Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-08 09:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Add validation of session to start of AYIYA/VXLAN/Geneve analysis

Browse source 
This mimics how the Teredo analyzer is already doing it, including
sending a weird if the session is invalid and bailing out if the
protocol was already violated.
This commit is contained in:
Tim Wojtulewicz 2023-02-13 16:42:11 -07:00
parent de934b6af5
commit 16f6cafd9a
3 changed files with 33 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/packet_analysis/protocol/ayiya/AYIYA.cc
View file

@ -13,6 +13,17 @@ bool AYIYAAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packe
if ( ! BifConst::Tunnel::enable_ayiya ) if ( ! BifConst::Tunnel::enable_ayiya )
return false; return false;
// AYIYA always comes from a TCP or UDP connection, which means that session
// should always be valid and always be a connection. Return a weird if we
// didn't have a session stored.
if ( ! packet->session )
{
Analyzer::Weird("ayiya_missing_connection");
return false;
}
else if ( AnalyzerViolated(packet->session) )
return false;
if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth ) if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
{ {
Weird("exceeded_tunnel_max_depth", packet); Weird("exceeded_tunnel_max_depth", packet);

11
src/packet_analysis/protocol/geneve/Geneve.cc
View file

@ -11,6 +11,17 @@ GeneveAnalyzer::GeneveAnalyzer() : zeek::packet_analysis::Analyzer("Geneve") { }
bool GeneveAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) bool GeneveAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{ {
// Geneve always comes from a UDP connection, which means that session should always
// be valid and always be a connection. Return a weird if we didn't have a session
// stored.
if ( ! packet->session )
{
Analyzer::Weird("geneve_missing_connection");
return false;
}
else if ( AnalyzerViolated(packet->session) )
return false;
if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth ) if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
{ {
Weird("exceeded_tunnel_max_depth", packet); Weird("exceeded_tunnel_max_depth", packet);

11
src/packet_analysis/protocol/vxlan/VXLAN.cc
View file

@ -11,6 +11,17 @@ VXLAN_Analyzer::VXLAN_Analyzer() : zeek::packet_analysis::Analyzer("VXLAN") { }
bool VXLAN_Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) bool VXLAN_Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{ {
// VXLAN always comes from a UDP connection, which means that session should always
// be valid and always be a connection. Return a weird if we didn't have a session
// stored.
if ( ! packet->session )
{
Analyzer::Weird("vxlan_missing_connection");
return false;
}
else if ( AnalyzerViolated(packet->session) )
return false;
if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth ) if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
{ {
Weird("exceeded_tunnel_max_depth", packet); Weird("exceeded_tunnel_max_depth", packet);