ZEEK 二层协议解析

基于ZEEK 4.0.4 LTS

以GOOSE协议为例

ZEEK Plugin框架

ZEEK Plugin

ZEEK框架

GOOSE二层协议解析Plugin结构

root@zeek-VirtualBox:/home/zeek/workspace/zeek/src/packet_analysis/protocol/goose# tree
.
├── CMakeLists.txt
├── events.bif
├── goose.cc
├── goose.h
└── Plugin.cc

CMakeLists.txt

# Brings in the zeek_plugin_* helper functions used below.
include(ZeekPlugin)

# Search this source directory and its build directory first when resolving
# #include lines (the .bif.h header is generated into the build tree).
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})

# Plugin "Zeek::GOOSE": the two C++ sources plus the event definitions in
# events.bif, which zeek_plugin_bif turns into generated C++.
zeek_plugin_begin(Zeek GOOSE)
zeek_plugin_cc(goose.cc Plugin.cc)
zeek_plugin_bif(events.bif)
zeek_plugin_end()
  1. Plugin.cc
    定义GOOSE Plugin
  2. goose.cc
    定义GOOSE Analyzer
  3. events.bif
    定义event, 在ZEEK script中接收此EVENT,并做处理.

Plugin.cc

```c++
// See the file "COPYING" in the main distribution directory for copyright.

#include "zeek/plugin/Plugin.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/goose/goose.h"

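namespace zeek::plugin::Zeek_GOOSE {

// Plugin entry point: registers the GOOSE packet-analyzer component with
// Zeek's plugin framework so that ANALYZER_GOOSE can be wired to an
// ethertype from script land (see the zeek_init registration).
class Plugin : public zeek::plugin::Plugin {
public:
	// Called once by the plugin framework at load time. Adds the "GOOSE"
	// component (its factory is GOOSEAnalyzer::Instantiate) and returns
	// the plugin's name and description.
	//
	// The string literals here must be plain ASCII double quotes; the
	// typographic quotes that a web copy-paste introduces do not compile.
	zeek::plugin::Configuration Configure() override
		{
		// Zeek convention: AddComponent takes ownership of the raw pointer.
		AddComponent(new zeek::packet_analysis::Component("GOOSE",
			zeek::packet_analysis::GOOSE::GOOSEAnalyzer::Instantiate));

		zeek::plugin::Configuration config;
		config.name = "Zeek::GOOSE";
		config.description = "GOOSE packet analyzer";
		return config;
		}

} plugin;

}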

### goose.h
```c++
// See the file "COPYING" in the main distribution directory for copyright.

#pragma once

#include <sys/types.h>
#include <sys/socket.h>
#include <net/if_arp.h>

#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"

namespace zeek::packet_analysis::GOOSE {

// Packet analyzer for IEC 61850 GOOSE frames (registered for ethertype
// 0x88B8 in ethernet/main.zeek). Instances are created by the plugin
// framework through Instantiate().
class GOOSEAnalyzer : public Analyzer {
public:
	// Factory referenced by the "GOOSE" component in Plugin.cc.
	static zeek::packet_analysis::AnalyzerPtr Instantiate()
		{
		return std::make_shared<GOOSEAnalyzer>();
		}

	GOOSEAnalyzer();
	~GOOSEAnalyzer() override = default;

	// Entry point from the packet-analysis chain. `len` bytes are readable
	// at `data` (presumably the bytes following the Ethernet header, as
	// decided by the dispatching analyzer — confirm against the framework).
	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;

private:
	// Wraps the four bytes at `addr` as an IPv4 AddrVal; IPv6 is not handled.
	// NOTE(review): GOOSE is a pure layer-2 protocol and carries no IP
	// addresses — this looks like a leftover from the ARP analyzer.
	zeek::AddrValPtr ToAddrVal(const void* addr);

	// Formats the six bytes at `addr` as "aa:bb:cc:dd:ee:ff". There is no
	// length parameter: the caller must guarantee at least 6 readable bytes.
	zeek::StringValPtr ToEthAddrStr(const u_char* addr);
};

}

goose.cc

// See the file "COPYING" in the main distribution directory for copyright.

#include "zeek/zeek-config.h"
#include "zeek/packet_analysis/protocol/goose/goose.h"

#include <cstdio>
#include <cstring>

#ifdef HAVE_NET_ETHERNET_H
#include <net/ethernet.h>
#elif defined(HAVE_SYS_ETHERNET_H)
#include <sys/ethernet.h>
#elif defined(HAVE_NETINET_IF_ETHER_H)
#include <netinet/if_ether.h>
#elif defined(HAVE_NET_ETHERTYPES_H)
#include <net/ethertypes.h>
#endif

#include "zeek/Event.h"

#include "packet_analysis/protocol/goose/events.bif.h"

using namespace zeek::packet_analysis::GOOSE;

// Registers this analyzer under the name "GOOSE". The name must match the
// component name passed to AddComponent in Plugin.cc.
GOOSEAnalyzer::GOOSEAnalyzer() : Analyzer("GOOSE") { }

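// Called by the packet-analysis chain for every frame dispatched to
// ANALYZER_GOOSE (ethertype 0x88B8 in ethernet/main.zeek).
//
// len:    number of readable bytes at `data`.
// data:   the GOOSE payload (presumably everything after the Ethernet
//         header — the dispatching analyzer decides; TODO confirm).
// packet: the Packet being analyzed; used here only for weird reporting.
//
// Returns true when the frame is consumed (nothing further in the chain
// handles it), false after reporting a weird for a malformed frame.
bool GOOSEAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
	{
	// IEC 61850-8-1 places a fixed 8-byte header (APPID, Length, Reserved1,
	// Reserved2) in front of the BER-encoded APDU. Reject anything shorter
	// before touching the buffer, so a truncated or hostile frame can never
	// cause an out-of-bounds read once real decoding is added here.
	// NOTE(review): header size taken from the standard, not from this
	// file — confirm before extending the parser.
	constexpr size_t kGooseFixedHeaderLen = 8;
	if ( ! data || len < kGooseFixedHeaderLen )
		{
		Weird("truncated_goose_frame", packet);
		return false;
		}

	// Tutorial placeholder proving the analyzer is reached (see the
	// "zeek -r GOOSE.pcap" run). Replace with real decoding that raises
	// goose_request from events.bif; an unbuffered printf on the
	// per-packet path is not acceptable in a deployed sensor.
	printf("test\n");

	// Leave packet analyzer land
	return true;
	}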

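// Builds an AddrVal from the four bytes at `addr`, which must hold an IPv4
// address (presumably in network byte order, as the AddrVal(uint32_t)
// constructor expects — confirm against Val.h). IPv6 is not handled.
//
// memcpy is used instead of dereferencing `addr` through a uint32_t*:
// packet buffers are byte arrays with no alignment guarantee, so the cast
// form is an unaligned (and strict-aliasing) read.
// NOTE(review): GOOSE carries no IP addresses; this helper looks like a
// leftover from the ARP analyzer and is currently unused in this file.
zeek::AddrValPtr GOOSEAnalyzer::ToAddrVal(const void* addr)
	{
	uint32_t raw = 0;
	std::memcpy(&raw, addr, sizeof(raw));
	return zeek::make_intrusive<zeek::AddrVal>(raw);
	}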
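// Renders the six bytes at `addr` as a lowercase, colon-separated MAC
// string ("aa:bb:cc:dd:ee:ff").
//
// Precondition: at least 6 readable bytes at `addr`. There is no length
// parameter, so this cannot be checked here — callers must bounds-check
// the frame before calling.
zeek::StringValPtr GOOSEAnalyzer::ToEthAddrStr(const u_char* addr)
	{
	// 6 * "xx" + 5 * ":" + NUL = 18 bytes; snprintf bounds the write to
	// sizeof(buf), so the buffer is sized to the output rather than to
	// an arbitrary 1 KiB.
	char buf[18];
	snprintf(buf, sizeof(buf), "%02x:%02x:%02x:%02x:%02x:%02x",
	         addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]);
	return zeek::make_intrusive<zeek::StringVal>(buf);
	}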

events.bif

## Generated by the GOOSE packet analyzer (ethertype 0x88B8).
##
## NOTE(review): the analyzer stub in goose.cc does not raise this event
## yet; its parameters mirror the ARP analyzer this plugin was modelled on,
## and the original description text (ARP requests, Wikipedia ARP link)
## was copied from there.
##
## mac_src: The frame's source MAC address (presumably formatted by
##          ToEthAddrStr as "aa:bb:cc:dd:ee:ff").
##
## mac_dst: The frame's destination MAC address, in the same form.
event goose_request%(mac_src: string, mac_dst: string%);

Register Analyzer

/home/zeek/workspace/zeek/scripts/base/packet-protocols/ethernet/main.zeek

# Ethernet dispatch table: maps the ethertype found after the Ethernet
# header to the packet analyzer that handles the payload.
event zeek_init() &priority=20
	{
	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8847, PacketAnalyzer::ANALYZER_MPLS);
	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x0800, PacketAnalyzer::ANALYZER_IP);
	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x86DD, PacketAnalyzer::ANALYZER_IP);
	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x0806, PacketAnalyzer::ANALYZER_ARP);
	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8035, PacketAnalyzer::ANALYZER_ARP);
	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8100, PacketAnalyzer::ANALYZER_VLAN);
	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x88A8, PacketAnalyzer::ANALYZER_VLAN);
	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x9100, PacketAnalyzer::ANALYZER_VLAN);
	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8864, PacketAnalyzer::ANALYZER_PPPOE);
	# IEC 61850 GOOSE (ethertype 0x88B8) -> the plugin's analyzer.
	# NOTE(review): this only covers untagged frames. GOOSE is commonly sent
	# 802.1Q-tagged; tagged frames are handed to ANALYZER_VLAN (0x8100 above),
	# which keeps its own dispatch table, so a matching registration under
	# ANALYZER_VLAN is presumably needed as well — confirm with a tagged pcap.
    PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x88B8, PacketAnalyzer::ANALYZER_GOOSE);
	}

测试

# zeek -r /home/zeek/GOOSE.pcap
test
test
test
test
test
test
test
test