Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-09 01:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Reformat the world

Browse source
This commit is contained in:
Tim Wojtulewicz 2021-09-16 15:35:39 -07:00
parent 194cb24547
commit b2f171ec69
714 changed files with 35149 additions and 35203 deletions
Download patch file Download diff file Expand all files Collapse all files

20
src/packet_analysis/Analyzer.cc
View file

@ -2,16 +2,17 @@
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/Dict.h"
#include "zeek/DebugLogger.h"
#include "zeek/Dict.h"
#include "zeek/RunState.h"
#include "zeek/session/Manager.h"
#include "zeek/util.h"
namespace zeek::packet_analysis {
namespace zeek::packet_analysis
{
Analyzer::Analyzer(std::string name, bool report_unknown_protocols) :
report_unknown_protocols(report_unknown_protocols)
Analyzer::Analyzer(std::string name, bool report_unknown_protocols)
: report_unknown_protocols(report_unknown_protocols)
{
Tag t = packet_mgr->GetComponentTag(name);
@ -36,7 +37,7 @@ void Analyzer::Initialize()
default_analyzer = LoadAnalyzer("default_analyzer");
}
zeek::packet_analysis::AnalyzerPtr Analyzer::LoadAnalyzer(const std::string &name)
zeek::packet_analysis::AnalyzerPtr Analyzer::LoadAnalyzer(const std::string& name)
{
auto& analyzer = zeek::id::find(GetModuleName() + name);
if ( ! analyzer )
@ -83,7 +84,8 @@ bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet,
{
if ( report_unknown_protocols )
{
DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s failed, could not find analyzer for identifier %#x.",
DBG_LOG(DBG_PACKET_ANALYSIS,
"Analysis in %s failed, could not find analyzer for identifier %#x.",
GetAnalyzerName(), identifier);
packet_mgr->ReportUnknownProtocol(GetAnalyzerName(), identifier, data, len);
return false;
@ -93,7 +95,7 @@ bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet,
}
DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s succeeded, next layer identifier is %#x.",
GetAnalyzerName(), identifier);
GetAnalyzerName(), identifier);
return inner_analyzer->AnalyzePacket(len, data, packet);
}
@ -103,7 +105,7 @@ bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet) co
return default_analyzer->AnalyzePacket(len, data, packet);
DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s stopped, no default analyzer available.",
GetAnalyzerName());
GetAnalyzerName());
if ( report_unknown_protocols )
Weird("no_suitable_analyzer_found", packet);
@ -132,4 +134,4 @@ void Analyzer::Weird(const char* name, Packet* packet, const char* addl) const
session_mgr->Weird(name, packet, addl, GetAnalyzerName());
}
} // namespace zeek::packet_analysis
} // namespace zeek::packet_analysis

27
src/packet_analysis/Analyzer.h
View file

@ -1,16 +1,18 @@
// See the file "COPYING" in the main distribution directory for copyright.
#pragma once
#include "zeek/iosource/Packet.h"
#include "zeek/packet_analysis/Manager.h"
#include "zeek/packet_analysis/Tag.h"
#include "zeek/iosource/Packet.h"
namespace zeek::packet_analysis {
namespace zeek::packet_analysis
{
/**
* Main packet analyzer interface.
*/
class Analyzer {
class Analyzer
{
public:
/**
* Constructor.
@ -21,7 +23,7 @@ public:
* protocols during packet forwarding. This should generally always be
* set to true.
*/
explicit Analyzer(std::string name, bool report_unknown_protocols=true);
explicit Analyzer(std::string name, bool report_unknown_protocols = true);
/**
* Constructor.
@ -80,8 +82,7 @@ public:
*
* @return false if the analysis failed, else true.
*/
virtual bool AnalyzePacket(size_t len, const uint8_t* data,
Packet* packet) = 0;
virtual bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) = 0;
/**
* Dumps out debug information to the \c analyzer debug stream.
@ -123,9 +124,10 @@ protected:
* namespace. Configuration values for the analyzer are expected in this module.
* @return Analyzer's module name.
*/
std::string GetModuleName() const {
std::string GetModuleName() const
{
return util::fmt("PacketAnalyzer::%s::", GetAnalyzerName());
};
};
/**
* Triggers analysis of the encapsulated packet. The encapsulated protocol
@ -137,8 +139,7 @@ protected:
*
* @return false if the analysis failed, else true.
*/
bool ForwardPacket(size_t len, const uint8_t* data, Packet* packet,
uint32_t identifier) const;
bool ForwardPacket(size_t len, const uint8_t* data, Packet* packet, uint32_t identifier) const;
/**
* Triggers default analysis of the encapsulated packet if the default analyzer
@ -161,7 +162,7 @@ protected:
* the weird. If this is passed, the analyzer's name will be prepended to
* it before output.
*/
void Weird(const char* name, Packet* packet=nullptr, const char* addl="") const;
void Weird(const char* name, Packet* packet = nullptr, const char* addl = "") const;
private:
Tag tag;
@ -174,8 +175,8 @@ private:
bool report_unknown_protocols = true;
void Init(const Tag& tag);
};
};
using AnalyzerPtr = std::shared_ptr<Analyzer>;
}
}

4
src/packet_analysis/Component.cc
View file

@ -1,12 +1,14 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/packet_analysis/Component.h"
#include "zeek/Desc.h"
#include "zeek/packet_analysis/Manager.h"
using namespace zeek::packet_analysis;
Component::Component(const std::string& name, factory_callback arg_factory, Tag::subtype_t arg_subtype)
Component::Component(const std::string& name, factory_callback arg_factory,
Tag::subtype_t arg_subtype)
: plugin::Component(plugin::component::PACKET_ANALYZER, name),
plugin::TaggedComponent<packet_analysis::Tag>(arg_subtype)
{

19
src/packet_analysis/Component.h
View file

@ -2,25 +2,24 @@
#pragma once
#include "zeek/zeek-config.h"
#include <functional>
#include "zeek/util.h"
#include "zeek/packet_analysis/Tag.h"
#include "zeek/plugin/Component.h"
#include "zeek/plugin/TaggedComponent.h"
#include "zeek/util.h"
#include "zeek/zeek-config.h"
namespace zeek::packet_analysis {
namespace zeek::packet_analysis
{
class Analyzer;
using AnalyzerPtr = std::shared_ptr<Analyzer>;
class Component : public plugin::Component,
public plugin::TaggedComponent<packet_analysis::Tag> {
class Component : public plugin::Component, public plugin::TaggedComponent<packet_analysis::Tag>
{
public:
using factory_callback = std::function<AnalyzerPtr ()>;
using factory_callback = std::function<AnalyzerPtr()>;
Component(const std::string& name, factory_callback factory, Tag::subtype_t subtype = 0);
~Component() override = default;
@ -45,6 +44,6 @@ protected:
private:
factory_callback factory; // The analyzer's factory callback.
};
};
}
}

31
src/packet_analysis/Dispatcher.cc
View file

@ -1,13 +1,15 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/packet_analysis/Dispatcher.h"
#include <algorithm>
#include "zeek/packet_analysis/Dispatcher.h"
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/Reporter.h"
#include "zeek/DebugLogger.h"
#include "zeek/Reporter.h"
#include "zeek/packet_analysis/Analyzer.h"
namespace zeek::packet_analysis {
namespace zeek::packet_analysis
{
Dispatcher::~Dispatcher()
{
@ -24,7 +26,8 @@ void Dispatcher::Register(uint32_t identifier, AnalyzerPtr analyzer)
return;
}
// If highestIdentifier == identifier, overwrite would happen -> no check needed, will return false
// If highestIdentifier == identifier, overwrite would happen -> no check needed, will return
// false
if ( GetHighestIdentifier() < identifier )
{
table.resize(table.size() + (identifier - GetHighestIdentifier()), nullptr);
@ -51,7 +54,8 @@ void Dispatcher::Register(uint32_t identifier, AnalyzerPtr analyzer)
int64_t index = identifier - lowest_identifier;
if ( table[index] != nullptr )
reporter->InternalWarning("Overwriting packet analyzer mapping %#8" PRIx64 " => %s with %s",
index+lowest_identifier, table[index]->GetAnalyzerName(), analyzer->GetAnalyzerName());
index + lowest_identifier, table[index]->GetAnalyzerName(),
analyzer->GetAnalyzerName());
table[index] = std::move(analyzer);
}
@ -66,7 +70,11 @@ AnalyzerPtr Dispatcher::Lookup(uint32_t identifier) const
size_t Dispatcher::Count() const
{
return std::count_if(table.begin(), table.end(), [](AnalyzerPtr a) { return a != nullptr; });
return std::count_if(table.begin(), table.end(),
[](AnalyzerPtr a)
{
return a != nullptr;
});
}
void Dispatcher::Clear()
@ -84,14 +92,15 @@ void Dispatcher::FreeValues()
void Dispatcher::DumpDebug() const
{
#ifdef DEBUG
DBG_LOG(DBG_PACKET_ANALYSIS, "Dispatcher elements (used/total): %lu/%lu", Count(), table.size());
DBG_LOG(DBG_PACKET_ANALYSIS, "Dispatcher elements (used/total): %lu/%lu", Count(),
table.size());
for ( size_t i = 0; i < table.size(); i++ )
{
if ( table[i] != nullptr )
DBG_LOG(DBG_PACKET_ANALYSIS, "%#8lx => %s",
i+lowest_identifier, table[i]->GetAnalyzerName());
DBG_LOG(DBG_PACKET_ANALYSIS, "%#8lx => %s", i + lowest_identifier,
table[i]->GetAnalyzerName());
}
#endif
}
}
}

21
src/packet_analysis/Dispatcher.h
View file

@ -2,12 +2,13 @@
#pragma once
#include <memory>
#include <map>
#include <cstdint>
#include <map>
#include <memory>
#include <vector>
namespace zeek::packet_analysis {
namespace zeek::packet_analysis
{
class Analyzer; // Forward declaration for Value
using AnalyzerPtr = std::shared_ptr<zeek::packet_analysis::Analyzer>;
@ -15,9 +16,10 @@ using AnalyzerPtr = std::shared_ptr<zeek::packet_analysis::Analyzer>;
/**
* The Dispatcher class manages identifier-to-analyzer mappings.
*/
class Dispatcher {
class Dispatcher
{
public:
Dispatcher() : table(std::vector<AnalyzerPtr>(1, nullptr)) { };
Dispatcher() : table(std::vector<AnalyzerPtr>(1, nullptr)){};
~Dispatcher();
/**
@ -59,10 +61,7 @@ private:
void FreeValues();
inline uint32_t GetHighestIdentifier() const
{
return lowest_identifier + table.size() - 1;
}
};
inline uint32_t GetHighestIdentifier() const { return lowest_identifier + table.size() - 1; }
};
}
}

64
src/packet_analysis/Manager.cc
View file

@ -2,17 +2,18 @@
#include "zeek/packet_analysis/Manager.h"
#include "zeek/RunState.h"
#include "zeek/Stats.h"
#include "zeek/iosource/PktDumper.h"
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Dispatcher.h"
#include "zeek/zeek-bif.h"
#include "zeek/Stats.h"
#include "zeek/RunState.h"
#include "zeek/iosource/PktDumper.h"
using namespace zeek::packet_analysis;
Manager::Manager()
: plugin::ComponentManager<packet_analysis::Tag, packet_analysis::Component>("PacketAnalyzer", "Tag")
: plugin::ComponentManager<packet_analysis::Tag, packet_analysis::Component>("PacketAnalyzer",
"Tag")
{
}
@ -40,9 +41,8 @@ void Manager::InitPostScript()
auto pkt_profile_file = id::find_val("pkt_profile_file");
if ( detail::pkt_profile_mode && detail::pkt_profile_freq > 0 && pkt_profile_file )
pkt_profiler = new detail::PacketProfiler(detail::pkt_profile_mode,
detail::pkt_profile_freq,
pkt_profile_file->AsFile());
pkt_profiler = new detail::PacketProfiler(
detail::pkt_profile_mode, detail::pkt_profile_freq, pkt_profile_file->AsFile());
unknown_sampling_rate = id::find_val("UnknownProtocol::sampling_rate")->AsCount();
unknown_sampling_threshold = id::find_val("UnknownProtocol::sampling_threshold")->AsCount();
@ -50,9 +50,7 @@ void Manager::InitPostScript()
unknown_first_bytes_count = id::find_val("UnknownProtocol::first_bytes_count")->AsCount();
}
void Manager::Done()
{
}
void Manager::Done() { }
void Manager::DumpDebug()
{
@ -67,7 +65,7 @@ void Manager::DumpDebug()
#endif
}
AnalyzerPtr Manager::GetAnalyzer(EnumVal *val)
AnalyzerPtr Manager::GetAnalyzer(EnumVal* val)
{
auto analyzer_comp = Lookup(val);
if ( ! analyzer_comp )
@ -106,8 +104,7 @@ void Manager::ProcessPacket(Packet* packet)
}
// Start packet analysis
root_analyzer->ForwardPacket(packet->cap_len, packet->data,
packet, packet->link_type);
root_analyzer->ForwardPacket(packet->cap_len, packet->data, packet, packet->link_type);
if ( raw_packet )
event_mgr.Enqueue(raw_packet, packet->ToRawPktHdrVal());
@ -134,7 +131,8 @@ AnalyzerPtr Manager::InstantiateAnalyzer(const Tag& tag)
if ( ! c->Factory() )
{
reporter->InternalWarning("analyzer %s cannot be instantiated dynamically", GetComponentName(tag).c_str());
reporter->InternalWarning("analyzer %s cannot be instantiated dynamically",
GetComponentName(tag).c_str());
return nullptr;
}
@ -148,8 +146,10 @@ AnalyzerPtr Manager::InstantiateAnalyzer(const Tag& tag)
if ( tag != a->GetAnalyzerTag() )
{
reporter->InternalError("Mismatch of requested analyzer %s and instantiated analyzer %s. This usually means that the plugin author made a mistake.",
GetComponentName(tag).c_str(), GetComponentName(a->GetAnalyzerTag()).c_str());
reporter->InternalError("Mismatch of requested analyzer %s and instantiated analyzer %s. "
"This usually means that the plugin author made a mistake.",
GetComponentName(tag).c_str(),
GetComponentName(a->GetAnalyzerTag()).c_str());
}
return a;
@ -161,7 +161,7 @@ AnalyzerPtr Manager::InstantiateAnalyzer(const std::string& name)
return tag ? InstantiateAnalyzer(tag) : nullptr;
}
void Manager::DumpPacket(const Packet *pkt, int len)
void Manager::DumpPacket(const Packet* pkt, int len)
{
if ( ! run_state::detail::pkt_dumper )
return;
@ -171,28 +171,33 @@ void Manager::DumpPacket(const Packet *pkt, int len)
if ( (uint32_t)len > pkt->cap_len )
reporter->Warning("bad modified caplen");
else
const_cast<Packet *>(pkt)->cap_len = len;
const_cast<Packet*>(pkt)->cap_len = len;
}
run_state::detail::pkt_dumper->Dump(pkt);
}
class UnknownProtocolTimer final : public zeek::detail::Timer {
class UnknownProtocolTimer final : public zeek::detail::Timer
{
public:
// Represents a combination of an analyzer name and protocol identifier, where the identifier was
// reported as unknown by the analyzer.
// Represents a combination of an analyzer name and protocol identifier, where the identifier
// was reported as unknown by the analyzer.
using UnknownProtocolPair = std::pair<std::string, uint32_t>;
UnknownProtocolTimer(double t, UnknownProtocolPair p, double timeout)
: zeek::detail::Timer(t + timeout, zeek::detail::TIMER_UNKNOWN_PROTOCOL_EXPIRE),
unknown_protocol(std::move(p))
{}
{
}
void Dispatch(double t, bool is_expire) override
{ zeek::packet_mgr->ResetUnknownProtocolTimer(unknown_protocol.first, unknown_protocol.second); }
{
zeek::packet_mgr->ResetUnknownProtocolTimer(unknown_protocol.first,
unknown_protocol.second);
}
UnknownProtocolPair unknown_protocol;
};
};
void Manager::ResetUnknownProtocolTimer(const std::string& analyzer, uint32_t protocol)
{
@ -206,8 +211,8 @@ bool Manager::PermitUnknownProtocol(const std::string& analyzer, uint32_t protoc
++count;
if ( count == 1 )
detail::timer_mgr->Add(new UnknownProtocolTimer(run_state::network_time, p,
unknown_sampling_duration));
detail::timer_mgr->Add(
new UnknownProtocolTimer(run_state::network_time, p, unknown_sampling_duration));
if ( count < unknown_sampling_threshold )
return true;
@ -224,14 +229,13 @@ void Manager::ReportUnknownProtocol(const std::string& analyzer, uint32_t protoc
{
if ( unknown_protocol )
{
if ( PermitUnknownProtocol(analyzer, protocol ) )
if ( PermitUnknownProtocol(analyzer, protocol) )
{
int bytes_len = std::min(unknown_first_bytes_count, static_cast<uint64_t>(len));
event_mgr.Enqueue(unknown_protocol,
make_intrusive<StringVal>(analyzer),
event_mgr.Enqueue(unknown_protocol, make_intrusive<StringVal>(analyzer),
val_mgr->Count(protocol),
make_intrusive<StringVal>(bytes_len, (const char*) data));
make_intrusive<StringVal>(bytes_len, (const char*)data));
}
}
}

40
src/packet_analysis/Manager.h
View file

@ -2,23 +2,29 @@
#pragma once
#include "zeek/packet_analysis/Tag.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/plugin/ComponentManager.h"
#include "zeek/iosource/Packet.h"
#include "zeek/packet_analysis/Dispatcher.h"
#include "zeek/PacketFilter.h"
#include "zeek/iosource/Packet.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/Dispatcher.h"
#include "zeek/packet_analysis/Tag.h"
#include "zeek/plugin/ComponentManager.h"
namespace zeek {
namespace zeek
{
namespace detail { class PacketProfiler; }
namespace detail
{
class PacketProfiler;
}
namespace packet_analysis {
namespace packet_analysis
{
class Analyzer;
using AnalyzerPtr = std::shared_ptr<Analyzer>;
class Manager : public plugin::ComponentManager<Tag, Component> {
class Manager : public plugin::ComponentManager<Tag, Component>
{
public:
/**
* Constructor.
@ -55,7 +61,7 @@ public:
*
* @return The analyzer instance or nullptr if no instance is found.
*/
AnalyzerPtr GetAnalyzer(EnumVal *val);
AnalyzerPtr GetAnalyzer(EnumVal* val);
/**
* Looks up an analyzer instance.
@ -83,7 +89,7 @@ public:
*/
bool ProcessInnerPacket(Packet* packet);
uint64_t PacketsProcessed() const { return num_packets_processed; }
uint64_t PacketsProcessed() const { return num_packets_processed; }
/**
* Records the given packet if a dumper is active.
@ -92,7 +98,7 @@ public:
* @param len The number of bytes to record. If set to zero, the whole
* packet is recorded.
*/
void DumpPacket(const Packet *pkt, int len=0);
void DumpPacket(const Packet* pkt, int len = 0);
/**
* Attempts to write an entry to unknown_protocols.log, rate-limited to avoid
@ -105,7 +111,7 @@ public:
* @param len The remaining length of the data in the packet being processed.
*/
void ReportUnknownProtocol(const std::string& analyzer, uint32_t protocol,
const uint8_t* data=nullptr, size_t len=0);
const uint8_t* data = nullptr, size_t len = 0);
/**
* Callback method for UnknownProtocolTimer to remove an analyzer/protocol
@ -113,7 +119,7 @@ public:
*/
void ResetUnknownProtocolTimer(const std::string& analyzer, uint32_t protocol);
detail::PacketFilter* GetPacketFilter(bool init=true)
detail::PacketFilter* GetPacketFilter(bool init = true)
{
if ( ! pkt_filter && init )
pkt_filter = new detail::PacketFilter(detail::packet_filter_default);
@ -157,10 +163,10 @@ private:
uint64_t unknown_sampling_rate = 0;
double unknown_sampling_duration = 0;
uint64_t unknown_first_bytes_count = 0;
};
};
} // namespace packet_analysis
} // namespace packet_analysis
extern zeek::packet_analysis::Manager* packet_mgr;
} // namespace zeek
} // namespace zeek

