mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 23:28:20 +00:00

IP packets that have a header length that is greater than the total length of the packet cause an integer overflow, which causes range-checks to fail, which causes OOB reads. Furthermore Bro does not currently check the version field of IP packets that are read from tunnels. I added this check - otherwise Bro reports bogus IP information in its error messages, just converting the data from the place where the IP information is supposed to be to IPs. This behavior brings us closer to what other software (e.g. Wireshark) displays in these cases.
43 lines
1.8 KiB
Text
# Truncated IP packets should not be analyzed, and generate truncated_IP weird

# @TEST-EXEC: bro -r $TRACES/trunc/ip4-trunc.pcap
# @TEST-EXEC: mv weird.log output
# @TEST-EXEC: bro -r $TRACES/trunc/ip6-trunc.pcap
# @TEST-EXEC: cat weird.log >> output
# @TEST-EXEC: bro -r $TRACES/trunc/ip6-ext-trunc.pcap
# @TEST-EXEC: cat weird.log >> output

# If an ICMP packet's payload is truncated due to too small snaplen,
# the checksum calculation is bypassed (and Bro doesn't crash, of course).

# @TEST-EXEC: rm -f weird.log
# @TEST-EXEC: bro -r $TRACES/trunc/icmp-payload-trunc.pcap
# @TEST-EXEC: test ! -e weird.log

# If an ICMP packet has the ICMP header truncated due to too small snaplen,
# an internally_truncated_header weird gets generated.

# @TEST-EXEC: bro -r $TRACES/trunc/icmp-header-trunc.pcap
# @TEST-EXEC: cat weird.log >> output

# Truncated packets where the captured length is less than the length required
# for the packet header should also raise a Weird
# @TEST-EXEC: bro -r $TRACES/trunc/trunc-hdr.pcap
# @TEST-EXEC: cat weird.log >> output

# Truncated packet where the length of the IP header is larger than the total
# packet length
# @TEST-EXEC: bro -C -r $TRACES/trunc/ipv4-truncated-broken-header.pcap
# @TEST-EXEC: cat weird.log >> output

# Truncated packet where the captured length is big enough for the ip header
# struct, but not large enough to capture the full header length (with options)
# @TEST-EXEC: bro -C -r $TRACES/trunc/ipv4-internally-truncated-header.pcap
# @TEST-EXEC: cat weird.log >> output

# Truncated packet where the length of the IP header is larger than the total
# packet length inside several tunnels
# @TEST-EXEC: bro -C -r $TRACES/trunc/mpls-6in6-6in6-4in6-trunc.pcap
# @TEST-EXEC: cat weird.log >> output

# @TEST-EXEC: btest-diff output
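As an added example (not Zeek's code and not part of this commit), the C below shows the length arithmetic the commit message describes: an IHL larger than the IP total length wraps an unsigned subtraction, while a guarded parser returns the kind of outcomes the test cases above exercise (truncated header, header longer than total length, bad version nibble inside a tunnel). The enum names, the wrapper and the sample headers are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Outcomes loosely mirroring the "weird" names used in the test file above. */
enum ip_weird {
    IP_OK = 0,
    IP_TRUNCATED,                /* caplen < 20: not even the fixed header was captured */
    IP_BAD_VERSION,              /* version nibble != 4 (e.g. non-IP bytes inside a tunnel) */
    IP_BAD_HDR_LEN,              /* IHL * 4 < 20 */
    IP_HDR_LONGER_THAN_TOTAL,    /* IHL * 4 > total length field */
    IP_INTERNALLY_TRUNCATED_HDR  /* caplen < IHL * 4: options not fully captured */
};

/* The unguarded arithmetic: with hdr_len > total_len the unsigned subtraction
 * wraps to ~4 GiB, so a later "payload fits in remaining bytes" check passes. */
uint32_t naive_payload_len(const uint8_t *pkt) {
    uint32_t hdr_len = (pkt[0] & 0x0fu) * 4u;
    uint32_t total_len = ((uint32_t)pkt[2] << 8) | pkt[3];
    return total_len - hdr_len;
}

/* Hardened version: every length is validated before it feeds a subtraction
 * or an index; payload_len is only written when the header is sane. */
enum ip_weird check_ipv4(const uint8_t *pkt, size_t caplen, uint32_t *payload_len) {
    if (caplen < 20) return IP_TRUNCATED;
    if ((pkt[0] >> 4) != 4) return IP_BAD_VERSION;
    uint32_t hdr_len = (pkt[0] & 0x0fu) * 4u;
    uint32_t total_len = ((uint32_t)pkt[2] << 8) | pkt[3];
    if (hdr_len < 20) return IP_BAD_HDR_LEN;
    if (hdr_len > total_len) return IP_HDR_LONGER_THAN_TOTAL;
    if (caplen < hdr_len) return IP_INTERNALLY_TRUNCATED_HDR;
    if (payload_len) *payload_len = total_len - hdr_len;  /* cannot wrap now */
    return IP_OK;
}

/* Convenience wrapper: payload length on success, -1 on any weird. */
long payload_len_or_neg(const uint8_t *pkt, size_t caplen) {
    uint32_t n = 0;
    return check_ipv4(pkt, caplen, &n) == IP_OK ? (long)n : -1L;
}

/* Constructed sample headers (not real captures); unspecified bytes are zero. */
const uint8_t PKT_OK[28]           = {0x45, 0x00, 0x00, 0x1c};  /* IHL=5, total=28 */
const uint8_t PKT_HDR_GT_TOTAL[24] = {0x46, 0x00, 0x00, 0x14};  /* IHL=6 (24), total=20 */
const uint8_t PKT_OPTS_TRUNC[20]   = {0x46, 0x00, 0x00, 0x18};  /* IHL=6, only 20 captured */
const uint8_t PKT_V6_IN_TUNNEL[20] = {0x60};                    /* version nibble 6 */
```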