Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-08 01:28:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Add VXLAN packet analyzer, disable old analyzer

Browse source
This commit is contained in:
Tim Wojtulewicz 2021-08-26 12:37:28 -07:00
parent cbb0bcd49c
commit 05574ecce1
22 changed files with 194 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files

3
scripts/base/frameworks/tunnels/main.zeek
View file

@ -92,7 +92,7 @@ export {
const teredo_ports = { 3544/udp };
const gtpv1_ports = { 2152/udp, 2123/udp };
redef likely_server_ports += { teredo_ports, gtpv1_ports, vxlan_ports };
redef likely_server_ports += { teredo_ports, gtpv1_ports };
event zeek_init() &priority=5
{
@ -100,7 +100,6 @@ event zeek_init() &priority=5
Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports);
}
function register_all(ecv: EncapsulatingConnVector)

5
scripts/base/init-bare.zeek
View file

@ -5060,11 +5060,6 @@ export {
## may choose whether to perform the validation.
const validate_vxlan_checksums = T &redef;
## The set of UDP ports used for VXLAN traffic. Traffic using this
## UDP destination port will attempt to be decapsulated. Note that if
## if you customize this, you may still want to manually ensure that
## :zeek:see:`likely_server_ports` also gets populated accordingly.
const vxlan_ports: set[port] = { 4789/udp } &redef;
} # end export
module Reporter;

1
scripts/base/packet-protocols/__load__.zeek
View file

@ -23,3 +23,4 @@
@load base/packet-protocols/iptunnel
@load base/packet-protocols/ayiya
@load base/packet-protocols/geneve
@load base/packet-protocols/vxlan

1
scripts/base/packet-protocols/vxlan/__load__.zeek Normal file
View file

@ -0,0 +1 @@
@load ./main

20
scripts/base/packet-protocols/vxlan/main.zeek Normal file
View file

@ -0,0 +1,20 @@
module PacketAnalyzer::VXLAN;
export {
# There's no indicator in the VXLAN packet header format about what the next protocol
# in the chain is. All of the documentation just lists Ethernet, so default to that.
const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_ETHERNET &redef;
## The set of UDP ports used for VXLAN traffic. Traffic using this
## UDP destination port will attempt to be decapsulated. Note that if
## if you customize this, you may still want to manually ensure that
## :zeek:see:`likely_server_ports` also gets populated accordingly.
const vxlan_ports: set[port] = { 4789/udp } &redef;
}
redef likely_server_ports += { vxlan_ports };
event zeek_init() &priority=20
{
PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, vxlan_ports);
}