diff --git a/CHANGES b/CHANGES index 8b0b1fe9ff..08597b2422 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,23 @@ +2.6-157 | 2019-03-14 16:18:13 +0000 + + * GH-250: Add VXLAN decapsulation support (Henrik Lund Kramshoej; Jon Siwek, Corelight) + + Zeek now automatically decapsulates VXLAN traffic on UDP port + 4789. It will log such sessions as Tunnel::VXLAN in tunnel.log and + proceed to analyze the inner payload. Two options allow to tune + the analysis: + + * "Tunnel::vxlan_ports" allows to tune the set of VXLAN ports + to analyze/decapsulate. + + * "Tunnel::validate_vxlan_checksums" allows for tuning of how + checksums associated with the outer UDP header of a possible + VXLAN tunnel are handled. + + A new "vxlan_packet" event also provides per-packet access to + VXLAN traffic. + 2.6-154 | 2019-03-13 17:28:26 -0700 * Decrease memory usage via deferred list/dict initialization (Justin Azoff, Corelight) diff --git a/VERSION b/VERSION index 2a6545f80f..cb44fc556f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-154 +2.6-157 diff --git a/doc b/doc index 671aa15c0d..0d850d3e7d 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 671aa15c0d09bf48421ec2f5e83f7778341137a7 +Subproject commit 0d850d3e7de829397e61ea50031d34f099813596 diff --git a/scripts/base/frameworks/tunnels/main.bro b/scripts/base/frameworks/tunnels/main.bro index 7721ce3a02..f90616e38e 100644 --- a/scripts/base/frameworks/tunnels/main.bro +++ b/scripts/base/frameworks/tunnels/main.bro @@ -85,7 +85,7 @@ export { const ayiya_ports = { 5072/udp }; const teredo_ports = { 3544/udp }; const gtpv1_ports = { 2152/udp, 2123/udp }; -redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports }; +redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports, vxlan_ports }; event bro_init() &priority=5 { 
@@ -94,6 +94,7 @@ event bro_init() &priority=5
 	Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, ayiya_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports);
 	}
 
 function register_all(ecv: EncapsulatingConnVector)
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 600a507d4f..89014bfa6a 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -4857,6 +4857,18 @@ export {
 	## How often to cleanup internal state for inactive IP tunnels
 	## (includes GRE tunnels).
 	const ip_tunnel_timeout = 24hrs &redef;
+
+	## Whether to validate the checksum supplied in the outer UDP header
+	## of a VXLAN encapsulation. The spec says the checksum should be
+	## transmitted as zero, but if not, then the decapsulating destination
+	## may choose whether to perform the validation.
+	const validate_vxlan_checksums = T &redef;
+
+	## The set of UDP ports used for VXLAN traffic. Traffic using this
+	## UDP destination port will attempt to be decapsulated. Note that if
+	## if you customize this, you may still want to manually ensure that
+	## :bro:see:`likely_server_ports` also gets populated accordingly.
+	const vxlan_ports: set[port] = { 4789/udp } &redef;
 } # end export
 
 module Reporter;
diff --git a/src/TunnelEncapsulation.h b/src/TunnelEncapsulation.h
index b853fc01b3..27729e56b7 100644
--- a/src/TunnelEncapsulation.h
+++ b/src/TunnelEncapsulation.h
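Review bot: The doc comment on `vxlan_ports` has a doubled word across the line break (`Note that if` / `if you customize this`) and speaks of "this UDP destination port" although the value is a set; suggest `## The set of UDP destination ports used for VXLAN traffic. Traffic to any of these ports will be decapsulated as VXLAN. Note that if you customize this, ...`. It is also worth stating in the comment that the core reads this set once at startup (Manager::InitPostScript in this same commit copies it into a vector), so the `&redef` must take effect before Zeek starts rather than via a runtime config change. The enclosing `export` block begins outside the hunk.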
@@ -94,6 +94,14 @@ public:
 			((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) ||
 			 (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr));
 
+	if ( ec1.type == BifEnum::Tunnel::VXLAN )
+		// Reversing endpoints is still same tunnel, destination port is
+		// always the same.
+		return ec1.dst_port == ec2.dst_port &&
+		       ec1.uid == ec2.uid && ec1.proto == ec2.proto &&
+		       ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) ||
+		        (ec1.src_addr == ec2.dst_addr && ec1.dst_addr == ec2.src_addr));
+
 	return ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr &&
 	       ec1.src_port == ec2.src_port && ec1.dst_port == ec2.dst_port &&
 	       ec1.uid == ec2.uid && ec1.proto == ec2.proto;
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc
index 286c5eee9f..1546f846e5 100644
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@@ -96,6 +96,18 @@ void Manager::InitPreScript()
 
 void Manager::InitPostScript()
 	{
+	auto id = global_scope()->Lookup("Tunnel::vxlan_ports");
+
+	if ( ! (id && id->ID_Val()) )
+		reporter->FatalError("Tunnel::vxlan_ports not defined");
+
+	auto table_val = id->ID_Val()->AsTableVal();
+	auto port_list = table_val->ConvertToPureList();
+
+	for ( auto i = 0; i < port_list->Length(); ++i )
+		vxlan_ports.emplace_back(port_list->Index(i)->AsPortVal()->Port());
+
+	Unref(port_list);
 	}
 
 void Manager::DumpDebug()
diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h
index d341940e7d..7f58a45cbf 100644
--- a/src/analyzer/Manager.h
+++ b/src/analyzer/Manager.h
@@ -22,6 +22,7 @@
 #define ANALYZER_MANAGER_H
 
 #include
+#include
 
 #include "Analyzer.h"
 #include "Component.h"
@@ -335,6 +336,12 @@ public:
 	void ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p,
 			      Val* analyzer, double timeout);
 
+	/**
+	 * @return the UDP port numbers to be associated with VXLAN traffic.
+	 */
+	const std::vector& GetVxlanPorts() const
+		{ return vxlan_ports; }
+
 private:
 	typedef set tag_set;
 	typedef map analyzer_map_by_port;
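Review bot: The VXLAN branch still requires `ec1.uid == ec2.uid`, and the only construction of a VXLAN EncapsulatingConn in this commit (`EncapsulatingConn ec(Conn(), BifEnum::Tunnel::VXLAN)` in VXLAN.cc) takes its uid from the outer UDP connection, so it is not obvious when two entries with equal uids could differ in `src_port` or in address order; the relaxed match may therefore never be exercised beyond what the strict comparison below already accepts. If there is a case where the uid is shared across both directions of a VTEP pair, the comment should name it, e.g. `// VXLAN: the source port is ephemeral per direction, so match on the destination port and the unordered address pair only.`; otherwise the branch can be dropped. The comment "destination port is always the same" would also read more precisely as "both directions target the VXLAN port". operator== begins outside the hunk.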
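Review bot: The loop copies every element of `Tunnel::vxlan_ports` without checking the port's protocol, so a redef that adds e.g. a `/tcp` entry would be accepted here and then matched against `ntohs(up->uh_dport)` by the UDP analyzer in this same commit as if it were a UDP port. Filtering with `if ( port_list->Index(i)->AsPortVal()->IsUDP() )` before the `emplace_back` (PortVal appears to provide such an accessor elsewhere in the tree, please confirm) keeps the two sides consistent, and a `reporter->Warning` for skipped entries would make a misconfiguration visible. Since this snapshot is taken once in InitPostScript, a comment such as `// Snapshot taken once at startup; later runtime changes to Tunnel::vxlan_ports are not reflected here.` would save the next reader a surprise.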
@@ -390,6 +397,7 @@ private:
 	conns_map conns;
 	conns_queue conns_by_timeout;
 
+	std::vector vxlan_ports;
 };
 
 }
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index ff34d243e8..882ba23da9 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@@ -47,5 +47,6 @@ add_subdirectory(syslog)
 add_subdirectory(tcp)
 add_subdirectory(teredo)
 add_subdirectory(udp)
+add_subdirectory(vxlan)
 add_subdirectory(xmpp)
 add_subdirectory(zip)
diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc
index 0da1a2bd65..b887eea5c1 100644
--- a/src/analyzer/protocol/udp/UDP.cc
+++ b/src/analyzer/protocol/udp/UDP.cc
@@ -7,6 +7,7 @@
 #include "Net.h"
 #include "NetVar.h"
 #include "analyzer/protocol/udp/UDP.h"
+#include "analyzer/Manager.h"
 #include "Reporter.h"
 #include "Conn.h"
 
@@ -61,7 +62,30 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 
 	int chksum = up->uh_sum;
 
-	if ( ! ignore_checksums && caplen >= len )
+	auto validate_checksum = ! ignore_checksums && caplen >=len;
+	constexpr auto vxlan_len = 8;
+	constexpr auto eth_len = 14;
+
+	if ( validate_checksum &&
+	     len > (sizeof(struct udphdr) + vxlan_len + eth_len) &&
+	     (data[0] & 0x08) == 0x08 )
+		{
+		auto& vxlan_ports = analyzer_mgr->GetVxlanPorts();
+
+		if ( std::find(vxlan_ports.begin(), vxlan_ports.end(),
+		               ntohs(up->uh_dport)) != vxlan_ports.end() )
+			{
+			// Looks like VXLAN on a well-known port, so the checksum should be
+			// transmitted as zero, and we should accept that. If not
+			// transmitted as zero, then validating the checksum is optional.
+			if ( chksum == 0 )
+				validate_checksum = false;
+			else
+				validate_checksum = BifConst::Tunnel::validate_vxlan_checksums;
+			}
+		}
+
+	if ( validate_checksum )
 		{
 		bool bad = false;
 
diff --git a/src/analyzer/protocol/vxlan/CMakeLists.txt b/src/analyzer/protocol/vxlan/CMakeLists.txt
new file mode 100644
index 0000000000..e531555321
--- /dev/null
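Review bot: `std::find` is introduced in the port check but the include hunk of this file adds only `analyzer/Manager.h`, so the build depends on `<algorithm>` arriving transitively; add `#include <algorithm>` alongside the new include. The first added line also has a spacing slip, `caplen >=len`, which should be `caplen >= len`. Since the pre-check tests only the 'I' flag bit and the destination port, any datagram to a configured port with bit 0x08 set and a zero checksum now skips outer-checksum validation entirely; that mirrors what a VTEP does, but the comment should say the check is a heuristic, e.g. `// Heuristic only: the 'I' flag and dst port are checked here; the VXLAN analyzer performs the full header validation.` DeliverPacket continues outside the hunk.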
+++ b/src/analyzer/protocol/vxlan/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro VXLAN)
+bro_plugin_cc(VXLAN.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/analyzer/protocol/vxlan/Plugin.cc b/src/analyzer/protocol/vxlan/Plugin.cc
new file mode 100644
index 0000000000..1c214d691f
--- /dev/null
+++ b/src/analyzer/protocol/vxlan/Plugin.cc
@@ -0,0 +1,24 @@
+// See the file in the main distribution directory for copyright.
+
+#include "plugin/Plugin.h"
+
+#include "VXLAN.h"
+
+namespace plugin {
+namespace Bro_VXLAN {
+
+class Plugin : public plugin::Plugin {
+public:
+	plugin::Configuration Configure()
+		{
+		AddComponent(new ::analyzer::Component("VXLAN", ::analyzer::vxlan::VXLAN_Analyzer::Instantiate));
+
+		plugin::Configuration config;
+		config.name = "Bro::VXLAN";
+		config.description = "VXLAN analyzer";
+		return config;
+		}
+} plugin;
+
+}
+}
diff --git a/src/analyzer/protocol/vxlan/VXLAN.cc b/src/analyzer/protocol/vxlan/VXLAN.cc
new file mode 100644
index 0000000000..858f514fd8
--- /dev/null
+++ b/src/analyzer/protocol/vxlan/VXLAN.cc
@@ -0,0 +1,101 @@
+// See the file in the main distribution directory for copyright.
+
+#include "VXLAN.h"
+#include "TunnelEncapsulation.h"
+#include "Conn.h"
+#include "IP.h"
+#include "Reporter.h"
+
+#include "events.bif.h"
+
+using namespace analyzer::vxlan;
+
+void VXLAN_Analyzer::Done()
+	{
+	Analyzer::Done();
+	Event(udp_session_done);
+	}
+
+void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
+                                   uint64 seq, const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+	// Outer Ethernet, IP, and UDP layers already skipped.
+	// Also, generic UDP analyzer already checked/guarantees caplen >= len.
+
+	constexpr auto vxlan_len = 8;
+
+	if ( len < vxlan_len )
+		{
+		ProtocolViolation("VXLAN header truncation", (const char*) data, len);
+		return;
+		}
+
+	if ( (data[0] & 0x08) == 0 )
+		{
+		ProtocolViolation("VXLAN 'I' flag not set", (const char*) data, len);
+		return;
+		}
+
+	const EncapsulationStack* estack = Conn()->GetEncapsulation();
+
+	if ( estack && estack->Depth() >= BifConst::Tunnel::max_depth )
+		{
+		reporter->Weird(Conn(), "tunnel_depth");
+		return;
+		}
+
+	int vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0);
+
+	data += vxlan_len;
+	caplen -= vxlan_len;
+	len -= vxlan_len;
+
+	pkt_timeval ts;
+	ts.tv_sec = (time_t) current_timestamp;
+	ts.tv_usec = (suseconds_t) ((current_timestamp - (double)ts.tv_sec) * 1000000);
+	Packet pkt(DLT_EN10MB, &ts, caplen, len, data);
+
+	if ( !
pkt.Layer2Valid() )
+		{
+		ProtocolViolation("VXLAN invalid inner ethernet frame",
+		                  (const char*) data, len);
+		return;
+		}
+
+	data += pkt.hdr_size;
+	len -= pkt.hdr_size;
+	caplen -= pkt.hdr_size;
+
+	IP_Hdr* inner = nullptr;
+	int res = 0;
+
+	switch ( pkt.l3_proto ) {
+	case L3_IPV4:
+		res = sessions->ParseIPPacket(len, data, IPPROTO_IPV4, inner);
+		break;
+	case L3_IPV6:
+		res = sessions->ParseIPPacket(len, data, IPPROTO_IPV6, inner);
+		break;
+	default:
+		return;
+	}
+
+	if ( res < 0 )
+		{
+		delete inner;
+		ProtocolViolation("Truncated VXLAN or invalid inner IP",
+		                  (const char*) data, len);
+		return;
+		}
+
+	ProtocolConfirmation();
+
+	if ( vxlan_packet )
+		Conn()->Event(vxlan_packet, 0, inner->BuildPktHdrVal(),
+		              val_mgr->GetCount(vni));
+
+	EncapsulatingConn ec(Conn(), BifEnum::Tunnel::VXLAN);
+	sessions->DoNextInnerPacket(network_time, &pkt, inner, estack, ec);
+	}
diff --git a/src/analyzer/protocol/vxlan/VXLAN.h b/src/analyzer/protocol/vxlan/VXLAN.h
new file mode 100644
index 0000000000..d8e02404fa
--- /dev/null
+++ b/src/analyzer/protocol/vxlan/VXLAN.h
@@ -0,0 +1,29 @@
+// See the file in the main distribution directory for copyright.
+
+#ifndef ANALYZER_PROTOCOL_VXLAN_VXLAN_H
+#define ANALYZER_PROTOCOL_VXLAN_VXLAN_H
+
+#include "analyzer/Analyzer.h"
+#include "NetVar.h"
+#include "Reporter.h"
+
+namespace analyzer { namespace vxlan {
+
+class VXLAN_Analyzer : public analyzer::Analyzer {
+public:
+	explicit VXLAN_Analyzer(Connection* conn)
+	    : Analyzer("VXLAN", conn)
+	{}
+
+	void Done() override;
+
+	void DeliverPacket(int len, const u_char* data, bool orig,
+	                   uint64 seq, const IP_Hdr* ip, int caplen) override;
+
+	static analyzer::Analyzer* Instantiate(Connection* conn)
+		{ return new VXLAN_Analyzer(conn); }
+};
+
+} } // namespace analyzer::*
+
+#endif
diff --git a/src/analyzer/protocol/vxlan/events.bif b/src/analyzer/protocol/vxlan/events.bif
new file mode 100644
index 0000000000..d05c74dfbe
--- /dev/null
+++ b/src/analyzer/protocol/vxlan/events.bif
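Review bot: After `pkt.Layer2Valid()` succeeds, `len -= pkt.hdr_size` runs with no check that `len >= pkt.hdr_size`; the only length guard in this function is `len < vxlan_len`, and Layer2Valid() appears to bound the link-layer header by `caplen`, which the UDP analyzer guarantees to be at least `len` but which can exceed it when the captured frame carries bytes past the UDP length. In that case `len` goes negative and is handed to `ParseIPPacket` and to `ProtocolViolation` as a byte count; the IP parser's own size checks probably reject it, but the invariant should be enforced here rather than relied on downstream, and a dedicated violation message makes the condition visible in analysis. A second, smaller point: the `default:` arm of the `switch` drops non-IP inner frames (ARP is common inside VXLAN) silently, so a `Weird` or at least a comment stating that only IPv4/IPv6 payloads are analyzed would help operators. DeliverPacket's header is in the previous part of this hunk.
```cpp
	// … unchanged: Layer2Valid() check …

	if ( len < pkt.hdr_size )
		{
		ProtocolViolation("VXLAN inner frame shorter than its link-layer header",
		                  (const char*) data, len);
		return;
		}

	data += pkt.hdr_size;
	len -= pkt.hdr_size;
	caplen -= pkt.hdr_size;
	// … unchanged: inner IP parsing and event generation …
```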
@@ -0,0 +1,12 @@
+## Generated for any packet encapsulated in a VXLAN tunnel.
+## See :rfc:`7348` for more information about the VXLAN protocol.
+##
+## outer: The VXLAN tunnel connection.
+##
+## inner: The VXLAN-encapsulated Ethernet packet header and transport header.
+##
+## vni: VXLAN Network Identifier.
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+## it may become particularly expensive for real-time analysis.
+event vxlan_packet%(outer: connection, inner: pkt_hdr, vni: count%);
diff --git a/src/const.bif b/src/const.bif
index 2d062d854a..6d60ac707b 100644
--- a/src/const.bif
+++ b/src/const.bif
@@ -22,5 +22,6 @@ const Tunnel::enable_gre: bool;
 const Tunnel::delay_teredo_confirmation: bool;
 const Tunnel::delay_gtp_confirmation: bool;
 const Tunnel::ip_tunnel_timeout: interval;
+const Tunnel::validate_vxlan_checksums: bool;
 
 const Threading::heartbeat_interval: interval;
diff --git a/src/types.bif b/src/types.bif
index 145a8af89e..babccb0f0d 100644
--- a/src/types.bif
+++ b/src/types.bif
@@ -192,6 +192,7 @@ enum Type %{
 	GTPv1,
 	HTTP,
 	GRE,
+	VXLAN,
 %}
 
 type EncapsulatingConn: record;
diff --git a/testing/btest/Baseline/core.print-bpf-filters/conn.log b/testing/btest/Baseline/core.print-bpf-filters/conn.log
index e7f8f8714a..f14621c261 100644
--- a/testing/btest/Baseline/core.print-bpf-filters/conn.log
+++ b/testing/btest/Baseline/core.print-bpf-filters/conn.log
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-12-58 +#open 2019-03-12-03-25-14 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1278600802.069419 CHhAvVGS1DHFjwGM9 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 - -#close 2016-07-13-16-12-59 +#close 2019-03-12-03-25-14 diff --git a/testing/btest/Baseline/core.print-bpf-filters/output b/testing/btest/Baseline/core.print-bpf-filters/output index 3da7f62f77..d8067da821 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/output +++ b/testing/btest/Baseline/core.print-bpf-filters/output @@ -3,28 +3,28 @@ #empty_field (empty) #unset_field - #path packet_filter -#open 2016-07-13-16-12-57 +#open 2019-03-12-03-25-12 #fields ts node filter init success #types time string string bool bool -1468426377.846975 bro ip or not ip T T -#close 2016-07-13-16-12-57 +1552361112.763592 bro ip or not ip T T +#close 2019-03-12-03-25-12 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path packet_filter -#open 2016-07-13-16-12-58 +#open 2019-03-12-03-25-13 #fields ts node filter init success #types time string string bool bool -1468426378.362651 bro port 42 T T -#close 2016-07-13-16-12-58 +1552361113.442916 bro port 42 T T +#close 2019-03-12-03-25-13 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path packet_filter -#open 2016-07-13-16-12-58 +#open 2019-03-12-03-25-14 #fields ts node filter init success #types time string string bool bool -1468426378.944945 bro (vlan) and (ip or not ip) T T -#close 2016-07-13-16-12-59 +1552361114.111534 bro (vlan) and (ip or not ip) T T +#close 2019-03-12-03-25-14 
diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2 index 26a4b5fa85..d46c6b1f1f 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/output2 +++ b/testing/btest/Baseline/core.print-bpf-filters/output2 @@ -21,6 +21,7 @@ 1 4011 2 443 1 445 +1 4789 1 502 1 5060 1 5072 @@ -54,8 +55,8 @@ 1 992 1 993 1 995 -61 and -60 or -61 port +62 and +61 or +62 port 42 tcp -19 udp +20 udp diff --git a/testing/btest/Baseline/core.tunnels.vxlan/conn.log b/testing/btest/Baseline/core.tunnels.vxlan/conn.log new file mode 100644 index 0000000000..3805f6d92f --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.vxlan/conn.log @@ -0,0 +1,14 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2019-03-12-03-29-46 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +1467818432.676047 C4J4Th3PJpwUYZZ6gc 192.168.56.11 48134 192.168.56.12 4789 udp vxlan 3.004434 424 0 S0 - - 0 D 4 536 0 0 - +1467818432.675392 CHhAvVGS1DHFjwGM9 192.168.56.11 39924 192.168.56.12 4789 udp - - - - S0 - - 0 D 1 78 0 0 - +1467818432.675732 ClEkJM2Vm5giqnMf4h 192.168.56.12 40908 192.168.56.11 4789 udp - - - - S0 - - 0 D 1 78 0 0 - +1467818432.676385 CUM0KZ3MLUfNB0cl11 192.168.56.12 38071 192.168.56.11 4789 udp vxlan 3.004278 424 0 S0 - - 0 D 4 536 0 0 - +1467818432.676047 CtPZjS20MLrsMUOJi2 10.0.0.1 8 10.0.0.2 0 icmp - 3.004616 224 224 OTH - - 0 - 4 336 4 336 CUM0KZ3MLUfNB0cl11,C4J4Th3PJpwUYZZ6gc +#close 2019-03-12-03-29-46 diff --git a/testing/btest/Baseline/core.tunnels.vxlan/out b/testing/btest/Baseline/core.tunnels.vxlan/out new file mode 100644 index 0000000000..a8da7f7cf6 --- /dev/null 
+++ b/testing/btest/Baseline/core.tunnels.vxlan/out @@ -0,0 +1,8 @@ +vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12111, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=, tcp=, udp=, icmp=[icmp_type=8]], 123 +vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=36913, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=, tcp=, udp=, icmp=[icmp_type=0]], 123 +vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12341, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=, tcp=, udp=, icmp=[icmp_type=8]], 123 +vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37030, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=, tcp=, udp=, icmp=[icmp_type=0]], 123 +vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12507, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=, tcp=, udp=, icmp=[icmp_type=8]], 123 +vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37208, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=, tcp=, udp=, icmp=[icmp_type=0]], 123 +vxlan_packet, [orig_h=192.168.56.11, orig_p=48134/udp, resp_h=192.168.56.12, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=12684, ttl=64, p=1, src=10.0.0.1, dst=10.0.0.2], ip6=, tcp=, udp=, icmp=[icmp_type=8]], 123 +vxlan_packet, [orig_h=192.168.56.12, orig_p=38071/udp, resp_h=192.168.56.11, resp_p=4789/udp], [ip=[hl=20, tos=0, len=84, id=37295, ttl=64, p=1, src=10.0.0.2, dst=10.0.0.1], ip6=, tcp=, udp=, icmp=[icmp_type=0]], 123 diff --git a/testing/btest/Baseline/core.tunnels.vxlan/tunnel.log b/testing/btest/Baseline/core.tunnels.vxlan/tunnel.log new file mode 100644 index 0000000000..95f062bd67 --- /dev/null 
+++ b/testing/btest/Baseline/core.tunnels.vxlan/tunnel.log @@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2019-03-12-03-29-46 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1467818432.676047 C4J4Th3PJpwUYZZ6gc 192.168.56.11 48134 192.168.56.12 4789 Tunnel::VXLAN Tunnel::DISCOVER +1467818432.676385 CUM0KZ3MLUfNB0cl11 192.168.56.12 38071 192.168.56.11 4789 Tunnel::VXLAN Tunnel::DISCOVER +1467818435.680663 C4J4Th3PJpwUYZZ6gc 192.168.56.11 48134 192.168.56.12 4789 Tunnel::VXLAN Tunnel::CLOSE +1467818435.680663 CUM0KZ3MLUfNB0cl11 192.168.56.12 38071 192.168.56.11 4789 Tunnel::VXLAN Tunnel::CLOSE +#close 2019-03-12-03-29-46 diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 02e6855308..d7a24b1de7 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -154,6 +154,7 @@ scripts/base/init-frameworks-and-bifs.bro build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro + build/scripts/base/bif/plugins/Bro_VXLAN.events.bif.bro build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 1df4b007c1..d568205a79 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -154,6 +154,7 @@ scripts/base/init-frameworks-and-bifs.bro build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro + build/scripts/base/bif/plugins/Bro_VXLAN.events.bif.bro build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index caef030662..594d814175 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -61,6 +61,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR)) -> 
@@ -126,6 +127,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_AYIYA, {5072/udp})) -> @@ -154,6 +156,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SSL, {5223<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SYSLOG, {514/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_TEREDO, {3544/udp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_VXLAN, {4789/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> 
@@ -274,7 +277,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1552508068.441287, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> @@ -459,7 +462,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1552508068.441287, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -685,6 +688,7 @@ 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_UDP.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Unified2.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Unified2.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_VXLAN.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.functions.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.bro) -> -1 @@ -958,6 +962,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR)) 
@@ -1023,6 +1028,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_AYIYA, {5072/udp})) @@ -1051,6 +1057,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SSL, {5223<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SYSLOG, {514/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_TEREDO, {3544/udp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_VXLAN, {4789/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) 
@@ -1171,7 +1178,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1552508068.441287, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) @@ -1356,7 +1363,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1552508068.441287, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1582,6 +1589,7 @@ 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_UDP.events.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Unified2.events.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Unified2.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_VXLAN.events.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.events.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.functions.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.bro) @@ -1855,6 +1863,7 @@ 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 995/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp) 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_BACKDOOR) @@ -1920,6 +1929,7 @@ 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 995/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, {5072/udp}) 
@@ -1948,6 +1958,7 @@ 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, {5223<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, {514/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, {4789/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp}) 0.000000 | HookCallFunction Cluster::is_enabled() 0.000000 | HookCallFunction Cluster::local_node_type() @@ -2067,7 +2078,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1552508068.441287, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) 
@@ -2252,7 +2263,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1552508068.441287, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2478,6 +2489,7 @@ 0.000000 | HookLoadFile .<...>/Bro_UDP.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_Unified2.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_Unified2.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_VXLAN.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_X509.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_X509.functions.bif.bro 0.000000 | HookLoadFile .<...>/Bro_X509.ocsp_events.bif.bro @@ -2684,7 +2696,7 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1552508068.441287, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1552582539.914970, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() diff --git a/testing/btest/Traces/tunnels/vxlan.pcap b/testing/btest/Traces/tunnels/vxlan.pcap new file mode 100644 index 0000000000..76c91f7feb Binary files /dev/null and b/testing/btest/Traces/tunnels/vxlan.pcap differ 
diff --git a/testing/btest/core/tunnels/vxlan.bro b/testing/btest/core/tunnels/vxlan.bro
new file mode 100644
index 0000000000..50a7b1a24a
--- /dev/null
+++ b/testing/btest/core/tunnels/vxlan.bro
@@ -0,0 +1,9 @@
+# @TEST-EXEC: bro -r $TRACES/tunnels/vxlan.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+event vxlan_packet(c: connection, inner: pkt_hdr, vni: count)
+ {
+ print "vxlan_packet", c$id, inner, vni;
+ }
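Review bot: The new test only runs the default configuration, so the `Tunnel::validate_vxlan_checksums` option this change introduces (default T per the CHANGES entry) has no coverage for the path where the outer UDP checksum is non-zero and does not verify, which is the branch most likely to hide a decapsulation or rejection bug. A sibling test that adds `redef Tunnel::validate_vxlan_checksums = F;` and runs against a trace with a bad outer checksum, paired with the default run, would pin down that packets are dropped in one case and decapsulated in the other; adding `# @TEST-EXEC: btest-diff weird.log` (or asserting its absence) would make a rejected packet visible in the baseline rather than silently shrinking `out`. It is also worth a one-line comment above the handler, `# Print every decapsulated VXLAN packet so the baseline captures inner headers and VNI.`, so a future baseline change is recognisable as a parsing change rather than noise. The trace contents are not visible here, so I cannot tell whether it already contains a checksummed packet.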