From bcadb67731482b26e2b3c0b7103f1f51c1ca0de3 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Sat, 21 Apr 2012 14:42:20 -0400
Subject: [PATCH] First commit of binpac based AYIYA analyzer.

- ayiya-analyzer.pac needs work to do something with the actual packet.
- Lots more cleanup to do, but it parses the protocol at least.
---
 src/AYIYA.cc | 90 ++++++++++++++++++++++++++++++++++++++++++
 src/AYIYA.h | 55 ++++++++++++++++++++++++++
 src/Analyzer.cc | 11 ++++++
 src/AnalyzerTags.h | 8 +++-
 src/CMakeLists.txt | 4 ++
 src/ayiya-analyzer.pac | 25 ++++++++++++
 src/ayiya-protocol.pac | 14 +++++++
 src/ayiya.pac | 10 +++++
 8 files changed, 215 insertions(+), 2 deletions(-)
 create mode 100644 src/AYIYA.cc
 create mode 100644 src/AYIYA.h
 create mode 100644 src/ayiya-analyzer.pac
 create mode 100644 src/ayiya-protocol.pac
 create mode 100644 src/ayiya.pac

diff --git a/src/AYIYA.cc b/src/AYIYA.cc
new file mode 100644
index 0000000000..d69db642b3
--- /dev/null
+++ b/src/AYIYA.cc
@@ -0,0 +1,90 @@
+#include "AYIYA.h"
+#include "TCP_Reassembler.h"
+
+AYIYA_Analyzer::AYIYA_Analyzer(Connection* conn)
+: Analyzer(AnalyzerTag::SYSLOG_BINPAC, conn)
+ {
+ interp = new binpac::AYIYA::AYIYA_Conn(this);
+ did_session_done = 0;
+ //ADD_ANALYZER_TIMER(&AYIYA_Analyzer::ExpireTimer,
+ // network_time + Syslog_session_timeout, 1, TIMER_Syslog_EXPIRE);
+ }
+
+AYIYA_Analyzer::~AYIYA_Analyzer()
+ {
+ delete interp;
+ }
+
+void AYIYA_Analyzer::Done()
+ {
+ Analyzer::Done();
+
+ if ( ! did_session_done )
+ Event(udp_session_done);
+ }
+
+void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
+ {
+ Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+ interp->NewData(orig, data, data + len);
+ }
+
+//void AYIYA_Analyzer::ExpireTimer(double t)
+// {
+// // The - 1.0 in the following is to allow 1 second for the
+// // common case of a single request followed by a single reply,
+// // so we don't needlessly set the timer twice in that case.
+// if ( t - Conn()->LastTime() >= Syslog_session_timeout - 1.0 || terminating )
+// {
+// Event(connection_timeout);
+// sessions->Remove(Conn());
+// }
+// else
+// ADD_ANALYZER_TIMER(&AYIYA_Analyzer::ExpireTimer,
+// t + Syslog_session_timeout, 1, TIMER_Syslog_EXPIRE);
+// }
+
+//Syslog_TCP_Analyzer_binpac::Syslog_TCP_Analyzer_binpac(Connection* conn)
+//: TCP_ApplicationAnalyzer(AnalyzerTag::Syslog_TCP_BINPAC, conn)
+// {
+// interp = new binpac::Syslog_on_TCP::Syslog_TCP_Conn(this);
+// }
+
+//Syslog_TCP_Analyzer_binpac::~Syslog_TCP_Analyzer_binpac()
+// {
+// delete interp;
+// }
+
+//void Syslog_TCP_Analyzer_binpac::Done()
+// {
+// TCP_ApplicationAnalyzer::Done();
+//
+// interp->FlowEOF(true);
+// interp->FlowEOF(false);
+// }
+
+//void Syslog_TCP_Analyzer_binpac::EndpointEOF(TCP_Reassembler* endp)
+// {
+// TCP_ApplicationAnalyzer::EndpointEOF(endp);
+// interp->FlowEOF(endp->IsOrig());
+// }
+
+//void Syslog_TCP_Analyzer_binpac::DeliverStream(int len, const u_char* data,
+// bool orig)
+// {
+// TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+//
+// assert(TCP());
+//
+// if ( TCP()->IsPartial() || TCP()->HadGap(orig) )
+// // punt-on-partial or stop-on-gap.
+// return;
+//
+// interp->NewData(orig, data, data + len);
+// }
+
+//void Syslog_TCP_Analyzer_binpac::Undelivered(int seq, int len, bool orig)
+// {
+// TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+// interp->NewGap(orig, len);
+// }
diff --git a/src/AYIYA.h b/src/AYIYA.h
new file mode 100644
index 0000000000..294eeca1ea
--- /dev/null
+++ b/src/AYIYA.h
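Review bot: The constructor's initializer hands `AnalyzerTag::SYSLOG_BINPAC` to the `Analyzer` base, while Analyzer.cc registers this class under `AnalyzerTag::AYIYA` (the tag the AnalyzerTags.h hunk adds), so anything keyed on the analyzer's tag will see it as syslog; it should read `: Analyzer(AnalyzerTag::AYIYA, conn)`. In `DeliverPacket`, `interp->NewData()` runs without a `try`/`catch`: the record in ayiya-protocol.pac derives `identity_len` (up to 32768 bytes) and `signature_len` from two header bytes, so a short or crafted datagram makes binpac throw an out-of-bound exception that escapes the analyzer instead of being reported as a `ProtocolViolation`, which as I recall is how the other binpac-based analyzers in this tree handle it — the rewrite below does that. `#include "TCP_Reassembler.h"` is only needed by the commented-out TCP code and can go. Since `did_session_done` is never set after the constructor, the guard in `Done()` always fires `udp_session_done`; if that is intended, a one-line comment saying so would help, otherwise the flag should be set where the session is considered done.

```cpp
// … unchanged: constructor, destructor, Done() …

void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
	{
	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);

	try
		{
		interp->NewData(orig, data, data + len);
		}
	catch ( const binpac::Exception& e )
		{
		// The identity/signature lengths come straight from the wire; a value
		// larger than the datagram must surface as a protocol violation, not as
		// a C++ exception leaving the analyzer.
		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
		}
	}
```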
@@ -0,0 +1,55 @@
+#ifndef AYIYA_h
+#define AYIYA_h
+
+#include "UDP.h"
+#include "TCP.h"
+
+#include "ayiya_pac.h"
+
+class AYIYA_Analyzer : public Analyzer {
+public:
+ AYIYA_Analyzer(Connection* conn);
+ virtual ~AYIYA_Analyzer();
+
+ virtual void Done();
+ virtual void DeliverPacket(int len, const u_char* data, bool orig,
+ int seq, const IP_Hdr* ip, int caplen);
+
+ static Analyzer* InstantiateAnalyzer(Connection* conn)
+ { return new AYIYA_Analyzer(conn); }
+
+ static bool Available()
+ { return true; }
+
+protected:
+ friend class AnalyzerTimer;
+ void ExpireTimer(double t);
+
+ int did_session_done;
+
+ binpac::AYIYA::AYIYA_Conn* interp;
+};
+
+// #include "Syslog_tcp_pac.h"
+//
+//class Syslog_TCP_Analyzer_binpac : public TCP_ApplicationAnalyzer {
+//public:
+// Syslog_TCP_Analyzer_binpac(Connection* conn);
+// virtual ~Syslog_TCP_Analyzer_binpac();
+//
+// virtual void Done();
+// virtual void DeliverStream(int len, const u_char* data, bool orig);
+// virtual void Undelivered(int seq, int len, bool orig);
+// virtual void EndpointEOF(TCP_Reassembler* endp);
+//
+// static Analyzer* InstantiateAnalyzer(Connection* conn)
+// { return new Syslog_TCP_Analyzer_binpac(conn); }
+//
+// static bool Available()
+// { return (Syslog_request || Syslog_full_request) && FLAGS_use_binpac; }
+//
+//protected:
+// binpac::Syslog_on_TCP::Syslog_TCP_Conn* interp;
+//};
+//
+#endif
diff --git a/src/Analyzer.cc b/src/Analyzer.cc
index 92ca3ecc50..70bb5567cc 100644
--- a/src/Analyzer.cc
+++ b/src/Analyzer.cc
@@ -4,6 +4,7 @@
 #include "PIA.h"
 #include "Event.h"
+#include "AYIYA.h"
 #include "BackDoor.h"
 #include "BitTorrent.h"
 #include "BitTorrentTracker.h"
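Review bot: `void ExpireTimer(double t);` is declared in the protected section but has no definition anywhere in this commit — the only body is the commented-out one in AYIYA.cc — so the declaration and the `friend class AnalyzerTimer;` it exists for are dead until the timer is re-enabled; either drop both or finish the timer. `Available()` returning `true` unconditionally makes the analyzer instantiable regardless of configuration; if that is intended, say so in a comment above it (`// Always available: no script-level precondition for AYIYA yet.`) so the next reader does not assume it was forgotten. `#include "TCP.h"` appears unused by the live declarations (the class derives from `Analyzer` and only receives packets), and `did_session_done` is a flag stored as `int` — `bool did_session_done;` states the intent. The class itself could use a short header comment naming what it is for, e.g. `// Analyzer for the AYIYA (Anything In Anything) tunnelling protocol over UDP; parsing is done by the binpac grammar in ayiya.pac.`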
@@ -127,6 +128,16 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
 Syslog_Analyzer_binpac::InstantiateAnalyzer,
 Syslog_Analyzer_binpac::Available, 0, false },
+ //{ AnalyzerTag::6to4, "6to4",
+ // 6to4_Analyzer::InstantiateAnalyzer,
+ // 6to4_Anylzer::Available, 0, false },
+ { AnalyzerTag::AYIYA, "AYIYA",
+ AYIYA_Analyzer::InstantiateAnalyzer,
+ AYIYA_Analyzer::Available, 0, false },
+ //{ AnalyzerTag::Teredo, "Teredo",
+ // Teredo_Analyzer::InstantiateAnalyzer,
+ // Teredo_Analyzer::Available, 0, false },
+
 { AnalyzerTag::File, "FILE",
 File_Analyzer::InstantiateAnalyzer,
 File_Analyzer::Available, 0, false },
 { AnalyzerTag::Backdoor, "BACKDOOR",
diff --git a/src/AnalyzerTags.h b/src/AnalyzerTags.h
index dc10a55f22..0f9794527e 100644
--- a/src/AnalyzerTags.h
+++ b/src/AnalyzerTags.h
@@ -33,11 +33,15 @@ namespace AnalyzerTag {
 DHCP_BINPAC, DNS_TCP_BINPAC, DNS_UDP_BINPAC, HTTP_BINPAC, SSL, SYSLOG_BINPAC,
+ // Decapsulation Analyzers
+ //6to4,
+ AYIYA,
+ //Teredo,
+
 // Other
 File, Backdoor, InterConn, SteppingStone, TCPStats, ConnSize,
-
-
+
 // Support-analyzers
 Contents, ContentLine, NVT, Zip, Contents_DNS, Contents_NCP,
 Contents_NetbiosSSN, Contents_Rlogin, Contents_Rsh,
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index a755fde64e..6cca13de16 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -186,6 +186,9 @@ endmacro(BINPAC_TARGET)
 binpac_target(binpac-lib.pac)
 binpac_target(binpac_bro-lib.pac)
+
+binpac_target(ayiya.pac
+ ayiya-protocol.pac ayiya-analyzer.pac)
 binpac_target(bittorrent.pac
 bittorrent-protocol.pac bittorrent-analyzer.pac)
 binpac_target(dce_rpc.pac
@@ -277,6 +280,7 @@ set(bro_SRCS
 Anon.cc
 ARP.cc
 Attr.cc
+ AYIYA.cc
 BackDoor.cc
 Base64.cc
 BitTorrent.cc
diff --git a/src/ayiya-analyzer.pac b/src/ayiya-analyzer.pac
new file mode 100644
index 0000000000..888cc575a5
--- /dev/null
+++ b/src/ayiya-analyzer.pac
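Review bot: The commented-out `6to4` and `Teredo` entries surrounding the new `AYIYA` row are placeholders rather than code: `6to4` cannot be a C++ identifier (it starts with a digit) and `6to4_Anylzer` is misspelled, so they will have to be rewritten rather than uncommented when those analyzers land. A single `// TODO: 6to4 and Teredo decapsulation analyzers` carries the same information without dead table entries; the same applies to `//6to4,` and `//Teredo,` in the AnalyzerTags.h hunk. The enclosing `analyzer_configs[]` initializer begins and ends outside the hunk.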
@@ -0,0 +1,25 @@
+
+connection AYIYA_Conn(bro_analyzer: BroAnalyzer)
+ {
+ upflow = AYIYA_Flow;
+ downflow = AYIYA_Flow;
+ };
+
+flow AYIYA_Flow
+ {
+ datagram = PDU withcontext(connection, this);
+
+ function process_ayiya(pdu: PDU): bool
+ %{
+ connection()->bro_analyzer()->ProtocolConfirmation();
+
+ // Not sure what to do here.
+ printf("packet: %s\n", ${pdu.packet}.data());
+ return true;
+ %}
+
+ };
+
+refine typeattr PDU += &let {
+ proc_ayiya = $context.flow.process_ayiya(this);
+};
diff --git a/src/ayiya-protocol.pac b/src/ayiya-protocol.pac
new file mode 100644
index 0000000000..25aca23fb9
--- /dev/null
+++ b/src/ayiya-protocol.pac
@@ -0,0 +1,14 @@
+
+type PDU = record {
+ identity_byte: uint8;
+ signature_byte: uint8;
+ auth_and_op_crap: uint8;
+ next_header: uint8;
+ epoch: uint32;
+ identity: bytestring &length=identity_len;
+ signature: bytestring &length=signature_len;
+ packet: bytestring &restofdata;
+} &let {
+ identity_len = (1 << (identity_byte >> 4));
+ signature_len = (signature_byte >> 4) * 4;
+} &byteorder = littleendian;
\ No newline at end of file
diff --git a/src/ayiya.pac b/src/ayiya.pac
new file mode 100644
index 0000000000..58fa196c15
--- /dev/null
+++ b/src/ayiya.pac
@@ -0,0 +1,10 @@
+%include binpac.pac
+%include bro.pac
+
+analyzer AYIYA withcontext {
+ connection: AYIYA_Conn;
+ flow: AYIYA_Flow;
+};
+
+%include ayiya-protocol.pac
+%include ayiya-analyzer.pac
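Review bot: The `printf` in `process_ayiya` formats `${pdu.packet}.data()` with `%s`, but `packet` is declared `bytestring &restofdata` and holds the encapsulated binary payload: it is neither text nor NUL-terminated, so `printf` reads on past the end of the packet buffer, and `.data()` is a `const uint8*` rather than a `char*`. If a debug print is kept at all it should be bounded, e.g. `printf("packet: %d bytes\n", ${pdu.packet}.length());`, and removed before this is merged. `ProtocolConfirmation()` is also issued before any field of the PDU has been looked at, so every UDP payload the record can parse — any datagram of at least eight bytes whose derived identity/signature lengths fit — gets confirmed as AYIYA; deferring the confirmation until the header has been checked (at minimum a recognised `next_header` value and plausible `identity_byte`/`signature_byte` nibbles) avoids labelling unrelated traffic as this protocol. The `// Not sure what to do here.` comment would serve better as a `// TODO:` stating the intent, presumably handing `${pdu.packet}` on for decapsulation according to `next_header`.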
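Review bot: The two derived lengths in the `&let` block deserve a comment, because they are the only thing deciding how much of the datagram `identity` and `signature` consume and both come straight from the wire: `identity_len = (1 << (identity_byte >> 4))` ranges from 1 to 32768 bytes from a single header byte, and `signature_len` is 0 to 60 bytes in 4-byte units, so binpac's own out-of-bound check is what rejects a packet shorter than the claimed lengths — say so, e.g. `# High nibble n of identity_byte gives an identity of 2^n bytes (1..32768); binpac rejects lengths past the end of the datagram.` `&byteorder = littleendian` only affects `epoch`; as far as I recall the AYIYA draft, like other IETF tunnel headers, carries it in network byte order, so confirm the byte order before anything consumes `epoch`. `auth_and_op_crap` should be renamed (`auth_and_op`) and its nibble layout documented once it is used. The file also ends without a trailing newline.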