16
src/packet_analysis/Tag.cc
View file

@ -1,16 +1,15 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/packet_analysis/Tag.h"
#include "zeek/packet_analysis/Manager.h"
namespace zeek::packet_analysis {
namespace zeek::packet_analysis
{
Tag Tag::Error;
Tag::Tag(type_t type, subtype_t subtype)
: zeek::Tag(packet_mgr->GetTagType(), type, subtype)
{
}
Tag::Tag(type_t type, subtype_t subtype) : zeek::Tag(packet_mgr->GetTagType(), type, subtype) { }
Tag& Tag::operator=(const Tag& other)
{
@ -23,9 +22,6 @@ const IntrusivePtr<EnumVal>& Tag::AsVal() const
return zeek::Tag::AsVal(packet_mgr->GetTagType());
}
Tag::Tag(IntrusivePtr<EnumVal> val)
: zeek::Tag(std::move(val))
{
}
Tag::Tag(IntrusivePtr<EnumVal> val) : zeek::Tag(std::move(val)) { }
}
}

37
src/packet_analysis/Tag.h
View file

@ -2,15 +2,17 @@
#pragma once
#include "zeek/zeek-config.h"
#include "zeek/Tag.h"
#include "zeek/zeek-config.h"
namespace zeek::plugin {
template <class T> class TaggedComponent;
template <class T, class C> class ComponentManager;
}
namespace zeek::plugin
{
template <class T> class TaggedComponent;
template <class T, class C> class ComponentManager;
}
namespace zeek::packet_analysis {
namespace zeek::packet_analysis
{
class Manager;
class Component;
@ -18,7 +20,8 @@ class Component;
/**
* Class to identify a protocol analyzer type.
*/
class Tag : public zeek::Tag {
class Tag : public zeek::Tag
{
public:
/*
* Copy constructor.
@ -50,26 +53,17 @@ public:
/**
* Compares two tags for equality.
*/
bool operator==(const Tag& other) const
{
return zeek::Tag::operator==(other);
}
bool operator==(const Tag& other) const { return zeek::Tag::operator==(other); }
/**
* Compares two tags for inequality.
*/
bool operator!=(const Tag& other) const
{
return zeek::Tag::operator!=(other);
}
bool operator!=(const Tag& other) const { return zeek::Tag::operator!=(other); }
/**
* Compares two tags for less-than relationship.
*/
bool operator<(const Tag& other) const
{
return zeek::Tag::operator<(other);
}
bool operator<(const Tag& other) const { return zeek::Tag::operator<(other); }
/**
* Returns the \c Analyzer::Tag enum that corresponds to this tag.
@ -82,7 +76,6 @@ public:
static Tag Error;
protected:
friend class packet_analysis::Manager;
friend class plugin::ComponentManager<Tag, Component>;
friend class plugin::TaggedComponent<Tag>;
@ -105,6 +98,6 @@ protected:
* @param val An enum value of script type \c Analyzer::Tag.
*/
explicit Tag(IntrusivePtr<EnumVal> val);
};
};
}
}

128
src/packet_analysis/protocol/arp/ARP.cc
View file

@ -1,8 +1,9 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/zeek-config.h"
#include "zeek/packet_analysis/protocol/arp/ARP.h"
#include "zeek/zeek-config.h"
#ifdef HAVE_NET_ETHERNET_H
#include <net/ethernet.h>
#elif defined(HAVE_SYS_ETHERNET_H)
@ -14,56 +15,52 @@
#endif
#include "zeek/Event.h"
#include "zeek/packet_analysis/protocol/arp/events.bif.h"
using namespace zeek::packet_analysis::ARP;
ARPAnalyzer::ARPAnalyzer()
: zeek::packet_analysis::Analyzer("ARP")
{
}
ARPAnalyzer::ARPAnalyzer() : zeek::packet_analysis::Analyzer("ARP") { }
// Argh! FreeBSD and Linux have almost completely different net/if_arp.h .
// ... and on Solaris we are missing half of the ARPOP codes, so define
// them here as necessary:
#ifndef ARPOP_REQUEST
#define ARPOP_REQUEST 1 // ARP request.
#define ARPOP_REQUEST 1 // ARP request.
#endif
#ifndef ARPOP_REPLY
#define ARPOP_REPLY 2 // ARP reply.
#define ARPOP_REPLY 2 // ARP reply.
#endif
#ifndef ARPOP_PREQUEST
#define ARPOP_RREQUEST 3 // RARP request.
#define ARPOP_RREQUEST 3 // RARP request.
#endif
#ifndef ARPOP_RREPLY
#define ARPOP_RREPLY 4 // RARP reply.
#define ARPOP_RREPLY 4 // RARP reply.
#endif
#ifndef ARPOP_InREQUEST
#define ARPOP_InREQUEST 8 // InARP request.
#define ARPOP_InREQUEST 8 // InARP request.
#endif
#ifndef ARPOP_InREPLY
#define ARPOP_InREPLY 9 // InARP reply.
#define ARPOP_InREPLY 9 // InARP reply.
#endif
#ifndef ARPOP_NAK
#define ARPOP_NAK 10 // (ATM)ARP NAK.
#define ARPOP_NAK 10 // (ATM)ARP NAK.
#endif
#ifndef ar_sha
#define ar_sha(ap) ((caddr_t((ap)+1)) + 0)
#define ar_sha(ap) ((caddr_t((ap) + 1)) + 0)
#endif
#ifndef ar_spa
#define ar_spa(ap) ((caddr_t((ap)+1)) + (ap)->ar_hln)
#define ar_spa(ap) ((caddr_t((ap) + 1)) + (ap)->ar_hln)
#endif
#ifndef ar_tha
#define ar_tha(ap) ((caddr_t((ap)+1)) + (ap)->ar_hln + (ap)->ar_pln)
#define ar_tha(ap) ((caddr_t((ap) + 1)) + (ap)->ar_hln + (ap)->ar_pln)
#endif
#ifndef ar_tpa
#define ar_tpa(ap) ((caddr_t((ap)+1)) + 2*(ap)->ar_hln + (ap)->ar_pln)
#define ar_tpa(ap) ((caddr_t((ap) + 1)) + 2 * (ap)->ar_hln + (ap)->ar_pln)
#endif
#ifndef ARPOP_REVREQUEST
@ -94,10 +91,10 @@ bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
}
// Check whether the packet is OK ("inspired" in tcpdump's print-arp.c).
auto ah = (const struct arp_pkthdr*) data;
auto ah = (const struct arp_pkthdr*)data;
// Check the size.
size_t min_length = (ar_tpa(ah) - (char*) data) + ah->ar_pln;
size_t min_length = (ar_tpa(ah) - (char*)data) + ah->ar_pln;
if ( min_length > len )
{
Weird("truncated_ARP", packet);
@ -105,46 +102,47 @@ bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
}
// Check the address description fields.
switch ( ntohs(ah->ar_hrd) ) {
switch ( ntohs(ah->ar_hrd) )
{
case ARPHRD_ETHER:
if ( ah->ar_hln != 6 )
{
// don't know how to handle the opcode
BadARPEvent(ah, "corrupt-arp-header (hrd=%i, hln=%i)",
ntohs(ah->ar_hrd), ah->ar_hln);
BadARPEvent(ah, "corrupt-arp-header (hrd=%i, hln=%i)", ntohs(ah->ar_hrd),
ah->ar_hln);
return false;
}
break;
default:
{
// don't know how to proceed
BadARPEvent(ah, "unknown-arp-hw-address (hrd=%i)", ntohs(ah->ar_hrd));
return false;
}
{
// don't know how to proceed
BadARPEvent(ah, "unknown-arp-hw-address (hrd=%i)", ntohs(ah->ar_hrd));
return false;
}
}
// Note: We don't support IPv6 addresses.
switch ( ntohs(ah->ar_pro) ) {
switch ( ntohs(ah->ar_pro) )
{
case ETHERTYPE_IP:
if ( ah->ar_pln != 4 )
{
// don't know how to handle the opcode
BadARPEvent(ah,"corrupt-arp-header (pro=%i, pln=%i)",
ntohs(ah->ar_pro), ah->ar_pln);
BadARPEvent(ah, "corrupt-arp-header (pro=%i, pln=%i)", ntohs(ah->ar_pro),
ah->ar_pln);
return false;
}
break;
default:
{
// don't know how to proceed
BadARPEvent(ah,"unknown-arp-proto-address (pro=%i)", ntohs(ah->ar_pro));
return false;
}
{
// don't know how to proceed
BadARPEvent(ah, "unknown-arp-proto-address (pro=%i)", ntohs(ah->ar_pro));
return false;
}
}
// Check MAC src address = ARP sender MAC address.
if ( memcmp(packet->l2_src, ar_sha(ah), ah->ar_hln) != 0 )
{
@ -153,51 +151,51 @@ bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
}
// Check the code is supported.
switch ( ntohs(ah->ar_op) ) {
switch ( ntohs(ah->ar_op) )
{
case ARPOP_REQUEST:
RequestReplyEvent(arp_request, packet->l2_src, packet->l2_dst,
ar_spa(ah), ar_sha(ah), ar_tpa(ah), ar_tha(ah));
RequestReplyEvent(arp_request, packet->l2_src, packet->l2_dst, ar_spa(ah), ar_sha(ah),
ar_tpa(ah), ar_tha(ah));
break;
case ARPOP_REPLY:
RequestReplyEvent(arp_reply, packet->l2_src, packet->l2_dst,
ar_spa(ah), ar_sha(ah), ar_tpa(ah), ar_tha(ah));
RequestReplyEvent(arp_reply, packet->l2_src, packet->l2_dst, ar_spa(ah), ar_sha(ah),
ar_tpa(ah), ar_tha(ah));
break;
case ARPOP_REVREQUEST:
case ARPOP_REVREPLY:
case ARPOP_INVREQUEST:
case ARPOP_INVREPLY:
{
// don't know how to handle the opcode
BadARPEvent(ah, "unimplemented-arp-opcode (%i)", ntohs(ah->ar_op));
return false;
}
{
// don't know how to handle the opcode
BadARPEvent(ah, "unimplemented-arp-opcode (%i)", ntohs(ah->ar_op));
return false;
}
default:
{
// invalid opcode
BadARPEvent(ah, "invalid-arp-opcode (opcode=%i)", ntohs(ah->ar_op));
return false;
}
{
// invalid opcode
BadARPEvent(ah, "invalid-arp-opcode (opcode=%i)", ntohs(ah->ar_op));
return false;
}
}
// Leave packet analyzer land
return true;
}
zeek::AddrValPtr ARPAnalyzer::ToAddrVal(const void* addr)
{
//Note: We only handle IPv4 addresses.
return zeek::make_intrusive<zeek::AddrVal>(*(const uint32_t*) addr);
// Note: We only handle IPv4 addresses.
return zeek::make_intrusive<zeek::AddrVal>(*(const uint32_t*)addr);
}
zeek::StringValPtr ARPAnalyzer::ToEthAddrStr(const u_char* addr)
{
char buf[1024];
snprintf(buf, sizeof(buf), "%02x:%02x:%02x:%02x:%02x:%02x",
addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]);
snprintf(buf, sizeof(buf), "%02x:%02x:%02x:%02x:%02x:%02x", addr[0], addr[1], addr[2], addr[3],
addr[4], addr[5]);
return zeek::make_intrusive<zeek::StringVal>(buf);
}
@ -212,19 +210,19 @@ void ARPAnalyzer::BadARPEvent(const struct arp_pkthdr* hdr, const char* fmt, ...
vsnprintf(msg, sizeof(msg), fmt, args);
va_end(args);
event_mgr.Enqueue(bad_arp,
ToAddrVal(ar_spa(hdr)), ToEthAddrStr((const u_char*) ar_sha(hdr)),
ToAddrVal(ar_tpa(hdr)), ToEthAddrStr((const u_char*) ar_tha(hdr)),
zeek::make_intrusive<zeek::StringVal>(msg));
event_mgr.Enqueue(bad_arp, ToAddrVal(ar_spa(hdr)), ToEthAddrStr((const u_char*)ar_sha(hdr)),
ToAddrVal(ar_tpa(hdr)), ToEthAddrStr((const u_char*)ar_tha(hdr)),
zeek::make_intrusive<zeek::StringVal>(msg));
}
void ARPAnalyzer::RequestReplyEvent(EventHandlerPtr e, const u_char *src, const u_char *dst,
const char *spa, const char *sha, const char *tpa, const char *tha)
void ARPAnalyzer::RequestReplyEvent(EventHandlerPtr e, const u_char* src, const u_char* dst,
const char* spa, const char* sha, const char* tpa,
const char* tha)
{
if ( ! e )
return;
event_mgr.Enqueue(e, ToEthAddrStr(src), ToEthAddrStr(dst),
ToAddrVal(spa), ToEthAddrStr((const u_char*) sha),
ToAddrVal(tpa), ToEthAddrStr((const u_char*) tha));
event_mgr.Enqueue(e, ToEthAddrStr(src), ToEthAddrStr(dst), ToAddrVal(spa),
ToEthAddrStr((const u_char*)sha), ToAddrVal(tpa),
ToEthAddrStr((const u_char*)tha));
}

20
src/packet_analysis/protocol/arp/ARP.h
View file

@ -2,9 +2,9 @@
#pragma once
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if_arp.h>
#include <sys/socket.h>
#include <sys/types.h>
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
@ -13,9 +13,11 @@
#define arp_pkthdr arphdr
#endif
namespace zeek::packet_analysis::ARP {
namespace zeek::packet_analysis::ARP
{
class ARPAnalyzer : public Analyzer {
class ARPAnalyzer : public Analyzer
{
public:
ARPAnalyzer();
~ARPAnalyzer() override = default;
@ -32,9 +34,9 @@ private:
zeek::StringValPtr ToEthAddrStr(const u_char* addr);
void BadARPEvent(const struct arp_pkthdr* hdr, const char* fmt, ...)
__attribute__((format(printf, 3, 4)));
void RequestReplyEvent(EventHandlerPtr e, const u_char* src, const u_char* dst,
const char* spa, const char* sha, const char* tpa, const char* tha);
};
__attribute__((format(printf, 3, 4)));
void RequestReplyEvent(EventHandlerPtr e, const u_char* src, const u_char* dst, const char* spa,
const char* sha, const char* tpa, const char* tha);
};
}
}

15
src/packet_analysis/protocol/arp/Plugin.cc
View file

@ -1,17 +1,20 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/arp/ARP.h"
namespace zeek::plugin::Zeek_ARP {
namespace zeek::plugin::Zeek_ARP
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("ARP",
zeek::packet_analysis::ARP::ARPAnalyzer::Instantiate));
AddComponent(new zeek::packet_analysis::Component(
"ARP", zeek::packet_analysis::ARP::ARPAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::ARP";
@ -19,6 +22,6 @@ public:
return config;
}
} plugin;
} plugin;
}
}

10
src/packet_analysis/protocol/ethernet/Ethernet.cc
View file

@ -1,14 +1,12 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/packet_analysis/protocol/ethernet/Ethernet.h"
#include "zeek/packet_analysis/Manager.h"
using namespace zeek::packet_analysis::Ethernet;
EthernetAnalyzer::EthernetAnalyzer()
: zeek::packet_analysis::Analyzer("Ethernet")
{
}
EthernetAnalyzer::EthernetAnalyzer() : zeek::packet_analysis::Analyzer("Ethernet") { }
void EthernetAnalyzer::Initialize()
{
@ -69,10 +67,10 @@ bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
AnalyzerPtr eth_analyzer = nullptr;
if ( data[14] == 0xAA && data[15] == 0xAA)
if ( data[14] == 0xAA && data[15] == 0xAA )
// IEEE 802.2 SNAP
eth_analyzer = SNAPAnalyzer;
else if ( data[14] == 0xFF && data[15] == 0xFF)
else if ( data[14] == 0xFF && data[15] == 0xFF )
// Novell raw IEEE 802.3
eth_analyzer = NovellRawAnalyzer;
else

10
src/packet_analysis/protocol/ethernet/Ethernet.h
View file

@ -5,9 +5,11 @@
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
namespace zeek::packet_analysis::Ethernet {
namespace zeek::packet_analysis::Ethernet
{
class EthernetAnalyzer : public Analyzer {
class EthernetAnalyzer : public Analyzer
{
public:
EthernetAnalyzer();
~EthernetAnalyzer() override = default;
@ -24,6 +26,6 @@ private:
AnalyzerPtr SNAPAnalyzer = nullptr;
AnalyzerPtr NovellRawAnalyzer = nullptr;
AnalyzerPtr LLCAnalyzer = nullptr;
};
};
}
}

15
src/packet_analysis/protocol/ethernet/Plugin.cc
View file

@ -1,17 +1,20 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/ethernet/Ethernet.h"
namespace zeek::plugin::Zeek_Ethernet {
namespace zeek::plugin::Zeek_Ethernet
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("Ethernet",
zeek::packet_analysis::Ethernet::EthernetAnalyzer::Instantiate));
AddComponent(new zeek::packet_analysis::Component(
"Ethernet", zeek::packet_analysis::Ethernet::EthernetAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::Ethernet";
@ -19,6 +22,6 @@ public:
return config;
}
} plugin;
} plugin;
}
}

5
src/packet_analysis/protocol/fddi/FDDI.cc
View file

@ -4,10 +4,7 @@
using namespace zeek::packet_analysis::FDDI;
FDDIAnalyzer::FDDIAnalyzer()
: zeek::packet_analysis::Analyzer("FDDI")
{
}
FDDIAnalyzer::FDDIAnalyzer() : zeek::packet_analysis::Analyzer("FDDI") { }
bool FDDIAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{

10
src/packet_analysis/protocol/fddi/FDDI.h
View file

@ -5,9 +5,11 @@
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
namespace zeek::packet_analysis::FDDI {
namespace zeek::packet_analysis::FDDI
{
class FDDIAnalyzer : public zeek::packet_analysis::Analyzer {
class FDDIAnalyzer : public zeek::packet_analysis::Analyzer
{
public:
FDDIAnalyzer();
~FDDIAnalyzer() override = default;
@ -18,6 +20,6 @@ public:
{
return std::make_shared<FDDIAnalyzer>();
}
};
};
}
}

15
src/packet_analysis/protocol/fddi/Plugin.cc
View file

@ -1,17 +1,20 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/fddi/FDDI.h"
namespace zeek::plugin::Zeek_FDDI {
namespace zeek::plugin::Zeek_FDDI
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("FDDI",
zeek::packet_analysis::FDDI::FDDIAnalyzer::Instantiate));
AddComponent(new zeek::packet_analysis::Component(
"FDDI", zeek::packet_analysis::FDDI::FDDIAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::FDDI";
@ -19,6 +22,6 @@ public:
return config;
}
} plugin;
} plugin;
}
}

17
src/packet_analysis/protocol/gre/GRE.cc
View file

@ -4,16 +4,16 @@
#include <pcap.h> // For DLT_ constants
#include "zeek/session/Manager.h"
#include "zeek/RunState.h"
#include "zeek/IP.h"
#include "zeek/Reporter.h"
#include "zeek/RunState.h"
#include "zeek/session/Manager.h"
using namespace zeek::packet_analysis::GRE;
static unsigned int gre_header_len(uint16_t flags=0)
static unsigned int gre_header_len(uint16_t flags = 0)
{
unsigned int len = 4; // Always has 2 byte flags and 2 byte protocol type.
unsigned int len = 4; // Always has 2 byte flags and 2 byte protocol type.
if ( flags & 0x8000 )
// Checksum/Reserved1 present.
@ -36,10 +36,7 @@ static unsigned int gre_header_len(uint16_t flags=0)
return len;
}
GREAnalyzer::GREAnalyzer()
: zeek::packet_analysis::Analyzer("GRE")
{
}
GREAnalyzer::GREAnalyzer() : zeek::packet_analysis::Analyzer("GRE") { }
bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{
@ -116,7 +113,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
return false;
}
}
proto_typ = ntohs(*((uint16_t *) (data + gre_len + erspan_len + eth_len - 2)));
proto_typ = ntohs(*((uint16_t*)(data + gre_len + erspan_len + eth_len - 2)));
}
else
{
@ -137,7 +134,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
auto flags = data + gre_len + erspan_len - 1;
bool have_opt_header = ((*flags & 0x01) == 0x01);
if ( have_opt_header )
if ( have_opt_header )
{
if ( len > gre_len + erspan_len + 8 + eth_len )
erspan_len += 8;

10
src/packet_analysis/protocol/gre/GRE.h
View file

@ -5,9 +5,11 @@
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
namespace zeek::packet_analysis::GRE {
namespace zeek::packet_analysis::GRE
{
class GREAnalyzer : public Analyzer {
class GREAnalyzer : public Analyzer
{
public:
GREAnalyzer();
~GREAnalyzer() override = default;
@ -18,6 +20,6 @@ public:
{
return std::make_shared<GREAnalyzer>();
}
};
};
}
}

