PPPoE: add session id logging

This adds a new PacketAnalyzer::PPPoE::session_id bif, which extracts
the PPPoE session ID from the current packet.

Furthermore, a new policy script is added which adds the pppoe session
id to the connection log.

Related to GH-4602

scripts/policy/protocols/conn/pppoe-session-id-logging.zeek

@@ -0,0 +1,27 @@
+##! This script adds PPPoE session ID information to the connection log.
+
+@load base/protocols/conn
+
+module Conn;
+
+redef record Info += {
+	## The PPPoE session id, if applicable for this connection.
+	pppoe_session_id: count &log &optional;
+};
+
+# Add the PPPoE session ID to the Conn::Info structure. We have to do this right
+# at the beginning, while we are handling a packet.
+event new_connection(c: connection)
+	{
+	local session_id = PacketAnalyzer::PPPoE::session_id();
+
+	# no session ID
+	if ( session_id == 0xFFFFFFFF )
+		return;
+
+	# FIXME: remove when GH-4688 is merged
+	set_conn(c, F);
+
+	c$conn$pppoe_session_id = session_id;
+	}
+

scripts/test-all-policy.zeek

@@ -113,6 +113,7 @@
 @load protocols/conn/known-services.zeek
 @load protocols/conn/mac-logging.zeek
 @load protocols/conn/vlan-logging.zeek
+@load protocols/conn/pppoe-session-id-logging.zeek
 @load protocols/conn/weirds.zeek
 #@load frameworks/conn_key/vlan_fivetuple.zeek
 #@load protocols/conn/speculative-service.zeek

src/packet_analysis/protocol/pppoe/CMakeLists.txt

@@ -1,3 +1,4 @@
 zeek_add_plugin(
-    PacketAnalyzer PPPoE
+    Zeek PPPoE
-    SOURCES PPPoE.cc Plugin.cc)
+    SOURCES PPPoE.cc Plugin.cc
+    BIFS functions.bif)

src/packet_analysis/protocol/pppoe/functions.bif

@@ -0,0 +1,22 @@
+module PacketAnalyzer::PPPoE;
+
+%%{
+#include "zeek/packet_analysis/Manager.h"
+%%}
+
+## Returns the PPPoE Session ID of the current packet, if present.
+##
+## If no PPPoE Session ID is present, 0xFFFFFFFF is returned, which
+## is out of range of the session ID.
+##
+## Returns: The PPPoE session ID if present, 0xFFFFFFFF otherwise.
+function session_id%(%): count
+	%{
+	static const auto& analyzer = zeek::packet_mgr->GetAnalyzer("PPPoE");
+	auto spans = zeek::packet_mgr->GetAnalyzerData(analyzer);
+
+	if ( spans.size() == 0 || spans[0].size() <=8 )
+		return zeek::val_mgr->Count(0xFFFFFFFF);
+
+	return zeek::val_mgr->Count((spans[0][2] << 8u) + spans[0][3]);
+	%}

src/script_opt/FuncInfo.cc

@@ -117,6 +117,7 @@ static std::unordered_map<std::string, unsigned int> func_attrs = {
     {"Option::set_change_handler", ATTR_NO_SCRIPT_SIDE_EFFECTS},
     {"PacketAnalyzer::GTPV1::remove_gtpv1_connection", ATTR_NO_SCRIPT_SIDE_EFFECTS},
     {"PacketAnalyzer::Geneve::get_options", ATTR_NO_SCRIPT_SIDE_EFFECTS},
+    {"PacketAnalyzer::PPPoE::session_id", ATTR_NO_SCRIPT_SIDE_EFFECTS},
     {"PacketAnalyzer::TEREDO::remove_teredo_connection", ATTR_NO_SCRIPT_SIDE_EFFECTS},
     {"PacketAnalyzer::__disable_analyzer", ATTR_NO_SCRIPT_SIDE_EFFECTS},
     {"PacketAnalyzer::__enable_analyzer", ATTR_NO_SCRIPT_SIDE_EFFECTS},

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -266,6 +266,7 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_WebSocket.types.bif.zeek
     build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_PPPoE.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -266,6 +266,7 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_WebSocket.types.bif.zeek
     build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_PPPoE.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek

testing/btest/Baseline/plugins.hooks/output

@@ -369,6 +369,7 @@
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, ./Zeek_PPPoE.functions.bif.zeek, <...>/Zeek_PPPoE.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek) -> -1
@@ -684,6 +685,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_PPPoE.functions.bif.zeek, <...>/Zeek_PPPoE.functions.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek) -> (-1, <no content>)
@@ -1310,6 +1312,7 @@
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, ./Zeek_PPPoE.functions.bif.zeek, <...>/Zeek_PPPoE.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek)
@@ -1625,6 +1628,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_PPPoE.functions.bif.zeek, <...>/Zeek_PPPoE.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek)
@@ -2250,6 +2254,7 @@
 0.000000 | HookLoadFile  ./Zeek_PE.events.bif.zeek <...>/Zeek_PE.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_POP3.consts.bif.zeek <...>/Zeek_POP3.consts.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_POP3.events.bif.zeek <...>/Zeek_POP3.events.bif.zeek
+0.000000 | HookLoadFile  ./Zeek_PPPoE.functions.bif.zeek <...>/Zeek_PPPoE.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_RADIUS.events.bif.zeek <...>/Zeek_RADIUS.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_RDP.events.bif.zeek <...>/Zeek_RDP.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_RDP.types.bif.zeek <...>/Zeek_RDP.types.bif.zeek
@@ -2565,6 +2570,7 @@
 0.000000 | HookLoadFileExtended ./Zeek_PE.events.bif.zeek <...>/Zeek_PE.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_POP3.consts.bif.zeek <...>/Zeek_POP3.consts.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_POP3.events.bif.zeek <...>/Zeek_POP3.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_PPPoE.functions.bif.zeek <...>/Zeek_PPPoE.functions.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_RADIUS.events.bif.zeek <...>/Zeek_RADIUS.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_RDP.events.bif.zeek <...>/Zeek_RDP.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_RDP.types.bif.zeek <...>/Zeek_RDP.types.bif.zeek

testing/btest/Baseline/scripts.policy.protocols.conn.pppoe-session-id-logging/conn.log.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	pppoe_session_id
+CHhAvVGS1DHFjwGM9	1.1.1.1	20394	2.2.2.2	443	3847

testing/btest/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek

@@ -0,0 +1,7 @@
+# A basic test of pppoe session id logging
+
+# @TEST-EXEC: zeek -b -r $TRACES/pppoe-over-qinq.pcap %INPUT
+# @TEST-EXEC: zeek-cut -m uid id.orig_h id.orig_p id.resp_h id.resp_p pppoe_session_id < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+
+@load protocols/conn/pppoe-session-id-logging