Add new Tunnel::delay_teredo_confirmation option, default to true.

This option indicates that the Teredo analyzer should wait until it sees both sides of a connection using a valid Teredo encapsulation before issuing a protocol_confirmation. Previous behavior confirmed on the first instance of a valid encapsulation, which could result in more false positives (and e.g. bogus entries in known-services.log). Addresses #890.
2025-10-03 15:18:20 +00:00 · 2012-10-02 15:13:38 -05:00 · 2012-10-02 15:13:38 -05:00 · 5f3af9e9eb
commit 5f3af9e9eb
parent b4b7a384dc
11 changed files with 87 additions and 30 deletions
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -2784,6 +2784,14 @@ export {
 	## to have a valid Teredo encapsulation.
 	const yielding_teredo_decapsulation = T &redef;

+	## With this set, the Teredo analyzer waits until it sees both sides
+	## of a connection using a valid Teredo encapsulation before issuing
+	## a :bro:see:`protocol_confirmation`.  If it's false, the first
+	## occurence of a packet with valid Teredo encapsulation causes a
+	## confirmation.  Both cases are still subject to effects of
+	## :bro:see:`Tunnel::yielding_teredo_decapsulation`.
+	const delay_teredo_confirmation = T &redef;
+
 	## How often to cleanup internal state for inactive IP tunnels.
 	const ip_tunnel_timeout = 24hrs &redef;
 } # end export