From fddbdf623245777a65eab7a79e7d3a70e01c7af9 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Thu, 30 Nov 2023 16:32:50 +0100 Subject: [PATCH 1/6] init-bare: Default Tunnel::max_depth to 4 In AWS GLB environments, the max_depth of 2 is easily reached due to packets being encapsulated with GENEVE and VXLAN [1]. Any additional encapsulation layer causes Zeek raise a weird and ignore the inner traffic. Bump the default maximum depth to 4, while not common it's not unusual either to observe this in the wild. [1] https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-packet-formats.html Closes #3439 --- scripts/base/init-bare.zeek | 2 +- .../core.tunnels.max-depth/conn.log.cut | 6 ++++++ .../Baseline/core.tunnels.max-depth/dns.log.cut | 3 +++ .../Baseline/core.tunnels.max-depth/tunnel.log | 16 ++++++++++++++++ .../btest/Traces/tunnels/vxlan-triple-v2.pcap | Bin 0 -> 261 bytes testing/btest/core/tunnels/max-depth.zeek | 11 +++++++++++ 6 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/core.tunnels.max-depth/conn.log.cut create mode 100644 testing/btest/Baseline/core.tunnels.max-depth/dns.log.cut create mode 100644 testing/btest/Baseline/core.tunnels.max-depth/tunnel.log create mode 100644 testing/btest/Traces/tunnels/vxlan-triple-v2.pcap create mode 100644 testing/btest/core/tunnels/max-depth.zeek diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index 81c3d1dc31..41b918992d 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -5220,7 +5220,7 @@ module Tunnel; export { ## The maximum depth of a tunnel to decapsulate until giving up. ## Setting this to zero will disable all types of tunnel decapsulation. - const max_depth: count = 2 &redef; + const max_depth: count = 4 &redef; ## With this set, the Teredo analyzer waits until it sees both sides ## of a connection using a valid Teredo encapsulation before issuing diff --git a/testing/btest/Baseline/core.tunnels.max-depth/conn.log.cut b/testing/btest/Baseline/core.tunnels.max-depth/conn.log.cut new file mode 100644 index 0000000000..e512da7cf6 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.max-depth/conn.log.cut @@ -0,0 +1,6 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +uid id.orig_h id.resp_p id.resp_h id.resp_p proto history service tunnel_parents +CtPZjS20MLrsMUOJi2 4.4.4.4 53 4.4.4.9 53 udp D dns C4J4Th3PJpwUYZZ6gc +CHhAvVGS1DHFjwGM9 1.1.1.1 4789 1.1.1.9 4789 udp D vxlan - +ClEkJM2Vm5giqnMf4h 2.2.2.2 4789 2.2.2.9 4789 udp D vxlan CHhAvVGS1DHFjwGM9 +C4J4Th3PJpwUYZZ6gc 3.3.3.3 4789 3.3.3.9 4789 udp D vxlan ClEkJM2Vm5giqnMf4h diff --git a/testing/btest/Baseline/core.tunnels.max-depth/dns.log.cut b/testing/btest/Baseline/core.tunnels.max-depth/dns.log.cut new file mode 100644 index 0000000000..4f05d18f5e --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.max-depth/dns.log.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +uid id.orig_h id.resp_p id.resp_h id.resp_p query +CtPZjS20MLrsMUOJi2 4.4.4.4 53 4.4.4.9 53 www.bbc.com diff --git a/testing/btest/Baseline/core.tunnels.max-depth/tunnel.log b/testing/btest/Baseline/core.tunnels.max-depth/tunnel.log new file mode 100644 index 0000000000..356cafe0c4 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.max-depth/tunnel.log @@ -0,0 +1,16 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 1.1.1.1 4789 1.1.1.9 4789 Tunnel::VXLAN Tunnel::DISCOVER +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2.2.2.2 4789 2.2.2.9 4789 Tunnel::VXLAN Tunnel::DISCOVER +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 3.3.3.3 4789 3.3.3.9 4789 Tunnel::VXLAN Tunnel::DISCOVER +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 1.1.1.1 4789 1.1.1.9 4789 Tunnel::VXLAN Tunnel::CLOSE +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2.2.2.2 4789 2.2.2.9 4789 Tunnel::VXLAN Tunnel::CLOSE +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 3.3.3.3 4789 3.3.3.9 4789 Tunnel::VXLAN Tunnel::CLOSE +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Traces/tunnels/vxlan-triple-v2.pcap