Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

gtpv1: Replace connection_state_remove() with RemovalHook

Browse source
This commit is contained in:
Arne Welzel 2024-09-12 22:20:47 +02:00
parent 34956f4ca4
commit 9d4025804d
3 changed files with 28 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

13
scripts/base/packet-protocols/gtpv1/main.zeek
View file

@ -3,11 +3,15 @@ module PacketAnalyzer::GTPV1;
# This needs to be loaded here so the function is available. Function BIFs normally aren't # This needs to be loaded here so the function is available. Function BIFs normally aren't
# loaded until after the packet analysis init scripts are run, and then zeek complains it # loaded until after the packet analysis init scripts are run, and then zeek complains it
# can't find the function. # can't find the function.
@load base/bif/plugins/Zeek_GTPv1.events.bif
@load base/bif/plugins/Zeek_GTPv1.functions.bif @load base/bif/plugins/Zeek_GTPv1.functions.bif
# Needed for port registration for BPF # Needed for port registration for BPF
@load base/frameworks/analyzer/main @load base/frameworks/analyzer/main
# Needed to register Conn::RemovalHook
@load base/protocols/conn/removal-hooks
export { export {
## Default analyzer ## Default analyzer
const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef; const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;
@ -21,7 +25,14 @@ event zeek_init() &priority=20
PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, gtpv1_ports); PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, gtpv1_ports);
} }
event connection_state_remove(c: connection) # The analyzer keeps a BinPac interpreter per connection
# that isn't cleaned due to being stored in a global table.
hook finalize_gtpv1(c: connection)
{ {
remove_gtpv1_connection(c$id); remove_gtpv1_connection(c$id);
} }
event new_gtpv1_state(c: connection)
{
Conn::register_removal_hook(c, finalize_gtpv1);
}

7
src/packet_analysis/protocol/gtpv1/GTPv1.cc
View file

@ -22,9 +22,14 @@ bool GTPv1_Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pack
zeek::detail::ConnKey conn_key = conn->Key(); zeek::detail::ConnKey conn_key = conn->Key();
auto cm_it = conn_map.find(conn_key); auto cm_it = conn_map.find(conn_key);
if ( cm_it == conn_map.end() ) if ( cm_it == conn_map.end() ) {
cm_it = conn_map.insert(cm_it, {conn_key, std::make_unique<binpac::GTPv1::GTPv1_Conn>(this)}); cm_it = conn_map.insert(cm_it, {conn_key, std::make_unique<binpac::GTPv1::GTPv1_Conn>(this)});
// Let script land know about the state we created, so it will
// register a conn removal hook for cleanup.
BifEvent::enqueue_new_gtpv1_state(nullptr, conn);
}
try { try {
cm_it->second->set_raw_packet(packet); cm_it->second->set_raw_packet(packet);
cm_it->second->NewData(packet->is_orig, data, data + len); cm_it->second->NewData(packet->is_orig, data, data + len);

10
src/packet_analysis/protocol/gtpv1/events.bif
View file

@ -1,3 +1,13 @@
module GLOBAL;
## Generated when a new GTP analyzer is instantiated for a connection.
##
## This event exists to install a connection removal hook to clear
## internal per-connection GTPv1 state.
##
## c: The connection for which the analyzer is instantiated.
event new_gtpv1_state%(c: connection%);
## Generated for any GTP message with a GTPv1 header. ## Generated for any GTP message with a GTPv1 header.
## ##
## c: The connection over which the message is sent. ## c: The connection over which the message is sent.