void sfiph_orig_build(Packet *p, const void *hdr, int family)
{
IP6RawHdr *hdr6;
IPHdr *hdr4;
if(!p || !hdr)
return;
/* If iph_api is already set, we've been here before.
* That means this is a nested IP. */
if (p->orig_iph_api && (p->orig_iph_api->ver == IPH_API_V4))
{
memcpy(&p->outer_orig_ip4h, &p->inner_orig_ip4h, sizeof(IP4Hdr));
p->outer_orig_iph_api = p->orig_iph_api;
}
else if (p->orig_iph_api && (p->orig_iph_api->ver == IPH_API_V6))
{
memcpy(&p->outer_orig_ip6h, &p->inner_orig_ip6h, sizeof(IP6Hdr));
p->outer_orig_iph_api = p->orig_iph_api;
}
set_callbacks(p, family, CALLBACK_ICMP_ORIG);
if(family == AF_INET)
{
hdr4 = (IPHdr*)hdr;
/* The struct Snort uses is identical to the actual IP6 struct,
* with the exception of the IP addresses. Copy over everything but
* the IPs */
memcpy(&p->inner_orig_ip4h, hdr4, sizeof(IPHdr) - 8);
sfip_set_raw(&p->inner_orig_ip4h.ip_src, &hdr4->ip_src, p->family);
sfip_set_raw(&p->inner_orig_ip4h.ip_dst, &hdr4->ip_dst, p->family);
p->actual_ip_len = ntohs(p->inner_orig_ip4h.ip_len);
p->orig_ip4h = &p->inner_orig_ip4h;
}
else
{
hdr6 = (IP6RawHdr*)hdr;
/* The struct Snort uses is identical to the actual IP6 struct,
* with the exception of the IP addresses. Copy over everything but
* the IPs*/
memcpy(&p->inner_orig_ip6h, hdr6, sizeof(IP6RawHdr) - 32);
sfip_set_raw(&p->inner_orig_ip6h.ip_src, &hdr6->ip6_src, p->family);
sfip_set_raw(&p->inner_orig_ip6h.ip_dst, &hdr6->ip6_dst, p->family);
p->actual_ip_len = ntohs(p->inner_orig_ip6h.len) + IP6_HDR_LEN;
p->orig_ip6h = &p->inner_orig_ip6h;
}
}
static int packet_to_data(Packet *p, void *event, idmef_alert_t *alert)
{
int i;
if ( ! p )
return 0;
add_int_data(alert, "snort_rule_sid", ntohl(((Unified2EventCommon *)event)->signature_id));
add_int_data(alert, "snort_rule_rev", ntohl(((Unified2EventCommon *)event)->signature_revision));
if ( IPH_IS_VALID(p) ) {
add_int_data(alert, "ip_ver", GET_IPH_VER(p));
add_int_data(alert, "ip_hlen", GET_IPH_HLEN(p));
add_int_data(alert, "ip_tos", GET_IPH_TOS(p));
add_int_data(alert, "ip_len", ntohs(GET_IPH_LEN(p)));
#ifdef SUP_IP6
// XXX-IPv6 need fragmentation ID
#else
add_int_data(alert, "ip_id", ntohs(p->iph->ip_id));
#endif
#ifdef SUP_IP6
// XXX-IPv6 need fragmentation offset
#else
add_int_data(alert, "ip_off", ntohs(p->iph->ip_off));
#endif
add_int_data(alert, "ip_ttl", GET_IPH_TTL(p));
add_int_data(alert, "ip_proto", GET_IPH_PROTO(p));
#ifdef SUP_IP6
// XXX-IPv6 need checksum
#else
add_int_data(alert, "ip_sum", ntohs(p->iph->ip_csum));
#endif
for ( i = 0; i < p->ip_option_count; i++ ) {
add_int_data(alert, "ip_option_code", p->ip_options[i].code);
add_byte_data(alert, "ip_option_data",
p->ip_options[i].data, p->ip_options[i].len);
}
}
if ( p->tcph ) {
add_int_data(alert, "tcp_seq", ntohl(p->tcph->th_seq));
add_int_data(alert, "tcp_ack", ntohl(p->tcph->th_ack));
add_int_data(alert, "tcp_off", TCP_OFFSET(p->tcph));
add_int_data(alert, "tcp_res", TCP_X2(p->tcph));
add_int_data(alert, "tcp_flags", p->tcph->th_flags);
add_int_data(alert, "tcp_win", ntohs(p->tcph->th_win));
add_int_data(alert, "tcp_sum", ntohs(p->tcph->th_sum));
add_int_data(alert, "tcp_urp", ntohs(p->tcph->th_urp));
for ( i = 0; i < p->tcp_option_count; i++ ) {
add_int_data(alert, "tcp_option_code", p->tcp_options[i].code);
add_byte_data(alert, "tcp_option_data", p->tcp_options[i].data, p->tcp_options[i].len);
}
}
else if ( p->udph ) {
add_int_data(alert, "udp_len", ntohs(p->udph->uh_len));
add_int_data(alert, "udp_sum", ntohs(p->udph->uh_chk));
}
else if ( p->icmph ) {
add_int_data(alert, "icmp_type", p->icmph->type);
add_int_data(alert, "icmp_code", p->icmph->code);
add_int_data(alert, "icmp_sum", ntohs(p->icmph->csum));
switch ( p->icmph->type ) {
case ICMP_ECHO:
case ICMP_ECHOREPLY:
case ICMP_INFO_REQUEST:
case ICMP_INFO_REPLY:
case ICMP_ADDRESS:
case ICMP_TIMESTAMP:
add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
break;
case ICMP_ADDRESSREPLY:
add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
add_int_data(alert, "icmp_mask", (uint32_t) ntohl(p->icmph->s_icmp_mask));
break;
case ICMP_REDIRECT:
#ifndef SUP_IP6
add_string_data(alert, "icmp_gwaddr", inet_ntoa(p->icmph->s_icmp_gwaddr));
#else
{
sfip_t gwaddr;
sfip_set_raw(&gwaddr, (void *)&p->icmph->s_icmp_gwaddr.s_addr, AF_INET);
add_string_data(alert, "icmp_gwaddr", inet_ntoa(&gwaddr));
}
#endif
break;
case ICMP_ROUTER_ADVERTISE:
add_int_data(alert, "icmp_num_addrs", p->icmph->s_icmp_num_addrs);
add_int_data(alert, "icmp_wpa", p->icmph->s_icmp_wpa);
add_int_data(alert, "icmp_lifetime", ntohs(p->icmph->s_icmp_lifetime));
break;
case ICMP_TIMESTAMPREPLY:
add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
add_int_data(alert, "icmp_otime", p->icmph->s_icmp_otime);
add_int_data(alert, "icmp_rtime", p->icmph->s_icmp_rtime);
add_int_data(alert, "icmp_ttime", p->icmph->s_icmp_ttime);
break;
}
}
add_byte_data(alert, "payload", p->data, p->dsize);
return 0;
}