mirror of
https://github.com/zeek/zeek.git
synced 2025-10-07 17:18:20 +00:00
172 lines
5.3 KiB
JavaScript
172 lines
5.3 KiB
JavaScript
|
|
%extern{
|
|
#include "Event.h"
|
|
#include "file_analysis/File.h"
|
|
#include "events.bif.h"
|
|
#include "types.bif.h"
|
|
#include "IPAddr.h"
|
|
%}
|
|
|
|
%code{
|
|
zeek::AddrValPtr binpac::Unified2::Flow::unified2_addr_to_bro_addr(std::vector<uint32_t>* a)
|
|
{
|
|
if ( a->size() == 1 )
|
|
{
|
|
return zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv4, &(a->at(0)), zeek::IPAddr::Host));
|
|
}
|
|
else if ( a->size() == 4 )
|
|
{
|
|
uint32 tmp[4] = { a->at(0), a->at(1), a->at(2), a->at(3) };
|
|
return zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv6, tmp, zeek::IPAddr::Host));
|
|
}
|
|
else
|
|
{
|
|
// Should never reach here.
|
|
return zeek::make_intrusive<zeek::AddrVal>(1);
|
|
}
|
|
}
|
|
|
|
zeek::ValPtr binpac::Unified2::Flow::to_port(uint16_t n, uint8_t p)
|
|
{
|
|
TransportProto proto = TRANSPORT_UNKNOWN;
|
|
switch ( p ) {
|
|
case 1: proto = TRANSPORT_ICMP; break;
|
|
case 6: proto = TRANSPORT_TCP; break;
|
|
case 17: proto = TRANSPORT_UDP; break;
|
|
}
|
|
|
|
return zeek::val_mgr->Port(n, proto);
|
|
}
|
|
%}
|
|
|
|
refine flow Flow += {
|
|
|
|
%member{
|
|
zeek::AddrValPtr unified2_addr_to_bro_addr(std::vector<uint32_t>* a);
|
|
zeek::ValPtr to_port(uint16_t n, uint8_t p);
|
|
%}
|
|
|
|
%init{
|
|
%}
|
|
|
|
%eof{
|
|
%}
|
|
|
|
%cleanup{
|
|
%}
|
|
|
|
function ts_to_double(ts: Time): double
|
|
%{
|
|
double t = ${ts.seconds} + (${ts.microseconds} / 1000000);
|
|
return t;
|
|
%}
|
|
|
|
|
|
#function proc_record(rec: Record) : bool
|
|
# %{
|
|
# return true;
|
|
# %}
|
|
|
|
function proc_ids_event(ev: IDS_Event) : bool
|
|
%{
|
|
if ( ::unified2_event )
|
|
{
|
|
auto ids_event = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::IDSEvent);
|
|
ids_event->Assign(0, zeek::val_mgr->Count(${ev.sensor_id}));
|
|
ids_event->Assign(1, zeek::val_mgr->Count(${ev.event_id}));
|
|
ids_event->Assign(2, zeek::make_intrusive<zeek::TimeVal>(ts_to_double(${ev.ts})));
|
|
ids_event->Assign(3, zeek::val_mgr->Count(${ev.signature_id}));
|
|
ids_event->Assign(4, zeek::val_mgr->Count(${ev.generator_id}));
|
|
ids_event->Assign(5, zeek::val_mgr->Count(${ev.signature_revision}));
|
|
ids_event->Assign(6, zeek::val_mgr->Count(${ev.classification_id}));
|
|
ids_event->Assign(7, zeek::val_mgr->Count(${ev.priority_id}));
|
|
ids_event->Assign(8, unified2_addr_to_bro_addr(${ev.src_ip}));
|
|
ids_event->Assign(9, unified2_addr_to_bro_addr(${ev.dst_ip}));
|
|
ids_event->Assign(10, to_port(${ev.src_p}, ${ev.protocol}));
|
|
ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol}));
|
|
ids_event->Assign(17, zeek::val_mgr->Count(${ev.packet_action}));
|
|
|
|
zeek::event_mgr.Enqueue(::unified2_event,
|
|
connection()->bro_analyzer()->GetFile()->ToVal(),
|
|
std::move(ids_event));
|
|
}
|
|
return true;
|
|
%}
|
|
|
|
function proc_ids_event_2(ev: IDS_Event_2) : bool
|
|
%{
|
|
if ( ::unified2_event )
|
|
{
|
|
auto ids_event = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::IDSEvent);
|
|
ids_event->Assign(0, zeek::val_mgr->Count(${ev.sensor_id}));
|
|
ids_event->Assign(1, zeek::val_mgr->Count(${ev.event_id}));
|
|
ids_event->Assign(2, zeek::make_intrusive<zeek::TimeVal>(ts_to_double(${ev.ts})));
|
|
ids_event->Assign(3, zeek::val_mgr->Count(${ev.signature_id}));
|
|
ids_event->Assign(4, zeek::val_mgr->Count(${ev.generator_id}));
|
|
ids_event->Assign(5, zeek::val_mgr->Count(${ev.signature_revision}));
|
|
ids_event->Assign(6, zeek::val_mgr->Count(${ev.classification_id}));
|
|
ids_event->Assign(7, zeek::val_mgr->Count(${ev.priority_id}));
|
|
ids_event->Assign(8, unified2_addr_to_bro_addr(${ev.src_ip}));
|
|
ids_event->Assign(9, unified2_addr_to_bro_addr(${ev.dst_ip}));
|
|
ids_event->Assign(10, to_port(${ev.src_p}, ${ev.protocol}));
|
|
ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol}));
|
|
ids_event->Assign(12, zeek::val_mgr->Count(${ev.impact_flag}));
|
|
ids_event->Assign(13, zeek::val_mgr->Count(${ev.impact}));
|
|
ids_event->Assign(14, zeek::val_mgr->Count(${ev.blocked}));
|
|
ids_event->Assign(15, zeek::val_mgr->Count(${ev.mpls_label}));
|
|
ids_event->Assign(16, zeek::val_mgr->Count(${ev.vlan_id}));
|
|
|
|
zeek::event_mgr.Enqueue(::unified2_event,
|
|
connection()->bro_analyzer()->GetFile()->ToVal(),
|
|
std::move(ids_event));
|
|
}
|
|
|
|
return true;
|
|
%}
|
|
|
|
function proc_packet(pkt: Packet) : bool
|
|
%{
|
|
if ( ::unified2_packet )
|
|
{
|
|
auto packet = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::Packet);
|
|
packet->Assign(0, zeek::val_mgr->Count(${pkt.sensor_id}));
|
|
packet->Assign(1, zeek::val_mgr->Count(${pkt.event_id}));
|
|
packet->Assign(2, zeek::val_mgr->Count(${pkt.event_second}));
|
|
packet->Assign(3, zeek::make_intrusive<zeek::TimeVal>(ts_to_double(${pkt.packet_ts})));
|
|
packet->Assign(4, zeek::val_mgr->Count(${pkt.link_type}));
|
|
packet->Assign(5, to_stringval(${pkt.packet_data}));
|
|
|
|
zeek::event_mgr.Enqueue(::unified2_packet,
|
|
connection()->bro_analyzer()->GetFile()->ToVal(),
|
|
std::move(packet));
|
|
}
|
|
|
|
return true;
|
|
%}
|
|
|
|
#function proc_unknown_record_type(rec: UnknownRecordType) : bool
|
|
# %{
|
|
# printf("unknown packet type\n");
|
|
# return true;
|
|
# %}
|
|
};
|
|
|
|
#refine typeattr Record += &let {
|
|
# proc : bool = $context.flow.proc_record(this);
|
|
#};
|
|
|
|
refine typeattr IDS_Event += &let {
|
|
proc : bool = $context.flow.proc_ids_event(this);
|
|
};
|
|
|
|
refine typeattr IDS_Event_2 += &let {
|
|
proc : bool = $context.flow.proc_ids_event_2(this);
|
|
};
|
|
|
|
refine typeattr Packet += &let {
|
|
proc : bool = $context.flow.proc_packet(this);
|
|
};
|
|
|
|
#refine typeattr UnknownRecordType += &let {
|
|
# proc : bool = $context.flow.proc_unknown_record_type(this);
|
|
#};
|