Merge remote-tracking branch 'origin/topic/johanna/pppoe-session-id-logging'

* origin/topic/johanna/pppoe-session-id-logging: Update external tests for pppoe-session-id conn.log changes PPPoE: add session id logging
2025-10-02 06:38:20 +00:00 · 2025-07-24 07:51:03 +01:00 · 2025-07-24 07:51:03 +01:00 · 4399f171ae
commit 4399f171ae
parent 106831bc62 9ab7b768c6
15 changed files with 91 additions and 5 deletions
--- a/10
+++ b/10
@ -1,3 +1,13 @@
+8.0.0-dev.734 | 2025-07-24 07:55:31 +0100
+
+  * PPPoE: add session id logging (Johanna Amann, Corelight)
+
+    This adds a new PacketAnalyzer::PPPoE::session_id bif, which extracts
+    the PPPoE session ID from the current packet.
+
+    Furthermore, a new policy script is added which adds the pppoe session
+    id to the connection log.
+
 8.0.0-dev.730 | 2025-07-23 15:26:08 -0700

  * Fix a few other minor issues reported by Coverity (Tim Wojtulewicz, Corelight)
--- a/6
+++ b/6
@ -268,6 +268,12 @@ New Functionality
  up traditional connection monitoring without introducing overhead for connections that
  would never reach a larger threshold anyway.

+- Zeek now supports extracting the PPPoE session ID. The ``PacketAnalyzer::PPPoE::session_id``
+  BiF can be used to get the session ID of the current packet.
+
+  The ``onn/pppoe-session-id-logging.zeek`` policy script adds pppoe session IDs to the
+  connection log.
+
 Changed Functionality
 ---------------------

