On Sun, 2003-06-22 at 17:34, rmkml wrote: > I sorry, my script delete tcpdump old file, oops > sorry again. Never mind, I think I found the bug anyway. There are a few updates needed in the TCP options parsing code anyway. The attached patch should fix the bug and alert on any other packets like that. -- // Gianni Tedesco (gianni at scaramanga dot co dot uk) lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import 8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
Index: ChangeLog =================================================================== RCS file: /home/scara/cvsroot/firestorm/ChangeLog,v retrieving revision 1.264 diff -u -r1.264 ChangeLog --- ChangeLog 20 Jun 2003 14:36:56 -0000 1.264 +++ ChangeLog 22 Jun 2003 17:06:57 -0000 @@ -5,6 +5,7 @@ * Add concatenation support to firecat * Changed root dir to be /var/lib/firestorm not /var/firestorm * Incorporate Matt Halls RPM spec (matt at ecsc dot co dot uk) + * Fix TCP options parsing Version 0.5.3 * Balance alerts between multiple alert spools. Index: decode_plugins/tcpstream.c =================================================================== RCS file: /home/scara/cvsroot/firestorm/decode_plugins/tcpstream.c,v retrieving revision 1.146 diff -u -r1.146 tcpstream.c --- decode_plugins/tcpstream.c 12 Jun 2003 10:48:30 -0000 1.146 +++ decode_plugins/tcpstream.c 22 Jun 2003 17:11:11 -0000 @@ -111,14 +111,18 @@ .priority=5, .gen=&tcpstream_gen, }; - -/* Reassembly alerts */ static struct alert alert_tcp4={ .alert="Reassembly Error", .sid=4, .rev=0, .priority=5, .gen=&tcpstream_gen, }; +static struct alert alert_tcp5={ + .alert="Malicious TCP options", + .sid=5, .rev=0, + .priority=5, + .gen=&tcpstream_gen, +}; /* ICMP Alerts */ static struct generator icmperr_gen= @@ -171,6 +175,7 @@ struct tcp_stream *snd, *rcv; char *ptr; int free; + struct packet *pkt; }cur; /* Statistics counters */ 
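Review bot: The new `struct packet *pkt;` member of `cur` has no documented lifetime, and nothing in the patch ever clears it: it is assigned once alongside cur.s/cur.ptr/cur.free in the @@ -1264 hunk and then read by alert(&alert_tcp5, cur.pkt) in the option parsers. If any decode path reaches those parsers without passing through that assignment (I cannot tell from the hunk whether one exists), alert() would be handed the previous packet's pointer, which may already be released. A comment on the field such as `/* packet being decoded; valid only for the duration of the current decode call */` would make the ownership explicit, and an assignment to NULL where the other `cur` fields are reset would turn a stale pointer into a detectable failure. The enclosing struct definition starts outside the hunk.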
@@ -345,21 +350,33 @@ end+=(t->doff<<2); while ( tmp<end ) { - if ( *tmp == TCPOPT_EOL || *tmp == TCPOPT_NOP ) { + size_t step; + + /* XXX: We continue past an EOL. Is that right? */ + switch(*tmp) { + case TCPOPT_EOL: + case TCPOPT_NOP: tmp++; continue; } - if ( !(tmp+1 < end) ) break; + if ( tmp+1 >= end ) + break; switch(*tmp) { case TCPOPT_TIMESTAMP: - if ( !(tmp+10 < end) ) break; + if ( tmp+10 >= end ) + break; *tsval=ntohl(*((u_int32_t *)(tmp+2))); return 1; } - tmp+=*(tmp+1); + step = *(tmp+1); + if ( step < 2 ) { + alert(&alert_tcp5, cur.pkt); + step = 2; + } + tmp += step; } return 0; @@ -379,37 +396,53 @@ end+=(t->doff<<2); while ( tmp<end ) { - if ( *tmp == TCPOPT_EOL || *tmp == TCPOPT_NOP ) { + size_t step; + + /* XXX: We continue past an EOL. Is that right? */ + switch(*tmp) { + case TCPOPT_EOL: + case TCPOPT_NOP: tmp++; continue; } - if ( !(tmp+1 < end) ) break; + if ( tmp+1 >= end ) + break; + /* Deal with fixed size options */ switch(*tmp) { case TCPOPT_SACK_PERMITTED: - s->flags|=TF_SACK_OK; + s->flags |= TF_SACK_OK; break; case TCPOPT_TIMESTAMP: - s->flags|=TF_TSTAMP_OK; + s->flags |= TF_TSTAMP_OK; /* Only check the bit we want */ - if ( !(tmp+10 < end) ) break; + if ( tmp+10 >= end ) + break; s->ts_recent=ntohl(*((u_int32_t *)(tmp+2))); s->ts_recent_stamp=sec; break; case TCPOPT_WSCALE: - if ( !(tmp+2 < end) ) break; + if ( tmp+2 >= end ) + break; + s->flags|=TF_WSCALE_OK; /* rfc1323: must log error and limit to 14 */ - if ( (s->scale=*(tmp+2)) > 14 ) s->scale=14; + if ( (s->scale=*(tmp+2)) > 14 ) + s->scale=14; break; } - tmp+=*(tmp+1); + step = *(tmp+1); + if ( step < 2 ) { + alert(&alert_tcp5, cur.pkt); + step = 2; + } + tmp += step; } } @@ -1264,6 +1297,7 @@ cur.s = NULL; cur.ptr = NULL; cur.free = 0; + cur.pkt = pkt; /* Ignore fragments */ if ( iph->frag_off & ipfmask )
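Review bot: The bound check in the TCPOPT_TIMESTAMP case is off by one: the 10-byte option occupies tmp[0..9] and fits whenever tmp+10 <= end, but `if ( tmp+10 >= end )` also skips the tmp+10 == end case, so `if ( tmp+10 > end )` is the intended guard (the tmp+1 and tmp+2 checks are correct as written). Since the common NOP,NOP,TIMESTAMP layout on data segments places the option last in the header, the inferred effect is that this function never returns a tsval for such packets; the same comparison appears in the @@ -379 hunk and should be changed there too. The `XXX` question on EOL is answered by RFC 793: end-of-option-list terminates the option list, so bytes after it are padding and should not be interpreted as further options — giving EOL its own case, `case TCPOPT_EOL: tmp = end; continue;`, keeps the loop shape and avoids the decoder seeing options that the endpoint ignores. The enclosing function starts and ends outside the hunk.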
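Review bot: In the @@ -379 hunk the fixed-size cases read their fields at hard-coded offsets but never compare `*(tmp+1)` with the option's defined length (10 for TIMESTAMP, 3 for WSCALE, 2 for SACK_PERMITTED per RFC 1323 / RFC 2018), and only `step < 2` raises alert_tcp5; a timestamp option carrying a wrong length is therefore both parsed as a timestamp and then stepped over by its bogus length, so the following bytes are reinterpreted as option kinds without any alert. A length check at the top of the case, e.g. `if ( *(tmp+1) != 10 ) { alert(&alert_tcp5, cur.pkt); break; }` before the existing bound check, would make the "Malicious TCP options" alert cover this case as well; the same applies to the WSCALE case with 3. Note also that `s->flags |= TF_TSTAMP_OK` is set before the truncation check, so a truncated timestamp option still marks the stream as timestamp-capable — if that is intentional it deserves a comment. The enclosing function starts and ends outside the hunk.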