Another tunneling checkpoint.

- AYIYA works.
  - AYIYA analyzed connections are still labelled wrong in conn.log (logged as syslog)
- Some cleanup for leftover code.
- Small refactoring to pass packets back from analyzers to core.
- $uid is now optional in conn logs since ip-in-ip tunnel parents
  won't have an actual connection.
Seth Hall 2012-04-24 01:05:35 -04:00
parent ae96314196
commit 2a79fe95ec
12 changed files with 53 additions and 122 deletions

@ -101,6 +101,9 @@ export {
resp_pkts: count &log &optional;
## Number IP level bytes the responder sent. See ``orig_pkts``.
resp_ip_bytes: count &log &optional;
## If this connection was over a tunnel, indicate the
## `uid` value for the parent connection or connections.
parents: vector of string &log &optional;
};
## Event that can be handled to access the :bro:type:`Conn::Info`
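Review bot: The doc comment on `parents` does not say in what order the vector holds the parent uids when tunnels are nested (outermost first or innermost first), and anyone reading conn.log needs that to reconstruct the encapsulation chain; please state the order in the comment. The comment also marks up `uid` with single backticks where the neighbouring comment uses double backticks (``orig_pkts``), so it should match that style.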
@ -190,6 +193,15 @@ function set_conn(c: connection, eoc: bool)
c$conn$ts=c$start_time;
c$conn$uid=c$uid;
c$conn$id=c$id;
if ( ! c$conn?$parents && c?$tunnel )
{
c$conn$parents = vector();
for ( i in c$tunnel )
{
# TODO: maybe we should be storing uid's in the $tunnel field?
#c$conn$parents[|c$conn$parents|] = lookup_connection(c$tunnel[i]$cid)$uid;
}
}
c$conn$proto=get_port_transport_proto(c$id$resp_p);
if( |Site::local_nets| > 0 )
c$conn$local_orig=Site::is_local_addr(c$id$orig_h);
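Review bot: In set_conn the body of `for ( i in c$tunnel )` is only a comment, so for every connection with `c?$tunnel` the `parents` field is set to an empty vector and never filled. Since the field is `&log &optional`, it would be better to leave it unset until the uids are actually available, so that conn.log does not carry an empty value that reads as "tunneled, but no parents". The commented-out `lookup_connection(c$tunnel[i]$cid)$uid` also should not be enabled as is: the commit message says ip-in-ip parents have no actual connection, so the lookup may not resolve and needs a guard, or, as the TODO suggests, the uid should be stored in `$tunnel` directly.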