Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-11 19:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/topic/johanna/l2flip'

Browse source 
BIT-1787 #merged

* origin/topic/johanna/l2flip:
  Fix layer 2 connection flipping.
This commit is contained in:
Robin Sommer 2017-02-03 12:31:55 -08:00
commit bdbbed64f1
4 changed files with 12 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

19
src/Sessions.cc
View file

@ -1212,28 +1212,11 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
if ( ! WantConnection(src_h, dst_h, tproto, flags, flip) ) if ( ! WantConnection(src_h, dst_h, tproto, flags, flip) )
return 0; return 0;
ConnID flip_id = *id;
if ( flip )
{
// Make a guess that we're seeing the tail half of
// an analyzable connection.
const IPAddr ta = flip_id.src_addr;
flip_id.src_addr = flip_id.dst_addr;
flip_id.dst_addr = ta;
uint32 t = flip_id.src_port;
flip_id.src_port = flip_id.dst_port;
flip_id.dst_port = t;
id = &flip_id;
}
Connection* conn = new Connection(this, k, t, id, flow_label, pkt, encapsulation); Connection* conn = new Connection(this, k, t, id, flow_label, pkt, encapsulation);
conn->SetTransport(tproto); conn->SetTransport(tproto);
if ( flip ) if ( flip )
conn->AddHistory('^'); conn->FlipRoles();
if ( ! analyzer_mgr->BuildInitialAnalyzerTree(conn) ) if ( ! analyzer_mgr->BuildInitialAnalyzerTree(conn) )
{ {

10
testing/btest/Baseline/core.history-flip/conn.log
View file

@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path conn #path conn
#open 2016-07-13-17-58-11 #open 2017-01-30-23-13-15
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents orig_l2_addr resp_l2_addr
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string
1128727435.633408 CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 (empty) 1128727435.633408 CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 (empty) 00:d0:03:3b:f4:00 00:b0:c2:86:ec:00
#close 2016-07-13-17-58-11 #close 2017-01-30-23-13-15

8
testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
View file

File diff suppressed because one or more lines are too long

2
testing/btest/core/history-flip.bro
View file

@ -1,2 +1,4 @@
# @TEST-EXEC: bro -C -r $TRACES/tcp/missing-syn.pcap %INPUT # @TEST-EXEC: bro -C -r $TRACES/tcp/missing-syn.pcap %INPUT
# @TEST-EXEC: btest-diff conn.log # @TEST-EXEC: btest-diff conn.log
@load policy/protocols/conn/mac-logging