/**
* \brief Copy data to Packet payload at given offset
*
* This function copies data/payload to a Packet. It uses the
* space allocated at Packet creation (pointed by Packet::pkt)
* or allocate some memory (pointed by Packet::ext_pkt) if the
* data size is too big to fit in initial space (of size
* default_packet_size).
*
* \param Pointer to the Packet to modify
* \param Offset of the copy relatively to payload of Packet
* \param Pointer to the data to copy
* \param Length of the data to copy
*/
inline int PacketCopyDataOffset(Packet *p, int offset, uint8_t *data, int datalen)
{
if (unlikely(offset + datalen > MAX_PAYLOAD_SIZE)) {
/* too big */
return -1;
}
/* Do we have already an packet with allocated data */
if (! p->ext_pkt) {
if (offset + datalen <= (int)default_packet_size) {
/* data will fit in memory allocated with packet */
memcpy(GET_PKT_DIRECT_DATA(p) + offset, data, datalen);
} else {
/* here we need a dynamic allocation */
p->ext_pkt = SCMalloc(MAX_PAYLOAD_SIZE);
if (unlikely(p->ext_pkt == NULL)) {
SET_PKT_LEN(p, 0);
return -1;
}
/* copy initial data */
memcpy(p->ext_pkt, GET_PKT_DIRECT_DATA(p), GET_PKT_DIRECT_MAX_SIZE(p));
/* copy data as asked */
memcpy(p->ext_pkt + offset, data, datalen);
}
} else {
memcpy(p->ext_pkt + offset, data, datalen);
}
return 0;
}
/**
* \brief Pfring Packet Process function.
*
* This function fills in our packet structure from libpfring.
* From here the packets are picked up by the DecodePfring thread.
*
* \param user pointer to PfringThreadVars
* \param h pointer to pfring packet header
* \param p pointer to the current packet
*/
static inline void PfringProcessPacket(void *user, struct pfring_pkthdr *h, Packet *p)
{
PfringThreadVars *ptv = (PfringThreadVars *)user;
ptv->bytes += h->caplen;
ptv->pkts++;
p->livedev = ptv->livedev;
/* PF_RING may fail to set timestamp */
if (h->ts.tv_sec == 0) {
gettimeofday((struct timeval *)&h->ts, NULL);
}
p->ts.tv_sec = h->ts.tv_sec;
p->ts.tv_usec = h->ts.tv_usec;
/* PF_RING all packets are marked as a link type of ethernet
* so that is what we do here. */
p->datalink = LINKTYPE_ETHERNET;
/* get vlan id from header. Check on vlan_id not null even if comment in
* header announce NO_VLAN is used when there is no VLAN. But NO_VLAN
* is not defined nor used in PF_RING code. And vlan_id is set to 0
* in PF_RING kernel code when there is no VLAN. */
if ((!ptv->vlan_disabled) && h->extended_hdr.parsed_pkt.vlan_id) {
p->vlan_id[0] = h->extended_hdr.parsed_pkt.vlan_id & 0x0fff;
p->vlan_idx = 1;
p->vlanh[0] = NULL;
}
switch (ptv->checksum_mode) {
case CHECKSUM_VALIDATION_RXONLY:
if (h->extended_hdr.rx_direction == 0) {
p->flags |= PKT_IGNORE_CHECKSUM;
}
break;
case CHECKSUM_VALIDATION_DISABLE:
p->flags |= PKT_IGNORE_CHECKSUM;
break;
case CHECKSUM_VALIDATION_AUTO:
if (ptv->livedev->ignore_checksum) {
p->flags |= PKT_IGNORE_CHECKSUM;
} else if (ChecksumAutoModeCheck(ptv->pkts,
SC_ATOMIC_GET(ptv->livedev->pkts),
SC_ATOMIC_GET(ptv->livedev->invalid_checksums))) {
ptv->livedev->ignore_checksum = 1;
p->flags |= PKT_IGNORE_CHECKSUM;
}
break;
default:
break;
}
SET_PKT_LEN(p, h->caplen);
}
/**
* \brief Set data for Packet and set length when zeo copy is used
*
* \param Pointer to the Packet to modify
* \param Pointer to the data
* \param Length of the data
*/
inline int PacketSetData(Packet *p, uint8_t *pktdata, int pktlen)
{
SET_PKT_LEN(p, (size_t)pktlen);
if (unlikely(!pktdata)) {
return -1;
}
p->ext_pkt = pktdata;
p->flags |= PKT_ZERO_COPY;
return 0;
}
inline int PacketCallocExtPkt(Packet *p, int datalen)
{
if (! p->ext_pkt) {
p->ext_pkt = SCCalloc(1, datalen);
if (unlikely(p->ext_pkt == NULL)) {
SET_PKT_LEN(p, 0);
return -1;
}
}
return 0;
}
/**
* \brief Process a DAG record into a TM packet buffer.
* \param prec pointer to a DAG record.
* \param
*/
TmEcode ProcessErfDagRecord(ErfDagThreadVars *ewtn, char *prec, Packet *p)
{
SCEnter();
int wlen = 0;
dag_record_t *dr = (dag_record_t*)prec;
erf_payload_t *pload;
assert(prec);
assert(p);
if (p == NULL) SCReturnInt(TM_ECODE_OK);
/* Only support ethernet at this time. */
if (dr->type != TYPE_ETH &&
dr->type != TYPE_DSM_COLOR_ETH &&
dr->type != TYPE_COLOR_ETH &&
dr->type != TYPE_COLOR_HASH_ETH) {
SCLogError(SC_ERR_UNIMPLEMENTED,
"Processing of DAG record type: %d not implemented.", dr->type);
SCReturnInt(TM_ECODE_FAILED);
}
wlen = ntohs(dr->wlen);
pload = &(dr->rec);
SET_PKT_LEN(p, wlen - 4); /* Trim the FCS... */
p->datalink = LINKTYPE_ETHERNET;
/* Take into account for link type Ethernet ETH frame starts
* after ther ERF header + pad.
