mirror of
https://github.com/zeek/zeek.git
synced 2025-10-14 20:48:21 +00:00
Reformat the world
This commit is contained in:
Tim Wojtulewicz
parent
194cb24547
commit
b2f171ec69
714 changed files with 35149 additions and 35203 deletions
|
|
@ -4,31 +4,28 @@
|
|||
|
||||
#include <netinet/icmp6.h>
|
||||
|
||||
#include "zeek/RunState.h"
|
||||
#include "zeek/Conn.h"
|
||||
#include "zeek/Reporter.h"
|
||||
#include "zeek/Desc.h"
|
||||
#include "zeek/Reporter.h"
|
||||
#include "zeek/RunState.h"
|
||||
#include "zeek/Val.h"
|
||||
#include "zeek/ZeekString.h"
|
||||
#include "zeek/analyzer/Manager.h"
|
||||
#include "zeek/session/Manager.h"
|
||||
#include "zeek/analyzer/protocol/conn-size/ConnSize.h"
|
||||
#include "zeek/packet_analysis/protocol/icmp/ICMPSessionAdapter.h"
|
||||
|
||||
#include "zeek/ZeekString.h"
|
||||
|
||||
#include "zeek/packet_analysis/protocol/icmp/events.bif.h"
|
||||
#include "zeek/session/Manager.h"
|
||||
|
||||
enum ICMP_EndpointState {
|
||||
ICMP_INACTIVE, // no packet seen
|
||||
ICMP_ACTIVE, // packets seen
|
||||
};
|
||||
enum ICMP_EndpointState
|
||||
{
|
||||
ICMP_INACTIVE, // no packet seen
|
||||
ICMP_ACTIVE, // packets seen
|
||||
};
|
||||
|
||||
using namespace zeek::packet_analysis::ICMP;
|
||||
using namespace zeek::packet_analysis::IP;
|
||||
|
||||
ICMPAnalyzer::ICMPAnalyzer() : IPBasedAnalyzer("ICMP", TRANSPORT_ICMP, ICMP_PORT_MASK, false)
|
||||
{
|
||||
}
|
||||
ICMPAnalyzer::ICMPAnalyzer() : IPBasedAnalyzer("ICMP", TRANSPORT_ICMP, ICMP_PORT_MASK, false) { }
|
||||
|
||||
SessionAdapter* ICMPAnalyzer::MakeSessionAdapter(Connection* conn)
|
||||
{
|
||||
|
|
@ -39,8 +36,7 @@ SessionAdapter* ICMPAnalyzer::MakeSessionAdapter(Connection* conn)
|
|||
return root;
|
||||
}
|
||||
|
||||
bool ICMPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet,
|
||||
ConnTuple& tuple)
|
||||
bool ICMPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple)
|
||||
{
|
||||
if ( ! CheckHeaderTrunc(ICMP_MINLEN, len, packet) )
|
||||
return false;
|
||||
|
|
@ -49,13 +45,15 @@ bool ICMPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packe
|
|||
tuple.dst_addr = packet->ip_hdr->DstAddr();
|
||||
tuple.proto = TRANSPORT_ICMP;
|
||||
|
||||
const struct icmp* icmpp = (const struct icmp *) data;
|
||||
const struct icmp* icmpp = (const struct icmp*)data;
|
||||
tuple.src_port = htons(icmpp->icmp_type);
|
||||
|
||||
if ( packet->proto == IPPROTO_ICMP )
|
||||
tuple.dst_port = htons(ICMP4_counterpart(icmpp->icmp_type, icmpp->icmp_code, tuple.is_one_way));
|
||||
tuple.dst_port =
|
||||
htons(ICMP4_counterpart(icmpp->icmp_type, icmpp->icmp_code, tuple.is_one_way));
|
||||
else if ( packet->proto == IPPROTO_ICMPV6 )
|
||||
tuple.dst_port = htons(ICMP6_counterpart(icmpp->icmp_type, icmpp->icmp_code, tuple.is_one_way));
|
||||
tuple.dst_port =
|
||||
htons(ICMP6_counterpart(icmpp->icmp_type, icmpp->icmp_code, tuple.is_one_way));
|
||||
else
|
||||
reporter->InternalError("Reached ICMP packet analyzer with unknown packet protocol %x",
|
||||
packet->proto);
|
||||
|
|
@ -73,29 +71,28 @@ void ICMPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int rema
|
|||
if ( packet_contents && len > 0 )
|
||||
adapter->PacketContents(data + 8, std::min(len, remaining) - 8);
|
||||
|
||||
const struct icmp* icmpp = (const struct icmp*) data;
|
||||
const struct icmp* icmpp = (const struct icmp*)data;
|
||||
const std::unique_ptr<IP_Hdr>& ip = pkt->ip_hdr;
|
||||
|
||||
if ( ! zeek::detail::ignore_checksums &&
|
||||
! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) &&
|
||||
remaining >= len )
|
||||
! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) && remaining >= len )
|
||||
{
|
||||
int chksum = 0;
|
||||
|
||||
switch ( ip->NextProto() )
|
||||
{
|
||||
case IPPROTO_ICMP:
|
||||
chksum = icmp_checksum(icmpp, len);
|
||||
break;
|
||||
{
|
||||
case IPPROTO_ICMP:
|
||||
chksum = icmp_checksum(icmpp, len);
|
||||
break;
|
||||
|
||||
case IPPROTO_ICMPV6:
|
||||
chksum = icmp6_checksum(icmpp, ip.get(), len);
|
||||
break;
|
||||
case IPPROTO_ICMPV6:
|
||||
chksum = icmp6_checksum(icmpp, ip.get(), len);
|
||||
break;
|
||||
|
||||
default:
|
||||
reporter->Error("unexpected IP proto in ICMP analyzer: %d", ip->NextProto());
|
||||
return;
|
||||
}
|
||||
default:
|
||||
reporter->Error("unexpected IP proto in ICMP analyzer: %d", ip->NextProto());
|
||||
return;
|
||||
}
|
||||
|
||||
if ( chksum != 0xffff )
|
||||
{
|
||||
|
|
@ -133,8 +130,7 @@ void ICMPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int rema
|
|||
}
|
||||
|
||||
void ICMPAnalyzer::NextICMP4(double t, const struct icmp* icmpp, int len, int caplen,
|
||||
const u_char*& data, const IP_Hdr* ip_hdr,
|
||||
ICMPSessionAdapter* adapter)
|
||||
const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter)
|
||||
{
|
||||
switch ( icmpp->icmp_type )
|
||||
{
|
||||
|
|
@ -155,8 +151,7 @@ void ICMPAnalyzer::NextICMP4(double t, const struct icmp* icmpp, int len, int ca
|
|||
}
|
||||
|
||||
void ICMPAnalyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int caplen,
|
||||
const u_char*& data, const IP_Hdr* ip_hdr,
|
||||
ICMPSessionAdapter* adapter)
|
||||
const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter)
|
||||
{
|
||||
switch ( icmpp->icmp_type )
|
||||
{
|
||||
|
|
@ -213,10 +208,9 @@ void ICMPAnalyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int ca
|
|||
}
|
||||
}
|
||||
|
||||
void ICMPAnalyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
|
||||
int icmpv6, const u_char* data, const IP_Hdr* ip_hdr,
|
||||
ICMPSessionAdapter* adapter)
|
||||
{
|
||||
void ICMPAnalyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen, int icmpv6,
|
||||
const u_char* data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter)
|
||||
{
|
||||
if ( icmp_sent )
|
||||
adapter->EnqueueConnEvent(icmp_sent, adapter->ConnVal(),
|
||||
BuildInfo(icmpp, len, icmpv6, ip_hdr));
|
||||
|
|
@ -231,8 +225,8 @@ void ICMPAnalyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
|
|||
}
|
||||
}
|
||||
|
||||
zeek::RecordValPtr ICMPAnalyzer::BuildInfo(const struct icmp* icmpp, int len,
|
||||
bool icmpv6, const IP_Hdr* ip_hdr)
|
||||
zeek::RecordValPtr ICMPAnalyzer::BuildInfo(const struct icmp* icmpp, int len, bool icmpv6,
|
||||
const IP_Hdr* ip_hdr)
|
||||
{
|
||||
static auto icmp_info = id::find_type<RecordType>("icmp_info");
|
||||
auto rval = make_intrusive<zeek::RecordVal>(icmp_info);
|
||||
|
|
@ -244,74 +238,84 @@ zeek::RecordValPtr ICMPAnalyzer::BuildInfo(const struct icmp* icmpp, int len,
|
|||
return rval;
|
||||
}
|
||||
|
||||
TransportProto ICMPAnalyzer::GetContextProtocol(const IP_Hdr* ip_hdr, uint32_t* src_port, uint32_t* dst_port)
|
||||
TransportProto ICMPAnalyzer::GetContextProtocol(const IP_Hdr* ip_hdr, uint32_t* src_port,
|
||||
uint32_t* dst_port)
|
||||
{
|
||||
const u_char* transport_hdr;
|
||||
uint32_t ip_hdr_len = ip_hdr->HdrLen();
|
||||
bool ip4 = ip_hdr->IP4_Hdr();
|
||||
|
||||
if ( ip4 )
|
||||
transport_hdr = ((u_char *) ip_hdr->IP4_Hdr() + ip_hdr_len);
|
||||
transport_hdr = ((u_char*)ip_hdr->IP4_Hdr() + ip_hdr_len);
|
||||
else
|
||||
transport_hdr = ((u_char *) ip_hdr->IP6_Hdr() + ip_hdr_len);
|
||||
