Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-12 19:48:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/topic/jsiwek/tunnels-merge' into topic/robin/tunnels-merge

Browse source 
* origin/topic/jsiwek/tunnels-merge:
  Remove &synchronized from Tunnel::active table.
  Refactor of interal tunnel analysis code.
  Add state management of NetSessions's IP tunnel map.
  Add "encap_hdr_size" option back in.
  Script-layer tunnel interface cleanup.
This commit is contained in:
Robin Sommer 2012-06-18 15:45:56 -07:00
commit ce1b9eb8ff
30 changed files with 158 additions and 95 deletions
Download patch file Download diff file Expand all files Collapse all files

2
aux/binpac

@ -1 +1 @@
Subproject commit b4094cb75e0a7769123f7db1f5d73f3f9f1c3977
Subproject commit 6f43a8115d8e6483a50957c5d21c5d69270ab3aa

2
aux/bro-aux

@ -1 +1 @@
Subproject commit f938c81ada94641ab5f0231983edc2ba866b9a1f
Subproject commit c6391412e902e896836450ab98910309b2ca2d9b

2
aux/broccoli

@ -1 +1 @@
Subproject commit 4e17842743fef8df6abf0588c7ca86c6937a2b6d
Subproject commit 0d139c09d5a9c8623ecc2a5f395178f0ddcd7e16

2
aux/broctl

@ -1 +1 @@
Subproject commit 589cb04c3d7e28a81aa07454e2b9b6b092f0e1af
Subproject commit 880f3e48d33bb28d17184656f858a4a0e2e1574c

2
aux/btest

@ -1 +1 @@
Subproject commit 4697bf4c8046a3ab7d5e00e926c5db883cb44664
Subproject commit 585645371256e8ec028cabae24c5f4a2108546d2

15
scripts/base/frameworks/tunnels/main.bro
View file

@ -17,7 +17,8 @@ export {
DISCOVER,
## A tunnel connection has closed.
CLOSE,
## No new connections over a tunnel happened in the past day.
## No new connections over a tunnel happened in the amount of
## time indicated by :bro:see:`Tunnel::expiration_interval`.
EXPIRE,
};
@ -68,9 +69,14 @@ export {
## action: The specific reason for the tunnel ending.
global close: function(tunnel: Info, action: Action);
## The amount of time a tunnel is not used in establishment of new
## connections before it is considered inactive/expired.
const expiration_interval = 24hrs &redef;
## Currently active tunnels. That is, tunnels for which new, encapsulated
## connections have been seen in the last day.
global active: table[conn_id] of Info = table() &synchronized &read_expire=24hrs &expire_func=expire;
## connections have been seen in the interval indicated by
## :bro:see:`Tunnel::expiration_interval`.
global active: table[conn_id] of Info = table() &read_expire=expiration_interval &expire_func=expire;
}
const ayiya_ports = { 5072/udp };
@ -129,9 +135,6 @@ event new_connection(c: connection) &priority=5
event tunnel_changed(c: connection, e: EncapsulatingConnVector) &priority=5
{
if ( c?$tunnel )
register_all(c$tunnel);
register_all(e);
}

7
scripts/base/init-bare.bro
View file

@ -915,6 +915,10 @@ const frag_timeout = 0.0 sec &redef;
## to be potentially copied and buffered.
const packet_sort_window = 0 usecs &redef;
## If positive, indicates the encapsulation header size that should
## be skipped. This applies to all packets.
const encap_hdr_size = 0 &redef;
## Whether to use the ``ConnSize`` analyzer to count the number of packets and
## IP-level bytes transfered by each endpoint. If true, these values are returned
## in the connection's :bro:see:`endpoint` record value.
@ -2713,6 +2717,9 @@ export {
## reduce false positives of UDP traffic (e.g. DNS) that also happens
## to have a valid Teredo encapsulation.
const yielding_teredo_decapsulation = T &redef;
## How often to cleanup internal state for inactive IP tunnels.
const ip_tunnel_timeout = 24hrs &redef;
} # end export
module GLOBAL;