*/
PacketCopyData(p, pload->eth.dst, GET_PKT_LEN(p));
SCLogDebug("pktlen: %" PRIu32 " (pkt %02x, pkt data %02x)",
GET_PKT_LEN(p), *p, *GET_PKT_DATA(p));
/* Convert ERF time to timeval - from libpcap. */
uint64_t ts = dr->ts;
p->ts.tv_sec = ts >> 32;
ts = (ts & 0xffffffffULL) * 1000000;
ts += 0x80000000; /* rounding */
p->ts.tv_usec = ts >> 32;
if (p->ts.tv_usec >= 1000000) {
p->ts.tv_usec -= 1000000;
p->ts.tv_sec++;
}
ewtn->pkts++;
ewtn->bytes += wlen;
SCReturnInt(TM_ECODE_OK);
}
/**
* \brief Pfring Packet Process function.
*
* This function fills in our packet structure from libpfring.
* From here the packets are picked up by the DecodePfring thread.
*
* \param user pointer to PfringThreadVars
* \param h pointer to pfring packet header
* \param p pointer to the current packet
*/
static inline void PfringProcessPacket(void *user, struct pfring_pkthdr *h, Packet *p) {
PfringThreadVars *ptv = (PfringThreadVars *)user;
ptv->bytes += h->caplen;
ptv->pkts++;
p->livedev = ptv->livedev;
/* PF_RING may fail to set timestamp */
if (h->ts.tv_sec == 0) {
gettimeofday((struct timeval *)&h->ts, NULL);
}
p->ts.tv_sec = h->ts.tv_sec;
p->ts.tv_usec = h->ts.tv_usec;
/* PF_RING all packets are marked as a link type of ethernet
* so that is what we do here. */
p->datalink = LINKTYPE_ETHERNET;
switch (ptv->checksum_mode) {
case CHECKSUM_VALIDATION_RXONLY:
if (h->extended_hdr.rx_direction == 0) {
p->flags |= PKT_IGNORE_CHECKSUM;
}
break;
case CHECKSUM_VALIDATION_DISABLE:
p->flags |= PKT_IGNORE_CHECKSUM;
break;
case CHECKSUM_VALIDATION_AUTO:
if (ptv->livedev->ignore_checksum) {
p->flags |= PKT_IGNORE_CHECKSUM;
} else if (ChecksumAutoModeCheck(ptv->pkts,
SC_ATOMIC_GET(ptv->livedev->pkts),
SC_ATOMIC_GET(ptv->livedev->invalid_checksums))) {
ptv->livedev->ignore_checksum = 1;
p->flags |= PKT_IGNORE_CHECKSUM;
}
break;
default:
break;
}
SET_PKT_LEN(p, h->caplen);
}
static int Unified2Test05 (void) {
ThreadVars tv;
DecodeThreadVars dtv;
PacketQueue pq;
void *data = NULL;
OutputCtx *oc;
LogFileCtx *lf;
Signature s;
uint8_t raw_ipv4_tcp[] = {
0x00, 0x14, 0xbf, 0xe8, 0xcb, 0x26, 0xaa, 0x00,
0x04, 0x00, 0x0a, 0x04, 0x08, 0x00, 0x45, 0x00,
0x00, 0x3c, 0x8c, 0x55, 0x40, 0x00, 0x40, 0x06,
0x69, 0x86, 0xc0, 0xa8, 0x0a, 0x68, 0x4a, 0x7d,
0x2f, 0x53, 0xc2, 0x40, 0x00, 0x50, 0x1f, 0x00,
0xa4, 0xd4, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x02,
0x16, 0xd0, 0x3d, 0x4e, 0x00, 0x00, 0x02, 0x04,
0x05, 0xb4, 0x04, 0x02, 0x08, 0x0a, 0x00, 0x1c,
0x28, 0x81, 0x00, 0x00, 0x00, 0x00, 0x01, 0x03,
0x03, 0x06};
Packet *p = PacketGetFromAlloc();
if (unlikely(p == NULL))
return 0;
int ret;
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&tv, 0, sizeof(ThreadVars));
memset(&pq, 0, sizeof(PacketQueue));
p->pkt = (uint8_t *)(p + 1);
memset(&s, 0, sizeof(Signature));
p->alerts.cnt++;
p->alerts.alerts[p->alerts.cnt-1].s = &s;
p->alerts.alerts[p->alerts.cnt-1].s->id = 1;
p->alerts.alerts[p->alerts.cnt-1].s->gid = 1;
p->alerts.alerts[p->alerts.cnt-1].s->rev = 1;
SET_PKT_LEN(p, sizeof(raw_ipv4_tcp));
FlowInitConfig(FLOW_QUIET);
DecodeEthernet(&tv, &dtv, p, raw_ipv4_tcp, sizeof(raw_ipv4_tcp), &pq);
FlowShutdown();
p->action = ACTION_DROP;
oc = Unified2AlertInitCtx(NULL);
if (oc == NULL) {
SCFree(p);
return 0;
}
lf = (LogFileCtx *)oc->data;
if(lf == NULL) {
SCFree(p);
return 0;
}
ret = Unified2AlertThreadInit(&tv, oc, &data);
if(ret == -1) {
SCFree(p);
return 0;
}
ret = Unified2Alert(&tv, p, data, &pq, NULL);
if(ret == TM_ECODE_FAILED) {
SCFree(p);
return 0;
}
