suricata
decode-teredo.c
Go to the documentation of this file.
1 /* Copyright (C) 2012-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup decode
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Eric Leblond <eric@regit.org>
29  *
30  * Decode Teredo Tunneling protocol.
31  *
32  * This implementation is based upon RFC 4380: http://www.ietf.org/rfc/rfc4380.txt
33  */
34 
35 #include "suricata-common.h"
36 #include "decode.h"
37 #include "decode-ipv6.h"
38 #include "decode-teredo.h"
39 
40 #include "util-validate.h"
41 #include "util-debug.h"
42 #include "conf.h"
43 #include "detect-engine-port.h"
44 
45 #define TEREDO_ORIG_INDICATION_LENGTH 8
46 #define TEREDO_MAX_PORTS 4
47 #define TEREDO_UNSET_PORT -1
48 
49 static bool g_teredo_enabled = true;
50 static bool g_teredo_ports_any = true;
51 static int g_teredo_ports_cnt = 0;
52 static int g_teredo_ports[TEREDO_MAX_PORTS] = { TEREDO_UNSET_PORT, TEREDO_UNSET_PORT,
53  TEREDO_UNSET_PORT, TEREDO_UNSET_PORT };
54 
55 bool DecodeTeredoEnabledForPort(const uint16_t sp, const uint16_t dp)
56 {
57  SCLogDebug("ports %u->%u ports %d %d %d %d", sp, dp, g_teredo_ports[0], g_teredo_ports[1],
58  g_teredo_ports[2], g_teredo_ports[3]);
59 
60  if (g_teredo_enabled) {
61  /* no port config means we are enabled for all ports */
62  if (g_teredo_ports_any) {
63  return true;
64  }
65 
66  for (int i = 0; i < g_teredo_ports_cnt; i++) {
67  if (g_teredo_ports[i] == TEREDO_UNSET_PORT)
68  return false;
69  const int port = g_teredo_ports[i];
70  if (port == (const int)sp || port == (const int)dp)
71  return true;
72  }
73  }
74  return false;
75 }
76 
77 static void DecodeTeredoConfigPorts(const char *pstr)
78 {
79  SCLogDebug("parsing \'%s\'", pstr);
80 
81  if (strcmp(pstr, "any") == 0) {
82  g_teredo_ports_any = true;
83  return;
84  }
85 
86  DetectPort *head = NULL;
87  DetectPortParse(NULL, &head, pstr);
88 
89  g_teredo_ports_any = false;
90  g_teredo_ports_cnt = 0;
91  for (DetectPort *p = head; p != NULL; p = p->next) {
92  if (g_teredo_ports_cnt >= TEREDO_MAX_PORTS) {
93  SCLogWarning(SC_ERR_INVALID_YAML_CONF_ENTRY, "only %d Teredo ports can be defined",
94  TEREDO_MAX_PORTS);
95  break;
96  }
97  g_teredo_ports[g_teredo_ports_cnt++] = (int)p->port;
98  }
99 
100  DetectPortCleanupList(NULL, head);
101 }
102 
103 void DecodeTeredoConfig(void)
104 {
105  int enabled = 0;
106  if (ConfGetBool("decoder.teredo.enabled", &enabled) == 1) {
107  if (enabled) {
108  g_teredo_enabled = true;
109  } else {
110  g_teredo_enabled = false;
111  }
112  }
113  if (g_teredo_enabled) {
114  ConfNode *node = ConfGetNode("decoder.teredo.ports");
115  if (node && node->val) {
116  DecodeTeredoConfigPorts(node->val);
117  }
118  }
119 }
120 
121 /**
122  * \brief Function to decode Teredo packets
123  *
124  * \retval TM_ECODE_FAILED if packet is not a Teredo packet, TM_ECODE_OK if it is
125  */
126 int DecodeTeredo(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
127  const uint8_t *pkt, uint16_t len)
128 {
129  DEBUG_VALIDATE_BUG_ON(pkt == NULL);
130 
131  if (!g_teredo_enabled)
132  return TM_ECODE_FAILED;
133 
134  const uint8_t *start = pkt;
135 
136  /* Is this packet to short to contain an IPv6 packet ? */
137  if (len < IPV6_HEADER_LEN)
138  return TM_ECODE_FAILED;
139 
140  /* Teredo encapsulate IPv6 in UDP and can add some custom message
141  * part before the IPv6 packet. In our case, we just want to get
142  * over an ORIGIN indication. So we just make one offset if needed. */
143  if (start[0] == 0x0) {
144  /* origin indication: compatible with tunnel */
145  if (start[1] == 0x0) {
146  /* offset is not coherent with len and presence of an IPv6 header */
147  if (len < TEREDO_ORIG_INDICATION_LENGTH + IPV6_HEADER_LEN)
148  return TM_ECODE_FAILED;
149 
150  start += TEREDO_ORIG_INDICATION_LENGTH;
151 
152  /* either authentication negotiation not real tunnel or invalid second byte */
153  } else {
154  return TM_ECODE_FAILED;
155  }
156  }
157 
158  /* There is no specific field that we can check to prove that the packet
159  * is a Teredo packet. We've zapped here all the possible Teredo header
160  * and we should have an IPv6 packet at the start pointer.
161  * We then can only do a few checks before sending the encapsulated packets
162  * to decoding:
163  * - The packet has a protocol version which is IPv6.
164  * - The IPv6 length of the packet matches what remains in buffer.
