Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-16 13:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

BIT-342: add "icmp_sent_payload" event.

Browse source
This commit is contained in:
Jon Siwek 2015-03-18 16:16:24 -05:00
parent 567073ac09
commit 981be3b670
6 changed files with 51 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

33
src/analyzer/protocol/icmp/ICMP.cc
View file

@ -130,7 +130,7 @@ void ICMP_Analyzer::NextICMP4(double t, const struct icmp* icmpp, int len, int c
break; break;
default: default:
ICMPEvent(icmp_sent, icmpp, len, 0, ip_hdr); ICMP_Sent(icmpp, len, caplen, 0, data, ip_hdr);
break; break;
} }
} }
@ -172,7 +172,7 @@ void ICMP_Analyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int c
RouterSolicit(t, icmpp, len, caplen, data, ip_hdr); RouterSolicit(t, icmpp, len, caplen, data, ip_hdr);
break; break;
case ICMP6_ROUTER_RENUMBERING: case ICMP6_ROUTER_RENUMBERING:
ICMPEvent(icmp_sent, icmpp, len, 1, ip_hdr); ICMP_Sent(icmpp, len, caplen, 1, data, ip_hdr);
break; break;
#if 0 #if 0
@ -188,21 +188,32 @@ void ICMP_Analyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int c
if ( icmpp->icmp_type < 128 ) if ( icmpp->icmp_type < 128 )
Context6(t, icmpp, len, caplen, data, ip_hdr); Context6(t, icmpp, len, caplen, data, ip_hdr);
else else
ICMPEvent(icmp_sent, icmpp, len, 1, ip_hdr); ICMP_Sent(icmpp, len, caplen, 1, data, ip_hdr);
break; break;
} }
} }
void ICMP_Analyzer::ICMPEvent(EventHandlerPtr f, const struct icmp* icmpp, void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
int len, int icmpv6, const IP_Hdr* ip_hdr) int icmpv6, const u_char* data,
const IP_Hdr* ip_hdr)
{ {
if ( ! f ) if ( icmp_sent )
return; {
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(BuildICMPVal(icmpp, len, icmpv6, ip_hdr));
ConnectionEvent(icmp_sent, vl);
}
val_list* vl = new val_list; if ( icmp_sent_payload )
vl->append(BuildConnVal()); {
vl->append(BuildICMPVal(icmpp, len, icmpv6, ip_hdr)); val_list* vl = new val_list;
ConnectionEvent(f, vl); vl->append(BuildConnVal());
vl->append(BuildICMPVal(icmpp, len, icmpv6, ip_hdr));
BroString* payload = new BroString(data, min(len, caplen), 0);
vl->append(new StringVal(payload));
ConnectionEvent(icmp_sent_payload, vl);
}
} }
RecordVal* ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len, RecordVal* ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len,

4
src/analyzer/protocol/icmp/ICMP.h
View file

@ -33,8 +33,8 @@ protected:
virtual bool IsReuse(double t, const u_char* pkt); virtual bool IsReuse(double t, const u_char* pkt);
virtual unsigned int MemoryAllocation() const; virtual unsigned int MemoryAllocation() const;
void ICMPEvent(EventHandlerPtr f, const struct icmp* icmpp, int len, void ICMP_Sent(const struct icmp* icmpp, int len, int caplen, int icmpv6,
int icmpv6, const IP_Hdr* ip_hdr); const u_char* data, const IP_Hdr* ip_hdr);
void Echo(double t, const struct icmp* icmpp, int len, void Echo(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr); int caplen, const u_char*& data, const IP_Hdr* ip_hdr);

14
src/analyzer/protocol/icmp/events.bif
View file

@ -12,9 +12,21 @@
## icmp: Additional ICMP-specific information augmenting the standard ## icmp: Additional ICMP-specific information augmenting the standard
## connection record *c*. ## connection record *c*.
## ##
## .. bro:see:: icmp_error_message ## .. bro:see:: icmp_error_message icmp_sent_payload
event icmp_sent%(c: connection, icmp: icmp_conn%); event icmp_sent%(c: connection, icmp: icmp_conn%);
## The same as :bro:see:`icmp_sent` except containing the ICMP payload.
##
## c: The connection record for the corresponding ICMP flow.
##
## icmp: Additional ICMP-specific information augmenting the standard
## connection record *c*.
##
## payload: The payload of the ICMP message.
##
## .. bro:see:: icmp_error_message icmp_sent_payload
event icmp_sent_payload%(c: connection, icmp: icmp_conn, payload: string%);
## Generated for ICMP *echo request* messages. ## Generated for ICMP *echo request* messages.
## ##
## See `Wikipedia ## See `Wikipedia

2
testing/btest/Baseline/core.icmp.icmp_sent/out Normal file
View file

@ -0,0 +1,2 @@
icmp_sent, [orig_h=fe80::2c23:b96c:78d:e116, orig_p=143/icmp, resp_h=ff02::16, resp_p=0/icmp], [orig_h=fe80::2c23:b96c:78d:e116, resp_h=ff02::16, itype=143, icode=0, len=20, hlim=1, v6=T]
icmp_sent_payload, [orig_h=fe80::2c23:b96c:78d:e116, orig_p=143/icmp, resp_h=ff02::16, resp_p=0/icmp], [orig_h=fe80::2c23:b96c:78d:e116, resp_h=ff02::16, itype=143, icode=0, len=20, hlim=1, v6=T], 20

BIN
testing/btest/Traces/icmp/icmp_sent.pcap Normal file
View file

Binary file not shown.

12
testing/btest/core/icmp/icmp_sent.bro Normal file
View file

@ -0,0 +1,12 @@
# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp_sent.pcap %INPUT >out
# @TEST-EXEC: btest-diff out
event icmp_sent(c: connection, icmp: icmp_conn)
{
print "icmp_sent", c$id, icmp;
}
event icmp_sent_payload(c: connection, icmp: icmp_conn, payload: string)
{
print "icmp_sent_payload", c$id, icmp, |payload|;
}