b/testing/btest/Traces/tunnels/vxlan-triple-v2.pcap new file mode 100644 index 0000000000000000000000000000000000000000..c4ea59dab215d3bc70e59bfd4072d736a16e1ea0 GIT binary patch literal 261 zcmca|c+)~A1{MYw`2U}Qff2}Q6kpAhW(a`j x2=C8^=wQawVF}TZHJ=3nI2lZVP<6%vu&+QK0|Msq@^a>+q-5sg{9KSYBLE*oI(7g6 literal 0 HcmV?d00001 diff --git a/testing/btest/core/tunnels/max-depth.zeek b/testing/btest/core/tunnels/max-depth.zeek new file mode 100644 index 0000000000..dc7335b0bb --- /dev/null +++ b/testing/btest/core/tunnels/max-depth.zeek @@ -0,0 +1,11 @@ +# @TEST-DOC: A DNS request encapsulated in 3 layers of VXLAN. Funky but not all that unusual. +# @TEST-EXEC: zeek -b -r $TRACES/tunnels/vxlan-triple-v2.pcap %INPUT +# @TEST-EXEC: zeek-cut -m uid id.orig_h id.resp_p id.resp_h id.resp_p proto history service tunnel_parents < conn.log > conn.log.cut +# @TEST-EXEC: zeek-cut -m uid id.orig_h id.resp_p id.resp_h id.resp_p query < dns.log > dns.log.cut +# @TEST-EXEC: btest-diff conn.log.cut +# @TEST-EXEC: btest-diff tunnel.log +# @TEST-EXEC: btest-diff dns.log.cut +# +@load base/frameworks/tunnels +@load base/protocols/conn +@load base/protocols/dns From b4e86f28b8adcbd45b9008dfa1818c6eb2fbb4d0 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Thu, 30 Nov 2023 17:18:53 +0100 Subject: [PATCH 2/6] Conn/Session: Lift history logic into Session This should allow to mangle a Session's history also from packet analyzers without necessarily knowing the concrete connection type. Given Connection is a subclass of Session, I don't think this changes much. --- src/Conn.cc | 33 ---------------------- src/Conn.h | 27 ------------------ src/session/Session.cc | 33 ++++++++++++++++++++++ src/session/Session.h | 64 ++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 97 insertions(+), 60 deletions(-) diff --git a/src/Conn.cc b/src/Conn.cc index 1f21df7775..dc46e06f89 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -158,39 +158,6 @@ void Connection::NextPacket(double t, bool is_orig, const IP_Hdr* ip, int len, i bool Connection::IsReuse(double t, const u_char* pkt) { return adapter && adapter->IsReuse(t, pkt); } -bool Connection::ScaledHistoryEntry(char code, uint32_t& counter, uint32_t& scaling_threshold, uint32_t scaling_base) { - if ( ++counter == scaling_threshold ) { - AddHistory(code); - - auto new_threshold = scaling_threshold * scaling_base; - - if ( new_threshold <= scaling_threshold ) - // This can happen due to wrap-around. In that - // case, reset the counter but leave the threshold - // unchanged. - counter = 0; - - else - scaling_threshold = new_threshold; - - return true; - } - - return false; -} - -void Connection::HistoryThresholdEvent(EventHandlerPtr e, bool is_orig, uint32_t threshold) { - if ( ! e ) - return; - - if ( threshold == 1 ) - // This will be far and away the most common case, - // and at this stage it's not a *multiple* instance. - return; - - EnqueueEvent(e, nullptr, GetVal(), val_mgr->Bool(is_orig), val_mgr->Count(threshold)); -} - namespace { // Flip everything that needs to be flipped in the connection // record that is known on this level. This needs to align diff --git a/src/Conn.h b/src/Conn.h index 6ad9d56a55..9f42341d08 100644 --- a/src/Conn.h +++ b/src/Conn.h @@ -179,30 +179,6 @@ public: static uint64_t TotalConnections() { return total_connections; } static uint64_t CurrentConnections() { return current_connections; } - // Returns true if the history was already seen, false otherwise. - bool CheckHistory(uint32_t mask, char code) { - if ( (hist_seen & mask) == 0 ) { - hist_seen |= mask; - AddHistory(code); - return false; - } - else - return true; - } - - // Increments the passed counter and adds it as a history - // code if it has crossed the next scaling threshold. Scaling - // is done in terms of powers of the third argument. - // Returns true if the threshold was crossed, false otherwise. - bool ScaledHistoryEntry(char