/**
* \brief This function passes off to link type decoders.
*
* DecodeErfDag reads packets from the PacketQueue and passes
* them off to the proper link type decoder.
*
* \param t pointer to ThreadVars
* \param p pointer to the current packet
* \param data pointer that gets cast into PcapThreadVars for ptv
* \param pq pointer to the current PacketQueue
*/
TmEcode DecodeErfDag(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
PacketQueue *postpq)
{
SCEnter();
DecodeThreadVars *dtv = (DecodeThreadVars *)data;
/* update counters */
SCPerfCounterIncr(dtv->counter_pkts, tv->sc_perf_pca);
SCPerfCounterIncr(dtv->counter_pkts_per_sec, tv->sc_perf_pca);
SCPerfCounterAddUI64(dtv->counter_bytes, tv->sc_perf_pca, GET_PKT_LEN(p));
#if 0
SCPerfCounterAddDouble(dtv->counter_bytes_per_sec, tv->sc_perf_pca, GET_PKT_LEN(p));
SCPerfCounterAddDouble(dtv->counter_mbit_per_sec, tv->sc_perf_pca,
(GET_PKT_LEN(p) * 8)/1000000.0);
#endif
SCPerfCounterAddUI64(dtv->counter_avg_pkt_size, tv->sc_perf_pca, GET_PKT_LEN(p));
SCPerfCounterSetUI64(dtv->counter_max_pkt_size, tv->sc_perf_pca, GET_PKT_LEN(p));
/* call the decoder */
switch(p->datalink) {
case LINKTYPE_ETHERNET:
DecodeEthernet(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
break;
default:
SCLogError(SC_ERR_DATALINK_UNIMPLEMENTED,
"Error: datalink type %" PRId32 " not yet supported in module DecodeErfDag",
p->datalink);
break;
}
SCReturnInt(TM_ECODE_OK);
}
/**
* \brief This function passes off to link type decoders.
*
* DecodeErfDag reads packets from the PacketQueue and passes
* them off to the proper link type decoder.
*
* \param t pointer to ThreadVars
* \param p pointer to the current packet
* \param data pointer that gets cast into PcapThreadVars for ptv
* \param pq pointer to the current PacketQueue
*/
TmEcode
DecodeErfDag(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
PacketQueue *postpq)
{
SCEnter();
DecodeThreadVars *dtv = (DecodeThreadVars *)data;
/* XXX HACK: flow timeout can call us for injected pseudo packets
* see bug: https://redmine.openinfosecfoundation.org/issues/1107 */
if (p->flags & PKT_PSEUDO_STREAM_END)
return TM_ECODE_OK;
/* update counters */
DecodeUpdatePacketCounters(tv, dtv, p);
/* call the decoder */
switch(p->datalink) {
case LINKTYPE_ETHERNET:
DecodeEthernet(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
break;
default:
SCLogError(SC_ERR_DATALINK_UNIMPLEMENTED,
"Error: datalink type %" PRId32
" not yet supported in module DecodeErfDag",
p->datalink);
break;
}
PacketDecodeFinalize(tv, dtv, p);
SCReturnInt(TM_ECODE_OK);
}
/**
* Test that a DCE ethernet frame, followed by data that is too small
* for an ethernet header.
*
* Redmine issue:
* https://redmine.openinfosecfoundation.org/issues/2887
*/
static int DecodeEthernetTestDceNextTooSmall(void)
{
uint8_t raw_eth[] = {
0x00, 0x10, 0x94, 0x55, 0x00, 0x01, 0x00, 0x10,
0x94, 0x56, 0x00, 0x01, 0x89, 0x03, //0x88, 0x64,
0x00, 0x00,
0x00, 0x10, 0x94, 0x55, 0x00, 0x01, 0x00, 0x10,
0x94, 0x56, 0x00, 0x01,
};
Packet *p = SCMalloc(SIZE_OF_PACKET);
FAIL_IF_NULL(p);
ThreadVars tv;
DecodeThreadVars dtv;
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&tv, 0, sizeof(ThreadVars));
memset(p, 0, SIZE_OF_PACKET);
DecodeEthernet(&tv, &dtv, p, raw_eth, sizeof(raw_eth), NULL);
FAIL_IF_NOT(ENGINE_ISSET_EVENT(p, ETHERNET_PKT_TOO_SMALL));
SCFree(p);
PASS;
}
/**
* \brief This function passes off to link type decoders.
*
* NapatechDecode reads packets from the PacketQueue and passes
* them off to the proper link type decoder.
