diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 81c3d1dc31..41b918992d 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -5220,7 +5220,7 @@ module Tunnel;
 export {
 ## The maximum depth of a tunnel to decapsulate until giving up.
 ## Setting this to zero will disable all types of tunnel decapsulation.
-const max_depth: count = 2 &redef;
+const max_depth: count = 4 &redef;
 
 ## With this set, the Teredo analyzer waits until it sees both sides
 ## of a connection using a valid Teredo encapsulation before issuing
diff --git a/testing/btest/Baseline/core.tunnels.max-depth/conn.log.cut b/testing/btest/Baseline/core.tunnels.max-depth/conn.log.cut
new file mode 100644
index 0000000000..e512da7cf6
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.max-depth/conn.log.cut
@@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+uid id.orig_h id.resp_p id.resp_h id.resp_p proto history service tunnel_parents
+CtPZjS20MLrsMUOJi2 4.4.4.4 53 4.4.4.9 53 udp D dns C4J4Th3PJpwUYZZ6gc
+CHhAvVGS1DHFjwGM9 1.1.1.1 4789 1.1.1.9 4789 udp D vxlan -
+ClEkJM2Vm5giqnMf4h 2.2.2.2 4789 2.2.2.9 4789 udp D vxlan CHhAvVGS1DHFjwGM9
+C4J4Th3PJpwUYZZ6gc 3.3.3.3 4789 3.3.3.9 4789 udp D vxlan ClEkJM2Vm5giqnMf4h
diff --git a/testing/btest/Baseline/core.tunnels.max-depth/dns.log.cut b/testing/btest/Baseline/core.tunnels.max-depth/dns.log.cut
new file mode 100644
index 0000000000..4f05d18f5e
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.max-depth/dns.log.cut
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+uid id.orig_h id.resp_p id.resp_h id.resp_p query
+CtPZjS20MLrsMUOJi2 4.4.4.4 53 4.4.4.9 53 www.bbc.com
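Review bot: The doc comment above the changed line `const max_depth: count = 4 &redef;` still explains only the zero case, so a reader of init-bare.zeek cannot tell why 4 is now the default or what a deeper limit costs. Each additional layer is one more decapsulation pass over packet bytes the remote sender controls before Zeek gives up, which is the trade-off an operator tuning this on a busy sensor needs to see; the test added in the same commit (three VXLAN layers around a DNS query) is presumably the motivation and should be referenced from the comment. I would add, after the "Setting this to zero" line, `## Each extra layer costs another decapsulation pass over sender-controlled data; the default of 4 accommodates triple-encapsulated VXLAN (see the core/tunnels/max-depth btest).` The `export` block continues past the end of the hunk.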
diff --git a/testing/btest/Baseline/core.tunnels.max-depth/tunnel.log b/testing/btest/Baseline/core.tunnels.max-depth/tunnel.log
new file mode 100644
index 0000000000..356cafe0c4
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.max-depth/tunnel.log
@@ -0,0 +1,16 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path tunnel
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
+#types time string addr port addr port enum enum
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 1.1.1.1 4789 1.1.1.9 4789 Tunnel::VXLAN Tunnel::DISCOVER
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2.2.2.2 4789 2.2.2.9 4789 Tunnel::VXLAN Tunnel::DISCOVER
+XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 3.3.3.3 4789 3.3.3.9 4789 Tunnel::VXLAN Tunnel::DISCOVER
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 1.1.1.1 4789 1.1.1.9 4789 Tunnel::VXLAN Tunnel::CLOSE
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2.2.2.2 4789 2.2.2.9 4789 Tunnel::VXLAN Tunnel::CLOSE
+XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 3.3.3.3 4789 3.3.3.9 4789 Tunnel::VXLAN Tunnel::CLOSE
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/tunnels/vxlan-triple-v2.pcap b/testing/btest/Traces/tunnels/vxlan-triple-v2.pcap
new file mode 100644
index 0000000000..c4ea59dab2
Binary files /dev/null and b/testing/btest/Traces/tunnels/vxlan-triple-v2.pcap differ
diff --git a/testing/btest/core/tunnels/max-depth.zeek b/testing/btest/core/tunnels/max-depth.zeek
new file mode 100644
index 0000000000..dc7335b0bb
--- /dev/null
+++ b/testing/btest/core/tunnels/max-depth.zeek
@@ -0,0 +1,11 @@
+# @TEST-DOC: A DNS request encapsulated in 3 layers of VXLAN. Funky but not all that unusual.
+# @TEST-EXEC: zeek -b -r $TRACES/tunnels/vxlan-triple-v2.pcap %INPUT
+# @TEST-EXEC: zeek-cut -m uid id.orig_h id.resp_p id.resp_h id.resp_p proto history service tunnel_parents < conn.log > conn.log.cut
+# @TEST-EXEC: zeek-cut -m uid id.orig_h id.resp_p id.resp_h id.resp_p query < dns.log > dns.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff tunnel.log
+# @TEST-EXEC: btest-diff dns.log.cut
+#
+@load base/frameworks/tunnels
+@load base/protocols/conn
+@load base/protocols/dns
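Review bot: Both `zeek-cut` lines in the new test name `id.resp_p` twice and never `id.orig_p`, so the originator port is dropped from conn.log.cut and dns.log.cut and the committed baselines inherit the duplicated column (their headers read `uid id.orig_h id.resp_p id.resp_h id.resp_p …`). The second field is presumably meant to be `id.orig_p`, i.e. `zeek-cut -m uid id.orig_h id.orig_p id.resp_h id.resp_p proto history service tunnel_parents < conn.log > conn.log.cut` and `zeek-cut -m uid id.orig_h id.orig_p id.resp_h id.resp_p query < dns.log > dns.log.cut`, after which the two baselines need regenerating with `btest -u`. As written the test still pins the behaviour that matters for the default change — the DNS query is only reachable once all three VXLAN layers are peeled and `tunnel_parents` chains the three connections — but it would not catch a regression in the originator-port bookkeeping of decapsulated connections.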