Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Split session adapter code into separate files from the analyzers

Browse source
This commit is contained in:
Tim Wojtulewicz 2021-05-27 13:41:05 -07:00
parent b6ab22e9fb
commit 5433f2936e
12 changed files with 281 additions and 235 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/packet_analysis/protocol/icmp/CMakeLists.txt
View file

@ -4,6 +4,6 @@ include(ZeekPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
zeek_plugin_begin(Zeek ICMP) zeek_plugin_begin(Zeek ICMP)
zeek_plugin_cc(ICMP.cc Plugin.cc) zeek_plugin_cc(ICMP.cc ICMPSessionAdapter.cc Plugin.cc)
zeek_plugin_bif(events.bif) zeek_plugin_bif(events.bif)
zeek_plugin_end() zeek_plugin_end()

71
src/packet_analysis/protocol/icmp/ICMP.cc
View file

@ -12,6 +12,7 @@
#include "zeek/analyzer/Manager.h" #include "zeek/analyzer/Manager.h"
#include "zeek/session/Manager.h" #include "zeek/session/Manager.h"
#include "zeek/analyzer/protocol/conn-size/ConnSize.h" #include "zeek/analyzer/protocol/conn-size/ConnSize.h"
#include "zeek/packet_analysis/protocol/icmp/ICMPSessionAdapter.h"
#include "zeek/ZeekString.h" #include "zeek/ZeekString.h"
@ -801,76 +802,6 @@ zeek::VectorValPtr ICMPAnalyzer::BuildNDOptionsVal(int caplen, const u_char* dat
return vv; return vv;
} }
void ICMPSessionAdapter::AddExtraAnalyzers(Connection* conn)
{
static analyzer::Tag analyzer_connsize = analyzer_mgr->GetComponentTag("CONNSIZE");
if ( analyzer_mgr->IsEnabled(analyzer_connsize) )
// Add ConnSize analyzer. Needs to see packets, not stream.
AddChildAnalyzer(new analyzer::conn_size::ConnSize_Analyzer(conn));
}
void ICMPSessionAdapter::UpdateConnVal(zeek::RecordVal* conn_val)
{
const auto& orig_endp = conn_val->GetField("orig");
const auto& resp_endp = conn_val->GetField("resp");
UpdateEndpointVal(orig_endp, true);
UpdateEndpointVal(resp_endp, false);
analyzer::Analyzer::UpdateConnVal(conn_val);
}
void ICMPSessionAdapter::UpdateEndpointVal(const ValPtr& endp_arg, bool is_orig)
{
Conn()->EnableStatusUpdateTimer();
int size = is_orig ? request_len : reply_len;
auto endp = endp_arg->AsRecordVal();
if ( size < 0 )
{
endp->Assign(0, val_mgr->Count(0));
endp->Assign(1, val_mgr->Count(int(ICMP_INACTIVE)));
}
else
{
endp->Assign(0, val_mgr->Count(size));
endp->Assign(1, val_mgr->Count(int(ICMP_ACTIVE)));
}
}
void ICMPSessionAdapter::UpdateLength(bool is_orig, int len)
{
int& len_stat = is_orig ? request_len : reply_len;
if ( len_stat < 0 )
len_stat = len;
else
len_stat += len;
}
void ICMPSessionAdapter::InitEndpointMatcher(const IP_Hdr* ip_hdr, int len, bool is_orig)
{
if ( zeek::detail::rule_matcher )
{
if ( ! matcher_state.MatcherInitialized(is_orig) )
matcher_state.InitEndpointMatcher(this, ip_hdr, len, is_orig, nullptr);
}
}
void ICMPSessionAdapter::MatchEndpoint(const u_char* data, int len, bool is_orig)
{
if ( zeek::detail::rule_matcher )
matcher_state.Match(zeek::detail::Rule::PAYLOAD, data, len, is_orig,
false, false, true);
}
void ICMPSessionAdapter::Done()
{
SessionAdapter::Done();
matcher_state.FinishEndpointMatcher();
}
namespace zeek::packet_analysis::ICMP { namespace zeek::packet_analysis::ICMP {
int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way) int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way)