ret = Unified2AlertThreadDeinit(&tv, data);
if(ret == TM_ECODE_FAILED) {
SCFree(p);
return 0;
}
Unified2AlertDeInitCtx(oc);
PACKET_CLEANUP(p);
SCFree(p);
return 1;
}
static int Unified2Test04 (void) {
ThreadVars tv;
DecodeThreadVars dtv;
PacketQueue pq;
void *data = NULL;
OutputCtx *oc;
LogFileCtx *lf;
Signature s;
uint8_t raw_ppp[] = {
0xff, 0x03, 0x00, 0x21, 0x45, 0xc0, 0x00, 0x2c,
0x4d, 0xed, 0x00, 0x00, 0xff, 0x06, 0xd5, 0x17,
0xbf, 0x01, 0x0d, 0x01, 0xbf, 0x01, 0x0d, 0x03,
0xea, 0x37, 0x00, 0x17, 0x6d, 0x0b, 0xba, 0xc3,
0x00, 0x00, 0x00, 0x00, 0x60, 0x02, 0x10, 0x20,
0xdd, 0xe1, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4};
Packet *p = PacketGetFromAlloc();
if (unlikely(p == NULL))
return 0;
int ret;
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&tv, 0, sizeof(ThreadVars));
memset(&pq, 0, sizeof(PacketQueue));
p->pkt = (uint8_t *)(p + 1);
memset(&s, 0, sizeof(Signature));
p->alerts.cnt++;
p->alerts.alerts[p->alerts.cnt-1].s = &s;
p->alerts.alerts[p->alerts.cnt-1].s->id = 1;
p->alerts.alerts[p->alerts.cnt-1].s->gid = 1;
p->alerts.alerts[p->alerts.cnt-1].s->rev = 1;
SET_PKT_LEN(p, sizeof(raw_ppp));
FlowInitConfig(FLOW_QUIET);
DecodePPP(&tv, &dtv, p, raw_ppp, sizeof(raw_ppp), &pq);
FlowShutdown();
oc = Unified2AlertInitCtx(NULL);
if (oc == NULL) {
SCFree(p);
return 0;
}
lf = (LogFileCtx *)oc->data;
if(lf == NULL) {
SCFree(p);
return 0;
}
ret = Unified2AlertThreadInit(&tv, oc, &data);
if(ret == -1) {
SCFree(p);
return 0;
}
ret = Unified2Alert(&tv, p, data, &pq, NULL);
if(ret == TM_ECODE_FAILED) {
SCFree(p);
return 0;
}
ret = Unified2AlertThreadDeinit(&tv, data);
if(ret == -1) {
SCFree(p);
return 0;
}
Unified2AlertDeInitCtx(oc);
PACKET_CLEANUP(p);
SCFree(p);
return 1;
}
static int Unified2Test03 (void) {
ThreadVars tv;
DecodeThreadVars dtv;
PacketQueue pq;
void *data = NULL;
OutputCtx *oc;
LogFileCtx *lf;
Signature s;
uint8_t raw_gre[] = {
0x00, 0x0e, 0x50, 0x06, 0x42, 0x96, 0xaa, 0x00,
0x04, 0x00, 0x0a, 0x04, 0x08, 0x00, 0x45, 0x00,
0x00, 0x74, 0x35, 0xa2, 0x40, 0x00, 0x40, 0x2f,
0xef, 0xcb, 0x0a, 0x00, 0x00, 0x64, 0x0a, 0x00,
0x00, 0x8a, 0x30, 0x01, 0x88, 0x0b, 0x00, 0x54,
0x00, 0x00, 0x00, 0x18, 0x29, 0x5f, 0xff, 0x03,
0x00, 0x21, 0x45, 0x00, 0x00, 0x50, 0xf4, 0x05,
0x40, 0x00, 0x3f, 0x06, 0x20, 0xb8, 0x50, 0x7e,
0x2b, 0x2d, 0xd4, 0xcc, 0xd6, 0x72, 0x0a, 0x92,
0x1a, 0x0b, 0xc9, 0xaf, 0x24, 0x02, 0x8c, 0xdd,
0x45, 0xf6, 0x80, 0x18, 0x21, 0xfc, 0x10, 0x7c,
0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x08, 0x19,
0x1a, 0xda, 0x84, 0xd6, 0xda, 0x3e, 0x50, 0x49,
0x4e, 0x47, 0x20, 0x73, 0x74, 0x65, 0x72, 0x6c,
0x69, 0x6e, 0x67, 0x2e, 0x66, 0x72, 0x65, 0x65,
0x6e, 0x6f, 0x64, 0x65, 0x2e, 0x6e, 0x65, 0x74,
0x0d, 0x0a};
Packet *p = PacketGetFromAlloc();
if (unlikely(p == NULL))
return 0;
int ret;
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&tv, 0, sizeof(ThreadVars));
memset(&pq, 0, sizeof(PacketQueue));
p->pkt = (uint8_t *)(p + 1);
memset(&s, 0, sizeof(Signature));
p->alerts.cnt++;
p->alerts.alerts[p->alerts.cnt-1].s = &s;
p->alerts.alerts[p->alerts.cnt-1].s->id = 1;
p->alerts.alerts[p->alerts.cnt-1].s->gid = 1;
p->alerts.alerts[p->alerts.cnt-1].s->rev = 1;
SET_PKT_LEN(p, sizeof(raw_gre));
FlowInitConfig(FLOW_QUIET);
DecodeEthernet(&tv, &dtv, p, raw_gre, sizeof(raw_gre), &pq);
FlowShutdown();
oc = Unified2AlertInitCtx(NULL);
if (oc == NULL) {
SCFree(p);
return 0;
}
lf = (LogFileCtx *)oc->data;
if(lf == NULL) {
SCFree(p);
return 0;
}
ret = Unified2AlertThreadInit(&tv, oc, &data);
if(ret == -1) {
SCFree(p);
