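/** 
 * Given a packet, generate a key.
 *
 * Only IPv4 packets are keyed.  For TCP and UDP the key is the
 * protocol, both addresses and both ports; for every other IP protocol
 * it is the protocol and both addresses, with the port fields left at
 * zero by the memset below.
 *
 * @todo ICMP errors on an existing flow
 * 
 * @param key where to set the key (zeroed first, then filled in)
 * @param p Packet to make a key from
 * 
 * @return FLOW_SUCCESS on success, FLOW_ENULL if either argument is NULL,
 *         FLOW_EINVALID if the packet is not IPv4
 */
int flowkey_make(FLOWKEY *key, FLOWPACKET *p)
{
    u_int8_t proto;
    
    if(!key || !p)
        return FLOW_ENULL;

    /* Zero the whole key so that fields not written below (the ports
     * for non-TCP/UDP traffic) compare equal for packets of one flow. */
    memset(key, 0, sizeof(FLOWKEY));
    
    /* IPV4 path is the only one implemented */
    if(!IsIPv4Packet(p))
        return FLOW_EINVALID;

    proto = GetIPv4Proto(p);
        
    switch(proto)
    {
    case IPPROTO_TCP:
    case IPPROTO_UDP:
        key->init_port = GetIPv4SrcPort(p);
        key->resp_port = GetIPv4DstPort(p);
        /* fallthrough: TCP/UDP also need the protocol and addresses.
         * Deliberately no break here -- adding one would leave the
         * 5-tuple half-filled. */
    default:
        key->protocol = proto;
        key->init_address = GetIPv4SrcIp(p);
        key->resp_address = GetIPv4DstIp(p);
        break;
    }

    return FLOW_SUCCESS;
}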
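/** 
 * Make a packet with the flowps data in it.
 *
 * This is used to generate a fake IP datagram to carry portscan data
 * from snort so that it can be processed by custom utilities.  The
 * datagram is assembled in the static s_pkt; only the timestamp, the
 * two IP addresses, the payload and the length fields are written here,
 * so the remaining header fields listed below are assumed to have been
 * pre-filled wherever s_pkt is set up (not visible in this file).
 *
 * SRC + DST mac addresses = "MACDAD"
 * sip == attacker, dip == destination of the packet that triggered us
 * ip proto 255
 * ttl = 0
 * chksum = 0
 *
 * @param sep score entry to generate a packet from
 * @param orig_packet packet that triggered the alert; supplies the dst ip
 * @param address ptr to the address of the attacker (4 bytes, copied as-is)
 * @param cur time stamped into the packet header
 * 
 * @return a pointer to a fully formed packet on success; NULL if an
 *         argument is NULL, if score_entry_sprint produced no data, or
 *         if the payload would not fit the data buffer or the 16-bit
 *         ip_len field
 */
static Packet *flowps_mkpacket(SCORE_ENTRY *sep, FLOWPACKET *orig_packet, u_int32_t *address, time_t cur)
{
    Packet *p = s_pkt;
    int len;
    u_int32_t dst_ip;
    unsigned short plen;

    /* Same NULL discipline as flowkey_make: fail rather than dereference. */
    if(!sep || !orig_packet || !address)
        return NULL;

    p->pkth->ts.tv_sec = cur;

    dst_ip = GetIPv4DstIp(orig_packet);

    memcpy(&p->iph->ip_src.s_addr, address, 4);
    memcpy(&p->iph->ip_dst.s_addr, &dst_ip, 4);

    len = score_entry_sprint(p->data, FLOWPSMAXPKTSIZE, sep, address);
    
    if(len <= 0)
    {
        /* nothing to send, or the formatter failed */
        return NULL;
    }

    /* score_entry_sprint was bounded to FLOWPSMAXPKTSIZE bytes, so
     * p->data is presumably that size; the terminator written below needs
     * one more byte, so a completely full buffer is rejected instead of
     * being terminated one past its end. */
    if(len >= FLOWPSMAXPKTSIZE)
        return NULL;

    /* ip_len is 16 bits and must hold payload + IP header.  Check that in
     * int, before any narrowing: the previous test,
     * (plen + IP_HEADER_LEN) < plen on an unsigned short, could never
     * fire because both operands promote to int and the sum cannot wrap
     * there -- the wrap only happened later, on the narrowing += below. */
    if(len > 0xFFFF - IP_HEADER_LEN)
        return NULL;

    p->data[len] = '\0';

    /* len is now known to fit; narrow it explicitly */
    plen = (unsigned short)len;
    p->dsize = plen;
    
    plen += IP_HEADER_LEN;
    p->iph->ip_len = htons(plen);

    p->pkth->caplen = ETHERNET_HEADER_LEN + plen;
    p->pkth->len    = ETHERNET_HEADER_LEN + plen;
        
    return p;
}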