Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-12 03:28:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Add base class for IP-based packet analyzers

Browse source
This commit is contained in:
Tim Wojtulewicz 2021-04-13 15:36:31 -07:00
parent 3e1692676d
commit c1f0d312b5
23 changed files with 781 additions and 421 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/packet_analysis/protocol/ip/CMakeLists.txt
View file

@ -4,5 +4,5 @@ include(ZeekPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
zeek_plugin_begin(PacketAnalyzer IP)
zeek_plugin_cc(IP.cc Plugin.cc)
zeek_plugin_cc(IP.cc IPBasedAnalyzer.cc Plugin.cc)
zeek_plugin_end()

209
src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc Normal file
View file

@ -0,0 +1,209 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h"
#include "zeek/RunState.h"
#include "zeek/Conn.h"
#include "zeek/Val.h"
#include "zeek/session/Manager.h"
#include "zeek/analyzer/Manager.h"
using namespace zeek;
using namespace zeek::packet_analysis::IP;
IPBasedAnalyzer::IPBasedAnalyzer(const char* name, TransportProto proto, uint32_t mask,
bool report_unknown_protocols)
: zeek::packet_analysis::Analyzer(name, report_unknown_protocols),
transport(proto), server_port_mask(mask)
{
}
IPBasedAnalyzer::~IPBasedAnalyzer()
{
}
void IPBasedAnalyzer::ProcessConnection(const ConnTuple& conn_id, Packet* pkt, size_t remaining)
{
const std::unique_ptr<IP_Hdr>& ip_hdr = pkt->ip_hdr;
detail::ConnKey key(conn_id);
Connection* conn = session_mgr->FindConnection(key);
if ( ! conn )
{
conn = NewConn(&conn_id, key, pkt);
if ( conn )
session_mgr->Insert(conn, false);
}
else
{
if ( conn->IsReuse(run_state::processing_start_time, ip_hdr->Payload()) )
{
conn->Event(connection_reused, nullptr);
session_mgr->Remove(conn);
conn = NewConn(&conn_id, key, pkt);
if ( conn )
session_mgr->Insert(conn, false);
}
else
{
conn->CheckEncapsulation(pkt->encap);
}
}
if ( ! conn )
return;
bool is_orig = (conn_id.src_addr == conn->OrigAddr()) &&
(conn_id.src_port == conn->OrigPort());
conn->CheckFlowLabel(is_orig, ip_hdr->FlowLabel());
zeek::ValPtr pkt_hdr_val;
if ( ipv6_ext_headers && ip_hdr->NumHeaders() > 1 )
{
pkt_hdr_val = ip_hdr->ToPktHdrVal();
conn->EnqueueEvent(ipv6_ext_headers, nullptr, conn->GetVal(),
pkt_hdr_val);
}
if ( new_packet )
conn->EnqueueEvent(new_packet, nullptr, conn->GetVal(),
pkt_hdr_val ? std::move(pkt_hdr_val) : ip_hdr->ToPktHdrVal());
if ( new_plugin )
{
conn->SetRecordPackets(true);
conn->SetRecordContents(true);
const u_char* data = pkt->ip_hdr->Payload();
run_state::current_timestamp = run_state::processing_start_time;
run_state::current_pkt = pkt;
// TODO: Does this actually mean anything?
if ( conn->Skipping() )
return;
ContinueProcessing(conn, run_state::processing_start_time, is_orig, remaining, pkt);
run_state::current_timestamp = 0;
