802 lines
24 KiB
C
Executable File
802 lines
24 KiB
C
Executable File
/*
|
|
* sf_snort_packet.h
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License Version 2 as
|
|
* published by the Free Software Foundation. You may not use, modify or
|
|
* distribute this program under any other version of the GNU General
|
|
* Public License.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
*
|
|
* Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
|
|
* Copyright (C) 2005-2013 Sourcefire, Inc.
|
|
*
|
|
* Author: Steve Sturges
|
|
* Andy Mullican
|
|
*
|
|
* Date: 5/2005
|
|
*
|
|
* Sourcefire Black-box Plugin API for rules
|
|
*
|
|
*/
|
|
|
|
#ifndef _SF_SNORT_PACKET_H_
|
|
#define _SF_SNORT_PACKET_H_
|
|
|
|
#ifndef WIN32
|
|
#include <sys/types.h>
|
|
#include <netinet/in.h>
|
|
#else
|
|
#include <winsock2.h>
|
|
#include <windows.h>
|
|
#endif
|
|
|
|
#include <daq.h>
|
|
#include <sfbpf_dlt.h>
|
|
|
|
#include "sf_ip.h"
|
|
#include "sf_protocols.h"
|
|
#include "preprocids.h"
|
|
|
|
#define VLAN_HDR_LEN 4
|
|
|
|
/* for vrt backwards compatibility */
|
|
#define pcap_header pkt_header
|
|
|
|
typedef int (*LogFunction)(void *ssnptr, uint8_t **buf, uint32_t *len, uint32_t *type);
|
|
|
|
typedef DAQ_PktHdr_t SFDAQ_PktHdr_t;
|
|
|
|
#define VTH_PRIORITY(vh) ((ntohs((vh)->vth_pri_cfi_vlan) & 0xe000) >> 13)
|
|
#define VTH_CFI(vh) ((ntohs((vh)->vth_pri_cfi_vlan) & 0x1000) >> 12)
|
|
#define VTH_VLAN(vh) ((uint16_t)(ntohs((vh)->vth_pri_cfi_vlan) & 0x0FFF))
|
|
|
|
typedef struct _VlanHeader
|
|
{
|
|
uint16_t vth_pri_cfi_vlan;
|
|
uint16_t vth_proto; /* protocol field... */
|
|
|
|
} VlanHeader;
|
|
|
|
/*#define NO_NON_ETHER_DECODER */
|
|
#define ETHER_HDR_LEN 14
|
|
#define ETHERNET_TYPE_IP 0x0800
|
|
#define ETHERNET_TYPE_IPV6 0x86dd
|
|
#define ETHERNET_TYPE_8021Q 0x8100
|
|
/*
|
|
* Cisco MetaData header
|
|
*/
|
|
|
|
typedef struct _CiscoMetaHdr
|
|
{
|
|
uint8_t version; // This must be 1
|
|
uint8_t length; //This is the header size in bytes / 8
|
|
} CiscoMetaHdr;
|
|
|
|
/*
|
|
* Cisco MetaData header options
|
|
*/
|
|
|
|
typedef struct _CiscoMetaOpt
|
|
{
|
|
uint16_t opt_len_type; /* 3-bit length + 13-bit type. Length of 0 = 4. Type must be 1. */
|
|
uint16_t sgt; /* Can be any value except 0xFFFF */
|
|
} CiscoMetaOpt;
|
|
|
|
|
|
typedef struct _EtherHeader
|
|
{
|
|
uint8_t ether_destination[6];
|
|
uint8_t ether_source[6];
|
|
uint16_t ethernet_type;
|
|
|
|
} EtherHeader;
|
|
|
|
/* We must twiddle to align the offset the ethernet header and align
|
|
* the IP header on solaris -- maybe this will work on HPUX too.
