[Bro] Broadcast detection
anthony kasza
anthony.kasza at gmail.com
Fri Sep 4 08:00:13 PDT 2015
That's much cleaner and doesn't have the v4/v6 issue I introduced. Thanks
Daniel. I understand now why Robin suggested using those methods.
-AK
On Sep 3, 2015 11:38 PM, "Daniel Thayer" <dnthayer at illinois.edu> wrote:
> Here is a simpler implementation of this function (no other
> changes to Bro are needed):
>
> function subnet_end%(s: subnet%): addr
> %{
> IPAddr mask;
> int offset = 0;
>
> if ( s->Prefix().GetFamily() == IPv4 )
> {
> mask = IPAddr("255.255.255.255");
> offset = 96;
> }
> else
> {
> mask = IPAddr("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff");
> }
>
> mask.ReverseMask(offset + s->Width());
>
> return new AddrVal(mask | s->Prefix());
> %}
>
>
> On 09/03/2015 09:41 PM, anthony kasza wrote:
>
>> I believe I have some logic that solves this. I created an xor (^)
>> operator for IPAddr types similar to the inclusive or (|) and am
>> making use of it to calculate the broadcast address of a subnet. My
>> BiF follows:
>>
>> function subnet_end%(snet: subnet%): addr
>> %{
>> IPAddr broadcast;
>>
>> if (snet->Prefix().GetFamily() == IPv4) //ipv4
>> {
>> broadcast = (IPAddr(string("255.255.255.255")) ^
>> snet->Mask()) | snet->Prefix();
>> }
>> else if (snet->Prefix().GetFamily() == IPv6) //ipv6
>> {
>> broadcast =
>> (IPAddr(string("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")) ^
>> snet->Mask()) | snet->Prefix();
>> }
>> else
>> {
>> reporter->InternalError("Unsupported address size. Not
>> IPv4 or IPv6.");
>> }
>>
>> return new AddrVal(broadcast);
>> %}
>>
>>
>> When calling this from scriptland, v6 addresses work properly.
>> However, v4 addresses are represented as v6 addresses still. I am
>> missing some concept around how IPAddrs can be either v4 or v6 and how
>> scriptland knows the difference. How might I properly indicate the
>> IPAddr in the returned AddrVal is meant to represent a v4 address
>> instead of a v6 address?
>> Thanks!
>>
>> -AK
>>
>> On Thu, Aug 27, 2015 at 8:03 AM, Robin Sommer <robin at icir.org> wrote:
>>
>>>
>>>
>>> On Wed, Aug 26, 2015 at 18:12 -0700, anthony kasza wrote:
>>>
>>> I'm looking to write a bif which does this. How can I access a subnet's
>>>> prefix as an int?
>>>>
>>>
>>> snet->Prefix() yields an IPAddr. You don't easily get that as an int,
>>> but it has a method for getting it as a sequence of bytes:
>>>
>>> int GetBytes(const uint32_t** bytes)
>>>
>>> That works for both IPv4 and v6.
>>>
>>> That said, I think you can solve this more easily by combining some
>>> other methods that IPAddr offers as well:
>>>
>>> /**
>>> * Masks out lower bits of the address.
>>> [...]
>>> */
>>> void Mask(int top_bits_to_keep);
>>>
>>> /**
>>> * Masks out top bits of the address.
>>> [...]
>>> */
>>> void ReverseMask(int top_bits_to_chop);
>>>
>>> /**
>>> * Bitwise OR operator returns the IP address resulting from
>>> the bitwise
>>> * OR operation on the raw bytes of this address with another.
>>> */
>>> IPAddr operator|(const IPAddr& other)
>>>
>>> You'd mask out the lower bits of the prefix, mask out the upper bits
>>> of 255.255.255.255 (for IPv4), and then "or" the two together.
>>>
>>> Robin
>>>
>>> --
>>> Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
>>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150904/c22706f0/attachment.html
More information about the Bro
mailing list