run_state::current_pkt = nullptr;
// If the packet is reassembled, disable packet dumping because the
// pointer math to dump the data wouldn't work.
if ( pkt->ip_hdr->reassembled )
pkt->dump_packet = false;
else if ( conn->RecordPackets() )
{
pkt->dump_packet = true;
// If we don't want the content, set the dump size to include just
// the header.
if ( ! conn->RecordContents() )
pkt->dump_size = data - pkt->data;
}
}
else
{
int record_packet = 1; // whether to record the packet at all
int record_content = 1; // whether to record its data
const u_char* data = pkt->ip_hdr->Payload();
conn->NextPacket(run_state::processing_start_time, is_orig, ip_hdr.get(), ip_hdr->PayloadLen(),
remaining, data, record_packet, record_content, pkt);
// If the packet is reassembled, disable packet dumping because the
// pointer math to dump the data wouldn't work.
if ( ip_hdr->reassembled )
pkt->dump_packet = false;
else if ( record_packet )
{
pkt->dump_packet = true;
// If we don't want the content, set the dump size to include just
// the header.
if ( ! record_content )
pkt->dump_size = data - pkt->data;
}
}
}
bool IPBasedAnalyzer::CheckHeaderTrunc(size_t min_hdr_len, size_t remaining, Packet* packet)
{
if ( packet->ip_hdr->PayloadLen() < min_hdr_len )
{
Weird("truncated_header", packet);
return false;
}
else if ( remaining < min_hdr_len )
{
Weird("internally_truncated_header", packet);
return false;
}
return true;
}
bool IPBasedAnalyzer::IsLikelyServerPort(uint32_t port) const
{
// We keep a cached in-core version of the table to speed up the lookup.
static std::set<bro_uint_t> port_cache;
static bool have_cache = false;
if ( ! have_cache )
{
auto likely_server_ports = id::find_val<TableVal>("likely_server_ports");
auto lv = likely_server_ports->ToPureListVal();
for ( int i = 0; i < lv->Length(); i++ )
port_cache.insert(lv->Idx(i)->InternalUnsigned());
have_cache = true;
}
// We exploit our knowledge of PortVal's internal storage mechanism here.
port |= server_port_mask;
return port_cache.find(port) != port_cache.end();
}
zeek::Connection* IPBasedAnalyzer::NewConn(const ConnTuple* id, const detail::ConnKey& key,
const Packet* pkt)
{
int src_h = ntohs(id->src_port);
int dst_h = ntohs(id->dst_port);
bool flip = false;
if ( ! WantConnection(src_h, dst_h, pkt->ip_hdr->Payload(), flip) )
return nullptr;
Connection* conn = new Connection(key, run_state::processing_start_time,
id, pkt->ip_hdr->FlowLabel(), pkt);
conn->SetTransport(transport);
if ( flip )
conn->FlipRoles();
if ( ! new_plugin )
{
if ( ! analyzer_mgr->BuildInitialAnalyzerTree(conn) )
{
conn->Done();
Unref(conn);
return nullptr;
}
}
else if ( ! analyzer_mgr->BuildSessionAnalyzerTree(conn, this) )
{
conn->Done();
Unref(conn);
return nullptr;
}
if ( new_connection )
conn->Event(new_connection, nullptr);
return conn;
}

