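/*
 * Locate the TCP header and payload inside the captured frame described by pi
 * and hand the packet to connection tracking.
 *
 * Layout used (all offsets relative to pi->packet):
 *   pi->eth_hlen            link-layer header
 *   IP_HL(pi->ip4) * 4      IPv4 header, or IP6_HEADER_LEN for IPv6
 *   TCP_OFFSET(tcph) * 4    TCP header, as announced by its data offset field
 *
 * pi->pheader->caplen is the *captured* length, not the on-wire length, so a
 * truncated capture or a bogus data offset can place the TCP header or the
 * payload beyond the buffer.  Such packets are still counted in tcp_recv but
 * are not tracked; pi->tcph, pi->plen and pi->payload are then not usable.
 * Address families other than AF_INET/AF_INET6 are not handled here and
 * return without touching pi->tcph.
 */
void prepare_tcp(packetinfo *pi)
{
    const size_t caplen = pi->pheader->caplen;
    const size_t tcp_min_hlen = 20;   /* data offset below 5 words is malformed */
    size_t l3_hlen;                   /* network-layer header length */
    size_t hdr_off;                   /* offset of the TCP header in pi->packet */
    size_t tcp_hlen;                  /* TCP header length from the data offset */

    config.p_s.tcp_recv++;

    if (pi->af == AF_INET) {
        vlog(0x3, "[*] IPv4 PROTOCOL TYPE TCP:\n");
        l3_hlen = (size_t)IP_HL(pi->ip4) * 4;
    } else if (pi->af == AF_INET6) {
        vlog(0x3, "[*] IPv6 PROTOCOL TYPE TCP:\n");
        l3_hlen = IP6_HEADER_LEN;
    } else {
        return;
    }

    hdr_off = (size_t)pi->eth_hlen + l3_hlen;

    /* The fixed part of the TCP header must be inside the capture before the
     * data offset field can be read from it. */
    if (caplen < hdr_off || caplen - hdr_off < tcp_min_hlen) {
        vlog(0x3, "[*] TCP header truncated, not tracking\n");
        return;
    }
    pi->tcph = (tcp_header *)(pi->packet + hdr_off);

    /* Reject a data offset that is below the minimum or runs past the
     * capture; the subtraction below would otherwise wrap. */
    tcp_hlen = (size_t)TCP_OFFSET(pi->tcph) * 4;
    if (tcp_hlen < tcp_min_hlen || caplen - hdr_off < tcp_hlen) {
        vlog(0x3, "[*] bogus TCP data offset, not tracking\n");
        return;
    }

    pi->plen = caplen - hdr_off - tcp_hlen;
    pi->payload = pi->packet + hdr_off + tcp_hlen;
    pi->proto = IP_PROTO_TCP;
    pi->s_port = pi->tcph->src_port;
    pi->d_port = pi->tcph->dst_port;
    connection_tracking(pi);
}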
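/*
 * Format the TCP header of p into data->formatBuffer as a record of
 * sp, dp, seq, ack, off, x2, flags, win, sum, urp separated by
 * data->field_separators, then hand it to OpSyslog_Concat().
 *
 * Returns 1 on a NULL argument, a packet without a TCP header, a snprintf
 * error, or when the record does not fit in SYSLOG_MAX_QUERY_SIZE;
 * otherwise the result of OpSyslog_Concat().
 */
static int Syslog_FormatTCPHeaderLog(OpSyslog_Data *data, Packet *p)
{
    if (data == NULL || p == NULL || p->tcph == NULL) {
        return 1;
    }

    /* Zero fields stay zero through ntohl/ntohs, so no per-field
     * "convert only if non-zero" test is needed. */
    unsigned int th_seq   = ntohl(p->tcph->th_seq);
    unsigned int th_ack   = ntohl(p->tcph->th_ack);
    unsigned int th_off   = TCP_OFFSET(p->tcph);
    unsigned int th_x2    = TCP_X2(p->tcph);
    unsigned int th_flags = p->tcph->th_flags;
    unsigned int th_win   = ntohs(p->tcph->th_win);
    unsigned int th_sum   = ntohs(p->tcph->th_sum);
    unsigned int th_urp   = ntohs(p->tcph->th_urp);

    int written = snprintf(data->formatBuffer, SYSLOG_MAX_QUERY_SIZE,
                           "%u%c%u%c%u%c%u%c%u%c%u%c%u%c%u%c%u%c%u",
                           (unsigned int)p->sp, data->field_separators,
                           (unsigned int)p->dp, data->field_separators,
                           th_seq, data->field_separators,
                           th_ack, data->field_separators,
                           th_off, data->field_separators,
                           th_x2, data->field_separators,
                           th_flags, data->field_separators,
                           th_win, data->field_separators,
                           th_sum, data->field_separators,
                           th_urp);

    /* snprintf reports the length the full record would have had: a value
     * of SYSLOG_MAX_QUERY_SIZE or more means the buffer was truncated, and
     * a negative value is an encoding error.  Only a complete record is
     * accounted for in format_current_pos. */
    if (written < 0 || written >= SYSLOG_MAX_QUERY_SIZE) {
        return 1;
    }
    data->format_current_pos += written;
    if (data->format_current_pos > SYSLOG_MAX_QUERY_SIZE) {
        return 1;
    }

    return OpSyslog_Concat(data);
}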
/*--------------------------------------------------------------------
 * Function: LogTCPHeader(TextLog* )
 *
 * Purpose: Dump the TCP header info to the given TextLog
 *
 * Arguments: log => pointer to TextLog to print data to
 *            p   => packet whose tcph (and tcp options) are printed;
 *                   a NULL tcph prints a truncation notice instead
 *
 * Returns: void function
 *--------------------------------------------------------------------
 */
void LogTCPHeader(TextLog* log, Packet * p)
{
    char flagStr[9];
    int hasUrgPtr;

    if (p->tcph == NULL)
    {
        TextLog_Print(log, "TCP header truncated\n");
        return;
    }

    /* flag string first; the terminating NUL is not printed */
    CreateTCPFlagString(p, flagStr);
    TextLog_Puts(log, flagStr);

    /* seq/ack/window come from the wire in network order */
    TextLog_Print(log, " Seq: 0x%lX Ack: 0x%lX Win: 0x%X TcpLen: %d",
                  (u_long) ntohl(p->tcph->th_seq),
                  (u_long) ntohl(p->tcph->th_ack),
                  ntohs(p->tcph->th_win),
                  TCP_OFFSET(p->tcph) << 2);

    /* the urgent pointer is only meaningful when URG is set */
    hasUrgPtr = (p->tcph->th_flags & TH_URG) != 0;
    if (!hasUrgPtr)
    {
        TextLog_NewLine(log);
    }
    else
    {
        TextLog_Print(log, " UrgPtr: 0x%X\n", (uint16_t) ntohs(p->tcph->th_urp));
    }

    /* options, if the decoder found any */
    if (p->tcp_option_count != 0)
    {
        LogTcpOptions(log, p);
    }
}
/* Consumes the TCP header at the front of 'packet' and returns it.
 *
 * Returns NULL, leaving 'packet' untouched, when the buffer is shorter than
 * TCP_HEADER_LEN, when the data offset announces a header shorter than
 * TCP_HEADER_LEN, or when the announced header runs past the buffer. */
static struct tcp_header *
pull_tcp(struct ofpbuf *packet)
{
    struct tcp_header *tcp;
    int hdr_len;

    if (packet->size < TCP_HEADER_LEN) {
        return NULL;
    }

    tcp = packet->data;
    hdr_len = TCP_OFFSET(tcp->tcp_ctl) * 4;
    if (hdr_len < TCP_HEADER_LEN || packet->size < hdr_len) {
        return NULL;
    }

    return ofpbuf_pull(packet, hdr_len);
}
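/*
 * Copy the decoded headers of p, plus the id/revision of the rule that fired,
 * into alert as IDMEF additional-data entries.
 *
 * Entries are added in a fixed order: rule sid/rev, the IP header and its
 * options (only when p->iph is set), then exactly one of the TCP, UDP or
 * ICMP headers (whichever pointer the decoder populated, checked in that
 * order), and finally the raw payload.
 *
 * Returns 0 always.  A NULL p or event produces no entries.
 */
static int packet_to_data(Packet *p, Event *event, idmef_alert_t *alert)
{
    int i;

    /* event is dereferenced unconditionally below, so it needs the same
     * guard that p has. */
    if ( ! p || ! event )
        return 0;

    add_int_data(alert, "snort_rule_sid", event->sig_id);
    add_int_data(alert, "snort_rule_rev", event->sig_rev);

    if ( p->iph )
    {
        add_int_data(alert, "ip_ver", IP_VER(p->iph));
        add_int_data(alert, "ip_hlen", IP_HLEN(p->iph));
        add_int_data(alert, "ip_tos", p->iph->ip_tos);
        add_int_data(alert, "ip_len", ntohs(p->iph->ip_len));
        add_int_data(alert, "ip_id", ntohs(p->iph->ip_id));
        add_int_data(alert, "ip_off", ntohs(p->iph->ip_off));
        add_int_data(alert, "ip_ttl", p->iph->ip_ttl);
        add_int_data(alert, "ip_proto", p->iph->ip_proto);
        add_int_data(alert, "ip_sum", ntohs(p->iph->ip_csum));

        /* option lengths come from the decoder; assumed to have been
         * validated against the packet bounds there -- TODO confirm */
        for ( i = 0; i < p->ip_option_count; i++ )
        {
            add_int_data(alert, "ip_option_code", p->ip_options[i].code);
            add_byte_data(alert, "ip_option_data",
                          p->ip_options[i].data, p->ip_options[i].len);
        }
    }

    if ( p->tcph )
    {
        add_int_data(alert, "tcp_seq", ntohl(p->tcph->th_seq));
        add_int_data(alert, "tcp_ack", ntohl(p->tcph->th_ack));
        add_int_data(alert, "tcp_off", TCP_OFFSET(p->tcph));
        add_int_data(alert, "tcp_res", TCP_X2(p->tcph));
        add_int_data(alert, "tcp_flags", p->tcph->th_flags);
        add_int_data(alert, "tcp_win", ntohs(p->tcph->th_win));
        add_int_data(alert, "tcp_sum", ntohs(p->tcph->th_sum));
        add_int_data(alert, "tcp_urp", ntohs(p->tcph->th_urp));

        for ( i = 0; i < p->tcp_option_count; i++ )
        {
            add_int_data(alert, "tcp_option_code", p->tcp_options[i].code);
            add_byte_data(alert, "tcp_option_data",
                          p->tcp_options[i].data, p->tcp_options[i].len);
        }
    }
    else if ( p->udph )
    {
        add_int_data(alert, "udp_len", ntohs(p->udph->uh_len));
        add_int_data(alert, "udp_sum", ntohs(p->udph->uh_chk));
    }
    else if ( p->icmph )
    {
        add_int_data(alert, "icmp_type", p->icmph->type);
        add_int_data(alert, "icmp_code", p->icmph->code);
        add_int_data(alert, "icmp_sum", ntohs(p->icmph->csum));

        /* type-specific fields; types not listed carry none */
        switch ( p->icmph->type )
        {
            case ICMP_ECHO:
            case ICMP_ECHOREPLY:
            case ICMP_INFO_REQUEST:
            case ICMP_INFO_REPLY:
            case ICMP_ADDRESS:
            case ICMP_TIMESTAMP:
                add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
                add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
                break;

            case ICMP_ADDRESSREPLY:
                add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
                add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
                add_int_data(alert, "icmp_mask",
                             (uint32_t) ntohl(p->icmph->s_icmp_mask));
                break;

            case ICMP_REDIRECT:
                add_string_data(alert, "icmp_gwaddr",
                                inet_ntoa(p->icmph->s_icmp_gwaddr));
                break;

            case ICMP_ROUTER_ADVERTISE:
                add_int_data(alert, "icmp_num_addrs", p->icmph->s_icmp_num_addrs);
                add_int_data(alert, "icmp_wpa", p->icmph->s_icmp_wpa);
                add_int_data(alert, "icmp_lifetime",
                             ntohs(p->icmph->s_icmp_lifetime));
                break;

            case ICMP_TIMESTAMPREPLY:
                add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
                add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
                /* NOTE(review): unlike the other multi-byte ICMP fields these
                 * are emitted without ntohl -- confirm against the header
                 * definition whether they are stored in host order. */
                add_int_data(alert, "icmp_otime", p->icmph->s_icmp_otime);
                add_int_data(alert, "icmp_rtime", p->icmph->s_icmp_rtime);
                add_int_data(alert, "icmp_ttime", p->icmph->s_icmp_ttime);
                break;

            default:
                break;
        }
    }

    add_byte_data(alert, "payload", p->data, p->dsize);

    return 0;
}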
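/*
 * Copy the decoded headers of p, plus the id/revision of the rule that fired
 * (read from the Unified2EventCommon that event points to, in network byte
 * order), into alert as IDMEF additional-data entries.
 *
 * Entries are added in a fixed order: rule sid/rev, the IP header and its
 * options (only when IPH_IS_VALID(p)), then exactly one of the TCP, UDP or
 * ICMP headers (whichever pointer the decoder populated, checked in that
 * order), and finally the raw payload.  With SUP_IP6 the IPv4-only fields
 * ip_id, ip_off and ip_sum are not emitted.
 *
 * Returns 0 always.  A NULL p or event produces no entries.
 */
static int packet_to_data(Packet *p, void *event, idmef_alert_t *alert)
{
    int i;

    /* event is cast and dereferenced unconditionally below, so it needs the
     * same guard that p has. */
    if ( ! p || ! event )
        return 0;

    add_int_data(alert, "snort_rule_sid",
                 ntohl(((Unified2EventCommon *)event)->signature_id));
    add_int_data(alert, "snort_rule_rev",
                 ntohl(((Unified2EventCommon *)event)->signature_revision));

    if ( IPH_IS_VALID(p) )
    {
        add_int_data(alert, "ip_ver", GET_IPH_VER(p));
        add_int_data(alert, "ip_hlen", GET_IPH_HLEN(p));
        add_int_data(alert, "ip_tos", GET_IPH_TOS(p));
        add_int_data(alert, "ip_len", ntohs(GET_IPH_LEN(p)));

#ifdef SUP_IP6
        // XXX-IPv6 need fragmentation ID
#else
        add_int_data(alert, "ip_id", ntohs(p->iph->ip_id));
#endif

#ifdef SUP_IP6
        // XXX-IPv6 need fragmentation offset
#else
        add_int_data(alert, "ip_off", ntohs(p->iph->ip_off));
#endif

        add_int_data(alert, "ip_ttl", GET_IPH_TTL(p));
        add_int_data(alert, "ip_proto", GET_IPH_PROTO(p));

#ifdef SUP_IP6
        // XXX-IPv6 need checksum
#else
        add_int_data(alert, "ip_sum", ntohs(p->iph->ip_csum));
#endif

        /* option lengths come from the decoder; assumed to have been
         * validated against the packet bounds there -- TODO confirm */
        for ( i = 0; i < p->ip_option_count; i++ )
        {
            add_int_data(alert, "ip_option_code", p->ip_options[i].code);
            add_byte_data(alert, "ip_option_data",
                          p->ip_options[i].data, p->ip_options[i].len);
        }
    }

    if ( p->tcph )
    {
        add_int_data(alert, "tcp_seq", ntohl(p->tcph->th_seq));
        add_int_data(alert, "tcp_ack", ntohl(p->tcph->th_ack));
        add_int_data(alert, "tcp_off", TCP_OFFSET(p->tcph));
        add_int_data(alert, "tcp_res", TCP_X2(p->tcph));
        add_int_data(alert, "tcp_flags", p->tcph->th_flags);
        add_int_data(alert, "tcp_win", ntohs(p->tcph->th_win));
        add_int_data(alert, "tcp_sum", ntohs(p->tcph->th_sum));
        add_int_data(alert, "tcp_urp", ntohs(p->tcph->th_urp));

        for ( i = 0; i < p->tcp_option_count; i++ )
        {
            add_int_data(alert, "tcp_option_code", p->tcp_options[i].code);
            add_byte_data(alert, "tcp_option_data",
                          p->tcp_options[i].data, p->tcp_options[i].len);
        }
    }
    else if ( p->udph )
    {
        add_int_data(alert, "udp_len", ntohs(p->udph->uh_len));
        add_int_data(alert, "udp_sum", ntohs(p->udph->uh_chk));
    }
    else if ( p->icmph )
    {
        add_int_data(alert, "icmp_type", p->icmph->type);
        add_int_data(alert, "icmp_code", p->icmph->code);
        add_int_data(alert, "icmp_sum", ntohs(p->icmph->csum));

        /* type-specific fields; types not listed carry none */
        switch ( p->icmph->type )
        {
            case ICMP_ECHO:
            case ICMP_ECHOREPLY:
            case ICMP_INFO_REQUEST:
            case ICMP_INFO_REPLY:
            case ICMP_ADDRESS:
            case ICMP_TIMESTAMP:
                add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
                add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
                break;

            case ICMP_ADDRESSREPLY:
                add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
                add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
                add_int_data(alert, "icmp_mask",
                             (uint32_t) ntohl(p->icmph->s_icmp_mask));
                break;

            case ICMP_REDIRECT:
#ifndef SUP_IP6
                add_string_data(alert, "icmp_gwaddr",
                                inet_ntoa(p->icmph->s_icmp_gwaddr));
#else
                {
                    /* with SUP_IP6 inet_ntoa takes the project's sfip_t */
                    sfip_t gwaddr;
                    sfip_set_raw(&gwaddr,
                                 (void *)&p->icmph->s_icmp_gwaddr.s_addr,
                                 AF_INET);
                    add_string_data(alert, "icmp_gwaddr", inet_ntoa(&gwaddr));
                }
#endif
                break;

            case ICMP_ROUTER_ADVERTISE:
                add_int_data(alert, "icmp_num_addrs", p->icmph->s_icmp_num_addrs);
                add_int_data(alert, "icmp_wpa", p->icmph->s_icmp_wpa);
                add_int_data(alert, "icmp_lifetime",
                             ntohs(p->icmph->s_icmp_lifetime));
                break;

            case ICMP_TIMESTAMPREPLY:
                add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
                add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
                /* NOTE(review): unlike the other multi-byte ICMP fields these
                 * are emitted without ntohl -- confirm against the header
                 * definition whether they are stored in host order. */
                add_int_data(alert, "icmp_otime", p->icmph->s_icmp_otime);
                add_int_data(alert, "icmp_rtime", p->icmph->s_icmp_rtime);
                add_int_data(alert, "icmp_ttime", p->icmph->s_icmp_ttime);
                break;

            default:
                break;
        }
    }

    add_byte_data(alert, "payload", p->data, p->dsize);

    return 0;
}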