From 5618b21ccaad0cd199cfa69f9f7665531d93279c Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Thu, 17 Jan 2019 18:03:10 -0600
Subject: [PATCH] Improve ERSPAN Type III support

Added check for the optional sub-header in ERSPAN Type III as well as additional truncation checks to the GRE parsing logic in general. Also added a unit test for ERSPAN Type II.
---
 CHANGES | 6 ++
 VERSION | 2 +-
 src/Sessions.cc | 61 ++++++++++++++----
 testing/btest/Baseline/core.erspanII/conn.log | 10 +++
 .../btest/Baseline/core.erspanII/tunnel.log | 10 +++
 testing/btest/Traces/erspanII.pcap | Bin 0 -> 1088 bytes
 testing/btest/core/erspanII.bro | 6 ++
 7 files changed, 83 insertions(+), 12 deletions(-)
 create mode 100644 testing/btest/Baseline/core.erspanII/conn.log
 create mode 100644 testing/btest/Baseline/core.erspanII/tunnel.log
 create mode 100644 testing/btest/Traces/erspanII.pcap
 create mode 100644 testing/btest/core/erspanII.bro

diff --git a/CHANGES b/CHANGES
index ecf41099c1..fd01287c0f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,10 @@
 
+2.6-86 | 2019-01-17 18:03:10 -0600
+
+ * Improve ERSPAN Type III support (Jon Siwek, Corelight)
+
+ * Implement ERSPAN type II and ERSPAN type III support (Stu H)
+
 2.6-82 | 2019-01-17 14:09:29 -0600
 
 * Change doc/ subdir into a git submodule (Jon Siwek, Corelight)
diff --git a/VERSION b/VERSION
index 714e4d7406..241a132ae2 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.6-82
+2.6-86
diff --git a/src/Sessions.cc b/src/Sessions.cc
index b467b61d92..2cab543fa9 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -544,27 +544,66 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 
 if ( gre_version == 0 )
 {
- if ( proto_typ == 0x6558 && len > gre_len + 14 )
+ if ( proto_typ == 0x6558 )
 {
 // transparent ethernet bridging
- eth_len = 14;
- proto_typ = ntohs(*((uint16*)(data + gre_len + 12)));
+ if ( len > gre_len + 14 )
+ {
+ eth_len = 14;
+ proto_typ = ntohs(*((uint16*)(data + gre_len + eth_len - 2)));
+ }
+ else
+ {
+ Weird("truncated_GRE", ip_hdr, encapsulation);
+ return;
+ }
 }
 
- if ( proto_typ == 0x88be && len > gre_len + 14 + 8)
+ else if ( proto_typ == 0x88be )
 {
 // ERSPAN type II
- erspan_len = 8;
- eth_len = 14;
- proto_typ = ntohs(*((uint16*)(data + gre_len + 20)));
+ if ( len > gre_len + 14 + 8 )
+ {
+ erspan_len = 8;
+ eth_len = 14;
+ proto_typ = ntohs(*((uint16*)(data + gre_len + erspan_len + eth_len - 2)));
+ }
+ else
+ {
+ Weird("truncated_GRE", ip_hdr, encapsulation);
+ return;
+ }
 }
 
- if ( proto_typ == 0x22eb && len > gre_len + 14 + 12)
+ else if ( proto_typ == 0x22eb )
 {
 // ERSPAN type III
- erspan_len = 12;
- eth_len = 14;
- proto_typ = ntohs(*((uint16*)(data + gre_len + 24)));
+ if ( len > gre_len + 14 + 12 )
+ {
+ erspan_len = 12;
+ eth_len = 14;
+
+ auto flags = data + erspan_len - 1;
+ bool have_opt_header = ((*flags & 0x01) == 0x01);
+
+ if ( have_opt_header )
+ {
+ if ( len > gre_len + erspan_len + 8 + eth_len )
+ erspan_len += 8;
+ else
+ {
+ Weird("truncated_GRE", ip_hdr, encapsulation);
+ return;
+ }
+ }
+
+ proto_typ = ntohs(*((uint16*)(data + gre_len + erspan_len + eth_len - 2)));
+ }
+ else
+ {
+ Weird("truncated_GRE", ip_hdr, encapsulation);
+ return;
+ }
 }
 
 if ( proto_typ == 0x0800 )
diff --git a/testing/btest/Baseline/core.erspanII/conn.log b/testing/btest/Baseline/core.erspanII/conn.log
new file mode 100644
index 0000000000..dc6f5c277e
--- /dev/null
+++ b/testing/btest/Baseline/core.erspanII/conn.log
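Review bot: `auto flags = data + erspan_len - 1;` in the ERSPAN type III branch computes the flags offset without `gre_len`, so it reads byte 11 of `data`; every other offset in this hunk (`data + gre_len + ...`) treats `data` as the start of the GRE header, which would put that byte inside the GRE header rather than at the last byte of the 12-byte ERSPAN header that carries the optional sub-header bit. The sub-header decision is then made from unrelated bytes: a packet that does carry the 8-byte sub-header has its Ethernet header and inner EtherType read 8 bytes early, and one that does not may be misparsed or rejected as truncated. Suggest `auto flags = data + gre_len + erspan_len - 1;`, assuming the `data` layout the other offsets rely on. The added erspanII trace does not exercise this type III path, so a type III capture with and without the sub-header would be worth adding. DoNextPacket begins and ends outside the hunk.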
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open 2019-01-17-23-57-23
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
+1402723255.667881 ClEkJM2Vm5giqnMf4h 23.0.0.2 8 23.0.0.3 0 icmp - 0.001727 144 144 OTH - - 0 - 2 200 2 200 CHhAvVGS1DHFjwGM9
+#close 2019-01-17-23-57-23
diff --git a/testing/btest/Baseline/core.erspanII/tunnel.log b/testing/btest/Baseline/core.erspanII/tunnel.log
new file mode 100644
index 0000000000..a9e5a8395b
--- /dev/null
+++ b/testing/btest/Baseline/core.erspanII/tunnel.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path tunnel
+#open 2019-01-17-23-57-23
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
+#types time string addr port addr port enum enum
+1402723255.667881 CHhAvVGS1DHFjwGM9 2.2.2.2 0 1.1.1.1 0 Tunnel::GRE Tunnel::DISCOVER
+#close 2019-01-17-23-57-23
diff --git a/testing/btest/Traces/erspanII.pcap b/testing/btest/Traces/erspanII.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..c601f2978162570ac17e4f1f0c644b624e29758d
GIT binary patch
literal 1088
zcmd<$<>jhiU|{gI(UxKa(*L1=nL(DpH!)ekKUl%gK+jUoSV6-jv8X&VPr=Yw&q&We
z6R4JjL6^a$G`Ao*u|UC4&qB{kK_fWKPa!C^Ou@v$(8Nd~ttdZNLBFJ^G%s5hr~sq~
z1VHwI?DB!q|Nk>EFflMQq~@72Z~|r6fZ{wv*bh_&HUp&o2#5m&M}D&~tn`Whx&+7u
z;S`3Cj~Io(BqIldD+9wc1_lR)fBI#{OhCX01Of~l`xqG5Sp>v6Qa~mE)jniq29Zom
zU>zwOQ-I;Z*vcRdbS4lpb1;N&We@|Y1%ef-*H@pV41(N_?uUhbWcYy<*$+%i5T9W9
zff?iv28MW=`yn}y3_q|T`vEN;rh?+3yC@F#B;Ra=~u=*^vc*qDQ!w>Ap
zen5){gdbq>Ky^Q`0)rz594L_dAo+9BS4IXI2Iu_Jypq(SVugaD{IblH)D(rJN`(|i
i24-U50Oy@MQH`INp=@EGJ{BMwlr}+t705;gAUgmxU23EN
literal 0
HcmV?d00001
diff --git a/testing/btest/core/erspanII.bro b/testing/btest/core/erspanII.bro
new file mode 100644
index 0000000000..b59c0ecf08
--- /dev/null
+++ b/testing/btest/core/erspanII.bro
@@ -0,0 +1,6 @@
+# @TEST-EXEC: bro -C -b -r $TRACES/erspanII.pcap %INPUT
+# @TEST-EXEC: btest-diff tunnel.log
+# @TEST-EXEC: btest-diff conn.log
+
+@load base/frameworks/tunnels
+@load base/protocols/conn