|
|
*/
|
|
#if defined (SOLARIS) || defined (SUNOS) || defined (__sparc__) || defined(__sparc64__) || defined (HPUX)
|
|
#define SUN_SPARC_TWIDDLE 2
|
|
#else
|
|
#define SUN_SPARC_TWIDDLE 0
|
|
#endif
|
|
|
|
#define IP_RESBIT 0x8000
|
|
#ifdef IP_DONTFRAG
|
|
#undef IP_DONTFRAG
|
|
#endif
|
|
#define IP_DONTFRAG 0x4000
|
|
#define IP_MOREFRAGS 0x2000
|
|
|
|
#ifndef IP_MAXPKT
|
|
#define IP_MAXPKT 65535 /* maximum packet size */
|
|
#endif /* IP_MAXPACKET */
|
|
|
|
#define IP_HDR_LEN 20
|
|
|
|
typedef struct _IPV4Header
|
|
{
|
|
uint8_t version_headerlength;
|
|
uint8_t type_service;
|
|
uint16_t data_length;
|
|
uint16_t identifier;
|
|
uint16_t offset;
|
|
uint8_t time_to_live;
|
|
uint8_t proto;
|
|
uint16_t checksum;
|
|
struct in_addr source;
|
|
struct in_addr destination;
|
|
} IPV4Header;
|
|
|
|
#define MAX_LOG_FUNC 32
|
|
#define MAX_IP_OPTIONS 40
|
|
|
|
/* ip option codes */
|
|
#define IPOPTION_EOL 0x00
|
|
#define IPOPTION_NOP 0x01
|
|
#define IPOPTION_RR 0x07
|
|
#define IPOPTION_RTRALT 0x94
|
|
#define IPOPTION_TS 0x44
|
|
#define IPOPTION_SECURITY 0x82
|
|
#define IPOPTION_LSRR 0x83
|
|
#define IPOPTION_LSRR_E 0x84
|
|
#define IPOPTION_SATID 0x88
|
|
#define IPOPTION_SSRR 0x89
|
|
|
|
typedef struct _IPOptions
|
|
{
|
|
uint8_t option_code;
|
|
uint8_t length;
|
|
uint8_t *option_data;
|
|
} IPOptions;
|
|
|
|
|
|
#define TCP_HDR_LEN 20
|
|
|
|
typedef struct _TCPHeader
|
|
{
|
|
uint16_t source_port;
|
|
uint16_t destination_port;
|
|
uint32_t sequence;
|
|
uint32_t acknowledgement;
|
|
uint8_t offset_reserved;
|
|
uint8_t flags;
|
|
uint16_t window;
|
|
uint16_t checksum;
|
|
uint16_t urgent_pointer;
|
|
} TCPHeader;
|
|
|
|
#define TCPHEADER_FIN 0x01
|
|
#define TCPHEADER_SYN 0x02
|
|
#define TCPHEADER_RST 0x04
|
|
#define TCPHEADER_PUSH 0x08
|
|
#define TCPHEADER_ACK 0x10
|
|
#define TCPHEADER_URG 0x20
|
|
#define TCPHEADER_ECE 0x40
|
|
#define TCPHEADER_CWR 0x80
|
|
#define TCPHEADER_NORESERVED (TCPHEADER_FIN|TCPHEADER_SYN|TCPHEADER_RST \
|
|
|TCPHEADER_PUSH|TCPHEADER_ACK|TCPHEADER_URG)
|
|
|
|
#define MAX_TCP_OPTIONS 40
|
|
/* tcp option codes */
|
|
#define TCPOPT_EOL 0x00
|
|
#define TCPOPT_NOP 0x01
|
|
#define TCPOPT_MSS 0x02
|
|
#define TCPOPT_WSCALE 0x03 /* window scale factor (rfc1072) */
|
|
#define TCPOPT_SACKOK 0x04 /* selective ack ok (rfc1072) */
|
|
#define TCPOPT_SACK 0x05 /* selective ack (rfc1072) */
|
|
#define TCPOPT_ECHO 0x06 /* echo (rfc1072) */
|
|
#define TCPOPT_ECHOREPLY 0x07 /* echo (rfc1072) */
|
|
#define TCPOPT_TIMESTAMP 0x08 /* timestamps (rfc1323) */
|
|
#define TCPOPT_CC 0x11 /* T/TCP CC options (rfc1644) */
|
|
#define TCPOPT_CCNEW 0x12 /* T/TCP CC options (rfc1644) */
|
|
#define TCPOPT_CCECHO 0x13 /* T/TCP CC options (rfc1644) */
|
|
|
|
typedef IPOptions TCPOptions;
|
|
|
|
#define UDP_HDR_LEN 8
|
|
|
|
typedef struct _UDPHeader
|
|
{
|
|
uint16_t source_port;
|
|
uint16_t destination_port;
|
|
