mirror of
https://github.com/zeek/zeek.git
synced 2025-10-08 01:28:20 +00:00
Suppress Teredo weirds unless decapsulation was successful once before.
This commit is contained in:
Jon Siwek
parent
9851591317
commit
ae85bd1b95
3 changed files with 39 additions and 20 deletions
|
|
@ -215,6 +215,11 @@ public:
|
|||
// analyzer, even if the method is called multiple times.
|
||||
virtual void ProtocolConfirmation();
|
||||
|
||||
// Return whether the analyzer previously called ProtocolConfirmation()
|
||||
// at least once before.
|
||||
virtual bool ProtocolConfirmed() const
|
||||
{ return protocol_confirmed; }
|
||||
|
||||
// Report that we found a significant protocol violation which might
|
||||
// indicate that the analyzed data is in fact not the expected
|
||||
// protocol. The protocol_violation event is raised once per call to
|
||||
|
|
|
|||
|
|
@ -13,7 +13,8 @@ bool TeredoEncapsulation::DoParse(const u_char* data, int& len,
|
|||
{
|
||||
if ( len < 2 )
|
||||
{
|
||||
reporter->Weird(conn, "truncated_Teredo");
|
||||
Weird("truncated_Teredo");
|
||||
return false;
|
||||
}
|
||||
|
||||
uint16 tag = ntohs((*((const uint16*)data)));
|
||||
|
|
@ -27,7 +28,7 @@ bool TeredoEncapsulation::DoParse(const u_char* data, int& len,
|
|||
|
||||
if ( len < 8 )
|
||||
{
|
||||
reporter->Weird(conn, "truncated_Teredo_origin_indication");
|
||||
Weird("truncated_Teredo_origin_indication");
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
@ -46,7 +47,7 @@ bool TeredoEncapsulation::DoParse(const u_char* data, int& len,
|
|||
|
||||
if ( len < 4 )
|
||||
{
|
||||
reporter->Weird(conn, "truncated_Teredo_authentication");
|
||||
Weird("truncated_Teredo_authentication");
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
@ -56,7 +57,7 @@ bool TeredoEncapsulation::DoParse(const u_char* data, int& len,
|
|||
|
||||
if ( len < tot_len )
|
||||
{
|
||||
reporter->Weird(conn, "truncated_Teredo_authentication");
|
||||
Weird("truncated_Teredo_authentication");
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
@ -70,13 +71,13 @@ bool TeredoEncapsulation::DoParse(const u_char* data, int& len,
|
|||
// IPv6
|
||||
if ( len < 40 )
|
||||
{
|
||||
reporter->Weird(conn, "truncated_IPv6_in_Teredo");
|
||||
Weird("truncated_IPv6_in_Teredo");
|
||||
return false;
|
||||
}
|
||||
|
||||
if ( len - 40 != ntohs(((const struct ip6_hdr*)data)->ip6_plen) )
|
||||
{
|
||||
reporter->Weird(conn, "Teredo_payload_len_mismatch");
|
||||
Weird("Teredo_payload_len_mismatch");
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
@ -92,25 +93,24 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
|
|||
{
|
||||
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
|
||||
|
||||
const Encapsulation* e = Conn()->GetEncapsulation();
|
||||
|
||||
if ( e && e->Depth() >= BifConst::Tunnel::max_depth )
|
||||
{
|
||||
reporter->Weird(Conn(), "tunnel_depth");
|
||||
return;
|
||||
}
|
||||
|
||||
TeredoEncapsulation te(Conn());
|
||||
TeredoEncapsulation te(this);
|
||||
|
||||
if ( ! te.Parse(data, len) )
|
||||
{
|
||||
ProtocolViolation("Invalid Teredo encapsulation", (const char*)data,
|
||||
len);
|
||||
ProtocolViolation("Bad Teredo encapsulation", (const char*)data, len);
|
||||
return;
|
||||
}
|
||||
|
||||
ProtocolConfirmation();
|
||||
|
||||
const Encapsulation* e = Conn()->GetEncapsulation();
|
||||
|
||||
if ( e && e->Depth() >= BifConst::Tunnel::max_depth )
|
||||
{
|
||||
Weird("tunnel_depth");
|
||||
return;
|
||||
}
|
||||
|
||||
// TODO: raise Teredo-specific events
|
||||
|
||||
Encapsulation* outer = new Encapsulation(e);
|
||||
|
|
|
|||
20
src/Teredo.h
20
src/Teredo.h
|
|
@ -24,6 +24,17 @@ public:
|
|||
//TODO: specific option to turn off Teredo analysis?
|
||||
{ return BifConst::Tunnel::max_depth > 0; }
|
||||
|
||||
/**
|
||||
* Emits a weird only if the analyzer has previously been able to
|
||||
* decapsulate a Teredo packet since otherwise the weirds could happen
|
||||
* frequently enough to be less than helpful.
|
||||
*/
|
||||
void Weird(const char* name) const
|
||||
{
|
||||
if ( ProtocolConfirmed() )
|
||||
reporter->Weird(Conn(), name);
|
||||
}
|
||||
|
||||
protected:
|
||||
friend class AnalyzerTimer;
|
||||
void ExpireTimer(double t);
|
||||
|
|
@ -31,8 +42,8 @@ protected:
|
|||
|
||||
class TeredoEncapsulation {
|
||||
public:
|
||||
TeredoEncapsulation(Connection* c)
|
||||
: inner_ip(0), origin_indication(0), auth(0), conn(c)
|
||||
TeredoEncapsulation(const Teredo_Analyzer* ta)
|
||||
: inner_ip(0), origin_indication(0), auth(0), analyzer(ta)
|
||||
{}
|
||||
|
||||
/**
|
||||
|
|
@ -54,10 +65,13 @@ public:
|
|||
protected:
|
||||
bool DoParse(const u_char* data, int& len, bool found_orig, bool found_au);
|
||||
|
||||
void Weird(const char* name) const
|
||||
{ analyzer->Weird(name); }
|
||||
|
||||
const u_char* inner_ip;
|
||||
const u_char* origin_indication;
|
||||
const u_char* auth;
|
||||
Connection* conn;
|
||||
const Teredo_Analyzer* analyzer;
|
||||
};
|
||||
|
||||
#endif
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue