Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fix IEEE 802.11 analyzer to skip packets with the Protected bit enabled

Browse source
This commit is contained in:
Tim Wojtulewicz 2023-04-13 15:48:06 -07:00 committed by Tim Wojtulewicz
parent 69d72f3bbb
commit e4a1c30828
3 changed files with 18 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

26
src/packet_analysis/protocol/ieee802_11/IEEE802_11.cc
View file

@ -26,19 +26,22 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet*
if ( (fc_80211 >> 4) & 0x04 ) if ( (fc_80211 >> 4) & 0x04 )
return false; return false;
// 'To DS' and 'From DS' flags set indicate use of the 4th // 'To DS' and 'From DS' flags set indicate use of the 4th address field.
// address field.
if ( (data[1] & 0x03) == 0x03 ) if ( (data[1] & 0x03) == 0x03 )
len_80211 += packet->L2_ADDR_LEN; len_80211 += packet->L2_ADDR_LEN;
// Look for the QoS indicator bit. // Look for the QoS indicator bit.
if ( (fc_80211 >> 4) & 0x08 ) if ( (fc_80211 >> 4) & 0x08 )
{ {
// Skip in case of A-MSDU subframes indicated by QoS // Skip in case of A-MSDU subframes indicated by QoS control field.
// control field.
if ( data[len_80211] & 0x80 ) if ( data[len_80211] & 0x80 )
return false; return false;
// Check for the protected bit. This means the data is encrypted and we can't
// do anything with it.
if ( data[1] & 0x40 )
return true;
len_80211 += 2; len_80211 += 2;
} }
@ -48,8 +51,7 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet*
return false; return false;
} }
// Determine link-layer addresses based // Determine link-layer addresses based on 'To DS' and 'From DS' flags
// on 'To DS' and 'From DS' flags
switch ( data[1] & 0x03 ) switch ( data[1] & 0x03 )
{ {
case 0x00: case 0x00:
@ -83,10 +85,9 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet*
return false; return false;
} }
// Check that the DSAP and SSAP are both SNAP and that the control // Check that the DSAP and SSAP are both SNAP and that the control field indicates that this is
// field indicates that this is an unnumbered frame. // an unnumbered frame. The organization code (24bits) needs to also be zero to indicate that
// The organization code (24bits) needs to also be zero to // this is encapsulated ethernet.
// indicate that this is encapsulated ethernet.
if ( data[0] == 0xAA && data[1] == 0xAA && data[2] == 0x03 && data[3] == 0 && data[4] == 0 && if ( data[0] == 0xAA && data[1] == 0xAA && data[2] == 0x03 && data[3] == 0 && data[4] == 0 &&
data[5] == 0 ) data[5] == 0 )
{ {
@ -94,9 +95,8 @@ bool IEEE802_11Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet*
} }
else else
{ {
// If this is a logical link control frame without the // If this is a logical link control frame without the possibility of having a protocol we
// possibility of having a protocol we care about, we'll // care about, we'll just skip it for now.
// just skip it for now.
return false; return false;
} }

BIN
testing/btest/Traces/tunnels/gre-aruba-ccmp.pcap Normal file
View file

Binary file not shown.

5
testing/btest/core/tunnels/gre-aruba-ccmp.zeek Normal file
View file

@ -0,0 +1,5 @@
# @TEST-DOC: Tests a GRE ARUBA trace that contains IEEE 802.11 CCMP headers. This should report a weird about encrypted data.
# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/gre-aruba-ccmp.pcap %INPUT
# @TEST-EXEC: btest-diff weird.log
@load base/frameworks/notice/weird