mirror of
https://github.com/zeek/zeek.git
synced 2025-10-11 02:58:20 +00:00
924ed053c7
IP packets that have a header length that is greater than the total length of the packet cause a integer overflow, which cause range-checks to fail, which causes OOB reads. Furthermore Bro does not currently check the version field of IP packets that are read from tunnels. I added this check - otherwhise Bro reports bogus IP information in its error messages, just converting the data from the place where the IP information is supposed to be to IPs. This behavior brings us closer to what other software (e.g. Wireshark) displays in these cases.
80 lines
2.7 KiB
Text
80 lines
2.7 KiB
Text
#separator \x09
|
|
#set_separator ,
|
|
#empty_field (empty)
|
|
#unset_field -
|
|
#path weird
|
|
#open 2017-10-19-17-18-27
|
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
|
#types time string addr port addr port string string bool string
|
|
1334160095.895421 - - - - - truncated_IP - F bro
|
|
#close 2017-10-19-17-18-28
|
|
#separator \x09
|
|
#set_separator ,
|
|
#empty_field (empty)
|
|
#unset_field -
|
|
#path weird
|
|
#open 2017-10-19-17-18-29
|
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
|
#types time string addr port addr port string string bool string
|
|
1334156241.519125 - - - - - truncated_IP - F bro
|
|
#close 2017-10-19-17-18-30
|
|
#separator \x09
|
|
#set_separator ,
|
|
#empty_field (empty)
|
|
#unset_field -
|
|
#path weird
|
|
#open 2017-10-19-17-18-32
|
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
|
#types time string addr port addr port string string bool string
|
|
1334094648.590126 - - - - - truncated_IP - F bro
|
|
#close 2017-10-19-17-18-32
|
|
#separator \x09
|
|
#set_separator ,
|
|
#empty_field (empty)
|
|
#unset_field -
|
|
#path weird
|
|
#open 2017-10-19-17-18-36
|
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
|
#types time string addr port addr port string string bool string
|
|
1338328954.078361 - - - - - internally_truncated_header - F bro
|
|
#close 2017-10-19-17-18-36
|
|
#separator \x09
|
|
#set_separator ,
|
|
#empty_field (empty)
|
|
#unset_field -
|
|
#path weird
|
|
#open 2017-10-19-17-18-37
|
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
|
#types time string addr port addr port string string bool string
|
|
0.000000 - - - - - truncated_link_header - F bro
|
|
#close 2017-10-19-17-18-38
|
|
#separator \x09
|
|
#set_separator ,
|
|
#empty_field (empty)
|
|
#unset_field -
|
|
#path weird
|
|
#open 2017-10-19-17-18-39
|
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
|
#types time string addr port addr port string string bool string
|
|
1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 invalid_IP_header_size - F bro
|
|
#close 2017-10-19-17-18-40
|
|
#separator \x09
|
|
#set_separator ,
|
|
#empty_field (empty)
|
|
#unset_field -
|
|
#path weird
|
|
#open 2017-10-19-17-18-41
|
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
|
#types time string addr port addr port string string bool string
|
|
1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 internally_truncated_header - F bro
|
|
#close 2017-10-19-17-18-42
|
|
#separator \x09
|
|
#set_separator ,
|
|
#empty_field (empty)
|
|
#unset_field -
|
|
#path weird
|
|
#open 2017-10-19-17-18-43
|
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
|
|
#types time string addr port addr port string string bool string
|
|
1500557630.000000 - 0.255.0.255 0 15.254.2.1 0 invalid_IP_header_size_in_tunnel - F bro
|
|
#close 2017-10-19-17-18-44
|