suricata
decode-teredo.c
Go to the documentation of this file.
1 /* Copyright (C) 2012-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup decode
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Eric Leblond <eric@regit.org>
29  *
30  * Decode Teredo Tunneling protocol.
31  *
32  * This implementation is based upon RFC 4380: http://www.ietf.org/rfc/rfc4380.txt
33  */
34 
35 #include "suricata-common.h"
36 #include "decode.h"
37 #include "decode-ipv6.h"
38 #include "decode-teredo.h"
39 
40 #include "util-validate.h"
41 #include "util-debug.h"
42 #include "conf.h"
43 
44 #include "detect.h"
45 #include "detect-engine-port.h"
46 
47 #define TEREDO_ORIG_INDICATION_LENGTH 8
48 #define TEREDO_MAX_PORTS 4
49 #define TEREDO_UNSET_PORT -1
50 
51 static bool g_teredo_enabled = true;
52 static bool g_teredo_ports_any = true;
53 static int g_teredo_ports_cnt = 0;
54 static int g_teredo_ports[TEREDO_MAX_PORTS] = { TEREDO_UNSET_PORT, TEREDO_UNSET_PORT,
56 
57 bool DecodeTeredoEnabledForPort(const uint16_t sp, const uint16_t dp)
58 {
59  SCLogDebug("ports %u->%u ports %d %d %d %d", sp, dp, g_teredo_ports[0], g_teredo_ports[1],
60  g_teredo_ports[2], g_teredo_ports[3]);
61 
62  if (g_teredo_enabled) {
63  /* no port config means we are enabled for all ports */
64  if (g_teredo_ports_any) {
65  return true;
66  }
67 
68  for (int i = 0; i < g_teredo_ports_cnt; i++) {
69  if (g_teredo_ports[i] == TEREDO_UNSET_PORT)
70  return false;
71  const int port = g_teredo_ports[i];
72  if (port == (const int)sp || port == (const int)dp)
73  return true;
74  }
75  }
76  return false;
77 }
78 
79 static void DecodeTeredoConfigPorts(const char *pstr)
80 {
81  SCLogDebug("parsing \'%s\'", pstr);
82 
83  if (strcmp(pstr, "any") == 0) {
84  g_teredo_ports_any = true;
85  return;
86  }
87 
88  DetectPort *head = NULL;
89  DetectPortParse(NULL, &head, pstr);
90 
91  g_teredo_ports_any = false;
92  g_teredo_ports_cnt = 0;
93  for (DetectPort *p = head; p != NULL; p = p->next) {
94  if (g_teredo_ports_cnt >= TEREDO_MAX_PORTS) {
95  SCLogWarning("only %d Teredo ports can be defined", TEREDO_MAX_PORTS);
96  break;
97  }
98  g_teredo_ports[g_teredo_ports_cnt++] = (int)p->port;
99  }
100 
102 }
103 
105 {
106  int enabled = 0;
107  if (ConfGetBool("decoder.teredo.enabled", &enabled) == 1) {
108  if (enabled) {
109  g_teredo_enabled = true;
110  } else {
111  g_teredo_enabled = false;
112  }
113  }
114  if (g_teredo_enabled) {
115  ConfNode *node = ConfGetNode("decoder.teredo.ports");
116  if (node && node->val) {
117  DecodeTeredoConfigPorts(node->val);
118  }
119  }
120 }
121 
122 /**
123  * \brief Function to decode Teredo packets
124  *
125  * \retval TM_ECODE_FAILED if packet is not a Teredo packet, TM_ECODE_OK if it is
126  */
128  const uint8_t *pkt, uint16_t len)
129 {
130  DEBUG_VALIDATE_BUG_ON(pkt == NULL);
131 
132  if (!g_teredo_enabled)
133  return TM_ECODE_FAILED;
134 
135  const uint8_t *start = pkt;
136 
137  /* Is this packet to short to contain an IPv6 packet ? */
138  if (len < IPV6_HEADER_LEN)
139  return TM_ECODE_FAILED;
140 
141  /* Teredo encapsulate IPv6 in UDP and can add some custom message
142  * part before the IPv6 packet. In our case, we just want to get
143  * over an ORIGIN indication. So we just make one offset if needed. */
144  if (start[0] == 0x0) {
145  /* origin indication: compatible with tunnel */
146  if (start[1] == 0x0) {
147  /* offset is not coherent with len and presence of an IPv6 header */
149  return TM_ECODE_FAILED;
150 
152 
153  /* either authentication negotiation not real tunnel or invalid second byte */
154  } else {
155  return TM_ECODE_FAILED;
156  }
157  }
158 
159  /* There is no specific field that we can check to prove that the packet
160  * is a Teredo packet. We've zapped here all the possible Teredo header
161  * and we should have an IPv6 packet at the start pointer.
162  * We then can only do a few checks before sending the encapsulated packets
163  * to decoding:
164  * - The packet has a protocol version which is IPv6.
165  * - The IPv6 length of the packet matches what remains in buffer.
