From 7325bc945f1625614e358deb6421f787fe16a6e7 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Thu, 30 Nov 2023 18:49:59 +0100
Subject: [PATCH] tunnels: Add 'X' to history when reaching Tunnel::max_depth

---
 scripts/base/protocols/conn/main.zeek | 1 +
 src/packet_analysis/protocol/ayiya/AYIYA.cc | 1 +
 src/packet_analysis/protocol/geneve/Geneve.cc | 1 +
 src/packet_analysis/protocol/iptunnel/IPTunnel.cc | 1 +
 src/packet_analysis/protocol/teredo/Teredo.cc | 1 +
 src/packet_analysis/protocol/vxlan/VXLAN.cc | 1 +
 .../core.tunnels.max-depth-exceeded/conn.log.cut | 5 +++++
 .../core.tunnels.max-depth-exceeded/tunnel.log | 14 ++++++++++++++
 .../core.tunnels.max-depth-exceeded/weird.log | 11 +++++++++++
 .../btest/core/tunnels/max-depth-exceeded.zeek | 15 +++++++++++++++
 10 files changed, 51 insertions(+)
 create mode 100644 testing/btest/Baseline/core.tunnels.max-depth-exceeded/conn.log.cut
 create mode 100644 testing/btest/Baseline/core.tunnels.max-depth-exceeded/tunnel.log
 create mode 100644 testing/btest/Baseline/core.tunnels.max-depth-exceeded/weird.log
 create mode 100644 testing/btest/core/tunnels/max-depth-exceeded.zeek

diff --git a/scripts/base/protocols/conn/main.zeek b/scripts/base/protocols/conn/main.zeek
index 1e2ff41216..f2686fc597 100644
--- a/scripts/base/protocols/conn/main.zeek
+++ b/scripts/base/protocols/conn/main.zeek
@@ -125,6 +125,7 @@ export {
 ## i inconsistent packet (e.g. FIN+RST bits set)
 ## q multi-flag packet (SYN+FIN or SYN+RST bits set)
 ## ^ connection direction was flipped by Zeek's heuristic
+ ## x connection analysis partial (e.g. limits exceeded)
 ## ====== ====================================================
 ##
 ## If the event comes from the originator, the letter is in
diff --git a/src/packet_analysis/protocol/ayiya/AYIYA.cc b/src/packet_analysis/protocol/ayiya/AYIYA.cc
index 64685253e1..42bee0dc97 100644
--- a/src/packet_analysis/protocol/ayiya/AYIYA.cc
+++ b/src/packet_analysis/protocol/ayiya/AYIYA.cc
@@ -20,6 +20,7 @@ bool AYIYAAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe
 return false;
 if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
 {
+ packet->session->CheckHistory(zeek::session::detail::HIST_UNKNOWN_PKT, 'X');
 Weird("exceeded_tunnel_max_depth", packet);
 return false;
 }
diff --git a/src/packet_analysis/protocol/geneve/Geneve.cc b/src/packet_analysis/protocol/geneve/Geneve.cc
index 515375976d..632a37df9f 100644
--- a/src/packet_analysis/protocol/geneve/Geneve.cc
+++ b/src/packet_analysis/protocol/geneve/Geneve.cc
@@ -21,6 +21,7 @@ bool GeneveAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pack
 return false;
 if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
 {
+ packet->session->CheckHistory(zeek::session::detail::HIST_UNKNOWN_PKT, 'X');
 Weird("exceeded_tunnel_max_depth", packet);
 return false;
 }
diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
index e7ac1b3cc1..c1ac082c75 100644
--- a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
+++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
@@ -23,6 +23,7 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
 }
 if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
 {
+ packet->session->CheckHistory(zeek::session::detail::HIST_UNKNOWN_PKT, 'X');
 Weird("exceeded_tunnel_max_depth", packet);
 return false;
 }
diff --git a/src/packet_analysis/protocol/teredo/Teredo.cc b/src/packet_analysis/protocol/teredo/Teredo.cc
index 58ef4feffa..ca256016e0 100644
--- a/src/packet_analysis/protocol/teredo/Teredo.cc
+++ b/src/packet_analysis/protocol/teredo/Teredo.cc
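Review bot: The added CheckHistory() call in AYIYA.cc hard-codes an upper-case 'X', while the conn.log documentation in this same patch states that the letter's case encodes direction (upper-case from the originator, lower-case from the responder) and lists the new code as lower-case `x`, so a responder-side packet that hits the depth limit is recorded as if it came from the originator. If the Packet carries its direction (zeek::Packet has an is_orig member as far as I recall; please confirm), the call should read `packet->session->CheckHistory(zeek::session::detail::HIST_UNKNOWN_PKT, packet->is_orig ? 'X' : 'x');`, otherwise the new doc line should say the letter is always upper-case. Reusing HIST_UNKNOWN_PKT as the "already seen" bit also means that, if CheckHistory() emits a code only once per mask bit (not visible in the hunk), 'X' is silently suppressed on a connection where another path already consumed that bit, so a dedicated HIST_ constant would make the marker dependable for analysts who use the history field to spot partially analyzed connections. The identical three lines are repeated in Geneve.cc, IPTunnel.cc, Teredo.cc and VXLAN.cc; a small shared helper taking the Packet would keep the weird name, history code and direction handling in one place. AnalyzePacket() continues outside the hunk in every file.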
@@ -148,6 +148,7 @@ bool TeredoAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pack
 return false;
 if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
 {
+ packet->session->CheckHistory(zeek::session::detail::HIST_UNKNOWN_PKT, 'X');
 Analyzer::Weird("exceeded_tunnel_max_depth", packet);
 return false;
 }
diff --git a/src/packet_analysis/protocol/vxlan/VXLAN.cc b/src/packet_analysis/protocol/vxlan/VXLAN.cc
index e5f4f8ec5e..376c43d3c3 100644
--- a/src/packet_analysis/protocol/vxlan/VXLAN.cc
+++ b/src/packet_analysis/protocol/vxlan/VXLAN.cc
@@ -21,6 +21,7 @@ bool VXLAN_Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pack
 return false;
 if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
 {
+ packet->session->CheckHistory(zeek::session::detail::HIST_UNKNOWN_PKT, 'X');
 Weird("exceeded_tunnel_max_depth", packet);
 return false;
 }
diff --git a/testing/btest/Baseline/core.tunnels.max-depth-exceeded/conn.log.cut b/testing/btest/Baseline/core.tunnels.max-depth-exceeded/conn.log.cut
new file mode 100644
index 0000000000..993a560913
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.max-depth-exceeded/conn.log.cut
@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+uid id.orig_h id.resp_p id.resp_h id.resp_p proto history service tunnel_parents
+CHhAvVGS1DHFjwGM9 1.1.1.1 4789 1.1.1.9 4789 udp D vxlan -
+ClEkJM2Vm5giqnMf4h 2.2.2.2 4789 2.2.2.9 4789 udp D vxlan CHhAvVGS1DHFjwGM9
+C4J4Th3PJpwUYZZ6gc 3.3.3.3 4789 3.3.3.9 4789 udp DX - ClEkJM2Vm5giqnMf4h
diff --git a/testing/btest/Baseline/core.tunnels.max-depth-exceeded/tunnel.log b/testing/btest/Baseline/core.tunnels.max-depth-exceeded/tunnel.log
new file mode 100644
index 0000000000..f5f8ff9bce
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.max-depth-exceeded/tunnel.log
@@ -0,0 +1,14 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path tunnel
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
+#types time string addr port addr port enum enum
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 1.1.1.1 4789 1.1.1.9 4789 Tunnel::VXLAN Tunnel::DISCOVER
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2.2.2.2 4789 2.2.2.9 4789 Tunnel::VXLAN Tunnel::DISCOVER
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 1.1.1.1 4789 1.1.1.9 4789 Tunnel::VXLAN Tunnel::CLOSE
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2.2.2.2 4789 2.2.2.9 4789 Tunnel::VXLAN Tunnel::CLOSE
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.tunnels.max-depth-exceeded/weird.log b/testing/btest/Baseline/core.tunnels.max-depth-exceeded/weird.log
new file mode 100644
index 0000000000..65b1b5768d
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.max-depth-exceeded/weird.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
+#types time string addr port addr port string string bool string string
+XXXXXXXXXX.XXXXXX - 3.3.3.3 0 3.3.3.9 0 exceeded_tunnel_max_depth_in_tunnel - F zeek VXLAN
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/core/tunnels/max-depth-exceeded.zeek b/testing/btest/core/tunnels/max-depth-exceeded.zeek
new file mode 100644
index 0000000000..d3ee33ab47
--- /dev/null
+++ b/testing/btest/core/tunnels/max-depth-exceeded.zeek
@@ -0,0 +1,15 @@
+# @TEST-DOC: Set a too small Tunnel::max_depth value, observe the effects.
+#
+# @TEST-EXEC: zeek -b -r $TRACES/tunnels/vxlan-triple-v2.pcap %INPUT
+# @TEST-EXEC: zeek-cut -m uid id.orig_h id.resp_p id.resp_h id.resp_p proto history service tunnel_parents < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff tunnel.log
+# @TEST-EXEC: btest-diff weird.log
+# @TEST-EXEC: test ! -f dns.log
+#
+@load base/frameworks/notice/weird
+@load base/frameworks/tunnels
+@load base/protocols/conn
+@load base/protocols/dns
+
+redef Tunnel::max_depth = 2;
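Review bot: The zeek-cut field list on the second @TEST-EXEC line names `id.resp_p` twice (`uid id.orig_h id.resp_p id.resp_h id.resp_p ...`), so the originator port is never cut and the conn.log.cut baseline in this patch shows the responder port in both port columns. The first occurrence should be `id.orig_p`, with conn.log.cut regenerated via `btest -U` afterwards. The `test ! -f dns.log` assertion is a useful negative check, but a short comment stating why no dns.log is expected (presumably the innermost payload is dropped once the depth limit is hit) would save the next reader from guessing.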