15
src/packet_analysis/protocol/gre/Plugin.cc
View file

@ -1,17 +1,20 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/gre/GRE.h"
namespace zeek::plugin::Zeek_GRE {
namespace zeek::plugin::Zeek_GRE
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("GRE",
zeek::packet_analysis::GRE::GREAnalyzer::Instantiate));
AddComponent(new zeek::packet_analysis::Component(
"GRE", zeek::packet_analysis::GRE::GREAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::GRE";
@ -19,6 +22,6 @@ public:
return config;
}
} plugin;
} plugin;
}
}

559
src/packet_analysis/protocol/icmp/ICMP.cc
View file

@ -4,31 +4,28 @@
#include <netinet/icmp6.h>
#include "zeek/RunState.h"
#include "zeek/Conn.h"
#include "zeek/Reporter.h"
#include "zeek/Desc.h"
#include "zeek/Reporter.h"
#include "zeek/RunState.h"
#include "zeek/Val.h"
#include "zeek/ZeekString.h"
#include "zeek/analyzer/Manager.h"
#include "zeek/session/Manager.h"
#include "zeek/analyzer/protocol/conn-size/ConnSize.h"
#include "zeek/packet_analysis/protocol/icmp/ICMPSessionAdapter.h"
#include "zeek/ZeekString.h"
#include "zeek/packet_analysis/protocol/icmp/events.bif.h"
#include "zeek/session/Manager.h"
enum ICMP_EndpointState {
ICMP_INACTIVE, // no packet seen
ICMP_ACTIVE, // packets seen
};
enum ICMP_EndpointState
{
ICMP_INACTIVE, // no packet seen
ICMP_ACTIVE, // packets seen
};
using namespace zeek::packet_analysis::ICMP;
using namespace zeek::packet_analysis::IP;
ICMPAnalyzer::ICMPAnalyzer() : IPBasedAnalyzer("ICMP", TRANSPORT_ICMP, ICMP_PORT_MASK, false)
{
}
ICMPAnalyzer::ICMPAnalyzer() : IPBasedAnalyzer("ICMP", TRANSPORT_ICMP, ICMP_PORT_MASK, false) { }
SessionAdapter* ICMPAnalyzer::MakeSessionAdapter(Connection* conn)
{
@ -39,8 +36,7 @@ SessionAdapter* ICMPAnalyzer::MakeSessionAdapter(Connection* conn)
return root;
}
bool ICMPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet,
ConnTuple& tuple)
bool ICMPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple)
{
if ( ! CheckHeaderTrunc(ICMP_MINLEN, len, packet) )
return false;
@ -49,13 +45,15 @@ bool ICMPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packe
tuple.dst_addr = packet->ip_hdr->DstAddr();
tuple.proto = TRANSPORT_ICMP;
const struct icmp* icmpp = (const struct icmp *) data;
const struct icmp* icmpp = (const struct icmp*)data;
tuple.src_port = htons(icmpp->icmp_type);
if ( packet->proto == IPPROTO_ICMP )
tuple.dst_port = htons(ICMP4_counterpart(icmpp->icmp_type, icmpp->icmp_code, tuple.is_one_way));
tuple.dst_port =
htons(ICMP4_counterpart(icmpp->icmp_type, icmpp->icmp_code, tuple.is_one_way));
else if ( packet->proto == IPPROTO_ICMPV6 )
tuple.dst_port = htons(ICMP6_counterpart(icmpp->icmp_type, icmpp->icmp_code, tuple.is_one_way));
tuple.dst_port =
htons(ICMP6_counterpart(icmpp->icmp_type, icmpp->icmp_code, tuple.is_one_way));
else
reporter->InternalError("Reached ICMP packet analyzer with unknown packet protocol %x",
packet->proto);
@ -73,29 +71,28 @@ void ICMPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int rema
if ( packet_contents && len > 0 )
adapter->PacketContents(data + 8, std::min(len, remaining) - 8);
const struct icmp* icmpp = (const struct icmp*) data;
const struct icmp* icmpp = (const struct icmp*)data;
const std::unique_ptr<IP_Hdr>& ip = pkt->ip_hdr;
if ( ! zeek::detail::ignore_checksums &&
! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) &&
remaining >= len )
! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) && remaining >= len )
{
int chksum = 0;
switch ( ip->NextProto() )
{
case IPPROTO_ICMP:
chksum = icmp_checksum(icmpp, len);
break;
{
case IPPROTO_ICMP:
chksum = icmp_checksum(icmpp, len);
break;
case IPPROTO_ICMPV6:
chksum = icmp6_checksum(icmpp, ip.get(), len);
break;
case IPPROTO_ICMPV6:
chksum = icmp6_checksum(icmpp, ip.get(), len);
break;
default:
reporter->Error("unexpected IP proto in ICMP analyzer: %d", ip->NextProto());
return;
}
default:
reporter->Error("unexpected IP proto in ICMP analyzer: %d", ip->NextProto());
return;
}
if ( chksum != 0xffff )
{
@ -133,8 +130,7 @@ void ICMPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int rema
}
void ICMPAnalyzer::NextICMP4(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter)
const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter)
{
switch ( icmpp->icmp_type )
{
@ -155,8 +151,7 @@ void ICMPAnalyzer::NextICMP4(double t, const struct icmp* icmpp, int len, int ca
}
void ICMPAnalyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter)
const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter)
{
switch ( icmpp->icmp_type )
{
@ -213,10 +208,9 @@ void ICMPAnalyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int ca
}
}
void ICMPAnalyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
int icmpv6, const u_char* data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter)
{
void ICMPAnalyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen, int icmpv6,
const u_char* data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter)
{
if ( icmp_sent )
adapter->EnqueueConnEvent(icmp_sent, adapter->ConnVal(),
BuildInfo(icmpp, len, icmpv6, ip_hdr));
@ -231,8 +225,8 @@ void ICMPAnalyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
}
}
zeek::RecordValPtr ICMPAnalyzer::BuildInfo(const struct icmp* icmpp, int len,
bool icmpv6, const IP_Hdr* ip_hdr)
zeek::RecordValPtr ICMPAnalyzer::BuildInfo(const struct icmp* icmpp, int len, bool icmpv6,
const IP_Hdr* ip_hdr)
{
static auto icmp_info = id::find_type<RecordType>("icmp_info");
auto rval = make_intrusive<zeek::RecordVal>(icmp_info);
@ -244,74 +238,84 @@ zeek::RecordValPtr ICMPAnalyzer::BuildInfo(const struct icmp* icmpp, int len,
return rval;
}
TransportProto ICMPAnalyzer::GetContextProtocol(const IP_Hdr* ip_hdr, uint32_t* src_port, uint32_t* dst_port)
TransportProto ICMPAnalyzer::GetContextProtocol(const IP_Hdr* ip_hdr, uint32_t* src_port,
uint32_t* dst_port)
{
const u_char* transport_hdr;
uint32_t ip_hdr_len = ip_hdr->HdrLen();
bool ip4 = ip_hdr->IP4_Hdr();
if ( ip4 )
transport_hdr = ((u_char *) ip_hdr->IP4_Hdr() + ip_hdr_len);
transport_hdr = ((u_char*)ip_hdr->IP4_Hdr() + ip_hdr_len);
else
transport_hdr = ((u_char *) ip_hdr->IP6_Hdr() + ip_hdr_len);
transport_hdr = ((u_char*)ip_hdr->IP6_Hdr() + ip_hdr_len);
TransportProto proto;
switch ( ip_hdr->NextProto() ) {
case 1: proto = TRANSPORT_ICMP; break;
case 6: proto = TRANSPORT_TCP; break;
case 17: proto = TRANSPORT_UDP; break;
case 58: proto = TRANSPORT_ICMP; break;
default: proto = TRANSPORT_UNKNOWN; break;
}
switch ( proto ) {
case TRANSPORT_ICMP:
switch ( ip_hdr->NextProto() )
{
const struct icmp* icmpp =
(const struct icmp *) transport_hdr;
bool is_one_way; // dummy
*src_port = ntohs(icmpp->icmp_type);
if ( ip4 )
*dst_port = ntohs(ICMP4_counterpart(icmpp->icmp_type,
icmpp->icmp_code, is_one_way));
else
*dst_port = ntohs(ICMP6_counterpart(icmpp->icmp_type,
icmpp->icmp_code, is_one_way));
break;
case 1:
proto = TRANSPORT_ICMP;
break;
case 6:
proto = TRANSPORT_TCP;
break;
case 17:
proto = TRANSPORT_UDP;
break;
case 58:
proto = TRANSPORT_ICMP;
break;
default:
proto = TRANSPORT_UNKNOWN;
break;
}
case TRANSPORT_TCP:
switch ( proto )
{
const struct tcphdr* tp =
(const struct tcphdr *) transport_hdr;
*src_port = ntohs(tp->th_sport);
*dst_port = ntohs(tp->th_dport);
break;
}
case TRANSPORT_ICMP:
{
const struct icmp* icmpp = (const struct icmp*)transport_hdr;
bool is_one_way; // dummy
*src_port = ntohs(icmpp->icmp_type);
case TRANSPORT_UDP:
{
const struct udphdr* up =
(const struct udphdr *) transport_hdr;
*src_port = ntohs(up->uh_sport);
*dst_port = ntohs(up->uh_dport);
break;
}
if ( ip4 )
*dst_port =
ntohs(ICMP4_counterpart(icmpp->icmp_type, icmpp->icmp_code, is_one_way));
else
*dst_port =
ntohs(ICMP6_counterpart(icmpp->icmp_type, icmpp->icmp_code, is_one_way));
default:
*src_port = *dst_port = ntohs(0);
break;
}
break;
}
case TRANSPORT_TCP:
{
const struct tcphdr* tp = (const struct tcphdr*)transport_hdr;
*src_port = ntohs(tp->th_sport);
*dst_port = ntohs(tp->th_dport);
break;
}
case TRANSPORT_UDP:
{
const struct udphdr* up = (const struct udphdr*)transport_hdr;
*src_port = ntohs(up->uh_sport);
*dst_port = ntohs(up->uh_dport);
break;
}
default:
*src_port = *dst_port = ntohs(0);
break;
}
return proto;
}
zeek::RecordValPtr ICMPAnalyzer::ExtractICMP4Context(int len, const u_char*& data)
{
const IP_Hdr ip_hdr_data((const struct ip*) data, false);
const IP_Hdr ip_hdr_data((const struct ip*)data, false);
const IP_Hdr* ip_hdr = &ip_hdr_data;
uint32_t ip_hdr_len = ip_hdr->HdrLen();
@ -336,8 +340,8 @@ zeek::RecordValPtr ICMPAnalyzer::ExtractICMP4Context(int len, const u_char*& dat
bad_hdr_len = 0;
ip_len = ip_hdr->TotalLen();
bad_checksum = ! run_state::current_pkt->l3_checksummed &&
(detail::in_cksum(reinterpret_cast<const uint8_t*>(ip_hdr->IP4_Hdr()),
ip_hdr_len) != 0xffff);
(detail::in_cksum(reinterpret_cast<const uint8_t*>(ip_hdr->IP4_Hdr()),
ip_hdr_len) != 0xffff);
src_addr = ip_hdr->SrcAddr();
dst_addr = ip_hdr->DstAddr();
@ -396,7 +400,7 @@ zeek::RecordValPtr ICMPAnalyzer::ExtractICMP6Context(int len, const u_char*& dat
}
else
{
const IP_Hdr ip_hdr_data((const struct ip6_hdr*) data, false, len);
const IP_Hdr ip_hdr_data((const struct ip6_hdr*)data, false, len);
const IP_Hdr* ip_hdr = &ip_hdr_data;
ip_len = ip_hdr->TotalLen();
@ -439,19 +443,16 @@ zeek::RecordValPtr ICMPAnalyzer::ExtractICMP6Context(int len, const u_char*& dat
return iprec;
}
void ICMPAnalyzer::Echo(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter)
void ICMPAnalyzer::Echo(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter)
{
// For handling all Echo related ICMP messages
EventHandlerPtr f = nullptr;
if ( ip_hdr->NextProto() == IPPROTO_ICMPV6 )
f = (icmpp->icmp_type == ICMP6_ECHO_REQUEST)
? icmp_echo_request : icmp_echo_reply;
f = (icmpp->icmp_type == ICMP6_ECHO_REQUEST) ? icmp_echo_request : icmp_echo_reply;
else
f = (icmpp->icmp_type == ICMP_ECHO)
? icmp_echo_request : icmp_echo_reply;
f = (icmpp->icmp_type == ICMP_ECHO) ? icmp_echo_request : icmp_echo_reply;
if ( ! f )
return;
@ -461,18 +462,13 @@ void ICMPAnalyzer::Echo(double t, const struct icmp* icmpp, int len,
String* payload = new String(data, caplen, false);
adapter->EnqueueConnEvent(f,
adapter->ConnVal(),
BuildInfo(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr),
val_mgr->Count(iid),
val_mgr->Count(iseq),
make_intrusive<StringVal>(payload)
);
adapter->EnqueueConnEvent(
f, adapter->ConnVal(), BuildInfo(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr),
val_mgr->Count(iid), val_mgr->Count(iseq), make_intrusive<StringVal>(payload));
}
void ICMPAnalyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
void ICMPAnalyzer::RouterAdvert(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter)
{
EventHandlerPtr f = icmp_router_advertisement;
@ -490,26 +486,23 @@ void ICMPAnalyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(reachable) + sizeof(retrans);
adapter->EnqueueConnEvent(f,
adapter->ConnVal(),
BuildInfo(icmpp, len, 1, ip_hdr),
adapter->EnqueueConnEvent(
f, adapter->ConnVal(), BuildInfo(icmpp, len, 1, ip_hdr),
val_mgr->Count(icmpp->icmp_num_addrs), // Cur Hop Limit
val_mgr->Bool(icmpp->icmp_wpa & 0x80), // Managed
val_mgr->Bool(icmpp->icmp_wpa & 0x40), // Other
val_mgr->Bool(icmpp->icmp_wpa & 0x20), // Home Agent
val_mgr->Count((icmpp->icmp_wpa & 0x18)>>3), // Pref
val_mgr->Count((icmpp->icmp_wpa & 0x18) >> 3), // Pref
val_mgr->Bool(icmpp->icmp_wpa & 0x04), // Proxy
val_mgr->Count(icmpp->icmp_wpa & 0x02), // Reserved
make_intrusive<IntervalVal>((double)ntohs(icmpp->icmp_lifetime), Seconds),
make_intrusive<IntervalVal>((double)ntohl(reachable), Milliseconds),
make_intrusive<IntervalVal>((double)ntohl(retrans), Milliseconds),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset, adapter)
);
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset, adapter));
}
void ICMPAnalyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
void ICMPAnalyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter)
{
EventHandlerPtr f = icmp_neighbor_advertisement;
@ -524,20 +517,16 @@ void ICMPAnalyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(in6_addr);
adapter->EnqueueConnEvent(f,
adapter->ConnVal(),
BuildInfo(icmpp, len, 1, ip_hdr),
val_mgr->Bool(icmpp->icmp_num_addrs & 0x80), // Router
val_mgr->Bool(icmpp->icmp_num_addrs & 0x40), // Solicited
val_mgr->Bool(icmpp->icmp_num_addrs & 0x20), // Override
make_intrusive<AddrVal>(tgtaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset, adapter)
);
adapter->EnqueueConnEvent(f, adapter->ConnVal(), BuildInfo(icmpp, len, 1, ip_hdr),
val_mgr->Bool(icmpp->icmp_num_addrs & 0x80), // Router
val_mgr->Bool(icmpp->icmp_num_addrs & 0x40), // Solicited
val_mgr->Bool(icmpp->icmp_num_addrs & 0x20), // Override
make_intrusive<AddrVal>(tgtaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset, adapter));
}
void ICMPAnalyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
void ICMPAnalyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter)
{
EventHandlerPtr f = icmp_neighbor_solicitation;
@ -552,18 +541,13 @@ void ICMPAnalyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(in6_addr);
adapter->EnqueueConnEvent(f,
adapter->ConnVal(),
BuildInfo(icmpp, len, 1, ip_hdr),
make_intrusive<AddrVal>(tgtaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset, adapter)
);
adapter->EnqueueConnEvent(f, adapter->ConnVal(), BuildInfo(icmpp, len, 1, ip_hdr),
make_intrusive<AddrVal>(tgtaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset, adapter));
}
void ICMPAnalyzer::Redirect(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter)
void ICMPAnalyzer::Redirect(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter)
{
EventHandlerPtr f = icmp_redirect;
@ -580,18 +564,13 @@ void ICMPAnalyzer::Redirect(double t, const struct icmp* icmpp, int len,
int opt_offset = 2 * sizeof(in6_addr);
adapter->EnqueueConnEvent(f,
adapter->ConnVal(),
BuildInfo(icmpp, len, 1, ip_hdr),
make_intrusive<AddrVal>(tgtaddr),
make_intrusive<AddrVal>(dstaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset, adapter)
);
adapter->EnqueueConnEvent(f, adapter->ConnVal(), BuildInfo(icmpp, len, 1, ip_hdr),
make_intrusive<AddrVal>(tgtaddr), make_intrusive<AddrVal>(dstaddr),
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset, adapter));
}
void ICMPAnalyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
void ICMPAnalyzer::RouterSolicit(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter)
{
EventHandlerPtr f = icmp_router_solicitation;
@ -599,17 +578,12 @@ void ICMPAnalyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
if ( ! f )
return;
adapter->EnqueueConnEvent(f,
adapter->ConnVal(),
BuildInfo(icmpp, len, 1, ip_hdr),
BuildNDOptionsVal(caplen, data, adapter)
);
adapter->EnqueueConnEvent(f, adapter->ConnVal(), BuildInfo(icmpp, len, 1, ip_hdr),
BuildNDOptionsVal(caplen, data, adapter));
}
void ICMPAnalyzer::Context4(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter)
void ICMPAnalyzer::Context4(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter)
{
EventHandlerPtr f = nullptr;
@ -625,18 +599,13 @@ void ICMPAnalyzer::Context4(double t, const struct icmp* icmpp, int len,
}
if ( f )
adapter->EnqueueConnEvent(f,
adapter->ConnVal(),
BuildInfo(icmpp, len, 0, ip_hdr),
val_mgr->Count(icmpp->icmp_code),
ExtractICMP4Context(caplen, data)
);
adapter->EnqueueConnEvent(f, adapter->ConnVal(), BuildInfo(icmpp, len, 0, ip_hdr),
val_mgr->Count(icmpp->icmp_code),
ExtractICMP4Context(caplen, data));
}
void ICMPAnalyzer::Context6(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter)
void ICMPAnalyzer::Context6(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter)
{
EventHandlerPtr f = nullptr;
@ -664,12 +633,9 @@ void ICMPAnalyzer::Context6(double t, const struct icmp* icmpp, int len,
}
if ( f )
adapter->EnqueueConnEvent(f,
adapter->ConnVal(),
BuildInfo(icmpp, len, 1, ip_hdr),
val_mgr->Count(icmpp->icmp_code),
ExtractICMP6Context(caplen, data)
);
adapter->EnqueueConnEvent(f, adapter->ConnVal(), BuildInfo(icmpp, len, 1, ip_hdr),
val_mgr->Count(icmpp->icmp_code),
ExtractICMP6Context(caplen, data));
}
zeek::VectorValPtr ICMPAnalyzer::BuildNDOptionsVal(int caplen, const u_char* data,
@ -678,8 +644,7 @@ zeek::VectorValPtr ICMPAnalyzer::BuildNDOptionsVal(int caplen, const u_char* dat
static auto icmp6_nd_option_type = id::find_type<RecordType>("icmp6_nd_option");
static auto icmp6_nd_prefix_info_type = id::find_type<RecordType>("icmp6_nd_prefix_info");
auto vv = make_intrusive<zeek::VectorVal>(
id::find_type<VectorType>("icmp6_nd_options"));
auto vv = make_intrusive<zeek::VectorVal>(id::find_type<VectorType>("icmp6_nd_options"));
while ( caplen > 0 )
{
@ -712,81 +677,84 @@ zeek::VectorValPtr ICMPAnalyzer::BuildNDOptionsVal(int caplen, const u_char* dat
bool set_payload_field = false;
// Only parse out known options that are there in full.
switch ( type ) {
case 1:
case 2:
// Source/Target Link-layer Address option
switch ( type )
{
if ( caplen >= length )
{
String* link_addr = new String(data, length, false);
rv->Assign(2, make_intrusive<StringVal>(link_addr));
}
else
set_payload_field = true;
case 1:
case 2:
// Source/Target Link-layer Address option
{
if ( caplen >= length )
{
String* link_addr = new String(data, length, false);
rv->Assign(2, make_intrusive<StringVal>(link_addr));
}
else
set_payload_field = true;
break;
break;
}
case 3:
// Prefix Information option
{
if ( caplen >= 30 )
{
auto info = make_intrusive<zeek::RecordVal>(icmp6_nd_prefix_info_type);
uint8_t prefix_len = *((const uint8_t*)(data));
bool L_flag = (*((const uint8_t*)(data + 1)) & 0x80) != 0;
bool A_flag = (*((const uint8_t*)(data + 1)) & 0x40) != 0;
uint32_t valid_life = *((const uint32_t*)(data + 2));
uint32_t prefer_life = *((const uint32_t*)(data + 6));
in6_addr prefix = *((const in6_addr*)(data + 14));
info->Assign(0, val_mgr->Count(prefix_len));
info->Assign(1, val_mgr->Bool(L_flag));
info->Assign(2, val_mgr->Bool(A_flag));
info->Assign(
3, make_intrusive<IntervalVal>((double)ntohl(valid_life), Seconds));
info->Assign(
4, make_intrusive<IntervalVal>((double)ntohl(prefer_life), Seconds));
info->Assign(5, make_intrusive<AddrVal>(IPAddr(prefix)));
rv->Assign(3, std::move(info));
}
else
set_payload_field = true;
break;
}
case 4:
// Redirected Header option
{
if ( caplen >= length )
{
const u_char* hdr = data + 6;
rv->Assign(4, ExtractICMP6Context(length - 6, hdr));
}
else
set_payload_field = true;
break;
}
case 5:
// MTU option
{
if ( caplen >= 6 )
rv->Assign(5, val_mgr->Count(ntohl(*((const uint32_t*)(data + 2)))));
else
set_payload_field = true;
break;
}
default:
{
set_payload_field = true;
break;
}
}
case 3:
// Prefix Information option
{
if ( caplen >= 30 )
{
auto info = make_intrusive<zeek::RecordVal>(icmp6_nd_prefix_info_type);
uint8_t prefix_len = *((const uint8_t*)(data));
bool L_flag = (*((const uint8_t*)(data + 1)) & 0x80) != 0;
bool A_flag = (*((const uint8_t*)(data + 1)) & 0x40) != 0;
uint32_t valid_life = *((const uint32_t*)(data + 2));
uint32_t prefer_life = *((const uint32_t*)(data + 6));
in6_addr prefix = *((const in6_addr*)(data + 14));
info->Assign(0, val_mgr->Count(prefix_len));
info->Assign(1, val_mgr->Bool(L_flag));
info->Assign(2, val_mgr->Bool(A_flag));
info->Assign(3, make_intrusive<IntervalVal>((double)ntohl(valid_life), Seconds));
info->Assign(4, make_intrusive<IntervalVal>((double)ntohl(prefer_life), Seconds));
info->Assign(5, make_intrusive<AddrVal>(IPAddr(prefix)));
rv->Assign(3, std::move(info));
}
else
set_payload_field = true;
break;
}
case 4:
// Redirected Header option
{
if ( caplen >= length )
{
const u_char* hdr = data + 6;
rv->Assign(4, ExtractICMP6Context(length - 6, hdr));
}
else
set_payload_field = true;
break;
}
case 5:
// MTU option
{
if ( caplen >= 6 )
rv->Assign(5, val_mgr->Count(ntohl(*((const uint32_t*)(data + 2)))));
else
set_payload_field = true;
break;
}
default:
{
set_payload_field = true;
break;
}
}
if ( set_payload_field )
{
String* payload = new String(data, std::min((int)length, caplen), false);
@ -802,7 +770,8 @@ zeek::VectorValPtr ICMPAnalyzer::BuildNDOptionsVal(int caplen, const u_char* dat
return vv;
}
namespace zeek::packet_analysis::ICMP {
namespace zeek::packet_analysis::ICMP
{
int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
{
@ -812,56 +781,84 @@ int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
// to track corresponding ICMP requests/replies.
// Note that for the two-way ICMP messages, icmp_code is
// always 0 (RFC 792).
switch ( icmp_type ) {
case ICMP_ECHO: return ICMP_ECHOREPLY;
case ICMP_ECHOREPLY: return ICMP_ECHO;
switch ( icmp_type )
{
case ICMP_ECHO:
return ICMP_ECHOREPLY;
case ICMP_ECHOREPLY:
return ICMP_ECHO;
case ICMP_TSTAMP: return ICMP_TSTAMPREPLY;
case ICMP_TSTAMPREPLY: return ICMP_TSTAMP;
case ICMP_TSTAMP:
return ICMP_TSTAMPREPLY;
case ICMP_TSTAMPREPLY:
return ICMP_TSTAMP;
case ICMP_IREQ: return ICMP_IREQREPLY;
case ICMP_IREQREPLY: return ICMP_IREQ;
case ICMP_IREQ:
return ICMP_IREQREPLY;
case ICMP_IREQREPLY:
return ICMP_IREQ;
case ICMP_ROUTERSOLICIT: return ICMP_ROUTERADVERT;
case ICMP_ROUTERADVERT: return ICMP_ROUTERSOLICIT;
case ICMP_ROUTERSOLICIT:
return ICMP_ROUTERADVERT;
case ICMP_ROUTERADVERT:
return ICMP_ROUTERSOLICIT;
case ICMP_MASKREQ: return ICMP_MASKREPLY;
case ICMP_MASKREPLY: return ICMP_MASKREQ;
case ICMP_MASKREQ:
return ICMP_MASKREPLY;
case ICMP_MASKREPLY:
return ICMP_MASKREQ;
default: is_one_way = true; return icmp_code;
}
default:
is_one_way = true;
return icmp_code;
}
}
int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
{
is_one_way = false;
switch ( icmp_type ) {
case ICMP6_ECHO_REQUEST: return ICMP6_ECHO_REPLY;
case ICMP6_ECHO_REPLY: return ICMP6_ECHO_REQUEST;
switch ( icmp_type )
{
case ICMP6_ECHO_REQUEST:
return ICMP6_ECHO_REPLY;
case ICMP6_ECHO_REPLY:
return ICMP6_ECHO_REQUEST;
case ND_ROUTER_SOLICIT: return ND_ROUTER_ADVERT;
case ND_ROUTER_ADVERT: return ND_ROUTER_SOLICIT;
case ND_ROUTER_SOLICIT:
return ND_ROUTER_ADVERT;
case ND_ROUTER_ADVERT:
return ND_ROUTER_SOLICIT;
case ND_NEIGHBOR_SOLICIT: return ND_NEIGHBOR_ADVERT;
case ND_NEIGHBOR_ADVERT: return ND_NEIGHBOR_SOLICIT;
case ND_NEIGHBOR_SOLICIT:
return ND_NEIGHBOR_ADVERT;
case ND_NEIGHBOR_ADVERT:
return ND_NEIGHBOR_SOLICIT;
case MLD_LISTENER_QUERY: return MLD_LISTENER_REPORT;
case MLD_LISTENER_REPORT: return MLD_LISTENER_QUERY;
case MLD_LISTENER_QUERY:
return MLD_LISTENER_REPORT;
case MLD_LISTENER_REPORT:
return MLD_LISTENER_QUERY;
// ICMP node information query and response respectively (not defined in
// icmp6.h)
case 139: return 140;
case 140: return 139;
// ICMP node information query and response respectively (not defined in
// icmp6.h)
case 139:
return 140;
case 140:
return 139;
// Home Agent Address Discovery Request Message and reply
case 144: return 145;
case 145: return 144;
// Home Agent Address Discovery Request Message and reply
case 144:
return 145;
case 145:
return 144;
// TODO: Add further counterparts.
// TODO: Add further counterparts.
default: is_one_way = true; return icmp_code;
}
default:
is_one_way = true;
return icmp_code;
}
}
} // namespace zeek::packet_analysis::ICMP
} // namespace zeek::packet_analysis::ICMP