*
* \param t pointer to ThreadVars
* \param p pointer to the current packet
* \param data pointer that gets cast into PcapThreadVars for ptv
* \param pq pointer to the current PacketQueue
*/
TmEcode NapatechDecode(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
PacketQueue *postpq)
{
SCEnter();
DecodeThreadVars *dtv = (DecodeThreadVars *)data;
/* XXX HACK: flow timeout can call us for injected pseudo packets
* see bug: https://redmine.openinfosecfoundation.org/issues/1107 */
if (p->flags & PKT_PSEUDO_STREAM_END)
return TM_ECODE_OK;
/* update counters */
SCPerfCounterIncr(dtv->counter_pkts, tv->sc_perf_pca);
// SCPerfCounterIncr(dtv->counter_pkts_per_sec, tv->sc_perf_pca);
SCPerfCounterAddUI64(dtv->counter_bytes, tv->sc_perf_pca, GET_PKT_LEN(p));
SCPerfCounterAddUI64(dtv->counter_avg_pkt_size, tv->sc_perf_pca, GET_PKT_LEN(p));
SCPerfCounterSetUI64(dtv->counter_max_pkt_size, tv->sc_perf_pca, GET_PKT_LEN(p));
switch (p->datalink) {
case LINKTYPE_ETHERNET:
DecodeEthernet(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
break;
default:
SCLogError(SC_ERR_DATALINK_UNIMPLEMENTED,
"Error: datalink type %" PRId32 " not yet supported in module NapatechDecode",
p->datalink);
break;
}
PacketDecodeFinalize(tv, dtv, p);
SCReturnInt(TM_ECODE_OK);
}
void Decode(mbuf_t *m)
{
LOGDBG(SEC_DECODE_DBG_BIT, "==========>enter decode()\n");
if( DECODE_OK != DecodeEthernet(m, GET_PKT_DATA(m), GET_PKT_LEN(m)))
{
output_drop_proc(m);
}
return;
}
/**
* \brief UTHBuildPacketFromEth is a wrapper that build a packet for the rawbytes
*
* \param raw_eth pointer to the rawbytes containing an ethernet packet
* (and any other headers inside)
* \param pktsize pointer to the length of the payload
*
* \retval Packet pointer to the built in packet; NULL if something fail
*/
Packet *UTHBuildPacketFromEth(uint8_t *raw_eth, uint16_t pktsize)
{
DecodeThreadVars dtv;
ThreadVars th_v;
Packet *p = PacketGetFromAlloc();
if (unlikely(p == NULL))
return NULL;
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&th_v, 0, sizeof(th_v));
DecodeEthernet(&th_v, &dtv, p, raw_eth, pktsize, NULL);
return p;
}
int DecodeTunnel(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
uint8_t *pkt, uint16_t len, PacketQueue *pq, enum DecodeTunnelProto proto)
{
switch (proto) {
case DECODE_TUNNEL_PPP:
return DecodePPP(tv, dtv, p, pkt, len, pq);
case DECODE_TUNNEL_IPV4:
return DecodeIPV4(tv, dtv, p, pkt, len, pq);
case DECODE_TUNNEL_IPV6:
return DecodeIPV6(tv, dtv, p, pkt, len, pq);
case DECODE_TUNNEL_VLAN:
return DecodeVLAN(tv, dtv, p, pkt, len, pq);
case DECODE_TUNNEL_ETHERNET:
return DecodeEthernet(tv, dtv, p, pkt, len, pq);
case DECODE_TUNNEL_ERSPAN:
return DecodeERSPAN(tv, dtv, p, pkt, len, pq);
default:
SCLogInfo("FIXME: DecodeTunnel: protocol %" PRIu32 " not supported.", proto);
break;
}
return TM_ECODE_OK;
}
/** DecodeEthernettest01
* \brief Valid Ethernet packet
* \retval 0 Expected test value
*/
static int DecodeEthernetTest01 (void)
{
/* ICMP packet wrapped in PPPOE */
uint8_t raw_eth[] = {
0x00, 0x10, 0x94, 0x55, 0x00, 0x01, 0x00, 0x10,
0x94, 0x56, 0x00, 0x01, 0x88, 0x64, 0x11, 0x00,
0x00, 0x01, 0x00, 0x68, 0x00, 0x21, 0x45, 0xc0,
0x00, 0x64, 0x00, 0x1e, 0x00, 0x00, 0xff, 0x01,
0xa7, 0x78, 0x0a, 0x00, 0x00, 0x02, 0x0a, 0x00,
0x00, 0x01, 0x08, 0x00, 0x4a, 0x61, 0x00, 0x06,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f,
0x3b, 0xd4, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
0xab, 0xcd };
Packet *p = SCMalloc(SIZE_OF_PACKET);
if (unlikely(p == NULL))
return 0;
ThreadVars tv;
DecodeThreadVars dtv;
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&tv, 0, sizeof(ThreadVars));
memset(p, 0, SIZE_OF_PACKET);
DecodeEthernet(&tv, &dtv, p, raw_eth, sizeof(raw_eth), NULL);
SCFree(p);
return 1;
}
/**
* \brief Decode the ERF file.
*
* This function ups the decoder counters and then passes the packet
* off to the ethernet decoder.
*/
TmEcode
DecodeErfFile(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
{
SCEnter();
DecodeThreadVars *dtv = (DecodeThreadVars *)data;
/* Update counters. */
SCPerfCounterIncr(dtv->counter_pkts, tv->sc_perf_pca);
// SCPerfCounterIncr(dtv->counter_pkts_per_sec, tv->sc_perf_pca);
SCPerfCounterAddUI64(dtv->counter_bytes, tv->sc_perf_pca, GET_PKT_LEN(p));
#if 0
SCPerfCounterAddDouble(dtv->counter_bytes_per_sec, tv->sc_perf_pca, GET_PKT_LEN(p));
SCPerfCounterAddDouble(dtv->counter_mbit_per_sec, tv->sc_perf_pca,
(GET_PKT_LEN(p) * 8)/1000000.0 );
#endif
SCPerfCounterAddUI64(dtv->counter_avg_pkt_size, tv->sc_perf_pca, GET_PKT_LEN(p));
SCPerfCounterSetUI64(dtv->counter_max_pkt_size, tv->sc_perf_pca, GET_PKT_LEN(p));
DecodeEthernet(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
SCReturnInt(TM_ECODE_OK);
}
/**
* \test FragBitsTestParse04 test if DONT FRAG is not set. Must fails.