transport_hdr = ((u_char*)ip_hdr->IP6_Hdr() + ip_hdr_len);
|
||||
|
||||
TransportProto proto;
|
||||
|
||||
switch ( ip_hdr->NextProto() ) {
|
||||
case 1: proto = TRANSPORT_ICMP; break;
|
||||
case 6: proto = TRANSPORT_TCP; break;
|
||||
case 17: proto = TRANSPORT_UDP; break;
|
||||
case 58: proto = TRANSPORT_ICMP; break;
|
||||
default: proto = TRANSPORT_UNKNOWN; break;
|
||||
}
|
||||
|
||||
switch ( proto ) {
|
||||
case TRANSPORT_ICMP:
|
||||
switch ( ip_hdr->NextProto() )
|
||||
{
|
||||
const struct icmp* icmpp =
|
||||
(const struct icmp *) transport_hdr;
|
||||
bool is_one_way; // dummy
|
||||
*src_port = ntohs(icmpp->icmp_type);
|
||||
|
||||
if ( ip4 )
|
||||
*dst_port = ntohs(ICMP4_counterpart(icmpp->icmp_type,
|
||||
icmpp->icmp_code, is_one_way));
|
||||
else
|
||||
*dst_port = ntohs(ICMP6_counterpart(icmpp->icmp_type,
|
||||
icmpp->icmp_code, is_one_way));
|
||||
|
||||
break;
|
||||
case 1:
|
||||
proto = TRANSPORT_ICMP;
|
||||
break;
|
||||
case 6:
|
||||
proto = TRANSPORT_TCP;
|
||||
break;
|
||||
case 17:
|
||||
proto = TRANSPORT_UDP;
|
||||
break;
|
||||
case 58:
|
||||
proto = TRANSPORT_ICMP;
|
||||
break;
|
||||
default:
|
||||
proto = TRANSPORT_UNKNOWN;
|
||||
break;
|
||||
}
|
||||
|
||||
case TRANSPORT_TCP:
|
||||
switch ( proto )
|
||||
{
|
||||
const struct tcphdr* tp =
|
||||
(const struct tcphdr *) transport_hdr;
|
||||
*src_port = ntohs(tp->th_sport);
|
||||
*dst_port = ntohs(tp->th_dport);
|
||||
break;
|
||||
}
|
||||
case TRANSPORT_ICMP:
|
||||
{
|
||||
const struct icmp* icmpp = (const struct icmp*)transport_hdr;
|
||||
bool is_one_way; // dummy
|
||||
*src_port = ntohs(icmpp->icmp_type);
|
||||
|
||||
case TRANSPORT_UDP:
|
||||
{
|
||||
const struct udphdr* up =
|
||||
(const struct udphdr *) transport_hdr;
|
||||
*src_port = ntohs(up->uh_sport);
|
||||
*dst_port = ntohs(up->uh_dport);
|
||||
break;
|
||||
}
|
||||
if ( ip4 )
|
||||
*dst_port =
|
||||
ntohs(ICMP4_counterpart(icmpp->icmp_type, icmpp->icmp_code, is_one_way));
|
||||
else
|
||||
*dst_port =
|
||||
ntohs(ICMP6_counterpart(icmpp->icmp_type, icmpp->icmp_code, is_one_way));
|
||||
|
||||
default:
|
||||
*src_port = *dst_port = ntohs(0);
|
||||
break;
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
case TRANSPORT_TCP:
|
||||
{
|
||||
const struct tcphdr* tp = (const struct tcphdr*)transport_hdr;
|
||||
*src_port = ntohs(tp->th_sport);
|
||||
*dst_port = ntohs(tp->th_dport);
|
||||
break;
|
||||
}
|
||||
|
||||
case TRANSPORT_UDP:
|
||||
{
|
||||
const struct udphdr* up = (const struct udphdr*)transport_hdr;
|
||||
*src_port = ntohs(up->uh_sport);
|
||||
*dst_port = ntohs(up->uh_dport);
|
||||
break;
|
||||
}
|
||||
|
||||
default:
|
||||
*src_port = *dst_port = ntohs(0);
|
||||
break;
|
||||
}
|
||||
|
||||
return proto;
|
||||
}
|
||||
|
||||
zeek::RecordValPtr ICMPAnalyzer::ExtractICMP4Context(int len, const u_char*& data)
|
||||
{
|
||||
const IP_Hdr ip_hdr_data((const struct ip*) data, false);
|
||||
const IP_Hdr ip_hdr_data((const struct ip*)data, false);
|
||||
const IP_Hdr* ip_hdr = &ip_hdr_data;
|
||||
|
||||
uint32_t ip_hdr_len = ip_hdr->HdrLen();
|
||||
|
|
@ -336,8 +340,8 @@ zeek::RecordValPtr ICMPAnalyzer::ExtractICMP4Context(int len, const u_char*& dat
|
|||
bad_hdr_len = 0;
|
||||
ip_len = ip_hdr->TotalLen();
|
||||
bad_checksum = ! run_state::current_pkt->l3_checksummed &&
|
||||
(detail::in_cksum(reinterpret_cast<const uint8_t*>(ip_hdr->IP4_Hdr()),
|
||||
ip_hdr_len) != 0xffff);
|
||||
(detail::in_cksum(reinterpret_cast<const uint8_t*>(ip_hdr->IP4_Hdr()),
|
||||
ip_hdr_len) != 0xffff);
|
||||
|
||||
src_addr = ip_hdr->SrcAddr();
