base/frameworks/tunnels/main.zeek

Tunnel

This script handles the tracking/logging of tunnels (e.g. Teredo, AYIYA, or IP-in-IP such as 6to4 where “IP” is either IPv4 or IPv6). For any connection that occurs over a tunnel, information about its encapsulating tunnels is also found in the tunnel field of connection.

- Namespace: Tunnel
Summary

Redefinable Options

- Tunnel::expiration_interval: The amount of time a tunnel is not used in establishment of new connections before it is considered inactive/expired.

State Variables

- Tunnel::active: Currently active tunnels.

Types

- Tunnel::Action: Types of interesting activity that can occur with a tunnel.
- Tunnel::Info: The record type which contains column fields of the tunnel log.

Redefinitions

- Log::ID: The tunnel logging stream identifier.

Hooks

- Tunnel::finalize_tunnel: Tunnel finalization hook.
- Tunnel::log_policy: A default logging policy hook for the stream.

Functions

- Tunnel::close: Removes a single tunnel from the Tunnel::active table.
- Tunnel::expire: Logs a single tunnel “connection” with action Tunnel::EXPIRE.
- Tunnel::register: Logs a single tunnel “connection” with action Tunnel::DISCOVER.
- Tunnel::register_all: Logs all tunnels in an encapsulation chain with action Tunnel::DISCOVER.

Detailed Interface
Redefinable Options

- Tunnel::expiration_interval
  - Type: interval

  The amount of time a tunnel is not used in establishment of new connections before it is considered inactive/expired.

State Variables

- Tunnel::active
  - Type: table[conn_id] of Tunnel::Info
  - Attributes: &read_expire = Tunnel::expiration_interval, &expire_func = Tunnel::expire
  - Default: {}

  Currently active tunnels. That is, tunnels for which new, encapsulated connections have been seen in the interval indicated by Tunnel::expiration_interval.
Types

- Tunnel::Action
  - Type: enum
    - Tunnel::DISCOVER: A new tunnel (encapsulating “connection”) has been seen.
    - Tunnel::CLOSE: A tunnel connection has closed.
    - Tunnel::EXPIRE: No new connections over a tunnel happened in the amount of time indicated by Tunnel::expiration_interval.

  Types of interesting activity that can occur with a tunnel.

- Tunnel::Info
  - Type: record
    - ts: time &log
      Time at which some tunnel activity occurred.
    - uid: string &log &optional
      The unique identifier for the tunnel, which may correspond to a connection’s uid field for non-IP-in-IP tunnels. This is optional because there could be numerous connections for payload proxies like SOCKS, but we should treat it as a single tunnel.
    - id: conn_id &log
      The tunnel “connection” 4-tuple of endpoint addresses/ports. For an IP tunnel, the ports will be 0.
    - tunnel_type: Tunnel::Type &log
      The type of tunnel.
    - action: Tunnel::Action &log
      The type of activity that occurred.

  The record type which contains column fields of the tunnel log.
Hooks

- Tunnel::finalize_tunnel

  Tunnel finalization hook. Remaining Tunnel info may get logged when it’s called.

- Tunnel::log_policy
  - Type: Log::PolicyHook

  A default logging policy hook for the stream.
Functions

- Tunnel::close
  - Type: function(tunnel: Tunnel::Info, action: Tunnel::Action) : void

  Removes a single tunnel from the Tunnel::active table and logs the closing/expiration of the tunnel.

  - tunnel: The tunnel which has closed or expired.
  - action: The specific reason for the tunnel ending.

- Tunnel::expire

  Logs a single tunnel “connection” with action Tunnel::EXPIRE and removes it from the Tunnel::active table.

  - t: A table of tunnels.
  - idx: The index of the tunnel table corresponding to the tunnel to expire.
  - Returns: 0secs, which, when this function is used as an &expire_func, indicates to remove the element at idx immediately.

- Tunnel::register
  - Type: function(ec: Tunnel::EncapsulatingConn) : void

  Logs a single tunnel “connection” with action Tunnel::DISCOVER if it’s not already in the Tunnel::active table, and adds it if not.

- Tunnel::register_all
  - Type: function(ecv: EncapsulatingConnVector) : void

  Logs all tunnels in an encapsulation chain with action Tunnel::DISCOVER that aren’t already in the Tunnel::active table, and adds them if not.
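As an added example (not code from the Tunnel framework itself), the following site policy script builds on the interface above: it shortens Tunnel::expiration_interval, and uses the Tunnel::log_policy hook to raise a Notice when a DISCOVER record for an unexpected tunnel type is about to be written to tunnel.log. The TunnelWatch module, its Notice type and the unexpected_types set are assumptions made for this example.

```zeek
@load base/frameworks/tunnels
@load base/frameworks/notice

module TunnelWatch;

export {
	redef enum Notice::Type += {
		## Raised when a tunnel of a type the site does not expect is discovered.
		Unexpected_Tunnel_Type,
	};

	## Tunnel types that warrant a notice on discovery. The default set is a
	## constructed choice for this example (hypothetical site policy, not part
	## of the Tunnel framework): Teredo and AYIYA are IPv6 transition tunnels
	## that a site without IPv6 tunneling would not expect to see.
	const unexpected_types: set[Tunnel::Type] = { Tunnel::TEREDO, Tunnel::AYIYA } &redef;
}

# Consider a tunnel expired after 30 minutes without new encapsulated
# connections. This is the &read_expire timeout on Tunnel::active, so it also
# controls when Tunnel::expire writes the EXPIRE record to tunnel.log.
redef Tunnel::expiration_interval = 30 mins;

# Every Tunnel::Info record passes through Tunnel::log_policy before it is
# written. This handler never calls 'break', so DISCOVER, CLOSE and EXPIRE
# entries are all still logged; it only reacts to DISCOVER records.
hook Tunnel::log_policy(rec: Tunnel::Info, id: Log::ID, filter: Log::Filter)
	{
	if ( rec$action == Tunnel::DISCOVER && rec$tunnel_type in unexpected_types )
		{
		# $identifier suppresses repeat notices for the same tunnel endpoints.
		local n = Notice::Info($note=Unexpected_Tunnel_Type,
		                       $msg=fmt("%s tunnel discovered; %d tunnels currently active",
		                                rec$tunnel_type, |Tunnel::active|),
		                       $id=rec$id,
		                       $identifier=cat(rec$id$orig_h, rec$id$resp_h, rec$tunnel_type));

		# uid is &optional (IP-in-IP tunnels have none), so copy it only if set.
		if ( rec?$uid )
			n$uid = rec$uid;

		NOTICE(n);
		}
	}
```

Load the script alongside the base Tunnel framework; the resulting notice.log entries carry the tunnel's conn_id, and the DISCOVER record itself still appears in tunnel.log.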