Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-05 16:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Change to store data in packet directly instead of keystore

Browse source
This commit is contained in:
Tim Wojtulewicz 2020-09-30 17:19:31 -07:00
parent d0ef05c748
commit 7d2c35174f
5 changed files with 36 additions and 59 deletions
Download patch file Download diff file Expand all files Collapse all files

3
src/analyzer/protocol/vxlan/VXLAN.cc
View file

@ -77,7 +77,8 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
ts.tv_sec = (time_t) run_state::current_timestamp; ts.tv_sec = (time_t) run_state::current_timestamp;
ts.tv_usec = (suseconds_t) ((run_state::current_timestamp - (double)ts.tv_sec) * 1000000); ts.tv_usec = (suseconds_t) ((run_state::current_timestamp - (double)ts.tv_sec) * 1000000);
Packet pkt(DLT_EN10MB, &ts, caplen, len, data); Packet pkt(DLT_EN10MB, &ts, caplen, len, data);
pkt.key_store["encap"] = outer; pkt.encap = outer;
packet_mgr->ProcessPacket(&pkt); packet_mgr->ProcessPacket(&pkt);
if ( ! pkt.l2_valid ) if ( ! pkt.l2_valid )

16
src/iosource/Packet.h
View file

@ -15,6 +15,9 @@ typedef struct bpf_timeval pkt_timeval;
typedef struct timeval pkt_timeval; typedef struct timeval pkt_timeval;
#endif #endif
#include "pcap.h" // For DLT_ constants
#include "NetVar.h" // For BifEnum::Tunnel
ZEEK_FORWARD_DECLARE_NAMESPACED(ODesc, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(ODesc, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(Val, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(RecordVal, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(RecordVal, zeek);
@ -214,10 +217,15 @@ public:
*/ */
mutable bool dump_packet; mutable bool dump_packet;
/** // These are fields passed between various packet analyzers. They're best
* Key/value store for use by the packet analyzers to pass information between them. // stored with the packet so they stay available as the packet is passed
*/ // around.
std::map<std::string, std::any> key_store; EncapsulationStack* encap = nullptr;
IP_Hdr* ip_hdr = nullptr;
int proto = -1;
BifEnum::Tunnel::Type tunnel_type = BifEnum::Tunnel::IP;
int gre_version = -1;
int gre_link_type = DLT_RAW;
// Wrapper to generate a packet-level weird. Has to be public for llanalyzers to use it. // Wrapper to generate a packet-level weird. Has to be public for llanalyzers to use it.
void Weird(const char* name, const EncapsulationStack* encap = nullptr); void Weird(const char* name, const EncapsulationStack* encap = nullptr);

26
src/packet_analysis/protocol/gre/GRE.cc
View file

@ -42,24 +42,15 @@ GREAnalyzer::GREAnalyzer()
bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{ {
EncapsulationStack* encapsulation = nullptr; EncapsulationStack* encapsulation = packet->encap;
auto it = packet->key_store.find("encap");
if ( it != packet->key_store.end() )
encapsulation = std::any_cast<EncapsulationStack*>(it->second);
it = packet->key_store.find("ip_hdr"); if ( ! packet->ip_hdr )
if ( it == packet->key_store.end() )
{ {
reporter->InternalError("GREAnalyzer: ip_hdr not found in packet keystore"); reporter->InternalError("GREAnalyzer: ip_hdr not found in packet keystore");
return false; return false;
} }
IP_Hdr* ip_hdr = std::any_cast<IP_Hdr*>(it->second); IP_Hdr* ip_hdr = packet->ip_hdr;
int proto = -1;
it = packet->key_store.find("proto");
if ( it != packet->key_store.end() )
proto = std::any_cast<int>(proto);
if ( ! BifConst::Tunnel::enable_gre ) if ( ! BifConst::Tunnel::enable_gre )
{ {
@ -67,6 +58,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
return false; return false;
} }
int proto = packet->proto;
int gre_link_type = DLT_RAW; int gre_link_type = DLT_RAW;
uint16_t flags_ver = ntohs(*((uint16_t*)(data + 0))); uint16_t flags_ver = ntohs(*((uint16_t*)(data + 0)));
@ -205,12 +197,10 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
// Treat GRE tunnel like IP tunnels, fallthrough to logic below now // Treat GRE tunnel like IP tunnels, fallthrough to logic below now
// that GRE header is stripped and only payload packet remains. // that GRE header is stripped and only payload packet remains.
// The only thing different is the tunnel type enum value to use. // The only thing different is the tunnel type enum value to use.
BifEnum::Tunnel::Type tunnel_type = BifEnum::Tunnel::GRE; packet->tunnel_type = BifEnum::Tunnel::GRE;
packet->gre_version = gre_version;
packet->key_store["tunnel_type"] = tunnel_type; packet->gre_link_type = gre_link_type;
packet->key_store["gre_version"] = gre_version; packet->proto = proto;
packet->key_store["gre_link_type"] = gre_link_type;
packet->key_store["proto"] = proto;
ForwardPacket(len, data, packet); ForwardPacket(len, data, packet);

