From e5a434c392be62f0861f1e73ab89c0edf38449e5 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Wed, 2 Jul 2025 17:14:18 +0100
Subject: [PATCH 1/2] PPPoE: add session id logging
This adds a new PacketAnalyzer::PPPoE::session_id bif, which extracts the PPPoE session ID from the current packet. Furthermore, a new policy script is added which adds the pppoe session id to the connection log. Related to GH-4602
---
 .../conn/pppoe-session-id-logging.zeek | 27 +++++++++++++++++++
 scripts/test-all-policy.zeek | 1 +
 .../protocol/pppoe/CMakeLists.txt | 5 ++--
 .../protocol/pppoe/functions.bif | 22 +++++++++++++++
 src/script_opt/FuncInfo.cc | 1 +
 .../canonified_loaded_scripts.log | 1 +
 .../canonified_loaded_scripts.log | 1 +
 testing/btest/Baseline/plugins.hooks/output | 6 +++++
 .../conn.log.cut | 3 +++
 .../conn/pppoe-session-id-logging.zeek | 7 +++++
 10 files changed, 72 insertions(+), 2 deletions(-)
 create mode 100644 scripts/policy/protocols/conn/pppoe-session-id-logging.zeek
 create mode 100644 src/packet_analysis/protocol/pppoe/functions.bif
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.conn.pppoe-session-id-logging/conn.log.cut
 create mode 100644 testing/btest/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek
diff --git a/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek b/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek
new file mode 100644
index 0000000000..1adbb0ae37
--- /dev/null
+++ b/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek
@@ -0,0 +1,27 @@
+##! This script adds PPPoE session ID information to the connection log.
+
+@load base/protocols/conn
+
+module Conn;
+
+redef record Info += {
+ ## The PPPoE session id, if applicable for this connection.
+ pppoe_session_id: count &log &optional;
+};
+
+# Add the PPPoE session ID to the Conn::Info structure. We have to do this right
+# at the beginning, while we are handling a packet.
+event new_connection(c: connection)
+ {
+ local session_id = PacketAnalyzer::PPPoE::session_id();
+
+ # no session ID
+ if ( session_id == 0xFFFFFFFF )
+ return;
+
+ # FIXME: remove when GH-4688 is merged
+ set_conn(c, F);
+
+ c$conn$pppoe_session_id = session_id;
+ }
+
diff --git a/scripts/test-all-policy.zeek b/scripts/test-all-policy.zeek
index cc22fd4e55..3aa07c1c8d 100644
--- a/scripts/test-all-policy.zeek
+++ b/scripts/test-all-policy.zeek
@@ -113,6 +113,7 @@
 @load protocols/conn/known-services.zeek
 @load protocols/conn/mac-logging.zeek
 @load protocols/conn/vlan-logging.zeek
+@load protocols/conn/pppoe-session-id-logging.zeek
 @load protocols/conn/weirds.zeek
 #@load frameworks/conn_key/vlan_fivetuple.zeek
 #@load protocols/conn/speculative-service.zeek
diff --git a/src/packet_analysis/protocol/pppoe/CMakeLists.txt b/src/packet_analysis/protocol/pppoe/CMakeLists.txt
index b549cf4d1a..cdf53bc58c 100644
--- a/src/packet_analysis/protocol/pppoe/CMakeLists.txt
+++ b/src/packet_analysis/protocol/pppoe/CMakeLists.txt
@@ -1,3 +1,4 @@
 zeek_add_plugin(
- PacketAnalyzer PPPoE
- SOURCES PPPoE.cc Plugin.cc)
+ Zeek PPPoE
+ SOURCES PPPoE.cc Plugin.cc
+ BIFS functions.bif)
diff --git a/src/packet_analysis/protocol/pppoe/functions.bif b/src/packet_analysis/protocol/pppoe/functions.bif
new file mode 100644
index 0000000000..1786d0d74b
--- /dev/null
+++ b/src/packet_analysis/protocol/pppoe/functions.bif
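Review bot: The doc comment on the new record field, `## The PPPoE session id, if applicable for this connection.`, does not say that the value is sampled exactly once, in `new_connection`, from the connection's first packet; if later packets of the same 5-tuple carried a different session ID, conn.log would not reflect it, which an analyst correlating the log with a capture should know. I would extend it to `## The PPPoE session id of the connection's first packet, if applicable.`. The sentinel `0xFFFFFFFF` is also spelled out both here and in the bif documentation; exporting it from the bif module as a named constant (e.g. `PacketAnalyzer::PPPoE::NO_SESSION_ID`, name constructed) would keep the two sides from drifting apart. The `set_conn(c, F)` workaround is already tracked by the FIXME, so nothing to add there.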
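Review bot: The new `@load protocols/conn/pppoe-session-id-logging.zeek` line is inserted after vlan-logging.zeek, which breaks the alphabetical order the surrounding `@load protocols/conn/...` lines appear to follow (known-services, mac-logging, vlan-logging, weirds). Placing it between mac-logging.zeek and vlan-logging.zeek keeps the list sorted; as far as I can tell load order does not matter here, so this is cosmetic.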
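Review bot: Replacing `PacketAnalyzer PPPoE` with `Zeek PPPoE` changes the plugin's registered namespace and therefore its name, which is visible in the generated script name `Zeek_PPPoE.functions.bif.zeek` that the baselines in this commit now carry. That rename is not mentioned in the commit message even though it is user-visible (for example in plugin listings); it appears to align PPPoE with the other packet analyzers shown in the baselines (`Zeek_ARP`, `Zeek_UDP`, `Zeek_ICMP`), so a sentence saying so in the description would spare the next reader the archaeology.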
@@ -0,0 +1,22 @@
+module PacketAnalyzer::PPPoE;
+
+%%{
+#include "zeek/packet_analysis/Manager.h"
+%%}
+
+## Returns the PPPoE Session ID of the current packet, if present.
+##
+## If no PPPoE Session ID is present, 0xFFFFFFFF is returned, which
+## is out of range of the session ID.
+##
+## Returns: The PPPoE session ID if present, 0xFFFFFFFF otherwise.
+function session_id%(%): count
+ %{
+ static const auto& analyzer = zeek::packet_mgr->GetAnalyzer("PPPoE");
+ auto spans = zeek::packet_mgr->GetAnalyzerData(analyzer);
+
+ if ( spans.size() == 0 || spans[0].size() <=8 )
+ return zeek::val_mgr->Count(0xFFFFFFFF);
+
+ return zeek::val_mgr->Count((spans[0][2] << 8u) + spans[0][3]);
+ %}
diff --git a/src/script_opt/FuncInfo.cc b/src/script_opt/FuncInfo.cc
index 29f9a42ae2..874772d828 100644
--- a/src/script_opt/FuncInfo.cc
+++ b/src/script_opt/FuncInfo.cc
@@ -117,6 +117,7 @@ static std::unordered_map func_attrs = {
 {"Option::set_change_handler", ATTR_NO_SCRIPT_SIDE_EFFECTS},
 {"PacketAnalyzer::GTPV1::remove_gtpv1_connection", ATTR_NO_SCRIPT_SIDE_EFFECTS},
 {"PacketAnalyzer::Geneve::get_options", ATTR_NO_SCRIPT_SIDE_EFFECTS},
+ {"PacketAnalyzer::PPPoE::session_id", ATTR_NO_SCRIPT_SIDE_EFFECTS},
 {"PacketAnalyzer::TEREDO::remove_teredo_connection", ATTR_NO_SCRIPT_SIDE_EFFECTS},
 {"PacketAnalyzer::__disable_analyzer", ATTR_NO_SCRIPT_SIDE_EFFECTS},
 {"PacketAnalyzer::__enable_analyzer", ATTR_NO_SCRIPT_SIDE_EFFECTS},
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 4bb0fdb685..92ae304ef1 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
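Review bot: The guard `spans[0].size() <=8` and the byte offsets `spans[0][2]`/`spans[0][3]` in session_id are unexplained magic numbers; only bytes 2 and 3 are read, so a reader cannot tell why more than 8 bytes are demanded, nor that the two bytes are a big-endian session ID. I would add above the `if` a comment such as `// PPPoE header: ver/type (1), code (1), session id (2, big-endian), length (2); the 8-byte minimum presumably mirrors the analyzer's own truncation check in PPPoE.cc — confirm` and write the condition as `if ( spans.empty() || spans[0].size() <= 8 )` to match the project's spacing. The doc block says the result is for "the current packet" but not that it is only meaningful while a packet is being processed, which is exactly what the new policy script depends on; a line like `## Only meaningful when called while a packet is being processed, e.g. from a packet-driven event such as new_connection.` would make the contract explicit. Finally, `static const auto& analyzer` caches the first lookup for the lifetime of the process; if GetAnalyzer can return an empty pointer (not visible in this hunk), that would be cached too, so a short comment stating why the static is safe here is worth having.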
@@ -266,6 +266,7 @@ scripts/base/init-frameworks-and-bifs.zeek
 build/scripts/base/bif/plugins/Zeek_WebSocket.types.bif.zeek
 build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek
+ build/scripts/base/bif/plugins/Zeek_PPPoE.functions.bif.zeek
 build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 4ed3a0c33b..8d2b58f0e1 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -266,6 +266,7 @@ scripts/base/init-frameworks-and-bifs.zeek
 build/scripts/base/bif/plugins/Zeek_WebSocket.types.bif.zeek
 build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek
+ build/scripts/base/bif/plugins/Zeek_PPPoE.functions.bif.zeek
 build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index b9d02db981..d210eaa685 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -369,6 +369,7 @@
 0.000000 MetaHookPost LoadFile(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) -> -1
+0.000000 MetaHookPost LoadFile(0, ./Zeek_PPPoE.functions.bif.zeek, <...>/Zeek_PPPoE.functions.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek) -> -1
@@ -684,6 +685,7 @@
 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) -> (-1, )
 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek) -> (-1, )
 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) -> (-1, )
+0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_PPPoE.functions.bif.zeek, <...>/Zeek_PPPoE.functions.bif.zeek) -> (-1, )
 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) -> (-1, )
 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) -> (-1, )
 0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek) -> (-1, )
@@ -1310,6 +1312,7 @@
 0.000000 MetaHookPre LoadFile(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek)
+0.000000 MetaHookPre LoadFile(0, ./Zeek_PPPoE.functions.bif.zeek, <...>/Zeek_PPPoE.functions.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek)
@@ -1625,6 +1628,7 @@
 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek)
 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek)
 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek)
+0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_PPPoE.functions.bif.zeek, <...>/Zeek_PPPoE.functions.bif.zeek)
 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek)
 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek)
 0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek)
@@ -2250,6 +2254,7 @@
 0.000000 | HookLoadFile ./Zeek_PE.events.bif.zeek <...>/Zeek_PE.events.bif.zeek
 0.000000 | HookLoadFile ./Zeek_POP3.consts.bif.zeek <...>/Zeek_POP3.consts.bif.zeek
 0.000000 | HookLoadFile ./Zeek_POP3.events.bif.zeek <...>/Zeek_POP3.events.bif.zeek
+0.000000 | HookLoadFile ./Zeek_PPPoE.functions.bif.zeek <...>/Zeek_PPPoE.functions.bif.zeek
 0.000000 | HookLoadFile ./Zeek_RADIUS.events.bif.zeek <...>/Zeek_RADIUS.events.bif.zeek
 0.000000 | HookLoadFile ./Zeek_RDP.events.bif.zeek <...>/Zeek_RDP.events.bif.zeek
 0.000000 | HookLoadFile ./Zeek_RDP.types.bif.zeek <...>/Zeek_RDP.types.bif.zeek
@@ -2565,6 +2570,7 @@
 0.000000 | HookLoadFileExtended ./Zeek_PE.events.bif.zeek <...>/Zeek_PE.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_POP3.consts.bif.zeek <...>/Zeek_POP3.consts.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_POP3.events.bif.zeek <...>/Zeek_POP3.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_PPPoE.functions.bif.zeek <...>/Zeek_PPPoE.functions.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_RADIUS.events.bif.zeek <...>/Zeek_RADIUS.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_RDP.events.bif.zeek <...>/Zeek_RDP.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_RDP.types.bif.zeek <...>/Zeek_RDP.types.bif.zeek
diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.pppoe-session-id-logging/conn.log.cut b/testing/btest/Baseline/scripts.policy.protocols.conn.pppoe-session-id-logging/conn.log.cut
new file mode 100644
index 0000000000..822e11c82c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.conn.pppoe-session-id-logging/conn.log.cut
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+uid id.orig_h id.orig_p id.resp_h id.resp_p pppoe_session_id
+CHhAvVGS1DHFjwGM9 1.1.1.1 20394 2.2.2.2 443 3847
diff --git a/testing/btest/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek b/testing/btest/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek
new file mode 100644
index 0000000000..a701c4294a
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek
@@ -0,0 +1,7 @@
+# A basic test of pppoe session id logging
+
+# @TEST-EXEC: zeek -b -r $TRACES/pppoe-over-qinq.pcap %INPUT
+# @TEST-EXEC: zeek-cut -m uid id.orig_h id.orig_p id.resp_h id.resp_p pppoe_session_id < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+
+@load protocols/conn/pppoe-session-id-logging
From 9ab7b768c60efc1c94b0723abcefa86fc59a6b30 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Wed, 23 Jul 2025 13:59:34 +0100
Subject: [PATCH 2/2] Update external tests for pppoe-session-id conn.log changes
---
 testing/external/commit-hash.zeek-testing | 2 +-
 testing/external/commit-hash.zeek-testing-private | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing
index 55f2339e5f..ca1d38b7c3 100644
--- a/testing/external/commit-hash.zeek-testing
+++ b/testing/external/commit-hash.zeek-testing
@@ -1 +1 @@
-b0713238ffa1adb47a5f2824dc685eba144d3feb
+81f4e656c22a0b13f38edd155347fd5f5ff9a8ee
diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private
index cc43ed7906..fe7ef3af18 100644
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@@ -1 +1 @@
-7bedceb12209bd7256be9faf8c067e55ced9bd59
+639b1a7be96b937108c347496965215441394261
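Review bot: The test only exercises the positive path, a PPPoE trace yielding a populated `pppoe_session_id` column; nothing checks that connections without PPPoE leave the `&optional` field unset, which is the `0xFFFFFFFF` early-return branch in the policy script. A second run over a non-PPPoE trace the suite already ships (any existing `$TRACES` file would do) with the same zeek-cut columns and its own baseline would pin that branch. One thing worth a comment in the test header: the baseline shows the session ID in decimal (3847), whereas packet-capture tools usually display it in hex (0x0F07), so `# Note: conn.log prints the session id in decimal` spares an analyst a double take when cross-checking.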