From 2da84020cfcf413876716b6a4502e9a0965fbb6a Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 6 Apr 2020 14:51:34 -0700 Subject: [PATCH 1/2] Add new "udp_content_delivery_ports_use_resp" option This controls whether ports given by "udp_content_delivery_ports_orig" and "udp_content_delivery_ports_orig" are in terms of the UDP packet's destination port or by the Connection's "responder" port (the former is the unchanged default behavior). --- scripts/base/init-bare.zeek | 10 ++++++++++ src/NetVar.cc | 3 +++ src/NetVar.h | 1 + src/analyzer/protocol/udp/UDP.cc | 4 +++- .../out | 2 ++ testing/btest/Baseline/plugins.hooks/output | 17 ++++++++++------- .../udp-contents-delivery-ports-use-resp.zeek | 12 ++++++++++++ 7 files changed, 41 insertions(+), 8 deletions(-) create mode 100644 testing/btest/Baseline/core.udp-contents-delivery-ports-use-resp/out create mode 100644 testing/btest/core/udp-contents-delivery-ports-use-resp.zeek diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index 20db8ccfb6..d89d9d9d72 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -1116,6 +1116,7 @@ const tcp_content_deliver_all_resp = F &redef; ## tcp_content_deliver_all_orig tcp_content_deliver_all_resp ## udp_content_delivery_ports_resp udp_content_deliver_all_orig ## udp_content_deliver_all_resp udp_contents +## udp_content_delivery_ports_use_resp const udp_content_delivery_ports_orig: table[port] of bool = {} &redef; ## Defines UDP destination ports for which the contents of the responder stream @@ -1125,8 +1126,15 @@ const udp_content_delivery_ports_orig: table[port] of bool = {} &redef; ## tcp_content_delivery_ports_resp tcp_content_deliver_all_orig ## tcp_content_deliver_all_resp udp_content_delivery_ports_orig ## udp_content_deliver_all_orig udp_content_deliver_all_resp udp_contents +## udp_content_delivery_ports_use_resp const udp_content_delivery_ports_resp: table[port] of bool = {} &redef; +## Whether ports given in :zeek:see:`udp_content_delivery_ports_orig` +## and :zeek:see:`udp_content_delivery_ports_resp` are in terms of +## UDP packet's destination port or the UDP connection's "responder" +## port. +option udp_content_delivery_ports_use_resp = F; + ## If true, all UDP originator-side traffic is reported via ## :zeek:see:`udp_contents`. ## @@ -1135,6 +1143,7 @@ const udp_content_delivery_ports_resp: table[port] of bool = {} &redef; ## tcp_content_delivery_ports_orig udp_content_delivery_ports_orig ## udp_content_delivery_ports_resp udp_content_deliver_all_resp ## udp_contents +## udp_content_delivery_ports_use_resp const udp_content_deliver_all_orig = F &redef; ## If true, all UDP responder-side traffic is reported via @@ -1145,6 +1154,7 @@ const udp_content_deliver_all_orig = F &redef; ## tcp_content_delivery_ports_orig udp_content_delivery_ports_orig ## udp_content_delivery_ports_resp udp_content_deliver_all_orig ## udp_contents +## udp_content_delivery_ports_use_resp const udp_content_deliver_all_resp = F &redef; ## Check for expired table entries after this amount of time. diff --git a/src/NetVar.cc b/src/NetVar.cc index 53a5e6c35c..0cf80acaf3 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -77,6 +77,7 @@ TableVal* udp_content_delivery_ports_orig; TableVal* udp_content_delivery_ports_resp; bool udp_content_deliver_all_orig; bool udp_content_deliver_all_resp; +bool udp_content_delivery_ports_use_resp; double dns_session_timeout; double rpc_timeout; @@ -323,6 +324,8 @@ void init_net_var() bool(internal_val("udp_content_deliver_all_orig")->AsBool()); udp_content_deliver_all_resp = bool(internal_val("udp_content_deliver_all_resp")->AsBool()); + udp_content_delivery_ports_use_resp = + bool(internal_val("udp_content_delivery_ports_use_resp")->AsBool()); dns_session_timeout = opt_internal_double("dns_session_timeout"); rpc_timeout = opt_internal_double("rpc_timeout"); diff --git a/src/NetVar.h b/src/NetVar.h index a02c742859..e579138c8d 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -77,6 +77,7 @@ extern TableVal* udp_content_delivery_ports_orig; extern TableVal* udp_content_delivery_ports_resp; extern bool udp_content_deliver_all_orig; extern bool udp_content_deliver_all_resp; +extern bool udp_content_delivery_ports_use_resp; extern double dns_session_timeout; extern double rpc_timeout; diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc index faaee88075..e5e381b352 100644 --- a/src/analyzer/protocol/udp/UDP.cc +++ b/src/analyzer/protocol/udp/UDP.cc @@ -134,7 +134,9 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, if ( udp_contents ) { - auto port_val = val_mgr->GetPort(ntohs(up->uh_dport), TRANSPORT_UDP); + uint16_t p = udp_content_delivery_ports_use_resp ? Conn()->RespPort() + : up->uh_dport; + auto port_val = val_mgr->GetPort(ntohs(p), TRANSPORT_UDP); bool do_udp_contents = false; if ( is_orig ) diff --git a/testing/btest/Baseline/core.udp-contents-delivery-ports-use-resp/out b/testing/btest/Baseline/core.udp-contents-delivery-ports-use-resp/out new file mode 100644 index 0000000000..611a684c9e --- /dev/null +++ b/testing/btest/Baseline/core.udp-contents-delivery-ports-use-resp/out @@ -0,0 +1,2 @@ +Contents:, [orig_h=172.16.115.20, orig_p=111/udp, resp_h=202.77.162.213, resp_p=54790/udp], F, 56 +Contents:, [orig_h=172.16.115.20, orig_p=111/udp, resp_h=202.77.162.213, resp_p=54790/udp], T, 28 diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 3bb2f44cec..8dd5dba221 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -282,7 +282,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1585876138.391469, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1586209631.620895, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> @@ -463,7 +463,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1585876138.391469, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1586209631.620895, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -547,6 +547,7 @@ 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (X509::certificate_cache_minimum_eviction_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (default_file_bof_buffer_size, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (default_file_timeout_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> +0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (udp_content_delivery_ports_use_resp, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(PacketFilter::build, , ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) -> 0.000000 MetaHookPost CallFunction(PacketFilter::install, , ()) -> @@ -1198,7 +1199,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1585876138.391469, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1586209631.620895, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) @@ -1379,7 +1380,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1585876138.391469, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1586209631.620895, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) @@ -1463,6 +1464,7 @@ 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (X509::certificate_cache_minimum_eviction_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (default_file_bof_buffer_size, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (default_file_timeout_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) +0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (udp_content_delivery_ports_use_resp, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(PacketFilter::build, , ()) 0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) 0.000000 MetaHookPre CallFunction(PacketFilter::install, , ()) @@ -2113,7 +2115,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1585876138.391469, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1586209631.620895, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) @@ -2294,7 +2296,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1585876138.391469, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1586209631.620895, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2378,6 +2380,7 @@ 0.000000 | HookCallFunction Option::set_change_handler(X509::certificate_cache_minimum_eviction_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction Option::set_change_handler(default_file_bof_buffer_size, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction Option::set_change_handler(default_file_timeout_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) +0.000000 | HookCallFunction Option::set_change_handler(udp_content_delivery_ports_use_resp, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction PacketFilter::build() 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, ) 0.000000 | HookCallFunction PacketFilter::install() @@ -2741,7 +2744,7 @@ 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLoadFile base<...>/zeek.bif.zeek 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1585876138.391469, node=zeek, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1586209631.620895, node=zeek, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent filter_change_tracking() 0.000000 | HookQueueEvent zeek_init() diff --git a/testing/btest/core/udp-contents-delivery-ports-use-resp.zeek b/testing/btest/core/udp-contents-delivery-ports-use-resp.zeek new file mode 100644 index 0000000000..2091db1f2e --- /dev/null +++ b/testing/btest/core/udp-contents-delivery-ports-use-resp.zeek @@ -0,0 +1,12 @@ +# @TEST-EXEC: zeek -b -r $TRACES/rpc-portmap-sadmind.pcap %INPUT >out +# @TEST-EXEC: btest-diff out + +redef udp_content_delivery_ports_use_resp = T; +redef udp_content_delivery_ports_orig += {[54790/udp] = T}; +redef udp_content_delivery_ports_resp += {[54790/udp] = T}; +redef likely_server_ports += {54790/udp}; + +event udp_contents(c: connection, is_orig: bool, contents: string) + { + print "Contents:", c$id, is_orig, |contents|; + } From c1b3c9593b09ee39c6c88437e46b02fdaba22f8f Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 7 Apr 2020 13:02:29 -0700 Subject: [PATCH 2/2] Add "udp_content_ports" option Any port in that set found as either source or destination port of a UDP packet will cause the "udp_contents" event to be raised. --- scripts/base/init-bare.zeek | 15 +++++++- src/NetVar.cc | 3 ++ src/NetVar.h | 1 + src/analyzer/protocol/udp/UDP.cc | 37 +++++++++++-------- .../btest/Baseline/core.udp-content-ports/out | 2 + testing/btest/Baseline/plugins.hooks/output | 17 +++++---- testing/btest/core/udp-content-ports.zeek | 9 +++++ 7 files changed, 60 insertions(+), 24 deletions(-) create mode 100644 testing/btest/Baseline/core.udp-content-ports/out create mode 100644 testing/btest/core/udp-content-ports.zeek diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index d89d9d9d72..0faa65d5c5 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -1116,7 +1116,7 @@ const tcp_content_deliver_all_resp = F &redef; ## tcp_content_deliver_all_orig tcp_content_deliver_all_resp ## udp_content_delivery_ports_resp udp_content_deliver_all_orig ## udp_content_deliver_all_resp udp_contents -## udp_content_delivery_ports_use_resp +## udp_content_delivery_ports_use_resp udp_content_ports const udp_content_delivery_ports_orig: table[port] of bool = {} &redef; ## Defines UDP destination ports for which the contents of the responder stream @@ -1126,9 +1126,20 @@ const udp_content_delivery_ports_orig: table[port] of bool = {} &redef; ## tcp_content_delivery_ports_resp tcp_content_deliver_all_orig ## tcp_content_deliver_all_resp udp_content_delivery_ports_orig ## udp_content_deliver_all_orig udp_content_deliver_all_resp udp_contents -## udp_content_delivery_ports_use_resp +## udp_content_delivery_ports_use_resp udp_content_ports const udp_content_delivery_ports_resp: table[port] of bool = {} &redef; +## Defines UDP ports (source or destination) for which the contents of +## either originator or responder streams should be delivered via +## :zeek:see:`udp_contents`. +## +## .. zeek:see:: tcp_content_delivery_ports_orig +## tcp_content_delivery_ports_resp tcp_content_deliver_all_orig +## tcp_content_deliver_all_resp udp_content_delivery_ports_orig +## udp_content_deliver_all_orig udp_content_deliver_all_resp udp_contents +## udp_content_delivery_ports_use_resp udp_content_delivery_ports_resp +option udp_content_ports: set[port] = {}; + ## Whether ports given in :zeek:see:`udp_content_delivery_ports_orig` ## and :zeek:see:`udp_content_delivery_ports_resp` are in terms of ## UDP packet's destination port or the UDP connection's "responder" diff --git a/src/NetVar.cc b/src/NetVar.cc index 0cf80acaf3..cb604c75ba 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -75,6 +75,7 @@ bool tcp_content_deliver_all_resp; TableVal* udp_content_delivery_ports_orig; TableVal* udp_content_delivery_ports_resp; +TableVal* udp_content_ports; bool udp_content_deliver_all_orig; bool udp_content_deliver_all_resp; bool udp_content_delivery_ports_use_resp; @@ -320,6 +321,8 @@ void init_net_var() internal_val("udp_content_delivery_ports_orig")->AsTableVal(); udp_content_delivery_ports_resp = internal_val("udp_content_delivery_ports_resp")->AsTableVal(); + udp_content_ports = + internal_val("udp_content_ports")->AsTableVal(); udp_content_deliver_all_orig = bool(internal_val("udp_content_deliver_all_orig")->AsBool()); udp_content_deliver_all_resp = diff --git a/src/NetVar.h b/src/NetVar.h index e579138c8d..07b1b92f10 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -75,6 +75,7 @@ extern bool tcp_content_deliver_all_resp; extern TableVal* udp_content_delivery_ports_orig; extern TableVal* udp_content_delivery_ports_resp; +extern TableVal* udp_content_ports; extern bool udp_content_deliver_all_orig; extern bool udp_content_deliver_all_resp; extern bool udp_content_delivery_ports_use_resp; diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc index e5e381b352..23f6f88188 100644 --- a/src/analyzer/protocol/udp/UDP.cc +++ b/src/analyzer/protocol/udp/UDP.cc @@ -134,24 +134,33 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, if ( udp_contents ) { - uint16_t p = udp_content_delivery_ports_use_resp ? Conn()->RespPort() - : up->uh_dport; - auto port_val = val_mgr->GetPort(ntohs(p), TRANSPORT_UDP); bool do_udp_contents = false; + auto sport_val = IntrusivePtr{AdoptRef{}, val_mgr->GetPort(ntohs(up->uh_sport), TRANSPORT_UDP)}; + auto dport_val = IntrusivePtr{AdoptRef{}, val_mgr->GetPort(ntohs(up->uh_dport), TRANSPORT_UDP)}; - if ( is_orig ) - { - auto result = udp_content_delivery_ports_orig->Lookup(port_val); - - if ( udp_content_deliver_all_orig || (result && result->AsBool()) ) - do_udp_contents = true; - } + if ( udp_content_ports->Lookup(dport_val.get()) || + udp_content_ports->Lookup(sport_val.get()) ) + do_udp_contents = true; else { - auto result = udp_content_delivery_ports_resp->Lookup(port_val); + uint16_t p = udp_content_delivery_ports_use_resp ? Conn()->RespPort() + : up->uh_dport; + auto port_val = IntrusivePtr{AdoptRef{}, val_mgr->GetPort(ntohs(p), TRANSPORT_UDP)}; - if ( udp_content_deliver_all_resp || (result && result->AsBool()) ) - do_udp_contents = true; + if ( is_orig ) + { + auto result = udp_content_delivery_ports_orig->Lookup(port_val.get()); + + if ( udp_content_deliver_all_orig || (result && result->AsBool()) ) + do_udp_contents = true; + } + else + { + auto result = udp_content_delivery_ports_resp->Lookup(port_val.get()); + + if ( udp_content_deliver_all_resp || (result && result->AsBool()) ) + do_udp_contents = true; + } } if ( do_udp_contents ) @@ -160,8 +169,6 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}, make_intrusive(len, (const char*) data) ); - - Unref(port_val); } if ( is_orig ) diff --git a/testing/btest/Baseline/core.udp-content-ports/out b/testing/btest/Baseline/core.udp-content-ports/out new file mode 100644 index 0000000000..864009bd53 --- /dev/null +++ b/testing/btest/Baseline/core.udp-content-ports/out @@ -0,0 +1,2 @@ +Contents:, [orig_h=202.77.162.213, orig_p=54790/udp, resp_h=172.16.115.20, resp_p=111/udp], T, 56 +Contents:, [orig_h=202.77.162.213, orig_p=54790/udp, resp_h=172.16.115.20, resp_p=111/udp], F, 28 diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 8dd5dba221..af177cac00 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -282,7 +282,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1586209631.620895, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1586289531.944197, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> @@ -463,7 +463,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1586209631.620895, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1586289531.944197, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -548,6 +548,7 @@ 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (default_file_bof_buffer_size, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (default_file_timeout_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (udp_content_delivery_ports_use_resp, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> +0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (udp_content_ports, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(PacketFilter::build, , ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) -> 0.000000 MetaHookPost CallFunction(PacketFilter::install, , ()) -> @@ -1199,7 +1200,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1586209631.620895, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1586289531.944197, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) @@ -1380,7 +1381,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1586209631.620895, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1586289531.944197, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) @@ -1465,6 +1466,7 @@ 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (default_file_bof_buffer_size, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (default_file_timeout_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (udp_content_delivery_ports_use_resp, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) +0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (udp_content_ports, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(PacketFilter::build, , ()) 0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) 0.000000 MetaHookPre CallFunction(PacketFilter::install, , ()) @@ -2115,7 +2117,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1586209631.620895, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1586289531.944197, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) @@ -2296,7 +2298,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1586209631.620895, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1586289531.944197, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2381,6 +2383,7 @@ 0.000000 | HookCallFunction Option::set_change_handler(default_file_bof_buffer_size, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction Option::set_change_handler(default_file_timeout_interval, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction Option::set_change_handler(udp_content_delivery_ports_use_resp, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) +0.000000 | HookCallFunction Option::set_change_handler(udp_content_ports, Config::config_option_changed{ Config::log = (coerce [$ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value)] to Config::Info)if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, Config::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction PacketFilter::build() 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, ) 0.000000 | HookCallFunction PacketFilter::install() @@ -2744,7 +2747,7 @@ 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLoadFile base<...>/zeek.bif.zeek 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1586209631.620895, node=zeek, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1586289531.944197, node=zeek, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent filter_change_tracking() 0.000000 | HookQueueEvent zeek_init() diff --git a/testing/btest/core/udp-content-ports.zeek b/testing/btest/core/udp-content-ports.zeek new file mode 100644 index 0000000000..8679bf2f81 --- /dev/null +++ b/testing/btest/core/udp-content-ports.zeek @@ -0,0 +1,9 @@ +# @TEST-EXEC: zeek -b -r $TRACES/rpc-portmap-sadmind.pcap %INPUT >out +# @TEST-EXEC: btest-diff out + +redef udp_content_ports += { 54790/udp }; + +event udp_contents(c: connection, is_orig: bool, contents: string) + { + print "Contents:", c$id, is_orig, |contents|; + }