87
src/packet_analysis/protocol/icmp/ICMP.h
View file

@ -2,24 +2,27 @@
#pragma once
#include "zeek/analyzer/Analyzer.h"
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h"
#include "zeek/packet_analysis/protocol/ip/SessionAdapter.h"
#include "zeek/analyzer/Analyzer.h"
namespace zeek {
namespace zeek
{
class VectorVal;
using VectorValPtr = IntrusivePtr<VectorVal>;
class RecordVal;
using RecordValPtr = IntrusivePtr<RecordVal>;
namespace packet_analysis::ICMP {
namespace packet_analysis::ICMP
{
class ICMPSessionAdapter;
class ICMPAnalyzer final : public IP::IPBasedAnalyzer {
class ICMPAnalyzer final : public IP::IPBasedAnalyzer
{
public:
ICMPAnalyzer();
~ICMPAnalyzer() override = default;
@ -32,70 +35,52 @@ public:
packet_analysis::IP::SessionAdapter* MakeSessionAdapter(Connection* conn) override;
protected:
/**
* Parse the header from the packet into a ConnTuple object.
*/
bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet,
ConnTuple& tuple) override;
bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) override;
void DeliverPacket(Connection* c, double t, bool is_orig, int remaining,
Packet* pkt) override;
void DeliverPacket(Connection* c, double t, bool is_orig, int remaining, Packet* pkt) override;
private:
void NextICMP4(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data,
const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter);
void NextICMP4(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter);
void NextICMP6(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data,
const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter);
void NextICMP6(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter);
void ICMP_Sent(const struct icmp* icmpp, int len, int caplen, int icmpv6, const u_char* data,
const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter);
void ICMP_Sent(const struct icmp* icmpp, int len, int caplen, int icmpv6,
const u_char* data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter);
void Echo(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data,
const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter);
void Redirect(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data,
const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter);
void RouterAdvert(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data,
const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter);
void NeighborAdvert(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter);
void NeighborSolicit(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter);
void RouterSolicit(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data,
const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter);
void Echo(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter);
void Redirect(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter);
void RouterAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter);
void NeighborAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter);
void NeighborSolicit(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter);
void RouterSolicit(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter);
RecordValPtr BuildInfo(const struct icmp* icmpp, int len,
bool icmpv6, const IP_Hdr* ip_hdr);
RecordValPtr BuildInfo(const struct icmp* icmpp, int len, bool icmpv6, const IP_Hdr* ip_hdr);
RecordValPtr ExtractICMP4Context(int len, const u_char*& data);
void Context4(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter);
void Context4(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data,
const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter);
TransportProto GetContextProtocol(const IP_Hdr* ip_hdr, uint32_t* src_port,
uint32_t* dst_port);
TransportProto GetContextProtocol(const IP_Hdr* ip_hdr, uint32_t* src_port, uint32_t* dst_port);
RecordValPtr ExtractICMP6Context(int len, const u_char*& data);
void Context6(double t, const struct icmp* icmpp, int len, int caplen,
const u_char*& data, const IP_Hdr* ip_hdr,
ICMPSessionAdapter* adapter);
void Context6(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data,
const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter);
// RFC 4861 Neighbor Discover message options
VectorValPtr BuildNDOptionsVal(int caplen, const u_char* data,
ICMPSessionAdapter* adapter);
VectorValPtr BuildNDOptionsVal(int caplen, const u_char* data, ICMPSessionAdapter* adapter);
void UpdateEndpointVal(const ValPtr& endp, bool is_orig);
};
@ -105,5 +90,5 @@ private:
extern int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way);
extern int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way);
} // namespace packet_analysis::ICMP
} // namespace zeek
} // namespace packet_analysis::ICMP
} // namespace zeek

12
src/packet_analysis/protocol/icmp/ICMPSessionAdapter.cc
View file

@ -8,10 +8,11 @@
using namespace zeek::packet_analysis::ICMP;
using namespace zeek::packet_analysis::IP;
enum ICMP_EndpointState {
ICMP_INACTIVE, // no packet seen
ICMP_ACTIVE, // packets seen
};
enum ICMP_EndpointState
{
ICMP_INACTIVE, // no packet seen
ICMP_ACTIVE, // packets seen
};
void ICMPSessionAdapter::AddExtraAnalyzers(Connection* conn)
{
@ -73,8 +74,7 @@ void ICMPSessionAdapter::InitEndpointMatcher(const IP_Hdr* ip_hdr, int len, bool
void ICMPSessionAdapter::MatchEndpoint(const u_char* data, int len, bool is_orig)
{
if ( zeek::detail::rule_matcher )
matcher_state.Match(zeek::detail::Rule::PAYLOAD, data, len, is_orig,
false, false, true);
matcher_state.Match(zeek::detail::Rule::PAYLOAD, data, len, is_orig, false, false, true);
}
void ICMPSessionAdapter::Done()

17
src/packet_analysis/protocol/icmp/ICMPSessionAdapter.h
View file

@ -2,17 +2,17 @@
#pragma once
#include "zeek/packet_analysis/protocol/ip/SessionAdapter.h"
#include "zeek/RuleMatcher.h"
#include "zeek/packet_analysis/protocol/ip/SessionAdapter.h"
namespace zeek::packet_analysis::ICMP {
namespace zeek::packet_analysis::ICMP
{
class ICMPSessionAdapter final : public IP::SessionAdapter {
class ICMPSessionAdapter final : public IP::SessionAdapter
{
public:
ICMPSessionAdapter(Connection* conn) :
IP::SessionAdapter("ICMP", conn) { }
ICMPSessionAdapter(Connection* conn) : IP::SessionAdapter("ICMP", conn) { }
void AddExtraAnalyzers(Connection* conn) override;
void UpdateConnVal(RecordVal* conn_val) override;
@ -25,10 +25,9 @@ public:
void MatchEndpoint(const u_char* data, int len, bool is_orig);
private:
detail::RuleMatcherState matcher_state;
int request_len = -1;
int reply_len = -1;
};
};
} // namespace zeek::packet_analysis::ICMP
} // namespace zeek::packet_analysis::ICMP

17
src/packet_analysis/protocol/icmp/Plugin.cc
View file

@ -1,19 +1,22 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/analyzer/Component.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/icmp/ICMP.h"
#include "zeek/packet_analysis/protocol/icmp/ICMPSessionAdapter.h"
#include "zeek/analyzer/Component.h"
namespace zeek::plugin::Zeek_ICMP {
namespace zeek::plugin::Zeek_ICMP
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("ICMP",
zeek::packet_analysis::ICMP::ICMPAnalyzer::Instantiate));
AddComponent(new zeek::packet_analysis::Component(
"ICMP", zeek::packet_analysis::ICMP::ICMPAnalyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("ICMP", nullptr, 0, true, false, true));
zeek::plugin::Configuration config;
@ -22,6 +25,6 @@ public:
return config;
}
} plugin;
} plugin;
}
}

9
src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc
View file

@ -4,10 +4,7 @@
using namespace zeek::packet_analysis::IEEE802_11;
IEEE802_11Analyzer::IEEE802_11Analyzer()
: zeek::packet_analysis::Analyzer("IEEE802_11")
{
}
IEEE802_11Analyzer::IEEE802_11Analyzer() : zeek::packet_analysis::Analyzer("IEEE802_11") { }
bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{
@ -90,8 +87,8 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet*
// field indicates that this is an unnumbered frame.
// The organization code (24bits) needs to also be zero to
// indicate that this is encapsulated ethernet.
if ( data[0] == 0xAA && data[1] == 0xAA && data[2] == 0x03 &&
data[3] == 0 && data[4] == 0 && data[5] == 0 )
if ( data[0] == 0xAA && data[1] == 0xAA && data[2] == 0x03 && data[3] == 0 && data[4] == 0 &&
data[5] == 0 )
{
data += 6;
}

10
src/packet_analysis/protocol/ieee802_11/IEEE802_11.h
View file

@ -5,9 +5,11 @@
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
namespace zeek::packet_analysis::IEEE802_11 {
namespace zeek::packet_analysis::IEEE802_11
{
class IEEE802_11Analyzer : public Analyzer {
class IEEE802_11Analyzer : public Analyzer
{
public:
IEEE802_11Analyzer();
~IEEE802_11Analyzer() override = default;
@ -18,6 +20,6 @@ public:
{
return std::make_shared<IEEE802_11Analyzer>();
}
};
};
}
}

15
src/packet_analysis/protocol/ieee802_11/Plugin.cc
View file

@ -1,17 +1,20 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/ieee802_11/IEEE802_11.h"
namespace zeek::plugin::Zeek_IEEE802_11 {
namespace zeek::plugin::Zeek_IEEE802_11
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("IEEE802_11",
zeek::packet_analysis::IEEE802_11::IEEE802_11Analyzer::Instantiate));
AddComponent(new zeek::packet_analysis::Component(
"IEEE802_11", zeek::packet_analysis::IEEE802_11::IEEE802_11Analyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::IEEE802_11";
@ -19,6 +22,6 @@ public:
return config;
}
} plugin;
} plugin;
}
}

10
src/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h
View file

@ -5,9 +5,11 @@
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
namespace zeek::packet_analysis::IEEE802_11_Radio {
namespace zeek::packet_analysis::IEEE802_11_Radio
{
class IEEE802_11_RadioAnalyzer : public Analyzer {
class IEEE802_11_RadioAnalyzer : public Analyzer
{
public:
IEEE802_11_RadioAnalyzer();
~IEEE802_11_RadioAnalyzer() override = default;
@ -18,6 +20,6 @@ public:
{
return std::make_shared<IEEE802_11_RadioAnalyzer>();
}
};
};
}
}

16
src/packet_analysis/protocol/ieee802_11_radio/Plugin.cc
View file

@ -1,17 +1,21 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/ieee802_11_radio/IEEE802_11_Radio.h"
namespace zeek::plugin::Zeek_IEEE802_11_Radio {
namespace zeek::plugin::Zeek_IEEE802_11_Radio
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("IEEE802_11_Radio",
zeek::packet_analysis::IEEE802_11_Radio::IEEE802_11_RadioAnalyzer::Instantiate));
AddComponent(new zeek::packet_analysis::Component(
"IEEE802_11_Radio",
zeek::packet_analysis::IEEE802_11_Radio::IEEE802_11_RadioAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::IEEE802_11_Radio";
@ -19,5 +23,5 @@ public:
return config;
}
} plugin;
}
} plugin;
}

