diff --git a/scripts/base/frameworks/tunnels/main.bro b/scripts/base/frameworks/tunnels/main.bro
index 4076e79cd5..32270cf898 100644
--- a/scripts/base/frameworks/tunnels/main.bro
+++ b/scripts/base/frameworks/tunnels/main.bro
@@ -2,7 +2,7 @@
 ##! AYIYA, or IP-in-IP such as 6to4 where "IP" is either IPv4 or IPv6).
 ##!
 ##! For any connection that occurs over a tunnel, information about its
-##! its encapsulating tunnels is also found in the *tunnel* field of
+##! encapsulating tunnels is also found in the *tunnel* field of
 ##! :bro:type:`connection`.
 
 module Tunnel;
@@ -35,7 +35,6 @@ export {
 action: Action &log;
 ## The type of tunnel.
 tunnel_type: Tunnel::Type &log;
- user: string &log &optional;
 };
 
 ## Logs all tunnels in an ecapsulation chain with action
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 0a6c2a5c76..50e58d87e3 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -402,7 +402,7 @@ set(bro_SRCS
 Timer.cc
 Traverse.cc
 Trigger.cc
- Tunnels.cc
+ TunnelEncapsulation.cc
 Type.cc
 UDP.cc
 Val.cc
diff --git a/src/Conn.cc b/src/Conn.cc
index ec62a1b944..9780b15dfc 100644
--- a/src/Conn.cc
+++ b/src/Conn.cc
@@ -13,7 +13,7 @@
 #include "Timer.h"
 #include "PIA.h"
 #include "binpac.h"
-#include "Tunnels.h"
+#include "TunnelEncapsulation.h"
 
 void ConnectionTimer::Init(Connection* arg_conn, timer_func arg_timer,
 int arg_do_expire)
diff --git a/src/Conn.h b/src/Conn.h
index f2efa2971d..52c14598be 100644
--- a/src/Conn.h
+++ b/src/Conn.h
@@ -13,7 +13,7 @@
 #include "RuleMatcher.h"
 #include "AnalyzerTags.h"
 #include "IPAddr.h"
-#include "Tunnels.h"
+#include "TunnelEncapsulation.h"
 
 class Connection;
 class ConnectionTimer;
diff --git a/src/Sessions.cc b/src/Sessions.cc
index 4e81ba1661..77ccd7aeb6 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -30,7 +30,7 @@
 #include "DPM.h"
 
 #include "PacketSort.h"
-#include "Tunnels.h"
+#include "TunnelEncapsulation.h"
 
 // These represent NetBIOS services on ephemeral ports. They're numbered
 // so that we can use a single int to hold either an actual TCP/UDP server
@@ -570,8 +570,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 
 if ( it == ip_tunnels.end() )
 {
- EncapsulatingConn ec(ip_hdr->SrcAddr(), ip_hdr->DstAddr(),
- BifEnum::Tunnel::IP);
+ EncapsulatingConn ec(ip_hdr->SrcAddr(), ip_hdr->DstAddr());
 ip_tunnels[tunnel_idx] = ec;
 outer->Add(ec);
 }
diff --git a/src/Sessions.h b/src/Sessions.h
index 9273a02787..b98fc7e432 100644
--- a/src/Sessions.h
+++ b/src/Sessions.h
@@ -11,7 +11,7 @@
 #include "PacketFilter.h"
 #include "Stats.h"
 #include "NetVar.h"
-#include "Tunnels.h"
+#include "TunnelEncapsulation.h"
 #include
 
 struct pcap_pkthdr;
diff --git a/src/Tunnels.cc b/src/TunnelEncapsulation.cc
similarity index 68%
rename from src/Tunnels.cc
rename to src/TunnelEncapsulation.cc
index 7ae87912d7..e7ee3e27d1 100644
--- a/src/Tunnels.cc
+++ b/src/TunnelEncapsulation.cc
@@ -1,13 +1,13 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "Tunnels.h"
+#include "TunnelEncapsulation.h"
 #include "util.h"
 #include "Conn.h"
 
 EncapsulatingConn::EncapsulatingConn(Connection* c, BifEnum::Tunnel::Type t)
 : src_addr(c->OrigAddr()), dst_addr(c->RespAddr()),
 src_port(c->OrigPort()), dst_port(c->RespPort()),
- type(t), uid(c->GetUID())
+ proto(c->ConnTransport()), type(t), uid(c->GetUID())
 {
 if ( ! uid )
 {
@@ -18,28 +18,13 @@ EncapsulatingConn::EncapsulatingConn(Connection* c, BifEnum::Tunnel::Type t)
 
 RecordVal* EncapsulatingConn::GetRecordVal() const
 {
- RecordVal *rv =
- new RecordVal(BifType::Record::Tunnel::EncapsulatingConn);
- TransportProto tproto;
- switch ( type ) {
- case BifEnum::Tunnel::AYIYA:
- case BifEnum::Tunnel::TEREDO:
- tproto = TRANSPORT_UDP;
- break;
- case BifEnum::Tunnel::SOCKS:
- tproto = TRANSPORT_TCP;
- break;
- case BifEnum::Tunnel::IP:
- default:
- tproto = TRANSPORT_UNKNOWN;
- break;
- } // end switch
+ RecordVal *rv = new RecordVal(BifType::Record::Tunnel::EncapsulatingConn);
 
 RecordVal* id_val = new RecordVal(conn_id);
 id_val->Assign(0, new AddrVal(src_addr));
- id_val->Assign(1, new PortVal(ntohs(src_port), tproto));
+ id_val->Assign(1, new PortVal(ntohs(src_port), proto));
 id_val->Assign(2, new AddrVal(dst_addr));
- id_val->Assign(3, new PortVal(ntohs(dst_port), tproto));
+ id_val->Assign(3, new PortVal(ntohs(dst_port), proto));
 rv->Assign(0, id_val);
 rv->Assign(1, new EnumVal(type, BifType::Enum::Tunnel::Type));
 char tmp[20];
diff --git a/src/Tunnels.h b/src/TunnelEncapsulation.h
similarity index 51%
rename from src/Tunnels.h
rename to src/TunnelEncapsulation.h
index c2f070c168..f0d07b0501 100644
--- a/src/Tunnels.h
+++ b/src/TunnelEncapsulation.h
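Review bot: The rewritten allocation line keeps the `RecordVal *rv` star placement while the next line of the same function uses `RecordVal* id_val`; since the line is being rewritten anyway, `RecordVal* rv = new RecordVal(BifType::Record::Tunnel::EncapsulatingConn);` keeps the function consistent with itself. With the type-to-transport switch gone, nothing in this function says where `proto` comes from; a one-line comment above the PortVal assignments such as `// proto is fixed at construction: the Connection's transport, or TRANSPORT_UNKNOWN for IP tunnels.` would spare the next reader a trip to the constructors. GetRecordVal's body continues past the end of the hunk (the uid formatting into `tmp` and the return are not visible here).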
@@ -11,30 +11,71 @@
 
 class Connection;
 
+/**
+ * Represents various types of tunnel "connections", that is, a pair of
+ * endpoints whose communication encapsulates inner IP packets. This could
+ * mean IP packets nested inside IP packets or IP packets nested inside a
+ * transport layer protocol. EncapsulatingConn's are assigned a UID, which can
+ * be shared with Connection's in the case the tunnel uses a transport-layer.
+ */
 class EncapsulatingConn {
 public:
+ /**
+ * Default tunnel connection constructor.
+ */
 EncapsulatingConn()
- : src_port(0), dst_port(0), type(BifEnum::Tunnel::NONE), uid(0)
+ : src_port(0), dst_port(0), proto(TRANSPORT_UNKNOWN),
+ type(BifEnum::Tunnel::NONE), uid(0)
 {}
 
- EncapsulatingConn(const IPAddr& s, const IPAddr& d,
- BifEnum::Tunnel::Type t)
- : src_addr(s), dst_addr(d), src_port(0), dst_port(0), type(t)
+ /**
+ * Construct an IP tunnel "connection" with its own UID.
+ * The assignment of "source" and "destination" addresses here can be
+ * arbitrary, comparison between EncapsulatingConn objects will treat IP
+ * tunnels as equivalent as long as the same two endpoints are involved.
+ *
+ * @param s The tunnel source address, likely taken from an IP header.
+ * @param d The tunnel destination address, likely taken from an IP header.
+ */
+ EncapsulatingConn(const IPAddr& s, const IPAddr& d)
+ : src_addr(s), dst_addr(d), src_port(0), dst_port(0),
+ proto(TRANSPORT_UNKNOWN), type(BifEnum::Tunnel::IP)
 {
 uid = calculate_unique_id();
 }
 
+ /**
+ * Construct a tunnel connection using information from an already existing
+ * transport-layer-aware connection object.
+ *
+ * @param c The connection from which endpoint information can be extracted.
+ * If it already has a UID associated with it, that gets inherited,
+ * otherwise a new UID is created for this tunnel and \a c.
+ * @param t The type of tunneling that is occurring over the connection.
+ */
 EncapsulatingConn(Connection* c, BifEnum::Tunnel::Type t);
 
+ /**
+ * Copy constructor.
+ */
 EncapsulatingConn(const EncapsulatingConn& other)
 : src_addr(other.src_addr), dst_addr(other.dst_addr),
 src_port(other.src_port), dst_port(other.dst_port),
- type(other.type), uid(other.uid)
+ proto(other.proto), type(other.type), uid(other.uid)
 {}
 
+ /**
+ * Destructor.
+ */
 ~EncapsulatingConn() {}
 
+ BifEnum::Tunnel::Type Type() const
+ { return type; }
+
+ /**
+ * Returns record value of type "EncapsulatingConn" representing the tunnel.
+ */
 RecordVal* GetRecordVal() const;
 
 friend bool operator==(const EncapsulatingConn& ec1,
@@ -43,12 +84,13 @@ public:
 if ( ec1.type != ec2.type )
 return false;
 if ( ec1.type == BifEnum::Tunnel::IP )
- return ec1.uid == ec2.uid &&
+ // Reversing endpoints is still same tunnel.
+ return ec1.uid == ec2.uid && ec1.proto == ec2.proto &&
 ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) ||
 (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr));
 return ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr &&
 ec1.src_port == ec2.src_port && ec1.dst_port == ec2.dst_port &&
- ec1.uid == ec2.uid;
+ ec1.uid == ec2.uid && ec1.proto == ec2.proto;
 }
 
 friend bool operator!=(const EncapsulatingConn& ec1,
@@ -57,14 +99,19 @@ public:
 return ! ( ec1 == ec2 );
 }
 
+protected:
 IPAddr src_addr;
 IPAddr dst_addr;
 uint16 src_port;
 uint16 dst_port;
+ TransportProto proto;
 BifEnum::Tunnel::Type type;
 uint64 uid;
 };
 
+/**
+ * Abstracts an arbitrary amount of nested tunneling.
+ */
 class Encapsulation {
 public:
 Encapsulation() : conns(0)
@@ -99,6 +146,11 @@ public:
 
 ~Encapsulation() { delete conns; }
 
+ /**
+ * Add a new inner-most tunnel to the Encapsulation.
+ *
+ * @param c The new inner-most tunnel to append to the tunnel chain.
+ */
 void Add(const EncapsulatingConn& c)
 {
 if ( ! conns )
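Review bot: The new doc comment on the two-address constructor promises that comparisons treat IP tunnels as equivalent whenever the same two endpoints are involved, but the IP branch of `operator==` in the hunk at old line 43 also requires `ec1.uid == ec2.uid`, and this constructor assigns a fresh `calculate_unique_id()` to every object, so two independently constructed EncapsulatingConn's for the same endpoint pair will not compare equal (assuming calculate_unique_id() returns distinct values); only copies of one original match. Either drop the uid clause from the IP branch or reword the comment to what the code does, e.g. `* arbitrary; an IP tunnel compares equal to a copy of itself regardless of which endpoint was recorded as source.` Separately, the hand-written copy constructor and empty destructor only reproduce what the compiler would generate, and this very commit had to edit the copy constructor to carry `proto`; a member forgotten there would silently be copied uninitialized. Since no member needs custom copying, removing both declarations (or `= default` if the build allows C++11) removes that hazard.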
@@ -106,16 +158,27 @@ public:
 conns->push_back(c);
 }
 
+ /**
+ * Return how many nested tunnels are involved in a encapsulation, zero
+ * meaning no tunnels are present.
+ */
 size_t Depth() const
 {
 return conns ? conns->size() : 0;
 }
 
+ /**
+ * Return the tunnel type of the inner-most tunnel.
+ */
 BifEnum::Tunnel::Type LastType() const
 {
- return conns ? (*conns)[conns->size()-1].type : BifEnum::Tunnel::NONE;
+ return conns ? (*conns)[conns->size()-1].Type() : BifEnum::Tunnel::NONE;
 }
 
+ /**
+ * Get the value of type "EncapsulatingConnVector" represented by the
+ * entire encapsulation chain.
+ */
 VectorVal* GetVectorVal() const
 {
 VectorVal* vv = new VectorVal(
@@ -133,6 +196,7 @@ public:
 return ! ( e1 == e2 );
 }
 
+protected:
 vector* conns;
 };
 
diff --git a/testing/btest/Baseline/core.leaks.ayiya/tunnel.log b/testing/btest/Baseline/core.leaks.ayiya/tunnel.log
index 69e331b477..512f49b6ee 100644
--- a/testing/btest/Baseline/core.leaks.ayiya/tunnel.log
+++ b/testing/btest/Baseline/core.leaks.ayiya/tunnel.log
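Review bot: `LastType()` still indexes `(*conns)[conns->size()-1]`, which underflows into an out-of-bounds read whenever `conns` is non-null but empty; from the visible parts of `Add()` the vector is appended to as soon as it exists, so that state is not reachable through Add(), but nothing in the class prevents it and `Depth()` already treats the empty case gracefully. `return conns && ! conns->empty() ? conns->back().Type() : BifEnum::Tunnel::NONE;` makes the accessor safe without changing the result for non-empty chains, and the new doc comment could say so: `* Returns BifEnum::Tunnel::NONE when no tunnels are present.` The Depth() comment also has a typo, "a encapsulation" should read "an encapsulation".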
@@ -3,9 +3,9 @@
 #empty_field (empty)
 #unset_field -
 #path tunnel
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p action tunnel_type user
-#types time string addr port addr port enum enum string
-1257655293.629048 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 Tunnel::DISCOVER Tunnel::AYIYA -
-1257655296.585034 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 Tunnel::DISCOVER Tunnel::AYIYA -
-1257655317.464035 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 Tunnel::CLOSE Tunnel::AYIYA -
-1257655317.464035 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 Tunnel::CLOSE Tunnel::AYIYA -
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p action tunnel_type
+#types time string addr port addr port enum enum
+1257655293.629048 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 Tunnel::DISCOVER Tunnel::AYIYA
+1257655296.585034 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 Tunnel::DISCOVER Tunnel::AYIYA
+1257655317.464035 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 Tunnel::CLOSE Tunnel::AYIYA
+1257655317.464035 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 Tunnel::CLOSE Tunnel::AYIYA
diff --git a/testing/btest/Baseline/core.leaks.teredo/tunnel.log b/testing/btest/Baseline/core.leaks.teredo/tunnel.log
index 5549d66a29..5a2114dd1c 100644
--- a/testing/btest/Baseline/core.leaks.teredo/tunnel.log
+++ b/testing/btest/Baseline/core.leaks.teredo/tunnel.log
@@ -3,11 +3,11 @@
 #empty_field (empty)
 #unset_field -
 #path tunnel
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p action tunnel_type user
-#types time string addr port addr port enum enum string
-1210953052.202579 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 Tunnel::DISCOVER Tunnel::TEREDO -
-1210953052.324629 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 Tunnel::DISCOVER Tunnel::TEREDO -
-1210953061.292918 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 Tunnel::DISCOVER Tunnel::TEREDO -
-1210953076.058333 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 Tunnel::CLOSE Tunnel::TEREDO -
-1210953076.058333 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 Tunnel::CLOSE Tunnel::TEREDO -
-1210953076.058333 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 Tunnel::CLOSE Tunnel::TEREDO -
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p action tunnel_type
+#types time string addr port addr port enum enum
+1210953052.202579 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 Tunnel::DISCOVER Tunnel::TEREDO
+1210953052.324629 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 Tunnel::DISCOVER Tunnel::TEREDO
+1210953061.292918 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 Tunnel::DISCOVER Tunnel::TEREDO
+1210953076.058333 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 Tunnel::CLOSE Tunnel::TEREDO
+1210953076.058333 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 Tunnel::CLOSE Tunnel::TEREDO
+1210953076.058333 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 Tunnel::CLOSE Tunnel::TEREDO
diff --git a/testing/btest/Baseline/core.tunnels.ayiya/tunnel.log b/testing/btest/Baseline/core.tunnels.ayiya/tunnel.log
index 69e331b477..512f49b6ee 100644
--- a/testing/btest/Baseline/core.tunnels.ayiya/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.ayiya/tunnel.log
@@ -3,9 +3,9 @@
 #empty_field (empty)
 #unset_field -
 #path tunnel
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p action tunnel_type user
-#types time string addr port addr port enum enum string
-1257655293.629048 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 Tunnel::DISCOVER Tunnel::AYIYA -
-1257655296.585034 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 Tunnel::DISCOVER Tunnel::AYIYA -
-1257655317.464035 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 Tunnel::CLOSE Tunnel::AYIYA -
-1257655317.464035 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 Tunnel::CLOSE Tunnel::AYIYA -
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p action tunnel_type
+#types time string addr port addr port enum enum
+1257655293.629048 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 Tunnel::DISCOVER Tunnel::AYIYA
+1257655296.585034 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 Tunnel::DISCOVER Tunnel::AYIYA
+1257655317.464035 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 Tunnel::CLOSE Tunnel::AYIYA
+1257655317.464035 UWkUyAuUGXf 192.168.3.101 53796 216.14.98.22 5072 Tunnel::CLOSE Tunnel::AYIYA
diff --git a/testing/btest/Baseline/core.tunnels.teredo/tunnel.log b/testing/btest/Baseline/core.tunnels.teredo/tunnel.log
index 5549d66a29..5a2114dd1c 100644
--- a/testing/btest/Baseline/core.tunnels.teredo/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.teredo/tunnel.log
@@ -3,11 +3,11 @@
 #empty_field (empty)
 #unset_field -
 #path tunnel
-#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p action tunnel_type user
-#types time string addr port addr port enum enum string
-1210953052.202579 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 Tunnel::DISCOVER Tunnel::TEREDO -
-1210953052.324629 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 Tunnel::DISCOVER Tunnel::TEREDO -
-1210953061.292918 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 Tunnel::DISCOVER Tunnel::TEREDO -
-1210953076.058333 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 Tunnel::CLOSE Tunnel::TEREDO -
-1210953076.058333 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 Tunnel::CLOSE Tunnel::TEREDO -
-1210953076.058333 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 Tunnel::CLOSE Tunnel::TEREDO -
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p action tunnel_type
+#types time string addr port addr port enum enum
+1210953052.202579 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 Tunnel::DISCOVER Tunnel::TEREDO
+1210953052.324629 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 Tunnel::DISCOVER Tunnel::TEREDO
+1210953061.292918 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 Tunnel::DISCOVER Tunnel::TEREDO
+1210953076.058333 nQcgTWjvg4c 192.168.2.16 3797 65.55.158.80 3544 Tunnel::CLOSE Tunnel::TEREDO
+1210953076.058333 GSxOnSLghOa 192.168.2.16 3797 83.170.1.38 32900 Tunnel::CLOSE Tunnel::TEREDO
+1210953076.058333 TEfuqmmG4bh 192.168.2.16 3797 65.55.158.81 3544 Tunnel::CLOSE Tunnel::TEREDO