diff options
Diffstat (limited to 'framework/src/suricata/src/decode-tcp.c')
-rw-r--r-- | framework/src/suricata/src/decode-tcp.c | 521 |
1 files changed, 521 insertions, 0 deletions
diff --git a/framework/src/suricata/src/decode-tcp.c b/framework/src/suricata/src/decode-tcp.c new file mode 100644 index 00000000..428e7ae4 --- /dev/null +++ b/framework/src/suricata/src/decode-tcp.c @@ -0,0 +1,521 @@ +/* Copyright (C) 2007-2013 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \ingroup decode + * + * @{ + */ + + +/** + * \file + * + * \author Victor Julien <victor@inliniac.net> + * + * Decode TCP + */ + +#include "suricata-common.h" +#include "decode.h" +#include "decode-tcp.h" +#include "decode-events.h" +#include "util-unittest.h" +#include "util-debug.h" +#include "util-optimize.h" +#include "flow.h" +#include "util-profiling.h" +#include "pkt-var.h" +#include "host.h" + +static int DecodeTCPOptions(Packet *p, uint8_t *pkt, uint16_t len) +{ + uint16_t plen = len; + while (plen) + { + /* single byte options */ + if (*pkt == TCP_OPT_EOL) { + break; + } else if (*pkt == TCP_OPT_NOP) { + pkt++; + plen--; + + /* multibyte options */ + } else { + if (plen < 2) { + break; + } + + /* we already know that the total options len is valid, + * so here the len of the specific option must be bad. + * Also check for invalid lengths 0 and 1. */ + if (unlikely(*(pkt+1) > plen || *(pkt+1) < 2)) { + ENGINE_SET_INVALID_EVENT(p, TCP_OPT_INVALID_LEN); + return -1; + } + + p->TCP_OPTS[p->TCP_OPTS_CNT].type = *pkt; + p->TCP_OPTS[p->TCP_OPTS_CNT].len = *(pkt+1); + if (plen > 2) + p->TCP_OPTS[p->TCP_OPTS_CNT].data = (pkt+2); + else + p->TCP_OPTS[p->TCP_OPTS_CNT].data = NULL; + + /* we are parsing the most commonly used opts to prevent + * us from having to walk the opts list for these all the + * time. */ + switch (p->TCP_OPTS[p->TCP_OPTS_CNT].type) { + case TCP_OPT_WS: + if (p->TCP_OPTS[p->TCP_OPTS_CNT].len != TCP_OPT_WS_LEN) { + ENGINE_SET_EVENT(p,TCP_OPT_INVALID_LEN); + } else { + if (p->tcpvars.ws != NULL) { + ENGINE_SET_EVENT(p,TCP_OPT_DUPLICATE); + } else { + p->tcpvars.ws = &p->TCP_OPTS[p->TCP_OPTS_CNT]; + } + } + break; + case TCP_OPT_MSS: + if (p->TCP_OPTS[p->TCP_OPTS_CNT].len != TCP_OPT_MSS_LEN) { + ENGINE_SET_EVENT(p,TCP_OPT_INVALID_LEN); + } else { + if (p->tcpvars.mss != NULL) { + ENGINE_SET_EVENT(p,TCP_OPT_DUPLICATE); + } else { + p->tcpvars.mss = &p->TCP_OPTS[p->TCP_OPTS_CNT]; + } + } + break; + case TCP_OPT_SACKOK: + if (p->TCP_OPTS[p->TCP_OPTS_CNT].len != TCP_OPT_SACKOK_LEN) { + ENGINE_SET_EVENT(p,TCP_OPT_INVALID_LEN); + } else { + if (p->tcpvars.sackok != NULL) { + ENGINE_SET_EVENT(p,TCP_OPT_DUPLICATE); + } else { + p->tcpvars.sackok = &p->TCP_OPTS[p->TCP_OPTS_CNT]; + } + } + break; + case TCP_OPT_TS: + if (p->TCP_OPTS[p->TCP_OPTS_CNT].len != TCP_OPT_TS_LEN) { + ENGINE_SET_EVENT(p,TCP_OPT_INVALID_LEN); + } else { + if (p->tcpvars.ts != NULL) { + ENGINE_SET_EVENT(p,TCP_OPT_DUPLICATE); + } else { + p->tcpvars.ts = &p->TCP_OPTS[p->TCP_OPTS_CNT]; + } + } + break; + case TCP_OPT_SACK: + SCLogDebug("SACK option, len %u", p->TCP_OPTS[p->TCP_OPTS_CNT].len); + if (p->TCP_OPTS[p->TCP_OPTS_CNT].len < TCP_OPT_SACK_MIN_LEN || + p->TCP_OPTS[p->TCP_OPTS_CNT].len > TCP_OPT_SACK_MAX_LEN || + !