Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 02:28:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Make tunnels always identifiable by UID, tunnel.log now gets populated.

Browse source 
conn.log now sets a field indicating all the parent tunnel UIDs over
which a connection operated and cross reference the UIDs found in
the tunnel.log.

Also some renaming of tunnel related types at the scripting layer.
This commit is contained in:
Jon Siwek 2012-04-26 12:29:59 -05:00
parent ad55331258
commit b8e1604ab5
22 changed files with 224 additions and 213 deletions
Download patch file Download diff file Expand all files Collapse all files

24
scripts/base/protocols/conn/main.bro
View file

@ -102,8 +102,9 @@ export {
## Number IP level bytes the responder sent. See ``orig_pkts``.
resp_ip_bytes: count &log &optional;
## If this connection was over a tunnel, indicate the
## `uid` value for the parent connection or connections.
parents: vector of string &log &optional;
## *uid* values for any encapsulating parent connections
## used over the lifetime of this inner connection.
parents: set[string] &log;
};
## Event that can be handled to access the :bro:type:`Conn::Info`
@ -193,15 +194,8 @@ function set_conn(c: connection, eoc: bool)
c$conn$ts=c$start_time;
c$conn$uid=c$uid;
c$conn$id=c$id;
if ( ! c$conn?$parents && c?$tunnel )
{
c$conn$parents = vector();
for ( i in c$tunnel )
{
# TODO: maybe we should be storing uid's in the $tunnel field?
#c$conn$parents[|c$conn$parents|] = lookup_connection(c$tunnel[i]$cid)$uid;
}
}
if ( c?$tunnel && |c$tunnel| > 0 )
add c$conn$parents[c$tunnel[|c$tunnel|-1]$uid];
c$conn$proto=get_port_transport_proto(c$id$resp_p);
if( |Site::local_nets| > 0 )
c$conn$local_orig=Site::is_local_addr(c$id$orig_h);
@ -239,6 +233,14 @@ event content_gap(c: connection, is_orig: bool, seq: count, length: count) &prio
c$conn$missed_bytes = c$conn$missed_bytes + length;
}
event tunnel_changed(c: connection, e: EncapsulatingConnVector) &priority=5
{
set_conn(c, F);
if ( |e| > 0 )
add c$conn$parents[e[|e|-1]$uid];
c$tunnel = e;
}
event connection_state_remove(c: connection) &priority=5
{

2
scripts/base/protocols/socks/main.bro
View file

@ -11,7 +11,7 @@ export {
event socks_request(c: connection, request_type: count, dstaddr: addr, dstname: string, p: port, user: string)
{
Tunnels::register(c, "SOCKS");
Tunnel::register([$cid=c$id, $tunnel_type=Tunnel::SOCKS, $uid=c$uid]);
}
#