*
* \retval 1 on success
* \retval 0 on failure
*/
static int FragBitsTestParse04 (void) {
uint8_t raw_eth[] = {
0x00 ,0x40 ,0x33 ,0xd9 ,0x7c ,0xfd ,0x00 ,0x00,
0x39 ,0xcf ,0xd9 ,0xcd ,0x08 ,0x00 ,0x45 ,0x00,
0x01 ,0x13 ,0x9c ,0x5d ,0x40 ,0x00 ,0xf6 ,0x11,
0x44 ,0xca ,0x97 ,0xa4 ,0x01 ,0x08 ,0x0a ,0x00,
0x00 ,0x06 ,0x00 ,0x35 ,0x04 ,0x0b ,0x00 ,0xff,
0x3c ,0x87 ,0x7d ,0x9e ,0x85 ,0x80 ,0x00 ,0x01,
0x00 ,0x01 ,0x00 ,0x05 ,0x00 ,0x05 ,0x06 ,0x70,
0x69 ,0x63 ,0x61 ,0x72 ,0x64 ,0x07 ,0x75 ,0x74,
0x68 ,0x73 ,0x63 ,0x73 ,0x61 ,0x03 ,0x65 ,0x64,
0x75 ,0x00 ,0x00 ,0x01 ,0x00 ,0x01 ,0xc0 ,0x0c,
0x00 ,0x01 ,0x00 ,0x01 ,0x00 ,0x00 ,0x0e ,0x10,
0x00 ,0x04 ,0x81 ,0x6f ,0x1e ,0x1b ,0x07 ,0x75,
0x74 ,0x68 ,0x73 ,0x63 ,0x73 ,0x61 ,0x03 ,0x65,
0x64 ,0x75 ,0x00 ,0x00 ,0x02 ,0x00 ,0x01 ,0x00,
0x00 ,0x0e ,0x10 ,0x00 ,0x09 ,0x06 ,0x6b ,0x65,
0x6e ,0x6f ,0x62 ,0x69 ,0xc0 ,0x34 ,0xc0 ,0x34,
0x00 ,0x02 ,0x00 ,0x01 ,0x00 ,0x00 ,0x0e ,0x10,
0x00 ,0x07 ,0x04 ,0x6a ,0x69 ,0x6e ,0x6e ,0xc0,
0x34 ,0xc0 ,0x34 ,0x00 ,0x02 ,0x00 ,0x01 ,0x00,
0x00 ,0x0e ,0x10 ,0x00 ,0x0c ,0x04 ,0x64 ,0x6e,
0x73 ,0x31 ,0x04 ,0x6e ,0x6a ,0x69 ,0x74 ,0xc0,
0x3c ,0xc0 ,0x34 ,0x00 ,0x02 ,0x00 ,0x01 ,0x00,
0x00 ,0x0e ,0x10 ,0x00 ,0x08 ,0x05 ,0x65 ,0x6c,
0x7a ,0x69 ,0x70 ,0xc0 ,0x34 ,0xc0 ,0x34 ,0x00,
0x02 ,0x00 ,0x01 ,0x00 ,0x00 ,0x0e ,0x10 ,0x00,
0x08 ,0x05 ,0x61 ,0x72 ,0x77 ,0x65 ,0x6e ,0xc0,
0x34 ,0xc0 ,0x4b ,0x00 ,0x01 ,0x00 ,0x01 ,0x00,
0x00 ,0x0e ,0x10 ,0x00 ,0x04 ,0x81 ,0x6f ,0x1a,
0x06 ,0xc0 ,0x60 ,0x00 ,0x01 ,0x00 ,0x01 ,0x00,
0x00 ,0x0e ,0x10 ,0x00 ,0x04 ,0x81 ,0x6f ,0x1a,
0x07 ,0xc0 ,0x73 ,0x00 ,0x01 ,0x00 ,0x01 ,0x00,
0x01 ,0x03 ,0x82 ,0x00 ,0x04 ,0x80 ,0xeb ,0xfb,
0x0a ,0xc0 ,0x8b ,0x00 ,0x01 ,0x00 ,0x01 ,0x00,
0x00 ,0x0e ,0x10 ,0x00 ,0x04 ,0x81 ,0x6f ,0x01,
0x0b ,0xc0 ,0x9f ,0x00 ,0x01 ,0x00 ,0x01 ,0x00,
0x00 ,0x0e ,0x10 ,0x00 ,0x04 ,0x81 ,0x6f ,0x0b,
0x51
};
Packet *p = SCMalloc(SIZE_OF_PACKET);
if (unlikely(p == NULL))
return 0;
ThreadVars tv;
DecodeThreadVars dtv;
IPV4Hdr ipv4h;
int ret = 0;
DetectFragBitsData *de = NULL;
SigMatch *sm = NULL;
memset(&tv, 0, sizeof(ThreadVars));
memset(p, 0, SIZE_OF_PACKET);
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&ipv4h, 0, sizeof(IPV4Hdr));
dtv.app_tctx = AppLayerGetCtxThread(&tv);
p->ip4h = &ipv4h;
FlowInitConfig(FLOW_QUIET);
DecodeEthernet(&tv, &dtv, p, raw_eth, sizeof(raw_eth), NULL);
de = DetectFragBitsParse("!D");
if (de == NULL || (de->fragbits != FRAGBITS_HAVE_DF) || (de->modifier != MODIFIER_NOT))
goto error;
sm = SigMatchAlloc();
if (sm == NULL)
goto error;
sm->type = DETECT_FRAGBITS;
sm->ctx = (void *)de;
ret = DetectFragBitsMatch(&tv,NULL,p,NULL,sm);
if(ret) {
if (de) SCFree(de);
if (sm) SCFree(sm);
PACKET_RECYCLE(p);
FlowShutdown();
SCFree(p);
return 1;
}
error:
if (de) SCFree(de);
if (sm) SCFree(sm);
PACKET_RECYCLE(p);
FlowShutdown();
SCFree(p);
return 0;
}
static int Unified2Test05 (void) {
ThreadVars tv;
DecodeThreadVars dtv;
PacketQueue pq;
void *data = NULL;
OutputCtx *oc;
LogFileCtx *lf;
Signature s;
uint8_t raw_ipv4_tcp[] = {
0x00, 0x14, 0xbf, 0xe8, 0xcb, 0x26, 0xaa, 0x00,
0x04, 0x00, 0x0a, 0x04, 0x08, 0x00, 0x45, 0x00,
0x00, 0x3c, 0x8c, 0x55, 0x40, 0x00, 0x40, 0x06,
0x69, 0x86, 0xc0, 0xa8, 0x0a, 0x68, 0x4a, 0x7d,
0x2f, 0x53, 0xc2, 0x40, 0x00, 0x50, 0x1f, 0x00,
0xa4, 0xd4, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x02,
