Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/master' into topic/icmp6

Browse source 
Conflicts:
	src/ICMP.cc
	src/net_util.cc
	src/net_util.h
This commit is contained in:
Daniel Thayer 2012-02-20 17:18:55 -06:00
commit 8e32e89ce4
104 changed files with 2152 additions and 1956 deletions
Download patch file Download diff file Expand all files Collapse all files

48
CHANGES
View file

@ -1,4 +1,52 @@
2.0-86 | 2012-02-17 15:41:06 -0800
* Changing ARP detection to always kick in even if no analyzer is
activated. (Robin Sommer)
* DNS name lookups performed by Bro now also query AAAA records.
DNS_Mgr handles combining the results of the A and AAAA queries
for a given hostname such that at the scripting layer, the name
resolution can yield a set with both IPv4 and IPv6 addresses. (Jon
Siwek)
* Add counts_to_addr and addr_to_counts conversion BIFs. (Jon Siwek)
* Change HashKey threshold for using H3 to 36 bytes. (Jon Siwek)
* Remove mention of --enable-brov6 in docs. (Daniel Thayer)
* Remove --enable-brov6 from configure usage text (Daniel Thayer)
* Add a test and baseline for addr_to_ptr_name BiF. (Daniel Thayer)
* Adding a test and baseline for ptr_name_to_addr BiF. (Seth Hall)
* Fix the ptr_name_to_addr BiF to work with IPv6 (Daniel Thayer)
* Fix a memory leak that perftools now complains about. (Jon Siwek)
* Remove --enable-brov6 flag, IPv6 now supported by default. (Jon Siwek)
Some script-layer changes of note:
- dns_AAAA_reply event signature changed: the string representation
of an IPv6 addr is easily derived from the addr value, it doesn't
need to be another parameter. This event also now generated directly
by the DNS analyzer instead of being "faked" into a dns_A_reply event.
- Removed addr_to_count BIF. It used to return the host-order
count representation of IPv4 addresses only. To make it more
generic, we might later add a BIF to return a vector of counts
in order to support IPv6.
- Changed the result of enclosing addr variables in vertical pipes
(e.g. |my_addr|) to return the bit-width of the address type which
is 128 for IPv6 and 32 for IPv4. It used to function the same
way as addr_to_count mentioned above.
- Remove bro_has_ipv6 BIF
2.0-57 | 2012-02-10 00:02:35 -0800
* Fix typos in the documentation. (Daniel Thayer)

15
NEWS
View file

@ -5,6 +5,20 @@ Release Notes
This document summarizes the most important changes in the current Bro
release. For a complete list of changes, see the ``CHANGES`` file.
Bro 2.1
-------
- Bro now supports IPv6 out of the box; the configure switch
--enable-brov6 is gone.
- DNS name lookups performed by Bro now also query AAAA records. The
results of the A and AAAA queries for a given hostname are combined
such that at the scripting layer, the name resolution can yield a
set with both IPv4 and IPv6 addresses.
TODO: Extend.
Bro 2.0
-------
@ -61,4 +75,3 @@ final release are:

2
VERSION
View file

@ -1 +1 @@
2.0-57
2.0-86

3
config.h.in
View file

@ -1,6 +1,3 @@
/* enable IPV6 processing */
#cmakedefine BROv6
/* Old libpcap versions (< 0.6.1) need defining pcap_freecode and
pcap_compile_nopcap */
#cmakedefine DONT_HAVE_LIBPCAP_PCAP_FREECODE

5
configure vendored
View file

@ -27,7 +27,6 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
Optional Features:
--enable-debug compile in debugging mode
--enable-brov6 enable IPv6 processing
--enable-perftools use Google's perftools
--disable-broccoli don't build or install the Broccoli library
--disable-broctl don't install Broctl
@ -92,7 +91,6 @@ append_cache_entry BRO_ROOT_DIR PATH /usr/local/bro
append_cache_entry PY_MOD_INSTALL_DIR PATH /usr/local/bro/lib/broctl
append_cache_entry BRO_SCRIPT_INSTALL_PATH STRING /usr/local/bro/share/bro
append_cache_entry ENABLE_DEBUG BOOL false
append_cache_entry BROv6 BOOL false
append_cache_entry ENABLE_PERFTOOLS BOOL false
append_cache_entry BinPAC_SKIP_INSTALL BOOL true
append_cache_entry BUILD_SHARED_LIBS BOOL true
@ -134,9 +132,6 @@ while [ $# -ne 0 ]; do
--enable-debug)
append_cache_entry ENABLE_DEBUG BOOL true
;;
--enable-brov6)
append_cache_entry BROv6 BOOL true
;;
--enable-perftools)
append_cache_entry ENABLE_PERFTOOLS BOOL true
;;

4
doc/scripts/builtins.rst
View file

@ -156,9 +156,7 @@ The Bro scripting language supports the following built-in types.
.. bro:type:: addr
A type representing an IP address. Currently, Bro defaults to only
supporting IPv4 addresses unless configured/built with
``--enable-brov6``, in which case, IPv6 addresses are supported.
A type representing an IP address.
IPv4 address constants are written in "dotted quad" format,
``A1.A2.A3.A4``, where Ai all lie between 0 and 255.

51
scripts/base/frameworks/packet-filter/main.bro
View file

@ -16,7 +16,7 @@ export {
redef enum Notice::Type += {
## This notice is generated if a packet filter is unable to be compiled.
Compile_Failure,
## This notice is generated if a packet filter is fails to install.
Install_Failure,
};
@ -26,18 +26,18 @@ export {
type Info: record {
## The time at which the packet filter installation attempt was made.
ts: time &log;
## This is a string representation of the node that applied this
## packet filter. It's mostly useful in the context of dynamically
## changing filters on clusters.
node: string &log &optional;
## The packet filter that is being set.
filter: string &log;
## Indicate if this is the filter set during initialization.
init: bool &log &default=F;
## Indicate if the filter was applied successfully.
success: bool &log &default=T;
};
@ -48,16 +48,16 @@ export {
## The latter used to be default for Bro versions < 2.0. That has now
## changed however to enable port-independent protocol analysis.
const all_packets = T &redef;
## Filter string which is unconditionally or'ed to the beginning of every
## Filter string which is unconditionally or'ed to the beginning of every
## dynamically built filter.
const unrestricted_filter = "" &redef;
## Call this function to build and install a new dynamically built
## packet filter.
global install: function();
## This is where the default packet filter is stored and it should not
## This is where the default packet filter is stored and it should not
## normally be modified by users.
global default_filter = "<not set yet>";
}
@ -85,35 +85,26 @@ function build_default_filter(): string
return cmd_line_bpf_filter;
if ( all_packets )
{
# Return an "always true" filter.
if ( bro_has_ipv6() )
return "ip or not ip";
else
return "not ip6";
}
return "ip or not ip";
# Build filter dynamically.
# First the capture_filter.
local cfilter = "";
for ( id in capture_filters )
cfilter = combine_filters(cfilter, capture_filters[id], "or");
# Then the restrict_filter.
local rfilter = "";
for ( id in restrict_filters )
rfilter = combine_filters(rfilter, restrict_filters[id], "and");
# Finally, join them into one filter.
local filter = combine_filters(rfilter, cfilter, "and");
if ( unrestricted_filter != "" )
filter = combine_filters(unrestricted_filter, filter, "or");
# Exclude IPv6 if we don't support it.
if ( ! bro_has_ipv6() )
filter = combine_filters(filter, "not ip6", "and");
return filter;
}
@ -123,32 +114,32 @@ function install()
if ( ! precompile_pcap_filter(DefaultPcapFilter, default_filter) )
{
NOTICE([$note=Compile_Failure,
NOTICE([$note=Compile_Failure,
$msg=fmt("Compiling packet filter failed"),
$sub=default_filter]);
Reporter::fatal(fmt("Bad pcap filter '%s'", default_filter));
}
# Do an audit log for the packet filter.
local info: Info;
info$ts = network_time();
# If network_time() is 0.0 we're at init time so use the wall clock.
if ( info$ts == 0.0 )
if ( info$ts == 0.0 )
{
info$ts = current_time();
info$init = T;
}
info$filter = default_filter;
if ( ! install_pcap_filter(DefaultPcapFilter) )
{
# Installing the filter failed for some reason.
info$success = F;
NOTICE([$note=Install_Failure,
NOTICE([$note=Install_Failure,
$msg=fmt("Installing packet filter failed"),
$sub=default_filter]);
}
if ( reading_live_traffic() || reading_traces() )
Log::write(PacketFilter::LOG, info);
}

9
scripts/base/protocols/dns/main.bro
View file

@ -261,10 +261,13 @@ event dns_TXT_reply(c: connection, msg: dns_msg, ans: dns_answer, str: string) &
event DNS::do_reply(c, msg, ans, str);
}
event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr,
astr: string) &priority=5
event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=5
{
event DNS::do_reply(c, msg, ans, fmt("%s", a));
}
event dns_A6_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=5
{
# TODO: What should we do with astr?
event DNS::do_reply(c, msg, ans, fmt("%s", a));
}

2
src/ARP.cc
View file

@ -17,7 +17,7 @@ ARP_Analyzer::~ARP_Analyzer()
{
}
bool ARP_Analyzer::IsARP(const u_char* pkt, int hdr_size) const
bool ARP_Analyzer::IsARP(const u_char* pkt, int hdr_size)
{
unsigned short network_protocol =
*(unsigned short*) (pkt + hdr_size - 2);

7
src/ARP.h
View file

@ -31,9 +31,6 @@ public:
ARP_Analyzer();
virtual ~ARP_Analyzer();
// Whether a packet is of interest for ARP analysis.
bool IsARP(const u_char* pkt, int hdr_size) const;
void NextPacket(double t, const struct pcap_pkthdr* hdr,
const u_char* const pkt, int hdr_size);
@ -41,6 +38,10 @@ public:
void RREvent(EventHandlerPtr e, const u_char* src, const u_char* dst,
const char* spa, const char* sha,
const char* tpa, const char* tha);
// Whether a packet is of interest for ARP analysis.
static bool IsARP(const u_char* pkt, int hdr_size);
protected:
AddrVal* ConstructAddrVal(const void* addr);
StringVal* EthAddrToStr(const u_char* addr);

4
src/Anon.cc
View file

@ -153,7 +153,9 @@ void AnonymizeIPAddr_A50::init()
int AnonymizeIPAddr_A50::PreservePrefix(ipaddr32_t input, int num_bits)
{
DEBUG_MSG("%s/%d\n", dotted_addr(input), num_bits);
DEBUG_MSG("%s/%d\n",
IPAddr(IPAddr::IPv4, &input, IPAddr::Network).AsString().c_str(),
num_bits);
if ( ! before_anonymization )
{

1
src/CMakeLists.txt
View file

@ -331,6 +331,7 @@ set(bro_SRCS
IntSet.cc
InterConn.cc
IOSource.cc
IPAddr.cc
IRC.cc
List.cc
Reporter.cc

90
src/CompHash.cc
View file

@ -107,40 +107,28 @@ char* CompositeHash::SingleValHash(int type_check, char* kp0,
case TYPE_INTERNAL_ADDR:
{
// Use uint32 instead of int, because 'int' is not
// guaranteed to be 32-bit.
uint32* kp = AlignAndPadType<uint32>(kp0);
#ifdef BROv6
const addr_type av = v->AsAddr();
kp[0] = av[0];
kp[1] = av[1];
kp[2] = av[2];
kp[3] = av[3];
uint32 bytes[4];
v->AsAddr().CopyIPv6(bytes);
kp[0] = bytes[0];
kp[1] = bytes[1];
kp[2] = bytes[2];
kp[3] = bytes[3];
kp1 = reinterpret_cast<char*>(kp+4);
#else
*kp = v->AsAddr();
kp1 = reinterpret_cast<char*>(kp+1);
#endif
}
break;
case TYPE_INTERNAL_SUBNET:
{
uint32* kp = AlignAndPadType<uint32>(kp0);
#ifdef BROv6
const subnet_type* sv = v->AsSubNet();
kp[0] = sv->net[0];
kp[1] = sv->net[1];
kp[2] = sv->net[2];
kp[3] = sv->net[3];
kp[4] = sv->width;
uint32 bytes[4];
v->AsSubNet().Prefix().CopyIPv6(bytes);
kp[0] = bytes[0];
kp[1] = bytes[1];
kp[2] = bytes[2];
kp[3] = bytes[3];
kp[4] = v->AsSubNet().Length();
kp1 = reinterpret_cast<char*>(kp+5);
#else
const subnet_type* sv = v->AsSubNet();
kp[0] = sv->net;
kp[1] = sv->width;
kp1 = reinterpret_cast<char*>(kp+2);
#endif
}
break;
@ -358,26 +346,25 @@ HashKey* CompositeHash::ComputeSingletonHash(const Val* v, int type_check) const
if ( type_check && v->Type()->InternalType() != singleton_tag )
return 0;
uint32 tmp_addr;
switch ( singleton_tag ) {
case TYPE_INTERNAL_INT:
case TYPE_INTERNAL_UNSIGNED:
return new HashKey(v->ForceAsInt());
case TYPE_INTERNAL_ADDR:
#ifdef BROv6
return new HashKey(v->AsAddr(), 4);
#else
return new HashKey(v->AsAddr());
#endif
{
uint32 bytes[4];
v->AsAddr().CopyIPv6(bytes);
return new HashKey((void*)bytes, 4 * sizeof(uint32));
}
case TYPE_INTERNAL_SUBNET:
#ifdef BROv6
return new HashKey((const uint32*) v->AsSubNet(), 5);
#else
return new HashKey((const uint32*) v->AsSubNet(), 2);
#endif
{
uint32 bytes[5];
v->AsSubNet().Prefix().CopyIPv6(bytes);
bytes[4] = v->AsSubNet().Length();
return new HashKey((void*)bytes, 5 * sizeof(uint32));
}
case TYPE_INTERNAL_DOUBLE:
return new HashKey(v->InternalDouble());
@ -425,22 +412,13 @@ int CompositeHash::SingleTypeKeySize(BroType* bt, const Val* v,
break;
case TYPE_INTERNAL_ADDR:
#ifdef BROv6
sz = SizeAlign(sz, sizeof(uint32));
sz += sizeof(uint32) * 3; // to make a total of 4 words
#else
sz = SizeAlign(sz, sizeof(uint32));
#endif
break;
case TYPE_INTERNAL_SUBNET:
#ifdef BROv6
sz = SizeAlign(sz, sizeof(uint32));
sz += sizeof(uint32) * 4; // to make a total of 5 words
#else
sz = SizeAlign(sz, sizeof(uint32));
sz += sizeof(uint32); // make room for width
#endif
break;
case TYPE_INTERNAL_DOUBLE:
@ -748,16 +726,13 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
case TYPE_INTERNAL_ADDR:
{
const uint32* const kp = AlignType<uint32>(kp0);
#ifdef BROv6
const_addr_type addr_val = kp;
kp1 = reinterpret_cast<const char*>(kp+4);
#else
const_addr_type addr_val = *kp;
kp1 = reinterpret_cast<const char*>(kp+1);
#endif
IPAddr addr(IPAddr::IPv6, kp, IPAddr::Network);
switch ( tag ) {
case TYPE_ADDR:
pval = new AddrVal(addr_val);
pval = new AddrVal(addr);
break;
default:
@ -770,12 +745,9 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
case TYPE_INTERNAL_SUBNET:
{
const subnet_type* const kp =
reinterpret_cast<const subnet_type*>(
AlignType<uint32>(kp0));
kp1 = reinterpret_cast<const char*>(kp+1);
pval = new SubNetVal(kp->net, kp->width);
const uint32* const kp = AlignType<uint32>(kp0);
kp1 = reinterpret_cast<const char*>(kp+5);
pval = new SubNetVal(kp, kp[4]);
}
break;

40
src/Conn.cc
View file

@ -24,15 +24,15 @@ HashKey* ConnID::BuildConnKey() const
if ( is_one_way ||
addr_port_canon_lt(src_addr, src_port, dst_addr, dst_port) )
{
copy_addr(src_addr, key.ip1);
copy_addr(dst_addr, key.ip2);
src_addr.CopyIPv6(key.ip1);
dst_addr.CopyIPv6(key.ip2);
key.port1 = src_port;
key.port2 = dst_port;
}
else
{
copy_addr(dst_addr, key.ip1);
copy_addr(src_addr, key.ip2);
dst_addr.CopyIPv6(key.ip1);
src_addr.CopyIPv6(key.ip2);
key.port1 = dst_port;
key.port2 = src_port;
}
@ -143,8 +143,8 @@ Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id)
key = k;
start_time = last_time = t;
copy_addr(id->src_addr, orig_addr);
copy_addr(id->dst_addr, resp_addr);
orig_addr = id->src_addr;
resp_addr = id->dst_addr;
orig_port = id->src_port;
resp_port = id->dst_port;
proto = TRANSPORT_UNKNOWN;
@ -521,7 +521,7 @@ Val* Connection::BuildVersionVal(const char* s, int len)
return sw;
}
int Connection::VersionFoundEvent(const uint32* addr, const char* s, int len,
int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len,
Analyzer* analyzer)
{
if ( ! software_version_found && ! software_parse_error )
@ -559,7 +559,7 @@ int Connection::VersionFoundEvent(const uint32* addr, const char* s, int len,
return 1;
}
int Connection::UnparsedVersionFoundEvent(const uint32* addr,
int Connection::UnparsedVersionFoundEvent(const IPAddr& addr,
const char* full, int len, Analyzer* analyzer)
{
// Skip leading white space.
@ -693,10 +693,9 @@ TimerMgr* Connection::GetTimerMgr() const
void Connection::FlipRoles()
{
uint32 tmp_addr[NUM_ADDR_WORDS];
copy_addr(resp_addr, tmp_addr);
copy_addr(orig_addr, resp_addr);
copy_addr(tmp_addr, orig_addr);
IPAddr tmp_addr = resp_addr;
orig_addr = resp_addr;
resp_addr = tmp_addr;
uint32 tmp_port = resp_port;
resp_port = orig_port;
@ -752,14 +751,14 @@ void Connection::Describe(ODesc* d) const
}
d->SP();
d->Add(dotted_addr(orig_addr));
d->Add(orig_addr);
d->Add(":");
d->Add(ntohs(orig_port));
d->SP();
d->AddSP("->");
d->Add(dotted_addr(resp_addr));
d->Add(resp_addr);
d->Add(":");
d->Add(ntohs(resp_port));
@ -782,9 +781,8 @@ bool Connection::DoSerialize(SerialInfo* info) const
// First we write the members which are needed to
// create the HashKey.
for ( int j = 0; j < NUM_ADDR_WORDS; ++j )
if ( ! SERIALIZE(orig_addr[j]) || ! SERIALIZE(resp_addr[j]) )
return false;
if ( ! SERIALIZE(orig_addr) || ! SERIALIZE(resp_addr) )
return false;
if ( ! SERIALIZE(orig_port) || ! SERIALIZE(resp_port) )
return false;
@ -830,14 +828,14 @@ bool Connection::DoUnserialize(UnserialInfo* info)
// Build the hash key first. Some of the recursive *::Unserialize()
// functions may need it.
for ( int i = 0; i < NUM_ADDR_WORDS; ++i )
if ( ! UNSERIALIZE(&orig_addr[i]) || ! UNSERIALIZE(&resp_addr[i]) )
goto error;
ConnID id;
if ( ! UNSERIALIZE(&orig_addr) || ! UNSERIALIZE(&resp_addr) )
goto error;
if ( ! UNSERIALIZE(&orig_port) || ! UNSERIALIZE(&resp_port) )
goto error;
ConnID id;
id.src_addr = orig_addr;
id.dst_addr = resp_addr;
// This doesn't work for ICMP. But I guess this is not really important.

33
src/Conn.h
View file

@ -12,6 +12,7 @@
#include "PersistenceSerializer.h"
#include "RuleMatcher.h"
#include "AnalyzerTags.h"
#include "IPAddr.h"
class Connection;
class ConnectionTimer;
@ -32,8 +33,8 @@ typedef enum {
typedef void (Connection::*timer_func)(double t);
struct ConnID {
const uint32* src_addr;
const uint32* dst_addr;
IPAddr src_addr;
IPAddr dst_addr;
uint32 src_port;
uint32 dst_port;
bool is_one_way; // if true, don't canonicalize
@ -49,17 +50,20 @@ struct ConnID {
// The structure used internally for hashing.
struct Key {
uint32 ip1[NUM_ADDR_WORDS];
uint32 ip2[NUM_ADDR_WORDS];
uint32 ip1[4];
uint32 ip2[4];
uint16 port1;
uint16 port2;
};
};
static inline int addr_port_canon_lt(const uint32* a1, uint32 p1,
const uint32* a2, uint32 p2)
static inline int addr_port_canon_lt(const IPAddr& addr1, uint32 p1,
const IPAddr& addr2, uint32 p2)
{
#ifdef BROv6
uint32 a1[4];
uint32 a2[4];
addr1.CopyIPv6(a1);
addr2.CopyIPv6(a2);
// Because it's a canonical ordering, not a strict ordering,
// we can choose to give more weight to the least significant
// word than to the most significant word. This matters
@ -75,9 +79,6 @@ static inline int addr_port_canon_lt(const uint32* a1, uint32 p1,
(a1[0] < a2[0] ||
(a1[0] == a2[0] &&
p1 < p2)))))));
#else
return *a1 < *a2 || (*a1 == *a2 && p1 < p2);
#endif
}
class Analyzer;
@ -119,8 +120,8 @@ public:
double LastTime() const { return last_time; }
void SetLastTime(double t) { last_time = t; }
const uint32* OrigAddr() const { return orig_addr; }
const uint32* RespAddr() const { return resp_addr; }
const IPAddr& OrigAddr() const { return orig_addr; }
const IPAddr& RespAddr() const { return resp_addr; }
uint32 OrigPort() const { return orig_port; }
uint32 RespPort() const { return resp_port; }
@ -185,11 +186,11 @@ public:
// Raises a software_version_found event based on the
// given string (returns false if it's not parseable).
int VersionFoundEvent(const uint32* addr, const char* s, int len,
int VersionFoundEvent(const IPAddr& addr, const char* s, int len,
Analyzer* analyzer = 0);
// Raises a software_unparsed_version_found event.
int UnparsedVersionFoundEvent(const uint32* addr,
int UnparsedVersionFoundEvent(const IPAddr& addr,
const char* full_descr, int len, Analyzer* analyzer);
void Event(EventHandlerPtr f, Analyzer* analyzer, const char* name = 0);
@ -325,8 +326,8 @@ protected:
TimerMgr::Tag* conn_timer_mgr;
timer_list timers;
uint32 orig_addr[NUM_ADDR_WORDS]; // in network order
uint32 resp_addr[NUM_ADDR_WORDS]; // in network order
IPAddr orig_addr;
IPAddr resp_addr;
uint32 orig_port, resp_port; // in network order
TransportProto proto;
double start_time, last_time;

43
src/ConnCompressor.cc
View file

@ -235,7 +235,8 @@ Connection* ConnCompressor::NextPacket(double t, HashKey* key, const IP_Hdr* ip,
tc = FirstFromOrig(t, key, ip, tp);
}
else if ( addr_eq(ip->SrcAddr(), SrcAddr(pending)) &&
else if ( ip->SrcAddr() ==
IPAddr(IPAddr::IPv6, SrcAddr(pending), IPAddr::Network) &&
tp->th_sport == SrcPort(pending) )
// Another packet from originator.
tc = NextFromOrig(pending, t, key, ip, tp);
@ -507,8 +508,8 @@ Connection* ConnCompressor::Instantiate(HashKey* key, PendingConn* pending)
{
// Instantantiate a Connection.
ConnID conn_id;
conn_id.src_addr = SrcAddr(pending);
conn_id.dst_addr = DstAddr(pending);
conn_id.src_addr = IPAddr(IPAddr::IPv6, SrcAddr(pending), IPAddr::Network);
conn_id.dst_addr = IPAddr(IPAddr::IPv6, DstAddr(pending), IPAddr::Network);
conn_id.src_port = SrcPort(pending);
conn_id.dst_port = DstPort(pending);
@ -541,7 +542,7 @@ Connection* ConnCompressor::Instantiate(HashKey* key, PendingConn* pending)
sessions->BuildHeader(faked_pkt->IP4_Hdr()));
// NewConn() may have swapped originator and responder.
int is_orig = addr_eq(conn_id.src_addr, new_conn->OrigAddr()) &&
int is_orig = conn_id.src_addr == new_conn->OrigAddr() &&
conn_id.src_port == new_conn->OrigPort();
// Pass the faked packet to the connection.
@ -607,7 +608,8 @@ void ConnCompressor::PktHdrToPendingConn(double time, const HashKey* key,
memcpy(&c->key, key->Key(), key->Size());
c->hash = key->Hash();
c->ip1_is_src = addr_eq(c->key.ip1, ip->SrcAddr()) &&
IPAddr ip1(IPAddr::IPv6, c->key.ip1, IPAddr::Network);
c->ip1_is_src = ip1 == ip->SrcAddr() &&
c->key.port1 == tp->th_sport;
c->time = time;
c->window = tp->th_win;
@ -656,17 +658,28 @@ const IP_Hdr* ConnCompressor::PendingConnToPacket(const PendingConn* c)
tp->th_urp = 0;
}
// Note, do *not* use copy_addr() here. This is because we're
// copying to an IPv4 header, which has room for exactly and
// only an IPv4 address.
#ifdef BROv6
if ( ! is_v4_addr(c->key.ip1) || ! is_v4_addr(c->key.ip2) )
IPAddr ip1(IPAddr::IPv6, c->key.ip1, IPAddr::Network);
IPAddr ip2(IPAddr::IPv6, c->key.ip2, IPAddr::Network);
if ( ip1.GetFamily() == IPAddr::IPv6 ||
ip2.GetFamily() == IPAddr::IPv6 )
reporter->InternalError("IPv6 snuck into connection compressor");
#endif
*(uint32*) &ip->ip_src =
to_v4_addr(c->ip1_is_src ? c->key.ip1 : c->key.ip2);
*(uint32*) &ip->ip_dst =
to_v4_addr(c->ip1_is_src ? c->key.ip2 : c->key.ip1);
else
{
const uint32* src_bytes;
const uint32* dst_bytes;
if ( c->ip1_is_src )
{
ip1.GetBytes(&src_bytes);
ip2.GetBytes(&dst_bytes);
}
else
{
ip2.GetBytes(&src_bytes);
ip1.GetBytes(&dst_bytes);
}
memcpy(&ip->ip_src, src_bytes, sizeof(ip->ip_src));
memcpy(&ip->ip_dst, dst_bytes, sizeof(ip->ip_dst));
}
if ( c->ip1_is_src )
{

21
src/DCE_RPC.cc
View file

@ -137,12 +137,12 @@ static bool is_mapped_dce_rpc_endpoint(const dce_rpc_endpoint_addr& addr)
bool is_mapped_dce_rpc_endpoint(const ConnID* id, TransportProto proto)
{
#ifdef BROv6
if ( ! is_v4_addr(id->dst_addr) )
if ( id->dst_addr.GetFamily() == IPAddr::IPv6 )
// TODO: Does the protocol support v6 addresses? #773
return false;
#endif
dce_rpc_endpoint_addr addr;
addr.addr = ntohl(to_v4_addr(id->dst_addr));
addr.addr = id->dst_addr;
addr.port = ntohs(id->dst_port);
addr.proto = proto;
@ -160,12 +160,7 @@ static void add_dce_rpc_endpoint(const dce_rpc_endpoint_addr& addr,
// of the dce_rpc_endpoints table.
// FIXME: Don't hard-code the timeout.
// Convert the address to a v4/v6 address (depending on how
// Bro was configured). This is all based on the address currently
// being a 32-bit host-order v4 address.
AddrVal a(htonl(addr.addr));
const addr_type at = a.AsAddr();
dpm->ExpectConnection(0, at, addr.port, addr.proto,
dpm->ExpectConnection(IPAddr(), addr.addr, addr.port, addr.proto,
AnalyzerTag::DCE_RPC, 5 * 60, 0);
}
@ -418,8 +413,8 @@ void DCE_RPC_Session::DeliverEpmapperMapResponse(
break;
case binpac::DCE_RPC_Simple::EPM_PROTOCOL_IP:
mapped.addr.addr =
floor->rhs()->data()->ip();
uint32 hostip = floor->rhs()->data()->ip();
mapped.addr.addr = IPAddr(IPAddr::IPv4, &hostip, IPAddr::Host);
break;
}
}
@ -433,7 +428,7 @@ void DCE_RPC_Session::DeliverEpmapperMapResponse(
vl->append(analyzer->BuildConnVal());
vl->append(new StringVal(mapped.uuid.to_string()));
vl->append(new PortVal(mapped.addr.port, mapped.addr.proto));
vl->append(new AddrVal(htonl(mapped.addr.addr)));
vl->append(new AddrVal(mapped.addr.addr));
analyzer->ConnectionEvent(epm_map_response, vl);
}

