Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 15:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/topic/timw/3417-packet-analysis-detail'

Browse source 
* origin/topic/timw/3417-packet-analysis-detail:
  Move packet_analysis::Dispatcher to detail namespace
This commit is contained in:
Tim Wojtulewicz 2024-05-08 09:55:01 -07:00
commit 2c46d3139c
15 changed files with 49 additions and 42 deletions
Download patch file Download diff file Expand all files Collapse all files

6
CHANGES
View file

@ -1,4 +1,8 @@
7.0.0-dev.226 | 2024-05-07 12:02:28 -0700 7.0.0-dev.229 | 2024-05-08 09:55:01 -0700
* Move packet_analysis::Dispatcher to detail namespace (Tim Wojtulewicz, Corelight)
.0.0-dev.226 | 2024-05-07 12:02:28 -0700
* make SSH analyzer robust to half-duplex connections (Vern Paxson, Corelight) * make SSH analyzer robust to half-duplex connections (Vern Paxson, Corelight)

2
VERSION
View file

@ -1 +1 @@
7.0.0-dev.226 7.0.0-dev.229

2
src/packet_analysis/Analyzer.h
View file

@ -266,7 +266,7 @@ private:
const AnalyzerPtr& DetectInnerAnalyzer(size_t len, const uint8_t* data, Packet* packet) const; const AnalyzerPtr& DetectInnerAnalyzer(size_t len, const uint8_t* data, Packet* packet) const;
zeek::Tag tag; zeek::Tag tag;
Dispatcher dispatcher; detail::Dispatcher dispatcher;
AnalyzerPtr default_analyzer = nullptr; AnalyzerPtr default_analyzer = nullptr;
bool enabled = true; bool enabled = true;

4
src/packet_analysis/Dispatcher.cc
View file

@ -8,7 +8,7 @@
#include "zeek/Reporter.h" #include "zeek/Reporter.h"
#include "zeek/packet_analysis/Analyzer.h" #include "zeek/packet_analysis/Analyzer.h"
namespace zeek::packet_analysis { namespace zeek::packet_analysis::detail {
Dispatcher::~Dispatcher() { FreeValues(); } Dispatcher::~Dispatcher() { FreeValues(); }
@ -80,4 +80,4 @@ void Dispatcher::DumpDebug() const {
#endif #endif
} }
} // namespace zeek::packet_analysis } // namespace zeek::packet_analysis::detail

3
src/packet_analysis/Dispatcher.h
View file

@ -12,6 +12,8 @@ namespace zeek::packet_analysis {
class Analyzer; // Forward declaration for Value class Analyzer; // Forward declaration for Value
using AnalyzerPtr = std::shared_ptr<zeek::packet_analysis::Analyzer>; using AnalyzerPtr = std::shared_ptr<zeek::packet_analysis::Analyzer>;
namespace detail {
/** /**
* The Dispatcher class manages identifier-to-analyzer mappings. * The Dispatcher class manages identifier-to-analyzer mappings.
*/ */
@ -62,4 +64,5 @@ private:
inline uint32_t GetHighestIdentifier() const { return lowest_identifier + table.size() - 1; } inline uint32_t GetHighestIdentifier() const { return lowest_identifier + table.size() - 1; }
}; };
} // namespace detail
} // namespace zeek::packet_analysis } // namespace zeek::packet_analysis

8
src/packet_analysis/Manager.cc
View file

@ -37,9 +37,9 @@ void Manager::InitPostScript(const std::string& unprocessed_output_file) {
auto pkt_profile_file = id::find_val("pkt_profile_file"); auto pkt_profile_file = id::find_val("pkt_profile_file");
if ( detail::pkt_profile_mode && detail::pkt_profile_freq > 0 && pkt_profile_file ) if ( zeek::detail::pkt_profile_mode && zeek::detail::pkt_profile_freq > 0 && pkt_profile_file )
pkt_profiler = pkt_profiler = new zeek::detail::PacketProfiler(zeek::detail::pkt_profile_mode, zeek::detail::pkt_profile_freq,
new detail::PacketProfiler(detail::pkt_profile_mode, detail::pkt_profile_freq, pkt_profile_file->AsFile()); pkt_profile_file->AsFile());
unknown_sampling_rate = id::find_val("UnknownProtocol::sampling_rate")->AsCount(); unknown_sampling_rate = id::find_val("UnknownProtocol::sampling_rate")->AsCount();
unknown_sampling_threshold = id::find_val("UnknownProtocol::sampling_threshold")->AsCount(); unknown_sampling_threshold = id::find_val("UnknownProtocol::sampling_threshold")->AsCount();
@ -215,7 +215,7 @@ bool Manager::PermitUnknownProtocol(const std::string& analyzer, uint32_t protoc
++count; ++count;
if ( count == 1 ) if ( count == 1 )
detail::timer_mgr->Add(new UnknownProtocolTimer(run_state::network_time, p, unknown_sampling_duration)); zeek::detail::timer_mgr->Add(new UnknownProtocolTimer(run_state::network_time, p, unknown_sampling_duration));
if ( count < unknown_sampling_threshold ) if ( count < unknown_sampling_threshold )
return true; return true;

8
src/packet_analysis/Manager.h
View file

@ -164,9 +164,9 @@ public:
*/ */
void ResetUnknownProtocolTimer(const std::string& analyzer, uint32_t protocol); void ResetUnknownProtocolTimer(const std::string& analyzer, uint32_t protocol);
detail::PacketFilter* GetPacketFilter(bool init = true) { zeek::detail::PacketFilter* GetPacketFilter(bool init = true) {
if ( ! pkt_filter && init ) if ( ! pkt_filter && init )
pkt_filter = new detail::PacketFilter(detail::packet_filter_default); pkt_filter = new zeek::detail::PacketFilter(zeek::detail::packet_filter_default);
return pkt_filter; return pkt_filter;
} }
@ -203,8 +203,8 @@ private:
AnalyzerPtr root_analyzer = nullptr; AnalyzerPtr root_analyzer = nullptr;
uint64_t num_packets_processed = 0; uint64_t num_packets_processed = 0;
detail::PacketProfiler* pkt_profiler = nullptr; zeek::detail::PacketProfiler* pkt_profiler = nullptr;
detail::PacketFilter* pkt_filter = nullptr; zeek::detail::PacketFilter* pkt_filter = nullptr;
using UnknownProtocolPair = std::pair<std::string, uint32_t>; using UnknownProtocolPair = std::pair<std::string, uint32_t>;
std::map<UnknownProtocolPair, uint64_t> unknown_protocols; std::map<UnknownProtocolPair, uint64_t> unknown_protocols;

4
src/packet_analysis/protocol/icmp/ICMP.cc
View file

@ -280,8 +280,8 @@ zeek::RecordValPtr ICMPAnalyzer::ExtractICMP4Context(int len, const u_char*& dat
if ( ! bad_hdr_len ) if ( ! bad_hdr_len )
bad_checksum = ! run_state::current_pkt->l4_checksummed && bad_checksum = ! run_state::current_pkt->l4_checksummed &&
(detail::in_cksum(reinterpret_cast<const uint8_t*>(ip_hdr->IP4_Hdr()), (zeek::detail::in_cksum(reinterpret_cast<const uint8_t*>(ip_hdr->IP4_Hdr()),
static_cast<int>(ip_hdr_len)) != 0xffff); static_cast<int>(ip_hdr_len)) != 0xffff);
else else
bad_checksum = false; bad_checksum = false;

2
src/packet_analysis/protocol/icmp/ICMPSessionAdapter.h
View file

@ -22,7 +22,7 @@ public:
void MatchEndpoint(const u_char* data, int len, bool is_orig); void MatchEndpoint(const u_char* data, int len, bool is_orig);
private: private:
detail::RuleMatcherState matcher_state; zeek::detail::RuleMatcherState matcher_state;
int request_len = -1; int request_len = -1;
int reply_len = -1; int reply_len = -1;
}; };

20
src/packet_analysis/protocol/ip/IP.cc
View file

@ -19,7 +19,7 @@
using namespace zeek::packet_analysis::IP; using namespace zeek::packet_analysis::IP;
IPAnalyzer::IPAnalyzer() : zeek::packet_analysis::Analyzer("IP") { IPAnalyzer::IPAnalyzer() : zeek::packet_analysis::Analyzer("IP") {
discarder = new detail::Discarder(); discarder = new zeek::detail::Discarder();
if ( ! discarder->IsActive() ) { if ( ! discarder->IsActive() ) {
delete discarder; delete discarder;
discarder = nullptr; discarder = nullptr;
@ -69,7 +69,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
// TCP segmentation offloading can zero out the ip_len field. // TCP segmentation offloading can zero out the ip_len field.
Weird("ip_hdr_len_zero", packet); Weird("ip_hdr_len_zero", packet);
if ( detail::ignore_checksums ) if ( zeek::detail::ignore_checksums )
// Cope with the zero'd out ip_len field by using the caplen. // Cope with the zero'd out ip_len field by using the caplen.
total_len = packet->cap_len - hdr_size; total_len = packet->cap_len - hdr_size;
else else
@ -123,13 +123,13 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
} }
// Ignore if packet matches packet filter. // Ignore if packet matches packet filter.
detail::PacketFilter* packet_filter = packet_mgr->GetPacketFilter(false); zeek::detail::PacketFilter* packet_filter = packet_mgr->GetPacketFilter(false);
if ( packet_filter && packet_filter->Match(packet->ip_hdr, total_len, len) ) if ( packet_filter && packet_filter->Match(packet->ip_hdr, total_len, len) )
return false; return false;
if ( ! packet->l3_checksummed && ! detail::ignore_checksums && ip4 && if ( ! packet->l3_checksummed && ! zeek::detail::ignore_checksums && ip4 &&
! IPBasedAnalyzer::GetIgnoreChecksumsNets()->Contains(packet->ip_hdr->IPHeaderSrcAddr()) && ! IPBasedAnalyzer::GetIgnoreChecksumsNets()->Contains(packet->ip_hdr->IPHeaderSrcAddr()) &&
detail::in_cksum(reinterpret_cast<const uint8_t*>(ip4), ip_hdr_len) != 0xffff ) { zeek::detail::in_cksum(reinterpret_cast<const uint8_t*>(ip4), ip_hdr_len) != 0xffff ) {
Weird("bad_IP_checksum", packet); Weird("bad_IP_checksum", packet);
return false; return false;
} }
@ -137,7 +137,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( discarder && discarder->NextPacket(packet->ip_hdr, total_len, len) ) if ( discarder && discarder->NextPacket(packet->ip_hdr, total_len, len) )
return false; return false;
detail::FragReassembler* f = nullptr; zeek::detail::FragReassembler* f = nullptr;
// Store this off so that it can be reset back to the original value before returning from // Store this off so that it can be reset back to the original value before returning from
// this method. // this method.
@ -156,8 +156,8 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
return false; return false;
} }
else { else {
f = detail::fragment_mgr->NextFragment(run_state::processing_start_time, packet->ip_hdr, f = zeek::detail::fragment_mgr->NextFragment(run_state::processing_start_time, packet->ip_hdr,
packet->data + hdr_size); packet->data + hdr_size);
std::shared_ptr<IP_Hdr> ih = f->ReassembledPkt(); std::shared_ptr<IP_Hdr> ih = f->ReassembledPkt();
if ( ! ih ) if ( ! ih )
@ -184,7 +184,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
} }
} }
detail::FragReassemblerTracker frt(f); zeek::detail::FragReassemblerTracker frt(f);
// We stop building the chain when seeing IPPROTO_ESP so if it's // We stop building the chain when seeing IPPROTO_ESP so if it's
// there, it's always the last. // there, it's always the last.
@ -203,7 +203,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( packet->ip_hdr->LastHeader() == IPPROTO_MOBILITY ) { if ( packet->ip_hdr->LastHeader() == IPPROTO_MOBILITY ) {
packet->dump_packet = true; packet->dump_packet = true;
if ( ! detail::ignore_checksums && mobility_header_checksum(packet->ip_hdr.get()) != 0xffff ) { if ( ! zeek::detail::ignore_checksums && mobility_header_checksum(packet->ip_hdr.get()) != 0xffff ) {
Weird("bad_MH_checksum", packet); Weird("bad_MH_checksum", packet);
packet->cap_len = orig_cap_len; packet->cap_len = orig_cap_len;
return false; return false;

4
src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
View file

@ -27,7 +27,7 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt
return false; return false;
const std::shared_ptr<IP_Hdr>& ip_hdr = pkt->ip_hdr; const std::shared_ptr<IP_Hdr>& ip_hdr = pkt->ip_hdr;
detail::ConnKey key(tuple); zeek::detail::ConnKey key(tuple);
Connection* conn = session_mgr->FindConnection(key); Connection* conn = session_mgr->FindConnection(key);
@ -140,7 +140,7 @@ bool IPBasedAnalyzer::IsLikelyServerPort(uint32_t port) const {
return port_cache.find(port) != port_cache.end(); return port_cache.find(port) != port_cache.end();
} }
zeek::Connection* IPBasedAnalyzer::NewConn(const ConnTuple* id, const detail::ConnKey& key, const Packet* pkt) { zeek::Connection* IPBasedAnalyzer::NewConn(const ConnTuple* id, const zeek::detail::ConnKey& key, const Packet* pkt) {
int src_h = ntohs(id->src_port); int src_h = ntohs(id->src_port);
int dst_h = ntohs(id->dst_port); int dst_h = ntohs(id->dst_port);
bool flip = false; bool flip = false;

2
src/packet_analysis/protocol/ip/IPBasedAnalyzer.h
View file

@ -185,7 +185,7 @@ private:
* @param key A connection ID key generated from the ID. * @param key A connection ID key generated from the ID.
* @param pkt The packet associated with the new connection. * @param pkt The packet associated with the new connection.
*/ */
zeek::Connection* NewConn(const ConnTuple* id, const detail::ConnKey& key, const Packet* pkt); zeek::Connection* NewConn(const ConnTuple* id, const zeek::detail::ConnKey& key, const Packet* pkt);
void BuildSessionAnalyzerTree(Connection* conn); void BuildSessionAnalyzerTree(Connection* conn);

2
src/packet_analysis/protocol/tcp/TCP.cc
View file

@ -148,7 +148,7 @@ const struct tcphdr* TCPAnalyzer::ExtractTCP_Header(const u_char*& data, int& le
bool TCPAnalyzer::ValidateChecksum(const IP_Hdr* ip, const struct tcphdr* tp, analyzer::tcp::TCP_Endpoint* endpoint, bool TCPAnalyzer::ValidateChecksum(const IP_Hdr* ip, const struct tcphdr* tp, analyzer::tcp::TCP_Endpoint* endpoint,
int len, int caplen, TCPSessionAdapter* adapter) { int len, int caplen, TCPSessionAdapter* adapter) {
if ( ! run_state::current_pkt->l4_checksummed && ! detail::ignore_checksums && if ( ! run_state::current_pkt->l4_checksummed && ! zeek::detail::ignore_checksums &&
! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) && caplen >= len && ! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) && caplen >= len &&
! endpoint->ValidChecksum(tp, len, ip->IP4_Hdr()) ) { ! endpoint->ValidChecksum(tp, len, ip->IP4_Hdr()) ) {
adapter->Weird("bad_TCP_checksum"); adapter->Weird("bad_TCP_checksum");