6
scripts/base/protocols/conn/main.bro
View file

@ -104,7 +104,7 @@ export {
## If this connection was over a tunnel, indicate the
## *uid* values for any encapsulating parent connections
## used over the lifetime of this inner connection.
parents: set[string] &log;
tunnel_parents: set[string] &log;
};
## Event that can be handled to access the :bro:type:`Conn::Info`
@ -195,7 +195,7 @@ function set_conn(c: connection, eoc: bool)
c$conn$uid=c$uid;
c$conn$id=c$id;
if ( c?$tunnel && |c$tunnel| > 0 )
add c$conn$parents[c$tunnel[|c$tunnel|-1]$uid];
add c$conn$tunnel_parents[c$tunnel[|c$tunnel|-1]$uid];
c$conn$proto=get_port_transport_proto(c$id$resp_p);
if( |Site::local_nets| > 0 )
c$conn$local_orig=Site::is_local_addr(c$id$orig_h);
@ -238,7 +238,7 @@ event tunnel_changed(c: connection, e: EncapsulatingConnVector) &priority=5
{
set_conn(c, F);
if ( |e| > 0 )
add c$conn$parents[e[|e|-1]$uid];
add c$conn$tunnel_parents[e[|e|-1]$uid];
c$tunnel = e;
}

14
src/Conn.cc
View file

@ -113,7 +113,7 @@ unsigned int Connection::external_connections = 0;
IMPLEMENT_SERIAL(Connection, SER_CONNECTION);
Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id,
uint32 flow, const Encapsulation* arg_encap)
uint32 flow, const EncapsulationStack* arg_encap)
{
sessions = s;
key = k;
@ -162,7 +162,7 @@ Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id,
uid = 0; // Will set later.
if ( arg_encap )
encapsulation = new Encapsulation(arg_encap);
encapsulation = new EncapsulationStack(*arg_encap);
else
encapsulation = 0;
@ -200,7 +200,7 @@ Connection::~Connection()
--external_connections;
}
void Connection::CheckEncapsulation(const Encapsulation* arg_encap)
void Connection::CheckEncapsulation(const EncapsulationStack* arg_encap)
{
if ( encapsulation && arg_encap )
{
@ -208,22 +208,22 @@ void Connection::CheckEncapsulation(const Encapsulation* arg_encap)
{
Event(tunnel_changed, 0, arg_encap->GetVectorVal());
delete encapsulation;
encapsulation = new Encapsulation(arg_encap);
encapsulation = new EncapsulationStack(*arg_encap);
}
}
else if ( encapsulation )
{
Encapsulation empty;
EncapsulationStack empty;
Event(tunnel_changed, 0, empty.GetVectorVal());
delete encapsulation;
encapsulation = new Encapsulation(arg_encap);
encapsulation = 0;
}
else if ( arg_encap )
{
Event(tunnel_changed, 0, arg_encap->GetVectorVal());
encapsulation = new Encapsulation(arg_encap);
encapsulation = new EncapsulationStack(*arg_encap);
}
}

8
src/Conn.h
View file

@ -52,7 +52,7 @@ class Analyzer;
class Connection : public BroObj {
public:
Connection(NetSessions* s, HashKey* k, double t, const ConnID* id,
uint32 flow, const Encapsulation* arg_encap);
uint32 flow, const EncapsulationStack* arg_encap);
virtual ~Connection();
// Invoked when an encapsulation is discovered. It records the
@ -60,7 +60,7 @@ public:
// event if it's different from the previous encapsulation (or the
// first encountered). encap can be null to indicate no
// encapsulation.
void CheckEncapsulation(const Encapsulation* encap);
void CheckEncapsulation(const EncapsulationStack* encap);
// Invoked when connection is about to be removed. Use Ref(this)
// inside Done to keep the connection object around (though it'll
@ -252,7 +252,7 @@ public:
uint64 GetUID() const { return uid; }
const Encapsulation* GetEncapsulation() const
const EncapsulationStack* GetEncapsulation() const
{ return encapsulation; }
void CheckFlowLabel(bool is_orig, uint32 flow_label);
@ -292,7 +292,7 @@ protected:
double inactivity_timeout;
RecordVal* conn_val;
LoginConn* login_conn; // either nil, or this
const Encapsulation* encapsulation; // tunnels
const EncapsulationStack* encapsulation; // tunnels
int suppress_event; // suppress certain events to once per conn.
unsigned int installed_status_timer:1;

