mirror of
https://github.com/zeek/zeek.git
synced 2025-10-06 00:28:21 +00:00
Remove unified2 file analyzer
This commit is contained in:
Arne Welzel
parent
b20f2b5b98
commit
8d19fa23ef
24 changed files with 8 additions and 866 deletions
|
|
@ -3,5 +3,4 @@ add_subdirectory(entropy)
|
|||
add_subdirectory(extract)
|
||||
add_subdirectory(hash)
|
||||
add_subdirectory(pe)
|
||||
add_subdirectory(unified2)
|
||||
add_subdirectory(x509)
|
||||
|
|
|
|||
|
|
@ -1,11 +0,0 @@
|
|||
|
||||
include(ZeekPlugin)
|
||||
|
||||
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
|
||||
${CMAKE_CURRENT_BINARY_DIR})
|
||||
|
||||
zeek_plugin_begin(Zeek Unified2)
|
||||
zeek_plugin_cc(Unified2.cc Plugin.cc)
|
||||
zeek_plugin_bif(events.bif types.bif)
|
||||
zeek_plugin_pac(unified2.pac unified2-file.pac unified2-analyzer.pac)
|
||||
zeek_plugin_end()
|
||||
|
|
@ -1,28 +0,0 @@
|
|||
// See the file in the main distribution directory for copyright.
|
||||
|
||||
// See the file "COPYING" in the main distribution directory for copyright.
|
||||
|
||||
#include "zeek/plugin/Plugin.h"
|
||||
|
||||
#include "zeek/file_analysis/Component.h"
|
||||
#include "zeek/file_analysis/analyzer/unified2/Unified2.h"
|
||||
|
||||
namespace zeek::plugin::detail::Zeek_Unified2
|
||||
{
|
||||
|
||||
class Plugin : public zeek::plugin::Plugin
|
||||
{
|
||||
public:
|
||||
zeek::plugin::Configuration Configure() override
|
||||
{
|
||||
AddComponent(new zeek::file_analysis::Component(
|
||||
"UNIFIED2", zeek::file_analysis::detail::Unified2::Instantiate));
|
||||
|
||||
zeek::plugin::Configuration config;
|
||||
config.name = "Zeek::Unified2";
|
||||
config.description = "Analyze Unified2 alert files.";
|
||||
return config;
|
||||
}
|
||||
} plugin;
|
||||
|
||||
} // namespace zeek::plugin::detail::Zeek_Unified2
|
||||
|
|
@ -1,41 +0,0 @@
|
|||
// See the file "COPYING" in the main distribution directory for copyright.
|
||||
|
||||
#include "zeek/file_analysis/analyzer/unified2/Unified2.h"
|
||||
|
||||
#include "zeek/file_analysis/Manager.h"
|
||||
|
||||
namespace zeek::file_analysis::detail
|
||||
{
|
||||
|
||||
Unified2::Unified2(RecordValPtr args, file_analysis::File* file)
|
||||
: file_analysis::Analyzer(file_mgr->GetComponentTag("UNIFIED2"), std::move(args), file)
|
||||
{
|
||||
interp = new binpac::Unified2::Unified2_Analyzer(this);
|
||||
}
|
||||
|
||||
Unified2::~Unified2()
|
||||
{
|
||||
delete interp;
|
||||
}
|
||||
|
||||
file_analysis::Analyzer* Unified2::Instantiate(RecordValPtr args, file_analysis::File* file)
|
||||
{
|
||||
return new Unified2(std::move(args), file);
|
||||
}
|
||||
|
||||
bool Unified2::DeliverStream(const u_char* data, uint64_t len)
|
||||
{
|
||||
try
|
||||
{
|
||||
interp->NewData(true, data, data + len);
|
||||
}
|
||||
catch ( const binpac::Exception& e )
|
||||
{
|
||||
printf("Binpac exception: %s\n", e.c_msg());
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
} // namespace zeek::file_analysis::detail
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
// See the file "COPYING" in the main distribution directory for copyright.
|
||||
|
||||
#pragma once
|
||||
|
||||
#include <string>
|
||||
|
||||
#include "zeek/Val.h"
|
||||
#include "zeek/file_analysis/Analyzer.h"
|
||||
#include "zeek/file_analysis/File.h"
|
||||
|
||||
#include "file_analysis/analyzer/unified2/unified2_pac.h"
|
||||
|
||||
namespace zeek::file_analysis::detail
|
||||
{
|
||||
|
||||
/**
|
||||
* An analyzer to extract content of files from local disk.
