TCP Options-27,28,29,34 invalid length check
Recently saw some malicious traffic with an invalid TFO (TCP Fast Open) cookie length of 2 bytes. This traffic was picked up by a Suricata alert for "TCP options invalid length". I realized that Zeek didn't flag it, because TFO, TCP option no. 34, isn't checked against the invalid length. Hence, I thought to write some quick length checks for 4 popularly seen TCP options.
I also realized that the weirds associated with TCP options aren't triggered and logged by default until the "tcp_option"/"tcp_options" events are explicitly called in a script. We might want to change that, as it would be nice to log these weirds by default without explicitly calling the tcp_option/tcp_options events.
Test: I was testing this code against a pcap with a bad-length TFO option, and it didn't log any weirds, but when I tested the same code against the same pcap with an explicit script having the tcp_options event called, I saw the weirds getting logged in weird.log. That's the current behavior.
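The per-option length rules the PR is about, as an added stand-alone example (editor's code, not the PR's change and not Zeek's own analyzer, which does this check in C++): a small Python walker over the TCP options field that flags a Length byte inconsistent with the option's definition. The rules for kinds 27, 28, 29 and 34 are taken from RFC 4782, RFC 5482, RFC 5925 and RFC 7413 respectively; the bounds for the other kinds are assumptions from their defining RFCs, and the option byte strings at the bottom are constructed for the example. Note that a TFO option of Length 2 is a legal cookie request; the bad case from the description is a 2-byte cookie, i.e. Length 4.

```python
"""Length validation for TCP options, including kinds 27, 28, 29 and 34.

Added example, not Zeek code. Per-kind rules are derived from the RFCs
(assumption: the fixed lengths below match the current definitions);
sample option fields at the bottom are constructed for the example.
"""

# Kinds whose Length byte must be exactly this value.
FIXED_LEN = {
    2: 4,    # MSS (RFC 9293)
    3: 3,    # Window Scale (RFC 7323)
    4: 2,    # SACK permitted (RFC 2018)
    8: 10,   # Timestamps (RFC 7323)
    27: 8,   # Quick-Start Response (RFC 4782)
    28: 4,   # User Timeout (RFC 5482)
}


def option_length_ok(kind, length):
    """Return True if `length` is acceptable for option `kind`."""
    if length < 2:
        # Length covers the Kind and Length bytes themselves, so < 2 is
        # malformed for every kind and would also stall the parser.
        return False
    if kind in FIXED_LEN:
        return length == FIXED_LEN[kind]
    if kind == 5:
        # SACK: 2-byte header plus whole 8-byte blocks (RFC 2018).
        return length > 2 and (length - 2) % 8 == 0
    if kind == 29:
        # TCP-AO: Kind, Length, KeyID, RNextKeyID, then the MAC (RFC 5925).
        return length >= 4
    if kind == 34:
        # TFO (RFC 7413): Length 2 is a cookie request with no cookie;
        # otherwise the cookie is 4..16 bytes, so Length is 6..18.
        # A 2-byte cookie (Length 4) is therefore invalid.
        return length == 2 or 6 <= length <= 18
    # Unknown kind: nothing to check beyond the generic minimum.
    return True


def parse_tcp_options(data):
    """Walk a TCP options field and return a list of (kind, length, ok).

    EOL (kind 0) ends the walk; NOP (kind 1) is a single byte with no
    Length. A Length < 2 or one that runs past the end of the field is
    reported as not ok and stops the walk, since the offset can no longer
    be advanced reliably, which is exactly where an analyzer should bail.
    """
    out = []
    i, n = 0, len(data)
    while i < n:
        kind = data[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= n:
            out.append((kind, None, False))   # Kind byte, no room for Length
            break
        length = data[i + 1]
        if length < 2 or i + length > n:
            out.append((kind, length, False))  # malformed or truncated
            break
        out.append((kind, length, option_length_ok(kind, length)))
        i += length
    return out


def invalid_kinds(data):
    """Kinds in `data` whose length check failed, in wire order."""
    return [kind for kind, _, ok in parse_tcp_options(data) if not ok]


# Constructed sample fields (not captured traffic).
# Typical SYN: MSS 1460, SACK-permitted, Timestamps, NOP, WS 7, TFO request.
GOOD_SYN_OPTS = bytes.fromhex(
    "020405b4" "0402" "080a0000000100000000" "01" "030307" "2202"
)
# Same MSS, then a TFO option carrying a 2-byte cookie (Length 4): invalid.
BAD_TFO_OPTS = bytes.fromhex("020405b4" "2204dead")
# TFO claiming an 8-byte cookie but cut off after 2 bytes: truncated.
TRUNCATED_TFO_OPTS = bytes.fromhex("220a0102")

if __name__ == "__main__":
    for name, field in (("good", GOOD_SYN_OPTS), ("bad", BAD_TFO_OPTS),
                        ("truncated", TRUNCATED_TFO_OPTS)):
        print(name, parse_tcp_options(field), "invalid:", invalid_kinds(field))
```

The walker deliberately stops at the first bad option rather than trying to resynchronise: after a bogus Length byte there is no trustworthy offset for the next option, so anything parsed afterwards would be guesswork, and a single "invalid length" finding per segment is what the Suricata alert mentioned above amounts to as well.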
Do you think you can still create a pcap? Otherwise I'll go ahead and merge as is.
Give me one more day, and I will let you know by tomorrow. Sorry for the delay on this.
@rsmmr Are you happy with this one now?
Yes, I'll merge, thanks @fatemabw!