[Bro] Broadcast detection

Daniel Thayer dnthayer at illinois.edu
Thu Sep 3 23:39:04 PDT 2015


Here is a simpler implementation of this function (no other
changes to Bro are needed):

function subnet_end%(s: subnet%): addr
     %{
     IPAddr mask;
     int offset = 0;

     if ( s->Prefix().GetFamily() == IPv4 )
         {
         mask = IPAddr("255.255.255.255");
         offset = 96;
         }
     else
         {
         mask = IPAddr("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff");
         }

     mask.ReverseMask(offset + s->Width());

     return new AddrVal(mask | s->Prefix());
     %}


On 09/03/2015 09:41 PM, anthony kasza wrote:
> I believe I have some logic that solves this. I created an xor (^)
> operator for IPAddr types similar to the inclusive or (|) and am
> making use of it to calculate the broadcast address of a subnet. My
> BiF follows:
>
> function subnet_end%(snet: subnet%): addr
>          %{
>          IPAddr broadcast;
>
>          if (snet->Prefix().GetFamily() == IPv4)   //ipv4
>                  {
>                  broadcast = (IPAddr(string("255.255.255.255")) ^
> snet->Mask()) | snet->Prefix();
>                  }
>          else if (snet->Prefix().GetFamily() == IPv6)    //ipv6
>                  {
>                  broadcast =
> (IPAddr(string("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")) ^
> snet->Mask()) | snet->Prefix();
>                  }
>          else
>                  {
>                  reporter->InternalError("Unsupported address size. Not
> IPv4 or IPv6.");
>                  }
>
>          return new AddrVal(broadcast);
>          %}
>
>
> When calling this from scriptland, v6 addresses work properly.
> However, v4 addresses are represented as v6 addresses still. I am
> missing some concept around how IPAddrs can be either v4 or v6 and how
> scriptland knows the difference. How might I properly indicate the
> IPAddr in the returned AddrVal is meant to represent a v4 address
> instead of a v6 address?
> Thanks!
>
> -AK
>
> On Thu, Aug 27, 2015 at 8:03 AM, Robin Sommer <robin at icir.org> wrote:
>>
>>
>> On Wed, Aug 26, 2015 at 18:12 -0700, anthony kasza wrote:
>>
>>> I'm looking to write a bif which does this. How can I access a subnet's
>>> prefix as an int?
>>
>> snet->Prefix() yields an IPAddr. You don't easily get that as an int,
>> but it has a method for getting it as a sequence of bytes:
>>
>>      int GetBytes(const uint32_t** bytes)
>>
>> That works for both IPv4 and v6.
>>
>> That said, I think you can solve this more easily by combining some
>> other methods that IPAddr offers as well:
>>
>>       /**
>>           * Masks out lower bits of the address.
>>           [...]
>>           */
>>          void Mask(int top_bits_to_keep);
>>
>>       /**
>>           * Masks out top bits of the address.
>>          [...]
>>           */
>>          void ReverseMask(int top_bits_to_chop);
>>
>>        /**
>>           * Bitwise OR operator returns the IP address resulting from the bitwise
>>           * OR operation on the raw bytes of this address with another.
>>           */
>>         IPAddr operator|(const IPAddr& other)
>>
>> You'd mask out the lower bits of the prefix, mask out the upper bits
>> of 255.255.255.255 (for IPv4), and then "or" the two together.
>>
>> Robin
>>
>> --
>> Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>


More information about the Bro mailing list