return 0;
}
ret = Unified2Alert(&tv, p, data, &pq, NULL);
if(ret == TM_ECODE_FAILED) {
SCFree(p);
return 0;
}
ret = Unified2AlertThreadDeinit(&tv, data);
if(ret == -1) {
SCFree(p);
return 0;
}
Unified2AlertDeInitCtx(oc);
Packet *pkt = PacketDequeue(&pq);
while (pkt != NULL) {
SCFree(pkt);
pkt = PacketDequeue(&pq);
}
PACKET_CLEANUP(p);
SCFree(p);
return 1;
}
/**
* \brief UTHBuildPacketReal is a function that create tcp/udp packets for unittests
* specifying ip and port sources and destinations (IPV6)
*
* \param payload pointer to the payloadd buffer
* \param payload_len pointer to the length of the payload
* \param ipproto Protocols allowed atm are IPPROTO_TCP and IPPROTO_UDP
* \param src pointer to a string containing the ip source
* \param dst pointer to a string containing the ip destination
* \param sport pointer to a string containing the port source
* \param dport pointer to a string containing the port destination
*
* \retval Packet pointer to the built in packet
*/
Packet *UTHBuildPacketIPV6Real(uint8_t *payload, uint16_t payload_len,
uint8_t ipproto, char *src, char *dst,
uint16_t sport, uint16_t dport)
{
uint32_t in[4];
Packet *p = PacketGetFromAlloc();
if (unlikely(p == NULL))
return NULL;
TimeSet(&p->ts);
p->src.family = AF_INET6;
p->dst.family = AF_INET6;
p->payload = payload;
p->payload_len = payload_len;
p->proto = ipproto;
p->ip6h = SCMalloc(sizeof(IPV6Hdr));
if (p->ip6h == NULL)
goto error;
memset(p->ip6h, 0, sizeof(IPV6Hdr));
p->ip6h->s_ip6_nxt = ipproto;
p->ip6h->s_ip6_plen = htons(payload_len + sizeof(TCPHdr));
if (inet_pton(AF_INET6, src, &in) != 1)
goto error;
p->src.addr_data32[0] = in[0];
p->src.addr_data32[1] = in[1];
p->src.addr_data32[2] = in[2];
p->src.addr_data32[3] = in[3];
p->sp = sport;
p->ip6h->s_ip6_src[0] = in[0];
p->ip6h->s_ip6_src[1] = in[1];
p->ip6h->s_ip6_src[2] = in[2];
p->ip6h->s_ip6_src[3] = in[3];
if (inet_pton(AF_INET6, dst, &in) != 1)
goto error;
p->dst.addr_data32[0] = in[0];
p->dst.addr_data32[1] = in[1];
p->dst.addr_data32[2] = in[2];
p->dst.addr_data32[3] = in[3];
p->dp = dport;
p->ip6h->s_ip6_dst[0] = in[0];
p->ip6h->s_ip6_dst[1] = in[1];
p->ip6h->s_ip6_dst[2] = in[2];
p->ip6h->s_ip6_dst[3] = in[3];
p->tcph = SCMalloc(sizeof(TCPHdr));
if (p->tcph == NULL)
goto error;
memset(p->tcph, 0, sizeof(TCPHdr));
p->tcph->th_sport = htons(sport);
p->tcph->th_dport = htons(dport);
SET_PKT_LEN(p, sizeof(IPV6Hdr) + sizeof(TCPHdr) + payload_len);
return p;
error:
if (p != NULL) {
if (p->ip6h != NULL) {
SCFree(p->ip6h);
}
if (p->tcph != NULL) {
SCFree(p->tcph);
}
SCFree(p);
}
return NULL;
}
/**
* \brief Pfring Packet Process function.
*
* This function fills in our packet structure from libpfring.
* From here the packets are picked up by the DecodePfring thread.
*
* \param user pointer to PfringThreadVars
* \param h pointer to pfring packet header
* \param p pointer to the current packet
*/
static inline void PfringProcessPacket(void *user, struct pfring_pkthdr *h, Packet *p)
{
PfringThreadVars *ptv = (PfringThreadVars *)user;
ptv->bytes += h->caplen;
ptv->pkts++;
p->livedev = ptv->livedev;
/* PF_RING may fail to set timestamp */
if (h->ts.tv_sec == 0) {
gettimeofday((struct timeval *)&h->ts, NULL);
}
p->ts.tv_sec = h->ts.tv_sec;
p->ts.tv_usec = h->ts.tv_usec;
/* PF_RING all packets are marked as a link type of ethernet
* so that is what we do here. */
p->datalink = LINKTYPE_ETHERNET;
/* In the past, we needed this vlan handling in cases
* where the vlan header was stripped from the raw packet.
