suricata
decode-teredo.c
Go to the documentation of this file.
1 /* Copyright (C) 2012-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup decode
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Eric Leblond <eric@regit.org>
29  *
30  * Decode Teredo Tunneling protocol.
31  *
32  * This implementation is based upon RFC 4380: http://www.ietf.org/rfc/rfc4380.txt
33  */
34 
35 #include "suricata-common.h"
36 #include "decode.h"
37 #include "decode-ipv6.h"
38 #include "decode-teredo.h"
39 #include "util-debug.h"
40 #include "conf.h"
41 #include "detect-engine-port.h"
42 
43 #define TEREDO_ORIG_INDICATION_LENGTH 8
44 
45 static bool g_teredo_enabled = true;
46 static int g_teredo_ports[4] = { -1, -1, -1, -1 };
47 static int g_teredo_ports_cnt = 0;
48 static bool g_teredo_ports_any = true;
49 
50 bool DecodeTeredoEnabledForPort(const uint16_t sp, const uint16_t dp)
51 {
52  SCLogDebug("ports %u->%u ports %d %d %d %d", sp, dp,
53  g_teredo_ports[0], g_teredo_ports[1],
54  g_teredo_ports[2], g_teredo_ports[3]);
55 
56  if (g_teredo_enabled) {
57  /* no port config means we are enabled for all ports */
58  if (g_teredo_ports_any) {
59  return true;
60  }
61 
62  for (int i = 0; i < g_teredo_ports_cnt; i++) {
63  if (g_teredo_ports[i] == -1)
64  return false;
65  const int port = g_teredo_ports[i];
66  if (port == (const int)sp ||
67  port == (const int)dp)
68  return true;
69  }
70  }
71  return false;
72 }
73 
74 static void DecodeTeredoConfigPorts(const char *pstr)
75 {
76  SCLogDebug("parsing \'%s\'", pstr);
77 
78  if (strcmp(pstr, "any") == 0) {
79  g_teredo_ports_any = true;
80  return;
81  }
82 
83  DetectPort *head = NULL;
84  DetectPortParse(NULL, &head, pstr);
85 
86  g_teredo_ports_any = false;
87  g_teredo_ports_cnt = 0;
88  for (DetectPort *p = head; p != NULL; p = p->next) {
89  if (g_teredo_ports_cnt >= 4) {
90  SCLogWarning(SC_ERR_INVALID_YAML_CONF_ENTRY,
91  "only 4 Teredo ports can be defined");
92  break;
93  }
94  g_teredo_ports[g_teredo_ports_cnt++] = (int)p->port;
95  }
96  DetectPortCleanupList(NULL, head);
97 }
98 
99 void DecodeTeredoConfig(void)
100 {
101  int enabled = 0;
102  if (ConfGetBool("decoder.teredo.enabled", &enabled) == 1) {
103  if (enabled) {
104  g_teredo_enabled = true;
105  } else {
106  g_teredo_enabled = false;
107  }
108  }
109  if (g_teredo_enabled) {
110  ConfNode *node = ConfGetNode("decoder.teredo.ports");
111  if (node && node->val) {
112  DecodeTeredoConfigPorts(node->val);
113  }
114  }
115 }
116 
117 /**
118  * \brief Function to decode Teredo packets
119  *
120  * \retval TM_ECODE_FAILED if packet is not a Teredo packet, TM_ECODE_OK if it is
121  */
122 int DecodeTeredo(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
123  const uint8_t *pkt, uint16_t len)
124 {
125  if (!g_teredo_enabled)
126  return TM_ECODE_FAILED;
127 
128  const uint8_t *start = pkt;
129 
130  /* Is this packet to short to contain an IPv6 packet ? */
131  if (len < IPV6_HEADER_LEN)
132  return TM_ECODE_FAILED;
133 
134  /* Teredo encapsulate IPv6 in UDP and can add some custom message
135  * part before the IPv6 packet. In our case, we just want to get
136  * over an ORIGIN indication. So we just make one offset if needed. */
137  if (start[0] == 0x0) {
138  switch (start[1]) {
139  /* origin indication: compatible with tunnel */
140  case 0x0:
141  /* offset is coherent with len and presence of an IPv6 header */
142  if (len >= TEREDO_ORIG_INDICATION_LENGTH + IPV6_HEADER_LEN)
143  start += TEREDO_ORIG_INDICATION_LENGTH;
144  else
145  return TM_ECODE_FAILED;
146  break;
147  /* authentication: negotiation not real tunnel */
148  case 0x1:
149  return TM_ECODE_FAILED;
150  /* this case is not possible in Teredo: not that protocol */
151  default:
152  return TM_ECODE_FAILED;
153  }
154  }
155 
156  /* There is no specific field that we can check to prove that the packet
157  * is a Teredo packet. We've zapped here all the possible Teredo header
158  * and we should have an IPv6 packet at the start pointer.
159  * We then can only do a few checks before sending the encapsulated packets
160  * to decoding:
161  * - The packet has a protocol version which is IPv6.
162  * - The IPv6 length of the packet matches what remains in buffer.
163  * - HLIM is 0. This would technically be valid, but still weird.
164  * - NH 0 (HOP) and not enough data.
165  *
166  * If all these conditions are met, the tunnel decoder will be called.
167  * If the packet gets an invalid event set, it will still be rejected.
168  */
169  if (IP_GET_RAW_VER(start) == 6) {
170  IPV6Hdr *thdr = (IPV6Hdr *)start;
171 
172  /* ignore hoplimit 0 packets, most likely an artifact of bad detection */
173  if (IPV6_GET_RAW_HLIM(thdr) == 0)
174  return TM_ECODE_FAILED;
175 
176  /* if nh is 0 (HOP) with little data we have a bogus packet */
177  if (IPV6_GET_RAW_NH(thdr) == 0 && IPV6_GET_RAW_PLEN(thdr) < 8)
178  return TM_ECODE_FAILED;
179 
180  if (len == IPV6_HEADER_LEN +
181  IPV6_GET_RAW_PLEN(thdr) + (start - pkt)) {
182  int blen = len - (start - pkt);
183  /* spawn off tunnel packet */
184  Packet *tp = PacketTunnelPktSetup(tv, dtv, p, start, blen,
185  DECODE_TUNNEL_IPV6_TEREDO);
186  if (tp != NULL) {
187  PKT_SET_SRC(tp, PKT_SRC_DECODER_TEREDO);
188  /* add the tp to the packet queue. */
189  PacketEnqueueNoLock(&tv->decode_pq,tp);
190  StatsIncr(tv, dtv->counter_teredo);
191  return TM_ECODE_OK;
192  }
193  }
194  return TM_ECODE_FAILED;
195  }
196 
197  return TM_ECODE_FAILED;
198 }
199 
200 /**
201  * @}
202  */
len
uint8_t len
Definition: app-layer-dnp3.h:2
IPV6_GET_RAW_PLEN
#define IPV6_GET_RAW_PLEN(ip6h)
Definition: decode-ipv6.h:66
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:169
IPV6_GET_RAW_HLIM
#define IPV6_GET_RAW_HLIM(ip6h)
Definition: decode-ipv6.h:67
IPV6_GET_RAW_NH
#define IPV6_GET_RAW_NH(ip6h)
Definition: decode-ipv6.h:65
ConfNode_::val
char * val
Definition: conf.h:34
ConfGetBool
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as an boolen.
Definition: conf.c:516
DecodeTeredoConfig
void DecodeTeredoConfig(void)
Definition: decode-teredo.c:99
DECODE_TUNNEL_IPV6_TEREDO
@ DECODE_TUNNEL_IPV6_TEREDO
Definition: decode.h:889
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:175
DecodeThreadVars_::counter_teredo
uint16_t counter_teredo
Definition: decode.h:657
IP_GET_RAW_VER
#define IP_GET_RAW_VER(pkt)
Definition: decode.h:252
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:79
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:78
PKT_SET_SRC
#define PKT_SET_SRC(p, src_val)
Definition: decode.h:1128
DetectPortParse
int DetectPortParse(const DetectEngineCtx *de_ctx, DetectPort **head, const char *str)
Function for parsing port strings.
Definition: detect-engine-port.c:1241
decode-ipv6.h
decode.h
util-debug.h
DecodeTeredoEnabledForPort
bool DecodeTeredoEnabledForPort(const uint16_t sp, const uint16_t dp)
Definition: decode-teredo.c:50
PKT_SRC_DECODER_TEREDO
@ PKT_SRC_DECODER_TEREDO
Definition: decode.h:54
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
detect-engine-port.h
DetectPort_
Port structure for detection engine.
Definition: detect.h:191
IPV6Hdr_
Definition: decode-ipv6.h:32
Packet_
Definition: decode.h:411
decode-teredo.h
conf.h
SC_ERR_INVALID_YAML_CONF_ENTRY
@ SC_ERR_INVALID_YAML_CONF_ENTRY
Definition: util-error.h:169
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:30
PacketEnqueueNoLock
void PacketEnqueueNoLock(PacketQueueNoLock *qnl, Packet *p)
Definition: packet-queue.c:167
suricata-common.h
thdr
Definition: source-af-packet.c:197
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
TEREDO_ORIG_INDICATION_LENGTH
#define TEREDO_ORIG_INDICATION_LENGTH
Definition: decode-teredo.c:43
head
Flow * head
Definition: flow-hash.h:0
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:625
ConfNode_
Definition: conf.h:32
ThreadVars_::decode_pq
PacketQueueNoLock decode_pq
Definition: threadvars.h:110
IPV6_HEADER_LEN
#define IPV6_HEADER_LEN
Definition: decode-ipv6.h:27
PacketTunnelPktSetup
Packet * PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent, const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto)
Setup a pseudo packet (tunnel)
Definition: decode.c:278
DetectPortCleanupList
void DetectPortCleanupList(const DetectEngineCtx *de_ctx, DetectPort *head)
Free a DetectPort list and each of its members.
Definition: detect-engine-port.c:121
DecodeTeredo
int DecodeTeredo(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Function to decode Teredo packets.
Definition: decode-teredo.c:122