Merge remote-tracking branch 'origin/topic/awelzel/vxlan-per-packet-analyzer-confirmation'

* origin/topic/awelzel/vxlan-per-packet-analyzer-confirmation:
  packet_analysis: Do not raise analyzer_confirmation per-packet for tunnels

CHANGES

@@ -1,3 +1,8 @@
+5.2.0-dev.17 | 2022-09-27 13:30:27 +0200
+
+  * packet_analysis: Do not raise analyzer_confirmation per-packet for
+    tunnels (Arne Welzel, Corelight)
+
 5.2.0-dev.15 | 2022-09-23 13:33:16 -0700
 
   * Skip darwin builds on zeek-security repo (Tim Wojtulewicz, Corelight)

VERSION

@@ -1 +1 @@
-5.2.0-dev.15
+5.2.0-dev.17

src/packet_analysis/Analyzer.cc

@@ -168,26 +168,30 @@ void Analyzer::Weird(const char* name, Packet* packet, const char* addl) const
 
 void Analyzer::AnalyzerConfirmation(session::Session* session, zeek::Tag arg_tag)
 	{
-	if ( session->AnalyzerState(arg_tag) == session::AnalyzerConfirmationState::CONFIRMED )
+	const auto& effective_tag = arg_tag ? arg_tag : GetAnalyzerTag();
+
+	if ( session->AnalyzerState(effective_tag) == session::AnalyzerConfirmationState::CONFIRMED )
 		return;
 
-	session->SetAnalyzerState(GetAnalyzerTag(), session::AnalyzerConfirmationState::CONFIRMED);
+	session->SetAnalyzerState(effective_tag, session::AnalyzerConfirmationState::CONFIRMED);
 
 	if ( ! analyzer_confirmation )
 		return;
 
-	const auto& tval = arg_tag ? arg_tag.AsVal() : tag.AsVal();
-	event_mgr.Enqueue(analyzer_confirmation, session->GetVal(), tval, val_mgr->Count(0));
+	event_mgr.Enqueue(analyzer_confirmation, session->GetVal(), effective_tag.AsVal(),
+	                  val_mgr->Count(0));
 	}
 
 void Analyzer::AnalyzerViolation(const char* reason, session::Session* session, const char* data,
                                  int len, zeek::Tag arg_tag)
 	{
+	const auto& effective_tag = arg_tag ? arg_tag : GetAnalyzerTag();
+
+	session->SetAnalyzerState(effective_tag, session::AnalyzerConfirmationState::VIOLATED);
+
 	if ( ! analyzer_violation )
 		return;
 
-	session->SetAnalyzerState(GetAnalyzerTag(), session::AnalyzerConfirmationState::VIOLATED);
-
 	StringValPtr r;
 
 	if ( data && len )
@@ -200,8 +204,8 @@ void Analyzer::AnalyzerViolation(const char* reason, session::Session* session,
 	else
 		r = make_intrusive<StringVal>(reason);
 
-	const auto& tval = arg_tag ? arg_tag.AsVal() : tag.AsVal();
-	event_mgr.Enqueue(analyzer_violation, session->GetVal(), tval, val_mgr->Count(0), std::move(r));
+	event_mgr.Enqueue(analyzer_violation, session->GetVal(), effective_tag.AsVal(),
+	                  val_mgr->Count(0), std::move(r));
 	}
 
 	} // namespace zeek::packet_analysis

testing/btest/Baseline/core.tunnels.analyzer-confirmation/conn.log

@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.1.200.131	50000	10.1.1.172	4789	udp	vxlan	0.627090	10203	0	S0	-	-	0	D	12	10539	0	0	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	172.16.11.201	40354	54.86.237.188	80	tcp	http	0.627052	87	9212	SF	-	-	0	ShADadFf	7	459	5	9480	CHhAvVGS1DHFjwGM9
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/core.tunnels.analyzer-confirmation/http.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	172.16.11.201	40354	54.86.237.188	80	1	GET	eu.httpbin.org	/image/svg	-	1.1	curl/7.76.1	-	0	8984	200	OK	-	-	(empty)	-	-	-	-	-	-	FTKnz016WapPYpNaxl	-	text/plain
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/core.tunnels.analyzer-confirmation/out

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+analyzer_confirmation, CHhAvVGS1DHFjwGM9, [orig_h=10.1.200.131, orig_p=50000/udp, resp_h=10.1.1.172, resp_p=4789/udp], 0
+analyzer_confirmation, ClEkJM2Vm5giqnMf4h, [orig_h=172.16.11.201, orig_p=40354/tcp, resp_h=54.86.237.188, resp_p=80/tcp], 6

testing/btest/core/tunnels/analyzer-confirmation.zeek

@@ -0,0 +1,19 @@
+# @TEST-DOC: Check how many analyzer_confirmation events a vxlan-encapsulated HTTP transaction triggers. Should be 2.
+# @TEST-EXEC: zeek -b -r $TRACES/tunnels/vxlan-encapsulated-http.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff http.log
+
+@load base/frameworks/tunnels
+@load base/protocols/conn
+@load base/protocols/http
+
+event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count)
+	{
+	print "analyzer_confirmation", c$uid, c$id, aid;
+	}
+
+event analyzer_violation(c: connection, atype: AllAnalyzers::Tag, aid: count, reason: string)
+	{
+	print "analyzer_violation", c$uid, c$id, aid, reason;
+	}