mirror of
https://github.com/zeek/zeek.git
synced 2025-10-17 05:58:20 +00:00
Merge branch 'master' into topic/jsiwek/broker
This commit is contained in:
Jon Siwek
commit
e95116ba85
26 changed files with 328 additions and 54 deletions
|
|
@ -1 +1 @@
|
|||
Subproject commit 7e15efe9d28d46bfa662fcdd1cbb15ce1db285c9
|
||||
Subproject commit f2e34d731ed29bb993fbb065846faa342a8c824f
|
||||
|
|
@ -323,7 +323,7 @@ int BroFunc::IsPure() const
|
|||
Val* BroFunc::Call(val_list* args, Frame* parent) const
|
||||
{
|
||||
#ifdef PROFILE_BRO_FUNCTIONS
|
||||
DEBUG_MSG("Function: %s\n", id->Name());
|
||||
DEBUG_MSG("Function: %s\n", Name());
|
||||
#endif
|
||||
|
||||
SegmentProfiler(segment_logger, location);
|
||||
|
|
|
|||
|
|
@ -57,8 +57,7 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
|
|||
// with the rest of the conneciton.
|
||||
//
|
||||
// Note that we assume that no payload data arrives before both endpoints
|
||||
// are done with there part of the SOCKS protocol.
|
||||
|
||||
// are done with their part of the SOCKS protocol.
|
||||
if ( ! pia )
|
||||
{
|
||||
pia = new pia::PIA_TCP(Conn());
|
||||
|
|
|
|||
|
|
@ -27,3 +27,19 @@ event socks_request%(c: connection, version: count, request_type: count, sa: SOC
|
|||
## p: The destination port for the proxied traffic.
|
||||
event socks_reply%(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port%);
|
||||
|
||||
## Generated when a SOCKS client performs username and password based login.
|
||||
##
|
||||
## c: The parent connection of the proxy.
|
||||
##
|
||||
## user: The given username.
|
||||
##
|
||||
## password: The given password.
|
||||
event socks_login_userpass_request%(c: connection, user: string, password: string%);
|
||||
|
||||
## Generated when a SOCKS server replies to a username/password login attempt.
|
||||
##
|
||||
## c: The parent connection of the proxy.
|
||||
##
|
||||
## code: The response code for the attempted login.
|
||||
event socks_login_userpass_reply%(c: connection, code: count%);
|
||||
|
||||
|
|
|
|||
|
|
@ -148,6 +148,37 @@ refine connection SOCKS_Conn += {
|
|||
return true;
|
||||
%}
|
||||
|
||||
function socks5_auth_request_userpass(request: SOCKS5_Auth_Request_UserPass_v1): bool
|
||||
%{
|
||||
StringVal* user = new StringVal(${request.username}.length(), (const char*) ${request.username}.begin());
|
||||
StringVal* pass = new StringVal(${request.password}.length(), (const char*) ${request.password}.begin());
|
||||
|
||||
BifEvent::generate_socks_login_userpass_request(bro_analyzer(),
|
||||
bro_analyzer()->Conn(),
|
||||
user, pass);
|
||||
return true;
|
||||
%}
|
||||
|
||||
function socks5_unsupported_authentication_method(auth_method: uint8): bool
|
||||
%{
|
||||
reporter->Weird(bro_analyzer()->Conn(), fmt("socks5_unsupported_authentication_method_%d", auth_method));
|
||||
return true;
|
||||
%}
|
||||
|
||||
function socks5_unsupported_authentication_version(auth_method: uint8, version: uint8): bool