uint16_t data_length;
|
|
uint16_t checksum;
|
|
} UDPHeader;
|
|
|
|
typedef struct _ICMPSequenceID
|
|
{
|
|
uint16_t id;
|
|
uint16_t seq;
|
|
} ICMPSequenceID;
|
|
|
|
typedef struct _ICMPHeader
|
|
{
|
|
uint8_t type;
|
|
uint8_t code;
|
|
uint16_t checksum;
|
|
|
|
union
|
|
{
|
|
/* type 12 */
|
|
uint8_t parameter_problem_ptr;
|
|
|
|
/* type 5 */
|
|
struct in_addr gateway_addr;
|
|
|
|
/* type 8, 0 */
|
|
ICMPSequenceID echo;
|
|
|
|
/* type 13, 14 */
|
|
ICMPSequenceID timestamp;
|
|
|
|
/* type 15, 16 */
|
|
ICMPSequenceID info;
|
|
|
|
int voidInfo;
|
|
|
|
/* type 3/code=4 (Path MTU, RFC 1191) */
|
|
struct path_mtu
|
|
{
|
|
uint16_t voidInfo;
|
|
uint16_t next_mtu;
|
|
} path_mtu;
|
|
|
|
/* type 9 */
|
|
struct router_advertisement
|
|
{
|
|
uint8_t number_addrs;
|
|
uint8_t entry_size;
|
|
uint16_t lifetime;
|
|
} router_advertisement;
|
|
} icmp_header_union;
|
|
|
|
#define icmp_parameter_ptr icmp_header_union.parameter_problem_ptr
|
|
#define icmp_gateway_addr icmp_header_union.gateway_waddr
|
|
#define icmp_echo_id icmp_header_union.echo.id
|
|
#define icmp_echo_seq icmp_header_union.echo.seq
|
|
#define icmp_timestamp_id icmp_header_union.timestamp.id
|
|
#define icmp_timestamp_seq icmp_header_union.timestamp.seq
|
|
#define icmp_info_id icmp_header_union.info.id
|
|
#define icmp_info_seq icmp_header_union.info.seq
|
|
#define icmp_void icmp_header_union.void
|
|
#define icmp_nextmtu icmp_header_union.path_mtu.nextmtu
|
|
#define icmp_ra_num_addrs icmp_header_union.router_advertisement.number_addrs
|
|
#define icmp_ra_entry_size icmp_header_union.router_advertisement.entry_size
|
|
#define icmp_ra_lifetime icmp_header_union.router_advertisement.lifetime
|
|
|
|
union
|
|
{
|
|
/* timestamp */
|
|
struct timestamp
|
|
{
|
|
uint32_t orig;
|
|
uint32_t receive;
|
|
uint32_t transmit;
|
|
} timestamp;
|
|
|
|
/* IP header for unreach */
|
|
struct ipv4_header
|
|
{
|
|
IPV4Header *ip;
|
|
/* options and then 64 bits of data */
|
|
} ipv4_header;
|
|
|
|
/* Router Advertisement */
|
|
struct router_address
|
|
{
|
|
uint32_t addr;
|
|
uint32_t preference;
|
|
} router_address;
|
|
|
|
/* type 17, 18 */
|
|
uint32_t mask;
|
|
|
|
char data[1];
|
|
|
|
} icmp_data_union;
|
|
#define icmp_orig_timestamp icmp_data_union.timestamp.orig
|
|
#define icmp_recv_timestamp icmp_data_union.timestamp.receive
|
|
#define icmp_xmit_timestamp icmp_data_union.timestamp.transmit
|
|
#define icmp_ipheader icmp_data_union.ip_header
|
|
#define icmp_ra_addr0 icmp_data_union.router_address
|
|
#define icmp_mask icmp_data_union.mask
|
|
#define icmp_data icmp_data_union.data
|
|
} ICMPHeader;
|
|
|
|
#define ICMP_ECHO_REPLY 0 /* Echo Reply */
|
|
#define ICMP_DEST_UNREACHABLE 3 /* Destination Unreachable */
|
|
#define ICMP_SOURCE_QUENCH 4 /* Source Quench */
|
|
#define ICMP_REDIRECT 5 /* Redirect (change route) */
|
|
#define ICMP_ECHO_REQUEST 8 /* Echo Request */
