From 622733c4ba927c17714b0432d889cd6897a4d50f Mon Sep 17 00:00:00 2001 From: Fatema BW Date: Thu, 28 Jul 2022 22:51:15 -0700 Subject: [PATCH 01/10] Add TCP options bad length check --- .../protocol/tcp/TCPSessionAdapter.cc | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc index a8f28725cc..bb4d517788 100644 --- a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc +++ b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc @@ -1803,6 +1803,50 @@ int TCPSessionAdapter::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig) } break; + case 27: + // TCP Quick Start Response + if ( length == 8) + { + auto rate = o[2]; + auto ttl_diff = o[3]; + auto qs_nonce = ntohl(*reinterpret_cast(o + 4)); + option_record->Assign(8, rate); + option_record->Assign(9, ttl_diff); + option_record->Assign(10, qs_nonce); + } + else + { + add_option_data(option_record, o, length); + Weird("tcp_option_QSResponse_invalid_len", util::fmt("%d", length)); + } + break; + + case 28: + // TCP User Timeout option UTO + if ( length != 4 ) + { + add_option_data(option_record, o, length); + Weird("tcp_option_UTO_invalid_len", util::fmt("%d", length)); + } + break; + + case 29: + // TCP Auth Option AO + if ( length < 4 ) + { + add_option_data(option_record, o, length); + Weird("tcp_option_AO_invalid_len", util::fmt("%d", length)); + } + break; + + case 34: + // TCP Fast open TFO + if ( (length != 2) && (length < 6 || length > 18) ) + { + add_option_data(option_record, o, length); + Weird("tcp_option_TFO_invalid_len", util::fmt("%d", length)); + } + break; default: add_option_data(option_record, o, length); break; From 70b3e28dd929ce1c85d9c3ab2fff9d685f0a8574 Mon Sep 17 00:00:00 2001 From: Fatema BW Date: Thu, 28 Jul 2022 22:53:36 -0700 Subject: [PATCH 02/10] Add the parsed fields for TCP option 27 --- scripts/base/init-bare.zeek | 4 ++++ 1 file changed, 4 insertions(+) 
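Review bot: In the new `case 28`, `case 29` and `case 34` arms, `add_option_data(option_record, o, length)` runs only when the length is invalid, so a well-formed User Timeout, TCP-AO or Fast Open option now reaches the script layer with no payload, although these kinds previously fell through to the `default` arm at the end of the hunk, which records the data. For a monitoring tool that drops the values an analyst wants to see (for example the TFO cookie); I would call `add_option_data(option_record, o, length);` unconditionally at the top of each of these cases and keep only the `Weird(...)` call inside the length check. Separately, in `case 27` the 32-bit load through `reinterpret_cast` at `o + 4` has no alignment guarantee inside a TCP header; `memcpy(&raw, o + 4, sizeof(raw));` followed by `ntohl(raw)` avoids the unaligned access. ParseTCPOptions starts and ends outside the hunk, so whether `length` is already bounded by the remaining option bytes cannot be confirmed from here.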
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index d28ab9a13e..c16efa697c 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -380,6 +380,10 @@ export { send_timestamp: count &optional; ## Kind 8: 4-byte echo reply timestamp value. echo_timestamp: count &optional; + ## Kind 27: TCP Quick Start Response value. + rate: count &optional; + ttl_diff: count &optional; + qs_nonce: count &optional; }; ## The full list of TCP Option fields parsed from a TCP header. From e2bd8f0eb171d565108cf444cd672fce01b618fd Mon Sep 17 00:00:00 2001 From: Fatema BW Date: Thu, 28 Jul 2022 22:54:59 -0700 Subject: [PATCH 03/10] Add check for option 27 --- testing/btest/core/tcp/options.zeek | 3 +++ 1 file changed, 3 insertions(+) diff --git a/testing/btest/core/tcp/options.zeek b/testing/btest/core/tcp/options.zeek index 4a561c988d..bdb516c3cd 100644 --- a/testing/btest/core/tcp/options.zeek +++ b/testing/btest/core/tcp/options.zeek @@ -38,6 +38,9 @@ event tcp_options(c: connection, is_orig: bool, options: TCP::OptionList) print fmt(" send ts: %s", o$send_timestamp); print fmt(" echo ts: %s", o$echo_timestamp); break; + case 27: + print fmt(" TTL Diff: %s", o$ttl_diff); + break; } } } From 33bfe67562baf16d5b6ccd236e6232111e1d0cd1 Mon Sep 17 00:00:00 2001 From: Fatema BW Date: Thu, 28 Jul 2022 23:10:35 -0700 Subject: [PATCH 04/10] Fixing clang pre-commit error --- src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc index bb4d517788..b941475796 100644 --- a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc +++ b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc 
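Review bot: Of the three fields added to the record, only `rate` is preceded by a `##` doc comment; `ttl_diff` and `qs_nonce` have none, so they will presumably appear undescribed in the generated script reference. Each field should get its own line in the style of the neighbouring entries, e.g. `## Kind 27: Quick-Start rate request byte.`, `## Kind 27: Quick-Start TTL difference.` and `## Kind 27: 4-byte Quick-Start nonce word.`. As I read RFC 4782, the first byte also carries reserved bits and the last word carries two reserved bits after a 30-bit nonce, so the comments should state that the values are the raw, unmasked bytes the parser assigns. The record definition starts outside the hunk.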
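Review bot: The new `case 27` arm prints only `o$ttl_diff`, so the test would still pass if `rate` or `qs_nonce` were read from the wrong offset or with the wrong byte order. Printing all three, e.g. `print fmt("  Rate: %s", o$rate);` and `print fmt("  QS Nonce: %s", o$qs_nonce);`, pins the full decode in the baseline. The fields are declared `&optional` and the parser leaves them unset when the length is not 8, so a guard such as `if ( o?$ttl_diff )` keeps the handler from raising a missing-field error on a malformed option. The enclosing `tcp_options` handler starts outside the hunk.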
@@ -1805,7 +1805,7 @@ int TCPSessionAdapter::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig) case 27: // TCP Quick Start Response - if ( length == 8) + if ( length == 8 ) { auto rate = o[2]; auto ttl_diff = o[3]; From 5ffeb657a54c9764b2dcafda04257a584c353f7a Mon Sep 17 00:00:00 2001 From: Fatema BW Date: Tue, 2 Aug 2022 09:59:34 -0700 Subject: [PATCH 05/10] Fixing whitespaces.. --- scripts/base/init-bare.zeek | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index c16efa697c..1d2bc4a3f9 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -381,9 +381,9 @@ export { ## Kind 8: 4-byte echo reply timestamp value. echo_timestamp: count &optional; ## Kind 27: TCP Quick Start Response value. - rate: count &optional; - ttl_diff: count &optional; - qs_nonce: count &optional; + rate: count &optional; + ttl_diff: count &optional; + qs_nonce: count &optional; }; ## The full list of TCP Option fields parsed from a TCP header. From 1348b739ab7ad66b4d70ba35c5fa27f28a182352 Mon Sep 17 00:00:00 2001 From: Fatema BW Date: Tue, 2 Aug 2022 10:01:31 -0700 Subject: [PATCH 06/10] Updating the weird names to use all lower case --- src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc index b941475796..155805e761 100644 --- a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc +++ b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc @@ -1817,7 +1817,7 @@ int TCPSessionAdapter::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig) else { add_option_data(option_record, o, length); - Weird("tcp_option_QSResponse_invalid_len", util::fmt("%d", length)); + Weird("tcp_option_qsresponse_invalid_len", util::fmt("%d", length)); } break; 
@@ -1826,7 +1826,7 @@ int TCPSessionAdapter::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig) if ( length != 4 ) { add_option_data(option_record, o, length); - Weird("tcp_option_UTO_invalid_len", util::fmt("%d", length)); + Weird("tcp_option_uto_invalid_len", util::fmt("%d", length)); } break; @@ -1835,7 +1835,7 @@ int TCPSessionAdapter::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig) if ( length < 4 ) { add_option_data(option_record, o, length); - Weird("tcp_option_AO_invalid_len", util::fmt("%d", length)); + Weird("tcp_option_ao_invalid_len", util::fmt("%d", length)); } break; @@ -1844,7 +1844,7 @@ int TCPSessionAdapter::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig) if ( (length != 2) && (length < 6 || length > 18) ) { add_option_data(option_record, o, length); - Weird("tcp_option_TFO_invalid_len", util::fmt("%d", length)); + Weird("tcp_option_tfo_invalid_len", util::fmt("%d", length)); } break; default: From 660278be1fcc139ec0f41bff3bf22996efbf0c66 Mon Sep 17 00:00:00 2001 From: Fatema BW Date: Tue, 2 Aug 2022 10:02:32 -0700 Subject: [PATCH 07/10] Update src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc Co-authored-by: Robin Sommer --- src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc | 1 + 1 file changed, 1 insertion(+) diff --git a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc index 155805e761..1e9cbbb380 100644 --- a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc +++ b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc @@ -1847,6 +1847,7 @@ int TCPSessionAdapter::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig) Weird("tcp_option_tfo_invalid_len", util::fmt("%d", length)); } break; + default: add_option_data(option_record, o, length); break; From 4609429aa4b5b161538ee4f7e38d0ba44c348a46 Mon Sep 17 00:00:00 2001 
From: Fatema BW Date: Thu, 11 Aug 2022 18:23:02 -0700 Subject: [PATCH 08/10] Add files via upload --- testing/btest/Traces/tcp/option-27.pcap | Bin 0 -> 110 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 testing/btest/Traces/tcp/option-27.pcap diff --git a/testing/btest/Traces/tcp/option-27.pcap b/testing/btest/Traces/tcp/option-27.pcap new file mode 100644 index 0000000000000000000000000000000000000000..783fb47da9eb7c39f07b099974e0a967c31c2b3f GIT binary patch literal 110 zcmca|c+)~A1{MYcU}0bca>5pVO%jpgWN-trL72%Yt(o^NlhYbO1||*$R|W Date: Thu, 11 Aug 2022 18:27:28 -0700 Subject: [PATCH 09/10] Create out-27 --- testing/btest/Baseline/core.tcp.options/out-27 | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 testing/btest/Baseline/core.tcp.options/out-27 diff --git a/testing/btest/Baseline/core.tcp.options/out-27 b/testing/btest/Baseline/core.tcp.options/out-27 new file mode 100644 index 0000000000..89d634fe21 --- /dev/null +++ b/testing/btest/Baseline/core.tcp.options/out-27 @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +[orig_h=172.17.0.2, orig_p=1234/tcp, resp_h=72.14.207.99, resp_p=80/tcp], T, 1, 1 +[orig_h=172.17.0.2, orig_p=1234/tcp, resp_h=72.14.207.99, resp_p=80/tcp], T, 27, 8 +[orig_h=172.17.0.2, orig_p=1234/tcp, resp_h=72.14.207.99, resp_p=80/tcp], T, 28, 4 +[orig_h=172.17.0.2, orig_p=1234/tcp, resp_h=72.14.207.99, resp_p=80/tcp], T, 0, 1 +[orig_h=172.17.0.2, orig_p=1234/tcp, resp_h=72.14.207.99, resp_p=80/tcp], T + kind: 1, length: 1 + kind: 27, length: 8 + TTL Diff: 1 + kind: 28, length: 4 + kind: 0, length: 1 From 61244738c81b8cba334dea10ca9fa32313041a53 Mon Sep 17 00:00:00 2001 From: Fatema BW Date: Thu, 11 Aug 2022 18:29:12 -0700 Subject: [PATCH 10/10] Update options.zeek --- testing/btest/core/tcp/options.zeek | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/testing/btest/core/tcp/options.zeek b/testing/btest/core/tcp/options.zeek index bdb516c3cd..81fdf90893 100644 --- a/testing/btest/core/tcp/options.zeek +++ b/testing/btest/core/tcp/options.zeek @@ -1,7 +1,9 @@ # @TEST-EXEC: zeek -b -r $TRACES/tcp/options.pcap %INPUT > out # @TEST-EXEC: zeek -b -r $TRACES/tcp/option-sack.pcap %INPUT > out-sack +# @TEST-EXEC: zeek -b -r $TRACES/tcp/option-27.pcap %INPUT > out-27 # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff out-sack +# @TEST-EXEC: btest-diff out-27 event tcp_option(c: connection, is_orig: bool, opt: count, optlen: count) {
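Review bot: The added `@TEST-EXEC` lines cover only the well-formed path: the `out-27` baseline shown earlier on the page contains kind 27 with length 8 and kind 28 with length 4, both of which pass the new length checks. None of the four `tcp_option_*_invalid_len` weirds introduced by this series is exercised, and those are the branches that handle attacker-controlled malformed input. I would add a second small trace carrying an option with a wrong length for at least one of kinds 27, 28, 29 or 34, plus a baseline that records the resulting weird, using the same `zeek -b -r ... %INPUT` and `btest-diff` pattern as the lines above. The `tcp_option` handler that follows continues outside the hunk.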