* With modern (at least >= 6) versions of PF_RING, the
* 'copy_data_to_ring' function (kernel/pf_ring.c) makes
* sure that if the hardware stripped the vlan header,
* it is put back by PF_RING.
*
* PF_RING should put it back in all cases, but as a extra
* precaution keep the check here. If the vlan header is
* part of the raw packet, the vlan_offset will be set.
* So is it is not set, use the parsed info from PF_RING's
* extended header.
*/
if ((!ptv->vlan_disabled) &&
h->extended_hdr.parsed_pkt.offset.vlan_offset == 0 &&
h->extended_hdr.parsed_pkt.vlan_id)
{
p->vlan_id[0] = h->extended_hdr.parsed_pkt.vlan_id & 0x0fff;
p->vlan_idx = 1;
p->vlanh[0] = NULL;
if (!ptv->vlan_hdr_warned) {
SCLogWarning(SC_ERR_PF_RING_VLAN, "no VLAN header in the raw "
"packet. See #2355.");
ptv->vlan_hdr_warned = true;
}
}
switch (ptv->checksum_mode) {
case CHECKSUM_VALIDATION_RXONLY:
if (h->extended_hdr.rx_direction == 0) {
p->flags |= PKT_IGNORE_CHECKSUM;
}
break;
case CHECKSUM_VALIDATION_DISABLE:
p->flags |= PKT_IGNORE_CHECKSUM;
break;
case CHECKSUM_VALIDATION_AUTO:
if (ptv->livedev->ignore_checksum) {
p->flags |= PKT_IGNORE_CHECKSUM;
} else if (ChecksumAutoModeCheck(ptv->pkts,
SC_ATOMIC_GET(ptv->livedev->pkts),
SC_ATOMIC_GET(ptv->livedev->invalid_checksums))) {
ptv->livedev->ignore_checksum = 1;
p->flags |= PKT_IGNORE_CHECKSUM;
}
break;
default:
break;
}
SET_PKT_LEN(p, h->caplen);
}
/**
* \brief Copy data to Packet payload and set packet length
*
* \param Pointer to the Packet to modify
* \param Pointer to the data to copy
* \param Length of the data to copy
*/
inline int PacketCopyData(Packet *p, uint8_t *pktdata, int pktlen)
{
SET_PKT_LEN(p, (size_t)pktlen);
return PacketCopyDataOffset(p, 0, pktdata, pktlen);
}
/**
* \internal
* \brief Pseudo packet setup for flow forced reassembly.
*
* \param direction Direction of the packet. 0 indicates toserver and 1
* indicates toclient.
* \param f Pointer to the flow.
* \param ssn Pointer to the tcp session.
* \param dummy Indicates to create a dummy pseudo packet. Not all pseudo
* packets need to force reassembly, in which case we just
* set dummy ack/seq values.
*/
static inline Packet *FlowForceReassemblyPseudoPacketSetup(Packet *p,
int direction,
Flow *f,
TcpSession *ssn,
int dummy)
{
p->datalink = DLT_RAW;
p->proto = IPPROTO_TCP;
FlowReference(&p->flow, f);
p->flags |= PKT_STREAM_EST;
p->flags |= PKT_STREAM_EOF;
p->flags |= PKT_HAS_FLOW;
p->flags |= PKT_PSEUDO_STREAM_END;
if (direction == 0)
p->flowflags |= FLOW_PKT_TOSERVER;
else
p->flowflags |= FLOW_PKT_TOCLIENT;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->payload = NULL;
p->payload_len = 0;
if (FLOW_IS_IPV4(f)) {
if (direction == 0) {
FLOW_COPY_IPV4_ADDR_TO_PACKET(&f->src, &p->src);
FLOW_COPY_IPV4_ADDR_TO_PACKET(&f->dst, &p->dst);
p->sp = f->sp;
p->dp = f->dp;
} else {
FLOW_COPY_IPV4_ADDR_TO_PACKET(&f->src, &p->dst);
FLOW_COPY_IPV4_ADDR_TO_PACKET(&f->dst, &p->src);
p->sp = f->dp;
p->dp = f->sp;
}
/* set the ip header */
p->ip4h = (IPV4Hdr *)GET_PKT_DATA(p);
/* version 4 and length 20 bytes for the tcp header */
p->ip4h->ip_verhl = 0x45;
p->ip4h->ip_tos = 0;
p->ip4h->ip_len = htons(40);
p->ip4h->ip_id = 0;
p->ip4h->ip_off = 0;
p->ip4h->ip_ttl = 64;
p->ip4h->ip_proto = IPPROTO_TCP;
//p->ip4h->ip_csum =
if (direction == 0) {
p->ip4h->s_ip_src.s_addr = f->src.addr_data32[0];
p->ip4h->s_ip_dst.s_addr = f->dst.addr_data32[0];
} else {
p->ip4h->s_ip_src.s_addr = f->dst.addr_data32[0];