0x16, 0xd0, 0x3d, 0x4e, 0x00, 0x00, 0x02, 0x04,
0x05, 0xb4, 0x04, 0x02, 0x08, 0x0a, 0x00, 0x1c,
0x28, 0x81, 0x00, 0x00, 0x00, 0x00, 0x01, 0x03,
0x03, 0x06};
Packet *p = PacketGetFromAlloc();
if (unlikely(p == NULL))
return 0;
int ret;
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&tv, 0, sizeof(ThreadVars));
memset(&pq, 0, sizeof(PacketQueue));
p->pkt = (uint8_t *)(p + 1);
memset(&s, 0, sizeof(Signature));
p->alerts.cnt++;
p->alerts.alerts[p->alerts.cnt-1].s = &s;
p->alerts.alerts[p->alerts.cnt-1].s->id = 1;
p->alerts.alerts[p->alerts.cnt-1].s->gid = 1;
p->alerts.alerts[p->alerts.cnt-1].s->rev = 1;
SET_PKT_LEN(p, sizeof(raw_ipv4_tcp));
FlowInitConfig(FLOW_QUIET);
DecodeEthernet(&tv, &dtv, p, raw_ipv4_tcp, sizeof(raw_ipv4_tcp), &pq);
FlowShutdown();
p->action = ACTION_DROP;
oc = Unified2AlertInitCtx(NULL);
if (oc == NULL) {
SCFree(p);
return 0;
}
lf = (LogFileCtx *)oc->data;
if(lf == NULL) {
SCFree(p);
return 0;
}
ret = Unified2AlertThreadInit(&tv, oc, &data);
if(ret == -1) {
SCFree(p);
return 0;
}
ret = Unified2Alert(&tv, p, data, &pq, NULL);
if(ret == TM_ECODE_FAILED) {
SCFree(p);
return 0;
}
ret = Unified2AlertThreadDeinit(&tv, data);
if(ret == TM_ECODE_FAILED) {
SCFree(p);
return 0;
}
Unified2AlertDeInitCtx(oc);
PACKET_CLEANUP(p);
SCFree(p);
return 1;
}
/**
* \test Test packet Matches
* \param raw_eth_pkt pointer to the ethernet packet
* \param pktsize size of the packet
* \param sig pointer to the signature to test
* \param sid sid number of the signature
* \retval return 1 if match
* \retval return 0 if not
*/
int DetectReplaceLongPatternMatchTest(uint8_t *raw_eth_pkt, uint16_t pktsize, char *sig,
uint32_t sid, uint8_t *pp, uint16_t *len)
{
int result = 0;
Packet *p = NULL;
p = PacketGetFromAlloc();
if (unlikely(p == NULL))
return 0;
DecodeThreadVars dtv;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
if (pp == NULL) {
SCLogDebug("replace: looks like a second run");
}
PacketCopyData(p, raw_eth_pkt, pktsize);
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&th_v, 0, sizeof(th_v));
FlowInitConfig(FLOW_QUIET);
DecodeEthernet(&th_v, &dtv, p, GET_PKT_DATA(p), pktsize, NULL);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, sig);
if (de_ctx->sig_list == NULL) {
goto end;
}
de_ctx->sig_list->next = NULL;
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->type == DETECT_CONTENT) {
DetectContentData *co = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
if (co->flags & DETECT_CONTENT_RELATIVE_NEXT) {
printf("relative next flag set on final match which is content: ");
goto end;
}
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, sid) != 1) {
SCLogDebug("replace: no alert on sig %d", sid);
goto end;
}
if (pp) {
memcpy(pp, GET_PKT_DATA(p), GET_PKT_LEN(p));
*len = pktsize;
SCLogDebug("replace: copying %d on %p", *len, pp);
}
result = 1;
end:
if (de_ctx != NULL)
{
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
if (det_ctx != NULL)
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
}
FlowShutdown();
SCFree(p);
return result;
}
static int Unified2Test02 (void) {
ThreadVars tv;
DecodeThreadVars dtv;
PacketQueue pq;
void *data = NULL;
OutputCtx *oc;
LogFileCtx *lf;
Signature s;
uint8_t raw_ipv6_tcp[] = {
0x00, 0x11, 0x25, 0x82, 0x95, 0xb5, 0x00, 0xd0,
0x09, 0xe3, 0xe8, 0xde, 0x86, 0xdd, 0x60, 0x00,
