From 2044fbe53bb9f0a3d6db262c9eef23b8bd66f1dc Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Wed, 3 Nov 2021 12:17:22 -0700 Subject: [PATCH] Add GTPv1 packet analyzer, disable old analyzer --- auxil/bifcl | 2 +- scripts/base/frameworks/tunnels/main.zeek | 5 - scripts/base/packet-protocols/__load__.zeek | 1 + .../base/packet-protocols/gtpv1/__load__.zeek | 1 + scripts/base/packet-protocols/gtpv1/main.zeek | 28 + src/analyzer/protocol/CMakeLists.txt | 2 +- src/binpac_zeek.h | 4 + src/packet_analysis/Analyzer.h | 24 +- src/packet_analysis/protocol/CMakeLists.txt | 1 + .../protocol/gtpv1/CMakeLists.txt | 11 + src/packet_analysis/protocol/gtpv1/GTPv1.cc | 102 +++ src/packet_analysis/protocol/gtpv1/GTPv1.h | 46 ++ src/packet_analysis/protocol/gtpv1/Plugin.cc | 26 + src/packet_analysis/protocol/gtpv1/events.bif | 74 ++ .../protocol/gtpv1/functions.bif | 20 + .../protocol/gtpv1/gtpv1-analyzer.pac | 759 ++++++++++++++++++ .../protocol/gtpv1/gtpv1-protocol.pac | 496 ++++++++++++ src/packet_analysis/protocol/gtpv1/gtpv1.pac | 18 + src/zeek.pac | 1 + .../core.tunnels.gtp.non_recursive/out | 2 +- .../dpd.log | 2 +- .../canonified_loaded_scripts.log | 5 +- .../canonified_loaded_scripts.log | 5 +- testing/btest/Baseline/plugins.hooks/output | 60 +- .../Baseline/signatures.dpd/dpd-ipv4.out | 2 +- .../Baseline/signatures.dpd/dpd-ipv6.out | 2 +- .../Baseline/signatures.dpd/nosig-ipv4.out | 2 +- .../Baseline/signatures.dpd/nosig-ipv6.out | 2 +- 28 files changed, 1661 insertions(+), 42 deletions(-) create mode 100644 scripts/base/packet-protocols/gtpv1/__load__.zeek create mode 100644 scripts/base/packet-protocols/gtpv1/main.zeek create mode 100644 src/packet_analysis/protocol/gtpv1/CMakeLists.txt create mode 100644 src/packet_analysis/protocol/gtpv1/GTPv1.cc create mode 100644 src/packet_analysis/protocol/gtpv1/GTPv1.h create mode 100644 src/packet_analysis/protocol/gtpv1/Plugin.cc create mode 100644 src/packet_analysis/protocol/gtpv1/events.bif create mode 100644 src/packet_analysis/protocol/gtpv1/functions.bif create mode 100644 src/packet_analysis/protocol/gtpv1/gtpv1-analyzer.pac create mode 100644 src/packet_analysis/protocol/gtpv1/gtpv1-protocol.pac create mode 100644 src/packet_analysis/protocol/gtpv1/gtpv1.pac diff --git a/auxil/bifcl b/auxil/bifcl index 6bd2643518..762d55f9c6 160000 --- a/auxil/bifcl +++ b/auxil/bifcl @@ -1 +1 @@ -Subproject commit 6bd264351813eedb92753d2d4ed76ac6ddc076b3 +Subproject commit 762d55f9c6747267acca77f19d4b60b4dc3c3821 diff --git a/scripts/base/frameworks/tunnels/main.zeek b/scripts/base/frameworks/tunnels/main.zeek index 7cf4f82e40..3c4e8adf3d 100644 --- a/scripts/base/frameworks/tunnels/main.zeek +++ b/scripts/base/frameworks/tunnels/main.zeek @@ -90,14 +90,9 @@ export { global finalize_tunnel: Conn::RemovalHook; } -const gtpv1_ports = { 2152/udp, 2123/udp }; -redef likely_server_ports += { gtpv1_ports }; - event zeek_init() &priority=5 { Log::create_stream(Tunnel::LOG, [$columns=Info, $path="tunnel", $policy=log_policy]); - - Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports); } function register_all(ecv: EncapsulatingConnVector) diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek index f82027f6d1..5ea4cb93ef 100644 --- a/scripts/base/packet-protocols/__load__.zeek +++ b/scripts/base/packet-protocols/__load__.zeek @@ -25,3 +25,4 @@ @load base/packet-protocols/geneve @load base/packet-protocols/vxlan @load base/packet-protocols/teredo +@load base/packet-protocols/gtpv1 diff --git a/scripts/base/packet-protocols/gtpv1/__load__.zeek b/scripts/base/packet-protocols/gtpv1/__load__.zeek new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/packet-protocols/gtpv1/__load__.zeek @@ -0,0 +1 @@ +@load ./main \ No newline at end of file diff --git a/scripts/base/packet-protocols/gtpv1/main.zeek b/scripts/base/packet-protocols/gtpv1/main.zeek new file mode 100644 index 0000000000..052efa5f58 --- /dev/null +++ b/scripts/base/packet-protocols/gtpv1/main.zeek @@ -0,0 +1,28 @@ +module PacketAnalyzer::GTPV1; + +# This needs to be loaded here so the function is available. Function BIFs normally aren't +# loaded until after the packet analysis init scripts are run, and then zeek complains it +# can't find the function. +@load base/bif/plugins/Zeek_GTPv1.functions.bif + +# Needed for port registration for BPF +@load base/frameworks/analyzer/main + +export { + ## Default analyzer + const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef; +} + +const gtpv1_ports = { 2152/udp, 2123/udp }; +redef likely_server_ports += { gtpv1_ports }; + +event zeek_init() &priority=20 + { + PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1); + PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, gtpv1_ports); + } + +event connection_state_remove(c: connection) + { + remove_gtpv1_connection(c$id); + } diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt index bbc5048718..b21ec3a545 100644 --- a/src/analyzer/protocol/CMakeLists.txt +++ b/src/analyzer/protocol/CMakeLists.txt @@ -11,7 +11,7 @@ add_subdirectory(ftp) #add_subdirectory(geneve) add_subdirectory(gnutella) add_subdirectory(gssapi) -add_subdirectory(gtpv1) +#add_subdirectory(gtpv1) add_subdirectory(http) add_subdirectory(ident) add_subdirectory(imap) diff --git a/src/binpac_zeek.h b/src/binpac_zeek.h index 3735ff30a7..22bf8ed09e 100644 --- a/src/binpac_zeek.h +++ b/src/binpac_zeek.h @@ -6,6 +6,8 @@ #include "zeek/Val.h" #include "zeek/analyzer/Analyzer.h" #include "zeek/file_analysis/Analyzer.h" +#include "zeek/iosource/Packet.h" +#include "zeek/packet_analysis/Analyzer.h" #include "zeek/util.h" #include "event.bif.func_h" @@ -15,9 +17,11 @@ namespace binpac using ZeekAnalyzer = zeek::analyzer::Analyzer*; using ZeekFileAnalyzer = zeek::file_analysis::Analyzer; +using ZeekPacketAnalyzer = zeek::packet_analysis::Analyzer*; using ZeekVal = zeek::Val*; using ZeekPortVal = zeek::PortVal*; using ZeekStringVal = zeek::StringVal*; +using ZeekPacket = zeek::Packet; inline zeek::StringValPtr to_stringval(const_bytestring const& str) { diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h index fd11ba484e..d778128b7c 100644 --- a/src/packet_analysis/Analyzer.h +++ b/src/packet_analysis/Analyzer.h @@ -173,6 +173,18 @@ public: session::AnalyzerConfirmationState::VIOLATED; } + /** + * Reports a Weird with the analyzer's name included in the addl field. + * + * @param name The name of the weird. + * @param packet An optional pointer to a packet to be used for additional + * information in the weird output. + * @param addl An optional string containing additional information about + * the weird. If this is passed, the analyzer's name will be prepended to + * it before output. + */ + void Weird(const char* name, Packet* packet = nullptr, const char* addl = "") const; + protected: friend class Manager; @@ -227,18 +239,6 @@ protected: */ bool ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const; - /** - * Reports a Weird with the analyzer's name included in the addl field. - * - * @param name The name of the weird. - * @param packet An optional pointer to a packet to be used for additional - * information in the weird output. - * @param addl An optional string containing additional information about - * the weird. If this is passed, the analyzer's name will be prepended to - * it before output. - */ - void Weird(const char* name, Packet* packet = nullptr, const char* addl = "") const; - private: zeek::Tag tag; Dispatcher dispatcher; diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt index f4c3490963..e325816351 100644 --- a/src/packet_analysis/protocol/CMakeLists.txt +++ b/src/packet_analysis/protocol/CMakeLists.txt @@ -26,3 +26,4 @@ add_subdirectory(ayiya) add_subdirectory(geneve) add_subdirectory(vxlan) add_subdirectory(teredo) +add_subdirectory(gtpv1) diff --git a/src/packet_analysis/protocol/gtpv1/CMakeLists.txt b/src/packet_analysis/protocol/gtpv1/CMakeLists.txt new file mode 100644 index 0000000000..49e23e36e8 --- /dev/null +++ b/src/packet_analysis/protocol/gtpv1/CMakeLists.txt @@ -0,0 +1,11 @@ + +include(ZeekPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +zeek_plugin_begin(Zeek GTPv1) +zeek_plugin_cc(GTPv1.cc Plugin.cc) +zeek_plugin_bif(events.bif) +zeek_plugin_bif(functions.bif) +zeek_plugin_pac(gtpv1.pac gtpv1-protocol.pac gtpv1-analyzer.pac) +zeek_plugin_end() diff --git a/src/packet_analysis/protocol/gtpv1/GTPv1.cc b/src/packet_analysis/protocol/gtpv1/GTPv1.cc new file mode 100644 index 0000000000..a382317a57 --- /dev/null +++ b/src/packet_analysis/protocol/gtpv1/GTPv1.cc @@ -0,0 +1,102 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "zeek/packet_analysis/protocol/gtpv1/GTPv1.h" + +#include "zeek/packet_analysis/protocol/gtpv1/events.bif.h" +#include "zeek/packet_analysis/protocol/ip/IP.h" +#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h" + +namespace zeek::packet_analysis::gtpv1 + { +GTPv1_Analyzer::GTPv1_Analyzer() : zeek::packet_analysis::Analyzer("GTPV1") { } + +bool GTPv1_Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) + { + // GTPv1 always comes from a UDP connection, which means that session should always + // be valid and always be a connection. Return a weird if we didn't have a session + // stored. + if ( ! packet->session ) + { + Analyzer::Weird("gtpv1_missing_connection"); + return