From 0e6913fba021bd849fc24a651dd87d04133dd518 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 14 Aug 2018 16:45:09 -0500 Subject: [PATCH] BIT-1798: fix PPTP GRE tunnel decapsulation --- CHANGES | 4 ++++ VERSION | 2 +- src/Sessions.cc | 4 ++-- .../btest/Baseline/core.tunnels.gre-pptp/conn.log | 10 ++++++++++ .../btest/Baseline/core.tunnels.gre-pptp/dns.log | 10 ++++++++++ .../Baseline/core.tunnels.gre-pptp/tunnel.log | 11 +++++++++++ testing/btest/Traces/tunnels/gre-pptp.pcap | Bin 0 -> 521 bytes testing/btest/core/tunnels/gre-pptp.test | 4 ++++ 8 files changed, 42 insertions(+), 3 deletions(-) create mode 100644 testing/btest/Baseline/core.tunnels.gre-pptp/conn.log create mode 100644 testing/btest/Baseline/core.tunnels.gre-pptp/dns.log create mode 100644 testing/btest/Baseline/core.tunnels.gre-pptp/tunnel.log create mode 100644 testing/btest/Traces/tunnels/gre-pptp.pcap create mode 100644 testing/btest/core/tunnels/gre-pptp.test diff --git a/CHANGES b/CHANGES index 7013e2a931..32b7c8cbc2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-841 | 2018-08-14 16:45:09 -0500 + + * BIT-1798: fix PPTP GRE tunnel decapsulation (Jon Siwek, Corelight) + 2.5-840 | 2018-08-13 17:40:06 -0500 * Fix SumStats::observe key normalization logic diff --git a/VERSION b/VERSION index 446a694de2..7a93a5255d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-840 +2.5-841 diff --git a/src/Sessions.cc b/src/Sessions.cc index 9dc569daa7..876988361d 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -532,7 +532,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr // If a carried packet has ethernet, this will help skip it. unsigned int eth_len = 0; unsigned int gre_len = gre_header_len(flags_ver); - unsigned int ppp_len = gre_version == 1 ? 1 : 0; + unsigned int ppp_len = gre_version == 1 ? 4 : 0; if ( gre_version != 0 && gre_version != 1 ) { 
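Review bot: The literal `4` in `unsigned int ppp_len = gre_version == 1 ? 4 : 0;` encodes an assumption that the PPP frame inside a GRE v1 (PPTP) packet carries an uncompressed header — address and control bytes followed by a 2-byte protocol field — and nothing in the hunk states it; the second hunk's read at `data + gre_len + 2` depends on the same layout. PPP allows address/control and protocol field compression, so a frame using either would have its protocol read from the wrong offset and fail the `ppp_proto` check in the second hunk. Suggest a named constant with a comment, e.g. `// PPTP carries PPP with an uncompressed 4-byte header (addr, ctrl, 2-byte proto); ACFC/PFC-compressed frames are not handled.`. DoNextPacket starts and ends outside the hunk.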
@@ -598,7 +598,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr if ( gre_version == 1 ) { - int ppp_proto = *((uint8*)(data + gre_len)); + uint16 ppp_proto = ntohs(*((uint16*)(data + gre_len + 2))); if ( ppp_proto != 0x0021 && ppp_proto != 0x0057 ) { diff --git a/testing/btest/Baseline/core.tunnels.gre-pptp/conn.log b/testing/btest/Baseline/core.tunnels.gre-pptp/conn.log new file mode 100644 index 0000000000..20c0dc7317 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gre-pptp/conn.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2018-08-14-21-42-31 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +1417577703.821897 C4J4Th3PJpwUYZZ6gc 172.16.44.3 40768 8.8.8.8 53 udp dns 0.213894 71 146 SF - - 0 Dd 1 99 1 174 ClEkJM2Vm5giqnMf4h +#close 2018-08-14-21-42-31 diff --git a/testing/btest/Baseline/core.tunnels.gre-pptp/dns.log b/testing/btest/Baseline/core.tunnels.gre-pptp/dns.log new file mode 100644 index 0000000000..01875c2ff9 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gre-pptp/dns.log 
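Review bot: The new 16-bit read at `data + gre_len + 2` ends two bytes past where the old 1-byte read stopped, so unless a truncation check covering `gre_len + ppp_len` bytes precedes this block (none is visible in the hunk), a GRE v1 packet cut off inside the PPP header is read beyond the captured payload. If no such check exists above, add one before the read of the form `if ( <remaining payload length> < gre_len + ppp_len )` that reports the packet as truncated and returns, so the length check and the read offset stay tied to the same constant. The `0x0021`/`0x0057` literals would also read better as named PPP IPv4/IPv6 protocol constants. The enclosing function continues outside the hunk on both sides.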
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dns +#open 2018-08-14-21-42-31 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool +1417577703.821897 C4J4Th3PJpwUYZZ6gc 172.16.44.3 40768 8.8.8.8 53 udp 42540 - xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F +#close 2018-08-14-21-42-31 diff --git a/testing/btest/Baseline/core.tunnels.gre-pptp/tunnel.log b/testing/btest/Baseline/core.tunnels.gre-pptp/tunnel.log new file mode 100644 index 0000000000..780ea33f59 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gre-pptp/tunnel.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2018-08-14-21-42-31 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1417577703.821897 CHhAvVGS1DHFjwGM9 2402:f000:1:8e01::5555 0 2607:fcd0:100:2300::b108:2a6b 0 Tunnel::IP Tunnel::DISCOVER +1417577703.821897 ClEkJM2Vm5giqnMf4h 16.0.0.200 0 192.52.166.154 0 Tunnel::GRE Tunnel::DISCOVER +#close 2018-08-14-21-42-31 diff --git a/testing/btest/Traces/tunnels/gre-pptp.pcap b/testing/btest/Traces/tunnels/gre-pptp.pcap new file mode 100644 index 0000000000000000000000000000000000000000..45216c7f7adc9c2b7fa0f7f2288e88b4e0165135 GIT binary patch literal 521 zcmca|c+)~A1{MYw`2U}Qff2}g-clFR*~PYV3b5Ffu5Ec^f&jvR#3yde$>AIOv!D6JTICalmBREQ7`lZiaO6 z1_rkNjSL)CW&fEO6oKlJfvOm61jEwT2=H{oQ8tGb^n;ROXT3F~Bnwcl+nwTb8>RKA7rs`T68XKAzq?((VnOiV0$S^Rz z0D9_tHvLA z5CnQ?2h>CBnAsQ@j0ES3fjk596oVGd)i?9VnihpUY6e%gM>Wz|O(Iz}&*X LY1P2M7}x*+<->hB literal 0 HcmV?d00001 
diff --git a/testing/btest/core/tunnels/gre-pptp.test b/testing/btest/core/tunnels/gre-pptp.test
new file mode 100644
index 0000000000..a5fa8c0d19
--- /dev/null
+++ b/testing/btest/core/tunnels/gre-pptp.test
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/gre-pptp.pcap
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff tunnel.log
+# @TEST-EXEC: btest-diff dns.log