[Bro] tcp contents
john mcnicholas
jomcn at mail.com
Mon Nov 29 11:12:02 PST 2004
In short, this is what I'm trying to do: I want to selectively save
the payload/contents of a TCP stream to a file, based just on the
protocol/port number. Note: I can currently do this using two different
approaches, but I'm looking for the "right" way.
a. (This approach works, but I modified the source code.) The small
TCP_TransactionConnection class below, in conjunction with a simple
policy script, does appear to successfully save the TCP contents for
POP3, SMTP and HTTP. (Yes, trivial code changes were made to substitute
TCP_TransactionConnection for SMTP_Conn and HTTP_Conn in
Sessions.cc.) The simple policy script filters on the desired ports
and assigns a contents file each time a TCP connection is created.
b. (This approach also works, but it is not as efficient as the one above.) I
was able to save the HTTP and SMTP data just by creating empty event
handlers (for "event smtp_data" and "event http_reply") in conjunction
with the identical policy script used above. This is less efficient
than the first approach because of all the processing done by the
HTTP_Conn and SMTP_Conn classes, which would not be utilized by this
prototype/application.
c. (This approach may have potential, but it doesn't look like it can
work in the current code.) There is a TCP_ConnectionContents class that
gets instantiated if a "new_connection_contents" policy handler exists
(in Sessions.cc), but it doesn't look like it can limit itself to a certain
number of protocols/ports. In addition, it doesn't look like the code
there was fully implemented in the BuildEndpoints method for the
TCP_ConnectionContents class (the TCP_CONTENTS_BOTH case is missing).
Bottom line: since I'm not that familiar with the source code, how does
this feature/goal fit into the overall design of Bro, and is there
already a way to accomplish it? Determining whether this feature is of
value is probably the first question.
Thanks again for your help and your time. If anything is unclear
please let me know.
John
//-----------------------------------------------------------------------------
//---- here is the TCP_TransactionConnection code that I've been using
//---- for testing.
//-----------------------------------------------------------------------------
// A minimal TCP_Connection subclass whose only job is to attach a
// line-oriented contents processor to each endpoint, so that a contents
// file assigned from the policy script receives the raw stream payload
// without any application-layer (HTTP/SMTP) analysis being run.
// Assumes the Bro headers declaring TCP_Connection, TCP_ContentLine,
// NetSessions, HashKey and ConnID are already included (not shown here).
class TCP_TransactionConnection : public TCP_Connection
{
public:
	TCP_TransactionConnection(NetSessions* s, HashKey* k, double t,
	                          const ConnID* id, const struct tcphdr* tp);

	// Called once per connection to create the per-endpoint processors.
	void BuildEndpoints();
};

TCP_TransactionConnection::TCP_TransactionConnection(NetSessions* s,
                                                     HashKey* k, double t,
                                                     const ConnID* id,
                                                     const struct tcphdr* tp)
	: TCP_Connection(s, k, t, id, tp)
	{
	}

void TCP_TransactionConnection::BuildEndpoints()
	{
	// TCP_ContentLine(endpoint, is_orig, NUL_sensitive, skip_partial),
	// following the argument order the original comment indicated:
	// is_orig = 1 marks the originator side; NUL_sensitive = 0 passes
	// NUL bytes through unchanged; skip_partial = 1 ignores connections
	// picked up mid-stream, whose contents cannot be reassembled from
	// the start.
	orig->AddContentsProcessor(new TCP_ContentLine(orig, 1, 0, 1));
	resp->AddContentsProcessor(new TCP_ContentLine(resp, 0, 0, 1));
	}
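An added example, not taken from John's post or from the Bro distribution: a policy script for the port-filtered contents capture that approaches a and c above both rely on. It assumes the Bro script API of that era (the new_connection_contents event, set_contents_file with the CONTENTS_ORIG/CONTENTS_RESP constants, open, fmt, capture_filters, and fmt printing a port with %d as a bare number); the port set, output directory and file-naming scheme are illustrative choices, not Bro defaults.

```bro
# Added example: write the raw TCP payload of each connection to disk,
# but only for the ports of interest. Assumes the 2004-era Bro script
# API; the port set, directory and file naming are illustrative.

# Ports whose payload should be saved (assumed example set: SMTP, HTTP, POP3).
const contents_ports: set[port] = { 25/tcp, 80/tcp, 110/tcp } &redef;

# Output directory; assumed to exist already, since open() is not
# expected to create directories.
const contents_dir = "tcp-contents" &redef;

# Limit what reaches Bro at the BPF level. Since declaring a
# new_connection_contents handler makes Sessions.cc build the contents
# processors for every TCP connection it sees, this capture filter is
# what actually keeps that work confined to the chosen ports.
redef capture_filters += {
	["tcp-contents"] = "tcp port 25 or tcp port 80 or tcp port 110"
};

# One file name per direction, so originator and responder bytes never
# interleave in a single file.
function contents_fname(c: connection, direction: string): string
	{
	local id = c$id;
	return fmt("%s/%.6f.%s.%d-%s.%d.%s", contents_dir, c$start_time,
	           id$orig_h, id$orig_p, id$resp_h, id$resp_p, direction);
	}

event new_connection_contents(c: connection)
	{
	# Script-level filter: the processors for this connection already
	# exist at this point, but files are only assigned for the ports we
	# care about, so nothing else ever touches the disk.
	if ( c$id$resp_p !in contents_ports )
		return;

	# CONTENTS_ORIG receives the client->server bytes, CONTENTS_RESP the
	# server->client bytes. Two separate files are used deliberately
	# rather than a single CONTENTS_BOTH file.
	set_contents_file(c$id, CONTENTS_ORIG, open(contents_fname(c, "orig")));
	set_contents_file(c$id, CONTENTS_RESP, open(contents_fname(c, "resp")));
	}
```

Keeping the two directions in separate files also sidesteps the missing TCP_CONTENTS_BOTH case in TCP_ConnectionContents::BuildEndpoints that the post points out, and it gives a forensic analyst request and response streams that can be read independently. The early return in the handler does not save any C++-side work, which is exactly the efficiency concern raised under approach c; only the capture filter does that.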