30
src/packet_analysis/protocol/icmp/ICMP.h
View file

@ -7,7 +7,6 @@
#include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h" #include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h"
#include "zeek/packet_analysis/protocol/ip/SessionAdapter.h" #include "zeek/packet_analysis/protocol/ip/SessionAdapter.h"
#include "zeek/analyzer/Analyzer.h" #include "zeek/analyzer/Analyzer.h"
#include "zeek/RuleMatcher.h"
namespace zeek { namespace zeek {
@ -101,35 +100,6 @@ private:
void UpdateEndpointVal(const ValPtr& endp, bool is_orig); void UpdateEndpointVal(const ValPtr& endp, bool is_orig);
}; };
class ICMPSessionAdapter final : public IP::SessionAdapter {
public:
ICMPSessionAdapter(Connection* conn) :
IP::SessionAdapter("ICMP", conn) { }
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{
return new ICMPSessionAdapter(conn);
}
void AddExtraAnalyzers(Connection* conn) override;
void UpdateConnVal(RecordVal* conn_val) override;
void UpdateEndpointVal(const ValPtr& endp, bool is_orig);
void UpdateLength(bool is_orig, int len);
void Done() override;
void InitEndpointMatcher(const IP_Hdr* ip_hdr, int len, bool is_orig);
void MatchEndpoint(const u_char* data, int len, bool is_orig);
private:
detail::RuleMatcherState matcher_state;
int request_len = -1;
int reply_len = -1;
};
// Returns the counterpart type to the given type (e.g., the counterpart // Returns the counterpart type to the given type (e.g., the counterpart
// to ICMP_ECHOREPLY is ICMP_ECHO). // to ICMP_ECHOREPLY is ICMP_ECHO).
extern int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way); extern int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way);

84
src/packet_analysis/protocol/icmp/ICMPSessionAdapter.cc Normal file
View file

@ -0,0 +1,84 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/packet_analysis/protocol/icmp/ICMPSessionAdapter.h"
#include "zeek/analyzer/Manager.h"
#include "zeek/analyzer/protocol/conn-size/ConnSize.h"
using namespace zeek::packet_analysis::ICMP;
using namespace zeek::packet_analysis::IP;
enum ICMP_EndpointState {
ICMP_INACTIVE, // no packet seen
ICMP_ACTIVE, // packets seen
};
void ICMPSessionAdapter::AddExtraAnalyzers(Connection* conn)
{
static analyzer::Tag analyzer_connsize = analyzer_mgr->GetComponentTag("CONNSIZE");
if ( analyzer_mgr->IsEnabled(analyzer_connsize) )
// Add ConnSize analyzer. Needs to see packets, not stream.
AddChildAnalyzer(new analyzer::conn_size::ConnSize_Analyzer(conn));
}
void ICMPSessionAdapter::UpdateConnVal(zeek::RecordVal* conn_val)
{
const auto& orig_endp = conn_val->GetField("orig");
const auto& resp_endp = conn_val->GetField("resp");
UpdateEndpointVal(orig_endp, true);
UpdateEndpointVal(resp_endp, false);
analyzer::Analyzer::UpdateConnVal(conn_val);
}
void ICMPSessionAdapter::UpdateEndpointVal(const ValPtr& endp_arg, bool is_orig)
{
Conn()->EnableStatusUpdateTimer();
int size = is_orig ? request_len : reply_len;
auto endp = endp_arg->AsRecordVal();
if ( size < 0 )
{
endp->Assign(0, val_mgr->Count(0));
endp->Assign(1, val_mgr->Count(int(ICMP_INACTIVE)));
}
else
{
endp->Assign(0, val_mgr->Count(size));
endp->Assign(1, val_mgr->Count(int(ICMP_ACTIVE)));
}
}
void ICMPSessionAdapter::UpdateLength(bool is_orig, int len)
{
int& len_stat = is_orig ? request_len : reply_len;
if ( len_stat < 0 )
len_stat = len;
else
len_stat += len;
}
void ICMPSessionAdapter::InitEndpointMatcher(const IP_Hdr* ip_hdr, int len, bool is_orig)
{
if ( zeek::detail::rule_matcher )
{
if ( ! matcher_state.MatcherInitialized(is_orig) )
matcher_state.InitEndpointMatcher(this, ip_hdr, len, is_orig, nullptr);
}
}
void ICMPSessionAdapter::MatchEndpoint(const u_char* data, int len, bool is_orig)
{
if ( zeek::detail::rule_matcher )
matcher_state.Match(zeek::detail::Rule::PAYLOAD, data, len, is_orig,
false, false, true);
}
void ICMPSessionAdapter::Done()
{
SessionAdapter::Done();
matcher_state.FinishEndpointMatcher();
}

