Moving all analyzers over to new structure.

This is a checkpoint: it works, but there's more cleanup to do. TODOs are in
src/analyzer/protocols/TODO.
Robin Sommer 2013-04-16 16:07:20 -07:00
parent 56edef1646
commit dfc4cb0881
250 changed files with 1095 additions and 470 deletions


@ -17,15 +17,48 @@ rest_target(${psd} base/init-default.bro internal)
rest_target(${psd} base/init-bare.bro internal)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/analyzer.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ayiya/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/backdoor/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/bittorrent/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/conn-size/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dce-rpc/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dhcp/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dns/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/file/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/finger/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ftp/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/gnutella/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/gtpv1/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/http/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/http/functions.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/icmp/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ident/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/interconn/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/irc/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/login/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/modbus/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ncp/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/netbios-ssn/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ntp/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/pia/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/pop3/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/rpc/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/smb/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/smtp/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/socks/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ssh/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ssl/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/stepping-stone/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/syslog/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/tcp/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/teredo/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/udp/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/zip/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/input.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/functions.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/protocols/ssl/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/protocols/syslog/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro)
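Review bot: The 37 `rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/<name>/events.bif.bro)` lines added here duplicate by hand the protocol list that the new `add_subdirectory()` sequence in the analyzer/protocols CMakeLists keeps, so every new analyzer has to be added in two places. A `foreach()` over one list of protocol names keeps the two in step and leaves only `http/functions.bif.bro` as a special case. If the four `base/protocols/...` entries near the end of the hunk are still present on the new side rather than removed, they point at the pre-move locations and would double up the http entries; worth confirming. The rest_target sequence continues outside the hunk.
```cmake
# One entry per analyzer plugin; keep in step with the add_subdirectory() list in src/analyzer/protocols.
set(analyzer_protocols ayiya backdoor bittorrent conn-size dce-rpc dhcp dns file finger ftp
    gnutella gtpv1 http icmp ident interconn irc login modbus ncp netbios-ssn ntp pia pop3
    rpc smb smtp socks ssh ssl stepping-stone syslog tcp teredo udp zip)
foreach(proto ${analyzer_protocols})
  rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/${proto}/events.bif.bro)
endforeach()
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/http/functions.bif.bro)
# … unchanged: remaining base/*.bif.bro entries …
```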


@ -133,27 +133,8 @@ set(BINPAC_AUXSRC
binpac_target(binpac-lib.pac)
binpac_target(binpac_bro-lib.pac)
binpac_target(ayiya.pac
ayiya-protocol.pac ayiya-analyzer.pac)
binpac_target(bittorrent.pac
bittorrent-protocol.pac bittorrent-analyzer.pac)
binpac_target(dce_rpc.pac
dce_rpc-protocol.pac dce_rpc-analyzer.pac epmapper.pac)
binpac_target(dce_rpc_simple.pac
dce_rpc-protocol.pac epmapper.pac)
binpac_target(dhcp.pac
dhcp-protocol.pac dhcp-analyzer.pac)
binpac_target(gtpv1.pac
gtpv1-protocol.pac gtpv1-analyzer.pac)
binpac_target(ncp.pac)
binpac_target(netflow.pac
netflow-protocol.pac netflow-analyzer.pac)
binpac_target(smb.pac
smb-protocol.pac smb-pipe.pac smb-mailslot.pac)
binpac_target(socks.pac
socks-protocol.pac socks-analyzer.pac)
binpac_target(modbus.pac
modbus-protocol.pac modbus-analyzer.pac)
########################################################################
## Including subdirectories.
@ -233,11 +214,7 @@ set(bro_SRCS
Anon.cc
ARP.cc
Attr.cc
AYIYA.cc
BackDoor.cc
Base64.cc
BitTorrent.cc
BitTorrentTracker.cc
BPF_Program.cc
BroDoc.cc
BroDocObj.cc
@ -247,13 +224,7 @@ set(bro_SRCS
ChunkedIO.cc
CompHash.cc
Conn.cc
ConnSizeAnalyzer.cc
ContentLine.cc
DCE_RPC.cc
DFA.cc
DHCP-binpac.cc
DNS.cc
DNS_Mgr.cc
DbgBreakpoint.cc
DbgHelp.cc
DbgWatch.cc
@ -263,45 +234,30 @@ set(bro_SRCS
Desc.cc
Dict.cc
Discard.cc
DNS_Mgr.cc
EquivClass.cc
Event.cc
EventHandler.cc
EventLauncher.cc
EventRegistry.cc
Expr.cc
FTP.cc
File.cc
FileAnalyzer.cc
Finger.cc
FlowSrc.cc
Frag.cc
Frame.cc
Func.cc
Gnutella.cc
GTPv1.cc
Hash.cc
ICMP.cc
ID.cc
Ident.cc
IntSet.cc
InterConn.cc
IOSource.cc
IP.cc
IPAddr.cc
IRC.cc
List.cc
Reporter.cc
Login.cc
MIME.cc
Modbus.cc
NCP.cc
NFA.cc
NFS.cc
NTP.cc
NVT.cc
Net.cc
NetVar.cc
NetbiosSSN.cc
Obj.cc
OpaqueVal.cc
OSFinger.cc
@ -309,30 +265,20 @@ set(bro_SRCS
PacketSort.cc
PersistenceSerializer.cc
PktSrc.cc
PIA.cc
PolicyFile.cc
POP3.cc
Portmap.cc
PrefixTable.cc
PriorityQueue.cc
Queue.cc
RandTest.cc
RE.cc
RPC.cc
Reassem.cc
RemoteSerializer.cc
Rlogin.cc
RSH.cc
Rule.cc
RuleAction.cc
RuleCondition.cc
RuleMatcher.cc
ScriptAnaly.cc
SmithWaterman.cc
SMB.cc
SMTP.cc
SOCKS.cc
SSH.cc
Scope.cc
SerializationFormat.cc
SerialObj.cc
@ -340,23 +286,14 @@ set(bro_SRCS
Sessions.cc
StateAccess.cc
Stats.cc
SteppingStone.cc
Stmt.cc
TCP.cc
TCP_Endpoint.cc
TCP_Reassembler.cc
Telnet.cc
Teredo.cc
Timer.cc
Traverse.cc
Trigger.cc
TunnelEncapsulation.cc
Type.cc
UDP.cc
Val.cc
Var.cc
XDR.cc
ZIP.cc
bsd-getopt-long.c
bro_inet_ntop.c
cq.c
@ -391,8 +328,6 @@ set(bro_SRCS
plugin/Manager.cc
plugin/Plugin.cc
analyzer/protocols/BuiltInAnalyzers.cc
nb_dns.c
digest.h
)


@ -11,7 +11,7 @@
#include "Sessions.h"
#include "Reporter.h"
#include "Timer.h"
#include "PIA.h"
#include "analyzer/protocols/pia/PIA.h"
#include "binpac.h"
#include "TunnelEncapsulation.h"
#include "analyzer/Analyzer.h"


@ -38,7 +38,7 @@
#include "Func.h"
#include "Frame.h"
#include "Var.h"
#include "Login.h"
#include "analyzer/protocols/login/Login.h"
#include "Sessions.h"
#include "RE.h"
#include "Serializer.h"


@ -8,7 +8,7 @@ using std::string;
#include "Conn.h"
#include "Event.h"
#include "NetVar.h"
#include "PIA.h"
#include "analyzer/protocols/pia/PIA.h"
#include "analyzer/Manager.h"


@ -1,7 +1,7 @@
#include "config.h"
#include "RuleCondition.h"
#include "TCP.h"
#include "analyzer/protocols/tcp/TCP.h"
#include "Scope.h"
static inline bool is_established(const TCP_Endpoint* e)


@ -16,12 +16,12 @@
#include "Reporter.h"
#include "OSFinger.h"
#include "ICMP.h"
#include "UDP.h"
#include "analyzer/protocols/icmp/ICMP.h"
#include "analyzer/protocols/udp/UDP.h"
#include "SteppingStone.h"
#include "BackDoor.h"
#include "InterConn.h"
#include "analyzer/protocols/stepping-stone/SteppingStone.h"
#include "analyzer/protocols/backdoor/BackDoor.h"
#include "analyzer/protocols/interconn/InterConn.h"
#include "Discard.h"
#include "RuleMatcher.h"


@ -12,6 +12,8 @@
#include "Stats.h"
#include "NetVar.h"
#include "TunnelEncapsulation.h"
#include "analyzer/protocols/tcp/Stats.h"
#include <utility>
struct pcap_pkthdr;
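Review bot: `analyzer/protocols/tcp/Stats.h` is now included right next to the core `Stats.h`, so two headers in the tree share a basename. A quoted include searches the including file's own directory first, and the plugin CMakeLists added in this commit additionally prepend that directory with `include_directories(BEFORE ...)`, so a bare `#include "Stats.h"` compiled from a source inside the tcp plugin directory resolves to the plugin's copy rather than the core one. The tcp plugin sources are not in this view, so it is worth checking that any of them wanting the core header spell it out the way this file now does. The remainder of this file's include list is outside the hunk.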


@ -389,84 +389,6 @@ void SegmentProfiler::Report()
reporter->SegmentProfile(name, loc, dtime, dmem);
}
TCPStateStats::TCPStateStats()
{
for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i )
for ( int j = 0; j < TCP_ENDPOINT_RESET + 1; ++j )
state_cnt[i][j] = 0;
}
void TCPStateStats::ChangeState(EndpointState o_prev, EndpointState o_now,
EndpointState r_prev, EndpointState r_now)
{
--state_cnt[o_prev][r_prev];
++state_cnt[o_now][r_now];
}
void TCPStateStats::FlipState(EndpointState orig, EndpointState resp)
{
--state_cnt[orig][resp];
++state_cnt[resp][orig];
}
unsigned int TCPStateStats::NumStatePartial() const
{
unsigned int sum = 0;
for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i )
{
sum += state_cnt[TCP_ENDPOINT_PARTIAL][i];
sum += state_cnt[i][TCP_ENDPOINT_PARTIAL];
}
return sum;
}
void TCPStateStats::PrintStats(BroFile* file, const char* prefix)
{
file->Write(prefix);
file->Write(" Inact. Syn. SA Part. Est. Fin. Rst.\n");
for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i )
{
file->Write(prefix);
switch ( i ) {
#define STATE_STRING(state, str) \
case state: \
file->Write(str); \
break;
STATE_STRING(TCP_ENDPOINT_INACTIVE, "Inact.");
STATE_STRING(TCP_ENDPOINT_SYN_SENT, "Syn. ");
STATE_STRING(TCP_ENDPOINT_SYN_ACK_SENT, "SA ");
STATE_STRING(TCP_ENDPOINT_PARTIAL, "Part. ");
STATE_STRING(TCP_ENDPOINT_ESTABLISHED, "Est. ");
STATE_STRING(TCP_ENDPOINT_CLOSED, "Fin. ");
STATE_STRING(TCP_ENDPOINT_RESET, "Rst. ");
}
file->Write(" ");
for ( int j = 0; j < TCP_ENDPOINT_RESET + 1; ++j )
{
unsigned int n = state_cnt[i][j];
if ( n > 0 )
{
char buf[32];
safe_snprintf(buf, sizeof(buf), "%-8d", state_cnt[i][j]);
file->Write(buf);
}
else
file->Write(" ");
}
file->Write("\n");
}
}
PacketProfiler::PacketProfiler(unsigned int mode, double freq,
BroFile* arg_file)
{


@ -7,9 +7,6 @@
#include <sys/time.h>
#include <sys/resource.h>
#include "TCP_Endpoint.h"
// Object called by SegmentProfiler when it is done and reports its
// cumulative CPU/memory statistics.
class SegmentStatsReporter {
@ -121,67 +118,6 @@ extern uint64 tot_ack_bytes;
extern uint64 tot_gap_events;
extern uint64 tot_gap_bytes;
// A TCPStateStats object tracks the distribution of TCP states for
// the currently active connections.
class TCPStateStats {
public:
TCPStateStats();
~TCPStateStats() { }
void ChangeState(EndpointState o_prev, EndpointState o_now,
EndpointState r_prev, EndpointState r_now);
void FlipState(EndpointState orig, EndpointState resp);
void StateEntered (EndpointState o_state, EndpointState r_state)
{ ++state_cnt[o_state][r_state]; }
void StateLeft (EndpointState o_state, EndpointState r_state)
{ --state_cnt[o_state][r_state]; }
unsigned int Cnt(EndpointState state) const
{ return Cnt(state, state); }
unsigned int Cnt(EndpointState state1, EndpointState state2) const
{ return state_cnt[state1][state2]; }
unsigned int NumStateEstablished() const
{ return Cnt(TCP_ENDPOINT_ESTABLISHED); }
unsigned int NumStateHalfClose() const
{ // corresponds to S2,S3
return Cnt(TCP_ENDPOINT_ESTABLISHED, TCP_ENDPOINT_CLOSED) +
Cnt(TCP_ENDPOINT_CLOSED, TCP_ENDPOINT_ESTABLISHED);
}
unsigned int NumStateHalfRst() const
{
return Cnt(TCP_ENDPOINT_ESTABLISHED, TCP_ENDPOINT_RESET) +
Cnt(TCP_ENDPOINT_RESET, TCP_ENDPOINT_ESTABLISHED);
}
unsigned int NumStateClosed() const
{ return Cnt(TCP_ENDPOINT_CLOSED); }
unsigned int NumStateRequest() const
{
assert(Cnt(TCP_ENDPOINT_INACTIVE, TCP_ENDPOINT_SYN_SENT)==0);
return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_INACTIVE);
}
unsigned int NumStateSuccRequest() const
{
return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_SYN_ACK_SENT) +
Cnt(TCP_ENDPOINT_SYN_ACK_SENT, TCP_ENDPOINT_SYN_SENT);
}
unsigned int NumStateRstRequest() const
{
return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_RESET) +
Cnt(TCP_ENDPOINT_RESET, TCP_ENDPOINT_SYN_SENT);
}
unsigned int NumStateInactive() const
{ return Cnt(TCP_ENDPOINT_INACTIVE); }
unsigned int NumStatePartial() const;
void PrintStats(BroFile* file, const char* prefix);
private:
unsigned int state_cnt[TCP_ENDPOINT_RESET+1][TCP_ENDPOINT_RESET+1];
};
class PacketProfiler {
public:
PacketProfiler(unsigned int mode, double freq, BroFile* arg_file);


@ -4,7 +4,7 @@
#include "Analyzer.h"
#include "Manager.h"
#include "../PIA.h"
#include "analyzer/protocols/pia/PIA.h"
#include "../Event.h"
namespace analyzer {


@ -1,16 +1,17 @@
#include "Manager.h"
#include "PIA.h"
#include "Hash.h"
#include "ICMP.h"
#include "UDP.h"
#include "TCP.h"
#include "Val.h"
#include "BackDoor.h"
#include "InterConn.h"
#include "SteppingStone.h"
#include "ConnSizeAnalyzer.h"
#include "analyzer/protocols/backdoor/BackDoor.h"
#include "analyzer/protocols/conn-size/ConnSize.h"
#include "analyzer/protocols/icmp/ICMP.h"
#include "analyzer/protocols/interconn/InterConn.h"
#include "analyzer/protocols/pia/PIA.h"
#include "analyzer/protocols/stepping-stone/SteppingStone.h"
#include "analyzer/protocols/tcp/TCP.h"
#include "analyzer/protocols/udp/UDP.h"
#include "plugin/Manager.h"
@ -153,15 +154,16 @@ void Manager::RegisterAnalyzerComponent(Component* component)
if ( Lookup(component->Name()) )
reporter->FatalError("Analyzer %s defined more than once", component->Name());
DBG_LOG(DBG_ANALYZER, "Registering analyzer %s (tag %s)",
component->Name(), component->Tag().AsString().c_str());
string name = to_upper(component->Name());
analyzers_by_name.insert(std::make_pair(component->Name(), component));
DBG_LOG(DBG_ANALYZER, "Registering analyzer %s (tag %s)",
name.c_str(), component->Tag().AsString().c_str());
analyzers_by_name.insert(std::make_pair(name, component));
analyzers_by_tag.insert(std::make_pair(component->Tag(), component));
analyzers_by_val.insert(std::make_pair(component->Tag().AsEnumVal()->InternalInt(), component));
// Install enum "Analyzer::ANALYZER_*"
string name = to_upper(component->Name());
string id = fmt("ANALYZER_%s", name.c_str());
tag_enum_type->AddName("Analyzer", id.c_str(), component->Tag().AsEnumVal()->InternalInt(), true);
}
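Review bot: The duplicate-registration check at the top of RegisterAnalyzerComponent still calls `Lookup(component->Name())` with the raw name, while analyzers_by_name is now keyed on `name = to_upper(component->Name())`; unless Lookup() upper-cases its argument itself (not visible here), a second plugin registering `"File"` when `"FILE"` is already in the map passes the check and then collides on insert. Hoisting the `string name = to_upper(component->Name());` line above the check and writing `if ( Lookup(name) )` closes that gap. In the second hunk, replacing `assert(c->Factory())` with `reporter->InternalError(...)` is an improvement; note it now also fires for support analyzers registered with a null factory, which presumably is intended. The enclosing function starts outside the hunk.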
@ -306,7 +308,9 @@ Analyzer* Manager::InstantiateAnalyzer(Tag tag, Connection* conn)
if ( ! c->Enabled() )
return 0;
assert(c->Factory());
if ( ! c->Factory() )
reporter->InternalError("analyzer %s cannot be instantiated dynamically", GetAnalyzerName(tag));
Analyzer* a = c->Factory()(conn);
if ( ! a )


@ -1,119 +0,0 @@
// TODO: This file will eventually go away once we've converrted all
// analyzers into separate plugins.
#include "BuiltInAnalyzers.h"
#include "analyzer/Component.h"
#include "../../binpac_bro.h"
#include "AYIYA.h"
#include "BackDoor.h"
#include "BitTorrent.h"
#include "BitTorrentTracker.h"
#include "Finger.h"
#include "InterConn.h"
#include "NTP.h"
#include "ICMP.h"
#include "SteppingStone.h"
#include "IRC.h"
#include "SMTP.h"
#include "FTP.h"
#include "FileAnalyzer.h"
#include "DNS.h"
#include "DHCP-binpac.h"
#include "Telnet.h"
#include "Rlogin.h"
#include "RSH.h"
#include "DCE_RPC.h"
#include "Gnutella.h"
#include "Ident.h"
#include "Modbus.h"
#include "NCP.h"
#include "NetbiosSSN.h"
#include "SMB.h"
#include "NFS.h"
#include "Portmap.h"
#include "POP3.h"
#include "SOCKS.h"
#include "SSH.h"
#include "Teredo.h"
#include "ConnSizeAnalyzer.h"
#include "GTPv1.h"
using namespace analyzer;
BuiltinAnalyzers builtin_analyzers;
#define DEFINE_ANALYZER(name, factory) \
AddComponent(new Component(name, factory))
void BuiltinAnalyzers::Init()
{
SetName("Core-Analyzers");
SetDescription("Built-in protocol analyzers");
SetVersion(BRO_PLUGIN_VERSION_BUILTIN);
DEFINE_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer);
DEFINE_ANALYZER("PIA_UDP", PIA_UDP::InstantiateAnalyzer);
DEFINE_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("TCP", TCP_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("UDP", UDP_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("BITTORRENT", BitTorrent_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("BITTORRENTTRACKER", BitTorrentTracker_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("DNS", DNS_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("LOGIN", 0); // just a base class
DEFINE_ANALYZER("NCP", NCP_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("NETBIOSSSN", NetbiosSSN_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("NFS", NFS_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("NTP", NTP_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("POP3", POP3_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("PORTMAPPER", Portmapper_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("RPC", 0);
DEFINE_ANALYZER("RSH", Rsh_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("SMB", SMB_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("SMTP", SMTP_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("SSH", SSH_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("DHCP_BINPAC", DHCP_Analyzer_binpac::InstantiateAnalyzer);
DEFINE_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("SOCKS", SOCKS_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("TEREDO", Teredo_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("FILE", File_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("INTERCONN", InterConn_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("STEPPINGSTONE", SteppingStone_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("TCPSTATS", TCPStats_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer);
DEFINE_ANALYZER("CONTENTS", 0);
DEFINE_ANALYZER("CONTENTLINE", 0);
DEFINE_ANALYZER("NVT", 0);
DEFINE_ANALYZER("ZIP", 0);
DEFINE_ANALYZER("CONTENTS_DNS", 0);
DEFINE_ANALYZER("CONTENTS_NETBIOSSSN", 0);
DEFINE_ANALYZER("CONTENTS_NCP", 0);
DEFINE_ANALYZER("CONTENTS_RLOGIN", 0);
DEFINE_ANALYZER("CONTENTS_RSH", 0);
DEFINE_ANALYZER("CONTENTS_DCE_RPC", 0);
DEFINE_ANALYZER("CONTENTS_SMB", 0);
DEFINE_ANALYZER("CONTENTS_RPC", 0);
DEFINE_ANALYZER("CONTENTS_NFS", 0);
DEFINE_ANALYZER("FTP_ADAT", 0);
}


@ -1,17 +0,0 @@
#ifndef ANALYZER_BUILTIN_ANALYZERS_H
#define ANALYZER_BUILTIN_ANALYZERS_H
#include "plugin/Plugin.h"
namespace analyzer {
class BuiltinAnalyzers : public plugin::Plugin {
public:
virtual void Init();
};
}
#endif


@ -1,4 +1,37 @@
add_subdirectory(ayiya)
add_subdirectory(backdoor)
add_subdirectory(bittorrent)
add_subdirectory(conn-size)
add_subdirectory(dce-rpc)
add_subdirectory(dhcp)
add_subdirectory(dns)
add_subdirectory(file)
add_subdirectory(finger)
add_subdirectory(ftp)
add_subdirectory(gnutella)
add_subdirectory(gtpv1)
add_subdirectory(http)
add_subdirectory(icmp)
add_subdirectory(ident)
add_subdirectory(interconn)
add_subdirectory(irc)
add_subdirectory(login)
add_subdirectory(modbus)
add_subdirectory(ncp)
add_subdirectory(netbios-ssn)
add_subdirectory(ntp)
add_subdirectory(pia)
add_subdirectory(pop3)
add_subdirectory(rpc)
add_subdirectory(smb)
add_subdirectory(smtp)
add_subdirectory(socks)
add_subdirectory(ssh)
add_subdirectory(ssl)
add_subdirectory(stepping-stone)
add_subdirectory(syslog)
add_subdirectory(tcp)
add_subdirectory(teredo)
add_subdirectory(udp)
add_subdirectory(zip)


@ -0,0 +1,10 @@
- introduce namespace into analyzers
- fill events.bif
- add functions.bif where needed
- move ARP
- move NetFlow
- update *.h guards
- cleanup analyzer descriptions
- can now lower-case the analyzer name in plugin


@ -0,0 +1,10 @@
include(BroPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(AYIYA)
bro_plugin_cc(AYIYA.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_pac(ayiya.pac ayiya-protocol.pac ayiya-analyzer.pac)
bro_plugin_end()
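Review bot: `include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})` is repeated verbatim in every plugin CMakeLists added by this commit (backdoor, bittorrent, conn-size, dce-rpc, dhcp, dns, file, finger, ftp, gnutella, gtpv1, icmp); it belongs inside `bro_plugin_begin()` in the BroPlugin module so that each plugin file is only the begin/cc/bif/pac/end sequence. Prepending the plugin directory also means a local header whose basename matches a core header (the new `tcp/Stats.h` beside the core `Stats.h`, `file/File.h` beside the core `File.cc` and presumably its `File.h`) shadows the core one for every source in that directory, so plugin sources that need the core header have to spell out its path.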


@ -0,0 +1,10 @@
#include "plugin/Plugin.h"
#include "AYIYA.h"
BRO_PLUGIN_BEGIN(AYIYA)
BRO_PLUGIN_DESCRIPTION("AYIYA Analyzer");
BRO_PLUGIN_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer);
BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END



@ -5,7 +5,7 @@
#include "BackDoor.h"
#include "Event.h"
#include "Net.h"
#include "TCP.h"
#include "analyzer/protocols/tcp/TCP.h"
BackDoorEndpoint::BackDoorEndpoint(TCP_Endpoint* e)
{


@ -3,10 +3,10 @@
#ifndef backdoor_h
#define backdoor_h
#include "TCP.h"
#include "analyzer/protocols/tcp/TCP.h"
#include "Timer.h"
#include "NetVar.h"
#include "Login.h"
#include "analyzer/protocols/login/Login.h"
class BackDoorEndpoint {
public:


@ -0,0 +1,9 @@
include(BroPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(BackDoor)
bro_plugin_cc(BackDoor.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_end()


@ -0,0 +1,10 @@
#include "plugin/Plugin.h"
#include "BackDoor.h"
BRO_PLUGIN_BEGIN(BackDoor)
BRO_PLUGIN_DESCRIPTION("Backdoor Analyzer (deprecated)");
BRO_PLUGIN_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer);
BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END


@ -1,7 +1,7 @@
// This code contributed by Nadi Sarrar.
#include "BitTorrent.h"
#include "TCP_Reassembler.h"
#include "analyzer/protocols/tcp/TCP_Reassembler.h"
BitTorrent_Analyzer::BitTorrent_Analyzer(Connection* c)
: TCP_ApplicationAnalyzer("BITTORRENT", c)


@ -3,7 +3,7 @@
#ifndef bittorrent_h
#define bittorrent_h
#include "TCP.h"
#include "analyzer/protocols/tcp/TCP.h"
#include "bittorrent_pac.h"


@ -1,7 +1,7 @@
// This code contributed by Nadi Sarrar.
#include "BitTorrentTracker.h"
#include "TCP_Reassembler.h"
#include "analyzer/protocols/tcp/TCP_Reassembler.h"
#include <sys/types.h>
#include <regex.h>


@ -3,7 +3,7 @@
#ifndef bittorrenttracker_h
#define bittorrenttracker_h
#include "TCP.h"
#include "analyzer/protocols/tcp/TCP.h"
#define BTTRACKER_BUF 2048


@ -0,0 +1,10 @@
include(BroPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(BitTorrent)
bro_plugin_cc(BitTorrent.cc BitTorrentTracker.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_pac(bittorrent.pac bittorrent-analyzer.pac bittorrent-protocol.pac)
bro_plugin_end()


@ -0,0 +1,12 @@
#include "plugin/Plugin.h"
#include "BitTorrent.h"
#include "BitTorrentTracker.h"
BRO_PLUGIN_BEGIN(BitTorrent)
BRO_PLUGIN_DESCRIPTION("BitTorrent Analyzer");
BRO_PLUGIN_ANALYZER("BitTorrent", BitTorrent_Analyzer::InstantiateAnalyzer);
BRO_PLUGIN_ANALYZER("BitTorrentTracker", BitTorrentTracker_Analyzer::InstantiateAnalyzer);
BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END
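Review bot: The analyzer names registered here (`"BitTorrent"`, `"BitTorrentTracker"`) are mixed-case while every other plugin in this commit registers an all-caps name (`"AYIYA"`, `"BACKDOOR"`, `"CONNSIZE"`, `"DCE_RPC"`, `"DHCP"`, `"DNS"`, ...) and BitTorrent.cc still constructs the analyzer as `TCP_ApplicationAnalyzer("BITTORRENT", c)`. The manager upper-cases the name on registration, so the registry key is unaffected, but the mismatch between the registered name and the one the analyzer reports for itself is easy to trip over wherever the two are compared. Until the TODO item about lower-casing plugin names is done, `"BITTORRENT"`/`"BITTORRENTTRACKER"` here (and `"FILE"` in the File plugin) keeps the set consistent.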


@ -0,0 +1,9 @@
include(BroPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(ConnSize)
bro_plugin_cc(ConnSize.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_end()


@ -3,8 +3,8 @@
// See ConnSize.h for more extensive comments.
#include "ConnSizeAnalyzer.h"
#include "TCP.h"
#include "ConnSize.h"
#include "analyzer/protocols/tcp/TCP.h"


@ -0,0 +1,10 @@
#include "plugin/Plugin.h"
#include "ConnSize.h"
BRO_PLUGIN_BEGIN(ConnSize)
BRO_PLUGIN_DESCRIPTION("Connection size analyzer");
BRO_PLUGIN_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer);
BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END


@ -0,0 +1,11 @@
include(BroPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(DCE_RPC)
bro_plugin_cc(DCE_RPC.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_pac(dce_rpc.pac dce_rpc-protocol.pac dce_rpc-analyzer.pac)
bro_plugin_pac(dce_rpc_simple.pac dce_rpc-protocol.pac epmapper.pac)
bro_plugin_end()


@ -7,7 +7,7 @@
// Windows systems) and shouldn't be considered as stable.
#include "NetVar.h"
#include "TCP.h"
#include "analyzer/protocols/tcp/TCP.h"
#include "IPAddr.h"
#include "dce_rpc_simple_pac.h"


@ -0,0 +1,11 @@
#include "plugin/Plugin.h"
#include "DCE_RPC.h"
BRO_PLUGIN_BEGIN(DCE_RPC)
BRO_PLUGIN_DESCRIPTION("DCE-RPC Analyzer");
BRO_PLUGIN_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer);
BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DCE_RPC");
BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END


@ -0,0 +1,10 @@
include(BroPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(DHCP)
bro_plugin_cc(DHCP.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_pac(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac)
bro_plugin_end()


@ -1,22 +1,23 @@
#include "DHCP-binpac.h"
DHCP_Analyzer_binpac::DHCP_Analyzer_binpac(Connection* conn)
#include "DHCP.h"
DHCP_Analyzer::DHCP_Analyzer(Connection* conn)
: Analyzer("DHCP", conn)
{
interp = new binpac::DHCP::DHCP_Conn(this);
}
DHCP_Analyzer_binpac::~DHCP_Analyzer_binpac()
DHCP_Analyzer::~DHCP_Analyzer()
{
delete interp;
}
void DHCP_Analyzer_binpac::Done()
void DHCP_Analyzer::Done()
{
Analyzer::Done();
}
void DHCP_Analyzer_binpac::DeliverPacket(int len, const u_char* data,
void DHCP_Analyzer::DeliverPacket(int len, const u_char* data,
bool orig, int seq, const IP_Hdr* ip, int caplen)
{
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);


@ -1,22 +1,21 @@
#ifndef dhcp_binpac_h
#define dhcp_binpac_h
#include "UDP.h"
#include "analyzer/protocols/udp/UDP.h"
#include "dhcp_pac.h"
class DHCP_Analyzer_binpac : public analyzer::Analyzer {
class DHCP_Analyzer : public analyzer::Analyzer {
public:
DHCP_Analyzer_binpac(Connection* conn);
virtual ~DHCP_Analyzer_binpac();
DHCP_Analyzer(Connection* conn);
virtual ~DHCP_Analyzer();
virtual void Done();
virtual void DeliverPacket(int len, const u_char* data, bool orig,
int seq, const IP_Hdr* ip, int caplen);
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new DHCP_Analyzer_binpac(conn); }
{ return new DHCP_Analyzer(conn); }
protected:
binpac::DHCP::DHCP_Conn* interp;
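Review bot: The include guard is still `dhcp_binpac_h` although the header is now DHCP.h and the class DHCP_Analyzer; the File plugin's header keeps `FILEANALYZER_H` the same way. The TODO file lists updating `*.h` guards as future work, but since both headers are being rewritten in this commit anyway, `#ifndef dhcp_h` / `#define dhcp_h` here (provided no other header already uses that guard) avoids a second pass over the same files. The end of the class and the matching `#endif` are outside the hunk.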


@ -0,0 +1,10 @@
#include "plugin/Plugin.h"
#include "DHCP.h"
BRO_PLUGIN_BEGIN(DHCP)
BRO_PLUGIN_DESCRIPTION("DHCP Analyzer");
BRO_PLUGIN_ANALYZER("DHCP", DHCP_Analyzer::InstantiateAnalyzer);
BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END



@ -0,0 +1,9 @@
include(BroPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(DNS)
bro_plugin_cc(DNS.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_end()


@ -3,7 +3,7 @@
#ifndef dns_h
#define dns_h
#include "TCP.h"
#include "analyzer/protocols/tcp/TCP.h"
#include "binpac_bro.h"
typedef enum {


@ -0,0 +1,11 @@
#include "plugin/Plugin.h"
#include "DNS.h"
BRO_PLUGIN_BEGIN(DNS)
BRO_PLUGIN_DESCRIPTION("DNS Analyzer");
BRO_PLUGIN_ANALYZER("DNS", DNS_Analyzer::InstantiateAnalyzer);
BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DNS");
BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END



@ -0,0 +1,9 @@
include(BroPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(File)
bro_plugin_cc(File.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_end()


@ -1,6 +1,6 @@
#include <algorithm>
#include "FileAnalyzer.h"
#include "File.h"
#include "Reporter.h"
#include "util.h"


@ -3,7 +3,7 @@
#ifndef FILEANALYZER_H
#define FILEANALYZER_H
#include "TCP.h"
#include "analyzer/protocols/tcp/TCP.h"
#include <magic.h>


@ -0,0 +1,10 @@
#include "plugin/Plugin.h"
#include "./File.h"
BRO_PLUGIN_BEGIN(File)
BRO_PLUGIN_DESCRIPTION("Generic File Analyzer");
BRO_PLUGIN_ANALYZER("File", File_Analyzer::InstantiateAnalyzer);
BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END
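Review bot: `#include "./File.h"` resolves exactly as `#include "File.h"` does in the other Plugin.cc files, because a quoted include already searches the including file's directory before any `-I` path; the `./` prefix buys nothing. If it was meant to steer away from the core `File.h`, that is already guaranteed by the lookup order, so dropping the `./` keeps this file in line with the other plugins.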



@ -0,0 +1,9 @@
include(BroPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(Finger)
bro_plugin_cc(Finger.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_end()


@ -7,7 +7,7 @@
#include "NetVar.h"
#include "Finger.h"
#include "Event.h"
#include "ContentLine.h"
#include "analyzer/protocols/tcp/ContentLine.h"
Finger_Analyzer::Finger_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer("FINGER", conn)


@ -3,7 +3,7 @@
#ifndef finger_h
#define finger_h
#include "TCP.h"
#include "analyzer/protocols/tcp/TCP.h"
class ContentLine_Analyzer;


@ -0,0 +1,10 @@
#include "plugin/Plugin.h"
#include "Finger.h"
BRO_PLUGIN_BEGIN(Finger)
BRO_PLUGIN_DESCRIPTION("Finger Analyzer");
BRO_PLUGIN_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer);
BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END



@ -0,0 +1,9 @@
include(BroPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(FTP)
bro_plugin_cc(FTP.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_end()


@ -6,10 +6,10 @@
#include "NetVar.h"
#include "FTP.h"
#include "NVT.h"
#include "Event.h"
#include "Base64.h"
#include "analyzer/Manager.h"
#include "analyzer/protocols/login/NVT.h"
FTP_Analyzer::FTP_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer("FTP", conn)


@ -3,8 +3,8 @@
#ifndef ftp_h
#define ftp_h
#include "NVT.h"
#include "TCP.h"
#include "analyzer/protocols/login/NVT.h"
#include "analyzer/protocols/tcp/TCP.h"
class FTP_Analyzer : public TCP_ApplicationAnalyzer {
public:


@ -0,0 +1,11 @@
#include "plugin/Plugin.h"
#include "FTP.h"
BRO_PLUGIN_BEGIN(FTP)
BRO_PLUGIN_DESCRIPTION("FTP Analyzer");
BRO_PLUGIN_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer);
BRO_PLUGIN_SUPPORT_ANALYZER("FTP_ADAT");
BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END



@ -0,0 +1,9 @@
include(BroPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(Gnutella)
bro_plugin_cc(Gnutella.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_end()


@ -9,7 +9,7 @@
#include "NetVar.h"
#include "Gnutella.h"
#include "Event.h"
#include "PIA.h"
#include "analyzer/protocols/pia/PIA.h"
#include "analyzer/Manager.h"
GnutellaMsgState::GnutellaMsgState()


@ -3,7 +3,7 @@
#ifndef gnutella_h
#define gnutella_h
#include "TCP.h"
#include "analyzer/protocols/tcp/TCP.h"
#define ORIG_OK 0x1
#define RESP_OK 0x2


@ -0,0 +1,10 @@
#include "plugin/Plugin.h"
#include "Gnutella.h"
BRO_PLUGIN_BEGIN(Gnutella)
BRO_PLUGIN_DESCRIPTION("Gnutella Analyzer");
BRO_PLUGIN_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer);
BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END


@ -0,0 +1,10 @@
include(BroPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(GTPV1)
bro_plugin_cc(GTPv1.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_pac(gtpv1.pac gtpv1-protocol.pac gtpv1-analyzer.pac)
bro_plugin_end()


@ -0,0 +1,10 @@
#include "plugin/Plugin.h"
#include "GTPv1.h"
BRO_PLUGIN_BEGIN(GTPV1)
BRO_PLUGIN_DESCRIPTION("GTPv1 Analyzer");
BRO_PLUGIN_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer);
BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END



@ -3,15 +3,16 @@
#ifndef http_h
#define http_h
#include "TCP.h"
#include "ContentLine.h"
#include "analyzer/protocols/tcp/TCP.h"
#include "analyzer/protocols/tcp/ContentLine.h"
#include "analyzer/protocols/zip/ZIP.h"
#include "MIME.h"
#include "binpac_bro.h"
#include "ZIP.h"
#include "IPAddr.h"
#include "HTTP.h"
#include "events.bif.h"
#include "HTTP.h"
enum CHUNKED_TRANSFER_STATE {
NON_CHUNKED_TRANSFER,
BEFORE_CHUNK,
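Review bot: `#include "events.bif.h"` is added by bare name to a header that this commit also includes from outside the http plugin directory (core files now use `analyzer/protocols/<name>/X.h` paths). Every plugin's `bro_plugin_bif(events.bif)` presumably generates its own `events.bif.h`, and each plugin CMakeLists prepends its own binary directory with `include_directories(BEFORE ...)`, so a source in another plugin that pulls in this header would pick up that plugin's `events.bif.h` instead of http's, and a core source would find one only if its include path happens to cover the http binary directory; `#include "analyzer/protocols/http/events.bif.h"` removes the ambiguity. If this hunk is HTTP.h itself, the `#include "HTTP.h"` line moved below it is a guarded self-include and can simply be dropped; the file name is not visible here.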


@ -0,0 +1,9 @@
include(BroPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(ICMP)
bro_plugin_cc(ICMP.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_end()


@ -0,0 +1,10 @@
#include "plugin/Plugin.h"
#include "ICMP.h"
BRO_PLUGIN_BEGIN(ICMP)
BRO_PLUGIN_DESCRIPTION("ICMP Analyzer");
BRO_PLUGIN_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer);
BRO_PLUGIN_BIF_FILE(events);
BRO_PLUGIN_END
