Make Teredo DPD signature more precise.

Contributed by Martina Balint in https://github.com/bro/bro/pull/39. (I didn't merge the github branch, as that has some more stuff in its history. Instead I applied the single-line change directly.)
2025-10-10 02:28:21 +00:00 · 2015-08-12 17:02:24 -07:00 · 2015-08-12 17:02:24 -07:00 · a9867c706d
commit a9867c706d
parent 7d71f0047f
3 changed files with 6 additions and 2 deletions
--- a/4
+++ b/4
@ -1,4 +1,8 @@

+2.4-86 | 2015-08-12 17:02:24 -0700
+
+  * Make Teredo DPD signature more precise. (Martina Balint.)
+
 2.4-84 | 2015-08-10 14:44:39 -0700

  * Add hook 'HookSetupAnalyzerTree' to allow plugins access to a
--- a/2
+++ b/2
@ -1 +1 @@
-2.4-84
+2.4-86
--- a/scripts/base/protocols/tunnels/dpd.sig
+++ b/scripts/base/protocols/tunnels/dpd.sig
@ -9,6 +9,6 @@ signature dpd_ayiya {

 signature dpd_teredo {
  ip-proto = udp
-  payload /^(\x00\x00)|(\x00\x01)|([\x60-\x6f])/
+  payload /^(\x00\x00)|(\x00\x01)|([\x60-\x6f].{7}((\x20\x01\x00\x00)).{28})|([\x60-\x6f].{23}((\x20\x01\x00\x00))).{12}/
  enable "teredo"
 }
 @ -1 +1 @@
 .4-84
 .4-86