false; + } + + auto conn = static_cast(packet->session); + zeek::detail::ConnKey conn_key = conn->Key(); + + auto cm_it = conn_map.find(conn_key); + if ( cm_it == conn_map.end() ) + cm_it = conn_map.insert(cm_it, + {conn_key, std::make_unique(this)}); + + try + { + cm_it->second->set_raw_packet(packet); + cm_it->second->NewData(packet->is_orig, data, data + len); + } + catch ( const binpac::Exception& e ) + { + AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()), packet->session); + return false; + } + + // Inner packet offset not being set means we failed to process somewhere, and SetInnerInfo() + // was never called by the binpac code. Assume this is a failure and return false. + if ( inner_packet_offset <= 0 ) + return false; + + auto odata = data; + auto olen = len; + data += inner_packet_offset; + len -= inner_packet_offset; + inner_packet_offset = -1; + + // TODO: i'm not sure about this. on the one hand, we do some error checking with the result + // but on the other hand we duplicate this work here. maybe this header could just be stored + // and reused in the IP analyzer somehow? + std::shared_ptr inner = nullptr; + int result = packet_analysis::IP::ParsePacket(len, data, next_header, inner); + + if ( result == 0 ) + { + cm_it->second->set_valid(packet->is_orig, true); + + if ( (! BifConst::Tunnel::delay_gtp_confirmation) || + (cm_it->second->valid(true) && cm_it->second->valid(false)) ) + AnalyzerConfirmation(packet->session); + + if ( gtp_hdr_val ) + { + BifEvent::enqueue_gtpv1_g_pdu_packet(nullptr, conn, std::move(gtp_hdr_val), + inner->ToPktHdrVal()); + gtp_hdr_val = nullptr; + } + } + else if ( result == -2 ) + { + AnalyzerViolation("Invalid IP version in wrapped packet", packet->session); + gtp_hdr_val = nullptr; + return false; + } + else if ( result < 0 ) + { + AnalyzerViolation("Truncated GTPv1", packet->session); + gtp_hdr_val = nullptr; + return false; + } + else + { + AnalyzerViolation("GTPv1 payload length", packet->session); + gtp_hdr_val = nullptr; + return false; + } + + int encap_index = 0; + auto inner_packet = packet_analysis::IPTunnel::build_inner_packet( + packet, &encap_index, nullptr, len, data, DLT_RAW, BifEnum::Tunnel::GTPv1, + GetAnalyzerTag()); + + return ForwardPacket(len, data, inner_packet.get()); + } + + } // namespace zeek::packet_analysis::gtpv1 diff --git a/src/packet_analysis/protocol/gtpv1/GTPv1.h b/src/packet_analysis/protocol/gtpv1/GTPv1.h new file mode 100644 index 0000000000..11763782ab --- /dev/null +++ b/src/packet_analysis/protocol/gtpv1/GTPv1.h @@ -0,0 +1,46 @@ +#pragma once + +#include "zeek/packet_analysis/Analyzer.h" + +#include "packet_analysis/protocol/gtpv1/gtpv1_pac.h" + +namespace binpac::GTPv1 + { +class GTPv1_Conn; + } + +namespace zeek::packet_analysis::gtpv1 + { + +class GTPv1_Analyzer final : public packet_analysis::Analyzer + { +public: + explicit GTPv1_Analyzer(); + ~GTPv1_Analyzer() override = default; + + bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override; + + static zeek::packet_analysis::AnalyzerPtr Instantiate() + { + return std::make_shared(); + } + + void SetInnerInfo(int offset, uint8_t next, RecordValPtr val) + { + inner_packet_offset = offset; + next_header = next; + gtp_hdr_val = std::move(val); + } + + void RemoveConnection(const zeek::detail::ConnKey& conn_key) { conn_map.erase(conn_key); } + +protected: + using ConnMap = std::map>; + ConnMap conn_map; + + int inner_packet_offset = -1; + uint8_t next_header = 0; + RecordValPtr gtp_hdr_val; + }; + + } // namespace zeek::packet_analysis::gtpv1 diff --git a/src/packet_analysis/protocol/gtpv1/Plugin.cc b/src/packet_analysis/protocol/gtpv1/Plugin.cc new file mode 100644 index 0000000000..01811e71b6 --- /dev/null +++ b/src/packet_analysis/protocol/gtpv1/Plugin.cc @@ -0,0 +1,26 @@ +// See the file in the main distribution directory for copyright. + +#include "zeek/plugin/Plugin.h" + +#include "zeek/packet_analysis/Component.h" +#include "zeek/packet_analysis/protocol/gtpv1/GTPv1.h" + +namespace zeek::plugin::detail::Zeek_GTPv1 + { + +class Plugin : public zeek::plugin::Plugin + { +public: + zeek::plugin::Configuration Configure() override + { + AddComponent(new zeek::packet_analysis::Component( + "GTPv1", zeek::packet_analysis::gtpv1::GTPv1_Analyzer::Instantiate)); + + zeek::plugin::Configuration config; + config.name = "Zeek::GTPv1"; + config.description = "GTPv1 analyzer"; + return config; + } + } plugin; + + } // namespace zeek::plugin::detail::Zeek_GTPv1 diff --git a/src/packet_analysis/protocol/gtpv1/events.bif b/src/packet_analysis/protocol/gtpv1/events.bif new file mode 100644 index 0000000000..b3bac93a2e --- /dev/null +++ b/src/packet_analysis/protocol/gtpv1/events.bif @@ -0,0 +1,74 @@ +## Generated for any GTP message with a GTPv1 header. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. +event gtpv1_message%(c: connection, hdr: gtpv1_hdr%); + +## Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload +## that includes a GTP header followed by an IPv4 or IPv6 packet. +## +## outer: The GTP outer tunnel connection. +## +## inner_gtp: The GTP header. +## +## inner_ip: The inner IP and transport layer packet headers. +## +## .. note:: Since this event may be raised on a per-packet basis, handling +## it may become particularly expensive for real-time analysis. +event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%); + +## Generated for GTPv1-C Create PDP Context Request messages. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. +## +## elements: The set of Information Elements comprising the message. +event gtpv1_create_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements%); + +## Generated for GTPv1-C Create PDP Context Response messages. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. +## +## elements: The set of Information Elements comprising the message. +event gtpv1_create_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements%); + +## Generated for GTPv1-C Update PDP Context Request messages. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. +## +## elements: The set of Information Elements comprising the message. +event gtpv1_update_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements%); + +## Generated for GTPv1-C Update PDP Context Response messages. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. +## +## elements: The set of Information Elements comprising the message. +event gtpv1_update_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements%); + +## Generated for GTPv1-C Delete PDP Context Request messages. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. +## +## elements: The set of Information Elements comprising the message. +event gtpv1_delete_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements%); + +## Generated for GTPv1-C Delete PDP Context Response messages. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. +## +## elements: The set of Information Elements comprising the message. +event gtpv1_delete_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements%); + diff --git a/src/packet_analysis/protocol/gtpv1/functions.bif b/src/packet_analysis/protocol/gtpv1/functions.bif new file mode 100644 index 0000000000..05376a920e --- /dev/null +++ b/src/packet_analysis/protocol/gtpv1/functions.bif @@ -0,0 +1,20 @@ +module PacketAnalyzer::GTPV1; + +%%{ +#include "zeek/Conn.h" +#include "zeek/session/Manager.h" +#include "zeek/packet_analysis/Manager.h" +#include "zeek/packet_analysis/protocol/gtpv1/GTPv1.h" +%%} + +function remove_gtpv1_connection%(cid: conn_id%) : bool + %{ + zeek::packet_analysis::AnalyzerPtr gtpv1 = zeek::packet_mgr->GetAnalyzer("GTPv1"); + if ( gtpv1 ) + { + zeek::detail::ConnKey conn_key(cid); + static_cast(gtpv1.get())->RemoveConnection(conn_key); + } + + return zeek::val_mgr->True(); + %} diff --git a/src/packet_analysis/protocol/gtpv1/gtpv1-analyzer.pac b/src/packet_analysis/protocol/gtpv1/gtpv1-analyzer.pac new file mode 100644 index 0000000000..6fc18befea --- /dev/null +++ b/src/packet_analysis/protocol/gtpv1/gtpv1-analyzer.pac @@ -0,0 +1,759 @@ +%extern{ +#include "zeek/ZeekString.h" +#include "zeek/packet_analysis/protocol/gtpv1/GTPv1.h" +%} + +%code{ +zeek::RecordValPtr BuildGTPv1Hdr(const GTPv1_Header* pdu) + { + auto rv = zeek::make_intrusive(zeek::BifType::Record::gtpv1_hdr); + + rv->Assign(0, pdu->version()); + rv->Assign(1, pdu->pt_flag()); + rv->Assign(2, pdu->rsv()); + rv->Assign(3, pdu->e_flag()); + rv->Assign(4, pdu->s_flag()); + rv->Assign(5, pdu->pn_flag()); + rv->Assign(6, pdu->msg_type()); + rv->Assign(7, pdu->length()); + rv->Assign(8, pdu->teid()); + + if ( pdu->has_opt() ) + { + rv->Assign(9, pdu->opt_hdr()->seq()); + rv->Assign(10, pdu->opt_hdr()->n_pdu()); + rv->Assign(11, pdu->opt_hdr()->next_type()); + } + + return rv; + } + +static zeek::ValPtr BuildIMSI(const InformationElement* ie) + { + return zeek::val_mgr->Count(ie->imsi()->value()); + } + +static zeek::ValPtr BuildRAI(const InformationElement* ie) + { + auto ev = zeek::make_intrusive(zeek::BifType::Record::gtp_rai); + ev->Assign(0, ie->rai()->mcc()); + ev->Assign(1, ie->rai()->mnc()); + ev->Assign(2, ie->rai()->lac()); + ev->Assign(3, ie->rai()->rac()); + return ev; + } + +static zeek::ValPtr BuildRecovery(const InformationElement* ie) + { + return