Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-06 08:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

add Pacf plugin for the internal Bro PacketFilter (not BPF)

Browse source
This commit is contained in:
Johanna Amann 2015-05-12 15:11:41 -07:00
parent ed65fdb6ba
commit 73d22a2dbd
4 changed files with 146 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
scripts/base/frameworks/pacf/plugins/__load__.bro
View file

@ -1,2 +1,3 @@
@load ./debug @load ./debug
@load ./openflow @load ./openflow
@load ./packetfilter

115
scripts/base/frameworks/pacf/plugins/packetfilter.bro Normal file
View file

@ -0,0 +1,115 @@
# PACF plugin for the PacketFilter handling that comes with
# Bro. Since the PacketFilter in Bro is quite limited in scope
# and can only add/remove filters for addresses, this is quite
# limited in scope at the moment.
module Pacf;
export {
## Instantiates the packetfilter plugin.
global create_packetfilter: function() : PluginState;
}
# Check if we can handle this rule. If it specifies ports or
# anything Bro cannot handle, simply ignore it for now.
function packetfilter_check_rule(r: Rule) : bool
{
if ( r$ty != DROP )
return F;
if ( r$target != MONITOR )
return F;
local e = r$entity;
if ( e$ty == ADDRESS )
return T;
if ( e$ty != FLOW ) # everything else requires ports or MAC stuff
return F;
if ( e$flow?$src_p || e$flow?$dst_p || e$flow?$src_m || e$flow?$dst_m )
return F;
return T;
}
function packetfilter_add_rule(p: PluginState, r: Rule) : bool
{
if ( ! packetfilter_check_rule(r) )
return F;
local e = r$entity;
if ( e$ty == ADDRESS )
{
install_src_net_filter(e$ip, 0, 1.0);
install_dst_net_filter(e$ip, 0, 1.0);
return T;
}
if ( e$ty == FLOW )
{
local f = e$flow;
if ( f?$src_h )
install_src_net_filter(f$src_h, 0, 1.0);
if ( f?$dst_h )
install_dst_net_filter(f$dst_h, 0, 1.0);
return T;
}
return F;
}
function packetfilter_remove_rule(p: PluginState, r: Rule) : bool
{
if ( ! packetfilter_check_rule(r) )
return F;
local e = r$entity;
if ( e$ty == ADDRESS )
{
uninstall_src_net_filter(e$ip);
uninstall_dst_net_filter(e$ip);
return T;
}
if ( e$ty == FLOW )
{
local f = e$flow;
if ( f?$src_h )
uninstall_src_net_filter(f$src_h);
if ( f?$dst_h )
uninstall_dst_net_filter(f$dst_h);
return T;
}
return F;
}
function packetfilter_name(p: PluginState) : string
{
return "PACF plugin for the Bro packetfilter";
}
global packetfilter_plugin = Plugin(
$name=packetfilter_name,
$can_expire = F,
# $init = packetfilter_init,
# $done = packetfilter_done,
$add_rule = packetfilter_add_rule,
$remove_rule = packetfilter_remove_rule
# $add_notification = packetfilter_add_notification,
# $remove_notification = packetfilter_remove_notification,
# $transaction_begin = packetfilter_transaction_begin,
# $transaction_end = packetfilter_transaction_end
);
function create_packetfilter() : PluginState
{
local p: PluginState = [$plugin=packetfilter_plugin];
return p;
}

12
testing/btest/Baseline/scripts.base.frameworks.pacf.packetfilter/conn.log Normal file
View file

@ -0,0 +1,12 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2015-05-12-22-11-25
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1254722767.492060 CXWv6p3arKYeMETxOg 10.10.1.4 56166 10.10.1.1 53 udp dns 0.034025 34 100 SF - - 0 Dd 1 62 1 128 (empty)
1254722767.529046 CjhGID4nQcgTWjvg4c 10.10.1.4 1470 74.53.140.153 25 tcp - 0.346950 0 0 S1 - - 0 Sh 1 48 1 48 (empty)
1254722776.690444 CCvvfg3TEfuqmmG4bh 10.10.1.20 138 10.10.1.255 138 udp - - - - S0 - - 0 D 1 229 0 0 (empty)
#close 2015-05-12-22-11-25

18
testing/btest/scripts/base/frameworks/pacf/packetfilter.bro Normal file
View file

@ -0,0 +1,18 @@
# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
# @TEST-EXEC: btest-diff conn.log
@load base/frameworks/pacf
event bro_init()
{
local pacf_packetfilter = Pacf::create_packetfilter();
Pacf::activate(pacf_packetfilter, 0);
}
event connection_established(c: connection)
{
local e = Pacf::Entity($ty=Pacf::ADDRESS, $ip=addr_to_subnet(c$id$orig_h));
local r = Pacf::Rule($ty=Pacf::DROP, $target=Pacf::MONITOR, $entity=e, $expire=10min);
Pacf::add_rule(r);
}