((p->TCP_OPTS[p->TCP_OPTS_CNT].len - 2) % 8 == 0)) + { + ENGINE_SET_EVENT(p,TCP_OPT_INVALID_LEN); + } else { + if (p->tcpvars.sack != NULL) { + ENGINE_SET_EVENT(p,TCP_OPT_DUPLICATE); + } else { + p->tcpvars.sack = &p->TCP_OPTS[p->TCP_OPTS_CNT]; + } + } + break; + } + + pkt += p->TCP_OPTS[p->TCP_OPTS_CNT].len; + plen -= (p->TCP_OPTS[p->TCP_OPTS_CNT].len); + p->TCP_OPTS_CNT++; + } + } + return 0; +} + +static int DecodeTCPPacket(ThreadVars *tv, Packet *p, uint8_t *pkt, uint16_t len) +{ + if (unlikely(len < TCP_HEADER_LEN)) { + ENGINE_SET_INVALID_EVENT(p, TCP_PKT_TOO_SMALL); + return -1; + } + + p->tcph = (TCPHdr *)pkt; + + uint8_t hlen = TCP_GET_HLEN(p); + if (unlikely(len < hlen)) { + ENGINE_SET_INVALID_EVENT(p, TCP_HLEN_TOO_SMALL); + return -1; + } + + uint8_t tcp_opt_len = hlen - TCP_HEADER_LEN; + if (unlikely(tcp_opt_len > TCP_OPTLENMAX)) { + ENGINE_SET_INVALID_EVENT(p, TCP_INVALID_OPTLEN); + return -1; + } + + if (likely(tcp_opt_len > 0)) { + DecodeTCPOptions(p, pkt + TCP_HEADER_LEN, tcp_opt_len); + } + + SET_TCP_SRC_PORT(p,&p->sp); + SET_TCP_DST_PORT(p,&p->dp); + + p->proto = IPPROTO_TCP; + + p->payload = pkt + hlen; + p->payload_len = len - hlen; + + return 0; +} + +int DecodeTCP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq) +{ + StatsIncr(tv, dtv->counter_tcp); + + if (unlikely(DecodeTCPPacket(tv, p,pkt,len) < 0)) { + SCLogDebug("invalid TCP packet"); + p->tcph = NULL; + return TM_ECODE_FAILED; + } + +#ifdef DEBUG + SCLogDebug("TCP sp: %" PRIu32 " -> dp: %" PRIu32 " - HLEN: %" PRIu32 " LEN: %" PRIu32 " %s%s%s%s%s", + GET_TCP_SRC_PORT(p), GET_TCP_DST_PORT(p), TCP_GET_HLEN(p), len, + p->tcpvars.sackok ? "SACKOK " : "", p->tcpvars.sack ? "SACK " : "", + p->tcpvars.ws ? "WS " : "", p->tcpvars.ts ? "TS " : "", + p->tcpvars.mss ? "MSS " : ""); +#endif + + /* Flow is an integral part of us */ + FlowHandlePacket(tv, dtv, p); + + return TM_ECODE_OK; +} + +#ifdef UNITTESTS +static int TCPCalculateValidChecksumtest01(void) +{ + uint16_t csum = 0; + + uint8_t raw_ipshdr[] = { + 0x40, 0x8e, 0x7e, 0xb2, 0xc0, 0xa8, 0x01, 0x03}; + + uint8_t raw_tcp[] = { + 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c, + 0xcf, 0x0d, 0x21, 0x80, 0xa0, 0x12, 0x16, 0xa0, + 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4, + 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73, + 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 02}; + + csum = *( ((uint16_t *)raw_tcp) + 8); + + return (csum == TCPCalculateChecksum((uint16_t *) raw_ipshdr, + (uint16_t *)raw_tcp, sizeof(raw_tcp))); +} + +static int TCPCalculateInvalidChecksumtest02(void) +{ + uint16_t csum = 0; + + uint8_t raw_ipshdr[] = { + 0x40, 0x8e, 0x7e, 0xb2, 0xc0, 0xa8, 0x01, 0x03}; + + uint8_t raw_tcp[] = { + 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c, + 0xcf, 0x0d, 0x21, 0x80, 0xa0, 0x12, 0x16, 0xa0, + 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4, + 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73, + 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 03}; + + csum = *( ((uint16_t *)raw_tcp) + 8); + + return (csum == TCPCalculateChecksum((uint16_t *) raw_ipshdr, + (uint16_t *)raw_tcp, sizeof(raw_tcp))); +} + +static int TCPV6CalculateValidChecksumtest03(void) +{ + uint16_t csum = 0; + + static uint8_t raw_ipv6[] = { + 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00, + 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00, + 0x00, 0x00, 0x00, 0x20, 0x06, 0x40, 0x3f, 0xfe, + 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00, + 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe, + 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0, + 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0x03, 0xfe, + 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d, 