|
||||
%{
|
||||
reporter->Weird(bro_analyzer()->Conn(), fmt("socks5_unsupported_authentication_%d_%d", auth_method, version));
|
||||
return true;
|
||||
%}
|
||||
|
||||
function socks5_auth_reply_userpass(reply: SOCKS5_Auth_Reply_UserPass_v1): bool
|
||||
%{
|
||||
BifEvent::generate_socks_login_userpass_reply(bro_analyzer(),
|
||||
bro_analyzer()->Conn(),
|
||||
${reply.code});
|
||||
return true;
|
||||
%}
|
||||
|
||||
function version_error(version: uint8): bool
|
||||
%{
|
||||
bro_analyzer()->ProtocolViolation(fmt("unsupported/unknown SOCKS version %d", version));
|
||||
|
|
@ -176,3 +207,22 @@ refine typeattr SOCKS5_Request += &let {
|
|||
refine typeattr SOCKS5_Reply += &let {
|
||||
proc: bool = $context.connection.socks5_reply(this);
|
||||
};
|
||||
|
||||
refine typeattr SOCKS5_Auth_Negotiation_Reply += &let {
|
||||
};
|
||||
|
||||
refine typeattr SOCKS5_Auth_Request_UserPass_v1 += &let {
|
||||
proc: bool = $context.connection.socks5_auth_request_userpass(this);
|
||||
};
|
||||
|
||||
refine typeattr SOCKS5_Auth_Reply_UserPass_v1 += &let {
|
||||
proc: bool = $context.connection.socks5_auth_reply_userpass(this);
|
||||
};
|
||||
|
||||
refine typeattr SOCKS5_Unsupported_Authentication_Method += &let {
|
||||
proc: bool = $context.connection.socks5_unsupported_authentication_method($context.connection.v5_auth_method());
|
||||
};
|
||||
|
||||
refine typeattr SOCKS5_Unsupported_Authentication_Version += &let {
|
||||
proc: bool = $context.connection.socks5_unsupported_authentication_version($context.connection.v5_auth_method(), version);
|
||||
};
|
||||
|
|
|
|||
|
|
@ -1,10 +1,15 @@
|
|||
|
||||
type SOCKS_Message(is_orig: bool) = case $context.connection.v5_in_auth_sub_negotiation() of {
|
||||
true -> auth: SOCKS5_Auth_Message(is_orig);
|
||||
false -> msg: SOCKS_Version(is_orig);
|
||||
};
|
||||
|
||||
type SOCKS_Version(is_orig: bool) = record {
|
||||
version: uint8;
|
||||
msg: case version of {
|
||||
4 -> socks4_msg: SOCKS4_Message(is_orig);
|
||||
5 -> socks5_msg: SOCKS5_Message(is_orig);
|
||||
default -> socks_msg_fail: SOCKS_Version_Error(version);
|
||||
4 -> socks4_msg: SOCKS4_Message(is_orig);
|
||||
5 -> socks5_msg: SOCKS5_Message(is_orig);
|
||||
default -> socks_msg_fail: SOCKS_Version_Error(version);
|
||||
};
|
||||
};
|
||||
|
||||
|
|
@ -14,10 +19,11 @@ type SOCKS_Version_Error(version: uint8) = record {
|
|||
|
||||
# SOCKS5 Implementation
|
||||
type SOCKS5_Message(is_orig: bool) = case $context.connection.v5_past_authentication() of {
|
||||
true -> msg: SOCKS5_Real_Message(is_orig);
|
||||
false -> auth: SOCKS5_Auth_Negotiation(is_orig);
|
||||
true -> msg: SOCKS5_Real_Message(is_orig);
|
||||
};
|
||||
|
||||
|
||||
type SOCKS5_Auth_Negotiation(is_orig: bool) = case is_orig of {
|
||||
true -> req: SOCKS5_Auth_Negotiation_Request;
|
||||
false -> rep: SOCKS5_Auth_Negotiation_Reply;
|
||||
|
|
@ -31,7 +37,61 @@ type SOCKS5_Auth_Negotiation_Request = record {
|
|||
