diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek
index 60c804f2fd..1462d895e2 100644
--- a/scripts/base/packet-protocols/__load__.zeek
+++ b/scripts/base/packet-protocols/__load__.zeek
@@ -1,4 +1,5 @@
 @load base/packet-protocols/default
+@load base/packet-protocols/skip
 @load base/packet-protocols/ethernet
 @load base/packet-protocols/fddi
 @load base/packet-protocols/ieee802_11
diff --git a/scripts/base/packet-protocols/default/main.zeek b/scripts/base/packet-protocols/default/main.zeek
index e3868ada8e..0adc5e3f67 100644
--- a/scripts/base/packet-protocols/default/main.zeek
+++ b/scripts/base/packet-protocols/default/main.zeek
@@ -1,4 +1,4 @@
-module PacketAnalyzer::DEFAULT;
+module PacketAnalyzer::Default;
 redef PacketAnalyzer::config_map += {
 PacketAnalyzer::ConfigEntry($analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER),
diff --git a/scripts/base/packet-protocols/skip/__load__.zeek b/scripts/base/packet-protocols/skip/__load__.zeek
new file mode 100644
index 0000000000..d551be57d3
--- /dev/null
+++ b/scripts/base/packet-protocols/skip/__load__.zeek
@@ -0,0 +1 @@
+@load ./main
\ No newline at end of file
diff --git a/scripts/base/packet-protocols/skip/main.zeek b/scripts/base/packet-protocols/skip/main.zeek
new file mode 100644
index 0000000000..b16bcfb22a
--- /dev/null
+++ b/scripts/base/packet-protocols/skip/main.zeek
@@ -0,0 +1,10 @@
+module PacketAnalyzer::SkipAnalyzer;
+
+export {
+ ## Bytes to skip.
+ const skip_bytes: count = 0 &redef;
+}
+
+redef PacketAnalyzer::config_map += {
+ PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_SKIP, $analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER)
+};
diff --git a/src/packet_analysis/Dispatcher.cc b/src/packet_analysis/Dispatcher.cc
index 841906cf4c..b12ac33623 100644
--- a/src/packet_analysis/Dispatcher.cc
+++ b/src/packet_analysis/Dispatcher.cc
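Review bot: The doc comment `## Bytes to skip.` on skip_bytes in skip/main.zeek does not say what the bytes are skipped relative to, or what an operator should expect when a packet is shorter than the value, which is exactly what someone redefining it needs to know. Suggest `## Number of bytes to skip at the start of the data handed to the skip analyzer before the packet is passed on to the inner analyzer; the analyzer reads this value when it initializes.` The config_map entry below registers the default analyzer under `$parent=PacketAnalyzer::ANALYZER_SKIP` without an `$identifier`; a one-line comment stating what a parent entry with no identifier means for dispatch would spare readers of this script from guessing.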
@@ -48,6 +48,7 @@ bool Dispatcher::Register(uint32_t identifier, AnalyzerPtr analyzer)
 }
 int64_t index = identifier - lowest_identifier;
+ //TODO: Allow to overwrite mappings?
 if ( table[index] == nullptr )
 {
 table[index] = analyzer;
diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt
index fbcef0f2c9..5ae00729ff 100644
--- a/src/packet_analysis/protocol/CMakeLists.txt
+++ b/src/packet_analysis/protocol/CMakeLists.txt
@@ -1,4 +1,5 @@
 add_subdirectory(default)
+add_subdirectory(skip)
 add_subdirectory(wrapper)
 add_subdirectory(null)
diff --git a/src/packet_analysis/protocol/skip/CMakeLists.txt b/src/packet_analysis/protocol/skip/CMakeLists.txt
new file mode 100644
index 0000000000..982cf42edd
--- /dev/null
+++ b/src/packet_analysis/protocol/skip/CMakeLists.txt
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(PacketAnalyzer Skip)
+zeek_plugin_cc(Skip.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/packet_analysis/protocol/skip/Plugin.cc b/src/packet_analysis/protocol/skip/Plugin.cc
new file mode 100644
index 0000000000..ed3d70a564
--- /dev/null
+++ b/src/packet_analysis/protocol/skip/Plugin.cc
@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "Skip.h"
+#include "plugin/Plugin.h"
+#include "packet_analysis/Component.h"
+
+namespace zeek::plugin::Zeek_Skip {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure()
+ {
+ AddComponent(new zeek::packet_analysis::Component("Skip",
+ zeek::packet_analysis::Skip::SkipAnalyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "Zeek::Skip";
+ config.description = "Skip packet analyzer";
+ return config;
+ }
+
+} plugin;
+
+}
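Review bot: `Configure()` in the new Plugin class in Plugin.cc is declared without `override`, although it is invoked through the zeek::plugin::Plugin base (declared outside this hunk); writing `zeek::plugin::Configuration Configure() override` lets the compiler reject a signature mismatch with the base instead of silently leaving a non-overriding duplicate. The component is registered with a raw `new`, which presumably hands ownership to AddComponent; a short comment such as `// AddComponent takes ownership of the Component.` would document the contract this line relies on.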
diff --git a/src/packet_analysis/protocol/skip/Skip.cc b/src/packet_analysis/protocol/skip/Skip.cc
new file mode 100644
index 0000000000..966561c630
--- /dev/null
+++ b/src/packet_analysis/protocol/skip/Skip.cc
@@ -0,0 +1,26 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "Skip.h"
+#include "NetVar.h"
+
+using namespace zeek::packet_analysis::Skip;
+
+SkipAnalyzer::SkipAnalyzer()
+ : zeek::packet_analysis::Analyzer("Skip")
+ {
+ }
+
+void SkipAnalyzer::Initialize()
+ {
+ auto& skip_val = zeek::id::find_val("PacketAnalyzer::SkipAnalyzer::skip_bytes");
+ if ( ! skip_val )
+ return;
+
+ skip_bytes = skip_val->AsCount();
+ }
+
+zeek::packet_analysis::AnalyzerResult SkipAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
+ {
+ data += skip_bytes;
+ return AnalyzeInnerPacket(packet, data);
+ }
diff --git a/src/packet_analysis/protocol/skip/Skip.h b/src/packet_analysis/protocol/skip/Skip.h
new file mode 100644
index 0000000000..a18a7c8bec
--- /dev/null
+++ b/src/packet_analysis/protocol/skip/Skip.h
@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include
+#include
+
+namespace zeek::packet_analysis::Skip {
+
+class SkipAnalyzer : public Analyzer {
+public:
+ SkipAnalyzer();
+ ~SkipAnalyzer() override = default;
+
+ void Initialize() override;
+ AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
+
+ static zeek::packet_analysis::AnalyzerPtr Instantiate()
+ {
+ return std::make_shared();
+ }
+
+private:
+ bro_uint_t skip_bytes = 0;
+};
+
+}
diff --git a/testing/btest/core/skip_analyzer.zeek b/testing/btest/core/skip_analyzer.zeek
new file mode 100644
index 0000000000..47dc0663d6
--- /dev/null
+++ b/testing/btest/core/skip_analyzer.zeek
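Review bot: `data += skip_bytes;` in SkipAnalyzer::Analyze in Skip.cc advances the cursor with no check against the remaining packet length, so any captured frame shorter than the configured skip_bytes hands AnalyzeInnerPacket a pointer past the end of the buffer — an out-of-bounds read reachable from ordinary short packets on the wire. The guard belongs before the increment; the Packet type is not visible in this hunk, but assuming it exposes the buffer start and captured length as Zeek's Packet does, `if ( skip_bytes > static_cast<size_t>(packet->data + packet->cap_len - data) ) return /* the analyzer's failure result */;` would reject such packets instead of reading beyond them. Initialize() reads the script constant a single time through find_val, and when Initialize runs is not shown here, so a comment on that line along the lines of `// Read once at analyzer initialization; later changes to skip_bytes are presumably not observed — confirm` would keep a maintainer from assuming the value is live. The btest added in this commit only replays a trace where 38 bytes always fit, so a short-packet case would be needed to exercise the guard.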
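Review bot: The new SkipAnalyzer class in Skip.h carries no documentation, and the one fact a reader needs — that skip_bytes is a configured count applied to the data cursor before the inner analyzer runs — is stated nowhere in the header. A class comment such as `/// Packet analyzer that advances the data cursor by a configured number of bytes and then dispatches the packet to the inner analyzer.` and, on the member, `// Bytes to skip; loaded from PacketAnalyzer::SkipAnalyzer::skip_bytes in Initialize(), 0 until then.` would cover it, both grounded in what Skip.cc does. Initialize() and Analyze() are declared `override` without a word on their contract; a one-line comment on Analyze noting that it expects at least skip_bytes bytes of data would make the precondition visible at the declaration.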
@@ -0,0 +1,13 @@
+# A test of the skip analyzer
+
+# @TEST-EXEC: zeek -b -C -r $TRACES/tunnels/gre-sample.pcap %INPUT
+# @TEST-EXEC: btest-diff conn.log
+
+@load base/protocols/conn
+@load base/frameworks/tunnels
+
+redef PacketAnalyzer::config_map += {
+ PacketAnalyzer::ConfigEntry($identifier=1, $analyzer=PacketAnalyzer::ANALYZER_SKIP)
+};
+
+redef PacketAnalyzer::SkipAnalyzer::skip_bytes: count = 38;