PPPoE: add session id logging
This adds a new PacketAnalyzer::PPPoE::session_id bif, which extracts the PPPoE session ID from the current packet. In addition, a new policy script adds the PPPoE session ID to the connection log. Related to GH-4602
This commit is contained in:
parent
55cdb707e9
commit
e5a434c392
10 changed files with 72 additions and 2 deletions
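--- a/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek
+++ b/scripts/policy/protocols/conn/pppoe-session-id-logging.zeek
@@ -0,0 +1,27 @@
+##! This script adds PPPoE session ID information to the connection log.
+
+@load base/protocols/conn
+
+module Conn;
+
+redef record Info += {
+## The PPPoE session id, if applicable for this connection.
+pppoe_session_id: count &log &optional;
+};
+
+# Add the PPPoE session ID to the Conn::Info structure. We have to do this right
+# at the beginning, while we are handling a packet.
+event new_connection(c: connection)
+{
+local session_id = PacketAnalyzer::PPPoE::session_id();
+
+# no session ID
+if ( session_id == 0xFFFFFFFF )
+return;
+
+# FIXME: remove when GH-4688 is merged
+set_conn(c, F);
+
+c$conn$pppoe_session_id = session_id;
+}
+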
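Review bot: The comparison `if ( session_id == 0xFFFFFFFF )` repeats a magic sentinel whose meaning is only explained in functions.bif; a named constant such as `const NO_PPPOE_SESSION_ID = 0xFFFFFFFF;` with a `##` comment pointing at the bif's "0xFFFFFFFF when absent" contract would keep the two files in step. The header comment should also state what the logged value means operationally: it is read once, from the packet that triggers `new_connection`, so a connection whose later packets carry a different session ID is logged with the first one only. The `set_conn(c, F);` line is already marked FIXME; it would help to say in that comment what the call works around (presumably that `c$conn` is not yet initialised at `new_connection` time — inferred, not visible here) so the removal condition can be checked when GH-4688 lands.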
@ -113,6 +113,7 @@
@load protocols/conn/known-services.zeek
@load protocols/conn/mac-logging.zeek
@load protocols/conn/vlan-logging.zeek
@load protocols/conn/pppoe-session-id-logging.zeek
@load protocols/conn/weirds.zeek
#@load frameworks/conn_key/vlan_fivetuple.zeek
#@load protocols/conn/speculative-service.zeek
@ -1,3 +1,4 @@
zeek_add_plugin(
PacketAnalyzer PPPoE
SOURCES PPPoE.cc Plugin.cc)
Zeek PPPoE
SOURCES PPPoE.cc Plugin.cc
BIFS functions.bif)
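--- a/src/packet_analysis/protocol/pppoe/functions.bif
+++ b/src/packet_analysis/protocol/pppoe/functions.bif
@@ -0,0 +1,22 @@
+module PacketAnalyzer::PPPoE;
+
+%%{
+#include "zeek/packet_analysis/Manager.h"
+%%}
+
+## Returns the PPPoE Session ID of the current packet, if present.
+##
+## If no PPPoE Session ID is present, 0xFFFFFFFF is returned, which
+## is out of range of the session ID.
+##
+## Returns: The PPPoE session ID if present, 0xFFFFFFFF otherwise.
+function session_id%(%): count
+%{
+static const auto& analyzer = zeek::packet_mgr->GetAnalyzer("PPPoE");
+auto spans = zeek::packet_mgr->GetAnalyzerData(analyzer);
+
+if ( spans.size() == 0 || spans[0].size() <=8 )
+return zeek::val_mgr->Count(0xFFFFFFFF);
+
+return zeek::val_mgr->Count((spans[0][2] << 8u) + spans[0][3]);
+%}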
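Review bot: The length guard `spans[0].size() <=8` on the `if` line does not correspond to what the function reads — only bytes 2 and 3 of the span are touched — so the constant needs either a justification or a tighter bound. If the span handed back by GetAnalyzerData is the 6-byte PPPoE header followed by the 2-byte PPP protocol field (not visible here), a comment such as `// session ID is header bytes 2-3; span is expected to hold the 6-byte PPPoE header plus the PPP protocol field` makes 8 explainable; otherwise `spans[0].size() < 4` is the guard the read actually needs. The `static const auto&` caching of `GetAnalyzer("PPPoE")` also deserves a one-line comment stating that the lookup is assumed stable for the process lifetime and that GetAnalyzerData is expected to tolerate a missing analyzer — TODO confirm against Manager.h. Minor style: `spans.size() == 0` reads better as `spans.empty()`, and the doc comment should tell callers to compare against 0xFFFFFFFF rather than treat the result as a plain session ID, since the policy script depends on exactly that sentinel.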
@ -117,6 +117,7 @@ static std::unordered_map<std::string, unsigned int> func_attrs = {
{"Option::set_change_handler", ATTR_NO_SCRIPT_SIDE_EFFECTS},
{"PacketAnalyzer::GTPV1::remove_gtpv1_connection", ATTR_NO_SCRIPT_SIDE_EFFECTS},
{"PacketAnalyzer::Geneve::get_options", ATTR_NO_SCRIPT_SIDE_EFFECTS},
{"PacketAnalyzer::PPPoE::session_id", ATTR_NO_SCRIPT_SIDE_EFFECTS},
{"PacketAnalyzer::TEREDO::remove_teredo_connection", ATTR_NO_SCRIPT_SIDE_EFFECTS},
{"PacketAnalyzer::__disable_analyzer", ATTR_NO_SCRIPT_SIDE_EFFECTS},
{"PacketAnalyzer::__enable_analyzer", ATTR_NO_SCRIPT_SIDE_EFFECTS},
@ -266,6 +266,7 @@ scripts/base/init-frameworks-and-bifs.zeek
build/scripts/base/bif/plugins/Zeek_WebSocket.types.bif.zeek
build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek
build/scripts/base/bif/plugins/Zeek_PPPoE.functions.bif.zeek
build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
@ -266,6 +266,7 @@ scripts/base/init-frameworks-and-bifs.zeek
build/scripts/base/bif/plugins/Zeek_WebSocket.types.bif.zeek
build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek
build/scripts/base/bif/plugins/Zeek_PPPoE.functions.bif.zeek
build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek
build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
@ -369,6 +369,7 @@
0.000000 MetaHookPost LoadFile(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, ./Zeek_PPPoE.functions.bif.zeek, <...>/Zeek_PPPoE.functions.bif.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) -> -1
0.000000 MetaHookPost LoadFile(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek) -> -1
@ -684,6 +685,7 @@
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_PPPoE.functions.bif.zeek, <...>/Zeek_PPPoE.functions.bif.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) -> (-1, <no content>)
0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek) -> (-1, <no content>)
@ -1310,6 +1312,7 @@
0.000000 MetaHookPre LoadFile(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek)
0.000000 MetaHookPre LoadFile(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek)
0.000000 MetaHookPre LoadFile(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek)
0.000000 MetaHookPre LoadFile(0, ./Zeek_PPPoE.functions.bif.zeek, <...>/Zeek_PPPoE.functions.bif.zeek)
0.000000 MetaHookPre LoadFile(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek)
0.000000 MetaHookPre LoadFile(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek)
0.000000 MetaHookPre LoadFile(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek)
@ -1625,6 +1628,7 @@
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek)
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_POP3.consts.bif.zeek, <...>/Zeek_POP3.consts.bif.zeek)
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek)
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_PPPoE.functions.bif.zeek, <...>/Zeek_PPPoE.functions.bif.zeek)
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek)
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek)
0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek)
@ -2250,6 +2254,7 @@
0.000000 | HookLoadFile ./Zeek_PE.events.bif.zeek <...>/Zeek_PE.events.bif.zeek
0.000000 | HookLoadFile ./Zeek_POP3.consts.bif.zeek <...>/Zeek_POP3.consts.bif.zeek
0.000000 | HookLoadFile ./Zeek_POP3.events.bif.zeek <...>/Zeek_POP3.events.bif.zeek
0.000000 | HookLoadFile ./Zeek_PPPoE.functions.bif.zeek <...>/Zeek_PPPoE.functions.bif.zeek
0.000000 | HookLoadFile ./Zeek_RADIUS.events.bif.zeek <...>/Zeek_RADIUS.events.bif.zeek
0.000000 | HookLoadFile ./Zeek_RDP.events.bif.zeek <...>/Zeek_RDP.events.bif.zeek
0.000000 | HookLoadFile ./Zeek_RDP.types.bif.zeek <...>/Zeek_RDP.types.bif.zeek
@ -2565,6 +2570,7 @@
0.000000 | HookLoadFileExtended ./Zeek_PE.events.bif.zeek <...>/Zeek_PE.events.bif.zeek
0.000000 | HookLoadFileExtended ./Zeek_POP3.consts.bif.zeek <...>/Zeek_POP3.consts.bif.zeek
0.000000 | HookLoadFileExtended ./Zeek_POP3.events.bif.zeek <...>/Zeek_POP3.events.bif.zeek
0.000000 | HookLoadFileExtended ./Zeek_PPPoE.functions.bif.zeek <...>/Zeek_PPPoE.functions.bif.zeek
0.000000 | HookLoadFileExtended ./Zeek_RADIUS.events.bif.zeek <...>/Zeek_RADIUS.events.bif.zeek
0.000000 | HookLoadFileExtended ./Zeek_RDP.events.bif.zeek <...>/Zeek_RDP.events.bif.zeek
0.000000 | HookLoadFileExtended ./Zeek_RDP.types.bif.zeek <...>/Zeek_RDP.types.bif.zeek
@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
uid id.orig_h id.orig_p id.resp_h id.resp_p pppoe_session_id
CHhAvVGS1DHFjwGM9 1.1.1.1 20394 2.2.2.2 443 3847
@ -0,0 +1,7 @@
# A basic test of pppoe session id logging
# @TEST-EXEC: zeek -b -r $TRACES/pppoe-over-qinq.pcap %INPUT
# @TEST-EXEC: zeek-cut -m uid id.orig_h id.orig_p id.resp_h id.resp_p pppoe_session_id < conn.log > conn.log.cut
# @TEST-EXEC: btest-diff conn.log.cut
@load protocols/conn/pppoe-session-id-logging
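Review bot: The test pins only the positive path: the single `@TEST-EXEC: zeek -b -r $TRACES/pppoe-over-qinq.pcap %INPUT` run, whose baseline shows one connection with `pppoe_session_id` set to 3847. Nothing exercises the branch the `0xFFFFFFFF` sentinel in the policy script exists for — that a connection without PPPoE leaves the `&optional` field unset — so a second run over an existing non-PPPoE trace from `$TRACES`, with its own `btest-diff` baseline, would cover it. The first-line comment `# A basic test of pppoe session id logging` could also say where the expected 3847 comes from (the session ID carried in the trace), so a future baseline change is reviewable rather than rubber-stamped.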