0x0c, 0x7a, + 0x08, 0x77, 0x80, 0x10, 0x21, 0x5c, 0xc2, 0xf1, + 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, + 0xca, 0x5a, 0x00, 0x01, 0x69, 0x27}; + + csum = *( ((uint16_t *)(raw_ipv6 + 70))); + + return (csum == TCPV6CalculateChecksum((uint16_t *)(raw_ipv6 + 14 + 8), + (uint16_t *)(raw_ipv6 + 54), 32)); +} + +static int TCPV6CalculateInvalidChecksumtest04(void) +{ + uint16_t csum = 0; + + static uint8_t raw_ipv6[] = { + 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00, + 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00, + 0x00, 0x00, 0x00, 0x20, 0x06, 0x40, 0x3f, 0xfe, + 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00, + 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe, + 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0, + 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0x03, 0xfe, + 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d, 0x0c, 0x7a, + 0x08, 0x77, 0x80, 0x10, 0x21, 0x5c, 0xc2, 0xf1, + 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, + 0xca, 0x5a, 0x00, 0x01, 0x69, 0x28}; + + csum = *( ((uint16_t *)(raw_ipv6 + 70))); + + return (csum == TCPV6CalculateChecksum((uint16_t *)(raw_ipv6 + 14 + 8), + (uint16_t *)(raw_ipv6 + 54), 32)); +} + +/** \test Get the wscale of 2 */ +static int TCPGetWscaleTest01(void) +{ + int retval = 0; + static uint8_t raw_tcp[] = {0xda, 0xc1, 0x00, 0x50, 0xb6, 0x21, 0x7f, 0x58, + 0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, 0x16, 0xd0, + 0x8a, 0xaf, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4, + 0x04, 0x02, 0x08, 0x0a, 0x00, 0x62, 0x88, 0x28, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x03, 0x03, 0x02}; + Packet *p = PacketGetFromAlloc(); + if (unlikely(p == NULL)) + return 0; + IPV4Hdr ip4h; + ThreadVars tv; + DecodeThreadVars dtv; + + memset(&tv, 0, sizeof(ThreadVars)); + memset(&dtv, 0, sizeof(DecodeThreadVars)); + memset(&ip4h, 0, sizeof(IPV4Hdr)); + + p->src.family = AF_INET; + p->dst.family = AF_INET; + p->ip4h = &ip4h; + + + FlowInitConfig(FLOW_QUIET); + DecodeTCP(&tv, &dtv, p, raw_tcp, sizeof(raw_tcp), NULL); + + if (p->tcph == NULL) { + printf("tcp packet decode failed: "); + goto end; + } + + uint8_t wscale = TCP_GET_WSCALE(p); + if (wscale != 2) { + printf("wscale %"PRIu8", expected 2: ", wscale); + goto end; + } + + retval = 1; +end: + PACKET_RECYCLE(p); + FlowShutdown(); + SCFree(p); + return retval; +} + +/** \test Get the wscale of 15, so see if return 0 properly */ +static int TCPGetWscaleTest02(void) +{ + int retval = 0; + static uint8_t raw_tcp[] = {0xda, 0xc1, 0x00, 0x50, 0xb6, 0x21, 0x7f, 0x58, + 0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, 0x16, 0xd0, + 0x8a, 0xaf, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4, + 0x04, 0x02, 0x08, 0x0a, 0x00, 0x62, 0x88, 0x28, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x03, 0x03, 0x0f}; + Packet *p = PacketGetFromAlloc(); + if (unlikely(p == NULL)) + return 0; + IPV4Hdr ip4h; + ThreadVars tv; + DecodeThreadVars dtv; + + memset(&tv, 0, sizeof(ThreadVars)); + memset(&dtv, 0, sizeof(DecodeThreadVars)); + memset(&ip4h, 0, sizeof(IPV4Hdr)); + + p->src.family = AF_INET; + p->dst.family = AF_INET; + p->ip4h = &ip4h; + + FlowInitConfig(FLOW_QUIET); + DecodeTCP(&tv, &dtv, p, raw_tcp, sizeof(raw_tcp), NULL); + + if (p->tcph == NULL) { + printf("tcp packet decode failed: "); + goto end; + } + + uint8_t wscale = TCP_GET_WSCALE(p); + if (wscale != 0) { + printf("wscale %"PRIu8", expected 0: ", wscale); + goto