9
src/DCE_RPC.h
View file

@ -8,6 +8,7 @@
#include "NetVar.h"
#include "TCP.h"
#include "IPAddr.h"
#include "dce_rpc_simple_pac.h"
@ -34,19 +35,19 @@ const char* uuid_to_string(const u_char* uuid_data);
struct dce_rpc_endpoint_addr {
// All fields are in host byteorder.
uint32 addr;
IPAddr addr;
u_short port;
TransportProto proto;
dce_rpc_endpoint_addr()
{
addr = 0;
addr = IPAddr();
port = 0;
proto = TRANSPORT_UNKNOWN;
}
bool is_valid_addr() const
{ return addr != 0 && port != 0 && proto != TRANSPORT_UNKNOWN; }
{ return addr != IPAddr() && port != 0 && proto != TRANSPORT_UNKNOWN; }
bool operator<(dce_rpc_endpoint_addr const &e) const
{
@ -64,7 +65,7 @@ struct dce_rpc_endpoint_addr {
{
static char buf[128];
snprintf(buf, sizeof(buf), "%s/%d/%s",
dotted_addr(htonl(addr)), port,
addr.AsString().c_str(), port,
proto == TRANSPORT_TCP ? "tcp" :
(proto == TRANSPORT_UDP ? "udp" : "?"));

51
src/DNS.cc
View file

@ -758,62 +758,37 @@ int DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg,
int DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength)
{
// We need to parse an IPv6 address, high-order byte first.
// ### Currently, we fake an A reply rather than an AAAA reply,
// since for the latter we won't be able to express the full
// address (unless Bro was compiled for IPv6 addresses). We do
// this fake by using just the bottom 4 bytes of the IPv6 address.
uint32 addr[4];
int i;
for ( i = 0; i < 4; ++i )
for ( int i = 0; i < 4; ++i )
{
addr[i] = ntohl(ExtractLong(data, len));
addr[i] = htonl(ExtractLong(data, len));
if ( len < 0 )
{
analyzer->Weird("DNS_AAAA_neg_length");
if ( msg->atype == TYPE_AAAA )
analyzer->Weird("DNS_AAAA_neg_length");
else
analyzer->Weird("DNS_A6_neg_length");
return 0;
}
}
// Currently, dns_AAAA_reply is treated like dns_A_reply, since
// IPv6 addresses are not generally processed. This needs to be
// fixed. ###
if ( dns_A_reply && ! msg->skip_event )
EventHandlerPtr event;
if ( msg->atype == TYPE_AAAA )
event = dns_AAAA_reply;
else
event = dns_A6_reply;
if ( event && ! msg->skip_event )
{
val_list* vl = new val_list;
vl->append(analyzer->BuildConnVal());
vl->append(msg->BuildHdrVal());
vl->append(msg->BuildAnswerVal());
vl->append(new AddrVal(htonl(addr[3])));
analyzer->ConnectionEvent(dns_A_reply, vl);
}
#if 0
alternative AAAA code from Chris
if ( dns_AAAA_reply && ! msg->skip_event )
{
val_list* vl = new val_list;
vl->append(analyzer->BuildConnVal());
vl->append(msg->BuildHdrVal());
vl->append(msg->BuildAnswerVal());
#ifdef BROv6
// FIXME: might need to htonl the addr first
vl->append(new AddrVal(addr));
#else
vl->append(new AddrVal((uint32)0x0000));
#endif
char addrstr[INET6_ADDRSTRLEN];
inet_ntop(AF_INET6, addr, addrstr, INET6_ADDRSTRLEN);
vl->append(new StringVal(addrstr));
analyzer->ConnectionEvent(dns_AAAA_reply, vl);
analyzer->ConnectionEvent(event, vl);
}
#endif
return 1;
}

276
src/DNS_Mgr.cc
View file

@ -46,13 +46,13 @@ extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
class DNS_Mgr_Request {
public:
DNS_Mgr_Request(const char* h) { host = copy_string(h); addr = 0; }
DNS_Mgr_Request(uint32 a) { addr = a; host = 0; }
DNS_Mgr_Request(const char* h, int af) { host = copy_string(h); fam = af; }
DNS_Mgr_Request(const IPAddr& a) { addr = a; host = 0; fam = 0; }
~DNS_Mgr_Request() { delete [] host; }
// Returns nil if this was an address request.
const char* ReqHost() const { return host; }
uint32 ReqAddr() const { return addr; }
const IPAddr& ReqAddr() const { return addr; }
int MakeRequest(nb_dns_info* nb_dns);
int RequestPending() const { return request_pending; }
@ -61,8 +61,8 @@ public:
protected:
char* host; // if non-nil, this is a host request
uint32 addr;
uint32 ttl;
int fam; // address family query type for host requests
IPAddr addr;
int request_pending;
};
@ -75,15 +75,20 @@ int DNS_Mgr_Request::MakeRequest(nb_dns_info* nb_dns)
char err[NB_DNS_ERRSIZE];
if ( host )
return nb_dns_host_request(nb_dns, host, (void*) this, err) >= 0;
return nb_dns_host_request2(nb_dns, host, fam, (void*) this, err) >= 0;
else
return nb_dns_addr_request(nb_dns, addr, (void*) this, err) >= 0;
{
const uint32* bytes;
int len = addr.GetBytes(&bytes);
return nb_dns_addr_request2(nb_dns, (char*) bytes,
len == 1 ? AF_INET : AF_INET6, (void*) this, err) >= 0;
}
}
class DNS_Mapping {
public:
DNS_Mapping(const char* host, struct hostent* h, uint32 ttl);
DNS_Mapping(uint32 addr, struct hostent* h, uint32 ttl);
DNS_Mapping(const IPAddr& addr, struct hostent* h, uint32 ttl);
DNS_Mapping(FILE* f);
int NoMapping() const { return no_mapping; }
@ -93,9 +98,11 @@ public:
// Returns nil if this was an address request.
const char* ReqHost() const { return req_host; }
uint32 ReqAddr() const { return req_addr; }
const char* ReqStr() const
{ return req_host ? req_host : dotted_addr(ReqAddr()); }
IPAddr ReqAddr() const { return req_addr; }
string ReqStr() const
{
return req_host ? req_host : req_addr;
}
ListVal* Addrs();
TableVal* AddrsSet(); // addresses returned as a set
@ -109,7 +116,14 @@ public:
int Valid() const { return ! failed; }
bool Expired() const
{ return current_time() > (creation_time + req_ttl); }
{
if ( req_host && num_addrs == 0)
return false; // nothing to expire
return current_time() > (creation_time + req_ttl);
}
int Type() const { return map_type; }
protected:
friend class DNS_Mgr;
@ -121,7 +135,7 @@ protected:
int init_failed;
char* req_host;
uint32 req_addr;
IPAddr req_addr;
uint32 req_ttl;
int num_names;
@ -129,11 +143,12 @@ protected:
StringVal* host_val;
int num_addrs;
uint32* addrs;
IPAddr* addrs;
ListVal* addrs_val;
int failed;
double creation_time;
int map_type;
};
void DNS_Mgr_mapping_delete_func(void* v)
@ -154,14 +169,13 @@ DNS_Mapping::DNS_Mapping(const char* host, struct hostent* h, uint32 ttl)
{
Init(h);
req_host = copy_string(host);
req_addr = 0;
req_ttl = ttl;
if ( names && ! names[0] )
names[0] = copy_string(host);
}
DNS_Mapping::DNS_Mapping(uint32 addr, struct hostent* h, uint32 ttl)
DNS_Mapping::DNS_Mapping(const IPAddr& addr, struct hostent* h, uint32 ttl)
{
Init(h);
req_addr = addr;
@ -175,7 +189,6 @@ DNS_Mapping::DNS_Mapping(FILE* f)
init_failed = 1;
req_host = 0;
req_addr = 0;
char buf[512];
@ -188,14 +201,15 @@ DNS_Mapping::DNS_Mapping(FILE* f)
char req_buf[512+1], name_buf[512+1];
int is_req_host;
if ( sscanf(buf, "%lf %d %512s %d %512s %d", &creation_time, &is_req_host,
req_buf, &failed, name_buf, &num_addrs) != 6 )
if ( sscanf(buf, "%lf %d %512s %d %512s %d %d %"PRIu32, &creation_time,
&is_req_host, req_buf, &failed, name_buf, &map_type, &num_addrs,
&req_ttl) != 8 )
return;
if ( is_req_host )
req_host = copy_string(req_buf);
else
req_addr = dotted_to_addr(req_buf);
req_addr = IPAddr(req_buf);
num_names = 1;
names = new char*[num_names];
@ -203,7 +217,7 @@ DNS_Mapping::DNS_Mapping(FILE* f)
if ( num_addrs > 0 )
{
addrs = new uint32[num_addrs];
addrs = new IPAddr[num_addrs];
for ( int i = 0; i < num_addrs; ++i )
{
@ -217,7 +231,7 @@ DNS_Mapping::DNS_Mapping(FILE* f)
if ( newline )
*newline = '\0';
addrs[i] = dotted_to_addr(buf);
addrs[i] = IPAddr(buf);
}
}
else
@ -280,14 +294,6 @@ StringVal* DNS_Mapping::Host()
return host_val;
}
// Converts an array of 4 bytes in network order to the corresponding
// 32-bit network long.
static uint32 raw_bytes_to_addr(const unsigned char b[4])
{
uint32 l = (b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3];
return uint32(htonl(l));
}
void DNS_Mapping::Init(struct hostent* h)
{
no_mapping = 0;
@ -296,12 +302,13 @@ void DNS_Mapping::Init(struct hostent* h)
host_val = 0;
addrs_val = 0;
if ( ! h || h->h_addrtype != AF_INET || h->h_length != 4 )
if ( ! h )
{
Clear();
return;
}
map_type = h->h_addrtype;
num_names = 1; // for now, just use official name
names = new char*[num_names];
names[0] = h->h_name ? copy_string(h->h_name) : 0;
@ -311,10 +318,14 @@ void DNS_Mapping::Init(struct hostent* h)
if ( num_addrs > 0 )
{
addrs = new uint32[num_addrs];
addrs = new IPAddr[num_addrs];
for ( int i = 0; i < num_addrs; ++i )
addrs[i] = raw_bytes_to_addr(
(unsigned char*)h->h_addr_list[i]);
if ( h->h_addrtype == AF_INET )
addrs[i] = IPAddr(IPAddr::IPv4, (uint32*)h->h_addr_list[i],
IPAddr::Network);
else if ( h->h_addrtype == AF_INET6 )
addrs[i] = IPAddr(IPAddr::IPv6, (uint32*)h->h_addr_list[i],
IPAddr::Network);
}
else
addrs = 0;
@ -330,18 +341,19 @@ void DNS_Mapping::Clear()
host_val = 0;
addrs_val = 0;
no_mapping = 0;
map_type = 0;
failed = 1;
}
void DNS_Mapping::Save(FILE* f) const
{
fprintf(f, "%.0f %d %s %d %s %d\n", creation_time, req_host != 0,
req_host ? req_host : dotted_addr(req_addr),
fprintf(f, "%.0f %d %s %d %s %d %d %"PRIu32"\n", creation_time, req_host != 0,
req_host ? req_host : req_addr.AsString().c_str(),
failed, (names && names[0]) ? names[0] : "*",
num_addrs);
map_type, num_addrs, req_ttl);
for ( int i = 0; i < num_addrs; ++i )
fprintf(f, "%s\n", dotted_addr(addrs[i]));
fprintf(f, "%s\n", addrs[i].AsString().c_str());
}
@ -351,7 +363,6 @@ DNS_Mgr::DNS_Mgr(DNS_MgrMode arg_mode)
mode = arg_mode;
host_mappings.SetDeleteFunc(DNS_Mgr_mapping_delete_func);
addr_mappings.SetDeleteFunc(DNS_Mgr_mapping_delete_func);
char err[NB_DNS_ERRSIZE];
@ -440,24 +451,34 @@ TableVal* DNS_Mgr::LookupHost(const char* name)
if ( mode != DNS_PRIME )
{
DNS_Mapping* d = host_mappings.Lookup(name);
HostMap::iterator it = host_mappings.find(name);
if ( d )
if ( it != host_mappings.end() )
{
if ( d->Valid() )
return d->Addrs()->ConvertToSet();
else
DNS_Mapping* d4 = it->second.first;
DNS_Mapping* d6 = it->second.second;
if ( (d4 && d4->Failed()) || (d6 && d6->Failed()) )
{
reporter->Warning("no such host: %s", name);
return empty_addr_set();
}
else if ( d4 && d6 )
{
TableVal* tv4 = d4->AddrsSet();
TableVal* tv6 = d6->AddrsSet();
tv4->AddTo(tv6, false);
Unref(tv4);
return tv6;
}
}
}
// Not found, or priming.
switch ( mode ) {
case DNS_PRIME:
requests.append(new DNS_Mgr_Request(name));
requests.append(new DNS_Mgr_Request(name, AF_INET));
requests.append(new DNS_Mgr_Request(name, AF_INET6));
return empty_addr_set();
case DNS_FORCE:
@ -465,7 +486,8 @@ TableVal* DNS_Mgr::LookupHost(const char* name)
return 0;
case DNS_DEFAULT:
requests.append(new DNS_Mgr_Request(name));
requests.append(new DNS_Mgr_Request(name, AF_INET));
requests.append(new DNS_Mgr_Request(name, AF_INET6));
Resolve();
return LookupHost(name);
@ -475,14 +497,14 @@ TableVal* DNS_Mgr::LookupHost(const char* name)
}
}
Val* DNS_Mgr::LookupAddr(uint32 addr)
Val* DNS_Mgr::LookupAddr(const IPAddr& addr)
{
if ( ! did_init )
Init();
if ( mode != DNS_PRIME )
{
HashKey h(&addr, 1);
HashKey h(addr);
DNS_Mapping* d = addr_mappings.Lookup(&h);
if ( d )
@ -491,8 +513,9 @@ Val* DNS_Mgr::LookupAddr(uint32 addr)
return d->Host();
else
{
reporter->Warning("can't resolve IP address: %s", dotted_addr(addr));
return new StringVal(dotted_addr(addr));
string s(addr);
reporter->Warning("can't resolve IP address: %s", s.c_str());
return new StringVal(s.c_str());
}
}
}
@ -505,7 +528,7 @@ Val* DNS_Mgr::LookupAddr(uint32 addr)
case DNS_FORCE:
reporter->FatalError("can't find DNS entry for %s in cache",
dotted_addr(addr));
addr.AsString().c_str());
return 0;
case DNS_DEFAULT:
@ -681,27 +704,55 @@ void DNS_Mgr::AddResult(DNS_Mgr_Request* dr, struct nb_dns_result* r)
if ( dr->ReqHost() )
{
new_dm = new DNS_Mapping(dr->ReqHost(), h, ttl);
prev_dm = host_mappings.Insert(dr->ReqHost(), new_dm);
HostMap::iterator it = host_mappings.find(dr->ReqHost());
if ( it == host_mappings.end() )
{
host_mappings[dr->ReqHost()].first =
new_dm->Type() == AF_INET ? new_dm : 0;
host_mappings[dr->ReqHost()].second =
new_dm->Type() == AF_INET6 ? new_dm : 0;
prev_dm = 0;
}
else
{
prev_dm = 0;
if ( new_dm->Type() == AF_INET )
{
prev_dm = it->second.first;
it->second.first = new_dm;
}
else
{
prev_dm = it->second.second;
it->second.second = new_dm;
}
}
if ( new_dm->Failed() && prev_dm && prev_dm->Valid() )
{
// Put previous, valid entry back - CompareMappings
// will generate a corresponding warning.
(void) host_mappings.Insert(dr->ReqHost(), prev_dm);
if ( prev_dm->Type() == AF_INET )
host_mappings[dr->ReqHost()].first = prev_dm;
else
host_mappings[dr->ReqHost()].second = prev_dm;
++keep_prev;
}
}
else
{
new_dm = new DNS_Mapping(dr->ReqAddr(), h, ttl);
uint32 tmp_addr = dr->ReqAddr();
HashKey k(&tmp_addr, 1);
HashKey k(dr->ReqAddr());
prev_dm = addr_mappings.Insert(&k, new_dm);
if ( new_dm->Failed() && prev_dm && prev_dm->Valid() )
{
uint32 tmp_addr = dr->ReqAddr();
HashKey k2(&tmp_addr, 1);
HashKey k2(dr->ReqAddr());
(void) addr_mappings.Insert(&k2, prev_dm);
++keep_prev;
}
@ -774,17 +825,13 @@ ListVal* DNS_Mgr::AddrListDelta(ListVal* al1, ListVal* al2)
for ( int i = 0; i < al1->Length(); ++i )
{
addr_type al1_i = al1->Index(i)->AsAddr();
const IPAddr& al1_i = al1->Index(i)->AsAddr();
int j;
for ( j = 0; j < al2->Length(); ++j )
{
addr_type al2_j = al2->Index(j)->AsAddr();
#ifdef BROv6
if ( addr_eq(al1_i, al2_j) )
#else
const IPAddr& al2_j = al2->Index(j)->AsAddr();
if ( al1_i == al2_j )
#endif
break;
}
@ -800,8 +847,8 @@ void DNS_Mgr::DumpAddrList(FILE* f, ListVal* al)
{
for ( int i = 0; i < al->Length(); ++i )
{
addr_type al_i = al->Index(i)->AsAddr();
fprintf(f, "%s%s", i > 0 ? "," : "", dotted_addr(al_i));
const IPAddr& al_i = al->Index(i)->AsAddr();
fprintf(f, "%s%s", i > 0 ? "," : "", al_i.AsString().c_str());
}
}
@ -814,11 +861,20 @@ void DNS_Mgr::LoadCache(FILE* f)
for ( ; ! m->NoMapping() && ! m->InitFailed(); m = new DNS_Mapping(f) )
{
if ( m->ReqHost() )
host_mappings.Insert(m->ReqHost(), m);
{
if ( host_mappings.find(m->ReqHost()) == host_mappings.end() )
{
host_mappings[m->ReqHost()].first = 0;
host_mappings[m->ReqHost()].second = 0;
}
if ( m->Type() == AF_INET )
host_mappings[m->ReqHost()].first = m;
else
host_mappings[m->ReqHost()].second = m;
}
else
{
uint32 tmp_addr = m->ReqAddr();
HashKey h(&tmp_addr, 1);
HashKey h(m->ReqAddr());
addr_mappings.Insert(&h, m);
}
}
@ -839,9 +895,23 @@ void DNS_Mgr::Save(FILE* f, PDict(DNS_Mapping)& m)
dm->Save(f);
}
const char* DNS_Mgr::LookupAddrInCache(dns_mgr_addr_type addr)
void DNS_Mgr::Save(FILE* f, const HostMap& m)
{
HashKey h(&addr, 1);
HostMap::const_iterator it;
for ( it = m.begin(); it != m.end(); ++it )
{
if ( it->second.first )
it->second.first->Save(f);
if ( it->second.second )
it->second.second->Save(f);
}
}
const char* DNS_Mgr::LookupAddrInCache(const IPAddr& addr)
{
HashKey h(addr);
DNS_Mapping* d = dns_mgr->addr_mappings.Lookup(&h);
if ( ! d )
@ -861,23 +931,32 @@ const char* DNS_Mgr::LookupAddrInCache(dns_mgr_addr_type addr)
TableVal* DNS_Mgr::LookupNameInCache(string name)
{
DNS_Mapping* d = dns_mgr->host_mappings.Lookup(name.c_str());
if ( ! d || ! d->names )
HostMap::iterator it = dns_mgr->host_mappings.find(name);
if ( it == dns_mgr->host_mappings.end() )
return 0;
if ( d->Expired() )
DNS_Mapping* d4 = it->second.first;
DNS_Mapping* d6 = it->second.second;
if ( ! d4 || ! d4->names || ! d6 || ! d6->names )
return 0;
if ( d4->Expired() || d6->Expired() )
{
HashKey h(name.c_str());
dns_mgr->host_mappings.Remove(&h);
delete d;
dns_mgr->host_mappings.erase(it);
delete d4;
delete d6;
return 0;
}
return d->AddrsSet();
TableVal* tv4 = d4->AddrsSet();
TableVal* tv6 = d6->AddrsSet();
tv4->AddTo(tv6, false);
Unref(tv4);
return tv6;
}
void DNS_Mgr::AsyncLookupAddr(dns_mgr_addr_type host, LookupCallback* callback)
void DNS_Mgr::AsyncLookupAddr(const IPAddr& host, LookupCallback* callback)
{
if ( ! did_init )
Init();
@ -956,10 +1035,15 @@ void DNS_Mgr::IssueAsyncRequests()
++num_requests;
DNS_Mgr_Request* dr;
DNS_Mgr_Request* dr6 = 0;
if ( req->IsAddrReq() )
dr = new DNS_Mgr_Request(req->host);
else
dr = new DNS_Mgr_Request(req->name.c_str());
{
dr = new DNS_Mgr_Request(req->name.c_str(), AF_INET);
dr6 = new DNS_Mgr_Request(req->name.c_str(), AF_INET6);
}
if ( ! dr->MakeRequest(nb_dns) )
{
@ -969,6 +1053,14 @@ void DNS_Mgr::IssueAsyncRequests()
continue;
}
if ( dr6 && ! dr6->MakeRequest(nb_dns) )
{
reporter->Warning("can't issue DNS request");
++failed;
req->Timeout();
continue;
}
req->time = current_time();
asyncs_timeouts.push(req);
@ -987,7 +1079,7 @@ double DNS_Mgr::NextTimestamp(double* network_time)
return asyncs_timeouts.size() ? timer_mgr->Time() : -1.0;
}
void DNS_Mgr::CheckAsyncAddrRequest(dns_mgr_addr_type addr, bool timeout)
void DNS_Mgr::CheckAsyncAddrRequest(const IPAddr& addr, bool timeout)
{
// Note that this code is a mirror of that for CheckAsyncHostRequest.
@ -1060,10 +1152,14 @@ void DNS_Mgr::Flush()
{
DoProcess(false);
IterCookie* cookie = addr_mappings.InitForIteration();
DNS_Mapping* dm;
HostMap::iterator it;
for ( it = host_mappings.begin(); it != host_mappings.end(); ++it )
{
delete it->second.first;
delete it->second.second;
}
host_mappings.Clear();
host_mappings.clear();
addr_mappings.Clear();
}
@ -1107,6 +1203,14 @@ void DNS_Mgr::DoProcess(bool flush)
else if ( status > 0 )
{
DNS_Mgr_Request* dr = (DNS_Mgr_Request*) r.cookie;
bool do_host_timeout = true;
if ( dr->ReqHost() &&
host_mappings.find(dr->ReqHost()) == host_mappings.end() )
// Don't timeout when this is the first result in an expected pair
// (one result each for A and AAAA queries).
do_host_timeout = false;
if ( dr->RequestPending() )
{
AddResult(dr, &r);
@ -1116,7 +1220,7 @@ void DNS_Mgr::DoProcess(bool flush)
if ( ! dr->ReqHost() )
CheckAsyncAddrRequest(dr->ReqAddr(), true);
else
CheckAsyncHostRequest(dr->ReqHost(), true);
CheckAsyncHostRequest(dr->ReqHost(), do_host_timeout);
IssueAsyncRequests();
@ -1167,7 +1271,7 @@ void DNS_Mgr::GetStats(Stats* stats)
stats->successful = successful;
stats->failed = failed;
stats->pending = asyncs_pending;
stats->cached_hosts = host_mappings.Length();
stats->cached_hosts = host_mappings.size();
stats->cached_addresses = addr_mappings.Length();
}

22
src/DNS_Mgr.h
View file

@ -6,12 +6,14 @@
#include <list>
#include <map>
#include <queue>
#include <utility>
#include "util.h"
#include "BroList.h"
#include "Dict.h"
#include "EventHandler.h"
#include "IOSource.h"
#include "IPAddr.h"
class Val;
class ListVal;
@ -39,10 +41,6 @@ enum DNS_MgrMode {
// Number of seconds we'll wait for a reply.
#define DNS_TIMEOUT 5
// ### For now, we don't support IPv6 lookups. When we do, this
// should become addr_type.
typedef uint32 dns_mgr_addr_type;
class DNS_Mgr : public IOSource {
public:
DNS_Mgr(DNS_MgrMode mode);
@ -55,7 +53,7 @@ public:
// a set of addr.
TableVal* LookupHost(const char* host);
Val* LookupAddr(uint32 addr);
Val* LookupAddr(const IPAddr& addr);
// Define the directory where to store the data.
void SetDir(const char* arg_dir) { dir = copy_string(arg_dir); }
@ -64,7 +62,7 @@ public:
void Resolve();
int Save();
const char* LookupAddrInCache(dns_mgr_addr_type addr);
const char* LookupAddrInCache(const IPAddr& addr);
TableVal* LookupNameInCache(string name);
// Support for async lookups.
@ -78,7 +76,7 @@ public:
virtual void Timeout() = 0;
};
void AsyncLookupAddr(dns_mgr_addr_type host, LookupCallback* callback);
void AsyncLookupAddr(const IPAddr& host, LookupCallback* callback);
void AsyncLookupName(string name, LookupCallback* callback);
struct Stats {
@ -107,8 +105,10 @@ protected:
ListVal* AddrListDelta(ListVal* al1, ListVal* al2);
void DumpAddrList(FILE* f, ListVal* al);
typedef map<string, pair<DNS_Mapping*, DNS_Mapping*> > HostMap;
void LoadCache(FILE* f);
void Save(FILE* f, PDict(DNS_Mapping)& m);
void Save(FILE* f, const HostMap& m);
// Selects on the fd to see if there is an answer available (timeout
// is secs). Returns 0 on timeout, -1 on EINTR or other error, and 1
@ -120,7 +120,7 @@ protected:
// Finish the request if we have a result. If not, time it out if
// requested.
void CheckAsyncAddrRequest(dns_mgr_addr_type addr, bool timeout);
void CheckAsyncAddrRequest(const IPAddr& addr, bool timeout);
void CheckAsyncHostRequest(const char* host, bool timeout);
// Process outstanding requests.
@ -136,7 +136,7 @@ protected:
PDict(ListVal) services;
PDict(DNS_Mapping) host_mappings;
HostMap host_mappings;
PDict(DNS_Mapping) addr_mappings;
DNS_mgr_request_list requests;
@ -163,7 +163,7 @@ protected:
struct AsyncRequest {
double time;
dns_mgr_addr_type host;
IPAddr host;
string name;
CallbackList callbacks;
@ -204,7 +204,7 @@ protected:
};
typedef map<dns_mgr_addr_type, AsyncRequest*> AsyncRequestAddrMap;
typedef map<IPAddr, AsyncRequest*> AsyncRequestAddrMap;
AsyncRequestAddrMap asyncs_addrs;
typedef map<string, AsyncRequest*> AsyncRequestNameMap;