0x00, 0x00, 0x00, 0x28, 0x06, 0x40, 0x20, 0x01,
0x06, 0xf8, 0x10, 0x2d, 0x00, 0x00, 0x02, 0xd0,
0x09, 0xff, 0xfe, 0xe3, 0xe8, 0xde, 0x20, 0x01,
0x06, 0xf8, 0x09, 0x00, 0x07, 0xc0, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xe7, 0x41,
0x00, 0x50, 0xab, 0xdc, 0xd6, 0x60, 0x00, 0x00,
0x00, 0x00, 0xa0, 0x02, 0x16, 0x80, 0x41, 0xa2,
0x00, 0x00, 0x02, 0x04, 0x05, 0xa0, 0x04, 0x02,
0x08, 0x0a, 0x00, 0x0a, 0x22, 0xa8, 0x00, 0x00,
0x00, 0x00, 0x01, 0x03, 0x03, 0x05 };
Packet *p = SCMalloc(SIZE_OF_PACKET);
if (unlikely(p == NULL))
return 0;
int ret;
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&tv, 0, sizeof(ThreadVars));
memset(&pq, 0, sizeof(PacketQueue));
memset(p, 0, SIZE_OF_PACKET);
p->pkt = (uint8_t *)(p + 1);
memset(&s, 0, sizeof(Signature));
PACKET_INITIALIZE(p);
p->alerts.cnt++;
p->alerts.alerts[p->alerts.cnt-1].s = &s;
p->alerts.alerts[p->alerts.cnt-1].s->id = 1;
p->alerts.alerts[p->alerts.cnt-1].s->gid = 1;
p->alerts.alerts[p->alerts.cnt-1].s->rev = 1;
SET_PKT_LEN(p, sizeof(raw_ipv6_tcp));
FlowInitConfig(FLOW_QUIET);
DecodeEthernet(&tv, &dtv, p, raw_ipv6_tcp, sizeof(raw_ipv6_tcp), &pq);
FlowShutdown();
oc = Unified2AlertInitCtx(NULL);
if (oc == NULL) {
SCFree(p);
return 0;
}
lf = (LogFileCtx *)oc->data;
if(lf == NULL) {
SCFree(p);
return 0;
}
ret = Unified2AlertThreadInit(&tv, oc, &data);
if(ret == -1) {
SCFree(p);
return 0;
}
ret = Unified2Alert(&tv, p, data, &pq, NULL);
if(ret == TM_ECODE_FAILED) {
SCFree(p);
return 0;
}
ret = Unified2AlertThreadDeinit(&tv, data);
if(ret == -1) {
SCFree(p);
return 0;
}
Unified2AlertDeInitCtx(oc);
PACKET_CLEANUP(p);
SCFree(p);
return 1;
}
static int Unified2Test03 (void) {
ThreadVars tv;
DecodeThreadVars dtv;
PacketQueue pq;
void *data = NULL;
OutputCtx *oc;
LogFileCtx *lf;
Signature s;
uint8_t raw_gre[] = {
0x00, 0x0e, 0x50, 0x06, 0x42, 0x96, 0xaa, 0x00,
0x04, 0x00, 0x0a, 0x04, 0x08, 0x00, 0x45, 0x00,
0x00, 0x74, 0x35, 0xa2, 0x40, 0x00, 0x40, 0x2f,
0xef, 0xcb, 0x0a, 0x00, 0x00, 0x64, 0x0a, 0x00,
0x00, 0x8a, 0x30, 0x01, 0x88, 0x0b, 0x00, 0x54,
0x00, 0x00, 0x00, 0x18, 0x29, 0x5f, 0xff, 0x03,
0x00, 0x21, 0x45, 0x00, 0x00, 0x50, 0xf4, 0x05,
0x40, 0x00, 0x3f, 0x06, 0x20, 0xb8, 0x50, 0x7e,
0x2b, 0x2d, 0xd4, 0xcc, 0xd6, 0x72, 0x0a, 0x92,
0x1a, 0x0b, 0xc9, 0xaf, 0x24, 0x02, 0x8c, 0xdd,
0x45, 0xf6, 0x80, 0x18, 0x21, 0xfc, 0x10, 0x7c,
0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x08, 0x19,
0x1a, 0xda, 0x84, 0xd6, 0xda, 0x3e, 0x50, 0x49,
0x4e, 0x47, 0x20, 0x73, 0x74, 0x65, 0x72, 0x6c,
0x69, 0x6e, 0x67, 0x2e, 0x66, 0x72, 0x65, 0x65,
0x6e, 0x6f, 0x64, 0x65, 0x2e, 0x6e, 0x65, 0x74,
0x0d, 0x0a};
Packet *p = PacketGetFromAlloc();
if (unlikely(p == NULL))
return 0;
int ret;
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&tv, 0, sizeof(ThreadVars));
memset(&pq, 0, sizeof(PacketQueue));
p->pkt = (uint8_t *)(p + 1);
memset(&s, 0, sizeof(Signature));
p->alerts.cnt++;
p->alerts.alerts[p->alerts.cnt-1].s = &s;
p->alerts.alerts[p->alerts.cnt-1].s->id = 1;
p->alerts.alerts[p->alerts.cnt-1].s->gid = 1;
p->alerts.alerts[p->alerts.cnt-1].s->rev = 1;
SET_PKT_LEN(p, sizeof(raw_gre));
FlowInitConfig(FLOW_QUIET);
DecodeEthernet(&tv, &dtv, p, raw_gre, sizeof(raw_gre), &pq);
FlowShutdown();
oc = Unified2AlertInitCtx(NULL);
if (oc == NULL) {
SCFree(p);
return 0;
}
lf = (LogFileCtx *)oc->data;
