Merge remote-tracking branch 'origin/topic/timw/4266-tunnel-ip-proto'
* origin/topic/timw/4266-tunnel-ip-proto: Set ip_proto when creating new tunnel encapsulations
commit
81f7e77801
7 changed files with 40 additions and 26 deletions
6
CHANGES
6
CHANGES
|
@ -1,3 +1,9 @@
|
|||
7.2.0-dev.273 | 2025-03-06 16:41:43 -0700
|
||||
|
||||
* Set ip_proto when creating new tunnel encapsulations (Tim Wojtulewicz, Corelight)
|
||||
|
||||
* Add code of conduct and contributing to repo. (Johanna Amann, Corelight)
|
||||
|
||||
7.2.0-dev.269 | 2025-03-06 13:12:31 +0000
|
||||
|
||||
* Remove violating analyzer from services field again (Johanna Amann, Corelight)
|
||||
|
|
2
VERSION
2
VERSION
|
@ -1 +1 @@
|
|||
7.2.0-dev.269
|
||||
7.2.0-dev.273
|
||||
|
|
|
@ -40,15 +40,22 @@ public:
|
|||
* @param d The tunnel destination address, likely taken from an IP header.
|
||||
* @param t The type of IP tunnel.
|
||||
*/
|
||||
EncapsulatingConn(const IPAddr& s, const IPAddr& d, BifEnum::Tunnel::Type t = BifEnum::Tunnel::IP)
|
||||
EncapsulatingConn(const IPAddr& s, const IPAddr& d, BifEnum::Tunnel::Type t = BifEnum::Tunnel::IP,
|
||||
uint16_t ip_proto = UNKNOWN_IP_PROTO)
|
||||
: src_addr(s),
|
||||
dst_addr(d),
|
||||
src_port(0),
|
||||
dst_port(0),
|
||||
proto(TRANSPORT_UNKNOWN),
|
||||
ip_proto(UNKNOWN_IP_PROTO),
|
||||
ip_proto(ip_proto),
|
||||
type(t),
|
||||
uid(UID(detail::bits_per_uid)) {}
|
||||
uid(UID(detail::bits_per_uid)) {
|
||||
switch ( ip_proto ) {
|
||||
case IPPROTO_ICMP: proto = TRANSPORT_ICMP; break;
|
||||
case IPPROTO_UDP: proto = TRANSPORT_UDP; break;
|
||||
case IPPROTO_TCP: proto = TRANSPORT_TCP; break;
|
||||
default: proto = TRANSPORT_UNKNOWN; break;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a tunnel connection using information from an already existing
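Review bot: The doc comment above this constructor still stops at `@param t`, so the new `ip_proto` argument is undocumented; add a line such as `* @param ip_proto The IP protocol number taken from the outer IP header, or UNKNOWN_IP_PROTO if not known.` The parameter also shadows the `ip_proto` member, so `switch ( ip_proto )` in the body reads the argument rather than the field; that works today but is easy to break in a later edit, and a distinct parameter name would avoid it. The switch maps only `IPPROTO_ICMP` to `TRANSPORT_ICMP`, while the baselines updated in this commit print `128/icmp` for `proto=58`; if ICMPv6 is meant to be treated the same way here, add `case IPPROTO_ICMPV6:` next to it. The doc comment begins above the hunk, so only its last lines are visible.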
|
||||
|
|
|
@ -60,7 +60,8 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
|
|||
IPTunnelMap::iterator tunnel_it = ip_tunnels.find(tunnel_idx);
|
||||
|
||||
if ( tunnel_it == ip_tunnels.end() ) {
|
||||
EncapsulatingConn ec(packet->ip_hdr->SrcAddr(), packet->ip_hdr->DstAddr(), tunnel_type);
|
||||
EncapsulatingConn ec(packet->ip_hdr->SrcAddr(), packet->ip_hdr->DstAddr(), tunnel_type,
|
||||
packet->ip_hdr->NextProto());
|
||||
ip_tunnels[tunnel_idx] = TunnelActivity(ec, run_state::network_time);
|
||||
zeek::detail::timer_mgr->Add(new detail::IPTunnelTimer(run_state::network_time, tunnel_idx, this));
|
||||
}
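Review bot: The new `packet->ip_hdr->NextProto()` argument is read only inside the `tunnel_it == ip_tunnels.end()` branch, so the recorded `ip_proto` is whatever the first packet seen for that `tunnel_idx` carried. How `tunnel_idx` is built is outside this hunk; if the key does not include the protocol, later packets between the same endpoints with a different next-protocol would reuse the entry and be reported with the stale value, which matters to anyone filtering or alerting on the encapsulation's `proto` field. Either confirm that the key covers it or state the behaviour in a comment, e.g. `// ip_proto is fixed when the tunnel entry is created; later packets reuse the entry as-is`. AnalyzePacket's body begins and ends outside the hunk.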
|
||||
|
|
|
@ -2,5 +2,5 @@
|
|||
echo request, 43, 4
|
||||
echo reply, 43, 4
|
||||
[orig_h=172.31.10.31, orig_p=8/icmp, resp_h=172.31.10.2, resp_p=0/icmp, proto=1]
|
||||
[[cid=[orig_h=172.31.1.23, orig_p=0/unknown, resp_h=172.31.1.135, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::GRE, uid=CHhAvVGS1DHFjwGM9]]
|
||||
[[cid=[orig_h=172.31.1.23, orig_p=0/unknown, resp_h=172.31.1.135, resp_p=0/unknown, proto=47], tunnel_type=Tunnel::GRE, uid=CHhAvVGS1DHFjwGM9]]
|
||||
vlans 10, nil
|
||||
|
|
|
@ -1,23 +1,23 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
new_connection: tunnel
|
||||
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
|
||||
encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
new_connection: tunnel
|
||||
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
|
||||
encap: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9], [cid=[orig_h=babe::beef, orig_p=0/unknown, resp_h=dead::babe, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=ClEkJM2Vm5giqnMf4h]]
|
||||
encap: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9], [cid=[orig_h=babe::beef, orig_p=0/unknown, resp_h=dead::babe, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=ClEkJM2Vm5giqnMf4h]]
|
||||
new_connection: tunnel
|
||||
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
|
||||
encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
new_connection: tunnel
|
||||
conn_id: [orig_h=70.55.213.211, orig_p=31337/tcp, resp_h=192.88.99.1, resp_p=80/tcp, proto=6]
|
||||
encap: [[cid=[orig_h=2002:4637:d5d3::4637:d5d3, orig_p=0/unknown, resp_h=2001:4860:0:2001::68, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
encap: [[cid=[orig_h=2002:4637:d5d3::4637:d5d3, orig_p=0/unknown, resp_h=2001:4860:0:2001::68, resp_p=0/unknown, proto=4], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
new_connection: tunnel
|
||||
conn_id: [orig_h=10.0.0.1, orig_p=30000/udp, resp_h=10.0.0.2, resp_p=13000/udp, proto=17]
|
||||
encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
encap: [[cid=[orig_h=1.2.3.4, orig_p=0/unknown, resp_h=5.6.7.8, resp_p=0/unknown, proto=4], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
new_connection: tunnel
|
||||
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
|
||||
encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
encap: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
tunnel_changed:
|
||||
conn_id: [orig_h=dead::beef, orig_p=30000/udp, resp_h=cafe::babe, resp_p=13000/udp, proto=17]
|
||||
old: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
new: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=C4J4Th3PJpwUYZZ6gc]]
|
||||
old: [[cid=[orig_h=2001:4f8:4:7:2e0:81ff:fe52:ffff, orig_p=0/unknown, resp_h=2001:4f8:4:7:2e0:81ff:fe52:9a6b, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
new: [[cid=[orig_h=feed::beef, orig_p=0/unknown, resp_h=feed::cafe, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=C4J4Th3PJpwUYZZ6gc]]
|
||||
|
|
|
@ -1,34 +1,34 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
new_connection: tunnel
|
||||
conn_id: [orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||
encap: [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
encap: [[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
NEW_PACKET:
|
||||
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
NEW_PACKET:
|
||||
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
NEW_PACKET:
|
||||
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
NEW_PACKET:
|
||||
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
NEW_PACKET:
|
||||
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
NEW_PACKET:
|
||||
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
NEW_PACKET:
|
||||
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
NEW_PACKET:
|
||||
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
NEW_PACKET:
|
||||
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
NEW_PACKET:
|
||||
[orig_h=2001:db8:0:1::1, orig_p=128/icmp, resp_h=2001:db8:0:1::2, resp_p=129/icmp, proto=58]
|
||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=65535], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
[[cid=[orig_h=10.0.0.1, orig_p=0/unknown, resp_h=10.0.0.2, resp_p=0/unknown, proto=41], tunnel_type=Tunnel::IP, uid=CHhAvVGS1DHFjwGM9]]
|
||||
|
|