Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fixes for community ID hashing with new proto values

Browse source
This commit is contained in:
Tim Wojtulewicz 2024-11-12 13:35:07 -07:00
parent 5a3d16e16f
commit 43e77a3338
5 changed files with 21 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

14
src/communityid.bif
View file

@ -1,4 +1,5 @@
%%{ // C segment
#include "zeek/IP.h"
#include "zeek/IPAddr.h"
#include "zeek/Val.h"
#include "zeek/digest.h"
@ -48,9 +49,16 @@ function community_id_v1%(cid: conn_id, seed: count &default=0, do_base64: bool
hash_proto = IPPROTO_ICMPV6;
break;
case TRANSPORT_UNKNOWN:
emit_builtin_error("CommunityID: unknown transport layer", cid);
return zeek::make_intrusive<zeek::StringVal>("");
case TRANSPORT_UNKNOWN: {
uint16_t cid_proto = static_cast<uint16_t>(cid_rec->GetFieldAs<zeek::CountVal>(4));
if ( cid_proto == zeek::UNKNOWN_IP_PROTO ) {
emit_builtin_error("CommunityID: unknown transport layer", cid);
return zeek::make_intrusive<zeek::StringVal>("");
}
hash_proto = static_cast<uint8_t>(cid_proto);
break;
}
default:
emit_builtin_error("CommunityID: unhandled transport layer", cid);
return zeek::make_intrusive<zeek::StringVal>("");

2
testing/btest/Baseline/bifs.community_id.run-pcaps/sctp.pcap.out
View file

@ -1,2 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
[orig_h=192.168.170.8, orig_p=0/unknown, resp_h=192.168.170.56, resp_p=0/unknown, proto=132],
[orig_h=192.168.170.8, orig_p=0/unknown, resp_h=192.168.170.56, resp_p=0/unknown, proto=132], 1:U5cVwrVgLshgANPmc8hKzEcqp1M=

1
testing/btest/Baseline/bifs.community_id.v1/.stdout Normal file
View file

@ -0,0 +1 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.

2
testing/btest/Baseline/bifs.community_id.v1/out
View file

@ -9,3 +9,5 @@ PASS: expected '1:9pr4ZGTICiuZoIh90RRYE2RyXpU=', got '1:9pr4ZGTICiuZoIh90RRYE2Ry
PASS: expected '1:IO27GQzPuCtNnwFvjWALMHu5tJE=', got '1:IO27GQzPuCtNnwFvjWALMHu5tJE=' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=128/icmp, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=129/icmp, proto=1], seed=1)
PASS: expected '', got '' ([orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=65535], seed=0)
PASS: expected '', got '' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=0/unknown, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=0/unknown, proto=65535], seed=1)
PASS: expected '1:yXTIO8p5F2ZhuXBcNBN8CsgCUTE=', got '1:yXTIO8p5F2ZhuXBcNBN8CsgCUTE=' ([orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=10], seed=0)
PASS: expected '1:OrvlNyNZWyubXHIUHR/w18b5im8=', got '1:OrvlNyNZWyubXHIUHR/w18b5im8=' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=0/unknown, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=0/unknown, proto=10], seed=1)

6
testing/btest/bifs/community_id/v1.zeek
View file

@ -1,5 +1,6 @@
# @TEST-EXEC: zeek -b %INPUT >out
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: btest-diff .stdout
function test_it(cid: conn_id, seed: count, expected: string)
{
@ -26,4 +27,9 @@ event zeek_init()
test_it([$orig_h=1.2.3.4, $orig_p=0/unknown, $resp_h=5.6.7.8, $resp_p=0/unknown], 0, "");
test_it([$orig_h=[fe80:0001:0203:0405:0607:0809:0A0B:0C0D], $orig_p=0/unknown,
$resp_h=[fe80:1011:1213:1415:1617:1819:1A1B:1C1D], $resp_p=0/unknown], 1, "");
# Test with some unknown-but-valid proto values.
test_it([$orig_h=1.2.3.4, $orig_p=0/unknown, $resp_h=5.6.7.8, $resp_p=0/unknown, $proto=10], 0, "1:yXTIO8p5F2ZhuXBcNBN8CsgCUTE=");
test_it([$orig_h=[fe80:0001:0203:0405:0607:0809:0A0B:0C0D], $orig_p=0/unknown,
$resp_h=[fe80:1011:1213:1415:1617:1819:1A1B:1C1D], $resp_p=0/unknown, $proto=10], 1, "1:OrvlNyNZWyubXHIUHR/w18b5im8=");
}