mirror of
https://github.com/zeek/zeek.git
synced 2025-10-09 10:08:20 +00:00
51bad73e1e
- Add more guards against trying to analyze captured packets with a truncated IPv6 static header or extension header chain. - Add back in the ICMP payload tracking for ICMP "connections". - Fix 'icmp_context' record construction. Some field assignments were mismatched for ICMP and ICMP6. Source and destination addresses were set incorrectly for context packets that don't contain a full IP header. Some fields for ICMP6 weren't filled out. - Changed ICMP Time Exceeded packets to raise the 'icmp_time_exceeded' event instead of 'icmp_error_message'. - Add unit tests for truncation and the main types of ICMP/ICMP6 that have specific events. - Documentation clarifications.
110 lines
4.6 KiB
Text
110 lines
4.6 KiB
Text
# These tests all check that ICMP6 events get raised with correct arguments.
|
|
|
|
# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-destunreach-ip6ext-udp.pcap %INPUT >>output 2>&1
|
|
# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-toobig.pcap %INPUT >>output 2>&1
|
|
# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-timeexceeded.pcap %INPUT >>output 2>&1
|
|
# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-paramprob.pcap %INPUT >>output 2>&1
|
|
# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-ping.pcap %INPUT >>output 2>&1
|
|
# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-redirect.pcap %INPUT >>output 2>&1
|
|
# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-router-advert.pcap %INPUT >>output 2>&1
|
|
# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-neighbor-advert.pcap %INPUT >>output 2>&1
|
|
# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-router-solicit.pcap %INPUT >>output 2>&1
|
|
# @TEST-EXEC: bro -b -r $TRACES/icmp/icmp6-neighbor-solicit.pcap %INPUT >>output 2>&1
|
|
|
|
# @TEST-EXEC: btest-diff output
|
|
|
|
event icmp_sent(c: connection, icmp: icmp_conn)
|
|
{
|
|
print "icmp_sent";
|
|
print " conn_id: " + fmt("%s", c$id);
|
|
print " icmp_conn: " + fmt("%s", icmp);
|
|
}
|
|
|
|
event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
|
|
{
|
|
print "icmp_echo_request (id=" + fmt("%d", id) + ", seq=" + fmt("%d", seq) + ", payload=" + payload + ")";
|
|
print " conn_id: " + fmt("%s", c$id);
|
|
print " icmp_conn: " + fmt("%s", icmp);
|
|
}
|
|
|
|
event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
|
|
{
|
|
print "icmp_echo_reply (id=" + fmt("%d", id) + ", seq=" + fmt("%d", seq) + ", payload=" + payload + ")";
|
|
print " conn_id: " + fmt("%s", c$id);
|
|
print " icmp_conn: " + fmt("%s", icmp);
|
|
}
|
|
|
|
event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
|
|
{
|
|
print "icmp_unreachable (code=" + fmt("%d", code) + ")";
|
|
print " conn_id: " + fmt("%s", c$id);
|
|
print " icmp_conn: " + fmt("%s", icmp);
|
|
print " icmp_context: " + fmt("%s", context);
|
|
}
|
|
|
|
event icmp_packet_too_big(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
|
|
{
|
|
print "icmp_packet_too_big (code=" + fmt("%d", code) + ")";
|
|
print " conn_id: " + fmt("%s", c$id);
|
|
print " icmp_conn: " + fmt("%s", icmp);
|
|
print " icmp_context: " + fmt("%s", context);
|
|
}
|
|
|
|
event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
|
|
{
|
|
print "icmp_time_exceeded (code=" + fmt("%d", code) + ")";
|
|
print " conn_id: " + fmt("%s", c$id);
|
|
print " icmp_conn: " + fmt("%s", icmp);
|
|
print " icmp_context: " + fmt("%s", context);
|
|
}
|
|
|
|
event icmp_parameter_problem(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
|
|
{
|
|
print "icmp_parameter_problem (code=" + fmt("%d", code) + ")";
|
|
print " conn_id: " + fmt("%s", c$id);
|
|
print " icmp_conn: " + fmt("%s", icmp);
|
|
print " icmp_context: " + fmt("%s", context);
|
|
}
|
|
|
|
event icmp_redirect(c: connection, icmp: icmp_conn, tgt: addr, dest: addr)
|
|
{
|
|
print "icmp_redirect (tgt=" + fmt("%s", tgt) + ", dest=" + fmt("%s", dest) + ")";
|
|
print " conn_id: " + fmt("%s", c$id);
|
|
print " icmp_conn: " + fmt("%s", icmp);
|
|
}
|
|
|
|
event icmp_error_message(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
|
|
{
|
|
print "icmp_error_message (code=" + fmt("%d", code) + ")";
|
|
print " conn_id: " + fmt("%s", c$id);
|
|
print " icmp_conn: " + fmt("%s", icmp);
|
|
print " icmp_context: " + fmt("%s", context);
|
|
}
|
|
|
|
event icmp_neighbor_solicitation(c: connection, icmp: icmp_conn, tgt: addr)
|
|
{
|
|
print "icmp_neighbor_solicitation (tgt=" + fmt("%s", tgt) + ")";
|
|
print " conn_id: " + fmt("%s", c$id);
|
|
print " icmp_conn: " + fmt("%s", icmp);
|
|
}
|
|
|
|
event icmp_neighbor_advertisement(c: connection, icmp: icmp_conn, tgt:addr)
|
|
{
|
|
print "icmp_neighbor_advertisement (tgt=" + fmt("%s", tgt) + ")";
|
|
print " conn_id: " + fmt("%s", c$id);
|
|
print " icmp_conn: " + fmt("%s", icmp);
|
|
}
|
|
|
|
event icmp_router_solicitation(c: connection, icmp: icmp_conn)
|
|
{
|
|
print "icmp_router_solicitation";
|
|
print " conn_id: " + fmt("%s", c$id);
|
|
print " icmp_conn: " + fmt("%s", icmp);
|
|
}
|
|
|
|
event icmp_router_advertisement(c: connection, icmp: icmp_conn, hop_limit: count, managed: bool, router_lifetime: count, reachable_time: interval, retrans_timer: interval)
|
|
{
|
|
print "icmp_router_advertisement (hop_limit=" + fmt("%d", hop_limit) + ", managed=" + fmt("%s", managed) + ", rlifetime=" + fmt("%d", router_lifetime) + ", reachable=" + fmt("%f", reachable_time) + ", retrans=" + fmt("%f", retrans_timer) + ")";
|
|
print " conn_id: " + fmt("%s", c$id);
|
|
print " icmp_conn: " + fmt("%s", icmp);
|
|
}
|