4
src/NetVar.cc
View file

@ -30,6 +30,8 @@ int partial_connection_ok;
int tcp_SYN_ack_ok;
int tcp_match_undelivered;
int encap_hdr_size;
double frag_timeout;
double tcp_SYN_timeout;
@ -323,6 +325,8 @@ void init_net_var()
tcp_SYN_ack_ok = opt_internal_int("tcp_SYN_ack_ok");
tcp_match_undelivered = opt_internal_int("tcp_match_undelivered");
encap_hdr_size = opt_internal_int("encap_hdr_size");
frag_timeout = opt_internal_double("frag_timeout");
tcp_SYN_timeout = opt_internal_double("tcp_SYN_timeout");

2
src/NetVar.h
View file

@ -33,6 +33,8 @@ extern int partial_connection_ok;
extern int tcp_SYN_ack_ok;
extern int tcp_match_undelivered;
extern int encap_hdr_size;
extern double frag_timeout;
extern double tcp_SYN_timeout;

65
src/Sessions.cc
View file

@ -68,6 +68,26 @@ void TimerMgrExpireTimer::Dispatch(double t, int is_expire)
}
}
void IPTunnelTimer::Dispatch(double t, int is_expire)
{
NetSessions::IPTunnelMap::const_iterator it =
sessions->ip_tunnels.find(tunnel_idx);
if ( it == sessions->ip_tunnels.end() )
return;
double last_active = it->second.second;
double inactive_time = t > last_active ? t - last_active : 0;
if ( inactive_time >= BifConst::Tunnel::ip_tunnel_timeout )
// tunnel activity timed out, delete it from map
sessions->ip_tunnels.erase(tunnel_idx);
else if ( ! is_expire )
// tunnel activity didn't timeout, schedule another timer
timer_mgr->Add(new IPTunnelTimer(t, tunnel_idx));
}
NetSessions::NetSessions()
{
TypeList* t = new TypeList();
@ -158,6 +178,10 @@ void NetSessions::DispatchPacket(double t, const struct pcap_pkthdr* hdr,
ip_data = pkt + hdr_size + (ip_hdr->ip_hl << 2);
}
if ( encap_hdr_size > 0 && ip_data )
// Blanket encapsulation
hdr_size += encap_hdr_size;
if ( src_ps->FilterType() == TYPE_FILTER_NORMAL )
NextPacket(t, hdr, pkt, hdr_size, pkt_elem);
else
@ -345,7 +369,7 @@ int NetSessions::CheckConnectionTag(Connection* conn)
void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
const IP_Hdr* ip_hdr, const u_char* const pkt,
int hdr_size, const Encapsulation* encapsulation)
int hdr_size, const EncapsulationStack* encapsulation)
{
uint32 caplen = hdr->caplen - hdr_size;
const struct ip* ip4 = ip_hdr->IP4_Hdr();
@ -554,8 +578,6 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
return;
}
Encapsulation* outer = new Encapsulation(encapsulation);
// Look up to see if we've already seen this IP tunnel, identified
// by the pair of IP addresses, so that we can always associate the
// same UID with it.
@ -565,21 +587,20 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
else
tunnel_idx = IPPair(ip_hdr->DstAddr(), ip_hdr->SrcAddr());
IPTunnelMap::const_iterator it = ip_tunnels.find(tunnel_idx);
IPTunnelMap::iterator it = ip_tunnels.find(tunnel_idx);
if ( it == ip_tunnels.end() )
{
EncapsulatingConn ec(ip_hdr->SrcAddr(), ip_hdr->DstAddr());
ip_tunnels[tunnel_idx] = ec;
