/* DecodePPPtest02
* Decode malformed ppp layer packet
* Expected test value: 1
*/
static int DecodePPPtest02 (void)
{
uint8_t raw_ppp[] = { 0xff, 0x03, 0x00, 0xff, 0x45, 0xc0, 0x00, 0x2c, 0x4d,
0xed, 0x00, 0x00, 0xff, 0x06, 0xd5, 0x17, 0xbf, 0x01,
0x0d, 0x01, 0xbf, 0x01, 0x0d, 0x03, 0xea, 0x37, 0x00,
0x17, 0x6d, 0x0b, 0xba, 0xc3, 0x00, 0x00, 0x00, 0x00,
0x60, 0x02, 0x10, 0x20, 0xdd, 0xe1, 0x00, 0x00 };
Packet *p = PacketGetFromAlloc();
if (unlikely(p == NULL))
return 0;
ThreadVars tv;
DecodeThreadVars dtv;
memset(&tv, 0, sizeof(ThreadVars));
memset(&dtv, 0, sizeof(DecodeThreadVars));
DecodePPP(&tv, &dtv, p, raw_ppp, sizeof(raw_ppp), NULL);
/* Function must returns here */
if(ENGINE_ISSET_EVENT(p,PPP_WRONG_TYPE)) {
SCFree(p);
return 1;
}
SCFree(p);
return 0;
}
/** DecodePPPtest03
* \brief Decode good PPP packet, additionally the IPv4 packet inside is
* 4 bytes short.
* \retval 0 Test failed
* \retval 1 Test succeeded
*/
static int DecodePPPtest03 (void)
{
uint8_t raw_ppp[] = { 0xff, 0x03, 0x00, 0x21, 0x45, 0xc0, 0x00, 0x2c, 0x4d,
0xed, 0x00, 0x00, 0xff, 0x06, 0xd5, 0x17, 0xbf, 0x01,
0x0d, 0x01, 0xbf, 0x01, 0x0d, 0x03, 0xea, 0x37, 0x00,
0x17, 0x6d, 0x0b, 0xba, 0xc3, 0x00, 0x00, 0x00, 0x00,
0x60, 0x02, 0x10, 0x20, 0xdd, 0xe1, 0x00, 0x00 };
Packet *p = PacketGetFromAlloc();
if (unlikely(p == NULL))
return 0;
ThreadVars tv;
DecodeThreadVars dtv;
memset(&tv, 0, sizeof(ThreadVars));
memset(&dtv, 0, sizeof(DecodeThreadVars));
FlowInitConfig(FLOW_QUIET);
DecodePPP(&tv, &dtv, p, raw_ppp, sizeof(raw_ppp), NULL);
FlowShutdown();
if(p->ppph == NULL) {
SCFree(p);
return 0;
}
if(ENGINE_ISSET_EVENT(p,PPP_PKT_TOO_SMALL)) {
SCFree(p);
return 0;
}
if(ENGINE_ISSET_EVENT(p,PPPIPV4_PKT_TOO_SMALL)) {
SCFree(p);
return 0;
}
if(ENGINE_ISSET_EVENT(p,PPP_WRONG_TYPE)) {
SCFree(p);
return 0;
}
if (!(ENGINE_ISSET_EVENT(p,IPV4_TRUNC_PKT))) {
SCFree(p);
return 0;
}
/* Function must return here */
SCFree(p);
return 1;
}
/**
* \brief This function passes off to link type decoders.
*
* DecodePcap reads packets from the PacketQueue and passes
* them off to the proper link type decoder.
