Extend weird names that occur in core packet processing during decapsulation.

Appending "_in_tunnel" to the weird name makes it clear that the weird
occurred while processing a packet that was obtained through
decapsulation (i.e. an inner packet of a tunnel).
Jon Siwek 2012-06-07 13:03:13 -05:00
parent 6f346c8406
commit 9d2a21c490
3 changed files with 40 additions and 31 deletions


@ -353,7 +353,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
uint32 len = ip_hdr->TotalLen(); uint32 len = ip_hdr->TotalLen();
if ( hdr->len < len + hdr_size ) if ( hdr->len < len + hdr_size )
{ {
Weird("truncated_IP", hdr, pkt); Weird("truncated_IP", hdr, pkt, encapsulation);
return; return;
} }
@ -365,7 +365,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
if ( ! ignore_checksums && ip4 && if ( ! ignore_checksums && ip4 &&
ones_complement_checksum((void*) ip4, ip_hdr_len, 0) != 0xffff ) ones_complement_checksum((void*) ip4, ip_hdr_len, 0) != 0xffff )
{ {
Weird("bad_IP_checksum", hdr, pkt); Weird("bad_IP_checksum", hdr, pkt, encapsulation);
return; return;
} }
@ -380,7 +380,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
if ( caplen < len ) if ( caplen < len )
{ {
Weird("incompletely_captured_fragment", ip_hdr); Weird("incompletely_captured_fragment", ip_hdr, encapsulation);
// Don't try to reassemble, that's doomed. // Don't try to reassemble, that's doomed.
// Discard all except the first fragment (which // Discard all except the first fragment (which
@ -432,7 +432,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
if ( ! ignore_checksums && mobility_header_checksum(ip_hdr) != 0xffff ) if ( ! ignore_checksums && mobility_header_checksum(ip_hdr) != 0xffff )
{ {
Weird("bad_MH_checksum", hdr, pkt); Weird("bad_MH_checksum", hdr, pkt, encapsulation);
Remove(f); Remove(f);
return; return;
} }
@ -445,7 +445,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
} }
if ( ip_hdr->NextProto() != IPPROTO_NONE ) if ( ip_hdr->NextProto() != IPPROTO_NONE )
Weird("mobility_piggyback", hdr, pkt); Weird("mobility_piggyback", hdr, pkt, encapsulation);
Remove(f); Remove(f);
return; return;
@ -454,7 +454,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
int proto = ip_hdr->NextProto(); int proto = ip_hdr->NextProto();
if ( CheckHeaderTrunc(proto, len, caplen, hdr, pkt) ) if ( CheckHeaderTrunc(proto, len, caplen, hdr, pkt, encapsulation) )
{ {
Remove(f); Remove(f);
return; return;
@ -525,7 +525,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
{ {
if ( ! BifConst::Tunnel::enable_ip ) if ( ! BifConst::Tunnel::enable_ip )
{ {
reporter->Weird(ip_hdr->SrcAddr(), ip_hdr->DstAddr(), "IP_tunnel"); Weird("IP_tunnel", ip_hdr, encapsulation);
Remove(f); Remove(f);
return; return;
} }
@ -533,7 +533,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
if ( encapsulation && if ( encapsulation &&
encapsulation->Depth() >= BifConst::Tunnel::max_depth ) encapsulation->Depth() >= BifConst::Tunnel::max_depth )
{ {
reporter->Weird(ip_hdr->SrcAddr(), ip_hdr->DstAddr(), "tunnel_depth"); Weird("tunnel_depth", ip_hdr, encapsulation);
Remove(f); Remove(f);
return; return;
} }
@ -543,11 +543,9 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
int result = ParseIPPacket(caplen, data, proto, inner); int result = ParseIPPacket(caplen, data, proto, inner);
if ( result < 0 ) if ( result < 0 )
reporter->Weird(ip_hdr->SrcAddr(), ip_hdr->DstAddr(), Weird("truncated_inner_IP", ip_hdr, encapsulation);
"truncated_inner_IP");
else if ( result > 0 ) else if ( result > 0 )
reporter->Weird(ip_hdr->SrcAddr(), ip_hdr->DstAddr(), Weird("inner_IP_payload_mismatch", ip_hdr, encapsulation);
"inner_IP_payload_mismatch");
if ( result != 0 ) if ( result != 0 )
{ {
@ -599,7 +597,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
} }
default: default:
Weird(fmt("unknown_protocol_%d", proto), hdr, pkt); Weird(fmt("unknown_protocol_%d", proto), hdr, pkt, encapsulation);
Remove(f); Remove(f);
return; return;
} }
@ -746,7 +744,8 @@ int NetSessions::ParseIPPacket(int caplen, const u_char* const pkt, int proto,
} }
bool NetSessions::CheckHeaderTrunc(int proto, uint32 len, uint32 caplen, bool NetSessions::CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
const struct pcap_pkthdr* h, const u_char* p) const struct pcap_pkthdr* h,
const u_char* p, const Encapsulation* encap)
{ {
uint32 min_hdr_len = 0; uint32 min_hdr_len = 0;
switch ( proto ) { switch ( proto ) {
@ -775,13 +774,13 @@ bool NetSessions::CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
if ( len < min_hdr_len ) if ( len < min_hdr_len )
{ {
Weird("truncated_header", h, p); Weird("truncated_header", h, p, encap);
return true; return true;
} }
if ( caplen < min_hdr_len ) if ( caplen < min_hdr_len )
{ {
Weird("internally_truncated_header", h, p); Weird("internally_truncated_header", h, p, encap);
return true; return true;
} }
@ -1298,18 +1297,26 @@ void NetSessions::Internal(const char* msg, const struct pcap_pkthdr* hdr,
reporter->InternalError("%s", msg); reporter->InternalError("%s", msg);
} }
void NetSessions::Weird(const char* name, void NetSessions::Weird(const char* name, const struct pcap_pkthdr* hdr,
const struct pcap_pkthdr* hdr, const u_char* pkt) const u_char* pkt, const Encapsulation* encap)
{ {
if ( hdr ) if ( hdr )
dump_this_packet = 1; dump_this_packet = 1;
reporter->Weird(name); if ( encap && encap->LastType() != BifEnum::Tunnel::NONE )
reporter->Weird(fmt("%s_in_tunnel", name));
else
reporter->Weird(name);
} }
void NetSessions::Weird(const char* name, const IP_Hdr* ip) void NetSessions::Weird(const char* name, const IP_Hdr* ip,
const Encapsulation* encap)
{ {
reporter->Weird(ip->SrcAddr(), ip->DstAddr(), name); if ( encap && encap->LastType() != BifEnum::Tunnel::NONE )
reporter->Weird(ip->SrcAddr(), ip->DstAddr(),
fmt("%s_in_tunnel", name));
else
reporter->Weird(ip->SrcAddr(), ip->DstAddr(), name);
} }
unsigned int NetSessions::ConnectionMemoryUsage() unsigned int NetSessions::ConnectionMemoryUsage()
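Review bot: The new `fmt("%s_in_tunnel", name)` in NetSessions::Weird can be handed a `name` that is itself the return value of `fmt("unknown_protocol_%d", proto)` from the `default:` case earlier in this file section; if fmt() formats into a single static buffer (as Bro's util.cc fmt() has historically done — its body is not visible here, so confirm), the source string then aliases the vsnprintf destination, which is undefined behaviour and may yield a garbled weird name on exactly the attacker-controlled path of an unknown inner protocol arriving through a tunnel. Building the suffixed name into an owned std::string before reporting avoids the aliasing and also removes the suffix logic duplicated between the two overloads; the `.c_str()` temporary is safe as long as reporter->Weird copies the name, which it must already do to be safe with fmt()'s buffer. DoNextPacket starts and ends outside the visible hunks; the two Weird overloads are shown in full.
```cpp
// Name to report: "_in_tunnel" is appended when the weird was raised while
// processing a decapsulated packet.  Returns an owned string so a name that
// came from fmt()'s static buffer is never re-formatted into that same buffer.
static std::string WeirdName(const char* name, const Encapsulation* encap)
	{
	std::string n(name);
	if ( encap && encap->LastType() != BifEnum::Tunnel::NONE )
		n += "_in_tunnel";
	return n;
	}

void NetSessions::Weird(const char* name, const struct pcap_pkthdr* hdr,
			const u_char* pkt, const Encapsulation* encap)
	{
	if ( hdr )
		dump_this_packet = 1;
	reporter->Weird(WeirdName(name, encap).c_str());
	}

void NetSessions::Weird(const char* name, const IP_Hdr* ip,
			const Encapsulation* encap)
	{
	reporter->Weird(ip->SrcAddr(), ip->DstAddr(),
			WeirdName(name, encap).c_str());
	}
```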


@ -108,9 +108,10 @@ public:
void GetStats(SessionStats& s) const; void GetStats(SessionStats& s) const;
void Weird(const char* name, void Weird(const char* name, const struct pcap_pkthdr* hdr,
const struct pcap_pkthdr* hdr, const u_char* pkt); const u_char* pkt, const Encapsulation* encap = 0);
void Weird(const char* name, const IP_Hdr* ip); void Weird(const char* name, const IP_Hdr* ip,
const Encapsulation* encap = 0);
PacketFilter* GetPacketFilter() PacketFilter* GetPacketFilter()
{ {
@ -231,7 +232,8 @@ protected:
// from lower-level headers or the length actually captured is less // from lower-level headers or the length actually captured is less
// than that protocol's minimum header size. // than that protocol's minimum header size.
bool CheckHeaderTrunc(int proto, uint32 len, uint32 caplen, bool CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
const struct pcap_pkthdr* hdr, const u_char* pkt); const struct pcap_pkthdr* hdr, const u_char* pkt,
const Encapsulation* encap);
CompositeHash* ch; CompositeHash* ch;
PDict(Connection) tcp_conns; PDict(Connection) tcp_conns;
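Review bot: The public Weird overloads gain an `encap` parameter with a default of 0, but the header says nothing about what it changes, so a caller outside Sessions.cc cannot tell that passing an encapsulation rewrites the reported name; add above the first declaration `// Reports a weird for the packet being processed. If encap is non-NULL and its last tunnel type is not Tunnel::NONE, "_in_tunnel" is appended to name so that weirds raised on decapsulated packets are distinguishable in weird.log.` CheckHeaderTrunc already carries a comment; one sentence there noting that `encap` is only forwarded to Weird for that name suffix would keep the two declarations in step. The enclosing class declaration starts and ends outside the visible hunks.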


@ -5,15 +5,15 @@
#path weird #path weird
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string #types time string addr port addr port string string bool string
1258567191.405770 - - - - - truncated_header - F bro 1258567191.405770 - - - - - truncated_header_in_tunnel - F bro
1258567191.486869 UWkUyAuUGXf 192.168.1.105 57696 192.168.1.1 53 Teredo_payload_len_mismatch - F bro 1258567191.486869 UWkUyAuUGXf 192.168.1.105 57696 192.168.1.1 53 Teredo_payload_len_mismatch - F bro
1258578181.260420 - - - - - truncated_header - F bro 1258578181.260420 - - - - - truncated_header_in_tunnel - F bro
1258578181.516140 nQcgTWjvg4c 192.168.1.104 64838 192.168.1.1 53 Teredo_payload_len_mismatch - F bro 1258578181.516140 nQcgTWjvg4c 192.168.1.104 64838 192.168.1.1 53 Teredo_payload_len_mismatch - F bro
1258579063.557927 - - - - - truncated_header - F bro 1258579063.557927 - - - - - truncated_header_in_tunnel - F bro
1258579063.784919 j4u32Pc5bif 192.168.1.104 55778 192.168.1.1 53 Teredo_payload_len_mismatch - F bro 1258579063.784919 j4u32Pc5bif 192.168.1.104 55778 192.168.1.1 53 Teredo_payload_len_mismatch - F bro
1258581768.568451 - - - - - truncated_header - F bro 1258581768.568451 - - - - - truncated_header_in_tunnel - F bro
1258581768.898165 TEfuqmmG4bh 192.168.1.104 50798 192.168.1.1 53 Teredo_payload_len_mismatch - F bro 1258581768.898165 TEfuqmmG4bh 192.168.1.104 50798 192.168.1.1 53 Teredo_payload_len_mismatch - F bro
1258584478.859853 - - - - - truncated_header - F bro 1258584478.859853 - - - - - truncated_header_in_tunnel - F bro
1258584478.989528 FrJExwHcSal 192.168.1.104 64963 192.168.1.1 53 Teredo_payload_len_mismatch - F bro 1258584478.989528 FrJExwHcSal 192.168.1.104 64963 192.168.1.1 53 Teredo_payload_len_mismatch - F bro
1258600683.934458 - - - - - truncated_header - F bro 1258600683.934458 - - - - - truncated_header_in_tunnel - F bro
1258600683.934672 5OKnoww6xl4 192.168.1.103 59838 192.168.1.1 53 Teredo_payload_len_mismatch - F bro 1258600683.934672 5OKnoww6xl4 192.168.1.103 59838 192.168.1.1 53 Teredo_payload_len_mismatch - F bro