diff --git a/CHANGES b/CHANGES
index 42f965c90d..98cde192d2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+5.1.0-dev.405 | 2022-08-17 09:07:33 +0200
+
+ * Add support for parsing TCP option 27, and validate lengths for
+ TCP options 28, 29, & 34. (Fatema BW)
+
 5.1.0-dev.393 | 2022-08-17 08:59:11 +0200
 
 * files.log: Unroll and introduce uid and id fields (Arne Welzel, Corelight)
diff --git a/VERSION b/VERSION
index 4430767cc5..0a748e8474 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-5.1.0-dev.393
+5.1.0-dev.405
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 2651537acd..6519c8c968 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -380,6 +380,10 @@ export {
 send_timestamp: count &optional;
 ## Kind 8: 4-byte echo reply timestamp value.
 echo_timestamp: count &optional;
+## Kind 27: TCP Quick Start Response value.
+rate: count &optional;
+ttl_diff: count &optional;
+qs_nonce: count &optional;
 };
 
 ## The full list of TCP Option fields parsed from a TCP header.
diff --git a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
index a8f28725cc..1e9cbbb380 100644
--- a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
+++ b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
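Review bot: The new `## Kind 27: TCP Quick Start Response value.` comment documents only `rate`; Zeekygen attaches a `##` comment to the declaration that follows it, so `ttl_diff` and `qs_nonce` end up with no field documentation, unlike the per-field comments on `send_timestamp` and `echo_timestamp` just above. Give each field its own comment line, e.g. `## Kind 27: Quick-Start rate request byte.`, `## Kind 27: Quick-Start TTL difference.`, `## Kind 27: Quick-Start nonce word.`, and state in each whether the RFC 4782 reserved bits are masked off or included, since a script consumer cannot tell that from the type `count`.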
@@ -1803,6 +1803,51 @@ int TCPSessionAdapter::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
 }
 break;
 
+case 27:
+// TCP Quick Start Response
+if ( length == 8 )
+{
+auto rate = o[2];
+auto ttl_diff = o[3];
+auto qs_nonce = ntohl(*reinterpret_cast(o + 4));
+option_record->Assign(8, rate);
+option_record->Assign(9, ttl_diff);
+option_record->Assign(10, qs_nonce);
+}
+else
+{
+add_option_data(option_record, o, length);
+Weird("tcp_option_qsresponse_invalid_len", util::fmt("%d", length));
+}
+break;
+
+case 28:
+// TCP User Timeout option UTO
+if ( length != 4 )
+{
+add_option_data(option_record, o, length);
+Weird("tcp_option_uto_invalid_len", util::fmt("%d", length));
+}
+break;
+
+case 29:
+// TCP Auth Option AO
+if ( length < 4 )
+{
+add_option_data(option_record, o, length);
+Weird("tcp_option_ao_invalid_len", util::fmt("%d", length));
+}
+break;
+
+case 34:
+// TCP Fast open TFO
+if ( (length != 2) && (length < 6 || length > 18) )
+{
+add_option_data(option_record, o, length);
+Weird("tcp_option_tfo_invalid_len", util::fmt("%d", length));
+}
+break;
+
 default:
 add_option_data(option_record, o, length);
 break;
diff --git a/testing/btest/Baseline/core.tcp.options/out-27 b/testing/btest/Baseline/core.tcp.options/out-27
new file mode 100644
index 0000000000..89d634fe21
--- /dev/null
+++ b/testing/btest/Baseline/core.tcp.options/out-27
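Review bot: In `case 27`, `auto rate = o[2]` stores the whole third byte, but RFC 4782 lays the Quick-Start Response out as 4 reserved bits followed by the 4-bit Rate Request, and the 32-bit word at `o + 4` is a 30-bit QS Nonce followed by 2 reserved bits, so the script-layer `rate` and `qs_nonce` fields carry reserved bits unless they are masked: `auto rate = o[2] & 0x0f;` and `auto qs_nonce = ntohl(...) >> 2;` (or document that the raw field values are exposed). A second behavior change is not mentioned in the commit: kinds 28, 29 and 34 previously fell through to `default:` and always got `add_option_data(option_record, o, length)`, whereas now a well-formed UTO, AO or TFO option attaches no data at all, so unless that is intended the valid branches should keep calling `add_option_data` (only the length checks and weirds are new). The `o[2]`..`o[7]` reads in the `length == 8` branch are safe only if the loop head, which is outside this hunk, has already verified that `length` bytes remain in the option area; presumably it does since the other cases rely on the same thing, but it is worth confirming because `length` comes straight from the packet. The `*reinterpret_cast(o + 4)` dereference (its template argument appears lost in rendering) is an unaligned 32-bit load since an option can sit at any offset; a `memcpy` into a `uint32_t` before `ntohl` avoids that, though it likely matches how the surrounding cases read multi-byte fields. ParseTCPOptions starts and ends outside the hunk.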
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[orig_h=172.17.0.2, orig_p=1234/tcp, resp_h=72.14.207.99, resp_p=80/tcp], T, 1, 1
+[orig_h=172.17.0.2, orig_p=1234/tcp, resp_h=72.14.207.99, resp_p=80/tcp], T, 27, 8
+[orig_h=172.17.0.2, orig_p=1234/tcp, resp_h=72.14.207.99, resp_p=80/tcp], T, 28, 4
+[orig_h=172.17.0.2, orig_p=1234/tcp, resp_h=72.14.207.99, resp_p=80/tcp], T, 0, 1
+[orig_h=172.17.0.2, orig_p=1234/tcp, resp_h=72.14.207.99, resp_p=80/tcp], T
+ kind: 1, length: 1
+ kind: 27, length: 8
+ TTL Diff: 1
+ kind: 28, length: 4
+ kind: 0, length: 1
diff --git a/testing/btest/Traces/tcp/option-27.pcap b/testing/btest/Traces/tcp/option-27.pcap
new file mode 100644
index 0000000000..783fb47da9
Binary files /dev/null and b/testing/btest/Traces/tcp/option-27.pcap differ
diff --git a/testing/btest/core/tcp/options.zeek b/testing/btest/core/tcp/options.zeek
index 4a561c988d..3a118f0de7 100644
--- a/testing/btest/core/tcp/options.zeek
+++ b/testing/btest/core/tcp/options.zeek
@@ -1,7 +1,9 @@
 # @TEST-EXEC: zeek -b -r $TRACES/tcp/options.pcap %INPUT > out
 # @TEST-EXEC: zeek -b -r $TRACES/tcp/option-sack.pcap %INPUT > out-sack
+# @TEST-EXEC: zeek -b -r $TRACES/tcp/option-27.pcap %INPUT > out-27
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff out-sack
+# @TEST-EXEC: btest-diff out-27
 
 event tcp_option(c: connection, is_orig: bool, opt: count, optlen: count)
 {
@@ -38,6 +40,9 @@ event tcp_options(c: connection, is_orig: bool, options: TCP::OptionList)
 print fmt(" send ts: %s", o$send_timestamp);
 print fmt(" echo ts: %s", o$echo_timestamp);
 break;
+case 27:
+print fmt(" TTL Diff: %s", o$ttl_diff);
+break;
 }
 }
 }
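Review bot: The new `case 27` prints only `o$ttl_diff`, so the `rate` and `qs_nonce` values the parser now assigns are never checked by the baseline and a wrong byte offset or byte order in either would go unnoticed; add `print fmt(" Rate: %s", o$rate);` and `print fmt(" QS Nonce: %s", o$qs_nonce);` beside it and regenerate out-27. The baseline also shows a single connection carrying only a well-formed 8-byte kind 27 and a 4-byte kind 28, so the new `tcp_option_qsresponse_invalid_len`, `tcp_option_uto_invalid_len`, `tcp_option_ao_invalid_len` and `tcp_option_tfo_invalid_len` weirds have no trace exercising them, which may be acceptable for this commit but leaves the length checks untested. tcp_options starts outside the hunk.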