Snort_AIPreproc/include/sf_protocols.h

/* $Id$ */
/****************************************************************************
 *
 * Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
 * Copyright (C) 2005-2013 Sourcefire, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
 * published by the Free Software Foundation.  You may not use, modify or
 * distribute this program under any other version of the GNU General
 * Public License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 *
 ****************************************************************************/

#ifndef __SF_PROTOCOLS_H__
#define __SF_PROTOCOLS_H__

typedef uint8_t IpProto;

typedef enum {
    PROTO_ETH,        /* DecodeEthPkt */
    PROTO_FPATH,      /* FabricPath - handled by DecodeEthPkt */
    PROTO_CISCO_META, /* Cisco Metadata - handled by DecodeEthPkt */

    PROTO_IP4,        /* DecodeIP */
                      /* DecodeIPOptions - handled with IP4 */
    PROTO_ICMP4,      /* DecodeICMP */
    PROTO_ICMP_IP4,   /* DecodeICMPEmbeddedIP */

    PROTO_UDP,        /* DecodeUDP */
    PROTO_TCP,        /* DecodeTCP */
                      /* DecodeTCPOptions - handled with TCP */

    PROTO_IP6,        /* DecodeIPV6 */
                      /* DecodeIPV6Extensions - nothing to do here, calls below */
    PROTO_IP6_HOP_OPTS,  /* DecodeIPV6Options - ip6 hop, dst, rte, and frag exts */
    PROTO_IP6_DST_OPTS,
    PROTO_ICMP6,      /* DecodeICMP6 */
    PROTO_ICMP_IP6,   /* DecodeICMPEmbeddedIP6 */
    PROTO_VLAN,       /* DecodeVlan */
#ifdef GRE
    PROTO_GRE,        /* DecodeGRE */
                      /* DecodeTransBridging - basically same as DecodeEthPkt */
    PROTO_ERSPAN,     /* DecodeERSPANType2 and DecodeERSPANType3 */
#endif
    PROTO_PPPOE,      /* DecodePPPoEPkt */
    PROTO_PPP_ENCAP,  /* DecodePppPktEncapsulated */
    PROTO_MPLS,       /* DecodeMPLS - decoder changes pkth len/caplen! */
                      /* DecodeEthOverMPLS - basically same as straight eth */
    PROTO_ARP,        /* DecodeARP */
    PROTO_GTP,        /* DecodeGTP */
    PROTO_AH,         /* DecodeAH - Authentication Header (IPSec stuff) */

#ifndef NO_NON_ETHER_DECODER
    PROTO_TR,         /* DecodeTRPkt */
    PROTO_FDDI,       /* DecodeFDDIPkt */
    PROTO_LSLL,       /* DecodeLinuxSLLPkt sockaddr_ll for "any" device and  */
                      /* certain misbehaving link layer encapsulations */
    PROTO_80211,      /* DecodeIEEE80211Pkt */
    PROTO_SLIP,       /* DecodeSlipPkt - actually, based on header size, this */
                      /* must be CSLIP (TCP/IP header compression) but all it */
                      /* does is skip over the presumed header w/o expanding */
                      /* and then jumps into IP4 decoding only; also, the actual */
                      /* esc/end sequences must already have been removed because */
                      /* there is no attempt to do that. */
    PROTO_L2I4,       /* DecodeI4LRawIPPkt - always skips 2 bytes and then does */
                      /* IP4 decoding only */
    PROTO_L2I4C,      /* DecodeI4LCiscoIPPkt -always skips 4 bytes and then does */
                      /* IP4 decoding only */
    PROTO_CHDLC,      /* DecodeChdlcPkt - skips 4 bytes and decodes IP4 only. */
    PROTO_PFLOG,      /* DecodePflog */
    PROTO_OLD_PFLOG,  /* DecodeOldPflog */
    PROTO_PPP,        /* DecodePppPkt - weird - optionally skips addr and cntl */
                      /* bytes; what about flag and protocol? */
                      /* calls only DecodePppPktEncapsulated. */
    PROTO_PPP_SERIAL, /* DecodePppSerialPkt - also weird - requires addr, cntl, */
                      /* and proto (no flag) but optionally skips only 2 bytes */
                      /* (presumably the trailer w/chksum is already stripped) */
                      /* Calls either DecodePppPktEncapsulated or DecodeChdlcPkt. */
    PROTO_ENC,        /* DecodeEncPkt - skips 12 bytes and decodes IP4 only. */
                      /* (add family + "spi" + "flags" - don't know what this is) */
    PROTO_EAP,        /* DecodeEAP */
    PROTO_EAPOL,      /* DecodeEapol - leaf decoder */
    PROTO_EAPOL_KEY,  /* DecodeEapolKey - leaf decoder */
#endif /* NO_NON_ETHER_DECODER */

    PROTO_MAX
} PROTO_ID;

                      /* DecodeIPX - just counts; no decoding */
                      /* DecodeEthLoopback - same as ipx */
                      /* DecodeRawPkt - jumps straight into IP4 decoding */
                      /* there is nothing to do */
                      /* DecodeNullPkt - same as DecodeRawPkt */

typedef struct {
    PROTO_ID proto;
    uint16_t length;
    uint8_t* start;
} Layer;

