[Bro-Dev] #830: topic/tunnels

Bro Tracker bro at tracker.bro-ids.org
Thu Jun 7 14:07:21 PDT 2012


#830: topic/tunnels
--------------------+------------------------
 Reporter:  jsiwek  |      Owner:  seth
     Type:  Task    |     Status:  new
 Priority:  Normal  |  Milestone:  Bro2.1
Component:  Bro     |    Version:  git/master
 Keywords:          |
--------------------+------------------------
 This branch is in `bro`, `cmake`, `bro-testing`, and `bro-testing-private`
 so far.  It adds support for different forms of tunnel decapsulation:
 IPv{4,6}-in-IPv{4,6}, Teredo, and AYIYA.  The usual packet processing will
 recurse on the encapsulated packets, and the presence of tunnels is
 conveyed in three major ways at the script layer:

 1) base/frameworks/tunnels creates a new tunnel.log to log discovery of
 new tunnels
 2) connection records have been extended with a *tunnel* field to indicate
 whether the connection exists within a tunnel
 3) base/protocols/conn will log in conn.log the UIDs of all tunnels a
 given connection was seen encapsulated within, and that UID can be used to
 cross reference the tunnel UIDs in tunnel.log or other connection UIDs in
 conn.log

 A SOCKS v4 analyzer was also (re)added and currently any SOCKS requests
 register themselves at the scripting layer as a type of tunnel.

 Seth, can you look into the following and turn it into a merge request after:

 * Does the representation of tunnels at the scripting-layer and/or format
 of tunnel.log need any tweaks?
 * Are the connections analyzed via SOCKS understandable or does something
 more have to be done in the logs to make it more clear that one endpoint
 is still the proxy and maybe not the real destination?  (I think being
 able to cross reference tunnel.log by UID or lookup in the
 `Tunnel::active` table by `conn_id` can be helpful here)
 * Anything you want to clean up in base/protocols/socks/main.bro (tons of
 commented-out stuff in there)?
 * SOCKS needs a test case.

 Robin, if you had time to start looking at the branch and want to make
 suggestions, that would help, too.

-- 
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/830>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
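The cross-referencing the ticket describes (conn.log carrying the UIDs of the tunnels a connection was seen inside, which are then looked up in tunnel.log) can be done offline over the two logs. The script below is an added example, not code from the ticket or from the Bro project. It assumes Bro's TSV log layout (a `#fields` header naming the columns, tab separators, `-` for an unset field, `,` joining set members), assumes the conn.log column holding the enclosing tunnel UIDs is named `tunnel_parents`, and assumes tunnel.log has `uid` and `tunnel_type` columns with enum values such as `Tunnel::SOCKS`; these names and the sample log lines are constructed for the example, not taken from the ticket.

```python
"""Cross-reference Bro conn.log entries with tunnel.log by tunnel UID.

Added example, not part of the ticket or of Bro.  Assumed (not from the
ticket): the conn.log column 'tunnel_parents', the tunnel.log columns
'uid' and 'tunnel_type', and the enum value 'Tunnel::SOCKS'.
"""
from typing import Dict, List, Optional

SET_SEP = ","   # Bro joins members of a set field with ','
UNSET = "-"     # Bro writes '-' for an unset field

# Constructed sample logs (not captured data).  T2 is a SOCKS "tunnel",
# C3 sits inside two nested tunnels, C4 references a UID never logged.
TUNNEL_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttunnel_type\taction\n"
    "1339100000.1\tT1\t10.0.0.1\t3544\t65.55.158.118\t3544\tTunnel::TEREDO\tTunnel::DISCOVER\n"
    "1339100000.2\tT2\t10.0.0.2\t1080\t10.0.0.9\t1080\tTunnel::SOCKS\tTunnel::DISCOVER\n"
    "1339100000.3\tT3\t10.0.0.3\t0\t10.0.0.4\t0\tTunnel::IP\tTunnel::DISCOVER\n"
)
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\ttunnel_parents\n"
    "1339100001.0\tC1\t192.168.1.5\t40000\t93.184.216.34\t80\ttcp\thttp\t-\n"
    "1339100002.0\tC2\t10.0.0.2\t50000\t93.184.216.34\t80\ttcp\thttp\tT2\n"
    "1339100003.0\tC3\t2001:0:4136:e378::1\t12345\t2001:db8::10\t443\ttcp\tssl\tT1,T3\n"
    "1339100004.0\tC4\t10.0.0.7\t40001\t10.0.0.8\t22\ttcp\tssh\tT9\n"
)


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse a Bro TSV log into one dict per record, keyed by the column
    names on the '#fields' header.  Other '#' lines carry no records."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#fields"):
                fields = line.split("\t")[1:]
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count does not match #fields header: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def parent_uids(conn: Dict[str, str], field: str = "tunnel_parents") -> List[str]:
    """UIDs of the tunnels this connection was encapsulated in (assumed column)."""
    raw = conn.get(field, UNSET)
    if raw in (UNSET, ""):
        return []
    return raw.split(SET_SEP)


def annotate(conn_text: str, tunnel_text: str,
             field: str = "tunnel_parents") -> Dict[str, Dict[str, object]]:
    """For each conn.log UID, resolve its tunnel UIDs against tunnel.log and
    flag connections seen through a SOCKS proxy, where id.resp_h of the
    proxied connection is the proxy rather than the real destination."""
    tunnels = {t["uid"]: t for t in parse_bro_log(tunnel_text)}
    report: Dict[str, Dict[str, object]] = {}
    for conn in parse_bro_log(conn_text):
        types: List[str] = []
        proxy: Optional[str] = None
        for uid in parent_uids(conn, field):
            t = tunnels.get(uid)
            if t is None:
                types.append("unknown:" + uid)   # no tunnel.log record for it
                continue
            types.append(t["tunnel_type"])
            if t["tunnel_type"] == "Tunnel::SOCKS":
                proxy = t["id.resp_h"]           # the SOCKS server's address
        report[conn["uid"]] = {
            "tunnels": types,
            "proxied": proxy is not None,
            "proxy": proxy,
            "resp_h": conn["id.resp_h"],
        }
    return report


if __name__ == "__main__":
    for uid, info in annotate(CONN_LOG, TUNNEL_LOG).items():
        print(uid, info)
```

A real run would read the two files with the same `#fields` convention; a UID in `tunnel_parents` with no matching tunnel.log record is reported as `unknown:<uid>` rather than dropped, since that mismatch is itself worth noticing when checking the logging described in the ticket.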