165  * - HLIM is 0. This would technically be valid, but still weird.
166  * - NH 0 (HOP) and not enough data.
167  *
168  * If all these conditions are met, the tunnel decoder will be called.
169  * If the packet gets an invalid event set, it will still be rejected.
170  */
171  if (IP_GET_RAW_VER(start) == 6) {
172  IPV6Hdr *thdr = (IPV6Hdr *)start;
173 
174  /* ignore hoplimit 0 packets, most likely an artifact of bad detection */
175  if (IPV6_GET_RAW_HLIM(thdr) == 0)
176  return TM_ECODE_FAILED;
177 
178  /* if nh is 0 (HOP) with little data we have a bogus packet */
179  if (IPV6_GET_RAW_NH(thdr) == 0 && IPV6_GET_RAW_PLEN(thdr) < 8)
180  return TM_ECODE_FAILED;
181 
182  if (len == IPV6_HEADER_LEN +
183  IPV6_GET_RAW_PLEN(thdr) + (start - pkt)) {
184  int blen = len - (start - pkt);
185  /* spawn off tunnel packet */
186  Packet *tp = PacketTunnelPktSetup(tv, dtv, p, start, blen,
187  DECODE_TUNNEL_IPV6_TEREDO);
188  if (tp != NULL) {
189  PKT_SET_SRC(tp, PKT_SRC_DECODER_TEREDO);
190  /* add the tp to the packet queue. */
191  PacketEnqueueNoLock(&tv->decode_pq,tp);
192  StatsIncr(tv, dtv->counter_teredo);
193  return TM_ECODE_OK;
194  }
195  }
196  return TM_ECODE_FAILED;
197  }
198 
199  return TM_ECODE_FAILED;
200 }
201 
202 /**
203  * @}
204  */
len
uint8_t len
Definition: app-layer-dnp3.h:2
IPV6_GET_RAW_PLEN
#define IPV6_GET_RAW_PLEN(ip6h)
Definition: decode-ipv6.h:66
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:169
IPV6_GET_RAW_HLIM
#define IPV6_GET_RAW_HLIM(ip6h)
Definition: decode-ipv6.h:67
IPV6_GET_RAW_NH
#define IPV6_GET_RAW_NH(ip6h)
Definition: decode-ipv6.h:65
ConfNode_::val
char * val
Definition: conf.h:34
ConfGetBool
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as an boolen.
Definition: conf.c:516
DecodeTeredoConfig
void DecodeTeredoConfig(void)
Definition: decode-teredo.c:103
DECODE_TUNNEL_IPV6_TEREDO
@ DECODE_TUNNEL_IPV6_TEREDO
Definition: decode.h:939
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:175
DecodeThreadVars_::counter_teredo
uint16_t counter_teredo
Definition: decode.h:675
IP_GET_RAW_VER
#define IP_GET_RAW_VER(pkt)
Definition: decode.h:257
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:81
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
PKT_SET_SRC
#define PKT_SET_SRC(p, src_val)
Definition: decode.h:1204
DetectPortParse
int DetectPortParse(const DetectEngineCtx *de_ctx, DetectPort **head, const char *str)
Function for parsing port strings.
Definition: detect-engine-port.c:1243
decode-ipv6.h
decode.h
util-debug.h
DecodeTeredoEnabledForPort
bool DecodeTeredoEnabledForPort(const uint16_t sp, const uint16_t dp)
Definition: decode-teredo.c:55
PKT_SRC_DECODER_TEREDO
@ PKT_SRC_DECODER_TEREDO
Definition: decode.h:55
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
detect-engine-port.h
DetectPort_
Port structure for detection engine.
Definition: detect.h:191
IPV6Hdr_
Definition: decode-ipv6.h:32
Packet_
Definition: decode.h:414
decode-teredo.h
conf.h
TEREDO_MAX_PORTS
#define TEREDO_MAX_PORTS
Definition: decode-teredo.c:46
SC_ERR_INVALID_YAML_CONF_ENTRY
@ SC_ERR_INVALID_YAML_CONF_ENTRY
Definition: util-error.h:169
Flow_::next
struct Flow_ * next
Definition: flow.h:404
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:30
PacketEnqueueNoLock
void PacketEnqueueNoLock(PacketQueueNoLock *qnl, Packet *p)
Definition: packet-queue.c:167
TEREDO_UNSET_PORT
#define TEREDO_UNSET_PORT
Definition: decode-teredo.c:47
suricata-common.h
thdr
Definition: source-af-packet.c:244
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
util-validate.h
TEREDO_ORIG_INDICATION_LENGTH
#define TEREDO_ORIG_INDICATION_LENGTH
Definition: decode-teredo.c:45
head
Flow * head
Definition: flow-hash.h:1
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:638
ConfNode_
Definition: conf.h:32
ThreadVars_::decode_pq
PacketQueueNoLock decode_pq
Definition: threadvars.h:110
IPV6_HEADER_LEN
#define IPV6_HEADER_LEN
Definition: decode-ipv6.h:27
PacketTunnelPktSetup
Packet * PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent, const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto)
Setup a pseudo packet (tunnel)
Definition: decode.c:289
DetectPortCleanupList
void DetectPortCleanupList(const DetectEngineCtx *de_ctx, DetectPort *head)
Free a DetectPort list and each of its members.
Definition: detect-engine-port.c:121
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:111
DecodeTeredo
int DecodeTeredo(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Function to decode Teredo packets.
Definition: decode-teredo.c:126