Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 15:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Apply requested changes:

Browse source 
- file dpd.sig and TODO comments for signature protocol detection removed
- missing doc field filled in events.bif
- rename OpCode and ReqCode fields into op_code and req_code respectively
- removed unnecessary child method in NTP.h/.cc
- main.zeek and ntp-protocol.pac reformatted
This commit is contained in:
Mauro Palumbo 2019-06-14 12:30:29 +02:00
parent b130cc7931
commit 32663cec04
8 changed files with 229 additions and 248 deletions
Download patch file Download diff file Expand all files Collapse all files

4
scripts/base/init-bare.zeek
View file

@ -4995,7 +4995,7 @@ export {
## 6 set trap address/port command/response ## 6 set trap address/port command/response
## 7 trap response ## 7 trap response
## Other values are reserved. ## Other values are reserved.
OpCode : count; op_code : count;
## The response bit. Set to zero for commands, one for responses. ## The response bit. Set to zero for commands, one for responses.
resp_bit : bool; resp_bit : bool;
## The error bit. Set to zero for normal response, one for error response. ## The error bit. Set to zero for normal response, one for error response.
@ -5029,7 +5029,7 @@ export {
## An implementation-specific code which specifies the ## An implementation-specific code which specifies the
## operation to be (which has been) performed and/or the ## operation to be (which has been) performed and/or the
## format and semantics of the data included in the packet. ## format and semantics of the data included in the packet.
ReqCode : count; req_code : count;
## The authenticated bit. If set, this packet is authenticated. ## The authenticated bit. If set, this packet is authenticated.
auth_bit : bool; auth_bit : bool;
## For a multipacket response, contains the sequence ## For a multipacket response, contains the sequence

1
scripts/base/protocols/ntp/__load__.zeek
View file

@ -1,2 +1 @@
@load ./main @load ./main
#@load-sigs ./dpd.sig

12
scripts/base/protocols/ntp/dpd.sig
View file

@ -1,12 +0,0 @@
signature dpd_ntp {
ip-proto == udp
# ## TODO: Define the payload. When Bro sees this regex, on
# ## any port, it will enable your analyzer on that
# ## connection.
# ## payload /^NTP/
enable "ntp"
}

20
scripts/base/protocols/ntp/main.zeek
View file

@ -1,7 +1,5 @@
module NTP; module NTP;
# TODO: The recommended method to do dynamic protocol detection
# (DPD) is with the signatures in dpd.sig.
# For the time being, we use port detection. # For the time being, we use port detection.
const ports = { 123/udp }; const ports = { 123/udp };
redef likely_server_ports += { ports }; redef likely_server_ports += { ports };
@ -63,7 +61,7 @@ export {
## 6 set trap address/port command/response ## 6 set trap address/port command/response
## 7 trap response ## 7 trap response
## Other values are reserved. ## Other values are reserved.
OpCode : count &log; op_code : count &log;
## The response bit. Set to zero for commands, one for responses. ## The response bit. Set to zero for commands, one for responses.
resp_bit : bool &log; resp_bit : bool &log;
## The error bit. Set to zero for normal response, one for error response. ## The error bit. Set to zero for normal response, one for error response.
@ -86,7 +84,7 @@ export {
## An implementation-specific code which specifies the ## An implementation-specific code which specifies the
## operation to be (which has been) performed and/or the ## operation to be (which has been) performed and/or the
## format and semantics of the data included in the packet. ## format and semantics of the data included in the packet.
ReqCode : count &log; req_code : count &log;
## The authenticated bit. If set, this packet is authenticated. ## The authenticated bit. If set, this packet is authenticated.
auth_bit : bool &log; auth_bit : bool &log;
## For a multipacket response, contains the sequence ## For a multipacket response, contains the sequence
@ -132,7 +130,8 @@ event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
info$version = msg$version; info$version = msg$version;
info$mode = msg$mode; info$mode = msg$mode;
if ( msg$mode < 6 ) { if ( msg$mode < 6 )
{
info$stratum = msg$std_msg$stratum; info$stratum = msg$std_msg$stratum;
info$poll = msg$std_msg$poll; info$poll = msg$std_msg$poll;
info$precision = msg$std_msg$precision; info$precision = msg$std_msg$precision;
@ -161,8 +160,9 @@ event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
info$num_exts = msg$std_msg$num_exts; info$num_exts = msg$std_msg$num_exts;
} }
if ( msg$mode==6 ) { if ( msg$mode==6 )
info$OpCode = msg$control_msg$OpCode; {
info$op_code = msg$control_msg$op_code;
info$resp_bit = msg$control_msg$resp_bit; info$resp_bit = msg$control_msg$resp_bit;
info$err_bit = msg$control_msg$err_bit; info$err_bit = msg$control_msg$err_bit;
info$more_bit = msg$control_msg$more_bit; info$more_bit = msg$control_msg$more_bit;
@ -174,11 +174,11 @@ event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
info$ctrl_key_id = msg$control_msg$key_id; info$ctrl_key_id = msg$control_msg$key_id;
if ( msg$control_msg?$crypto_checksum) if ( msg$control_msg?$crypto_checksum)
info$crypto_checksum = msg$control_msg$crypto_checksum; info$crypto_checksum = msg$control_msg$crypto_checksum;
} }
if ( msg$mode==7 ) { if ( msg$mode==7 )
info$ReqCode = msg$mode7_msg$ReqCode; {
info$req_code = msg$mode7_msg$req_code;
info$auth_bit = msg$mode7_msg$auth_bit; info$auth_bit = msg$mode7_msg$auth_bit;
info$sequence = msg$mode7_msg$sequence; info$sequence = msg$mode7_msg$sequence;
info$implementation = msg$mode7_msg$implementation; info$implementation = msg$mode7_msg$implementation;

5
src/analyzer/protocol/ntp/NTP.cc
View file

@ -17,11 +17,6 @@ NTP_Analyzer::~NTP_Analyzer()
delete interp; delete interp;
} }
void NTP_Analyzer::Done()
{
Analyzer::Done();
}
void NTP_Analyzer::DeliverPacket(int len, const u_char* data, void NTP_Analyzer::DeliverPacket(int len, const u_char* data,
bool orig, uint64 seq, const IP_Hdr* ip, int caplen) bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
{ {

1
src/analyzer/protocol/ntp/NTP.h
View file

@ -16,7 +16,6 @@ public:
~NTP_Analyzer() override; ~NTP_Analyzer() override;
// Overriden from Analyzer. // Overriden from Analyzer.
void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, void DeliverPacket(int len, const u_char* data, bool orig,
uint64 seq, const IP_Hdr* ip, int caplen) override; uint64 seq, const IP_Hdr* ip, int caplen) override;

2
src/analyzer/protocol/ntp/events.bif
View file

@ -6,7 +6,7 @@
## ##
## c: The connection record describing the corresponding UDP flow. ## c: The connection record describing the corresponding UDP flow.
## ##
## is_orig: ## is_orig: True if the message was sent by the originator.
## ##
## msg: The parsed NTP message. ## msg: The parsed NTP message.
## ##