Add VLAN-aware connection tuples.

Loading policy/protocols/conntuple/vlan adapts Zeek's flow hashing and the script-layer conn_id record to show VLAN tags when present. I'm using script-layer ints for the VLAN tag representation for consistency with what we alrady do elsewhere, but it seems odd since they can never be negative. I'm currently skipping protocols/conntuple/vlan in test-all-policy since it otherwise affects the external testsuites -- could revisit if people feel it should run on these.
2025-10-15 13:08:20 +00:00 · 2025-04-11 15:52:26 -07:00 · 2025-04-11 15:52:26 -07:00 · ccb1eab575
commit ccb1eab575
parent ae6335bb70
11 changed files with 184 additions and 0 deletions
--- a/scripts/policy/protocols/conntuple/vlan.zeek
+++ b/scripts/policy/protocols/conntuple/vlan.zeek
@ -0,0 +1,14 @@
+##! This script adapts Zeek's connection tuples to include 802.1Q VLAN and
+##! Q-in-Q tags, when available. Zeek normally ignores VLAN tags in its flow
+##! lookups; this change makes it factor them in and also makes those VLAN tags
+##! part of the conn_id record.
+
+redef record conn_id += {
+	## The outer VLAN for this connection, if applicable.
+	vlan: int      &log &optional;
+
+	## The inner VLAN for this connection, if applicable.
+	inner_vlan: int      &log &optional;
+};
+
+redef ConnTuple::builder = ConnTuple::CONNTUPLE_VLAN;