PPP: Add PPP analyzer to handle LINKTYPE_PPP (0x9)

Using pcaps from https://interop.seemann.io/ as samples for QUIC protocol
data didn't produce a conn.log for the contained data. `tcpdump -r`
and Wireshark do show the contained IP/UDP packets. Teach Zeek how
to handle link type DLT_PPP 0x09 using a new PPP analyzer based on the
PPPSerial analyzer code.

Usual update to files/x509 baseline after adding new analyzer due
to enum values changing.

src/packet_analysis/protocol/CMakeLists.txt

@@ -4,6 +4,7 @@ add_subdirectory(skip)
 add_subdirectory(null)
 add_subdirectory(ethernet)
 add_subdirectory(vlan)
+add_subdirectory(ppp)
 add_subdirectory(pppoe)
 add_subdirectory(ppp_serial)
 add_subdirectory(ieee802_11)

src/packet_analysis/protocol/ppp/CMakeLists.txt

@@ -0,0 +1 @@
+zeek_add_plugin(PacketAnalyzer PPP SOURCES PPP.cc Plugin.cc)

src/packet_analysis/protocol/ppp/PPP.cc

@@ -0,0 +1,40 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/ppp/PPP.h"
+
+using namespace zeek::packet_analysis::PPP;
+
+PPPAnalyzer::PPPAnalyzer() : zeek::packet_analysis::Analyzer("PPP") { }
+
+bool PPPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	// Analyzer is meant to handle DLT_PPP.
+	//
+	// From https://www.tcpdump.org/linktypes.html for LINKTYPE_PPP (0x9):
+	//
+	//   PPP, as per RFC 1661 and RFC 1662; if the first 2 bytes are 0xff and 0x03,
+	//   it's PPP in HDLC-like framing, with the PPP header following those two bytes,
+	//   otherwise it's PPP without framing, and the packet begins with the PPP header.
+	//   The data in the frame is not octet-stuffed or bit-stuffed.
+	if ( 2 >= len )
+		{
+		Weird("truncated_ppp_header", packet);
+		return false;
+		}
+
+	if ( data[0] == 0xff && data[1] == 0x03 )
+		{
+		// HDLC-Framing
+		if ( 4 >= len )
+			{
+			Weird("truncated_ppp_hdlc_header", packet);
+			return false;
+			}
+
+		uint32_t protocol = (data[2] << 8) + data[3];
+		return ForwardPacket(len - 4, data + 4, packet, protocol);
+		}
+
+	uint32_t protocol = (data[0] << 8) + data[1];
+	return ForwardPacket(len - 2, data + 2, packet, protocol);
+	}

src/packet_analysis/protocol/ppp/PPP.h

@@ -0,0 +1,25 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::PPP
+	{
+
+class PPPAnalyzer : public Analyzer
+	{
+public:
+	PPPAnalyzer();
+	~PPPAnalyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<PPPAnalyzer>();
+		}
+	};
+
+	}

src/packet_analysis/protocol/ppp/Plugin.cc

@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/ppp/PPP.h"
+
+namespace zeek::plugin::Zeek_PPP
+	{
+
+class Plugin final : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure() override
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"PPP", zeek::packet_analysis::PPP::PPPAnalyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::PPP";
+		config.description = "PPP packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}