diff --git a/CHANGES b/CHANGES
index fd6b69f099..2e4a2be3af 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,16 @@
+2.1-218 | 2012-12-10 14:45:04 -0800
+
+ * Add GPRS Tunnelling Protocol (GTPv1) decapsulation. This currently
+ supports automatic decapsulation of GTP-U packets on UDP port 2152.
+ The GTPv1 headers for such tunnels can be inspected by handling
+ the "gtpv1_g_pdu_packet" event, which has a parameter of type
+ "gtpv1_hdr". Addresses #690. (Jon Siwek; derived from patch by
+ Carsten Langer)
+
+ * Change BinPAC exceptions in AYIYA/GTP analyzers to do
+ "protocol_violation". (Jon Siwek)
+
 2.1-212 | 2012-12-07 19:42:03 -0800
 
 * Changing the HTTP parser to accept request methods in alignment
diff --git a/NEWS b/NEWS
index 63c4d5d6f7..f3fe143362 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,8 @@ Bro 2.2
 New Functionality
 ~~~~~~~~~~~~~~~~~
 
+- GPRS Tunnelling Protocol (GTPv1) decapsulation.
+
 - GridFTP support. TODO: Extend.
 
 - ssl.log now also records the subject client and issuer certificates.
diff --git a/VERSION b/VERSION
index ae0289baaf..addd00e2de 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.1-212
+2.1-218
diff --git a/scripts/base/frameworks/tunnels/main.bro b/scripts/base/frameworks/tunnels/main.bro
index 0861559558..a3db7061d3 100644
--- a/scripts/base/frameworks/tunnels/main.bro
+++ b/scripts/base/frameworks/tunnels/main.bro
@@ -88,7 +88,10 @@ redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ayiya_ports] };
 const teredo_ports = { 3544/udp };
 redef dpd_config += { [ANALYZER_TEREDO] = [$ports = teredo_ports] };
 
-redef likely_server_ports += { ayiya_ports, teredo_ports };
+const gtpv1u_ports = { 2152/udp };
+redef dpd_config += { [ANALYZER_GTPV1] = [$ports = gtpv1u_ports] };
+
+redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1u_ports };
 
 event bro_init() &priority=5
 {
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index df3596d31e..e5365a9428 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -1450,6 +1450,44 @@ type teredo_hdr: record {
 hdr: pkt_hdr; ##< IPv6 and transport protocol headers.
 };
 
+## A GTPv1 (GPRS Tunneling Protocol) header.
+type gtpv1_hdr: record {
+ ## The 3-bit version field, which for GTPv1 should be 1.
+ version: count;
+ ## Protocol Type value differentiates GTP (value 1) from GTP' (value 0).
+ pt_flag: bool;
+ ## Reserved field, should be 0.
+ rsv: bool;
+ ## Extension Header flag. When 0, the *next_type* field may or may not
+ ## be present, but shouldn't be meaningful. When 1, *next_type* is
+ ## present and meaningful.
+ e_flag: bool;
+ ## Sequence Number flag. When 0, the *seq* field may or may not
+ ## be present, but shouldn't be meaningful. When 1, *seq* is
+ ## present and meaningful.
+ s_flag: bool;
+ ## N-PDU flag. When 0, the *n_pdu* field may or may not
+ ## be present, but shouldn't be meaningful. When 1, *n_pdu* is
+ ## present and meaningful.
+ pn_flag: bool;
+ ## Message Type. A value of 255 indicates user-plane data is encapsulated.
+ msg_type: count;
+ ## Length of the GTP packet payload (the rest of the packet following the
+ ## mandatory 8-byte GTP header).
+ length: count;
+ ## Tunnel Endpoint Identifier. Unambiguously identifies a tunnel endpoint
+ ## in receiving GTP-U or GTP-C protocol entity.
+ teid: count;
+ ## Sequence Number. Set if any *e_flag*, *s_flag*, or *pn_flag* field is
+ ## set.
+ seq: count &optional;
+ ## N-PDU Number. Set if any *e_flag*, *s_flag*, or *pn_flag* field is set.
+ n_pdu: count &optional;
+ ## Next Extension Header Type. Set if any *e_flag*, *s_flag*, or *pn_flag*
+ ## field is set.
+ next_type: count &optional;
+};
+
 ## Definition of "secondary filters". A secondary filter is a BPF filter given as
 ## index in this table. For each such filter, the corresponding event is raised for
 ## all matching packets.
@@ -2786,6 +2824,9 @@ export {
 ## Toggle whether to do IPv6-in-Teredo decapsulation.
 const enable_teredo = T &redef;
 
+ ## Toggle whether to do GTPv1 decapsulation.
+ const enable_gtpv1 = T &redef;
+
 ## With this option set, the Teredo analysis will first check to see if
 ## other protocol analyzers have confirmed that they think they're
 ## parsing the right protocol and only continue with Teredo tunnel
@@ -2802,6 +2843,15 @@ export {
 ## :bro:see:`Tunnel::yielding_teredo_decapsulation`.
 const delay_teredo_confirmation = T &redef;
 
+ ## With this set, the GTP analyzer waits until the most-recent upflow
+ ## and downflow packets are a valid GTPv1 encapsulation before
+ ## issuing :bro:see:`protocol_confirmation`. If it's false, the
+ ## first occurence of a packet with valid GTPv1 encapsulation causes
+ ## confirmation. Since the same inner connection can be carried
+ ## differing outer upflow/downflow connections, setting to false
+ ## may work better.
+ const delay_gtp_confirmation = F &redef;
+
 ## How often to cleanup internal state for inactive IP tunnels.
 const ip_tunnel_timeout = 24hrs &redef;
 } # end export
diff --git a/src/AYIYA.cc b/src/AYIYA.cc
index c525a73b6c..79fa44e743 100644
--- a/src/AYIYA.cc
+++ b/src/AYIYA.cc
@@ -20,5 +20,13 @@ void AYIYA_Analyzer::Done()
 void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
 {
 Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
- interp->NewData(orig, data, data + len);
+
+ try
+ {
+ interp->NewData(orig, data, data + len);
+ }
+ catch ( const binpac::Exception& e )
+ {
+ ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+ }
 }
diff --git a/src/Analyzer.cc b/src/Analyzer.cc
index 0a5188d76c..15926dfa2a 100644
--- a/src/Analyzer.cc
+++ b/src/Analyzer.cc
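Review bot: The doc comment on `delay_gtp_confirmation` has a typo and a dropped word: "occurence" should be "occurrence", and "can be carried differing outer upflow/downflow connections" reads as "can be carried by differing outer upflow/downflow connections". The identifier also breaks the pattern set by `enable_gtpv1` next to it and by `delay_teredo_confirmation`; `delay_gtpv1_confirmation` would match both, and the same name is declared in the const.bif hunk, so both would need the change. Since gtpv1-analyzer.pac resets the per-direction validity on every datagram before re-checking it, it may be worth stating in the comment that a confirmation is withheld again whenever the latest packet in either direction fails to parse, not only until the first pair parses.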
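Review bot: The new catch block reports the violation without the offending bytes, whereas the `violate()` helper in gtpv1-analyzer.pac passes the datagram so the protocol_violation handler can see it (the core.tunnels.gtp.non_recursive baseline shows that data being logged); `ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()), (const char*) data, len);` would make the AYIYA and GTPv1 paths consistent, and the identical block in GTPv1.cc's DeliverPacket should change the same way. Separately, NewData is bounded by `len` while DeliverPacket also receives `caplen`; if a truncated capture can reach this analyzer with caplen smaller than len, the parser would be handed bytes beyond the captured buffer, which the binpac exception path does not guard against — worth confirming how the UDP layer feeds DeliverPacket before relying on `len` here and in GTPv1.cc.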
@@ -41,6 +41,7 @@
 #include "Syslog-binpac.h"
 #include "Teredo.h"
 #include "ConnSizeAnalyzer.h"
+#include "GTPv1.h"
 
 // Keep same order here as in AnalyzerTag definition!
 const Analyzer::Config Analyzer::analyzer_configs[] = {
@@ -143,6 +144,9 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
 { AnalyzerTag::Teredo, "TEREDO",
 Teredo_Analyzer::InstantiateAnalyzer,
 Teredo_Analyzer::Available, 0, false },
+ { AnalyzerTag::GTPv1, "GTPV1",
+ GTPv1_Analyzer::InstantiateAnalyzer,
+ GTPv1_Analyzer::Available, 0, false },
 { AnalyzerTag::File, "FILE",
 File_Analyzer::InstantiateAnalyzer,
 File_Analyzer::Available, 0, false },
diff --git a/src/AnalyzerTags.h b/src/AnalyzerTags.h
index 4dbbcd7499..38e47cf8fc 100644
--- a/src/AnalyzerTags.h
+++ b/src/AnalyzerTags.h
@@ -38,6 +38,7 @@ namespace AnalyzerTag {
 AYIYA, SOCKS, Teredo,
+ GTPv1,
 // Other
 File, Backdoor, InterConn, SteppingStone, TCPStats,
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 6867b9639c..d304604dcd 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -203,6 +203,8 @@ binpac_target(dns.pac
 dns-protocol.pac dns-analyzer.pac)
 binpac_target(dns_tcp.pac dns.pac)
+binpac_target(gtpv1.pac
+ gtpv1-protocol.pac gtpv1-analyzer.pac)
 binpac_target(http.pac
 http-protocol.pac http-analyzer.pac)
 binpac_target(ncp.pac)
@@ -332,6 +334,7 @@ set(bro_SRCS
 Frame.cc
 Func.cc
 Gnutella.cc
+ GTPv1.cc
 HTTP.cc
 HTTP-binpac.cc
 Hash.cc
diff --git a/src/GTPv1.cc b/src/GTPv1.cc
new file mode 100644
index 0000000000..68b6f30a0c
--- /dev/null
+++ b/src/GTPv1.cc
@@ -0,0 +1,31 @@
+#include "GTPv1.h"
+
+GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn)
+: Analyzer(AnalyzerTag::GTPv1, conn)
+ {
+ interp = new binpac::GTPv1::GTPv1_Conn(this);
+ }
+
+GTPv1_Analyzer::~GTPv1_Analyzer()
+ {
+ delete interp;
+ }
+
+void GTPv1_Analyzer::Done()
+ {
+ Analyzer::Done();
+ Event(udp_session_done);
+ }
+
+void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
+ {
+ Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+ try
+ {
+ interp->NewData(orig, data, data + len);
+ }
+ catch ( const binpac::Exception& e )
+ {
+ ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+ }
+ }
diff --git a/src/GTPv1.h b/src/GTPv1.h
new file mode 100644
index 0000000000..e111158833
--- /dev/null
+++ b/src/GTPv1.h
@@ -0,0 +1,29 @@
+#ifndef GTPv1_h
+#define GTPv1_h
+
+#include "gtpv1_pac.h"
+
+class GTPv1_Analyzer : public Analyzer {
+public:
+ GTPv1_Analyzer(Connection* conn);
+ virtual ~GTPv1_Analyzer();
+
+ virtual void Done();
+ virtual void DeliverPacket(int len, const u_char* data, bool orig,
+ int seq, const IP_Hdr* ip, int caplen);
+
+ static Analyzer* InstantiateAnalyzer(Connection* conn)
+ { return new GTPv1_Analyzer(conn); }
+
+ static bool Available()
+ { return BifConst::Tunnel::enable_gtpv1 &&
+ BifConst::Tunnel::max_depth > 0; }
+
+protected:
+ friend class AnalyzerTimer;
+ void ExpireTimer(double t);
+
+ binpac::GTPv1::GTPv1_Conn* interp;
+};
+
+#endif
diff --git a/src/NetVar.cc b/src/NetVar.cc
index 248ae15e1a..1783130f34 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -5,6 +5,7 @@
 #include "Var.h"
 #include "NetVar.h"
 
+RecordType* gtpv1_hdr_type;
 RecordType* conn_id;
 RecordType* endpoint;
 RecordType* endpoint_stats;
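Review bot: GTPv1.h declares `void ExpireTimer(double t);` under `friend class AnalyzerTimer;`, but GTPv1.cc in this same commit defines no ExpireTimer and nothing in the new analyzer schedules a timer, so the declaration is dead and any future call would only fail at link time; either drop those two lines or add the definition next to Done(). The class also carries no comment; a one-line header such as `// Analyzer for GTPv1 user-plane (G-PDU) datagrams; the binpac side hands the inner IP packet to sessions->DoNextInnerPacket.` above `class GTPv1_Analyzer` would tell a reader what it is for without opening the .pac file. The `Available()` gate on `max_depth > 0` lines up with the `e->Depth() >= max_depth` check in gtpv1-analyzer.pac, so that part looks consistent.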
@@ -308,6 +309,7 @@ void init_net_var()
 #include "input.bif.netvar_init"
 #include "reporter.bif.netvar_init"
 
+ gtpv1_hdr_type = internal_type("gtpv1_hdr")->AsRecordType();
 conn_id = internal_type("conn_id")->AsRecordType();
 endpoint = internal_type("endpoint")->AsRecordType();
 endpoint_stats = internal_type("endpoint_stats")->AsRecordType();
diff --git a/src/NetVar.h b/src/NetVar.h
index 2561fa0ad9..4bb2d2a7f9 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -8,6 +8,7 @@
 #include "EventRegistry.h"
 #include "Stats.h"
 
+extern RecordType* gtpv1_hdr_type;
 extern RecordType* conn_id;
 extern RecordType* endpoint;
 extern RecordType* endpoint_stats;
diff --git a/src/const.bif b/src/const.bif
index 7373403c11..ea7dc03817 100644
--- a/src/const.bif
+++ b/src/const.bif
@@ -15,8 +15,10 @@ const Tunnel::max_depth: count;
 const Tunnel::enable_ip: bool;
 const Tunnel::enable_ayiya: bool;
 const Tunnel::enable_teredo: bool;
+const Tunnel::enable_gtpv1: bool;
 const Tunnel::yielding_teredo_decapsulation: bool;
 const Tunnel::delay_teredo_confirmation: bool;
+const Tunnel::delay_gtp_confirmation: bool;
 const Tunnel::ip_tunnel_timeout: interval;
 
 const Threading::heartbeat_interval: interval;
diff --git a/src/event.bif b/src/event.bif
index b965c26ae9..8dd940f38b 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -577,6 +577,19 @@ event teredo_origin_indication%(outer: connection, inner: teredo_hdr%);
 ## it may become particularly expensive for real-time analysis.
 event teredo_bubble%(outer: connection, inner: teredo_hdr%);
 
+## Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload
+## that includes a GTP header followed by an IPv4 or IPv6 packet.
+##
+## outer: The GTP outer tunnel connection.
+##
+## inner_gtp: The GTP header.
+##
+## inner_ip: The inner IP and transport layer packet headers.
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+## it may become particularly expensive for real-time analysis.
+event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%);
+
 ## Generated for every packet that has a non-empty transport-layer payload.
 ## This is a very low-level and expensive event that should be avoided when
 ## at all possible. It's usually infeasible to handle when processing even
@@ -858,7 +871,7 @@ event udp_contents%(u: connection, is_orig: bool, contents: string%);
 ## Generated when a UDP session for a supported protocol has finished. Some of
 ## Bro's application-layer UDP analyzers flag the end of a session by raising
 ## this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA,
-## and Teredo support this.
+## Teredo, and GTPv1 support this.
 ##
 ## u: The connection record for the corresponding UDP flow.
 ##
diff --git a/src/gtpv1-analyzer.pac b/src/gtpv1-analyzer.pac
new file mode 100644
index 0000000000..08fbdef74a
--- /dev/null
+++ b/src/gtpv1-analyzer.pac
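Review bot: The new event doc does not say when a datagram that does carry a GTP header still yields no event, which handlers writing tunnel detections will want to know: gtpv1-analyzer.pac returns before the event for GTP' (`pt_flag` clear), for message types other than 255, and for any header with the Extension Header flag set, which the parser cannot currently get past. Suggest adding after the first paragraph: `## Packets whose Extension Header flag is set are currently neither decapsulated nor reported through this event.` It would also help to note that *inner_ip* is only built after the inner packet parsed successfully, so a handler can rely on it being a well-formed IPv4 or IPv6 header.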
@@ -0,0 +1,161 @@
+
+connection GTPv1_Conn(bro_analyzer: BroAnalyzer)
+ {
+ upflow = GTPv1_Flow(true);
+ downflow = GTPv1_Flow(false);
+
+ %member{
+ bool valid_orig;
+ bool valid_resp;
+ %}
+
+ %init{
+ valid_orig = valid_resp = false;
+ %}
+
+ function valid(orig: bool): bool
+ %{
+ return orig ? valid_orig : valid_resp;
+ %}
+
+ function set_valid(orig: bool, val: bool): void
+ %{
+ if ( orig )
+ valid_orig = val;
+ else
+ valid_resp = val;
+ %}
+ }
+
+%code{
+inline void violate(const char* r, const BroAnalyzer& a, const bytestring& p)
+ {
+ a->ProtocolViolation(r, (const char*) p.data(), p.length());
+ }
+%}
+
+flow GTPv1_Flow(is_orig: bool)
+ {
+ datagram = GTPv1_Header withcontext(connection, this);
+
+ function process_gtpv1(pdu: GTPv1_Header): bool
+ %{
+ BroAnalyzer a = connection()->bro_analyzer();
+ Connection *c = a->Conn();
+ const EncapsulationStack* e = c->GetEncapsulation();
+
+ connection()->set_valid(is_orig(), false);
+
+ if ( e && e->Depth() >= BifConst::Tunnel::max_depth )
+ {
+ reporter->Weird(c, "tunnel_depth");
+ return false;
+ }
+
+ if ( e && e->LastType() == BifEnum::Tunnel::GTPv1 )
+ {
+ // GTP is never tunneled in GTP so, this must be a regular packet
+ violate("GTP-in-GTP", a, ${pdu.packet});
+ return false;
+ }
+
+ if ( ${pdu.version} != 1 )
+ {
+ // Only know of GTPv1 with Version == 1
+ violate("GTPv1 bad Version", a, ${pdu.packet});
+ return false;
+ }
+
+ if ( ! ${pdu.pt_flag} )
+ {
+ // Not interested in GTP'
+ return false;
+ }
+
+ if ( ${pdu.e_flag} )
+ {
+ // TODO: can't currently parse past extension headers
+ return false;
+ }
+
+ if ( ${pdu.msg_type} != 0xff )
+ {
+ // Only interested in decapsulating user plane data beyond here.
+ return false;
+ }
+
+ if ( ${pdu.packet}.length() < (int)sizeof(struct ip) )
+ {
+ violate("Truncated GTPv1", a, ${pdu.packet});
+ return false;
+ }
+
+ const struct ip* ip = (const struct ip*) ${pdu.packet}.data();
+
+ if ( ip->ip_v != 4 && ip->ip_v != 6 )
+ {
+ violate("non-IP packet in GTPv1", a, ${pdu.packet});
+ return false;
+ }
+
+ IP_Hdr* inner = 0;
+ int result = sessions->ParseIPPacket(${pdu.packet}.length(),
+ ${pdu.packet}.data(), ip->ip_v == 6 ? IPPROTO_IPV6 : IPPROTO_IPV4,
+ inner);
+
+ if ( result == 0 )
+ {
+ connection()->set_valid(is_orig(), true);
+
+ if ( (! BifConst::Tunnel::delay_gtp_confirmation) ||
+ (connection()->valid(true) && connection()->valid(false)) )
+ a->ProtocolConfirmation();
+ }
+
+ else if ( result < 0 )
+ violate("Truncated GTPv1", a, ${pdu.packet});
+
+ else
+ violate("GTPv1 payload length", a, ${pdu.packet});
+
+ if ( result != 0 )
+ {
+ delete inner;
+ return false;
+ }
+
+ if ( ::gtpv1_g_pdu_packet )
+ {
+ RecordVal* rv = new RecordVal(gtpv1_hdr_type);
+
+ rv->Assign(0, new Val(${pdu.version}, TYPE_COUNT));
+ rv->Assign(1, new Val(${pdu.pt_flag}, TYPE_BOOL));
+ rv->Assign(2, new Val(${pdu.rsv}, TYPE_BOOL));
+ rv->Assign(3, new Val(${pdu.e_flag}, TYPE_BOOL));
+ rv->Assign(4, new Val(${pdu.s_flag}, TYPE_BOOL));
+ rv->Assign(5, new Val(${pdu.pn_flag}, TYPE_BOOL));
+ rv->Assign(6, new Val(${pdu.msg_type}, TYPE_COUNT));
+ rv->Assign(7, new Val(ntohs(${pdu.length}), TYPE_COUNT));
+ rv->Assign(8, new Val(ntohl(${pdu.teid}), TYPE_COUNT));
+
+ if ( ${pdu.has_opt} )
+ {
+ rv->Assign(9, new Val(ntohs(${pdu.opt_hdr.seq}), TYPE_COUNT));
+ rv->Assign(10, new Val(${pdu.opt_hdr.n_pdu}, TYPE_COUNT));
+ rv->Assign(11, new Val(${pdu.opt_hdr.next_type}, TYPE_COUNT));
+ }
+
+ BifEvent::generate_gtpv1_g_pdu_packet(a, c, rv,
+ inner->BuildPktHdrVal());
+ }
+
+ EncapsulatingConn ec(c, BifEnum::Tunnel::GTPv1);
+
+ sessions->DoNextInnerPacket(network_time(), 0, inner, e, ec);
+
+ return (result == 0) ? true : false;
+ %}
+
+ };
+
+refine typeattr GTPv1_Header += &let { proc_gtpv1 = $context.flow.process_gtpv1(this); };
diff --git a/src/gtpv1-protocol.pac b/src/gtpv1-protocol.pac
new file mode 100644
index 0000000000..5bf31a48ee
--- /dev/null
+++ b/src/gtpv1-protocol.pac
@@ -0,0 +1,27 @@
+
+type GTPv1_Header = record {
+ flags: uint8;
+ msg_type: uint8;
+ length: uint16;
+ teid: uint32;
+ opt: case has_opt of {
+ true -> opt_hdr: GTPv1_Opt_Header;
+ false -> no_opt: empty;
+ } &requires(has_opt);
+ packet: bytestring &restofdata;
+
+} &let {
+ version: uint8 = (flags & 0xE0) >> 5;
+ pt_flag: bool = flags & 0x10;
+ rsv: bool = flags & 0x08;
+ e_flag: bool = flags & 0x04;
+ s_flag: bool = flags & 0x02;
+ pn_flag: bool = flags & 0x01;
+ has_opt: bool = flags & 0x07;
+} &byteorder = littleendian;
+
+type GTPv1_Opt_Header = record {
+ seq: uint16;
+ n_pdu: uint8;
+ next_type: uint8;
+}
diff --git a/src/gtpv1.pac b/src/gtpv1.pac
new file mode 100644
index 0000000000..d155ecfd67
--- /dev/null
+++ b/src/gtpv1.pac
@@ -0,0 +1,10 @@
+%include binpac.pac
+%include bro.pac
+
+analyzer GTPv1 withcontext {
+ connection: GTPv1_Conn;
+ flow: GTPv1_Flow;
+};
+
+%include gtpv1-protocol.pac
+%include gtpv1-analyzer.pac
diff --git a/src/types.bif b/src/types.bif
index 34e17ce28e..888310419c 100644
--- a/src/types.bif
+++ b/src/types.bif
@@ -184,6 +184,7 @@ enum Type %{
 AYIYA,
 TEREDO,
 SOCKS,
+ GTPv1,
 %}
 
 type EncapsulatingConn: record;
diff --git a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log
new file mode 100644
index 0000000000..e2861b4ae1
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log
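Review bot: The multi-byte header fields are parsed with `&byteorder = littleendian` in gtpv1-protocol.pac and then corrected in process_gtpv1 with `ntohs(${pdu.length})`, `ntohl(${pdu.teid})` and `ntohs(${pdu.opt_hdr.seq})`; that double step only yields the wire value on a little-endian host, since ntohs/ntohl are identities on a big-endian one, where the gtpv1_hdr record handed to gtpv1_g_pdu_packet would carry byte-swapped length, teid and seq. GTP fields are network byte order, so `} &byteorder = bigendian;` in the protocol file with the three calls reduced to `${pdu.length}`, `${pdu.teid}` and `${pdu.opt_hdr.seq}` gives the same result everywhere and drops the conversions. Two smaller points: `return (result == 0) ? true : false;` is only reached after the `if ( result != 0 ) { delete inner; return false; }` guard, so it can simply be `return true;`, and the GTP `length` field is never compared against `${pdu.packet}.length()`, so a header whose declared length disagrees with the datagram is accepted whenever the inner IP packet parses — the "GTPv1 payload length" violation presumably reflects only ParseIPPacket's own length check, which is worth stating in a comment on that branch.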
@@ -0,0 +1,12 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-17-03-55 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458850.321642 arKYeMETxOg 10.131.17.170 51803 173.199.115.168 80 tcp http 0.257902 1138 63424 S3 - 0 ShADadf 29 2310 49 65396 UWkUyAuUGXf,k6kgXLOoSKl +1333458850.325787 k6kgXLOoSKl 207.233.125.40 2152 167.55.105.244 2152 udp gtpv1 0.251127 65788 0 S0 - 0 D 49 67160 0 0 (empty) +1333458850.321642 UWkUyAuUGXf 167.55.105.244 5906 207.233.125.40 2152 udp gtpv1 0.257902 2542 0 S0 - 0 D 29 3354 0 0 (empty) +#close 2012-10-19-17-03-55 diff --git a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log new file mode 100644 index 0000000000..66b17e1200 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log 
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2012-10-19-17-03-55 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file +1333458850.340368 arKYeMETxOg 10.131.17.170 51803 173.199.115.168 80 1 GET cdn.epicgameads.com /ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=4&cac=1&t=728x90&cb=1333458879 http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&channel=4&cb=1333458905296 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 0 31461 200 OK - - - (empty) - - - application/x-shockwave-flash - - +1333458850.399501 arKYeMETxOg 10.131.17.170 51803 173.199.115.168 80 2 GET cdn.epicgameads.com /ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=0&cac=1&t=728x90&cb=1333458881 http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&cb=1333458920207 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 0 31461 200 OK - - - (empty) - - - application/x-shockwave-flash - - +#close 2012-10-19-17-03-55 diff --git a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/tunnel.log b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/tunnel.log new file mode 100644 index 0000000000..233ad1c850 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/tunnel.log 
@@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2012-10-19-17-03-55 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1333458850.321642 UWkUyAuUGXf 167.55.105.244 5906 207.233.125.40 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.325787 k6kgXLOoSKl 207.233.125.40 2152 167.55.105.244 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.579544 k6kgXLOoSKl 207.233.125.40 2152 167.55.105.244 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.579544 UWkUyAuUGXf 167.55.105.244 5906 207.233.125.40 2152 Tunnel::GTPv1 Tunnel::CLOSE +#close 2012-10-19-17-03-55 diff --git a/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log new file mode 100644 index 0000000000..1234558195 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-17-07-44 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458871.219794 UWkUyAuUGXf 10.131.24.6 2152 195.178.38.3 53 udp dns - - - S0 - 0 D 1 64 0 0 (empty) +#close 2012-10-19-17-07-44 diff --git a/testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log new file mode 100644 index 0000000000..a293d6ff6a --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dns +#open 2012-10-19-17-07-44 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected +#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool +1333458871.219794 UWkUyAuUGXf 10.131.24.6 2152 195.178.38.3 53 udp 27595 abcd.efg.hijklm.nm 1 C_INTERNET 1 A - - F F T F 0 - - F +#close 2012-10-19-17-07-44 diff --git a/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log new file mode 100644 index 0000000000..326205172a --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log @@ -0,0 +1,12 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-17-21-27 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458851.770000 arKYeMETxOg fe80::224c:4fff:fe43:414c 1234 ff02::1:3 5355 udp dns - - - S0 - 0 D 1 80 0 0 UWkUyAuUGXf +1333458851.770000 UWkUyAuUGXf 118.92.124.41 2152 118.92.124.72 2152 udp gtpv1 0.199236 152 0 S0 - 0 D 2 208 0 0 (empty) +1333458851.969236 k6kgXLOoSKl fe80::224c:4fff:fe43:414c 133 ff02::2 134 icmp - - - - OTH - 0 - 1 56 0 0 UWkUyAuUGXf +#close 2012-10-19-17-21-27 diff --git a/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/tunnel.log b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/tunnel.log new file mode 100644 index 0000000000..dfae2ba269 --- /dev/null 
+++ b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/tunnel.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2012-10-19-17-21-27 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1333458851.770000 UWkUyAuUGXf 118.92.124.41 2152 118.92.124.72 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458851.969236 UWkUyAuUGXf 118.92.124.41 2152 118.92.124.72 2152 Tunnel::GTPv1 Tunnel::CLOSE +#close 2012-10-19-17-21-27 diff --git a/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log new file mode 100644 index 0000000000..9c3e1f6f66 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log 
@@ -0,0 +1,26 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-17-34-25 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458850.037956 qCaWGmzFtM5 10.131.112.102 51403 94.245.121.253 3544 udp teredo - - - SHR - 0 d 0 0 1 84 GSxOnSLghOa +1333458850.040098 70MGiRM1Qf4 174.94.190.229 2152 190.104.181.57 2152 udp gtpv1 0.003698 192 0 S0 - 0 D 2 248 0 0 (empty) +1333458850.016620 nQcgTWjvg4c 172.24.16.121 61901 94.245.121.251 3544 udp teredo - - - S0 - 0 D 1 80 0 0 k6kgXLOoSKl +1333458850.029781 FrJExwHcSal 172.24.16.67 52298 94.245.121.253 3544 udp teredo - - - S0 - 0 D 1 88 0 0 TEfuqmmG4bh +1333458850.035456 VW0XPVINV8a 190.104.181.210 2152 190.104.181.125 2152 udp gtpv1 0.000004 194 0 S0 - 0 D 2 250 0 0 (empty) +1333458850.016620 k6kgXLOoSKl 174.94.190.229 2152 190.104.181.62 2152 udp gtpv1 0.016267 88 92 SF - 0 Dd 1 116 1 120 (empty) +1333458850.029781 TEfuqmmG4bh 190.104.181.254 2152 190.104.181.62 2152 udp gtpv1 0.000002 192 0 S0 - 0 D 2 248 0 0 (empty) +1333458850.035460 iE6yhOq3SF 172.27.159.9 63912 94.245.121.254 3544 udp teredo - - - S0 - 0 D 1 89 0 0 VW0XPVINV8a +1333458850.037956 GSxOnSLghOa 190.104.181.57 2152 190.104.181.222 2152 udp gtpv1 - - - S0 - 0 D 1 120 0 0 (empty) +1333458850.014199 UWkUyAuUGXf 174.94.190.213 2152 190.104.181.57 2152 udp gtpv1 - - - S0 - 0 D 1 124 0 0 (empty) +1333458850.040098 h5DsfNtYzi1 172.24.203.81 54447 65.55.158.118 3544 udp teredo 0.003698 120 0 S0 - 0 D 2 176 0 0 70MGiRM1Qf4 +1333458850.029783 5OKnoww6xl4 172.24.16.67 52298 65.55.158.118 3544 udp teredo - - - S0 - 0 D 1 88 0 0 TEfuqmmG4bh +1333458850.032887 3PKsZ2Uye21 10.131.42.160 62069 94.245.121.253 3544 udp teredo - - 
- SHR - 0 d 0 0 1 84 k6kgXLOoSKl +1333458850.014199 arKYeMETxOg 172.24.204.200 56528 65.55.158.118 3544 udp teredo - - - S0 - 0 D 1 88 0 0 UWkUyAuUGXf +1333458850.035456 fRFu0wcOle6 172.27.159.9 63912 94.245.121.253 3544 udp teredo - - - S0 - 0 D 1 89 0 0 VW0XPVINV8a +1333458850.016620 j4u32Pc5bif 2001:0:5ef5:79fb:38b8:1695:2b37:be8e 128 2002:2571:c817::2571:c817 129 icmp - - - - OTH - 0 - 1 52 0 0 nQcgTWjvg4c +1333458850.035456 qSsw6ESzHV4 fe80::ffff:ffff:fffe 133 ff02::2 134 icmp - 0.000004 0 0 OTH - 0 - 2 96 0 0 fRFu0wcOle6,iE6yhOq3SF +#close 2012-10-19-17-34-25 diff --git a/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/tunnel.log b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/tunnel.log new file mode 100644 index 0000000000..904fcc7db6 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/tunnel.log 
@@ -0,0 +1,27 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2012-10-19-17-34-25 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1333458850.014199 UWkUyAuUGXf 174.94.190.213 2152 190.104.181.57 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.016620 k6kgXLOoSKl 174.94.190.229 2152 190.104.181.62 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.016620 nQcgTWjvg4c 172.24.16.121 61901 94.245.121.251 3544 Tunnel::TEREDO Tunnel::DISCOVER +1333458850.029781 TEfuqmmG4bh 190.104.181.254 2152 190.104.181.62 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.035456 VW0XPVINV8a 190.104.181.210 2152 190.104.181.125 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.035456 fRFu0wcOle6 172.27.159.9 63912 94.245.121.253 3544 Tunnel::TEREDO Tunnel::DISCOVER +1333458850.035460 iE6yhOq3SF 172.27.159.9 63912 94.245.121.254 3544 Tunnel::TEREDO Tunnel::DISCOVER +1333458850.037956 GSxOnSLghOa 190.104.181.57 2152 190.104.181.222 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.040098 70MGiRM1Qf4 174.94.190.229 2152 190.104.181.57 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.043796 70MGiRM1Qf4 174.94.190.229 2152 190.104.181.57 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.043796 nQcgTWjvg4c 172.24.16.121 61901 94.245.121.251 3544 Tunnel::TEREDO Tunnel::CLOSE +1333458850.043796 VW0XPVINV8a 190.104.181.210 2152 190.104.181.125 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.043796 k6kgXLOoSKl 174.94.190.229 2152 190.104.181.62 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.043796 TEfuqmmG4bh 190.104.181.254 2152 190.104.181.62 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.043796 iE6yhOq3SF 172.27.159.9 63912 94.245.121.254 3544 Tunnel::TEREDO Tunnel::CLOSE +1333458850.043796 GSxOnSLghOa 190.104.181.57 2152 190.104.181.222 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.043796 UWkUyAuUGXf 174.94.190.213 2152 190.104.181.57 2152 Tunnel::GTPv1 Tunnel::CLOSE +1333458850.043796 
fRFu0wcOle6 172.27.159.9 63912 94.245.121.253 3544 Tunnel::TEREDO Tunnel::CLOSE +#close 2012-10-19-17-34-25 diff --git a/testing/btest/Baseline/core.tunnels.gtp.non_recursive/out b/testing/btest/Baseline/core.tunnels.gtp.non_recursive/out new file mode 100644 index 0000000000..a299c4d592 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.non_recursive/out @@ -0,0 +1 @@ +protocol_violation, [orig_h=74.125.216.149, orig_p=2152/udp, resp_h=10.131.138.69, resp_p=2152/udp], GTP-in-GTP [n\xd9'|\x00\x00\x01\xb6[\xf6\xdc0\xb7d\xe5\xe6\xa76\x91\xfbk\x0e\x02\xc8A\x05\xa8\xe6\xf3Gi\x80(]\xcew\x84\xae}\xd2...] diff --git a/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log b/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log new file mode 100644 index 0000000000..ad6e4fb2c4 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-17-46-48 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458850.532814 UWkUyAuUGXf 247.56.43.90 2152 247.56.43.248 2152 udp - - - - S0 - 0 D 1 52 0 0 (empty) +1333458850.867091 arKYeMETxOg 247.56.43.214 2152 237.56.101.238 2152 udp - 0.028676 12 14 SF - 0 Dd 1 40 1 42 (empty) +#close 2012-10-19-17-46-48 diff --git a/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log b/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log new file mode 100644 index 0000000000..9f250903f2 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log 
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-17-19-16 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458852.011535 arKYeMETxOg 10.222.10.10 44960 173.194.69.188 5228 tcp ssl 0.573499 704 1026 S1 - 0 ShADad 17 1604 14 1762 UWkUyAuUGXf +1333458852.011535 UWkUyAuUGXf 79.188.154.91 2152 243.149.173.198 2152 udp gtpv1 0.573499 1740 1930 SF - 0 Dd 17 2216 14 2322 (empty) +#close 2012-10-19-17-19-16 diff --git a/testing/btest/Baseline/core.tunnels.gtp.opt_header/out b/testing/btest/Baseline/core.tunnels.gtp.opt_header/out new file mode 100644 index 0000000000..7feeb2a110 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.opt_header/out 
@@ -0,0 +1,31 @@ +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=60, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=60, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=64, teid=159098, seq=0, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=170, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=1, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=194, teid=159098, seq=2, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=111, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=3, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=89, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=4, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=93, teid=159098, seq=5, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, 
teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=457, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=157, teid=159098, seq=6, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=173, teid=159098, seq=7, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=137, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=8, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=157, teid=159098, seq=9, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=189, teid=159098, seq=10, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=173, teid=159098, seq=11, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=205, teid=159098, seq=12, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=189, teid=159098, seq=13, n_pdu=0, next_type=0] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, 
msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] +gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=, n_pdu=, next_type=] diff --git a/testing/btest/Baseline/core.tunnels.gtp.opt_header/tunnel.log b/testing/btest/Baseline/core.tunnels.gtp.opt_header/tunnel.log new file mode 100644 index 0000000000..a421f399ec --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.opt_header/tunnel.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2012-10-19-17-19-16 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1333458852.011535 UWkUyAuUGXf 79.188.154.91 2152 243.149.173.198 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458852.585034 UWkUyAuUGXf 79.188.154.91 2152 243.149.173.198 2152 Tunnel::GTPv1 Tunnel::CLOSE +#close 2012-10-19-17-19-16 diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log new file mode 100644 index 0000000000..b5f61564cf --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log 
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2012-10-19-16-44-02 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1333458850.364667 arKYeMETxOg 10.131.47.185 1923 79.101.110.141 80 tcp http 0.069783 2100 56702 SF - 0 ShADadfF 27 3204 41 52594 UWkUyAuUGXf +1333458850.364667 UWkUyAuUGXf 239.114.155.111 2152 63.94.149.181 2152 udp gtpv1 0.069813 3420 52922 SF - 0 Dd 27 4176 41 54070 (empty) +#close 2012-10-19-16-44-02 diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log new file mode 100644 index 0000000000..8a994d56af --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2012-10-19-16-44-02 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file +1333458850.375568 arKYeMETxOg 10.131.47.185 1923 79.101.110.141 80 1 GET o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com /videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1 http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11 0 56320 206 Partial Content - - - (empty) - - - application/octet-stream - - +#close 2012-10-19-16-44-02 diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/tunnel.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/tunnel.log new file mode 100644 index 0000000000..54c4acd0d6 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/tunnel.log 
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2012-10-19-16-44-02 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1333458850.364667 UWkUyAuUGXf 239.114.155.111 2152 63.94.149.181 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458850.434480 UWkUyAuUGXf 239.114.155.111 2152 63.94.149.181 2152 Tunnel::GTPv1 Tunnel::CLOSE +#close 2012-10-19-16-44-02 diff --git a/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log new file mode 100644 index 0000000000..221fa16f4f --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dpd +#open 2012-10-19-17-38-54 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason +#types time string addr port addr port enum string string +1333458853.075889 UWkUyAuUGXf 173.86.159.28 2152 213.72.147.186 2152 udp GTPV1 Truncated GTPv1 [E\x00\x05\xc8G\xea@\x00\x80\x06\xb6\x83\x0a\x83w&\xd9\x14\x9c\x04\xd9\xc2\x00P\xddh\xb4\x8f41eVP\x10\x10\xe0u\xcf\x00\x00...] +#close 2012-10-19-17-38-54 diff --git a/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/tunnel.log b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/tunnel.log new file mode 100644 index 0000000000..659090a581 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/tunnel.log 
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2012-10-19-17-38-54 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1333458853.034734 UWkUyAuUGXf 173.86.159.28 2152 213.72.147.186 2152 Tunnel::GTPv1 Tunnel::DISCOVER +1333458853.108391 UWkUyAuUGXf 173.86.159.28 2152 213.72.147.186 2152 Tunnel::GTPv1 Tunnel::CLOSE +#close 2012-10-19-17-38-54 diff --git a/testing/btest/Traces/tunnels/gtp/gtp10_not_0xff.pcap b/testing/btest/Traces/tunnels/gtp/gtp10_not_0xff.pcap new file mode 100755 index 0000000000..575edf55f9 Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp10_not_0xff.pcap differ diff --git a/testing/btest/Traces/tunnels/gtp/gtp1_gn_normal_incl_fragmentation.pcap b/testing/btest/Traces/tunnels/gtp/gtp1_gn_normal_incl_fragmentation.pcap new file mode 100755 index 0000000000..7ca3b3b05d Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp1_gn_normal_incl_fragmentation.pcap differ diff --git a/testing/btest/Traces/tunnels/gtp/gtp2_different_udp_port.pcap b/testing/btest/Traces/tunnels/gtp/gtp2_different_udp_port.pcap new file mode 100755 index 0000000000..fda97cdaf5 Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp2_different_udp_port.pcap differ diff --git a/testing/btest/Traces/tunnels/gtp/gtp3_false_gtp.pcap b/testing/btest/Traces/tunnels/gtp/gtp3_false_gtp.pcap new file mode 100755 index 0000000000..e623fd7912 Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp3_false_gtp.pcap differ diff --git a/testing/btest/Traces/tunnels/gtp/gtp4_udp_2152_inside.pcap b/testing/btest/Traces/tunnels/gtp/gtp4_udp_2152_inside.pcap new file mode 100755 index 0000000000..ca67a37046 Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp4_udp_2152_inside.pcap differ 
diff --git a/testing/btest/Traces/tunnels/gtp/gtp6_gtp_0x32.pcap b/testing/btest/Traces/tunnels/gtp/gtp6_gtp_0x32.pcap
new file mode 100755
index 0000000000..7dd3905c5d
Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp6_gtp_0x32.pcap differ
diff --git a/testing/btest/Traces/tunnels/gtp/gtp7_ipv6.pcap b/testing/btest/Traces/tunnels/gtp/gtp7_ipv6.pcap
new file mode 100755
index 0000000000..4f358bc374
Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp7_ipv6.pcap differ
diff --git a/testing/btest/Traces/tunnels/gtp/gtp8_teredo.pcap b/testing/btest/Traces/tunnels/gtp/gtp8_teredo.pcap
new file mode 100755
index 0000000000..fff0b2ddfb
Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp8_teredo.pcap differ
diff --git a/testing/btest/Traces/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap b/testing/btest/Traces/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap
new file mode 100755
index 0000000000..a39026aeff
Binary files /dev/null and b/testing/btest/Traces/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap differ
diff --git a/testing/btest/core/leaks/gtp_opt_header.test b/testing/btest/core/leaks/gtp_opt_header.test
new file mode 100644
index 0000000000..76c65d5762
--- /dev/null
+++ b/testing/btest/core/leaks/gtp_opt_header.test
@@ -0,0 +1,15 @@
+# Needs perftools support.
+#
+# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -r $TRACES/tunnels/gtp/gtp6_gtp_0x32.pcap %INPUT >out
+
+# Some GTPv1 headers have some optional fields totaling to a 4-byte extension
+# of the mandatory header.
+
+event gtpv1_g_pdu_packet(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr)
+	{
+	print "gtpv1_packet", inner_gtp;
+	}
diff --git a/testing/btest/core/tunnels/gtp/different_dl_and_ul.test b/testing/btest/core/tunnels/gtp/different_dl_and_ul.test
new file mode 100644
index 0000000000..136853c463
--- /dev/null
+++ b/testing/btest/core/tunnels/gtp/different_dl_and_ul.test
@@ -0,0 +1,10 @@
+# @TEST-EXEC: bro -C -r $TRACES/tunnels/gtp/gtp2_different_udp_port.pcap
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+# Uplink GTP tunnel uses src port 5906 and dst port 2152.
+# One side on port 2152 qualifies for GTP user plane.
+# The Downlink GTP tunnel uses port 2152 for both src and dst.
+# (checksums are incorrect because packets were anonymized and tcprewrite
+# seems to fail to correct the checksums when there's IP fragmentation).
diff --git a/testing/btest/core/tunnels/gtp/false_gtp.test b/testing/btest/core/tunnels/gtp/false_gtp.test
new file mode 100644
index 0000000000..6e84be7323
--- /dev/null
+++ b/testing/btest/core/tunnels/gtp/false_gtp.test
@@ -0,0 +1,8 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp3_false_gtp.pcap
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff dns.log
+# @TEST-EXEC: test ! -e tunnel.log
+
+# The fact that udp port 2152 on only one side already qualifies for GTP
+# increases the risk for false positives, see this trace. This is not a
+# GTP packet, but a DNS packet which just happens to use port 2152
diff --git a/testing/btest/core/tunnels/gtp/inner_ipv6.test b/testing/btest/core/tunnels/gtp/inner_ipv6.test
new file mode 100644
index 0000000000..97d8562ecc
--- /dev/null
+++ b/testing/btest/core/tunnels/gtp/inner_ipv6.test
@@ -0,0 +1,6 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp7_ipv6.pcap
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+# While the majority of user plane traffic inside the GTP tunnel is still IPv4,
+# there is sometimes already native IPv6.
diff --git a/testing/btest/core/tunnels/gtp/inner_teredo.test b/testing/btest/core/tunnels/gtp/inner_teredo.test
new file mode 100644
index 0000000000..9161d31229
--- /dev/null
+++ b/testing/btest/core/tunnels/gtp/inner_teredo.test
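Review bot: The false_gtp hunk asserts only that tunnel.log is absent, so it does not pin down whether the GTPv1 analyzer stays silent on the port-2152 DNS flow or reports a protocol_violation for it; both outcomes pass as written. If silence is the intended behaviour for this false-positive case, add `# @TEST-EXEC: test ! -e dpd.log`; if a violation is expected (the unknown_or_too_short baseline shows violations do end up in dpd.log), `# @TEST-EXEC: btest-diff dpd.log` would record it. The last comment line is also missing its full stop: `# GTP packet, but a DNS packet which just happens to use port 2152.`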
@@ -0,0 +1,7 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp8_teredo.pcap "Tunnel::delay_teredo_confirmation=F"
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+# GTP packets may carry Teredo packets. Toggled the delay teredo confirmation
+# option so that it shows in the service field (in one case the inner
+# connection of the teredo packet is carried over differing outer connections).
diff --git a/testing/btest/core/tunnels/gtp/non_recursive.test b/testing/btest/core/tunnels/gtp/non_recursive.test
new file mode 100644
index 0000000000..d44bfce79d
--- /dev/null
+++ b/testing/btest/core/tunnels/gtp/non_recursive.test
@@ -0,0 +1,11 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp4_udp_2152_inside.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+# In telecoms there is never a GTP tunnel within another GTP tunnel.
+# So if we find inside a GTP tunnel anohter IP/UDP packet with port 2152,
+# it is just a UDP packet, but not another GTP tunnel.
+
+event protocol_violation(c: connection, atype: count, aid: count, reason: string)
+	{
+	print "protocol_violation", c$id, reason;
+	}
diff --git a/testing/btest/core/tunnels/gtp/not_user_plane_data.test b/testing/btest/core/tunnels/gtp/not_user_plane_data.test
new file mode 100644
index 0000000000..a6a3333360
--- /dev/null
+++ b/testing/btest/core/tunnels/gtp/not_user_plane_data.test
@@ -0,0 +1,9 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp10_not_0xff.pcap
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: test ! -e tunnel.log
+
+# There are GTP tunnel packets, which do not contain user plane data. Only
+# those with gtp.message==0xff contain user plane data. Other GTP packets
+# without user plane data are echo request, echo reply, error indication
+# and stop marker (not included in trace). Those non-user plane GTP
+# packets are ignored for now.
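Review bot: The comment in the non_recursive hunk misspells "another"; the line should read `# So if we find inside a GTP tunnel another IP/UDP packet with port 2152,`. Separately, the handler prints `reason` verbatim, and the core.tunnels.gtp.non_recursive/out baseline shows that string carries escaped raw payload bytes after `GTP-in-GTP`, so the expected output is tied to the analyzer's byte-escaping and truncation format rather than to the decision under test; if the `GTP-in-GTP` prefix is stable, asserting on that prefix alone would make the baseline less brittle.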
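Review bot: The not_user_plane_data hunk states that non-0xff GTP messages are "ignored for now", but its checks only establish that no tunnel.log appears, which would equally hold if the analyzer raised a protocol_violation on every echo request or error indication; `# @TEST-EXEC: test ! -e dpd.log` would pin the intended silent-ignore behaviour, assuming dpd.log is where violations land as the unknown_or_too_short baseline suggests. The comment's `gtp.message==0xff` does not match the field name the script-side record prints in the opt_header baseline (`msg_type=255`); `# those with msg_type == 255 contain user plane data.` would keep the two consistent.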
diff --git a/testing/btest/core/tunnels/gtp/opt_header.test b/testing/btest/core/tunnels/gtp/opt_header.test
new file mode 100644
index 0000000000..32329c7ca8
--- /dev/null
+++ b/testing/btest/core/tunnels/gtp/opt_header.test
@@ -0,0 +1,12 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/gtp/gtp6_gtp_0x32.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+# Some GTPv1 headers have some optional fields totaling to a 4-byte extension
+# of the mandatory header.
+
+event gtpv1_g_pdu_packet(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr)
+	{
+	print "gtpv1_packet", inner_gtp;
+	}
diff --git a/testing/btest/core/tunnels/gtp/outer_ip_frag.test b/testing/btest/core/tunnels/gtp/outer_ip_frag.test
new file mode 100644
index 0000000000..b2badb9c1b
--- /dev/null
+++ b/testing/btest/core/tunnels/gtp/outer_ip_frag.test
@@ -0,0 +1,11 @@
+# @TEST-EXEC: bro -C -r $TRACES/tunnels/gtp/gtp1_gn_normal_incl_fragmentation.pcap
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+# Normal GTP file, incl. TCP handshake and HTTP message.
+# The inner IP packet is put into a GTP tunnel and as the original user payload
+# is already 1500 byte, the tunneled packet incl. GTP/UDP/IP payload is
+# bigger than 1500 byte and thus the outer IP must be fragmented, as seen here.
+# (checksums are incorrect because packets were anonymized and tcprewrite
+# seems to fail to correct the checksums when there's IP fragmentation).
diff --git a/testing/btest/core/tunnels/gtp/unknown_or_too_short.test b/testing/btest/core/tunnels/gtp/unknown_or_too_short.test
new file mode 100644
index 0000000000..e1b3d4ba20
--- /dev/null
+++ b/testing/btest/core/tunnels/gtp/unknown_or_too_short.test
@@ -0,0 +1,13 @@
+# @TEST-EXEC: bro -C -r $TRACES/tunnels/gtp/gtp9_unknown_or_too_short_payload.pcap
+# @TEST-EXEC: btest-diff dpd.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+# Packet 11, epoch time 1333458853.075889 is malformed. Only 222 byte are
+# captured, although according to the IP header a full packet should be
+# available. In Sessions.cc this throws a weird message at line 710.
+# Packet 12, epoch time 1333458853.075904 is malformed. The user plane
+# packet is no IPv4 nor IPv6 packet. Very probably this is a follow up
+# issue on a problem of the user plane packet before it was put into the
+# tunnel. The user plane packet may got corrupt and then put into 2 tunnel
+# packets, here packet 11 and 12, and in packet 12 the user plane data is
+# part of the remainder of the broken user plane packet of packet 11.
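Review bot: The comment `# available. In Sessions.cc this throws a weird message at line 710.` ties the explanation to a source line number that will drift with the next edit to Sessions.cc. The dpd.log baseline for this test records the failure for the packet at 1333458853.075889 as `Truncated GTPv1`, so if that is the message meant, naming it keeps the comment accurate: `# available; the analyzer reports this as a "Truncated GTPv1" violation (see dpd.log).` Minor grammar in the same block: `Only 222 byte are` should be `Only 222 bytes are`, and `may got corrupt` should be `may have been corrupted`.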