zeek::val_mgr->Count(ie->recovery()->restart_counter()); + } + +static zeek::ValPtr BuildSelectionMode(const InformationElement* ie) + { + return zeek::val_mgr->Count(ie->selection_mode()->mode()); + } + +static zeek::ValPtr BuildTEID1(const InformationElement* ie) + { + return zeek::val_mgr->Count(ie->teid1()->value()); + } + +static zeek::ValPtr BuildTEID_ControlPlane(const InformationElement* ie) + { + return zeek::val_mgr->Count(ie->teidcp()->value()); + } + +static zeek::ValPtr BuildNSAPI(const InformationElement* ie) + { + return zeek::val_mgr->Count(ie->nsapi()->nsapi()); + } + +static zeek::ValPtr BuildChargingCharacteristics(const InformationElement* ie) + { + return zeek::val_mgr->Count(ie->charging_characteristics()->value()); + } + +static zeek::ValPtr BuildTraceReference(const InformationElement* ie) + { + return zeek::val_mgr->Count(ie->trace_reference()->value()); + } + +static zeek::ValPtr BuildTraceType(const InformationElement* ie) + { + return zeek::val_mgr->Count(ie->trace_type()->value()); + } + +zeek::ValPtr BuildEndUserAddr(const InformationElement* ie) + { + auto ev = zeek::make_intrusive(zeek::BifType::Record::gtp_end_user_addr); + ev->Assign(0, ie->end_user_addr()->pdp_type_org()); + ev->Assign(1, ie->end_user_addr()->pdp_type_num()); + + int len = ie->end_user_addr()->pdp_addr().length(); + + if ( len > 0 ) + { + const uint8* d = ie->end_user_addr()->pdp_addr().data(); + + switch ( ie->end_user_addr()->pdp_type_num() ) { + case 0x21: + ev->Assign(2, zeek::make_intrusive( + zeek::IPAddr(IPv4, (const uint32*) d, zeek::IPAddr::Network))); + break; + case 0x57: + ev->Assign(2, zeek::make_intrusive( + zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network))); + break; + default: + ev->Assign(3, new zeek::String((const u_char*) d, len, false)); + break; + } + } + + return ev; + } + +zeek::ValPtr BuildAccessPointName(const InformationElement* ie) + { + zeek::String* bs = new zeek::String((const u_char*) ie->ap_name()->value().data(), + ie->ap_name()->value().length(), false); + return zeek::make_intrusive(bs); + } + +zeek::ValPtr BuildProtoConfigOptions(const InformationElement* ie) + { + const u_char* d = (const u_char*) ie->proto_config_opts()->value().data(); + int len = ie->proto_config_opts()->value().length(); + return zeek::make_intrusive(new zeek::String(d, len, false)); + } + +zeek::ValPtr BuildGSN_Addr(const InformationElement* ie) + { + auto ev = zeek::make_intrusive(zeek::BifType::Record::gtp_gsn_addr); + + int len = ie->gsn_addr()->value().length(); + const uint8* d = ie->gsn_addr()->value().data(); + + if ( len == 4 ) + ev->Assign(0, zeek::make_intrusive( + zeek::IPAddr(IPv4, (const uint32*) d, zeek::IPAddr::Network))); + else if ( len == 16 ) + ev->Assign(0, zeek::make_intrusive( + zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network))); + else + ev->Assign(1, new zeek::String((const u_char*) d, len, false)); + + return ev; + } + +zeek::ValPtr BuildMSISDN(const InformationElement* ie) + { + const u_char* d = (const u_char*) ie->msisdn()->value().data(); + int len = ie->msisdn()->value().length(); + return zeek::make_intrusive(new zeek::String(d, len, false)); + } + +zeek::ValPtr BuildQoS_Profile(const InformationElement* ie) + { + auto ev = zeek::make_intrusive(zeek::BifType::Record::gtp_qos_profile); + + const u_char* d = (const u_char*) ie->qos_profile()->data().data(); + int len = ie->qos_profile()->data().length(); + + ev->Assign(0, ie->qos_profile()->alloc_retention_priority()); + ev->Assign(1, new zeek::String(d, len, false)); + + return ev; + } + +zeek::ValPtr BuildTrafficFlowTemplate(const InformationElement* ie) + { + const uint8* d = ie->traffic_flow_template()->value().data(); + int len = ie->traffic_flow_template()->value().length(); + return zeek::make_intrusive(new zeek::String((const u_char*) d, len, false)); + } + +zeek::ValPtr BuildTriggerID(const InformationElement* ie) + { + const uint8* d = ie->trigger_id()->value().data(); + int len = ie->trigger_id()->value().length(); + return zeek::make_intrusive(new zeek::String((const u_char*) d, len, false)); + } + +zeek::ValPtr BuildOMC_ID(const InformationElement* ie) + { + const uint8* d = ie->omc_id()->value().data(); + int len = ie->omc_id()->value().length(); + return zeek::make_intrusive(new zeek::String((const u_char*) d, len, false)); + } + +zeek::ValPtr BuildPrivateExt(const InformationElement* ie) + { + auto ev = zeek::make_intrusive(zeek::BifType::Record::gtp_private_extension); + + const uint8* d = ie->private_ext()->value().data(); + int len = ie->private_ext()->value().length(); + + ev->Assign(0, ie->private_ext()->id()); + ev->Assign(1, new zeek::String((const u_char*) d, len, false)); + + return ev; + } + +static zeek::ValPtr BuildCause(const InformationElement* ie) + { + return zeek::val_mgr->Count(ie->cause()->value()); + } + +static zeek::ValPtr BuildReorderReq(const InformationElement* ie) + { + return zeek::val_mgr->Bool(ie->reorder_req()->req()); + } + +static zeek::ValPtr BuildChargingID(const InformationElement* ie) + { + return zeek::val_mgr->Count(ie->charging_id()->value());; + } + +zeek::ValPtr BuildChargingGatewayAddr(const InformationElement* ie) + { + const uint8* d = ie->charging_gateway_addr()->value().data(); + int len = ie->charging_gateway_addr()->value().length(); + if ( len == 4 ) + return zeek::make_intrusive(zeek::IPAddr(IPv4, (const uint32*) d, zeek::IPAddr::Network)); + else if ( len == 16 ) + return zeek::make_intrusive(zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network)); + else + return nullptr; + } + +static zeek::ValPtr BuildTeardownInd(const InformationElement* ie) + { + return zeek::val_mgr->Bool(ie->teardown_ind()->ind()); + } + +void CreatePDP_Request(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu) + { + if ( ! ::gtpv1_create_pdp_ctx_request ) return; + + auto rv = zeek::make_intrusive( + zeek::BifType::Record::gtp_create_pdp_ctx_request_elements); + + const vector * v = pdu->create_pdp_ctx_request(); + + bool second_nsapi = false; + bool second_gsn_addr = false; + + for ( size_t i = 0; i < v->size(); ++i ) + { + const InformationElement* ie = (*v)[i]; + + switch ( ie->type() ) { + case GTPv1::TYPE_IMSI: + rv->Assign(0, BuildIMSI(ie)); + break; + case GTPv1::TYPE_RAI: + rv->Assign(1, BuildRAI(ie)); + break; + case GTPv1::TYPE_RECOVERY: + rv->Assign(2, BuildRecovery(ie)); + break; + case GTPv1::TYPE_SELECTION_MODE: + rv->Assign(3, BuildSelectionMode(ie)); + break; + case GTPv1::TYPE_TEID1: + rv->Assign(4, BuildTEID1(ie)); + break; + case GTPv1::TYPE_TEID_CONTROL_PLANE: + rv->Assign(5, BuildTEID_ControlPlane(ie)); + break; + case GTPv1::TYPE_NSAPI: + if ( second_nsapi ) + rv->Assign(7, BuildNSAPI(ie)); + else + { + second_nsapi = true; + rv->Assign(6, BuildNSAPI(ie)); + } + break; + case GTPv1::TYPE_CHARGING_CHARACTERISTICS: + rv->Assign(8, BuildChargingCharacteristics(ie)); + break; + case GTPv1::TYPE_TRACE_REFERENCE: + rv->Assign(9, BuildTraceReference(ie)); + break; + case GTPv1::TYPE_TRACE_TYPE: + rv->Assign(10, BuildTraceType(ie)); + break; + case GTPv1::TYPE_END_USER_ADDR: + rv->Assign(11, BuildEndUserAddr(ie)); + break; + case GTPv1::TYPE_ACCESS_POINT_NAME: + rv->Assign(12, BuildAccessPointName(ie)); + break; + case GTPv1::TYPE_PROTO_CONFIG_OPTIONS: + rv->Assign(13, BuildProtoConfigOptions(ie)); + break; + case GTPv1::TYPE_GSN_ADDR: + if ( second_gsn_addr ) + rv->Assign(15, BuildGSN_Addr(ie)); + else + { + second_gsn_addr = true; + rv->Assign(14, BuildGSN_Addr(ie)); + } + break; + case GTPv1::TYPE_MSISDN: + rv->Assign(16, BuildMSISDN(ie)); + break; + case GTPv1::TYPE_QOS_PROFILE: + rv->Assign(17, BuildQoS_Profile(ie)); + break; + case GTPv1::TYPE_TRAFFIC_FLOW_TEMPLATE: + rv->Assign(18, BuildTrafficFlowTemplate(ie)); + break; + case GTPv1::TYPE_TRIGGER_ID: + rv->Assign(19, BuildTriggerID(ie)); + break; + case GTPv1::TYPE_OMC_ID: + rv->Assign(20, BuildOMC_ID(ie)); + break; + case GTPv1::TYPE_PRIVATE_EXT: + rv->Assign(21, BuildPrivateExt(ie)); + break; + default: + a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type())); + break; + } + } + + zeek::BifEvent::enqueue_gtpv1_create_pdp_ctx_request(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv)); + } + +void CreatePDP_Response(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu) + { + if ( ! ::gtpv1_create_pdp_ctx_response ) + return; + + auto rv = zeek::make_intrusive( + zeek::BifType::Record::gtp_create_pdp_ctx_response_elements); + + const vector * v = pdu->create_pdp_ctx_response(); + + bool second_gsn_addr = false; + + for ( size_t i = 0; i < v->size(); ++i ) + { + const InformationElement* ie = (*v)[i]; + + switch ( ie->type() ) { + case GTPv1::TYPE_CAUSE: + rv->Assign(0, BuildCause(ie)); + break; + case GTPv1::TYPE_REORDER_REQ: + rv->Assign(1, BuildReorderReq(ie)); + break; + case GTPv1::TYPE_RECOVERY: + rv->Assign(2, BuildRecovery(ie)); + break; + case GTPv1::TYPE_TEID1: + rv->Assign(3, BuildTEID1(ie)); + break; + case GTPv1::TYPE_TEID_CONTROL_PLANE: + rv->Assign(4, BuildTEID_ControlPlane(ie)); + break; + case GTPv1::TYPE_CHARGING_ID: + rv->Assign(5, BuildChargingID(ie)); + break; + case GTPv1::TYPE_END_USER_ADDR: + rv->Assign(6, BuildEndUserAddr(ie)); + break; + case GTPv1::TYPE_PROTO_CONFIG_OPTIONS: + rv->Assign(7, BuildProtoConfigOptions(ie)); + break; + case