|
||||
dst_addr = ip_hdr->DstAddr();
|
||||
|
|
@ -396,7 +400,7 @@ zeek::RecordValPtr ICMPAnalyzer::ExtractICMP6Context(int len, const u_char*& dat
|
|||
}
|
||||
else
|
||||
{
|
||||
const IP_Hdr ip_hdr_data((const struct ip6_hdr*) data, false, len);
|
||||
const IP_Hdr ip_hdr_data((const struct ip6_hdr*)data, false, len);
|
||||
const IP_Hdr* ip_hdr = &ip_hdr_data;
|
||||
|
||||
ip_len = ip_hdr->TotalLen();
|
||||
|
|
@ -439,19 +443,16 @@ zeek::RecordValPtr ICMPAnalyzer::ExtractICMP6Context(int len, const u_char*& dat
|
|||
return iprec;
|
||||
}
|
||||
|
||||
void ICMPAnalyzer::Echo(double t, const struct icmp* icmpp, int len,
|
||||
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
|
||||
ICMPSessionAdapter* adapter)
|
||||
void ICMPAnalyzer::Echo(double t, const struct icmp* icmpp, int len, int caplen,
|
||||
const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter)
|
||||
{
|
||||
// For handling all Echo related ICMP messages
|
||||
EventHandlerPtr f = nullptr;
|
||||
|
||||
if ( ip_hdr->NextProto() == IPPROTO_ICMPV6 )
|
||||
f = (icmpp->icmp_type == ICMP6_ECHO_REQUEST)
|
||||
? icmp_echo_request : icmp_echo_reply;
|
||||
f = (icmpp->icmp_type == ICMP6_ECHO_REQUEST) ? icmp_echo_request : icmp_echo_reply;
|
||||
else
|
||||
f = (icmpp->icmp_type == ICMP_ECHO)
|
||||
? icmp_echo_request : icmp_echo_reply;
|
||||
f = (icmpp->icmp_type == ICMP_ECHO) ? icmp_echo_request : icmp_echo_reply;
|
||||
|
||||
if ( ! f )
|
||||
return;
|
||||
|
|
@ -461,18 +462,13 @@ void ICMPAnalyzer::Echo(double t, const struct icmp* icmpp, int len,
|
|||
|
||||
String* payload = new String(data, caplen, false);
|
||||
|
||||
adapter->EnqueueConnEvent(f,
|
||||
adapter->ConnVal(),
|
||||
BuildInfo(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr),
|
||||
val_mgr->Count(iid),
|
||||
val_mgr->Count(iseq),
|
||||
make_intrusive<StringVal>(payload)
|
||||
);
|
||||
adapter->EnqueueConnEvent(
|
||||
f, adapter->ConnVal(), BuildInfo(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr),
|
||||
val_mgr->Count(iid), val_mgr->Count(iseq), make_intrusive<StringVal>(payload));
|
||||
}
|
||||
|
||||
|
||||
void ICMPAnalyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
|
||||
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
|
||||
void ICMPAnalyzer::RouterAdvert(double t, const struct icmp* icmpp, int len, int caplen,
|
||||
const u_char*& data, const IP_Hdr* ip_hdr,
|
||||
ICMPSessionAdapter* adapter)
|
||||
{
|
||||
EventHandlerPtr f = icmp_router_advertisement;
|
||||
|
|
@ -490,26 +486,23 @@ void ICMPAnalyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
|
|||
|
||||
int opt_offset = sizeof(reachable) + sizeof(retrans);
|
||||
|
||||
adapter->EnqueueConnEvent(f,
|
||||
adapter->ConnVal(),
|
||||
BuildInfo(icmpp, len, 1, ip_hdr),
|
||||
adapter->EnqueueConnEvent(
|
||||
f, adapter->ConnVal(), BuildInfo(icmpp, len, 1, ip_hdr),
|
||||
val_mgr->Count(icmpp->icmp_num_addrs), // Cur Hop Limit
|
||||
val_mgr->Bool(icmpp->icmp_wpa & 0x80), // Managed
|
||||
val_mgr->Bool(icmpp->icmp_wpa & 0x40), // Other
|
||||
val_mgr->Bool(icmpp->icmp_wpa & 0x20), // Home Agent
|
||||
val_mgr->Count((icmpp->icmp_wpa & 0x18)>>3), // Pref
|
||||
val_mgr->Count((icmpp->icmp_wpa & 0x18) >> 3), // Pref
|
||||
val_mgr->Bool(icmpp->icmp_wpa & 0x04), // Proxy
|
||||
val_mgr->Count(icmpp->icmp_wpa & 0x02), // Reserved
|
||||
make_intrusive<IntervalVal>((double)ntohs(icmpp->icmp_lifetime), Seconds),
|
||||
make_intrusive<IntervalVal>((double)ntohl(reachable), Milliseconds),
|
||||
make_intrusive<IntervalVal>((double)ntohl(retrans), Milliseconds),
