Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

communityid: Do not include ports for non TCP, UDP, ICMP

Browse source 
Checked against the result of pycommunityid. The SCTP case
isn't quite right, because Zeek's core will not have extracted
any ports for SCTP.
This commit is contained in:
Arne Welzel 2024-11-14 09:31:52 +01:00
parent af4c21763f
commit b05f7a4d0e
3 changed files with 19 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

17
src/communityid.bif
View file

@ -23,6 +23,7 @@ function community_id_v1%(cid: conn_id, seed: count &default=0, do_base64: bool
uint8_t hash_padbyte = 0; uint8_t hash_padbyte = 0;
uint16_t hash_src_port = 0; uint16_t hash_src_port = 0;
uint16_t hash_dst_port = 0; uint16_t hash_dst_port = 0;
bool has_ports = true;
const auto& orig_addr = cid_rec->GetFieldAs<zeek::AddrVal>(0); const auto& orig_addr = cid_rec->GetFieldAs<zeek::AddrVal>(0);
const auto& orig_port = cid_rec->GetFieldAs<zeek::PortVal>(1); const auto& orig_port = cid_rec->GetFieldAs<zeek::PortVal>(1);
@ -57,6 +58,15 @@ function community_id_v1%(cid: conn_id, seed: count &default=0, do_base64: bool
} }
hash_proto = static_cast<uint8_t>(cid_proto); hash_proto = static_cast<uint8_t>(cid_proto);
has_ports = false;
// The following isn't right if the conn_id entry comes
// from Zeek's core, because there's no native SCTP support.
// Assuming someone used 80/unknown for an SCTP conn_id record,
// it still somehow works right.
if ( hash_proto == IPPROTO_SCTP )
has_ports = true;
break; break;
} }
default: default:
@ -107,8 +117,11 @@ function community_id_v1%(cid: conn_id, seed: count &default=0, do_base64: bool
dlen += digest_update(ctx, hash_dst_addr, is_ipv4 ? 4 : 16); dlen += digest_update(ctx, hash_dst_addr, is_ipv4 ? 4 : 16);
dlen += digest_update(ctx, &hash_proto, 1); dlen += digest_update(ctx, &hash_proto, 1);
dlen += digest_update(ctx, &hash_padbyte, 1); dlen += digest_update(ctx, &hash_padbyte, 1);
dlen += digest_update(ctx, &hash_src_port, 2);
dlen += digest_update(ctx, &hash_dst_port, 2); if ( has_ports ) {
dlen += digest_update(ctx, &hash_src_port, 2);
dlen += digest_update(ctx, &hash_dst_port, 2);
}
u_char digest[ZEEK_SHA_DIGEST_LENGTH]; u_char digest[ZEEK_SHA_DIGEST_LENGTH];
zeek::detail::hash_final(ctx, digest); zeek::detail::hash_final(ctx, digest);

4
testing/btest/Baseline/bifs.community_id.v1/out
View file

@ -9,5 +9,5 @@ PASS: expected '1:9pr4ZGTICiuZoIh90RRYE2RyXpU=', got '1:9pr4ZGTICiuZoIh90RRYE2Ry
PASS: expected '1:IO27GQzPuCtNnwFvjWALMHu5tJE=', got '1:IO27GQzPuCtNnwFvjWALMHu5tJE=' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=128/icmp, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=129/icmp, proto=1], seed=1) PASS: expected '1:IO27GQzPuCtNnwFvjWALMHu5tJE=', got '1:IO27GQzPuCtNnwFvjWALMHu5tJE=' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=128/icmp, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=129/icmp, proto=1], seed=1)
PASS: expected '', got '' ([orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=65535], seed=0) PASS: expected '', got '' ([orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=65535], seed=0)
PASS: expected '', got '' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=0/unknown, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=0/unknown, proto=65535], seed=1) PASS: expected '', got '' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=0/unknown, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=0/unknown, proto=65535], seed=1)
PASS: expected '1:yXTIO8p5F2ZhuXBcNBN8CsgCUTE=', got '1:yXTIO8p5F2ZhuXBcNBN8CsgCUTE=' ([orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=10], seed=0) PASS: expected '1:7bYuQ7nyGBIQn7uDcQ5WraAnhWI=', got '1:7bYuQ7nyGBIQn7uDcQ5WraAnhWI=' ([orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=10], seed=0)
PASS: expected '1:OrvlNyNZWyubXHIUHR/w18b5im8=', got '1:OrvlNyNZWyubXHIUHR/w18b5im8=' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=0/unknown, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=0/unknown, proto=10], seed=1) PASS: expected '1:rcMO2BlHXpMNFXyyWqSDUQCBRBc=', got '1:rcMO2BlHXpMNFXyyWqSDUQCBRBc=' ([orig_h=fe80:1:203:405:607:809:a0b:c0d, orig_p=0/unknown, resp_h=fe80:1011:1213:1415:1617:1819:1a1b:1c1d, resp_p=0/unknown, proto=10], seed=1)

4
testing/btest/bifs/community_id/v1.zeek
View file

@ -29,7 +29,7 @@ event zeek_init()
$resp_h=[fe80:1011:1213:1415:1617:1819:1A1B:1C1D], $resp_p=0/unknown], 1, ""); $resp_h=[fe80:1011:1213:1415:1617:1819:1A1B:1C1D], $resp_p=0/unknown], 1, "");
# Test with some unknown-but-valid proto values. # Test with some unknown-but-valid proto values.
test_it([$orig_h=1.2.3.4, $orig_p=0/unknown, $resp_h=5.6.7.8, $resp_p=0/unknown, $proto=10], 0, "1:yXTIO8p5F2ZhuXBcNBN8CsgCUTE="); test_it([$orig_h=1.2.3.4, $orig_p=0/unknown, $resp_h=5.6.7.8, $resp_p=0/unknown, $proto=10], 0, "1:7bYuQ7nyGBIQn7uDcQ5WraAnhWI=");
test_it([$orig_h=[fe80:0001:0203:0405:0607:0809:0A0B:0C0D], $orig_p=0/unknown, test_it([$orig_h=[fe80:0001:0203:0405:0607:0809:0A0B:0C0D], $orig_p=0/unknown,
$resp_h=[fe80:1011:1213:1415:1617:1819:1A1B:1C1D], $resp_p=0/unknown, $proto=10], 1, "1:OrvlNyNZWyubXHIUHR/w18b5im8="); $resp_h=[fe80:1011:1213:1415:1617:1819:1A1B:1C1D], $resp_p=0/unknown, $proto=10], 1, "1:rcMO2BlHXpMNFXyyWqSDUQCBRBc=");
} }