mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
af1809aaa3
This is a larger internal change that moves the analyzer
infrastructure to a more flexible model where the available analyzers
don't need to be hardcoded at compile time anymore. While currently
they actually still are, this will in the future enable external
analyzer plugins. For now, it does already add the capability to
dynamically enable/disable analyzers from script-land, replacing the
old Analyzer::Available() methods.
There are three major parts going into this:
- A new plugin infrastructure in src/plugin. This is independent
of analyzers and will eventually support plugins for other parts
of Bro as well (think: readers and writers). The goal is that
plugins can be alternatively compiled in statically or loadead
dynamically at runtime from a shared library. While the latter
isn't there yet, there'll be almost no code change for a plugin
to make it dynamic later (hopefully :)
- New analyzer infrastructure in src/analyzer. I've moved a number
of analyzer-related classes here, including Analyzer and DPM;
the latter now renamed to Analyzer::Manager. More will move here
later. Currently, there's only one plugin here, which provides
*all* existing analyzers. We can modularize this further in the
future (or not).
- A new script interface in base/framework/analyzer. I think that
this will eventually replace the dpm framework, but for now
that's still there as well, though some parts have moved over.
I've also remove the dpd_config table; ports are now configured via
the analyzer framework. For exmaple, for SSH:
const ports = { 22/tcp } &redef;
event bro_init() &priority=5
{
...
Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
}
As you can see, the old ANALYZER_SSH constants have more into an enum
in the Analyzer namespace.
This is all hardly tested right now, and not everything works yet.
There's also a lot more cleanup to do (moving more classes around;
removing no longer used functionality; documenting script and C++
interfaces; regression tests). But it seems to generally work with a
small trace at least.
The debug stream "dpm" shows more about the loaded/enabled analyzers.
A new option -N lists loaded plugins and what they provide (including
those compiled in statically; i.e., right now it outputs all the
analyzers).
This is all not cast-in-stone yet, for some things we need to see if
they make sense this way. Feedback welcome.
95 lines
2.9 KiB
Text
95 lines
2.9 KiB
Text
@load base/frameworks/tunnels
|
|
@load ./consts
|
|
|
|
module SOCKS;
|
|
|
|
export {
|
|
redef enum Log::ID += { LOG };
|
|
|
|
type Info: record {
|
|
## Time when the proxy connection was first detected.
|
|
ts: time &log;
|
|
## Unique ID for the tunnel - may correspond to connection uid or be non-existent.
|
|
uid: string &log;
|
|
## The connection's 4-tuple of endpoint addresses/ports.
|
|
id: conn_id &log;
|
|
## Protocol version of SOCKS.
|
|
version: count &log;
|
|
## Username for the proxy if extracted from the network..
|
|
user: string &log &optional;
|
|
## Server status for the attempt at using the proxy.
|
|
status: string &log &optional;
|
|
## Client requested SOCKS address. Could be an address, a name or both.
|
|
request: SOCKS::Address &log &optional;
|
|
## Client requested port.
|
|
request_p: port &log &optional;
|
|
## Server bound address. Could be an address, a name or both.
|
|
bound: SOCKS::Address &log &optional;
|
|
## Server bound port.
|
|
bound_p: port &log &optional;
|
|
};
|
|
|
|
## Event that can be handled to access the SOCKS
|
|
## record as it is sent on to the logging framework.
|
|
global log_socks: event(rec: Info);
|
|
}
|
|
|
|
const ports = { 1080/tcp };
|
|
redef likely_server_ports += { ports };
|
|
|
|
event bro_init() &priority=5
|
|
{
|
|
Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks]);
|
|
Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, ports);
|
|
}
|
|
|
|
redef record connection += {
|
|
socks: SOCKS::Info &optional;
|
|
};
|
|
|
|
# Configure DPD
|
|
redef capture_filters += { ["socks"] = "tcp port 1080" };
|
|
redef likely_server_ports += { 1080/tcp };
|
|
|
|
function set_session(c: connection, version: count)
|
|
{
|
|
if ( ! c?$socks )
|
|
c$socks = [$ts=network_time(), $id=c$id, $uid=c$uid, $version=version];
|
|
}
|
|
|
|
event socks_request(c: connection, version: count, request_type: count,
|
|
sa: SOCKS::Address, p: port, user: string) &priority=5
|
|
{
|
|
set_session(c, version);
|
|
|
|
c$socks$request = sa;
|
|
c$socks$request_p = p;
|
|
|
|
# Copy this conn_id and set the orig_p to zero because in the case of SOCKS proxies there will
|
|
# be potentially many source ports since a new proxy connection is established for each
|
|
# proxied connection. We treat this as a singular "tunnel".
|
|
local cid = copy(c$id);
|
|
cid$orig_p = 0/tcp;
|
|
Tunnel::register([$cid=cid, $tunnel_type=Tunnel::SOCKS]);
|
|
}
|
|
|
|
event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port) &priority=5
|
|
{
|
|
set_session(c, version);
|
|
|
|
if ( version == 5 )
|
|
c$socks$status = v5_status[reply];
|
|
else if ( version == 4 )
|
|
c$socks$status = v4_status[reply];
|
|
|
|
c$socks$bound = sa;
|
|
c$socks$bound_p = p;
|
|
}
|
|
|
|
event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port) &priority=-5
|
|
{
|
|
# This will handle the case where the analyzer failed in some way and was removed. We probably
|
|
# don't want to log these connections.
|
|
if ( "SOCKS" in c$service )
|
|
Log::write(SOCKS::LOG, c$socks);
|
|
}
|