if(lf == NULL) {
SCFree(p);
return 0;
}
ret = Unified2AlertThreadInit(&tv, oc, &data);
if(ret == -1) {
SCFree(p);
return 0;
}
ret = Unified2Alert(&tv, p, data, &pq, NULL);
if(ret == TM_ECODE_FAILED) {
SCFree(p);
return 0;
}
ret = Unified2AlertThreadDeinit(&tv, data);
if(ret == -1) {
SCFree(p);
return 0;
}
Unified2AlertDeInitCtx(oc);
Packet *pkt = PacketDequeue(&pq);
while (pkt != NULL) {
SCFree(pkt);
pkt = PacketDequeue(&pq);
}
PACKET_CLEANUP(p);
SCFree(p);
return 1;
}
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
uint8_t *pkt, uint32_t len, PacketQueue *pq)
{
StatsIncr(tv, dtv->counter_eth);
if (unlikely(len < ETHERNET_HEADER_LEN)) {
ENGINE_SET_INVALID_EVENT(p, ETHERNET_PKT_TOO_SMALL);
return TM_ECODE_FAILED;
}
if (unlikely(len > ETHERNET_HEADER_LEN + USHRT_MAX)) {
return TM_ECODE_FAILED;
}
p->ethh = (EthernetHdr *)pkt;
if (unlikely(p->ethh == NULL))
return TM_ECODE_FAILED;
SCLogDebug("p %p pkt %p ether type %04x", p, pkt, SCNtohs(p->ethh->eth_type));
switch (SCNtohs(p->ethh->eth_type)) {
case ETHERNET_TYPE_IP:
//printf("DecodeEthernet ip4\n");
DecodeIPV4(tv, dtv, p, pkt + ETHERNET_HEADER_LEN,
len - ETHERNET_HEADER_LEN, pq);
break;
case ETHERNET_TYPE_IPV6:
//printf("DecodeEthernet ip6\n");
DecodeIPV6(tv, dtv, p, pkt + ETHERNET_HEADER_LEN,
len - ETHERNET_HEADER_LEN, pq);
break;
case ETHERNET_TYPE_PPPOE_SESS:
//printf("DecodeEthernet PPPOE Session\n");
DecodePPPOESession(tv, dtv, p, pkt + ETHERNET_HEADER_LEN,
len - ETHERNET_HEADER_LEN, pq);
break;
case ETHERNET_TYPE_PPPOE_DISC:
//printf("DecodeEthernet PPPOE Discovery\n");
DecodePPPOEDiscovery(tv, dtv, p, pkt + ETHERNET_HEADER_LEN,
len - ETHERNET_HEADER_LEN, pq);
break;
case ETHERNET_TYPE_VLAN:
case ETHERNET_TYPE_8021QINQ:
DecodeVLAN(tv, dtv, p, pkt + ETHERNET_HEADER_LEN,
len - ETHERNET_HEADER_LEN, pq);
break;
case ETHERNET_TYPE_MPLS_UNICAST:
case ETHERNET_TYPE_MPLS_MULTICAST:
DecodeMPLS(tv, dtv, p, pkt + ETHERNET_HEADER_LEN,
len - ETHERNET_HEADER_LEN, pq);
break;
case ETHERNET_TYPE_DCE:
if (unlikely(len < ETHERNET_DCE_HEADER_LEN)) {
ENGINE_SET_INVALID_EVENT(p, DCE_PKT_TOO_SMALL);
} else {
DecodeEthernet(tv, dtv, p, pkt + ETHERNET_DCE_HEADER_LEN,
len - ETHERNET_DCE_HEADER_LEN, pq);
}
break;
default:
SCLogDebug("p %p pkt %p ether type %04x not supported", p,
pkt, SCNtohs(p->ethh->eth_type));
}
return TM_ECODE_OK;
}
/**
* \test FragBitsTestParse03 test if DONT FRAG is set. Must return success
*
* \retval 1 on success
* \retval 0 on failure
*/
static int FragBitsTestParse03 (void) {
uint8_t raw_eth[] = {
0x00 ,0x40 ,0x33 ,0xd9 ,0x7c ,0xfd ,0x00 ,0x00,
0x39 ,0xcf ,0xd9 ,0xcd ,0x08 ,0x00 ,0x45 ,0x00,
0x01 ,0x13 ,0x9c ,0x5d ,0x40 ,0x00 ,0xf6 ,0x11,
0x44 ,0xca ,0x97 ,0xa4 ,0x01 ,0x08 ,0x0a ,0x00,
0x00 ,0x06 ,0x00 ,0x35 ,0x04 ,0x0b ,0x00 ,0xff,
0x3c ,0x87 ,0x7d ,0x9e ,0x85 ,0x80 ,0x00 ,0x01,
0x00 ,0x01 ,0x00 ,0x05 ,0x00 ,0x05 ,0x06 ,0x70,
0x69 ,0x63 ,0x61 ,0x72 ,0x64 ,0x07 ,0x75 ,0x74,
0x68 ,0x73 ,0x63 ,0x73 ,0x61 ,0x03 ,0x65 ,0x64,
0x75 ,0x00 ,0x00 ,0x01 ,0x00 ,0x01 ,0xc0 ,0x0c,
0x00 ,0x01 ,0x00 ,0x01 ,0x00 ,0x00 ,0x0e ,0x10,
0x00 ,0x04 ,0x81 ,0x6f ,0x1e ,0x1b ,0x07 ,0x75,
0x74 ,0x68 ,0x73 ,0x63 ,0x73 ,0x61 ,0x03 ,0x65,
0x64 ,0x75 ,0x00 ,0x00 ,0x02 ,0x00 ,0x01 ,0x00,
0x00 ,0x0e ,0x10 ,0x00 ,0x09 ,0x06 ,0x6b ,0x65,
0x6e ,0x6f ,0x62 ,0x69 ,0xc0 ,0x34 ,0xc0 ,0x34,