code, uint32_t& counter, uint32_t& scaling_threshold, uint32_t scaling_base = 10); - - void HistoryThresholdEvent(EventHandlerPtr e, bool is_orig, uint32_t threshold); - - void AddHistory(char code) { history += code; } - - const std::string& GetHistory() const { return history; } - void ReplaceHistory(std::string new_h) { history = std::move(new_h); } - // Sets the root of the analyzer tree as well as the primary PIA. void SetSessionAdapter(packet_analysis::IP::SessionAdapter* aa, analyzer::pia::PIA* pia); packet_analysis::IP::SessionAdapter* GetSessionAdapter() { return adapter; } @@ -246,9 +222,6 @@ private: unsigned int finished : 1; unsigned int saw_first_orig_packet : 1, saw_first_resp_packet : 1; - uint32_t hist_seen; - std::string history; - packet_analysis::IP::SessionAdapter* adapter; analyzer::pia::PIA* primary_PIA; diff --git a/src/session/Session.cc b/src/session/Session.cc index 28f9f85839..3d244e35f6 100644 --- a/src/session/Session.cc +++ b/src/session/Session.cc @@ -186,4 +186,37 @@ void Session::SetAnalyzerState(const zeek::Tag& tag, AnalyzerConfirmationState v analyzer_confirmations.insert_or_assign(tag, value); } +bool Session::ScaledHistoryEntry(char code, uint32_t& counter, uint32_t& scaling_threshold, uint32_t scaling_base) { + if ( ++counter == scaling_threshold ) { + AddHistory(code); + + auto new_threshold = scaling_threshold * scaling_base; + + if ( new_threshold <= scaling_threshold ) + // This can happen due to wrap-around. In that + // case, reset the counter but leave the threshold + // unchanged. + counter = 0; + + else + scaling_threshold = new_threshold; + + return true; + } + + return false; +} + +void Session::HistoryThresholdEvent(EventHandlerPtr e, bool is_orig, uint32_t threshold) { + if ( ! e ) + return; + + if ( threshold == 1 ) + // This will be far and away the most common case, + // and at this stage it's not a *multiple* instance. + return; + + EnqueueEvent(e, nullptr, GetVal(), val_mgr->Bool(is_orig), val_mgr->Count(threshold)); +} + } // namespace zeek::session diff --git a/src/session/Session.h b/src/session/Session.h index ea500924fc..589c39af71 100644 --- a/src/session/Session.h +++ b/src/session/Session.h @@ -185,6 +185,67 @@ public: AnalyzerConfirmationState AnalyzerState(const zeek::Tag& tag) const; void SetAnalyzerState(const zeek::Tag& tag, AnalyzerConfirmationState); + /** + * Add \a code to history unless already seen. + * + * @param mask Bitmask used for the given code character. + * @param code The character to add to the history. + * + * @return True if the given \a code was already seen (mask set), + * otherwise false after adding it. + */ + bool CheckHistory(uint32_t mask, char code) { + if ( (hist_seen & mask) == 0 ) { + hist_seen |= mask; + AddHistory(code); + return false; + } + + return true; + } + + /** + * Increments the passed counter and adds it as a history + * code if it has crossed the next scaling threshold. Scaling + * is done in terms of powers of the third argument. + * + * @param code The history code. + * @param counter Reference to counter for this code. + * @param scaling_threshold The next threshold, updated to next threshold if crossed. + * @param scaling_base Base to compute the next scaling_threshold. + * + * @return True if the threshold was crossed, false otherwise. + */ + bool ScaledHistoryEntry(char code, uint32_t& counter, uint32_t& scaling_threshold, uint32_t scaling_base = 10); + + /** + * Helper to enqueue a history threshold event \a e with the Connection object of this session. + * + * @param e The event to enqueue + * @param is_orig True if this is the originator of the session. + * @param threshold Crossed threshold to use as event argument. + */ + void HistoryThresholdEvent(EventHandlerPtr e, bool is_orig, uint32_t threshold); + + /** + * Add \a code to the history. + * + * @param code Code to add + */ + void AddHistory(char code) { history += code; } + + /** + * @return