From fddbdf623245777a65eab7a79e7d3a70e01c7af9 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Thu, 30 Nov 2023 16:32:50 +0100
Subject: [PATCH] init-bare: Default Tunnel::max_depth to 4
In AWS GLB environments, the max_depth of 2 is easily reached due to packets being encapsulated with GENEVE and VXLAN [1]. Any additional encapsulation layer causes Zeek raise a weird and ignore the inner traffic. Bump the default maximum depth to 4, while not common it's not unusual either to observe this in the wild. [1] https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-packet-formats.html Closes #3439
---
 scripts/base/init-bare.zeek | 2 +-
 .../core.tunnels.max-depth/conn.log.cut | 6 ++++++
 .../Baseline/core.tunnels.max-depth/dns.log.cut | 3 +++
 .../Baseline/core.tunnels.max-depth/tunnel.log | 16 ++++++++++++++++
 .../btest/Traces/tunnels/vxlan-triple-v2.pcap | Bin 0 -> 261 bytes
 testing/btest/core/tunnels/max-depth.zeek | 11 +++++++++++
 6 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Baseline/core.tunnels.max-depth/conn.log.cut
 create mode 100644 testing/btest/Baseline/core.tunnels.max-depth/dns.log.cut
 create mode 100644 testing/btest/Baseline/core.tunnels.max-depth/tunnel.log
 create mode 100644 testing/btest/Traces/tunnels/vxlan-triple-v2.pcap
 create mode 100644 testing/btest/core/tunnels/max-depth.zeek
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 81c3d1dc31..41b918992d 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -5220,7 +5220,7 @@ module Tunnel;
 export {
 ## The maximum depth of a tunnel to decapsulate until giving up.
 ## Setting this to zero will disable all types of tunnel decapsulation.
- const max_depth: count = 2 &redef;
+ const max_depth: count = 4 &redef;
 ## With this set, the Teredo analyzer waits until it sees both sides
 ## of a connection using a valid Teredo encapsulation before issuing
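Review bot: The doc comment above the changed `const max_depth` line still says nothing about why the depth is bounded or why 4 was chosen, so the next reader sees only a magic number; I would extend it with `## Each additional layer costs decapsulation work per packet, so keep this bounded; 4 accommodates GLB-style GENEVE+VXLAN nesting (see #3439).` Raising the default changes which nested traffic is analyzed and which instead raises a weird, which is operator-visible, and the diffstat shows no NEWS entry — worth adding one if the project's release-notes convention calls for it. The enclosing `export` block ends outside the hunk.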
diff --git a/testing/btest/Baseline/core.tunnels.max-depth/conn.log.cut b/testing/btest/Baseline/core.tunnels.max-depth/conn.log.cut
new file mode 100644
index 0000000000..e512da7cf6
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.max-depth/conn.log.cut
@@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+uid id.orig_h id.resp_p id.resp_h id.resp_p proto history service tunnel_parents
+CtPZjS20MLrsMUOJi2 4.4.4.4 53 4.4.4.9 53 udp D dns C4J4Th3PJpwUYZZ6gc
+CHhAvVGS1DHFjwGM9 1.1.1.1 4789 1.1.1.9 4789 udp D vxlan -
+ClEkJM2Vm5giqnMf4h 2.2.2.2 4789 2.2.2.9 4789 udp D vxlan CHhAvVGS1DHFjwGM9
+C4J4Th3PJpwUYZZ6gc 3.3.3.3 4789 3.3.3.9 4789 udp D vxlan ClEkJM2Vm5giqnMf4h
diff --git a/testing/btest/Baseline/core.tunnels.max-depth/dns.log.cut b/testing/btest/Baseline/core.tunnels.max-depth/dns.log.cut
new file mode 100644
index 0000000000..4f05d18f5e
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.max-depth/dns.log.cut
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+uid id.orig_h id.resp_p id.resp_h id.resp_p query
+CtPZjS20MLrsMUOJi2 4.4.4.4 53 4.4.4.9 53 www.bbc.com
diff --git a/testing/btest/Baseline/core.tunnels.max-depth/tunnel.log b/testing/btest/Baseline/core.tunnels.max-depth/tunnel.log
new file mode 100644
index 0000000000..356cafe0c4
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.max-depth/tunnel.log
@@ -0,0 +1,16 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path tunnel
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
+#types time string addr port addr port enum enum
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 1.1.1.1 4789 1.1.1.9 4789 Tunnel::VXLAN Tunnel::DISCOVER
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2.2.2.2 4789 2.2.2.9 4789 Tunnel::VXLAN Tunnel::DISCOVER
+XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 3.3.3.3 4789 3.3.3.9 4789 Tunnel::VXLAN Tunnel::DISCOVER
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 1.1.1.1 4789 1.1.1.9 4789 Tunnel::VXLAN Tunnel::CLOSE
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2.2.2.2 4789 2.2.2.9 4789 Tunnel::VXLAN Tunnel::CLOSE
+XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 3.3.3.3 4789 3.3.3.9 4789 Tunnel::VXLAN Tunnel::CLOSE
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/tunnels/vxlan-triple-v2.pcap b/testing/btest/Traces/tunnels/vxlan-triple-v2.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..c4ea59dab215d3bc70e59bfd4072d736a16e1ea0
GIT binary patch
literal 261
zcmca|c+)~A1{MYw`2U}Qff2}Q6kpAhW(a`j
x2=C8^=wQawVF}TZHJ=3nI2lZVP<6%vu&+QK0|Msq@^a>+q-5sg{9KSYBLE*oI(7g6
literal 0
HcmV?d00001
diff --git a/testing/btest/core/tunnels/max-depth.zeek b/testing/btest/core/tunnels/max-depth.zeek
new file mode 100644
index 0000000000..dc7335b0bb
--- /dev/null
+++ b/testing/btest/core/tunnels/max-depth.zeek
@@ -0,0 +1,11 @@
+# @TEST-DOC: A DNS request encapsulated in 3 layers of VXLAN. Funky but not all that unusual.
+# @TEST-EXEC: zeek -b -r $TRACES/tunnels/vxlan-triple-v2.pcap %INPUT
+# @TEST-EXEC: zeek-cut -m uid id.orig_h id.resp_p id.resp_h id.resp_p proto history service tunnel_parents < conn.log > conn.log.cut
+# @TEST-EXEC: zeek-cut -m uid id.orig_h id.resp_p id.resp_h id.resp_p query < dns.log > dns.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff tunnel.log
+# @TEST-EXEC: btest-diff dns.log.cut
+#
+@load base/frameworks/tunnels
+@load base/protocols/conn
+@load base/protocols/dns
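Review bot: Both zeek-cut field lists name `id.resp_p` twice and never `id.orig_p`, so the baselines record the responder port in two columns and drop the originator port entirely; the first occurrence, right after `id.orig_h`, looks like a typo for `id.orig_p`. Changing the two lines to `# @TEST-EXEC: zeek-cut -m uid id.orig_h id.orig_p id.resp_h id.resp_p proto history service tunnel_parents < conn.log > conn.log.cut` and `# @TEST-EXEC: zeek-cut -m uid id.orig_h id.orig_p id.resp_h id.resp_p query < dns.log > dns.log.cut` and regenerating conn.log.cut and dns.log.cut with `btest -U` would fix that. The test also only pins the depth that now succeeds; a companion trace one layer deeper, asserting that the weird is still raised and no dns.log is produced, would pin the upper bound the new default is meant to keep.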