|
|
#define ICMP_ROUTER_ADVERTISEMENT 9 /* Router Advertisement */
|
|
#define ICMP_ROUTER_SOLICITATION 10 /* Router Solicitation */
|
|
#define ICMP_TIME_EXCEEDED 11 /* Time Exceeded */
|
|
#define ICMP_PARAMETER_PROBLEM 12 /* Parameter Problem */
|
|
#define ICMP_TIMESTAMP_REQUEST 13 /* Timestamp Request */
|
|
#define ICMP_TIMESTAMP_REPLY 14 /* Timestamp Reply */
|
|
#define ICMP_INFO_REQUEST 15 /* Information Request */
|
|
#define ICMP_INFO_REPLY 16 /* Information Reply */
|
|
#define ICMP_ADDRESS_REQUEST 17 /* Address Mask Request */
|
|
#define ICMP_ADDRESS_REPLY 18 /* Address Mask Reply */
|
|
|
|
#define INVALID_CHECKSUM_IP 0x01
|
|
#define INVALID_CHECKSUM_TCP 0x02
|
|
#define INVALID_CHECKSUM_UDP 0x04
|
|
#define INVALID_CHECKSUM_ICMP 0x08
|
|
#define INVALID_CHECKSUM_IGMP 0x10
|
|
#define INVALID_CHECKSUM_ALL 0x1F
|
|
#define INVALID_TTL 0x20
|
|
|
|
typedef struct _IPv6Extension
|
|
{
|
|
uint8_t option_type;
|
|
const uint8_t *option_data;
|
|
} IP6Extension;
|
|
|
|
typedef struct _IPAddresses
|
|
{
|
|
sfaddr_t ip_src; /* source IP */
|
|
sfaddr_t ip_dst; /* dest IP */
|
|
} IPAddresses;
|
|
|
|
typedef struct _IPv4Hdr
|
|
{
|
|
uint8_t ip_verhl; /* version & header length */
|
|
uint8_t ip_tos; /* type of service */
|
|
uint16_t ip_len; /* datagram length */
|
|
uint16_t ip_id; /* identification */
|
|
uint16_t ip_off; /* fragment offset */
|
|
uint8_t ip_ttl; /* time to live field */
|
|
uint8_t ip_proto; /* datagram protocol */
|
|
uint16_t ip_csum; /* checksum */
|
|
IPAddresses* ip_addrs; /* IP addresses*/
|
|
} IP4Hdr;
|
|
|
|
typedef struct _IP6RawHdr
|
|
{
|
|
uint32_t vcl; /* version, class, and label */
|
|
uint16_t payload_len; /* length of the payload */
|
|
uint8_t next_header; /* same values as ip4 protocol field + new ip6 values */
|
|
uint8_t hop_limit; /* same usage as ip4 ttl */
|
|
|
|
struct in6_addr src_addr;
|
|
struct in6_addr dst_addr;
|
|
} IP6RawHdr;
|
|
|
|
#define ip6_vcl vcl
|
|
#define ip6_payload_len payload_len
|
|
#define ip6_next_header next_header
|
|
#define ip6_hop_limit hop_limit
|
|
#define ip6_hops hop_limit
|
|
|
|
typedef struct _IPv6Hdr
|
|
{
|
|
uint32_t vcl; /* version, class, and label */
|
|
uint16_t len; /* length of the payload */
|
|
uint8_t next; /* next header
|
|
* Uses the same flags as
|
|
* the IPv4 protocol field */
|
|
uint8_t hop_lmt; /* hop limit */
|
|
IPAddresses* ip_addrs; /* IP addresses*/
|
|
} IP6Hdr;
|
|
|
|
typedef struct _IP6FragHdr
|
|
{
|
|
uint8_t ip6f_nxt; /* next header */
|
|
uint8_t ip6f_reserved; /* reserved field */
|
|
uint16_t ip6f_offlg; /* offset, reserved, and flag */
|
|
uint32_t ip6f_ident; /* identification */
|
|
} IP6FragHdr;
|
|
|
|
typedef struct _ICMP6
|
|
{
|
|
uint8_t type;
|
|
uint8_t code;
|
|
uint16_t csum;
|
|
|
|
} ICMP6Hdr;
|
|
|
|
#define ICMP6_UNREACH 1
|
|
#define ICMP6_BIG 2
|
|
#define ICMP6_TIME 3
|
|
#define ICMP6_PARAMS 4
|
|