89
src/packet_analysis/protocol/ip/IP.cc
View file

@ -1,22 +1,22 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/packet_analysis/protocol/ip/IP.h"
#include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h"
#include "zeek/NetVar.h"
#include "zeek/IP.h"
#include "zeek/Discard.h"
#include "zeek/PacketFilter.h"
#include "zeek/session/Manager.h"
#include "zeek/RunState.h"
#include "zeek/Frag.h"
#include "zeek/Event.h"
#include "zeek/TunnelEncapsulation.h"
#include "zeek/Frag.h"
#include "zeek/IP.h"
#include "zeek/IPAddr.h"
#include "zeek/NetVar.h"
#include "zeek/PacketFilter.h"
#include "zeek/RunState.h"
#include "zeek/TunnelEncapsulation.h"
#include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h"
#include "zeek/session/Manager.h"
using namespace zeek::packet_analysis::IP;
IPAnalyzer::IPAnalyzer()
: zeek::packet_analysis::Analyzer("IP")
IPAnalyzer::IPAnalyzer() : zeek::packet_analysis::Analyzer("IP")
{
discarder = new detail::Discarder();
if ( ! discarder->IsActive() )
@ -45,7 +45,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
// Cast the current data pointer to an IP header pointer so we can use it to get some
// data about the header.
auto ip = (const struct ip *)data;
auto ip = (const struct ip*)data;
uint32_t protocol = ip->ip_v;
// This is a unique pointer because of the mass of early returns from this method.
@ -62,7 +62,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
return false;
}
packet->ip_hdr = std::make_unique<IP_Hdr>((const struct ip6_hdr*) data, false, len);
packet->ip_hdr = std::make_unique<IP_Hdr>((const struct ip6_hdr*)data, false, len);
packet->l3_proto = L3_IPV6;
}
else
@ -126,7 +126,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
// Ignore if packet matches packet filter.
detail::PacketFilter* packet_filter = packet_mgr->GetPacketFilter(false);
if ( packet_filter && packet_filter->Match(packet->ip_hdr, total_len, len) )
return false;
return false;
if ( ! packet->l2_checksummed && ! detail::ignore_checksums && ip4 &&
! IPBasedAnalyzer::GetIgnoreChecksumsNets()->Contains(packet->ip_hdr->IPHeaderSrcAddr()) &&
@ -143,7 +143,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( packet->ip_hdr->IsFragment() )
{
packet->dump_packet = true; // always record fragments
packet->dump_packet = true; // always record fragments
if ( len < total_len )
{
@ -203,7 +203,8 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{
packet->dump_packet = true;
if ( ! detail::ignore_checksums && mobility_header_checksum(packet->ip_hdr.get()) != 0xffff )
if ( ! detail::ignore_checksums &&
mobility_header_checksum(packet->ip_hdr.get()) != 0xffff )
{
Weird("bad_MH_checksum", packet);
return false;
@ -218,16 +219,16 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
return true;
}
// Set the data pointer to match the payload from the IP header. This makes sure that it's also pointing
// at the reassembled data for a fragmented packet.
// Set the data pointer to match the payload from the IP header. This makes sure that it's also
// pointing at the reassembled data for a fragmented packet.
data = packet->ip_hdr->Payload();
len -= ip_hdr_len;
// Session analysis assumes that the header size stored in the packet does not include the IP header
// size. There are two reasons for this: 1) Packet::ToRawPktHdrVal() wants to look at the IP header for
// reporting, and 2) The VXLAN analyzer uses the header position to create the next packet in the tunnel
// chain. Once the TCP/UDP work is done and the VXLAN analyzer can move into packet analysis, this can
// change, but for now we leave it as it is.
// Session analysis assumes that the header size stored in the packet does not include the IP
// header size. There are two reasons for this: 1) Packet::ToRawPktHdrVal() wants to look at the
// IP header for reporting, and 2) The VXLAN analyzer uses the header position to create the
// next packet in the tunnel chain. Once the TCP/UDP work is done and the VXLAN analyzer can
// move into packet analysis, this can change, but for now we leave it as it is.
bool return_val = true;
int proto = packet->ip_hdr->NextProto();
@ -241,26 +242,26 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
return false;
}
switch ( proto ) {
case IPPROTO_NONE:
// If the packet is encapsulated in Teredo, then it was a bubble and
// the Teredo analyzer may have raised an event for that, else we're
// not sure the reason for the No Next header in the packet.
if ( ! ( packet->encap &&
packet->encap->LastType() == BifEnum::Tunnel::TEREDO ) )
{
Weird("ipv6_no_next", packet);
return_val = false;
}
break;
default:
packet->proto = proto;
switch ( proto )
{
case IPPROTO_NONE:
// If the packet is encapsulated in Teredo, then it was a bubble and
// the Teredo analyzer may have raised an event for that, else we're
// not sure the reason for the No Next header in the packet.
if ( ! (packet->encap && packet->encap->LastType() == BifEnum::Tunnel::TEREDO) )
{
Weird("ipv6_no_next", packet);
return_val = false;
}
break;
default:
packet->proto = proto;
// For everything else, pass it on to another analyzer. If there's no one to handle that,
// it'll report a Weird.
return_val = ForwardPacket(len, data, packet, proto);
break;
}
// For everything else, pass it on to another analyzer. If there's no one to handle
// that, it'll report a Weird.
return_val = ForwardPacket(len, data, packet, proto);
break;
}
if ( f )
f->DeleteTimer();
@ -276,9 +277,9 @@ int zeek::packet_analysis::IP::ParsePacket(int caplen, const u_char* const pkt,
if ( caplen < (int)sizeof(struct ip6_hdr) )
return -1;
const struct ip6_hdr* ip6 = (const struct ip6_hdr*) pkt;
const struct ip6_hdr* ip6 = (const struct ip6_hdr*)pkt;
inner = std::make_unique<zeek::IP_Hdr>(ip6, false, caplen);
if ( ( ip6->ip6_ctlun.ip6_un2_vfc & 0xF0 ) != 0x60 )
if ( (ip6->ip6_ctlun.ip6_un2_vfc & 0xF0) != 0x60 )
return -2;
}
@ -287,7 +288,7 @@ int zeek::packet_analysis::IP::ParsePacket(int caplen, const u_char* const pkt,
if ( caplen < (int)sizeof(struct ip) )
return -1;
const struct ip* ip4 = (const struct ip*) pkt;
const struct ip* ip4 = (const struct ip*)pkt;
inner = std::make_unique<zeek::IP_Hdr>(ip4, false);
if ( ip4->ip_v != 4 )
return -2;

24
src/packet_analysis/protocol/ip/IP.h
View file

@ -2,15 +2,20 @@
#pragma once
#include "zeek/Frag.h"
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/Frag.h"
namespace zeek::detail { class Discarder; }
namespace zeek::detail
{
class Discarder;
}
namespace zeek::packet_analysis::IP {
namespace zeek::packet_analysis::IP
{
class IPAnalyzer : public Analyzer {
class IPAnalyzer : public Analyzer
{
public:
IPAnalyzer();
~IPAnalyzer() override;
@ -23,14 +28,12 @@ public:
}
private:
// Returns a reassembled packet, or nil if there are still
// some missing fragments.
zeek::detail::FragReassembler* NextFragment(double t, const IP_Hdr* ip,
const u_char* pkt);
zeek::detail::FragReassembler* NextFragment(double t, const IP_Hdr* ip, const u_char* pkt);
zeek::detail::Discarder* discarder = nullptr;
};
};
/**
* Returns a wrapper IP_Hdr object if \a pkt appears to be a valid IPv4
@ -54,6 +57,5 @@ private:
* long enough to be an IP header, and \a inner is always non-null
* for other return values.
*/
int ParsePacket(int caplen, const u_char* const pkt, int proto,
std::unique_ptr<IP_Hdr>& inner);
}
int ParsePacket(int caplen, const u_char* const pkt, int proto, std::unique_ptr<IP_Hdr>& inner);
}

30
src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
View file

@ -2,21 +2,21 @@
#include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h"
#include "zeek/RunState.h"
#include "zeek/Conn.h"
#include "zeek/RunState.h"
#include "zeek/Val.h"
#include "zeek/session/Manager.h"
#include "zeek/analyzer/Manager.h"
#include "zeek/analyzer/protocol/pia/PIA.h"
#include "zeek/plugin/Manager.h"
#include "zeek/session/Manager.h"
using namespace zeek;
using namespace zeek::packet_analysis::IP;
IPBasedAnalyzer::IPBasedAnalyzer(const char* name, TransportProto proto, uint32_t mask,
bool report_unknown_protocols)
: zeek::packet_analysis::Analyzer(name, report_unknown_protocols),
transport(proto), server_port_mask(mask)
: zeek::packet_analysis::Analyzer(name, report_unknown_protocols), transport(proto),
server_port_mask(mask)
{
}
@ -63,8 +63,7 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt
if ( ! conn )
return false;
bool is_orig = (tuple.src_addr == conn->OrigAddr()) &&
(tuple.src_port == conn->OrigPort());
bool is_orig = (tuple.src_addr == conn->OrigAddr()) && (tuple.src_port == conn->OrigPort());
conn->CheckFlowLabel(is_orig, ip_hdr->FlowLabel());
@ -73,8 +72,7 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt
if ( ipv6_ext_headers && ip_hdr->NumHeaders() > 1 )
{
pkt_hdr_val = ip_hdr->ToPktHdrVal();
conn->EnqueueEvent(ipv6_ext_headers, nullptr, conn->GetVal(),
pkt_hdr_val);
conn->EnqueueEvent(ipv6_ext_headers, nullptr, conn->GetVal(), pkt_hdr_val);
}
if ( new_packet )
@ -162,8 +160,8 @@ zeek::Connection* IPBasedAnalyzer::NewConn(const ConnTuple* id, const detail::Co
if ( ! WantConnection(src_h, dst_h, pkt->ip_hdr->Payload(), flip) )
return nullptr;
Connection* conn = new Connection(key, run_state::processing_start_time,
id, pkt->ip_hdr->FlowLabel(), pkt);
Connection* conn =
new Connection(key, run_state::processing_start_time, id, pkt->ip_hdr->FlowLabel(), pkt);
conn->SetTransport(transport);
if ( flip )
@ -244,11 +242,12 @@ bool IPBasedAnalyzer::UnregisterAnalyzerForPort(const analyzer::Tag& tag, uint32
tag_set* l = LookupPort(port, true);
if ( ! l )
return true; // still a "successful" unregistration
return true; // still a "successful" unregistration
#ifdef DEBUG
const char* name = analyzer_mgr->GetComponentName(tag).c_str();
DBG_LOG(DBG_ANALYZER, "Unregistering analyzer %s for port %" PRIu32 "/%d", name, port, transport);
DBG_LOG(DBG_ANALYZER, "Unregistering analyzer %s for port %" PRIu32 "/%d", name, port,
transport);
#endif
l->erase(tag);
@ -279,7 +278,8 @@ void IPBasedAnalyzer::DumpPortDebug()
for ( const auto& tag : *(mapping.second) )
s += std::string(analyzer_mgr->GetComponentName(tag)) + " ";
DBG_LOG(DBG_ANALYZER, " %d/%s: %s", mapping.first, transport_proto_string(transport), s.c_str());
DBG_LOG(DBG_ANALYZER, " %d/%s: %s", mapping.first, transport_proto_string(transport),
s.c_str());
}
}
@ -293,7 +293,7 @@ void IPBasedAnalyzer::SetIgnoreChecksumsNets(TableValPtr t)
TableValPtr IPBasedAnalyzer::GetIgnoreChecksumsNets()
{
if ( ! IPBasedAnalyzer::ignore_checksums_nets_table )
IPBasedAnalyzer::ignore_checksums_nets_table = zeek::id::find_val<TableVal>("ignore_checksums_nets");
IPBasedAnalyzer::ignore_checksums_nets_table =
zeek::id::find_val<TableVal>("ignore_checksums_nets");
return IPBasedAnalyzer::ignore_checksums_nets_table;
}

36
src/packet_analysis/protocol/ip/IPBasedAnalyzer.h
View file

@ -5,13 +5,17 @@
#include <map>
#include <set>
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/analyzer/Tag.h"
#include "zeek/ID.h"
#include "zeek/analyzer/Tag.h"
#include "zeek/packet_analysis/Analyzer.h"
namespace zeek::analyzer::pia { class PIA; }
namespace zeek::analyzer::pia
{
class PIA;
}
namespace zeek::packet_analysis::IP {
namespace zeek::packet_analysis::IP
{
class SessionAdapter;
@ -20,7 +24,8 @@ class SessionAdapter;
* by the TCP, UDP, and ICMP analyzers to reduce a large amount of duplicated code
* that those plugins have in common.
*/
class IPBasedAnalyzer : public Analyzer {
class IPBasedAnalyzer : public Analyzer
{
public:
~IPBasedAnalyzer() override;
@ -71,8 +76,7 @@ public:
*/
static void SetIgnoreChecksumsNets(TableValPtr t);
/**
/**
* Gets the interpal pointer to the script-level variable `ignore_checksums_nets`.
* This is used to prevent repeated (costly) lookup of the script-level variable
* by IP-based analyzers.
@ -82,7 +86,6 @@ public:
static TableValPtr GetIgnoreChecksumsNets();
protected:
/**
* Construct a new IP-based analyzer.
*
@ -116,8 +119,9 @@ protected:
* @param remaining The remaining about of data in the packet.
* @param pkt The packet being processed.
*/
virtual void DeliverPacket(Connection* conn, double t, bool is_orig, int remaining,
Packet* pkt) {}
virtual void DeliverPacket(Connection* conn, double t, bool is_orig, int remaining, Packet* pkt)
{
}
/**
* Upon seeing the first packet of a connection, checks whether we want
@ -131,8 +135,8 @@ protected:
* @param flip_roles Return value if the roles should be flipped.
* @return True if the connection is wanted. False otherwise.
*/
virtual bool WantConnection(uint16_t src_port, uint16_t dst_port,
const u_char* data, bool& flip_roles) const
virtual bool WantConnection(uint16_t src_port, uint16_t dst_port, const u_char* data,
bool& flip_roles) const
{
flip_roles = false;
return true;
@ -173,7 +177,6 @@ protected:
bool IsLikelyServerPort(uint32_t port) const;
private:
// While this is storing session analyzer tags, we store it here since packet analyzers
// are persitent objects. We can't do this in the adapters because those get created
// and destroyed for each connection.
@ -191,14 +194,13 @@ private:
* @param key A connection ID key generated from the ID.
* @param pkt The packet associated with the new connection.
*/
zeek::Connection* NewConn(const ConnTuple* id, const detail::ConnKey& key,
const Packet* pkt);
zeek::Connection* NewConn(const ConnTuple* id, const detail::ConnKey& key, const Packet* pkt);
void BuildSessionAnalyzerTree(Connection* conn);
TransportProto transport;
uint32_t server_port_mask;
static TableValPtr ignore_checksums_nets_table;
};
};
}
}

15
src/packet_analysis/protocol/ip/Plugin.cc
View file

@ -1,17 +1,20 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/ip/IP.h"
namespace zeek::plugin::Zeek_IP {
namespace zeek::plugin::Zeek_IP
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("IP",
zeek::packet_analysis::IP::IPAnalyzer::Instantiate));
AddComponent(new zeek::packet_analysis::Component(
"IP", zeek::packet_analysis::IP::IPAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::IP";
@ -19,6 +22,6 @@ public:
return config;
}
} plugin;
} plugin;
}
}

3
src/packet_analysis/protocol/ip/SessionAdapter.cc
View file

@ -16,8 +16,7 @@ bool SessionAdapter::IsReuse(double t, const u_char* pkt)
return parent->IsReuse(t, pkt);
}
void SessionAdapter::SetContentsFile(unsigned int /* direction */,
FilePtr /* f */)
void SessionAdapter::SetContentsFile(unsigned int /* direction */, FilePtr /* f */)
{
reporter->Error("analyzer type does not support writing to a contents file");
}

24
src/packet_analysis/protocol/ip/SessionAdapter.h
View file

@ -2,9 +2,13 @@
#include "zeek/analyzer/Analyzer.h"
namespace zeek::analyzer::pia { class PIA; }
namespace zeek::analyzer::pia
{
class PIA;
}
namespace zeek::packet_analysis::IP {
namespace zeek::packet_analysis::IP
{
class IPBasedAnalyzer;
@ -13,12 +17,11 @@ class IPBasedAnalyzer;
* the session analysis framework. One of these should be implemented for each
* packet analyzer that intends to forward into the session analysis.
*/
class SessionAdapter : public analyzer::Analyzer {
class SessionAdapter : public analyzer::Analyzer
{
public:
SessionAdapter(const char* name, Connection* conn)
: analyzer::Analyzer(name, conn) { }
SessionAdapter(const char* name, Connection* conn) : analyzer::Analyzer(name, conn) { }
/**
* Overridden from parent class.
@ -76,13 +79,13 @@ public:
* transport-layer input and determine which protocol analyzer(s) to
* use for parsing it.
*/
void SetPIA(analyzer::pia::PIA* arg_PIA) { pia = arg_PIA; }
void SetPIA(analyzer::pia::PIA* arg_PIA) { pia = arg_PIA; }
/**
* Returns the associated PIA, or null of none. Does not take
* ownership.
*/
analyzer::pia::PIA* GetPIA() const { return pia; }
analyzer::pia::PIA* GetPIA() const { return pia; }
/**
* Helper to raise a \c packet_contents event.
@ -94,9 +97,8 @@ public:
void PacketContents(const u_char* data, int len);
protected:
IPBasedAnalyzer* parent = nullptr;
analyzer::pia::PIA* pia = nullptr;
};
};
} // namespace zeek::packet_analysis::IP
} // namespace zeek::packet_analysis::IP

53
src/packet_analysis/protocol/iptunnel/IPTunnel.cc
View file

@ -4,17 +4,17 @@
#include <pcap.h> // For DLT_ constants
#include "zeek/RunState.h"
#include "zeek/IP.h"
#include "zeek/RunState.h"
#include "zeek/TunnelEncapsulation.h"
#include "zeek/packet_analysis/protocol/ip/IP.h"
namespace zeek::packet_analysis::IPTunnel {
namespace zeek::packet_analysis::IPTunnel
{
IPTunnelAnalyzer* ip_tunnel_analyzer;
IPTunnelAnalyzer::IPTunnelAnalyzer()
: zeek::packet_analysis::Analyzer("IPTunnel")
IPTunnelAnalyzer::IPTunnelAnalyzer() : zeek::packet_analysis::Analyzer("IPTunnel")
{
ip_tunnel_analyzer = this;
}
@ -33,8 +33,7 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
return false;
}
if ( packet->encap &&
packet->encap->Depth() >= BifConst::Tunnel::max_depth )
if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
{
Weird("exceeded_tunnel_max_depth", packet);
return false;
@ -75,17 +74,17 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
if ( tunnel_it == ip_tunnels.end() )
{
EncapsulatingConn ec(packet->ip_hdr->SrcAddr(), packet->ip_hdr->DstAddr(),
tunnel_type);
EncapsulatingConn ec(packet->ip_hdr->SrcAddr(), packet->ip_hdr->DstAddr(), tunnel_type);
ip_tunnels[tunnel_idx] = TunnelActivity(ec, run_state::network_time);
zeek::detail::timer_mgr->Add(new detail::IPTunnelTimer(run_state::network_time, tunnel_idx, this));
zeek::detail::timer_mgr->Add(
new detail::IPTunnelTimer(run_state::network_time, tunnel_idx, this));
}
else
tunnel_it->second.second = zeek::run_state::network_time;
if ( gre_version == 0 )
ProcessEncapsulatedPacket(run_state::processing_start_time, packet, len, len, data, gre_link_type,
packet->encap, ip_tunnels[tunnel_idx].first);
ProcessEncapsulatedPacket(run_state::processing_start_time, packet, len, len, data,
gre_link_type, packet->encap, ip_tunnels[tunnel_idx].first);
else
ProcessEncapsulatedPacket(run_state::processing_start_time, packet, inner, packet->encap,
ip_tunnels[tunnel_idx].first);
@ -111,17 +110,16 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt,
ts = pkt->ts;
else
{
ts.tv_sec = (time_t) run_state::network_time;
ts.tv_usec = (suseconds_t)
((run_state::network_time - (double)ts.tv_sec) * 1000000);
ts.tv_sec = (time_t)run_state::network_time;
ts.tv_usec = (suseconds_t)((run_state::network_time - (double)ts.tv_sec) * 1000000);
}
const u_char* data = nullptr;
if ( inner->IP4_Hdr() )
data = (const u_char*) inner->IP4_Hdr();
data = (const u_char*)inner->IP4_Hdr();
else
data = (const u_char*) inner->IP6_Hdr();
data = (const u_char*)inner->IP6_Hdr();
auto outer = prev ? prev : std::make_shared<EncapsulationStack>();
outer->Add(ec);
@ -141,9 +139,8 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt,
/**
* Handles a packet that contains a physical-layer header after the tunnel header.
*/
bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt,
uint32_t caplen, uint32_t len,
const u_char* data, int link_type,
bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt, uint32_t caplen,
uint32_t len, const u_char* data, int link_type,
std::shared_ptr<EncapsulationStack> prev,
const EncapsulatingConn& ec)
{
@ -153,9 +150,8 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt,
ts = pkt->ts;
else
{
ts.tv_sec = (time_t) run_state::network_time;
ts.tv_usec = (suseconds_t)
((run_state::network_time - (double)ts.tv_sec) * 1000000);
ts.tv_sec = (time_t)run_state::network_time;
ts.tv_usec = (suseconds_t)((run_state::network_time - (double)ts.tv_sec) * 1000000);
}
auto outer = prev ? prev : std::make_shared<EncapsulationStack>();
@ -174,19 +170,18 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt,
return return_val;
}
namespace detail {
namespace detail
{
IPTunnelTimer::IPTunnelTimer(double t, IPTunnelAnalyzer::IPPair p, IPTunnelAnalyzer* analyzer)
: Timer(t + BifConst::Tunnel::ip_tunnel_timeout,
zeek::detail::TIMER_IP_TUNNEL_INACTIVITY),
: Timer(t + BifConst::Tunnel::ip_tunnel_timeout, zeek::detail::TIMER_IP_TUNNEL_INACTIVITY),
tunnel_idx(p), analyzer(analyzer)
{
}
void IPTunnelTimer::Dispatch(double t, bool is_expire)
{
IPTunnelAnalyzer::IPTunnelMap::const_iterator it =
analyzer->ip_tunnels.find(tunnel_idx);
IPTunnelAnalyzer::IPTunnelMap::const_iterator it = analyzer->ip_tunnels.find(tunnel_idx);
if ( it == analyzer->ip_tunnels.end() )
return;
@ -203,6 +198,6 @@ void IPTunnelTimer::Dispatch(double t, bool is_expire)
zeek::detail::timer_mgr->Add(new IPTunnelTimer(t, tunnel_idx, analyzer));
}
} // namespace detail
} // namespace detail
} // namespace zeek::packet_analysis::IPTunnel
} // namespace zeek::packet_analysis::IPTunnel

