base/frameworks/tunnels/main.bro
-
Tunnel
This script handles the tracking/logging of tunnels (e.g. Teredo, AYIYA, or IP-in-IP such as 6to4 where “IP” is either IPv4 or IPv6).
For any connection that occurs over a tunnel, information about its
encapsulating tunnels is also found in the tunnel field of
connection.
| Namespace: | Tunnel |
|---|---|
| Source File: | /scripts/base/frameworks/tunnels/main.bro |
Summary
Options
Tunnel::expiration_interval: interval &redef |
The amount of time a tunnel is not used in establishment of new connections before it is considered inactive/expired. |
State Variables
Tunnel::active: table &read_expire = Tunnel::expiration_interval &expire_func = Tunnel::expire |
Currently active tunnels. |
Types
Tunnel::Action: enum |
Types of interesting activity that can occur with a tunnel. |
Tunnel::Info: record |
The record type which contains column fields of the tunnel log. |
Redefinitions
Log::ID: enum |
The tunnel logging stream identifier. |
likely_server_ports: set &redef |
Functions
Tunnel::close: function |
Removes a single tunnel from the Tunnel::active table
and logs the closing/expiration of the tunnel. |
Tunnel::expire: function |
Logs a single tunnel “connection” with action
Tunnel::EXPIRE and removes it from the
Tunnel::active table. |
Tunnel::register: function |
Logs a single tunnel “connection” with action
Tunnel::DISCOVER if it’s not already in the
Tunnel::active table and adds it if not. |
Tunnel::register_all: function |
Logs all tunnels in an encapsulation chain with action
Tunnel::DISCOVER that aren’t already in the
Tunnel::active table and adds them if not. |
Detailed Interface
Options
State Variables
-
Tunnel::active Type: table[conn_id] ofTunnel::InfoAttributes: &read_expire=Tunnel::expiration_interval&expire_func=Tunnel::expireDefault: {}Currently active tunnels. That is, tunnels for which new, encapsulated connections have been seen in the interval indicated by
Tunnel::expiration_interval.
Types
-
Tunnel::Action Type: -
Tunnel::DISCOVER A new tunnel (encapsulating “connection”) has been seen.
-
Tunnel::CLOSE A tunnel connection has closed.
-
Tunnel::EXPIRE No new connections over a tunnel happened in the amount of time indicated by
Tunnel::expiration_interval.
Types of interesting activity that can occur with a tunnel.
-
-
Tunnel::Info Type: - ts:
time&log Time at which some tunnel activity occurred.
- uid:
string&log&optional The unique identifier for the tunnel, which may correspond to a
connection’s uid field for non-IP-in-IP tunnels. This is optional because there could be numerous connections for payload proxies like SOCKS but we should treat it as a single tunnel.- id:
conn_id&log The tunnel “connection” 4-tuple of endpoint addresses/ports. For an IP tunnel, the ports will be 0.
- tunnel_type:
Tunnel::Type&log The type of tunnel.
- action:
Tunnel::Action&log The type of activity that occurred.
The record type which contains column fields of the tunnel log.
- ts:
Functions
-
Tunnel::close Type: function(tunnel:Tunnel::Info, action:Tunnel::Action) :voidRemoves a single tunnel from the
Tunnel::activetable and logs the closing/expiration of the tunnel.Tunnel: The tunnel which has closed or expired. Action: The specific reason for the tunnel ending.
-
Tunnel::expire Type: function(t:table[conn_id] ofTunnel::Info, idx:conn_id) :intervalLogs a single tunnel “connection” with action
Tunnel::EXPIREand removes it from theTunnel::activetable.T: A table of tunnels. Idx: The index of the tunnel table corresponding to the tunnel to expire. Returns: 0secs, which when this function is used as an &expire_func, indicates to remove the element at idx immediately.
-
Tunnel::register Type: function(ec:Tunnel::EncapsulatingConn) :voidLogs a single tunnel “connection” with action
Tunnel::DISCOVERif it’s not already in theTunnel::activetable and adds it if not.
-
Tunnel::register_all Type: function(ecv:EncapsulatingConnVector) :voidLogs all tunnels in an encapsulation chain with action
Tunnel::DISCOVERthat aren’t already in theTunnel::activetable and adds them if not.