*
* \param t pointer to ThreadVars
* \param p pointer to the current packet
* \param data pointer that gets cast into PcapThreadVars for ptv
* \param pq pointer to the current PacketQueue
*/
TmEcode DecodePcap(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
{
SCEnter();
DecodeThreadVars *dtv = (DecodeThreadVars *)data;
/* XXX HACK: flow timeout can call us for injected pseudo packets
* see bug: https://redmine.openinfosecfoundation.org/issues/1107 */
if (p->flags & PKT_PSEUDO_STREAM_END)
return TM_ECODE_OK;
/* update counters */
SCPerfCounterIncr(dtv->counter_pkts, tv->sc_perf_pca);
// SCPerfCounterIncr(dtv->counter_pkts_per_sec, tv->sc_perf_pca);
SCPerfCounterAddUI64(dtv->counter_bytes, tv->sc_perf_pca, GET_PKT_LEN(p));
#if 0
SCPerfCounterAddDouble(dtv->counter_bytes_per_sec, tv->sc_perf_pca, GET_PKT_LEN(p));
SCPerfCounterAddDouble(dtv->counter_mbit_per_sec, tv->sc_perf_pca,
(GET_PKT_LEN(p) * 8)/1000000.0);
#endif
SCPerfCounterAddUI64(dtv->counter_avg_pkt_size, tv->sc_perf_pca, GET_PKT_LEN(p));
SCPerfCounterSetUI64(dtv->counter_max_pkt_size, tv->sc_perf_pca, GET_PKT_LEN(p));
/* call the decoder */
switch(p->datalink) {
case LINKTYPE_LINUX_SLL:
DecodeSll(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
break;
case LINKTYPE_ETHERNET:
DecodeEthernet(tv, dtv, p,GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
break;
case LINKTYPE_PPP:
DecodePPP(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
break;
case LINKTYPE_RAW:
DecodeRaw(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
break;
default:
SCLogError(SC_ERR_DATALINK_UNIMPLEMENTED, "Error: datalink type %" PRId32 " not yet supported in module DecodePcap", p->datalink);
break;
}
PacketDecodeFinalize(tv, dtv, p);
SCReturnInt(TM_ECODE_OK);
}
void DecodeTunnel(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
uint8_t *pkt, uint16_t len, PacketQueue *pq, uint8_t proto)
{
switch (proto) {
case PPP_OVER_GRE:
return DecodePPP(tv, dtv, p, pkt, len, pq);
case IPPROTO_IP:
return DecodeIPV4(tv, dtv, p, pkt, len, pq);
case IPPROTO_IPV6:
return DecodeIPV6(tv, dtv, p, pkt, len, pq);
case VLAN_OVER_GRE:
return DecodeVLAN(tv, dtv, p, pkt, len, pq);
default:
SCLogInfo("FIXME: DecodeTunnel: protocol %" PRIu32 " not supported.", proto);
break;
}
}
/**
* \brief This function passes off to link type decoders.
*
* DecodePcap reads packets from the PacketQueue and passes
* them off to the proper link type decoder.
*
* \param t pointer to ThreadVars
* \param p pointer to the current packet
* \param data pointer that gets cast into PcapThreadVars for ptv
* \param pq pointer to the current PacketQueue
*/
TmEcode DecodePcap(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
{
SCEnter();
DecodeThreadVars *dtv = (DecodeThreadVars *)data;
/* XXX HACK: flow timeout can call us for injected pseudo packets
* see bug: https://redmine.openinfosecfoundation.org/issues/1107 */
if (p->flags & PKT_PSEUDO_STREAM_END)
return TM_ECODE_OK;
/* update counters */
DecodeUpdatePacketCounters(tv, dtv, p);
/* call the decoder */
switch(p->datalink) {
case LINKTYPE_LINUX_SLL:
DecodeSll(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
break;
case LINKTYPE_ETHERNET:
DecodeEthernet(tv, dtv, p,GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
break;
case LINKTYPE_PPP:
