Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ARP: implement decoder and logger v10 #11060

Closed
wants to merge 6 commits into from
Closed

ARP: implement decoder and logger v10 #11060

wants to merge 6 commits into from

Conversation

glongo
Copy link
Contributor

@glongo glongo commented May 14, 2024

Make sure these boxes are signed before submitting your Pull Request -- thank you.

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/6827

Describe changes:

  • Make checks stricter: first check for minimum size, then for full size.
  • Add events for invalid hardware and protocol sizes
  • Update schema.json
  • Fix minor mistakes in the logger

SV_BRANCH=OISF/suricata-verify#1807

@glongo
decode/arp: implement decoder
94bca84 
This adds a decoder for ARP.

Ticket OISF#6827
@glongo
output/json: make JSONFormatAndAddMACAddr public
67f161b 
This change exposes 'JSONFormatAndAddMACAddr' as a public function,
allowing it to be reused across modules, such as the ARP logger, for logging
MAC addresses extracted from ARP packets.
@glongo
output/json: check 5-tuple values prior to logging
7fae8b8 
This commit enhances the JSON output by introducing a feature for conditional port logging.
Now, port logging is dependent on the underlying protocol
(such as TCP, UDP, or SCTP), where port information is pertinent, while it
avoids unnecessary logging for protocols where a port is not utilized (e.g. ARP).

Furthermore, this update ensures that IP addresses and the protocol have
meaningful values set, rather than being logged as empty strings.

These changes will make each log entry more precise, eliminating cases where
5-tuple fields are empty or set to zero, indicating the absence of a field.
@glongo
output-json/arp: implement logger
bfa5b80 
This adds a logger for ARP, disabled by default.

Ticket OISF#6827
@glongo
doc: add arp changes
3922dbf
@glongo
decode/gre: decode arp packets
cf234cc
@glongo glongo requested review from jufajardini, victorjulien and a team as code owners May 14, 2024 03:57
This was referenced May 14, 2024
Closed
Closed
@codecov Codecov
Copy link

codecov bot commented May 14, 2024
edited

Codecov Report

Attention: Patch coverage is 72.72727% with 30 lines in your changes are missing coverage. Please review.

Project coverage is 83.62%. Comparing base (cb56752) to head (cf234cc).

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #11060      +/-   ##
==========================================
- Coverage   83.63%   83.62%   -0.02%     
==========================================
  Files         922      925       +3     
  Lines      250321   250425     +104     
==========================================
+ Hits       209349   209406      +57     
- Misses      40972    41019      +47
Flag Coverage Δ
fuzzcorpus 64.18% <38.18%> (-0.05%) ⬇️
livemode 18.42% <30.00%> (+<0.01%) ⬆️
suricata-verify 62.76% <69.09%> (-0.01%) ⬇️
unittests 62.25% <4.54%> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

victorjulien
victorjulien requested changes May 14, 2024
View reviewed changes
Copy link
Member

@victorjulien victorjulien left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not quite happy with the decoder yet, see inline

src/decode-arp.c
return TM_ECODE_FAILED;

if (SCNtohs(arph->hw_type) != ARP_HW_TYPE_ETHERNET) {
ENGINE_SET_INVALID_EVENT(p, ARP_UNSUPPORTED_HARDWARE);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should call PacketClearL3(p); to "unset" the ARP header in the packet.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same for other failure paths

src/decode-arp.h
#ifndef SURICATA_DECODE_ARP_H
#define SURICATA_DECODE_ARP_H

#define ARP_HEADER_MIN_LEN 2
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should be 4? 2 times 16 bits are read (hw_type, proto_type) before more checks are done

src/decode-arp.c
}

if (unlikely(len != ARP_HEADER_LEN)) {
ENGINE_SET_INVALID_EVENT(p, ARP_UNSUPPORTED_PKT);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if we get here, we know that packet is arp, hw type ethernet, proto type ip. So is a size mismatch here a "invalid" or an "unsupported" packet? I think invalid seems more appropriate?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in fact, I would think < ARP_HEADER_LEN => invalid
and > ARP_HEADER_LEN "trailing data" or something?

In general, it might be good to validate the fixed size part of the header, so the first 8 bytes

    uint16_t hw_type;
    uint16_t proto_type;
    uint8_t hw_size;
    uint8_t proto_size;
    uint16_t opcode;

+ the sum of the hw_size and proto_size, and see if it matches the input. Shorter is bad/invalid+event, longer is suspicious/valid+event?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if we get here, we know that packet is arp, hw type ethernet, proto type ip. So is a size mismatch here a "invalid" or an "unsupported" packet? I think invalid seems more appropriate?

Yes, I think invalid is more appropriate.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in fact, I would think < ARP_HEADER_LEN => invalid and > ARP_HEADER_LEN "trailing data" or something?

In general, it might be good to validate the fixed size part of the header, so the first 8 bytes

    uint16_t hw_type;
    uint16_t proto_type;
    uint8_t hw_size;
    uint8_t proto_size;
    uint16_t opcode;

+ the sum of the hw_size and proto_size, and see if it matches the input. Shorter is bad/invalid+event, longer is suspicious/valid+event?

I've found a pcap where after the ARP pkt, 18 bytes are added as padding for Ethernet (which can be filtered with eth.padding). Here is how the packet looks:

ARP:
00 01 08 00 06 04 00 03  00 00 a1 12 dd 88 00 00
00 00 00 00 a1 12 dd 88  00 00 00 00
Ethernet padding:
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00

To summarize, if the length is shorter than ARP_HEADER_LEN, it is invalid (and an event is set).
If it is longer, it is valid, but I wonder if we should set an event, as it can be more noisy than helpful if padding is often added at the end of the packet.

@glongo
Copy link
Contributor Author

glongo commented May 15, 2024

Replaced with #11085

@glongo glongo closed this May 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorjulien victorjulien victorjulien requested changes

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
2 participants
@glongo @victorjulien