On Sun, 2003-06-22 at 17:34, rmkml wrote: > I sorry, my script delete tcpdump old file, oops > sorry again. Never mind, I think I found the bug anyway. There are a few updates needed in the TCP options parsing code in any case. The attached patch should fix the bug and alert on any other packets like that. -- // Gianni Tedesco (gianni at scaramanga dot co dot uk) lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import 8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
Index: ChangeLog
===================================================================
RCS file: /home/scara/cvsroot/firestorm/ChangeLog,v
retrieving revision 1.264
diff -u -r1.264 ChangeLog
--- ChangeLog 20 Jun 2003 14:36:56 -0000 1.264
+++ ChangeLog 22 Jun 2003 17:06:57 -0000
@@ -5,6 +5,7 @@
* Add concatenation support to firecat
* Changed root dir to be /var/lib/firestorm not /var/firestorm
* Incorporate Matt Halls RPM spec (matt at ecsc dot co dot uk)
+ * Fix TCP options parsing
Version 0.5.3
* Balance alerts between multiple alert spools.
Index: decode_plugins/tcpstream.c
===================================================================
RCS file: /home/scara/cvsroot/firestorm/decode_plugins/tcpstream.c,v
retrieving revision 1.146
diff -u -r1.146 tcpstream.c
--- decode_plugins/tcpstream.c 12 Jun 2003 10:48:30 -0000 1.146
+++ decode_plugins/tcpstream.c 22 Jun 2003 17:11:11 -0000
@@ -111,14 +111,18 @@
.priority=5,
.gen=&tcpstream_gen,
};
-
-/* Reassembly alerts */
static struct alert alert_tcp4={
.alert="Reassembly Error",
.sid=4, .rev=0,
.priority=5,
.gen=&tcpstream_gen,
};
+static struct alert alert_tcp5={
+ .alert="Malicious TCP options",
+ .sid=5, .rev=0,
+ .priority=5,
+ .gen=&tcpstream_gen,
+};
/* ICMP Alerts */
static struct generator icmperr_gen=
@@ -171,6 +175,7 @@
struct tcp_stream *snd, *rcv;
char *ptr;
int free;
+ struct packet *pkt;
}cur;
/* Statistics counters */
@@ -345,21 +350,33 @@
end+=(t->doff<<2);
while ( tmp<end ) {
- if ( *tmp == TCPOPT_EOL || *tmp == TCPOPT_NOP ) {
+ size_t step;
+
+ /* XXX: We continue past an EOL. Is that right? */
+ switch(*tmp) {
+ case TCPOPT_EOL:
+ case TCPOPT_NOP:
tmp++;
continue;
}
- if ( !(tmp+1 < end) ) break;
+ if ( tmp+1 >= end )
+ break;
switch(*tmp) {
case TCPOPT_TIMESTAMP:
- if ( !(tmp+10 < end) ) break;
+ if ( tmp+10 >= end )
+ break;
*tsval=ntohl(*((u_int32_t *)(tmp+2)));
return 1;
}
- tmp+=*(tmp+1);
+ step = *(tmp+1);
+ if ( step < 2 ) {
+ alert(&alert_tcp5, cur.pkt);
+ step = 2;
+ }
+ tmp += step;
}
return 0;
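Review bot: The EOL case at `case TCPOPT_EOL:` keeps scanning, so bytes that RFC 793 defines as padding after the end-of-option-list marker are parsed as further options; an endpoint stops there, and a timestamp placed after EOL would set tsval from data the endpoint never honours, which is exactly the kind of parser divergence the new alert is meant to close. Ending the scan there is a two-line change, `case TCPOPT_EOL: tmp = end; continue;` (or simply `return 0;` in this function), with TCPOPT_NOP keeping its `tmp++; continue;`. The truncated-option `break` after `if ( tmp+10 >= end )` leaves only the switch, so a TIMESTAMP that overruns the header is skipped silently while a zero-length option raises alert_tcp5; alerting there too would treat both malformations alike. The length byte is read through `*(tmp+1)`; if tmp is declared as plain `char *` (its declaration is outside the hunk), a length of 128 or more converts to a huge size_t and passes the `step < 2` check, so an unsigned pointer type is worth confirming. The same three points apply to the second options loop (the hunk at @@ -379,37 +396,53 @@), and this function's signature lies outside the hunk.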
@@ -379,37 +396,53 @@
end+=(t->doff<<2);
while ( tmp<end ) {
- if ( *tmp == TCPOPT_EOL || *tmp == TCPOPT_NOP ) {
+ size_t step;
+
+ /* XXX: We continue past an EOL. Is that right? */
+ switch(*tmp) {
+ case TCPOPT_EOL:
+ case TCPOPT_NOP:
tmp++;
continue;
}
- if ( !(tmp+1 < end) ) break;
+ if ( tmp+1 >= end )
+ break;
+ /* Deal with fixed size options */
switch(*tmp) {
case TCPOPT_SACK_PERMITTED:
- s->flags|=TF_SACK_OK;
+ s->flags |= TF_SACK_OK;
break;
case TCPOPT_TIMESTAMP:
- s->flags|=TF_TSTAMP_OK;
+ s->flags |= TF_TSTAMP_OK;
/* Only check the bit we want */
- if ( !(tmp+10 < end) ) break;
+ if ( tmp+10 >= end )
+ break;
s->ts_recent=ntohl(*((u_int32_t *)(tmp+2)));
s->ts_recent_stamp=sec;
break;
case TCPOPT_WSCALE:
- if ( !(tmp+2 < end) ) break;
+ if ( tmp+2 >= end )
+ break;
+
s->flags|=TF_WSCALE_OK;
/* rfc1323: must log error and limit to 14 */
- if ( (s->scale=*(tmp+2)) > 14 ) s->scale=14;
+ if ( (s->scale=*(tmp+2)) > 14 )
+ s->scale=14;
break;
}
- tmp+=*(tmp+1);
+ step = *(tmp+1);
+ if ( step < 2 ) {
+ alert(&alert_tcp5, cur.pkt);
+ step = 2;
+ }
+ tmp += step;
}
}
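Review bot: The rfc1323 branch at `if ( (s->scale=*(tmp+2)) > 14 )` honours only half of its own comment: the scale is clamped to 14 but nothing is logged, even though alert_tcp5 now exists for precisely this kind of malformed option. Adding `alert(&alert_tcp5, cur.pkt);` before `s->scale=14;` would record the out-of-range value instead of normalising it silently, which is the more useful behaviour for a sensor. The function this loop belongs to starts before the hunk.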
@@ -1264,6 +1297,7 @@
cur.s = NULL;
cur.ptr = NULL;
cur.free = 0;
+ cur.pkt = pkt;
/* Ignore fragments */
if ( iph->frag_off & ipfmask )