outer->Add(ec);
ip_tunnels[tunnel_idx] = TunnelActivity(ec, network_time);
timer_mgr->Add(new IPTunnelTimer(network_time, tunnel_idx));
}
else
outer->Add(it->second);
it->second.second = network_time;
DoNextInnerPacket(t, hdr, inner, outer);
DoNextInnerPacket(t, hdr, inner, encapsulation,
ip_tunnels[tunnel_idx].first);
delete inner;
delete outer;
Remove(f);
return;
}
@ -698,7 +719,8 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
}
void NetSessions::DoNextInnerPacket(double t, const struct pcap_pkthdr* hdr,
const IP_Hdr* inner, const Encapsulation* outer)
const IP_Hdr* inner, const EncapsulationStack* prev,
const EncapsulatingConn& ec)
{
struct pcap_pkthdr fake_hdr;
fake_hdr.caplen = fake_hdr.len = inner->TotalLen();
@ -706,7 +728,11 @@ void NetSessions::DoNextInnerPacket(double t, const struct pcap_pkthdr* hdr,
if ( hdr )
fake_hdr.ts = hdr->ts;
else
fake_hdr.ts.tv_sec = fake_hdr.ts.tv_usec = 0;
{
fake_hdr.ts.tv_sec = (time_t) network_time;
fake_hdr.ts.tv_usec = (suseconds_t)
((network_time - (double)fake_hdr.ts.tv_sec) * 1000000);
}
const u_char* pkt = 0;
@ -715,7 +741,14 @@ void NetSessions::DoNextInnerPacket(double t, const struct pcap_pkthdr* hdr,
else
pkt = (const u_char*) inner->IP6_Hdr();
EncapsulationStack* outer = prev ?
new EncapsulationStack(*prev) : new EncapsulationStack();
outer->Add(ec);
DoNextPacket(t, &fake_hdr, inner, pkt, 0, outer);
delete inner;
delete outer;
}
int NetSessions::ParseIPPacket(int caplen, const u_char* const pkt, int proto,
@ -752,7 +785,7 @@ int NetSessions::ParseIPPacket(int caplen, const u_char* const pkt, int proto,
bool NetSessions::CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
const struct pcap_pkthdr* h,
const u_char* p, const Encapsulation* encap)
const u_char* p, const EncapsulationStack* encap)
{
uint32 min_hdr_len = 0;
switch ( proto ) {
@ -1084,7 +1117,7 @@ void NetSessions::GetStats(SessionStats& s) const
Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
const u_char* data, int proto, uint32 flow_label,
const Encapsulation* encapsulation)
const EncapsulationStack* encapsulation)
{
// FIXME: This should be cleaned up a bit, it's too protocol-specific.
// But I'm not yet sure what the right abstraction for these things is.
@ -1305,7 +1338,7 @@ void NetSessions::Internal(const char* msg, const struct pcap_pkthdr* hdr,
}
void NetSessions::Weird(const char* name, const struct pcap_pkthdr* hdr,
const u_char* pkt, const Encapsulation* encap)
const u_char* pkt, const EncapsulationStack* encap)
{
if ( hdr )
dump_this_packet = 1;
@ -1317,7 +1350,7 @@ void NetSessions::Weird(const char* name, const struct pcap_pkthdr* hdr,
}
void NetSessions::Weird(const char* name, const IP_Hdr* ip,
const Encapsulation* encap)
const EncapsulationStack* encap)
{
if ( encap && encap->LastType() != BifEnum::Tunnel::NONE )
reporter->Weird(ip->SrcAddr(), ip->DstAddr(),

