/**
 * Given a packet, generate a key.
 *
 * The key is zeroed first, so any field not set for the packet's
 * protocol (the two ports for anything but TCP/UDP) reads back as 0.
 *
 * @todo ICMP errors on an existing flow
 *
 * @param key where to set the key
 * @param p Packet to make a key from
 *
 * @return FLOW_SUCCESS on success, FLOW_ENULL when either argument is
 *         NULL, FLOW_EINVALID when the packet is not IPv4
 */
int flowkey_make(FLOWKEY *key, FLOWPACKET *p)
{
    u_int8_t ip_proto;

    if (!key || !p) {
        return FLOW_ENULL;
    }

    memset(key, 0, sizeof *key);

    /* only the IPv4 path is handled here */
    if (!IsIPv4Packet(p)) {
        return FLOW_EINVALID;
    }

    ip_proto = GetIPv4Proto(p);

    /* ports are only meaningful for TCP and UDP; every other protocol
     * keeps the zeroed ports from the memset above */
    if (ip_proto == IPPROTO_TCP || ip_proto == IPPROTO_UDP) {
        key->init_port = GetIPv4SrcPort(p);
        key->resp_port = GetIPv4DstPort(p);
    }

    key->protocol = ip_proto;
    key->init_address = GetIPv4SrcIp(p);
    key->resp_address = GetIPv4DstIp(p);

    return FLOW_SUCCESS;
}
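/**
 * Make a packet with the flowps data in it.
 *
 * This is used to generate a fake IP datagram to carry portscan data
 * from snort so that it can be processed by custom utilities.
 *
 * SRC + DST mac addresses = "MACDAD"
 * sip+dip == attacker
 * ip proto 255
 * ttl = 0
 * chksum = 0
 *
 * The returned packet is s_pkt itself (presumably a file-scope buffer),
 * so every call overwrites the same packet and the caller must not
 * free it.
 *
 * @param sep score entry to generate a packet from
 * @param orig_packet packet whose IPv4 destination becomes the fake
 *        packet's destination
 * @param address ptr to the address of the attacker (4 bytes, copied
 *        as-is into the source address)
 * @param cur timestamp stored in the packet header
 *
 * @return a pointer to a fully formed packet on success, NULL if the
 *         score entry printed nothing or the payload plus IP header
 *         would not fit in the 16-bit IP length field
 */
static Packet *flowps_mkpacket(SCORE_ENTRY *sep, FLOWPACKET *orig_packet,
                               u_int32_t *address, time_t cur)
{
    Packet *p = s_pkt;
    int len;
    u_int32_t dst_ip;
    unsigned short plen;

    p->pkth->ts.tv_sec = cur;

    /* destination follows the packet that produced the score, source is
     * the attacker's address */
    dst_ip = GetIPv4DstIp(orig_packet);
    memcpy(&p->iph->ip_src.s_addr, address, 4);
    memcpy(&p->iph->ip_dst.s_addr, &dst_ip, 4);

    len = score_entry_sprint(p->data, FLOWPSMAXPKTSIZE, sep, address);
    if (len <= 0) {
        /* nothing printed, or an error from the printer */
        return NULL;
    }

    /* The payload plus the IP header has to fit the 16-bit ip_len field.
     * Test this on the untruncated int: the previous check of
     * (plen + IP_HEADER_LEN) < plen on an unsigned short could never be
     * true, because both operands promote to int before the addition. */
    if ((unsigned)len > 0xFFFFu - IP_HEADER_LEN) {
        return NULL;
    }

    /* this can never return more than FLOWPSMAXPKTSIZE; assumes p->data
     * has room for the terminator at data[FLOWPSMAXPKTSIZE] — TODO confirm */
    p->data[len] = '\0';

    /* the bound above guarantees the narrowing cast loses nothing */
    plen = (unsigned short)len;
    p->dsize = plen;

    plen += IP_HEADER_LEN;
    p->iph->ip_len = htons(plen);
    p->pkth->caplen = ETHERNET_HEADER_LEN + plen;
    p->pkth->len = ETHERNET_HEADER_LEN + plen;

    return p;
}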