The current history value. + */ + const std::string& GetHistory() const { return history; } + + /** + * Replace the history of this session with a new one. + * + * @param new_h The new history. + */ + void ReplaceHistory(std::string new_h) { history = std::move(new_h); } + protected: friend class detail::Timer; @@ -234,6 +295,9 @@ protected: bool in_session_table; std::map analyzer_confirmations; + + uint32_t hist_seen; + std::string history; }; namespace detail { From c8a032ac70bf1e5caaaa118a55753a04b97d8bbf Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Thu, 30 Nov 2023 18:05:32 +0100 Subject: [PATCH 3/6] Conn: Deprecated AppendAddl --- src/Conn.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/Conn.h b/src/Conn.h index 9f42341d08..8534e3dd73 100644 --- a/src/Conn.h +++ b/src/Conn.h @@ -148,7 +148,8 @@ public: /** * Append additional entries to the history field in the connection record. */ - void AppendAddl(const char* str); + [[deprecated("Remove in v7.1 - Appears unused and named rough. Use CheckHistory() or AddHistory() instead.")]] void + AppendAddl(const char* str); void Match(detail::Rule::PatternType type, const u_char* data, int len, bool is_orig, bool bol, bool eol, bool clear_state); From ad9446d799e0104382b86c1d1b8b24206786031e Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Thu, 30 Nov 2023 16:58:47 +0100 Subject: [PATCH 4/6] Session/TCP/UDP: Reserve HIST_UNKNOWN_PKT mask This is meant to be used for a new 'X' code in the history in scenarios when packets are knowingly not processed or an unexpected unknown situation is recognized. Usually, these situations are currently reported via weirds or analyzer violations, but being able to include it in the history field allows them to be more visible. Will be used for exceeding tunnel depths first. --- src/analyzer/protocol/tcp/TCP_Endpoint.h | 1 + src/packet_analysis/protocol/udp/UDP.cc | 1 + src/session/Session.h | 4 +++- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.h b/src/analyzer/protocol/tcp/TCP_Endpoint.h index 993c4b826b..df8acffdff 100644 --- a/src/analyzer/protocol/tcp/TCP_Endpoint.h +++ b/src/analyzer/protocol/tcp/TCP_Endpoint.h @@ -203,6 +203,7 @@ public: #define HIST_CORRUPT_PKT 0x80 #define HIST_RXMIT 0x100 #define HIST_WIN0 0x200 + // #define HIST_UNKNOWN_PKT 0x400 (do not use - used in Session.h) bool CheckHistory(uint32_t mask, char code); void AddHistory(char code); diff --git a/src/packet_analysis/protocol/udp/UDP.cc b/src/packet_analysis/protocol/udp/UDP.cc index ae609e1dd3..5796d0969e 100644 --- a/src/packet_analysis/protocol/udp/UDP.cc +++ b/src/packet_analysis/protocol/udp/UDP.cc @@ -18,6 +18,7 @@ constexpr uint32_t HIST_ORIG_DATA_PKT = 0x1; constexpr uint32_t HIST_RESP_DATA_PKT = 0x2; constexpr uint32_t HIST_ORIG_CORRUPT_PKT = 0x4; constexpr uint32_t HIST_RESP_CORRUPT_PKT = 0x8; +// constexpr uint32_t HIST_UNKNOWN_PKT = 0x400; (do not use - used in Session.h) UDPAnalyzer::UDPAnalyzer() : IPBasedAnalyzer("UDP", TRANSPORT_UDP, UDP_PORT_MASK, false) {} diff --git a/src/session/Session.h b/src/session/Session.h index 589c39af71..467dd9c9af 100644 --- a/src/session/Session.h +++ b/src/session/Session.h @@ -24,7 +24,9 @@ class Analyzer; namespace session { namespace detail { class Timer; -} + +constexpr uint32_t HIST_UNKNOWN_PKT = 0x400; // Initially for exceeded_tunnel_max_depth. +} // namespace detail class Session; using timer_func = void (Session::*)(double t); From 7325bc945f1625614e358deb6421f787fe16a6e7 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Thu, 30 Nov 2023 18:49:59 +0100 Subject: [PATCH 5/6] tunnels: Add 'X' to history when reaching Tunnel::max_depth --- scripts/base/protocols/conn/main.zeek | 1 + src/packet_analysis/protocol/ayiya/AYIYA.cc | 1 + src/packet_analysis/protocol/geneve/Geneve.cc | 1 + src/packet_analysis/protocol/iptunnel/IPTunnel.cc | 1 + src/packet_analysis/protocol/teredo/Teredo.cc | 1 + src/packet_analysis/protocol/vxlan/VXLAN.cc | 1 + .../core.tunnels.max-depth-exceeded/conn.log.cut | 5 +++++ .../core.tunnels.max-depth-exceeded/tunnel.log | 14 ++++++++++++++ .../core.tunnels.max-depth-exceeded/weird.log | 11 +++++++++++ .../btest/core/tunnels/max-depth-exceeded.zeek | 15 +++++++++++++++ 10 files changed, 51 insertions(+) create mode 100644 testing/btest/Baseline/core.tunnels.max-depth-exceeded/conn.log.cut create mode 100644 testing/btest/Baseline/core.tunnels.max-depth-exceeded/tunnel.log create mode 100644 testing/btest/Baseline/core.tunnels.max-depth-exceeded/weird.log create mode 100644 testing/btest/core/tunnels/max-depth-exceeded.zeek diff --git a/scripts/base/protocols/conn/main.zeek b/scripts/base/protocols/conn/main.zeek index 1e2ff41216..f2686fc597 100644 --- a/scripts/base/protocols/conn/main.zeek +++ b/scripts/base/protocols/conn/main.zeek @@ -125,6 +125,7 @@ export { ## i inconsistent packet (e.g. FIN+RST bits set) ## q multi-flag packet (SYN+FIN or SYN+RST bits set) ## ^ connection direction was flipped by Zeek's heuristic + ## x connection analysis partial (e.g. limits exceeded) ## ====== ==================================================== ## ## If the event comes from the originator, the letter is in diff --git a/src/packet_analysis/protocol/ayiya/AYIYA.cc b/src/packet_analysis/protocol/ayiya/AYIYA.cc index 64685253e1..42bee0dc97 100644 --- a/src/packet_analysis/protocol/ayiya/AYIYA.cc +++ b/src/packet_analysis/protocol/ayiya/AYIYA.cc @@ -20,6 +20,7 @@ bool AYIYAAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe return false; if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth ) { + packet->session->CheckHistory(zeek::session::detail::HIST_UNKNOWN_PKT, 'X'); Weird("exceeded_tunnel_max_depth", packet); return false; } diff --git a/src/packet_analysis/protocol/geneve/Geneve.cc b/src/packet_analysis/protocol/geneve/Geneve.cc index 515375976d..632a37df9f 100644 --- a/src/packet_analysis/protocol/geneve/Geneve.cc +++ b/src/packet_analysis/protocol/geneve/Geneve.cc @@ -21,6 +21,7 @@ bool GeneveAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pack return false; if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth ) { + packet->session->CheckHistory(zeek::session::detail::HIST_UNKNOWN_PKT, 'X'); Weird("exceeded_tunnel_max_depth", packet); return false; } diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc index e7ac1b3cc1..c1ac082c75 100644 --- a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc +++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc @@ -23,6 +23,7 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa } if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth ) { + packet->session->CheckHistory(zeek::session::detail::HIST_UNKNOWN_PKT, 'X'); Weird("exceeded_tunnel_max_depth", packet); return false; } diff --git a/src/packet_analysis/protocol/teredo/Teredo.cc b/src/packet_analysis/protocol/teredo/Teredo.cc index 58ef4feffa..ca256016e0 100644 --- a/src/packet_analysis/protocol/teredo/Teredo.cc +++ b/src/packet_analysis/protocol/teredo/Teredo.cc @@ -148,6 +148,7 @@ bool TeredoAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pack return false; if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth ) { + packet->session->CheckHistory(zeek::session::detail::HIST_UNKNOWN_PKT, 'X'); Analyzer::Weird("exceeded_tunnel_max_depth", packet); return false; } diff --git a/src/packet_analysis/protocol/vxlan/VXLAN.cc b/src/packet_analysis/protocol/vxlan/VXLAN.cc index e5f4f8ec5e..376c43d3c3 100644 --- a/src/packet_analysis/protocol/vxlan/VXLAN.cc +++ b/src/packet_analysis/protocol/vxlan/VXLAN.cc @@ -21,6 +21,7 @@ bool VXLAN_Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pack return false; if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth ) { + packet->session->CheckHistory(zeek::session::detail::HIST_UNKNOWN_PKT, 'X'); Weird("exceeded_tunnel_max_depth", packet); return false; } diff --git