p->ip4h->s_ip_dst.s_addr = f->src.addr_data32[0];
}
/* set the tcp header */
p->tcph = (TCPHdr *)((uint8_t *)GET_PKT_DATA(p) + 20);
SET_PKT_LEN(p, 40); /* ipv4 hdr + tcp hdr */
} else if (FLOW_IS_IPV6(f)) {
if (direction == 0) {
FLOW_COPY_IPV6_ADDR_TO_PACKET(&f->src, &p->src);
FLOW_COPY_IPV6_ADDR_TO_PACKET(&f->dst, &p->dst);
p->sp = f->sp;
p->dp = f->dp;
} else {
FLOW_COPY_IPV6_ADDR_TO_PACKET(&f->src, &p->dst);
FLOW_COPY_IPV6_ADDR_TO_PACKET(&f->dst, &p->src);
p->sp = f->dp;
p->dp = f->sp;
}
/* set the ip header */
p->ip6h = (IPV6Hdr *)GET_PKT_DATA(p);
/* version 6 */
p->ip6h->s_ip6_vfc = 0x60;
p->ip6h->s_ip6_flow = 0;
p->ip6h->s_ip6_nxt = IPPROTO_TCP;
p->ip6h->s_ip6_plen = htons(20);
p->ip6h->s_ip6_hlim = 64;
if (direction == 0) {
p->ip6h->s_ip6_src[0] = f->src.addr_data32[0];
p->ip6h->s_ip6_src[1] = f->src.addr_data32[1];
p->ip6h->s_ip6_src[2] = f->src.addr_data32[2];
p->ip6h->s_ip6_src[3] = f->src.addr_data32[3];
p->ip6h->s_ip6_dst[0] = f->dst.addr_data32[0];
p->ip6h->s_ip6_dst[1] = f->dst.addr_data32[1];
p->ip6h->s_ip6_dst[2] = f->dst.addr_data32[2];
p->ip6h->s_ip6_dst[3] = f->dst.addr_data32[3];
} else {
p->ip6h->s_ip6_src[0] = f->dst.addr_data32[0];
p->ip6h->s_ip6_src[1] = f->dst.addr_data32[1];
p->ip6h->s_ip6_src[2] = f->dst.addr_data32[2];
p->ip6h->s_ip6_src[3] = f->dst.addr_data32[3];
p->ip6h->s_ip6_dst[0] = f->src.addr_data32[0];
p->ip6h->s_ip6_dst[1] = f->src.addr_data32[1];
p->ip6h->s_ip6_dst[2] = f->src.addr_data32[2];
p->ip6h->s_ip6_dst[3] = f->src.addr_data32[3];
}
/* set the tcp header */
p->tcph = (TCPHdr *)((uint8_t *)GET_PKT_DATA(p) + 40);
SET_PKT_LEN(p, 60); /* ipv6 hdr + tcp hdr */
}
p->tcph->th_offx2 = 0x50;
p->tcph->th_flags |= TH_ACK;
p->tcph->th_win = 10;
p->tcph->th_urp = 0;
/* to server */
if (direction == 0) {
p->tcph->th_sport = htons(f->sp);
p->tcph->th_dport = htons(f->dp);
if (dummy) {
p->tcph->th_seq = htonl(ssn->client.next_seq);
p->tcph->th_ack = htonl(ssn->server.last_ack);
} else {
p->tcph->th_seq = htonl(ssn->client.next_seq);
p->tcph->th_ack = htonl(ssn->server.seg_list_tail->seq +
ssn->server.seg_list_tail->payload_len);
}
/* to client */
} else {
p->tcph->th_sport = htons(f->dp);
p->tcph->th_dport = htons(f->sp);
if (dummy) {
p->tcph->th_seq = htonl(ssn->server.next_seq);
p->tcph->th_ack = htonl(ssn->client.last_ack);
} else {
p->tcph->th_seq = htonl(ssn->server.next_seq);
p->tcph->th_ack = htonl(ssn->client.seg_list_tail->seq +
ssn->client.seg_list_tail->payload_len);
}
}
if (FLOW_IS_IPV4(f)) {
p->tcph->th_sum = TCPCalculateChecksum(p->ip4h->s_ip_addrs,
(uint16_t *)p->tcph, 20);
/* calc ipv4 csum as we may log it and barnyard might reject
* a wrong checksum */
p->ip4h->ip_csum = IPV4CalculateChecksum((uint16_t *)p->ip4h,
IPV4_GET_RAW_HLEN(p->ip4h));
} else if (FLOW_IS_IPV6(f)) {
p->tcph->th_sum = TCPCalculateChecksum(p->ip6h->s_ip6_addrs,
(uint16_t *)p->tcph, 20);
}
memset(&p->ts, 0, sizeof(struct timeval));
TimeGet(&p->ts);
AppLayerSetEOF(f);
return p;
}
static int Unified2Test02 (void) {
ThreadVars tv;
DecodeThreadVars dtv;
PacketQueue pq;
void *data = NULL;
OutputCtx *oc;
LogFileCtx *lf;
Signature s;
uint8_t raw_ipv6_tcp[] = {
0x00, 0x11, 0x25, 0x82, 0x95, 0xb5, 0x00, 0xd0,
0x09, 0xe3, 0xe8, 0xde, 0x86, 0xdd, 0x60, 0x00,
0x00, 0x00, 0x00, 0x28, 0x06, 0x40, 0x20, 0x01,
0x06, 0xf8, 0x10, 0x2d, 0x00, 0x00, 0x02, 0xd0,
0x09, 0xff, 0xfe, 0xe3, 0xe8, 0xde, 0x20, 0x01,
