Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-06 00:28:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Finished work on unified2 analyzer.

Browse source
This commit is contained in:
Seth Hall 2013-08-13 03:21:43 -04:00
parent 95161a920c
commit f7c6dd7f7e
9 changed files with 260 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

12
src/file_analysis/analyzer/unified2/unified2-analyzer.pac
View file

@ -61,7 +61,7 @@ refine flow Flow += {
# return true;
# %}
function proc_legacy_ids_event(ev: LegacyIDSEvent) : bool
function proc_ids_event(ev: IDS_Event) : bool
%{
if ( ::unified2_event )
{
@ -88,7 +88,7 @@ refine flow Flow += {
return true;
%}
function proc_ids_event(ev: IDSEvent) : bool
function proc_ids_event_2(ev: IDS_Event_2) : bool
%{
if ( ::unified2_event )
{
@ -152,12 +152,12 @@ refine flow Flow += {
# proc : bool = $context.flow.proc_record(this);
#};
refine typeattr LegacyIDSEvent += &let {
proc : bool = $context.flow.proc_legacy_ids_event(this);
refine typeattr IDS_Event += &let {
proc : bool = $context.flow.proc_ids_event(this);
};
refine typeattr IDSEvent += &let {
proc : bool = $context.flow.proc_ids_event(this);
refine typeattr IDS_Event_2 += &let {
proc : bool = $context.flow.proc_ids_event_2(this);
};
refine typeattr Packet += &let {

12
src/file_analysis/analyzer/unified2/unified2-file.pac
View file

@ -18,16 +18,16 @@ type Record = record {
length: uint32;
data: case rtype of {
PACKET -> packet: Packet(this);
IDS_EVENT -> ids_event: LegacyIDSEvent(this, 1);
IDS_EVENT_IPV6 -> ids_event_ipv6: LegacyIDSEvent(this, 4);
IDS_EVENT_2 -> ids_event_vlan: IDSEvent(this, 1);
IDS_EVENT_IPV6_2 -> ids_event_ipv6_vlan: IDSEvent(this, 4);
IDS_EVENT -> ids_event: IDS_Event(this, 1);
IDS_EVENT_IPV6 -> ids_event_ipv6: IDS_Event(this, 4);
IDS_EVENT_2 -> ids_event_vlan: IDS_Event_2(this, 1);
IDS_EVENT_IPV6_2 -> ids_event_ipv6_vlan: IDS_Event_2(this, 4);
#EXTRA_DATA -> extra_data: ExtraData(this);
default -> unknown_record_type: UnknownRecordType(this);
};
} &byteorder=bigendian &length=length+8;
type LegacyIDSEvent(rec: Record, ip_len: int) = record {
type IDS_Event(rec: Record, ip_len: int) = record {
sensor_id: uint32;
event_id: uint32;
ts: Time;
@ -44,7 +44,7 @@ type LegacyIDSEvent(rec: Record, ip_len: int) = record {
packet_action: uint8;
} &byteorder=bigendian;
type IDSEvent(rec: Record, ip_len: int) = record {
type IDS_Event_2(rec: Record, ip_len: int) = record {
sensor_id: uint32;
event_id: uint32;
ts: Time;