|
||||
*/
|
||||
class Unified2 : public file_analysis::Analyzer
|
||||
{
|
||||
public:
|
||||
~Unified2() override;
|
||||
|
||||
bool DeliverStream(const u_char* data, uint64_t len) override;
|
||||
|
||||
static file_analysis::Analyzer* Instantiate(RecordValPtr args, file_analysis::File* file);
|
||||
|
||||
protected:
|
||||
Unified2(RecordValPtr args, file_analysis::File* file);
|
||||
|
||||
private:
|
||||
binpac::Unified2::Unified2_Analyzer* interp;
|
||||
|
||||
string filename;
|
||||
};
|
||||
|
||||
} // namespace zeek::file_analysis::detail
|
||||
|
|
@ -1,17 +0,0 @@
|
|||
|
||||
## Abstract all of the various Unified2 event formats into
|
||||
## a single event.
|
||||
##
|
||||
## f: The file.
|
||||
##
|
||||
## ev: TODO.
|
||||
##
|
||||
event unified2_event%(f: fa_file, ev: Unified2::IDSEvent%);
|
||||
|
||||
## The Unified2 packet format event.
|
||||
##
|
||||
## f: The file.
|
||||
##
|
||||
## pkt: TODO.
|
||||
##
|
||||
event unified2_packet%(f: fa_file, pkt: Unified2::Packet%);
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
type Unified2::IDSEvent: record;
|
||||
type Unified2::Packet: record;
|
||||
|
|
@ -1,173 +0,0 @@
|
|||
|
||||
%extern{
|
||||
#include "zeek/Event.h"
|
||||
#include "zeek/file_analysis/File.h"
|
||||
#include "zeek/IPAddr.h"
|
||||
|
||||
#include "zeek/file_analysis/analyzer/unified2/events.bif.h"
|
||||
#include "zeek/file_analysis/analyzer/unified2/types.bif.h"
|
||||
%}
|
||||
|
||||
%code{
|
||||
zeek::AddrValPtr binpac::Unified2::Flow::unified2_addr_to_zeek_addr(std::vector<uint32_t>* a)
|
||||
{
|
||||
if ( a->size() == 1 )
|
||||
{
|
||||
return zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv4, &(a->at(0)), zeek::IPAddr::Host));
|
||||
}
|
||||
else if ( a->size() == 4 )
|
||||
{
|
||||
uint32 tmp[4] = { a->at(0), a->at(1), a->at(2), a->at(3) };
|
||||
return zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv6, tmp, zeek::IPAddr::Host));
|
||||
}
|
||||
else
|
||||
{
|
||||
// Should never reach here.
|
||||
return zeek::make_intrusive<zeek::AddrVal>(1);
|
||||
}
|
||||
}
|
||||
|
||||
zeek::ValPtr binpac::Unified2::Flow::to_port(uint16_t n, uint8_t p)
|
||||
{
|
||||
TransportProto proto = TRANSPORT_UNKNOWN;
|
||||
switch ( p ) {
|
||||
case 1: proto = TRANSPORT_ICMP; break;
|
||||
case 6: proto = TRANSPORT_TCP; break;
|
||||
case 17: proto = TRANSPORT_UDP; break;
|
||||
}
|
||||
|
||||
return zeek::val_mgr->Port(n, proto);
|
||||
}
|
||||
%}
|
||||
|
||||
refine flow Flow += {
|
||||
|
||||
%member{
|
||||
zeek::AddrValPtr unified2_addr_to_zeek_addr(std::vector<uint32_t>* a);
|
||||
zeek::ValPtr to_port(uint16_t n, uint8_t p);
|
||||
%}
|
||||
|
||||
%init{
|
||||
%}
|
||||
|
||||
%eof{
|
||||
%}
|
||||
|
||||
%cleanup{
|
||||
%}
|
||||
|
||||
function ts_to_double(ts: Time): double
|
||||
%{
|
||||
double t = ${ts.seconds} + (${ts.microseconds} / 1000000);
|
||||
return t;
|
||||
%}
|
||||
|
||||
|
||||
#function proc_record(rec: Record) : bool
|
||||
# %{
|
||||
# return true;
|
||||
# %}
|
||||
|
||||
function proc_ids_event(ev: IDS_Event) : bool
|
||||
%{
|
||||
if ( ::unified2_event )
|
||||
{
|
||||
auto ids_event = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::IDSEvent);
|
||||
ids_event->Assign(0, ${ev.sensor_id});
|
||||
ids_event->Assign(1, ${ev.event_id});
|
||||
ids_event->AssignTime(2, ts_to_double(${ev.ts}));
|
||||
ids_event->Assign(3, ${ev.signature_id});
