Arne Welzel
568946ec18
IP: Update packet->len with accumulated fragment size
...
With packet->len representing the wire length and other places
relying on it, ensure it's updated for fragments as well. This
assumes non-truncated fragments right now. Otherwise we'd need
to teach the FragmentReassembler to somehow track this independently
but it would be a mess.
2023-05-24 16:34:22 +02:00
Tim Wojtulewicz
18a30a7a53
IP: fix weird name to not be ipv6 specific
2023-05-24 16:29:29 +02:00
Tim Wojtulewicz
1e6cc76c83
Default tunnel_type in iosource::Packet to NONE
2023-04-25 09:28:20 -07:00
Tomer Lev
642d44009a
Clang formatting
2022-11-11 18:54:05 +02:00
voidbar
9a74be1558
Update src/packet_analysis/protocol/ip/IP.cc
...
Co-authored-by: Tim Wojtulewicz <timwoj@gmail.com>
2022-11-10 18:43:47 +02:00
Tomer Lev
5cdc6e150e
Clang format it all
2022-11-09 18:55:51 +02:00
Tim Wojtulewicz
2e457eb3ea
Fix a few compiler warnings from MSVC
2022-11-09 18:17:07 +02:00
Arne Welzel
70c74e9d71
protocol/ip: Only attach IP_Hdr to Packet if valid
...
Ensure packet->ip_hdr is not set (so no one can assume it's valid)
when AnalyzePacket() found something weird with the header.
2022-11-08 16:44:04 -07:00
Tim Wojtulewicz
719e0a0f4f
Reset packet cap_len before returning from IP::AnalyzePacket
2022-08-26 10:59:10 -07:00
Tim Wojtulewicz
aa79356963
Make result of IP::ParsePacket easier to understand
2022-08-22 10:56:20 -07:00
Tim Wojtulewicz
40b1452905
Remove reporter warning for bad IP protocols
...
It turns out that this can be *very* spammy on networks where we're receiving
lots of these packets, and can fill up the reporter log very quickly. Weirds are
already reported in all of these cases anyways, so it doesn't make sense to log
a reporter warning too.
2022-08-22 10:56:20 -07:00
Tim Wojtulewicz
1b5741d905
GH-2183: Rework Packet checksummed variable naming
2022-06-27 11:07:31 -07:00
Tim Wojtulewicz
ed798c6aba
Change Packet::ip_hdr to be a shared_ptr so it can be copied into EncapsulatingConn
2021-11-23 19:36:49 -07:00
Johanna Amann
e14b695497
Accept packets that use tcp segment offloading.
...
When checksum offloading is enabled, we now forward packets that
have 0 header lengths set - and assume that they have TSO enabled.
If checksum offloading is not enabled, we drop the packets.
Addresses GH-1829
2021-10-28 17:12:54 +02:00
Tim Wojtulewicz
b2f171ec69
Reformat the world
2021-09-16 15:35:39 -07:00
Johanna Amann
8192ad581d
Do not look up ignore_checksums_nets for every packet
...
This could lead to a noticeable (single-percent) performance
improvement.
Most of the functionality for this is in the packet analyzers that now
cache ignore_checksums_nets.
Based on a patch by Arne Welzel (Corelight).
2021-08-06 10:32:53 +01:00
Tim Wojtulewicz
b14cd1ef16
GH-1216: Enable Mobile IPv6 support by default
...
This removes the ENABLE_MOBILE_IPV6 #define variable. It also marks the
--enable-mobile-ipv6 configure argument as deprecated.
2021-06-28 11:11:55 -07:00
Tim Wojtulewicz
0e34f2e02f
Fix handling of IP packets with bogus IP header lengths
...
Credit to OSS-Fuzz for discovery
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34711
(Link to details becomes public 30 days after patch release)
2021-05-27 16:33:50 -07:00
Tim Wojtulewicz
3e1692676d
Move SessionManager::ParseIPPacket to IP analyzer's namespace
2021-05-18 11:52:03 -07:00
Tim Wojtulewicz
0c3e3069d0
Added skeletons for TCP/UDP/ICMP packet analysis plugins.
