Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-09 18:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

add extended mac field with 20 byte digest (+4 byte key id)

Browse source
This commit is contained in:
Mauro Palumbo 2019-06-09 20:21:56 +02:00
parent 01ae5203e3
commit d0465bc45d
2 changed files with 16 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/analyzer/protocol/ntp/ntp-analyzer.pac
View file

@ -65,9 +65,12 @@ refine flow NTP_Flow += {
rv->Assign(11, proc_ntp_timestamp(${nsm.receive_ts})); rv->Assign(11, proc_ntp_timestamp(${nsm.receive_ts}));
rv->Assign(12, proc_ntp_timestamp(${nsm.transmit_ts})); rv->Assign(12, proc_ntp_timestamp(${nsm.transmit_ts}));
if (${nsm.has_mac}) { if (${nsm.mac_len}==20) {
rv->Assign(13, val_mgr->GetCount(${nsm.mac.key_id})); rv->Assign(13, val_mgr->GetCount(${nsm.mac.key_id}));
rv->Assign(14, bytestring_to_val(${nsm.mac.digest})); rv->Assign(14, bytestring_to_val(${nsm.mac.digest}));
} else if (${nsm.mac_len}==24) {
rv->Assign(13, val_mgr->GetCount(${nsm.mac_ext.key_id}));
rv->Assign(14, bytestring_to_val(${nsm.mac_ext.digest}));
} }
// TODO: add extension fields // TODO: add extension fields
//rv->Assign(15, val_mgr->GetCount((uint32) ${nsm.extensions}->size())); //rv->Assign(15, val_mgr->GetCount((uint32) ${nsm.extensions}->size()));

15
src/analyzer/protocol/ntp/ntp-protocol.pac
View file

@ -40,13 +40,14 @@ type NTP_std_msg = record {
receive_ts : NTP_Time; receive_ts : NTP_Time;
transmit_ts : NTP_Time; transmit_ts : NTP_Time;
#extensions : Extension_Field[] &until($input.length() == 20); #TODO: this need to be properly parsed #extensions : Extension_Field[] &until($input.length() == 20); #TODO: this need to be properly parsed
mac_fields : case (has_mac) of { mac_fields : case (mac_len) of {
true -> mac : NTP_MAC; 20 -> mac : NTP_MAC;
24 -> mac_ext : NTP_MAC_ext;
false -> nil : empty; false -> nil : empty;
} &requires(has_mac); } &requires(mac_len);
} &let { } &let {
length = sourcedata.length(); length = sourcedata.length();
has_mac: bool = (length - offsetof(mac_fields)) == 20; mac_len: uint32 = (length - offsetof(mac_fields));
} &byteorder=bigendian &exportsourcedata; } &byteorder=bigendian &exportsourcedata;
# This format is for mode==6, control msg # This format is for mode==6, control msg
@ -78,6 +79,12 @@ type NTP_MAC = record {
digest: bytestring &length=16; digest: bytestring &length=16;
} &length=20; } &length=20;
# As in RFC 5906, same as NTP_MAC but with a 160 bit digest
type NTP_MAC_ext = record {
key_id: uint32;
digest: bytestring &length=20;
} &length=24;
# As in RFC 1119 # As in RFC 1119
type NTP_CONTROL_MAC = record { type NTP_CONTROL_MAC = record {
key_id: uint32; key_id: uint32;