10
src/packet_analysis/protocol/ip/IP.cc
View file

@ -30,10 +30,7 @@ IPAnalyzer::~IPAnalyzer()
bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{ {
EncapsulationStack* encapsulation = nullptr; EncapsulationStack* encapsulation = packet->encap;
auto it = packet->key_store.find("encap");
if ( it != packet->key_store.end() )
encapsulation = std::any_cast<EncapsulationStack*>(it->second);
// Check to make sure we have enough data left for an IP header to be here. Note we only // Check to make sure we have enough data left for an IP header to be here. Note we only
// check ipv4 here. We'll check ipv6 later once we determine we have an ipv6 header. // check ipv4 here. We'll check ipv6 later once we determine we have an ipv6 header.
@ -53,6 +50,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
auto ip = (const struct ip *)data; auto ip = (const struct ip *)data;
uint32_t protocol = ip->ip_v; uint32_t protocol = ip->ip_v;
// This is a unique pointer because of the mass of early returns from this method.
std::unique_ptr<IP_Hdr> ip_hdr = nullptr; std::unique_ptr<IP_Hdr> ip_hdr = nullptr;
if ( protocol == 4 ) if ( protocol == 4 )
{ {
@ -254,8 +252,8 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
break; break;
default: default:
// The tunnel analyzer needs this data. // The tunnel analyzer needs this data.
packet->key_store["ip_hdr"] = ip_hdr.get(); packet->ip_hdr = ip_hdr.get();
packet->key_store["proto"] = proto; packet->proto = proto;
// For everything else, pass it on to another analyzer. If there's no one to handle that, // For everything else, pass it on to another analyzer. If there's no one to handle that,
// it'll report a Weird. // it'll report a Weird.

40
src/packet_analysis/protocol/iptunnel/IPTunnel.cc
View file

@ -20,39 +20,15 @@ IPTunnelAnalyzer::IPTunnelAnalyzer()
bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{ {
EncapsulationStack* encapsulation = nullptr; EncapsulationStack* encapsulation = packet->encap;
auto it = packet->key_store.find("encap");
if ( it != packet->key_store.end() )
encapsulation = std::any_cast<EncapsulationStack*>(it->second);
it = packet->key_store.find("ip_hdr"); if ( ! packet->ip_hdr )
if ( it == packet->key_store.end() )
{ {
reporter->InternalError("IPTunnelAnalyzer: ip_hdr not found in packet keystore"); reporter->InternalError("IPTunnelAnalyzer: ip_hdr not found in packet keystore");
return false; return false;
} }
IP_Hdr* ip_hdr = std::any_cast<IP_Hdr*>(it->second); IP_Hdr* ip_hdr = packet->ip_hdr;
int proto = -1;
it = packet->key_store.find("proto");
if ( it != packet->key_store.end() )
proto = std::any_cast<int>(it->second);
int gre_version = -1;
it = packet->key_store.find("gre_version");
if ( it != packet->key_store.end() )
gre_version = std::any_cast<int>(it->second);
BifEnum::Tunnel::Type tunnel_type = BifEnum::Tunnel::IP;
it = packet->key_store.find("tunnel_type");
if ( it != packet->key_store.end() )
tunnel_type = std::any_cast<BifEnum::Tunnel::Type>(it->second);
int gre_link_type = DLT_RAW;
it = packet->key_store.find("gre_link_type");
if ( it != packet->key_store.end() )
gre_link_type = std::any_cast<int>(it->second);
if ( ! BifConst::Tunnel::enable_ip ) if ( ! BifConst::Tunnel::enable_ip )
{ {
@ -67,6 +43,11 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
return false; return false;
} }
int proto = packet->proto;
int gre_version = packet->gre_version;
BifEnum::Tunnel::Type tunnel_type = packet->tunnel_type;
int gre_link_type = packet->gre_link_type;
IP_Hdr* inner = nullptr; IP_Hdr* inner = nullptr;
if ( gre_version != 0 ) if ( gre_version != 0 )
@ -154,8 +135,7 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt,
// Construct fake packet for DoNextPacket // Construct fake packet for DoNextPacket
Packet p; Packet p;
p.Init(DLT_RAW, &ts, caplen, len, data, false, ""); p.Init(DLT_RAW, &ts, caplen, len, data, false, "");
p.key_store["encap"] = outer; p.encap = outer;
p.key_store["encap_inner_ip"] = inner;
// Forward the packet back to the IP analyzer. // Forward the packet back to the IP analyzer.
bool return_val = ForwardPacket(len, data, &p); bool return_val = ForwardPacket(len, data, &p);
@ -193,7 +173,7 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt,
// Construct fake packet for DoNextPacket // Construct fake packet for DoNextPacket
Packet p; Packet p;
p.Init(link_type, &ts, caplen, len, data, false, ""); p.Init(link_type, &ts, caplen, len, data, false, "");
p.key_store["encap"] = outer; p.encap = outer;
// Process the packet as if it was a brand new packet by passing it back // Process the packet as if it was a brand new packet by passing it back
// to the packet manager. // to the packet manager.