0x06, 0xf8, 0x09, 0x00, 0x07, 0xc0, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xe7, 0x41,
0x00, 0x50, 0xab, 0xdc, 0xd6, 0x60, 0x00, 0x00,
0x00, 0x00, 0xa0, 0x02, 0x16, 0x80, 0x41, 0xa2,
0x00, 0x00, 0x02, 0x04, 0x05, 0xa0, 0x04, 0x02,
0x08, 0x0a, 0x00, 0x0a, 0x22, 0xa8, 0x00, 0x00,
0x00, 0x00, 0x01, 0x03, 0x03, 0x05 };
Packet *p = SCMalloc(SIZE_OF_PACKET);
if (unlikely(p == NULL))
return 0;
int ret;
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&tv, 0, sizeof(ThreadVars));
memset(&pq, 0, sizeof(PacketQueue));
memset(p, 0, SIZE_OF_PACKET);
p->pkt = (uint8_t *)(p + 1);
memset(&s, 0, sizeof(Signature));
PACKET_INITIALIZE(p);
p->alerts.cnt++;
p->alerts.alerts[p->alerts.cnt-1].s = &s;
p->alerts.alerts[p->alerts.cnt-1].s->id = 1;
p->alerts.alerts[p->alerts.cnt-1].s->gid = 1;
p->alerts.alerts[p->alerts.cnt-1].s->rev = 1;
SET_PKT_LEN(p, sizeof(raw_ipv6_tcp));
FlowInitConfig(FLOW_QUIET);
DecodeEthernet(&tv, &dtv, p, raw_ipv6_tcp, sizeof(raw_ipv6_tcp), &pq);
FlowShutdown();
oc = Unified2AlertInitCtx(NULL);
if (oc == NULL) {
SCFree(p);
return 0;
}
lf = (LogFileCtx *)oc->data;
if(lf == NULL) {
SCFree(p);
return 0;
}
ret = Unified2AlertThreadInit(&tv, oc, &data);
if(ret == -1) {
SCFree(p);
return 0;
}
ret = Unified2Alert(&tv, p, data, &pq, NULL);
if(ret == TM_ECODE_FAILED) {
SCFree(p);
return 0;
}
ret = Unified2AlertThreadDeinit(&tv, data);
if(ret == -1) {
SCFree(p);
return 0;
}
Unified2AlertDeInitCtx(oc);
PACKET_CLEANUP(p);
SCFree(p);
return 1;
}
int NFQSetupPkt (Packet *p, struct nfq_q_handle *qh, void *data)
{
struct nfq_data *tb = (struct nfq_data *)data;
int ret;
char *pktdata;
struct nfqnl_msg_packet_hdr *ph;
ph = nfq_get_msg_packet_hdr(tb);
if (ph != NULL) {
p->nfq_v.id = ntohl(ph->packet_id);
//p->nfq_v.hw_protocol = ntohs(p->nfq_v.ph->hw_protocol);
p->nfq_v.hw_protocol = ph->hw_protocol;
}
p->nfq_v.mark = nfq_get_nfmark(tb);
if (nfq_config.mode == NFQ_REPEAT_MODE) {
if ((nfq_config.mark & nfq_config.mask) ==
(p->nfq_v.mark & nfq_config.mask)) {
int iter = 0;
if (already_seen_warning < MAX_ALREADY_TREATED)
SCLogInfo("Packet seems already treated by suricata");
already_seen_warning++;
do {
ret = nfq_set_verdict(qh, p->nfq_v.id, NF_ACCEPT, 0, NULL);
} while ((ret < 0) && (iter++ < NFQ_VERDICT_RETRY_TIME));
if (ret < 0) {
SCLogWarning(SC_ERR_NFQ_SET_VERDICT,
"nfq_set_verdict of %p failed %" PRId32 "",
p, ret);
}
return -1 ;
}
}
p->nfq_v.ifi = nfq_get_indev(tb);
p->nfq_v.ifo = nfq_get_outdev(tb);
#ifdef NFQ_GET_PAYLOAD_SIGNED
ret = nfq_get_payload(tb, &pktdata);
#else
ret = nfq_get_payload(tb, (unsigned char **) &pktdata);
#endif /* NFQ_GET_PAYLOAD_SIGNED */
if (ret > 0) {
/* nfq_get_payload returns a pointer to a part of memory
* that is not preserved over the lifetime of our packet.
* So we need to copy it. */
if (ret > 65536) {
/* Will not be able to copy data ! Set length to 0
* to trigger an error in packet decoding.
* This is unlikely to happen */
SCLogWarning(SC_ERR_INVALID_ARGUMENTS, "NFQ sent too big packet");
SET_PKT_LEN(p, 0);
} else {
PacketCopyData(p, (uint8_t *)pktdata, ret);
}
} else if (ret == -1) {
/* unable to get pointer to data, ensure packet length is zero.
* This will trigger an error in packet decoding */
SET_PKT_LEN(p, 0);
}
ret = nfq_get_timestamp(tb, &p->ts);
if (ret != 0) {
memset (&p->ts, 0, sizeof(struct timeval));
gettimeofday(&p->ts, NULL);
}
p->datalink = DLT_RAW;
return 0;
}
/**
* \brief Process a DAG record into a TM packet buffer.
* \param prec pointer to a DAG record.