#define ICMP6_ECHO 128
|
|
#define ICMP6_REPLY 129
|
|
|
|
/* Minus 1 due to the 'body' field */
|
|
#define ICMP6_MIN_HEADER_LEN (sizeof(ICMP6Hdr) )
|
|
|
|
struct _SFSnortPacket;
|
|
|
|
typedef struct _IPH_API
|
|
{
|
|
sfaddr_t * (*iph_ret_src)(const struct _SFSnortPacket *);
|
|
sfaddr_t * (*iph_ret_dst)(const struct _SFSnortPacket *);
|
|
uint16_t (*iph_ret_tos)(const struct _SFSnortPacket *);
|
|
uint8_t (*iph_ret_ttl)(const struct _SFSnortPacket *);
|
|
uint16_t (*iph_ret_len)(const struct _SFSnortPacket *);
|
|
uint32_t (*iph_ret_id)(const struct _SFSnortPacket *);
|
|
uint8_t (*iph_ret_proto)(const struct _SFSnortPacket *);
|
|
uint16_t (*iph_ret_off)(const struct _SFSnortPacket *);
|
|
uint8_t (*iph_ret_ver)(const struct _SFSnortPacket *);
|
|
uint8_t (*iph_ret_hlen)(const struct _SFSnortPacket *);
|
|
|
|
sfaddr_t * (*orig_iph_ret_src)(const struct _SFSnortPacket *);
|
|
sfaddr_t * (*orig_iph_ret_dst)(const struct _SFSnortPacket *);
|
|
uint16_t (*orig_iph_ret_tos)(const struct _SFSnortPacket *);
|
|
uint8_t (*orig_iph_ret_ttl)(const struct _SFSnortPacket *);
|
|
uint16_t (*orig_iph_ret_len)(const struct _SFSnortPacket *);
|
|
uint32_t (*orig_iph_ret_id)(const struct _SFSnortPacket *);
|
|
uint8_t (*orig_iph_ret_proto)(const struct _SFSnortPacket *);
|
|
uint16_t (*orig_iph_ret_off)(const struct _SFSnortPacket *);
|
|
uint8_t (*orig_iph_ret_ver)(const struct _SFSnortPacket *);
|
|
uint8_t (*orig_iph_ret_hlen)(const struct _SFSnortPacket *);
|
|
char version;
|
|
} IPH_API;
|
|
|
|
typedef enum {
|
|
PSEUDO_PKT_IP,
|
|
PSEUDO_PKT_TCP,
|
|
PSEUDO_PKT_DCE_RPKT,
|
|
PSEUDO_PKT_SMB_SEG,
|
|
PSEUDO_PKT_DCE_SEG,
|
|
PSEUDO_PKT_DCE_FRAG,
|
|
PSEUDO_PKT_SMB_TRANS,
|
|
PSEUDO_PKT_PS,
|
|
PSEUDO_PKT_SDF,
|
|
PSEUDO_PKT_MAX
|
|
} PseudoPacketType;
|
|
|
|
#include "ipv6_port.h"
|
|
|
|
#define IP6_HEADER_LEN 40
|
|
|
|
#define IPH_API_V4 4
|
|
#define IPH_API_V6 6
|
|
|
|
extern IPH_API ip4;
|
|
extern IPH_API ip6;
|
|
|
|
#define iph_is_valid(p) ((p)->family != NO_IP)
|
|
|
|
#define NO_IP 0
|
|
|
|
#define IP6_HDR_LEN 40
|
|
|
|
typedef struct _MplsHdr
|
|
{
|
|
uint32_t label;
|
|
uint8_t exp;
|
|
uint8_t bos;
|
|
uint8_t ttl;
|
|
} MplsHdr;
|
|
|
|
typedef struct _H2PriSpec
|
|
{
|
|
uint32_t stream_id;
|
|
uint32_t weight;
|
|
uint8_t exclusive;
|
|
} H2PriSpec;
|
|
|
|
typedef struct _H2Hdr
|
|
{
|
|
uint32_t length;
|
|
uint32_t stream_id;
|
|
uint8_t type;
|
|
uint8_t flags;
|
|
uint8_t reserved;
|
|
H2PriSpec pri;
|
|
} H2Hdr;
|
|
|
|
#define MAX_PROTO_LAYERS 32
|
|
|
|
typedef struct {
|
|
PROTO_ID proto_id;
|
|
uint16_t proto_length;
|
|
uint8_t* proto_start;
|
|
} ProtoLayer;
|
|
|
|
// for backwards compatibility with VRT .so rules
|
|
#define stream_session_ptr stream_session
|
|
|
|
// forward declaration for snort list management type
|
|
struct sfSDList;
|
|
|
|
// forward declaration for snort expected session created due to this packet.