type SOCKS5_Auth_Negotiation_Reply = record {
|
||||
selected_auth_method: uint8;
|
||||
} &let {
|
||||
in_auth_sub_neg = $context.connection.set_v5_in_auth_sub_negotiation(selected_auth_method == 0 || selected_auth_method == 0xff ? false : true);
|
||||
past_auth = $context.connection.set_v5_past_authentication();
|
||||
set_auth = $context.connection.set_v5_auth_method(selected_auth_method);
|
||||
};
|
||||
|
||||
type SOCKS5_Auth_Message(is_orig: bool) = case is_orig of {
|
||||
true -> req: SOCKS5_Auth_Request;
|
||||
false -> rep: SOCKS5_Auth_Reply;
|
||||
};
|
||||
|
||||
type SOCKS5_Auth_Request = case $context.connection.v5_auth_method() of {
|
||||
0x02 -> userpass : SOCKS5_Auth_Request_UserPass;
|
||||
default -> unsupported : SOCKS5_Unsupported_Authentication_Method;
|
||||
};
|
||||
|
||||
type SOCKS5_Unsupported_Authentication_Method = record {
|
||||
crap: bytestring &restofdata;
|
||||
};
|
||||
|
||||
type SOCKS5_Unsupported_Authentication_Version(version: uint8) = record {
|
||||
crap: bytestring &restofdata;
|
||||
};
|
||||
|
||||
type SOCKS5_Auth_Request_UserPass = record {
|
||||
version: uint8;
|
||||
msg: case version of {
|
||||
1 -> v1: SOCKS5_Auth_Request_UserPass_v1;
|
||||
default -> unsupported: SOCKS5_Unsupported_Authentication_Version(version);
|
||||
};
|
||||
};
|
||||
|
||||
type SOCKS5_Auth_Request_UserPass_v1 = record {
|
||||
ulen : uint8;
|
||||
username : bytestring &length=ulen;
|
||||
plen : uint8;
|
||||
password : bytestring &length=plen;
|
||||
};
|
||||
|
||||
type SOCKS5_Auth_Reply = case $context.connection.v5_auth_method() of {
|
||||
0x02 -> userpass : SOCKS5_Auth_Reply_UserPass;
|
||||
default -> unsupported : SOCKS5_Unsupported_Authentication_Method;
|
||||
} &let {
|
||||
in_auth_sub_neg = $context.connection.set_v5_in_auth_sub_negotiation(false);
|
||||
};
|
||||
|
||||
type SOCKS5_Auth_Reply_UserPass = record {
|
||||
version: uint8;
|
||||
msg: case version of {
|
||||
1 -> v1: SOCKS5_Auth_Reply_UserPass_v1;
|
||||
default -> unsupported: SOCKS5_Unsupported_Authentication_Version(version);
|
||||
};
|
||||
};
|
||||
|
||||
type SOCKS5_Auth_Reply_UserPass_v1 = record {
|
||||
code : uint8;
|
||||
};
|
||||
|
||||
type SOCKS5_Real_Message(is_orig: bool) = case is_orig of {
|
||||
|
|
@ -55,10 +115,10 @@ type SOCKS5_Address = record {
|
|||
} &byteorder = bigendian;
|
||||
|
||||
type SOCKS5_Request = record {
|
||||
command: uint8;
|
||||
reserved: uint8;
|
||||
remote_name: SOCKS5_Address;
|
||||
port: uint16;
|
||||
command : uint8;
|
||||
reserved : uint8;
|
||||
remote_name : SOCKS5_Address;
|
||||
port : uint16;
|
||||
} &byteorder = bigendian;
|
||||
|
||||
type SOCKS5_Reply = record {
|
||||
|
|
@ -98,13 +158,28 @@ type SOCKS4_Reply = record {
|
|||
|
||||
refine connection SOCKS_Conn += {
|
||||
%member{
|
||||
bool v5_in_auth_sub_negotiation_;
|
||||
bool v5_authenticated_;
|
||||
uint8 selected_auth_method_;
|
||||
%}
|
||||
|
||||
%init{
|
||||
