Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Documenting tunnel decapsulation.

Browse source 
Haven't tested the autodoc output yet.
This commit is contained in:
Gregor Maier 2011-08-07 12:26:19 -07:00
parent b0ac4882bd
commit 32f37c9f6d
2 changed files with 73 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

17
scripts/base/bro.init
View file

@ -83,8 +83,14 @@ type AnalyzerID: count;
module Tunnel; module Tunnel;
export { export {
## Records the identity of a the parent of a tunneled connection.
type parent_t: record { type parent_t: record {
## The 4-tuple of the tunnel "connection". In case of an IP-in-IP
## tunnel the ports will be set to 0. The direction (i.e., orig and
## resp) of the parent are set according to the tunneled connection
## and not according to the side that established the tunnel.
cid: conn_id; cid: conn_id;
## The type of tunnel.
tunnel_type: tunneltype_t; tunnel_type: tunneltype_t;
} &log; } &log;
} # end export } # end export
@ -1495,20 +1501,21 @@ const parse_udp_tunnels = F &redef;
module Tunnel; module Tunnel;
export { export {
# Whether to decapsulate IP tunnels (IPinIP, 6in4, 6to4) ## Whether to decapsulate IP tunnels (IPinIP, 6in4, 6to4)
const decapsulate_ip = F &redef; const decapsulate_ip = F &redef;
# Whether to decapsulate URDP tunnels (e.g., Teredo, IPv4 in UDP) ## Whether to decapsulate URDP tunnels (e.g., Teredo, IPv4 in UDP)
const decapsulate_udp = F &redef; const decapsulate_udp = F &redef;
# If decapsulating UDP: the set of ports for which to do so ## If decapsulating UDP: the set of ports for which to do so.
## Can be overridden by :bro:id:`Tunnel::udp_tunnel_allports`
const udp_tunnel_ports: set[port] = { const udp_tunnel_ports: set[port] = {
3544/udp, # Teredo 3544/udp, # Teredo
5072/udp, # AYIAY 5072/udp, # AYIAY
} &redef; } &redef;
# If udp_tunnel_allports is T udp_tunnel_ports is ignored and we ## If udp_tunnel_allports is T :bro:id:`udp_tunnel_ports` is ignored and we
# check every UDP packet for tunnels. ## check every UDP packet for tunnels.
const udp_tunnel_allports = F &redef; const udp_tunnel_allports = F &redef;
} # end export } # end export
module GLOBAL; module GLOBAL;

61
scripts/policy/frameworks/tunnel.bro Normal file
View file

@ -0,0 +1,61 @@
##! Handle tunneled connections.
##!
##! Bro can decapsulate IPinIP and IPinUDP tunnels, were "IP" can be either
##! IPv4 or IPv6. The most common case will be decapsulating Teredo, 6to4,
##! 6in4, and AYIAY.
##!
##! Decapsulation happens early in a packets processing, right after IP
##! defragmentation but before there is a connection context. The tunnel
##! headers are stripped from packet and the identity of the parent is
##! is stored as the ``tunnel_parent`` member of :bro:type:`connection`,
##! which is of type :bro:type:`parent_t`.
##!
##! *Limitation:* The decapsulated packets are not fed through the
##! defragmenter again.
##!
##!
module Tunnel;
redef use_connection_compressor = F;
redef Tunnel::decapsulate_ip = T;
redef Tunnel::decapsulate_udp = T;
redef Tunnel::udp_tunnel_allports = T;
export {
redef enum Log::ID += { TUNNEL };
## This record will be logged
type Info : record {
## This is the time of the first record
ts: time &log;
## The uid of the child connection, i.e. the connection in the tunnel
uid: string &log;
## The connection id of the child
id: conn_id &log;
## The child's transport protocol
proto: transport_proto &log;
## The parent connection of IP-pair
parent: parent_t &log;
};
global log_conn: event(rec: Info);
}
event bro_init()
{
Log::create_stream(TUNNEL, [$columns=Info, $ev=log_conn]);
}
event new_connection(c: connection)
{
if (c?$tunnel_parent)
{
local info: Info;
info$ts = c$start_time;
info$uid = c$uid;
info$id = c$id;
info$proto = get_port_transport_proto(c$id$resp_p);
info$parent = c$tunnel_parent;
Log::write(TUNNEL, info);
}
}