|
||||
ids_event->Assign(4, ${ev.generator_id});
|
||||
ids_event->Assign(5, ${ev.signature_revision});
|
||||
ids_event->Assign(6, ${ev.classification_id});
|
||||
ids_event->Assign(7, ${ev.priority_id});
|
||||
ids_event->Assign(8, unified2_addr_to_zeek_addr(${ev.src_ip}));
|
||||
ids_event->Assign(9, unified2_addr_to_zeek_addr(${ev.dst_ip}));
|
||||
ids_event->Assign(10, to_port(${ev.src_p}, ${ev.protocol}));
|
||||
ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol}));
|
||||
ids_event->Assign(17, ${ev.packet_action});
|
||||
|
||||
zeek::event_mgr.Enqueue(::unified2_event,
|
||||
connection()->zeek_analyzer()->GetFile()->ToVal(),
|
||||
std::move(ids_event));
|
||||
}
|
||||
return true;
|
||||
%}
|
||||
|
||||
function proc_ids_event_2(ev: IDS_Event_2) : bool
|
||||
%{
|
||||
if ( ::unified2_event )
|
||||
{
|
||||
auto ids_event = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::IDSEvent);
|
||||
ids_event->Assign(0, ${ev.sensor_id});
|
||||
ids_event->Assign(1, ${ev.event_id});
|
||||
ids_event->AssignTime(2, ts_to_double(${ev.ts}));
|
||||
ids_event->Assign(3, ${ev.signature_id});
|
||||
ids_event->Assign(4, ${ev.generator_id});
|
||||
ids_event->Assign(5, ${ev.signature_revision});
|
||||
ids_event->Assign(6, ${ev.classification_id});
|
||||
ids_event->Assign(7, ${ev.priority_id});
|
||||
ids_event->Assign(8, unified2_addr_to_zeek_addr(${ev.src_ip}));
|
||||
ids_event->Assign(9, unified2_addr_to_zeek_addr(${ev.dst_ip}));
|
||||
ids_event->Assign(10, to_port(${ev.src_p}, ${ev.protocol}));
|
||||
ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol}));
|
||||
ids_event->Assign(12, ${ev.impact_flag});
|
||||
ids_event->Assign(13, ${ev.impact});
|
||||
ids_event->Assign(14, ${ev.blocked});
|
||||
ids_event->Assign(15, ${ev.mpls_label});
|
||||
ids_event->Assign(16, ${ev.vlan_id});
|
||||
|
||||
zeek::event_mgr.Enqueue(::unified2_event,
|
||||
connection()->zeek_analyzer()->GetFile()->ToVal(),
|
||||
std::move(ids_event));
|
||||
}
|
||||
|
||||
return true;
|
||||
%}
|
||||
|
||||
function proc_packet(pkt: Packet) : bool
|
||||
%{
|
||||
if ( ::unified2_packet )
|
||||
{
|
||||
auto packet = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::Packet);
|
||||
packet->Assign(0, ${pkt.sensor_id});
|
||||
packet->Assign(1, ${pkt.event_id});
|
||||
packet->Assign(2, ${pkt.event_second});
|
||||
packet->AssignTime(3, ts_to_double(${pkt.packet_ts}));
|
||||
packet->Assign(4, ${pkt.link_type});
|
||||
packet->Assign(5, to_stringval(${pkt.packet_data}));
|
||||
|
||||
zeek::event_mgr.Enqueue(::unified2_packet,
|
||||
connection()->zeek_analyzer()->GetFile()->ToVal(),
|
||||
std::move(packet));
|
||||
}
|
||||
|
||||
return true;
|
||||
%}
|
||||
|
||||
#function proc_unknown_record_type(rec: UnknownRecordType) : bool
|
||||
# %{
|
||||
# printf("unknown packet type\n");
|
||||
# return true;
|
||||
# %}
|
||||
};
|
||||
|
||||
#refine typeattr Record += &let {
|
||||
# proc : bool = $context.flow.proc_record(this);
|
||||
#};
|
||||
|
||||
refine typeattr IDS_Event += &let {
|
||||
proc : bool = $context.flow.proc_ids_event(this);
|
||||
};
|
||||
|
||||
refine typeattr IDS_Event_2 += &let {
|
||||
proc : bool = $context.flow.proc_ids_event_2(this);
|
||||
};
|
||||
|
||||
refine typeattr Packet += &let {
|
||||
proc : bool = $context.flow.proc_packet(this);
|
||||
};
|
||||
|
||||
#refine typeattr UnknownRecordType += &let {
