diff --git a/scripts/base/frameworks/tunnels/main.zeek b/scripts/base/frameworks/tunnels/main.zeek
index 9f58fb5540..688d1d7f67 100644
--- a/scripts/base/frameworks/tunnels/main.zeek
+++ b/scripts/base/frameworks/tunnels/main.zeek
@@ -93,7 +93,7 @@ export {
 const ayiya_ports = { 5072/udp };
 const teredo_ports = { 3544/udp };
 const gtpv1_ports = { 2152/udp, 2123/udp };
-redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports, vxlan_ports };
+redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports, vxlan_ports, geneve_ports };
 
 event zeek_init() &priority=5
 {
@@ -103,6 +103,7 @@ event zeek_init() &priority=5
 Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports);
 Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
 Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports);
+Analyzer::register_for_ports(Analyzer::ANALYZER_GENEVE, geneve_ports);
 }
 
 function register_all(ecv: EncapsulatingConnVector)
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 1ac0114a46..e8cd896adc 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -5029,6 +5029,12 @@ export {
 ## if you customize this, you may still want to manually ensure that
 ## :zeek:see:`likely_server_ports` also gets populated accordingly.
 const vxlan_ports: set[port] = { 4789/udp } &redef;
+ ## The set of UDP ports used for Geneve traffic. Traffic using this
+ ## UDP destination port will attempt to be decapsulated. Note that if
+ ## if you customize this, you may still want to manually ensure that
+ ## :zeek:see:`likely_server_ports` also gets populated accordingly.
+ const geneve_ports: set[port] = { 6081/udp } &redef;
 } # end export
 
 module Reporter;
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index f63d021ccd..49dde00190 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
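Review bot: The doc comment added for `geneve_ports` in init-bare.zeek doubles a word across its second and third lines — `Note that if` followed by `if you customize this` — apparently inherited from the `vxlan_ports` comment directly above it; drop the trailing `if` so the two lines read `## UDP destination port will attempt to be decapsulated. Note that` / `## if you customize this, you may still want to manually ensure that`. It would also help operators to state here that every UDP payload sent to a port in this set is parsed as Geneve and its encapsulated packet fed back into analysis, since that is what the `register_for_ports` call in main.zeek wires this set up for. The enclosing `export` block begins and ends outside the hunk.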
@@ -9,6 +9,7 @@ add_subdirectory(dns)
 add_subdirectory(file)
 add_subdirectory(finger)
 add_subdirectory(ftp)
+add_subdirectory(geneve)
 add_subdirectory(gnutella)
 add_subdirectory(gssapi)
 add_subdirectory(gtpv1)
diff --git a/src/analyzer/protocol/geneve/CMakeLists.txt b/src/analyzer/protocol/geneve/CMakeLists.txt
new file mode 100644
index 0000000000..b00de62376
--- /dev/null
+++ b/src/analyzer/protocol/geneve/CMakeLists.txt
@@ -0,0 +1,8 @@
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(Zeek Geneve)
+zeek_plugin_cc(Geneve.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/geneve/Geneve.cc b/src/analyzer/protocol/geneve/Geneve.cc
new file mode 100644
index 0000000000..c3db3109bb
--- /dev/null
+++ b/src/analyzer/protocol/geneve/Geneve.cc
@@ -0,0 +1,88 @@
+// See the file in the main distribution directory for copyright.
+
+#include "zeek/analyzer/protocol/geneve/Geneve.h"
+
+#include "zeek/Conn.h"
+#include "zeek/IP.h"
+#include "zeek/RunState.h"
+#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
+
+#include "zeek/analyzer/protocol/geneve/events.bif.h"
+
+namespace zeek::analyzer::geneve {
+
+void Geneve_Analyzer::Done()
+ {
+ Analyzer::Done();
+ Event(udp_session_done);
+ }
+
+void Geneve_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
+ uint64_t seq, const IP_Hdr* ip, int caplen)
+ {
+ Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+ // Outer Ethernet, IP, and UDP layers already skipped.
+ // Also, generic UDP analyzer already checked/guarantees caplen >= len.
+
+ constexpr auto tunnel_header_len = 8;
+
+ if ( len < tunnel_header_len )
+ {
+ ProtocolViolation("Geneve header truncation", reinterpret_cast(data), len);
+ return;
+ }
+
+ auto outer = Conn()->GetEncapsulation();
+
+ if ( outer && outer->Depth() >= BifConst::Tunnel::max_depth )
+ {
+ Weird("tunnel_depth");
+ return;
+ }
+
+ if ( ! outer )
+ outer = std::make_shared();
+
+ EncapsulatingConn inner(Conn(), BifEnum::Tunnel::GENEVE);
+ outer->Add(inner);
+
+ auto tunnel_opt_len = data[0] << 1;
+ auto vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0);
+
+ if ( len < tunnel_header_len + tunnel_opt_len )
+ {
+ ProtocolViolation("Geneve option header truncation", reinterpret_cast(data), len);
+ return;
+ }
+
+ // Skip over the Geneve headers and create a new packet.
+ data += tunnel_header_len + tunnel_opt_len;
+ caplen -= tunnel_header_len + tunnel_opt_len;
+ len -= tunnel_header_len + tunnel_opt_len;
+
+ pkt_timeval ts;
+ ts.tv_sec = static_cast(run_state::current_timestamp);
+ ts.tv_usec = static_cast((run_state::current_timestamp - static_cast(ts.tv_sec)) * 1000000);
+ Packet pkt(DLT_EN10MB, &ts, caplen, len, data);
+ pkt.encap = outer;
+
+ if ( ! 
packet_mgr->ProcessInnerPacket(&pkt) )
+ {
+ ProtocolViolation("Geneve invalid inner packet");
+ return;
+ }
+
+ // This isn't really an error. It's just that the inner packet wasn't an IP packet (like ARP).
+ // Just return without reporting a violation.
+ if ( ! pkt.ip_hdr )
+ return;
+
+ ProtocolConfirmation();
+
+ if ( geneve_packet )
+ Conn()->EnqueueEvent(geneve_packet, nullptr, ConnVal(),
+ pkt.ip_hdr->ToPktHdrVal(), val_mgr->Count(vni));
+ }
+
+} // namespace zeek::analyzer::geneve
diff --git a/src/analyzer/protocol/geneve/Geneve.h b/src/analyzer/protocol/geneve/Geneve.h
new file mode 100644
index 0000000000..4b1d9ef609
--- /dev/null
+++ b/src/analyzer/protocol/geneve/Geneve.h
@@ -0,0 +1,24 @@
+// See the file in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/analyzer/Analyzer.h"
+
+namespace zeek::analyzer::geneve {
+
+class Geneve_Analyzer final : public analyzer::Analyzer {
+public:
+ explicit Geneve_Analyzer(Connection* conn)
+ : Analyzer("Geneve", conn)
+ {}
+
+ void Done() override;
+
+ void DeliverPacket(int len, const u_char* data, bool orig,
+ uint64_t seq, const IP_Hdr* ip, int caplen) override;
+
+ static analyzer::Analyzer* Instantiate(Connection* conn)
+ { return new Geneve_Analyzer(conn); }
+};
+
+} // namespace zeek::analyzer::vxlan
diff --git a/src/analyzer/protocol/geneve/Plugin.cc b/src/analyzer/protocol/geneve/Plugin.cc
new file mode 100644
index 0000000000..b2785febb4
--- /dev/null
+++ b/src/analyzer/protocol/geneve/Plugin.cc
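Review bot: The option-length computation in DeliverPacket, `auto tunnel_opt_len = data[0] << 1;`, does not match the Geneve base header: the first byte carries a 2-bit version followed by a 6-bit Opt Len expressed in 4-byte units (RFC 8926 §3.4), so it should be `auto tunnel_opt_len = (data[0] & 0x3f) << 2;`. As written, any non-zero version bits are folded into the length and the 4-byte units are halved, so every packet that carries options is decapsulated from the wrong offset; the later `len < tunnel_header_len + tunnel_opt_len` check still bounds the skip, so this is a misparse that will surface as a spurious "invalid inner packet" violation rather than an overread. Unknown versions should also be rejected before anything is derived from the header, e.g. `if ( (data[0] >> 6) != 0 ) { ProtocolViolation("Geneve unsupported version"); return; }`. Separately, the Protocol Type field in bytes 2-3 is never read and the payload is always handed to the packet manager as `DLT_EN10MB`, so a Geneve frame whose payload is IPv4/IPv6 directly (Protocol Type other than 0x6558) is parsed as if it began with an Ethernet header; checking that field before constructing the Packet would avoid that.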
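Review bot: The closing namespace comment on the last line of Geneve.h names the wrong namespace — `} // namespace zeek::analyzer::vxlan` closes `namespace zeek::analyzer::geneve`, evidently left over from the VXLAN analyzer this file was modeled on; change it to `} // namespace zeek::analyzer::geneve`. A one-line class comment would also help readers, e.g. `// UDP-layer analyzer for Geneve (RFC 8926) tunnels: strips the Geneve header and feeds the encapsulated packet back to the packet manager.`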
@@ -0,0 +1,22 @@
+// See the file in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+#include "zeek/analyzer/Component.h"
+#include "zeek/analyzer/protocol/geneve/Geneve.h"
+
+namespace zeek::plugin::detail::Zeek_Geneve {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+ zeek::plugin::Configuration Configure() override
+ {
+ AddComponent(new zeek::analyzer::Component("Geneve", zeek::analyzer::geneve::Geneve_Analyzer::Instantiate));
+
+ zeek::plugin::Configuration config;
+ config.name = "Zeek::Geneve";
+ config.description = "Geneve analyzer";
+ return config;
+ }
+} plugin;
+
+} // namespace zeek::plugin::detail::Zeek_Geneve
diff --git a/src/analyzer/protocol/geneve/events.bif b/src/analyzer/protocol/geneve/events.bif
new file mode 100644
index 0000000000..f399821f95
--- /dev/null
+++ b/src/analyzer/protocol/geneve/events.bif
@@ -0,0 +1,12 @@
+## Generated for any packet encapsulated in a Geneve tunnel.
+## See :rfc:`8926` for more information about the VXLAN protocol.
+##
+## outer: The Geneve tunnel connection.
+##
+## inner: The Geneve-encapsulated Ethernet packet header and transport header.
+##
+## vni: Geneve Network Identifier.
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+## it may become particularly expensive for real-time analysis.
+event geneve_packet%(outer: connection, inner: pkt_hdr, vni: count%);
diff --git a/src/types.bif b/src/types.bif
index 876365459c..543a92d4b6 100644
--- a/src/types.bif
+++ b/src/types.bif
@@ -193,6 +193,7 @@ enum Type %{
 HTTP,
 GRE,
 VXLAN,
+ GENEVE,
 %}
 
 type EncapsulatingConn: record;
diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2
index 92fc8c31a6..997b620e65 100644
--- a/testing/btest/Baseline/core.print-bpf-filters/output2
+++ b/testing/btest/Baseline/core.print-bpf-filters/output2
@@ -37,6 +37,7 @@
 1 563
 1 585
 1 587
+1 6081
 1 614
 1 631
 1 636
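Review bot: The second doc line of `geneve_packet` in events.bif still reads `## See :rfc:`8926` for more information about the VXLAN protocol.` — RFC 8926 is the Geneve specification, so it should say `for more information about the Geneve protocol.` The `inner` description also looks carried over: the value is built from `pkt.ip_hdr->ToPktHdrVal()` in Geneve.cc and the baseline output shows only `ip`/`ip6`/`tcp`/`udp`/`icmp` fields, so `## inner: The IP and transport-layer headers of the encapsulated packet.` describes it better than "Ethernet packet header". It is worth adding that the event is not raised when the encapsulated frame is not IP (Geneve.cc returns before enqueueing it in that case, giving ARP as the example), and that RFC 8926 calls the `vni` field the Virtual Network Identifier.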
@@ -57,8 +58,8 @@ 1 992 1 993 1 995 -64 and -63 or -64 port +65 and +64 or +65 port 42 tcp -22 udp +23 udp diff --git a/testing/btest/Baseline/core.tunnels.geneve/conn.log b/testing/btest/Baseline/core.tunnels.geneve/conn.log new file mode 100644 index 0000000000..4e671b771a --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.geneve/conn.log @@ -0,0 +1,15 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 192.168.56.12 12313 192.168.56.11 6081 udp geneve 3.006029 424 0 S0 - - 0 D 4 536 0 0 - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.56.12 18896 192.168.56.11 6081 udp - - - - S0 - - 0 D 1 78 0 0 - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.56.11 16613 192.168.56.12 6081 udp - - - - S0 - - 0 D 1 78 0 0 - +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 192.168.56.11 35671 192.168.56.12 6081 udp geneve 3.006103 424 0 S0 - - 0 D 4 536 0 0 - +XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 10.0.0.1 8 10.0.0.2 0 icmp - 3.006247 224 224 OTH - - 0 - 4 336 4 336 CUM0KZ3MLUfNB0cl11,C4J4Th3PJpwUYZZ6gc +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.tunnels.geneve/out b/testing/btest/Baseline/core.tunnels.geneve/out new file mode 100644 index 0000000000..00fd7ad64e --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.geneve/out 
@@ -0,0 +1,9 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +geneve_packet, [orig_h=192.168.56.11, orig_p=35671/udp, resp_h=192.168.56.12, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=62447, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=, tcp=, udp=, icmp=[icmp_type=8]], 123 +geneve_packet, [orig_h=192.168.56.12, orig_p=12313/udp, resp_h=192.168.56.11, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=6052, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=, tcp=, udp=, icmp=[icmp_type=0]], 123 +geneve_packet, [orig_h=192.168.56.11, orig_p=35671/udp, resp_h=192.168.56.12, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=62605, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=, tcp=, udp=, icmp=[icmp_type=8]], 123 +geneve_packet, [orig_h=192.168.56.12, orig_p=12313/udp, resp_h=192.168.56.11, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=6257, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=, tcp=, udp=, icmp=[icmp_type=0]], 123 +geneve_packet, [orig_h=192.168.56.11, orig_p=35671/udp, resp_h=192.168.56.12, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=62848, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=, tcp=, udp=, icmp=[icmp_type=8]], 123 +geneve_packet, [orig_h=192.168.56.12, orig_p=12313/udp, resp_h=192.168.56.11, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=6281, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=, tcp=, udp=, icmp=[icmp_type=0]], 123 +geneve_packet, [orig_h=192.168.56.11, orig_p=35671/udp, resp_h=192.168.56.12, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=63054, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=, tcp=, udp=, icmp=[icmp_type=8]], 123 +geneve_packet, [orig_h=192.168.56.12, orig_p=12313/udp, resp_h=192.168.56.11, resp_p=6081/udp], [ip=[hl=20, tos=0, len=84, id=6530, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=, tcp=, udp=, icmp=[icmp_type=0]], 123 
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 813ba4354b..9e79290d34 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -118,6 +118,7 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_Finger.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek + build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek build/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek build/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 7be8032039..b065d74ea5 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -118,6 +118,7 @@ scripts/base/init-frameworks-and-bifs.zeek build/scripts/base/bif/plugins/Zeek_Finger.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek + build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek build/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek build/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index aafea1436e..777c2b2b60 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -16,6 +16,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DTLS, 443/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_FTP, 21/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_FTP, 2811/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_GENEVE, 6081/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_GTPV1, 2123/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_GTPV1, 2152/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> @@ -82,6 +83,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DTLS, 443/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_FTP, 21/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_FTP, 2811/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_GENEVE, 6081/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_GTPV1, 2123/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_GTPV1, 2152/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> 
@@ -138,6 +140,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DNS, {5353<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DTLS, {443/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_GENEVE, {6081/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_HTTP, {80<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_IMAP, {143/tcp})) -> @@ -671,6 +674,7 @@ 0.000000 MetaHookPost LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, ./Zeek_HTTP.functions.bif.zeek, <...>/Zeek_HTTP.functions.bif.zeek) -> -1 
@@ -1020,6 +1024,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DTLS, 443/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_FTP, 21/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_FTP, 2811/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_GENEVE, 6081/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_GTPV1, 2123/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_GTPV1, 2152/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_HTTP, 1080/tcp)) @@ -1086,6 +1091,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DTLS, 443/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_FTP, 21/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_FTP, 2811/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_GENEVE, 6081/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_GTPV1, 2123/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_GTPV1, 2152/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_HTTP, 1080/tcp)) 
@@ -1142,6 +1148,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DNS, {5353<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DTLS, {443/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_GENEVE, {6081/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_HTTP, {80<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_IMAP, {143/tcp})) @@ -1675,6 +1682,7 @@ 0.000000 MetaHookPre LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) +0.000000 MetaHookPre LoadFile(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek) 0.000000 MetaHookPre LoadFile(0, ./Zeek_HTTP.functions.bif.zeek, <...>/Zeek_HTTP.functions.bif.zeek) 
@@ -2024,6 +2032,7 @@ 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DTLS, 443/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 21/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GENEVE, 6081/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GTPV1, 2123/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GTPV1, 2152/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp) @@ -2090,6 +2099,7 @@ 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DTLS, 443/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 21/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GENEVE, 6081/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GTPV1, 2123/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GTPV1, 2152/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp) 
@@ -2146,6 +2156,7 @@ 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, {5353<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, {443/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, {2811<...>/tcp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_GENEVE, {6081/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, {2152<...>/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, {80<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, {143/tcp}) @@ -2678,6 +2689,7 @@ 0.000000 | HookLoadFile ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek +0.000000 | HookLoadFile ./Zeek_Geneve.events.bif.zeek <...>/Zeek_Geneve.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_Gnutella.events.bif.zeek <...>/Zeek_Gnutella.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_HTTP.events.bif.zeek <...>/Zeek_HTTP.events.bif.zeek 0.000000 | HookLoadFile ./Zeek_HTTP.functions.bif.zeek <...>/Zeek_HTTP.functions.bif.zeek