Small updates for the bittorrent analyzer to support 64bit types in binpac.

- This branch removes the attempt at bittorrent resynchronization.
  I don't think that the bittorrent resynchronization would really
  work very well anyway.

- This needs to be merged after the topic/seth/64bit-type branch in binpac.
Seth Hall 2012-01-27 22:55:42 -05:00
parent c607785cec
commit c03efbb570
4 changed files with 56 additions and 51 deletions

@ -1 +1 @@
Subproject commit 43308aab47a3357ca1885e1b6954154a2744d821 Subproject commit 35d69ffd88f14820c495a7b66c103f9b94a604ae


@ -66,39 +66,44 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
void BitTorrent_Analyzer::Undelivered(int seq, int len, bool orig) void BitTorrent_Analyzer::Undelivered(int seq, int len, bool orig)
{ {
uint64 entry_offset = orig ?
*interp->upflow()->next_message_offset() :
*interp->downflow()->next_message_offset();
uint64& this_stream_len = orig ? stream_len_orig : stream_len_resp;
bool& this_stop = orig ? stop_orig : stop_resp;
TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
this_stream_len += len; // I think that shoving data that is definitely wrong into the
// parser seems like a really bad idea. The way it's currently
if ( entry_offset < this_stream_len ) // tracking the next message offset isn't compatible with
{ // entry point is somewhere in the gap // new 64bit int support in binpac either.
DeliverWeird("Stopping BitTorrent analysis: cannot recover from content gap", orig);
this_stop = true; //uint64 entry_offset = orig ?
if ( stop_orig && stop_resp ) // *interp->upflow()->next_message_offset() :
ProtocolViolation("BitTorrent: content gap and/or protocol violation"); // *interp->downflow()->next_message_offset();
} //uint64& this_stream_len = orig ? stream_len_orig : stream_len_resp;
else //bool& this_stop = orig ? stop_orig : stop_resp;
{ // fill the gap //
try //this_stream_len += len;
{ //
u_char gap[len]; //if ( entry_offset < this_stream_len )
memset(gap, 0, len); // { // entry point is somewhere in the gap
interp->NewData(orig, gap, gap + len); // DeliverWeird("Stopping BitTorrent analysis: cannot recover from content gap", orig);
} // this_stop = true;
catch ( binpac::Exception const &e ) // if ( stop_orig && stop_resp )
{ // ProtocolViolation("BitTorrent: content gap and/or protocol violation");
DeliverWeird("Stopping BitTorrent analysis: filling content gap failed", orig); // }
this_stop = true; //else
if ( stop_orig && stop_resp ) // { // fill the gap
ProtocolViolation("BitTorrent: content gap and/or protocol violation"); // try
} // {
} // u_char gap[len];
// memset(gap, 0, len);
// interp->NewData(orig, gap, gap + len);
// }
// catch ( binpac::Exception const &e )
// {
// DeliverWeird("Stopping BitTorrent analysis: filling content gap failed", orig);
// this_stop = true;
// if ( stop_orig && stop_resp )
// ProtocolViolation("BitTorrent: content gap and/or protocol violation");
// }
// }
} }
void BitTorrent_Analyzer::EndpointEOF(TCP_Reassembler* endp) void BitTorrent_Analyzer::EndpointEOF(TCP_Reassembler* endp)
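Review bot: With the body of `Undelivered()` commented out, a content gap no longer sets `stop_orig`/`stop_resp` or raises a weird, so nothing visible in this hunk keeps the binpac flow from being handed post-gap bytes that begin at an arbitrary offset inside a message. For a network monitor that matters because a lost segment would then desynchronize the parser silently, and later length fields would be read out of payload data. Dropping the zero-fill resynchronization is reasonable, but I would keep the fail-closed half without the offset tracking: `DeliverWeird("Stopping BitTorrent analysis: cannot recover from content gap", orig);` followed by `(orig ? stop_orig : stop_resp) = true;`. Whether `DeliverStream()` honours those flags is outside this hunk and should be confirmed. The commented-out blocks here and in the two binpac sections below would be better deleted than kept, with the reason left as a short comment such as `// Content gaps are not recoverable: analysis stops for this direction.`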


@ -10,25 +10,25 @@ flow BitTorrent_Flow(is_orig: bool) {
%member{ %member{
bool handshake_ok; bool handshake_ok;
uint64 _next_message_offset; //uint64 _next_message_offset;
%} %}
%init{ %init{
handshake_ok = false; handshake_ok = false;
_next_message_offset = 0; //_next_message_offset = 0;
%} %}
function next_message_offset(): uint64 #function next_message_offset(): uint64
%{ # %{
return &_next_message_offset; # return &_next_message_offset;
%} # %}
function increment_next_message_offset(go: bool, len: uint32): bool #function increment_next_message_offset(go: bool, len: uint32): bool
%{ # %{
if ( go ) # if ( go )
_next_message_offset += len; # _next_message_offset += len;
return true; # return true;
%} # %}
function is_handshake_delivered(): bool function is_handshake_delivered(): bool
%{ %{


@ -22,8 +22,8 @@ type BitTorrent_Handshake = record {
} &length = 68, &let { } &length = 68, &let {
validate: bool = $context.flow.validate_handshake(pstrlen, pstr); validate: bool = $context.flow.validate_handshake(pstrlen, pstr);
incoffsetffset: bool = #incoffsetffset: bool =
$context.flow.increment_next_message_offset(true, 68); # $context.flow.increment_next_message_offset(true, 68);
deliver: bool = deliver: bool =
$context.flow.deliver_handshake(reserved, info_hash, peer_id); $context.flow.deliver_handshake(reserved, info_hash, peer_id);
}; };
@ -72,8 +72,8 @@ type BitTorrent_PieceHeader(len: uint32) = record {
index: uint32; index: uint32;
begin: uint32; begin: uint32;
} &let { } &let {
incoffset: bool = #incoffset: bool =
$context.flow.increment_next_message_offset(true, len + 5); # $context.flow.increment_next_message_offset(true, len + 5);
}; };
type BitTorrent_Piece(len: uint32) = record { type BitTorrent_Piece(len: uint32) = record {
@ -134,9 +134,9 @@ type BitTorrent_Message = record {
default -> message_id: BitTorrent_MessageID(len.len); default -> message_id: BitTorrent_MessageID(len.len);
}; };
} &length = 4 + len.len, &let { } &length = 4 + len.len, &let {
incoffset: bool = $context.flow.increment_next_message_offset( #incoffset: bool = $context.flow.increment_next_message_offset(
len.len == 0 || message_id.id != TYPE_PIECE, # len.len == 0 || message_id.id != TYPE_PIECE,
4 + len.len); # 4 + len.len);
}; };
type BitTorrent_PDU = case $context.flow.is_handshake_delivered() of { type BitTorrent_PDU = case $context.flow.is_handshake_delivered() of {