|
|
struct _ExpectNode;
|
|
|
|
typedef struct _SFSnortPacket
|
|
{
|
|
const SFDAQ_PktHdr_t *pkt_header; /* Is this GPF'd? */
|
|
const uint8_t *pkt_data;
|
|
|
|
void *ether_arp_header;
|
|
const EtherHeader *ether_header;
|
|
const VlanHeader *vlan_tag_header;
|
|
void *ether_header_llc;
|
|
void *ether_header_other;
|
|
const void *ppp_over_ether_header;
|
|
const void *gre_header;
|
|
uint32_t *mpls;
|
|
const CiscoMetaHdr *cmdh; /* Cisco Metadata Header */
|
|
|
|
const IPV4Header *ip4_header, *orig_ip4_header;
|
|
const IPV4Header *inner_ip4_header;
|
|
const IPV4Header *outer_ip4_header;
|
|
const TCPHeader *tcp_header, *orig_tcp_header;
|
|
const UDPHeader *udp_header, *orig_udp_header;
|
|
const UDPHeader *inner_udph; /* if Teredo + UDP, this will be the inner UDP header */
|
|
const UDPHeader *outer_udph; /* if Teredo + UDP, this will be the outer UDP header */
|
|
const ICMPHeader *icmp_header, *orig_icmp_header;
|
|
|
|
const uint8_t *payload;
|
|
const uint8_t *ip_payload;
|
|
const uint8_t *outer_ip_payload;
|
|
|
|
void *stream_session;
|
|
void *fragmentation_tracking_ptr;
|
|
|
|
IP4Hdr *ip4h, *orig_ip4h;
|
|
IP6Hdr *ip6h, *orig_ip6h;
|
|
ICMP6Hdr *icmp6h, *orig_icmp6h;
|
|
|
|
IPH_API* iph_api;
|
|
IPH_API* orig_iph_api;
|
|
IPH_API* outer_iph_api;
|
|
IPH_API* outer_orig_iph_api;
|
|
|
|
int family;
|
|
int orig_family;
|
|
int outer_family;
|
|
|
|
PreprocEnableMask preprocessor_bit_mask;
|
|
|
|
uint64_t flags;
|
|
|
|
uint32_t xtradata_mask;
|
|
|
|
uint16_t proto_bits;
|
|
|
|
uint16_t payload_size;
|
|
uint16_t ip_payload_size;
|
|
uint16_t normalized_payload_size;
|
|
uint16_t actual_ip_length;
|
|
uint16_t outer_ip_payload_size;
|
|
|
|
uint16_t ip_fragment_offset;
|
|
uint16_t ip_frag_length;
|
|
uint16_t ip4_options_length;
|
|
uint16_t tcp_options_length;
|
|
|
|
uint16_t src_port;
|
|
uint16_t dst_port;
|
|
uint16_t orig_src_port;
|
|
uint16_t orig_dst_port;
|
|
|
|
int16_t application_protocol_ordinal;
|
|
|
|
uint8_t ip_fragmented;
|
|
uint8_t ip_more_fragments;
|
|
uint8_t ip_dont_fragment;
|
|
uint8_t ip_reserved;
|
|
|
|
uint8_t num_ip_options;
|
|
uint8_t num_tcp_options;
|
|
uint8_t num_ip6_extensions;
|
|
uint8_t ip6_frag_extension;
|
|
|
|
uint8_t invalid_flags;
|
|
uint8_t encapsulated;
|
|
uint8_t GTPencapsulated;
|
|
uint8_t next_layer_index;
|
|
|
|
#ifndef NO_NON_ETHER_DECODER
|
|
const void *fddi_header;
|
|
void *fddi_saps;
|
|
void *fddi_sna;
|
|
void *fddi_iparp;
|
|
void *fddi_other;
|
|
|
|
const void *tokenring_header;
|
|
void *tokenring_header_llc;
|
|
void *tokenring_header_mr;
|
|
|
|
void *pflog1_header;
|
|
void *pflog2_header;
|
|
void *pflog3_header;
|
|
void *pflog4_header;
|
|
|
|
#ifdef DLT_LINUX_SLL
|
|
const void *sll_header;
|
|
#endif
|
|
#ifdef DLT_IEEE802_11
|
|
const void *wifi_header;
|
|
#endif
|
|
const void *ether_eapol_header;
|
|
const void *eapol_headear;
|
|
const uint8_t *eapol_type;
|
|
void *eapol_key;
|
|
#endif
|
|
|
|
IPOptions ip_options[MAX_IP_OPTIONS];
|
|
TCPOptions tcp_options[MAX_TCP_OPTIONS];
|
|
IP6Extension *ip6_extensions;
|
|
CiscoMetaOpt *cmd_options; /* Cisco Metadata header options */
|
|
|
|
const uint8_t *ip_frag_start;
|
|
const uint8_t *ip4_options_data;
|
|
const uint8_t *tcp_options_data;
|
|
|
|
const IP6RawHdr* raw_ip6_header;
|
|
ProtoLayer proto_layers[MAX_PROTO_LAYERS];
|
|
|
|
IPAddresses inner_ips, inner_orig_ips;
|
|
IP4Hdr inner_ip4h, inner_orig_ip4h;
|
|
IP6Hdr inner_ip6h, inner_orig_ip6h;
|
|
IPAddresses outer_ips, outer_orig_ips;
|
|
IP4Hdr outer_ip4h, outer_orig_ip4h;
|
|
IP6Hdr outer_ip6h, outer_orig_ip6h;
|
|
|
|
MplsHdr mplsHdr;
|
|
H2Hdr *h2Hdr;
|
|
|
|
PseudoPacketType pseudo_type;
|
|
uint16_t max_payload;
|
|
|
|
/**policyId provided in configuration file. Used for correlating configuration
|
|
* with event output
|
|
*/
|
|
uint16_t configPolicyId;
|
|
|
|
uint32_t iplist_id;
|
|
unsigned char iprep_layer;
|
|
|
|
uint8_t ps_proto; /* Used for portscan and unified2 logging */
|
|
|
|
uint8_t ips_os_selected;
|
|
void *cur_pp;
|
|
|
|
// Expected session created due to this packet.
