From 9d1b738fc96dc4a3782f8959ce29ed531e66d8a1 Mon Sep 17 00:00:00 2001
From: mrsuciu
Date: Wed, 20 Nov 2024 14:14:46 +0200
Subject: [PATCH] Track rogue client behavior only under Basic128Rsa15 security policy

---
 .../Stack/Tcp/TcpListenerChannel.cs | 5 ++--
 .../Stack/Tcp/TcpTransportListener.cs | 26 ++++++++++++-------
 2 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/Stack/Opc.Ua.Core/Stack/Tcp/TcpListenerChannel.cs b/Stack/Opc.Ua.Core/Stack/Tcp/TcpListenerChannel.cs
index 9c074ef56..328252f0e 100644
--- a/Stack/Opc.Ua.Core/Stack/Tcp/TcpListenerChannel.cs
+++ b/Stack/Opc.Ua.Core/Stack/Tcp/TcpListenerChannel.cs
@@ -268,8 +268,9 @@ protected void ForceChannelFault(ServiceResult reason)
 
 if (close)
 {
- // mark the RemoteAddress as potential rogue
- if (reason.StatusCode == StatusCodes.BadSecurityChecksFailed || reason.StatusCode == StatusCodes.BadTcpMessageTypeInvalid)
+ // mark the RemoteAddress as potential rogue if Basic128Rsa15
+ if ((SecurityPolicyUri == SecurityPolicies.Basic128Rsa15) &&
+ (reason.StatusCode == StatusCodes.BadSecurityChecksFailed || reason.StatusCode == StatusCodes.BadTcpMessageTypeInvalid))
 {
 var tcpTransportListener = m_listener as TcpTransportListener;
 if (tcpTransportListener != null)
diff --git a/Stack/Opc.Ua.Core/Stack/Tcp/TcpTransportListener.cs b/Stack/Opc.Ua.Core/Stack/Tcp/TcpTransportListener.cs
index 886aa05cb..686827119 100644
--- a/Stack/Opc.Ua.Core/Stack/Tcp/TcpTransportListener.cs
+++ b/Stack/Opc.Ua.Core/Stack/Tcp/TcpTransportListener.cs
@@ -551,7 +551,11 @@ public void Start()
 {
 lock (m_lock)
 {
- m_rogueClientTracker = new RogueClientTracker();
+ // Track rogue client behavior only if Basic128Rsa15 security policy is offered
+ if (m_descriptions.Any(d => d.SecurityPolicyUri == SecurityPolicies.Basic128Rsa15))
+ {
+ m_rogueClientTracker = new RogueClientTracker();
+ }
 
 // ensure a valid port.
 int port = m_uri.Port;
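Review bot: The new guard compares the channel's `SecurityPolicyUri` at fault time, but `BadTcpMessageTypeInvalid` is the fault for malformed TCP-layer messages, which a peer can send before any secure channel has been negotiated; if `SecurityPolicyUri` is still unset at that point (how and when it is assigned is not visible in this hunk), such clients are no longer tracked under any policy, whereas the old code counted them regardless. If that narrowing is intended — presumably because the tracker exists to throttle padding-oracle style probing of RSA PKCS#1 v1.5, which only Basic128Rsa15 uses — record it in the comment, e.g. `// Only Basic128Rsa15 channels feed the rogue tracker; faults raised before a policy is negotiated are deliberately not counted.` Otherwise keep counting `BadTcpMessageTypeInvalid` irrespective of policy and apply the policy check only to `BadSecurityChecksFailed`. ForceChannelFault starts and ends outside the hunk.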
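Review bot: The decision to create the tracker is taken exactly once, at `Start()`, from the contents of `m_descriptions`, so a listener whose endpoint descriptions are changed afterwards (the `CertificateUpdate(` signature visible as context in the next hunk suggests runtime updates exist, though this hunk does not show whether descriptions change with them) keeps a stale decision in both directions; a comment such as `// Decided once at start: Basic128Rsa15 endpoints added or removed later do not toggle tracking.` would make that assumption explicit. If `m_descriptions` can be null here the LINQ call throws, so `m_descriptions?.Any(d => d.SecurityPolicyUri == SecurityPolicies.Basic128Rsa15) == true` is the defensive form. Note also that `m_rogueClientTracker` is assigned under `m_lock` here but read without it in `OnAccept` and `MarkAsPotentialRogue`, which is only safe if `Start()` completes before the socket begins accepting — not visible in this hunk. The body of Start continues outside the hunk.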
@@ -734,8 +738,8 @@ public void CertificateUpdate(
 ///
 internal void MarkAsPotentialRogue(IPAddress remoteEndpoint)
 {
- Utils.LogError("MarkClientAsPotentialRogue address: {0} ", remoteEndpoint.ToString());
- m_rogueClientTracker.AddRogueClientAction(remoteEndpoint);
+ Utils.LogInfo("MarkClientAsPotentialRogue address: {0} ", remoteEndpoint.ToString());
+ m_rogueClientTracker?.AddRogueClientAction(remoteEndpoint);
 }
 
 #endregion
@@ -752,13 +756,17 @@ private void OnAccept(object sender, SocketAsyncEventArgs e)
 {
 bool isRogue = false;
 
- // Filter out the Remote IP addresses which are detected with rogue behavior
- IPAddress ipAddress = ((IPEndPoint)e?.AcceptSocket?.RemoteEndPoint)?.Address;
- if (ipAddress != null && m_rogueClientTracker.IsBlocked(ipAddress))
+ // Track rogue client behavior only if Basic128Rsa15 security policy is offered
+ if (m_rogueClientTracker != null)
 {
- Utils.LogError("OnAccept: RemoteEndpoint address: {0} refused access for behaving as potential rogue ", ((IPEndPoint)e.AcceptSocket.RemoteEndPoint).Address.ToString());
- isRogue = true;
+ // Filter out the Remote IP addresses which are detected with rogue behavior
+ IPAddress ipAddress = ((IPEndPoint)e?.AcceptSocket?.RemoteEndPoint)?.Address;
+ if (ipAddress != null && m_rogueClientTracker.IsBlocked(ipAddress))
+ {
+ Utils.LogError("OnAccept: RemoteEndpoint address: {0} refused access for behaving as potential rogue ", ((IPEndPoint)e.AcceptSocket.RemoteEndPoint).Address.ToString());
+ isRogue = true;
+ }
 }
 
 repeatAccept = false;
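Review bot: Downgrading the `MarkClientAsPotentialRogue` log from `LogError` to `LogInfo` hides the security event a monitoring pipeline would want to alert on — a peer that failed security checks or sent invalid message types — while the refusal in `OnAccept` still logs at error level, so the two halves of the same mechanism are now reported at different severities. Info-level output is commonly filtered out in production, so the first sign of a probing client is lost and only the later block is seen. Keep `Utils.LogError("MarkClientAsPotentialRogue address: {0} ", remoteEndpoint.ToString());` (or a warning level, if `Utils` offers one) so that marking and blocking land in the same log channel. The `?.` on the tracker is correct now that it stays null when no Basic128Rsa15 endpoint is offered.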
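Review bot: Inside the new `if (m_rogueClientTracker != null)` block the refusal log re-derives the address with the unguarded chain `((IPEndPoint)e.AcceptSocket.RemoteEndPoint).Address.ToString()` although `ipAddress`, the null-checked value the decision was made on, is already in hand; logging `ipAddress.ToString()` instead drops a redundant cast and guarantees the logged address is the one that was actually checked. That also leaves `e?.AcceptSocket?.RemoteEndPoint` as the only place the chain is evaluated. The extra nesting level could be avoided by computing `ipAddress` unconditionally and writing `if (m_rogueClientTracker != null && ipAddress != null && m_rogueClientTracker.IsBlocked(ipAddress))`, since the cast is cheap. OnAccept's body continues outside the hunk.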