Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-16 13:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Add independent options to toggle the different decapsulation methods

Browse source
This commit is contained in:
Jon Siwek 2012-06-05 10:17:41 -05:00
parent 8540c4d0cd
commit 976e8db155
5 changed files with 24 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

11
scripts/base/init-bare.bro
View file

@ -2650,8 +2650,17 @@ const ignore_keep_alive_rexmit = F &redef;
module Tunnel; module Tunnel;
export { export {
## The maximum depth of a tunnel to decapsulate until giving up. ## The maximum depth of a tunnel to decapsulate until giving up.
## Setting this to zero will disable tunnel decapsulation. ## Setting this to zero will disable all types of tunnel decapsulation.
const max_depth: count = 2 &redef; const max_depth: count = 2 &redef;
## Toggle whether to do IPv{4,6}-in-IPv{4,6} decapsulation.
const enable_ip = T &redef;
## Toggle whether to do IPv{4,6}-in-AYIYA decapsulation.
const enable_ayiya = T &redef;
## Toggle whether to do IPv6-in-Teredo decapsulation.
const enable_teredo = T &redef;
} # end export } # end export
module GLOBAL; module GLOBAL;

4
src/AYIYA.h
View file

@ -16,8 +16,8 @@ public:
{ return new AYIYA_Analyzer(conn); } { return new AYIYA_Analyzer(conn); }
static bool Available() static bool Available()
// TODO: specific option to turn off AYIYA analysis { return BifConst::Tunnel::enable_ayiya &&
{ return BifConst::Tunnel::max_depth > 0; } BifConst::Tunnel::max_depth > 0; }
protected: protected:
friend class AnalyzerTimer; friend class AnalyzerTimer;

7
src/Sessions.cc
View file

@ -523,6 +523,13 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
case IPPROTO_IPV4: case IPPROTO_IPV4:
case IPPROTO_IPV6: case IPPROTO_IPV6:
{ {
if ( ! BifConst::Tunnel::enable_ip )
{
reporter->Weird(ip_hdr->SrcAddr(), ip_hdr->DstAddr(), "IP_tunnel");
Remove(f);
return;
}
if ( encapsulation && if ( encapsulation &&
encapsulation->Depth() >= BifConst::Tunnel::max_depth ) encapsulation->Depth() >= BifConst::Tunnel::max_depth )
{ {

4
src/Teredo.h
View file

@ -21,8 +21,8 @@ public:
{ return new Teredo_Analyzer(conn); } { return new Teredo_Analyzer(conn); }
static bool Available() static bool Available()
//TODO: specific option to turn off Teredo analysis? { return BifConst::Tunnel::enable_teredo &&
{ return BifConst::Tunnel::max_depth > 0; } BifConst::Tunnel::max_depth > 0; }
/** /**
* Emits a weird only if the analyzer has previously been able to * Emits a weird only if the analyzer has previously been able to

3
src/const.bif
View file

@ -12,5 +12,8 @@ const NFS3::return_data_max: count;
const NFS3::return_data_first_only: bool; const NFS3::return_data_first_only: bool;
const Tunnel::max_depth: count; const Tunnel::max_depth: count;
const Tunnel::enable_ip: bool;
const Tunnel::enable_ayiya: bool;
const Tunnel::enable_teredo: bool;
const Threading::heartbeat_interval: interval; const Threading::heartbeat_interval: interval;