|
||||
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset, adapter)
|
||||
);
|
||||
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset, adapter));
|
||||
}
|
||||
|
||||
|
||||
void ICMPAnalyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
|
||||
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
|
||||
void ICMPAnalyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len, int caplen,
|
||||
const u_char*& data, const IP_Hdr* ip_hdr,
|
||||
ICMPSessionAdapter* adapter)
|
||||
{
|
||||
EventHandlerPtr f = icmp_neighbor_advertisement;
|
||||
|
|
@ -524,20 +517,16 @@ void ICMPAnalyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
|
|||
|
||||
int opt_offset = sizeof(in6_addr);
|
||||
|
||||
adapter->EnqueueConnEvent(f,
|
||||
adapter->ConnVal(),
|
||||
BuildInfo(icmpp, len, 1, ip_hdr),
|
||||
val_mgr->Bool(icmpp->icmp_num_addrs & 0x80), // Router
|
||||
val_mgr->Bool(icmpp->icmp_num_addrs & 0x40), // Solicited
|
||||
val_mgr->Bool(icmpp->icmp_num_addrs & 0x20), // Override
|
||||
make_intrusive<AddrVal>(tgtaddr),
|
||||
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset, adapter)
|
||||
);
|
||||
adapter->EnqueueConnEvent(f, adapter->ConnVal(), BuildInfo(icmpp, len, 1, ip_hdr),
|
||||
val_mgr->Bool(icmpp->icmp_num_addrs & 0x80), // Router
|
||||
val_mgr->Bool(icmpp->icmp_num_addrs & 0x40), // Solicited
|
||||
val_mgr->Bool(icmpp->icmp_num_addrs & 0x20), // Override
|
||||
make_intrusive<AddrVal>(tgtaddr),
|
||||
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset, adapter));
|
||||
}
|
||||
|
||||
|
||||
void ICMPAnalyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
|
||||
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
|
||||
void ICMPAnalyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len, int caplen,
|
||||
const u_char*& data, const IP_Hdr* ip_hdr,
|
||||
ICMPSessionAdapter* adapter)
|
||||
{
|
||||
EventHandlerPtr f = icmp_neighbor_solicitation;
|
||||
|
|
@ -552,18 +541,13 @@ void ICMPAnalyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
|
|||
|
||||
int opt_offset = sizeof(in6_addr);
|
||||
|
||||
adapter->EnqueueConnEvent(f,
|
||||
adapter->ConnVal(),
|
||||
BuildInfo(icmpp, len, 1, ip_hdr),
|
||||
make_intrusive<AddrVal>(tgtaddr),
|
||||
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset, adapter)
|
||||
);
|
||||
adapter->EnqueueConnEvent(f, adapter->ConnVal(), BuildInfo(icmpp, len, 1, ip_hdr),
|
||||
make_intrusive<AddrVal>(tgtaddr),
|
||||
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset, adapter));
|
||||
}
|
||||
|
||||
|
||||
void ICMPAnalyzer::Redirect(double t, const struct icmp* icmpp, int len,
|
||||
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
|
||||
ICMPSessionAdapter* adapter)
|
||||
void ICMPAnalyzer::Redirect(double t, const struct icmp* icmpp, int len, int caplen,
|
||||
const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter)
|
||||
{
|
||||
EventHandlerPtr f = icmp_redirect;
|
||||
|
||||
|
|
@ -580,18 +564,13 @@ void ICMPAnalyzer::Redirect(double t, const struct icmp* icmpp, int len,
|
|||
|
||||
int opt_offset = 2 * sizeof(in6_addr);
|
||||
|
||||
adapter->EnqueueConnEvent(f,
|
||||
adapter->ConnVal(),
|
||||
BuildInfo(icmpp, len, 1, ip_hdr),
|
||||
make_intrusive<AddrVal>(tgtaddr),
|
||||
make_intrusive<AddrVal>(dstaddr),
|
||||
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset, adapter)
|
||||
);
|
||||
adapter->EnqueueConnEvent(f, adapter->ConnVal(), BuildInfo(icmpp, len, 1, ip_hdr),
|
||||
make_intrusive<AddrVal>(tgtaddr), make_intrusive<AddrVal>(dstaddr),
|
||||
BuildNDOptionsVal(caplen - opt_offset, data + opt_offset, adapter));