99
src/DPM.cc
View file

@ -11,52 +11,43 @@
#include "ConnSizeAnalyzer.h"
ExpectedConn::ExpectedConn(const uint32* _orig, const uint32* _resp,
ExpectedConn::ExpectedConn(const IPAddr& _orig, const IPAddr& _resp,
uint16 _resp_p, uint16 _proto)
{
if ( orig )
copy_addr(_orig, orig);
if ( _orig == IPAddr(string("0.0.0.0")) )
// don't use the IPv4 mapping, use the literal unspecified address
// to indicate a wildcard
orig = IPAddr(string("::"));
else
{
for ( int i = 0; i < NUM_ADDR_WORDS; ++i )
orig[i] = 0;
}
copy_addr(_resp, resp);
resp_p = _resp_p;
proto = _proto;
}
ExpectedConn::ExpectedConn(uint32 _orig, uint32 _resp,
uint16 _resp_p, uint16 _proto)
{
#ifdef BROv6
// Use the IPv4-within-IPv6 convention, as this is what's
// needed when we mix uint32's (like in this construction)
// with addr_type's (for example, when looking up expected
// connections).
orig[0] = orig[1] = orig[2] = 0;
resp[0] = resp[1] = resp[2] = 0;
orig[3] = _orig;
resp[3] = _resp;
#else
orig[0] = _orig;
resp[0] = _resp;
#endif
orig = _orig;
resp = _resp;
resp_p = _resp_p;
proto = _proto;
}
ExpectedConn::ExpectedConn(const ExpectedConn& c)
{
copy_addr(c.orig, orig);
copy_addr(c.resp, resp);
orig = c.orig;
resp = c.resp;
resp_p = c.resp_p;
proto = c.proto;
}
HashKey* ExpectedConn::GetKey() const
{
struct Key {
uint32 orig[4];
uint32 resp[4];
uint16 resp_p;
uint16 proto;
};
Key k;
orig.CopyIPv6(k.orig);
resp.CopyIPv6(k.resp);
k.resp_p = resp_p;
k.proto = proto;
return new HashKey(&k, sizeof(k));
}
DPM::DPM()
: expected_conns_queue(AssignedAnalyzer::compare)
@ -158,23 +149,18 @@ AnalyzerTag::Tag DPM::GetExpected(int proto, const Connection* conn)
ExpectedConn c(conn->OrigAddr(), conn->RespAddr(),
ntohs(conn->RespPort()), proto);
// Can't use sizeof(c) due to potential alignment issues.
// FIXME: I guess this is still not portable ...
HashKey key(&c, sizeof(c.orig) + sizeof(c.resp) +
sizeof(c.resp_p) + sizeof(c.proto));
AssignedAnalyzer* a = expected_conns.Lookup(&key);
HashKey* key = c.GetKey();
AssignedAnalyzer* a = expected_conns.Lookup(key);
delete key;
if ( ! a )
{
// Wildcard for originator.
for ( int i = 0; i < NUM_ADDR_WORDS; ++i )
c.orig[i] = 0;
c.orig = IPAddr(string("::"));
HashKey key(&c, sizeof(c.orig) + sizeof(c.resp) +
sizeof(c.resp_p) + sizeof(c.proto));
a = expected_conns.Lookup(&key);
HashKey* key = c.GetKey();
a = expected_conns.Lookup(key);
delete key;
}
if ( ! a )
@ -366,7 +352,8 @@ bool DPM::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn,
return true;
}
void DPM::ExpectConnection(addr_type orig, addr_type resp, uint16 resp_p,
void DPM::ExpectConnection(const IPAddr& orig, const IPAddr& resp,
uint16 resp_p,
TransportProto proto, AnalyzerTag::Tag analyzer,
double timeout, void* cookie)
{
@ -378,11 +365,7 @@ void DPM::ExpectConnection(addr_type orig, addr_type resp, uint16 resp_p,
{
if ( ! a->deleted )
{
HashKey* key = new HashKey(&a->conn,
sizeof(a->conn.orig) +
sizeof(a->conn.resp) +
sizeof(a->conn.resp_p) +
sizeof(a->conn.proto));
HashKey* key = a->conn.GetKey();
expected_conns.Remove(key);
delete key;
}
@ -401,10 +384,9 @@ void DPM::ExpectConnection(addr_type orig, addr_type resp, uint16 resp_p,
ExpectedConn c(orig, resp, resp_p, proto);
HashKey key(&c, sizeof(c.orig) + sizeof(c.resp) +
sizeof(c.resp_p) + sizeof(c.proto));
HashKey* key = c.GetKey();
AssignedAnalyzer* a = expected_conns.Lookup(&key);
AssignedAnalyzer* a = expected_conns.Lookup(key);
if ( a )
a->deleted = true;
@ -416,8 +398,9 @@ void DPM::ExpectConnection(addr_type orig, addr_type resp, uint16 resp_p,
a->timeout = network_time + timeout;
a->deleted = false;
expected_conns.Insert(&key, a);
expected_conns.Insert(key, a);
expected_conns_queue.push(a);
delete key;
}
void DPM::Done()
@ -428,11 +411,7 @@ void DPM::Done()
AssignedAnalyzer* a = expected_conns_queue.top();
if ( ! a->deleted )
{
HashKey* key = new HashKey(&a->conn,
sizeof(a->conn.orig) +
sizeof(a->conn.resp) +
sizeof(a->conn.resp_p) +
sizeof(a->conn.proto));
HashKey* key = a->conn.GetKey();
expected_conns.Remove(key);
delete key;
}

16
src/DPM.h
View file

@ -27,19 +27,15 @@
// Map to assign expected connections to analyzers.
class ExpectedConn {
public:
// This form can be used for IPv6 as well as IPv4.
ExpectedConn(const uint32* _orig, const uint32* _resp,
ExpectedConn(const IPAddr& _orig, const IPAddr& _resp,
uint16 _resp_p, uint16 _proto);
// This form only works for expecting an IPv4 connection. Note
// that we do the right thing whether we're built IPv4-only or
// BROv6.
ExpectedConn(uint32 _orig, uint32 _resp, uint16 _resp_p, uint16 _proto);
ExpectedConn(const ExpectedConn& c);
uint32 orig[NUM_ADDR_WORDS];
uint32 resp[NUM_ADDR_WORDS];
HashKey* GetKey() const;
IPAddr orig;
IPAddr resp;
uint16 resp_p;
uint16 proto;
};
@ -90,7 +86,7 @@ public:
// Schedules a particular analyzer for an upcoming connection.
// 0 acts as a wildcard for orig. (Cookie is currently unused.
// Eventually, we may pass it on to the analyzer).
void ExpectConnection(addr_type orig, addr_type resp, uint16 resp_p,
void ExpectConnection(const IPAddr& orig, const IPAddr& resp, uint16 resp_p,
TransportProto proto, AnalyzerTag::Tag analyzer,
double timeout, void* cookie);

5
src/Desc.h
View file

@ -6,7 +6,9 @@
#include <stdio.h>
#include <list>
#include <utility>
#include "BroString.h"
#include "IPAddr.h"
typedef enum {
DESC_READABLE,
@ -68,11 +70,14 @@ public:
void Add(const char* s, int do_indent=1);
void AddN(const char* s, int len) { AddBytes(s, len); }
void Add(const string& s) { AddBytes(s.data(), s.size()); }
void Add(int i);
void Add(uint32 u);
void Add(int64 i);
void Add(uint64 u);
void Add(double d);
void Add(const IPAddr& addr) { Add(addr.AsString()); }
void Add(const IPPrefix& prefix) { Add(prefix.AsString()); }
// Add s as a counted string.
void AddCS(const char* s);

62
src/Expr.cc
View file

@ -14,6 +14,7 @@
#include "Net.h"
#include "Traverse.h"
#include "Trigger.h"
#include "IPAddr.h"
const char* expr_name(BroExprTag t)
{
@ -834,30 +835,30 @@ Val* BinaryExpr::StringFold(Val* v1, Val* v2) const
Val* BinaryExpr::AddrFold(Val* v1, Val* v2) const
{
addr_type a1 = v1->AsAddr();
addr_type a2 = v2->AsAddr();
IPAddr a1 = v1->AsAddr();
IPAddr a2 = v2->AsAddr();
int result = 0;
switch ( tag ) {
#undef DO_FOLD
#ifdef BROv6
#define DO_FOLD(sense) { result = memcmp(a1, a2, 16) sense 0; break; }
#else
#define DO_FOLD(sense) \
{ \
a1 = ntohl(a1); \
a2 = ntohl(a2); \
result = (a1 < a2 ? -1 : (a1 == a2 ? 0 : 1)) sense 0; \
break; \
}
#endif
case EXPR_LT: DO_FOLD(<)
case EXPR_LE: DO_FOLD(<=)
case EXPR_EQ: DO_FOLD(==)
case EXPR_NE: DO_FOLD(!=)
case EXPR_GE: DO_FOLD(>=)
case EXPR_GT: DO_FOLD(>)
case EXPR_LT:
result = a1 < a2;
break;
case EXPR_LE:
result = a1 < a2 || a1 == a2;
break;
case EXPR_EQ:
result = a1 == a2;
break;
case EXPR_NE:
result = a1 != a2;
break;
case EXPR_GE:
result = ! ( a1 < a2 );
break;
case EXPR_GT:
result = ( ! ( a1 < a2 ) ) && ( a1 != a2 );
break;
default:
BadTag("BinaryExpr::AddrFold", expr_name(tag));
@ -868,20 +869,13 @@ Val* BinaryExpr::AddrFold(Val* v1, Val* v2) const
Val* BinaryExpr::SubNetFold(Val* v1, Val* v2) const
{
subnet_type* n1 = v1->AsSubNet();
subnet_type* n2 = v2->AsSubNet();
const IPPrefix& n1 = v1->AsSubNet();
const IPPrefix& n2 = v2->AsSubNet();
if ( n1->width != n2->width )
if ( n1 == n2 )
return new Val(1, TYPE_BOOL);
else
return new Val(0, TYPE_BOOL);
#ifdef BROv6
if ( memcmp(n1->net, n2->net, 16) )
#else
if ( n1->net != n2->net )
#endif
return new Val(0, TYPE_BOOL);
return new Val(1, TYPE_BOOL);
}
void BinaryExpr::SwapOps()
@ -1681,15 +1675,13 @@ DivideExpr::DivideExpr(Expr* arg_op1, Expr* arg_op2)
Val* DivideExpr::AddrFold(Val* v1, Val* v2) const
{
addr_type a1 = v1->AsAddr();
uint32 mask;
if ( v2->Type()->Tag() == TYPE_COUNT )
mask = static_cast<uint32>(v2->InternalUnsigned());
else
mask = static_cast<uint32>(v2->InternalInt());
return new SubNetVal(a1, mask);
return new SubNetVal(v1->AsAddr(), mask);
}
Expr* DivideExpr::DoSimplify()

2
src/HTTP.cc
View file

@ -1543,7 +1543,7 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, MIME_Header* h)
}
}
void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const uint32* host,
void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host,
bool user_agent)
{
int len = ver.length;

3
src/HTTP.h
View file

@ -8,6 +8,7 @@
#include "MIME.h"
#include "binpac_bro.h"
#include "ZIP.h"
#include "IPAddr.h"
enum CHUNKED_TRANSFER_STATE {
NON_CHUNKED_TRANSFER,
@ -212,7 +213,7 @@ protected:
const BroString* UnansweredRequestMethod();
void ParseVersion(data_chunk_t ver, const uint32* host, bool user_agent);
void ParseVersion(data_chunk_t ver, const IPAddr& host, bool user_agent);
int HTTP_ReplyCode(const char* code_str);
int ExpectReplyMessageBody();

10
src/Hash.cc
View file

@ -103,6 +103,16 @@ HashKey::HashKey(const BroString* s)
is_our_dynamic = 0;
}
HashKey::HashKey(const IPAddr& addr)
{
const uint32* bytes;
int len = addr.GetBytes(&bytes);
size = len * sizeof(uint32);
key = CopyKey(bytes, size);
is_our_dynamic = 1;
hash = HashBytes(key, size);
}
HashKey::HashKey(int copy_key, void* arg_key, int arg_size)
{
size = arg_size;

4
src/Hash.h
View file

@ -6,8 +6,9 @@
#include <stdlib.h>
#include "BroString.h"
#include "IPAddr.h"
#define UHASH_KEY_SIZE 32
#define UHASH_KEY_SIZE 36
typedef uint64 hash_t;
@ -28,6 +29,7 @@ public:
HashKey(const void* p);
HashKey(const char* s);
HashKey(const BroString* s);
HashKey(const IPAddr& addr);
~HashKey()
{
if ( is_our_dynamic )

38
src/ICMP.cc
View file

@ -55,7 +55,6 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
{
int chksum = 0;
#ifdef BROv6
switch ( ip->NextProto() )
{
case IPPROTO_ICMP:
@ -69,10 +68,6 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
default:
reporter->InternalError("unexpected IP proto in ICMP analyzer");
}
#else
// Classic v4 version.
chksum = icmp_checksum(icmpp, len);
#endif
if ( chksum != 0xffff )
{
@ -89,6 +84,9 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
matcher_state.InitEndpointMatcher(this, ip, len, is_orig, 0);
}
type = icmpp->icmp_type;
code = icmpp->icmp_code;
// Move past common portion of ICMP header.
data += 8;
caplen -= 8;
@ -96,10 +94,8 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
if ( ip->NextProto() == IPPROTO_ICMP )
NextICMP4(current_timestamp, icmpp, len, caplen, data, ip);
#ifdef BROv6
else
NextICMP6(current_timestamp, icmpp, len, caplen, data, ip);
#endif
if ( caplen >= len )
@ -130,7 +126,6 @@ void ICMP_Analyzer::NextICMP4(double t, const struct icmp* icmpp, int len, int c
}
}
#ifdef BROv6
void ICMP_Analyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr )
{
@ -178,7 +173,6 @@ void ICMP_Analyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int c
break;
}
}
#endif
void ICMP_Analyzer::ICMPEvent(EventHandlerPtr f, const struct icmp* icmpp, int len, int icmpv6)
{
@ -284,7 +278,7 @@ RecordVal* ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data)
uint32 ip_len, frag_offset;
TransportProto proto = TRANSPORT_UNKNOWN;
int DF, MF, bad_hdr_len, bad_checksum;
uint32 src_addr, dst_addr,src_addr2, dst_addr2;
IPAddr src_addr, dst_addr;
uint32 src_port, dst_port;
if ( ip_hdr_len < sizeof(struct ip) || ip_hdr_len > uint32(len) )
@ -303,8 +297,8 @@ RecordVal* ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data)
ip_len = ip_hdr->TotalLen();
bad_checksum = ones_complement_checksum((void*) ip_hdr->IP4_Hdr(), ip_hdr_len, 0) != 0xffff;
src_addr = ip_hdr->SrcAddr4();
dst_addr = ip_hdr->DstAddr4();
src_addr = ip_hdr->SrcAddr();
dst_addr = ip_hdr->DstAddr();
uint32 frag_field = ip_hdr->FragField();
DF = ip_hdr->DF();
@ -342,7 +336,6 @@ RecordVal* ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data)
return iprec;
}
#ifdef BROv6
RecordVal* ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data)
{
const IP_Hdr ip_hdr_data((const struct ip6_hdr*) data);
@ -351,8 +344,8 @@ RecordVal* ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data)
TransportProto proto = TRANSPORT_UNKNOWN;
uint32 ip_hdr_len = ip_hdr->HdrLen(); //should always be 40
uint32* src_addr;
uint32* dst_addr;
IPAddr src_addr;
IPAddr dst_addr;
uint32 ip_len, frag_offset = 0;
uint32 src_port, dst_port;
@ -368,8 +361,8 @@ RecordVal* ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data)
{
ip_len = ip_hdr->TotalLen();
src_addr = (uint32 *) ip_hdr->SrcAddr();
dst_addr = (uint32 *) ip_hdr->DstAddr();
src_addr = ip_hdr->SrcAddr();
dst_addr = ip_hdr->DstAddr();
if ( uint32(len) >= ip_hdr_len + 4 )
proto = GetContextProtocol(ip_hdr, &src_port, &dst_port);
@ -413,7 +406,6 @@ RecordVal* ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data)
return iprec;
}
#endif
bool ICMP_Analyzer::IsReuse(double /* t */, const u_char* /* pkt */)
@ -428,18 +420,16 @@ void ICMP_Analyzer::Describe(ODesc* d) const
d->Add(Conn()->LastTime());
d->AddSP(")");
d->Add(dotted_addr(Conn()->OrigAddr()));
#if 0
d->Add(Conn()->OrigAddr());
d->Add(".");
d->Add(type);
d->Add(".");
d->Add(code);
#endif
d->SP();
d->AddSP("->");
d->Add(dotted_addr(Conn()->RespAddr()));
d->Add(Conn()->RespAddr());
}
void ICMP_Analyzer::UpdateConnVal(RecordVal *conn_val)
@ -488,11 +478,9 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
// For handling all Echo related ICMP messages
EventHandlerPtr f = 0;
#ifdef BROv6
if ( ip_hdr->NextProto() == IPPROTO_ICMPV6 )
f = (icmpp->icmp_type == ICMP6_ECHO_REQUEST) ? icmp_echo_request : icmp_echo_reply;
else
#endif
f = (icmpp->icmp_type == ICMP_ECHO) ? icmp_echo_request : icmp_echo_reply;
if ( ! f )
@ -569,7 +557,6 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
}
#ifdef BROv6
void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{
@ -598,7 +585,6 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
ConnectionEvent(f, vl);
}
}
#endif
int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
{

4
src/ICMP.h
View file

@ -57,7 +57,6 @@ protected:
TransportProto GetContextProtocol(const IP_Hdr* ip_hdr, uint32* src_port,
uint32* dst_port);
#ifdef BROv6
void NextICMP6(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr );
@ -65,9 +64,10 @@ protected:
void Context6(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr);
#endif
RecordVal* icmp_conn_val;
int type;
int code;
int request_len, reply_len;
RuleMatcherState matcher_state;

65
src/IP.h
View file

@ -4,63 +4,29 @@
#define ip_h
#include "config.h"
#include "IPAddr.h"
#include <net_util.h>
class IP_Hdr {
public:
IP_Hdr(struct ip* arg_ip4)
: ip4(arg_ip4), ip6(0), del(1)
{
ip4 = arg_ip4;
ip6 = 0;
del = 1;
#ifdef BROv6
src_addr[0] = src_addr[1] = src_addr[2] = 0;
dst_addr[0] = dst_addr[1] = dst_addr[2] = 0;
src_addr[3] = ip4->ip_src.s_addr;
dst_addr[3] = ip4->ip_dst.s_addr;
#endif
}
IP_Hdr(const struct ip* arg_ip4)
: ip4(arg_ip4), ip6(0), del(0)
{
ip4 = arg_ip4;
ip6 = 0;
del = 0;
#ifdef BROv6
src_addr[0] = src_addr[1] = src_addr[2] = 0;
dst_addr[0] = dst_addr[1] = dst_addr[2] = 0;
src_addr[3] = ip4->ip_src.s_addr;
dst_addr[3] = ip4->ip_dst.s_addr;
#endif
}
IP_Hdr(struct ip6_hdr* arg_ip6)
: ip4(0), ip6(arg_ip6), del(1)
{
ip4 = 0;
ip6 = arg_ip6;
del = 1;
#ifdef BROv6
memcpy(src_addr, ip6->ip6_src.s6_addr, 16);
memcpy(dst_addr, ip6->ip6_dst.s6_addr, 16);
#endif
}
IP_Hdr(const struct ip6_hdr* arg_ip6)
: ip4(0), ip6(arg_ip6), del(0)
{
ip4 = 0;
ip6 = arg_ip6;
del = 0;
#ifdef BROv6
memcpy(src_addr, ip6->ip6_src.s6_addr, 16);
memcpy(dst_addr, ip6->ip6_dst.s6_addr, 16);
#endif
}
~IP_Hdr()
@ -77,19 +43,12 @@ public:
const struct ip* IP4_Hdr() const { return ip4; }
const struct ip6_hdr* IP6_Hdr() const { return ip6; }
#ifdef BROv6
const uint32* SrcAddr() const { return src_addr; }
const uint32* DstAddr() const { return dst_addr; }
#else
const uint32* SrcAddr() const
{ return ip4 ? &(ip4->ip_src.s_addr) : 0; }
const uint32* DstAddr() const
{ return ip4 ? &(ip4->ip_dst.s_addr) : 0; }
#endif
uint32 SrcAddr4() const { return ip4->ip_src.s_addr; }
uint32 DstAddr4() const { return ip4->ip_dst.s_addr; }
IPAddr SrcAddr() const
{ return ip4 ? IPAddr(ip4->ip_src) : IPAddr(ip6->ip6_src); }
IPAddr DstAddr() const
{ return ip4 ? IPAddr(ip4->ip_dst) : IPAddr(ip6->ip6_dst); }
//TODO: needs adapting/replacement for IPv6 support
uint16 ID4() const { return ip4 ? ip4->ip_id : 0; }
const u_char* Payload() const
@ -131,10 +90,6 @@ public:
private:
const struct ip* ip4;
const struct ip6_hdr* ip6;
#ifdef BROv6
uint32 src_addr[NUM_ADDR_WORDS];
uint32 dst_addr[NUM_ADDR_WORDS];
#endif
int del;
};

166
src/IPAddr.cc Normal file
View file

@ -0,0 +1,166 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "IPAddr.h"
#include "Reporter.h"
const uint8_t IPAddr::v4_mapped_prefix[12] = { 0, 0, 0, 0,
0, 0, 0, 0,
0, 0, 0xff, 0xff };
void IPAddr::Mask(int top_bits_to_keep)
{
if ( top_bits_to_keep <= 0 || top_bits_to_keep > 128 )
{
reporter->Error("Bad IPAddr::Mask value %d", top_bits_to_keep);
return;
}
uint32_t tmp[4];
memcpy(tmp, in6.s6_addr, sizeof(in6.s6_addr));
int word = 3;
int bits_to_chop = 128 - top_bits_to_keep;
while ( bits_to_chop >= 32 )
{
tmp[word] = 0;
--word;
bits_to_chop -= 32;
}
uint32_t w = ntohl(tmp[word]);
w >>= bits_to_chop;
w <<= bits_to_chop;
tmp[word] = htonl(w);
memcpy(in6.s6_addr, tmp, sizeof(in6.s6_addr));
}
void IPAddr::ReverseMask(int top_bits_to_chop)
{
if ( top_bits_to_chop <= 0 || top_bits_to_chop > 128 )
{
reporter->Error("Bad IPAddr::ReverseMask value %d", top_bits_to_chop);
return;
}
uint32_t tmp[4];
memcpy(tmp, in6.s6_addr, sizeof(in6.s6_addr));
int word = 0;
int bits_to_chop = top_bits_to_chop;
while ( bits_to_chop >= 32 )
{
tmp[word] = 0;
++word;
bits_to_chop -= 32;
}
uint32_t w = ntohl(tmp[word]);
w <<= bits_to_chop;
w >>= bits_to_chop;
tmp[word] = htonl(w);
memcpy(in6.s6_addr, tmp, sizeof(in6.s6_addr));
}
void IPAddr::Init(const std::string& s)
{
if ( s.find(':') == std::string::npos ) // IPv4.
{
memcpy(in6.s6_addr, v4_mapped_prefix, sizeof(v4_mapped_prefix));
if ( inet_pton(AF_INET, s.c_str(), &in6.s6_addr[12]) <=0 )
{
reporter->Error("Bad IP address: %s", s.c_str());
memset(in6.s6_addr, 0, sizeof(in6.s6_addr));
}
}
else
{
if ( inet_pton(AF_INET6, s.c_str(), in6.s6_addr) <=0 )
{
reporter->Error("Bad IP address: %s", s.c_str());
memset(in6.s6_addr, 0, sizeof(in6.s6_addr));
}
}
}
string IPAddr::AsString() const
{
if ( GetFamily() == IPv4 )
{
char s[INET_ADDRSTRLEN];
if ( inet_ntop(AF_INET, &in6.s6_addr[12], s, INET_ADDRSTRLEN) == NULL )
return "<bad IPv4 address conversion";
else
return s;
}
else
{
char s[INET6_ADDRSTRLEN];
if ( inet_ntop(AF_INET6, in6.s6_addr, s, INET6_ADDRSTRLEN) == NULL )
return "<bad IPv6 address conversion";
else
return s;
}
}
IPPrefix::IPPrefix(const in4_addr& in4, uint8_t length)
: prefix(in4), length(96 + length)
{
if ( length > 32 )
reporter->InternalError("Bad in4_addr IPPrefix length : %d", length);
prefix.Mask(this->length);
}
IPPrefix::IPPrefix(const in6_addr& in6, uint8_t length)
: prefix(in6), length(length)
{
if ( length > 128 )
reporter->InternalError("Bad in6_addr IPPrefix length : %d", length);
prefix.Mask(this->length);
}
IPPrefix::IPPrefix(const IPAddr& addr, uint8_t length)
: prefix(addr)
{
if ( prefix.GetFamily() == IPAddr::IPv4 )
{
if ( length > 32 )
reporter->InternalError("Bad IPAddr(v4) IPPrefix length : %d",
length);
this->length = length + 96;
}
else
{
if ( length > 128 )
reporter->InternalError("Bad IPAddr(v6) IPPrefix length : %d",
length);
this->length = length;
}
prefix.Mask(this->length);
}
string IPPrefix::AsString() const
{
char l[16];
if ( prefix.GetFamily() == IPAddr::IPv4 )
modp_uitoa10(length - 96, l);
else
modp_uitoa10(length, l);
return prefix.AsString() +"/" + l;
}

