mirror of
https://github.com/zeek/zeek.git
synced 2025-10-06 00:28:21 +00:00
Reformat the world
This commit is contained in:
Tim Wojtulewicz
parent
194cb24547
commit
b2f171ec69
714 changed files with 35149 additions and 35203 deletions
156
src/Conn.h
156
src/Conn.h
|
|
@ -3,26 +3,25 @@
|
|||
#pragma once
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <string>
|
||||
#include <tuple>
|
||||
#include <type_traits>
|
||||
|
||||
#include "zeek/Dict.h"
|
||||
#include "zeek/Timer.h"
|
||||
#include "zeek/Rule.h"
|
||||
#include "zeek/IPAddr.h"
|
||||
#include "zeek/IntrusivePtr.h"
|
||||
#include "zeek/Rule.h"
|
||||
#include "zeek/Timer.h"
|
||||
#include "zeek/UID.h"
|
||||
#include "zeek/WeirdState.h"
|
||||
#include "zeek/ZeekArgs.h"
|
||||
#include "zeek/IntrusivePtr.h"
|
||||
#include "zeek/session/Session.h"
|
||||
#include "zeek/iosource/Packet.h"
|
||||
|
||||
#include "zeek/analyzer/Tag.h"
|
||||
#include "zeek/analyzer/Analyzer.h"
|
||||
#include "zeek/analyzer/Tag.h"
|
||||
#include "zeek/iosource/Packet.h"
|
||||
#include "zeek/session/Session.h"
|
||||
|
||||
namespace zeek {
|
||||
namespace zeek
|
||||
{
|
||||
|
||||
class Connection;
|
||||
class EncapsulationStack;
|
||||
|
|
@ -32,47 +31,59 @@ class RecordVal;
|
|||
using ValPtr = IntrusivePtr<Val>;
|
||||
using RecordValPtr = IntrusivePtr<RecordVal>;
|
||||
|
||||
namespace session { class Manager; }
|
||||
namespace detail {
|
||||
namespace session
|
||||
{
|
||||
class Manager;
|
||||
}
|
||||
namespace detail
|
||||
{
|
||||
|
||||
class Specific_RE_Matcher;
|
||||
class RuleEndpointState;
|
||||
class RuleHdrTest;
|
||||
|
||||
} // namespace detail
|
||||
} // namespace detail
|
||||
|
||||
namespace analyzer { class Analyzer; }
|
||||
namespace packet_analysis::IP { class SessionAdapter; }
|
||||
namespace analyzer
|
||||
{
|
||||
class Analyzer;
|
||||
}
|
||||
namespace packet_analysis::IP
|
||||
{
|
||||
class SessionAdapter;
|
||||
}
|
||||
|
||||
enum ConnEventToFlag {
|
||||
enum ConnEventToFlag
|
||||
{
|
||||
NUL_IN_LINE,
|
||||
SINGULAR_CR,
|
||||
SINGULAR_LF,
|
||||
NUM_EVENTS_TO_FLAG,
|
||||
};
|
||||
};
|
||||
|
||||
struct ConnTuple {
|
||||
struct ConnTuple
|
||||
{
|
||||
IPAddr src_addr;
|
||||
IPAddr dst_addr;
|
||||
uint32_t src_port;
|
||||
uint32_t dst_port;
|
||||
bool is_one_way; // if true, don't canonicalize order
|
||||
bool is_one_way; // if true, don't canonicalize order
|
||||
TransportProto proto;
|
||||
};
|
||||
};
|
||||
|
||||
using ConnID [[deprecated("Remove in v5.1. Use zeek::ConnTuple.")]] = ConnTuple;
|
||||
|
||||
static inline int addr_port_canon_lt(const IPAddr& addr1, uint32_t p1,
|
||||
const IPAddr& addr2, uint32_t p2)
|
||||
static inline int addr_port_canon_lt(const IPAddr& addr1, uint32_t p1, const IPAddr& addr2,
|
||||
uint32_t p2)
|
||||
{
|
||||
return addr1 < addr2 || (addr1 == addr2 && p1 < p2);
|
||||
}
|
||||
|
||||
class Connection final : public session::Session {
|
||||
class Connection final : public session::Session
|
||||
{
|
||||
public:
|
||||
|
||||
Connection(const detail::ConnKey& k, double t, const ConnTuple* id,
|
||||
uint32_t flow, const Packet* pkt);
|
||||
Connection(const detail::ConnKey& k, double t, const ConnTuple* id, uint32_t flow,
|
||||
const Packet* pkt);
|
||||
~Connection() override;
|
||||
|
||||
/**
|
||||
|
|
@ -101,34 +112,32 @@ public:
|
|||
// If record_content is true, then its entire contents should
|
||||
// be recorded, otherwise just up through the transport header.
|
||||
// Both are assumed set to true when called.
