Add VXLAN packet analyzer, disable old analyzer

src/packet_analysis/protocol/CMakeLists.txt

@@ -24,3 +24,4 @@ add_subdirectory(gre)
 add_subdirectory(iptunnel)
 add_subdirectory(ayiya)
 add_subdirectory(geneve)
+add_subdirectory(vxlan)

src/packet_analysis/protocol/udp/UDP.cc

@@ -41,10 +41,10 @@ void UDPAnalyzer::Initialize()
 	{
 	IPBasedAnalyzer::Initialize();
 
-	const auto& id = detail::global_scope()->Find("Tunnel::vxlan_ports");
+	const auto& id = detail::global_scope()->Find("PacketAnalyzer::VXLAN::vxlan_ports");
 
 	if ( ! (id && id->GetVal()) )
-		reporter->FatalError("Tunnel::vxlan_ports not defined");
+		reporter->FatalError("PacketAnalyzer::VXLAN::vxlan_ports not defined");
 
 	auto table_val = id->GetVal()->AsTableVal();
 	auto port_list = table_val->ToPureListVal();

src/packet_analysis/protocol/vxlan/CMakeLists.txt

@@ -0,0 +1,6 @@
+include(ZeekPlugin)
+
+zeek_plugin_begin(Zeek VXLAN)
+zeek_plugin_cc(VXLAN.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()

src/packet_analysis/protocol/vxlan/Plugin.cc

@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/vxlan/VXLAN.h"
+
+namespace zeek::plugin::Zeek_VXLAN
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"VXLAN", zeek::packet_analysis::VXLAN::VXLAN_Analyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::VXLAN";
+		config.description = "VXLAN packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}

src/packet_analysis/protocol/vxlan/VXLAN.cc

@@ -0,0 +1,65 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/vxlan/VXLAN.h"
+
+#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
+#include "zeek/packet_analysis/protocol/vxlan/events.bif.h"
+
+using namespace zeek::packet_analysis::VXLAN;
+
+VXLAN_Analyzer::VXLAN_Analyzer() : zeek::packet_analysis::Analyzer("VXLAN") { }
+
+bool VXLAN_Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
+		{
+		Weird("exceeded_tunnel_max_depth", packet);
+		return false;
+		}
+
+	constexpr uint16_t hdr_size = 8;
+
+	if ( hdr_size > len )
+		{
+		AnalyzerViolation("VXLAN header truncation", packet->session, (const char*)data, len);
+		return false;
+		}
+
+	if ( (data[0] & 0x08) == 0 )
+		{
+		AnalyzerViolation("VXLAN 'I' flag not set", packet->session, (const char*)data, len);
+		return false;
+		}
+
+	int vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0);
+
+	len -= hdr_size;
+	data += hdr_size;
+
+	int encap_index = 0;
+	auto inner_packet = packet_analysis::IPTunnel::build_inner_packet(
+		packet, &encap_index, nullptr, len, data, DLT_RAW, BifEnum::Tunnel::VXLAN,
+		GetAnalyzerTag());
+
+	bool fwd_ret_val = true;
+	if ( len > hdr_size )
+		fwd_ret_val = ForwardPacket(len, data, inner_packet.get());
+
+	if ( fwd_ret_val )
+		{
+		AnalyzerConfirmation(packet->session);
+
+		if ( vxlan_packet && packet->session )
+			{
+			EncapsulatingConn* ec = inner_packet->encap->At(encap_index);
+			if ( ec && ec->ip_hdr )
+				inner_packet->session->EnqueueEvent(vxlan_packet, nullptr,
+				                                    packet->session->GetVal(),
+				                                    ec->ip_hdr->ToPktHdrVal(), val_mgr->Count(vni));
+			}
+		}
+	else
+		AnalyzerViolation("VXLAN invalid inner packet", packet->session);
+
+	return fwd_ret_val;
+	}

src/packet_analysis/protocol/vxlan/VXLAN.h

@@ -0,0 +1,25 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::VXLAN
+	{
+
+class VXLAN_Analyzer : public zeek::packet_analysis::Analyzer
+	{
+public:
+	VXLAN_Analyzer();
+	~VXLAN_Analyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<VXLAN_Analyzer>();
+		}
+	};
+
+	}

src/packet_analysis/protocol/vxlan/events.bif

@@ -0,0 +1,12 @@
+## Generated for any packet encapsulated in a VXLAN tunnel.
+## See :rfc:`7348` for more information about the VXLAN protocol.
+##
+## outer: The VXLAN tunnel connection.
+##
+## inner: The VXLAN-encapsulated Ethernet packet header and transport header.
+##
+## vni: VXLAN Network Identifier.
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particularly expensive for real-time analysis.
+event vxlan_packet%(outer: connection, inner: pkt_hdr, vni: count%);