Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-17 05:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Reformat Zeek in Spicy style

Browse source 
This largely copies over Spicy's `.clang-format` configuration file. The
one place where we deviate is header include order since Zeek depends on
headers being included in a certain order.
This commit is contained in:
Benjamin Bannier 2023-10-10 21:13:34 +02:00
parent 7b8e7ed72c
commit f5a76c1aed
786 changed files with 131714 additions and 153609 deletions
Download patch file Download diff file Expand all files Collapse all files

253
src/packet_analysis/protocol/arp/ARP.cc
View file

@ -19,7 +19,7 @@
using namespace zeek::packet_analysis::ARP;
ARPAnalyzer::ARPAnalyzer() : zeek::packet_analysis::Analyzer("ARP") { }
ARPAnalyzer::ARPAnalyzer() : zeek::packet_analysis::Analyzer("ARP") {}
// Argh! FreeBSD and Linux have almost completely different net/if_arp.h .
// ... and on Solaris we are missing half of the ARPOP codes, so define
@ -84,165 +84,140 @@ ARPAnalyzer::ARPAnalyzer() : zeek::packet_analysis::Analyzer("ARP") { }
#define ARPHRD_IEEE802 6
#endif
bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{
packet->l3_proto = L3_ARP;
bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) {
packet->l3_proto = L3_ARP;
// Check whether the header is complete.
if ( sizeof(struct arp_pkthdr) > len )
{
Weird("truncated_ARP", packet);
return false;
}
// Check whether the header is complete.
if ( sizeof(struct arp_pkthdr) > len ) {
Weird("truncated_ARP", packet);
return false;
}
// Check whether the packet is OK ("inspired" in tcpdump's print-arp.c).
auto ah = (const struct arp_pkthdr*)data;
// Check whether the packet is OK ("inspired" in tcpdump's print-arp.c).
auto ah = (const struct arp_pkthdr*)data;
// Check the size.
size_t min_length = (ar_tpa(ah) - (caddr_t)data) + ah->ar_pln;
if ( min_length > len )
{
Weird("truncated_ARP", packet);
return false;
}
// Check the size.
size_t min_length = (ar_tpa(ah) - (caddr_t)data) + ah->ar_pln;
if ( min_length > len ) {
Weird("truncated_ARP", packet);
return false;
}
// ARP packets are considered processed if we get to this point. There may be issues
// with the processing of them, but they're actually an ARP packet and anything else
// will be reported via events.
packet->processed = true;
// ARP packets are considered processed if we get to this point. There may be issues
// with the processing of them, but they're actually an ARP packet and anything else
// will be reported via events.
packet->processed = true;
// Check the address description fields.
switch ( ntohs(ah->ar_hrd) )
{
case ARPHRD_ETHER:
case ARPHRD_IEEE802:
if ( ah->ar_hln != 6 )
{
// don't know how to handle the opcode
BadARPEvent(ah, "corrupt-arp-header (hrd=%i, hln=%i)", ntohs(ah->ar_hrd),
ah->ar_hln);
return false;
}
break;
// Check the address description fields.
switch ( ntohs(ah->ar_hrd) ) {
case ARPHRD_ETHER:
case ARPHRD_IEEE802:
if ( ah->ar_hln != 6 ) {
// don't know how to handle the opcode
BadARPEvent(ah, "corrupt-arp-header (hrd=%i, hln=%i)", ntohs(ah->ar_hrd), ah->ar_hln);
return false;
}
break;
default:
{
// don't know how to proceed
BadARPEvent(ah, "unknown-arp-hw-address (hrd=%i)", ntohs(ah->ar_hrd));
return false;
}
}
default: {
// don't know how to proceed
BadARPEvent(ah, "unknown-arp-hw-address (hrd=%i)", ntohs(ah->ar_hrd));
return false;
}
}
// Note: We don't support IPv6 addresses.
switch ( ntohs(ah->ar_pro) )
{
case ETHERTYPE_IP:
if ( ah->ar_pln != 4 )
{
// don't know how to handle the opcode
BadARPEvent(ah, "corrupt-arp-header (pro=%i, pln=%i)", ntohs(ah->ar_pro),
ah->ar_pln);
return false;
}
break;
// Note: We don't support IPv6 addresses.
switch ( ntohs(ah->ar_pro) ) {
case ETHERTYPE_IP:
if ( ah->ar_pln != 4 ) {
// don't know how to handle the opcode
BadARPEvent(ah, "corrupt-arp-header (pro=%i, pln=%i)", ntohs(ah->ar_pro), ah->ar_pln);
return false;
}
break;
default:
{
// don't know how to proceed
BadARPEvent(ah, "unknown-arp-proto-address (pro=%i)", ntohs(ah->ar_pro));
return false;
}
}
default: {
// don't know how to proceed
BadARPEvent(ah, "unknown-arp-proto-address (pro=%i)", ntohs(ah->ar_pro));
return false;
}
}
// Check MAC src address = ARP sender MAC address.
if ( memcmp(packet->l2_src, (const char*)ar_sha(ah), ah->ar_hln) != 0 )
{
BadARPEvent(ah, "weird-arp-sha");
return false;
}
// Check MAC src address = ARP sender MAC address.
if ( memcmp(packet->l2_src, (const char*)ar_sha(ah), ah->ar_hln) != 0 ) {
BadARPEvent(ah, "weird-arp-sha");
return false;
}
// Check the code is supported.
switch ( ntohs(ah->ar_op) )
{
case ARPOP_REQUEST:
RequestReplyEvent(arp_request, packet->l2_src, packet->l2_dst, ah);
break;
// Check the code is supported.
switch ( ntohs(ah->ar_op) ) {
case ARPOP_REQUEST: RequestReplyEvent(arp_request, packet->l2_src, packet->l2_dst, ah); break;
case ARPOP_REPLY:
RequestReplyEvent(arp_reply, packet->l2_src, packet->l2_dst, ah);
break;
case ARPOP_REPLY: RequestReplyEvent(arp_reply, packet->l2_src, packet->l2_dst, ah); break;
case ARPOP_REVREQUEST:
case ARPOP_REVREPLY:
case ARPOP_INVREQUEST:
case ARPOP_INVREPLY:
{
// don't know how to handle the opcode
BadARPEvent(ah, "unimplemented-arp-opcode (%i)", ntohs(ah->ar_op));
return false;
}
case ARPOP_REVREQUEST:
case ARPOP_REVREPLY:
case ARPOP_INVREQUEST:
case ARPOP_INVREPLY: {
// don't know how to handle the opcode
BadARPEvent(ah, "unimplemented-arp-opcode (%i)", ntohs(ah->ar_op));
return false;
}
default:
{
// invalid opcode
BadARPEvent(ah, "invalid-arp-opcode (opcode=%i)", ntohs(ah->ar_op));
return false;
}
}
default: {
// invalid opcode
BadARPEvent(ah, "invalid-arp-opcode (opcode=%i)", ntohs(ah->ar_op));
return false;
}
}
// Leave packet analyzer land
return true;
}
// Leave packet analyzer land
return true;
}
zeek::AddrValPtr ARPAnalyzer::ToAddrVal(const void* addr, size_t len)
{
if ( len < 4 )
return zeek::make_intrusive<zeek::AddrVal>(static_cast<uint32_t>(0));
zeek::AddrValPtr ARPAnalyzer::ToAddrVal(const void* addr, size_t len) {
if ( len < 4 )
return zeek::make_intrusive<zeek::AddrVal>(static_cast<uint32_t>(0));
// Note: We only handle IPv4 addresses.
return zeek::make_intrusive<zeek::AddrVal>(*(const uint32_t*)addr);
}
// Note: We only handle IPv4 addresses.
return zeek::make_intrusive<zeek::AddrVal>(*(const uint32_t*)addr);
}
zeek::StringValPtr ARPAnalyzer::ToEthAddrStr(const u_char* addr, size_t len)
{
if ( len < 6 )
return zeek::make_intrusive<zeek::StringVal>("");
zeek::StringValPtr ARPAnalyzer::ToEthAddrStr(const u_char* addr, size_t len) {
if ( len < 6 )
return zeek::make_intrusive<zeek::StringVal>("");
char buf[1024];
snprintf(buf, sizeof(buf), "%02x:%02x:%02x:%02x:%02x:%02x", addr[0], addr[1], addr[2], addr[3],
addr[4], addr[5]);
return zeek::make_intrusive<zeek::StringVal>(buf);
}
char buf[1024];
snprintf(buf, sizeof(buf), "%02x:%02x:%02x:%02x:%02x:%02x", addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]);
return zeek::make_intrusive<zeek::StringVal>(buf);
}
void ARPAnalyzer::BadARPEvent(const struct arp_pkthdr* hdr, const char* fmt, ...)
{
if ( ! bad_arp )
return;
void ARPAnalyzer::BadARPEvent(const struct arp_pkthdr* hdr, const char* fmt, ...) {
if ( ! bad_arp )
return;
char msg[1024];
va_list args;
va_start(args, fmt);
vsnprintf(msg, sizeof(msg), fmt, args);
va_end(args);
char msg[1024];
va_list args;
va_start(args, fmt);
vsnprintf(msg, sizeof(msg), fmt, args);
va_end(args);
event_mgr.Enqueue(bad_arp, ToAddrVal(reinterpret_cast<const u_char*>(ar_spa(hdr)), hdr->ar_pln),
ToEthAddrStr(reinterpret_cast<const u_char*>(ar_sha(hdr)), hdr->ar_hln),
ToAddrVal(reinterpret_cast<const u_char*>(ar_tpa(hdr)), hdr->ar_pln),
ToEthAddrStr(reinterpret_cast<const u_char*>(ar_tha(hdr)), hdr->ar_hln),
zeek::make_intrusive<zeek::StringVal>(msg));
}
event_mgr.Enqueue(bad_arp, ToAddrVal(reinterpret_cast<const u_char*>(ar_spa(hdr)), hdr->ar_pln),
ToEthAddrStr(reinterpret_cast<const u_char*>(ar_sha(hdr)), hdr->ar_hln),
ToAddrVal(reinterpret_cast<const u_char*>(ar_tpa(hdr)), hdr->ar_pln),
ToEthAddrStr(reinterpret_cast<const u_char*>(ar_tha(hdr)), hdr->ar_hln),
zeek::make_intrusive<zeek::StringVal>(msg));
}
void ARPAnalyzer::RequestReplyEvent(EventHandlerPtr e, const u_char* src, const u_char* dst,
const struct arp_pkthdr* hdr)
{
if ( ! e )
return;
const struct arp_pkthdr* hdr) {
if ( ! e )
return;
// The src and dst pointers are the l2_src and l2_dst addresses from the packet. We assume
// that the length of those were validated at some point earlier in the processing.
event_mgr.Enqueue(e, ToEthAddrStr(src, 6), ToEthAddrStr(dst, 6),
ToAddrVal(ar_spa(hdr), hdr->ar_pln),
ToEthAddrStr(reinterpret_cast<const u_char*>(ar_sha(hdr)), hdr->ar_hln),
ToAddrVal(ar_tpa(hdr), hdr->ar_pln),
ToEthAddrStr(reinterpret_cast<const u_char*>(ar_tha(hdr)), hdr->ar_hln));
}
// The src and dst pointers are the l2_src and l2_dst addresses from the packet. We assume
// that the length of those were validated at some point earlier in the processing.
event_mgr.Enqueue(e, ToEthAddrStr(src, 6), ToEthAddrStr(dst, 6), ToAddrVal(ar_spa(hdr), hdr->ar_pln),
ToEthAddrStr(reinterpret_cast<const u_char*>(ar_sha(hdr)), hdr->ar_hln),
ToAddrVal(ar_tpa(hdr), hdr->ar_pln),
ToEthAddrStr(reinterpret_cast<const u_char*>(ar_tha(hdr)), hdr->ar_hln));
}

31
src/packet_analysis/protocol/arp/ARP.h
View file

@ -15,30 +15,23 @@
#define arp_pkthdr arphdr
#endif
namespace zeek::packet_analysis::ARP
{
namespace zeek::packet_analysis::ARP {
class ARPAnalyzer : public Analyzer
{
class ARPAnalyzer : public Analyzer {
public:
ARPAnalyzer();
~ARPAnalyzer() override = default;
ARPAnalyzer();
~ARPAnalyzer() override = default;
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
static zeek::packet_analysis::AnalyzerPtr Instantiate()
{
return std::make_shared<ARPAnalyzer>();
}
static zeek::packet_analysis::AnalyzerPtr Instantiate() { return std::make_shared<ARPAnalyzer>(); }
private:
zeek::AddrValPtr ToAddrVal(const void* addr, size_t len);
zeek::StringValPtr ToEthAddrStr(const u_char* addr, size_t len);
zeek::AddrValPtr ToAddrVal(const void* addr, size_t len);
zeek::StringValPtr ToEthAddrStr(const u_char* addr, size_t len);
void BadARPEvent(const struct arp_pkthdr* hdr, const char* fmt, ...)
__attribute__((format(printf, 3, 4)));
void RequestReplyEvent(EventHandlerPtr e, const u_char* src, const u_char* dst,
const struct arp_pkthdr* hdr);
};
void BadARPEvent(const struct arp_pkthdr* hdr, const char* fmt, ...) __attribute__((format(printf, 3, 4)));
void RequestReplyEvent(EventHandlerPtr e, const u_char* src, const u_char* dst, const struct arp_pkthdr* hdr);
};
}
} // namespace zeek::packet_analysis::ARP

26
src/packet_analysis/protocol/arp/Plugin.cc
View file

@ -5,23 +5,19 @@
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/arp/ARP.h"
namespace zeek::plugin::Zeek_ARP
{
namespace zeek::plugin::Zeek_ARP {
class Plugin final : public zeek::plugin::Plugin
{
class Plugin final : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new zeek::packet_analysis::Component(
"ARP", zeek::packet_analysis::ARP::ARPAnalyzer::Instantiate));
zeek::plugin::Configuration Configure() override {
AddComponent(new zeek::packet_analysis::Component("ARP", zeek::packet_analysis::ARP::ARPAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::ARP";
config.description = "ARP packet analyzer";
return config;
}
zeek::plugin::Configuration config;
config.name = "Zeek::ARP";
config.description = "ARP packet analyzer";
return config;
}
} plugin;
} plugin;
}
} // namespace zeek::plugin::Zeek_ARP