--- a/2
+++ b/2
@ -1 +1 @@
-8.0.0-dev.730
+8.0.0-dev.734
--- a/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek
+++ b/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek
@ -0,0 +1,27 @@
+##! This script adds PPPoE session ID information to the connection log.
+
+@load base/protocols/conn
+
+module Conn;
+
+redef record Info += {
+	## The PPPoE session id, if applicable for this connection.
+	pppoe_session_id: count &log &optional;
+};
+
+# Add the PPPoE session ID to the Conn::Info structure. We have to do this right
+# at the beginning, while we are handling a packet.
+event new_connection(c: connection)
+	{
+	local session_id = PacketAnalyzer::PPPoE::session_id();
+
+	# no session ID
+	if ( session_id == 0xFFFFFFFF )
+		return;
+
+	# FIXME: remove when GH-4688 is merged
+	set_conn(c, F);
+
+	c$conn$pppoe_session_id = session_id;
+	}
+
--- a/scripts/test-all-policy.zeek
+++ b/scripts/test-all-policy.zeek
@ -113,6 +113,7 @@
@load protocols/conn/known-services.zeek
@load protocols/conn/mac-logging.zeek
@load protocols/conn/vlan-logging.zeek
+@load protocols/conn/pppoe-session-id-logging.zeek
@load protocols/conn/weirds.zeek
 #@load frameworks/conn_key/vlan_fivetuple.zeek
 #@load protocols/conn/speculative-service.zeek
--- a/src/packet_analysis/protocol/pppoe/CMakeLists.txt
+++ b/src/packet_analysis/protocol/pppoe/CMakeLists.txt
@ -1,3 +1,4 @@
 zeek_add_plugin(
-    PacketAnalyzer PPPoE
-    SOURCES PPPoE.cc Plugin.cc)
+    Zeek PPPoE
+    SOURCES PPPoE.cc Plugin.cc
+    BIFS functions.bif)
--- a/src/packet_analysis/protocol/pppoe/functions.bif
+++ b/src/packet_analysis/protocol/pppoe/functions.bif
@ -0,0 +1,22 @@
+module PacketAnalyzer::PPPoE;
+
+%%{
+#include "zeek/packet_analysis/Manager.h"
+%%}
+
+## Returns the PPPoE Session ID of the current packet, if present.
+##
+## If no PPPoE Session ID is present, 0xFFFFFFFF is returned, which
+## is out of range of the session ID.
+##
+## Returns: The PPPoE session ID if present, 0xFFFFFFFF otherwise.
+function session_id%(%): count
+	%{
+	static const auto& analyzer = zeek::packet_mgr->GetAnalyzer("PPPoE");
+	auto spans = zeek::packet_mgr->GetAnalyzerData(analyzer);
+
+	if ( spans.size() == 0 || spans[0].size() <=8 )
+		return zeek::val_mgr->Count(0xFFFFFFFF);
+
+	return zeek::val_mgr->Count((spans[0][2] << 8u) + spans[0][3]);
+	%}
--- a/src/script_opt/FuncInfo.cc
+++ b/src/script_opt/FuncInfo.cc
@ -117,6 +117,7 @@ static std::unordered_map<std::string, unsigned int> func_attrs = {
    {"Option::set_change_handler", ATTR_NO_SCRIPT_SIDE_EFFECTS},
    {"PacketAnalyzer::GTPV1::remove_gtpv1_connection", ATTR_NO_SCRIPT_SIDE_EFFECTS},
    {"PacketAnalyzer::Geneve::get_options", ATTR_NO_SCRIPT_SIDE_EFFECTS},
+    {"PacketAnalyzer::PPPoE::session_id", ATTR_NO_SCRIPT_SIDE_EFFECTS},
    {"PacketAnalyzer::TEREDO::remove_teredo_connection", ATTR_NO_SCRIPT_SIDE_EFFECTS},
    {"PacketAnalyzer::__disable_analyzer", ATTR_NO_SCRIPT_SIDE_EFFECTS},
    {"PacketAnalyzer::__enable_analyzer", ATTR_NO_SCRIPT_SIDE_EFFECTS},
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@ -266,6 +266,7 @@ scripts/base/init-frameworks-and-bifs.zeek
    build/scripts/base/bif/plugins/Zeek_WebSocket.types.bif.zeek
    build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_PPPoE.functions.bif.zeek
    build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@ -266,6 +266,7 @@ scripts/base/init-frameworks-and-bifs.zeek
    build/scripts/base/bif/plugins/Zeek_WebSocket.types.bif.zeek
    build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_PPPoE.functions.bif.zeek
    build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@ -369,6 +369,7 @@
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, ./Zeek_PPPoE.functions.bif.zeek, <...>/Zeek_PPPoE.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek) -> -1
@ -684,6 +685,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_PPPoE.functions.bif.zeek, <...>/Zeek_PPPoE.functions.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek) -> (-1, <no content>)
@ -1310,6 +1312,7 @@
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, ./Zeek_PPPoE.functions.bif.zeek, <...>/Zeek_PPPoE.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek)
@ -1625,6 +1628,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_PPPoE.functions.bif.zeek, <...>/Zeek_PPPoE.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek)
@ -2250,6 +2254,7 @@
 0.000000 | HookLoadFile  ./Zeek_PE.events.bif.zeek <...>/Zeek_PE.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_POP3.consts.bif.zeek <...>/Zeek_POP3.consts.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_POP3.events.bif.zeek <...>/Zeek_POP3.events.bif.zeek
+0.000000 | HookLoadFile  ./Zeek_PPPoE.functions.bif.zeek <...>/Zeek_PPPoE.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_RADIUS.events.bif.zeek <...>/Zeek_RADIUS.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_RDP.events.bif.zeek <...>/Zeek_RDP.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_RDP.types.bif.zeek <...>/Zeek_RDP.types.bif.zeek
@ -2565,6 +2570,7 @@
 0.000000 | HookLoadFileExtended ./Zeek_PE.events.bif.zeek <...>/Zeek_PE.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_POP3.consts.bif.zeek <...>/Zeek_POP3.consts.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_POP3.events.bif.zeek <...>/Zeek_POP3.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_PPPoE.functions.bif.zeek <...>/Zeek_PPPoE.functions.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_RADIUS.events.bif.zeek <...>/Zeek_RADIUS.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_RDP.events.bif.zeek <...>/Zeek_RDP.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_RDP.types.bif.zeek <...>/Zeek_RDP.types.bif.zeek
--- a/testing/btest/Baseline/scripts.policy.protocols.conn.pppoe-session-id-logging/conn.log.cut
+++ b/testing/btest/Baseline/scripts.policy.protocols.conn.pppoe-session-id-logging/conn.log.cut
@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	pppoe_session_id
+CHhAvVGS1DHFjwGM9	1.1.1.1	20394	2.2.2.2	443	3847
--- a/testing/btest/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek
+++ b/testing/btest/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek
@ -0,0 +1,7 @@
+# A basic test of pppoe session id logging
+
+# @TEST-EXEC: zeek -b -r $TRACES/pppoe-over-qinq.pcap %INPUT
+# @TEST-EXEC: zeek-cut -m uid id.orig_h id.orig_p id.resp_h id.resp_p pppoe_session_id < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+
+@load protocols/conn/pppoe-session-id-logging
--- a/testing/external/commit-hash.zeek-testing
+++ b/testing/external/commit-hash.zeek-testing
@ -1 +1 @@
-b0713238ffa1adb47a5f2824dc685eba144d3feb
+79e994ccb40bdc35988867a680cc7efa152d3543
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@ -1 +1 @@
-7bedceb12209bd7256be9faf8c067e55ced9bd59
+034c859753b435dc2a6368fa46ecf3e92c98d9da