From b2e6c9ac9a28399ac829fdc15eb4c8ab882615da Mon Sep 17 00:00:00 2001 
From: Peter Oettig Date: Thu, 9 May 2019 17:49:52 +0200 Subject: [PATCH 01/43] Initial implementation of Lower-Level analyzers --- .gitignore | 2 +- scripts/base/init-bare.zeek | 27 + scripts/base/llprotocols/__load__.zeek | 11 + .../base/llprotocols/default/__load__.zeek | 1 + scripts/base/llprotocols/default/main.zeek | 6 + .../base/llprotocols/ethernet/__load__.zeek | 1 + scripts/base/llprotocols/ethernet/main.zeek | 16 + scripts/base/llprotocols/fddi/__load__.zeek | 1 + scripts/base/llprotocols/fddi/main.zeek | 7 + .../base/llprotocols/ieee802_11/__load__.zeek | 1 + scripts/base/llprotocols/ieee802_11/main.zeek | 11 + .../ieee802_11_radio/__load__.zeek | 1 + .../llprotocols/ieee802_11_radio/main.zeek | 9 + .../base/llprotocols/linux_sll/__load__.zeek | 1 + scripts/base/llprotocols/linux_sll/main.zeek | 12 + scripts/base/llprotocols/nflog/__load__.zeek | 1 + scripts/base/llprotocols/nflog/main.zeek | 11 + scripts/base/llprotocols/null/__load__.zeek | 1 + scripts/base/llprotocols/null/main.zeek | 19 + .../base/llprotocols/ppp_serial/__load__.zeek | 1 + scripts/base/llprotocols/ppp_serial/main.zeek | 10 + scripts/base/llprotocols/pppoe/__load__.zeek | 1 + scripts/base/llprotocols/pppoe/main.zeek | 6 + scripts/base/llprotocols/vlan/__load__.zeek | 1 + scripts/base/llprotocols/vlan/main.zeek | 11 + src/CMakeLists.txt | 1 + src/Conn.h | 4 +- src/DebugLogger.cc | 7 +- src/DebugLogger.h | 15 +- src/Sessions.cc | 1 - src/analyzer/protocol/arp/ARP.cc | 24 +- src/iosource/Packet.cc | 562 ++---------------- src/iosource/Packet.h | 30 +- src/iosource/PktDumper.cc | 5 - src/iosource/PktDumper.h | 6 - src/iosource/PktSrc.cc | 10 - src/iosource/pcap/Dumper.cc | 1 - src/llanalyzer/Analyzer.cc | 47 ++ src/llanalyzer/Analyzer.h | 89 +++ src/llanalyzer/AnalyzerSet.h | 24 + src/llanalyzer/CMakeLists.txt | 21 + src/llanalyzer/Component.cc | 33 + src/llanalyzer/Component.h | 61 ++ src/llanalyzer/Config.cc | 87 +++ src/llanalyzer/Config.h | 44 ++ src/llanalyzer/Defines.h | 11 + 
src/llanalyzer/Manager.cc | 285 +++++++++ src/llanalyzer/Manager.h | 167 ++++++ src/llanalyzer/ProtocolAnalyzerSet.cc | 137 +++++ src/llanalyzer/ProtocolAnalyzerSet.h | 39 ++ src/llanalyzer/Tag.cc | 41 ++ src/llanalyzer/Tag.h | 130 ++++ src/llanalyzer/dispatchers/CMakeLists.txt | 13 + src/llanalyzer/dispatchers/Dispatcher.h | 47 ++ .../dispatchers/UniversalDispatcher.cc | 210 +++++++ .../dispatchers/UniversalDispatcher.h | 108 ++++ .../dispatchers/VectorDispatcher.cc | 122 ++++ src/llanalyzer/dispatchers/VectorDispatcher.h | 41 ++ src/llanalyzer/protocol/CMakeLists.txt | 18 + src/llanalyzer/protocol/arp/ARP.cc | 19 + src/llanalyzer/protocol/arp/ARP.h | 23 + src/llanalyzer/protocol/arp/CMakeLists.txt | 8 + src/llanalyzer/protocol/arp/Plugin.cc | 24 + .../protocol/default/CMakeLists.txt | 8 + src/llanalyzer/protocol/default/Default.cc | 28 + src/llanalyzer/protocol/default/Default.h | 23 + src/llanalyzer/protocol/default/Plugin.cc | 24 + .../protocol/ethernet/CMakeLists.txt | 8 + src/llanalyzer/protocol/ethernet/Ethernet.cc | 75 +++ src/llanalyzer/protocol/ethernet/Ethernet.h | 23 + src/llanalyzer/protocol/ethernet/Plugin.cc | 24 + src/llanalyzer/protocol/fddi/CMakeLists.txt | 8 + src/llanalyzer/protocol/fddi/FDDI.cc | 27 + src/llanalyzer/protocol/fddi/FDDI.h | 23 + src/llanalyzer/protocol/fddi/Plugin.cc | 24 + .../protocol/ieee802_11/CMakeLists.txt | 8 + .../protocol/ieee802_11/IEEE802_11.cc | 113 ++++ .../protocol/ieee802_11/IEEE802_11.h | 23 + src/llanalyzer/protocol/ieee802_11/Plugin.cc | 24 + .../protocol/ieee802_11_radio/CMakeLists.txt | 8 + .../ieee802_11_radio/IEEE802_11_Radio.cc | 38 ++ .../ieee802_11_radio/IEEE802_11_Radio.h | 23 + .../protocol/ieee802_11_radio/Plugin.cc | 23 + src/llanalyzer/protocol/ipv4/CMakeLists.txt | 8 + src/llanalyzer/protocol/ipv4/IPv4.cc | 18 + src/llanalyzer/protocol/ipv4/IPv4.h | 23 + src/llanalyzer/protocol/ipv4/Plugin.cc | 24 + src/llanalyzer/protocol/ipv6/CMakeLists.txt | 8 + src/llanalyzer/protocol/ipv6/IPv6.cc | 18 + 
src/llanalyzer/protocol/ipv6/IPv6.h | 23 + src/llanalyzer/protocol/ipv6/Plugin.cc | 23 + .../protocol/linux_sll/CMakeLists.txt | 8 + src/llanalyzer/protocol/linux_sll/LinuxSLL.cc | 34 ++ src/llanalyzer/protocol/linux_sll/LinuxSLL.h | 35 ++ src/llanalyzer/protocol/linux_sll/Plugin.cc | 24 + src/llanalyzer/protocol/mpls/CMakeLists.txt | 8 + src/llanalyzer/protocol/mpls/MPLS.cc | 55 ++ src/llanalyzer/protocol/mpls/MPLS.h | 23 + src/llanalyzer/protocol/mpls/Plugin.cc | 24 + src/llanalyzer/protocol/nflog/CMakeLists.txt | 8 + src/llanalyzer/protocol/nflog/NFLog.cc | 80 +++ src/llanalyzer/protocol/nflog/NFLog.h | 23 + src/llanalyzer/protocol/nflog/Plugin.cc | 23 + src/llanalyzer/protocol/null/CMakeLists.txt | 7 + src/llanalyzer/protocol/null/Null.cc | 27 + src/llanalyzer/protocol/null/Null.h | 23 + src/llanalyzer/protocol/null/Plugin.cc | 24 + .../protocol/ppp_serial/CMakeLists.txt | 8 + .../protocol/ppp_serial/PPPSerial.cc | 22 + .../protocol/ppp_serial/PPPSerial.h | 23 + src/llanalyzer/protocol/ppp_serial/Plugin.cc | 24 + src/llanalyzer/protocol/pppoe/CMakeLists.txt | 8 + src/llanalyzer/protocol/pppoe/PPPoE.cc | 28 + src/llanalyzer/protocol/pppoe/PPPoE.h | 23 + src/llanalyzer/protocol/pppoe/Plugin.cc | 24 + src/llanalyzer/protocol/vlan/CMakeLists.txt | 8 + src/llanalyzer/protocol/vlan/Plugin.cc | 24 + src/llanalyzer/protocol/vlan/VLAN.cc | 31 + src/llanalyzer/protocol/vlan/VLAN.h | 23 + .../protocol/wrapper/CMakeLists.txt | 8 + src/llanalyzer/protocol/wrapper/Plugin.cc | 24 + src/llanalyzer/protocol/wrapper/Wrapper.cc | 163 +++++ src/llanalyzer/protocol/wrapper/Wrapper.h | 23 + src/plugin/Component.cc | 4 + src/plugin/Component.h | 1 + src/plugin/TaggedComponent.h | 2 +- src/zeek-setup.cc | 7 + testing/btest/Baseline/core.truncation/output | 34 +- .../canonified_loaded_scripts.log | 27 +- .../canonified_loaded_scripts.log | 23 + testing/btest/Baseline/plugins.hooks/output | 50 +- .../btest/Baseline/plugins.ll-protocol/output | 9 + .../.stdout | 12 + 
testing/btest/Traces/http/get_nosyn.trace | Bin 0 -> 6069 bytes testing/btest/Traces/linuxsll-arp.pcap | Bin 0 -> 960 bytes .../plugins/ll-protocol-plugin/.btest-ignore | 0 .../plugins/ll-protocol-plugin/CMakeLists.txt | 18 + .../scripts/LLDemo/Bar/base/main.zeek | 5 + .../ll-protocol-plugin/scripts/__load__.zeek | 1 + .../plugins/ll-protocol-plugin/src/Bar.cc | 35 ++ .../plugins/ll-protocol-plugin/src/Bar.h | 22 + .../plugins/ll-protocol-plugin/src/Plugin.cc | 27 + .../plugins/ll-protocol-plugin/src/events.bif | 2 + testing/btest/plugins/ll-protocol.zeek | 14 + .../btest/plugins/pktdumper-plugin/src/Foo.cc | 1 - .../scripts/base/protocols/arp/linuxsll.test | 12 + 146 files changed, 3967 insertions(+), 613 deletions(-) create mode 100644 scripts/base/llprotocols/__load__.zeek create mode 100644 scripts/base/llprotocols/default/__load__.zeek create mode 100644 scripts/base/llprotocols/default/main.zeek create mode 100644 scripts/base/llprotocols/ethernet/__load__.zeek create mode 100644 scripts/base/llprotocols/ethernet/main.zeek create mode 100644 scripts/base/llprotocols/fddi/__load__.zeek create mode 100644 scripts/base/llprotocols/fddi/main.zeek create mode 100644 scripts/base/llprotocols/ieee802_11/__load__.zeek create mode 100644 scripts/base/llprotocols/ieee802_11/main.zeek create mode 100644 scripts/base/llprotocols/ieee802_11_radio/__load__.zeek create mode 100644 scripts/base/llprotocols/ieee802_11_radio/main.zeek create mode 100644 scripts/base/llprotocols/linux_sll/__load__.zeek create mode 100644 scripts/base/llprotocols/linux_sll/main.zeek create mode 100644 scripts/base/llprotocols/nflog/__load__.zeek create mode 100644 scripts/base/llprotocols/nflog/main.zeek create mode 100644 scripts/base/llprotocols/null/__load__.zeek create mode 100644 scripts/base/llprotocols/null/main.zeek create mode 100644 scripts/base/llprotocols/ppp_serial/__load__.zeek create mode 100644 scripts/base/llprotocols/ppp_serial/main.zeek create mode 100644 
scripts/base/llprotocols/pppoe/__load__.zeek create mode 100644 scripts/base/llprotocols/pppoe/main.zeek create mode 100644 scripts/base/llprotocols/vlan/__load__.zeek create mode 100644 scripts/base/llprotocols/vlan/main.zeek create mode 100644 src/llanalyzer/Analyzer.cc create mode 100644 src/llanalyzer/Analyzer.h create mode 100644 src/llanalyzer/AnalyzerSet.h create mode 100644 src/llanalyzer/CMakeLists.txt create mode 100644 src/llanalyzer/Component.cc create mode 100644 src/llanalyzer/Component.h create mode 100644 src/llanalyzer/Config.cc create mode 100644 src/llanalyzer/Config.h create mode 100644 src/llanalyzer/Defines.h create mode 100644 src/llanalyzer/Manager.cc create mode 100644 src/llanalyzer/Manager.h create mode 100644 src/llanalyzer/ProtocolAnalyzerSet.cc create mode 100644 src/llanalyzer/ProtocolAnalyzerSet.h create mode 100644 src/llanalyzer/Tag.cc create mode 100644 src/llanalyzer/Tag.h create mode 100644 src/llanalyzer/dispatchers/CMakeLists.txt create mode 100644 src/llanalyzer/dispatchers/Dispatcher.h create mode 100644 src/llanalyzer/dispatchers/UniversalDispatcher.cc create mode 100644 src/llanalyzer/dispatchers/UniversalDispatcher.h create mode 100644 src/llanalyzer/dispatchers/VectorDispatcher.cc create mode 100644 src/llanalyzer/dispatchers/VectorDispatcher.h create mode 100644 src/llanalyzer/protocol/CMakeLists.txt create mode 100644 src/llanalyzer/protocol/arp/ARP.cc create mode 100644 src/llanalyzer/protocol/arp/ARP.h create mode 100644 src/llanalyzer/protocol/arp/CMakeLists.txt create mode 100644 src/llanalyzer/protocol/arp/Plugin.cc create mode 100644 src/llanalyzer/protocol/default/CMakeLists.txt create mode 100644 src/llanalyzer/protocol/default/Default.cc create mode 100644 src/llanalyzer/protocol/default/Default.h create mode 100644 src/llanalyzer/protocol/default/Plugin.cc create mode 100644 src/llanalyzer/protocol/ethernet/CMakeLists.txt create mode 100644 src/llanalyzer/protocol/ethernet/Ethernet.cc create mode 100644 
src/llanalyzer/protocol/ethernet/Ethernet.h create mode 100644 src/llanalyzer/protocol/ethernet/Plugin.cc create mode 100644 src/llanalyzer/protocol/fddi/CMakeLists.txt create mode 100644 src/llanalyzer/protocol/fddi/FDDI.cc create mode 100644 src/llanalyzer/protocol/fddi/FDDI.h create mode 100644 src/llanalyzer/protocol/fddi/Plugin.cc create mode 100644 src/llanalyzer/protocol/ieee802_11/CMakeLists.txt create mode 100644 src/llanalyzer/protocol/ieee802_11/IEEE802_11.cc create mode 100644 src/llanalyzer/protocol/ieee802_11/IEEE802_11.h create mode 100644 src/llanalyzer/protocol/ieee802_11/Plugin.cc create mode 100644 src/llanalyzer/protocol/ieee802_11_radio/CMakeLists.txt create mode 100644 src/llanalyzer/protocol/ieee802_11_radio/IEEE802_11_Radio.cc create mode 100644 src/llanalyzer/protocol/ieee802_11_radio/IEEE802_11_Radio.h create mode 100644 src/llanalyzer/protocol/ieee802_11_radio/Plugin.cc create mode 100644 src/llanalyzer/protocol/ipv4/CMakeLists.txt create mode 100644 src/llanalyzer/protocol/ipv4/IPv4.cc create mode 100644 src/llanalyzer/protocol/ipv4/IPv4.h create mode 100644 src/llanalyzer/protocol/ipv4/Plugin.cc create mode 100644 src/llanalyzer/protocol/ipv6/CMakeLists.txt create mode 100644 src/llanalyzer/protocol/ipv6/IPv6.cc create mode 100644 src/llanalyzer/protocol/ipv6/IPv6.h create mode 100644 src/llanalyzer/protocol/ipv6/Plugin.cc create mode 100644 src/llanalyzer/protocol/linux_sll/CMakeLists.txt create mode 100644 src/llanalyzer/protocol/linux_sll/LinuxSLL.cc create mode 100644 src/llanalyzer/protocol/linux_sll/LinuxSLL.h create mode 100644 src/llanalyzer/protocol/linux_sll/Plugin.cc create mode 100644 src/llanalyzer/protocol/mpls/CMakeLists.txt create mode 100644 src/llanalyzer/protocol/mpls/MPLS.cc create mode 100644 src/llanalyzer/protocol/mpls/MPLS.h create mode 100644 src/llanalyzer/protocol/mpls/Plugin.cc create mode 100644 src/llanalyzer/protocol/nflog/CMakeLists.txt create mode 100644 src/llanalyzer/protocol/nflog/NFLog.cc create mode 
100644 src/llanalyzer/protocol/nflog/NFLog.h create mode 100644 src/llanalyzer/protocol/nflog/Plugin.cc create mode 100644 src/llanalyzer/protocol/null/CMakeLists.txt create mode 100644 src/llanalyzer/protocol/null/Null.cc create mode 100644 src/llanalyzer/protocol/null/Null.h create mode 100644 src/llanalyzer/protocol/null/Plugin.cc create mode 100644 src/llanalyzer/protocol/ppp_serial/CMakeLists.txt create mode 100644 src/llanalyzer/protocol/ppp_serial/PPPSerial.cc create mode 100644 src/llanalyzer/protocol/ppp_serial/PPPSerial.h create mode 100644 src/llanalyzer/protocol/ppp_serial/Plugin.cc create mode 100644 src/llanalyzer/protocol/pppoe/CMakeLists.txt create mode 100644 src/llanalyzer/protocol/pppoe/PPPoE.cc create mode 100644 src/llanalyzer/protocol/pppoe/PPPoE.h create mode 100644 src/llanalyzer/protocol/pppoe/Plugin.cc create mode 100644 src/llanalyzer/protocol/vlan/CMakeLists.txt create mode 100644 src/llanalyzer/protocol/vlan/Plugin.cc create mode 100644 src/llanalyzer/protocol/vlan/VLAN.cc create mode 100644 src/llanalyzer/protocol/vlan/VLAN.h create mode 100644 src/llanalyzer/protocol/wrapper/CMakeLists.txt create mode 100644 src/llanalyzer/protocol/wrapper/Plugin.cc create mode 100644 src/llanalyzer/protocol/wrapper/Wrapper.cc create mode 100644 src/llanalyzer/protocol/wrapper/Wrapper.h create mode 100644 testing/btest/Baseline/plugins.ll-protocol/output create mode 100644 testing/btest/Baseline/scripts.base.protocols.arp.linuxsll/.stdout create mode 100644 testing/btest/Traces/http/get_nosyn.trace create mode 100644 testing/btest/Traces/linuxsll-arp.pcap create mode 100644 testing/btest/plugins/ll-protocol-plugin/.btest-ignore create mode 100644 testing/btest/plugins/ll-protocol-plugin/CMakeLists.txt create mode 100644 testing/btest/plugins/ll-protocol-plugin/scripts/LLDemo/Bar/base/main.zeek create mode 100644 testing/btest/plugins/ll-protocol-plugin/scripts/__load__.zeek create mode 100644 testing/btest/plugins/ll-protocol-plugin/src/Bar.cc create 
mode 100644 testing/btest/plugins/ll-protocol-plugin/src/Bar.h create mode 100644 testing/btest/plugins/ll-protocol-plugin/src/Plugin.cc create mode 100644 testing/btest/plugins/ll-protocol-plugin/src/events.bif create mode 100644 testing/btest/plugins/ll-protocol.zeek create mode 100644 testing/btest/scripts/base/protocols/arp/linuxsll.test diff --git a/.gitignore b/.gitignore index d962c792a4..e0efa6d316 100644 --- a/.gitignore +++ b/.gitignore @@ -4,7 +4,7 @@ tmp # Configuration and build directories for CLion .idea -cmake-build-debug +cmake-build-* # skip DS Store for MacOS .DS_Store diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index 9def35753c..5fabc60a3e 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -5341,3 +5341,30 @@ event net_done(t: time) # execution would be another idea. @if ( __init_primary_bifs() ) @endif + +module LLAnalyzer; + +# Defines a mapping for the LLAnalyzer's configuration tree. This +# maps from a parent analyzer to a child analyzer through a numeric +# identifier. +export { + type ConfigEntry : record { + # The parent analyzer. This analyzer will check for the *identifier* in the + # packet data to know whether to call the next analyzer. This field is optional. + # If it is not included, the identifier will attach to the "root" analyzer. This + # means that the identifier will be searched for the initial packet header instead + # of later headers. + parent : LLAnalyzer::Tag &optional; + + # A numeric identifier that can be found in the packet data that denotes an + # analyzer should be called. + identifier : count; + + # The analyzer that corresponds to the above identifier. + analyzer : LLAnalyzer::Tag; + }; + + const config_map : vector of LLAnalyzer::ConfigEntry &redef; +} + +@load base/llprotocols diff --git a/scripts/base/llprotocols/__load__.zeek b/scripts/base/llprotocols/__load__.zeek new file mode 100644 index 0000000000..a6d256338b --- /dev/null 
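Review bot: `config_map` says nothing about what happens when two `ConfigEntry` values share the same `parent` and `identifier`, yet it is a `&redef` vector that every `llprotocols/*` script appends to, so a later script can silently re-bind an already registered key (e.g. 0x0800 under `LLANALYZER_ETHERNET`); whether the first or last entry wins, or whether it is an error, should be stated on the field. I'd add above `const config_map`: `## Dispatch tree for lower-layer analyzers, keyed by (parent, identifier). Registering the same parent/identifier pair twice is a configuration error — TODO confirm against Manager.cc, which is not in this hunk.` The field comments on `ConfigEntry` use plain `#`, whereas the `##` form used in the null script is what lets Zeekygen document an exported record; if this type is meant to appear in the generated docs, the three field comments should use `##`.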
+++ b/scripts/base/llprotocols/__load__.zeek @@ -0,0 +1,11 @@ +@load base/llprotocols/default +@load base/llprotocols/ethernet +@load base/llprotocols/fddi +@load base/llprotocols/ieee802_11 +@load base/llprotocols/ieee802_11_radio +@load base/llprotocols/linux_sll +@load base/llprotocols/nflog +@load base/llprotocols/null +@load base/llprotocols/ppp_serial +@load base/llprotocols/pppoe +@load base/llprotocols/vlan diff --git a/scripts/base/llprotocols/default/__load__.zeek b/scripts/base/llprotocols/default/__load__.zeek new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/llprotocols/default/__load__.zeek @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/scripts/base/llprotocols/default/main.zeek b/scripts/base/llprotocols/default/main.zeek new file mode 100644 index 0000000000..caf50e6378 --- /dev/null +++ b/scripts/base/llprotocols/default/main.zeek @@ -0,0 +1,6 @@ +module LL_DEFAULT; + +redef LLAnalyzer::config_map += { + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_DEFAULTANALYZER, $identifier=4, $analyzer=LLAnalyzer::LLANALYZER_IPV4), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_DEFAULTANALYZER, $identifier=6, $analyzer=LLAnalyzer::LLANALYZER_IPV6) +}; diff --git a/scripts/base/llprotocols/ethernet/__load__.zeek b/scripts/base/llprotocols/ethernet/__load__.zeek new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/llprotocols/ethernet/__load__.zeek @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/scripts/base/llprotocols/ethernet/main.zeek b/scripts/base/llprotocols/ethernet/main.zeek new file mode 100644 index 0000000000..1227b2fb83 --- /dev/null +++ b/scripts/base/llprotocols/ethernet/main.zeek 
@@ -0,0 +1,16 @@ +module LL_ETHERNET; + +const DLT_EN10MB : count = 1; + +redef LLAnalyzer::config_map += { + LLAnalyzer::ConfigEntry($identifier=DLT_EN10MB, $analyzer=LLAnalyzer::LLANALYZER_ETHERNET), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_ETHERNET, $identifier=0x8847, $analyzer=LLAnalyzer::LLANALYZER_MPLS), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_ETHERNET, $identifier=0x0800, $analyzer=LLAnalyzer::LLANALYZER_IPV4), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_ETHERNET, $identifier=0x86DD, $analyzer=LLAnalyzer::LLANALYZER_IPV6), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_ETHERNET, $identifier=0x0806, $analyzer=LLAnalyzer::LLANALYZER_ARP), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_ETHERNET, $identifier=0x8035, $analyzer=LLAnalyzer::LLANALYZER_ARP), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_ETHERNET, $identifier=0x8100, $analyzer=LLAnalyzer::LLANALYZER_VLAN), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_ETHERNET, $identifier=0x88A8, $analyzer=LLAnalyzer::LLANALYZER_VLAN), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_ETHERNET, $identifier=0x9100, $analyzer=LLAnalyzer::LLANALYZER_VLAN), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_ETHERNET, $identifier=0x8864, $analyzer=LLAnalyzer::LLANALYZER_PPPOE) +}; diff --git a/scripts/base/llprotocols/fddi/__load__.zeek b/scripts/base/llprotocols/fddi/__load__.zeek new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/llprotocols/fddi/__load__.zeek @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/scripts/base/llprotocols/fddi/main.zeek b/scripts/base/llprotocols/fddi/main.zeek new file mode 100644 index 0000000000..68fd691d7f --- /dev/null +++ b/scripts/base/llprotocols/fddi/main.zeek 
@@ -0,0 +1,7 @@ +module LL_FDDI; + +const DLT_FDDI : count = 10; + +redef LLAnalyzer::config_map += { + LLAnalyzer::ConfigEntry($identifier=DLT_FDDI, $analyzer=LLAnalyzer::LLANALYZER_FDDI) +}; diff --git a/scripts/base/llprotocols/ieee802_11/__load__.zeek b/scripts/base/llprotocols/ieee802_11/__load__.zeek new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/llprotocols/ieee802_11/__load__.zeek @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/scripts/base/llprotocols/ieee802_11/main.zeek b/scripts/base/llprotocols/ieee802_11/main.zeek new file mode 100644 index 0000000000..070e3f9eff --- /dev/null +++ b/scripts/base/llprotocols/ieee802_11/main.zeek @@ -0,0 +1,11 @@ +module LL_IEEE802_11; + +const DLT_IEEE802_11 : count = 105; + +redef LLAnalyzer::config_map += { + LLAnalyzer::ConfigEntry($identifier=DLT_IEEE802_11, $analyzer=LLAnalyzer::LLANALYZER_IEEE802_11), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_IEEE802_11, $identifier=0x0800, $analyzer=LLAnalyzer::LLANALYZER_IPV4), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_IEEE802_11, $identifier=0x86DD, $analyzer=LLAnalyzer::LLANALYZER_IPV6), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_IEEE802_11, $identifier=0x0806, $analyzer=LLAnalyzer::LLANALYZER_ARP), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_IEEE802_11, $identifier=0x8035, $analyzer=LLAnalyzer::LLANALYZER_ARP) +}; diff --git a/scripts/base/llprotocols/ieee802_11_radio/__load__.zeek b/scripts/base/llprotocols/ieee802_11_radio/__load__.zeek new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/llprotocols/ieee802_11_radio/__load__.zeek @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/scripts/base/llprotocols/ieee802_11_radio/main.zeek b/scripts/base/llprotocols/ieee802_11_radio/main.zeek new file mode 100644 index 0000000000..0985b0e391 --- /dev/null +++ b/scripts/base/llprotocols/ieee802_11_radio/main.zeek 
@@ -0,0 +1,9 @@ +module LL_IEEE802_11_RADIO; + +const DLT_IEEE802_11_RADIO : count = 127; +const DLT_IEEE802_11 : count = 105; + +redef LLAnalyzer::config_map += { + LLAnalyzer::ConfigEntry($identifier=DLT_IEEE802_11_RADIO, $analyzer=LLAnalyzer::LLANALYZER_IEEE802_11_RADIO), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_IEEE802_11_RADIO, $identifier=DLT_IEEE802_11, $analyzer=LLAnalyzer::LLANALYZER_IEEE802_11) +}; diff --git a/scripts/base/llprotocols/linux_sll/__load__.zeek b/scripts/base/llprotocols/linux_sll/__load__.zeek new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/llprotocols/linux_sll/__load__.zeek @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/scripts/base/llprotocols/linux_sll/main.zeek b/scripts/base/llprotocols/linux_sll/main.zeek new file mode 100644 index 0000000000..601c5ae870 --- /dev/null +++ b/scripts/base/llprotocols/linux_sll/main.zeek @@ -0,0 +1,12 @@ +module LL_LINUX_SLL; + +const DLT_LINUX_SLL : count = 113; + +redef LLAnalyzer::config_map += { + LLAnalyzer::ConfigEntry($identifier=DLT_LINUX_SLL, $analyzer=LLAnalyzer::LLANALYZER_LINUXSLL), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_LINUXSLL, $identifier=0x0800, $analyzer=LLAnalyzer::LLANALYZER_IPV4), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_LINUXSLL, $identifier=0x86DD, $analyzer=LLAnalyzer::LLANALYZER_IPV6), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_LINUXSLL, $identifier=0x0806, $analyzer=LLAnalyzer::LLANALYZER_ARP), + # RARP + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_LINUXSLL, $identifier=0x8035, $analyzer=LLAnalyzer::LLANALYZER_ARP) +}; diff --git a/scripts/base/llprotocols/nflog/__load__.zeek b/scripts/base/llprotocols/nflog/__load__.zeek new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/llprotocols/nflog/__load__.zeek @@ -0,0 +1 @@ +@load ./main \ No newline at end of file 
diff --git a/scripts/base/llprotocols/nflog/main.zeek b/scripts/base/llprotocols/nflog/main.zeek new file mode 100644 index 0000000000..d62ccd20c5 --- /dev/null +++ b/scripts/base/llprotocols/nflog/main.zeek @@ -0,0 +1,11 @@ +module LL_NFLOG; + +const DLT_NFLOG : count = 239; +const AF_INET : count = 2; +const AF_INET6 : count = 10; + +redef LLAnalyzer::config_map += { + LLAnalyzer::ConfigEntry($identifier=DLT_NFLOG, $analyzer=LLAnalyzer::LLANALYZER_NFLOG), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_NFLOG, $identifier=AF_INET, $analyzer=LLAnalyzer::LLANALYZER_IPV4), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_NFLOG, $identifier=AF_INET6, $analyzer=LLAnalyzer::LLANALYZER_IPV6) +}; diff --git a/scripts/base/llprotocols/null/__load__.zeek b/scripts/base/llprotocols/null/__load__.zeek new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/llprotocols/null/__load__.zeek @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/scripts/base/llprotocols/null/main.zeek b/scripts/base/llprotocols/null/main.zeek new file mode 100644 index 0000000000..f70f40d0e2 --- /dev/null +++ b/scripts/base/llprotocols/null/main.zeek 
@@ -0,0 +1,19 @@
+module LL_NULL;
+
+const DLT_NULL : count = 0;
+const AF_INET : count = 2;
+const AF_INET6 : count = 10;
+
+redef LLAnalyzer::config_map += {
+ LLAnalyzer::ConfigEntry($identifier=DLT_NULL, $analyzer=LLAnalyzer::LLANALYZER_NULL),
+ LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_NULL, $identifier=AF_INET, $analyzer=LLAnalyzer::LLANALYZER_IPV4),
+
+ ## From the Wireshark Wiki: AF_INET6ANALYZER, unfortunately, has different values in
+ ## {NetBSD,OpenBSD,BSD/OS}, {FreeBSD,DragonFlyBSD}, and {Darwin/Mac OS X}, so an IPv6
+ ## packet might have a link-layer header with 24, 28, or 30 as the AF_ value. As we
+ ## may be reading traces captured on platforms other than what we're running on, we
+ ## accept them all here.
+ LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_NULL, $identifier=24, $analyzer=LLAnalyzer::LLANALYZER_IPV6),
+ LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_NULL, $identifier=28, $analyzer=LLAnalyzer::LLANALYZER_IPV6),
+ LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_NULL, $identifier=30, $analyzer=LLAnalyzer::LLANALYZER_IPV6)
+};
diff --git a/scripts/base/llprotocols/ppp_serial/__load__.zeek b/scripts/base/llprotocols/ppp_serial/__load__.zeek
new file mode 100644
index 0000000000..d551be57d3
--- /dev/null
+++ b/scripts/base/llprotocols/ppp_serial/__load__.zeek
@@ -0,0 +1 @@
+@load ./main
\ No newline at end of file
diff --git a/scripts/base/llprotocols/ppp_serial/main.zeek b/scripts/base/llprotocols/ppp_serial/main.zeek
new file mode 100644
index 0000000000..cb873a773b
--- /dev/null
+++ b/scripts/base/llprotocols/ppp_serial/main.zeek 
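Review bot: The comment on the IPv6 entries names a symbol that does not exist, `AF_INET6ANALYZER`; the Wireshark text it paraphrases is about `AF_INET6`, so the first line should read `## From the Wireshark Wiki: AF_INET6, unfortunately, has different values in`. Relatedly, `const AF_INET6 : count = 10;` is declared but never referenced in this file — only 24, 28 and 30 are registered under `LLANALYZER_NULL` — so either drop it or, if Linux-produced DLT_NULL traces are expected, register it next to the three BSD values with a comment saying which platform each value comes from. Since these `##` lines sit inside a `redef` initializer rather than on a declaration, a plain `#` comment would carry the same information without looking like a Zeekygen doc comment.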
@@ -0,0 +1,10 @@ +module LL_PPP_SERIAL; + +const DLT_PPP_SERIAL : count = 50; + +redef LLAnalyzer::config_map += { + LLAnalyzer::ConfigEntry($identifier=DLT_PPP_SERIAL, $analyzer=LLAnalyzer::LLANALYZER_PPPSERIAL), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_PPPSERIAL, $identifier=0x0281, $analyzer=LLAnalyzer::LLANALYZER_MPLS), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_PPPSERIAL, $identifier=0x0021, $analyzer=LLAnalyzer::LLANALYZER_IPV4), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_PPPSERIAL, $identifier=0x0057, $analyzer=LLAnalyzer::LLANALYZER_IPV6) +}; diff --git a/scripts/base/llprotocols/pppoe/__load__.zeek b/scripts/base/llprotocols/pppoe/__load__.zeek new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/llprotocols/pppoe/__load__.zeek @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/scripts/base/llprotocols/pppoe/main.zeek b/scripts/base/llprotocols/pppoe/main.zeek new file mode 100644 index 0000000000..737658d826 --- /dev/null +++ b/scripts/base/llprotocols/pppoe/main.zeek @@ -0,0 +1,6 @@ +module LL_PPPOE; + +redef LLAnalyzer::config_map += { + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_PPPOE, $identifier=0x0021, $analyzer=LLAnalyzer::LLANALYZER_IPV4), + LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_PPPOE, $identifier=0x0057, $analyzer=LLAnalyzer::LLANALYZER_IPV6) +}; diff --git a/scripts/base/llprotocols/vlan/__load__.zeek b/scripts/base/llprotocols/vlan/__load__.zeek new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/llprotocols/vlan/__load__.zeek @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/scripts/base/llprotocols/vlan/main.zeek b/scripts/base/llprotocols/vlan/main.zeek new file mode 100644 index 0000000000..97e4cdcb09 --- /dev/null +++ b/scripts/base/llprotocols/vlan/main.zeek 
@@ -0,0 +1,11 @@
+module LL_VLAN;
+
+redef LLAnalyzer::config_map += {
+ LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_VLAN, $identifier=0x8847, $analyzer=LLAnalyzer::LLANALYZER_MPLS),
+ LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_VLAN, $identifier=0x0800, $analyzer=LLAnalyzer::LLANALYZER_IPV4),
+ LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_VLAN, $identifier=0x86DD, $analyzer=LLAnalyzer::LLANALYZER_IPV6),
+ LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_VLAN, $identifier=0x0806, $analyzer=LLAnalyzer::LLANALYZER_ARP),
+ LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_VLAN, $identifier=0x8035, $analyzer=LLAnalyzer::LLANALYZER_ARP),
+ LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_VLAN, $identifier=0x8100, $analyzer=LLAnalyzer::LLANALYZER_VLAN),
+ LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_VLAN, $identifier=0x8864, $analyzer=LLAnalyzer::LLANALYZER_PPPOE)
+};
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index eb94d4a728..9545236898 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -146,6 +146,7 @@ set(bro_PLUGIN_LIBS CACHE INTERNAL "plugin libraries" FORCE)
 set(bro_PLUGIN_DEPS CACHE INTERNAL "plugin dependencies" FORCE)
 add_subdirectory(analyzer)
+add_subdirectory(llanalyzer)
 add_subdirectory(broker)
 add_subdirectory(zeekygen)
 add_subdirectory(file_analysis)
diff --git a/src/Conn.h b/src/Conn.h
index ebd4087a9e..9be0afc8fe 100644
--- a/src/Conn.h
+++ b/src/Conn.h 
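Review bot: The entry `$parent=LLAnalyzer::LLANALYZER_VLAN, $identifier=0x8100, $analyzer=LLAnalyzer::LLANALYZER_VLAN` makes the VLAN analyzer its own child, so a frame with many back-to-back 802.1Q tags is followed to arbitrary depth, while the packet state this patch initialises (`vlan`, `inner_vlan` in Packet::Init and Conn.h) only records two tags. If the dispatcher descends this tree recursively — the dispatcher code is not in this hunk — an attacker-crafted frame costs one stack frame per 4-byte tag up to the snaplen, so the nesting depth should be capped in the analyzer or the self-reference documented as intentionally unbounded, e.g. `# 802.1Q-in-802.1Q: follow nested C-tags; depth is bounded only by cap_len.` Note also that 0x88A8 and 0x9100 are mapped to VLAN under Ethernet but not here, so an S-tag inside a C-tag is not followed although the reverse is; a one-line comment would make clear whether that asymmetry is deliberate.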
@@ -349,8 +349,8 @@ protected: TransportProto proto; uint32_t orig_flow_label, resp_flow_label; // most recent IPv6 flow labels uint32_t vlan, inner_vlan; // VLAN this connection traverses, if available - u_char orig_l2_addr[Packet::l2_addr_len]; // Link-layer originator address, if available - u_char resp_l2_addr[Packet::l2_addr_len]; // Link-layer responder address, if available + u_char orig_l2_addr[Packet::L2_ADDR_LEN]; // Link-layer originator address, if available + u_char resp_l2_addr[Packet::L2_ADDR_LEN]; // Link-layer responder address, if available double start_time, last_time; double inactivity_timeout; RecordValPtr conn_val; diff --git a/src/DebugLogger.cc b/src/DebugLogger.cc index 5a4a468847..497bae8230 100644 --- a/src/DebugLogger.cc +++ b/src/DebugLogger.cc @@ -19,18 +19,19 @@ DebugLogger::Stream DebugLogger::streams[NUM_DBGS] = { { "string", 0, false }, { "notifiers", 0, false }, { "main-loop", 0, false }, + { "llanalyzer", 0, false }, { "dpd", 0, false }, { "tm", 0, false }, { "logging", 0, false }, - {"input", 0, false }, + { "input", 0, false }, { "threading", 0, false }, { "file_analysis", 0, false }, { "plugins", 0, false }, { "zeekygen", 0, false }, { "pktio", 0, false }, { "broker", 0, false }, - { "scripts", 0, false}, - { "supervisor", 0, false} + { "scripts", 0, false }, + { "supervisor", 0, false } }; DebugLogger::DebugLogger() diff --git a/src/DebugLogger.h b/src/DebugLogger.h index 54257e1a6f..80ec926b1b 100644 --- a/src/DebugLogger.h +++ b/src/DebugLogger.h 
@@ -30,21 +30,22 @@ namespace zeek { // an entry to DebugLogger::streams in DebugLogger.cc. enum DebugStream { - DBG_SERIAL, // Serialization - DBG_RULES, // Signature matching - DBG_STRING, // String code + DBG_SERIAL, // Serialization + DBG_RULES, // Signature matching + DBG_STRING, // String code DBG_NOTIFIERS, // Notifiers DBG_MAINLOOP, // Main IOSource loop + DBG_LLANALYZER, // Low-Layer Analyzer Proof of Concept DBG_ANALYZER, // Analyzer framework - DBG_TM, // Time-machine packet input via Brocolli + DBG_TM, // Time-machine packet input via Brocolli DBG_LOGGING, // Logging streams - DBG_INPUT, // Input streams + DBG_INPUT, // Input streams DBG_THREADING, // Threading system DBG_FILE_ANALYSIS, // File analysis DBG_PLUGINS, // Plugin system DBG_ZEEKYGEN, // Zeekygen - DBG_PKTIO, // Packet sources and dumpers. - DBG_BROKER, // Broker communication + DBG_PKTIO, // Packet sources and dumpers. + DBG_BROKER, // Broker communication DBG_SCRIPTS, // Script initialization DBG_SUPERVISOR, // Process supervisor diff --git a/src/Sessions.cc b/src/Sessions.cc index afe817e2b5..1b375b0e09 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -188,7 +188,6 @@ void NetSessions::NextPacket(double t, const Packet* pkt) return; } - if ( dump_this_packet && ! zeek::detail::record_all_packets ) DumpPacket(pkt); } diff --git a/src/analyzer/protocol/arp/ARP.cc b/src/analyzer/protocol/arp/ARP.cc index f45e45b959..3da870ead4 100644 --- a/src/analyzer/protocol/arp/ARP.cc +++ b/src/analyzer/protocol/arp/ARP.cc @@ -100,8 +100,8 @@ void ARP_Analyzer::NextPacket(double t, const Packet* pkt) if ( ah->ar_hln != 6 ) { // don't know how to handle the opcode snprintf(errbuf, sizeof(errbuf), - "corrupt-arp-header (hrd=%i, hln=%i)", - ntohs(ah->ar_hrd), ah->ar_hln); + "corrupt-arp-header (hrd=%i, hln=%i)", + ntohs(ah->ar_hrd), ah->ar_hln); BadARP(ah, errbuf); return; } 
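Review bot: The new enumerator's comment, `DBG_LLANALYZER, // Low-Layer Analyzer Proof of Concept`, labels a debug stream that is being merged into the tree as a prototype; the wording will outlive the prototype and reads oddly next to the neutral descriptions of its neighbours. Suggest `DBG_LLANALYZER, // Lower-layer (link-layer) analyzer framework`. The insertion point (after `DBG_MAINLOOP`, before `DBG_ANALYZER`) matches where `"llanalyzer"` was inserted into the `streams` table in DebugLogger.cc, which is the only thing keeping the two in sync, as the comment `// an entry to DebugLogger::streams in DebugLogger.cc.` at the top of the hunk already warns; the rest of this hunk is whitespace realignment.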
@@ -110,7 +110,7 @@ void ARP_Analyzer::NextPacket(double t, const Packet* pkt) default: { // don't know how to proceed snprintf(errbuf, sizeof(errbuf), - "unknown-arp-hw-address (hrd=%i)", ntohs(ah->ar_hrd)); + "unknown-arp-hw-address (hrd=%i)", ntohs(ah->ar_hrd)); BadARP(ah, errbuf); return; } @@ -122,8 +122,8 @@ void ARP_Analyzer::NextPacket(double t, const Packet* pkt) if ( ah->ar_pln != 4 ) { // don't know how to handle the opcode snprintf(errbuf, sizeof(errbuf), - "corrupt-arp-header (pro=%i, pln=%i)", - ntohs(ah->ar_pro), ah->ar_pln); + "corrupt-arp-header (pro=%i, pln=%i)", + ntohs(ah->ar_pro), ah->ar_pln); BadARP(ah, errbuf); return; } @@ -132,8 +132,8 @@ void ARP_Analyzer::NextPacket(double t, const Packet* pkt) default: { // don't know how to proceed snprintf(errbuf, sizeof(errbuf), - "unknown-arp-proto-address (pro=%i)", - ntohs(ah->ar_pro)); + "unknown-arp-proto-address (pro=%i)", + ntohs(ah->ar_pro)); BadARP(ah, errbuf); return; } @@ -151,12 +151,12 @@ void ARP_Analyzer::NextPacket(double t, const Packet* pkt) switch ( ntohs(ah->ar_op) ) { case ARPOP_REQUEST: RREvent(arp_request, pkt->l2_src, pkt->l2_dst, - ar_spa(ah), ar_sha(ah), ar_tpa(ah), ar_tha(ah)); + ar_spa(ah), ar_sha(ah), ar_tpa(ah), ar_tha(ah)); break; case ARPOP_REPLY: RREvent(arp_reply, pkt->l2_src, pkt->l2_dst, - ar_spa(ah), ar_sha(ah), ar_tpa(ah), ar_tha(ah)); + ar_spa(ah), ar_sha(ah), ar_tpa(ah), ar_tha(ah)); break; case ARPOP_REVREQUEST: @@ -165,7 +165,7 @@ void ARP_Analyzer::NextPacket(double t, const Packet* pkt) case ARPOP_INVREPLY: { // don't know how to handle the opcode snprintf(errbuf, sizeof(errbuf), - "unimplemented-arp-opcode (%i)", ntohs(ah->ar_op)); + "unimplemented-arp-opcode (%i)", ntohs(ah->ar_op)); BadARP(ah, errbuf); break; } 
@@ -173,7 +173,7 @@ void ARP_Analyzer::NextPacket(double t, const Packet* pkt) default: { // invalid opcode snprintf(errbuf, sizeof(errbuf), - "invalid-arp-opcode (opcode=%i)", ntohs(ah->ar_op)); + "invalid-arp-opcode (opcode=%i)", ntohs(ah->ar_op)); BadARP(ah, errbuf); return; } @@ -237,7 +237,7 @@ StringValPtr ARP_Analyzer::ToEthAddrStr(const u_char* addr) { char buf[1024]; snprintf(buf, sizeof(buf), "%02x:%02x:%02x:%02x:%02x:%02x", - addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]); + addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]); return make_intrusive(buf); } diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index c7bbb87412..ae074bb9da 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -3,6 +3,7 @@ #include "Desc.h" #include "IP.h" #include "iosource/Manager.h" +#include "llanalyzer/Manager.h" #include "Var.h" extern "C" { @@ -45,7 +46,7 @@ void Packet::Init(int arg_link_type, pkt_timeval *arg_ts, uint32_t arg_caplen, data = arg_data; time = ts.tv_sec + double(ts.tv_usec) / 1e6; - hdr_size = GetLinkHeaderSize(arg_link_type); + hdr_size = 0; eth_type = 0; vlan = 0; inner_vlan = 0; @@ -58,14 +59,18 @@ void Packet::Init(int arg_link_type, pkt_timeval *arg_ts, uint32_t arg_caplen, l3_proto = L3_UNKNOWN; l3_checksummed = false; - if ( data && cap_len < hdr_size ) - { - Weird("truncated_link_header"); - return; - } + // For ll-analyzer: cur_pos points to the next payload. + cur_pos = data; if ( data ) - ProcessLayer2(); + { + // From here we assume that layer 2 is valid. If an ll-analyzer encounters + // an issue, it will call Packet::Weird(), which sets l2_valid to false. + l2_valid = true; + llanalyzer_mgr->ProcessPacket(this); + // Calculate header size after processing lower layers. + hdr_size = cur_pos - data; + } } const IP_Hdr Packet::IP() const 
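Review bot: The removed `cap_len < hdr_size` guard has no replacement, so after `llanalyzer_mgr->ProcessPacket(this)` nothing verifies that `cur_pos` still lies inside the captured bytes before `hdr_size = cur_pos - data` is stored; an analyzer that advances `cur_pos` without comparing against `GetEndOfData()` leaves an `hdr_size` larger than `cap_len`, and a later `IP()` on this packet would read past the buffer. A single check before the assignment, `if ( cur_pos > GetEndOfData() ) { Weird("truncated_link_header"); return; }`, keeps that invariant in one place instead of relying on every analyzer to get it right. The subtraction also yields a `ptrdiff_t` that is converted into `hdr_size` implicitly; a `static_cast<uint32_t>` would make the narrowing visible. The body of `Packet::Init` starts before this hunk.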
@@ -79,521 +84,12 @@ void Packet::Weird(const char* name) l2_valid = false; } -int Packet::GetLinkHeaderSize(int link_type) +const u_char* const Packet::GetEndOfData() const { - switch ( link_type ) { - case DLT_NULL: - return 4; - - case DLT_EN10MB: - return 14; - - case DLT_FDDI: - return 13 + 8; // fddi_header + LLC - -#ifdef DLT_LINUX_SLL - case DLT_LINUX_SLL: - return 16; -#endif - - case DLT_PPP_SERIAL: // PPP_SERIAL - return 4; - - case DLT_IEEE802_11: // 802.11 monitor - return 34; - - case DLT_IEEE802_11_RADIO: // 802.11 plus RadioTap - return 59; - - case DLT_NFLOG: - // Linux netlink NETLINK NFLOG socket log messages - // The actual header size is variable, but we return the minimum - // expected size here, which is 4 bytes for the main header plus at - // least 2 bytes each for the type and length values assoicated with - // the final TLV carrying the packet payload. - return 8; - - case DLT_RAW: - return 0; + return data + cap_len; } - return -1; - } - -void Packet::ProcessLayer2() - { - l2_valid = true; - - // Unfortunately some packets on the link might have MPLS labels - // while others don't. That means we need to ask the link-layer if - // labels are in place. - bool have_mpls = false; - - const u_char* pdata = data; - const u_char* end_of_data = data + cap_len; - - switch ( link_type ) { - case DLT_NULL: - { - int protocol = (pdata[3] << 24) + (pdata[2] << 16) + (pdata[1] << 8) + pdata[0]; - pdata += GetLinkHeaderSize(link_type); - - // From the Wireshark Wiki: "AF_INET6, unfortunately, has - // different values in {NetBSD,OpenBSD,BSD/OS}, - // {FreeBSD,DragonFlyBSD}, and {Darwin/Mac OS X}, so an IPv6 - // packet might have a link-layer header with 24, 28, or 30 - // as the AF_ value." As we may be reading traces captured on - // platforms other than what we're running on, we accept them - // all here. 
- - if ( protocol == AF_INET ) - l3_proto = L3_IPV4; - else if ( protocol == 24 || protocol == 28 || protocol == 30 ) - l3_proto = L3_IPV6; - else - { - Weird("non_ip_packet_in_null_transport"); - return; - } - - break; - } - - case DLT_EN10MB: - { - // Skip past Cisco FabricPath to encapsulated ethernet frame. - if ( pdata[12] == 0x89 && pdata[13] == 0x03 ) - { - auto constexpr cfplen = 16; - - if ( pdata + cfplen + GetLinkHeaderSize(link_type) >= end_of_data ) - { - Weird("truncated_link_header_cfp"); - return; - } - - pdata += cfplen; - } - - // Get protocol being carried from the ethernet frame. - int protocol = (pdata[12] << 8) + pdata[13]; - - eth_type = protocol; - l2_dst = pdata; - l2_src = pdata + 6; - - pdata += GetLinkHeaderSize(link_type); - - bool saw_vlan = false; - - while ( protocol == 0x8100 || protocol == 0x9100 || - protocol == 0x8864 ) - { - switch ( protocol ) - { - // VLAN carried over the ethernet frame. - // 802.1q / 802.1ad - case 0x8100: - case 0x9100: - { - if ( pdata + 4 >= end_of_data ) - { - Weird("truncated_link_header"); - return; - } - - auto& vlan_ref = saw_vlan ? inner_vlan : vlan; - vlan_ref = ((pdata[0] << 8) + pdata[1]) & 0xfff; - protocol = ((pdata[2] << 8) + pdata[3]); - pdata += 4; // Skip the vlan header - saw_vlan = true; - eth_type = protocol; - } - break; - - // PPPoE carried over the ethernet frame. - case 0x8864: - { - if ( pdata + 8 >= end_of_data ) - { - Weird("truncated_link_header"); - return; - } - - protocol = (pdata[6] << 8) + pdata[7]; - pdata += 8; // Skip the PPPoE session and PPP header - - if ( protocol == 0x0021 ) - l3_proto = L3_IPV4; - else if ( protocol == 0x0057 ) - l3_proto = L3_IPV6; - else - { - // Neither IPv4 nor IPv6. - Weird("non_ip_packet_in_pppoe_encapsulation"); - return; - } - } - break; - } - } - - // Check for MPLS in VLAN. - if ( protocol == 0x8847 ) - have_mpls = true; - - // Normal path to determine Layer 3 protocol. - if ( ! 
have_mpls && l3_proto == L3_UNKNOWN ) - { - if ( protocol == 0x800 ) - l3_proto = L3_IPV4; - else if ( protocol == 0x86dd ) - l3_proto = L3_IPV6; - else if ( protocol == 0x0806 || protocol == 0x8035 ) - l3_proto = L3_ARP; - else - { - // Neither IPv4 nor IPv6. - Weird("non_ip_packet_in_ethernet"); - return; - } - } - - break; - } - - case DLT_PPP_SERIAL: - { - // Get PPP protocol. - int protocol = (pdata[2] << 8) + pdata[3]; - pdata += GetLinkHeaderSize(link_type); - - if ( protocol == 0x0281 ) - { - // MPLS Unicast. Remove the pdata link layer and - // denote a header size of zero before the IP header. - have_mpls = true; - } - else if ( protocol == 0x0021 ) - l3_proto = L3_IPV4; - else if ( protocol == 0x0057 ) - l3_proto = L3_IPV6; - else - { - // Neither IPv4 nor IPv6. - Weird("non_ip_packet_in_ppp_encapsulation"); - return; - } - break; - } - - case DLT_IEEE802_11_RADIO: - { - if ( pdata + 3 >= end_of_data ) - { - Weird("truncated_radiotap_header"); - return; - } - - // Skip over the RadioTap header - int rtheader_len = (pdata[3] << 8) + pdata[2]; - - if ( pdata + rtheader_len >= end_of_data ) - { - Weird("truncated_radiotap_header"); - return; - } - - pdata += rtheader_len; - // fallthrough - } - - case DLT_IEEE802_11: - { - u_char len_80211 = 24; // minimal length of data frames - - if ( pdata + len_80211 >= end_of_data ) - { - Weird("truncated_802_11_header"); - return; - } - - u_char fc_80211 = pdata[0]; // Frame Control field - - // Skip non-data frame types (management & control). - if ( ! ((fc_80211 >> 2) & 0x02) ) - return; - - // Skip subtypes without data. - if ( (fc_80211 >> 4) & 0x04 ) - return; - - // 'To DS' and 'From DS' flags set indicate use of the 4th - // address field. - if ( (pdata[1] & 0x03) == 0x03 ) - len_80211 += l2_addr_len; - - // Look for the QoS indicator bit. - if ( (fc_80211 >> 4) & 0x08 ) - { - // Skip in case of A-MSDU subframes indicated by QoS - // control field. 
- if ( pdata[len_80211] & 0x80) - return; - - len_80211 += 2; - } - - if ( pdata + len_80211 >= end_of_data ) - { - Weird("truncated_802_11_header"); - return; - } - - // Determine link-layer addresses based - // on 'To DS' and 'From DS' flags - switch ( pdata[1] & 0x03 ) { - case 0x00: - l2_src = pdata + 10; - l2_dst = pdata + 4; - break; - - case 0x01: - l2_src = pdata + 10; - l2_dst = pdata + 16; - break; - - case 0x02: - l2_src = pdata + 16; - l2_dst = pdata + 4; - break; - - case 0x03: - l2_src = pdata + 24; - l2_dst = pdata + 16; - break; - } - - // skip 802.11 data header - pdata += len_80211; - - if ( pdata + 8 >= end_of_data ) - { - Weird("truncated_802_11_header"); - return; - } - // Check that the DSAP and SSAP are both SNAP and that the control - // field indicates that this is an unnumbered frame. - // The organization code (24bits) needs to also be zero to - // indicate that this is encapsulated ethernet. - if ( pdata[0] == 0xAA && pdata[1] == 0xAA && pdata[2] == 0x03 && - pdata[3] == 0 && pdata[4] == 0 && pdata[5] == 0 ) - { - pdata += 6; - } - else - { - // If this is a logical link control frame without the - // possibility of having a protocol we care about, we'll - // just skip it for now. - return; - } - - int protocol = (pdata[0] << 8) + pdata[1]; - if ( protocol == 0x0800 ) - l3_proto = L3_IPV4; - else if ( protocol == 0x86DD ) - l3_proto = L3_IPV6; - else if ( protocol == 0x0806 || protocol == 0x8035 ) - l3_proto = L3_ARP; - else - { - Weird("non_ip_packet_in_ieee802_11"); - return; - } - pdata += 2; - - break; - } - - case DLT_NFLOG: - { - // See https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html - - uint8_t protocol = pdata[0]; - - if ( protocol == AF_INET ) - l3_proto = L3_IPV4; - else if ( protocol == AF_INET6 ) - l3_proto = L3_IPV6; - else - { - Weird("non_ip_in_nflog"); - return; - } - - uint8_t version = pdata[1]; - - if ( version != 0 ) - { - Weird("unknown_nflog_version"); - return; - } - - // Skip to TLVs. 
- pdata += 4; - - uint16_t tlv_len; - uint16_t tlv_type; - - while ( true ) - { - if ( pdata + 4 >= end_of_data ) - { - Weird("nflog_no_pcap_payload"); - return; - } - - // TLV Type and Length values are specified in host byte order - // (libpcap should have done any needed byteswapping already). - - tlv_len = *(reinterpret_cast(pdata)); - tlv_type = *(reinterpret_cast(pdata + 2)); - - auto constexpr nflog_type_payload = 9; - - if ( tlv_type == nflog_type_payload ) - { - // The raw packet payload follows this TLV. - pdata += 4; - break; - } - else - { - // The Length value includes the 4 octets for the Type and - // Length values, but TLVs are also implicitly padded to - // 32-bit alignments (that padding may not be included in - // the Length value). - - if ( tlv_len < 4 ) - { - Weird("nflog_bad_tlv_len"); - return; - } - else - { - auto rem = tlv_len % 4; - - if ( rem != 0 ) - tlv_len += 4 - rem; - } - - pdata += tlv_len; - } - } - - break; - } - - default: - { - // Assume we're pointing at IP. Just figure out which version. - pdata += GetLinkHeaderSize(link_type); - if ( pdata + sizeof(struct ip) >= end_of_data ) - { - Weird("truncated_link_header"); - return; - } - - const struct ip* ip = (const struct ip *)pdata; - - if ( ip->ip_v == 4 ) - l3_proto = L3_IPV4; - else if ( ip->ip_v == 6 ) - l3_proto = L3_IPV6; - else - { - // Neither IPv4 nor IPv6. - Weird("non_ip_packet"); - return; - } - - break; - } - } - - if ( have_mpls ) - { - // Skip the MPLS label stack. - bool end_of_stack = false; - - while ( ! 
end_of_stack ) - { - if ( pdata + 4 >= end_of_data ) - { - Weird("truncated_link_header"); - return; - } - - end_of_stack = *(pdata + 2) & 0x01; - pdata += 4; - } - - // We assume that what remains is IP - if ( pdata + sizeof(struct ip) >= end_of_data ) - { - Weird("no_ip_in_mpls_payload"); - return; - } - - const struct ip* ip = (const struct ip *)pdata; - - if ( ip->ip_v == 4 ) - l3_proto = L3_IPV4; - else if ( ip->ip_v == 6 ) - l3_proto = L3_IPV6; - else - { - // Neither IPv4 nor IPv6. - Weird("no_ip_in_mpls_payload"); - return; - } - } - - else if ( zeek::detail::encap_hdr_size ) - { - // Blanket encapsulation. We assume that what remains is IP. - if ( pdata + zeek::detail::encap_hdr_size + sizeof(struct ip) >= end_of_data ) - { - Weird("no_ip_left_after_encap"); - return; - } - - pdata += zeek::detail::encap_hdr_size; - - const struct ip* ip = (const struct ip *)pdata; - - if ( ip->ip_v == 4 ) - l3_proto = L3_IPV4; - else if ( ip->ip_v == 6 ) - l3_proto = L3_IPV6; - else - { - // Neither IPv4 nor IPv6. - Weird("no_ip_in_encap"); - return; - } - - } - - // We've now determined (a) L3_IPV4 vs (b) L3_IPV6 vs (c) L3_ARP vs - // (d) L3_UNKNOWN. - - // Calculate how much header we've used up. - hdr_size = (pdata - data); -} - -RecordValPtr Packet::ToRawPktHdrVal() const +IntrusivePtr Packet::ToRawPktHdrVal() const { static auto raw_pkt_hdr_type = id::find_type("raw_pkt_hdr"); static auto l2_hdr_type = id::find_type("l2_hdr"); 
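Review bot: `const u_char* const Packet::GetEndOfData() const` carries a top-level `const` on the returned pointer that has no effect and is flagged by `-Wignored-qualifiers`; the definition, and the matching declaration in the Packet.h hunk, should read `const u_char* GetEndOfData() const`. The deleted `ProcessLayer2` also covered MPLS label stacks (ethertype 0x8847, PPP protocol 0x0281) and the `zeek::detail::encap_hdr_size` blanket encapsulation with their own truncation weirds; nothing visible in this diff shows which llanalyzer takes over those paths, so a sentence in the commit message naming where they moved (or that they are intentionally dropped for now) would let a reviewer confirm coverage is not lost. `GetEndOfData` is complete within this hunk.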
@@ -685,10 +181,30 @@ ValPtr Packet::FmtEUI48(const u_char* mac) const void Packet::Describe(ODesc* d) const { - const IP_Hdr ip = IP(); - d->Add(ip.SrcAddr()); - d->Add("->"); - d->Add(ip.DstAddr()); + switch ( l3_proto ) + { + case L3_ARP: + d->Add("ARP"); + break; + case L3_IPV4: + d->Add("IPv4"); + break; + case L3_IPV6: + d->Add("IPv6"); + break; + default: + d->Add("Unknown L3 protocol"); + } + + // Add IP-specific information + if ( l3_proto == L3_IPV4 || l3_proto == L3_IPV6 ) + { + const IP_Hdr ip = IP(); + d->Add(": "); + d->Add(ip.SrcAddr()); + d->Add("->"); + d->Add(ip.DstAddr()); + } } } // namespace zeek diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h index 5ac6f1f876..648db8270a 100644 --- a/src/iosource/Packet.h +++ b/src/iosource/Packet.h @@ -127,7 +127,7 @@ public: /** * Interprets the Layer 3 of the packet as IP and returns a - * correspondign object. + * corresponding object. */ const IP_Hdr IP() const; @@ -141,14 +141,11 @@ public: RecordVal* BuildPktHdrVal() const; /** - * Static method returning the link-layer header size for a given - * link type. + * Returns the end of the captured data for bound checking. * - * @param link_type The link tyoe. - * - * @return The header size in bytes, or -1 if not known. + * @return End of the packet data. */ - static int GetLinkHeaderSize(int link_type); + const u_char* const GetEndOfData() const; /** * Describes the packet, with standard signature. @@ -158,7 +155,14 @@ public: /** * Maximal length of a layer 2 address. */ - static const int l2_addr_len = 6; + static const int L2_ADDR_LEN = 6; + + /** + * Empty layer 2 address to be used as default value. For example, the + * LinuxSLL llanalyzer doesn't have a destination address in the header + * and thus sets it to this default address. + */ + static constexpr const u_char L2_EMPTY_ADDR[L2_ADDR_LEN] = { 0 }; // These are passed in through the constructor. std::string tag; /// Used in serialization 
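Review bot: The new `switch ( l3_proto )` in `Packet::Describe` uses `default:` to label `L3_UNKNOWN`, which also silently absorbs any enum value added later; naming the case explicitly, `case L3_UNKNOWN: d->Add("Unknown L3 protocol"); break;`, lets `-Wswitch` point out new values that need a label. The IP branch still calls `IP()` whenever `l3_proto` is IPv4/IPv6; if an analyzer can set `l3_proto` and then hit `Weird()` (which clears `l2_valid`), guarding the branch with `l2_valid` as well would avoid describing a header the packet was never validated to contain. `Describe` is complete within this hunk.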
@@ -166,8 +170,9 @@ public: pkt_timeval ts; /// Capture timestamp const u_char* data; /// Packet data. uint32_t len; /// Actual length on wire - uint32_t cap_len; /// Captured packet length + uint32_t cap_len; /// Captured packet length uint32_t link_type; /// pcap link_type (DLT_EN10MB, DLT_RAW, etc) + const uint8_t* cur_pos; /// Pointer to the current start of unanalyzed payload data in the raw packet, used by llanalyzers // These are computed from Layer 2 data. These fields are only valid if // Layer2Valid() returns true. @@ -224,13 +229,10 @@ public: */ bool l3_checksummed; -private: - // Calculate layer 2 attributes. - void ProcessLayer2(); - - // Wrapper to generate a packet-level weird. + // Wrapper to generate a packet-level weird. Has to be public for llanalyzers to use it. void Weird(const char* name); +private: // Renders an MAC address into its ASCII representation. ValPtr FmtEUI48(const u_char* mac) const; diff --git a/src/iosource/PktDumper.cc b/src/iosource/PktDumper.cc index 87e4c6cae7..336b5f7777 100644 --- a/src/iosource/PktDumper.cc +++ b/src/iosource/PktDumper.cc @@ -53,11 +53,6 @@ const char* PktDumper::ErrorMsg() const return errmsg.size() ? errmsg.c_str() : nullptr; } -int PktDumper::HdrSize() const - { - return is_open ? props.hdr_size : -1; - } - void PktDumper::Opened(const Properties& arg_props) { is_open = true; diff --git a/src/iosource/PktDumper.h b/src/iosource/PktDumper.h index c279a704f0..5210a3c98f 100644 --- a/src/iosource/PktDumper.h +++ b/src/iosource/PktDumper.h @@ -50,11 +50,6 @@ public: */ const char* ErrorMsg() const; - /** - * Returns the size of the link-layer headers with this dumper. - */ - int HdrSize() const; - // PktDumper interface for derived classes to implement. /** @@ -97,7 +92,6 @@ protected: */ struct Properties { std::string path; - int hdr_size; double open_time; }; diff --git a/src/iosource/PktSrc.cc b/src/iosource/PktSrc.cc index c20e29d35c..519c6da81e 100644 --- a/src/iosource/PktSrc.cc 
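Review bot: `cur_pos` is declared `const uint8_t*` while `data` two lines above is `const u_char*`; the pointer subtraction in `Packet::Init` only compiles because the two typedefs happen to coincide, and mixing them here reads as if a different type were intended. Declaring it `const u_char* cur_pos;` and stating the invariant in the comment, `/// Start of the not-yet-analyzed payload; analyzers must keep data <= cur_pos <= data + cap_len`, documents the contract that every llanalyzer now has to uphold. Making `Weird()` public in the second hunk is consistent with that; its comment could also mention that calling it marks the packet's layer 2 invalid.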
+++ b/src/iosource/PktSrc.cc @@ -90,16 +90,6 @@ double PktSrc::CurrentPacketWallClock() void PktSrc::Opened(const Properties& arg_props) { - if ( Packet::GetLinkHeaderSize(arg_props.link_type) < 0 ) - { - char buf[512]; - snprintf(buf, sizeof(buf), - "unknown data link type 0x%x", arg_props.link_type); - Error(buf); - Close(); - return; - } - props = arg_props; SetClosed(false); diff --git a/src/iosource/pcap/Dumper.cc b/src/iosource/pcap/Dumper.cc index 78e3f97cf8..b7a47756ce 100644 --- a/src/iosource/pcap/Dumper.cc +++ b/src/iosource/pcap/Dumper.cc @@ -82,7 +82,6 @@ void PcapDumper::Open() } props.open_time = run_state::network_time; - props.hdr_size = Packet::GetLinkHeaderSize(pcap_datalink(pd)); Opened(props); } diff --git a/src/llanalyzer/Analyzer.cc b/src/llanalyzer/Analyzer.cc new file mode 100644 index 0000000000..ff5798070b --- /dev/null +++ b/src/llanalyzer/Analyzer.cc @@ -0,0 +1,47 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include +#include "Analyzer.h" + +namespace zeek::llanalyzer { + +Analyzer::Analyzer(std::string name) + { + Tag t = llanalyzer_mgr->GetComponentTag(name); + + if ( ! t ) + reporter->InternalError("unknown llanalyzer name %s", name.c_str()); + + Init(t); + } + +Analyzer::Analyzer(const Tag& tag) + { + Init(tag); + } + +/* PRIVATE */ +void Analyzer::Init(const Tag& _tag) + { + tag = _tag; + } + +const Tag Analyzer::GetAnalyzerTag() const + { + assert(tag); + return tag; + } + +const char* Analyzer::GetAnalyzerName() const + { + assert(tag); + return llanalyzer_mgr->GetComponentName(tag).c_str(); + } + +bool Analyzer::IsAnalyzer(const char* name) + { + assert(tag); + return llanalyzer_mgr->GetComponentName(tag).compare(name) == 0; + } + +} diff --git a/src/llanalyzer/Analyzer.h b/src/llanalyzer/Analyzer.h new file mode 100644 index 0000000000..06dd75e5d1 --- /dev/null +++ b/src/llanalyzer/Analyzer.h 
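Review bot: Removing the `GetLinkHeaderSize(...) < 0` check from `PktSrc::Opened` drops the only place an unsupported `link_type` was rejected up front; a source with an unknown DLT now opens normally and the problem surfaces, if at all, once per packet in whatever the llanalyzer root dispatcher does. An open-time check that the configured dispatcher has an entry for `arg_props.link_type`, reporting `"unknown data link type 0x%x"` and closing as before, would keep that failure loud and early; the manager call needed for that lookup is not visible in this diff. The rest of `Opened` continues outside the hunk.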
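Review bot: `Analyzer::GetAnalyzerName` returns `llanalyzer_mgr->GetComponentName(tag).c_str()`; if `GetComponentName` returns a `std::string` by value (its declaration is not in this diff), that pointer dangles as soon as the temporary dies at the end of the return statement. Returning `const std::string&` (or `std::string`), or caching the name in `Init()`, removes the hazard. `IsAnalyzer` reads only `tag` and can be declared `const` like `GetAnalyzerTag`. The first `#include` lost its header name in this rendering, so I cannot confirm `<cassert>` is included for the `assert` calls.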
@@ -0,0 +1,89 @@ +// See the file "COPYING" in the main distribution directory for copyright. +#pragma once + +#include "Defines.h" +#include "Manager.h" +#include "Tag.h" +#include + +namespace zeek::llanalyzer { + +/** + * Result of low layer analysis. + */ +enum class AnalyzerResult { + Failed, // Analysis failed + Continue, // Analysis succeded and an encapuslated protocol was determined + Terminate // Analysis succeded and there is no further analysis to do +}; + +using AnalysisResultTuple = std::tuple; + +class Analyzer { +public: + /** + * Constructor. + * + * @param name The name for the type of analyzer. The name must match + * the one the corresponding Component registers. + */ + explicit Analyzer(std::string name); + + /** + * Constructor. + * + * @param tag The tag for the type of analyzer. The tag must map to + * the name the corresponding Component registers. + */ + explicit Analyzer(const Tag& tag); + + /** + * Destructor. + */ + virtual ~Analyzer() = default; + + /** + * Returns the tag associated with the analyzer's type. + */ + const Tag GetAnalyzerTag() const; + + /** + * Returns a textual description of the analyzer's type. This is + * what's passed to the constructor and usally corresponds to the + * protocol name, e.g., "ARP". + */ + const char* GetAnalyzerName() const; + + /** + * Returns true if this analyzer's type matches the name passes in. + * This is shortcut for comparing GetAnalyzerName() with the given + * name. + * + * @param name The name to check. + */ + bool IsAnalyzer(const char* name); + + /** + * Analyzes the given packet. The analysis is supposed to start at cur_pos + * of the packet, which points to the so far unanalyzed part of the packet. + * If the analyzed protocol encapsulates another protocol, the packet's + * cur_pos should be updated to point to that payload. + * + * @param packet The packet to analyze. + * + * @return A tuple of analysis result and identifier. The result indicates + * how to proceed. 
If analysis can continue, the identifier determines the + * encapsulated protocol. + */ + virtual std::tuple Analyze(Packet* packet) = 0; + +protected: + friend class Manager; + +private: + Tag tag; + + void Init(const Tag& tag); +}; + +} // llanalyzer namespace end diff --git a/src/llanalyzer/AnalyzerSet.h b/src/llanalyzer/AnalyzerSet.h new file mode 100644 index 0000000000..de71fb7dda --- /dev/null +++ b/src/llanalyzer/AnalyzerSet.h @@ -0,0 +1,24 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#pragma once + +#include "Analyzer.h" +#include "Defines.h" + +namespace zeek::llanalyzer { + +class Analyzer; + +class AnalyzerSet { +public: + virtual ~AnalyzerSet() = default; + virtual Analyzer* Dispatch(identifier_t identifier) = 0; + virtual void Reset() = 0; + +protected: + friend class Manager; + + virtual void DumpDebug() const = 0; +}; + +} diff --git a/src/llanalyzer/CMakeLists.txt b/src/llanalyzer/CMakeLists.txt new file mode 100644 index 0000000000..6a5fa16708 --- /dev/null +++ b/src/llanalyzer/CMakeLists.txt @@ -0,0 +1,21 @@ +include(ZeekSubdir) + +include_directories(BEFORE + ${CMAKE_CURRENT_SOURCE_DIR} + ${CMAKE_CURRENT_BINARY_DIR} +) + +add_subdirectory(protocol) +add_subdirectory(dispatchers) + +set(llanalyzer_SRCS + Analyzer.cc + ProtocolAnalyzerSet.cc + Manager.cc + Component.cc + Tag.cc + Config.cc +) + +bro_add_subdir_library(llanalyzer ${llanalyzer_SRCS}) +add_dependencies(bro_llanalyzer generate_outputs) diff --git a/src/llanalyzer/Component.cc b/src/llanalyzer/Component.cc new file mode 100644 index 0000000000..a5991cbf2b --- /dev/null +++ b/src/llanalyzer/Component.cc 
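Review bot: The `Analyze()` docstring should state the bounds obligation that the deleted `ProcessLayer2` enforced centrally, since each analyzer now owns it: add `* Implementations must bound every read by packet->GetEndOfData() and must call packet->Weird() rather than advance cur_pos past it.` The comments also carry typos: `succeded` → `succeeded`, `encapuslated` → `encapsulated`, `usally` → `usually`, `passes in` → `passed in`. `friend class Manager;` sits under `protected:`, where the access label has no effect on a friend declaration; placing it with the private members avoids suggesting otherwise. `AnalysisResultTuple` is declared but `Analyze` appears to spell the tuple type out instead (template arguments are not visible in this rendering), so one of the two is redundant.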
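Review bot: `AnalyzerSet.h` forward-declares `class Analyzer;` immediately after including `Analyzer.h`, which already defines it; one of the two is redundant, and if the header is meant to stay lightweight the include is the one to drop. `Dispatch` returns a raw `Analyzer*` with no statement of ownership or lifetime; a comment such as `// Returned analyzer is owned by the set and valid until Reset() or destruction` would settle that for implementers.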
@@ -0,0 +1,33 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "Component.h" +#include "Desc.h" +#include "Manager.h" + +using namespace zeek::llanalyzer; + +Component::Component(const std::string& name, factory_callback arg_factory, Tag::subtype_t arg_subtype, bool arg_enabled) + : plugin::Component(plugin::component::LLANALYZER, name), + plugin::TaggedComponent(arg_subtype) + { + factory = arg_factory; + enabled = arg_enabled; + } + +void Component::Initialize() + { + InitializeTag(); + llanalyzer_mgr->RegisterComponent(this, "LLANALYZER_"); + } + +void Component::DoDescribe(ODesc* d) const + { + if ( factory ) + { + d->Add("LLANALYZER_"); + d->Add(CanonicalName()); + d->Add(", "); + } + + d->Add(enabled ? "enabled" : "disabled"); + } diff --git a/src/llanalyzer/Component.h b/src/llanalyzer/Component.h new file mode 100644 index 0000000000..5d9ed0c6f3 --- /dev/null +++ b/src/llanalyzer/Component.h 
@@ -0,0 +1,61 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#pragma once + +#include "zeek-config.h" +#include "util.h" +#include "Tag.h" + +#include "plugin/Component.h" +#include "plugin/TaggedComponent.h" + +namespace zeek::llanalyzer { + +class Analyzer; + +class Component : public plugin::Component, + public plugin::TaggedComponent { +public: + typedef Analyzer* (*factory_callback)(); + + Component(const std::string& name, factory_callback factory, Tag::subtype_t subtype = 0, bool enabled = true); + ~Component() override = default; + + /** + * Initialization function. This function has to be called before any + * plugin component functionality is used; it is used to add the + * plugin component to the list of components and to initialize tags + */ + void Initialize() override; + + /** + * Returns the analyzer's factory function. + */ + factory_callback Factory() const { return factory; } + + /** + * Returns true if the analyzer is currently enabled and hence + * available for use. + */ + bool Enabled() const { return enabled; } + + /** + * Enables or disables this analyzer. + * + * @param arg_enabled True to enabled, false to disable. + * + */ + void SetEnabled(bool arg_enabled) { enabled = arg_enabled; } + +protected: + /** + * Overriden from plugin::Component. + */ + void DoDescribe(ODesc* d) const override; + +private: + factory_callback factory; // The analyzer's factory callback. + bool enabled; // True if the analyzer is enabled. +}; + +} diff --git a/src/llanalyzer/Config.cc b/src/llanalyzer/Config.cc new file mode 100644 index 0000000000..1c068d27c2 --- /dev/null +++ b/src/llanalyzer/Config.cc 
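Review bot: Two comment typos in `Component.h`: `Overriden from plugin::Component.` → `Overridden from plugin::Component.` and `@param arg_enabled True to enabled, false to disable.` → `@param arg_enabled True to enable, false to disable.`. The callback type is introduced with `typedef`; the rest of the new llanalyzer code uses `using`, so `using factory_callback = Analyzer* (*)();` would match. The `factory` member is never checked for null in `Factory()`, which is fine here because `Manager::InstantiateAnalyzer` checks it before calling, but a one-line comment saying so on the getter would save the next reader the lookup.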
@@ -0,0 +1,87 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "Config.h" +#include "Reporter.h" +#include "DebugLogger.h" + +namespace zeek::llanalyzer { + +// ############################## +// ####### DispatcherConfig ##### +// ############################## +const std::string& DispatcherConfig::GetName() const + { + return name; + } + +const std::map& DispatcherConfig::GetMappings() const + { + return mappings; + } + +void DispatcherConfig::AddMapping(identifier_t identifier, + const std::string& analyzer_name) + { + DBG_LOG(DBG_LLANALYZER, "Adding configuration mapping: %s -> %#x -> %s", + name.c_str(), identifier, analyzer_name.c_str()); + + if ( mappings.count(identifier) ) + reporter->InternalError("Invalid config, identifier %#x already exists " + "for dispatcher set %s.", + identifier, name.c_str()); + + mappings.emplace(identifier, analyzer_name); + } + +bool DispatcherConfig::operator==(const DispatcherConfig& rhs) const + { + return name == rhs.name; + } + +bool DispatcherConfig::operator!=(const DispatcherConfig& rhs) const + { + return ! (rhs == *this); + } + +// ############################## +// ########### Config ########### +// ############################## +std::optional> +Config::GetDispatcherConfig(const std::string& name) + { + auto it = std::find_if( + dispatchers.begin(), dispatchers.end(), + [&](const DispatcherConfig& conf) { + return conf.GetName() == name; + }); + + if ( it == dispatchers.end() ) + return {}; + else + return {std::ref(*it)}; + } + +const std::vector& Config::GetDispatchers() const + { + return dispatchers; + } + +DispatcherConfig& Config::AddDispatcherConfig(const std::string& name) + { + return dispatchers.emplace_back(name); + } + +void Config::AddMapping(const std::string& name, identifier_t identifier, + const std::string& analyzer_name) + { + // Create dispatcher config if it does not exist yet + std::optional> dispatch_config = + GetDispatcherConfig(name); + + if ( ! 
dispatch_config ) + AddDispatcherConfig(name).AddMapping(identifier, analyzer_name); + else + dispatch_config->get().AddMapping(identifier, analyzer_name); + } + +} // namespace llanalyzer diff --git a/src/llanalyzer/Config.h b/src/llanalyzer/Config.h new file mode 100644 index 0000000000..0ce9837174 --- /dev/null +++ b/src/llanalyzer/Config.h @@ -0,0 +1,44 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#pragma once + +#include +#include +#include +#include +#include + +#include "Defines.h" + +namespace zeek::llanalyzer { + +class DispatcherConfig { +public: + explicit DispatcherConfig(const std::string name) : name(std::move(name)) { } + + const std::string& GetName() const; + const std::map& GetMappings() const; + + void AddMapping(identifier_t identifier, const std::string& analyzer_name); + + bool operator==(const DispatcherConfig& rhs) const; + bool operator!=(const DispatcherConfig& rhs) const; + +private: + const std::string name; + std::map mappings; +}; + +class Config { + +public: + const std::vector& GetDispatchers() const; + std::optional> GetDispatcherConfig(const std::string& name); + DispatcherConfig& AddDispatcherConfig(const std::string& name); + void AddMapping(const std::string& name, identifier_t identifier, const std::string& analyzer_name); + +private: + std::vector dispatchers; +}; + +} diff --git a/src/llanalyzer/Defines.h b/src/llanalyzer/Defines.h new file mode 100644 index 0000000000..307af09e3a --- /dev/null +++ b/src/llanalyzer/Defines.h @@ -0,0 +1,11 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#pragma once + +#include + +namespace zeek::llanalyzer { + + using identifier_t = uint32_t; + +} diff --git a/src/llanalyzer/Manager.cc b/src/llanalyzer/Manager.cc new file mode 100644 index 0000000000..0aa8e7f138 --- /dev/null +++ b/src/llanalyzer/Manager.cc 
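Review bot: `DispatcherConfig::AddMapping` reports a duplicate identifier with `reporter->InternalError`, but the mappings come from the script-level `LLAnalyzer::config_map` (see the Manager.cc hunk), so a user misconfiguration is surfaced as an internal bug and aborts the process; a `reporter->FatalError` (or `Error` plus skipping the entry) with the same message fits that source better. `Config::GetDispatcherConfig` hands out a `reference_wrapper` into `dispatchers`, and `AddDispatcherConfig` calls `emplace_back` on that vector, so any reference a caller holds across an add is invalidated; `Config::AddMapping` itself is safe because it uses the reference only on the no-add branch, but the header should say so. `std::find_if` is used here and the includes are not visible in this rendering, so confirm `<algorithm>` is pulled in.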
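Review bot: `explicit DispatcherConfig(const std::string name) : name(std::move(name))` moves from a `const` parameter, which silently degrades to a copy; drop the qualifier, `explicit DispatcherConfig(std::string name) : name(std::move(name)) { }`. The `const std::string name` member also makes `DispatcherConfig` non-assignable, which `std::vector` tolerates for `emplace_back` but not for `erase`, `insert` in the middle, or assignment; if those are never needed a short comment on the member saying the name is immutable by design would prevent a later surprise.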
@@ -0,0 +1,285 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include +#include + +#include "Config.h" +#include "Manager.h" +#include "NetVar.h" +#include "ProtocolAnalyzerSet.h" +#include "plugin/Manager.h" + +using namespace zeek::llanalyzer; + +Manager::Manager() + : plugin::ComponentManager("LLAnalyzer", "Tag") + { + } + +Manager::~Manager() + { + delete analyzer_set; + } + +void Manager::InitPostScript() + { + auto llanalyzer_mapping = zeek::id::find("LLAnalyzer::config_map"); + if ( ! llanalyzer_mapping ) + return; + + auto mapping_val = llanalyzer_mapping->GetVal()->AsVectorVal(); + if ( mapping_val->Size() == 0 ) + return; + + Config configuration; + for (unsigned int i = 0; i < mapping_val->Size(); i++) + { + auto* rv = mapping_val->At(i)->AsRecordVal(); + auto parent = rv->GetField("parent"); + std::string parent_name = parent ? Lookup(parent->AsEnumVal())->Name() : "ROOT"; + auto identifier = rv->GetField("identifier")->AsCount(); + auto analyzer = rv->GetField("analyzer")->AsEnumVal(); + + configuration.AddMapping(parent_name, identifier, Lookup(analyzer)->Name()); + } + + analyzer_set = new ProtocolAnalyzerSet(configuration, "DefaultAnalyzer"); + } + +void Manager::Done() + { + } + +void Manager::DumpDebug() + { +#ifdef DEBUG + DBG_LOG(DBG_LLANALYZER, "Available llanalyzers after zeek_init():"); + for ( auto& current : GetComponents() ) + { + DBG_LOG(DBG_LLANALYZER, " %s (%s)", current->Name().c_str(), IsEnabled(current->Tag()) ? "enabled" : "disabled"); + } + + // Dump Analyzer Set + if (analyzer_set) + analyzer_set->DumpDebug(); +#endif + } + +bool Manager::EnableAnalyzer(const Tag& tag) + { + Component* p = Lookup(tag); + + if ( ! p ) + return false; + + DBG_LOG(DBG_LLANALYZER, "Enabling analyzer %s", p->Name().c_str()); + p->SetEnabled(true); + + return true; + } + +bool Manager::EnableAnalyzer(EnumVal* val) + { + Component* p = Lookup(val); + + if ( ! 
p ) + return false; + + DBG_LOG(DBG_LLANALYZER, "Enabling analyzer %s", p->Name().c_str()); + p->SetEnabled(true); + + return true; + } + +bool Manager::DisableAnalyzer(const Tag& tag) + { + Component* p = Lookup(tag); + + if ( ! p ) + return false; + + DBG_LOG(DBG_LLANALYZER, "Disabling analyzer %s", p->Name().c_str()); + p->SetEnabled(false); + + return true; + } + +bool Manager::DisableAnalyzer(EnumVal* val) + { + Component* p = Lookup(val); + + if ( ! p ) + return false; + + DBG_LOG(DBG_LLANALYZER, "Disabling analyzer %s", p->Name().c_str()); + p->SetEnabled(false); + + return true; + } + +void Manager::DisableAllAnalyzers() + { + DBG_LOG(DBG_LLANALYZER, "Disabling all analyzers"); + + std::list all_analyzers = GetComponents(); + for ( const auto& analyzer : all_analyzers ) + analyzer->SetEnabled(false); + } + +zeek::llanalyzer::Tag Manager::GetAnalyzerTag(const char* name) + { + return GetComponentTag(name); + } + +bool Manager::IsEnabled(Tag tag) + { + if ( ! tag ) + return false; + + Component* p = Lookup(tag); + + if ( ! p ) + return false; + + return p->Enabled(); + } + +bool Manager::IsEnabled(EnumVal* val) + { + Component* p = Lookup(val); + + if ( ! p ) + return false; + + return p->Enabled(); + } + +Analyzer* Manager::InstantiateAnalyzer(const Tag& tag) + { + Component* c = Lookup(tag); + + if ( ! c ) + { + reporter->InternalWarning("request to instantiate unknown llanalyzer"); + return nullptr; + } + + if ( ! c->Enabled() ) + return nullptr; + + if ( ! c->Factory() ) + { + reporter->InternalWarning("analyzer %s cannot be instantiated dynamically", GetComponentName(tag).c_str()); + return nullptr; + } + + Analyzer* a = c->Factory()(); + + if ( ! a ) + { + reporter->InternalWarning("analyzer instantiation failed"); + return nullptr; + } + + if ( tag != a->GetAnalyzerTag() ) + { + reporter->InternalError("Mismatch of requested analyzer %s and instantiated analyzer %s. 
This usually means that the plugin author made a mistake.", + GetComponentName(tag).c_str(), GetComponentName(a->GetAnalyzerTag()).c_str()); + return nullptr; + } + + return a; + } + +Analyzer* Manager::InstantiateAnalyzer(const std::string& name) + { + Tag tag = GetComponentTag(name); + return tag ? InstantiateAnalyzer(tag) : nullptr; + } + +void Manager::ProcessPacket(Packet* packet) + { +#ifdef DEBUG + static size_t counter = 0; + DBG_LOG(DBG_LLANALYZER, "Analyzing packet %ld, ts=%.3f...", ++counter, packet->time); +#endif + + if ( ! analyzer_set ) + return; + + // Dispatch and analyze layers + AnalyzerResult result = AnalyzerResult::Continue; + identifier_t next_layer_id = packet->link_type; + do + { + auto current_analyzer = analyzer_set->Dispatch(next_layer_id); + + // Analyzer not found + if ( current_analyzer == nullptr ) + { + DBG_LOG(DBG_LLANALYZER, "Could not find analyzer for identifier %#x", next_layer_id); + packet->Weird("no_suitable_analyzer_found"); + break; + } + + // Analyze this layer and get identifier of next layer protocol + std::tie(result, next_layer_id) = current_analyzer->Analyze(packet); + +#ifdef DEBUG + switch ( result ) + { + case AnalyzerResult::Continue: + DBG_LOG(DBG_LLANALYZER, "Analysis in %s succeeded, next layer identifier is %#x.", + current_analyzer->GetAnalyzerName(), next_layer_id); + break; + case AnalyzerResult::Terminate: + DBG_LOG(DBG_LLANALYZER, "Done, last found layer identifier was %#x.", next_layer_id); + break; + case AnalyzerResult::Failed: + DBG_LOG(DBG_LLANALYZER, "Analysis failed in %s", current_analyzer->GetAnalyzerName()); + } +#endif + + } while ( result == AnalyzerResult::Continue ); + + if ( result == AnalyzerResult::Terminate ) + CustomEncapsulationSkip(packet); + + // Processing finished, reset analyzer set state for next packet + analyzer_set->Reset(); + } + +void Manager::CustomEncapsulationSkip(Packet* packet) + { + if ( zeek::detail::encap_hdr_size > 0 ) + { + auto pdata = packet->cur_pos; + + // 
Blanket encapsulation. We assume that what remains is IP. + if ( pdata + zeek::detail::encap_hdr_size + sizeof(struct ip) >= packet->GetEndOfData() ) + { + packet->Weird("no_ip_left_after_encap"); + return; + } + + pdata += zeek::detail::encap_hdr_size; + + auto ip = (const struct ip*)pdata; + + switch ( ip->ip_v ) + { + case 4: + packet->l3_proto = L3_IPV4; + break; + case 6: + packet->l3_proto = L3_IPV6; + break; + default: + { + // Neither IPv4 nor IPv6. + packet->Weird("no_ip_in_encap"); + return; + } + } + } + } diff --git a/src/llanalyzer/Manager.h b/src/llanalyzer/Manager.h new file mode 100644 index 0000000000..54e444bb07 --- /dev/null +++ b/src/llanalyzer/Manager.h 
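Review bot: Manager::InitPostScript dereferences `Lookup(parent->AsEnumVal())->Name()` and `Lookup(analyzer)->Name()` without a null check, although every other Lookup use in this file (EnableAnalyzer, DisableAnalyzer, IsEnabled, InstantiateAnalyzer) guards against a null Component; a config_map entry naming an LLAnalyzer enum that no registered component backs (for instance a plugin that is not loaded) would crash Zeek at startup. Guard both lookups and report the offending entry, e.g. `auto* comp = Lookup(analyzer); if ( ! comp ) { reporter->Error("LLAnalyzer config_map entry %u names an unknown analyzer", i); continue; }`, and likewise for `parent`. Separately, `rv->GetField("identifier")->AsCount()` is narrowed into the 32-bit identifier_t silently, so an out-of-range count in the script config is truncated rather than rejected. In CustomEncapsulationSkip the skip is applied only to the local `pdata`; `packet->cur_pos` is never advanced, so unless something outside this function repeats the skip, later processing will read the IP header from the pre-encapsulation offset.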
@@ -0,0 +1,167 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#pragma once + +#include +#include + +#include "Tag.h" +#include "Analyzer.h" +#include "Component.h" +#include "AnalyzerSet.h" +#include "plugin/ComponentManager.h" +#include "iosource/Packet.h" + +#include "../Dict.h" +#include "../net_util.h" + +namespace zeek::llanalyzer { + +class AnalyzerSet; + +class Manager : public plugin::ComponentManager { +public: + /** + * Constructor. + */ + Manager(); + + /** + * Destructor. + */ + ~Manager(); + + /** + * Second-stage initialization of the manager. This is called late + * during Bro's initialization after any scripts are processed. + */ + void InitPostScript(); + + /** + * Finished the manager's operations. + */ + void Done(); + + /** + * Dumps out the state of all registered analyzers to the \c analyzer + * debug stream. Should be called only after any \c zeek_init events + * have executed to ensure that any of their changes are applied. + */ + void DumpDebug(); // Called after zeek_init() events. + + /** + * Enables an analyzer type. Only enabled analyzers will be + * instantiated for new connections. + * + * @param tag The analyzer's tag. + * + * @return True if successful. + */ + bool EnableAnalyzer(const Tag& tag); + + /** + * Enables an analyzer type. Only enabled analyzers will be + * instantiated for new connections. + * + * @param tag The analyzer's tag as an enum of script type \c + * Analyzer::Tag. + * + * @return True if successful. + */ + bool EnableAnalyzer(EnumVal* tag); + + /** + * Enables an analyzer type. Disabled analyzers will not be + * instantiated for new connections. + * + * @param tag The analyzer's tag. + * + * @return True if successful. + */ + bool DisableAnalyzer(const Tag& tag); + + /** + * Disables an analyzer type. Disabled analyzers will not be + * instantiated for new connections. + * + * @param tag The analyzer's tag as an enum of script type \c + * Analyzer::Tag. 
+ * + * @return True if successful. + */ + bool DisableAnalyzer(EnumVal* tag); + + /** + * Disables all currently registered analyzers. + */ + void DisableAllAnalyzers(); + + /** + * Returns the tag associated with an analyer name, or the tag + * associated with an error if no such analyzer exists. + * + * @param name The canonical analyzer name to check. + */ + Tag GetAnalyzerTag(const char* name); + + /** + * Returns true if an analyzer is enabled. + * + * @param tag The analyzer's tag. + */ + bool IsEnabled(Tag tag); + + /** + * Returns true if an analyzer is enabled. + * + * @param tag The analyzer's tag as an enum of script type \c + * Analyzer::Tag. + */ + bool IsEnabled(EnumVal* tag); + + /** + * Instantiates a new analyzer instance. + * + * @param tag The analyzer's tag. + * + * @return The new analyzer instance. Returns + * null if tag is invalid, the requested analyzer is disabled, or the + * analyzer can't be instantiated. + */ + Analyzer* InstantiateAnalyzer(const Tag& tag); + + /** + * Instantiates a new analyzer. + * + * @param name The name of the analyzer. + * + * @return The new analyzer instance. Returns + * null if the name is not known or if the requested analyzer that is + * disabled. + */ + Analyzer* InstantiateAnalyzer(const std::string& name); + + /** + * Processes a packet by applying the configured low layer analyzers. + * + * @param packet The packet to process. + */ + void ProcessPacket(Packet* packet); + +protected: + /** + * Skips a fixed amount of packet data that is defined by encap_hdr_size. + * It is assumed that an IP header follows. + * + * @param packet The packet to adapt. + */ + void CustomEncapsulationSkip(Packet* packet); + +private: + AnalyzerSet* analyzer_set = nullptr; + +}; + +} + +extern zeek::llanalyzer::Manager* llanalyzer_mgr; diff --git a/src/llanalyzer/ProtocolAnalyzerSet.cc b/src/llanalyzer/ProtocolAnalyzerSet.cc new file mode 100644 index 0000000000..6d2aeca83f --- /dev/null 
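Review bot: The method documentation in Manager.h was carried over from the connection-level analyzer manager and is wrong for packet-layer analyzers: the comment above `bool DisableAnalyzer(const Tag& tag);` says "Enables an analyzer type", the Enable/Disable comments speak of "new connections" although these analyzers are instantiated once in InitPostScript and selected per packet by ProcessPacket, and the EnumVal overloads refer to script type `Analyzer::Tag` while this manager registers its tags under `LLAnalyzer::Tag`. Suggested wording for the Disable overload: `Disables an analyzer type. Disabled analyzers are not instantiated when the analyzer set is built in InitPostScript.`, with the `@param tag` text naming the `LLAnalyzer::Tag` script enum; the Enable overloads need the mirror-image fix. The ProcessPacket comment should also state that `packet->link_type` is used as the root dispatcher identifier, since a caller that has not set it gets the `no_suitable_analyzer_found` weird.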
+++ b/src/llanalyzer/ProtocolAnalyzerSet.cc 
@@ -0,0 +1,137 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "ProtocolAnalyzerSet.h" + +namespace zeek::llanalyzer { + +ProtocolAnalyzerSet::ProtocolAnalyzerSet(Config& configuration, const std::string& default_analyzer_name) + { + // Instantiate objects for all analyzers + for ( const auto& current_dispatcher_config : configuration.GetDispatchers() ) + { + for ( const auto& current_mapping : current_dispatcher_config.GetMappings() ) + { + // Check if already instantiated + if ( analyzers.count(current_mapping.second) != 0 ) + continue; + + // Check if analyzer exists + if ( Analyzer* newAnalyzer = llanalyzer_mgr->InstantiateAnalyzer(current_mapping.second) ) + analyzers.emplace(current_mapping.second, newAnalyzer); + } + } + + // Generate Dispatchers, starting at root + root_dispatcher = GetDispatcher(configuration, "ROOT"); + if ( root_dispatcher == nullptr ) + reporter->InternalError("No dispatching configuration for ROOT of llanalyzer set."); + + // Set up default analysis + auto it = analyzers.find(default_analyzer_name); + if ( it != analyzers.end() ) + default_analyzer = it->second; + else + default_analyzer = llanalyzer_mgr->InstantiateAnalyzer(default_analyzer_name); + + default_dispatcher = nullptr; + if ( default_analyzer != nullptr ) + default_dispatcher = GetDispatcher(configuration, default_analyzer_name); + + current_state = root_dispatcher; + } + +ProtocolAnalyzerSet::~ProtocolAnalyzerSet() + { + bool delete_default = default_analyzer != nullptr; + for ( const auto& current : analyzers ) + { + if ( current.second == default_analyzer ) + delete_default = false; + + delete current.second; + } + + if ( delete_default ) + delete default_analyzer; + } + +Analyzer* ProtocolAnalyzerSet::Dispatch(identifier_t identifier) + { + // Because leaf nodes (aka no more dispatching) can still have an existing analyzer that returns more identifiers, + // current_state needs to be checked to be not null. 
In this case there would have been an analyzer dispatched + // in the last layer, but no dispatcher for it (end of FSM) + const Value* result = nullptr; + if ( current_state ) + result = current_state->Lookup(identifier); + + if ( result == nullptr ) + { + if ( current_state != default_dispatcher ) + { + // Switch to default analysis once + current_state = default_dispatcher; + return default_analyzer; + } + return nullptr; + } + else + { + current_state = result->dispatcher; + return result->analyzer; + } + } + +void ProtocolAnalyzerSet::Reset() + { + current_state = root_dispatcher; + } + +void ProtocolAnalyzerSet::DumpDebug() const + { +#ifdef DEBUG + DBG_LOG(DBG_LLANALYZER, "ProtocolAnalyzerSet FSM:"); + for ( const auto& current : dispatchers ) + { + DBG_LOG(DBG_LLANALYZER, " Dispatcher (%p): %s", current.second, current.first.c_str()); + current.second->DumpDebug(); + } +#endif + } + +Dispatcher* ProtocolAnalyzerSet::GetDispatcher(Config& configuration, const std::string& dispatcher_name) + { + // Is it already created? + if ( dispatchers.count(dispatcher_name) != 0 ) + return dispatchers[dispatcher_name]; + + // Create new dispatcher from config + std::optional> dispatcher_config = configuration.GetDispatcherConfig(dispatcher_name); + if ( ! dispatcher_config ) + // No such dispatcher found, this is therefore implicitly a leaf + return nullptr; + + const auto& mappings = dispatcher_config->get().GetMappings(); + + Dispatcher* dispatcher = new dispatcher_impl(); + dispatchers.emplace(dispatcher_name, dispatcher); + + for ( const auto& current_mapping : mappings ) + { + // No analyzer with this name. Report warning and ignore. 
+ if ( analyzers.count(current_mapping.second) == 0 ) + { + reporter->InternalWarning("No analyzer %s found for dispatching identifier %#x of %s, ignoring.", + current_mapping.second.c_str(), + current_mapping.first, + dispatcher_name.c_str()); + continue; + } + + dispatcher->Register(current_mapping.first, analyzers.at(current_mapping.second), + GetDispatcher(configuration, current_mapping.second)); + } + + return dispatcher; + } + +} diff --git a/src/llanalyzer/ProtocolAnalyzerSet.h b/src/llanalyzer/ProtocolAnalyzerSet.h new file mode 100644 index 0000000000..1f6a786456 --- /dev/null +++ b/src/llanalyzer/ProtocolAnalyzerSet.h @@ -0,0 +1,39 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#pragma once + +#include "AnalyzerSet.h" +#include "Config.h" +#include "dispatchers/Dispatcher.h" +#include "dispatchers/UniversalDispatcher.h" +#include "dispatchers/VectorDispatcher.h" + +namespace zeek::llanalyzer { + +class ProtocolAnalyzerSet : public AnalyzerSet { + +public: + explicit ProtocolAnalyzerSet(Config& configuration, const std::string& default_analyzer_name); + ~ProtocolAnalyzerSet() override; + + Analyzer* Dispatch(identifier_t identifier) override; + void Reset() override; + +protected: + void DumpDebug() const override; + +private: + using dispatcher_impl = VectorDispatcher; + //using dispatcher_impl = UniversalDispatcher; + + std::map analyzers; + std::map dispatchers; + Dispatcher* root_dispatcher = nullptr; + Dispatcher* default_dispatcher = nullptr; + Dispatcher* current_state = nullptr; + Analyzer* default_analyzer = nullptr; + + Dispatcher* GetDispatcher(Config& configuration, const std::string& dispatcher_name); +}; + +} diff --git a/src/llanalyzer/Tag.cc b/src/llanalyzer/Tag.cc new file mode 100644 index 0000000000..9960ed5e35 --- /dev/null +++ b/src/llanalyzer/Tag.cc 
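Review bot: ~ProtocolAnalyzerSet deletes the entries of `analyzers` (and `default_analyzer` when it is not among them) but never deletes the Dispatcher objects stored in `dispatchers`, which GetDispatcher allocates with `new dispatcher_impl()`, so every analyzer set leaks its entire dispatcher FSM; add `for ( auto& entry : dispatchers ) delete entry.second;` to the destructor (Dispatcher has a virtual destructor, and both dispatcher implementations free only their Value wrappers, not the analyzers they point at). The constructor also aborts with `reporter->InternalError` when no ROOT dispatcher is configured, but that condition is produced by the script-level config_map and should be reported as a configuration error. GetDispatcher inserts a dispatcher into `dispatchers` before recursing into its children, which is what keeps a self-referencing mapping (e.g. a VLAN-in-VLAN entry) from recursing forever; a one-line comment saying so would stop someone from "simplifying" that order.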
@@ -0,0 +1,41 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "Tag.h" +#include "Manager.h" + +namespace zeek::llanalyzer { + +Tag Tag::Error; + +Tag::Tag(type_t type, subtype_t subtype) + : zeek::Tag(llanalyzer_mgr->GetTagType(), type, subtype) + { + } + +Tag& Tag::operator=(const Tag& other) + { + zeek::Tag::operator=(other); + return *this; + } + +const IntrusivePtr& Tag::AsVal() const + { + return zeek::Tag::AsVal(llanalyzer_mgr->GetTagType()); + } + +EnumVal* Tag::AsEnumVal() const + { + return AsVal().get(); + } + +Tag::Tag(IntrusivePtr val) + : zeek::Tag(std::move(val)) + { + } + +Tag::Tag(EnumVal* val) + : zeek::Tag({NewRef {}, val}) + { + } + +} diff --git a/src/llanalyzer/Tag.h b/src/llanalyzer/Tag.h new file mode 100644 index 0000000000..66c2cdc6cb --- /dev/null +++ b/src/llanalyzer/Tag.h 
@@ -0,0 +1,130 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#pragma once + +#include "zeek-config.h" +#include "../Tag.h" + +namespace zeek::plugin { + template class TaggedComponent; + template class ComponentManager; +} +namespace plugin { + template + using TaggedComponent [[deprecated("Remove in v4.1. Use zeek::plugin::TaggedComponent instead.")]] = + zeek::plugin::TaggedComponent; + template + using ComponentManager [[deprecated("Remove in v4.1. Use zeek::plugin::ComponentManager instead.")]] = + zeek::plugin::ComponentManager; +} + +namespace zeek::llanalyzer { + +class Manager; +class Component; + +/** + * Class to identify a protocol analyzer type. + */ +class Tag : public zeek::Tag { +public: + /* + * Copy constructor. + */ + Tag(const Tag& other) : zeek::Tag(other) { } + + /** + * Default constructor. This initializes the tag with an error value + * that will make \c operator \c bool return false. + */ + Tag() : zeek::Tag() { } + + /** + * Destructor. + */ + ~Tag() = default; + + /** + * Returns false if the tag represents an error value rather than a + * legal analyzer type. + */ + explicit operator bool() const { return *this != Tag(); } + + /** + * Assignment operator. + */ + Tag& operator=(const Tag& other); + + /** + * Compares two tags for equality. + */ + bool operator==(const Tag& other) const + { + return zeek::Tag::operator==(other); + } + + /** + * Compares two tags for inequality. + */ + bool operator!=(const Tag& other) const + { + return zeek::Tag::operator!=(other); + } + + /** + * Compares two tags for less-than relationship. + */ + bool operator<(const Tag& other) const + { + return zeek::Tag::operator<(other); + } + + /** + * Returns the \c Analyzer::Tag enum that corresponds to this tag. + * The returned value does not have its ref-count increased. + * + * @param etype the script-layer enum type associated with the tag. 
+ */ + const IntrusivePtr& AsVal() const; + + /** + * Returns the \c Analyzer::Tag enum that corresponds to this tag. + * The returned value does not have its ref-count increased. + * + * @param etype the script-layer enum type associated with the tag. + */ + [[deprecated("Remove in v4.1. Use AsVal() instead.")]] + EnumVal* AsEnumVal() const; + + static Tag Error; + +protected: + + friend class llanalyzer::Manager; + friend class plugin::ComponentManager; + friend class plugin::TaggedComponent; + + /** + * Constructor. + * + * @param type The main type. Note that the \a llanalyzer::Manager + * manages the value space internally, so noone else should assign + * any main types. + * + * @param subtype The sub type, which is left to an analyzer for + * interpretation. By default it's set to zero. + */ + explicit Tag(type_t type, subtype_t subtype = 0); + + /** + * Constructor. + * + * @param val An enum value of script type \c Analyzer::Tag. + */ + explicit Tag(IntrusivePtr val); + + [[deprecated("Remove in v4.1. Construct from IntrusivePtr instead")]] + explicit Tag(EnumVal* val); +}; + +} diff --git a/src/llanalyzer/dispatchers/CMakeLists.txt b/src/llanalyzer/dispatchers/CMakeLists.txt new file mode 100644 index 0000000000..ea4183fef8 --- /dev/null +++ b/src/llanalyzer/dispatchers/CMakeLists.txt @@ -0,0 +1,13 @@ +include(ZeekSubdir) + +include_directories(BEFORE + ${CMAKE_CURRENT_SOURCE_DIR} + ${CMAKE_CURRENT_BINARY_DIR} +) + +set(dispatcher_SRCS + UniversalDispatcher.cc + VectorDispatcher.cc +) + +bro_add_subdir_library(llanalyzer_dispatcher ${dispatcher_SRCS}) diff --git a/src/llanalyzer/dispatchers/Dispatcher.h b/src/llanalyzer/dispatchers/Dispatcher.h new file mode 100644 index 0000000000..a59060459d --- /dev/null +++ b/src/llanalyzer/dispatchers/Dispatcher.h 
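Review bot: The doc comments in Tag.h no longer match this class: AsVal() and AsEnumVal() document a `@param etype` that neither method takes, both say the returned value "does not have its ref-count increased" although AsVal() returns a `const IntrusivePtr&`, the class comment calls this a "protocol analyzer type", and the constructor comments refer to script type `Analyzer::Tag` where this manager registers `LLAnalyzer::Tag`. Suggested replacement for the AsVal() comment: `Returns the LLAnalyzer::Tag enum value corresponding to this tag. The returned IntrusivePtr is owned by the Tag; callers that need to keep it must copy it.` — the ownership sentence is an inference from the reference return type, so confirm against the base-class implementation, which is outside this diff. The deprecated `namespace plugin` alias templates look like a copy of what the other Tag headers provide; one shared home for them avoids two copies drifting apart.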
@@ -0,0 +1,47 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#pragma once + +#include +#include + +#include "Analyzer.h" +#include "Defines.h" + +namespace zeek::llanalyzer { + +class Dispatcher; // Forward decl for Value +using register_pair = std::pair>; +using register_map = std::map>; + +class Value { +public: + Analyzer* analyzer; + Dispatcher* dispatcher; + + Value(Analyzer* analyzer, Dispatcher* dispatcher) + : analyzer(analyzer), dispatcher(dispatcher) + { + } +}; + +class Dispatcher { +public: + virtual ~Dispatcher() = default; + + virtual bool Register(identifier_t identifier, Analyzer* analyzer, Dispatcher* dispatcher) = 0; + virtual void Register(const register_map& data) + { + for ( auto& current : data ) + Register(current.first, current.second.first, current.second.second); + } + + virtual const Value* Lookup(identifier_t identifier) const = 0; + + virtual size_t Size() const = 0; + virtual void Clear() = 0; + + virtual void DumpDebug() const = 0; + }; + +} diff --git a/src/llanalyzer/dispatchers/UniversalDispatcher.cc b/src/llanalyzer/dispatchers/UniversalDispatcher.cc new file mode 100644 index 0000000000..2bc86664e1 --- /dev/null +++ b/src/llanalyzer/dispatchers/UniversalDispatcher.cc 
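Review bot: The Dispatcher interface says nothing about ownership of the `Analyzer*` and `Dispatcher*` passed to Register and kept in Value, yet the implementations in this commit delete only their Value wrappers while ProtocolAnalyzerSet owns the analyzers and dispatchers; a reader of this header cannot tell who frees what. Add a comment on Value and on Register such as `// Value does not own analyzer or dispatcher; the registering AnalyzerSet keeps both alive for the dispatcher's lifetime.` and document Register's result, e.g. `@return false if an entry for identifier already exists; the existing entry is left untouched.`. The default Register(const register_map&) discards the per-entry bool, so duplicates are silently dropped here, whereas both overriding implementations throw std::invalid_argument for them; the interface comment should say which behaviour is the contract.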
@@ -0,0 +1,210 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "UniversalDispatcher.h" + +namespace zeek::llanalyzer { + +UniversalDispatcher::UniversalDispatcher() : generator(rd()) + { + SetBins(2); + + table = std::vector(ONE << m, {0, nullptr}); + + // Initialize random engine + distribution_a = std::uniform_int_distribution(1, ~static_cast(0)); + distribution_b = std::uniform_int_distribution(0, (ONE << w_minus_m) - ONE); + + // Initialize random parameters + RandomizeAB(); + } + +UniversalDispatcher::~UniversalDispatcher() + { + FreeValues(); + } + +bool UniversalDispatcher::Register(identifier_t identifier, Analyzer* analyzer, Dispatcher* dispatcher) + { +#if DEBUG > 1 + std::shared_ptr deferred(nullptr, [=](...) { + std::cout << "Inserted " << identifier << std::endl; + }); +#endif + + uint64_t hashed_id = Hash(identifier); + if ( table[hashed_id].second == nullptr ) + { + // Free bin, insert the value + table[hashed_id] = std::make_pair(identifier, new Value(analyzer, dispatcher)); + return true; + } + else if ( table[hashed_id].first != identifier ) + { + // The bin is not empty, but the content isn't the to-be-inserted identifier --> resolve collision + + // Create intermediate representation with the new element in it, then rehash with that data + std::vector intermediate = CreateIntermediate(); + intermediate.emplace_back(identifier, new Value(analyzer, dispatcher)); + + // Try increasing the #bins until it works or it can't get any larger. + Rehash(intermediate); + return true; + } + + // Analyzer with this ID is already registered. 
+ return false; + } + +void UniversalDispatcher::Register(const register_map& data) + { + // Analyzer already registered + for ( const auto& current : data ) + { + if ( table[Hash(current.first)].second != nullptr ) + throw std::invalid_argument("Analyzer " + std::to_string(current.first) + " already registered!"); + } + + // Create intermediate representation of current analyzer set, then add all new ones + std::vector intermediate = CreateIntermediate(); + for ( const auto& current : data ) + intermediate.emplace_back(current.first, new Value(current.second.first, current.second.second)); + + Rehash(intermediate); + } + +Value* UniversalDispatcher::Lookup(identifier_t identifier) const + { + uint64_t hashed_id = Hash(identifier); + + // The hashed_id can't be larger than the number of bins + assert(hashed_id < table.size() && "Hashed ID is outside of the hash table range!"); + + pair_t entry = table[hashed_id]; + if ( entry.second != nullptr && entry.first == identifier ) + return entry.second; + + return nullptr; + } + +size_t UniversalDispatcher::Size() const + { + size_t result = 0; + for ( const auto& current : table ) + { + if ( current.second != nullptr ) + result++; + } + return result; + } + +void UniversalDispatcher::Clear() + { + // Free all analyzers + FreeValues(); + + SetBins(2); + table = std::vector(ONE << m, {0, nullptr}); + RandomizeAB(); + } + +size_t UniversalDispatcher::BucketCount() + { + return table.size(); + } + +void UniversalDispatcher::Rehash() + { + // Intermediate representation is just the current table without nulls + Rehash(CreateIntermediate()); + } + +void UniversalDispatcher::DumpDebug() const + { +#ifdef DEBUG + DBG_LOG(DBG_LLANALYZER, " Dispatcher elements (used/total): %lu/%lu", Size(), table.size()); + for ( size_t i = 0; i < table.size(); i++ ) + { + if ( table[i].second != nullptr ) + DBG_LOG(DBG_LLANALYZER, " %#8x => %s, %p", table[i].first, table[i].second->analyzer->GetAnalyzerName(), table[i].second->dispatcher); + } 
+#endif + } + +// ####################### +// ####### PRIVATE ####### +// ####################### + +void UniversalDispatcher::FreeValues() + { + for ( auto& current : table ) + { + delete current.second; + current.second = nullptr; + } + } + +void UniversalDispatcher::Rehash(const std::vector& intermediate) + { + while ( ! FindCollisionFreeHashFunction(intermediate) ) + { + DBG_LOG(DBG_LLANALYZER, "Rehashing did not work. Increasing #bins to %" PRIu64 " (%" PRIu64 " bit).", (uint64_t)std::pow(2, m + 1), m + 1); + SetBins(m + 1); + } + } + +bool UniversalDispatcher::FindCollisionFreeHashFunction(const std::vector& intermediate) + { + // Don't even try if the number of values is larger than the number of buckets + if ( ONE << m < intermediate.size() ) + return false; + + // Remember the hash function parameters to not break the table if rehashing doesn't work + uint64_t stored_a = a; + uint64_t stored_b = b; + + // Because the hash function hashes all values in the universe uniformly to m bins with probability 1/m + // we should at least try a multiple of #bins times. 
+ for ( size_t i = 1; i <= (ONE << m); i++ ) + { + // Step 1: Re-randomize hash function parameters + RandomizeAB(); + + // Step 2: Create new table + std::vector new_table(ONE << m, {0, nullptr}); + + // Step 3: Try to insert all elements into the new table with the new hash function + bool finished = true; + for ( const auto& current : intermediate ) + { + uint64_t hashed_id = Hash(current.first); + assert(hashed_id < new_table.size()); + if ( new_table[hashed_id].second == nullptr ) + { + // Free bin, insert the value + new_table[hashed_id] = current; + } + else + { + // The bin is not empty which means there is a collision + // (there are no duplicates in the intermediate representation so that can't be the case) + finished = false; + break; + } + } + + // Step 4: If the inserting finished without collisions, overwrite the previous table and exit + if ( finished ) + { + DBG_LOG(DBG_LLANALYZER, "Took %lu rehash(es) to resolve.", i); + table = new_table; + return true; + } + } + + // Finding a collision free hash function failed. Revert the hash function parameters. + a = stored_a; + b = stored_b; + return false; + } + +} diff --git a/src/llanalyzer/dispatchers/UniversalDispatcher.h b/src/llanalyzer/dispatchers/UniversalDispatcher.h new file mode 100644 index 0000000000..52b2baa982 --- /dev/null +++ b/src/llanalyzer/dispatchers/UniversalDispatcher.h 
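Review bot: UniversalDispatcher::Register(const register_map&) throws "already registered" whenever `table[Hash(current.first)].second != nullptr`, i.e. whenever the bin is occupied, but an occupied bin may hold a different identifier that merely hashes to the same slot, so a legitimate bulk registration can be rejected with a misleading error; the single-identifier Register handles exactly this case by comparing `.first`. The check should be `const auto& slot = table[Hash(current.first)]; if ( slot.second != nullptr && slot.first == current.first ) throw std::invalid_argument(...);`. In Rehash(const std::vector&), the Value objects freshly allocated by the callers and carried in `intermediate` leak if SetBins eventually throws; since the loop only stops on success or on that exception, a catch that frees the new entries (or allocating them after a successful rehash) would close it. Lookup relies on `assert(hashed_id < table.size())` as its only bound; the multiply-shift by `w_minus_m` does guarantee the bound for m >= 1, and a comment to that effect next to the assert would make the release-build safety visible.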
@@ -0,0 +1,108 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#pragma once + +#include +#include "Dispatcher.h" + +namespace zeek::llanalyzer { + +class UniversalDispatcher : public Dispatcher { +public: + UniversalDispatcher(); + ~UniversalDispatcher() override; + + bool Register(identifier_t identifier, Analyzer* analyzer, Dispatcher* dispatcher) override; + void Register(const register_map& data) override; + Value* Lookup(identifier_t identifier) const override; + size_t Size() const override; + void Clear() override; + + void DumpDebug() const override; + size_t BucketCount(); + + // Rehashes the hash table including re-randomization of the hash function. + void Rehash(); + +private: + using pair_t = std::pair; + static const uint64_t ONE = 1u; + + // Chosen random constants for the currently selected collision free random hash function + uint64_t a = 0; // Needs to be a random odd positive value < 2^(sizeof(uint64_t) * 8) + uint64_t b = 0; // Needs to be a random non-negative value < 2^(((sizeof(uint64_t) * 8) - M) + + // Current bits that define the number of bins. Initially 2 which means there are 2^2 = 4 bins. + uint64_t m = 2; + + // Current shift value which is the number of bits that are "insignificant" because of the universe size. + uint64_t w_minus_m = 0; + + // RNG + std::random_device rd; + std::mt19937_64 generator; + std::uniform_int_distribution distribution_a; + std::uniform_int_distribution distribution_b; + +// Debug +#if DEBUG > 0 + size_t nptr_counter = 0; + size_t mismatch_counter = 0; + size_t all_counter = 0; +#endif + + std::vector table; + + void FreeValues(); + + void Rehash(const std::vector& intermediate); + + /** + * Tries to find a collision free hash function with the current number of buckets. + * + * @param intermediate The key-value set to store in the hashtable. + * @return true, iff it found a collision-free hash function. 
+ */ + bool FindCollisionFreeHashFunction(const std::vector& intermediate); + + [[nodiscard]] inline uint64_t Hash(const uint64_t value) const + { + return (a * value + b) >> w_minus_m; + } + + inline void RandomizeAB() + { + do { + a = distribution_a(generator); + } while ( a % 2 == 0 ); + + b = distribution_b(generator); + } + + inline void SetBins(uint64_t new_m) + { + if ( new_m > (sizeof(uint64_t) * 8) ) + throw std::runtime_error("Number of bits for bin count too large."); + + m = new_m; + w_minus_m = sizeof(uint64_t) * 8 - m; + distribution_b = std::uniform_int_distribution(0, ((uint64_t)(1u) << w_minus_m) - (uint64_t)(1u)); + } + + inline std::vector CreateIntermediate() + { + std::vector intermediate; + for ( const auto& current : table ) + { + if ( current.second != nullptr ) + { + assert(current.second->analyzer != nullptr); + intermediate.emplace_back(current.first, current.second); + } + } + return intermediate; + } + +}; + +} diff --git a/src/llanalyzer/dispatchers/VectorDispatcher.cc b/src/llanalyzer/dispatchers/VectorDispatcher.cc new file mode 100644 index 0000000000..d948e3efda --- /dev/null +++ b/src/llanalyzer/dispatchers/VectorDispatcher.cc 
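Review bot: SetBins rejects `new_m > 64` but not `new_m == 0`, and with m == 0 it evaluates `(uint64_t)(1u) << w_minus_m` with w_minus_m == 64, a shift by the full width of the type, which is undefined behaviour (Hash would then shift right by 64 as well); the current callers pass 2 and m+1, so this is a latent hazard rather than a live bug, but `if ( new_m == 0 || new_m > sizeof(uint64_t) * 8 ) throw std::runtime_error("Number of bits for bin count out of range.");` closes it. The comment on `b` (`< 2^(((sizeof(uint64_t) * 8) - M)`) has unbalanced parentheses and a stray capital M; `// random value in [0, 2^(64 - m))` says the same thing. Hash() is applied to a 32-bit identifier_t but declared on uint64_t; a short comment that the multiply is intended to wrap modulo 2^64 (unsigned, hence defined) would keep a future reader from "fixing" the overflow.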
@@ -0,0 +1,122 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include
+
+#include "VectorDispatcher.h"
+
+namespace zeek::llanalyzer {
+
+VectorDispatcher::~VectorDispatcher()
+ {
+ FreeValues();
+ }
+
+bool VectorDispatcher::Register(identifier_t identifier, Analyzer* analyzer, Dispatcher* dispatcher)
+ {
+ // If the table has size 1 and the entry is nullptr, there was nothing added yet. Just add it.
+ if ( table.size() == 1 && table[0] == nullptr )
+ {
+ table[0] = new Value(analyzer, dispatcher);
+ lowest_identifier = identifier;
+ return true;
+ }
+
+ // If highestIdentifier == identifier, overwrite would happen -> no check needed, will return false
+ if ( GetHighestIdentifier() < identifier )
+ {
+ table.resize(table.size() + (identifier - GetHighestIdentifier()), nullptr);
+ }
+ else if ( identifier < lowest_identifier )
+ {
+ // Lower than the lowest registered identifier. Shift up by lowerBound - identifier
+ identifier_t distance = lowest_identifier - identifier;
+ table.resize(table.size() + distance, nullptr);
+
+ // Shift values
+ for ( ssize_t i = table.size() - 1; i >= 0; i-- )
+ {
+ if ( table[i] != nullptr )
+ {
+ table.at(i + distance) = table.at(i);
+ table.at(i) = nullptr;
+ }
+ }
+
+ lowest_identifier = identifier;
+ }
+
+ int64_t index = identifier - lowest_identifier;
+ if ( table[index] == nullptr )
+ {
+ table[index] = new Value(analyzer, dispatcher);
+ return true;
+ }
+
+ return false;
+ }
+
+void VectorDispatcher::Register(const register_map& data)
+ {
+ // Search smallest and largest identifier and resize vector
+ const auto& lowest_new =
+ std::min_element(data.begin(), data.end(),
+ [](const register_pair& a, const register_pair& b) {
+ return a.first < b.first;
+ });
+
+ // Register lowest first in order to do shifting only once
+ Register(lowest_new->first, lowest_new->second.first, lowest_new->second.second);
+ for ( auto i = data.begin(); i != data.end(); i++ )
+ {
+ // Already added if i == lowest_new
+ if ( i == lowest_new )
+ continue;
+
+ if ( ! Register(i->first, i->second.first, i->second.second) )
+ throw std::invalid_argument("Analyzer already registered!");
+ }
+ }
+
+const Value* VectorDispatcher::Lookup(identifier_t identifier) const
+ {
+ int64_t index = identifier - lowest_identifier;
+ if ( index >= 0 && index < static_cast(table.size()) && table[index] != nullptr )
+ return table[index];
+
+ return nullptr;
+ }
+
+size_t VectorDispatcher::Size() const
+ {
+ return std::count_if(table.begin(), table.end(), [](const auto* v) { return v != nullptr; });
+ }
+
+void VectorDispatcher::Clear()
+ {
+ FreeValues();
+ table.clear();
+ }
+
+void VectorDispatcher::FreeValues()
+ {
+ for ( auto& current : table )
+ {
+ delete current;
+ current = nullptr;
+ }
+ }
+
+void VectorDispatcher::DumpDebug() const
+ {
+#ifdef DEBUG
+ DBG_LOG(DBG_LLANALYZER, " Dispatcher elements (used/total): %lu/%lu", Size(), table.size());
+ DBG_LOG(DBG_LLANALYZER, "TABLE SIZE %lu", table.size());
+ for ( size_t i = 0; i < table.size(); i++ )
+ {
+ if ( table[i] != nullptr )
+ DBG_LOG(DBG_LLANALYZER, " %#8lx => %s, %p", i+lowest_identifier, table[i]->analyzer->GetAnalyzerName(), table[i]->dispatcher);
+ }
+#endif
+ }
+
+}
diff --git a/src/llanalyzer/dispatchers/VectorDispatcher.h b/src/llanalyzer/dispatchers/VectorDispatcher.h
new file mode 100644
index 0000000000..e801cde476
--- /dev/null
+++ b/src/llanalyzer/dispatchers/VectorDispatcher.h
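Review bot: Register(const register_map&) dereferences `lowest_new` unconditionally, but std::min_element returns `data.end()` for an empty map, so registering an empty configuration is undefined behaviour here; add `if ( data.empty() ) return;` before the min_element call. Separately, the single-identifier Register grows the vector to span the whole distance between the lowest and highest registered identifier, so two registrations far apart allocate a table proportional to that gap; the identifier type is defined outside this hunk, but if it is a 16- or 32-bit value a cap, or at least a comment stating the intended density, is worth adding. The `%lu` conversions in DumpDebug should be `%zu` for the size_t arguments.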
@@ -0,0 +1,41 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include "Dispatcher.h"
+
+namespace zeek::llanalyzer {
+
+class VectorDispatcher : public Dispatcher {
+public:
+ VectorDispatcher()
+ : table(std::vector(1, nullptr))
+ { }
+
+ ~VectorDispatcher() override;
+
+ bool Register(identifier_t identifier, Analyzer* analyzer, Dispatcher* dispatcher) override;
+ void Register(const register_map& data) override;
+
+ const Value* Lookup(identifier_t identifier) const override;
+
+ size_t Size() const override;
+ void Clear() const override;
+
+protected:
+ void DumpDebug() const override;
+
+private:
+ identifier_t lowest_identifier = 0;
+ std::vector table;
+
+ void FreeValues();
+
+ inline identifier_t GetHighestIdentifier() const
+ {
+ return lowest_identifier + table.size() - 1;
+ }
+};
+
+}
diff --git a/src/llanalyzer/protocol/CMakeLists.txt b/src/llanalyzer/protocol/CMakeLists.txt
new file mode 100644
index 0000000000..fbcef0f2c9
--- /dev/null
+++ b/src/llanalyzer/protocol/CMakeLists.txt
@@ -0,0 +1,18 @@
+add_subdirectory(default)
+
+add_subdirectory(wrapper)
+add_subdirectory(null)
+add_subdirectory(ethernet)
+add_subdirectory(vlan)
+add_subdirectory(pppoe)
+add_subdirectory(ppp_serial)
+add_subdirectory(ieee802_11)
+add_subdirectory(ieee802_11_radio)
+add_subdirectory(fddi)
+add_subdirectory(nflog)
+add_subdirectory(mpls)
+add_subdirectory(linux_sll)
+
+add_subdirectory(arp)
+add_subdirectory(ipv4)
+add_subdirectory(ipv6)
diff --git a/src/llanalyzer/protocol/arp/ARP.cc b/src/llanalyzer/protocol/arp/ARP.cc
new file mode 100644
index 0000000000..4def2a449f
--- /dev/null
+++ b/src/llanalyzer/protocol/arp/ARP.cc
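Review bot: GetHighestIdentifier and the constructor encode the invariant that `table` is dense over [lowest_identifier, lowest_identifier + table.size() - 1] and that a size-1 table holding a null entry means "nothing registered yet", but neither is written down; a comment on the `table` member such as `// table[i] holds the Value for identifier lowest_identifier + i; a single null entry means the table is empty` would make the special case at the top of Register readable. DumpDebug is protected here while UniversalDispatcher.h in this commit declares its override public; the base class (outside this hunk) decides which access is intended, but the two overrides should agree.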
@@ -0,0 +1,19 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "ARP.h"
+
+using namespace zeek::llanalyzer::ARP;
+
+ARPAnalyzer::ARPAnalyzer()
+ : zeek::llanalyzer::Analyzer("ARP")
+ {
+ }
+
+std::tuple ARPAnalyzer::Analyze(Packet* packet)
+ {
+ // TODO: Make ARP analyzer a native LL analyzer
+ packet->l3_proto = L3_ARP;
+
+ // Leave LL analyzer land
+ return { AnalyzerResult::Terminate, 0 };
+ }
diff --git a/src/llanalyzer/protocol/arp/ARP.h b/src/llanalyzer/protocol/arp/ARP.h
new file mode 100644
index 0000000000..6bf341ed51
--- /dev/null
+++ b/src/llanalyzer/protocol/arp/ARP.h
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include
+
+namespace zeek::llanalyzer::ARP {
+
+class ARPAnalyzer : public Analyzer {
+public:
+ ARPAnalyzer();
+ ~ARPAnalyzer() override = default;
+
+ std::tuple Analyze(Packet* packet) override;
+
+ static Analyzer* Instantiate()
+ {
+ return new ARPAnalyzer();
+ }
+};
+
+}
diff --git a/src/llanalyzer/protocol/arp/CMakeLists.txt b/src/llanalyzer/protocol/arp/CMakeLists.txt
new file mode 100644
index 0000000000..2db553b496
--- /dev/null
+++ b/src/llanalyzer/protocol/arp/CMakeLists.txt
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE $ {CMAKE_CURRENT_SOURCE_DIR} $ {CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(LLAnalyzer ARP)
+zeek_plugin_cc(ARP.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/llanalyzer/protocol/arp/Plugin.cc b/src/llanalyzer/protocol/arp/Plugin.cc
new file mode 100644
index 0000000000..5a7f296ddf
--- /dev/null
+++ b/src/llanalyzer/protocol/arp/Plugin.cc
@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "plugin/Plugin.h"
+#include "ARP.h"
+#include "llanalyzer/Component.h"
+
+namespace zeek::plugin::LLAnalyzer_ARP {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::llanalyzer::Component("ARP",
+ zeek::llanalyzer::ARP::ARPAnalyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "LLAnalyzer::ARP";
+ config.description = "ARP LL-Analyzer";
+ return config;
+ }
+
+} plugin;
+
+}
diff --git a/src/llanalyzer/protocol/default/CMakeLists.txt b/src/llanalyzer/protocol/default/CMakeLists.txt
new file mode 100644
index 0000000000..3753b432f9
--- /dev/null
+++ b/src/llanalyzer/protocol/default/CMakeLists.txt
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(LLAnalyzer Default)
+zeek_plugin_cc(Default.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/llanalyzer/protocol/default/Default.cc b/src/llanalyzer/protocol/default/Default.cc
new file mode 100644
index 0000000000..3e01e1ba8c
--- /dev/null
+++ b/src/llanalyzer/protocol/default/Default.cc
@@ -0,0 +1,28 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "Default.h"
+#include "NetVar.h"
+
+using namespace zeek::llanalyzer::Default;
+
+DefaultAnalyzer::DefaultAnalyzer()
+ : zeek::llanalyzer::Analyzer("DefaultAnalyzer")
+ {
+ }
+
+std::tuple DefaultAnalyzer::Analyze(Packet* packet)
+ {
+ auto& pdata = packet->cur_pos;
+
+ // Assume we're pointing at IP. Just figure out which version.
+ if ( pdata + sizeof(struct ip) >= packet->GetEndOfData() )
+ {
+ packet->Weird("default_ll_analyser_failed");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ auto ip = (const struct ip *)pdata;
+ identifier_t protocol = ip->ip_v;
+
+ return { AnalyzerResult::Continue, protocol };
+ }
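Review bot: The truncation test `pdata + sizeof(struct ip) >= packet->GetEndOfData()` rejects a packet whose remaining data is exactly one IP header, because the end pointer is one past the last byte; `>` is the bound that matches the comment, and only the first byte (`ip_v`) is actually read here. The same `>=` form is used in Ethernet.cc, FDDI.cc, IEEE802_11.cc, IEEE802_11_Radio.cc, LinuxSLL.cc and MPLS.cc in this commit, so if it is a deliberate "some payload must follow" rule it deserves one comment in the shared base rather than silent repetition in each analyzer. Forming `pdata + sizeof(struct ip)` before comparing can itself produce a pointer beyond one-past-the-end of the buffer; comparing the remaining length, `GetEndOfData() - pdata`, against `sizeof(struct ip)` avoids that.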
diff --git a/src/llanalyzer/protocol/default/Default.h b/src/llanalyzer/protocol/default/Default.h
new file mode 100644
index 0000000000..6c02b72f62
--- /dev/null
+++ b/src/llanalyzer/protocol/default/Default.h
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include
+
+namespace zeek::llanalyzer::Default {
+
+class DefaultAnalyzer : public Analyzer {
+public:
+ DefaultAnalyzer();
+ ~DefaultAnalyzer() override = default;
+
+ std::tuple Analyze(Packet* packet) override;
+
+ static Analyzer* Instantiate()
+ {
+ return new DefaultAnalyzer();
+ }
+};
+
+}
diff --git a/src/llanalyzer/protocol/default/Plugin.cc b/src/llanalyzer/protocol/default/Plugin.cc
new file mode 100644
index 0000000000..cc92fd6870
--- /dev/null
+++ b/src/llanalyzer/protocol/default/Plugin.cc
@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "Default.h"
+#include "plugin/Plugin.h"
+#include "llanalyzer/Component.h"
+
+namespace zeek::plugin::LLAnalyzer_Default {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::llanalyzer::Component("DefaultAnalyzer",
+ zeek::llanalyzer::Default::DefaultAnalyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "LLAnalyzer::DefaultAnalyzer";
+ config.description = "Default LL-Analyzer for IP fallback";
+ return config;
+ }
+
+} plugin;
+
+}
diff --git a/src/llanalyzer/protocol/ethernet/CMakeLists.txt b/src/llanalyzer/protocol/ethernet/CMakeLists.txt
new file mode 100644
index 0000000000..583abdcc44
--- /dev/null
+++ b/src/llanalyzer/protocol/ethernet/CMakeLists.txt
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(LLAnalyzer Ethernet)
+zeek_plugin_cc(Ethernet.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/llanalyzer/protocol/ethernet/Ethernet.cc b/src/llanalyzer/protocol/ethernet/Ethernet.cc
new file mode 100644
index 0000000000..564a3bf10f
--- /dev/null
+++ b/src/llanalyzer/protocol/ethernet/Ethernet.cc
@@ -0,0 +1,75 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "Ethernet.h"
+#include "NetVar.h"
+
+using namespace zeek::llanalyzer::Ethernet;
+
+EthernetAnalyzer::EthernetAnalyzer()
+ : zeek::llanalyzer::Analyzer("Ethernet")
+ {
+ }
+
+std::tuple EthernetAnalyzer::Analyze(Packet* packet)
+ {
+ auto& pdata = packet->cur_pos;
+ auto end_of_data = packet->GetEndOfData();
+
+ // Skip past Cisco FabricPath to encapsulated ethernet frame.
+ if ( pdata[12] == 0x89 && pdata[13] == 0x03 )
+ {
+ auto constexpr cfplen = 16;
+
+ if ( pdata + cfplen + 14 >= end_of_data )
+ {
+ packet->Weird("truncated_link_header_cfp");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ pdata += cfplen;
+ }
+
+ // Get protocol being carried from the ethernet frame.
+ identifier_t protocol = (pdata[12] << 8) + pdata[13];
+
+ packet->eth_type = protocol;
+ packet->l2_dst = pdata;
+ packet->l2_src = pdata + 6;
+
+ // Ethernet II frames
+ if ( protocol >= 1536 )
+ {
+ pdata += 14;
+ return { AnalyzerResult::Continue, protocol };
+ }
+
+ // Other ethernet frame types
+ if ( protocol <= 1500 )
+ {
+ if ( pdata + 16 >= end_of_data )
+ {
+ packet->Weird("truncated_ethernet_frame");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ // In the following we use undefined EtherTypes to signal uncommon
+ // frame types. This allows specialized analyzers to take over.
+ // Note that pdata remains at the start of the ethernet frame.
+
+ // IEEE 802.2 SNAP
+ if ( pdata[14] == 0xAA && pdata[15] == 0xAA)
+ return { AnalyzerResult::Continue, 1502 };
+
+ // Novell raw IEEE 802.3
+ if ( pdata[14] == 0xFF && pdata[15] == 0xFF)
+ return { AnalyzerResult::Continue, 1503 };
+
+
+ // IEEE 802.2 LLC
+ return { AnalyzerResult::Continue, 1501 };
+ }
+
+ // Undefined (1500 < EtherType < 1536)
+ packet->Weird("undefined_ether_type");
+ return { AnalyzerResult::Failed, protocol };
+ }
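Review bot: `pdata[12]` and `pdata[13]` are read in the FabricPath test before any length check, so a capture shorter than 14 bytes reads past the end of the packet buffer unless the caller guarantees a minimum capture length, which this hunk does not show; add `if ( pdata + 14 >= end_of_data ) { packet->Weird("truncated_ethernet_frame"); return { AnalyzerResult::Failed, 0 }; }` at the top of Analyze, before the FabricPath test. The later checks only cover the FabricPath and 802.3 paths, and the Ethernet II path reads the EtherType and sets l2_src/l2_dst with no check at all. The values 1501, 1502 and 1503 used as dispatch keys would read better as named constants shared with the analyzers that register for them.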
diff --git a/src/llanalyzer/protocol/ethernet/Ethernet.h b/src/llanalyzer/protocol/ethernet/Ethernet.h
new file mode 100644
index 0000000000..a6805f84a8
--- /dev/null
+++ b/src/llanalyzer/protocol/ethernet/Ethernet.h
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include
+
+namespace zeek::llanalyzer::Ethernet {
+
+class EthernetAnalyzer : public Analyzer {
+public:
+ EthernetAnalyzer();
+ ~EthernetAnalyzer() override = default;
+
+ std::tuple Analyze(Packet* packet) override;
+
+ static Analyzer* Instantiate()
+ {
+ return new EthernetAnalyzer();
+ }
+};
+
+}
diff --git a/src/llanalyzer/protocol/ethernet/Plugin.cc b/src/llanalyzer/protocol/ethernet/Plugin.cc
new file mode 100644
index 0000000000..5ae0e1cc87
--- /dev/null
+++ b/src/llanalyzer/protocol/ethernet/Plugin.cc
@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "Ethernet.h"
+#include "plugin/Plugin.h"
+#include "llanalyzer/Component.h"
+
+namespace zeek::plugin::LLAnalyzer_Ethernet {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::llanalyzer::Component("Ethernet",
+ zeek::llanalyzer::Ethernet::EthernetAnalyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "LLAnalyzer::Ethernet";
+ config.description = "Ethernet LL-Analyzer";
+ return config;
+ }
+
+} plugin;
+
+}
diff --git a/src/llanalyzer/protocol/fddi/CMakeLists.txt b/src/llanalyzer/protocol/fddi/CMakeLists.txt
new file mode 100644
index 0000000000..a1a7c571a7
--- /dev/null
+++ b/src/llanalyzer/protocol/fddi/CMakeLists.txt
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(LLAnalyzer FDDI)
+zeek_plugin_cc(FDDI.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/llanalyzer/protocol/fddi/FDDI.cc b/src/llanalyzer/protocol/fddi/FDDI.cc
new file mode 100644
index 0000000000..c5594061f7
--- /dev/null
+++ b/src/llanalyzer/protocol/fddi/FDDI.cc
@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "FDDI.h"
+#include "NetVar.h"
+
+using namespace zeek::llanalyzer::FDDI;
+
+FDDIAnalyzer::FDDIAnalyzer()
+ : zeek::llanalyzer::Analyzer("FDDI")
+ {
+ }
+
+std::tuple FDDIAnalyzer::Analyze(Packet* packet)
+ {
+ auto& pdata = packet->cur_pos;
+ auto hdr_size = 13 + 8; // FDDI header + LLC
+
+ if ( pdata + hdr_size >= packet->GetEndOfData() )
+ {
+ packet->Weird("FDDI_analyzer_failed");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ // We just skip the header and hope for default analysis
+ pdata += hdr_size;
+ return { AnalyzerResult::Continue, -1 };
+ }
diff --git a/src/llanalyzer/protocol/fddi/FDDI.h b/src/llanalyzer/protocol/fddi/FDDI.h
new file mode 100644
index 0000000000..b4217739dd
--- /dev/null
+++ b/src/llanalyzer/protocol/fddi/FDDI.h
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include
+
+namespace zeek::llanalyzer::FDDI {
+
+class FDDIAnalyzer : public zeek::llanalyzer::Analyzer {
+public:
+ FDDIAnalyzer();
+ ~FDDIAnalyzer() override = default;
+
+ std::tuple Analyze(Packet* packet) override;
+
+ static zeek::llanalyzer::Analyzer* Instantiate()
+ {
+ return new FDDIAnalyzer();
+ }
+};
+
+}
diff --git a/src/llanalyzer/protocol/fddi/Plugin.cc b/src/llanalyzer/protocol/fddi/Plugin.cc
new file mode 100644
index 0000000000..809f30312f
--- /dev/null
+++ b/src/llanalyzer/protocol/fddi/Plugin.cc
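Review bot: Analyze returns `-1` as the next identifier so that a fallback analyzer picks the packet up, but nothing here names that convention; if identifier_t is unsigned (its definition is outside this hunk) the literal silently wraps, and a reader of the dispatcher configuration cannot tell what -1 means. Give the sentinel a named constant in the shared analyzer header and use it here, and add a comment above the skip such as `// 13-byte FDDI MAC header followed by an 8-byte LLC/SNAP header; the SNAP bytes are not verified` so the 13 + 8 is not a magic sum. The comment "hope for default analysis" would be clearer if it said which analyzer is expected to receive the -1 identifier.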
@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "FDDI.h"
+#include "plugin/Plugin.h"
+#include "llanalyzer/Component.h"
+
+namespace zeek::plugin::LLAnalyzer_FDDI {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::llanalyzer::Component("FDDI",
+ zeek::llanalyzer::FDDI::FDDIAnalyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "LLAnalyzer::FDDI";
+ config.description = "FDDI LL-Analyzer";
+ return config;
+ }
+
+} plugin;
+
+}
diff --git a/src/llanalyzer/protocol/ieee802_11/CMakeLists.txt b/src/llanalyzer/protocol/ieee802_11/CMakeLists.txt
new file mode 100644
index 0000000000..e8f20d8e80
--- /dev/null
+++ b/src/llanalyzer/protocol/ieee802_11/CMakeLists.txt
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(LLAnalyzer IEEE802_11)
+zeek_plugin_cc(IEEE802_11.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/llanalyzer/protocol/ieee802_11/IEEE802_11.cc b/src/llanalyzer/protocol/ieee802_11/IEEE802_11.cc
new file mode 100644
index 0000000000..363706ae49
--- /dev/null
+++ b/src/llanalyzer/protocol/ieee802_11/IEEE802_11.cc
@@ -0,0 +1,113 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "IEEE802_11.h"
+#include "NetVar.h"
+
+using namespace zeek::llanalyzer::IEEE802_11;
+
+IEEE802_11Analyzer::IEEE802_11Analyzer()
+ : zeek::llanalyzer::Analyzer("IEEE802_11")
+ {
+ }
+
+std::tuple IEEE802_11Analyzer::Analyze(Packet* packet)
+ {
+ auto& pdata = packet->cur_pos;
+ auto end_of_data = packet->GetEndOfData();
+
+ u_char len_80211 = 24; // minimal length of data frames
+
+ if ( pdata + len_80211 >= end_of_data )
+ {
+ packet->Weird("truncated_802_11_header");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ u_char fc_80211 = pdata[0]; // Frame Control field
+
+ // Skip non-data frame types (management & control).
+ if ( ! ((fc_80211 >> 2) & 0x02) )
+ return { AnalyzerResult::Failed, 0 };
+
+ // Skip subtypes without data.
+ if ( (fc_80211 >> 4) & 0x04 )
+ return { AnalyzerResult::Failed, 0 };
+
+ // 'To DS' and 'From DS' flags set indicate use of the 4th
+ // address field.
+ if ( (pdata[1] & 0x03) == 0x03 )
+ len_80211 += packet->L2_ADDR_LEN;
+
+ // Look for the QoS indicator bit.
+ if ( (fc_80211 >> 4) & 0x08 )
+ {
+ // Skip in case of A-MSDU subframes indicated by QoS
+ // control field.
+ if ( pdata[len_80211] & 0x80 )
+ return { AnalyzerResult::Failed, 0 };
+
+ len_80211 += 2;
+ }
+
+ if ( pdata + len_80211 >= end_of_data )
+ {
+ packet->Weird("truncated_802_11_header");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ // Determine link-layer addresses based
+ // on 'To DS' and 'From DS' flags
+ switch ( pdata[1] & 0x03 )
+ {
+ case 0x00:
+ packet->l2_src = pdata + 10;
+ packet->l2_dst = pdata + 4;
+ break;
+
+ case 0x01:
+ packet->l2_src = pdata + 10;
+ packet->l2_dst = pdata + 16;
+ break;
+
+ case 0x02:
+ packet->l2_src = pdata + 16;
+ packet->l2_dst = pdata + 4;
+ break;
+
+ case 0x03:
+ packet->l2_src = pdata + 24;
+ packet->l2_dst = pdata + 16;
+ break;
+ }
+
+ // skip 802.11 data header
+ pdata += len_80211;
+
+ if ( pdata + 8 >= end_of_data )
+ {
+ packet->Weird("truncated_802_11_header");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ // Check that the DSAP and SSAP are both SNAP and that the control
+ // field indicates that this is an unnumbered frame.
+ // The organization code (24bits) needs to also be zero to
+ // indicate that this is encapsulated ethernet.
+ if ( pdata[0] == 0xAA && pdata[1] == 0xAA && pdata[2] == 0x03 &&
+ pdata[3] == 0 && pdata[4] == 0 && pdata[5] == 0 )
+ {
+ pdata += 6;
+ }
+ else
+ {
+ // If this is a logical link control frame without the
+ // possibility of having a protocol we care about, we'll
+ // just skip it for now.
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ identifier_t protocol = (pdata[0] << 8) + pdata[1];
+ pdata += 2;
+
+ return { AnalyzerResult::Continue, protocol };
+ }
diff --git a/src/llanalyzer/protocol/ieee802_11/IEEE802_11.h b/src/llanalyzer/protocol/ieee802_11/IEEE802_11.h
new file mode 100644
index 0000000000..930de4bce5
--- /dev/null
+++ b/src/llanalyzer/protocol/ieee802_11/IEEE802_11.h
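Review bot: `pdata[len_80211]` in the QoS branch is read before the second truncation check, and len_80211 has already grown to 30 when both DS flags are set, so a frame of 25 to 30 bytes reads up to six bytes past the end of the packet data; the first check only guarantees that `pdata[24]` exists. Add `if ( pdata + len_80211 >= end_of_data ) { packet->Weird("truncated_802_11_header"); return { AnalyzerResult::Failed, 0 }; }` at the start of the QoS block, before the A-MSDU test, and keep the existing check after it for the two added bytes. The address assignments in the switch are covered by the check that follows the QoS block, so they are fine once the ordering above is fixed.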
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include
+
+namespace zeek::llanalyzer::IEEE802_11 {
+
+class IEEE802_11Analyzer : public Analyzer {
+public:
+ IEEE802_11Analyzer();
+ ~IEEE802_11Analyzer() override = default;
+
+ std::tuple Analyze(Packet* packet) override;
+
+ static Analyzer* Instantiate()
+ {
+ return new IEEE802_11Analyzer();
+ }
+};
+
+}
diff --git a/src/llanalyzer/protocol/ieee802_11/Plugin.cc b/src/llanalyzer/protocol/ieee802_11/Plugin.cc
new file mode 100644
index 0000000000..b85fb29b9a
--- /dev/null
+++ b/src/llanalyzer/protocol/ieee802_11/Plugin.cc
@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "IEEE802_11.h"
+#include "plugin/Plugin.h"
+#include "llanalyzer/Component.h"
+
+namespace zeek::plugin::LLAnalyzer_IEEE802_11 {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::llanalyzer::Component("IEEE802_11",
+ zeek::llanalyzer::IEEE802_11::IEEE802_11Analyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "LLAnalyzer::IEEE802_11";
+ config.description = "IEEE 802.11 LL-Analyzer";
+ return config;
+ }
+
+} plugin;
+
+}
diff --git a/src/llanalyzer/protocol/ieee802_11_radio/CMakeLists.txt b/src/llanalyzer/protocol/ieee802_11_radio/CMakeLists.txt
new file mode 100644
index 0000000000..2df7896a34
--- /dev/null
+++ b/src/llanalyzer/protocol/ieee802_11_radio/CMakeLists.txt
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(LLAnalyzer IEEE802_11_Radio)
+zeek_plugin_cc(IEEE802_11_Radio.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/llanalyzer/protocol/ieee802_11_radio/IEEE802_11_Radio.cc b/src/llanalyzer/protocol/ieee802_11_radio/IEEE802_11_Radio.cc
new file mode 100644
index 0000000000..ef39420c64
--- /dev/null
+++ b/src/llanalyzer/protocol/ieee802_11_radio/IEEE802_11_Radio.cc
@@ -0,0 +1,38 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include
+
+#include "IEEE802_11_Radio.h"
+#include "NetVar.h"
+
+using namespace zeek::llanalyzer::IEEE802_11_Radio;
+
+IEEE802_11_RadioAnalyzer::IEEE802_11_RadioAnalyzer()
+ : zeek::llanalyzer::Analyzer("IEEE802_11_Radio")
+ {
+ }
+
+std::tuple IEEE802_11_RadioAnalyzer::Analyze(Packet* packet)
+ {
+ auto pdata = packet->cur_pos;
+ auto end_of_data = packet->GetEndOfData();
+
+ if ( pdata + 3 >= end_of_data )
+ {
+ packet->Weird("truncated_radiotap_header");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ // Skip over the RadioTap header
+ int rtheader_len = (pdata[3] << 8) + pdata[2];
+
+ if ( pdata + rtheader_len >= end_of_data )
+ {
+ packet->Weird("truncated_radiotap_header");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ packet->cur_pos += rtheader_len;
+
+ return { AnalyzerResult::Continue, DLT_IEEE802_11 };
+ }
diff --git a/src/llanalyzer/protocol/ieee802_11_radio/IEEE802_11_Radio.h b/src/llanalyzer/protocol/ieee802_11_radio/IEEE802_11_Radio.h
new file mode 100644
index 0000000000..8fd9d0af65
--- /dev/null
+++ b/src/llanalyzer/protocol/ieee802_11_radio/IEEE802_11_Radio.h
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include
+
+namespace zeek::llanalyzer::IEEE802_11_Radio {
+
+class IEEE802_11_RadioAnalyzer : public Analyzer {
+public:
+ IEEE802_11_RadioAnalyzer();
+ ~IEEE802_11_RadioAnalyzer() override = default;
+
+ std::tuple Analyze(Packet* packet) override;
+
+ static Analyzer* Instantiate()
+ {
+ return new IEEE802_11_RadioAnalyzer();
+ }
+};
+
+}
diff --git a/src/llanalyzer/protocol/ieee802_11_radio/Plugin.cc b/src/llanalyzer/protocol/ieee802_11_radio/Plugin.cc
new file mode 100644
index 0000000000..e0339be75d
--- /dev/null
+++ b/src/llanalyzer/protocol/ieee802_11_radio/Plugin.cc
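Review bot: `rtheader_len` comes straight from the packet and is only checked against the end of data, so an it_len of 0 (or anything below the 8-byte fixed radiotap header of version, pad, length and present bitmap) passes, cur_pos does not advance, and the 802.11 analyzer is then handed the radiotap bytes themselves; reject short lengths with `if ( rtheader_len < 8 || pdata + rtheader_len >= end_of_data )`. Reading `pdata[3]` after the `pdata + 3 >= end_of_data` test is correct. The it_version byte at `pdata[0]` is defined to be 0 and could be verified at the same time, with a weird rather than a silent skip when it is not.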
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "IEEE802_11_Radio.h"
+#include "plugin/Plugin.h"
+#include "llanalyzer/Component.h"
+
+namespace zeek::plugin::LLAnalyzer_IEEE802_11_Radio {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::llanalyzer::Component("IEEE802_11_Radio",
+ zeek::llanalyzer::IEEE802_11_Radio::IEEE802_11_RadioAnalyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "LLAnalyzer::IEEE802_11_Radio";
+ config.description = "IEEE 802.11 Radiotap LL-Analyzer";
+ return config;
+ }
+
+} plugin;
+}
diff --git a/src/llanalyzer/protocol/ipv4/CMakeLists.txt b/src/llanalyzer/protocol/ipv4/CMakeLists.txt
new file mode 100644
index 0000000000..ca4a2e033c
--- /dev/null
+++ b/src/llanalyzer/protocol/ipv4/CMakeLists.txt
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(LLAnalyzer IPv4)
+zeek_plugin_cc(IPv4.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/llanalyzer/protocol/ipv4/IPv4.cc b/src/llanalyzer/protocol/ipv4/IPv4.cc
new file mode 100644
index 0000000000..138ebc8460
--- /dev/null
+++ b/src/llanalyzer/protocol/ipv4/IPv4.cc
@@ -0,0 +1,18 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "IPv4.h"
+
+using namespace zeek::llanalyzer::IPv4;
+
+IPv4Analyzer::IPv4Analyzer()
+ : zeek::llanalyzer::Analyzer("IPv4")
+ {
+ }
+
+std::tuple IPv4Analyzer::Analyze(Packet* packet)
+ {
+ packet->l3_proto = L3_IPV4;
+
+ // Leave LL analyzer land
+ return { AnalyzerResult::Terminate, 0 };
+ }
diff --git a/src/llanalyzer/protocol/ipv4/IPv4.h b/src/llanalyzer/protocol/ipv4/IPv4.h
new file mode 100644
index 0000000000..4e16ec4371
--- /dev/null
+++ b/src/llanalyzer/protocol/ipv4/IPv4.h
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include
+
+namespace zeek::llanalyzer::IPv4 {
+
+class IPv4Analyzer : public Analyzer {
+public:
+ IPv4Analyzer();
+ ~IPv4Analyzer() override = default;
+
+ std::tuple Analyze(Packet* packet) override;
+
+ static Analyzer* Instantiate()
+ {
+ return new IPv4Analyzer();
+ }
+};
+
+}
diff --git a/src/llanalyzer/protocol/ipv4/Plugin.cc b/src/llanalyzer/protocol/ipv4/Plugin.cc
new file mode 100644
index 0000000000..7990ac70e0
--- /dev/null
+++ b/src/llanalyzer/protocol/ipv4/Plugin.cc
@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "IPv4.h"
+#include "plugin/Plugin.h"
+#include "llanalyzer/Component.h"
+
+namespace zeek::plugin::LLAnalyzer_IPv4 {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::llanalyzer::Component("IPv4",
+ zeek::llanalyzer::IPv4::IPv4Analyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "LLAnalyzer::IPv4";
+ config.description = "IPv4 LL-Analyzer";
+ return config;
+ }
+
+} plugin;
+
+}
diff --git a/src/llanalyzer/protocol/ipv6/CMakeLists.txt b/src/llanalyzer/protocol/ipv6/CMakeLists.txt
new file mode 100644
index 0000000000..36beced1b2
--- /dev/null
+++ b/src/llanalyzer/protocol/ipv6/CMakeLists.txt
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE $ {CMAKE_CURRENT_SOURCE_DIR} $ {CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(LLAnalyzer IPv6)
+zeek_plugin_cc(IPv6.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/llanalyzer/protocol/ipv6/IPv6.cc b/src/llanalyzer/protocol/ipv6/IPv6.cc
new file mode 100644
index 0000000000..ee6b6ef059
--- /dev/null
+++ b/src/llanalyzer/protocol/ipv6/IPv6.cc
@@ -0,0 +1,18 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "IPv6.h"
+
+using namespace zeek::llanalyzer::IPv6;
+
+IPv6Analyzer::IPv6Analyzer()
+ : zeek::llanalyzer::Analyzer("IPv6")
+ {
+ }
+
+std::tuple IPv6Analyzer::Analyze(Packet* packet)
+ {
+ packet->l3_proto = L3_IPV6;
+
+ // Leave LL analyzer land
+ return { AnalyzerResult::Terminate, 0 };
+ }
diff --git a/src/llanalyzer/protocol/ipv6/IPv6.h b/src/llanalyzer/protocol/ipv6/IPv6.h
new file mode 100644
index 0000000000..0364d6b4d5
--- /dev/null
+++ b/src/llanalyzer/protocol/ipv6/IPv6.h
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include
+
+namespace zeek::llanalyzer::IPv6 {
+
+class IPv6Analyzer : public Analyzer {
+public:
+ IPv6Analyzer();
+ ~IPv6Analyzer() override = default;
+
+ std::tuple Analyze(Packet* packet) override;
+
+ static Analyzer* Instantiate()
+ {
+ return new IPv6Analyzer();
+ }
+};
+
+}
diff --git a/src/llanalyzer/protocol/ipv6/Plugin.cc b/src/llanalyzer/protocol/ipv6/Plugin.cc
new file mode 100644
index 0000000000..137db569d3
--- /dev/null
+++ b/src/llanalyzer/protocol/ipv6/Plugin.cc
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "plugin/Plugin.h"
+#include "IPv6.h"
+#include "llanalyzer/Component.h"
+
+namespace zeek::plugin::LLAnalyzer_IPv6 {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::llanalyzer::Component("IPv6",
+ zeek::llanalyzer::IPv6::IPv6Analyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "LLAnalyzer::IPv6";
+ config.description = "IPv6 LL-Analyzer";
+ return config;
+ }
+} plugin;
+
+}
diff --git a/src/llanalyzer/protocol/linux_sll/CMakeLists.txt b/src/llanalyzer/protocol/linux_sll/CMakeLists.txt
new file mode 100644
index 0000000000..069b1db41a
--- /dev/null
+++ b/src/llanalyzer/protocol/linux_sll/CMakeLists.txt
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE $ {CMAKE_CURRENT_SOURCE_DIR} $ {CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(LLAnalyzer LinuxSLL)
+zeek_plugin_cc(LinuxSLL.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/llanalyzer/protocol/linux_sll/LinuxSLL.cc b/src/llanalyzer/protocol/linux_sll/LinuxSLL.cc
new file mode 100644
index 0000000000..975b8bba09
--- /dev/null
+++ b/src/llanalyzer/protocol/linux_sll/LinuxSLL.cc
@@ -0,0 +1,34 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "LinuxSLL.h"
+
+using namespace zeek::llanalyzer::LinuxSLL;
+
+LinuxSLLAnalyzer::LinuxSLLAnalyzer()
+ : zeek::llanalyzer::Analyzer("LinuxSLL")
+ {
+ }
+
+std::tuple LinuxSLLAnalyzer::Analyze(Packet* packet)
+ {
+ auto& pdata = packet->cur_pos;
+
+ if ( pdata + sizeof(SLLHeader) >= packet->GetEndOfData() )
+ {
+ packet->Weird("truncated_Linux_SLL_header");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ //TODO: Handle different ARPHRD_types
+ auto hdr = (const SLLHeader*)pdata;
+
+ identifier_t protocol = ntohs(hdr->protocol_type);
+ packet->l2_src = (u_char*) &(hdr->addr);
+
+ // SLL doesn't include a destination address in the header, but not setting l2_dst to something
+ // here will cause crashes elsewhere.
+ packet->l2_dst = Packet::L2_EMPTY_ADDR;
+
+ pdata += sizeof(SLLHeader);
+ return { AnalyzerResult::Continue, protocol };
+ }
diff --git a/src/llanalyzer/protocol/linux_sll/LinuxSLL.h b/src/llanalyzer/protocol/linux_sll/LinuxSLL.h
new file mode 100644
index 0000000000..72c53972b7
--- /dev/null
+++ b/src/llanalyzer/protocol/linux_sll/LinuxSLL.h
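Review bot: `packet->l2_src = (u_char*) &(hdr->addr)` publishes the full 8-byte address field regardless of `addr_len` and `arphrd_type`, and the C-style cast also strips the const from `hdr`; consumers that treat l2_src as a 6-byte Ethernet address will read the first six bytes of whatever link-layer address SLL carried, which is only meaningful for ARPHRD_ETHER. The TODO acknowledges the type problem, but at minimum `ntohs(hdr->arphrd_type)` should be compared against the Ethernet value before l2_src is set, and the cast replaced by a const-preserving one if the Packet API allows it. `packet_type`, `arphrd_type` and `addr_len` are big-endian on the wire like `protocol_type`, so any later use of them needs `ntohs` as well.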
@@ -0,0 +1,35 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include
+
+namespace zeek::llanalyzer::LinuxSLL {
+
+class LinuxSLLAnalyzer : public Analyzer {
+public:
+ LinuxSLLAnalyzer();
+ ~LinuxSLLAnalyzer() override = default;
+
+ std::tuple Analyze(Packet* packet) override;
+
+ static Analyzer* Instantiate()
+ {
+ return new LinuxSLLAnalyzer();
+ }
+
+private:
+
+ // Structure layout is based on https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html
+ struct SLLHeader
+ {
+ uint16_t packet_type;
+ uint16_t arphrd_type;
+ uint16_t addr_len;
+ uint64_t addr;
+ uint16_t protocol_type;
+ } __attribute__((__packed__));
+};
+
+}
diff --git a/src/llanalyzer/protocol/linux_sll/Plugin.cc b/src/llanalyzer/protocol/linux_sll/Plugin.cc
new file mode 100644
index 0000000000..8968e38c79
--- /dev/null
+++ b/src/llanalyzer/protocol/linux_sll/Plugin.cc
@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "plugin/Plugin.h"
+#include "LinuxSLL.h"
+#include "llanalyzer/Component.h"
+
+namespace zeek::plugin::LLAnalyzer_LinuxSLL {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::llanalyzer::Component("LinuxSLL",
+ zeek::llanalyzer::LinuxSLL::LinuxSLLAnalyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "LLAnalyzer::LinuxSLL";
+ config.description = "Linux cooked capture (SLL) LL-Analyzer";
+ return config;
+ }
+
+} plugin;
+
+}
diff --git a/src/llanalyzer/protocol/mpls/CMakeLists.txt b/src/llanalyzer/protocol/mpls/CMakeLists.txt
new file mode 100644
index 0000000000..3fd7a9f8df
--- /dev/null
+++ b/src/llanalyzer/protocol/mpls/CMakeLists.txt
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(LLAnalyzer MPLS)
+zeek_plugin_cc(MPLS.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/llanalyzer/protocol/mpls/MPLS.cc b/src/llanalyzer/protocol/mpls/MPLS.cc
new file mode 100644
index 0000000000..412cf74266
--- /dev/null
+++ b/src/llanalyzer/protocol/mpls/MPLS.cc
@@ -0,0 +1,55 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "MPLS.h"
+
+using namespace zeek::llanalyzer::MPLS;
+
+MPLSAnalyzer::MPLSAnalyzer()
+ : zeek::llanalyzer::Analyzer("MPLS")
+ {
+ }
+
+std::tuple MPLSAnalyzer::Analyze(Packet* packet)
+ {
+ auto& pdata = packet->cur_pos;
+ auto end_of_data = packet->GetEndOfData();
+
+ // Skip the MPLS label stack.
+ bool end_of_stack = false;
+
+ while ( ! end_of_stack )
+ {
+ if ( pdata + 4 >= end_of_data )
+ {
+ packet->Weird("truncated_link_header");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ end_of_stack = *(pdata + 2u) & 0x01;
+ pdata += 4;
+ }
+
+ // According to RFC3032 the encapsulated protocol is not encoded.
+ // We assume that what remains is IP.
+ if ( pdata + sizeof(struct ip) >= end_of_data )
+ {
+ packet->Weird("no_ip_in_mpls_payload");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ auto ip = (const struct ip*)pdata;
+
+ if ( ip->ip_v == 4 )
+ packet->l3_proto = L3_IPV4;
+ else if ( ip->ip_v == 6 )
+ packet->l3_proto = L3_IPV6;
+ else
+ {
+ // Neither IPv4 nor IPv6.
+ packet->Weird("no_ip_in_mpls_payload");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ packet->hdr_size = (pdata - packet->data);
+ return { AnalyzerResult::Terminate, 0 };
+ }
diff --git a/src/llanalyzer/protocol/mpls/MPLS.h b/src/llanalyzer/protocol/mpls/MPLS.h
new file mode 100644
index 0000000000..72581f5ae7
--- /dev/null
+++ b/src/llanalyzer/protocol/mpls/MPLS.h
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include
+
+namespace zeek::llanalyzer::MPLS {
+
+class MPLSAnalyzer : public zeek::llanalyzer::Analyzer {
+public:
+ MPLSAnalyzer();
+ ~MPLSAnalyzer() override = default;
+
+ std::tuple Analyze(Packet* packet) override;
+
+ static zeek::llanalyzer::Analyzer* Instantiate()
+ {
+ return new MPLSAnalyzer();
+ }
+};
+
+}
diff --git a/src/llanalyzer/protocol/mpls/Plugin.cc b/src/llanalyzer/protocol/mpls/Plugin.cc
new file mode 100644
index 0000000000..c24b1003f3
--- /dev/null
+++ b/src/llanalyzer/protocol/mpls/Plugin.cc
@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "MPLS.h"
+#include "plugin/Plugin.h"
+#include "llanalyzer/Component.h"
+
+namespace zeek::plugin::LLAnalyzer_MPLS {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::llanalyzer::Component("MPLS",
+ zeek::llanalyzer::MPLS::MPLSAnalyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "LLAnalyzer::MPLS";
+ config.description = "MPLS LL-Analyzer";
+ return config;
+ }
+
+} plugin;
+
+}
diff --git a/src/llanalyzer/protocol/nflog/CMakeLists.txt b/src/llanalyzer/protocol/nflog/CMakeLists.txt
new file mode 100644
index 0000000000..12069356b9
--- /dev/null
+++ b/src/llanalyzer/protocol/nflog/CMakeLists.txt
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(LLAnalyzer NFLog)
+zeek_plugin_cc(NFLog.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/llanalyzer/protocol/nflog/NFLog.cc b/src/llanalyzer/protocol/nflog/NFLog.cc
new file mode 100644
index 0000000000..1f919dbca1
--- /dev/null
+++ b/src/llanalyzer/protocol/nflog/NFLog.cc
@@ -0,0 +1,80 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "NFLog.h"
+#include "NetVar.h"
+
+using namespace zeek::llanalyzer::NFLog;
+
+NFLogAnalyzer::NFLogAnalyzer()
+ : zeek::llanalyzer::Analyzer("NFLog")
+ {
+ }
+
+std::tuple NFLogAnalyzer::Analyze(Packet* packet) {
+ auto& pdata = packet->cur_pos;
+ auto end_of_data = packet->GetEndOfData();
+
+ // See https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html
+ identifier_t protocol = pdata[0];
+ uint8_t version = pdata[1];
+
+ if ( version != 0 )
+ {
+ packet->Weird("unknown_nflog_version");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ // Skip to TLVs.
+ pdata += 4;
+
+ uint16_t tlv_len;
+ uint16_t tlv_type;
+
+ while ( true )
+ {
+ if ( pdata + 4 >= end_of_data )
+ {
+ packet->Weird("nflog_no_pcap_payload");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ // TLV Type and Length values are specified in host byte order
+ // (libpcap should have done any needed byteswapping already).
+
+ tlv_len = *(reinterpret_cast(pdata));
+ tlv_type = *(reinterpret_cast(pdata + 2));
+
+ auto constexpr nflog_type_payload = 9;
+
+ if ( tlv_type == nflog_type_payload )
+ {
+ // The raw packet payload follows this TLV.
+ pdata += 4;
+ break;
+ }
+ else
+ {
+ // The Length value includes the 4 octets for the Type and
+ // Length values, but TLVs are also implicitly padded to
+ // 32-bit alignments (that padding may not be included in
+ // the Length value).
+
+ if ( tlv_len < 4 )
+ {
+ packet->Weird("nflog_bad_tlv_len");
+ return { AnalyzerResult::Failed, 0 };
+ }
+ else
+ {
+ auto rem = tlv_len % 4;
+
+ if ( rem != 0 )
+ tlv_len += 4 - rem;
+ }
+
+ pdata += tlv_len;
+ }
+ }
+
+ return { AnalyzerResult::Continue, protocol };
+ }
diff --git a/src/llanalyzer/protocol/nflog/NFLog.h b/src/llanalyzer/protocol/nflog/NFLog.h
new file mode 100644
index 0000000000..aeb8234c31
--- /dev/null
+++ b/src/llanalyzer/protocol/nflog/NFLog.h
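Review bot: `pdata[0]`, `pdata[1]` and `pdata += 4` run before any length check — the first `pdata + 4 >= end_of_data` test sits inside the TLV loop, after the fixed header has already been read and skipped, so a capture shorter than four bytes is an out-of-bounds read. Further down, `pdata += tlv_len` advances by an input-controlled 16-bit length with no comparison against the bytes remaining; the next iteration's check only catches it by comparing a pointer that may already be far past the buffer, which is undefined behaviour rather than a guard. Both are closed by bounding before advancing, as below; everything between the two changes stays as committed.
```cpp
	auto& pdata = packet->cur_pos;
	auto end_of_data = packet->GetEndOfData();

	// The fixed 4-byte NFLOG header (family, version, resource id) must be
	// present before pdata[0] / pdata[1] are read and skipped.
	if ( pdata + 4 >= end_of_data )
		{
		packet->Weird("nflog_no_pcap_payload");
		return { AnalyzerResult::Failed, 0 };
		}

	// … unchanged: protocol/version extraction, version check, pdata += 4, TLV loop down to the padding fix-up …

			// Bound the jump before taking it: a Length larger than what is
			// left would otherwise form an out-of-range pointer before the
			// next iteration's check ever runs.
			if ( tlv_len > (size_t)(end_of_data - pdata) )
				{
				packet->Weird("nflog_bad_tlv_len");
				return { AnalyzerResult::Failed, 0 };
				}

			pdata += tlv_len;
	// … unchanged: loop close and final return …
```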
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include
+
+namespace zeek::llanalyzer::NFLog {
+
+class NFLogAnalyzer : public Analyzer {
+public:
+ NFLogAnalyzer();
+ ~NFLogAnalyzer() override = default;
+
+ std::tuple Analyze(Packet* packet) override;
+
+ static Analyzer* Instantiate()
+ {
+ return new NFLogAnalyzer();
+ }
+};
+
+}
diff --git a/src/llanalyzer/protocol/nflog/Plugin.cc b/src/llanalyzer/protocol/nflog/Plugin.cc
new file mode 100644
index 0000000000..16106fee2d
--- /dev/null
+++ b/src/llanalyzer/protocol/nflog/Plugin.cc
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "NFLog.h"
+#include "plugin/Plugin.h"
+#include "llanalyzer/Component.h"
+
+namespace zeek::plugin::LLAnalyzer_NFLog {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::llanalyzer::Component("NFLog",
+ zeek::llanalyzer::NFLog::NFLogAnalyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "LLAnalyzer::NFLog";
+ config.description = "NFLog LL-Analyzer";
+ return config;
+ }
+} plugin;
+
+}
diff --git a/src/llanalyzer/protocol/null/CMakeLists.txt b/src/llanalyzer/protocol/null/CMakeLists.txt
new file mode 100644
index 0000000000..1aa1392127
--- /dev/null
+++ b/src/llanalyzer/protocol/null/CMakeLists.txt
@@ -0,0 +1,7 @@
+include(ZeekPlugin)
+
+include_directories(BEFORE $ {CMAKE_CURRENT_SOURCE_DIR} $ {CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(LLAnalyzer Null)
+zeek_plugin_cc(Null.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/llanalyzer/protocol/null/Null.cc b/src/llanalyzer/protocol/null/Null.cc
new file mode 100644
index 0000000000..d9c29582a2
--- /dev/null
+++ b/src/llanalyzer/protocol/null/Null.cc
@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "Null.h"
+#include "NetVar.h"
+
+using namespace zeek::llanalyzer::Null;
+
+NullAnalyzer::NullAnalyzer()
+ : zeek::llanalyzer::Analyzer("Null")
+ {
+ }
+
+std::tuple NullAnalyzer::Analyze(Packet* packet)
+ {
+ auto& pdata = packet->cur_pos;
+
+ if ( pdata + 4 >= packet->GetEndOfData() )
+ {
+ packet->Weird("null_analyzer_failed");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ identifier_t protocol = (pdata[3] << 24) + (pdata[2] << 16) + (pdata[1] << 8) + pdata[0];
+ pdata += 4; // skip link header
+
+ return { AnalyzerResult::Continue, protocol };
+ }
diff --git a/src/llanalyzer/protocol/null/Null.h b/src/llanalyzer/protocol/null/Null.h
new file mode 100644
index 0000000000..27294bc386
--- /dev/null
+++ b/src/llanalyzer/protocol/null/Null.h
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include
+
+namespace zeek::llanalyzer::Null {
+
+class NullAnalyzer : public Analyzer {
+public:
+ NullAnalyzer();
+ ~NullAnalyzer() override = default;
+
+ std::tuple Analyze(Packet* packet) override;
+
+ static Analyzer* Instantiate()
+ {
+ return new NullAnalyzer();
+ }
+};
+
+}
diff --git a/src/llanalyzer/protocol/null/Plugin.cc b/src/llanalyzer/protocol/null/Plugin.cc
new file mode 100644
index 0000000000..3d1ddc4213
--- /dev/null
+++ b/src/llanalyzer/protocol/null/Plugin.cc
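Review bot: `(pdata[3] << 24)` promotes the byte to int before shifting, so any value of 0x80 or above lands in the sign bit, which is undefined behaviour under the C++ standard this code targets; it is the same expression the old Packet.cc used, but a fresh file is the right place to stop carrying it. Widening first avoids it: `identifier_t protocol = (uint32_t(pdata[3]) << 24) + (pdata[2] << 16) + (pdata[1] << 8) + pdata[0];`. A one-line comment that the DLT_NULL family field is written in the capturing host's byte order (the linktype documentation the series cites elsewhere states this) would also tell the next reader why the bytes are assembled in this particular order and that a capture from an opposite-endian host may need the other reading — confirm that against the packet source before relying on it.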
@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "plugin/Plugin.h"
+#include "Null.h"
+#include "llanalyzer/Component.h"
+
+namespace zeek::plugin::LLAnalyzer_Null {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::llanalyzer::Component("Null",
+ zeek::llanalyzer::Null::NullAnalyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "LLAnalyzer::Null";
+ config.description = "Null LL-Analyzer";
+ return config;
+ }
+
+} plugin;
+
+}
diff --git a/src/llanalyzer/protocol/ppp_serial/CMakeLists.txt b/src/llanalyzer/protocol/ppp_serial/CMakeLists.txt
new file mode 100644
index 0000000000..536eb1721d
--- /dev/null
+++ b/src/llanalyzer/protocol/ppp_serial/CMakeLists.txt
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(LLAnalyzer PPPSerial)
+zeek_plugin_cc(PPPSerial.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/llanalyzer/protocol/ppp_serial/PPPSerial.cc b/src/llanalyzer/protocol/ppp_serial/PPPSerial.cc
new file mode 100644
index 0000000000..a250210113
--- /dev/null
+++ b/src/llanalyzer/protocol/ppp_serial/PPPSerial.cc
@@ -0,0 +1,22 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "PPPSerial.h"
+#include "NetVar.h"
+
+using namespace zeek::llanalyzer::PPPSerial;
+
+PPPSerialAnalyzer::PPPSerialAnalyzer()
+ : zeek::llanalyzer::Analyzer("PPPSerial")
+ {
+ }
+
+std::tuple PPPSerialAnalyzer::Analyze(Packet* packet)
+ {
+ auto& pdata = packet->cur_pos;
+
+ // Extract protocol identifier
+ identifier_t protocol = (pdata[2] << 8) + pdata[3];
+ pdata += 4; // skip link header
+
+ return { AnalyzerResult::Continue, protocol };
+ }
diff --git a/src/llanalyzer/protocol/ppp_serial/PPPSerial.h b/src/llanalyzer/protocol/ppp_serial/PPPSerial.h
new file mode 100644
index 0000000000..030b8801fa
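Review bot: PPPSerialAnalyzer::Analyze reads `pdata[2]`, `pdata[3]` and advances `cur_pos` by four bytes without ever comparing against `packet->GetEndOfData()`, unlike every sibling analyzer in this series (PPPoE, VLAN and Null all guard first), so a short capture is an out-of-bounds read on untrusted input. Add the same guard ahead of the extraction: `if ( pdata + 4 >= packet->GetEndOfData() ) { packet->Weird("truncated_ppp_serial_header"); return { AnalyzerResult::Failed, 0 }; }` — the weird name is a constructed one that follows the sibling files' pattern; pick whatever fits the project's naming.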
--- /dev/null
+++ b/src/llanalyzer/protocol/ppp_serial/PPPSerial.h
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include
+
+namespace zeek::llanalyzer::PPPSerial {
+
+class PPPSerialAnalyzer : public Analyzer {
+public:
+ PPPSerialAnalyzer();
+ ~PPPSerialAnalyzer() override = default;
+
+ std::tuple Analyze(Packet* packet) override;
+
+ static Analyzer* Instantiate()
+ {
+ return new PPPSerialAnalyzer();
+ }
+};
+
+}
diff --git a/src/llanalyzer/protocol/ppp_serial/Plugin.cc b/src/llanalyzer/protocol/ppp_serial/Plugin.cc
new file mode 100644
index 0000000000..c7ac7c42cd
--- /dev/null
+++ b/src/llanalyzer/protocol/ppp_serial/Plugin.cc
@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "PPPSerial.h"
+#include "plugin/Plugin.h"
+#include "llanalyzer/Component.h"
+
+namespace zeek::plugin::LLAnalyzer_PPPSerial {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::llanalyzer::Component("PPPSerial",
+ zeek::llanalyzer::PPPSerial::PPPSerialAnalyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "LLAnalyzer::PPPSerial";
+ config.description = "PPPSerial LL-Analyzer";
+ return config;
+ }
+
+} plugin;
+
+}
diff --git a/src/llanalyzer/protocol/pppoe/CMakeLists.txt b/src/llanalyzer/protocol/pppoe/CMakeLists.txt
new file mode 100644
index 0000000000..9a59457cf8
--- /dev/null
+++ b/src/llanalyzer/protocol/pppoe/CMakeLists.txt
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(LLAnalyzer PPPoE)
+zeek_plugin_cc(PPPoE.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/llanalyzer/protocol/pppoe/PPPoE.cc b/src/llanalyzer/protocol/pppoe/PPPoE.cc
new file mode 100644
index 0000000000..903e5ab07b
--- /dev/null
+++ b/src/llanalyzer/protocol/pppoe/PPPoE.cc
@@ -0,0 +1,28 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "PPPoE.h"
+#include "NetVar.h"
+
+using namespace zeek::llanalyzer::PPPoE;
+
+PPPoEAnalyzer::PPPoEAnalyzer()
+ : zeek::llanalyzer::Analyzer("PPPoE")
+ {
+ }
+
+std::tuple PPPoEAnalyzer::Analyze(Packet* packet)
+ {
+ auto& pdata = packet->cur_pos;
+
+ if ( pdata + 8 >= packet->GetEndOfData() )
+ {
+ packet->Weird("truncated_pppoe_header");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ // Extract protocol identifier
+ identifier_t protocol = (pdata[6] << 8u) + pdata[7];
+ pdata += 8; // Skip the PPPoE session and PPP header
+
+ return { AnalyzerResult::Continue, protocol };
+ }
diff --git a/src/llanalyzer/protocol/pppoe/PPPoE.h b/src/llanalyzer/protocol/pppoe/PPPoE.h
new file mode 100644
index 0000000000..cbeeda160f
--- /dev/null
+++ b/src/llanalyzer/protocol/pppoe/PPPoE.h
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include
+
+namespace zeek::llanalyzer::PPPoE {
+
+class PPPoEAnalyzer : public Analyzer {
+public:
+ PPPoEAnalyzer();
+ ~PPPoEAnalyzer() override = default;
+
+ std::tuple Analyze(Packet* packet) override;
+
+ static Analyzer* Instantiate()
+ {
+ return new PPPoEAnalyzer();
+ }
+};
+
+}
diff --git a/src/llanalyzer/protocol/pppoe/Plugin.cc b/src/llanalyzer/protocol/pppoe/Plugin.cc
new file mode 100644
index 0000000000..95883f51ca
--- /dev/null
+++ b/src/llanalyzer/protocol/pppoe/Plugin.cc
@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "PPPoE.h"
+#include "plugin/Plugin.h"
+#include "llanalyzer/Component.h"
+
+namespace zeek::plugin::LLAnalyzer_PPPoE {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::llanalyzer::Component("PPPoE",
+ zeek::llanalyzer::PPPoE::PPPoEAnalyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "LLAnalyzer::PPPoE";
+ config.description = "PPPoE LL-Analyzer";
+ return config;
+ }
+
+} plugin;
+
+}
diff --git a/src/llanalyzer/protocol/vlan/CMakeLists.txt b/src/llanalyzer/protocol/vlan/CMakeLists.txt
new file mode 100644
index 0000000000..9105912d01
--- /dev/null
+++ b/src/llanalyzer/protocol/vlan/CMakeLists.txt
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(LLAnalyzer VLAN)
+zeek_plugin_cc(VLAN.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/llanalyzer/protocol/vlan/Plugin.cc b/src/llanalyzer/protocol/vlan/Plugin.cc
new file mode 100644
index 0000000000..8e4da160d7
--- /dev/null
+++ b/src/llanalyzer/protocol/vlan/Plugin.cc
@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "VLAN.h"
+#include "plugin/Plugin.h"
+#include "llanalyzer/Component.h"
+
+namespace zeek::plugin::LLAnalyzer_VLAN {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::llanalyzer::Component("VLAN",
+ zeek::llanalyzer::VLAN::VLANAnalyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "LLAnalyzer::VLAN";
+ config.description = "VLAN LL-Analyzer";
+ return config;
+ }
+
+} plugin;
+
+}
diff --git a/src/llanalyzer/protocol/vlan/VLAN.cc b/src/llanalyzer/protocol/vlan/VLAN.cc
new file mode 100644
index 0000000000..e1cfb7c056
--- /dev/null
+++ b/src/llanalyzer/protocol/vlan/VLAN.cc
@@ -0,0 +1,31 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "VLAN.h"
+#include "NetVar.h"
+
+using namespace zeek::llanalyzer::VLAN;
+
+VLANAnalyzer::VLANAnalyzer()
+ : zeek::llanalyzer::Analyzer("VLAN")
+ {
+ }
+
+std::tuple VLANAnalyzer::Analyze(Packet* packet)
+ {
+ auto& pdata = packet->cur_pos;
+
+ if ( pdata + 4 >= packet->GetEndOfData() )
+ {
+ packet->Weird("truncated_VLAN_header");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ auto& vlan_ref = packet->vlan != 0 ? packet->inner_vlan : packet->vlan;
+ vlan_ref = ((pdata[0] << 8u) + pdata[1]) & 0xfff;
+
+ identifier_t protocol = ((pdata[2] << 8u) + pdata[3]);
+ packet->eth_type = protocol;
+ pdata += 4; // Skip the VLAN header
+
+ return { AnalyzerResult::Continue, protocol };
+ }
diff --git a/src/llanalyzer/protocol/vlan/VLAN.h b/src/llanalyzer/protocol/vlan/VLAN.h
new file mode 100644
index 0000000000..1f7532b940
--- /dev/null
+++ b/src/llanalyzer/protocol/vlan/VLAN.h
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include
+
+namespace zeek::llanalyzer::VLAN {
+
+class VLANAnalyzer : public Analyzer {
+public:
+ VLANAnalyzer();
+ ~VLANAnalyzer() override = default;
+
+ std::tuple Analyze(Packet* packet) override;
+
+ static Analyzer* Instantiate()
+ {
+ return new VLANAnalyzer();
+ }
+};
+
+}
diff --git a/src/llanalyzer/protocol/wrapper/CMakeLists.txt b/src/llanalyzer/protocol/wrapper/CMakeLists.txt
new file mode 100644
index 0000000000..d1506bcae6
--- /dev/null
+++ b/src/llanalyzer/protocol/wrapper/CMakeLists.txt
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(LLAnalyzer Wrapper)
+zeek_plugin_cc(Wrapper.cc Plugin.cc)
+zeek_plugin_end()
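Review bot: `packet->vlan != 0 ? packet->inner_vlan : packet->vlan` uses a VLAN ID of zero as the "no outer tag seen yet" sentinel, but 802.1Q allows VID 0 for priority-tagged frames, so a frame whose outer tag is 0 has its second tag written into `vlan` instead of `inner_vlan`, and a third tag silently overwrites whichever slot it reaches. WrapperAnalyzer in this series tracks the same state with a `saw_vlan` bool, which has no such ambiguity; because VLANAnalyzer is invoked once per tag, the equivalent flag would have to live on the Packet rather than in a local. I cannot see from this chunk which Packet fields exist for that, so treat this as a question to settle before the sentinel is relied on, and at minimum note the limitation next to the `vlan_ref` line.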
diff --git a/src/llanalyzer/protocol/wrapper/Plugin.cc b/src/llanalyzer/protocol/wrapper/Plugin.cc
new file mode 100644
index 0000000000..36baa8a6dd
--- /dev/null
+++ b/src/llanalyzer/protocol/wrapper/Plugin.cc
@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "Wrapper.h"
+#include "plugin/Plugin.h"
+#include "llanalyzer/Component.h"
+
+namespace zeek::plugin::LLAnalyzer {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::llanalyzer::Component("Wrapper",
+ zeek::llanalyzer::Wrapper::WrapperAnalyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "LLAnalyzer::Wrapper";
+ config.description = "A wrapper for the original zeek code.";
+ return config;
+ }
+
+} plugin;
+
+}
diff --git a/src/llanalyzer/protocol/wrapper/Wrapper.cc b/src/llanalyzer/protocol/wrapper/Wrapper.cc
new file mode 100644
index 0000000000..b14d34e953
--- /dev/null
+++ b/src/llanalyzer/protocol/wrapper/Wrapper.cc
@@ -0,0 +1,163 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "Wrapper.h"
+#include "NetVar.h"
+
+using namespace zeek::llanalyzer::Wrapper;
+
+WrapperAnalyzer::WrapperAnalyzer()
+ : zeek::llanalyzer::Analyzer("Wrapper")
+ {
+ }
+
+std::tuple WrapperAnalyzer::Analyze(Packet* packet)
+ {
+ // Unfortunately some packets on the link might have MPLS labels
+ // while others don't. That means we need to ask the link-layer if
+ // labels are in place.
+ bool have_mpls = false;
+
+ auto pdata = packet->cur_pos;
+ auto end_of_data = packet->GetEndOfData();
+
+ // Skip past Cisco FabricPath to encapsulated ethernet frame.
+ if ( pdata[12] == 0x89 && pdata[13] == 0x03 )
+ {
+ auto constexpr cfplen = 16;
+
+ if ( pdata + cfplen + 14 >= end_of_data )
+ {
+ packet->Weird("truncated_link_header_cfp");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ pdata += cfplen;
+ }
+
+ // Extract protocol identifier
+ identifier_t protocol = (pdata[12] << 8u) + pdata[13];
+
+ packet->eth_type = protocol;
+ packet->l2_dst = pdata;
+ packet->l2_src = pdata + 6;
+
+ pdata += 14;
+
+ bool saw_vlan = false;
+
+ while ( protocol == 0x8100 || protocol == 0x9100 ||
+ protocol == 0x8864 )
+ {
+ switch ( protocol )
+ {
+ // VLAN carried over the ethernet frame.
+ // 802.1q / 802.1ad
+ case 0x8100:
+ case 0x9100:
+ {
+ if 
+ {
+ packet->Weird("truncated_link_header");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ auto& vlan_ref = saw_vlan ? packet->inner_vlan : packet->vlan;
+ vlan_ref = ((pdata[0] << 8u) + pdata[1]) & 0xfff;
+ protocol = ((pdata[2] << 8u) + pdata[3]);
+ pdata += 4; // Skip the vlan header
+ saw_vlan = true;
+ packet->eth_type = protocol;
+ }
+ break;
+
+ // PPPoE carried over the ethernet frame.
+ case 0x8864:
+ {
+ if ( pdata + 8 >= end_of_data )
+ {
+ packet->Weird("truncated_link_header");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ protocol = (pdata[6] << 8u) + pdata[7];
+ pdata += 8; // Skip the PPPoE session and PPP header
+
+ if ( protocol == 0x0021 )
+ packet->l3_proto = L3_IPV4;
+ else if ( protocol == 0x0057 )
+ packet->l3_proto = L3_IPV6;
+ else
+ {
+ // Neither IPv4 nor IPv6.
+ packet->Weird("non_ip_packet_in_pppoe_encapsulation");
+ return { AnalyzerResult::Failed, 0 };
+ }
+ }
+ break;
+ }
+ }
+
+ // Check for MPLS in VLAN.
+ if ( protocol == 0x8847 )
+ have_mpls = true;
+
+ // Normal path to determine Layer 3 protocol.
+ if ( ! have_mpls && packet->l3_proto == L3_UNKNOWN )
+ {
+ if ( protocol == 0x800 )
+ packet->l3_proto = L3_IPV4;
+ else if ( protocol == 0x86dd )
+ packet->l3_proto = L3_IPV6;
+ else if ( protocol == 0x0806 || protocol == 0x8035 )
+ packet->l3_proto = L3_ARP;
+ else
+ {
+ // Neither IPv4 nor IPv6.
+ packet->Weird("non_ip_packet_in_ethernet");
+ return { AnalyzerResult::Failed, 0 };
+ }
+ }
+
+ if ( have_mpls )
+ {
+ // Skip the MPLS label stack.
+ bool end_of_stack = false;
+
+ while ( ! end_of_stack )
+ {
+ if ( pdata + 4 >= end_of_data )
+ {
+ packet->Weird("truncated_link_header");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ end_of_stack = *(pdata + 2u) & 0x01;
+ pdata += 4;
+ }
+
+ // We assume that what remains is IP
+ if ( pdata + sizeof(struct ip) >= end_of_data )
+ {
+ packet->Weird("no_ip_in_mpls_payload");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ const struct ip* ip = (const struct ip*)pdata;
+
+ if ( ip->ip_v == 4 )
+ packet->l3_proto = L3_IPV4;
+ else if ( ip->ip_v == 6 )
+ packet->l3_proto = L3_IPV6;
+ else
+ {
+ // Neither IPv4 nor IPv6.
+ packet->Weird("no_ip_in_mpls_payload");
+ return { AnalyzerResult::Failed, 0 };
+ }
+ }
+
+ // Calculate how much header we've used up.
+ packet->hdr_size = (pdata - packet->data);
+
+ return { AnalyzerResult::Continue, protocol };
+ }
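Review bot: On the non-FabricPath path nothing bounds the first 14-byte read — `pdata[12]`/`pdata[13]` are inspected at the top of WrapperAnalyzer::Analyze, then `protocol`, `l2_dst`, `l2_src` and `pdata += 14` follow, while only the FabricPath branch checks `pdata + cfplen + 14 >= end_of_data`; unless an analyzer ahead of this one already guarantees a full Ethernet header (the baseline's switch to `truncated_ethernet_frame` hints that something does, but it is not in this chunk), a short frame reads past the buffer. A guard such as `if ( pdata + 14 >= end_of_data ) { packet->Weird("truncated_link_header"); return { AnalyzerResult::Failed, 0 }; }` placed before the FabricPath test closes it. Separately, this file takes `auto pdata = packet->cur_pos;` by value where the sibling analyzers use `auto& pdata`, so `cur_pos` is never advanced even though the function returns Continue with a protocol; if that is deliberate because downstream reads `hdr_size` instead, a comment saying so would stop the next reader from "fixing" it.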
diff --git a/src/llanalyzer/protocol/wrapper/Wrapper.h b/src/llanalyzer/protocol/wrapper/Wrapper.h
new file mode 100644
index 0000000000..74d257c052
--- /dev/null
+++ b/src/llanalyzer/protocol/wrapper/Wrapper.h
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include
+
+namespace zeek::llanalyzer::Wrapper {
+
+class WrapperAnalyzer : public Analyzer {
+public:
+ WrapperAnalyzer();
+ ~WrapperAnalyzer() override = default;
+
+ std::tuple Analyze(Packet* packet) override;
+
+ static Analyzer* Instantiate()
+ {
+ return new WrapperAnalyzer();
+ }
+};
+
+}
diff --git a/src/plugin/Component.cc b/src/plugin/Component.cc
index df9b048f76..7be5d465d0 100644
--- a/src/plugin/Component.cc
+++ b/src/plugin/Component.cc
@@ -46,6 +46,10 @@ void Component::Describe(ODesc* d) const
 d->Add("Analyzer");
 break;
+ case component::LLANALYZER:
+ d->Add("Low-Layer Analyzer");
+ break;
+
 case component::FILE_ANALYZER:
 d->Add("File Analyzer");
 break;
diff --git a/src/plugin/Component.h b/src/plugin/Component.h
index 72237adac7..6d069e6edf 100644
--- a/src/plugin/Component.h
+++ b/src/plugin/Component.h
@@ -18,6 +18,7 @@ enum Type {
 READER, /// An input reader (not currently used).
 WRITER, /// A logging writer (not currenly used).
 ANALYZER, /// A protocol analyzer.
+ LLANALYZER, /// A low layer protocol analyzer.
 FILE_ANALYZER, /// A file analyzer.
 IOSOURCE, /// An I/O source, excluding packet sources.
 PKTSRC, /// A packet source.
diff --git a/src/plugin/TaggedComponent.h b/src/plugin/TaggedComponent.h
index d1a37a5794..3852ffeea6 100644
--- a/src/plugin/TaggedComponent.h
+++ b/src/plugin/TaggedComponent.h
@@ -1,6 +1,6 @@
 #pragma once
-#include
+#include
 namespace zeek::plugin {
diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc
index aa9cb09643..a3d7418226 100644
--- a/src/zeek-setup.cc
+++ b/src/zeek-setup.cc
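Review bot: In Component.h, `LLANALYZER` is inserted into the middle of `component::Type`, which renumbers `FILE_ANALYZER`, `IOSOURCE`, `PKTSRC` and every enumerator after them. That is harmless while all consumers are built from the same tree, but if the plugin ABI is meant to survive this change, a dynamically loaded plugin compiled against the previous header would report the wrong component kind; appending the new enumerator at the end, or a short comment that plugins must be rebuilt, avoids the surprise. I cannot see from this hunk whether Type values are persisted or compared across builds anywhere, so treat this as a question rather than a defect.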
@@ -55,6 +55,7 @@ extern "C" {
 #include "input/readers/raw/Raw.h"
 #include "analyzer/Manager.h"
 #include "analyzer/Tag.h"
+#include "llanalyzer/Manager.h"
 #include "plugin/Manager.h"
 #include "file_analysis/Manager.h"
 #include "zeekygen/Manager.h"
@@ -92,6 +93,7 @@ zeek::ValManager* zeek::val_mgr = nullptr;
 zeek::ValManager*& val_mgr = zeek::val_mgr;
 zeek::analyzer::Manager* zeek::analyzer_mgr = nullptr;
 zeek::analyzer::Manager*& analyzer_mgr = zeek::analyzer_mgr;
+zeek::llanalyzer::Manager* llanalyzer_mgr = nullptr;
 zeek::plugin::Manager* zeek::plugin_mgr = nullptr;
 zeek::plugin::Manager*& plugin_mgr = zeek::plugin_mgr;
@@ -265,6 +267,7 @@ static void done_with_network()
 run_state::terminating = true;
 analyzer_mgr->Done();
+ llanalyzer_mgr->Done();
 timer_mgr->Expire();
 dns_mgr->Flush();
 event_mgr.Drain();
@@ -335,6 +338,7 @@ static void terminate_bro()
 delete zeekygen_mgr;
 delete analyzer_mgr;
+ delete llanalyzer_mgr;
 delete file_mgr; // broker_mgr, timer_mgr, and supervisor are deleted via iosource_mgr
 delete iosource_mgr;
@@ -581,6 +585,7 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 iosource_mgr = new iosource::Manager();
 event_registry = new EventRegistry();
 analyzer_mgr = new analyzer::Manager();
+ llanalyzer_mgr = new llanalyzer::Manager();
 log_mgr = new logging::Manager();
 input_mgr = new input::Manager();
 file_mgr = new file_analysis::Manager();
@@ -689,6 +694,7 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 }
 analyzer_mgr->InitPostScript();
+ llanalyzer_mgr->InitPostScript();
 file_mgr->InitPostScript();
 dns_mgr->InitPostScript();
@@ -889,6 +895,7 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 broker_mgr->ZeekInitDone();
 reporter->ZeekInitDone();
 analyzer_mgr->DumpDebug();
+ llanalyzer_mgr->DumpDebug();
 run_state::detail::have_pending_timers = ! run_state::reading_traces && timer_mgr->Size() > 0;
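Review bot: `zeek::llanalyzer::Manager* llanalyzer_mgr = nullptr;` in the `@@ -92` hunk defines the new manager as an unqualified global, whereas the neighbouring `analyzer_mgr` and `plugin_mgr` are defined inside the zeek namespace and then aliased for the old spelling with a `zeek::...*& name = zeek::name;` line. If llanalyzer/Manager.h declares the pointer in the zeek namespace (not visible here), following that two-line pattern keeps lookup identical for all managers and avoids a second convention in the same block. The remaining hunks (`Done()`, `delete`, `new`, `InitPostScript()`, `DumpDebug()`) mirror analyzer_mgr's placement and need no change.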
diff --git a/testing/btest/Baseline/core.truncation/output b/testing/btest/Baseline/core.truncation/output
index 8ef1ff8e9d..0bd1083165 100644
--- a/testing/btest/Baseline/core.truncation/output
+++ b/testing/btest/Baseline/core.truncation/output
@@ -3,78 +3,78 @@ #empty_field (empty) #unset_field - #path weird -#open 2019-06-07-02-20-03 +#open 2020-07-02-14-29-19 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1334160095.895421 - - - - - truncated_IP - F zeek -#close 2019-06-07-02-20-03 +#close 2020-07-02-14-29-19 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2019-06-07-02-20-03 +#open 2020-07-02-14-29-20 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1334156241.519125 - - - - - truncated_IP - F zeek -#close 2019-06-07-02-20-03 +#close 2020-07-02-14-29-20 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2019-06-07-02-20-04 +#open 2020-07-02-14-29-20 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1334094648.590126 - - - - - truncated_IP - F zeek -#close 2019-06-07-02-20-04 +#close 2020-07-02-14-29-20 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2019-06-07-02-20-05 +#open 2020-07-02-14-29-21 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1338328954.078361 - - - - - internally_truncated_header - F zeek -#close 2019-06-07-02-20-05 +#close 2020-07-02-14-29-21 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2019-06-07-02-20-05 +#open 2020-07-02-14-29-21 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string -0.000000 - - - - - truncated_link_header - F zeek -#close 2019-06-07-02-20-05 +0.000000 - - - - - truncated_ethernet_frame - F zeek +#close 2020-07-02-14-29-21 #separator \x09 
#set_separator , #empty_field (empty) #unset_field - #path weird -#open 2019-06-07-02-20-06 +#open 2020-07-02-14-29-21 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 invalid_IP_header_size - F zeek -#close 2019-06-07-02-20-06 +#close 2020-07-02-14-29-21 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2019-06-07-02-20-06 +#open 2020-07-02-14-29-21 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 internally_truncated_header - F zeek -#close 2019-06-07-02-20-06 +#close 2020-07-02-14-29-22 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2019-06-07-02-20-07 +#open 2020-07-02-14-29-22 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1500557630.000000 - 0.255.0.255 0 15.254.2.1 0 invalid_IP_header_size_in_tunnel - F zeek -#close 2019-06-07-02-20-07 +#close 2020-07-02-14-29-22 diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 382bb30cb2..ada222d35d 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2019-10-15-01-48-24 +#open 2020-06-24-22-11-31 #fields name #types string scripts/base/init-bare.zeek 
@@ -19,6 +19,29 @@ scripts/base/init-bare.zeek build/scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek build/scripts/base/bif/event.bif.zeek + scripts/base/llprotocols/__load__.zeek + scripts/base/llprotocols/default/__load__.zeek + scripts/base/llprotocols/default/main.zeek + scripts/base/llprotocols/ethernet/__load__.zeek + scripts/base/llprotocols/ethernet/main.zeek + scripts/base/llprotocols/fddi/__load__.zeek + scripts/base/llprotocols/fddi/main.zeek + scripts/base/llprotocols/ieee802_11/__load__.zeek + scripts/base/llprotocols/ieee802_11/main.zeek + scripts/base/llprotocols/ieee802_11_radio/__load__.zeek + scripts/base/llprotocols/ieee802_11_radio/main.zeek + scripts/base/llprotocols/linux_sll/__load__.zeek + scripts/base/llprotocols/linux_sll/main.zeek + scripts/base/llprotocols/nflog/__load__.zeek + scripts/base/llprotocols/nflog/main.zeek + scripts/base/llprotocols/null/__load__.zeek + scripts/base/llprotocols/null/main.zeek + scripts/base/llprotocols/ppp_serial/__load__.zeek + scripts/base/llprotocols/ppp_serial/main.zeek + scripts/base/llprotocols/pppoe/__load__.zeek + scripts/base/llprotocols/pppoe/main.zeek + scripts/base/llprotocols/vlan/__load__.zeek + scripts/base/llprotocols/vlan/main.zeek scripts/base/init-frameworks-and-bifs.zeek scripts/base/frameworks/logging/__load__.zeek scripts/base/frameworks/logging/main.zeek @@ -187,4 +210,4 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek scripts/policy/misc/loaded-scripts.zeek scripts/base/utils/paths.zeek -#close 2019-10-15-01-48-24 +#close 2020-06-24-22-11-31 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 0f83430933..a67b3644ff 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -19,6 +19,29 @@ scripts/base/init-bare.zeek build/scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek build/scripts/base/bif/event.bif.zeek + scripts/base/llprotocols/__load__.zeek + scripts/base/llprotocols/default/__load__.zeek + scripts/base/llprotocols/default/main.zeek + scripts/base/llprotocols/ethernet/__load__.zeek + scripts/base/llprotocols/ethernet/main.zeek + scripts/base/llprotocols/fddi/__load__.zeek + scripts/base/llprotocols/fddi/main.zeek + scripts/base/llprotocols/ieee802_11/__load__.zeek + scripts/base/llprotocols/ieee802_11/main.zeek + scripts/base/llprotocols/ieee802_11_radio/__load__.zeek + scripts/base/llprotocols/ieee802_11_radio/main.zeek + scripts/base/llprotocols/linux_sll/__load__.zeek + scripts/base/llprotocols/linux_sll/main.zeek + scripts/base/llprotocols/nflog/__load__.zeek + scripts/base/llprotocols/nflog/main.zeek + scripts/base/llprotocols/null/__load__.zeek + scripts/base/llprotocols/null/main.zeek + scripts/base/llprotocols/ppp_serial/__load__.zeek + scripts/base/llprotocols/ppp_serial/main.zeek + scripts/base/llprotocols/pppoe/__load__.zeek + scripts/base/llprotocols/pppoe/main.zeek + scripts/base/llprotocols/vlan/__load__.zeek + scripts/base/llprotocols/vlan/main.zeek scripts/base/init-frameworks-and-bifs.zeek scripts/base/frameworks/logging/__load__.zeek scripts/base/frameworks/logging/main.zeek diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index e75cba3f3c..d125d897ec 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -283,7 +283,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1599794475.539113, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600793171.441844, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> @@ -464,7 +464,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1599794475.539113, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600793171.441844, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -827,6 +827,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/control) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/data.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/dce-rpc) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/default) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/dhcp) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/dir.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/directions-and-hosts.zeek) -> -1 @@ -834,9 +835,11 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/dns) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/dpd) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/email.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/ethernet) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/event.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/exec.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/extract) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/fddi) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/file_analysis.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/files) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/files.zeek) -> -1 @@ -847,6 +850,8 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/hash) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/hash_hrw.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/http) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/ieee802_11) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/ieee802_11_radio) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/imap) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/init-default.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/init-frameworks-and-bifs.zeek) -> -1 
@@ -855,6 +860,8 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/intel) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/irc) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/krb) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/linux_sll) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/llprotocols) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/logging) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/logging.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/main.zeek) -> -1 @@ -863,9 +870,11 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/mqtt) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/mysql) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/netcontrol) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/nflog) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/notice) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/ntlm) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/ntp) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/null) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/numbers.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/openflow) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/option.bif.zeek) -> -1 @@ -875,6 +884,8 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/pe) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/plugins) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/pop3) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/ppp_serial) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/pppoe) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/queue.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/radius) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/rdp) -> -1 
@@ -907,6 +918,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/urls.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/utils.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/version.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/vlan) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/weird.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/x509) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/xmpp) -> -1 @@ -1213,7 +1225,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1599794475.539113, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600793171.441844, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) 
@@ -1394,7 +1406,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1599794475.539113, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600793171.441844, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) @@ -1757,6 +1769,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/control) 0.000000 MetaHookPre LoadFile(0, base<...>/data.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/dce-rpc) +0.000000 MetaHookPre LoadFile(0, base<...>/default) 0.000000 MetaHookPre LoadFile(0, base<...>/dhcp) 0.000000 MetaHookPre LoadFile(0, base<...>/dir.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/directions-and-hosts.zeek) @@ -1764,9 +1777,11 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/dns) 0.000000 MetaHookPre LoadFile(0, base<...>/dpd) 0.000000 MetaHookPre LoadFile(0, base<...>/email.zeek) +0.000000 MetaHookPre LoadFile(0, base<...>/ethernet) 0.000000 MetaHookPre LoadFile(0, base<...>/event.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/exec.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/extract) +0.000000 MetaHookPre LoadFile(0, base<...>/fddi) 0.000000 MetaHookPre LoadFile(0, base<...>/file_analysis.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/files) 0.000000 MetaHookPre LoadFile(0, base<...>/files.zeek) 
@@ -1777,6 +1792,8 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/hash) 0.000000 MetaHookPre LoadFile(0, base<...>/hash_hrw.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/http) +0.000000 MetaHookPre LoadFile(0, base<...>/ieee802_11) +0.000000 MetaHookPre LoadFile(0, base<...>/ieee802_11_radio) 0.000000 MetaHookPre LoadFile(0, base<...>/imap) 0.000000 MetaHookPre LoadFile(0, base<...>/init-default.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/init-frameworks-and-bifs.zeek) @@ -1785,6 +1802,8 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/intel) 0.000000 MetaHookPre LoadFile(0, base<...>/irc) 0.000000 MetaHookPre LoadFile(0, base<...>/krb) +0.000000 MetaHookPre LoadFile(0, base<...>/linux_sll) +0.000000 MetaHookPre LoadFile(0, base<...>/llprotocols) 0.000000 MetaHookPre LoadFile(0, base<...>/logging) 0.000000 MetaHookPre LoadFile(0, base<...>/logging.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/main.zeek) @@ -1793,9 +1812,11 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/mqtt) 0.000000 MetaHookPre LoadFile(0, base<...>/mysql) 0.000000 MetaHookPre LoadFile(0, base<...>/netcontrol) +0.000000 MetaHookPre LoadFile(0, base<...>/nflog) 0.000000 MetaHookPre LoadFile(0, base<...>/notice) 0.000000 MetaHookPre LoadFile(0, base<...>/ntlm) 0.000000 MetaHookPre LoadFile(0, base<...>/ntp) +0.000000 MetaHookPre LoadFile(0, base<...>/null) 0.000000 MetaHookPre LoadFile(0, base<...>/numbers.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/openflow) 0.000000 MetaHookPre LoadFile(0, base<...>/option.bif.zeek) @@ -1805,6 +1826,8 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/pe) 0.000000 MetaHookPre LoadFile(0, base<...>/plugins) 0.000000 MetaHookPre LoadFile(0, base<...>/pop3) +0.000000 MetaHookPre LoadFile(0, base<...>/ppp_serial) +0.000000 MetaHookPre LoadFile(0, base<...>/pppoe) 0.000000 MetaHookPre LoadFile(0, base<...>/queue.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/radius) 0.000000 MetaHookPre LoadFile(0, base<...>/rdp) 
@@ -1837,6 +1860,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/urls.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/utils.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/version.zeek) +0.000000 MetaHookPre LoadFile(0, base<...>/vlan) 0.000000 MetaHookPre LoadFile(0, base<...>/weird.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/x509) 0.000000 MetaHookPre LoadFile(0, base<...>/xmpp) @@ -2142,7 +2166,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1599794475.539113, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1600793171.441844, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) 
@@ -2323,7 +2347,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1599794475.539113, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1600793171.441844, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2698,6 +2722,7 @@ 0.000000 | HookLoadFile base<...>/control 0.000000 | HookLoadFile base<...>/data.bif.zeek 0.000000 | HookLoadFile base<...>/dce-rpc +0.000000 | HookLoadFile base<...>/default 0.000000 | HookLoadFile base<...>/dhcp 0.000000 | HookLoadFile base<...>/dir.zeek 0.000000 | HookLoadFile base<...>/directions-and-hosts.zeek @@ -2705,9 +2730,11 @@ 0.000000 | HookLoadFile base<...>/dns 0.000000 | HookLoadFile base<...>/dpd 0.000000 | HookLoadFile base<...>/email.zeek +0.000000 | HookLoadFile base<...>/ethernet 0.000000 | HookLoadFile base<...>/event.bif.zeek 0.000000 | HookLoadFile base<...>/exec.zeek 0.000000 | HookLoadFile base<...>/extract +0.000000 | HookLoadFile base<...>/fddi 0.000000 | HookLoadFile base<...>/file_analysis.bif.zeek 0.000000 | HookLoadFile base<...>/files 0.000000 | HookLoadFile base<...>/files.zeek 
@@ -2718,6 +2745,8 @@ 0.000000 | HookLoadFile base<...>/hash 0.000000 | HookLoadFile base<...>/hash_hrw.zeek 0.000000 | HookLoadFile base<...>/http +0.000000 | HookLoadFile base<...>/ieee802_11 +0.000000 | HookLoadFile base<...>/ieee802_11_radio 0.000000 | HookLoadFile base<...>/imap 0.000000 | HookLoadFile base<...>/init-default.zeek 0.000000 | HookLoadFile base<...>/init-frameworks-and-bifs.zeek @@ -2726,6 +2755,8 @@ 0.000000 | HookLoadFile base<...>/intel 0.000000 | HookLoadFile base<...>/irc 0.000000 | HookLoadFile base<...>/krb +0.000000 | HookLoadFile base<...>/linux_sll +0.000000 | HookLoadFile base<...>/llprotocols 0.000000 | HookLoadFile base<...>/logging 0.000000 | HookLoadFile base<...>/logging.bif.zeek 0.000000 | HookLoadFile base<...>/main.zeek @@ -2734,9 +2765,11 @@ 0.000000 | HookLoadFile base<...>/mqtt 0.000000 | HookLoadFile base<...>/mysql 0.000000 | HookLoadFile base<...>/netcontrol +0.000000 | HookLoadFile base<...>/nflog 0.000000 | HookLoadFile base<...>/notice 0.000000 | HookLoadFile base<...>/ntlm 0.000000 | HookLoadFile base<...>/ntp +0.000000 | HookLoadFile base<...>/null 0.000000 | HookLoadFile base<...>/numbers.zeek 0.000000 | HookLoadFile base<...>/openflow 0.000000 | HookLoadFile base<...>/option.bif.zeek @@ -2746,6 +2779,8 @@ 0.000000 | HookLoadFile base<...>/pe 0.000000 | HookLoadFile base<...>/plugins 0.000000 | HookLoadFile base<...>/pop3 +0.000000 | HookLoadFile base<...>/ppp_serial +0.000000 | HookLoadFile base<...>/pppoe 0.000000 | HookLoadFile base<...>/queue.zeek 0.000000 | HookLoadFile base<...>/radius 0.000000 | HookLoadFile base<...>/rdp 
@@ -2778,12 +2813,13 @@ 0.000000 | HookLoadFile base<...>/urls.zeek 0.000000 | HookLoadFile base<...>/utils.zeek 0.000000 | HookLoadFile base<...>/version.zeek +0.000000 | HookLoadFile base<...>/vlan 0.000000 | HookLoadFile base<...>/weird.zeek 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLoadFile base<...>/zeek.bif.zeek 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1599794475.539113, node=zeek, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1600793171.441844, node=zeek, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent filter_change_tracking() 0.000000 | HookQueueEvent zeek_init() diff --git a/testing/btest/Baseline/plugins.ll-protocol/output b/testing/btest/Baseline/plugins.ll-protocol/output new file mode 100644 index 0000000000..578a37577d --- /dev/null +++ b/testing/btest/Baseline/plugins.ll-protocol/output @@ -0,0 +1,9 @@ +LLDemo::Bar - A Bar LL-test-analyzer. (dynamic, version 1.0.0) + [Low-Layer Analyzer] Bar (LLANALYZER_BAR, enabled) + [Event] bar_message + +=== +bar_message (DSAP = 42, SSAP = 42, Control = 3) +bar_message (DSAP = 42, SSAP = 42, Control = 3) +bar_message (DSAP = 42, SSAP = 42, Control = 3) +bar_message (DSAP = 42, SSAP = 42, Control = 3) diff --git a/testing/btest/Baseline/scripts.base.protocols.arp.linuxsll/.stdout b/testing/btest/Baseline/scripts.base.protocols.arp.linuxsll/.stdout new file mode 100644 index 0000000000..971bacd567 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.arp.linuxsll/.stdout 
@@ -0,0 +1,12 @@ +cc:2d:e0:26:19:99, 00:00:00:00:00:00, 192.168.22.1, cc:2d:e0:26:19:99, 192.168.22.160, 00:00:00:00:00:00 +00:50:56:8b:cf:fa, 00:00:00:00:00:00, 10.1.10.100, 00:50:56:8b:cf:fa, 10.1.10.1, 00:00:00:00:00:00 +00:50:56:8b:cf:fa, 00:00:00:00:00:00, 10.1.10.100, 00:50:56:8b:cf:fa, 10.1.10.1, 00:00:00:00:00:00 +00:50:56:8b:cf:fa, 00:00:00:00:00:00, 10.1.10.100, 00:50:56:8b:cf:fa, 10.1.10.1, 00:00:00:00:00:00 +00:50:56:8b:3f:0d, 00:00:00:00:00:00, 192.168.22.81, 00:50:56:8b:3f:0d, 192.168.22.81, 00:00:00:00:00:00 +00:50:56:8b:cf:fa, 00:00:00:00:00:00, 10.1.10.100, 00:50:56:8b:cf:fa, 10.1.10.1, 00:00:00:00:00:00 +00:50:56:8b:cf:fa, 00:00:00:00:00:00, 10.1.10.100, 00:50:56:8b:cf:fa, 10.1.10.1, 00:00:00:00:00:00 +00:50:56:8b:3f:0d, 00:00:00:00:00:00, 192.168.22.81, 00:50:56:8b:3f:0d, 192.168.22.81, 00:00:00:00:00:00 +00:50:56:8b:cf:fa, 00:00:00:00:00:00, 10.1.10.100, 00:50:56:8b:cf:fa, 10.1.10.1, 00:00:00:00:00:00 +00:50:56:8b:cf:fa, 00:00:00:00:00:00, 10.1.10.100, 00:50:56:8b:cf:fa, 10.1.10.1, 00:00:00:00:00:00 +00:50:56:8b:cf:fa, 00:00:00:00:00:00, 10.1.10.100, 00:50:56:8b:cf:fa, 10.1.10.1, 00:00:00:00:00:00 +00:50:56:8b:cf:fa, 00:00:00:00:00:00, 10.1.10.100, 00:50:56:8b:cf:fa, 10.1.10.1, 00:00:00:00:00:00 
diff --git a/testing/btest/Traces/http/get_nosyn.trace b/testing/btest/Traces/http/get_nosyn.trace new file mode 100644 index 0000000000000000000000000000000000000000..9a1d08ce694b1ffeedb70c210e8ce74e982dd9b5 GIT binary patch literal 6069 zcma)AU2Ggz72ZZ|DT@rLgixQ#t=kgE_3Z!pXWEo*{FkJ0V(d*Tp4#h~ySulZof+=j z@p>bq`VmB+4?rb&=?{&>18O8*=|iO!se;l!;2{EpDj`)xLY4Y}!~>M?+?iSLuGfJ` zR@Upe=brPO?|kQ+`NJE(eCb5)_FVSwv(Iw5+wjY)pI`dM=brdt?l<^MKe>~C`pyTR zy!F~!&wudZUAfg zn;*YNQ6aiF4o>E-{^;H$GDP(PMMoBA9?a$ben;{%Zt;#kUwerxzWu;)7XR_RQHvQ8 ztWqkm%a2dxSGX27Yj)x}R$5>iT;VU}Dyx+3TGhrk>l@9f{I*bgLfNbla;GDTl|rph zWixBS4HO4l7kQ+ujlh*HDO}(x+&NZRVvV>>#wx5*wQEauB{jC%U9a1Oo?yBQVEwWZ}45gz@-TFL$_B7^F*cL3kcDM>mEi- z&$+@ATCf06wqnogTR^G}gFA}*pky==m8w-4cv`jq5^$;1YygC04&%b9ye%izX~10( zMZ8U!S>e7E9_oYlO==K*b;xEJSXb=wyp0b-Hk&=ccO&v!!EX*ElH7q5p$B9+^FHOQ2~r%M;L)?heIis81Afric1r&C7YK+;h)`JVNo20fg;k3Lp+FhAJstV zfLlJ$mHUL|xCi8v@yuf9TVM*F6Uc?n0TtsQR2w4b6J?0x4wy{FJn0M6fxv+t3wZ=c zIx2|U9b<|y?okQA5N>R^3aG={{qyyO0u=#c7TXftV9!t?=nA%e>57cHtfhi3mPK3xb3hqjCneIJ2JHI%7HhDG)HWDFMTm#+Iq_sAB zytXtro=QUYpko6Xug@Ziq9eE~lmRCKH~^2Jfu}>@kn;cQ*2@2~QU3c!mH+o2WxeDR z>bK~USuX*caK3|!H3W*FKUy=Xn86=~zk~N(Dpw*9-;tiw{V^VamSt-xsfV&vE<+Pp z3Bpse(Nu@(Aw>hU2*Gj1dR&pBnXC`cuP!c5GN1B3F<)WjMVl&aL~LN*q_-<05R%xU zMK?6!N@*U|a%$(TaHbV}Dq=CI6-!milrdNBxQm{d3K}x*q8KOKNGU%X zw<((cA1XRDhALG!`c!~AH03XK#L!q=>Egdgc&($sW^9A{Vp72EBpqXBkL!7KHd8RV zntMIo$BjOEm**MjeIQfSqDUfNDAL>?LCJHLH7HB&H;8Szh4Y1&$0kF>h_(P=}9C=?D&QPd(F zxB#7tv}%zfGpDUc_lbCkL-^h#wBc!?e6FFtUVkp37F-ejp2VnOIIzc+o^L(D-3_2UrUpgM+&1O0r-u4B|$ z7%q-%bVwSX$(s@w@EkInO&$qqm?zRKeHMKr<$v&Nx19NZW|V(= zRQYc{mnr|j4@Z?hDq=!%b_XIwV@Zsf5bzkP!FLInRKbp!Kd3$qU5tujRf;vrXQLPAPusG&Jslu#4NCtv~tpl@qsVS&%~xJ2Jn^WX3PW_ zXdBDBgJnTOIN_Axo)ES4P^9 zkz6zFT+wtQAYT$y;7T>&tQmOeq)`HMJSiO~2(c}J>alXfQD$s+X*kj}NYZsAUV{W8 zZ^SkS$JfpFp;9E zR;>VNC3j*o@nym>KFh*`Sw@wYG?x)#kKhdO93`;RWm(c#k9VlQ9FNRkVBK*Yj=B3u z+N>x95`8adr!p~z@4$5oET=RD)<+K)*lY|s-0yc$nv)5h>6=*wVFkS@>I6O1ANYc) z-z-j`1#4j|4>9p&?Km@Mt{Bm`?bH@%hGm7;!{yB@N%uo(&|4K!2=of+6CRO~XfP^h 
z8C&UYli44wN37S1J0K}un`D3!MO?wrrm=Uj*+ToOnbjsNag?d1^ns4qtxe%2BRS~6 zJq#Di4Ghw#E?S-pUADI`nzA;onP<=&10UXP3xIJBFr_PYisW=U6VThDX^<3qCGs}B z7E~%YJucnHP;Ky-X=f7`d*9t$ZfqJoz)Xfh;cdKrh%_mG5z2q_MDjEKw&%oeuf0Ob z|88Ye`Tx3Ll>eUG)$22($`5)VU$lo|PX@<&9qed$dqwLlew`78cEaS%wWqeuUs}f~ ziAO_+ho_GQd_I}280IO=6KHtmr2$y6wb^K%JNo>Sf!gKR_Gqbu609j9Xd_Kt0nko? z*8|WQFv}G*0Jc2dj*gny5&CblM8o!Z2X$2qUU|7C1y0)H3>zIFfA5QNQqzDPh4VZp)|hO5z(Io z(X$t&M_vKf{`qTq1^mR%$6f)yas9^4=MGMObx&SPh>n+}zn}$|EWU6{i(h)1ES`D! zsKpQ8IXHRmr~Lh+7S{^5@^SGdS^V;kCtAFl<(__hVDZ(=$JZXdZ4mW%dFN`^u2Xrx z|JG=EfA|i{`^|&9b621J_n^E#LgcSf)E6H)w0IQ9#!tw{FZ^-L$2YIv`0(9>lkl-R L@bOdl_|bm>lr);A literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/linuxsll-arp.pcap b/testing/btest/Traces/linuxsll-arp.pcap new file mode 100644 index 0000000000000000000000000000000000000000..7898d55a407d9bef1e537d792d2c4672901a4ecf GIT binary patch literal 960 zcmca|c+)~A1{MYcU|}c(a-`1viF+)}$6yC!gD?Xl5VD=oeV`^elYxPQje(JafsKWM z5h8M6g%~495d#B|wE)aOA*6w(T{!_U31J#TKv?(rU&y9GM7S8aQXtxaEU3B2#>oIp zGgV_ma~rv)$pTGdY@wEEazN82YhyFbo)_Jx_PoH*3WWF!!9w;a$g~#^v6)6rxXA-e z+i1^3rEpUKn)XHyo7>3oDaf=ZbExGuMWAUezo})K6412s5zJHyH)Wt{UfZZ;8UQT^ Bgiinf literal 0 HcmV?d00001 diff --git a/testing/btest/plugins/ll-protocol-plugin/.btest-ignore b/testing/btest/plugins/ll-protocol-plugin/.btest-ignore new file mode 100644 index 0000000000..e69de29bb2 diff --git a/testing/btest/plugins/ll-protocol-plugin/CMakeLists.txt b/testing/btest/plugins/ll-protocol-plugin/CMakeLists.txt new file mode 100644 index 0000000000..7f11aa11e7 --- /dev/null +++ b/testing/btest/plugins/ll-protocol-plugin/CMakeLists.txt @@ -0,0 +1,18 @@ + +project(Zeek-LL-Plugin-Demo-Bar) + +cmake_minimum_required(VERSION 2.6.3) + +if ( NOT ZEEK_DIST ) + message(FATAL_ERROR "ZEEK_DIST not set") +endif () + +set(CMAKE_MODULE_PATH ${ZEEK_DIST}/cmake) + +include(ZeekPlugin) + +zeek_plugin_begin(LLDemo Bar) +zeek_plugin_cc(src/Plugin.cc) +zeek_plugin_cc(src/Bar.cc) +zeek_plugin_bif(src/events.bif) +zeek_plugin_end() 
diff --git a/testing/btest/plugins/ll-protocol-plugin/scripts/LLDemo/Bar/base/main.zeek b/testing/btest/plugins/ll-protocol-plugin/scripts/LLDemo/Bar/base/main.zeek
new file mode 100644
index 0000000000..031bd4f058
--- /dev/null
+++ b/testing/btest/plugins/ll-protocol-plugin/scripts/LLDemo/Bar/base/main.zeek
@@ -0,0 +1,5 @@
+module LL_BAR;
+
+redef LLAnalyzer::config_map += {
+ LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_ETHERNET, $identifier=1501, $analyzer=LLAnalyzer::LLANALYZER_BAR),
+};
diff --git a/testing/btest/plugins/ll-protocol-plugin/scripts/__load__.zeek b/testing/btest/plugins/ll-protocol-plugin/scripts/__load__.zeek
new file mode 100644
index 0000000000..697ab585a1
--- /dev/null
+++ b/testing/btest/plugins/ll-protocol-plugin/scripts/__load__.zeek
@@ -0,0 +1 @@
+@load LLDemo/Bar/base/main
diff --git a/testing/btest/plugins/ll-protocol-plugin/src/Bar.cc b/testing/btest/plugins/ll-protocol-plugin/src/Bar.cc
new file mode 100644
index 0000000000..93c8b87dc0
--- /dev/null
+++ b/testing/btest/plugins/ll-protocol-plugin/src/Bar.cc
@@ -0,0 +1,35 @@
+#include "Bar.h"
+#include "Event.h"
+#include "Val.h"
+#include "events.bif.h"
+
+using namespace zeek::llanalyzer::LLDemo;
+
+Bar::Bar()
+ : zeek::llanalyzer::Analyzer("Bar")
+ {
+ }
+
+std::tuple Bar::Analyze(Packet* packet)
+ {
+ auto& pdata = packet->cur_pos;
+ auto end_of_data = packet->GetEndOfData();
+
+ // Rudimentary parsing of 802.2 LLC
+ if ( pdata + 17 >= end_of_data )
+ {
+ packet->Weird("truncated_llc_header");
+ return { AnalyzerResult::Failed, 0 };
+ }
+
+ auto dsap = pdata[14];
+ auto ssap = pdata[15];
+ auto control = pdata[16];
+
+ mgr.Enqueue(bar_message,
+ val_mgr->Count(dsap),
+ val_mgr->Count(ssap),
+ val_mgr->Count(control));
+
+ return std::make_tuple(AnalyzerResult::Terminate, 0);
+ }
diff --git a/testing/btest/plugins/ll-protocol-plugin/src/Bar.h b/testing/btest/plugins/ll-protocol-plugin/src/Bar.h
new file mode 100644
index 0000000000..24f0a0856c
--- /dev/null
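Review bot: The length guard in Bar::Analyze, `if ( pdata + 17 >= end_of_data )`, forms a pointer that can lie beyond one-past-the-end of the packet buffer on a short frame, which is undefined behaviour in C++; the same test on lengths, `if ( end_of_data - pdata < 17 )`, is well-defined and also matches the three reads at pdata[14], pdata[15] and pdata[16], which need 17 bytes rather than the 18 the current check demands. Those offsets suggest cur_pos is expected to still point at the start of the Ethernet header even though the accompanying main.zeek registers the analyzer under LLANALYZER_ETHERNET; a comment such as `// Assumes cur_pos still points at the Ethernet header; LLC DSAP/SSAP/Control follow the 14-byte header` would make that dependency explicit. The two returns also use different forms, `{ AnalyzerResult::Failed, 0 }` and `std::make_tuple(AnalyzerResult::Terminate, 0)`; one form throughout reads better.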
+++ b/testing/btest/plugins/ll-protocol-plugin/src/Bar.h
@@ -0,0 +1,22 @@
+#pragma once
+
+#include
+#include
+
+namespace zeek::llanalyzer::LLDemo {
+
+class Bar : public Analyzer {
+public:
+ Bar();
+ ~Bar() override = default;
+
+ std::tuple Analyze(Packet* packet) override;
+
+ static Analyzer* Instantiate()
+ {
+ return new Bar();
+ }
+};
+
+}
+
diff --git a/testing/btest/plugins/ll-protocol-plugin/src/Plugin.cc b/testing/btest/plugins/ll-protocol-plugin/src/Plugin.cc
new file mode 100644
index 0000000000..4e0b7bc451
--- /dev/null
+++ b/testing/btest/plugins/ll-protocol-plugin/src/Plugin.cc
@@ -0,0 +1,27 @@
+
+#include "Plugin.h"
+#include "llanalyzer/Component.h"
+
+#include "Bar.h"
+
+namespace zeek::plugin::LLDemo_Bar {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::llanalyzer::Component("Bar",
+ zeek::llanalyzer::LLDemo::Bar::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "LLDemo::Bar";
+ config.description = "A Bar LL-test-analyzer.";
+ config.version.major = 1;
+ config.version.minor = 0;
+ config.version.patch = 0;
+ return config;
+ }
+
+} plugin;
+
+}
diff --git a/testing/btest/plugins/ll-protocol-plugin/src/events.bif b/testing/btest/plugins/ll-protocol-plugin/src/events.bif
new file mode 100644
index 0000000000..0b5c6888ab
--- /dev/null
+++ b/testing/btest/plugins/ll-protocol-plugin/src/events.bif
@@ -0,0 +1,2 @@
+
+event bar_message%(dsap: count, ssap: count, control: count%);
diff --git a/testing/btest/plugins/ll-protocol.zeek b/testing/btest/plugins/ll-protocol.zeek
new file mode 100644
index 0000000000..125daba230
--- /dev/null
+++ b/testing/btest/plugins/ll-protocol.zeek
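Review bot: `Configure()` in Plugin.cc is not marked `override`, unlike `Analyze` and the destructor in Bar.h from the same patch; if the base `zeek::plugin::Plugin::Configure` is virtual, as its use by the plugin framework suggests, writing `zeek::plugin::Configuration Configure() override` turns a signature mismatch into a compile error instead of a silently unused method. The class body is complete within the hunk.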
@@ -0,0 +1,14 @@
+# @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . LLDemo Bar
+# @TEST-EXEC: cp -r %DIR/ll-protocol-plugin/* .
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
+# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -NN LLDemo::Bar >>output
+# @TEST-EXEC: echo === >>output
+# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -r $TRACES/raw_packets.trace %INPUT >>output
+# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff output
+
+event bar_message(dsap: count, ssap: count, control: count)
+ {
+ print fmt("bar_message (DSAP = %x, SSAP = %x, Control = %x)",
+ dsap, ssap, control);
+ }
+
diff --git a/testing/btest/plugins/pktdumper-plugin/src/Foo.cc b/testing/btest/plugins/pktdumper-plugin/src/Foo.cc
index 75dc5d990b..9f0ad925dd 100644
--- a/testing/btest/plugins/pktdumper-plugin/src/Foo.cc
+++ b/testing/btest/plugins/pktdumper-plugin/src/Foo.cc
@@ -20,7 +20,6 @@ Foo::~Foo()
 void Foo::Open()
 {
 props.open_time = zeek::run_state::network_time;
- props.hdr_size = 0;
 Opened(props);
 }
diff --git a/testing/btest/scripts/base/protocols/arp/linuxsll.test b/testing/btest/scripts/base/protocols/arp/linuxsll.test
new file mode 100644
index 0000000000..01922961cb
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/arp/linuxsll.test
@@ -0,0 +1,12 @@
+# @TEST-EXEC: zeek -r $TRACES/linuxsll-arp.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+ {
+ print mac_src, mac_dst, SPA, SHA, TPA, THA;
+ }
+
+event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+ {
+ print mac_src, mac_dst, SPA, SHA, TPA, THA;
+ }
From e53ec46c2344ca723a6547d25c33327d88b3af51 Mon Sep 17 00:00:00 2001
From: Jan Grashoefer Date: Mon, 13 Jul 2020 16:44:39 +0200 Subject: [PATCH 02/43] Renamed LL-Analyzers to Packet Analyzers. --- scripts/base/init-bare.zeek | 22 +++++------ scripts/base/llprotocols/__load__.zeek | 11 ------ scripts/base/llprotocols/default/main.zeek | 6 --- scripts/base/llprotocols/ethernet/main.zeek | 16 -------- scripts/base/llprotocols/fddi/main.zeek | 7 ---- scripts/base/llprotocols/ieee802_11/main.zeek | 11 ------ .../llprotocols/ieee802_11_radio/main.zeek | 9 ----- scripts/base/llprotocols/linux_sll/main.zeek | 12 ------ scripts/base/llprotocols/nflog/main.zeek | 11 ------ scripts/base/llprotocols/null/main.zeek | 19 ---------- scripts/base/llprotocols/ppp_serial/main.zeek | 10 ----- scripts/base/llprotocols/pppoe/main.zeek | 6 --- scripts/base/llprotocols/vlan/main.zeek | 11 ------ scripts/base/packet-protocols/__load__.zeek | 11 ++++++ .../default/__load__.zeek | 0 .../base/packet-protocols/default/main.zeek | 6 +++ .../ethernet/__load__.zeek | 0 .../base/packet-protocols/ethernet/main.zeek | 16 ++++++++ .../fddi/__load__.zeek | 0 scripts/base/packet-protocols/fddi/main.zeek | 7 ++++ .../ieee802_11/__load__.zeek | 0 .../packet-protocols/ieee802_11/main.zeek | 11 ++++++ .../ieee802_11_radio/__load__.zeek | 0 .../ieee802_11_radio/main.zeek | 9 +++++ .../linux_sll/__load__.zeek | 0 .../base/packet-protocols/linux_sll/main.zeek | 12 ++++++ .../nflog/__load__.zeek | 0 scripts/base/packet-protocols/nflog/main.zeek | 11 ++++++ .../null/__load__.zeek | 0 scripts/base/packet-protocols/null/main.zeek | 19 ++++++++++ .../ppp_serial/__load__.zeek | 0 .../packet-protocols/ppp_serial/main.zeek | 10 +++++ .../pppoe/__load__.zeek | 0 scripts/base/packet-protocols/pppoe/main.zeek | 6 +++ .../vlan/__load__.zeek | 0 scripts/base/packet-protocols/vlan/main.zeek | 11 ++++++ src/CMakeLists.txt | 2 +- src/DebugLogger.cc | 2 +- src/DebugLogger.h | 36 +++++++++--------- src/iosource/Packet.cc | 8 ++-- src/llanalyzer/protocol/default/Plugin.cc | 24 ------------ 
src/llanalyzer/protocol/ethernet/Plugin.cc | 24 ------------ src/llanalyzer/protocol/ieee802_11/Plugin.cc | 24 ------------ .../protocol/ieee802_11_radio/Plugin.cc | 23 ----------- src/llanalyzer/protocol/linux_sll/Plugin.cc | 24 ------------ src/llanalyzer/protocol/ppp_serial/Plugin.cc | 24 ------------ .../Analyzer.cc | 10 ++--- .../Analyzer.h | 12 +++--- .../AnalyzerSet.h | 2 +- .../CMakeLists.txt | 0 .../Component.cc | 10 ++--- .../Component.h | 4 +- src/{llanalyzer => packet_analysis}/Config.cc | 6 +-- src/{llanalyzer => packet_analysis}/Config.h | 2 +- src/{llanalyzer => packet_analysis}/Defines.h | 2 +- .../Manager.cc | 38 +++++++++---------- src/{llanalyzer => packet_analysis}/Manager.h | 6 +-- .../ProtocolAnalyzerSet.cc | 12 +++--- .../ProtocolAnalyzerSet.h | 2 +- src/{llanalyzer => packet_analysis}/Tag.cc | 6 +-- src/{llanalyzer => packet_analysis}/Tag.h | 4 +- .../dispatchers/CMakeLists.txt | 0 .../dispatchers/Dispatcher.h | 2 +- .../dispatchers/UniversalDispatcher.cc | 10 ++--- .../dispatchers/UniversalDispatcher.h | 2 +- .../dispatchers/VectorDispatcher.cc | 8 ++-- .../dispatchers/VectorDispatcher.h | 2 +- .../protocol/CMakeLists.txt | 0 .../protocol/arp/ARP.cc | 6 +-- .../protocol/arp/ARP.h | 6 +-- .../protocol/arp/CMakeLists.txt | 0 .../protocol/arp/Plugin.cc | 12 +++--- .../protocol/default/CMakeLists.txt | 0 .../protocol/default/Default.cc | 6 +-- .../protocol/default/Default.h | 6 +-- .../protocol/default/Plugin.cc | 24 ++++++++++++ .../protocol/ethernet/CMakeLists.txt | 0 .../protocol/ethernet/Ethernet.cc | 6 +-- .../protocol/ethernet/Ethernet.h | 6 +-- .../protocol/ethernet/Plugin.cc | 24 ++++++++++++ .../protocol/fddi/CMakeLists.txt | 0 .../protocol/fddi/FDDI.cc | 6 +-- .../protocol/fddi/FDDI.h | 10 ++--- .../protocol/fddi/Plugin.cc | 12 +++--- .../protocol/ieee802_11/CMakeLists.txt | 0 .../protocol/ieee802_11/IEEE802_11.cc | 6 +-- .../protocol/ieee802_11/IEEE802_11.h | 6 +-- .../protocol/ieee802_11/Plugin.cc | 24 ++++++++++++ 
.../protocol/ieee802_11_radio/CMakeLists.txt | 0 .../ieee802_11_radio/IEEE802_11_Radio.cc | 6 +-- .../ieee802_11_radio/IEEE802_11_Radio.h | 6 +-- .../protocol/ieee802_11_radio/Plugin.cc | 23 +++++++++++ .../protocol/ipv4/CMakeLists.txt | 0 .../protocol/ipv4/IPv4.cc | 6 +-- .../protocol/ipv4/IPv4.h | 6 +-- .../protocol/ipv4/Plugin.cc | 12 +++--- .../protocol/ipv6/CMakeLists.txt | 0 .../protocol/ipv6/IPv6.cc | 6 +-- .../protocol/ipv6/IPv6.h | 6 +-- .../protocol/ipv6/Plugin.cc | 12 +++--- .../protocol/linux_sll/CMakeLists.txt | 0 .../protocol/linux_sll/LinuxSLL.cc | 6 +-- .../protocol/linux_sll/LinuxSLL.h | 6 +-- .../protocol/linux_sll/Plugin.cc | 24 ++++++++++++ .../protocol/mpls/CMakeLists.txt | 0 .../protocol/mpls/MPLS.cc | 6 +-- .../protocol/mpls/MPLS.h | 10 ++--- .../protocol/mpls/Plugin.cc | 12 +++--- .../protocol/nflog/CMakeLists.txt | 0 .../protocol/nflog/NFLog.cc | 6 +-- .../protocol/nflog/NFLog.h | 6 +-- .../protocol/nflog/Plugin.cc | 12 +++--- .../protocol/null/CMakeLists.txt | 0 .../protocol/null/Null.cc | 6 +-- .../protocol/null/Null.h | 6 +-- .../protocol/null/Plugin.cc | 12 +++--- .../protocol/ppp_serial/CMakeLists.txt | 0 .../protocol/ppp_serial/PPPSerial.cc | 6 +-- .../protocol/ppp_serial/PPPSerial.h | 6 +-- .../protocol/ppp_serial/Plugin.cc | 24 ++++++++++++ .../protocol/pppoe/CMakeLists.txt | 0 .../protocol/pppoe/PPPoE.cc | 6 +-- .../protocol/pppoe/PPPoE.h | 6 +-- .../protocol/pppoe/Plugin.cc | 12 +++--- .../protocol/vlan/CMakeLists.txt | 0 .../protocol/vlan/Plugin.cc | 12 +++--- .../protocol/vlan/VLAN.cc | 6 +-- .../protocol/vlan/VLAN.h | 6 +-- .../protocol/wrapper/CMakeLists.txt | 0 .../protocol/wrapper/Plugin.cc | 8 ++-- .../protocol/wrapper/Wrapper.cc | 6 +-- .../protocol/wrapper/Wrapper.h | 6 +-- src/plugin/Component.cc | 4 +- src/plugin/Component.h | 16 ++++---- src/zeek-setup.cc | 14 +++---- testing/btest/Baseline/plugins.hooks/output | 20 +++++----- .../output | 4 +- .../scripts/LLDemo/Bar/base/main.zeek | 5 --- 
.../ll-protocol-plugin/scripts/__load__.zeek | 1 - .../.btest-ignore | 0 .../CMakeLists.txt | 4 +- .../scripts/PacketDemo/Bar/base/main.zeek | 5 +++ .../scripts/__load__.zeek | 1 + .../src/Bar.cc | 6 +-- .../src/Bar.h | 6 +-- .../src/Plugin.cc | 12 +++--- .../src/events.bif | 0 ...{ll-protocol.zeek => packet-protocol.zeek} | 6 +-- 148 files changed, 587 insertions(+), 587 deletions(-) delete mode 100644 scripts/base/llprotocols/__load__.zeek delete mode 100644 scripts/base/llprotocols/default/main.zeek delete mode 100644 scripts/base/llprotocols/ethernet/main.zeek delete mode 100644 scripts/base/llprotocols/fddi/main.zeek delete mode 100644 scripts/base/llprotocols/ieee802_11/main.zeek delete mode 100644 scripts/base/llprotocols/ieee802_11_radio/main.zeek delete mode 100644 scripts/base/llprotocols/linux_sll/main.zeek delete mode 100644 scripts/base/llprotocols/nflog/main.zeek delete mode 100644 scripts/base/llprotocols/null/main.zeek delete mode 100644 scripts/base/llprotocols/ppp_serial/main.zeek delete mode 100644 scripts/base/llprotocols/pppoe/main.zeek delete mode 100644 scripts/base/llprotocols/vlan/main.zeek create mode 100644 scripts/base/packet-protocols/__load__.zeek rename scripts/base/{llprotocols => packet-protocols}/default/__load__.zeek (100%) create mode 100644 scripts/base/packet-protocols/default/main.zeek rename scripts/base/{llprotocols => packet-protocols}/ethernet/__load__.zeek (100%) create mode 100644 scripts/base/packet-protocols/ethernet/main.zeek rename scripts/base/{llprotocols => packet-protocols}/fddi/__load__.zeek (100%) create mode 100644 scripts/base/packet-protocols/fddi/main.zeek rename scripts/base/{llprotocols => packet-protocols}/ieee802_11/__load__.zeek (100%) create mode 100644 scripts/base/packet-protocols/ieee802_11/main.zeek rename scripts/base/{llprotocols => packet-protocols}/ieee802_11_radio/__load__.zeek (100%) create mode 100644 scripts/base/packet-protocols/ieee802_11_radio/main.zeek rename scripts/base/{llprotocols 
=> packet-protocols}/linux_sll/__load__.zeek (100%) create mode 100644 scripts/base/packet-protocols/linux_sll/main.zeek rename scripts/base/{llprotocols => packet-protocols}/nflog/__load__.zeek (100%) create mode 100644 scripts/base/packet-protocols/nflog/main.zeek rename scripts/base/{llprotocols => packet-protocols}/null/__load__.zeek (100%) create mode 100644 scripts/base/packet-protocols/null/main.zeek rename scripts/base/{llprotocols => packet-protocols}/ppp_serial/__load__.zeek (100%) create mode 100644 scripts/base/packet-protocols/ppp_serial/main.zeek rename scripts/base/{llprotocols => packet-protocols}/pppoe/__load__.zeek (100%) create mode 100644 scripts/base/packet-protocols/pppoe/main.zeek rename scripts/base/{llprotocols => packet-protocols}/vlan/__load__.zeek (100%) create mode 100644 scripts/base/packet-protocols/vlan/main.zeek delete mode 100644 src/llanalyzer/protocol/default/Plugin.cc delete mode 100644 src/llanalyzer/protocol/ethernet/Plugin.cc delete mode 100644 src/llanalyzer/protocol/ieee802_11/Plugin.cc delete mode 100644 src/llanalyzer/protocol/ieee802_11_radio/Plugin.cc delete mode 100644 src/llanalyzer/protocol/linux_sll/Plugin.cc delete mode 100644 src/llanalyzer/protocol/ppp_serial/Plugin.cc rename src/{llanalyzer => packet_analysis}/Analyzer.cc (66%) rename src/{llanalyzer => packet_analysis}/Analyzer.h (86%) rename src/{llanalyzer => packet_analysis}/AnalyzerSet.h (91%) rename src/{llanalyzer => packet_analysis}/CMakeLists.txt (100%) rename src/{llanalyzer => packet_analysis}/Component.cc (69%) rename src/{llanalyzer => packet_analysis}/Component.h (92%) rename src/{llanalyzer => packet_analysis}/Config.cc (93%) rename src/{llanalyzer => packet_analysis}/Config.h (97%) rename src/{llanalyzer => packet_analysis}/Defines.h (81%) rename src/{llanalyzer => packet_analysis}/Manager.cc (76%) rename src/{llanalyzer => packet_analysis}/Manager.h (95%) rename src/{llanalyzer => packet_analysis}/ProtocolAnalyzerSet.cc (90%) rename 
src/{llanalyzer => packet_analysis}/ProtocolAnalyzerSet.h (96%) rename src/{llanalyzer => packet_analysis}/Tag.cc (78%) rename src/{llanalyzer => packet_analysis}/Tag.h (97%) rename src/{llanalyzer => packet_analysis}/dispatchers/CMakeLists.txt (100%) rename src/{llanalyzer => packet_analysis}/dispatchers/Dispatcher.h (96%) rename src/{llanalyzer => packet_analysis}/dispatchers/UniversalDispatcher.cc (91%) rename src/{llanalyzer => packet_analysis}/dispatchers/UniversalDispatcher.h (98%) rename src/{llanalyzer => packet_analysis}/dispatchers/VectorDispatcher.cc (89%) rename src/{llanalyzer => packet_analysis}/dispatchers/VectorDispatcher.h (95%) rename src/{llanalyzer => packet_analysis}/protocol/CMakeLists.txt (100%) rename src/{llanalyzer => packet_analysis}/protocol/arp/ARP.cc (57%) rename src/{llanalyzer => packet_analysis}/protocol/arp/ARP.h (74%) rename src/{llanalyzer => packet_analysis}/protocol/arp/CMakeLists.txt (100%) rename src/{llanalyzer => packet_analysis}/protocol/arp/Plugin.cc (51%) rename src/{llanalyzer => packet_analysis}/protocol/default/CMakeLists.txt (100%) rename src/{llanalyzer => packet_analysis}/protocol/default/Default.cc (70%) rename src/{llanalyzer => packet_analysis}/protocol/default/Default.h (74%) create mode 100644 src/packet_analysis/protocol/default/Plugin.cc rename src/{llanalyzer => packet_analysis}/protocol/ethernet/CMakeLists.txt (100%) rename src/{llanalyzer => packet_analysis}/protocol/ethernet/Ethernet.cc (88%) rename src/{llanalyzer => packet_analysis}/protocol/ethernet/Ethernet.h (75%) create mode 100644 src/packet_analysis/protocol/ethernet/Plugin.cc rename src/{llanalyzer => packet_analysis}/protocol/fddi/CMakeLists.txt (100%) rename src/{llanalyzer => packet_analysis}/protocol/fddi/FDDI.cc (70%) rename src/{llanalyzer => packet_analysis}/protocol/fddi/FDDI.h (54%) rename src/{llanalyzer => packet_analysis}/protocol/fddi/Plugin.cc (50%) rename src/{llanalyzer => packet_analysis}/protocol/ieee802_11/CMakeLists.txt 
(100%) rename src/{llanalyzer => packet_analysis}/protocol/ieee802_11/IEEE802_11.cc (91%) rename src/{llanalyzer => packet_analysis}/protocol/ieee802_11/IEEE802_11.h (75%) create mode 100644 src/packet_analysis/protocol/ieee802_11/Plugin.cc rename src/{llanalyzer => packet_analysis}/protocol/ieee802_11_radio/CMakeLists.txt (100%) rename src/{llanalyzer => packet_analysis}/protocol/ieee802_11_radio/IEEE802_11_Radio.cc (74%) rename src/{llanalyzer => packet_analysis}/protocol/ieee802_11_radio/IEEE802_11_Radio.h (75%) create mode 100644 src/packet_analysis/protocol/ieee802_11_radio/Plugin.cc rename src/{llanalyzer => packet_analysis}/protocol/ipv4/CMakeLists.txt (100%) rename src/{llanalyzer => packet_analysis}/protocol/ipv4/IPv4.cc (52%) rename src/{llanalyzer => packet_analysis}/protocol/ipv4/IPv4.h (74%) rename src/{llanalyzer => packet_analysis}/protocol/ipv4/Plugin.cc (50%) rename src/{llanalyzer => packet_analysis}/protocol/ipv6/CMakeLists.txt (100%) rename src/{llanalyzer => packet_analysis}/protocol/ipv6/IPv6.cc (52%) rename src/{llanalyzer => packet_analysis}/protocol/ipv6/IPv6.h (74%) rename src/{llanalyzer => packet_analysis}/protocol/ipv6/Plugin.cc (50%) rename src/{llanalyzer => packet_analysis}/protocol/linux_sll/CMakeLists.txt (100%) rename src/{llanalyzer => packet_analysis}/protocol/linux_sll/LinuxSLL.cc (77%) rename src/{llanalyzer => packet_analysis}/protocol/linux_sll/LinuxSLL.h (83%) create mode 100644 src/packet_analysis/protocol/linux_sll/Plugin.cc rename src/{llanalyzer => packet_analysis}/protocol/mpls/CMakeLists.txt (100%) rename src/{llanalyzer => packet_analysis}/protocol/mpls/MPLS.cc (83%) rename src/{llanalyzer => packet_analysis}/protocol/mpls/MPLS.h (54%) rename src/{llanalyzer => packet_analysis}/protocol/mpls/Plugin.cc (50%) rename src/{llanalyzer => packet_analysis}/protocol/nflog/CMakeLists.txt (100%) rename src/{llanalyzer => packet_analysis}/protocol/nflog/NFLog.cc (88%) rename src/{llanalyzer => 
packet_analysis}/protocol/nflog/NFLog.h (74%) rename src/{llanalyzer => packet_analysis}/protocol/nflog/Plugin.cc (50%) rename src/{llanalyzer => packet_analysis}/protocol/null/CMakeLists.txt (100%) rename src/{llanalyzer => packet_analysis}/protocol/null/Null.cc (70%) rename src/{llanalyzer => packet_analysis}/protocol/null/Null.h (74%) rename src/{llanalyzer => packet_analysis}/protocol/null/Plugin.cc (50%) rename src/{llanalyzer => packet_analysis}/protocol/ppp_serial/CMakeLists.txt (100%) rename src/{llanalyzer => packet_analysis}/protocol/ppp_serial/PPPSerial.cc (62%) rename src/{llanalyzer => packet_analysis}/protocol/ppp_serial/PPPSerial.h (75%) create mode 100644 src/packet_analysis/protocol/ppp_serial/Plugin.cc rename src/{llanalyzer => packet_analysis}/protocol/pppoe/CMakeLists.txt (100%) rename src/{llanalyzer => packet_analysis}/protocol/pppoe/PPPoE.cc (70%) rename src/{llanalyzer => packet_analysis}/protocol/pppoe/PPPoE.h (75%) rename src/{llanalyzer => packet_analysis}/protocol/pppoe/Plugin.cc (50%) rename src/{llanalyzer => packet_analysis}/protocol/vlan/CMakeLists.txt (100%) rename src/{llanalyzer => packet_analysis}/protocol/vlan/Plugin.cc (50%) rename src/{llanalyzer => packet_analysis}/protocol/vlan/VLAN.cc (74%) rename src/{llanalyzer => packet_analysis}/protocol/vlan/VLAN.h (74%) rename src/{llanalyzer => packet_analysis}/protocol/wrapper/CMakeLists.txt (100%) rename src/{llanalyzer => packet_analysis}/protocol/wrapper/Plugin.cc (64%) rename src/{llanalyzer => packet_analysis}/protocol/wrapper/Wrapper.cc (94%) rename src/{llanalyzer => packet_analysis}/protocol/wrapper/Wrapper.h (74%) rename testing/btest/Baseline/{plugins.ll-protocol => plugins.packet-protocol}/output (65%) delete mode 100644 testing/btest/plugins/ll-protocol-plugin/scripts/LLDemo/Bar/base/main.zeek delete mode 100644 testing/btest/plugins/ll-protocol-plugin/scripts/__load__.zeek rename testing/btest/plugins/{ll-protocol-plugin => packet-protocol-plugin}/.btest-ignore (100%) 
rename testing/btest/plugins/{ll-protocol-plugin => packet-protocol-plugin}/CMakeLists.txt (80%)
create mode 100644 testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/Bar/base/main.zeek
create mode 100644 testing/btest/plugins/packet-protocol-plugin/scripts/__load__.zeek
rename testing/btest/plugins/{ll-protocol-plugin => packet-protocol-plugin}/src/Bar.cc (73%)
rename testing/btest/plugins/{ll-protocol-plugin => packet-protocol-plugin}/src/Bar.h (65%)
rename testing/btest/plugins/{ll-protocol-plugin => packet-protocol-plugin}/src/Plugin.cc (50%)
rename testing/btest/plugins/{ll-protocol-plugin => packet-protocol-plugin}/src/events.bif (100%)
rename testing/btest/plugins/{ll-protocol.zeek => packet-protocol.zeek} (75%)
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 5fabc60a3e..5c86024202 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -5342,29 +5342,29 @@ event net_done(t: time)
 @if ( __init_primary_bifs() )
 @endif
-module LLAnalyzer;
+module PacketAnalyzer;
-# Defines a mapping for the LLAnalyzer's configuration tree. This
+# Defines a mapping for the PacketAnalyzer's configuration tree. This
 # maps from a parent analyzer to a child analyzer through a numeric
 # identifier.
 export {
 type ConfigEntry : record {
 # The parent analyzer. This analyzer will check for the *identifier* in the
 # packet data to know whether to call the next analyzer. This field is optional.
- # If it is not included, the identifier will attach to the "root" analyzer. This
- # means that the identifier will be searched for the initial packet header instead
- # of later headers.
- parent : LLAnalyzer::Tag &optional;
+ # If it is not included, the identifier will attach to the "root" analyzer. The
+ # root analyzer uses the link layer identifier provided by the packet source to
+ # determine the protocol for the initial packet header.
+ parent : PacketAnalyzer::Tag &optional;
- # A numeric identifier that can be found in the packet data that denotes an
- # analyzer should be called.
+ # A numeric identifier, which can be found in the packet data, that denotes the
+ # encapsulated protocol.
 identifier : count;
 # The analyzer that corresponds to the above identifier.
- analyzer : LLAnalyzer::Tag;
+ analyzer : PacketAnalyzer::Tag;
 };
- const config_map : vector of LLAnalyzer::ConfigEntry &redef;
+ const config_map : vector of PacketAnalyzer::ConfigEntry &redef;
 }
-@load base/llprotocols
+@load base/packet-protocols
diff --git a/scripts/base/llprotocols/__load__.zeek b/scripts/base/llprotocols/__load__.zeek
deleted file mode 100644
index a6d256338b..0000000000
--- a/scripts/base/llprotocols/__load__.zeek
+++ /dev/null
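Review bot: The comments inside the `PacketAnalyzer` export block use a single `#`, so neither `ConfigEntry`, its fields nor `config_map` are picked up by Zeekygen as documented API, even though this is exactly the interface plugin authors are expected to `redef`. Switching them to `##` is a mechanical change, e.g. `## The analyzer that corresponds to the above identifier.`, and `config_map` currently has no comment at all; something like `## Mapping from (parent, identifier) pairs to the analyzer to dispatch to; extend via redef.` would do. The hunk also leaves unstated what happens when two entries share the same parent and identifier; if the manager resolves that in a defined way, this declaration is the place to say so.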
@@ -1,11 +0,0 @@
-@load base/llprotocols/default
-@load base/llprotocols/ethernet
-@load base/llprotocols/fddi
-@load base/llprotocols/ieee802_11
-@load base/llprotocols/ieee802_11_radio
-@load base/llprotocols/linux_sll
-@load base/llprotocols/nflog
-@load base/llprotocols/null
-@load base/llprotocols/ppp_serial
-@load base/llprotocols/pppoe
-@load base/llprotocols/vlan
diff --git a/scripts/base/llprotocols/default/main.zeek b/scripts/base/llprotocols/default/main.zeek
deleted file mode 100644
index caf50e6378..0000000000
--- a/scripts/base/llprotocols/default/main.zeek
+++ /dev/null
@@ -1,6 +0,0 @@
-module LL_DEFAULT;
-
-redef LLAnalyzer::config_map += {
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_DEFAULTANALYZER, $identifier=4, $analyzer=LLAnalyzer::LLANALYZER_IPV4),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_DEFAULTANALYZER, $identifier=6, $analyzer=LLAnalyzer::LLANALYZER_IPV6)
-};
diff --git a/scripts/base/llprotocols/ethernet/main.zeek b/scripts/base/llprotocols/ethernet/main.zeek
deleted file mode 100644
index 1227b2fb83..0000000000
--- a/scripts/base/llprotocols/ethernet/main.zeek
+++ /dev/null
@@ -1,16 +0,0 @@
-module LL_ETHERNET;
-
-const DLT_EN10MB : count = 1;
-
-redef LLAnalyzer::config_map += {
- LLAnalyzer::ConfigEntry($identifier=DLT_EN10MB, $analyzer=LLAnalyzer::LLANALYZER_ETHERNET),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_ETHERNET, $identifier=0x8847, $analyzer=LLAnalyzer::LLANALYZER_MPLS),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_ETHERNET, $identifier=0x0800, $analyzer=LLAnalyzer::LLANALYZER_IPV4),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_ETHERNET, $identifier=0x86DD, $analyzer=LLAnalyzer::LLANALYZER_IPV6),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_ETHERNET, $identifier=0x0806, $analyzer=LLAnalyzer::LLANALYZER_ARP),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_ETHERNET, $identifier=0x8035, $analyzer=LLAnalyzer::LLANALYZER_ARP),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_ETHERNET, $identifier=0x8100, $analyzer=LLAnalyzer::LLANALYZER_VLAN),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_ETHERNET, $identifier=0x88A8, $analyzer=LLAnalyzer::LLANALYZER_VLAN),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_ETHERNET, $identifier=0x9100, $analyzer=LLAnalyzer::LLANALYZER_VLAN),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_ETHERNET, $identifier=0x8864, $analyzer=LLAnalyzer::LLANALYZER_PPPOE)
-};
diff --git a/scripts/base/llprotocols/fddi/main.zeek b/scripts/base/llprotocols/fddi/main.zeek
deleted file mode 100644
index 68fd691d7f..0000000000
--- a/scripts/base/llprotocols/fddi/main.zeek
+++ /dev/null
@@ -1,7 +0,0 @@
-module LL_FDDI;
-
-const DLT_FDDI : count = 10;
-
-redef LLAnalyzer::config_map += {
- LLAnalyzer::ConfigEntry($identifier=DLT_FDDI, $analyzer=LLAnalyzer::LLANALYZER_FDDI)
-};
diff --git a/scripts/base/llprotocols/ieee802_11/main.zeek b/scripts/base/llprotocols/ieee802_11/main.zeek
deleted file mode 100644
index 070e3f9eff..0000000000
--- a/scripts/base/llprotocols/ieee802_11/main.zeek
+++ /dev/null
@@ -1,11 +0,0 @@
-module LL_IEEE802_11;
-
-const DLT_IEEE802_11 : count = 105;
-
-redef LLAnalyzer::config_map += {
- LLAnalyzer::ConfigEntry($identifier=DLT_IEEE802_11, $analyzer=LLAnalyzer::LLANALYZER_IEEE802_11),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_IEEE802_11, $identifier=0x0800, $analyzer=LLAnalyzer::LLANALYZER_IPV4),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_IEEE802_11, $identifier=0x86DD, $analyzer=LLAnalyzer::LLANALYZER_IPV6),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_IEEE802_11, $identifier=0x0806, $analyzer=LLAnalyzer::LLANALYZER_ARP),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_IEEE802_11, $identifier=0x8035, $analyzer=LLAnalyzer::LLANALYZER_ARP)
-};
diff --git a/scripts/base/llprotocols/ieee802_11_radio/main.zeek b/scripts/base/llprotocols/ieee802_11_radio/main.zeek
deleted file mode 100644
index 0985b0e391..0000000000
--- a/scripts/base/llprotocols/ieee802_11_radio/main.zeek
+++ /dev/null
@@ -1,9 +0,0 @@
-module LL_IEEE802_11_RADIO;
-
-const DLT_IEEE802_11_RADIO : count = 127;
-const DLT_IEEE802_11 : count = 105;
-
-redef LLAnalyzer::config_map += {
- LLAnalyzer::ConfigEntry($identifier=DLT_IEEE802_11_RADIO, $analyzer=LLAnalyzer::LLANALYZER_IEEE802_11_RADIO),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_IEEE802_11_RADIO, $identifier=DLT_IEEE802_11, $analyzer=LLAnalyzer::LLANALYZER_IEEE802_11)
-};
diff --git a/scripts/base/llprotocols/linux_sll/main.zeek b/scripts/base/llprotocols/linux_sll/main.zeek
deleted file mode 100644
index 601c5ae870..0000000000
--- a/scripts/base/llprotocols/linux_sll/main.zeek
+++ /dev/null
@@ -1,12 +0,0 @@
-module LL_LINUX_SLL;
-
-const DLT_LINUX_SLL : count = 113;
-
-redef LLAnalyzer::config_map += {
- LLAnalyzer::ConfigEntry($identifier=DLT_LINUX_SLL, $analyzer=LLAnalyzer::LLANALYZER_LINUXSLL),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_LINUXSLL, $identifier=0x0800, $analyzer=LLAnalyzer::LLANALYZER_IPV4),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_LINUXSLL, $identifier=0x86DD, $analyzer=LLAnalyzer::LLANALYZER_IPV6),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_LINUXSLL, $identifier=0x0806, $analyzer=LLAnalyzer::LLANALYZER_ARP),
- # RARP
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_LINUXSLL, $identifier=0x8035, $analyzer=LLAnalyzer::LLANALYZER_ARP)
-};
diff --git a/scripts/base/llprotocols/nflog/main.zeek b/scripts/base/llprotocols/nflog/main.zeek
deleted file mode 100644
index d62ccd20c5..0000000000
--- a/scripts/base/llprotocols/nflog/main.zeek
+++ /dev/null
@@ -1,11 +0,0 @@
-module LL_NFLOG;
-
-const DLT_NFLOG : count = 239;
-const AF_INET : count = 2;
-const AF_INET6 : count = 10;
-
-redef LLAnalyzer::config_map += {
- LLAnalyzer::ConfigEntry($identifier=DLT_NFLOG, $analyzer=LLAnalyzer::LLANALYZER_NFLOG),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_NFLOG, $identifier=AF_INET, $analyzer=LLAnalyzer::LLANALYZER_IPV4),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_NFLOG, $identifier=AF_INET6, $analyzer=LLAnalyzer::LLANALYZER_IPV6)
-};
diff --git a/scripts/base/llprotocols/null/main.zeek b/scripts/base/llprotocols/null/main.zeek
deleted file mode 100644
index f70f40d0e2..0000000000
--- a/scripts/base/llprotocols/null/main.zeek
+++ /dev/null
@@ -1,19 +0,0 @@
-module LL_NULL;
-
-const DLT_NULL : count = 0;
-const AF_INET : count = 2;
-const AF_INET6 : count = 10;
-
-redef LLAnalyzer::config_map += {
- LLAnalyzer::ConfigEntry($identifier=DLT_NULL, $analyzer=LLAnalyzer::LLANALYZER_NULL),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_NULL, $identifier=AF_INET, $analyzer=LLAnalyzer::LLANALYZER_IPV4),
-
- ## From the Wireshark Wiki: AF_INET6ANALYZER, unfortunately, has different values in
- ## {NetBSD,OpenBSD,BSD/OS}, {FreeBSD,DragonFlyBSD}, and {Darwin/Mac OS X}, so an IPv6
- ## packet might have a link-layer header with 24, 28, or 30 as the AF_ value. As we
- ## may be reading traces captured on platforms other than what we're running on, we
- ## accept them all here.
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_NULL, $identifier=24, $analyzer=LLAnalyzer::LLANALYZER_IPV6),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_NULL, $identifier=28, $analyzer=LLAnalyzer::LLANALYZER_IPV6),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_NULL, $identifier=30, $analyzer=LLAnalyzer::LLANALYZER_IPV6)
-};
diff --git a/scripts/base/llprotocols/ppp_serial/main.zeek b/scripts/base/llprotocols/ppp_serial/main.zeek
deleted file mode 100644
index cb873a773b..0000000000
--- a/scripts/base/llprotocols/ppp_serial/main.zeek
+++ /dev/null
@@ -1,10 +0,0 @@
-module LL_PPP_SERIAL;
-
-const DLT_PPP_SERIAL : count = 50;
-
-redef LLAnalyzer::config_map += {
- LLAnalyzer::ConfigEntry($identifier=DLT_PPP_SERIAL, $analyzer=LLAnalyzer::LLANALYZER_PPPSERIAL),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_PPPSERIAL, $identifier=0x0281, $analyzer=LLAnalyzer::LLANALYZER_MPLS),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_PPPSERIAL, $identifier=0x0021, $analyzer=LLAnalyzer::LLANALYZER_IPV4),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_PPPSERIAL, $identifier=0x0057, $analyzer=LLAnalyzer::LLANALYZER_IPV6)
-};
diff --git a/scripts/base/llprotocols/pppoe/main.zeek b/scripts/base/llprotocols/pppoe/main.zeek
deleted file mode 100644
index 737658d826..0000000000
--- a/scripts/base/llprotocols/pppoe/main.zeek
+++ /dev/null
@@ -1,6 +0,0 @@
-module LL_PPPOE;
-
-redef LLAnalyzer::config_map += {
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_PPPOE, $identifier=0x0021, $analyzer=LLAnalyzer::LLANALYZER_IPV4),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_PPPOE, $identifier=0x0057, $analyzer=LLAnalyzer::LLANALYZER_IPV6)
-};
diff --git a/scripts/base/llprotocols/vlan/main.zeek b/scripts/base/llprotocols/vlan/main.zeek
deleted file mode 100644
index 97e4cdcb09..0000000000
--- a/scripts/base/llprotocols/vlan/main.zeek
+++ /dev/null
@@ -1,11 +0,0 @@
-module LL_VLAN;
-
-redef LLAnalyzer::config_map += {
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_VLAN, $identifier=0x8847, $analyzer=LLAnalyzer::LLANALYZER_MPLS),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_VLAN, $identifier=0x0800, $analyzer=LLAnalyzer::LLANALYZER_IPV4),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_VLAN, $identifier=0x86DD, $analyzer=LLAnalyzer::LLANALYZER_IPV6),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_VLAN, $identifier=0x0806, $analyzer=LLAnalyzer::LLANALYZER_ARP),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_VLAN, $identifier=0x8035, $analyzer=LLAnalyzer::LLANALYZER_ARP),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_VLAN, $identifier=0x8100, $analyzer=LLAnalyzer::LLANALYZER_VLAN),
- LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_VLAN, $identifier=0x8864, $analyzer=LLAnalyzer::LLANALYZER_PPPOE)
-};
diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek
new file mode 100644
index 0000000000..60c804f2fd
--- /dev/null
+++ b/scripts/base/packet-protocols/__load__.zeek
@@ -0,0 +1,11 @@
+@load base/packet-protocols/default
+@load base/packet-protocols/ethernet
+@load base/packet-protocols/fddi
+@load base/packet-protocols/ieee802_11
+@load base/packet-protocols/ieee802_11_radio
+@load base/packet-protocols/linux_sll
+@load base/packet-protocols/nflog
+@load base/packet-protocols/null
+@load base/packet-protocols/ppp_serial
+@load base/packet-protocols/pppoe
+@load base/packet-protocols/vlan
diff --git a/scripts/base/llprotocols/default/__load__.zeek b/scripts/base/packet-protocols/default/__load__.zeek
similarity index 100%
rename from scripts/base/llprotocols/default/__load__.zeek
rename to scripts/base/packet-protocols/default/__load__.zeek
diff --git a/scripts/base/packet-protocols/default/main.zeek b/scripts/base/packet-protocols/default/main.zeek
new file mode 100644
index 0000000000..2d0d451d3f
--- /dev/null
+++ b/scripts/base/packet-protocols/default/main.zeek
@@ -0,0 +1,6 @@
+module LL_DEFAULT;
+
+redef PacketAnalyzer::config_map += {
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_DEFAULTANALYZER, $identifier=4, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_DEFAULTANALYZER, $identifier=6, $analyzer=PacketAnalyzer::ANALYZER_IPV6)
+};
diff --git a/scripts/base/llprotocols/ethernet/__load__.zeek b/scripts/base/packet-protocols/ethernet/__load__.zeek
similarity index 100%
rename from scripts/base/llprotocols/ethernet/__load__.zeek
rename to scripts/base/packet-protocols/ethernet/__load__.zeek
diff --git a/scripts/base/packet-protocols/ethernet/main.zeek b/scripts/base/packet-protocols/ethernet/main.zeek
new file mode 100644
index 0000000000..ca11767466
--- /dev/null
+++ b/scripts/base/packet-protocols/ethernet/main.zeek
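Review bot: The module names in the files re-created under `scripts/base/packet-protocols/` still carry the old prefix — `module LL_DEFAULT;` here, and likewise `LL_ETHERNET`, `LL_FDDI` and `LL_IEEE802_11` in the ethernet, fddi and ieee802_11 `main.zeek` hunks that follow — while everything else in this commit moves from the LL naming to PacketAnalyzer. These modules only hold `redef` statements and `DLT_*` constants, so renaming them to match the new scheme is a local change now and a compatibility break once scripts start referring to them. The `DLT_*` constants are also declared once per module; the old ieee802_11_radio file repeated `DLT_IEEE802_11`, and if its replacement (outside this view) does the same, a single shared definition would avoid the duplicate.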
@@ -0,0 +1,16 @@
+module LL_ETHERNET;
+
+const DLT_EN10MB : count = 1;
+
+redef PacketAnalyzer::config_map += {
+ PacketAnalyzer::ConfigEntry($identifier=DLT_EN10MB, $analyzer=PacketAnalyzer::ANALYZER_ETHERNET),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8847, $analyzer=PacketAnalyzer::ANALYZER_MPLS),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8035, $analyzer=PacketAnalyzer::ANALYZER_ARP),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8100, $analyzer=PacketAnalyzer::ANALYZER_VLAN),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x88A8, $analyzer=PacketAnalyzer::ANALYZER_VLAN),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x9100, $analyzer=PacketAnalyzer::ANALYZER_VLAN),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE)
+};
diff --git a/scripts/base/llprotocols/fddi/__load__.zeek b/scripts/base/packet-protocols/fddi/__load__.zeek
similarity index 100%
rename from scripts/base/llprotocols/fddi/__load__.zeek
rename to scripts/base/packet-protocols/fddi/__load__.zeek
diff --git a/scripts/base/packet-protocols/fddi/main.zeek b/scripts/base/packet-protocols/fddi/main.zeek
new file mode 100644
index 0000000000..b503a143f1
--- /dev/null
+++ b/scripts/base/packet-protocols/fddi/main.zeek
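Review bot: `module LL_ETHERNET;` (like the `LL_*` module names in the sibling scripts of this patch) keeps the old lower-layer prefix even though the directory, the C++ namespace and the enum prefix were all renamed to packet analysis, so script authors will see `PacketAnalyzer::ANALYZER_ETHERNET` referenced from a module still called `LL_ETHERNET`. Consider renaming the module to match, e.g. `module PacketAnalyzer::ETHERNET;`, and adding a short `##` comment above the redef saying that the first entry binds libpcap DLT 1 to the Ethernet analyzer while the remaining entries dispatch on the EtherType. Whether an omitted `$parent` means "root dispatcher" is not visible here, so that comment should state it explicitly once confirmed.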
@@ -0,0 +1,7 @@
+module LL_FDDI;
+
+const DLT_FDDI : count = 10;
+
+redef PacketAnalyzer::config_map += {
+ PacketAnalyzer::ConfigEntry($identifier=DLT_FDDI, $analyzer=PacketAnalyzer::ANALYZER_FDDI)
+};
diff --git a/scripts/base/llprotocols/ieee802_11/__load__.zeek b/scripts/base/packet-protocols/ieee802_11/__load__.zeek
similarity index 100%
rename from scripts/base/llprotocols/ieee802_11/__load__.zeek
rename to scripts/base/packet-protocols/ieee802_11/__load__.zeek
diff --git a/scripts/base/packet-protocols/ieee802_11/main.zeek b/scripts/base/packet-protocols/ieee802_11/main.zeek
new file mode 100644
index 0000000000..221f301ef3
--- /dev/null
+++ b/scripts/base/packet-protocols/ieee802_11/main.zeek
@@ -0,0 +1,11 @@
+module LL_IEEE802_11;
+
+const DLT_IEEE802_11 : count = 105;
+
+redef PacketAnalyzer::config_map += {
+ PacketAnalyzer::ConfigEntry($identifier=DLT_IEEE802_11, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x8035, $analyzer=PacketAnalyzer::ANALYZER_ARP)
+};
diff --git a/scripts/base/llprotocols/ieee802_11_radio/__load__.zeek b/scripts/base/packet-protocols/ieee802_11_radio/__load__.zeek
similarity index 100%
rename from scripts/base/llprotocols/ieee802_11_radio/__load__.zeek
rename to scripts/base/packet-protocols/ieee802_11_radio/__load__.zeek
diff --git a/scripts/base/packet-protocols/ieee802_11_radio/main.zeek b/scripts/base/packet-protocols/ieee802_11_radio/main.zeek
new file mode 100644
index 0000000000..52660f6e5e
--- /dev/null
+++ b/scripts/base/packet-protocols/ieee802_11_radio/main.zeek
@@ -0,0 +1,9 @@
+module LL_IEEE802_11_RADIO;
+
+const DLT_IEEE802_11_RADIO : count = 127;
+const DLT_IEEE802_11 : count = 105;
+
+redef PacketAnalyzer::config_map += {
+ PacketAnalyzer::ConfigEntry($identifier=DLT_IEEE802_11_RADIO, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11_RADIO),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11_RADIO, $identifier=DLT_IEEE802_11, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11)
+};
diff --git a/scripts/base/llprotocols/linux_sll/__load__.zeek b/scripts/base/packet-protocols/linux_sll/__load__.zeek
similarity index 100%
rename from scripts/base/llprotocols/linux_sll/__load__.zeek
rename to scripts/base/packet-protocols/linux_sll/__load__.zeek
diff --git a/scripts/base/packet-protocols/linux_sll/main.zeek b/scripts/base/packet-protocols/linux_sll/main.zeek
new file mode 100644
index 0000000000..096ffb2d74
--- /dev/null
+++ b/scripts/base/packet-protocols/linux_sll/main.zeek
@@ -0,0 +1,12 @@
+module LL_LINUX_SLL;
+
+const DLT_LINUX_SLL : count = 113;
+
+redef PacketAnalyzer::config_map += {
+ PacketAnalyzer::ConfigEntry($identifier=DLT_LINUX_SLL, $analyzer=PacketAnalyzer::ANALYZER_LINUXSLL),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP),
+ # RARP
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x8035, $analyzer=PacketAnalyzer::ANALYZER_ARP)
+};
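Review bot: `const DLT_IEEE802_11 : count = 105;` duplicates the constant already declared in ieee802_11/main.zeek in this patch under a different module, so the two copies can silently drift apart; here the value is the identifier the radiotap analyzer hands to the next layer, and it only works while it equals the DLT the IEEE802_11 analyzer is registered under. Prefer a single exported definition shared by both scripts, or at minimum a comment on this line such as `# Must match DLT_IEEE802_11 in ieee802_11/main.zeek: the radiotap analyzer dispatches on this value.`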
diff --git a/scripts/base/llprotocols/nflog/__load__.zeek b/scripts/base/packet-protocols/nflog/__load__.zeek
similarity index 100%
rename from scripts/base/llprotocols/nflog/__load__.zeek
rename to scripts/base/packet-protocols/nflog/__load__.zeek
diff --git a/scripts/base/packet-protocols/nflog/main.zeek b/scripts/base/packet-protocols/nflog/main.zeek
new file mode 100644
index 0000000000..ebbf156df8
--- /dev/null
+++ b/scripts/base/packet-protocols/nflog/main.zeek
@@ -0,0 +1,11 @@
+module LL_NFLOG;
+
+const DLT_NFLOG : count = 239;
+const AF_INET : count = 2;
+const AF_INET6 : count = 10;
+
+redef PacketAnalyzer::config_map += {
+ PacketAnalyzer::ConfigEntry($identifier=DLT_NFLOG, $analyzer=PacketAnalyzer::ANALYZER_NFLOG),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NFLOG, $identifier=AF_INET, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NFLOG, $identifier=AF_INET6, $analyzer=PacketAnalyzer::ANALYZER_IPV6)
+};
diff --git a/scripts/base/llprotocols/null/__load__.zeek b/scripts/base/packet-protocols/null/__load__.zeek
similarity index 100%
rename from scripts/base/llprotocols/null/__load__.zeek
rename to scripts/base/packet-protocols/null/__load__.zeek
diff --git a/scripts/base/packet-protocols/null/main.zeek b/scripts/base/packet-protocols/null/main.zeek
new file mode 100644
index 0000000000..f2a8a02245
--- /dev/null
+++ b/scripts/base/packet-protocols/null/main.zeek
@@ -0,0 +1,19 @@
+module LL_NULL;
+
+const DLT_NULL : count = 0;
+const AF_INET : count = 2;
+const AF_INET6 : count = 10;
+
+redef PacketAnalyzer::config_map += {
+ PacketAnalyzer::ConfigEntry($identifier=DLT_NULL, $analyzer=PacketAnalyzer::ANALYZER_NULL),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NULL, $identifier=AF_INET, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
+
+ ## From the Wireshark Wiki: AF_INET6ANALYZER, unfortunately, has different values in
+ ## {NetBSD,OpenBSD,BSD/OS}, {FreeBSD,DragonFlyBSD}, and {Darwin/Mac OS X}, so an IPv6
+ ## packet might have a link-layer header with 24, 28, or 30 as the AF_ value. As we
+ ## may be reading traces captured on platforms other than what we're running on, we
+ ## accept them all here.
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NULL, $identifier=24, $analyzer=PacketAnalyzer::ANALYZER_IPV6),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NULL, $identifier=28, $analyzer=PacketAnalyzer::ANALYZER_IPV6),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NULL, $identifier=30, $analyzer=PacketAnalyzer::ANALYZER_IPV6)
+};
diff --git a/scripts/base/llprotocols/ppp_serial/__load__.zeek b/scripts/base/packet-protocols/ppp_serial/__load__.zeek
similarity index 100%
rename from scripts/base/llprotocols/ppp_serial/__load__.zeek
rename to scripts/base/packet-protocols/ppp_serial/__load__.zeek
diff --git a/scripts/base/packet-protocols/ppp_serial/main.zeek b/scripts/base/packet-protocols/ppp_serial/main.zeek
new file mode 100644
index 0000000000..1feb5fdfe3
--- /dev/null
+++ b/scripts/base/packet-protocols/ppp_serial/main.zeek
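Review bot: `const AF_INET6 : count = 10;` is declared but never used in this config_map, which accepts only 24, 28 and 30 as the IPv6 address-family values for DLT_NULL; if Linux-style loopback headers (AF_INET6 == 10) are expected, an entry `PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NULL, $identifier=AF_INET6, $analyzer=PacketAnalyzer::ANALYZER_IPV6)` is missing, otherwise the constant should be dropped so it does not suggest coverage that is not there. The quoted Wireshark comment also reads `AF_INET6ANALYZER, unfortunately, has different values`, which looks like a search-and-replace artifact from the rename and should read `AF_INET6, unfortunately, has different values`.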
@@ -0,0 +1,10 @@
+module LL_PPP_SERIAL;
+
+const DLT_PPP_SERIAL : count = 50;
+
+redef PacketAnalyzer::config_map += {
+ PacketAnalyzer::ConfigEntry($identifier=DLT_PPP_SERIAL, $analyzer=PacketAnalyzer::ANALYZER_PPPSERIAL),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0281, $analyzer=PacketAnalyzer::ANALYZER_MPLS),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0021, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0057, $analyzer=PacketAnalyzer::ANALYZER_IPV6)
+};
diff --git a/scripts/base/llprotocols/pppoe/__load__.zeek b/scripts/base/packet-protocols/pppoe/__load__.zeek
similarity index 100%
rename from scripts/base/llprotocols/pppoe/__load__.zeek
rename to scripts/base/packet-protocols/pppoe/__load__.zeek
diff --git a/scripts/base/packet-protocols/pppoe/main.zeek b/scripts/base/packet-protocols/pppoe/main.zeek
new file mode 100644
index 0000000000..8416e42bf2
--- /dev/null
+++ b/scripts/base/packet-protocols/pppoe/main.zeek
@@ -0,0 +1,6 @@
+module LL_PPPOE;
+
+redef PacketAnalyzer::config_map += {
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPOE, $identifier=0x0021, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPOE, $identifier=0x0057, $analyzer=PacketAnalyzer::ANALYZER_IPV6)
+};
diff --git a/scripts/base/llprotocols/vlan/__load__.zeek b/scripts/base/packet-protocols/vlan/__load__.zeek
similarity index 100%
rename from scripts/base/llprotocols/vlan/__load__.zeek
rename to scripts/base/packet-protocols/vlan/__load__.zeek
diff --git a/scripts/base/packet-protocols/vlan/main.zeek b/scripts/base/packet-protocols/vlan/main.zeek
new file mode 100644
index 0000000000..78bff9398a
--- /dev/null
+++ b/scripts/base/packet-protocols/vlan/main.zeek
@@ -0,0 +1,11 @@
+module LL_VLAN;
+
+redef PacketAnalyzer::config_map += {
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x8847, $analyzer=PacketAnalyzer::ANALYZER_MPLS),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x8035, $analyzer=PacketAnalyzer::ANALYZER_ARP),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x8100, $analyzer=PacketAnalyzer::ANALYZER_VLAN),
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE)
+};
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 9545236898..e851872b65 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -146,7 +146,7 @@ set(bro_PLUGIN_LIBS CACHE INTERNAL "plugin libraries" FORCE)
 set(bro_PLUGIN_DEPS CACHE INTERNAL "plugin dependencies" FORCE)
 add_subdirectory(analyzer)
-add_subdirectory(llanalyzer)
+add_subdirectory(packet_analysis)
 add_subdirectory(broker)
 add_subdirectory(zeekygen)
 add_subdirectory(file_analysis)
diff --git a/src/DebugLogger.cc b/src/DebugLogger.cc
index 497bae8230..96a9ce171c 100644
--- a/src/DebugLogger.cc
+++ b/src/DebugLogger.cc
@@ -19,7 +19,7 @@ DebugLogger::Stream DebugLogger::streams[NUM_DBGS] = {
 { "string", 0, false },
 { "notifiers", 0, false },
 { "main-loop", 0, false },
- { "llanalyzer", 0, false },
+ { "packet_analysis", 0, false },
 { "dpd", 0, false },
 { "tm", 0, false },
 { "logging", 0, false },
diff --git a/src/DebugLogger.h b/src/DebugLogger.h
index 80ec926b1b..1005c367a6 100644
--- a/src/DebugLogger.h
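Review bot: The VLAN dispatcher re-enters itself only for TPID 0x8100, whereas the Ethernet table in this same patch also routes 0x88A8 and 0x9100 to ANALYZER_VLAN; a stacked frame whose inner tag carries one of those TPIDs would stop here with `no_suitable_analyzer_found` instead of being parsed. If that stacking order is meant to be supported, mirror ethernet/main.zeek with `PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x88A8, $analyzer=PacketAnalyzer::ANALYZER_VLAN)` and the same for 0x9100; if it is deliberately unsupported, a `# only 0x8100 is accepted as an inner tag` comment would stop the next reader from adding it by accident.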
+++ b/src/DebugLogger.h @@ -30,24 +30,24 @@ namespace zeek { // an entry to DebugLogger::streams in DebugLogger.cc. enum DebugStream { - DBG_SERIAL, // Serialization - DBG_RULES, // Signature matching - DBG_STRING, // String code - DBG_NOTIFIERS, // Notifiers - DBG_MAINLOOP, // Main IOSource loop - DBG_LLANALYZER, // Low-Layer Analyzer Proof of Concept - DBG_ANALYZER, // Analyzer framework - DBG_TM, // Time-machine packet input via Brocolli - DBG_LOGGING, // Logging streams - DBG_INPUT, // Input streams - DBG_THREADING, // Threading system - DBG_FILE_ANALYSIS, // File analysis - DBG_PLUGINS, // Plugin system - DBG_ZEEKYGEN, // Zeekygen - DBG_PKTIO, // Packet sources and dumpers. - DBG_BROKER, // Broker communication - DBG_SCRIPTS, // Script initialization - DBG_SUPERVISOR, // Process supervisor + DBG_SERIAL, // Serialization + DBG_RULES, // Signature matching + DBG_STRING, // String code + DBG_NOTIFIERS, // Notifiers + DBG_MAINLOOP, // Main IOSource loop + DBG_ANALYZER, // Analyzer framework + DBG_PACKET_ANALYSIS, // Packet analysis + DBG_FILE_ANALYSIS, // File analysis + DBG_TM, // Time-machine packet input via Brocolli + DBG_LOGGING, // Logging streams + DBG_INPUT, // Input streams + DBG_THREADING, // Threading system + DBG_PLUGINS, // Plugin system + DBG_ZEEKYGEN, // Zeekygen + DBG_PKTIO, // Packet sources and dumpers. + DBG_BROKER, // Broker communication + DBG_SCRIPTS, // Script initialization + DBG_SUPERVISOR, // Process supervisor NUM_DBGS // Has to be last }; diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index ae074bb9da..e2c9ca01b6 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -3,7 +3,7 @@ #include "Desc.h" #include "IP.h" #include "iosource/Manager.h" -#include "llanalyzer/Manager.h" +#include "packet_analysis/Manager.h" #include "Var.h" extern "C" { 
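Review bot: Reordering this enum breaks its positional correspondence with `DebugLogger::streams[]`: DBG_ANALYZER now precedes DBG_PACKET_ANALYSIS and DBG_FILE_ANALYSIS moves ahead of DBG_TM, but the DebugLogger.cc hunk in this patch only renames the entry in place, leaving the array in the order main-loop, packet_analysis, dpd, tm, logging. If the array is indexed by enum value, which the comment above the enum about adding an entry to `DebugLogger::streams` suggests, every stream from DBG_ANALYZER through DBG_THREADING would log under the wrong name and enable flag (presumably enabling "dpd" on the command line would turn on packet-analysis output instead). Either keep the old positions, i.e. `DBG_PACKET_ANALYSIS` directly after `DBG_MAINLOOP` and `DBG_FILE_ANALYSIS` after `DBG_THREADING`, or reorder `streams[]` in the same commit and add `// NOTE: order must match DebugLogger::streams[] in DebugLogger.cc` above the enum.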
@@ -59,15 +59,15 @@ void Packet::Init(int arg_link_type, pkt_timeval *arg_ts, uint32_t arg_caplen, l3_proto = L3_UNKNOWN; l3_checksummed = false; - // For ll-analyzer: cur_pos points to the next payload. + // For packet analyzer: cur_pos points to the next payload. cur_pos = data; if ( data ) { - // From here we assume that layer 2 is valid. If an ll-analyzer encounters + // From here we assume that layer 2 is valid. If a packet analyzer encounters // an issue, it will call Packet::Weird(), which sets l2_valid to false. l2_valid = true; - llanalyzer_mgr->ProcessPacket(this); + packet_mgr->ProcessPacket(this); // Calculate header size after processing lower layers. hdr_size = cur_pos - data; } diff --git a/src/llanalyzer/protocol/default/Plugin.cc b/src/llanalyzer/protocol/default/Plugin.cc deleted file mode 100644 index cc92fd6870..0000000000 --- a/src/llanalyzer/protocol/default/Plugin.cc +++ /dev/null @@ -1,24 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#include "Default.h" -#include "plugin/Plugin.h" -#include "llanalyzer/Component.h" - -namespace zeek::plugin::LLAnalyzer_Default { - -class Plugin : public zeek::plugin::Plugin { -public: - zeek::plugin::Configuration Configure() - { - AddComponent(new zeek::llanalyzer::Component("DefaultAnalyzer", - zeek::llanalyzer::Default::DefaultAnalyzer::Instantiate)); - - zeek::plugin::Configuration config; - config.name = "LLAnalyzer::DefaultAnalyzer"; - config.description = "Default LL-Analyzer for IP fallback"; - return config; - } - -} plugin; - -} diff --git a/src/llanalyzer/protocol/ethernet/Plugin.cc b/src/llanalyzer/protocol/ethernet/Plugin.cc deleted file mode 100644 index 5ae0e1cc87..0000000000 --- a/src/llanalyzer/protocol/ethernet/Plugin.cc +++ /dev/null 
@@ -1,24 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#include "Ethernet.h" -#include "plugin/Plugin.h" -#include "llanalyzer/Component.h" - -namespace zeek::plugin::LLAnalyzer_Ethernet { - -class Plugin : public zeek::plugin::Plugin { -public: - zeek::plugin::Configuration Configure() - { - AddComponent(new zeek::llanalyzer::Component("Ethernet", - zeek::llanalyzer::Ethernet::EthernetAnalyzer::Instantiate)); - - zeek::plugin::Configuration config; - config.name = "LLAnalyzer::Ethernet"; - config.description = "Ethernet LL-Analyzer"; - return config; - } - -} plugin; - -} diff --git a/src/llanalyzer/protocol/ieee802_11/Plugin.cc b/src/llanalyzer/protocol/ieee802_11/Plugin.cc deleted file mode 100644 index b85fb29b9a..0000000000 --- a/src/llanalyzer/protocol/ieee802_11/Plugin.cc +++ /dev/null @@ -1,24 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#include "IEEE802_11.h" -#include "plugin/Plugin.h" -#include "llanalyzer/Component.h" - -namespace zeek::plugin::LLAnalyzer_IEEE802_11 { - -class Plugin : public zeek::plugin::Plugin { -public: - zeek::plugin::Configuration Configure() - { - AddComponent(new zeek::llanalyzer::Component("IEEE802_11", - zeek::llanalyzer::IEEE802_11::IEEE802_11Analyzer::Instantiate)); - - zeek::plugin::Configuration config; - config.name = "LLAnalyzer::IEEE802_11"; - config.description = "IEEE 802.11 LL-Analyzer"; - return config; - } - -} plugin; - -} diff --git a/src/llanalyzer/protocol/ieee802_11_radio/Plugin.cc b/src/llanalyzer/protocol/ieee802_11_radio/Plugin.cc deleted file mode 100644 index e0339be75d..0000000000 --- a/src/llanalyzer/protocol/ieee802_11_radio/Plugin.cc +++ /dev/null 
@@ -1,23 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#include "IEEE802_11_Radio.h" -#include "plugin/Plugin.h" -#include "llanalyzer/Component.h" - -namespace zeek::plugin::LLAnalyzer_IEEE802_11_Radio { - -class Plugin : public zeek::plugin::Plugin { -public: - zeek::plugin::Configuration Configure() - { - AddComponent(new zeek::llanalyzer::Component("IEEE802_11_Radio", - zeek::llanalyzer::IEEE802_11_Radio::IEEE802_11_RadioAnalyzer::Instantiate)); - - zeek::plugin::Configuration config; - config.name = "LLAnalyzer::IEEE802_11_Radio"; - config.description = "IEEE 802.11 Radiotap LL-Analyzer"; - return config; - } - -} plugin; -} diff --git a/src/llanalyzer/protocol/linux_sll/Plugin.cc b/src/llanalyzer/protocol/linux_sll/Plugin.cc deleted file mode 100644 index 8968e38c79..0000000000 --- a/src/llanalyzer/protocol/linux_sll/Plugin.cc +++ /dev/null @@ -1,24 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#include "plugin/Plugin.h" -#include "LinuxSLL.h" -#include "llanalyzer/Component.h" - -namespace zeek::plugin::LLAnalyzer_LinuxSLL { - -class Plugin : public zeek::plugin::Plugin { -public: - zeek::plugin::Configuration Configure() - { - AddComponent(new zeek::llanalyzer::Component("LinuxSLL", - zeek::llanalyzer::LinuxSLL::LinuxSLLAnalyzer::Instantiate)); - - zeek::plugin::Configuration config; - config.name = "LLAnalyzer::LinuxSLL"; - config.description = "Linux cooked capture (SLL) LL-Analyzer"; - return config; - } - -} plugin; - -} diff --git a/src/llanalyzer/protocol/ppp_serial/Plugin.cc b/src/llanalyzer/protocol/ppp_serial/Plugin.cc deleted file mode 100644 index c7ac7c42cd..0000000000 --- a/src/llanalyzer/protocol/ppp_serial/Plugin.cc +++ /dev/null 
@@ -1,24 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#include "PPPSerial.h" -#include "plugin/Plugin.h" -#include "llanalyzer/Component.h" - -namespace zeek::plugin::LLAnalyzer_PPPSerial { - -class Plugin : public zeek::plugin::Plugin { -public: - zeek::plugin::Configuration Configure() - { - AddComponent(new zeek::llanalyzer::Component("PPPSerial", - zeek::llanalyzer::PPPSerial::PPPSerialAnalyzer::Instantiate)); - - zeek::plugin::Configuration config; - config.name = "LLAnalyzer::PPPSerial"; - config.description = "PPPSerial LL-Analyzer"; - return config; - } - -} plugin; - -} diff --git a/src/llanalyzer/Analyzer.cc b/src/packet_analysis/Analyzer.cc similarity index 66% rename from src/llanalyzer/Analyzer.cc rename to src/packet_analysis/Analyzer.cc index ff5798070b..c045a9302f 100644 --- a/src/llanalyzer/Analyzer.cc +++ b/src/packet_analysis/Analyzer.cc @@ -3,14 +3,14 @@ #include #include "Analyzer.h" -namespace zeek::llanalyzer { +namespace zeek::packet_analysis { Analyzer::Analyzer(std::string name) { - Tag t = llanalyzer_mgr->GetComponentTag(name); + Tag t = packet_mgr->GetComponentTag(name); if ( ! t ) - reporter->InternalError("unknown llanalyzer name %s", name.c_str()); + reporter->InternalError("unknown packet_analysis name %s", name.c_str()); Init(t); } @@ -35,13 +35,13 @@ const Tag Analyzer::GetAnalyzerTag() const const char* Analyzer::GetAnalyzerName() const { assert(tag); - return llanalyzer_mgr->GetComponentName(tag).c_str(); + return packet_mgr->GetComponentName(tag).c_str(); } bool Analyzer::IsAnalyzer(const char* name) { assert(tag); - return llanalyzer_mgr->GetComponentName(tag).compare(name) == 0; + return packet_mgr->GetComponentName(tag).compare(name) == 0; } } diff --git a/src/llanalyzer/Analyzer.h b/src/packet_analysis/Analyzer.h similarity index 86% rename from src/llanalyzer/Analyzer.h rename to src/packet_analysis/Analyzer.h index 06dd75e5d1..0a20f2fe39 100644 --- a/src/llanalyzer/Analyzer.h 
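Review bot: `return packet_mgr->GetComponentName(tag).c_str();` in GetAnalyzerName() is only safe if GetComponentName returns a reference to storage owned by the manager; if it returns a `std::string` by value, the pointer dangles as soon as the temporary is destroyed at the end of the statement, so this is worth confirming against ComponentManager, which is not visible here. The constructor hunk's message `"unknown packet_analysis name %s"` reads as a mechanical rename of the old text; `"unknown packet analyzer name %s"` would be clearer to whoever sees the InternalError.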
+++ b/src/packet_analysis/Analyzer.h @@ -6,15 +6,15 @@ #include "Tag.h" #include -namespace zeek::llanalyzer { +namespace zeek::packet_analysis { /** - * Result of low layer analysis. + * Result of packet analysis. */ enum class AnalyzerResult { Failed, // Analysis failed - Continue, // Analysis succeded and an encapuslated protocol was determined - Terminate // Analysis succeded and there is no further analysis to do + Continue, // Analysis succeeded and an encapsulated protocol was determined + Terminate // Analysis succeeded and there is no further analysis to do }; using AnalysisResultTuple = std::tuple; @@ -49,7 +49,7 @@ public: /** * Returns a textual description of the analyzer's type. This is - * what's passed to the constructor and usally corresponds to the + * what's passed to the constructor and usually corresponds to the * protocol name, e.g., "ARP". */ const char* GetAnalyzerName() const; @@ -86,4 +86,4 @@ private: void Init(const Tag& tag); }; -} // llanalyzer namespace end +} diff --git a/src/llanalyzer/AnalyzerSet.h b/src/packet_analysis/AnalyzerSet.h similarity index 91% rename from src/llanalyzer/AnalyzerSet.h rename to src/packet_analysis/AnalyzerSet.h index de71fb7dda..5e9c538ce2 100644 --- a/src/llanalyzer/AnalyzerSet.h +++ b/src/packet_analysis/AnalyzerSet.h @@ -5,7 +5,7 @@ #include "Analyzer.h" #include "Defines.h" -namespace zeek::llanalyzer { +namespace zeek::packet_analysis { class Analyzer; diff --git a/src/llanalyzer/CMakeLists.txt b/src/packet_analysis/CMakeLists.txt similarity index 100% rename from src/llanalyzer/CMakeLists.txt rename to src/packet_analysis/CMakeLists.txt diff --git a/src/llanalyzer/Component.cc b/src/packet_analysis/Component.cc similarity index 69% rename from src/llanalyzer/Component.cc rename to src/packet_analysis/Component.cc index a5991cbf2b..7ca6f24bcc 100644 --- a/src/llanalyzer/Component.cc +++ b/src/packet_analysis/Component.cc 
@@ -4,11 +4,11 @@ #include "Desc.h" #include "Manager.h" -using namespace zeek::llanalyzer; +using namespace zeek::packet_analysis; Component::Component(const std::string& name, factory_callback arg_factory, Tag::subtype_t arg_subtype, bool arg_enabled) - : plugin::Component(plugin::component::LLANALYZER, name), - plugin::TaggedComponent(arg_subtype) + : plugin::Component(plugin::component::PACKET_ANALYZER, name), + plugin::TaggedComponent(arg_subtype) { factory = arg_factory; enabled = arg_enabled; @@ -17,14 +17,14 @@ Component::Component(const std::string& name, factory_callback arg_factory, Tag: void Component::Initialize() { InitializeTag(); - llanalyzer_mgr->RegisterComponent(this, "LLANALYZER_"); + packet_mgr->RegisterComponent(this, "ANALYZER_"); } void Component::DoDescribe(ODesc* d) const { if ( factory ) { - d->Add("LLANALYZER_"); + d->Add("ANALYZER_"); d->Add(CanonicalName()); d->Add(", "); } diff --git a/src/llanalyzer/Component.h b/src/packet_analysis/Component.h similarity index 92% rename from src/llanalyzer/Component.h rename to src/packet_analysis/Component.h index 5d9ed0c6f3..8bb7452080 100644 --- a/src/llanalyzer/Component.h +++ b/src/packet_analysis/Component.h @@ -9,12 +9,12 @@ #include "plugin/Component.h" #include "plugin/TaggedComponent.h" -namespace zeek::llanalyzer { +namespace zeek::packet_analysis { class Analyzer; class Component : public plugin::Component, - public plugin::TaggedComponent { + public plugin::TaggedComponent { public: typedef Analyzer* (*factory_callback)(); diff --git a/src/llanalyzer/Config.cc b/src/packet_analysis/Config.cc similarity index 93% rename from src/llanalyzer/Config.cc rename to src/packet_analysis/Config.cc index 1c068d27c2..bfb41d2540 100644 --- a/src/llanalyzer/Config.cc +++ b/src/packet_analysis/Config.cc @@ -4,7 +4,7 @@ #include "Reporter.h" #include "DebugLogger.h" -namespace zeek::llanalyzer { +namespace zeek::packet_analysis { // ############################## // ####### DispatcherConfig ##### 
@@ -22,7 +22,7 @@ const std::map& DispatcherConfig::GetMappings() const void DispatcherConfig::AddMapping(identifier_t identifier, const std::string& analyzer_name) { - DBG_LOG(DBG_LLANALYZER, "Adding configuration mapping: %s -> %#x -> %s", + DBG_LOG(DBG_PACKET_ANALYSIS, "Adding configuration mapping: %s -> %#x -> %s", name.c_str(), identifier, analyzer_name.c_str()); if ( mappings.count(identifier) ) @@ -84,4 +84,4 @@ void Config::AddMapping(const std::string& name, identifier_t identifier, dispatch_config->get().AddMapping(identifier, analyzer_name); } -} // namespace llanalyzer +} // namespace packet_analysis diff --git a/src/llanalyzer/Config.h b/src/packet_analysis/Config.h similarity index 97% rename from src/llanalyzer/Config.h rename to src/packet_analysis/Config.h index 0ce9837174..f99526d311 100644 --- a/src/llanalyzer/Config.h +++ b/src/packet_analysis/Config.h @@ -10,7 +10,7 @@ #include "Defines.h" -namespace zeek::llanalyzer { +namespace zeek::packet_analysis { class DispatcherConfig { public: diff --git a/src/llanalyzer/Defines.h b/src/packet_analysis/Defines.h similarity index 81% rename from src/llanalyzer/Defines.h rename to src/packet_analysis/Defines.h index 307af09e3a..3479b5b392 100644 --- a/src/llanalyzer/Defines.h +++ b/src/packet_analysis/Defines.h @@ -4,7 +4,7 @@ #include -namespace zeek::llanalyzer { +namespace zeek::packet_analysis { using identifier_t = uint32_t; diff --git a/src/llanalyzer/Manager.cc b/src/packet_analysis/Manager.cc similarity index 76% rename from src/llanalyzer/Manager.cc rename to src/packet_analysis/Manager.cc index 0aa8e7f138..8b0ff3bbb7 100644 --- a/src/llanalyzer/Manager.cc +++ b/src/packet_analysis/Manager.cc @@ -9,10 +9,10 @@ #include "ProtocolAnalyzerSet.h" #include "plugin/Manager.h" -using namespace zeek::llanalyzer; +using namespace zeek::packet_analysis; Manager::Manager() - : plugin::ComponentManager("LLAnalyzer", "Tag") + : plugin::ComponentManager("PacketAnalyzer", "Tag") { } 
@@ -23,11 +23,11 @@ Manager::~Manager() void Manager::InitPostScript() { - auto llanalyzer_mapping = zeek::id::find("LLAnalyzer::config_map"); - if ( ! llanalyzer_mapping ) + auto analyzer_mapping = zeek::id::find("PacketAnalyzer::config_map"); + if ( ! analyzer_mapping ) return; - auto mapping_val = llanalyzer_mapping->GetVal()->AsVectorVal(); + auto mapping_val = analyzer_mapping->GetVal()->AsVectorVal(); if ( mapping_val->Size() == 0 ) return; @@ -53,10 +53,10 @@ void Manager::Done() void Manager::DumpDebug() { #ifdef DEBUG - DBG_LOG(DBG_LLANALYZER, "Available llanalyzers after zeek_init():"); + DBG_LOG(DBG_PACKET_ANALYSIS, "Available packet analyzers after zeek_init():"); for ( auto& current : GetComponents() ) { - DBG_LOG(DBG_LLANALYZER, " %s (%s)", current->Name().c_str(), IsEnabled(current->Tag()) ? "enabled" : "disabled"); + DBG_LOG(DBG_PACKET_ANALYSIS, " %s (%s)", current->Name().c_str(), IsEnabled(current->Tag()) ? "enabled" : "disabled"); } // Dump Analyzer Set @@ -72,7 +72,7 @@ bool Manager::EnableAnalyzer(const Tag& tag) if ( ! p ) return false; - DBG_LOG(DBG_LLANALYZER, "Enabling analyzer %s", p->Name().c_str()); + DBG_LOG(DBG_PACKET_ANALYSIS, "Enabling analyzer %s", p->Name().c_str()); p->SetEnabled(true); return true; @@ -85,7 +85,7 @@ bool Manager::EnableAnalyzer(EnumVal* val) if ( ! p ) return false; - DBG_LOG(DBG_LLANALYZER, "Enabling analyzer %s", p->Name().c_str()); + DBG_LOG(DBG_PACKET_ANALYSIS, "Enabling analyzer %s", p->Name().c_str()); p->SetEnabled(true); return true; @@ -98,7 +98,7 @@ bool Manager::DisableAnalyzer(const Tag& tag) if ( ! p ) return false; - DBG_LOG(DBG_LLANALYZER, "Disabling analyzer %s", p->Name().c_str()); + DBG_LOG(DBG_PACKET_ANALYSIS, "Disabling analyzer %s", p->Name().c_str()); p->SetEnabled(false); return true; 
@@ -111,7 +111,7 @@ bool Manager::DisableAnalyzer(EnumVal* val) if ( ! p ) return false; - DBG_LOG(DBG_LLANALYZER, "Disabling analyzer %s", p->Name().c_str()); + DBG_LOG(DBG_PACKET_ANALYSIS, "Disabling analyzer %s", p->Name().c_str()); p->SetEnabled(false); return true; @@ -119,14 +119,14 @@ bool Manager::DisableAnalyzer(EnumVal* val) void Manager::DisableAllAnalyzers() { - DBG_LOG(DBG_LLANALYZER, "Disabling all analyzers"); + DBG_LOG(DBG_PACKET_ANALYSIS, "Disabling all analyzers"); std::list all_analyzers = GetComponents(); for ( const auto& analyzer : all_analyzers ) analyzer->SetEnabled(false); } -zeek::llanalyzer::Tag Manager::GetAnalyzerTag(const char* name) +zeek::packet_analysis::Tag Manager::GetAnalyzerTag(const char* name) { return GetComponentTag(name); } @@ -160,7 +160,7 @@ Analyzer* Manager::InstantiateAnalyzer(const Tag& tag) if ( ! c ) { - reporter->InternalWarning("request to instantiate unknown llanalyzer"); + reporter->InternalWarning("request to instantiate unknown packet_analysis"); return nullptr; } @@ -201,7 +201,7 @@ void Manager::ProcessPacket(Packet* packet) { #ifdef DEBUG static size_t counter = 0; - DBG_LOG(DBG_LLANALYZER, "Analyzing packet %ld, ts=%.3f...", ++counter, packet->time); + DBG_LOG(DBG_PACKET_ANALYSIS, "Analyzing packet %ld, ts=%.3f...", ++counter, packet->time); #endif if ( ! analyzer_set ) @@ -217,7 +217,7 @@ void Manager::ProcessPacket(Packet* packet) // Analyzer not found if ( current_analyzer == nullptr ) { - DBG_LOG(DBG_LLANALYZER, "Could not find analyzer for identifier %#x", next_layer_id); + DBG_LOG(DBG_PACKET_ANALYSIS, "Could not find analyzer for identifier %#x", next_layer_id); packet->Weird("no_suitable_analyzer_found"); break; } 
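Review bot: `DBG_LOG(DBG_PACKET_ANALYSIS, "Analyzing packet %ld, ts=%.3f...", ++counter, packet->time);` pairs `%ld` with a `size_t` (`static size_t counter = 0;` on the context line), which is undefined behavior wherever `long` and `size_t` differ in width or signedness; use `%zu`. The `%#x` used for identifier_t in the neighbouring hunks is fine while identifier_t stays `uint32_t`, but `PRIx32` would pin that. The InternalWarning text `"request to instantiate unknown packet_analysis"` would read better as `"request to instantiate unknown packet analyzer"`.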
@@ -229,14 +229,14 @@ void Manager::ProcessPacket(Packet* packet) switch ( result ) { case AnalyzerResult::Continue: - DBG_LOG(DBG_LLANALYZER, "Analysis in %s succeeded, next layer identifier is %#x.", + DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s succeeded, next layer identifier is %#x.", current_analyzer->GetAnalyzerName(), next_layer_id); break; case AnalyzerResult::Terminate: - DBG_LOG(DBG_LLANALYZER, "Done, last found layer identifier was %#x.", next_layer_id); + DBG_LOG(DBG_PACKET_ANALYSIS, "Done, last found layer identifier was %#x.", next_layer_id); break; case AnalyzerResult::Failed: - DBG_LOG(DBG_LLANALYZER, "Analysis failed in %s", current_analyzer->GetAnalyzerName()); + DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis failed in %s", current_analyzer->GetAnalyzerName()); } #endif diff --git a/src/llanalyzer/Manager.h b/src/packet_analysis/Manager.h similarity index 95% rename from src/llanalyzer/Manager.h rename to src/packet_analysis/Manager.h index 54e444bb07..30a1facb94 100644 --- a/src/llanalyzer/Manager.h +++ b/src/packet_analysis/Manager.h @@ -15,7 +15,7 @@ #include "../Dict.h" #include "../net_util.h" -namespace zeek::llanalyzer { +namespace zeek::packet_analysis { class AnalyzerSet; @@ -33,7 +33,7 @@ public: /** * Second-stage initialization of the manager. This is called late - * during Bro's initialization after any scripts are processed. + * during Zeek's initialization after any scripts are processed. */ void InitPostScript(); @@ -164,4 +164,4 @@ private: } -extern zeek::llanalyzer::Manager* llanalyzer_mgr; +extern zeek::packet_analysis::Manager* packet_mgr; diff --git a/src/llanalyzer/ProtocolAnalyzerSet.cc b/src/packet_analysis/ProtocolAnalyzerSet.cc similarity index 90% rename from src/llanalyzer/ProtocolAnalyzerSet.cc rename to src/packet_analysis/ProtocolAnalyzerSet.cc index 6d2aeca83f..21a3eac1f6 100644 --- a/src/llanalyzer/ProtocolAnalyzerSet.cc +++ b/src/packet_analysis/ProtocolAnalyzerSet.cc 
@@ -2,7 +2,7 @@
 #include "ProtocolAnalyzerSet.h"
-namespace zeek::llanalyzer {
+namespace zeek::packet_analysis {
 ProtocolAnalyzerSet::ProtocolAnalyzerSet(Config& configuration, const std::string& default_analyzer_name)
 {
@@ -16,7 +16,7 @@ ProtocolAnalyzerSet::ProtocolAnalyzerSet(Config& configuration, const std::strin
 continue;
 // Check if analyzer exists
- if ( Analyzer* newAnalyzer = llanalyzer_mgr->InstantiateAnalyzer(current_mapping.second) )
+ if ( Analyzer* newAnalyzer = packet_mgr->InstantiateAnalyzer(current_mapping.second) )
 analyzers.emplace(current_mapping.second, newAnalyzer);
 }
 }
@@ -24,14 +24,14 @@ ProtocolAnalyzerSet::ProtocolAnalyzerSet(Config& configuration, const std::strin
 // Generate Dispatchers, starting at root
 root_dispatcher = GetDispatcher(configuration, "ROOT");
 if ( root_dispatcher == nullptr )
- reporter->InternalError("No dispatching configuration for ROOT of llanalyzer set.");
+ reporter->InternalError("No dispatching configuration for ROOT of packet_analysis set.");
 // Set up default analysis
 auto it = analyzers.find(default_analyzer_name);
 if ( it != analyzers.end() )
 default_analyzer = it->second;
 else
- default_analyzer = llanalyzer_mgr->InstantiateAnalyzer(default_analyzer_name);
+ default_analyzer = packet_mgr->InstantiateAnalyzer(default_analyzer_name);
 default_dispatcher = nullptr;
 if ( default_analyzer != nullptr )
@@ -89,10 +89,10 @@ void ProtocolAnalyzerSet::Reset()
 void ProtocolAnalyzerSet::DumpDebug() const
 {
 #ifdef DEBUG
- DBG_LOG(DBG_LLANALYZER, "ProtocolAnalyzerSet FSM:");
+ DBG_LOG(DBG_PACKET_ANALYSIS, "ProtocolAnalyzerSet FSM:");
 for ( const auto& current : dispatchers )
 {
- DBG_LOG(DBG_LLANALYZER, " Dispatcher (%p): %s", current.second, current.first.c_str());
+ DBG_LOG(DBG_PACKET_ANALYSIS, " Dispatcher (%p): %s", current.second, current.first.c_str());
 current.second->DumpDebug();
 }
 #endif
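Review bot: The InternalError text in the ROOT hunk, `"No dispatching configuration for ROOT of packet_analysis set."`, carries the C++ namespace name into a diagnostic that operators will read; `"No dispatching configuration for ROOT of packet analyzer set."` says the same thing in plain words. The fallback on the following lines is consistent with the Manager hunk earlier in this diff, where InstantiateAnalyzer() returns nullptr with an InternalWarning for an unknown name, and the `default_analyzer != nullptr` check here covers that case. The constructor body begins and ends outside the visible hunks.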
diff --git a/src/llanalyzer/ProtocolAnalyzerSet.h b/src/packet_analysis/ProtocolAnalyzerSet.h similarity index 96% rename from src/llanalyzer/ProtocolAnalyzerSet.h rename to src/packet_analysis/ProtocolAnalyzerSet.h index 1f6a786456..bde05e73f9 100644 --- a/src/llanalyzer/ProtocolAnalyzerSet.h +++ b/src/packet_analysis/ProtocolAnalyzerSet.h @@ -8,7 +8,7 @@ #include "dispatchers/UniversalDispatcher.h" #include "dispatchers/VectorDispatcher.h" -namespace zeek::llanalyzer { +namespace zeek::packet_analysis { class ProtocolAnalyzerSet : public AnalyzerSet { diff --git a/src/llanalyzer/Tag.cc b/src/packet_analysis/Tag.cc similarity index 78% rename from src/llanalyzer/Tag.cc rename to src/packet_analysis/Tag.cc index 9960ed5e35..c33ab0dd82 100644 --- a/src/llanalyzer/Tag.cc +++ b/src/packet_analysis/Tag.cc @@ -3,12 +3,12 @@ #include "Tag.h" #include "Manager.h" -namespace zeek::llanalyzer { +namespace zeek::packet_analysis { Tag Tag::Error; Tag::Tag(type_t type, subtype_t subtype) - : zeek::Tag(llanalyzer_mgr->GetTagType(), type, subtype) + : zeek::Tag(packet_mgr->GetTagType(), type, subtype) { } @@ -20,7 +20,7 @@ Tag& Tag::operator=(const Tag& other) const IntrusivePtr& Tag::AsVal() const { - return zeek::Tag::AsVal(llanalyzer_mgr->GetTagType()); + return zeek::Tag::AsVal(packet_mgr->GetTagType()); } EnumVal* Tag::AsEnumVal() const diff --git a/src/llanalyzer/Tag.h b/src/packet_analysis/Tag.h similarity index 97% rename from src/llanalyzer/Tag.h rename to src/packet_analysis/Tag.h index 66c2cdc6cb..0d554e52f8 100644 --- a/src/llanalyzer/Tag.h +++ b/src/packet_analysis/Tag.h @@ -18,7 +18,7 @@ namespace plugin { zeek::plugin::ComponentManager; } -namespace zeek::llanalyzer { +namespace zeek::packet_analysis { class Manager; class Component; @@ -100,7 +100,7 @@ public: protected: - friend class llanalyzer::Manager; + friend class packet_analysis::Manager; friend class plugin::ComponentManager; friend class plugin::TaggedComponent; 
diff --git a/src/llanalyzer/dispatchers/CMakeLists.txt b/src/packet_analysis/dispatchers/CMakeLists.txt similarity index 100% rename from src/llanalyzer/dispatchers/CMakeLists.txt rename to src/packet_analysis/dispatchers/CMakeLists.txt diff --git a/src/llanalyzer/dispatchers/Dispatcher.h b/src/packet_analysis/dispatchers/Dispatcher.h similarity index 96% rename from src/llanalyzer/dispatchers/Dispatcher.h rename to src/packet_analysis/dispatchers/Dispatcher.h index a59060459d..e71d1b5dfb 100644 --- a/src/llanalyzer/dispatchers/Dispatcher.h +++ b/src/packet_analysis/dispatchers/Dispatcher.h @@ -8,7 +8,7 @@ #include "Analyzer.h" #include "Defines.h" -namespace zeek::llanalyzer { +namespace zeek::packet_analysis { class Dispatcher; // Forward decl for Value using register_pair = std::pair>; diff --git a/src/llanalyzer/dispatchers/UniversalDispatcher.cc b/src/packet_analysis/dispatchers/UniversalDispatcher.cc similarity index 91% rename from src/llanalyzer/dispatchers/UniversalDispatcher.cc rename to src/packet_analysis/dispatchers/UniversalDispatcher.cc index 2bc86664e1..685c275b70 100644 --- a/src/llanalyzer/dispatchers/UniversalDispatcher.cc +++ b/src/packet_analysis/dispatchers/UniversalDispatcher.cc @@ -2,7 +2,7 @@ #include "UniversalDispatcher.h" -namespace zeek::llanalyzer { +namespace zeek::packet_analysis { UniversalDispatcher::UniversalDispatcher() : generator(rd()) { 
@@ -121,11 +121,11 @@ void UniversalDispatcher::Rehash() void UniversalDispatcher::DumpDebug() const { #ifdef DEBUG - DBG_LOG(DBG_LLANALYZER, " Dispatcher elements (used/total): %lu/%lu", Size(), table.size()); + DBG_LOG(DBG_PACKET_ANALYSIS, " Dispatcher elements (used/total): %lu/%lu", Size(), table.size()); for ( size_t i = 0; i < table.size(); i++ ) { if ( table[i].second != nullptr ) - DBG_LOG(DBG_LLANALYZER, " %#8x => %s, %p", table[i].first, table[i].second->analyzer->GetAnalyzerName(), table[i].second->dispatcher); + DBG_LOG(DBG_PACKET_ANALYSIS, " %#8x => %s, %p", table[i].first, table[i].second->analyzer->GetAnalyzerName(), table[i].second->dispatcher); } #endif } @@ -147,7 +147,7 @@ void UniversalDispatcher::Rehash(const std::vector& intermediate) { while ( ! FindCollisionFreeHashFunction(intermediate) ) { - DBG_LOG(DBG_LLANALYZER, "Rehashing did not work. Increasing #bins to %" PRIu64 " (%" PRIu64 " bit).", (uint64_t)std::pow(2, m + 1), m + 1); + DBG_LOG(DBG_PACKET_ANALYSIS, "Rehashing did not work. Increasing #bins to %" PRIu64 " (%" PRIu64 " bit).", (uint64_t)std::pow(2, m + 1), m + 1); SetBins(m + 1); } } @@ -195,7 +195,7 @@ bool UniversalDispatcher::FindCollisionFreeHashFunction(const std::vector #include "Dispatcher.h" -namespace zeek::llanalyzer { +namespace zeek::packet_analysis { class UniversalDispatcher : public Dispatcher { public: diff --git a/src/llanalyzer/dispatchers/VectorDispatcher.cc b/src/packet_analysis/dispatchers/VectorDispatcher.cc similarity index 89% rename from src/llanalyzer/dispatchers/VectorDispatcher.cc rename to src/packet_analysis/dispatchers/VectorDispatcher.cc index d948e3efda..0afa8660f0 100644 --- a/src/llanalyzer/dispatchers/VectorDispatcher.cc +++ b/src/packet_analysis/dispatchers/VectorDispatcher.cc @@ -4,7 +4,7 @@ #include "VectorDispatcher.h" -namespace zeek::llanalyzer { +namespace zeek::packet_analysis { VectorDispatcher::~VectorDispatcher() { 
@@ -109,12 +109,12 @@ void VectorDispatcher::FreeValues() void VectorDispatcher::DumpDebug() const { #ifdef DEBUG - DBG_LOG(DBG_LLANALYZER, " Dispatcher elements (used/total): %lu/%lu", Size(), table.size()); - DBG_LOG(DBG_LLANALYZER, "TABLE SIZE %lu", table.size()); + DBG_LOG(DBG_PACKET_ANALYSIS, " Dispatcher elements (used/total): %lu/%lu", Size(), table.size()); + DBG_LOG(DBG_PACKET_ANALYSIS, "TABLE SIZE %lu", table.size()); for ( size_t i = 0; i < table.size(); i++ ) { if ( table[i] != nullptr ) - DBG_LOG(DBG_LLANALYZER, " %#8lx => %s, %p", i+lowest_identifier, table[i]->analyzer->GetAnalyzerName(), table[i]->dispatcher); + DBG_LOG(DBG_PACKET_ANALYSIS, " %#8lx => %s, %p", i+lowest_identifier, table[i]->analyzer->GetAnalyzerName(), table[i]->dispatcher); } #endif } diff --git a/src/llanalyzer/dispatchers/VectorDispatcher.h b/src/packet_analysis/dispatchers/VectorDispatcher.h similarity index 95% rename from src/llanalyzer/dispatchers/VectorDispatcher.h rename to src/packet_analysis/dispatchers/VectorDispatcher.h index e801cde476..5e5b1ff4f7 100644 --- a/src/llanalyzer/dispatchers/VectorDispatcher.h +++ b/src/packet_analysis/dispatchers/VectorDispatcher.h @@ -5,7 +5,7 @@ #include #include "Dispatcher.h" -namespace zeek::llanalyzer { +namespace zeek::packet_analysis { class VectorDispatcher : public Dispatcher { public: diff --git a/src/llanalyzer/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt similarity index 100% rename from src/llanalyzer/protocol/CMakeLists.txt rename to src/packet_analysis/protocol/CMakeLists.txt diff --git a/src/llanalyzer/protocol/arp/ARP.cc b/src/packet_analysis/protocol/arp/ARP.cc similarity index 57% rename from src/llanalyzer/protocol/arp/ARP.cc rename to src/packet_analysis/protocol/arp/ARP.cc index 4def2a449f..d0aa620dde 100644 --- a/src/llanalyzer/protocol/arp/ARP.cc +++ b/src/packet_analysis/protocol/arp/ARP.cc 
@@ -2,14 +2,14 @@ #include "ARP.h" -using namespace zeek::llanalyzer::ARP; +using namespace zeek::packet_analysis::ARP; ARPAnalyzer::ARPAnalyzer() - : zeek::llanalyzer::Analyzer("ARP") + : zeek::packet_analysis::Analyzer("ARP") { } -std::tuple ARPAnalyzer::Analyze(Packet* packet) +std::tuple ARPAnalyzer::Analyze(Packet* packet) { // TODO: Make ARP analyzer a native LL analyzer packet->l3_proto = L3_ARP; diff --git a/src/llanalyzer/protocol/arp/ARP.h b/src/packet_analysis/protocol/arp/ARP.h similarity index 74% rename from src/llanalyzer/protocol/arp/ARP.h rename to src/packet_analysis/protocol/arp/ARP.h index 6bf341ed51..0abfd7bf1d 100644 --- a/src/llanalyzer/protocol/arp/ARP.h +++ b/src/packet_analysis/protocol/arp/ARP.h @@ -2,10 +2,10 @@ #pragma once -#include -#include +#include +#include -namespace zeek::llanalyzer::ARP { +namespace zeek::packet_analysis::ARP { class ARPAnalyzer : public Analyzer { public: diff --git a/src/llanalyzer/protocol/arp/CMakeLists.txt b/src/packet_analysis/protocol/arp/CMakeLists.txt similarity index 100% rename from src/llanalyzer/protocol/arp/CMakeLists.txt rename to src/packet_analysis/protocol/arp/CMakeLists.txt diff --git a/src/llanalyzer/protocol/arp/Plugin.cc b/src/packet_analysis/protocol/arp/Plugin.cc similarity index 51% rename from src/llanalyzer/protocol/arp/Plugin.cc rename to src/packet_analysis/protocol/arp/Plugin.cc index 5a7f296ddf..e2808cffb3 100644 --- a/src/llanalyzer/protocol/arp/Plugin.cc +++ b/src/packet_analysis/protocol/arp/Plugin.cc 
@@ -2,20 +2,20 @@
 #include "plugin/Plugin.h"
 #include "ARP.h"
-#include "llanalyzer/Component.h"
+#include "packet_analysis/Component.h"
-namespace zeek::plugin::LLAnalyzer_ARP {
+namespace zeek::plugin::Zeek_ARP {
 class Plugin : public zeek::plugin::Plugin {
 public:
 zeek::plugin::Configuration Configure()
 {
- AddComponent(new zeek::llanalyzer::Component("ARP",
- zeek::llanalyzer::ARP::ARPAnalyzer::Instantiate));
+ AddComponent(new zeek::packet_analysis::Component("ARP",
+ zeek::packet_analysis::ARP::ARPAnalyzer::Instantiate));
 zeek::plugin::Configuration config;
- config.name = "LLAnalyzer::ARP";
- config.description = "ARP LL-Analyzer";
+ config.name = "Zeek::ARP";
+ config.description = "ARP packet analyzer";
 return config;
 }
diff --git a/src/llanalyzer/protocol/default/CMakeLists.txt b/src/packet_analysis/protocol/default/CMakeLists.txt
similarity index 100%
rename from src/llanalyzer/protocol/default/CMakeLists.txt
rename to src/packet_analysis/protocol/default/CMakeLists.txt
diff --git a/src/llanalyzer/protocol/default/Default.cc b/src/packet_analysis/protocol/default/Default.cc
similarity index 70%
rename from src/llanalyzer/protocol/default/Default.cc
rename to src/packet_analysis/protocol/default/Default.cc
index 3e01e1ba8c..72e226fcad 100644
--- a/src/llanalyzer/protocol/default/Default.cc
+++ b/src/packet_analysis/protocol/default/Default.cc
@@ -3,14 +3,14 @@
 #include "Default.h"
 #include "NetVar.h"
-using namespace zeek::llanalyzer::Default;
+using namespace zeek::packet_analysis::Default;
 DefaultAnalyzer::DefaultAnalyzer()
- : zeek::llanalyzer::Analyzer("DefaultAnalyzer")
+ : zeek::packet_analysis::Analyzer("DefaultAnalyzer")
 {
 }
-std::tuple DefaultAnalyzer::Analyze(Packet* packet)
+std::tuple DefaultAnalyzer::Analyze(Packet* packet)
 {
 auto& pdata = packet->cur_pos;
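Review bot: The plugin namespace `Zeek_ARP` and `config.name = "Zeek::ARP";` in the ARP Plugin.cc hunk appear to reuse the name of the existing ARP protocol-analyzer plugin under src/analyzer/protocol/arp, a directory this same series touches according to the diffstat; if both register as `Zeek::ARP`, the plugin manager sees two plugins with one name, which I would expect it either to reject at startup or to render indistinguishable in `zeek -N` output. A distinct name such as `Zeek::ARP_Packet` (constructed example), or a comment on the `config.name` line stating that the two registrations are meant to be merged, would remove the ambiguity. I cannot see the other plugin's Configure() from here, so this is an inference from the file paths.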
diff --git a/src/llanalyzer/protocol/default/Default.h b/src/packet_analysis/protocol/default/Default.h
similarity index 74%
rename from src/llanalyzer/protocol/default/Default.h
rename to src/packet_analysis/protocol/default/Default.h
index 6c02b72f62..eae4a3a5b9 100644
--- a/src/llanalyzer/protocol/default/Default.h
+++ b/src/packet_analysis/protocol/default/Default.h
@@ -2,10 +2,10 @@
 #pragma once
-#include
-#include
+#include
+#include
-namespace zeek::llanalyzer::Default {
+namespace zeek::packet_analysis::Default {
 class DefaultAnalyzer : public Analyzer {
 public:
diff --git a/src/packet_analysis/protocol/default/Plugin.cc b/src/packet_analysis/protocol/default/Plugin.cc
new file mode 100644
index 0000000000..30e27711f3
--- /dev/null
+++ b/src/packet_analysis/protocol/default/Plugin.cc
@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "Default.h"
+#include "plugin/Plugin.h"
+#include "packet_analysis/Component.h"
+
+namespace zeek::plugin::Zeek_Default {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::packet_analysis::Component("DefaultAnalyzer",
+ zeek::packet_analysis::Default::DefaultAnalyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "Zeek::DefaultAnalyzer";
+ config.description = "Default packet analyzer for IP fallback";
+ return config;
+ }
+
+} plugin;
+
+}
diff --git a/src/llanalyzer/protocol/ethernet/CMakeLists.txt b/src/packet_analysis/protocol/ethernet/CMakeLists.txt
similarity index 100%
rename from src/llanalyzer/protocol/ethernet/CMakeLists.txt
rename to src/packet_analysis/protocol/ethernet/CMakeLists.txt
diff --git a/src/llanalyzer/protocol/ethernet/Ethernet.cc b/src/packet_analysis/protocol/ethernet/Ethernet.cc similarity index 88% rename from src/llanalyzer/protocol/ethernet/Ethernet.cc rename to src/packet_analysis/protocol/ethernet/Ethernet.cc index 564a3bf10f..261f30a0f0 100644 --- a/src/llanalyzer/protocol/ethernet/Ethernet.cc +++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc @@ -3,14 +3,14 @@ #include "Ethernet.h" #include "NetVar.h" -using namespace zeek::llanalyzer::Ethernet; +using namespace zeek::packet_analysis::Ethernet; EthernetAnalyzer::EthernetAnalyzer() - : zeek::llanalyzer::Analyzer("Ethernet") + : zeek::packet_analysis::Analyzer("Ethernet") { } -std::tuple EthernetAnalyzer::Analyze(Packet* packet) +std::tuple EthernetAnalyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); diff --git a/src/llanalyzer/protocol/ethernet/Ethernet.h b/src/packet_analysis/protocol/ethernet/Ethernet.h similarity index 75% rename from src/llanalyzer/protocol/ethernet/Ethernet.h rename to src/packet_analysis/protocol/ethernet/Ethernet.h index a6805f84a8..b59936a8c2 100644 --- a/src/llanalyzer/protocol/ethernet/Ethernet.h +++ b/src/packet_analysis/protocol/ethernet/Ethernet.h @@ -2,10 +2,10 @@ #pragma once -#include -#include +#include +#include -namespace zeek::llanalyzer::Ethernet { +namespace zeek::packet_analysis::Ethernet { class EthernetAnalyzer : public Analyzer { public: diff --git a/src/packet_analysis/protocol/ethernet/Plugin.cc b/src/packet_analysis/protocol/ethernet/Plugin.cc new file mode 100644 index 0000000000..409292b3ac --- /dev/null +++ b/src/packet_analysis/protocol/ethernet/Plugin.cc 
@@ -0,0 +1,24 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "Ethernet.h" +#include "plugin/Plugin.h" +#include "packet_analysis/Component.h" + +namespace zeek::plugin::Zeek_Ethernet { + +class Plugin : public zeek::plugin::Plugin { +public: + zeek::plugin::Configuration Configure() + { + AddComponent(new zeek::packet_analysis::Component("Ethernet", + zeek::packet_analysis::Ethernet::EthernetAnalyzer::Instantiate)); + + zeek::plugin::Configuration config; + config.name = "Zeek::Ethernet"; + config.description = "Ethernet packet analyzer"; + return config; + } + +} plugin; + +} diff --git a/src/llanalyzer/protocol/fddi/CMakeLists.txt b/src/packet_analysis/protocol/fddi/CMakeLists.txt similarity index 100% rename from src/llanalyzer/protocol/fddi/CMakeLists.txt rename to src/packet_analysis/protocol/fddi/CMakeLists.txt diff --git a/src/llanalyzer/protocol/fddi/FDDI.cc b/src/packet_analysis/protocol/fddi/FDDI.cc similarity index 70% rename from src/llanalyzer/protocol/fddi/FDDI.cc rename to src/packet_analysis/protocol/fddi/FDDI.cc index c5594061f7..3a7b2c5d11 100644 --- a/src/llanalyzer/protocol/fddi/FDDI.cc +++ b/src/packet_analysis/protocol/fddi/FDDI.cc @@ -3,14 +3,14 @@ #include "FDDI.h" #include "NetVar.h" -using namespace zeek::llanalyzer::FDDI; +using namespace zeek::packet_analysis::FDDI; FDDIAnalyzer::FDDIAnalyzer() - : zeek::llanalyzer::Analyzer("FDDI") + : zeek::packet_analysis::Analyzer("FDDI") { } -std::tuple FDDIAnalyzer::Analyze(Packet* packet) +std::tuple FDDIAnalyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; auto hdr_size = 13 + 8; // FDDI header + LLC diff --git a/src/llanalyzer/protocol/fddi/FDDI.h b/src/packet_analysis/protocol/fddi/FDDI.h similarity index 54% rename from src/llanalyzer/protocol/fddi/FDDI.h rename to src/packet_analysis/protocol/fddi/FDDI.h index b4217739dd..a96dcc8d9d 100644 --- a/src/llanalyzer/protocol/fddi/FDDI.h +++ b/src/packet_analysis/protocol/fddi/FDDI.h 
@@ -2,19 +2,19 @@ #pragma once -#include -#include +#include +#include -namespace zeek::llanalyzer::FDDI { +namespace zeek::packet_analysis::FDDI { -class FDDIAnalyzer : public zeek::llanalyzer::Analyzer { +class FDDIAnalyzer : public zeek::packet_analysis::Analyzer { public: FDDIAnalyzer(); ~FDDIAnalyzer() override = default; std::tuple Analyze(Packet* packet) override; - static zeek::llanalyzer::Analyzer* Instantiate() + static zeek::packet_analysis::Analyzer* Instantiate() { return new FDDIAnalyzer(); } diff --git a/src/llanalyzer/protocol/fddi/Plugin.cc b/src/packet_analysis/protocol/fddi/Plugin.cc similarity index 50% rename from src/llanalyzer/protocol/fddi/Plugin.cc rename to src/packet_analysis/protocol/fddi/Plugin.cc index 809f30312f..8154e7f915 100644 --- a/src/llanalyzer/protocol/fddi/Plugin.cc +++ b/src/packet_analysis/protocol/fddi/Plugin.cc @@ -2,20 +2,20 @@ #include "FDDI.h" #include "plugin/Plugin.h" -#include "llanalyzer/Component.h" +#include "packet_analysis/Component.h" -namespace zeek::plugin::LLAnalyzer_FDDI { +namespace zeek::plugin::Zeek_FDDI { class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() { - AddComponent(new zeek::llanalyzer::Component("FDDI", - zeek::llanalyzer::FDDI::FDDIAnalyzer::Instantiate)); + AddComponent(new zeek::packet_analysis::Component("FDDI", + zeek::packet_analysis::FDDI::FDDIAnalyzer::Instantiate)); zeek::plugin::Configuration config; - config.name = "LLAnalyzer::FDDI"; - config.description = "FDDI LL-Analyzer"; + config.name = "Zeek::FDDI"; + config.description = "FDDI packet analyzer"; return config; } diff --git a/src/llanalyzer/protocol/ieee802_11/CMakeLists.txt b/src/packet_analysis/protocol/ieee802_11/CMakeLists.txt similarity index 100% rename from src/llanalyzer/protocol/ieee802_11/CMakeLists.txt rename to src/packet_analysis/protocol/ieee802_11/CMakeLists.txt 
diff --git a/src/llanalyzer/protocol/ieee802_11/IEEE802_11.cc b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc similarity index 91% rename from src/llanalyzer/protocol/ieee802_11/IEEE802_11.cc rename to src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc index 363706ae49..500d1fe592 100644 --- a/src/llanalyzer/protocol/ieee802_11/IEEE802_11.cc +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc @@ -3,14 +3,14 @@ #include "IEEE802_11.h" #include "NetVar.h" -using namespace zeek::llanalyzer::IEEE802_11; +using namespace zeek::packet_analysis::IEEE802_11; IEEE802_11Analyzer::IEEE802_11Analyzer() - : zeek::llanalyzer::Analyzer("IEEE802_11") + : zeek::packet_analysis::Analyzer("IEEE802_11") { } -std::tuple IEEE802_11Analyzer::Analyze(Packet* packet) +std::tuple IEEE802_11Analyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); diff --git a/src/llanalyzer/protocol/ieee802_11/IEEE802_11.h b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h similarity index 75% rename from src/llanalyzer/protocol/ieee802_11/IEEE802_11.h rename to src/packet_analysis/protocol/ieee802_11/IEEE802_11.h index 930de4bce5..4890dc0ff1 100644 --- a/src/llanalyzer/protocol/ieee802_11/IEEE802_11.h +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h @@ -2,10 +2,10 @@ #pragma once -#include -#include +#include +#include -namespace zeek::llanalyzer::IEEE802_11 { +namespace zeek::packet_analysis::IEEE802_11 { class IEEE802_11Analyzer : public Analyzer { public: diff --git a/src/packet_analysis/protocol/ieee802_11/Plugin.cc b/src/packet_analysis/protocol/ieee802_11/Plugin.cc new file mode 100644 index 0000000000..11efda40c4 --- /dev/null +++ b/src/packet_analysis/protocol/ieee802_11/Plugin.cc 
@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "IEEE802_11.h"
+#include "plugin/Plugin.h"
+#include "packet_analysis/Component.h"
+
+namespace zeek::plugin::Zeek_IEEE802_11 {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::packet_analysis::Component("IEEE802_11",
+ zeek::packet_analysis::IEEE802_11::IEEE802_11Analyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "Zeek::IEEE802_11";
+ config.description = "IEEE 802.11 packet analyzer";
+ return config;
+ }
+
+} plugin;
+
+}
diff --git a/src/llanalyzer/protocol/ieee802_11_radio/CMakeLists.txt b/src/packet_analysis/protocol/ieee802_11_radio/CMakeLists.txt
similarity index 100%
rename from src/llanalyzer/protocol/ieee802_11_radio/CMakeLists.txt
rename to src/packet_analysis/protocol/ieee802_11_radio/CMakeLists.txt
diff --git a/src/llanalyzer/protocol/ieee802_11_radio/IEEE802_11_Radio.cc b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc
similarity index 74%
rename from src/llanalyzer/protocol/ieee802_11_radio/IEEE802_11_Radio.cc
rename to src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc
index ef39420c64..b5025ce372 100644
--- a/src/llanalyzer/protocol/ieee802_11_radio/IEEE802_11_Radio.cc
+++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc
@@ -5,14 +5,14 @@
 #include "IEEE802_11_Radio.h"
 #include "NetVar.h"
-using namespace zeek::llanalyzer::IEEE802_11_Radio;
+using namespace zeek::packet_analysis::IEEE802_11_Radio;
 IEEE802_11_RadioAnalyzer::IEEE802_11_RadioAnalyzer()
- : zeek::llanalyzer::Analyzer("IEEE802_11_Radio")
+ : zeek::packet_analysis::Analyzer("IEEE802_11_Radio")
 {
 }
-std::tuple IEEE802_11_RadioAnalyzer::Analyze(Packet* packet)
+std::tuple IEEE802_11_RadioAnalyzer::Analyze(Packet* packet)
 {
 auto pdata = packet->cur_pos;
 auto end_of_data = packet->GetEndOfData();
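Review bot: In the IEEE802_11_Radio.cc hunk, Analyze() binds `auto pdata = packet->cur_pos;` by value, while the Default, Ethernet, FDDI and IEEE802_11 analyzers in this same diff all use `auto& pdata = packet->cur_pos;`; if the body advances pdata past the radiotap header to hand off to the next layer, the copy leaves `packet->cur_pos` where it was, and if the copy is deliberate the difference deserves a comment. Either `auto& pdata = packet->cur_pos;` for consistency with the sibling analyzers, or a comment such as `// local copy on purpose: cur_pos is updated explicitly below` if that is the intent. I cannot tell which from the visible lines, because the body of Analyze() continues outside the hunk.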
diff --git a/src/llanalyzer/protocol/ieee802_11_radio/IEEE802_11_Radio.h b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h similarity index 75% rename from src/llanalyzer/protocol/ieee802_11_radio/IEEE802_11_Radio.h rename to src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h index 8fd9d0af65..1dba34c294 100644 --- a/src/llanalyzer/protocol/ieee802_11_radio/IEEE802_11_Radio.h +++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h @@ -2,10 +2,10 @@ #pragma once -#include -#include +#include +#include -namespace zeek::llanalyzer::IEEE802_11_Radio { +namespace zeek::packet_analysis::IEEE802_11_Radio { class IEEE802_11_RadioAnalyzer : public Analyzer { public: diff --git a/src/packet_analysis/protocol/ieee802_11_radio/Plugin.cc b/src/packet_analysis/protocol/ieee802_11_radio/Plugin.cc new file mode 100644 index 0000000000..0b566f6d5f --- /dev/null +++ b/src/packet_analysis/protocol/ieee802_11_radio/Plugin.cc @@ -0,0 +1,23 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "IEEE802_11_Radio.h" +#include "plugin/Plugin.h" +#include "packet_analysis/Component.h" + +namespace zeek::plugin::Zeek_IEEE802_11_Radio { + +class Plugin : public zeek::plugin::Plugin { +public: + zeek::plugin::Configuration Configure() + { + AddComponent(new zeek::packet_analysis::Component("IEEE802_11_Radio", + zeek::packet_analysis::IEEE802_11_Radio::IEEE802_11_RadioAnalyzer::Instantiate)); + + zeek::plugin::Configuration config; + config.name = "Zeek::IEEE802_11_Radio"; + config.description = "IEEE 802.11 Radiotap packet analyzer"; + return config; + } + +} plugin; +} diff --git a/src/llanalyzer/protocol/ipv4/CMakeLists.txt b/src/packet_analysis/protocol/ipv4/CMakeLists.txt similarity index 100% rename from src/llanalyzer/protocol/ipv4/CMakeLists.txt rename to src/packet_analysis/protocol/ipv4/CMakeLists.txt 
diff --git a/src/llanalyzer/protocol/ipv4/IPv4.cc b/src/packet_analysis/protocol/ipv4/IPv4.cc similarity index 52% rename from src/llanalyzer/protocol/ipv4/IPv4.cc rename to src/packet_analysis/protocol/ipv4/IPv4.cc index 138ebc8460..c8b03a3b37 100644 --- a/src/llanalyzer/protocol/ipv4/IPv4.cc +++ b/src/packet_analysis/protocol/ipv4/IPv4.cc @@ -2,14 +2,14 @@ #include "IPv4.h" -using namespace zeek::llanalyzer::IPv4; +using namespace zeek::packet_analysis::IPv4; IPv4Analyzer::IPv4Analyzer() - : zeek::llanalyzer::Analyzer("IPv4") + : zeek::packet_analysis::Analyzer("IPv4") { } -std::tuple IPv4Analyzer::Analyze(Packet* packet) +std::tuple IPv4Analyzer::Analyze(Packet* packet) { packet->l3_proto = L3_IPV4; diff --git a/src/llanalyzer/protocol/ipv4/IPv4.h b/src/packet_analysis/protocol/ipv4/IPv4.h similarity index 74% rename from src/llanalyzer/protocol/ipv4/IPv4.h rename to src/packet_analysis/protocol/ipv4/IPv4.h index 4e16ec4371..d40a033f2c 100644 --- a/src/llanalyzer/protocol/ipv4/IPv4.h +++ b/src/packet_analysis/protocol/ipv4/IPv4.h @@ -2,10 +2,10 @@ #pragma once -#include -#include +#include +#include -namespace zeek::llanalyzer::IPv4 { +namespace zeek::packet_analysis::IPv4 { class IPv4Analyzer : public Analyzer { public: diff --git a/src/llanalyzer/protocol/ipv4/Plugin.cc b/src/packet_analysis/protocol/ipv4/Plugin.cc similarity index 50% rename from src/llanalyzer/protocol/ipv4/Plugin.cc rename to src/packet_analysis/protocol/ipv4/Plugin.cc index 7990ac70e0..ec865917da 100644 --- a/src/llanalyzer/protocol/ipv4/Plugin.cc +++ b/src/packet_analysis/protocol/ipv4/Plugin.cc 
@@ -2,20 +2,20 @@ #include "IPv4.h" #include "plugin/Plugin.h" -#include "llanalyzer/Component.h" +#include "packet_analysis/Component.h" -namespace zeek::plugin::LLAnalyzer_IPv4 { +namespace zeek::plugin::Zeek_IPv4 { class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() { - AddComponent(new zeek::llanalyzer::Component("IPv4", - zeek::llanalyzer::IPv4::IPv4Analyzer::Instantiate)); + AddComponent(new zeek::packet_analysis::Component("IPv4", + zeek::packet_analysis::IPv4::IPv4Analyzer::Instantiate)); zeek::plugin::Configuration config; - config.name = "LLAnalyzer::IPv4"; - config.description = "IPv4 LL-Analyzer"; + config.name = "Zeek::IPv4"; + config.description = "IPv4 packet analyzer"; return config; } diff --git a/src/llanalyzer/protocol/ipv6/CMakeLists.txt b/src/packet_analysis/protocol/ipv6/CMakeLists.txt similarity index 100% rename from src/llanalyzer/protocol/ipv6/CMakeLists.txt rename to src/packet_analysis/protocol/ipv6/CMakeLists.txt diff --git a/src/llanalyzer/protocol/ipv6/IPv6.cc b/src/packet_analysis/protocol/ipv6/IPv6.cc similarity index 52% rename from src/llanalyzer/protocol/ipv6/IPv6.cc rename to src/packet_analysis/protocol/ipv6/IPv6.cc index ee6b6ef059..65ed530ee6 100644 --- a/src/llanalyzer/protocol/ipv6/IPv6.cc +++ b/src/packet_analysis/protocol/ipv6/IPv6.cc @@ -2,14 +2,14 @@ #include "IPv6.h" -using namespace zeek::llanalyzer::IPv6; +using namespace zeek::packet_analysis::IPv6; IPv6Analyzer::IPv6Analyzer() - : zeek::llanalyzer::Analyzer("IPv6") + : zeek::packet_analysis::Analyzer("IPv6") { } -std::tuple IPv6Analyzer::Analyze(Packet* packet) +std::tuple IPv6Analyzer::Analyze(Packet* packet) { packet->l3_proto = L3_IPV6; diff --git a/src/llanalyzer/protocol/ipv6/IPv6.h b/src/packet_analysis/protocol/ipv6/IPv6.h similarity index 74% rename from src/llanalyzer/protocol/ipv6/IPv6.h rename to src/packet_analysis/protocol/ipv6/IPv6.h index 0364d6b4d5..86d361436c 100644 --- a/src/llanalyzer/protocol/ipv6/IPv6.h 
+++ b/src/packet_analysis/protocol/ipv6/IPv6.h @@ -2,10 +2,10 @@ #pragma once -#include -#include +#include +#include -namespace zeek::llanalyzer::IPv6 { +namespace zeek::packet_analysis::IPv6 { class IPv6Analyzer : public Analyzer { public: diff --git a/src/llanalyzer/protocol/ipv6/Plugin.cc b/src/packet_analysis/protocol/ipv6/Plugin.cc similarity index 50% rename from src/llanalyzer/protocol/ipv6/Plugin.cc rename to src/packet_analysis/protocol/ipv6/Plugin.cc index 137db569d3..474926e000 100644 --- a/src/llanalyzer/protocol/ipv6/Plugin.cc +++ b/src/packet_analysis/protocol/ipv6/Plugin.cc @@ -2,20 +2,20 @@ #include "plugin/Plugin.h" #include "IPv6.h" -#include "llanalyzer/Component.h" +#include "packet_analysis/Component.h" -namespace zeek::plugin::LLAnalyzer_IPv6 { +namespace zeek::plugin::Zeek_IPv6 { class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() { - AddComponent(new zeek::llanalyzer::Component("IPv6", - zeek::llanalyzer::IPv6::IPv6Analyzer::Instantiate)); + AddComponent(new zeek::packet_analysis::Component("IPv6", + zeek::packet_analysis::IPv6::IPv6Analyzer::Instantiate)); zeek::plugin::Configuration config; - config.name = "LLAnalyzer::IPv6"; - config.description = "IPv6 LL-Analyzer"; + config.name = "Zeek::IPv6"; + config.description = "IPv6 packet analyzer"; return config; } } plugin; diff --git a/src/llanalyzer/protocol/linux_sll/CMakeLists.txt b/src/packet_analysis/protocol/linux_sll/CMakeLists.txt similarity index 100% rename from src/llanalyzer/protocol/linux_sll/CMakeLists.txt rename to src/packet_analysis/protocol/linux_sll/CMakeLists.txt diff --git a/src/llanalyzer/protocol/linux_sll/LinuxSLL.cc b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc similarity index 77% rename from src/llanalyzer/protocol/linux_sll/LinuxSLL.cc rename to src/packet_analysis/protocol/linux_sll/LinuxSLL.cc index 975b8bba09..f324f368f0 100644 --- a/src/llanalyzer/protocol/linux_sll/LinuxSLL.cc 
+++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc @@ -2,14 +2,14 @@ #include "LinuxSLL.h" -using namespace zeek::llanalyzer::LinuxSLL; +using namespace zeek::packet_analysis::LinuxSLL; LinuxSLLAnalyzer::LinuxSLLAnalyzer() - : zeek::llanalyzer::Analyzer("LinuxSLL") + : zeek::packet_analysis::Analyzer("LinuxSLL") { } -std::tuple LinuxSLLAnalyzer::Analyze(Packet* packet) +std::tuple LinuxSLLAnalyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; diff --git a/src/llanalyzer/protocol/linux_sll/LinuxSLL.h b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h similarity index 83% rename from src/llanalyzer/protocol/linux_sll/LinuxSLL.h rename to src/packet_analysis/protocol/linux_sll/LinuxSLL.h index 72c53972b7..e66d335f0a 100644 --- a/src/llanalyzer/protocol/linux_sll/LinuxSLL.h +++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h @@ -2,10 +2,10 @@ #pragma once -#include -#include +#include +#include -namespace zeek::llanalyzer::LinuxSLL { +namespace zeek::packet_analysis::LinuxSLL { class LinuxSLLAnalyzer : public Analyzer { public: diff --git a/src/packet_analysis/protocol/linux_sll/Plugin.cc b/src/packet_analysis/protocol/linux_sll/Plugin.cc new file mode 100644 index 0000000000..a0cf4583be --- /dev/null +++ b/src/packet_analysis/protocol/linux_sll/Plugin.cc @@ -0,0 +1,24 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "plugin/Plugin.h" +#include "LinuxSLL.h" +#include "packet_analysis/Component.h" + +namespace zeek::plugin::Zeek_LinuxSLL { + +class Plugin : public zeek::plugin::Plugin { +public: + zeek::plugin::Configuration Configure() + { + AddComponent(new zeek::packet_analysis::Component("LinuxSLL", + zeek::packet_analysis::LinuxSLL::LinuxSLLAnalyzer::Instantiate)); + + zeek::plugin::Configuration config; + config.name = "Zeek::LinuxSLL"; + config.description = "Linux cooked capture (SLL) packet analyzer"; + return config; + } + +} plugin; + +} 
diff --git a/src/llanalyzer/protocol/mpls/CMakeLists.txt b/src/packet_analysis/protocol/mpls/CMakeLists.txt similarity index 100% rename from src/llanalyzer/protocol/mpls/CMakeLists.txt rename to src/packet_analysis/protocol/mpls/CMakeLists.txt diff --git a/src/llanalyzer/protocol/mpls/MPLS.cc b/src/packet_analysis/protocol/mpls/MPLS.cc similarity index 83% rename from src/llanalyzer/protocol/mpls/MPLS.cc rename to src/packet_analysis/protocol/mpls/MPLS.cc index 412cf74266..b655ada837 100644 --- a/src/llanalyzer/protocol/mpls/MPLS.cc +++ b/src/packet_analysis/protocol/mpls/MPLS.cc @@ -2,14 +2,14 @@ #include "MPLS.h" -using namespace zeek::llanalyzer::MPLS; +using namespace zeek::packet_analysis::MPLS; MPLSAnalyzer::MPLSAnalyzer() - : zeek::llanalyzer::Analyzer("MPLS") + : zeek::packet_analysis::Analyzer("MPLS") { } -std::tuple MPLSAnalyzer::Analyze(Packet* packet) +std::tuple MPLSAnalyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); diff --git a/src/llanalyzer/protocol/mpls/MPLS.h b/src/packet_analysis/protocol/mpls/MPLS.h similarity index 54% rename from src/llanalyzer/protocol/mpls/MPLS.h rename to src/packet_analysis/protocol/mpls/MPLS.h index 72581f5ae7..35f595e3d3 100644 --- a/src/llanalyzer/protocol/mpls/MPLS.h +++ b/src/packet_analysis/protocol/mpls/MPLS.h @@ -2,19 +2,19 @@ #pragma once -#include -#include +#include +#include -namespace zeek::llanalyzer::MPLS { +namespace zeek::packet_analysis::MPLS { -class MPLSAnalyzer : public zeek::llanalyzer::Analyzer { +class MPLSAnalyzer : public zeek::packet_analysis::Analyzer { public: MPLSAnalyzer(); ~MPLSAnalyzer() override = default; std::tuple Analyze(Packet* packet) override; - static zeek::llanalyzer::Analyzer* Instantiate() + static zeek::packet_analysis::Analyzer* Instantiate() { return new MPLSAnalyzer(); } 
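Review bot: In `MPLS.h` the changed base-class line `class MPLSAnalyzer : public zeek::packet_analysis::Analyzer {` fully qualifies a name that is already in scope, since the class sits inside `namespace zeek::packet_analysis::MPLS`; every other analyzer header in this diff (`LinuxSLL.h`, `NFLog.h`, `Null.h`, `PPPSerial.h`, `PPPoE.h`, `VLAN.h`, `Wrapper.h`) writes `public Analyzer`. Because the commit rewrites this line anyway, `class MPLSAnalyzer : public Analyzer {` would make the headers uniform and avoid a second spelling of the base type to keep in sync on the next rename. The same consideration applies to the `Instantiate()` return type in this hunk, where the sibling headers are not visible enough to compare.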
diff --git a/src/llanalyzer/protocol/mpls/Plugin.cc b/src/packet_analysis/protocol/mpls/Plugin.cc similarity index 50% rename from src/llanalyzer/protocol/mpls/Plugin.cc rename to src/packet_analysis/protocol/mpls/Plugin.cc index c24b1003f3..ef29566623 100644 --- a/src/llanalyzer/protocol/mpls/Plugin.cc +++ b/src/packet_analysis/protocol/mpls/Plugin.cc @@ -2,20 +2,20 @@ #include "MPLS.h" #include "plugin/Plugin.h" -#include "llanalyzer/Component.h" +#include "packet_analysis/Component.h" -namespace zeek::plugin::LLAnalyzer_MPLS { +namespace zeek::plugin::Zeek_MPLS { class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() { - AddComponent(new zeek::llanalyzer::Component("MPLS", - zeek::llanalyzer::MPLS::MPLSAnalyzer::Instantiate)); + AddComponent(new zeek::packet_analysis::Component("MPLS", + zeek::packet_analysis::MPLS::MPLSAnalyzer::Instantiate)); zeek::plugin::Configuration config; - config.name = "LLAnalyzer::MPLS"; - config.description = "MPLS LL-Analyzer"; + config.name = "Zeek::MPLS"; + config.description = "MPLS packet analyzer"; return config; } diff --git a/src/llanalyzer/protocol/nflog/CMakeLists.txt b/src/packet_analysis/protocol/nflog/CMakeLists.txt similarity index 100% rename from src/llanalyzer/protocol/nflog/CMakeLists.txt rename to src/packet_analysis/protocol/nflog/CMakeLists.txt diff --git a/src/llanalyzer/protocol/nflog/NFLog.cc b/src/packet_analysis/protocol/nflog/NFLog.cc similarity index 88% rename from src/llanalyzer/protocol/nflog/NFLog.cc rename to src/packet_analysis/protocol/nflog/NFLog.cc index 1f919dbca1..38bb08d5db 100644 --- a/src/llanalyzer/protocol/nflog/NFLog.cc +++ b/src/packet_analysis/protocol/nflog/NFLog.cc 
@@ -3,14 +3,14 @@ #include "NFLog.h" #include "NetVar.h" -using namespace zeek::llanalyzer::NFLog; +using namespace zeek::packet_analysis::NFLog; NFLogAnalyzer::NFLogAnalyzer() - : zeek::llanalyzer::Analyzer("NFLog") + : zeek::packet_analysis::Analyzer("NFLog") { } -std::tuple NFLogAnalyzer::Analyze(Packet* packet) { +std::tuple NFLogAnalyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); diff --git a/src/llanalyzer/protocol/nflog/NFLog.h b/src/packet_analysis/protocol/nflog/NFLog.h similarity index 74% rename from src/llanalyzer/protocol/nflog/NFLog.h rename to src/packet_analysis/protocol/nflog/NFLog.h index aeb8234c31..c2b691ea51 100644 --- a/src/llanalyzer/protocol/nflog/NFLog.h +++ b/src/packet_analysis/protocol/nflog/NFLog.h @@ -2,10 +2,10 @@ #pragma once -#include -#include +#include +#include -namespace zeek::llanalyzer::NFLog { +namespace zeek::packet_analysis::NFLog { class NFLogAnalyzer : public Analyzer { public: diff --git a/src/llanalyzer/protocol/nflog/Plugin.cc b/src/packet_analysis/protocol/nflog/Plugin.cc similarity index 50% rename from src/llanalyzer/protocol/nflog/Plugin.cc rename to src/packet_analysis/protocol/nflog/Plugin.cc index 16106fee2d..94997fe96a 100644 --- a/src/llanalyzer/protocol/nflog/Plugin.cc +++ b/src/packet_analysis/protocol/nflog/Plugin.cc 
@@ -2,20 +2,20 @@ #include "NFLog.h" #include "plugin/Plugin.h" -#include "llanalyzer/Component.h" +#include "packet_analysis/Component.h" -namespace zeek::plugin::LLAnalyzer_NFLog { +namespace zeek::plugin::Zeek_NFLog { class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() { - AddComponent(new zeek::llanalyzer::Component("NFLog", - zeek::llanalyzer::NFLog::NFLogAnalyzer::Instantiate)); + AddComponent(new zeek::packet_analysis::Component("NFLog", + zeek::packet_analysis::NFLog::NFLogAnalyzer::Instantiate)); zeek::plugin::Configuration config; - config.name = "LLAnalyzer::NFLog"; - config.description = "NFLog LL-Analyzer"; + config.name = "Zeek::NFLog"; + config.description = "NFLog packet analyzer"; return config; } } plugin; diff --git a/src/llanalyzer/protocol/null/CMakeLists.txt b/src/packet_analysis/protocol/null/CMakeLists.txt similarity index 100% rename from src/llanalyzer/protocol/null/CMakeLists.txt rename to src/packet_analysis/protocol/null/CMakeLists.txt diff --git a/src/llanalyzer/protocol/null/Null.cc b/src/packet_analysis/protocol/null/Null.cc similarity index 70% rename from src/llanalyzer/protocol/null/Null.cc rename to src/packet_analysis/protocol/null/Null.cc index d9c29582a2..6a0158a508 100644 --- a/src/llanalyzer/protocol/null/Null.cc +++ b/src/packet_analysis/protocol/null/Null.cc @@ -3,14 +3,14 @@ #include "Null.h" #include "NetVar.h" -using namespace zeek::llanalyzer::Null; +using namespace zeek::packet_analysis::Null; NullAnalyzer::NullAnalyzer() - : zeek::llanalyzer::Analyzer("Null") + : zeek::packet_analysis::Analyzer("Null") { } -std::tuple NullAnalyzer::Analyze(Packet* packet) +std::tuple NullAnalyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; 
diff --git a/src/llanalyzer/protocol/null/Null.h b/src/packet_analysis/protocol/null/Null.h similarity index 74% rename from src/llanalyzer/protocol/null/Null.h rename to src/packet_analysis/protocol/null/Null.h index 27294bc386..7f3976cf31 100644 --- a/src/llanalyzer/protocol/null/Null.h +++ b/src/packet_analysis/protocol/null/Null.h @@ -2,10 +2,10 @@ #pragma once -#include -#include +#include +#include -namespace zeek::llanalyzer::Null { +namespace zeek::packet_analysis::Null { class NullAnalyzer : public Analyzer { public: diff --git a/src/llanalyzer/protocol/null/Plugin.cc b/src/packet_analysis/protocol/null/Plugin.cc similarity index 50% rename from src/llanalyzer/protocol/null/Plugin.cc rename to src/packet_analysis/protocol/null/Plugin.cc index 3d1ddc4213..ab568641db 100644 --- a/src/llanalyzer/protocol/null/Plugin.cc +++ b/src/packet_analysis/protocol/null/Plugin.cc @@ -2,20 +2,20 @@ #include "plugin/Plugin.h" #include "Null.h" -#include "llanalyzer/Component.h" +#include "packet_analysis/Component.h" -namespace zeek::plugin::LLAnalyzer_Null { +namespace zeek::plugin::Zeek_Null { class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() { - AddComponent(new zeek::llanalyzer::Component("Null", - zeek::llanalyzer::Null::NullAnalyzer::Instantiate)); + AddComponent(new zeek::packet_analysis::Component("Null", + zeek::packet_analysis::Null::NullAnalyzer::Instantiate)); zeek::plugin::Configuration config; - config.name = "LLAnalyzer::Null"; - config.description = "Null LL-Analyzer"; + config.name = "Zeek::Null"; + config.description = "Null packet analyzer"; return config; } diff --git a/src/llanalyzer/protocol/ppp_serial/CMakeLists.txt b/src/packet_analysis/protocol/ppp_serial/CMakeLists.txt similarity index 100% rename from src/llanalyzer/protocol/ppp_serial/CMakeLists.txt rename to src/packet_analysis/protocol/ppp_serial/CMakeLists.txt 
diff --git a/src/llanalyzer/protocol/ppp_serial/PPPSerial.cc b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc similarity index 62% rename from src/llanalyzer/protocol/ppp_serial/PPPSerial.cc rename to src/packet_analysis/protocol/ppp_serial/PPPSerial.cc index a250210113..b4019a74a4 100644 --- a/src/llanalyzer/protocol/ppp_serial/PPPSerial.cc +++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc @@ -3,14 +3,14 @@ #include "PPPSerial.h" #include "NetVar.h" -using namespace zeek::llanalyzer::PPPSerial; +using namespace zeek::packet_analysis::PPPSerial; PPPSerialAnalyzer::PPPSerialAnalyzer() - : zeek::llanalyzer::Analyzer("PPPSerial") + : zeek::packet_analysis::Analyzer("PPPSerial") { } -std::tuple PPPSerialAnalyzer::Analyze(Packet* packet) +std::tuple PPPSerialAnalyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; diff --git a/src/llanalyzer/protocol/ppp_serial/PPPSerial.h b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h similarity index 75% rename from src/llanalyzer/protocol/ppp_serial/PPPSerial.h rename to src/packet_analysis/protocol/ppp_serial/PPPSerial.h index 030b8801fa..76e7dcd8b9 100644 --- a/src/llanalyzer/protocol/ppp_serial/PPPSerial.h +++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h @@ -2,10 +2,10 @@ #pragma once -#include -#include +#include +#include -namespace zeek::llanalyzer::PPPSerial { +namespace zeek::packet_analysis::PPPSerial { class PPPSerialAnalyzer : public Analyzer { public: diff --git a/src/packet_analysis/protocol/ppp_serial/Plugin.cc b/src/packet_analysis/protocol/ppp_serial/Plugin.cc new file mode 100644 index 0000000000..e45923c311 --- /dev/null +++ b/src/packet_analysis/protocol/ppp_serial/Plugin.cc 
@@ -0,0 +1,24 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "PPPSerial.h" +#include "plugin/Plugin.h" +#include "packet_analysis/Component.h" + +namespace zeek::plugin::Zeek_PPPSerial { + +class Plugin : public zeek::plugin::Plugin { +public: + zeek::plugin::Configuration Configure() + { + AddComponent(new zeek::packet_analysis::Component("PPPSerial", + zeek::packet_analysis::PPPSerial::PPPSerialAnalyzer::Instantiate)); + + zeek::plugin::Configuration config; + config.name = "Zeek::PPPSerial"; + config.description = "PPPSerial packet analyzer"; + return config; + } + +} plugin; + +} diff --git a/src/llanalyzer/protocol/pppoe/CMakeLists.txt b/src/packet_analysis/protocol/pppoe/CMakeLists.txt similarity index 100% rename from src/llanalyzer/protocol/pppoe/CMakeLists.txt rename to src/packet_analysis/protocol/pppoe/CMakeLists.txt diff --git a/src/llanalyzer/protocol/pppoe/PPPoE.cc b/src/packet_analysis/protocol/pppoe/PPPoE.cc similarity index 70% rename from src/llanalyzer/protocol/pppoe/PPPoE.cc rename to src/packet_analysis/protocol/pppoe/PPPoE.cc index 903e5ab07b..282e341cde 100644 --- a/src/llanalyzer/protocol/pppoe/PPPoE.cc +++ b/src/packet_analysis/protocol/pppoe/PPPoE.cc @@ -3,14 +3,14 @@ #include "PPPoE.h" #include "NetVar.h" -using namespace zeek::llanalyzer::PPPoE; +using namespace zeek::packet_analysis::PPPoE; PPPoEAnalyzer::PPPoEAnalyzer() - : zeek::llanalyzer::Analyzer("PPPoE") + : zeek::packet_analysis::Analyzer("PPPoE") { } -std::tuple PPPoEAnalyzer::Analyze(Packet* packet) +std::tuple PPPoEAnalyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; diff --git a/src/llanalyzer/protocol/pppoe/PPPoE.h b/src/packet_analysis/protocol/pppoe/PPPoE.h similarity index 75% rename from src/llanalyzer/protocol/pppoe/PPPoE.h rename to src/packet_analysis/protocol/pppoe/PPPoE.h index cbeeda160f..3a979af8a1 100644 --- a/src/llanalyzer/protocol/pppoe/PPPoE.h +++ b/src/packet_analysis/protocol/pppoe/PPPoE.h 
@@ -2,10 +2,10 @@ #pragma once -#include -#include +#include +#include -namespace zeek::llanalyzer::PPPoE { +namespace zeek::packet_analysis::PPPoE { class PPPoEAnalyzer : public Analyzer { public: diff --git a/src/llanalyzer/protocol/pppoe/Plugin.cc b/src/packet_analysis/protocol/pppoe/Plugin.cc similarity index 50% rename from src/llanalyzer/protocol/pppoe/Plugin.cc rename to src/packet_analysis/protocol/pppoe/Plugin.cc index 95883f51ca..b70e7e5af1 100644 --- a/src/llanalyzer/protocol/pppoe/Plugin.cc +++ b/src/packet_analysis/protocol/pppoe/Plugin.cc @@ -2,20 +2,20 @@ #include "PPPoE.h" #include "plugin/Plugin.h" -#include "llanalyzer/Component.h" +#include "packet_analysis/Component.h" -namespace zeek::plugin::LLAnalyzer_PPPoE { +namespace zeek::plugin::Zeek_PPPoE { class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() { - AddComponent(new zeek::llanalyzer::Component("PPPoE", - zeek::llanalyzer::PPPoE::PPPoEAnalyzer::Instantiate)); + AddComponent(new zeek::packet_analysis::Component("PPPoE", + zeek::packet_analysis::PPPoE::PPPoEAnalyzer::Instantiate)); zeek::plugin::Configuration config; - config.name = "LLAnalyzer::PPPoE"; - config.description = "PPPoE LL-Analyzer"; + config.name = "Zeek::PPPoE"; + config.description = "PPPoE packet analyzer"; return config; } diff --git a/src/llanalyzer/protocol/vlan/CMakeLists.txt b/src/packet_analysis/protocol/vlan/CMakeLists.txt similarity index 100% rename from src/llanalyzer/protocol/vlan/CMakeLists.txt rename to src/packet_analysis/protocol/vlan/CMakeLists.txt diff --git a/src/llanalyzer/protocol/vlan/Plugin.cc b/src/packet_analysis/protocol/vlan/Plugin.cc similarity index 50% rename from src/llanalyzer/protocol/vlan/Plugin.cc rename to src/packet_analysis/protocol/vlan/Plugin.cc index 8e4da160d7..7a6222c9b3 100644 --- a/src/llanalyzer/protocol/vlan/Plugin.cc +++ b/src/packet_analysis/protocol/vlan/Plugin.cc 
@@ -2,20 +2,20 @@ #include "VLAN.h" #include "plugin/Plugin.h" -#include "llanalyzer/Component.h" +#include "packet_analysis/Component.h" -namespace zeek::plugin::LLAnalyzer_VLAN { +namespace zeek::plugin::Zeek_VLAN { class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() { - AddComponent(new zeek::llanalyzer::Component("VLAN", - zeek::llanalyzer::VLAN::VLANAnalyzer::Instantiate)); + AddComponent(new zeek::packet_analysis::Component("VLAN", + zeek::packet_analysis::VLAN::VLANAnalyzer::Instantiate)); zeek::plugin::Configuration config; - config.name = "LLAnalyzer::VLAN"; - config.description = "VLAN LL-Analyzer"; + config.name = "Zeek::VLAN"; + config.description = "VLAN packet analyzer"; return config; } diff --git a/src/llanalyzer/protocol/vlan/VLAN.cc b/src/packet_analysis/protocol/vlan/VLAN.cc similarity index 74% rename from src/llanalyzer/protocol/vlan/VLAN.cc rename to src/packet_analysis/protocol/vlan/VLAN.cc index e1cfb7c056..24f23b14b1 100644 --- a/src/llanalyzer/protocol/vlan/VLAN.cc +++ b/src/packet_analysis/protocol/vlan/VLAN.cc @@ -3,14 +3,14 @@ #include "VLAN.h" #include "NetVar.h" -using namespace zeek::llanalyzer::VLAN; +using namespace zeek::packet_analysis::VLAN; VLANAnalyzer::VLANAnalyzer() - : zeek::llanalyzer::Analyzer("VLAN") + : zeek::packet_analysis::Analyzer("VLAN") { } -std::tuple VLANAnalyzer::Analyze(Packet* packet) +std::tuple VLANAnalyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; diff --git a/src/llanalyzer/protocol/vlan/VLAN.h b/src/packet_analysis/protocol/vlan/VLAN.h similarity index 74% rename from src/llanalyzer/protocol/vlan/VLAN.h rename to src/packet_analysis/protocol/vlan/VLAN.h index 1f7532b940..8f64e0ec64 100644 --- a/src/llanalyzer/protocol/vlan/VLAN.h +++ b/src/packet_analysis/protocol/vlan/VLAN.h 
@@ -2,10 +2,10 @@ #pragma once -#include -#include +#include +#include -namespace zeek::llanalyzer::VLAN { +namespace zeek::packet_analysis::VLAN { class VLANAnalyzer : public Analyzer { public: diff --git a/src/llanalyzer/protocol/wrapper/CMakeLists.txt b/src/packet_analysis/protocol/wrapper/CMakeLists.txt similarity index 100% rename from src/llanalyzer/protocol/wrapper/CMakeLists.txt rename to src/packet_analysis/protocol/wrapper/CMakeLists.txt diff --git a/src/llanalyzer/protocol/wrapper/Plugin.cc b/src/packet_analysis/protocol/wrapper/Plugin.cc similarity index 64% rename from src/llanalyzer/protocol/wrapper/Plugin.cc rename to src/packet_analysis/protocol/wrapper/Plugin.cc index 36baa8a6dd..45be64498e 100644 --- a/src/llanalyzer/protocol/wrapper/Plugin.cc +++ b/src/packet_analysis/protocol/wrapper/Plugin.cc @@ -2,7 +2,7 @@ #include "Wrapper.h" #include "plugin/Plugin.h" -#include "llanalyzer/Component.h" +#include "packet_analysis/Component.h" namespace zeek::plugin::LLAnalyzer { @@ -10,11 +10,11 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() { - AddComponent(new zeek::llanalyzer::Component("Wrapper", - zeek::llanalyzer::Wrapper::WrapperAnalyzer::Instantiate)); + AddComponent(new zeek::packet_analysis::Component("Wrapper", + zeek::packet_analysis::Wrapper::WrapperAnalyzer::Instantiate)); zeek::plugin::Configuration config; - config.name = "LLAnalyzer::Wrapper"; + config.name = "Zeek::Wrapper"; config.description = "A wrapper for the original zeek code."; return config; } diff --git a/src/llanalyzer/protocol/wrapper/Wrapper.cc b/src/packet_analysis/protocol/wrapper/Wrapper.cc similarity index 94% rename from src/llanalyzer/protocol/wrapper/Wrapper.cc rename to src/packet_analysis/protocol/wrapper/Wrapper.cc index b14d34e953..4a92504e5a 100644 --- a/src/llanalyzer/protocol/wrapper/Wrapper.cc +++ b/src/packet_analysis/protocol/wrapper/Wrapper.cc 
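Review bot: The wrapper plugin's namespace `zeek::plugin::LLAnalyzer {` is left untouched in the first `Plugin.cc` hunk while `config.name` becomes `"Zeek::Wrapper"` and every other plugin in this diff moves to `zeek::plugin::Zeek_<Name>`; the rename looks incomplete here. Changing it to `namespace zeek::plugin::Zeek_Wrapper {` keeps the plugin namespaces uniform and removes the last reference to the old LLAnalyzer name after the component enum and manager were renamed. The closing brace of that namespace lies outside both hunks and needs no change.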
@@ -3,14 +3,14 @@ #include "Wrapper.h" #include "NetVar.h" -using namespace zeek::llanalyzer::Wrapper; +using namespace zeek::packet_analysis::Wrapper; WrapperAnalyzer::WrapperAnalyzer() - : zeek::llanalyzer::Analyzer("Wrapper") + : zeek::packet_analysis::Analyzer("Wrapper") { } -std::tuple WrapperAnalyzer::Analyze(Packet* packet) +std::tuple WrapperAnalyzer::Analyze(Packet* packet) { // Unfortunately some packets on the link might have MPLS labels // while others don't. That means we need to ask the link-layer if diff --git a/src/llanalyzer/protocol/wrapper/Wrapper.h b/src/packet_analysis/protocol/wrapper/Wrapper.h similarity index 74% rename from src/llanalyzer/protocol/wrapper/Wrapper.h rename to src/packet_analysis/protocol/wrapper/Wrapper.h index 74d257c052..b8403e297e 100644 --- a/src/llanalyzer/protocol/wrapper/Wrapper.h +++ b/src/packet_analysis/protocol/wrapper/Wrapper.h @@ -2,10 +2,10 @@ #pragma once -#include -#include +#include +#include -namespace zeek::llanalyzer::Wrapper { +namespace zeek::packet_analysis::Wrapper { class WrapperAnalyzer : public Analyzer { public: diff --git a/src/plugin/Component.cc b/src/plugin/Component.cc index 7be5d465d0..a0bc21cfb8 100644 --- a/src/plugin/Component.cc +++ b/src/plugin/Component.cc @@ -46,8 +46,8 @@ void Component::Describe(ODesc* d) const d->Add("Analyzer"); break; - case component::LLANALYZER: - d->Add("Low-Layer Analyzer"); + case component::PACKET_ANALYZER: + d->Add("Packet Analyzer"); break; case component::FILE_ANALYZER: diff --git a/src/plugin/Component.h b/src/plugin/Component.h index 6d069e6edf..52068f68ce 100644 --- a/src/plugin/Component.h +++ b/src/plugin/Component.h 
@@ -15,14 +15,14 @@ namespace component { * Component types. */ enum Type { - READER, /// An input reader (not currently used). - WRITER, /// A logging writer (not currenly used). - ANALYZER, /// A protocol analyzer. - LLANALYZER, /// A low layer protocol analyzer. - FILE_ANALYZER, /// A file analyzer. - IOSOURCE, /// An I/O source, excluding packet sources. - PKTSRC, /// A packet source. - PKTDUMPER /// A packet dumper. + READER, /// An input reader (not currently used). + WRITER, /// A logging writer (not currently used). + ANALYZER, /// A protocol analyzer. + PACKET_ANALYZER, /// A packet analyzer. + FILE_ANALYZER, /// A file analyzer. + IOSOURCE, /// An I/O source, excluding packet sources. + PKTSRC, /// A packet source. + PKTDUMPER /// A packet dumper. }; } // namespace component diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc index a3d7418226..c748e02d84 100644 --- a/src/zeek-setup.cc +++ b/src/zeek-setup.cc @@ -55,7 +55,7 @@ extern "C" { #include "input/readers/raw/Raw.h" #include "analyzer/Manager.h" #include "analyzer/Tag.h" -#include "llanalyzer/Manager.h" +#include "packet_analysis/Manager.h" #include "plugin/Manager.h" #include "file_analysis/Manager.h" #include "zeekygen/Manager.h" @@ -93,7 +93,7 @@ zeek::ValManager* zeek::val_mgr = nullptr; zeek::ValManager*& val_mgr = zeek::val_mgr; zeek::analyzer::Manager* zeek::analyzer_mgr = nullptr; zeek::analyzer::Manager*& analyzer_mgr = zeek::analyzer_mgr; -zeek::llanalyzer::Manager* llanalyzer_mgr = nullptr; +zeek::packet_analysis::Manager* packet_mgr = nullptr; zeek::plugin::Manager* zeek::plugin_mgr = nullptr; zeek::plugin::Manager*& plugin_mgr = zeek::plugin_mgr; @@ -267,7 +267,7 @@ static void done_with_network() run_state::terminating = true; analyzer_mgr->Done(); - llanalyzer_mgr->Done(); + packet_mgr->Done(); timer_mgr->Expire(); dns_mgr->Flush(); event_mgr.Drain(); 
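Review bot: In the `@@ -93` hunk of `zeek-setup.cc`, `packet_mgr` is defined as a bare global (`zeek::packet_analysis::Manager* packet_mgr = nullptr;`), whereas the neighbouring managers in the same hunk are defined as `zeek::` members with a global reference alias (`zeek::analyzer::Manager* zeek::analyzer_mgr = nullptr;` followed by `zeek::analyzer::Manager*& analyzer_mgr = zeek::analyzer_mgr;`). Since the commit already renames this symbol, following the same pattern — `zeek::packet_analysis::Manager* zeek::packet_mgr = nullptr;` plus `zeek::packet_analysis::Manager*& packet_mgr = zeek::packet_mgr;` — would keep the new manager consistent with the others and scoped like them; this presumes a matching `extern` declaration in `packet_analysis/Manager.h`, which is not visible here. The `@@ -267` hunk and the later `-338`/`-585`/`-694`/`-895` hunks only use the name through `packet_mgr->` or `delete packet_mgr` and would be unaffected.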
@@ -338,7 +338,7 @@ static void terminate_bro() delete zeekygen_mgr; delete analyzer_mgr; - delete llanalyzer_mgr; + delete packet_mgr; delete file_mgr; // broker_mgr, timer_mgr, and supervisor are deleted via iosource_mgr delete iosource_mgr; @@ -585,7 +585,7 @@ SetupResult setup(int argc, char** argv, Options* zopts) iosource_mgr = new iosource::Manager(); event_registry = new EventRegistry(); analyzer_mgr = new analyzer::Manager(); - llanalyzer_mgr = new llanalyzer::Manager(); + packet_mgr = new packet_analysis::Manager(); log_mgr = new logging::Manager(); input_mgr = new input::Manager(); file_mgr = new file_analysis::Manager(); @@ -694,7 +694,7 @@ SetupResult setup(int argc, char** argv, Options* zopts) } analyzer_mgr->InitPostScript(); - llanalyzer_mgr->InitPostScript(); + packet_mgr->InitPostScript(); file_mgr->InitPostScript(); dns_mgr->InitPostScript(); @@ -895,7 +895,7 @@ SetupResult setup(int argc, char** argv, Options* zopts) broker_mgr->ZeekInitDone(); reporter->ZeekInitDone(); analyzer_mgr->DumpDebug(); - llanalyzer_mgr->DumpDebug(); + packet_mgr->DumpDebug(); run_state::detail::have_pending_timers = ! run_state::reading_traces && timer_mgr->Size() > 0; diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index d125d897ec..96865c911b 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -283,7 +283,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600793171.441844, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600793375.962139, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> @@ -464,7 +464,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600793171.441844, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600793375.962139, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -861,7 +861,6 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/irc) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/krb) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/linux_sll) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/llprotocols) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/logging) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/logging.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/main.zeek) -> -1 @@ -879,6 +878,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/openflow) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/option.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/packet-filter) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/packet-protocols) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/paths.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/patterns.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/pe) -> -1 @@ -1225,7 +1225,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600793171.441844, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600793375.962139, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) 
@@ -1406,7 +1406,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600793171.441844, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600793375.962139, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) @@ -1803,7 +1803,6 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/irc) 0.000000 MetaHookPre LoadFile(0, base<...>/krb) 0.000000 MetaHookPre LoadFile(0, base<...>/linux_sll) -0.000000 MetaHookPre LoadFile(0, base<...>/llprotocols) 0.000000 MetaHookPre LoadFile(0, base<...>/logging) 0.000000 MetaHookPre LoadFile(0, base<...>/logging.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/main.zeek) @@ -1821,6 +1820,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/openflow) 0.000000 MetaHookPre LoadFile(0, base<...>/option.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/packet-filter) +0.000000 MetaHookPre LoadFile(0, base<...>/packet-protocols) 0.000000 MetaHookPre LoadFile(0, base<...>/paths.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/patterns.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/pe) 
@@ -2166,7 +2166,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1600793171.441844, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1600793375.962139, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) @@ -2347,7 +2347,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1600793171.441844, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1600793375.962139, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2756,7 +2756,6 @@ 0.000000 | HookLoadFile base<...>/irc 0.000000 | HookLoadFile base<...>/krb 0.000000 | HookLoadFile base<...>/linux_sll -0.000000 | HookLoadFile base<...>/llprotocols 0.000000 | HookLoadFile base<...>/logging 0.000000 | HookLoadFile base<...>/logging.bif.zeek 0.000000 | HookLoadFile base<...>/main.zeek 
@@ -2774,6 +2773,7 @@ 0.000000 | HookLoadFile base<...>/openflow 0.000000 | HookLoadFile base<...>/option.bif.zeek 0.000000 | HookLoadFile base<...>/packet-filter +0.000000 | HookLoadFile base<...>/packet-protocols 0.000000 | HookLoadFile base<...>/paths.zeek 0.000000 | HookLoadFile base<...>/patterns.zeek 0.000000 | HookLoadFile base<...>/pe @@ -2819,7 +2819,7 @@ 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLoadFile base<...>/zeek.bif.zeek 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1600793171.441844, node=zeek, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1600793375.962139, node=zeek, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent filter_change_tracking() 0.000000 | HookQueueEvent zeek_init() diff --git a/testing/btest/Baseline/plugins.ll-protocol/output b/testing/btest/Baseline/plugins.packet-protocol/output similarity index 65% rename from testing/btest/Baseline/plugins.ll-protocol/output rename to testing/btest/Baseline/plugins.packet-protocol/output index 578a37577d..42fd1cea42 100644 --- a/testing/btest/Baseline/plugins.ll-protocol/output +++ b/testing/btest/Baseline/plugins.packet-protocol/output @@ -1,5 +1,5 @@ -LLDemo::Bar - A Bar LL-test-analyzer. (dynamic, version 1.0.0) - [Low-Layer Analyzer] Bar (LLANALYZER_BAR, enabled) +PacketDemo::Bar - A Bar packet analyzer. (dynamic, version 1.0.0) + [Packet Analyzer] Bar (ANALYZER_BAR, enabled) [Event] bar_message === diff --git a/testing/btest/plugins/ll-protocol-plugin/scripts/LLDemo/Bar/base/main.zeek b/testing/btest/plugins/ll-protocol-plugin/scripts/LLDemo/Bar/base/main.zeek deleted file mode 100644 index 031bd4f058..0000000000 --- a/testing/btest/plugins/ll-protocol-plugin/scripts/LLDemo/Bar/base/main.zeek +++ /dev/null 
@@ -1,5 +0,0 @@ -module LL_BAR; - -redef LLAnalyzer::config_map += { - LLAnalyzer::ConfigEntry($parent=LLAnalyzer::LLANALYZER_ETHERNET, $identifier=1501, $analyzer=LLAnalyzer::LLANALYZER_BAR), -}; diff --git a/testing/btest/plugins/ll-protocol-plugin/scripts/__load__.zeek b/testing/btest/plugins/ll-protocol-plugin/scripts/__load__.zeek deleted file mode 100644 index 697ab585a1..0000000000 --- a/testing/btest/plugins/ll-protocol-plugin/scripts/__load__.zeek +++ /dev/null @@ -1 +0,0 @@ -@load LLDemo/Bar/base/main diff --git a/testing/btest/plugins/ll-protocol-plugin/.btest-ignore b/testing/btest/plugins/packet-protocol-plugin/.btest-ignore similarity index 100% rename from testing/btest/plugins/ll-protocol-plugin/.btest-ignore rename to testing/btest/plugins/packet-protocol-plugin/.btest-ignore diff --git a/testing/btest/plugins/ll-protocol-plugin/CMakeLists.txt b/testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt similarity index 80% rename from testing/btest/plugins/ll-protocol-plugin/CMakeLists.txt rename to testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt index 7f11aa11e7..a642f8ca01 100644 --- a/testing/btest/plugins/ll-protocol-plugin/CMakeLists.txt +++ b/testing/btest/plugins/packet-protocol-plugin/CMakeLists.txt @@ -1,5 +1,5 @@ -project(Zeek-LL-Plugin-Demo-Bar) +project(Zeek-Packet-Plugin-Demo-Bar) cmake_minimum_required(VERSION 2.6.3) @@ -11,7 +11,7 @@ set(CMAKE_MODULE_PATH ${ZEEK_DIST}/cmake) include(ZeekPlugin) -zeek_plugin_begin(LLDemo Bar) +zeek_plugin_begin(PacketDemo Bar) zeek_plugin_cc(src/Plugin.cc) zeek_plugin_cc(src/Bar.cc) zeek_plugin_bif(src/events.bif) diff --git a/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/Bar/base/main.zeek b/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/Bar/base/main.zeek new file mode 100644 index 0000000000..a0c4fa6757 --- /dev/null +++ b/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/Bar/base/main.zeek 
@@ -0,0 +1,5 @@ +module Packet_BAR; + +redef PacketAnalyzer::config_map += { + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=1501, $analyzer=PacketAnalyzer::ANALYZER_BAR), +}; diff --git a/testing/btest/plugins/packet-protocol-plugin/scripts/__load__.zeek b/testing/btest/plugins/packet-protocol-plugin/scripts/__load__.zeek new file mode 100644 index 0000000000..deb0a01443 --- /dev/null +++ b/testing/btest/plugins/packet-protocol-plugin/scripts/__load__.zeek @@ -0,0 +1 @@ +@load PacketDemo/Bar/base/main diff --git a/testing/btest/plugins/ll-protocol-plugin/src/Bar.cc b/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc similarity index 73% rename from testing/btest/plugins/ll-protocol-plugin/src/Bar.cc rename to testing/btest/plugins/packet-protocol-plugin/src/Bar.cc index 93c8b87dc0..14308d2339 100644 --- a/testing/btest/plugins/ll-protocol-plugin/src/Bar.cc +++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc @@ -3,14 +3,14 @@ #include "Val.h" #include "events.bif.h" -using namespace zeek::llanalyzer::LLDemo; +using namespace zeek::packet_analysis::PacketDemo; Bar::Bar() - : zeek::llanalyzer::Analyzer("Bar") + : zeek::packet_analysis::Analyzer("Bar") { } -std::tuple Bar::Analyze(Packet* packet) +std::tuple Bar::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); diff --git a/testing/btest/plugins/ll-protocol-plugin/src/Bar.h b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h similarity index 65% rename from testing/btest/plugins/ll-protocol-plugin/src/Bar.h rename to testing/btest/plugins/packet-protocol-plugin/src/Bar.h index 24f0a0856c..125e8883c1 100644 --- a/testing/btest/plugins/ll-protocol-plugin/src/Bar.h +++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h @@ -1,9 +1,9 @@ #pragma once -#include -#include +#include +#include -namespace zeek::llanalyzer::LLDemo { +namespace zeek::packet_analysis::PacketDemo { class Bar : public Analyzer { public: 
diff --git a/testing/btest/plugins/ll-protocol-plugin/src/Plugin.cc b/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc similarity index 50% rename from testing/btest/plugins/ll-protocol-plugin/src/Plugin.cc rename to testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc index 4e0b7bc451..80032ea5f5 100644 --- a/testing/btest/plugins/ll-protocol-plugin/src/Plugin.cc +++ b/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc @@ -1,21 +1,21 @@ #include "Plugin.h" -#include "llanalyzer/Component.h" +#include "packet_analysis/Component.h" #include "Bar.h" -namespace zeek::plugin::LLDemo_Bar { +namespace zeek::plugin::PacketDemo_Bar { class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() { - AddComponent(new zeek::llanalyzer::Component("Bar", - zeek::llanalyzer::LLDemo::Bar::Instantiate)); + AddComponent(new zeek::packet_analysis::Component("Bar", + zeek::packet_analysis::PacketDemo::Bar::Instantiate)); zeek::plugin::Configuration config; - config.name = "LLDemo::Bar"; - config.description = "A Bar LL-test-analyzer."; + config.name = "PacketDemo::Bar"; + config.description = "A Bar packet analyzer."; config.version.major = 1; config.version.minor = 0; config.version.patch = 0; diff --git a/testing/btest/plugins/ll-protocol-plugin/src/events.bif b/testing/btest/plugins/packet-protocol-plugin/src/events.bif similarity index 100% rename from testing/btest/plugins/ll-protocol-plugin/src/events.bif rename to testing/btest/plugins/packet-protocol-plugin/src/events.bif diff --git a/testing/btest/plugins/ll-protocol.zeek b/testing/btest/plugins/packet-protocol.zeek similarity index 75% rename from testing/btest/plugins/ll-protocol.zeek rename to testing/btest/plugins/packet-protocol.zeek index 125daba230..d4f351f2fe 100644 --- a/testing/btest/plugins/ll-protocol.zeek +++ b/testing/btest/plugins/packet-protocol.zeek 
@@ -1,7 +1,7 @@ -# @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . LLDemo Bar -# @TEST-EXEC: cp -r %DIR/ll-protocol-plugin/* . +# @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . PacketDemo Bar +# @TEST-EXEC: cp -r %DIR/packet-protocol-plugin/* . # @TEST-EXEC: ./configure --zeek-dist=${DIST} && make -# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -NN LLDemo::Bar >>output +# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -NN PacketDemo::Bar >>output # @TEST-EXEC: echo === >>output # @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -r $TRACES/raw_packets.trace %INPUT >>output # @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff output From 1e0e8e35af8b5e07217e5208e377be535c837355 Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Mon, 13 Jul 2020 17:12:20 +0200 Subject: [PATCH 03/43] Minor fixes for packet analyzer renaming. --- src/packet_analysis/Manager.h | 2 +- src/packet_analysis/protocol/arp/ARP.cc | 4 +- src/packet_analysis/protocol/ipv4/IPv4.cc | 2 +- src/packet_analysis/protocol/ipv6/IPv6.cc | 2 +- .../canonified_loaded_scripts.log | 50 +++++++++---------- .../canonified_loaded_scripts.log | 50 +++++++++---------- 6 files changed, 55 insertions(+), 55 deletions(-) diff --git a/src/packet_analysis/Manager.h b/src/packet_analysis/Manager.h index 30a1facb94..f5130e1b2a 100644 --- a/src/packet_analysis/Manager.h +++ b/src/packet_analysis/Manager.h @@ -142,7 +142,7 @@ public: Analyzer* InstantiateAnalyzer(const std::string& name); /** - * Processes a packet by applying the configured low layer analyzers. + * Processes a packet by applying the configured packet analyzers. * * @param packet The packet to process. */ diff --git a/src/packet_analysis/protocol/arp/ARP.cc b/src/packet_analysis/protocol/arp/ARP.cc index d0aa620dde..204e9b54c4 100644 --- a/src/packet_analysis/protocol/arp/ARP.cc +++ b/src/packet_analysis/protocol/arp/ARP.cc 
@@ -11,9 +11,9 @@ ARPAnalyzer::ARPAnalyzer() std::tuple ARPAnalyzer::Analyze(Packet* packet) { - // TODO: Make ARP analyzer a native LL analyzer + // TODO: Make ARP analyzer a native packet analyzer packet->l3_proto = L3_ARP; - // Leave LL analyzer land + // Leave packet analyzer land return { AnalyzerResult::Terminate, 0 }; } diff --git a/src/packet_analysis/protocol/ipv4/IPv4.cc b/src/packet_analysis/protocol/ipv4/IPv4.cc index c8b03a3b37..6c04a93e59 100644 --- a/src/packet_analysis/protocol/ipv4/IPv4.cc +++ b/src/packet_analysis/protocol/ipv4/IPv4.cc @@ -13,6 +13,6 @@ std::tuplel3_proto = L3_IPV4; - // Leave LL analyzer land + // Leave packet analyzer land return { AnalyzerResult::Terminate, 0 }; } diff --git a/src/packet_analysis/protocol/ipv6/IPv6.cc b/src/packet_analysis/protocol/ipv6/IPv6.cc index 65ed530ee6..e7712d60e3 100644 --- a/src/packet_analysis/protocol/ipv6/IPv6.cc +++ b/src/packet_analysis/protocol/ipv6/IPv6.cc @@ -13,6 +13,6 @@ std::tuplel3_proto = L3_IPV6; - // Leave LL analyzer land + // Leave packet analyzer land return { AnalyzerResult::Terminate, 0 }; } diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index ada222d35d..1cfc2492cd 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2020-06-24-22-11-31 +#open 2020-07-13-15-09-39 #fields name #types string scripts/base/init-bare.zeek 
@@ -19,29 +19,29 @@ scripts/base/init-bare.zeek build/scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek build/scripts/base/bif/event.bif.zeek - scripts/base/llprotocols/__load__.zeek - scripts/base/llprotocols/default/__load__.zeek - scripts/base/llprotocols/default/main.zeek - scripts/base/llprotocols/ethernet/__load__.zeek - scripts/base/llprotocols/ethernet/main.zeek - scripts/base/llprotocols/fddi/__load__.zeek - scripts/base/llprotocols/fddi/main.zeek - scripts/base/llprotocols/ieee802_11/__load__.zeek - scripts/base/llprotocols/ieee802_11/main.zeek - scripts/base/llprotocols/ieee802_11_radio/__load__.zeek - scripts/base/llprotocols/ieee802_11_radio/main.zeek - scripts/base/llprotocols/linux_sll/__load__.zeek - scripts/base/llprotocols/linux_sll/main.zeek - scripts/base/llprotocols/nflog/__load__.zeek - scripts/base/llprotocols/nflog/main.zeek - scripts/base/llprotocols/null/__load__.zeek - scripts/base/llprotocols/null/main.zeek - scripts/base/llprotocols/ppp_serial/__load__.zeek - scripts/base/llprotocols/ppp_serial/main.zeek - scripts/base/llprotocols/pppoe/__load__.zeek - scripts/base/llprotocols/pppoe/main.zeek - scripts/base/llprotocols/vlan/__load__.zeek - scripts/base/llprotocols/vlan/main.zeek + scripts/base/packet-protocols/__load__.zeek + scripts/base/packet-protocols/default/__load__.zeek + scripts/base/packet-protocols/default/main.zeek + scripts/base/packet-protocols/ethernet/__load__.zeek + scripts/base/packet-protocols/ethernet/main.zeek + scripts/base/packet-protocols/fddi/__load__.zeek + scripts/base/packet-protocols/fddi/main.zeek + scripts/base/packet-protocols/ieee802_11/__load__.zeek + scripts/base/packet-protocols/ieee802_11/main.zeek + scripts/base/packet-protocols/ieee802_11_radio/__load__.zeek + scripts/base/packet-protocols/ieee802_11_radio/main.zeek + scripts/base/packet-protocols/linux_sll/__load__.zeek + scripts/base/packet-protocols/linux_sll/main.zeek + 
scripts/base/packet-protocols/nflog/__load__.zeek + scripts/base/packet-protocols/nflog/main.zeek + scripts/base/packet-protocols/null/__load__.zeek + scripts/base/packet-protocols/null/main.zeek + scripts/base/packet-protocols/ppp_serial/__load__.zeek + scripts/base/packet-protocols/ppp_serial/main.zeek + scripts/base/packet-protocols/pppoe/__load__.zeek + scripts/base/packet-protocols/pppoe/main.zeek + scripts/base/packet-protocols/vlan/__load__.zeek + scripts/base/packet-protocols/vlan/main.zeek scripts/base/init-frameworks-and-bifs.zeek scripts/base/frameworks/logging/__load__.zeek scripts/base/frameworks/logging/main.zeek @@ -210,4 +210,4 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek scripts/policy/misc/loaded-scripts.zeek scripts/base/utils/paths.zeek -#close 2020-06-24-22-11-31 +#close 2020-07-13-15-09-39 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index a67b3644ff..8c8f58b0bd 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2020-09-11-03-21-10 +#open 2020-09-22-16-54-06 #fields name #types string scripts/base/init-bare.zeek 
@@ -19,29 +19,29 @@ scripts/base/init-bare.zeek build/scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek build/scripts/base/bif/event.bif.zeek - scripts/base/llprotocols/__load__.zeek - scripts/base/llprotocols/default/__load__.zeek - scripts/base/llprotocols/default/main.zeek - scripts/base/llprotocols/ethernet/__load__.zeek - scripts/base/llprotocols/ethernet/main.zeek - scripts/base/llprotocols/fddi/__load__.zeek - scripts/base/llprotocols/fddi/main.zeek - scripts/base/llprotocols/ieee802_11/__load__.zeek - scripts/base/llprotocols/ieee802_11/main.zeek - scripts/base/llprotocols/ieee802_11_radio/__load__.zeek - scripts/base/llprotocols/ieee802_11_radio/main.zeek - scripts/base/llprotocols/linux_sll/__load__.zeek - scripts/base/llprotocols/linux_sll/main.zeek - scripts/base/llprotocols/nflog/__load__.zeek - scripts/base/llprotocols/nflog/main.zeek - scripts/base/llprotocols/null/__load__.zeek - scripts/base/llprotocols/null/main.zeek - scripts/base/llprotocols/ppp_serial/__load__.zeek - scripts/base/llprotocols/ppp_serial/main.zeek - scripts/base/llprotocols/pppoe/__load__.zeek - scripts/base/llprotocols/pppoe/main.zeek - scripts/base/llprotocols/vlan/__load__.zeek - scripts/base/llprotocols/vlan/main.zeek + scripts/base/packet-protocols/__load__.zeek + scripts/base/packet-protocols/default/__load__.zeek + scripts/base/packet-protocols/default/main.zeek + scripts/base/packet-protocols/ethernet/__load__.zeek + scripts/base/packet-protocols/ethernet/main.zeek + scripts/base/packet-protocols/fddi/__load__.zeek + scripts/base/packet-protocols/fddi/main.zeek + scripts/base/packet-protocols/ieee802_11/__load__.zeek + scripts/base/packet-protocols/ieee802_11/main.zeek + scripts/base/packet-protocols/ieee802_11_radio/__load__.zeek + scripts/base/packet-protocols/ieee802_11_radio/main.zeek + scripts/base/packet-protocols/linux_sll/__load__.zeek + scripts/base/packet-protocols/linux_sll/main.zeek + 
scripts/base/packet-protocols/nflog/__load__.zeek + scripts/base/packet-protocols/nflog/main.zeek + scripts/base/packet-protocols/null/__load__.zeek + scripts/base/packet-protocols/null/main.zeek + scripts/base/packet-protocols/ppp_serial/__load__.zeek + scripts/base/packet-protocols/ppp_serial/main.zeek + scripts/base/packet-protocols/pppoe/__load__.zeek + scripts/base/packet-protocols/pppoe/main.zeek + scripts/base/packet-protocols/vlan/__load__.zeek + scripts/base/packet-protocols/vlan/main.zeek scripts/base/init-frameworks-and-bifs.zeek scripts/base/frameworks/logging/__load__.zeek scripts/base/frameworks/logging/main.zeek @@ -406,4 +406,4 @@ scripts/base/init-default.zeek scripts/base/misc/find-filtered-trace.zeek scripts/base/misc/version.zeek scripts/policy/misc/loaded-scripts.zeek -#close 2020-09-11-03-21-10 +#close 2020-09-22-16-54-06 From 1c3ded7dd53e864d89052a166f0904a27b555b7e Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Mon, 13 Jul 2020 17:14:12 -0400 Subject: [PATCH 04/43] Merge ProtocolAnalyzerSet into Manager, remove AnalyzerSet base class --- src/packet_analysis/AnalyzerSet.h | 24 ---- src/packet_analysis/CMakeLists.txt | 1 - src/packet_analysis/Manager.cc | 136 ++++++++++++++++++-- src/packet_analysis/Manager.h | 27 ++-- src/packet_analysis/ProtocolAnalyzerSet.cc | 137 --------------------- src/packet_analysis/ProtocolAnalyzerSet.h | 39 ------ 6 files changed, 142 insertions(+), 222 deletions(-) delete mode 100644 src/packet_analysis/AnalyzerSet.h delete mode 100644 src/packet_analysis/ProtocolAnalyzerSet.cc delete mode 100644 src/packet_analysis/ProtocolAnalyzerSet.h diff --git a/src/packet_analysis/AnalyzerSet.h b/src/packet_analysis/AnalyzerSet.h deleted file mode 100644 index 5e9c538ce2..0000000000 --- a/src/packet_analysis/AnalyzerSet.h +++ /dev/null 
@@ -1,24 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#pragma once - -#include "Analyzer.h" -#include "Defines.h" - -namespace zeek::packet_analysis { - -class Analyzer; - -class AnalyzerSet { -public: - virtual ~AnalyzerSet() = default; - virtual Analyzer* Dispatch(identifier_t identifier) = 0; - virtual void Reset() = 0; - -protected: - friend class Manager; - - virtual void DumpDebug() const = 0; -}; - -} diff --git a/src/packet_analysis/CMakeLists.txt b/src/packet_analysis/CMakeLists.txt index 6a5fa16708..88023b8fa2 100644 --- a/src/packet_analysis/CMakeLists.txt +++ b/src/packet_analysis/CMakeLists.txt @@ -10,7 +10,6 @@ add_subdirectory(dispatchers) set(llanalyzer_SRCS Analyzer.cc - ProtocolAnalyzerSet.cc Manager.cc Component.cc Tag.cc diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc index 8b0ff3bbb7..f9e1f6e9c7 100644 --- a/src/packet_analysis/Manager.cc +++ b/src/packet_analysis/Manager.cc @@ -1,13 +1,15 @@ // See the file "COPYING" in the main distribution directory for copyright. +#include "Manager.h" + #include #include #include "Config.h" -#include "Manager.h" #include "NetVar.h" -#include "ProtocolAnalyzerSet.h" #include "plugin/Manager.h" +#include "Analyzer.h" +#include "dispatchers/VectorDispatcher.h" using namespace zeek::packet_analysis; @@ -18,7 +20,17 @@ Manager::Manager() Manager::~Manager() { - delete analyzer_set; + bool delete_default = default_analyzer != nullptr; + for ( const auto& current : analyzers ) + { + if ( current.second == default_analyzer ) + delete_default = false; + + delete current.second; + } + + if ( delete_default ) + delete default_analyzer; } void Manager::InitPostScript() 
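Review bot: Manager::~Manager() now deletes every entry in `analyzers` and, when it was instantiated separately, `default_analyzer`, but it never frees the `Dispatcher` objects that GetDispatcher() creates with `new VectorDispatcher()` and stores in `dispatchers` later in this patch, so they leak when the manager is torn down. The deleted ProtocolAnalyzerSet destructor had the same gap, but now that Manager owns the map it should release them, e.g. `for ( const auto& d : dispatchers ) delete d.second;` next to the analyzer loop. If the dispatchers are intentionally owned elsewhere, a one-line comment on the destructor saying so would settle the question for the next reader.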
@@ -43,7 +55,38 @@ void Manager::InitPostScript() configuration.AddMapping(parent_name, identifier, Lookup(analyzer)->Name()); } - analyzer_set = new ProtocolAnalyzerSet(configuration, "DefaultAnalyzer"); + // Instantiate objects for all analyzers + for ( const auto& current_dispatcher_config : configuration.GetDispatchers() ) + { + for ( const auto& current_mapping : current_dispatcher_config.GetMappings() ) + { + // Check if already instantiated + if ( analyzers.count(current_mapping.second) != 0 ) + continue; + + // Check if analyzer exists + if ( Analyzer* newAnalyzer = InstantiateAnalyzer(current_mapping.second) ) + analyzers.emplace(current_mapping.second, newAnalyzer); + } + } + + // Generate Dispatchers, starting at root + root_dispatcher = GetDispatcher(configuration, "ROOT"); + if ( root_dispatcher == nullptr ) + reporter->InternalError("No dispatching configuration for ROOT of packet_analysis set."); + + // Set up default analysis + auto it = analyzers.find("DefaultAnalyzer"); + if ( it != analyzers.end() ) + default_analyzer = it->second; + else + default_analyzer = InstantiateAnalyzer("DefaultAnalyzer"); + + default_dispatcher = nullptr; + if ( default_analyzer != nullptr ) + default_dispatcher = GetDispatcher(configuration, "DefaultAnalyzer"); + + current_state = root_dispatcher; } void Manager::Done() @@ -59,9 +102,12 @@ void Manager::DumpDebug() DBG_LOG(DBG_PACKET_ANALYSIS, " %s (%s)", current->Name().c_str(), IsEnabled(current->Tag()) ? "enabled" : "disabled"); } - // Dump Analyzer Set - if (analyzer_set) - analyzer_set->DumpDebug(); + DBG_LOG(DBG_PACKET_ANALYSIS, "ProtocolAnalyzerSet FSM:"); + for ( const auto& current : dispatchers ) + { + DBG_LOG(DBG_PACKET_ANALYSIS, " Dispatcher (%p): %s", current.second, current.first.c_str()); + current.second->DumpDebug(); + } #endif } 
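Review bot: The default-analyzer name is spelled out as the literal `"DefaultAnalyzer"` three times in InitPostScript() (the `analyzers.find`, the `InstantiateAnalyzer` fallback and the `GetDispatcher` call), where ProtocolAnalyzerSet previously received it once as `default_analyzer_name`; a typo in one copy would silently disable default analysis. A file-scope `static const std::string default_analyzer_name = "DefaultAnalyzer";` used in all three places keeps them in step. Separately, when `InstantiateAnalyzer` returns nullptr in the first loop the mapping is dropped without any message here and only surfaces as the InternalWarning in GetDispatcher(); a comment such as `// Unknown analyzer names are reported when the dispatchers are built below` would explain the apparent silence.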
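Review bot: The debug header in Manager::DumpDebug() still reads `"ProtocolAnalyzerSet FSM:"` although this commit deletes ProtocolAnalyzerSet and folds its state into Manager, so the label will point maintainers at a class that no longer exists. Rename it to match the new owner, e.g. `DBG_LOG(DBG_PACKET_ANALYSIS, "Packet analysis dispatcher FSM:");`. The hunk ends in `#endif`, so this appears to be debug-build-only output and no test baseline should be affected.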
@@ -204,15 +250,12 @@ void Manager::ProcessPacket(Packet* packet) DBG_LOG(DBG_PACKET_ANALYSIS, "Analyzing packet %ld, ts=%.3f...", ++counter, packet->time); #endif - if ( ! analyzer_set ) - return; - // Dispatch and analyze layers AnalyzerResult result = AnalyzerResult::Continue; identifier_t next_layer_id = packet->link_type; do { - auto current_analyzer = analyzer_set->Dispatch(next_layer_id); + auto current_analyzer = Dispatch(next_layer_id); // Analyzer not found if ( current_analyzer == nullptr ) @@ -246,7 +289,7 @@ void Manager::ProcessPacket(Packet* packet) CustomEncapsulationSkip(packet); // Processing finished, reset analyzer set state for next packet - analyzer_set->Reset(); + Reset(); } void Manager::CustomEncapsulationSkip(Packet* packet) 
@@ -283,3 +326,72 @@ void Manager::CustomEncapsulationSkip(Packet* packet) } } } + +Analyzer* Manager::Dispatch(identifier_t identifier) + { + // Because leaf nodes (aka no more dispatching) can still have an existing analyzer that returns more identifiers, + // current_state needs to be checked to be not null. In this case there would have been an analyzer dispatched + // in the last layer, but no dispatcher for it (end of FSM) + const Value* result = nullptr; + if ( current_state ) + result = current_state->Lookup(identifier); + + if ( result == nullptr ) + { + if ( current_state != default_dispatcher ) + { + // Switch to default analysis once + current_state = default_dispatcher; + return default_analyzer; + } + return nullptr; + } + else + { + current_state = result->dispatcher; + return result->analyzer; + } + } + +void Manager::Reset() + { + current_state = root_dispatcher; + } + +Dispatcher* Manager::GetDispatcher(Config& configuration, const std::string& dispatcher_name) + { + // Is it already created? + if ( dispatchers.count(dispatcher_name) != 0 ) + return dispatchers[dispatcher_name]; + + // Create new dispatcher from config + std::optional> dispatcher_config = + configuration.GetDispatcherConfig(dispatcher_name); + + if ( ! dispatcher_config ) + // No such dispatcher found, this is therefore implicitly a leaf + return nullptr; + + const auto& mappings = dispatcher_config->get().GetMappings(); + + Dispatcher* dispatcher = new VectorDispatcher(); + dispatchers.emplace(dispatcher_name, dispatcher); + + for ( const auto& current_mapping : mappings ) + { + // No analyzer with this name. Report warning and ignore. 
+ if ( analyzers.count(current_mapping.second) == 0 ) + { + reporter->InternalWarning("No analyzer %s found for dispatching identifier %#x of %s, ignoring.", + current_mapping.second.c_str(), + current_mapping.first, + dispatcher_name.c_str()); + continue; + } + + dispatcher->Register(current_mapping.first, analyzers.at(current_mapping.second), + GetDispatcher(configuration, current_mapping.second)); + } + + return dispatcher; + } diff --git a/src/packet_analysis/Manager.h b/src/packet_analysis/Manager.h index f5130e1b2a..a23849bbb0 100644 --- a/src/packet_analysis/Manager.h +++ b/src/packet_analysis/Manager.h @@ -5,19 +5,18 @@ #include #include +#include "Config.h" #include "Tag.h" -#include "Analyzer.h" #include "Component.h" -#include "AnalyzerSet.h" #include "plugin/ComponentManager.h" #include "iosource/Packet.h" - -#include "../Dict.h" -#include "../net_util.h" +#include "Dict.h" +#include "net_util.h" namespace zeek::packet_analysis { -class AnalyzerSet; +class Analyzer; +class Dispatcher; class Manager : public plugin::ComponentManager { public: @@ -148,7 +147,8 @@ public: */ void ProcessPacket(Packet* packet); -protected: +private: + /** * Skips a fixed amount of packet data that is defined by encap_hdr_size. * It is assumed that an IP header follows. @@ -157,9 +157,18 @@ protected: */ void CustomEncapsulationSkip(Packet* packet); -private: - AnalyzerSet* analyzer_set = nullptr; + Analyzer* Dispatch(identifier_t identifier); + void Reset(); + + Dispatcher* GetDispatcher(Config& configuration, const std::string& dispatcher_name); + + std::map analyzers; + std::map dispatchers; + Dispatcher* root_dispatcher = nullptr; + Dispatcher* default_dispatcher = nullptr; + Dispatcher* current_state = nullptr; + Analyzer* default_analyzer = nullptr; }; } diff --git a/src/packet_analysis/ProtocolAnalyzerSet.cc b/src/packet_analysis/ProtocolAnalyzerSet.cc deleted file mode 100644 index 21a3eac1f6..0000000000 --- a/src/packet_analysis/ProtocolAnalyzerSet.cc +++ /dev/null 
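Review bot: GetDispatcher() inserts the new dispatcher into `dispatchers` before it iterates over the mappings and recurses, and that ordering is what makes a configuration whose mappings lead back to an already-created dispatcher terminate via the early `return dispatchers[dispatcher_name]` path; nothing in the hunk says so, and a later refactor that moves the `emplace` after the loop would recurse without bound. A comment on the emplace line, `// Register before recursing: mappings that refer back to an ancestor dispatcher hit the cache above instead of looping`, would protect that invariant. The lookup at the top also does `count` followed by `operator[]`, two map walks where one suffices: `if ( auto it = dispatchers.find(dispatcher_name); it != dispatchers.end() ) return it->second;` (the function already relies on C++17 through `std::optional`).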
@@ -1,137 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#include "ProtocolAnalyzerSet.h" - -namespace zeek::packet_analysis { - -ProtocolAnalyzerSet::ProtocolAnalyzerSet(Config& configuration, const std::string& default_analyzer_name) - { - // Instantiate objects for all analyzers - for ( const auto& current_dispatcher_config : configuration.GetDispatchers() ) - { - for ( const auto& current_mapping : current_dispatcher_config.GetMappings() ) - { - // Check if already instantiated - if ( analyzers.count(current_mapping.second) != 0 ) - continue; - - // Check if analyzer exists - if ( Analyzer* newAnalyzer = packet_mgr->InstantiateAnalyzer(current_mapping.second) ) - analyzers.emplace(current_mapping.second, newAnalyzer); - } - } - - // Generate Dispatchers, starting at root - root_dispatcher = GetDispatcher(configuration, "ROOT"); - if ( root_dispatcher == nullptr ) - reporter->InternalError("No dispatching configuration for ROOT of packet_analysis set."); - - // Set up default analysis - auto it = analyzers.find(default_analyzer_name); - if ( it != analyzers.end() ) - default_analyzer = it->second; - else - default_analyzer = packet_mgr->InstantiateAnalyzer(default_analyzer_name); - - default_dispatcher = nullptr; - if ( default_analyzer != nullptr ) - default_dispatcher = GetDispatcher(configuration, default_analyzer_name); - - current_state = root_dispatcher; - } - -ProtocolAnalyzerSet::~ProtocolAnalyzerSet() - { - bool delete_default = default_analyzer != nullptr; - for ( const auto& current : analyzers ) - { - if ( current.second == default_analyzer ) - delete_default = false; - - delete current.second; - } - - if ( delete_default ) - delete default_analyzer; - } - -Analyzer* ProtocolAnalyzerSet::Dispatch(identifier_t identifier) - { - // Because leaf nodes (aka no more dispatching) can still have an existing analyzer that returns more identifiers, - // current_state needs to be checked to be not null. 
In this case there would have been an analyzer dispatched - // in the last layer, but no dispatcher for it (end of FSM) - const Value* result = nullptr; - if ( current_state ) - result = current_state->Lookup(identifier); - - if ( result == nullptr ) - { - if ( current_state != default_dispatcher ) - { - // Switch to default analysis once - current_state = default_dispatcher; - return default_analyzer; - } - return nullptr; - } - else - { - current_state = result->dispatcher; - return result->analyzer; - } - } - -void ProtocolAnalyzerSet::Reset() - { - current_state = root_dispatcher; - } - -void ProtocolAnalyzerSet::DumpDebug() const - { -#ifdef DEBUG - DBG_LOG(DBG_PACKET_ANALYSIS, "ProtocolAnalyzerSet FSM:"); - for ( const auto& current : dispatchers ) - { - DBG_LOG(DBG_PACKET_ANALYSIS, " Dispatcher (%p): %s", current.second, current.first.c_str()); - current.second->DumpDebug(); - } -#endif - } - -Dispatcher* ProtocolAnalyzerSet::GetDispatcher(Config& configuration, const std::string& dispatcher_name) - { - // Is it already created? - if ( dispatchers.count(dispatcher_name) != 0 ) - return dispatchers[dispatcher_name]; - - // Create new dispatcher from config - std::optional> dispatcher_config = configuration.GetDispatcherConfig(dispatcher_name); - if ( ! dispatcher_config ) - // No such dispatcher found, this is therefore implicitly a leaf - return nullptr; - - const auto& mappings = dispatcher_config->get().GetMappings(); - - Dispatcher* dispatcher = new dispatcher_impl(); - dispatchers.emplace(dispatcher_name, dispatcher); - - for ( const auto& current_mapping : mappings ) - { - // No analyzer with this name. Report warning and ignore. 
- if ( analyzers.count(current_mapping.second) == 0 ) - { - reporter->InternalWarning("No analyzer %s found for dispatching identifier %#x of %s, ignoring.", - current_mapping.second.c_str(), - current_mapping.first, - dispatcher_name.c_str()); - continue; - } - - dispatcher->Register(current_mapping.first, analyzers.at(current_mapping.second), - GetDispatcher(configuration, current_mapping.second)); - } - - return dispatcher; - } - -} diff --git a/src/packet_analysis/ProtocolAnalyzerSet.h b/src/packet_analysis/ProtocolAnalyzerSet.h deleted file mode 100644 index bde05e73f9..0000000000 --- a/src/packet_analysis/ProtocolAnalyzerSet.h +++ /dev/null @@ -1,39 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#pragma once - -#include "AnalyzerSet.h" -#include "Config.h" -#include "dispatchers/Dispatcher.h" -#include "dispatchers/UniversalDispatcher.h" -#include "dispatchers/VectorDispatcher.h" - -namespace zeek::packet_analysis { - -class ProtocolAnalyzerSet : public AnalyzerSet { - -public: - explicit ProtocolAnalyzerSet(Config& configuration, const std::string& default_analyzer_name); - ~ProtocolAnalyzerSet() override; - - Analyzer* Dispatch(identifier_t identifier) override; - void Reset() override; - -protected: - void DumpDebug() const override; - -private: - using dispatcher_impl = VectorDispatcher; - //using dispatcher_impl = UniversalDispatcher; - - std::map analyzers; - std::map dispatchers; - Dispatcher* root_dispatcher = nullptr; - Dispatcher* default_dispatcher = nullptr; - Dispatcher* current_state = nullptr; - Analyzer* default_analyzer = nullptr; - - Dispatcher* GetDispatcher(Config& configuration, const std::string& dispatcher_name); -}; - -} From 08ceea8de1ed8def9112134a2dfb93680ecaca5e Mon Sep 17 00:00:00 2001 
From: Tim Wojtulewicz Date: Mon, 13 Jul 2020 16:46:39 -0700 Subject: [PATCH 05/43] Fixes for various btest issues - Fix handling of truncated ethernet headers, fix core.truncation test output - Update commit hashes for external private test repo --- .../protocol/default/Default.cc | 2 +- .../protocol/ethernet/Ethernet.cc | 8 +++++ testing/btest/Baseline/core.truncation/output | 32 +++++++++---------- 3 files changed, 25 insertions(+), 17 deletions(-) diff --git a/src/packet_analysis/protocol/default/Default.cc b/src/packet_analysis/protocol/default/Default.cc index 72e226fcad..d3e3901c1b 100644 --- a/src/packet_analysis/protocol/default/Default.cc +++ b/src/packet_analysis/protocol/default/Default.cc @@ -17,7 +17,7 @@ std::tuple= packet->GetEndOfData() ) { - packet->Weird("default_ll_analyser_failed"); + packet->Weird("packet_analyzer_truncated_header"); return { AnalyzerResult::Failed, 0 }; } diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.cc b/src/packet_analysis/protocol/ethernet/Ethernet.cc index 261f30a0f0..9db434d82c 100644 --- a/src/packet_analysis/protocol/ethernet/Ethernet.cc +++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc @@ -15,6 +15,14 @@ std::tuplecur_pos; auto end_of_data = packet->GetEndOfData(); + // Make sure that we actually got an entire ethernet header before trying + // to pull bytes out of it. + if ( pdata + 16 >= end_of_data ) + { + packet->Weird("truncated_ethernet_frame"); + return { AnalyzerResult::Failed, 0 }; + } + // Skip past Cisco FabricPath to encapsulated ethernet frame. if ( pdata[12] == 0x89 && pdata[13] == 0x03 ) { diff --git a/testing/btest/Baseline/core.truncation/output b/testing/btest/Baseline/core.truncation/output index 0bd1083165..9625b3a1bb 100644 --- a/testing/btest/Baseline/core.truncation/output +++ b/testing/btest/Baseline/core.truncation/output 
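Review bot: The new guard in EthernetAnalyzer::Analyze() compares against a bare `16` while its comment promises "an entire ethernet header", which is 14 bytes, so a reader cannot tell whether the two extra bytes are deliberate lookahead or a leftover from the old Packet.cc check. Either make the comment state the real requirement or name the bound, e.g. `constexpr ptrdiff_t min_ethernet_bytes = 16; // TODO(review): document why 2 bytes beyond the 14-byte header are required`, and use it in the condition. The FabricPath branch that follows (`pdata[12] == 0x89 && pdata[13] == 0x03`) presumably advances `pdata` past that encapsulation; the rest of the function is outside this hunk, so I cannot see whether the remaining length is re-validated after the skip, and it should be if it is not.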
@@ -3,78 +3,78 @@ #empty_field (empty) #unset_field - #path weird -#open 2020-07-02-14-29-19 +#open 2020-07-14-01-19-19 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1334160095.895421 - - - - - truncated_IP - F zeek -#close 2020-07-02-14-29-19 +#close 2020-07-14-01-19-19 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-07-02-14-29-20 +#open 2020-07-14-01-19-20 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1334156241.519125 - - - - - truncated_IP - F zeek -#close 2020-07-02-14-29-20 +#close 2020-07-14-01-19-20 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-07-02-14-29-20 +#open 2020-07-14-01-19-21 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1334094648.590126 - - - - - truncated_IP - F zeek -#close 2020-07-02-14-29-20 +#close 2020-07-14-01-19-21 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-07-02-14-29-21 +#open 2020-07-14-01-19-23 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1338328954.078361 - - - - - internally_truncated_header - F zeek -#close 2020-07-02-14-29-21 +#close 2020-07-14-01-19-23 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-07-02-14-29-21 +#open 2020-07-14-01-19-24 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 0.000000 - - - - - truncated_ethernet_frame - F zeek -#close 2020-07-02-14-29-21 +#close 2020-07-14-01-19-24 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird 
-#open 2020-07-02-14-29-21 +#open 2020-07-14-01-19-25 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 invalid_IP_header_size - F zeek -#close 2020-07-02-14-29-21 +#close 2020-07-14-01-19-25 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-07-02-14-29-21 +#open 2020-07-14-01-19-26 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 internally_truncated_header - F zeek -#close 2020-07-02-14-29-22 +#close 2020-07-14-01-19-26 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2020-07-02-14-29-22 +#open 2020-07-14-01-19-27 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1500557630.000000 - 0.255.0.255 0 15.254.2.1 0 invalid_IP_header_size_in_tunnel - F zeek -#close 2020-07-02-14-29-22 +#close 2020-07-14-01-19-27 From 94ec639bfbbff28845ddd3c4ce9b29e765d54435 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Mon, 13 Jul 2020 20:45:55 -0400 Subject: [PATCH 06/43] Fix ordering of debug logger strings to match the enum --- src/DebugLogger.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/DebugLogger.cc b/src/DebugLogger.cc index 96a9ce171c..f2d0f75dd6 100644 --- a/src/DebugLogger.cc +++ b/src/DebugLogger.cc 
@@ -19,13 +19,13 @@ DebugLogger::Stream DebugLogger::streams[NUM_DBGS] = { { "string", 0, false }, { "notifiers", 0, false }, { "main-loop", 0, false }, - { "packet_analysis", 0, false }, { "dpd", 0, false }, + { "packet_analysis", 0, false }, + { "file_analysis", 0, false }, { "tm", 0, false }, { "logging", 0, false }, { "input", 0, false }, { "threading", 0, false }, - { "file_analysis", 0, false }, { "plugins", 0, false }, { "zeekygen", 0, false }, { "pktio", 0, false }, From 27fea2b218c90a5bc733e3be63e1a25c0584d0ba Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Mon, 13 Jul 2020 19:01:51 -0700 Subject: [PATCH 07/43] Reorganize some pointer handling --- src/packet_analysis/Manager.cc | 76 +++++++++++++++------------------- 1 file changed, 34 insertions(+), 42 deletions(-) diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc index f9e1f6e9c7..f6f63dec38 100644 --- a/src/packet_analysis/Manager.cc +++ b/src/packet_analysis/Manager.cc 
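Review bot: The fix relies on the positional initializers of `streams[NUM_DBGS]` staying in the same order as the debug-stream enum, which is exactly what silently drifted here: a wrong order compiles fine and only mislabels debug output, and a missing trailing entry zero-fills instead of failing. At minimum put `// Order must match the stream enum in DebugLogger.h; add new streams in both places.` above the array; better, generate both the enum and this table from one X-macro list so they cannot diverge again. The enum itself is outside this hunk, so I am taking the commit message's word that the new order matches.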
@@ -113,54 +113,50 @@ void Manager::DumpDebug() bool Manager::EnableAnalyzer(const Tag& tag) { - Component* p = Lookup(tag); + if ( Component* p = Lookup(tag) ) + { + DBG_LOG(DBG_PACKET_ANALYSIS, "Enabling analyzer %s", p->Name().c_str()); + p->SetEnabled(true); + return true; + } - if ( ! p ) - return false; - - DBG_LOG(DBG_PACKET_ANALYSIS, "Enabling analyzer %s", p->Name().c_str()); - p->SetEnabled(true); - - return true; + return false; } bool Manager::EnableAnalyzer(EnumVal* val) { - Component* p = Lookup(val); + if ( Component* p = Lookup(val) ) + { + DBG_LOG(DBG_PACKET_ANALYSIS, "Enabling analyzer %s", p->Name().c_str()); + p->SetEnabled(true); + return true; + } - if ( ! p ) - return false; - - DBG_LOG(DBG_PACKET_ANALYSIS, "Enabling analyzer %s", p->Name().c_str()); - p->SetEnabled(true); - - return true; + return false; } bool Manager::DisableAnalyzer(const Tag& tag) { - Component* p = Lookup(tag); + if ( Component* p = Lookup(tag) ) + { + DBG_LOG(DBG_PACKET_ANALYSIS, "Disabling analyzer %s", p->Name().c_str()); + p->SetEnabled(false); + return true; + } - if ( ! p ) - return false; - - DBG_LOG(DBG_PACKET_ANALYSIS, "Disabling analyzer %s", p->Name().c_str()); - p->SetEnabled(false); - - return true; + return false; } bool Manager::DisableAnalyzer(EnumVal* val) { - Component* p = Lookup(val); + if ( Component* p = Lookup(val) ) + { + DBG_LOG(DBG_PACKET_ANALYSIS, "Disabling analyzer %s", p->Name().c_str()); + p->SetEnabled(false); + return true; + } - if ( ! p ) - return false; - - DBG_LOG(DBG_PACKET_ANALYSIS, "Disabling analyzer %s", p->Name().c_str()); - p->SetEnabled(false); - - return true; + return false; } void Manager::DisableAllAnalyzers() 
@@ -182,22 +178,18 @@ bool Manager::IsEnabled(Tag tag) if ( ! tag ) return false; - Component* p = Lookup(tag); + if ( Component* p = Lookup(tag) ) + return p->Enabled(); - if ( ! p ) - return false; - - return p->Enabled(); + return false; } bool Manager::IsEnabled(EnumVal* val) { - Component* p = Lookup(val); + if ( Component* p = Lookup(val) ) + return p->Enabled(); - if ( ! p ) - return false; - - return p->Enabled(); + return false; } Analyzer* Manager::InstantiateAnalyzer(const Tag& tag) From 07b7a3be40184686615aafb1d2f773fcca5d6d2c Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Mon, 13 Jul 2020 20:07:41 -0700 Subject: [PATCH 08/43] Whitespace fixes from review --- src/packet_analysis/Config.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/packet_analysis/Config.cc b/src/packet_analysis/Config.cc index bfb41d2540..4fd644b35d 100644 --- a/src/packet_analysis/Config.cc +++ b/src/packet_analysis/Config.cc @@ -20,7 +20,7 @@ const std::map& DispatcherConfig::GetMappings() const } void DispatcherConfig::AddMapping(identifier_t identifier, - const std::string& analyzer_name) + const std::string& analyzer_name) { DBG_LOG(DBG_PACKET_ANALYSIS, "Adding configuration mapping: %s -> %#x -> %s", name.c_str(), identifier, analyzer_name.c_str()); @@ -72,7 +72,7 @@ DispatcherConfig& Config::AddDispatcherConfig(const std::string& name) } void Config::AddMapping(const std::string& name, identifier_t identifier, - const std::string& analyzer_name) + const std::string& analyzer_name) { // Create dispatcher config if it does not exist yet std::optional> dispatch_config = From f39d6bb4c40d071625d457104973870ae5a9ee70 Mon Sep 17 00:00:00 2001 
From: Tim Wojtulewicz Date: Tue, 14 Jul 2020 10:26:53 -0700 Subject: [PATCH 09/43] Use shared_ptr instead of raw pointers in packet_analysis for analyzers and dispatchers --- src/packet_analysis/Analyzer.h | 2 ++ src/packet_analysis/Component.h | 3 +- src/packet_analysis/Manager.cc | 29 ++++++------------- src/packet_analysis/Manager.h | 22 +++++++------- src/packet_analysis/dispatchers/Dispatcher.h | 18 +++++++----- .../dispatchers/UniversalDispatcher.cc | 15 ++++------ .../dispatchers/UniversalDispatcher.h | 6 ++-- .../dispatchers/VectorDispatcher.cc | 15 ++++------ .../dispatchers/VectorDispatcher.h | 8 ++--- src/packet_analysis/protocol/arp/ARP.h | 4 +-- .../protocol/default/Default.h | 4 +-- .../protocol/ethernet/Ethernet.h | 4 +-- src/packet_analysis/protocol/fddi/FDDI.h | 4 +-- .../protocol/ieee802_11/IEEE802_11.h | 4 +-- .../ieee802_11_radio/IEEE802_11_Radio.h | 4 +-- src/packet_analysis/protocol/ipv4/IPv4.h | 4 +-- src/packet_analysis/protocol/ipv6/IPv6.h | 4 +-- .../protocol/linux_sll/LinuxSLL.h | 4 +-- src/packet_analysis/protocol/mpls/MPLS.h | 4 +-- src/packet_analysis/protocol/nflog/NFLog.h | 4 +-- src/packet_analysis/protocol/null/Null.h | 4 +-- .../protocol/ppp_serial/PPPSerial.h | 4 +-- src/packet_analysis/protocol/pppoe/PPPoE.h | 4 +-- src/packet_analysis/protocol/vlan/VLAN.h | 4 +-- .../protocol/wrapper/Wrapper.h | 4 +-- .../plugins/packet-protocol-plugin/src/Bar.h | 5 ++-- 26 files changed, 89 insertions(+), 98 deletions(-) diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h index 0a20f2fe39..e8d431cfca 100644 --- a/src/packet_analysis/Analyzer.h +++ b/src/packet_analysis/Analyzer.h @@ -86,4 +86,6 @@ private: void Init(const Tag& tag); }; +using AnalyzerPtr = std::shared_ptr; + } diff --git a/src/packet_analysis/Component.h b/src/packet_analysis/Component.h index 8bb7452080..ded61ac744 100644 --- a/src/packet_analysis/Component.h +++ b/src/packet_analysis/Component.h 
@@ -12,11 +12,12 @@ namespace zeek::packet_analysis { class Analyzer; +using AnalyzerPtr = std::shared_ptr; class Component : public plugin::Component, public plugin::TaggedComponent { public: - typedef Analyzer* (*factory_callback)(); + typedef AnalyzerPtr (*factory_callback)(); Component(const std::string& name, factory_callback factory, Tag::subtype_t subtype = 0, bool enabled = true); ~Component() override = default; diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc index f6f63dec38..8826ccf1e0 100644 --- a/src/packet_analysis/Manager.cc +++ b/src/packet_analysis/Manager.cc @@ -20,17 +20,6 @@ Manager::Manager() Manager::~Manager() { - bool delete_default = default_analyzer != nullptr; - for ( const auto& current : analyzers ) - { - if ( current.second == default_analyzer ) - delete_default = false; - - delete current.second; - } - - if ( delete_default ) - delete default_analyzer; } void Manager::InitPostScript() @@ -65,7 +54,7 @@ void Manager::InitPostScript() continue; // Check if analyzer exists - if ( Analyzer* newAnalyzer = InstantiateAnalyzer(current_mapping.second) ) + if ( AnalyzerPtr newAnalyzer = InstantiateAnalyzer(current_mapping.second) ) analyzers.emplace(current_mapping.second, newAnalyzer); } } @@ -105,7 +94,7 @@ void Manager::DumpDebug() DBG_LOG(DBG_PACKET_ANALYSIS, "ProtocolAnalyzerSet FSM:"); for ( const auto& current : dispatchers ) { - DBG_LOG(DBG_PACKET_ANALYSIS, " Dispatcher (%p): %s", current.second, current.first.c_str()); + DBG_LOG(DBG_PACKET_ANALYSIS, " Dispatcher (%p): %s", current.second.get(), current.first.c_str()); current.second->DumpDebug(); } #endif @@ -192,7 +181,7 @@ bool Manager::IsEnabled(EnumVal* val) return false; } -Analyzer* Manager::InstantiateAnalyzer(const Tag& tag) +AnalyzerPtr Manager::InstantiateAnalyzer(const Tag& tag) { Component* c = Lookup(tag); 
@@ -211,7 +200,7 @@ Analyzer* Manager::InstantiateAnalyzer(const Tag& tag) return nullptr; } - Analyzer* a = c->Factory()(); + AnalyzerPtr a = c->Factory()(); if ( ! a ) { @@ -229,7 +218,7 @@ Analyzer* Manager::InstantiateAnalyzer(const Tag& tag) return a; } -Analyzer* Manager::InstantiateAnalyzer(const std::string& name) +AnalyzerPtr Manager::InstantiateAnalyzer(const std::string& name) { Tag tag = GetComponentTag(name); return tag ? InstantiateAnalyzer(tag) : nullptr; @@ -319,12 +308,12 @@ void Manager::CustomEncapsulationSkip(Packet* packet) } } -Analyzer* Manager::Dispatch(identifier_t identifier) +AnalyzerPtr Manager::Dispatch(identifier_t identifier) { // Because leaf nodes (aka no more dispatching) can still have an existing analyzer that returns more identifiers, // current_state needs to be checked to be not null. In this case there would have been an analyzer dispatched // in the last layer, but no dispatcher for it (end of FSM) - const Value* result = nullptr; + ValuePtr result = nullptr; if ( current_state ) result = current_state->Lookup(identifier); @@ -350,7 +339,7 @@ void Manager::Reset() current_state = root_dispatcher; } -Dispatcher* Manager::GetDispatcher(Config& configuration, const std::string& dispatcher_name) +DispatcherPtr Manager::GetDispatcher(Config& configuration, const std::string& dispatcher_name) { // Is it already created? if ( dispatchers.count(dispatcher_name) != 0 ) @@ -366,7 +355,7 @@ Dispatcher* Manager::GetDispatcher(Config& configuration, const std::string& dis const auto& mappings = dispatcher_config->get().GetMappings(); - Dispatcher* dispatcher = new VectorDispatcher(); + DispatcherPtr dispatcher = std::make_shared(); dispatchers.emplace(dispatcher_name, dispatcher); for ( const auto& current_mapping : mappings ) diff --git a/src/packet_analysis/Manager.h b/src/packet_analysis/Manager.h index a23849bbb0..7e6c767c7b 100644 --- a/src/packet_analysis/Manager.h +++ b/src/packet_analysis/Manager.h 
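Review bot: `Dispatch()` now copies a `ValuePtr` out of `current_state->Lookup(identifier)` for every layer of every packet, so the per-packet hot path pays an atomic increment and decrement that the old `const Value*` did not; since the dispatcher's table owns the `Value` and outlives the call, `const Value* result = nullptr;` with `Lookup()` returning `const Value*` keeps the same lifetime guarantee without the refcount traffic. `GetDispatcher()` inserts the new dispatcher into `dispatchers` before registering its mappings, which (given the "Is it already created?" check at the top) is presumably what lets a mapping that names an already-created dispatcher resolve rather than recurse; a comment such as `// Insert before registering mappings so recursive GetDispatcher() calls for this name terminate.` would keep someone from reordering it. The remainder of `Dispatch()` is outside this hunk.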
@@ -17,6 +17,8 @@ namespace zeek::packet_analysis { class Analyzer; class Dispatcher; +using AnalyzerPtr = std::shared_ptr; +using DispatcherPtr = std::shared_ptr; class Manager : public plugin::ComponentManager { public: @@ -127,7 +129,7 @@ public: * null if tag is invalid, the requested analyzer is disabled, or the * analyzer can't be instantiated. */ - Analyzer* InstantiateAnalyzer(const Tag& tag); + AnalyzerPtr InstantiateAnalyzer(const Tag& tag); /** * Instantiates a new analyzer. @@ -138,7 +140,7 @@ public: * null if the name is not known or if the requested analyzer that is * disabled. */ - Analyzer* InstantiateAnalyzer(const std::string& name); + AnalyzerPtr InstantiateAnalyzer(const std::string& name); /** * Processes a packet by applying the configured packet analyzers. @@ -157,18 +159,18 @@ private: */ void CustomEncapsulationSkip(Packet* packet); - Analyzer* Dispatch(identifier_t identifier); + AnalyzerPtr Dispatch(identifier_t identifier); void Reset(); - Dispatcher* GetDispatcher(Config& configuration, const std::string& dispatcher_name); + DispatcherPtr GetDispatcher(Config& configuration, const std::string& dispatcher_name); - std::map analyzers; - std::map dispatchers; - Dispatcher* root_dispatcher = nullptr; - Dispatcher* default_dispatcher = nullptr; - Dispatcher* current_state = nullptr; - Analyzer* default_analyzer = nullptr; + std::map analyzers; + std::map dispatchers; + DispatcherPtr root_dispatcher = nullptr; + DispatcherPtr default_dispatcher = nullptr; + DispatcherPtr current_state = nullptr; + AnalyzerPtr default_analyzer = nullptr; }; } diff --git a/src/packet_analysis/dispatchers/Dispatcher.h b/src/packet_analysis/dispatchers/Dispatcher.h index e71d1b5dfb..f7fca9e3b1 100644 --- a/src/packet_analysis/dispatchers/Dispatcher.h +++ b/src/packet_analysis/dispatchers/Dispatcher.h 
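Review bot: `using AnalyzerPtr = std::shared_ptr<Analyzer>;` is now spelled out in three headers in this commit (Analyzer.h, Component.h and here in Manager.h), so the alias will drift the first time one copy changes; define it once in Analyzer.h (and `DispatcherPtr` once in dispatchers/Dispatcher.h) and include or forward-declare from there. None of the hunks add `#include <memory>`; if `std::shared_ptr` is currently only reaching these headers transitively, add the include where the alias is defined.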
@@ -11,32 +11,36 @@ namespace zeek::packet_analysis { class Dispatcher; // Forward decl for Value -using register_pair = std::pair>; -using register_map = std::map>; +using DispatcherPtr = std::shared_ptr; + +using register_pair = std::pair>; +using register_map = std::map>; class Value { public: - Analyzer* analyzer; - Dispatcher* dispatcher; + AnalyzerPtr analyzer; + DispatcherPtr dispatcher; - Value(Analyzer* analyzer, Dispatcher* dispatcher) + Value(AnalyzerPtr analyzer, DispatcherPtr dispatcher) : analyzer(analyzer), dispatcher(dispatcher) { } }; +using ValuePtr = std::shared_ptr; + class Dispatcher { public: virtual ~Dispatcher() = default; - virtual bool Register(identifier_t identifier, Analyzer* analyzer, Dispatcher* dispatcher) = 0; + virtual bool Register(identifier_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher) = 0; virtual void Register(const register_map& data) { for ( auto& current : data ) Register(current.first, current.second.first, current.second.second); } - virtual const Value* Lookup(identifier_t identifier) const = 0; + virtual ValuePtr Lookup(identifier_t identifier) const = 0; virtual size_t Size() const = 0; virtual void Clear() = 0; diff --git a/src/packet_analysis/dispatchers/UniversalDispatcher.cc b/src/packet_analysis/dispatchers/UniversalDispatcher.cc index 685c275b70..517d8f109d 100644 --- a/src/packet_analysis/dispatchers/UniversalDispatcher.cc +++ b/src/packet_analysis/dispatchers/UniversalDispatcher.cc @@ -23,7 +23,7 @@ UniversalDispatcher::~UniversalDispatcher() FreeValues(); } -bool UniversalDispatcher::Register(identifier_t identifier, Analyzer* analyzer, Dispatcher* dispatcher) +bool UniversalDispatcher::Register(identifier_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher) { #if DEBUG > 1 std::shared_ptr deferred(nullptr, [=](...) { 
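Review bot: `Value` now holds an owning `DispatcherPtr` to a dispatcher that `Manager::dispatchers` already owns, so ownership of every dispatcher is split between the map and each `Value` pointing at it; if the configured mappings ever route back to an earlier dispatcher (I cannot see the mapping tables here, but the FSM shape permits it), the reference counts never reach zero and those objects outlive the Manager. Since the map keeps every dispatcher alive for the Manager's lifetime, `Value::dispatcher` can be non-owning: `Dispatcher* dispatcher;` (or `std::weak_ptr<Dispatcher>` if an expiry check is wanted). The constructor also takes both `shared_ptr`s by value and then copies them again into the members; `analyzer(std::move(analyzer)), dispatcher(std::move(dispatcher))` saves the extra refcount operations.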
@@ -35,7 +35,7 @@ bool UniversalDispatcher::Register(identifier_t identifier, Analyzer* analyzer, if ( table[hashed_id].second == nullptr ) { // Free bin, insert the value - table[hashed_id] = std::make_pair(identifier, new Value(analyzer, dispatcher)); + table[hashed_id] = std::make_pair(identifier, std::make_shared(analyzer, dispatcher)); return true; } else if ( table[hashed_id].first != identifier ) @@ -44,7 +44,7 @@ bool UniversalDispatcher::Register(identifier_t identifier, Analyzer* analyzer, // Create intermediate representation with the new element in it, then rehash with that data std::vector intermediate = CreateIntermediate(); - intermediate.emplace_back(identifier, new Value(analyzer, dispatcher)); + intermediate.emplace_back(identifier, std::make_shared(analyzer, dispatcher)); // Try increasing the #bins until it works or it can't get any larger. Rehash(intermediate); @@ -67,12 +67,12 @@ void UniversalDispatcher::Register(const register_map& data) // Create intermediate representation of current analyzer set, then add all new ones std::vector intermediate = CreateIntermediate(); for ( const auto& current : data ) - intermediate.emplace_back(current.first, new Value(current.second.first, current.second.second)); + intermediate.emplace_back(current.first, std::make_shared(current.second.first, current.second.second)); Rehash(intermediate); } -Value* UniversalDispatcher::Lookup(identifier_t identifier) const +ValuePtr UniversalDispatcher::Lookup(identifier_t identifier) const { uint64_t hashed_id = Hash(identifier); @@ -125,7 +125,7 @@ void UniversalDispatcher::DumpDebug() const for ( size_t i = 0; i < table.size(); i++ ) { if ( table[i].second != nullptr ) - DBG_LOG(DBG_PACKET_ANALYSIS, " %#8x => %s, %p", table[i].first, table[i].second->analyzer->GetAnalyzerName(), table[i].second->dispatcher); + DBG_LOG(DBG_PACKET_ANALYSIS, " %#8x => %s, %p", table[i].first, table[i].second->analyzer->GetAnalyzerName(), table[i].second->dispatcher.get()); } #endif } 
@@ -137,10 +137,7 @@ void UniversalDispatcher::DumpDebug() const void UniversalDispatcher::FreeValues() { for ( auto& current : table ) - { - delete current.second; current.second = nullptr; - } } void UniversalDispatcher::Rehash(const std::vector& intermediate) diff --git a/src/packet_analysis/dispatchers/UniversalDispatcher.h b/src/packet_analysis/dispatchers/UniversalDispatcher.h index 84e5f6373e..f235f438fd 100644 --- a/src/packet_analysis/dispatchers/UniversalDispatcher.h +++ b/src/packet_analysis/dispatchers/UniversalDispatcher.h @@ -12,9 +12,9 @@ public: UniversalDispatcher(); ~UniversalDispatcher() override; - bool Register(identifier_t identifier, Analyzer* analyzer, Dispatcher* dispatcher) override; + bool Register(identifier_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher) override; void Register(const register_map& data) override; - Value* Lookup(identifier_t identifier) const override; + ValuePtr Lookup(identifier_t identifier) const override; size_t Size() const override; void Clear() override; @@ -25,7 +25,7 @@ public: void Rehash(); private: - using pair_t = std::pair; + using pair_t = std::pair; static const uint64_t ONE = 1u; // Chosen random constants for the currently selected collision free random hash function diff --git a/src/packet_analysis/dispatchers/VectorDispatcher.cc b/src/packet_analysis/dispatchers/VectorDispatcher.cc index 0afa8660f0..09256f0a85 100644 --- a/src/packet_analysis/dispatchers/VectorDispatcher.cc +++ b/src/packet_analysis/dispatchers/VectorDispatcher.cc 
@@ -11,12 +11,12 @@ VectorDispatcher::~VectorDispatcher() FreeValues(); } -bool VectorDispatcher::Register(identifier_t identifier, Analyzer* analyzer, Dispatcher* dispatcher) +bool VectorDispatcher::Register(identifier_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher) { // If the table has size 1 and the entry is nullptr, there was nothing added yet. Just add it. if ( table.size() == 1 && table[0] == nullptr ) { - table[0] = new Value(analyzer, dispatcher); + table[0] = std::make_shared(analyzer, dispatcher); lowest_identifier = identifier; return true; } @@ -48,7 +48,7 @@ bool VectorDispatcher::Register(identifier_t identifier, Analyzer* analyzer, Dis int64_t index = identifier - lowest_identifier; if ( table[index] == nullptr ) { - table[index] = new Value(analyzer, dispatcher); + table[index] = std::make_shared(analyzer, dispatcher); return true; } @@ -77,7 +77,7 @@ void VectorDispatcher::Register(const register_map& data) } } -const Value* VectorDispatcher::Lookup(identifier_t identifier) const +ValuePtr VectorDispatcher::Lookup(identifier_t identifier) const { int64_t index = identifier - lowest_identifier; if ( index >= 0 && index < static_cast(table.size()) && table[index] != nullptr ) @@ -88,7 +88,7 @@ const Value* VectorDispatcher::Lookup(identifier_t identifier) const size_t VectorDispatcher::Size() const { - return std::count_if(table.begin(), table.end(), [](const auto* v) { return v != nullptr; }); + return std::count_if(table.begin(), table.end(), [](ValuePtr v) { return v != nullptr; }); } void VectorDispatcher::Clear() @@ -100,10 +100,7 @@ void VectorDispatcher::Clear() void VectorDispatcher::FreeValues() { for ( auto& current : table ) - { - delete current; current = nullptr; - } } void VectorDispatcher::DumpDebug() const 
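Review bot: The lambda in `Size()` takes `ValuePtr v` by value, so counting the table copies and releases a `shared_ptr` (two atomic operations) for every slot; take it by reference: `[](const ValuePtr& v) { return v != nullptr; }`. The same by-value pattern in `Register(identifier_t, AnalyzerPtr, DispatcherPtr)` copies the arguments once more into `std::make_shared<Value>(analyzer, dispatcher)`; `std::move(analyzer), std::move(dispatcher)` avoids the second copy at both call sites in this file.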
@@ -114,7 +111,7 @@ void VectorDispatcher::DumpDebug() const for ( size_t i = 0; i < table.size(); i++ ) { if ( table[i] != nullptr ) - DBG_LOG(DBG_PACKET_ANALYSIS, " %#8lx => %s, %p", i+lowest_identifier, table[i]->analyzer->GetAnalyzerName(), table[i]->dispatcher); + DBG_LOG(DBG_PACKET_ANALYSIS, " %#8lx => %s, %p", i+lowest_identifier, table[i]->analyzer->GetAnalyzerName(), table[i]->dispatcher.get()); } #endif } diff --git a/src/packet_analysis/dispatchers/VectorDispatcher.h b/src/packet_analysis/dispatchers/VectorDispatcher.h index 5e5b1ff4f7..ad7bbebe41 100644 --- a/src/packet_analysis/dispatchers/VectorDispatcher.h +++ b/src/packet_analysis/dispatchers/VectorDispatcher.h @@ -10,15 +10,15 @@ namespace zeek::packet_analysis { class VectorDispatcher : public Dispatcher { public: VectorDispatcher() - : table(std::vector(1, nullptr)) + : table(std::vector(1, nullptr)) { } ~VectorDispatcher() override; - bool Register(identifier_t identifier, Analyzer* analyzer, Dispatcher* dispatcher) override; + bool Register(identifier_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher) override; void Register(const register_map& data) override; - const Value* Lookup(identifier_t identifier) const override; + ValuePtr Lookup(identifier_t identifier) const override; size_t Size() const override; void Clear() override; @@ -28,7 +28,7 @@ protected: private: identifier_t lowest_identifier = 0; - std::vector table; + std::vector table; void FreeValues(); diff --git a/src/packet_analysis/protocol/arp/ARP.h b/src/packet_analysis/protocol/arp/ARP.h index 0abfd7bf1d..2e93b8231f 100644 --- a/src/packet_analysis/protocol/arp/ARP.h +++ b/src/packet_analysis/protocol/arp/ARP.h @@ -14,9 +14,9 @@ public: std::tuple Analyze(Packet* packet) override; - static Analyzer* Instantiate() + static zeek::packet_analysis::AnalyzerPtr Instantiate() { - return new ARPAnalyzer(); + return std::make_shared(); } }; 
diff --git a/src/packet_analysis/protocol/default/Default.h b/src/packet_analysis/protocol/default/Default.h index eae4a3a5b9..a61b2cce53 100644 --- a/src/packet_analysis/protocol/default/Default.h +++ b/src/packet_analysis/protocol/default/Default.h @@ -14,9 +14,9 @@ public: std::tuple Analyze(Packet* packet) override; - static Analyzer* Instantiate() + static zeek::packet_analysis::AnalyzerPtr Instantiate() { - return new DefaultAnalyzer(); + return std::make_shared(); } }; diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.h b/src/packet_analysis/protocol/ethernet/Ethernet.h index b59936a8c2..e64b131afb 100644 --- a/src/packet_analysis/protocol/ethernet/Ethernet.h +++ b/src/packet_analysis/protocol/ethernet/Ethernet.h @@ -14,9 +14,9 @@ public: std::tuple Analyze(Packet* packet) override; - static Analyzer* Instantiate() + static zeek::packet_analysis::AnalyzerPtr Instantiate() { - return new EthernetAnalyzer(); + return std::make_shared(); } }; diff --git a/src/packet_analysis/protocol/fddi/FDDI.h b/src/packet_analysis/protocol/fddi/FDDI.h index a96dcc8d9d..52bcd94598 100644 --- a/src/packet_analysis/protocol/fddi/FDDI.h +++ b/src/packet_analysis/protocol/fddi/FDDI.h @@ -14,9 +14,9 @@ public: std::tuple Analyze(Packet* packet) override; - static zeek::packet_analysis::Analyzer* Instantiate() + static zeek::packet_analysis::AnalyzerPtr Instantiate() { - return new FDDIAnalyzer(); + return std::make_shared(); } }; diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h index 4890dc0ff1..2b3e74e205 100644 --- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h @@ -14,9 +14,9 @@ public: std::tuple Analyze(Packet* packet) override; - static Analyzer* Instantiate() + static zeek::packet_analysis::AnalyzerPtr Instantiate() { - return new IEEE802_11Analyzer(); + return std::make_shared(); } }; 
diff --git a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h index 1dba34c294..f9fe41f2dd 100644 --- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h +++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h @@ -14,9 +14,9 @@ public: std::tuple Analyze(Packet* packet) override; - static Analyzer* Instantiate() + static zeek::packet_analysis::AnalyzerPtr Instantiate() { - return new IEEE802_11_RadioAnalyzer(); + return std::make_shared(); } }; diff --git a/src/packet_analysis/protocol/ipv4/IPv4.h b/src/packet_analysis/protocol/ipv4/IPv4.h index d40a033f2c..7750fa9033 100644 --- a/src/packet_analysis/protocol/ipv4/IPv4.h +++ b/src/packet_analysis/protocol/ipv4/IPv4.h @@ -14,9 +14,9 @@ public: std::tuple Analyze(Packet* packet) override; - static Analyzer* Instantiate() + static zeek::packet_analysis::AnalyzerPtr Instantiate() { - return new IPv4Analyzer(); + return std::make_shared(); } }; diff --git a/src/packet_analysis/protocol/ipv6/IPv6.h b/src/packet_analysis/protocol/ipv6/IPv6.h index 86d361436c..ae425ffec4 100644 --- a/src/packet_analysis/protocol/ipv6/IPv6.h +++ b/src/packet_analysis/protocol/ipv6/IPv6.h @@ -14,9 +14,9 @@ public: std::tuple Analyze(Packet* packet) override; - static Analyzer* Instantiate() + static AnalyzerPtr Instantiate() { - return new IPv6Analyzer(); + return std::make_shared(); } }; diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.h b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h index e66d335f0a..09990eba2b 100644 --- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.h +++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h @@ -14,9 +14,9 @@ public: std::tuple Analyze(Packet* packet) override; - static Analyzer* Instantiate() + static zeek::packet_analysis::AnalyzerPtr Instantiate() { - return new LinuxSLLAnalyzer(); + return std::make_shared(); } private: 
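Review bot: `IPv6Analyzer::Instantiate()` returns bare `AnalyzerPtr` while every other factory in this commit (IPv4, LinuxSLL, the radiotap analyzer here, and `NFLogAnalyzer` in a later file aside) spells out `zeek::packet_analysis::AnalyzerPtr`; both presumably resolve because the classes sit inside `namespace zeek::packet_analysis`, so pick one form and apply it to all the `Instantiate()` factories. The unqualified `static AnalyzerPtr Instantiate()` is the shorter choice given the enclosing namespace.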
diff --git a/src/packet_analysis/protocol/mpls/MPLS.h b/src/packet_analysis/protocol/mpls/MPLS.h index 35f595e3d3..694e551f31 100644 --- a/src/packet_analysis/protocol/mpls/MPLS.h +++ b/src/packet_analysis/protocol/mpls/MPLS.h @@ -14,9 +14,9 @@ public: std::tuple Analyze(Packet* packet) override; - static zeek::packet_analysis::Analyzer* Instantiate() + static zeek::packet_analysis::AnalyzerPtr Instantiate() { - return new MPLSAnalyzer(); + return std::make_shared(); } }; diff --git a/src/packet_analysis/protocol/nflog/NFLog.h b/src/packet_analysis/protocol/nflog/NFLog.h index c2b691ea51..01ecf0233f 100644 --- a/src/packet_analysis/protocol/nflog/NFLog.h +++ b/src/packet_analysis/protocol/nflog/NFLog.h @@ -14,9 +14,9 @@ public: std::tuple Analyze(Packet* packet) override; - static Analyzer* Instantiate() + static AnalyzerPtr Instantiate() { - return new NFLogAnalyzer(); + return std::make_shared(); } }; diff --git a/src/packet_analysis/protocol/null/Null.h b/src/packet_analysis/protocol/null/Null.h index 7f3976cf31..4c7b692081 100644 --- a/src/packet_analysis/protocol/null/Null.h +++ b/src/packet_analysis/protocol/null/Null.h @@ -14,9 +14,9 @@ public: std::tuple Analyze(Packet* packet) override; - static Analyzer* Instantiate() + static zeek::packet_analysis::AnalyzerPtr Instantiate() { - return new NullAnalyzer(); + return std::make_shared(); } }; diff --git a/src/packet_analysis/protocol/ppp_serial/PPPSerial.h b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h index 76e7dcd8b9..3985e85bbf 100644 --- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.h +++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h @@ -14,9 +14,9 @@ public: std::tuple Analyze(Packet* packet) override; - static Analyzer* Instantiate() + static zeek::packet_analysis::AnalyzerPtr Instantiate() { - return new PPPSerialAnalyzer(); + return std::make_shared(); } }; 
diff --git a/src/packet_analysis/protocol/pppoe/PPPoE.h b/src/packet_analysis/protocol/pppoe/PPPoE.h index 3a979af8a1..f342402d7f 100644 --- a/src/packet_analysis/protocol/pppoe/PPPoE.h +++ b/src/packet_analysis/protocol/pppoe/PPPoE.h @@ -14,9 +14,9 @@ public: std::tuple Analyze(Packet* packet) override; - static Analyzer* Instantiate() + static zeek::packet_analysis::AnalyzerPtr Instantiate() { - return new PPPoEAnalyzer(); + return std::make_shared(); } }; diff --git a/src/packet_analysis/protocol/vlan/VLAN.h b/src/packet_analysis/protocol/vlan/VLAN.h index 8f64e0ec64..d80af10ccb 100644 --- a/src/packet_analysis/protocol/vlan/VLAN.h +++ b/src/packet_analysis/protocol/vlan/VLAN.h @@ -14,9 +14,9 @@ public: std::tuple Analyze(Packet* packet) override; - static Analyzer* Instantiate() + static zeek::packet_analysis::AnalyzerPtr Instantiate() { - return new VLANAnalyzer(); + return std::make_shared(); } }; diff --git a/src/packet_analysis/protocol/wrapper/Wrapper.h b/src/packet_analysis/protocol/wrapper/Wrapper.h index b8403e297e..6151cb4a39 100644 --- a/src/packet_analysis/protocol/wrapper/Wrapper.h +++ b/src/packet_analysis/protocol/wrapper/Wrapper.h @@ -14,9 +14,9 @@ public: std::tuple Analyze(Packet* packet) override; - static Analyzer* Instantiate() + static zeek::packet_analysis::AnalyzerPtr Instantiate() { - return new WrapperAnalyzer(); + return std::make_shared(); } }; diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h index 125e8883c1..2473388ea4 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h +++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h @@ -12,11 +12,10 @@ public: std::tuple Analyze(Packet* packet) override; - static Analyzer* Instantiate() + static AnalyzerPtr Instantiate() { - return new Bar(); + return std::make_shared(); } }; } - From bd6d3e0112dbd0a28beadb9a3b31d3fb93f24126 Mon Sep 17 00:00:00 2001 
From: Tim Wojtulewicz Date: Thu, 16 Jul 2020 08:40:46 -0700 Subject: [PATCH 10/43] Remove enabled state from Components, ability to enable/disable from Manager --- src/packet_analysis/Component.cc | 6 +- src/packet_analysis/Component.h | 17 +--- src/packet_analysis/Manager.cc | 86 +------------------ src/packet_analysis/Manager.h | 62 ------------- .../Baseline/plugins.packet-protocol/output | 2 +- .../packet-protocol-plugin/src/Plugin.cc | 1 - 6 files changed, 4 insertions(+), 170 deletions(-) diff --git a/src/packet_analysis/Component.cc b/src/packet_analysis/Component.cc index 7ca6f24bcc..0fec613648 100644 --- a/src/packet_analysis/Component.cc +++ b/src/packet_analysis/Component.cc @@ -6,12 +6,11 @@ using namespace zeek::packet_analysis; -Component::Component(const std::string& name, factory_callback arg_factory, Tag::subtype_t arg_subtype, bool arg_enabled) +Component::Component(const std::string& name, factory_callback arg_factory, Tag::subtype_t arg_subtype) : plugin::Component(plugin::component::PACKET_ANALYZER, name), plugin::TaggedComponent(arg_subtype) { factory = arg_factory; - enabled = arg_enabled; } void Component::Initialize() @@ -26,8 +25,5 @@ void Component::DoDescribe(ODesc* d) const { d->Add("ANALYZER_"); d->Add(CanonicalName()); - d->Add(", "); } - - d->Add(enabled ? "enabled" : "disabled"); } diff --git a/src/packet_analysis/Component.h b/src/packet_analysis/Component.h index ded61ac744..61986719f7 100644 --- a/src/packet_analysis/Component.h +++ b/src/packet_analysis/Component.h @@ -19,7 +19,7 @@ class Component : public plugin::Component, public: typedef AnalyzerPtr (*factory_callback)(); - Component(const std::string& name, factory_callback factory, Tag::subtype_t subtype = 0, bool enabled = true); + Component(const std::string& name, factory_callback factory, Tag::subtype_t subtype = 0); ~Component() override = default; /** 
@@ -34,20 +34,6 @@ public: */ factory_callback Factory() const { return factory; } - /** - * Returns true if the analyzer is currently enabled and hence - * available for use. - */ - bool Enabled() const { return enabled; } - - /** - * Enables or disables this analyzer. - * - * @param arg_enabled True to enabled, false to disable. - * - */ - void SetEnabled(bool arg_enabled) { enabled = arg_enabled; } - protected: /** * Overriden from plugin::Component. @@ -56,7 +42,6 @@ protected: private: factory_callback factory; // The analyzer's factory callback. - bool enabled; // True if the analyzer is enabled. }; } diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc index 8826ccf1e0..5ba5fae028 100644 --- a/src/packet_analysis/Manager.cc +++ b/src/packet_analysis/Manager.cc @@ -88,7 +88,7 @@ void Manager::DumpDebug() DBG_LOG(DBG_PACKET_ANALYSIS, "Available packet analyzers after zeek_init():"); for ( auto& current : GetComponents() ) { - DBG_LOG(DBG_PACKET_ANALYSIS, " %s (%s)", current->Name().c_str(), IsEnabled(current->Tag()) ? "enabled" : "disabled"); + DBG_LOG(DBG_PACKET_ANALYSIS, " %s", current->Name().c_str()); } DBG_LOG(DBG_PACKET_ANALYSIS, "ProtocolAnalyzerSet FSM:"); 
@@ -100,87 +100,6 @@ void Manager::DumpDebug() #endif } -bool Manager::EnableAnalyzer(const Tag& tag) - { - if ( Component* p = Lookup(tag) ) - { - DBG_LOG(DBG_PACKET_ANALYSIS, "Enabling analyzer %s", p->Name().c_str()); - p->SetEnabled(true); - return true; - } - - return false; - } - -bool Manager::EnableAnalyzer(EnumVal* val) - { - if ( Component* p = Lookup(val) ) - { - DBG_LOG(DBG_PACKET_ANALYSIS, "Enabling analyzer %s", p->Name().c_str()); - p->SetEnabled(true); - return true; - } - - return false; - } - -bool Manager::DisableAnalyzer(const Tag& tag) - { - if ( Component* p = Lookup(tag) ) - { - DBG_LOG(DBG_PACKET_ANALYSIS, "Disabling analyzer %s", p->Name().c_str()); - p->SetEnabled(false); - return true; - } - - return false; - } - -bool Manager::DisableAnalyzer(EnumVal* val) - { - if ( Component* p = Lookup(val) ) - { - DBG_LOG(DBG_PACKET_ANALYSIS, "Disabling analyzer %s", p->Name().c_str()); - p->SetEnabled(false); - return true; - } - - return false; - } - -void Manager::DisableAllAnalyzers() - { - DBG_LOG(DBG_PACKET_ANALYSIS, "Disabling all analyzers"); - - std::list all_analyzers = GetComponents(); - for ( const auto& analyzer : all_analyzers ) - analyzer->SetEnabled(false); - } - -zeek::packet_analysis::Tag Manager::GetAnalyzerTag(const char* name) - { - return GetComponentTag(name); - } - -bool Manager::IsEnabled(Tag tag) - { - if ( ! tag ) - return false; - - if ( Component* p = Lookup(tag) ) - return p->Enabled(); - - return false; - } - -bool Manager::IsEnabled(EnumVal* val) - { - if ( Component* p = Lookup(val) ) - return p->Enabled(); - - return false; - } - AnalyzerPtr Manager::InstantiateAnalyzer(const Tag& tag) { Component* c = Lookup(tag); @@ -191,9 +110,6 @@ AnalyzerPtr Manager::InstantiateAnalyzer(const Tag& tag) return nullptr; } - if ( ! c->Enabled() ) - return nullptr; - if ( ! c->Factory() ) { reporter->InternalWarning("analyzer %s cannot be instantiated dynamically", GetComponentName(tag).c_str()); 
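Review bot: The definition of `Manager::GetAnalyzerTag(const char*)` is deleted in this hunk together with the enable/disable methods, but the Manager.h hunk of the same patch keeps its declaration (`Tag GetAnalyzerTag(const char* name);` survives there as context), so any caller now fails at link time instead of compile time. Either drop the declaration as well or keep the one-line body `return GetComponentTag(name);`. The commit message only mentions removing the enabled state, so the deletion looks accidental — unless a later patch in the series restores it.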
diff --git a/src/packet_analysis/Manager.h b/src/packet_analysis/Manager.h index 7e6c767c7b..b1a4638ee9 100644 --- a/src/packet_analysis/Manager.h +++ b/src/packet_analysis/Manager.h @@ -50,53 +50,6 @@ public: */ void DumpDebug(); // Called after zeek_init() events. - /** - * Enables an analyzer type. Only enabled analyzers will be - * instantiated for new connections. - * - * @param tag The analyzer's tag. - * - * @return True if successful. - */ - bool EnableAnalyzer(const Tag& tag); - - /** - * Enables an analyzer type. Only enabled analyzers will be - * instantiated for new connections. - * - * @param tag The analyzer's tag as an enum of script type \c - * Analyzer::Tag. - * - * @return True if successful. - */ - bool EnableAnalyzer(EnumVal* tag); - - /** - * Enables an analyzer type. Disabled analyzers will not be - * instantiated for new connections. - * - * @param tag The analyzer's tag. - * - * @return True if successful. - */ - bool DisableAnalyzer(const Tag& tag); - - /** - * Disables an analyzer type. Disabled analyzers will not be - * instantiated for new connections. - * - * @param tag The analyzer's tag as an enum of script type \c - * Analyzer::Tag. - * - * @return True if successful. - */ - bool DisableAnalyzer(EnumVal* tag); - - /** - * Disables all currently registered analyzers. - */ - void DisableAllAnalyzers(); - /** * Returns the tag associated with an analyer name, or the tag * associated with an error if no such analyzer exists. @@ -105,21 +58,6 @@ public: */ Tag GetAnalyzerTag(const char* name); - /** - * Returns true if an analyzer is enabled. - * - * @param tag The analyzer's tag. - */ - bool IsEnabled(Tag tag); - - /** - * Returns true if an analyzer is enabled. - * - * @param tag The analyzer's tag as an enum of script type \c - * Analyzer::Tag. - */ - bool IsEnabled(EnumVal* tag); - /** * Instantiates a new analyzer instance. * 
diff --git a/testing/btest/Baseline/plugins.packet-protocol/output b/testing/btest/Baseline/plugins.packet-protocol/output index 42fd1cea42..ce4796e58b 100644 --- a/testing/btest/Baseline/plugins.packet-protocol/output +++ b/testing/btest/Baseline/plugins.packet-protocol/output @@ -1,5 +1,5 @@ PacketDemo::Bar - A Bar packet analyzer. (dynamic, version 1.0.0) - [Packet Analyzer] Bar (ANALYZER_BAR, enabled) + [Packet Analyzer] Bar (ANALYZER_BAR) [Event] bar_message === diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc b/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc index 80032ea5f5..b90436a9ee 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc +++ b/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc @@ -1,4 +1,3 @@ - #include "Plugin.h" #include "packet_analysis/Component.h" From d22481aef30f2cba72195c9340086173a8f5b31b Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Thu, 16 Jul 2020 08:57:31 -0700 Subject: [PATCH 11/43] Remove Manager::Reset() method --- src/packet_analysis/Manager.cc | 7 +------ src/packet_analysis/Manager.h | 2 -- 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc index 5ba5fae028..2f2d4f03b3 100644 --- a/src/packet_analysis/Manager.cc +++ b/src/packet_analysis/Manager.cc @@ -186,7 +186,7 @@ void Manager::ProcessPacket(Packet* packet) CustomEncapsulationSkip(packet); // Processing finished, reset analyzer set state for next packet - Reset(); + current_state = root_dispatcher; } void Manager::CustomEncapsulationSkip(Packet* packet) @@ -250,11 +250,6 @@ AnalyzerPtr Manager::Dispatch(identifier_t identifier) } } -void Manager::Reset() - { - current_state = root_dispatcher; - } - DispatcherPtr Manager::GetDispatcher(Config& configuration, const std::string& dispatcher_name) { // Is it already created? diff --git a/src/packet_analysis/Manager.h b/src/packet_analysis/Manager.h index b1a4638ee9..34c61ceafd 100644 
--- a/src/packet_analysis/Manager.h +++ b/src/packet_analysis/Manager.h @@ -99,8 +99,6 @@ private: AnalyzerPtr Dispatch(identifier_t identifier); - void Reset(); - DispatcherPtr GetDispatcher(Config& configuration, const std::string& dispatcher_name); std::map analyzers; From b46e600775fbb0d4a12cbcc486bd930c5d5779c3 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Thu, 16 Jul 2020 09:24:15 -0700 Subject: [PATCH 12/43] Move VectorDispatcher to be the only dispatcher --- src/packet_analysis/CMakeLists.txt | 2 +- .../VectorDispatcher.cc => Dispatcher.cc} | 18 +- .../{dispatchers => }/Dispatcher.h | 40 ++-- src/packet_analysis/Manager.cc | 4 +- .../dispatchers/CMakeLists.txt | 13 -- .../dispatchers/UniversalDispatcher.cc | 207 ------------------ .../dispatchers/UniversalDispatcher.h | 108 --------- .../dispatchers/VectorDispatcher.h | 41 ---- 8 files changed, 36 insertions(+), 397 deletions(-) rename src/packet_analysis/{dispatchers/VectorDispatcher.cc => Dispatcher.cc} (86%) rename src/packet_analysis/{dispatchers => }/Dispatcher.h (56%) delete mode 100644 src/packet_analysis/dispatchers/CMakeLists.txt delete mode 100644 src/packet_analysis/dispatchers/UniversalDispatcher.cc delete mode 100644 src/packet_analysis/dispatchers/UniversalDispatcher.h delete mode 100644 src/packet_analysis/dispatchers/VectorDispatcher.h diff --git a/src/packet_analysis/CMakeLists.txt b/src/packet_analysis/CMakeLists.txt index 88023b8fa2..044370b727 100644 --- a/src/packet_analysis/CMakeLists.txt +++ b/src/packet_analysis/CMakeLists.txt @@ -6,10 +6,10 @@ include_directories(BEFORE ) add_subdirectory(protocol) -add_subdirectory(dispatchers) set(llanalyzer_SRCS Analyzer.cc + Dispatcher.cc Manager.cc Component.cc Tag.cc diff --git a/src/packet_analysis/dispatchers/VectorDispatcher.cc b/src/packet_analysis/Dispatcher.cc similarity index 86% rename from src/packet_analysis/dispatchers/VectorDispatcher.cc rename to src/packet_analysis/Dispatcher.cc index 09256f0a85..7662c42b88 100644 
--- a/src/packet_analysis/dispatchers/VectorDispatcher.cc +++ b/src/packet_analysis/Dispatcher.cc @@ -2,16 +2,16 @@ #include -#include "VectorDispatcher.h" +#include "Dispatcher.h" namespace zeek::packet_analysis { -VectorDispatcher::~VectorDispatcher() +Dispatcher::~Dispatcher() { FreeValues(); } -bool VectorDispatcher::Register(identifier_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher) +bool Dispatcher::Register(identifier_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher) { // If the table has size 1 and the entry is nullptr, there was nothing added yet. Just add it. if ( table.size() == 1 && table[0] == nullptr ) @@ -55,7 +55,7 @@ bool VectorDispatcher::Register(identifier_t identifier, AnalyzerPtr analyzer, D return false; } -void VectorDispatcher::Register(const register_map& data) +void Dispatcher::Register(const register_map& data) { // Search smallest and largest identifier and resize vector const auto& lowest_new = @@ -77,7 +77,7 @@ void VectorDispatcher::Register(const register_map& data) } } -ValuePtr VectorDispatcher::Lookup(identifier_t identifier) const +ValuePtr Dispatcher::Lookup(identifier_t identifier) const { int64_t index = identifier - lowest_identifier; if ( index >= 0 && index < static_cast(table.size()) && table[index] != nullptr ) @@ -86,24 +86,24 @@ ValuePtr VectorDispatcher::Lookup(identifier_t identifier) const return nullptr; } -size_t VectorDispatcher::Size() const +size_t Dispatcher::Size() const { return std::count_if(table.begin(), table.end(), [](ValuePtr v) { return v != nullptr; }); } -void VectorDispatcher::Clear() +void Dispatcher::Clear() { FreeValues(); table.clear(); } -void VectorDispatcher::FreeValues() +void Dispatcher::FreeValues() { for ( auto& current : table ) current = nullptr; } -void VectorDispatcher::DumpDebug() const +void Dispatcher::DumpDebug() const { #ifdef DEBUG DBG_LOG(DBG_PACKET_ANALYSIS, " Dispatcher elements (used/total): %lu/%lu", Size(), table.size()); 
diff --git a/src/packet_analysis/dispatchers/Dispatcher.h b/src/packet_analysis/Dispatcher.h similarity index 56% rename from src/packet_analysis/dispatchers/Dispatcher.h rename to src/packet_analysis/Dispatcher.h index f7fca9e3b1..eb4b0c8c36 100644 --- a/src/packet_analysis/dispatchers/Dispatcher.h +++ b/src/packet_analysis/Dispatcher.h @@ -2,11 +2,9 @@ #pragma once -#include #include - +#include #include "Analyzer.h" -#include "Defines.h" namespace zeek::packet_analysis { @@ -31,21 +29,31 @@ using ValuePtr = std::shared_ptr; class Dispatcher { public: - virtual ~Dispatcher() = default; + Dispatcher() + : table(std::vector(1, nullptr)) + { } - virtual bool Register(identifier_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher) = 0; - virtual void Register(const register_map& data) + ~Dispatcher(); + + bool Register(identifier_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher); + void Register(const register_map& data); + + ValuePtr Lookup(identifier_t identifier) const; + + size_t Size() const; + void Clear(); + void DumpDebug() const; + +private: + identifier_t lowest_identifier = 0; + std::vector table; + + void FreeValues(); + + inline identifier_t GetHighestIdentifier() const { - for ( auto& current : data ) - Register(current.first, current.second.first, current.second.second); + return lowest_identifier + table.size() - 1; } - - virtual ValuePtr Lookup(identifier_t identifier) const = 0; - - virtual size_t Size() const = 0; - virtual void Clear() = 0; - - virtual void DumpDebug() const = 0; - }; +}; } diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc index 2f2d4f03b3..b9e17ac916 100644 --- a/src/packet_analysis/Manager.cc +++ b/src/packet_analysis/Manager.cc @@ -9,7 +9,7 @@ #include "NetVar.h" #include "plugin/Manager.h" #include "Analyzer.h" -#include "dispatchers/VectorDispatcher.h" +#include "Dispatcher.h" using namespace zeek::packet_analysis; 
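Review bot: With the pure-virtual interface gone, `Dispatcher` in the `@@ -31,21 +29,31 @@` hunk is a concrete class with a non-virtual destructor, yet nothing marks it as no longer meant to be derived from; `class Dispatcher final {` would state the intent and let the compiler reject a later subclass that would make the non-virtual `~Dispatcher()` unsafe. `GetHighestIdentifier()` returns `uint32_t` from `lowest_identifier + table.size() - 1`, a `size_t` expression: when `table` is empty (which `Clear()` produces via `table.clear()` in the Dispatcher.cc hunks) the subtraction wraps, and the result is narrowed on return, so a comment such as `// Precondition: table is non-empty; result narrowed from size_t` or an assert would document the contract if `Register` can be reached after `Clear()`. `DumpDebug()` also moves from `protected` to `public` here; that may be intended for `Manager::DumpDebug`, but the commit does not mention it. The same `GetHighestIdentifier` body reappears in PATCH 13's Dispatcher.h hunk `@@ -35,22 +35,22 @@`.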
@@ -266,7 +266,7 @@ DispatcherPtr Manager::GetDispatcher(Config& configuration, const std::string& d const auto& mappings = dispatcher_config->get().GetMappings(); - DispatcherPtr dispatcher = std::make_shared(); + DispatcherPtr dispatcher = std::make_shared(); dispatchers.emplace(dispatcher_name, dispatcher); for ( const auto& current_mapping : mappings ) diff --git a/src/packet_analysis/dispatchers/CMakeLists.txt b/src/packet_analysis/dispatchers/CMakeLists.txt deleted file mode 100644 index ea4183fef8..0000000000 --- a/src/packet_analysis/dispatchers/CMakeLists.txt +++ /dev/null @@ -1,13 +0,0 @@ -include(ZeekSubdir) - -include_directories(BEFORE - ${CMAKE_CURRENT_SOURCE_DIR} - ${CMAKE_CURRENT_BINARY_DIR} -) - -set(dispatcher_SRCS - UniversalDispatcher.cc - VectorDispatcher.cc -) - -bro_add_subdir_library(llanalyzer_dispatcher ${dispatcher_SRCS}) diff --git a/src/packet_analysis/dispatchers/UniversalDispatcher.cc b/src/packet_analysis/dispatchers/UniversalDispatcher.cc deleted file mode 100644 index 517d8f109d..0000000000 --- a/src/packet_analysis/dispatchers/UniversalDispatcher.cc +++ /dev/null 
@@ -1,207 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#include "UniversalDispatcher.h" - -namespace zeek::packet_analysis { - -UniversalDispatcher::UniversalDispatcher() : generator(rd()) - { - SetBins(2); - - table = std::vector(ONE << m, {0, nullptr}); - - // Initialize random engine - distribution_a = std::uniform_int_distribution(1, ~static_cast(0)); - distribution_b = std::uniform_int_distribution(0, (ONE << w_minus_m) - ONE); - - // Initialize random parameters - RandomizeAB(); - } - -UniversalDispatcher::~UniversalDispatcher() - { - FreeValues(); - } - -bool UniversalDispatcher::Register(identifier_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher) - { -#if DEBUG > 1 - std::shared_ptr deferred(nullptr, [=](...) { - std::cout << "Inserted " << identifier << std::endl; - }); -#endif - - uint64_t hashed_id = Hash(identifier); - if ( table[hashed_id].second == nullptr ) - { - // Free bin, insert the value - table[hashed_id] = std::make_pair(identifier, std::make_shared(analyzer, dispatcher)); - return true; - } - else if ( table[hashed_id].first != identifier ) - { - // The bin is not empty, but the content isn't the to-be-inserted identifier --> resolve collision - - // Create intermediate representation with the new element in it, then rehash with that data - std::vector intermediate = CreateIntermediate(); - intermediate.emplace_back(identifier, std::make_shared(analyzer, dispatcher)); - - // Try increasing the #bins until it works or it can't get any larger. - Rehash(intermediate); - return true; - } - - // Analyzer with this ID is already registered. 
- return false; - } - -void UniversalDispatcher::Register(const register_map& data) - { - // Analyzer already registered - for ( const auto& current : data ) - { - if ( table[Hash(current.first)].second != nullptr ) - throw std::invalid_argument("Analyzer " + std::to_string(current.first) + " already registered!"); - } - - // Create intermediate representation of current analyzer set, then add all new ones - std::vector intermediate = CreateIntermediate(); - for ( const auto& current : data ) - intermediate.emplace_back(current.first, std::make_shared(current.second.first, current.second.second)); - - Rehash(intermediate); - } - -ValuePtr UniversalDispatcher::Lookup(identifier_t identifier) const - { - uint64_t hashed_id = Hash(identifier); - - // The hashed_id can't be larger than the number of bins - assert(hashed_id < table.size() && "Hashed ID is outside of the hash table range!"); - - pair_t entry = table[hashed_id]; - if ( entry.second != nullptr && entry.first == identifier ) - return entry.second; - - return nullptr; - } - -size_t UniversalDispatcher::Size() const - { - size_t result = 0; - for ( const auto& current : table ) - { - if ( current.second != nullptr ) - result++; - } - return result; - } - -void UniversalDispatcher::Clear() - { - // Free all analyzers - FreeValues(); - - SetBins(2); - table = std::vector(ONE << m, {0, nullptr}); - RandomizeAB(); - } - -size_t UniversalDispatcher::BucketCount() - { - return table.size(); - } - -void UniversalDispatcher::Rehash() - { - // Intermediate representation is just the current table without nulls - Rehash(CreateIntermediate()); - } - -void UniversalDispatcher::DumpDebug() const - { -#ifdef DEBUG - DBG_LOG(DBG_PACKET_ANALYSIS, " Dispatcher elements (used/total): %lu/%lu", Size(), table.size()); - for ( size_t i = 0; i < table.size(); i++ ) - { - if ( table[i].second != nullptr ) - DBG_LOG(DBG_PACKET_ANALYSIS, " %#8x => %s, %p", table[i].first, table[i].second->analyzer->GetAnalyzerName(), 
table[i].second->dispatcher.get()); - } -#endif - } - -// ####################### -// ####### PRIVATE ####### -// ####################### - -void UniversalDispatcher::FreeValues() - { - for ( auto& current : table ) - current.second = nullptr; - } - -void UniversalDispatcher::Rehash(const std::vector& intermediate) - { - while ( ! FindCollisionFreeHashFunction(intermediate) ) - { - DBG_LOG(DBG_PACKET_ANALYSIS, "Rehashing did not work. Increasing #bins to %" PRIu64 " (%" PRIu64 " bit).", (uint64_t)std::pow(2, m + 1), m + 1); - SetBins(m + 1); - } - } - -bool UniversalDispatcher::FindCollisionFreeHashFunction(const std::vector& intermediate) - { - // Don't even try if the number of values is larger than the number of buckets - if ( ONE << m < intermediate.size() ) - return false; - - // Remember the hash function parameters to not break the table if rehashing doesn't work - uint64_t stored_a = a; - uint64_t stored_b = b; - - // Because the hash function hashes all values in the universe uniformly to m bins with probability 1/m - // we should at least try a multiple of #bins times. 
- for ( size_t i = 1; i <= (ONE << m); i++ ) - { - // Step 1: Re-randomize hash function parameters - RandomizeAB(); - - // Step 2: Create new table - std::vector new_table(ONE << m, {0, nullptr}); - - // Step 3: Try to insert all elements into the new table with the new hash function - bool finished = true; - for ( const auto& current : intermediate ) - { - uint64_t hashed_id = Hash(current.first); - assert(hashed_id < new_table.size()); - if ( new_table[hashed_id].second == nullptr ) - { - // Free bin, insert the value - new_table[hashed_id] = current; - } - else - { - // The bin is not empty which means there is a collision - // (there are no duplicates in the intermediate representation so that can't be the case) - finished = false; - break; - } - } - - // Step 4: If the inserting finished without collisions, overwrite the previous table and exit - if ( finished ) - { - DBG_LOG(DBG_PACKET_ANALYSIS, "Took %lu rehash(es) to resolve.", i); - table = new_table; - return true; - } - } - - // Finding a collision free hash function failed. Revert the hash function parameters. - a = stored_a; - b = stored_b; - return false; - } - -} diff --git a/src/packet_analysis/dispatchers/UniversalDispatcher.h b/src/packet_analysis/dispatchers/UniversalDispatcher.h deleted file mode 100644 index f235f438fd..0000000000 --- a/src/packet_analysis/dispatchers/UniversalDispatcher.h +++ /dev/null 
@@ -1,108 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#pragma once - -#include -#include "Dispatcher.h" - -namespace zeek::packet_analysis { - -class UniversalDispatcher : public Dispatcher { -public: - UniversalDispatcher(); - ~UniversalDispatcher() override; - - bool Register(identifier_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher) override; - void Register(const register_map& data) override; - ValuePtr Lookup(identifier_t identifier) const override; - size_t Size() const override; - void Clear() override; - - void DumpDebug() const override; - size_t BucketCount(); - - // Rehashes the hash table including re-randomization of the hash function. - void Rehash(); - -private: - using pair_t = std::pair; - static const uint64_t ONE = 1u; - - // Chosen random constants for the currently selected collision free random hash function - uint64_t a = 0; // Needs to be a random odd positive value < 2^(sizeof(uint64_t) * 8) - uint64_t b = 0; // Needs to be a random non-negative value < 2^(((sizeof(uint64_t) * 8) - M) - - // Current bits that define the number of bins. Initially 2 which means there are 2^2 = 4 bins. - uint64_t m = 2; - - // Current shift value which is the number of bits that are "insignificant" because of the universe size. - uint64_t w_minus_m = 0; - - // RNG - std::random_device rd; - std::mt19937_64 generator; - std::uniform_int_distribution distribution_a; - std::uniform_int_distribution distribution_b; - -// Debug -#if DEBUG > 0 - size_t nptr_counter = 0; - size_t mismatch_counter = 0; - size_t all_counter = 0; -#endif - - std::vector table; - - void FreeValues(); - - void Rehash(const std::vector& intermediate); - - /** - * Tries to find a collision free hash function with the current number of buckets. - * - * @param intermediate The key-value set to store in the hashtable. - * @return true, iff it found a collision-free hash function. 
- */ - bool FindCollisionFreeHashFunction(const std::vector& intermediate); - - [[nodiscard]] inline uint64_t Hash(const uint64_t value) const - { - return (a * value + b) >> w_minus_m; - } - - inline void RandomizeAB() - { - do { - a = distribution_a(generator); - } while ( a % 2 == 0 ); - - b = distribution_b(generator); - } - - inline void SetBins(uint64_t new_m) - { - if ( new_m > (sizeof(uint64_t) * 8) ) - throw std::runtime_error("Number of bits for bin count too large."); - - m = new_m; - w_minus_m = sizeof(uint64_t) * 8 - m; - distribution_b = std::uniform_int_distribution(0, ((uint64_t)(1u) << w_minus_m) - (uint64_t)(1u)); - } - - inline std::vector CreateIntermediate() - { - std::vector intermediate; - for ( const auto& current : table ) - { - if ( current.second != nullptr ) - { - assert(current.second->analyzer != nullptr); - intermediate.emplace_back(current.first, current.second); - } - } - return intermediate; - } - -}; - -} diff --git a/src/packet_analysis/dispatchers/VectorDispatcher.h b/src/packet_analysis/dispatchers/VectorDispatcher.h deleted file mode 100644 index ad7bbebe41..0000000000 --- a/src/packet_analysis/dispatchers/VectorDispatcher.h +++ /dev/null 
@@ -1,41 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#pragma once - -#include -#include "Dispatcher.h" - -namespace zeek::packet_analysis { - -class VectorDispatcher : public Dispatcher { -public: - VectorDispatcher() - : table(std::vector(1, nullptr)) - { } - - ~VectorDispatcher() override; - - bool Register(identifier_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher) override; - void Register(const register_map& data) override; - - ValuePtr Lookup(identifier_t identifier) const override; - - size_t Size() const override; - void Clear() override; - -protected: - void DumpDebug() const override; - -private: - identifier_t lowest_identifier = 0; - std::vector table; - - void FreeValues(); - - inline identifier_t GetHighestIdentifier() const - { - return lowest_identifier + table.size() - 1; - } -}; - -} From c2500d03d6a06f027f7bebe6aec049e85ddd6974 Mon Sep 17 00:00:00 2001 
From: Tim Wojtulewicz Date: Thu, 16 Jul 2020 13:52:04 -0700 Subject: [PATCH 13/43] Remove packet_analysis/Defines.h - Replace uses of identifier_t with uint32_t - Replace repeated usage of tuple type for Analysis results with type alias --- src/packet_analysis/Analyzer.h | 5 ++--- src/packet_analysis/Config.cc | 6 +++--- src/packet_analysis/Config.h | 10 ++++------ src/packet_analysis/Defines.h | 11 ----------- src/packet_analysis/Dispatcher.cc | 6 +++--- src/packet_analysis/Dispatcher.h | 12 ++++++------ src/packet_analysis/Manager.cc | 4 ++-- src/packet_analysis/Manager.h | 2 +- src/packet_analysis/protocol/arp/ARP.cc | 2 +- src/packet_analysis/protocol/arp/ARP.h | 2 +- src/packet_analysis/protocol/default/Default.cc | 4 ++-- src/packet_analysis/protocol/default/Default.h | 2 +- src/packet_analysis/protocol/ethernet/Ethernet.cc | 4 ++-- src/packet_analysis/protocol/ethernet/Ethernet.h | 2 +- src/packet_analysis/protocol/fddi/FDDI.cc | 2 +- src/packet_analysis/protocol/fddi/FDDI.h | 2 +- .../protocol/ieee802_11/IEEE802_11.cc | 4 ++-- src/packet_analysis/protocol/ieee802_11/IEEE802_11.h | 2 +- .../protocol/ieee802_11_radio/IEEE802_11_Radio.cc | 2 +- .../protocol/ieee802_11_radio/IEEE802_11_Radio.h | 2 +- src/packet_analysis/protocol/ipv4/IPv4.cc | 2 +- src/packet_analysis/protocol/ipv4/IPv4.h | 2 +- src/packet_analysis/protocol/ipv6/IPv6.cc | 2 +- src/packet_analysis/protocol/ipv6/IPv6.h | 2 +- src/packet_analysis/protocol/linux_sll/LinuxSLL.cc | 4 ++-- src/packet_analysis/protocol/linux_sll/LinuxSLL.h | 2 +- src/packet_analysis/protocol/mpls/MPLS.cc | 2 +- src/packet_analysis/protocol/mpls/MPLS.h | 2 +- src/packet_analysis/protocol/nflog/NFLog.cc | 4 ++-- src/packet_analysis/protocol/nflog/NFLog.h | 2 +- src/packet_analysis/protocol/null/Null.cc | 4 ++-- src/packet_analysis/protocol/null/Null.h | 2 +- src/packet_analysis/protocol/ppp_serial/PPPSerial.cc | 4 ++-- src/packet_analysis/protocol/ppp_serial/PPPSerial.h | 2 +- src/packet_analysis/protocol/pppoe/PPPoE.cc 
| 4 ++-- src/packet_analysis/protocol/pppoe/PPPoE.h | 2 +- src/packet_analysis/protocol/vlan/VLAN.cc | 4 ++-- src/packet_analysis/protocol/vlan/VLAN.h | 2 +- src/packet_analysis/protocol/wrapper/Wrapper.cc | 4 ++-- src/packet_analysis/protocol/wrapper/Wrapper.h | 2 +- .../btest/plugins/packet-protocol-plugin/src/Bar.cc | 4 ++-- .../btest/plugins/packet-protocol-plugin/src/Bar.h | 2 +- 42 files changed, 66 insertions(+), 80 deletions(-) delete mode 100644 src/packet_analysis/Defines.h diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h index e8d431cfca..fd1321bfbb 100644 --- a/src/packet_analysis/Analyzer.h +++ b/src/packet_analysis/Analyzer.h @@ -1,7 +1,6 @@ // See the file "COPYING" in the main distribution directory for copyright. #pragma once -#include "Defines.h" #include "Manager.h" #include "Tag.h" #include @@ -17,7 +16,7 @@ enum class AnalyzerResult { Terminate // Analysis succeeded and there is no further analysis to do }; -using AnalysisResultTuple = std::tuple; +using AnalysisResultTuple = std::tuple; class Analyzer { public: @@ -75,7 +74,7 @@ public: * how to proceed. If analysis can continue, the identifier determines the * encapsulated protocol. */ - virtual std::tuple Analyze(Packet* packet) = 0; + virtual AnalysisResultTuple Analyze(Packet* packet) = 0; protected: friend class Manager; diff --git a/src/packet_analysis/Config.cc b/src/packet_analysis/Config.cc index 4fd644b35d..236d8797d5 100644 --- a/src/packet_analysis/Config.cc +++ b/src/packet_analysis/Config.cc @@ -14,12 +14,12 @@ const std::string& DispatcherConfig::GetName() const return name; } -const std::map& DispatcherConfig::GetMappings() const +const std::map& DispatcherConfig::GetMappings() const { return mappings; } -void DispatcherConfig::AddMapping(identifier_t identifier, +void DispatcherConfig::AddMapping(uint32_t identifier, const std::string& analyzer_name) { DBG_LOG(DBG_PACKET_ANALYSIS, "Adding configuration mapping: %s -> %#x -> %s", 
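Review bot: In the Config.cc hunk `@@ -14,12 +14,12 @@`, `AddMapping` now takes a `uint32_t identifier` while the trailing `DBG_LOG` context line formats it (presumably — its arguments lie outside the hunk) with `%#x`, which relies on `unsigned int` being exactly 32 bits. The series already uses `<cinttypes>` macros elsewhere (`PRIu64` in the deleted UniversalDispatcher), so `"%s -> %#" PRIx32 " -> %s"` would make the specifier match the declared type exactly. Minor, but this is the hunk that spells the type out.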
@@ -71,7 +71,7 @@ DispatcherConfig& Config::AddDispatcherConfig(const std::string& name) return dispatchers.emplace_back(name); } -void Config::AddMapping(const std::string& name, identifier_t identifier, +void Config::AddMapping(const std::string& name, uint32_t identifier, const std::string& analyzer_name) { // Create dispatcher config if it does not exist yet diff --git a/src/packet_analysis/Config.h b/src/packet_analysis/Config.h index f99526d311..9a89626925 100644 --- a/src/packet_analysis/Config.h +++ b/src/packet_analysis/Config.h @@ -8,8 +8,6 @@ #include #include -#include "Defines.h" - namespace zeek::packet_analysis { class DispatcherConfig { @@ -17,16 +15,16 @@ public: explicit DispatcherConfig(const std::string name) : name(std::move(name)) { } const std::string& GetName() const; - const std::map& GetMappings() const; + const std::map& GetMappings() const; - void AddMapping(identifier_t identifier, const std::string& analyzer_name); + void AddMapping(uint32_t identifier, const std::string& analyzer_name); bool operator==(const DispatcherConfig& rhs) const; bool operator!=(const DispatcherConfig& rhs) const; private: const std::string name; - std::map mappings; + std::map mappings; }; class Config { @@ -35,7 +33,7 @@ public: const std::vector& GetDispatchers() const; std::optional> GetDispatcherConfig(const std::string& name); DispatcherConfig& AddDispatcherConfig(const std::string& name); - void AddMapping(const std::string& name, identifier_t identifier, const std::string& analyzer_name); + void AddMapping(const std::string& name, uint32_t identifier, const std::string& analyzer_name); private: std::vector dispatchers; diff --git a/src/packet_analysis/Defines.h b/src/packet_analysis/Defines.h deleted file mode 100644 index 3479b5b392..0000000000 --- a/src/packet_analysis/Defines.h +++ /dev/null 
@@ -1,11 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#pragma once - -#include - -namespace zeek::packet_analysis { - - using identifier_t = uint32_t; - -} diff --git a/src/packet_analysis/Dispatcher.cc b/src/packet_analysis/Dispatcher.cc index 7662c42b88..9ca3ae1c67 100644 --- a/src/packet_analysis/Dispatcher.cc +++ b/src/packet_analysis/Dispatcher.cc @@ -11,7 +11,7 @@ Dispatcher::~Dispatcher() FreeValues(); } -bool Dispatcher::Register(identifier_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher) +bool Dispatcher::Register(uint32_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher) { // If the table has size 1 and the entry is nullptr, there was nothing added yet. Just add it. if ( table.size() == 1 && table[0] == nullptr ) @@ -29,7 +29,7 @@ bool Dispatcher::Register(identifier_t identifier, AnalyzerPtr analyzer, Dispatc else if ( identifier < lowest_identifier ) { // Lower than the lowest registered identifier. Shift up by lowerBound - identifier - identifier_t distance = lowest_identifier - identifier; + uint32_t distance = lowest_identifier - identifier; table.resize(table.size() + distance, nullptr); // Shift values @@ -77,7 +77,7 @@ void Dispatcher::Register(const register_map& data) } } -ValuePtr Dispatcher::Lookup(identifier_t identifier) const +ValuePtr Dispatcher::Lookup(uint32_t identifier) const { int64_t index = identifier - lowest_identifier; if ( index >= 0 && index < static_cast(table.size()) && table[index] != nullptr ) diff --git a/src/packet_analysis/Dispatcher.h b/src/packet_analysis/Dispatcher.h index eb4b0c8c36..18da74923c 100644 --- a/src/packet_analysis/Dispatcher.h +++ b/src/packet_analysis/Dispatcher.h 
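Review bot: In the `@@ -29,7 +29,7 @@` hunk, `table.resize(table.size() + distance, nullptr)` grows the table by the whole gap between the new identifier and `lowest_identifier`, so the dispatcher's memory is proportional to the identifier range rather than to the number of mappings; two widely separated 32-bit identifiers in one dispatcher would attempt to allocate billions of `ValuePtr` slots. The identifiers come from the packet-analysis configuration rather than from packet contents, so this is a robustness rather than an exposure concern, but a comment stating the density assumption, e.g. `// Table is dense over [lowest_identifier, highest]; keep identifier ranges per dispatcher small`, or a bound on `distance` reported as a configuration error, would make it visible. `Register`'s body continues outside the hunk.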
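Review bot: In the `@@ -77,7 +77,7 @@` hunk, `int64_t index = identifier - lowest_identifier;` subtracts two `uint32_t` values, so the difference wraps modulo 2^32 before it is widened and the `index >= 0` guard on the next line can never be false; an identifier below `lowest_identifier` is rejected only because the wrapped value exceeds `table.size()`. `int64_t index = static_cast<int64_t>(identifier) - static_cast<int64_t>(lowest_identifier);` makes the guard meaningful and the intent explicit. This was already the case when the parameter was `identifier_t` (an alias for `uint32_t` per the deleted Defines.h), but spelling the type out here is the moment to fix it.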
@@ -11,8 +11,8 @@ namespace zeek::packet_analysis { class Dispatcher; // Forward decl for Value using DispatcherPtr = std::shared_ptr; -using register_pair = std::pair>; -using register_map = std::map>; +using register_pair = std::pair>; +using register_map = std::map>; class Value { public: @@ -35,22 +35,22 @@ public: ~Dispatcher(); - bool Register(identifier_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher); + bool Register(uint32_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher); void Register(const register_map& data); - ValuePtr Lookup(identifier_t identifier) const; + ValuePtr Lookup(uint32_t identifier) const; size_t Size() const; void Clear(); void DumpDebug() const; private: - identifier_t lowest_identifier = 0; + uint32_t lowest_identifier = 0; std::vector table; void FreeValues(); - inline identifier_t GetHighestIdentifier() const + inline uint32_t GetHighestIdentifier() const { return lowest_identifier + table.size() - 1; } diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc index b9e17ac916..1e3a405ee8 100644 --- a/src/packet_analysis/Manager.cc +++ b/src/packet_analysis/Manager.cc @@ -149,7 +149,7 @@ void Manager::ProcessPacket(Packet* packet) // Dispatch and analyze layers AnalyzerResult result = AnalyzerResult::Continue; - identifier_t next_layer_id = packet->link_type; + uint32_t next_layer_id = packet->link_type; do { auto current_analyzer = Dispatch(next_layer_id); @@ -224,7 +224,7 @@ void Manager::CustomEncapsulationSkip(Packet* packet) } } -AnalyzerPtr Manager::Dispatch(identifier_t identifier) +AnalyzerPtr Manager::Dispatch(uint32_t identifier) { // Because leaf nodes (aka no more dispatching) can still have an existing analyzer that returns more identifiers, // current_state needs to be checked to be not null. In this case there would have been an analyzer dispatched diff --git a/src/packet_analysis/Manager.h b/src/packet_analysis/Manager.h index 34c61ceafd..cffc9cc0ce 100644 
--- a/src/packet_analysis/Manager.h +++ b/src/packet_analysis/Manager.h @@ -97,7 +97,7 @@ private: */ void CustomEncapsulationSkip(Packet* packet); - AnalyzerPtr Dispatch(identifier_t identifier); + AnalyzerPtr Dispatch(uint32_t identifier); DispatcherPtr GetDispatcher(Config& configuration, const std::string& dispatcher_name); diff --git a/src/packet_analysis/protocol/arp/ARP.cc b/src/packet_analysis/protocol/arp/ARP.cc index 204e9b54c4..bcc860deb5 100644 --- a/src/packet_analysis/protocol/arp/ARP.cc +++ b/src/packet_analysis/protocol/arp/ARP.cc @@ -9,7 +9,7 @@ ARPAnalyzer::ARPAnalyzer() { } -std::tuple ARPAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple ARPAnalyzer::Analyze(Packet* packet) { // TODO: Make ARP analyzer a native packet analyzer packet->l3_proto = L3_ARP; diff --git a/src/packet_analysis/protocol/arp/ARP.h b/src/packet_analysis/protocol/arp/ARP.h index 2e93b8231f..89c8f55db0 100644 --- a/src/packet_analysis/protocol/arp/ARP.h +++ b/src/packet_analysis/protocol/arp/ARP.h @@ -12,7 +12,7 @@ public: ARPAnalyzer(); ~ARPAnalyzer() override = default; - std::tuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/default/Default.cc b/src/packet_analysis/protocol/default/Default.cc index d3e3901c1b..56f49df949 100644 --- a/src/packet_analysis/protocol/default/Default.cc +++ b/src/packet_analysis/protocol/default/Default.cc @@ -10,7 +10,7 @@ DefaultAnalyzer::DefaultAnalyzer() { } -std::tuple DefaultAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple DefaultAnalyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; @@ -22,7 +22,7 @@ std::tupleip_v; + uint32_t protocol = ip->ip_v; return { AnalyzerResult::Continue, protocol }; } 
diff --git a/src/packet_analysis/protocol/default/Default.h b/src/packet_analysis/protocol/default/Default.h index a61b2cce53..86eb7e1445 100644 --- a/src/packet_analysis/protocol/default/Default.h +++ b/src/packet_analysis/protocol/default/Default.h @@ -12,7 +12,7 @@ public: DefaultAnalyzer(); ~DefaultAnalyzer() override = default; - std::tuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.cc b/src/packet_analysis/protocol/ethernet/Ethernet.cc index 9db434d82c..9633596d84 100644 --- a/src/packet_analysis/protocol/ethernet/Ethernet.cc +++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc @@ -10,7 +10,7 @@ EthernetAnalyzer::EthernetAnalyzer() { } -std::tuple EthernetAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple EthernetAnalyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); @@ -38,7 +38,7 @@ std::tupleeth_type = protocol; packet->l2_dst = pdata; diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.h b/src/packet_analysis/protocol/ethernet/Ethernet.h index e64b131afb..aa4707df1b 100644 --- a/src/packet_analysis/protocol/ethernet/Ethernet.h +++ b/src/packet_analysis/protocol/ethernet/Ethernet.h @@ -12,7 +12,7 @@ public: EthernetAnalyzer(); ~EthernetAnalyzer() override = default; - std::tuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/fddi/FDDI.cc b/src/packet_analysis/protocol/fddi/FDDI.cc index 3a7b2c5d11..763e25c1e0 100644 --- a/src/packet_analysis/protocol/fddi/FDDI.cc +++ b/src/packet_analysis/protocol/fddi/FDDI.cc 
@@ -10,7 +10,7 @@ FDDIAnalyzer::FDDIAnalyzer() { } -std::tuple FDDIAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple FDDIAnalyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; auto hdr_size = 13 + 8; // FDDI header + LLC diff --git a/src/packet_analysis/protocol/fddi/FDDI.h b/src/packet_analysis/protocol/fddi/FDDI.h index 52bcd94598..4e092eccb4 100644 --- a/src/packet_analysis/protocol/fddi/FDDI.h +++ b/src/packet_analysis/protocol/fddi/FDDI.h @@ -12,7 +12,7 @@ public: FDDIAnalyzer(); ~FDDIAnalyzer() override = default; - std::tuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc index 500d1fe592..ee4b090efc 100644 --- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc @@ -10,7 +10,7 @@ IEEE802_11Analyzer::IEEE802_11Analyzer() { } -std::tuple IEEE802_11Analyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); @@ -106,7 +106,7 @@ std::tuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc index b5025ce372..ec34f39d04 100644 --- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc +++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc 
@@ -12,7 +12,7 @@ IEEE802_11_RadioAnalyzer::IEEE802_11_RadioAnalyzer() { } -std::tuple IEEE802_11_RadioAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple IEEE802_11_RadioAnalyzer::Analyze(Packet* packet) { auto pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); diff --git a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h index f9fe41f2dd..ef1cf1fb39 100644 --- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h +++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h @@ -12,7 +12,7 @@ public: IEEE802_11_RadioAnalyzer(); ~IEEE802_11_RadioAnalyzer() override = default; - std::tuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ipv4/IPv4.cc b/src/packet_analysis/protocol/ipv4/IPv4.cc index 6c04a93e59..8cfd51b7f9 100644 --- a/src/packet_analysis/protocol/ipv4/IPv4.cc +++ b/src/packet_analysis/protocol/ipv4/IPv4.cc @@ -9,7 +9,7 @@ IPv4Analyzer::IPv4Analyzer() { } -std::tuple IPv4Analyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple IPv4Analyzer::Analyze(Packet* packet) { packet->l3_proto = L3_IPV4; diff --git a/src/packet_analysis/protocol/ipv4/IPv4.h b/src/packet_analysis/protocol/ipv4/IPv4.h index 7750fa9033..1ee5b5098b 100644 --- a/src/packet_analysis/protocol/ipv4/IPv4.h +++ b/src/packet_analysis/protocol/ipv4/IPv4.h @@ -12,7 +12,7 @@ public: IPv4Analyzer(); ~IPv4Analyzer() override = default; - std::tuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ipv6/IPv6.cc b/src/packet_analysis/protocol/ipv6/IPv6.cc index e7712d60e3..2d724d9188 100644 --- a/src/packet_analysis/protocol/ipv6/IPv6.cc 
+++ b/src/packet_analysis/protocol/ipv6/IPv6.cc @@ -9,7 +9,7 @@ IPv6Analyzer::IPv6Analyzer() { } -std::tuple IPv6Analyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple IPv6Analyzer::Analyze(Packet* packet) { packet->l3_proto = L3_IPV6; diff --git a/src/packet_analysis/protocol/ipv6/IPv6.h b/src/packet_analysis/protocol/ipv6/IPv6.h index ae425ffec4..db9416697a 100644 --- a/src/packet_analysis/protocol/ipv6/IPv6.h +++ b/src/packet_analysis/protocol/ipv6/IPv6.h @@ -12,7 +12,7 @@ public: IPv6Analyzer(); ~IPv6Analyzer() override = default; - std::tuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet) override; static AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc index f324f368f0..5a1f0fb29b 100644 --- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc +++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc @@ -9,7 +9,7 @@ LinuxSLLAnalyzer::LinuxSLLAnalyzer() { } -std::tuple LinuxSLLAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple LinuxSLLAnalyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; @@ -22,7 +22,7 @@ std::tupleprotocol_type); + uint32_t protocol = ntohs(hdr->protocol_type); packet->l2_src = (u_char*) &(hdr->addr); // SLL doesn't include a destination address in the header, but not setting l2_dst to something diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.h b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h index 09990eba2b..04cd170318 100644 --- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.h +++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h @@ -12,7 +12,7 @@ public: LinuxSLLAnalyzer(); ~LinuxSLLAnalyzer() override = default; - std::tuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { 
diff --git a/src/packet_analysis/protocol/mpls/MPLS.cc b/src/packet_analysis/protocol/mpls/MPLS.cc index b655ada837..1b22403919 100644 --- a/src/packet_analysis/protocol/mpls/MPLS.cc +++ b/src/packet_analysis/protocol/mpls/MPLS.cc @@ -9,7 +9,7 @@ MPLSAnalyzer::MPLSAnalyzer() { } -std::tuple MPLSAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); diff --git a/src/packet_analysis/protocol/mpls/MPLS.h b/src/packet_analysis/protocol/mpls/MPLS.h index 694e551f31..3c13e5d878 100644 --- a/src/packet_analysis/protocol/mpls/MPLS.h +++ b/src/packet_analysis/protocol/mpls/MPLS.h @@ -12,7 +12,7 @@ public: MPLSAnalyzer(); ~MPLSAnalyzer() override = default; - std::tuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/nflog/NFLog.cc b/src/packet_analysis/protocol/nflog/NFLog.cc index 38bb08d5db..0167a792fa 100644 --- a/src/packet_analysis/protocol/nflog/NFLog.cc +++ b/src/packet_analysis/protocol/nflog/NFLog.cc @@ -10,12 +10,12 @@ NFLogAnalyzer::NFLogAnalyzer() { } -std::tuple NFLogAnalyzer::Analyze(Packet* packet) { +zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); // See https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html - identifier_t protocol = pdata[0]; + uint32_t protocol = pdata[0]; uint8_t version = pdata[1]; if ( version != 0 ) diff --git a/src/packet_analysis/protocol/nflog/NFLog.h b/src/packet_analysis/protocol/nflog/NFLog.h index 01ecf0233f..e5212c6788 100644 --- a/src/packet_analysis/protocol/nflog/NFLog.h +++ b/src/packet_analysis/protocol/nflog/NFLog.h 
@@ -12,7 +12,7 @@ public: NFLogAnalyzer(); ~NFLogAnalyzer() override = default; - std::tuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet) override; static AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/null/Null.cc b/src/packet_analysis/protocol/null/Null.cc index 6a0158a508..923f5c4ba9 100644 --- a/src/packet_analysis/protocol/null/Null.cc +++ b/src/packet_analysis/protocol/null/Null.cc @@ -10,7 +10,7 @@ NullAnalyzer::NullAnalyzer() { } -std::tuple NullAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple NullAnalyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; @@ -20,7 +20,7 @@ std::tuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc index b4019a74a4..fc79156bd6 100644 --- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc +++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc @@ -10,12 +10,12 @@ PPPSerialAnalyzer::PPPSerialAnalyzer() { } -std::tuple PPPSerialAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple PPPSerialAnalyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; // Extract protocol identifier - identifier_t protocol = (pdata[2] << 8) + pdata[3]; + uint32_t protocol = (pdata[2] << 8) + pdata[3]; pdata += 4; // skip link header return { AnalyzerResult::Continue, protocol }; diff --git a/src/packet_analysis/protocol/ppp_serial/PPPSerial.h b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h index 3985e85bbf..02201c97fd 100644 --- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.h +++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h 
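Review bot: `PPPSerialAnalyzer::Analyze` reads `pdata[2]` and `pdata[3]` and then advances by four bytes without checking that those bytes lie inside the captured data, unlike the Ethernet, FDDI and Default analyzers elsewhere in this series, which compare against `packet->GetEndOfData()` before touching their header. A truncated capture therefore reads past the end of the packet buffer. Add the check before the extraction, following the pattern of the other analyzers: `if ( pdata + 4 > packet->GetEndOfData() ) { packet->Weird("packet_analyzer_truncated_header"); return { AnalyzerResult::Failed, 0 }; }`.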
@@ -12,7 +12,7 @@ public: PPPSerialAnalyzer(); ~PPPSerialAnalyzer() override = default; - std::tuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/pppoe/PPPoE.cc b/src/packet_analysis/protocol/pppoe/PPPoE.cc index 282e341cde..5e2d2db6f1 100644 --- a/src/packet_analysis/protocol/pppoe/PPPoE.cc +++ b/src/packet_analysis/protocol/pppoe/PPPoE.cc @@ -10,7 +10,7 @@ PPPoEAnalyzer::PPPoEAnalyzer() { } -std::tuple PPPoEAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple PPPoEAnalyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; @@ -21,7 +21,7 @@ std::tuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/vlan/VLAN.cc b/src/packet_analysis/protocol/vlan/VLAN.cc index 24f23b14b1..be3788f3fe 100644 --- a/src/packet_analysis/protocol/vlan/VLAN.cc +++ b/src/packet_analysis/protocol/vlan/VLAN.cc @@ -10,7 +10,7 @@ VLANAnalyzer::VLANAnalyzer() { } -std::tuple VLANAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple VLANAnalyzer::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; @@ -23,7 +23,7 @@ std::tuplevlan != 0 ? packet->inner_vlan : packet->vlan; vlan_ref = ((pdata[0] << 8u) + pdata[1]) & 0xfff; - identifier_t protocol = ((pdata[2] << 8u) + pdata[3]); + uint32_t protocol = ((pdata[2] << 8u) + pdata[3]); packet->eth_type = protocol; pdata += 4; // Skip the VLAN header diff --git a/src/packet_analysis/protocol/vlan/VLAN.h b/src/packet_analysis/protocol/vlan/VLAN.h index d80af10ccb..40868e5adf 100644 --- a/src/packet_analysis/protocol/vlan/VLAN.h +++ b/src/packet_analysis/protocol/vlan/VLAN.h 
@@ -12,7 +12,7 @@ public: VLANAnalyzer(); ~VLANAnalyzer() override = default; - std::tuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/wrapper/Wrapper.cc b/src/packet_analysis/protocol/wrapper/Wrapper.cc index 4a92504e5a..8d91dd5ed8 100644 --- a/src/packet_analysis/protocol/wrapper/Wrapper.cc +++ b/src/packet_analysis/protocol/wrapper/Wrapper.cc @@ -10,7 +10,7 @@ WrapperAnalyzer::WrapperAnalyzer() { } -std::tuple WrapperAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* packet) { // Unfortunately some packets on the link might have MPLS labels // while others don't. That means we need to ask the link-layer if @@ -35,7 +35,7 @@ std::tupleeth_type = protocol; packet->l2_dst = pdata; diff --git a/src/packet_analysis/protocol/wrapper/Wrapper.h b/src/packet_analysis/protocol/wrapper/Wrapper.h index 6151cb4a39..2fd8abbea0 100644 --- a/src/packet_analysis/protocol/wrapper/Wrapper.h +++ b/src/packet_analysis/protocol/wrapper/Wrapper.h @@ -12,7 +12,7 @@ public: WrapperAnalyzer(); ~WrapperAnalyzer() override = default; - std::tuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc b/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc index 14308d2339..fdf313d518 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc +++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc @@ -10,7 +10,7 @@ Bar::Bar() { } -std::tuple Bar::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple Bar::Analyze(Packet* packet) { auto& pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); 
@@ -31,5 +31,5 @@ std::tupleCount(ssap), val_mgr->Count(control)); - return std::make_tuple(AnalyzerResult::Terminate, 0); + return { AnalyzerResult::Terminate, 0 }; } diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h index 2473388ea4..a125b1c8c2 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h +++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h @@ -10,7 +10,7 @@ public: Bar(); ~Bar() override = default; - std::tuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet) override; static AnalyzerPtr Instantiate() { From 96d0e11bb8867e5c20da64d0aaa1a421ef1d9949 Mon Sep 17 00:00:00 2001 
From: Jan Grashoefer Date: Fri, 17 Jul 2020 18:25:22 +0200 Subject: [PATCH 14/43] Move cur_pos from packet into packet manager loop. --- src/iosource/Packet.cc | 5 --- src/iosource/Packet.h | 5 +-- src/packet_analysis/Analyzer.h | 11 ++--- src/packet_analysis/Manager.cc | 18 ++++---- src/packet_analysis/Manager.h | 4 +- src/packet_analysis/protocol/arp/ARP.cc | 2 +- src/packet_analysis/protocol/arp/ARP.h | 2 +- .../protocol/default/Default.cc | 8 ++-- .../protocol/default/Default.h | 2 +- .../protocol/ethernet/Ethernet.cc | 25 +++++------ .../protocol/ethernet/Ethernet.h | 2 +- src/packet_analysis/protocol/fddi/FDDI.cc | 7 ++- src/packet_analysis/protocol/fddi/FDDI.h | 2 +- .../protocol/ieee802_11/IEEE802_11.cc | 45 +++++++++---------- .../protocol/ieee802_11/IEEE802_11.h | 2 +- .../ieee802_11_radio/IEEE802_11_Radio.cc | 11 +++-- .../ieee802_11_radio/IEEE802_11_Radio.h | 2 +- src/packet_analysis/protocol/ipv4/IPv4.cc | 2 +- src/packet_analysis/protocol/ipv4/IPv4.h | 2 +- src/packet_analysis/protocol/ipv6/IPv6.cc | 2 +- src/packet_analysis/protocol/ipv6/IPv6.h | 2 +- .../protocol/linux_sll/LinuxSLL.cc | 10 ++--- .../protocol/linux_sll/LinuxSLL.h | 2 +- src/packet_analysis/protocol/mpls/MPLS.cc | 15 +++---- src/packet_analysis/protocol/mpls/MPLS.h | 2 +- src/packet_analysis/protocol/nflog/NFLog.cc | 19 ++++---- src/packet_analysis/protocol/nflog/NFLog.h | 2 +- src/packet_analysis/protocol/null/Null.cc | 10 ++--- src/packet_analysis/protocol/null/Null.h | 2 +- .../protocol/ppp_serial/PPPSerial.cc | 8 ++-- .../protocol/ppp_serial/PPPSerial.h | 2 +- src/packet_analysis/protocol/pppoe/PPPoE.cc | 10 ++--- src/packet_analysis/protocol/pppoe/PPPoE.h | 2 +- src/packet_analysis/protocol/vlan/VLAN.cc | 12 +++-- src/packet_analysis/protocol/vlan/VLAN.h | 2 +- .../protocol/wrapper/Wrapper.cc | 43 +++++++++--------- .../protocol/wrapper/Wrapper.h | 2 +- .../plugins/packet-protocol-plugin/src/Bar.cc | 11 +++-- .../plugins/packet-protocol-plugin/src/Bar.h | 2 +- 39 files changed, 
148 insertions(+), 169 deletions(-) diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index e2c9ca01b6..15617ee7f2 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -59,17 +59,12 @@ void Packet::Init(int arg_link_type, pkt_timeval *arg_ts, uint32_t arg_caplen, l3_proto = L3_UNKNOWN; l3_checksummed = false; - // For packet analyzer: cur_pos points to the next payload. - cur_pos = data; - if ( data ) { // From here we assume that layer 2 is valid. If a packet analyzer encounters // an issue, it will call Packet::Weird(), which sets l2_valid to false. l2_valid = true; packet_mgr->ProcessPacket(this); - // Calculate header size after processing lower layers. - hdr_size = cur_pos - data; } } diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h index 648db8270a..d99979010d 100644 --- a/src/iosource/Packet.h +++ b/src/iosource/Packet.h @@ -159,8 +159,8 @@ public: /** * Empty layer 2 address to be used as default value. For example, the - * LinuxSLL llanalyzer doesn't have a destination address in the header - * and thus sets it to this default address. + * LinuxSLL packet analyzer doesn't have a destination address in the + * header and thus sets it to this default address. */ static constexpr const u_char L2_EMPTY_ADDR[L2_ADDR_LEN] = { 0 }; @@ -172,7 +172,6 @@ public: uint32_t len; /// Actual length on wire uint32_t cap_len; /// Captured packet length uint32_t link_type; /// pcap link_type (DLT_EN10MB, DLT_RAW, etc) - const uint8_t* cur_pos; /// Pointer to the current start of unanalyzed payload data in the raw packet, used by llanalyzers // These are computed from Layer 2 data. These fields are only valid if // Layer2Valid() returns true. diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h index fd1321bfbb..e6b974aefc 100644 --- a/src/packet_analysis/Analyzer.h +++ b/src/packet_analysis/Analyzer.h 
@@ -63,18 +63,19 @@ public: bool IsAnalyzer(const char* name); /** - * Analyzes the given packet. The analysis is supposed to start at cur_pos - * of the packet, which points to the so far unanalyzed part of the packet. - * If the analyzed protocol encapsulates another protocol, the packet's - * cur_pos should be updated to point to that payload. + * Analyzes the given packet. The data reference points to the part of the + * raw packet to be analyzed. If the analyzed protocol encapsulates another + * protocol, the data reference should be updated to point to that payload. * * @param packet The packet to analyze. * + * @param data Reference to the payload pointer into the raw packet. + * * @return A tuple of analysis result and identifier. The result indicates * how to proceed. If analysis can continue, the identifier determines the * encapsulated protocol. */ - virtual AnalysisResultTuple Analyze(Packet* packet) = 0; + virtual AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) = 0; protected: friend class Manager; diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc index 1e3a405ee8..a535b93b8d 100644 --- a/src/packet_analysis/Manager.cc +++ b/src/packet_analysis/Manager.cc @@ -150,6 +150,7 @@ void Manager::ProcessPacket(Packet* packet) // Dispatch and analyze layers AnalyzerResult result = AnalyzerResult::Continue; uint32_t next_layer_id = packet->link_type; + const uint8_t* data = packet->data; do { auto current_analyzer = Dispatch(next_layer_id); @@ -163,7 +164,7 @@ void Manager::ProcessPacket(Packet* packet) } // Analyze this layer and get identifier of next layer protocol - std::tie(result, next_layer_id) = current_analyzer->Analyze(packet); + std::tie(result, next_layer_id) = current_analyzer->Analyze(packet, data); #ifdef DEBUG switch ( result ) 
@@ -183,28 +184,29 @@ void Manager::ProcessPacket(Packet* packet) } while ( result == AnalyzerResult::Continue ); if ( result == AnalyzerResult::Terminate ) - CustomEncapsulationSkip(packet); + CustomEncapsulationSkip(packet, data); // Processing finished, reset analyzer set state for next packet current_state = root_dispatcher; + + // Calculate header size after processing packet layers. + packet->hdr_size = data - packet->data; } -void Manager::CustomEncapsulationSkip(Packet* packet) +void Manager::CustomEncapsulationSkip(Packet* packet, const uint8_t* data) { if ( zeek::detail::encap_hdr_size > 0 ) { - auto pdata = packet->cur_pos; - // Blanket encapsulation. We assume that what remains is IP. - if ( pdata + zeek::detail::encap_hdr_size + sizeof(struct ip) >= packet->GetEndOfData() ) + if ( data + zeek::detail::encap_hdr_size + sizeof(struct ip) >= packet->GetEndOfData() ) { packet->Weird("no_ip_left_after_encap"); return; } - pdata += zeek::detail::encap_hdr_size; + data += zeek::detail::encap_hdr_size; - auto ip = (const struct ip*)pdata; + auto ip = (const struct ip*)data; switch ( ip->ip_v ) { diff --git a/src/packet_analysis/Manager.h b/src/packet_analysis/Manager.h index cffc9cc0ce..f576952228 100644 --- a/src/packet_analysis/Manager.h +++ b/src/packet_analysis/Manager.h @@ -94,8 +94,10 @@ private: * It is assumed that an IP header follows. * * @param packet The packet to adapt. + * + * @param data Pointer to remaining payload. */ - void CustomEncapsulationSkip(Packet* packet); + void CustomEncapsulationSkip(Packet* packet, const uint8_t* data); AnalyzerPtr Dispatch(uint32_t identifier); diff --git a/src/packet_analysis/protocol/arp/ARP.cc b/src/packet_analysis/protocol/arp/ARP.cc index bcc860deb5..eec4f72860 100644 --- a/src/packet_analysis/protocol/arp/ARP.cc +++ b/src/packet_analysis/protocol/arp/ARP.cc 
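Review bot: `CustomEncapsulationSkip` now takes `data` by value, so the `data += zeek::detail::encap_hdr_size;` advance is local to the function and the `packet->hdr_size = data - packet->data;` computed afterwards in `ProcessPacket` does not include the skipped encapsulation; the previous code had the same effect through its local `pdata` copy, so this is not a regression, but the asymmetry with `Analyze(Packet*, const uint8_t*&)` is easy to misread. If the skipped bytes are meant to count toward the header size, change the signature to `void Manager::CustomEncapsulationSkip(Packet* packet, const uint8_t*& data)` together with its declaration in Manager.h; otherwise a one-line comment on the parameter stating that the advance is intentionally local would settle it. CustomEncapsulationSkip's body continues outside the hunk.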
@@ -9,7 +9,7 @@ ARPAnalyzer::ARPAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple ARPAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple ARPAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { // TODO: Make ARP analyzer a native packet analyzer packet->l3_proto = L3_ARP; diff --git a/src/packet_analysis/protocol/arp/ARP.h b/src/packet_analysis/protocol/arp/ARP.h index 89c8f55db0..9bd1c8a009 100644 --- a/src/packet_analysis/protocol/arp/ARP.h +++ b/src/packet_analysis/protocol/arp/ARP.h @@ -12,7 +12,7 @@ public: ARPAnalyzer(); ~ARPAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/default/Default.cc b/src/packet_analysis/protocol/default/Default.cc index 56f49df949..6d53fd3669 100644 --- a/src/packet_analysis/protocol/default/Default.cc +++ b/src/packet_analysis/protocol/default/Default.cc @@ -10,18 +10,16 @@ DefaultAnalyzer::DefaultAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple DefaultAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple DefaultAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; - // Assume we're pointing at IP. Just figure out which version. - if ( pdata + sizeof(struct ip) >= packet->GetEndOfData() ) + if ( data + sizeof(struct ip) >= packet->GetEndOfData() ) { packet->Weird("packet_analyzer_truncated_header"); return { AnalyzerResult::Failed, 0 }; } - auto ip = (const struct ip *)pdata; + auto ip = (const struct ip *)data; uint32_t protocol = ip->ip_v; return { AnalyzerResult::Continue, protocol }; diff --git a/src/packet_analysis/protocol/default/Default.h b/src/packet_analysis/protocol/default/Default.h index 86eb7e1445..43a8d48f89 100644 --- a/src/packet_analysis/protocol/default/Default.h 
+++ b/src/packet_analysis/protocol/default/Default.h @@ -12,7 +12,7 @@ public: DefaultAnalyzer(); ~DefaultAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.cc b/src/packet_analysis/protocol/ethernet/Ethernet.cc index 9633596d84..198d2912ee 100644 --- a/src/packet_analysis/protocol/ethernet/Ethernet.cc +++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc 
@@ -10,51 +10,50 @@ EthernetAnalyzer::EthernetAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple EthernetAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple EthernetAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); // Make sure that we actually got an entire ethernet header before trying // to pull bytes out of it. - if ( pdata + 16 >= end_of_data ) + if ( data + 16 >= end_of_data ) { packet->Weird("truncated_ethernet_frame"); return { AnalyzerResult::Failed, 0 }; } // Skip past Cisco FabricPath to encapsulated ethernet frame. - if ( pdata[12] == 0x89 && pdata[13] == 0x03 ) + if ( data[12] == 0x89 && data[13] == 0x03 ) { auto constexpr cfplen = 16; - if ( pdata + cfplen + 14 >= end_of_data ) + if ( data + cfplen + 14 >= end_of_data ) { packet->Weird("truncated_link_header_cfp"); return { AnalyzerResult::Failed, 0 }; } - pdata += cfplen; + data += cfplen; } // Get protocol being carried from the ethernet frame. - uint32_t protocol = (pdata[12] << 8) + pdata[13]; + uint32_t protocol = (data[12] << 8) + data[13]; packet->eth_type = protocol; - packet->l2_dst = pdata; - packet->l2_src = pdata + 6; + packet->l2_dst = data; + packet->l2_src = data + 6; // Ethernet II frames if ( protocol >= 1536 ) { - pdata += 14; + data += 14; return { AnalyzerResult::Continue, protocol }; } // Other ethernet frame types if ( protocol <= 1500 ) { - if ( pdata + 16 >= end_of_data ) + if ( data + 16 >= end_of_data ) { packet->Weird("truncated_ethernet_frame"); return { AnalyzerResult::Failed, 0 }; 
@@ -65,11 +64,11 @@ zeek::packet_analysis::AnalysisResultTuple EthernetAnalyzer::Analyze(Packet* pac // Note that pdata remains at the start of the ethernet frame. // IEEE 802.2 SNAP - if ( pdata[14] == 0xAA && pdata[15] == 0xAA) + if ( data[14] == 0xAA && data[15] == 0xAA) return { AnalyzerResult::Continue, 1502 }; // Novell raw IEEE 802.3 - if ( pdata[14] == 0xFF && pdata[15] == 0xFF) + if ( data[14] == 0xFF && data[15] == 0xFF) return { AnalyzerResult::Continue, 1503 }; diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.h b/src/packet_analysis/protocol/ethernet/Ethernet.h index aa4707df1b..d6779ede58 100644 --- a/src/packet_analysis/protocol/ethernet/Ethernet.h +++ b/src/packet_analysis/protocol/ethernet/Ethernet.h @@ -12,7 +12,7 @@ public: EthernetAnalyzer(); ~EthernetAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/fddi/FDDI.cc b/src/packet_analysis/protocol/fddi/FDDI.cc index 763e25c1e0..8cf503f85a 100644 --- a/src/packet_analysis/protocol/fddi/FDDI.cc +++ b/src/packet_analysis/protocol/fddi/FDDI.cc @@ -10,18 +10,17 @@ FDDIAnalyzer::FDDIAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple FDDIAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple FDDIAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; auto hdr_size = 13 + 8; // FDDI header + LLC - if ( pdata + hdr_size >= packet->GetEndOfData() ) + if ( data + hdr_size >= packet->GetEndOfData() ) { packet->Weird("FDDI_analyzer_failed"); return { AnalyzerResult::Failed, 0 }; } // We just skip the header and hope for default analysis - pdata += hdr_size; + data += hdr_size; return { AnalyzerResult::Continue, -1 }; } 
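Review bot: The context comment `// Note that pdata remains at the start of the ethernet frame.` in this hunk still refers to the local the commit removed; with the pointer now being the `data` parameter it should read `// Note that data remains at the start of the ethernet frame.`. EthernetAnalyzer::Analyze starts before this hunk and continues past its end.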
diff --git a/src/packet_analysis/protocol/fddi/FDDI.h b/src/packet_analysis/protocol/fddi/FDDI.h index 4e092eccb4..adb87d8dd7 100644 --- a/src/packet_analysis/protocol/fddi/FDDI.h +++ b/src/packet_analysis/protocol/fddi/FDDI.h @@ -12,7 +12,7 @@ public: FDDIAnalyzer(); ~FDDIAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc index ee4b090efc..a0e6eb999f 100644 --- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc @@ -10,20 +10,19 @@ IEEE802_11Analyzer::IEEE802_11Analyzer() { } -zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); u_char len_80211 = 24; // minimal length of data frames - if ( pdata + len_80211 >= end_of_data ) + if ( data + len_80211 >= end_of_data ) { packet->Weird("truncated_802_11_header"); return { AnalyzerResult::Failed, 0 }; } - u_char fc_80211 = pdata[0]; // Frame Control field + u_char fc_80211 = data[0]; // Frame Control field // Skip non-data frame types (management & control). if ( ! ((fc_80211 >> 2) & 0x02) ) @@ -35,7 +34,7 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p // 'To DS' and 'From DS' flags set indicate use of the 4th // address field. - if ( (pdata[1] & 0x03) == 0x03 ) + if ( (data[1] & 0x03) == 0x03 ) len_80211 += packet->L2_ADDR_LEN; // Look for the QoS indicator bit. 
@@ -43,13 +42,13 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p { // Skip in case of A-MSDU subframes indicated by QoS // control field. - if ( pdata[len_80211] & 0x80 ) + if ( data[len_80211] & 0x80 ) return { AnalyzerResult::Failed, 0 }; len_80211 += 2; } - if ( pdata + len_80211 >= end_of_data ) + if ( data + len_80211 >= end_of_data ) { packet->Weird("truncated_802_11_header"); return { AnalyzerResult::Failed, 0 }; @@ -57,33 +56,33 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p // Determine link-layer addresses based // on 'To DS' and 'From DS' flags - switch ( pdata[1] & 0x03 ) + switch ( data[1] & 0x03 ) { case 0x00: - packet->l2_src = pdata + 10; - packet->l2_dst = pdata + 4; + packet->l2_src = data + 10; + packet->l2_dst = data + 4; break; case 0x01: - packet->l2_src = pdata + 10; - packet->l2_dst = pdata + 16; + packet->l2_src = data + 10; + packet->l2_dst = data + 16; break; case 0x02: - packet->l2_src = pdata + 16; - packet->l2_dst = pdata + 4; + packet->l2_src = data + 16; + packet->l2_dst = data + 4; break; case 0x03: - packet->l2_src = pdata + 24; - packet->l2_dst = pdata + 16; + packet->l2_src = data + 24; + packet->l2_dst = data + 16; break; } // skip 802.11 data header - pdata += len_80211; + data += len_80211; - if ( pdata + 8 >= end_of_data ) + if ( data + 8 >= end_of_data ) { packet->Weird("truncated_802_11_header"); return { AnalyzerResult::Failed, 0 }; 
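Review bot: `if ( data[len_80211] & 0x80 )` reads the QoS control byte before the length check that follows it; the only guard evaluated so far is `data + len_80211 >= end_of_data` when len_80211 was still 24, and the 4-address case in the previous hunk has since added `packet->L2_ADDR_LEN`, so the index can exceed the verified range by that many bytes. Move a `if ( data + len_80211 >= end_of_data )` guard (with the same `truncated_802_11_header` weird and `return { AnalyzerResult::Failed, 0 };`) ahead of that read, or have the existing guard check `data + len_80211 + 2` before the QoS branch. IEEE802_11Analyzer::Analyze starts and ends outside this hunk.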
@@ -93,10 +92,10 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p // field indicates that this is an unnumbered frame. // The organization code (24bits) needs to also be zero to // indicate that this is encapsulated ethernet. - if ( pdata[0] == 0xAA && pdata[1] == 0xAA && pdata[2] == 0x03 && - pdata[3] == 0 && pdata[4] == 0 && pdata[5] == 0 ) + if ( data[0] == 0xAA && data[1] == 0xAA && data[2] == 0x03 && + data[3] == 0 && data[4] == 0 && data[5] == 0 ) { - pdata += 6; + data += 6; } else { @@ -106,8 +105,8 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p return { AnalyzerResult::Failed, 0 }; } - uint32_t protocol = (pdata[0] << 8) + pdata[1]; - pdata += 2; + uint32_t protocol = (data[0] << 8) + data[1]; + data += 2; return { AnalyzerResult::Continue, protocol }; } diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h index 03b706d9ae..beccbd59d9 100644 --- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h @@ -12,7 +12,7 @@ public: IEEE802_11Analyzer(); ~IEEE802_11Analyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc index ec34f39d04..26bdf9f041 100644 --- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc +++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc 
@@ -12,27 +12,26 @@ IEEE802_11_RadioAnalyzer::IEEE802_11_RadioAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple IEEE802_11_RadioAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple IEEE802_11_RadioAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); - if ( pdata + 3 >= end_of_data ) + if ( data + 3 >= end_of_data ) { packet->Weird("truncated_radiotap_header"); return { AnalyzerResult::Failed, 0 }; } // Skip over the RadioTap header - int rtheader_len = (pdata[3] << 8) + pdata[2]; + int rtheader_len = (data[3] << 8) + data[2]; - if ( pdata + rtheader_len >= end_of_data ) + if ( data + rtheader_len >= end_of_data ) { packet->Weird("truncated_radiotap_header"); return { AnalyzerResult::Failed, 0 }; } - packet->cur_pos += rtheader_len; + data += rtheader_len; return { AnalyzerResult::Continue, DLT_IEEE802_11 }; } diff --git a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h index ef1cf1fb39..1c50c07dbd 100644 --- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h +++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h @@ -12,7 +12,7 @@ public: IEEE802_11_RadioAnalyzer(); ~IEEE802_11_RadioAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ipv4/IPv4.cc b/src/packet_analysis/protocol/ipv4/IPv4.cc index 8cfd51b7f9..ad199f97f8 100644 --- a/src/packet_analysis/protocol/ipv4/IPv4.cc +++ b/src/packet_analysis/protocol/ipv4/IPv4.cc 
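Review bot: `rtheader_len` is taken from the packet and only bounded above; a value smaller than the fixed radiotap header itself (version, pad, length and present-flags words) passes `data + rtheader_len >= end_of_data` and hands the header bytes to the 802.11 analyzer as frame data. Rejecting such values before the advance, e.g. `if ( rtheader_len < 8 ) { packet->Weird("truncated_radiotap_header"); return { AnalyzerResult::Failed, 0 }; }`, closes that; the opening `data + 3` guard only proves the length field is readable.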
@@ -9,7 +9,7 @@ IPv4Analyzer::IPv4Analyzer()
 {
 }
-zeek::packet_analysis::AnalysisResultTuple IPv4Analyzer::Analyze(Packet* packet)
+zeek::packet_analysis::AnalysisResultTuple IPv4Analyzer::Analyze(Packet* packet, const uint8_t*& data)
 {
 packet->l3_proto = L3_IPV4;
diff --git a/src/packet_analysis/protocol/ipv4/IPv4.h b/src/packet_analysis/protocol/ipv4/IPv4.h
index 1ee5b5098b..37026cabd9 100644
--- a/src/packet_analysis/protocol/ipv4/IPv4.h
+++ b/src/packet_analysis/protocol/ipv4/IPv4.h
@@ -12,7 +12,7 @@ public:
 IPv4Analyzer();
 ~IPv4Analyzer() override = default;
- AnalysisResultTuple Analyze(Packet* packet) override;
+ AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
 static zeek::packet_analysis::AnalyzerPtr Instantiate()
 {
diff --git a/src/packet_analysis/protocol/ipv6/IPv6.cc b/src/packet_analysis/protocol/ipv6/IPv6.cc
index 2d724d9188..9380a1fe85 100644
--- a/src/packet_analysis/protocol/ipv6/IPv6.cc
+++ b/src/packet_analysis/protocol/ipv6/IPv6.cc
@@ -9,7 +9,7 @@ IPv6Analyzer::IPv6Analyzer()
 {
 }
-zeek::packet_analysis::AnalysisResultTuple IPv6Analyzer::Analyze(Packet* packet)
+zeek::packet_analysis::AnalysisResultTuple IPv6Analyzer::Analyze(Packet* packet, const uint8_t*& data)
 {
 packet->l3_proto = L3_IPV6;
diff --git a/src/packet_analysis/protocol/ipv6/IPv6.h b/src/packet_analysis/protocol/ipv6/IPv6.h
index db9416697a..f7ad9fdc74 100644
--- a/src/packet_analysis/protocol/ipv6/IPv6.h
+++ b/src/packet_analysis/protocol/ipv6/IPv6.h
@@ -12,7 +12,7 @@ public:
 IPv6Analyzer();
 ~IPv6Analyzer() override = default;
- AnalysisResultTuple Analyze(Packet* packet) override;
+ AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override;
 static AnalyzerPtr Instantiate()
 {
diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc
index 5a1f0fb29b..56149c42f1 100644
--- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc
+++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc
@@ -9,18 +9,16 @@ LinuxSLLAnalyzer::LinuxSLLAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple LinuxSLLAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple LinuxSLLAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; - - if ( pdata + sizeof(SLLHeader) >= packet->GetEndOfData() ) + if ( data + sizeof(SLLHeader) >= packet->GetEndOfData() ) { packet->Weird("truncated_Linux_SLL_header"); return { AnalyzerResult::Failed, 0 }; } //TODO: Handle different ARPHRD_types - auto hdr = (const SLLHeader*)pdata; + auto hdr = (const SLLHeader*)data; uint32_t protocol = ntohs(hdr->protocol_type); packet->l2_src = (u_char*) &(hdr->addr); @@ -29,6 +27,6 @@ zeek::packet_analysis::AnalysisResultTuple LinuxSLLAnalyzer::Analyze(Packet* pac // here will cause crashes elsewhere. packet->l2_dst = Packet::L2_EMPTY_ADDR; - pdata += sizeof(SLLHeader); + data += sizeof(SLLHeader); return { AnalyzerResult::Continue, protocol }; } diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.h b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h index 04cd170318..f9519b214f 100644 --- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.h +++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h @@ -12,7 +12,7 @@ public: LinuxSLLAnalyzer(); ~LinuxSLLAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/mpls/MPLS.cc b/src/packet_analysis/protocol/mpls/MPLS.cc index 1b22403919..2d507a4fc8 100644 --- a/src/packet_analysis/protocol/mpls/MPLS.cc +++ b/src/packet_analysis/protocol/mpls/MPLS.cc 
@@ -9,9 +9,8 @@ MPLSAnalyzer::MPLSAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); // Skip the MPLS label stack. @@ -19,25 +18,25 @@ zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet) while ( ! end_of_stack ) { - if ( pdata + 4 >= end_of_data ) + if ( data + 4 >= end_of_data ) { packet->Weird("truncated_link_header"); return { AnalyzerResult::Failed, 0 }; } - end_of_stack = *(pdata + 2u) & 0x01; - pdata += 4; + end_of_stack = *(data + 2u) & 0x01; + data += 4; } // According to RFC3032 the encapsulated protocol is not encoded. // We assume that what remains is IP. - if ( pdata + sizeof(struct ip) >= end_of_data ) + if ( data + sizeof(struct ip) >= end_of_data ) { packet->Weird("no_ip_in_mpls_payload"); return { AnalyzerResult::Failed, 0 }; } - auto ip = (const struct ip*)pdata; + auto ip = (const struct ip*)data; if ( ip->ip_v == 4 ) packet->l3_proto = L3_IPV4; @@ -50,6 +49,6 @@ zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet) return { AnalyzerResult::Failed, 0 }; } - packet->hdr_size = (pdata - packet->data); + packet->hdr_size = (data - packet->data); return { AnalyzerResult::Terminate, 0 }; } diff --git a/src/packet_analysis/protocol/mpls/MPLS.h b/src/packet_analysis/protocol/mpls/MPLS.h index 3c13e5d878..61439ee4c4 100644 --- a/src/packet_analysis/protocol/mpls/MPLS.h +++ b/src/packet_analysis/protocol/mpls/MPLS.h @@ -12,7 +12,7 @@ public: MPLSAnalyzer(); ~MPLSAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { 
diff --git a/src/packet_analysis/protocol/nflog/NFLog.cc b/src/packet_analysis/protocol/nflog/NFLog.cc index 0167a792fa..3b5fc3a86a 100644 --- a/src/packet_analysis/protocol/nflog/NFLog.cc +++ b/src/packet_analysis/protocol/nflog/NFLog.cc @@ -10,13 +10,12 @@ NFLogAnalyzer::NFLogAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet) { - auto& pdata = packet->cur_pos; +zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { auto end_of_data = packet->GetEndOfData(); // See https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html - uint32_t protocol = pdata[0]; - uint8_t version = pdata[1]; + uint32_t protocol = data[0]; + uint8_t version = data[1]; if ( version != 0 ) { @@ -25,14 +24,14 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet } // Skip to TLVs. - pdata += 4; + data += 4; uint16_t tlv_len; uint16_t tlv_type; while ( true ) { - if ( pdata + 4 >= end_of_data ) + if ( data + 4 >= end_of_data ) { packet->Weird("nflog_no_pcap_payload"); return { AnalyzerResult::Failed, 0 }; @@ -41,15 +40,15 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet // TLV Type and Length values are specified in host byte order // (libpcap should have done any needed byteswapping already). - tlv_len = *(reinterpret_cast(pdata)); - tlv_type = *(reinterpret_cast(pdata + 2)); + tlv_len = *(reinterpret_cast(data)); + tlv_type = *(reinterpret_cast(data + 2)); auto constexpr nflog_type_payload = 9; if ( tlv_type == nflog_type_payload ) { // The raw packet payload follows this TLV. - pdata += 4; + data += 4; break; } else @@ -72,7 +71,7 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet tlv_len += 4 - rem; } - pdata += tlv_len; + data += tlv_len; } } diff --git a/src/packet_analysis/protocol/nflog/NFLog.h b/src/packet_analysis/protocol/nflog/NFLog.h index e5212c6788..bc5b34eb2a 100644 
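Review bot: `uint32_t protocol = data[0];` and `uint8_t version = data[1];` read the NFLOG header with no length check; the first guard, `data + 4 >= end_of_data`, sits inside the TLV loop after `data += 4`, so a record shorter than the 4-byte header is read past its end. Add the same guard before the header read (a Weird followed by `return { AnalyzerResult::Failed, 0 };`, as the loop already does). The PPPSerial.cc hunk in this patch has the same gap with no check at all: `(data[2] << 8) + data[3]` needs `if ( data + 4 >= packet->GetEndOfData() )` ahead of it. The lines between the third and fourth NFLog hunks are not shown; confirm they reject `tlv_len < 4`, since a zero-length TLV would otherwise leave `data` unchanged and the `while ( true )` loop would never terminate. NFLogAnalyzer::Analyze ends outside the last hunk.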
--- a/src/packet_analysis/protocol/nflog/NFLog.h +++ b/src/packet_analysis/protocol/nflog/NFLog.h @@ -12,7 +12,7 @@ public: NFLogAnalyzer(); ~NFLogAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/null/Null.cc b/src/packet_analysis/protocol/null/Null.cc index 923f5c4ba9..5c61a53897 100644 --- a/src/packet_analysis/protocol/null/Null.cc +++ b/src/packet_analysis/protocol/null/Null.cc @@ -10,18 +10,16 @@ NullAnalyzer::NullAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple NullAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple NullAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; - - if ( pdata + 4 >= packet->GetEndOfData() ) + if ( data + 4 >= packet->GetEndOfData() ) { packet->Weird("null_analyzer_failed"); return { AnalyzerResult::Failed, 0 }; } - uint32_t protocol = (pdata[3] << 24) + (pdata[2] << 16) + (pdata[1] << 8) + pdata[0]; - pdata += 4; // skip link header + uint32_t protocol = (data[3] << 24) + (data[2] << 16) + (data[1] << 8) + data[0]; + data += 4; // skip link header return { AnalyzerResult::Continue, protocol }; } diff --git a/src/packet_analysis/protocol/null/Null.h b/src/packet_analysis/protocol/null/Null.h index 8282cee7b5..1df209225a 100644 --- a/src/packet_analysis/protocol/null/Null.h +++ b/src/packet_analysis/protocol/null/Null.h @@ -12,7 +12,7 @@ public: NullAnalyzer(); ~NullAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc index fc79156bd6..da28fc6dc4 100644 
--- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc +++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc @@ -10,13 +10,11 @@ PPPSerialAnalyzer::PPPSerialAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple PPPSerialAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple PPPSerialAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; - // Extract protocol identifier - uint32_t protocol = (pdata[2] << 8) + pdata[3]; - pdata += 4; // skip link header + uint32_t protocol = (data[2] << 8) + data[3]; + data += 4; // skip link header return { AnalyzerResult::Continue, protocol }; } diff --git a/src/packet_analysis/protocol/ppp_serial/PPPSerial.h b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h index 02201c97fd..75003f4242 100644 --- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.h +++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h @@ -12,7 +12,7 @@ public: PPPSerialAnalyzer(); ~PPPSerialAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/pppoe/PPPoE.cc b/src/packet_analysis/protocol/pppoe/PPPoE.cc index 5e2d2db6f1..53b004b733 100644 --- a/src/packet_analysis/protocol/pppoe/PPPoE.cc +++ b/src/packet_analysis/protocol/pppoe/PPPoE.cc 
@@ -10,19 +10,17 @@ PPPoEAnalyzer::PPPoEAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple PPPoEAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple PPPoEAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; - - if ( pdata + 8 >= packet->GetEndOfData() ) + if ( data + 8 >= packet->GetEndOfData() ) { packet->Weird("truncated_pppoe_header"); return { AnalyzerResult::Failed, 0 }; } // Extract protocol identifier - uint32_t protocol = (pdata[6] << 8u) + pdata[7]; - pdata += 8; // Skip the PPPoE session and PPP header + uint32_t protocol = (data[6] << 8u) + data[7]; + data += 8; // Skip the PPPoE session and PPP header return { AnalyzerResult::Continue, protocol }; } diff --git a/src/packet_analysis/protocol/pppoe/PPPoE.h b/src/packet_analysis/protocol/pppoe/PPPoE.h index 3e37cf4cf4..cbb08fabc1 100644 --- a/src/packet_analysis/protocol/pppoe/PPPoE.h +++ b/src/packet_analysis/protocol/pppoe/PPPoE.h @@ -12,7 +12,7 @@ public: PPPoEAnalyzer(); ~PPPoEAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/vlan/VLAN.cc b/src/packet_analysis/protocol/vlan/VLAN.cc index be3788f3fe..84fcfe28dd 100644 --- a/src/packet_analysis/protocol/vlan/VLAN.cc +++ b/src/packet_analysis/protocol/vlan/VLAN.cc 
@@ -10,22 +10,20 @@ VLANAnalyzer::VLANAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple VLANAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple VLANAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; - - if ( pdata + 4 >= packet->GetEndOfData() ) + if ( data + 4 >= packet->GetEndOfData() ) { packet->Weird("truncated_VLAN_header"); return { AnalyzerResult::Failed, 0 }; } auto& vlan_ref = packet->vlan != 0 ? packet->inner_vlan : packet->vlan; - vlan_ref = ((pdata[0] << 8u) + pdata[1]) & 0xfff; + vlan_ref = ((data[0] << 8u) + data[1]) & 0xfff; - uint32_t protocol = ((pdata[2] << 8u) + pdata[3]); + uint32_t protocol = ((data[2] << 8u) + data[3]); packet->eth_type = protocol; - pdata += 4; // Skip the VLAN header + data += 4; // Skip the VLAN header return { AnalyzerResult::Continue, protocol }; } diff --git a/src/packet_analysis/protocol/vlan/VLAN.h b/src/packet_analysis/protocol/vlan/VLAN.h index 40868e5adf..94446c0766 100644 --- a/src/packet_analysis/protocol/vlan/VLAN.h +++ b/src/packet_analysis/protocol/vlan/VLAN.h @@ -12,7 +12,7 @@ public: VLANAnalyzer(); ~VLANAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/wrapper/Wrapper.cc b/src/packet_analysis/protocol/wrapper/Wrapper.cc index 8d91dd5ed8..eed1087acf 100644 --- a/src/packet_analysis/protocol/wrapper/Wrapper.cc +++ b/src/packet_analysis/protocol/wrapper/Wrapper.cc 
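Review bot: `auto& vlan_ref = packet->vlan != 0 ? packet->inner_vlan : packet->vlan;` treats a zero outer VLAN ID as "no outer tag", so a priority-tagged frame (VID 0, which 802.1Q permits) followed by a second tag records the inner ID in `vlan` instead of `inner_vlan`, and a third nested tag silently overwrites `inner_vlan`. If the intent is to track tag depth, a counter or flag on the packet is more reliable than testing the ID value; either way the intended behaviour deserves a comment on that line.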
@@ -10,38 +10,37 @@ WrapperAnalyzer::WrapperAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { // Unfortunately some packets on the link might have MPLS labels // while others don't. That means we need to ask the link-layer if // labels are in place. bool have_mpls = false; - auto pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); // Skip past Cisco FabricPath to encapsulated ethernet frame. - if ( pdata[12] == 0x89 && pdata[13] == 0x03 ) + if ( data[12] == 0x89 && data[13] == 0x03 ) { auto constexpr cfplen = 16; - if ( pdata + cfplen + 14 >= end_of_data ) + if ( data + cfplen + 14 >= end_of_data ) { packet->Weird("truncated_link_header_cfp"); return { AnalyzerResult::Failed, 0 }; } - pdata += cfplen; + data += cfplen; } // Extract protocol identifier - uint32_t protocol = (pdata[12] << 8u) + pdata[13]; + uint32_t protocol = (data[12] << 8u) + data[13]; packet->eth_type = protocol; - packet->l2_dst = pdata; - packet->l2_src = pdata + 6; + packet->l2_dst = data; + packet->l2_src = data + 6; - pdata += 14; + data += 14; bool saw_vlan = false; @@ -55,16 +54,16 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack case 0x8100: case 0x9100: { - if ( pdata + 4 >= end_of_data ) + if ( data + 4 >= end_of_data ) { packet->Weird("truncated_link_header"); return { AnalyzerResult::Failed, 0 }; } auto& vlan_ref = saw_vlan ? packet->inner_vlan : packet->vlan; - vlan_ref = ((pdata[0] << 8u) + pdata[1]) & 0xfff; - protocol = ((pdata[2] << 8u) + pdata[3]); - pdata += 4; // Skip the vlan header + vlan_ref = ((data[0] << 8u) + data[1]) & 0xfff; + protocol = ((data[2] << 8u) + data[3]); + data += 4; // Skip the vlan header saw_vlan = true; packet->eth_type = protocol; } 
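Review bot: `if ( data[12] == 0x89 && data[13] == 0x03 )` and the `protocol` extraction below it read bytes 12–13 of the frame with no preceding length check; the only guard, `data + cfplen + 14 >= end_of_data`, is inside the FabricPath branch. EthernetAnalyzer::Analyze in this same patch rejects such frames first with `if ( data + 16 >= end_of_data ) { packet->Weird("truncated_ethernet_frame"); return { AnalyzerResult::Failed, 0 }; }`, and the same guard belongs at the top of this function. WrapperAnalyzer::Analyze continues past the end of this hunk.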
@@ -73,14 +72,14 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack // PPPoE carried over the ethernet frame. case 0x8864: { - if ( pdata + 8 >= end_of_data ) + if ( data + 8 >= end_of_data ) { packet->Weird("truncated_link_header"); return { AnalyzerResult::Failed, 0 }; } - protocol = (pdata[6] << 8u) + pdata[7]; - pdata += 8; // Skip the PPPoE session and PPP header + protocol = (data[6] << 8u) + data[7]; + data += 8; // Skip the PPPoE session and PPP header if ( protocol == 0x0021 ) packet->l3_proto = L3_IPV4; @@ -125,24 +124,24 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack while ( ! end_of_stack ) { - if ( pdata + 4 >= end_of_data ) + if ( data + 4 >= end_of_data ) { packet->Weird("truncated_link_header"); return { AnalyzerResult::Failed, 0 }; } - end_of_stack = *(pdata + 2u) & 0x01; - pdata += 4; + end_of_stack = *(data + 2u) & 0x01; + data += 4; } // We assume that what remains is IP - if ( pdata + sizeof(struct ip) >= end_of_data ) + if ( data + sizeof(struct ip) >= end_of_data ) { packet->Weird("no_ip_in_mpls_payload"); return { AnalyzerResult::Failed, 0 }; } - const struct ip* ip = (const struct ip*)pdata; + const struct ip* ip = (const struct ip*)data; if ( ip->ip_v == 4 ) packet->l3_proto = L3_IPV4; @@ -157,7 +156,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack } // Calculate how much header we've used up. - packet->hdr_size = (pdata - packet->data); + packet->hdr_size = (data - packet->data); return { AnalyzerResult::Continue, protocol }; } diff --git a/src/packet_analysis/protocol/wrapper/Wrapper.h b/src/packet_analysis/protocol/wrapper/Wrapper.h index 2fd8abbea0..38fb6ca268 100644 --- a/src/packet_analysis/protocol/wrapper/Wrapper.h +++ b/src/packet_analysis/protocol/wrapper/Wrapper.h 
@@ -12,7 +12,7 @@ public: WrapperAnalyzer(); ~WrapperAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc b/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc index fdf313d518..f0588e7627 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc +++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc @@ -10,21 +10,20 @@ Bar::Bar() { } -zeek::packet_analysis::AnalysisResultTuple Bar::Analyze(Packet* packet) +zeek::packet_analysis::AnalysisResultTuple Bar::Analyze(Packet* packet, const uint8_t*& data) { - auto& pdata = packet->cur_pos; auto end_of_data = packet->GetEndOfData(); // Rudimentary parsing of 802.2 LLC - if ( pdata + 17 >= end_of_data ) + if ( data + 17 >= end_of_data ) { packet->Weird("truncated_llc_header"); return { AnalyzerResult::Failed, 0 }; } - auto dsap = pdata[14]; - auto ssap = pdata[15]; - auto control = pdata[16]; + auto dsap = data[14]; + auto ssap = data[15]; + auto control = data[16]; mgr.Enqueue(bar_message, val_mgr->Count(dsap), diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h index a125b1c8c2..83f0bf6ce9 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h +++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h @@ -10,7 +10,7 @@ public: Bar(); ~Bar() override = default; - AnalysisResultTuple Analyze(Packet* packet) override; + AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; static AnalyzerPtr Instantiate() { From 9feda100b993b8f1e5cbb8e41bdfa99ba7c540ab Mon Sep 17 00:00:00 2001 
From: Jan Grashoefer
Date: Wed, 19 Aug 2020 16:36:09 +0200
Subject: [PATCH 15/43] Move dispatching into packet analyzers.
WIP that updates only the Ethernet analyzer.
---
 scripts/base/packet-protocols/__load__.zeek | 20 ++++----
 .../base/packet-protocols/ethernet/main.zeek | 14 +++---
 src/packet_analysis/Analyzer.cc | 21 +++++++-
 src/packet_analysis/Analyzer.h | 15 +++++-
 src/packet_analysis/Manager.cc | 48 +++++--------------
 src/packet_analysis/Manager.h | 12 ++++-
 src/packet_analysis/protocol/CMakeLists.txt | 30 ++++++------
 .../protocol/ethernet/Ethernet.cc | 19 ++++----
 .../protocol/ethernet/Ethernet.h | 2 +-
 src/packet_analysis/protocol/ipv4/IPv4.cc | 4 +-
 src/packet_analysis/protocol/ipv4/IPv4.h | 2 +-
 src/packet_analysis/protocol/ipv6/IPv6.cc | 4 +-
 src/packet_analysis/protocol/ipv6/IPv6.h | 2 +-
 13 files changed, 105 insertions(+), 88 deletions(-)
diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek
index 60c804f2fd..c64d5442a4 100644
--- a/scripts/base/packet-protocols/__load__.zeek
+++ b/scripts/base/packet-protocols/__load__.zeek
@@ -1,11 +1,11 @@
-@load base/packet-protocols/default
+#@load base/packet-protocols/default
 @load base/packet-protocols/ethernet
-@load base/packet-protocols/fddi
-@load base/packet-protocols/ieee802_11
-@load base/packet-protocols/ieee802_11_radio
-@load base/packet-protocols/linux_sll
-@load base/packet-protocols/nflog
-@load base/packet-protocols/null
-@load base/packet-protocols/ppp_serial
-@load base/packet-protocols/pppoe
-@load base/packet-protocols/vlan
+#@load base/packet-protocols/fddi
+#@load base/packet-protocols/ieee802_11
+#@load base/packet-protocols/ieee802_11_radio
+#@load base/packet-protocols/linux_sll
+#@load base/packet-protocols/nflog
+#@load base/packet-protocols/null
+#@load base/packet-protocols/ppp_serial
+#@load base/packet-protocols/pppoe
+#@load base/packet-protocols/vlan
diff --git a/scripts/base/packet-protocols/ethernet/main.zeek b/scripts/base/packet-protocols/ethernet/main.zeek
index ca11767466..b7a242efb0 100644
--- a/scripts/base/packet-protocols/ethernet/main.zeek
+++ b/scripts/base/packet-protocols/ethernet/main.zeek
@@ -4,13 +4,13 @@ const DLT_EN10MB : count = 1; redef PacketAnalyzer::config_map += { PacketAnalyzer::ConfigEntry($identifier=DLT_EN10MB, $analyzer=PacketAnalyzer::ANALYZER_ETHERNET), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8847, $analyzer=PacketAnalyzer::ANALYZER_MPLS), + #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8847, $analyzer=PacketAnalyzer::ANALYZER_MPLS), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8035, $analyzer=PacketAnalyzer::ANALYZER_ARP), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x88A8, $analyzer=PacketAnalyzer::ANALYZER_VLAN), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x9100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE) + #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP), + #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8035, $analyzer=PacketAnalyzer::ANALYZER_ARP), + #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), + 
#PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x88A8, $analyzer=PacketAnalyzer::ANALYZER_VLAN), + #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x9100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), + #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE) }; diff --git a/src/packet_analysis/Analyzer.cc b/src/packet_analysis/Analyzer.cc index c045a9302f..6e40e270cd 100644 --- a/src/packet_analysis/Analyzer.cc +++ b/src/packet_analysis/Analyzer.cc @@ -44,4 +44,23 @@ bool Analyzer::IsAnalyzer(const char* name) return packet_mgr->GetComponentName(tag).compare(name) == 0; } -} +AnalyzerResult Analyzer::AnalyzeInnerPacket(Packet* packet, + const uint8_t*& data, uint32_t identifier) const + { + auto inner_analyzer = packet_mgr->Dispatch(identifier); + + if ( inner_analyzer == nullptr ) + { + //TODO: Handle default analysis here + DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s failed, could not find analyzer for identifier %#x.", + GetAnalyzerName(), identifier); + packet->Weird("no_suitable_analyzer_found"); + return AnalyzerResult::Failed; + } + + DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s succeeded, next layer identifier is %#x.", + GetAnalyzerName(), identifier); + return inner_analyzer->Analyze(packet, data); + } + +} \ No newline at end of file diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h index e6b974aefc..be6e47f5b5 100644 --- a/src/packet_analysis/Analyzer.h +++ b/src/packet_analysis/Analyzer.h 
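Review bot: Commenting out the MPLS, ARP, VLAN and PPPoE entries leaves only the IPv4 and IPv6 mappings active under `ANALYZER_ETHERNET`, so every 802.1Q, ARP or PPPoE frame now ends in `AnalyzeInnerPacket`'s `no_suitable_analyzer_found` weird (one per packet) instead of being analyzed. If this is a temporary WIP state, a `# TODO: re-enable once the VLAN/ARP/PPPoE analyzers are built again` line above the block records why; if it is not, the entries should be removed rather than left as commented-out code.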
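Review bot: `AnalyzeInnerPacket` recurses through `inner_analyzer->Analyze(packet, data)` with no depth bound, and the Ethernet analyzer changed in this same patch dispatches the 1501–1503 pseudo-identifiers without advancing `data`, so a `config_map` cycle (for example an LLC analyzer mapped back to Ethernet) would recurse on the same bytes until the stack overflows; the per-layer truncation checks only bound the recursion when every layer consumes bytes. I would keep a depth counter on the manager or the packet and fail with `packet->Weird("packet_analyzer_depth_exceeded")` once it passes a small fixed limit. The debug message `Analysis in %s succeeded, next layer identifier is %#x.` is logged before the inner analyzer has run; `dispatching identifier %#x from %s` would be accurate. The file also loses its trailing newline here.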
@@ -68,18 +68,29 @@ public: * protocol, the data reference should be updated to point to that payload. * * @param packet The packet to analyze. - * * @param data Reference to the payload pointer into the raw packet. * * @return A tuple of analysis result and identifier. The result indicates * how to proceed. If analysis can continue, the identifier determines the * encapsulated protocol. */ - virtual AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) = 0; + virtual AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) = 0; protected: friend class Manager; + /** + * Triggers analysis of the encapsulated packet. The encapsulated protocol + * is determined using the given identifier. + * + * @param packet The packet to analyze. + * @param data Reference to the payload pointer into the raw packet. + * @param identifier The identifier of the encapsulated protocol. + * + * @return The outcome of the analysis. + */ + AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data, + uint32_t identifier) const; private: Tag tag; diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc index a535b93b8d..35d52c9244 100644 --- a/src/packet_analysis/Manager.cc +++ b/src/packet_analysis/Manager.cc 
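Review bot: The `@return` of `Analyze` still reads `A tuple of analysis result and identifier ... the identifier determines the encapsulated protocol.` although the return type is now a bare `AnalyzerResult` and the identifier is passed to `AnalyzeInnerPacket` instead; it should say `@return The outcome of the analysis. An analyzer that recognizes an encapsulated protocol dispatches it itself via AnalyzeInnerPacket.` The new `AnalyzeInnerPacket` doc should also say whether `data` is expected to already point past the caller's own header, since this change makes advancing `data` the caller's responsibility and the Ethernet analyzer intentionally does not advance it for the LLC/SNAP cases.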
@@ -147,44 +147,22 @@ void Manager::ProcessPacket(Packet* packet) DBG_LOG(DBG_PACKET_ANALYSIS, "Analyzing packet %ld, ts=%.3f...", ++counter, packet->time); #endif - // Dispatch and analyze layers - AnalyzerResult result = AnalyzerResult::Continue; - uint32_t next_layer_id = packet->link_type; + // Start packet analysis const uint8_t* data = packet->data; - do + + auto root_analyzer = Dispatch(packet->link_type); + if ( root_analyzer == nullptr ) { - auto current_analyzer = Dispatch(next_layer_id); + DBG_LOG(DBG_PACKET_ANALYSIS, "No analyzer for link type: %#x.", packet->link_type); + packet->Weird("no_suitable_analyzer_found"); + } + else + { + auto result = root_analyzer->Analyze(packet, data); - // Analyzer not found - if ( current_analyzer == nullptr ) - { - DBG_LOG(DBG_PACKET_ANALYSIS, "Could not find analyzer for identifier %#x", next_layer_id); - packet->Weird("no_suitable_analyzer_found"); - break; - } - - // Analyze this layer and get identifier of next layer protocol - std::tie(result, next_layer_id) = current_analyzer->Analyze(packet, data); - -#ifdef DEBUG - switch ( result ) - { - case AnalyzerResult::Continue: - DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s succeeded, next layer identifier is %#x.", - current_analyzer->GetAnalyzerName(), next_layer_id); - break; - case AnalyzerResult::Terminate: - DBG_LOG(DBG_PACKET_ANALYSIS, "Done, last found layer identifier was %#x.", next_layer_id); - break; - case AnalyzerResult::Failed: - DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis failed in %s", current_analyzer->GetAnalyzerName()); - } -#endif - - } while ( result == AnalyzerResult::Continue ); - - if ( result == AnalyzerResult::Terminate ) - CustomEncapsulationSkip(packet, data); + if (result == AnalyzerResult::Terminate) + CustomEncapsulationSkip(packet, data); + } // Processing finished, reset analyzer set state for next packet current_state = root_dispatcher; 
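Review bot: `ProcessPacket` only checks for `Terminate`, so a `Failed` result from `root_analyzer->Analyze` is indistinguishable here from a normal non-terminating return and the function continues to the `hdr_size` computation that follows the hunk (it appears as context in a later patch) using the partially advanced `data`. If a failed packet is meant to go no further, add `else if ( result == AnalyzerResult::Failed ) return;` after the `Terminate` branch; otherwise a comment explaining why a partial header size is acceptable would help. Also, `Dispatch` now reads and advances `current_state` and is called from the analyzers' const `AnalyzeInnerPacket`, so an analyzer's dispatch result depends on hidden manager state that is only reset at the end of this function; that coupling deserves a comment on the `current_state = root_dispatcher;` line.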
diff --git a/src/packet_analysis/Manager.h b/src/packet_analysis/Manager.h index f576952228..4ad9f76b11 100644 --- a/src/packet_analysis/Manager.h +++ b/src/packet_analysis/Manager.h @@ -87,6 +87,16 @@ public: */ void ProcessPacket(Packet* packet); + /** + * Looks up a packet analyzer by identifier considering the context + * as given by current_state. + * + * @param identifier The identifier to look up. + * + * @return The analyzer corresponding to the identifier. + */ + AnalyzerPtr Dispatch(uint32_t identifier); + private: /** @@ -99,8 +109,6 @@ private: */ void CustomEncapsulationSkip(Packet* packet, const uint8_t* data); - AnalyzerPtr Dispatch(uint32_t identifier); - DispatcherPtr GetDispatcher(Config& configuration, const std::string& dispatcher_name); std::map analyzers; diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt index fbcef0f2c9..dc3327460d 100644 --- a/src/packet_analysis/protocol/CMakeLists.txt +++ b/src/packet_analysis/protocol/CMakeLists.txt @@ -1,18 +1,18 @@ -add_subdirectory(default) - -add_subdirectory(wrapper) -add_subdirectory(null) +#add_subdirectory(default) +# +#add_subdirectory(wrapper) +#add_subdirectory(null) add_subdirectory(ethernet) -add_subdirectory(vlan) -add_subdirectory(pppoe) -add_subdirectory(ppp_serial) -add_subdirectory(ieee802_11) -add_subdirectory(ieee802_11_radio) -add_subdirectory(fddi) -add_subdirectory(nflog) -add_subdirectory(mpls) -add_subdirectory(linux_sll) - -add_subdirectory(arp) +#add_subdirectory(vlan) +#add_subdirectory(pppoe) +#add_subdirectory(ppp_serial) +#add_subdirectory(ieee802_11) +#add_subdirectory(ieee802_11_radio) +#add_subdirectory(fddi) +#add_subdirectory(nflog) +#add_subdirectory(mpls) +#add_subdirectory(linux_sll) +# +#add_subdirectory(arp) add_subdirectory(ipv4) add_subdirectory(ipv6) diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.cc b/src/packet_analysis/protocol/ethernet/Ethernet.cc index 198d2912ee..7f152ad5bc 100644 
--- a/src/packet_analysis/protocol/ethernet/Ethernet.cc +++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc @@ -10,7 +10,7 @@ EthernetAnalyzer::EthernetAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple EthernetAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { auto end_of_data = packet->GetEndOfData(); @@ -19,7 +19,7 @@ zeek::packet_analysis::AnalysisResultTuple EthernetAnalyzer::Analyze(Packet* pac if ( data + 16 >= end_of_data ) { packet->Weird("truncated_ethernet_frame"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } // Skip past Cisco FabricPath to encapsulated ethernet frame. @@ -30,7 +30,7 @@ zeek::packet_analysis::AnalysisResultTuple EthernetAnalyzer::Analyze(Packet* pac if ( data + cfplen + 14 >= end_of_data ) { packet->Weird("truncated_link_header_cfp"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } data += cfplen; @@ -47,7 +47,7 @@ zeek::packet_analysis::AnalysisResultTuple EthernetAnalyzer::Analyze(Packet* pac if ( protocol >= 1536 ) { data += 14; - return { AnalyzerResult::Continue, protocol }; + return AnalyzeInnerPacket(packet, data, protocol); } // Other ethernet frame types 
@@ -56,27 +56,28 @@ zeek::packet_analysis::AnalysisResultTuple EthernetAnalyzer::Analyze(Packet* pac if ( data + 16 >= end_of_data ) { packet->Weird("truncated_ethernet_frame"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } // In the following we use undefined EtherTypes to signal uncommon // frame types. This allows specialized analyzers to take over. // Note that pdata remains at the start of the ethernet frame. + //TODO: Lookup the analyzers on startup // IEEE 802.2 SNAP if ( data[14] == 0xAA && data[15] == 0xAA) - return { AnalyzerResult::Continue, 1502 }; + return AnalyzeInnerPacket(packet, data, 1502); // Novell raw IEEE 802.3 if ( data[14] == 0xFF && data[15] == 0xFF) - return { AnalyzerResult::Continue, 1503 }; + return AnalyzeInnerPacket(packet, data, 1503); // IEEE 802.2 LLC - return { AnalyzerResult::Continue, 1501 }; + return AnalyzeInnerPacket(packet, data, 1501); } // Undefined (1500 < EtherType < 1536) packet->Weird("undefined_ether_type"); - return { AnalyzerResult::Failed, protocol }; + return AnalyzerResult::Failed; } diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.h b/src/packet_analysis/protocol/ethernet/Ethernet.h index d6779ede58..22f51b233d 100644 --- a/src/packet_analysis/protocol/ethernet/Ethernet.h +++ b/src/packet_analysis/protocol/ethernet/Ethernet.h @@ -12,7 +12,7 @@ public: EthernetAnalyzer(); ~EthernetAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ipv4/IPv4.cc b/src/packet_analysis/protocol/ipv4/IPv4.cc index ad199f97f8..57aef8eb25 100644 --- a/src/packet_analysis/protocol/ipv4/IPv4.cc +++ b/src/packet_analysis/protocol/ipv4/IPv4.cc 
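Review bot: The new `AnalyzeInnerPacket(packet, data, 1501)` / `1502` / `1503` calls dispatch on bare magic numbers whose meaning lives only in the surrounding comments, and the Zeek-side `config_map` must register the same values for the LLC/SNAP/Novell analyzers; they should be named constants, e.g. `constexpr uint32_t PSEUDO_ETHERTYPE_LLC = 1501;`, so the two sides cannot drift. The comment `Note that pdata remains at the start of the ethernet frame.` refers to a variable called `pdata` while the parameter is `data`; it should read `Note that data remains at the start of the ethernet frame.` The `data + 16 >= end_of_data` checks form a pointer that may lie past the buffer end; `end_of_data - data < 16` is the form that avoids that.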
@@ -9,10 +9,10 @@ IPv4Analyzer::IPv4Analyzer() { } -zeek::packet_analysis::AnalysisResultTuple IPv4Analyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult IPv4Analyzer::Analyze(Packet* packet, const uint8_t*& data) { packet->l3_proto = L3_IPV4; // Leave packet analyzer land - return { AnalyzerResult::Terminate, 0 }; + return AnalyzerResult::Terminate; } diff --git a/src/packet_analysis/protocol/ipv4/IPv4.h b/src/packet_analysis/protocol/ipv4/IPv4.h index 37026cabd9..984ad4e532 100644 --- a/src/packet_analysis/protocol/ipv4/IPv4.h +++ b/src/packet_analysis/protocol/ipv4/IPv4.h @@ -12,7 +12,7 @@ public: IPv4Analyzer(); ~IPv4Analyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ipv6/IPv6.cc b/src/packet_analysis/protocol/ipv6/IPv6.cc index 9380a1fe85..903dfd1607 100644 --- a/src/packet_analysis/protocol/ipv6/IPv6.cc +++ b/src/packet_analysis/protocol/ipv6/IPv6.cc @@ -9,10 +9,10 @@ IPv6Analyzer::IPv6Analyzer() { } -zeek::packet_analysis::AnalysisResultTuple IPv6Analyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult IPv6Analyzer::Analyze(Packet* packet, const uint8_t*& data) { packet->l3_proto = L3_IPV6; // Leave packet analyzer land - return { AnalyzerResult::Terminate, 0 }; + return AnalyzerResult::Terminate; } diff --git a/src/packet_analysis/protocol/ipv6/IPv6.h b/src/packet_analysis/protocol/ipv6/IPv6.h index f7ad9fdc74..ffff59a668 100644 --- a/src/packet_analysis/protocol/ipv6/IPv6.h +++ b/src/packet_analysis/protocol/ipv6/IPv6.h 
@@ -12,7 +12,7 @@ public: IPv6Analyzer(); ~IPv6Analyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static AnalyzerPtr Instantiate() { From d4ff5a236c0198236e2b3feecf8534ffba897f9d Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Thu, 20 Aug 2020 18:40:37 +0200 Subject: [PATCH 16/43] Further simplified the packet analysis API. This is still WIP and includes the following changes: * Dispatchers are now part of analyzers (moving dispatching logic from the manager to the analyzers) * All available analyzers are instantiated on start up * Removal of configuration class --- src/packet_analysis/Analyzer.cc | 11 +- src/packet_analysis/Analyzer.h | 22 ++- src/packet_analysis/CMakeLists.txt | 1 - src/packet_analysis/Config.cc | 87 --------- src/packet_analysis/Config.h | 42 ---- src/packet_analysis/Dispatcher.cc | 18 +- src/packet_analysis/Dispatcher.h | 34 ++-- src/packet_analysis/Manager.cc | 180 +++++------------- src/packet_analysis/Manager.h | 37 +--- src/packet_analysis/protocol/CMakeLists.txt | 4 +- .../protocol/default/Default.cc | 6 +- .../protocol/default/Default.h | 2 +- 12 files changed, 104 insertions(+), 340 deletions(-) delete mode 100644 src/packet_analysis/Config.cc delete mode 100644 src/packet_analysis/Config.h diff --git a/src/packet_analysis/Analyzer.cc b/src/packet_analysis/Analyzer.cc index 6e40e270cd..05fdccd416 100644 --- a/src/packet_analysis/Analyzer.cc +++ b/src/packet_analysis/Analyzer.cc @@ -1,6 +1,5 @@ // See the file "COPYING" in the main distribution directory for copyright. -#include #include "Analyzer.h" namespace zeek::packet_analysis { @@ -20,7 +19,6 @@ Analyzer::Analyzer(const Tag& tag) Init(tag); } -/* PRIVATE */ void Analyzer::Init(const Tag& _tag) { tag = _tag; 
@@ -41,13 +39,18 @@ const char* Analyzer::GetAnalyzerName() const bool Analyzer::IsAnalyzer(const char* name) { assert(tag); - return packet_mgr->GetComponentName(tag).compare(name) == 0; + return packet_mgr->GetComponentName(tag) == name; + } + +bool Analyzer::RegisterAnalyzerMapping(uint32_t identifier, AnalyzerPtr analyzer) + { + return dispatcher.Register(identifier, std::move(analyzer)); } AnalyzerResult Analyzer::AnalyzeInnerPacket(Packet* packet, const uint8_t*& data, uint32_t identifier) const { - auto inner_analyzer = packet_mgr->Dispatch(identifier); + auto inner_analyzer = dispatcher.Lookup(identifier); if ( inner_analyzer == nullptr ) { diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h index be6e47f5b5..4cc32243ea 100644 --- a/src/packet_analysis/Analyzer.h +++ b/src/packet_analysis/Analyzer.h @@ -10,9 +10,9 @@ namespace zeek::packet_analysis { /** * Result of packet analysis. */ + //TODO: Replace with bool? enum class AnalyzerResult { Failed, // Analysis failed - Continue, // Analysis succeeded and an encapsulated protocol was determined Terminate // Analysis succeeded and there is no further analysis to do }; @@ -41,6 +41,13 @@ public: */ virtual ~Analyzer() = default; + /** + * Initialize the analyzer. This method is called after the configuration + * was read. Derived classes can override this method to implement custom + * initialization. + */ + virtual void Initialize() { }; + /** * Returns the tag associated with the analyzer's type. */ 
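Review bot: The first hunk of this file drops an `#include` at the top of Analyzer.cc (its name is not preserved in this rendering) while `IsAnalyzer` still calls `assert(tag)`; if that was `<cassert>`, the file now compiles only through transitive includes and should get it back explicitly. Separately, `AnalyzeInnerPacket` now consults the analyzer's own `dispatcher.Lookup(identifier)`, and with `Manager::Dispatch` removed the fallback to `default_analyzer` that previously applied at any layer now happens only for the root link type in `ProcessPacket`, so an unmapped inner identifier is a hard `Failed`. If that is intended, the `//TODO: Handle default analysis here` comment presumably still following this code should be replaced by a sentence saying so.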
@@ -62,6 +69,15 @@ public: */ bool IsAnalyzer(const char* name); + /** + * Registers an analyzer to be dispatched for the given identifier. + * + * @param identifier The identifier an analyzer should be called for. + * @param analyzer The analyzer that should be called. + * @return True if the registration was successfull. + */ + bool RegisterAnalyzerMapping(uint32_t identifier, AnalyzerPtr analyzer); + /** * Analyzes the given packet. The data reference points to the part of the * raw packet to be analyzed. If the analyzed protocol encapsulates another @@ -90,9 +106,11 @@ protected: * @return The outcome of the analysis. */ AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data, - uint32_t identifier) const; + uint32_t identifier) const; + private: Tag tag; + Dispatcher dispatcher; void Init(const Tag& tag); }; diff --git a/src/packet_analysis/CMakeLists.txt b/src/packet_analysis/CMakeLists.txt index 044370b727..c952e703ed 100644 --- a/src/packet_analysis/CMakeLists.txt +++ b/src/packet_analysis/CMakeLists.txt @@ -13,7 +13,6 @@ set(llanalyzer_SRCS Manager.cc Component.cc Tag.cc - Config.cc ) bro_add_subdir_library(llanalyzer ${llanalyzer_SRCS}) diff --git a/src/packet_analysis/Config.cc b/src/packet_analysis/Config.cc deleted file mode 100644 index 236d8797d5..0000000000 --- a/src/packet_analysis/Config.cc +++ /dev/null 
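Review bot: `Dispatcher dispatcher;` is added as a by-value member, which needs the complete `Dispatcher` type, but none of the visible Analyzer.h hunks adds `#include "Dispatcher.h"` and the first hunk's offsets (`-10,9 +10,9`) show nothing changed above line 10; unless the header already includes it outside these hunks, this will not compile. The new doc comment has a typo, `successfull` → `successful`, and should state what `false` means, `@return False if an analyzer is already registered for the identifier.`, since the callers in Manager.cc ignore the result. `Initialize()`'s comment says it is called `after the configuration was read`; naming the caller, `Called by Manager::InitPostScript after all mappings are registered.`, makes the contract checkable.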
@@ -1,87 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#include "Config.h" -#include "Reporter.h" -#include "DebugLogger.h" - -namespace zeek::packet_analysis { - -// ############################## -// ####### DispatcherConfig ##### -// ############################## -const std::string& DispatcherConfig::GetName() const - { - return name; - } - -const std::map& DispatcherConfig::GetMappings() const - { - return mappings; - } - -void DispatcherConfig::AddMapping(uint32_t identifier, - const std::string& analyzer_name) - { - DBG_LOG(DBG_PACKET_ANALYSIS, "Adding configuration mapping: %s -> %#x -> %s", - name.c_str(), identifier, analyzer_name.c_str()); - - if ( mappings.count(identifier) ) - reporter->InternalError("Invalid config, identifier %#x already exists " - "for dispatcher set %s.", - identifier, name.c_str()); - - mappings.emplace(identifier, analyzer_name); - } - -bool DispatcherConfig::operator==(const DispatcherConfig& rhs) const - { - return name == rhs.name; - } - -bool DispatcherConfig::operator!=(const DispatcherConfig& rhs) const - { - return ! (rhs == *this); - } - -// ############################## -// ########### Config ########### -// ############################## -std::optional> -Config::GetDispatcherConfig(const std::string& name) - { - auto it = std::find_if( - dispatchers.begin(), dispatchers.end(), - [&](const DispatcherConfig& conf) { - return conf.GetName() == name; - }); - - if ( it == dispatchers.end() ) - return {}; - else - return {std::ref(*it)}; - } - -const std::vector& Config::GetDispatchers() const - { - return dispatchers; - } - -DispatcherConfig& Config::AddDispatcherConfig(const std::string& name) - { - return dispatchers.emplace_back(name); - } - -void Config::AddMapping(const std::string& name, uint32_t identifier, - const std::string& analyzer_name) - { - // Create dispatcher config if it does not exist yet - std::optional> dispatch_config = - GetDispatcherConfig(name); - - if ( ! 
dispatch_config ) - AddDispatcherConfig(name).AddMapping(identifier, analyzer_name); - else - dispatch_config->get().AddMapping(identifier, analyzer_name); - } - -} // namespace packet_analysis diff --git a/src/packet_analysis/Config.h b/src/packet_analysis/Config.h deleted file mode 100644 index 9a89626925..0000000000 --- a/src/packet_analysis/Config.h +++ /dev/null @@ -1,42 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#pragma once - -#include -#include -#include -#include -#include - -namespace zeek::packet_analysis { - -class DispatcherConfig { -public: - explicit DispatcherConfig(const std::string name) : name(std::move(name)) { } - - const std::string& GetName() const; - const std::map& GetMappings() const; - - void AddMapping(uint32_t identifier, const std::string& analyzer_name); - - bool operator==(const DispatcherConfig& rhs) const; - bool operator!=(const DispatcherConfig& rhs) const; - -private: - const std::string name; - std::map mappings; -}; - -class Config { - -public: - const std::vector& GetDispatchers() const; - std::optional> GetDispatcherConfig(const std::string& name); - DispatcherConfig& AddDispatcherConfig(const std::string& name); - void AddMapping(const std::string& name, uint32_t identifier, const std::string& analyzer_name); - -private: - std::vector dispatchers; -}; - -} diff --git a/src/packet_analysis/Dispatcher.cc b/src/packet_analysis/Dispatcher.cc index 9ca3ae1c67..841906cf4c 100644 --- a/src/packet_analysis/Dispatcher.cc +++ b/src/packet_analysis/Dispatcher.cc @@ -3,6 +3,8 @@ #include #include "Dispatcher.h" +#include "Analyzer.h" +#include "DebugLogger.h" namespace zeek::packet_analysis { 
@@ -11,12 +13,12 @@ Dispatcher::~Dispatcher() FreeValues(); } -bool Dispatcher::Register(uint32_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher) +bool Dispatcher::Register(uint32_t identifier, AnalyzerPtr analyzer) { // If the table has size 1 and the entry is nullptr, there was nothing added yet. Just add it. if ( table.size() == 1 && table[0] == nullptr ) { - table[0] = std::make_shared(analyzer, dispatcher); + table[0] = analyzer; lowest_identifier = identifier; return true; } @@ -48,7 +50,7 @@ bool Dispatcher::Register(uint32_t identifier, AnalyzerPtr analyzer, DispatcherP int64_t index = identifier - lowest_identifier; if ( table[index] == nullptr ) { - table[index] = std::make_shared(analyzer, dispatcher); + table[index] = analyzer; return true; } @@ -65,19 +67,19 @@ void Dispatcher::Register(const register_map& data) }); // Register lowest first in order to do shifting only once - Register(lowest_new->first, lowest_new->second.first, lowest_new->second.second); + Register(lowest_new->first, lowest_new->second); for ( auto i = data.begin(); i != data.end(); i++ ) { // Already added if i == lowest_new if ( i == lowest_new ) continue; - if ( ! Register(i->first, i->second.first, i->second.second) ) + if ( ! Register(i->first, i->second) ) throw std::invalid_argument("Analyzer already registered!"); } } -ValuePtr Dispatcher::Lookup(uint32_t identifier) const +AnalyzerPtr Dispatcher::Lookup(uint32_t identifier) const { int64_t index = identifier - lowest_identifier; if ( index >= 0 && index < static_cast(table.size()) && table[index] != nullptr ) @@ -88,7 +90,7 @@ ValuePtr Dispatcher::Lookup(uint32_t identifier) const size_t Dispatcher::Size() const { - return std::count_if(table.begin(), table.end(), [](ValuePtr v) { return v != nullptr; }); + return std::count_if(table.begin(), table.end(), [](AnalyzerPtr a) { return a != nullptr; }); } void Dispatcher::Clear() 
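Review bot: In `Lookup`, whose signature this hunk changes, `identifier - lowest_identifier` is computed in `uint32_t` before widening to `int64_t`, so an identifier below `lowest_identifier` wraps to a large positive value and the `index >= 0` test can never fire; the lookup stays in bounds only because `index < table.size()` rejects the wrapped value. Widen first, `int64_t index = static_cast<int64_t>(identifier) - lowest_identifier;`, so the guard means what it says. The `Size()` lambda now takes `AnalyzerPtr` by value and bumps a shared_ptr refcount per entry; `const AnalyzerPtr&` is the idiomatic form.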
@@ -111,7 +113,7 @@ void Dispatcher::DumpDebug() const for ( size_t i = 0; i < table.size(); i++ ) { if ( table[i] != nullptr ) - DBG_LOG(DBG_PACKET_ANALYSIS, " %#8lx => %s, %p", i+lowest_identifier, table[i]->analyzer->GetAnalyzerName(), table[i]->dispatcher.get()); + DBG_LOG(DBG_PACKET_ANALYSIS, " %#8lx => %s", i+lowest_identifier, table[i]->GetAnalyzerName()); } #endif } diff --git a/src/packet_analysis/Dispatcher.h b/src/packet_analysis/Dispatcher.h index 18da74923c..8f730022b4 100644 --- a/src/packet_analysis/Dispatcher.h +++ b/src/packet_analysis/Dispatcher.h @@ -2,43 +2,31 @@ #pragma once -#include +#include +#include +#include #include -#include "Analyzer.h" namespace zeek::packet_analysis { -class Dispatcher; // Forward decl for Value -using DispatcherPtr = std::shared_ptr; +class Analyzer; // Forward declaration for Value +using AnalyzerPtr = std::shared_ptr; -using register_pair = std::pair>; -using register_map = std::map>; - -class Value { -public: - AnalyzerPtr analyzer; - DispatcherPtr dispatcher; - - Value(AnalyzerPtr analyzer, DispatcherPtr dispatcher) - : analyzer(analyzer), dispatcher(dispatcher) - { - } -}; - -using ValuePtr = std::shared_ptr; +using register_pair = std::pair; +using register_map = std::map; class Dispatcher { public: Dispatcher() - : table(std::vector(1, nullptr)) + : table(std::vector(1, nullptr)) { } ~Dispatcher(); - bool Register(uint32_t identifier, AnalyzerPtr analyzer, DispatcherPtr dispatcher); + bool Register(uint32_t identifier, AnalyzerPtr analyzer); void Register(const register_map& data); - ValuePtr Lookup(uint32_t identifier) const; + AnalyzerPtr Lookup(uint32_t identifier) const; size_t Size() const; void Clear(); @@ -46,7 +34,7 @@ public: private: uint32_t lowest_identifier = 0; - std::vector table; + std::vector table; void FreeValues(); diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc index 35d52c9244..f7c97d89b4 100644 --- a/src/packet_analysis/Manager.cc 
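Review bot: The comment on the forward declaration, `// Forward declaration for Value`, refers to the `Value` class this hunk deletes; it should read `// Forward declaration; the dispatcher only stores AnalyzerPtr.` or be dropped. With `table` now a vector of `AnalyzerPtr` (a `std::shared_ptr`), the retained `~Dispatcher()` / `FreeValues()` pair presumably has nothing left to free (its body is outside the hunk) and the destructor could become `= default`.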
+++ b/src/packet_analysis/Manager.cc @@ -2,12 +2,7 @@ #include "Manager.h" -#include -#include - -#include "Config.h" #include "NetVar.h" -#include "plugin/Manager.h" #include "Analyzer.h" #include "Dispatcher.h" @@ -18,13 +13,17 @@ Manager::Manager() { } -Manager::~Manager() - { - } - void Manager::InitPostScript() { - auto analyzer_mapping = zeek::id::find("PacketAnalyzer::config_map"); + // Instantiate objects for all available analyzers + for ( const auto& analyzerComponent : GetComponents() ) + { + if ( AnalyzerPtr newAnalyzer = InstantiateAnalyzer(analyzerComponent->Tag()) ) + analyzers.emplace(analyzerComponent->Name(), newAnalyzer); + } + + // Read in analyzer map and create dispatchers + auto& analyzer_mapping = zeek::id::find("PacketAnalyzer::config_map"); if ( ! analyzer_mapping ) return; 
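Review bot: `auto& analyzer_mapping = zeek::id::find("PacketAnalyzer::config_map");` binds a non-const lvalue reference to the call's result; if `zeek::id::find` returns by value (the previous line used plain `auto`), this is a compile error — use `const auto&` or keep `auto`. The loop that instantiates every component silently skips a null `InstantiateAnalyzer` result; a `DBG_LOG` or warning naming the component would make the later `Mapped analyzer %s not found.` warning diagnosable.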
@@ -32,50 +31,48 @@ void Manager::InitPostScript() if ( mapping_val->Size() == 0 ) return; - Config configuration; for (unsigned int i = 0; i < mapping_val->Size(); i++) { auto* rv = mapping_val->At(i)->AsRecordVal(); - auto parent = rv->GetField("parent"); - std::string parent_name = parent ? Lookup(parent->AsEnumVal())->Name() : "ROOT"; + //TODO: Make that field a string for usability reasons + //TODO: Check error handling when fields are omitted + auto& parent_tag = rv->GetField("parent"); + std::string parent_name = parent_tag ? Lookup(parent_tag->AsEnumVal())->Name() : "ROOT"; auto identifier = rv->GetField("identifier")->AsCount(); - auto analyzer = rv->GetField("analyzer")->AsEnumVal(); + auto analyzer_tag = rv->GetField("analyzer")->AsEnumVal(); + auto analyzer_name = Lookup(analyzer_tag)->Name(); - configuration.AddMapping(parent_name, identifier, Lookup(analyzer)->Name()); - } - - // Instantiate objects for all analyzers - for ( const auto& current_dispatcher_config : configuration.GetDispatchers() ) - { - for ( const auto& current_mapping : current_dispatcher_config.GetMappings() ) + if ( analyzers.find(analyzer_name) == analyzers.end() ) { - // Check if already instantiated - if ( analyzers.count(current_mapping.second) != 0 ) - continue; - - // Check if analyzer exists - if ( AnalyzerPtr newAnalyzer = InstantiateAnalyzer(current_mapping.second) ) - analyzers.emplace(current_mapping.second, newAnalyzer); + reporter->InternalWarning("Mapped analyzer %s not found.", analyzer_name.c_str()); + continue; } + + if ( parent_name == "ROOT" ) + { + root_dispatcher.Register(identifier, analyzers[analyzer_name]); + continue; + } + + if ( analyzers.find(parent_name) == analyzers.end() ) + { + reporter->InternalWarning("Parent analyzer %s not found.", parent_name.c_str()); + continue; + } + + auto& parent_analyzer = analyzers[parent_name]; + parent_analyzer->RegisterAnalyzerMapping(identifier, analyzers[analyzer_name]); } - // Generate Dispatchers, starting at root 
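Review bot: Both `root_dispatcher.Register(identifier, analyzers[analyzer_name])` and `parent_analyzer->RegisterAnalyzerMapping(identifier, analyzers[analyzer_name])` discard the `bool` result, so a duplicate identifier in `PacketAnalyzer::config_map` now silently keeps the first mapping and drops the later one; the deleted `DispatcherConfig::AddMapping` used to report this with `InternalError`. Check the result, e.g. `if ( ! parent_analyzer->RegisterAnalyzerMapping(identifier, analyzers[analyzer_name]) ) reporter->InternalWarning("Duplicate mapping %#x under %s.", identifier, parent_name.c_str());`, and the same for the root path. `rv->GetField("identifier")->AsCount()` and `GetField("analyzer")->AsEnumVal()` also dereference without null checks, as the TODO acknowledges; if the record type allows an omitted field this crashes at startup.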
- root_dispatcher = GetDispatcher(configuration, "ROOT"); - if ( root_dispatcher == nullptr ) - reporter->InternalError("No dispatching configuration for ROOT of packet_analysis set."); + // Set default analyzer + auto da_it = analyzers.find("DefaultAnalyzer"); + if ( da_it == analyzers.end() ) + reporter->InternalError("DefaultAnalyzer not found."); + default_analyzer = da_it->second; - // Set up default analysis - auto it = analyzers.find("DefaultAnalyzer"); - if ( it != analyzers.end() ) - default_analyzer = it->second; - else - default_analyzer = InstantiateAnalyzer("DefaultAnalyzer"); - - default_dispatcher = nullptr; - if ( default_analyzer != nullptr ) - default_dispatcher = GetDispatcher(configuration, "DefaultAnalyzer"); - - current_state = root_dispatcher; + // Initialize all analyzers + for ( auto& [name, analyzer] : analyzers ) + analyzer->Initialize(); } void Manager::Done() @@ -90,13 +87,6 @@ void Manager::DumpDebug() { DBG_LOG(DBG_PACKET_ANALYSIS, " %s", current->Name().c_str()); } - - DBG_LOG(DBG_PACKET_ANALYSIS, "ProtocolAnalyzerSet FSM:"); - for ( const auto& current : dispatchers ) - { - DBG_LOG(DBG_PACKET_ANALYSIS, " Dispatcher (%p): %s", current.second.get(), current.first.c_str()); - current.second->DumpDebug(); - } #endif } @@ -128,7 +118,6 @@ AnalyzerPtr Manager::InstantiateAnalyzer(const Tag& tag) { reporter->InternalError("Mismatch of requested analyzer %s and instantiated analyzer %s. This usually means that the plugin author made a mistake.", GetComponentName(tag).c_str(), GetComponentName(a->GetAnalyzerTag()).c_str()); - return nullptr; } return a; 
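Review bot: The `@@ -128,7 +118,6 @@` hunk removes `return nullptr;` after `reporter->InternalError(...)` in `InstantiateAnalyzer`, so the function now falls through to `return a;` with the mismatched analyzer should `InternalError` ever return; unless it is declared `[[noreturn]]`, keep the early return or add a comment stating that the call aborts. The new `DefaultAnalyzer not found.` check in `InitPostScript` likewise relies on `InternalError` not returning before `da_it->second` is dereferenced.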
@@ -146,29 +135,18 @@ void Manager::ProcessPacket(Packet* packet) static size_t counter = 0; DBG_LOG(DBG_PACKET_ANALYSIS, "Analyzing packet %ld, ts=%.3f...", ++counter, packet->time); #endif - // Start packet analysis const uint8_t* data = packet->data; - auto root_analyzer = Dispatch(packet->link_type); - if ( root_analyzer == nullptr ) - { - DBG_LOG(DBG_PACKET_ANALYSIS, "No analyzer for link type: %#x.", packet->link_type); - packet->Weird("no_suitable_analyzer_found"); - } - else - { - auto result = root_analyzer->Analyze(packet, data); + auto root_analyzer = root_dispatcher.Lookup(packet->link_type); + auto analyzer = root_analyzer == nullptr ? default_analyzer : root_analyzer; - if (result == AnalyzerResult::Terminate) - CustomEncapsulationSkip(packet, data); - } - - // Processing finished, reset analyzer set state for next packet - current_state = root_dispatcher; + auto result = analyzer->Analyze(packet, data); + if (result == AnalyzerResult::Terminate) + CustomEncapsulationSkip(packet, data); // Calculate header size after processing packet layers. - packet->hdr_size = data - packet->data; + packet->hdr_size = static_cast(data - packet->data); } void Manager::CustomEncapsulationSkip(Packet* packet, const uint8_t* data) 
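Review bot: `ProcessPacket` now treats a `Failed` result like any non-`Terminate` result: it skips `CustomEncapsulationSkip` but still sets `packet->hdr_size` from the partially advanced `data` and hands the packet on, with `l3_proto` left however the failing analyzer left it. If a failed packet is meant to go no further, return early with `if ( result == AnalyzerResult::Failed ) return;` before the `Terminate` check; if it is meant to continue, a comment explaining why a partial header size is acceptable would help, since the `Weird` raised inside the analyzer is the only trace of the failure.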
@@ -203,67 +181,3 @@ void Manager::CustomEncapsulationSkip(Packet* packet, const uint8_t* data) } } } - -AnalyzerPtr Manager::Dispatch(uint32_t identifier) - { - // Because leaf nodes (aka no more dispatching) can still have an existing analyzer that returns more identifiers, - // current_state needs to be checked to be not null. In this case there would have been an analyzer dispatched - // in the last layer, but no dispatcher for it (end of FSM) - ValuePtr result = nullptr; - if ( current_state ) - result = current_state->Lookup(identifier); - - if ( result == nullptr ) - { - if ( current_state != default_dispatcher ) - { - // Switch to default analysis once - current_state = default_dispatcher; - return default_analyzer; - } - return nullptr; - } - else - { - current_state = result->dispatcher; - return result->analyzer; - } - } - -DispatcherPtr Manager::GetDispatcher(Config& configuration, const std::string& dispatcher_name) - { - // Is it already created? - if ( dispatchers.count(dispatcher_name) != 0 ) - return dispatchers[dispatcher_name]; - - // Create new dispatcher from config - std::optional> dispatcher_config = - configuration.GetDispatcherConfig(dispatcher_name); - - if ( ! dispatcher_config ) - // No such dispatcher found, this is therefore implicitly a leaf - return nullptr; - - const auto& mappings = dispatcher_config->get().GetMappings(); - - DispatcherPtr dispatcher = std::make_shared(); - dispatchers.emplace(dispatcher_name, dispatcher); - - for ( const auto& current_mapping : mappings ) - { - // No analyzer with this name. Report warning and ignore. 
- if ( analyzers.count(current_mapping.second) == 0 ) - { - reporter->InternalWarning("No analyzer %s found for dispatching identifier %#x of %s, ignoring.", - current_mapping.second.c_str(), - current_mapping.first, - dispatcher_name.c_str()); - continue; - } - - dispatcher->Register(current_mapping.first, analyzers.at(current_mapping.second), - GetDispatcher(configuration, current_mapping.second)); - } - - return dispatcher; - } diff --git a/src/packet_analysis/Manager.h b/src/packet_analysis/Manager.h index 4ad9f76b11..da0a74b70b 100644 --- a/src/packet_analysis/Manager.h +++ b/src/packet_analysis/Manager.h @@ -2,23 +2,16 @@ #pragma once -#include -#include - -#include "Config.h" #include "Tag.h" #include "Component.h" #include "plugin/ComponentManager.h" #include "iosource/Packet.h" -#include "Dict.h" -#include "net_util.h" +#include "Dispatcher.h" namespace zeek::packet_analysis { class Analyzer; -class Dispatcher; using AnalyzerPtr = std::shared_ptr; -using DispatcherPtr = std::shared_ptr; class Manager : public plugin::ComponentManager { public: @@ -30,7 +23,7 @@ public: /** * Destructor. */ - ~Manager(); + ~Manager() = default; /** * Second-stage initialization of the manager. This is called late @@ -50,14 +43,6 @@ public: */ void DumpDebug(); // Called after zeek_init() events. - /** - * Returns the tag associated with an analyer name, or the tag - * associated with an error if no such analyzer exists. - * - * @param name The canonical analyzer name to check. - */ - Tag GetAnalyzerTag(const char* name); - /** * Instantiates a new analyzer instance. * 
@@ -87,18 +72,7 @@ public: */ void ProcessPacket(Packet* packet); - /** - * Looks up a packet analyzer by identifier considering the context - * as given by current_state. - * - * @param identifier The identifier to look up. - * - * @return The analyzer corresponding to the identifier. - */ - AnalyzerPtr Dispatch(uint32_t identifier); - private: - /** * Skips a fixed amount of packet data that is defined by encap_hdr_size. * It is assumed that an IP header follows. @@ -109,13 +83,8 @@ private: */ void CustomEncapsulationSkip(Packet* packet, const uint8_t* data); - DispatcherPtr GetDispatcher(Config& configuration, const std::string& dispatcher_name); - std::map analyzers; - std::map dispatchers; - DispatcherPtr root_dispatcher = nullptr; - DispatcherPtr default_dispatcher = nullptr; - DispatcherPtr current_state = nullptr; + Dispatcher root_dispatcher; AnalyzerPtr default_analyzer = nullptr; }; diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt index dc3327460d..df1e5ca0d3 100644 --- a/src/packet_analysis/protocol/CMakeLists.txt +++ b/src/packet_analysis/protocol/CMakeLists.txt @@ -1,5 +1,5 @@ -#add_subdirectory(default) -# +add_subdirectory(default) + #add_subdirectory(wrapper) #add_subdirectory(null) add_subdirectory(ethernet) diff --git a/src/packet_analysis/protocol/default/Default.cc b/src/packet_analysis/protocol/default/Default.cc index 6d53fd3669..2b5c433ab1 100644 --- a/src/packet_analysis/protocol/default/Default.cc +++ b/src/packet_analysis/protocol/default/Default.cc 
@@ -10,17 +10,17 @@ DefaultAnalyzer::DefaultAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple DefaultAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult DefaultAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { // Assume we're pointing at IP. Just figure out which version. if ( data + sizeof(struct ip) >= packet->GetEndOfData() ) { packet->Weird("packet_analyzer_truncated_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } auto ip = (const struct ip *)data; uint32_t protocol = ip->ip_v; - return { AnalyzerResult::Continue, protocol }; + return AnalyzeInnerPacket(packet, data, protocol); } diff --git a/src/packet_analysis/protocol/default/Default.h b/src/packet_analysis/protocol/default/Default.h index 43a8d48f89..fbe03a83fc 100644 --- a/src/packet_analysis/protocol/default/Default.h +++ b/src/packet_analysis/protocol/default/Default.h @@ -12,7 +12,7 @@ public: DefaultAnalyzer(); ~DefaultAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { From 462b1fe3a2b7980dc2308467a6f30eddc2729f11 Mon Sep 17 00:00:00 2001 
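Review bot: The truncation guard `if ( data + sizeof(struct ip) >= packet->GetEndOfData() )` that the new `return AnalyzeInnerPacket(packet, data, protocol);` now relies on rejects a packet whose remaining length is exactly `sizeof(struct ip)`, i.e. a 20-byte IPv4 header with no payload, as "packet_analyzer_truncated_header"; `>` is the comparison that matches the comment "Assume we're pointing at IP", assuming the IPv4/IPv6 analyzers validate their own headers. Only `ip->ip_v` is read here, so the check guarantees neither a complete IPv4 header with options nor a 40-byte IPv6 header; a comment such as `// Only the version nibble is inspected here; the dispatched IPv4/IPv6 analyzer must validate the full header.` would keep the next reader from treating this as header validation. The guard itself is context rather than new code in this hunk.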
From: Jan Grashoefer Date: Fri, 21 Aug 2020 18:11:05 +0200 Subject: [PATCH 17/43] Bring back default packet analysis. Default analyzers can be configured per packet analyzer by omitting the identifier in the ConfigEntry. --- scripts/base/init-bare.zeek | 5 +-- scripts/base/packet-protocols/__load__.zeek | 2 +- .../base/packet-protocols/default/main.zeek | 1 + .../base/packet-protocols/ethernet/main.zeek | 3 +- src/packet_analysis/Analyzer.cc | 14 +++++++-- src/packet_analysis/Analyzer.h | 24 ++++++++++++-- src/packet_analysis/Manager.cc | 31 ++++++++++++------- .../protocol/default/Default.cc | 18 +++++++++++ .../protocol/default/Default.h | 4 +++ 9 files changed, 81 insertions(+), 21 deletions(-) diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index 5c86024202..dd21ff686a 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -5357,8 +5357,9 @@ export { parent : PacketAnalyzer::Tag &optional; # A numeric identifier, which can be found in the packet data, that denotes the - # encapsulated protocol. - identifier : count; + # encapsulated protocol. This field is optional. If it is not included, the + # configured child analyzer will be used as default analyzer. + identifier : count &optional; # The analyzer that corresponds to the above identifier. analyzer : PacketAnalyzer::Tag; diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek index c64d5442a4..75055a3e47 100644 --- a/scripts/base/packet-protocols/__load__.zeek +++ b/scripts/base/packet-protocols/__load__.zeek @@ -1,4 +1,4 @@ -#@load base/packet-protocols/default +@load base/packet-protocols/default @load base/packet-protocols/ethernet #@load base/packet-protocols/fddi #@load base/packet-protocols/ieee802_11 diff --git a/scripts/base/packet-protocols/default/main.zeek b/scripts/base/packet-protocols/default/main.zeek index 2d0d451d3f..12c8099b2d 100644 --- a/scripts/base/packet-protocols/default/main.zeek 
+++ b/scripts/base/packet-protocols/default/main.zeek @@ -1,6 +1,7 @@ module LL_DEFAULT; redef PacketAnalyzer::config_map += { + PacketAnalyzer::ConfigEntry($analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_DEFAULTANALYZER, $identifier=4, $analyzer=PacketAnalyzer::ANALYZER_IPV4), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_DEFAULTANALYZER, $identifier=6, $analyzer=PacketAnalyzer::ANALYZER_IPV6) }; diff --git a/scripts/base/packet-protocols/ethernet/main.zeek b/scripts/base/packet-protocols/ethernet/main.zeek index b7a242efb0..217780423e 100644 --- a/scripts/base/packet-protocols/ethernet/main.zeek +++ b/scripts/base/packet-protocols/ethernet/main.zeek @@ -12,5 +12,6 @@ redef PacketAnalyzer::config_map += { #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x88A8, $analyzer=PacketAnalyzer::ANALYZER_VLAN), #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x9100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), - #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE) + #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER) }; diff --git a/src/packet_analysis/Analyzer.cc b/src/packet_analysis/Analyzer.cc index 05fdccd416..3aeeea9d75 100644 --- a/src/packet_analysis/Analyzer.cc +++ b/src/packet_analysis/Analyzer.cc 
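Review bot: The new entry `PacketAnalyzer::ConfigEntry($analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER)` has neither `$parent` nor `$identifier`, which under the updated ConfigEntry semantics makes DefaultAnalyzer the root fallback, so frames of any link type without a dedicated analyzer are parsed as an IP header starting at byte 0. Nothing in the script says so; a comment above the entry, `# Root fallback: link types without a registered analyzer are treated as raw IP.`, would document the choice. The module is also still named `LL_DEFAULT` while the Ethernet script in this series moves to a `PacketAnalyzer::` module name. Whether Zeek requires a root default to be present at all is not visible here.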
@@ -47,14 +47,24 @@ bool Analyzer::RegisterAnalyzerMapping(uint32_t identifier, AnalyzerPtr analyzer return dispatcher.Register(identifier, std::move(analyzer)); } +void Analyzer::RegisterDefaultAnalyzer(AnalyzerPtr default_analyzer) + { + this->default_analyzer = std::move(default_analyzer); + } + +AnalyzerPtr Analyzer::Lookup(uint32_t identifier) const + { + return dispatcher.Lookup(identifier); + } + AnalyzerResult Analyzer::AnalyzeInnerPacket(Packet* packet, const uint8_t*& data, uint32_t identifier) const { - auto inner_analyzer = dispatcher.Lookup(identifier); + auto inner_analyzer = Lookup(identifier); + inner_analyzer = inner_analyzer ? inner_analyzer : default_analyzer; if ( inner_analyzer == nullptr ) { - //TODO: Handle default analysis here DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s failed, could not find analyzer for identifier %#x.", GetAnalyzerName(), identifier); packet->Weird("no_suitable_analyzer_found"); diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h index 4cc32243ea..80191d61fe 100644 --- a/src/packet_analysis/Analyzer.h +++ b/src/packet_analysis/Analyzer.h @@ -74,10 +74,17 @@ public: * * @param identifier The identifier an analyzer should be called for. * @param analyzer The analyzer that should be called. - * @return True if the registration was successfull. + * @return True if the registration was successful. */ bool RegisterAnalyzerMapping(uint32_t identifier, AnalyzerPtr analyzer); + /** + * Registers a default analyzer. + * + * @param default_analyzer The analyzer to use as default. + */ + void RegisterDefaultAnalyzer(AnalyzerPtr default_analyzer); + /** * Analyzes the given packet. The data reference points to the part of the * raw packet to be analyzed. If the analyzed protocol encapsulates another 
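Review bot: `RegisterDefaultAnalyzer` silently replaces whatever default was registered before, whereas the sibling `RegisterAnalyzerMapping` returns a bool so callers can detect a duplicate registration; with config entries collected from a redef-able table, two identifier-less entries for the same parent leave whichever came last, with no diagnostic. Consider returning `bool` (false when `default_analyzer` was already set) and stating in the header comment: `Replaces a previously registered default analyzer, if any.` The new fallback line `inner_analyzer = inner_analyzer ? inner_analyzer : default_analyzer;` also means an unmapped identifier no longer produces a weird once a default exists, which appears intended but deserves a one-line comment at that point.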
@@ -95,6 +102,16 @@ public: protected: friend class Manager; + /** + * Looks up the analyzer for the encapsulated protocol based on the given + * identifier. + * + * @param identifier Identifier for the encapsulated protocol. + * @return The analyzer registered for the given identifier. Returns a + * nullptr if no analyzer is registered. + */ + AnalyzerPtr Lookup(uint32_t identifier) const; + /** * Triggers analysis of the encapsulated packet. The encapsulated protocol * is determined using the given identifier. @@ -105,12 +122,13 @@ protected: * * @return The outcome of the analysis. */ - AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data, - uint32_t identifier) const; + virtual AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data, + uint32_t identifier) const; private: Tag tag; Dispatcher dispatcher; + AnalyzerPtr default_analyzer = nullptr; void Init(const Tag& tag); }; diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc index f7c97d89b4..b17911bcc4 100644 --- a/src/packet_analysis/Manager.cc +++ b/src/packet_analysis/Manager.cc @@ -36,9 +36,9 @@ void Manager::InitPostScript() auto* rv = mapping_val->At(i)->AsRecordVal(); //TODO: Make that field a string for usability reasons //TODO: Check error handling when fields are omitted - auto& parent_tag = rv->GetField("parent"); - std::string parent_name = parent_tag ? Lookup(parent_tag->AsEnumVal())->Name() : "ROOT"; - auto identifier = rv->GetField("identifier")->AsCount(); + auto& parent_val = rv->GetField("parent"); + std::string parent_name = parent_val ? Lookup(parent_val->AsEnumVal())->Name() : "ROOT"; + auto& identifier_val = rv->GetField("identifier"); auto analyzer_tag = rv->GetField("analyzer")->AsEnumVal(); auto analyzer_name = Lookup(analyzer_tag)->Name(); 
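Review bot: `Lookup(parent_val->AsEnumVal())->Name()` and `Lookup(analyzer_tag)->Name()` dereference the component lookup without a nullptr check, directly under the retained `//TODO: Check error handling when fields are omitted`; later in this series the identical call in `Manager::GetAnalyzer(EnumVal*)` is guarded with `if ( ! analyzer_comp ) return nullptr;`, so a null return is evidently considered possible. A config entry carrying a tag with no registered component would then crash at startup instead of being reported; `auto* comp = Lookup(analyzer_tag); if ( ! comp ) { reporter->InternalWarning("config_map entry refers to an unknown packet analyzer, ignoring"); continue; }` (and the same for the parent) keeps initialization going. The enclosing loop of InitPostScript starts outside the hunk.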
@@ -50,7 +50,11 @@ void Manager::InitPostScript() if ( parent_name == "ROOT" ) { - root_dispatcher.Register(identifier, analyzers[analyzer_name]); + if ( identifier_val ) + root_dispatcher.Register(identifier_val->AsCount(), + analyzers[analyzer_name]); + else + default_analyzer = analyzers[analyzer_name]; continue; } @@ -61,15 +65,13 @@ void Manager::InitPostScript() } auto& parent_analyzer = analyzers[parent_name]; - parent_analyzer->RegisterAnalyzerMapping(identifier, analyzers[analyzer_name]); + if ( identifier_val ) + parent_analyzer->RegisterAnalyzerMapping(identifier_val->AsCount(), + analyzers[analyzer_name]); + else + parent_analyzer->RegisterDefaultAnalyzer(analyzers[analyzer_name]); } - // Set default analyzer - auto da_it = analyzers.find("DefaultAnalyzer"); - if ( da_it == analyzers.end() ) - reporter->InternalError("DefaultAnalyzer not found."); - default_analyzer = da_it->second; - // Initialize all analyzers for ( auto& [name, analyzer] : analyzers ) analyzer->Initialize(); @@ -139,7 +141,12 @@ void Manager::ProcessPacket(Packet* packet) const uint8_t* data = packet->data; auto root_analyzer = root_dispatcher.Lookup(packet->link_type); - auto analyzer = root_analyzer == nullptr ? default_analyzer : root_analyzer; + auto analyzer = root_analyzer ? root_analyzer : default_analyzer; + if ( !analyzer ) + { + reporter->InternalWarning("No analyzer for link type %#x", packet->link_type); + return; + } auto result = analyzer->Analyze(packet, data); if (result == AnalyzerResult::Terminate) diff --git a/src/packet_analysis/protocol/default/Default.cc b/src/packet_analysis/protocol/default/Default.cc index 2b5c433ab1..de904f9ad7 100644 --- a/src/packet_analysis/protocol/default/Default.cc +++ b/src/packet_analysis/protocol/default/Default.cc 
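Review bot: `analyzers[analyzer_name]` and `analyzers[parent_name]` use `std::map::operator[]`, which inserts an empty `AnalyzerPtr` when the name has no instantiated analyzer, so a config entry for an analyzer that was never instantiated registers a null dispatch target or null default instead of being reported. The null is later masked by the `inner_analyzer ? inner_analyzer : default_analyzer` fallback and by the `if ( !analyzer )` check in ProcessPacket, which makes the misconfiguration invisible; `auto it = analyzers.find(analyzer_name); if ( it == analyzers.end() || ! it->second ) { reporter->InternalWarning("No instance of packet analyzer %s, ignoring config entry", analyzer_name.c_str()); continue; }` before the `parent_name == "ROOT"` branch surfaces it. Whether the instantiation loop can leave an entry absent or null is not visible here. Separately, the new `reporter->InternalWarning("No analyzer for link type %#x", ...)` in ProcessPacket fires once per packet, so a capture with an unmapped link type floods the reporter; a one-time warning or a `packet->Weird` would be kinder.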
@@ -24,3 +24,21 @@ zeek::packet_analysis::AnalyzerResult DefaultAnalyzer::Analyze(Packet* packet, c return AnalyzeInnerPacket(packet, data, protocol); } + +zeek::packet_analysis::AnalyzerResult DefaultAnalyzer::AnalyzeInnerPacket(Packet* packet, + const uint8_t*& data, uint32_t identifier) const + { + auto inner_analyzer = Lookup(identifier); + + if ( inner_analyzer == nullptr ) + { + DBG_LOG(DBG_PACKET_ANALYSIS, "Default analysis in %s failed, could not find analyzer for identifier %#x.", + GetAnalyzerName(), identifier); + packet->Weird("no_suitable_analyzer_found"); + return AnalyzerResult::Failed; + } + + DBG_LOG(DBG_PACKET_ANALYSIS, "Default analysis in %s succeeded, next layer identifier is %#x.", + GetAnalyzerName(), identifier); + return inner_analyzer->Analyze(packet, data); + } \ No newline at end of file diff --git a/src/packet_analysis/protocol/default/Default.h b/src/packet_analysis/protocol/default/Default.h index fbe03a83fc..9a37a11a44 100644 --- a/src/packet_analysis/protocol/default/Default.h +++ b/src/packet_analysis/protocol/default/Default.h @@ -18,6 +18,10 @@ public: { return std::make_shared(); } + +protected: + AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data, + uint32_t identifier) const override; }; } From cbdaa53f8513b5ae4e2d6ba4ad16b6ab81e5b66e Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Mon, 24 Aug 2020 14:42:16 +0200 Subject: [PATCH 18/43] Remove magic identifiers from Ethernet analyzer. --- .../base/packet-protocols/ethernet/main.zeek | 6 +- src/packet_analysis/Manager.cc | 70 ++++++++++++------- src/packet_analysis/Manager.h | 38 +++++++--- .../protocol/ethernet/Ethernet.cc | 46 +++++++++--- .../protocol/ethernet/Ethernet.h | 8 +++ 5 files changed, 119 insertions(+), 49 deletions(-) diff --git a/scripts/base/packet-protocols/ethernet/main.zeek b/scripts/base/packet-protocols/ethernet/main.zeek index 217780423e..05feb246db 100644 --- a/scripts/base/packet-protocols/ethernet/main.zeek 
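Review bot: The new `DefaultAnalyzer::AnalyzeInnerPacket` override drops the default-analyzer fallback of the base implementation without saying why; the most plausible reason, given that the scripts in this patch register ANALYZER_DEFAULTANALYZER both as the root default and as the default under Ethernet, is to keep DefaultAnalyzer from recursing into itself when it is also its own default, but that is inferred, not stated. A header comment on the override in Default.h, along the lines of `Overrides the base lookup to never fall back to a default analyzer: DefaultAnalyzer is itself the default for several parents, and an unknown IP version must fail here rather than loop.`, would pin the intent. The file also loses its trailing newline (`\ No newline at end of file`).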
+++ b/scripts/base/packet-protocols/ethernet/main.zeek @@ -1,4 +1,4 @@ -module LL_ETHERNET; +module PacketAnalyzer::Ethernet; const DLT_EN10MB : count = 1; @@ -15,3 +15,7 @@ redef PacketAnalyzer::config_map += { #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER) }; + +const snap_analyzer: PacketAnalyzer::Tag &redef; +const novell_raw_analyzer: PacketAnalyzer::Tag &redef; +const llc_analyzer: PacketAnalyzer::Tag &redef; diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc index b17911bcc4..663c85fd6f 100644 --- a/src/packet_analysis/Manager.cc +++ b/src/packet_analysis/Manager.cc 
@@ -92,6 +92,49 @@ void Manager::DumpDebug() #endif } +AnalyzerPtr Manager::GetAnalyzer(EnumVal *val) + { + auto analyzer_comp = Lookup(val); + if ( ! analyzer_comp ) + return nullptr; + + return GetAnalyzer(analyzer_comp->Name()); + } + +AnalyzerPtr Manager::GetAnalyzer(const std::string& name) + { + auto analyzer_it = analyzers.find(name); + if ( analyzer_it == analyzers.end() ) + return nullptr; + + return analyzer_it->second; + } + +void Manager::ProcessPacket(Packet* packet) + { +#ifdef DEBUG + static size_t counter = 0; + DBG_LOG(DBG_PACKET_ANALYSIS, "Analyzing packet %ld, ts=%.3f...", ++counter, packet->time); +#endif + // Start packet analysis + const uint8_t* data = packet->data; + + auto root_analyzer = root_dispatcher.Lookup(packet->link_type); + auto analyzer = root_analyzer ? root_analyzer : default_analyzer; + if ( !analyzer ) + { + reporter->InternalWarning("No analyzer for link type %#x", packet->link_type); + return; + } + + auto result = analyzer->Analyze(packet, data); + if (result == AnalyzerResult::Terminate) + CustomEncapsulationSkip(packet, data); + + // Calculate header size after processing packet layers. + packet->hdr_size = static_cast(data - packet->data); + } + AnalyzerPtr Manager::InstantiateAnalyzer(const Tag& tag) { Component* c = Lookup(tag); @@ -119,7 +162,7 @@ AnalyzerPtr Manager::InstantiateAnalyzer(const Tag& tag) if ( tag != a->GetAnalyzerTag() ) { reporter->InternalError("Mismatch of requested analyzer %s and instantiated analyzer %s. This usually means that the plugin author made a mistake.", - GetComponentName(tag).c_str(), GetComponentName(a->GetAnalyzerTag()).c_str()); + GetComponentName(tag).c_str(), GetComponentName(a->GetAnalyzerTag()).c_str()); } return a; 
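Review bot: `DBG_LOG(DBG_PACKET_ANALYSIS, "Analyzing packet %ld, ts=%.3f...", ++counter, packet->time)` formats a `size_t` with `%ld`; the matching specifier is `%zu`, and `-Wformat` flags this in the moved code. The early `return;` for the no-analyzer case also skips the `packet->hdr_size = ...` assignment at the end of ProcessPacket, so that packet keeps whatever `hdr_size` it was constructed with (not visible here); setting `packet->hdr_size = 0;` before returning, or a comment stating that the packet is abandoned at this point, would make the state explicit.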
@@ -131,31 +174,6 @@ AnalyzerPtr Manager::InstantiateAnalyzer(const std::string& name) return tag ? InstantiateAnalyzer(tag) : nullptr; } -void Manager::ProcessPacket(Packet* packet) - { -#ifdef DEBUG - static size_t counter = 0; - DBG_LOG(DBG_PACKET_ANALYSIS, "Analyzing packet %ld, ts=%.3f...", ++counter, packet->time); -#endif - // Start packet analysis - const uint8_t* data = packet->data; - - auto root_analyzer = root_dispatcher.Lookup(packet->link_type); - auto analyzer = root_analyzer ? root_analyzer : default_analyzer; - if ( !analyzer ) - { - reporter->InternalWarning("No analyzer for link type %#x", packet->link_type); - return; - } - - auto result = analyzer->Analyze(packet, data); - if (result == AnalyzerResult::Terminate) - CustomEncapsulationSkip(packet, data); - - // Calculate header size after processing packet layers. - packet->hdr_size = static_cast(data - packet->data); - } - void Manager::CustomEncapsulationSkip(Packet* packet, const uint8_t* data) { if ( zeek::detail::encap_hdr_size > 0 ) diff --git a/src/packet_analysis/Manager.h b/src/packet_analysis/Manager.h index da0a74b70b..cbded374e1 100644 --- a/src/packet_analysis/Manager.h +++ b/src/packet_analysis/Manager.h 
@@ -44,26 +44,22 @@ public: void DumpDebug(); // Called after zeek_init() events. /** - * Instantiates a new analyzer instance. + * Looks up an analyzer instance. * - * @param tag The analyzer's tag. + * @param val The analyzer's tag value. * - * @return The new analyzer instance. Returns - * null if tag is invalid, the requested analyzer is disabled, or the - * analyzer can't be instantiated. + * @return The analyzer instance or nullptr if no instance is found. */ - AnalyzerPtr InstantiateAnalyzer(const Tag& tag); + AnalyzerPtr GetAnalyzer(EnumVal *val); /** - * Instantiates a new analyzer. + * Looks up an analyzer instance. * * @param name The name of the analyzer. * - * @return The new analyzer instance. Returns - * null if the name is not known or if the requested analyzer that is - * disabled. + * @return The analyzer instance or nullptr if no instance is found. */ - AnalyzerPtr InstantiateAnalyzer(const std::string& name); + AnalyzerPtr GetAnalyzer(const std::string& name); /** * Processes a packet by applying the configured packet analyzers. @@ -73,6 +69,26 @@ public: void ProcessPacket(Packet* packet); private: + /** + * Instantiates a new analyzer instance. + * + * @param tag The analyzer's tag. + * + * @return The new analyzer instance. Returns null if tag is invalid, the + * requested analyzer is disabled, or the analyzer can't be instantiated. + */ + AnalyzerPtr InstantiateAnalyzer(const Tag& tag); + + /** + * Instantiates a new analyzer. + * + * @param name The name of the analyzer. + * + * @return The new analyzer instance. Returns null if the name is not known + * or if the requested analyzer that is disabled. + */ + AnalyzerPtr InstantiateAnalyzer(const std::string& name); + /** * Skips a fixed amount of packet data that is defined by encap_hdr_size. * It is assumed that an IP header follows. diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.cc b/src/packet_analysis/protocol/ethernet/Ethernet.cc index 7f152ad5bc..cd5c5889b4 100644 
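Review bot: The doc comment moved onto the now-private `InstantiateAnalyzer(const std::string&)` still reads "or if the requested analyzer that is disabled", which is ungrammatical; `or if the requested analyzer is disabled.` is meant. The new `GetAnalyzer(EnumVal *val)` comment could also state that a tag whose component is not registered yields nullptr, matching the `if ( ! analyzer_comp )` branch in the implementation, so callers know both "unknown tag" and "no instance" collapse to the same result.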
--- a/src/packet_analysis/protocol/ethernet/Ethernet.cc +++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc @@ -2,6 +2,7 @@ #include "Ethernet.h" #include "NetVar.h" +#include "Manager.h" using namespace zeek::packet_analysis::Ethernet; @@ -10,6 +11,26 @@ EthernetAnalyzer::EthernetAnalyzer() { } +void EthernetAnalyzer::Initialize() + { + SNAPAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::snap_analyzer"); + NovellRawAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::novell_raw_analyzer"); + LLCAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::llc_analyzer"); + } + +zeek::packet_analysis::AnalyzerPtr EthernetAnalyzer::LoadAnalyzer(const std::string &name) + { + auto& analyzer = zeek::id::find(name); + if ( ! analyzer ) + return nullptr; + + auto& analyzer_val = analyzer->GetVal(); + if ( ! analyzer_val ) + return nullptr; + + return packet_mgr->GetAnalyzer(analyzer_val->AsEnumVal()); + } + zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { auto end_of_data = packet->GetEndOfData(); 
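Review bot: `LoadAnalyzer` returns nullptr for three distinct situations — the script constant does not exist, it exists but has no value, or it names a tag for which no analyzer instance exists — so `Initialize` cannot tell an intentionally unset `snap_analyzer` from a misconfiguration. Only the last case is an error worth reporting; `auto result = packet_mgr->GetAnalyzer(analyzer_val->AsEnumVal()); if ( ! result ) reporter->InternalWarning("%s names a packet analyzer with no instance", name.c_str()); return result;` would surface it (Ethernet.cc does not visibly include the reporter header, so that may need adding). A one-line comment on `Initialize`, `// Resolved once at startup; later redefs of the script constants have no effect.`, would also document the lookup timing, assuming `Initialize` is only called from the manager's post-script initialization as the Manager.cc hunk of the previous patch suggests.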
@@ -59,22 +80,25 @@ zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::Analyze(Packet* packet, return AnalyzerResult::Failed; } - // In the following we use undefined EtherTypes to signal uncommon - // frame types. This allows specialized analyzers to take over. + // Let specialized analyzers take over for non Ethernet II frames. // Note that pdata remains at the start of the ethernet frame. - //TODO: Lookup the analyzers on startup - // IEEE 802.2 SNAP + AnalyzerPtr eth_analyzer = nullptr; + if ( data[14] == 0xAA && data[15] == 0xAA) - return AnalyzeInnerPacket(packet, data, 1502); + // IEEE 802.2 SNAP + eth_analyzer = SNAPAnalyzer; + else if ( data[14] == 0xFF && data[15] == 0xFF) + // Novell raw IEEE 802.3 + eth_analyzer = NovellRawAnalyzer; + else + // IEEE 802.2 LLC + eth_analyzer = LLCAnalyzer; - // Novell raw IEEE 802.3 - if ( data[14] == 0xFF && data[15] == 0xFF) - return AnalyzeInnerPacket(packet, data, 1503); + if ( eth_analyzer ) + return eth_analyzer->Analyze(packet, data); - - // IEEE 802.2 LLC - return AnalyzeInnerPacket(packet, data, 1501); + return AnalyzerResult::Terminate; } // Undefined (1500 < EtherType < 1536) diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.h b/src/packet_analysis/protocol/ethernet/Ethernet.h index 22f51b233d..c1f89a6f02 100644 --- a/src/packet_analysis/protocol/ethernet/Ethernet.h +++ b/src/packet_analysis/protocol/ethernet/Ethernet.h @@ -12,12 +12,20 @@ public: EthernetAnalyzer(); ~EthernetAnalyzer() override = default; + void Initialize() override; AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { return std::make_shared(); } + +private: + AnalyzerPtr SNAPAnalyzer = nullptr; + AnalyzerPtr NovellRawAnalyzer = nullptr; + AnalyzerPtr LLCAnalyzer = nullptr; + + AnalyzerPtr LoadAnalyzer(const std::string& name); }; } From 6365fa6d805ea27d2766a479cec2c6b50badf489 Mon Sep 17 00:00:00 2001 
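Review bot: The new `return AnalyzerResult::Terminate;` for a non-Ethernet-II frame with no specialized analyzer configured leaves `data` at the start of the frame and emits no weird, so with the script constants `snap_analyzer`, `novell_raw_analyzer` and `llc_analyzer` declared without a value, every 802.3/LLC frame ends packet analysis with a header size of 0 and, per ProcessPacket, goes through `CustomEncapsulationSkip` as if a layer had been successfully terminated. The removed code at least went through `AnalyzeInnerPacket`, which reports `no_suitable_analyzer_found`; `packet->Weird("no_suitable_analyzer_found"); return AnalyzerResult::Failed;` preserves that signal, unless Terminate is intentional, in which case a comment stating why would do. The body of EthernetAnalyzer::Analyze continues outside the hunk.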
From: Jan Grashoefer Date: Mon, 24 Aug 2020 17:34:42 +0200 Subject: [PATCH 19/43] Migrate all packet analyzers to new API. --- scripts/base/packet-protocols/__load__.zeek | 18 ++++++------- .../base/packet-protocols/ethernet/main.zeek | 27 +++++++++++-------- scripts/base/packet-protocols/fddi/main.zeek | 3 ++- src/packet_analysis/Analyzer.cc | 11 ++++++++ src/packet_analysis/Analyzer.h | 11 ++++++++ src/packet_analysis/protocol/CMakeLists.txt | 26 +++++++++--------- src/packet_analysis/protocol/arp/ARP.cc | 4 +-- src/packet_analysis/protocol/arp/ARP.h | 2 +- src/packet_analysis/protocol/fddi/FDDI.cc | 6 ++--- src/packet_analysis/protocol/fddi/FDDI.h | 2 +- .../protocol/ieee802_11/IEEE802_11.cc | 18 ++++++------- .../protocol/ieee802_11/IEEE802_11.h | 2 +- .../ieee802_11_radio/IEEE802_11_Radio.cc | 8 +++--- .../ieee802_11_radio/IEEE802_11_Radio.h | 2 +- .../protocol/linux_sll/LinuxSLL.cc | 6 ++--- .../protocol/linux_sll/LinuxSLL.h | 2 +- src/packet_analysis/protocol/mpls/MPLS.cc | 10 +++---- src/packet_analysis/protocol/mpls/MPLS.h | 2 +- src/packet_analysis/protocol/nflog/NFLog.cc | 10 +++---- src/packet_analysis/protocol/nflog/NFLog.h | 2 +- src/packet_analysis/protocol/null/Null.cc | 6 ++--- src/packet_analysis/protocol/null/Null.h | 2 +- .../protocol/ppp_serial/PPPSerial.cc | 4 +-- .../protocol/ppp_serial/PPPSerial.h | 2 +- src/packet_analysis/protocol/pppoe/PPPoE.cc | 6 ++--- src/packet_analysis/protocol/pppoe/PPPoE.h | 2 +- src/packet_analysis/protocol/vlan/VLAN.cc | 6 ++--- src/packet_analysis/protocol/vlan/VLAN.h | 2 +- .../protocol/wrapper/Wrapper.cc | 20 +++++++------- .../protocol/wrapper/Wrapper.h | 2 +- testing/btest/Baseline/core.raw_packet/output | 4 +++ .../scripts/PacketDemo/Bar/base/main.zeek | 4 +-- .../plugins/packet-protocol-plugin/src/Bar.cc | 6 ++--- .../plugins/packet-protocol-plugin/src/Bar.h | 2 +- 34 files changed, 135 insertions(+), 105 deletions(-) 
diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek index 75055a3e47..60c804f2fd 100644 --- a/scripts/base/packet-protocols/__load__.zeek +++ b/scripts/base/packet-protocols/__load__.zeek @@ -1,11 +1,11 @@ @load base/packet-protocols/default @load base/packet-protocols/ethernet -#@load base/packet-protocols/fddi -#@load base/packet-protocols/ieee802_11 -#@load base/packet-protocols/ieee802_11_radio -#@load base/packet-protocols/linux_sll -#@load base/packet-protocols/nflog -#@load base/packet-protocols/null -#@load base/packet-protocols/ppp_serial -#@load base/packet-protocols/pppoe -#@load base/packet-protocols/vlan +@load base/packet-protocols/fddi +@load base/packet-protocols/ieee802_11 +@load base/packet-protocols/ieee802_11_radio +@load base/packet-protocols/linux_sll +@load base/packet-protocols/nflog +@load base/packet-protocols/null +@load base/packet-protocols/ppp_serial +@load base/packet-protocols/pppoe +@load base/packet-protocols/vlan diff --git a/scripts/base/packet-protocols/ethernet/main.zeek b/scripts/base/packet-protocols/ethernet/main.zeek index 05feb246db..efcbf8adb7 100644 --- a/scripts/base/packet-protocols/ethernet/main.zeek +++ b/scripts/base/packet-protocols/ethernet/main.zeek 
@@ -1,21 +1,26 @@ module PacketAnalyzer::Ethernet; +export { + ## IEEE 802.2 SNAP analyzer + const snap_analyzer: PacketAnalyzer::Tag &redef; + ## Novell raw IEEE 802.3 analyzer + const novell_raw_analyzer: PacketAnalyzer::Tag &redef; + ## IEEE 802.2 LLC analyzer + const llc_analyzer: PacketAnalyzer::Tag &redef; +} + const DLT_EN10MB : count = 1; redef PacketAnalyzer::config_map += { PacketAnalyzer::ConfigEntry($identifier=DLT_EN10MB, $analyzer=PacketAnalyzer::ANALYZER_ETHERNET), - #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8847, $analyzer=PacketAnalyzer::ANALYZER_MPLS), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8847, $analyzer=PacketAnalyzer::ANALYZER_MPLS), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6), - #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP), - #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8035, $analyzer=PacketAnalyzer::ANALYZER_ARP), - #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), - #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x88A8, $analyzer=PacketAnalyzer::ANALYZER_VLAN), - #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x9100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), - #PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP), + 
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8035, $analyzer=PacketAnalyzer::ANALYZER_ARP), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x88A8, $analyzer=PacketAnalyzer::ANALYZER_VLAN), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x9100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER) }; - -const snap_analyzer: PacketAnalyzer::Tag &redef; -const novell_raw_analyzer: PacketAnalyzer::Tag &redef; -const llc_analyzer: PacketAnalyzer::Tag &redef; diff --git a/scripts/base/packet-protocols/fddi/main.zeek b/scripts/base/packet-protocols/fddi/main.zeek index b503a143f1..372b098587 100644 --- a/scripts/base/packet-protocols/fddi/main.zeek +++ b/scripts/base/packet-protocols/fddi/main.zeek @@ -3,5 +3,6 @@ module LL_FDDI; const DLT_FDDI : count = 10; redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($identifier=DLT_FDDI, $analyzer=PacketAnalyzer::ANALYZER_FDDI) + PacketAnalyzer::ConfigEntry($identifier=DLT_FDDI, $analyzer=PacketAnalyzer::ANALYZER_FDDI), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_FDDI, $analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER) }; diff --git a/src/packet_analysis/Analyzer.cc b/src/packet_analysis/Analyzer.cc index 3aeeea9d75..b318c514a3 100644 --- a/src/packet_analysis/Analyzer.cc +++ b/src/packet_analysis/Analyzer.cc 
@@ -76,4 +76,15 @@ AnalyzerResult Analyzer::AnalyzeInnerPacket(Packet* packet, return inner_analyzer->Analyze(packet, data); } +AnalyzerResult Analyzer::AnalyzeInnerPacket(Packet* packet, const uint8_t*& data) const + { + if ( default_analyzer ) + return default_analyzer->Analyze(packet, data); + + DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s stopped, no default analyzer available.", + GetAnalyzerName()); + packet->Weird("no_suitable_analyzer_found"); + return AnalyzerResult::Terminate; + } + } \ No newline at end of file diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h index 80191d61fe..a52ab4d8df 100644 --- a/src/packet_analysis/Analyzer.h +++ b/src/packet_analysis/Analyzer.h @@ -125,6 +125,17 @@ protected: virtual AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data, uint32_t identifier) const; + /** + * Triggers default analysis of the encapsulated packet if the default analyzer + * is set. + * + * @param packet The packet to analyze. + * @param data Reference to the payload pointer into the raw packet. + * + * @return The outcome of the analysis. + */ + AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data) const; + private: Tag tag; Dispatcher dispatcher; diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt index df1e5ca0d3..fbcef0f2c9 100644 --- a/src/packet_analysis/protocol/CMakeLists.txt +++ b/src/packet_analysis/protocol/CMakeLists.txt 
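Review bot: The new identifier-less `AnalyzeInnerPacket` returns `AnalyzerResult::Terminate` when no default analyzer is registered, while the identifier variant and `DefaultAnalyzer::AnalyzeInnerPacket` return `Failed` in the equivalent situation, all three emitting the same `no_suitable_analyzer_found` weird; Terminate is what ProcessPacket treats as a successful end of analysis (it then runs CustomEncapsulationSkip), so callers of this overload (FDDI in this patch) will look like clean terminations rather than failures. Either `return AnalyzerResult::Failed;` for consistency, or document the distinction in the Analyzer.h comment, which currently says only "if the default analyzer is set" and not what happens otherwise: `@return The outcome of the default analyzer, or Terminate if no default analyzer is registered.` The file also lacks a trailing newline.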
@@ -1,18 +1,18 @@ add_subdirectory(default) -#add_subdirectory(wrapper) -#add_subdirectory(null) +add_subdirectory(wrapper) +add_subdirectory(null) add_subdirectory(ethernet) -#add_subdirectory(vlan) -#add_subdirectory(pppoe) -#add_subdirectory(ppp_serial) -#add_subdirectory(ieee802_11) -#add_subdirectory(ieee802_11_radio) -#add_subdirectory(fddi) -#add_subdirectory(nflog) -#add_subdirectory(mpls) -#add_subdirectory(linux_sll) -# -#add_subdirectory(arp) +add_subdirectory(vlan) +add_subdirectory(pppoe) +add_subdirectory(ppp_serial) +add_subdirectory(ieee802_11) +add_subdirectory(ieee802_11_radio) +add_subdirectory(fddi) +add_subdirectory(nflog) +add_subdirectory(mpls) +add_subdirectory(linux_sll) + +add_subdirectory(arp) add_subdirectory(ipv4) add_subdirectory(ipv6) diff --git a/src/packet_analysis/protocol/arp/ARP.cc b/src/packet_analysis/protocol/arp/ARP.cc index eec4f72860..27d71d807d 100644 --- a/src/packet_analysis/protocol/arp/ARP.cc +++ b/src/packet_analysis/protocol/arp/ARP.cc @@ -9,11 +9,11 @@ ARPAnalyzer::ARPAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple ARPAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult ARPAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { // TODO: Make ARP analyzer a native packet analyzer packet->l3_proto = L3_ARP; // Leave packet analyzer land - return { AnalyzerResult::Terminate, 0 }; + return AnalyzerResult::Terminate; } diff --git a/src/packet_analysis/protocol/arp/ARP.h b/src/packet_analysis/protocol/arp/ARP.h index 9bd1c8a009..a6a7a445c1 100644 --- a/src/packet_analysis/protocol/arp/ARP.h +++ b/src/packet_analysis/protocol/arp/ARP.h @@ -12,7 +12,7 @@ public: ARPAnalyzer(); ~ARPAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { 
diff --git a/src/packet_analysis/protocol/fddi/FDDI.cc b/src/packet_analysis/protocol/fddi/FDDI.cc index 8cf503f85a..25235cca3e 100644 --- a/src/packet_analysis/protocol/fddi/FDDI.cc +++ b/src/packet_analysis/protocol/fddi/FDDI.cc @@ -10,17 +10,17 @@ FDDIAnalyzer::FDDIAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple FDDIAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult FDDIAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { auto hdr_size = 13 + 8; // FDDI header + LLC if ( data + hdr_size >= packet->GetEndOfData() ) { packet->Weird("FDDI_analyzer_failed"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } // We just skip the header and hope for default analysis data += hdr_size; - return { AnalyzerResult::Continue, -1 }; + return AnalyzeInnerPacket(packet, data); } diff --git a/src/packet_analysis/protocol/fddi/FDDI.h b/src/packet_analysis/protocol/fddi/FDDI.h index adb87d8dd7..4219529c6a 100644 --- a/src/packet_analysis/protocol/fddi/FDDI.h +++ b/src/packet_analysis/protocol/fddi/FDDI.h @@ -12,7 +12,7 @@ public: FDDIAnalyzer(); ~FDDIAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc index a0e6eb999f..f0a9720605 100644 --- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc @@ -10,7 +10,7 @@ IEEE802_11Analyzer::IEEE802_11Analyzer() { } -zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::Analyze(Packet* packet, const uint8_t*& data) { auto end_of_data = packet->GetEndOfData(); 
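Review bot: After advancing `data` by `hdr_size` (13-byte FDDI MAC header plus 8-byte LLC/SNAP) the new `return AnalyzeInnerPacket(packet, data);` hands the payload to the default analyzer without reading the SNAP EtherType it just stepped over, so the encapsulated protocol is guessed rather than dispatched. The 802.11 analyzer in this same change verifies DSAP/SSAP are SNAP and then dispatches on `protocol = (data[0] << 8) + data[1]`; the same pattern fits here, taking the type from the last two bytes of the header before `data += hdr_size` (presumably bytes 19-20, already inside the `hdr_size` guard) and calling `AnalyzeInnerPacket(packet, data, protocol)`, with the two-argument form only as the non-SNAP fallback. If FDDI frames without SNAP are the expected input, a comment stating why the type field is deliberately ignored would stop the next reader from re-raising this.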
@@ -19,18 +19,18 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p if ( data + len_80211 >= end_of_data ) { packet->Weird("truncated_802_11_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } u_char fc_80211 = data[0]; // Frame Control field // Skip non-data frame types (management & control). if ( ! ((fc_80211 >> 2) & 0x02) ) - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; // Skip subtypes without data. if ( (fc_80211 >> 4) & 0x04 ) - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; // 'To DS' and 'From DS' flags set indicate use of the 4th // address field. @@ -43,7 +43,7 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p // Skip in case of A-MSDU subframes indicated by QoS // control field. if ( data[len_80211] & 0x80 ) - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; len_80211 += 2; } @@ -51,7 +51,7 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p if ( data + len_80211 >= end_of_data ) { packet->Weird("truncated_802_11_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } // Determine link-layer addresses based @@ -85,7 +85,7 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p if ( data + 8 >= end_of_data ) { packet->Weird("truncated_802_11_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } // Check that the DSAP and SSAP are both SNAP and that the control 
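Review bot: The A-MSDU test `if ( data[len_80211] & 0x80 )` in the `@@ -43` hunk reads the byte at offset `len_80211`, but the only truncation guard before it is the `data + len_80211 >= end_of_data` check at the top of the function, evaluated before `len_80211` is adjusted for the four-address case; the second `truncated_802_11_header` guard at `@@ -51` runs only after this read. If the address adjustment between the hunks (not visible here) grows `len_80211`, a frame truncated inside that region turns this into an out-of-bounds read before any of the new `return AnalyzerResult::Failed;` paths is reached. The guard should be repeated immediately before the QoS byte is read: `if ( data + len_80211 >= end_of_data ) { packet->Weird("truncated_802_11_header"); return AnalyzerResult::Failed; }`. `IEEE802_11Analyzer::Analyze` spans several hunks and begins in the previous one.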
@@ -102,11 +102,11 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11Analyzer::Analyze(Packet* p // If this is a logical link control frame without the // possibility of having a protocol we care about, we'll // just skip it for now. - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } uint32_t protocol = (data[0] << 8) + data[1]; data += 2; - return { AnalyzerResult::Continue, protocol }; + return AnalyzeInnerPacket(packet, data, protocol); } diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h index beccbd59d9..842f182bcd 100644 --- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h @@ -12,7 +12,7 @@ public: IEEE802_11Analyzer(); ~IEEE802_11Analyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc index 26bdf9f041..703906ac82 100644 --- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc +++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc @@ -12,14 +12,14 @@ IEEE802_11_RadioAnalyzer::IEEE802_11_RadioAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple IEEE802_11_RadioAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult IEEE802_11_RadioAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { auto end_of_data = packet->GetEndOfData(); if ( data + 3 >= end_of_data ) { packet->Weird("truncated_radiotap_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } // Skip over the RadioTap header 
@@ -28,10 +28,10 @@ zeek::packet_analysis::AnalysisResultTuple IEEE802_11_RadioAnalyzer::Analyze(Pac if ( data + rtheader_len >= end_of_data ) { packet->Weird("truncated_radiotap_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } data += rtheader_len; - return { AnalyzerResult::Continue, DLT_IEEE802_11 }; + return AnalyzeInnerPacket(packet, data, DLT_IEEE802_11); } diff --git a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h index 1c50c07dbd..e9f306ef26 100644 --- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h +++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h @@ -12,7 +12,7 @@ public: IEEE802_11_RadioAnalyzer(); ~IEEE802_11_RadioAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc index 56149c42f1..740b63a518 100644 --- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc +++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc @@ -9,12 +9,12 @@ LinuxSLLAnalyzer::LinuxSLLAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple LinuxSLLAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult LinuxSLLAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { if ( data + sizeof(SLLHeader) >= packet->GetEndOfData() ) { packet->Weird("truncated_Linux_SLL_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } //TODO: Handle different ARPHRD_types 
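Review bot: The guard `if ( data + rtheader_len >= end_of_data )` forms a pointer from a header-supplied length before checking it, so a large `rtheader_len` (read from the radiotap header between the hunks, not visible here) produces a pointer well past the packet buffer; in C++ that is undefined behaviour even when the pointer is only compared, and the compiler is entitled to fold the check away. Comparing lengths instead of pointers avoids it without changing accepted inputs: `if ( end_of_data - data <= rtheader_len )`. The same consideration applies to the sibling analyzers, but they mostly add compile-time constants, so this is the one that matters.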
@@ -28,5 +28,5 @@ zeek::packet_analysis::AnalysisResultTuple LinuxSLLAnalyzer::Analyze(Packet* pac packet->l2_dst = Packet::L2_EMPTY_ADDR; data += sizeof(SLLHeader); - return { AnalyzerResult::Continue, protocol }; + return AnalyzeInnerPacket(packet, data, protocol); } diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.h b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h index f9519b214f..b62b3a3f59 100644 --- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.h +++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h @@ -12,7 +12,7 @@ public: LinuxSLLAnalyzer(); ~LinuxSLLAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/mpls/MPLS.cc b/src/packet_analysis/protocol/mpls/MPLS.cc index 2d507a4fc8..962e206239 100644 --- a/src/packet_analysis/protocol/mpls/MPLS.cc +++ b/src/packet_analysis/protocol/mpls/MPLS.cc @@ -9,7 +9,7 @@ MPLSAnalyzer::MPLSAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { auto end_of_data = packet->GetEndOfData(); @@ -21,7 +21,7 @@ zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet, if ( data + 4 >= end_of_data ) { packet->Weird("truncated_link_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } end_of_stack = *(data + 2u) & 0x01; @@ -33,7 +33,7 @@ zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet, if ( data + sizeof(struct ip) >= end_of_data ) { packet->Weird("no_ip_in_mpls_payload"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } auto ip = (const struct ip*)data; 
@@ -46,9 +46,9 @@ zeek::packet_analysis::AnalysisResultTuple MPLSAnalyzer::Analyze(Packet* packet, { // Neither IPv4 nor IPv6. packet->Weird("no_ip_in_mpls_payload"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } packet->hdr_size = (data - packet->data); - return { AnalyzerResult::Terminate, 0 }; + return AnalyzerResult::Terminate; } diff --git a/src/packet_analysis/protocol/mpls/MPLS.h b/src/packet_analysis/protocol/mpls/MPLS.h index 61439ee4c4..caade44f94 100644 --- a/src/packet_analysis/protocol/mpls/MPLS.h +++ b/src/packet_analysis/protocol/mpls/MPLS.h @@ -12,7 +12,7 @@ public: MPLSAnalyzer(); ~MPLSAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/nflog/NFLog.cc b/src/packet_analysis/protocol/nflog/NFLog.cc index 3b5fc3a86a..e2b7c218d2 100644 --- a/src/packet_analysis/protocol/nflog/NFLog.cc +++ b/src/packet_analysis/protocol/nflog/NFLog.cc @@ -10,7 +10,7 @@ NFLogAnalyzer::NFLogAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { +zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { auto end_of_data = packet->GetEndOfData(); // See https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html @@ -20,7 +20,7 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet if ( version != 0 ) { packet->Weird("unknown_nflog_version"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } // Skip to TLVs. 
@@ -34,7 +34,7 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet if ( data + 4 >= end_of_data ) { packet->Weird("nflog_no_pcap_payload"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } // TLV Type and Length values are specified in host byte order @@ -61,7 +61,7 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet if ( tlv_len < 4 ) { packet->Weird("nflog_bad_tlv_len"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } else { @@ -75,5 +75,5 @@ zeek::packet_analysis::AnalysisResultTuple NFLogAnalyzer::Analyze(Packet* packet } } - return { AnalyzerResult::Continue, protocol }; + return AnalyzeInnerPacket(packet, data, protocol); } diff --git a/src/packet_analysis/protocol/nflog/NFLog.h b/src/packet_analysis/protocol/nflog/NFLog.h index bc5b34eb2a..6cb1335373 100644 --- a/src/packet_analysis/protocol/nflog/NFLog.h +++ b/src/packet_analysis/protocol/nflog/NFLog.h @@ -12,7 +12,7 @@ public: NFLogAnalyzer(); ~NFLogAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/null/Null.cc b/src/packet_analysis/protocol/null/Null.cc index 5c61a53897..bac13dcf07 100644 --- a/src/packet_analysis/protocol/null/Null.cc +++ b/src/packet_analysis/protocol/null/Null.cc 
@@ -10,16 +10,16 @@ NullAnalyzer::NullAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple NullAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult NullAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { if ( data + 4 >= packet->GetEndOfData() ) { packet->Weird("null_analyzer_failed"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } uint32_t protocol = (data[3] << 24) + (data[2] << 16) + (data[1] << 8) + data[0]; data += 4; // skip link header - return { AnalyzerResult::Continue, protocol }; + return AnalyzeInnerPacket(packet, data, protocol); } diff --git a/src/packet_analysis/protocol/null/Null.h b/src/packet_analysis/protocol/null/Null.h index 1df209225a..d25cf8a2d9 100644 --- a/src/packet_analysis/protocol/null/Null.h +++ b/src/packet_analysis/protocol/null/Null.h @@ -12,7 +12,7 @@ public: NullAnalyzer(); ~NullAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc index da28fc6dc4..9ec9596c11 100644 --- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc +++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc @@ -10,11 +10,11 @@ PPPSerialAnalyzer::PPPSerialAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple PPPSerialAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult PPPSerialAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { // Extract protocol identifier uint32_t protocol = (data[2] << 8) + data[3]; data += 4; // skip link header - return { AnalyzerResult::Continue, protocol }; + return AnalyzeInnerPacket(packet, data, protocol); } 
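Review bot: `PPPSerialAnalyzer::Analyze` reads `data[2]` and `data[3]` and advances `data` by four bytes without checking that four bytes remain, while every sibling analyzer in this change (Null, PPPoE, VLAN, Linux SLL) guards its header read with `data + N >= packet->GetEndOfData()`. A truncated PPP-serial capture therefore reads past the end of the packet buffer before the new `AnalyzeInnerPacket` call is reached. The same guard, with its own weird name, should precede the protocol extraction; the rewritten body follows.
```cpp
zeek::packet_analysis::AnalyzerResult PPPSerialAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
	{
	// The protocol field is at bytes 2-3; reject frames too short for the 4-byte header.
	if ( data + 4 >= packet->GetEndOfData() )
		{
		packet->Weird("truncated_ppp_serial_header");
		return AnalyzerResult::Failed;
		}

	// … unchanged: protocol extraction, data += 4, AnalyzeInnerPacket call …
	}
```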
diff --git a/src/packet_analysis/protocol/ppp_serial/PPPSerial.h b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h index 75003f4242..c10c34d92e 100644 --- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.h +++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h @@ -12,7 +12,7 @@ public: PPPSerialAnalyzer(); ~PPPSerialAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/pppoe/PPPoE.cc b/src/packet_analysis/protocol/pppoe/PPPoE.cc index 53b004b733..899f62d512 100644 --- a/src/packet_analysis/protocol/pppoe/PPPoE.cc +++ b/src/packet_analysis/protocol/pppoe/PPPoE.cc @@ -10,17 +10,17 @@ PPPoEAnalyzer::PPPoEAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple PPPoEAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult PPPoEAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { if ( data + 8 >= packet->GetEndOfData() ) { packet->Weird("truncated_pppoe_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } // Extract protocol identifier uint32_t protocol = (data[6] << 8u) + data[7]; data += 8; // Skip the PPPoE session and PPP header - return { AnalyzerResult::Continue, protocol }; + return AnalyzeInnerPacket(packet, data, protocol); } diff --git a/src/packet_analysis/protocol/pppoe/PPPoE.h b/src/packet_analysis/protocol/pppoe/PPPoE.h index cbb08fabc1..164a96b8e6 100644 --- a/src/packet_analysis/protocol/pppoe/PPPoE.h +++ b/src/packet_analysis/protocol/pppoe/PPPoE.h @@ -12,7 +12,7 @@ public: PPPoEAnalyzer(); ~PPPoEAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { 
diff --git a/src/packet_analysis/protocol/vlan/VLAN.cc b/src/packet_analysis/protocol/vlan/VLAN.cc index 84fcfe28dd..364e1c9096 100644 --- a/src/packet_analysis/protocol/vlan/VLAN.cc +++ b/src/packet_analysis/protocol/vlan/VLAN.cc @@ -10,12 +10,12 @@ VLANAnalyzer::VLANAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple VLANAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult VLANAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { if ( data + 4 >= packet->GetEndOfData() ) { packet->Weird("truncated_VLAN_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } auto& vlan_ref = packet->vlan != 0 ? packet->inner_vlan : packet->vlan; @@ -25,5 +25,5 @@ zeek::packet_analysis::AnalysisResultTuple VLANAnalyzer::Analyze(Packet* packet, packet->eth_type = protocol; data += 4; // Skip the VLAN header - return { AnalyzerResult::Continue, protocol }; + return AnalyzeInnerPacket(packet, data, protocol); } diff --git a/src/packet_analysis/protocol/vlan/VLAN.h b/src/packet_analysis/protocol/vlan/VLAN.h index 94446c0766..d2169374f1 100644 --- a/src/packet_analysis/protocol/vlan/VLAN.h +++ b/src/packet_analysis/protocol/vlan/VLAN.h @@ -12,7 +12,7 @@ public: VLANAnalyzer(); ~VLANAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/wrapper/Wrapper.cc b/src/packet_analysis/protocol/wrapper/Wrapper.cc index eed1087acf..ea04b3a8c9 100644 --- a/src/packet_analysis/protocol/wrapper/Wrapper.cc +++ b/src/packet_analysis/protocol/wrapper/Wrapper.cc 
@@ -10,7 +10,7 @@ WrapperAnalyzer::WrapperAnalyzer() { } -zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { // Unfortunately some packets on the link might have MPLS labels // while others don't. That means we need to ask the link-layer if @@ -27,7 +27,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack if ( data + cfplen + 14 >= end_of_data ) { packet->Weird("truncated_link_header_cfp"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } data += cfplen; @@ -57,7 +57,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack if ( data + 4 >= end_of_data ) { packet->Weird("truncated_link_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } auto& vlan_ref = saw_vlan ? packet->inner_vlan : packet->vlan; @@ -75,7 +75,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack if ( data + 8 >= end_of_data ) { packet->Weird("truncated_link_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } protocol = (data[6] << 8u) + data[7]; @@ -89,7 +89,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack { // Neither IPv4 nor IPv6. packet->Weird("non_ip_packet_in_pppoe_encapsulation"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } } break; @@ -113,7 +113,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack { // Neither IPv4 nor IPv6. packet->Weird("non_ip_packet_in_ethernet"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } } 
@@ -127,7 +127,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack if ( data + 4 >= end_of_data ) { packet->Weird("truncated_link_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } end_of_stack = *(data + 2u) & 0x01; @@ -138,7 +138,7 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack if ( data + sizeof(struct ip) >= end_of_data ) { packet->Weird("no_ip_in_mpls_payload"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } const struct ip* ip = (const struct ip*)data; @@ -151,12 +151,12 @@ zeek::packet_analysis::AnalysisResultTuple WrapperAnalyzer::Analyze(Packet* pack { // Neither IPv4 nor IPv6. packet->Weird("no_ip_in_mpls_payload"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } } // Calculate how much header we've used up. packet->hdr_size = (data - packet->data); - return { AnalyzerResult::Continue, protocol }; + return AnalyzeInnerPacket(packet, data, protocol); } diff --git a/src/packet_analysis/protocol/wrapper/Wrapper.h b/src/packet_analysis/protocol/wrapper/Wrapper.h index 38fb6ca268..20ddd66fb5 100644 --- a/src/packet_analysis/protocol/wrapper/Wrapper.h +++ b/src/packet_analysis/protocol/wrapper/Wrapper.h @@ -12,7 +12,7 @@ public: WrapperAnalyzer(); ~WrapperAnalyzer() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/testing/btest/Baseline/core.raw_packet/output b/testing/btest/Baseline/core.raw_packet/output index b9e82f8b70..c642d3cd0b 100644 --- a/testing/btest/Baseline/core.raw_packet/output +++ b/testing/btest/Baseline/core.raw_packet/output 
@@ -1,15 +1,18 @@ [l2=[encap=LINK_ETHERNET, len=215, cap_len=215, src=e8:de:27:ff:c0:78, dst=ff:ff:ff:ff:ff:ff, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=201, id=0, ttl=64, p=17, src=192.168.1.1, dst=255.255.255.255], ip6=, tcp=, udp=[sport=40190/udp, dport=7437/udp, ulen=181], icmp=] [l2=[encap=LINK_ETHERNET, len=68, cap_len=68, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=54, id=52261, ttl=64, p=6, src=192.168.1.103, dst=64.4.23.176], ip6=, tcp=[sport=65493/tcp, dport=40031/tcp, seq=2642773190, ack=2891276360, hl=32, dl=2, reserved=0, flags=24, win=4096], udp=, icmp=] +[l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=e8:de:27:ff:c0:77, dst=01:80:c2:00:00:00, vlan=, inner_vlan=, eth_type=38, proto=L3_UNKNOWN], ip=, ip6=, tcp=, udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=78, cap_len=78, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=64, id=32575, ttl=64, p=17, src=192.168.1.103, dst=192.168.1.1], ip6=, tcp=, udp=[sport=65170/udp, dport=53/udp, ulen=44], icmp=] [l2=[encap=LINK_ETHERNET, len=78, cap_len=78, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=64, id=55466, ttl=64, p=17, src=192.168.1.103, dst=192.168.1.1], ip6=, tcp=, udp=[sport=53129/udp, dport=53/udp, ulen=44], icmp=] [l2=[encap=LINK_ETHERNET, len=92, cap_len=92, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=78, id=32240, ttl=64, p=17, src=192.168.1.103, dst=192.168.1.1], ip6=, tcp=, udp=[sport=53129/udp, dport=53/udp, ulen=58], icmp=] [l2=[encap=LINK_ETHERNET, len=85, cap_len=85, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=71, id=53895, ttl=64, p=17, src=192.168.1.103, dst=192.168.1.1], ip6=, tcp=, 
udp=[sport=57932/udp, dport=53/udp, ulen=51], icmp=] +[l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=e8:de:27:ff:c0:77, dst=01:80:c2:00:00:00, vlan=, inner_vlan=, eth_type=38, proto=L3_UNKNOWN], ip=, ip6=, tcp=, udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=42, cap_len=42, src=00:50:56:3e:93:6b, dst=ff:ff:ff:ff:ff:ff, vlan=, inner_vlan=, eth_type=2054, proto=L3_ARP], ip=, ip6=, tcp=, udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=42, cap_len=42, src=00:50:56:3e:93:6b, dst=ff:ff:ff:ff:ff:ff, vlan=, inner_vlan=, eth_type=2054, proto=L3_ARP], ip=, ip6=, tcp=, udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=307, cap_len=307, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=293, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=, tcp=, udp=[sport=45335/udp, dport=1900/udp, ulen=273], icmp=] [l2=[encap=LINK_ETHERNET, len=316, cap_len=316, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=302, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=, tcp=, udp=[sport=45335/udp, dport=1900/udp, ulen=282], icmp=] [l2=[encap=LINK_ETHERNET, len=379, cap_len=379, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=365, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=, tcp=, udp=[sport=45335/udp, dport=1900/udp, ulen=345], icmp=] [l2=[encap=LINK_ETHERNET, len=371, cap_len=371, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=357, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=, tcp=, udp=[sport=45335/udp, dport=1900/udp, ulen=337], icmp=] +[l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=e8:de:27:ff:c0:77, dst=01:80:c2:00:00:00, vlan=, inner_vlan=, eth_type=38, proto=L3_UNKNOWN], ip=, ip6=, tcp=, udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=355, cap_len=355, 
src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=341, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=, tcp=, udp=[sport=45335/udp, dport=1900/udp, ulen=321], icmp=] [l2=[encap=LINK_ETHERNET, len=42, cap_len=42, src=00:50:56:3e:93:6b, dst=ff:ff:ff:ff:ff:ff, vlan=, inner_vlan=, eth_type=2054, proto=L3_ARP], ip=, ip6=, tcp=, udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=387, cap_len=387, src=e8:de:27:ff:c0:78, dst=01:00:5e:7f:ff:fa, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=373, id=0, ttl=4, p=17, src=192.168.1.1, dst=239.255.255.250], ip6=, tcp=, udp=[sport=45335/udp, dport=1900/udp, ulen=353], icmp=] 
@@ -27,6 +30,7 @@ [l2=[encap=LINK_ETHERNET, len=112, cap_len=112, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=98, id=85, ttl=64, p=6, src=192.168.1.103, dst=74.125.21.138], ip6=, tcp=[sport=49171/tcp, dport=443/tcp, seq=3725176077, ack=445274652, hl=32, dl=46, reserved=0, flags=24, win=4096], udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=97, cap_len=97, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=83, id=28558, ttl=64, p=6, src=192.168.1.103, dst=74.125.21.138], ip6=, tcp=[sport=49171/tcp, dport=443/tcp, seq=3725176123, ack=445274652, hl=32, dl=31, reserved=0, flags=24, win=4096], udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=66, cap_len=66, src=60:f8:1d:c9:8c:fa, dst=e8:de:27:ff:c0:78, vlan=, inner_vlan=, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=52, id=36529, ttl=64, p=6, src=192.168.1.103, dst=74.125.21.138], ip6=, tcp=[sport=49171/tcp, dport=443/tcp, seq=3725176154, ack=445274652, hl=32, dl=0, reserved=0, flags=17, win=4096], udp=, icmp=] +[l2=[encap=LINK_ETHERNET, len=60, cap_len=60, src=e8:de:27:ff:c0:77, dst=01:80:c2:00:00:00, vlan=, inner_vlan=, eth_type=38, proto=L3_UNKNOWN], ip=, ip6=, tcp=, udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=64, cap_len=64, src=00:19:06:ea:b8:c1, dst=ff:ff:ff:ff:ff:ff, vlan=123, inner_vlan=, eth_type=2054, proto=L3_ARP], ip=, ip6=, tcp=, udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=64, cap_len=64, src=00:18:73:de:57:c1, dst=ff:ff:ff:ff:ff:ff, vlan=123, inner_vlan=, eth_type=2054, proto=L3_ARP], ip=, ip6=, tcp=, udp=, icmp=] [l2=[encap=LINK_ETHERNET, len=64, cap_len=64, src=00:18:73:de:57:c1, dst=ff:ff:ff:ff:ff:ff, vlan=123, inner_vlan=, eth_type=2054, proto=L3_ARP], ip=, ip6=, tcp=, udp=, icmp=] 
diff --git a/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/Bar/base/main.zeek b/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/Bar/base/main.zeek index a0c4fa6757..b0cc2f1249 100644 --- a/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/Bar/base/main.zeek +++ b/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/Bar/base/main.zeek @@ -1,5 +1,3 @@ module Packet_BAR; -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=1501, $analyzer=PacketAnalyzer::ANALYZER_BAR), -}; +redef PacketAnalyzer::Ethernet::llc_analyzer = PacketAnalyzer::ANALYZER_BAR; \ No newline at end of file diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc b/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc index f0588e7627..27cf68235c 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc +++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc @@ -10,7 +10,7 @@ Bar::Bar() { } -zeek::packet_analysis::AnalysisResultTuple Bar::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult Bar::Analyze(Packet* packet, const uint8_t*& data) { auto end_of_data = packet->GetEndOfData(); @@ -18,7 +18,7 @@ zeek::packet_analysis::AnalysisResultTuple Bar::Analyze(Packet* packet, const ui if ( data + 17 >= end_of_data ) { packet->Weird("truncated_llc_header"); - return { AnalyzerResult::Failed, 0 }; + return AnalyzerResult::Failed; } auto dsap = data[14]; @@ -30,5 +30,5 @@ zeek::packet_analysis::AnalysisResultTuple Bar::Analyze(Packet* packet, const ui val_mgr->Count(ssap), val_mgr->Count(control)); - return { AnalyzerResult::Terminate, 0 }; + return AnalyzerResult::Terminate; } diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h index 83f0bf6ce9..ad1ee8185e 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h 
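Review bot: The truncation guard in the second Bar.cc hunk, `if ( data + 17 >= end_of_data )`, rejects a frame with exactly 17 bytes remaining even though the highest index read appears to be data[16] (dsap is data[14], with ssap and control presumably following), and it forms a pointer past the end of the buffer before comparing, which is undefined behaviour on its own. Computing the remaining length instead avoids both problems: `if ( end_of_data - data < 17 )`. The return-type change itself is fine; Bar::Analyze continues outside the hunk, so the ssap/control offsets are inferred from the Count() calls in the third hunk.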
+++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h @@ -10,7 +10,7 @@ public: Bar(); ~Bar() override = default; - AnalysisResultTuple Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; static AnalyzerPtr Instantiate() { From 4aeab7402dde75d0ea0286d5e04408de099f7370 Mon Sep 17 00:00:00 2001 
From: Jan Grashoefer Date: Mon, 24 Aug 2020 19:25:24 +0200 Subject: [PATCH 20/43] Improve naming in packet analysis. --- scripts/base/packet-protocols/default/main.zeek | 2 +- scripts/base/packet-protocols/fddi/main.zeek | 2 +- scripts/base/packet-protocols/ieee802_11/main.zeek | 2 +- scripts/base/packet-protocols/ieee802_11_radio/main.zeek | 2 +- scripts/base/packet-protocols/linux_sll/main.zeek | 2 +- scripts/base/packet-protocols/nflog/main.zeek | 2 +- scripts/base/packet-protocols/null/main.zeek | 2 +- scripts/base/packet-protocols/ppp_serial/main.zeek | 2 +- scripts/base/packet-protocols/pppoe/main.zeek | 2 +- scripts/base/packet-protocols/vlan/main.zeek | 2 +- src/packet_analysis/CMakeLists.txt | 6 +++--- src/packet_analysis/Tag.h | 6 +++--- src/packet_analysis/protocol/arp/CMakeLists.txt | 2 +- src/packet_analysis/protocol/default/CMakeLists.txt | 2 +- src/packet_analysis/protocol/ethernet/CMakeLists.txt | 2 +- src/packet_analysis/protocol/fddi/CMakeLists.txt | 2 +- src/packet_analysis/protocol/ieee802_11/CMakeLists.txt | 2 +- .../protocol/ieee802_11_radio/CMakeLists.txt | 2 +- src/packet_analysis/protocol/ipv4/CMakeLists.txt | 2 +- src/packet_analysis/protocol/ipv6/CMakeLists.txt | 2 +- src/packet_analysis/protocol/linux_sll/CMakeLists.txt | 2 +- src/packet_analysis/protocol/mpls/CMakeLists.txt | 2 +- src/packet_analysis/protocol/nflog/CMakeLists.txt | 2 +- src/packet_analysis/protocol/null/CMakeLists.txt | 2 +- src/packet_analysis/protocol/ppp_serial/CMakeLists.txt | 2 +- src/packet_analysis/protocol/pppoe/CMakeLists.txt | 2 +- src/packet_analysis/protocol/vlan/CMakeLists.txt | 2 +- src/packet_analysis/protocol/wrapper/CMakeLists.txt | 2 +- src/packet_analysis/protocol/wrapper/Plugin.cc | 2 +- 29 files changed, 33 insertions(+), 33 deletions(-) diff --git a/scripts/base/packet-protocols/default/main.zeek b/scripts/base/packet-protocols/default/main.zeek index 12c8099b2d..e3868ada8e 100644 --- a/scripts/base/packet-protocols/default/main.zeek 
+++ b/scripts/base/packet-protocols/default/main.zeek @@ -1,4 +1,4 @@ -module LL_DEFAULT; +module PacketAnalyzer::DEFAULT; redef PacketAnalyzer::config_map += { PacketAnalyzer::ConfigEntry($analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER), diff --git a/scripts/base/packet-protocols/fddi/main.zeek b/scripts/base/packet-protocols/fddi/main.zeek index 372b098587..181cd27534 100644 --- a/scripts/base/packet-protocols/fddi/main.zeek +++ b/scripts/base/packet-protocols/fddi/main.zeek @@ -1,4 +1,4 @@ -module LL_FDDI; +module PacketAnalyzer::FDDI; const DLT_FDDI : count = 10; diff --git a/scripts/base/packet-protocols/ieee802_11/main.zeek b/scripts/base/packet-protocols/ieee802_11/main.zeek index 221f301ef3..21123cd719 100644 --- a/scripts/base/packet-protocols/ieee802_11/main.zeek +++ b/scripts/base/packet-protocols/ieee802_11/main.zeek @@ -1,4 +1,4 @@ -module LL_IEEE802_11; +module PacketAnalyzer::IEEE802_11; const DLT_IEEE802_11 : count = 105; diff --git a/scripts/base/packet-protocols/ieee802_11_radio/main.zeek b/scripts/base/packet-protocols/ieee802_11_radio/main.zeek index 52660f6e5e..8c369d0183 100644 --- a/scripts/base/packet-protocols/ieee802_11_radio/main.zeek +++ b/scripts/base/packet-protocols/ieee802_11_radio/main.zeek @@ -1,4 +1,4 @@ -module LL_IEEE802_11_RADIO; +module PacketAnalyzer::IEEE802_11_RADIO; const DLT_IEEE802_11_RADIO : count = 127; const DLT_IEEE802_11 : count = 105; diff --git a/scripts/base/packet-protocols/linux_sll/main.zeek b/scripts/base/packet-protocols/linux_sll/main.zeek index 096ffb2d74..d5c9708556 100644 --- a/scripts/base/packet-protocols/linux_sll/main.zeek +++ b/scripts/base/packet-protocols/linux_sll/main.zeek @@ -1,4 +1,4 @@ -module LL_LINUX_SLL; +module PacketAnalyzer::LINUX_SLL; const DLT_LINUX_SLL : count = 113; diff --git a/scripts/base/packet-protocols/nflog/main.zeek b/scripts/base/packet-protocols/nflog/main.zeek index ebbf156df8..50edf4b514 100644 --- a/scripts/base/packet-protocols/nflog/main.zeek 
+++ b/scripts/base/packet-protocols/nflog/main.zeek @@ -1,4 +1,4 @@ -module LL_NFLOG; +module PacketAnalyzer::NFLOG; const DLT_NFLOG : count = 239; const AF_INET : count = 2; diff --git a/scripts/base/packet-protocols/null/main.zeek b/scripts/base/packet-protocols/null/main.zeek index f2a8a02245..9ad54c9b74 100644 --- a/scripts/base/packet-protocols/null/main.zeek +++ b/scripts/base/packet-protocols/null/main.zeek @@ -1,4 +1,4 @@ -module LL_NULL; +module PacketAnalyzer::NULL; const DLT_NULL : count = 0; const AF_INET : count = 2; diff --git a/scripts/base/packet-protocols/ppp_serial/main.zeek b/scripts/base/packet-protocols/ppp_serial/main.zeek index 1feb5fdfe3..839e19c1d4 100644 --- a/scripts/base/packet-protocols/ppp_serial/main.zeek +++ b/scripts/base/packet-protocols/ppp_serial/main.zeek @@ -1,4 +1,4 @@ -module LL_PPP_SERIAL; +module PacketAnalyzer::PPP_SERIAL; const DLT_PPP_SERIAL : count = 50; diff --git a/scripts/base/packet-protocols/pppoe/main.zeek b/scripts/base/packet-protocols/pppoe/main.zeek index 8416e42bf2..425b857f2c 100644 --- a/scripts/base/packet-protocols/pppoe/main.zeek +++ b/scripts/base/packet-protocols/pppoe/main.zeek @@ -1,4 +1,4 @@ -module LL_PPPOE; +module PacketAnalyzer::PPPOE; redef PacketAnalyzer::config_map += { PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPOE, $identifier=0x0021, $analyzer=PacketAnalyzer::ANALYZER_IPV4), diff --git a/scripts/base/packet-protocols/vlan/main.zeek b/scripts/base/packet-protocols/vlan/main.zeek index 78bff9398a..927f381acf 100644 --- a/scripts/base/packet-protocols/vlan/main.zeek +++ b/scripts/base/packet-protocols/vlan/main.zeek @@ -1,4 +1,4 @@ -module LL_VLAN; +module PacketAnalyzer::VLAN; redef PacketAnalyzer::config_map += { PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x8847, $analyzer=PacketAnalyzer::ANALYZER_MPLS), diff --git a/src/packet_analysis/CMakeLists.txt b/src/packet_analysis/CMakeLists.txt index c952e703ed..681dad1f82 100644 
--- a/src/packet_analysis/CMakeLists.txt +++ b/src/packet_analysis/CMakeLists.txt @@ -7,7 +7,7 @@ include_directories(BEFORE add_subdirectory(protocol) -set(llanalyzer_SRCS +set(packet_analysis_SRCS Analyzer.cc Dispatcher.cc Manager.cc @@ -15,5 +15,5 @@ set(llanalyzer_SRCS Tag.cc ) -bro_add_subdir_library(llanalyzer ${llanalyzer_SRCS}) -add_dependencies(bro_llanalyzer generate_outputs) +bro_add_subdir_library(packet_analysis ${packet_analysis_SRCS}) +add_dependencies(bro_packet_analysis generate_outputs) diff --git a/src/packet_analysis/Tag.h b/src/packet_analysis/Tag.h index 0d554e52f8..2ab1f12a4f 100644 --- a/src/packet_analysis/Tag.h +++ b/src/packet_analysis/Tag.h @@ -107,9 +107,9 @@ protected: /** * Constructor. * - * @param type The main type. Note that the \a llanalyzer::Manager - * manages the value space internally, so noone else should assign - * any main types. + * @param type The main type. Note that the \a zeek::packet_analysis::Manager + * manages the value space internally, so noone else should assign any main + * types. * * @param subtype The sub type, which is left to an analyzer for * interpretation. By default it's set to zero. diff --git a/src/packet_analysis/protocol/arp/CMakeLists.txt b/src/packet_analysis/protocol/arp/CMakeLists.txt index 2db553b496..f2a482e4e1 100644 --- a/src/packet_analysis/protocol/arp/CMakeLists.txt +++ b/src/packet_analysis/protocol/arp/CMakeLists.txt @@ -3,6 +3,6 @@ include(ZeekPlugin) include_directories(BEFORE $ {CMAKE_CURRENT_SOURCE_DIR} $ {CMAKE_CURRENT_BINARY_DIR}) -zeek_plugin_begin(LLAnalyzer ARP) +zeek_plugin_begin(PacketAnalyzer ARP) zeek_plugin_cc(ARP.cc Plugin.cc) zeek_plugin_end() diff --git a/src/packet_analysis/protocol/default/CMakeLists.txt b/src/packet_analysis/protocol/default/CMakeLists.txt index 3753b432f9..c41a982b87 100644 --- a/src/packet_analysis/protocol/default/CMakeLists.txt +++ b/src/packet_analysis/protocol/default/CMakeLists.txt 
@@ -3,6 +3,6 @@ include(ZeekPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -zeek_plugin_begin(LLAnalyzer Default) +zeek_plugin_begin(PacketAnalyzer Default) zeek_plugin_cc(Default.cc Plugin.cc) zeek_plugin_end() diff --git a/src/packet_analysis/protocol/ethernet/CMakeLists.txt b/src/packet_analysis/protocol/ethernet/CMakeLists.txt index 583abdcc44..a852c8f3f3 100644 --- a/src/packet_analysis/protocol/ethernet/CMakeLists.txt +++ b/src/packet_analysis/protocol/ethernet/CMakeLists.txt @@ -3,6 +3,6 @@ include(ZeekPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -zeek_plugin_begin(LLAnalyzer Ethernet) +zeek_plugin_begin(PacketAnalyzer Ethernet) zeek_plugin_cc(Ethernet.cc Plugin.cc) zeek_plugin_end() diff --git a/src/packet_analysis/protocol/fddi/CMakeLists.txt b/src/packet_analysis/protocol/fddi/CMakeLists.txt index a1a7c571a7..2e68aa92d9 100644 --- a/src/packet_analysis/protocol/fddi/CMakeLists.txt +++ b/src/packet_analysis/protocol/fddi/CMakeLists.txt @@ -3,6 +3,6 @@ include(ZeekPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -zeek_plugin_begin(LLAnalyzer FDDI) +zeek_plugin_begin(PacketAnalyzer FDDI) zeek_plugin_cc(FDDI.cc Plugin.cc) zeek_plugin_end() diff --git a/src/packet_analysis/protocol/ieee802_11/CMakeLists.txt b/src/packet_analysis/protocol/ieee802_11/CMakeLists.txt index e8f20d8e80..bd6c43c6ea 100644 --- a/src/packet_analysis/protocol/ieee802_11/CMakeLists.txt +++ b/src/packet_analysis/protocol/ieee802_11/CMakeLists.txt @@ -3,6 +3,6 @@ include(ZeekPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -zeek_plugin_begin(LLAnalyzer IEEE802_11) +zeek_plugin_begin(PacketAnalyzer IEEE802_11) zeek_plugin_cc(IEEE802_11.cc Plugin.cc) zeek_plugin_end() 
diff --git a/src/packet_analysis/protocol/ieee802_11_radio/CMakeLists.txt b/src/packet_analysis/protocol/ieee802_11_radio/CMakeLists.txt index 2df7896a34..e063cbecca 100644 --- a/src/packet_analysis/protocol/ieee802_11_radio/CMakeLists.txt +++ b/src/packet_analysis/protocol/ieee802_11_radio/CMakeLists.txt @@ -3,6 +3,6 @@ include(ZeekPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -zeek_plugin_begin(LLAnalyzer IEEE802_11_Radio) +zeek_plugin_begin(PacketAnalyzer IEEE802_11_Radio) zeek_plugin_cc(IEEE802_11_Radio.cc Plugin.cc) zeek_plugin_end() diff --git a/src/packet_analysis/protocol/ipv4/CMakeLists.txt b/src/packet_analysis/protocol/ipv4/CMakeLists.txt index ca4a2e033c..80c8d9c5c0 100644 --- a/src/packet_analysis/protocol/ipv4/CMakeLists.txt +++ b/src/packet_analysis/protocol/ipv4/CMakeLists.txt @@ -3,6 +3,6 @@ include(ZeekPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -zeek_plugin_begin(LLAnalyzer IPv4) +zeek_plugin_begin(PacketAnalyzer IPv4) zeek_plugin_cc(IPv4.cc Plugin.cc) zeek_plugin_end() diff --git a/src/packet_analysis/protocol/ipv6/CMakeLists.txt b/src/packet_analysis/protocol/ipv6/CMakeLists.txt index 36beced1b2..566652cc73 100644 --- a/src/packet_analysis/protocol/ipv6/CMakeLists.txt +++ b/src/packet_analysis/protocol/ipv6/CMakeLists.txt @@ -3,6 +3,6 @@ include(ZeekPlugin) include_directories(BEFORE $ {CMAKE_CURRENT_SOURCE_DIR} $ {CMAKE_CURRENT_BINARY_DIR}) -zeek_plugin_begin(LLAnalyzer IPv6) +zeek_plugin_begin(PacketAnalyzer IPv6) zeek_plugin_cc(IPv6.cc Plugin.cc) zeek_plugin_end() diff --git a/src/packet_analysis/protocol/linux_sll/CMakeLists.txt b/src/packet_analysis/protocol/linux_sll/CMakeLists.txt index 069b1db41a..8476d2524a 100644 --- a/src/packet_analysis/protocol/linux_sll/CMakeLists.txt +++ b/src/packet_analysis/protocol/linux_sll/CMakeLists.txt 
@@ -3,6 +3,6 @@ include(ZeekPlugin) include_directories(BEFORE $ {CMAKE_CURRENT_SOURCE_DIR} $ {CMAKE_CURRENT_BINARY_DIR}) -zeek_plugin_begin(LLAnalyzer LinuxSLL) +zeek_plugin_begin(PacketAnalyzer LinuxSLL) zeek_plugin_cc(LinuxSLL.cc Plugin.cc) zeek_plugin_end() diff --git a/src/packet_analysis/protocol/mpls/CMakeLists.txt b/src/packet_analysis/protocol/mpls/CMakeLists.txt index 3fd7a9f8df..a72da68f3f 100644 --- a/src/packet_analysis/protocol/mpls/CMakeLists.txt +++ b/src/packet_analysis/protocol/mpls/CMakeLists.txt @@ -3,6 +3,6 @@ include(ZeekPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -zeek_plugin_begin(LLAnalyzer MPLS) +zeek_plugin_begin(PacketAnalyzer MPLS) zeek_plugin_cc(MPLS.cc Plugin.cc) zeek_plugin_end() diff --git a/src/packet_analysis/protocol/nflog/CMakeLists.txt b/src/packet_analysis/protocol/nflog/CMakeLists.txt index 12069356b9..ada26faa3c 100644 --- a/src/packet_analysis/protocol/nflog/CMakeLists.txt +++ b/src/packet_analysis/protocol/nflog/CMakeLists.txt @@ -3,6 +3,6 @@ include(ZeekPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -zeek_plugin_begin(LLAnalyzer NFLog) +zeek_plugin_begin(PacketAnalyzer NFLog) zeek_plugin_cc(NFLog.cc Plugin.cc) zeek_plugin_end() diff --git a/src/packet_analysis/protocol/null/CMakeLists.txt b/src/packet_analysis/protocol/null/CMakeLists.txt index 1aa1392127..7a3c062af7 100644 --- a/src/packet_analysis/protocol/null/CMakeLists.txt +++ b/src/packet_analysis/protocol/null/CMakeLists.txt @@ -2,6 +2,6 @@ include(ZeekPlugin) include_directories(BEFORE $ {CMAKE_CURRENT_SOURCE_DIR} $ {CMAKE_CURRENT_BINARY_DIR}) -zeek_plugin_begin(LLAnalyzer Null) +zeek_plugin_begin(PacketAnalyzer Null) zeek_plugin_cc(Null.cc Plugin.cc) zeek_plugin_end() diff --git a/src/packet_analysis/protocol/ppp_serial/CMakeLists.txt b/src/packet_analysis/protocol/ppp_serial/CMakeLists.txt index 536eb1721d..25917e191b 100644 
--- a/src/packet_analysis/protocol/ppp_serial/CMakeLists.txt +++ b/src/packet_analysis/protocol/ppp_serial/CMakeLists.txt @@ -3,6 +3,6 @@ include(ZeekPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -zeek_plugin_begin(LLAnalyzer PPPSerial) +zeek_plugin_begin(PacketAnalyzer PPPSerial) zeek_plugin_cc(PPPSerial.cc Plugin.cc) zeek_plugin_end() diff --git a/src/packet_analysis/protocol/pppoe/CMakeLists.txt b/src/packet_analysis/protocol/pppoe/CMakeLists.txt index 9a59457cf8..460f43856c 100644 --- a/src/packet_analysis/protocol/pppoe/CMakeLists.txt +++ b/src/packet_analysis/protocol/pppoe/CMakeLists.txt @@ -3,6 +3,6 @@ include(ZeekPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -zeek_plugin_begin(LLAnalyzer PPPoE) +zeek_plugin_begin(PacketAnalyzer PPPoE) zeek_plugin_cc(PPPoE.cc Plugin.cc) zeek_plugin_end() diff --git a/src/packet_analysis/protocol/vlan/CMakeLists.txt b/src/packet_analysis/protocol/vlan/CMakeLists.txt index 9105912d01..8f1c86ae55 100644 --- a/src/packet_analysis/protocol/vlan/CMakeLists.txt +++ b/src/packet_analysis/protocol/vlan/CMakeLists.txt @@ -3,6 +3,6 @@ include(ZeekPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -zeek_plugin_begin(LLAnalyzer VLAN) +zeek_plugin_begin(PacketAnalyzer VLAN) zeek_plugin_cc(VLAN.cc Plugin.cc) zeek_plugin_end() diff --git a/src/packet_analysis/protocol/wrapper/CMakeLists.txt b/src/packet_analysis/protocol/wrapper/CMakeLists.txt index d1506bcae6..76b59fc30a 100644 --- a/src/packet_analysis/protocol/wrapper/CMakeLists.txt +++ b/src/packet_analysis/protocol/wrapper/CMakeLists.txt @@ -3,6 +3,6 @@ include(ZeekPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -zeek_plugin_begin(LLAnalyzer Wrapper) +zeek_plugin_begin(PacketAnalyzer Wrapper) zeek_plugin_cc(Wrapper.cc Plugin.cc) zeek_plugin_end() 
diff --git a/src/packet_analysis/protocol/wrapper/Plugin.cc b/src/packet_analysis/protocol/wrapper/Plugin.cc index 45be64498e..c6e9fd5334 100644 --- a/src/packet_analysis/protocol/wrapper/Plugin.cc +++ b/src/packet_analysis/protocol/wrapper/Plugin.cc @@ -4,7 +4,7 @@ #include "plugin/Plugin.h" #include "packet_analysis/Component.h" -namespace zeek::plugin::LLAnalyzer { +namespace zeek::plugin::Zeek_Wrapper { class Plugin : public zeek::plugin::Plugin { public: From 6f6e5b4df015a8595b0ca1a8566f91b0c72bdb08 Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Tue, 25 Aug 2020 11:14:36 +0200 Subject: [PATCH 21/43] Suggested code improvements for packet analysis. --- src/packet_analysis/Analyzer.cc | 3 ++- src/packet_analysis/Manager.cc | 19 ++++++++++--------- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/src/packet_analysis/Analyzer.cc b/src/packet_analysis/Analyzer.cc index b318c514a3..82c0add46c 100644 --- a/src/packet_analysis/Analyzer.cc +++ b/src/packet_analysis/Analyzer.cc @@ -61,7 +61,8 @@ AnalyzerResult Analyzer::AnalyzeInnerPacket(Packet* packet, const uint8_t*& data, uint32_t identifier) const { auto inner_analyzer = Lookup(identifier); - inner_analyzer = inner_analyzer ? inner_analyzer : default_analyzer; + if ( ! inner_analyzer ) + inner_analyzer = default_analyzer; if ( inner_analyzer == nullptr ) { diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc index 663c85fd6f..7e68a5bfef 100644 --- a/src/packet_analysis/Manager.cc +++ b/src/packet_analysis/Manager.cc 
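Review bot: The added fallback `if ( ! inner_analyzer )` in Analyzer.cc sits directly above the existing `if ( inner_analyzer == nullptr )` and spells the same null test two different ways; one form should be used for both lines. A short comment above the fallback, `// No mapping for this identifier: fall back to the configured default analyzer`, would also make the two-step lookup self-explanatory. AnalyzeInnerPacket's body continues outside the hunk.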
@@ -42,34 +42,35 @@ void Manager::InitPostScript()
 auto analyzer_tag = rv->GetField("analyzer")->AsEnumVal();
 auto analyzer_name = Lookup(analyzer_tag)->Name();
- if ( analyzers.find(analyzer_name) == analyzers.end() )
+ auto analyzer_it = analyzers.find(analyzer_name);
+ if ( analyzer_it == analyzers.end() )
 {
 reporter->InternalWarning("Mapped analyzer %s not found.", analyzer_name.c_str());
 continue;
 }
+ auto& analyzer = analyzer_it->second;
 if ( parent_name == "ROOT" )
 {
 if ( identifier_val )
- root_dispatcher.Register(identifier_val->AsCount(),
- analyzers[analyzer_name]);
+ root_dispatcher.Register(identifier_val->AsCount(), analyzer);
 else
- default_analyzer = analyzers[analyzer_name];
+ default_analyzer = analyzer;
 continue;
 }
- if ( analyzers.find(parent_name) == analyzers.end() )
+ auto parent_analyzer_it = analyzers.find(parent_name);
+ if ( parent_analyzer_it == analyzers.end() )
 {
 reporter->InternalWarning("Parent analyzer %s not found.", parent_name.c_str());
 continue;
 }
+ auto& parent_analyzer = parent_analyzer_it->second;
- auto& parent_analyzer = analyzers[parent_name];
 if ( identifier_val )
- parent_analyzer->RegisterAnalyzerMapping(identifier_val->AsCount(),
- analyzers[analyzer_name]);
+ parent_analyzer->RegisterAnalyzerMapping(identifier_val->AsCount(), analyzer);
 else
- parent_analyzer->RegisterDefaultAnalyzer(analyzers[analyzer_name]);
+ parent_analyzer->RegisterDefaultAnalyzer(analyzer);
 }
 // Initialize all analyzers
From fc814bd7e2c6bb61b7734808671e2fbb9716050b Mon Sep 17 00:00:00 2001
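Review bot: `Lookup(analyzer_tag)->Name()` at the top of the hunk is dereferenced without a null check, while both `analyzers.find` lookups just below it are guarded with an InternalWarning and `continue`; if Lookup can return nullptr for a tag it does not know (the tag comes from the script-level config_map), a misconfiguration crashes here instead of being reported like the other cases. A guard in the same style before taking the name, `auto component = Lookup(analyzer_tag); if ( ! component ) { reporter->InternalWarning("Analyzer for config entry not found."); continue; }`, keeps the error handling uniform. The iterator/reference rewrite is fine as long as `analyzers` is not modified inside this loop, which the hunk does not show; InitPostScript starts outside the hunk.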
From: Jan Grashoefer Date: Tue, 25 Aug 2020 17:03:20 +0200 Subject: [PATCH 22/43] Add SkipAnalyzer. This is WIP: The test case would require a new pcap or the possibility to overwrite analyzer mappings. The CustomEncapsulationSkip method and the corresponding options need to be removed. --- scripts/base/packet-protocols/__load__.zeek | 1 + .../base/packet-protocols/default/main.zeek | 2 +- .../base/packet-protocols/skip/__load__.zeek | 1 + scripts/base/packet-protocols/skip/main.zeek | 10 +++++++ src/packet_analysis/Dispatcher.cc | 1 + src/packet_analysis/protocol/CMakeLists.txt | 1 + .../protocol/skip/CMakeLists.txt | 8 ++++++ src/packet_analysis/protocol/skip/Plugin.cc | 24 +++++++++++++++++ src/packet_analysis/protocol/skip/Skip.cc | 26 ++++++++++++++++++ src/packet_analysis/protocol/skip/Skip.h | 27 +++++++++++++++++++ testing/btest/core/skip_analyzer.zeek | 13 +++++++++ 11 files changed, 113 insertions(+), 1 deletion(-) create mode 100644 scripts/base/packet-protocols/skip/__load__.zeek create mode 100644 scripts/base/packet-protocols/skip/main.zeek create mode 100644 src/packet_analysis/protocol/skip/CMakeLists.txt create mode 100644 src/packet_analysis/protocol/skip/Plugin.cc create mode 100644 src/packet_analysis/protocol/skip/Skip.cc create mode 100644 src/packet_analysis/protocol/skip/Skip.h create mode 100644 testing/btest/core/skip_analyzer.zeek diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek index 60c804f2fd..1462d895e2 100644 --- a/scripts/base/packet-protocols/__load__.zeek +++ b/scripts/base/packet-protocols/__load__.zeek @@ -1,4 +1,5 @@ @load base/packet-protocols/default +@load base/packet-protocols/skip @load base/packet-protocols/ethernet @load base/packet-protocols/fddi @load base/packet-protocols/ieee802_11 diff --git a/scripts/base/packet-protocols/default/main.zeek b/scripts/base/packet-protocols/default/main.zeek index e3868ada8e..0adc5e3f67 100644 
--- a/scripts/base/packet-protocols/default/main.zeek +++ b/scripts/base/packet-protocols/default/main.zeek @@ -1,4 +1,4 @@ -module PacketAnalyzer::DEFAULT; +module PacketAnalyzer::Default; redef PacketAnalyzer::config_map += { PacketAnalyzer::ConfigEntry($analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER), diff --git a/scripts/base/packet-protocols/skip/__load__.zeek b/scripts/base/packet-protocols/skip/__load__.zeek new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/packet-protocols/skip/__load__.zeek @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/scripts/base/packet-protocols/skip/main.zeek b/scripts/base/packet-protocols/skip/main.zeek new file mode 100644 index 0000000000..b16bcfb22a --- /dev/null +++ b/scripts/base/packet-protocols/skip/main.zeek @@ -0,0 +1,10 @@ +module PacketAnalyzer::SkipAnalyzer; + +export { + ## Bytes to skip. + const skip_bytes: count = 0 &redef; +} + +redef PacketAnalyzer::config_map += { + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_SKIP, $analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER) +}; diff --git a/src/packet_analysis/Dispatcher.cc b/src/packet_analysis/Dispatcher.cc index 841906cf4c..b12ac33623 100644 --- a/src/packet_analysis/Dispatcher.cc +++ b/src/packet_analysis/Dispatcher.cc @@ -48,6 +48,7 @@ bool Dispatcher::Register(uint32_t identifier, AnalyzerPtr analyzer) } int64_t index = identifier - lowest_identifier; + //TODO: Allow to overwrite mappings? if ( table[index] == nullptr ) { table[index] = analyzer; diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt index fbcef0f2c9..5ae00729ff 100644 --- a/src/packet_analysis/protocol/CMakeLists.txt +++ b/src/packet_analysis/protocol/CMakeLists.txt @@ -1,4 +1,5 @@ add_subdirectory(default) +add_subdirectory(skip) add_subdirectory(wrapper) add_subdirectory(null) 
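Review bot: The doc comment `## Bytes to skip.` on `skip_bytes` in the new skip/main.zeek does not say where in the packet the bytes are dropped or what happens afterwards; `## Number of bytes to drop from the start of the data handed to the skip analyzer before it dispatches to the inner analyzer.` tells a script author what the option does. Since the value is a `const ... &redef`, the comment should also say it is read once at initialization if that is the intended contract (the C++ side is outside this hunk).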
diff --git a/src/packet_analysis/protocol/skip/CMakeLists.txt b/src/packet_analysis/protocol/skip/CMakeLists.txt new file mode 100644 index 0000000000..982cf42edd --- /dev/null +++ b/src/packet_analysis/protocol/skip/CMakeLists.txt @@ -0,0 +1,8 @@ + +include(ZeekPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +zeek_plugin_begin(PacketAnalyzer Skip) +zeek_plugin_cc(Skip.cc Plugin.cc) +zeek_plugin_end() diff --git a/src/packet_analysis/protocol/skip/Plugin.cc b/src/packet_analysis/protocol/skip/Plugin.cc new file mode 100644 index 0000000000..ed3d70a564 --- /dev/null +++ b/src/packet_analysis/protocol/skip/Plugin.cc @@ -0,0 +1,24 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "Skip.h" +#include "plugin/Plugin.h" +#include "packet_analysis/Component.h" + +namespace zeek::plugin::Zeek_Skip { + +class Plugin : public zeek::plugin::Plugin { +public: + zeek::plugin::Configuration Configure() + { + AddComponent(new zeek::packet_analysis::Component("Skip", + zeek::packet_analysis::Skip::SkipAnalyzer::Instantiate)); + + zeek::plugin::Configuration config; + config.name = "Zeek::Skip"; + config.description = "Skip packet analyzer"; + return config; + } + +} plugin; + +} diff --git a/src/packet_analysis/protocol/skip/Skip.cc b/src/packet_analysis/protocol/skip/Skip.cc new file mode 100644 index 0000000000..966561c630 --- /dev/null +++ b/src/packet_analysis/protocol/skip/Skip.cc 
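Review bot: `zeek::plugin::Configuration Configure()` in the new Plugin class carries no `override`, although it presumably replaces the virtual Configure() of zeek::plugin::Plugin; writing `zeek::plugin::Configuration Configure() override` lets the compiler reject a signature mismatch, the same way `~SkipAnalyzer() override = default;` already does in Skip.h.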
@@ -0,0 +1,26 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "Skip.h" +#include "NetVar.h" + +using namespace zeek::packet_analysis::Skip; + +SkipAnalyzer::SkipAnalyzer() + : zeek::packet_analysis::Analyzer("Skip") + { + } + +void SkipAnalyzer::Initialize() + { + auto& skip_val = zeek::id::find_val("PacketAnalyzer::SkipAnalyzer::skip_bytes"); + if ( ! skip_val ) + return; + + skip_bytes = skip_val->AsCount(); + } + +zeek::packet_analysis::AnalyzerResult SkipAnalyzer::Analyze(Packet* packet, const uint8_t*& data) + { + data += skip_bytes; + return AnalyzeInnerPacket(packet, data); + } diff --git a/src/packet_analysis/protocol/skip/Skip.h b/src/packet_analysis/protocol/skip/Skip.h new file mode 100644 index 0000000000..a18a7c8bec --- /dev/null +++ b/src/packet_analysis/protocol/skip/Skip.h @@ -0,0 +1,27 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#pragma once + +#include +#include + +namespace zeek::packet_analysis::Skip { + +class SkipAnalyzer : public Analyzer { +public: + SkipAnalyzer(); + ~SkipAnalyzer() override = default; + + void Initialize() override; + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; + + static zeek::packet_analysis::AnalyzerPtr Instantiate() + { + return std::make_shared(); + } + +private: + bro_uint_t skip_bytes = 0; +}; + +} diff --git a/testing/btest/core/skip_analyzer.zeek b/testing/btest/core/skip_analyzer.zeek new file mode 100644 index 0000000000..47dc0663d6 --- /dev/null +++ b/testing/btest/core/skip_analyzer.zeek @@ -0,0 +1,13 @@ +# A test of the skip analyzer + +# @TEST-EXEC: zeek -b -C -r $TRACES/tunnels/gre-sample.pcap %INPUT +# @TEST-EXEC: btest-diff conn.log + +@load base/protocols/conn +@load base/frameworks/tunnels + +redef PacketAnalyzer::config_map += { + PacketAnalyzer::ConfigEntry($identifier=1, $analyzer=PacketAnalyzer::ANALYZER_SKIP) +}; + +redef PacketAnalyzer::SkipAnalyzer::skip_bytes: count = 38; 
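Review bot: `data += skip_bytes;` in SkipAnalyzer::Analyze advances the cursor without checking it against `packet->GetEndOfData()`; skip_bytes is a script-redefinable count, so a value larger than the remaining payload hands the inner analyzer a pointer beyond the packet buffer, and forming that pointer is already undefined behaviour. Guard it before the increment, mirroring the truncated-header handling the other analyzers use: `if ( packet->GetEndOfData() - data < static_cast<ptrdiff_t>(skip_bytes) ) { packet->Weird("<weird-name placeholder>"); return AnalyzerResult::Failed; }`. Initialize() reads skip_bytes once into the member, so a later change of the option is presumably not picked up; a one-line comment on the member in Skip.h stating that would save the next reader a look.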
From 54961b5ea26ff9d7cb709904fbfa41a0ac6ae0ae Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Wed, 26 Aug 2020 13:53:06 +0200 Subject: [PATCH 23/43] Allow to overwrite packet analysis mappings. --- src/packet_analysis/Analyzer.cc | 4 +-- src/packet_analysis/Analyzer.h | 3 +- src/packet_analysis/Dispatcher.cc | 51 ++++++++----------------------- src/packet_analysis/Dispatcher.h | 41 +++++++++++++++++++------ src/packet_analysis/Manager.cc | 3 ++ 5 files changed, 50 insertions(+), 52 deletions(-) diff --git a/src/packet_analysis/Analyzer.cc b/src/packet_analysis/Analyzer.cc index 82c0add46c..55b7e5fd9c 100644 --- a/src/packet_analysis/Analyzer.cc +++ b/src/packet_analysis/Analyzer.cc @@ -42,9 +42,9 @@ bool Analyzer::IsAnalyzer(const char* name) return packet_mgr->GetComponentName(tag) == name; } -bool Analyzer::RegisterAnalyzerMapping(uint32_t identifier, AnalyzerPtr analyzer) +void Analyzer::RegisterAnalyzerMapping(uint32_t identifier, AnalyzerPtr analyzer) { - return dispatcher.Register(identifier, std::move(analyzer)); + dispatcher.Register(identifier, std::move(analyzer)); } void Analyzer::RegisterDefaultAnalyzer(AnalyzerPtr default_analyzer) diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h index a52ab4d8df..7c74b4ab18 100644 --- a/src/packet_analysis/Analyzer.h +++ b/src/packet_analysis/Analyzer.h @@ -74,9 +74,8 @@ public: * * @param identifier The identifier an analyzer should be called for. * @param analyzer The analyzer that should be called. - * @return True if the registration was successful. */ - bool RegisterAnalyzerMapping(uint32_t identifier, AnalyzerPtr analyzer); + void RegisterAnalyzerMapping(uint32_t identifier, AnalyzerPtr analyzer); /** * Registers a default analyzer. diff --git a/src/packet_analysis/Dispatcher.cc b/src/packet_analysis/Dispatcher.cc index b12ac33623..d1b169045b 100644 --- a/src/packet_analysis/Dispatcher.cc +++ b/src/packet_analysis/Dispatcher.cc 
@@ -4,6 +4,7 @@
 #include "Dispatcher.h"
 #include "Analyzer.h"
+#include "Reporter.h"
 #include "DebugLogger.h"
 namespace zeek::packet_analysis {
@@ -13,14 +14,14 @@ Dispatcher::~Dispatcher()
 FreeValues();
 }
-bool Dispatcher::Register(uint32_t identifier, AnalyzerPtr analyzer)
+void Dispatcher::Register(uint32_t identifier, AnalyzerPtr analyzer)
 {
 // If the table has size 1 and the entry is nullptr, there was nothing added yet. Just add it.
 if ( table.size() == 1 && table[0] == nullptr )
 {
- table[0] = analyzer;
+ table[0] = std::move(analyzer);
 lowest_identifier = identifier;
- return true;
+ return;
 }
 // If highestIdentifier == identifier, overwrite would happen -> no check needed, will return false
@@ -39,7 +40,7 @@ bool Dispatcher::Register(uint32_t identifier, AnalyzerPtr analyzer)
 {
 if ( table[i] != nullptr )
 {
- table.at(i + distance) = table.at(i);
+ table.at(i + distance) = std::move(table.at(i));
 table.at(i) = nullptr;
 }
 }
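Review bot: The context comment immediately after the changed lines, `// If highestIdentifier == identifier, overwrite would happen -> no check needed, will return false`, is now wrong on both counts: `Register` returns `void` after this commit, and overwriting is exactly what it now does instead of refusing. Suggest `// identifier == highest identifier: no resize needed; the existing entry is replaced below.` The shifting and resize logic this comment introduces continues outside the hunk, so it is worth checking whether any other comment there still describes the old refuse-on-duplicate behaviour.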
@@ -48,36 +49,10 @@ bool Dispatcher::Register(uint32_t identifier, AnalyzerPtr analyzer)
 }
 int64_t index = identifier - lowest_identifier;
- //TODO: Allow to overwrite mappings?
- if ( table[index] == nullptr )
- {
- table[index] = analyzer;
- return true;
- }
-
- return false;
- }
-
-void Dispatcher::Register(const register_map& data)
- {
- // Search smallest and largest identifier and resize vector
- const auto& lowest_new =
- std::min_element(data.begin(), data.end(),
- [](const register_pair& a, const register_pair& b) {
- return a.first < b.first;
- });
-
- // Register lowest first in order to do shifting only once
- Register(lowest_new->first, lowest_new->second);
- for ( auto i = data.begin(); i != data.end(); i++ )
- {
- // Already added if i == lowest_new
- if ( i == lowest_new )
- continue;
-
- if ( ! Register(i->first, i->second) )
- throw std::invalid_argument("Analyzer already registered!");
- }
+ if ( table[index] != nullptr )
+ reporter->InternalWarning("Overwriting packet analyzer mapping %#8" PRIx64 " => %s with %s",
+ index+lowest_identifier, table[index]->GetAnalyzerName(), analyzer->GetAnalyzerName());
+ table[index] = std::move(analyzer);
 }
 AnalyzerPtr Dispatcher::Lookup(uint32_t identifier) const
@@ -89,7 +64,7 @@ AnalyzerPtr Dispatcher::Lookup(uint32_t identifier) const
 return nullptr;
 }
-size_t Dispatcher::Size() const
+size_t Dispatcher::Count() const
 {
 return std::count_if(table.begin(), table.end(), [](AnalyzerPtr a) { return a != nullptr; });
 }
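Review bot: The new overwrite path calls `analyzer->GetAnalyzerName()` without checking `analyzer`; `Manager::InstantiateAnalyzer` returns `nullptr` for an unknown name (visible later in this series), so if such a result ever reaches `Register` for an identifier that already has a mapping this is a null dereference, and for a fresh slot it silently stores an empty entry that `Lookup` then reports as "no analyzer". Guard at the top of the function: `if ( ! analyzer ) { reporter->InternalWarning("Ignoring null packet analyzer for identifier %#8" PRIx32, identifier); return; }`. Separately, a replaced mapping is a script-configuration matter rather than an internal inconsistency, so `reporter->Warning` fits better than `InternalWarning` for the overwrite message, and `index+lowest_identifier` is an `int64_t` printed with `PRIx64`; casting it to `uint64_t` keeps the format and argument types matched.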
@@ -109,12 +84,12 @@ void Dispatcher::FreeValues()
 void Dispatcher::DumpDebug() const
 {
 #ifdef DEBUG
- DBG_LOG(DBG_PACKET_ANALYSIS, " Dispatcher elements (used/total): %lu/%lu", Size(), table.size());
- DBG_LOG(DBG_PACKET_ANALYSIS, "TABLE SIZE %lu", table.size());
+ DBG_LOG(DBG_PACKET_ANALYSIS, "Dispatcher elements (used/total): %lu/%lu", Count(), table.size());
 for ( size_t i = 0; i < table.size(); i++ )
 {
 if ( table[i] != nullptr )
- DBG_LOG(DBG_PACKET_ANALYSIS, " %#8lx => %s", i+lowest_identifier, table[i]->GetAnalyzerName());
+ DBG_LOG(DBG_PACKET_ANALYSIS, "%#8lx => %s",
+ i+lowest_identifier, table[i]->GetAnalyzerName());
 }
 #endif
 }
diff --git a/src/packet_analysis/Dispatcher.h b/src/packet_analysis/Dispatcher.h
index 8f730022b4..2c556e074c 100644
--- a/src/packet_analysis/Dispatcher.h
+++ b/src/packet_analysis/Dispatcher.h
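Review bot: `DumpDebug` prints `Count()` and `table.size()`, both `size_t`, with `%lu`, and `i+lowest_identifier` (also `size_t`) with `%#8lx`; these only line up on LP64 targets and trip `-Wformat` elsewhere. Use the `size_t` conversions in the rewritten lines: `"Dispatcher elements (used/total): %zu/%zu"` and `"%#8zx => %s"`. It is debug-only code, so the impact is low, but the commit already touches both format strings, so it is the cheapest moment to fix them.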
@@ -12,24 +12,45 @@ namespace zeek::packet_analysis {
 class Analyzer; // Forward declaration for Value
 using AnalyzerPtr = std::shared_ptr;
-using register_pair = std::pair;
-using register_map = std::map;
-
+/**
+ * The Dispatcher class manages identifier-to-analyzer mappings.
+ */
 class Dispatcher {
 public:
- Dispatcher()
- : table(std::vector(1, nullptr))
- { }
-
+ Dispatcher() : table(std::vector(1, nullptr)) { };
 ~Dispatcher();
- bool Register(uint32_t identifier, AnalyzerPtr analyzer);
- void Register(const register_map& data);
+ /**
+ * Register an analyzer for a given identifier.
+ *
+ * @param identifier The identifier.
+ * @param analyzer The analyzer to register.
+ */
+ void Register(uint32_t identifier, AnalyzerPtr analyzer);
+ /**
+ * Looks up the analyzer for an identifier.
+ *
+ * @param identifier The identifier to look up.
+ * @return The analyzer registered for the given identifier. Returns a
+ * nullptr if no analyzer is registered.
+ */
 AnalyzerPtr Lookup(uint32_t identifier) const;
- size_t Size() const;
+ /**
+ * Returns the number of registered analyzers.
+ * @return Number of registered analyzers.
+ */
+ size_t Count() const;
+
+ /**
+ * Removes all mappings from the dispatcher.
+ */
 void Clear();
+
+ /**
+ * Dumps out the data structure to the \c analyzer debug stream.
+ */
 void DumpDebug() const;
 private:
diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc
index 7e68a5bfef..6d277a9a0b 100644
--- a/src/packet_analysis/Manager.cc
+++ b/src/packet_analysis/Manager.cc
@@ -90,6 +90,9 @@ void Manager::DumpDebug()
 {
 DBG_LOG(DBG_PACKET_ANALYSIS, " %s", current->Name().c_str());
 }
+
+ DBG_LOG(DBG_PACKET_ANALYSIS, "Root dispatcher:");
+ root_dispatcher.DumpDebug();
 #endif
 }
From aa4506ad060f53490677af9729122e5f9e99abdf Mon Sep 17 00:00:00 2001
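Review bot: The rewritten constructor line in Dispatcher.h ends in `{ };`, a stray semicolon after the body that is an empty declaration inside the class and draws a warning under `-Wpedantic`; drop it so the line ends in `{ }`. The new doc block on `Register` also omits the one fact this commit adds, that an existing mapping for the identifier is replaced; add `* Any analyzer already registered for the identifier is replaced.` so the header, not only the `.cc`, states the contract. The `Count()` and `Clear()` comments are fine as written.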
From: Jan Grashoefer Date: Wed, 26 Aug 2020 14:12:04 +0200 Subject: [PATCH 24/43] Add skip analyzer test and update baselines. --- .../btest/Baseline/core.skip_analyzer/conn.log | 16 ++++++++++++++++ .../canonified_loaded_scripts.log | 6 ++++-- .../canonified_loaded_scripts.log | 6 ++++-- testing/btest/Baseline/plugins.hooks/output | 17 ++++++++++------- testing/btest/core/skip_analyzer.zeek | 5 +++-- 5 files changed, 37 insertions(+), 13 deletions(-) create mode 100644 testing/btest/Baseline/core.skip_analyzer/conn.log diff --git a/testing/btest/Baseline/core.skip_analyzer/conn.log b/testing/btest/Baseline/core.skip_analyzer/conn.log new file mode 100644 index 0000000000..7de75363cf --- /dev/null +++ b/testing/btest/Baseline/core.skip_analyzer/conn.log 
@@ -0,0 +1,16 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2020-08-26-12-05-07 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +1055289978.756932 C4J4Th3PJpwUYZZ6gc 66.59.111.190 40264 172.28.2.3 22 tcp - 3.157831 952 1671 SF - - 0 ShAdDaFf 12 1584 10 2199 - +1055289973.849878 ClEkJM2Vm5giqnMf4h 66.59.111.190 123 18.26.4.105 123 udp - 0.074086 48 48 SF - - 0 Dd 1 76 1 76 - +1055289992.849231 CmES5u32sYpV7JYN 66.59.111.190 123 66.59.111.182 123 udp - 0.056629 48 48 SF - - 0 Dd 1 76 1 76 - +1055289996.849099 CP5puj4I8PtEU4qzYg 66.59.111.190 123 129.170.17.4 123 udp - 0.072374 48 48 SF - - 0 Dd 1 76 1 76 - +1055289987.055189 CtPZjS20MLrsMUOJi2 66.59.111.190 37675 172.28.2.3 53 udp - 5.001141 66 0 S0 - - 0 D 2 122 0 0 - +1055289968.793044 CHhAvVGS1DHFjwGM9 66.59.111.190 8 172.28.2.3 0 icmp - 3.061298 224 224 OTH - - 0 - 4 336 4 336 - +1055289987.106744 CUM0KZ3MLUfNB0cl11 172.28.2.3 3 66.59.111.190 3 icmp - 4.994662 122 0 OTH - - 0 - 2 178 0 0 - +#close 2020-08-26-12-05-07 diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 1cfc2492cd..06e46c20d5 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2020-07-13-15-09-39 +#open 2020-08-26-12-08-09 #fields name #types string scripts/base/init-bare.zeek 
@@ -22,6 +22,8 @@ scripts/base/init-bare.zeek scripts/base/packet-protocols/__load__.zeek scripts/base/packet-protocols/default/__load__.zeek scripts/base/packet-protocols/default/main.zeek + scripts/base/packet-protocols/skip/__load__.zeek + scripts/base/packet-protocols/skip/main.zeek scripts/base/packet-protocols/ethernet/__load__.zeek scripts/base/packet-protocols/ethernet/main.zeek scripts/base/packet-protocols/fddi/__load__.zeek @@ -210,4 +212,4 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek scripts/policy/misc/loaded-scripts.zeek scripts/base/utils/paths.zeek -#close 2020-07-13-15-09-39 +#close 2020-08-26-12-08-09 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 8c8f58b0bd..53c9751365 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2020-09-22-16-54-06 +#open 2020-09-22-16-59-24 #fields name #types string scripts/base/init-bare.zeek @@ -22,6 +22,8 @@ scripts/base/init-bare.zeek scripts/base/packet-protocols/__load__.zeek scripts/base/packet-protocols/default/__load__.zeek scripts/base/packet-protocols/default/main.zeek + scripts/base/packet-protocols/skip/__load__.zeek + scripts/base/packet-protocols/skip/main.zeek scripts/base/packet-protocols/ethernet/__load__.zeek scripts/base/packet-protocols/ethernet/main.zeek scripts/base/packet-protocols/fddi/__load__.zeek @@ -406,4 +408,4 @@ scripts/base/init-default.zeek scripts/base/misc/find-filtered-trace.zeek scripts/base/misc/version.zeek scripts/policy/misc/loaded-scripts.zeek -#close 2020-09-22-16-54-06 +#close 2020-09-22-16-59-24 
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 96865c911b..e29903e23f 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -283,7 +283,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600793375.962139, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600793985.114718, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> 
@@ -464,7 +464,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600793375.962139, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600793985.114718, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -896,6 +896,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/signatures) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/sip) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/site.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/skip) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/smb) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/smtp) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/snmp) -> -1 
@@ -1225,7 +1226,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600793375.962139, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600793985.114718, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) @@ -1406,7 +1407,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600793375.962139, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600793985.114718, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1838,6 +1839,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/signatures) 0.000000 MetaHookPre LoadFile(0, base<...>/sip) 0.000000 MetaHookPre LoadFile(0, base<...>/site.zeek) +0.000000 MetaHookPre LoadFile(0, base<...>/skip) 0.000000 MetaHookPre LoadFile(0, base<...>/smb) 0.000000 MetaHookPre LoadFile(0, base<...>/smtp) 0.000000 MetaHookPre LoadFile(0, base<...>/snmp) @@ -2166,7 +2168,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1600793375.962139, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1600793985.114718, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) @@ -2347,7 +2349,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1600793375.962139, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1600793985.114718, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() 
@@ -2791,6 +2793,7 @@ 0.000000 | HookLoadFile base<...>/signatures 0.000000 | HookLoadFile base<...>/sip 0.000000 | HookLoadFile base<...>/site.zeek +0.000000 | HookLoadFile base<...>/skip 0.000000 | HookLoadFile base<...>/smb 0.000000 | HookLoadFile base<...>/smtp 0.000000 | HookLoadFile base<...>/snmp @@ -2819,7 +2822,7 @@ 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLoadFile base<...>/zeek.bif.zeek 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1600793375.962139, node=zeek, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1600793985.114718, node=zeek, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent filter_change_tracking() 0.000000 | HookQueueEvent zeek_init() diff --git a/testing/btest/core/skip_analyzer.zeek b/testing/btest/core/skip_analyzer.zeek index 47dc0663d6..70018e6aeb 100644 --- a/testing/btest/core/skip_analyzer.zeek +++ b/testing/btest/core/skip_analyzer.zeek @@ -1,7 +1,8 @@ -# A test of the skip analyzer - # @TEST-EXEC: zeek -b -C -r $TRACES/tunnels/gre-sample.pcap %INPUT # @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: test ! -e tunnel.log + +# Test the skip analyzer by skipping everything outside the GRE tunnel. @load base/protocols/conn @load base/frameworks/tunnels From 0925b3bbecc8672bfc708d622e746d528c3eaa10 Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Wed, 26 Aug 2020 15:12:49 +0200 Subject: [PATCH 25/43] Remove encap_hdr_size (replaced by skip analyzer). --- scripts/base/init-bare.zeek | 4 ---- src/NetVar.cc | 5 ----- src/NetVar.h | 3 --- src/packet_analysis/Manager.cc | 36 ---------------------------------- src/packet_analysis/Manager.h | 10 ---------- 5 files changed, 58 deletions(-) diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index dd21ff686a..db2f04145a 100644 
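Review bot: The new comment in skip_analyzer.zeek says the test skips "everything outside the GRE tunnel" but leaves the `skip_bytes = 38` further down (outside this hunk) unexplained, and the added `test ! -e tunnel.log` line is the assertion that the outer GRE layer was skipped rather than decapsulated, which is also not said. Suggest extending the comment to `# Test the skip analyzer by skipping everything outside the GRE tunnel: skip_bytes covers the outer link-layer, IP and GRE headers of the trace, so the tunnel framework must see no tunnel and no tunnel.log may be written.` The exact header breakdown that makes up 38 bytes is presumably Ethernet + IPv4 + GRE, but that should be confirmed against gre-sample.pcap before it is written into the file.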
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -1225,10 +1225,6 @@ const rpc_timeout = 24 sec &redef;
 ## means "forever", which resists evasion, but can lead to state accrual.
 const frag_timeout = 0.0 sec &redef;
-## If positive, indicates the encapsulation header size that should
-## be skipped. This applies to all packets.
-const encap_hdr_size = 0 &redef;
-
 ## Whether to use the ``ConnSize`` analyzer to count the number of packets and
 ## IP-level bytes transferred by each endpoint. If true, these values are
 ## returned in the connection's :zeek:see:`endpoint` record value.
diff --git a/src/NetVar.cc b/src/NetVar.cc
index edd778fa92..dfc52e0ea4 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -113,8 +113,6 @@ int partial_connection_ok;
 int tcp_SYN_ack_ok;
 int tcp_match_undelivered;
-int encap_hdr_size;
-
 double frag_timeout;
 double tcp_SYN_timeout;
@@ -261,8 +259,6 @@ void init_net_var()
 tcp_SYN_ack_ok = id::find_val("tcp_SYN_ack_ok")->AsBool();
 tcp_match_undelivered = id::find_val("tcp_match_undelivered")->AsBool();
- encap_hdr_size = id::find_val("encap_hdr_size")->AsCount();
-
 frag_timeout = id::find_val("frag_timeout")->AsInterval();
 tcp_SYN_timeout = id::find_val("tcp_SYN_timeout")->AsInterval();
@@ -365,7 +361,6 @@ int& ignore_checksums = zeek::detail::ignore_checksums;
 int& partial_connection_ok = zeek::detail::partial_connection_ok;
 int& tcp_SYN_ack_ok = zeek::detail::tcp_SYN_ack_ok;
 int& tcp_match_undelivered = zeek::detail::tcp_match_undelivered;
-int& encap_hdr_size = zeek::detail::encap_hdr_size;
 double& frag_timeout = zeek::detail::frag_timeout;
 double& tcp_SYN_timeout = zeek::detail::tcp_SYN_timeout;
 double& tcp_session_timer = zeek::detail::tcp_session_timer;
diff --git a/src/NetVar.h b/src/NetVar.h
index 45199108b0..29a1bb55fc 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -17,8 +17,6 @@ extern int partial_connection_ok;
 extern int tcp_SYN_ack_ok;
 extern int tcp_match_undelivered;
-extern int encap_hdr_size;
-
 extern double frag_timeout;
 extern double tcp_SYN_timeout;
@@ -117,7 +115,6 @@ extern int& ignore_checksums [[deprecated("Remove in v4.1. Use zeek::detail::ign
 extern int& partial_connection_ok [[deprecated("Remove in v4.1. Use zeek::detail::partial_connection_ok.")]];
 extern int& tcp_SYN_ack_ok [[deprecated("Remove in v4.1. Use zeek::detail::tcp_SYN_ack_ok.")]];
 extern int& tcp_match_undelivered [[deprecated("Remove in v4.1. Use zeek::detail::tcp_match_undelivered.")]];
-extern int& encap_hdr_size [[deprecated("Remove in v4.1. Use zeek::detail::encap_hdr_size.")]];
 extern double& frag_timeout [[deprecated("Remove in v4.1. Use zeek::detail::frag_timeout.")]];
 extern double& tcp_SYN_timeout [[deprecated("Remove in v4.1. Use zeek::detail::tcp_SYN_timeout.")]];
 extern double& tcp_session_timer [[deprecated("Remove in v4.1. Use zeek::detail::tcp_session_timer.")]];
diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc
index 6d277a9a0b..1654fb7ddb 100644
--- a/src/packet_analysis/Manager.cc
+++ b/src/packet_analysis/Manager.cc
@@ -2,7 +2,6 @@
 #include "Manager.h"
-#include "NetVar.h"
 #include "Analyzer.h"
 #include "Dispatcher.h"
@@ -132,8 +131,6 @@ void Manager::ProcessPacket(Packet* packet)
 }
 auto result = analyzer->Analyze(packet, data);
- if (result == AnalyzerResult::Terminate)
- CustomEncapsulationSkip(packet, data);
 // Calculate header size after processing packet layers.
 packet->hdr_size = static_cast(data - packet->data);
@@ -177,36 +174,3 @@ AnalyzerPtr Manager::InstantiateAnalyzer(const std::string& name)
 Tag tag = GetComponentTag(name);
 return tag ? InstantiateAnalyzer(tag) : nullptr;
 }
-
-void Manager::CustomEncapsulationSkip(Packet* packet, const uint8_t* data)
- {
- if ( zeek::detail::encap_hdr_size > 0 )
- {
- // Blanket encapsulation. We assume that what remains is IP.
- if ( data + zeek::detail::encap_hdr_size + sizeof(struct ip) >= packet->GetEndOfData() )
- {
- packet->Weird("no_ip_left_after_encap");
- return;
- }
-
- data += zeek::detail::encap_hdr_size;
-
- auto ip = (const struct ip*)data;
-
- switch ( ip->ip_v )
- {
- case 4:
- packet->l3_proto = L3_IPV4;
- break;
- case 6:
- packet->l3_proto = L3_IPV6;
- break;
- default:
- {
- // Neither IPv4 nor IPv6.
- packet->Weird("no_ip_in_encap");
- return;
- }
- }
- }
- }
diff --git a/src/packet_analysis/Manager.h b/src/packet_analysis/Manager.h
index cbded374e1..f13feaa590 100644
--- a/src/packet_analysis/Manager.h
+++ b/src/packet_analysis/Manager.h
@@ -89,16 +89,6 @@ private:
 */
 AnalyzerPtr InstantiateAnalyzer(const std::string& name);
- /**
- * Skips a fixed amount of packet data that is defined by encap_hdr_size.
- * It is assumed that an IP header follows.
- *
- * @param packet The packet to adapt.
- *
- * @param data Pointer to remaining payload.
- */
- void CustomEncapsulationSkip(Packet* packet, const uint8_t* data);
-
 std::map analyzers;
 Dispatcher root_dispatcher;
 AnalyzerPtr default_analyzer = nullptr;
From 2d7280fabd4d726f30e6e7a6f366019b43cde7ea Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Wed, 26 Aug 2020 23:44:23 +0000
Subject: [PATCH 26/43] Fix some build issues from the rebase

---
 testing/btest/Baseline/plugins.hooks/output | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index e29903e23f..c30578cb03 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output @@ -283,7 +283,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600793985.114718, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> @@ -464,7 +464,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600793985.114718, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -1226,7 +1226,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600793985.114718, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) @@ -1407,7 +1407,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600793985.114718, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -2168,7 +2168,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1600793985.114718, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) @@ -2349,7 +2349,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1600793985.114718, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() 
@@ -2822,7 +2822,7 @@ 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLoadFile base<...>/zeek.bif.zeek 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1600793985.114718, node=zeek, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent filter_change_tracking() 0.000000 | HookQueueEvent zeek_init() From 0ec7516602a77b3e0fd7122f9654fcde6872a08e Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Fri, 28 Aug 2020 14:41:34 +0200 Subject: [PATCH 27/43] Small cleanup of packet analysis. --- scripts/base/init-bare.zeek | 24 ++++++++++++------------ src/packet_analysis/Manager.cc | 2 +- src/packet_analysis/Tag.cc | 10 ---------- src/packet_analysis/Tag.h | 20 -------------------- 4 files changed, 13 insertions(+), 43 deletions(-) diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index db2f04145a..3efb1180da 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek 
@@ -5340,24 +5340,24 @@ event net_done(t: time)
 module PacketAnalyzer;
-# Defines a mapping for the PacketAnalyzer's configuration tree. This
-# maps from a parent analyzer to a child analyzer through a numeric
-# identifier.
+## Defines a mapping for the PacketAnalyzer's configuration tree. This
+## maps from a parent analyzer to a child analyzer through a numeric
+## identifier.
 export {
 type ConfigEntry : record {
- # The parent analyzer. This analyzer will check for the *identifier* in the
- # packet data to know whether to call the next analyzer. This field is optional.
- # If it is not included, the identifier will attach to the "root" analyzer. The
- # root analyzer uses the link layer identifier provided by the packet source to
- # determine the protocol for the initial packet header.
+ ## The parent analyzer. This analyzer will check for the *identifier* in the
+ ## packet data to know whether to call the next analyzer. This field is optional.
+ ## If it is not included, the identifier will attach to the "root" analyzer. The
+ ## root analyzer uses the link layer identifier provided by the packet source to
+ ## determine the protocol for the initial packet header.
 parent : PacketAnalyzer::Tag &optional;
- # A numeric identifier, which can be found in the packet data, that denotes the
- # encapsulated protocol. This field is optional. If it is not included, the
- # configured child analyzer will be used as default analyzer.
+ ## A numeric identifier, which can be found in the packet data, that denotes the
+ ## encapsulated protocol. This field is optional. If it is not included, the
+ ## configured child analyzer will be used as default analyzer.
 identifier : count &optional;
- # The analyzer that corresponds to the above identifier.
+ ## The analyzer that corresponds to the above identifier.
 analyzer : PacketAnalyzer::Tag;
 };
diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc
index 1654fb7ddb..0ad05ed4d6 100644
--- a/src/packet_analysis/Manager.cc
+++ b/src/packet_analysis/Manager.cc
@@ -30,7 +30,7 @@ void Manager::InitPostScript()
 if ( mapping_val->Size() == 0 )
 return;
- for (unsigned int i = 0; i < mapping_val->Size(); i++)
+ for ( unsigned int i = 0; i < mapping_val->Size(); i++ )
 {
 auto* rv = mapping_val->At(i)->AsRecordVal();
 //TODO: Make that field a string for usability reasons
diff --git a/src/packet_analysis/Tag.cc b/src/packet_analysis/Tag.cc
index c33ab0dd82..8a3cc89ea6 100644
--- a/src/packet_analysis/Tag.cc
+++ b/src/packet_analysis/Tag.cc
@@ -23,19 +23,9 @@ const IntrusivePtr& Tag::AsVal() const
 return zeek::Tag::AsVal(packet_mgr->GetTagType());
 }
-EnumVal* Tag::AsEnumVal() const
- {
- return AsVal().get();
- }
-
 Tag::Tag(IntrusivePtr val)
 : zeek::Tag(std::move(val))
 {
 }
-Tag::Tag(EnumVal* val)
- : zeek::Tag({NewRef {}, val})
- {
- }
-
 }
diff --git a/src/packet_analysis/Tag.h b/src/packet_analysis/Tag.h
index 2ab1f12a4f..6233f6d89e 100644
--- a/src/packet_analysis/Tag.h
+++ b/src/packet_analysis/Tag.h
@@ -9,14 +9,6 @@ namespace zeek::plugin {
 template class TaggedComponent;
 template class ComponentManager;
 }
-namespace plugin {
- template
- using TaggedComponent [[deprecated("Remove in v4.1. Use zeek::plugin::TaggedComponent instead.")]] =
- zeek::plugin::TaggedComponent;
- template
- using ComponentManager [[deprecated("Remove in v4.1. Use zeek::plugin::ComponentManager instead.")]] =
- zeek::plugin::ComponentManager;
-}
 namespace zeek::packet_analysis {
@@ -87,15 +79,6 @@ public:
 */
 const IntrusivePtr& AsVal() const;
- /**
- * Returns the \c Analyzer::Tag enum that corresponds to this tag.
- * The returned value does not have its ref-count increased.
- *
- * @param etype the script-layer enum type associated with the tag.
- */
- [[deprecated("Remove in v4.1. Use AsVal() instead.")]]
- EnumVal* AsEnumVal() const;
-
 static Tag Error;
 protected:
@@ -122,9 +105,6 @@ protected: * @param val An enum value of script type \c Analyzer::Tag. */ explicit Tag(IntrusivePtr val); - - [[deprecated("Remove in v4.1. Construct from IntrusivePtr instead")]] - explicit Tag(EnumVal* val); }; } From 24babf096ebf4a46c59e76bca8d91653fbb57b16 Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Fri, 28 Aug 2020 16:27:53 +0200 Subject: [PATCH 28/43] Move ARP analysis into packet analyzer. --- src/Sessions.cc | 14 +- src/Sessions.h | 2 - src/analyzer/protocol/CMakeLists.txt | 1 - src/analyzer/protocol/arp/ARP.cc | 244 ------------------ src/analyzer/protocol/arp/ARP.h | 66 ----- src/analyzer/protocol/arp/CMakeLists.txt | 15 -- src/analyzer/protocol/arp/Plugin.cc | 18 -- src/packet_analysis/CMakeLists.txt | 1 + src/packet_analysis/protocol/arp/ARP.cc | 207 ++++++++++++++- src/packet_analysis/protocol/arp/ARP.h | 15 ++ .../protocol/arp/CMakeLists.txt | 5 +- .../protocol/arp/events.bif | 0 .../protocol/ipv6/CMakeLists.txt | 2 +- .../protocol/linux_sll/CMakeLists.txt | 2 +- .../protocol/null/CMakeLists.txt | 2 +- .../canonified_loaded_scripts.log | 6 +- .../canonified_loaded_scripts.log | 6 +- 17 files changed, 238 insertions(+), 368 deletions(-) delete mode 100644 src/analyzer/protocol/arp/ARP.cc delete mode 100644 src/analyzer/protocol/arp/ARP.h delete mode 100644 src/analyzer/protocol/arp/CMakeLists.txt delete mode 100644 src/analyzer/protocol/arp/Plugin.cc rename src/{analyzer => packet_analysis}/protocol/arp/events.bif (100%) diff --git a/src/Sessions.cc b/src/Sessions.cc index 1b375b0e09..79014f2808 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -22,8 +22,6 @@ #include "analyzer/protocol/stepping-stone/SteppingStone.h" #include "analyzer/protocol/stepping-stone/events.bif.h" -#include "analyzer/protocol/arp/ARP.h" -#include "analyzer/protocol/arp/events.bif.h" #include "Discard.h" #include "RuleMatcher.h" 
@@ -33,6 +31,8 @@ #include "iosource/IOSource.h" #include "iosource/PktDumper.h" +#include "pcap.h" + // These represent NetBIOS services on ephemeral ports. They're numbered // so that we can use a single int to hold either an actual TCP/UDP server // port or one of these. @@ -96,11 +96,6 @@ NetSessions::NetSessions() else pkt_profiler = nullptr; - if ( arp_request || arp_reply || bad_arp ) - arp_analyzer = new analyzer::arp::ARP_Analyzer(); - else - arp_analyzer = nullptr; - memset(&stats, 0, sizeof(SessionStats)); } @@ -108,7 +103,6 @@ NetSessions::~NetSessions() { delete packet_filter; delete pkt_profiler; - Unref(arp_analyzer); delete discarder; delete stp_manager; @@ -178,8 +172,8 @@ void NetSessions::NextPacket(double t, const Packet* pkt) else if ( pkt->l3_proto == L3_ARP ) { - if ( arp_analyzer ) - arp_analyzer->NextPacket(t, pkt); + // Do nothing here as ARP has moved into a packet analyzer + //TODO: Revisit the use of packet's l3_proto } else diff --git a/src/Sessions.h b/src/Sessions.h index fe483ca0b8..8539fe4b0b 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -234,8 +234,6 @@ protected: using IPTunnelMap = std::map; IPTunnelMap ip_tunnels; - analyzer::arp::ARP_Analyzer* arp_analyzer; - analyzer::stepping_stone::SteppingStoneManager* stp_manager; detail::Discarder* discarder; detail::PacketFilter* packet_filter; diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt index a6f091fa45..f63d021ccd 100644 --- a/src/analyzer/protocol/CMakeLists.txt +++ b/src/analyzer/protocol/CMakeLists.txt @@ -1,5 +1,4 @@ -add_subdirectory(arp) add_subdirectory(ayiya) add_subdirectory(bittorrent) add_subdirectory(conn-size) diff --git a/src/analyzer/protocol/arp/ARP.cc b/src/analyzer/protocol/arp/ARP.cc deleted file mode 100644 index 3da870ead4..0000000000 --- a/src/analyzer/protocol/arp/ARP.cc +++ /dev/null 
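Review bot: The `else if ( pkt->l3_proto == L3_ARP )` branch in NextPacket is now an empty body, but it is still load-bearing: it keeps ARP frames out of the trailing `else`, whose body (presumably the unknown-L3 handling) lies outside the hunk. The comment should state that so the branch is not later removed as dead code, e.g. `// ARP is handled by the packet analyzer; this branch only keeps ARP out of the unknown-protocol else below`. NetSessions::NextPacket starts and ends outside the hunk.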
@@ -1,244 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#include "ARP.h" -#include "Event.h" -#include "Reporter.h" -#include "Desc.h" - -#include "events.bif.h" - -namespace zeek::analyzer::arp { - -ARP_Analyzer::ARP_Analyzer() - { - } - -ARP_Analyzer::~ARP_Analyzer() - { - } - -// Argh! FreeBSD and Linux have almost completely different net/if_arp.h . -// ... and on Solaris we are missing half of the ARPOP codes, so define -// them here as necessary: - -#ifndef ARPOP_REQUEST -#define ARPOP_REQUEST 1 // ARP request. -#endif -#ifndef ARPOP_REPLY -#define ARPOP_REPLY 2 // ARP reply. -#endif -#ifndef ARPOP_PREQUEST -#define ARPOP_RREQUEST 3 // RARP request. -#endif -#ifndef ARPOP_RREPLY -#define ARPOP_RREPLY 4 // RARP reply. -#endif -#ifndef ARPOP_InREQUEST -#define ARPOP_InREQUEST 8 // InARP request. -#endif -#ifndef ARPOP_InREPLY -#define ARPOP_InREPLY 9 // InARP reply. -#endif -#ifndef ARPOP_NAK -#define ARPOP_NAK 10 // (ATM)ARP NAK. -#endif - -#ifndef ar_sha -#define ar_sha(ap) ((caddr_t((ap)+1)) + 0) -#endif - -#ifndef ar_spa -#define ar_spa(ap) ((caddr_t((ap)+1)) + (ap)->ar_hln) -#endif - -#ifndef ar_tha -#define ar_tha(ap) ((caddr_t((ap)+1)) + (ap)->ar_hln + (ap)->ar_pln) -#endif - -#ifndef ar_tpa -#define ar_tpa(ap) ((caddr_t((ap)+1)) + 2*(ap)->ar_hln + (ap)->ar_pln) -#endif - -#ifndef ARPOP_REVREQUEST -#define ARPOP_REVREQUEST ARPOP_RREQUEST -#endif - -#ifndef ARPOP_REVREPLY -#define ARPOP_REVREPLY ARPOP_RREPLY -#endif - -#ifndef ARPOP_INVREQUEST -#define ARPOP_INVREQUEST ARPOP_InREQUEST -#endif - -#ifndef ARPOP_INVREPLY -#define ARPOP_INVREPLY ARPOP_InREPLY -#endif - - -void ARP_Analyzer::NextPacket(double t, const Packet* pkt) - { - const u_char *data = pkt->data; - // Check whether the packet is OK ("inspired" in tcpdump's print-arp.c). - const struct arp_pkthdr* ah = - (const struct arp_pkthdr*) (data + pkt->hdr_size); - - // Check the size. 
- int min_length = (ar_tpa(ah) - (char*) (data + pkt->hdr_size)) + ah->ar_pln; - int real_length = pkt->cap_len - pkt->hdr_size; - if ( min_length > real_length ) - { - Corrupted("truncated_ARP"); - return; - } - - char errbuf[1024]; - - // Check the address description fields. - switch ( ntohs(ah->ar_hrd) ) { - case ARPHRD_ETHER: - if ( ah->ar_hln != 6 ) - { // don't know how to handle the opcode - snprintf(errbuf, sizeof(errbuf), - "corrupt-arp-header (hrd=%i, hln=%i)", - ntohs(ah->ar_hrd), ah->ar_hln); - BadARP(ah, errbuf); - return; - } - break; - - default: - { // don't know how to proceed - snprintf(errbuf, sizeof(errbuf), - "unknown-arp-hw-address (hrd=%i)", ntohs(ah->ar_hrd)); - BadARP(ah, errbuf); - return; - } - } - - // ### Note, we don't support IPv6 addresses yet. - switch ( ntohs(ah->ar_pro) ) { - case ETHERTYPE_IP: - if ( ah->ar_pln != 4 ) - { // don't know how to handle the opcode - snprintf(errbuf, sizeof(errbuf), - "corrupt-arp-header (pro=%i, pln=%i)", - ntohs(ah->ar_pro), ah->ar_pln); - BadARP(ah, errbuf); - return; - } - break; - - default: - { // don't know how to proceed - snprintf(errbuf, sizeof(errbuf), - "unknown-arp-proto-address (pro=%i)", - ntohs(ah->ar_pro)); - BadARP(ah, errbuf); - return; - } - } - - - // Check MAC src address = ARP sender MAC address. - if ( memcmp(pkt->l2_src, ar_sha(ah), ah->ar_hln) ) - { - BadARP(ah, "weird-arp-sha"); - return; - } - - // Check the code is supported. 
- switch ( ntohs(ah->ar_op) ) { - case ARPOP_REQUEST: - RREvent(arp_request, pkt->l2_src, pkt->l2_dst, - ar_spa(ah), ar_sha(ah), ar_tpa(ah), ar_tha(ah)); - break; - - case ARPOP_REPLY: - RREvent(arp_reply, pkt->l2_src, pkt->l2_dst, - ar_spa(ah), ar_sha(ah), ar_tpa(ah), ar_tha(ah)); - break; - - case ARPOP_REVREQUEST: - case ARPOP_REVREPLY: - case ARPOP_INVREQUEST: - case ARPOP_INVREPLY: - { // don't know how to handle the opcode - snprintf(errbuf, sizeof(errbuf), - "unimplemented-arp-opcode (%i)", ntohs(ah->ar_op)); - BadARP(ah, errbuf); - break; - } - - default: - { // invalid opcode - snprintf(errbuf, sizeof(errbuf), - "invalid-arp-opcode (opcode=%i)", ntohs(ah->ar_op)); - BadARP(ah, errbuf); - return; - } - } - } - -void ARP_Analyzer::Describe(ODesc* d) const - { - d->Add(""); - d->NL(); - } - -void ARP_Analyzer::BadARP(const struct arp_pkthdr* hdr, const char* msg) - { - if ( ! bad_arp ) - return; - - event_mgr.Enqueue(bad_arp, - ToAddrVal(ar_spa(hdr)), - ToEthAddrStr((const u_char*) ar_sha(hdr)), - ToAddrVal(ar_tpa(hdr)), - ToEthAddrStr((const u_char*) ar_tha(hdr)), - make_intrusive(msg)); - } - -void ARP_Analyzer::Corrupted(const char* msg) - { - reporter->Weird(msg); - } - -void ARP_Analyzer::RREvent(EventHandlerPtr e, - const u_char* src, const u_char *dst, - const char* spa, const char* sha, - const char* tpa, const char* tha) - { - if ( ! e ) - return; - - event_mgr.Enqueue(e, - ToEthAddrStr(src), - ToEthAddrStr(dst), - ToAddrVal(spa), - ToEthAddrStr((const u_char*) sha), - ToAddrVal(tpa), - ToEthAddrStr((const u_char*) tha)); - } - -AddrVal* ARP_Analyzer::ConstructAddrVal(const void* addr) - { return ToAddrVal(addr).release(); } - -AddrValPtr ARP_Analyzer::ToAddrVal(const void* addr) - { - // ### For now, we only handle IPv4 addresses. 
- return make_intrusive(*(const uint32_t*) addr); - } - -StringVal* ARP_Analyzer::EthAddrToStr(const u_char* addr) - { return ToEthAddrStr(addr).release(); } - -StringValPtr ARP_Analyzer::ToEthAddrStr(const u_char* addr) - { - char buf[1024]; - snprintf(buf, sizeof(buf), "%02x:%02x:%02x:%02x:%02x:%02x", - addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]); - return make_intrusive(buf); - } - -} // namespace zeek::analyzer::arp diff --git a/src/analyzer/protocol/arp/ARP.h b/src/analyzer/protocol/arp/ARP.h deleted file mode 100644 index 8d2f1b5fed..0000000000 --- a/src/analyzer/protocol/arp/ARP.h +++ /dev/null 
@@ -1,66 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#pragma once - -#include "zeek-config.h" -#include -#include -#include -#include -#include -#ifdef HAVE_NET_ETHERNET_H -#include -#elif defined(HAVE_SYS_ETHERNET_H) -#include -#elif defined(HAVE_NETINET_IF_ETHER_H) -#include -#elif defined(HAVE_NET_ETHERTYPES_H) -#include -#endif - -#ifndef arp_pkthdr -#define arp_pkthdr arphdr -#endif - -#include "NetVar.h" - -ZEEK_FORWARD_DECLARE_NAMESPACED(Packet, zeek); - -extern "C" { -#include -} - -namespace zeek::analyzer::arp { - -class ARP_Analyzer : public Obj { -public: - ARP_Analyzer(); - ~ARP_Analyzer() override; - - void NextPacket(double t, const Packet* pkt); - - void Describe(ODesc* d) const override; - void RREvent(EventHandlerPtr e, const u_char* src, const u_char* dst, - const char* spa, const char* sha, - const char* tpa, const char* tha); - -protected: - - [[deprecated("Remove in v4.1. Use ToAddrVal().")]] - AddrVal* ConstructAddrVal(const void* addr); - [[deprecated("Remove in v4.1. Use ToEthAddrStr().")]] - StringVal* EthAddrToStr(const u_char* addr); - - AddrValPtr ToAddrVal(const void* addr); - StringValPtr ToEthAddrStr(const u_char* addr); - void BadARP(const struct arp_pkthdr* hdr, const char* string); - void Corrupted(const char* string); -}; - -} // namespace zeek::analyzer::arp - -namespace analyzer::arp { - -using ARP_Analyzer [[deprecated("Remove in v4.1. Use zeek::analyzer::arp::ARP_Analyzer.")]] = zeek::analyzer::arp::ARP_Analyzer; - -} // namespace analyzer::arp diff --git a/src/analyzer/protocol/arp/CMakeLists.txt b/src/analyzer/protocol/arp/CMakeLists.txt deleted file mode 100644 index 0b911b1979..0000000000 --- a/src/analyzer/protocol/arp/CMakeLists.txt +++ /dev/null 
@@ -1,15 +0,0 @@ - -# This is not an actual analyzer, but used by the core. We still -# maintain it here along with the other analyzers because conceptually -# it's also parsing a protocol just like them. The current structure -# is merely a left-over from when this code was written. - -include(ZeekPlugin) - -include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) - -zeek_plugin_begin(Zeek ARP) -zeek_plugin_cc(ARP.cc Plugin.cc) -zeek_plugin_bif(events.bif) -zeek_plugin_end() - diff --git a/src/analyzer/protocol/arp/Plugin.cc b/src/analyzer/protocol/arp/Plugin.cc deleted file mode 100644 index 1ff5f08c63..0000000000 --- a/src/analyzer/protocol/arp/Plugin.cc +++ /dev/null @@ -1,18 +0,0 @@ -// See the file in the main distribution directory for copyright. - -#include "plugin/Plugin.h" - -namespace zeek::plugin::detail::Zeek_ARP { - -class Plugin : public zeek::plugin::Plugin { -public: - zeek::plugin::Configuration Configure() override - { - zeek::plugin::Configuration config; - config.name = "Zeek::ARP"; - config.description = "ARP Parsing"; - return config; - } -} plugin; - -} // namespace zeek::plugin::detail::Zeek_ARP diff --git a/src/packet_analysis/CMakeLists.txt b/src/packet_analysis/CMakeLists.txt index 681dad1f82..6ece492dce 100644 --- a/src/packet_analysis/CMakeLists.txt +++ b/src/packet_analysis/CMakeLists.txt @@ -1,3 +1,4 @@ + include(ZeekSubdir) include_directories(BEFORE diff --git a/src/packet_analysis/protocol/arp/ARP.cc b/src/packet_analysis/protocol/arp/ARP.cc index 27d71d807d..ae9844be58 100644 --- a/src/packet_analysis/protocol/arp/ARP.cc +++ b/src/packet_analysis/protocol/arp/ARP.cc 
@@ -1,6 +1,20 @@ // See the file "COPYING" in the main distribution directory for copyright. #include "ARP.h" +#include "Event.h" + +#include "events.bif.h" + +#include "zeek-config.h" +#ifdef HAVE_NET_ETHERNET_H +#include +#elif defined(HAVE_SYS_ETHERNET_H) +#include +#elif defined(HAVE_NETINET_IF_ETHER_H) +#include +#elif defined(HAVE_NET_ETHERTYPES_H) +#include +#endif using namespace zeek::packet_analysis::ARP; 
@@ -9,11 +23,202 @@ ARPAnalyzer::ARPAnalyzer() { } +// Argh! FreeBSD and Linux have almost completely different net/if_arp.h . +// ... and on Solaris we are missing half of the ARPOP codes, so define +// them here as necessary: + +#ifndef ARPOP_REQUEST +#define ARPOP_REQUEST 1 // ARP request. +#endif +#ifndef ARPOP_REPLY +#define ARPOP_REPLY 2 // ARP reply. +#endif +#ifndef ARPOP_PREQUEST +#define ARPOP_RREQUEST 3 // RARP request. +#endif +#ifndef ARPOP_RREPLY +#define ARPOP_RREPLY 4 // RARP reply. +#endif +#ifndef ARPOP_InREQUEST +#define ARPOP_InREQUEST 8 // InARP request. +#endif +#ifndef ARPOP_InREPLY +#define ARPOP_InREPLY 9 // InARP reply. +#endif +#ifndef ARPOP_NAK +#define ARPOP_NAK 10 // (ATM)ARP NAK. +#endif + +#ifndef ar_sha +#define ar_sha(ap) ((caddr_t((ap)+1)) + 0) +#endif + +#ifndef ar_spa +#define ar_spa(ap) ((caddr_t((ap)+1)) + (ap)->ar_hln) +#endif + +#ifndef ar_tha +#define ar_tha(ap) ((caddr_t((ap)+1)) + (ap)->ar_hln + (ap)->ar_pln) +#endif + +#ifndef ar_tpa +#define ar_tpa(ap) ((caddr_t((ap)+1)) + 2*(ap)->ar_hln + (ap)->ar_pln) +#endif + +#ifndef ARPOP_REVREQUEST +#define ARPOP_REVREQUEST ARPOP_RREQUEST +#endif + +#ifndef ARPOP_REVREPLY +#define ARPOP_REVREPLY ARPOP_RREPLY +#endif + +#ifndef ARPOP_INVREQUEST +#define ARPOP_INVREQUEST ARPOP_InREQUEST +#endif + +#ifndef ARPOP_INVREPLY +#define ARPOP_INVREPLY ARPOP_InREPLY +#endif + zeek::packet_analysis::AnalyzerResult ARPAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - // TODO: Make ARP analyzer a native packet analyzer packet->l3_proto = L3_ARP; + // Check whether the packet is OK ("inspired" in tcpdump's print-arp.c). + auto ah = (const struct arp_pkthdr*) data; + + // Check the size. 
+ auto min_length = (ar_tpa(ah) - (char*) data) + ah->ar_pln;
+ auto pkt_hdr_len = data - packet->data;
+ auto real_length = packet->cap_len - pkt_hdr_len;
+ if ( min_length > real_length )
+ {
+ packet->Weird("truncated_ARP");
+ return AnalyzerResult::Failed;
+ }
+
+ // Check the address description fields.
+ switch ( ntohs(ah->ar_hrd) ) {
+ case ARPHRD_ETHER:
+ if ( ah->ar_hln != 6 )
+ {
+ // don't know how to handle the opcode
+ BadARPEvent(ah, "corrupt-arp-header (hrd=%i, hln=%i)",
+ ntohs(ah->ar_hrd), ah->ar_hln);
+ return AnalyzerResult::Failed;
+ }
+ break;
+
+ default:
+ {
+ // don't know how to proceed
+ BadARPEvent(ah, "unknown-arp-hw-address (hrd=%i)", ntohs(ah->ar_hrd));
+ return AnalyzerResult::Failed;
+ }
+ }
+
+ // Note: We don't support IPv6 addresses.
+ switch ( ntohs(ah->ar_pro) ) {
+ case ETHERTYPE_IP:
+ if ( ah->ar_pln != 4 )
+ {
+ // don't know how to handle the opcode
+ BadARPEvent(ah,"corrupt-arp-header (pro=%i, pln=%i)",
+ ntohs(ah->ar_pro), ah->ar_pln);
+ return AnalyzerResult::Failed;
+ }
+ break;
+
+ default:
+ {
+ // don't know how to proceed
+ BadARPEvent(ah,"unknown-arp-proto-address (pro=%i)", ntohs(ah->ar_pro));
+ return AnalyzerResult::Failed;
+ }
+ }
+
+
+ // Check MAC src address = ARP sender MAC address.
+ if ( memcmp(packet->l2_src, ar_sha(ah), ah->ar_hln) != 0 )
+ {
+ BadARPEvent(ah, "weird-arp-sha");
+ return AnalyzerResult::Failed;
+ }
+
+ // Check the code is supported.
+ switch ( ntohs(ah->ar_op) ) {
+ case ARPOP_REQUEST:
+ RequestReplyEvent(arp_request, packet->l2_src, packet->l2_dst,
+ ar_spa(ah), ar_sha(ah), ar_tpa(ah), ar_tha(ah));
+ break;
+
+ case ARPOP_REPLY:
+ RequestReplyEvent(arp_reply, packet->l2_src, packet->l2_dst,
+ ar_spa(ah), ar_sha(ah), ar_tpa(ah), ar_tha(ah));
+ break;
+
+ case ARPOP_REVREQUEST:
+ case ARPOP_REVREPLY:
+ case ARPOP_INVREQUEST:
+ case ARPOP_INVREPLY:
+ {
+ // don't know how to handle the opcode
+ BadARPEvent(ah, "unimplemented-arp-opcode (%i)", ntohs(ah->ar_op));
+ return AnalyzerResult::Failed;
+ }
+
+ default:
+ {
+ // invalid opcode
+ BadARPEvent(ah, "invalid-arp-opcode (opcode=%i)", ntohs(ah->ar_op));
+ return AnalyzerResult::Failed;
+ }
+ }
+
+ // Leave packet analyzer land
 return AnalyzerResult::Terminate;
 }
+
+zeek::AddrValPtr ARPAnalyzer::ToAddrVal(const void* addr)
+ {
+ //Note: We only handle IPv4 addresses.
+ return zeek::make_intrusive(*(const uint32_t*) addr);
+ }
+
+zeek::StringValPtr ARPAnalyzer::ToEthAddrStr(const u_char* addr)
+ {
+ char buf[1024];
+ snprintf(buf, sizeof(buf), "%02x:%02x:%02x:%02x:%02x:%02x",
+ addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]);
+ return zeek::make_intrusive(buf);
+ }
+
+void ARPAnalyzer::BadARPEvent(const struct arp_pkthdr* hdr, const char* fmt, ...)
+ {
+ if ( ! bad_arp )
+ return;
+
+ char msg[1024];
+ va_list args;
+ va_start(args, fmt);
+ vsnprintf(msg, sizeof(msg), fmt, args);
+ va_end(args);
+
+ event_mgr.Enqueue(bad_arp,
+ ToAddrVal(ar_spa(hdr)), ToEthAddrStr((const u_char*) ar_sha(hdr)),
+ ToAddrVal(ar_tpa(hdr)), ToEthAddrStr((const u_char*) ar_tha(hdr)),
+ zeek::make_intrusive(msg));
+ }
+
+void ARPAnalyzer::RequestReplyEvent(EventHandlerPtr e, const u_char *src, const u_char *dst,
+ const char *spa, const char *sha, const char *tpa, const char *tha)
+ {
+ if ( !
e ) + return; + + event_mgr.Enqueue(e, ToEthAddrStr(src), ToEthAddrStr(dst), + ToAddrVal(spa), ToEthAddrStr((const u_char*) sha), + ToAddrVal(tpa), ToEthAddrStr((const u_char*) tha)); + } diff --git a/src/packet_analysis/protocol/arp/ARP.h b/src/packet_analysis/protocol/arp/ARP.h index a6a7a445c1..b6f590dc9a 100644 --- a/src/packet_analysis/protocol/arp/ARP.h +++ b/src/packet_analysis/protocol/arp/ARP.h @@ -5,6 +5,12 @@ #include #include +#include + +#ifndef arp_pkthdr +#define arp_pkthdr arphdr +#endif + namespace zeek::packet_analysis::ARP { class ARPAnalyzer : public Analyzer { @@ -18,6 +24,15 @@ public: { return std::make_shared(); } + +private: + zeek::AddrValPtr ToAddrVal(const void* addr); + zeek::StringValPtr ToEthAddrStr(const u_char* addr); + + void BadARPEvent(const struct arp_pkthdr* hdr, const char* fmt, ...) + __attribute__((format(printf, 3, 4))); + void RequestReplyEvent(EventHandlerPtr e, const u_char* src, const u_char* dst, + const char* spa, const char* sha, const char* tpa, const char* tha); }; } diff --git a/src/packet_analysis/protocol/arp/CMakeLists.txt b/src/packet_analysis/protocol/arp/CMakeLists.txt index f2a482e4e1..ad3c7f732f 100644 --- a/src/packet_analysis/protocol/arp/CMakeLists.txt +++ b/src/packet_analysis/protocol/arp/CMakeLists.txt @@ -1,8 +1,9 @@ include(ZeekPlugin) -include_directories(BEFORE $ {CMAKE_CURRENT_SOURCE_DIR} $ {CMAKE_CURRENT_BINARY_DIR}) +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -zeek_plugin_begin(PacketAnalyzer ARP) +zeek_plugin_begin(Zeek ARP) zeek_plugin_cc(ARP.cc Plugin.cc) +zeek_plugin_bif(events.bif) zeek_plugin_end() diff --git a/src/analyzer/protocol/arp/events.bif b/src/packet_analysis/protocol/arp/events.bif similarity index 100% rename from src/analyzer/protocol/arp/events.bif rename to src/packet_analysis/protocol/arp/events.bif 
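Review bot: In ARPAnalyzer::Analyze, `ah->ar_hln` and `ah->ar_pln` are dereferenced to compute `min_length` before anything verifies that the fixed `arp_pkthdr` itself fits inside the captured bytes, so a capture truncated within the first bytes after the link-layer header is read past `cap_len` before the `min_length > real_length` test can reject it. The deleted analyzer had the same ordering, but the move is the moment to add a guard right after the cast: `if ( data + sizeof(struct arp_pkthdr) > packet->GetEndOfData() ) { packet->Weird("truncated_ARP"); return AnalyzerResult::Failed; }`. `min_length` is a pointer difference plus an unsigned byte while `real_length` subtracts a pointer difference from `cap_len`, so an explicit conversion of both sides to one unsigned type after that guard would make the comparison's signedness obvious. `*(const uint32_t*) addr` in ToAddrVal is an unaligned, type-punned read of packet bytes; a `memcpy` into a local `uint32_t` is the portable form.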
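Review bot: `zeek_plugin_begin(Zeek ARP)` registers this analyzer under the Zeek namespace, while the sibling packet analyzers touched in the same commit (ipv6, linux_sll, null) stay under `PacketAnalyzer`; the baselines suggest this keeps the existing `Zeek_ARP.events.bif` name, but nothing in the file says so. If that is the reason, a one-line comment above the call, `# Stays in the Zeek namespace so the generated bif keeps its Zeek_ARP name`, would stop the next reader from "fixing" it to match the other packet analyzers.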
diff --git a/src/packet_analysis/protocol/ipv6/CMakeLists.txt b/src/packet_analysis/protocol/ipv6/CMakeLists.txt index 566652cc73..f2614beedf 100644 --- a/src/packet_analysis/protocol/ipv6/CMakeLists.txt +++ b/src/packet_analysis/protocol/ipv6/CMakeLists.txt @@ -1,7 +1,7 @@ include(ZeekPlugin) -include_directories(BEFORE $ {CMAKE_CURRENT_SOURCE_DIR} $ {CMAKE_CURRENT_BINARY_DIR}) +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) zeek_plugin_begin(PacketAnalyzer IPv6) zeek_plugin_cc(IPv6.cc Plugin.cc) diff --git a/src/packet_analysis/protocol/linux_sll/CMakeLists.txt b/src/packet_analysis/protocol/linux_sll/CMakeLists.txt index 8476d2524a..8e00b95609 100644 --- a/src/packet_analysis/protocol/linux_sll/CMakeLists.txt +++ b/src/packet_analysis/protocol/linux_sll/CMakeLists.txt @@ -1,7 +1,7 @@ include(ZeekPlugin) -include_directories(BEFORE $ {CMAKE_CURRENT_SOURCE_DIR} $ {CMAKE_CURRENT_BINARY_DIR}) +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) zeek_plugin_begin(PacketAnalyzer LinuxSLL) zeek_plugin_cc(LinuxSLL.cc Plugin.cc) diff --git a/src/packet_analysis/protocol/null/CMakeLists.txt b/src/packet_analysis/protocol/null/CMakeLists.txt index 7a3c062af7..960c1dd031 100644 --- a/src/packet_analysis/protocol/null/CMakeLists.txt +++ b/src/packet_analysis/protocol/null/CMakeLists.txt @@ -1,6 +1,6 @@ include(ZeekPlugin) -include_directories(BEFORE $ {CMAKE_CURRENT_SOURCE_DIR} $ {CMAKE_CURRENT_BINARY_DIR}) +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) zeek_plugin_begin(PacketAnalyzer Null) zeek_plugin_cc(Null.cc Plugin.cc) diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 06e46c20d5..fc541cc1b1 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log 
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2020-08-26-12-08-09 +#open 2020-08-28-14-19-59 #fields name #types string scripts/base/init-bare.zeek @@ -91,7 +91,6 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/cardinality-counter.bif.zeek build/scripts/base/bif/top-k.bif.zeek build/scripts/base/bif/plugins/__load__.zeek - build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek build/scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek build/scripts/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek @@ -190,6 +189,7 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek + build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek @@ -212,4 +212,4 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek scripts/policy/misc/loaded-scripts.zeek scripts/base/utils/paths.zeek -#close 2020-08-26-12-08-09 +#close 2020-08-28-14-19-59 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 53c9751365..cb80b86ab0 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
@@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2020-09-22-16-59-24 +#open 2020-09-22-17-05-35 #fields name #types string scripts/base/init-bare.zeek @@ -91,7 +91,6 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/cardinality-counter.bif.zeek build/scripts/base/bif/top-k.bif.zeek build/scripts/base/bif/plugins/__load__.zeek - build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek build/scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek build/scripts/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek @@ -190,6 +189,7 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek + build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek @@ -408,4 +408,4 @@ scripts/base/init-default.zeek scripts/base/misc/find-filtered-trace.zeek scripts/base/misc/version.zeek scripts/policy/misc/loaded-scripts.zeek -#close 2020-09-22-16-59-24 +#close 2020-09-22-17-05-36 From d5ca0f9da58b62ad2f4d71d18134ce1db7e10d55 Mon Sep 17 00:00:00 2001 
From: Jan Grashoefer Date: Fri, 28 Aug 2020 18:40:02 +0200 Subject: [PATCH 29/43] Rename DefaultAnalyzer to IP. --- scripts/base/packet-protocols/__load__.zeek | 2 +- .../base/packet-protocols/default/main.zeek | 7 --- .../base/packet-protocols/ethernet/main.zeek | 2 +- scripts/base/packet-protocols/fddi/main.zeek | 2 +- .../{default => ip}/__load__.zeek | 0 scripts/base/packet-protocols/ip/main.zeek | 7 +++ scripts/base/packet-protocols/skip/main.zeek | 2 +- src/packet_analysis/Analyzer.h | 2 +- src/packet_analysis/protocol/CMakeLists.txt | 2 +- .../protocol/default/Default.cc | 44 ------------------- .../protocol/default/Default.h | 27 ------------ .../protocol/{default => ip}/CMakeLists.txt | 4 +- src/packet_analysis/protocol/ip/IP.cc | 38 ++++++++++++++++ src/packet_analysis/protocol/ip/IP.h | 23 ++++++++++ .../protocol/{default => ip}/Plugin.cc | 10 ++--- .../canonified_loaded_scripts.log | 8 ++-- .../canonified_loaded_scripts.log | 8 ++-- testing/btest/Baseline/plugins.hooks/output | 20 ++++----- 18 files changed, 99 insertions(+), 109 deletions(-) delete mode 100644 scripts/base/packet-protocols/default/main.zeek rename scripts/base/packet-protocols/{default => ip}/__load__.zeek (100%) create mode 100644 scripts/base/packet-protocols/ip/main.zeek delete mode 100644 src/packet_analysis/protocol/default/Default.cc delete mode 100644 src/packet_analysis/protocol/default/Default.h rename src/packet_analysis/protocol/{default => ip}/CMakeLists.txt (61%) create mode 100644 src/packet_analysis/protocol/ip/IP.cc create mode 100644 src/packet_analysis/protocol/ip/IP.h rename src/packet_analysis/protocol/{default => ip}/Plugin.cc (55%) diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek index 1462d895e2..38e9caf788 100644 --- a/scripts/base/packet-protocols/__load__.zeek +++ b/scripts/base/packet-protocols/__load__.zeek 
@@ -1,4 +1,4 @@ -@load base/packet-protocols/default +@load base/packet-protocols/ip @load base/packet-protocols/skip @load base/packet-protocols/ethernet @load base/packet-protocols/fddi diff --git a/scripts/base/packet-protocols/default/main.zeek b/scripts/base/packet-protocols/default/main.zeek deleted file mode 100644 index 0adc5e3f67..0000000000 --- a/scripts/base/packet-protocols/default/main.zeek +++ /dev/null @@ -1,7 +0,0 @@ -module PacketAnalyzer::Default; - -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_DEFAULTANALYZER, $identifier=4, $analyzer=PacketAnalyzer::ANALYZER_IPV4), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_DEFAULTANALYZER, $identifier=6, $analyzer=PacketAnalyzer::ANALYZER_IPV6) -}; diff --git a/scripts/base/packet-protocols/ethernet/main.zeek b/scripts/base/packet-protocols/ethernet/main.zeek index efcbf8adb7..9c8e3631cf 100644 --- a/scripts/base/packet-protocols/ethernet/main.zeek +++ b/scripts/base/packet-protocols/ethernet/main.zeek @@ -22,5 +22,5 @@ redef PacketAnalyzer::config_map += { PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x88A8, $analyzer=PacketAnalyzer::ANALYZER_VLAN), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x9100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER) + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $analyzer=PacketAnalyzer::ANALYZER_IP) }; diff --git a/scripts/base/packet-protocols/fddi/main.zeek b/scripts/base/packet-protocols/fddi/main.zeek index 181cd27534..229846dab6 100644 
--- a/scripts/base/packet-protocols/fddi/main.zeek +++ b/scripts/base/packet-protocols/fddi/main.zeek @@ -4,5 +4,5 @@ const DLT_FDDI : count = 10; redef PacketAnalyzer::config_map += { PacketAnalyzer::ConfigEntry($identifier=DLT_FDDI, $analyzer=PacketAnalyzer::ANALYZER_FDDI), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_FDDI, $analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER) + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_FDDI, $analyzer=PacketAnalyzer::ANALYZER_IP) }; diff --git a/scripts/base/packet-protocols/default/__load__.zeek b/scripts/base/packet-protocols/ip/__load__.zeek similarity index 100% rename from scripts/base/packet-protocols/default/__load__.zeek rename to scripts/base/packet-protocols/ip/__load__.zeek diff --git a/scripts/base/packet-protocols/ip/main.zeek b/scripts/base/packet-protocols/ip/main.zeek new file mode 100644 index 0000000000..4c9d2c2740 --- /dev/null +++ b/scripts/base/packet-protocols/ip/main.zeek @@ -0,0 +1,7 @@ +module PacketAnalyzer::IP; + +redef PacketAnalyzer::config_map += { + PacketAnalyzer::ConfigEntry($analyzer=PacketAnalyzer::ANALYZER_IP), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=4, $analyzer=PacketAnalyzer::ANALYZER_IPV4), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=6, $analyzer=PacketAnalyzer::ANALYZER_IPV6) +}; diff --git a/scripts/base/packet-protocols/skip/main.zeek b/scripts/base/packet-protocols/skip/main.zeek index b16bcfb22a..8ea2a951f4 100644 --- a/scripts/base/packet-protocols/skip/main.zeek +++ b/scripts/base/packet-protocols/skip/main.zeek @@ -6,5 +6,5 @@ export { } redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_SKIP, $analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER) + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_SKIP, $analyzer=PacketAnalyzer::ANALYZER_IP) }; 
diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h index 7c74b4ab18..2bc92afa7b 100644 --- a/src/packet_analysis/Analyzer.h +++ b/src/packet_analysis/Analyzer.h @@ -121,7 +121,7 @@ protected: * * @return The outcome of the analysis. */ - virtual AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data, + AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data, uint32_t identifier) const; /** diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt index 5ae00729ff..4aee498aa2 100644 --- a/src/packet_analysis/protocol/CMakeLists.txt +++ b/src/packet_analysis/protocol/CMakeLists.txt @@ -1,4 +1,3 @@ -add_subdirectory(default) add_subdirectory(skip) add_subdirectory(wrapper) @@ -15,5 +14,6 @@ add_subdirectory(mpls) add_subdirectory(linux_sll) add_subdirectory(arp) +add_subdirectory(ip) add_subdirectory(ipv4) add_subdirectory(ipv6) diff --git a/src/packet_analysis/protocol/default/Default.cc b/src/packet_analysis/protocol/default/Default.cc deleted file mode 100644 index de904f9ad7..0000000000 --- a/src/packet_analysis/protocol/default/Default.cc +++ /dev/null 
@@ -1,44 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#include "Default.h" -#include "NetVar.h" - -using namespace zeek::packet_analysis::Default; - -DefaultAnalyzer::DefaultAnalyzer() - : zeek::packet_analysis::Analyzer("DefaultAnalyzer") - { - } - -zeek::packet_analysis::AnalyzerResult DefaultAnalyzer::Analyze(Packet* packet, const uint8_t*& data) - { - // Assume we're pointing at IP. Just figure out which version. - if ( data + sizeof(struct ip) >= packet->GetEndOfData() ) - { - packet->Weird("packet_analyzer_truncated_header"); - return AnalyzerResult::Failed; - } - - auto ip = (const struct ip *)data; - uint32_t protocol = ip->ip_v; - - return AnalyzeInnerPacket(packet, data, protocol); - } - -zeek::packet_analysis::AnalyzerResult DefaultAnalyzer::AnalyzeInnerPacket(Packet* packet, - const uint8_t*& data, uint32_t identifier) const - { - auto inner_analyzer = Lookup(identifier); - - if ( inner_analyzer == nullptr ) - { - DBG_LOG(DBG_PACKET_ANALYSIS, "Default analysis in %s failed, could not find analyzer for identifier %#x.", - GetAnalyzerName(), identifier); - packet->Weird("no_suitable_analyzer_found"); - return AnalyzerResult::Failed; - } - - DBG_LOG(DBG_PACKET_ANALYSIS, "Default analysis in %s succeeded, next layer identifier is %#x.", - GetAnalyzerName(), identifier); - return inner_analyzer->Analyze(packet, data); - } \ No newline at end of file diff --git a/src/packet_analysis/protocol/default/Default.h b/src/packet_analysis/protocol/default/Default.h deleted file mode 100644 index 9a37a11a44..0000000000 --- a/src/packet_analysis/protocol/default/Default.h +++ /dev/null 
@@ -1,27 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#pragma once - -#include -#include - -namespace zeek::packet_analysis::Default { - -class DefaultAnalyzer : public Analyzer { -public: - DefaultAnalyzer(); - ~DefaultAnalyzer() override = default; - - AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; - - static zeek::packet_analysis::AnalyzerPtr Instantiate() - { - return std::make_shared(); - } - -protected: - AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data, - uint32_t identifier) const override; -}; - -} diff --git a/src/packet_analysis/protocol/default/CMakeLists.txt b/src/packet_analysis/protocol/ip/CMakeLists.txt similarity index 61% rename from src/packet_analysis/protocol/default/CMakeLists.txt rename to src/packet_analysis/protocol/ip/CMakeLists.txt index c41a982b87..3be79005d9 100644 --- a/src/packet_analysis/protocol/default/CMakeLists.txt +++ b/src/packet_analysis/protocol/ip/CMakeLists.txt @@ -3,6 +3,6 @@ include(ZeekPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -zeek_plugin_begin(PacketAnalyzer Default) -zeek_plugin_cc(Default.cc Plugin.cc) +zeek_plugin_begin(PacketAnalyzer IP) +zeek_plugin_cc(IP.cc Plugin.cc) zeek_plugin_end() diff --git a/src/packet_analysis/protocol/ip/IP.cc b/src/packet_analysis/protocol/ip/IP.cc new file mode 100644 index 0000000000..d6c2b91e9a --- /dev/null +++ b/src/packet_analysis/protocol/ip/IP.cc 
@@ -0,0 +1,38 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "IP.h" +#include "NetVar.h" + +using namespace zeek::packet_analysis::IP; + +IPAnalyzer::IPAnalyzer() + : zeek::packet_analysis::Analyzer("IP") + { + } + +zeek::packet_analysis::AnalyzerResult IPAnalyzer::Analyze(Packet* packet, const uint8_t*& data) + { + // Assume we're pointing at IP. Just figure out which version. + if ( data + sizeof(struct ip) >= packet->GetEndOfData() ) + { + packet->Weird("packet_analyzer_truncated_header"); + return AnalyzerResult::Failed; + } + + auto ip = (const struct ip *)data; + uint32_t protocol = ip->ip_v; + + auto inner_analyzer = Lookup(protocol); + + if ( inner_analyzer == nullptr ) + { + DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s failed, could not find analyzer for identifier %#x.", + GetAnalyzerName(), protocol); + packet->Weird("no_suitable_analyzer_found"); + return AnalyzerResult::Failed; + } + + DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s succeeded, next layer identifier is %#x.", + GetAnalyzerName(), protocol); + return inner_analyzer->Analyze(packet, data); + } \ No newline at end of file diff --git a/src/packet_analysis/protocol/ip/IP.h b/src/packet_analysis/protocol/ip/IP.h new file mode 100644 index 0000000000..f57012247c --- /dev/null +++ b/src/packet_analysis/protocol/ip/IP.h @@ -0,0 +1,23 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#pragma once + +#include +#include + +namespace zeek::packet_analysis::IP { + +class IPAnalyzer : public Analyzer { +public: + IPAnalyzer(); + ~IPAnalyzer() override = default; + + AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; + + static zeek::packet_analysis::AnalyzerPtr Instantiate() + { + return std::make_shared(); + } +}; + +} 
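Review bot: The truncation guard `if ( data + sizeof(struct ip) >= packet->GetEndOfData() )` in IPAnalyzer::Analyze rejects a capture that is exactly one IPv4 header long and, for short captures, forms a pointer well past the end of the buffer before comparing it. Only the version nibble is read here, so a one-byte guard is enough and avoids both problems: `if ( data >= packet->GetEndOfData() )` followed by `uint32_t protocol = data[0] >> 4;`, which also removes the `(const struct ip *)` cast and its alignment assumption. The same `>=` comparison survives as `sizeof(struct ip) >= len` in the IP.cc hunk of PATCH 30/43 further down. Since sizeof(struct ip) is shorter than an IPv6 header, this check gives the IPv4/IPv6 analyzers no guarantee beyond 20 bytes; presumably they re-check their own header length, worth confirming.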
diff --git a/src/packet_analysis/protocol/default/Plugin.cc b/src/packet_analysis/protocol/ip/Plugin.cc similarity index 55% rename from src/packet_analysis/protocol/default/Plugin.cc rename to src/packet_analysis/protocol/ip/Plugin.cc index 30e27711f3..5645220677 100644 --- a/src/packet_analysis/protocol/default/Plugin.cc +++ b/src/packet_analysis/protocol/ip/Plugin.cc @@ -1,6 +1,6 @@ // See the file "COPYING" in the main distribution directory for copyright. -#include "Default.h" +#include "IP.h" #include "plugin/Plugin.h" #include "packet_analysis/Component.h" @@ -10,12 +10,12 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() { - AddComponent(new zeek::packet_analysis::Component("DefaultAnalyzer", - zeek::packet_analysis::Default::DefaultAnalyzer::Instantiate)); + AddComponent(new zeek::packet_analysis::Component("IP", + zeek::packet_analysis::IP::IPAnalyzer::Instantiate)); zeek::plugin::Configuration config; - config.name = "Zeek::DefaultAnalyzer"; - config.description = "Default packet analyzer for IP fallback"; + config.name = "Zeek::IP"; + config.description = "Packet analyzer for IP fallback (v4 or v6)"; return config; } diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index fc541cc1b1..c95f448c08 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2020-08-28-14-19-59 +#open 2020-08-28-15-37-31 #fields name #types string scripts/base/init-bare.zeek 
@@ -20,8 +20,8 @@ scripts/base/init-bare.zeek build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek build/scripts/base/bif/event.bif.zeek scripts/base/packet-protocols/__load__.zeek - scripts/base/packet-protocols/default/__load__.zeek - scripts/base/packet-protocols/default/main.zeek + scripts/base/packet-protocols/ip/__load__.zeek + scripts/base/packet-protocols/ip/main.zeek scripts/base/packet-protocols/skip/__load__.zeek scripts/base/packet-protocols/skip/main.zeek scripts/base/packet-protocols/ethernet/__load__.zeek @@ -212,4 +212,4 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek scripts/policy/misc/loaded-scripts.zeek scripts/base/utils/paths.zeek -#close 2020-08-28-14-19-59 +#close 2020-08-28-15-37-31 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index cb80b86ab0..2c4f3c2331 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2020-09-22-17-05-35 +#open 2020-09-22-17-07-43 #fields name #types string scripts/base/init-bare.zeek @@ -20,8 +20,8 @@ scripts/base/init-bare.zeek build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek build/scripts/base/bif/event.bif.zeek scripts/base/packet-protocols/__load__.zeek - scripts/base/packet-protocols/default/__load__.zeek - scripts/base/packet-protocols/default/main.zeek + scripts/base/packet-protocols/ip/__load__.zeek + scripts/base/packet-protocols/ip/main.zeek scripts/base/packet-protocols/skip/__load__.zeek scripts/base/packet-protocols/skip/main.zeek scripts/base/packet-protocols/ethernet/__load__.zeek 
@@ -408,4 +408,4 @@ scripts/base/init-default.zeek scripts/base/misc/find-filtered-trace.zeek scripts/base/misc/version.zeek scripts/policy/misc/loaded-scripts.zeek -#close 2020-09-22-17-05-36 +#close 2020-09-22-17-07-43 diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index c30578cb03..24d3425197 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -283,7 +283,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> 
@@ -464,7 +464,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -827,7 +827,6 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/control) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/data.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/dce-rpc) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/default) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/dhcp) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/dir.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/directions-and-hosts.zeek) -> -1 @@ -858,6 +857,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/input) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/input.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/intel) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/ip) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/irc) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/krb) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/linux_sll) -> -1 
@@ -1226,7 +1226,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) @@ -1407,7 +1407,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1770,7 +1770,6 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/control) 0.000000 MetaHookPre LoadFile(0, base<...>/data.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/dce-rpc) -0.000000 MetaHookPre LoadFile(0, base<...>/default) 0.000000 MetaHookPre LoadFile(0, base<...>/dhcp) 0.000000 MetaHookPre LoadFile(0, base<...>/dir.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/directions-and-hosts.zeek) @@ -1801,6 +1800,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/input) 0.000000 MetaHookPre LoadFile(0, base<...>/input.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/intel) +0.000000 MetaHookPre LoadFile(0, base<...>/ip) 0.000000 MetaHookPre LoadFile(0, base<...>/irc) 0.000000 MetaHookPre LoadFile(0, base<...>/krb) 0.000000 MetaHookPre LoadFile(0, base<...>/linux_sll) @@ -2168,7 +2168,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) 
@@ -2349,7 +2349,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2724,7 +2724,6 @@ 0.000000 | HookLoadFile base<...>/control 0.000000 | HookLoadFile base<...>/data.bif.zeek 0.000000 | HookLoadFile base<...>/dce-rpc -0.000000 | HookLoadFile base<...>/default 0.000000 | HookLoadFile base<...>/dhcp 0.000000 | HookLoadFile base<...>/dir.zeek 0.000000 | HookLoadFile base<...>/directions-and-hosts.zeek @@ -2755,6 +2754,7 @@ 0.000000 | HookLoadFile base<...>/input 0.000000 | HookLoadFile base<...>/input.bif.zeek 0.000000 | HookLoadFile base<...>/intel +0.000000 | HookLoadFile base<...>/ip 0.000000 | HookLoadFile base<...>/irc 0.000000 | HookLoadFile base<...>/krb 0.000000 | HookLoadFile base<...>/linux_sll 
@@ -2822,7 +2822,7 @@ 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLoadFile base<...>/zeek.bif.zeek 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1600794262.290585, node=zeek, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent filter_change_tracking() 0.000000 | HookQueueEvent zeek_init() From 90eb97876ff4fe48c8baffa64cbe1d6ebae03fb3 Mon Sep 17 00:00:00 2001 
From: Jan Grashoefer Date: Mon, 31 Aug 2020 17:13:22 +0200 Subject: [PATCH 30/43] Improve packet analyzer API. --- src/iosource/Packet.cc | 5 ---- src/iosource/Packet.h | 9 +------ src/packet_analysis/Analyzer.cc | 10 ++++---- src/packet_analysis/Analyzer.h | 24 +++++++++---------- src/packet_analysis/Manager.cc | 7 +----- src/packet_analysis/protocol/CMakeLists.txt | 1 - src/packet_analysis/protocol/arp/ARP.cc | 16 +++++++++---- src/packet_analysis/protocol/arp/ARP.h | 2 +- .../protocol/ethernet/Ethernet.cc | 19 +++++++-------- .../protocol/ethernet/Ethernet.h | 2 +- src/packet_analysis/protocol/fddi/FDDI.cc | 10 ++++---- src/packet_analysis/protocol/fddi/FDDI.h | 2 +- .../protocol/ieee802_11/IEEE802_11.cc | 14 +++++------ .../protocol/ieee802_11/IEEE802_11.h | 2 +- .../ieee802_11_radio/IEEE802_11_Radio.cc | 15 +++++------- .../ieee802_11_radio/IEEE802_11_Radio.h | 2 +- src/packet_analysis/protocol/ip/IP.cc | 8 +++---- src/packet_analysis/protocol/ip/IP.h | 2 +- src/packet_analysis/protocol/ipv4/IPv4.cc | 4 +++- src/packet_analysis/protocol/ipv4/IPv4.h | 2 +- src/packet_analysis/protocol/ipv6/IPv6.cc | 4 +++- src/packet_analysis/protocol/ipv6/IPv6.h | 2 +- .../protocol/linux_sll/LinuxSLL.cc | 9 +++---- .../protocol/linux_sll/LinuxSLL.h | 2 +- src/packet_analysis/protocol/mpls/MPLS.cc | 11 +++++---- src/packet_analysis/protocol/mpls/MPLS.h | 2 +- src/packet_analysis/protocol/nflog/NFLog.cc | 17 +++++++++---- src/packet_analysis/protocol/nflog/NFLog.h | 2 +- src/packet_analysis/protocol/null/Null.cc | 10 ++++---- src/packet_analysis/protocol/null/Null.h | 2 +- .../protocol/ppp_serial/PPPSerial.cc | 14 +++++++---- .../protocol/ppp_serial/PPPSerial.h | 2 +- src/packet_analysis/protocol/pppoe/PPPoE.cc | 10 ++++---- src/packet_analysis/protocol/pppoe/PPPoE.h | 2 +- src/packet_analysis/protocol/skip/Skip.cc | 6 ++--- src/packet_analysis/protocol/skip/Skip.h | 2 +- src/packet_analysis/protocol/vlan/VLAN.cc | 10 ++++---- src/packet_analysis/protocol/vlan/VLAN.h | 2 +- 
.../plugins/packet-protocol-plugin/src/Bar.cc | 7 +++--- .../plugins/packet-protocol-plugin/src/Bar.h | 2 +- 40 files changed, 138 insertions(+), 136 deletions(-) diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index 15617ee7f2..7b40c75e43 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -79,11 +79,6 @@ void Packet::Weird(const char* name) l2_valid = false; } -const u_char* const Packet::GetEndOfData() const - { - return data + cap_len; - } - IntrusivePtr Packet::ToRawPktHdrVal() const { static auto raw_pkt_hdr_type = id::find_type("raw_pkt_hdr"); diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h index d99979010d..dfe5d86562 100644 --- a/src/iosource/Packet.h +++ b/src/iosource/Packet.h @@ -140,13 +140,6 @@ public: [[deprecated("Remove in v4.1. Use ToRawPktHdrval() instead.")]] RecordVal* BuildPktHdrVal() const; - /** - * Returns the end of the captured data for bound checking. - * - * @return End of the packet data. - */ - const u_char* const GetEndOfData() const; - /** * Describes the packet, with standard signature. */ @@ -228,7 +221,7 @@ public: */ bool l3_checksummed; - // Wrapper to generate a packet-level weird. Has to be public for llanalyzers to use it. + // Wrapper to generate a packet-level weird. Has to be public for packet analyzers to use it. void Weird(const char* name); private: diff --git a/src/packet_analysis/Analyzer.cc b/src/packet_analysis/Analyzer.cc index 55b7e5fd9c..3262e22fe9 100644 --- a/src/packet_analysis/Analyzer.cc +++ b/src/packet_analysis/Analyzer.cc @@ -57,8 +57,8 @@ AnalyzerPtr Analyzer::Lookup(uint32_t identifier) const return dispatcher.Lookup(identifier); } -AnalyzerResult Analyzer::AnalyzeInnerPacket(Packet* packet, - const uint8_t*& data, uint32_t identifier) const +AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet, + uint32_t identifier) const { auto inner_analyzer = Lookup(identifier); if ( ! inner_analyzer ) 
@@ -74,13 +74,13 @@ AnalyzerResult Analyzer::AnalyzeInnerPacket(Packet* packet, DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s succeeded, next layer identifier is %#x.", GetAnalyzerName(), identifier); - return inner_analyzer->Analyze(packet, data); + return inner_analyzer->AnalyzePacket(len, data, packet); } -AnalyzerResult Analyzer::AnalyzeInnerPacket(Packet* packet, const uint8_t*& data) const +AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const { if ( default_analyzer ) - return default_analyzer->Analyze(packet, data); + return default_analyzer->AnalyzePacket(len, data, packet); DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s stopped, no default analyzer available.", GetAnalyzerName()); diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h index 2bc92afa7b..82ddf3a686 100644 --- a/src/packet_analysis/Analyzer.h +++ b/src/packet_analysis/Analyzer.h @@ -10,7 +10,6 @@ namespace zeek::packet_analysis { /** * Result of packet analysis. */ - //TODO: Replace with bool? enum class AnalyzerResult { Failed, // Analysis failed Terminate // Analysis succeeded and there is no further analysis to do 
@@ -85,18 +84,19 @@ public: void RegisterDefaultAnalyzer(AnalyzerPtr default_analyzer); /** - * Analyzes the given packet. The data reference points to the part of the - * raw packet to be analyzed. If the analyzed protocol encapsulates another - * protocol, the data reference should be updated to point to that payload. + * Analyzes the given packet. A common case is that the analyzed protocol + * encapsulates another protocol, which can be determined by an identifier + * in the header. In this case, derived classes may use ForwardPacket() to + * forward the payload to the corresponding analyzer. * - * @param packet The packet to analyze. - * @param data Reference to the payload pointer into the raw packet. + * @param len The number of bytes passed in. + * @param data Pointer to the input to process. + * @param packet Object that maintains the packet's meta data. * - * @return A tuple of analysis result and identifier. The result indicates - * how to proceed. If analysis can continue, the identifier determines the - * encapsulated protocol. + * @return The outcome of the analysis. */ - virtual AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) = 0; + virtual AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, + Packet* packet) = 0; protected: friend class Manager; @@ -121,7 +121,7 @@ protected: * * @return The outcome of the analysis. */ - AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data, + AnalyzerResult ForwardPacket(size_t len, const uint8_t* data, Packet* packet, uint32_t identifier) const; /** @@ -133,7 +133,7 @@ protected: * * @return The outcome of the analysis. */ - AnalyzerResult AnalyzeInnerPacket(Packet* packet, const uint8_t*& data) const; + AnalyzerResult ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const; private: Tag tag; diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc index 0ad05ed4d6..7e44c10883 100644 --- a/src/packet_analysis/Manager.cc 
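Review bot: The two ForwardPacket declarations change their parameter order to `(size_t len, const uint8_t* data, Packet* packet, ...)`, but only the `@return` tail of each doc comment is inside the hunks; the `@param` lines above them are outside the diff and may still describe the old `(packet, data)` signature, so they should be re-read against the new order. The AnalyzePacket comment in the first hunk is a good model, with `@param len`, `@param data`, `@param packet` in call order. A sentence on what `len` covers would help implementers, e.g. `@param len The number of bytes of the input that may be read; analyzers must not read past data + len.`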
+++ b/src/packet_analysis/Manager.cc @@ -120,8 +120,6 @@ void Manager::ProcessPacket(Packet* packet) DBG_LOG(DBG_PACKET_ANALYSIS, "Analyzing packet %ld, ts=%.3f...", ++counter, packet->time); #endif // Start packet analysis - const uint8_t* data = packet->data; - auto root_analyzer = root_dispatcher.Lookup(packet->link_type); auto analyzer = root_analyzer ? root_analyzer : default_analyzer; if ( !analyzer ) @@ -130,10 +128,7 @@ void Manager::ProcessPacket(Packet* packet) return; } - auto result = analyzer->Analyze(packet, data); - - // Calculate header size after processing packet layers. - packet->hdr_size = static_cast(data - packet->data); + auto result = analyzer->AnalyzePacket(packet->cap_len, packet->data, packet); } AnalyzerPtr Manager::InstantiateAnalyzer(const Tag& tag) diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt index 4aee498aa2..c7228c2123 100644 --- a/src/packet_analysis/protocol/CMakeLists.txt +++ b/src/packet_analysis/protocol/CMakeLists.txt @@ -1,6 +1,5 @@ add_subdirectory(skip) -add_subdirectory(wrapper) add_subdirectory(null) add_subdirectory(ethernet) add_subdirectory(vlan) diff --git a/src/packet_analysis/protocol/arp/ARP.cc b/src/packet_analysis/protocol/arp/ARP.cc index ae9844be58..c38cea1d34 100644 --- a/src/packet_analysis/protocol/arp/ARP.cc +++ b/src/packet_analysis/protocol/arp/ARP.cc 
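Review bot: `packet->hdr_size` is no longer assigned in ProcessPacket once this hunk drops `packet->hdr_size = static_cast(data - packet->data);` without a replacement, so whatever consumes hdr_size downstream presumably sees a stale or zero value unless an analyzer now sets it; that should be confirmed before merging. The new `auto result = analyzer->AnalyzePacket(packet->cap_len, packet->data, packet);` also leaves `result` unused; either drop the binding or act on a `Failed` outcome, e.g. `if ( analyzer->AnalyzePacket(packet->cap_len, packet->data, packet) == AnalyzerResult::Failed ) DBG_LOG(DBG_PACKET_ANALYSIS, "Packet analysis failed");`. ProcessPacket starts outside the hunk.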
@@ -81,18 +81,24 @@ ARPAnalyzer::ARPAnalyzer() #define ARPOP_INVREPLY ARPOP_InREPLY #endif -zeek::packet_analysis::AnalyzerResult ARPAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len, + const uint8_t* data, Packet* packet) { packet->l3_proto = L3_ARP; + // Check whether the header is complete. + if ( sizeof(struct arp_pkthdr) > len ) + { + packet->Weird("truncated_ARP"); + return AnalyzerResult::Failed; + } + // Check whether the packet is OK ("inspired" in tcpdump's print-arp.c). auto ah = (const struct arp_pkthdr*) data; // Check the size. - auto min_length = (ar_tpa(ah) - (char*) data) + ah->ar_pln; - auto pkt_hdr_len = data - packet->data; - auto real_length = packet->cap_len - pkt_hdr_len; - if ( min_length > real_length ) + size_t min_length = (ar_tpa(ah) - (char*) data) + ah->ar_pln; + if ( min_length > len ) { packet->Weird("truncated_ARP"); return AnalyzerResult::Failed; diff --git a/src/packet_analysis/protocol/arp/ARP.h b/src/packet_analysis/protocol/arp/ARP.h index b6f590dc9a..f38ed5ff27 100644 --- a/src/packet_analysis/protocol/arp/ARP.h +++ b/src/packet_analysis/protocol/arp/ARP.h @@ -18,7 +18,7 @@ public: ARPAnalyzer(); ~ARPAnalyzer() override = default; - AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.cc b/src/packet_analysis/protocol/ethernet/Ethernet.cc index cd5c5889b4..0bced04b4a 100644 --- a/src/packet_analysis/protocol/ethernet/Ethernet.cc +++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc 
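Review bot: Adding `if ( sizeof(struct arp_pkthdr) > len )` before `ah` is dereferenced closes the read of ar_hln/ar_pln from an incomplete header, which is the right fix. The following `size_t min_length = (ar_tpa(ah) - (char*) data) + ah->ar_pln;` still derives its bound via pointer arithmetic driven by the packet's own hln/pln fields; if `ar_tpa` expands to pointer offsets on `ah` as in tcpdump, it forms a pointer that may lie far outside the captured buffer before the comparison. Computing the required length as plain integers, along the lines of `size_t min_length = sizeof(struct arp_pkthdr) + 2 * (size_t)ah->ar_hln + 2 * (size_t)ah->ar_pln;`, avoids that and is easier to check against the `len` guard. AnalyzePacket's body continues outside the hunk.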
@@ -31,13 +31,12 @@ zeek::packet_analysis::AnalyzerPtr EthernetAnalyzer::LoadAnalyzer(const std::str return packet_mgr->GetAnalyzer(analyzer_val->AsEnumVal()); } -zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::AnalyzePacket(size_t len, + const uint8_t* data, Packet* packet) { - auto end_of_data = packet->GetEndOfData(); - // Make sure that we actually got an entire ethernet header before trying // to pull bytes out of it. - if ( data + 16 >= end_of_data ) + if ( 16 >= len ) { packet->Weird("truncated_ethernet_frame"); return AnalyzerResult::Failed; @@ -48,13 +47,14 @@ zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::Analyze(Packet* packet, { auto constexpr cfplen = 16; - if ( data + cfplen + 14 >= end_of_data ) + if ( cfplen + 14 >= len ) { packet->Weird("truncated_link_header_cfp"); return AnalyzerResult::Failed; } data += cfplen; + len -= cfplen; } // Get protocol being carried from the ethernet frame. @@ -66,15 +66,12 @@ zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::Analyze(Packet* packet, // Ethernet II frames if ( protocol >= 1536 ) - { - data += 14; - return AnalyzeInnerPacket(packet, data, protocol); - } + return ForwardPacket(len - 14, data + 14, packet, protocol); // Other ethernet frame types if ( protocol <= 1500 ) { - if ( data + 16 >= end_of_data ) + if ( 16 >= len ) { packet->Weird("truncated_ethernet_frame"); return AnalyzerResult::Failed; @@ -96,7 +93,7 @@ zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::Analyze(Packet* packet, eth_analyzer = LLCAnalyzer; if ( eth_analyzer ) - return eth_analyzer->Analyze(packet, data); + return eth_analyzer->AnalyzePacket(len, data, packet); return AnalyzerResult::Terminate; } diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.h b/src/packet_analysis/protocol/ethernet/Ethernet.h index c1f89a6f02..b69b4887ef 100644 --- a/src/packet_analysis/protocol/ethernet/Ethernet.h 
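Review bot: The new length guards in EthernetAnalyzer::AnalyzePacket write the header sizes as bare numbers (`16 >= len`, `cfplen + 14 >= len`, `len - 14`, and a second `16 >= len` in the `protocol <= 1500` branch), which is harder to audit than the pointer form it replaces because the reader has to know why it is 14 in one place and 16 in another. Naming the 14-byte header once next to the existing `cfplen`, e.g. `auto constexpr eth_hdr_len = 14;`, and expressing the guard as `if ( len <= eth_hdr_len + 2 )` makes the two bytes of slack the later reads depend on explicit. A one-line comment such as `// need the 14-byte header plus the 2 bytes read below` would record why exactly-16-byte frames are treated as truncated. The `len -= cfplen;` after `data += cfplen;` keeps the pair consistent, which is the pattern the other branches should follow. AnalyzePacket's body continues between and after these hunks.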
+++ b/src/packet_analysis/protocol/ethernet/Ethernet.h @@ -13,7 +13,7 @@ public: ~EthernetAnalyzer() override = default; void Initialize() override; - AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/fddi/FDDI.cc b/src/packet_analysis/protocol/fddi/FDDI.cc index 25235cca3e..3612670f10 100644 --- a/src/packet_analysis/protocol/fddi/FDDI.cc +++ b/src/packet_analysis/protocol/fddi/FDDI.cc @@ -10,17 +10,17 @@ FDDIAnalyzer::FDDIAnalyzer() { } -zeek::packet_analysis::AnalyzerResult FDDIAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult FDDIAnalyzer::AnalyzePacket(size_t len, + const uint8_t* data, Packet* packet) { - auto hdr_size = 13 + 8; // FDDI header + LLC + size_t hdr_size = 13 + 8; // FDDI header + LLC - if ( data + hdr_size >= packet->GetEndOfData() ) + if ( hdr_size >= len ) { packet->Weird("FDDI_analyzer_failed"); return AnalyzerResult::Failed; } // We just skip the header and hope for default analysis - data += hdr_size; - return AnalyzeInnerPacket(packet, data); + return ForwardPacket(len - hdr_size, data + hdr_size, packet); } diff --git a/src/packet_analysis/protocol/fddi/FDDI.h b/src/packet_analysis/protocol/fddi/FDDI.h index 4219529c6a..d0e204e7d9 100644 --- a/src/packet_analysis/protocol/fddi/FDDI.h +++ b/src/packet_analysis/protocol/fddi/FDDI.h @@ -12,7 +12,7 @@ public: FDDIAnalyzer(); ~FDDIAnalyzer() override = default; - AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc index f0a9720605..117677b535 100644 
--- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc @@ -10,13 +10,12 @@ IEEE802_11Analyzer::IEEE802_11Analyzer() { } -zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t len, + const uint8_t* data, Packet* packet) { - auto end_of_data = packet->GetEndOfData(); - u_char len_80211 = 24; // minimal length of data frames - if ( data + len_80211 >= end_of_data ) + if ( len_80211 >= len ) { packet->Weird("truncated_802_11_header"); return AnalyzerResult::Failed; @@ -48,7 +47,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::Analyze(Packet* packet len_80211 += 2; } - if ( data + len_80211 >= end_of_data ) + if ( len_80211 >= len ) { packet->Weird("truncated_802_11_header"); return AnalyzerResult::Failed; @@ -82,7 +81,8 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::Analyze(Packet* packet // skip 802.11 data header data += len_80211; - if ( data + 8 >= end_of_data ) + len_80211 += 8; + if ( len_80211 >= len ) { packet->Weird("truncated_802_11_header"); return AnalyzerResult::Failed; @@ -108,5 +108,5 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::Analyze(Packet* packet uint32_t protocol = (data[0] << 8) + data[1]; data += 2; - return AnalyzeInnerPacket(packet, data, protocol); + return ForwardPacket(len - len_80211, data, packet, protocol); } diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h index 842f182bcd..a9f4916654 100644 --- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h 
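Review bot: After `data += len_80211;` the hunk does `len_80211 += 8;`, so the variable stops meaning "802.11 header length" and becomes header plus LLC/SNAP length, and the final `ForwardPacket(len - len_80211, data, packet, protocol)` is only correct if the code between the hunks advances `data` by exactly 8 bytes in total (the visible `data += 2;` plus six bytes outside the diff); that invariant is hard to verify from the hunks alone. A distinct name, e.g. `size_t hdr_len = len_80211 + 8;`, or at least a comment `// len_80211 now also covers the 8-byte LLC/SNAP header` would make it explicit. `len_80211` is declared `u_char`, so the arithmetic relies on the combined length never exceeding 255, which holds for the sizes added here but is worth stating. AnalyzePacket's body spans regions outside these hunks.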
@@ -12,7 +12,7 @@ public: IEEE802_11Analyzer(); ~IEEE802_11Analyzer() override = default; - AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc index 703906ac82..68eea492da 100644 --- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc +++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc @@ -12,26 +12,23 @@ IEEE802_11_RadioAnalyzer::IEEE802_11_RadioAnalyzer() { } -zeek::packet_analysis::AnalyzerResult IEEE802_11_RadioAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult IEEE802_11_RadioAnalyzer::AnalyzePacket(size_t len, + const uint8_t* data, Packet* packet) { - auto end_of_data = packet->GetEndOfData(); - - if ( data + 3 >= end_of_data ) + if ( 3 >= len ) { packet->Weird("truncated_radiotap_header"); return AnalyzerResult::Failed; } // Skip over the RadioTap header - int rtheader_len = (data[3] << 8) + data[2]; + size_t rtheader_len = (data[3] << 8) + data[2]; - if ( data + rtheader_len >= end_of_data ) + if ( rtheader_len >= len ) { packet->Weird("truncated_radiotap_header"); return AnalyzerResult::Failed; } - data += rtheader_len; - - return AnalyzeInnerPacket(packet, data, DLT_IEEE802_11); + return ForwardPacket(len - rtheader_len, data + rtheader_len, packet, DLT_IEEE802_11); } diff --git a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h index e9f306ef26..9f75eece30 100644 --- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h +++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h 
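Review bot: The radiotap guard accepts any `rtheader_len` below `len`, including zero and values smaller than the 8-byte fixed radiotap header (version, pad, length, present flags), in which case the radiotap bytes themselves are forwarded to the 802.11 analyzer as frame data. Tightening it to `if ( rtheader_len < 8 || rtheader_len >= len )` before the existing `Weird("truncated_radiotap_header")` rejects such captures, and checking `data[0] == 0` for the radiotap version is equally cheap. This is a parse-correctness point rather than a memory-safety one, since the `>= len` bound still keeps the forwarded span inside the buffer.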
@@ -12,7 +12,7 @@ public: IEEE802_11_RadioAnalyzer(); ~IEEE802_11_RadioAnalyzer() override = default; - AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ip/IP.cc b/src/packet_analysis/protocol/ip/IP.cc index d6c2b91e9a..1e0de7d171 100644 --- a/src/packet_analysis/protocol/ip/IP.cc +++ b/src/packet_analysis/protocol/ip/IP.cc @@ -10,10 +10,11 @@ IPAnalyzer::IPAnalyzer() { } -zeek::packet_analysis::AnalyzerResult IPAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult IPAnalyzer::AnalyzePacket(size_t len, + const uint8_t* data, Packet* packet) { // Assume we're pointing at IP. Just figure out which version. - if ( data + sizeof(struct ip) >= packet->GetEndOfData() ) + if ( sizeof(struct ip) >= len ) { packet->Weird("packet_analyzer_truncated_header"); return AnalyzerResult::Failed; @@ -23,7 +24,6 @@ zeek::packet_analysis::AnalyzerResult IPAnalyzer::Analyze(Packet* packet, const uint32_t protocol = ip->ip_v; auto inner_analyzer = Lookup(protocol); - if ( inner_analyzer == nullptr ) { DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s failed, could not find analyzer for identifier %#x.", @@ -34,5 +34,5 @@ zeek::packet_analysis::AnalyzerResult IPAnalyzer::Analyze(Packet* packet, const DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s succeeded, next layer identifier is %#x.", GetAnalyzerName(), protocol); - return inner_analyzer->Analyze(packet, data); + return inner_analyzer->AnalyzePacket(len, data, packet); } \ No newline at end of file diff --git a/src/packet_analysis/protocol/ip/IP.h b/src/packet_analysis/protocol/ip/IP.h index f57012247c..7fd5d7a799 100644 --- a/src/packet_analysis/protocol/ip/IP.h +++ b/src/packet_analysis/protocol/ip/IP.h 
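Review bot: IPAnalyzer::AnalyzePacket reimplements what `ForwardPacket` already does — the `Lookup`, both DBG_LOG messages, and the call into the inner analyzer — so the dispatch and its diagnostics now live in two places and can drift apart (the failure branch's return is in the elided lines, so whether it also emits the `no_suitable_analyzer_found` weird is not visible). Collapsing the tail to `return ForwardPacket(len, data, packet, protocol);` keeps a single code path. The hunk also shows the file ends without a trailing newline.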
@@ -12,7 +12,7 @@ public: IPAnalyzer(); ~IPAnalyzer() override = default; - AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ipv4/IPv4.cc b/src/packet_analysis/protocol/ipv4/IPv4.cc index 57aef8eb25..958089c52b 100644 --- a/src/packet_analysis/protocol/ipv4/IPv4.cc +++ b/src/packet_analysis/protocol/ipv4/IPv4.cc @@ -9,9 +9,11 @@ IPv4Analyzer::IPv4Analyzer() { } -zeek::packet_analysis::AnalyzerResult IPv4Analyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult IPv4Analyzer::AnalyzePacket(size_t len, + const uint8_t* data, Packet* packet) { packet->l3_proto = L3_IPV4; + packet->hdr_size = static_cast(data - packet->data); // Leave packet analyzer land return AnalyzerResult::Terminate; diff --git a/src/packet_analysis/protocol/ipv4/IPv4.h b/src/packet_analysis/protocol/ipv4/IPv4.h index 984ad4e532..b2f01e4d34 100644 --- a/src/packet_analysis/protocol/ipv4/IPv4.h +++ b/src/packet_analysis/protocol/ipv4/IPv4.h @@ -12,7 +12,7 @@ public: IPv4Analyzer(); ~IPv4Analyzer() override = default; - AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ipv6/IPv6.cc b/src/packet_analysis/protocol/ipv6/IPv6.cc index 903dfd1607..e36444d296 100644 --- a/src/packet_analysis/protocol/ipv6/IPv6.cc +++ b/src/packet_analysis/protocol/ipv6/IPv6.cc 
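Review bot: IPv4Analyzer::AnalyzePacket ignores its `len` argument, so whether the captured bytes at `data` actually hold an IPv4 header is left to whatever runs after `hdr_size` is recorded; a comment would save the next reader from hunting for the missing check, e.g. `// No length check here: the caller validates hdr_size against cap_len before the IP header is parsed.` — adjusted to where that check really lives, which is outside this hunk. The `static_cast(data - packet->data)` shows no target type in this rendering (presumably lost in extraction); the difference is a `ptrdiff_t`, so `hdr_size` needs a type wide enough for it.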
@@ -9,9 +9,11 @@ IPv6Analyzer::IPv6Analyzer() { } -zeek::packet_analysis::AnalyzerResult IPv6Analyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult IPv6Analyzer::AnalyzePacket(size_t len, + const uint8_t* data, Packet* packet) { packet->l3_proto = L3_IPV6; + packet->hdr_size = static_cast(data - packet->data); // Leave packet analyzer land return AnalyzerResult::Terminate; diff --git a/src/packet_analysis/protocol/ipv6/IPv6.h b/src/packet_analysis/protocol/ipv6/IPv6.h index ffff59a668..1a03540cf9 100644 --- a/src/packet_analysis/protocol/ipv6/IPv6.h +++ b/src/packet_analysis/protocol/ipv6/IPv6.h @@ -12,7 +12,7 @@ public: IPv6Analyzer(); ~IPv6Analyzer() override = default; - AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc index 740b63a518..2c998dc8d9 100644 --- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc +++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc @@ -9,9 +9,11 @@ LinuxSLLAnalyzer::LinuxSLLAnalyzer() { } -zeek::packet_analysis::AnalyzerResult LinuxSLLAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult LinuxSLLAnalyzer::AnalyzePacket(size_t len, + const uint8_t* data, Packet* packet) { - if ( data + sizeof(SLLHeader) >= packet->GetEndOfData() ) + auto len_sll_hdr = sizeof(SLLHeader); + if ( len_sll_hdr >= len ) { packet->Weird("truncated_Linux_SLL_header"); return AnalyzerResult::Failed; 
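Review bot: LinuxSLLAnalyzer::AnalyzePacket derives the on-wire header size from `sizeof(SLLHeader)`, so the bound check and the forwarded offset are only right if that struct has no padding and is exactly the 16 bytes a LINKTYPE_LINUX_SLL header occupies. The fields are presumably uint16_t/uint8_t and pack naturally, but pinning it with `static_assert(sizeof(SLLHeader) == 16, "SLLHeader must match the on-wire layout");` next to the struct (outside this hunk), or using an explicit `constexpr size_t len_sll_hdr = 16;`, removes the dependence on compiler layout. The IPv6 hunk above mirrors the IPv4 one, with `len` unused in the same way.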
@@ -27,6 +29,5 @@ zeek::packet_analysis::AnalyzerResult LinuxSLLAnalyzer::Analyze(Packet* packet, // here will cause crashes elsewhere. packet->l2_dst = Packet::L2_EMPTY_ADDR; - data += sizeof(SLLHeader); - return AnalyzeInnerPacket(packet, data, protocol); + return ForwardPacket(len - len_sll_hdr, data + len_sll_hdr, packet, protocol); } diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.h b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h index b62b3a3f59..65225a1fe6 100644 --- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.h +++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h @@ -12,7 +12,7 @@ public: LinuxSLLAnalyzer(); ~LinuxSLLAnalyzer() override = default; - AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/mpls/MPLS.cc b/src/packet_analysis/protocol/mpls/MPLS.cc index 962e206239..f0432a0e17 100644 --- a/src/packet_analysis/protocol/mpls/MPLS.cc +++ b/src/packet_analysis/protocol/mpls/MPLS.cc @@ -9,16 +9,15 @@ MPLSAnalyzer::MPLSAnalyzer() { } -zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::AnalyzePacket(size_t len, + const uint8_t* data, Packet* packet) { - auto end_of_data = packet->GetEndOfData(); - // Skip the MPLS label stack. bool end_of_stack = false; while ( ! end_of_stack ) { - if ( data + 4 >= end_of_data ) + if ( 4 >= len ) { packet->Weird("truncated_link_header"); return AnalyzerResult::Failed; 
@@ -26,11 +25,13 @@ zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::Analyze(Packet* packet, cons end_of_stack = *(data + 2u) & 0x01; data += 4; + len -= 4; } // According to RFC3032 the encapsulated protocol is not encoded. // We assume that what remains is IP. - if ( data + sizeof(struct ip) >= end_of_data ) + //TODO: Make that configurable + if ( sizeof(struct ip) >= len ) { packet->Weird("no_ip_in_mpls_payload"); return AnalyzerResult::Failed; diff --git a/src/packet_analysis/protocol/mpls/MPLS.h b/src/packet_analysis/protocol/mpls/MPLS.h index caade44f94..58c68b1aa4 100644 --- a/src/packet_analysis/protocol/mpls/MPLS.h +++ b/src/packet_analysis/protocol/mpls/MPLS.h @@ -12,7 +12,7 @@ public: MPLSAnalyzer(); ~MPLSAnalyzer() override = default; - AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/nflog/NFLog.cc b/src/packet_analysis/protocol/nflog/NFLog.cc index e2b7c218d2..49fd6a1656 100644 --- a/src/packet_analysis/protocol/nflog/NFLog.cc +++ b/src/packet_analysis/protocol/nflog/NFLog.cc @@ -10,8 +10,14 @@ NFLogAnalyzer::NFLogAnalyzer() { } -zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { - auto end_of_data = packet->GetEndOfData(); +zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::AnalyzePacket(size_t len, + const uint8_t* data, Packet* packet) + { + if ( 4 >= len ) + { + packet->Weird("truncated_nflog_header"); + return AnalyzerResult::Failed; + } // See https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html uint32_t protocol = data[0]; 
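Review bot: The `//TODO: Make that configurable` comment in MPLSAnalyzer::AnalyzePacket does not say what "that" refers to, while the comment above it states the real assumption: everything after the label stack is treated as IP, which the `sizeof(struct ip) >= len` guard and the `no_ip_in_mpls_payload` weird encode. Suggest `// TODO: make the assumed post-MPLS payload protocol configurable (currently always IP).` so the limitation is explicit and searchable. How the payload is dispatched after this guard lies outside the hunk.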
@@ -25,13 +31,14 @@ zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::Analyze(Packet* packet, con // Skip to TLVs. data += 4; + len -= 4; uint16_t tlv_len; uint16_t tlv_type; while ( true ) { - if ( data + 4 >= end_of_data ) + if ( 4 >= len ) { packet->Weird("nflog_no_pcap_payload"); return AnalyzerResult::Failed; @@ -49,6 +56,7 @@ zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::Analyze(Packet* packet, con { // The raw packet payload follows this TLV. data += 4; + len -= 4; break; } else @@ -72,8 +80,9 @@ zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::Analyze(Packet* packet, con } data += tlv_len; + len -= tlv_len; } } - return AnalyzeInnerPacket(packet, data, protocol); + return ForwardPacket(len, data, packet, protocol); } diff --git a/src/packet_analysis/protocol/nflog/NFLog.h b/src/packet_analysis/protocol/nflog/NFLog.h index 6cb1335373..9b725565f9 100644 --- a/src/packet_analysis/protocol/nflog/NFLog.h +++ b/src/packet_analysis/protocol/nflog/NFLog.h @@ -12,7 +12,7 @@ public: NFLogAnalyzer(); ~NFLogAnalyzer() override = default; - AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/null/Null.cc b/src/packet_analysis/protocol/null/Null.cc index bac13dcf07..1e54ceaab1 100644 --- a/src/packet_analysis/protocol/null/Null.cc +++ b/src/packet_analysis/protocol/null/Null.cc 
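Review bot: In the NFLog TLV loop `len -= tlv_len;` subtracts a length taken from the packet without a visible check that `tlv_len <= len`; since `len` is a `size_t`, an oversized TLV wraps it to a huge value, the `if ( 4 >= len )` guard at the top of the loop then always passes, and the next iteration reads `data` beyond the captured bytes — the old comparison against `end_of_data` did not have this failure mode. Unless the elided lines between the hunks already bound it, add before the subtraction `if ( tlv_len > len ) { packet->Weird("nflog_no_pcap_payload"); return AnalyzerResult::Failed; }` (a dedicated weird name would be clearer). A `tlv_len` of zero likewise needs rejecting if the elided code does not do so, as the loop would otherwise never advance. The TLV type/length extraction between `@@ -25` and `@@ -49` is not visible here.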
@@ -10,16 +10,16 @@ NullAnalyzer::NullAnalyzer() { } -zeek::packet_analysis::AnalyzerResult NullAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult NullAnalyzer::AnalyzePacket(size_t len, + const uint8_t* data, Packet* packet) { - if ( data + 4 >= packet->GetEndOfData() ) + if ( 4 >= len ) { packet->Weird("null_analyzer_failed"); return AnalyzerResult::Failed; } uint32_t protocol = (data[3] << 24) + (data[2] << 16) + (data[1] << 8) + data[0]; - data += 4; // skip link header - - return AnalyzeInnerPacket(packet, data, protocol); + // skip link header + return ForwardPacket(len - 4, data + 4, packet, protocol); } diff --git a/src/packet_analysis/protocol/null/Null.h b/src/packet_analysis/protocol/null/Null.h index d25cf8a2d9..e82340a690 100644 --- a/src/packet_analysis/protocol/null/Null.h +++ b/src/packet_analysis/protocol/null/Null.h @@ -12,7 +12,7 @@ public: NullAnalyzer(); ~NullAnalyzer() override = default; - AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc index 9ec9596c11..4b0531ba8e 100644 --- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc +++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc 
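Review bot: The context line `uint32_t protocol = (data[3] << 24) + ...` in NullAnalyzer::AnalyzePacket shifts a promoted `int`, so any `data[3]` with the top bit set (>= 0x80) overflows signed int, which is undefined behaviour before C++20, and the byte comes straight from the packet. Widen before shifting: `uint32_t protocol = (uint32_t(data[3]) << 24) | (uint32_t(data[2]) << 16) | (data[1] << 8) | data[0];`. The newly added `4 >= len` guard is the right bound for this read.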
@@ -10,11 +10,17 @@ PPPSerialAnalyzer::PPPSerialAnalyzer() { } -zeek::packet_analysis::AnalyzerResult PPPSerialAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult PPPSerialAnalyzer::AnalyzePacket(size_t len, + const uint8_t* data, Packet* packet) { + if ( 4 >= len ) + { + packet->Weird("truncated_ppp_serial_header"); + return AnalyzerResult::Failed; + } + // Extract protocol identifier uint32_t protocol = (data[2] << 8) + data[3]; - data += 4; // skip link header - - return AnalyzeInnerPacket(packet, data, protocol); + // skip link header + return ForwardPacket(len - 4, data + 4, packet, protocol); } diff --git a/src/packet_analysis/protocol/ppp_serial/PPPSerial.h b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h index c10c34d92e..c9c067ccac 100644 --- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.h +++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h @@ -12,7 +12,7 @@ public: PPPSerialAnalyzer(); ~PPPSerialAnalyzer() override = default; - AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/pppoe/PPPoE.cc b/src/packet_analysis/protocol/pppoe/PPPoE.cc index 899f62d512..adbbb3fbe8 100644 --- a/src/packet_analysis/protocol/pppoe/PPPoE.cc +++ b/src/packet_analysis/protocol/pppoe/PPPoE.cc @@ -10,9 +10,10 @@ PPPoEAnalyzer::PPPoEAnalyzer() { } -zeek::packet_analysis::AnalyzerResult PPPoEAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult PPPoEAnalyzer::AnalyzePacket(size_t len, + const uint8_t* data, Packet* packet) { - if ( data + 8 >= packet->GetEndOfData() ) + if ( 8 >= len ) { packet->Weird("truncated_pppoe_header"); return AnalyzerResult::Failed; 
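Review bot: PPPSerialAnalyzer::AnalyzePacket skips four bytes and reads the protocol from `data[2]`/`data[3]` without looking at the framing bytes, yet as I recall libpcap documents LINKTYPE_PPP_HDLC (DLT_PPP_SERIAL) as carrying either RFC 1662 HDLC-like framing (first byte 0xff, control 0x03) or Cisco HDLC (first byte 0x0f/0x8f) whose 16-bit field at offset 2 is an EtherType, not a PPP protocol number, so the dispatch would be wrong for that case. At minimum check the address/control bytes and bail with a weird when they are not `0xff 0x03`, e.g. `if ( data[0] != 0xff || data[1] != 0x03 ) { packet->Weird("truncated_ppp_serial_header"); return AnalyzerResult::Failed; }` with a more specific weird name if one fits. The newly added truncation check is correct for these reads.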
@@ -20,7 +21,6 @@ zeek::packet_analysis::AnalyzerResult PPPoEAnalyzer::Analyze(Packet* packet, con // Extract protocol identifier uint32_t protocol = (data[6] << 8u) + data[7]; - data += 8; // Skip the PPPoE session and PPP header - - return AnalyzeInnerPacket(packet, data, protocol); + // Skip the PPPoE session and PPP header + return ForwardPacket(len - 8, data + 8, packet, protocol); } diff --git a/src/packet_analysis/protocol/pppoe/PPPoE.h b/src/packet_analysis/protocol/pppoe/PPPoE.h index 164a96b8e6..2c5113815b 100644 --- a/src/packet_analysis/protocol/pppoe/PPPoE.h +++ b/src/packet_analysis/protocol/pppoe/PPPoE.h @@ -12,7 +12,7 @@ public: PPPoEAnalyzer(); ~PPPoEAnalyzer() override = default; - AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/skip/Skip.cc b/src/packet_analysis/protocol/skip/Skip.cc index 966561c630..66002d0811 100644 --- a/src/packet_analysis/protocol/skip/Skip.cc +++ b/src/packet_analysis/protocol/skip/Skip.cc @@ -19,8 +19,8 @@ void SkipAnalyzer::Initialize() skip_bytes = skip_val->AsCount(); } -zeek::packet_analysis::AnalyzerResult SkipAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult SkipAnalyzer::AnalyzePacket(size_t len, + const uint8_t* data, Packet* packet) { - data += skip_bytes; - return AnalyzeInnerPacket(packet, data); + return ForwardPacket(len - skip_bytes, data + skip_bytes, packet); } diff --git a/src/packet_analysis/protocol/skip/Skip.h b/src/packet_analysis/protocol/skip/Skip.h index a18a7c8bec..5cef785d69 100644 --- a/src/packet_analysis/protocol/skip/Skip.h +++ b/src/packet_analysis/protocol/skip/Skip.h 
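Review bot: SkipAnalyzer::AnalyzePacket forwards `len - skip_bytes` and `data + skip_bytes` with no check that the packet is at least `skip_bytes` long, so a capture shorter than the configured skip (one truncated packet suffices) wraps `len` to a huge `size_t` and hands the next analyzer a pointer past the buffer; that analyzer's own `N >= len` guard then passes and it reads out of bounds. Every other analyzer in this series bounds its skip, and this one should too: `if ( skip_bytes >= len ) { packet->Weird("truncated_link_header"); return AnalyzerResult::Failed; }` before the `ForwardPacket` call, using whichever weird name the project prefers.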
@@ -13,7 +13,7 @@ public: ~SkipAnalyzer() override = default; void Initialize() override; - AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/vlan/VLAN.cc b/src/packet_analysis/protocol/vlan/VLAN.cc index 364e1c9096..a2b245e1ff 100644 --- a/src/packet_analysis/protocol/vlan/VLAN.cc +++ b/src/packet_analysis/protocol/vlan/VLAN.cc @@ -10,9 +10,10 @@ VLANAnalyzer::VLANAnalyzer() { } -zeek::packet_analysis::AnalyzerResult VLANAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult VLANAnalyzer::AnalyzePacket(size_t len, + const uint8_t* data, Packet* packet) { - if ( data + 4 >= packet->GetEndOfData() ) + if ( 4 >= len ) { packet->Weird("truncated_VLAN_header"); return AnalyzerResult::Failed; @@ -23,7 +24,6 @@ zeek::packet_analysis::AnalyzerResult VLANAnalyzer::Analyze(Packet* packet, cons uint32_t protocol = ((data[2] << 8u) + data[3]); packet->eth_type = protocol; - data += 4; // Skip the VLAN header - - return AnalyzeInnerPacket(packet, data, protocol); + // Skip the VLAN header + return ForwardPacket(len - 4, data + 4, packet, protocol); } diff --git a/src/packet_analysis/protocol/vlan/VLAN.h b/src/packet_analysis/protocol/vlan/VLAN.h index d2169374f1..0e1ffcfb92 100644 --- a/src/packet_analysis/protocol/vlan/VLAN.h +++ b/src/packet_analysis/protocol/vlan/VLAN.h @@ -12,7 +12,7 @@ public: VLANAnalyzer(); ~VLANAnalyzer() override = default; - AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc b/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc index 27cf68235c..3781c62272 100644 
--- a/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc +++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc @@ -10,12 +10,11 @@ Bar::Bar() { } -zeek::packet_analysis::AnalyzerResult Bar::Analyze(Packet* packet, const uint8_t*& data) +zeek::packet_analysis::AnalyzerResult Bar::AnalyzePacket(size_t len, + const uint8_t* data, Packet* packet) { - auto end_of_data = packet->GetEndOfData(); - // Rudimentary parsing of 802.2 LLC - if ( data + 17 >= end_of_data ) + if ( 17 >= len ) { packet->Weird("truncated_llc_header"); return AnalyzerResult::Failed; diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h index ad1ee8185e..e8d64e0783 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h +++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h @@ -10,7 +10,7 @@ public: Bar(); ~Bar() override = default; - AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; + AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static AnalyzerPtr Instantiate() { From 38337d799b6129c96a0e60f537faa6310b9f581f Mon Sep 17 00:00:00 2001 
From: Jan Grashoefer Date: Mon, 31 Aug 2020 20:28:06 +0200 Subject: [PATCH 31/43] Improve packet analysis data flow. --- src/Sessions.cc | 31 ++++++++--------- src/Sessions.h | 1 - src/iosource/Packet.cc | 34 ++----------------- src/iosource/Packet.h | 24 ++++++++++--- src/packet_analysis/Analyzer.cc | 8 ++--- src/packet_analysis/Analyzer.h | 21 ++++-------- src/packet_analysis/Manager.cc | 3 +- src/packet_analysis/protocol/arp/ARP.cc | 23 ++++++------- src/packet_analysis/protocol/arp/ARP.h | 2 +- .../protocol/ethernet/Ethernet.cc | 13 ++++--- .../protocol/ethernet/Ethernet.h | 2 +- src/packet_analysis/protocol/fddi/FDDI.cc | 5 ++- src/packet_analysis/protocol/fddi/FDDI.h | 2 +- .../protocol/ieee802_11/IEEE802_11.cc | 17 +++++----- .../protocol/ieee802_11/IEEE802_11.h | 2 +- .../ieee802_11_radio/IEEE802_11_Radio.cc | 7 ++-- .../ieee802_11_radio/IEEE802_11_Radio.h | 2 +- src/packet_analysis/protocol/ip/IP.cc | 7 ++-- src/packet_analysis/protocol/ip/IP.h | 2 +- src/packet_analysis/protocol/ipv4/IPv4.cc | 6 ++-- src/packet_analysis/protocol/ipv4/IPv4.h | 2 +- src/packet_analysis/protocol/ipv6/IPv6.cc | 6 ++-- src/packet_analysis/protocol/ipv6/IPv6.h | 2 +- .../protocol/linux_sll/LinuxSLL.cc | 5 ++- .../protocol/linux_sll/LinuxSLL.h | 2 +- src/packet_analysis/protocol/mpls/MPLS.cc | 12 +++---- src/packet_analysis/protocol/mpls/MPLS.h | 2 +- src/packet_analysis/protocol/nflog/NFLog.cc | 11 +++--- src/packet_analysis/protocol/nflog/NFLog.h | 2 +- src/packet_analysis/protocol/null/Null.cc | 5 ++- src/packet_analysis/protocol/null/Null.h | 2 +- .../protocol/ppp_serial/PPPSerial.cc | 5 ++- .../protocol/ppp_serial/PPPSerial.h | 2 +- src/packet_analysis/protocol/pppoe/PPPoE.cc | 5 ++- src/packet_analysis/protocol/pppoe/PPPoE.h | 2 +- src/packet_analysis/protocol/skip/Skip.cc | 3 +- src/packet_analysis/protocol/skip/Skip.h | 2 +- src/packet_analysis/protocol/vlan/VLAN.cc | 5 ++- src/packet_analysis/protocol/vlan/VLAN.h | 2 +- .../protocol/wrapper/Wrapper.cc | 18 +++++----- 
.../protocol/wrapper/Wrapper.h | 2 +- .../plugins/packet-protocol-plugin/src/Bar.cc | 6 ++-- .../plugins/packet-protocol-plugin/src/Bar.h | 2 +- 43 files changed, 141 insertions(+), 176 deletions(-) diff --git a/src/Sessions.cc b/src/Sessions.cc index 79014f2808..7dd33362a9 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -85,7 +85,6 @@ NetSessions::NetSessions() packet_filter = nullptr; - dump_this_packet = false; num_packets_processed = 0; static auto pkt_profile_file = id::find_val("pkt_profile_file"); @@ -132,10 +131,15 @@ void NetSessions::NextPacket(double t, const Packet* pkt) ++num_packets_processed; - dump_this_packet = false; - - if ( zeek::detail::record_all_packets ) + bool dumped_packet = false; + if ( pkt->dump_packet || zeek::detail::record_all_packets ) + { DumpPacket(pkt); + dumped_packet = true; + } + + if ( ! pkt->session_analysis ) + return; if ( pkt->hdr_size > pkt->cap_len ) { @@ -153,7 +157,7 @@ void NetSessions::NextPacket(double t, const Packet* pkt) return; } - const struct ip* ip = (const struct ip*) (pkt->data + pkt->hdr_size); + auto ip = (const struct ip*) (pkt->data + pkt->hdr_size); IP_Hdr ip_hdr(ip, false); DoNextPacket(t, pkt, &ip_hdr, nullptr); } @@ -170,19 +174,14 @@ void NetSessions::NextPacket(double t, const Packet* pkt) DoNextPacket(t, pkt, &ip_hdr, nullptr); } - else if ( pkt->l3_proto == L3_ARP ) - { - // Do nothing here as ARP has moved into a packet analyzer - //TODO: Revisit the use of packet's l3_proto - } - else { Weird("unknown_packet_type", pkt); return; } - if ( dump_this_packet && ! zeek::detail::record_all_packets ) + // Check whether packet should be recorded based on session analysis + if ( pkt->dump_packet && ! dumped_packet ) DumpPacket(pkt); } @@ -283,7 +282,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr if ( ip_hdr->IsFragment() ) { - dump_this_packet = true; // always record fragments + pkt->dump_packet = true; // always record fragments if ( caplen < len ) { 
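Review bot: The early `if ( ! pkt->session_analysis ) return;` in NetSessions::NextPacket silently drops every packet for which no packet analyzer set the flag, and nothing in the hunk says which analyzers do; since the flag defaults to `false`, a link-layer chain that forgets to set it makes all traffic vanish from session analysis with no weird or counter. A comment at the return would document the contract, e.g. `// Packets fully handled by packet analysis (e.g. ARP) or not claimed by an IP analyzer do not reach session analysis; analyzers opt in via session_analysis.` — hedged to whatever actually sets it, which is not visible here. Note also that `pkt` arrives as `const Packet*` yet `pkt->dump_packet = true` writes through it (via `mutable`), so the `const` no longer promises the packet is untouched.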
@@ -326,7 +325,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr // there, it's always the last. if ( ip_hdr->LastHeader() == IPPROTO_ESP ) { - dump_this_packet = true; + pkt->dump_packet = true; if ( esp_packet ) event_mgr.Enqueue(esp_packet, ip_hdr->ToPktHdrVal()); @@ -728,7 +727,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr else if ( record_packet ) { if ( record_content ) - dump_this_packet = true; // save the whole thing + pkt->dump_packet = true; // save the whole thing else { @@ -1322,7 +1321,7 @@ void NetSessions::Weird(const char* name, const Packet* pkt, const EncapsulationStack* encap, const char* addl) { if ( pkt ) - dump_this_packet = true; + pkt->dump_packet = true; if ( encap && encap->LastType() != BifEnum::Tunnel::NONE ) reporter->Weird(util::fmt("%s_in_tunnel", name), addl); diff --git a/src/Sessions.h b/src/Sessions.h index 8539fe4b0b..277e637ae7 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -239,7 +239,6 @@ protected: detail::PacketFilter* packet_filter; uint64_t num_packets_processed; detail::PacketProfiler* pkt_profiler; - bool dump_this_packet; // if true, current packet should be recorded }; namespace detail { diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index 7b40c75e43..3d530fea3b 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -61,8 +61,8 @@ void Packet::Init(int arg_link_type, pkt_timeval *arg_ts, uint32_t arg_caplen, if ( data ) { - // From here we assume that layer 2 is valid. If a packet analyzer encounters - // an issue, it will call Packet::Weird(), which sets l2_valid to false. + // From here we assume that layer 2 is valid. If the packet analysis fails, + // the packet manager will invalidate the packet. l2_valid = true; packet_mgr->ProcessPacket(this); } 
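Review bot: Packet::Weird no longer clears `l2_valid`, so an analyzer that reports a weird and then returns success (as `ForwardPacket` does when no default analyzer exists, later in this patch) leaves the packet marked as having a valid layer 2. That change of contract is not stated at the function; suggest a comment on `Packet::Weird`: `// Reports a packet-level weird only. Does not invalidate layer 2; an analyzer that cannot continue must return false so the manager calls InvalidateLayer2().` The same note belongs on the declaration in Packet.h.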
@@ -76,7 +76,6 @@ const IP_Hdr Packet::IP() const void Packet::Weird(const char* name) { sessions->Weird(name, this); - l2_valid = false; } IntrusivePtr Packet::ToRawPktHdrVal() const @@ -99,6 +98,7 @@ IntrusivePtr Packet::ToRawPktHdrVal() const else if ( l3_proto == L3_ARP ) l3 = BifEnum::L3_ARP; + // TODO: Get rid of hardcoded l3 protocols. // l2_hdr layout: // encap: link_encap; ##< L2 link encapsulation // len: count; ##< Total frame length on wire @@ -169,32 +169,4 @@ ValPtr Packet::FmtEUI48(const u_char* mac) const return make_intrusive(buf); } -void Packet::Describe(ODesc* d) const - { - switch ( l3_proto ) - { - case L3_ARP: - d->Add("ARP"); - break; - case L3_IPV4: - d->Add("IPv4"); - break; - case L3_IPV6: - d->Add("IPv6"); - break; - default: - d->Add("Unknown L3 protocol"); - } - - // Add IP-specific information - if ( l3_proto == L3_IPV4 || l3_proto == L3_IPV6 ) - { - const IP_Hdr ip = IP(); - d->Add(": "); - d->Add(ip.SrcAddr()); - d->Add("->"); - d->Add(ip.DstAddr()); - } - } - } // namespace zeek diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h index dfe5d86562..fe1968038f 100644 --- a/src/iosource/Packet.h +++ b/src/iosource/Packet.h @@ -125,6 +125,14 @@ public: return l2_valid; } + /** + * Signals that the processing of layer 2 failed. + */ + void InvalidateLayer2() + { + l2_valid = false; + } + /** * Interprets the Layer 3 of the packet as IP and returns a * corresponding object. @@ -140,11 +148,6 @@ public: [[deprecated("Remove in v4.1. Use ToRawPktHdrval() instead.")]] RecordVal* BuildPktHdrVal() const; - /** - * Describes the packet, with standard signature. - */ - void Describe(ODesc* d) const; - /** * Maximal length of a layer 2 address. */ 
@@ -221,6 +224,17 @@ public: */ bool l3_checksummed; + /** + * Indicates whether the packet should be processed by zeek's + * session analysis in NetSessions. + */ + bool session_analysis = false; + + /** + * Indicates whether this packet should be recorded. + */ + mutable bool dump_packet = false; + // Wrapper to generate a packet-level weird. Has to be public for packet analyzers to use it. void Weird(const char* name); diff --git a/src/packet_analysis/Analyzer.cc b/src/packet_analysis/Analyzer.cc index 3262e22fe9..5dcb9a900e 100644 --- a/src/packet_analysis/Analyzer.cc +++ b/src/packet_analysis/Analyzer.cc @@ -57,7 +57,7 @@ AnalyzerPtr Analyzer::Lookup(uint32_t identifier) const return dispatcher.Lookup(identifier); } -AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet, +bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet, uint32_t identifier) const { auto inner_analyzer = Lookup(identifier); @@ -69,7 +69,7 @@ AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s failed, could not find analyzer for identifier %#x.", GetAnalyzerName(), identifier); packet->Weird("no_suitable_analyzer_found"); - return AnalyzerResult::Failed; + return false; } DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s succeeded, next layer identifier is %#x.", @@ -77,7 +77,7 @@ AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* return inner_analyzer->AnalyzePacket(len, data, packet); } -AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const +bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const { if ( default_analyzer ) return default_analyzer->AnalyzePacket(len, data, packet); 
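Review bot: `dump_packet` is declared `mutable` so NetSessions can set it through the `const Packet*` it receives, but the doc comment does not say so, and an unexplained `mutable` on a plain data member is exactly what a later cleanup removes. Suggest `* Indicates whether this packet should be recorded. Mutable because NetSessions only sees a const Packet* yet must flag fragments, ESP and weird packets for dumping.` Likewise the `session_analysis` comment should name who is expected to set it, since it defaults to false and an analyzer that never sets it keeps the packet out of NetSessions entirely; from these hunks I cannot tell which analyzer does.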
@@ -85,7 +85,7 @@ AnalyzerResult Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s stopped, no default analyzer available.", GetAnalyzerName()); packet->Weird("no_suitable_analyzer_found"); - return AnalyzerResult::Terminate; + return true; } } \ No newline at end of file diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h index 82ddf3a686..8faaeab169 100644 --- a/src/packet_analysis/Analyzer.h +++ b/src/packet_analysis/Analyzer.h @@ -8,15 +8,8 @@ namespace zeek::packet_analysis { /** - * Result of packet analysis. + * Main packet analyzer interface. */ -enum class AnalyzerResult { - Failed, // Analysis failed - Terminate // Analysis succeeded and there is no further analysis to do -}; - -using AnalysisResultTuple = std::tuple; - class Analyzer { public: /** @@ -93,9 +86,9 @@ public: * @param data Pointer to the input to process. * @param packet Object that maintains the packet's meta data. * - * @return The outcome of the analysis. + * @return false if the analysis failed, else true. */ - virtual AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, + virtual bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) = 0; protected: @@ -119,9 +112,9 @@ protected: * @param data Reference to the payload pointer into the raw packet. * @param identifier The identifier of the encapsulated protocol. * - * @return The outcome of the analysis. + * @return false if the analysis failed, else true. */ - AnalyzerResult ForwardPacket(size_t len, const uint8_t* data, Packet* packet, + bool ForwardPacket(size_t len, const uint8_t* data, Packet* packet, uint32_t identifier) const; /** 
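Review bot: The two `ForwardPacket` overloads emit the same `no_suitable_analyzer_found` weird but return opposite values: the identifier-based one returns `false` (so Manager::ProcessPacket calls `InvalidateLayer2`), while this default-analyzer path returns `true` and leaves layer 2 marked valid. That mirrors the old Failed/Terminate split, but now that the boolean drives L2 validity the asymmetry is observable to anything checking `Layer2Valid()`; either return `false` here too, or document why stopping without a default analyzer counts as success, e.g. `// No default analyzer is not a parse error: the layers seen so far are valid, so report success.` The file also ends without a trailing newline.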
@@ -131,9 +124,9 @@ protected: * @param packet The packet to analyze. * @param data Reference to the payload pointer into the raw packet. * - * @return The outcome of the analysis. + * @return false if the analysis failed, else true. */ - AnalyzerResult ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const; + bool ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const; private: Tag tag; diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc index 7e44c10883..0d71632574 100644 --- a/src/packet_analysis/Manager.cc +++ b/src/packet_analysis/Manager.cc @@ -128,7 +128,8 @@ void Manager::ProcessPacket(Packet* packet) return; } - auto result = analyzer->AnalyzePacket(packet->cap_len, packet->data, packet); + if ( ! analyzer->AnalyzePacket(packet->cap_len, packet->data, packet) ) + packet->InvalidateLayer2(); } AnalyzerPtr Manager::InstantiateAnalyzer(const Tag& tag) diff --git a/src/packet_analysis/protocol/arp/ARP.cc b/src/packet_analysis/protocol/arp/ARP.cc index c38cea1d34..651c29d167 100644 --- a/src/packet_analysis/protocol/arp/ARP.cc +++ b/src/packet_analysis/protocol/arp/ARP.cc @@ -81,8 +81,7 @@ ARPAnalyzer::ARPAnalyzer() #define ARPOP_INVREPLY ARPOP_InREPLY #endif -zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len, - const uint8_t* data, Packet* packet) +bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { packet->l3_proto = L3_ARP; @@ -90,7 +89,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len, if ( sizeof(struct arp_pkthdr) > len ) { packet->Weird("truncated_ARP"); - return AnalyzerResult::Failed; + return false; } // Check whether the packet is OK ("inspired" in tcpdump's print-arp.c). 
@@ -101,7 +100,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len, if ( min_length > len ) { packet->Weird("truncated_ARP"); - return AnalyzerResult::Failed; + return false; } // Check the address description fields. @@ -112,7 +111,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len, // don't know how to handle the opcode BadARPEvent(ah, "corrupt-arp-header (hrd=%i, hln=%i)", ntohs(ah->ar_hrd), ah->ar_hln); - return AnalyzerResult::Failed; + return false; } break; @@ -120,7 +119,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len, { // don't know how to proceed BadARPEvent(ah, "unknown-arp-hw-address (hrd=%i)", ntohs(ah->ar_hrd)); - return AnalyzerResult::Failed; + return false; } } @@ -132,7 +131,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len, // don't know how to handle the opcode BadARPEvent(ah,"corrupt-arp-header (pro=%i, pln=%i)", ntohs(ah->ar_pro), ah->ar_pln); - return AnalyzerResult::Failed; + return false; } break; @@ -140,7 +139,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len, { // don't know how to proceed BadARPEvent(ah,"unknown-arp-proto-address (pro=%i)", ntohs(ah->ar_pro)); - return AnalyzerResult::Failed; + return false; } } @@ -149,7 +148,7 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len, if ( memcmp(packet->l2_src, ar_sha(ah), ah->ar_hln) != 0 ) { BadARPEvent(ah, "weird-arp-sha"); - return AnalyzerResult::Failed; + return false; } // Check the code is supported. 
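Review bot: In the last hunk `memcmp(packet->l2_src, ar_sha(ah), ah->ar_hln)` dereferences packet->l2_src without checking it; whether every link-layer analyzer that can forward into ARP populates l2_src is not visible here, and a packet arriving with a null l2_src would crash rather than be reported. A guard before the comparison, `if ( ! packet->l2_src ) { packet->Weird("arp_no_l2_src"); return false; }`, keeps the failure on the same path as the other malformed-ARP cases. The earlier hunk's hln validation presumably bounds ar_hln, so only the null case is at issue. AnalyzePacket's body continues outside these hunks.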
@@ -171,20 +170,20 @@ zeek::packet_analysis::AnalyzerResult ARPAnalyzer::AnalyzePacket(size_t len, { // don't know how to handle the opcode BadARPEvent(ah, "unimplemented-arp-opcode (%i)", ntohs(ah->ar_op)); - return AnalyzerResult::Failed; + return false; } default: { // invalid opcode BadARPEvent(ah, "invalid-arp-opcode (opcode=%i)", ntohs(ah->ar_op)); - return AnalyzerResult::Failed; + return false; } } // Leave packet analyzer land - return AnalyzerResult::Terminate; + return true; } zeek::AddrValPtr ARPAnalyzer::ToAddrVal(const void* addr) diff --git a/src/packet_analysis/protocol/arp/ARP.h b/src/packet_analysis/protocol/arp/ARP.h index f38ed5ff27..710821cb68 100644 --- a/src/packet_analysis/protocol/arp/ARP.h +++ b/src/packet_analysis/protocol/arp/ARP.h @@ -18,7 +18,7 @@ public: ARPAnalyzer(); ~ARPAnalyzer() override = default; - AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.cc b/src/packet_analysis/protocol/ethernet/Ethernet.cc index 0bced04b4a..cec9d90288 100644 --- a/src/packet_analysis/protocol/ethernet/Ethernet.cc +++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc @@ -31,15 +31,14 @@ zeek::packet_analysis::AnalyzerPtr EthernetAnalyzer::LoadAnalyzer(const std::str return packet_mgr->GetAnalyzer(analyzer_val->AsEnumVal()); } -zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::AnalyzePacket(size_t len, - const uint8_t* data, Packet* packet) +bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { // Make sure that we actually got an entire ethernet header before trying // to pull bytes out of it. if ( 16 >= len ) { packet->Weird("truncated_ethernet_frame"); - return AnalyzerResult::Failed; + return false; } // Skip past Cisco FabricPath to encapsulated ethernet frame. 
@@ -50,7 +49,7 @@ zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::AnalyzePacket(size_t len if ( cfplen + 14 >= len ) { packet->Weird("truncated_link_header_cfp"); - return AnalyzerResult::Failed; + return false; } data += cfplen; @@ -74,7 +73,7 @@ zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::AnalyzePacket(size_t len if ( 16 >= len ) { packet->Weird("truncated_ethernet_frame"); - return AnalyzerResult::Failed; + return false; } // Let specialized analyzers take over for non Ethernet II frames. @@ -95,10 +94,10 @@ zeek::packet_analysis::AnalyzerResult EthernetAnalyzer::AnalyzePacket(size_t len if ( eth_analyzer ) return eth_analyzer->AnalyzePacket(len, data, packet); - return AnalyzerResult::Terminate; + return true; } // Undefined (1500 < EtherType < 1536) packet->Weird("undefined_ether_type"); - return AnalyzerResult::Failed; + return false; } diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.h b/src/packet_analysis/protocol/ethernet/Ethernet.h index b69b4887ef..eef3741a1f 100644 --- a/src/packet_analysis/protocol/ethernet/Ethernet.h +++ b/src/packet_analysis/protocol/ethernet/Ethernet.h @@ -13,7 +13,7 @@ public: ~EthernetAnalyzer() override = default; void Initialize() override; - AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/fddi/FDDI.cc b/src/packet_analysis/protocol/fddi/FDDI.cc index 3612670f10..5466ab2dad 100644 --- a/src/packet_analysis/protocol/fddi/FDDI.cc +++ b/src/packet_analysis/protocol/fddi/FDDI.cc 
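Review bot: In the last hunk the non-Ethernet II branch returns `true` without a Weird when no specialized analyzer is configured for the frame type, so such frames vanish silently, while the undefined-EtherType case two lines later emits `undefined_ether_type` and fails. If ignoring unconfigured frame types is intentional, a comment such as `// No analyzer configured for this frame type; treat it as handled so layer-2 data stays valid.` above the return would document that, and otherwise a Weird there gives operators the same visibility as the truncation cases. The frame-type classification this branch depends on lies between the hunks and is not visible.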
@@ -10,15 +10,14 @@ FDDIAnalyzer::FDDIAnalyzer() { } -zeek::packet_analysis::AnalyzerResult FDDIAnalyzer::AnalyzePacket(size_t len, - const uint8_t* data, Packet* packet) +bool FDDIAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { size_t hdr_size = 13 + 8; // FDDI header + LLC if ( hdr_size >= len ) { packet->Weird("FDDI_analyzer_failed"); - return AnalyzerResult::Failed; + return false; } // We just skip the header and hope for default analysis diff --git a/src/packet_analysis/protocol/fddi/FDDI.h b/src/packet_analysis/protocol/fddi/FDDI.h index d0e204e7d9..080834ae71 100644 --- a/src/packet_analysis/protocol/fddi/FDDI.h +++ b/src/packet_analysis/protocol/fddi/FDDI.h @@ -12,7 +12,7 @@ public: FDDIAnalyzer(); ~FDDIAnalyzer() override = default; - AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc index 117677b535..c7e6b32982 100644 --- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc 
@@ -10,26 +10,25 @@ IEEE802_11Analyzer::IEEE802_11Analyzer() { } -zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t len, - const uint8_t* data, Packet* packet) +bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { u_char len_80211 = 24; // minimal length of data frames if ( len_80211 >= len ) { packet->Weird("truncated_802_11_header"); - return AnalyzerResult::Failed; + return false; } u_char fc_80211 = data[0]; // Frame Control field // Skip non-data frame types (management & control). if ( ! ((fc_80211 >> 2) & 0x02) ) - return AnalyzerResult::Failed; + return false; // Skip subtypes without data. if ( (fc_80211 >> 4) & 0x04 ) - return AnalyzerResult::Failed; + return false; // 'To DS' and 'From DS' flags set indicate use of the 4th // address field. @@ -42,7 +41,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t l // Skip in case of A-MSDU subframes indicated by QoS // control field. if ( data[len_80211] & 0x80 ) - return AnalyzerResult::Failed; + return false; len_80211 += 2; } @@ -50,7 +49,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t l if ( len_80211 >= len ) { packet->Weird("truncated_802_11_header"); - return AnalyzerResult::Failed; + return false; } // Determine link-layer addresses based @@ -85,7 +84,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t l if ( len_80211 >= len ) { packet->Weird("truncated_802_11_header"); - return AnalyzerResult::Failed; + return false; } // Check that the DSAP and SSAP are both SNAP and that the control @@ -102,7 +101,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11Analyzer::AnalyzePacket(size_t l // If this is a logical link control frame without the // possibility of having a protocol we care about, we'll // just skip it for now. - return AnalyzerResult::Failed; + return false; } uint32_t protocol = (data[0] << 8) + data[1]; 
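Review bot: The A-MSDU test `if ( data[len_80211] & 0x80 )` in the third hunk reads past the 24-byte check performed in the first hunk: if the address-4 branch between the hunks (not visible here, but its comment says it adds the fourth address) has already grown len_80211 to 30, a frame of 25 to 30 captured bytes reads one byte beyond the buffer before the `len_80211 >= len` check in the following hunk runs. Repeating that check, `if ( len_80211 >= len ) { packet->Weird("truncated_802_11_header"); return false; }`, immediately before the QoS read closes the window. Also worth noting: the management/control and non-SNAP returns in this function fail without a Weird, which with the new Manager contract invalidates layer 2 for perfectly well-formed frames.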
diff --git a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h index a9f4916654..e919f9676c 100644 --- a/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h +++ b/src/packet_analysis/protocol/ieee802_11/IEEE802_11.h @@ -12,7 +12,7 @@ public: IEEE802_11Analyzer(); ~IEEE802_11Analyzer() override = default; - AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc index 68eea492da..19fcc052a7 100644 --- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc +++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.cc @@ -12,13 +12,12 @@ IEEE802_11_RadioAnalyzer::IEEE802_11_RadioAnalyzer() { } -zeek::packet_analysis::AnalyzerResult IEEE802_11_RadioAnalyzer::AnalyzePacket(size_t len, - const uint8_t* data, Packet* packet) +bool IEEE802_11_RadioAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { if ( 3 >= len ) { packet->Weird("truncated_radiotap_header"); - return AnalyzerResult::Failed; + return false; } // Skip over the RadioTap header @@ -27,7 +26,7 @@ zeek::packet_analysis::AnalyzerResult IEEE802_11_RadioAnalyzer::AnalyzePacket(si if ( rtheader_len >= len ) { packet->Weird("truncated_radiotap_header"); - return AnalyzerResult::Failed; + return false; } return ForwardPacket(len - rtheader_len, data + rtheader_len, packet, DLT_IEEE802_11); diff --git a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h index 9f75eece30..bbd06d2b0f 100644 --- a/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h 
+++ b/src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h @@ -12,7 +12,7 @@ public: IEEE802_11_RadioAnalyzer(); ~IEEE802_11_RadioAnalyzer() override = default; - AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ip/IP.cc b/src/packet_analysis/protocol/ip/IP.cc index 1e0de7d171..2153ee0ebb 100644 --- a/src/packet_analysis/protocol/ip/IP.cc +++ b/src/packet_analysis/protocol/ip/IP.cc @@ -10,14 +10,13 @@ IPAnalyzer::IPAnalyzer() { } -zeek::packet_analysis::AnalyzerResult IPAnalyzer::AnalyzePacket(size_t len, - const uint8_t* data, Packet* packet) +bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { // Assume we're pointing at IP. Just figure out which version. if ( sizeof(struct ip) >= len ) { packet->Weird("packet_analyzer_truncated_header"); - return AnalyzerResult::Failed; + return false; } auto ip = (const struct ip *)data; @@ -29,7 +28,7 @@ zeek::packet_analysis::AnalyzerResult IPAnalyzer::AnalyzePacket(size_t len, DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s failed, could not find analyzer for identifier %#x.", GetAnalyzerName(), protocol); packet->Weird("no_suitable_analyzer_found"); - return AnalyzerResult::Failed; + return false; } DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s succeeded, next layer identifier is %#x.", diff --git a/src/packet_analysis/protocol/ip/IP.h b/src/packet_analysis/protocol/ip/IP.h index 7fd5d7a799..22f3b015b7 100644 --- a/src/packet_analysis/protocol/ip/IP.h +++ b/src/packet_analysis/protocol/ip/IP.h 
@@ -12,7 +12,7 @@ public: IPAnalyzer(); ~IPAnalyzer() override = default; - AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ipv4/IPv4.cc b/src/packet_analysis/protocol/ipv4/IPv4.cc index 958089c52b..1121ea437d 100644 --- a/src/packet_analysis/protocol/ipv4/IPv4.cc +++ b/src/packet_analysis/protocol/ipv4/IPv4.cc @@ -9,12 +9,12 @@ IPv4Analyzer::IPv4Analyzer() { } -zeek::packet_analysis::AnalyzerResult IPv4Analyzer::AnalyzePacket(size_t len, - const uint8_t* data, Packet* packet) +bool IPv4Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { packet->l3_proto = L3_IPV4; packet->hdr_size = static_cast(data - packet->data); + packet->session_analysis = true; // Leave packet analyzer land - return AnalyzerResult::Terminate; + return true; } diff --git a/src/packet_analysis/protocol/ipv4/IPv4.h b/src/packet_analysis/protocol/ipv4/IPv4.h index b2f01e4d34..4a4833abef 100644 --- a/src/packet_analysis/protocol/ipv4/IPv4.h +++ b/src/packet_analysis/protocol/ipv4/IPv4.h @@ -12,7 +12,7 @@ public: IPv4Analyzer(); ~IPv4Analyzer() override = default; - AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ipv6/IPv6.cc b/src/packet_analysis/protocol/ipv6/IPv6.cc index e36444d296..5da788d4b7 100644 --- a/src/packet_analysis/protocol/ipv6/IPv6.cc +++ b/src/packet_analysis/protocol/ipv6/IPv6.cc 
@@ -9,12 +9,12 @@ IPv6Analyzer::IPv6Analyzer() { } -zeek::packet_analysis::AnalyzerResult IPv6Analyzer::AnalyzePacket(size_t len, - const uint8_t* data, Packet* packet) +bool IPv6Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { packet->l3_proto = L3_IPV6; packet->hdr_size = static_cast(data - packet->data); + packet->session_analysis = true; // Leave packet analyzer land - return AnalyzerResult::Terminate; + return true; } diff --git a/src/packet_analysis/protocol/ipv6/IPv6.h b/src/packet_analysis/protocol/ipv6/IPv6.h index 1a03540cf9..a640b3beff 100644 --- a/src/packet_analysis/protocol/ipv6/IPv6.h +++ b/src/packet_analysis/protocol/ipv6/IPv6.h @@ -12,7 +12,7 @@ public: IPv6Analyzer(); ~IPv6Analyzer() override = default; - AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc index 2c998dc8d9..c924b7233d 100644 --- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc +++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc @@ -9,14 +9,13 @@ LinuxSLLAnalyzer::LinuxSLLAnalyzer() { } -zeek::packet_analysis::AnalyzerResult LinuxSLLAnalyzer::AnalyzePacket(size_t len, - const uint8_t* data, Packet* packet) +bool LinuxSLLAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { auto len_sll_hdr = sizeof(SLLHeader); if ( len_sll_hdr >= len ) { packet->Weird("truncated_Linux_SLL_header"); - return AnalyzerResult::Failed; + return false; } //TODO: Handle different ARPHRD_types diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.h b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h index 65225a1fe6..ec18d92eb1 100644 --- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.h +++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.h 
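Review bot: IPv6Analyzer::AnalyzePacket marks the packet for session analysis without validating that len covers the 40-byte fixed IPv6 header; the only check on this path is `sizeof(struct ip) >= len` in IPAnalyzer (20 bytes), so a packet of 21 to 40 bytes is passed on with l3_proto = L3_IPV6. Unless the session layer re-validates the header length (not visible here), a guard at the top of this function, `if ( len < 40 ) { packet->Weird("truncated_IPv6_header"); return false; }`, would mirror the truncation checks every other analyzer in this series performs. The same pattern applies to IPv4Analyzer, where hdr_size is likewise set without inspecting the header.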
@@ -12,7 +12,7 @@ public: LinuxSLLAnalyzer(); ~LinuxSLLAnalyzer() override = default; - AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/mpls/MPLS.cc b/src/packet_analysis/protocol/mpls/MPLS.cc index f0432a0e17..945b026ea4 100644 --- a/src/packet_analysis/protocol/mpls/MPLS.cc +++ b/src/packet_analysis/protocol/mpls/MPLS.cc @@ -9,8 +9,7 @@ MPLSAnalyzer::MPLSAnalyzer() { } -zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::AnalyzePacket(size_t len, - const uint8_t* data, Packet* packet) +bool MPLSAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { // Skip the MPLS label stack. bool end_of_stack = false; @@ -20,7 +19,7 @@ zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::AnalyzePacket(size_t len, if ( 4 >= len ) { packet->Weird("truncated_link_header"); - return AnalyzerResult::Failed; + return false; } end_of_stack = *(data + 2u) & 0x01; @@ -34,7 +33,7 @@ zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::AnalyzePacket(size_t len, if ( sizeof(struct ip) >= len ) { packet->Weird("no_ip_in_mpls_payload"); - return AnalyzerResult::Failed; + return false; } auto ip = (const struct ip*)data; @@ -47,9 +46,10 @@ zeek::packet_analysis::AnalyzerResult MPLSAnalyzer::AnalyzePacket(size_t len, { // Neither IPv4 nor IPv6. packet->Weird("no_ip_in_mpls_payload"); - return AnalyzerResult::Failed; + return false; } packet->hdr_size = (data - packet->data); - return AnalyzerResult::Terminate; + packet->session_analysis = true; + return true; } diff --git a/src/packet_analysis/protocol/mpls/MPLS.h b/src/packet_analysis/protocol/mpls/MPLS.h index 58c68b1aa4..b536b934d0 100644 --- a/src/packet_analysis/protocol/mpls/MPLS.h +++ b/src/packet_analysis/protocol/mpls/MPLS.h 
@@ -12,7 +12,7 @@ public: MPLSAnalyzer(); ~MPLSAnalyzer() override = default; - AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/nflog/NFLog.cc b/src/packet_analysis/protocol/nflog/NFLog.cc index 49fd6a1656..55a09dc147 100644 --- a/src/packet_analysis/protocol/nflog/NFLog.cc +++ b/src/packet_analysis/protocol/nflog/NFLog.cc @@ -10,13 +10,12 @@ NFLogAnalyzer::NFLogAnalyzer() { } -zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::AnalyzePacket(size_t len, - const uint8_t* data, Packet* packet) +bool NFLogAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { if ( 4 >= len ) { packet->Weird("truncated_nflog_header"); - return AnalyzerResult::Failed; + return false; } // See https://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html @@ -26,7 +25,7 @@ zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::AnalyzePacket(size_t len, if ( version != 0 ) { packet->Weird("unknown_nflog_version"); - return AnalyzerResult::Failed; + return false; } // Skip to TLVs. @@ -41,7 +40,7 @@ zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::AnalyzePacket(size_t len, if ( 4 >= len ) { packet->Weird("nflog_no_pcap_payload"); - return AnalyzerResult::Failed; + return false; } // TLV Type and Length values are specified in host byte order @@ -69,7 +68,7 @@ zeek::packet_analysis::AnalyzerResult NFLogAnalyzer::AnalyzePacket(size_t len, if ( tlv_len < 4 ) { packet->Weird("nflog_bad_tlv_len"); - return AnalyzerResult::Failed; + return false; } else { diff --git a/src/packet_analysis/protocol/nflog/NFLog.h b/src/packet_analysis/protocol/nflog/NFLog.h index 9b725565f9..9e7dfecfea 100644 --- a/src/packet_analysis/protocol/nflog/NFLog.h +++ b/src/packet_analysis/protocol/nflog/NFLog.h 
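Review bot: The TLV length validation in the last NFLog hunk only rejects `tlv_len < 4`; the else branch that consumes the TLV lies outside the hunk, so it is not visible whether tlv_len is also compared against the remaining len before data is advanced. If it is not, a trace-controlled length pushes the cursor past the buffer and the loop's `4 >= len` test then operates on an underflowed size_t. Extending the check to `if ( tlv_len < 4 || tlv_len > len )` closes that regardless of what the else branch does. The earlier hunk's comment that the fields are in host byte order refers to the capturing host, so a trace from a different-endian machine yields garbage lengths that this check should catch rather than trust.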
@@ -12,7 +12,7 @@ public: NFLogAnalyzer(); ~NFLogAnalyzer() override = default; - AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/null/Null.cc b/src/packet_analysis/protocol/null/Null.cc index 1e54ceaab1..92ecb29315 100644 --- a/src/packet_analysis/protocol/null/Null.cc +++ b/src/packet_analysis/protocol/null/Null.cc @@ -10,13 +10,12 @@ NullAnalyzer::NullAnalyzer() { } -zeek::packet_analysis::AnalyzerResult NullAnalyzer::AnalyzePacket(size_t len, - const uint8_t* data, Packet* packet) +bool NullAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { if ( 4 >= len ) { packet->Weird("null_analyzer_failed"); - return AnalyzerResult::Failed; + return false; } uint32_t protocol = (data[3] << 24) + (data[2] << 16) + (data[1] << 8) + data[0]; diff --git a/src/packet_analysis/protocol/null/Null.h b/src/packet_analysis/protocol/null/Null.h index e82340a690..4179130690 100644 --- a/src/packet_analysis/protocol/null/Null.h +++ b/src/packet_analysis/protocol/null/Null.h @@ -12,7 +12,7 @@ public: NullAnalyzer(); ~NullAnalyzer() override = default; - AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc index 4b0531ba8e..8ddf60ac82 100644 --- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc +++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.cc 
@@ -10,13 +10,12 @@ PPPSerialAnalyzer::PPPSerialAnalyzer() { } -zeek::packet_analysis::AnalyzerResult PPPSerialAnalyzer::AnalyzePacket(size_t len, - const uint8_t* data, Packet* packet) +bool PPPSerialAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { if ( 4 >= len ) { packet->Weird("truncated_ppp_serial_header"); - return AnalyzerResult::Failed; + return false; } // Extract protocol identifier diff --git a/src/packet_analysis/protocol/ppp_serial/PPPSerial.h b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h index c9c067ccac..9029e1d378 100644 --- a/src/packet_analysis/protocol/ppp_serial/PPPSerial.h +++ b/src/packet_analysis/protocol/ppp_serial/PPPSerial.h @@ -12,7 +12,7 @@ public: PPPSerialAnalyzer(); ~PPPSerialAnalyzer() override = default; - AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/pppoe/PPPoE.cc b/src/packet_analysis/protocol/pppoe/PPPoE.cc index adbbb3fbe8..8a7454479d 100644 --- a/src/packet_analysis/protocol/pppoe/PPPoE.cc +++ b/src/packet_analysis/protocol/pppoe/PPPoE.cc @@ -10,13 +10,12 @@ PPPoEAnalyzer::PPPoEAnalyzer() { } -zeek::packet_analysis::AnalyzerResult PPPoEAnalyzer::AnalyzePacket(size_t len, - const uint8_t* data, Packet* packet) +bool PPPoEAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { if ( 8 >= len ) { packet->Weird("truncated_pppoe_header"); - return AnalyzerResult::Failed; + return false; } // Extract protocol identifier diff --git a/src/packet_analysis/protocol/pppoe/PPPoE.h b/src/packet_analysis/protocol/pppoe/PPPoE.h index 2c5113815b..cb21a80760 100644 --- a/src/packet_analysis/protocol/pppoe/PPPoE.h +++ b/src/packet_analysis/protocol/pppoe/PPPoE.h 
@@ -12,7 +12,7 @@ public: PPPoEAnalyzer(); ~PPPoEAnalyzer() override = default; - AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/skip/Skip.cc b/src/packet_analysis/protocol/skip/Skip.cc index 66002d0811..8b8ee4974f 100644 --- a/src/packet_analysis/protocol/skip/Skip.cc +++ b/src/packet_analysis/protocol/skip/Skip.cc @@ -19,8 +19,7 @@ void SkipAnalyzer::Initialize() skip_bytes = skip_val->AsCount(); } -zeek::packet_analysis::AnalyzerResult SkipAnalyzer::AnalyzePacket(size_t len, - const uint8_t* data, Packet* packet) +bool SkipAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { return ForwardPacket(len - skip_bytes, data + skip_bytes, packet); } diff --git a/src/packet_analysis/protocol/skip/Skip.h b/src/packet_analysis/protocol/skip/Skip.h index 5cef785d69..544d2ac43a 100644 --- a/src/packet_analysis/protocol/skip/Skip.h +++ b/src/packet_analysis/protocol/skip/Skip.h @@ -13,7 +13,7 @@ public: ~SkipAnalyzer() override = default; void Initialize() override; - AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/vlan/VLAN.cc b/src/packet_analysis/protocol/vlan/VLAN.cc index a2b245e1ff..5dc3fe1874 100644 --- a/src/packet_analysis/protocol/vlan/VLAN.cc +++ b/src/packet_analysis/protocol/vlan/VLAN.cc 
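Review bot: SkipAnalyzer::AnalyzePacket forwards `len - skip_bytes` and `data + skip_bytes` without checking that the packet is at least skip_bytes long; skip_bytes comes from script configuration in Initialize(), but len is per packet, so a frame shorter than the configured skip underflows the size_t length and hands the next analyzer a pointer beyond the capture buffer. A guard before the forward, `if ( skip_bytes >= len ) { packet->Weird("truncated_skip_header"); return false; }`, keeps the same contract as the other analyzers in this series.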
@@ -10,13 +10,12 @@ VLANAnalyzer::VLANAnalyzer() { } -zeek::packet_analysis::AnalyzerResult VLANAnalyzer::AnalyzePacket(size_t len, - const uint8_t* data, Packet* packet) +bool VLANAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { if ( 4 >= len ) { packet->Weird("truncated_VLAN_header"); - return AnalyzerResult::Failed; + return false; } auto& vlan_ref = packet->vlan != 0 ? packet->inner_vlan : packet->vlan; diff --git a/src/packet_analysis/protocol/vlan/VLAN.h b/src/packet_analysis/protocol/vlan/VLAN.h index 0e1ffcfb92..bde045b552 100644 --- a/src/packet_analysis/protocol/vlan/VLAN.h +++ b/src/packet_analysis/protocol/vlan/VLAN.h @@ -12,7 +12,7 @@ public: VLANAnalyzer(); ~VLANAnalyzer() override = default; - AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/src/packet_analysis/protocol/wrapper/Wrapper.cc b/src/packet_analysis/protocol/wrapper/Wrapper.cc index ea04b3a8c9..5d431af2c6 100644 --- a/src/packet_analysis/protocol/wrapper/Wrapper.cc +++ b/src/packet_analysis/protocol/wrapper/Wrapper.cc @@ -10,7 +10,7 @@ WrapperAnalyzer::WrapperAnalyzer() { } -zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) +bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data) { // Unfortunately some packets on the link might have MPLS labels // while others don't. That means we need to ask the link-layer if @@ -27,7 +27,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c if ( data + cfplen + 14 >= end_of_data ) { packet->Weird("truncated_link_header_cfp"); - return AnalyzerResult::Failed; + return false; } data += cfplen; 
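Review bot: The bound check `if ( data + cfplen + 14 >= end_of_data )` in the Wrapper hunk forms a pointer beyond the end of the packet buffer before comparing it, which is undefined behaviour in C++ and the kind of test an optimizer may legitimately fold away; the later Wrapper hunks repeat the pattern with 4, 8 and sizeof(struct ip). Comparing remaining length instead, `if ( static_cast<size_t>(end_of_data - data) <= cfplen + 14 )`, expresses the same condition without the out-of-bounds pointer, assuming data has not already passed end_of_data at that point. Analyze's body continues outside the hunk.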
@@ -57,7 +57,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c if ( data + 4 >= end_of_data ) { packet->Weird("truncated_link_header"); - return AnalyzerResult::Failed; + return false; } auto& vlan_ref = saw_vlan ? packet->inner_vlan : packet->vlan; @@ -75,7 +75,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c if ( data + 8 >= end_of_data ) { packet->Weird("truncated_link_header"); - return AnalyzerResult::Failed; + return false; } protocol = (data[6] << 8u) + data[7]; @@ -89,7 +89,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c { // Neither IPv4 nor IPv6. packet->Weird("non_ip_packet_in_pppoe_encapsulation"); - return AnalyzerResult::Failed; + return false; } } break; @@ -113,7 +113,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c { // Neither IPv4 nor IPv6. packet->Weird("non_ip_packet_in_ethernet"); - return AnalyzerResult::Failed; + return false; } } @@ -127,7 +127,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c if ( data + 4 >= end_of_data ) { packet->Weird("truncated_link_header"); - return AnalyzerResult::Failed; + return false; } end_of_stack = *(data + 2u) & 0x01; @@ -138,7 +138,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c if ( data + sizeof(struct ip) >= end_of_data ) { packet->Weird("no_ip_in_mpls_payload"); - return AnalyzerResult::Failed; + return false; } const struct ip* ip = (const struct ip*)data; @@ -151,7 +151,7 @@ zeek::packet_analysis::AnalyzerResult WrapperAnalyzer::Analyze(Packet* packet, c { // Neither IPv4 nor IPv6. packet->Weird("no_ip_in_mpls_payload"); - return AnalyzerResult::Failed; + return false; } } diff --git a/src/packet_analysis/protocol/wrapper/Wrapper.h b/src/packet_analysis/protocol/wrapper/Wrapper.h index 20ddd66fb5..28bc073832 100644 --- a/src/packet_analysis/protocol/wrapper/Wrapper.h 
+++ b/src/packet_analysis/protocol/wrapper/Wrapper.h @@ -12,7 +12,7 @@ public: WrapperAnalyzer(); ~WrapperAnalyzer() override = default; - AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override; + bool Analyze(Packet* packet, const uint8_t*& data) override; static zeek::packet_analysis::AnalyzerPtr Instantiate() { diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc b/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc index 3781c62272..29926decbc 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc +++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.cc @@ -10,14 +10,14 @@ Bar::Bar() { } -zeek::packet_analysis::AnalyzerResult Bar::AnalyzePacket(size_t len, +bool Bar::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) { // Rudimentary parsing of 802.2 LLC if ( 17 >= len ) { packet->Weird("truncated_llc_header"); - return AnalyzerResult::Failed; + return false; } auto dsap = data[14]; @@ -29,5 +29,5 @@ zeek::packet_analysis::AnalyzerResult Bar::AnalyzePacket(size_t len, val_mgr->Count(ssap), val_mgr->Count(control)); - return AnalyzerResult::Terminate; + return true; } diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h index e8d64e0783..e9a7ce8b25 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h +++ b/testing/btest/plugins/packet-protocol-plugin/src/Bar.h @@ -10,7 +10,7 @@ public: Bar(); ~Bar() override = default; - AnalyzerResult AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static AnalyzerPtr Instantiate() { From 3f3f00030d21faa79704741661f59815ab92ea4f Mon Sep 17 00:00:00 2001 
From: Jan Grashoefer Date: Tue, 1 Sep 2020 13:22:05 +0200 Subject: [PATCH 32/43] Simplify MPLS analysis. --- scripts/base/packet-protocols/__load__.zeek | 1 + .../base/packet-protocols/mpls/__load__.zeek | 1 + scripts/base/packet-protocols/mpls/main.zeek | 5 ++++ src/packet_analysis/protocol/mpls/MPLS.cc | 26 ++----------------- .../canonified_loaded_scripts.log | 6 +++-- .../canonified_loaded_scripts.log | 6 +++-- testing/btest/Baseline/plugins.hooks/output | 17 +++++++----- 7 files changed, 27 insertions(+), 35 deletions(-) create mode 100644 scripts/base/packet-protocols/mpls/__load__.zeek create mode 100644 scripts/base/packet-protocols/mpls/main.zeek diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek index 38e9caf788..0edfce8a76 100644 --- a/scripts/base/packet-protocols/__load__.zeek +++ b/scripts/base/packet-protocols/__load__.zeek @@ -10,3 +10,4 @@ @load base/packet-protocols/ppp_serial @load base/packet-protocols/pppoe @load base/packet-protocols/vlan +@load base/packet-protocols/mpls diff --git a/scripts/base/packet-protocols/mpls/__load__.zeek b/scripts/base/packet-protocols/mpls/__load__.zeek new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/packet-protocols/mpls/__load__.zeek @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/scripts/base/packet-protocols/mpls/main.zeek b/scripts/base/packet-protocols/mpls/main.zeek new file mode 100644 index 0000000000..6fcf4b5777 --- /dev/null +++ b/scripts/base/packet-protocols/mpls/main.zeek @@ -0,0 +1,5 @@ +module PacketAnalyzer::MPLS; + +redef PacketAnalyzer::config_map += { + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_MPLS, $analyzer=PacketAnalyzer::ANALYZER_IP) +}; diff --git a/src/packet_analysis/protocol/mpls/MPLS.cc b/src/packet_analysis/protocol/mpls/MPLS.cc index 945b026ea4..4ec72ad4b6 100644 --- a/src/packet_analysis/protocol/mpls/MPLS.cc +++ b/src/packet_analysis/protocol/mpls/MPLS.cc 
@@ -28,28 +28,6 @@ bool MPLSAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet } // According to RFC3032 the encapsulated protocol is not encoded. - // We assume that what remains is IP. - //TODO: Make that configurable - if ( sizeof(struct ip) >= len ) - { - packet->Weird("no_ip_in_mpls_payload"); - return false; - } - - auto ip = (const struct ip*)data; - - if ( ip->ip_v == 4 ) - packet->l3_proto = L3_IPV4; - else if ( ip->ip_v == 6 ) - packet->l3_proto = L3_IPV6; - else - { - // Neither IPv4 nor IPv6. - packet->Weird("no_ip_in_mpls_payload"); - return false; - } - - packet->hdr_size = (data - packet->data); - packet->session_analysis = true; - return true; + // We use the configured default analyzer. + return ForwardPacket(len, data, packet); } diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index c95f448c08..23a92ba95e 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2020-08-28-15-37-31 +#open 2020-09-01-11-19-11 #fields name #types string scripts/base/init-bare.zeek @@ -44,6 +44,8 @@ scripts/base/init-bare.zeek scripts/base/packet-protocols/pppoe/main.zeek scripts/base/packet-protocols/vlan/__load__.zeek scripts/base/packet-protocols/vlan/main.zeek + scripts/base/packet-protocols/mpls/__load__.zeek + scripts/base/packet-protocols/mpls/main.zeek scripts/base/init-frameworks-and-bifs.zeek scripts/base/frameworks/logging/__load__.zeek scripts/base/frameworks/logging/main.zeek 
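Review bot: The rewritten tail of AnalyzePacket drops the `sizeof(struct ip) >= len` guard and forwards whatever follows the label stack, so a packet that ends right after its last label now reaches ForwardPacket with an empty or near-empty remainder instead of being rejected here; the IP analyzer's own truncation handling is not visible in this hunk, so confirm it covers that case before relying on it. The `no_ip_in_mpls_payload` weird disappears with the guard, which means an MPLS frame carrying a non-IP payload (an Ethernet pseudowire, for example) is no longer reported by this analyzer at all. At minimum the comment should say what the forwarding depends on: `// RFC 3032 does not encode the payload protocol; hand the rest to the child registered without an identifier (base/packet-protocols/mpls/main.zeek maps that to ANALYZER_IP).` AnalyzePacket begins before this hunk, so the label-stack loop closed by the brace on its first line is not shown.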
@@ -212,4 +214,4 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek scripts/policy/misc/loaded-scripts.zeek scripts/base/utils/paths.zeek -#close 2020-08-28-15-37-31 +#close 2020-09-01-11-19-11 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 2c4f3c2331..f45aefe579 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2020-09-22-17-07-43 +#open 2020-09-22-17-11-19 #fields name #types string scripts/base/init-bare.zeek @@ -44,6 +44,8 @@ scripts/base/init-bare.zeek scripts/base/packet-protocols/pppoe/main.zeek scripts/base/packet-protocols/vlan/__load__.zeek scripts/base/packet-protocols/vlan/main.zeek + scripts/base/packet-protocols/mpls/__load__.zeek + scripts/base/packet-protocols/mpls/main.zeek scripts/base/init-frameworks-and-bifs.zeek scripts/base/frameworks/logging/__load__.zeek scripts/base/frameworks/logging/main.zeek @@ -408,4 +410,4 @@ scripts/base/init-default.zeek scripts/base/misc/find-filtered-trace.zeek scripts/base/misc/version.zeek scripts/policy/misc/loaded-scripts.zeek -#close 2020-09-22-17-07-43 +#close 2020-09-22-17-11-19 diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 24d3425197..d6524ea28e 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -283,7 +283,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> @@ -464,7 +464,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -866,6 +866,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/main.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/messaging.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/modbus) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/mpls) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/mqtt) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/mysql) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/netcontrol) -> -1 @@ -1226,7 +1227,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) 
@@ -1407,7 +1408,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) @@ -1809,6 +1810,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/main.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/messaging.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/modbus) +0.000000 MetaHookPre LoadFile(0, base<...>/mpls) 0.000000 MetaHookPre LoadFile(0, base<...>/mqtt) 0.000000 MetaHookPre LoadFile(0, base<...>/mysql) 0.000000 MetaHookPre LoadFile(0, base<...>/netcontrol) 
@@ -2168,7 +2170,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) @@ -2349,7 +2351,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2763,6 +2765,7 @@ 0.000000 | HookLoadFile base<...>/main.zeek 0.000000 | HookLoadFile base<...>/messaging.bif.zeek 0.000000 | HookLoadFile base<...>/modbus +0.000000 | HookLoadFile base<...>/mpls 0.000000 | HookLoadFile base<...>/mqtt 0.000000 | HookLoadFile base<...>/mysql 0.000000 | HookLoadFile base<...>/netcontrol 
@@ -2822,7 +2825,7 @@ 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLoadFile base<...>/zeek.bif.zeek 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent filter_change_tracking() 0.000000 | HookQueueEvent zeek_init() From d51252bb3f4d273eed62081ac2763066e41693d1 Mon Sep 17 00:00:00 2001 
From: Jan Grashoefer Date: Thu, 3 Sep 2020 19:59:08 +0200 Subject: [PATCH 33/43] Extend packet analysis test. --- .../Baseline/plugins.packet-protocol/output | 9 ------ .../plugins.packet-protocol/output_build | 6 ++++ .../plugins.packet-protocol/output_llc | 4 +++ .../plugins.packet-protocol/output_orig | 20 ++++++++++++ .../plugins.packet-protocol/output_raw | 12 +++++++ testing/btest/Traces/raw_layer.pcap | Bin 0 -> 161 bytes .../packet-protocol-plugin/CMakeLists.txt | 5 +-- .../{Bar => LLCDemo}/base/main.zeek | 4 +-- .../PacketDemo/RawLayer/base/main.zeek | 6 ++++ .../scripts/__load__.zeek | 3 +- .../src/{Bar.cc => LLCDemo.cc} | 11 +++---- .../src/{Bar.h => LLCDemo.h} | 8 ++--- .../packet-protocol-plugin/src/Plugin.cc | 11 ++++--- .../packet-protocol-plugin/src/RawLayer.cc | 29 +++++++++++++++++ .../packet-protocol-plugin/src/RawLayer.h | 21 ++++++++++++ .../packet-protocol-plugin/src/events.bif | 3 +- testing/btest/plugins/packet-protocol.zeek | 30 ++++++++++++++---- 17 files changed, 147 insertions(+), 35 deletions(-) delete mode 100644 testing/btest/Baseline/plugins.packet-protocol/output create mode 100644 testing/btest/Baseline/plugins.packet-protocol/output_build create mode 100644 testing/btest/Baseline/plugins.packet-protocol/output_llc create mode 100644 testing/btest/Baseline/plugins.packet-protocol/output_orig create mode 100644 testing/btest/Baseline/plugins.packet-protocol/output_raw create mode 100644 testing/btest/Traces/raw_layer.pcap rename testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/{Bar => LLCDemo}/base/main.zeek (61%) create mode 100644 testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/RawLayer/base/main.zeek rename testing/btest/plugins/packet-protocol-plugin/src/{Bar.cc => LLCDemo.cc} (67%) rename testing/btest/plugins/packet-protocol-plugin/src/{Bar.h => LLCDemo.h} (70%) create mode 100644 testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc create mode 100644 
testing/btest/plugins/packet-protocol-plugin/src/RawLayer.h diff --git a/testing/btest/Baseline/plugins.packet-protocol/output b/testing/btest/Baseline/plugins.packet-protocol/output deleted file mode 100644 index ce4796e58b..0000000000 --- a/testing/btest/Baseline/plugins.packet-protocol/output +++ /dev/null @@ -1,9 +0,0 @@ -PacketDemo::Bar - A Bar packet analyzer. (dynamic, version 1.0.0) - [Packet Analyzer] Bar (ANALYZER_BAR) - [Event] bar_message - -=== -bar_message (DSAP = 42, SSAP = 42, Control = 3) -bar_message (DSAP = 42, SSAP = 42, Control = 3) -bar_message (DSAP = 42, SSAP = 42, Control = 3) -bar_message (DSAP = 42, SSAP = 42, Control = 3) diff --git a/testing/btest/Baseline/plugins.packet-protocol/output_build b/testing/btest/Baseline/plugins.packet-protocol/output_build new file mode 100644 index 0000000000..9762ab88f0 --- /dev/null +++ b/testing/btest/Baseline/plugins.packet-protocol/output_build @@ -0,0 +1,6 @@ +PacketDemo::Bar - Demo packet analyzers (RawLayer, LLC). (dynamic, version 1.0.0) + [Packet Analyzer] LLCDemo (ANALYZER_LLCDEMO) + [Packet Analyzer] RawLayer (ANALYZER_RAWLAYER) + [Event] raw_layer_message + [Event] llc_demo_message + diff --git a/testing/btest/Baseline/plugins.packet-protocol/output_llc b/testing/btest/Baseline/plugins.packet-protocol/output_llc new file mode 100644 index 0000000000..2d25cc574d --- /dev/null +++ b/testing/btest/Baseline/plugins.packet-protocol/output_llc @@ -0,0 +1,4 @@ +llc_demo_message (DSAP = 42, SSAP = 42, Control = 3) +llc_demo_message (DSAP = 42, SSAP = 42, Control = 3) +llc_demo_message (DSAP = 42, SSAP = 42, Control = 3) +llc_demo_message (DSAP = 42, SSAP = 42, Control = 3) diff --git a/testing/btest/Baseline/plugins.packet-protocol/output_orig b/testing/btest/Baseline/plugins.packet-protocol/output_orig new file mode 100644 index 0000000000..576ab517dd --- /dev/null +++ b/testing/btest/Baseline/plugins.packet-protocol/output_orig 
@@ -0,0 +1,20 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2020-09-02-18-56-02 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +1599068759.619112 CHhAvVGS1DHFjwGM9 172.22.214.60 8 192.0.78.212 0 icmp - - - - OTH - - 0 - 1 28 0 0 - +#close 2020-09-02-18-56-02 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open 2020-09-02-18-56-02 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1599068759.647566 - - - - - truncated_IP - F zeek +#close 2020-09-02-18-56-02 diff --git a/testing/btest/Baseline/plugins.packet-protocol/output_raw b/testing/btest/Baseline/plugins.packet-protocol/output_raw new file mode 100644 index 0000000000..621f8054ee --- /dev/null +++ b/testing/btest/Baseline/plugins.packet-protocol/output_raw 
@@ -0,0 +1,12 @@ +raw_layer_message (Message = 'I am encapsulating IP', Protocol = 4950) +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2020-09-03-17-54-45 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +1599068759.647566 ClEkJM2Vm5giqnMf4h 172.22.214.60 8 192.0.78.150 0 icmp - - - - OTH - - 0 - 1 28 0 0 - +1599068759.619112 CHhAvVGS1DHFjwGM9 172.22.214.60 8 192.0.78.212 0 icmp - - - - OTH - - 0 - 1 28 0 0 - +#close 2020-09-03-17-54-45 diff --git a/testing/btest/Traces/raw_layer.pcap b/testing/btest/Traces/raw_layer.pcap new file mode 100644 index 0000000000000000000000000000000000000000..5e4ed891dca385beeec0a58c85689b3790b843ed GIT binary patch literal 161 zcmca|c+)~A1{MYw`2U}Qff2|FzvUmFQN+oh1!RNpe=s-^UADJ;H3x$$1A`1mnFHg? z9c#p{*&JZ-yTZZn9jF(gv+p4%gFTQ9!pJ&1wt6Zg<|?G-B_|dXm*ymvWagzScm^OD L_YG>?G?;M!%da= len ) @@ -24,7 +23,7 @@ bool Bar::AnalyzePacket(size_t len, auto ssap = data[15]; auto control = data[16]; - mgr.Enqueue(bar_message, + event_mgr.Enqueue(llc_demo_message, val_mgr->Count(dsap), val_mgr->Count(ssap), val_mgr->Count(control)); diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h similarity index 70% rename from testing/btest/plugins/packet-protocol-plugin/src/Bar.h rename to testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h index e9a7ce8b25..a649970e85 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/Bar.h +++ b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.h 
@@ -5,16 +5,16 @@ namespace zeek::packet_analysis::PacketDemo { -class Bar : public Analyzer { +class LLCDemo : public Analyzer { public: - Bar(); - ~Bar() override = default; + LLCDemo(); + ~LLCDemo() override = default; bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; static AnalyzerPtr Instantiate() { - return std::make_shared(); + return std::make_shared(); } }; diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc b/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc index b90436a9ee..55a814a150 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc +++ b/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc @@ -1,7 +1,8 @@ #include "Plugin.h" #include "packet_analysis/Component.h" -#include "Bar.h" +#include "RawLayer.h" +#include "LLCDemo.h" namespace zeek::plugin::PacketDemo_Bar { @@ -9,12 +10,14 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() { - AddComponent(new zeek::packet_analysis::Component("Bar", - zeek::packet_analysis::PacketDemo::Bar::Instantiate)); + AddComponent(new zeek::packet_analysis::Component("RawLayer", + zeek::packet_analysis::PacketDemo::RawLayer::Instantiate)); + AddComponent(new zeek::packet_analysis::Component("LLCDemo", + zeek::packet_analysis::PacketDemo::LLCDemo::Instantiate)); zeek::plugin::Configuration config; config.name = "PacketDemo::Bar"; - config.description = "A Bar packet analyzer."; + config.description = "Demo packet analyzers (RawLayer, LLC)."; config.version.major = 1; config.version.minor = 0; config.version.patch = 0; diff --git a/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc b/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc new file mode 100644 index 0000000000..800879b2bc --- /dev/null +++ b/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc 
@@ -0,0 +1,29 @@ +#include "RawLayer.h" +#include "Event.h" +#include "Val.h" +#include "events.bif.h" + +using namespace zeek::packet_analysis::PacketDemo; + +RawLayer::RawLayer() + : zeek::packet_analysis::Analyzer("RawLayer") + { + } + +bool RawLayer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) + { + constexpr auto layer_size = 21; + if ( layer_size >= len ) + { + packet->Weird("truncated_raw_layer"); + return false; + } + + uint16_t protocol = ntohs(*((const uint16_t*)(data + layer_size -2))); + + event_mgr.Enqueue(raw_layer_message, + make_intrusive(layer_size, reinterpret_cast(data)), + val_mgr->Count(protocol)); + + return ForwardPacket(len - layer_size, data + layer_size, packet, protocol); + } diff --git a/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.h b/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.h new file mode 100644 index 0000000000..bf47e933ab --- /dev/null +++ b/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.h @@ -0,0 +1,21 @@ +#pragma once + +#include +#include + +namespace zeek::packet_analysis::PacketDemo { + +class RawLayer : public Analyzer { +public: + RawLayer(); + ~RawLayer() override = default; + + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + + static AnalyzerPtr Instantiate() + { + return std::make_shared(); + } +}; + +} diff --git a/testing/btest/plugins/packet-protocol-plugin/src/events.bif b/testing/btest/plugins/packet-protocol-plugin/src/events.bif index 0b5c6888ab..d70f3e1ea1 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/events.bif +++ b/testing/btest/plugins/packet-protocol-plugin/src/events.bif @@ -1,2 +1,3 @@ -event bar_message%(dsap: count, ssap: count, control: count%); +event raw_layer_message%(message: string, protocol: count%); +event llc_demo_message%(dsap: count, ssap: count, control: count%); 
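Review bot: In RawLayer::AnalyzePacket the line `uint16_t protocol = ntohs(*((const uint16_t*)(data + layer_size -2)));` reads a 16-bit value through a pointer cast into the packet buffer at offset 19, which is neither guaranteed to be aligned nor free of strict-aliasing problems; assembling it from bytes avoids both: `uint16_t protocol = (uint16_t(data[layer_size - 2]) << 8) | data[layer_size - 1];`. `constexpr auto layer_size = 21;` deduces int, so `layer_size >= len` compares a signed value with the size_t parameter; `constexpr size_t layer_size = 21;` removes the mismatch. The new baseline output_raw shows the 21-byte message `I am encapsulating IP` with Protocol = 4950, i.e. the last two header bytes (`IP`) double as the protocol field, which is surprising enough to deserve a comment above the event call, such as `// Demo layer: 21 bytes of text whose final two bytes also serve as the big-endian protocol id (here "IP" = 0x4950).`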
diff --git a/testing/btest/plugins/packet-protocol.zeek b/testing/btest/plugins/packet-protocol.zeek index d4f351f2fe..4ac25356a0 100644 --- a/testing/btest/plugins/packet-protocol.zeek +++ b/testing/btest/plugins/packet-protocol.zeek @@ -1,14 +1,32 @@ +# @TEST-EXEC: zeek -r $TRACES/raw_layer.pcap +# @TEST-EXEC: cat conn.log > output_orig +# @TEST-EXEC: cat weird.log >> output_orig +# @TEST-EXEC: btest-diff output_orig +# @TEST-EXEC: rm -f *.log +# # @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . PacketDemo Bar # @TEST-EXEC: cp -r %DIR/packet-protocol-plugin/* . # @TEST-EXEC: ./configure --zeek-dist=${DIST} && make -# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -NN PacketDemo::Bar >>output -# @TEST-EXEC: echo === >>output -# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -r $TRACES/raw_packets.trace %INPUT >>output -# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff output +# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -NN PacketDemo::Bar > output_build +# @TEST-EXEC: btest-diff output_build +# +# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -r $TRACES/raw_layer.pcap %INPUT > output_raw +# @TEST-EXEC: cat conn.log >> output_raw +# @TEST-EXEC: test ! -e weird.log +# @TEST-EXEC: btest-diff output_raw +# @TEST-EXEC: rm -f *.log +# +# @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -r $TRACES/raw_packets.trace %INPUT > output_llc +# @TEST-EXEC: btest-diff output_llc -event bar_message(dsap: count, ssap: count, control: count) +event raw_layer_message(msg: string, protocol: count) { - print fmt("bar_message (DSAP = %x, SSAP = %x, Control = %x)", + print fmt("raw_layer_message (Message = '%s', Protocol = %x)", msg, protocol); + } + +event llc_demo_message(dsap: count, ssap: count, control: count) + { + print fmt("llc_demo_message (DSAP = %x, SSAP = %x, Control = %x)", dsap, ssap, control); } From 8f951574d74cf280a8a85c545b3f71cb51cc72fa Mon Sep 17 00:00:00 2001 
From: Jan Grashoefer Date: Mon, 7 Sep 2020 16:17:26 +0200 Subject: [PATCH 34/43] Add explicit root analyzer for packet analysis. --- scripts/base/init-bare.zeek | 2 +- .../base/packet-protocols/ethernet/main.zeek | 2 +- scripts/base/packet-protocols/fddi/main.zeek | 2 +- .../packet-protocols/ieee802_11/main.zeek | 2 +- .../ieee802_11_radio/main.zeek | 2 +- scripts/base/packet-protocols/ip/main.zeek | 2 +- .../base/packet-protocols/linux_sll/main.zeek | 2 +- scripts/base/packet-protocols/nflog/main.zeek | 2 +- scripts/base/packet-protocols/null/main.zeek | 2 +- .../packet-protocols/ppp_serial/main.zeek | 2 +- src/packet_analysis/Analyzer.cc | 12 ++++++++- src/packet_analysis/Analyzer.h | 5 ++++ src/packet_analysis/Manager.cc | 25 ++++--------------- src/packet_analysis/Manager.h | 3 +-- src/packet_analysis/protocol/CMakeLists.txt | 1 + src/packet_analysis/protocol/ip/Plugin.cc | 2 +- .../protocol/root/CMakeLists.txt | 8 ++++++ src/packet_analysis/protocol/root/Plugin.cc | 24 ++++++++++++++++++ src/packet_analysis/protocol/root/Root.cc | 16 ++++++++++++ src/packet_analysis/protocol/root/Root.h | 23 +++++++++++++++++ testing/btest/core/skip_analyzer.zeek | 2 +- 21 files changed, 106 insertions(+), 35 deletions(-) create mode 100644 src/packet_analysis/protocol/root/CMakeLists.txt create mode 100644 src/packet_analysis/protocol/root/Plugin.cc create mode 100644 src/packet_analysis/protocol/root/Root.cc create mode 100644 src/packet_analysis/protocol/root/Root.h diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index 3efb1180da..b408586873 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek 
@@ -5350,7 +5350,7 @@ export { ## If it is not included, the identifier will attach to the "root" analyzer. The ## root analyzer uses the link layer identifier provided by the packet source to ## determine the protocol for the initial packet header. - parent : PacketAnalyzer::Tag &optional; + parent : PacketAnalyzer::Tag; ## A numeric identifier, which can be found in the packet data, that denotes the ## encapsulated protocol. This field is optional. If it is not included, the diff --git a/scripts/base/packet-protocols/ethernet/main.zeek b/scripts/base/packet-protocols/ethernet/main.zeek index 9c8e3631cf..170e4a7d6e 100644 --- a/scripts/base/packet-protocols/ethernet/main.zeek +++ b/scripts/base/packet-protocols/ethernet/main.zeek @@ -12,7 +12,7 @@ export { const DLT_EN10MB : count = 1; redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($identifier=DLT_EN10MB, $analyzer=PacketAnalyzer::ANALYZER_ETHERNET), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_EN10MB, $analyzer=PacketAnalyzer::ANALYZER_ETHERNET), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8847, $analyzer=PacketAnalyzer::ANALYZER_MPLS), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6), diff --git a/scripts/base/packet-protocols/fddi/main.zeek b/scripts/base/packet-protocols/fddi/main.zeek index 229846dab6..10d885ee84 100644 --- a/scripts/base/packet-protocols/fddi/main.zeek +++ b/scripts/base/packet-protocols/fddi/main.zeek 
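Review bot: The doc comment kept as context above the changed field still says `If it is not included, the identifier will attach to the "root" analyzer`, but the hunk removes `&optional` from `parent`, so the field can no longer be omitted and that sentence now describes behaviour that does not exist. Replace the three doc lines with something like `## The parent analyzer this entry attaches to. Every entry must name one; link-layer` / `## analyzers use PacketAnalyzer::ANALYZER_ROOT, whose dispatcher keys on the link-layer` / `## identifier provided by the packet source.` The ConfigEntry record this field belongs to starts before the hunk.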
@@ -3,6 +3,6 @@ module PacketAnalyzer::FDDI; const DLT_FDDI : count = 10; redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($identifier=DLT_FDDI, $analyzer=PacketAnalyzer::ANALYZER_FDDI), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_FDDI, $analyzer=PacketAnalyzer::ANALYZER_FDDI), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_FDDI, $analyzer=PacketAnalyzer::ANALYZER_IP) }; diff --git a/scripts/base/packet-protocols/ieee802_11/main.zeek b/scripts/base/packet-protocols/ieee802_11/main.zeek index 21123cd719..292e26b34b 100644 --- a/scripts/base/packet-protocols/ieee802_11/main.zeek +++ b/scripts/base/packet-protocols/ieee802_11/main.zeek @@ -3,7 +3,7 @@ module PacketAnalyzer::IEEE802_11; const DLT_IEEE802_11 : count = 105; redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($identifier=DLT_IEEE802_11, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_IEEE802_11, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP), diff --git a/scripts/base/packet-protocols/ieee802_11_radio/main.zeek b/scripts/base/packet-protocols/ieee802_11_radio/main.zeek index 8c369d0183..13c0cbe618 100644 --- a/scripts/base/packet-protocols/ieee802_11_radio/main.zeek +++ b/scripts/base/packet-protocols/ieee802_11_radio/main.zeek 
@@ -4,6 +4,6 @@ const DLT_IEEE802_11_RADIO : count = 127; const DLT_IEEE802_11 : count = 105; redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($identifier=DLT_IEEE802_11_RADIO, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11_RADIO), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_IEEE802_11_RADIO, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11_RADIO), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11_RADIO, $identifier=DLT_IEEE802_11, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11) }; diff --git a/scripts/base/packet-protocols/ip/main.zeek b/scripts/base/packet-protocols/ip/main.zeek index 4c9d2c2740..6731bddb29 100644 --- a/scripts/base/packet-protocols/ip/main.zeek +++ b/scripts/base/packet-protocols/ip/main.zeek @@ -1,7 +1,7 @@ module PacketAnalyzer::IP; redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($analyzer=PacketAnalyzer::ANALYZER_IP), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $analyzer=PacketAnalyzer::ANALYZER_IP), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=4, $analyzer=PacketAnalyzer::ANALYZER_IPV4), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=6, $analyzer=PacketAnalyzer::ANALYZER_IPV6) }; diff --git a/scripts/base/packet-protocols/linux_sll/main.zeek b/scripts/base/packet-protocols/linux_sll/main.zeek index d5c9708556..ce693f6625 100644 --- a/scripts/base/packet-protocols/linux_sll/main.zeek +++ b/scripts/base/packet-protocols/linux_sll/main.zeek 
@@ -3,7 +3,7 @@ module PacketAnalyzer::LINUX_SLL; const DLT_LINUX_SLL : count = 113; redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($identifier=DLT_LINUX_SLL, $analyzer=PacketAnalyzer::ANALYZER_LINUXSLL), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_LINUX_SLL, $analyzer=PacketAnalyzer::ANALYZER_LINUXSLL), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP), diff --git a/scripts/base/packet-protocols/nflog/main.zeek b/scripts/base/packet-protocols/nflog/main.zeek index 50edf4b514..d5da9f47c8 100644 --- a/scripts/base/packet-protocols/nflog/main.zeek +++ b/scripts/base/packet-protocols/nflog/main.zeek @@ -5,7 +5,7 @@ const AF_INET : count = 2; const AF_INET6 : count = 10; redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($identifier=DLT_NFLOG, $analyzer=PacketAnalyzer::ANALYZER_NFLOG), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_NFLOG, $analyzer=PacketAnalyzer::ANALYZER_NFLOG), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NFLOG, $identifier=AF_INET, $analyzer=PacketAnalyzer::ANALYZER_IPV4), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NFLOG, $identifier=AF_INET6, $analyzer=PacketAnalyzer::ANALYZER_IPV6) }; diff --git a/scripts/base/packet-protocols/null/main.zeek b/scripts/base/packet-protocols/null/main.zeek index 9ad54c9b74..35a4258f04 100644 --- a/scripts/base/packet-protocols/null/main.zeek +++ b/scripts/base/packet-protocols/null/main.zeek 
@@ -5,7 +5,7 @@ const AF_INET : count = 2; const AF_INET6 : count = 10; redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($identifier=DLT_NULL, $analyzer=PacketAnalyzer::ANALYZER_NULL), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_NULL, $analyzer=PacketAnalyzer::ANALYZER_NULL), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NULL, $identifier=AF_INET, $analyzer=PacketAnalyzer::ANALYZER_IPV4), ## From the Wireshark Wiki: AF_INET6ANALYZER, unfortunately, has different values in diff --git a/scripts/base/packet-protocols/ppp_serial/main.zeek b/scripts/base/packet-protocols/ppp_serial/main.zeek index 839e19c1d4..75d97706fe 100644 --- a/scripts/base/packet-protocols/ppp_serial/main.zeek +++ b/scripts/base/packet-protocols/ppp_serial/main.zeek @@ -3,7 +3,7 @@ module PacketAnalyzer::PPP_SERIAL; const DLT_PPP_SERIAL : count = 50; redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($identifier=DLT_PPP_SERIAL, $analyzer=PacketAnalyzer::ANALYZER_PPPSERIAL), + PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_PPP_SERIAL, $analyzer=PacketAnalyzer::ANALYZER_PPPSERIAL), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0281, $analyzer=PacketAnalyzer::ANALYZER_MPLS), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0021, $analyzer=PacketAnalyzer::ANALYZER_IPV4), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0057, $analyzer=PacketAnalyzer::ANALYZER_IPV6) diff --git a/src/packet_analysis/Analyzer.cc b/src/packet_analysis/Analyzer.cc index 5dcb9a900e..bec54918eb 100644 --- a/src/packet_analysis/Analyzer.cc +++ b/src/packet_analysis/Analyzer.cc @@ -2,6 +2,8 @@ #include "Analyzer.h" +#include "DebugLogger.h" + namespace zeek::packet_analysis { Analyzer::Analyzer(std::string name) 
@@ -88,4 +90,12 @@ bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet) co
 return true;
 }
-}
\ No newline at end of file
+void Analyzer::DumpDebug() const
+ {
+#ifdef DEBUG
+ DBG_LOG(DBG_PACKET_ANALYSIS, "Debug info for %s", this->GetAnalyzerName());
+ dispatcher.DumpDebug();
+#endif
+ }
+
+}
diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h
index 8faaeab169..e2ae7e76f4 100644
--- a/src/packet_analysis/Analyzer.h
+++ b/src/packet_analysis/Analyzer.h
@@ -91,6 +91,11 @@ public:
 virtual bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) = 0;
+ /**
+ * Dumps out debug information to the \c analyzer debug stream.
+ */
+ void DumpDebug() const;
+
 protected:
 friend class Manager;
diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc
index 0d71632574..5a7251d8ad 100644
--- a/src/packet_analysis/Manager.cc
+++ b/src/packet_analysis/Manager.cc
@@ -36,7 +36,7 @@ void Manager::InitPostScript()
 //TODO: Make that field a string for usability reasons
 //TODO: Check error handling when fields are omitted
 auto& parent_val = rv->GetField("parent");
- std::string parent_name = parent_val ? Lookup(parent_val->AsEnumVal())->Name() : "ROOT";
+ std::string parent_name = Lookup(parent_val->AsEnumVal())->Name();
 auto& identifier_val = rv->GetField("identifier");
 auto analyzer_tag = rv->GetField("analyzer")->AsEnumVal();
 auto analyzer_name = Lookup(analyzer_tag)->Name();
@@ -49,15 +49,6 @@ void Manager::InitPostScript()
 }
 auto& analyzer = analyzer_it->second;
- if ( parent_name == "ROOT" )
- {
- if ( identifier_val )
- root_dispatcher.Register(identifier_val->AsCount(), analyzer);
- else
- default_analyzer = analyzer;
- continue;
- }
-
 auto parent_analyzer_it = analyzers.find(parent_name);
 if ( parent_analyzer_it == analyzers.end() )
 {
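Review bot: The doc comment added for `DumpDebug()` in the Analyzer.h hunk says it writes to the `\c analyzer` debug stream, but the implementation in the Analyzer.cc hunk just above logs through `DBG_LOG(DBG_PACKET_ANALYSIS, ...)` and is compiled out entirely without `DEBUG`. Suggest `* Dumps out debug information to the \c DBG_PACKET_ANALYSIS debug stream (no-op in non-DEBUG builds).` so the comment matches both the stream and the `#ifdef DEBUG` guard.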
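Review bot: The new `std::string parent_name = Lookup(parent_val->AsEnumVal())->Name();` in the first Manager.cc hunk dereferences `parent_val` unconditionally, whereas the line it replaces guarded against a null value; `rv->GetField("parent")` yields null when a config entry omits `$parent`, and the TODO two lines above still says handling of omitted fields is unchecked. If `parent` is guaranteed non-optional in the record this is fine, but that guarantee is not visible in this hunk, so a cheap guard keeps a script-side omission from crashing startup: `if ( ! parent_val ) { reporter->InternalWarning("packet analyzer config entry without parent"); continue; }`. The enclosing loop of `Manager::InitPostScript` starts outside the hunk.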
@@ -75,6 +66,8 @@ void Manager::InitPostScript()
 // Initialize all analyzers
 for ( auto& [name, analyzer] : analyzers )
 analyzer->Initialize();
+
+ root_analyzer = analyzers["Root"];
 }
 void Manager::Done()
@@ -91,7 +84,7 @@ void Manager::DumpDebug()
 }
 DBG_LOG(DBG_PACKET_ANALYSIS, "Root dispatcher:");
- root_dispatcher.DumpDebug();
+ root_analyzer->DumpDebug();
 #endif
 }
@@ -120,15 +113,7 @@ void Manager::ProcessPacket(Packet* packet)
 DBG_LOG(DBG_PACKET_ANALYSIS, "Analyzing packet %ld, ts=%.3f...", ++counter, packet->time);
 #endif
 // Start packet analysis
- auto root_analyzer = root_dispatcher.Lookup(packet->link_type);
- auto analyzer = root_analyzer ? root_analyzer : default_analyzer;
- if ( !analyzer )
- {
- reporter->InternalWarning("No analyzer for link type %#x", packet->link_type);
- return;
- }
-
- if ( ! analyzer->AnalyzePacket(packet->cap_len, packet->data, packet) )
+ if ( ! root_analyzer->ForwardPacket(packet->cap_len, packet->data, packet, packet->link_type) )
 packet->InvalidateLayer2();
 }
diff --git a/src/packet_analysis/Manager.h b/src/packet_analysis/Manager.h
index f13feaa590..7030c8fc05 100644
--- a/src/packet_analysis/Manager.h
+++ b/src/packet_analysis/Manager.h
@@ -90,8 +90,7 @@ private:
 AnalyzerPtr InstantiateAnalyzer(const std::string& name);
 std::map analyzers;
- Dispatcher root_dispatcher;
- AnalyzerPtr default_analyzer = nullptr;
+ AnalyzerPtr root_analyzer = nullptr;
 };
 }
diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt
index c7228c2123..10103d7dca 100644
--- a/src/packet_analysis/protocol/CMakeLists.txt
+++ b/src/packet_analysis/protocol/CMakeLists.txt
@@ -1,3 +1,4 @@
+add_subdirectory(root)
 add_subdirectory(skip)
 add_subdirectory(null)
diff --git a/src/packet_analysis/protocol/ip/Plugin.cc b/src/packet_analysis/protocol/ip/Plugin.cc
index 5645220677..c24a880c60 100644
--- a/src/packet_analysis/protocol/ip/Plugin.cc
+++ b/src/packet_analysis/protocol/ip/Plugin.cc
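Review bot: `root_analyzer = analyzers["Root"];` in the first Manager.cc hunk uses `std::map::operator[]`, which silently inserts a null `AnalyzerPtr` when no analyzer named "Root" was registered, and the `ProcessPacket` hunk below then calls `root_analyzer->ForwardPacket(...)` without the null check that the removed `if ( !analyzer )` branch used to provide. Resolving the root analyzer with `find()` and failing at init time turns a missing Root plugin into a clear startup error instead of a null dereference on the first packet. The `"Root dispatcher:"` message in the `DumpDebug` hunk is also stale now that the dispatcher member is gone; `"Root analyzer:"` would match the new code.
```cpp
	// … unchanged: analyzer->Initialize() loop …

	auto root_it = analyzers.find("Root");
	if ( root_it == analyzers.end() )
		reporter->InternalError("no packet analyzer named 'Root' registered");

	root_analyzer = root_it->second;
```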
@@ -4,7 +4,7 @@
 #include "plugin/Plugin.h"
 #include "packet_analysis/Component.h"
-namespace zeek::plugin::Zeek_Default {
+namespace zeek::plugin::Zeek_IP {
 class Plugin : public zeek::plugin::Plugin {
 public:
diff --git a/src/packet_analysis/protocol/root/CMakeLists.txt b/src/packet_analysis/protocol/root/CMakeLists.txt
new file mode 100644
index 0000000000..3ea75189f3
--- /dev/null
+++ b/src/packet_analysis/protocol/root/CMakeLists.txt
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(PacketAnalyzer Root)
+zeek_plugin_cc(Root.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/packet_analysis/protocol/root/Plugin.cc b/src/packet_analysis/protocol/root/Plugin.cc
new file mode 100644
index 0000000000..1d3432b627
--- /dev/null
+++ b/src/packet_analysis/protocol/root/Plugin.cc
@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "Root.h"
+#include "plugin/Plugin.h"
+#include "packet_analysis/Component.h"
+
+namespace zeek::plugin::Zeek_Root {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::packet_analysis::Component("Root",
+ zeek::packet_analysis::Root::RootAnalyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "Zeek::Root";
+ config.description = "Root packet analyzer";
+ return config;
+ }
+
+} plugin;
+
+}
diff --git a/src/packet_analysis/protocol/root/Root.cc b/src/packet_analysis/protocol/root/Root.cc
new file mode 100644
index 0000000000..aae58e8054
--- /dev/null
+++ b/src/packet_analysis/protocol/root/Root.cc
@@ -0,0 +1,16 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "Root.h"
+#include "NetVar.h"
+
+using namespace zeek::packet_analysis::Root;
+
+RootAnalyzer::RootAnalyzer()
+ : zeek::packet_analysis::Analyzer("Root")
+ {
+ }
+
+bool RootAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+ {
+ reporter->InternalError("AnalysisPacket() was called for the root analyzer.");
+ }
\ No newline at end of file
diff --git a/src/packet_analysis/protocol/root/Root.h b/src/packet_analysis/protocol/root/Root.h
new file mode 100644
index 0000000000..fc1543bbb8
--- /dev/null
+++ b/src/packet_analysis/protocol/root/Root.h
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include
+
+namespace zeek::packet_analysis::Root {
+
+class RootAnalyzer : public Analyzer {
+public:
+ RootAnalyzer();
+ ~RootAnalyzer() override = default;
+
+ bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+ static zeek::packet_analysis::AnalyzerPtr Instantiate()
+ {
+ return std::make_shared();
+ }
+};
+
+}
diff --git a/testing/btest/core/skip_analyzer.zeek b/testing/btest/core/skip_analyzer.zeek
index 70018e6aeb..ed0b6d587f 100644
--- a/testing/btest/core/skip_analyzer.zeek
+++ b/testing/btest/core/skip_analyzer.zeek
@@ -8,7 +8,7 @@
 @load base/frameworks/tunnels
 redef PacketAnalyzer::config_map += {
- PacketAnalyzer::ConfigEntry($identifier=1, $analyzer=PacketAnalyzer::ANALYZER_SKIP)
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=1, $analyzer=PacketAnalyzer::ANALYZER_SKIP)
 };
 redef PacketAnalyzer::SkipAnalyzer::skip_bytes: count = 38;
From efa262a22921297bc2267991922da8e451b64d6e Mon Sep 17 00:00:00 2001
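Review bot: `RootAnalyzer::AnalyzePacket` in the new Root.cc is declared `bool` but contains no return statement; unless `reporter->InternalError` is declared noreturn, falling off the end of a non-void function is undefined behaviour and draws a compiler warning, so add `return false;` after the call. The message also names the wrong function: `"AnalysisPacket() was called for the root analyzer."` should read `"AnalyzePacket() was called for the root analyzer."`. A one-line comment such as `// Never dispatched directly; the manager enters the tree via ForwardPacket().` would explain why `len`, `data` and `packet` go unused here, which otherwise reads like an unfinished method.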
From: Jan Grashoefer Date: Mon, 7 Sep 2020 19:01:02 +0200 Subject: [PATCH 35/43] Make default packet analyzer definition explicit. --- scripts/base/init-bare.zeek | 2 +- scripts/base/packet-protocols/__load__.zeek | 1 + .../base/packet-protocols/ethernet/main.zeek | 6 ++++-- scripts/base/packet-protocols/fddi/main.zeek | 6 +++++- scripts/base/packet-protocols/ip/main.zeek | 1 - scripts/base/packet-protocols/mpls/main.zeek | 7 ++++--- .../base/packet-protocols/root/__load__.zeek | 1 + scripts/base/packet-protocols/root/main.zeek | 6 ++++++ scripts/base/packet-protocols/skip/main.zeek | 9 ++++---- src/packet_analysis/Analyzer.cc | 21 +++++++++++++++++++ src/packet_analysis/Analyzer.h | 12 ++++++++++- .../protocol/ethernet/Ethernet.cc | 15 ++----------- .../protocol/ethernet/Ethernet.h | 2 -- src/packet_analysis/protocol/skip/Skip.cc | 4 +++- testing/btest/core/skip_analyzer.zeek | 2 +- 15 files changed, 64 insertions(+), 31 deletions(-) create mode 100644 scripts/base/packet-protocols/root/__load__.zeek create mode 100644 scripts/base/packet-protocols/root/main.zeek diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index b408586873..b89aa00f4c 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -5355,7 +5355,7 @@ export { ## A numeric identifier, which can be found in the packet data, that denotes the ## encapsulated protocol. This field is optional. If it is not included, the ## configured child analyzer will be used as default analyzer. - identifier : count &optional; + identifier : count; ## The analyzer that corresponds to the above identifier. analyzer : PacketAnalyzer::Tag; diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek index 0edfce8a76..572b1a0c0c 100644 --- a/scripts/base/packet-protocols/__load__.zeek +++ b/scripts/base/packet-protocols/__load__.zeek 
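Review bot: Making `identifier` mandatory leaves the three comment lines kept as context above it stale: they still say the field is optional and that omitting it selects the default analyzer, which this commit moves to the per-module `default_analyzer` constants. Suggest trimming the comment to `## A numeric identifier, which can be found in the packet data, that denotes the encapsulated protocol.` so readers of init-bare.zeek are not pointed at a behaviour that no longer exists.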
@@ -1,3 +1,4 @@ +@load base/packet-protocols/root @load base/packet-protocols/ip @load base/packet-protocols/skip @load base/packet-protocols/ethernet diff --git a/scripts/base/packet-protocols/ethernet/main.zeek b/scripts/base/packet-protocols/ethernet/main.zeek index 170e4a7d6e..6723556708 100644 --- a/scripts/base/packet-protocols/ethernet/main.zeek +++ b/scripts/base/packet-protocols/ethernet/main.zeek @@ -1,6 +1,9 @@ -module PacketAnalyzer::Ethernet; +module PacketAnalyzer::ETHERNET; export { + ## Default analyzer + const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef; + ## IEEE 802.2 SNAP analyzer const snap_analyzer: PacketAnalyzer::Tag &redef; ## Novell raw IEEE 802.3 analyzer @@ -22,5 +25,4 @@ redef PacketAnalyzer::config_map += { PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x88A8, $analyzer=PacketAnalyzer::ANALYZER_VLAN), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x9100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $analyzer=PacketAnalyzer::ANALYZER_IP) }; diff --git a/scripts/base/packet-protocols/fddi/main.zeek b/scripts/base/packet-protocols/fddi/main.zeek index 10d885ee84..30ab05331f 100644 --- a/scripts/base/packet-protocols/fddi/main.zeek +++ b/scripts/base/packet-protocols/fddi/main.zeek 
@@ -1,8 +1,12 @@ module PacketAnalyzer::FDDI; +export { + ## Default analyzer + const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef; +} + const DLT_FDDI : count = 10; redef PacketAnalyzer::config_map += { PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_FDDI, $analyzer=PacketAnalyzer::ANALYZER_FDDI), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_FDDI, $analyzer=PacketAnalyzer::ANALYZER_IP) }; diff --git a/scripts/base/packet-protocols/ip/main.zeek b/scripts/base/packet-protocols/ip/main.zeek index 6731bddb29..c7884db588 100644 --- a/scripts/base/packet-protocols/ip/main.zeek +++ b/scripts/base/packet-protocols/ip/main.zeek @@ -1,7 +1,6 @@ module PacketAnalyzer::IP; redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $analyzer=PacketAnalyzer::ANALYZER_IP), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=4, $analyzer=PacketAnalyzer::ANALYZER_IPV4), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=6, $analyzer=PacketAnalyzer::ANALYZER_IPV6) }; diff --git a/scripts/base/packet-protocols/mpls/main.zeek b/scripts/base/packet-protocols/mpls/main.zeek index 6fcf4b5777..a597ceea0b 100644 --- a/scripts/base/packet-protocols/mpls/main.zeek +++ b/scripts/base/packet-protocols/mpls/main.zeek @@ -1,5 +1,6 @@ module PacketAnalyzer::MPLS; -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_MPLS, $analyzer=PacketAnalyzer::ANALYZER_IP) -}; +export { + ## Default analyzer + const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef; +} diff --git a/scripts/base/packet-protocols/root/__load__.zeek b/scripts/base/packet-protocols/root/__load__.zeek new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/packet-protocols/root/__load__.zeek @@ -0,0 +1 @@ +@load ./main \ No newline at end of file 
diff --git a/scripts/base/packet-protocols/root/main.zeek b/scripts/base/packet-protocols/root/main.zeek new file mode 100644 index 0000000000..09edcc97b4 --- /dev/null +++ b/scripts/base/packet-protocols/root/main.zeek @@ -0,0 +1,6 @@ +module PacketAnalyzer::ROOT; + +export { + ## Default analyzer (if we don't know the link type, we assume raw IP) + const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef; +} diff --git a/scripts/base/packet-protocols/skip/main.zeek b/scripts/base/packet-protocols/skip/main.zeek index 8ea2a951f4..f18050ce83 100644 --- a/scripts/base/packet-protocols/skip/main.zeek +++ b/scripts/base/packet-protocols/skip/main.zeek @@ -1,10 +1,9 @@ -module PacketAnalyzer::SkipAnalyzer; +module PacketAnalyzer::SKIP; export { + ## Default analyzer + const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef; + ## Bytes to skip. const skip_bytes: count = 0 &redef; } - -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_SKIP, $analyzer=PacketAnalyzer::ANALYZER_IP) -}; diff --git a/src/packet_analysis/Analyzer.cc b/src/packet_analysis/Analyzer.cc index bec54918eb..12b446738f 100644 --- a/src/packet_analysis/Analyzer.cc +++ b/src/packet_analysis/Analyzer.cc @@ -2,6 +2,7 @@ #include "Analyzer.h" +#include "Dict.h" #include "DebugLogger.h" namespace zeek::packet_analysis { 
@@ -26,6 +27,26 @@ void Analyzer::Init(const Tag& _tag)
 tag = _tag;
 }
+void Analyzer::Initialize()
+ {
+ std::string ns = util::fmt("PacketAnalyzer::%s::", GetAnalyzerName());
+
+ default_analyzer = LoadAnalyzer(ns +"default_analyzer");
+ }
+
+zeek::packet_analysis::AnalyzerPtr Analyzer::LoadAnalyzer(const std::string &name)
+ {
+ auto& analyzer = zeek::id::find(name);
+ if ( ! analyzer )
+ return nullptr;
+
+ auto& analyzer_val = analyzer->GetVal();
+ if ( ! analyzer_val )
+ return nullptr;
+
+ return packet_mgr->GetAnalyzer(analyzer_val->AsEnumVal());
+ }
+
 const Tag Analyzer::GetAnalyzerTag() const
 {
 assert(tag);
diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h
index e2ae7e76f4..8331784954 100644
--- a/src/packet_analysis/Analyzer.h
+++ b/src/packet_analysis/Analyzer.h
@@ -37,8 +37,10 @@ public:
 * Initialize the analyzer. This method is called after the configuration
 * was read. Derived classes can override this method to implement custom
 * initialization.
+ * When overriding this methods, always make sure to call the base-class
+ * version to ensure proper initialization.
 */
- virtual void Initialize() { };
+ virtual void Initialize();
 /**
 * Returns the tag associated with the analyzer's type.
@@ -109,6 +111,14 @@ protected:
 */
 AnalyzerPtr Lookup(uint32_t identifier) const;
+ /**
+ * Returns an analyzer based on a script-land definition.
+ *
+ * @param name The script-land identifier for a PacketAnalyzer::Tag value.
+ * @return The defined analyzer if available, else nullptr.
+ */
+ AnalyzerPtr LoadAnalyzer(const std::string& name);
+
 /**
 * Triggers analysis of the encapsulated packet. The encapsulated protocol
 * is determined using the given identifier.
diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.cc b/src/packet_analysis/protocol/ethernet/Ethernet.cc
index cec9d90288..998eb3498f 100644
--- a/src/packet_analysis/protocol/ethernet/Ethernet.cc
+++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc
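Review bot: `LoadAnalyzer` returns `nullptr` silently on both failure paths, and `Initialize()` derives the identifier it looks up from `GetAnalyzerName()`, so any mismatch between the C++ analyzer name and the script module (this commit renames modules such as `PacketAnalyzer::Ethernet` to `PacketAnalyzer::ETHERNET`) leaves `default_analyzer` unset with no diagnostic. A debug line on the not-found branch makes such misconfigurations visible: `DBG_LOG(DBG_PACKET_ANALYSIS, "no script-land definition for %s", name.c_str());` — DebugLogger.h is already included by this file. Minor: `ns +"default_analyzer"` is missing the space after `+`, and the newly added `#include "Dict.h"` has no visible use in the hunk.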
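Review bot: The sentence added to the `Initialize()` doc comment in the Analyzer.h hunk has a grammar slip: `When overriding this methods` should read `When overriding this method`. It would also help to state what the base version does, e.g. `* The base implementation resolves PacketAnalyzer::<analyzer name>::default_analyzer from script-land.`, since that is the reason overriders must call it.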
@@ -13,24 +13,13 @@ EthernetAnalyzer::EthernetAnalyzer()
 void EthernetAnalyzer::Initialize()
 {
+ Analyzer::Initialize();
+
 SNAPAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::snap_analyzer");
 NovellRawAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::novell_raw_analyzer");
 LLCAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::llc_analyzer");
 }
-zeek::packet_analysis::AnalyzerPtr EthernetAnalyzer::LoadAnalyzer(const std::string &name)
- {
- auto& analyzer = zeek::id::find(name);
- if ( ! analyzer )
- return nullptr;
-
- auto& analyzer_val = analyzer->GetVal();
- if ( ! analyzer_val )
- return nullptr;
-
- return packet_mgr->GetAnalyzer(analyzer_val->AsEnumVal());
- }
-
 bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 {
 // Make sure that we actually got an entire ethernet header before trying
diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.h b/src/packet_analysis/protocol/ethernet/Ethernet.h
index eef3741a1f..ea003d27ab 100644
--- a/src/packet_analysis/protocol/ethernet/Ethernet.h
+++ b/src/packet_analysis/protocol/ethernet/Ethernet.h
@@ -24,8 +24,6 @@ private:
 AnalyzerPtr SNAPAnalyzer = nullptr;
 AnalyzerPtr NovellRawAnalyzer = nullptr;
 AnalyzerPtr LLCAnalyzer = nullptr;
-
- AnalyzerPtr LoadAnalyzer(const std::string& name);
 };
 }
diff --git a/src/packet_analysis/protocol/skip/Skip.cc b/src/packet_analysis/protocol/skip/Skip.cc
index 8b8ee4974f..bb2a71330a 100644
--- a/src/packet_analysis/protocol/skip/Skip.cc
+++ b/src/packet_analysis/protocol/skip/Skip.cc
@@ -12,7 +12,9 @@ SkipAnalyzer::SkipAnalyzer()
 void SkipAnalyzer::Initialize()
 {
- auto& skip_val = zeek::id::find_val("PacketAnalyzer::SkipAnalyzer::skip_bytes");
+ Analyzer::Initialize();
+
+ auto& skip_val = zeek::id::find_val("PacketAnalyzer::SKIP::skip_bytes");
 if ( ! skip_val )
 return;
diff --git a/testing/btest/core/skip_analyzer.zeek b/testing/btest/core/skip_analyzer.zeek
index ed0b6d587f..9a152a9d4c 100644
--- a/testing/btest/core/skip_analyzer.zeek
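Review bot: The three `LoadAnalyzer("PacketAnalyzer::Ethernet::...")` calls kept as context in `EthernetAnalyzer::Initialize` still use the old module name, while this commit renames the script module to `PacketAnalyzer::ETHERNET` (ethernet/main.zeek hunk) and updates the Skip analyzer's lookup to `PacketAnalyzer::SKIP::skip_bytes` in the same way. Unless script identifier lookup is case-insensitive, `zeek::id::find` will no longer resolve these names and `SNAPAnalyzer`, `NovellRawAnalyzer` and `LLCAnalyzer` silently stay null. Change them to `LoadAnalyzer("PacketAnalyzer::ETHERNET::snap_analyzer")` and likewise for `novell_raw_analyzer` and `llc_analyzer`.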
+++ b/testing/btest/core/skip_analyzer.zeek @@ -11,4 +11,4 @@ redef PacketAnalyzer::config_map += { PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=1, $analyzer=PacketAnalyzer::ANALYZER_SKIP) }; -redef PacketAnalyzer::SkipAnalyzer::skip_bytes: count = 38; +redef PacketAnalyzer::SKIP::skip_bytes: count = 38; From 7ede4f48bd009a3b8414eef67928019be1e5269c Mon Sep 17 00:00:00 2001 
From: Jan Grashoefer Date: Mon, 7 Sep 2020 20:46:14 +0200 Subject: [PATCH 36/43] Simplify packet analyzer config. --- scripts/base/init-bare.zeek | 28 +++-------- .../base/packet-protocols/ethernet/main.zeek | 26 +++++----- scripts/base/packet-protocols/fddi/main.zeek | 6 --- .../packet-protocols/ieee802_11/main.zeek | 16 +++--- .../ieee802_11_radio/main.zeek | 11 +++-- scripts/base/packet-protocols/ip/main.zeek | 11 +++-- .../base/packet-protocols/linux_sll/main.zeek | 18 ++++--- scripts/base/packet-protocols/nflog/main.zeek | 13 +++-- scripts/base/packet-protocols/null/main.zeek | 24 +++++---- .../packet-protocols/ppp_serial/main.zeek | 18 +++++-- scripts/base/packet-protocols/pppoe/main.zeek | 11 +++-- scripts/base/packet-protocols/root/main.zeek | 20 ++++++++ scripts/base/packet-protocols/vlan/main.zeek | 21 +++++--- src/DebugLogger.h | 38 +++++++------- src/packet_analysis/Analyzer.cc | 41 ++++++++++------ src/packet_analysis/Analyzer.h | 24 ++++----- src/packet_analysis/Manager.cc | 49 ++----------------- .../protocol/ethernet/Ethernet.cc | 6 +-- .../canonified_loaded_scripts.log | 6 ++- .../canonified_loaded_scripts.log | 6 ++- testing/btest/Baseline/plugins.hooks/output | 17 ++++--- .../plugins.packet-protocol/output_build | 4 +- testing/btest/core/skip_analyzer.zeek | 4 +- .../scripts/PacketDemo/LLCDemo/base/main.zeek | 4 +- .../PacketDemo/RawLayer/base/main.zeek | 16 ++++-- .../packet-protocol-plugin/src/LLCDemo.cc | 2 +- .../packet-protocol-plugin/src/Plugin.cc | 4 +- .../packet-protocol-plugin/src/RawLayer.cc | 2 +- 28 files changed, 233 insertions(+), 213 deletions(-) diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index b89aa00f4c..b7a2b1b80c 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek 
@@ -5340,28 +5340,16 @@ event net_done(t: time) module PacketAnalyzer; -## Defines a mapping for the PacketAnalyzer's configuration tree. This -## maps from a parent analyzer to a child analyzer through a numeric -## identifier. export { - type ConfigEntry : record { - ## The parent analyzer. This analyzer will check for the *identifier* in the - ## packet data to know whether to call the next analyzer. This field is optional. - ## If it is not included, the identifier will attach to the "root" analyzer. The - ## root analyzer uses the link layer identifier provided by the packet source to - ## determine the protocol for the initial packet header. - parent : PacketAnalyzer::Tag; + type DispatchEntry : record { + ## The analyzer to dispatch. + analyzer : PacketAnalyzer::Tag; + }; - ## A numeric identifier, which can be found in the packet data, that denotes the - ## encapsulated protocol. This field is optional. If it is not included, the - ## configured child analyzer will be used as default analyzer. - identifier : count; - - ## The analyzer that corresponds to the above identifier. - analyzer : PacketAnalyzer::Tag; - }; - - const config_map : vector of PacketAnalyzer::ConfigEntry &redef; + ## A packet analyzer may extract a numeric identifier, which can be found in the + ## packet data and denotes the encapsulated protocol. A DispatchMap allows to map + ## the identifier to a child analyzer, which is defined using a DispatchEntry. + type DispatchMap : table[count] of DispatchEntry; } @load base/packet-protocols diff --git a/scripts/base/packet-protocols/ethernet/main.zeek b/scripts/base/packet-protocols/ethernet/main.zeek index 6723556708..6f1c31df90 100644 --- a/scripts/base/packet-protocols/ethernet/main.zeek +++ b/scripts/base/packet-protocols/ethernet/main.zeek 
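Review bot: The new doc comment on `DispatchMap` reads `A DispatchMap allows to map the identifier to a child analyzer`; `allows mapping the identifier to a child analyzer` is the grammatical form. Since `ConfigEntry` and `config_map` are removed outright rather than deprecated, a sentence noting that the per-analyzer `dispatch_map` tables replace the global `config_map` would help script authors migrating existing `redef PacketAnalyzer::config_map` blocks.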
@@ -10,19 +10,19 @@ export { const novell_raw_analyzer: PacketAnalyzer::Tag &redef; ## IEEE 802.2 LLC analyzer const llc_analyzer: PacketAnalyzer::Tag &redef; + + ## Identifier mappings based on EtherType + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; } -const DLT_EN10MB : count = 1; - -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_EN10MB, $analyzer=PacketAnalyzer::ANALYZER_ETHERNET), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8847, $analyzer=PacketAnalyzer::ANALYZER_MPLS), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8035, $analyzer=PacketAnalyzer::ANALYZER_ARP), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x88A8, $analyzer=PacketAnalyzer::ANALYZER_VLAN), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x9100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE), +redef dispatch_map += { + [0x8847] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_MPLS), + [0x0800] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV4), + [0x86DD] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6), + [0x0806] = 
PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP), + [0x8035] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP), + [0x8100] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_VLAN), + [0x88A8] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_VLAN), + [0x9100] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_VLAN), + [0x8864] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_PPPOE) }; diff --git a/scripts/base/packet-protocols/fddi/main.zeek b/scripts/base/packet-protocols/fddi/main.zeek index 30ab05331f..3104682102 100644 --- a/scripts/base/packet-protocols/fddi/main.zeek +++ b/scripts/base/packet-protocols/fddi/main.zeek @@ -4,9 +4,3 @@ export { ## Default analyzer const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef; } - -const DLT_FDDI : count = 10; - -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_FDDI, $analyzer=PacketAnalyzer::ANALYZER_FDDI), -}; diff --git a/scripts/base/packet-protocols/ieee802_11/main.zeek b/scripts/base/packet-protocols/ieee802_11/main.zeek index 292e26b34b..f46f89e377 100644 --- a/scripts/base/packet-protocols/ieee802_11/main.zeek +++ b/scripts/base/packet-protocols/ieee802_11/main.zeek 
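Review bot: The ethernet hunk drops `DLT_EN10MB` and its ROOT registration without adding a replacement, and the fddi, ieee802_11, ieee802_11_radio, linux_sll and nflog hunks in this commit do the same, whereas the null and ppp_serial hunks keep their link-type registration locally via `redef PacketAnalyzer::ROOT::dispatch_map += { [DLT_...] = ... }`. Presumably root/main.zeek (changed by this commit but outside this chunk) now carries the link-type table for the former group; if so, the null and ppp_serial entries should move there too so DLT mappings live in one place, and if not, Ethernet frames (`DLT_EN10MB = 1`) are no longer dispatched at all.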
@@ -1,11 +1,13 @@ module PacketAnalyzer::IEEE802_11; -const DLT_IEEE802_11 : count = 105; +export { + ## Identifier mappings based on EtherType + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; +} -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_IEEE802_11, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11, $identifier=0x8035, $analyzer=PacketAnalyzer::ANALYZER_ARP) +redef dispatch_map += { + [0x0800] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV4), + [0x86DD] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6), + [0x0806] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP), + [0x8035] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP) }; diff --git a/scripts/base/packet-protocols/ieee802_11_radio/main.zeek b/scripts/base/packet-protocols/ieee802_11_radio/main.zeek index 13c0cbe618..483a80acf0 100644 --- a/scripts/base/packet-protocols/ieee802_11_radio/main.zeek +++ b/scripts/base/packet-protocols/ieee802_11_radio/main.zeek 
@@ -1,9 +1,12 @@ module PacketAnalyzer::IEEE802_11_RADIO; -const DLT_IEEE802_11_RADIO : count = 127; +export { + ## Identifier mappings + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; +} + const DLT_IEEE802_11 : count = 105; -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_IEEE802_11_RADIO, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11_RADIO), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IEEE802_11_RADIO, $identifier=DLT_IEEE802_11, $analyzer=PacketAnalyzer::ANALYZER_IEEE802_11) +redef dispatch_map += { + [DLT_IEEE802_11] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IEEE802_11) }; diff --git a/scripts/base/packet-protocols/ip/main.zeek b/scripts/base/packet-protocols/ip/main.zeek index c7884db588..feb5fde73b 100644 --- a/scripts/base/packet-protocols/ip/main.zeek +++ b/scripts/base/packet-protocols/ip/main.zeek @@ -1,6 +1,11 @@ module PacketAnalyzer::IP; -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=4, $analyzer=PacketAnalyzer::ANALYZER_IPV4), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=6, $analyzer=PacketAnalyzer::ANALYZER_IPV6) +export { + ## Identifier mappings based on IP version (4 or 6) + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; +} + +redef dispatch_map += { + [4] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV4), + [6] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6) }; diff --git a/scripts/base/packet-protocols/linux_sll/main.zeek b/scripts/base/packet-protocols/linux_sll/main.zeek index ce693f6625..995c972ae6 100644 --- a/scripts/base/packet-protocols/linux_sll/main.zeek +++ b/scripts/base/packet-protocols/linux_sll/main.zeek 
@@ -1,12 +1,14 @@ -module PacketAnalyzer::LINUX_SLL; +module PacketAnalyzer::LINUXSLL; -const DLT_LINUX_SLL : count = 113; +export { + ## Identifier mappings based on EtherType + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; +} -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_LINUX_SLL, $analyzer=PacketAnalyzer::ANALYZER_LINUXSLL), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP), +redef dispatch_map += { + [0x0800] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV4), + [0x86DD] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6), + [0x0806] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP), # RARP - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_LINUXSLL, $identifier=0x8035, $analyzer=PacketAnalyzer::ANALYZER_ARP) + [0x8035] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP) }; diff --git a/scripts/base/packet-protocols/nflog/main.zeek b/scripts/base/packet-protocols/nflog/main.zeek index d5da9f47c8..cecc0d466b 100644 --- a/scripts/base/packet-protocols/nflog/main.zeek +++ b/scripts/base/packet-protocols/nflog/main.zeek 
@@ -1,11 +1,14 @@ module PacketAnalyzer::NFLOG; -const DLT_NFLOG : count = 239; +export { + ## Identifier mappings + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; +} + const AF_INET : count = 2; const AF_INET6 : count = 10; -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_NFLOG, $analyzer=PacketAnalyzer::ANALYZER_NFLOG), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NFLOG, $identifier=AF_INET, $analyzer=PacketAnalyzer::ANALYZER_IPV4), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NFLOG, $identifier=AF_INET6, $analyzer=PacketAnalyzer::ANALYZER_IPV6) +redef dispatch_map += { + [AF_INET] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV4), + [AF_INET6] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6) }; diff --git a/scripts/base/packet-protocols/null/main.zeek b/scripts/base/packet-protocols/null/main.zeek index 35a4258f04..e1aff33dcd 100644 --- a/scripts/base/packet-protocols/null/main.zeek +++ b/scripts/base/packet-protocols/null/main.zeek 
@@ -1,19 +1,25 @@ module PacketAnalyzer::NULL; -const DLT_NULL : count = 0; -const AF_INET : count = 2; -const AF_INET6 : count = 10; +export { + ## Identifier mappings + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; +} -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_NULL, $analyzer=PacketAnalyzer::ANALYZER_NULL), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NULL, $identifier=AF_INET, $analyzer=PacketAnalyzer::ANALYZER_IPV4), +const DLT_NULL : count = 0; + +redef PacketAnalyzer::ROOT::dispatch_map += { + [DLT_NULL] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_NULL) +}; + +redef dispatch_map += { + [2] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV4), ## From the Wireshark Wiki: AF_INET6ANALYZER, unfortunately, has different values in ## {NetBSD,OpenBSD,BSD/OS}, {FreeBSD,DragonFlyBSD}, and {Darwin/Mac OS X}, so an IPv6 ## packet might have a link-layer header with 24, 28, or 30 as the AF_ value. As we ## may be reading traces captured on platforms other than what we're running on, we ## accept them all here. - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NULL, $identifier=24, $analyzer=PacketAnalyzer::ANALYZER_IPV6), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NULL, $identifier=28, $analyzer=PacketAnalyzer::ANALYZER_IPV6), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_NULL, $identifier=30, $analyzer=PacketAnalyzer::ANALYZER_IPV6) + [24] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6), + [28] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6), + [30] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6) }; diff --git a/scripts/base/packet-protocols/ppp_serial/main.zeek b/scripts/base/packet-protocols/ppp_serial/main.zeek index 75d97706fe..4c2ba042c0 100644 
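Review bot: The new entry `[2] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV4)` drops the `AF_INET` name that the removed line defined and that the nflog hunk still uses, leaving a bare magic number next to the 24/28/30 entries that at least carry a comment; keeping `const AF_INET : count = 2;` and writing `[AF_INET] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV4),` keeps this file consistent with nflog. The adjacent doc comment reads "AF_INET6ANALYZER", which looks like a search-and-replace artifact for "AF_INET6"; it is a context line here, but worth correcting while the file is being touched. Separately, this module and ppp_serial (next hunk) register their own link type into `PacketAnalyzer::ROOT::dispatch_map`, whereas root/main.zeek registers the ethernet, fddi, 802.11, linux_sll and nflog link types centrally; picking one place for DLT registration would make it clear where a new link type belongs.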
--- a/scripts/base/packet-protocols/ppp_serial/main.zeek +++ b/scripts/base/packet-protocols/ppp_serial/main.zeek @@ -1,10 +1,18 @@ module PacketAnalyzer::PPP_SERIAL; +export { + ## Identifier mappings + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; +} + const DLT_PPP_SERIAL : count = 50; -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_PPP_SERIAL, $analyzer=PacketAnalyzer::ANALYZER_PPPSERIAL), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0281, $analyzer=PacketAnalyzer::ANALYZER_MPLS), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0021, $analyzer=PacketAnalyzer::ANALYZER_IPV4), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPSERIAL, $identifier=0x0057, $analyzer=PacketAnalyzer::ANALYZER_IPV6) +redef PacketAnalyzer::ROOT::dispatch_map += { + [DLT_PPP_SERIAL] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_PPPSERIAL) +}; + +redef dispatch_map += { + [0x0281] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_MPLS), + [0x0021] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV4), + [0x0057] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6) }; diff --git a/scripts/base/packet-protocols/pppoe/main.zeek b/scripts/base/packet-protocols/pppoe/main.zeek index 425b857f2c..f8e8f76d44 100644 --- a/scripts/base/packet-protocols/pppoe/main.zeek +++ b/scripts/base/packet-protocols/pppoe/main.zeek 
@@ -1,6 +1,11 @@ module PacketAnalyzer::PPPOE; -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPOE, $identifier=0x0021, $analyzer=PacketAnalyzer::ANALYZER_IPV4), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_PPPOE, $identifier=0x0057, $analyzer=PacketAnalyzer::ANALYZER_IPV6) +export { + ## Identifier mappings + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; +} + +redef dispatch_map += { + [0x0021] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV4), + [0x0057] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6) }; diff --git a/scripts/base/packet-protocols/root/main.zeek b/scripts/base/packet-protocols/root/main.zeek index 09edcc97b4..a53788804f 100644 --- a/scripts/base/packet-protocols/root/main.zeek +++ b/scripts/base/packet-protocols/root/main.zeek 
@@ -3,4 +3,24 @@ module PacketAnalyzer::ROOT; export { ## Default analyzer (if we don't know the link type, we assume raw IP) const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef; + + ## Identifier mappings based on link type + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; } + +const DLT_EN10MB : count = 1; +const DLT_FDDI : count = 10; +const DLT_IEEE802_11 : count = 105; +const DLT_IEEE802_11_RADIO : count = 127; +const DLT_LINUX_SLL : count = 113; +const DLT_NFLOG : count = 239; + +redef dispatch_map += { + [DLT_EN10MB] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ETHERNET), + [DLT_FDDI] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_FDDI), + [DLT_IEEE802_11] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IEEE802_11), + [DLT_IEEE802_11_RADIO] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IEEE802_11_RADIO), + [DLT_LINUX_SLL] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_LINUXSLL), + [DLT_NFLOG] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_NFLOG) + +}; diff --git a/scripts/base/packet-protocols/vlan/main.zeek b/scripts/base/packet-protocols/vlan/main.zeek index 927f381acf..7f564cfa0d 100644 --- a/scripts/base/packet-protocols/vlan/main.zeek +++ b/scripts/base/packet-protocols/vlan/main.zeek 
@@ -1,11 +1,16 @@ module PacketAnalyzer::VLAN; -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x8847, $analyzer=PacketAnalyzer::ANALYZER_MPLS), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x0800, $analyzer=PacketAnalyzer::ANALYZER_IPV4), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x86DD, $analyzer=PacketAnalyzer::ANALYZER_IPV6), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x0806, $analyzer=PacketAnalyzer::ANALYZER_ARP), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x8035, $analyzer=PacketAnalyzer::ANALYZER_ARP), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x8100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_VLAN, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE) +export { + ## Identifier mappings based on EtherType + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; +} + +redef dispatch_map += { + [0x8847] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_MPLS), + [0x0800] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV4), + [0x86DD] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IPV6), + [0x0806] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP), + [0x8035] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_ARP), + [0x8100] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_VLAN), + [0x8864] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_PPPOE) }; diff --git a/src/DebugLogger.h b/src/DebugLogger.h index 1005c367a6..f7c3a04e55 100644 --- a/src/DebugLogger.h +++ b/src/DebugLogger.h 
@@ -30,26 +30,26 @@ namespace zeek { // an entry to DebugLogger::streams in DebugLogger.cc. enum DebugStream { - DBG_SERIAL, // Serialization - DBG_RULES, // Signature matching - DBG_STRING, // String code - DBG_NOTIFIERS, // Notifiers - DBG_MAINLOOP, // Main IOSource loop - DBG_ANALYZER, // Analyzer framework - DBG_PACKET_ANALYSIS, // Packet analysis - DBG_FILE_ANALYSIS, // File analysis - DBG_TM, // Time-machine packet input via Brocolli - DBG_LOGGING, // Logging streams - DBG_INPUT, // Input streams - DBG_THREADING, // Threading system - DBG_PLUGINS, // Plugin system - DBG_ZEEKYGEN, // Zeekygen - DBG_PKTIO, // Packet sources and dumpers. - DBG_BROKER, // Broker communication - DBG_SCRIPTS, // Script initialization - DBG_SUPERVISOR, // Process supervisor + DBG_SERIAL, // Serialization + DBG_RULES, // Signature matching + DBG_STRING, // String code + DBG_NOTIFIERS, // Notifiers + DBG_MAINLOOP, // Main IOSource loop + DBG_ANALYZER, // Analyzer framework + DBG_PACKET_ANALYSIS, // Packet analysis + DBG_FILE_ANALYSIS, // File analysis + DBG_TM, // Time-machine packet input via Brocolli + DBG_LOGGING, // Logging streams + DBG_INPUT, // Input streams + DBG_THREADING, // Threading system + DBG_PLUGINS, // Plugin system + DBG_ZEEKYGEN, // Zeekygen + DBG_PKTIO, // Packet sources and dumpers. + DBG_BROKER, // Broker communication + DBG_SCRIPTS, // Script initialization + DBG_SUPERVISOR, // Process supervisor - NUM_DBGS // Has to be last + NUM_DBGS // Has to be last }; namespace detail { diff --git a/src/packet_analysis/Analyzer.cc b/src/packet_analysis/Analyzer.cc index 12b446738f..9587423ea2 100644 --- a/src/packet_analysis/Analyzer.cc +++ b/src/packet_analysis/Analyzer.cc 
@@ -29,14 +29,37 @@ void Analyzer::Init(const Tag& _tag) void Analyzer::Initialize() { - std::string ns = util::fmt("PacketAnalyzer::%s::", GetAnalyzerName()); + default_analyzer = LoadAnalyzer("default_analyzer"); - default_analyzer = LoadAnalyzer(ns +"default_analyzer"); + // Create dispatcher based on configuration + auto& mapping_id = zeek::id::find(GetModuleName() + "dispatch_map"); + if ( ! mapping_id ) + return; + + auto mapping_val = mapping_id->GetVal()->AsTableVal(); + auto mapping_tbl = mapping_val->AsTable(); + auto c = mapping_tbl->InitForIteration(); + + zeek::detail::HashKey* k = nullptr; + TableEntryVal* v; + while ( (v = mapping_tbl->NextEntry(k, c)) ) + { + auto key = mapping_val->RecreateIndex(*k); + delete k; + + auto identifier = key->Idx(0)->AsCount(); + auto config_entry_val = v->GetVal()->AsRecordVal(); + + auto mapped_tag = config_entry_val->GetField("analyzer")->AsEnumVal(); + auto mapped_analyzer = packet_mgr->GetAnalyzer(mapped_tag); + + dispatcher.Register(identifier, std::move(mapped_analyzer)); + } } zeek::packet_analysis::AnalyzerPtr Analyzer::LoadAnalyzer(const std::string &name) { - auto& analyzer = zeek::id::find(name); + auto& analyzer = zeek::id::find(GetModuleName() + name); if ( ! analyzer ) return nullptr; @@ -65,16 +88,6 @@ bool Analyzer::IsAnalyzer(const char* name) return packet_mgr->GetComponentName(tag) == name; } -void Analyzer::RegisterAnalyzerMapping(uint32_t identifier, AnalyzerPtr analyzer) - { - dispatcher.Register(identifier, std::move(analyzer)); - } - -void Analyzer::RegisterDefaultAnalyzer(AnalyzerPtr default_analyzer) - { - this->default_analyzer = std::move(default_analyzer); - } - AnalyzerPtr Analyzer::Lookup(uint32_t identifier) const { return dispatcher.Lookup(identifier); 
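Review bot: `dispatcher.Register(identifier, std::move(mapped_analyzer))` runs even when `packet_mgr->GetAnalyzer(mapped_tag)` yields nothing, so a dispatch_map entry naming a tag with no registered component installs a null entry that only surfaces when a packet with that identifier is looked up; the Manager.cc code removed later in this series (the `Mapped analyzer %s not found.` InternalWarning) used to catch exactly this, and a null check with a warning and `continue` before the Register call restores it, assuming GetAnalyzer returns an empty AnalyzerPtr on a miss the way LoadAnalyzer does. The early `return` when `GetModuleName() + "dispatch_map"` is not found is silent, so a script module whose name does not match the analyzer's name (the LINUX_SLL to LINUXSLL rename earlier in this series presumably exists for that reason) leaves an analyzer with an empty dispatcher and no diagnostic; a `DBG_LOG(DBG_PACKET_ANALYSIS, "No dispatch_map found for %s", GetAnalyzerName());` before the return, as DumpDebug already does for its message, would make that visible. Note also that `identifier` comes from `AsCount()` (a 64-bit count) while `Register` and `Lookup` take `uint32_t`, so an oversized script value is silently truncated to a different identifier; a range check or warning there would be cheap.
```cpp
	while ( (v = mapping_tbl->NextEntry(k, c)) )
		{
		// … unchanged: index recreation, identifier and record extraction …
		auto mapped_tag = config_entry_val->GetField("analyzer")->AsEnumVal();
		auto mapped_analyzer = packet_mgr->GetAnalyzer(mapped_tag);
		if ( ! mapped_analyzer )
			{
			reporter->InternalWarning("Mapped analyzer for identifier %llu not found.",
			                          static_cast<unsigned long long>(identifier));
			continue;
			}

		dispatcher.Register(identifier, std::move(mapped_analyzer));
		}
```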
@@ -114,7 +127,7 @@ bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet) co void Analyzer::DumpDebug() const { #ifdef DEBUG - DBG_LOG(DBG_PACKET_ANALYSIS, "Debug info for %s", this->GetAnalyzerName()); + DBG_LOG(DBG_PACKET_ANALYSIS, "Dispatcher for %s", this->GetAnalyzerName()); dispatcher.DumpDebug(); #endif } diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h index 8331784954..241787135e 100644 --- a/src/packet_analysis/Analyzer.h +++ b/src/packet_analysis/Analyzer.h @@ -63,21 +63,6 @@ public: */ bool IsAnalyzer(const char* name); - /** - * Registers an analyzer to be dispatched for the given identifier. - * - * @param identifier The identifier an analyzer should be called for. - * @param analyzer The analyzer that should be called. - */ - void RegisterAnalyzerMapping(uint32_t identifier, AnalyzerPtr analyzer); - - /** - * Registers a default analyzer. - * - * @param default_analyzer The analyzer to use as default. - */ - void RegisterDefaultAnalyzer(AnalyzerPtr default_analyzer); - /** * Analyzes the given packet. A common case is that the analyzed protocol * encapsulates another protocol, which can be determined by an identifier @@ -119,6 +104,15 @@ protected: */ AnalyzerPtr LoadAnalyzer(const std::string& name); + /** + * Returns the module name corresponding to the analyzer, i.e. its script-land + * namespace. Configuration values for the analyzer are expected in this module. + * @return Analyzer's module name. + */ + std::string GetModuleName() const { + return util::fmt("PacketAnalyzer::%s::", GetAnalyzerName()); + }; + /** * Triggers analysis of the encapsulated packet. The encapsulated protocol * is determined using the given identifier. diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc index 5a7251d8ad..62574e7f8f 100644 --- a/src/packet_analysis/Manager.cc +++ b/src/packet_analysis/Manager.cc 
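Review bot: The new inline `GetModuleName()` in Analyzer.h ends with `};`, a stray empty declaration after the member-function body, and puts the opening brace on the signature line, while every other definition in these files (Initialize, LoadAnalyzer, DumpDebug) uses the indented brace-on-its-own-line style; `std::string GetModuleName() const` followed by `{ return util::fmt("PacketAnalyzer::%s::", GetAnalyzerName()); }` on its own indented lines, without the trailing semicolon, would match. Its doc comment should also state that the result carries the trailing `::`, since LoadAnalyzer and Initialize concatenate a bare identifier directly onto it: `@return The analyzer's script-land module prefix including the trailing "::", e.g. "PacketAnalyzer::ETHERNET::".` Whether util::fmt's `%s` matches the type GetAnalyzerName() returns is not visible in this hunk.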
@@ -21,48 +21,6 @@ void Manager::InitPostScript() analyzers.emplace(analyzerComponent->Name(), newAnalyzer); } - // Read in analyzer map and create dispatchers - auto& analyzer_mapping = zeek::id::find("PacketAnalyzer::config_map"); - if ( ! analyzer_mapping ) - return; - - auto mapping_val = analyzer_mapping->GetVal()->AsVectorVal(); - if ( mapping_val->Size() == 0 ) - return; - - for ( unsigned int i = 0; i < mapping_val->Size(); i++ ) - { - auto* rv = mapping_val->At(i)->AsRecordVal(); - //TODO: Make that field a string for usability reasons - //TODO: Check error handling when fields are omitted - auto& parent_val = rv->GetField("parent"); - std::string parent_name = Lookup(parent_val->AsEnumVal())->Name(); - auto& identifier_val = rv->GetField("identifier"); - auto analyzer_tag = rv->GetField("analyzer")->AsEnumVal(); - auto analyzer_name = Lookup(analyzer_tag)->Name(); - - auto analyzer_it = analyzers.find(analyzer_name); - if ( analyzer_it == analyzers.end() ) - { - reporter->InternalWarning("Mapped analyzer %s not found.", analyzer_name.c_str()); - continue; - } - auto& analyzer = analyzer_it->second; - - auto parent_analyzer_it = analyzers.find(parent_name); - if ( parent_analyzer_it == analyzers.end() ) - { - reporter->InternalWarning("Parent analyzer %s not found.", parent_name.c_str()); - continue; - } - auto& parent_analyzer = parent_analyzer_it->second; - - if ( identifier_val ) - parent_analyzer->RegisterAnalyzerMapping(identifier_val->AsCount(), analyzer); - else - parent_analyzer->RegisterDefaultAnalyzer(analyzer); - } - // Initialize all analyzers for ( auto& [name, analyzer] : analyzers ) analyzer->Initialize(); 
@@ -79,12 +37,11 @@ void Manager::DumpDebug() #ifdef DEBUG DBG_LOG(DBG_PACKET_ANALYSIS, "Available packet analyzers after zeek_init():"); for ( auto& current : GetComponents() ) - { DBG_LOG(DBG_PACKET_ANALYSIS, " %s", current->Name().c_str()); - } - DBG_LOG(DBG_PACKET_ANALYSIS, "Root dispatcher:"); - root_analyzer->DumpDebug(); + DBG_LOG(DBG_PACKET_ANALYSIS, "Packet analyzer debug information:"); + for ( auto& [name, analyzer] : analyzers ) + analyzer->DumpDebug(); #endif } diff --git a/src/packet_analysis/protocol/ethernet/Ethernet.cc b/src/packet_analysis/protocol/ethernet/Ethernet.cc index 998eb3498f..68dd5b935f 100644 --- a/src/packet_analysis/protocol/ethernet/Ethernet.cc +++ b/src/packet_analysis/protocol/ethernet/Ethernet.cc @@ -15,9 +15,9 @@ void EthernetAnalyzer::Initialize() { Analyzer::Initialize(); - SNAPAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::snap_analyzer"); - NovellRawAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::novell_raw_analyzer"); - LLCAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::llc_analyzer"); + SNAPAnalyzer = LoadAnalyzer("snap_analyzer"); + NovellRawAnalyzer = LoadAnalyzer("novell_raw_analyzer"); + LLCAnalyzer = LoadAnalyzer("llc_analyzer"); } bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 23a92ba95e..8af64df840 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2020-09-01-11-19-11 +#open 2020-09-08-08-14-03 #fields name #types string scripts/base/init-bare.zeek 
@@ -20,6 +20,8 @@ scripts/base/init-bare.zeek build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek build/scripts/base/bif/event.bif.zeek scripts/base/packet-protocols/__load__.zeek + scripts/base/packet-protocols/root/__load__.zeek + scripts/base/packet-protocols/root/main.zeek scripts/base/packet-protocols/ip/__load__.zeek scripts/base/packet-protocols/ip/main.zeek scripts/base/packet-protocols/skip/__load__.zeek @@ -214,4 +216,4 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek scripts/policy/misc/loaded-scripts.zeek scripts/base/utils/paths.zeek -#close 2020-09-01-11-19-11 +#close 2020-09-08-08-14-03 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index f45aefe579..c38a701e86 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2020-09-22-17-11-19 +#open 2020-09-22-17-14-48 #fields name #types string scripts/base/init-bare.zeek @@ -20,6 +20,8 @@ scripts/base/init-bare.zeek build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek build/scripts/base/bif/event.bif.zeek scripts/base/packet-protocols/__load__.zeek + scripts/base/packet-protocols/root/__load__.zeek + scripts/base/packet-protocols/root/main.zeek scripts/base/packet-protocols/ip/__load__.zeek scripts/base/packet-protocols/ip/main.zeek scripts/base/packet-protocols/skip/__load__.zeek @@ -410,4 +412,4 @@ scripts/base/init-default.zeek scripts/base/misc/find-filtered-trace.zeek scripts/base/misc/version.zeek scripts/policy/misc/loaded-scripts.zeek -#close 2020-09-22-17-11-19 +#close 2020-09-22-17-14-48 
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index d6524ea28e..1dec4d4ae8 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -283,7 +283,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794881.771065, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> 
@@ -464,7 +464,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794881.771065, node=zeek, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -894,6 +894,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/reporter) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/reporter.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/rfb) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/root) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/signatures) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/sip) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/site.zeek) -> -1 
@@ -1227,7 +1228,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1600794881.771065, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) @@ -1408,7 +1409,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1600794881.771065, node=zeek, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1838,6 +1839,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/reporter) 0.000000 MetaHookPre LoadFile(0, base<...>/reporter.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/rfb) +0.000000 MetaHookPre LoadFile(0, base<...>/root) 0.000000 MetaHookPre LoadFile(0, base<...>/signatures) 0.000000 MetaHookPre LoadFile(0, base<...>/sip) 0.000000 MetaHookPre LoadFile(0, base<...>/site.zeek) @@ -2170,7 +2172,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1600794881.771065, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) 
@@ -2351,7 +2353,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1600794881.771065, node=zeek, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2793,6 +2795,7 @@ 0.000000 | HookLoadFile base<...>/reporter 0.000000 | HookLoadFile base<...>/reporter.bif.zeek 0.000000 | HookLoadFile base<...>/rfb +0.000000 | HookLoadFile base<...>/root 0.000000 | HookLoadFile base<...>/signatures 0.000000 | HookLoadFile base<...>/sip 0.000000 | HookLoadFile base<...>/site.zeek @@ -2825,7 +2828,7 @@ 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLoadFile base<...>/zeek.bif.zeek 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1600794881.771065, node=zeek, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent filter_change_tracking() 0.000000 | HookQueueEvent zeek_init() diff --git a/testing/btest/Baseline/plugins.packet-protocol/output_build b/testing/btest/Baseline/plugins.packet-protocol/output_build index 9762ab88f0..a5aa53185b 100644 --- a/testing/btest/Baseline/plugins.packet-protocol/output_build +++ b/testing/btest/Baseline/plugins.packet-protocol/output_build 
@@ -1,6 +1,6 @@ PacketDemo::Bar - Demo packet analyzers (RawLayer, LLC). (dynamic, version 1.0.0) - [Packet Analyzer] LLCDemo (ANALYZER_LLCDEMO) - [Packet Analyzer] RawLayer (ANALYZER_RAWLAYER) + [Packet Analyzer] LLC_Demo (ANALYZER_LLC_DEMO) + [Packet Analyzer] Raw_Layer (ANALYZER_RAW_LAYER) [Event] raw_layer_message [Event] llc_demo_message diff --git a/testing/btest/core/skip_analyzer.zeek b/testing/btest/core/skip_analyzer.zeek index 9a152a9d4c..62652d0373 100644 --- a/testing/btest/core/skip_analyzer.zeek +++ b/testing/btest/core/skip_analyzer.zeek @@ -7,8 +7,8 @@ @load base/protocols/conn @load base/frameworks/tunnels -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=1, $analyzer=PacketAnalyzer::ANALYZER_SKIP) +redef PacketAnalyzer::ROOT::dispatch_map += { + [1] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_SKIP) }; redef PacketAnalyzer::SKIP::skip_bytes: count = 38; diff --git a/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/LLCDemo/base/main.zeek b/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/LLCDemo/base/main.zeek index 46f5dba9f7..6269c4ff99 100644 --- a/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/LLCDemo/base/main.zeek +++ b/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/LLCDemo/base/main.zeek @@ -1,3 +1,3 @@ -module Packet_LLC_Demo; +module PacketAnalyzer::LLC_DEMO; -redef PacketAnalyzer::Ethernet::llc_analyzer = PacketAnalyzer::ANALYZER_LLCDEMO; \ No newline at end of file +redef PacketAnalyzer::ETHERNET::llc_analyzer = PacketAnalyzer::ANALYZER_LLC_DEMO; \ No newline at end of file diff --git a/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/RawLayer/base/main.zeek b/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/RawLayer/base/main.zeek index b8c567836a..be32149e59 100644 
--- a/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/RawLayer/base/main.zeek +++ b/testing/btest/plugins/packet-protocol-plugin/scripts/PacketDemo/RawLayer/base/main.zeek @@ -1,6 +1,14 @@ -module Packet_Raw_Layer; +module PacketAnalyzer::RAW_LAYER; -redef PacketAnalyzer::config_map += { - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x88B5, $analyzer=PacketAnalyzer::ANALYZER_RAWLAYER), - PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_RAWLAYER, $identifier=0x4950, $analyzer=PacketAnalyzer::ANALYZER_IP) +export { + ## Identifier mapping + const dispatch_map: PacketAnalyzer::DispatchMap = {} &redef; +} + +redef PacketAnalyzer::ETHERNET::dispatch_map += { + [0x88B5] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_RAW_LAYER) +}; + +redef dispatch_map += { + [0x4950] = PacketAnalyzer::DispatchEntry($analyzer=PacketAnalyzer::ANALYZER_IP) }; diff --git a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc index 391a2811f9..f8bc8be53f 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc +++ b/testing/btest/plugins/packet-protocol-plugin/src/LLCDemo.cc @@ -6,7 +6,7 @@ using namespace zeek::packet_analysis::PacketDemo; LLCDemo::LLCDemo() - : zeek::packet_analysis::Analyzer("LLCDemo") + : zeek::packet_analysis::Analyzer("LLC_Demo") { } diff --git a/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc b/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc index 55a814a150..af88a438fa 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc +++ b/testing/btest/plugins/packet-protocol-plugin/src/Plugin.cc 
@@ -10,9 +10,9 @@ class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() { - AddComponent(new zeek::packet_analysis::Component("RawLayer", + AddComponent(new zeek::packet_analysis::Component("Raw_Layer", zeek::packet_analysis::PacketDemo::RawLayer::Instantiate)); - AddComponent(new zeek::packet_analysis::Component("LLCDemo", + AddComponent(new zeek::packet_analysis::Component("LLC_Demo", zeek::packet_analysis::PacketDemo::LLCDemo::Instantiate)); zeek::plugin::Configuration config; diff --git a/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc b/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc index 800879b2bc..a1bb9af237 100644 --- a/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc +++ b/testing/btest/plugins/packet-protocol-plugin/src/RawLayer.cc @@ -6,7 +6,7 @@ using namespace zeek::packet_analysis::PacketDemo; RawLayer::RawLayer() - : zeek::packet_analysis::Analyzer("RawLayer") + : zeek::packet_analysis::Analyzer("Raw_Layer") { } From 62562504d550208bf1db06a6049746749409dc0d Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Wed, 9 Sep 2020 23:59:29 +0000 Subject: [PATCH 37/43] Minor cleanup --- src/Sessions.h | 1 - src/packet_analysis/protocol/root/Root.cc | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/src/Sessions.h b/src/Sessions.h index 277e637ae7..991eeacd5a 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -24,7 +24,6 @@ using ConnID [[deprecated("Remove in v4.1. Use zeek::ConnID.")]] = zeek::ConnID; ZEEK_FORWARD_DECLARE_NAMESPACED(Discarder, zeek::detail); ZEEK_FORWARD_DECLARE_NAMESPACED(SteppingStoneManager, zeek, analyzer::stepping_stone); -ZEEK_FORWARD_DECLARE_NAMESPACED(ARP_Analyzer, zeek, analyzer::arp); namespace zeek { diff --git a/src/packet_analysis/protocol/root/Root.cc b/src/packet_analysis/protocol/root/Root.cc index aae58e8054..21ad3eec7e 100644 --- a/src/packet_analysis/protocol/root/Root.cc +++ b/src/packet_analysis/protocol/root/Root.cc 
@@ -12,5 +12,5 @@ RootAnalyzer::RootAnalyzer()
 
 bool RootAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 {
- reporter->InternalError("AnalysisPacket() was called for the root analyzer.");
- }
\ No newline at end of file
+ reporter->InternalError("AnalyzePacket() was called for the root analyzer.");
+ }
From 8d834a1d89c723c1a20097dbbe1572e55c886230 Mon Sep 17 00:00:00 2001
From: Jan Grashoefer
Date: Tue, 22 Sep 2020 15:07:41 +0200
Subject: [PATCH 38/43] Packet analysis cleanup.

---
 src/Sessions.cc | 2 +-
 src/analyzer/protocol/vxlan/VXLAN.cc | 2 +-
 src/iosource/Packet.cc | 2 +-
 src/iosource/Packet.h | 45 ++++++-------------
 src/iosource/PktSrc.cc | 2 +-
 src/packet_analysis/Manager.cc | 4 +-
 .../protocol/linux_sll/LinuxSLL.cc | 3 +-
 7 files changed, 21 insertions(+), 39 deletions(-)

diff --git a/src/Sessions.cc b/src/Sessions.cc
index 7dd33362a9..418e154a9e 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -802,7 +802,7 @@ void NetSessions::DoNextInnerPacket(double t, const Packet* pkt,
 Packet p;
 p.Init(link_type, &ts, caplen, len, data, false, "");
 
- if ( p.Layer2Valid() && (p.l3_proto == L3_IPV4 || p.l3_proto == L3_IPV6) )
+ if ( p.l2_valid && (p.l3_proto == L3_IPV4 || p.l3_proto == L3_IPV6) )
 {
 auto inner = p.IP();
 DoNextPacket(t, &p, &inner, outer);
diff --git a/src/analyzer/protocol/vxlan/VXLAN.cc b/src/analyzer/protocol/vxlan/VXLAN.cc
index 7fde0ce5ef..a28fe45798 100644
--- a/src/analyzer/protocol/vxlan/VXLAN.cc
+++ b/src/analyzer/protocol/vxlan/VXLAN.cc
@@ -65,7 +65,7 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 ts.tv_usec = (suseconds_t) ((run_state::current_timestamp - (double)ts.tv_sec) * 1000000);
 Packet pkt(DLT_EN10MB, &ts, caplen, len, data);
 
- if ( ! pkt.Layer2Valid() )
+ if ( ! pkt.l2_valid )
 {
 ProtocolViolation("VXLAN invalid inner ethernet frame",
 (const char*) data, len);
diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc
index 3d530fea3b..d8e985d153 100644
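Review bot: `RootAnalyzer::AnalyzePacket` is declared `bool` but its body ends right after the `reporter->InternalError(...)` call with no return statement. That is only well-formed if `InternalError` is declared `[[noreturn]]`, which this hunk cannot show; otherwise control falls off the end of a non-void function, which is undefined behaviour and a `-Wreturn-type` warning. Adding `return false;` after the call makes the intent explicit at no cost either way. The unused `len`, `data` and `packet` parameters could also be left unnamed to keep `-Wunused-parameter` quiet.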
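Review bot: In `NetSessions::DoNextInnerPacket` the new `p.l2_valid` test follows `p.Init(...)` directly with nothing in between that hands `p` to the packet analysis manager, and the `VXLAN_Analyzer::DeliverPacket` hunk in this patch has the same shape (`Packet pkt(...)` immediately followed by `if ( ! pkt.l2_valid )`). Under the contract this patch documents in Packet.h — valid by assumption on initialization, cleared only when the manager's analysis fails — both checks read the initial value unless `Init` or the constructor runs layer-2 analysis itself, which these hunks do not show; the VXLAN `! pkt.l2_valid` branch would then be unreachable and the inner-packet `l3_proto` test would depend on a field no analyzer has set. If in-tunnel packets are meant to go through the analyzer chain, the manager call belongs between construction and the check; if those fields are populated elsewhere, a one-line comment naming where would spare the next reader this question. Both enclosing functions continue outside their hunks.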
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
@@ -78,7 +78,7 @@ void Packet::Weird(const char* name)
 sessions->Weird(name, this);
 }
 
-IntrusivePtr Packet::ToRawPktHdrVal() const
+RecordValPtr Packet::ToRawPktHdrVal() const
 {
 static auto raw_pkt_hdr_type = id::find_type("raw_pkt_hdr");
 static auto l2_hdr_type = id::find_type("l2_hdr");
diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h
index fe1968038f..ecb98ad7ea 100644
--- a/src/iosource/Packet.h
+++ b/src/iosource/Packet.h
@@ -116,23 +116,6 @@ public:
 uint32_t len, const u_char *data, bool copy = false,
 std::string tag = std::string(""));
 
- /**
- * Returns true if parsing the layer 2 fields failed, including when
- * no data was passed into the constructor in the first place.
- */
- bool Layer2Valid() const
- {
- return l2_valid;
- }
-
- /**
- * Signals that the processing of layer 2 failed.
- */
- void InvalidateLayer2()
- {
- l2_valid = false;
- }
-
 /**
 * Interprets the Layer 3 of the packet as IP and returns a
 * corresponding object.
@@ -169,46 +152,47 @@ public:
 uint32_t cap_len; /// Captured packet length
 uint32_t link_type; /// pcap link_type (DLT_EN10MB, DLT_RAW, etc)
 
+ // True if L2 processing succeeded. If data is set on initialization of
+ // the packet, L2 is assumed to be valid. The packet manager will then
+ // process the packet and set l2_valid to False if the analysis failed.
+ bool l2_valid;
+
 // These are computed from Layer 2 data. These fields are only valid if
- // Layer2Valid() returns true.
+ // l2_valid returns true.
 
 /**
- * Layer 2 header size. Valid iff Layer2Valid() returns true.
+ * Layer 2 header size. Valid iff l2_valid is true.
 */
 uint32_t hdr_size;
 
 /**
- * Layer 3 protocol identified (if any). Valid iff Layer2Valid()
- * returns true.
+ * Layer 3 protocol identified (if any). Valid iff l2_valid is true.
 */
 Layer3Proto l3_proto;
 
 /**
 * If layer 2 is Ethernet, innermost ethertype field. Valid iff
- * Layer2Valid() returns true.
+ * l2_valid is true.
 */
 uint32_t eth_type;
 
 /**
- * Layer 2 source address. Valid iff Layer2Valid() returns true.
+ * Layer 2 source address. Valid iff l2_valid is true.
 */
 const u_char* l2_src;
 
 /**
- * Layer 2 destination address. Valid iff Layer2Valid() returns
- * true.
+ * Layer 2 destination address. Valid iff l2_valid is true.
 */
 const u_char* l2_dst;
 
 /**
- * (Outermost) VLAN tag if any, else 0. Valid iff Layer2Valid()
- * returns true.
+ * (Outermost) VLAN tag if any, else 0. Valid iff l2_valid is true.
 */
 uint32_t vlan;
 
 /**
- * (Innermost) VLAN tag if any, else 0. Valid iff Layer2Valid()
- * returns true.
+ * (Innermost) VLAN tag if any, else 0. Valid iff l2_valid is true.
 */
 uint32_t inner_vlan;
 
@@ -245,9 +229,6 @@ private:
 // True if we need to delete associated packet memory upon
 // destruction.
 bool copy;
-
- // True if L2 processing succeeded.
- bool l2_valid;
 };
 
 } // namespace zeek
diff --git a/src/iosource/PktSrc.cc b/src/iosource/PktSrc.cc
index 519c6da81e..38fb51cefb 100644
--- a/src/iosource/PktSrc.cc
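Review bot: The reworded comment `// l2_valid returns true.` still describes the removed accessor; `l2_valid` is now a plain `bool` member, so `// l2_valid is true.` matches the per-field comments below it. Making `l2_valid` a public writable member also means any analyzer or session code can set it, while the new comment above it says the packet manager is what clears it; stating that ownership explicitly, e.g. `// Only the packet analysis manager should write this flag.`, or keeping a const accessor, would preserve what `Layer2Valid()`/`InvalidateLayer2()` used to express. The field is declared here without an initializer; whether `Packet::Init` sets it is not visible in this hunk and is worth confirming, since the comment treats it as true from initialization onward.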
+++ b/src/iosource/PktSrc.cc
@@ -189,7 +189,7 @@ void PktSrc::Process()
 if ( ! ExtractNextPacketInternal() )
 return;
 
- if ( current_packet.Layer2Valid() )
+ if ( current_packet.l2_valid )
 {
 if ( run_state::pseudo_realtime )
 {
diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc
index 62574e7f8f..4229bfb33a 100644
--- a/src/packet_analysis/Manager.cc
+++ b/src/packet_analysis/Manager.cc
@@ -70,8 +70,8 @@ void Manager::ProcessPacket(Packet* packet)
 DBG_LOG(DBG_PACKET_ANALYSIS, "Analyzing packet %ld, ts=%.3f...", ++counter, packet->time);
 #endif
 // Start packet analysis
- if ( ! root_analyzer->ForwardPacket(packet->cap_len, packet->data, packet, packet->link_type) )
- packet->InvalidateLayer2();
+ packet->l2_valid = root_analyzer->ForwardPacket(packet->cap_len, packet->data,
+ packet, packet->link_type);
 }
 
 AnalyzerPtr Manager::InstantiateAnalyzer(const Tag& tag)
diff --git a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc
index c924b7233d..9f3dd25787 100644
--- a/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc
+++ b/src/packet_analysis/protocol/linux_sll/LinuxSLL.cc
@@ -18,7 +18,8 @@ bool LinuxSLLAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
 return false;
 }
 
- //TODO: Handle different ARPHRD_types
+ // Note: We assume to see an Ethertype and don't consider different ARPHRD_types
+ // (see https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html)
 auto hdr = (const SLLHeader*)data;
 uint32_t protocol = ntohs(hdr->protocol_type);
 
From 6a0bd6375660a2ac25ff00d61dddf1a5099bb589 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Tue, 22 Sep 2020 14:22:05 -0700
Subject: [PATCH 39/43] Fix Sessions::DoNextPacket to ignore ARP packets and not report weirds for them

---
 src/Sessions.cc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/Sessions.cc b/src/Sessions.cc
index 418e154a9e..64b110e8ee 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
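Review bot: The new comment in `LinuxSLLAnalyzer::AnalyzePacket` records the assumption, but the code below it still dispatches `hdr->protocol_type` as an Ethertype unconditionally; per the linked LINKTYPE_LINUX_SLL description that field is only an Ethertype for some ARPHRD_ values (for others it carries a GRE or Netlink protocol number), so a capture with a different header type would be handed to the wrong child analyzer rather than rejected. Reading the header's ARPHRD type field (not shown in this hunk) and returning `false`, or raising a weird, when it is not a type whose protocol field is an Ethertype would turn the assumption into a guard; `ARPHRD_ETHER` from net/if_arp.h covers the common case. The wording `We assume to see an Ethertype` reads better as `We assume the protocol field holds an Ethertype`. `AnalyzePacket` starts before and continues after this hunk.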
@@ -174,7 +174,9 @@ void NetSessions::NextPacket(double t, const Packet* pkt)
 DoNextPacket(t, pkt, &ip_hdr, nullptr);
 }
 
- else
+ // Check that it wasn't set to L3_ARP here, or there's a bunch of extra weirds
+ // that get reported.
+ else if ( pkt->l3_proto != L3_ARP)
 {
 Weird("unknown_packet_type", pkt);
 return;
From 1658b8dc847ae7ce8fea1b041c1383bb2ac5aee0 Mon Sep 17 00:00:00 2001
From: Jan Grashoefer
Date: Wed, 23 Sep 2020 15:46:11 +0200
Subject: [PATCH 40/43] Fix handling of session analysis.

This reverts commit 0e51be18ac59d7a176f18780f1f8df85561449b9.
---
 src/Sessions.cc | 6 ++----
 src/iosource/Packet.cc | 3 +++
 src/iosource/Packet.h | 4 ++--
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/Sessions.cc b/src/Sessions.cc
index 64b110e8ee..79725bff5d 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -174,9 +174,7 @@ void NetSessions::NextPacket(double t, const Packet* pkt)
 DoNextPacket(t, pkt, &ip_hdr, nullptr);
 }
 
- // Check that it wasn't set to L3_ARP here, or there's a bunch of extra weirds
- // that get reported.
- else if ( pkt->l3_proto != L3_ARP)
+ else
 {
 Weird("unknown_packet_type", pkt);
 return;
@@ -340,7 +338,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 // last if present.
 if ( ip_hdr->LastHeader() == IPPROTO_MOBILITY )
 {
- dump_this_packet = true;
+ pkt->dump_packet = true;
 
 if ( ! ignore_checksums && mobility_header_checksum(ip_hdr) != 0xffff )
 {
diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc
index d8e985d153..152723f866 100644
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
@@ -45,6 +45,9 @@ void Packet::Init(int arg_link_type, pkt_timeval *arg_ts, uint32_t arg_caplen,
 else
 data = arg_data;
 
+ session_analysis = false;
+ dump_packet = false;
+
 time = ts.tv_sec + double(ts.tv_usec) / 1e6;
 hdr_size = 0;
 eth_type = 0;
diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h
index ecb98ad7ea..8d4e5ba60d 100644
--- a/src/iosource/Packet.h
+++ b/src/iosource/Packet.h
@@ -212,12 +212,12 @@ public:
 * Indicates whether the packet should be processed by zeek's
 * session analysis in NetSessions.
 */
- bool session_analysis = false;
+ bool session_analysis;
 
 /**
 * Indicates whether this packet should be recorded.
 */
- mutable bool dump_packet = false;
+ mutable bool dump_packet;
 
 // Wrapper to generate a packet-level weird. Has to be public for packet analyzers to use it.
 void Weird(const char* name);
From bfe31f1c589ce510453123b516d0089b6d31d631 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Wed, 23 Sep 2020 08:51:36 -0700
Subject: [PATCH 41/43] Update hashes for external testing repos

---
 testing/external/commit-hash.zeek-testing | 2 +-
 testing/external/commit-hash.zeek-testing-private | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing
index 1ad188ee12..05520f90d5 100644
--- a/testing/external/commit-hash.zeek-testing
+++ b/testing/external/commit-hash.zeek-testing
@@ -1 +1 @@
-fecd17b3e3d886fccc9277b1394e84499649fc53
+4f492329f46bd3fb2992b09ce4c299b1f7237d45
diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private
index 24b4e069ff..271a66b118 100644
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@@ -1 +1 @@
-418c0cdd93a298eaa7c02bc8b7db7037269a2ba4
+d57bbaabc12dad1f56b22b93cf290deae6862020
From c21504deed4e586dc0a9499c08c0671cfb527f41 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Wed, 23 Sep 2020 10:31:42 -0700
Subject: [PATCH 42/43] Fix build on FreeBSD, which was missing full definition of sockaddr for ARP

---
 src/packet_analysis/protocol/arp/ARP.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/packet_analysis/protocol/arp/ARP.h b/src/packet_analysis/protocol/arp/ARP.h
index 710821cb68..c4de038876 100644
--- a/src/packet_analysis/protocol/arp/ARP.h
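Review bot: Dropping the `= false` default member initializers from `session_analysis` and `dump_packet` leaves both indeterminate for any `Packet` that is constructed but never passed through `Packet::Init`, which the Packet.cc hunk in this patch now relies on to set them; Sessions.cc constructs packets as `Packet p;` before calling `Init`, so whether the default constructor itself calls `Init` decides if such a window exists. Keeping the in-class initializers alongside the new assignments in `Init` is harmless and gives a defined value on every construction path, while the reset on reuse of a `Packet` object is already achieved by the Packet.cc change alone. Suggested: leave `bool session_analysis = false;` and `mutable bool dump_packet = false;` as they were.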
+++ b/src/packet_analysis/protocol/arp/ARP.h
@@ -5,6 +5,7 @@
 
 #include
 #include
+#include
 #include
 
 #ifndef arp_pkthdr
From a9d5d083a21720497c1860398e7956903fbe18b3 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Wed, 23 Sep 2020 11:31:42 -0700
Subject: [PATCH 43/43] Update NEWS

---
 NEWS | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/NEWS b/NEWS
index d113a1783e..1a89a2ed9c 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,11 @@ New Functionality
 
 - Added support for EDNS0 Cookie and Keep-Alive options.
 
+- Added new Packet Analysis plugin architecture for parsing packet headers
+ at layers below the existing Session analysis plugins. This allows
+ writing plugins to parse the various parts of a packet header separately,
+ chaining down into other plugins as needed.
+
 Changed Functionality
 ---------------------