|
|
struct _ExpectNode* expectedSession;
|
|
} SFSnortPacket;
|
|
|
|
#define IP_INNER_LAYER 1
|
|
#define IP_OUTTER_LAYER 0
|
|
|
|
#define PKT_ZERO_LEN offsetof(SFSnortPacket, ip_options)
|
|
|
|
#define PROTO_BIT__IP 0x0001
|
|
#define PROTO_BIT__ARP 0x0002
|
|
#define PROTO_BIT__TCP 0x0004
|
|
#define PROTO_BIT__UDP 0x0008
|
|
#define PROTO_BIT__ICMP 0x0010
|
|
#define PROTO_BIT__TEREDO 0x0020
|
|
#define PROTO_BIT__ALL 0xffff
|
|
|
|
#define IsIP(p) (IPH_IS_VALID(p))
|
|
#define IsTCP(p) (IsIP(p) && p->tcp_header)
|
|
#define IsUDP(p) (IsIP(p) && p->udp_header)
|
|
#define IsICMP(p) (IsIP(p) && p->icmp_header)
|
|
|
|
#define SET_IP4_VER(ip_header, value) \
|
|
((ip_header)->version_headerlength = \
|
|
(unsigned char)(((ip_header)->version_headerlength & 0x0f) | (value << 4)))
|
|
#define SET_IP4_HLEN(ip_header, value) \
|
|
((ip_header)->version_headerlength = \
|
|
(unsigned char)(((ip_header)->version_headerlength & 0xf0) | (value & 0x0f)))
|
|
|
|
#define SET_TCP_HDR_OFFSET(tcp_header, value) \
|
|
((tcp_header)->offset_reserved = \
|
|
(unsigned char)(((tcp_header)->offset_reserved & 0x0f) | (value << 4)))
|
|
|
|
#define BIT(i) (0x1 << (i-1))
|
|
|
|
|
|
/* beware: some flags are redefined in dynamic-plugins/sf_dynamic_define.h! */
|
|
#define FLAG_REBUILT_FRAG 0x00000001 /* is a rebuilt fragment */
|
|
#define FLAG_REBUILT_STREAM 0x00000002 /* is a rebuilt stream */
|
|
#define FLAG_STREAM_UNEST_UNI 0x00000004 /* is from an unestablished stream and
|
|
* we've only seen traffic in one direction */
|
|
#define FLAG_STREAM_EST 0x00000008 /* is from an established stream */
|
|
|
|
#define FLAG_STREAM_INSERT 0x00000010 /* this packet has been queued for stream reassembly */
|
|
#define FLAG_STREAM_TWH 0x00000020 /* packet completes the 3-way handshake */
|
|
#define FLAG_FROM_SERVER 0x00000040 /* this packet came from the server
|
|
side of a connection (TCP) */
|
|
#define FLAG_FROM_CLIENT 0x00000080 /* this packet came from the client
|
|
side of a connection (TCP) */
|
|
|
|
#define FLAG_PDU_HEAD 0x00000100 /* start of PDU */
|
|
#define FLAG_PDU_TAIL 0x00000200 /* end of PDU */
|
|
#define FLAG_UNSURE_ENCAP 0x00000400 /* packet may have incorrect encapsulation layer. */
|
|
/* don't alert if "next layer" is invalid. */
|
|
#define FLAG_HTTP_DECODE 0x00000800 /* this packet has normalized http */
|
|
|
|
#define FLAG_IGNORE_PORT 0x00001000 /* this packet should be ignored, based on port */
|
|
#define FLAG_NO_DETECT 0x00002000 /* this packet should not be preprocessed */
|
|
#define FLAG_ALLOW_MULTIPLE_DETECT 0x00004000 /* packet has either pipelined mime attachements */
|
|
/* or pipeline http requests */
|
|
#define FLAG_PAYLOAD_OBFUSCATE 0x00008000
|
|
|
|
#define FLAG_STATELESS 0x00010000 /* Packet has matched a stateless rule */
|
|
#define FLAG_PASS_RULE 0x00020000 /* this packet has matched a pass rule */
|
|
#define FLAG_IP_RULE 0x00040000 /* this packet is being evaluated against an IP rule */
|
|
#define FLAG_IP_RULE_2ND 0x00080000 /* this packet is being evaluated against an IP rule */
|
|
|
|
#define FLAG_LOGGED 0x00100000 /* this packet has been logged */
|
|
#define FLAG_PSEUDO 0x00200000 /* is a pseudo packet */
|
|
#define FLAG_MODIFIED 0x00400000 /* packet had normalizations, etc. */
|
|
#ifdef NORMALIZER
|
|
#define FLAG_RESIZED 0x00800000 /* packet has new size; must set modified too */
|
|
#endif
|
|
|
|
/* neither of these flags will be set for (full) retransmissions or non-data segments */
|
|
/* a partial overlap results in out of sequence condition */
|
|
/* out of sequence condition is sticky */
|
|
#define FLAG_STREAM_ORDER_OK 0x01000000 /* this segment is in order, w/o gaps */
|
|
#define FLAG_STREAM_ORDER_BAD 0x02000000 /* this stream had at least one gap */
|
|
#define FLAG_REASSEMBLED_OLD 0x04000000 /* for backwards compat with so rules */
|
|
|
|
#define FLAG_IPREP_SOURCE_TRIGGERED 0x08000000
|
|
#define FLAG_IPREP_DATA_SET 0x10000000
|
|
#define FLAG_FILE_EVENT_SET 0x20000000
|
|
#define FLAG_EARLY_REASSEMBLY 0x40000000 /* this packet. part of the expected stream, should have stream reassembly set */
|
|
#define FLAG_RETRANSMIT 0x80000000 /* this packet is identified as re-transmitted one */
|
|
#define FLAG_PURGE 0x0100000000 /* Stream will not flush the data */
|
|
|
|
|
|
#define FLAG_PDU_FULL (FLAG_PDU_HEAD | FLAG_PDU_TAIL)
|
|
|
|
#define REASSEMBLED_PACKET_FLAGS (FLAG_REBUILT_STREAM|FLAG_REASSEMBLED_OLD)
|
|
|
|
#define SFTARGET_UNKNOWN_PROTOCOL -1
|
|
|
|
static inline int PacketWasCooked(const SFSnortPacket* p)
|
|
{
|
|
return ( p->flags & FLAG_PSEUDO ) != 0;
|
|
}
|
|
|
|
static inline int IsPortscanPacket(const SFSnortPacket *p)
|
|
{
|
|
return ((p->flags & FLAG_PSEUDO) && (p->pseudo_type == PSEUDO_PKT_PS));
|
|
}
|
|
|
|
static inline uint8_t GetEventProto(const SFSnortPacket *p)
|
|
{
|
|
if (IsPortscanPacket(p))
|
|
return p->ps_proto;
|
|
return IPH_IS_VALID(p) ? GET_IPH_PROTO(p) : 0;
|
|
}
|
|
|
|
static inline int PacketHasFullPDU (const SFSnortPacket* p)
|
|
{
|
|
return ( (p->flags & FLAG_PDU_FULL) == FLAG_PDU_FULL );
|
|
}
|
|
|
|
static inline int PacketHasStartOfPDU (const SFSnortPacket* p)
|
|
{
|
|
return ( (p->flags & FLAG_PDU_HEAD) != 0 );
|
|
}
|
|
|
|
static inline int PacketHasPAFPayload (const SFSnortPacket* p)
|
|
{
|
|
return ( (p->flags & FLAG_REBUILT_STREAM) || (p->flags & FLAG_PDU_TAIL) );
|
|
}
|
|
|
|
static inline void SetExtraData (SFSnortPacket* p, uint32_t xid)
|
|
{
|
|
p->xtradata_mask |= BIT(xid);
|
|
}
|
|
|
|
#endif /* _SF_SNORT_PACKET_H_ */
|
|
|