zeek / zeek

Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
https://www.zeek.org

Teredo analyzer causing analyzer_violations for mdns and others #2658

Closed awelzel closed 1 year ago

awelzel commented 1 year ago

I haven't looked closer, but in the course of #2657, it popped out that the MDNS packets from external pcaps or wikipedia.trace are causing analyzer violations for Teredo.

In the zeek-testing-private repository for short/medium there are also a few hits on non MDNS traffic.

If it's actually any MDNS packet, maybe we can improve the DoDetect() method of Teredo, or remove it and rely on the well-known port, or skip *:5353 -> (224.0.0.251|ff02::fb):5353 endpoints.

#fields ts      cause   analyzer_kind   analyzer_name   uid     fuid    id.orig_h       id.orig_p       id.resp_h       id.resp_p       failure_reason  failure_data
#types  time    string  string  string  string  string  addr    port    addr    port    string  string
XXXXXXXXXX.XXXXXX       violation       packet  TEREDO  CHhAvVGS1DHFjwGM9       -       141.142.220.202 5353    224.0.0.251     5353    Bad Teredo encapsulation        \x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x06gemini\x09_sftp-ssh\x04_tcp\x05lo
XXXXXXXXXX.XXXXXX       violation       packet  TEREDO  ClEkJM2Vm5giqnMf4h      -       fe80::217:f2ff:fed7:cf65        5353    ff02::fb        5353    Bad Teredo encapsulation        \x00\x00\x84\x00\x00\x00\x00\x01\x00\x00\x00\x04\x06gemini\x09_sftp-ssh\x04_tcp\x05local
XXXXXXXXXX.XXXXXX       violation       packet  TEREDO  C4J4Th3PJpwUYZZ6gc      -       141.142.220.50  5353    224.0.0.251     5353    Bad Teredo encapsulation        \x00\x00\x84\x00\x00\x00\x00\x01\x00\x00\x00\x04\x06gemini\x09_sftp-ssh\x04_tcp\x05local
XXXXXXXXXX.XXXXXX       violation       packet  TEREDO  Cipfzj1BEnhejw8cGf      -       141.142.220.44  5353    224.0.0.251     5353    Bad Teredo encapsulation        \x00\x00\x00\x00\x00\x01\x00\x01\x00\x00\x00\x00\x05gomez\x09_sftp-ssh\x04_tcp\x05local\x00
$ zeek -f 'port 5353'  -r Traces/wikipedia.trace -e 'event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) { print info$c$id, info$reason; }'

timwoj commented 1 year ago

Yeah, the problem here is that the Teredo analyzer flags anything starting with 0x00 0x00 or 0x00 0x01 as being a Teredo packet. That's going to hit an awful lot of other protocols that it shouldn't.

For another reference, here's how Wireshark is handling the heuristic for Teredo: https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-teredo.c#L237-302. It doesn't properly handle our teredo-udp-in-udp.pcap capture, and only shows the outer UDP frame with a data hunk inside it.
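As an added illustration (not code from the issue or from Zeek itself), the following Python triages analyzer.log rows like the ones above: it decodes Zeek's \xNN-escaped failure_data, applies the two-byte heuristic described in this comment, and checks whether the payload is really an mDNS message on the *:5353 -> (224.0.0.251|ff02::fb):5353 endpoints suggested for skipping earlier in the thread. Two sample rows are copied from the log above, the third is constructed; all function names are my own.

```python
import re
import struct

MDNS_GROUPS = {"224.0.0.251", "ff02::fb"}
MDNS_PORT = 5353

# (id.orig_h, id.orig_p, id.resp_h, id.resp_p, failure_data): two rows from the log above, one constructed.
SAMPLE_ROWS = [
    ("141.142.220.202", 5353, "224.0.0.251", 5353,
     r"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x06gemini\x09_sftp-ssh\x04_tcp\x05lo"),
    ("fe80::217:f2ff:fed7:cf65", 5353, "ff02::fb", 5353,
     r"\x00\x00\x84\x00\x00\x00\x00\x01\x00\x00\x00\x04\x06gemini\x09_sftp-ssh\x04_tcp\x05local"),
    ("10.0.0.5", 40000, "10.0.0.53", 53,  # constructed ordinary unicast DNS query
     r"\x1a\x2b\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00"),
]

def unescape_zeek(field: str) -> bytes:
    """Turn Zeek's \\xNN escaping of a binary log field back into raw bytes."""
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  field.encode("ascii"))

def teredo_heuristic_hit(payload: bytes) -> bool:
    """The detection the thread describes: first two bytes 0x00 0x00 or 0x00 0x01."""
    return payload[:2] in (b"\x00\x00", b"\x00\x01")

def parse_dns_header(payload: bytes):
    """Unpack the 12-byte DNS header, or return None if the payload is too short."""
    if len(payload) < 12:
        return None
    tid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {"id": tid, "flags": flags, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def looks_like_mdns(orig_p, resp_h, resp_p, payload) -> bool:
    """Endpoint rule from the issue (*:5353 -> mDNS group:5353) plus a header check:
    mDNS uses transaction id 0 and opcode QUERY, which is why it collides with Teredo."""
    hdr = parse_dns_header(payload)
    if hdr is None:
        return False
    endpoint_ok = orig_p == MDNS_PORT and resp_p == MDNS_PORT and resp_h in MDNS_GROUPS
    opcode = (hdr["flags"] >> 11) & 0xF
    return endpoint_ok and hdr["id"] == 0 and opcode == 0

def triage(rows):
    """Per row: (Teredo heuristic fired?, payload is really mDNS?)."""
    results = []
    for _orig_h, orig_p, resp_h, resp_p, data in rows:
        payload = unescape_zeek(data)
        results.append((teredo_heuristic_hit(payload), looks_like_mdns(orig_p, resp_h, resp_p, payload)))
    return results
```

Both logged rows fire the heuristic and parse as mDNS (query with qdcount 1, authoritative response with 0x8400 flags), while the constructed unicast query does neither.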

awelzel commented 1 year ago

A different angle: @0xxon today said that analyzers shouldn't raise violations if they weren't confirmed, and given that we have a session with Teredo, maybe that's an okay fix:

--- a/src/packet_analysis/protocol/teredo/Teredo.cc
+++ b/src/packet_analysis/protocol/teredo/Teredo.cc
@@ -184,7 +184,8 @@ bool TeredoAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pack
        detail::TeredoEncapsulation te(this);
        if ( ! te.Parse(data, len) )
                {
-               AnalyzerViolation("Bad Teredo encapsulation", conn, (const char*)data, len);
+               if AnalyzerConfirmed(packet->session)
+                       AnalyzerViolation("Bad Teredo encapsulation", conn, (const char*)data, len);
                return false;
                }
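Review bot: the added condition `if AnalyzerConfirmed(packet->session)` is missing the parentheses C++ requires around an if condition, so this hunk will not compile as written; it should read `if ( AnalyzerConfirmed(packet->session) )` to match the surrounding `if ( ! te.Parse(data, len) )` style. Also, the violation is still reported against `conn` while the confirmation check uses `packet->session`; that is fine if `conn` was derived from `packet->session` above this hunk, but worth a glance.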

It doesn't solve the fact that the analyzer is even considered, but it does stop raising analyzer_violation / analyzer_violation_info events if we're not even sure yet this is Teredo.

It's interesting: The Teredo::Weird() implementation basically does that, so seems fine for AnalyzerViolation()

timwoj commented 1 year ago

> It's interesting: The Teredo::Weird() implementation basically does that, so seems fine for AnalyzerViolation()

I can confirm that this does indeed work. I have a NetBIOS pcap here, and the analyzer violations go away with that patch. I agree that I wish it could just avoid going into the analyzer at all, but I also tried reimplementing Wireshark's heuristic and Zeek fails to find the tunnels in the same ways that Wireshark itself does. I'll open a quick PR with this.