|
||||
}
|
||||
|
||||
|
||||
void ICMPAnalyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
|
||||
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
|
||||
void ICMPAnalyzer::RouterSolicit(double t, const struct icmp* icmpp, int len, int caplen,
|
||||
const u_char*& data, const IP_Hdr* ip_hdr,
|
||||
ICMPSessionAdapter* adapter)
|
||||
{
|
||||
EventHandlerPtr f = icmp_router_solicitation;
|
||||
|
|
@ -599,17 +578,12 @@ void ICMPAnalyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
|
|||
if ( ! f )
|
||||
return;
|
||||
|
||||
adapter->EnqueueConnEvent(f,
|
||||
adapter->ConnVal(),
|
||||
BuildInfo(icmpp, len, 1, ip_hdr),
|
||||
BuildNDOptionsVal(caplen, data, adapter)
|
||||
);
|
||||
adapter->EnqueueConnEvent(f, adapter->ConnVal(), BuildInfo(icmpp, len, 1, ip_hdr),
|
||||
BuildNDOptionsVal(caplen, data, adapter));
|
||||
}
|
||||
|
||||
|
||||
void ICMPAnalyzer::Context4(double t, const struct icmp* icmpp, int len,
|
||||
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
|
||||
ICMPSessionAdapter* adapter)
|
||||
void ICMPAnalyzer::Context4(double t, const struct icmp* icmpp, int len, int caplen,
|
||||
const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter)
|
||||
{
|
||||
EventHandlerPtr f = nullptr;
|
||||
|
||||
|
|
@ -625,18 +599,13 @@ void ICMPAnalyzer::Context4(double t, const struct icmp* icmpp, int len,
|
|||
}
|
||||
|
||||
if ( f )
|
||||
adapter->EnqueueConnEvent(f,
|
||||
adapter->ConnVal(),
|
||||
BuildInfo(icmpp, len, 0, ip_hdr),
|
||||
val_mgr->Count(icmpp->icmp_code),
|
||||
ExtractICMP4Context(caplen, data)
|
||||
);
|
||||
adapter->EnqueueConnEvent(f, adapter->ConnVal(), BuildInfo(icmpp, len, 0, ip_hdr),
|
||||
val_mgr->Count(icmpp->icmp_code),
|
||||
ExtractICMP4Context(caplen, data));
|
||||
}
|
||||
|
||||
|
||||
void ICMPAnalyzer::Context6(double t, const struct icmp* icmpp, int len,
|
||||
int caplen, const u_char*& data, const IP_Hdr* ip_hdr,
|
||||
ICMPSessionAdapter* adapter)
|
||||
void ICMPAnalyzer::Context6(double t, const struct icmp* icmpp, int len, int caplen,
|
||||
const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter)
|
||||
{
|
||||
EventHandlerPtr f = nullptr;
|
||||
|
||||
|
|
@ -664,12 +633,9 @@ void ICMPAnalyzer::Context6(double t, const struct icmp* icmpp, int len,
|
|||
}
|
||||
|
||||
if ( f )
|
||||
adapter->EnqueueConnEvent(f,
|
||||
adapter->ConnVal(),
|
||||
BuildInfo(icmpp, len, 1, ip_hdr),
|
||||
val_mgr->Count(icmpp->icmp_code),
|
||||
ExtractICMP6Context(caplen, data)
|
||||
);
|
||||
adapter->EnqueueConnEvent(f, adapter->ConnVal(), BuildInfo(icmpp, len, 1, ip_hdr),
|
||||
val_mgr->Count(icmpp->icmp_code),
|
||||
ExtractICMP6Context(caplen, data));
|
||||
}
|
||||
|
||||
zeek::VectorValPtr ICMPAnalyzer::BuildNDOptionsVal(int caplen, const u_char* data,
|
||||
|
|
@ -678,8 +644,7 @@ zeek::VectorValPtr ICMPAnalyzer::BuildNDOptionsVal(int caplen, const u_char* dat
|
|||
static auto icmp6_nd_option_type = id::find_type<RecordType>("icmp6_nd_option");
|
||||
static auto icmp6_nd_prefix_info_type = id::find_type<RecordType>("icmp6_nd_prefix_info");
|
||||
|
||||
auto vv = make_intrusive<zeek::VectorVal>(
|
||||
id::find_type<VectorType>("icmp6_nd_options"));
|
||||
auto vv = make_intrusive<zeek::VectorVal>(id::find_type<VectorType>("icmp6_nd_options"));
|
||||
|
||||
while ( caplen > 0 )
|
||||
{
|
||||
|
|
@ -712,81 +677,84 @@ zeek::VectorValPtr ICMPAnalyzer::BuildNDOptionsVal(int caplen, const u_char* dat
|
|||
bool set_payload_field = false;
|
||||
|
||||
// Only parse out known options that are there in full.
