diff --git a/CHANGES b/CHANGES
index 18289acac4..35e2064125 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+4.2.0-dev.428 | 2021-12-09 14:58:53 -0700
+
+ * GH-1125: Support GRE ARUBA headers (Tim Wojtulewicz, Corelight)
+
+ * Fix ethertype for ARP in Geneve forwarding rules (Tim Wojtulewicz, Corelight)
+
4.2.0-dev.425 | 2021-12-09 13:45:17 -0800
* Add LogAscii::json_include_unset_fields flag to control unset field rendering (Christian Kreibich, Corelight)
diff --git a/VERSION b/VERSION
index 52d0f42e90..9c0a235d22 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-4.2.0-dev.425
+4.2.0-dev.428
diff --git a/scripts/base/packet-protocols/geneve/main.zeek b/scripts/base/packet-protocols/geneve/main.zeek
index d70055925b..64efe9ce66 100644
--- a/scripts/base/packet-protocols/geneve/main.zeek
+++ b/scripts/base/packet-protocols/geneve/main.zeek
@@ -23,5 +23,5 @@ event zeek_init() &priority=20
# Some additional mappings for protocols that we already handle natively.
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 0x0800, PacketAnalyzer::ANALYZER_IP);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 0x08DD, PacketAnalyzer::ANALYZER_IP);
- PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 0x0808, PacketAnalyzer::ANALYZER_ARP);
+ PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 0x0806, PacketAnalyzer::ANALYZER_ARP);
}
diff --git a/src/packet_analysis/protocol/gre/GRE.cc b/src/packet_analysis/protocol/gre/GRE.cc
index f282f314eb..4eefff20e8 100644
--- a/src/packet_analysis/protocol/gre/GRE.cc
+++ b/src/packet_analysis/protocol/gre/GRE.cc
@@ -85,7 +85,6 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{
eth_len = 14;
gre_link_type = DLT_EN10MB;
- proto_typ = ntohs(*((uint16_t*)(data + gre_len + eth_len - 2)));
}
else
{
@@ -113,7 +112,6 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
return false;
}
}
- proto_typ = ntohs(*((uint16_t*)(data + gre_len + erspan_len + eth_len - 2)));
}
else
{
@@ -144,8 +142,32 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
return false;
}
}
+ }
+ else
+ {
+ Weird("truncated_GRE", packet);
+ return false;
+ }
+ }
- proto_typ = ntohs(*((uint16_t*)(data + gre_len + erspan_len + eth_len - 2)));
+ else if ( proto_typ == 0x8200 )
+ {
+ // ARUBA. Following headers seem like they're always a 26-byte 802.11 QoS header, then
+ // an 8-byte LLC header, then IPv4. There's very little in the way of documentation
+ // for ARUBA's header format. This is all based on the one sample file we have that
+ // contains it.
+ if ( len > gre_len + 34 )
+ {
+ gre_link_type = DLT_EN10MB;
+ erspan_len = 34;
+
+ // TODO: fix this, but it's gonna require quite a bit more surgery to the GRE
+ // analyzer to make it more independent from the IPTunnel analyzer.
+ // Setting gre_version to 1 here tricks the IPTunnel analyzer into treating the
+ // first header as IP instead of Ethernet which it does by default when
+ // gre_version is 0.
+ gre_version = 1;
+ proto = (data[gre_len + 34] & 0xF0) >> 4;
}
else
{
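Review bot: The ARUBA branch spells the 34-byte inner header length three times (`len > gre_len + 34`, `erspan_len = 34`, `data[gre_len + 34]`), and the only truncation guard covers a single byte past it, the one holding the IP version nibble; a named constant such as `constexpr size_t kArubaInnerHdrLen = 34; // 26-byte 802.11 QoS + 8-byte LLC, per the one sample` would keep the three in step and give the comment's arithmetic a home. Since the whole layout is inferred from one capture, I would also reject a version nibble other than 4 or 6 with a Weird right after `proto` is assigned, unless the code after the hunk already does so. Reusing `gre_version = 1` as the "inner is IP" signal for IPTunnel and then carving the case back out with `proto_typ != 0x8200` in the later `if ( gre_version == 1 && proto_typ != 0x8200 )` hunk spreads the hack across two conditions; a dedicated flag, or at least a `kArubaProtoType` constant for `0x8200` used at both sites, would make each self-explanatory. AnalyzePacket continues on both sides of this hunk.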
@@ -187,7 +209,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
return false;
}
- if ( gre_version == 1 )
+ if ( gre_version == 1 && proto_typ != 0x8200 )
{
uint16_t ppp_proto = ntohs(*((uint16_t*)(data + gre_len + 2)));
diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
index 699572a950..b16b2dd00c 100644
--- a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
+++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
@@ -84,13 +84,12 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
tunnel_it->second.second = zeek::run_state::network_time;
if ( gre_version == 0 )
- ProcessEncapsulatedPacket(run_state::processing_start_time, packet, len, len, data,
- gre_link_type, packet->encap, ip_tunnels[tunnel_idx].first);
+ return ProcessEncapsulatedPacket(run_state::processing_start_time, packet, len, len, data,
+ gre_link_type, packet->encap,
+ ip_tunnels[tunnel_idx].first);
else
- ProcessEncapsulatedPacket(run_state::processing_start_time, packet, inner, packet->encap,
- ip_tunnels[tunnel_idx].first);
-
- return true;
+ return ProcessEncapsulatedPacket(run_state::processing_start_time, packet, inner,
+ packet->encap, ip_tunnels[tunnel_idx].first);
}
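Review bot: Propagating ProcessEncapsulatedPacket's result changes this function's contract — before this hunk the GRE path returned true unconditionally after dispatching, now a rejected inner packet makes AnalyzePacket fail as well — and neither the hunk nor the CHANGES entry records that. A one-line comment above the `if`, such as `// Propagate the inner dispatch result: a rejected inner packet fails this analyzer too.`, would make the intent explicit, and the function's doc comment (outside the hunk) should say the same. It would also help to state here what `gre_version` encodes, since the GRE analyzer now sets it to 1 for ARUBA purely to steer this branch toward the IP path. AnalyzePacket begins and ends outside the hunk.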
/**
diff --git a/testing/btest/Baseline/core.tunnels.gre-aruba/tunnel.log b/testing/btest/Baseline/core.tunnels.gre-aruba/tunnel.log
new file mode 100644
index 0000000000..468fedf7aa
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.gre-aruba/tunnel.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path tunnel
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
+#types time string addr port addr port enum enum
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.3.34.171 0 10.33.10.23 0 Tunnel::GRE Tunnel::DISCOVER
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 274c93bb10..45ee2b9c00 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -594,7 +594,7 @@
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG)) ->
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN)) ->
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 2048, PacketAnalyzer::ANALYZER_IP)) ->
-0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 2056, PacketAnalyzer::ANALYZER_ARP)) ->
+0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 2054, PacketAnalyzer::ANALYZER_ARP)) ->
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 2269, PacketAnalyzer::ANALYZER_IP)) ->
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET)) ->
0.000000 MetaHookPost CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP)) ->
@@ -2051,7 +2051,7 @@
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 2048, PacketAnalyzer::ANALYZER_IP))
-0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 2056, PacketAnalyzer::ANALYZER_ARP))
+0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 2054, PacketAnalyzer::ANALYZER_ARP))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 2269, PacketAnalyzer::ANALYZER_IP))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET))
0.000000 MetaHookPre CallFunction(PacketAnalyzer::register_packet_analyzer, , (PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP))
@@ -3507,7 +3507,7 @@
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 2048, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 2056, PacketAnalyzer::ANALYZER_ARP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 2054, PacketAnalyzer::ANALYZER_ARP)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 2269, PacketAnalyzer::ANALYZER_IP)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET)
0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP)
diff --git a/testing/btest/Traces/tunnels/gre-aruba.pcap b/testing/btest/Traces/tunnels/gre-aruba.pcap
new file mode 100644
index 0000000000..ba150aa4b2
Binary files /dev/null and b/testing/btest/Traces/tunnels/gre-aruba.pcap differ
diff --git a/testing/btest/core/tunnels/gre-aruba.zeek b/testing/btest/core/tunnels/gre-aruba.zeek
new file mode 100644
index 0000000000..5df8396377
--- /dev/null
+++ b/testing/btest/core/tunnels/gre-aruba.zeek
@@ -0,0 +1,4 @@
+# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/gre-aruba.pcap %INPUT
+# @TEST-EXEC: btest-diff tunnel.log
+
+@load base/frameworks/tunnels