0x00 ,0x02 ,0x00 ,0x01 ,0x00 ,0x00 ,0x0e ,0x10,
0x00 ,0x07 ,0x04 ,0x6a ,0x69 ,0x6e ,0x6e ,0xc0,
0x34 ,0xc0 ,0x34 ,0x00 ,0x02 ,0x00 ,0x01 ,0x00,
0x00 ,0x0e ,0x10 ,0x00 ,0x0c ,0x04 ,0x64 ,0x6e,
0x73 ,0x31 ,0x04 ,0x6e ,0x6a ,0x69 ,0x74 ,0xc0,
0x3c ,0xc0 ,0x34 ,0x00 ,0x02 ,0x00 ,0x01 ,0x00,
0x00 ,0x0e ,0x10 ,0x00 ,0x08 ,0x05 ,0x65 ,0x6c,
0x7a ,0x69 ,0x70 ,0xc0 ,0x34 ,0xc0 ,0x34 ,0x00,
0x02 ,0x00 ,0x01 ,0x00 ,0x00 ,0x0e ,0x10 ,0x00,
0x08 ,0x05 ,0x61 ,0x72 ,0x77 ,0x65 ,0x6e ,0xc0,
0x34 ,0xc0 ,0x4b ,0x00 ,0x01 ,0x00 ,0x01 ,0x00,
0x00 ,0x0e ,0x10 ,0x00 ,0x04 ,0x81 ,0x6f ,0x1a,
0x06 ,0xc0 ,0x60 ,0x00 ,0x01 ,0x00 ,0x01 ,0x00,
0x00 ,0x0e ,0x10 ,0x00 ,0x04 ,0x81 ,0x6f ,0x1a,
0x07 ,0xc0 ,0x73 ,0x00 ,0x01 ,0x00 ,0x01 ,0x00,
0x01 ,0x03 ,0x82 ,0x00 ,0x04 ,0x80 ,0xeb ,0xfb,
0x0a ,0xc0 ,0x8b ,0x00 ,0x01 ,0x00 ,0x01 ,0x00,
0x00 ,0x0e ,0x10 ,0x00 ,0x04 ,0x81 ,0x6f ,0x01,
0x0b ,0xc0 ,0x9f ,0x00 ,0x01 ,0x00 ,0x01 ,0x00,
0x00 ,0x0e ,0x10 ,0x00 ,0x04 ,0x81 ,0x6f ,0x0b,
0x51};
Packet *p = SCMalloc(SIZE_OF_PACKET);
if (p == NULL)
return 0;
ThreadVars tv;
DecodeThreadVars dtv;
IPV4Hdr ipv4h;
int ret = 0;
DetectFragBitsData *de = NULL;
SigMatch *sm = NULL;
memset(&tv, 0, sizeof(ThreadVars));
memset(p, 0, SIZE_OF_PACKET);
p->pkt = (uint8_t *)(p + 1);
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&ipv4h, 0, sizeof(IPV4Hdr));
AlpProtoFinalize2Thread(&dtv.udp_dp_ctx);
p->ip4h = &ipv4h;
FlowInitConfig(FLOW_QUIET);
DecodeEthernet(&tv, &dtv, p, raw_eth, sizeof(raw_eth), NULL);
de = DetectFragBitsParse("D");
if (de == NULL || (de->fragbits != IPV4_CACHE_DF))
goto error;
sm = SigMatchAlloc();
if (sm == NULL)
goto error;
sm->type = DETECT_FRAGBITS;
sm->ctx = (void *)de;
ret = DetectFragBitsMatch(&tv,NULL,p,NULL,sm);
if(ret) {
if (de) SCFree(de);
if (sm) SCFree(sm);
SCFree(p);
return 1;
}
error:
FlowShutdown();
if (de) SCFree(de);
if (sm) SCFree(sm);
SCFree(p);
return 0;
}
int DecodeMPLS(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
uint16_t len, PacketQueue *pq)
{
uint32_t shim;
int label;
int event = 0;
StatsIncr(tv, dtv->counter_mpls);
do {
if (len < MPLS_HEADER_LEN) {
ENGINE_SET_INVALID_EVENT(p, MPLS_HEADER_TOO_SMALL);
return TM_ECODE_FAILED;
}
shim = *(uint32_t *)pkt;
pkt += MPLS_HEADER_LEN;
len -= MPLS_HEADER_LEN;
} while (MPLS_BOTTOM(shim) == 0);
label = MPLS_LABEL(shim);
if (label == MPLS_LABEL_IPV4) {
return DecodeIPV4(tv, dtv, p, pkt, len, pq);
}
else if (label == MPLS_LABEL_ROUTER_ALERT) {
/* Not valid at the bottom of the stack. */
event = MPLS_BAD_LABEL_ROUTER_ALERT;
}
else if (label == MPLS_LABEL_IPV6) {
return DecodeIPV6(tv, dtv, p, pkt, len, pq);
}
else if (label == MPLS_LABEL_NULL) {
/* Shouldn't appear on the wire. */
event = MPLS_BAD_LABEL_IMPLICIT_NULL;
}
else if (label < MPLS_MAX_RESERVED_LABEL) {
event = MPLS_BAD_LABEL_RESERVED;
}
if (event) {
goto end;
}
/* Best guess at inner packet. */
switch (pkt[0] >> 4) {
case MPLS_PROTO_IPV4:
DecodeIPV4(tv, dtv, p, pkt, len, pq);
break;
case MPLS_PROTO_IPV6:
DecodeIPV6(tv, dtv, p, pkt, len, pq);
break;
case MPLS_PROTO_ETHERNET_PW:
DecodeEthernet(tv, dtv, p, pkt + MPLS_PW_LEN, len - MPLS_PW_LEN,
pq);
break;
default:
ENGINE_SET_INVALID_EVENT(p, MPLS_UNKNOWN_PAYLOAD_TYPE);
return TM_ECODE_OK;
}
end:
if (event) {
ENGINE_SET_EVENT(p, event);
}
return TM_ECODE_OK;
}
int DecodeMPLS(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
