suricata
decode-teredo.c
Go to the documentation of this file.
1 /* Copyright (C) 2012 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup decode
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Eric Leblond <eric@regit.org>
29  *
30  * Decode Teredo Tunneling protocol.
31  *
32  * This implementation is based upon RFC 4380: http://www.ietf.org/rfc/rfc4380.txt
33  */
34 
35 #include "suricata-common.h"
36 #include "decode.h"
37 #include "decode-ipv6.h"
38 #include "decode-teredo.h"
39 #include "util-debug.h"
40 #include "conf.h"
41 
42 #define TEREDO_ORIG_INDICATION_LENGTH 8
43 
44 static bool g_teredo_enabled = true;
45 
47 {
48  int enabled = 0;
49  if (ConfGetBool("decoder.teredo.enabled", &enabled) == 1) {
50  if (enabled) {
51  g_teredo_enabled = true;
52  } else {
53  g_teredo_enabled = false;
54  }
55  }
56 }
57 
58 /**
59  * \brief Function to decode Teredo packets
60  *
61  * \retval TM_ECODE_FAILED if packet is not a Teredo packet, TM_ECODE_OK if it is
62  */
64  const uint8_t *pkt, uint16_t len, PacketQueue *pq)
65 {
66  if (!g_teredo_enabled)
67  return TM_ECODE_FAILED;
68 
69  const uint8_t *start = pkt;
70 
71  /* Is this packet to short to contain an IPv6 packet ? */
72  if (len < IPV6_HEADER_LEN)
73  return TM_ECODE_FAILED;
74 
75  /* Teredo encapsulate IPv6 in UDP and can add some custom message
76  * part before the IPv6 packet. In our case, we just want to get
77  * over an ORIGIN indication. So we just make one offset if needed. */
78  if (start[0] == 0x0) {
79  switch (start[1]) {
80  /* origin indication: compatible with tunnel */
81  case 0x0:
82  /* offset is coherent with len and presence of an IPv6 header */
85  else
86  return TM_ECODE_FAILED;
87  break;
88  /* authentication: negotiation not real tunnel */
89  case 0x1:
90  return TM_ECODE_FAILED;
91  /* this case is not possible in Teredo: not that protocol */
92  default:
93  return TM_ECODE_FAILED;
94  }
95  }
96 
97  /* There is no specific field that we can check to prove that the packet
98  * is a Teredo packet. We've zapped here all the possible Teredo header
99  * and we should have an IPv6 packet at the start pointer.
100  * We then can only do a few checks before sending the encapsulated packets
101  * to decoding:
102  * - The packet has a protocol version which is IPv6.
103  * - The IPv6 length of the packet matches what remains in buffer.
104  * - HLIM is 0. This would technically be valid, but still weird.
105  * - NH 0 (HOP) and not enough data.
106  *
107  * If all these conditions are met, the tunnel decoder will be called.
108  * If the packet gets an invalid event set, it will still be rejected.
109  */
110  if (IP_GET_RAW_VER(start) == 6) {
111  IPV6Hdr *thdr = (IPV6Hdr *)start;
112 
113  /* ignore hoplimit 0 packets, most likely an artifact of bad detection */
114  if (IPV6_GET_RAW_HLIM(thdr) == 0)
115  return TM_ECODE_FAILED;
116 
117  /* if nh is 0 (HOP) with little data we have a bogus packet */
118  if (IPV6_GET_RAW_NH(thdr) == 0 && IPV6_GET_RAW_PLEN(thdr) < 8)
119  return TM_ECODE_FAILED;
120 
121  if (len == IPV6_HEADER_LEN +
122  IPV6_GET_RAW_PLEN(thdr) + (start - pkt)) {
123  if (pq != NULL) {
124  int blen = len - (start - pkt);
125  /* spawn off tunnel packet */
126  Packet *tp = PacketTunnelPktSetup(tv, dtv, p, start, blen,
128  if (tp != NULL) {
130  /* add the tp to the packet queue. */
131  PacketEnqueue(pq,tp);
132  StatsIncr(tv, dtv->counter_teredo);
133  return TM_ECODE_OK;
134  }
135  }
136  }
137  return TM_ECODE_FAILED;
138  }
139 
140  return TM_ECODE_FAILED;
141 }
142 
143 /**
144  * @}
145  */
Packet * PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent, const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto, PacketQueue *pq)
Setup a pseudo packet (tunnel)
Definition: decode.c:275
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as an boolen.
Definition: conf.c:517
void DecodeTeredoConfig(void)
Definition: decode-teredo.c:46
uint16_t counter_teredo
Definition: decode.h:664
#define PKT_SET_SRC(p, src_val)
Definition: decode.h:1135
#define IPV6_GET_RAW_PLEN(ip6h)
Definition: decode-ipv6.h:66
int DecodeTeredo(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len, PacketQueue *pq)
Function to decode Teredo packets.
Definition: decode-teredo.c:63
Structure to hold thread specific data for all decode modules.
Definition: decode.h:632
#define IP_GET_RAW_VER(pkt)
Definition: decode.h:249
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:168
#define TEREDO_ORIG_INDICATION_LENGTH
Definition: decode-teredo.c:42
#define IPV6_HEADER_LEN
Definition: decode-ipv6.h:27
#define IPV6_GET_RAW_HLIM(ip6h)
Definition: decode-ipv6.h:67
#define IPV6_GET_RAW_NH(ip6h)
Definition: decode-ipv6.h:65
uint8_t len
Per thread variable structure.
Definition: threadvars.h:57
void PacketEnqueue(PacketQueue *q, Packet *p)
Definition: packet-queue.c:139