37
src/packet_analysis/protocol/iptunnel/IPTunnel.h
View file

@ -2,18 +2,22 @@
#pragma once
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/IPAddr.h"
#include "zeek/TunnelEncapsulation.h"
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
namespace zeek::packet_analysis::IPTunnel {
namespace zeek::packet_analysis::IPTunnel
{
namespace detail { class IPTunnelTimer; }
namespace detail
{
class IPTunnelTimer;
}
class IPTunnelAnalyzer : public Analyzer {
class IPTunnelAnalyzer : public Analyzer
{
public:
IPTunnelAnalyzer();
~IPTunnelAnalyzer() override = default;
@ -39,7 +43,7 @@ public:
* the most-recently found depth of encapsulation.
* @param ec The most-recently found depth of encapsulation.
*/
bool ProcessEncapsulatedPacket(double t, const Packet *pkt,
bool ProcessEncapsulatedPacket(double t, const Packet* pkt,
const std::unique_ptr<IP_Hdr>& inner,
std::shared_ptr<EncapsulationStack> prev,
const EncapsulatingConn& ec);
@ -60,26 +64,25 @@ public:
* including the most-recently found depth of encapsulation.
* @param ec The most-recently found depth of encapsulation.
*/
bool ProcessEncapsulatedPacket(double t, const Packet* pkt,
uint32_t caplen, uint32_t len,
bool ProcessEncapsulatedPacket(double t, const Packet* pkt, uint32_t caplen, uint32_t len,
const u_char* data, int link_type,
std::shared_ptr<EncapsulationStack> prev,
const EncapsulatingConn& ec);
protected:
friend class detail::IPTunnelTimer;
using IPPair = std::pair<IPAddr, IPAddr>;
using TunnelActivity = std::pair<EncapsulatingConn, double>;
using IPTunnelMap = std::map<IPPair, TunnelActivity>;
IPTunnelMap ip_tunnels;
};
};
namespace detail
{
namespace detail {
class IPTunnelTimer final : public zeek::detail::Timer {
class IPTunnelTimer final : public zeek::detail::Timer
{
public:
IPTunnelTimer(double t, IPTunnelAnalyzer::IPPair p, IPTunnelAnalyzer* analyzer);
~IPTunnelTimer() override = default;
@ -89,11 +92,11 @@ public:
protected:
IPTunnelAnalyzer::IPPair tunnel_idx;
IPTunnelAnalyzer* analyzer;
};
};
} // namespace detail
} // namespace detail
// This is temporary until the TCP and UDP analyzers are moved to be packet analyzers.
extern IPTunnelAnalyzer* ip_tunnel_analyzer;
}
}

15
src/packet_analysis/protocol/iptunnel/Plugin.cc
View file

@ -1,17 +1,20 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
namespace zeek::plugin::Zeek_IPTunnel {
namespace zeek::plugin::Zeek_IPTunnel
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("IPTunnel",
zeek::packet_analysis::IPTunnel::IPTunnelAnalyzer::Instantiate));
AddComponent(new zeek::packet_analysis::Component(
"IPTunnel", zeek::packet_analysis::IPTunnel::IPTunnelAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::IPTunnel";
@ -19,6 +22,6 @@ public:
return config;
}
} plugin;
} plugin;
}
}

7
src/packet_analysis/protocol/linux_sll/LinuxSLL.cc
View file

@ -4,10 +4,7 @@
using namespace zeek::packet_analysis::LinuxSLL;
LinuxSLLAnalyzer::LinuxSLLAnalyzer()
: zeek::packet_analysis::Analyzer("LinuxSLL")
{
}
LinuxSLLAnalyzer::LinuxSLLAnalyzer() : zeek::packet_analysis::Analyzer("LinuxSLL") { }
bool LinuxSLLAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{
@ -23,7 +20,7 @@ bool LinuxSLLAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
auto hdr = (const SLLHeader*)data;
uint32_t protocol = ntohs(hdr->protocol_type);
packet->l2_src = (u_char*) &(hdr->addr);
packet->l2_src = (u_char*)&(hdr->addr);
// SLL doesn't include a destination address in the header, but not setting l2_dst to something
// here will cause crashes elsewhere.

11
src/packet_analysis/protocol/linux_sll/LinuxSLL.h
View file

@ -5,9 +5,11 @@
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
namespace zeek::packet_analysis::LinuxSLL {
namespace zeek::packet_analysis::LinuxSLL
{
class LinuxSLLAnalyzer : public Analyzer {
class LinuxSLLAnalyzer : public Analyzer
{
public:
LinuxSLLAnalyzer();
~LinuxSLLAnalyzer() override = default;
@ -20,7 +22,6 @@ public:
}
private:
// Structure layout is based on https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL.html
struct SLLHeader
{
@ -30,6 +31,6 @@ private:
uint64_t addr;
uint16_t protocol_type;
} __attribute__((__packed__));
};
};
}
}

15
src/packet_analysis/protocol/linux_sll/Plugin.cc
View file

@ -1,17 +1,20 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/linux_sll/LinuxSLL.h"
namespace zeek::plugin::Zeek_LinuxSLL {
namespace zeek::plugin::Zeek_LinuxSLL
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("LinuxSLL",
zeek::packet_analysis::LinuxSLL::LinuxSLLAnalyzer::Instantiate));
AddComponent(new zeek::packet_analysis::Component(
"LinuxSLL", zeek::packet_analysis::LinuxSLL::LinuxSLLAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::LinuxSLL";
@ -19,6 +22,6 @@ public:
return config;
}
} plugin;
} plugin;
}
}

5
src/packet_analysis/protocol/mpls/MPLS.cc
View file

@ -4,10 +4,7 @@
using namespace zeek::packet_analysis::MPLS;
MPLSAnalyzer::MPLSAnalyzer()
: zeek::packet_analysis::Analyzer("MPLS")
{
}
MPLSAnalyzer::MPLSAnalyzer() : zeek::packet_analysis::Analyzer("MPLS") { }
bool MPLSAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{

10
src/packet_analysis/protocol/mpls/MPLS.h
View file

@ -5,9 +5,11 @@
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
namespace zeek::packet_analysis::MPLS {
namespace zeek::packet_analysis::MPLS
{
class MPLSAnalyzer : public zeek::packet_analysis::Analyzer {
class MPLSAnalyzer : public zeek::packet_analysis::Analyzer
{
public:
MPLSAnalyzer();
~MPLSAnalyzer() override = default;
@ -18,6 +20,6 @@ public:
{
return std::make_shared<MPLSAnalyzer>();
}
};
};
}
}

15
src/packet_analysis/protocol/mpls/Plugin.cc
View file

@ -1,17 +1,20 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/mpls/MPLS.h"
namespace zeek::plugin::Zeek_MPLS {
namespace zeek::plugin::Zeek_MPLS
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("MPLS",
zeek::packet_analysis::MPLS::MPLSAnalyzer::Instantiate));
AddComponent(new zeek::packet_analysis::Component(
"MPLS", zeek::packet_analysis::MPLS::MPLSAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::MPLS";
@ -19,6 +22,6 @@ public:
return config;
}
} plugin;
} plugin;
}
}

5
src/packet_analysis/protocol/nflog/NFLog.cc
View file

@ -4,10 +4,7 @@
using namespace zeek::packet_analysis::NFLog;
NFLogAnalyzer::NFLogAnalyzer()
: zeek::packet_analysis::Analyzer("NFLog")
{
}
NFLogAnalyzer::NFLogAnalyzer() : zeek::packet_analysis::Analyzer("NFLog") { }
bool NFLogAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{

15
src/packet_analysis/protocol/nflog/NFLog.h
View file

@ -5,19 +5,18 @@
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
namespace zeek::packet_analysis::NFLog {
namespace zeek::packet_analysis::NFLog
{
class NFLogAnalyzer : public Analyzer {
class NFLogAnalyzer : public Analyzer
{
public:
NFLogAnalyzer();
~NFLogAnalyzer() override = default;
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
static AnalyzerPtr Instantiate()
{
return std::make_shared<NFLogAnalyzer>();
}
};
static AnalyzerPtr Instantiate() { return std::make_shared<NFLogAnalyzer>(); }
};
}
}

15
src/packet_analysis/protocol/nflog/Plugin.cc
View file

@ -1,23 +1,26 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/nflog/NFLog.h"
namespace zeek::plugin::Zeek_NFLog {
namespace zeek::plugin::Zeek_NFLog
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("NFLog",
zeek::packet_analysis::NFLog::NFLogAnalyzer::Instantiate));
AddComponent(new zeek::packet_analysis::Component(
"NFLog", zeek::packet_analysis::NFLog::NFLogAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::NFLog";
config.description = "NFLog packet analyzer";
return config;
}
} plugin;
} plugin;
}
}

5
src/packet_analysis/protocol/null/Null.cc
View file

@ -4,10 +4,7 @@
using namespace zeek::packet_analysis::Null;
NullAnalyzer::NullAnalyzer()
: zeek::packet_analysis::Analyzer("Null")
{
}
NullAnalyzer::NullAnalyzer() : zeek::packet_analysis::Analyzer("Null") { }
bool NullAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{

10
src/packet_analysis/protocol/null/Null.h
View file

@ -5,9 +5,11 @@
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
namespace zeek::packet_analysis::Null {
namespace zeek::packet_analysis::Null
{
class NullAnalyzer : public Analyzer {
class NullAnalyzer : public Analyzer
{
public:
NullAnalyzer();
~NullAnalyzer() override = default;
@ -18,6 +20,6 @@ public:
{
return std::make_shared<NullAnalyzer>();
}
};
};
}
}

15
src/packet_analysis/protocol/null/Plugin.cc
View file

@ -1,17 +1,20 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/null/Null.h"
namespace zeek::plugin::Zeek_Null {
namespace zeek::plugin::Zeek_Null
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("Null",
zeek::packet_analysis::Null::NullAnalyzer::Instantiate));
AddComponent(new zeek::packet_analysis::Component(
"Null", zeek::packet_analysis::Null::NullAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::Null";
@ -19,6 +22,6 @@ public:
return config;
}
} plugin;
} plugin;
}
}

5
src/packet_analysis/protocol/ppp_serial/PPPSerial.cc
View file

@ -4,10 +4,7 @@
using namespace zeek::packet_analysis::PPPSerial;
PPPSerialAnalyzer::PPPSerialAnalyzer()
: zeek::packet_analysis::Analyzer("PPPSerial")
{
}
PPPSerialAnalyzer::PPPSerialAnalyzer() : zeek::packet_analysis::Analyzer("PPPSerial") { }
bool PPPSerialAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{

10
src/packet_analysis/protocol/ppp_serial/PPPSerial.h
View file

@ -5,9 +5,11 @@
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
namespace zeek::packet_analysis::PPPSerial {
namespace zeek::packet_analysis::PPPSerial
{
class PPPSerialAnalyzer : public Analyzer {
class PPPSerialAnalyzer : public Analyzer
{
public:
PPPSerialAnalyzer();
~PPPSerialAnalyzer() override = default;
@ -18,6 +20,6 @@ public:
{
return std::make_shared<PPPSerialAnalyzer>();
}
};
};
}
}

15
src/packet_analysis/protocol/ppp_serial/Plugin.cc
View file

@ -1,17 +1,20 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/ppp_serial/PPPSerial.h"
namespace zeek::plugin::Zeek_PPPSerial {
namespace zeek::plugin::Zeek_PPPSerial
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("PPPSerial",
zeek::packet_analysis::PPPSerial::PPPSerialAnalyzer::Instantiate));
AddComponent(new zeek::packet_analysis::Component(
"PPPSerial", zeek::packet_analysis::PPPSerial::PPPSerialAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::PPPSerial";
@ -19,6 +22,6 @@ public:
return config;
}
} plugin;
} plugin;
}
}

5
src/packet_analysis/protocol/pppoe/PPPoE.cc
View file

@ -4,10 +4,7 @@
using namespace zeek::packet_analysis::PPPoE;
PPPoEAnalyzer::PPPoEAnalyzer()
: zeek::packet_analysis::Analyzer("PPPoE")
{
}
PPPoEAnalyzer::PPPoEAnalyzer() : zeek::packet_analysis::Analyzer("PPPoE") { }
bool PPPoEAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{

12
src/packet_analysis/protocol/pppoe/PPPoE.h
View file

@ -5,9 +5,11 @@
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
namespace zeek::packet_analysis::PPPoE {
namespace zeek::packet_analysis::PPPoE
{
class PPPoEAnalyzer : public Analyzer {
class PPPoEAnalyzer : public Analyzer
{
public:
PPPoEAnalyzer();
~PPPoEAnalyzer() override = default;
@ -17,7 +19,7 @@ public:
static zeek::packet_analysis::AnalyzerPtr Instantiate()
{
return std::make_shared<PPPoEAnalyzer>();
}
};
}
};
}
}

29
src/packet_analysis/protocol/pppoe/Plugin.cc
View file

@ -1,24 +1,27 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/pppoe/PPPoE.h"
namespace zeek::plugin::Zeek_PPPoE {
namespace zeek::plugin::Zeek_PPPoE
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("PPPoE",
zeek::packet_analysis::PPPoE::PPPoEAnalyzer::Instantiate));
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component(
"PPPoE", zeek::packet_analysis::PPPoE::PPPoEAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::PPPoE";
config.description = "PPPoE packet analyzer";
return config;
}
zeek::plugin::Configuration config;
config.name = "Zeek::PPPoE";
config.description = "PPPoE packet analyzer";
return config;
}
} plugin;
} plugin;
}
}

15
src/packet_analysis/protocol/root/Plugin.cc
View file

@ -1,17 +1,20 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/root/Root.h"
namespace zeek::plugin::Zeek_Root {
namespace zeek::plugin::Zeek_Root
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("Root",
zeek::packet_analysis::Root::RootAnalyzer::Instantiate));
AddComponent(new zeek::packet_analysis::Component(
"Root", zeek::packet_analysis::Root::RootAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::Root";
@ -19,6 +22,6 @@ public:
return config;
}
} plugin;
} plugin;
}
}

5
src/packet_analysis/protocol/root/Root.cc
View file

@ -4,10 +4,7 @@
using namespace zeek::packet_analysis::Root;
RootAnalyzer::RootAnalyzer()
: zeek::packet_analysis::Analyzer("Root")
{
}
RootAnalyzer::RootAnalyzer() : zeek::packet_analysis::Analyzer("Root") { }
bool RootAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{

10
src/packet_analysis/protocol/root/Root.h
View file

@ -5,9 +5,11 @@
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
namespace zeek::packet_analysis::Root {
namespace zeek::packet_analysis::Root
{
class RootAnalyzer : public Analyzer {
class RootAnalyzer : public Analyzer
{
public:
RootAnalyzer();
~RootAnalyzer() override = default;
@ -18,6 +20,6 @@ public:
{
return std::make_shared<RootAnalyzer>();
}
};
};
}
}

15
src/packet_analysis/protocol/skip/Plugin.cc
View file

@ -1,17 +1,20 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/skip/Skip.h"
namespace zeek::plugin::Zeek_Skip {
namespace zeek::plugin::Zeek_Skip
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("Skip",
zeek::packet_analysis::Skip::SkipAnalyzer::Instantiate));
AddComponent(new zeek::packet_analysis::Component(
"Skip", zeek::packet_analysis::Skip::SkipAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::Skip";
@ -19,6 +22,6 @@ public:
return config;
}
} plugin;
} plugin;
}
}

5
src/packet_analysis/protocol/skip/Skip.cc
View file

@ -4,10 +4,7 @@
using namespace zeek::packet_analysis::Skip;
SkipAnalyzer::SkipAnalyzer()
: zeek::packet_analysis::Analyzer("Skip")
{
}
SkipAnalyzer::SkipAnalyzer() : zeek::packet_analysis::Analyzer("Skip") { }
void SkipAnalyzer::Initialize()
{

10
src/packet_analysis/protocol/skip/Skip.h
View file

@ -5,9 +5,11 @@
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
namespace zeek::packet_analysis::Skip {
namespace zeek::packet_analysis::Skip
{
class SkipAnalyzer : public Analyzer {
class SkipAnalyzer : public Analyzer
{
public:
SkipAnalyzer();
~SkipAnalyzer() override = default;
@ -22,6 +24,6 @@ public:
private:
bro_uint_t skip_bytes = 0;
};
};
}
}

17
src/packet_analysis/protocol/tcp/Plugin.cc
View file

@ -1,19 +1,22 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/analyzer/Component.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/tcp/TCP.h"
#include "zeek/packet_analysis/protocol/tcp/TCPSessionAdapter.h"
#include "zeek/analyzer/Component.h"
namespace zeek::plugin::Zeek_TCP {
namespace zeek::plugin::Zeek_TCP
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("TCP",
zeek::packet_analysis::TCP::TCPAnalyzer::Instantiate));
AddComponent(new zeek::packet_analysis::Component(
"TCP", zeek::packet_analysis::TCP::TCPAnalyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("TCP", nullptr, 0, true, false, true));
zeek::plugin::Configuration config;
@ -22,6 +25,6 @@ public:
return config;
}
} plugin;
} plugin;
}
}

38
src/packet_analysis/protocol/tcp/Stats.cc
View file

@ -3,10 +3,10 @@
#include "zeek/packet_analysis/protocol/tcp/Stats.h"
#include "zeek/File.h"
#include "zeek/analyzer/protocol/tcp/events.bif.h"
namespace zeek::packet_analysis::TCP {
namespace zeek::packet_analysis::TCP
{
TCPStateStats::TCPStateStats()
{
@ -15,8 +15,10 @@ TCPStateStats::TCPStateStats()
state_cnt[i][j] = 0;
}
void TCPStateStats::ChangeState(analyzer::tcp::EndpointState o_prev, analyzer::tcp::EndpointState o_now,
analyzer::tcp::EndpointState r_prev, analyzer::tcp::EndpointState r_now)
void TCPStateStats::ChangeState(analyzer::tcp::EndpointState o_prev,
analyzer::tcp::EndpointState o_now,
analyzer::tcp::EndpointState r_prev,
analyzer::tcp::EndpointState r_now)
{
--state_cnt[o_prev][r_prev];
++state_cnt[o_now][r_now];
@ -49,21 +51,21 @@ void TCPStateStats::PrintStats(File* file, const char* prefix)
{
file->Write(prefix);
switch ( i ) {
#define STATE_STRING(state, str) \
case state: \
file->Write(str); \
switch ( i )
{
#define STATE_STRING(state, str) \
case state: \
file->Write(str); \
break;
STATE_STRING(analyzer::tcp::TCP_ENDPOINT_INACTIVE, "Inact.");
STATE_STRING(analyzer::tcp::TCP_ENDPOINT_SYN_SENT, "Syn. ");
STATE_STRING(analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT, "SA ");
STATE_STRING(analyzer::tcp::TCP_ENDPOINT_PARTIAL, "Part. ");
STATE_STRING(analyzer::tcp::TCP_ENDPOINT_ESTABLISHED, "Est. ");
STATE_STRING(analyzer::tcp::TCP_ENDPOINT_CLOSED, "Fin. ");
STATE_STRING(analyzer::tcp::TCP_ENDPOINT_RESET, "Rst. ");
}
STATE_STRING(analyzer::tcp::TCP_ENDPOINT_INACTIVE, "Inact.");
STATE_STRING(analyzer::tcp::TCP_ENDPOINT_SYN_SENT, "Syn. ");
STATE_STRING(analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT, "SA ");
STATE_STRING(analyzer::tcp::TCP_ENDPOINT_PARTIAL, "Part. ");
STATE_STRING(analyzer::tcp::TCP_ENDPOINT_ESTABLISHED, "Est. ");
STATE_STRING(analyzer::tcp::TCP_ENDPOINT_CLOSED, "Fin. ");
STATE_STRING(analyzer::tcp::TCP_ENDPOINT_RESET, "Rst. ");
}
file->Write(" ");
@ -84,4 +86,4 @@ void TCPStateStats::PrintStats(File* file, const char* prefix)
}
}
} // namespace zeek::packet_analysis::TCP
} // namespace zeek::packet_analysis::TCP