end; + } + + retval = 1; +end: + PACKET_RECYCLE(p); + FlowShutdown(); + SCFree(p); + return retval; +} + +/** \test Get the wscale, but it's missing, so see if return 0 properly */ +static int TCPGetWscaleTest03(void) +{ + int retval = 0; + static uint8_t raw_tcp[] = {0xda, 0xc1, 0x00, 0x50, 0xb6, 0x21, 0x7f, 0x59, + 0xdd, 0xa3, 0x6f, 0xf8, 0x80, 0x10, 0x05, 0xb4, + 0x7c, 0x70, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, + 0x00, 0x62, 0x88, 0x9e, 0x00, 0x00, 0x00, 0x00}; + Packet *p = PacketGetFromAlloc(); + if (unlikely(p == NULL)) + return 0; + IPV4Hdr ip4h; + ThreadVars tv; + DecodeThreadVars dtv; + + memset(&tv, 0, sizeof(ThreadVars)); + memset(&dtv, 0, sizeof(DecodeThreadVars)); + memset(&ip4h, 0, sizeof(IPV4Hdr)); + + p->src.family = AF_INET; + p->dst.family = AF_INET; + p->ip4h = &ip4h; + + FlowInitConfig(FLOW_QUIET); + DecodeTCP(&tv, &dtv, p, raw_tcp, sizeof(raw_tcp), NULL); + + if (p->tcph == NULL) { + printf("tcp packet decode failed: "); + goto end; + } + + uint8_t wscale = TCP_GET_WSCALE(p); + if (wscale != 0) { + printf("wscale %"PRIu8", expected 0: ", wscale); + goto end; + } + + retval = 1; +end: + PACKET_RECYCLE(p); + FlowShutdown(); + SCFree(p); + return retval; +} + +static int TCPGetSackTest01(void) +{ + int retval = 0; + static uint8_t raw_tcp[] = { + 0x00, 0x50, 0x06, 0xa6, 0xfa, 0x87, 0x0b, 0xf5, + 0xf1, 0x59, 0x02, 0xe0, 0xa0, 0x10, 0x3e, 0xbc, + 0x1d, 0xe7, 0x00, 0x00, 0x01, 0x01, 0x05, 0x12, + 0xf1, 0x59, 0x13, 0xfc, 0xf1, 0x59, 0x1f, 0x64, + 0xf1, 0x59, 0x08, 0x94, 0xf1, 0x59, 0x0e, 0x48 }; + static uint8_t raw_tcp_sack[] = { + 0xf1, 0x59, 0x13, 0xfc, 0xf1, 0x59, 0x1f, 0x64, + 0xf1, 0x59, 0x08, 0x94, 0xf1, 0x59, 0x0e, 0x48 }; + Packet *p = PacketGetFromAlloc(); + if (unlikely(p == NULL)) + return 0; + IPV4Hdr ip4h; + ThreadVars tv; + DecodeThreadVars dtv; + + memset(&tv, 0, sizeof(ThreadVars)); + memset(&dtv, 0, sizeof(DecodeThreadVars)); + memset(&ip4h, 0, sizeof(IPV4Hdr)); + + p->src.family = AF_INET; + p->dst.family = AF_INET; + p->ip4h = &ip4h; + + FlowInitConfig(FLOW_QUIET); + DecodeTCP(&tv, &dtv, p, raw_tcp, sizeof(raw_tcp), NULL); + + if (p->tcph == NULL) { + printf("tcp packet decode failed: "); + goto end; + } + + if (p->tcpvars.sack == NULL) { + printf("tcp packet sack not decoded: "); + goto end; + } + + int sack = TCP_GET_SACK_CNT(p); + if (sack != 2) { + printf("expected 2 sack records, got %u: ", TCP_GET_SACK_CNT(p)); + goto end; + } + + uint8_t *sackptr = TCP_GET_SACK_PTR(p); + if (sackptr == NULL) { + printf("no sack data: "); + goto end; + } + + if (memcmp(sackptr, raw_tcp_sack, 16) != 0) { + printf("malformed sack data: "); + goto end; + } + + retval = 1; +end: + PACKET_RECYCLE(p); + FlowShutdown(); + SCFree(p); + return retval; +} +#endif /* UNITTESTS */ + +void DecodeTCPRegisterTests(void) +{ +#ifdef UNITTESTS + UtRegisterTest("TCPCalculateValidChecksumtest01", + TCPCalculateValidChecksumtest01, 1); + UtRegisterTest("TCPCalculateInvalidChecksumtest02", + TCPCalculateInvalidChecksumtest02, 0); + UtRegisterTest("TCPV6CalculateValidChecksumtest03", + TCPV6CalculateValidChecksumtest03, 1); + UtRegisterTest("TCPV6CalculateInvalidChecksumtest04", + TCPV6CalculateInvalidChecksumtest04, 0); + UtRegisterTest("TCPGetWscaleTest01", TCPGetWscaleTest01, 1); + UtRegisterTest("TCPGetWscaleTest02", TCPGetWscaleTest02, 1); + UtRegisterTest("TCPGetWscaleTest03", TCPGetWscaleTest03, 1); + UtRegisterTest("TCPGetSackTest01", TCPGetSackTest01, 1); +#endif /* UNITTESTS */ +} +/** + * @} + */ |