Merge ssh://github.com/fatemabw/zeek

* ssh://github.com/fatemabw/zeek:
  Update options.zeek
  Create out-27
  Add files via upload
  Update src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
  Updating the weird names to use all lower case
  Fixing whitespaces..
  Fixing clang pre-commit error
  Add check for option 27
  Add the parsed fields for TCP option 27
  Add TCP options bad length check

CHANGES

@@ -1,3 +1,8 @@
+5.1.0-dev.405 | 2022-08-17 09:07:33 +0200
+
+  * Add support for parsing TCP option 27, and validate lengths for
+    TCP options 28, 29, & 34. (Fatema BW)
+
 5.1.0-dev.393 | 2022-08-17 08:59:11 +0200
 
   * files.log: Unroll and introduce uid and id fields (Arne Welzel, Corelight)

VERSION

@@ -1 +1 @@
-5.1.0-dev.393
+5.1.0-dev.405

scripts/base/init-bare.zeek

@@ -380,6 +380,10 @@ export {
 		send_timestamp: count &optional;
 		## Kind 8: 4-byte echo reply timestamp value.
 		echo_timestamp: count &optional;
+		## Kind 27: TCP Quick Start Response value.
+		rate: count &optional;
+		ttl_diff: count &optional;
+		qs_nonce: count &optional;
 	};
 
 	## The full list of TCP Option fields parsed from a TCP header.

src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc

@@ -1803,6 +1803,51 @@ int TCPSessionAdapter::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
 						}
 					break;
 
+				case 27:
+					// TCP Quick Start Response
+					if ( length == 8 )
+						{
+						auto rate = o[2];
+						auto ttl_diff = o[3];
+						auto qs_nonce = ntohl(*reinterpret_cast<const uint32_t*>(o + 4));
+						option_record->Assign(8, rate);
+						option_record->Assign(9, ttl_diff);
+						option_record->Assign(10, qs_nonce);
+						}
+					else
+						{
+						add_option_data(option_record, o, length);
+						Weird("tcp_option_qsresponse_invalid_len", util::fmt("%d", length));
+						}
+					break;
+
+				case 28:
+					// TCP User Timeout option UTO
+					if ( length != 4 )
+						{
+						add_option_data(option_record, o, length);
+						Weird("tcp_option_uto_invalid_len", util::fmt("%d", length));
+						}
+					break;
+
+				case 29:
+					// TCP Auth Option AO
+					if ( length < 4 )
+						{
+						add_option_data(option_record, o, length);
+						Weird("tcp_option_ao_invalid_len", util::fmt("%d", length));
+						}
+					break;
+
+				case 34:
+					// TCP Fast open TFO
+					if ( (length != 2) && (length < 6 || length > 18) )
+						{
+						add_option_data(option_record, o, length);
+						Weird("tcp_option_tfo_invalid_len", util::fmt("%d", length));
+						}
+					break;
+					
 				default:
 					add_option_data(option_record, o, length);
 					break;

testing/btest/Baseline/core.tcp.options/out-27

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[orig_h=172.17.0.2, orig_p=1234/tcp, resp_h=72.14.207.99, resp_p=80/tcp], T, 1, 1
+[orig_h=172.17.0.2, orig_p=1234/tcp, resp_h=72.14.207.99, resp_p=80/tcp], T, 27, 8
+[orig_h=172.17.0.2, orig_p=1234/tcp, resp_h=72.14.207.99, resp_p=80/tcp], T, 28, 4
+[orig_h=172.17.0.2, orig_p=1234/tcp, resp_h=72.14.207.99, resp_p=80/tcp], T, 0, 1
+[orig_h=172.17.0.2, orig_p=1234/tcp, resp_h=72.14.207.99, resp_p=80/tcp], T
+  kind: 1, length: 1
+  kind: 27, length: 8
+     TTL Diff: 1
+  kind: 28, length: 4
+  kind: 0, length: 1

testing/btest/core/tcp/options.zeek

@@ -1,7 +1,9 @@
 # @TEST-EXEC: zeek -b -r $TRACES/tcp/options.pcap %INPUT > out
 # @TEST-EXEC: zeek -b -r $TRACES/tcp/option-sack.pcap %INPUT > out-sack
+# @TEST-EXEC: zeek -b -r $TRACES/tcp/option-27.pcap %INPUT > out-27
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff out-sack
+# @TEST-EXEC: btest-diff out-27
 
 event tcp_option(c: connection, is_orig: bool, opt: count, optlen: count)
 	{
@@ -38,6 +40,9 @@ event tcp_options(c: connection, is_orig: bool, options: TCP::OptionList)
 				print fmt("    send ts: %s", o$send_timestamp);
 				print fmt("    echo ts: %s", o$echo_timestamp);
 				break;
+			case 27:
+				print fmt("     TTL Diff: %s", o$ttl_diff);
+				break;
 			}
 			}
 		}