diff --git a/CHANGES b/CHANGES
index 927587da24..b7280350ca 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,44 @@
+6.0.0-dev.654 | 2023-05-25 20:01:37 +0200
+
+ * Address wire/capture length feedback (Arne Welzel, Corelight)
+
+ * packet_analysis/TCP: Do not use untrusted len for DeliverPacket() (Arne Welzel, Corelight)
+
+ We should not be passing the untrusted TCP header length into
+ DeliverPacket(). Also, DeliverPacket() cap len parameter should
+ be the capture length of the packet, not remaining data.
+
+ * GH-2683: Add regression test using pcap from GH-2683 (Arne Welzel, Corelight)
+
+ * Add btest to test Geneve->VXLAN->Truncated inner packet (Tim Wojtulewicz, Corelight)
+
+ * IP: Update packet->len with accumulated fragment size (Arne Welzel, Corelight)
+
+ With packet->len representing the wire length and other places
+ relying on it, ensure it's updated for fragments as well. This
+ assumes non-truncated fragments right now. Otherwise we'd need
+ to teach the FragmentReassembler to somehow track this independently
+ but it would be a mess.
+
+ * UDP: Forward any remaining data (also empty) to session-analysis (Arne Welzel, Corelight)
+
+ The protocol analyzers are prepared to receive truncated data and
+ this way we give analyzers a chance to look at data. We previously
+ allowed empty data being passed: When len ended up 0 and remaining
+ was 0 too.
+
+ * IPTunnel: Compute inner wire length based on cap_len differences. (Arne Welzel, Corelight)
+
+ * IP: fix weird name to not be ipv6 specific (Tim Wojtulewicz, Corelight)
+
+ * UDP: don't validate checksum if caplen < len (Tim Wojtulewicz, Corelight)
+
+ This may happen with truncated packets and will cause asan builds to bail out
+ before the packet can be forwarded along. The TCP analyzer already has this
+ check, but it's missing for UDP.
+
+ * PIA: Modernize how struct initialization is done (Tim Wojtulewicz, Corelight)
+
 6.0.0-dev.643 | 2023-05-25 09:03:40 -0700
 
 * btest.cfg: Set HILTI_CXX_COMPILER_LAUNCHER based on build/CMakeCache.txt (Arne Welzel, Corelight)
diff --git a/VERSION b/VERSION index 55da7b02ff..ca79bfdce8 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -6.0.0-dev.643 +6.0.0-dev.654 diff --git a/src/analyzer/protocol/pia/PIA.h b/src/analyzer/protocol/pia/PIA.h index 5a9babe55f..08d68b6aef 100644 --- a/src/analyzer/protocol/pia/PIA.h +++ b/src/analyzer/protocol/pia/PIA.h @@ -60,29 +60,22 @@ protected: // sequence numbers for TCP) and chunks of a reassembled stream. struct DataBlock { - IP_Hdr* ip; - const u_char* data; - bool is_orig; - int len; - uint64_t seq; - DataBlock* next; + IP_Hdr* ip = nullptr; + const u_char* data = nullptr; + bool is_orig = false; + size_t len = 0; + size_t cap_len = 0; + uint64_t seq = 0; + DataBlock* next = nullptr; }; struct Buffer { - Buffer() - { - head = tail = nullptr; - size = 0; - chunks = 0; - state = INIT; - } - - DataBlock* head; - DataBlock* tail; - int64_t size; - int64_t chunks; - State state; + DataBlock* head = nullptr; + DataBlock* tail = nullptr; + int64_t size = 0; + int64_t chunks = 0; + State state = INIT; }; void AddToBuffer(Buffer* buffer, uint64_t seq, int len, const u_char* data, bool is_orig, diff --git a/src/packet_analysis/protocol/ip/IP.cc b/src/packet_analysis/protocol/ip/IP.cc index 0fd7537197..1803122c27 100644 --- a/src/packet_analysis/protocol/ip/IP.cc +++ b/src/packet_analysis/protocol/ip/IP.cc @@ -93,7 +93,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( packet->len < total_len + hdr_size ) { - Weird("truncated_IPv6", packet); + Weird("truncated_IP_len", packet); return false; } @@ -205,6 +205,8 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) } packet->cap_len = total_len + hdr_size; + // Assumes reassembled packet has wire length == capture length. + packet->len = packet->cap_len; } } diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc index f1e44b19a4..1bfb69b09d 100644 
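Review bot: `DataBlock::len` becomes `size_t` in this hunk while the `AddToBuffer` declaration at the bottom of it still takes `int len`, so a negative length would convert to a very large unsigned value when stored in the block. Either align the two types or reject `len < 0` before the assignment; the implementation is not part of this diff, so whether such a guard already exists cannot be seen from here. The new `cap_len` member is also not assigned by anything visible in this change and would stay 0 unless the code that fills `DataBlock` sets it. Since the changelog describes this hunk as modernized initialization only, the type change and the added field deserve a comment, e.g. `// cap_len: captured bytes for this block; stays 0 unless the buffering code sets it (TODO confirm)`.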
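Review bot: The added `packet->len = packet->cap_len;` in the second IP.cc hunk relies on every fragment having been captured in full, and that precondition exists only as a comment. If a fragment was truncated by the capture, the reassembled packet would report a wire length smaller than what was on the wire, and any later comparison of header lengths against `packet->len` would use that shortened value. Consider stating the consequence in the comment, e.g. `// A truncated fragment makes len under-report the wire length; the reassembler does not track this.`, or raising a weird where the condition can be detected. Separately, the first hunk renames the weird from `truncated_IPv6` to `truncated_IP_len`, a name that site scripts and detections may match on, so it should be mentioned in the release notes. `AnalyzePacket` starts and ends outside both hunks.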
--- a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc +++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc @@ -172,17 +172,29 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt, ui std::unique_ptr build_inner_packet(Packet* outer_pkt, int* encap_index, std::shared_ptr encap_stack, - uint32_t len, const u_char* data, int link_type, - BifEnum::Tunnel::Type tunnel_type, + uint32_t inner_cap_len, const u_char* data, + int link_type, BifEnum::Tunnel::Type tunnel_type, const Tag& analyzer_tag) { auto inner_pkt = std::make_unique(); + assert(outer_pkt->cap_len >= inner_cap_len); + assert(outer_pkt->len >= outer_pkt->cap_len - inner_cap_len); + + // Compute the wire length of the inner packet based on the wire length of + // the outer and the difference in capture lengths. This ensures that for + // truncated packets the wire length of the inner packet stays intact. Wire + // length may be greater than data available for truncated packets. However, + // analyzers do validate lengths found in headers with the wire length + // of the packet and keeping it consistent avoids violations. + uint32_t consumed_len = outer_pkt->cap_len - inner_cap_len; + uint32_t inner_wire_len = outer_pkt->len - consumed_len; + pkt_timeval ts; ts.tv_sec = static_cast(run_state::current_timestamp); ts.tv_usec = static_cast( (run_state::current_timestamp - static_cast(ts.tv_sec)) * 1000000); - inner_pkt->Init(link_type, &ts, len, len, data); + inner_pkt->Init(link_type, &ts, inner_cap_len, inner_wire_len, data); *encap_index = 0; if ( outer_pkt->session ) diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.h b/src/packet_analysis/protocol/iptunnel/IPTunnel.h index cddd981045..9b1fbe35bc 100644 --- a/src/packet_analysis/protocol/iptunnel/IPTunnel.h +++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.h 
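Review bot: The two `assert()` calls are the only guard on `outer_pkt->cap_len - inner_cap_len`, and `assert` compiles to nothing when NDEBUG is defined, so a release build would let the subtraction wrap and pass a wrapped `inner_wire_len` to `Init()`. In a build with assertions enabled the same input aborts the process instead, which is a poor failure mode for a value derived from captured traffic. A runtime guard that degrades gracefully would cover both cases, e.g. `uint32_t consumed_len = outer_pkt->cap_len >= inner_cap_len ? outer_pkt->cap_len - inner_cap_len : 0;` followed by `uint32_t inner_wire_len = outer_pkt->len >= consumed_len ? outer_pkt->len - consumed_len : inner_cap_len;`. Whether callers already guarantee `inner_cap_len <= outer_pkt->cap_len` is not visible here, and the function body continues past the end of the hunk.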
@@ -83,13 +83,17 @@ protected: * builds a new packet object containing the encapsulated/tunneled packet, as well * as adding to the associated encapsulation stack for the tunnel. * + * The wire length (pkt->len) of the inner packet is computed based on the wire length + * of the outer packet and the differences in capture lengths. + * * @param outer_pkt The packet containing the encapsulation. This packet should contain * @param encap_index A return value for the current index into the encapsulation stack. * This is returned to allow analyzers to know what point in the stack they were operating * on as the packet analysis chain unwinds as it returns. * @param encap_stack Tracks the encapsulations as the new encapsulations are discovered * in the inner packets. - * @param len The byte length of the packet data containing in the inner packet. + * @param inner_cap_len The byte length of the packet data contained in the inner packet. + * Also used as capture length for the inner packet. * @param data A pointer to the first byte of the inner packet. * @param link_type The link type (DLT_*) for the outer packet. If not known, DLT_RAW can * be passed for this value. @@ -99,8 +103,8 @@ protected: */ extern std::unique_ptr build_inner_packet(Packet* outer_pkt, int* encap_index, std::shared_ptr encap_stack, - uint32_t len, const u_char* data, int link_type, - BifEnum::Tunnel::Type tunnel_type, + uint32_t inner_cap_len, const u_char* data, + int link_type, BifEnum::Tunnel::Type tunnel_type, const Tag& analyzer_tag); namespace detail diff --git a/src/packet_analysis/protocol/tcp/TCP.cc b/src/packet_analysis/protocol/tcp/TCP.cc index 6d6dfc4dbb..7df5236048 100644 --- a/src/packet_analysis/protocol/tcp/TCP.cc +++ b/src/packet_analysis/protocol/tcp/TCP.cc 
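Review bot: The updated doc comment explains how the inner wire length is derived but leaves out the precondition the implementation asserts, namely that `inner_cap_len` must not exceed the outer packet's capture length. Add it to the parameter text, e.g. `Must be <= outer_pkt->cap_len.` on the `@param inner_cap_len` entry. The `@param outer_pkt` line in the surrounding context also ends mid-sentence ("This packet should contain") and could be completed while this comment is being touched.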
@@ -130,7 +130,8 @@ void TCPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai // Call DeliverPacket on the adapter directly here. Normally we'd call ForwardPacket // but this adapter does some other things in its DeliverPacket with the packet children // analyzers. - adapter->DeliverPacket(len, data, is_orig, adapter->LastRelDataSeq(), ip.get(), remaining); + adapter->DeliverPacket(remaining, data, is_orig, adapter->LastRelDataSeq(), ip.get(), + pkt->cap_len); } const struct tcphdr* TCPAnalyzer::ExtractTCP_Header(const u_char*& data, int& len, int& remaining, diff --git a/src/packet_analysis/protocol/udp/UDP.cc b/src/packet_analysis/protocol/udp/UDP.cc index 58f12960a3..1200cd2f49 100644 --- a/src/packet_analysis/protocol/udp/UDP.cc +++ b/src/packet_analysis/protocol/udp/UDP.cc @@ -109,7 +109,7 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai auto validate_checksum = ! run_state::current_pkt->l4_checksummed && ! zeek::detail::ignore_checksums && ! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) && - remaining >= len; + remaining >= len && pkt->len <= pkt->cap_len; constexpr auto vxlan_len = 8; constexpr auto eth_len = 14; @@ -225,9 +225,8 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai // detection has to be used. ForwardPacket(std::min(len, remaining), data, pkt, ntohs(c->RespPort())); - // Also try sending it into session analysis. - if ( remaining >= len ) - adapter->ForwardPacket(len, data, is_orig, -1, ip.get(), remaining); + // Forward any data through session-analysis, too. + adapter->ForwardPacket(remaining, data, is_orig, -1, ip.get(), pkt->cap_len); } bool UDPAnalyzer::ValidateChecksum(const IP_Hdr* ip, const udphdr* up, int len) diff --git a/testing/btest/Baseline/core.reassembly/output b/testing/btest/Baseline/core.reassembly/output index 8f50aa51f2..fde583b6a9 100644 --- a/testing/btest/Baseline/core.reassembly/output 
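Review bot: The last argument to `adapter->DeliverPacket()` is now `pkt->cap_len`, which is the capture length of the whole packet and not the number of bytes available at `data`. A child analyzer that treats that parameter as a bound on `data` could read past the captured payload, so the call site should say which value bounds reads, e.g. `// remaining = bytes available at data; pkt->cap_len is packet-wide and must not be used to bound reads of data`. The same applies to the `adapter->ForwardPacket(..., pkt->cap_len)` call added in the second UDP.cc hunk. How the adapter uses the parameter is outside this diff.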
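Review bot: The `validate_checksum` expression in the first UDP.cc hunk now reads two different packet handles, `run_state::current_pkt->l4_checksummed` and `pkt->len <= pkt->cap_len`. If `pkt` can be an inner tunnel packet while `run_state::current_pkt` is the outer one, the checksum-offload flag and the truncation test would refer to different packets; using `pkt` for both would remove the doubt, provided `l4_checksummed` is propagated to inner packets. Skipping validation for truncated packets also means their checksum is never examined, so a comment such as `// Truncated capture: checksum cannot be computed over missing bytes, skip.` would record that this is deliberate. `DeliverPacket` begins and ends outside the hunk.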
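Review bot: With the `remaining >= len` guard removed in the second UDP.cc hunk, session analysis receives `remaining` bytes while the `ForwardPacket` call directly above still passes `std::min(len, remaining)`. When `remaining` is larger than `len`, the adapter would now see bytes beyond what `len` describes, which looks unintended. Using `adapter->ForwardPacket(std::min(len, remaining), data, is_orig, -1, ip.get(), pkt->cap_len);` would keep both paths consistent while still forwarding truncated and empty payloads. How `len` and `remaining` are derived is above the hunk, so confirm that `remaining > len` is actually reachable.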
+++ b/testing/btest/Baseline/core.reassembly/output 
@@ -19,14 +19,14 @@ flow weird, excessively_small_fragment, 128.32.46.142, 10.0.0.1 flow weird, excessively_small_fragment, 128.32.46.142, 10.0.0.1 flow weird, fragment_inconsistency, 128.32.46.142, 10.0.0.1 ---------------------- -net_weird, truncated_IPv6 -net_weird, truncated_IPv6 -net_weird, truncated_IPv6 -net_weird, truncated_IPv6 +net_weird, truncated_IP_len +net_weird, truncated_IP_len +net_weird, truncated_IP_len +net_weird, truncated_IP_len rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfOOOOOOOOOOOOOOOOOOOOOOOOOOOO, 
nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfqkrodjdmrqfpiodgphidfliidlhd, A rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], dgphrodofqhq, orgmmpelofil, A rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], lenhfdqhqfgs, dfpqssidkpdg, A rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], 
nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfOOOOOOOOOOOOOOOOOOOOOOOOOOOO, 
nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfqkrodjdmrqfpiodgphidfliislrr, A rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], iokgedlsdkjkiefgmeqkfjoh, ggdeolssksemrhedoledddml, A -net_weird, truncated_IPv6 +net_weird, truncated_IP_len rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO HTTP/1.1\x0d\x0aHost: 127.0.0.1\x0d\x0aContent-Type: text/xml\x0d\x0aContent-length: 1\x0d\x0a\x0d\x0aO\x0d\x0a= 0.63. 
+#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 47101 127.0.0.1 6081 udp geneve 1.025005 25684 0 S0 T T 0 D 24 26356 0 0 - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.0.107 45474 145.40.68.75 443 tcp ssl 1.024744 781 23111 SF T F 0 ShADadFf 15 1569 9 23587 CHhAvVGS1DHFjwGM9 +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.tunnels.geneve-47101/tunnel.log b/testing/btest/Baseline/core.tunnels.geneve-47101/tunnel.log new file mode 100644 index 0000000000..06848a4135 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.geneve-47101/tunnel.log @@ -0,0 +1,12 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 47101 127.0.0.1 6081 Tunnel::GENEVE Tunnel::DISCOVER +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 47101 127.0.0.1 6081 Tunnel::GENEVE Tunnel::CLOSE +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/conn.log b/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/conn.log new file mode 100644 index 0000000000..da327070c6 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/conn.log 
@@ -0,0 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.16.11.201 36872 1.1.1.1 53 udp dns 2.000009 54 74 SF T F 0 Dd 1 82 1 102 ClEkJM2Vm5giqnMf4h +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 11803 127.0.0.1 6081 udp geneve 2.000009 300 0 S0 T T 0 D 2 356 0 0 - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 26383 127.0.0.1 4789 udp vxlan 2.000009 228 0 S0 T T 0 D 2 284 0 0 CHhAvVGS1DHFjwGM9 +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/tunnel.log b/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/tunnel.log new file mode 100644 index 0000000000..58cb917657 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/tunnel.log 
@@ -0,0 +1,14 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 11803 127.0.0.1 6081 Tunnel::GENEVE Tunnel::DISCOVER +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 26383 127.0.0.1 4789 Tunnel::VXLAN Tunnel::DISCOVER +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 11803 127.0.0.1 6081 Tunnel::GENEVE Tunnel::CLOSE +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 26383 127.0.0.1 4789 Tunnel::VXLAN Tunnel::CLOSE +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Traces/tunnels/geneve-47101.pcap b/testing/btest/Traces/tunnels/geneve-47101.pcap new file mode 100644 index 0000000000..0bf57934b0 Binary files /dev/null and b/testing/btest/Traces/tunnels/geneve-47101.pcap differ diff --git a/testing/btest/Traces/tunnels/geneve-vxlan-dns-truncated.pcap b/testing/btest/Traces/tunnels/geneve-vxlan-dns-truncated.pcap new file mode 100644 index 0000000000..237704a8af Binary files /dev/null and b/testing/btest/Traces/tunnels/geneve-vxlan-dns-truncated.pcap differ diff --git a/testing/btest/core/tunnels/geneve-47101.zeek b/testing/btest/core/tunnels/geneve-47101.zeek new file mode 100644 index 0000000000..afc33d02ca --- /dev/null +++ b/testing/btest/core/tunnels/geneve-47101.zeek @@ -0,0 +1,8 @@ +# @TEST-DOC: Tests a pcap containing a packet of size 14196 bytes with GENEVE encapsulation. Regression test for #2683. +# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/geneve-47101.pcap %INPUT +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff tunnel.log + +@load base/frameworks/tunnels +@load base/protocols/conn +@load base/protocols/ssl 
diff --git a/testing/btest/core/tunnels/geneve-vxlan-truncated.zeek b/testing/btest/core/tunnels/geneve-vxlan-truncated.zeek new file mode 100644 index 0000000000..ff1e2b3ae1 --- /dev/null +++ b/testing/btest/core/tunnels/geneve-vxlan-truncated.zeek @@ -0,0 +1,8 @@ +# @TEST-DOC: Tests truncated packets tunneled via VXLAN inside GENEVE +# @TEST-EXEC: zeek -b -r $TRACES/tunnels/geneve-vxlan-dns-truncated.pcap %INPUT +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff tunnel.log + +@load base/frameworks/tunnels +@load base/protocols/conn +@load base/protocols/dns diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private index 3a600fa811..c5dd200880 100644 --- a/testing/external/commit-hash.zeek-testing-private +++ b/testing/external/commit-hash.zeek-testing-private @@ -1 +1 @@ -4d5c6de8c1d36b8fcbacab7da45fee79a433844e +b121bfe4d869f1f5e334505b970cd456558ef6a1