# it will sometimes detect non-teredo as teredo.
teredo:
enabled: true
+ # ports to look for Teredo. Max 4 ports. If no ports are given, or
+ # the value is set to 'any', Teredo detection runs on _all_ UDP packets.
+ ports: $TEREDO_PORTS # syntax: '[3544, 1234]'
+Using this default configuration, Teredo detection will run on UDP port
+3544. If the `ports` parameter is missing, or set to `any`, all ports will be
+inspected for possible presence of Teredo.
Advanced Options
----------------
-/* Copyright (C) 2012 Open Information Security Foundation
+/* Copyright (C) 2012-2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
#include "decode-teredo.h"
#include "util-debug.h"
#include "conf.h"
+#include "detect-engine-port.h"
-#define TEREDO_ORIG_INDICATION_LENGTH 8
+#define TEREDO_ORIG_INDICATION_LENGTH 8
static bool g_teredo_enabled = true;
+static int g_teredo_ports[4] = { -1, -1, -1, -1 };
+static int g_teredo_ports_cnt = 0;
+static bool g_teredo_ports_any = true;
+
+bool DecodeTeredoEnabledForPort(const uint16_t sp, const uint16_t dp)
+{
+ SCLogDebug("ports %u->%u ports %d %d %d %d", sp, dp,
+ g_teredo_ports[0], g_teredo_ports[1],
+ g_teredo_ports[2], g_teredo_ports[3]);
+
+ if (g_teredo_enabled) {
+ /* no port config means we are enabled for all ports */
+ if (g_teredo_ports_any) {
+ return true;
+ }
+
+ for (int i = 0; i < g_teredo_ports_cnt; i++) {
+ if (g_teredo_ports[i] == -1)
+ return false;
+ const int port = g_teredo_ports[i];
+ if (port == (const int)sp ||
+ port == (const int)dp)
+ return true;
+ }
+ }
+ return false;
+}
+
+static void DecodeTeredoConfigPorts(const char *pstr)
+{
+ SCLogDebug("parsing \'%s\'", pstr);
+
+ if (strcmp(pstr, "any") == 0) {
+ g_teredo_ports_any = true;
+ return;
+ }
+
+ DetectPort *head = NULL;
+ DetectPortParse(NULL, &head, pstr);
+
+ g_teredo_ports_any = false;
+ g_teredo_ports_cnt = 0;
+ for (DetectPort *p = head; p != NULL; p = p->next) {
+ if (g_teredo_ports_cnt >= 4) {
+ SCLogWarning(SC_ERR_INVALID_YAML_CONF_ENTRY,
+ "only 4 Teredo ports can be defined");
+ break;
+ }
+ g_teredo_ports[g_teredo_ports_cnt++] = (int)p->port;
+ }
+ DetectPortCleanupList(NULL, head);
+}
void DecodeTeredoConfig(void)
{
g_teredo_enabled = false;
}
}
+ if (g_teredo_enabled) {
+ ConfNode *node = ConfGetNode("decoder.teredo.ports");
+ if (node && node->val) {
+ DecodeTeredoConfigPorts(node->val);
+ }
+ }
}
/**
-/* Copyright (C) 2012 Open Information Security Foundation
+/* Copyright (C) 2012-2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
int DecodeTeredo(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
const uint8_t *pkt, uint16_t len);
void DecodeTeredoConfig(void);
+bool DecodeTeredoEnabledForPort(const uint16_t sp, const uint16_t dp);
#endif
-/* Copyright (C) 2007-2010 Open Information Security Foundation
+/* Copyright (C) 2007-2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
SCLogDebug("UDP sp: %" PRIu32 " -> dp: %" PRIu32 " - HLEN: %" PRIu32 " LEN: %" PRIu32 "",
UDP_GET_SRC_PORT(p), UDP_GET_DST_PORT(p), UDP_HEADER_LEN, p->payload_len);
- if (unlikely(DecodeTeredo(tv, dtv, p, p->payload, p->payload_len) == TM_ECODE_OK)) {
+ if (DecodeTeredoEnabledForPort(p->sp, p->dp) &&
+ likely(DecodeTeredo(tv, dtv, p, p->payload, p->payload_len) == TM_ECODE_OK)) {
/* Here we have a Teredo packet and don't need to handle app
* layer */
FlowSetupPacket(p);
FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
FTP_PORTS: 21
VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
##
## Step 2: Select outputs to enable
# as it will sometimes detect non-teredo as teredo.
teredo:
enabled: true
+ # ports to look for Teredo. Max 4 ports. If no ports are given, or
+ # the value is set to 'any', Teredo detection runs on _all_ UDP packets.
+ ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'.
+
# VXLAN decoder is assigned to up to 4 UDP ports. By default only the
# IANA assigned port 4789 is enabled.
vxlan:
projects / thirdparty / suricata.git / commitdiff