* \param
*/
static inline TmEcode ProcessErfDagRecord(ErfDagThreadVars *ewtn, char *prec)
{
SCEnter();
int wlen = 0;
int rlen = 0;
int hdr_num = 0;
char hdr_type = 0;
dag_record_t *dr = (dag_record_t*)prec;
erf_payload_t *pload;
Packet *p;
hdr_type = dr->type;
wlen = ntohs(dr->wlen);
rlen = ntohs(dr->rlen);
/* count extension headers */
while (hdr_type & 0x80) {
if (rlen < (dag_record_size + (hdr_num * 8))) {
SCLogError(SC_ERR_UNIMPLEMENTED,
"Insufficient captured packet length.");
SCReturnInt(TM_ECODE_FAILED);
}
hdr_type = prec[(dag_record_size + (hdr_num * 8))];
hdr_num++;
}
/* Check that the whole frame was captured */
if (rlen < (dag_record_size + (8 * hdr_num) + 2 + wlen)) {
SCLogInfo("Incomplete frame captured.");
SCReturnInt(TM_ECODE_OK);
}
/* skip over extension headers */
pload = (erf_payload_t *)(prec + dag_record_size + (8 * hdr_num));
p = PacketGetFromQueueOrAlloc();
if (p == NULL) {
SCLogError(SC_ERR_MEM_ALLOC,
"Failed to allocate a Packet on stream: %d, DAG: %s",
ewtn->dagstream, ewtn->dagname);
SCReturnInt(TM_ECODE_FAILED);
}
PKT_SET_SRC(p, PKT_SRC_WIRE);
SET_PKT_LEN(p, wlen);
p->datalink = LINKTYPE_ETHERNET;
/* Take into account for link type Ethernet ETH frame starts
* after ther ERF header + pad.
*/
if (unlikely(PacketCopyData(p, pload->eth.dst, GET_PKT_LEN(p)))) {
TmqhOutputPacketpool(ewtn->tv, p);
SCReturnInt(TM_ECODE_FAILED);
}
/* Convert ERF time to timeval - from libpcap. */
uint64_t ts = dr->ts;
p->ts.tv_sec = ts >> 32;
ts = (ts & 0xffffffffULL) * 1000000;
ts += 0x80000000; /* rounding */
p->ts.tv_usec = ts >> 32;
if (p->ts.tv_usec >= 1000000) {
p->ts.tv_usec -= 1000000;
p->ts.tv_sec++;
}
SCPerfCounterIncr(ewtn->packets, ewtn->tv->sc_perf_pca);
ewtn->bytes += wlen;
if (TmThreadsSlotProcessPkt(ewtn->tv, ewtn->slot, p) != TM_ECODE_OK) {
TmqhOutputPacketpool(ewtn->tv, p);
SCReturnInt(TM_ECODE_FAILED);
}
SCReturnInt(TM_ECODE_OK);
}
/**
* \brief UTHBuildPacketReal is a function that create tcp/udp packets for unittests
* specifying ip and port sources and destinations
*
* \param payload pointer to the payloadd buffer
* \param payload_len pointer to the length of the payload
* \param ipproto Protocols allowed atm are IPPROTO_TCP and IPPROTO_UDP
* \param src pointer to a string containing the ip source
* \param dst pointer to a string containing the ip destination
* \param sport pointer to a string containing the port source
* \param dport pointer to a string containing the port destination
*
* \retval Packet pointer to the built in packet
*/
Packet *UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len,
uint8_t ipproto, char *src, char *dst,
uint16_t sport, uint16_t dport)
{
struct in_addr in;
Packet *p = PacketGetFromAlloc();
if (unlikely(p == NULL))
return NULL;
struct timeval tv;
TimeGet(&tv);
COPY_TIMESTAMP(&tv, &p->ts);
p->src.family = AF_INET;
p->dst.family = AF_INET;
p->payload = payload;
p->payload_len = payload_len;
p->proto = ipproto;
if (inet_pton(AF_INET, src, &in) != 1)
goto error;
p->src.addr_data32[0] = in.s_addr;
p->sp = sport;
if (inet_pton(AF_INET, dst, &in) != 1)
goto error;
p->dst.addr_data32[0] = in.s_addr;
p->dp = dport;
p->ip4h = (IPV4Hdr *)GET_PKT_DATA(p);
if (p->ip4h == NULL)
goto error;
p->ip4h->s_ip_src.s_addr = p->src.addr_data32[0];
p->ip4h->s_ip_dst.s_addr = p->dst.addr_data32[0];
p->ip4h->ip_proto = ipproto;
p->ip4h->ip_verhl = sizeof(IPV4Hdr);
p->proto = ipproto;
int hdr_offset = sizeof(IPV4Hdr);
switch (ipproto) {
case IPPROTO_UDP:
p->udph = (UDPHdr *)(GET_PKT_DATA(p) + sizeof(IPV4Hdr));
if (p->udph == NULL)
goto error;
p->udph->uh_sport = sport;
p->udph->uh_dport = dport;
hdr_offset += sizeof(UDPHdr);
break;
case IPPROTO_TCP:
p->tcph = (TCPHdr *)(GET_PKT_DATA(p) + sizeof(IPV4Hdr));
if (p->tcph == NULL)
goto error;
p->tcph->th_sport = htons(sport);
p->tcph->th_dport = htons(dport);
hdr_offset += sizeof(TCPHdr);
break;
case IPPROTO_ICMP:
p->icmpv4h = (ICMPV4Hdr *)(GET_PKT_DATA(p) + sizeof(IPV4Hdr));
if (p->icmpv4h == NULL)
goto error;
hdr_offset += sizeof(ICMPV4Hdr);
break;
default:
break;
/* TODO: Add more protocols */
}
PacketCopyDataOffset(p, hdr_offset, payload, payload_len);
SET_PKT_LEN(p, hdr_offset + payload_len);
p->payload = GET_PKT_DATA(p)+hdr_offset;
return p;
error:
SCFree(p);
return NULL;
}
