Tweaking tunnel decapsulation.
Changing names to comply with "Bro Scripting Conventions". Tweaking documentation.
parent
1a565fadfe
commit
d0a67dc8bf
6 changed files with 33 additions and 24 deletions
|
@ -84,14 +84,14 @@ type AnalyzerID: count;
|
|||
module Tunnel;
|
||||
export {
|
||||
## Records the identity of a the parent of a tunneled connection.
|
||||
type parent_t: record {
|
||||
type Parent: record {
|
||||
## The 4-tuple of the tunnel "connection". In case of an IP-in-IP
|
||||
## tunnel the ports will be set to 0. The direction (i.e., orig and
|
||||
## resp) of the parent are set according to the tunneled connection
|
||||
## and not according to the side that established the tunnel.
|
||||
cid: conn_id;
|
||||
## The type of tunnel.
|
||||
tunnel_type: tunneltype_t;
|
||||
tunnel_type: Tunneltype;
|
||||
} &log;
|
||||
} # end export
|
||||
module GLOBAL;
|
||||
|
@ -107,7 +107,7 @@ type connection: record {
|
|||
hot: count; # how hot; 0 = don't know or not hot
|
||||
history: string;
|
||||
uid: string;
|
||||
tunnel_parent: Tunnel::parent_t &optional;
|
||||
tunnel_parent: Tunnel::Parent &optional;
|
||||
};
|
||||
|
||||
type SYN_packet: record {
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
##! defragmentation but before there is a connection context. The tunnel
|
||||
##! headers are stripped from packet and the identity of the parent is
|
||||
##! is stored as the ``tunnel_parent`` member of :bro:type:`connection`,
|
||||
##! which is of type :bro:type:`parent_t`.
|
||||
##! which is of type :bro:type:`Tunnel::Parent`.
|
||||
##!
|
||||
##! *Limitation:* The decapsulated packets are not fed through the
|
||||
##! defragmenter again and decapsulation happens only on the primary
|
||||
|
@ -30,9 +30,12 @@
|
|||
##!
|
||||
##!
|
||||
|
||||
@load base/protocols/conn
|
||||
|
||||
module Tunnel;
|
||||
|
||||
#redef use_connection_compressor = F;
|
||||
## enab
|
||||
redef Tunnel::decapsulate_ip = T;
|
||||
redef Tunnel::decapsulate_udp = T;
|
||||
redef Tunnel::udp_tunnel_allports = T;
|
||||
|
@ -51,14 +54,19 @@ export {
|
|||
## The child's transport protocol
|
||||
proto: transport_proto &log;
|
||||
## The parent connection of IP-pair
|
||||
parent: parent_t &log;
|
||||
parent: Parent &log;
|
||||
};
|
||||
global log_tunnel: event(rec: Info);
|
||||
|
||||
redef record Conn::Info += {
|
||||
## If the connection is tunneled the type of tunnel
|
||||
tunnel_type: Tunneltype &log &optional;
|
||||
};
|
||||
global log_conn: event(rec: Info);
|
||||
}
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
Log::create_stream(TUNNEL, [$columns=Info, $ev=log_conn]);
|
||||
Log::create_stream(TUNNEL, [$columns=Info, $ev=log_tunnel]);
|
||||
}
|
||||
|
||||
event new_connection(c: connection)
|
||||
|
|
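Review bot: The `## enab` line above the three `redef Tunnel::…` statements in the `@ -30,9 +30,12 @` hunk looks like a comment cut off mid-word, and it sits at the one place where this script switches decapsulation on for every site that loads it. The rendered page does not show whether that line is new in this commit, but it should be completed, for example `## Enable IP-in-IP and UDP decapsulation; udp_tunnel_allports applies it to every UDP port.` Judging by its name, `udp_tunnel_allports = T` makes the monitor attempt decapsulation on all UDP traffic, and the header already states that decapsulated packets are not passed through the defragmenter again, so that trade-off in analysis coverage and load should be documented at this spot. The `##!` header in the `@ -22,7 +22,7 @` hunk of the same file also reads "is is stored".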