[Bro-Dev] #830: topic/tunnels
Bro Tracker
bro at tracker.bro-ids.org
Thu Jun 7 14:07:21 PDT 2012
--------------------+------------------------
 Reporter:  jsiwek  |     Owner:  seth
     Type:  Task    |    Status:  new
 Priority:  Normal  | Milestone:  Bro2.1
Component:  Bro     |   Version:  git/master
 Keywords:          |
--------------------+------------------------
This branch is in `bro`, `cmake`, `bro-testing`, and `bro-testing-private`
so far. It adds support for different forms of tunnel decapsulation:
IPv{4,6}-in-IPv{4,6}, Teredo, and AYIYA. The usual packet processing will
recurse on the encapsulated packets, and the presence of tunnels is
conveyed in three major ways at the script layer:

1) base/frameworks/tunnels creates a new tunnel.log to log discovery of
   new tunnels
2) connection records have been extended with a *tunnel* field to indicate
   whether the connection exists within a tunnel
3) base/protocols/conn will log in conn.log the UIDs of all tunnels a
   given connection was seen encapsulated within, and that UID can be used to
   cross reference the tunnel UIDs in tunnel.log or other connection UIDs in
   conn.log

A SOCKS v4 analyzer was also (re)added and currently any SOCKS requests
register themselves at the scripting layer as a type of tunnel.
Seth, can you look into the following and turn it into a merge request
afterwards:

* Does the representation of tunnels at the scripting layer and/or the format
  of tunnel.log need any tweaks?
* Are the connections analyzed via SOCKS understandable, or does something
  more have to be done in the logs to make it clearer that one endpoint
  is still the proxy and maybe not the real destination? (I think being
  able to cross reference tunnel.log by UID or look up the
  `Tunnel::active` table by `conn_id` can be helpful here.)
* Anything you want to clean up in base/protocols/socks/main.bro (tons of
  commented out stuff in there)?
* SOCKS needs a test case.

Robin, if you have time to start looking at the branch and want to make
suggestions, that would help, too.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/830>
Bro Tracker <http://tracker.bro-ids.org/bro>
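An added example (not part of the ticket or the topic/tunnels branch) of how a script could consume the two script-layer hooks the ticket describes: the optional *tunnel* field on connection records and the `Tunnel::active` table keyed by `conn_id`. It assumes, as the ticket does not spell this out, that `Tunnel::active` is a `table[conn_id] of Tunnel::Info` whose entries carry the tunnel.log `uid` and a `tunnel_type` field, and that the connection's `tunnel` field is `&optional`.

```bro
# Added example; assumes the script-layer shapes noted in the lead-in.
@load base/frameworks/tunnels
@load base/frameworks/notice

module TunnelWatch;

export {
    redef enum Notice::Type += {
        ## This connection is itself a registered tunnel (e.g. a SOCKS
        ## session), so the responder may be the proxy, not the real peer.
        Tunnel_Endpoint,
        ## This connection was seen encapsulated inside another tunnel.
        Encapsulated_Connection,
    };
}

event connection_established(c: connection)
    {
    # Case 1: cross reference the connection's own conn_id against
    # Tunnel::active. A hit means this connection is the tunnel carrier;
    # its UID ties back to the matching tunnel.log entry.
    # (Assumption: Tunnel::Info has `uid` and `tunnel_type` fields.)
    if ( c$id in Tunnel::active )
        {
        local t = Tunnel::active[c$id];
        NOTICE([$note=Tunnel_Endpoint, $conn=c,
                $msg=fmt("%s is a %s tunnel (tunnel.log uid %s)",
                         c$uid, t$tunnel_type, t$uid)]);
        }

    # Case 2: the core only sets the tunnel field on connections it
    # found inside decapsulated packets (assumed &optional field), so
    # its presence alone says the traffic was carried within a tunnel.
    if ( c?$tunnel )
        NOTICE([$note=Encapsulated_Connection, $conn=c,
                $msg=fmt("%s was seen inside a tunnel", c$uid)]);
    }
```

Both notices keep the inner connection's UID in the message, so an analyst can pivot from notice.log to conn.log and from there to tunnel.log using the UIDs the branch already emits.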