182
src/packet_analysis/protocol/ip/IPBasedAnalyzer.h Normal file
View file

@ -0,0 +1,182 @@
// See the file "COPYING" in the main distribution directory for copyright.
#pragma once
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/analyzer/Analyzer.h"
#include "zeek/analyzer/Manager.h"
namespace zeek::analyzer::pia { class PIA; }
namespace zeek::packet_analysis::IP {
class IPBasedTransportAnalyzer;
/**
* A base class for any packet analyzer based on IP. This is used by default by
* the TCP, UDP, and ICMP analyzers to reduce a large amount of duplicated code
* that those plugins have in common.
*/
class IPBasedAnalyzer : public Analyzer {
public:
~IPBasedAnalyzer() override;
/**
* Returns true if the analyzer determines that in fact a new
* connection has started without the connection statement having
* terminated the previous one, i.e., the new data is arriving at
* what's the analyzer for the previous instance. This is used only
* for TCP.
*/
virtual bool IsReuse(double t, const u_char* pkt) { return false; }
/**
* TODO: comment
*/
virtual void CreateTransportAnalyzer(Connection* conn, IPBasedTransportAnalyzer*& root,
analyzer::pia::PIA*& pia, bool& check_port) = 0;
protected:
/**
* Construct a new IP-based analyzer.
*
* @param name The name for the type of analyzer. The name must match
* the one the corresponding Component registers.
* @param proto The transport protocol implemented by this analyzer.
* @param mask The mask used to determine if a port is a server port
* for this protocol. This is used by IsLikelyServerPort().
* @param report_unknown_protocols Flag for whether to report unknown
* protocols during packet forwarding. This is typically false for IP
* protocols since packets may go into the session analysis framework
* as well.
*/
IPBasedAnalyzer(const char* name, TransportProto proto, uint32_t mask,
bool report_unknown_protocols);
/**
* Entry point for child classes to call to do the actual heavy lifting for
* processing a packet and extracting a connection out of it.
*
* @param conn_id The connection ID generated by the child class.
* @param pkt The packet being processed.
* @param remaining The number of bytes remaining to be processed in the packet.
*/
void ProcessConnection(const ConnTuple& conn_id, Packet* pkt, size_t remaining);
/**
* Verifies that there is enough data in the packet to process the header
* length requested.
*
* @param min_hdr_len The minimum data in bytes that needs to exist.
* @param remaining The remaining number of bytes in the packet reported by
* previous analyzer.
* @param packet The packet being processed. This will be used to pull out the
* number of bytes the IP header says we have remaining.
*/
bool CheckHeaderTrunc(size_t min_hdr_len, size_t remaining, Packet* packet);
/**
* Upon seeing the first packet of a connection, checks whether we want
* to analyze it (e.g. we may not want to look at partial connections)
* and, if yes, whether we should flip the roles of originator and
* responder based on known ports and such.
*
* @param src_port The source port of the connection.
* @param dst_port The destination port of the connection.
* @param data The payload data for the packet being processed.
* @param flip_roles Return value if the roles should be flipped.
* @return True if the connection is wanted. False otherwise.
*/
virtual bool WantConnection(uint16_t src_port, uint16_t dst_port,
const u_char* data, bool& flip_roles) const
{
flip_roles = false;
return true;
}
/**
* Returns true if the port corresponds to an application for which there
* is a Zeek analyzer (even if it might not be used by the present policy
* script) or if it's generally a likely server port.
*
* @param port The port number to check, in host order.
*/
bool IsLikelyServerPort(uint32_t port) const;
/**
* Continues process of packet after the connection has been inserted into the
* session manager. This should be implemented by all child classes.
*
* @param conn The connection currently being processed.
* @param t The timestamp for the current packet.
* @param is_orig Flag denoting whether this packet is from the originator of
* the connection.
* @param remaining The remaining about of data in the packet.
* @param pkt The packet being processed.
*/
virtual void ContinueProcessing(Connection* conn, double t, bool is_orig, int remaining,
Packet* pkt) {}
// TODO: temporary, until all of the plugins are implemented
bool new_plugin = false;
private:
/**
* Creates a new Connection object from data gleaned from the current packet.
*
* @param id A connection ID generated from the packet data. This should have been
* passed in from a child analyzer.
* @param key A connection ID key generated from the ID.
* @param pkt The packet associated with the new connection.
*/
zeek::Connection* NewConn(const ConnTuple* id, const detail::ConnKey& key,
const Packet* pkt);
TransportProto transport;
uint32_t server_port_mask;
};
/**
* This class represents the interface between the packet analysis framework and
* the session analysis framework. One of these should be implemented for each
* packet analyzer that intends to forward into the session analysis.
*/
class IPBasedTransportAnalyzer : public zeek::analyzer::TransportLayerAnalyzer {
public:
IPBasedTransportAnalyzer(const char* name, Connection* conn)
: TransportLayerAnalyzer(name, conn) { }
/**
* Sets the parent packet analyzer for this transport analyzer. This can't be passed to
* the constructor due to the way that TransportLayerAnalyzer gets instantiated.
*
* @param p The parent packet analyzer to store
*/
void SetParent(IPBasedAnalyzer* p) { parent = p; }
/**
* Returns true if the analyzer determines that in fact a new connection has started
* without the connection statement having terminated the previous one, i.e., the new
* data is arriving at what's the analyzer for the previous instance. This is used only
* for TCP.
*/
bool IsReuse(double t, const u_char* pkt) override { return parent->IsReuse(t, pkt); }
/**
* Pure virtual method to allow extra session analzyers to be added to this analyzer's
* tree of children. This is used by analyzer::Manager when creating the session analyzer
* tree.
*/
virtual void AddExtraAnalyzers(Connection* conn) = 0;
protected:
IPBasedAnalyzer* parent;
};
}