v5_in_auth_sub_negotiation_ = false;
|
||||
v5_authenticated_ = false;
|
||||
selected_auth_method_ = 255;
|
||||
%}
|
||||
|
||||
function v5_in_auth_sub_negotiation(): bool
|
||||
%{
|
||||
return v5_in_auth_sub_negotiation_;
|
||||
%}
|
||||
|
||||
function set_v5_in_auth_sub_negotiation(b: bool): bool
|
||||
%{
|
||||
v5_in_auth_sub_negotiation_ = b;
|
||||
return true;
|
||||
%}
|
||||
|
||||
function v5_past_authentication(): bool
|
||||
%{
|
||||
return v5_authenticated_;
|
||||
|
|
@ -115,5 +190,16 @@ refine connection SOCKS_Conn += {
|
|||
v5_authenticated_ = true;
|
||||
return true;
|
||||
%}
|
||||
|
||||
function set_v5_auth_method(method: uint8): bool
|
||||
%{
|
||||
selected_auth_method_ = method;
|
||||
return true;
|
||||
%}
|
||||
|
||||
function v5_auth_method(): uint8
|
||||
%{
|
||||
return selected_auth_method_;
|
||||
%}
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ connection SOCKS_Conn(bro_analyzer: BroAnalyzer) {
|
|||
%include socks-protocol.pac
|
||||
|
||||
flow SOCKS_Flow(is_orig: bool) {
|
||||
datagram = SOCKS_Version(is_orig) withcontext(connection, this);
|
||||
datagram = SOCKS_Message(is_orig) withcontext(connection, this);
|
||||
};
|
||||
|
||||
%include socks-analyzer.pac
|
||||
|
|
|
|||
|
|
@ -492,18 +492,22 @@ void File::EndOfFile()
|
|||
if ( done )
|
||||
return;
|
||||
|
||||
if ( ! did_mime_type &&
|
||||
LookupFieldDefaultCount(missing_bytes_idx) == 0 )
|
||||
DetectMIME();
|
||||
|
||||
analyzers.DrainModifications();
|
||||
|
||||
if ( file_reassembler )
|
||||
{
|
||||
file_reassembler->Flush();
|
||||
analyzers.DrainModifications();
|
||||
}
|
||||
|
||||
// Mark the bof_buffer as full in case it isn't yet
|
||||
// so that the whole thing can be flushed out to
|
||||
// any stream analyzers.
|
||||
if ( ! bof_buffer.full )
|
||||
{
|
||||
bof_buffer.full = true;
|
||||
DeliverStream((const u_char*) "", 0);
|
||||
}
|
||||
|
||||
analyzers.DrainModifications();
|
||||
|
||||
done = true;
|
||||
|
||||
file_analysis::Analyzer* a = 0;
|
||||
|
|
|
|||
|
|
@ -172,7 +172,7 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_
|
|||
|
||||
// Load {bif,scripts}/__load__.bro automatically.
|
||||
|
||||
string init = dir + "scripts/__load__.bro";
|
||||
string init = dir + "lib/bif/__load__.bro";
|
||||
|
||||
if ( is_file(init) )
|
||||
{
|
||||
|
|
@ -180,7 +180,7 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_
|
|||
scripts_to_load.push_back(init);
|
||||
}
|
||||
|
||||
init = dir + "lib/bif/__load__.bro";
|
||||
init = dir + "scripts/__load__.bro";
|
||||
|
||||
if ( is_file(init) )
|
||||
{
|
||||
|
|
|
|||
|
|
@ -48,8 +48,8 @@
|
|||
#endif
|
||||
|
||||
#ifdef USE_PERFTOOLS_DEBUG
|
||||
#include <google/heap-checker.h>
|
||||
#include <google/heap-profiler.h>
|
||||
#include <gperftools/heap-checker.h>
|
||||
#include <gperftools/heap-profiler.h>
|
||||
extern HeapLeakChecker* heap_checker;
|
||||
#endif
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue