From fcc866567cfb2a6df76baa4fae0879ab4d94ff6a Mon Sep 17 00:00:00 2001
From: Gorka Olalde Mendia
Date: Wed, 17 Mar 2021 11:43:53 +0100
Subject: [PATCH 1/2] Add ERSPAN Type I patch
Co-authored-by: Markel Elorza Alvarez
Co-authored-by: Ivan Arrizabalaga Cupido
---
 src/packet_analysis/protocol/gre/GRE.cc | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/src/packet_analysis/protocol/gre/GRE.cc b/src/packet_analysis/protocol/gre/GRE.cc
index 6a36442b93..a5024d8782 100644
--- a/src/packet_analysis/protocol/gre/GRE.cc
+++ b/src/packet_analysis/protocol/gre/GRE.cc
@@ -99,13 +99,24 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 else if ( proto_typ == 0x88be )
 {
- // ERSPAN type II
- if ( len > gre_len + 14 + 8 )
+ if ( len > gre_len + 14 )
 {
- erspan_len = 8;
- eth_len = 14;
- gre_link_type = DLT_EN10MB;
- proto_typ = ntohs(*((uint16_t*)(data + gre_len + erspan_len + eth_len - 2)));
+ // ERSPAN type I
+ erspan_len = 0;
+ eth_len = 14;
+ gre_link_type = DLT_EN10MB;
+ bool have_sequence_header = ( flags_ver & 0x1000 );
+ if( have_sequence_header )
+ {
+ // ERSPAN type II
+ erspan_len += 8;
+ if ( len < gre_len + eth_len + erspan_len )
+ {
+ Weird("truncated_GRE", packet);
+ return false;
+ }
+ }
+ proto_typ = ntohs(*((uint16_t *) (data + gre_len + erspan_len + eth_len - 2)));
 }
 else
 {
From ec8c5f6c0758c516dc71bdc908c64cdc56853b6c Mon Sep 17 00:00:00 2001
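Review bot: The Type I / Type II decision rests entirely on the GRE S bit (`flags_ver & 0x1000`), so a packet with S set whose next 8 bytes are not an ERSPAN II header, or one with S clear that does carry one, is handed to the Ethernet analyzer with the frame boundary displaced by 8 bytes and `proto_typ` read from the wrong offset (the read itself stays in-bounds thanks to the new `len <` check). If I read the ERSPAN II layout correctly its first nibble is a version field that should be 1, so once `have_sequence_header` and the length check hold a cheap guard such as `if ( (data[gre_len] >> 4) != 1 ) { Weird("erspan_unknown_version", packet); return false; }` would stop mis-tagged or crafted traffic from being dispatched with a bogus payload boundary; please confirm the field layout against the spec before adopting the exact check. The literal `14` in the outer guard duplicates `eth_len`, and `if( have_sequence_header )` departs from the file's `if ( cond )` spacing used on the neighbouring lines. AnalyzePacket begins and ends outside this hunk, and the computation of `gre_len` and `flags_ver` that the new branch relies on is not visible here.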
From: Gorka Olalde Mendia
Date: Wed, 17 Mar 2021 14:41:29 +0100
Subject: [PATCH 2/2] Add tests for ERSPAN Type I patch
Co-authored-by: Markel Elorza Alvarez
Co-authored-by: Ivan Arrizabalaga Cupido
---
 testing/btest/Baseline/core.erspanI/conn.log | 11 +++++++++++
 testing/btest/Baseline/core.erspanI/tunnel.log | 11 +++++++++++
 testing/btest/Traces/erspanI.pcap | Bin 0 -> 1544 bytes
 testing/btest/core/erspanI.zeek | 6 ++++++
 4 files changed, 28 insertions(+)
 create mode 100644 testing/btest/Baseline/core.erspanI/conn.log
 create mode 100644 testing/btest/Baseline/core.erspanI/tunnel.log
 create mode 100644 testing/btest/Traces/erspanI.pcap
 create mode 100644 testing/btest/core/erspanI.zeek
diff --git a/testing/btest/Baseline/core.erspanI/conn.log b/testing/btest/Baseline/core.erspanI/conn.log
new file mode 100644
index 0000000000..db479dd329
--- /dev/null
+++ b/testing/btest/Baseline/core.erspanI/conn.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 172.16.133.2 8 172.217.11.78 0 icmp - 0.014360 280 280 OTH - - 0 - 5 420 5 420 CHhAvVGS1DHFjwGM9
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/core.erspanI/tunnel.log b/testing/btest/Baseline/core.erspanI/tunnel.log
new file mode 100644
index 0000000000..173855a536
--- /dev/null
+++ b/testing/btest/Baseline/core.erspanI/tunnel.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path tunnel
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
+#types time string addr port addr port enum enum
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.1 0 192.168.1.2 0 Tunnel::GRE Tunnel::DISCOVER
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/erspanI.pcap b/testing/btest/Traces/erspanI.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..f137d40a1977142fe941de7185f9bdf1d3658fdf
GIT binary patch
literal 1544
zcmca|c+)~A1{MYw`2U}Qff2}YKNXmu8NtTT0c3;lk3$`&{>cK#eeY#B7+e_`szAyd z^uIG4Si#5$#7sbS`<697=b4bgz@vHIKoqPhWJ;C;g9GDUmNf#cOlxj(`*AS5S7ABD zz}S8Md_2g`+r0cBia|h7NLWNvOk6@zN?Jx%PF_J#Nm)fzOwxZ3UuVx)&xZwsmJA|||SD0UZD r7pd;T46kXz;P8q@gjbCSFuYj%q2c8vMS6HSP9W7?#DrH1MeYIsRQZK&
literal 0
HcmV?d00001
diff --git a/testing/btest/core/erspanI.zeek b/testing/btest/core/erspanI.zeek
new file mode 100644
index 0000000000..15336c8853
--- /dev/null
+++ b/testing/btest/core/erspanI.zeek
@@ -0,0 +1,6 @@
+# @TEST-EXEC: zeek -C -b -r $TRACES/erspanI.pcap %INPUT
+# @TEST-EXEC: btest-diff tunnel.log
+# @TEST-EXEC: btest-diff conn.log
+
+@load base/frameworks/tunnels
+@load base/protocols/conn
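Review bot: The new test pins only the happy path: judging by its name and the companion commit, the trace carries ERSPAN Type I frames (GRE S bit clear), so the bounds check the code change introduces — S bit set with fewer than 8 bytes after the GRE header, which should now yield the `truncated_GRE` weird instead of a read past the buffer — has no regression coverage in this patch. A deliberately truncated ERSPAN II packet appended to the trace (or a separate small pcap) together with a `btest-diff weird.log` line would lock that behaviour in; if another btest already covers Type II and truncation, this remark does not apply. The `-C` option, which I read as the no-checksum flag, deserves a one-line note for future readers, e.g. `# -C: skip IP/ICMP checksum validation for the captured trace`, so it is not mistaken for part of the feature under test.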