53
src/packet_analysis/protocol/tcp/Stats.h
View file

@ -4,13 +4,15 @@
#include "zeek/analyzer/protocol/tcp/TCP_Endpoint.h"
namespace zeek::packet_analysis::TCP {
namespace zeek::packet_analysis::TCP
{
/**
* A TCPStateStats object tracks the distribution of TCP states for
* the currently active connections.
*/
class TCPStateStats {
class TCPStateStats
{
public:
TCPStateStats();
~TCPStateStats() = default;
@ -19,53 +21,60 @@ public:
analyzer::tcp::EndpointState r_prev, analyzer::tcp::EndpointState r_now);
void FlipState(analyzer::tcp::EndpointState orig, analyzer::tcp::EndpointState resp);
void StateEntered (analyzer::tcp::EndpointState o_state, analyzer::tcp::EndpointState r_state)
{ ++state_cnt[o_state][r_state]; }
void StateLeft (analyzer::tcp::EndpointState o_state, analyzer::tcp::EndpointState r_state)
{ --state_cnt[o_state][r_state]; }
void StateEntered(analyzer::tcp::EndpointState o_state, analyzer::tcp::EndpointState r_state)
{
++state_cnt[o_state][r_state];
}
void StateLeft(analyzer::tcp::EndpointState o_state, analyzer::tcp::EndpointState r_state)
{
--state_cnt[o_state][r_state];
}
unsigned int Cnt(analyzer::tcp::EndpointState state) const
{ return Cnt(state, state); }
unsigned int Cnt(analyzer::tcp::EndpointState state) const { return Cnt(state, state); }
unsigned int Cnt(analyzer::tcp::EndpointState state1, analyzer::tcp::EndpointState state2) const
{ return state_cnt[state1][state2]; }
{
return state_cnt[state1][state2];
}
unsigned int NumStateEstablished() const
{ return Cnt(analyzer::tcp::TCP_ENDPOINT_ESTABLISHED); }
{
return Cnt(analyzer::tcp::TCP_ENDPOINT_ESTABLISHED);
}
unsigned int NumStateHalfClose() const
{ // corresponds to S2,S3
return Cnt(analyzer::tcp::TCP_ENDPOINT_ESTABLISHED, analyzer::tcp::TCP_ENDPOINT_CLOSED) +
Cnt(analyzer::tcp::TCP_ENDPOINT_CLOSED, analyzer::tcp::TCP_ENDPOINT_ESTABLISHED);
Cnt(analyzer::tcp::TCP_ENDPOINT_CLOSED, analyzer::tcp::TCP_ENDPOINT_ESTABLISHED);
}
unsigned int NumStateHalfRst() const
{
return Cnt(analyzer::tcp::TCP_ENDPOINT_ESTABLISHED, analyzer::tcp::TCP_ENDPOINT_RESET) +
Cnt(analyzer::tcp::TCP_ENDPOINT_RESET, analyzer::tcp::TCP_ENDPOINT_ESTABLISHED);
Cnt(analyzer::tcp::TCP_ENDPOINT_RESET, analyzer::tcp::TCP_ENDPOINT_ESTABLISHED);
}
unsigned int NumStateClosed() const
{ return Cnt(analyzer::tcp::TCP_ENDPOINT_CLOSED); }
unsigned int NumStateClosed() const { return Cnt(analyzer::tcp::TCP_ENDPOINT_CLOSED); }
unsigned int NumStateRequest() const
{
assert(Cnt(analyzer::tcp::TCP_ENDPOINT_INACTIVE, analyzer::tcp::TCP_ENDPOINT_SYN_SENT)==0);
assert(Cnt(analyzer::tcp::TCP_ENDPOINT_INACTIVE, analyzer::tcp::TCP_ENDPOINT_SYN_SENT) ==
0);
return Cnt(analyzer::tcp::TCP_ENDPOINT_SYN_SENT, analyzer::tcp::TCP_ENDPOINT_INACTIVE);
}
unsigned int NumStateSuccRequest() const
{
return Cnt(analyzer::tcp::TCP_ENDPOINT_SYN_SENT, analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT) +
Cnt(analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT, analyzer::tcp::TCP_ENDPOINT_SYN_SENT);
Cnt(analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT, analyzer::tcp::TCP_ENDPOINT_SYN_SENT);
}
unsigned int NumStateRstRequest() const
{
return Cnt(analyzer::tcp::TCP_ENDPOINT_SYN_SENT, analyzer::tcp::TCP_ENDPOINT_RESET) +
Cnt(analyzer::tcp::TCP_ENDPOINT_RESET, analyzer::tcp::TCP_ENDPOINT_SYN_SENT);
Cnt(analyzer::tcp::TCP_ENDPOINT_RESET, analyzer::tcp::TCP_ENDPOINT_SYN_SENT);
}
unsigned int NumStateInactive() const
{ return Cnt(analyzer::tcp::TCP_ENDPOINT_INACTIVE); }
unsigned int NumStateInactive() const { return Cnt(analyzer::tcp::TCP_ENDPOINT_INACTIVE); }
unsigned int NumStatePartial() const;
void PrintStats(File* file, const char* prefix);
private:
unsigned int state_cnt[analyzer::tcp::TCP_ENDPOINT_RESET+1][analyzer::tcp::TCP_ENDPOINT_RESET+1];
};
unsigned int state_cnt[analyzer::tcp::TCP_ENDPOINT_RESET + 1]
[analyzer::tcp::TCP_ENDPOINT_RESET + 1];
};
} // namespace zeek::packet_analysis::TCP
} // namespace zeek::packet_analysis::TCP

37
src/packet_analysis/protocol/tcp/TCP.cc
View file

@ -1,24 +1,20 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/packet_analysis/protocol/tcp/TCP.h"
#include "zeek/RunState.h"
#include "zeek/analyzer/protocol/pia/PIA.h"
#include "zeek/packet_analysis/protocol/tcp/TCPSessionAdapter.h"
#include "zeek/analyzer/protocol/tcp/events.bif.h"
#include "zeek/analyzer/protocol/tcp/types.bif.h"
#include "zeek/packet_analysis/protocol/tcp/TCPSessionAdapter.h"
using namespace zeek;
using namespace zeek::packet_analysis::TCP;
using namespace zeek::packet_analysis::IP;
TCPAnalyzer::TCPAnalyzer() : IPBasedAnalyzer("TCP", TRANSPORT_TCP, TCP_PORT_MASK, false)
{
}
TCPAnalyzer::TCPAnalyzer() : IPBasedAnalyzer("TCP", TRANSPORT_TCP, TCP_PORT_MASK, false) { }
void TCPAnalyzer::Initialize()
{
}
void TCPAnalyzer::Initialize() { }
SessionAdapter* TCPAnalyzer::MakeSessionAdapter(Connection* conn)
{
@ -36,8 +32,7 @@ zeek::analyzer::pia::PIA* TCPAnalyzer::MakePIA(Connection* conn)
return new analyzer::pia::PIA_TCP(conn);
}
bool TCPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet,
ConnTuple& tuple)
bool TCPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple)
{
uint32_t min_hdr_len = sizeof(struct tcphdr);
if ( ! CheckHeaderTrunc(min_hdr_len, len, packet) )
@ -48,7 +43,7 @@ bool TCPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet
data = packet->ip_hdr->Payload();
const struct tcphdr* tp = (const struct tcphdr *) data;
const struct tcphdr* tp = (const struct tcphdr*)data;
tuple.src_port = tp->th_sport;
tuple.dst_port = tp->th_dport;
tuple.is_one_way = false;
@ -57,11 +52,11 @@ bool TCPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet
return true;
}
bool TCPAnalyzer::WantConnection(uint16_t src_port, uint16_t dst_port,
const u_char* data, bool& flip_roles) const
bool TCPAnalyzer::WantConnection(uint16_t src_port, uint16_t dst_port, const u_char* data,
bool& flip_roles) const
{
flip_roles = false;
const struct tcphdr* tp = (const struct tcphdr*) data;
const struct tcphdr* tp = (const struct tcphdr*)data;
uint8_t tcp_flags = tp->th_flags;
if ( ! (tcp_flags & TH_SYN) || (tcp_flags & TH_ACK) )
@ -133,7 +128,7 @@ void TCPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
const struct tcphdr* TCPAnalyzer::ExtractTCP_Header(const u_char*& data, int& len, int& remaining,
TCPSessionAdapter* adapter)
{
const struct tcphdr* tp = (const struct tcphdr*) data;
const struct tcphdr* tp = (const struct tcphdr*)data;
uint32_t tcp_hdr_len = tp->th_off * 4;
if ( tcp_hdr_len < sizeof(struct tcphdr) )
@ -142,15 +137,14 @@ const struct tcphdr* TCPAnalyzer::ExtractTCP_Header(const u_char*& data, int& le
return nullptr;
}
if ( tcp_hdr_len > uint32_t(len) ||
tcp_hdr_len > uint32_t(remaining) )
if ( tcp_hdr_len > uint32_t(len) || tcp_hdr_len > uint32_t(remaining) )
{
// This can happen even with the above test, due to TCP options.
adapter->Weird("truncated_header");
return nullptr;
}
len -= tcp_hdr_len; // remove TCP header
len -= tcp_hdr_len; // remove TCP header
remaining -= tcp_hdr_len;
data += tcp_hdr_len;
@ -161,10 +155,9 @@ bool TCPAnalyzer::ValidateChecksum(const IP_Hdr* ip, const struct tcphdr* tp,
analyzer::tcp::TCP_Endpoint* endpoint, int len, int caplen,
TCPSessionAdapter* adapter)
{
if ( ! run_state::current_pkt->l3_checksummed &&
! detail::ignore_checksums &&
! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) &&
caplen >= len && ! endpoint->ValidChecksum(tp, len, ip->IP4_Hdr()) )
if ( ! run_state::current_pkt->l3_checksummed && ! detail::ignore_checksums &&
! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) && caplen >= len &&
! endpoint->ValidChecksum(tp, len, ip->IP4_Hdr()) )
{
adapter->Weird("bad_TCP_checksum");
endpoint->ChecksumError();

33
src/packet_analysis/protocol/tcp/TCP.h
View file

@ -2,19 +2,24 @@
#pragma once
#include "zeek/analyzer/protocol/tcp/TCP_Flags.h"
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h"
#include "zeek/packet_analysis/protocol/tcp/Stats.h"
#include "zeek/analyzer/protocol/tcp/TCP_Flags.h"
namespace zeek::analyzer::tcp { class TCP_Endpoint; }
namespace zeek::analyzer::tcp
{
class TCP_Endpoint;
}
namespace zeek::packet_analysis::TCP {
namespace zeek::packet_analysis::TCP
{
class TCPSessionAdapter;
class TCPAnalyzer final : public IP::IPBasedAnalyzer {
class TCPAnalyzer final : public IP::IPBasedAnalyzer
{
public:
TCPAnalyzer();
~TCPAnalyzer() override = default;
@ -38,15 +43,12 @@ public:
}
protected:
/**
* Parse the header from the packet into a ConnTuple object.
*/
bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet,
ConnTuple& tuple) override;
bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) override;
void DeliverPacket(Connection* c, double t, bool is_orig, int remaining,
Packet* pkt) override;
void DeliverPacket(Connection* c, double t, bool is_orig, int remaining, Packet* pkt) override;
/**
* Upon seeing the first packet of a connection, checks whether we want
@ -60,8 +62,8 @@ protected:
* @param flip_roles Return value if the roles should be flipped.
* @return True if the connection is wanted. False otherwise.
*/
bool WantConnection(uint16_t src_port, uint16_t dst_port,
const u_char* data, bool& flip_roles) const override;
bool WantConnection(uint16_t src_port, uint16_t dst_port, const u_char* data,
bool& flip_roles) const override;
/**
* Returns an analyzer adapter appropriate for this IP-based analyzer. This adapter
@ -77,15 +79,14 @@ protected:
analyzer::pia::PIA* MakePIA(Connection* conn) override;
private:
const struct tcphdr* ExtractTCP_Header(const u_char*& data, int& len, int& remaining,
TCPSessionAdapter* adapter);
// Returns true if the checksum is valid, false if not (and in which
// case also updates the status history of the endpoint).
bool ValidateChecksum(const IP_Hdr* ip, const struct tcphdr* tp,
analyzer::tcp::TCP_Endpoint* endpoint,
int len, int caplen, TCPSessionAdapter* adapter);
};
analyzer::tcp::TCP_Endpoint* endpoint, int len, int caplen,
TCPSessionAdapter* adapter);
};
}
}

708
src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
View file

File diff suppressed because it is too large Load diff

131
src/packet_analysis/protocol/tcp/TCPSessionAdapter.h
View file

@ -2,32 +2,38 @@
#pragma once
#include "zeek/analyzer/protocol/tcp/TCP_Endpoint.h"
#include "zeek/analyzer/protocol/tcp/TCP_Flags.h"
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/ip/SessionAdapter.h"
#include "zeek/session/Manager.h"
#include "zeek/analyzer/protocol/tcp/TCP_Flags.h"
#include "zeek/analyzer/protocol/tcp/TCP_Endpoint.h"
namespace zeek::analyzer::pia { class PIA_TCP; }
namespace zeek::analyzer::tcp { class TCP_Reassembler; }
namespace zeek::analyzer::pia
{
class PIA_TCP;
}
namespace zeek::analyzer::tcp
{
class TCP_Reassembler;
}
namespace zeek::packet_analysis::TCP {
namespace zeek::packet_analysis::TCP
{
constexpr bool DEBUG_tcp_data_sent = false;
constexpr bool DEBUG_tcp_connection_close = false;
class TCPAnalyzer;
class TCPSessionAdapter final : public packet_analysis::IP::SessionAdapter {
class TCPSessionAdapter final : public packet_analysis::IP::SessionAdapter
{
public:
explicit TCPSessionAdapter(Connection* conn);
~TCPSessionAdapter() override;
void Process(bool is_orig, const struct tcphdr* tp, int len,
const std::unique_ptr<IP_Hdr>& ip, const u_char* data,
int remaining);
void Process(bool is_orig, const struct tcphdr* tp, int len, const std::unique_ptr<IP_Hdr>& ip,
const u_char* data, int remaining);
void EnableReassembly();
@ -40,21 +46,21 @@ public:
bool RemoveChildAnalyzer(analyzer::ID id) override;
// True if the connection has closed in some sense, false otherwise.
bool IsClosed() const { return orig->did_close || resp->did_close; }
bool BothClosed() const { return orig->did_close && resp->did_close; }
bool IsClosed() const { return orig->did_close || resp->did_close; }
bool BothClosed() const { return orig->did_close && resp->did_close; }
bool IsPartial() const { return is_partial; }
bool IsPartial() const { return is_partial; }
bool HadGap(bool orig) const;
analyzer::tcp::TCP_Endpoint* Orig() const { return orig; }
analyzer::tcp::TCP_Endpoint* Resp() const { return resp; }
int OrigState() const { return orig->state; }
int RespState() const { return resp->state; }
int OrigPrevState() const { return orig->prev_state; }
int RespPrevState() const { return resp->prev_state; }
uint32_t OrigSeq() const { return orig->LastSeq(); }
uint32_t RespSeq() const { return resp->LastSeq(); }
analyzer::tcp::TCP_Endpoint* Orig() const { return orig; }
analyzer::tcp::TCP_Endpoint* Resp() const { return resp; }
int OrigState() const { return orig->state; }
int RespState() const { return resp->state; }
int OrigPrevState() const { return orig->prev_state; }
int RespPrevState() const { return resp->prev_state; }
uint32_t OrigSeq() const { return orig->LastSeq(); }
uint32_t RespSeq() const { return resp->LastSeq(); }
// True if either endpoint still has pending data. closing_endp
// is an endpoint that has indicated it is closing (i.e., for
@ -67,12 +73,11 @@ public:
FilePtr GetContentsFile(unsigned int direction) const override;
// From Analyzer.h
void UpdateConnVal(RecordVal *conn_val) override;
void UpdateConnVal(RecordVal* conn_val) override;
void AddExtraAnalyzers(Connection* conn) override;
protected:
friend class analyzer::tcp::TCP_ApplicationAnalyzer;
friend class analyzer::tcp::TCP_Reassembler;
friend class analyzer::pia::PIA_TCP;
@ -81,8 +86,8 @@ protected:
// Analyzer interface.
void Init() override;
void Done() override;
void DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq,
const IP_Hdr* ip, int caplen) override;
void DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip,
int caplen) override;
void DeliverStream(int len, const u_char* data, bool orig) override;
void Undelivered(uint64_t seq, int len, bool orig) override;
void FlipRoles() override;
@ -96,39 +101,35 @@ protected:
// On return, do_close is true if we should consider the connection
// as closed, and gen_event if we shouuld generate an event about
// this fact.
void UpdateStateMachine(double t,
analyzer::tcp::TCP_Endpoint* endpoint, analyzer::tcp::TCP_Endpoint* peer,
uint32_t base_seq, uint32_t ack_seq,
int len, int32_t delta_last, bool is_orig, analyzer::tcp::TCP_Flags flags,
bool& do_close, bool& gen_event);
void UpdateStateMachine(double t, analyzer::tcp::TCP_Endpoint* endpoint,
analyzer::tcp::TCP_Endpoint* peer, uint32_t base_seq, uint32_t ack_seq,
int len, int32_t delta_last, bool is_orig,
analyzer::tcp::TCP_Flags flags, bool& do_close, bool& gen_event);
void UpdateInactiveState(double t,
analyzer::tcp::TCP_Endpoint* endpoint, analyzer::tcp::TCP_Endpoint* peer,
uint32_t base_seq, uint32_t ack_seq,
int len, bool is_orig, analyzer::tcp::TCP_Flags flags,
bool& do_close, bool& gen_event);
void UpdateInactiveState(double t, analyzer::tcp::TCP_Endpoint* endpoint,
analyzer::tcp::TCP_Endpoint* peer, uint32_t base_seq, uint32_t ack_seq,
int len, bool is_orig, analyzer::tcp::TCP_Flags flags, bool& do_close,
bool& gen_event);
void UpdateSYN_SentState(analyzer::tcp::TCP_Endpoint* endpoint, analyzer::tcp::TCP_Endpoint* peer,
int len, bool is_orig, analyzer::tcp::TCP_Flags flags,
bool& do_close, bool& gen_event);
void UpdateSYN_SentState(analyzer::tcp::TCP_Endpoint* endpoint,
analyzer::tcp::TCP_Endpoint* peer, int len, bool is_orig,
analyzer::tcp::TCP_Flags flags, bool& do_close, bool& gen_event);
void UpdateEstablishedState(analyzer::tcp::TCP_Endpoint* endpoint, analyzer::tcp::TCP_Endpoint* peer,
analyzer::tcp::TCP_Flags flags, bool& do_close, bool& gen_event);
void UpdateEstablishedState(analyzer::tcp::TCP_Endpoint* endpoint,
analyzer::tcp::TCP_Endpoint* peer, analyzer::tcp::TCP_Flags flags,
bool& do_close, bool& gen_event);
void UpdateClosedState(double t, analyzer::tcp::TCP_Endpoint* endpoint,
int32_t delta_last, analyzer::tcp::TCP_Flags flags,
bool& do_close);
void UpdateClosedState(double t, analyzer::tcp::TCP_Endpoint* endpoint, int32_t delta_last,
analyzer::tcp::TCP_Flags flags, bool& do_close);
void UpdateResetState(int len, analyzer::tcp::TCP_Flags flags);
void GeneratePacketEvent(uint64_t rel_seq, uint64_t rel_ack,
const u_char* data, int len, int caplen,
bool is_orig, analyzer::tcp::TCP_Flags flags);
void GeneratePacketEvent(uint64_t rel_seq, uint64_t rel_ack, const u_char* data, int len,
int caplen, bool is_orig, analyzer::tcp::TCP_Flags flags);
bool DeliverData(double t, const u_char* data, int len, int caplen,
const IP_Hdr* ip, const struct tcphdr* tp,
analyzer::tcp::TCP_Endpoint* endpoint, uint64_t rel_data_seq,
bool is_orig, analyzer::tcp::TCP_Flags flags);
bool DeliverData(double t, const u_char* data, int len, int caplen, const IP_Hdr* ip,
const struct tcphdr* tp, analyzer::tcp::TCP_Endpoint* endpoint,
uint64_t rel_data_seq, bool is_orig, analyzer::tcp::TCP_Flags flags);
void CheckPIA_FirstPacket(bool is_orig, const IP_Hdr* ip);
@ -141,18 +142,18 @@ protected:
void ConnDeleteTimer(double t);
void EndpointEOF(analyzer::tcp::TCP_Reassembler* endp);
void ConnectionClosed(analyzer::tcp::TCP_Endpoint* endpoint,
analyzer::tcp::TCP_Endpoint* peer, bool gen_event);
void ConnectionClosed(analyzer::tcp::TCP_Endpoint* endpoint, analyzer::tcp::TCP_Endpoint* peer,
bool gen_event);
void ConnectionFinished(bool half_finished);
void ConnectionReset();
void PacketWithRST();
void SetReassembler(analyzer::tcp::TCP_Reassembler* rorig, analyzer::tcp::TCP_Reassembler* rresp);
void SetReassembler(analyzer::tcp::TCP_Reassembler* rorig,
analyzer::tcp::TCP_Reassembler* rresp);
uint64_t LastRelDataSeq() const { return rel_data_seq; }
uint64_t LastRelDataSeq() const { return rel_data_seq; }
private:
void SynWeirds(analyzer::tcp::TCP_Flags flags, analyzer::tcp::TCP_Endpoint* endpoint,
int data_len) const;
@ -166,21 +167,21 @@ private:
analyzer::analyzer_list packet_children;
uint64_t rel_data_seq = 0;
unsigned int first_packet_seen: 2;
unsigned int reassembling: 1;
unsigned int is_partial: 1;
unsigned int is_active: 1;
unsigned int finished: 1;
unsigned int first_packet_seen : 2;
unsigned int reassembling : 1;
unsigned int is_partial : 1;
unsigned int is_active : 1;
unsigned int finished : 1;
// Whether we're waiting on final data delivery before closing
// this connection.
unsigned int close_deferred: 1;
unsigned int close_deferred : 1;
// Whether to generate an event when we finally do close it.
unsigned int deferred_gen_event: 1;
unsigned int deferred_gen_event : 1;
// Whether we have seen the first ACK from the originator.
unsigned int seen_first_ACK: 1;
};
unsigned int seen_first_ACK : 1;
};
} // namespace zeek::packet_analysis::tcp
} // namespace zeek::packet_analysis::tcp