460
src/IPAddr.h Normal file
View file

@ -0,0 +1,460 @@
// See the file "COPYING" in the main distribution directory for copyright.
#ifndef IPADDR_H
#define IPADDR_H
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string>
#include "BroString.h"
#include "util.h"
typedef in_addr in4_addr;
/**
* Class storing both IPv4 and IPv6 addresses.
*/
class IPAddr
{
public:
/**
* Address family.
*/
enum Family { IPv4, IPv6 };
/**
* Byte order.
*/
enum ByteOrder { Host, Network };
/**
* Constructs the unspecified IPv6 address (all 128 bits zeroed).
*/
IPAddr()
{
memset(in6.s6_addr, 0, sizeof(in6.s6_addr));
}
/**
* Constructs an address instance from an IPv4 address.
*
* @param in6 The IPv6 address.
*/
IPAddr(const in4_addr& in4)
{
memcpy(in6.s6_addr, v4_mapped_prefix, sizeof(v4_mapped_prefix));
memcpy(&in6.s6_addr[12], &in4.s_addr, sizeof(in4.s_addr));
}
/**
* Constructs an address instance from an IPv6 address.
*
* @param in6 The IPv6 address.
*/
IPAddr(const in6_addr& arg_in6) : in6(arg_in6) { }
/**
* Constructs an address instance from a string representation.
*
* @param s String containing an IP address as either a dotted IPv4
* address or a hex IPv6 address.
*/
IPAddr(const std::string& s)
{
Init(s);
}
/**
* Constructs an address instance from a string representation.
*
* @param s ASCIIZ string containing an IP address as either a
* dotted IPv4 address or a hex IPv6 address.
*/
IPAddr(const char* s)
{
Init(s);
}
/**
* Constructs an address instance from a string representation.
*
* @param s String containing an IP address as either a dotted IPv4
* address or a hex IPv6 address.
*/
IPAddr(const BroString& s)
{
Init(s.CheckString());
}
/**
* Constructs an address instance from a raw byte representation.
*
* @param family The address family.
*
* @param bytes A pointer to the raw byte representation. This must point
* to 4 bytes if \a family is IPv4, and to 16 bytes if \a family is
* IPv6.
*
* @param order Indicates whether the raw representation pointed to
* by \a bytes is stored in network or host order.
*/
IPAddr(Family family, const uint32_t* bytes, ByteOrder order);
/**
* Copy constructor.
*/
IPAddr(const IPAddr& other) : in6(other.in6) { };
/**
* Destructor.
*/
~IPAddr() { };
/**
* Returns the address' family.
*/
Family GetFamily() const
{
if ( memcmp(in6.s6_addr, v4_mapped_prefix, 12) == 0 )
return IPv4;
else
return IPv6;
}
/**
* Returns true if the address represents a loopback device.
*/
bool IsLoopback() const;
/**
* Returns true if the address represents a multicast address.
*/
bool IsMulticast() const
{
if ( GetFamily() == IPv4 )
return in6.s6_addr[12] == 224;
else
return in6.s6_addr[0] == 0xff;
}
/**
* Returns true if the address represents a broadcast address.
*/
bool IsBroadcast() const
{
if ( GetFamily() == IPv4 )
return ((in6.s6_addr[12] == 0xff) && (in6.s6_addr[13] == 0xff)
&& (in6.s6_addr[14] == 0xff) && (in6.s6_addr[15] == 0xff));
else
return false;
}
/**
* Retrieves the raw byte representation of the address.
*
* @param bytes The pointer to which \a bytes points will be set to
* the address of the raw representation in network-byte order.
* The return value indicates how many 32-bit words are valid starting at
* that address. The pointer will be valid as long as the address instance
* exists.
*
* @return The number of 32-bit words the raw representation uses. This
* will be 1 for an IPv4 address and 4 for an IPv6 address.
*/
int GetBytes(const uint32_t** bytes) const
{
if ( GetFamily() == IPv4 )
{
*bytes = (uint32_t*) &in6.s6_addr[12];
return 1;
}
else
{
*bytes = (uint32_t*) in6.s6_addr;
return 4;
}
}
/**
* Retrieves a copy of the IPv6 raw byte representation of the address.
* If the internal address is IPv4, then the copied bytes use the
* IPv4 to IPv6 address mapping to return a full 16 bytes.
*
* @param bytes The pointer to a memory location in which the
* raw bytes of the address are to be copied in network byte-order.
*/
void CopyIPv6(uint32_t* bytes) const
{
memcpy(bytes, in6.s6_addr, sizeof(in6.s6_addr));
}
/**
* Masks out lower bits of the address.
*
* @param top_bits_to_keep The number of bits \a not to mask out,
* counting from the highest order bit. The value is always
* interpreted relative to the IPv6 bit width, even if the address
* is IPv4. That means if compute ``192.168.1.2/16``, you need to
* pass in 112 (i.e., 96 + 16). The value must be in the range from
* 0 to 128.
*/
void Mask(int top_bits_to_keep);
/**
* Masks out top bits of the address.
*
* @param top_bits_to_chop The number of bits to mask out, counting
* from the highest order bit. The value is always interpreted relative
* to the IPv6 bit width, even if the address is IPv4. So to mask out
* the first 16 bits of an IPv4 address, pass in 112 (i.e., 96 + 16).
* The value must be in the range from 0 to 128.
*/
void ReverseMask(int top_bits_to_chop);
/**
* Assignment operator.
*/
IPAddr& operator=(const IPAddr& other)
{
// No self-assignment check here because it's correct without it and
// makes the common case faster.
in6 = other.in6;
return *this;
}
/**
* Returns a string representation of the address. IPv4 addresses
* will be returned in dotted representation, IPv6 addresses in
* compressed hex.
*/
string AsString() const;
/**
* Returns a string representation of the address. This returns the
* same as AsString().
*/
operator std::string() const { return AsString(); }
/**
* Comparison operator for IP address.
*/
friend bool operator==(const IPAddr& addr1, const IPAddr& addr2)
{
return memcmp(&addr1.in6, &addr2.in6, sizeof(in6_addr)) == 0;
}
friend bool operator!=(const IPAddr& addr1, const IPAddr& addr2)
{
return ! (addr1 == addr2);
}
/**
* Comparison operator IP addresses. This defines a well-defined order for
* IP addresses. However, the order does not necessarily correspond to
* their numerical values.
*/
friend bool operator<(const IPAddr& addr1, const IPAddr& addr2)
{
return memcmp(&addr1.in6, &addr2.in6, sizeof(in6_addr)) < 0;
}
unsigned int MemoryAllocation() const { return padded_sizeof(*this); }
private:
/**
* Initializes an address instance from a string representation.
*
* @param s String containing an IP address as either a dotted IPv4
* address or a hex IPv6 address.
*/
void Init(const std::string& s);
in6_addr in6; // IPv6 or v4-to-v6-mapped address
static const uint8_t v4_mapped_prefix[12]; // top 96 bits of v4-mapped-addr
};
inline IPAddr::IPAddr(Family family, const uint32_t* bytes, ByteOrder order)
{
if ( family == IPv4 )
{
memcpy(in6.s6_addr, v4_mapped_prefix, sizeof(v4_mapped_prefix));
memcpy(&in6.s6_addr[12], bytes, sizeof(uint32_t));
if ( order == Host )
{
uint32_t* p = (uint32_t*) &in6.s6_addr[12];
*p = htonl(*p);
}
}
else
{
memcpy(in6.s6_addr, bytes, sizeof(in6.s6_addr));
if ( order == Host )
{
for ( unsigned int i = 0; i < 4; ++ i)
{
uint32_t* p = (uint32_t*) &in6.s6_addr[i*4];
*p = htonl(*p);
}
}
}
}
inline bool IPAddr::IsLoopback() const
{
if ( GetFamily() == IPv4 )
return in6.s6_addr[12] == 127;
else
return ((in6.s6_addr[0] == 0) && (in6.s6_addr[1] == 0)
&& (in6.s6_addr[2] == 0) && (in6.s6_addr[3] == 0)
&& (in6.s6_addr[4] == 0) && (in6.s6_addr[5] == 0)
&& (in6.s6_addr[6] == 0) && (in6.s6_addr[7] == 0)
&& (in6.s6_addr[8] == 0) && (in6.s6_addr[9] == 0)
&& (in6.s6_addr[10] == 0) && (in6.s6_addr[11] == 0)
&& (in6.s6_addr[12] == 0) && (in6.s6_addr[13] == 0)
&& (in6.s6_addr[14] == 0) && (in6.s6_addr[15] == 1));
}
/**
* Class storing both IPv4 and IPv6 prefixes
* (i.e., \c 192.168.1.1/16 and \c FD00::/8.
*/
class IPPrefix
{
public:
/**
* Constructs a prefix 0/0.
*/
IPPrefix() : length(0) {}
/**
* Constructs a prefix instance from an IPv4 address and a prefix
* length.
*
* @param in4 The IPv4 address.
*
* @param length The prefix length in the range from 0 to 32.
*/
IPPrefix(const in4_addr& in4, uint8_t length);
/**
* Constructs a prefix instance from an IPv6 address and a prefix
* length.
*
* @param in6 The IPv6 address.
*
* @param length The prefix length in the range from 0 to 128.
*/
IPPrefix(const in6_addr& in6, uint8_t length);
/**
* Constructs a prefix instance from an IPAddr object and prefix length.
*
* @param addr The IP address.
*
* @param length The prefix length in the range from 0 to 128
*/
IPPrefix(const IPAddr& addr, uint8_t length);
/**
* Copy constructor.
*/
IPPrefix(const IPPrefix& other)
: prefix(other.prefix), length(other.length) { }
/**
* Destructor.
*/
~IPPrefix() { }
/**
* Returns the prefix in the form of an IP address. The address will
* have all bits not part of the prefixed set to zero.
*/
const IPAddr& Prefix() const { return prefix; }
/**
* Returns the bit length of the prefix, relative to the 32 bits
* of an IPv4 prefix or relative to the 128 bits of an IPv6 prefix.
*/
uint8_t Length() const
{
return prefix.GetFamily() == IPAddr::IPv4 ? length - 96 : length;
}
/**
* Returns the bit length of the prefix always relative to a full
* 128 bits of an IPv6 prefix (or IPv4 mapped to IPv6).
*/
uint8_t LengthIPv6() const { return length; }
/** Returns true if the given address is part of the prefix.
*
* @param addr The address to test.
*/
bool Contains(const IPAddr& addr) const
{
IPAddr p(addr);
p.Mask(length);
return p == prefix;
}
/**
* Assignment operator.
*/
IPPrefix& operator=(const IPPrefix& other)
{
// No self-assignment check here because it's correct without it and
// makes the common case faster.
prefix = other.prefix;
length = other.length;
return *this;
}
/**
* Returns a string representation of the prefix. IPv4 addresses
* will be returned in dotted representation, IPv6 addresses in
* compressed hex.
*/
string AsString() const;
operator std::string() const { return AsString(); }
unsigned int MemoryAllocation() const { return padded_sizeof(*this); }
/**
* Comparison operator for IP prefix.
*/
friend bool operator==(const IPPrefix& net1, const IPPrefix& net2)
{
return net1.Prefix() == net2.Prefix() && net1.Length() == net2.Length();
}
/**
* Comparison operator IP prefixes. This defines a well-defined order for
* IP prefix. However, the order does not necessarily corresponding to their
* numerical values.
*/
friend bool operator<(const IPPrefix& net1, const IPPrefix& net2)
{
if ( net1.Prefix() < net2.Prefix() )
return true;
else if ( net1.Prefix() == net2.Prefix() )
return net1.Length() < net2.Length();
else
return false;
}
private:
IPAddr prefix; // We store it as an address with the non-prefix bits masked out via Mask().
uint8_t length; // The bit length of the prefix relative to full IPv6 addr.
};
#endif

81
src/LogMgr.cc
View file

@ -101,6 +101,12 @@ LogVal::~LogVal()
&& present )
delete val.string_val;
if ( type == TYPE_ADDR && present )
delete val.addr_val;
if ( type == TYPE_SUBNET && present )
delete val.subnet_val;
if ( type == TYPE_TABLE && present )
{
for ( int i = 0; i < val.set_val.size; i++ )
@ -193,40 +199,21 @@ bool LogVal::Read(SerializationFormat* fmt)
case TYPE_SUBNET:
{
uint32 net[4];
if ( ! (fmt->Read(&net[0], "net0") &&
fmt->Read(&net[1], "net1") &&
fmt->Read(&net[2], "net2") &&
fmt->Read(&net[3], "net3") &&
fmt->Read(&val.subnet_val.width, "width")) )
IPPrefix prefix;
if ( ! fmt->Read(&prefix, "subnet") )
return false;
#ifdef BROv6
val.subnet_val.net[0] = net[0];
val.subnet_val.net[1] = net[1];
val.subnet_val.net[2] = net[2];
val.subnet_val.net[3] = net[3];
#else
val.subnet_val.net = net[0];
#endif
val.subnet_val = new IPPrefix(prefix);
return true;
}
case TYPE_ADDR:
{
uint32 addr[4];
if ( ! (fmt->Read(&addr[0], "addr0") &&
fmt->Read(&addr[1], "addr1") &&
fmt->Read(&addr[2], "addr2") &&
fmt->Read(&addr[3], "addr3")) )
IPAddr addr;
if ( ! fmt->Read(&addr, "net") )
return false;
val.addr_val[0] = addr[0];
#ifdef BROv6
val.addr_val[1] = addr[1];
val.addr_val[2] = addr[2];
val.addr_val[3] = addr[3];
#endif
val.addr_val = new IPAddr(addr);
return true;
}
@ -307,40 +294,11 @@ bool LogVal::Write(SerializationFormat* fmt) const
return fmt->Write(val.uint_val, "uint");
case TYPE_SUBNET:
{
uint32 net[4];
#ifdef BROv6
net[0] = val.subnet_val.net[0];
net[1] = val.subnet_val.net[1];
net[2] = val.subnet_val.net[2];
net[3] = val.subnet_val.net[3];
#else
net[0] = val.subnet_val.net;
net[1] = net[2] = net[3] = 0;
#endif
return fmt->Write(net[0], "net0") &&
fmt->Write(net[1], "net1") &&
fmt->Write(net[2], "net2") &&
fmt->Write(net[3], "net3") &&
fmt->Write(val.subnet_val.width, "width");
}
return fmt->Write(*val.subnet_val, "subnet");
case TYPE_ADDR:
{
uint32 addr[4];
addr[0] = val.addr_val[0];
#ifdef BROv6
addr[1] = val.addr_val[1];
addr[2] = val.addr_val[2];
addr[3] = val.addr_val[3];
#else
addr[1] = addr[2] = addr[3] = 0;
#endif
return fmt->Write(addr[0], "addr0") &&
fmt->Write(addr[1], "addr1") &&
fmt->Write(addr[2], "addr2") &&
fmt->Write(addr[3], "addr3");
}
return fmt->Write(*val.addr_val, "addr");
case TYPE_DOUBLE:
case TYPE_TIME:
@ -1107,17 +1065,12 @@ LogVal* LogMgr::ValToLogVal(Val* val, BroType* ty)
break;
case TYPE_SUBNET:
lval->val.subnet_val = *val->AsSubNet();
lval->val.subnet_val = new IPPrefix(val->AsSubNet());
break;
case TYPE_ADDR:
{
addr_type t = val->AsAddr();
#ifdef BROv6
copy_addr(t, lval->val.addr_val);
#else
copy_addr(&t, lval->val.addr_val);
#endif
lval->val.addr_val = new IPAddr(val->AsAddr());
break;
}

5
src/LogMgr.h
View file

@ -8,6 +8,7 @@
#include "Val.h"
#include "EventHandler.h"
#include "RemoteSerializer.h"
#include "IPAddr.h"
class SerializationFormat;
@ -40,8 +41,8 @@ struct LogVal {
union _val {
bro_int_t int_val;
bro_uint_t uint_val;
uint32 addr_val[NUM_ADDR_WORDS];
subnet_type subnet_val;
IPAddr* addr_val;
IPPrefix* subnet_val;
double double_val;
string* string_val;
set_t set_val;

6
src/LogWriterAscii.cc
View file

@ -166,13 +166,11 @@ bool LogWriterAscii::DoWriteOne(ODesc* desc, LogVal* val, const LogField* field)
break;
case TYPE_SUBNET:
desc->Add(dotted_addr(val->val.subnet_val.net));
desc->Add("/");
desc->Add(val->val.subnet_val.width);
desc->Add(*val->val.subnet_val);
break;
case TYPE_ADDR:
desc->Add(dotted_addr(val->val.addr_val));
desc->Add(*val->val.addr_val);
break;
case TYPE_TIME:

6
src/OSFinger.cc
View file

@ -63,9 +63,11 @@ OSFingerprint::OSFingerprint(FingerprintMode arg_mode)
}
}
bool OSFingerprint::CacheMatch(uint32 addr, int id)
bool OSFingerprint::CacheMatch(const IPAddr& addr, int id)
{
HashKey key = HashKey(&addr, 1);
uint32 bytes[4];
addr.CopyIPv6(bytes);
HashKey key = HashKey(bytes, 4);
int* pid = new int;
*pid=id;
int* prev = os_matches.Insert(&key, pid);

3
src/OSFinger.h
View file

@ -14,6 +14,7 @@
#include "util.h"
#include "Dict.h"
#include "Reporter.h"
#include "IPAddr.h"
// Size limit for size wildcards.
#define PACKET_BIG 100
@ -88,7 +89,7 @@ public:
int FindMatch(struct os_type* retval, uint16 tot, uint8 DF_flag,
uint8 TTL, uint16 WSS, uint8 ocnt, uint8* op, uint16 MSS,
uint8 win_scale, uint32 tstamp, uint32 quirks, uint8 ECN) const;
bool CacheMatch(uint32 addr, int id);
bool CacheMatch(const IPAddr& addr, int id);
int Get_OS_From_SYN(struct os_type* retval,
uint16 tot, uint8 DF_flag, uint8 TTL, uint16 WSS,

12
src/PIA.cc
View file

@ -199,17 +199,21 @@ void PIA_TCP::FirstPacket(bool is_orig, const IP_Hdr* ip)
ip4_hdr = new IP_Hdr((const struct ip*) ip4);
}
const uint32* obytes;
const uint32* rbytes;
Conn()->OrigAddr().GetBytes(&obytes);
Conn()->RespAddr().GetBytes(&rbytes);
if ( is_orig )
{
copy_addr(Conn()->OrigAddr(), &ip4->ip_src.s_addr);
copy_addr(Conn()->RespAddr(), &ip4->ip_dst.s_addr);
memcpy(&ip4->ip_src.s_addr, obytes, sizeof(uint32));
memcpy(&ip4->ip_dst.s_addr, rbytes, sizeof(uint32));
tcp4->th_sport = htons(Conn()->OrigPort());
tcp4->th_dport = htons(Conn()->RespPort());
}
else
{
copy_addr(Conn()->RespAddr(), &ip4->ip_src.s_addr);
copy_addr(Conn()->OrigAddr(), &ip4->ip_dst.s_addr);
memcpy(&ip4->ip_src.s_addr, rbytes, sizeof(uint32));
memcpy(&ip4->ip_dst.s_addr, obytes, sizeof(uint32));
tcp4->th_sport = htons(Conn()->RespPort());
tcp4->th_dport = htons(Conn()->OrigPort());
}

30
src/PacketFilter.cc
View file

@ -1,11 +1,11 @@
#include "PacketFilter.h"
void PacketFilter::AddSrc(addr_type src, uint32 tcp_flags, double probability)
void PacketFilter::AddSrc(const IPAddr& src, uint32 tcp_flags, double probability)
{
Filter* f = new Filter;
f->tcp_flags = tcp_flags;
f->probability = uint32(probability * RAND_MAX);
src_filter.Insert(src, NUM_ADDR_WORDS * 32, f);
src_filter.Insert(src, 128, f);
}
void PacketFilter::AddSrc(Val* src, uint32 tcp_flags, double probability)
@ -16,12 +16,12 @@ void PacketFilter::AddSrc(Val* src, uint32 tcp_flags, double probability)
src_filter.Insert(src, f);
}
void PacketFilter::AddDst(addr_type dst, uint32 tcp_flags, double probability)
void PacketFilter::AddDst(const IPAddr& dst, uint32 tcp_flags, double probability)
{
Filter* f = new Filter;
f->tcp_flags = tcp_flags;
f->probability = uint32(probability * RAND_MAX);
dst_filter.Insert(dst, NUM_ADDR_WORDS * 32, f);
dst_filter.Insert(dst, 128, f);
}
void PacketFilter::AddDst(Val* dst, uint32 tcp_flags, double probability)
@ -32,9 +32,9 @@ void PacketFilter::AddDst(Val* dst, uint32 tcp_flags, double probability)
dst_filter.Insert(dst, f);
}
bool PacketFilter::RemoveSrc(addr_type src)
bool PacketFilter::RemoveSrc(const IPAddr& src)
{
return src_filter.Remove(src, NUM_ADDR_WORDS * 32) != 0;
return src_filter.Remove(src, 128) != 0;
}
bool PacketFilter::RemoveSrc(Val* src)
@ -42,9 +42,9 @@ bool PacketFilter::RemoveSrc(Val* src)
return src_filter.Remove(src) != NULL;
}
bool PacketFilter::RemoveDst(addr_type dst)
bool PacketFilter::RemoveDst(const IPAddr& dst)
{
return dst_filter.Remove(dst, NUM_ADDR_WORDS * 32) != NULL;
return dst_filter.Remove(dst, 128) != NULL;
}
bool PacketFilter::RemoveDst(Val* dst)
@ -54,21 +54,11 @@ bool PacketFilter::RemoveDst(Val* dst)
bool PacketFilter::Match(const IP_Hdr* ip, int len, int caplen)
{
#ifdef BROv6
Filter* f = (Filter*) src_filter.Lookup(ip->SrcAddr(),
NUM_ADDR_WORDS * 32);
#else
Filter* f = (Filter*) src_filter.Lookup(*ip->SrcAddr(),
NUM_ADDR_WORDS * 32);
#endif
Filter* f = (Filter*) src_filter.Lookup(ip->SrcAddr(), 128);
if ( f )
return MatchFilter(*f, *ip, len, caplen);
#ifdef BROv6
f = (Filter*) dst_filter.Lookup(ip->DstAddr(), NUM_ADDR_WORDS * 32);
#else
f = (Filter*) dst_filter.Lookup(*ip->DstAddr(), NUM_ADDR_WORDS * 32);
#endif
f = (Filter*) dst_filter.Lookup(ip->DstAddr(), 128);
if ( f )
return MatchFilter(*f, *ip, len, caplen);

8
src/PacketFilter.h
View file

@ -14,16 +14,16 @@ public:
// Drops all packets from a particular source (which may be given
// as an AddrVal or a SubnetVal) which hasn't any of TCP flags set
// (TH_*) with the given probability (from 0..MAX_PROB).
void AddSrc(addr_type src, uint32 tcp_flags, double probability);
void AddSrc(const IPAddr& src, uint32 tcp_flags, double probability);
void AddSrc(Val* src, uint32 tcp_flags, double probability);
void AddDst(addr_type src, uint32 tcp_flags, double probability);
void AddDst(const IPAddr& src, uint32 tcp_flags, double probability);
void AddDst(Val* src, uint32 tcp_flags, double probability);
// Removes the filter entry for the given src/dst
// Returns false if filter doesn not exist.
bool RemoveSrc(addr_type src);
bool RemoveSrc(const IPAddr& src);
bool RemoveSrc(Val* dst);
bool RemoveDst(addr_type dst);
bool RemoveDst(const IPAddr& dst);
bool RemoveDst(Val* dst);
// Returns true if packet matches a drop filter

44
src/PrefixTable.cc
View file

@ -1,34 +1,21 @@
#include "PrefixTable.h"
#include "Reporter.h"
// IPv4 version.
inline static prefix_t* make_prefix(const uint32 addr, int width)
inline static prefix_t* make_prefix(const IPAddr& addr, int width)
{
prefix_t* prefix = (prefix_t*) safe_malloc(sizeof(prefix_t));
memcpy(&prefix->add.sin, &addr, sizeof(prefix->add.sin)) ;
prefix->family = AF_INET;
prefix->bitlen = width;
prefix->ref_count = 1;
return prefix;
}
#ifdef BROv6
inline static prefix_t* make_prefix(const uint32* addr, int width)
{
prefix_t* prefix = (prefix_t*) safe_malloc(sizeof(prefix_t));
memcpy(&prefix->add.sin6, addr, 4 * sizeof(uint32));
uint32 bytes[4];
addr.CopyIPv6(bytes);
memcpy(&prefix->add.sin6, bytes, 4 * sizeof(uint32));
prefix->family = AF_INET6;
prefix->bitlen = width;
prefix->ref_count = 1;
return prefix;
}
#endif
void* PrefixTable::Insert(const_addr_type addr, int width, void* data)
void* PrefixTable::Insert(const IPAddr& addr, int width, void* data)
{
prefix_t* prefix = make_prefix(addr, width);
patricia_node_t* node = patricia_lookup(tree, prefix);
@ -55,12 +42,12 @@ void* PrefixTable::Insert(const Val* value, void* data)
switch ( value->Type()->Tag() ) {
case TYPE_ADDR:
return Insert(value->AsAddr(), NUM_ADDR_WORDS * 32, data);
return Insert(value->AsAddr(), 128, data);
break;
case TYPE_SUBNET:
return Insert(value->AsSubNet()->net,
value->AsSubNet()->width, data);
return Insert(value->AsSubNet().Prefix(),
value->AsSubNet().LengthIPv6(), data);
break;
default:
@ -69,7 +56,7 @@ void* PrefixTable::Insert(const Val* value, void* data)
}
}
void* PrefixTable::Lookup(const_addr_type addr, int width, bool exact) const
void* PrefixTable::Lookup(const IPAddr& addr, int width, bool exact) const
{
prefix_t* prefix = make_prefix(addr, width);
patricia_node_t* node =
@ -89,12 +76,12 @@ void* PrefixTable::Lookup(const Val* value, bool exact) const
switch ( value->Type()->Tag() ) {
case TYPE_ADDR:
return Lookup(value->AsAddr(), NUM_ADDR_WORDS * 32, exact);
return Lookup(value->AsAddr(), 128, exact);
break;
case TYPE_SUBNET:
return Lookup(value->AsSubNet()->net,
value->AsSubNet()->width, exact);
return Lookup(value->AsSubNet().Prefix(),
value->AsSubNet().LengthIPv6(), exact);
break;
default:
@ -104,7 +91,7 @@ void* PrefixTable::Lookup(const Val* value, bool exact) const
}
}
void* PrefixTable::Remove(const_addr_type addr, int width)
void* PrefixTable::Remove(const IPAddr& addr, int width)
{
prefix_t* prefix = make_prefix(addr, width);
patricia_node_t* node = patricia_search_exact(tree, prefix);
@ -128,11 +115,12 @@ void* PrefixTable::Remove(const Val* value)
switch ( value->Type()->Tag() ) {
case TYPE_ADDR:
return Remove(value->AsAddr(), NUM_ADDR_WORDS * 32);
return Remove(value->AsAddr(), 128);
break;
case TYPE_SUBNET:
return Remove(value->AsSubNet()->net, value->AsSubNet()->width);
return Remove(value->AsSubNet().Prefix(),
value->AsSubNet().LengthIPv6());
break;
default:

7
src/PrefixTable.h
View file

@ -3,6 +3,7 @@
#include "Val.h"
#include "net_util.h"
#include "IPAddr.h"
extern "C" {
#include "patricia.h"
@ -24,7 +25,7 @@ public:
// Addr in network byte order. If data is zero, acts like a set.
// Returns ptr to old data if already existing.
// For existing items without data, returns non-nil if found.
void* Insert(const_addr_type addr, int width, void* data = 0);
void* Insert(const IPAddr& addr, int width, void* data = 0);
// Value may be addr or subnet.
void* Insert(const Val* value, void* data = 0);
@ -32,11 +33,11 @@ public:
// Returns nil if not found, pointer to data otherwise.
// For items without data, returns non-nil if found.
// If exact is false, performs exact rather than longest-prefix match.
void* Lookup(const_addr_type addr, int width, bool exact = false) const;
void* Lookup(const IPAddr& addr, int width, bool exact = false) const;
void* Lookup(const Val* value, bool exact = false) const;
// Returns pointer to data or nil if not found.
void* Remove(const_addr_type addr, int width);
void* Remove(const IPAddr& addr, int width);
void* Remove(const Val* value);
void Clear() { Clear_Patricia(tree, 0); }

2
src/Reassem.cc
View file

@ -43,7 +43,7 @@ DataBlock::DataBlock(const u_char* data, int size, int arg_seq,
unsigned int Reassembler::total_size = 0;
Reassembler::Reassembler(int init_seq, const uint32* ip_addr,
Reassembler::Reassembler(int init_seq, const IPAddr& ip_addr,
ReassemblerType arg_type)
{
blocks = last_block = 0;

3
src/Reassem.h
View file

@ -4,6 +4,7 @@
#define reassem_h
#include "Obj.h"
#include "IPAddr.h"
class DataBlock {
public:
@ -25,7 +26,7 @@ enum ReassemblerType { REASSEM_IP, REASSEM_TCP };
class Reassembler : public BroObj {
public:
Reassembler(int init_seq, const uint32* ip_addr,
Reassembler(int init_seq, const IPAddr& ip_addr,
ReassemblerType arg_type);
virtual ~Reassembler();

31
src/RemoteSerializer.cc
View file

@ -185,6 +185,7 @@
#include "Conn.h"
#include "LogMgr.h"
#include "Reporter.h"
#include "IPAddr.h"
extern "C" {
#include "setsignal.h"
@ -670,8 +671,8 @@ void RemoteSerializer::Fork()
}
}
RemoteSerializer::PeerID RemoteSerializer::Connect(addr_type ip, uint16 port,
const char* our_class, double retry, bool use_ssl)
RemoteSerializer::PeerID RemoteSerializer::Connect(const IPAddr& ip,
uint16 port, const char* our_class, double retry, bool use_ssl)
{
if ( ! using_communication )
return true;
@ -679,16 +680,12 @@ RemoteSerializer::PeerID RemoteSerializer::Connect(addr_type ip, uint16 port,
if ( ! initialized )
reporter->InternalError("remote serializer not initialized");
#ifdef BROv6
if ( ! is_v4_addr(ip) )
if ( ip.GetFamily() == IPAddr::IPv6 )
Error("inter-Bro communication not supported over IPv6");
uint32 ip4 = to_v4_addr(ip);
#else
uint32 ip4 = ip;
#endif
ip4 = ntohl(ip4);
const uint32* bytes;
ip.GetBytes(&bytes);
uint32 ip4 = ntohl(*bytes);
if ( ! child_pid )
Fork();
@ -1232,7 +1229,7 @@ bool RemoteSerializer::SendCapabilities(Peer* peer)
return caps ? SendToChild(MSG_CAPS, peer, 3, caps, 0, 0) : true;
}
bool RemoteSerializer::Listen(addr_type ip, uint16 port, bool expect_ssl)
bool RemoteSerializer::Listen(const IPAddr& ip, uint16 port, bool expect_ssl)
{
if ( ! using_communication )
return true;
@ -1240,16 +1237,12 @@ bool RemoteSerializer::Listen(addr_type ip, uint16 port, bool expect_ssl)
if ( ! initialized )
reporter->InternalError("remote serializer not initialized");
#ifdef BROv6
if ( ! is_v4_addr(ip) )
if ( ip.GetFamily() == IPAddr::IPv6 )
Error("inter-Bro communication not supported over IPv6");
uint32 ip4 = to_v4_addr(ip);
#else
uint32 ip4 = ip;
#endif
ip4 = ntohl(ip4);
const uint32* bytes;
ip.GetBytes(&bytes);
uint32 ip4 = ntohl(*bytes);
if ( ! SendToChild(MSG_LISTEN, 0, 3, ip4, port, expect_ssl) )
return false;

