Merge branch 'master' of https://github.com/aaronmbr/bro

* 'master' of https://github.com/aaronmbr/bro:
  Copy-paste issue
  Allow for logging of the VLAN data about a connection in conn.log
  Save the inner vlan in the Packet object for Q-in-Q setups

scripts/base/init-bare.bro

@@ -345,6 +345,12 @@ type connection: record {
 	## for the connection unless the :bro:id:`tunnel_changed` event is
 	## handled and reassigns this field to the new encapsulation.
 	tunnel: EncapsulatingConnVector &optional;
+
+	## The outer VLAN, if applicable, for this connection.
+	vlan: int &optional;
+
+	## The VLAN vlan, if applicable, for this connection.
+	inner_vlan: int &optional;
 };
 
 ## Default amount of time a file can be inactive before the file analysis
@@ -1511,6 +1517,7 @@ type l2_hdr: record {
 	src: string &optional;	##< L2 source (if Ethernet).
 	dst: string &optional;	##< L2 destination (if Ethernet).
 	vlan: count &optional;	##< Outermost VLAN tag if any (and Ethernet).
+	inner_vlan: count &optional;	##< Innermost VLAN tag if any (and Ethernet).
 	eth_type: count &optional;	##< Innermost Ethertype (if Ethernet).
 	proto: layer3_proto;	##< L3 protocol.
 };

scripts/policy/protocols/conn/vlan-logging.bro

@@ -0,0 +1,26 @@
+##! This script add VLAN information to the connection logs
+
+@load base/protocols/conn
+
+module Conn;
+
+redef record Info += {
+	## The outer VLAN for this connection, if applicable.
+	vlan: int      &log &optional;
+
+	## The inner VLAN for this connection, if applicable.
+	inner_vlan: int      &log &optional;
+};
+
+# Add the VLAN information to the Conn::Info structure after the connection
+# has been removed. This ensures it's only done once, and is done before the
+# connection information is written to the log.
+event connection_state_remove(c: connection) &priority=5
+	{
+	if ( c?$vlan )
+		c$conn$vlan = c$vlan;
+
+	if ( c?$inner_vlan )
+		c$conn$inner_vlan = c$inner_vlan;
+	}
+

scripts/site/local.bro

@@ -1,4 +1,4 @@
-##! Local site policy. Customize as appropriate. 
+##! Local site policy. Customize as appropriate.
 ##!
 ##! This file will not be overwritten when upgrading or reinstalling!
 
@@ -11,16 +11,16 @@
 # Load the scan detection script.
 @load misc/scan
 
-# Log some information about web applications being used by users 
+# Log some information about web applications being used by users
 # on your network.
 @load misc/app-stats
 
-# Detect traceroute being run on the network.  
+# Detect traceroute being run on the network.
 @load misc/detect-traceroute
 
 # Generate notices when vulnerable versions of software are discovered.
 # The default is to only monitor software found in the address space defined
-# as "local".  Refer to the software framework's documentation for more 
+# as "local".  Refer to the software framework's documentation for more
 # information.
 @load frameworks/software/vulnerable
 
@@ -35,12 +35,12 @@
 @load protocols/smtp/software
 @load protocols/ssh/software
 @load protocols/http/software
-# The detect-webapps script could possibly cause performance trouble when 
+# The detect-webapps script could possibly cause performance trouble when
 # running on live traffic.  Enable it cautiously.
 #@load protocols/http/detect-webapps
 
-# This script detects DNS results pointing toward your Site::local_nets 
-# where the name is not part of your local DNS zone and is being hosted 
+# This script detects DNS results pointing toward your Site::local_nets
+# where the name is not part of your local DNS zone and is being hosted
 # externally.  Requires that the Site::local_zones variable is defined.
 @load protocols/dns/detect-external-names
 
@@ -62,7 +62,7 @@
 # certificate notary service; see http://notary.icsi.berkeley.edu .
 # @load protocols/ssl/notary
 
-# If you have libGeoIP support built in, do some geographic detections and 
+# If you have libGeoIP support built in, do some geographic detections and
 # logging for SSH traffic.
 @load protocols/ssh/geo-data
 # Detect hosts doing SSH bruteforce attacks.
@@ -84,3 +84,7 @@
 # Uncomment the following line to enable detection of the heartbleed attack. Enabling
 # this might impact performance a bit.
 # @load policy/protocols/ssl/heartbleed
+
+# Uncomment the following line to enable logging of connection VLANs. Enabling
+# this adds two VLAN fields to the conn.log file.
+# @load policy/protocols/conn/vlan-logging

scripts/test-all-policy.bro

@@ -62,6 +62,7 @@
 @load misc/trim-trace-file.bro
 @load protocols/conn/known-hosts.bro
 @load protocols/conn/known-services.bro
+@load protocols/conn/vlan-logging.bro
 @load protocols/conn/weirds.bro
 @load protocols/dhcp/known-devices-and-hostnames.bro
 @load protocols/dns/auth-addl.bro