Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
zeek/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac
Jon Siwek 995368e68c Remove variable content from weird names 
This changes many weird names to move non-static content from the
weird name into the "addl" field to help ensure the total number of
weird names is reasonably bounded.  Note the net_weird and flow_weird
events do not have an "addl" parameter, so information may no longer
be available in those cases -- to make it available again we'd need
to either (1) define new events that contain such a parameter, or
(2) change net_weird/flow_weird event signature (which is a breaking
change for user-code at the moment).

Also, the generic handling of binpac exceptions for analyzers which
to not otherwise catch and handle them has been changed from a Weird
to a ProtocolViolation.

Finally, a new "file_weird" event has been added for reporting
weirdness found during file analysis.
2019-04-01 18:30:11 -07:00

244 lines
5 KiB
JavaScript
Raw Blame History

# This code contributed by Nadi Sarrar.
connection BitTorrent_Conn(bro_analyzer: BroAnalyzer) {
upflow = BitTorrent_Flow(true);
downflow = BitTorrent_Flow(false);
};
flow BitTorrent_Flow(is_orig: bool) {
flowunit = BitTorrent_PDU withcontext (connection, this);
%member{
bool handshake_ok;
//uint64 _next_message_offset;
%}
%init{
handshake_ok = false;
//_next_message_offset = 0;
%}
#function next_message_offset(): uint64
# %{
# return &_next_message_offset;
# %}
#function increment_next_message_offset(go: bool, len: uint32): bool
# %{
# if ( go )
# _next_message_offset += len;
# return true;
# %}
function is_handshake_delivered(): bool
%{
return handshake_ok;
%}
function validate_handshake(pstrlen: uint8, pstr: const_bytestring): bool
%{
if ( pstrlen != 19 ||
memcmp("BitTorrent protocol", pstr.begin(), 19) )
{
throw Exception("invalid handshake");
}
return true;
%}
function validate_message_length(len: uint32): bool
%{
if ( len > MSGLEN_LIMIT )
throw Exception(fmt("message length prefix exceeds limit: %u > %u",
len, MSGLEN_LIMIT));
return true;
%}
function deliver_handshake(reserved: const_bytestring,
info_hash: const_bytestring,
peer_id: const_bytestring): bool
%{
handshake_ok = true;
if ( ::bittorrent_peer_handshake )
{
BifEvent::generate_bittorrent_peer_handshake(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
bytestring_to_val(reserved),
bytestring_to_val(info_hash),
bytestring_to_val(peer_id));
}
connection()->bro_analyzer()->ProtocolConfirmation();
return true;
%}
function deliver_keep_alive(): bool
%{
if ( ::bittorrent_peer_keep_alive )
{
BifEvent::generate_bittorrent_peer_keep_alive(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig());
}
return true;
%}
function deliver_choke(): bool
%{
if ( ::bittorrent_peer_choke )
{
BifEvent::generate_bittorrent_peer_choke(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig());
}
return true;
%}
function deliver_unchoke(): bool
%{
if ( ::bittorrent_peer_unchoke )
{
BifEvent::generate_bittorrent_peer_unchoke(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig());
}
return true;
%}
function deliver_interested(): bool
%{
if ( ::bittorrent_peer_interested )
{
BifEvent::generate_bittorrent_peer_interested(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig());
}
return true;
%}
function deliver_not_interested(): bool
%{
if ( ::bittorrent_peer_not_interested )
{
BifEvent::generate_bittorrent_peer_not_interested(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig());
}
return true;
%}
function deliver_have(piece_index: uint32): bool
%{
if ( ::bittorrent_peer_have )
{
BifEvent::generate_bittorrent_peer_have(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
piece_index);
}
return true;
%}
function deliver_bitfield(bitfield: const_bytestring): bool
%{
if ( ::bittorrent_peer_bitfield )
{
BifEvent::generate_bittorrent_peer_bitfield(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
bytestring_to_val(bitfield));
}
return true;
%}
function deliver_request(index: uint32, begin: uint32,
length: uint32): bool
%{
if ( ::bittorrent_peer_request )
{
BifEvent::generate_bittorrent_peer_request(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
index, begin, length);
}
return true;
%}
function deliver_piece(index: uint32, begin: uint32,
piece_length: uint32): bool
%{
if ( ::bittorrent_peer_piece )
{
BifEvent::generate_bittorrent_peer_piece(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
index, begin, piece_length);
}
return true;
%}
function deliver_cancel(index: uint32, begin: uint32,
length: uint32): bool
%{
if ( ::bittorrent_peer_cancel )
{
BifEvent::generate_bittorrent_peer_cancel(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
index, begin, length);
}
return true;
%}
function deliver_port(listen_port: uint16): bool
%{
if ( ::bittorrent_peer_port )
{
BifEvent::generate_bittorrent_peer_port(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
val_mgr->GetPort(listen_port, TRANSPORT_TCP));
}
return true;
%}
function deliver_unknown(id: uint8, data: const_bytestring): bool
%{
if ( ::bittorrent_peer_unknown )
{
BifEvent::generate_bittorrent_peer_unknown(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
id,
bytestring_to_val(data));
}
return true;
%}
};
Reference in a new issue View git blame Copy permalink