4
src/RemoteSerializer.h
View file

@ -32,7 +32,7 @@ public:
static const PeerID PEER_NONE = SOURCE_LOCAL;
// Connect to host (returns PEER_NONE on error).
PeerID Connect(addr_type ip, uint16 port, const char* our_class, double retry, bool use_ssl);
PeerID Connect(const IPAddr& ip, uint16 port, const char* our_class, double retry, bool use_ssl);
// Close connection to host.
bool CloseConnection(PeerID peer);
@ -60,7 +60,7 @@ public:
bool CompleteHandshake(PeerID peer);
// Start to listen.
bool Listen(addr_type ip, uint16 port, bool expect_ssl);
bool Listen(const IPAddr& ip, uint16 port, bool expect_ssl);
// Stop it.
bool StopListening();

4
src/Reporter.cc
View file

@ -155,7 +155,7 @@ void Reporter::WeirdHelper(EventHandlerPtr event, Val* conn_val, const char* add
delete vl;
}
void Reporter::WeirdFlowHelper(const uint32* orig, const uint32* resp, const char* fmt_name, ...)
void Reporter::WeirdFlowHelper(const IPAddr& orig, const IPAddr& resp, const char* fmt_name, ...)
{
val_list* vl = new val_list(2);
vl->append(new AddrVal(orig));
@ -184,7 +184,7 @@ void Reporter::Weird(Val* conn_val, const char* name, const char* addl)
WeirdHelper(conn_weird, conn_val, addl, "%s", name);
}
void Reporter::Weird(const uint32* orig, const uint32* resp, const char* name)
void Reporter::Weird(const IPAddr& orig, const IPAddr& resp, const char* name)
{
WeirdFlowHelper(orig, resp, "%s", name);
}

5
src/Reporter.h
View file

@ -11,6 +11,7 @@
#include "util.h"
#include "net_util.h"
#include "EventHandler.h"
#include "IPAddr.h"
class Connection;
class Location;
@ -74,7 +75,7 @@ public:
void Weird(const char* name); // Raises net_weird().
void Weird(Connection* conn, const char* name, const char* addl = ""); // Raises conn_weird().
void Weird(Val* conn_val, const char* name, const char* addl = ""); // Raises conn_weird().
void Weird(const uint32* orig, const uint32* resp, const char* name); // Raises flow_weird().
void Weird(const IPAddr& orig, const IPAddr& resp, const char* name); // Raises flow_weird().
// Syslog a message. This methods does nothing if we're running
// offline from a trace.
@ -121,7 +122,7 @@ private:
// The order if addl, name needs to be like that since fmt_name can
// contain format specifiers
void WeirdHelper(EventHandlerPtr event, Val* conn_val, const char* addl, const char* fmt_name, ...);
void WeirdFlowHelper(const uint32* orig, const uint32* resp, const char* fmt_name, ...);
void WeirdFlowHelper(const IPAddr& orig, const IPAddr& resp, const char* fmt_name, ...);
int errors;
bool via_events;

20
src/RuleMatcher.cc
View file

@ -1067,16 +1067,22 @@ static bool val_to_maskedval(Val* v, maskedvalue_list* append_to)
break;
case TYPE_SUBNET:
#ifdef BROv6
{
uint32* n = v->AsSubNet()->net;
uint32* m = v->AsSubNetVal()->Mask();
const uint32* n;
uint32 m[4];
v->AsSubNet().Prefix().GetBytes(&n);
v->AsSubNetVal()->Mask().CopyIPv6(m);
for ( unsigned int i = 0; i < 4; ++i )
m[i] = ntohl(m[i]);
bool is_v4_mask = m[0] == 0xffffffff &&
m[1] == m[0] && m[2] == m[0];
if ( is_v4_addr(n) && is_v4_mask )
if ( v->AsSubNet().Prefix().GetFamily() == IPAddr::IPv4 &&
is_v4_mask )
{
mval->val = ntohl(to_v4_addr(n));
mval->val = ntohl(*n);
mval->mask = m[3];
}
@ -1087,10 +1093,6 @@ static bool val_to_maskedval(Val* v, maskedvalue_list* append_to)
mval->mask = 0;
}
}
#else
mval->val = ntohl(v->AsSubNet()->net);
mval->mask = v->AsSubNetVal()->Mask();
#endif
break;
default:

9
src/SSH.cc
View file

@ -50,23 +50,24 @@ void SSH_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
// SSH-<protocolmajor>.<protocolminor>-<version>\n
//
// We're interested in the "version" part here.
if ( length < 4 || memcmp(line, "SSH-", 4) != 0 )
{
Weird("malformed_ssh_identification");
ProtocolViolation("malformed ssh identification", line, length);
return;
}
int i;
for ( i = 4; i < length && line[i] != '-'; ++i )
;
if ( TCP() )
{
if ( length >= i )
{
const uint32* dst;
IPAddr dst;
if ( is_orig )
dst = TCP()->Orig()->dst_addr;
else

87
src/SerializationFormat.cc
View file

@ -230,6 +230,45 @@ bool BinarySerializationFormat::Read(string* v, const char* tag)
return true;
}
bool BinarySerializationFormat::Read(IPAddr* addr, const char* tag)
{
int n = 0;
if ( ! Read(&n, "addr-len") )
return false;
if ( n != 1 && n != 4 )
return false;
uint32_t raw[4];
for ( int i = 0; i < n; ++i )
{
if ( ! Read(&raw[i], "addr-part") )
return false;
raw[i] = htonl(raw[i]);
}
if ( n == 1 )
*addr = IPAddr(IPAddr::IPv4, raw, IPAddr::Network);
else
*addr = IPAddr(IPAddr::IPv6, raw, IPAddr::Network);
return true;
}
bool BinarySerializationFormat::Read(IPPrefix* prefix, const char* tag)
{
IPAddr addr;
int len;
if ( ! (Read(&addr, "prefix") && Read(&len, "width")) )
return false;
*prefix = IPPrefix(addr, len);
return true;
}
bool BinarySerializationFormat::Write(char v, const char* tag)
{
DBG_LOG(DBG_SERIAL, "Write char %s [%s]", fmt_bytes(&v, 1), tag);
@ -299,6 +338,30 @@ bool BinarySerializationFormat::Write(const string& s, const char* tag)
return Write(s.data(), s.size(), tag);
}
bool BinarySerializationFormat::Write(const IPAddr& addr, const char* tag)
{
const uint32_t* raw;
int n = addr.GetBytes(&raw);
assert(n == 1 || n == 4);
if ( ! Write(n, "addr-len") )
return false;
for ( int i = 0; i < n; ++i )
{
if ( ! Write(ntohl(raw[i]), "addr-part") )
return false;
}
return true;
}
bool BinarySerializationFormat::Write(const IPPrefix& prefix, const char* tag)
{
return Write(prefix.Prefix(), "prefix") && Write(prefix.Length(), "width");
}
bool BinarySerializationFormat::WriteOpenTag(const char* tag)
{
return true;
@ -389,6 +452,18 @@ bool XMLSerializationFormat::Read(string* s, const char* tag)
return false;
}
bool XMLSerializationFormat::Read(IPAddr* addr, const char* tag)
{
reporter->InternalError("no reading of xml");
return false;
}
bool XMLSerializationFormat::Read(IPPrefix* prefix, const char* tag)
{
reporter->InternalError("no reading of xml");
return false;
}
bool XMLSerializationFormat::Write(char v, const char* tag)
{
return WriteElem(tag, "char", &v, 1);
@ -469,6 +544,18 @@ bool XMLSerializationFormat::Write(const char* buf, int len, const char* tag)
return WriteElem(tag, "string", buf, len);
}
bool XMLSerializationFormat::Write(const IPAddr& addr, const char* tag)
{
reporter->InternalError("XML output of addresses not implemented");
return false;
}
bool XMLSerializationFormat::Write(const IPPrefix& prefix, const char* tag)
{
reporter->InternalError("XML output of prefixes not implemented");
return false;
}
bool XMLSerializationFormat::WriteEncodedString(const char* s, int len)
{
while ( len-- )

12
src/SerializationFormat.h
View file

@ -28,6 +28,8 @@ public:
virtual bool Read(bool* v, const char* tag) = 0;
virtual bool Read(double* d, const char* tag) = 0;
virtual bool Read(string* s, const char* tag) = 0;
virtual bool Read(IPAddr* addr, const char* tag) = 0;
virtual bool Read(IPPrefix* prefix, const char* tag) = 0;
// Returns number of raw bytes read since last call to StartRead().
int BytesRead() const { return bytes_read; }
@ -50,6 +52,8 @@ public:
virtual bool Write(const char* s, const char* tag) = 0;
virtual bool Write(const char* buf, int len, const char* tag) = 0;
virtual bool Write(const string& s, const char* tag) = 0;
virtual bool Write(const IPAddr& addr, const char* tag) = 0;
virtual bool Write(const IPPrefix& prefix, const char* tag) = 0;
virtual bool WriteOpenTag(const char* tag) = 0;
virtual bool WriteCloseTag(const char* tag) = 0;
@ -90,6 +94,8 @@ public:
virtual bool Read(double* d, const char* tag);
virtual bool Read(char** str, int* len, const char* tag);
virtual bool Read(string* s, const char* tag);
virtual bool Read(IPAddr* addr, const char* tag);
virtual bool Read(IPPrefix* prefix, const char* tag);
virtual bool Write(int v, const char* tag);
virtual bool Write(uint16 v, const char* tag);
virtual bool Write(uint32 v, const char* tag);
@ -101,6 +107,8 @@ public:
virtual bool Write(const char* s, const char* tag);
virtual bool Write(const char* buf, int len, const char* tag);
virtual bool Write(const string& s, const char* tag);
virtual bool Write(const IPAddr& addr, const char* tag);
virtual bool Write(const IPPrefix& prefix, const char* tag);
virtual bool WriteOpenTag(const char* tag);
virtual bool WriteCloseTag(const char* tag);
virtual bool WriteSeparator();
@ -123,6 +131,8 @@ public:
virtual bool Write(const char* s, const char* tag);
virtual bool Write(const char* buf, int len, const char* tag);
virtual bool Write(const string& s, const char* tag);
virtual bool Write(const IPAddr& addr, const char* tag);
virtual bool Write(const IPPrefix& prefix, const char* tag);
virtual bool WriteOpenTag(const char* tag);
virtual bool WriteCloseTag(const char* tag);
virtual bool WriteSeparator();
@ -138,6 +148,8 @@ public:
virtual bool Read(double* d, const char* tag);
virtual bool Read(char** str, int* len, const char* tag);
virtual bool Read(string* s, const char* tag);
virtual bool Read(IPAddr* addr, const char* tag);
virtual bool Read(IPPrefix* prefix, const char* tag);
private:
// Encodes non-printable characters.

4
src/Serializer.cc
View file

@ -1103,9 +1103,9 @@ void EventPlayer::Process()
void Packet::Describe(ODesc* d) const
{
const IP_Hdr ip = IP();
d->Add(dotted_addr(ip.SrcAddr()));
d->Add(ip.SrcAddr());
d->Add("->");
d->Add(dotted_addr(ip.DstAddr()));
d->Add(ip.DstAddr());
}
bool Packet::Serialize(SerialInfo* info) const

4
src/Serializer.h
View file

@ -69,6 +69,8 @@ public:
{ return format->Read(const_cast<char**>(str), len, tag); }
bool Read(string* s, const char* tag);
bool Read(IPAddr* a, const char* tag) { return format->Read(a, tag); }
bool Read(IPPrefix* p, const char* tag) { return format->Read(p, tag); }
bool Write(const char* s, const char* tag)
{ return format->Write(s, tag); }
@ -76,6 +78,8 @@ public:
{ return format->Write(buf, len, tag); }
bool Write(const string& s, const char* tag)
{ return format->Write(s.data(), s.size(), tag); }
bool Write(const IPAddr& a, const char* tag) { return format->Write(a, tag); }
bool Write(const IPPrefix& p, const char* tag) { return format->Write(p, tag); }
bool WriteOpenTag(const char* tag)
{ return format->WriteOpenTag(tag); }

47
src/Sessions.cc
View file

@ -71,8 +71,8 @@ void TimerMgrExpireTimer::Dispatch(double t, int is_expire)
NetSessions::NetSessions()
{
TypeList* t = new TypeList();
t->Append(base_type(TYPE_COUNT)); // source IP address
t->Append(base_type(TYPE_COUNT)); // dest IP address
t->Append(base_type(TYPE_ADDR)); // source IP address
t->Append(base_type(TYPE_ADDR)); // dest IP address
t->Append(base_type(TYPE_COUNT)); // source and dest ports
ch = new CompositeHash(t);
@ -280,18 +280,22 @@ void NetSessions::NextPacket(double t, const struct pcap_pkthdr* hdr,
DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size);
}
else if ( arp_analyzer && arp_analyzer->IsARP(pkt, hdr_size) )
arp_analyzer->NextPacket(t, hdr, pkt, hdr_size);
else if ( ip->ip_v == 6 )
{
IP_Hdr ip_hdr((const struct ip6_hdr*) (pkt + hdr_size));
DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size);
}
else if ( ARP_Analyzer::IsARP(pkt, hdr_size) )
{
if ( arp_analyzer )
arp_analyzer->NextPacket(t, hdr, pkt, hdr_size);
}
else
{
#ifdef BROv6
IP_Hdr ip_hdr((const struct ip6_hdr*) (pkt + hdr_size));
DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size);
#else
Weird("non_IPv4_packet", hdr, pkt);
Weird("unknown_packet_type", hdr, pkt);
return;
#endif
}
}
@ -629,8 +633,8 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
int record_packet = 1; // whether to record the packet at all
int record_content = 1; // whether to record its data
int is_orig = addr_eq(id.src_addr, conn->OrigAddr()) &&
id.src_port == conn->OrigPort();
int is_orig = (id.src_addr == conn->OrigAddr()) &&
(id.src_port == conn->OrigPort());
if ( new_packet && ip4 )
conn->Event(new_packet, 0, BuildHeader(ip4));
@ -769,13 +773,11 @@ Val* NetSessions::BuildHeader(const struct ip* ip)
FragReassembler* NetSessions::NextFragment(double t, const IP_Hdr* ip,
const u_char* pkt, uint32 frag_field)
{
uint32 src_addr = uint32(ip->SrcAddr4());
uint32 dst_addr = uint32(ip->DstAddr4());
uint32 frag_id = ntohs(ip->ID4()); // we actually could skip conv.
ListVal* key = new ListVal(TYPE_ANY);
key->Append(new Val(src_addr, TYPE_COUNT));
key->Append(new Val(dst_addr, TYPE_COUNT));
key->Append(new AddrVal(ip->SrcAddr()));
key->Append(new AddrVal(ip->DstAddr()));
key->Append(new Val(frag_id, TYPE_COUNT));
HashKey* h = ch->ComputeHash(key, 1);
@ -810,7 +812,7 @@ int NetSessions::Get_OS_From_SYN(struct os_type* retval,
quirks, ECN) : 0;
}
bool NetSessions::CompareWithPreviousOSMatch(uint32 addr, int id) const
bool NetSessions::CompareWithPreviousOSMatch(const IPAddr& addr, int id) const
{
return SYN_OS_Fingerprinter ?
SYN_OS_Fingerprinter->CacheMatch(addr, id) : 0;
@ -851,21 +853,16 @@ Connection* NetSessions::FindConnection(Val* v)
// types, too.
}
addr_type orig_addr = (*vl)[orig_h]->AsAddr();
addr_type resp_addr = (*vl)[resp_h]->AsAddr();
const IPAddr& orig_addr = (*vl)[orig_h]->AsAddr();
const IPAddr& resp_addr = (*vl)[resp_h]->AsAddr();
PortVal* orig_portv = (*vl)[orig_p]->AsPortVal();
PortVal* resp_portv = (*vl)[resp_p]->AsPortVal();
ConnID id;
#ifdef BROv6
id.src_addr = orig_addr;
id.dst_addr = resp_addr;
#else
id.src_addr = &orig_addr;
id.dst_addr = &resp_addr;
#endif
id.src_port = htons((unsigned short) orig_portv->Port());
id.dst_port = htons((unsigned short) resp_portv->Port());
@ -1133,7 +1130,7 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
// an analyzable connection.
ConnID flip_id = *id;
const uint32* ta = flip_id.src_addr;
const IPAddr ta = flip_id.src_addr;
flip_id.src_addr = flip_id.dst_addr;
flip_id.dst_addr = ta;

2
src/Sessions.h
View file

@ -87,7 +87,7 @@ public:
uint32 tstamp, /* uint8 TOS, */ uint32 quirks,
uint8 ECN) const;
bool CompareWithPreviousOSMatch(uint32 addr, int id) const;
bool CompareWithPreviousOSMatch(const IPAddr& addr, int id) const;
// Looks up the connection referred to by the given Val,
// which should be a conn_id record. Returns nil if there's

12
src/TCP.cc
View file

@ -276,7 +276,7 @@ void TCP_Analyzer::ProcessSYN(const IP_Hdr* ip, const struct tcphdr* tp,
uint32 tcp_hdr_len, int& seq_len,
TCP_Endpoint* endpoint, TCP_Endpoint* peer,
uint32 base_seq, uint32 ack_seq,
const uint32* orig_addr,
const IPAddr& orig_addr,
int is_orig, TCP_Flags flags)
{
int len = seq_len;
@ -346,7 +346,7 @@ void TCP_Analyzer::ProcessSYN(const IP_Hdr* ip, const struct tcphdr* tp,
// is_orig will be removed once we can do SYN-ACK fingerprinting.
if ( OS_version_found && is_orig )
{
Val src_addr_val(orig_addr, TYPE_ADDR);
AddrVal src_addr_val(orig_addr);
if ( generate_OS_version_event->Size() == 0 ||
generate_OS_version_event->Lookup(&src_addr_val) )
{
@ -414,7 +414,7 @@ int TCP_Analyzer::ProcessFlags(double t,
uint32 tcp_hdr_len, int len, int& seq_len,
TCP_Endpoint* endpoint, TCP_Endpoint* peer,
uint32 base_seq, uint32 ack_seq,
const uint32* orig_addr,
const IPAddr& orig_addr,
int is_orig, TCP_Flags flags)
{
if ( flags.SYN() )
@ -989,8 +989,8 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
if ( ! orig->did_close || ! resp->did_close )
Conn()->SetLastTime(t);
const uint32* orig_addr = Conn()->OrigAddr();
const uint32* resp_addr = Conn()->RespAddr();
const IPAddr orig_addr = Conn()->OrigAddr();
const IPAddr resp_addr = Conn()->RespAddr();
uint32 tcp_hdr_len = data - (const u_char*) tp;
@ -1331,7 +1331,7 @@ RecordVal* TCP_Analyzer::BuildOSVal(int is_orig, const IP_Hdr* ip,
tstamp, quirks,
uint8(tcp->th_flags & (TH_ECE|TH_CWR)));
if ( sessions->CompareWithPreviousOSMatch(ip->SrcAddr4(), id) )
if ( sessions->CompareWithPreviousOSMatch(ip->SrcAddr(), id) )
{
RecordVal* os = new RecordVal(OS_version);

5
src/TCP.h
View file

@ -6,6 +6,7 @@
#include "Analyzer.h"
#include "TCP.h"
#include "PacketDumper.h"
#include "IPAddr.h"
// We define two classes here:
// - TCP_Analyzer is the analyzer for the TCP protocol itself.
@ -128,7 +129,7 @@ protected:
uint32 tcp_hdr_len, int& seq_len,
TCP_Endpoint* endpoint, TCP_Endpoint* peer,
uint32 base_seq, uint32 ack_seq,
const uint32* orig_addr,
const IPAddr& orig_addr,
int is_orig, TCP_Flags flags);
void ProcessFIN(double t, TCP_Endpoint* endpoint, int& seq_len,
@ -144,7 +145,7 @@ protected:
uint32 tcp_hdr_len, int len, int& seq_len,
TCP_Endpoint* endpoint, TCP_Endpoint* peer,
uint32 base_seq, uint32 ack_seq,
const uint32* orig_addr,
const IPAddr& orig_addr,
int is_orig, TCP_Flags flags);
void TransitionFromInactive(double t, TCP_Endpoint* endpoint,

13
src/TCP_Endpoint.cc
View file

@ -32,13 +32,12 @@ TCP_Endpoint::TCP_Endpoint(TCP_Analyzer* arg_analyzer, int arg_is_orig)
dst_addr = is_orig ? tcp_analyzer->Conn()->OrigAddr() :
tcp_analyzer->Conn()->RespAddr();
#ifdef BROv6
checksum_base = ones_complement_checksum((void*) src_addr, 16, 0);
checksum_base = ones_complement_checksum((void*) dst_addr, 16, checksum_base);
#else
checksum_base = ones_complement_checksum((void*) src_addr, 4, 0);
checksum_base = ones_complement_checksum((void*) dst_addr, 4, checksum_base);
#endif
const uint32* src_bytes;
const uint32* dst_bytes;
int n = src_addr.GetBytes(&src_bytes);
int m = dst_addr.GetBytes(&dst_bytes);
checksum_base = ones_complement_checksum((void*) src_bytes, n*4, 0);
checksum_base = ones_complement_checksum((void*) dst_bytes, m*4, checksum_base);
// Note, for IPv6, strictly speaking this field is 32 bits
// rather than 16 bits. But because the upper bits are all zero,
// we get the same checksum either way. The same applies to

6
src/TCP_Endpoint.h
View file

@ -3,6 +3,8 @@
#ifndef tcpendpoint_h
#define tcpendpoint_h
#include "IPAddr.h"
typedef enum {
TCP_ENDPOINT_INACTIVE, // no SYN (or other packets) seen for this side
TCP_ENDPOINT_SYN_SENT, // SYN seen, but no ack
@ -128,8 +130,8 @@ public:
uint32 checksum_base;
double start_time, last_time;
const uint32* src_addr; // the other endpoint
const uint32* dst_addr; // this endpoint
IPAddr src_addr; // the other endpoint
IPAddr dst_addr; // this endpoint
uint32 window; // current congestion window (*scaled*, not pre-scaling)
int window_scale; // from the TCP option
uint32 window_ack_seq; // at which ack_seq number did we record 'window'

2
src/UDP.cc
View file

@ -61,11 +61,9 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
udp_checksum(ip->IP4_Hdr(), up, len) != 0xffff )
bad = true;
#ifdef BROv6
if ( ip->IP6_Hdr() && /* checksum is not optional for IPv6 */
udp6_checksum(ip->IP6_Hdr(), up, len) != 0xffff )
bad = true;
#endif
if ( bad )
{

