From 4d86f38be0d76ef812fb5a40d66984a75227dfbf Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Tue, 24 Apr 2012 14:12:42 -0500
Subject: [PATCH 1/2] Remove invalid IP-in-IP encapsulated protocol value.
---
 src/Sessions.cc | 2 --
 1 file changed, 2 deletions(-)
diff --git a/src/Sessions.cc b/src/Sessions.cc
index 326306c2fd..dbf6f1c22a 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -522,7 +522,6 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 break;
 }
- case IPPROTO_IP:
 case IPPROTO_IPV4:
 case IPPROTO_IPV6:
 {
@@ -674,7 +673,6 @@ bool NetSessions::CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
 case IPPROTO_UDP:
 min_hdr_len = sizeof(struct udphdr);
 break;
- case IPPROTO_IP:
 case IPPROTO_IPV4:
 min_hdr_len = sizeof(struct ip);
 break;
From bd01525a86b9bfbbc0dc5475439b7acfdb09ae10 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Tue, 24 Apr 2012 14:25:47 -0500
Subject: [PATCH 2/2] Remove Tunnel::decapsulate_ip option. Setting Tunnel::max_depth to zero effectively disables tunnel decapsulation.
---
 scripts/base/init-bare.bro | 4 +---
 src/AYIYA.h | 2 +-
 src/Sessions.cc | 7 -------
 src/const.bif | 1 -
 4 files changed, 2 insertions(+), 12 deletions(-)
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 45ec94baa8..a04063b55a 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2629,10 +2629,8 @@ const ignore_keep_alive_rexmit = F &redef;
 module Tunnel;
 export {
- ## Whether to decapsulate IP tunnels (IPinIP, 6in4, 6to4)
- const decapsulate_ip = T &redef;
-
 ## The maximum depth of a tunnel to decapsulate until giving up.
+ ## Setting this to zero will disable tunnel decapsulation.
 const max_depth: count = 2 &redef;
 } # end export
 module GLOBAL;
diff --git a/src/AYIYA.h b/src/AYIYA.h
index f7c67ced5b..bf1fb0bf2c 100644
--- a/src/AYIYA.h
+++ b/src/AYIYA.h
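Review bot: The added doc line on `Tunnel::max_depth` in init-bare.bro says that zero disables decapsulation, but not how the skipped traffic is then reported. Per the Sessions.cc hunk of this same patch, the `ip_tunnel` weird is removed and the remaining check `encapsulation.Depth() >= BifConst::Tunnel::max_depth` raises `tunnel_depth` instead, so any site script or alerting keyed on `ip_tunnel` would stop matching without an error. I would extend the comment to something like `## Setting this to zero will disable tunnel decapsulation; encapsulated packets are then reported with the "tunnel_depth" weird.` Existing `redef Tunnel::decapsulate_ip` lines presumably fail to load once the constant is gone, which deserves a changelog entry pointing at `max_depth`.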
@@ -16,7 +16,7 @@ public:
 { return new AYIYA_Analyzer(conn); }
 static bool Available()
- { return BifConst::Tunnel::decapsulate_ip; }
+ { return BifConst::Tunnel::max_depth > 0; }
 protected:
 friend class AnalyzerTimer;
diff --git a/src/Sessions.cc b/src/Sessions.cc
index dbf6f1c22a..cb2b5633ca 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -525,13 +525,6 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 case IPPROTO_IPV4:
 case IPPROTO_IPV6:
 {
- if ( ! BifConst::Tunnel::decapsulate_ip )
- {
- reporter->Weird(ip_hdr->SrcAddr(), ip_hdr->DstAddr(), "ip_tunnel");
- Remove(f);
- return;
- }
-
 if ( encapsulation.Depth() >= BifConst::Tunnel::max_depth )
 {
 reporter->Weird(ip_hdr->SrcAddr(), ip_hdr->DstAddr(), "tunnel_depth");
diff --git a/src/const.bif b/src/const.bif
index db5fbbd2cb..09ce769261 100644
--- a/src/const.bif
+++ b/src/const.bif
@@ -11,5 +11,4 @@ const NFS3::return_data: bool;
 const NFS3::return_data_max: count;
 const NFS3::return_data_first_only: bool;
-const Tunnel::decapsulate_ip: bool;
 const Tunnel::max_depth: count;
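Review bot: `Available()` in src/AYIYA.h now switches the AYIYA analyzer off whenever `Tunnel::max_depth` is zero, and nothing at the function documents that coupling. The IP-in-IP path in Sessions.cc still raises the `tunnel_depth` weird when the depth limit is hit, but an unavailable analyzer presumably leaves AYIYA-encapsulated traffic with no log record that a tunnel was seen and skipped; please confirm against the analyzer registration code, which is outside this hunk. I would add a comment above the function such as `// Disabled when Tunnel::max_depth is 0; AYIYA payloads are then not decapsulated or inspected.`, and consider raising a weird in that case so the inspection gap shows up in the logs. The class body starts and ends outside the hunk.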