Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge branch 'topic/feature/upstream/cfp' of https://github.com/corelight/bro

Browse source 
* 'topic/feature/upstream/cfp' of https://github.com/corelight/bro:
  Add Cisco FabricPath support
This commit is contained in:
Jon Siwek 2018-07-31 16:50:55 -05:00
commit 46bf6731e7
6 changed files with 65 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

7
CHANGES
View file

@ -1,4 +1,11 @@
2.5-787 | 2018-07-31 16:50:55 -0500
* Add Cisco FabricPath support (Damani Wade, Corelight)
* Replace GeoIP Legacy DB support with MaxMind DB support
(Jonathan Perkins, Corelight)
2.5-782 | 2018-07-31 11:53:22 +0200 2.5-782 | 2018-07-31 11:53:22 +0200
* Update install instructions for OpenSSL 1.1 compat (Jon Siwek, Corelight) * Update install instructions for OpenSSL 1.1 compat (Jon Siwek, Corelight)

2
VERSION
View file

@ -1 +1 @@
2.5-782 2.5-787

14
src/iosource/Packet.cc
View file

@ -140,6 +140,20 @@ void Packet::ProcessLayer2()
case DLT_EN10MB: case DLT_EN10MB:
{ {
// Skip past Cisco FabricPath to encapsulated ethernet frame.
if ( pdata[12] == 0x89 && pdata[13] == 0x03 )
{
auto constexpr cfplen = 16;
if ( pdata + cfplen + GetLinkHeaderSize(link_type) >= end_of_data )
{
Weird("truncated_link_header_cfp");
return;
}
pdata += cfplen;
}
// Get protocol being carried from the ethernet frame. // Get protocol being carried from the ethernet frame.
int protocol = (pdata[12] << 8) + pdata[13]; int protocol = (pdata[12] << 8) + pdata[13];