404
src/Val.cc
View file

@ -25,7 +25,7 @@
#include "PrefixTable.h"
#include "Conn.h"
#include "Reporter.h"
#include "IPAddr.h"
Val::Val(Func* f)
{
@ -205,29 +205,10 @@ bool Val::DoSerialize(SerialInfo* info) const
val.string_val->Len());
case TYPE_INTERNAL_ADDR:
return SERIALIZE(NUM_ADDR_WORDS)
#ifdef BROv6
&& SERIALIZE(uint32(ntohl(val.addr_val[0])))
&& SERIALIZE(uint32(ntohl(val.addr_val[1])))
&& SERIALIZE(uint32(ntohl(val.addr_val[2])))
&& SERIALIZE(uint32(ntohl(val.addr_val[3])));
#else
&& SERIALIZE(uint32(ntohl(val.addr_val)));
#endif
return SERIALIZE(*val.addr_val);
case TYPE_INTERNAL_SUBNET:
return info->s->WriteOpenTag("subnet")
&& SERIALIZE(NUM_ADDR_WORDS)
#ifdef BROv6
&& SERIALIZE(uint32(ntohl(val.subnet_val.net[0])))
&& SERIALIZE(uint32(ntohl(val.subnet_val.net[1])))
&& SERIALIZE(uint32(ntohl(val.subnet_val.net[2])))
&& SERIALIZE(uint32(ntohl(val.subnet_val.net[3])))
#else
&& SERIALIZE(uint32(ntohl(val.subnet_val.net)))
#endif
&& SERIALIZE(val.subnet_val.width)
&& info->s->WriteCloseTag("subnet");
return SERIALIZE(*val.subnet_val);
case TYPE_INTERNAL_OTHER:
// Derived classes are responsible for this.
@ -294,94 +275,15 @@ bool Val::DoUnserialize(UnserialInfo* info)
case TYPE_INTERNAL_ADDR:
{
int num_words;
if ( ! UNSERIALIZE(&num_words) )
return false;
if ( num_words != 1 && num_words != 4 )
{
info->s->Error("bad address type");
return false;
}
uint32 a[4]; // big enough to hold either
for ( int i = 0; i < num_words; ++i )
{
if ( ! UNSERIALIZE(&a[i]) )
return false;
a[i] = htonl(a[i]);
}
#ifndef BROv6
if ( num_words == 4 )
{
if ( a[0] || a[1] || a[2] )
info->s->Warning("received IPv6 address, ignoring");
((AddrVal*) this)->Init(a[3]);
}
else
((AddrVal*) this)->Init(a[0]);
#else
if ( num_words == 1 )
((AddrVal*) this)->Init(a[0]);
else
((AddrVal*) this)->Init(a);
#endif
val.addr_val = new IPAddr();
return UNSERIALIZE(val.addr_val);
}
return true;
case TYPE_INTERNAL_SUBNET:
{
int num_words;
if ( ! UNSERIALIZE(&num_words) )
return false;
if ( num_words != 1 && num_words != 4 )
{
info->s->Error("bad subnet type");
return false;
}
uint32 a[4]; // big enough to hold either
for ( int i = 0; i < num_words; ++i )
{
if ( ! UNSERIALIZE(&a[i]) )
return false;
a[i] = htonl(a[i]);
}
int width;
if ( ! UNSERIALIZE(&width) )
return false;
#ifdef BROv6
if ( num_words == 1 )
{
a[3] = a[0];
a[0] = a[1] = a[2] = 0;
}
((SubNetVal*) this)->Init(a, width);
#else
if ( num_words == 4 )
{
if ( a[0] || a[1] || a[2] )
info->s->Warning("received IPv6 subnet, ignoring");
a[0] = a[3];
if ( width > 32 )
width -= 96;
}
((SubNetVal*) this)->Init(a[0], width);
#endif
val.subnet_val = new IPPrefix();
return UNSERIALIZE(val.subnet_val);
}
return true;
case TYPE_INTERNAL_OTHER:
// Derived classes are responsible for this.
@ -590,12 +492,10 @@ void Val::ValDescribe(ODesc* d) const
case TYPE_INTERNAL_UNSIGNED: d->Add(val.uint_val); break;
case TYPE_INTERNAL_DOUBLE: d->Add(val.double_val); break;
case TYPE_INTERNAL_STRING: d->AddBytes(val.string_val); break;
case TYPE_INTERNAL_ADDR: d->Add(dotted_addr(val.addr_val)); break;
case TYPE_INTERNAL_ADDR: d->Add(val.addr_val->AsString().c_str()); break;
case TYPE_INTERNAL_SUBNET:
d->Add(dotted_addr(val.subnet_val.net));
d->Add("/");
d->Add(val.subnet_val.width);
d->Add(val.subnet_val->AsString().c_str());
break;
case TYPE_INTERNAL_ERROR: d->AddCS("error"); break;
@ -706,7 +606,8 @@ ID* MutableVal::Bind() const
ip = htonl(0x7f000001); // 127.0.0.1
safe_snprintf(name, MAX_NAME_SIZE, "#%s#%d#",
dotted_addr(ip), getpid());
IPAddr(IPAddr::IPv4, &ip, IPAddr::Network)->AsString().c_str(),
getpid());
#else
safe_snprintf(name, MAX_NAME_SIZE, "#%s#%d#", host, getpid());
#endif
@ -956,92 +857,41 @@ bool PortVal::DoUnserialize(UnserialInfo* info)
AddrVal::AddrVal(const char* text) : Val(TYPE_ADDR)
{
const char* colon = strchr(text, ':');
if ( colon )
{
#ifdef BROv6
Init(dotted_to_addr6(text));
#else
reporter->Error("bro wasn't compiled with IPv6 support");
Init(uint32(0));
#endif
}
else
Init(dotted_to_addr(text));
val.addr_val = new IPAddr(text);
}
AddrVal::AddrVal(uint32 addr) : Val(TYPE_ADDR)
{
// ### perhaps do gethostbyaddr here?
Init(addr);
val.addr_val = new IPAddr(IPAddr::IPv4, &addr, IPAddr::Network);
}
AddrVal::AddrVal(const uint32* addr) : Val(TYPE_ADDR)
AddrVal::AddrVal(const uint32 addr[4]) : Val(TYPE_ADDR)
{
Init(addr);
val.addr_val = new IPAddr(IPAddr::IPv6, addr, IPAddr::Network);
}
AddrVal::AddrVal(const IPAddr& addr) : Val(TYPE_ADDR)
{
val.addr_val = new IPAddr(addr);
}
AddrVal::~AddrVal()
{
#ifdef BROv6
delete [] val.addr_val;
#endif
}
Val* AddrVal::SizeVal() const
{
uint32 addr;
#ifdef BROv6
if ( ! is_v4_addr(val.addr_val) )
{
Error("|addr| for IPv6 addresses not supported");
return new Val(0, TYPE_COUNT);
}
addr = to_v4_addr(val.addr_val);
#else
addr = val.addr_val;
#endif
addr = ntohl(addr);
return new Val(addr, TYPE_COUNT);
}
void AddrVal::Init(uint32 addr)
{
#ifdef BROv6
val.addr_val = new uint32[4];
val.addr_val[0] = val.addr_val[1] = val.addr_val[2] = 0;
val.addr_val[3] = addr;
#else
val.addr_val = addr;
#endif
}
void AddrVal::Init(const uint32* addr)
{
#ifdef BROv6
val.addr_val = new uint32[4];
val.addr_val[0] = addr[0];
val.addr_val[1] = addr[1];
val.addr_val[2] = addr[2];
val.addr_val[3] = addr[3];
#else
val.addr_val = addr[0];
#endif
delete val.addr_val;
}
unsigned int AddrVal::MemoryAllocation() const
{
#ifdef BROv6
return padded_sizeof(*this) + pad_size(4 * sizeof(uint32));
#else
return padded_sizeof(*this);
#endif
return padded_sizeof(*this) + val.addr_val->MemoryAllocation();
}
Val* AddrVal::SizeVal() const
{
if ( val.addr_val->GetFamily() == IPAddr::IPv4 )
return new Val(32, TYPE_COUNT);
else
return new Val(128, TYPE_COUNT);
}
IMPLEMENT_SERIAL(AddrVal, SER_ADDR_VAL);
@ -1058,209 +908,91 @@ bool AddrVal::DoUnserialize(UnserialInfo* info)
return true;
}
static uint32 parse_dotted(const char* text, int& dots)
{
int addr[4];
uint32 a = 0;
dots = 0;
if ( sscanf(text, "%d.%d.%d.%d", addr+0, addr+1, addr+2, addr+3) == 4 )
{
a = (addr[0] << 24) | (addr[1] << 16) |
(addr[2] << 8) | addr[3];
dots = 3;
}
else if ( sscanf(text, "%d.%d.%d", addr+0, addr+1, addr+2) == 3 )
{
a = (addr[0] << 24) | (addr[1] << 16) | (addr[2] << 8);
dots = 2;
}
else if ( sscanf(text, "%d.%d", addr+0, addr+1) == 2 )
{
a = (addr[0] << 24) | (addr[1] << 16);
dots = 1;
}
else
reporter->InternalError("scanf failed in parse_dotted()");
for ( int i = 0; i <= dots; ++i )
{
if ( addr[i] < 0 || addr[i] > 255 )
{
reporter->Error("bad dotted address %s", text);
break;
}
}
return a;
}
SubNetVal::SubNetVal(const char* text) : Val(TYPE_SUBNET)
{
const char* sep = strchr(text, '/');
if ( ! sep )
Internal("separator missing in SubNetVal::SubNetVal");
Init(text, atoi(sep+1));
val.subnet_val = new IPPrefix(text, atoi(sep+1));
}
SubNetVal::SubNetVal(const char* text, int width) : Val(TYPE_SUBNET)
{
Init(text, width);
val.subnet_val = new IPPrefix(text, width);
}
SubNetVal::SubNetVal(uint32 addr, int width) : Val(TYPE_SUBNET)
{
Init(addr, width);
IPAddr a(IPAddr::IPv4, &addr, IPAddr::Network);
val.subnet_val = new IPPrefix(a, width);
}
#ifdef BROv6
SubNetVal::SubNetVal(const uint32* addr, int width) : Val(TYPE_SUBNET)
{
Init(addr, width);
}
#endif
void SubNetVal::Init(const char* text, int width)
{
#ifdef BROv6
if ( width <= 0 || width > 128 )
#else
if ( width <= 0 || width > 32 )
#endif
Error("bad subnet width");
int dots;
uint32 a = parse_dotted(text, dots);
Init(uint32(htonl(a)), width);
IPAddr a(IPAddr::IPv6, addr, IPAddr::Network);
val.subnet_val = new IPPrefix(a, width);
}
void SubNetVal::Init(uint32 addr, int width)
SubNetVal::SubNetVal(const IPAddr& addr, int width) : Val(TYPE_SUBNET)
{
#ifdef BROv6
Internal("SubNetVal::Init called on 4-byte address w/ BROv6");
#else
val.subnet_val.net = mask_addr(addr, uint32(width));
val.subnet_val.width = width;
#endif
val.subnet_val = new IPPrefix(addr, width);
}
void SubNetVal::Init(const uint32* addr, int width)
SubNetVal::~SubNetVal()
{
#ifdef BROv6
const uint32* a = mask_addr(addr, uint32(width));
delete val.subnet_val;
}
val.subnet_val.net[0] = a[0];
val.subnet_val.net[1] = a[1];
val.subnet_val.net[2] = a[2];
val.subnet_val.net[3] = a[3];
if ( is_v4_addr(addr) && width <= 32 )
val.subnet_val.width = width + 96;
else
val.subnet_val.width = width;
#else
Internal("SubNetVal::Init called on 16-byte address w/o BROv6");
#endif
unsigned int SubNetVal::MemoryAllocation() const
{
return padded_sizeof(*this) + val.subnet_val->MemoryAllocation();
}
Val* SubNetVal::SizeVal() const
{
int retained;
#ifdef BROv6
retained = 128 - Width();
#else
retained = 32 - Width();
#endif
int retained = 128 - val.subnet_val->LengthIPv6();
return new Val(pow(2.0, double(retained)), TYPE_DOUBLE);
}
void SubNetVal::ValDescribe(ODesc* d) const
{
d->Add(dotted_addr(val.subnet_val.net, d->Style() == ALTERNATIVE_STYLE));
d->Add("/");
#ifdef BROv6
if ( is_v4_addr(val.subnet_val.net) )
d->Add(val.subnet_val.width - 96);
else
#endif
d->Add(val.subnet_val.width);
d->Add(string(*val.subnet_val).c_str());
}
addr_type SubNetVal::Mask() const
IPAddr SubNetVal::Mask() const
{
if ( val.subnet_val.width == 0 )
if ( val.subnet_val->Length() == 0 )
{
// We need to special-case a mask width of zero, since
// the compiler doesn't guarantee that 1 << 32 yields 0.
#ifdef BROv6
uint32* m = new uint32[4];
for ( int i = 0; i < 4; ++i )
uint32 m[4];
for ( unsigned int i = 0; i < 4; ++i )
m[i] = 0;
return m;
#else
return 0;
#endif
IPAddr rval(IPAddr::IPv6, m, IPAddr::Host);
return rval;
}
#ifdef BROv6
uint32* m = new uint32[4];
uint32 m[4];
uint32* mp = m;
uint32 w;
for ( w = val.subnet_val.width; w >= 32; w -= 32 )
*(mp++) = 0xffffffff;
for ( w = val.subnet_val->Length(); w >= 32; w -= 32 )
*(mp++) = 0xffffffff;
*mp = ~((1 << (32 - w)) - 1);
while ( ++mp < m + 4 )
*mp = 0;
*mp = 0;
return m;
#else
return ~((1 << (32 - val.subnet_val.width)) - 1);
#endif
IPAddr rval(IPAddr::IPv6, m, IPAddr::Host);
return rval;
}
bool SubNetVal::Contains(const uint32 addr) const
bool SubNetVal::Contains(const IPAddr& addr) const
{
#ifdef BROv6
Internal("SubNetVal::Contains called on 4-byte address w/ BROv6");
return false;
#else
return ntohl(val.subnet_val.net) == (ntohl(addr) & Mask());
#endif
}
bool SubNetVal::Contains(const uint32* addr) const
{
#ifdef BROv6
const uint32* net = val.subnet_val.net;
const uint32* a = addr;
uint32 m;
for ( m = val.subnet_val.width; m > 32; m -= 32 )
{
if ( *net != *a )
return false;
++net;
++a;
}
uint32 mask = ~((1 << (32 - m)) - 1);
return ntohl(*net) == (ntohl(*a) & mask);
#else
return Contains(addr[3]);
#endif
IPAddr a(addr);
return val.subnet_val->Contains(a);
}
IMPLEMENT_SERIAL(SubNetVal, SER_SUBNET_VAL);
@ -3475,20 +3207,10 @@ int same_atomic_val(const Val* v1, const Val* v2)
return v1->InternalDouble() == v2->InternalDouble();
case TYPE_INTERNAL_STRING:
return Bstr_eq(v1->AsString(), v2->AsString());
case TYPE_INTERNAL_ADDR:
{
const addr_type& a1 = v1->AsAddr();
const addr_type& a2 = v2->AsAddr();
#ifdef BROv6
return addr_eq(a1, a2);
#else
return addr_eq(&a1, &a2);
#endif
}
return v1->AsAddr() == v2->AsAddr();
case TYPE_INTERNAL_SUBNET:
return subnet_eq(v1->AsSubNet(), v2->AsSubNet());
return v1->AsSubNet() == v2->AsSubNet();
default:
reporter->InternalError("same_atomic_val called for non-atomic value");

60
src/Val.h
View file

@ -18,6 +18,7 @@
#include "ID.h"
#include "Scope.h"
#include "StateAccess.h"
#include "IPAddr.h"
class Val;
class Func;
@ -53,11 +54,11 @@ typedef union {
// Used for count, counter, port, subnet.
bro_uint_t uint_val;
// Used for addr, net
addr_type addr_val;
// Used for addr
IPAddr* addr_val;
// Used for subnet
subnet_type subnet_val;
IPPrefix* subnet_val;
// Used for double, time, interval.
double double_val;
@ -226,10 +227,10 @@ public:
CONST_ACCESSOR(TYPE_PATTERN, RE_Matcher*, re_val, AsPattern)
CONST_ACCESSOR(TYPE_VECTOR, vector<Val*>*, vector_val, AsVector)
const subnet_type* AsSubNet() const
const IPPrefix& AsSubNet() const
{
CHECK_TAG(type->Tag(), TYPE_SUBNET, "Val::SubNet", type_name)
return &val.subnet_val;
return *val.subnet_val;
}
BroType* AsType() const
@ -238,12 +239,11 @@ public:
return type;
}
// ... in network byte order
const addr_type AsAddr() const
const IPAddr& AsAddr() const
{
if ( type->Tag() != TYPE_ADDR )
BadTag("Val::AsAddr", type_name(type->Tag()));
return val.addr_val;
return *val.addr_val;
}
#define ACCESSOR(tag, ctype, accessor, name) \
@ -261,10 +261,17 @@ public:
ACCESSOR(TYPE_PATTERN, RE_Matcher*, re_val, AsPattern)
ACCESSOR(TYPE_VECTOR, vector<Val*>*, vector_val, AsVector)
subnet_type* AsSubNet()
const IPPrefix& AsSubNet()
{
CHECK_TAG(type->Tag(), TYPE_SUBNET, "Val::SubNet", type_name)
return &val.subnet_val;
return *val.subnet_val;
}
const IPAddr& AsAddr()
{
if ( type->Tag() != TYPE_ADDR )
BadTag("Val::AsAddr", type_name(type->Tag()));
return *val.addr_val;
}
// Gives fast access to the bits of something that is one of
@ -282,6 +289,7 @@ public:
CONVERTER(TYPE_PATTERN, PatternVal*, AsPatternVal)
CONVERTER(TYPE_PORT, PortVal*, AsPortVal)
CONVERTER(TYPE_SUBNET, SubNetVal*, AsSubNetVal)
CONVERTER(TYPE_ADDR, AddrVal*, AsAddrVal)
CONVERTER(TYPE_TABLE, TableVal*, AsTableVal)
CONVERTER(TYPE_RECORD, RecordVal*, AsRecordVal)
CONVERTER(TYPE_LIST, ListVal*, AsListVal)
@ -299,6 +307,7 @@ public:
CONST_CONVERTER(TYPE_PATTERN, PatternVal*, AsPatternVal)
CONST_CONVERTER(TYPE_PORT, PortVal*, AsPortVal)
CONST_CONVERTER(TYPE_SUBNET, SubNetVal*, AsSubNetVal)
CONST_CONVERTER(TYPE_ADDR, AddrVal*, AsAddrVal)
CONST_CONVERTER(TYPE_TABLE, TableVal*, AsTableVal)
CONST_CONVERTER(TYPE_RECORD, RecordVal*, AsRecordVal)
CONST_CONVERTER(TYPE_LIST, ListVal*, AsListVal)
@ -555,8 +564,9 @@ public:
Val* SizeVal() const;
// Constructor for address already in network order.
AddrVal(uint32 addr);
AddrVal(const uint32* addr);
AddrVal(uint32 addr); // IPv4.
AddrVal(const uint32 addr[4]); // IPv6.
AddrVal(const IPAddr& addr);
unsigned int MemoryAllocation() const;
@ -566,9 +576,6 @@ protected:
AddrVal(TypeTag t) : Val(t) { }
AddrVal(BroType* t) : Val(t) { }
void Init(uint32 addr);
void Init(const uint32* addr);
DECLARE_SERIAL(AddrVal);
};
@ -576,30 +583,25 @@ class SubNetVal : public Val {
public:
SubNetVal(const char* text);
SubNetVal(const char* text, int width);
SubNetVal(uint32 addr, int width); // for address already massaged
SubNetVal(const uint32* addr, int width); // ditto
SubNetVal(uint32 addr, int width); // IPv4.
SubNetVal(const uint32 addr[4], int width); // IPv6.
SubNetVal(const IPAddr& addr, int width);
~SubNetVal();
Val* SizeVal() const;
int Width() const { return val.subnet_val.width; }
addr_type Mask() const; // returns host byte order
const IPAddr& Prefix() const { return val.subnet_val->Prefix(); }
int Width() const { return val.subnet_val->Length(); }
IPAddr Mask() const;
bool Contains(const uint32 addr) const;
bool Contains(const uint32* addr) const;
bool Contains(const IPAddr& addr) const;
unsigned int MemoryAllocation() const
{
return Val::MemoryAllocation() + padded_sizeof(*this) - padded_sizeof(Val);
}
unsigned int MemoryAllocation() const;
protected:
friend class Val;
SubNetVal() {}
void Init(const char* text, int width);
void Init(uint32 addr, int width);
void Init(const uint32 *addr, int width);
void ValDescribe(ODesc* d) const;
DECLARE_SERIAL(SubNetVal);

2
src/bif_type.def
View file

@ -1,6 +1,6 @@
// DEFINE_BIF_TYPE(id, bif_type, bro_type, c_type, accessor, constructor)
DEFINE_BIF_TYPE(TYPE_ADDR, "addr", "addr", "addr_type", "%s->AsAddr()", "new AddrVal(%s)")
DEFINE_BIF_TYPE(TYPE_ADDR, "addr", "addr", "AddrVal*", "%s->AsAddrVal()", "%s")
DEFINE_BIF_TYPE(TYPE_ANY, "any", "any", "Val*", "%s", "%s")
DEFINE_BIF_TYPE(TYPE_BOOL, "bool", "bool", "int", "%s->AsBool()", "new Val(%s, TYPE_BOOL)")
DEFINE_BIF_TYPE(TYPE_CONN_ID, "conn_id", "conn_id", "Val*", "%s", "%s")