|
||||
# proc : bool = $context.flow.proc_unknown_record_type(this);
|
||||
#};
|
||||
|
|
@ -1,91 +0,0 @@
|
|||
|
||||
enum Types {
|
||||
PACKET = 2,
|
||||
IDS_EVENT = 7,
|
||||
IDS_EVENT_IPV6 = 72,
|
||||
IDS_EVENT_2 = 104,
|
||||
IDS_EVENT_IPV6_2 = 105,
|
||||
EXTRA_DATA = 110,
|
||||
};
|
||||
|
||||
type Time = record {
|
||||
seconds: uint32;
|
||||
microseconds: uint32;
|
||||
} &byteorder=bigendian;
|
||||
|
||||
type Record = record {
|
||||
rtype: uint32;
|
||||
length: uint32;
|
||||
data: case rtype of {
|
||||
PACKET -> packet: Packet(this);
|
||||
IDS_EVENT -> ids_event: IDS_Event(this, 1);
|
||||
IDS_EVENT_IPV6 -> ids_event_ipv6: IDS_Event(this, 4);
|
||||
IDS_EVENT_2 -> ids_event_vlan: IDS_Event_2(this, 1);
|
||||
IDS_EVENT_IPV6_2 -> ids_event_ipv6_vlan: IDS_Event_2(this, 4);
|
||||
#EXTRA_DATA -> extra_data: ExtraData(this);
|
||||
default -> unknown_record_type: UnknownRecordType(this);
|
||||
};
|
||||
} &byteorder=bigendian &length=length+8;
|
||||
|
||||
type IDS_Event(rec: Record, ip_len: int) = record {
|
||||
sensor_id: uint32;
|
||||
event_id: uint32;
|
||||
ts: Time;
|
||||
signature_id: uint32;
|
||||
generator_id: uint32;
|
||||
signature_revision: uint32;
|
||||
classification_id: uint32;
|
||||
priority_id: uint32;
|
||||
src_ip: uint32[ip_len];
|
||||
dst_ip: uint32[ip_len];
|
||||
src_p: uint16;
|
||||
dst_p: uint16;
|
||||
protocol: uint8;
|
||||
packet_action: uint8;
|
||||
} &byteorder=bigendian;
|
||||
|
||||
type IDS_Event_2(rec: Record, ip_len: int) = record {
|
||||
sensor_id: uint32;
|
||||
event_id: uint32;
|
||||
ts: Time;
|
||||
signature_id: uint32;
|
||||
generator_id: uint32;
|
||||
signature_revision: uint32;
|
||||
classification_id: uint32;
|
||||
priority_id: uint32;
|
||||
src_ip: uint32[ip_len];
|
||||
dst_ip: uint32[ip_len];
|
||||
src_p: uint16;
|
||||
dst_p: uint16;
|
||||
protocol: uint8;
|
||||
impact_flag: uint8;
|
||||
impact: uint8;
|
||||
blocked: uint8;
|
||||
mpls_label: uint32;
|
||||
vlan_id: uint16;
|
||||
pad: uint16;
|
||||
} &byteorder=bigendian;
|
||||
|
||||
type Packet(rec: Record) = record {
|
||||
sensor_id: uint32;
|
||||
event_id: uint32;
|
||||
event_second: uint32;
|
||||
packet_ts: Time;
|
||||
link_type: uint32;
|
||||
packet_len: uint32;
|
||||
packet_data: bytestring &length=packet_len;
|
||||
} &byteorder=bigendian;
|
||||
|
||||
type ExtraData(rec: Record) = record {
|
||||
sensor_id: uint32;
|
||||
event_id: uint32;
|
||||
event_second: uint32;
|
||||
extra_type: uint32;
|
||||
data_type: uint32;
|
||||
blob_len: uint32;
|
||||
blob: bytestring &length=blob_len;
|
||||
} &byteorder=bigendian &length=rec.length;
|
||||
|
||||
type UnknownRecordType(rec: Record) = record {
|
||||
data: bytestring &transient &length=rec.length;
|
||||
} &byteorder=bigendian &length=rec.length;
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
|
||||
%include binpac.pac
|
||||
%include zeek.pac
|
||||
|
||||
analyzer Unified2 withcontext {
|
||||
analyzer: Unified2_Analyzer;
|
||||
flow: Flow;
|
||||
};
|
||||
|
||||
analyzer Unified2_Analyzer(zeek_analyzer: ZeekFileAnalyzer) {
|
||||
downflow = Flow;
|
||||
upflow = Flow;
|
||||
};
|
||||
|
||||
%include unified2-file.pac
|
||||
|
||||
flow Flow {
|
||||
flowunit = Record withcontext(connection, this);
|
||||
};
|
||||
|
||||
%include unified2-analyzer.pac
|
||||
Loading…
Add table
Add a link
Reference in a new issue