Make default packet analyzer definition explicit.

Jan Grashoefer 2020-09-07 19:01:02 +02:00 committed by Tim Wojtulewicz
parent 8f951574d7
commit efa262a229
15 changed files with 64 additions and 31 deletions


@ -5355,7 +5355,7 @@ export {
## A numeric identifier, which can be found in the packet data, that denotes the ## A numeric identifier, which can be found in the packet data, that denotes the
## encapsulated protocol. This field is optional. If it is not included, the ## encapsulated protocol. This field is optional. If it is not included, the
## configured child analyzer will be used as default analyzer. ## configured child analyzer will be used as default analyzer.
identifier : count &optional; identifier : count;
## The analyzer that corresponds to the above identifier. ## The analyzer that corresponds to the above identifier.
analyzer : PacketAnalyzer::Tag; analyzer : PacketAnalyzer::Tag;
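Review bot: The doc comment above `identifier` is now stale: the field loses its `&optional` on line 15, yet the comment two lines earlier still says the field is optional and that omitting it selects the configured child analyzer as default. Elsewhere in this commit the default now comes from each module's `default_analyzer` constant (loaded by `Analyzer::Initialize`), so the comment should point there instead; I'd replace the last two comment lines with `## encapsulated protocol. A parent's default child analyzer is no longer` / `## configured here but via the parent module's default_analyzer constant.` The enclosing record declaration starts outside the hunk.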


@ -1,3 +1,4 @@
@load base/packet-protocols/root
@load base/packet-protocols/ip @load base/packet-protocols/ip
@load base/packet-protocols/skip @load base/packet-protocols/skip
@load base/packet-protocols/ethernet @load base/packet-protocols/ethernet


@ -1,6 +1,9 @@
module PacketAnalyzer::Ethernet; module PacketAnalyzer::ETHERNET;
export { export {
## Default analyzer
const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;
## IEEE 802.2 SNAP analyzer ## IEEE 802.2 SNAP analyzer
const snap_analyzer: PacketAnalyzer::Tag &redef; const snap_analyzer: PacketAnalyzer::Tag &redef;
## Novell raw IEEE 802.3 analyzer ## Novell raw IEEE 802.3 analyzer
@ -22,5 +25,4 @@ redef PacketAnalyzer::config_map += {
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x88A8, $analyzer=PacketAnalyzer::ANALYZER_VLAN), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x88A8, $analyzer=PacketAnalyzer::ANALYZER_VLAN),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x9100, $analyzer=PacketAnalyzer::ANALYZER_VLAN), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x9100, $analyzer=PacketAnalyzer::ANALYZER_VLAN),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $identifier=0x8864, $analyzer=PacketAnalyzer::ANALYZER_PPPOE),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ETHERNET, $analyzer=PacketAnalyzer::ANALYZER_IP)
}; };


@ -1,8 +1,12 @@
module PacketAnalyzer::FDDI; module PacketAnalyzer::FDDI;
export {
## Default analyzer
const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;
}
const DLT_FDDI : count = 10; const DLT_FDDI : count = 10;
redef PacketAnalyzer::config_map += { redef PacketAnalyzer::config_map += {
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_FDDI, $analyzer=PacketAnalyzer::ANALYZER_FDDI), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=DLT_FDDI, $analyzer=PacketAnalyzer::ANALYZER_FDDI),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_FDDI, $analyzer=PacketAnalyzer::ANALYZER_IP)
}; };


@ -1,7 +1,6 @@
module PacketAnalyzer::IP; module PacketAnalyzer::IP;
redef PacketAnalyzer::config_map += { redef PacketAnalyzer::config_map += {
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $analyzer=PacketAnalyzer::ANALYZER_IP),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=4, $analyzer=PacketAnalyzer::ANALYZER_IPV4), PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=4, $analyzer=PacketAnalyzer::ANALYZER_IPV4),
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=6, $analyzer=PacketAnalyzer::ANALYZER_IPV6) PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_IP, $identifier=6, $analyzer=PacketAnalyzer::ANALYZER_IPV6)
}; };


@ -1,5 +1,6 @@
module PacketAnalyzer::MPLS; module PacketAnalyzer::MPLS;
redef PacketAnalyzer::config_map += { export {
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_MPLS, $analyzer=PacketAnalyzer::ANALYZER_IP) ## Default analyzer
}; const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;
}


@ -0,0 +1 @@
@load ./main


@ -0,0 +1,6 @@
module PacketAnalyzer::ROOT;
export {
## Default analyzer (if we don't know the link type, we assume raw IP)
const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;
}


@ -1,10 +1,9 @@
module PacketAnalyzer::SkipAnalyzer; module PacketAnalyzer::SKIP;
export { export {
## Default analyzer
const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;
## Bytes to skip. ## Bytes to skip.
const skip_bytes: count = 0 &redef; const skip_bytes: count = 0 &redef;
} }
redef PacketAnalyzer::config_map += {
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_SKIP, $analyzer=PacketAnalyzer::ANALYZER_IP)
};


@ -2,6 +2,7 @@
#include "Analyzer.h" #include "Analyzer.h"
#include "Dict.h"
#include "DebugLogger.h" #include "DebugLogger.h"
namespace zeek::packet_analysis { namespace zeek::packet_analysis {
@ -26,6 +27,26 @@ void Analyzer::Init(const Tag& _tag)
tag = _tag; tag = _tag;
} }
void Analyzer::Initialize()
{
std::string ns = util::fmt("PacketAnalyzer::%s::", GetAnalyzerName());
default_analyzer = LoadAnalyzer(ns +"default_analyzer");
}
zeek::packet_analysis::AnalyzerPtr Analyzer::LoadAnalyzer(const std::string &name)
{
auto& analyzer = zeek::id::find(name);
if ( ! analyzer )
return nullptr;
auto& analyzer_val = analyzer->GetVal();
if ( ! analyzer_val )
return nullptr;
return packet_mgr->GetAnalyzer(analyzer_val->AsEnumVal());
}
const Tag Analyzer::GetAnalyzerTag() const const Tag Analyzer::GetAnalyzerTag() const
{ {
assert(tag); assert(tag);
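Review bot: `Analyzer::Initialize` leaves `default_analyzer` silently null when the script-land identifier is missing or unset, because `LoadAnalyzer` returns nullptr on both paths without any diagnostic; a misspelled or renamed module (the name is derived from `GetAnalyzerName()` at runtime) would then quietly drop every packet that reaches the default path, which is a detection gap rather than a visible error. I'd add after the assignment in Initialize a diagnostic such as `if ( ! default_analyzer ) reporter->Warning("%s: no default_analyzer defined in script-land", GetAnalyzerName());` (or a DBG_LOG line, since DebugLogger.h is already included), assuming the reporter is reachable from this file. Separately, `analyzer_val->AsEnumVal()` is called without checking the value's type, so a redef that gives the identifier a non-enum type would, as far as I can tell, fail inside AsEnumVal rather than be reported as a configuration error. The added `#include "Dict.h"` does not appear to be used by the visible new code.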


@ -37,8 +37,10 @@ public:
* Initialize the analyzer. This method is called after the configuration * Initialize the analyzer. This method is called after the configuration
* was read. Derived classes can override this method to implement custom * was read. Derived classes can override this method to implement custom
* initialization. * initialization.
* When overriding this methods, always make sure to call the base-class
* version to ensure proper initialization.
*/ */
virtual void Initialize() { }; virtual void Initialize();
/** /**
* Returns the tag associated with the analyzer's type. * Returns the tag associated with the analyzer's type.
@ -109,6 +111,14 @@ protected:
*/ */
AnalyzerPtr Lookup(uint32_t identifier) const; AnalyzerPtr Lookup(uint32_t identifier) const;
/**
* Returns an analyzer based on a script-land definition.
*
* @param name The script-land identifier for a PacketAnalyzer::Tag value.
* @return The defined analyzer if available, else nullptr.
*/
AnalyzerPtr LoadAnalyzer(const std::string& name);
/** /**
* Triggers analysis of the encapsulated packet. The encapsulated protocol * Triggers analysis of the encapsulated packet. The encapsulated protocol
* is determined using the given identifier. * is determined using the given identifier.
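Review bot: The updated `Initialize()` comment tells derived classes to call the base-class version but never says what the base does, so a reader cannot tell what is lost by skipping it; from Analyzer.cc in this commit it loads the analyzer's default child from `PacketAnalyzer::<NAME>::default_analyzer`. I'd add, before the `When overriding` sentence, `* The base implementation loads the default child analyzer from the` / `* script-land constant PacketAnalyzer::<NAME>::default_analyzer.` The class body continues outside the hunk.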


@ -13,24 +13,13 @@ EthernetAnalyzer::EthernetAnalyzer()
void EthernetAnalyzer::Initialize() void EthernetAnalyzer::Initialize()
{ {
Analyzer::Initialize();
SNAPAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::snap_analyzer"); SNAPAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::snap_analyzer");
NovellRawAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::novell_raw_analyzer"); NovellRawAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::novell_raw_analyzer");
LLCAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::llc_analyzer"); LLCAnalyzer = LoadAnalyzer("PacketAnalyzer::Ethernet::llc_analyzer");
} }
zeek::packet_analysis::AnalyzerPtr EthernetAnalyzer::LoadAnalyzer(const std::string &name)
{
auto& analyzer = zeek::id::find(name);
if ( ! analyzer )
return nullptr;
auto& analyzer_val = analyzer->GetVal();
if ( ! analyzer_val )
return nullptr;
return packet_mgr->GetAnalyzer(analyzer_val->AsEnumVal());
}
bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) bool EthernetAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{ {
// Make sure that we actually got an entire ethernet header before trying // Make sure that we actually got an entire ethernet header before trying
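Review bot: The three `LoadAnalyzer` calls in `EthernetAnalyzer::Initialize` still look up `PacketAnalyzer::Ethernet::snap_analyzer`, `...::novell_raw_analyzer` and `...::llc_analyzer`, but this same commit renames the script module to `PacketAnalyzer::ETHERNET` (the Skip analyzer got the matching C++ update to `PacketAnalyzer::SKIP::skip_bytes`). Because `LoadAnalyzer` returns nullptr for an unknown identifier, `SNAPAnalyzer`, `NovellRawAnalyzer` and `LLCAnalyzer` would silently stay null and those frame types would no longer be dispatched, with nothing logged. Unless an alias module keeps the old names, the three strings should become `"PacketAnalyzer::ETHERNET::snap_analyzer"`, `"PacketAnalyzer::ETHERNET::novell_raw_analyzer"` and `"PacketAnalyzer::ETHERNET::llc_analyzer"`.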


@ -24,8 +24,6 @@ private:
AnalyzerPtr SNAPAnalyzer = nullptr; AnalyzerPtr SNAPAnalyzer = nullptr;
AnalyzerPtr NovellRawAnalyzer = nullptr; AnalyzerPtr NovellRawAnalyzer = nullptr;
AnalyzerPtr LLCAnalyzer = nullptr; AnalyzerPtr LLCAnalyzer = nullptr;
AnalyzerPtr LoadAnalyzer(const std::string& name);
}; };
} }


@ -12,7 +12,9 @@ SkipAnalyzer::SkipAnalyzer()
void SkipAnalyzer::Initialize() void SkipAnalyzer::Initialize()
{ {
auto& skip_val = zeek::id::find_val("PacketAnalyzer::SkipAnalyzer::skip_bytes"); Analyzer::Initialize();
auto& skip_val = zeek::id::find_val("PacketAnalyzer::SKIP::skip_bytes");
if ( ! skip_val ) if ( ! skip_val )
return; return;


@ -11,4 +11,4 @@ redef PacketAnalyzer::config_map += {
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=1, $analyzer=PacketAnalyzer::ANALYZER_SKIP) PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_ROOT, $identifier=1, $analyzer=PacketAnalyzer::ANALYZER_SKIP)
}; };
redef PacketAnalyzer::SkipAnalyzer::skip_bytes: count = 38; redef PacketAnalyzer::SKIP::skip_bytes: count = 38;