suricata
decode-teredo.c
Go to the documentation of this file.
1 /* Copyright (C) 2012-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup decode
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Eric Leblond <eric@regit.org>
29  *
30  * Decode Teredo Tunneling protocol.
31  *
32  * This implementation is based upon RFC 4380: http://www.ietf.org/rfc/rfc4380.txt
33  */
34 
35 #include "suricata-common.h"
36 #include "decode.h"
37 #include "decode-ipv6.h"
38 #include "decode-teredo.h"
39 
40 #include "util-validate.h"
41 #include "util-debug.h"
42 #include "conf.h"
43 
44 #include "detect.h"
45 #include "detect-engine-port.h"
46 
47 #define TEREDO_ORIG_INDICATION_LENGTH 8
48 #define TEREDO_MAX_PORTS 4
49 #define TEREDO_UNSET_PORT -1
50 
51 static bool g_teredo_enabled = true;
52 static bool g_teredo_ports_any = true;
53 static int g_teredo_ports_cnt = 0;
54 static int g_teredo_ports[TEREDO_MAX_PORTS] = { TEREDO_UNSET_PORT, TEREDO_UNSET_PORT,
56 
57 bool DecodeTeredoEnabledForPort(const uint16_t sp, const uint16_t dp)
58 {
59  SCLogDebug("ports %u->%u ports %d %d %d %d", sp, dp, g_teredo_ports[0], g_teredo_ports[1],
60  g_teredo_ports[2], g_teredo_ports[3]);
61 
62  if (g_teredo_enabled) {
63  /* no port config means we are enabled for all ports */
64  if (g_teredo_ports_any) {
65  return true;
66  }
67 
68  for (int i = 0; i < g_teredo_ports_cnt; i++) {
69  if (g_teredo_ports[i] == TEREDO_UNSET_PORT)
70  return false;
71  const int port = g_teredo_ports[i];
72  if (port == (const int)sp || port == (const int)dp)
73  return true;
74  }
75  }
76  return false;
77 }
78 
79 static void DecodeTeredoConfigPorts(const char *pstr)
80 {
81  SCLogDebug("parsing \'%s\'", pstr);
82 
83  if (strcmp(pstr, "any") == 0) {
84  g_teredo_ports_any = true;
85  return;
86  }
87 
88  DetectPort *head = NULL;
89  DetectPortParse(NULL, &head, pstr);
90 
91  g_teredo_ports_any = false;
92  g_teredo_ports_cnt = 0;
93  for (DetectPort *p = head; p != NULL; p = p->next) {
94  if (g_teredo_ports_cnt >= TEREDO_MAX_PORTS) {
95  SCLogWarning(SC_ERR_INVALID_YAML_CONF_ENTRY, "only %d Teredo ports can be defined",
97  break;
98  }
99  g_teredo_ports[g_teredo_ports_cnt++] = (int)p->port;
100  }
101 
103 }
104 
106 {
107  int enabled = 0;
108  if (ConfGetBool("decoder.teredo.enabled", &enabled) == 1) {
109  if (enabled) {
110  g_teredo_enabled = true;
111  } else {
112  g_teredo_enabled = false;
113  }
114  }
115  if (g_teredo_enabled) {
116  ConfNode *node = ConfGetNode("decoder.teredo.ports");
117  if (node && node->val) {
118  DecodeTeredoConfigPorts(node->val);
119  }
120  }
121 }
122 
123 /**
124  * \brief Function to decode Teredo packets
125  *
126  * \retval TM_ECODE_FAILED if packet is not a Teredo packet, TM_ECODE_OK if it is
127  */
129  const uint8_t *pkt, uint16_t len)
130 {
131  DEBUG_VALIDATE_BUG_ON(pkt == NULL);
132 
133  if (!g_teredo_enabled)
134  return TM_ECODE_FAILED;
135 
136  const uint8_t *start = pkt;
137 
138  /* Is this packet to short to contain an IPv6 packet ? */
139  if (len < IPV6_HEADER_LEN)
140  return TM_ECODE_FAILED;
141 
142  /* Teredo encapsulate IPv6 in UDP and can add some custom message
143  * part before the IPv6 packet. In our case, we just want to get
144  * over an ORIGIN indication. So we just make one offset if needed. */
145  if (start[0] == 0x0) {
146  /* origin indication: compatible with tunnel */
147  if (start[1] == 0x0) {
148  /* offset is not coherent with len and presence of an IPv6 header */
150  return TM_ECODE_FAILED;
151 
153 
154  /* either authentication negotiation not real tunnel or invalid second byte */
155  } else {
156  return TM_ECODE_FAILED;
157  }
158  }
159 
160  /* There is no specific field that we can check to prove that the packet
161  * is a Teredo packet. We've zapped here all the possible Teredo header
162  * and we should have an IPv6 packet at the start pointer.
163  * We then can only do a few checks before sending the encapsulated packets
164  * to decoding:
165  * - The packet has a protocol version which is IPv6.
166  * - The IPv6 length of the packet matches what remains in buffer.
167  * - HLIM is 0. This would technically be valid, but still weird.
