Merge remote-tracking branch 'origin/topic/timw/2914-truncated-tunnel-plus-things'

* origin/topic/timw/2914-truncated-tunnel-plus-things:
  Address wire/capture length feedback
  packet_analysis/TCP: Do not use untrusted len for DeliverPacket()
  Add regression test using pcap from GH-2683
  Add btest to test Geneve->VXLAN->Truncated inner packet
  IP: Update packet->len with accumulated fragment size
  UDP: Forward any remaining data (also empty) to session-analysis
  IPTunnel: Compute inner wire length based on cap_len differences.
  IP: fix weird name to not be ipv6 specific
  UDP: don't validate checksum if caplen < len
  PIA: Modernize how struct initialization is done
Arne Welzel 2023-05-25 20:01:37 +02:00
commit 3f3df93ac1
19 changed files with 158 additions and 39 deletions

41
CHANGES

@ -1,3 +1,44 @@
6.0.0-dev.654 | 2023-05-25 20:01:37 +0200
* Address wire/capture length feedback (Arne Welzel, Corelight)
* packet_analysis/TCP: Do not use untrusted len for DeliverPacket() (Arne Welzel, Corelight)
We should not be passing the untrusted TCP header length into
DeliverPacket(). Also, DeliverPacket() cap len parameter should
be the capture length of the packet, not remaining data.
* GH-2683: Add regression test using pcap from GH-2683 (Arne Welzel, Corelight)
* Add btest to test Geneve->VXLAN->Truncated inner packet (Tim Wojtulewicz, Corelight)
* IP: Update packet->len with accumulated fragment size (Arne Welzel, Corelight)
With packet->len representing the wire length and other places
relying on it, ensure it's updated for fragments as well. This
assumes non-truncated fragments right now. Otherwise we'd need
to teach the FragmentReassembler to somehow track this independently
but it would be a mess.
* UDP: Forward any remaining data (also empty) to session-analysis (Arne Welzel, Corelight)
The protocol analyzers are prepared to receive truncated data and
this way we give analyzers a chance to look at data. We previously
allowed empty data being passed: When len ended up 0 and remaining
was 0 too.
* IPTunnel: Compute inner wire length based on cap_len differences. (Arne Welzel, Corelight)
* IP: fix weird name to not be ipv6 specific (Tim Wojtulewicz, Corelight)
* UDP: don't validate checksum if caplen < len (Tim Wojtulewicz, Corelight)
This may happen with truncated packets and will cause asan builds to bail out
before the packet can be forwarded along. The TCP analyzer already has this
check, but it's missing for UDP.
* PIA: Modernize how struct initialization is done (Tim Wojtulewicz, Corelight)
6.0.0-dev.643 | 2023-05-25 09:03:40 -0700
* btest.cfg: Set HILTI_CXX_COMPILER_LAUNCHER based on build/CMakeCache.txt (Arne Welzel, Corelight)


@ -1 +1 @@
6.0.0-dev.643
6.0.0-dev.654


@ -60,29 +60,22 @@ protected:
// sequence numbers for TCP) and chunks of a reassembled stream.
struct DataBlock
{
IP_Hdr* ip;
const u_char* data;
bool is_orig;
int len;
uint64_t seq;
DataBlock* next;
IP_Hdr* ip = nullptr;
const u_char* data = nullptr;
bool is_orig = false;
size_t len = 0;
size_t cap_len = 0;
uint64_t seq = 0;
DataBlock* next = nullptr;
};
struct Buffer
{
Buffer()
{
head = tail = nullptr;
size = 0;
chunks = 0;
state = INIT;
}
DataBlock* head;
DataBlock* tail;
int64_t size;
int64_t chunks;
State state;
DataBlock* head = nullptr;
DataBlock* tail = nullptr;
int64_t size = 0;
int64_t chunks = 0;
State state = INIT;
};
void AddToBuffer(Buffer* buffer, uint64_t seq, int len, const u_char* data, bool is_orig,
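Review bot: `DataBlock::len` becomes `size_t` here, but the `AddToBuffer` declaration on the last line of the hunk still takes `int len`, so a negative argument would turn into a very large unsigned length once it is stored in the block. The hunk does not show whether any caller can pass a negative value. Either align the parameter type with the member, or reject the value before it is stored, e.g. `if ( len < 0 ) return;` at the top of `AddToBuffer`. The declaration of `AddToBuffer` continues past the end of the hunk and its body is not on this page.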


@ -93,7 +93,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( packet->len < total_len + hdr_size )
{
Weird("truncated_IPv6", packet);
Weird("truncated_IP_len", packet);
return false;
}
@ -205,6 +205,8 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
}
packet->cap_len = total_len + hdr_size;
// Assumes reassembled packet has wire length == capture length.
packet->len = packet->cap_len;
}
}
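Review bot: Renaming the weird from `truncated_IPv6` to `truncated_IP_len` in the first hunk changes a name that site policy scripts, notice filters and log-based detections may match on, and those rules would stop matching without any error. No NEWS or upgrade-note change is visible on this page, so an entry naming both the old and the new weird would let operators update their rules. Both hunks sit inside `IPAnalyzer::AnalyzePacket`, whose body extends beyond them.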


@ -172,17 +172,29 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt, ui
std::unique_ptr<Packet> build_inner_packet(Packet* outer_pkt, int* encap_index,
std::shared_ptr<EncapsulationStack> encap_stack,
uint32_t len, const u_char* data, int link_type,
BifEnum::Tunnel::Type tunnel_type,
uint32_t inner_cap_len, const u_char* data,
int link_type, BifEnum::Tunnel::Type tunnel_type,
const Tag& analyzer_tag)
{
auto inner_pkt = std::make_unique<Packet>();
assert(outer_pkt->cap_len >= inner_cap_len);
assert(outer_pkt->len >= outer_pkt->cap_len - inner_cap_len);
// Compute the wire length of the inner packet based on the wire length of
// the outer and the difference in capture lengths. This ensures that for
// truncated packets the wire length of the inner packet stays intact. Wire
// length may be greater than data available for truncated packets. However,
// analyzers do validate lengths found in headers with the wire length
// of the packet and keeping it consistent avoids violations.
uint32_t consumed_len = outer_pkt->cap_len - inner_cap_len;
uint32_t inner_wire_len = outer_pkt->len - consumed_len;
pkt_timeval ts;
ts.tv_sec = static_cast<time_t>(run_state::current_timestamp);
ts.tv_usec = static_cast<suseconds_t>(
(run_state::current_timestamp - static_cast<double>(ts.tv_sec)) * 1000000);
inner_pkt->Init(link_type, &ts, len, len, data);
inner_pkt->Init(link_type, &ts, inner_cap_len, inner_wire_len, data);
*encap_index = 0;
if ( outer_pkt->session )
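Review bot: The two `assert`s in `build_inner_packet` are the only guard on the unsigned subtractions that follow, and `assert` compiles to nothing when NDEBUG is defined. In such a build a violated bound makes `consumed_len` or `inner_wire_len` wrap to a huge value that is then handed to `inner_pkt->Init` as the wire length. `inner_cap_len` is supplied by the tunnel analyzers, presumably derived from packet contents, so a runtime check is safer, e.g. `if ( inner_cap_len > outer_pkt->cap_len || outer_pkt->len < outer_pkt->cap_len - inner_cap_len ) return nullptr;`, provided callers handle a null result (not visible here). The second assert also evaluates `outer_pkt->cap_len - inner_cap_len` itself, so it is only meaningful when the first one holds. The function body continues past the end of the hunk.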


@ -83,13 +83,17 @@ protected:
* builds a new packet object containing the encapsulated/tunneled packet, as well
* as adding to the associated encapsulation stack for the tunnel.
*
* The wire length (pkt->len) of the inner packet is computed based on the wire length
* of the outer packet and the differences in capture lengths.
*
* @param outer_pkt The packet containing the encapsulation. This packet should contain
* @param encap_index A return value for the current index into the encapsulation stack.
* This is returned to allow analyzers to know what point in the stack they were operating
* on as the packet analysis chain unwinds as it returns.
* @param encap_stack Tracks the encapsulations as the new encapsulations are discovered
* in the inner packets.
* @param len The byte length of the packet data containing in the inner packet.
* @param inner_cap_len The byte length of the packet data contained in the inner packet.
* Also used as capture length for the inner packet.
* @param data A pointer to the first byte of the inner packet.
* @param link_type The link type (DLT_*) for the outer packet. If not known, DLT_RAW can
* be passed for this value.
@ -99,8 +103,8 @@ protected:
*/
extern std::unique_ptr<Packet> build_inner_packet(Packet* outer_pkt, int* encap_index,
std::shared_ptr<EncapsulationStack> encap_stack,
uint32_t len, const u_char* data, int link_type,
BifEnum::Tunnel::Type tunnel_type,
uint32_t inner_cap_len, const u_char* data,
int link_type, BifEnum::Tunnel::Type tunnel_type,
const Tag& analyzer_tag);
namespace detail
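Review bot: The new `@param inner_cap_len` text does not state the bound that the implementation in this commit asserts, namely that the value must not exceed `outer_pkt->cap_len`. Adding a sentence such as `Must not be larger than outer_pkt->cap_len.` to that parameter makes the precondition visible to analyzer authors who call `build_inner_packet` with lengths taken from tunnel headers. The doc comment begins above the first hunk.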


@ -130,7 +130,8 @@ void TCPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
// Call DeliverPacket on the adapter directly here. Normally we'd call ForwardPacket
// but this adapter does some other things in its DeliverPacket with the packet children
// analyzers.
adapter->DeliverPacket(len, data, is_orig, adapter->LastRelDataSeq(), ip.get(), remaining);
adapter->DeliverPacket(remaining, data, is_orig, adapter->LastRelDataSeq(), ip.get(),
pkt->cap_len);
}
const struct tcphdr* TCPAnalyzer::ExtractTCP_Header(const u_char*& data, int& len, int& remaining,
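Review bot: `remaining` is now passed as the delivered length with no upper bound from the header-derived `len`, so any captured bytes beyond the TCP payload (link-layer padding, for example) would reach the adapter as stream data. Whether `remaining` can exceed `len` at this point is not visible in the hunk. Bounding the value still never exceeds the captured data and keeps trailing bytes out of the stream: `adapter->DeliverPacket(std::min(len, remaining), data, is_orig, adapter->LastRelDataSeq(), ip.get(), pkt->cap_len);`. The second UDP hunk in this commit has the same shape, with `adapter->ForwardPacket(remaining, ...)` sitting directly below a `ForwardPacket(std::min(len, remaining), ...)` call. `DeliverPacket`'s body begins outside the hunk.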


@ -109,7 +109,7 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
auto validate_checksum = ! run_state::current_pkt->l4_checksummed &&
! zeek::detail::ignore_checksums &&
! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) &&
remaining >= len;
remaining >= len && pkt->len <= pkt->cap_len;
constexpr auto vxlan_len = 8;
constexpr auto eth_len = 14;
@ -225,9 +225,8 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
// detection has to be used.
ForwardPacket(std::min(len, remaining), data, pkt, ntohs(c->RespPort()));
// Also try sending it into session analysis.
if ( remaining >= len )
adapter->ForwardPacket(len, data, is_orig, -1, ip.get(), remaining);
// Forward any data through session-analysis, too.
adapter->ForwardPacket(remaining, data, is_orig, -1, ip.get(), pkt->cap_len);
}
bool UDPAnalyzer::ValidateChecksum(const IP_Hdr* ip, const udphdr* up, int len)
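Review bot: The added `pkt->len <= pkt->cap_len` term in the first hunk turns off checksum validation for every truncated packet, and nothing at the expression says why. A comment above `validate_checksum` such as `// Skip validation for truncated captures: the checksum covers bytes that were not captured.` would record the reason given in the commit description next to the code. It would also help to say there that such packets are still forwarded to the analyzers unvalidated, since that follows from the second hunk. `DeliverPacket`'s body begins outside both hunks.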


@ -19,14 +19,14 @@ flow weird, excessively_small_fragment, 128.32.46.142, 10.0.0.1
flow weird, excessively_small_fragment, 128.32.46.142, 10.0.0.1
flow weird, fragment_inconsistency, 128.32.46.142, 10.0.0.1
----------------------
net_weird, truncated_IPv6
net_weird, truncated_IPv6
net_weird, truncated_IPv6
net_weird, truncated_IPv6
net_weird, truncated_IP_len
net_weird, truncated_IP_len
net_weird, truncated_IP_len
net_weird, truncated_IP_len
rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfOOOOOOOOOOOOOOOOOOOOOOOOOOOO, 
nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfqkrodjdmrqfpiodgphidfliidlhd, A
rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], dgphrodofqhq, orgmmpelofil, A
rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], lenhfdqhqfgs, dfpqssidkpdg, A
rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfOOOOOOOOOOOOOOOOOOOOOOOOOOOO, 
nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfqkrodjdmrqfpiodgphidfliislrr, A
rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], iokgedlsdkjkiefgmeqkfjoh, ggdeolssksemrhedoledddml, A
net_weird, truncated_IPv6
net_weird, truncated_IP_len
rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO HTTP/1.1\x0d\x0aHost: 127.0.0.1\x0d\x0aContent-Type: text/xml\x0d\x0aContent-length: 1\x0d\x0a\x0d\x0aO<?xml version="1.0"?>\x0d\x0a<g:searchrequest xmlns:g=, OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO HTTP/1.1\x0d\x0aHost: 127.0.0.1\x0d\x0aContent-Type: text/xml\x0d\x0aContent-length: 1\x0d\x0a\x0d\x0aO<?xml version="1.0"?igplqgeqsonkllfshdjplhjspmde, AP


@ -27,7 +27,7 @@ XXXXXXXXXX.XXXXXX - - - - - truncated_IP - F zeek IP
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
#types time string addr port addr port string string bool string string
XXXXXXXXXX.XXXXXX - - - - - truncated_IPv6 - F zeek IP
XXXXXXXXXX.XXXXXX - - - - - truncated_IP_len - F zeek IP
#close XXXX-XX-XX-XX-XX-XX
#separator \x09
#set_separator ,


@ -0,0 +1,12 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 47101 127.0.0.1 6081 udp geneve 1.025005 25684 0 S0 T T 0 D 24 26356 0 0 -
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.0.107 45474 145.40.68.75 443 tcp ssl 1.024744 781 23111 SF T F 0 ShADadFf 15 1569 9 23587 CHhAvVGS1DHFjwGM9
#close XXXX-XX-XX-XX-XX-XX


@ -0,0 +1,12 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path tunnel
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
#types time string addr port addr port enum enum
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 47101 127.0.0.1 6081 Tunnel::GENEVE Tunnel::DISCOVER
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 47101 127.0.0.1 6081 Tunnel::GENEVE Tunnel::CLOSE
#close XXXX-XX-XX-XX-XX-XX


@ -0,0 +1,13 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.16.11.201 36872 1.1.1.1 53 udp dns 2.000009 54 74 SF T F 0 Dd 1 82 1 102 ClEkJM2Vm5giqnMf4h
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 11803 127.0.0.1 6081 udp geneve 2.000009 300 0 S0 T T 0 D 2 356 0 0 -
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 26383 127.0.0.1 4789 udp vxlan 2.000009 228 0 S0 T T 0 D 2 284 0 0 CHhAvVGS1DHFjwGM9
#close XXXX-XX-XX-XX-XX-XX


@ -0,0 +1,14 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path tunnel
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
#types time string addr port addr port enum enum
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 11803 127.0.0.1 6081 Tunnel::GENEVE Tunnel::DISCOVER
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 26383 127.0.0.1 4789 Tunnel::VXLAN Tunnel::DISCOVER
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 11803 127.0.0.1 6081 Tunnel::GENEVE Tunnel::CLOSE
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 26383 127.0.0.1 4789 Tunnel::VXLAN Tunnel::CLOSE
#close XXXX-XX-XX-XX-XX-XX

Binary file not shown.


@ -0,0 +1,8 @@
# @TEST-DOC: Tests a pcap containing a packet of size 14196 bytes with GENEVE encapsulation. Regression test for #2683.
# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/geneve-47101.pcap %INPUT
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff tunnel.log
@load base/frameworks/tunnels
@load base/protocols/conn
@load base/protocols/ssl


@ -0,0 +1,8 @@
# @TEST-DOC: Tests truncated packets tunneled via VXLAN inside GENEVE
# @TEST-EXEC: zeek -b -r $TRACES/tunnels/geneve-vxlan-dns-truncated.pcap %INPUT
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff tunnel.log
@load base/frameworks/tunnels
@load base/protocols/conn
@load base/protocols/dns


@ -1 +1 @@
4d5c6de8c1d36b8fcbacab7da45fee79a433844e
b121bfe4d869f1f5e334505b970cd456558ef6a1