diff --git a/CHANGES b/CHANGES index 7013e2a931..32b7c8cbc2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-841 | 2018-08-14 16:45:09 -0500 + + * BIT-1798: fix PPTP GRE tunnel decapsulation (Jon Siwek, Corelight) + 2.5-840 | 2018-08-13 17:40:06 -0500 * Fix SumStats::observe key normalization logic diff --git a/VERSION b/VERSION index 446a694de2..7a93a5255d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-840 +2.5-841 diff --git a/src/Sessions.cc b/src/Sessions.cc index 9dc569daa7..876988361d 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -532,7 +532,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr // If a carried packet has ethernet, this will help skip it. unsigned int eth_len = 0; unsigned int gre_len = gre_header_len(flags_ver); - unsigned int ppp_len = gre_version == 1 ? 1 : 0; + unsigned int ppp_len = gre_version == 1 ? 4 : 0; if ( gre_version != 0 && gre_version != 1 ) { @@ -598,7 +598,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr if ( gre_version == 1 ) { - int ppp_proto = *((uint8*)(data + gre_len)); + uint16 ppp_proto = ntohs(*((uint16*)(data + gre_len + 2))); if ( ppp_proto != 0x0021 && ppp_proto != 0x0057 ) { diff --git a/testing/btest/Baseline/core.tunnels.gre-pptp/conn.log b/testing/btest/Baseline/core.tunnels.gre-pptp/conn.log new file mode 100644 index 0000000000..20c0dc7317 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gre-pptp/conn.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2018-08-14-21-42-31 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +1417577703.821897 C4J4Th3PJpwUYZZ6gc 172.16.44.3 40768 8.8.8.8 53 udp dns 0.213894 71 146 SF - - 0 Dd 1 99 1 174 ClEkJM2Vm5giqnMf4h +#close 2018-08-14-21-42-31 diff --git a/testing/btest/Baseline/core.tunnels.gre-pptp/dns.log b/testing/btest/Baseline/core.tunnels.gre-pptp/dns.log new file mode 100644 index 0000000000..01875c2ff9 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gre-pptp/dns.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dns +#open 2018-08-14-21-42-31 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool +1417577703.821897 C4J4Th3PJpwUYZZ6gc 172.16.44.3 40768 8.8.8.8 53 udp 42540 - xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F +#close 2018-08-14-21-42-31 diff --git a/testing/btest/Baseline/core.tunnels.gre-pptp/tunnel.log b/testing/btest/Baseline/core.tunnels.gre-pptp/tunnel.log new file mode 100644 index 0000000000..780ea33f59 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gre-pptp/tunnel.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2018-08-14-21-42-31 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1417577703.821897 CHhAvVGS1DHFjwGM9 2402:f000:1:8e01::5555 0 2607:fcd0:100:2300::b108:2a6b 0 Tunnel::IP Tunnel::DISCOVER +1417577703.821897 ClEkJM2Vm5giqnMf4h 16.0.0.200 0 192.52.166.154 0 Tunnel::GRE Tunnel::DISCOVER +#close 2018-08-14-21-42-31 diff --git a/testing/btest/Traces/tunnels/gre-pptp.pcap b/testing/btest/Traces/tunnels/gre-pptp.pcap new file mode 100644 index 0000000000..45216c7f7a Binary files /dev/null and b/testing/btest/Traces/tunnels/gre-pptp.pcap differ diff --git a/testing/btest/core/tunnels/gre-pptp.test b/testing/btest/core/tunnels/gre-pptp.test new file mode 100644 index 0000000000..a5fa8c0d19 --- /dev/null +++ b/testing/btest/core/tunnels/gre-pptp.test @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -r $TRACES/tunnels/gre-pptp.pcap +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff tunnel.log +# @TEST-EXEC: btest-diff dns.log