Merge pull request #1878 in SNORT/snort3 from ~APOORAJ/snort3:gtp_teid to master

Squashed commit of the following:

commit 65363ab96ffd788f42836c407e6143952a69e825
Author: Apoorv Raj <apooraj@cisco.com>
Date:   Tue Dec 3 23:42:37 2019 -0500

    gtp:alerts should be raised for missing TEID in gtp msg

diff --git a/src/service_inspectors/gtp/gtp_module.cc b/src/service_inspectors/gtp/gtp_module.cc
index 927268e90affc2179769d0bbd402d47d53d0865f..f6a24f0e4c088cae0a329497d7c996e10a49e572 100644 (file)
--- a/src/service_inspectors/gtp/gtp_module.cc
+++ b/src/service_inspectors/gtp/gtp_module.cc
@@ -38,6 +38,7 @@ THREAD_LOCAL ProfileStats gtp_inspect_prof;
 #define GTP_EVENT_BAD_MSG_LEN_STR        "message length is invalid"
 #define GTP_EVENT_BAD_IE_LEN_STR         "information element length is invalid"
 #define GTP_EVENT_OUT_OF_ORDER_IE_STR    "information elements are out of order"
+#define GTP_EVENT_MISSING_TEID_STR       "TEID is missing"
 
 //-------------------------------------------------------------------------
 // stats
@@ -70,6 +71,7 @@ static const RuleMap gtp_rules[] =
     { GTP_EVENT_BAD_MSG_LEN, GTP_EVENT_BAD_MSG_LEN_STR },
     { GTP_EVENT_BAD_IE_LEN, GTP_EVENT_BAD_IE_LEN_STR },
     { GTP_EVENT_OUT_OF_ORDER_IE, GTP_EVENT_OUT_OF_ORDER_IE_STR },
+    { GTP_EVENT_MISSING_TEID, GTP_EVENT_MISSING_TEID_STR },
 
     { 0, nullptr }
 };

diff --git a/src/service_inspectors/gtp/gtp_module.h b/src/service_inspectors/gtp/gtp_module.h
index e567359d60de2751aa809071bcbde6ea68c7c8d3..2a15694662810d7b9605f282cae764b2887b6ac9 100644 (file)
--- a/src/service_inspectors/gtp/gtp_module.h
+++ b/src/service_inspectors/gtp/gtp_module.h
@@ -29,6 +29,7 @@
 #define GTP_EVENT_BAD_MSG_LEN        (1)
 #define GTP_EVENT_BAD_IE_LEN         (2)
 #define GTP_EVENT_OUT_OF_ORDER_IE    (3)
+#define GTP_EVENT_MISSING_TEID       (4)
 
 #define GTP_NAME "gtp_inspect"
 #define GTP_HELP "gtp control channel inspection"

diff --git a/src/service_inspectors/gtp/gtp_parser.cc b/src/service_inspectors/gtp/gtp_parser.cc
index 8c9571d5481d0dc71f9193e49dc792168e93c262..50b491deb108d63bf41a9e4d3bf3ec1836ccfd14 100644 (file)
--- a/src/service_inspectors/gtp/gtp_parser.cc
+++ b/src/service_inspectors/gtp/gtp_parser.cc
@@ -54,14 +54,6 @@ struct GTP_C_Hdr
     uint16_t length;            /* length */
 };
 
-struct GTP_C_Hdr_v0
-{
-    GTP_C_Hdr hdr;
-    uint16_t sequence_num;
-    uint16_t flow_lable;
-    uint64_t tid;
-};
-
 /* GTP Information element Header  */
 struct GTP_IE_Hdr
 {
@@ -280,8 +272,16 @@ static int gtp_parse_v0(GTPMsg* msg, const uint8_t* buff, uint16_t gtp_len)
 static int gtp_parse_v1(GTPMsg* msg, const uint8_t* buff, uint16_t gtp_len)
 {
     const GTP_C_Hdr* hdr;
+    const uint32_t* teid;
 
     hdr = (const GTP_C_Hdr*)buff;
+    /*TEID value at 5-8 octets*/
+    teid = (const uint32_t*)(buff + 4);
+
+    if ((msg->msg_type > 3) && (*teid == 0))
+    {
+        alert(GTP_EVENT_MISSING_TEID);
+    }
 
     /*Check the length based on optional fields and extension header*/
     if (hdr->flag & 0x07)
@@ -368,8 +368,16 @@ static int gtp_parse_v1(GTPMsg* msg, const uint8_t* buff, uint16_t gtp_len)
 static int gtp_parse_v2(GTPMsg* msg, const uint8_t* buff, uint16_t gtp_len)
 {
     const GTP_C_Hdr* hdr;
+    const uint32_t* teid;
 
     hdr = (const GTP_C_Hdr*)buff;
+    /*TEID value at 5-8 octet*/
+    teid = (const uint32_t*)(buff + 4);
+
+    if ((msg->msg_type > 3) && (hdr->flag & 0x08) && (*teid == 0))
+    {
+        alert(GTP_EVENT_MISSING_TEID);
+    }
 
     if (hdr->flag & 0x8)
         msg->header_len = GTP_HEADER_LEN_EPC_V2;