Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 10:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Rework Sessions::Weird

Browse source
This commit is contained in:
Tim Wojtulewicz 2020-10-14 12:37:46 -07:00
parent b1e517e863
commit a99b540e46
17 changed files with 130 additions and 128 deletions
Download patch file Download diff file Expand all files Collapse all files

25
src/packet_analysis/protocol/gre/GRE.cc
View file

@ -50,7 +50,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( ! BifConst::Tunnel::enable_gre )
{
sessions->Weird("GRE_tunnel", packet->ip_hdr.get(), packet->encap);
sessions->Weird("GRE_tunnel", packet);
return false;
}
@ -68,8 +68,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( gre_version != 0 && gre_version != 1 )
{
sessions->Weird("unknown_gre_version", packet->ip_hdr.get(), packet->encap,
util::fmt("%d", gre_version));
sessions->Weird("unknown_gre_version", packet, util::fmt("%d", gre_version));
return false;
}
@ -86,7 +85,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
}
else
{
sessions->Weird("truncated_GRE", packet->ip_hdr.get(), packet->encap);
sessions->Weird("truncated_GRE", packet);
return false;
}
}
@ -103,7 +102,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
}
else
{
sessions->Weird("truncated_GRE", packet->ip_hdr.get(), packet->encap);
sessions->Weird("truncated_GRE", packet);
return false;
}
}
@ -126,7 +125,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
erspan_len += 8;
else
{
sessions->Weird("truncated_GRE", packet->ip_hdr.get(), packet->encap);
sessions->Weird("truncated_GRE", packet);
return false;
}
}
@ -135,7 +134,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
}
else
{
sessions->Weird("truncated_GRE", packet->ip_hdr.get(), packet->encap);
sessions->Weird("truncated_GRE", packet);
return false;
}
}
@ -146,8 +145,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( proto_typ != 0x880b )
{
// Enhanced GRE payload must be PPP.
sessions->Weird("egre_protocol_type", packet->ip_hdr.get(), packet->encap,
util::fmt("%d", proto_typ));
sessions->Weird("egre_protocol_type", packet, util::fmt("%d", proto_typ));
return false;
}
}
@ -157,20 +155,20 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
// RFC 2784 deprecates the variable length routing field
// specified by RFC 1701. It could be parsed here, but easiest
// to just skip for now.
sessions->Weird("gre_routing", packet->ip_hdr.get(), packet->encap);
sessions->Weird("gre_routing", packet);
return false;
}
if ( flags_ver & 0x0078 )
{
// Expect last 4 bits of flags are reserved, undefined.
sessions->Weird("unknown_gre_flags", packet->ip_hdr.get(), packet->encap);
sessions->Weird("unknown_gre_flags", packet);
return false;
}
if ( len < gre_len + ppp_len + eth_len + erspan_len )
{
sessions->Weird("truncated_GRE", packet->ip_hdr.get(), packet->encap);
sessions->Weird("truncated_GRE", packet);
return false;
}
@ -180,8 +178,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( ppp_proto != 0x0021 && ppp_proto != 0x0057 )
{
sessions->Weird("non_ip_packet_in_encap", packet->ip_hdr.get(),
packet->encap);
sessions->Weird("non_ip_packet_in_encap", packet);
return false;
}