|
||||
switch ( type ) {
|
||||
case 1:
|
||||
case 2:
|
||||
// Source/Target Link-layer Address option
|
||||
switch ( type )
|
||||
{
|
||||
if ( caplen >= length )
|
||||
{
|
||||
String* link_addr = new String(data, length, false);
|
||||
rv->Assign(2, make_intrusive<StringVal>(link_addr));
|
||||
}
|
||||
else
|
||||
set_payload_field = true;
|
||||
case 1:
|
||||
case 2:
|
||||
// Source/Target Link-layer Address option
|
||||
{
|
||||
if ( caplen >= length )
|
||||
{
|
||||
String* link_addr = new String(data, length, false);
|
||||
rv->Assign(2, make_intrusive<StringVal>(link_addr));
|
||||
}
|
||||
else
|
||||
set_payload_field = true;
|
||||
|
||||
break;
|
||||
break;
|
||||
}
|
||||
|
||||
case 3:
|
||||
// Prefix Information option
|
||||
{
|
||||
if ( caplen >= 30 )
|
||||
{
|
||||
auto info = make_intrusive<zeek::RecordVal>(icmp6_nd_prefix_info_type);
|
||||
uint8_t prefix_len = *((const uint8_t*)(data));
|
||||
bool L_flag = (*((const uint8_t*)(data + 1)) & 0x80) != 0;
|
||||
bool A_flag = (*((const uint8_t*)(data + 1)) & 0x40) != 0;
|
||||
uint32_t valid_life = *((const uint32_t*)(data + 2));
|
||||
uint32_t prefer_life = *((const uint32_t*)(data + 6));
|
||||
in6_addr prefix = *((const in6_addr*)(data + 14));
|
||||
info->Assign(0, val_mgr->Count(prefix_len));
|
||||
info->Assign(1, val_mgr->Bool(L_flag));
|
||||
info->Assign(2, val_mgr->Bool(A_flag));
|
||||
info->Assign(
|
||||
3, make_intrusive<IntervalVal>((double)ntohl(valid_life), Seconds));
|
||||
info->Assign(
|
||||
4, make_intrusive<IntervalVal>((double)ntohl(prefer_life), Seconds));
|
||||
info->Assign(5, make_intrusive<AddrVal>(IPAddr(prefix)));
|
||||
rv->Assign(3, std::move(info));
|
||||
}
|
||||
|
||||
else
|
||||
set_payload_field = true;
|
||||
break;
|
||||
}
|
||||
|
||||
case 4:
|
||||
// Redirected Header option
|
||||
{
|
||||
if ( caplen >= length )
|
||||
{
|
||||
const u_char* hdr = data + 6;
|
||||
rv->Assign(4, ExtractICMP6Context(length - 6, hdr));
|
||||
}
|
||||
|
||||
else
|
||||
set_payload_field = true;
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
case 5:
|
||||
// MTU option
|
||||
{
|
||||
if ( caplen >= 6 )
|
||||
rv->Assign(5, val_mgr->Count(ntohl(*((const uint32_t*)(data + 2)))));
|
||||
else
|
||||
set_payload_field = true;
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
default:
|
||||
{
|
||||
set_payload_field = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
case 3:
|
||||
// Prefix Information option
|
||||
{
|
||||
if ( caplen >= 30 )
|
||||
{
|
||||
auto info = make_intrusive<zeek::RecordVal>(icmp6_nd_prefix_info_type);
|
||||
uint8_t prefix_len = *((const uint8_t*)(data));
|
||||
bool L_flag = (*((const uint8_t*)(data + 1)) & 0x80) != 0;
|
||||
bool A_flag = (*((const uint8_t*)(data + 1)) & 0x40) != 0;
|
||||
uint32_t valid_life = *((const uint32_t*)(data + 2));
|
||||
uint32_t prefer_life = *((const uint32_t*)(data + 6));
|
||||
in6_addr prefix = *((const in6_addr*)(data + 14));
|
||||
info->Assign(0, val_mgr->Count(prefix_len));
|
||||
info->Assign(1, val_mgr->Bool(L_flag));
|
||||
info->Assign(2, val_mgr->Bool(A_flag));
|
||||
info->Assign(3, make_intrusive<IntervalVal>((double)ntohl(valid_life), Seconds));
|
||||
info->Assign(4, make_intrusive<IntervalVal>((double)ntohl(prefer_life), Seconds));
|
||||
info->Assign(5, make_intrusive<AddrVal>(IPAddr(prefix)));
|
||||
rv->Assign(3, std::move(info));
|
||||
}
|
||||
|
||||
else
|
||||
set_payload_field = true;
|
||||
break;
|
||||
}
|
||||
|
||||
case 4:
|
||||
// Redirected Header option
|
||||
{
|
||||
if ( caplen >= length )
|
||||
{
|
||||
const u_char* hdr = data + 6;
|
||||
rv->Assign(4, ExtractICMP6Context(length - 6, hdr));
|
||||
}
|
||||
|
||||
else
|
||||
set_payload_field = true;
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
case 5:
|
||||
// MTU option
|
||||
{
|
||||
if ( caplen >= 6 )
|
||||
rv->Assign(5, val_mgr->Count(ntohl(*((const uint32_t*)(data + 2)))));
|
||||
else
|
||||
set_payload_field = true;
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
default:
|
||||
{
|
||||
set_payload_field = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if ( set_payload_field )
|
||||
{
|
||||
String* payload = new String(data, std::min((int)length, caplen), false);
|
||||
|
|
@ -802,7 +770,8 @@ zeek::VectorValPtr ICMPAnalyzer::BuildNDOptionsVal(int caplen, const u_char* dat
|
|||
return vv;
|
||||
}
|
||||
|
||||
namespace zeek::packet_analysis::ICMP {
|
||||
namespace zeek::packet_analysis::ICMP
|
||||
{
|
||||
|
||||
int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
|
||||
{
|
||||
|
|
@ -812,56 +781,84 @@ int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
|
|||
// to track corresponding ICMP requests/replies.
|
||||
// Note that for the two-way ICMP messages, icmp_code is
|
||||
// always 0 (RFC 792).