...
This includes integration into the IP plugin and calling of the sessions code from each plugin.
2021-05-18 11:52:03 -07:00
Tim Wojtulewicz
0b7ca5e7bc
Remove Session prefix from some session-related classes and files
2021-04-29 11:09:35 -07:00
Tim Wojtulewicz
18c6aaaa33
Move session code into new directory and into zeek::session namespace
2021-04-29 11:09:35 -07:00
Tim Wojtulewicz
db1d753b35
Rename NetSessions to SessionManager
...
This also includes:
- Deprecating the NetSessions name.
- Renaming the zeek::sessions global to zeek::session_mgr and deprecating the old name.
- Renaming Sessions.{h,cc} to SessionManager.{h,cc}.
2021-04-29 10:24:45 -07:00
Tim Wojtulewicz
c752d76052
Move packet filter out of NetSessions
2021-04-29 10:24:45 -07:00
Tim Wojtulewicz
6c52fd502f
GH-1493: Fix build with -DENABLE_MOBILE_IPV6
2021-04-07 13:44:18 -07:00
Tim Wojtulewicz
5111b8e386
Fix comment in IP analyzer
2021-03-02 14:04:30 -07:00
Tim Wojtulewicz
e27008ef26
GH-1184: Add 'source' field to weird log denoting where the weird was reported
2020-12-01 09:34:37 -07:00
Tim Wojtulewicz
96d9115360
GH-1079: Use full paths starting with zeek/ when including files
2020-11-12 12:15:26 -07:00
Tim Wojtulewicz
b3eb63c48a
GH-1186: Remove Packet::hdr_size and uses of it.
...
This change also removes Packet::IP(), since Packet now contains an ip_hdr member
that points at the IP header if it exists.
2020-11-09 10:49:57 -07:00
Seth Hall
552a24e07c
Add an option to ignore packets sourced from particular subnets.
...
It's implemented with a new set[subnet] option named ignore_checksums_nets.
If you populate this set with subnets, any packet with a src address within
that set of subnets will not have its checksum validated.
2020-10-22 13:23:10 -04:00
Tim Wojtulewicz
ce2b00fe83
Fix a couple of Coverity findings (1433618, 1433619)
2020-10-21 10:53:34 -07:00
Tim Wojtulewicz
a99b540e46
Rework Sessions::Weird
2020-10-15 13:03:11 -07:00
Tim Wojtulewicz
ecd970ffde
Store packet's ip header as unique_ptr
2020-10-15 12:49:08 -07:00
Tim Wojtulewicz
41dcd0cde0
Use shared_ptr for encapsulation data instead of raw pointer
2020-10-15 12:49:05 -07:00
Tim Wojtulewicz
a7d4364334
Review cleanup
2020-10-15 12:44:45 -07:00
Tim Wojtulewicz
665d0d9814
Store the ip header in the packet after processing, reuse other places
2020-10-15 12:18:32 -07:00
Tim Wojtulewicz
7d2c35174f
Change to store data in packet directly instead of keystore
2020-10-15 12:18:32 -07:00
Tim Wojtulewicz
d0ef05c748
Don't always insert data into keystore for tunnels
2020-10-15 12:18:32 -07:00
Tim Wojtulewicz
02ed03adaa
Add comment about packet header size and session analysis
2020-10-15 12:18:32 -07:00
Tim Wojtulewicz
d0cc30eccd
Set data to ip header's payload instead of advancing the pointer
2020-10-15 12:18:32 -07:00
Tim Wojtulewicz
1cf251d1ca
Move IP and IP tunnel code from Sessions into packet analyzers
2020-10-15 12:18:30 -07:00
Jan Grashoefer
38337d799b
Improve packet analysis data flow.
2020-09-23 11:13:29 -07:00
Jan Grashoefer
90eb97876f
Improve packet analyzer API.
2020-09-23 11:13:28 -07:00
Jan Grashoefer
d5ca0f9da5
Rename DefaultAnalyzer to IP.
2020-09-23 11:13:28 -07:00