39
src/packet_analysis/protocol/icmp/ICMPSessionAdapter.h Normal file
View file

@ -0,0 +1,39 @@
// See the file "COPYING" in the main distribution directory for copyright.
#pragma once
#include "zeek/packet_analysis/protocol/ip/SessionAdapter.h"
#include "zeek/RuleMatcher.h"
namespace zeek::packet_analysis::ICMP {
class ICMPSessionAdapter final : public IP::SessionAdapter {
public:
ICMPSessionAdapter(Connection* conn) :
IP::SessionAdapter("ICMP", conn) { }
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{
return new ICMPSessionAdapter(conn);
}
void AddExtraAnalyzers(Connection* conn) override;
void UpdateConnVal(RecordVal* conn_val) override;
void UpdateEndpointVal(const ValPtr& endp, bool is_orig);
void UpdateLength(bool is_orig, int len);
void Done() override;
void InitEndpointMatcher(const IP_Hdr* ip_hdr, int len, bool is_orig);
void MatchEndpoint(const u_char* data, int len, bool is_orig);
private:
detail::RuleMatcherState matcher_state;
int request_len = -1;
int reply_len = -1;
};
} // namespace zeek::packet_analysis::ICMP

1
src/packet_analysis/protocol/icmp/Plugin.cc
View file

@ -3,6 +3,7 @@
#include "zeek/plugin/Plugin.h" #include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h" #include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/icmp/ICMP.h" #include "zeek/packet_analysis/protocol/icmp/ICMP.h"
#include "zeek/packet_analysis/protocol/icmp/ICMPSessionAdapter.h"
#include "zeek/analyzer/Component.h" #include "zeek/analyzer/Component.h"
namespace zeek::plugin::Zeek_ICMP { namespace zeek::plugin::Zeek_ICMP {

2
src/packet_analysis/protocol/udp/CMakeLists.txt
View file

@ -4,6 +4,6 @@ include(ZeekPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
zeek_plugin_begin(Zeek UDP) zeek_plugin_begin(Zeek UDP)
zeek_plugin_cc(UDP.cc Plugin.cc) zeek_plugin_cc(UDP.cc UDPSessionAdapter.cc Plugin.cc)
zeek_plugin_bif(events.bif) zeek_plugin_bif(events.bif)
zeek_plugin_end() zeek_plugin_end()

1
src/packet_analysis/protocol/udp/Plugin.cc
View file

@ -3,6 +3,7 @@
#include "zeek/plugin/Plugin.h" #include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h" #include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/udp/UDP.h" #include "zeek/packet_analysis/protocol/udp/UDP.h"
#include "zeek/packet_analysis/protocol/udp/UDPSessionAdapter.h"
#include "zeek/analyzer/Component.h" #include "zeek/analyzer/Component.h"
namespace zeek::plugin::Zeek_UDP { namespace zeek::plugin::Zeek_UDP {

