From 42be2444a7a5ca3350fffe7eb3b227f7337b6c12 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Fri, 26 Aug 2022 10:40:46 +0200 Subject: [PATCH] gtpv1: Do not register for protocol detection While reviewing/understanding the analyzer setup, it didn't seem like GTPv1 implements packet_analysis::Analyzer::DetectProtocol(), so should not register it for protocol_detection either. Alternatively, maybe DetectProtocol() should've been implemented in which case maybe this should be an issue? --- scripts/base/packet-protocols/gtpv1/main.zeek | 1 - testing/btest/Baseline/plugins.hooks/output | 3 --- 2 files changed, 4 deletions(-) diff --git a/scripts/base/packet-protocols/gtpv1/main.zeek b/scripts/base/packet-protocols/gtpv1/main.zeek index 052efa5f58..0ad181f0f7 100644 --- a/scripts/base/packet-protocols/gtpv1/main.zeek +++ b/scripts/base/packet-protocols/gtpv1/main.zeek @@ -18,7 +18,6 @@ redef likely_server_ports += { gtpv1_ports }; event zeek_init() &priority=20 { - PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1); PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, gtpv1_ports); } diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 38b9de87c7..d27f61492f 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -664,7 +664,6 @@ 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_protocol_detection, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)) -> -0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_protocol_detection, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1)) -> 0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_protocol_detection, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO)) -> 0.000000 MetaHookPost CallFunction(PacketFilter::build, , ()) -> 0.000000 MetaHookPost CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) -> @@ -2178,7 +2177,6 @@ 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_protocol_detection, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)) -0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_protocol_detection, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1)) 0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_protocol_detection, , (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO)) 0.000000 MetaHookPre CallFunction(PacketFilter::build, , ()) 0.000000 MetaHookPre CallFunction(PacketFilter::combine_filters, , (ip or not ip, and, )) @@ -3691,7 +3689,6 @@ 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN) 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN) 0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA) -0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1) 0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO) 0.000000 | HookCallFunction PacketFilter::build() 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )