
/*
* sf_snort_packet.h
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License Version 2 as
* published by the Free Software Foundation. You may not use, modify or
* distribute this program under any other version of the GNU General
* Public License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
* Copyright (C) 2005-2013 Sourcefire, Inc.
*
* Author: Steve Sturges
* Andy Mullican
*
* Date: 5/2005
*
* Sourcefire Black-box Plugin API for rules
*
*/
#ifndef _SF_SNORT_PACKET_H_
#define _SF_SNORT_PACKET_H_
#include <stddef.h> /* offsetof(): PKT_ZERO_LEN below must not rely on a transitive include */
#include <stdint.h> /* uint8_t/uint16_t/uint32_t/uint64_t used throughout this header */
#ifndef WIN32
#include <sys/types.h>
#include <netinet/in.h>
#else
#include <winsock2.h>
#include <windows.h>
#endif
#include <daq.h>
#include <sfbpf_dlt.h>
#include "sf_ip.h"
#include "sf_protocols.h"
#include "preprocids.h"
#define VLAN_HDR_LEN 4 /* sizeof(VlanHeader) below: two 16-bit fields */
/* for vrt backwards compatibility: older rules refer to the DAQ header
 * member of SFSnortPacket as pcap_header rather than pkt_header */
#define pcap_header pkt_header
/* Extra-data log callback. Given the opaque session pointer it hands back a
 * buffer, its length and a type tag through the out-parameters; the meaning
 * of the int return value is not defined in this header. */
typedef int (*LogFunction)(void *ssnptr, uint8_t **buf, uint32_t *len, uint32_t *type);
typedef DAQ_PktHdr_t SFDAQ_PktHdr_t; /* DAQ per-packet header type, aliased for the plugin API */
/* 802.1Q TCI accessors. The field is stored as received from the wire, hence
 * the ntohs() before masking: 3-bit priority, 1-bit CFI, 12-bit VLAN id. */
#define VTH_PRIORITY(vh) ((ntohs((vh)->vth_pri_cfi_vlan) & 0xe000) >> 13)
#define VTH_CFI(vh) ((ntohs((vh)->vth_pri_cfi_vlan) & 0x1000) >> 12)
#define VTH_VLAN(vh) ((uint16_t)(ntohs((vh)->vth_pri_cfi_vlan) & 0x0FFF))
/* 802.1Q VLAN tag as it sits in the frame: the 16-bit TCI (decoded by the
 * VTH_* macros above) followed by the encapsulated EtherType. sizeof is 4,
 * i.e. VLAN_HDR_LEN; do not reorder or pad. */
typedef struct _VlanHeader
{
    uint16_t vth_pri_cfi_vlan; /* priority / CFI / VLAN id, network byte order */
    uint16_t vth_proto; /* protocol field... (EtherType of the encapsulated frame) */
} VlanHeader;
/* NO_NON_ETHER_DECODER, when defined, removes the FDDI/Token-Ring/pflog/SLL/
 * WiFi/EAPOL members from SFSnortPacket further down. That changes
 * sizeof(SFSnortPacket) and the offset of every member after them, so a
 * plugin must use the same setting as the Snort core it is loaded into.
 * Left undefined here. */
/*#define NO_NON_ETHER_DECODER */
#define ETHER_HDR_LEN 14 /* sizeof(EtherHeader): dst(6) + src(6) + type(2) */
/* EtherType values as host-order constants (the wire field is big-endian) */
#define ETHERNET_TYPE_IP 0x0800
#define ETHERNET_TYPE_IPV6 0x86dd
#define ETHERNET_TYPE_8021Q 0x8100
/*
 * Cisco MetaData header: the leading two bytes of the CMD encapsulation.
 * `length` is expressed in 8-byte units, so a decoder must scale it before
 * using it as a byte count, and must check the result against the bytes
 * actually remaining in the packet -- it is attacker-controlled like every
 * other value parsed off the wire.
 */
typedef struct _CiscoMetaHdr
{
    uint8_t version; // This must be 1
    uint8_t length; //This is the header size in bytes / 8
} CiscoMetaHdr;
/*
 * Cisco MetaData header options. One option is 4 bytes: a packed
 * length/type word and the Security Group Tag. Both fields presumably
 * arrive in network byte order (same as the other wire structs here);
 * byte-swap before interpreting them. The "length of 0 = 4" rule means a
 * zero length byte is not an empty option and must not stall a decode loop.
 */
typedef struct _CiscoMetaOpt
{
    uint16_t opt_len_type; /* 3-bit length + 13-bit type. Length of 0 = 4. Type must be 1. */
    uint16_t sgt; /* Can be any value except 0xFFFF */
} CiscoMetaOpt;
/* Ethernet II header, wire layout (14 bytes == ETHER_HDR_LEN). ethernet_type
 * is the raw big-endian EtherType; compare against the ETHERNET_TYPE_*
 * constants only after ntohs(). */
typedef struct _EtherHeader
{
    uint8_t ether_destination[6];
    uint8_t ether_source[6];
    uint16_t ethernet_type;
} EtherHeader;
/* We must twiddle to align the offset the ethernet header and align
 * the IP header on solaris -- maybe this will work on HPUX too.
 * (A 14-byte Ethernet header leaves the IP header 2 bytes short of a 4-byte
 * boundary; on strict-alignment targets the frame is shifted by this many
 * bytes so the IP header can be accessed through IPV4Header*.)
 */
#if defined (SOLARIS) || defined (SUNOS) || defined (__sparc__) || defined(__sparc64__) || defined (HPUX)
#define SUN_SPARC_TWIDDLE 2
#else
#define SUN_SPARC_TWIDDLE 0
#endif
/* Bits of the IPv4 flags/fragment-offset word, given as host-order values
 * (presumably tested against ntohs() of IPV4Header.offset). */
#define IP_RESBIT 0x8000
/* Some platform headers already define IP_DONTFRAG with another meaning;
 * the wire flag value is what is wanted here, so force it. */
#ifdef IP_DONTFRAG
#undef IP_DONTFRAG
#endif
#define IP_DONTFRAG 0x4000
#define IP_MOREFRAGS 0x2000
#ifndef IP_MAXPKT
#define IP_MAXPKT 65535 /* maximum packet size */
#endif /* IP_MAXPKT */
#define IP_HDR_LEN 20 /* sizeof(IPV4Header): the fixed header, options excluded */
/* IPv4 fixed header in wire layout: 1+1+2+2+2+1+1+2+4+4 = 20 bytes, matching
 * IP_HDR_LEN. Multi-byte fields are as received (network byte order). The
 * low nibble of version_headerlength is the header length in 32-bit words
 * (see SET_IP4_HLEN below); data_length and offset come straight from the
 * packet and must be validated against the captured length before use. */
typedef struct _IPV4Header
{
    uint8_t version_headerlength; /* version (high nibble) / IHL (low nibble) */
    uint8_t type_service;
    uint16_t data_length; /* total length field */
    uint16_t identifier;
    uint16_t offset; /* flags (IP_RESBIT/IP_DONTFRAG/IP_MOREFRAGS) + fragment offset */
    uint8_t time_to_live;
    uint8_t proto;
    uint16_t checksum;
    struct in_addr source;
    struct in_addr destination;
} IPV4Header;
#define MAX_LOG_FUNC 32 /* presumably the cap on registered LogFunction callbacks; equals the bit width of SFSnortPacket.xtradata_mask */
#define MAX_IP_OPTIONS 40 /* capacity of SFSnortPacket.ip_options[]; num_ip_options is the live count */
/* ip option codes (the full option-type byte, copy/class/number included) */
#define IPOPTION_EOL 0x00
#define IPOPTION_NOP 0x01
#define IPOPTION_RR 0x07
#define IPOPTION_RTRALT 0x94
#define IPOPTION_TS 0x44
#define IPOPTION_SECURITY 0x82
#define IPOPTION_LSRR 0x83
#define IPOPTION_LSRR_E 0x84
#define IPOPTION_SATID 0x88
#define IPOPTION_SSRR 0x89
/* One decoded IPv4 option. option_data points into the packet buffer (not a
 * copy), and `length` is presumably the value taken from the option's own
 * length byte -- TODO confirm in the decoder. Both therefore originate from
 * the wire: treat `length` as untrusted and bound any read by the bytes that
 * remain in the packet. Reused as-is for TCP options (TCPOptions below). */
typedef struct _IPOptions
{
    uint8_t option_code;
    uint8_t length;
    uint8_t *option_data;
} IPOptions;
#define TCP_HDR_LEN 20 /* sizeof(TCPHeader): the fixed header, options excluded */
/* TCP fixed header in wire layout: 2+2+4+4+1+1+2+2+2 = 20 bytes. The high
 * nibble of offset_reserved is the data offset in 32-bit words (see
 * SET_TCP_HDR_OFFSET below); `flags` holds the TCPHEADER_* bits. Multi-byte
 * fields are as received (network byte order). */
typedef struct _TCPHeader
{
    uint16_t source_port;
    uint16_t destination_port;
    uint32_t sequence;
    uint32_t acknowledgement;
    uint8_t offset_reserved; /* data offset (high nibble) / reserved (low nibble) */
    uint8_t flags;
    uint16_t window;
    uint16_t checksum;
    uint16_t urgent_pointer;
} TCPHeader;
/* Bits of TCPHeader.flags */
#define TCPHEADER_FIN 0x01
#define TCPHEADER_SYN 0x02
#define TCPHEADER_RST 0x04
#define TCPHEADER_PUSH 0x08
#define TCPHEADER_ACK 0x10
#define TCPHEADER_URG 0x20
#define TCPHEADER_ECE 0x40
#define TCPHEADER_CWR 0x80
/* The six classic flags; ECE and CWR are deliberately not part of this mask */
#define TCPHEADER_NORESERVED (TCPHEADER_FIN|TCPHEADER_SYN|TCPHEADER_RST \
|TCPHEADER_PUSH|TCPHEADER_ACK|TCPHEADER_URG)
#define MAX_TCP_OPTIONS 40 /* capacity of SFSnortPacket.tcp_options[]; num_tcp_options is the live count */
/* tcp option codes (option kind byte) */
#define TCPOPT_EOL 0x00
#define TCPOPT_NOP 0x01
#define TCPOPT_MSS 0x02
#define TCPOPT_WSCALE 0x03 /* window scale factor (rfc1072) */
#define TCPOPT_SACKOK 0x04 /* selective ack ok (rfc1072) */
#define TCPOPT_SACK 0x05 /* selective ack (rfc1072) */
#define TCPOPT_ECHO 0x06 /* echo (rfc1072) */
#define TCPOPT_ECHOREPLY 0x07 /* echo (rfc1072) */
#define TCPOPT_TIMESTAMP 0x08 /* timestamps (rfc1323) */
#define TCPOPT_CC 0x11 /* T/TCP CC options (rfc1644) */
#define TCPOPT_CCNEW 0x12 /* T/TCP CC options (rfc1644) */
#define TCPOPT_CCECHO 0x13 /* T/TCP CC options (rfc1644) */
/* TCP options share the IPOptions representation (code, length, pointer into the packet) */
typedef IPOptions TCPOptions;
#define UDP_HDR_LEN 8 /* sizeof(UDPHeader) */
/* UDP header in wire layout (4 x 16-bit, network byte order). data_length is
 * the length field from the datagram itself and must be checked against the
 * bytes actually present before it is used as a bound. */
typedef struct _UDPHeader
{
    uint16_t source_port;
    uint16_t destination_port;
    uint16_t data_length;
    uint16_t checksum;
} UDPHeader;
/* Identifier/sequence pair shared by ICMP echo, timestamp and information
 * messages (bytes 4-7 of the header, network byte order). */
typedef struct _ICMPSequenceID
{
    uint16_t id;
    uint16_t seq;
} ICMPSequenceID;
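/* ICMPv4 header overlaid on the packet: type, code, checksum, then a 4-byte
 * union whose live member depends on `type`, then a second union for what
 * follows. The icmp_* macros are field aliases so callers can write
 * h->icmp_echo_id instead of spelling out the union path.
 *
 * Fix: several aliases named members that do not exist
 * (gateway_waddr, .void, .nextmtu, .ip_header) and could never have compiled;
 * they now point at gateway_addr, voidInfo, next_mtu and ipv4_header.
 *
 * NOTE(review): ipv4_header holds a *pointer* to an IPV4Header, not the
 * embedded header bytes, so unlike its siblings it does not overlay wire data
 * and the size of icmp_data_union follows the pointer size. `data[1]` is the
 * start of the message body; reading past it is only valid for as many bytes
 * as the enclosing packet actually carries (check ip_payload_size). */
typedef struct _ICMPHeader
{
    uint8_t type;
    uint8_t code;
    uint16_t checksum;
    union
    {
        /* type 12 */
        uint8_t parameter_problem_ptr;
        /* type 5 */
        struct in_addr gateway_addr;
        /* type 8, 0 */
        ICMPSequenceID echo;
        /* type 13, 14 */
        ICMPSequenceID timestamp;
        /* type 15, 16 */
        ICMPSequenceID info;
        int voidInfo;
        /* type 3/code=4 (Path MTU, RFC 1191) */
        struct path_mtu
        {
            uint16_t voidInfo;
            uint16_t next_mtu;
        } path_mtu;
        /* type 9 */
        struct router_advertisement
        {
            uint8_t number_addrs;
            uint8_t entry_size;
            uint16_t lifetime;
        } router_advertisement;
    } icmp_header_union;
#define icmp_parameter_ptr icmp_header_union.parameter_problem_ptr
#define icmp_gateway_addr icmp_header_union.gateway_addr
#define icmp_echo_id icmp_header_union.echo.id
#define icmp_echo_seq icmp_header_union.echo.seq
#define icmp_timestamp_id icmp_header_union.timestamp.id
#define icmp_timestamp_seq icmp_header_union.timestamp.seq
#define icmp_info_id icmp_header_union.info.id
#define icmp_info_seq icmp_header_union.info.seq
#define icmp_void icmp_header_union.voidInfo
#define icmp_nextmtu icmp_header_union.path_mtu.next_mtu
#define icmp_ra_num_addrs icmp_header_union.router_advertisement.number_addrs
#define icmp_ra_entry_size icmp_header_union.router_advertisement.entry_size
#define icmp_ra_lifetime icmp_header_union.router_advertisement.lifetime
    union
    {
        /* timestamp */
        struct timestamp
        {
            uint32_t orig;
            uint32_t receive;
            uint32_t transmit;
        } timestamp;
        /* IP header for unreach */
        struct ipv4_header
        {
            IPV4Header *ip;
            /* options and then 64 bits of data */
        } ipv4_header;
        /* Router Advertisement */
        struct router_address
        {
            uint32_t addr;
            uint32_t preference;
        } router_address;
        /* type 17, 18 */
        uint32_t mask;
        char data[1];
    } icmp_data_union;
#define icmp_orig_timestamp icmp_data_union.timestamp.orig
#define icmp_recv_timestamp icmp_data_union.timestamp.receive
#define icmp_xmit_timestamp icmp_data_union.timestamp.transmit
#define icmp_ipheader icmp_data_union.ipv4_header
#define icmp_ra_addr0 icmp_data_union.router_address
#define icmp_mask icmp_data_union.mask
#define icmp_data icmp_data_union.data
} ICMPHeader;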
/* ICMPv4 message types (ICMPHeader.type) */
#define ICMP_ECHO_REPLY 0 /* Echo Reply */
#define ICMP_DEST_UNREACHABLE 3 /* Destination Unreachable */
#define ICMP_SOURCE_QUENCH 4 /* Source Quench */
#define ICMP_REDIRECT 5 /* Redirect (change route) */
#define ICMP_ECHO_REQUEST 8 /* Echo Request */
#define ICMP_ROUTER_ADVERTISEMENT 9 /* Router Advertisement */
#define ICMP_ROUTER_SOLICITATION 10 /* Router Solicitation */
#define ICMP_TIME_EXCEEDED 11 /* Time Exceeded */
#define ICMP_PARAMETER_PROBLEM 12 /* Parameter Problem */
#define ICMP_TIMESTAMP_REQUEST 13 /* Timestamp Request */
#define ICMP_TIMESTAMP_REPLY 14 /* Timestamp Reply */
#define ICMP_INFO_REQUEST 15 /* Information Request */
#define ICMP_INFO_REPLY 16 /* Information Reply */
#define ICMP_ADDRESS_REQUEST 17 /* Address Mask Request */
#define ICMP_ADDRESS_REPLY 18 /* Address Mask Reply */
/* Bits of SFSnortPacket.invalid_flags. INVALID_CHECKSUM_ALL covers only the
 * five checksum bits; INVALID_TTL is separate and is not included in it. */
#define INVALID_CHECKSUM_IP 0x01
#define INVALID_CHECKSUM_TCP 0x02
#define INVALID_CHECKSUM_UDP 0x04
#define INVALID_CHECKSUM_ICMP 0x08
#define INVALID_CHECKSUM_IGMP 0x10
#define INVALID_CHECKSUM_ALL 0x1F
#define INVALID_TTL 0x20
/* One decoded IPv6 extension header: its type and a pointer to where it
 * starts in the packet buffer (not a copy). No length is recorded here, so a
 * consumer must re-derive the header's length from the packet bytes and
 * bound that by what remains in the packet. */
typedef struct _IPv6Extension
{
    uint8_t option_type;
    const uint8_t *option_data;
} IP6Extension;
/* Source/destination address pair in the version-agnostic sfaddr_t form
 * (from sf_ip.h). Pointed to by the decoded IP4Hdr/IP6Hdr views below. */
typedef struct _IPAddresses
{
    sfaddr_t ip_src; /* source IP */
    sfaddr_t ip_dst; /* dest IP */
} IPAddresses;
/* Decoded IPv4 header view. This is NOT the wire layout: where IPV4Header
 * carries the two in_addr fields inline, this struct carries a pointer to an
 * IPAddresses pair instead. The scalar fields are named like the RFC fields;
 * whether they are stored byte-swapped is not established here, so consult
 * the accessor table (IPH_API / ip4) rather than reading them directly. */
typedef struct _IPv4Hdr
{
    uint8_t ip_verhl; /* version & header length */
    uint8_t ip_tos; /* type of service */
    uint16_t ip_len; /* datagram length */
    uint16_t ip_id; /* identification */
    uint16_t ip_off; /* fragment offset */
    uint8_t ip_ttl; /* time to live field */
    uint8_t ip_proto; /* datagram protocol */
    uint16_t ip_csum; /* checksum */
    IPAddresses* ip_addrs; /* IP addresses*/
} IP4Hdr;
/* IPv6 fixed header in wire layout: 4+2+1+1+16+16 = 40 bytes, matching
 * IP6_HEADER_LEN/IP6_HDR_LEN below. Multi-byte fields are as received
 * (network byte order); payload_len comes from the packet and must be
 * checked against the captured length before use as a bound. */
typedef struct _IP6RawHdr
{
    uint32_t vcl; /* version, class, and label */
    uint16_t payload_len; /* length of the payload */
    uint8_t next_header; /* same values as ip4 protocol field + new ip6 values */
    uint8_t hop_limit; /* same usage as ip4 ttl */
    struct in6_addr src_addr;
    struct in6_addr dst_addr;
} IP6RawHdr;
/* Member aliases so BSD-style names (hdr->ip6_hops etc.) work on IP6RawHdr */
#define ip6_vcl vcl
#define ip6_payload_len payload_len
#define ip6_next_header next_header
#define ip6_hop_limit hop_limit
#define ip6_hops hop_limit
/* Decoded IPv6 header view. Like IP4Hdr this is not the wire layout: the
 * two in6_addr fields of IP6RawHdr are replaced by a pointer to an
 * IPAddresses pair. Prefer the IPH_API accessors (ip6) over direct reads. */
typedef struct _IPv6Hdr
{
    uint32_t vcl; /* version, class, and label */
    uint16_t len; /* length of the payload */
    uint8_t next; /* next header
                   * Uses the same flags as
                   * the IPv4 protocol field */
    uint8_t hop_lmt; /* hop limit */
    IPAddresses* ip_addrs; /* IP addresses*/
} IP6Hdr;
/* IPv6 Fragment extension header in wire layout (8 bytes). ip6f_offlg packs
 * the 13-bit fragment offset, 2 reserved bits and the M flag, network byte
 * order. */
typedef struct _IP6FragHdr
{
    uint8_t ip6f_nxt; /* next header */
    uint8_t ip6f_reserved; /* reserved field */
    uint16_t ip6f_offlg; /* offset, reserved, and flag */
    uint32_t ip6f_ident; /* identification */
} IP6FragHdr;
/* ICMPv6 header: only the 4-byte common prefix is modelled; the
 * type-specific body follows it in the packet. */
typedef struct _ICMP6
{
    uint8_t type;
    uint8_t code;
    uint16_t csum;
} ICMP6Hdr;
/* ICMPv6 message types (ICMP6Hdr.type) */
#define ICMP6_UNREACH 1
#define ICMP6_BIG 2
#define ICMP6_TIME 3
#define ICMP6_PARAMS 4
#define ICMP6_ECHO 128
#define ICMP6_REPLY 129
/* sizeof(ICMP6Hdr) == 4 (type, code, csum); the struct has no body member,
 * so this is exactly the minimum bytes needed before `type` can be read. */
#define ICMP6_MIN_HEADER_LEN (sizeof(ICMP6Hdr) )
struct _SFSnortPacket;
/* Accessor table that hides whether a packet's IP layer is v4 or v6: the
 * core installs `ip4` or `ip6` (declared below) into SFSnortPacket.iph_api
 * and callers go through these function pointers instead of touching the
 * ip4h/ip6h views. The orig_* entries presumably read the original (inner)
 * header carried inside an ICMP error message -- confirm against the core.
 * `version` is the table's IP version, presumably IPH_API_V4 / IPH_API_V6. */
typedef struct _IPH_API
{
    sfaddr_t * (*iph_ret_src)(const struct _SFSnortPacket *);
    sfaddr_t * (*iph_ret_dst)(const struct _SFSnortPacket *);
    uint16_t (*iph_ret_tos)(const struct _SFSnortPacket *);
    uint8_t (*iph_ret_ttl)(const struct _SFSnortPacket *);
    uint16_t (*iph_ret_len)(const struct _SFSnortPacket *);
    uint32_t (*iph_ret_id)(const struct _SFSnortPacket *);
    uint8_t (*iph_ret_proto)(const struct _SFSnortPacket *);
    uint16_t (*iph_ret_off)(const struct _SFSnortPacket *);
    uint8_t (*iph_ret_ver)(const struct _SFSnortPacket *);
    uint8_t (*iph_ret_hlen)(const struct _SFSnortPacket *);
    sfaddr_t * (*orig_iph_ret_src)(const struct _SFSnortPacket *);
    sfaddr_t * (*orig_iph_ret_dst)(const struct _SFSnortPacket *);
    uint16_t (*orig_iph_ret_tos)(const struct _SFSnortPacket *);
    uint8_t (*orig_iph_ret_ttl)(const struct _SFSnortPacket *);
    uint16_t (*orig_iph_ret_len)(const struct _SFSnortPacket *);
    uint32_t (*orig_iph_ret_id)(const struct _SFSnortPacket *);
    uint8_t (*orig_iph_ret_proto)(const struct _SFSnortPacket *);
    uint16_t (*orig_iph_ret_off)(const struct _SFSnortPacket *);
    uint8_t (*orig_iph_ret_ver)(const struct _SFSnortPacket *);
    uint8_t (*orig_iph_ret_hlen)(const struct _SFSnortPacket *);
    char version; /* IP version this table serves */
} IPH_API;
/* Kind of a synthesised ("pseudo") packet; only meaningful when
 * SFSnortPacket.flags has FLAG_PSEUDO set (see IsPortscanPacket()). The
 * values are sequential from 0; PSEUDO_PKT_MAX is a count, not a kind. */
typedef enum {
    PSEUDO_PKT_IP,
    PSEUDO_PKT_TCP,
    PSEUDO_PKT_DCE_RPKT,
    PSEUDO_PKT_SMB_SEG,
    PSEUDO_PKT_DCE_SEG,
    PSEUDO_PKT_DCE_FRAG,
    PSEUDO_PKT_SMB_TRANS,
    PSEUDO_PKT_PS,
    PSEUDO_PKT_SDF,
    PSEUDO_PKT_MAX
} PseudoPacketType;
#include "ipv6_port.h"
#define IP6_HEADER_LEN 40 /* sizeof(IP6RawHdr); IP6_HDR_LEN below is the same value under another name */
/* Values of IPH_API.version and of SFSnortPacket.family when an IP layer is present */
#define IPH_API_V4 4
#define IPH_API_V6 6
/* The two accessor tables the core installs into SFSnortPacket.iph_api */
extern IPH_API ip4;
extern IPH_API ip6;
/* Lower-case twin of IPH_IS_VALID (the latter comes from ipv6_port.h above):
 * a packet carries an IP layer iff its family is not NO_IP. NO_IP is defined
 * on the next line; that is fine because macros expand at the point of use. */
#define iph_is_valid(p) ((p)->family != NO_IP)
#define NO_IP 0
#define IP6_HDR_LEN 40
/* One MPLS label-stack entry, stored unpacked (label, experimental bits,
 * bottom-of-stack flag, TTL as separate fields). This is not the 32-bit wire
 * encoding; the raw words are reachable via SFSnortPacket.mpls. */
typedef struct _MplsHdr
{
    uint32_t label;
    uint8_t exp;
    uint8_t bos;
    uint8_t ttl;
} MplsHdr;
/* Decoded HTTP/2 priority information (stream dependency, weight, exclusive
 * flag) as carried in a PRIORITY frame or a HEADERS frame's priority block. */
typedef struct _H2PriSpec
{
    uint32_t stream_id;
    uint32_t weight;
    uint8_t exclusive;
} H2PriSpec;
/* Decoded HTTP/2 frame header (length/type/flags/stream id) plus its priority
 * block. Fields are unpacked host values, not the 9-byte wire encoding. Only
 * present on a packet when SFSnortPacket.h2Hdr is non-NULL. */
typedef struct _H2Hdr
{
    uint32_t length;
    uint32_t stream_id;
    uint8_t type;
    uint8_t flags;
    uint8_t reserved;
    H2PriSpec pri;
} H2Hdr;
#define MAX_PROTO_LAYERS 32 /* capacity of SFSnortPacket.proto_layers[]; next_layer_index is the live count */
/* One entry of the decoded protocol stack: which protocol (PROTO_ID from
 * sf_protocols.h), how many bytes its header occupies, and where it starts
 * in the packet buffer. proto_length is derived from wire data and must be
 * bounded by the packet length before it is trusted. */
typedef struct {
    PROTO_ID proto_id;
    uint16_t proto_length;
    uint8_t* proto_start;
} ProtoLayer;
// for backwards compatibility with VRT .so rules: the session member of
// SFSnortPacket used to be called stream_session_ptr
#define stream_session_ptr stream_session
// forward declaration for snort list management type
struct sfSDList;
// forward declaration for snort expected session created due to this packet.
struct _ExpectNode;
/* The packet object handed to dynamic preprocessors and rules.
 *
 * Layout is shared with the Snort core: do not add, remove or reorder
 * members, and build with the same NO_NON_ETHER_DECODER / DLT_* settings as
 * the core, or every field after the first mismatch is read at the wrong
 * offset. Header members are pointers, presumably into pkt_data or into a
 * reassembled/pseudo buffer rather than copies -- so they are only valid for
 * the duration of the callback that received the packet.
 *
 * Security notes for consumers:
 *  - the count members (num_ip_options, num_tcp_options, num_ip6_extensions,
 *    next_layer_index) are the only valid bounds for ip_options[],
 *    tcp_options[], ip6_extensions and proto_layers[]; the arrays have fixed
 *    capacity (MAX_IP_OPTIONS, MAX_TCP_OPTIONS, MAX_PROTO_LAYERS) and entries
 *    at or past the count are not meaningful;
 *  - payload_size / ip_payload_size / outer_ip_payload_size are the bounds
 *    for payload / ip_payload / outer_ip_payload; length fields inside the
 *    headers themselves (e.g. ip4_header->data_length) come from the wire and
 *    must not be used as buffer bounds on their own.
 */
typedef struct _SFSnortPacket
{
    const SFDAQ_PktHdr_t *pkt_header; /* DAQ per-packet header; legacy name pcap_header (see alias above) */
    const uint8_t *pkt_data; /* raw captured bytes */
    void *ether_arp_header;
    const EtherHeader *ether_header;
    const VlanHeader *vlan_tag_header;
    void *ether_header_llc;
    void *ether_header_other;
    const void *ppp_over_ether_header;
    const void *gre_header;
    uint32_t *mpls; /* raw MPLS label-stack words; decoded copy in mplsHdr below */
    const CiscoMetaHdr *cmdh; /* Cisco Metadata Header */
    const IPV4Header *ip4_header, *orig_ip4_header;
    const IPV4Header *inner_ip4_header;
    const IPV4Header *outer_ip4_header;
    const TCPHeader *tcp_header, *orig_tcp_header;
    const UDPHeader *udp_header, *orig_udp_header;
    const UDPHeader *inner_udph; /* if Teredo + UDP, this will be the inner UDP header */
    const UDPHeader *outer_udph; /* if Teredo + UDP, this will be the outer UDP header */
    const ICMPHeader *icmp_header, *orig_icmp_header;
    const uint8_t *payload; /* bounded by payload_size */
    const uint8_t *ip_payload; /* bounded by ip_payload_size */
    const uint8_t *outer_ip_payload; /* bounded by outer_ip_payload_size */
    void *stream_session; /* opaque stream session handle (legacy name: stream_session_ptr) */
    void *fragmentation_tracking_ptr;
    IP4Hdr *ip4h, *orig_ip4h; /* decoded header views; use iph_api rather than picking v4/v6 by hand */
    IP6Hdr *ip6h, *orig_ip6h;
    ICMP6Hdr *icmp6h, *orig_icmp6h;
    IPH_API* iph_api; /* ip4 or ip6 accessor table for this packet's IP layer */
    IPH_API* orig_iph_api;
    IPH_API* outer_iph_api;
    IPH_API* outer_orig_iph_api;
    int family; /* NO_IP when there is no IP layer (see iph_is_valid) */
    int orig_family;
    int outer_family;
    PreprocEnableMask preprocessor_bit_mask;
    uint64_t flags; /* FLAG_* bits; 64 bits wide because FLAG_PURGE is bit 32 */
    uint32_t xtradata_mask; /* one bit per extra-data id, set via SetExtraData() */
    uint16_t proto_bits; /* PROTO_BIT__* */
    uint16_t payload_size;
    uint16_t ip_payload_size;
    uint16_t normalized_payload_size;
    uint16_t actual_ip_length;
    uint16_t outer_ip_payload_size;
    uint16_t ip_fragment_offset;
    uint16_t ip_frag_length;
    uint16_t ip4_options_length; /* byte length of the raw options at ip4_options_data */
    uint16_t tcp_options_length; /* byte length of the raw options at tcp_options_data */
    uint16_t src_port;
    uint16_t dst_port;
    uint16_t orig_src_port;
    uint16_t orig_dst_port;
    int16_t application_protocol_ordinal; /* SFTARGET_UNKNOWN_PROTOCOL when not identified */
    uint8_t ip_fragmented;
    uint8_t ip_more_fragments;
    uint8_t ip_dont_fragment;
    uint8_t ip_reserved;
    uint8_t num_ip_options; /* live entries in ip_options[] */
    uint8_t num_tcp_options; /* live entries in tcp_options[] */
    uint8_t num_ip6_extensions; /* live entries at ip6_extensions */
    uint8_t ip6_frag_extension;
    uint8_t invalid_flags; /* INVALID_CHECKSUM_* / INVALID_TTL */
    uint8_t encapsulated;
    uint8_t GTPencapsulated;
    uint8_t next_layer_index; /* live entries in proto_layers[] */
    /* The following members exist only when the core was built without
     * NO_NON_ETHER_DECODER; DLT_LINUX_SLL / DLT_IEEE802_11 come from
     * sfbpf_dlt.h and likewise change the layout. */
#ifndef NO_NON_ETHER_DECODER
    const void *fddi_header;
    void *fddi_saps;
    void *fddi_sna;
    void *fddi_iparp;
    void *fddi_other;
    const void *tokenring_header;
    void *tokenring_header_llc;
    void *tokenring_header_mr;
    void *pflog1_header;
    void *pflog2_header;
    void *pflog3_header;
    void *pflog4_header;
#ifdef DLT_LINUX_SLL
    const void *sll_header;
#endif
#ifdef DLT_IEEE802_11
    const void *wifi_header;
#endif
    const void *ether_eapol_header;
    const void *eapol_headear; /* sic -- the misspelling is part of the plugin ABI and must stay */
    const uint8_t *eapol_type;
    void *eapol_key;
#endif
    IPOptions ip_options[MAX_IP_OPTIONS]; /* only [0, num_ip_options) are valid */
    TCPOptions tcp_options[MAX_TCP_OPTIONS]; /* only [0, num_tcp_options) are valid */
    IP6Extension *ip6_extensions; /* num_ip6_extensions entries */
    CiscoMetaOpt *cmd_options; /* Cisco Metadata header options */
    const uint8_t *ip_frag_start;
    const uint8_t *ip4_options_data;
    const uint8_t *tcp_options_data;
    const IP6RawHdr* raw_ip6_header;
    ProtoLayer proto_layers[MAX_PROTO_LAYERS]; /* only [0, next_layer_index) are valid */
    IPAddresses inner_ips, inner_orig_ips;
    IP4Hdr inner_ip4h, inner_orig_ip4h;
    IP6Hdr inner_ip6h, inner_orig_ip6h;
    IPAddresses outer_ips, outer_orig_ips;
    IP4Hdr outer_ip4h, outer_orig_ip4h;
    IP6Hdr outer_ip6h, outer_orig_ip6h;
    MplsHdr mplsHdr;
    H2Hdr *h2Hdr; /* NULL unless an HTTP/2 frame header was decoded */
    PseudoPacketType pseudo_type; /* meaningful only with FLAG_PSEUDO set */
    uint16_t max_payload;
    /**policyId provided in configuration file. Used for correlating configuration
     * with event output
     */
    uint16_t configPolicyId;
    uint32_t iplist_id;
    unsigned char iprep_layer;
    uint8_t ps_proto; /* Used for portscan and unified2 logging */
    uint8_t ips_os_selected;
    void *cur_pp;
    // Expected session created due to this packet.
    struct _ExpectNode* expectedSession;
} SFSnortPacket;
/* Layer selectors (the OUTTER spelling is part of the API and stays) */
#define IP_INNER_LAYER 1
#define IP_OUTTER_LAYER 0
/* Byte count from the start of SFSnortPacket up to ip_options -- presumably
 * the prefix that is zeroed when a packet object is reset, leaving the large
 * option/layer arrays untouched. Needs offsetof() from <stddef.h>. */
#define PKT_ZERO_LEN offsetof(SFSnortPacket, ip_options)
/* Bits of SFSnortPacket.proto_bits */
#define PROTO_BIT__IP 0x0001
#define PROTO_BIT__ARP 0x0002
#define PROTO_BIT__TCP 0x0004
#define PROTO_BIT__UDP 0x0008
#define PROTO_BIT__ICMP 0x0010
#define PROTO_BIT__TEREDO 0x0020
#define PROTO_BIT__ALL 0xffff
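/* Layer presence tests on an SFSnortPacket*. IsIP() defers to IPH_IS_VALID()
 * (presumably from ipv6_port.h, included above); the transport tests
 * additionally require the matching header pointer to be non-NULL.
 * The parameter is parenthesised so that an expression argument such as
 * IsTCP(pkts + i) or IsTCP(cond ? a : b) expands correctly instead of
 * binding `->` to only part of it. */
#define IsIP(p) (IPH_IS_VALID(p))
#define IsTCP(p) (IsIP(p) && (p)->tcp_header)
#define IsUDP(p) (IsIP(p) && (p)->udp_header)
#define IsICMP(p) (IsIP(p) && (p)->icmp_header)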
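/* Writers for the packed nibble fields of IPV4Header.version_headerlength
 * (version in the high nibble, IHL in the low nibble) and of
 * TCPHeader.offset_reserved (data offset in the high nibble). Each keeps the
 * other nibble intact and stores only the low 4 bits of `value`.
 * `value` is parenthesised and masked before shifting: with the previous
 * text, SET_IP4_VER(h, c ? 6 : 4) expanded to `c ? 6 : 4 << 4` and stored
 * an unshifted version, and a large `value` could overflow the int shift. */
#define SET_IP4_VER(ip_header, value) \
((ip_header)->version_headerlength = \
(unsigned char)(((ip_header)->version_headerlength & 0x0f) | (((value) & 0x0f) << 4)))
#define SET_IP4_HLEN(ip_header, value) \
((ip_header)->version_headerlength = \
(unsigned char)(((ip_header)->version_headerlength & 0xf0) | ((value) & 0x0f)))
#define SET_TCP_HDR_OFFSET(tcp_header, value) \
((tcp_header)->offset_reserved = \
(unsigned char)(((tcp_header)->offset_reserved & 0x0f) | (((value) & 0x0f) << 4)))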
#define BIT(i) (0x1 << (i-1))
/* beware: some flags are redefined in dynamic-plugins/sf_dynamic_define.h! */
/* Bits of SFSnortPacket.flags (uint64_t). FLAG_PURGE is bit 32, so the mask
 * must never be copied through a 32-bit variable. */
#define FLAG_REBUILT_FRAG 0x00000001 /* is a rebuilt fragment */
#define FLAG_REBUILT_STREAM 0x00000002 /* is a rebuilt stream */
#define FLAG_STREAM_UNEST_UNI 0x00000004 /* is from an unestablished stream and
 * we've only seen traffic in one direction */
#define FLAG_STREAM_EST 0x00000008 /* is from an established stream */
#define FLAG_STREAM_INSERT 0x00000010 /* this packet has been queued for stream reassembly */
#define FLAG_STREAM_TWH 0x00000020 /* packet completes the 3-way handshake */
#define FLAG_FROM_SERVER 0x00000040 /* this packet came from the server
 side of a connection (TCP) */
#define FLAG_FROM_CLIENT 0x00000080 /* this packet came from the client
 side of a connection (TCP) */
#define FLAG_PDU_HEAD 0x00000100 /* start of PDU */
#define FLAG_PDU_TAIL 0x00000200 /* end of PDU */
#define FLAG_UNSURE_ENCAP 0x00000400 /* packet may have incorrect encapsulation layer. */
/* don't alert if "next layer" is invalid. */
#define FLAG_HTTP_DECODE 0x00000800 /* this packet has normalized http */
#define FLAG_IGNORE_PORT 0x00001000 /* this packet should be ignored, based on port */
#define FLAG_NO_DETECT 0x00002000 /* this packet should not be preprocessed */
#define FLAG_ALLOW_MULTIPLE_DETECT 0x00004000 /* packet has either pipelined mime attachments */
/* or pipelined http requests */
#define FLAG_PAYLOAD_OBFUSCATE 0x00008000 /* payload must be obfuscated before it is logged */
#define FLAG_STATELESS 0x00010000 /* Packet has matched a stateless rule */
#define FLAG_PASS_RULE 0x00020000 /* this packet has matched a pass rule */
#define FLAG_IP_RULE 0x00040000 /* this packet is being evaluated against an IP rule */
#define FLAG_IP_RULE_2ND 0x00080000 /* this packet is being evaluated against an IP rule */
#define FLAG_LOGGED 0x00100000 /* this packet has been logged */
#define FLAG_PSEUDO 0x00200000 /* is a pseudo packet (see PseudoPacketType / pseudo_type) */
#define FLAG_MODIFIED 0x00400000 /* packet had normalizations, etc. */
#ifdef NORMALIZER
#define FLAG_RESIZED 0x00800000 /* packet has new size; must set modified too */
#endif
/* neither of these flags will be set for (full) retransmissions or non-data segments */
/* a partial overlap results in out of sequence condition */
/* out of sequence condition is sticky */
#define FLAG_STREAM_ORDER_OK 0x01000000 /* this segment is in order, w/o gaps */
#define FLAG_STREAM_ORDER_BAD 0x02000000 /* this stream had at least one gap */
#define FLAG_REASSEMBLED_OLD 0x04000000 /* for backwards compat with so rules */
#define FLAG_IPREP_SOURCE_TRIGGERED 0x08000000
#define FLAG_IPREP_DATA_SET 0x10000000
#define FLAG_FILE_EVENT_SET 0x20000000
#define FLAG_EARLY_REASSEMBLY 0x40000000 /* this packet, part of the expected stream, should have stream reassembly set */
#define FLAG_RETRANSMIT 0x80000000 /* this packet is identified as a re-transmitted one */
#define FLAG_PURGE 0x0100000000 /* Stream will not flush the data (bit 32: requires the 64-bit flags field) */
#define FLAG_PDU_FULL (FLAG_PDU_HEAD | FLAG_PDU_TAIL)
#define REASSEMBLED_PACKET_FLAGS (FLAG_REBUILT_STREAM|FLAG_REASSEMBLED_OLD)
/* Sentinel for SFSnortPacket.application_protocol_ordinal (int16_t) */
#define SFTARGET_UNKNOWN_PROTOCOL -1
/* Returns 1 when the packet is a pseudo packet synthesised by Snort
 * (FLAG_PSEUDO set), 0 when it is a packet as captured. */
static inline int PacketWasCooked(const SFSnortPacket* p)
{
    const uint64_t cooked = p->flags & FLAG_PSEUDO;
    return cooked ? 1 : 0;
}
/* Returns non-zero when the packet is a pseudo packet of the portscan kind.
 * pseudo_type is only consulted after FLAG_PSEUDO has been confirmed, since
 * the field is not meaningful on real packets. */
static inline int IsPortscanPacket(const SFSnortPacket *p)
{
    if (!(p->flags & FLAG_PSEUDO))
        return 0;
    return p->pseudo_type == PSEUDO_PKT_PS;
}
/* Protocol number to report for an event on this packet: the portscan
 * pseudo-packet's recorded protocol, else the IP protocol field when an IP
 * layer is present, else 0. */
static inline uint8_t GetEventProto(const SFSnortPacket *p)
{
    uint8_t proto = 0;
    if (IsPortscanPacket(p))
        proto = p->ps_proto;
    else if (IPH_IS_VALID(p))
        proto = GET_IPH_PROTO(p);
    return proto;
}
/* Non-zero when the packet carries a whole PDU, i.e. both the PDU-head and
 * PDU-tail flags are set. */
static inline int PacketHasFullPDU (const SFSnortPacket* p)
{
    const int has_head = (p->flags & FLAG_PDU_HEAD) != 0;
    const int has_tail = (p->flags & FLAG_PDU_TAIL) != 0;
    return has_head && has_tail;
}
/* Non-zero when the packet begins a PDU (FLAG_PDU_HEAD). */
static inline int PacketHasStartOfPDU (const SFSnortPacket* p)
{
    return (p->flags & FLAG_PDU_HEAD) ? 1 : 0;
}
/* Non-zero when the payload was produced by stream reassembly / PAF: either
 * the packet is a rebuilt stream or it ends a PDU. */
static inline int PacketHasPAFPayload (const SFSnortPacket* p)
{
    const uint64_t wanted = FLAG_REBUILT_STREAM | FLAG_PDU_TAIL;
    return (p->flags & wanted) != 0;
}
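/* Mark extra-data id `xid` (1-based, as for BIT()) on the packet's
 * xtradata_mask. Ids outside 1..32 are ignored: the mask is 32 bits wide, and
 * shifting by xid - 1 for xid == 0 (which wraps to a huge count) or xid > 32
 * is undefined behaviour in C, so such ids are dropped rather than allowed to
 * corrupt the mask. The shift is done on an unsigned 32-bit value so that
 * xid == 32 is well defined. */
static inline void SetExtraData (SFSnortPacket* p, uint32_t xid)
{
    if (xid == 0 || xid > 8u * sizeof(p->xtradata_mask))
        return;
    p->xtradata_mask |= (uint32_t)1u << (xid - 1);
}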
#endif /* _SF_SNORT_PACKET_H_ */