166  * - HLIM is 0. This would technically be valid, but still weird.
167  * - NH 0 (HOP) and not enough data.
168  *
169  * If all these conditions are met, the tunnel decoder will be called.
170  * If the packet gets an invalid event set, it will still be rejected.
171  */
172  if (IP_GET_RAW_VER(start) == 6) {
173  IPV6Hdr *thdr = (IPV6Hdr *)start;
174 
175  /* ignore hoplimit 0 packets, most likely an artifact of bad detection */
176  if (IPV6_GET_RAW_HLIM(thdr) == 0)
177  return TM_ECODE_FAILED;
178 
179  /* if nh is 0 (HOP) with little data we have a bogus packet */
180  if (IPV6_GET_RAW_NH(thdr) == 0 && IPV6_GET_RAW_PLEN(thdr) < 8)
181  return TM_ECODE_FAILED;
182 
183  if (len == IPV6_HEADER_LEN +
184  IPV6_GET_RAW_PLEN(thdr) + (start - pkt)) {
185  uint32_t blen = len - (uint32_t)(start - pkt);
186  /* spawn off tunnel packet */
187  Packet *tp = PacketTunnelPktSetup(tv, dtv, p, start, blen,
189  if (tp != NULL) {
191  /* add the tp to the packet queue. */
194  return TM_ECODE_OK;
195  }
196  }
197  return TM_ECODE_FAILED;
198  }
199 
200  return TM_ECODE_FAILED;
201 }
202 
203 /**
204  * @}
205  */
len
uint8_t len
Definition: app-layer-dnp3.h:2
IPV6_GET_RAW_PLEN
#define IPV6_GET_RAW_PLEN(ip6h)
Definition: decode-ipv6.h:66
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:166
IPV6_GET_RAW_HLIM
#define IPV6_GET_RAW_HLIM(ip6h)
Definition: decode-ipv6.h:67
IPV6_GET_RAW_NH
#define IPV6_GET_RAW_NH(ip6h)
Definition: decode-ipv6.h:65
ConfNode_::val
char * val
Definition: conf.h:34
ConfGetBool
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as a boolean.
Definition: conf.c:482
DecodeTeredoConfig
void DecodeTeredoConfig(void)
Definition: decode-teredo.c:104
DECODE_TUNNEL_IPV6_TEREDO
@ DECODE_TUNNEL_IPV6_TEREDO
Definition: decode.h:1073
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:181
DecodeThreadVars_::counter_teredo
uint16_t counter_teredo
Definition: decode.h:976
IP_GET_RAW_VER
#define IP_GET_RAW_VER(pkt)
Definition: decode.h:228
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:81
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
PKT_SET_SRC
#define PKT_SET_SRC(p, src_val)
Definition: decode.h:1324
DetectPortParse
int DetectPortParse(const DetectEngineCtx *de_ctx, DetectPort **head, const char *str)
Function for parsing port strings.
Definition: detect-engine-port.c:1182
decode-ipv6.h
decode.h
util-debug.h
DecodeTeredoEnabledForPort
bool DecodeTeredoEnabledForPort(const uint16_t sp, const uint16_t dp)
Definition: decode-teredo.c:57
PKT_SRC_DECODER_TEREDO
@ PKT_SRC_DECODER_TEREDO
Definition: decode.h:55
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
detect-engine-port.h
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
DetectPort_
Port structure for detection engine.
Definition: detect.h:217
IPV6Hdr_
Definition: decode-ipv6.h:32
Packet_
Definition: decode.h:476
decode-teredo.h
conf.h
TEREDO_MAX_PORTS
#define TEREDO_MAX_PORTS
Definition: decode-teredo.c:48
Flow_::next
struct Flow_ * next
Definition: flow.h:401
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
PacketEnqueueNoLock
void PacketEnqueueNoLock(PacketQueueNoLock *qnl, Packet *p)
Definition: packet-queue.c:168
TEREDO_UNSET_PORT
#define TEREDO_UNSET_PORT
Definition: decode-teredo.c:49
suricata-common.h
thdr
Definition: source-af-packet.c:247
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
util-validate.h
TEREDO_ORIG_INDICATION_LENGTH
#define TEREDO_ORIG_INDICATION_LENGTH
Definition: decode-teredo.c:47
head
Flow * head
Definition: flow-hash.h:1
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:932
ConfNode_
Definition: conf.h:32
ThreadVars_::decode_pq
PacketQueueNoLock decode_pq
Definition: threadvars.h:112
IPV6_HEADER_LEN
#define IPV6_HEADER_LEN
Definition: decode-ipv6.h:27
PacketTunnelPktSetup
Packet * PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent, const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto)
Setup a pseudo packet (tunnel)
Definition: decode.c:367
DetectPortCleanupList
void DetectPortCleanupList(const DetectEngineCtx *de_ctx, DetectPort *head)
Free a DetectPort list and each of its members.
Definition: detect-engine-port.c:124
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
DecodeTeredo
int DecodeTeredo(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Function to decode Teredo packets.
Definition: decode-teredo.c:127