Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Expand support for Aruba protocol types in GRE analyzer

Browse source 
This also fixes the GRE analyzer to forward into the IEEE 802.11 analyzer
if it encounters Aruba packets with the proper protocol types. This way
the QoS header can be handled correctly.
This commit is contained in:
Tim Wojtulewicz 2023-04-13 15:48:38 -07:00 committed by Tim Wojtulewicz
parent 1e6cc76c83
commit 69d72f3bbb
2 changed files with 43 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

30
scripts/base/packet-protocols/gre/main.zeek
View file

@ -3,3 +3,33 @@ module PacketAnalyzer::GRE;
export {
const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IPTUNNEL &redef;
}
event zeek_init() &priority=20
{
# ARUBA
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8200, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8210, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8220, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8230, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8240, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8250, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8260, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8270, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8280, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8290, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x82A0, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x82B0, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x82C0, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x82D0, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x82E0, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x82F0, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8300, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8310, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8320, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8330, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8340, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8350, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8360, PacketAnalyzer::ANALYZER_IEEE802_11);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GRE, 0x8370, PacketAnalyzer::ANALYZER_IEEE802_11);
# TODO: how to handle 0x9000 here, which should just be dropped?
}

45
src/packet_analysis/protocol/gre/GRE.cc
View file

@ -149,31 +149,10 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
return false;
}
}
else if ( proto_typ == 0x8200 )
else
{
// ARUBA. Following headers seem like they're always a 26-byte 802.11 QoS header, then
// an 8-byte LLC header, then IPv4. There's very little in the way of documentation
// for ARUBA's header format. This is all based on the one sample file we have that
// contains it.
if ( len > gre_len + 34 )
{
gre_link_type = DLT_EN10MB;
erspan_len = 34;
// TODO: fix this, but it's gonna require quite a bit more surgery to the GRE
// analyzer to make it more independent from the IPTunnel analyzer.
// Setting gre_version to 1 here tricks the IPTunnel analyzer into treating the
// first header as IP instead of Ethernet which it does by default when
// gre_version is 0.
gre_version = 1;
proto = (data[gre_len + 34] & 0xF0) >> 4;
}
else
{
Weird("truncated_GRE", packet);
return false;
}
// Otherwise let the packet analysis forwarding handle it.
proto = proto_typ;
}
}
@ -189,9 +168,8 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( flags_ver & 0x4000 )
{
// RFC 2784 deprecates the variable length routing field
// specified by RFC 1701. It could be parsed here, but easiest
// to just skip for now.
// RFC 2784 deprecates the variable length routing field specified by RFC 1701. It could be
// parsed here, but easiest to just skip for now.
Weird("gre_routing", packet);
return false;
}
@ -209,7 +187,9 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
return false;
}
if ( gre_version == 1 && proto_typ != 0x8200 )
// For GRE version 1/PPP, reset the protocol based on a value from the PPP header.
// TODO: where are these two values defined?
if ( gre_version == 1 )
{
uint16_t ppp_proto = ntohs(*((uint16_t*)(data + gre_len + 2)));
@ -225,15 +205,16 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
data += gre_len + ppp_len + erspan_len;
len -= gre_len + ppp_len + erspan_len;
// Treat GRE tunnel like IP tunnels, fallthrough to logic below now
// that GRE header is stripped and only payload packet remains.
// The only thing different is the tunnel type enum value to use.
// Treat GRE tunnel like IP tunnels, fallthrough to logic below now that GRE header is stripped
// and only payload packet remains. The only thing different is the tunnel type enum value to
// use.
packet->tunnel_type = BifEnum::Tunnel::GRE;
packet->gre_version = gre_version;
packet->gre_link_type = gre_link_type;
packet->proto = proto;
ForwardPacket(len, data, packet);
// This will default to forwarding into IP Tunnel unless something custom is set up.
ForwardPacket(len, data, packet, proto);
return true;
}