Simplify MPLS analysis.

2025-10-02 14:48:21 +00:00 · 2020-09-01 13:22:05 +02:00 · 2020-09-01 13:22:05 +02:00 · 3f3f00030d
commit 3f3f00030d
parent 38337d799b
7 changed files with 27 additions and 35 deletions
--- a/scripts/base/packet-protocols/load.zeek
+++ b/scripts/base/packet-protocols/load.zeek
@ -10,3 +10,4 @@
@load base/packet-protocols/ppp_serial
@load base/packet-protocols/pppoe
@load base/packet-protocols/vlan
@load base/packet-protocols/mpls
--- a/scripts/base/packet-protocols/mpls/load.zeek
+++ b/scripts/base/packet-protocols/mpls/load.zeek
@ -0,0 +1 @@
@load ./main
--- a/scripts/base/packet-protocols/mpls/main.zeek
+++ b/scripts/base/packet-protocols/mpls/main.zeek
@ -0,0 +1,5 @@
 module PacketAnalyzer::MPLS;
 redef PacketAnalyzer::config_map += {
   PacketAnalyzer::ConfigEntry($parent=PacketAnalyzer::ANALYZER_MPLS, $analyzer=PacketAnalyzer::ANALYZER_IP)
 };
--- a/src/packet_analysis/protocol/mpls/MPLS.cc
+++ b/src/packet_analysis/protocol/mpls/MPLS.cc
@ -28,28 +28,6 @@ bool MPLSAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet
 		}
 	// According to RFC3032 the encapsulated protocol is not encoded.
-	// We assume that what remains is IP.
+	// We use the configured default analyzer.
-	//TODO: Make that configurable
+	return ForwardPacket(len, data, packet);
 	if ( sizeof(struct ip) >= len )
 		{
 		packet->Weird("no_ip_in_mpls_payload");
 		return false;
 		}
 	auto ip = (const struct ip*)data;
 	if ( ip->ip_v == 4 )
 		packet->l3_proto = L3_IPV4;
 	else if ( ip->ip_v == 6 )
 		packet->l3_proto = L3_IPV6;
 	else
 		{
 		// Neither IPv4 nor IPv6.
 		packet->Weird("no_ip_in_mpls_payload");
 		return false;
 		}
 	packet->hdr_size = (data - packet->data);
 	packet->session_analysis = true;
 	return true;
 	}
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2020-08-28-15-37-31
+#open	2020-09-01-11-19-11
 #fields	name
 #types	string
 scripts/base/init-bare.zeek
@ -44,6 +44,8 @@ scripts/base/init-bare.zeek
      scripts/base/packet-protocols/pppoe/main.zeek
    scripts/base/packet-protocols/vlan/__load__.zeek
      scripts/base/packet-protocols/vlan/main.zeek
    scripts/base/packet-protocols/mpls/__load__.zeek
      scripts/base/packet-protocols/mpls/main.zeek
 scripts/base/init-frameworks-and-bifs.zeek
  scripts/base/frameworks/logging/__load__.zeek
    scripts/base/frameworks/logging/main.zeek
@ -212,4 +214,4 @@ scripts/base/init-frameworks-and-bifs.zeek
    build/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek
 scripts/policy/misc/loaded-scripts.zeek
  scripts/base/utils/paths.zeek
-#close	2020-08-28-15-37-31
+#close	2020-09-01-11-19-11
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2020-09-22-17-07-43
+#open	2020-09-22-17-11-19
 #fields	name
 #types	string
 scripts/base/init-bare.zeek
@ -44,6 +44,8 @@ scripts/base/init-bare.zeek
      scripts/base/packet-protocols/pppoe/main.zeek
    scripts/base/packet-protocols/vlan/__load__.zeek
      scripts/base/packet-protocols/vlan/main.zeek
    scripts/base/packet-protocols/mpls/__load__.zeek
      scripts/base/packet-protocols/mpls/main.zeek
 scripts/base/init-frameworks-and-bifs.zeek
  scripts/base/frameworks/logging/__load__.zeek
    scripts/base/frameworks/logging/main.zeek
@ -408,4 +410,4 @@ scripts/base/init-default.zeek
  scripts/base/misc/find-filtered-trace.zeek
  scripts/base/misc/version.zeek
 scripts/policy/misc/loaded-scripts.zeek
-#close	2020-09-22-17-07-43
+#close	2020-09-22-17-11-19
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@ -283,7 +283,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Broker::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Config::LOG)) -> <no result>
@ -464,7 +464,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@ -866,6 +866,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/main.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/messaging.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/modbus) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/mpls) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/mqtt) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/mysql) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/netcontrol) -> -1
@ -1226,7 +1227,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Broker::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Config::LOG))
@ -1407,7 +1408,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@ -1809,6 +1810,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/main.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/messaging.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/modbus)
 0.000000   MetaHookPre   LoadFile(0, base<...>/mpls)
 0.000000   MetaHookPre   LoadFile(0, base<...>/mqtt)
 0.000000   MetaHookPre   LoadFile(0, base<...>/mysql)
 0.000000   MetaHookPre   LoadFile(0, base<...>/netcontrol)
@ -2168,7 +2170,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@ -2349,7 +2351,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@ -2763,6 +2765,7 @@
 0.000000 | HookLoadFile  base<...>/main.zeek
 0.000000 | HookLoadFile  base<...>/messaging.bif.zeek
 0.000000 | HookLoadFile  base<...>/modbus
 0.000000 | HookLoadFile  base<...>/mpls
 0.000000 | HookLoadFile  base<...>/mqtt
 0.000000 | HookLoadFile  base<...>/mysql
 0.000000 | HookLoadFile  base<...>/netcontrol
@ -2822,7 +2825,7 @@
 0.000000 | HookLoadFile  base<...>/xmpp
 0.000000 | HookLoadFile  base<...>/zeek.bif.zeek
 0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite  packet_filter [ts=1600794430.221915, node=zeek, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite  packet_filter [ts=1600794672.656797, node=zeek, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent filter_change_tracking()
 0.000000 | HookQueueEvent zeek_init()