#endif /* __PROTOCOLS_H__ */
upgrade to ubuntu 16.04, snort 2.9.9.0, but bugs to be fixed 2017-05-01 14:41:55 +02:00			`/* $Id$ */`
			`/****************************************************************************`
			`*`
			`* Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.`
			`* Copyright (C) 2005-2013 Sourcefire, Inc.`
			`*`
			`* This program is free software; you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License Version 2 as`
			`* published by the Free Software Foundation. You may not use, modify or`
			`* distribute this program under any other version of the GNU General`
			`* Public License.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
			`* along with this program; if not, write to the Free Software`
			`* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.`
			`*`
			`****************************************************************************/`

			`#ifndef __SF_PROTOCOLS_H__`
			`#define __SF_PROTOCOLS_H__`

			`typedef uint8_t IpProto;`

			`typedef enum {`
			`PROTO_ETH, /* DecodeEthPkt */`
			`PROTO_FPATH, /* FabricPath - handled by DecodeEthPkt */`
			`PROTO_CISCO_META, /* Cisco Metadata - handled by DecodeEthPkt */`

			`PROTO_IP4, /* DecodeIP */`
			`/* DecodeIPOptions - handled with IP4 */`
			`PROTO_ICMP4, /* DecodeICMP */`
			`PROTO_ICMP_IP4, /* DecodeICMPEmbeddedIP */`

			`PROTO_UDP, /* DecodeUDP */`
			`PROTO_TCP, /* DecodeTCP */`
			`/* DecodeTCPOptions - handled with TCP */`

			`PROTO_IP6, /* DecodeIPV6 */`
			`/* DecodeIPV6Extensions - nothing to do here, calls below */`
			`PROTO_IP6_HOP_OPTS, /* DecodeIPV6Options - ip6 hop, dst, rte, and frag exts */`
			`PROTO_IP6_DST_OPTS,`
			`PROTO_ICMP6, /* DecodeICMP6 */`
			`PROTO_ICMP_IP6, /* DecodeICMPEmbeddedIP6 */`
			`PROTO_VLAN, /* DecodeVlan */`
			`#ifdef GRE`
			`PROTO_GRE, /* DecodeGRE */`
			`/* DecodeTransBridging - basically same as DecodeEthPkt */`
			`PROTO_ERSPAN, /* DecodeERSPANType2 and DecodeERSPANType3 */`
			`#endif`
			`PROTO_PPPOE, /* DecodePPPoEPkt */`
			`PROTO_PPP_ENCAP, /* DecodePppPktEncapsulated */`
			`PROTO_MPLS, /* DecodeMPLS - decoder changes pkth len/caplen! */`
			`/* DecodeEthOverMPLS - basically same as straight eth */`
			`PROTO_ARP, /* DecodeARP */`
			`PROTO_GTP, /* DecodeGTP */`
			`PROTO_AH, /* DecodeAH - Authentication Header (IPSec stuff) */`

			`#ifndef NO_NON_ETHER_DECODER`
			`PROTO_TR, /* DecodeTRPkt */`
			`PROTO_FDDI, /* DecodeFDDIPkt */`
			`PROTO_LSLL, /* DecodeLinuxSLLPkt sockaddr_ll for "any" device and */`
			`/* certain misbehaving link layer encapsulations */`
			`PROTO_80211, /* DecodeIEEE80211Pkt */`
			`PROTO_SLIP, /* DecodeSlipPkt - actually, based on header size, this */`
			`/* must be CSLIP (TCP/IP header compression) but all it */`
			`/* does is skip over the presumed header w/o expanding */`
			`/* and then jumps into IP4 decoding only; also, the actual */`
			`/* esc/end sequences must already have been removed because */`
			`/* there is no attempt to do that. */`
			`PROTO_L2I4, /* DecodeI4LRawIPPkt - always skips 2 bytes and then does */`
			`/* IP4 decoding only */`
			`PROTO_L2I4C, /* DecodeI4LCiscoIPPkt -always skips 4 bytes and then does */`
			`/* IP4 decoding only */`
			`PROTO_CHDLC, /* DecodeChdlcPkt - skips 4 bytes and decodes IP4 only. */`
			`PROTO_PFLOG, /* DecodePflog */`
			`PROTO_OLD_PFLOG, /* DecodeOldPflog */`
			`PROTO_PPP, /* DecodePppPkt - weird - optionally skips addr and cntl */`
			`/* bytes; what about flag and protocol? */`
			`/* calls only DecodePppPktEncapsulated. */`
			`PROTO_PPP_SERIAL, /* DecodePppSerialPkt - also weird - requires addr, cntl, */`
			`/* and proto (no flag) but optionally skips only 2 bytes */`
			`/* (presumably the trailer w/chksum is already stripped) */`
			`/* Calls either DecodePppPktEncapsulated or DecodeChdlcPkt. */`
			`PROTO_ENC, /* DecodeEncPkt - skips 12 bytes and decodes IP4 only. */`
			`/* (add family + "spi" + "flags" - don't know what this is) */`
			`PROTO_EAP, /* DecodeEAP */`
			`PROTO_EAPOL, /* DecodeEapol - leaf decoder */`
			`PROTO_EAPOL_KEY, /* DecodeEapolKey - leaf decoder */`
			`#endif /* NO_NON_ETHER_DECODER */`

			`PROTO_MAX`
			`} PROTO_ID;`

			`/* DecodeIPX - just counts; no decoding */`
			`/* DecodeEthLoopback - same as ipx */`
			`/* DecodeRawPkt - jumps straight into IP4 decoding */`
			`/* there is nothing to do */`
			`/* DecodeNullPkt - same as DecodeRawPkt */`

			`typedef struct {`
			`PROTO_ID proto;`
			`uint16_t length;`
			`uint8_t* start;`
			`} Layer;`

			`#endif /* __PROTOCOLS_H__ */`