Working on TODOs.

- Introducing analyzer::<protocol> namespaces.
- Moving protocol-specific events out of events.bif into analyzer/protocol/<protocol>/events.bif
- Moving ARP over (even though it's not an actual analyzer).
- Moving NetFlow over (even though it's not an actual analyzer).
- Moving MIME over (even though it's not an actual analyzer).
Robin Sommer 2013-04-18 14:39:32 -07:00
parent dfc4cb0881
commit 5dc630f722
210 changed files with 7080 additions and 6608 deletions

cmake

@ -1 +1 @@
Subproject commit 8cc03d64d00676cb75a38543800ac0de192557dd Subproject commit c50757259f509f13227cf28bbd4fd281828a39d2


@ -133,9 +133,6 @@ set(BINPAC_AUXSRC
binpac_target(binpac-lib.pac) binpac_target(binpac-lib.pac)
binpac_target(binpac_bro-lib.pac) binpac_target(binpac_bro-lib.pac)
binpac_target(netflow.pac
netflow-protocol.pac netflow-analyzer.pac)
######################################################################## ########################################################################
## Including subdirectories. ## Including subdirectories.
######################################################################## ########################################################################
@ -212,7 +209,6 @@ set(bro_SRCS
util.cc util.cc
module_util.cc module_util.cc
Anon.cc Anon.cc
ARP.cc
Attr.cc Attr.cc
Base64.cc Base64.cc
BPF_Program.cc BPF_Program.cc
@ -254,7 +250,6 @@ set(bro_SRCS
IPAddr.cc IPAddr.cc
List.cc List.cc
Reporter.cc Reporter.cc
MIME.cc
NFA.cc NFA.cc
Net.cc Net.cc
NetVar.cc NetVar.cc


@ -935,7 +935,7 @@ error:
return false; return false;
} }
void Connection::SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, PIA* pia) void Connection::SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, analyzer::pia::PIA* pia)
{ {
root_analyzer = analyzer; root_analyzer = analyzer;
primary_PIA = pia; primary_PIA = pia;


@ -245,9 +245,9 @@ public:
void DeleteTimer(double t); void DeleteTimer(double t);
// Sets the root of the analyzer tree as well as the primary PIA. // Sets the root of the analyzer tree as well as the primary PIA.
void SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, PIA* pia); void SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, analyzer::pia::PIA* pia);
analyzer::TransportLayerAnalyzer* GetRootAnalyzer() { return root_analyzer; } analyzer::TransportLayerAnalyzer* GetRootAnalyzer() { return root_analyzer; }
PIA* GetPrimaryPIA() { return primary_PIA; } analyzer::pia::PIA* GetPrimaryPIA() { return primary_PIA; }
// Sets the transport protocol in use. // Sets the transport protocol in use.
void SetTransport(TransportProto arg_proto) { proto = arg_proto; } void SetTransport(TransportProto arg_proto) { proto = arg_proto; }
@ -319,7 +319,7 @@ protected:
uint32 hist_seen; uint32 hist_seen;
analyzer::TransportLayerAnalyzer* root_analyzer; analyzer::TransportLayerAnalyzer* root_analyzer;
PIA* primary_PIA; analyzer::pia::PIA* primary_PIA;
uint64 uid; // Globally unique connection ID. uint64 uid; // Globally unique connection ID.
}; };


@ -93,7 +93,6 @@ RecordType* http_stats_rec;
RecordType* http_message_stat; RecordType* http_message_stat;
int truncate_http_URI; int truncate_http_URI;
int pm_request;
RecordType* pm_mapping; RecordType* pm_mapping;
TableType* pm_mappings; TableType* pm_mappings;
RecordType* pm_port_request; RecordType* pm_port_request;
@ -408,14 +407,6 @@ void init_net_var()
http_message_stat = internal_type("http_message_stat")->AsRecordType(); http_message_stat = internal_type("http_message_stat")->AsRecordType();
truncate_http_URI = opt_internal_int("truncate_http_URI"); truncate_http_URI = opt_internal_int("truncate_http_URI");
pm_request = pm_request_null || pm_request_set ||
pm_request_unset || pm_request_getport ||
pm_request_dump || pm_request_callit ||
pm_attempt_null || pm_attempt_set ||
pm_attempt_unset || pm_attempt_getport ||
pm_attempt_dump || pm_attempt_callit ||
pm_bad_port;
pm_mapping = internal_type("pm_mapping")->AsRecordType(); pm_mapping = internal_type("pm_mapping")->AsRecordType();
pm_mappings = internal_type("pm_mappings")->AsTableType(); pm_mappings = internal_type("pm_mappings")->AsTableType();
pm_port_request = internal_type("pm_port_request")->AsRecordType(); pm_port_request = internal_type("pm_port_request")->AsRecordType();


@ -96,7 +96,6 @@ extern RecordType* http_stats_rec;
extern RecordType* http_message_stat; extern RecordType* http_message_stat;
extern int truncate_http_URI; extern int truncate_http_URI;
extern int pm_request;
extern RecordType* pm_mapping; extern RecordType* pm_mapping;
extern TableType* pm_mappings; extern TableType* pm_mappings;
extern RecordType* pm_port_request; extern RecordType* pm_port_request;


@ -4,15 +4,15 @@
#include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/TCP.h"
#include "Scope.h" #include "Scope.h"
static inline bool is_established(const TCP_Endpoint* e) static inline bool is_established(const analyzer::tcp::TCP_Endpoint* e)
{ {
// We more or less follow Snort here: an established session // We more or less follow Snort here: an established session
// is one for which the initial handshake has succeded (but we // is one for which the initial handshake has succeded (but we
// add partial connections). The connection tear-down is part // add partial connections). The connection tear-down is part
// of the connection. // of the connection.
return e->state != TCP_ENDPOINT_INACTIVE && return e->state != analyzer::tcp::TCP_ENDPOINT_INACTIVE &&
e->state != TCP_ENDPOINT_SYN_SENT && e->state != analyzer::tcp::TCP_ENDPOINT_SYN_SENT &&
e->state != TCP_ENDPOINT_SYN_ACK_SENT; e->state != analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT;
} }
bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state, bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state,
@ -23,7 +23,7 @@ bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state,
if ( ! root || ! root->IsAnalyzer("TCP") ) if ( ! root || ! root->IsAnalyzer("TCP") )
return false; return false;
TCP_Analyzer* ta = static_cast<TCP_Analyzer*>(root); analyzer::tcp::TCP_Analyzer* ta = static_cast<analyzer::tcp::TCP_Analyzer*>(root);
if ( tcpstates & STATE_STATELESS ) if ( tcpstates & STATE_STATELESS )
return true; return true;


@ -161,7 +161,7 @@ void RuleHdrTest::PrintDebug()
RuleEndpointState::RuleEndpointState(analyzer::Analyzer* arg_analyzer, bool arg_is_orig, RuleEndpointState::RuleEndpointState(analyzer::Analyzer* arg_analyzer, bool arg_is_orig,
RuleEndpointState* arg_opposite, RuleEndpointState* arg_opposite,
::PIA* arg_PIA) analyzer::pia::PIA* arg_PIA)
{ {
payload_size = -1; payload_size = -1;
analyzer = arg_analyzer; analyzer = arg_analyzer;
@ -565,7 +565,7 @@ static inline bool compare(const vector<IPPrefix>& prefixes, const IPAddr& a,
RuleEndpointState* RuleMatcher::InitEndpoint(analyzer::Analyzer* analyzer, RuleEndpointState* RuleMatcher::InitEndpoint(analyzer::Analyzer* analyzer,
const IP_Hdr* ip, int caplen, const IP_Hdr* ip, int caplen,
RuleEndpointState* opposite, RuleEndpointState* opposite,
bool from_orig, PIA* pia) bool from_orig, analyzer::pia::PIA* pia)
{ {
RuleEndpointState* state = RuleEndpointState* state =
new RuleEndpointState(analyzer, from_orig, opposite, pia); new RuleEndpointState(analyzer, from_orig, opposite, pia);
@ -1301,7 +1301,7 @@ uint32 id_to_uint(const char* id)
} }
void RuleMatcherState::InitEndpointMatcher(analyzer::Analyzer* analyzer, const IP_Hdr* ip, void RuleMatcherState::InitEndpointMatcher(analyzer::Analyzer* analyzer, const IP_Hdr* ip,
int caplen, bool from_orig, PIA* pia) int caplen, bool from_orig, analyzer::pia::PIA* pia)
{ {
if ( ! rule_matcher ) if ( ! rule_matcher )
return; return;


@ -35,8 +35,10 @@ extern const char* current_rule_file;
class RuleMatcher; class RuleMatcher;
extern RuleMatcher* rule_matcher; extern RuleMatcher* rule_matcher;
namespace analyzer { class Analyzer; } namespace analyzer {
class PIA; namespace pia { class PIA; }
class Analyzer;
}
// RuleHdrTest and associated things: // RuleHdrTest and associated things:
@ -152,7 +154,7 @@ public:
// Returns -1 if no chunk has been fed yet at all. // Returns -1 if no chunk has been fed yet at all.
int PayloadSize() { return payload_size; } int PayloadSize() { return payload_size; }
::PIA* PIA() const { return pia; } analyzer::pia::PIA* PIA() const { return pia; }
private: private:
friend class RuleMatcher; friend class RuleMatcher;
@ -160,7 +162,7 @@ private:
// Constructor is private; use RuleMatcher::InitEndpoint() // Constructor is private; use RuleMatcher::InitEndpoint()
// for creating an instance. // for creating an instance.
RuleEndpointState(analyzer::Analyzer* arg_analyzer, bool arg_is_orig, RuleEndpointState(analyzer::Analyzer* arg_analyzer, bool arg_is_orig,
RuleEndpointState* arg_opposite, ::PIA* arg_PIA); RuleEndpointState* arg_opposite, analyzer::pia::PIA* arg_PIA);
struct Matcher { struct Matcher {
RE_Match_State* state; RE_Match_State* state;
@ -173,7 +175,7 @@ private:
bool is_orig; bool is_orig;
analyzer::Analyzer* analyzer; analyzer::Analyzer* analyzer;
RuleEndpointState* opposite; RuleEndpointState* opposite;
::PIA* pia; analyzer::pia::PIA* pia;
matcher_list matchers; matcher_list matchers;
rule_hdr_test_list hdr_tests; rule_hdr_test_list hdr_tests;
@ -208,7 +210,7 @@ public:
// this endpoint). If the matching is triggered by an PIA, a pointer to // this endpoint). If the matching is triggered by an PIA, a pointer to
// it needs to be given. // it needs to be given.
RuleEndpointState* InitEndpoint(analyzer::Analyzer* analyzer, const IP_Hdr* ip, RuleEndpointState* InitEndpoint(analyzer::Analyzer* analyzer, const IP_Hdr* ip,
int caplen, RuleEndpointState* opposite, bool is_orig, PIA* pia); int caplen, RuleEndpointState* opposite, bool is_orig, analyzer::pia::PIA* pia);
// Finish matching for this stream. // Finish matching for this stream.
void FinishEndpoint(RuleEndpointState* state); void FinishEndpoint(RuleEndpointState* state);
@ -311,7 +313,7 @@ public:
// ip may be nil. // ip may be nil.
void InitEndpointMatcher(analyzer::Analyzer* analyzer, const IP_Hdr* ip, void InitEndpointMatcher(analyzer::Analyzer* analyzer, const IP_Hdr* ip,
int caplen, bool from_orig, PIA* pia = 0); int caplen, bool from_orig, analyzer::pia::PIA* pia = 0);
// bol/eol should be set to false for type Rule::PAYLOAD; they're // bol/eol should be set to false for type Rule::PAYLOAD; they're
// deduced automatically. // deduced automatically.


@ -20,8 +20,13 @@
#include "analyzer/protocols/udp/UDP.h" #include "analyzer/protocols/udp/UDP.h"
#include "analyzer/protocols/stepping-stone/SteppingStone.h" #include "analyzer/protocols/stepping-stone/SteppingStone.h"
#include "analyzer/protocols/stepping-stone/events.bif.h"
#include "analyzer/protocols/backdoor/BackDoor.h" #include "analyzer/protocols/backdoor/BackDoor.h"
#include "analyzer/protocols/backdoor/events.bif.h"
#include "analyzer/protocols/interconn/InterConn.h" #include "analyzer/protocols/interconn/InterConn.h"
#include "analyzer/protocols/interconn/events.bif.h"
#include "analyzer/protocols/arp/ARP.h"
#include "analyzer/protocols/arp/events.bif.h"
#include "Discard.h" #include "Discard.h"
#include "RuleMatcher.h" #include "RuleMatcher.h"
@ -102,7 +107,7 @@ NetSessions::NetSessions()
fragments.SetDeleteFunc(bro_obj_delete_func); fragments.SetDeleteFunc(bro_obj_delete_func);
if ( stp_correlate_pair ) if ( stp_correlate_pair )
stp_manager = new SteppingStoneManager(); stp_manager = new analyzer::stepping_stone::SteppingStoneManager();
else else
stp_manager = 0; stp_manager = 0;
@ -141,7 +146,7 @@ NetSessions::NetSessions()
pkt_profiler = 0; pkt_profiler = 0;
if ( arp_request || arp_reply || bad_arp ) if ( arp_request || arp_reply || bad_arp )
arp_analyzer = new ARP_Analyzer(); arp_analyzer = new analyzer::arp::ARP_Analyzer();
else else
arp_analyzer = 0; arp_analyzer = 0;
} }
@ -254,7 +259,7 @@ void NetSessions::NextPacket(double t, const struct pcap_pkthdr* hdr,
DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size, 0); DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size, 0);
} }
else if ( ARP_Analyzer::IsARP(pkt, hdr_size) ) else if ( analyzer::arp::ARP_Analyzer::IsARP(pkt, hdr_size) )
{ {
if ( arp_analyzer ) if ( arp_analyzer )
arp_analyzer->NextPacket(t, hdr, pkt, hdr_size); arp_analyzer->NextPacket(t, hdr, pkt, hdr_size);
@ -521,9 +526,9 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
const struct icmp* icmpp = (const struct icmp *) data; const struct icmp* icmpp = (const struct icmp *) data;
id.src_port = icmpp->icmp_type; id.src_port = icmpp->icmp_type;
id.dst_port = ICMP4_counterpart(icmpp->icmp_type, id.dst_port = analyzer::icmp::ICMP4_counterpart(icmpp->icmp_type,
icmpp->icmp_code, icmpp->icmp_code,
id.is_one_way); id.is_one_way);
id.src_port = htons(id.src_port); id.src_port = htons(id.src_port);
id.dst_port = htons(id.dst_port); id.dst_port = htons(id.dst_port);
@ -537,9 +542,9 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
const struct icmp* icmpp = (const struct icmp *) data; const struct icmp* icmpp = (const struct icmp *) data;
id.src_port = icmpp->icmp_type; id.src_port = icmpp->icmp_type;
id.dst_port = ICMP6_counterpart(icmpp->icmp_type, id.dst_port = analyzer::icmp::ICMP6_counterpart(icmpp->icmp_type,
icmpp->icmp_code, icmpp->icmp_code,
id.is_one_way); id.is_one_way);
id.src_port = htons(id.src_port); id.src_port = htons(id.src_port);
id.dst_port = htons(id.dst_port); id.dst_port = htons(id.dst_port);
@ -962,12 +967,12 @@ void NetSessions::Remove(Connection* c)
{ {
c->CancelTimers(); c->CancelTimers();
TCP_Analyzer* ta = (TCP_Analyzer*) c->GetRootAnalyzer(); analyzer::tcp::TCP_Analyzer* ta = (analyzer::tcp::TCP_Analyzer*) c->GetRootAnalyzer();
if ( ta && c->ConnTransport() == TRANSPORT_TCP ) if ( ta && c->ConnTransport() == TRANSPORT_TCP )
{ {
assert(ta->IsAnalyzer("TCP")); assert(ta->IsAnalyzer("TCP"));
TCP_Endpoint* to = ta->Orig(); analyzer::tcp::TCP_Endpoint* to = ta->Orig();
TCP_Endpoint* tr = ta->Resp(); analyzer::tcp::TCP_Endpoint* tr = ta->Resp();
tcp_stats.StateLeft(to->state, tr->state); tcp_stats.StateLeft(to->state, tr->state);
} }
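Review bot: In `NetSessions::Remove` the root analyzer is still downcast with a C-style cast before anything establishes that the connection is TCP (`analyzer::tcp::TCP_Analyzer* ta = (analyzer::tcp::TCP_Analyzer*) c->GetRootAnalyzer();`), whereas the parallel rewrite in RuleConditionTCPState::DoMatch casts with `static_cast` only after `IsAnalyzer("TCP")` holds. Since this line is being rewritten anyway, hold the root as `analyzer::Analyzer* root = c->GetRootAnalyzer();`, keep the `ConnTransport() == TRANSPORT_TCP` test and the assert, and cast inside the branch with `analyzer::tcp::TCP_Analyzer* ta = static_cast<analyzer::tcp::TCP_Analyzer*>(root);`. That way the TCP-typed pointer never exists for UDP/ICMP connections and the cast style matches the rest of this commit. NetSessions::Remove continues past the end of the hunk.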


@ -6,7 +6,6 @@
#include "Dict.h" #include "Dict.h"
#include "CompHash.h" #include "CompHash.h"
#include "IP.h" #include "IP.h"
#include "ARP.h"
#include "Frag.h" #include "Frag.h"
#include "PacketFilter.h" #include "PacketFilter.h"
#include "Stats.h" #include "Stats.h"
@ -28,11 +27,12 @@ declare(PDict,Connection);
declare(PDict,FragReassembler); declare(PDict,FragReassembler);
class Discarder; class Discarder;
class SteppingStoneManager;
class PacketFilter; class PacketFilter;
class PacketSortElement; class PacketSortElement;
namespace analyzer { namespace stepping_stone { class SteppingStoneManager; } }
namespace analyzer { namespace arp { class ARP_Analyzer; } }
struct SessionStats { struct SessionStats {
int num_TCP_conns; int num_TCP_conns;
int num_UDP_conns; int num_UDP_conns;
@ -129,7 +129,7 @@ public:
void ExpireTimerMgrs(); void ExpireTimerMgrs();
SteppingStoneManager* GetSTPManager() { return stp_manager; } analyzer::stepping_stone::SteppingStoneManager* GetSTPManager() { return stp_manager; }
unsigned int CurrentConnections() unsigned int CurrentConnections()
{ {
@ -185,7 +185,7 @@ public:
unsigned int ConnectionMemoryUsage(); unsigned int ConnectionMemoryUsage();
unsigned int ConnectionMemoryUsageConnVals(); unsigned int ConnectionMemoryUsageConnVals();
unsigned int MemoryAllocation(); unsigned int MemoryAllocation();
TCPStateStats tcp_stats; // keeps statistics on TCP states analyzer::tcp::TCPStateStats tcp_stats; // keeps statistics on TCP states
protected: protected:
friend class RemoteSerializer; friend class RemoteSerializer;
@ -257,9 +257,9 @@ protected:
typedef std::map<IPPair, TunnelActivity> IPTunnelMap; typedef std::map<IPPair, TunnelActivity> IPTunnelMap;
IPTunnelMap ip_tunnels; IPTunnelMap ip_tunnels;
ARP_Analyzer* arp_analyzer; analyzer::arp::ARP_Analyzer* arp_analyzer;
SteppingStoneManager* stp_manager; analyzer::stepping_stone::SteppingStoneManager* stp_manager;
Discarder* discarder; Discarder* discarder;
PacketFilter* packet_filter; PacketFilter* packet_filter;
OSFingerprint* SYN_OS_Fingerprinter; OSFingerprint* SYN_OS_Fingerprinter;


@ -13,12 +13,13 @@
class Rule; class Rule;
class Connection; class Connection;
class PIA;
class IP_Hdr; class IP_Hdr;
class TCP_ApplicationAnalyzer;
namespace analyzer { namespace analyzer {
namespace tcp { class TCP_ApplicationAnalyzer; }
namespace pia { class PIA; }
class Analyzer; class Analyzer;
class AnalyzerTimer; class AnalyzerTimer;
class SupportAnalyzer; class SupportAnalyzer;
@ -546,7 +547,7 @@ protected:
friend class AnalyzerTimer; friend class AnalyzerTimer;
friend class Manager; friend class Manager;
friend class ::Connection; friend class ::Connection;
friend class ::TCP_ApplicationAnalyzer; friend class tcp::TCP_ApplicationAnalyzer;
/** /**
* Associates a connection with this analyzer. Must be called if * Associates a connection with this analyzer. Must be called if
@ -825,13 +826,13 @@ public:
* transport-layer input and determine which protocol analyzer(s) to * transport-layer input and determine which protocol analyzer(s) to
* use for parsing it. * use for parsing it.
*/ */
void SetPIA(PIA* arg_PIA) { pia = arg_PIA; } void SetPIA(pia::PIA* arg_PIA) { pia = arg_PIA; }
/** /**
* Returns the associated PIA, or null of none. Does not take * Returns the associated PIA, or null of none. Does not take
* ownership. * ownership.
*/ */
PIA* GetPIA() const { return pia; } pia::PIA* GetPIA() const { return pia; }
/** /**
* Helper to raise a \c packet_contents event. * Helper to raise a \c packet_contents event.
@ -843,7 +844,7 @@ public:
void PacketContents(const u_char* data, int len); void PacketContents(const u_char* data, int len);
private: private:
PIA* pia; pia::PIA* pia;
}; };
} }


@ -15,4 +15,8 @@ set(analyzer_SRCS
bif_target_for_subdir(analyzer.bif) bif_target_for_subdir(analyzer.bif)
bro_plugin_dependencies(DCE_RPC generate_analyzer.bif)
add_library(bro_analyzer OBJECT ${analyzer_SRCS} ${BIF_OUTPUT_CC} ${BIF_OUTPUT_H}) add_library(bro_analyzer OBJECT ${analyzer_SRCS} ${BIF_OUTPUT_CC} ${BIF_OUTPUT_H})
add_dependencies(bro_analyzer generate_events.bif)
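Review bot: `bro_plugin_dependencies(DCE_RPC generate_analyzer.bif)` singles out one plugin with no explanation, and the TODO list in this same commit admits the cmake dependencies are not yet known to work, so the line reads like a patch for one observed build race rather than a rule. Presumably any plugin whose sources include analyzer.bif.h needs the same ordering, in which case the dependency belongs in the plugin macro rather than here; at minimum add a comment stating why DCE_RPC specifically, e.g. `# DCE_RPC's generated code includes analyzer.bif.h, so that BIF must be generated first.` The new `add_dependencies(bro_analyzer generate_events.bif)` likewise deserves a one-line note saying which generated header the library depends on.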


@ -15,6 +15,8 @@
#include "plugin/Manager.h" #include "plugin/Manager.h"
#include "protocols/tcp/events.bif.h"
using namespace analyzer; using namespace analyzer;
Manager::ConnIndex::ConnIndex(const IPAddr& _orig, const IPAddr& _resp, Manager::ConnIndex::ConnIndex(const IPAddr& _orig, const IPAddr& _resp,
@ -414,35 +416,35 @@ Manager::tag_set* Manager::LookupPort(PortVal* val, bool add_if_not_found)
bool Manager::BuildInitialAnalyzerTree(Connection* conn) bool Manager::BuildInitialAnalyzerTree(Connection* conn)
{ {
Analyzer* analyzer = 0; Analyzer* analyzer = 0;
TCP_Analyzer* tcp = 0; tcp::TCP_Analyzer* tcp = 0;
UDP_Analyzer* udp = 0; udp::UDP_Analyzer* udp = 0;
ICMP_Analyzer* icmp = 0; icmp::ICMP_Analyzer* icmp = 0;
TransportLayerAnalyzer* root = 0; TransportLayerAnalyzer* root = 0;
tag_set expected; tag_set expected;
PIA* pia = 0; pia::PIA* pia = 0;
bool analyzed = false; bool analyzed = false;
bool check_port = false; bool check_port = false;
switch ( conn->ConnTransport() ) { switch ( conn->ConnTransport() ) {
case TRANSPORT_TCP: case TRANSPORT_TCP:
root = tcp = new TCP_Analyzer(conn); root = tcp = new tcp::TCP_Analyzer(conn);
pia = new PIA_TCP(conn); pia = new pia::PIA_TCP(conn);
expected = GetScheduled(conn); expected = GetScheduled(conn);
check_port = true; check_port = true;
DBG_ANALYZER(conn, "activated TCP analyzer"); DBG_ANALYZER(conn, "activated TCP analyzer");
break; break;
case TRANSPORT_UDP: case TRANSPORT_UDP:
root = udp = new UDP_Analyzer(conn); root = udp = new udp::UDP_Analyzer(conn);
pia = new PIA_UDP(conn); pia = new pia::PIA_UDP(conn);
expected = GetScheduled(conn); expected = GetScheduled(conn);
check_port = true; check_port = true;
DBG_ANALYZER(conn, "activated UDP analyzer"); DBG_ANALYZER(conn, "activated UDP analyzer");
break; break;
case TRANSPORT_ICMP: { case TRANSPORT_ICMP: {
root = icmp = new ICMP_Analyzer(conn); root = icmp = new icmp::ICMP_Analyzer(conn);
DBG_ANALYZER(conn, "activated ICMP analyzer"); DBG_ANALYZER(conn, "activated ICMP analyzer");
analyzed = true; analyzed = true;
break; break;
@ -531,12 +533,12 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
if ( IsEnabled(analyzer_backdoor) ) if ( IsEnabled(analyzer_backdoor) )
// Add a BackDoor analyzer if requested. This analyzer // Add a BackDoor analyzer if requested. This analyzer
// can handle both reassembled and non-reassembled input. // can handle both reassembled and non-reassembled input.
tcp->AddChildAnalyzer(new BackDoor_Analyzer(conn), false); tcp->AddChildAnalyzer(new backdoor::BackDoor_Analyzer(conn), false);
if ( IsEnabled(analyzer_interconn) ) if ( IsEnabled(analyzer_interconn) )
// Add a InterConn analyzer if requested. This analyzer // Add a InterConn analyzer if requested. This analyzer
// can handle both reassembled and non-reassembled input. // can handle both reassembled and non-reassembled input.
tcp->AddChildAnalyzer(new InterConn_Analyzer(conn), false); tcp->AddChildAnalyzer(new interconn::InterConn_Analyzer(conn), false);
if ( IsEnabled(analyzer_stepping) ) if ( IsEnabled(analyzer_stepping) )
{ {
@ -550,25 +552,25 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
{ {
AddrVal src(conn->OrigAddr()); AddrVal src(conn->OrigAddr());
if ( ! stp_skip_src->Lookup(&src) ) if ( ! stp_skip_src->Lookup(&src) )
tcp->AddChildAnalyzer(new SteppingStone_Analyzer(conn), false); tcp->AddChildAnalyzer(new stepping_stone::SteppingStone_Analyzer(conn), false);
} }
} }
if ( IsEnabled(analyzer_tcpstats) ) if ( IsEnabled(analyzer_tcpstats) )
// Add TCPStats analyzer. This needs to see packets so // Add TCPStats analyzer. This needs to see packets so
// we cannot add it as a normal child. // we cannot add it as a normal child.
tcp->AddChildPacketAnalyzer(new TCPStats_Analyzer(conn)); tcp->AddChildPacketAnalyzer(new tcp::TCPStats_Analyzer(conn));
if ( IsEnabled(analyzer_connsize) ) if ( IsEnabled(analyzer_connsize) )
// Add ConnSize analyzer. Needs to see packets, not stream. // Add ConnSize analyzer. Needs to see packets, not stream.
tcp->AddChildPacketAnalyzer(new ConnSize_Analyzer(conn)); tcp->AddChildPacketAnalyzer(new conn_size::ConnSize_Analyzer(conn));
} }
else else
{ {
if ( IsEnabled(analyzer_connsize) ) if ( IsEnabled(analyzer_connsize) )
// Add ConnSize analyzer. Needs to see packets, not stream. // Add ConnSize analyzer. Needs to see packets, not stream.
root->AddChildAnalyzer(new ConnSize_Analyzer(conn)); root->AddChildAnalyzer(new conn_size::ConnSize_Analyzer(conn));
} }
if ( pia ) if ( pia )
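Review bot: The locals in `BuildInitialAnalyzerTree` now carry the same names as the namespaces they are instantiated from — `tcp::TCP_Analyzer* tcp`, `udp::UDP_Analyzer* udp`, `icmp::ICMP_Analyzer* icmp`, `pia::PIA* pia` — so `root = tcp = new tcp::TCP_Analyzer(conn);` and `pia = new pia::PIA_TCP(conn);` read as if the object were being used as a scope. This compiles only because the name before `::` is looked up among namespaces and types alone, which most readers and some tooling will not expect, and any later unqualified `tcp` or `pia` in this function refers to the variable rather than the namespace. Either rename the locals (e.g. `tcp_analyzer`, `primary_pia`) or qualify the types from the top (`analyzer::tcp::TCP_Analyzer`) so the shadowing is at least visible. BuildInitialAnalyzerTree continues beyond the hunk.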


@ -1,4 +1,5 @@
add_subdirectory(arp)
add_subdirectory(ayiya) add_subdirectory(ayiya)
add_subdirectory(backdoor) add_subdirectory(backdoor)
add_subdirectory(bittorrent) add_subdirectory(bittorrent)
@ -18,7 +19,9 @@ add_subdirectory(interconn)
add_subdirectory(irc) add_subdirectory(irc)
add_subdirectory(login) add_subdirectory(login)
add_subdirectory(modbus) add_subdirectory(modbus)
add_subdirectory(mime)
add_subdirectory(ncp) add_subdirectory(ncp)
add_subdirectory(netflow)
add_subdirectory(netbios-ssn) add_subdirectory(netbios-ssn)
add_subdirectory(ntp) add_subdirectory(ntp)
add_subdirectory(pia) add_subdirectory(pia)
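Review bot: The new `add_subdirectory(mime)` and `add_subdirectory(netflow)` lines break the alphabetical order the rest of this list keeps: `mime` lands after `modbus` and `netflow` before `netbios-ssn`. Move them so `add_subdirectory(mime)` sits directly before `add_subdirectory(modbus)` and `add_subdirectory(netflow)` directly after `add_subdirectory(netbios-ssn)`, keeping the list sorted and giving future additions an obvious slot.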


@ -1,10 +1,8 @@
- introduce namespace into analyzers
- fill events.bif
- add functions.bif where needed - add functions.bif where needed
- move ARP
- move NetFlow
- update *.h guards - update *.h guards
- cleanup analyzer descriptions - cleanup analyzer descriptions
- can now lower-case the analyzer name in plugin - can now lower-case the analyzer name in plugin
- not sure cmake dependencies work right yet
- rename analyzers/protocols to analyzer/protocol


@ -5,6 +5,9 @@
#include "Event.h" #include "Event.h"
#include "Reporter.h" #include "Reporter.h"
#include "events.bif.h"
using namespace analyzer::arp;
ARP_Analyzer::ARP_Analyzer() ARP_Analyzer::ARP_Analyzer()
{ {


@ -24,7 +24,9 @@
#endif #endif
#include "NetVar.h" #include "NetVar.h"
#include "PacketSort.h"
namespace analyzer { namespace arp {
class ARP_Analyzer : public BroObj { class ARP_Analyzer : public BroObj {
public: public:
@ -53,4 +55,6 @@ protected:
EventHandlerPtr arp_reply; EventHandlerPtr arp_reply;
}; };
} } // namespace analyzer::*
#endif #endif


@ -0,0 +1,15 @@
# This is not an actual analyzer, but used by the core. We still
# maintain it here along with the other analyzers because conceptually
# it's also parsing a protocol just like them. The current structure
# is merely a left-over from when this code was written.
include(BroPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(ARP)
bro_plugin_cc(ARP.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_end()


@ -0,0 +1,7 @@
#include "plugin/Plugin.h"
BRO_PLUGIN_BEGIN(ARP)
BRO_PLUGIN_DESCRIPTION("ARP Parsing Code");
BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END


@ -0,0 +1,63 @@
## Generated for ARP requests.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__
## for more information about the ARP protocol.
##
## mac_src: The request's source MAC address.
##
## mac_dst: The request's destination MAC address.
##
## SPA: The sender protocol address.
##
## SHA: The sender hardware address.
##
## TPA: The target protocol address.
##
## THA: The target hardware address.
##
## .. bro:see:: arp_reply bad_arp
event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
TPA: addr, THA: string%);
## Generated for ARP replies.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__
## for more information about the ARP protocol.
##
## mac_src: The reply's source MAC address.
##
## mac_dst: The reply's destination MAC address.
##
## SPA: The sender protocol address.
##
## SHA: The sender hardware address.
##
## TPA: The target protocol address.
##
## THA: The target hardware address.
##
## .. bro:see:: arp_request bad_arp
event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
TPA: addr, THA: string%);
## Generated for ARP packets that Bro cannot interpret. Examples are packets
## with non-standard hardware address formats or hardware addresses that do not
## match the originator of the packet.
##
## SPA: The sender protocol address.
##
## SHA: The sender hardware address.
##
## TPA: The target protocol address.
##
## THA: The target hardware address.
##
## explanation: A short description of why the ARP packet is considered "bad".
##
## .. bro:see:: arp_reply arp_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%);
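Review bot: The `.. todo::` block on `bad_arp` is not accurate for ARP: it says the analyzer must be enabled by registering a port or adding a DPD payload signature, but ARP is dispatched at link level and Sessions.cc in this same commit instantiates `ARP_Analyzer` whenever a handler for `arp_request`, `arp_reply` or `bad_arp` exists, with no ports or DPD involved. Replace the todo with something like `## .. note:: The ARP analyzer is activated automatically as soon as a handler for arp_request, arp_reply or bad_arp is defined; no port registration or DPD signature is needed.` It is also worth stating explicitly that `bad_arp` is the hook for the spoofing-style anomalies the description mentions (a sender hardware address that does not match the frame's originator), since that is the event a detection script would handle. The Wikipedia pointer used on the other two events could be added here for consistency.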


@ -1,4 +1,9 @@
#include "AYIYA.h" #include "AYIYA.h"
#include "Func.h"
#include "events.bif.h"
using namespace analyzer::ayiya;
AYIYA_Analyzer::AYIYA_Analyzer(Connection* conn) AYIYA_Analyzer::AYIYA_Analyzer(Connection* conn)
: Analyzer("AYIYA", conn) : Analyzer("AYIYA", conn)


@ -3,6 +3,8 @@
#include "ayiya_pac.h" #include "ayiya_pac.h"
namespace analyzer { namespace ayiya {
class AYIYA_Analyzer : public analyzer::Analyzer { class AYIYA_Analyzer : public analyzer::Analyzer {
public: public:
AYIYA_Analyzer(Connection* conn); AYIYA_Analyzer(Connection* conn);
@ -21,4 +23,6 @@ protected:
binpac::AYIYA::AYIYA_Conn* interp; binpac::AYIYA::AYIYA_Conn* interp;
}; };
} } // namespace analyzer::*
#endif #endif


@ -5,6 +5,6 @@
BRO_PLUGIN_BEGIN(AYIYA) BRO_PLUGIN_BEGIN(AYIYA)
BRO_PLUGIN_DESCRIPTION("AYIYA Analyzer"); BRO_PLUGIN_DESCRIPTION("AYIYA Analyzer");
BRO_PLUGIN_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("AYIYA", ayiya::AYIYA_Analyzer);
BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END BRO_PLUGIN_END


@ -2,6 +2,10 @@
%include binpac.pac %include binpac.pac
%include bro.pac %include bro.pac
%extern{
#include "events.bif.h"
%}
analyzer AYIYA withcontext { analyzer AYIYA withcontext {
connection: AYIYA_Conn; connection: AYIYA_Conn;
flow: AYIYA_Flow; flow: AYIYA_Flow;


@ -7,7 +7,11 @@
#include "Net.h" #include "Net.h"
#include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/TCP.h"
BackDoorEndpoint::BackDoorEndpoint(TCP_Endpoint* e) #include "events.bif.h"
using namespace analyzer::backdoor;
BackDoorEndpoint::BackDoorEndpoint(tcp::TCP_Endpoint* e)
{ {
endp = e; endp = e;
is_partial = 0; is_partial = 0;
@ -53,7 +57,7 @@ int BackDoorEndpoint::DataSent(double /* t */, int seq,
if ( len <= 0 ) if ( len <= 0 )
return 0; return 0;
if ( endp->state == TCP_ENDPOINT_PARTIAL ) if ( endp->state == tcp::TCP_ENDPOINT_PARTIAL )
is_partial = 1; is_partial = 1;
int ack = endp->AckSeq() - endp->StartSeq(); int ack = endp->AckSeq() - endp->StartSeq();
@ -681,7 +685,7 @@ int BackDoorEndpoint::CheckForString(const char* str,
BackDoor_Analyzer::BackDoor_Analyzer(Connection* c) BackDoor_Analyzer::BackDoor_Analyzer(Connection* c)
: TCP_ApplicationAnalyzer("BACKDOOR", c) : tcp::TCP_ApplicationAnalyzer("BACKDOOR", c)
{ {
orig_endp = resp_endp = 0; orig_endp = resp_endp = 0;
@ -701,7 +705,7 @@ BackDoor_Analyzer::~BackDoor_Analyzer()
void BackDoor_Analyzer::Init() void BackDoor_Analyzer::Init()
{ {
TCP_ApplicationAnalyzer::Init(); tcp::TCP_ApplicationAnalyzer::Init();
assert(TCP()); assert(TCP());
orig_endp = new BackDoorEndpoint(TCP()->Orig()); orig_endp = new BackDoorEndpoint(TCP()->Orig());
@ -740,7 +744,7 @@ void BackDoor_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
void BackDoor_Analyzer::Done() void BackDoor_Analyzer::Done()
{ {
TCP_ApplicationAnalyzer::Done(); tcp::TCP_ApplicationAnalyzer::Done();
if ( ! IsFinished() ) if ( ! IsFinished() )
{ {


@ -8,9 +8,11 @@
#include "NetVar.h" #include "NetVar.h"
#include "analyzer/protocols/login/Login.h" #include "analyzer/protocols/login/Login.h"
namespace analyzer { namespace backdoor {
class BackDoorEndpoint { class BackDoorEndpoint {
public: public:
BackDoorEndpoint(TCP_Endpoint* e); BackDoorEndpoint(tcp::TCP_Endpoint* e);
int DataSent(double t, int seq, int len, int caplen, const u_char* data, int DataSent(double t, int seq, int len, int caplen, const u_char* data,
const IP_Hdr* ip, const struct tcphdr* tp); const IP_Hdr* ip, const struct tcphdr* tp);
@ -44,7 +46,7 @@ protected:
int CheckForFullString(const char* str, const u_char* data, int len); int CheckForFullString(const char* str, const u_char* data, int len);
int CheckForString(const char* str, const u_char* data, int len); int CheckForString(const char* str, const u_char* data, int len);
TCP_Endpoint* endp; tcp::TCP_Endpoint* endp;
int is_partial; int is_partial;
int max_top_seq; int max_top_seq;
@ -62,7 +64,7 @@ protected:
uint32 num_7bit_ascii; uint32 num_7bit_ascii;
}; };
class BackDoor_Analyzer : public TCP_ApplicationAnalyzer { class BackDoor_Analyzer : public tcp::TCP_ApplicationAnalyzer {
public: public:
BackDoor_Analyzer(Connection* c); BackDoor_Analyzer(Connection* c);
~BackDoor_Analyzer(); ~BackDoor_Analyzer();
@ -105,4 +107,6 @@ protected:
BackDoor_Analyzer* analyzer; BackDoor_Analyzer* analyzer;
}; };
} } // namespace analyzer::*
#endif #endif


@ -5,6 +5,6 @@
BRO_PLUGIN_BEGIN(BackDoor) BRO_PLUGIN_BEGIN(BackDoor)
BRO_PLUGIN_DESCRIPTION("Backdoor Analyzer (deprecated)"); BRO_PLUGIN_DESCRIPTION("Backdoor Analyzer (deprecated)");
BRO_PLUGIN_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("BACKDOOR", backdoor::BackDoor_Analyzer);
BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END BRO_PLUGIN_END


@ -0,0 +1,32 @@
## Deprecated. Will be removed.
event backdoor_stats%(c: connection, os: backdoor_endp_stats, rs: backdoor_endp_stats%);
## Deprecated. Will be removed.
event backdoor_remove_conn%(c: connection%);
## Deprecated. Will be removed.
event ftp_signature_found%(c: connection%);
## Deprecated. Will be removed.
event gnutella_signature_found%(c: connection%);
## Deprecated. Will be removed.
event http_signature_found%(c: connection%);
## Deprecated. Will be removed.
event irc_signature_found%(c: connection%);
## Deprecated. Will be removed.
event telnet_signature_found%(c: connection, is_orig: bool, len: count%);
## Deprecated. Will be removed.
event ssh_signature_found%(c: connection, is_orig: bool%);
## Deprecated. Will be removed.
event rlogin_signature_found%(c: connection, is_orig: bool, num_null: count, len: count%);
## Deprecated. Will be removed.
event smtp_signature_found%(c: connection%);
## Deprecated. Will be removed.
event http_proxy_signature_found%(c: connection%);


@ -3,8 +3,12 @@
#include "BitTorrent.h" #include "BitTorrent.h"
#include "analyzer/protocols/tcp/TCP_Reassembler.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h"
#include "events.bif.h"
using namespace analyzer::bittorrent;
BitTorrent_Analyzer::BitTorrent_Analyzer(Connection* c) BitTorrent_Analyzer::BitTorrent_Analyzer(Connection* c)
: TCP_ApplicationAnalyzer("BITTORRENT", c) : tcp::TCP_ApplicationAnalyzer("BITTORRENT", c)
{ {
interp = new binpac::BitTorrent::BitTorrent_Conn(this); interp = new binpac::BitTorrent::BitTorrent_Conn(this);
stop_orig = stop_resp = false; stop_orig = stop_resp = false;
@ -18,7 +22,7 @@ BitTorrent_Analyzer::~BitTorrent_Analyzer()
void BitTorrent_Analyzer::Done() void BitTorrent_Analyzer::Done()
{ {
TCP_ApplicationAnalyzer::Done(); tcp::TCP_ApplicationAnalyzer::Done();
interp->FlowEOF(true); interp->FlowEOF(true);
interp->FlowEOF(false); interp->FlowEOF(false);
@ -29,7 +33,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
uint64& this_stream_len = orig ? stream_len_orig : stream_len_resp; uint64& this_stream_len = orig ? stream_len_orig : stream_len_resp;
bool& this_stop = orig ? stop_orig : stop_resp; bool& this_stop = orig ? stop_orig : stop_resp;
TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP()); assert(TCP());
@ -66,7 +70,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
void BitTorrent_Analyzer::Undelivered(int seq, int len, bool orig) void BitTorrent_Analyzer::Undelivered(int seq, int len, bool orig)
{ {
TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
// TODO: Code commented out for now. I think that shoving data that // TODO: Code commented out for now. I think that shoving data that
// is definitely wrong into the parser seems like a really bad idea. // is definitely wrong into the parser seems like a really bad idea.
@ -108,7 +112,7 @@ void BitTorrent_Analyzer::Undelivered(int seq, int len, bool orig)
void BitTorrent_Analyzer::EndpointEOF(bool is_orig) void BitTorrent_Analyzer::EndpointEOF(bool is_orig)
{ {
TCP_ApplicationAnalyzer::EndpointEOF(is_orig); tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
interp->FlowEOF(is_orig); interp->FlowEOF(is_orig);
} }


@ -7,7 +7,9 @@
#include "bittorrent_pac.h" #include "bittorrent_pac.h"
class BitTorrent_Analyzer : public TCP_ApplicationAnalyzer { namespace analyzer { namespace bittorrent {
class BitTorrent_Analyzer : public tcp::TCP_ApplicationAnalyzer {
public: public:
BitTorrent_Analyzer(Connection* conn); BitTorrent_Analyzer(Connection* conn);
virtual ~BitTorrent_Analyzer(); virtual ~BitTorrent_Analyzer();
@ -28,4 +30,6 @@ protected:
uint64 stream_len_orig, stream_len_resp; uint64 stream_len_orig, stream_len_resp;
}; };
} } // namespace analyzer::*
#endif #endif


@ -3,6 +3,8 @@
#include "BitTorrentTracker.h" #include "BitTorrentTracker.h"
#include "analyzer/protocols/tcp/TCP_Reassembler.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h"
#include "events.bif.h"
#include <sys/types.h> #include <sys/types.h>
#include <regex.h> #include <regex.h>
@ -11,6 +13,8 @@
# define FMT_INT "%" PRId64 # define FMT_INT "%" PRId64
# define FMT_UINT "%" PRIu64 # define FMT_UINT "%" PRIu64
using namespace analyzer::bittorrent;
static TableType* bt_tracker_headers = 0; static TableType* bt_tracker_headers = 0;
static RecordType* bittorrent_peer; static RecordType* bittorrent_peer;
static TableType* bittorrent_peer_set; static TableType* bittorrent_peer_set;
@ -18,7 +22,7 @@ static RecordType* bittorrent_benc_value;
static TableType* bittorrent_benc_dir; static TableType* bittorrent_benc_dir;
BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(Connection* c) BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(Connection* c)
: TCP_ApplicationAnalyzer("BITTORRENT", c) : tcp::TCP_ApplicationAnalyzer("BITTORRENT", c)
{ {
if ( ! bt_tracker_headers ) if ( ! bt_tracker_headers )
{ {
@ -74,13 +78,13 @@ BitTorrentTracker_Analyzer::~BitTorrentTracker_Analyzer()
void BitTorrentTracker_Analyzer::Done() void BitTorrentTracker_Analyzer::Done()
{ {
TCP_ApplicationAnalyzer::Done(); tcp::TCP_ApplicationAnalyzer::Done();
} }
void BitTorrentTracker_Analyzer::DeliverStream(int len, const u_char* data, void BitTorrentTracker_Analyzer::DeliverStream(int len, const u_char* data,
bool orig) bool orig)
{ {
TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
assert(TCP()); assert(TCP());
@ -205,7 +209,7 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data)
void BitTorrentTracker_Analyzer::Undelivered(int seq, int len, bool orig) void BitTorrentTracker_Analyzer::Undelivered(int seq, int len, bool orig)
{ {
TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
ProtocolViolation("BitTorrentTracker: cannot recover from content gap"); ProtocolViolation("BitTorrentTracker: cannot recover from content gap");
@ -217,7 +221,7 @@ void BitTorrentTracker_Analyzer::Undelivered(int seq, int len, bool orig)
void BitTorrentTracker_Analyzer::EndpointEOF(bool is_orig) void BitTorrentTracker_Analyzer::EndpointEOF(bool is_orig)
{ {
TCP_ApplicationAnalyzer::EndpointEOF(is_orig); tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
} }
void BitTorrentTracker_Analyzer::InitBencParser(void) void BitTorrentTracker_Analyzer::InitBencParser(void)


@ -7,6 +7,8 @@
#define BTTRACKER_BUF 2048 #define BTTRACKER_BUF 2048
namespace analyzer { namespace bittorrent {
// If the following is defined, then the analyzer will store all of // If the following is defined, then the analyzer will store all of
// the headers seen in tracker messages. // the headers seen in tracker messages.
//#define BTTRACKER_STORE_HEADERS 1 //#define BTTRACKER_STORE_HEADERS 1
@ -40,7 +42,7 @@ enum btt_benc_states {
BENC_STATE_STR2, BENC_STATE_STR2,
}; };
class BitTorrentTracker_Analyzer : public TCP_ApplicationAnalyzer { class BitTorrentTracker_Analyzer : public tcp::TCP_ApplicationAnalyzer {
public: public:
BitTorrentTracker_Analyzer(Connection* conn); BitTorrentTracker_Analyzer(Connection* conn);
virtual ~BitTorrentTracker_Analyzer(); virtual ~BitTorrentTracker_Analyzer();
@ -126,4 +128,6 @@ protected:
bool stop_orig, stop_resp; bool stop_orig, stop_resp;
}; };
} } // namespace analyzer::*
#endif #endif


@ -6,7 +6,7 @@
BRO_PLUGIN_BEGIN(BitTorrent) BRO_PLUGIN_BEGIN(BitTorrent)
BRO_PLUGIN_DESCRIPTION("BitTorrent Analyzer"); BRO_PLUGIN_DESCRIPTION("BitTorrent Analyzer");
BRO_PLUGIN_ANALYZER("BitTorrent", BitTorrent_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("BitTorrent", bittorrent::BitTorrent_Analyzer);
BRO_PLUGIN_ANALYZER("BitTorrentTracker", BitTorrentTracker_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("BitTorrentTracker", bittorrent::BitTorrent_Analyzer);
BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END BRO_PLUGIN_END
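Review bot: The line `BRO_PLUGIN_ANALYZER("BitTorrentTracker", bittorrent::BitTorrent_Analyzer);` registers the peer-wire analyzer under the tracker tag, whereas the removed line registered BitTorrentTracker_Analyzer::InstantiateAnalyzer. As written, the BitTorrentTracker tag would instantiate the peer analyzer, so tracker exchanges would never reach BitTorrentTracker_Analyzer and the bt_tracker_* events declared in the new events.bif could not fire; any port registration or DPD signature for the tracker would silently attach the wrong parser. It should read `BRO_PLUGIN_ANALYZER("BitTorrentTracker", bittorrent::BitTorrentTracker_Analyzer);`.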


@ -5,6 +5,8 @@
%extern{ %extern{
#define MSGLEN_LIMIT 0x40000 #define MSGLEN_LIMIT 0x40000
#include "events.bif.h"
%} %}
analyzer BitTorrent withcontext { analyzer BitTorrent withcontext {


@ -0,0 +1,226 @@
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
## bittorrent_peer_weird
event bittorrent_peer_handshake%(c: connection, is_orig: bool,
reserved: string, info_hash: string, peer_id: string%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
## bittorrent_peer_weird
event bittorrent_peer_keep_alive%(c: connection, is_orig: bool%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
## bittorrent_peer_unknown bittorrent_peer_weird
event bittorrent_peer_choke%(c: connection, is_orig: bool%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request
## bittorrent_peer_unknown bittorrent_peer_weird
event bittorrent_peer_unchoke%(c: connection, is_orig: bool%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive
## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
## bittorrent_peer_weird
event bittorrent_peer_interested%(c: connection, is_orig: bool%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
## bittorrent_peer_weird
event bittorrent_peer_not_interested%(c: connection, is_orig: bool%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_interested bittorrent_peer_keep_alive
## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
## bittorrent_peer_weird
event bittorrent_peer_have%(c: connection, is_orig: bool, piece_index: count%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake
## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
## bittorrent_peer_weird
event bittorrent_peer_bitfield%(c: connection, is_orig: bool, bitfield: string%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_unchoke bittorrent_peer_unknown
## bittorrent_peer_weird
event bittorrent_peer_request%(c: connection, is_orig: bool, index: count,
begin: count, length: count%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
## bittorrent_peer_weird
event bittorrent_peer_piece%(c: connection, is_orig: bool, index: count,
begin: count, piece_length: count%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
## bittorrent_peer_unknown bittorrent_peer_weird
event bittorrent_peer_cancel%(c: connection, is_orig: bool, index: count,
begin: count, length: count%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
## bittorrent_peer_weird
event bittorrent_peer_port%(c: connection, is_orig: bool, listen_port: port%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
## bittorrent_peer_weird
event bittorrent_peer_unknown%(c: connection, is_orig: bool, message_id: count,
data: string%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
## bittorrent_peer_unknown
event bittorrent_peer_weird%(c: connection, is_orig: bool, msg: string%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
## bittorrent_peer_unknown bittorrent_peer_weird
event bt_tracker_request%(c: connection, uri: string,
headers: bt_tracker_headers%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
## bittorrent_peer_unknown bittorrent_peer_weird
event bt_tracker_response%(c: connection, status: count,
headers: bt_tracker_headers,
peers: bittorrent_peer_set,
benc: bittorrent_benc_dir%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
## bittorrent_peer_unknown bittorrent_peer_weird
event bt_tracker_response_not_ok%(c: connection, status: count,
headers: bt_tracker_headers%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
## more information about the BitTorrent protocol.
##
## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
## bittorrent_peer_unknown bittorrent_peer_weird
event bt_tracker_weird%(c: connection, is_orig: bool, msg: string%);


@ -6,7 +6,9 @@
#include "ConnSize.h" #include "ConnSize.h"
#include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/TCP.h"
#include "events.bif.h"
using namespace analyzer::conn_size;
ConnSize_Analyzer::ConnSize_Analyzer(Connection* c) ConnSize_Analyzer::ConnSize_Analyzer(Connection* c)
: Analyzer("CONNSIZE", c) : Analyzer("CONNSIZE", c)


@ -7,6 +7,7 @@
#include "analyzer/Analyzer.h" #include "analyzer/Analyzer.h"
#include "NetVar.h" #include "NetVar.h"
namespace analyzer { namespace conn_size {
class ConnSize_Analyzer : public analyzer::Analyzer { class ConnSize_Analyzer : public analyzer::Analyzer {
public: public:
@ -34,4 +35,6 @@ protected:
uint64_t resp_pkts; uint64_t resp_pkts;
}; };
} } // namespace analyzer::*
#endif #endif


@ -5,6 +5,6 @@
BRO_PLUGIN_BEGIN(ConnSize) BRO_PLUGIN_BEGIN(ConnSize)
BRO_PLUGIN_DESCRIPTION("Connection size analyzer"); BRO_PLUGIN_DESCRIPTION("Connection size analyzer");
BRO_PLUGIN_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("CONNSIZE", conn_size::ConnSize_Analyzer);
BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END BRO_PLUGIN_END


@ -13,6 +13,10 @@ using namespace std;
#include "analyzer/Manager.h" #include "analyzer/Manager.h"
#include "events.bif.h"
using namespace analyzer::dce_rpc;
#define xbyte(b, n) (((const u_char*) (b))[n]) #define xbyte(b, n) (((const u_char*) (b))[n])
#define extract_uint16(little_endian, bytes) \ #define extract_uint16(little_endian, bytes) \
@ -27,7 +31,7 @@ static int uuid_index[] = {
12, 13, 14, 15 12, 13, 14, 15
}; };
const char* uuid_to_string(const u_char* uuid_data) const char* analyzer::dce_rpc::uuid_to_string(const u_char* uuid_data)
{ {
static char s[1024]; static char s[1024];
char* sp = s; char* sp = s;
@ -443,7 +447,7 @@ void DCE_RPC_Session::DeliverEpmapperMapResponse(
Contents_DCE_RPC_Analyzer::Contents_DCE_RPC_Analyzer(Connection* conn, Contents_DCE_RPC_Analyzer::Contents_DCE_RPC_Analyzer(Connection* conn,
bool orig, DCE_RPC_Session* arg_session, bool speculative) bool orig, DCE_RPC_Session* arg_session, bool speculative)
: TCP_SupportAnalyzer("CONTENTS_DCE_RPC", conn, orig) : tcp::TCP_SupportAnalyzer("CONTENTS_DCE_RPC", conn, orig)
{ {
session = arg_session; session = arg_session;
msg_buf = 0; msg_buf = 0;
@ -475,10 +479,10 @@ Contents_DCE_RPC_Analyzer::~Contents_DCE_RPC_Analyzer()
void Contents_DCE_RPC_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void Contents_DCE_RPC_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
TCP_SupportAnalyzer::DeliverStream(len, data, orig); tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
TCP_Analyzer* tcp = tcp::TCP_Analyzer* tcp =
static_cast<TCP_ApplicationAnalyzer*>(Parent())->TCP(); static_cast<tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
if ( tcp->HadGap(orig) || tcp->IsPartial() ) if ( tcp->HadGap(orig) || tcp->IsPartial() )
return; return;
@ -567,7 +571,7 @@ bool Contents_DCE_RPC_Analyzer::ParseHeader()
} }
DCE_RPC_Analyzer::DCE_RPC_Analyzer(Connection* conn, bool arg_speculative) DCE_RPC_Analyzer::DCE_RPC_Analyzer(Connection* conn, bool arg_speculative)
: TCP_ApplicationAnalyzer("DCE_RPC", conn) : tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn)
{ {
session = new DCE_RPC_Session(this); session = new DCE_RPC_Session(this);
speculative = arg_speculative; speculative = arg_speculative;
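Review bot: In Contents_DCE_RPC_Analyzer::DeliverStream the requalified line `static_cast<tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();` downcasts Parent() unchecked and the result `tcp` is dereferenced on the next line with no null check; the commit only changes the type name, so the gap remains. If a support analyzer can be attached under a parent that is not a tcp::TCP_ApplicationAnalyzer, or before its TCP() is set, this is undefined behaviour rather than a reportable protocol violation. A guard such as `if ( ! tcp ) return;` after the cast, with an assert (or a dynamic_cast in debug builds) documenting the parent-type assumption, would make the invariant explicit. DeliverStream's body continues outside the hunk.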


@ -8,10 +8,14 @@
#include "NetVar.h" #include "NetVar.h"
#include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/TCP.h"
#include "analyzer/protocols/dce-rpc/events.bif.h"
#include "IPAddr.h" #include "IPAddr.h"
#include "dce_rpc_simple_pac.h" #include "dce_rpc_simple_pac.h"
namespace analyzer { namespace dce_rpc {
class UUID { class UUID {
public: public:
UUID(); UUID();
@ -145,7 +149,7 @@ protected:
} mapped; } mapped;
}; };
class Contents_DCE_RPC_Analyzer : public TCP_SupportAnalyzer { class Contents_DCE_RPC_Analyzer : public tcp::TCP_SupportAnalyzer {
public: public:
Contents_DCE_RPC_Analyzer(Connection* conn, bool orig, DCE_RPC_Session* session, Contents_DCE_RPC_Analyzer(Connection* conn, bool orig, DCE_RPC_Session* session,
bool speculative); bool speculative);
@ -169,7 +173,7 @@ protected:
DCE_RPC_Session* session; DCE_RPC_Session* session;
}; };
class DCE_RPC_Analyzer : public TCP_ApplicationAnalyzer { class DCE_RPC_Analyzer : public tcp::TCP_ApplicationAnalyzer {
public: public:
DCE_RPC_Analyzer(Connection* conn, bool speculative = false); DCE_RPC_Analyzer(Connection* conn, bool speculative = false);
~DCE_RPC_Analyzer(); ~DCE_RPC_Analyzer();
@ -182,4 +186,6 @@ protected:
bool speculative; bool speculative;
}; };
} } // namespace analyzer::*
#endif /* dce_rpc_h */ #endif /* dce_rpc_h */
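Review bot: The new `#include "analyzer/protocols/dce-rpc/events.bif.h"` in DCE_RPC.h is the only place on this page that names the generated events header by full path; every other analyzer in the commit includes `"events.bif.h"` relative to its own directory (ConnSize.cc, DHCP.cc, the .pac files), so the two forms presumably rely on different include-path setups. For consistency `#include "events.bif.h"` matches the rest of the commit, and since the other analyzers only include the generated header from their .cc and .pac files, it may be worth checking whether DCE_RPC.h needs it at all — a public header that pulls in a generated file makes every includer depend on that file being built first.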


@ -5,7 +5,7 @@
BRO_PLUGIN_BEGIN(DCE_RPC) BRO_PLUGIN_BEGIN(DCE_RPC)
BRO_PLUGIN_DESCRIPTION("DCE-RPC Analyzer"); BRO_PLUGIN_DESCRIPTION("DCE-RPC Analyzer");
BRO_PLUGIN_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("DCE_RPC", dce_rpc::DCE_RPC_Analyzer);
BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DCE_RPC"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DCE_RPC");
BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END BRO_PLUGIN_END


@ -1,6 +1,10 @@
%include binpac.pac %include binpac.pac
%include bro.pac %include bro.pac
%extern{
#include "events.bif.h"
%}
analyzer DCE_RPC withcontext { analyzer DCE_RPC withcontext {
connection: DCE_RPC_Conn; connection: DCE_RPC_Conn;
flow: DCE_RPC_Flow; flow: DCE_RPC_Flow;


@ -1,5 +1,9 @@
%include bro.pac %include bro.pac
%extern{
#include "events.bif.h"
%}
analyzer DCE_RPC_Simple withcontext {}; analyzer DCE_RPC_Simple withcontext {};
%include dce_rpc-protocol.pac %include dce_rpc-protocol.pac


@ -0,0 +1,55 @@
## TODO.
##
## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_request
## dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event dce_rpc_message%(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string%);
## TODO.
##
## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_message dce_rpc_request
## dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event dce_rpc_bind%(c: connection, uuid: string%);
## TODO.
##
## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
## dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event dce_rpc_request%(c: connection, opnum: count, stub: string%);
## TODO.
##
## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
## dce_rpc_request rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event dce_rpc_response%(c: connection, opnum: count, stub: string%);
## TODO.
##
## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
## dce_rpc_request dce_rpc_response rpc_timeout
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event epm_map_response%(c: connection, uuid: string, p: port, h: addr%);


@ -1,6 +1,10 @@
#include "DHCP.h" #include "DHCP.h"
#include "events.bif.h"
using namespace analyzer::dhcp;
DHCP_Analyzer::DHCP_Analyzer(Connection* conn) DHCP_Analyzer::DHCP_Analyzer(Connection* conn)
: Analyzer("DHCP", conn) : Analyzer("DHCP", conn)
{ {


@ -5,6 +5,8 @@
#include "dhcp_pac.h" #include "dhcp_pac.h"
namespace analyzer { namespace dhcp {
class DHCP_Analyzer : public analyzer::Analyzer { class DHCP_Analyzer : public analyzer::Analyzer {
public: public:
DHCP_Analyzer(Connection* conn); DHCP_Analyzer(Connection* conn);
@ -21,4 +23,6 @@ protected:
binpac::DHCP::DHCP_Conn* interp; binpac::DHCP::DHCP_Conn* interp;
}; };
} } // namespace analyzer::*
#endif #endif


@ -5,6 +5,6 @@
BRO_PLUGIN_BEGIN(DHCP) BRO_PLUGIN_BEGIN(DHCP)
BRO_PLUGIN_DESCRIPTION("DHCP Analyzer"); BRO_PLUGIN_DESCRIPTION("DHCP Analyzer");
BRO_PLUGIN_ANALYZER("DHCP", DHCP_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("DHCP", dhcp::DHCP_Analyzer);
BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END BRO_PLUGIN_END


@ -1,5 +1,9 @@
%include bro.pac %include bro.pac
%extern{
#include "events.bif.h"
%}
analyzer DHCP withcontext { analyzer DHCP withcontext {
connection: DHCP_Conn; connection: DHCP_Conn;
flow: DHCP_Flow; flow: DHCP_Flow;


@ -0,0 +1,239 @@
## Generated for DHCP messages of type *discover*.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
## more information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## req_addr: The specific address requested by the client.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP
## protocol). It treats broadcast addresses just like any other and
## associates packets into transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%);
## Generated for DHCP messages of type *offer*.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
## more information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: TODO.
##
## mask: The subnet mask specified by the message.
##
## router: The list of routers specified by the message.
##
## lease: The least interval specified by the message.
##
## serv_addr: The server address specified by the message.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP
## protocol). It treats broadcast addresses just like any other and
## associates packets into transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);
## Generated for DHCP messages of type *request*.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
## more information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## req_addr: The client address specified by the message.
##
## serv_addr: The server address specified by the message.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP
## protocol). It treats broadcast addresses just like any other and
## associates packets into transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr%);
## Generated for DHCP messages of type *decline*.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
## more information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP
## protocol). It treats broadcast addresses just like any other and
## associates packets into transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event dhcp_decline%(c: connection, msg: dhcp_msg%);
## Generated for DHCP messages of type *acknowledgment*.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
## more information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## mask: The subnet mask specified by the message.
##
## router: The list of routers specified by the message.
##
## lease: The least interval specified by the message.
##
## serv_addr: The server address specified by the message.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP
## protocol). It treats broadcast addresses just like any other and
## associates packets into transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);
## Generated for DHCP messages of type *negative acknowledgment*.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
## more information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP
## protocol). It treats broadcast addresses just like any other and
## associates packets into transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event dhcp_nak%(c: connection, msg: dhcp_msg%);
## Generated for DHCP messages of type *release*.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
## more information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP
## protocol). It treats broadcast addresses just like any other and
## associates packets into transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event dhcp_release%(c: connection, msg: dhcp_msg%);
## Generated for DHCP messages of type *inform*.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
## more information about the DHCP protocol.
##
## c: The connection record describing the underlying UDP flow.
##
## msg: The parsed type-independent part of the DHCP message.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request
##
## .. note:: Bro does not support broadcast packets (as used by the DHCP
## protocol). It treats broadcast addresses just like any other and
## associates packets into transport-level flows in the same way as usual.
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event dhcp_inform%(c: connection, msg: dhcp_msg%);
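Review bot: The `msg` parameter of `dhcp_offer` is still documented as `## msg: TODO.` while every other event in this new file uses `## msg: The parsed type-independent part of the DHCP message.`, so the same line should be used there. Both `dhcp_offer` and `dhcp_ack` also document `## lease: The least interval specified by the message.`, which should read `## lease: The lease interval specified by the message.`. Every `.. bro:see::` list in this file cross-references dns_* events and options, which looks like a copy-paste from the DNS events file; listing the sibling events instead (`dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_nak dhcp_release dhcp_inform`) would keep the generated documentation useful. Since `req_addr`, `serv_addr`, `mask` and `router` appear to be taken straight from the parsed message, a short sentence that these are unauthenticated values supplied by whichever host sent the packet, and should not be trusted for policy decisions on their own, would also help script authors.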


@ -12,6 +12,10 @@
#include "Sessions.h" #include "Sessions.h"
#include "Event.h" #include "Event.h"
#include "events.bif.h"
using namespace analyzer::dns;
DNS_Interpreter::DNS_Interpreter(analyzer::Analyzer* arg_analyzer) DNS_Interpreter::DNS_Interpreter(analyzer::Analyzer* arg_analyzer)
{ {
analyzer = arg_analyzer; analyzer = arg_analyzer;
@ -993,7 +997,7 @@ Val* DNS_MsgInfo::BuildTSIG_Val()
Contents_DNS::Contents_DNS(Connection* conn, bool orig, Contents_DNS::Contents_DNS(Connection* conn, bool orig,
DNS_Interpreter* arg_interp) DNS_Interpreter* arg_interp)
: TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig) : tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig)
{ {
interp = arg_interp; interp = arg_interp;
@ -1080,7 +1084,7 @@ void Contents_DNS::DeliverStream(int len, const u_char* data, bool orig)
} }
DNS_Analyzer::DNS_Analyzer(Connection* conn) DNS_Analyzer::DNS_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer("DNS", conn) : tcp::TCP_ApplicationAnalyzer("DNS", conn)
{ {
interp = new DNS_Interpreter(this); interp = new DNS_Interpreter(this);
contents_dns_orig = contents_dns_resp = 0; contents_dns_orig = contents_dns_resp = 0;
@ -1112,7 +1116,7 @@ void DNS_Analyzer::Init()
void DNS_Analyzer::Done() void DNS_Analyzer::Done()
{ {
TCP_ApplicationAnalyzer::Done(); tcp::TCP_ApplicationAnalyzer::Done();
if ( Conn()->ConnTransport() == TRANSPORT_UDP && ! did_session_done ) if ( Conn()->ConnTransport() == TRANSPORT_UDP && ! did_session_done )
Event(udp_session_done); Event(udp_session_done);
@ -1123,7 +1127,7 @@ void DNS_Analyzer::Done()
void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
int seq, const IP_Hdr* ip, int caplen) int seq, const IP_Hdr* ip, int caplen)
{ {
TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
if ( orig ) if ( orig )
{ {
@ -1141,10 +1145,10 @@ void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
} }
void DNS_Analyzer::ConnectionClosed(TCP_Endpoint* endpoint, TCP_Endpoint* peer, void DNS_Analyzer::ConnectionClosed(tcp::TCP_Endpoint* endpoint, tcp::TCP_Endpoint* peer,
int gen_event) int gen_event)
{ {
TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
assert(contents_dns_orig && contents_dns_resp); assert(contents_dns_orig && contents_dns_resp);
contents_dns_orig->Flush(); contents_dns_orig->Flush();
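Review bot: The new `#include "events.bif.h"` at the top of this file has the same basename as the global `events.bif.h` that still declares the non-protocol events, and `DNS_Analyzer::Done()` in this section still raises `udp_session_done`, which this commit does not move into the DNS events file. Quoted includes are searched relative to the including file first, so the analyzer-local header wins here, and the build then depends on `udp_session_done` still being reachable through some other header included above, outside this view. A distinct basename or a path-qualified include such as `#include "analyzer/protocol/dns/events.bif.h"` would remove the dependence on include-path order, which is the kind of ambiguity that later surfaces as confusing redefinition or undeclared-identifier errors in out-of-tree builds. `DNS_Analyzer::ConnectionClosed` at the end of the section continues past the hunk.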


@ -6,6 +6,8 @@
#include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/TCP.h"
#include "binpac_bro.h" #include "binpac_bro.h"
namespace analyzer { namespace dns {
typedef enum { typedef enum {
DNS_OP_QUERY = 0, ///< standard query DNS_OP_QUERY = 0, ///< standard query
DNS_OP_IQUERY = 1, ///< reverse query DNS_OP_IQUERY = 1, ///< reverse query
@ -229,7 +231,7 @@ typedef enum {
// Support analyzer which chunks the TCP stream into "packets". // Support analyzer which chunks the TCP stream into "packets".
// ### This should be merged with TCP_Contents_RPC. // ### This should be merged with TCP_Contents_RPC.
class Contents_DNS : public TCP_SupportAnalyzer { class Contents_DNS : public tcp::TCP_SupportAnalyzer {
public: public:
Contents_DNS(Connection* c, bool orig, DNS_Interpreter* interp); Contents_DNS(Connection* c, bool orig, DNS_Interpreter* interp);
~Contents_DNS(); ~Contents_DNS();
@ -251,7 +253,7 @@ protected:
}; };
// Works for both TCP and UDP. // Works for both TCP and UDP.
class DNS_Analyzer : public TCP_ApplicationAnalyzer { class DNS_Analyzer : public tcp::TCP_ApplicationAnalyzer {
public: public:
DNS_Analyzer(Connection* conn); DNS_Analyzer(Connection* conn);
~DNS_Analyzer(); ~DNS_Analyzer();
@ -261,8 +263,8 @@ public:
virtual void Init(); virtual void Init();
virtual void Done(); virtual void Done();
virtual void ConnectionClosed(TCP_Endpoint* endpoint, virtual void ConnectionClosed(tcp::TCP_Endpoint* endpoint,
TCP_Endpoint* peer, int gen_event); tcp::TCP_Endpoint* peer, int gen_event);
void ExpireTimer(double t); void ExpireTimer(double t);
@ -279,4 +281,6 @@ protected:
// FIXME: Doesn't really fit into new analyzer structure. What to do? // FIXME: Doesn't really fit into new analyzer structure. What to do?
int IsReuse(double t, const u_char* pkt); int IsReuse(double t, const u_char* pkt);
} } // namespace analyzer::*
#endif #endif


@ -5,7 +5,7 @@
BRO_PLUGIN_BEGIN(DNS) BRO_PLUGIN_BEGIN(DNS)
BRO_PLUGIN_DESCRIPTION("DNS Analyzer"); BRO_PLUGIN_DESCRIPTION("DNS Analyzer");
BRO_PLUGIN_ANALYZER("DNS", DNS_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("DNS", dns::DNS_Analyzer);
BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DNS"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DNS");
BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END BRO_PLUGIN_END


@ -0,0 +1,482 @@
## Generated for all DNS messages.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## is_orig: True if the message was sent by the originator of the connection.
##
## msg: The parsed DNS message header.
##
## len: The length of the message's raw representation (i.e., the DNS payload).
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_query_reply dns_rejected
## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%);
## Generated for DNS requests. For requests with multiple queries, this event
## is raised once for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## query: The queried name.
##
## qtype: The queried resource record type.
##
## qclass: The queried resource record class.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%);
## Generated for DNS replies that reject a query. This event is raised if a DNS
## reply either indicates failure via its status code or does not pass on any
## answers to a query. Note that all of the event's parameters are parsed out of
## the reply; there's no stateful correlation with the query.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## query: The queried name.
##
## qtype: The queried resource record type.
##
## qclass: The queried resource record class.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%);
## Generated for DNS replies with an *ok* status code but no question section.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## query: The queried name.
##
## qtype: The queried resource record type.
##
## qclass: The queried resource record class.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_rejected
## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_query_reply%(c: connection, msg: dns_msg, query: string,
qtype: count, qclass: count%);
## Generated for DNS replies of type *A*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## a: The address returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply
## dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
## Generated for DNS replies of type *AAAA*. For replies with multiple answers,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## a: The address returned by the reply.
##
## .. bro:see:: dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
## Generated for DNS replies of type *A6*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## a: The address returned by the reply.
##
## .. bro:see:: dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
## Generated for DNS replies of type *NS*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## name: The name returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%);
## Generated for DNS replies of type *CNAME*. For replies with multiple answers,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## name: The name returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%);
## Generated for DNS replies of type *PTR*. For replies with multiple answers,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## name: The name returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_SOA_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%);
## Generated for DNS replies of type *CNAME*. For replies with multiple answers,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## soa: The parsed SOA value.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%);
## Generated for DNS replies of type *WKS*. For replies with multiple answers,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
## Generated for DNS replies of type *HINFO*. For replies with multiple answers,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
## Generated for DNS replies of type *MX*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## name: The name returned by the reply.
##
## preference: The preference for *name* specified by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%);
## Generated for DNS replies of type *TXT*. For replies with multiple answers,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## str: The textual information returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%);
## Generated for DNS replies of type *SRV*. For replies with multiple answers,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
## Generated for DNS replies of type *EDNS*. For replies with multiple answers,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The parsed EDNS reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
## Generated for DNS replies of type *TSIG*. For replies with multiple answers,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The parsed TSIG reply.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%);
## Generated at the end of processing a DNS packet. This event is the last
## ``dns_*`` event that will be raised for a DNS query/reply and signals that
## all resource records have been passed on.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_end%(c: connection, msg: dns_msg%);
## Deprecated. Will be removed.
##
## .. todo:: Unclear what this event is for; it's never raised. We should just
## remove it.
event dns_full_request%(%);
## msg: The raw DNS payload.
##
## .. note:: This event is deprecated and superseded by Bro's dynamic protocol
## detection framework.
event non_dns_request%(c: connection, msg: string%);


@ -4,11 +4,15 @@
#include "Reporter.h" #include "Reporter.h"
#include "util.h" #include "util.h"
#include "events.bif.h"
using namespace analyzer::file;
magic_t File_Analyzer::magic = 0; magic_t File_Analyzer::magic = 0;
magic_t File_Analyzer::magic_mime = 0; magic_t File_Analyzer::magic_mime = 0;
File_Analyzer::File_Analyzer(Connection* conn) File_Analyzer::File_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer("FILE", conn) : tcp::TCP_ApplicationAnalyzer("FILE", conn)
{ {
buffer_len = 0; buffer_len = 0;
@ -18,7 +22,7 @@ File_Analyzer::File_Analyzer(Connection* conn)
void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
int n = min(len, BUFFER_SIZE - buffer_len); int n = min(len, BUFFER_SIZE - buffer_len);
@ -35,7 +39,7 @@ void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
void File_Analyzer::Done() void File_Analyzer::Done()
{ {
TCP_ApplicationAnalyzer::Done(); tcp::TCP_ApplicationAnalyzer::Done();
if ( buffer_len && buffer_len != BUFFER_SIZE ) if ( buffer_len && buffer_len != BUFFER_SIZE )
Identify(); Identify();


@ -7,7 +7,9 @@
#include <magic.h> #include <magic.h>
class File_Analyzer : public TCP_ApplicationAnalyzer { namespace analyzer { namespace file {
class File_Analyzer : public tcp::TCP_ApplicationAnalyzer {
public: public:
File_Analyzer(Connection* conn); File_Analyzer(Connection* conn);
@ -29,4 +31,6 @@ protected:
static magic_t magic_mime; static magic_t magic_mime;
}; };
} } // namespace analyzer::*
#endif #endif
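Review bot: The closing comment `} } // namespace analyzer::*` at the end of the header is generic and does not say which namespace pair it closes; the same placeholder ends Finger.h, FTP.h, Gnutella.h and GTPv1.h in this commit. Naming the namespace, `} } // namespace analyzer::file`, gives a reader of the nested `namespace analyzer { namespace file {` opener an unambiguous match, which is what a closing-namespace comment is for. This is style only; the code is unaffected.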


@ -5,6 +5,6 @@
BRO_PLUGIN_BEGIN(File) BRO_PLUGIN_BEGIN(File)
BRO_PLUGIN_DESCRIPTION("Generic File Analyzer"); BRO_PLUGIN_DESCRIPTION("Generic File Analyzer");
BRO_PLUGIN_ANALYZER("File", File_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("File", file::File_Analyzer);
BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END BRO_PLUGIN_END


@ -0,0 +1,3 @@
## TODO.
##
event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%);
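Review bot: The new `file_transferred` declaration carries only `## TODO.` as its documentation, so its four parameters are undocumented while the other events.bif files in this commit document theirs. A short block stating what the event is generated for plus one `## c:`, `## prefix:`, `## descr:` and `## mime_type:` line each would match the sibling files. From File.cc's use of libmagic (`magic` and `magic_mime` in File_Analyzer), `descr` and `mime_type` look like the libmagic description and MIME type of the identified content and `prefix` presumably the leading bytes that were examined, but that should be confirmed against `File_Analyzer::Identify` before being written as fact.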


@ -9,25 +9,29 @@
#include "Event.h" #include "Event.h"
#include "analyzer/protocols/tcp/ContentLine.h" #include "analyzer/protocols/tcp/ContentLine.h"
#include "events.bif.h"
using namespace analyzer::finger;
Finger_Analyzer::Finger_Analyzer(Connection* conn) Finger_Analyzer::Finger_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer("FINGER", conn) : tcp::TCP_ApplicationAnalyzer("FINGER", conn)
{ {
did_deliver = 0; did_deliver = 0;
content_line_orig = new ContentLine_Analyzer(conn, true); content_line_orig = new tcp::ContentLine_Analyzer(conn, true);
content_line_orig->SetIsNULSensitive(true); content_line_orig->SetIsNULSensitive(true);
content_line_resp = new ContentLine_Analyzer(conn, false); content_line_resp = new tcp::ContentLine_Analyzer(conn, false);
AddSupportAnalyzer(content_line_orig); AddSupportAnalyzer(content_line_orig);
AddSupportAnalyzer(content_line_resp); AddSupportAnalyzer(content_line_resp);
} }
void Finger_Analyzer::Done() void Finger_Analyzer::Done()
{ {
TCP_ApplicationAnalyzer::Done(); tcp::TCP_ApplicationAnalyzer::Done();
if ( TCP() ) if ( TCP() )
if ( (! did_deliver || content_line_orig->HasPartialLine()) && if ( (! did_deliver || content_line_orig->HasPartialLine()) &&
(TCP()->OrigState() == TCP_ENDPOINT_CLOSED || (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED ||
TCP()->OrigPrevState() == TCP_ENDPOINT_CLOSED) ) TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) )
// ### should include the partial text // ### should include the partial text
Weird("partial_finger_request"); Weird("partial_finger_request");
} }


@ -4,10 +4,11 @@
#define finger_h #define finger_h
#include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/TCP.h"
#include "analyzer/protocols/tcp/ContentLine.h"
class ContentLine_Analyzer; namespace analyzer { namespace finger {
class Finger_Analyzer : public TCP_ApplicationAnalyzer { class Finger_Analyzer : public tcp::TCP_ApplicationAnalyzer {
public: public:
Finger_Analyzer(Connection* conn); Finger_Analyzer(Connection* conn);
virtual ~Finger_Analyzer() {} virtual ~Finger_Analyzer() {}
@ -20,9 +21,11 @@ public:
{ return new Finger_Analyzer(conn); } { return new Finger_Analyzer(conn); }
protected: protected:
ContentLine_Analyzer* content_line_orig; tcp::ContentLine_Analyzer* content_line_orig;
ContentLine_Analyzer* content_line_resp; tcp::ContentLine_Analyzer* content_line_resp;
int did_deliver; int did_deliver;
}; };
} } // namespace analyzer::*
#endif #endif
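Review bot: The forward declaration `class ContentLine_Analyzer;` is replaced by `#include "analyzer/protocols/tcp/ContentLine.h"`, although the header only holds `tcp::ContentLine_Analyzer*` pointer members and Finger.cc already includes ContentLine.h itself. A namespaced forward declaration, `namespace analyzer { namespace tcp { class ContentLine_Analyzer; } }`, keeps the header's dependencies as light as they were before the namespace move. This is a style point; both forms compile.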


@ -5,6 +5,6 @@
BRO_PLUGIN_BEGIN(Finger) BRO_PLUGIN_BEGIN(Finger)
BRO_PLUGIN_DESCRIPTION("Finger Analyzer"); BRO_PLUGIN_DESCRIPTION("Finger Analyzer");
BRO_PLUGIN_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("FINGER", finger::Finger_Analyzer);
BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END BRO_PLUGIN_END


@ -0,0 +1,38 @@
## Generated for Finger requests.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
## information about the Finger protocol.
##
## c: The connection.
##
## full: True if verbose information is requested (``/W`` switch).
##
## username: The request's user name.
##
## hostname: The request's host name.
##
## .. bro:see:: finger_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event finger_request%(c: connection, full: bool, username: string, hostname: string%);
## Generated for Finger replies.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
## information about the Finger protocol.
##
## c: The connection.
##
## reply_line: The reply as returned by the server
##
## .. bro:see:: finger_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event finger_reply%(c: connection, reply_line: string%);


@ -11,18 +11,22 @@
#include "analyzer/Manager.h" #include "analyzer/Manager.h"
#include "analyzer/protocols/login/NVT.h" #include "analyzer/protocols/login/NVT.h"
#include "events.bif.h"
using namespace analyzer::ftp;
FTP_Analyzer::FTP_Analyzer(Connection* conn) FTP_Analyzer::FTP_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer("FTP", conn) : tcp::TCP_ApplicationAnalyzer("FTP", conn)
{ {
pending_reply = 0; pending_reply = 0;
nvt_orig = new NVT_Analyzer(conn, true); nvt_orig = new login::NVT_Analyzer(conn, true);
nvt_orig->SetIsNULSensitive(true); nvt_orig->SetIsNULSensitive(true);
nvt_orig->SetIsNULSensitive(true); nvt_orig->SetIsNULSensitive(true);
nvt_orig->SetCRLFAsEOL(LF_as_EOL); nvt_orig->SetCRLFAsEOL(LF_as_EOL);
nvt_orig->SetIsNULSensitive(LF_as_EOL); nvt_orig->SetIsNULSensitive(LF_as_EOL);
nvt_resp = new NVT_Analyzer(conn, false); nvt_resp = new login::NVT_Analyzer(conn, false);
nvt_resp->SetIsNULSensitive(true); nvt_resp->SetIsNULSensitive(true);
nvt_resp->SetIsNULSensitive(true); nvt_resp->SetIsNULSensitive(true);
nvt_resp->SetCRLFAsEOL(LF_as_EOL); nvt_resp->SetCRLFAsEOL(LF_as_EOL);
@ -37,11 +41,11 @@ FTP_Analyzer::FTP_Analyzer(Connection* conn)
void FTP_Analyzer::Done() void FTP_Analyzer::Done()
{ {
TCP_ApplicationAnalyzer::Done(); tcp::TCP_ApplicationAnalyzer::Done();
if ( nvt_orig->HasPartialLine() && if ( nvt_orig->HasPartialLine() &&
(TCP()->OrigState() == TCP_ENDPOINT_CLOSED || (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED ||
TCP()->OrigPrevState() == TCP_ENDPOINT_CLOSED) ) TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) )
// ### should include the partial text // ### should include the partial text
Weird("partial_ftp_request"); Weird("partial_ftp_request");
} }
@ -56,7 +60,7 @@ static uint32 get_reply_code(int len, const char* line)
void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig) void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
{ {
TCP_ApplicationAnalyzer::DeliverStream(length, data, orig); tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, orig);
if ( (orig && ! ftp_request) || (! orig && ! ftp_reply) ) if ( (orig && ! ftp_request) || (! orig && ! ftp_reply) )
return; return;
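Review bot: `FTP_Analyzer::Done()` dereferences `TCP()` unguarded in `TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED`, whereas the otherwise identical check in `Finger_Analyzer::Done()` in this same commit is wrapped in `if ( TCP() )`. If `TCP()` can be null here as the Finger guard suggests, the condition should begin `if ( TCP() && nvt_orig->HasPartialLine() &&`; if it cannot, a one-line comment saying why would stop the two analyzers from looking inconsistent. Separately, in the constructor (which continues outside the hunk) the two `nvt_orig->SetIsNULSensitive(true);` lines are duplicated and then overridden by `nvt_orig->SetIsNULSensitive(LF_as_EOL);` two lines later, and likewise for `nvt_resp`, so the earlier calls appear to be dead.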


@ -6,7 +6,9 @@
#include "analyzer/protocols/login/NVT.h" #include "analyzer/protocols/login/NVT.h"
#include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/TCP.h"
class FTP_Analyzer : public TCP_ApplicationAnalyzer { namespace analyzer { namespace ftp {
class FTP_Analyzer : public tcp::TCP_ApplicationAnalyzer {
public: public:
FTP_Analyzer(Connection* conn); FTP_Analyzer(Connection* conn);
@ -19,8 +21,8 @@ public:
} }
protected: protected:
NVT_Analyzer* nvt_orig; login::NVT_Analyzer* nvt_orig;
NVT_Analyzer* nvt_resp; login::NVT_Analyzer* nvt_resp;
uint32 pending_reply; // code associated with multi-line reply, or 0 uint32 pending_reply; // code associated with multi-line reply, or 0
string auth_requested; // AUTH method requested string auth_requested; // AUTH method requested
}; };
@ -47,4 +49,6 @@ protected:
bool first_token; bool first_token;
}; };
} } // namespace analyzer::*
#endif #endif


@ -5,7 +5,7 @@
BRO_PLUGIN_BEGIN(FTP) BRO_PLUGIN_BEGIN(FTP)
BRO_PLUGIN_DESCRIPTION("FTP Analyzer"); BRO_PLUGIN_DESCRIPTION("FTP Analyzer");
BRO_PLUGIN_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("FTP", ftp::FTP_Analyzer);
BRO_PLUGIN_SUPPORT_ANALYZER("FTP_ADAT"); BRO_PLUGIN_SUPPORT_ANALYZER("FTP_ADAT");
BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END BRO_PLUGIN_END


@ -0,0 +1,35 @@
## Generated for client-side FTP commands.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/File_Transfer_Protocol>`__ for
## more information about the FTP protocol.
##
## c: The connection.
##
## command: The FTP command issued by the client (without any arguments).
##
## arg: The arguments going with the command.
##
## .. bro:see:: ftp_reply fmt_ftp_port parse_eftp_port
## parse_ftp_epsv parse_ftp_pasv parse_ftp_port
event ftp_request%(c: connection, command: string, arg: string%);
## Generated for server-side FTP replies.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/File_Transfer_Protocol>`__ for
## more information about the FTP protocol.
##
## c: The connection.
##
## code: The numerical response code the server responded with.
##
## msg: The textual message of the response.
##
## cont_resp: True if the reply line is tagged as being continued to the next
## line. If so, further events will be raised and a handler may want
## to reassemble the pieces before processing the response any
## further.
##
## .. bro:see:: ftp_request fmt_ftp_port parse_eftp_port
## parse_ftp_epsv parse_ftp_pasv parse_ftp_port
event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%);


@ -12,6 +12,10 @@
#include "analyzer/protocols/pia/PIA.h" #include "analyzer/protocols/pia/PIA.h"
#include "analyzer/Manager.h" #include "analyzer/Manager.h"
#include "events.bif.h"
using namespace analyzer::gnutella;
GnutellaMsgState::GnutellaMsgState() GnutellaMsgState::GnutellaMsgState()
{ {
buffer = ""; buffer = "";
@ -30,7 +34,7 @@ GnutellaMsgState::GnutellaMsgState()
Gnutella_Analyzer::Gnutella_Analyzer(Connection* conn) Gnutella_Analyzer::Gnutella_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer("GNUTELLA", conn) : tcp::TCP_ApplicationAnalyzer("GNUTELLA", conn)
{ {
state = 0; state = 0;
new_state = 0; new_state = 0;
@ -50,7 +54,7 @@ Gnutella_Analyzer::~Gnutella_Analyzer()
void Gnutella_Analyzer::Done() void Gnutella_Analyzer::Done()
{ {
TCP_ApplicationAnalyzer::Done(); tcp::TCP_ApplicationAnalyzer::Done();
if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) ) if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) )
{ {
@ -138,9 +142,9 @@ int Gnutella_Analyzer::IsHTTP(string header)
if ( Parent()->IsAnalyzer("TCP") ) if ( Parent()->IsAnalyzer("TCP") )
{ {
// Replay buffered data. // Replay buffered data.
PIA* pia = static_cast<analyzer::TransportLayerAnalyzer *>(Parent())->GetPIA(); pia::PIA* pia = static_cast<analyzer::TransportLayerAnalyzer *>(Parent())->GetPIA();
if ( pia ) if ( pia )
static_cast<PIA_TCP *>(pia)->ReplayStreamBuffer(a); static_cast<pia::PIA_TCP *>(pia)->ReplayStreamBuffer(a);
} }
Parent()->RemoveChildAnalyzer(this); Parent()->RemoveChildAnalyzer(this);
@ -328,7 +332,7 @@ void Gnutella_Analyzer::DeliverMessages(int len, const u_char* data, bool orig)
void Gnutella_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void Gnutella_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
ms = orig ? orig_msg_state : resp_msg_state; ms = orig ? orig_msg_state : resp_msg_state;
ms->current_offset = 0; ms->current_offset = 0;
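Review bot: The downcast `static_cast<pia::PIA_TCP *>(pia)->ReplayStreamBuffer(a)` is presumably valid only because the enclosing `if ( Parent()->IsAnalyzer("TCP") )` established the parent's type, and nothing at the cast site records that dependency. A comment such as `// Parent is the TCP analyzer, so its PIA is expected to be a PIA_TCP.` above the cast keeps the invariant visible if the check and the cast are ever separated. The enclosing `IsHTTP` starts outside the hunk.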


@ -11,6 +11,8 @@
#define GNUTELLA_MSG_SIZE 23 #define GNUTELLA_MSG_SIZE 23
#define GNUTELLA_MAX_PAYLOAD 1024 #define GNUTELLA_MAX_PAYLOAD 1024
namespace analyzer { namespace gnutella {
class GnutellaMsgState { class GnutellaMsgState {
public: public:
GnutellaMsgState (); GnutellaMsgState ();
@ -32,7 +34,7 @@ public:
}; };
class Gnutella_Analyzer : public TCP_ApplicationAnalyzer { class Gnutella_Analyzer : public tcp::TCP_ApplicationAnalyzer {
public: public:
Gnutella_Analyzer(Connection* conn); Gnutella_Analyzer(Connection* conn);
~Gnutella_Analyzer(); ~Gnutella_Analyzer();
@ -67,4 +69,6 @@ private:
GnutellaMsgState* ms; GnutellaMsgState* ms;
}; };
} } // namespace analyzer::*
#endif #endif
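Review bot: `GNUTELLA_MSG_SIZE` and `GNUTELLA_MAX_PAYLOAD` remain `#define`s above the new `namespace analyzer { namespace gnutella {`, so the namespace this commit introduces does not scope them and they stay global macro names. Now that the header has a namespace, `static const int GNUTELLA_MSG_SIZE = 23;` and `static const int GNUTELLA_MAX_PAYLOAD = 1024;` placed inside it would give them the same scoping as the classes; this assumes their uses are ordinary integer contexts, which the hunk does not show. Style only.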


@ -5,6 +5,6 @@
BRO_PLUGIN_BEGIN(Gnutella) BRO_PLUGIN_BEGIN(Gnutella)
BRO_PLUGIN_DESCRIPTION("Gnutella Analyzer"); BRO_PLUGIN_DESCRIPTION("Gnutella Analyzer");
BRO_PLUGIN_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("GNUTELLA", gnutella::Gnutella_Analyzer);
BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END BRO_PLUGIN_END


@ -0,0 +1,88 @@
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
## gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found
##
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
ttl: count, hops: count, msg_len: count,
payload: string, payload_len: count,
trunc: bool, complete: bool%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
## gnutella_not_establish gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event gnutella_partial_binary_msg%(c: connection, orig: bool,
msg: string, len: count%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish
## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event gnutella_establish%(c: connection%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event gnutella_not_establish%(c: connection%);
## TODO.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
## information about the Gnutella protocol.
##
## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event gnutella_http_notify%(c: connection%);
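Review bot: All six event declarations in this new file, from `gnutella_text_msg` to `gnutella_http_notify`, carry `## TODO.` as their description and document none of their parameters, so the move into the analyzer directory leaves the events undocumented. At minimum each `## c:` line and, for `gnutella_text_msg`, `gnutella_binary_msg` and `gnutella_partial_binary_msg`, an `## orig:` line should be written in the style of the sibling events.bif files. The remaining `gnutella_binary_msg` fields (`msg_type`, `ttl`, `hops`, `msg_len`, `payload`, `payload_len`, `trunc`, `complete`) should be described from the analyzer's code rather than guessed here.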


@ -1,5 +1,11 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "GTPv1.h" #include "GTPv1.h"
#include "events.bif.h"
using namespace analyzer::gtpv1;
GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn) GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn)
: Analyzer("GTPV1", conn) : Analyzer("GTPV1", conn)
{ {


@ -3,6 +3,8 @@
#include "gtpv1_pac.h" #include "gtpv1_pac.h"
namespace analyzer { namespace gtpv1 {
class GTPv1_Analyzer : public analyzer::Analyzer { class GTPv1_Analyzer : public analyzer::Analyzer {
public: public:
GTPv1_Analyzer(Connection* conn); GTPv1_Analyzer(Connection* conn);
@ -21,4 +23,6 @@ protected:
binpac::GTPv1::GTPv1_Conn* interp; binpac::GTPv1::GTPv1_Conn* interp;
}; };
} } // namespace analyzer::*
#endif #endif


@ -5,6 +5,6 @@
BRO_PLUGIN_BEGIN(GTPV1) BRO_PLUGIN_BEGIN(GTPV1)
BRO_PLUGIN_DESCRIPTION("GTPv1 Analyzer"); BRO_PLUGIN_DESCRIPTION("GTPv1 Analyzer");
BRO_PLUGIN_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("GTPV1", gtpv1::GTPv1_Analyzer);
BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END BRO_PLUGIN_END


@ -0,0 +1,74 @@
## Generated for any GTP message with a GTPv1 header.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
event gtpv1_message%(c: connection, hdr: gtpv1_hdr%);
## Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload
## that includes a GTP header followed by an IPv4 or IPv6 packet.
##
## outer: The GTP outer tunnel connection.
##
## inner_gtp: The GTP header.
##
## inner_ip: The inner IP and transport layer packet headers.
##
## .. note:: Since this event may be raised on a per-packet basis, handling
## it may become particularly expensive for real-time analysis.
event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%);
## Generated for GTPv1-C Create PDP Context Request messages.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
##
## elements: The set of Information Elements comprising the message.
event gtpv1_create_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements%);
## Generated for GTPv1-C Create PDP Context Response messages.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
##
## elements: The set of Information Elements comprising the message.
event gtpv1_create_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements%);
## Generated for GTPv1-C Update PDP Context Request messages.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
##
## elements: The set of Information Elements comprising the message.
event gtpv1_update_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements%);
## Generated for GTPv1-C Update PDP Context Response messages.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
##
## elements: The set of Information Elements comprising the message.
event gtpv1_update_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements%);
## Generated for GTPv1-C Delete PDP Context Request messages.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
##
## elements: The set of Information Elements comprising the message.
event gtpv1_delete_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements%);
## Generated for GTPv1-C Delete PDP Context Response messages.
##
## c: The connection over which the message is sent.
##
## hdr: The GTPv1 header.
##
## elements: The set of Information Elements comprising the message.
event gtpv1_delete_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements%);


@ -1,6 +1,10 @@
%include binpac.pac %include binpac.pac
%include bro.pac %include bro.pac
%extern{
#include "events.bif.h"
%}
analyzer GTPv1 withcontext { analyzer GTPv1 withcontext {
connection: GTPv1_Conn; connection: GTPv1_Conn;
flow: GTPv1_Flow; flow: GTPv1_Flow;


@ -11,7 +11,11 @@
#include "NetVar.h" #include "NetVar.h"
#include "HTTP.h" #include "HTTP.h"
#include "Event.h" #include "Event.h"
#include "MIME.h" #include "analyzer/protocols/mime/MIME.h"
#include "events.bif.h"
using namespace analyzer::http;
const bool DEBUG_http = false; const bool DEBUG_http = false;
@ -77,7 +81,7 @@ void HTTP_Entity::Deliver(int len, const char* data, int trailing_CRLF)
if ( end_of_data ) if ( end_of_data )
{ {
// Multipart entities may have trailers // Multipart entities may have trailers
if ( content_type != CONTENT_TYPE_MULTIPART ) if ( content_type != mime::CONTENT_TYPE_MULTIPART )
IllegalFormat("data trailing the end of entity"); IllegalFormat("data trailing the end of entity");
return; return;
} }
@ -93,8 +97,8 @@ void HTTP_Entity::Deliver(int len, const char* data, int trailing_CRLF)
} }
// Entity body. // Entity body.
if ( content_type == CONTENT_TYPE_MULTIPART || if ( content_type == mime::CONTENT_TYPE_MULTIPART ||
content_type == CONTENT_TYPE_MESSAGE ) content_type == mime::CONTENT_TYPE_MESSAGE )
DeliverBody(len, data, trailing_CRLF); DeliverBody(len, data, trailing_CRLF);
else if ( chunked_transfer_state != NON_CHUNKED_TRANSFER ) else if ( chunked_transfer_state != NON_CHUNKED_TRANSFER )
@ -177,14 +181,14 @@ void HTTP_Entity::DeliverBody(int len, const char* data, int trailing_CRLF)
{ {
if ( encoding == GZIP || encoding == DEFLATE ) if ( encoding == GZIP || encoding == DEFLATE )
{ {
ZIP_Analyzer::Method method = zip::ZIP_Analyzer::Method method =
encoding == GZIP ? encoding == GZIP ?
ZIP_Analyzer::GZIP : ZIP_Analyzer::DEFLATE; zip::ZIP_Analyzer::GZIP : zip::ZIP_Analyzer::DEFLATE;
if ( ! zip ) if ( ! zip )
{ {
// We don't care about the direction here. // We don't care about the direction here.
zip = new ZIP_Analyzer( zip = new zip::ZIP_Analyzer(
http_message->MyHTTP_Analyzer()->Conn(), http_message->MyHTTP_Analyzer()->Conn(),
false, method); false, method);
zip->SetOutputHandler(new UncompressedOutput(this)); zip->SetOutputHandler(new UncompressedOutput(this));
@ -291,12 +295,12 @@ void HTTP_Entity::SetPlainDelivery(int64_t length)
// expect_data_length. // expect_data_length.
} }
void HTTP_Entity::SubmitHeader(MIME_Header* h) void HTTP_Entity::SubmitHeader(mime::MIME_Header* h)
{ {
if ( strcasecmp_n(h->get_name(), "content-length") == 0 ) if ( mime::strcasecmp_n(h->get_name(), "content-length") == 0 )
{ {
data_chunk_t vt = h->get_value_token(); data_chunk_t vt = h->get_value_token();
if ( ! is_null_data_chunk(vt) ) if ( ! mime::is_null_data_chunk(vt) )
{ {
int64_t n; int64_t n;
if ( atoi_n(vt.length, vt.data, 0, 10, n) ) if ( atoi_n(vt.length, vt.data, 0, 10, n) )
@ -308,8 +312,8 @@ void HTTP_Entity::SubmitHeader(MIME_Header* h)
// Figure out content-length for HTTP 206 Partial Content response // Figure out content-length for HTTP 206 Partial Content response
// that uses multipart/byteranges content-type. // that uses multipart/byteranges content-type.
else if ( strcasecmp_n(h->get_name(), "content-range") == 0 && Parent() && else if ( mime::strcasecmp_n(h->get_name(), "content-range") == 0 && Parent() &&
Parent()->MIMEContentType() == CONTENT_TYPE_MULTIPART && Parent()->MIMEContentType() == mime::CONTENT_TYPE_MULTIPART &&
http_message->MyHTTP_Analyzer()->HTTP_ReplyCode() == 206 ) http_message->MyHTTP_Analyzer()->HTTP_ReplyCode() == 206 )
{ {
data_chunk_t vt = h->get_value_token(); data_chunk_t vt = h->get_value_token();
@ -367,19 +371,19 @@ void HTTP_Entity::SubmitHeader(MIME_Header* h)
} }
} }
else if ( strcasecmp_n(h->get_name(), "transfer-encoding") == 0 ) else if ( mime::strcasecmp_n(h->get_name(), "transfer-encoding") == 0 )
{ {
data_chunk_t vt = h->get_value_token(); data_chunk_t vt = h->get_value_token();
if ( strcasecmp_n(vt, "chunked") == 0 ) if ( mime::strcasecmp_n(vt, "chunked") == 0 )
chunked_transfer_state = BEFORE_CHUNK; chunked_transfer_state = BEFORE_CHUNK;
} }
else if ( strcasecmp_n(h->get_name(), "content-encoding") == 0 ) else if ( mime::strcasecmp_n(h->get_name(), "content-encoding") == 0 )
{ {
data_chunk_t vt = h->get_value_token(); data_chunk_t vt = h->get_value_token();
if ( strcasecmp_n(vt, "gzip") == 0 ) if ( mime::strcasecmp_n(vt, "gzip") == 0 )
encoding = GZIP; encoding = GZIP;
if ( strcasecmp_n(vt, "deflate") == 0 ) if ( mime::strcasecmp_n(vt, "deflate") == 0 )
encoding = DEFLATE; encoding = DEFLATE;
} }
@ -413,8 +417,8 @@ void HTTP_Entity::SubmitAllHeaders()
return; return;
} }
if ( content_type == CONTENT_TYPE_MULTIPART || if ( content_type == mime::CONTENT_TYPE_MULTIPART ||
content_type == CONTENT_TYPE_MESSAGE ) content_type == mime::CONTENT_TYPE_MESSAGE )
{ {
// Do nothing. // Do nothing.
// Make sure that we check for multiple/message contents first, // Make sure that we check for multiple/message contents first,
@ -463,7 +467,7 @@ void HTTP_Entity::SubmitAllHeaders()
} }
HTTP_Message::HTTP_Message(HTTP_Analyzer* arg_analyzer, HTTP_Message::HTTP_Message(HTTP_Analyzer* arg_analyzer,
ContentLine_Analyzer* arg_cl, bool arg_is_orig, tcp::ContentLine_Analyzer* arg_cl, bool arg_is_orig,
int expect_body, int64_t init_header_length) int expect_body, int64_t init_header_length)
: MIME_Message (arg_analyzer) : MIME_Message (arg_analyzer)
{ {
@ -546,7 +550,7 @@ int HTTP_Message::Undelivered(int64_t len)
return 0; return 0;
} }
void HTTP_Message::BeginEntity(MIME_Entity* entity) void HTTP_Message::BeginEntity(mime::MIME_Entity* entity)
{ {
if ( DEBUG_http ) if ( DEBUG_http )
DEBUG_MSG("%.6f: begin entity (%d)\n", network_time, is_orig); DEBUG_MSG("%.6f: begin entity (%d)\n", network_time, is_orig);
@ -562,7 +566,7 @@ void HTTP_Message::BeginEntity(MIME_Entity* entity)
} }
} }
void HTTP_Message::EndEntity(MIME_Entity* entity) void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
{ {
if ( DEBUG_http ) if ( DEBUG_http )
DEBUG_MSG("%.6f: end entity (%d)\n", network_time, is_orig); DEBUG_MSG("%.6f: end entity (%d)\n", network_time, is_orig);
@ -588,12 +592,12 @@ void HTTP_Message::EndEntity(MIME_Entity* entity)
Done(); Done();
} }
void HTTP_Message::SubmitHeader(MIME_Header* h) void HTTP_Message::SubmitHeader(mime::MIME_Header* h)
{ {
MyHTTP_Analyzer()->HTTP_Header(is_orig, h); MyHTTP_Analyzer()->HTTP_Header(is_orig, h);
} }
void HTTP_Message::SubmitAllHeaders(MIME_HeaderList& hlist) void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
{ {
if ( http_all_headers ) if ( http_all_headers )
{ {
@ -620,7 +624,7 @@ void HTTP_Message::SubmitAllHeaders(MIME_HeaderList& hlist)
} }
} }
void HTTP_Message::SubmitTrailingHeaders(MIME_HeaderList& /* hlist */) void HTTP_Message::SubmitTrailingHeaders(mime::MIME_HeaderList& /* hlist */)
{ {
// Do nothing for now. // Do nothing for now.
} }
@ -664,15 +668,15 @@ void HTTP_Message::SubmitEvent(int event_type, const char* detail)
const char* category = ""; const char* category = "";
switch ( event_type ) { switch ( event_type ) {
case MIME_EVENT_ILLEGAL_FORMAT: case mime::MIME_EVENT_ILLEGAL_FORMAT:
category = "illegal format"; category = "illegal format";
break; break;
case MIME_EVENT_ILLEGAL_ENCODING: case mime::MIME_EVENT_ILLEGAL_ENCODING:
category = "illegal encoding"; category = "illegal encoding";
break; break;
case MIME_EVENT_CONTENT_GAP: case mime::MIME_EVENT_CONTENT_GAP:
category = "content gap"; category = "content gap";
break; break;
@ -787,7 +791,7 @@ void HTTP_Message::Weird(const char* msg)
} }
HTTP_Analyzer::HTTP_Analyzer(Connection* conn) HTTP_Analyzer::HTTP_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer("HTTP", conn) : tcp::TCP_ApplicationAnalyzer("HTTP", conn)
{ {
num_requests = num_replies = 0; num_requests = num_replies = 0;
num_request_lines = num_reply_lines = 0; num_request_lines = num_reply_lines = 0;
@ -807,10 +811,10 @@ HTTP_Analyzer::HTTP_Analyzer(Connection* conn)
reply_code = 0; reply_code = 0;
reply_reason_phrase = 0; reply_reason_phrase = 0;
content_line_orig = new ContentLine_Analyzer(conn, true); content_line_orig = new tcp::ContentLine_Analyzer(conn, true);
AddSupportAnalyzer(content_line_orig); AddSupportAnalyzer(content_line_orig);
content_line_resp = new ContentLine_Analyzer(conn, false); content_line_resp = new tcp::ContentLine_Analyzer(conn, false);
content_line_resp->SetSkipPartial(true); content_line_resp->SetSkipPartial(true);
AddSupportAnalyzer(content_line_resp); AddSupportAnalyzer(content_line_resp);
} }
@ -828,7 +832,7 @@ void HTTP_Analyzer::Done()
if ( IsFinished() ) if ( IsFinished() )
return; return;
TCP_ApplicationAnalyzer::Done(); tcp::TCP_ApplicationAnalyzer::Done();
RequestMade(1, "message interrupted when connection done"); RequestMade(1, "message interrupted when connection done");
ReplyMade(1, "message interrupted when connection done"); ReplyMade(1, "message interrupted when connection done");
@ -850,7 +854,7 @@ void HTTP_Analyzer::Done()
void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
{ {
TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
if ( TCP() && TCP()->IsPartial() ) if ( TCP() && TCP()->IsPartial() )
return; return;
@ -858,7 +862,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
const char* line = reinterpret_cast<const char*>(data); const char* line = reinterpret_cast<const char*>(data);
const char* end_of_line = line + len; const char* end_of_line = line + len;
ContentLine_Analyzer* content_line = tcp::ContentLine_Analyzer* content_line =
is_orig ? content_line_orig : content_line_resp; is_orig ? content_line_orig : content_line_resp;
if ( content_line->IsPlainDelivery() ) if ( content_line->IsPlainDelivery() )
@ -907,7 +911,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
{ {
if ( ! RequestExpected() ) if ( ! RequestExpected() )
HTTP_Event("crud_trailing_HTTP_request", HTTP_Event("crud_trailing_HTTP_request",
new_string_val(line, end_of_line)); mime::new_string_val(line, end_of_line));
else else
{ {
// We do see HTTP requests with a // We do see HTTP requests with a
@ -986,20 +990,20 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
void HTTP_Analyzer::Undelivered(int seq, int len, bool is_orig) void HTTP_Analyzer::Undelivered(int seq, int len, bool is_orig)
{ {
TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
// DEBUG_MSG("Undelivered from %d: %d bytes\n", seq, length); // DEBUG_MSG("Undelivered from %d: %d bytes\n", seq, length);
HTTP_Message* msg = HTTP_Message* msg =
is_orig ? request_message : reply_message; is_orig ? request_message : reply_message;
ContentLine_Analyzer* content_line = tcp::ContentLine_Analyzer* content_line =
is_orig ? content_line_orig : content_line_resp; is_orig ? content_line_orig : content_line_resp;
if ( ! content_line->IsSkippedContents(seq, len) ) if ( ! content_line->IsSkippedContents(seq, len) )
{ {
if ( msg ) if ( msg )
msg->SubmitEvent(MIME_EVENT_CONTENT_GAP, msg->SubmitEvent(mime::MIME_EVENT_CONTENT_GAP,
fmt("seq=%d, len=%d", seq, len)); fmt("seq=%d, len=%d", seq, len));
} }
@ -1030,7 +1034,7 @@ void HTTP_Analyzer::Undelivered(int seq, int len, bool is_orig)
void HTTP_Analyzer::EndpointEOF(bool is_orig) void HTTP_Analyzer::EndpointEOF(bool is_orig)
{ {
TCP_ApplicationAnalyzer::EndpointEOF(is_orig); tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
// DEBUG_MSG("%.6f eof\n", network_time); // DEBUG_MSG("%.6f eof\n", network_time);
@ -1042,7 +1046,7 @@ void HTTP_Analyzer::EndpointEOF(bool is_orig)
void HTTP_Analyzer::ConnectionFinished(int half_finished) void HTTP_Analyzer::ConnectionFinished(int half_finished)
{ {
TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished);
// DEBUG_MSG("%.6f connection finished\n", network_time); // DEBUG_MSG("%.6f connection finished\n", network_time);
RequestMade(1, "message ends as connection is finished"); RequestMade(1, "message ends as connection is finished");
@ -1051,7 +1055,7 @@ void HTTP_Analyzer::ConnectionFinished(int half_finished)
void HTTP_Analyzer::ConnectionReset() void HTTP_Analyzer::ConnectionReset()
{ {
TCP_ApplicationAnalyzer::ConnectionReset(); tcp::TCP_ApplicationAnalyzer::ConnectionReset();
RequestMade(1, "message interrupted by RST"); RequestMade(1, "message interrupted by RST");
ReplyMade(1, "message interrupted by RST"); ReplyMade(1, "message interrupted by RST");
@ -1059,7 +1063,7 @@ void HTTP_Analyzer::ConnectionReset()
void HTTP_Analyzer::PacketWithRST() void HTTP_Analyzer::PacketWithRST()
{ {
TCP_ApplicationAnalyzer::PacketWithRST(); tcp::TCP_ApplicationAnalyzer::PacketWithRST();
RequestMade(1, "message interrupted by RST"); RequestMade(1, "message interrupted by RST");
ReplyMade(1, "message interrupted by RST"); ReplyMade(1, "message interrupted by RST");
@ -1203,10 +1207,10 @@ int HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line)
version_end = version_start + 3; version_end = version_start + 3;
if ( skip_whitespace(version_end, end_of_line) != end_of_line ) if ( skip_whitespace(version_end, end_of_line) != end_of_line )
HTTP_Event("crud after HTTP version is ignored", HTTP_Event("crud after HTTP version is ignored",
new_string_val(line, end_of_line)); mime::new_string_val(line, end_of_line));
} }
else else
HTTP_Event("bad_HTTP_version", new_string_val(line, end_of_line)); HTTP_Event("bad_HTTP_version", mime::new_string_val(line, end_of_line));
} }
// NormalizeURI(line, end_of_uri); // NormalizeURI(line, end_of_uri);
@ -1230,7 +1234,7 @@ double HTTP_Analyzer::HTTP_Version(int len, const char* data)
} }
else else
{ {
HTTP_Event("bad_HTTP_version", new_string_val(len, data)); HTTP_Event("bad_HTTP_version", mime::new_string_val(len, data));
return 0; return 0;
} }
} }
@ -1409,20 +1413,20 @@ int HTTP_Analyzer::HTTP_ReplyLine(const char* line, const char* end_of_line)
// ##TODO: some server replies with an HTML document // ##TODO: some server replies with an HTML document
// without a status line and a MIME header, when the // without a status line and a MIME header, when the
// request is malformed. // request is malformed.
HTTP_Event("bad_HTTP_reply", new_string_val(line, end_of_line)); HTTP_Event("bad_HTTP_reply", mime::new_string_val(line, end_of_line));
return 0; return 0;
} }
SetVersion(reply_version, HTTP_Version(end_of_line - rest, rest)); SetVersion(reply_version, HTTP_Version(end_of_line - rest, rest));
for ( ; rest < end_of_line; ++rest ) for ( ; rest < end_of_line; ++rest )
if ( is_lws(*rest) ) if ( mime::is_lws(*rest) )
break; break;
if ( rest >= end_of_line ) if ( rest >= end_of_line )
{ {
HTTP_Event("HTTP_reply_code_missing", HTTP_Event("HTTP_reply_code_missing",
new_string_val(line, end_of_line)); mime::new_string_val(line, end_of_line));
return 0; return 0;
} }
@ -1431,20 +1435,20 @@ int HTTP_Analyzer::HTTP_ReplyLine(const char* line, const char* end_of_line)
if ( rest + 3 > end_of_line ) if ( rest + 3 > end_of_line )
{ {
HTTP_Event("HTTP_reply_code_missing", HTTP_Event("HTTP_reply_code_missing",
new_string_val(line, end_of_line)); mime::new_string_val(line, end_of_line));
return 0; return 0;
} }
reply_code = HTTP_ReplyCode(rest); reply_code = HTTP_ReplyCode(rest);
for ( rest += 3; rest < end_of_line; ++rest ) for ( rest += 3; rest < end_of_line; ++rest )
if ( is_lws(*rest) ) if ( mime::is_lws(*rest) )
break; break;
if ( rest >= end_of_line ) if ( rest >= end_of_line )
{ {
HTTP_Event("HTTP_reply_reason_phrase_missing", HTTP_Event("HTTP_reply_reason_phrase_missing",
new_string_val(line, end_of_line)); mime::new_string_val(line, end_of_line));
// Tolerate missing reason phrase? // Tolerate missing reason phrase?
return 1; return 1;
} }
@ -1491,7 +1495,7 @@ int HTTP_Analyzer::ExpectReplyMessageBody()
return HTTP_BODY_EXPECTED; return HTTP_BODY_EXPECTED;
} }
void HTTP_Analyzer::HTTP_Header(int is_orig, MIME_Header* h) void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h)
{ {
#if 0 #if 0
// ### Only call ParseVersion if we're tracking versions: // ### Only call ParseVersion if we're tracking versions:
@ -1508,16 +1512,16 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, MIME_Header* h)
// side, and if seen assume the connection to be persistent. // side, and if seen assume the connection to be persistent.
// This seems fairly safe - at worst, the client does indeed // This seems fairly safe - at worst, the client does indeed
// send additional requests, and the server ignores them. // send additional requests, and the server ignores them.
if ( is_orig && strcasecmp_n(h->get_name(), "connection") == 0 ) if ( is_orig && mime::strcasecmp_n(h->get_name(), "connection") == 0 )
{ {
if ( strcasecmp_n(h->get_value_token(), "keep-alive") == 0 ) if ( mime::strcasecmp_n(h->get_value_token(), "keep-alive") == 0 )
keep_alive = 1; keep_alive = 1;
} }
if ( ! is_orig && if ( ! is_orig &&
strcasecmp_n(h->get_name(), "connection") == 0 ) mime::strcasecmp_n(h->get_name(), "connection") == 0 )
{ {
if ( strcasecmp_n(h->get_value_token(), "close") == 0 ) if ( mime::strcasecmp_n(h->get_value_token(), "close") == 0 )
connection_close = 1; connection_close = 1;
} }
@ -1540,8 +1544,8 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, MIME_Header* h)
val_list* vl = new val_list(); val_list* vl = new val_list();
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(is_orig, TYPE_BOOL)); vl->append(new Val(is_orig, TYPE_BOOL));
vl->append(new_string_val(h->get_name())->ToUpper()); vl->append(mime::new_string_val(h->get_name())->ToUpper());
vl->append(new_string_val(h->get_value())); vl->append(mime::new_string_val(h->get_value()));
if ( DEBUG_http ) if ( DEBUG_http )
DEBUG_MSG("%.6f http_header\n", network_time); DEBUG_MSG("%.6f http_header\n", network_time);
ConnectionEvent(http_header, vl); ConnectionEvent(http_header, vl);
@ -1570,7 +1574,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host,
while ( len > 0 ) while ( len > 0 )
{ {
// Skip white space. // Skip white space.
while ( len && is_lws(*data) ) while ( len && mime::is_lws(*data) )
{ {
++data; ++data;
--len; --len;
@ -1583,7 +1587,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host,
// Find end of comment. // Find end of comment.
const char* data_start = data; const char* data_start = data;
const char* eoc = const char* eoc =
data + MIME_skip_lws_comments(len, data); data + mime::MIME_skip_lws_comments(len, data);
// Split into parts. // Split into parts.
// (This may get confused by nested comments, // (This may get confused by nested comments,
@ -1593,7 +1597,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host,
while ( 1 ) while ( 1 )
{ {
// Eat spaces. // Eat spaces.
while ( data < eoc && is_lws(*data) ) while ( data < eoc && mime::is_lws(*data) )
++data; ++data;
// Find end of token. // Find end of token.
@ -1606,7 +1610,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host,
break; break;
// Delete spaces at end of token. // Delete spaces at end of token.
for ( ; eot > data && is_lws(*(eot-1)); --eot ) for ( ; eot > data && mime::is_lws(*(eot-1)); --eot )
; ;
if ( data != eot && software_version_found ) if ( data != eot && software_version_found )
@ -1619,7 +1623,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host,
continue; continue;
} }
offset = MIME_get_slash_token_pair(len, data, offset = mime::MIME_get_slash_token_pair(len, data,
&product, &product_version); &product, &product_version);
if ( offset < 0 ) if ( offset < 0 )
{ {
@ -1627,10 +1631,10 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host,
// so we do not complain in the final version // so we do not complain in the final version
if ( num_version == 0 ) if ( num_version == 0 )
HTTP_Event("bad_HTTP_version", HTTP_Event("bad_HTTP_version",
new_string_val(len, data)); mime::new_string_val(len, data));
// Try to simply skip next token. // Try to simply skip next token.
offset = MIME_get_token(len, data, &product); offset = mime::MIME_get_token(len, data, &product);
if ( offset < 0 ) if ( offset < 0 )
break; break;
@ -1694,7 +1698,7 @@ void HTTP_Analyzer::HTTP_MessageDone(int is_orig, HTTP_Message* /* message */)
ReplyMade(0, "message ends normally"); ReplyMade(0, "message ends normally");
} }
void HTTP_Analyzer::InitHTTPMessage(ContentLine_Analyzer* cl, HTTP_Message*& message, void HTTP_Analyzer::InitHTTPMessage(tcp::ContentLine_Analyzer* cl, HTTP_Message*& message,
bool is_orig, int expect_body, int64_t init_header_length) bool is_orig, int expect_body, int64_t init_header_length)
{ {
if ( message ) if ( message )
@ -1718,24 +1722,24 @@ void HTTP_Analyzer::SkipEntityData(int is_orig)
msg->SkipEntityData(); msg->SkipEntityData();
} }
int is_reserved_URI_char(unsigned char ch) int analyzer::http::is_reserved_URI_char(unsigned char ch)
{ // see RFC 2396 (definition of URI) { // see RFC 2396 (definition of URI)
return strchr(";/?:@&=+$,", ch) != 0; return strchr(";/?:@&=+$,", ch) != 0;
} }
int is_unreserved_URI_char(unsigned char ch) int analyzer::http::is_unreserved_URI_char(unsigned char ch)
{ // see RFC 2396 (definition of URI) { // see RFC 2396 (definition of URI)
return isalnum(ch) || strchr("-_.!~*\'()", ch) != 0; return isalnum(ch) || strchr("-_.!~*\'()", ch) != 0;
} }
void escape_URI_char(unsigned char ch, unsigned char*& p) void analyzer::http::escape_URI_char(unsigned char ch, unsigned char*& p)
{ {
*p++ = '%'; *p++ = '%';
*p++ = encode_hex((ch >> 4) & 0xf); *p++ = encode_hex((ch >> 4) & 0xf);
*p++ = encode_hex(ch & 0xf); *p++ = encode_hex(ch & 0xf);
} }
BroString* unescape_URI(const u_char* line, const u_char* line_end, BroString* analyzer::http::unescape_URI(const u_char* line, const u_char* line_end,
analyzer::Analyzer* analyzer) analyzer::Analyzer* analyzer)
{ {
byte_vec decoded_URI = new u_char[line_end - line + 1]; byte_vec decoded_URI = new u_char[line_end - line + 1];


@ -6,13 +6,15 @@
#include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/TCP.h"
#include "analyzer/protocols/tcp/ContentLine.h" #include "analyzer/protocols/tcp/ContentLine.h"
#include "analyzer/protocols/zip/ZIP.h" #include "analyzer/protocols/zip/ZIP.h"
#include "MIME.h" #include "analyzer/protocols/mime/MIME.h"
#include "binpac_bro.h" #include "binpac_bro.h"
#include "IPAddr.h" #include "IPAddr.h"
#include "events.bif.h" #include "events.bif.h"
#include "HTTP.h" #include "HTTP.h"
namespace analyzer { namespace http {
enum CHUNKED_TRANSFER_STATE { enum CHUNKED_TRANSFER_STATE {
NON_CHUNKED_TRANSFER, NON_CHUNKED_TRANSFER,
BEFORE_CHUNK, BEFORE_CHUNK,
@ -27,7 +29,7 @@ class HTTP_Entity;
class HTTP_Message; class HTTP_Message;
class HTTP_Analyzer; class HTTP_Analyzer;
class HTTP_Entity : public MIME_Entity { class HTTP_Entity : public mime::MIME_Entity {
public: public:
HTTP_Entity(HTTP_Message* msg, MIME_Entity* parent_entity, HTTP_Entity(HTTP_Message* msg, MIME_Entity* parent_entity,
int expect_body); int expect_body);
@ -57,7 +59,7 @@ protected:
int64_t header_length; int64_t header_length;
int deliver_body; int deliver_body;
enum { IDENTITY, GZIP, COMPRESS, DEFLATE } encoding; enum { IDENTITY, GZIP, COMPRESS, DEFLATE } encoding;
ZIP_Analyzer* zip; zip::ZIP_Analyzer* zip;
MIME_Entity* NewChildEntity() { return new HTTP_Entity(http_message, this, 1); } MIME_Entity* NewChildEntity() { return new HTTP_Entity(http_message, this, 1); }
@ -68,7 +70,7 @@ protected:
void SetPlainDelivery(int64_t length); void SetPlainDelivery(int64_t length);
void SubmitHeader(MIME_Header* h); void SubmitHeader(mime::MIME_Header* h);
void SubmitAllHeaders(); void SubmitAllHeaders();
}; };
@ -89,9 +91,9 @@ enum {
// HTTP_Message::EndEntity -> Message::Done // HTTP_Message::EndEntity -> Message::Done
// HTTP_MessageDone -> {Request,Reply}Made // HTTP_MessageDone -> {Request,Reply}Made
class HTTP_Message : public MIME_Message { class HTTP_Message : public mime::MIME_Message {
public: public:
HTTP_Message(HTTP_Analyzer* analyzer, ContentLine_Analyzer* cl, HTTP_Message(HTTP_Analyzer* analyzer, tcp::ContentLine_Analyzer* cl,
bool is_orig, int expect_body, int64_t init_header_length); bool is_orig, int expect_body, int64_t init_header_length);
~HTTP_Message(); ~HTTP_Message();
void Done(const int interrupted, const char* msg); void Done(const int interrupted, const char* msg);
@ -99,16 +101,16 @@ public:
int Undelivered(int64_t len); int Undelivered(int64_t len);
void BeginEntity(MIME_Entity* /* entity */); void BeginEntity(mime::MIME_Entity* /* entity */);
void EndEntity(MIME_Entity* entity); void EndEntity(mime::MIME_Entity* entity);
void SubmitHeader(MIME_Header* h); void SubmitHeader(mime::MIME_Header* h);
void SubmitAllHeaders(MIME_HeaderList& /* hlist */); void SubmitAllHeaders(mime::MIME_HeaderList& /* hlist */);
void SubmitData(int len, const char* buf); void SubmitData(int len, const char* buf);
int RequestBuffer(int* plen, char** pbuf); int RequestBuffer(int* plen, char** pbuf);
void SubmitAllData(); void SubmitAllData();
void SubmitEvent(int event_type, const char* detail); void SubmitEvent(int event_type, const char* detail);
void SubmitTrailingHeaders(MIME_HeaderList& /* hlist */); void SubmitTrailingHeaders(mime::MIME_HeaderList& /* hlist */);
void SetPlainDelivery(int64_t length); void SetPlainDelivery(int64_t length);
void SkipEntityData(); void SkipEntityData();
@ -120,7 +122,7 @@ public:
protected: protected:
HTTP_Analyzer* analyzer; HTTP_Analyzer* analyzer;
ContentLine_Analyzer* content_line; tcp::ContentLine_Analyzer* content_line;
bool is_orig; bool is_orig;
vector<const BroString*> buffers; vector<const BroString*> buffers;
@ -148,14 +150,14 @@ protected:
Val* BuildMessageStat(const int interrupted, const char* msg); Val* BuildMessageStat(const int interrupted, const char* msg);
}; };
class HTTP_Analyzer : public TCP_ApplicationAnalyzer { class HTTP_Analyzer : public tcp::TCP_ApplicationAnalyzer {
public: public:
HTTP_Analyzer(Connection* conn); HTTP_Analyzer(Connection* conn);
~HTTP_Analyzer(); ~HTTP_Analyzer();
void Undelivered(TCP_Endpoint* sender, int seq, int len); void Undelivered(tcp::TCP_Endpoint* sender, int seq, int len);
void HTTP_Header(int is_orig, MIME_Header* h); void HTTP_Header(int is_orig, mime::MIME_Header* h);
void HTTP_EntityData(int is_orig, const BroString* entity_data); void HTTP_EntityData(int is_orig, const BroString* entity_data);
void HTTP_MessageDone(int is_orig, HTTP_Message* message); void HTTP_MessageDone(int is_orig, HTTP_Message* message);
void HTTP_Event(const char* category, const char* detail); void HTTP_Event(const char* category, const char* detail);
@ -171,7 +173,7 @@ public:
virtual void DeliverStream(int len, const u_char* data, bool orig); virtual void DeliverStream(int len, const u_char* data, bool orig);
virtual void Undelivered(int seq, int len, bool orig); virtual void Undelivered(int seq, int len, bool orig);
// Overriden from TCP_ApplicationAnalyzer // Overriden from tcp::TCP_ApplicationAnalyzer
virtual void EndpointEOF(bool is_orig); virtual void EndpointEOF(bool is_orig);
virtual void ConnectionFinished(int half_finished); virtual void ConnectionFinished(int half_finished);
virtual void ConnectionReset(); virtual void ConnectionReset();
@ -192,7 +194,7 @@ protected:
int HTTP_RequestLine(const char* line, const char* end_of_line); int HTTP_RequestLine(const char* line, const char* end_of_line);
int HTTP_ReplyLine(const char* line, const char* end_of_line); int HTTP_ReplyLine(const char* line, const char* end_of_line);
void InitHTTPMessage(ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig, void InitHTTPMessage(tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig,
int expect_body, int64_t init_header_length); int expect_body, int64_t init_header_length);
const char* PrefixMatch(const char* line, const char* end_of_line, const char* PrefixMatch(const char* line, const char* end_of_line,
@ -244,8 +246,8 @@ protected:
int reply_code; int reply_code;
Val* reply_reason_phrase; Val* reply_reason_phrase;
ContentLine_Analyzer* content_line_orig; tcp::ContentLine_Analyzer* content_line_orig;
ContentLine_Analyzer* content_line_resp; tcp::ContentLine_Analyzer* content_line_resp;
HTTP_Message* request_message; HTTP_Message* request_message;
HTTP_Message* reply_message; HTTP_Message* reply_message;
@ -257,4 +259,6 @@ extern void escape_URI_char(unsigned char ch, unsigned char*& p);
extern BroString* unescape_URI(const u_char* line, const u_char* line_end, extern BroString* unescape_URI(const u_char* line, const u_char* line_end,
analyzer::Analyzer* analyzer); analyzer::Analyzer* analyzer);
} } // namespace analyzer::*
#endif #endif
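Review bot: The `HTTP_Entity` constructor parameter `MIME_Entity* parent_entity` and the `MIME_Entity* NewChildEntity()` member are left unqualified while every other signature in this header was updated to `mime::MIME_Entity`; they still resolve only because the base class's injected-class-name is visible inside the derived class scope, which is easy to break if the inheritance ever changes. For consistency and clarity, qualify them too: `HTTP_Entity(HTTP_Message* msg, mime::MIME_Entity* parent_entity,` and `mime::MIME_Entity* NewChildEntity() { return new HTTP_Entity(http_message, this, 1); }`. The closing `} } // namespace analyzer::*` would also be more useful as `} } // namespace analyzer::http`, since the file-end comment is the only hint of which nested namespace is being closed.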


@ -5,6 +5,6 @@
BRO_PLUGIN_BEGIN(HTTP) BRO_PLUGIN_BEGIN(HTTP)
BRO_PLUGIN_DESCRIPTION("HTTP Analyzer"); BRO_PLUGIN_DESCRIPTION("HTTP Analyzer");
BRO_PLUGIN_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("HTTP", http::HTTP_Analyzer);
BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END BRO_PLUGIN_END

View file

@ -20,7 +20,7 @@ function skip_http_entity_data%(c: connection, is_orig: bool%): any
if ( ha ) if ( ha )
{ {
if ( ha->IsAnalyzer("HTTP") ) if ( ha->IsAnalyzer("HTTP") )
static_cast<HTTP_Analyzer*>(ha)->SkipEntityData(is_orig); static_cast<analyzer::http::HTTP_Analyzer*>(ha)->SkipEntityData(is_orig);
else else
reporter->Error("non-HTTP analyzer associated with connection record"); reporter->Error("non-HTTP analyzer associated with connection record");
} }
@ -52,5 +52,5 @@ function unescape_URI%(URI: string%): string
const u_char* line = URI->Bytes(); const u_char* line = URI->Bytes();
const u_char* const line_end = line + URI->Len(); const u_char* const line_end = line + URI->Len();
return new StringVal(unescape_URI(line, line_end, 0)); return new StringVal(analyzer::http::unescape_URI(line, line_end, 0));
%} %}


@ -10,8 +10,12 @@
#include "ICMP.h" #include "ICMP.h"
#include "Conn.h" #include "Conn.h"
#include "events.bif.h"
#include <netinet/icmp6.h> #include <netinet/icmp6.h>
using namespace analyzer::icmp;
ICMP_Analyzer::ICMP_Analyzer(Connection* c) ICMP_Analyzer::ICMP_Analyzer(Connection* c)
: TransportLayerAnalyzer("ICMP", c) : TransportLayerAnalyzer("ICMP", c)
{ {
@ -828,7 +832,7 @@ VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
return vv; return vv;
} }
int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way) int analyzer::icmp::ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
{ {
is_one_way = false; is_one_way = false;
@ -855,7 +859,7 @@ int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
} }
} }
int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way) int analyzer::icmp::ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
{ {
is_one_way = false; is_one_way = false;
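Review bot: The free functions are now defined as `int analyzer::icmp::ICMP4_counterpart(...)` and `int analyzer::icmp::ICMP6_counterpart(...)` while the file also has `using namespace analyzer::icmp;` at file scope; that explicit qualifier is load-bearing, because a using-directive does not make an unqualified definition a member of the namespace, so a future cleanup dropping it would silently define new global functions and leave the ones declared in ICMP.h unresolved at link time. Since nothing in the file says this, add a comment next to the using-directive, e.g. `// NOTE: free functions below keep the explicit analyzer::icmp:: qualifier on purpose; a using-directive does not place unqualified definitions into the namespace.`. The bodies of both counterpart functions continue outside the hunk.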


@ -6,6 +6,8 @@
#include "RuleMatcher.h" #include "RuleMatcher.h"
#include "analyzer/Analyzer.h" #include "analyzer/Analyzer.h"
namespace analyzer { namespace icmp {
typedef enum { typedef enum {
ICMP_INACTIVE, // no packet seen ICMP_INACTIVE, // no packet seen
ICMP_ACTIVE, // packets seen ICMP_ACTIVE, // packets seen
@ -92,4 +94,6 @@ private:
extern int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way); extern int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way);
extern int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way); extern int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way);
} } // namespace analyzer::*
#endif #endif


@ -5,6 +5,6 @@
BRO_PLUGIN_BEGIN(ICMP) BRO_PLUGIN_BEGIN(ICMP)
BRO_PLUGIN_DESCRIPTION("ICMP Analyzer"); BRO_PLUGIN_DESCRIPTION("ICMP Analyzer");
BRO_PLUGIN_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("ICMP", icmp::ICMP_Analyzer);
BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END BRO_PLUGIN_END


@ -0,0 +1,300 @@
## Generated for all ICMP messages that are not handled separately with
## dedicated ICMP events. Bro's ICMP analyzer handles a number of ICMP messages
## directly with dedicated events. This event acts as a fallback for those it
## doesn't.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard
## connection record *c*.
##
## .. bro:see:: icmp_error_message
event icmp_sent%(c: connection, icmp: icmp_conn%);
## Generated for ICMP *echo request* messages.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard
## connection record *c*.
##
## id: The *echo request* identifier.
##
## seq: The *echo request* sequence number.
##
## payload: The message-specific data of the packet payload, i.e., everything
## after the first 8 bytes of the ICMP header.
##
## .. bro:see:: icmp_echo_reply
event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
## Generated for ICMP *echo reply* messages.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## id: The *echo reply* identifier.
##
## seq: The *echo reply* sequence number.
##
## payload: The message-specific data of the packet payload, i.e., everything
## after the first 8 bytes of the ICMP header.
##
## .. bro:see:: icmp_echo_request
event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
## Generated for all ICMPv6 error messages that are not handled
## separately with dedicated events. Bro's ICMP analyzer handles a number
## of ICMP error messages directly with dedicated events. This event acts
## as a fallback for those it doesn't.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/ICMPv6>`__ for more
## information about the ICMPv6 protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard
## connection record *c*.
##
## code: The ICMP code of the error message.
##
## context: A record with specifics of the original packet that the message
## refers to.
##
## .. bro:see:: icmp_unreachable icmp_packet_too_big
## icmp_time_exceeded icmp_parameter_problem
event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
## Generated for ICMP *destination unreachable* messages.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## code: The ICMP code of the *unreachable* message.
##
## context: A record with specifics of the original packet that the message
## refers to. *Unreachable* messages should include the original IP
## header from the packet that triggered them, and Bro parses that
## into the *context* structure. Note that if the *unreachable*
## includes only a partial IP header for some reason, no
## fields of *context* will be filled out.
##
## .. bro:see:: icmp_error_message icmp_packet_too_big
## icmp_time_exceeded icmp_parameter_problem
event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
## Generated for ICMPv6 *packet too big* messages.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/ICMPv6>`__ for more
## information about the ICMPv6 protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## code: The ICMP code of the *too big* message.
##
## context: A record with specifics of the original packet that the message
## refers to. *Too big* messages should include the original IP header
## from the packet that triggered them, and Bro parses that into
## the *context* structure. Note that if the *too big* includes only
## a partial IP header for some reason, no fields of *context* will
## be filled out.
##
## .. bro:see:: icmp_error_message icmp_unreachable
## icmp_time_exceeded icmp_parameter_problem
event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
## Generated for ICMP *time exceeded* messages.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## code: The ICMP code of the *exceeded* message.
##
## context: A record with specifics of the original packet that the message
## refers to. *Unreachable* messages should include the original IP
## header from the packet that triggered them, and Bro parses that
## into the *context* structure. Note that if the *exceeded* includes
## only a partial IP header for some reason, no fields of *context*
## will be filled out.
##
## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
## icmp_parameter_problem
event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
## Generated for ICMPv6 *parameter problem* messages.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/ICMPv6>`__ for more
## information about the ICMPv6 protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## code: The ICMP code of the *parameter problem* message.
##
## context: A record with specifics of the original packet that the message
## refers to. *Parameter problem* messages should include the original
## IP header from the packet that triggered them, and Bro parses that
## into the *context* structure. Note that if the *parameter problem*
## includes only a partial IP header for some reason, no fields
## of *context* will be filled out.
##
## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
## icmp_time_exceeded
event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
## Generated for ICMP *router solicitation* messages.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
##
## .. bro:see:: icmp_router_advertisement
## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_nd_options%);
## Generated for ICMP *router advertisement* messages.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## cur_hop_limit: The default value that should be placed in Hop Count field
## for outgoing IP packets.
##
## managed: Managed address configuration flag, :rfc:`4861`.
##
## other: Other stateful configuration flag, :rfc:`4861`.
##
## home_agent: Mobile IPv6 home agent flag, :rfc:`3775`.
##
## pref: Router selection preferences, :rfc:`4191`.
##
## proxy: Neighbor discovery proxy flag, :rfc:`4389`.
##
## rsv: Remaining two reserved bits of router advertisement flags.
##
## router_lifetime: How long this router should be used as a default router.
##
## reachable_time: How long a neighbor should be considered reachable.
##
## retrans_timer: How long a host should wait before retransmitting.
##
## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
##
## .. bro:see:: icmp_router_solicitation
## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%);
## Generated for ICMP *neighbor solicitation* messages.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## tgt: The IP address of the target of the solicitation.
##
## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
##
## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
## icmp_neighbor_advertisement icmp_redirect
event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options%);
## Generated for ICMP *neighbor advertisement* messages.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## router: Flag indicating the sender is a router.
##
## solicited: Flag indicating advertisement is in response to a solicitation.
##
## override: Flag indicating advertisement should override existing caches.
##
## tgt: the Target Address in the soliciting message or the address whose
## link-layer address has changed for unsolicited adverts.
##
## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
##
## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
## icmp_neighbor_solicitation icmp_redirect
event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%);
## Generated for ICMP *redirect* messages.
##
## See `Wikipedia
## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
## information about the ICMP protocol.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard connection
## record *c*.
##
## tgt: The address that is supposed to be a better first hop to use for
## ICMP Destination Address.
##
## dest: The address of the destination which is redirected to the target.
##
## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
##
## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
## icmp_neighbor_solicitation icmp_neighbor_advertisement
event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options%);
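Review bot: The `context` description for `icmp_time_exceeded` says "*Unreachable* messages should include the original IP header", which is a copy-paste from `icmp_unreachable`; it should read `*Time exceeded* messages should include the original IP header from the packet that triggered them`, so that a user reading only this event's docs is not told about the wrong message type. Separately, `icmp_router_solicitation`, `icmp_router_advertisement`, `icmp_neighbor_solicitation`, `icmp_neighbor_advertisement` and `icmp_redirect` are introduced as "ICMP" messages and link the ICMPv4 Wikipedia page, while their parameters (`options: icmp6_nd_options`, the `:rfc:`4861`` references, `home_agent`, `pref`) are Neighbor Discovery fields carried in ICMPv6. If the analyzer raises these events only for ICMPv6 traffic, the intro sentence and link should say ICMPv6, as `icmp_packet_too_big` and `icmp_parameter_problem` already do; if they can also fire for ICMPv4 router discovery, the docs should say which fields are unset in that case.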


@ -8,13 +8,17 @@
#include "Ident.h" #include "Ident.h"
#include "Event.h" #include "Event.h"
#include "events.bif.h"
using namespace analyzer::ident;
Ident_Analyzer::Ident_Analyzer(Connection* conn) Ident_Analyzer::Ident_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer("IDENT", conn) : tcp::TCP_ApplicationAnalyzer("IDENT", conn)
{ {
did_bad_reply = did_deliver = 0; did_bad_reply = did_deliver = 0;
orig_ident = new ContentLine_Analyzer(conn, true); orig_ident = new tcp::ContentLine_Analyzer(conn, true);
resp_ident = new ContentLine_Analyzer(conn, false); resp_ident = new tcp::ContentLine_Analyzer(conn, false);
orig_ident->SetIsNULSensitive(true); orig_ident->SetIsNULSensitive(true);
resp_ident->SetIsNULSensitive(true); resp_ident->SetIsNULSensitive(true);
@ -25,29 +29,29 @@ Ident_Analyzer::Ident_Analyzer(Connection* conn)
void Ident_Analyzer::Done() void Ident_Analyzer::Done()
{ {
TCP_ApplicationAnalyzer::Done(); tcp::TCP_ApplicationAnalyzer::Done();
if ( TCP() ) if ( TCP() )
if ( (! did_deliver || orig_ident->HasPartialLine()) && if ( (! did_deliver || orig_ident->HasPartialLine()) &&
(TCP()->OrigState() == TCP_ENDPOINT_CLOSED || (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED ||
TCP()->OrigPrevState() == TCP_ENDPOINT_CLOSED) && TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) &&
TCP()->OrigPrevState() != TCP_ENDPOINT_PARTIAL && TCP()->OrigPrevState() != tcp::TCP_ENDPOINT_PARTIAL &&
TCP()->RespPrevState() != TCP_ENDPOINT_PARTIAL && TCP()->RespPrevState() != tcp::TCP_ENDPOINT_PARTIAL &&
TCP()->OrigPrevState() != TCP_ENDPOINT_INACTIVE && TCP()->OrigPrevState() != tcp::TCP_ENDPOINT_INACTIVE &&
TCP()->RespPrevState() != TCP_ENDPOINT_INACTIVE ) TCP()->RespPrevState() != tcp::TCP_ENDPOINT_INACTIVE )
Weird("partial_ident_request"); Weird("partial_ident_request");
} }
void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
{ {
TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig); tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig);
int remote_port, local_port; int remote_port, local_port;
const char* line = (const char*) data; const char* line = (const char*) data;
const char* orig_line = line; const char* orig_line = line;
const char* end_of_line = line + length; const char* end_of_line = line + length;
TCP_Endpoint* s = 0; tcp::TCP_Endpoint* s = 0;
if ( TCP() ) if ( TCP() )
s = is_orig ? TCP()->Orig() : TCP()->Resp(); s = is_orig ? TCP()->Orig() : TCP()->Resp();
@ -60,9 +64,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
line = ParsePair(line, end_of_line, remote_port, local_port); line = ParsePair(line, end_of_line, remote_port, local_port);
if ( ! line ) if ( ! line )
{ {
if ( s && s->state == TCP_ENDPOINT_CLOSED && if ( s && s->state == tcp::TCP_ENDPOINT_CLOSED &&
(s->prev_state == TCP_ENDPOINT_INACTIVE || (s->prev_state == tcp::TCP_ENDPOINT_INACTIVE ||
s->prev_state == TCP_ENDPOINT_PARTIAL) ) s->prev_state == tcp::TCP_ENDPOINT_PARTIAL) )
// not surprising the request is mangled. // not surprising the request is mangled.
return; return;
@ -95,9 +99,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
if ( ! line || line == end_of_line || line[0] != ':' ) if ( ! line || line == end_of_line || line[0] != ':' )
{ {
if ( s && s->state == TCP_ENDPOINT_CLOSED && if ( s && s->state == tcp::TCP_ENDPOINT_CLOSED &&
(s->prev_state == TCP_ENDPOINT_INACTIVE || (s->prev_state == tcp::TCP_ENDPOINT_INACTIVE ||
s->prev_state == TCP_ENDPOINT_PARTIAL) ) s->prev_state == tcp::TCP_ENDPOINT_PARTIAL) )
// not surprising the request is mangled. // not surprising the request is mangled.
return; return;


@ -6,7 +6,9 @@
#include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/TCP.h"
#include "analyzer/protocols/tcp/ContentLine.h" #include "analyzer/protocols/tcp/ContentLine.h"
class Ident_Analyzer : public TCP_ApplicationAnalyzer { namespace analyzer { namespace ident {
class Ident_Analyzer : public tcp::TCP_ApplicationAnalyzer {
public: public:
Ident_Analyzer(Connection* conn); Ident_Analyzer(Connection* conn);
virtual void Done(); virtual void Done();
@ -25,11 +27,13 @@ protected:
void BadRequest(int length, const char* line); void BadRequest(int length, const char* line);
void BadReply(int length, const char* line); void BadReply(int length, const char* line);
ContentLine_Analyzer* orig_ident; tcp::ContentLine_Analyzer* orig_ident;
ContentLine_Analyzer* resp_ident; tcp::ContentLine_Analyzer* resp_ident;
unsigned int did_deliver:1; unsigned int did_deliver:1;
unsigned int did_bad_reply:1; unsigned int did_bad_reply:1;
}; };
} } // namespace analyzer::*
#endif #endif


@ -5,6 +5,6 @@
BRO_PLUGIN_BEGIN(Ident) BRO_PLUGIN_BEGIN(Ident)
BRO_PLUGIN_DESCRIPTION("Ident Analyzer"); BRO_PLUGIN_DESCRIPTION("Ident Analyzer");
BRO_PLUGIN_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("IDENT", ident::Ident_Analyzer);
BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END BRO_PLUGIN_END


@ -0,0 +1,63 @@
## Generated for Ident requests.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
## information about the Ident protocol.
##
## c: The connection.
##
## lport: The request's local port.
##
## rport: The request's remote port.
##
## .. bro:see:: ident_error ident_reply
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event ident_request%(c: connection, lport: port, rport: port%);
## Generated for Ident replies.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
## information about the Ident protocol.
##
## c: The connection.
##
## lport: The corresponding request's local port.
##
## rport: The corresponding request's remote port.
##
## user_id: The user id returned by the reply.
##
## system: The operating system returned by the reply.
##
## .. bro:see:: ident_error ident_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%);
## Generated for Ident error replies.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
## information about the Ident protocol.
##
## c: The connection.
##
## lport: The corresponding request's local port.
##
## rport: The corresponding request's remote port.
##
## line: The error description returned by the reply.
##
## .. bro:see:: ident_reply ident_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event ident_error%(c: connection, lport: port, rport: port, line: string%);


@ -7,7 +7,11 @@
#include "Net.h" #include "Net.h"
#include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/TCP.h"
InterConnEndpoint::InterConnEndpoint(TCP_Endpoint* e) #include "events.bif.h"
using namespace analyzer::interconn;
InterConnEndpoint::InterConnEndpoint(tcp::TCP_Endpoint* e)
{ {
endp = e; endp = e;
max_top_seq = 0; max_top_seq = 0;
@ -30,7 +34,7 @@ int InterConnEndpoint::DataSent(double t, int seq, int len, int caplen,
if ( len <= 0 ) if ( len <= 0 )
return 0; return 0;
if ( endp->state == TCP_ENDPOINT_PARTIAL ) if ( endp->state == tcp::TCP_ENDPOINT_PARTIAL )
is_partial = 1; is_partial = 1;
int ack = endp->AckSeq() - endp->StartSeq(); int ack = endp->AckSeq() - endp->StartSeq();
@ -153,7 +157,7 @@ int InterConnEndpoint::IsNormalKeystrokeInterarrival(double t) const
} }
InterConn_Analyzer::InterConn_Analyzer(Connection* c) InterConn_Analyzer::InterConn_Analyzer(Connection* c)
: TCP_ApplicationAnalyzer("INTERCONN", c) : tcp::TCP_ApplicationAnalyzer("INTERCONN", c)
{ {
orig_endp = resp_endp = 0; orig_endp = resp_endp = 0;
orig_stream_pos = resp_stream_pos = 1; orig_stream_pos = resp_stream_pos = 1;
@ -172,7 +176,7 @@ InterConn_Analyzer::~InterConn_Analyzer()
void InterConn_Analyzer::Init() void InterConn_Analyzer::Init()
{ {
TCP_ApplicationAnalyzer::Init(); tcp::TCP_ApplicationAnalyzer::Init();
assert(TCP()); assert(TCP());
orig_endp = new InterConnEndpoint(TCP()->Orig()); orig_endp = new InterConnEndpoint(TCP()->Orig());
@ -182,7 +186,7 @@ void InterConn_Analyzer::Init()
void InterConn_Analyzer::DeliverPacket(int len, const u_char* data, void InterConn_Analyzer::DeliverPacket(int len, const u_char* data,
bool is_orig, int seq, const IP_Hdr* ip, int caplen) bool is_orig, int seq, const IP_Hdr* ip, int caplen)
{ {
TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig,
seq, ip, caplen); seq, ip, caplen);
if ( is_orig ) if ( is_orig )
@ -193,7 +197,7 @@ void InterConn_Analyzer::DeliverPacket(int len, const u_char* data,
void InterConn_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) void InterConn_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
{ {
TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
if ( is_orig ) if ( is_orig )
{ {
@ -218,7 +222,7 @@ void InterConn_Analyzer::Done()
RemoveEvent(); RemoveEvent();
} }
TCP_ApplicationAnalyzer::Done(); tcp::TCP_ApplicationAnalyzer::Done();
} }
void InterConn_Analyzer::StatTimer(double t, int is_expire) void InterConn_Analyzer::StatTimer(double t, int is_expire)


@ -7,9 +7,11 @@
#include "Timer.h" #include "Timer.h"
#include "NetVar.h" #include "NetVar.h"
namespace analyzer { namespace interconn {
class InterConnEndpoint : public BroObj { class InterConnEndpoint : public BroObj {
public: public:
InterConnEndpoint(TCP_Endpoint* e); InterConnEndpoint(tcp::TCP_Endpoint* e);
int DataSent(double t, int seq, int len, int caplen, const u_char* data, int DataSent(double t, int seq, int len, int caplen, const u_char* data,
const IP_Hdr* ip, const struct tcphdr* tp); const IP_Hdr* ip, const struct tcphdr* tp);
@ -21,7 +23,7 @@ protected:
int IsPotentialKeystrokePacket(int len) const; int IsPotentialKeystrokePacket(int len) const;
int IsNormalKeystrokeInterarrival(double t) const; int IsNormalKeystrokeInterarrival(double t) const;
TCP_Endpoint* endp; tcp::TCP_Endpoint* endp;
double last_keystroke_time; double last_keystroke_time;
int max_top_seq; int max_top_seq;
uint32 num_pkts; uint32 num_pkts;
@ -38,7 +40,7 @@ protected:
}; };
class InterConn_Analyzer : public TCP_ApplicationAnalyzer { class InterConn_Analyzer : public tcp::TCP_ApplicationAnalyzer {
public: public:
InterConn_Analyzer(Connection* c); InterConn_Analyzer(Connection* c);
~InterConn_Analyzer(); ~InterConn_Analyzer();
@ -81,4 +83,6 @@ protected:
InterConn_Analyzer* analyzer; InterConn_Analyzer* analyzer;
}; };
} } // namespace analyzer::*
#endif #endif


@ -5,6 +5,6 @@
BRO_PLUGIN_BEGIN(InterConn) BRO_PLUGIN_BEGIN(InterConn)
BRO_PLUGIN_DESCRIPTION("InterConn Analyzer (deprecated)"); BRO_PLUGIN_DESCRIPTION("InterConn Analyzer (deprecated)");
BRO_PLUGIN_ANALYZER("INTERCONN", InterConn_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("INTERCONN", interconn::InterConn_Analyzer);
BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END BRO_PLUGIN_END


@ -0,0 +1,8 @@
# ##### Deprecated events. Proposed for removal.
## Deprecated. Will be removed.
event interconn_stats%(c: connection, os: interconn_endp_stats, rs: interconn_endp_stats%);
## Deprecated. Will be removed.
event interconn_remove_conn%(c: connection%);


@ -6,11 +6,14 @@
#include "NetVar.h" #include "NetVar.h"
#include "Event.h" #include "Event.h"
#include "analyzer/protocols/zip/ZIP.h" #include "analyzer/protocols/zip/ZIP.h"
#include "analyzer/Manager.h" #include "analyzer/Manager.h"
#include "events.bif.h"
using namespace analyzer::irc;
IRC_Analyzer::IRC_Analyzer(Connection* conn) IRC_Analyzer::IRC_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer("IRC", conn) : tcp::TCP_ApplicationAnalyzer("IRC", conn)
{ {
invalid_msg_count = 0; invalid_msg_count = 0;
invalid_msg_max_count = 20; invalid_msg_max_count = 20;
@ -18,18 +21,18 @@ IRC_Analyzer::IRC_Analyzer(Connection* conn)
resp_status = WAIT_FOR_REGISTRATION; resp_status = WAIT_FOR_REGISTRATION;
orig_zip_status = NO_ZIP; orig_zip_status = NO_ZIP;
resp_zip_status = NO_ZIP; resp_zip_status = NO_ZIP;
AddSupportAnalyzer(new ContentLine_Analyzer(conn, true)); AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, true));
AddSupportAnalyzer(new ContentLine_Analyzer(conn, false)); AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, false));
} }
void IRC_Analyzer::Done() void IRC_Analyzer::Done()
{ {
TCP_ApplicationAnalyzer::Done(); tcp::TCP_ApplicationAnalyzer::Done();
} }
void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
// check line size // check line size
if ( length > 512 ) if ( length > 512 )
@ -1158,8 +1161,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
orig_zip_status = ZIP_LOADED; orig_zip_status = ZIP_LOADED;
resp_zip_status = ZIP_LOADED; resp_zip_status = ZIP_LOADED;
AddSupportAnalyzer(new ZIP_Analyzer(Conn(), true)); AddSupportAnalyzer(new zip::ZIP_Analyzer(Conn(), true));
AddSupportAnalyzer(new ZIP_Analyzer(Conn(), false)); AddSupportAnalyzer(new zip::ZIP_Analyzer(Conn(), false));
} }
return; return;


@ -4,10 +4,12 @@
#define irc_h #define irc_h
#include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/TCP.h"
namespace analyzer { namespace irc {
/** /**
* \brief Main class for analyzing IRC traffic. * \brief Main class for analyzing IRC traffic.
*/ */
class IRC_Analyzer : public TCP_ApplicationAnalyzer { class IRC_Analyzer : public tcp::TCP_ApplicationAnalyzer {
enum { WAIT_FOR_REGISTRATION, REGISTERED, }; enum { WAIT_FOR_REGISTRATION, REGISTERED, };
enum { NO_ZIP, ACCEPT_ZIP, ZIP_LOADED, }; enum { NO_ZIP, ACCEPT_ZIP, ZIP_LOADED, };
public: public:
@ -60,4 +62,6 @@ private:
}; };
} } // namespace analyzer::*
#endif #endif


@ -5,6 +5,6 @@
BRO_PLUGIN_BEGIN(IRC) BRO_PLUGIN_BEGIN(IRC)
BRO_PLUGIN_DESCRIPTION("IRC Analyzer"); BRO_PLUGIN_DESCRIPTION("IRC Analyzer");
BRO_PLUGIN_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("IRC", irc::IRC_Analyzer);
BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END BRO_PLUGIN_END


@ -0,0 +1,799 @@
## Generated for all client-side IRC commands.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: Always true.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
## indicate the true origin of a message.
##
## command: The command.
##
## arguments: The arguments for the command.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
##
## .. note:: This event is generated only for messages that originate
## at the client-side. Commands coming in from remote trigger
## the :bro:id:`irc_message` event instead.
event irc_request%(c: connection, is_orig: bool, prefix: string,
command: string, arguments: string%);
## Generated for all IRC replies. IRC replies are sent in response to a
## request and come with a reply code.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## prefix: The optional prefix coming with the reply. IRC uses the prefix to
## indicate the true origin of a message.
##
## code: The reply code, as specified by the protocol.
##
## params: The reply's parameters.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_reply%(c: connection, is_orig: bool, prefix: string,
code: count, params: string%);
## Generated for IRC commands forwarded from the server to the client.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: Always false.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
## indicate the true origin of a message.
##
## command: The command.
##
## message: TODO.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
##
## .. note::
##
## This event is generated only for messages that are forwarded by the server
## to the client. Commands coming from client trigger the
## :bro:id:`irc_request` event instead.
event irc_message%(c: connection, is_orig: bool, prefix: string,
command: string, message: string%);
## Generated for IRC messages of type *quit*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## nick: The nickname coming with the message.
##
## message: The text included with the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: string%);
## Generated for IRC messages of type *privmsg*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## source: The source of the private communication.
##
## target: The target of the private communication.
##
## message: The text of communication.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_privmsg_message%(c: connection, is_orig: bool, source: string,
target: string, message: string%);
## Generated for IRC messages of type *notice*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## source: The source of the private communication.
##
## target: The target of the private communication.
##
## message: The text of communication.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_notice_message%(c: connection, is_orig: bool, source: string,
target: string, message: string%);
## Generated for IRC messages of type *squery*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## source: The source of the private communication.
##
## target: The target of the private communication.
##
## message: The text of communication.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_squery_message%(c: connection, is_orig: bool, source: string,
target: string, message: string%);
## Generated for IRC messages of type *join*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## info_list: The user information coming with the command.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%);
## Generated for IRC messages of type *part*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## nick: The nickname coming with the message.
##
## chans: The set of channels affected.
##
## message: The text coming with the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_password_message
event irc_part_message%(c: connection, is_orig: bool, nick: string,
chans: string_set, message: string%);
## Generated for IRC messages of type *nick*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## who: The user changing its nickname.
##
## newnick: The new nickname.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: string%);
## Generated when a server rejects an IRC nickname.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invite_message irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_invalid_nick%(c: connection, is_orig: bool%);
## Generated for an IRC reply of type *luserclient*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## users: The number of users as returned in the reply.
##
## services: The number of services as returned in the reply.
##
## servers: The number of servers as returned in the reply.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_network_info%(c: connection, is_orig: bool, users: count,
services: count, servers: count%);
## Generated for an IRC reply of type *luserme*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## users: The number of users as returned in the reply.
##
## services: The number of services as returned in the reply.
##
## servers: The number of servers as returned in the reply.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_server_info%(c: connection, is_orig: bool, users: count,
services: count, servers: count%);
## Generated for an IRC reply of type *luserchannels*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## chans: The number of channels as returned in the reply.
##
## .. bro:see:: irc_channel_topic irc_dcc_message irc_error_message irc_global_users
## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_channel_info%(c: connection, is_orig: bool, chans: count%);
## Generated for an IRC reply of type *whoreply*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## target_nick: The target nickname.
##
## channel: The channel.
##
## user: The user.
##
## host: The host.
##
## server: The server.
##
## nick: The nickname.
##
## params: The parameters.
##
## hops: The hop count.
##
## real_name: The real name.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_who_line%(c: connection, is_orig: bool, target_nick: string,
channel: string, user: string, host: string,
server: string, nick: string, params: string,
hops: count, real_name: string%);
## Generated for an IRC reply of type *namereply*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## c_type: The channel type.
##
## channel: The channel.
##
## users: The set of users.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_names_info%(c: connection, is_orig: bool, c_type: string,
channel: string, users: string_set%);
## Generated for an IRC reply of type *whoisoperator*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## nick: The nickname specified in the reply.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%);
## Generated for an IRC reply of type *whoischannels*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## nick: The nickname specified in the reply.
##
## chans: The set of channels returned.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string,
chans: string_set%);
## Generated for an IRC reply of type *whoisuser*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## nick: The nickname specified in the reply.
##
## user: The user name specified in the reply.
##
## host: The host name specified in the reply.
##
## real_name: The real name specified in the reply.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_whois_user_line%(c: connection, is_orig: bool, nick: string,
user: string, host: string, real_name: string%);
## Generated for IRC replies of type *youreoper* and *nooperhost*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## got_oper: True if the *oper* command was executed successfully
## (*youreport*) and false otherwise (*nooperhost*).
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_part_message
## irc_password_message
event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%);
## Generated for an IRC reply of type *globalusers*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
## indicate the true origin of a message.
##
## msg: The message coming with the reply.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: string%);
## Generated for an IRC reply of type *topic*.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## channel: The channel name specified in the reply.
##
## topic: The topic specified in the reply.
##
## .. bro:see:: irc_channel_info irc_dcc_message irc_error_message irc_global_users
## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: string%);
## Generated for IRC messages of type *who*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## mask: The mask specified in the message.
##
## oper: True if the operator flag was set.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%);
## Generated for IRC messages of type *whois*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## server: TODO.
##
## users: TODO.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_whois_message%(c: connection, is_orig: bool, server: string, users: string%);
## Generated for IRC messages of type *oper*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## user: The user specified in the message.
##
## password: The password specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_response irc_part_message
## irc_password_message
event irc_oper_message%(c: connection, is_orig: bool, user: string, password: string%);
## Generated for IRC messages of type *kick*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
## indicate the true origin of a message.
##
## chans: The channels specified in the message.
##
## users: The users specified in the message.
##
## comment: The comment specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_kick_message%(c: connection, is_orig: bool, prefix: string,
chans: string, users: string, comment: string%);
## Generated for IRC messages of type *error*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
## indicate the true origin of a message.
##
## message: The textual description specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_global_users
## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_error_message%(c: connection, is_orig: bool, prefix: string, message: string%);
## Generated for IRC messages of type *invite*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
## indicate the true origin of a message.
##
## nickname: The nickname specified in the message.
##
## channel: The channel specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_invite_message%(c: connection, is_orig: bool, prefix: string,
nickname: string, channel: string%);
## Generated for IRC messages of type *mode*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
## indicate the true origin of a message.
##
## params: The parameters coming with the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: string%);
## Generated for IRC messages of type *squit*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
## indicate the true origin of a message.
##
## server: The server specified in the message.
##
## message: The textual description specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_squit_message%(c: connection, is_orig: bool, prefix: string,
server: string, message: string%);
## Generated for IRC messages of type *dcc*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## prefix: The optional prefix coming with the command. IRC uses the prefix to
## indicate the true origin of a message.
##
## target: The target specified in the message.
##
## dcc_type: The DCC type specified in the message.
##
## argument: The argument specified in the message.
##
## address: The address specified in the message.
##
## dest_port: The destination port specified in the message.
##
## size: The size specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_error_message irc_global_users
## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
## irc_notice_message irc_oper_message irc_oper_response irc_part_message
## irc_password_message
event irc_dcc_message%(c: connection, is_orig: bool,
prefix: string, target: string,
dcc_type: string, argument: string,
address: addr, dest_port: count, size: count%);
## Generated for IRC messages of type *user*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## user: The user specified in the message.
##
## host: The host name specified in the message.
##
## server: The server name specified in the message.
##
## real_name: The real name specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message irc_password_message
event irc_user_message%(c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string%);
## Generated for IRC messages of type *password*. This event is generated for
## messages coming from both the client and the server.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
## information about the IRC protocol.
##
## c: The connection.
##
## is_orig: True if the command was sent by the originator of the TCP
## connection.
##
## password: The password specified in the message.
##
## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
## irc_part_message
event irc_password_message%(c: connection, is_orig: bool, password: string%);
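Review bot: Three parameter descriptions in the new events file are still placeholders: `irc_message` documents `message: TODO.`, and `irc_whois_message` documents both `server: TODO.` and `users: TODO.`; since this file is the generated reference for script writers, those should say what the analyzer actually puts in them before it lands. The `irc_oper_response` docstring also has a typo, `(*youreport*)`, where the reply name is `*youreoper*` as in the first sentence of that block. Separately, `irc_oper_message` and `irc_password_message` hand the credential to script-land in clear text, which is worth a one-line note on each so handlers that write to logs are aware: `## .. note:: The *password* argument is the clear-text credential as seen on the wire; handlers that log it should treat it as sensitive.`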


@ -10,6 +10,10 @@
#include "RE.h" #include "RE.h"
#include "Event.h" #include "Event.h"
#include "events.bif.h"
using namespace analyzer::login;
static RE_Matcher* re_skip_authentication = 0; static RE_Matcher* re_skip_authentication = 0;
static RE_Matcher* re_direct_login_prompts; static RE_Matcher* re_direct_login_prompts;
static RE_Matcher* re_login_prompts; static RE_Matcher* re_login_prompts;
@ -21,7 +25,7 @@ static RE_Matcher* re_login_timeouts;
static RE_Matcher* init_RE(ListVal* l); static RE_Matcher* init_RE(ListVal* l);
Login_Analyzer::Login_Analyzer(const char* name, Connection* conn) Login_Analyzer::Login_Analyzer(const char* name, Connection* conn)
: TCP_ApplicationAnalyzer(name, conn) : tcp::TCP_ApplicationAnalyzer(name, conn)
{ {
state = LOGIN_STATE_AUTHENTICATE; state = LOGIN_STATE_AUTHENTICATE;
num_user_lines_seen = lines_scanned = 0; num_user_lines_seen = lines_scanned = 0;
@ -65,7 +69,7 @@ Login_Analyzer::~Login_Analyzer()
void Login_Analyzer::DeliverStream(int length, const u_char* line, bool orig) void Login_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
char* str = new char[length+1]; char* str = new char[length+1];
@ -102,8 +106,8 @@ void Login_Analyzer::NewLine(bool orig, char* line)
if ( state == LOGIN_STATE_AUTHENTICATE ) if ( state == LOGIN_STATE_AUTHENTICATE )
{ {
if ( TCP()->OrigState() == TCP_ENDPOINT_PARTIAL || if ( TCP()->OrigState() == tcp::TCP_ENDPOINT_PARTIAL ||
TCP()->RespState() == TCP_ENDPOINT_PARTIAL ) TCP()->RespState() == tcp::TCP_ENDPOINT_PARTIAL )
state = LOGIN_STATE_CONFUSED; // unknown login state state = LOGIN_STATE_CONFUSED; // unknown login state
else else
{ {
@ -361,7 +365,7 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
void Login_Analyzer::EndpointEOF(bool orig) void Login_Analyzer::EndpointEOF(bool orig)
{ {
TCP_ApplicationAnalyzer::EndpointEOF(orig); tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig);
if ( state == LOGIN_STATE_AUTHENTICATE && HaveTypeahead() ) if ( state == LOGIN_STATE_AUTHENTICATE && HaveTypeahead() )
{ {


@ -5,6 +5,8 @@
#include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/TCP.h"
namespace analyzer { namespace login {
typedef enum { typedef enum {
LOGIN_STATE_AUTHENTICATE, // trying to authenticate LOGIN_STATE_AUTHENTICATE, // trying to authenticate
@ -19,7 +21,7 @@ typedef enum {
// Maximum # lines look after login for failure. // Maximum # lines look after login for failure.
#define MAX_LOGIN_LOOKAHEAD 10 #define MAX_LOGIN_LOOKAHEAD 10
class Login_Analyzer : public TCP_ApplicationAnalyzer { class Login_Analyzer : public tcp::TCP_ApplicationAnalyzer {
public: public:
Login_Analyzer(const char* name, Connection* conn); Login_Analyzer(const char* name, Connection* conn);
~Login_Analyzer(); ~Login_Analyzer();
@ -82,4 +84,6 @@ protected:
int saw_ploy; int saw_ploy;
}; };
} } // namespace analyzer::*
#endif #endif
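Review bot: The new `namespace analyzer { namespace login {` opens before `#define MAX_LOGIN_LOOKAHEAD 10`, so the macro now visually sits inside the namespace even though the preprocessor ignores namespaces entirely; a reader may assume it is scoped when it is still global. NVT.h in this same commit does the opposite and opens the namespace after its `TELNET_OPTION_*` defines, so the two headers are inconsistent. Either move the namespace opening below the `#define` as in NVT.h, or make it a real scoped constant, `static const int MAX_LOGIN_LOOKAHEAD = 10;`, inside the namespace. The enum and class body between the hunks are not visible here, so I have not checked whether anything else in the header relies on the macro form.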


@ -9,6 +9,8 @@
#include "Event.h" #include "Event.h"
#include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/TCP.h"
#include "events.bif.h"
#define IS_3_BYTE_OPTION(c) (c >= 251 && c <= 254) #define IS_3_BYTE_OPTION(c) (c >= 251 && c <= 254)
#define TELNET_OPT_SB 250 #define TELNET_OPT_SB 250
@ -24,6 +26,8 @@
#define TELNET_IAC 255 #define TELNET_IAC 255
using namespace analyzer::login;
TelnetOption::TelnetOption(NVT_Analyzer* arg_endp, unsigned int arg_code) TelnetOption::TelnetOption(NVT_Analyzer* arg_endp, unsigned int arg_code)
{ {
endp = arg_endp; endp = arg_endp;
@ -287,7 +291,7 @@ void TelnetEnvironmentOption::RecvSubOption(u_char* data, int len)
break; break;
} }
static_cast<TCP_ApplicationAnalyzer*> static_cast<tcp::TCP_ApplicationAnalyzer*>
(endp->Parent())->SetEnv(endp->IsOrig(), (endp->Parent())->SetEnv(endp->IsOrig(),
var_name, var_val); var_name, var_val);
} }
@ -360,7 +364,7 @@ void TelnetBinaryOption::InconsistentOption(unsigned int /* type */)
NVT_Analyzer::NVT_Analyzer(Connection* conn, bool orig) NVT_Analyzer::NVT_Analyzer(Connection* conn, bool orig)
: ContentLine_Analyzer("NVT", conn, orig) : tcp::ContentLine_Analyzer("NVT", conn, orig)
{ {
peer = 0; peer = 0;
is_suboption = last_was_IAC = pending_IAC = 0; is_suboption = last_was_IAC = pending_IAC = 0;
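Review bot: The `static_cast<tcp::TCP_ApplicationAnalyzer*>(endp->Parent())` in the RecvSubOption hunk is an unchecked downcast on the path that handles attacker-supplied Telnet ENVIRON sub-option data; if an NVT_Analyzer is ever attached under a parent that is not a TCP_ApplicationAnalyzer, the SetEnv call is undefined behavior instead of a rejected option. The commit only re-qualifies the type name, leaving that invariant implicit. Making it explicit costs little: `tcp::TCP_ApplicationAnalyzer* parent = dynamic_cast<tcp::TCP_ApplicationAnalyzer*>(endp->Parent()); if ( parent ) parent->SetEnv(endp->IsOrig(), var_name, var_val);` — or at minimum a comment stating that NVT is only ever instantiated as a child of a Login analyzer. RecvSubOption begins outside the hunk and the ownership of var_name/var_val is not visible, so if SetEnv takes ownership the skipped-call branch would also need to free them.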


@ -5,7 +5,6 @@
#include "analyzer/protocols/tcp/ContentLine.h" #include "analyzer/protocols/tcp/ContentLine.h"
#define TELNET_OPTION_BINARY 0 #define TELNET_OPTION_BINARY 0
#define TELNET_OPTION_TERMINAL 24 #define TELNET_OPTION_TERMINAL 24
#define TELNET_OPTION_AUTHENTICATE 37 #define TELNET_OPTION_AUTHENTICATE 37
@ -13,8 +12,9 @@
#define TELNET_OPTION_ENVIRON 39 #define TELNET_OPTION_ENVIRON 39
#define NUM_TELNET_OPTIONS 5 #define NUM_TELNET_OPTIONS 5
class NVT_Analyzer; namespace analyzer { namespace login {
class NVT_Analyzer;
class TelnetOption { class TelnetOption {
public: public:
@ -123,7 +123,7 @@ protected:
void InconsistentOption(unsigned int type); void InconsistentOption(unsigned int type);
}; };
class NVT_Analyzer : public ContentLine_Analyzer { class NVT_Analyzer : public tcp::ContentLine_Analyzer {
public: public:
NVT_Analyzer(Connection* conn, bool orig); NVT_Analyzer(Connection* conn, bool orig);
~NVT_Analyzer(); ~NVT_Analyzer();
@ -170,4 +170,6 @@ protected:
int num_options; int num_options;
}; };
} } // namespace analyzer::*
#endif #endif


@ -8,11 +8,11 @@
BRO_PLUGIN_BEGIN(Login) BRO_PLUGIN_BEGIN(Login)
BRO_PLUGIN_DESCRIPTION("Telnet/Rsh/Rlogin Analyzer"); BRO_PLUGIN_DESCRIPTION("Telnet/Rsh/Rlogin Analyzer");
BRO_PLUGIN_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("TELNET", login::Telnet_Analyzer);
BRO_PLUGIN_ANALYZER("RSH", Rsh_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("RSH", login::Rsh_Analyzer);
BRO_PLUGIN_ANALYZER("RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_ANALYZER("RLOGIN", login::Rlogin_Analyzer);
BRO_PLUGIN_ANALYZER("NVT", 0); BRO_PLUGIN_ANALYZER_BARE("NVT");
BRO_PLUGIN_ANALYZER("Login", 0); BRO_PLUGIN_ANALYZER_BARE("Login");
BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rsh"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rsh");
BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rlogin"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rlogin");
BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(events);