uint32_t len, PacketQueue *pq)
{
uint32_t shim;
int label;
int event = 0;
StatsIncr(tv, dtv->counter_mpls);
do {
if (len < MPLS_HEADER_LEN) {
ENGINE_SET_INVALID_EVENT(p, MPLS_HEADER_TOO_SMALL);
return TM_ECODE_FAILED;
}
memcpy(&shim, pkt, sizeof(shim));
pkt += MPLS_HEADER_LEN;
len -= MPLS_HEADER_LEN;
} while (MPLS_BOTTOM(shim) == 0);
label = MPLS_LABEL(shim);
if (label == MPLS_LABEL_IPV4) {
if (len > USHRT_MAX) {
return TM_ECODE_FAILED;
}
return DecodeIPV4(tv, dtv, p, pkt, len, pq);
}
else if (label == MPLS_LABEL_ROUTER_ALERT) {
/* Not valid at the bottom of the stack. */
event = MPLS_BAD_LABEL_ROUTER_ALERT;
}
else if (label == MPLS_LABEL_IPV6) {
if (len > USHRT_MAX) {
return TM_ECODE_FAILED;
}
return DecodeIPV6(tv, dtv, p, pkt, len, pq);
}
else if (label == MPLS_LABEL_NULL) {
/* Shouldn't appear on the wire. */
event = MPLS_BAD_LABEL_IMPLICIT_NULL;
}
else if (label < MPLS_MAX_RESERVED_LABEL) {
event = MPLS_BAD_LABEL_RESERVED;
}
if (event) {
goto end;
}
// Make sure we still have enough data. While we only need 1 byte to test
// for IPv4 and IPv4, we need for to check for ethernet.
if (len < MPLS_PW_LEN) {
ENGINE_SET_INVALID_EVENT(p, MPLS_PKT_TOO_SMALL);
return TM_ECODE_FAILED;
}
/* Best guess at inner packet. */
switch (pkt[0] >> 4) {
case MPLS_PROTO_IPV4:
if (len > USHRT_MAX) {
return TM_ECODE_FAILED;
}
DecodeIPV4(tv, dtv, p, pkt, len, pq);
break;
case MPLS_PROTO_IPV6:
if (len > USHRT_MAX) {
return TM_ECODE_FAILED;
}
DecodeIPV6(tv, dtv, p, pkt, len, pq);
break;
case MPLS_PROTO_ETHERNET_PW:
DecodeEthernet(tv, dtv, p, pkt + MPLS_PW_LEN, len - MPLS_PW_LEN,
pq);
break;
default:
ENGINE_SET_INVALID_EVENT(p, MPLS_UNKNOWN_PAYLOAD_TYPE);
return TM_ECODE_OK;
}
end:
if (event) {
ENGINE_SET_EVENT(p, event);
}
return TM_ECODE_OK;
}
static int DetectCsumICMPV6Test01(void)
{
DetectEngineCtx *de_ctx = NULL;
Signature *s = NULL;
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
DecodeThreadVars dtv;
Packet *p = PacketGetFromAlloc();
FAIL_IF_NULL(p);
uint8_t pkt[] = {
0x00, 0x30, 0x18, 0xa8, 0x7c, 0x23, 0x2c, 0x41,
0x38, 0xa7, 0xea, 0xeb, 0x86, 0xdd, 0x60, 0x00,
0x00, 0x00, 0x00, 0x40, 0x3c, 0x40, 0xad, 0xa1,
0x09, 0x80, 0x00, 0x01, 0xd6, 0xf3, 0x20, 0x01,
0xf4, 0xbe, 0xea, 0x3c, 0x00, 0x01, 0x00, 0x00,
0x00, 0x00, 0x32, 0xb2, 0x00, 0x01, 0x32, 0xb2,
0x09, 0x80, 0x20, 0x01, 0x00, 0x00, 0x3c, 0x00,
0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x00,
0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x00,
0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x00,
0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x3a, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00,
0x63, 0xc2, 0x00, 0x00, 0x00, 0x00 };
PacketCopyData(p, pkt, sizeof(pkt));
memset(&tv, 0, sizeof(tv));
memset(&dtv, 0, sizeof(dtv));
StreamTcpInitConfig(TRUE);
FlowInitConfig(FLOW_QUIET);
de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert ip any any -> any any "
"(icmpv6-csum:valid; sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DecodeEthernet(&tv, &dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), NULL);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
FAIL_IF(!PacketAlertCheck(p, 1));
DetectEngineThreadCtxDeinit(&tv, det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
PACKET_RECYCLE(p);
FlowShutdown();
SCFree(p);
PASS;
}