GTPv1::TYPE_GSN_ADDR: + if ( second_gsn_addr ) + rv->Assign(9, BuildGSN_Addr(ie)); + else + { + second_gsn_addr = true; + rv->Assign(8, BuildGSN_Addr(ie)); + } + break; + case GTPv1::TYPE_QOS_PROFILE: + rv->Assign(10, BuildQoS_Profile(ie)); + break; + case GTPv1::TYPE_CHARGING_GATEWAY_ADDR: + rv->Assign(11, BuildChargingGatewayAddr(ie)); + break; + case GTPv1::TYPE_PRIVATE_EXT: + rv->Assign(12, BuildPrivateExt(ie)); + break; + default: + a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type())); + break; + } + } + + zeek::BifEvent::enqueue_gtpv1_create_pdp_ctx_response(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv)); + } + +void UpdatePDP_Request(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu) + { + if ( ! ::gtpv1_update_pdp_ctx_request ) + return; + + auto rv = zeek::make_intrusive( + zeek::BifType::Record::gtp_update_pdp_ctx_request_elements); + + const vector * v = pdu->update_pdp_ctx_request(); + + bool second_gsn_addr = false; + + for ( size_t i = 0; i < v->size(); ++i ) + { + const InformationElement* ie = (*v)[i]; + + switch ( ie->type() ) { + case GTPv1::TYPE_IMSI: + rv->Assign(0, BuildIMSI(ie)); + break; + case GTPv1::TYPE_RAI: + rv->Assign(1, BuildRAI(ie)); + break; + case GTPv1::TYPE_RECOVERY: + rv->Assign(2, BuildRecovery(ie)); + break; + case GTPv1::TYPE_TEID1: + rv->Assign(3, BuildTEID1(ie)); + break; + case GTPv1::TYPE_TEID_CONTROL_PLANE: + rv->Assign(4, BuildTEID_ControlPlane(ie)); + break; + case GTPv1::TYPE_NSAPI: + rv->Assign(5, BuildNSAPI(ie)); + break; + case GTPv1::TYPE_TRACE_REFERENCE: + rv->Assign(6, BuildTraceReference(ie)); + break; + case GTPv1::TYPE_TRACE_TYPE: + rv->Assign(7, BuildTraceType(ie)); + break; + case GTPv1::TYPE_GSN_ADDR: + if ( second_gsn_addr ) + rv->Assign(9, BuildGSN_Addr(ie)); + else + { + second_gsn_addr = true; + rv->Assign(8, BuildGSN_Addr(ie)); + } + break; + case GTPv1::TYPE_QOS_PROFILE: + rv->Assign(10, BuildQoS_Profile(ie)); + break; + case GTPv1::TYPE_TRAFFIC_FLOW_TEMPLATE: + rv->Assign(11, BuildTrafficFlowTemplate(ie)); + break; + case GTPv1::TYPE_TRIGGER_ID: + rv->Assign(12, BuildTriggerID(ie)); + break; + case GTPv1::TYPE_OMC_ID: + rv->Assign(13, BuildOMC_ID(ie)); + break; + case GTPv1::TYPE_PRIVATE_EXT: + rv->Assign(14, BuildPrivateExt(ie)); + break; + case GTPv1::TYPE_END_USER_ADDR: + rv->Assign(15, BuildEndUserAddr(ie)); + break; + default: + a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type())); + break; + } + } + + zeek::BifEvent::enqueue_gtpv1_update_pdp_ctx_request(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv)); + } + +void UpdatePDP_Response(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu) + { + if ( ! ::gtpv1_update_pdp_ctx_response ) + return; + + auto rv = zeek::make_intrusive( + zeek::BifType::Record::gtp_update_pdp_ctx_response_elements); + + const vector * v = pdu->update_pdp_ctx_response(); + + bool second_gsn_addr = false; + + for ( size_t i = 0; i < v->size(); ++i ) + { + const InformationElement* ie = (*v)[i]; + + switch ( ie->type() ) { + case GTPv1::TYPE_CAUSE: + rv->Assign(0, BuildCause(ie)); + break; + case GTPv1::TYPE_RECOVERY: + rv->Assign(1, BuildRecovery(ie)); + break; + case GTPv1::TYPE_TEID1: + rv->Assign(2, BuildTEID1(ie)); + break; + case GTPv1::TYPE_TEID_CONTROL_PLANE: + rv->Assign(3, BuildTEID_ControlPlane(ie)); + break; + case GTPv1::TYPE_CHARGING_ID: + rv->Assign(4, BuildChargingID(ie)); + break; + case GTPv1::TYPE_GSN_ADDR: + if ( second_gsn_addr ) + rv->Assign(6, BuildGSN_Addr(ie)); + else + { + second_gsn_addr = true; + rv->Assign(5, BuildGSN_Addr(ie)); + } + break; + case GTPv1::TYPE_QOS_PROFILE: + rv->Assign(7, BuildQoS_Profile(ie)); + break; + case GTPv1::TYPE_CHARGING_GATEWAY_ADDR: + rv->Assign(8, BuildChargingGatewayAddr(ie)); + break; + case GTPv1::TYPE_PRIVATE_EXT: + rv->Assign(9, BuildPrivateExt(ie)); + break; + default: + a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type())); + break; + } + } + + zeek::BifEvent::enqueue_gtpv1_update_pdp_ctx_response(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv)); + } + +void DeletePDP_Request(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu) + { + if ( ! ::gtpv1_delete_pdp_ctx_request ) + return; + + auto rv = zeek::make_intrusive( + zeek::BifType::Record::gtp_delete_pdp_ctx_request_elements); + + const vector * v = pdu->delete_pdp_ctx_request(); + + for ( size_t i = 0; i < v->size(); ++i ) + { + const InformationElement* ie = (*v)[i]; + + switch ( ie->type() ) { + case GTPv1::TYPE_TEARDOWN_IND: + rv->Assign(0, BuildTeardownInd(ie)); + break; + case GTPv1::TYPE_NSAPI: + rv->Assign(1, BuildNSAPI(ie)); + break; + case GTPv1::TYPE_PRIVATE_EXT: + rv->Assign(2, BuildPrivateExt(ie)); + break; + default: + a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type())); + break; + } + } + + zeek::BifEvent::enqueue_gtpv1_delete_pdp_ctx_request(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv)); + } + +void DeletePDP_Response(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu) + { + if ( ! ::gtpv1_delete_pdp_ctx_response ) + return; + + auto rv = zeek::make_intrusive( + zeek::BifType::Record::gtp_delete_pdp_ctx_response_elements); + + const vector * v = pdu->delete_pdp_ctx_response(); + + for ( size_t i = 0; i < v->size(); ++i ) + { + const InformationElement* ie = (*v)[i]; + + switch ( ie->type() ) { + case GTPv1::TYPE_CAUSE: + rv->Assign(0, BuildCause(ie)); + break; + case GTPv1::TYPE_PRIVATE_EXT: + rv->Assign(1, BuildPrivateExt(ie)); + break; + default: + a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type())); + break; + } + } + + zeek::BifEvent::enqueue_gtpv1_delete_pdp_ctx_response(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv)); + } +%} + +connection GTPv1_Conn(zeek_analyzer: ZeekPacketAnalyzer) + { + upflow = GTPv1_Flow(true); + downflow = GTPv1_Flow(false); + + %member{ + bool valid_orig; + bool valid_resp; + ZeekPacket* packet; + %} + + %init{ + valid_orig = valid_resp = false; + %} + + function valid(orig: bool): bool + %{ + return orig ? valid_orig : valid_resp; + %} + + function set_valid(orig: bool, val: bool): void + %{ + if ( orig ) + valid_orig = val; + else + valid_resp = val; + %} + + function set_raw_packet(p: ZeekPacket): void + %{ + packet = p; + %} + + function get_raw_packet(): ZeekPacket + %{ + return packet; + %} + } + +flow GTPv1_Flow(is_orig: bool) + { + datagram = GTPv1_Header withcontext(connection, this); + + function violate(r: string, pdu: GTPv1_Header): void + %{ + ZeekPacketAnalyzer a = connection()->zeek_analyzer(); + ZeekPacket* p = connection()->get_raw_packet(); + a->AnalyzerViolation(r.c_str(), p->session); + %} + + function process_gtpv1(pdu: GTPv1_Header): bool + %{ + ZeekPacketAnalyzer a = connection()->zeek_analyzer(); + ZeekPacket* p = connection()->get_raw_packet(); + zeek::Connection* c = static_cast(p->session); + const std::shared_ptr e = p->encap; + + connection()->set_valid(is_orig(), false); + + if ( e && e->Depth() >= zeek::BifConst::Tunnel::max_depth ) + { + a->Weird("tunnel_depth"); + return false; + } + + if ( e && e->LastType() == BifEnum::Tunnel::GTPv1 ) + { + // GTP is never tunneled in GTP so, this must be a regular packet + violate("GTP-in-GTP", pdu); + return false; + } + + if ( ${pdu.version} != 1 ) + { + // Only know of GTPv1 with Version == 1 + violate("GTPv1 bad Version", pdu); + return false; + } + + if ( ! ${pdu.pt_flag} ) + { + // Not interested in GTP + return false; + } + + if ( ::gtpv1_message ) + zeek::BifEvent::enqueue_gtpv1_message(nullptr, c, BuildGTPv1Hdr(pdu)); + + switch ( ${pdu.msg_type} ) { + case 16: + CreatePDP_Request(a, c, pdu); + return true; + case 17: + CreatePDP_Response(a, c, pdu); + return true; + case 18: + UpdatePDP_Request(a, c, pdu); + return true; + case 19: + UpdatePDP_Response(a, c, pdu); + return true; + case 20: + DeletePDP_Request(a, c, pdu); + return true; + case 21: + DeletePDP_Response(a, c, pdu); + return true; + case 255: + return process_g_pdu(pdu); + default: + return false; + } + + return false; + %} + + function process_g_pdu(pdu: GTPv1_Header): bool + %{ + ZeekPacketAnalyzer a = connection()->zeek_analyzer(); + ZeekPacket* p = connection()->get_raw_packet(); + zeek::Connection* c = static_cast(p->session); + + if ( ${pdu.packet}.length() < (int)sizeof(struct ip) ) + { + violate("Truncated GTPv1", pdu); + return false; + } + + const struct ip* ip = (const struct ip*) ${pdu.packet}.data(); + + if ( ip->ip_v != 4 && ip->ip_v != 6 ) + { + violate("non-IP packet in GTPv1", pdu); + return false; + } + + int hdr_len = 8; + + if ( pdu->has_opt() ) + hdr_len += 4; + + if ( pdu->e_flag() && pdu->ext_hdrs() ) + for ( const auto& eh : *pdu->ext_hdrs() ) + hdr_len += 2 + eh->contents().length(); + + auto next_hdr = ip->ip_v == 6 ? IPPROTO_IPV6 : IPPROTO_IPV4; + zeek::RecordValPtr hdr_val; + + if ( ::gtpv1_g_pdu_packet ) + hdr_val = BuildGTPv1Hdr(pdu); + + static_cast(a)->SetInnerInfo( + hdr_len, next_hdr, std::move(hdr_val)); + + return true; + %} + }; + +refine typeattr GTPv1_Header += &let { proc_gtpv1 = $context.flow.process_gtpv1(this); }; diff --git a/src/packet_analysis/protocol/gtpv1/gtpv1-protocol.pac b/src/packet_analysis/protocol/gtpv1/gtpv1-protocol.pac new file mode 100644 index 0000000000..0a87665fd2 --- /dev/null +++ b/src/packet_analysis/protocol/gtpv1/gtpv1-protocol.pac @@ -0,0 +1,496 @@ + +type GTPv1_Header = record { + flags: uint8; + msg_type: uint8; + length: uint16; + teid: uint32; + + opt: case has_opt of { + true -> opt_hdr: GTPv1_Opt_Header; + false -> no_opt: empty; + }; + + ext: case e_flag of { + true -> ext_hdrs: GTPv1_Ext_Header[] &until($element.next_type == 0); + false -> no_ext: empty; + }; + + msg: case msg_type of { + 16 -> create_pdp_ctx_request: InformationElement[]; + 17 -> create_pdp_ctx_response: InformationElement[]; + 18 -> update_pdp_ctx_request: InformationElement[]; + 19 -> update_pdp_ctx_response: InformationElement[]; + 20 -> delete_pdp_ctx_request: InformationElement[]; + 21 -> delete_pdp_ctx_response: InformationElement[]; + 255 -> packet: bytestring &restofdata; + default -> unknown: bytestring &restofdata; + }; + +} &let { + version: uint8 = (flags & 0xE0) >> 5; + pt_flag: bool = flags & 0x10; + rsv: bool = flags & 0x08; + e_flag: bool = flags & 0x04; + s_flag: bool = flags & 0x02; + pn_flag: bool = flags & 0x01; + has_opt: bool = flags & 0x07; +} &byteorder = bigendian, &exportsourcedata; + +type GTPv1_Opt_Header = record { + seq: uint16; + n_pdu: uint8; + next_type: uint8; +}; + +type GTPv1_Ext_Header = record { + length: uint8; + contents: bytestring &length=(length * 4 - 2); + next_type: uint8; +}; + +enum InfoElementType { + TYPE_CAUSE = 1, + TYPE_IMSI = 2, + TYPE_RAI = 3, + TYPE_TLLI = 4, + TYPE_P_TMSI = 5, + TYPE_REORDER_REQ = 8, + TYPE_AUTHN_TRIPLET = 9, + TYPE_MAP_CAUSE = 11, + TYPE_P_TMSI_SIG = 12, + TYPE_MS_VALID = 13, + TYPE_RECOVERY = 14, + TYPE_SELECTION_MODE = 15, + TYPE_TEID1 = 16, + TYPE_TEID_CONTROL_PLANE = 17, + TYPE_TEID2 = 18, + TYPE_TEARDOWN_IND = 19, + TYPE_NSAPI = 20, + TYPE_RANAP_CAUSE = 21, + TYPE_RAB_CTX = 22, + TYPE_RADIO_PRIORITY_SMS = 23, + TYPE_RADIO_PRIORITY = 24, + TYPE_PACKET_FLOW_ID = 25, + TYPE_CHARGING_CHARACTERISTICS = 26, + TYPE_TRACE_REFERENCE = 27, + TYPE_TRACE_TYPE = 28, + TYPE_MS_NOT_REACHABLE_REASON = 29, + TYPE_CHARGING_ID = 127, + TYPE_END_USER_ADDR = 128, + TYPE_MM_CTX = 129, + TYPE_PDP_CTX = 130, + TYPE_ACCESS_POINT_NAME = 131, + TYPE_PROTO_CONFIG_OPTIONS = 132, + TYPE_GSN_ADDR = 133, + TYPE_MSISDN = 134, + TYPE_QOS_PROFILE = 135, + TYPE_AUTHN_QUINTUPLET = 136, + TYPE_TRAFFIC_FLOW_TEMPLATE = 137, + TYPE_TARGET_ID = 138, + TYPE_UTRAN_TRANSPARENT_CONTAINER = 139, + TYPE_RAB_SETUP_INFO = 140, + TYPE_EXT_HEADER_TYPE_LIST = 141, + TYPE_TRIGGER_ID = 142, + TYPE_OMC_ID = 143, + TYPE_CHARGING_GATEWAY_ADDR = 251, + TYPE_PRIVATE_EXT = 255, +}; + +type InformationElement = record { + type: uint8; + + len: case is_tlv of { + true -> tlv_len: uint16; + false -> no_len: empty; + }; + + value: case type of { + TYPE_CAUSE -> cause: Cause; + TYPE_IMSI -> imsi: IMSI; + TYPE_RAI -> rai: RAI; + TYPE_TLLI -> tlli: TLLI; + TYPE_P_TMSI -> p_tmsi: P_TMSI; + TYPE_REORDER_REQ -> reorder_req: ReorderReq; + TYPE_AUTHN_TRIPLET -> authn_triplet: AuthN_Triplet; + TYPE_MAP_CAUSE -> map_cause: MAP_Cause; + TYPE_P_TMSI_SIG -> p_tmsi_sig: P_TMSI_Sig; + TYPE_MS_VALID -> ms_valid: MS_Valid; + TYPE_RECOVERY -> recovery: Recovery; + TYPE_SELECTION_MODE -> selection_mode: SelectionMode; + TYPE_TEID1 -> teid1: TEID1; + TYPE_TEID_CONTROL_PLANE -> teidcp: TEID_ControlPlane; + TYPE_TEID2 -> teid2: TEID2; + TYPE_TEARDOWN_IND -> teardown_ind: TeardownInd; + TYPE_NSAPI -> nsapi: NSAPI; + TYPE_RANAP_CAUSE -> ranap_cause: RANAP_Cause; + TYPE_RAB_CTX -> rab_ctx: RAB_Ctx; + TYPE_RADIO_PRIORITY_SMS -> radio_priority_sms: RadioPrioritySMS; + TYPE_RADIO_PRIORITY -> radio_priority: RadioPriority; + TYPE_PACKET_FLOW_ID -> packet_flow_id: PacketFlowID; + TYPE_CHARGING_CHARACTERISTICS -> charging_characteristics: ChargingCharacteristics; + TYPE_TRACE_REFERENCE -> trace_reference: TraceReference; + TYPE_TRACE_TYPE -> trace_type: TraceType; + TYPE_MS_NOT_REACHABLE_REASON -> ms_not_reachable_reason: MS_Not_Reachable_Reason; + TYPE_CHARGING_ID -> charging_id: ChargingID; + TYPE_END_USER_ADDR -> end_user_addr: EndUserAddr(length); + TYPE_MM_CTX -> mm_ctx: MM_Ctx(length); + TYPE_PDP_CTX -> pdp_ctx: PDP_Ctx(length); + TYPE_ACCESS_POINT_NAME -> ap_name: AP_Name(length); + TYPE_PROTO_CONFIG_OPTIONS -> proto_config_opts: ProtoConfigOpts(length); + TYPE_GSN_ADDR -> gsn_addr: GSN_Addr(length); + TYPE_MSISDN -> msisdn: MSISDN(length); + TYPE_QOS_PROFILE -> qos_profile: QoS_Profile(length); + TYPE_AUTHN_QUINTUPLET -> authn_quintuplet: AuthN_Quintuplet(length); + TYPE_TRAFFIC_FLOW_TEMPLATE -> traffic_flow_template: TrafficFlowTemplate(length); + TYPE_TARGET_ID -> target_id: TargetID(length); + TYPE_UTRAN_TRANSPARENT_CONTAINER -> utran_transparent_container: UTRAN_TransparentContainer(length); + TYPE_RAB_SETUP_INFO -> rab_setup_info: RAB_SetupInfo(length); + TYPE_EXT_HEADER_TYPE_LIST -> ext_hdr_type_list: ExtHdrTypeList(length); + TYPE_TRIGGER_ID -> trigger_id: TriggerID(length); + TYPE_OMC_ID -> omc_id: OMC_ID(length); + TYPE_CHARGING_GATEWAY_ADDR -> charging_gateway_addr: ChargingGatewayAddr(length); + TYPE_PRIVATE_EXT -> private_ext: PrivateExt(length); + default -> unknown: bytestring &length=length; + } &requires(length); + +} &let { + is_tlv: bool = (type & 0x80); + length: uint16 = is_tlv ? tlv_len : Get_IE_Len(type); +}; + +type Cause = record { + value: uint8; +}; + +function decode_imsi(v: uint8[8]): uint64 + %{ + uint64 rval = 0; + uint8 digits[16]; + for ( size_t i = 0; i < v->size(); ++i ) + { + digits[2 * i + 1] = ((*v)[i] & 0xf0) >> 4; + digits[2 * i] = (*v)[i] & 0x0f; + } + int power = 0; + for ( int i = 15; i >= 0; --i ) + { + if ( digits[i] == 0x0f ) continue; + rval += digits[i] * pow(10, power); + ++power; + } + return rval; + %} + +type IMSI = record { + tbcd_encoded_value: uint8[8]; +} &let { + value: uint64 = decode_imsi(tbcd_encoded_value); +}; + +type RAI = record { + mcc2_mcc1: uint8; + mnc3_mcc3: uint8; + mnc2_mnc1: uint8; + lac: uint16; + rac: uint8; +} &let { + mcc1: uint8 = (mcc2_mcc1 & 0x0f); + mcc2: uint8 = ((mcc2_mcc1 & 0xf0)>>4); + mcc3: uint8 = (mnc3_mcc3 & 0x0f); + mcc: uint16 = mcc1 * 100 + mcc2 * 10 + mcc3; + mnc1: uint8 = (mnc2_mnc1 & 0x0f); + mnc2: uint8 = ((mnc2_mnc1 & 0xf0)>>4); + mnc3: uint8 = (mnc3_mcc3 & 0xf0)>>4; + mnc: uint16 = (mnc3 & 0x0f) ? mnc1 * 10 + mnc2 : mnc1 * 100 + mnc2 * 10 + mnc3; +}; + +type TLLI = record { + value: uint32; +}; + +type P_TMSI = record { + value: uint32; +}; + +type ReorderReq = record { + value: uint8; +} &let { + req: bool = value & 0x01; +}; + +type AuthN_Triplet = record { + rand: bytestring &length=16; + sres: uint32; + kc: uint64; +}; + +type MAP_Cause = record { + value: uint8; +}; + +type P_TMSI_Sig = record { + value: bytestring &length=3; +}; + +type MS_Valid = record { + value: uint8; +}; + +type Recovery = record { + restart_counter: uint8; +}; + +type SelectionMode = record { + value: uint8; +} &let { + mode: uint8 = value & 0x01; +}; + +type TEID1 = record { + value: uint32; +}; + +type TEID_ControlPlane = record { + value: uint32; +}; + +type TEID2 = record { + spare_nsapi: uint8; + teid2: uint32; +}; + +type TeardownInd = record { + value: uint8; +} &let { + ind: bool = value & 0x01; +}; + +type NSAPI = record { + xxxx_nsapi: uint8; +} &let { + nsapi: uint8 = xxxx_nsapi & 0x0f; +}; + +type RANAP_Cause = record { + value: uint8; +}; + +type RAB_Ctx = record { + spare_nsapi: uint8; + dl_gtpu_seq_num: uint16; + ul_gtpu_seq_num: uint16; + dl_pdcp_seq_num: uint16; + ul_pdcp_seq_num: uint16; +}; + +type RadioPrioritySMS = record { + value: uint8; +}; + +type RadioPriority = record { + nsapi_radio_priority: uint8; +}; + +type PacketFlowID = record { + rsv_nsapi: uint8; + packet_flow_id: uint8; +}; + +type ChargingCharacteristics = record { + value: uint16; +}; + +type TraceReference = record { + value: uint16; +}; + +type TraceType = record { + value: uint16; +}; + +type MS_Not_Reachable_Reason = record { + value: uint8; +}; + +type ChargingID = record { + value: uint32; +}; + +type EndUserAddr(n: uint16) = record { + spare_pdp_type_org: uint8; + pdp_type_num: uint8; + pdp_addr: bytestring &length=(n-2); +} &let { + pdp_type_org: uint8 = spare_pdp_type_org & 0x0f; +}; + +type MM_Ctx(n: uint16) = record { + spare_cksn_ksi: uint8; + security_params: uint8; + + keys: case gsm_keys of { + true -> kc: uint64; + false -> ck_ik: bytestring &length=32; + }; + + vector_len: case have_triplets of { + true -> no_quint_len: empty; + false -> quint_len: uint16; + }; + + vectors: case have_triplets of { + true -> triplets: AuthN_Triplet[num_vectors]; + false -> quintuplets: AuthN_Quintuplet(quint_len)[num_vectors]; + } &requires(num_vectors); + + drx_param: uint16; + ms_net_capability_len: uint8; + ms_net_capability: bytestring &length=ms_net_capability_len; + container_len: uint16; + container: bytestring &length=container_len; + +} &let { + security_mode: uint8 = security_params >> 6; + gsm_keys: bool = security_mode & 0x01; + have_triplets: bool = (security_mode == 1); + num_vectors: uint8 = (security_params & 0x38) >> 3; +}; + +type PDP_Ctx(n: uint16) = record { + rsv_nsapi: uint8; + xxxx_sapi: uint8; + qos_sub_len: uint8; + qos_sub: QoS_Profile(qos_sub_len); + qos_req_len: uint8; + qos_req: QoS_Profile(qos_req_len); + qos_neg_len: uint8; + qos_neg: QoS_Profile(qos_neg_len); + snd: uint16; + snu: uint16; + send_npdu_num: uint8; + recv_npdu_num: uint8; + ul_teid_cp: TEID_ControlPlane; + ul_teid_data1: TEID1; + pdp_ctx_id: uint8; + spare_pdp_type_org: uint8; + pdp_type_num: uint8; + pdp_addr_len: uint8; + pdp_addr: bytestring &length=pdp_addr_len; + ggsn_addr_control_plane_len: uint8; + ggsn_addr_control_plane: bytestring &length=ggsn_addr_control_plane_len; + ggsn_addr_user_traffic_len: uint8; + ggsn_addr_user_traffic: bytestring &length=ggsn_addr_user_traffic_len; + apn_len: uint8; + apn: AP_Name(apn_len); + spare_transaction_id: uint8; + transaction_id: uint8; +}; + +type AP_Name(n: uint16) = record { + value: bytestring &length=n; +}; + +type ProtoConfigOpts(n: uint16) = record { + value: bytestring &length=n; +}; + +type GSN_Addr(n: uint16) = record { + value: bytestring &length=n; +}; + +type MSISDN(n: uint16) = record { + value: bytestring &length=n; +}; + +type QoS_Profile(n: uint16) = record { + alloc_retention_priority: uint8; + data: bytestring &length=n-1; +}; + +type AuthN_Quintuplet(n: uint16) = record { + rand: bytestring &length=16; + xres_len: uint8; + xres: bytestring &length=xres_len; + ck: bytestring &length=16; + ik: bytestring &length=16; + autn_len: uint8; + autn: bytestring &length=autn_len; +}; + +type TrafficFlowTemplate(n: uint16) = record { + value: bytestring &length=n; +}; + +type TargetID(n: uint16) = record { + value: bytestring &length=n; +}; + +type UTRAN_TransparentContainer(n: uint16) = record { + value: bytestring &length=n; +}; + +type RAB_SetupInfo(n: uint16) = record { + xxxx_nsapi: uint8; + + have_teid: case n of { + 1 -> no_teid: empty; + default -> teid: TEID1; + }; + + have_addr: case n of { + 1 -> no_addr: empty; + default -> rnc_addr: bytestring &length=n-5; + }; +}; + +type ExtHdrTypeList(n: uint16) = record { + value: uint8[n]; +}; + +type TriggerID(n: uint16) = record { + value: bytestring &length=n; +}; + +type OMC_ID(n: uint16) = record { + value: bytestring &length=n; +}; + +type ChargingGatewayAddr(n: uint16) = record { + value: bytestring &length=n; +}; + +type PrivateExt(n: uint16) = record { + id: uint16; + value: bytestring &length=n-2; +}; + +function Get_IE_Len(t: uint8): uint16 = + case t of { + TYPE_CAUSE -> 1; + TYPE_IMSI -> 8; + TYPE_RAI -> 6; + TYPE_TLLI -> 4; + TYPE_P_TMSI -> 4; + TYPE_REORDER_REQ -> 1; + TYPE_AUTHN_TRIPLET -> 28; + TYPE_MAP_CAUSE -> 1; + TYPE_P_TMSI_SIG -> 3; + TYPE_MS_VALID -> 1; + TYPE_RECOVERY -> 1; + TYPE_SELECTION_MODE -> 1; + TYPE_TEID1 -> 4; + TYPE_TEID_CONTROL_PLANE -> 4; + TYPE_TEID2 -> 5; + TYPE_TEARDOWN_IND -> 1; + TYPE_NSAPI -> 1; + TYPE_RANAP_CAUSE -> 1; + TYPE_RAB_CTX -> 9; + TYPE_RADIO_PRIORITY_SMS -> 1; + TYPE_RADIO_PRIORITY -> 1; + TYPE_PACKET_FLOW_ID -> 2; + TYPE_CHARGING_CHARACTERISTICS -> 2; + TYPE_TRACE_REFERENCE -> 2; + TYPE_TRACE_TYPE -> 2; + TYPE_MS_NOT_REACHABLE_REASON -> 1; + TYPE_CHARGING_ID -> 4; + }; diff --git a/src/packet_analysis/protocol/gtpv1/gtpv1.pac b/src/packet_analysis/protocol/gtpv1/gtpv1.pac new file mode 100644 index 0000000000..acc3fdeb42 --- /dev/null +++ b/src/packet_analysis/protocol/gtpv1/gtpv1.pac @@ -0,0 +1,18 @@ +%include binpac.pac +%include zeek.pac + +%extern{ +#include "zeek/IP.h" +#include "zeek/TunnelEncapsulation.h" +#include "zeek/Reporter.h" + +#include "zeek/packet_analysis/protocol/gtpv1/events.bif.h" +%} + +analyzer GTPv1 withcontext { + connection: GTPv1_Conn; + flow: GTPv1_Flow; +}; + +%include gtpv1-protocol.pac +%include gtpv1-analyzer.pac diff --git a/src/zeek.pac b/src/zeek.pac index d53a23a4a8..52d0a174f0 100644 --- a/src/zeek.pac +++ b/src/zeek.pac @@ -3,6 +3,7 @@ %} extern type ZeekAnalyzer; +extern type ZeekPacketAnalyzer; extern type ZeekVal; extern type ZeekPortVal; extern type ZeekStringVal; diff --git a/testing/btest/Baseline/core.tunnels.gtp.non_recursive/out b/testing/btest/Baseline/core.tunnels.gtp.non_recursive/out index 6555b3a123..6d38edf0cd 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.non_recursive/out +++ b/testing/btest/Baseline/core.tunnels.gtp.non_recursive/out @@ -1,2 +1,2 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -protocol_violation, [orig_h=74.125.216.149, orig_p=2152/udp, resp_h=10.131.138.69, resp_p=2152/udp], GTP-in-GTP [\x80\xe1Bc.\xe20\xebn\xd9'|\x00\x00\x01\xb6[\xf6\xdc0\xb7d\xe5\xe6\xa76\x91\xfbk\x0e\x02\xc8A\x05\xa8\xe6\xf3Gi\x80...] +protocol_violation, [orig_h=74.125.216.149, orig_p=2152/udp, resp_h=10.131.138.69, resp_p=2152/udp], GTP-in-GTP diff --git a/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log index 733c3255ea..377275b772 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log +++ b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log @@ -7,5 +7,5 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason #types time string addr port addr port enum string string -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 173.86.159.28 2152 213.72.147.186 2152 udp GTPV1 Truncated GTPv1 [0\\xff\\x00\\xac\\x98\\x13\\x01LE\\x00\\x05\\xc8G\\xea@\\x00\\x80\\x06\\xb6\\x83\\x0a\\x83w&\\xd9\\x14\\x9c\\x04\\xd9\\xc2\\x00P\\xddh\\xb4\\x8f41eV...] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 173.86.159.28 2152 213.72.147.186 2152 udp GTPV1 Truncated GTPv1 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 81552f328f..b53f471b1e 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -76,6 +76,9 @@ scripts/base/init-bare.zeek scripts/base/packet-protocols/teredo/__load__.zeek scripts/base/packet-protocols/teredo/main.zeek build/scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek + scripts/base/packet-protocols/gtpv1/__load__.zeek + scripts/base/packet-protocols/gtpv1/main.zeek + build/scripts/base/bif/plugins/Zeek_GTPv1.functions.bif.zeek scripts/base/init-frameworks-and-bifs.zeek scripts/base/frameworks/logging/__load__.zeek scripts/base/frameworks/logging/main.zeek @@ -137,7 +140,6 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek build/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek - build/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek build/scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_HTTP.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek @@ -220,6 +222,7 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek + build/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index f215057ab1..38ef5af526 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -76,6 +76,9 @@ scripts/base/init-bare.zeek scripts/base/packet-protocols/teredo/__load__.zeek scripts/base/packet-protocols/teredo/main.zeek build/scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek + scripts/base/packet-protocols/gtpv1/__load__.zeek + scripts/base/packet-protocols/gtpv1/main.zeek + build/scripts/base/bif/plugins/Zeek_GTPv1.functions.bif.zeek scripts/base/init-frameworks-and-bifs.zeek scripts/base/frameworks/logging/__load__.zeek scripts/base/frameworks/logging/main.zeek @@ -137,7 +140,6 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek build/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek - build/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek build/scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_HTTP.functions.bif.zeek build/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek @@ -220,6 +222,7 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek + build/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index d0f098c5fb..bdb7837b2e 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -14,8 +14,6 @@ 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DTLS, 443/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_FTP, 21/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_FTP, 2811/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_GTPV1, 2123/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_GTPV1, 2152/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_HTTP, 3128/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_HTTP, 631/tcp)) -> @@ -76,8 +74,6 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DTLS, 443/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_FTP, 21/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_FTP, 2811/tcp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_GTPV1, 2123/udp)) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_GTPV1, 2152/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_HTTP, 3128/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_HTTP, 631/tcp)) -> @@ -129,7 +125,6 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DNS, {5353<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DTLS, {443/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -> -0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_HTTP, {80<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_IMAP, {143/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_IRC, {6666<...>/tcp})) -> @@ -577,10 +572,13 @@ 0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2123/udp)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2152/udp)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, {2152<...