549
src/bro.bif
View file

@ -14,6 +14,7 @@
#include <cstdio>
#include "Reporter.h"
#include "IPAddr.h"
using namespace std;
@ -178,35 +179,38 @@ static void do_fmt(const char*& fmt, Val* v, ODesc* d)
// This makes only a very slight difference, so not
// clear it would e worth the hassle.
addr_type u = v->AsAddr();
#ifdef BROv6
// We explicitly convert the address to host order
// in a copy, because if we just call ntohl() for
// our invocation on snprintf() below, on some systems
// it turns a 32-bit value (Linux), whereas on
// others it returns a long (FreeBSD); the latter
// gets us in trouble if we have longs > 32 bits,
// because then the format specifier needs to be %lx
// rather than %x ....... what a pain!
//
// Also note that we don't change u in-place because
// that would alter the byte order of the underlying
// value. (Speaking of which, I'm not clear on why
// we're allowed to assign a const addr_type to an
// addr_type above, both g++ allows it.)
uint32 host_order_u[4];
host_order_u[0] = ntohl(u[0]);
host_order_u[1] = ntohl(u[1]);
host_order_u[2] = ntohl(u[2]);
host_order_u[3] = ntohl(u[3]);
const IPAddr& u = v->AsAddr();
const uint32* net_order_u;
int len = u.GetBytes(&net_order_u);
snprintf(out_buf, sizeof(out_buf), "%08x%08x%08x%08x",
host_order_u[0], host_order_u[1],
host_order_u[2], host_order_u[3]);
#else
u = ntohl(u);
snprintf(out_buf, sizeof(out_buf), "%08x", u);
#endif
if ( len == 4 )
{
// We explicitly convert the address to host order
// in a copy, because if we just call ntohl() for
// our invocation on snprintf() below, on some systems
// it turns a 32-bit value (Linux), whereas on
// others it returns a long (FreeBSD); the latter
// gets us in trouble if we have longs > 32 bits,
// because then the format specifier needs to be %lx
// rather than %x ....... what a pain!
//
// Also note that we don't change u in-place because
// that would alter the byte order of the underlying
// value.
uint32 host_order_u[4];
host_order_u[0] = ntohl(net_order_u[0]);
host_order_u[1] = ntohl(net_order_u[1]);
host_order_u[2] = ntohl(net_order_u[2]);
host_order_u[3] = ntohl(net_order_u[3]);
snprintf(out_buf, sizeof(out_buf), "%08x%08x%08x%08x",
host_order_u[0], host_order_u[1],
host_order_u[2], host_order_u[3]);
}
else
{
snprintf(out_buf, sizeof(out_buf), "%08x", ntohl(net_order_u[0]));
}
}
else if ( ! check_fmt_type(t, ok_d_fmt) )
@ -1959,44 +1963,41 @@ function do_profiling%(%) : any
## Returns: True if *ip* belongs to a local interface.
function is_local_interface%(ip: addr%) : bool
%{
static uint32* addrs;
static int len = -1;
if ( ip->AsAddr().IsLoopback() )
return new Val(1, TYPE_BOOL);
if ( len < 0 )
list<IPAddr> addrs;
char host[MAXHOSTNAMELEN];
strcpy(host, "localhost");
gethostname(host, MAXHOSTNAMELEN);
host[MAXHOSTNAMELEN-1] = '\0';
struct hostent* ent = gethostbyname2(host, AF_INET);
if ( ent )
{
char host[MAXHOSTNAMELEN];
strcpy(host, "localhost");
gethostname(host, MAXHOSTNAMELEN);
host[MAXHOSTNAMELEN-1] = '\0';
struct hostent* ent = gethostbyname(host);
for ( len = 0; ent->h_addr_list[len]; ++len )
;
addrs = new uint32[len + 1];
for ( int i = 0; i < len; i++ )
addrs[i] = *(uint32*) ent->h_addr_list[i];
addrs[len++] = 0x0100007f; // 127.0.0.1
for ( unsigned int len = 0; ent->h_addr_list[len]; ++len )
addrs.push_back(IPAddr(IPAddr::IPv4, (uint32*)ent->h_addr_list[len],
IPAddr::Network));
}
#ifdef BROv6
if ( ! is_v4_addr(ip) )
ent = gethostbyname2(host, AF_INET6);
if ( ent )
{
builtin_error("is_local_interface() only supports IPv4 addresses");
return new Val(0, TYPE_BOOL);
for ( unsigned int len = 0; ent->h_addr_list[len]; ++len )
addrs.push_back(IPAddr(IPAddr::IPv6, (uint32*)ent->h_addr_list[len],
IPAddr::Network));
}
uint32 ip4 = to_v4_addr(ip);
#else
uint32 ip4 = ip;
#endif
for ( int i = 0; i < len; i++ )
if ( addrs[i] == ip4 )
list<IPAddr>::const_iterator it;
for ( it = addrs.begin(); it != addrs.end(); ++it )
{
if ( *it == ip->AsAddr() )
return new Val(1, TYPE_BOOL);
}
return new Val(0, TYPE_BOOL);
%}
@ -2046,12 +2047,88 @@ function gethostname%(%) : string
return new StringVal(buffer);
%}
## Returns whether an address is IPv4 or not.
##
## a: the address to check.
##
## Returns: true if *a* is an IPv4 address, else false.
function is_v4_addr%(a: addr%): bool
%{
if ( a->AsAddr().GetFamily() == IPAddr::IPv4 )
return new Val(1, TYPE_BOOL);
else
return new Val(0, TYPE_BOOL);
%}
## Returns whether an address is IPv6 or not.
##
## a: the address to check.
##
## Returns: true if *a* is an IPv6 address, else false.
function is_v6_addr%(a: addr%): bool
%{
if ( a->AsAddr().GetFamily() == IPAddr::IPv6 )
return new Val(1, TYPE_BOOL);
else
return new Val(0, TYPE_BOOL);
%}
# ===========================================================================
#
# Conversion
#
# ===========================================================================
## Converts a :bro:type:`addr` to a :bro:type:`index_vec`.
##
## a: The address to convert into a vector of counts.
##
## Returns: A vector containing the host-order address representation,
## four elements in size for IPv6 addresses, or one element for IPv4.
##
## .. bro:see:: counts_to_addr
function addr_to_counts%(a: addr%): index_vec
%{
VectorVal* rval = new VectorVal(new VectorType(base_type(TYPE_COUNT)));
const uint32* bytes;
int len = a->AsAddr().GetBytes(&bytes);
for ( int i = 0; i < len; ++i )
rval->Assign(i, new Val(ntohl(bytes[i]), TYPE_COUNT), 0);
return rval;
%}
## Converts a :bro:type:`index_vec` to a :bro:type:`addr`.
##
## v: The vector containing host-order IP address representation,
## one element for IPv4 addresses, four elements for IPv6 addresses.
##
## Returns: An IP address.
##
## .. bro:see:: addr_to_counts
function counts_to_addr%(v: index_vec%): addr
%{
if ( v->AsVector()->size() == 1 )
{
return new AddrVal(htonl((*v->AsVector())[0]->AsCount()));
}
else if ( v->AsVector()->size() == 4 )
{
uint32 bytes[4];
for ( int i = 0; i < 4; ++i )
bytes[i] = htonl((*v->AsVector())[i]->AsCount());
return new AddrVal(bytes);
}
else
{
builtin_error("invalid vector size", @ARG@[0]);
uint32 bytes[4];
memset(bytes, 0, sizeof(bytes));
return new AddrVal(bytes);
}
%}
## Converts a :bro:type:`string` to a :bro:type:`int`.
##
## str: The :bro:type:`string` to convert.
@ -2180,29 +2257,6 @@ function double_to_interval%(d: double%): interval
return new Val(d, TYPE_INTERVAL);
%}
## Converts a :bro:type:`addr` to a :bro:type:`count`.
##
## a: The :bro:type:`addr` to convert.
##
## Returns: The :bro:type:`addr` *a* as :bro:type:`count`.
##
## .. bro:see:: addr_to_ptr_name
function addr_to_count%(a: addr%): count
%{
#ifdef BROv6
if ( ! is_v4_addr(a) )
{
builtin_error("conversion of non-IPv4 address to count", @ARG@[0]);
return new Val(0, TYPE_COUNT);
}
uint32 addr = to_v4_addr(a);
#else
uint32 addr = a;
#endif
return new Val(ntohl(addr), TYPE_COUNT);
%}
## Converts a :bro:type:`port` to a :bro:type:`count`.
##
## p: The :bro:type:`port` to convert.
@ -2327,20 +2381,58 @@ function to_port%(s: string%): port
## .. bro:see:: addr_to_ptr_name parse_dotted_addr
function ptr_name_to_addr%(s: string%): addr
%{
int a[4];
uint32 addr;
if ( sscanf(s->CheckString(),
"%d.%d.%d.%d.in-addr.arpa",
a, a+1, a+2, a+3) != 4 )
if ( s->Len() != 72 )
{
builtin_error("bad PTR name", @ARG@[0]);
addr = 0;
int a[4];
uint32 addr;
char ss[13]; // this will contain "in-addr.arpa"
if ( sscanf(s->CheckString(),
"%d.%d.%d.%d.%12s",
a, a+1, a+2, a+3, ss) != 5
|| strcmp(ss, "in-addr.arpa") != 0 )
{
builtin_error("bad PTR name", @ARG@[0]);
addr = 0;
}
else
addr = (a[3] << 24) | (a[2] << 16) | (a[1] << 8) | a[0];
return new AddrVal(htonl(addr));
}
else
addr = (a[3] << 24) | (a[2] << 16) | (a[1] << 8) | a[0];
{
uint32 addr6[4];
uint32 b[32];
char ss[9]; // this will contain "ip6.arpa"
if ( sscanf(s->CheckString(),
"%1x.%1x.%1x.%1x.%1x.%1x.%1x.%1x."
"%1x.%1x.%1x.%1x.%1x.%1x.%1x.%1x."
"%1x.%1x.%1x.%1x.%1x.%1x.%1x.%1x."
"%1x.%1x.%1x.%1x.%1x.%1x.%1x.%1x.%8s",
b+31, b+30, b+29, b+28, b+27, b+26, b+25, b+24,
b+23, b+22, b+21, b+20, b+19, b+18, b+17, b+16,
b+15, b+14, b+13, b+12, b+11, b+10, b+9, b+8,
b+7, b+6, b+5, b+4, b+3, b+2, b+1, b, ss) != 33
|| strcmp(ss, "ip6.arpa") != 0 )
{
builtin_error("bad PTR name", @ARG@[0]);
memset(addr6, 0, sizeof addr6);
}
else
{
for ( unsigned int i = 0; i < 4; ++i )
{
uint32 a = 0;
for ( unsigned int j = 1; j <= 8; ++j )
a |= b[8*i+j-1] << (32-j*4);
return new AddrVal(htonl(addr));
addr6[i] = htonl(a);
}
}
return new AddrVal(addr6);
}
%}
## Converts an IP address to a reverse pointer name. For example,
@ -2350,34 +2442,38 @@ function ptr_name_to_addr%(s: string%): addr
##
## Returns: The reverse pointer representation of *a*.
##
## .. bro:see:: addr_to_count ptr_name_to_addr parse_dotted_addr
## .. bro:see:: ptr_name_to_addr parse_dotted_addr
function addr_to_ptr_name%(a: addr%): string
%{
// ## Question:
// uint32 addr = ntohl((*args)[0]->InternalUnsigned());
uint32 addr;
#ifdef BROv6
if ( is_v4_addr(a) )
addr = a[3];
const uint32* addr;
int len = a->AsAddr().GetBytes(&addr);
if ( len == 1 )
{
char buf[256];
uint32 a = ntohl(addr[0]);
uint32 a3 = (a >> 24) & 0xff;
uint32 a2 = (a >> 16) & 0xff;
uint32 a1 = (a >> 8) & 0xff;
uint32 a0 = a & 0xff;
sprintf(buf, "%u.%u.%u.%u.in-addr.arpa", a0, a1, a2, a3);
return new StringVal(buf);
}
else
{
builtin_error("conversion of non-IPv4 address to net", @ARG@[0]);
addr = 0;
static const char hex_digit[] = "0123456789abcdef";
string ptr_name("ip6.arpa");
for ( unsigned int i = 0; i < 4; ++i )
{
uint32 a = ntohl(addr[i]);
for ( unsigned int j = 1; j <=8; ++j )
{
ptr_name.insert(0, 1, '.');
ptr_name.insert(0, 1, hex_digit[(a >> (32-j*4)) & 0x0f]);
}
}
return new StringVal(ptr_name.c_str());
}
#else
addr = a;
#endif
addr = ntohl(addr);
uint32 a3 = (addr >> 24) & 0xff;
uint32 a2 = (addr >> 16) & 0xff;
uint32 a1 = (addr >> 8) & 0xff;
uint32 a0 = addr & 0xff;
char buf[256];
sprintf(buf, "%u.%u.%u.%u.in-addr.arpa", a0, a1, a2, a3);
return new StringVal(buf);
%}
# Transforms n0.n1.n2.n3 -> addr.
@ -2389,10 +2485,11 @@ function addr_to_ptr_name%(a: addr%): string
##
## Returns: The IP address as type :bro:type:`addr`.
##
## .. bro:see:: addr_to_ptr_name parse_dotted_addr addr_to_count
## .. bro:see:: addr_to_ptr_name parse_dotted_addr
function parse_dotted_addr%(s: string%): addr
%{
return new AddrVal(dotted_to_addr(s->CheckString()));
IPAddr a(s->CheckString());
return new AddrVal(a);
%}
%%{
@ -2465,7 +2562,11 @@ static Val* parse_eftp(const char* line)
line = next_delim + 1;
if ( *line != delimiter ) // default of 0 is ok
{
addr = dotted_to_addr(line);
string s(line);
IPAddr tmp(s);
const uint32* bytes;
tmp.GetBytes(&bytes);
addr = *bytes;
if ( addr == 0 )
good = 0;
}
@ -2570,20 +2671,23 @@ function parse_ftp_epsv%(str: string%): ftp_port
## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv parse_ftp_epsv
function fmt_ftp_port%(a: addr, p: port%): string
%{
#ifdef BROv6
if ( ! is_v4_addr(a) )
builtin_error("conversion of non-IPv4 address to net", @ARG@[0]);
uint32 addr = to_v4_addr(a);
#else
uint32 addr = a;
#endif
addr = ntohl(addr);
uint32 pn = p->Port();
return new StringVal(fmt("%d,%d,%d,%d,%d,%d",
addr >> 24, (addr >> 16) & 0xff,
(addr >> 8) & 0xff, addr & 0xff,
pn >> 8, pn & 0xff));
const uint32* addr;
int len = a->AsAddr().GetBytes(&addr);
if ( len == 1 )
{
uint32 a = ntohl(addr[0]);
uint32 pn = p->Port();
return new StringVal(fmt("%d,%d,%d,%d,%d,%d",
a >> 24, (a >> 16) & 0xff,
(a >> 8) & 0xff, a & 0xff,
pn >> 8, pn & 0xff));
}
else
{
builtin_error("conversion of non-IPv4 address in fmt_ftp_port",
@ARG@[0]);
return new StringVal("");
}
%}
## Decode a NetBIOS name. See http://support.microsoft.com/kb/194203.
@ -2896,7 +3000,7 @@ function strftime%(fmt: string, d: time%) : string
## .. bro:see:: remask_addr
function mask_addr%(a: addr, top_bits_to_keep: count%): subnet
%{
return new SubNetVal(mask_addr(a, top_bits_to_keep), top_bits_to_keep);
return new SubNetVal(a->AsAddr(), top_bits_to_keep);
%}
## Takes some top bits (e.g., subnet address) from one address and the other
@ -2909,29 +3013,26 @@ function mask_addr%(a: addr, top_bits_to_keep: count%): subnet
## a2: The address to take the remaining bits from.
##
## top_bits_from_a1: The number of top bits to keep in *a1*; must be greater
## than 0 and less than 33.
## than 0 and less than 129. This value is always interpreted
## relative to the IPv6 bit width (v4-mapped addresses start
## at bit number 96).
##
## Returns: The address *a* masked down to *top_bits_to_keep* bits.
##
## .. bro:see:: mask_addr
function remask_addr%(a1: addr, a2: addr, top_bits_from_a1: count%): addr
%{
#ifdef BROv6
if ( ! is_v4_addr(a1) || ! is_v4_addr(a2) )
{
builtin_error("cannot use remask_addr on IPv6 addresses");
return new AddrVal(a1);
}
uint32 x1 = to_v4_addr(a1);
uint32 x2 = to_v4_addr(a2);
#else
uint32 x1 = a1;
uint32 x2 = a2;
#endif
return new AddrVal(
mask_addr(x1, top_bits_from_a1) |
(x2 ^ mask_addr(x2, top_bits_from_a1)) );
IPAddr addr1(a1->AsAddr());
addr1.Mask(top_bits_from_a1);
IPAddr addr2(a2->AsAddr());
addr1.ReverseMask(top_bits_from_a1);
uint32 x1[4];
uint32 x2[4];
addr1.CopyIPv6(x1);
addr2.CopyIPv6(x2);
for ( unsigned int i = 0; i < 4; ++i )
x1[i] = x1[i] | x2[i];
return new AddrVal(x1);
%}
## Checks whether a given :bro:type:`port` has TCP as transport protocol.
@ -3104,12 +3205,13 @@ const char* conn_id_string(Val* c)
Val* id = (*(c->AsRecord()))[0];
const val_list* vl = id->AsRecord();
addr_type orig_h = (*vl)[0]->AsAddr();
const IPAddr& orig_h = (*vl)[0]->AsAddr();
uint32 orig_p = (*vl)[1]->AsPortVal()->Port();
addr_type resp_h = (*vl)[2]->AsAddr();
const IPAddr& resp_h = (*vl)[2]->AsAddr();
uint32 resp_p = (*vl)[3]->AsPortVal()->Port();
return fmt("%s/%u -> %s/%u\n", dotted_addr(orig_h), orig_p, dotted_addr(resp_h), resp_p);
return fmt("%s/%u -> %s/%u\n", orig_h.AsString().c_str(), orig_p,
resp_h.AsString().c_str(), resp_p);
}
%%}
@ -3339,29 +3441,8 @@ function lookup_addr%(host: addr%) : string
frame->SetDelayed();
trigger->Hold();
#ifdef BROv6
if ( ! is_v4_addr(host) )
{
// FIXME: This is a temporary work-around until we get this
// fixed. We warn the user once, and always trigger a timeout.
// Ticket #355 records the problem.
static bool warned = false;
if ( ! warned )
{
reporter->Warning("lookup_addr() only supports IPv4 addresses currently");
warned = true;
}
trigger->Timeout();
return 0;
}
dns_mgr->AsyncLookupAddr(to_v4_addr(host),
dns_mgr->AsyncLookupAddr(host->AsAddr(),
new LookupHostCallback(trigger, frame->GetCall(), true));
#else
dns_mgr->AsyncLookupAddr(host,
new LookupHostCallback(trigger, frame->GetCall(), true));
#endif
return 0;
%}
@ -3453,8 +3534,6 @@ function lookup_location%(a: addr%) : geo_location
else
have_city_db = true;
#ifdef BROv6
#ifdef HAVE_GEOIP_CITY_EDITION_REV0_V6
geoip_v6 = open_geoip_db(GEOIP_CITY_EDITION_REV0_V6);
if ( geoip_v6 )
@ -3467,16 +3546,15 @@ function lookup_location%(a: addr%) : geo_location
#endif
if ( ! geoip_v6 )
builtin_error("Can't initialize GeoIPv6 City/Country database");
#endif
}
#ifdef BROv6
#ifdef HAVE_GEOIP_COUNTRY_EDITION_V6
if ( geoip_v6 && ! is_v4_addr(a) )
if ( geoip_v6 && a->AsAddr().GetFamily() == IPAddr::IPv6 )
{
const uint32* bytes;
a->AsAddr().GetBytes(&bytes);
geoipv6_t ga;
memcpy(&ga, a, 16);
memcpy(&ga, bytes, 16);
if ( have_cityv6_db )
gir = GeoIP_record_by_ipnum_v6(geoip_v6, ga);
else
@ -3485,25 +3563,16 @@ function lookup_location%(a: addr%) : geo_location
else
#endif
if ( geoip && is_v4_addr(a) )
if ( geoip && a->AsAddr().GetFamily() == IPAddr::IPv4 )
{
uint32 addr = to_v4_addr(a);
const uint32* bytes;
a->AsAddr().GetBytes(&bytes);
if ( have_city_db )
gir = GeoIP_record_by_ipnum(geoip, ntohl(addr));
gir = GeoIP_record_by_ipnum(geoip, ntohl(*bytes));
else
cc = GeoIP_country_code_by_ipnum(geoip, ntohl(addr));
cc = GeoIP_country_code_by_ipnum(geoip, ntohl(*bytes));
}
#else // not BROv6
if ( geoip )
{
if ( have_city_db )
gir = GeoIP_record_by_ipnum(geoip, ntohl(a));
else
cc = GeoIP_country_code_by_ipnum(geoip, ntohl(a));
}
#endif
if ( gir )
{
if ( gir->country_code )
@ -3575,28 +3644,25 @@ function lookup_asn%(a: addr%) : count
if ( geoip_asn )
{
#ifdef BROv6
// IPv6 support showed up in 1.4.5.
#ifdef HAVE_GEOIP_COUNTRY_EDITION_V6
if ( ! is_v4_addr(a) )
if ( a->AsAddr().GetFamily() == IPAddr::IPv6 )
{
const uint32* bytes;
a->AsAddr().GetBytes(&bytes);
geoipv6_t ga;
memcpy(&ga, a, 16);
memcpy(&ga, bytes, 16);
gir = GeoIP_name_by_ipnum_v6(geoip_asn, ga);
}
else
#endif
if ( is_v4_addr(a) )
if ( a->AsAddr().GetFamily() == IPAddr::IPv4 )
{
uint32 addr = to_v4_addr(a);
gir = GeoIP_name_by_ipnum(geoip_asn, ntohl(addr));
const uint32* bytes;
a->AsAddr().GetBytes(&bytes);
gir = GeoIP_name_by_ipnum(geoip_asn, ntohl(*bytes));
}
#else // not BROv6
gir = GeoIP_name_by_ipnum(geoip_asn, ntohl(a));
#endif
}
if ( gir )
@ -3878,9 +3944,9 @@ function file_mode%(mode: count%): string
function expect_connection%(orig: addr, resp: addr, resp_p: port,
analyzer: count, tout: interval%) : any
%{
dpm->ExpectConnection(orig, resp, resp_p->Port(), resp_p->PortType(),
(AnalyzerTag::Tag) analyzer, tout, 0);
return 0;
dpm->ExpectConnection(orig->AsAddr(), resp->AsAddr(), resp_p->Port(),
resp_p->PortType(), (AnalyzerTag::Tag) analyzer, tout, 0);
return new Val(1, TYPE_BOOL);
%}
## Disables the analyzer which raised the current event (if the analyzer
@ -4652,7 +4718,7 @@ function pcap_error%(%): string
## .. todo:: The return value should be changed to any.
function install_src_addr_filter%(ip: addr, tcp_flags: count, prob: double%) : bool
%{
sessions->GetPacketFilter()->AddSrc(ip, tcp_flags, prob);
sessions->GetPacketFilter()->AddSrc(ip->AsAddr(), tcp_flags, prob);
return new Val(1, TYPE_BOOL);
%}
@ -4704,7 +4770,7 @@ function install_src_net_filter%(snet: subnet, tcp_flags: count, prob: double%)
## pcap_error
function uninstall_src_addr_filter%(ip: addr%) : bool
%{
return new Val(sessions->GetPacketFilter()->RemoveSrc(ip), TYPE_BOOL);
return new Val(sessions->GetPacketFilter()->RemoveSrc(ip->AsAddr()), TYPE_BOOL);
%}
## Removes a source subnet filter.
@ -4754,7 +4820,7 @@ function uninstall_src_net_filter%(snet: subnet%) : bool
## .. todo:: The return value should be changed to any.
function install_dst_addr_filter%(ip: addr, tcp_flags: count, prob: double%) : bool
%{
sessions->GetPacketFilter()->AddDst(ip, tcp_flags, prob);
sessions->GetPacketFilter()->AddDst(ip->AsAddr(), tcp_flags, prob);
return new Val(1, TYPE_BOOL);
%}
@ -4806,7 +4872,7 @@ function install_dst_net_filter%(snet: subnet, tcp_flags: count, prob: double%)
## pcap_error
function uninstall_dst_addr_filter%(ip: addr%) : bool
%{
return new Val(sessions->GetPacketFilter()->RemoveDst(ip), TYPE_BOOL);
return new Val(sessions->GetPacketFilter()->RemoveDst(ip->AsAddr()), TYPE_BOOL);
%}
## Removes a destination subnet filter.
@ -4947,7 +5013,7 @@ function capture_state_updates%(filename: string%) : bool
## send_id
function connect%(ip: addr, p: port, our_class: string, retry: interval, ssl: bool%) : count
%{
return new Val(uint32(remote_serializer->Connect(ip, p->Port(),
return new Val(uint32(remote_serializer->Connect(ip->AsAddr(), p->Port(),
our_class->CheckString(), retry, ssl)),
TYPE_COUNT);
%}
@ -5062,7 +5128,7 @@ function set_compression_level%(p: event_peer, level: count%) : bool
## .. bro:see:: connect disconnect
function listen%(ip: addr, p: port, ssl: bool %) : bool
%{
return new Val(remote_serializer->Listen(ip, p->Port(), ssl), TYPE_BOOL);
return new Val(remote_serializer->Listen(ip->AsAddr(), p->Port(), ssl), TYPE_BOOL);
%}
## Checks whether the last raised event came from a remote peer.
@ -5318,14 +5384,14 @@ function preserve_prefix%(a: addr, width: count%): any
AnonymizeIPAddr* ip_anon = ip_anonymizer[PREFIX_PRESERVING_A50];
if ( ip_anon )
{
#ifdef BROv6
if ( ! is_v4_addr(a) )
if ( a->AsAddr().GetFamily() == IPAddr::IPv6 )
builtin_error("preserve_prefix() not supported for IPv6 addresses");
else
ip_anon->PreservePrefix(a[3], width);
#else
ip_anon->PreservePrefix(a, width);
#endif
{
const uint32* bytes;
a->AsAddr().GetBytes(&bytes);
ip_anon->PreservePrefix(*bytes, width);
}
}
@ -5343,18 +5409,18 @@ function preserve_prefix%(a: addr, width: count%): any
## .. todo:: Currently dysfunctional.
function preserve_subnet%(a: subnet%): any
%{
DEBUG_MSG("%s/%d\n", dotted_addr(a->AsAddr()), a->Width());
DEBUG_MSG("%s/%d\n", a->Prefix().AsString().c_str(), a->Width());
AnonymizeIPAddr* ip_anon = ip_anonymizer[PREFIX_PRESERVING_A50];
if ( ip_anon )
{
#ifdef BROv6
if ( ! is_v4_addr(a->AsAddr()) )
if ( a->AsSubNet().Prefix().GetFamily() == IPAddr::IPv6 )
builtin_error("preserve_subnet() not supported for IPv6 addresses");
else
ip_anon->PreservePrefix(a->AsAddr()[3], a->Width());
#else
ip_anon->PreservePrefix(a->AsAddr(), a->Width());
#endif
{
const uint32* bytes;
a->AsSubNet().Prefix().GetBytes(&bytes);
ip_anon->PreservePrefix(*bytes, a->AsSubNet().Length());
}
}
return 0;
@ -5383,19 +5449,18 @@ function anonymize_addr%(a: addr, cl: IPAddrAnonymizationClass%): addr
if ( anon_class < 0 || anon_class >= NUM_ADDR_ANONYMIZATION_CLASSES )
builtin_error("anonymize_addr(): invalid ip addr anonymization class");
#ifdef BROv6
if ( ! is_v4_addr(a) )
if ( a->AsAddr().GetFamily() == IPAddr::IPv6 )
{
builtin_error("anonymize_addr() not supported for IPv6 addresses");
return 0;
}
else
return new AddrVal(anonymize_ip(a[3],
{
const uint32* bytes;
a->AsAddr().GetBytes(&bytes);
return new AddrVal(anonymize_ip(*bytes,
(enum ip_addr_anonymization_class_t) anon_class));
#else
return new AddrVal(anonymize_ip(a,
(enum ip_addr_anonymization_class_t) anon_class));
#endif
}
%}
## Deprecated. Will be removed.
@ -5445,7 +5510,7 @@ function generate_idmef%(src_ip: addr, src_port: port,
newNode(newAddress(
newAttribute("category","ipv4-addr"),
newSimpleElement("address",
copy_string(dotted_addr(src_ip))),
copy_string(src_ip->AsAddr().AsString().c_str())),
NULL), NULL),
newService(
newSimpleElement("port",
@ -5455,7 +5520,7 @@ function generate_idmef%(src_ip: addr, src_port: port,
newNode(newAddress(
newAttribute("category","ipv4-addr"),
newSimpleElement("address",
copy_string(dotted_addr(dst_ip))),
copy_string(dst_ip->AsAddr().AsString().c_str())),
NULL), NULL),
newService(
newSimpleElement("port",
@ -5470,13 +5535,3 @@ function generate_idmef%(src_ip: addr, src_port: port,
return new Val(0, TYPE_BOOL);
#endif
%}
## Deprecated. Will be removed.
function bro_has_ipv6%(%) : bool
%{
#ifdef BROv6
return new Val(1, TYPE_BOOL);
#else
return new Val(0, TYPE_BOOL);
#endif
%}

56
src/dhcp-analyzer.pac
View file

@ -55,33 +55,18 @@ flow DHCP_Flow(is_orig: bool) {
vector<DHCP_Option*>::const_iterator ptr;
// Requested IP address to the server.
#ifdef BROv6
::uint32 req_addr[4], serv_addr[4];
req_addr[0] = req_addr[1] = req_addr[2] = req_addr[3] = 0;
serv_addr[0] = serv_addr[1] = serv_addr[2] = serv_addr[3] = 0;
#else
addr_type req_addr = 0, serv_addr = 0;
#endif
::uint32 req_addr = 0, serv_addr = 0;
for ( ptr = options->begin();
ptr != options->end() && ! (*ptr)->last(); ++ptr )
{
switch ( (*ptr)->code() ) {
case REQ_IP_OPTION:
#ifdef BROv6
req_addr[3] = htonl((*ptr)->info()->req_addr());
#else
req_addr = htonl((*ptr)->info()->req_addr());
#endif
break;
case SERV_ID_OPTION:
#ifdef BROv6
serv_addr[3] = htonl((*ptr)->info()->serv_addr());
#else
serv_addr = htonl((*ptr)->info()->serv_addr());
#endif
break;
}
}
@ -91,13 +76,14 @@ flow DHCP_Flow(is_orig: bool) {
case DHCPDISCOVER:
BifEvent::generate_dhcp_discover(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
dhcp_msg_val_->Ref(), req_addr);
dhcp_msg_val_->Ref(), new AddrVal(req_addr));
break;
case DHCPREQUEST:
BifEvent::generate_dhcp_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
dhcp_msg_val_->Ref(), req_addr, serv_addr);
dhcp_msg_val_->Ref(), new AddrVal(req_addr),
new AddrVal(serv_addr));
break;
case DHCPDECLINE:
@ -129,15 +115,7 @@ flow DHCP_Flow(is_orig: bool) {
// RFC 1533 allows a list of router addresses.
TableVal* router_list = 0;
#ifdef BROv6
::uint32 subnet_mask[4], serv_addr[4];
subnet_mask[0] = subnet_mask[1] =
subnet_mask[2] = subnet_mask[3] = 0;
serv_addr[0] = serv_addr[1] = serv_addr[2] = serv_addr[3] = 0;
#else
addr_type subnet_mask = 0, serv_addr = 0;
#endif
::uint32 subnet_mask = 0, serv_addr = 0;
uint32 lease = 0;
@ -146,13 +124,7 @@ flow DHCP_Flow(is_orig: bool) {
{
switch ( (*ptr)->code() ) {
case SUBNET_OPTION:
#ifdef BROv6
subnet_mask[0] =
subnet_mask[1] = subnet_mask[2] = 0;
subnet_mask[3] = htonl((*ptr)->info()->mask());
#else
subnet_mask = htonl((*ptr)->info()->mask());
#endif
break;
case ROUTER_OPTION:
@ -170,14 +142,8 @@ flow DHCP_Flow(is_orig: bool) {
vector<uint32>* rlist =
(*ptr)->info()->router_list();
uint32 raddr = (*rlist)[i];
#ifdef BROv6
::uint32 tmp_addr[4];
tmp_addr[0] = tmp_addr[1] = tmp_addr[2] = 0;
tmp_addr[3] = htonl(raddr);
#else
::uint32 tmp_addr;
tmp_addr = htonl(raddr);
#endif
// index starting from 1
Val* index = new Val(i + 1, TYPE_COUNT);
router_list->Assign(index, new AddrVal(tmp_addr));
@ -191,11 +157,7 @@ flow DHCP_Flow(is_orig: bool) {
break;
case SERV_ID_OPTION:
#ifdef BROv6
serv_addr[3] = htonl((*ptr)->info()->serv_addr());
#else
serv_addr = htonl((*ptr)->info()->serv_addr());
#endif
break;
}
}
@ -204,15 +166,15 @@ flow DHCP_Flow(is_orig: bool) {
case DHCPOFFER:
BifEvent::generate_dhcp_offer(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
dhcp_msg_val_->Ref(), subnet_mask,
router_list, lease, serv_addr);
dhcp_msg_val_->Ref(), new AddrVal(subnet_mask),
router_list, lease, new AddrVal(serv_addr));
break;
case DHCPACK:
BifEvent::generate_dhcp_ack(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
dhcp_msg_val_->Ref(), subnet_mask,
router_list, lease, serv_addr);
dhcp_msg_val_->Ref(), new AddrVal(subnet_mask),
router_list, lease, new AddrVal(serv_addr));
break;
case DHCPNAK:

66
src/dns-analyzer.pac
View file

@ -216,44 +216,42 @@ flow DNS_Flow
switch ( rr->rr_type() ) {
case TYPE_A:
if ( dns_A_reply )
{
::uint32 addr = rd->type_a();
BifEvent::generate_dns_A_reply(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
dns_msg_val_->Ref(), build_dns_answer(rr),
new AddrVal(htonl(addr)));
}
break;
case TYPE_A6:
case TYPE_AAAA:
if ( ! dns_A_reply )
break;
#ifdef BROv6
::uint32 addr[4];
#else
addr_type addr;
#endif
if ( rr->rr_type() == TYPE_A )
if ( dns_A6_reply )
{
#ifdef BROv6
addr[0] = addr[1] = addr[2] = 0;
addr[3] = htonl(rd->type_a());
#else
addr = htonl(rd->type_a());
#endif
}
else
{
#ifdef BROv6
for ( int i = 0; i < 4; ++i )
::uint32 addr[4];
for ( unsigned int i = 0; i < 4; ++i )
addr[i] = htonl((*rd->type_aaaa())[i]);
#else
addr = htonl((*rd->type_aaaa())[3]);
#endif
}
// For now, we treat A6 and AAAA as A's. Given the
// above fixes for BROv6, we can probably now introduce
// their own events. (It's not clear A6 is needed -
// do we actually encounter it in practice?)
BifEvent::generate_dns_A_reply(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
dns_msg_val_->Ref(), build_dns_answer(rr), addr);
BifEvent::generate_dns_A6_reply(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
dns_msg_val_->Ref(), build_dns_answer(rr),
new AddrVal(addr));
}
break;
case TYPE_AAAA:
if ( dns_AAAA_reply )
{
::uint32 addr[4];
for ( unsigned int i = 0; i < 4; ++i )
addr[i] = htonl((*rd->type_aaaa())[i]);
BifEvent::generate_dns_AAAA_reply(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
dns_msg_val_->Ref(), build_dns_answer(rr),
new AddrVal(addr));
}
break;
case TYPE_NS:

38
src/event.bif
View file

@ -3740,19 +3740,13 @@ event non_dns_request%(c: connection, msg: string%) &group="dns";
##
## a: The address returned by the reply.
##
## .. bro:see:: dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply
## .. bro:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply
## dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
##
## .. note: This event is currently also raised for ``AAAA`` records. In that
## case, the address *a* will correspond to the lower-order 4 bytes of the
## IPv6 address. This will go away once IPv6 support is improved.
##
## .. todo: IPv6 handling is obviously very broken here ...
event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns";
## Generated for DNS replies of type *AAAA*. For replies with multiple answers, an
@ -3770,18 +3764,38 @@ event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &grou
##
## a: The address returned by the reply.
##
## .. bro:see:: dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
## .. bro:see:: dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns";
## Generated for DNS replies of type *A6*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.
##
## .. todo: Raising this event is not implemented currently, not even when
## Bro's compiled IPv6 support. ``AAAA`` are currently always turned into
## :bro:id:`dns_A_reply` events.
event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr, astr: string%) &group="dns";
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## a: The address returned by the reply.
##
## .. bro:see:: dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns";
## Generated for DNS replies of type *NS*. For replies with multiple answers, an
## individual event of the corresponding type is raised for each.