|
||||
switch ( icmp_type ) {
|
||||
case ICMP_ECHO: return ICMP_ECHOREPLY;
|
||||
case ICMP_ECHOREPLY: return ICMP_ECHO;
|
||||
switch ( icmp_type )
|
||||
{
|
||||
case ICMP_ECHO:
|
||||
return ICMP_ECHOREPLY;
|
||||
case ICMP_ECHOREPLY:
|
||||
return ICMP_ECHO;
|
||||
|
||||
case ICMP_TSTAMP: return ICMP_TSTAMPREPLY;
|
||||
case ICMP_TSTAMPREPLY: return ICMP_TSTAMP;
|
||||
case ICMP_TSTAMP:
|
||||
return ICMP_TSTAMPREPLY;
|
||||
case ICMP_TSTAMPREPLY:
|
||||
return ICMP_TSTAMP;
|
||||
|
||||
case ICMP_IREQ: return ICMP_IREQREPLY;
|
||||
case ICMP_IREQREPLY: return ICMP_IREQ;
|
||||
case ICMP_IREQ:
|
||||
return ICMP_IREQREPLY;
|
||||
case ICMP_IREQREPLY:
|
||||
return ICMP_IREQ;
|
||||
|
||||
case ICMP_ROUTERSOLICIT: return ICMP_ROUTERADVERT;
|
||||
case ICMP_ROUTERADVERT: return ICMP_ROUTERSOLICIT;
|
||||
case ICMP_ROUTERSOLICIT:
|
||||
return ICMP_ROUTERADVERT;
|
||||
case ICMP_ROUTERADVERT:
|
||||
return ICMP_ROUTERSOLICIT;
|
||||
|
||||
case ICMP_MASKREQ: return ICMP_MASKREPLY;
|
||||
case ICMP_MASKREPLY: return ICMP_MASKREQ;
|
||||
case ICMP_MASKREQ:
|
||||
return ICMP_MASKREPLY;
|
||||
case ICMP_MASKREPLY:
|
||||
return ICMP_MASKREQ;
|
||||
|
||||
default: is_one_way = true; return icmp_code;
|
||||
}
|
||||
default:
|
||||
is_one_way = true;
|
||||
return icmp_code;
|
||||
}
|
||||
}
|
||||
|
||||
int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
|
||||
{
|
||||
is_one_way = false;
|
||||
|
||||
switch ( icmp_type ) {
|
||||
case ICMP6_ECHO_REQUEST: return ICMP6_ECHO_REPLY;
|
||||
case ICMP6_ECHO_REPLY: return ICMP6_ECHO_REQUEST;
|
||||
switch ( icmp_type )
|
||||
{
|
||||
case ICMP6_ECHO_REQUEST:
|
||||
return ICMP6_ECHO_REPLY;
|
||||
case ICMP6_ECHO_REPLY:
|
||||
return ICMP6_ECHO_REQUEST;
|
||||
|
||||
case ND_ROUTER_SOLICIT: return ND_ROUTER_ADVERT;
|
||||
case ND_ROUTER_ADVERT: return ND_ROUTER_SOLICIT;
|
||||
case ND_ROUTER_SOLICIT:
|
||||
return ND_ROUTER_ADVERT;
|
||||
case ND_ROUTER_ADVERT:
|
||||
return ND_ROUTER_SOLICIT;
|
||||
|
||||
case ND_NEIGHBOR_SOLICIT: return ND_NEIGHBOR_ADVERT;
|
||||
case ND_NEIGHBOR_ADVERT: return ND_NEIGHBOR_SOLICIT;
|
||||
case ND_NEIGHBOR_SOLICIT:
|
||||
return ND_NEIGHBOR_ADVERT;
|
||||
case ND_NEIGHBOR_ADVERT:
|
||||
return ND_NEIGHBOR_SOLICIT;
|
||||
|
||||
case MLD_LISTENER_QUERY: return MLD_LISTENER_REPORT;
|
||||
case MLD_LISTENER_REPORT: return MLD_LISTENER_QUERY;
|
||||
case MLD_LISTENER_QUERY:
|
||||
return MLD_LISTENER_REPORT;
|
||||
case MLD_LISTENER_REPORT:
|
||||
return MLD_LISTENER_QUERY;
|
||||
|
||||
// ICMP node information query and response respectively (not defined in
|
||||
// icmp6.h)
|
||||
case 139: return 140;
|
||||
case 140: return 139;
|
||||
// ICMP node information query and response respectively (not defined in
|
||||
// icmp6.h)
|
||||
case 139:
|
||||
return 140;
|
||||
case 140:
|
||||
return 139;
|
||||
|
||||
// Home Agent Address Discovery Request Message and reply
|
||||
case 144: return 145;
|
||||
case 145: return 144;
|
||||
// Home Agent Address Discovery Request Message and reply
|
||||
case 144:
|
||||
return 145;
|
||||
case 145:
|
||||
return 144;
|
||||
|
||||
// TODO: Add further counterparts.
|
||||
// TODO: Add further counterparts.
|
||||
|
||||
default: is_one_way = true; return icmp_code;
|
||||
}
|
||||
default:
|
||||
is_one_way = true;
|
||||
return icmp_code;
|
||||
}
|
||||
}
|
||||
|
||||
} // namespace zeek::packet_analysis::ICMP
|
||||
} // namespace zeek::packet_analysis::ICMP
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue