Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Add SkipAnalyzer.

Browse source 
This is WIP: The test case would require a new pcap or the possibility
to overwrite analyzer mappings. The CustomEncapsulationSkip method and
the corresponding options need to be removed.
This commit is contained in:
Jan Grashoefer 2020-08-25 17:03:20 +02:00 committed by Tim Wojtulewicz
parent 6f6e5b4df0
commit fc814bd7e2
11 changed files with 113 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

1
scripts/base/packet-protocols/__load__.zeek
View file

@ -1,4 +1,5 @@
@load base/packet-protocols/default
@load base/packet-protocols/skip
@load base/packet-protocols/ethernet
@load base/packet-protocols/fddi
@load base/packet-protocols/ieee802_11

2
scripts/base/packet-protocols/default/main.zeek
View file

@ -1,4 +1,4 @@
module PacketAnalyzer::DEFAULT;
module PacketAnalyzer::Default;
redef PacketAnalyzer::config_map += {
PacketAnalyzer::ConfigEntry($analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER),

1
scripts/base/packet-protocols/skip/__load__.zeek Normal file
View file

@ -0,0 +1 @@
@load ./main

10
scripts/base/packet-protocols/skip/main.zeek Normal file
View file

@ -0,0 +1,10 @@
module PacketAnalyzer::SkipAnalyzer;
export {
## Bytes to skip.
const skip_bytes: count = 0 &redef;
}
redef PacketAnalyzer::config_map += {
PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_SKIP, $analyzer=PacketAnalyzer::ANALYZER_DEFAULTANALYZER)
};

1
src/packet_analysis/Dispatcher.cc
View file

@ -48,6 +48,7 @@ bool Dispatcher::Register(uint32_t identifier, AnalyzerPtr analyzer)
}
int64_t index = identifier - lowest_identifier;
//TODO: Allow to overwrite mappings?
if ( table[index] == nullptr )
{
table[index] = analyzer;

1
src/packet_analysis/protocol/CMakeLists.txt
View file

@ -1,4 +1,5 @@
add_subdirectory(default)
add_subdirectory(skip)
add_subdirectory(wrapper)
add_subdirectory(null)

8
src/packet_analysis/protocol/skip/CMakeLists.txt Normal file
View file

@ -0,0 +1,8 @@
include(ZeekPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
zeek_plugin_begin(PacketAnalyzer Skip)
zeek_plugin_cc(Skip.cc Plugin.cc)
zeek_plugin_end()

24
src/packet_analysis/protocol/skip/Plugin.cc Normal file
View file

@ -0,0 +1,24 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "Skip.h"
#include "plugin/Plugin.h"
#include "packet_analysis/Component.h"
namespace zeek::plugin::Zeek_Skip {
class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure()
{
AddComponent(new zeek::packet_analysis::Component("Skip",
zeek::packet_analysis::Skip::SkipAnalyzer::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::Skip";
config.description = "Skip packet analyzer";
return config;
}
} plugin;
}

26
src/packet_analysis/protocol/skip/Skip.cc Normal file
View file

@ -0,0 +1,26 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "Skip.h"
#include "NetVar.h"
using namespace zeek::packet_analysis::Skip;
SkipAnalyzer::SkipAnalyzer()
: zeek::packet_analysis::Analyzer("Skip")
{
}
void SkipAnalyzer::Initialize()
{
auto& skip_val = zeek::id::find_val("PacketAnalyzer::SkipAnalyzer::skip_bytes");
if ( ! skip_val )
return;
skip_bytes = skip_val->AsCount();
}
zeek::packet_analysis::AnalyzerResult SkipAnalyzer::Analyze(Packet* packet, const uint8_t*& data)
{
data += skip_bytes;
return AnalyzeInnerPacket(packet, data);
}

27
src/packet_analysis/protocol/skip/Skip.h Normal file
View file

@ -0,0 +1,27 @@
// See the file "COPYING" in the main distribution directory for copyright.
#pragma once
#include <packet_analysis/Analyzer.h>
#include <packet_analysis/Component.h>
namespace zeek::packet_analysis::Skip {
class SkipAnalyzer : public Analyzer {
public:
SkipAnalyzer();
~SkipAnalyzer() override = default;
void Initialize() override;
AnalyzerResult Analyze(Packet* packet, const uint8_t*& data) override;
static zeek::packet_analysis::AnalyzerPtr Instantiate()
{
return std::make_shared<SkipAnalyzer>();
}
private:
bro_uint_t skip_bytes = 0;
};
}

13
testing/btest/core/skip_analyzer.zeek Normal file
View file

@ -0,0 +1,13 @@
# A test of the skip analyzer
# @TEST-EXEC: zeek -b -C -r $TRACES/tunnels/gre-sample.pcap %INPUT
# @TEST-EXEC: btest-diff conn.log
@load base/protocols/conn
@load base/frameworks/tunnels
redef PacketAnalyzer::config_map += {
PacketAnalyzer::ConfigEntry($identifier=1, $analyzer=PacketAnalyzer::ANALYZER_SKIP)
};
redef PacketAnalyzer::SkipAnalyzer::skip_bytes: count = 38;