|
||||
void NextPacket(double t, bool is_orig,
|
||||
const IP_Hdr* ip, int len, int caplen,
|
||||
const u_char*& data,
|
||||
int& record_packet, int& record_content,
|
||||
void NextPacket(double t, bool is_orig, const IP_Hdr* ip, int len, int caplen,
|
||||
const u_char*& data, int& record_packet, int& record_content,
|
||||
// arguments for reproducing packets
|
||||
const Packet *pkt);
|
||||
const Packet* pkt);
|
||||
|
||||
// Keys are only considered valid for a connection when a
|
||||
// connection is in the session map. If it is removed, the key
|
||||
// should be marked invalid.
|
||||
const detail::ConnKey& Key() const { return key; }
|
||||
const detail::ConnKey& Key() const { return key; }
|
||||
session::detail::Key SessionKey(bool copy) const override
|
||||
{
|
||||
return session::detail::Key{
|
||||
&key, sizeof(key), session::detail::Key::CONNECTION_KEY_TYPE, copy};
|
||||
return session::detail::Key{&key, sizeof(key), session::detail::Key::CONNECTION_KEY_TYPE,
|
||||
copy};
|
||||
}
|
||||
|
||||
const IPAddr& OrigAddr() const { return orig_addr; }
|
||||
const IPAddr& RespAddr() const { return resp_addr; }
|
||||
const IPAddr& OrigAddr() const { return orig_addr; }
|
||||
const IPAddr& RespAddr() const { return resp_addr; }
|
||||
|
||||
uint32_t OrigPort() const { return orig_port; }
|
||||
uint32_t RespPort() const { return resp_port; }
|
||||
uint32_t OrigPort() const { return orig_port; }
|
||||
uint32_t RespPort() const { return resp_port; }
|
||||
|
||||
void FlipRoles();
|
||||
|
||||
analyzer::Analyzer* FindAnalyzer(analyzer::ID id);
|
||||
analyzer::Analyzer* FindAnalyzer(const analyzer::Tag& tag); // find first in tree.
|
||||
analyzer::Analyzer* FindAnalyzer(const char* name); // find first in tree.
|
||||
analyzer::Analyzer* FindAnalyzer(const analyzer::Tag& tag); // find first in tree.
|
||||
analyzer::Analyzer* FindAnalyzer(const char* name); // find first in tree.
|
||||
|
||||
TransportProto ConnTransport() const { return proto; }
|
||||
std::string TransportIdentifier() const override
|
||||
|
|
@ -158,8 +167,8 @@ public:
|
|||
*/
|
||||
void AppendAddl(const char* str);
|
||||
|
||||
void Match(detail::Rule::PatternType type, const u_char* data, int len,
|
||||
bool is_orig, bool bol, bool eol, bool clear_state);
|
||||
void Match(detail::Rule::PatternType type, const u_char* data, int len, bool is_orig, bool bol,
|
||||
bool eol, bool clear_state);
|
||||
|
||||
/**
|
||||
* Generates connection removal event(s).
|
||||
|
|
@ -167,7 +176,7 @@ public:
|
|||
void RemovalEvent() override;
|
||||
|
||||
void Weird(const char* name, const char* addl = "", const char* source = "");
|
||||
bool DidWeird() const { return weird != 0; }
|
||||
bool DidWeird() const { return weird != 0; }
|
||||
|
||||
inline bool FlagEvent(ConnEventToFlag e)
|
||||
{
|
||||
|
|
@ -187,15 +196,15 @@ public:
|
|||
// Statistics.
|
||||
|
||||
// Just a lower bound.
|
||||
[[deprecated("Remove in v5.1. MemoryAllocation() is deprecated and will be removed. See GHI-572.")]]
|
||||
unsigned int MemoryAllocation() const override;
|
||||
[[deprecated("Remove in v5.1. MemoryAllocation() is deprecated and will be removed. See GHI-572.")]]
|
||||
unsigned int MemoryAllocationVal() const override;
|
||||
[[deprecated("Remove in v5.1. MemoryAllocation() is deprecated and will be removed. See "
|
||||
"GHI-572.")]] unsigned int
|
||||
MemoryAllocation() const override;
|
||||
[[deprecated("Remove in v5.1. MemoryAllocation() is deprecated and will be removed. See "
|
||||
"GHI-572.")]] unsigned int
|
||||
MemoryAllocationVal() const override;
|
||||
|
||||
static uint64_t TotalConnections()
|
||||
{ return total_connections; }
|
||||
static uint64_t CurrentConnections()
|
||||
{ return current_connections; }
|
||||
static uint64_t TotalConnections() { return total_connections; }
|
||||
static uint64_t CurrentConnections() { return current_connections; }
|
||||
|
||||
// Returns true if the history was already seen, false otherwise.
|
||||
bool CheckHistory(uint32_t mask, char code)
|
||||
|
|
@ -214,59 +223,54 @@ public:
|
|||
// code if it has crossed the next scaling threshold. Scaling
|
||||
// is done in terms of powers of the third argument.
|
||||
// Returns true if the threshold was crossed, false otherwise.
