From 09ae539ea873b06a45a8be55908a2d6b66177a76 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 12 Mar 2019 18:09:28 -0700 Subject: [PATCH] GH-250: Improve/cleanup VXLAN decapsulation support * Better parsing/error-checking of VXLAN and encapsulated packet headers * Add/implement the "vxlan_packet" event * Add "Tunnel::vxlan_ports" option to tune the set of VXLAN ports to analyze/decapsulate * Add "Tunnel::validate_vxlan_checksums" option to allow for tuning of how checksums associated with the outer UDP header of a possible VXLAN tunnel are handled Fixes GH-250 --- doc | 2 +- scripts/base/frameworks/tunnels/main.bro | 3 +- scripts/base/init-bare.bro | 12 ++ src/TunnelEncapsulation.h | 9 +- src/analyzer/Manager.cc | 12 ++ src/analyzer/Manager.h | 9 + src/analyzer/protocol/udp/UDP.cc | 26 ++- src/analyzer/protocol/vxlan/VXLAN.cc | 199 ++++++------------ src/analyzer/protocol/vxlan/VXLAN.h | 66 +----- src/analyzer/protocol/vxlan/events.bif | 4 +- src/const.bif | 2 +- .../Baseline/core.print-bpf-filters/conn.log | 4 +- .../Baseline/core.print-bpf-filters/output | 18 +- .../Baseline/core.print-bpf-filters/output2 | 9 +- .../Baseline/core.tunnels.vxlan/conn.log | 14 +- testing/btest/Baseline/core.tunnels.vxlan/out | 8 + .../Baseline/core.tunnels.vxlan/tunnel.log | 12 +- .../canonified_loaded_scripts.log | 1 + .../canonified_loaded_scripts.log | 1 + testing/btest/Baseline/plugins.hooks/output | 26 ++- testing/btest/Traces/tunnels/vxlan.pcap | Bin 0 -> 1552 bytes testing/btest/core/tunnels/vxlan.bro | 9 + testing/btest/core/tunnels/vxlan.test | 3 - 23 files changed, 206 insertions(+), 243 deletions(-) create mode 100644 testing/btest/Baseline/core.tunnels.vxlan/out create mode 100644 testing/btest/Traces/tunnels/vxlan.pcap create mode 100644 testing/btest/core/tunnels/vxlan.bro delete mode 100644 testing/btest/core/tunnels/vxlan.test diff --git a/doc b/doc index 5e7820debc..73c5b6622b 160000 --- a/doc +++ b/doc 
@@ -1 +1 @@ -Subproject commit 5e7820debc34f86023e696b7e880313be76275f3 +Subproject commit 73c5b6622b5b05e3fe246fcaa5c0587727d9edd0 diff --git a/scripts/base/frameworks/tunnels/main.bro b/scripts/base/frameworks/tunnels/main.bro index 3faf267eee..f90616e38e 100644 --- a/scripts/base/frameworks/tunnels/main.bro +++ b/scripts/base/frameworks/tunnels/main.bro @@ -85,7 +85,6 @@ export { const ayiya_ports = { 5072/udp }; const teredo_ports = { 3544/udp }; const gtpv1_ports = { 2152/udp, 2123/udp }; -const vxlan_ports = { 4789/udp }; redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports, vxlan_ports }; event bro_init() &priority=5 @@ -94,8 +93,8 @@ event bro_init() &priority=5 Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, ayiya_ports); Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports); - Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports); Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports); } function register_all(ecv: EncapsulatingConnVector) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 600a507d4f..47a6fa5f05 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -4857,6 +4857,18 @@ export { ## How often to cleanup internal state for inactive IP tunnels ## (includes GRE tunnels). const ip_tunnel_timeout = 24hrs &redef; + + ## Whether to validate the checksum supplied in the outer UDP header + ## of a VXLAN encapsulation. The spec says the checksum should be + ## transmitted as zero, but if not, then the decapsulating destination + ## may choose whether to perform the validation. + const validate_vxlan_checksums = T &redef; + + ## The set of UDP ports used for VXLAN traffic. Traffic using this + ## UDP destination port will attempt to be decapsulated. Note that if + ## if you customize this, you may still want to manually ensure that + ## :bro:see:`likely_server_ports` also gets populated accordingly. + const vxlan_ports: set[port] = { 4789/udp }; } # end export module Reporter; diff --git a/src/TunnelEncapsulation.h b/src/TunnelEncapsulation.h index 30b7b48569..27729e56b7 100644 --- a/src/TunnelEncapsulation.h +++ b/src/TunnelEncapsulation.h @@ -88,13 +88,20 @@ public: return false; if ( ec1.type == BifEnum::Tunnel::IP || - ec1.type == BifEnum::Tunnel::VXLAN || ec1.type == BifEnum::Tunnel::GRE ) // Reversing endpoints is still same tunnel. return ec1.uid == ec2.uid && ec1.proto == ec2.proto && ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) || (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr)); + if ( ec1.type == BifEnum::Tunnel::VXLAN ) + // Reversing endpoints is still same tunnel, destination port is + // always the same. + return ec1.dst_port == ec2.dst_port && + ec1.uid == ec2.uid && ec1.proto == ec2.proto && + ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) || + (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr)); + return ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr && ec1.src_port == ec2.src_port && ec1.dst_port == ec2.dst_port && ec1.uid == ec2.uid && ec1.proto == ec2.proto; 
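Review bot: `const vxlan_ports: set[port] = { 4789/udp };` lacks the `&redef` attribute that the neighbouring `validate_vxlan_checksums` and `ip_tunnel_timeout` carry, so the advice in its own comment to customize it (and the commit message's "option to tune the set of VXLAN ports") cannot be followed — a `const` without `&redef` is not redefinable from a user script. Change it to `const vxlan_ports: set[port] = { 4789/udp } &redef;`. The same comment doubles a word ("Note that if / if you customize this"), and it would help to state what is actually compared, since the UDP analyzer's checksum heuristic in this commit keys only on `uh_dport`; e.g. `## Only the UDP destination port of a packet is compared against this set.` The enclosing `export` block starts outside the hunk.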
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 286c5eee9f..1546f846e5 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -96,6 +96,18 @@ void Manager::InitPreScript() void Manager::InitPostScript() { + auto id = global_scope()->Lookup("Tunnel::vxlan_ports"); + + if ( ! (id && id->ID_Val()) ) + reporter->FatalError("Tunnel::vxlan_ports not defined"); + + auto table_val = id->ID_Val()->AsTableVal(); + auto port_list = table_val->ConvertToPureList(); + + for ( auto i = 0; i < port_list->Length(); ++i ) + vxlan_ports.emplace_back(port_list->Index(i)->AsPortVal()->Port()); + + Unref(port_list); } void Manager::DumpDebug() diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index d341940e7d..c429745862 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -22,6 +22,7 @@ #define ANALYZER_MANAGER_H #include +#include #include "Analyzer.h" #include "Component.h" @@ -335,6 +336,13 @@ public: void ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p, Val* analyzer, double timeout); + + /** + * @return the UDP port numbers to be associated with VXLAN traffic. + */ + const std::vector& GetVxlanPorts() const + { return vxlan_ports; } + private: typedef set tag_set; typedef map analyzer_map_by_port; @@ -390,6 +398,7 @@ private: conns_map conns; conns_queue conns_by_timeout; + std::vector vxlan_ports; }; } diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc index 0da1a2bd65..b887eea5c1 100644 --- a/src/analyzer/protocol/udp/UDP.cc +++ b/src/analyzer/protocol/udp/UDP.cc @@ -7,6 +7,7 @@ #include "Net.h" #include "NetVar.h" #include "analyzer/protocol/udp/UDP.h" +#include "analyzer/Manager.h" #include "Reporter.h" #include "Conn.h" 
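Review bot: The loop in `Manager::InitPostScript` copies every member of `Tunnel::vxlan_ports` via `AsPortVal()->Port()` without checking the entry's protocol, so a `/tcp` or `/icmp` port placed in that set would later be matched against UDP destination ports by the UDP analyzer. Skipping non-UDP entries keeps the vector honest, e.g. `if ( ! port_list->Index(i)->AsPortVal()->IsUDP() ) continue;` (assuming `PortVal` offers that predicate alongside `Port()`). The vector is also a one-time snapshot taken at post-script init, which the `GetVxlanPorts()` doc comment in the Manager.h hunk on this line does not say; I would extend it to `@return snapshot of Tunnel::vxlan_ports taken in InitPostScript; later script-side changes are not reflected.`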
@@ -61,7 +62,30 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int chksum = up->uh_sum; - if ( ! ignore_checksums && caplen >= len ) + auto validate_checksum = ! ignore_checksums && caplen >=len; + constexpr auto vxlan_len = 8; + constexpr auto eth_len = 14; + + if ( validate_checksum && + len > (sizeof(struct udphdr) + vxlan_len + eth_len) && + (data[0] & 0x08) == 0x08 ) + { + auto& vxlan_ports = analyzer_mgr->GetVxlanPorts(); + + if ( std::find(vxlan_ports.begin(), vxlan_ports.end(), + ntohs(up->uh_dport)) != vxlan_ports.end() ) + { + // Looks like VXLAN on a well-known port, so the checksum should be + // transmitted as zero, and we should accept that. If not + // transmitted as zero, then validating the checksum is optional. + if ( chksum == 0 ) + validate_checksum = false; + else + validate_checksum = BifConst::Tunnel::validate_vxlan_checksums; + } + } + + if ( validate_checksum ) { bool bad = false; diff --git a/src/analyzer/protocol/vxlan/VXLAN.cc b/src/analyzer/protocol/vxlan/VXLAN.cc index 5c922a43c4..1431f92fed 100644 --- a/src/analyzer/protocol/vxlan/VXLAN.cc +++ b/src/analyzer/protocol/vxlan/VXLAN.cc @@ -3,7 +3,6 @@ #include "TunnelEncapsulation.h" #include "Conn.h" #include "IP.h" -#include "../arp/ARP.h" #include "Reporter.h" #include "events.bif.h" 
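Review bot: The VXLAN heuristic tests `data[0] & 0x08`, but `data` at this point still begins with the UDP header — the same condition measures `len` against `sizeof(struct udphdr) + vxlan_len + eth_len` and `chksum` is read from `up->uh_sum` — so that byte is the high octet of the UDP source port, not the VXLAN flags octet, which sits immediately after the 8-byte UDP header. The test should be `(data[sizeof(struct udphdr)] & 0x08) == 0x08 )`, which the preceding length check already makes safe to read. As written, whether the zero-checksum exemption and `Tunnel::validate_vxlan_checksums` apply to a given VXLAN packet depends on the ephemeral source port chosen by the sender, and packets that miss the heuristic silently fall back to ordinary validation. The comparison also mixes a signed `len` with a `size_t` sum; `len > (int) (sizeof(struct udphdr) + vxlan_len + eth_len)` avoids the sign-compare warning. `UDP_Analyzer::DeliverPacket` starts and ends outside the hunk.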
@@ -16,154 +15,86 @@ void VXLAN_Analyzer::Done() Event(udp_session_done); } -bool VXLANEncapsulation::DoParse(const u_char* data, int& len) - { - int eth_len = 14; - int vxlan_len = 8; - int eth_mac = 6; - int proto = 0; - reporter->Error("VXLANEncapsulation::DoParse len: %d", len); - /* Note: outer Ethernet, IP, UDP layers already skipped */ - if ( len < vxlan_len ) - { - Weird("VXLAN_truncated missing VXLAN header"); - return false; - } - /* Flags (8 bits): where the I flag MUST be set to 1 for a valid - VXLAN Network ID (VNI). The other 7 bits (designated "R") are - reserved fields and MUST be set to zero on transmission and - ignored on receipt.*/ - if ( ! (data[0] & 0x8) ) - { - Weird("VXLAN_flags packet missing I flag set "); - return false; - } - if ( len < vxlan_len + eth_len ) - { - Weird("VXLAN_truncated missing inner packet header"); - return false; - } - printf("Checking packet ethertype for inner packet:\n"); - uint16 proto_typ = ntohs(*((uint16*)(data+vxlan_len+2*eth_mac))); - if ( proto_typ == 0x0800 ) - proto = IPPROTO_IPV4; - else if ( proto_typ == 0x86dd ) - proto = IPPROTO_IPV6; - else { - Weird("VXLAN_ethertype inner packet should be ethertype: IPv4 or IPv6"); - int i; - for (i=0; i < 2; i++) - printf("%02x ",data[vxlan_len+2*eth_mac+i]); - return false; - } - data += vxlan_len + eth_len; - len -= vxlan_len + eth_len; - inner_ip = data; - return true; - } - -RecordVal* VXLANEncapsulation::BuildVal(const IP_Hdr* inner) const - { - static RecordType* vxlan_hdr_type = 0; - static RecordType* vxlan_auth_type = 0; - static RecordType* vxlan_origin_type = 0; - reporter->Error("VXLANEncapsulation::BuildVal"); - - RecordVal* vxlan_hdr = new RecordVal(vxlan_hdr_type); - vxlan_hdr->Assign(1, inner->BuildPktHdrVal()); - return vxlan_hdr; - } - void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen) + uint64 seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, 
caplen); - /* Note: it seems we get the packet AFTER UDP header. */ - VXLANEncapsulation vx(this); + // Outer Ethernet, IP, and UDP layers already skipped. + // Also, generic UDP analyzer already checked/guarantees caplen >= len. - // If a carried packet has ethernet, this will help skip it. - int eth_len = 14; - int udp_len = 8; - int vlan_len = 4; - int vxlan_len = 8; - int eth_mac = 6; - int i = 0; - int vni= 0; - int proto = 0; + constexpr auto vxlan_len = 8; - const EncapsulationStack* e = Conn()->GetEncapsulation(); - IP_Hdr* inner = 0; - int rslt = sessions->ParseIPPacket(len, data + vxlan_len + eth_len, IPPROTO_IPV4, inner); - - reporter->Info("VXLAN_Analyzer::DeliverPacket"); - reporter->Info("len: %d", len); - printf("Packet hex:\n"); - for (i=0; i < len; i++) - printf("%0x ",data[i]); - printf("\n"); - /* Note: outer Ethernet, IP, UDP layers already skipped */ if ( len < vxlan_len ) - { - Weird("VXLAN_truncated missing VXLAN header"); + { + ProtocolViolation("VXLAN header truncation", (const char*) data, len); return; - } - /* Flags (8 bits): where the I flag MUST be set to 1 for a valid - VXLAN Network ID (VNI). The other 7 bits (designated "R") are - reserved fields and MUST be set to zero on transmission and - ignored on receipt.*/ - if ( ! 
(data[0] & 0x8) ) - { - Weird("VXLAN_flags packet missing I flag set "); + } + + if ( (data[0] & 0x08) == 0 ) + { + ProtocolViolation("VXLAN 'I' flag not set", (const char*) data, len); return; - } - if ( len < vxlan_len + eth_len ) - { - Weird("VXLAN_truncated missing inner packet header"); + } + + const EncapsulationStack* estack = Conn()->GetEncapsulation(); + + if ( estack && estack->Depth() >= BifConst::Tunnel::max_depth ) + { + reporter->Weird(Conn(), "tunnel_depth"); return; - } - printf("Checking packet ethertype for inner packet:\n"); - uint16 proto_typ = ntohs(*((uint16*)(data+vxlan_len+2*eth_mac))); - switch (proto_typ) - { - case 0x0800: - proto = IPPROTO_IPV4; + } + + int vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0); + + data += vxlan_len; + caplen -= vxlan_len; + len -= vxlan_len; + + pkt_timeval ts; + ts.tv_sec = (time_t) current_timestamp; + ts.tv_usec = (suseconds_t) ((current_timestamp - (double)ts.tv_sec) * 1000000); + Packet pkt(DLT_EN10MB, &ts, caplen, len, data); + + if ( ! pkt.Layer2Valid() ) + { + ProtocolViolation("VXLAN invalid inner ethernet frame", + (const char*) data, len); + return; + } + + data += pkt.hdr_size; + len -= pkt.hdr_size; + caplen -= pkt.hdr_size; + + IP_Hdr* inner = nullptr; + int res = 0; + + switch ( pkt.l3_proto ) { + case L3_IPV4: + res = sessions->ParseIPPacket(len, data, IPPROTO_IPV4, inner); break; - case 0x86dd: - proto = IPPROTO_IPV6; - break; - case 0x8100: - case 0x9100: - /* 802.1q / 802.1ad */ - proto = proto_typ; - if (len < vxlan_len + eth_len + vlan_len) - { - Weird("VXLAN truncated inner packet VLAN ether header "); - return; - } - /* Set type then to next ethertype ? 
*/ + case L3_IPV6: + res = sessions->ParseIPPacket(len, data, IPPROTO_IPV6, inner); break; default: - Weird("VXLAN_ethertype inner packet should be ethertype: VLAN, IPv4 or IPv6"); - int i; - for (i=0; i < 2; i++) - printf("%02x ",data[vxlan_len+2*eth_mac+i]); return; - } - printf("Packet safety checks done\n"); - vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0); - printf("VXLAN VNI %d\n",vni); + if ( res < 0 ) + { + delete inner; + ProtocolViolation("Truncated VXLAN or invalid inner IP", + (const char*) data, len); + return; + } + + ProtocolConfirmation(); + + if ( vxlan_packet ) + Conn()->Event(vxlan_packet, 0, inner->BuildPktHdrVal(), + val_mgr->GetCount(vni)); - /* Do we want the inner packet with or without Ethernet header? - data += vxlan_len + udp_len + eth_len; - len -= vxlan_len + udp_len + eth_len; - caplen -= vxlan_len + udp_len + eth_len; -*/ - data += udp_len + vxlan_len; - len -= udp_len + vxlan_len; - caplen -= udp_len + vxlan_len; EncapsulatingConn ec(Conn(), BifEnum::Tunnel::VXLAN); - sessions->DoNextInnerPacket(network_time, 0, inner, e, ec); - } + sessions->DoNextInnerPacket(network_time, &pkt, inner, estack, ec); + } diff --git a/src/analyzer/protocol/vxlan/VXLAN.h b/src/analyzer/protocol/vxlan/VXLAN.h index e0f8dd99aa..f9eb52e0d3 100644 --- a/src/analyzer/protocol/vxlan/VXLAN.h +++ b/src/analyzer/protocol/vxlan/VXLAN.h 
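Review bot: The `default:` arm of `switch ( pkt.l3_proto )` in `VXLAN_Analyzer::DeliverPacket` returns with no diagnostic, so an inner frame that is neither IPv4 nor IPv6 (ARP is routine inside VXLAN, and the removed code reported this case as a weird) is dropped with no ProtocolViolation, no weird and no event, and the analyzer is never confirmed for such a flow. If the silence is intentional, say so with a comment; otherwise something like `reporter->Weird(Conn(), "vxlan_unsupported_inner_l3");` before the `return` keeps the case visible. The VNI extraction also deserves a line of explanation, e.g. `// 24-bit VNI lives in bytes 4-6 of the 8-byte VXLAN header; the flag/reserved bytes are not otherwise examined.` The inner `Packet` is stamped from `current_timestamp` while `DoNextInnerPacket` receives `network_time`; if those can ever diverge, a comment on which one the inner packet is meant to carry would help.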
@@ -9,77 +9,17 @@ namespace analyzer { namespace vxlan { class VXLAN_Analyzer : public analyzer::Analyzer { public: - explicit VXLAN_Analyzer(Connection* conn) : Analyzer("VXLAN", conn), - valid_orig(false), valid_resp(false) - {} - - ~VXLAN_Analyzer() override + explicit VXLAN_Analyzer(Connection* conn) + : Analyzer("VXLAN", conn) {} void Done() override; void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen) override; + uint64 seq, const IP_Hdr* ip, int caplen) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new VXLAN_Analyzer(conn); } - - /** - * Emits a weird only if the analyzer has previously been able to - * decapsulate a VXLAN packet in both directions or if *force* param is - * set, since otherwise the weirds could happen frequently enough to be less - * than helpful. The *force* param is meant for cases where just one side - * has a valid encapsulation and so the weird would be informative. - */ - void Weird(const char* name, bool force = false) const - { - if ( ProtocolConfirmed() || force ) - reporter->Weird(Conn(), name); - } - - /** - * If the delayed confirmation option is set, then a valid encapsulation - * seen from both end points is required before confirming. - */ -/* copied from Teredo, do we want this too for VXLAN? - void Confirm() - { - if ( ! BifConst::Tunnel::delay_vxlan_confirmation || - ( valid_orig && valid_resp ) ) - ProtocolConfirmation(); - }*/ - -protected: - bool valid_orig; - bool valid_resp; -}; - -class VXLANEncapsulation { -public: - explicit VXLANEncapsulation(const VXLAN_Analyzer* ta) - : inner_ip(0), analyzer(ta) - {} - - /** - * Returns whether input data parsed as a valid VXLAN encapsulation type. - * If it was valid, the len argument is decremented appropriately. 
- */ - bool Parse(const u_char* data, int& len) - { return DoParse(data, len); } - - const u_char* InnerIP() const - { return inner_ip; } - - RecordVal* BuildVal(const IP_Hdr* inner) const; - -protected: - bool DoParse(const u_char* data, int& len); - - void Weird(const char* name) const - { analyzer->Weird(name); } - - const u_char* inner_ip; - const VXLAN_Analyzer* analyzer; }; } } // namespace analyzer::* diff --git a/src/analyzer/protocol/vxlan/events.bif b/src/analyzer/protocol/vxlan/events.bif index 9ed9fdc52b..d05c74dfbe 100644 --- a/src/analyzer/protocol/vxlan/events.bif +++ b/src/analyzer/protocol/vxlan/events.bif @@ -5,8 +5,8 @@ ## ## inner: The VXLAN-encapsulated Ethernet packet header and transport header. ## -## .. bro:see:: vxlan_authentication vxlan_origin_indication vxlan_bubble +## vni: VXLAN Network Identifier. ## ## .. note:: Since this event may be raised on a per-packet basis, handling ## it may become particularly expensive for real-time analysis. -event vxlan_packet%(outer: connection, inner: vxlan_hdr%); +event vxlan_packet%(outer: connection, inner: pkt_hdr, vni: count%); diff --git a/src/const.bif b/src/const.bif index 468929de05..6d60ac707b 100644 --- a/src/const.bif +++ b/src/const.bif @@ -19,9 +19,9 @@ const Tunnel::enable_ayiya: bool; const Tunnel::enable_teredo: bool; const Tunnel::enable_gtpv1: bool; const Tunnel::enable_gre: bool; -const Tunnel::enable_vxlan: bool; const Tunnel::delay_teredo_confirmation: bool; const Tunnel::delay_gtp_confirmation: bool; const Tunnel::ip_tunnel_timeout: interval; +const Tunnel::validate_vxlan_checksums: bool; const Threading::heartbeat_interval: interval; diff --git a/testing/btest/Baseline/core.print-bpf-filters/conn.log b/testing/btest/Baseline/core.print-bpf-filters/conn.log index e7f8f8714a..f14621c261 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/conn.log +++ b/testing/btest/Baseline/core.print-bpf-filters/conn.log 
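Review bot: `VXLAN_Analyzer` is left without any class-level comment now that the Teredo-derived members are gone; a short header would orient readers, e.g. `/** Decapsulates VXLAN (UDP-encapsulated Ethernet) tunnels: validates the 8-byte VXLAN header, then hands the inner frame's IPv4/IPv6 packet to the session manager as a nested packet. */`, which matches what the VXLAN.cc hunk implements. A one-line note on `DeliverPacket` that the generic UDP analyzer has already stripped the outer UDP header would also save the next reader a trip into VXLAN.cc.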
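Review bot: The unchanged `## inner:` doc line still describes the argument as "The VXLAN-encapsulated Ethernet packet header and transport header", but this commit changes its type to `pkt_hdr`, which is built from the parsed inner IP packet (`inner->BuildPktHdrVal()` in VXLAN.cc) and, per the new baseline output, carries only `ip`/`ip6`/`tcp`/`udp`/`icmp` fields — no Ethernet header. Reword it to `## inner: The VXLAN-encapsulated IP packet header and transport header.` The `## outer:` line lies above the hunk and could not be checked.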
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-12-58 +#open 2019-03-12-03-25-14 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1278600802.069419 CHhAvVGS1DHFjwGM9 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 - -#close 2016-07-13-16-12-59 +#close 2019-03-12-03-25-14 diff --git a/testing/btest/Baseline/core.print-bpf-filters/output b/testing/btest/Baseline/core.print-bpf-filters/output index 3da7f62f77..d8067da821 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/output +++ b/testing/btest/Baseline/core.print-bpf-filters/output @@ -3,28 +3,28 @@ #empty_field (empty) #unset_field - #path packet_filter -#open 2016-07-13-16-12-57 +#open 2019-03-12-03-25-12 #fields ts node filter init success #types time string string bool bool -1468426377.846975 bro ip or not ip T T -#close 2016-07-13-16-12-57 +1552361112.763592 bro ip or not ip T T +#close 2019-03-12-03-25-12 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path packet_filter -#open 2016-07-13-16-12-58 +#open 2019-03-12-03-25-13 #fields ts node filter init success #types time string string bool bool -1468426378.362651 bro port 42 T T -#close 2016-07-13-16-12-58 +1552361113.442916 bro port 42 T T +#close 2019-03-12-03-25-13 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path packet_filter -#open 2016-07-13-16-12-58 +#open 2019-03-12-03-25-14 #fields ts node filter init success #types time string string bool bool -1468426378.944945 bro (vlan) and (ip or not ip) T T -#close 2016-07-13-16-12-59 +1552361114.111534 bro (vlan) and (ip or not ip) T T +#close 2019-03-12-03-25-14 
diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2 index 26a4b5fa85..d46c6b1f1f 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/output2 +++ b/testing/btest/Baseline/core.print-bpf-filters/output2 @@ -21,6 +21,7 @@ 1 4011 2 443 1 445 +1 4789 1 502 1 5060 1 5072 @@ -54,8 +55,8 @@ 1 992 1 993 1 995 -61 and -60 or -61 port +62 and +61 or +62 port 42 tcp -19 udp +20 udp diff --git a/testing/btest/Baseline/core.tunnels.vxlan/conn.log b/testing/btest/Baseline/core.tunnels.vxlan/conn.log index 6531850a0c..3805f6d92f 100644 --- a/testing/btest/Baseline/core.tunnels.vxlan/conn.log +++ b/testing/btest/Baseline/core.tunnels.vxlan/conn.log 
@@ -3,12 +3,12 @@ #empty_field (empty) #unset_field - #path conn -#open 2018-10-18-11-51-46 +#open 2019-03-12-03-29-46 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1368908504.882198 CUY3VO38piNbzBWoCf 192.168.202.1 42710 192.168.203.1 4789 udp - - - - S0 - - 0 D 1 78 0 0 - -1368908504.882536 C938WE2Zxjsr1dQt8 192.168.203.1 52102 192.168.202.1 4789 udp - - - - S0 - - 0 D 1 78 0 0 - -1368908504.925960 CPPxeT3vy9lhCeFyzf 192.168.202.1 32894 192.168.203.1 4789 udp - 2.959399 424 0 S0 - - 0 D 4 536 0 0 - -1368908504.837063 CAL8II3MrNKoLygbR 192.168.203.1 45149 192.168.202.1 4789 udp - 3.004913 424 0 S0 - - 0 D 4 536 0 0 - -1368908504.837063 C3MYEy2ilZOiJASuTk 192.168.203.3 8 192.168.203.5 0 icmp - 3.048296 224 224 OTH - - 0 - 4 336 4 336 CAL8II3MrNKoLygbR,CPPxeT3vy9lhCeFyzf -#close 2018-10-18-11-51-46 +1467818432.676047 C4J4Th3PJpwUYZZ6gc 192.168.56.11 48134 192.168.56.12 4789 udp vxlan 3.004434 424 0 S0 - - 0 D 4 536 0 0 - +1467818432.675392 CHhAvVGS1DHFjwGM9 192.168.56.11 39924 192.168.56.12 4789 udp - - - - S0 - - 0 D 1 78 0 0 - +1467818432.675732 ClEkJM2Vm5giqnMf4h 192.168.56.12 40908 192.168.56.11 4789 udp - - - - S0 - - 0 D 1 78 0 0 - +1467818432.676385 CUM0KZ3MLUfNB0cl11 192.168.56.12 38071 192.168.56.11 4789 udp vxlan 3.004278 424 0 S0 - - 0 D 4 536 0 0 - +1467818432.676047 CtPZjS20MLrsMUOJi2 10.0.0.1 8 10.0.0.2 0 icmp - 3.004616 224 224 OTH - - 0 - 4 336 4 336 CUM0KZ3MLUfNB0cl11,C4J4Th3PJpwUYZZ6gc +#close 2019-03-12-03-29-46 diff --git a/testing/btest/Baseline/core.tunnels.vxlan/out b/testing/btest/Baseline/core.tunnels.vxlan/out new file mode 100644 index 0000000000..a8da7f7cf6 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.vxlan/out 
@@ -0,0 +1,8 @@ +vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12111, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=, tcp=, udp=, icmp=[icmp_type=8]], 123 +vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=36913, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=, tcp=, udp=, icmp=[icmp_type=0]], 123 +vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12341, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=, tcp=, udp=, icmp=[icmp_type=8]], 123 +vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37030, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=, tcp=, udp=, icmp=[icmp_type=0]], 123 +vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12507, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=, tcp=, udp=, icmp=[icmp_type=8]], 123 +vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37208, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=, tcp=, udp=, icmp=[icmp_type=0]], 123 +vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12684, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=, tcp=, udp=, icmp=[icmp_type=8]], 123 +vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37295, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=, tcp=, udp=, icmp=[icmp_type=0]], 123 diff --git a/testing/btest/Baseline/core.tunnels.vxlan/tunnel.log b/testing/btest/Baseline/core.tunnels.vxlan/tunnel.log index 0e9523525c..95f062bd67 100644 --- a/testing/btest/Baseline/core.tunnels.vxlan/tunnel.log 
+++ b/testing/btest/Baseline/core.tunnels.vxlan/tunnel.log @@ -3,11 +3,11 @@ #empty_field (empty) #unset_field - #path tunnel -#open 2018-10-18-11-51-46 +#open 2019-03-12-03-29-46 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action #types time string addr port addr port enum enum -1368908504.837063 CAL8II3MrNKoLygbR 192.168.203.1 45149 192.168.202.1 4789 Tunnel::VXLAN Tunnel::DISCOVER -1368908504.925960 CPPxeT3vy9lhCeFyzf 192.168.202.1 32894 192.168.203.1 4789 Tunnel::VXLAN Tunnel::DISCOVER -1368908507.885359 CPPxeT3vy9lhCeFyzf 192.168.202.1 32894 192.168.203.1 4789 Tunnel::VXLAN Tunnel::CLOSE -1368908507.885359 CAL8II3MrNKoLygbR 192.168.203.1 45149 192.168.202.1 4789 Tunnel::VXLAN Tunnel::CLOSE -#close 2018-10-18-11-51-46 +1467818432.676047 C4J4Th3PJpwUYZZ6gc 192.168.56.11 48134 192.168.56.12 4789 Tunnel::VXLAN Tunnel::DISCOVER +1467818432.676385 CUM0KZ3MLUfNB0cl11 192.168.56.12 38071 192.168.56.11 4789 Tunnel::VXLAN Tunnel::DISCOVER +1467818435.680663 C4J4Th3PJpwUYZZ6gc 192.168.56.11 48134 192.168.56.12 4789 Tunnel::VXLAN Tunnel::CLOSE +1467818435.680663 CUM0KZ3MLUfNB0cl11 192.168.56.12 38071 192.168.56.11 4789 Tunnel::VXLAN Tunnel::CLOSE +#close 2019-03-12-03-29-46 diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 02e6855308..d7a24b1de7 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log 
@@ -154,6 +154,7 @@ scripts/base/init-frameworks-and-bifs.bro build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro + build/scripts/base/bif/plugins/Bro_VXLAN.events.bif.bro build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 1df4b007c1..d568205a79 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -154,6 +154,7 @@ scripts/base/init-frameworks-and-bifs.bro build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro + build/scripts/base/bif/plugins/Bro_VXLAN.events.bif.bro build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index ecbb136298..78ac89a4d0 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -61,6 +61,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR)) -> @@ -126,6 +127,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_AYIYA, {5072/udp})) -> 
@@ -154,6 +156,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SSL, {5223<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SYSLOG, {514/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_TEREDO, {3544/udp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_VXLAN, {4789/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> @@ -274,7 +277,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> 
@@ -459,7 +462,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -683,6 +686,7 @@ 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_UDP.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Unified2.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Unified2.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_VXLAN.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.functions.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.bro) -> -1 
@@ -956,6 +960,7 @@
 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp))
 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp))
 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp))
+0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR))
@@ -1021,6 +1026,7 @@
 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp))
 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp))
 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp))
+0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_AYIYA, {5072/udp}))
@@ -1049,6 +1055,7 @@
 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SSL, {5223<...>/tcp}))
 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SYSLOG, {514/udp}))
 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_TEREDO, {3544/udp}))
+0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_VXLAN, {4789/udp}))
 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_XMPP, {5222<...>/tcp}))
 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ())
 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ())
@@ -1169,7 +1176,7 @@
 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG))
 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG))
 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG))
@@ -1354,7 +1361,7 @@
 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ())
 0.000000 MetaHookPre CallFunction(NetControl::init, , ())
 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ())
@@ -1578,6 +1585,7 @@
 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_UDP.events.bif.bro)
 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Unified2.events.bif.bro)
 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Unified2.types.bif.bro)
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_VXLAN.events.bif.bro)
 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.events.bif.bro)
 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.functions.bif.bro)
 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.bro)
@@ -1851,6 +1859,7 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
+0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_BACKDOOR)
@@ -1916,6 +1925,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
+0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, {5072/udp})
@@ -1944,6 +1954,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, {5223<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, {514/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp})
+0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, {4789/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp})
 0.000000 | HookCallFunction Cluster::is_enabled()
 0.000000 | HookCallFunction Cluster::local_node_type()
@@ -2063,7 +2074,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@@ -2248,7 +2259,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@@ -2472,6 +2483,7 @@ 0.000000 | HookLoadFile .<...>/Bro_UDP.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_Unified2.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_Unified2.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_VXLAN.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_X509.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_X509.functions.bif.bro 0.000000 | HookLoadFile .<...>/Bro_X509.ocsp_events.bif.bro @@ -2678,7 +2690,7 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1547686218.444731, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1552361542.039294, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() diff --git a/testing/btest/Traces/tunnels/vxlan.pcap b/testing/btest/Traces/tunnels/vxlan.pcap new file mode 100644 index 0000000000000000000000000000000000000000..76c91f7febe83fbbffa5835ab7802c58eb84ac02 GIT binary patch literal 1552 zcmca|c+)~A1{MYcU}0bcatVyEwJ;e(d95V_@W9U;`Qr;d3#7Edip*sG+ySx&WZ(QVsCGe2^{QvIUQ`ITiwVL9*?_PWWY_rsE`}*U zyFnPkUu`#Mg8h{W^Vc3Wpj|}>e?d%z`U?~iA^QG69gN?@LB0an#=+pz#cRvJxVWb# z9B2i@)&`&`5C{kg35$q|iAzXINz2H}$tx%-DXXZescUFzY3u0f=^Gdt8Jn1znS`h=ml5iJ~N6oK5h zp@)QUTm}wDaJq$r<64T`cnIjm;3yO~qJ`tF=^!`erIQejw?X0f^)wmdP3rCO}m7`JIh!&1BEkJHue~kEWoEQNL$E&~+29_QjDRSdspc@sFP~31nIIahUout +# @TEST-EXEC: btest-diff out +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff tunnel.log + +event vxlan_packet(c: connection, inner: pkt_hdr, vni: count) + { + print "vxlan_packet", c$id, inner, vni; + } diff --git a/testing/btest/core/tunnels/vxlan.test b/testing/btest/core/tunnels/vxlan.test deleted file mode 100644 index 9a77f9c285..0000000000 
--- a/testing/btest/core/tunnels/vxlan.test
+++ /dev/null
@@ -1,3 +0,0 @@
-# @TEST-EXEC: bro -r $TRACES/tunnels/vxlan-sample.pcap
-# @TEST-EXEC: btest-diff conn.log
-# @TEST-EXEC: btest-diff tunnel.log