DecodePPP(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
break;
case LINKTYPE_RAW:
DecodeRaw(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
break;
case LINKTYPE_NULL:
DecodeNull(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
break;
default:
SCLogError(SC_ERR_DATALINK_UNIMPLEMENTED, "Error: datalink type %" PRId32 " not yet supported in module DecodePcap", p->datalink);
break;
}
PacketDecodeFinalize(tv, dtv, p);
SCReturnInt(TM_ECODE_OK);
}
int DecodeTunnel(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
uint8_t *pkt, uint16_t len, PacketQueue *pq, enum DecodeTunnelProto proto)
{
switch (proto) {
case DECODE_TUNNEL_PPP:
return DecodePPP(tv, dtv, p, pkt, len, pq);
case DECODE_TUNNEL_IPV4:
return DecodeIPV4(tv, dtv, p, pkt, len, pq);
case DECODE_TUNNEL_IPV6:
return DecodeIPV6(tv, dtv, p, pkt, len, pq);
case DECODE_TUNNEL_VLAN:
return DecodeVLAN(tv, dtv, p, pkt, len, pq);
case DECODE_TUNNEL_ETHERNET:
return DecodeEthernet(tv, dtv, p, pkt, len, pq);
case DECODE_TUNNEL_ERSPAN:
return DecodeERSPAN(tv, dtv, p, pkt, len, pq);
default:
SCLogInfo("FIXME: DecodeTunnel: protocol %" PRIu32 " not supported.", proto);
break;
}
return TM_ECODE_OK;
}
/* DecodePPPtest01
* Decode malformed ip layer PPP packet
* Expected test value: 1
*/
static int DecodePPPtest01 (void) {
uint8_t raw_ppp[] = { 0xff, 0x03, 0x00, 0x21, 0x45, 0xc0, 0x00 };
Packet *p = PacketGetFromAlloc();
if (unlikely(p == NULL))
return 0;
ThreadVars tv;
DecodeThreadVars dtv;
memset(&tv, 0, sizeof(ThreadVars));
memset(&dtv, 0, sizeof(DecodeThreadVars));
DecodePPP(&tv, &dtv, p, raw_ppp, sizeof(raw_ppp), NULL);
/* Function my returns here with expected value */
if(ENGINE_ISSET_EVENT(p,PPPIPV4_PKT_TOO_SMALL)) {
SCFree(p);
return 1;
}
SCFree(p);
return 0;
}
static int Unified2Test04 (void) {
ThreadVars tv;
DecodeThreadVars dtv;
PacketQueue pq;
void *data = NULL;
OutputCtx *oc;
LogFileCtx *lf;
Signature s;
uint8_t raw_ppp[] = {
0xff, 0x03, 0x00, 0x21, 0x45, 0xc0, 0x00, 0x2c,
0x4d, 0xed, 0x00, 0x00, 0xff, 0x06, 0xd5, 0x17,
0xbf, 0x01, 0x0d, 0x01, 0xbf, 0x01, 0x0d, 0x03,
0xea, 0x37, 0x00, 0x17, 0x6d, 0x0b, 0xba, 0xc3,
0x00, 0x00, 0x00, 0x00, 0x60, 0x02, 0x10, 0x20,
0xdd, 0xe1, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4};
Packet *p = PacketGetFromAlloc();
if (unlikely(p == NULL))
return 0;
int ret;
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&tv, 0, sizeof(ThreadVars));
memset(&pq, 0, sizeof(PacketQueue));
p->pkt = (uint8_t *)(p + 1);
memset(&s, 0, sizeof(Signature));
p->alerts.cnt++;
p->alerts.alerts[p->alerts.cnt-1].s = &s;
p->alerts.alerts[p->alerts.cnt-1].s->id = 1;
p->alerts.alerts[p->alerts.cnt-1].s->gid = 1;
p->alerts.alerts[p->alerts.cnt-1].s->rev = 1;
SET_PKT_LEN(p, sizeof(raw_ppp));
FlowInitConfig(FLOW_QUIET);
DecodePPP(&tv, &dtv, p, raw_ppp, sizeof(raw_ppp), &pq);
FlowShutdown();
oc = Unified2AlertInitCtx(NULL);
if (oc == NULL) {
SCFree(p);
return 0;
}
lf = (LogFileCtx *)oc->data;
if(lf == NULL) {
SCFree(p);
return 0;
}
ret = Unified2AlertThreadInit(&tv, oc, &data);
if(ret == -1) {
SCFree(p);
return 0;
}
ret = Unified2Alert(&tv, p, data, &pq, NULL);
if(ret == TM_ECODE_FAILED) {
SCFree(p);
return 0;
}
ret = Unified2AlertThreadDeinit(&tv, data);
if(ret == -1) {
SCFree(p);
return 0;
}
Unified2AlertDeInitCtx(oc);
PACKET_CLEANUP(p);
SCFree(p);
return 1;
}
