suricata
decode-teredo.c
Go to the documentation of this file.
1 /* Copyright (C) 2012-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup decode
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Eric Leblond <eric@regit.org>
29  *
30  * Decode Teredo Tunneling protocol.
31  *
32  * This implementation is based upon RFC 4380: http://www.ietf.org/rfc/rfc4380.txt
33  */
34 
35 #include "suricata-common.h"
36 #include "decode.h"
37 #include "decode-ipv6.h"
38 #include "decode-teredo.h"
39 #include "util-debug.h"
40 #include "conf.h"
41 #include "detect-engine-port.h"
42 
43 #define TEREDO_ORIG_INDICATION_LENGTH 8
44 #define TEREDO_MAX_PORTS 4
45 #define TEREDO_UNSET_PORT -1
46 
47 static bool g_teredo_enabled = true;
48 static bool g_teredo_ports_any = true;
49 static int g_teredo_ports_cnt = 0;
50 static int g_teredo_ports[TEREDO_MAX_PORTS] = { TEREDO_UNSET_PORT, TEREDO_UNSET_PORT,
51  TEREDO_UNSET_PORT, TEREDO_UNSET_PORT };
52 
53 bool DecodeTeredoEnabledForPort(const uint16_t sp, const uint16_t dp)
54 {
55  SCLogDebug("ports %u->%u ports %d %d %d %d", sp, dp, g_teredo_ports[0], g_teredo_ports[1],
56  g_teredo_ports[2], g_teredo_ports[3]);
57 
58  if (g_teredo_enabled) {
59  /* no port config means we are enabled for all ports */
60  if (g_teredo_ports_any) {
61  return true;
62  }
63 
64  for (int i = 0; i < g_teredo_ports_cnt; i++) {
65  if (g_teredo_ports[i] == TEREDO_UNSET_PORT)
66  return false;
67  const int port = g_teredo_ports[i];
68  if (port == (const int)sp || port == (const int)dp)
69  return true;
70  }
71  }
72  return false;
73 }
74 
75 static void DecodeTeredoConfigPorts(const char *pstr)
76 {
77  SCLogDebug("parsing \'%s\'", pstr);
78 
79  if (strcmp(pstr, "any") == 0) {
80  g_teredo_ports_any = true;
81  return;
82  }
83 
84  DetectPort *head = NULL;
85  DetectPortParse(NULL, &head, pstr);
86 
87  g_teredo_ports_any = false;
88  g_teredo_ports_cnt = 0;
89  for (DetectPort *p = head; p != NULL; p = p->next) {
90  if (g_teredo_ports_cnt >= TEREDO_MAX_PORTS) {
91  SCLogWarning(SC_ERR_INVALID_YAML_CONF_ENTRY, "only %d Teredo ports can be defined",
92  TEREDO_MAX_PORTS);
93  break;
94  }
95  g_teredo_ports[g_teredo_ports_cnt++] = (int)p->port;
96  }
97 
98  DetectPortCleanupList(NULL, head);
99 }
100 
101 void DecodeTeredoConfig(void)
102 {
103  int enabled = 0;
104  if (ConfGetBool("decoder.teredo.enabled", &enabled) == 1) {
105  if (enabled) {
106  g_teredo_enabled = true;
107  } else {
108  g_teredo_enabled = false;
109  }
110  }
111  if (g_teredo_enabled) {
112  ConfNode *node = ConfGetNode("decoder.teredo.ports");
113  if (node && node->val) {
114  DecodeTeredoConfigPorts(node->val);
115  }
116  }
117 }
118 
119 /**
120  * \brief Function to decode Teredo packets
121  *
122  * \retval TM_ECODE_FAILED if packet is not a Teredo packet, TM_ECODE_OK if it is
123  */
124 int DecodeTeredo(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
125  const uint8_t *pkt, uint16_t len)
126 {
127  if (!g_teredo_enabled)
128  return TM_ECODE_FAILED;
129 
130  const uint8_t *start = pkt;
131 
132  /* Is this packet to short to contain an IPv6 packet ? */
133  if (len < IPV6_HEADER_LEN)
134  return TM_ECODE_FAILED;
135 
136  /* Teredo encapsulate IPv6 in UDP and can add some custom message
137  * part before the IPv6 packet. In our case, we just want to get
138  * over an ORIGIN indication. So we just make one offset if needed. */
139  if (start[0] == 0x0) {
140  /* origin indication: compatible with tunnel */
141  if (start[1] == 0x0) {
142  /* offset is not coherent with len and presence of an IPv6 header */
143  if (len < TEREDO_ORIG_INDICATION_LENGTH + IPV6_HEADER_LEN)
144  return TM_ECODE_FAILED;
145 
146  start += TEREDO_ORIG_INDICATION_LENGTH;
147 
148  /* either authentication negotiation not real tunnel or invalid second byte */
149  } else {
150  return TM_ECODE_FAILED;
151  }
152  }
153 
154  /* There is no specific field that we can check to prove that the packet
155  * is a Teredo packet. We've zapped here all the possible Teredo header
156  * and we should have an IPv6 packet at the start pointer.
157  * We then can only do a few checks before sending the encapsulated packets
158  * to decoding:
159  * - The packet has a protocol version which is IPv6.
160  * - The IPv6 length of the packet matches what remains in buffer.
161  * - HLIM is 0. This would technically be valid, but still weird.
162  * - NH 0 (HOP) and not enough data.
163  *
164  * If all these conditions are met, the tunnel decoder will be called.
165  * If the packet gets an invalid event set, it will still be rejected.
166  */
167  if (IP_GET_RAW_VER(start) == 6) {
168  IPV6Hdr *thdr = (IPV6Hdr *)start;
169 
170  /* ignore hoplimit 0 packets, most likely an artifact of bad detection */
171  if (IPV6_GET_RAW_HLIM(thdr) == 0)
172  return TM_ECODE_FAILED;
173 
174  /* if nh is 0 (HOP) with little data we have a bogus packet */
175  if (IPV6_GET_RAW_NH(thdr) == 0 && IPV6_GET_RAW_PLEN(thdr) < 8)
176  return TM_ECODE_FAILED;
177 
178  if (len == IPV6_HEADER_LEN +
179  IPV6_GET_RAW_PLEN(thdr) + (start - pkt)) {
180  int blen = len - (start - pkt);
181  /* spawn off tunnel packet */
182  Packet *tp = PacketTunnelPktSetup(tv, dtv, p, start, blen,
183  DECODE_TUNNEL_IPV6_TEREDO);
184  if (tp != NULL) {
185  PKT_SET_SRC(tp, PKT_SRC_DECODER_TEREDO);
186  /* add the tp to the packet queue. */
187  PacketEnqueueNoLock(&tv->decode_pq,tp);
188  StatsIncr(tv, dtv->counter_teredo);
189  return TM_ECODE_OK;
190  }
191  }
192  return TM_ECODE_FAILED;
193  }
194 
195  return TM_ECODE_FAILED;
196 }
197 
198 /**
199  * @}
200  */
len
uint8_t len
Definition: app-layer-dnp3.h:2
IPV6_GET_RAW_PLEN
#define IPV6_GET_RAW_PLEN(ip6h)
Definition: decode-ipv6.h:66
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:169
IPV6_GET_RAW_HLIM
#define IPV6_GET_RAW_HLIM(ip6h)
Definition: decode-ipv6.h:67
IPV6_GET_RAW_NH
#define IPV6_GET_RAW_NH(ip6h)
Definition: decode-ipv6.h:65
ConfNode_::val
char * val
Definition: conf.h:34
ConfGetBool
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as an boolen.
Definition: conf.c:516
DecodeTeredoConfig
void DecodeTeredoConfig(void)
Definition: decode-teredo.c:101
DECODE_TUNNEL_IPV6_TEREDO
@ DECODE_TUNNEL_IPV6_TEREDO
Definition: decode.h:909
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:175
DecodeThreadVars_::counter_teredo
uint16_t counter_teredo
Definition: decode.h:666
IP_GET_RAW_VER
#define IP_GET_RAW_VER(pkt)
Definition: decode.h:255
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:81
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
PKT_SET_SRC
#define PKT_SET_SRC(p, src_val)
Definition: decode.h:1150
DetectPortParse
int DetectPortParse(const DetectEngineCtx *de_ctx, DetectPort **head, const char *str)
Function for parsing port strings.
Definition: detect-engine-port.c:1243
decode-ipv6.h
decode.h
util-debug.h
DecodeTeredoEnabledForPort
bool DecodeTeredoEnabledForPort(const uint16_t sp, const uint16_t dp)
Definition: decode-teredo.c:53
PKT_SRC_DECODER_TEREDO
@ PKT_SRC_DECODER_TEREDO
Definition: decode.h:55
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
detect-engine-port.h
DetectPort_
Port structure for detection engine.
Definition: detect.h:191
IPV6Hdr_
Definition: decode-ipv6.h:32
Packet_
Definition: decode.h:414
decode-teredo.h
conf.h
TEREDO_MAX_PORTS
#define TEREDO_MAX_PORTS
Definition: decode-teredo.c:44
SC_ERR_INVALID_YAML_CONF_ENTRY
@ SC_ERR_INVALID_YAML_CONF_ENTRY
Definition: util-error.h:169
Flow_::next
struct Flow_ * next
Definition: flow.h:394
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:30
PacketEnqueueNoLock
void PacketEnqueueNoLock(PacketQueueNoLock *qnl, Packet *p)
Definition: packet-queue.c:167
TEREDO_UNSET_PORT
#define TEREDO_UNSET_PORT
Definition: decode-teredo.c:45
suricata-common.h
thdr
Definition: source-af-packet.c:194
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
TEREDO_ORIG_INDICATION_LENGTH
#define TEREDO_ORIG_INDICATION_LENGTH
Definition: decode-teredo.c:43
head
Flow * head
Definition: flow-hash.h:1
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:631
ConfNode_
Definition: conf.h:32
ThreadVars_::decode_pq
PacketQueueNoLock decode_pq
Definition: threadvars.h:110
IPV6_HEADER_LEN
#define IPV6_HEADER_LEN
Definition: decode-ipv6.h:27
PacketTunnelPktSetup
Packet * PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent, const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto)
Setup a pseudo packet (tunnel)
Definition: decode.c:278
DetectPortCleanupList
void DetectPortCleanupList(const DetectEngineCtx *de_ctx, DetectPort *head)
Free a DetectPort list and each of its members.
Definition: detect-engine-port.c:121
DecodeTeredo
int DecodeTeredo(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Function to decode Teredo packets.
Definition: decode-teredo.c:124