init-bare: Default Tunnel::max_depth to 4

In AWS GLB environments, the max_depth of 2 is easily reached due to packets being encapsulated with GENEVE and VXLAN [1]. Any additional encapsulation layer causes Zeek raise a weird and ignore the inner traffic. Bump the default maximum depth to 4, while not common it's not unusual either to observe this in the wild. [1] https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-packet-formats.html Closes #3439
2025-10-02 06:38:20 +00:00 · 2023-11-30 16:32:50 +01:00 · 2023-11-30 16:32:50 +01:00 · fddbdf6232
commit fddbdf6232
parent 4c960fd7d5
6 changed files with 37 additions and 1 deletions
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -5220,7 +5220,7 @@ module Tunnel;
 export {
 	## The maximum depth of a tunnel to decapsulate until giving up.
 	## Setting this to zero will disable all types of tunnel decapsulation.
-	const max_depth: count = 2 &redef;
+	const max_depth: count = 4 &redef;

 	## With this set, the Teredo analyzer waits until it sees both sides
 	## of a connection using a valid Teredo encapsulation before issuing
--- a/testing/btest/Baseline/core.tunnels.max-depth/conn.log.cut
+++ b/testing/btest/Baseline/core.tunnels.max-depth/conn.log.cut
@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+uid	id.orig_h	id.resp_p	id.resp_h	id.resp_p	proto	history	service	tunnel_parents
+CtPZjS20MLrsMUOJi2	4.4.4.4	53	4.4.4.9	53	udp	D	dns	C4J4Th3PJpwUYZZ6gc
+CHhAvVGS1DHFjwGM9	1.1.1.1	4789	1.1.1.9	4789	udp	D	vxlan	-
+ClEkJM2Vm5giqnMf4h	2.2.2.2	4789	2.2.2.9	4789	udp	D	vxlan	CHhAvVGS1DHFjwGM9
+C4J4Th3PJpwUYZZ6gc	3.3.3.3	4789	3.3.3.9	4789	udp	D	vxlan	ClEkJM2Vm5giqnMf4h
--- a/testing/btest/Baseline/core.tunnels.max-depth/dns.log.cut
+++ b/testing/btest/Baseline/core.tunnels.max-depth/dns.log.cut
@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+uid	id.orig_h	id.resp_p	id.resp_h	id.resp_p	query
+CtPZjS20MLrsMUOJi2	4.4.4.4	53	4.4.4.9	53	www.bbc.com
--- a/testing/btest/Baseline/core.tunnels.max-depth/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.max-depth/tunnel.log
@ -0,0 +1,16 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	1.1.1.1	4789	1.1.1.9	4789	Tunnel::VXLAN	Tunnel::DISCOVER
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	2.2.2.2	4789	2.2.2.9	4789	Tunnel::VXLAN	Tunnel::DISCOVER
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	3.3.3.3	4789	3.3.3.9	4789	Tunnel::VXLAN	Tunnel::DISCOVER
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	1.1.1.1	4789	1.1.1.9	4789	Tunnel::VXLAN	Tunnel::CLOSE
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	2.2.2.2	4789	2.2.2.9	4789	Tunnel::VXLAN	Tunnel::CLOSE
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	3.3.3.3	4789	3.3.3.9	4789	Tunnel::VXLAN	Tunnel::CLOSE
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Traces/tunnels/vxlan-triple-v2.pcap
+++ b/testing/btest/Traces/tunnels/vxlan-triple-v2.pcap
--- a/testing/btest/core/tunnels/max-depth.zeek
+++ b/testing/btest/core/tunnels/max-depth.zeek
@ -0,0 +1,11 @@
+# @TEST-DOC: A DNS request encapsulated in 3 layers of VXLAN. Funky but not all that unusual.
+# @TEST-EXEC: zeek -b -r $TRACES/tunnels/vxlan-triple-v2.pcap %INPUT
+# @TEST-EXEC: zeek-cut -m uid id.orig_h id.resp_p id.resp_h id.resp_p proto history service tunnel_parents < conn.log > conn.log.cut
+# @TEST-EXEC: zeek-cut -m uid id.orig_h id.resp_p id.resp_h id.resp_p query < dns.log > dns.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff tunnel.log
+# @TEST-EXEC: btest-diff dns.log.cut
+#
+@load base/frameworks/tunnels
+@load base/protocols/conn
+@load base/protocols/dns