168  * - NH 0 (HOP) and not enough data.
169  *
170  * If all these conditions are met, the tunnel decoder will be called.
171  * If the packet gets an invalid event set, it will still be rejected.
172  */
173  if (IP_GET_RAW_VER(start) == 6) {
174  IPV6Hdr *thdr = (IPV6Hdr *)start;
175 
176  /* ignore hoplimit 0 packets, most likely an artifact of bad detection */
177  if (IPV6_GET_RAW_HLIM(thdr) == 0)
178  return TM_ECODE_FAILED;
179 
180  /* if nh is 0 (HOP) with little data we have a bogus packet */
181  if (IPV6_GET_RAW_NH(thdr) == 0 && IPV6_GET_RAW_PLEN(thdr) < 8)
182  return TM_ECODE_FAILED;
183 
184  if (len == IPV6_HEADER_LEN +
185  IPV6_GET_RAW_PLEN(thdr) + (start - pkt)) {
186  int blen = len - (start - pkt);
187  /* spawn off tunnel packet */
188  Packet *tp = PacketTunnelPktSetup(tv, dtv, p, start, blen,
190  if (tp != NULL) {
192  /* add the tp to the packet queue. */
195  return TM_ECODE_OK;
196  }
197  }
198  return TM_ECODE_FAILED;
199  }
200 
201  return TM_ECODE_FAILED;
202 }
203 
204 /**
205  * @}
206  */
len
uint8_t len
Definition: app-layer-dnp3.h:2
IPV6_GET_RAW_PLEN
#define IPV6_GET_RAW_PLEN(ip6h)
Definition: decode-ipv6.h:66
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:167
IPV6_GET_RAW_HLIM
#define IPV6_GET_RAW_HLIM(ip6h)
Definition: decode-ipv6.h:67
IPV6_GET_RAW_NH
#define IPV6_GET_RAW_NH(ip6h)
Definition: decode-ipv6.h:65
ConfNode_::val
char * val
Definition: conf.h:34
ConfGetBool
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as an boolen.
Definition: conf.c:473
DecodeTeredoConfig
void DecodeTeredoConfig(void)
Definition: decode-teredo.c:105
DECODE_TUNNEL_IPV6_TEREDO
@ DECODE_TUNNEL_IPV6_TEREDO
Definition: decode.h:805
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:176
DecodeThreadVars_::counter_teredo
uint16_t counter_teredo
Definition: decode.h:696
IP_GET_RAW_VER
#define IP_GET_RAW_VER(pkt)
Definition: decode.h:240
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:83
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:82
PKT_SET_SRC
#define PKT_SET_SRC(p, src_val)
Definition: decode.h:1055
DetectPortParse
int DetectPortParse(const DetectEngineCtx *de_ctx, DetectPort **head, const char *str)
Function for parsing port strings.
Definition: detect-engine-port.c:1247
decode-ipv6.h
decode.h
util-debug.h
DecodeTeredoEnabledForPort
bool DecodeTeredoEnabledForPort(const uint16_t sp, const uint16_t dp)
Definition: decode-teredo.c:57
PKT_SRC_DECODER_TEREDO
@ PKT_SRC_DECODER_TEREDO
Definition: decode.h:58
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
detect-engine-port.h
DetectPort_
Port structure for detection engine.
Definition: detect.h:180
IPV6Hdr_
Definition: decode-ipv6.h:32
Packet_
Definition: decode.h:425
decode-teredo.h
conf.h
TEREDO_MAX_PORTS
#define TEREDO_MAX_PORTS
Definition: decode-teredo.c:48
SC_ERR_INVALID_YAML_CONF_ENTRY
@ SC_ERR_INVALID_YAML_CONF_ENTRY
Definition: util-error.h:169
Flow_::next
struct Flow_ * next
Definition: flow.h:407
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
PacketEnqueueNoLock
void PacketEnqueueNoLock(PacketQueueNoLock *qnl, Packet *p)
Definition: packet-queue.c:167
TEREDO_UNSET_PORT
#define TEREDO_UNSET_PORT
Definition: decode-teredo.c:49
suricata-common.h
thdr
Definition: source-af-packet.c:246
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
util-validate.h
TEREDO_ORIG_INDICATION_LENGTH
#define TEREDO_ORIG_INDICATION_LENGTH
Definition: decode-teredo.c:47
head
Flow * head
Definition: flow-hash.h:1
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:242
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:659
ConfNode_
Definition: conf.h:32
ThreadVars_::decode_pq
PacketQueueNoLock decode_pq
Definition: threadvars.h:111
IPV6_HEADER_LEN
#define IPV6_HEADER_LEN
Definition: decode-ipv6.h:27
PacketTunnelPktSetup
Packet * PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent, const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto)
Setup a pseudo packet (tunnel)
Definition: decode.c:308
DetectPortCleanupList
void DetectPortCleanupList(const DetectEngineCtx *de_ctx, DetectPort *head)
Free a DetectPort list and each of its members.
Definition: detect-engine-port.c:121
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
DecodeTeredo
int DecodeTeredo(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Function to decode Teredo packets.
Definition: decode-teredo.c:128