|
||||
bool ScaledHistoryEntry(char code, uint32_t& counter,
|
||||
uint32_t& scaling_threshold,
|
||||
bool ScaledHistoryEntry(char code, uint32_t& counter, uint32_t& scaling_threshold,
|
||||
uint32_t scaling_base = 10);
|
||||
|
||||
void HistoryThresholdEvent(EventHandlerPtr e, bool is_orig,
|
||||
uint32_t threshold);
|
||||
void HistoryThresholdEvent(EventHandlerPtr e, bool is_orig, uint32_t threshold);
|
||||
|
||||
void AddHistory(char code) { history += code; }
|
||||
void AddHistory(char code) { history += code; }
|
||||
|
||||
// Sets the root of the analyzer tree as well as the primary PIA.
|
||||
void SetSessionAdapter(packet_analysis::IP::SessionAdapter* aa, analyzer::pia::PIA* pia);
|
||||
packet_analysis::IP::SessionAdapter* GetSessionAdapter() { return adapter; }
|
||||
analyzer::pia::PIA* GetPrimaryPIA() { return primary_PIA; }
|
||||
packet_analysis::IP::SessionAdapter* GetSessionAdapter() { return adapter; }
|
||||
analyzer::pia::PIA* GetPrimaryPIA() { return primary_PIA; }
|
||||
|
||||
// Sets the transport protocol in use.
|
||||
void SetTransport(TransportProto arg_proto) { proto = arg_proto; }
|
||||
void SetTransport(TransportProto arg_proto) { proto = arg_proto; }
|
||||
|
||||
void SetUID(const UID &arg_uid) { uid = arg_uid; }
|
||||
void SetUID(const UID& arg_uid) { uid = arg_uid; }
|
||||
|
||||
UID GetUID() const { return uid; }
|
||||
|
||||
std::shared_ptr<EncapsulationStack> GetEncapsulation() const
|
||||
{ return encapsulation; }
|
||||
std::shared_ptr<EncapsulationStack> GetEncapsulation() const { return encapsulation; }
|
||||
|
||||
void CheckFlowLabel(bool is_orig, uint32_t flow_label);
|
||||
|
||||
uint32_t GetOrigFlowLabel() { return orig_flow_label; }
|
||||
uint32_t GetRespFlowLabel() { return resp_flow_label; }
|
||||
|
||||
bool PermitWeird(const char* name, uint64_t threshold, uint64_t rate,
|
||||
double duration);
|
||||
bool PermitWeird(const char* name, uint64_t threshold, uint64_t rate, double duration);
|
||||
|
||||
private:
|
||||
|
||||
friend class session::detail::Timer;
|
||||
|
||||
IPAddr orig_addr;
|
||||
IPAddr resp_addr;
|
||||
uint32_t orig_port, resp_port; // in network order
|
||||
uint32_t orig_port, resp_port; // in network order
|
||||
TransportProto proto;
|
||||
uint32_t orig_flow_label, resp_flow_label; // most recent IPv6 flow labels
|
||||
uint32_t vlan, inner_vlan; // VLAN this connection traverses, if available
|
||||
u_char orig_l2_addr[Packet::L2_ADDR_LEN]; // Link-layer originator address, if available
|
||||
u_char resp_l2_addr[Packet::L2_ADDR_LEN]; // Link-layer responder address, if available
|
||||
int suppress_event; // suppress certain events to once per conn.
|
||||
uint32_t orig_flow_label, resp_flow_label; // most recent IPv6 flow labels
|
||||
uint32_t vlan, inner_vlan; // VLAN this connection traverses, if available
|
||||
u_char orig_l2_addr[Packet::L2_ADDR_LEN]; // Link-layer originator address, if available
|
||||
u_char resp_l2_addr[Packet::L2_ADDR_LEN]; // Link-layer responder address, if available
|
||||
int suppress_event; // suppress certain events to once per conn.
|
||||
RecordValPtr conn_val;
|
||||
std::shared_ptr<EncapsulationStack> encapsulation; // tunnels
|
||||
|
||||
detail::ConnKey key;
|
||||
|
||||
unsigned int weird:1;
|
||||
unsigned int finished:1;
|
||||
unsigned int saw_first_orig_packet:1, saw_first_resp_packet:1;
|
||||
unsigned int weird : 1;
|
||||
unsigned int finished : 1;
|
||||
unsigned int saw_first_orig_packet : 1, saw_first_resp_packet : 1;
|
||||
|
||||
uint32_t hist_seen;
|
||||
std::string history;
|
||||
|
|
@ -274,12 +278,12 @@ private:
|
|||
packet_analysis::IP::SessionAdapter* adapter;
|
||||
analyzer::pia::PIA* primary_PIA;
|
||||
|
||||
UID uid; // Globally unique connection ID.
|
||||
UID uid; // Globally unique connection ID.
|
||||
detail::WeirdStateMap weird_state;
|
||||
|
||||
// Count number of connections.
|
||||
static uint64_t total_connections;
|
||||
static uint64_t current_connections;
|
||||
};
|
||||
};
|
||||
|
||||
} // namespace zeek
|
||||
} // namespace zeek
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue