diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake
index 54783f61b3..fbf93ce869 100644
--- a/doc/scripts/DocSourcesList.cmake
+++ b/doc/scripts/DocSourcesList.cmake
@@ -95,6 +95,7 @@ rest_target(${psd} policy/frameworks/dpd/detect-protocols.bro)
 rest_target(${psd} policy/frameworks/dpd/packet-segment-logging.bro)
 rest_target(${psd} policy/frameworks/software/version-changes.bro)
 rest_target(${psd} policy/frameworks/software/vulnerable.bro)
+rest_target(${psd} policy/frameworks/tunnel.bro)
 rest_target(${psd} policy/integration/barnyard2/base.bro)
 rest_target(${psd} policy/integration/barnyard2/event.bro)
 rest_target(${psd} policy/integration/barnyard2/types.bro)
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 2f83b99bf8..45357fde77 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -84,14 +84,14 @@ type AnalyzerID: count;
 module Tunnel;
 export {
 	## Records the identity of a the parent of a tunneled connection.
-	type parent_t: record {
+	type Parent: record {
 		## The 4-tuple of the tunnel "connection". In case of an IP-in-IP
 		## tunnel the ports will be set to 0. The direction (i.e., orig and
 		## resp) of the parent are set according to the tunneled connection
 		## and not according to the side that established the tunnel.
 		cid: conn_id;
 		## The type of tunnel.
-		tunnel_type: tunneltype_t;
+		tunnel_type: Tunneltype;
 	} &log;
 } # end export
 module GLOBAL;
@@ -107,7 +107,7 @@ type connection: record {
 	hot: count;	# how hot; 0 = don't know or not hot
 	history: string;
 	uid: string;
-	tunnel_parent: Tunnel::parent_t &optional;
+	tunnel_parent: Tunnel::Parent &optional;
 };
 
 type SYN_packet: record {
diff --git a/scripts/policy/frameworks/tunnel.bro b/scripts/policy/frameworks/tunnel.bro
index ebec2b0f06..a24bd6e1f6 100644
--- a/scripts/policy/frameworks/tunnel.bro
+++ b/scripts/policy/frameworks/tunnel.bro
@@ -22,7 +22,7 @@ ##! defragmentation but before there is a connection context. The tunnel ##! headers are stripped from packet and the identity of the parent is ##! is stored as the ``tunnel_parent`` member of :bro:type:`connection`, -##! which is of type :bro:type:`parent_t`. +##! which is of type :bro:type:`Tunnel::Parent`. ##! ##! *Limitation:* The decapsulated packets are not fed through the ##! defragmenter again and decapsulation happens only on the primary @@ -30,9 +30,12 @@ ##! ##! +@load base/protocols/conn + module Tunnel; #redef use_connection_compressor = F; +## enab redef Tunnel::decapsulate_ip = T; redef Tunnel::decapsulate_udp = T; redef Tunnel::udp_tunnel_allports = T; @@ -51,14 +54,19 @@ export { ## The child's transport protocol proto: transport_proto &log; ## The parent connection of IP-pair - parent: parent_t &log; + parent: Parent &log; + }; + global log_tunnel: event(rec: Info); + + redef record Conn::Info += { + ## If the connection is tunneled the type of tunnel + tunnel_type: Tunneltype &log &optional; }; - global log_conn: event(rec: Info); } event bro_init() { - Log::create_stream(TUNNEL, [$columns=Info, $ev=log_conn]); + Log::create_stream(TUNNEL, [$columns=Info, $ev=log_tunnel]); } event new_connection(c: connection) diff --git a/src/TunnelHandler.cc b/src/TunnelHandler.cc index 78428c700f..6b1f78e0c0 100644 --- a/src/TunnelHandler.cc +++ b/src/TunnelHandler.cc @@ -54,7 +54,7 @@ TunnelInfo* TunnelHandler::DecapsulateTunnel(const IP_Hdr *ip_hdr, int len, int // TODO: check if IP6 header makes sense tunnel_info = new TunnelInfo(); tunnel_info->child = new IP_Hdr((const struct ip6_hdr*)ip_hdr->Payload()); - tunnel_info->tunneltype = BifEnum::Tunnel::IP6inIP; + tunnel_info->tunneltype = BifEnum::Tunnel::IP6_IN_IP; tunnel_info->hdr_len = tunnel_info->child->HdrLen(); tunnel_info->SetParentIPs(ip_hdr); return tunnel_info; 
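Review bot: The added line `## enab` just before `redef Tunnel::decapsulate_ip = T;` reads as an unfinished comment, and since a `##` line documents the declaration that follows it (the way `## The child's transport protocol` documents `proto` in the next hunk), this fragment will presumably become the generated description of `Tunnel::decapsulate_ip` now that tunnel.bro is added to DocSourcesList.cmake in this same commit. Either complete the sentence, e.g. `## Enable tunnel decapsulation.`, or remove the line. The new `@load base/protocols/conn` appears to exist for the `redef record Conn::Info` in the following hunk; a short trailing comment such as `# needed for the Conn::Info redef below` would make that dependency explicit.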
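Review bot: The new `tunnel_type: Tunneltype &log &optional;` field added to `Conn::Info` is declared but nothing in this commit assigns it, so unless another script populates it the new `&log` column will always be empty. Given that `connection` now carries `tunnel_parent: Tunnel::Parent &optional` (init-bare.bro hunk) and `Tunnel::Parent` already has a `tunnel_type` field, the natural fix is a handler that copies `c$tunnel_parent$tunnel_type` into the connection's `Conn::Info` record, guarded by `if ( c?$tunnel_parent )` because the field is optional. `event new_connection(c: connection)` is the last line of this hunk and its body lies outside it, so I cannot tell whether that is already done there. Separately, renaming the exported `log_conn` event to `log_tunnel` means any external handler written against `Tunnel::log_conn` will no longer resolve; that deserves a mention in the commit message or changelog.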
@@ -86,7 +86,7 @@ TunnelInfo* TunnelHandler::HandleUDP(const IP_Hdr *ip_hdr, int len, int caplen) const u_char *data = ip_hdr->Payload(); const struct udphdr* uh = (const struct udphdr*)data; IP_Hdr *cand_ip_hdr = 0; - BifEnum::Tunnel::tunneltype_t tunneltype = BifEnum::Tunnel::NONE; + BifEnum::Tunnel::Tunneltype tunneltype = BifEnum::Tunnel::NONE; int hdr_len = sizeof(struct udphdr); data += hdr_len; @@ -103,7 +103,7 @@ TunnelInfo* TunnelHandler::HandleUDP(const IP_Hdr *ip_hdr, int len, int caplen) if (cand_ip_hdr) { tunneltype = (cand_ip_hdr->IP4_Hdr()) ? - BifEnum::Tunnel::IP4inUDP : BifEnum::Tunnel::IP6inUDP; + BifEnum::Tunnel::IP4_IN_UDP : BifEnum::Tunnel::IP6_IN_UDP; } else if (datalen >= 8) { @@ -129,7 +129,7 @@ TunnelInfo* TunnelHandler::HandleUDP(const IP_Hdr *ip_hdr, int len, int caplen) { hdr_len += 8 + id_len + sig_len; tunneltype = (cand_ip_hdr->IP4_Hdr()) ? - BifEnum::Tunnel::IP4inAYIAY : BifEnum::Tunnel::IP6inAYIAY; + BifEnum::Tunnel::IP4_IN_AYIAY : BifEnum::Tunnel::IP6_IN_AYIAY; } } if (cand_ip_hdr) diff --git a/src/TunnelHandler.h b/src/TunnelHandler.h index 31c9791a1c..d88e6ff2b4 100644 --- a/src/TunnelHandler.h +++ b/src/TunnelHandler.h @@ -39,11 +39,11 @@ public: RecordVal* GetRecordVal() const { - RecordVal *rv = new RecordVal(BifType::Record::Tunnel::parent_t); + RecordVal *rv = new RecordVal(BifType::Record::Tunnel::Parent); TransportProto tproto; switch(tunneltype) { - case BifEnum::Tunnel::IP6inIP: - case BifEnum::Tunnel::IP4inIP: + case BifEnum::Tunnel::IP6_IN_IP: + case BifEnum::Tunnel::IP4_IN_IP: tproto = TRANSPORT_UNKNOWN; break; default: 
@@ -56,14 +56,14 @@ public: id_val->Assign(2, new AddrVal(parent.dst_addr)); id_val->Assign(3, new PortVal(ntohs(parent.dst_port), tproto)); rv->Assign(0, id_val); - rv->Assign(1, new EnumVal(tunneltype, BifType::Enum::Tunnel::tunneltype_t)); + rv->Assign(1, new EnumVal(tunneltype, BifType::Enum::Tunnel::Tunneltype)); return rv; } IP_Hdr *child; ConnID parent; int hdr_len; - BifEnum::Tunnel::tunneltype_t tunneltype; + BifEnum::Tunnel::Tunneltype tunneltype; }; class TunnelHandler { diff --git a/src/types.bif b/src/types.bif index 35c4db0daf..5f1c4b850b 100644 --- a/src/types.bif +++ b/src/types.bif @@ -168,16 +168,16 @@ enum ID %{ module Tunnel; -enum tunneltype_t %{ +enum Tunneltype %{ NONE, - IP6inIP, - IP4inIP, - IP6inUDP, - IP4inUDP, - IP6inAYIAY, - IP4inAYIAY, + IP6_IN_IP, + IP4_IN_IP, + IP6_IN_UDP, + IP4_IN_UDP, + IP6_IN_AYIAY, + IP4_IN_AYIAY, %} -type parent_t: record; +type Parent: record; module GLOBAL;