>/udp})) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp})) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) -> @@ -631,6 +629,8 @@ 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) -> @@ -646,6 +646,7 @@ 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_protocol_detection, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)) -> +0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_protocol_detection, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_protocol_detection, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO)) -> 0.000000 MetaHookPost CallFunction(PacketFilter::build, , ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) -> @@ -677,6 +678,8 @@ 0.000000 MetaHookPost CallFunction(getenv, , (ZEEK_DEFAULT_LISTEN_ADDRESS)) -> 0.000000 MetaHookPost CallFunction(global_ids, , ()) -> 0.000000 MetaHookPost CallFunction(network_time, , ()) -> +0.000000 MetaHookPost CallFunction(port_to_count, , (2123/udp)) -> +0.000000 MetaHookPost CallFunction(port_to_count, , (2152/udp)) -> 0.000000 MetaHookPost CallFunction(port_to_count, , (3544/udp)) -> 0.000000 MetaHookPost CallFunction(port_to_count, , (4789/udp)) -> 0.000000 MetaHookPost CallFunction(port_to_count, , (5072/udp)) -> @@ -720,6 +723,7 @@ 0.000000 MetaHookPost LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek) -> -1 @@ -922,6 +926,7 @@ 0.000000 MetaHookPost LoadFile(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base/packet-protocols, <...>/packet-protocols) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/Zeek_GTPv1.functions.bif, <...>/Zeek_GTPv1.functions.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) -> -1 @@ -963,6 +968,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/geneve, <...>/geneve) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/gre, <...>/gre) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/gtpv1, <...>/gtpv1) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/hash, <...>/hash) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/hash_hrw, <...>/hash_hrw.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/http, <...>/http) -> -1 @@ -1094,6 +1100,7 @@ 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek) -> (-1, ) @@ -1296,6 +1303,7 @@ 0.000000 MetaHookPost LoadFileExtended(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base/packet-protocols, <...>/packet-protocols) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/Zeek_GTPv1.functions.bif, <...>/Zeek_GTPv1.functions.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) -> (-1, ) @@ -1337,6 +1345,7 @@ 0.000000 MetaHookPost LoadFileExtended(0, base<...>/geneve, <...>/geneve) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/gre, <...>/gre) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/gtpv1, <...>/gtpv1) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/hash, <...>/hash) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/hash_hrw, <...>/hash_hrw.zeek) -> (-1, ) 0.000000 MetaHookPost LoadFileExtended(0, base<...>/http, <...>/http) -> (-1, ) @@ -1459,8 +1468,6 @@ 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DTLS, 443/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_FTP, 21/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_FTP, 2811/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_GTPV1, 2123/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_GTPV1, 2152/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_HTTP, 1080/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_HTTP, 3128/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_HTTP, 631/tcp)) @@ -1521,8 +1528,6 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DTLS, 443/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_FTP, 21/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_FTP, 2811/tcp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_GTPV1, 2123/udp)) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_GTPV1, 2152/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_HTTP, 1080/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_HTTP, 3128/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_HTTP, 631/tcp)) @@ -1574,7 +1579,6 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DNS, {5353<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DTLS, {443/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_HTTP, {80<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_IMAP, {143/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_IRC, {6666<...>/tcp})) @@ -2022,10 +2026,13 @@ 0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2123/udp)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2152/udp)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_port, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, {2152<...>/udp})) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp})) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_for_ports, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) @@ -2076,6 +2083,8 @@ 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) @@ -2091,6 +2100,7 @@ 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_protocol_detection, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)) +0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_protocol_detection, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_protocol_detection, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO)) 0.000000 MetaHookPre CallFunction(PacketFilter::build, , ()) 0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) @@ -2122,6 +2132,8 @@ 0.000000 MetaHookPre CallFunction(getenv, , (ZEEK_DEFAULT_LISTEN_ADDRESS)) 0.000000 MetaHookPre CallFunction(global_ids, , ()) 0.000000 MetaHookPre CallFunction(network_time, , ()) +0.000000 MetaHookPre CallFunction(port_to_count, , (2123/udp)) +0.000000 MetaHookPre CallFunction(port_to_count, , (2152/udp)) 0.000000 MetaHookPre CallFunction(port_to_count, , (3544/udp)) 0.000000 MetaHookPre CallFunction(port_to_count, , (4789/udp)) 0.000000 MetaHookPre CallFunction(port_to_count, , (5072/udp)) @@ -2165,6 +2177,7 @@ 0.000000 MetaHookPre LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek) @@ -2367,6 +2380,7 @@ 0.000000 MetaHookPre LoadFile(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek) 0.000000 MetaHookPre LoadFile(0, base/packet-protocols, <...>/packet-protocols) 0.000000 MetaHookPre LoadFile(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) +0.000000 MetaHookPre LoadFile(0, base<...>/Zeek_GTPv1.functions.bif, <...>/Zeek_GTPv1.functions.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) @@ -2408,6 +2422,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/geneve, <...>/geneve) 0.000000 MetaHookPre LoadFile(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/gre, <...>/gre) +0.000000 MetaHookPre LoadFile(0, base<...>/gtpv1, <...>/gtpv1) 0.000000 MetaHookPre LoadFile(0, base<...>/hash, <...>/hash) 0.000000 MetaHookPre LoadFile(0, base<...>/hash_hrw, <...>/hash_hrw.zeek) 0.000000 MetaHookPre LoadFile(0, base<...>/http, <...>/http) @@ -2539,6 +2554,7 @@ 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek) @@ -2741,6 +2757,7 @@ 0.000000 MetaHookPre LoadFileExtended(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base/packet-protocols, <...>/packet-protocols) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/Zeek_GTPv1.functions.bif, <...>/Zeek_GTPv1.functions.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) @@ -2782,6 +2799,7 @@ 0.000000 MetaHookPre LoadFileExtended(0, base<...>/geneve, <...>/geneve) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/gre, <...>/gre) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/gtpv1, <...>/gtpv1) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/hash, <...>/hash) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/hash_hrw, <...>/hash_hrw.zeek) 0.000000 MetaHookPre LoadFileExtended(0, base<...>/http, <...>/http) @@ -2904,8 +2922,6 @@ 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DTLS, 443/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 21/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp) -0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GTPV1, 2123/udp) -0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GTPV1, 2152/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 3128/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 631/tcp) @@ -2966,8 +2982,6 @@ 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DTLS, 443/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 21/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp) -0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GTPV1, 2123/udp) -0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GTPV1, 2152/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 3128/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 631/tcp) @@ -3019,7 +3033,6 @@ 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, {5353<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, {443/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, {2811<...>/tcp}) -0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, {2152<...>/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, {80<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, {143/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, {6666<...>/tcp}) @@ -3466,10 +3479,13 @@ 0.000000 | HookCallFunction Option::set_change_handler(udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100) 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp) 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp) +0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2123/udp) +0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2152/udp) 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp) 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp) 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp}) 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp}) +0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, {2152<...