17
src/packet_analysis/protocol/udp/Plugin.cc
View file

@ -1,19 +1,22 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/analyzer/Component.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/udp/UDP.h"
#include "zeek/packet_analysis/protocol/udp/UDPSessionAdapter.h"
#include "zeek/analyzer/Component.h"
namespace zeek::plugin::Zeek_UDP {
namespace zeek::plugin::Zeek_UDP
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("UDP",
zeek::packet_analysis::UDP::UDPAnalyzer::Instantiate));
AddComponent(new zeek::packet_analysis::Component(
"UDP", zeek::packet_analysis::UDP::UDPAnalyzer::Instantiate));
AddComponent(new zeek::analyzer::Component("UDP", nullptr, 0, true, false, true));
zeek::plugin::Configuration config;
@ -22,6 +25,6 @@ public:
return config;
}
} plugin;
} plugin;
}
}

61
src/packet_analysis/protocol/udp/UDP.cc
View file

@ -1,15 +1,15 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/packet_analysis/protocol/udp/UDP.h"
#include "zeek/RunState.h"
#include "zeek/Conn.h"
#include "zeek/session/Manager.h"
#include "zeek/analyzer/Manager.h"
#include "zeek/analyzer/protocol/pia/PIA.h"
#include "zeek/analyzer/protocol/conn-size/ConnSize.h"
#include "zeek/packet_analysis/protocol/udp/UDPSessionAdapter.h"
#include "zeek/Conn.h"
#include "zeek/RunState.h"
#include "zeek/analyzer/Manager.h"
#include "zeek/analyzer/protocol/conn-size/ConnSize.h"
#include "zeek/analyzer/protocol/pia/PIA.h"
#include "zeek/packet_analysis/protocol/udp/UDPSessionAdapter.h"
#include "zeek/packet_analysis/protocol/udp/events.bif.h"
#include "zeek/session/Manager.h"
using namespace zeek::packet_analysis::UDP;
using namespace zeek::packet_analysis::IP;
@ -19,9 +19,7 @@ constexpr uint32_t HIST_RESP_DATA_PKT = 0x2;
constexpr uint32_t HIST_ORIG_CORRUPT_PKT = 0x4;
constexpr uint32_t HIST_RESP_CORRUPT_PKT = 0x8;
UDPAnalyzer::UDPAnalyzer() : IPBasedAnalyzer("UDP", TRANSPORT_UDP, UDP_PORT_MASK, false)
{
}
UDPAnalyzer::UDPAnalyzer() : IPBasedAnalyzer("UDP", TRANSPORT_UDP, UDP_PORT_MASK, false) { }
SessionAdapter* UDPAnalyzer::MakeSessionAdapter(Connection* conn)
{
@ -55,15 +53,14 @@ void UDPAnalyzer::Initialize()
vxlan_ports.emplace_back(port_list->Idx(i)->AsPortVal()->Port());
}
bool UDPAnalyzer::WantConnection(uint16_t src_port, uint16_t dst_port,
const u_char* data, bool& flip_roles) const
bool UDPAnalyzer::WantConnection(uint16_t src_port, uint16_t dst_port, const u_char* data,
bool& flip_roles) const
{
flip_roles = IsLikelyServerPort(src_port) && ! IsLikelyServerPort(dst_port);
return true;
}
bool UDPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet,
ConnTuple& tuple)
bool UDPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple)
{
uint32_t min_hdr_len = sizeof(struct udphdr);
if ( ! CheckHeaderTrunc(min_hdr_len, len, packet) )
@ -72,7 +69,7 @@ bool UDPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet
tuple.src_addr = packet->ip_hdr->SrcAddr();
tuple.dst_addr = packet->ip_hdr->DstAddr();
const struct udphdr* up = (const struct udphdr *) packet->ip_hdr->Payload();
const struct udphdr* up = (const struct udphdr*)packet->ip_hdr->Payload();
tuple.src_port = up->uh_sport;
tuple.dst_port = up->uh_dport;
tuple.is_one_way = false;
@ -88,7 +85,7 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
const u_char* data = pkt->ip_hdr->Payload();
int len = pkt->ip_hdr->PayloadLen();
const struct udphdr* up = (const struct udphdr*) data;
const struct udphdr* up = (const struct udphdr*)data;
const std::unique_ptr<IP_Hdr>& ip = pkt->ip_hdr;
adapter->DeliverPacket(len, data, is_orig, -1, ip.get(), remaining);
@ -106,20 +103,17 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
int chksum = up->uh_sum;
auto validate_checksum =
! run_state::current_pkt->l3_checksummed &&
! zeek::detail::ignore_checksums &&
! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) &&
remaining >=len;
! run_state::current_pkt->l3_checksummed && ! zeek::detail::ignore_checksums &&
! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) && remaining >= len;
constexpr auto vxlan_len = 8;
constexpr auto eth_len = 14;
if ( validate_checksum &&
len > ((int)sizeof(struct udphdr) + vxlan_len + eth_len) &&
if ( validate_checksum && len > ((int)sizeof(struct udphdr) + vxlan_len + eth_len) &&
(data[0] & 0x08) == 0x08 )
{
if ( std::find(vxlan_ports.begin(), vxlan_ports.end(),
ntohs(up->uh_dport)) != vxlan_ports.end() )
if ( std::find(vxlan_ports.begin(), vxlan_ports.end(), ntohs(up->uh_dport)) !=
vxlan_ports.end() )
{
// Looks like VXLAN on a well-known port, so the checksum should be
// transmitted as zero, and we should accept that. If not
@ -165,8 +159,10 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
if ( udp_contents )
{
static auto udp_content_ports = id::find_val<TableVal>("udp_content_ports");
static auto udp_content_delivery_ports_orig = id::find_val<TableVal>("udp_content_delivery_ports_orig");
static auto udp_content_delivery_ports_resp = id::find_val<TableVal>("udp_content_delivery_ports_resp");
static auto udp_content_delivery_ports_orig =
id::find_val<TableVal>("udp_content_delivery_ports_orig");
static auto udp_content_delivery_ports_resp =
id::find_val<TableVal>("udp_content_delivery_ports_resp");
bool do_udp_contents = false;
const auto& sport_val = val_mgr->Port(ntohs(up->uh_sport), TRANSPORT_UDP);
const auto& dport_val = val_mgr->Port(ntohs(up->uh_dport), TRANSPORT_UDP);
@ -176,8 +172,8 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
do_udp_contents = true;
else
{
uint16_t p = zeek::detail::udp_content_delivery_ports_use_resp ? c->RespPort()
: up->uh_dport;
uint16_t p =
zeek::detail::udp_content_delivery_ports_use_resp ? c->RespPort() : up->uh_dport;
const auto& port_val = zeek::val_mgr->Port(ntohs(p), TRANSPORT_UDP);
if ( is_orig )
@ -197,10 +193,8 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
}
if ( do_udp_contents )
adapter->EnqueueConnEvent(udp_contents,
adapter->ConnVal(),
val_mgr->Bool(is_orig),
make_intrusive<StringVal>(len, (const char*) data));
adapter->EnqueueConnEvent(udp_contents, adapter->ConnVal(), val_mgr->Bool(is_orig),
make_intrusive<StringVal>(len, (const char*)data));
}
if ( is_orig )
@ -226,8 +220,7 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
bool UDPAnalyzer::ValidateChecksum(const IP_Hdr* ip, const udphdr* up, int len)
{
auto sum = detail::ip_in_cksum(ip->IP4_Hdr(), ip->SrcAddr(), ip->DstAddr(),
IPPROTO_UDP,
auto sum = detail::ip_in_cksum(ip->IP4_Hdr(), ip->SrcAddr(), ip->DstAddr(), IPPROTO_UDP,
reinterpret_cast<const uint8_t*>(up), len);
return sum == 0xffff;

25
src/packet_analysis/protocol/udp/UDP.h
View file

@ -7,9 +7,11 @@
#include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h"
#include "zeek/packet_analysis/protocol/ip/SessionAdapter.h"
namespace zeek::packet_analysis::UDP {
namespace zeek::packet_analysis::UDP
{
class UDPAnalyzer final : public IP::IPBasedAnalyzer {
class UDPAnalyzer final : public IP::IPBasedAnalyzer
{
public:
UDPAnalyzer();
~UDPAnalyzer() override = default;
@ -27,15 +29,12 @@ public:
void Initialize() override;
protected:
/**
* Parse the header from the packet into a ConnTuple object.
*/
bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet,
ConnTuple& tuple) override;
bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) override;
void DeliverPacket(Connection* c, double t, bool is_orig, int remaining,
Packet* pkt) override;
void DeliverPacket(Connection* c, double t, bool is_orig, int remaining, Packet* pkt) override;
/**
* Upon seeing the first packet of a connection, checks whether we want
@ -49,19 +48,17 @@ protected:
* @param flip_roles Return value if the roles should be flipped.
* @return True if the connection is wanted. False otherwise.
*/
bool WantConnection(uint16_t src_port, uint16_t dst_port,
const u_char* data, bool& flip_roles) const override;
bool WantConnection(uint16_t src_port, uint16_t dst_port, const u_char* data,
bool& flip_roles) const override;
packet_analysis::IP::SessionAdapter* MakeSessionAdapter(Connection* conn) override;
analyzer::pia::PIA* MakePIA(Connection* conn) override;
private:
// Returns true if the checksum is valid, false if not
static bool ValidateChecksum(const IP_Hdr* ip, const struct udphdr* up,
int len);
static bool ValidateChecksum(const IP_Hdr* ip, const struct udphdr* up, int len);
std::vector<uint16_t> vxlan_ports;
};
};
}
}

9
src/packet_analysis/protocol/udp/UDPSessionAdapter.cc
View file

@ -9,10 +9,11 @@
using namespace zeek::packet_analysis::UDP;
using namespace zeek::packet_analysis::IP;
enum UDP_EndpointState {
UDP_INACTIVE, // no packet seen
UDP_ACTIVE, // packets seen
};
enum UDP_EndpointState
{
UDP_INACTIVE, // no packet seen
UDP_ACTIVE, // packets seen
};
void UDPSessionAdapter::AddExtraAnalyzers(Connection* conn)
{

15
src/packet_analysis/protocol/udp/UDPSessionAdapter.h
View file

@ -4,14 +4,14 @@
#include "zeek/packet_analysis/protocol/ip/SessionAdapter.h"
namespace zeek::packet_analysis::UDP {
namespace zeek::packet_analysis::UDP
{
class UDPSessionAdapter final : public IP::SessionAdapter {
class UDPSessionAdapter final : public IP::SessionAdapter
{
public:
UDPSessionAdapter(Connection* conn) :
IP::SessionAdapter("UDP", conn) { }
UDPSessionAdapter(Connection* conn) : IP::SessionAdapter("UDP", conn) { }
void AddExtraAnalyzers(Connection* conn) override;
void UpdateConnVal(RecordVal* conn_val) override;
@ -27,12 +27,11 @@ public:
uint32_t rep_chk_thresh = 1;
private:
void UpdateEndpointVal(const ValPtr& endp_arg, bool is_orig);
void ChecksumEvent(bool is_orig, uint32_t threshold);
bro_int_t request_len = -1;
bro_int_t reply_len = -1;
};
};
} // namespace zeek::packet_analysis::UDP
} // namespace zeek::packet_analysis::UDP

29
src/packet_analysis/protocol/vlan/Plugin.cc
View file

@ -1,24 +1,27 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/vlan/VLAN.h"
namespace zeek::plugin::Zeek_VLAN {
namespace zeek::plugin::Zeek_VLAN
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("VLAN",
zeek::packet_analysis::VLAN::VLANAnalyzer::Instantiate));
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component(
"VLAN", zeek::packet_analysis::VLAN::VLANAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::VLAN";
config.description = "VLAN packet analyzer";
return config;
}
zeek::plugin::Configuration config;
config.name = "Zeek::VLAN";
config.description = "VLAN packet analyzer";
return config;
}
} plugin;
} plugin;
}
}

5
src/packet_analysis/protocol/vlan/VLAN.cc
View file

@ -4,10 +4,7 @@
using namespace zeek::packet_analysis::VLAN;
VLANAnalyzer::VLANAnalyzer()
: zeek::packet_analysis::Analyzer("VLAN")
{
}
VLANAnalyzer::VLANAnalyzer() : zeek::packet_analysis::Analyzer("VLAN") { }
bool VLANAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{

10
src/packet_analysis/protocol/vlan/VLAN.h
View file

@ -5,9 +5,11 @@
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
namespace zeek::packet_analysis::VLAN {
namespace zeek::packet_analysis::VLAN
{
class VLANAnalyzer : public Analyzer {
class VLANAnalyzer : public Analyzer
{
public:
VLANAnalyzer();
~VLANAnalyzer() override = default;
@ -18,6 +20,6 @@ public:
{
return std::make_shared<VLANAnalyzer>();
}
};
};
}
}

29
src/packet_analysis/protocol/vntag/Plugin.cc
View file

@ -1,24 +1,27 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/vntag/VNTag.h"
namespace zeek::plugin::Zeek_VNTag {
namespace zeek::plugin::Zeek_VNTag
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("VNTag",
zeek::packet_analysis::VNTag::VNTagAnalyzer::Instantiate));
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component(
"VNTag", zeek::packet_analysis::VNTag::VNTagAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::VNTag";
config.description = "VNTag packet analyzer";
return config;
}
zeek::plugin::Configuration config;
config.name = "Zeek::VNTag";
config.description = "VNTag packet analyzer";
return config;
}
} plugin;
} plugin;
}
}

5
src/packet_analysis/protocol/vntag/VNTag.cc
View file

@ -4,10 +4,7 @@
using namespace zeek::packet_analysis::VNTag;
VNTagAnalyzer::VNTagAnalyzer()
: zeek::packet_analysis::Analyzer("VNTag")
{
}
VNTagAnalyzer::VNTagAnalyzer() : zeek::packet_analysis::Analyzer("VNTag") { }
bool VNTagAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{

10
src/packet_analysis/protocol/vntag/VNTag.h
View file

@ -5,9 +5,11 @@
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
namespace zeek::packet_analysis::VNTag {
namespace zeek::packet_analysis::VNTag
{
class VNTagAnalyzer : public Analyzer {
class VNTagAnalyzer : public Analyzer
{
public:
VNTagAnalyzer();
~VNTagAnalyzer() override = default;
@ -18,6 +20,6 @@ public:
{
return std::make_shared<VNTagAnalyzer>();
}
};
};
}
}

15
src/packet_analysis/protocol/wrapper/Plugin.cc
View file

@ -1,17 +1,20 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/wrapper/Wrapper.h"
namespace zeek::plugin::Zeek_Wrapper {
namespace zeek::plugin::Zeek_Wrapper
{
class Plugin : public zeek::plugin::Plugin {
class Plugin : public zeek::plugin::Plugin
{
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("Wrapper",
zeek::packet_analysis::Wrapper::WrapperAnalyzer::Instantiate));
AddComponent(new zeek::packet_analysis::Component(
"Wrapper", zeek::packet_analysis::Wrapper::WrapperAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::Wrapper";
@ -19,6 +22,6 @@ public:
return config;
}
} plugin;
} plugin;
}
}

70
src/packet_analysis/protocol/wrapper/Wrapper.cc
View file

@ -4,10 +4,7 @@
using namespace zeek::packet_analysis::Wrapper;
WrapperAnalyzer::WrapperAnalyzer()
: zeek::packet_analysis::Analyzer("Wrapper")
{
}
WrapperAnalyzer::WrapperAnalyzer() : zeek::packet_analysis::Analyzer("Wrapper") { }
bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
{
@ -43,8 +40,7 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
bool saw_vlan = false;
while ( protocol == 0x8100 || protocol == 0x9100 ||
protocol == 0x8864 )
while ( protocol == 0x8100 || protocol == 0x9100 || protocol == 0x8864 )
{
switch ( protocol )
{
@ -52,46 +48,46 @@ bool WrapperAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
// 802.1q / 802.1ad
case 0x8100:
case 0x9100:
{
if ( data + 4 >= end_of_data )
{
Weird("truncated_link_header", packet);
return false;
}
if ( data + 4 >= end_of_data )
{
Weird("truncated_link_header", packet);
return false;
}
auto& vlan_ref = saw_vlan ? packet->inner_vlan : packet->vlan;
vlan_ref = ((data[0] << 8u) + data[1]) & 0xfff;
protocol = ((data[2] << 8u) + data[3]);
data += 4; // Skip the vlan header
saw_vlan = true;
packet->eth_type = protocol;
}
break;
auto& vlan_ref = saw_vlan ? packet->inner_vlan : packet->vlan;
vlan_ref = ((data[0] << 8u) + data[1]) & 0xfff;
protocol = ((data[2] << 8u) + data[3]);
data += 4; // Skip the vlan header
saw_vlan = true;
packet->eth_type = protocol;
}
break;
// PPPoE carried over the ethernet frame.
case 0x8864:
{
if ( data + 8 >= end_of_data )
{
Weird("truncated_link_header", packet);
return false;
}
if ( data + 8 >= end_of_data )
{
Weird("truncated_link_header", packet);
return false;
}
protocol = (data[6] << 8u) + data[7];
data += 8; // Skip the PPPoE session and PPP header
protocol = (data[6] << 8u) + data[7];
data += 8; // Skip the PPPoE session and PPP header
if ( protocol == 0x0021 )
packet->l3_proto = L3_IPV4;
else if ( protocol == 0x0057 )
packet->l3_proto = L3_IPV6;
else
{
// Neither IPv4 nor IPv6.
Weird("non_ip_packet_in_pppoe_encapsulation", packet);
return false;
if ( protocol == 0x0021 )
packet->l3_proto = L3_IPV4;
else if ( protocol == 0x0057 )
packet->l3_proto = L3_IPV6;
else
{
// Neither IPv4 nor IPv6.
Weird("non_ip_packet_in_pppoe_encapsulation", packet);
return false;
}
}
}
break;
break;
}
}

10
src/packet_analysis/protocol/wrapper/Wrapper.h
View file

@ -5,9 +5,11 @@
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
namespace zeek::packet_analysis::Wrapper {
namespace zeek::packet_analysis::Wrapper
{
class WrapperAnalyzer : public Analyzer {
class WrapperAnalyzer : public Analyzer
{
public:
WrapperAnalyzer();
~WrapperAnalyzer() override = default;
@ -18,6 +20,6 @@ public:
{
return std::make_shared<WrapperAnalyzer>();
}
};
};
}
}