Extend weird names that occur in core packet processing during decapsulation.

Appending "_in_tunnel" to the weird name might help clarify that
the weird occurred while processing a packet that was obtained
through decapsulation.
This commit is contained in:
Jon Siwek 2012-06-07 13:03:13 -05:00
parent 6f346c8406
commit 9d2a21c490
3 changed files with 40 additions and 31 deletions


@ -353,7 +353,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
uint32 len = ip_hdr->TotalLen();
if ( hdr->len < len + hdr_size )
{
Weird("truncated_IP", hdr, pkt);
Weird("truncated_IP", hdr, pkt, encapsulation);
return;
}
@ -365,7 +365,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
if ( ! ignore_checksums && ip4 &&
ones_complement_checksum((void*) ip4, ip_hdr_len, 0) != 0xffff )
{
Weird("bad_IP_checksum", hdr, pkt);
Weird("bad_IP_checksum", hdr, pkt, encapsulation);
return;
}
@ -380,7 +380,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
if ( caplen < len )
{
Weird("incompletely_captured_fragment", ip_hdr);
Weird("incompletely_captured_fragment", ip_hdr, encapsulation);
// Don't try to reassemble, that's doomed.
// Discard all except the first fragment (which
@ -432,7 +432,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
if ( ! ignore_checksums && mobility_header_checksum(ip_hdr) != 0xffff )
{
Weird("bad_MH_checksum", hdr, pkt);
Weird("bad_MH_checksum", hdr, pkt, encapsulation);
Remove(f);
return;
}
@ -445,7 +445,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
}
if ( ip_hdr->NextProto() != IPPROTO_NONE )
Weird("mobility_piggyback", hdr, pkt);
Weird("mobility_piggyback", hdr, pkt, encapsulation);
Remove(f);
return;
@ -454,7 +454,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
int proto = ip_hdr->NextProto();
if ( CheckHeaderTrunc(proto, len, caplen, hdr, pkt) )
if ( CheckHeaderTrunc(proto, len, caplen, hdr, pkt, encapsulation) )
{
Remove(f);
return;
@ -525,7 +525,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
{
if ( ! BifConst::Tunnel::enable_ip )
{
reporter->Weird(ip_hdr->SrcAddr(), ip_hdr->DstAddr(), "IP_tunnel");
Weird("IP_tunnel", ip_hdr, encapsulation);
Remove(f);
return;
}
@ -533,7 +533,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
if ( encapsulation &&
encapsulation->Depth() >= BifConst::Tunnel::max_depth )
{
reporter->Weird(ip_hdr->SrcAddr(), ip_hdr->DstAddr(), "tunnel_depth");
Weird("tunnel_depth", ip_hdr, encapsulation);
Remove(f);
return;
}
@ -543,11 +543,9 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
int result = ParseIPPacket(caplen, data, proto, inner);
if ( result < 0 )
reporter->Weird(ip_hdr->SrcAddr(), ip_hdr->DstAddr(),
"truncated_inner_IP");
Weird("truncated_inner_IP", ip_hdr, encapsulation);
else if ( result > 0 )
reporter->Weird(ip_hdr->SrcAddr(), ip_hdr->DstAddr(),
"inner_IP_payload_mismatch");
Weird("inner_IP_payload_mismatch", ip_hdr, encapsulation);
if ( result != 0 )
{
@ -599,7 +597,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
}
default:
Weird(fmt("unknown_protocol_%d", proto), hdr, pkt);
Weird(fmt("unknown_protocol_%d", proto), hdr, pkt, encapsulation);
Remove(f);
return;
}
@ -746,7 +744,8 @@ int NetSessions::ParseIPPacket(int caplen, const u_char* const pkt, int proto,
}
bool NetSessions::CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
const struct pcap_pkthdr* h, const u_char* p)
const struct pcap_pkthdr* h,
const u_char* p, const Encapsulation* encap)
{
uint32 min_hdr_len = 0;
switch ( proto ) {
@ -775,13 +774,13 @@ bool NetSessions::CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
if ( len < min_hdr_len )
{
Weird("truncated_header", h, p);
Weird("truncated_header", h, p, encap);
return true;
}
if ( caplen < min_hdr_len )
{
Weird("internally_truncated_header", h, p);
Weird("internally_truncated_header", h, p, encap);
return true;
}
@ -1298,17 +1297,25 @@ void NetSessions::Internal(const char* msg, const struct pcap_pkthdr* hdr,
reporter->InternalError("%s", msg);
}
void NetSessions::Weird(const char* name,
const struct pcap_pkthdr* hdr, const u_char* pkt)
void NetSessions::Weird(const char* name, const struct pcap_pkthdr* hdr,
const u_char* pkt, const Encapsulation* encap)
{
if ( hdr )
dump_this_packet = 1;
if ( encap && encap->LastType() != BifEnum::Tunnel::NONE )
reporter->Weird(fmt("%s_in_tunnel", name));
else
reporter->Weird(name);
}
void NetSessions::Weird(const char* name, const IP_Hdr* ip)
void NetSessions::Weird(const char* name, const IP_Hdr* ip,
const Encapsulation* encap)
{
if ( encap && encap->LastType() != BifEnum::Tunnel::NONE )
reporter->Weird(ip->SrcAddr(), ip->DstAddr(),
fmt("%s_in_tunnel", name));
else
reporter->Weird(ip->SrcAddr(), ip->DstAddr(), name);
}
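Review bot: The call `Weird(fmt("unknown_protocol_%d", proto), hdr, pkt, encapsulation)` in the `default:` branch now feeds one `fmt()` result into another, because the new `Weird` re-formats with `fmt("%s_in_tunnel", name)` while `name` still points at the buffer the outer `fmt()` returned. If `fmt()` writes into a single shared static buffer (as I recall Bro's util `fmt` does — worth confirming), the `%s` source and the destination overlap and the resulting weird name for a tunneled packet with an unknown inner protocol is undefined. Copying the name before re-formatting avoids this, e.g. `std::string n = name; reporter->Weird(fmt("%s_in_tunnel", n.c_str()));`, or the same in the `IP_Hdr` overload; the other call sites pass string literals and are unaffected. Note that `DoNextPacket`, which contains that call, starts and ends outside the hunks shown.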


@ -108,9 +108,10 @@ public:
void GetStats(SessionStats& s) const;
void Weird(const char* name,
const struct pcap_pkthdr* hdr, const u_char* pkt);
void Weird(const char* name, const IP_Hdr* ip);
void Weird(const char* name, const struct pcap_pkthdr* hdr,
const u_char* pkt, const Encapsulation* encap = 0);
void Weird(const char* name, const IP_Hdr* ip,
const Encapsulation* encap = 0);
PacketFilter* GetPacketFilter()
{
@ -231,7 +232,8 @@ protected:
// from lower-level headers or the length actually captured is less
// than that protocol's minimum header size.
bool CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
const struct pcap_pkthdr* hdr, const u_char* pkt);
const struct pcap_pkthdr* hdr, const u_char* pkt,
const Encapsulation* encap);
CompositeHash* ch;
PDict(Connection) tcp_conns;
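Review bot: The `encap` parameter added to both `Weird` overloads alters the reported weird name, but the declarations carry no comment, so a caller can only discover the `_in_tunnel` behaviour by reading Sessions.cc. Suggested comment above the two `Weird` declarations: `// If encap is non-null and its last tunnel type is not NONE, the weird is reported as "<name>_in_tunnel".` The `encap` parameter added to `CheckHeaderTrunc` only forwards to `Weird`, so a short "passed through to Weird()" remark in its existing comment block would cover it.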


@ -5,15 +5,15 @@
#path weird
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1258567191.405770 - - - - - truncated_header - F bro
1258567191.405770 - - - - - truncated_header_in_tunnel - F bro
1258567191.486869 UWkUyAuUGXf 192.168.1.105 57696 192.168.1.1 53 Teredo_payload_len_mismatch - F bro
1258578181.260420 - - - - - truncated_header - F bro
1258578181.260420 - - - - - truncated_header_in_tunnel - F bro
1258578181.516140 nQcgTWjvg4c 192.168.1.104 64838 192.168.1.1 53 Teredo_payload_len_mismatch - F bro
1258579063.557927 - - - - - truncated_header - F bro
1258579063.557927 - - - - - truncated_header_in_tunnel - F bro
1258579063.784919 j4u32Pc5bif 192.168.1.104 55778 192.168.1.1 53 Teredo_payload_len_mismatch - F bro
1258581768.568451 - - - - - truncated_header - F bro
1258581768.568451 - - - - - truncated_header_in_tunnel - F bro
1258581768.898165 TEfuqmmG4bh 192.168.1.104 50798 192.168.1.1 53 Teredo_payload_len_mismatch - F bro
1258584478.859853 - - - - - truncated_header - F bro
1258584478.859853 - - - - - truncated_header_in_tunnel - F bro
1258584478.989528 FrJExwHcSal 192.168.1.104 64963 192.168.1.1 53 Teredo_payload_len_mismatch - F bro
1258600683.934458 - - - - - truncated_header - F bro
1258600683.934458 - - - - - truncated_header_in_tunnel - F bro
1258600683.934672 5OKnoww6xl4 192.168.1.103 59838 192.168.1.1 53 Teredo_payload_len_mismatch - F bro