100
src/packet_analysis/protocol/udp/UDP.cc
View file

@ -7,6 +7,7 @@
#include "zeek/analyzer/Manager.h" #include "zeek/analyzer/Manager.h"
#include "zeek/analyzer/protocol/pia/PIA.h" #include "zeek/analyzer/protocol/pia/PIA.h"
#include "zeek/analyzer/protocol/conn-size/ConnSize.h" #include "zeek/analyzer/protocol/conn-size/ConnSize.h"
#include "zeek/packet_analysis/protocol/udp/UDPSessionAdapter.h"
#include "zeek/packet_analysis/protocol/udp/events.bif.h" #include "zeek/packet_analysis/protocol/udp/events.bif.h"
@ -18,11 +19,6 @@ constexpr uint32_t HIST_RESP_DATA_PKT = 0x2;
constexpr uint32_t HIST_ORIG_CORRUPT_PKT = 0x4; constexpr uint32_t HIST_ORIG_CORRUPT_PKT = 0x4;
constexpr uint32_t HIST_RESP_CORRUPT_PKT = 0x8; constexpr uint32_t HIST_RESP_CORRUPT_PKT = 0x8;
enum UDP_EndpointState {
UDP_INACTIVE, // no packet seen
UDP_ACTIVE, // packets seen
};
UDPAnalyzer::UDPAnalyzer() : IPBasedAnalyzer("UDP", TRANSPORT_UDP, UDP_PORT_MASK, false) UDPAnalyzer::UDPAnalyzer() : IPBasedAnalyzer("UDP", TRANSPORT_UDP, UDP_PORT_MASK, false)
{ {
} }
@ -236,97 +232,3 @@ bool UDPAnalyzer::ValidateChecksum(const IP_Hdr* ip, const udphdr* up, int len)
return sum == 0xffff; return sum == 0xffff;
} }
void UDPSessionAdapter::AddExtraAnalyzers(Connection* conn)
{
static analyzer::Tag analyzer_connsize = analyzer_mgr->GetComponentTag("CONNSIZE");
if ( analyzer_mgr->IsEnabled(analyzer_connsize) )
// Add ConnSize analyzer. Needs to see packets, not stream.
AddChildAnalyzer(new analyzer::conn_size::ConnSize_Analyzer(conn));
}
void UDPSessionAdapter::UpdateConnVal(RecordVal* conn_val)
{
auto orig_endp = conn_val->GetField("orig");
auto resp_endp = conn_val->GetField("resp");
UpdateEndpointVal(orig_endp, true);
UpdateEndpointVal(resp_endp, false);
// Call children's UpdateConnVal
Analyzer::UpdateConnVal(conn_val);
}
void UDPSessionAdapter::UpdateEndpointVal(const ValPtr& endp_arg, bool is_orig)
{
bro_int_t size = is_orig ? request_len : reply_len;
auto endp = endp_arg->AsRecordVal();
if ( size < 0 )
{
endp->Assign(0, val_mgr->Count(0));
endp->Assign(1, UDP_INACTIVE);
}
else
{
endp->Assign(0, static_cast<uint64_t>(size));
endp->Assign(1, UDP_ACTIVE);
}
}
void UDPSessionAdapter::UpdateLength(bool is_orig, int len)
{
if ( is_orig )
{
if ( request_len < 0 )
request_len = len;
else
{
request_len += len;
#ifdef DEBUG
if ( request_len < 0 )
reporter->Warning("wrapping around for UDP request length");
#endif
}
}
else
{
if ( reply_len < 0 )
reply_len = len;
else
{
reply_len += len;
#ifdef DEBUG
if ( reply_len < 0 )
reporter->Warning("wrapping around for UDP reply length");
#endif
}
}
}
void UDPSessionAdapter::HandleBadChecksum(bool is_orig)
{
Weird("bad_UDP_checksum");
if ( is_orig )
{
uint32_t t = req_chk_thresh;
if ( Conn()->ScaledHistoryEntry('C', req_chk_cnt, req_chk_thresh) )
ChecksumEvent(is_orig, t);
}
else
{
uint32_t t = rep_chk_thresh;
if ( Conn()->ScaledHistoryEntry('c', rep_chk_cnt, rep_chk_thresh) )
ChecksumEvent(is_orig, t);
}
}
void UDPSessionAdapter::ChecksumEvent(bool is_orig, uint32_t threshold)
{
Conn()->HistoryThresholdEvent(udp_multiple_checksum_errors, is_orig, threshold);
}

34
src/packet_analysis/protocol/udp/UDP.h
View file

@ -64,38 +64,4 @@ private:
std::vector<uint16_t> vxlan_ports; std::vector<uint16_t> vxlan_ports;
}; };
class UDPSessionAdapter final : public IP::SessionAdapter {
public:
UDPSessionAdapter(Connection* conn) :
IP::SessionAdapter("UDP", conn) { }
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{
return new UDPSessionAdapter(conn);
}
void AddExtraAnalyzers(Connection* conn) override;
void UpdateConnVal(RecordVal* conn_val) override;
void UpdateLength(bool is_orig, int len);
void HandleBadChecksum(bool is_orig);
// For tracking checksum history. These are connection-specific so they
// need to be stored in the session adapter created for each connection.
uint32_t req_chk_cnt = 0;
uint32_t req_chk_thresh = 1;
uint32_t rep_chk_cnt = 0;
uint32_t rep_chk_thresh = 1;
private:
void UpdateEndpointVal(const ValPtr& endp_arg, bool is_orig);
void ChecksumEvent(bool is_orig, uint32_t threshold);
bro_int_t request_len = -1;
bro_int_t reply_len = -1;
};
} }