>/udp}) 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp}) 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp}) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP) @@ -3520,6 +3536,8 @@ 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1) +0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA) @@ -3535,6 +3553,7 @@ 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN) 0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA) +0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1) 0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO) 0.000000 | HookCallFunction PacketFilter::build() 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, ) @@ -3566,6 +3585,8 @@ 0.000000 | HookCallFunction getenv(ZEEK_DEFAULT_LISTEN_ADDRESS) 0.000000 | HookCallFunction global_ids() 0.000000 | HookCallFunction network_time() +0.000000 | HookCallFunction port_to_count(2123/udp) +0.000000 | HookCallFunction port_to_count(2152/udp) 0.000000 | HookCallFunction port_to_count(3544/udp) 0.000000 | HookCallFunction port_to_count(4789/udp) 0.000000 | HookCallFunction port_to_count(5072/udp) @@ -3609,6 +3630,7 @@ 0.000000 | HookLoadFile ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek +0.000000 | HookLoadFile ./Zeek_GTPv1.functions.bif.zeek <...>/Zeek_GTPv1.functions.bif.zeek 0.000000 | HookLoadFile ./Zeek_Geneve.events.bif.zeek <...>/Zeek_Geneve.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_Gnutella.events.bif.zeek <...>/Zeek_Gnutella.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_HTTP.events.bif.zeek <...>/Zeek_HTTP.events.bif.zeek @@ -3823,6 +3845,7 @@ 0.000000 | HookLoadFile base/init-frameworks-and-bifs.zeek <...>/init-frameworks-and-bifs.zeek 0.000000 | HookLoadFile base/packet-protocols <...>/packet-protocols 0.000000 | HookLoadFile base<...>/CPP-load.bif <...>/CPP-load.bif.zeek +0.000000 | HookLoadFile base<...>/Zeek_GTPv1.functions.bif <...>/Zeek_GTPv1.functions.bif.zeek 0.000000 | HookLoadFile base<...>/Zeek_KRB.types.bif <...>/Zeek_KRB.types.bif.zeek 0.000000 | HookLoadFile base<...>/Zeek_SNMP.types.bif <...>/Zeek_SNMP.types.bif.zeek 0.000000 | HookLoadFile base<...>/Zeek_Teredo.functions.bif <...>/Zeek_Teredo.functions.bif.zeek @@ -3864,6 +3887,7 @@ 0.000000 | HookLoadFile base<...>/geneve <...>/geneve 0.000000 | HookLoadFile base<...>/geoip-distance <...>/geoip-distance.zeek 0.000000 | HookLoadFile base<...>/gre <...>/gre +0.000000 | HookLoadFile base<...>/gtpv1 <...>/gtpv1 0.000000 | HookLoadFile base<...>/hash <...>/hash 0.000000 | HookLoadFile base<...>/hash_hrw <...>/hash_hrw.zeek 0.000000 | HookLoadFile base<...>/http <...>/http @@ -3983,6 +4007,7 @@ 0.000000 | HookLoadFileExtended ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_GTPv1.functions.bif.zeek <...>/Zeek_GTPv1.functions.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_Geneve.events.bif.zeek <...>/Zeek_Geneve.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_Gnutella.events.bif.zeek <...>/Zeek_Gnutella.events.bif.zeek 0.000000 | HookLoadFileExtended ./Zeek_HTTP.events.bif.zeek <...>/Zeek_HTTP.events.bif.zeek @@ -4197,6 +4222,7 @@ 0.000000 | HookLoadFileExtended base/init-frameworks-and-bifs.zeek <...>/init-frameworks-and-bifs.zeek 0.000000 | HookLoadFileExtended base/packet-protocols <...>/packet-protocols 0.000000 | HookLoadFileExtended base<...>/CPP-load.bif <...>/CPP-load.bif.zeek +0.000000 | HookLoadFileExtended base<...>/Zeek_GTPv1.functions.bif <...>/Zeek_GTPv1.functions.bif.zeek 0.000000 | HookLoadFileExtended base<...>/Zeek_KRB.types.bif <...>/Zeek_KRB.types.bif.zeek 0.000000 | HookLoadFileExtended base<...>/Zeek_SNMP.types.bif <...>/Zeek_SNMP.types.bif.zeek 0.000000 | HookLoadFileExtended base<...>/Zeek_Teredo.functions.bif <...>/Zeek_Teredo.functions.bif.zeek @@ -4238,6 +4264,7 @@ 0.000000 | HookLoadFileExtended base<...>/geneve <...>/geneve 0.000000 | HookLoadFileExtended base<...>/geoip-distance <...>/geoip-distance.zeek 0.000000 | HookLoadFileExtended base<...>/gre <...>/gre +0.000000 | HookLoadFileExtended base<...>/gtpv1 <...>/gtpv1 0.000000 | HookLoadFileExtended base<...>/hash <...>/hash 0.000000 | HookLoadFileExtended base<...>/hash_hrw <...>/hash_hrw.zeek 0.000000 | HookLoadFileExtended base<...>/http <...>/http @@ -4806,6 +4833,7 @@ XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(HTTP::get_file_handle, , ( XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::__write, , (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) -> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::log_stream_policy, , ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=], Conn::LOG)) -> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(Log::write, , (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) -> +XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(PacketAnalyzer::GTPV1::remove_gtpv1_connection, , ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(PacketAnalyzer::TEREDO::remove_teredo_connection, , ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> XXXXXXXXXX.XXXXXX MetaHookPost CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, removal_hooks={HTTP::finalize_http{ HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, ntp=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> @@ -4844,6 +4872,7 @@ XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(HTTP::get_file_handle, , ( XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::__write, , (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::log_stream_policy, , ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=], Conn::LOG)) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(Log::write, , (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) +XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(PacketAnalyzer::GTPV1::remove_gtpv1_connection, , ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(PacketAnalyzer::TEREDO::remove_teredo_connection, , ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) XXXXXXXXXX.XXXXXX MetaHookPre CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, removal_hooks={HTTP::finalize_http{ HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, ntp=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=])) @@ -4883,6 +4912,7 @@ XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.2 XXXXXXXXXX.XXXXXX | HookCallFunction Log::__write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=]) XXXXXXXXXX.XXXXXX | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=], Conn::LOG) XXXXXXXXXX.XXXXXX | HookCallFunction Log::write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=]) +XXXXXXXXXX.XXXXXX | HookCallFunction PacketAnalyzer::GTPV1::remove_gtpv1_connection([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]) XXXXXXXXXX.XXXXXX | HookCallFunction PacketAnalyzer::TEREDO::remove_teredo_connection([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]) XXXXXXXXXX.XXXXXX | HookCallFunction cat(Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) XXXXXXXXXX.XXXXXX | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, removal_hooks={HTTP::finalize_http{ HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, ntp=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]) diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out index 26470a7fdf..1c399929a2 100644 --- a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out +++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out @@ -1,5 +1,5 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -|Analyzer::all_registered_ports()|, 4 +|Analyzer::all_registered_ports()|, 5 signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_client ftp_reply 199.233.217.249:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready. ftp_request 141.142.220.235:50003 - USER anonymous diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out index 40ce076959..d7f9033f64 100644 --- a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out +++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out @@ -1,5 +1,5 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -|Analyzer::all_registered_ports()|, 4 +|Analyzer::all_registered_ports()|, 5 signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_client ftp_reply [2001:470:4867:99::21]:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready. ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - USER anonymous diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out index 123f40020a..67da14aaad 100644 --- a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out +++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out @@ -1,2 +1,2 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -|Analyzer::all_registered_ports()|, 4 +|Analyzer::all_registered_ports()|, 5 diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out index 123f40020a..67da14aaad 100644 --- a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out +++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out @@ -1,2 +1,2 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -|Analyzer::all_registered_ports()|, 4 +|Analyzer::all_registered_ports()|, 5