Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-07 17:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Move bad UDP checksum handling into adapter object

Browse source
This commit is contained in:
Tim Wojtulewicz 2021-05-18 12:10:38 -07:00
parent b22ce6848f
commit 30ab914cd8
2 changed files with 33 additions and 39 deletions
Download patch file Download diff file Expand all files Collapse all files

66
src/packet_analysis/protocol/udp/UDP.cc
View file

@ -93,9 +93,7 @@ bool UDPAnalyzer::BuildConnTuple(size_t len, const uint8_t* data, Packet* packet
void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remaining, Packet* pkt) void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remaining, Packet* pkt)
{ {
conn = c; auto* adapter = static_cast<UDPSessionAdapter*>(c->GetSessionAdapter());
auto* adapter = static_cast<UDPSessionAdapter*>(conn->GetSessionAdapter());
const u_char* data = pkt->ip_hdr->Payload(); const u_char* data = pkt->ip_hdr->Payload();
int len = pkt->ip_hdr->PayloadLen(); int len = pkt->ip_hdr->PayloadLen();
@ -159,27 +157,7 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
if ( bad ) if ( bad )
{ {
adapter->Weird("bad_UDP_checksum"); adapter->HandleBadChecksum(is_orig);
if ( is_orig )
{
uint32_t t = adapter->req_chk_thresh;
if ( conn->ScaledHistoryEntry('C',
adapter->req_chk_cnt,
adapter->req_chk_thresh) )
ChecksumEvent(is_orig, t);
}
else
{
uint32_t t = adapter->rep_chk_thresh;
if ( conn->ScaledHistoryEntry('c',
adapter->rep_chk_cnt,
adapter->rep_chk_thresh) )
ChecksumEvent(is_orig, t);
}
return; return;
} }
} }
@ -192,7 +170,7 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
ulen -= sizeof(struct udphdr); ulen -= sizeof(struct udphdr);
remaining -= sizeof(struct udphdr); remaining -= sizeof(struct udphdr);
conn->SetLastTime(run_state::current_timestamp); c->SetLastTime(run_state::current_timestamp);
if ( udp_contents ) if ( udp_contents )
{ {
@ -208,7 +186,7 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
do_udp_contents = true; do_udp_contents = true;
else else
{ {
uint16_t p = zeek::detail::udp_content_delivery_ports_use_resp ? conn->RespPort() uint16_t p = zeek::detail::udp_content_delivery_ports_use_resp ? c->RespPort()
: up->uh_dport; : up->uh_dport;
const auto& port_val = zeek::val_mgr->Port(ntohs(p), TRANSPORT_UDP); const auto& port_val = zeek::val_mgr->Port(ntohs(p), TRANSPORT_UDP);
@ -237,13 +215,13 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
if ( is_orig ) if ( is_orig )
{ {
conn->CheckHistory(HIST_ORIG_DATA_PKT, 'D'); c->CheckHistory(HIST_ORIG_DATA_PKT, 'D');
adapter->UpdateLength(is_orig, ulen); adapter->UpdateLength(is_orig, ulen);
adapter->Event(udp_request); adapter->Event(udp_request);
} }
else else
{ {
conn->CheckHistory(HIST_RESP_DATA_PKT, 'd'); c->CheckHistory(HIST_RESP_DATA_PKT, 'd');
adapter->UpdateLength(is_orig, ulen); adapter->UpdateLength(is_orig, ulen);
adapter->Event(udp_reply); adapter->Event(udp_reply);
} }
@ -254,8 +232,6 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
// Also try sending it into session analysis. // Also try sending it into session analysis.
if ( remaining >= len ) if ( remaining >= len )
adapter->ForwardPacket(len, data, is_orig, -1, ip.get(), remaining); adapter->ForwardPacket(len, data, is_orig, -1, ip.get(), remaining);
conn = nullptr;
} }
bool UDPAnalyzer::ValidateChecksum(const IP_Hdr* ip, const udphdr* up, int len) bool UDPAnalyzer::ValidateChecksum(const IP_Hdr* ip, const udphdr* up, int len)
@ -267,11 +243,6 @@ bool UDPAnalyzer::ValidateChecksum(const IP_Hdr* ip, const udphdr* up, int len)
return sum == 0xffff; return sum == 0xffff;
} }
void UDPAnalyzer::ChecksumEvent(bool is_orig, uint32_t threshold)
{
conn->HistoryThresholdEvent(udp_multiple_checksum_errors, is_orig, threshold);
}
void UDPSessionAdapter::AddExtraAnalyzers(Connection* conn) void UDPSessionAdapter::AddExtraAnalyzers(Connection* conn)
{ {
static analyzer::Tag analyzer_connsize = analyzer_mgr->GetComponentTag("CONNSIZE"); static analyzer::Tag analyzer_connsize = analyzer_mgr->GetComponentTag("CONNSIZE");
@ -340,3 +311,28 @@ void UDPSessionAdapter::UpdateLength(bool is_orig, int len)
} }
} }
} }
void UDPSessionAdapter::HandleBadChecksum(bool is_orig)
{
Weird("bad_UDP_checksum");
if ( is_orig )
{
uint32_t t = req_chk_thresh;
if ( Conn()->ScaledHistoryEntry('C', req_chk_cnt, req_chk_thresh) )
ChecksumEvent(is_orig, t);
}
else
{
uint32_t t = rep_chk_thresh;
if ( Conn()->ScaledHistoryEntry('c', rep_chk_cnt, rep_chk_thresh) )
ChecksumEvent(is_orig, t);
}
}
void UDPSessionAdapter::ChecksumEvent(bool is_orig, uint32_t threshold)
{
Conn()->HistoryThresholdEvent(udp_multiple_checksum_errors, is_orig, threshold);
}

6
src/packet_analysis/protocol/udp/UDP.h
View file

@ -60,10 +60,6 @@ private:
static bool ValidateChecksum(const IP_Hdr* ip, const struct udphdr* up, static bool ValidateChecksum(const IP_Hdr* ip, const struct udphdr* up,
int len); int len);
void ChecksumEvent(bool is_orig, uint32_t threshold);
Connection* conn;
std::vector<uint16_t> vxlan_ports; std::vector<uint16_t> vxlan_ports;
}; };
@ -83,6 +79,7 @@ public:
void UpdateConnVal(RecordVal* conn_val) override; void UpdateConnVal(RecordVal* conn_val) override;
void UpdateLength(bool is_orig, int len); void UpdateLength(bool is_orig, int len);
void HandleBadChecksum(bool is_orig);
// For tracking checksum history. These are connection-specific so they // For tracking checksum history. These are connection-specific so they
// need to be stored in the session adapter created for each connection. // need to be stored in the session adapter created for each connection.
@ -94,6 +91,7 @@ public:
private: private:
void UpdateEndpointVal(const ValPtr& endp_arg, bool is_orig); void UpdateEndpointVal(const ValPtr& endp_arg, bool is_orig);
void ChecksumEvent(bool is_orig, uint32_t threshold);
bro_int_t request_len = -1; bro_int_t request_len = -1;
bro_int_t reply_len = -1; bro_int_t reply_len = -1;