/** \test Get the wscale of 2 */
static int TCPGetWscaleTest01(void)
{
int retval = 0;
static uint8_t raw_tcp[] = {0xda, 0xc1, 0x00, 0x50, 0xb6, 0x21, 0x7f, 0x58,
0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, 0x16, 0xd0,
0x8a, 0xaf, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
0x04, 0x02, 0x08, 0x0a, 0x00, 0x62, 0x88, 0x28,
0x00, 0x00, 0x00, 0x00, 0x01, 0x03, 0x03, 0x02};
Packet *p = SCMalloc(SIZE_OF_PACKET);
if (p == NULL)
return 0;
IPV4Hdr ip4h;
ThreadVars tv;
DecodeThreadVars dtv;
memset(&tv, 0, sizeof(ThreadVars));
memset(p, 0, SIZE_OF_PACKET);
p->pkt = (uint8_t *)(p + 1);
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&ip4h, 0, sizeof(IPV4Hdr));
p->src.family = AF_INET;
p->dst.family = AF_INET;
p->ip4h = &ip4h;
FlowInitConfig(FLOW_QUIET);
DecodeTCP(&tv, &dtv, p, raw_tcp, sizeof(raw_tcp), NULL);
FlowShutdown();
if (p->tcph == NULL) {
printf("tcp packet decode failed: ");
goto end;
}
uint8_t wscale = TCP_GET_WSCALE(p);
if (wscale != 2) {
printf("wscale %"PRIu8", expected 2: ", wscale);
goto end;
}
retval = 1;
end:
SCFree(p);
return retval;
}
/** \test Get the wscale, but it's missing, so see if return 0 properly */
static int TCPGetWscaleTest03(void)
{
int retval = 0;
static uint8_t raw_tcp[] = {0xda, 0xc1, 0x00, 0x50, 0xb6, 0x21, 0x7f, 0x59,
0xdd, 0xa3, 0x6f, 0xf8, 0x80, 0x10, 0x05, 0xb4,
0x7c, 0x70, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a,
0x00, 0x62, 0x88, 0x9e, 0x00, 0x00, 0x00, 0x00};
Packet *p = PacketGetFromAlloc();
if (unlikely(p == NULL))
return 0;
IPV4Hdr ip4h;
ThreadVars tv;
DecodeThreadVars dtv;
memset(&tv, 0, sizeof(ThreadVars));
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&ip4h, 0, sizeof(IPV4Hdr));
p->src.family = AF_INET;
p->dst.family = AF_INET;
p->ip4h = &ip4h;
FlowInitConfig(FLOW_QUIET);
DecodeTCP(&tv, &dtv, p, raw_tcp, sizeof(raw_tcp), NULL);
if (p->tcph == NULL) {
printf("tcp packet decode failed: ");
goto end;
}
uint8_t wscale = TCP_GET_WSCALE(p);
if (wscale != 0) {
printf("wscale %"PRIu8", expected 0: ", wscale);
goto end;
}
retval = 1;
end:
PACKET_RECYCLE(p);
FlowShutdown();
SCFree(p);
return retval;
}
/**
* \brief Convert IP packet to an IDMEF alert (RFC 4765).
* This function stores the alert SID (description and reference),
* the payload of the packet, and pre-processed data.
*
* \return 0 if ok
*/
static int PacketToData(const Packet *p, const PacketAlert *pa, idmef_alert_t *alert, AlertPreludeCtx *ctx)
{
SCEnter();
if (unlikely(p == NULL))
SCReturnInt(0);
AddIntData(alert, "snort_rule_sid", pa->s->id);
AddIntData(alert, "snort_rule_rev", pa->s->rev);
if (ctx->log_packet_header) {
if ( PKT_IS_IPV4(p) )
PacketToDataV4(p, pa, alert);
else if ( PKT_IS_IPV6(p) )
PacketToDataV6(p, pa, alert);
if ( PKT_IS_TCP(p) ) {
AddIntData(alert, "tcp_seq", TCP_GET_SEQ(p));
AddIntData(alert, "tcp_ack", TCP_GET_ACK(p));
AddIntData(alert, "tcp_off", TCP_GET_OFFSET(p));
AddIntData(alert, "tcp_res", TCP_GET_X2(p));
AddIntData(alert, "tcp_flags", TCP_GET_FLAGS(p));
AddIntData(alert, "tcp_win", TCP_GET_WINDOW(p));
AddIntData(alert, "tcp_sum", TCP_GET_SUM(p));
AddIntData(alert, "tcp_urp", TCP_GET_URG_POINTER(p));
if (p->tcpvars.ts_val != 0) {
AddIntData(alert, "tcp_tsval", TCP_GET_TSVAL(p));
}
if (p->tcpvars.ts_ecr != 0) {
AddIntData(alert, "tcp_tsecr", TCP_GET_TSECR(p));
}
if (p->tcph != NULL) {
AddIntData(alert, "tcp_wscale", TCP_GET_WSCALE(p));
}
if (TCP_HAS_SACKOK(p)) {
AddIntData(alert, "tcp_sackok", TCP_GET_SACKOK(p));
}
if (TCP_HAS_SACK(p)) {
AddIntData(alert, "tcp_sack_cnt", TCP_GET_SACK_CNT(p));
}
AddIntData(alert, "tcp_hlen", TCP_GET_HLEN(p));
}
else if ( PKT_IS_UDP(p) ) {
AddIntData(alert, "udp_len", UDP_GET_LEN(p));
AddIntData(alert, "udp_sum", UDP_GET_SUM(p));
}
else if ( PKT_IS_ICMPV4(p) ) {
AddIntData(alert, "icmp_type", ICMPV4_GET_TYPE(p));
AddIntData(alert, "icmp_code", ICMPV4_GET_CODE(p));
AddIntData(alert, "icmp_sum", ICMPV4_GET_RAW_CSUM(p));
}
else if ( PKT_IS_ICMPV6(p) ) {
AddIntData(alert, "icmp_type", ICMPV6_GET_TYPE(p));
AddIntData(alert, "icmp_code", ICMPV6_GET_CODE(p));
AddIntData(alert, "icmp_csum", ICMPV6_GET_RAW_CSUM(p));
}
}
if (ctx->log_packet_content)
AddByteData(alert, "payload", p->payload, p->payload_len);
SCReturnInt(0);
}