41
src/Sessions.h
View file

@ -16,7 +16,7 @@
struct pcap_pkthdr;
class Encapsulation;
class EncapsulationStack;
class Connection;
class ConnID;
class OSFingerprint;
@ -109,9 +109,9 @@ public:
void GetStats(SessionStats& s) const;
void Weird(const char* name, const struct pcap_pkthdr* hdr,
const u_char* pkt, const Encapsulation* encap = 0);
const u_char* pkt, const EncapsulationStack* encap = 0);
void Weird(const char* name, const IP_Hdr* ip,
const Encapsulation* encap = 0);
const EncapsulationStack* encap = 0);
PacketFilter* GetPacketFilter()
{
@ -137,7 +137,7 @@ public:
void DoNextPacket(double t, const struct pcap_pkthdr* hdr,
const IP_Hdr* ip_hdr, const u_char* const pkt,
int hdr_size, const Encapsulation* encapsulation);
int hdr_size, const EncapsulationStack* encapsulation);
/**
* Wrapper that recurses on DoNextPacket for encapsulated IP packets.
@ -147,10 +147,15 @@ public:
* so that the fake pcap header passed to DoNextPacket will use
* the same timeval. The caplen and len fields of the fake pcap
* header are always set to the TotalLength() of \a inner.
* @param outer The encapsulation information for the inner IP packet.
* @param inner Pointer to IP header wrapper of the inner packet, ownership
* of the pointer's memory is assumed by this function.
* @param prev Any previous encapsulation stack of the caller, not including
* the most-recently found depth of encapsulation.
* @param ec The most-recently found depth of encapsulation.
*/
void DoNextInnerPacket(double t, const struct pcap_pkthdr* hdr,
const IP_Hdr* inner, const Encapsulation* outer);
const IP_Hdr* inner, const EncapsulationStack* prev,
const EncapsulatingConn& ec);
/**
* Returns a wrapper IP_Hdr object if \a pkt appears to be a valid IPv4
@ -181,10 +186,11 @@ protected:
friend class RemoteSerializer;
friend class ConnCompressor;
friend class TimerMgrExpireTimer;
friend class IPTunnelTimer;
Connection* NewConn(HashKey* k, double t, const ConnID* id,
const u_char* data, int proto, uint32 flow_lable,
const Encapsulation* encapsulation);
const EncapsulationStack* encapsulation);
// Check whether the tag of the current packet is consistent with
// the given connection. Returns:
@ -233,15 +239,17 @@ protected:
// than that protocol's minimum header size.
bool CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
const struct pcap_pkthdr* hdr, const u_char* pkt,
const Encapsulation* encap);
const EncapsulationStack* encap);
CompositeHash* ch;
PDict(Connection) tcp_conns;
PDict(Connection) udp_conns;
PDict(Connection) icmp_conns;
PDict(FragReassembler) fragments;
typedef pair<IPAddr, IPAddr> IPPair;
typedef std::map<IPPair, EncapsulatingConn> IPTunnelMap;
typedef pair<EncapsulatingConn, double> TunnelActivity;
typedef std::map<IPPair, TunnelActivity> IPTunnelMap;
IPTunnelMap ip_tunnels;
ARP_Analyzer* arp_analyzer;
@ -261,6 +269,21 @@ protected:
TimerMgrMap timer_mgrs;
};
class IPTunnelTimer : public Timer {
public:
IPTunnelTimer(double t, NetSessions::IPPair p)
: Timer(t + BifConst::Tunnel::ip_tunnel_timeout,
TIMER_IP_TUNNEL_INACTIVITY), tunnel_idx(p) {}
~IPTunnelTimer() {}
void Dispatch(double t, int is_expire);
protected:
NetSessions::IPPair tunnel_idx;
};
// Manager for the currently active sessions.
extern NetSessions* sessions;

9
src/Teredo.cc
View file

@ -149,7 +149,7 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
return;
}
const Encapsulation* e = Conn()->GetEncapsulation();
const EncapsulationStack* e = Conn()->GetEncapsulation();
if ( e && e->Depth() >= BifConst::Tunnel::max_depth )
{
@ -222,12 +222,7 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
Conn()->Event(teredo_bubble, 0, teredo_hdr);
}
Encapsulation* outer = new Encapsulation(e);
EncapsulatingConn ec(Conn(), BifEnum::Tunnel::TEREDO);
outer->Add(ec);
sessions->DoNextInnerPacket(network_time, 0, inner, outer);
delete inner;
delete outer;
sessions->DoNextInnerPacket(network_time, 0, inner, e, ec);
}

1
src/Timer.cc
View file

@ -20,6 +20,7 @@ const char* TimerNames[] = {
"IncrementalSendTimer",
"IncrementalWriteTimer",
"InterconnTimer",
"IPTunnelInactivityTimer",
"NetbiosExpireTimer",
"NetworkTimer",
"NTPExpireTimer",

1
src/Timer.h
View file

@ -26,6 +26,7 @@ enum TimerType {
TIMER_INCREMENTAL_SEND,
TIMER_INCREMENTAL_WRITE,
TIMER_INTERCONN,
TIMER_IP_TUNNEL_INACTIVITY,
TIMER_NB_EXPIRE,
TIMER_NETWORK,
TIMER_NTP_EXPIRE,

2
src/TunnelEncapsulation.cc
View file

@ -34,7 +34,7 @@ RecordVal* EncapsulatingConn::GetRecordVal() const
return rv;
}
bool operator==(const Encapsulation& e1, const Encapsulation& e2)
bool operator==(const EncapsulationStack& e1, const EncapsulationStack& e2)
{
if ( ! e1.conns )
return e2.conns;

26
src/TunnelEncapsulation.h
View file

@ -114,12 +114,12 @@ protected:
/**
* Abstracts an arbitrary amount of nested tunneling.
*/
class Encapsulation {
class EncapsulationStack {
public:
Encapsulation() : conns(0)
EncapsulationStack() : conns(0)
{}
Encapsulation(const Encapsulation& other)
EncapsulationStack(const EncapsulationStack& other)
{
if ( other.conns )
conns = new vector<EncapsulatingConn>(*(other.conns));
@ -127,15 +127,7 @@ public:
conns = 0;
}
Encapsulation(const Encapsulation* other)
{
if ( other && other->conns )
conns = new vector<EncapsulatingConn>(*(other->conns));
else
conns = 0;
}
Encapsulation& operator=(const Encapsulation& other)
EncapsulationStack& operator=(const EncapsulationStack& other)
{
if ( this == &other )
return *this;
@ -150,10 +142,10 @@ public:
return *this;
}
~Encapsulation() { delete conns; }
~EncapsulationStack() { delete conns; }
/**
* Add a new inner-most tunnel to the Encapsulation.
* Add a new inner-most tunnel to the EncapsulationStack.
*
* @param c The new inner-most tunnel to append to the tunnel chain.
*/
@ -200,9 +192,11 @@ public:
return vv;
}
friend bool operator==(const Encapsulation& e1, const Encapsulation& e2);
friend bool operator==(const EncapsulationStack& e1,
const EncapsulationStack& e2);
friend bool operator!=(const Encapsulation& e1, const Encapsulation& e2)
friend bool operator!=(const EncapsulationStack& e1,
const EncapsulationStack& e2)
{
return ! ( e1 == e2 );
}

8
src/ayiya-analyzer.pac
View file

@ -12,7 +12,7 @@ flow AYIYA_Flow
function process_ayiya(pdu: PDU): bool
%{
Connection *c = connection()->bro_analyzer()->Conn();
const Encapsulation* e = c->GetEncapsulation();
const EncapsulationStack* e = c->GetEncapsulation();
if ( e && e->Depth() >= BifConst::Tunnel::max_depth )
{
@ -72,14 +72,10 @@ flow AYIYA_Flow
if ( result != 0 )
return false;
Encapsulation* outer = new Encapsulation(e);
EncapsulatingConn ec(c, BifEnum::Tunnel::AYIYA);
outer->Add(ec);
sessions->DoNextInnerPacket(network_time(), 0, inner, outer);
sessions->DoNextInnerPacket(network_time(), 0, inner, e, ec);
delete inner;
delete outer;
return (result == 0) ? true : false;
%}

1
src/const.bif
View file

@ -16,5 +16,6 @@ const Tunnel::enable_ip: bool;
const Tunnel::enable_ayiya: bool;
const Tunnel::enable_teredo: bool;
const Tunnel::yielding_teredo_decapsulation: bool;
const Tunnel::ip_tunnel_timeout: interval;
const Threading::heartbeat_interval: interval;

9
src/event.bif
View file

@ -143,9 +143,12 @@ event new_connection%(c: connection%);
## Generated for a connection whose tunneling has changed. This could
## be from a previously seen connection now being encapsulated in a tunnel,
## or from the outer encapsulation changing. Note that the connection's
## *tunnel* field is NOT automatically assigned to the new encapsulation value
## internally after this event is raised.
## or from the outer encapsulation changing. Note that connection *c*'s
## *tunnel* field is NOT automatically/internally assigned to the new
## encapsulation value of *e* after this event is raised. If the desired
## behavior is to track the latest tunnel encapsulation per-connection,
## then a handler of this event should assign *e* to ``c$tunnel`` (which Bro's
## default scripts are doing).
##
## c: The connection whose tunnel/encapsulation changed.
##

