From 981be3b670c88ca742a9ff76d4f3bd5d4b1d1d30 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Wed, 18 Mar 2015 16:16:24 -0500
Subject: [PATCH] BIT-342: add "icmp_sent_payload" event.

---
 src/analyzer/protocol/icmp/ICMP.cc | 33 ++++++++++++------
 src/analyzer/protocol/icmp/ICMP.h | 4 +--
 src/analyzer/protocol/icmp/events.bif | 14 +++++++-
 .../btest/Baseline/core.icmp.icmp_sent/out | 2 ++
 testing/btest/Traces/icmp/icmp_sent.pcap | Bin 0 -> 134 bytes
 testing/btest/core/icmp/icmp_sent.bro | 12 +++++++
 6 files changed, 51 insertions(+), 14 deletions(-)
 create mode 100644 testing/btest/Baseline/core.icmp.icmp_sent/out
 create mode 100644 testing/btest/Traces/icmp/icmp_sent.pcap
 create mode 100644 testing/btest/core/icmp/icmp_sent.bro

diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICMP.cc
index 393b5536e8..84df7ab0d2 100644
--- a/src/analyzer/protocol/icmp/ICMP.cc
+++ b/src/analyzer/protocol/icmp/ICMP.cc
@@ -130,7 +130,7 @@ void ICMP_Analyzer::NextICMP4(double t, const struct icmp* icmpp, int len, int c
 break;
 default:
- ICMPEvent(icmp_sent, icmpp, len, 0, ip_hdr);
+ ICMP_Sent(icmpp, len, caplen, 0, data, ip_hdr);
 break;
 }
 }
@@ -172,7 +172,7 @@ void ICMP_Analyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int c
 RouterSolicit(t, icmpp, len, caplen, data, ip_hdr);
 break;
 case ICMP6_ROUTER_RENUMBERING:
- ICMPEvent(icmp_sent, icmpp, len, 1, ip_hdr);
+ ICMP_Sent(icmpp, len, caplen, 1, data, ip_hdr);
 break;
 #if 0
@@ -188,21 +188,32 @@ void ICMP_Analyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int c
 if ( icmpp->icmp_type < 128 )
 Context6(t, icmpp, len, caplen, data, ip_hdr);
 else
- ICMPEvent(icmp_sent, icmpp, len, 1, ip_hdr);
+ ICMP_Sent(icmpp, len, caplen, 1, data, ip_hdr);
 break;
 }
 }
-void ICMP_Analyzer::ICMPEvent(EventHandlerPtr f, const struct icmp* icmpp,
- int len, int icmpv6, const IP_Hdr* ip_hdr)
+void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
+ int icmpv6, const u_char* data,
+ const IP_Hdr* ip_hdr)
 {
- if ( ! f )
- return;
+ if ( icmp_sent )
+ {
+ val_list* vl = new val_list;
+ vl->append(BuildConnVal());
+ vl->append(BuildICMPVal(icmpp, len, icmpv6, ip_hdr));
+ ConnectionEvent(icmp_sent, vl);
+ }
- val_list* vl = new val_list;
- vl->append(BuildConnVal());
- vl->append(BuildICMPVal(icmpp, len, icmpv6, ip_hdr));
- ConnectionEvent(f, vl);
+ if ( icmp_sent_payload )
+ {
+ val_list* vl = new val_list;
+ vl->append(BuildConnVal());
+ vl->append(BuildICMPVal(icmpp, len, icmpv6, ip_hdr));
+ BroString* payload = new BroString(data, min(len, caplen), 0);
+ vl->append(new StringVal(payload));
+ ConnectionEvent(icmp_sent_payload, vl);
+ }
 }
 RecordVal* ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len,
diff --git a/src/analyzer/protocol/icmp/ICMP.h b/src/analyzer/protocol/icmp/ICMP.h
index d207b3813c..1de6a4afea 100644
--- a/src/analyzer/protocol/icmp/ICMP.h
+++ b/src/analyzer/protocol/icmp/ICMP.h
@@ -33,8 +33,8 @@ protected:
 virtual bool IsReuse(double t, const u_char* pkt);
 virtual unsigned int MemoryAllocation() const;
- void ICMPEvent(EventHandlerPtr f, const struct icmp* icmpp, int len,
- int icmpv6, const IP_Hdr* ip_hdr);
+ void ICMP_Sent(const struct icmp* icmpp, int len, int caplen, int icmpv6,
+ const u_char* data, const IP_Hdr* ip_hdr);
 void Echo(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
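Review bot: `BroString(data, min(len, caplen), 0)` in ICMP_Sent correctly limits the copy to the bytes actually captured, but when `caplen < len` the script-level `payload` is silently shorter than `icmp$len` with nothing telling the handler that the capture was cut short; the events.bif text for `payload` should say it is limited to the captured length, and if `len` or `caplen` can be negative by the time ICMP_Sent is reached (the earlier header handling is not in this hunk) the length handed to BroString should be clamped, `int n = max(0, min(len, caplen));`. A smaller point of style: when both handlers are registered, `BuildConnVal()` and `BuildICMPVal(...)` are evaluated twice; presumably that is deliberate because each val_list takes ownership of its entries, but a one-line comment saying so would save the next reader the question. The name `ICMP_Sent` also departs from the `Echo`/`RouterSolicit`/`Context6` naming of the sibling handlers. The enclosing NextICMP6 starts outside the hunk.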
diff --git a/src/analyzer/protocol/icmp/events.bif b/src/analyzer/protocol/icmp/events.bif
index c471ca0ee6..bd55f17b27 100644
--- a/src/analyzer/protocol/icmp/events.bif
+++ b/src/analyzer/protocol/icmp/events.bif
@@ -12,9 +12,21 @@
 ## icmp: Additional ICMP-specific information augmenting the standard
 ## connection record *c*.
 ##
-## .. bro:see:: icmp_error_message
+## .. bro:see:: icmp_error_message icmp_sent_payload
 event icmp_sent%(c: connection, icmp: icmp_conn%);
+## The same as :bro:see:`icmp_sent` except containing the ICMP payload.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard
+## connection record *c*.
+##
+## payload: The payload of the ICMP message.
+##
+## .. bro:see:: icmp_error_message icmp_sent_payload
+event icmp_sent_payload%(c: connection, icmp: icmp_conn, payload: string%);
 ## Generated for ICMP *echo request* messages.
 ##
 ## See `Wikipedia
diff --git a/testing/btest/Baseline/core.icmp.icmp_sent/out b/testing/btest/Baseline/core.icmp.icmp_sent/out
new file mode 100644
index 0000000000..cf8fe9e4e1
--- /dev/null
+++ b/testing/btest/Baseline/core.icmp.icmp_sent/out
@@ -0,0 +1,2 @@
+icmp_sent, [orig_h=fe80::2c23:b96c:78d:e116, orig_p=143/icmp, resp_h=ff02::16, resp_p=0/icmp], [orig_h=fe80::2c23:b96c:78d:e116, resp_h=ff02::16, itype=143, icode=0, len=20, hlim=1, v6=T]
+icmp_sent_payload, [orig_h=fe80::2c23:b96c:78d:e116, orig_p=143/icmp, resp_h=ff02::16, resp_p=0/icmp], [orig_h=fe80::2c23:b96c:78d:e116, resp_h=ff02::16, itype=143, icode=0, len=20, hlim=1, v6=T], 20
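Review bot: The `.. bro:see::` line added beneath `icmp_sent_payload` cross-references the event itself; it should point at the sibling event instead, `## .. bro:see:: icmp_error_message icmp_sent`. The `payload:` description would also benefit from saying what the string covers: the baseline added in this commit shows `|payload|` equal to `icmp$len`, which suggests the bytes following the common ICMP header rather than the whole message, and ICMP.cc bounds it by `min(len, caplen)`, so the reader should be told it may be cut to the captured length, e.g. `## payload: The payload of the ICMP message, limited to the bytes captured.`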
diff --git a/testing/btest/Traces/icmp/icmp_sent.pcap b/testing/btest/Traces/icmp/icmp_sent.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..0f0cfcb73e4c0d8791f829c4f1800283b162018c
GIT binary patch
literal 134
zcmca|c+)~A1{MYw`2U}Qff300DaYcSw}yow4#);!V`Cs8#=ucx!MLUEZUT_Qpu)iT yuK~nhV9-(CnZw@uQ0zYwgbyXftQc5out
+# @TEST-EXEC: btest-diff out
+
+event icmp_sent(c: connection, icmp: icmp_conn)
+ {
+ print "icmp_sent", c$id, icmp;
+ }
+
+event icmp_sent_payload(c: connection, icmp: icmp_conn, payload: string)
+ {
+ print "icmp_sent_payload", c$id, icmp, |payload|;
+ }