From 4bc7f9532c13c87788abc861519eb39c133f02ed Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Tue, 5 Aug 2025 11:34:02 +0200 Subject: [PATCH] IPBasedAnalyzer: Call TapPacket() when skipping When skip_further_processing() is called, a TapAnalyzer should still see the packets as skipped with SkipReason "skipping".
---
 .../protocol/ip/IPBasedAnalyzer.cc | 7 +++++-- .../protocol/ip/SessionAdapter.h | 1 + .../Baseline/plugins.tap-analyzer/output | 19 +++++++++++++++++++ testing/btest/plugins/tap-analyzer.zeek | 13 +++++++++++++ 4 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
index 9773d4817e..bb7ee12901 100644
--- a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
+++ b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
@@ -8,6 +8,7 @@
 #include "zeek/analyzer/Manager.h"
 #include "zeek/analyzer/protocol/pia/PIA.h"
 #include "zeek/conn_key/Manager.h"
+#include "zeek/packet_analysis/protocol/ip/SessionAdapter.h"
 #include "zeek/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.h"
 #include "zeek/plugin/Manager.h"
 #include "zeek/session/Manager.h"
@@ -105,9 +106,11 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt
 run_state::current_timestamp = run_state::processing_start_time;
 run_state::current_pkt = pkt;
- // TODO: Does this actually mean anything?
- if ( conn->GetSessionAdapter()->Skipping() )
+ const auto* adapter = conn->GetSessionAdapter();
+ if ( adapter->Skipping() ) {
+ adapter->TapPacket(pkt, PacketAction::Skip, SkipReason::SkipProcessing);
 return true;
+ }
 DeliverPacket(conn, run_state::processing_start_time, is_orig, len, pkt);
diff --git a/src/packet_analysis/protocol/ip/SessionAdapter.h b/src/packet_analysis/protocol/ip/SessionAdapter.h
index db8d705d23..92d4a59059 100644
--- a/src/packet_analysis/protocol/ip/SessionAdapter.h
+++ b/src/packet_analysis/protocol/ip/SessionAdapter.h
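Review bot: In the AnalyzePacket hunk of IPBasedAnalyzer.cc, the skip branch returns right after `run_state::current_timestamp` and `run_state::current_pkt` were assigned, so a skipped packet leaves both globals set to it once the function returns. If the code after `DeliverPacket(...)` resets them (that part of AnalyzePacket is outside the hunk, as is its start), the early `return true;` bypasses that reset; now that the branch has braces, restoring both before returning would keep the two paths consistent. The removed TODO also leaves the branch uncommented; something like `// Skipped connections are not delivered to analyzers, but taps still see each packet.` would record why TapPacket() is called here. `adapter` is dereferenced without a null check, as the old code did, so this presumably relies on every connection that reaches this point having a session adapter.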
@@ -29,6 +29,7 @@ enum class SkipReason : uint8_t {
 Unknown, ///< Placeholder if no other value fits.
 BadChecksum, ///< The packet's checksum is invalid and ignore_checksums is false.
 BadProtoHeader, ///< Something was off with the lengths or offsets in the protocol header.
+ SkipProcessing, ///< The session adapter's connection had skip_further_processing called on it.
 };
 /**
diff --git a/testing/btest/Baseline/plugins.tap-analyzer/output b/testing/btest/Baseline/plugins.tap-analyzer/output
index 5e19fb7ab8..d56ace3e3b 100644
--- a/testing/btest/Baseline/plugins.tap-analyzer/output
+++ b/testing/btest/Baseline/plugins.tap-analyzer/output
@@ -66,3 +66,22 @@ Packet(len=66 orig=0, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9 Packet(len=66 orig=1, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9 Done() uid=HhAvVGS1DHFjwGM9 === +<...>/get.trace +Init() uid=HhAvVGS1DHFjwGM9 +Analyzer added to HhAvVGS1DHFjwGM9 +Packet(len=78 orig=1, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9 +Packet(len=74 orig=0, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9 +Packet(len=66 orig=1, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9 +Packet(len=202 orig=1, verdict=0 skip_reason=0) uid=HhAvVGS1DHFjwGM9 +Packet(len=66 orig=0, verdict=1 skip_reason=3) uid=HhAvVGS1DHFjwGM9 +Packet(len=1514 orig=0, verdict=1 skip_reason=3) uid=HhAvVGS1DHFjwGM9 +Packet(len=1514 orig=0, verdict=1 skip_reason=3) uid=HhAvVGS1DHFjwGM9 +Packet(len=1514 orig=0, verdict=1 skip_reason=3) uid=HhAvVGS1DHFjwGM9 +Packet(len=729 orig=0, verdict=1 skip_reason=3) uid=HhAvVGS1DHFjwGM9 +Packet(len=66 orig=1, verdict=1 skip_reason=3) uid=HhAvVGS1DHFjwGM9 +Packet(len=66 orig=1, verdict=1 skip_reason=3) uid=HhAvVGS1DHFjwGM9 +Packet(len=66 orig=1, verdict=1 skip_reason=3) uid=HhAvVGS1DHFjwGM9 +Packet(len=66 orig=0, verdict=1 skip_reason=3) uid=HhAvVGS1DHFjwGM9 +Packet(len=66 orig=1, verdict=1 skip_reason=3) uid=HhAvVGS1DHFjwGM9 +Done() uid=HhAvVGS1DHFjwGM9 +===
diff --git a/testing/btest/plugins/tap-analyzer.zeek b/testing/btest/plugins/tap-analyzer.zeek
index a3d2005828..2887780a8b 100644
--- a/testing/btest/plugins/tap-analyzer.zeek
+++ b/testing/btest/plugins/tap-analyzer.zeek
@@ -14,9 +14,13 @@
 # @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::TapAnalyzer" ZEEK_PLUGIN_PATH=`pwd` zeek -b -r $TRACES/chksums/ip6-icmp6-good-chksum.pcap %INPUT >>output
 #
 # @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::TapAnalyzer" ZEEK_PLUGIN_PATH=`pwd` zeek -b -r $TRACES/http/get.trace %INPUT >>output
+# @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::TapAnalyzer" ZEEK_PLUGIN_PATH=`pwd` zeek -b -r $TRACES/http/get.trace %INPUT http_skip_further_processing=T >>output
 #
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
+@load base/protocols/http
+
+
 event zeek_init()
 {
 print packet_source()$path;
@@ -26,3 +30,12 @@ event zeek_done()
 {
 print "===";
 }
+
+
+global http_skip_further_processing = F &redef;
+
+event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
+ {
+ if ( http_skip_further_processing )
+ skip_further_processing(c$id);
+ }
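Review bot: `@load base/protocols/http` is added at file scope in the first hunk of tap-analyzer.zeek, so every `@TEST-EXEC` run of this bare-mode (`-b`) test now loads the HTTP scripts, not only the new `http_skip_further_processing=T` run. The baseline hunk only appends output, so the earlier runs appear unaffected, but a short comment would make the intent clear, e.g. `# Loaded for http_request below; only the last get.trace run sets http_skip_further_processing=T.` The handler in the second hunk calls `skip_further_processing(c$id)` on an HTTP request, so the test covers a TCP session only; whether a skipped UDP or ICMP session reaches the same TapPacket() call is not exercised here.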