4
src/nb_dns.c
View file

@ -186,7 +186,7 @@ _nb_dns_cmpsockaddr(register struct sockaddr *sa1,
#endif
static const char serr[] = "answer from wrong nameserver (%d)";
if (sa1->sa_family != sa1->sa_family) {
if (sa1->sa_family != sa2->sa_family) {
snprintf(errstr, NB_DNS_ERRSIZE, serr, 1);
return (-1);
}
@ -381,7 +381,7 @@ nb_dns_addr_request2(register struct nb_dns_info *nd, char *addrp,
size -= i;
cp += i;
}
snprintf(cp, size, "ip6.int");
snprintf(cp, size, "ip6.arpa");
break;
#endif

225
src/net_util.cc
View file

@ -2,17 +2,16 @@
#include "config.h"
#ifdef BROv6
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#endif
#include "Reporter.h"
#include "net_util.h"
#include "IPAddr.h"
// - adapted from tcpdump
// Returns the ones-complement checksum of a chunk of b short-aligned bytes.
@ -81,7 +80,6 @@ int udp_checksum(const struct ip* ip, const struct udphdr* up, int len)
return sum;
}
#ifdef BROv6
int udp6_checksum(const struct ip6_hdr* ip6, const struct udphdr* up, int len)
{
// UDP over IPv6 uses the same checksum function as over IPv4 but a
@ -135,7 +133,6 @@ int icmp6_checksum(const struct icmp* icmpp, const struct ip6_hdr* ip6, int len)
return sum;
}
#endif
int icmp_checksum(const struct icmp* icmpp, int len)
{
@ -172,225 +169,27 @@ char addr_to_class(uint32 addr)
return 'A';
}
uint32 addr_to_net(uint32 addr)
const char* fmt_conn_id(const IPAddr& src_addr, uint32 src_port,
const IPAddr& dst_addr, uint32 dst_port)
{
if ( CHECK_CLASS(addr, CLASS_D) )
; // class D's are left alone ###
else if ( CHECK_CLASS(addr, CLASS_C) )
addr = addr & 0xffffff00;
else if ( CHECK_CLASS(addr, CLASS_B) )
addr = addr & 0xffff0000;
else
addr = addr & 0xff000000;
static char buffer[512];
return addr;
}
safe_snprintf(buffer, sizeof(buffer), "%s:%d > %s:%d",
string(src_addr).c_str(), src_port,
string(dst_addr).c_str(), dst_port);
const char* dotted_addr(uint32 addr, int alternative)
{
addr = ntohl(addr);
const char* fmt = alternative ? "%d,%d.%d.%d" : "%d.%d.%d.%d";
static char buf[32];
snprintf(buf, sizeof(buf), fmt,
addr >> 24, (addr >> 16) & 0xff,
(addr >> 8) & 0xff, addr & 0xff);
return buf;
}
const char* dotted_addr(const uint32* addr, int alternative)
{
#ifdef BROv6
if ( is_v4_addr(addr) )
return dotted_addr(addr[3], alternative);
static char buf[256];
if ( inet_ntop(AF_INET6, addr, buf, sizeof buf) == NULL )
return "<bad IPv6 address conversion>";
return buf;
#else
return dotted_addr(to_v4_addr(addr), alternative);
#endif
}
const char* dotted_net(uint32 addr)
{
addr = ntohl(addr);
static char buf[32];
if ( CHECK_CLASS(addr, CLASS_D) )
sprintf(buf, "%d.%d.%d.%d",
addr >> 24, (addr >> 16) & 0xff,
(addr >> 8) & 0xff, addr & 0xff);
else if ( CHECK_CLASS(addr, CLASS_C) )
sprintf(buf, "%d.%d.%d",
addr >> 24, (addr >> 16) & 0xff, (addr >> 8) & 0xff);
else
// Same for class A's and B's.
sprintf(buf, "%d.%d", addr >> 24, (addr >> 16) & 0xff);
return buf;
}
#ifdef BROv6
const char* dotted_net6(const uint32* addr)
{
if ( is_v4_addr(addr) )
return dotted_net(to_v4_addr(addr));
else
// ### this isn't right, but net's should go away eventually ...
return dotted_addr(addr);
}
#endif
uint32 dotted_to_addr(const char* addr_text)
{
int addr[4];
if ( sscanf(addr_text,
"%d.%d.%d.%d", addr+0, addr+1, addr+2, addr+3) != 4 )
{
reporter->Error("bad dotted address: %s", addr_text );
return 0;
}
if ( addr[0] < 0 || addr[1] < 0 || addr[2] < 0 || addr[3] < 0 ||
addr[0] > 255 || addr[1] > 255 || addr[2] > 255 || addr[3] > 255 )
{
reporter->Error("bad dotted address: %s", addr_text);
return 0;
}
uint32 a = (addr[0] << 24) | (addr[1] << 16) | (addr[2] << 8) | addr[3];
// ### perhaps do gethostbyaddr here?
return uint32(htonl(a));
}
#ifdef BROv6
uint32* dotted_to_addr6(const char* addr_text)
{
uint32* addr = new uint32[4];
if ( inet_pton(AF_INET6, addr_text, addr) <= 0 )
{
reporter->Error("bad IPv6 address: %s", addr_text );
addr[0] = addr[1] = addr[2] = addr[3] = 0;
}
return addr;
}
#endif
#ifdef BROv6
int is_v4_addr(const uint32 addr[4])
{
return addr[0] == 0 && addr[1] == 0 && addr[2] == 0;
}
#endif
uint32 to_v4_addr(const uint32* addr)
{
#ifdef BROv6
if ( ! is_v4_addr(addr) )
reporter->InternalError("conversion of non-IPv4 address to IPv4 address");
return addr[3];
#else
return addr[0];
#endif
}
uint32 mask_addr(uint32 a, uint32 top_bits_to_keep)
{
if ( top_bits_to_keep > 32 )
{
reporter->Error("bad address mask value %d", top_bits_to_keep);
return a;
}
if ( top_bits_to_keep == 0 )
// The shifts below don't have any effect with 0, i.e.,
// 1 << 32 does not yield 0; either due to compiler
// misoptimization or language semantics.
return 0;
uint32 addr = ntohl(a);
int shift = 32 - top_bits_to_keep;
addr >>= shift;
addr <<= shift;
return htonl(addr);
}
const uint32* mask_addr(const uint32* a, uint32 top_bits_to_keep)
{
#ifdef BROv6
static uint32 addr[4];
addr[0] = a[0];
addr[1] = a[1];
addr[2] = a[2];
addr[3] = a[3];
// This is a bit dicey: if it's a v4 address, then we interpret
// the mask as being with respect to 32 bits total, even though
// strictly speaking, the v4 address comprises the least-significant
// bits out of 128, rather than the most significant. However,
// we only do this if the mask itself is consistent for a 32-bit
// address.
uint32 max_bits = (is_v4_addr(a) && top_bits_to_keep <= 32) ? 32 : 128;
if ( top_bits_to_keep == 0 || top_bits_to_keep > max_bits )
{
reporter->Error("bad address mask value %s", top_bits_to_keep);
return addr;
}
int word = 3; // start zeroing out with word #3
int bits_to_chop = max_bits - top_bits_to_keep; // bits to discard
while ( bits_to_chop >= 32 )
{ // there's an entire word to discard
addr[word] = 0;
--word; // move on to next, more significant word
bits_to_chop -= 32; // we just go rid of 32 bits
}
// All that's left to work with now is the word pointed to by "word".
uint32 addr32 = ntohl(addr[word]);
addr32 >>= bits_to_chop;
addr32 <<= bits_to_chop;
addr[word] = htonl(addr32);
return addr;
#else
return a;
#endif
return buffer;
}
const char* fmt_conn_id(const uint32* src_addr, uint32 src_port,
const uint32* dst_addr, uint32 dst_port)
{
char addr1[128], addr2[128];
static char buffer[512];
strcpy(addr1, dotted_addr(src_addr));
strcpy(addr2, dotted_addr(dst_addr));
safe_snprintf(buffer, sizeof(buffer), "%s:%d > %s:%d",
addr1, src_port, addr2, dst_port);
return buffer;
IPAddr src(IPAddr::IPv6, src_addr, IPAddr::Network);
IPAddr dst(IPAddr::IPv6, dst_addr, IPAddr::Network);
return fmt_conn_id(src, src_port, dst, dst_port);
}
uint32 extract_uint32(const u_char* data)
{
uint32 val;

92
src/net_util.h
View file

@ -21,6 +21,7 @@
#include <netinet/ip_icmp.h>
#include "util.h"
#include "IPAddr.h"
#ifdef HAVE_NETINET_IP6_H
#include <netinet/ip6.h>
@ -32,30 +33,6 @@ struct ip6_hdr {
};
#endif
#include "util.h"
#ifdef BROv6
typedef uint32* addr_type; // a pointer to 4 uint32's
typedef const uint32* const_addr_type;
#define NUM_ADDR_WORDS 4
typedef struct {
uint32 net[4];
uint32 width;
} subnet_type;
#else
typedef uint32 addr_type;
typedef const uint32 const_addr_type;
#define NUM_ADDR_WORDS 1
typedef struct {
uint32 net;
uint32 width;
} subnet_type;
#endif
// For Solaris.
#if !defined(TCPOPT_WINDOW) && defined(TCPOPT_WSCALE)
#define TCPOPT_WINDOW TCPOPT_WSCALE
@ -86,81 +63,20 @@ extern int ones_complement_checksum(const void* p, int b, uint32 sum);
extern int tcp_checksum(const struct ip* ip, const struct tcphdr* tp, int len);
extern int udp_checksum(const struct ip* ip, const struct udphdr* up, int len);
extern int icmp_checksum(const struct icmp* icmpp, int len);
#ifdef BROv6
extern int udp6_checksum(const struct ip6_hdr* ip, const struct udphdr* up,
int len);
extern int icmp6_checksum(const struct icmp* icmpp, const struct ip6_hdr* ip6,
int len);
#endif
extern int icmp_checksum(const struct icmp* icmpp, int len);
// Given an address in host order, returns its "classical network prefix",
// also in host order.
extern uint32 addr_to_net(uint32 addr);
// Returns 'A', 'B', 'C' or 'D'
extern char addr_to_class(uint32 addr);
// Returns a pointer to static storage giving the ASCII dotted representation
// of the given address, which should be passed in network order.
extern const char* dotted_addr(uint32 addr, int alternative=0);
extern const char* dotted_addr(const uint32* addr, int alternative=0);
// Same, but for the network prefix.
extern const char* dotted_net(uint32 addr);
extern const char* dotted_net6(const uint32* addr);
// Given an ASCII dotted representation, returns the corresponding address
// in network order.
extern uint32 dotted_to_addr(const char* addr_text);
extern uint32* dotted_to_addr6(const char* addr_text);
extern int is_v4_addr(const uint32 addr[4]);
extern uint32 to_v4_addr(const uint32* addr);
extern uint32 mask_addr(uint32 a, uint32 top_bits_to_keep);
extern const uint32* mask_addr(const uint32* a, uint32 top_bits_to_keep);
extern const char* fmt_conn_id(const IPAddr& src_addr, uint32 src_port,
const IPAddr& dst_addr, uint32 dst_port);
extern const char* fmt_conn_id(const uint32* src_addr, uint32 src_port,
const uint32* dst_addr, uint32 dst_port);
inline void copy_addr(const uint32* src_a, uint32* dst_a)
{
#ifdef BROv6
dst_a[0] = src_a[0];
dst_a[1] = src_a[1];
dst_a[2] = src_a[2];
dst_a[3] = src_a[3];
#else
dst_a[0] = src_a[0];
#endif
}
inline int addr_eq(const uint32* a1, const uint32* a2)
{
#ifdef BROv6
return a1[0] == a2[0] &&
a1[1] == a2[1] &&
a1[2] == a2[2] &&
a1[3] == a2[3];
#else
return a1[0] == a2[0];
#endif
}
inline int subnet_eq(const subnet_type* s1, const subnet_type* s2)
{
#ifdef BROv6
return s1->net[0] == s2->net[0] &&
s1->net[1] == s2->net[1] &&
s1->net[2] == s2->net[2] &&
s1->net[3] == s2->net[3] &&
s1->width == s2->width;
#else
return s1->net == s2->net && s1->width == s2->width;
#endif
}
// Read 4 bytes from data and return in network order.
extern uint32 extract_uint32(const u_char* data);

2
src/patricia.c
View file

@ -259,7 +259,7 @@ New_Prefix2 (int family, void *dest, int bitlen, prefix_t *prefix)
if (family == AF_INET6) {
default_bitlen = 128;
if (prefix == NULL) {
prefix = calloc(1, sizeof (prefix6_t));
prefix = calloc(1, sizeof (prefix_t));
dynamic_allocated++;
}
memcpy (&prefix->add.sin6, dest, 16);

2
src/patricia.h
View file

@ -53,11 +53,9 @@
#include <sys/types.h>
#ifdef BROv6
#ifndef HAVE_IPV6
#define HAVE_IPV6
#endif
#endif
/* typedef unsigned int u_int; */
typedef void (*void_fn_t)();

4
testing/btest/Baseline/bifs.addr_count_conversion/output Normal file
View file

@ -0,0 +1,4 @@
[536939960, 2242052096, 35374, 57701172]
2001:db8:85a3::8a2e:370:7334
[16909060]
1.2.3.4

2
testing/btest/Baseline/bifs.addr_to_ptr_name/output Normal file
View file

@ -0,0 +1,2 @@
2.1.0.1.0.0.0.0.0.0.0.0.0.0.0.0.2.0.8.0.9.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa
52.225.125.74.in-addr.arpa

4
testing/btest/Baseline/bifs.addr_version/out Normal file
View file

@ -0,0 +1,4 @@
T
F
F
T

2
testing/btest/Baseline/bifs.net_stats_trace/output
View file

@ -1 +1 @@
[pkts_recvd=131, pkts_dropped=0, pkts_link=0]
[pkts_recvd=136, pkts_dropped=0, pkts_link=0]

2
testing/btest/Baseline/bifs.ptr_name_to_addr/output Normal file
View file

@ -0,0 +1,2 @@
2607:f8b0:4009:802::1012
74.125.225.52

2
testing/btest/Baseline/core.conn-uid/counts
View file

@ -1 +1 @@
62
68

81
testing/btest/Baseline/core.conn-uid/output
View file

@ -1,40 +1,43 @@
[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], arKYeMETxOg
[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], k6kgXLOoSKl
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], nQcgTWjvg4c
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], nQcgTWjvg4c
[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], j4u32Pc5bif
[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], TEfuqmmG4bh
[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], FrJExwHcSal
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 5OKnoww6xl4
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 3PKsZ2Uye21
[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], VW0XPVINV8a
[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], fRFu0wcOle6
[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], qSsw6ESzHV4
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], iE6yhOq3SF
[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], GSxOnSLghOa
[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], qCaWGmzFtM5
[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], 70MGiRM1Qf4
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], h5DsfNtYzi1
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], P654jzLoe3a
[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], Tw8jXtpTGu6
[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], c4Zw9TmAE05
[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], EAr0uf4mhq
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], GvmoxJFXdTa
[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], 0Q4FH8sESw5
[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], slFea8xwSmb
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], UfGkYA2HI2g
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 3PKsZ2Uye21
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 5OKnoww6xl4
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], iE6yhOq3SF
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], P654jzLoe3a
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], h5DsfNtYzi1
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], GvmoxJFXdTa
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], UfGkYA2HI2g
[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], i2rO3KD1Syg
[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], i2rO3KD1Syg
[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 2cx26uAvUPl
[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], BWaU4aSuwkc
[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], 10XodEwRycf
[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], zno26fFZkrh
[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], v5rgkJBig5l
[orig_h=fe80::217:f2ff:fed7:cf65, orig_p=5353/udp, resp_h=ff02::fb, resp_p=5353/udp], arKYeMETxOg
[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], k6kgXLOoSKl
[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], nQcgTWjvg4c
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], j4u32Pc5bif
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], j4u32Pc5bif
[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], TEfuqmmG4bh
[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], FrJExwHcSal
[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], 5OKnoww6xl4
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 3PKsZ2Uye21
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], VW0XPVINV8a
[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], fRFu0wcOle6
[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], qSsw6ESzHV4
[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], iE6yhOq3SF
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], GSxOnSLghOa
[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], qCaWGmzFtM5
[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], 70MGiRM1Qf4
[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], h5DsfNtYzi1
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], P654jzLoe3a
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], Tw8jXtpTGu6
[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], c4Zw9TmAE05
[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], EAr0uf4mhq
[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], GvmoxJFXdTa
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 0Q4FH8sESw5
[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], slFea8xwSmb
[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], UfGkYA2HI2g
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], i2rO3KD1Syg
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], VW0XPVINV8a
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 3PKsZ2Uye21
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], GSxOnSLghOa
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], Tw8jXtpTGu6
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], P654jzLoe3a
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 0Q4FH8sESw5
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], i2rO3KD1Syg
[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], 2cx26uAvUPl
[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], 2cx26uAvUPl
[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], BWaU4aSuwkc
[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], 10XodEwRycf
[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp], zno26fFZkrh
[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], v5rgkJBig5l
[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp], eWZCH7OONC1
[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], 0Pwk3ntf8O3
[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], 0HKorjr8Zp7

81
testing/btest/Baseline/core.conn-uid/output.cc
View file

@ -1,40 +1,43 @@
[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], arKYeMETxOg
[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], k6kgXLOoSKl
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], nQcgTWjvg4c
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], nQcgTWjvg4c
[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], j4u32Pc5bif
[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], TEfuqmmG4bh
[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], FrJExwHcSal
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 5OKnoww6xl4
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 3PKsZ2Uye21
[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], VW0XPVINV8a
[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], fRFu0wcOle6
[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], qSsw6ESzHV4
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], iE6yhOq3SF
[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], GSxOnSLghOa
[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], qCaWGmzFtM5
[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], 70MGiRM1Qf4
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], h5DsfNtYzi1
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], P654jzLoe3a
[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], Tw8jXtpTGu6
[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], c4Zw9TmAE05
[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], EAr0uf4mhq
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], GvmoxJFXdTa
[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], 0Q4FH8sESw5
[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], slFea8xwSmb
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], UfGkYA2HI2g
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 3PKsZ2Uye21
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 5OKnoww6xl4
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], iE6yhOq3SF
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], P654jzLoe3a
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], h5DsfNtYzi1
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], GvmoxJFXdTa
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], UfGkYA2HI2g
[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], i2rO3KD1Syg
[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], i2rO3KD1Syg
[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 2cx26uAvUPl
[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], BWaU4aSuwkc
[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], 10XodEwRycf
[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], zno26fFZkrh
[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], v5rgkJBig5l
[orig_h=fe80::217:f2ff:fed7:cf65, orig_p=5353/udp, resp_h=ff02::fb, resp_p=5353/udp], arKYeMETxOg
[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], k6kgXLOoSKl
[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], nQcgTWjvg4c
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], j4u32Pc5bif
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], j4u32Pc5bif
[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], TEfuqmmG4bh
[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], FrJExwHcSal
[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], 5OKnoww6xl4
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 3PKsZ2Uye21
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], VW0XPVINV8a
[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], fRFu0wcOle6
[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], qSsw6ESzHV4
[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], iE6yhOq3SF
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], GSxOnSLghOa
[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], qCaWGmzFtM5
[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], 70MGiRM1Qf4
[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], h5DsfNtYzi1
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], P654jzLoe3a
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], Tw8jXtpTGu6
[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], c4Zw9TmAE05
[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], EAr0uf4mhq
[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], GvmoxJFXdTa
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 0Q4FH8sESw5
[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], slFea8xwSmb
[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], UfGkYA2HI2g
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], i2rO3KD1Syg
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], VW0XPVINV8a
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 3PKsZ2Uye21
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], GSxOnSLghOa
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], Tw8jXtpTGu6
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], P654jzLoe3a
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 0Q4FH8sESw5
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], i2rO3KD1Syg
[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], 2cx26uAvUPl
[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], 2cx26uAvUPl
[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], BWaU4aSuwkc
[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], 10XodEwRycf
[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp], zno26fFZkrh
[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], v5rgkJBig5l
[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp], eWZCH7OONC1
[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], 0Pwk3ntf8O3
[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], 0HKorjr8Zp7

81
testing/btest/Baseline/core.conn-uid/output.cc2
View file

@ -1,40 +1,43 @@
[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], arKYeMETxOg
[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], k6kgXLOoSKl
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], nQcgTWjvg4c
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], nQcgTWjvg4c
[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], j4u32Pc5bif
[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], TEfuqmmG4bh
[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], FrJExwHcSal
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 5OKnoww6xl4
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 3PKsZ2Uye21
[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], VW0XPVINV8a
[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], fRFu0wcOle6
[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], qSsw6ESzHV4
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], iE6yhOq3SF
[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], GSxOnSLghOa
[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], qCaWGmzFtM5
[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], 70MGiRM1Qf4
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], h5DsfNtYzi1
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], P654jzLoe3a
[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], Tw8jXtpTGu6
[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], c4Zw9TmAE05
[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], EAr0uf4mhq
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], GvmoxJFXdTa
[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], 0Q4FH8sESw5
[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], slFea8xwSmb
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], UfGkYA2HI2g
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 3PKsZ2Uye21
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 5OKnoww6xl4
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], iE6yhOq3SF
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], P654jzLoe3a
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], h5DsfNtYzi1
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], GvmoxJFXdTa
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], UfGkYA2HI2g
[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], i2rO3KD1Syg
[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], i2rO3KD1Syg
[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 2cx26uAvUPl
[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], BWaU4aSuwkc
[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], 10XodEwRycf
[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], zno26fFZkrh
[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], v5rgkJBig5l
[orig_h=fe80::217:f2ff:fed7:cf65, orig_p=5353/udp, resp_h=ff02::fb, resp_p=5353/udp], arKYeMETxOg
[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], k6kgXLOoSKl
[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], nQcgTWjvg4c
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], j4u32Pc5bif
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], j4u32Pc5bif
[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], TEfuqmmG4bh
[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], FrJExwHcSal
[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], 5OKnoww6xl4
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 3PKsZ2Uye21
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], VW0XPVINV8a
[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], fRFu0wcOle6
[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], qSsw6ESzHV4
[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], iE6yhOq3SF
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], GSxOnSLghOa
[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], qCaWGmzFtM5
[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], 70MGiRM1Qf4
[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], h5DsfNtYzi1
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], P654jzLoe3a
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], Tw8jXtpTGu6
[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], c4Zw9TmAE05
[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], EAr0uf4mhq
[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], GvmoxJFXdTa
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 0Q4FH8sESw5
[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], slFea8xwSmb
[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], UfGkYA2HI2g
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], i2rO3KD1Syg
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], VW0XPVINV8a
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 3PKsZ2Uye21
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], GSxOnSLghOa
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], Tw8jXtpTGu6
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], P654jzLoe3a
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 0Q4FH8sESw5
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], i2rO3KD1Syg
[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], 2cx26uAvUPl
[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], 2cx26uAvUPl
[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], BWaU4aSuwkc
[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], 10XodEwRycf
[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp], zno26fFZkrh
[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], v5rgkJBig5l
[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp], eWZCH7OONC1
[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], 0Pwk3ntf8O3
[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], 0HKorjr8Zp7

32
testing/btest/Baseline/core.print-bpf-filters-ipv4/output
View file

@ -1,32 +0,0 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter
#fields ts node filter init success
#types time string string bool bool
1324314285.981347 - not ip6 T T
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter
#fields ts node filter init success
#types time string string bool bool
1324314286.168294 - (((((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (port 6669)) or (udp and port 5353)) or (port 6668)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port 25 or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)) and (not ip6) T T
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter
#fields ts node filter init success
#types time string string bool bool
1324314286.350780 - port 42 T T
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter
#fields ts node filter init success
#types time string string bool bool
1324314286.530768 - port 56730 T T

2
testing/btest/Baseline/core.print-bpf-filters-ipv6/conn.log
View file

@ -1,2 +0,0 @@
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history notice_tags
1128727435.4509 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp - 1.73330307006836 98 9417 SF - 0 ShADdFaf -

8
testing/btest/Baseline/core.print-bpf-filters-ipv6/output
View file

@ -1,8 +0,0 @@
# ts node filter init success
1308603220.46822 - ip or not ip F T
# ts node filter init success
1308603220.51607 - tcp port 22 F T
# ts node filter init success
1308603220.55432 - port 42 F T
# ts node filter init success
1308603220.59452 - port 56730 T T

0
testing/btest/Baseline/core.print-bpf-filters-ipv4/conn.log → testing/btest/Baseline/core.print-bpf-filters/conn.log
View file

32
testing/btest/Baseline/core.print-bpf-filters/output Normal file
View file

@ -0,0 +1,32 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter
#fields ts node filter init success
#types time string string bool bool
1328294052.330721 - ip or not ip T T
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter
#fields ts node filter init success
#types time string string bool bool
1328294052.542418 - ((((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (port 6669)) or (udp and port 5353)) or (port 6668)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port 25 or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666) T T
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter
#fields ts node filter init success
#types time string string bool bool
1328294052.748480 - port 42 T T
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path packet_filter
#fields ts node filter init success
#types time string string bool bool
1328294052.952845 - port 56730 T T

6
testing/btest/Baseline/language.cross-product-init/output
View file

@ -1,6 +1,6 @@
{
[bar, 1.2.0.0/19] ,
[foo, 5.6.0.0/21] ,
[foo, 1.2.0.0/19] ,
[bar, 5.6.0.0/21] ,
[foo, 1.2.0.0/19]
[foo, 5.6.0.0/21] ,
[bar, 1.2.0.0/19]
}

3
testing/btest/Baseline/language.sizeof/output
View file

@ -1,4 +1,5 @@
Address 1.2.3.4: 16909060
IPv4 Address 1.2.3.4: 32
IPv6 Address ::1: 128
Boolean T: 1
Count 10: 10
Double -1.23: 1.230000

52
testing/btest/Baseline/scripts.base.frameworks.logging.path-func-column-demote/local.log
View file

@ -5,33 +5,33 @@
#path local
#fields ts id.orig_h
#types time addr
1300475168.652003 141.142.220.118
1300475168.724007 141.142.220.118
1300475168.859163 141.142.220.118
1300475168.902635 141.142.220.118
1300475168.892936 141.142.220.118
1300475168.892913 141.142.220.118
1300475168.855305 141.142.220.118
1300475168.855330 141.142.220.118
1300475168.652003 141.142.220.118
1300475168.895267 141.142.220.118
1300475168.853899 141.142.220.118
1300475168.893988 141.142.220.118
1300475168.894787 141.142.220.118
1300475173.117362 141.142.220.226
1300475173.153679 141.142.220.238
1300475168.857956 141.142.220.118
1300475168.854378 141.142.220.118
1300475168.854837 141.142.220.118
1300475167.099816 141.142.220.50
1300475168.855305 141.142.220.118
1300475168.859163 141.142.220.118
1300475168.892913 141.142.220.118
1300475168.724007 141.142.220.118
1300475168.892936 141.142.220.118
1300475168.902635 141.142.220.118
1300475168.891644 141.142.220.118
1300475168.892037 141.142.220.118
1300475171.677081 141.142.220.226
1300475168.894422 141.142.220.118
1300475167.096535 141.142.220.202
1300475168.858713 141.142.220.118
1300475168.902195 141.142.220.118
1300475169.899438 141.142.220.44
1300475168.892414 141.142.220.118
1300475168.858306 141.142.220.118
1300475168.901749 141.142.220.118
1300475170.862384 141.142.220.226
1300475168.853899 141.142.220.118
1300475168.854378 141.142.220.118
1300475168.857956 141.142.220.118
1300475173.117362 141.142.220.226
1300475168.858713 141.142.220.118
1300475167.096535 141.142.220.202
1300475167.099816 141.142.220.50
1300475168.892037 141.142.220.118
1300475168.893988 141.142.220.118
1300475168.854837 141.142.220.118
1300475169.899438 141.142.220.44
1300475168.858306 141.142.220.118
1300475168.894422 141.142.220.118
1300475173.153679 141.142.220.238
1300475168.892414 141.142.220.118
1300475171.677081 141.142.220.226
1300475168.902195 141.142.220.118
1300475168.894787 141.142.220.118
1300475168.901749 141.142.220.118

3
testing/btest/Baseline/scripts.base.frameworks.logging.path-func-column-demote/remote.log
View file

@ -6,3 +6,6 @@
#fields ts id.orig_h
#types time addr
1300475169.780331 173.192.163.128
1300475167.097012 fe80::217:f2ff:fed7:cf65
1300475171.675372 fe80::3074:17d5:2052:c324
1300475173.116749 fe80::3074:17d5:2052:c324

6
testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log
View file

@ -5,6 +5,6 @@
#path metrics
#fields ts metric_id filter_name index.host index.str index.network value
#types time enum string addr string subnet count
1324314335.570789 TEST_METRIC foo-bar 6.5.4.3 - - 4
1324314335.570789 TEST_METRIC foo-bar 1.2.3.4 - - 6
1324314335.570789 TEST_METRIC foo-bar 7.2.1.5 - - 2
1328303679.867377 TEST_METRIC foo-bar 6.5.4.3 - - 4
1328303679.867377 TEST_METRIC foo-bar 7.2.1.5 - - 2
1328303679.867377 TEST_METRIC foo-bar 1.2.3.4 - - 6

6
testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log
View file

@ -5,6 +5,6 @@
#path metrics
#fields ts metric_id filter_name index.host index.str index.network value
#types time enum string addr string subnet count
1324314344.807073 TEST_METRIC foo-bar 6.5.4.3 - - 2
1324314344.807073 TEST_METRIC foo-bar 1.2.3.4 - - 3
1324314344.807073 TEST_METRIC foo-bar 7.2.1.5 - - 1
1328303763.333948 TEST_METRIC foo-bar 6.5.4.3 - - 2
1328303763.333948 TEST_METRIC foo-bar 7.2.1.5 - - 1
1328303763.333948 TEST_METRIC foo-bar 1.2.3.4 - - 3

11
testing/btest/bifs/addr_count_conversion.bro Normal file
View file

@ -0,0 +1,11 @@
# @TEST-EXEC: bro %INPUT >output
# @TEST-EXEC: btest-diff output
global v: index_vec;
v = addr_to_counts(2001:0db8:85a3:0000:0000:8a2e:0370:7334);
print v;
print counts_to_addr(v);
v = addr_to_counts(1.2.3.4);
print v;
print counts_to_addr(v);

6
testing/btest/bifs/addr_to_ptr_name.bro Normal file
View file

@ -0,0 +1,6 @@
# @TEST-EXEC: bro %INPUT >output
# @TEST-EXEC: btest-diff output
print addr_to_ptr_name(2607:f8b0:4009:802::1012);
print addr_to_ptr_name(74.125.225.52);

7
testing/btest/bifs/addr_version.bro Normal file
View file

@ -0,0 +1,7 @@
# @TEST-EXEC: bro %INPUT >out
# @TEST-EXEC: btest-diff out
print is_v4_addr(1.2.3.4);
print is_v4_addr(::1);
print is_v6_addr(1.2.3.4);
print is_v6_addr(::1);

8
testing/btest/bifs/ptr_name_to_addr.bro Normal file
View file

@ -0,0 +1,8 @@
# @TEST-EXEC: bro %INPUT >output
# @TEST-EXEC: btest-diff output
global v6 = ptr_name_to_addr("2.1.0.1.0.0.0.0.0.0.0.0.0.0.0.0.2.0.8.0.9.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa");
global v4 = ptr_name_to_addr("52.225.125.74.in-addr.arpa");
print v6;
print v4;

12
testing/btest/core/print-bpf-filters-ipv4.bro
View file

@ -1,12 +0,0 @@
# @TEST-REQUIRES: bro -e 'print bro_has_ipv6()' | grep -q F
#
# @TEST-EXEC: bro -r $TRACES/empty.trace -e '' >output
# @TEST-EXEC: cat packet_filter.log >>output
# @TEST-EXEC: bro -r $TRACES/empty.trace PacketFilter::all_packets=F >>output
# @TEST-EXEC: cat packet_filter.log >>output
# @TEST-EXEC: bro -r $TRACES/empty.trace -f "port 42" -e '' >>output
# @TEST-EXEC: cat packet_filter.log >>output
# @TEST-EXEC: bro -r $TRACES/empty.trace -C -f "port 56730" -r $TRACES/mixed-vlan-mpls.trace >>output
# @TEST-EXEC: cat packet_filter.log >>output
# @TEST-EXEC: btest-diff output
# @TEST-EXEC: btest-diff conn.log

Some files were not shown because too many files have changed in this diff Show more