a/testing/btest/Baseline/core.tunnels.max-depth-exceeded/conn.log.cut b/testing/btest/Baseline/core.tunnels.max-depth-exceeded/conn.log.cut new file mode 100644 index 0000000000..993a560913 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.max-depth-exceeded/conn.log.cut @@ -0,0 +1,5 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +uid id.orig_h id.resp_p id.resp_h id.resp_p proto history service tunnel_parents +CHhAvVGS1DHFjwGM9 1.1.1.1 4789 1.1.1.9 4789 udp D vxlan - +ClEkJM2Vm5giqnMf4h 2.2.2.2 4789 2.2.2.9 4789 udp D vxlan CHhAvVGS1DHFjwGM9 +C4J4Th3PJpwUYZZ6gc 3.3.3.3 4789 3.3.3.9 4789 udp DX - ClEkJM2Vm5giqnMf4h diff --git a/testing/btest/Baseline/core.tunnels.max-depth-exceeded/tunnel.log b/testing/btest/Baseline/core.tunnels.max-depth-exceeded/tunnel.log new file mode 100644 index 0000000000..f5f8ff9bce --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.max-depth-exceeded/tunnel.log @@ -0,0 +1,14 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 1.1.1.1 4789 1.1.1.9 4789 Tunnel::VXLAN Tunnel::DISCOVER +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2.2.2.2 4789 2.2.2.9 4789 Tunnel::VXLAN Tunnel::DISCOVER +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 1.1.1.1 4789 1.1.1.9 4789 Tunnel::VXLAN Tunnel::CLOSE +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2.2.2.2 4789 2.2.2.9 4789 Tunnel::VXLAN Tunnel::CLOSE +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.tunnels.max-depth-exceeded/weird.log b/testing/btest/Baseline/core.tunnels.max-depth-exceeded/weird.log new file mode 100644 index 0000000000..65b1b5768d --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.max-depth-exceeded/weird.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source +#types time string addr port addr port string string bool string string +XXXXXXXXXX.XXXXXX - 3.3.3.3 0 3.3.3.9 0 exceeded_tunnel_max_depth_in_tunnel - F zeek VXLAN +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/core/tunnels/max-depth-exceeded.zeek b/testing/btest/core/tunnels/max-depth-exceeded.zeek new file mode 100644 index 0000000000..d3ee33ab47 --- /dev/null +++ b/testing/btest/core/tunnels/max-depth-exceeded.zeek @@ -0,0 +1,15 @@ +# @TEST-DOC: Set a too small Tunnel::max_depth value, observe the effects. +# +# @TEST-EXEC: zeek -b -r $TRACES/tunnels/vxlan-triple-v2.pcap %INPUT +# @TEST-EXEC: zeek-cut -m uid id.orig_h id.resp_p id.resp_h id.resp_p proto history service tunnel_parents < conn.log > conn.log.cut +# @TEST-EXEC: btest-diff conn.log.cut +# @TEST-EXEC: btest-diff tunnel.log +# @TEST-EXEC: btest-diff weird.log +# @TEST-EXEC: test ! -f dns.log +# +@load base/frameworks/notice/weird +@load base/frameworks/tunnels +@load base/protocols/conn +@load base/protocols/dns + +redef Tunnel::max_depth = 2; From 040068f390ce39e3bbf475daf0b74a04e98be70b Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Wed, 10 Jan 2024 15:36:12 +0100 Subject: [PATCH 6/6] NEWS: Update news for tunnel depth changes --- NEWS | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/NEWS b/NEWS index 0b9871f966..29bbedeac3 100644 --- a/NEWS +++ b/NEWS @@ -153,6 +153,10 @@ New Functionality Note that generally you should prefer record extension in conditionally loaded scripts rather than using conditional directives in the original record definition. +- The 'X' code can now appear in a connection's history. It is meant to indicate + situations where Zeek stopped analyzing traffic due to exceeding certain limits or + when encountering unknown/unsupported protocols. Its first use is to indicate + ``Tunnel::max_depth`` being exceeded. Changed Functionality --------------------- @@ -172,6 +176,10 @@ Changed Functionality detail API from ``digest.h`` to compute hashes likely need to accommodate for this change. +- The ``Tunnel::max_depth`` default was changed from 2 to 4 allowing for more than + two encapsulation layers. Two layers are already easily reached in AWS GLB + environments. + Removed Functionality ---------------------