18
src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
View file

@ -23,8 +23,8 @@ using namespace zeek::packet_analysis::TCP;
TCPSessionAdapter::TCPSessionAdapter(Connection* conn) : packet_analysis::IP::SessionAdapter("TCP", conn) { TCPSessionAdapter::TCPSessionAdapter(Connection* conn) : packet_analysis::IP::SessionAdapter("TCP", conn) {
// Set a timer to eventually time out this connection. // Set a timer to eventually time out this connection.
ADD_ANALYZER_TIMER(&TCPSessionAdapter::ExpireTimer, run_state::network_time + detail::tcp_SYN_timeout, false, ADD_ANALYZER_TIMER(&TCPSessionAdapter::ExpireTimer, run_state::network_time + zeek::detail::tcp_SYN_timeout, false,
detail::TIMER_TCP_EXPIRE); zeek::detail::TIMER_TCP_EXPIRE);
deferred_gen_event = close_deferred = 0; deferred_gen_event = close_deferred = 0;
@ -529,8 +529,8 @@ void TCPSessionAdapter::Process(bool is_orig, const struct tcphdr* tp, int len,
if ( flags.FIN() ) { if ( flags.FIN() ) {
++endpoint->FIN_cnt; ++endpoint->FIN_cnt;
if ( endpoint->FIN_cnt >= detail::tcp_storm_thresh && if ( endpoint->FIN_cnt >= zeek::detail::tcp_storm_thresh &&
run_state::current_timestamp < endpoint->last_time + detail::tcp_storm_interarrival_thresh ) run_state::current_timestamp < endpoint->last_time + zeek::detail::tcp_storm_interarrival_thresh )
Weird("FIN_storm"); Weird("FIN_storm");
endpoint->FIN_seq = rel_seq + seg_len; endpoint->FIN_seq = rel_seq + seg_len;
@ -539,8 +539,8 @@ void TCPSessionAdapter::Process(bool is_orig, const struct tcphdr* tp, int len,
if ( flags.RST() ) { if ( flags.RST() ) {
++endpoint->RST_cnt; ++endpoint->RST_cnt;
if ( endpoint->RST_cnt >= detail::tcp_storm_thresh && if ( endpoint->RST_cnt >= zeek::detail::tcp_storm_thresh &&
run_state::current_timestamp < endpoint->last_time + detail::tcp_storm_interarrival_thresh ) run_state::current_timestamp < endpoint->last_time + zeek::detail::tcp_storm_interarrival_thresh )
Weird("RST_storm"); Weird("RST_storm");
// This now happens often enough that it's // This now happens often enough that it's
@ -717,8 +717,8 @@ void TCPSessionAdapter::UpdateInactiveState(double t, analyzer::tcp::TCP_Endpoin
endpoint->SetState(analyzer::tcp::TCP_ENDPOINT_SYN_SENT); endpoint->SetState(analyzer::tcp::TCP_ENDPOINT_SYN_SENT);
if ( zeek::detail::tcp_attempt_delay ) if ( zeek::detail::tcp_attempt_delay )
ADD_ANALYZER_TIMER(&TCPSessionAdapter::AttemptTimer, t + detail::tcp_attempt_delay, true, ADD_ANALYZER_TIMER(&TCPSessionAdapter::AttemptTimer, t + zeek::detail::tcp_attempt_delay, true,
detail::TIMER_TCP_ATTEMPT); zeek::detail::TIMER_TCP_ATTEMPT);
} }
else { else {
if ( flags.ACK() ) { if ( flags.ACK() ) {
@ -1205,7 +1205,7 @@ void TCPSessionAdapter::ConnectionClosed(analyzer::tcp::TCP_Endpoint* endpoint,
if ( DEBUG_tcp_connection_close ) { if ( DEBUG_tcp_connection_close ) {
DEBUG_MSG("%.6f close_complete=%d tcp_close_delay=%f\n", run_state::network_time, close_complete, DEBUG_MSG("%.6f close_complete=%d tcp_close_delay=%f\n", run_state::network_time, close_complete,
detail::tcp_close_delay); zeek::detail::tcp_close_delay);
} }
if ( close_complete ) { if ( close_complete ) {

6
src/packet_analysis/protocol/udp/UDP.cc
View file

@ -37,7 +37,7 @@ zeek::analyzer::pia::PIA* UDPAnalyzer::MakePIA(Connection* conn) { return new an
void UDPAnalyzer::Initialize() { void UDPAnalyzer::Initialize() {
IPBasedAnalyzer::Initialize(); IPBasedAnalyzer::Initialize();
const auto& id = detail::global_scope()->Find("PacketAnalyzer::VXLAN::vxlan_ports"); const auto& id = zeek::detail::global_scope()->Find("PacketAnalyzer::VXLAN::vxlan_ports");
if ( ! (id && id->GetVal()) ) if ( ! (id && id->GetVal()) )
reporter->FatalError("PacketAnalyzer::VXLAN::vxlan_ports not defined"); reporter->FatalError("PacketAnalyzer::VXLAN::vxlan_ports not defined");
@ -204,8 +204,8 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
} }
bool UDPAnalyzer::ValidateChecksum(const IP_Hdr* ip, const udphdr* up, int len) { bool UDPAnalyzer::ValidateChecksum(const IP_Hdr* ip, const udphdr* up, int len) {
auto sum = detail::ip_in_cksum(ip->IP4_Hdr(), ip->SrcAddr(), ip->DstAddr(), IPPROTO_UDP, auto sum = zeek::detail::ip_in_cksum(ip->IP4_Hdr(), ip->SrcAddr(), ip->DstAddr(), IPPROTO_UDP,
reinterpret_cast<const uint8_t*>(up), len); reinterpret_cast<const uint8_t*>(up), len);
return sum == 0xffff; return sum == 0xffff;
} }