2
testing/btest/Baseline/core.print-bpf-filters/conn.log
View file

@ -3,6 +3,6 @@
#empty_field (empty)
#unset_field -
#path conn
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes parents
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
1128727435.450898 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF - 0 ShADdFaf 12 730 10 9945 (empty)

8
testing/btest/Baseline/core.print-bpf-filters/output
View file

@ -5,7 +5,7 @@
#path packet_filter
#fields ts node filter init success
#types time string string bool bool
1335456050.312960 - ip or not ip T T
1340040469.440535 - ip or not ip T T
#separator \x09
#set_separator ,
#empty_field (empty)
@ -13,7 +13,7 @@
#path packet_filter
#fields ts node filter init success
#types time string string bool bool
1335456050.557822 - ((((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (port 6669)) or (udp and port 5353)) or (port 6668)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port 25 or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666) T T
1340040469.681428 - ((((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (port 6669)) or (udp and port 5353)) or (port 6668)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port 25 or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666) T T
#separator \x09
#set_separator ,
#empty_field (empty)
@ -21,7 +21,7 @@
#path packet_filter
#fields ts node filter init success
#types time string string bool bool
1335456050.805695 - port 42 T T
1340040469.925663 - port 42 T T
#separator \x09
#set_separator ,
#empty_field (empty)
@ -29,4 +29,4 @@
#path packet_filter
#fields ts node filter init success
#types time string string bool bool
1335456051.042953 - port 56730 T T
1340040470.169001 - port 56730 T T

2
testing/btest/Baseline/core.tunnels.ayiya/conn.log
View file

@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path conn
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes parents
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
1257655301.595604 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 tcp http 2.101052 2981 4665 S1 - 0 ShADad 10 3605 11 5329 k6kgXLOoSKl
1257655296.585034 k6kgXLOoSKl 192.168.3.101 53859 216.14.98.22 5072 udp ayiya 20.879001 5129 6109 SF - 0 Dd 21 5717 13 6473 (empty)

2
testing/btest/Baseline/core.tunnels.socks/conn.log
View file

@ -3,6 +3,6 @@
#empty_field (empty)
#unset_field -
#path conn
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes parents
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
1208299429.265243 UWkUyAuUGXf 127.0.0.1 62270 127.0.0.1 1080 tcp http,socks 0.008138 152 3950 SF - 0 ShAaDdfF 9 632 9 4430 (empty)

2
testing/btest/Baseline/core.tunnels.teredo/conn.log
View file

@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path conn
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes parents
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
1210953047.736921 arKYeMETxOg 192.168.2.16 1576 75.126.130.163 80 tcp - 0.000357 0 0 SHR - 0 fA 1 40 1 40 (empty)
1210953050.867067 k6kgXLOoSKl 192.168.2.16 1577 75.126.203.78 80 tcp - 0.000387 0 0 SHR - 0 fA 1 40 1 40 (empty)

2
testing/btest/Baseline/core.vlan-mpls/conn.log
View file

@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path conn
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes parents
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
952109346.874907 UWkUyAuUGXf 10.1.2.1 11001 10.34.0.1 23 tcp - 2.102560 26 0 SH - 0 SADF 11 470 0 0 (empty)
1128727435.450898 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF - 0 ShADdFaf 12 730 10 9945 (empty)

2
testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log
View file

@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path conn
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes parents
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
1329843175.736107 arKYeMETxOg 141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF - 0 ShAdfFa 4 216 4 562 (empty)
1329843179.871641 k6kgXLOoSKl 141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF - 0 ShAdfFa 4 216 4 297 (empty)

2
testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log
View file

@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path conn
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes parents
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
1329327783.316897 arKYeMETxOg 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49186 2001:470:4867:99::21 57086 tcp ftp-data 0.219721 0 342 SF - 0 ShAdfFa 5 372 4 642 (empty)
1329327786.524332 k6kgXLOoSKl 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49187 2001:470:4867:99::21 57087 tcp ftp-data 0.217501 0 43 SF - 0 ShAdfFa 5 372 4 343 (empty)