suricata
decode-teredo.c
Go to the documentation of this file.
1 /* Copyright (C) 2012 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup decode
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Eric Leblond <eric@regit.org>
29  *
30  * Decode Teredo Tunneling protocol.
31  *
32  * This implementation is based upon RFC 4380: http://www.ietf.org/rfc/rfc4380.txt
33  */
34 
35 #include "suricata-common.h"
36 #include "decode.h"
37 #include "decode-ipv6.h"
38 #include "decode-teredo.h"
39 #include "util-debug.h"
40 #include "conf.h"
41 
42 #define TEREDO_ORIG_INDICATION_LENGTH 8
43 
44 static bool g_teredo_enabled = true;
45 
47 {
48  int enabled = 0;
49  if (ConfGetBool("decoder.teredo.enabled", &enabled) == 1) {
50  if (enabled) {
51  g_teredo_enabled = true;
52  } else {
53  g_teredo_enabled = false;
54  }
55  }
56 }
57 
58 /**
59  * \brief Function to decode Teredo packets
60  *
61  * \retval TM_ECODE_FAILED if packet is not a Teredo packet, TM_ECODE_OK if it is
62  */
63 int DecodeTeredo(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
64 {
65  if (!g_teredo_enabled)
66  return TM_ECODE_FAILED;
67 
68  uint8_t *start = pkt;
69 
70  /* Is this packet to short to contain an IPv6 packet ? */
71  if (len < IPV6_HEADER_LEN)
72  return TM_ECODE_FAILED;
73 
74  /* Teredo encapsulate IPv6 in UDP and can add some custom message
75  * part before the IPv6 packet. In our case, we just want to get
76  * over an ORIGIN indication. So we just make one offset if needed. */
77  if (start[0] == 0x0) {
78  switch (start[1]) {
79  /* origin indication: compatible with tunnel */
80  case 0x0:
81  /* offset is coherent with len and presence of an IPv6 header */
84  else
85  return TM_ECODE_FAILED;
86  break;
87  /* authentication: negotiation not real tunnel */
88  case 0x1:
89  return TM_ECODE_FAILED;
90  /* this case is not possible in Teredo: not that protocol */
91  default:
92  return TM_ECODE_FAILED;
93  }
94  }
95 
96  /* There is no specific field that we can check to prove that the packet
97  * is a Teredo packet. We've zapped here all the possible Teredo header
98  * and we should have an IPv6 packet at the start pointer.
99  * We then can only do a few checks before sending the encapsulated packets
100  * to decoding:
101  * - The packet has a protocol version which is IPv6.
102  * - The IPv6 length of the packet matches what remains in buffer.
103  * - HLIM is 0. This would technically be valid, but still weird.
104  * - NH 0 (HOP) and not enough data.
105  *
106  * If all these conditions are met, the tunnel decoder will be called.
107  * If the packet gets an invalid event set, it will still be rejected.
108  */
109  if (IP_GET_RAW_VER(start) == 6) {
110  IPV6Hdr *thdr = (IPV6Hdr *)start;
111 
112  /* ignore hoplimit 0 packets, most likely an artifact of bad detection */
113  if (IPV6_GET_RAW_HLIM(thdr) == 0)
114  return TM_ECODE_FAILED;
115 
116  /* if nh is 0 (HOP) with little data we have a bogus packet */
117  if (IPV6_GET_RAW_NH(thdr) == 0 && IPV6_GET_RAW_PLEN(thdr) < 8)
118  return TM_ECODE_FAILED;
119 
120  if (len == IPV6_HEADER_LEN +
121  IPV6_GET_RAW_PLEN(thdr) + (start - pkt)) {
122  if (pq != NULL) {
123  int blen = len - (start - pkt);
124  /* spawn off tunnel packet */
125  Packet *tp = PacketTunnelPktSetup(tv, dtv, p, start, blen,
127  if (tp != NULL) {
129  /* add the tp to the packet queue. */
130  PacketEnqueue(pq,tp);
131  StatsIncr(tv, dtv->counter_teredo);
132  return TM_ECODE_OK;
133  }
134  }
135  }
136  return TM_ECODE_FAILED;
137  }
138 
139  return TM_ECODE_FAILED;
140 }
141 
142 /**
143  * @}
144  */
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as an boolen.
Definition: conf.c:517
void DecodeTeredoConfig(void)
Definition: decode-teredo.c:46
int DecodeTeredo(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
Function to decode Teredo packets.
Definition: decode-teredo.c:63
uint16_t counter_teredo
Definition: decode.h:675
#define PKT_SET_SRC(p, src_val)
Definition: decode.h:1143
#define IPV6_GET_RAW_PLEN(ip6h)
Definition: decode-ipv6.h:66
Structure to hold thread specific data for all decode modules.
Definition: decode.h:642
#define IP_GET_RAW_VER(pkt)
Definition: decode.h:248
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:163
#define TEREDO_ORIG_INDICATION_LENGTH
Definition: decode-teredo.c:42
#define IPV6_HEADER_LEN
Definition: decode-ipv6.h:27
#define IPV6_GET_RAW_HLIM(ip6h)
Definition: decode-ipv6.h:67
#define IPV6_GET_RAW_NH(ip6h)
Definition: decode-ipv6.h:65
uint8_t len
Per thread variable structure.
Definition: threadvars.h:57
Packet * PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent, uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto, PacketQueue *pq)
Setup a pseudo packet (tunnel)
Definition: decode.c:274
void PacketEnqueue(PacketQueue *q, Packet *p)
Definition: packet-queue.c:139