28
src/packet_analysis/protocol/ip/IP.cc
View file

@ -34,7 +34,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
// check ipv4 here. We'll check ipv6 later once we determine we have an ipv6 header.
if ( len < sizeof(struct ip) )
{
packet->Weird("truncated_IP");
sessions->Weird("truncated_IP", packet);
return false;
}
@ -58,7 +58,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{
if ( len < sizeof(struct ip6_hdr) )
{
packet->Weird("truncated_IP");
sessions->Weird("truncated_IP", packet);
return false;
}
@ -67,7 +67,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
}
else
{
packet->Weird("unknown_ip_version");
sessions->Weird("unknown_ip_version", packet);
return false;
}
@ -78,7 +78,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( total_len == 0 )
{
// TCP segmentation offloading can zero out the ip_len field.
packet->Weird("ip_hdr_len_zero", packet->encap);
sessions->Weird("ip_hdr_len_zero", packet);
// Cope with the zero'd out ip_len field by using the caplen.
total_len = packet->cap_len - packet->hdr_size;
@ -86,7 +86,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( packet->len < total_len + packet->hdr_size )
{
packet->Weird("truncated_IPv6", packet->encap);
sessions->Weird("truncated_IPv6", packet);
return false;
}
@ -95,13 +95,13 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
uint16_t ip_hdr_len = packet->ip_hdr->HdrLen();
if ( ip_hdr_len > total_len )
{
sessions->Weird("invalid_IP_header_size", packet->ip_hdr.get(), packet->encap);
sessions->Weird("invalid_IP_header_size", packet);
return false;
}
if ( ip_hdr_len > len )
{
sessions->Weird("internally_truncated_header", packet->ip_hdr.get(), packet->encap);
sessions->Weird("internally_truncated_header", packet);
return false;
}
@ -109,7 +109,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{
if ( ip_hdr_len < sizeof(struct ip) )
{
packet->Weird("IPv4_min_header_size");
sessions->Weird("IPv4_min_header_size", packet);
return false;
}
}
@ -117,7 +117,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
{
if ( ip_hdr_len < sizeof(struct ip6_hdr) )
{
packet->Weird("IPv6_min_header_size");
sessions->Weird("IPv6_min_header_size", packet);
return false;
}
}
@ -130,7 +130,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( ! packet->l2_checksummed && ! detail::ignore_checksums && ip4 &&
detail::in_cksum(reinterpret_cast<const uint8_t*>(ip4), ip_hdr_len) != 0xffff )
{
sessions->Weird("bad_IP_checksum", packet, packet->encap);
sessions->Weird("bad_IP_checksum", packet);
return false;
}
@ -145,7 +145,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( len < total_len )
{
sessions->Weird("incompletely_captured_fragment", packet->ip_hdr.get(), packet->encap);
sessions->Weird("incompletely_captured_fragment", packet);
// Don't try to reassemble, that's doomed.
// Discard all except the first fragment (which
@ -175,7 +175,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( ip_hdr_len > total_len )
{
sessions->Weird("invalid_IP_header_size", packet->ip_hdr.get(), packet->encap);
sessions->Weird("invalid_IP_header_size", packet);
return false;
}
}
@ -204,7 +204,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
if ( ! ignore_checksums && mobility_header_checksum(packet->ip_hdr) != 0xffff )
{
sessions->Weird("bad_MH_checksum", packet, packet->encap);
sessions->Weird("bad_MH_checksum", packet);
return false;
}
@ -212,7 +212,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
event_mgr.Enqueue(mobile_ipv6_message, packet->ip_hdr->ToPktHdrVal());
if ( packet->ip_hdr->NextProto() != IPPROTO_NONE )
sessions->Weird("mobility_piggyback", packet, packet->encap);
sessions->Weird("mobility_piggyback", packet);
return true;
}

10
src/packet_analysis/protocol/iptunnel/IPTunnel.cc
View file

@ -28,14 +28,14 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
if ( ! BifConst::Tunnel::enable_ip )
{
sessions->Weird("IP_tunnel", packet->ip_hdr.get(), packet->encap);
sessions->Weird("IP_tunnel", packet);
return false;
}
if ( packet->encap &&
packet->encap->Depth() >= BifConst::Tunnel::max_depth )
{
sessions->Weird("exceeded_tunnel_max_depth", packet->ip_hdr.get(), packet->encap);
sessions->Weird("exceeded_tunnel_max_depth", packet);
return false;
}
@ -51,11 +51,11 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
// Check for a valid inner packet first.
int result = sessions->ParseIPPacket(len, data, proto, inner);
if ( result == -2 )
sessions->Weird("invalid_inner_IP_version", packet->ip_hdr.get(), packet->encap);
sessions->Weird("invalid_inner_IP_version", packet);
else if ( result < 0 )
sessions->Weird("truncated_inner_IP", packet->ip_hdr.get(), packet->encap);
sessions->Weird("truncated_inner_IP", packet);
else if ( result > 0 )
sessions->Weird("inner_IP_payload_length_mismatch", packet->ip_hdr.get(), packet->encap);
sessions->Weird("inner_IP_payload_length_mismatch", packet);
if ( result != 0 )
{