109
src/packet_analysis/protocol/udp/UDPSessionAdapter.cc Normal file
View file

@ -0,0 +1,109 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/packet_analysis/protocol/udp/UDPSessionAdapter.h"
#include "zeek/analyzer/Manager.h"
#include "zeek/analyzer/protocol/conn-size/ConnSize.h"
#include "zeek/packet_analysis/protocol/udp/events.bif.h"
using namespace zeek::packet_analysis::UDP;
using namespace zeek::packet_analysis::IP;
enum UDP_EndpointState {
UDP_INACTIVE, // no packet seen
UDP_ACTIVE, // packets seen
};
void UDPSessionAdapter::AddExtraAnalyzers(Connection* conn)
{
static analyzer::Tag analyzer_connsize = analyzer_mgr->GetComponentTag("CONNSIZE");
if ( analyzer_mgr->IsEnabled(analyzer_connsize) )
// Add ConnSize analyzer. Needs to see packets, not stream.
AddChildAnalyzer(new analyzer::conn_size::ConnSize_Analyzer(conn));
}
void UDPSessionAdapter::UpdateConnVal(RecordVal* conn_val)
{
auto orig_endp = conn_val->GetField("orig");
auto resp_endp = conn_val->GetField("resp");
UpdateEndpointVal(orig_endp, true);
UpdateEndpointVal(resp_endp, false);
// Call children's UpdateConnVal
Analyzer::UpdateConnVal(conn_val);
}
void UDPSessionAdapter::UpdateEndpointVal(const ValPtr& endp_arg, bool is_orig)
{
bro_int_t size = is_orig ? request_len : reply_len;
auto endp = endp_arg->AsRecordVal();
if ( size < 0 )
{
endp->Assign(0, val_mgr->Count(0));
endp->Assign(1, UDP_INACTIVE);
}
else
{
endp->Assign(0, static_cast<uint64_t>(size));
endp->Assign(1, UDP_ACTIVE);
}
}
void UDPSessionAdapter::UpdateLength(bool is_orig, int len)
{
if ( is_orig )
{
if ( request_len < 0 )
request_len = len;
else
{
request_len += len;
#ifdef DEBUG
if ( request_len < 0 )
reporter->Warning("wrapping around for UDP request length");
#endif
}
}
else
{
if ( reply_len < 0 )
reply_len = len;
else
{
reply_len += len;
#ifdef DEBUG
if ( reply_len < 0 )
reporter->Warning("wrapping around for UDP reply length");
#endif
}
}
}
void UDPSessionAdapter::HandleBadChecksum(bool is_orig)
{
Weird("bad_UDP_checksum");
if ( is_orig )
{
uint32_t t = req_chk_thresh;
if ( Conn()->ScaledHistoryEntry('C', req_chk_cnt, req_chk_thresh) )
ChecksumEvent(is_orig, t);
}
else
{
uint32_t t = rep_chk_thresh;
if ( Conn()->ScaledHistoryEntry('c', rep_chk_cnt, rep_chk_thresh) )
ChecksumEvent(is_orig, t);
}
}
void UDPSessionAdapter::ChecksumEvent(bool is_orig, uint32_t threshold)
{
Conn()->HistoryThresholdEvent(udp_multiple_checksum_errors, is_orig, threshold);
}

43
src/packet_analysis/protocol/udp/UDPSessionAdapter.h Normal file
View file

@ -0,0 +1,43 @@
// See the file "COPYING" in the main distribution directory for copyright.
#pragma once
#include "zeek/packet_analysis/protocol/ip/SessionAdapter.h"
namespace zeek::packet_analysis::UDP {
class UDPSessionAdapter final : public IP::SessionAdapter {
public:
UDPSessionAdapter(Connection* conn) :
IP::SessionAdapter("UDP", conn) { }
static zeek::analyzer::Analyzer* Instantiate(Connection* conn)
{
return new UDPSessionAdapter(conn);
}
void AddExtraAnalyzers(Connection* conn) override;
void UpdateConnVal(RecordVal* conn_val) override;
void UpdateLength(bool is_orig, int len);
void HandleBadChecksum(bool is_orig);
// For tracking checksum history. These are connection-specific so they
// need to be stored in the session adapter created for each connection.
uint32_t req_chk_cnt = 0;
uint32_t req_chk_thresh = 1;
uint32_t rep_chk_cnt = 0;
uint32_t rep_chk_thresh = 1;
private:
void UpdateEndpointVal(const ValPtr& endp_arg, bool is_orig);
void ChecksumEvent(bool is_orig, uint32_t threshold);
bro_int_t request_len = -1;
bro_int_t reply_len = -1;
};
} // namespace zeek::packet_analysis::UDP