41
testing/btest/Baseline/core.cisco-fabric-path/conn.log Normal file
View file

@ -0,0 +1,41 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2018-07-09-14-17-29
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1529347003.860008 C7fIlMZDuRiqjpYbb 1.1.1.6 57005 2.2.2.2 48879 tcp - 0.001018 0 0 S0 - - 0 S 2 80 0 0 -
1529347003.861732 CykQaM33ztNt0csB9a 1.1.1.4 57005 2.2.2.2 48879 tcp - 0.000928 0 0 S0 - - 0 S 2 80 0 0 -
1529347003.863372 CtxTCR2Yer0FR1tIBg 1.1.1.14 57005 2.2.2.2 48879 tcp - 0.000928 0 0 S0 - - 0 S 2 80 0 0 -
1529347003.865002 CpmdRlaUoJLN3uIRa 1.1.1.12 57005 2.2.2.2 48879 tcp - 0.000926 0 0 S0 - - 0 S 2 80 0 0 -
1529347003.866648 C1Xkzz2MaGtLrc1Tla 1.1.1.0 57005 2.2.2.2 48879 tcp - 0.001042 0 0 S0 - - 0 S 2 80 0 0 -
1529347003.868394 CqlVyW1YwZ15RhTBc4 1.1.1.2 57005 2.2.2.2 48879 tcp - 0.000920 0 0 S0 - - 0 S 2 80 0 0 -
1529347003.870014 CLNN1k2QMum1aexUK7 1.1.1.8 57005 2.2.2.2 48879 tcp - 0.000930 0 0 S0 - - 0 S 2 80 0 0 -
1529347003.871649 CBA8792iHmnhPLksKa 1.1.1.10 57005 2.2.2.2 48879 tcp - 0.000928 0 0 S0 - - 0 S 2 80 0 0 -
1529347003.873385 CGLPPc35OzDQij1XX8 1234::e 57005 5678:: 48879 tcp - 0.001139 0 0 S0 - - 0 S 2 120 0 0 -
1529347003.875322 CiyBAq1bBLNaTiTAc 1234::c 57005 5678:: 48879 tcp - 0.001027 0 0 S0 - - 0 S 2 120 0 0 -
1529347003.877182 CFSwNi4CNGxcuffo49 1234::6 57005 5678:: 48879 tcp - 0.001055 0 0 S0 - - 0 S 2 120 0 0 -
1529347003.879034 Cipfzj1BEnhejw8cGf 1234::4 57005 5678:: 48879 tcp - 0.001018 0 0 S0 - - 0 S 2 120 0 0 -
1529347003.881330 CV5WJ42jPYbNW9JNWf 1234::8 57005 5678:: 48879 tcp - 0.001029 0 0 S0 - - 0 S 2 120 0 0 -
1529347003.883152 CPhDKt12KQPUVbQz06 1234::a 57005 5678:: 48879 tcp - 0.001005 0 0 S0 - - 0 S 2 120 0 0 -
1529347003.884945 CAnFrb2Cvxr5T7quOc 1234:: 57005 5678:: 48879 tcp - 0.001005 0 0 S0 - - 0 S 2 120 0 0 -
1529347003.886751 C8rquZ3DjgNW06JGLl 1234::2 57005 5678:: 48879 tcp - 0.001120 0 0 S0 - - 0 S 2 120 0 0 -
1529347003.851951 CFLRIC3zaTU1loLGxh 1234::4 57005 5678:: 48879 udp - 0.000905 0 0 S0 - - 0 D 2 96 0 0 -
1529347003.855232 Ck51lg1bScffFj34Ri 1234::a 57005 5678:: 48879 udp - 0.000894 0 0 S0 - - 0 D 2 96 0 0 -
1529347003.839636 CtPZjS20MLrsMUOJi2 1.1.1.12 57005 2.2.2.2 48879 udp - 0.000847 0 0 S0 - - 0 D 2 56 0 0 -
1529347003.858393 CNnMIj2QSd84NKf7U3 1234::2 57005 5678:: 48879 udp - 0.000902 0 0 S0 - - 0 D 2 96 0 0 -
1529347003.842649 CmES5u32sYpV7JYN 1.1.1.2 57005 2.2.2.2 48879 udp - 0.000830 0 0 S0 - - 0 D 2 56 0 0 -
1529347003.850367 C0LAHyvtKSQHyJxIl 1234::6 57005 5678:: 48879 udp - 0.000898 0 0 S0 - - 0 D 2 96 0 0 -
1529347003.848776 CwjjYJ2WqgTbAqiHl6 1234::c 57005 5678:: 48879 udp - 0.000902 0 0 S0 - - 0 D 2 96 0 0 -
1529347003.856801 C9mvWx3ezztgzcexV7 1234:: 57005 5678:: 48879 udp - 0.000898 0 0 S0 - - 0 D 2 96 0 0 -
1529347003.841103 CUM0KZ3MLUfNB0cl11 1.1.1.0 57005 2.2.2.2 48879 udp - 0.000926 0 0 S0 - - 0 D 2 56 0 0 -
1529347003.845524 C37jN32gN3y3AZzyf6 1.1.1.10 57005 2.2.2.2 48879 udp - 0.000843 0 0 S0 - - 0 D 2 56 0 0 -
1529347003.847079 C3eiCBGOLw3VtHfOj 1234::e 57005 5678:: 48879 udp - 0.001014 0 0 S0 - - 0 D 2 96 0 0 -
1529347003.853544 C9rXSW3KSpTYvPrlI1 1234::8 57005 5678:: 48879 udp - 0.001010 0 0 S0 - - 0 D 2 96 0 0 -
1529347003.836659 ClEkJM2Vm5giqnMf4h 1.1.1.4 57005 2.2.2.2 48879 udp - 0.000847 0 0 S0 - - 0 D 2 56 0 0 -
1529347003.838130 C4J4Th3PJpwUYZZ6gc 1.1.1.14 57005 2.2.2.2 48879 udp - 0.000880 0 0 S0 - - 0 D 2 56 0 0 -
1529347003.844086 CP5puj4I8PtEU4qzYg 1.1.1.8 57005 2.2.2.2 48879 udp - 0.000830 0 0 S0 - - 0 D 2 56 0 0 -
1529347003.834704 CHhAvVGS1DHFjwGM9 1.1.1.6 57005 2.2.2.2 48879 udp - 0.001243 0 0 S0 - - 0 D 2 56 0 0 -
#close 2018-07-09-14-17-29

BIN
testing/btest/Traces/cisco-fabric-path.pcap Normal file
View file

Binary file not shown.

2
testing/btest/core/cisco-fabric-path.bro Normal file
View file

@ -0,0 +1,2 @@
# @TEST-EXEC: bro -C -r $TRACES/cisco-fabric-path.pcap
# @TEST-EXEC: btest-diff conn.log