
Internally, all BROv6 preprocessor switches were removed and addr/subnet representations wrapped in the new IPAddr/IPPrefix classes. Some script-layer changes of note: - dns_AAAA_reply event signature changed: the string representation of an IPv6 addr is easily derived from the addr value, it doesn't need to be another parameter. This event also now generated directly by the DNS analyzer instead of being "faked" into a dns_A_reply event. - removed addr_to_count BIF. It used to return the host-order count representation of IPv4 addresses only. To make it more generic, we might later add a BIF to return a vector of counts in order to support IPv6. - changed the result of enclosing addr variables in vertical pipes (e.g. |my_addr|) to return the bit-width of the address type which is 128 for IPv6 and 32 for IPv4. It used to function the same way as addr_to_count mentioned above. - remove bro_has_ipv6 BIF
#include "PacketFilter.h"
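// Installs a drop filter keyed on a single source address.
//
// src:         address to match; inserted into src_filter with a width
//              argument of 128.
// tcp_flags:   TCP flag mask stored on the filter; MatchFilter() exempts TCP
//              packets carrying any of these flags from being dropped.
// probability: drop probability, scaled by RAND_MAX into an integer
//              threshold. Values outside [0, 1] and NaN are clamped, because
//              converting an out-of-range double to uint32 is undefined
//              behaviour.
void PacketFilter::AddSrc(const IPAddr& src, uint32 tcp_flags, double probability)
	{
	// "! (p > 0)" is also true for NaN, so NaN ends up as "never drop".
	if ( ! (probability > 0.0) )
		probability = 0.0;
	else if ( probability > 1.0 )
		probability = 1.0;

	Filter* f = new Filter;
	f->tcp_flags = tcp_flags;
	f->probability = uint32(probability * RAND_MAX);

	// NOTE(review): whatever Insert() returns is ignored. If it hands back a
	// Filter previously stored under the same key, that object is never
	// freed here -- confirm against the table's ownership rules.
	src_filter.Insert(src, 128, f);
	}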
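// Installs a drop filter keyed on a script-layer value describing the source.
//
// src:         passed unchanged to src_filter.Insert(); the accepted Val
//              types are not visible here -- presumably an addr or subnet
//              value (confirm against the table's Insert(Val*, ...)).
// tcp_flags:   TCP flag mask stored on the filter; MatchFilter() exempts TCP
//              packets carrying any of these flags from being dropped.
// probability: drop probability, scaled by RAND_MAX into an integer
//              threshold. Values outside [0, 1] and NaN are clamped, because
//              converting an out-of-range double to uint32 is undefined
//              behaviour.
void PacketFilter::AddSrc(Val* src, uint32 tcp_flags, double probability)
	{
	// "! (p > 0)" is also true for NaN, so NaN ends up as "never drop".
	if ( ! (probability > 0.0) )
		probability = 0.0;
	else if ( probability > 1.0 )
		probability = 1.0;

	Filter* f = new Filter;
	f->tcp_flags = tcp_flags;
	f->probability = uint32(probability * RAND_MAX);

	// NOTE(review): whatever Insert() returns is ignored. If it hands back a
	// Filter previously stored under the same key, that object is never
	// freed here -- confirm against the table's ownership rules.
	src_filter.Insert(src, f);
	}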
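// Installs a drop filter keyed on a single destination address.
//
// dst:         address to match; inserted into dst_filter with a width
//              argument of 128.
// tcp_flags:   TCP flag mask stored on the filter; MatchFilter() exempts TCP
//              packets carrying any of these flags from being dropped.
// probability: drop probability, scaled by RAND_MAX into an integer
//              threshold. Values outside [0, 1] and NaN are clamped, because
//              converting an out-of-range double to uint32 is undefined
//              behaviour.
void PacketFilter::AddDst(const IPAddr& dst, uint32 tcp_flags, double probability)
	{
	// "! (p > 0)" is also true for NaN, so NaN ends up as "never drop".
	if ( ! (probability > 0.0) )
		probability = 0.0;
	else if ( probability > 1.0 )
		probability = 1.0;

	Filter* f = new Filter;
	f->tcp_flags = tcp_flags;
	f->probability = uint32(probability * RAND_MAX);

	// NOTE(review): whatever Insert() returns is ignored. If it hands back a
	// Filter previously stored under the same key, that object is never
	// freed here -- confirm against the table's ownership rules.
	dst_filter.Insert(dst, 128, f);
	}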
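// Installs a drop filter keyed on a script-layer value describing the
// destination.
//
// dst:         passed unchanged to dst_filter.Insert(); the accepted Val
//              types are not visible here -- presumably an addr or subnet
//              value (confirm against the table's Insert(Val*, ...)).
// tcp_flags:   TCP flag mask stored on the filter; MatchFilter() exempts TCP
//              packets carrying any of these flags from being dropped.
// probability: drop probability, scaled by RAND_MAX into an integer
//              threshold. Values outside [0, 1] and NaN are clamped, because
//              converting an out-of-range double to uint32 is undefined
//              behaviour.
void PacketFilter::AddDst(Val* dst, uint32 tcp_flags, double probability)
	{
	// "! (p > 0)" is also true for NaN, so NaN ends up as "never drop".
	if ( ! (probability > 0.0) )
		probability = 0.0;
	else if ( probability > 1.0 )
		probability = 1.0;

	Filter* f = new Filter;
	f->tcp_flags = tcp_flags;
	f->probability = uint32(probability * RAND_MAX);

	// NOTE(review): whatever Insert() returns is ignored. If it hands back a
	// Filter previously stored under the same key, that object is never
	// freed here -- confirm against the table's ownership rules.
	dst_filter.Insert(dst, f);
	}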
// Removes the source-address filter stored for `src` (width argument 128).
// Returns true when src_filter.Remove() yields a non-zero result.
bool PacketFilter::RemoveSrc(const IPAddr& src)
	{
	// NOTE(review): the result is only tested, never released. If it is the
	// Filter allocated by AddSrc(), nothing here frees it -- confirm who
	// owns entries once they leave the table.
	const bool had_entry = src_filter.Remove(src, 128) != 0;
	return had_entry;
	}
// Removes the source filter identified by the script-layer value `src`.
// Returns true when src_filter.Remove() yields a non-null result.
bool PacketFilter::RemoveSrc(Val* src)
	{
	// NOTE(review): the result is only tested, never released. If it is the
	// Filter allocated by AddSrc(), nothing here frees it -- confirm who
	// owns entries once they leave the table.
	const bool had_entry = src_filter.Remove(src) != NULL;
	return had_entry;
	}
// Removes the destination-address filter stored for `dst` (width argument
// 128). Returns true when dst_filter.Remove() yields a non-null result.
bool PacketFilter::RemoveDst(const IPAddr& dst)
	{
	// NOTE(review): the result is only tested, never released. If it is the
	// Filter allocated by AddDst(), nothing here frees it -- confirm who
	// owns entries once they leave the table.
	const bool had_entry = dst_filter.Remove(dst, 128) != NULL;
	return had_entry;
	}
// Removes the destination filter identified by the script-layer value `dst`.
// Returns true when dst_filter.Remove() yields a non-null result.
bool PacketFilter::RemoveDst(Val* dst)
	{
	// NOTE(review): the result is only tested, never released. If it is the
	// Filter allocated by AddDst(), nothing here frees it -- confirm who
	// owns entries once they leave the table.
	const bool had_entry = dst_filter.Remove(dst) != NULL;
	return had_entry;
	}
// Decides whether a packet matches an installed filter.
//
// The source-address table is consulted first; the destination-address table
// is only consulted when no source entry exists. With no entry in either
// table the result is default_match.
//
// ip:     parsed IP header of the packet; dereferenced unconditionally, so
//         it must not be null.
// len:    packet length, forwarded unchanged to MatchFilter().
// caplen: captured length, forwarded unchanged to MatchFilter().
bool PacketFilter::Match(const IP_Hdr* ip, int len, int caplen)
	{
	Filter* by_src = (Filter*) src_filter.Lookup(ip->SrcAddr(), 128);
	if ( by_src )
		return MatchFilter(*by_src, *ip, len, caplen);

	Filter* by_dst = (Filter*) dst_filter.Lookup(ip->DstAddr(), 128);
	if ( by_dst )
		return MatchFilter(*by_dst, *ip, len, caplen);

	return default_match;
	}
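// Applies one filter entry to a packet and reports whether it should be
// dropped.
//
// A TCP packet carrying at least one of the flags in f.tcp_flags is never
// dropped. Every other packet is dropped when a fresh random value falls
// below f.probability.
//
// f:      filter entry found for the packet's source or destination.
// ip:     parsed IP header of the packet.
// len:    packet length, counted from the start of the IP header.
// caplen: captured length, counted from the start of the IP header.
//
// Returns true to drop the packet, false to keep it.
bool PacketFilter::MatchFilter(const Filter& f, const IP_Hdr& ip,
				int len, int caplen)
	{
	if ( ip.NextProto() == IPPROTO_TCP && f.tcp_flags )
		{
		// Caution! The packet sanity checks have not been performed yet,
		// so every length taken from the packet is validated here before
		// it is used to locate the TCP header.
		const struct ip* ip4 = ip.IP4_Hdr();

		if ( ! ip4 )
			// NOTE(review): presumably IP4_Hdr() is null for a non-IPv4
			// packet -- confirm. The flags cannot be inspected through
			// this path, so keep the packet rather than dereference.
			return false;

		int ip_hdr_len = ip4->ip_hl * 4;

		if ( ip_hdr_len < (int) sizeof(struct ip) )
			// Header length field below the fixed IPv4 header size:
			// malformed, left for the later sanity checks.
			return false;

		len -= ip_hdr_len;	// remove IP header
		caplen -= ip_hdr_len;

		// Compare as signed values. An ip_hl larger than the packet makes
		// these differences negative; an unsigned comparison would wrap
		// them into huge values, pass the check, and let the flag read
		// below run past the captured data.
		if ( len < (int) sizeof(struct tcphdr) ||
		     caplen < (int) sizeof(struct tcphdr) )
			// Packet too short, will be dropped anyway.
			return false;

		const struct tcphdr* tp =
			(const struct tcphdr*) ((const u_char*) ip4 + ip_hdr_len);

		if ( tp->th_flags & f.tcp_flags )
			// At least one of the flags is set, so don't drop
			return false;
		}

	return uint32(bro_random()) < f.probability;
	}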