/**
 * \brief Add IPv4 header data, to be stored in the Additional Data
 * field of the IDMEF alert (see section 4.2.4.6 of RFC 4765).
 *
 * Each header field is read through the IPV4_GET_RAW_* accessors on
 * p->ip4h; the multi-byte fields (total length, id, fragment offset,
 * checksum) are converted from network byte order before being stored.
 * p->ip4h is not NULL-checked here; the caller is expected to have
 * selected an IPv4 packet — TODO confirm at the call site.
 *
 * \param p     Packet whose IPv4 header is exported
 * \param pa    Alert being exported (not used by this function)
 * \param alert IDMEF alert the additional-data entries are appended to
 *
 * \return 0 if ok
 */
static int PacketToDataV4(Packet *p, PacketAlert *pa, idmef_alert_t *alert)
{
    SCEnter();

    /* Name/value pairs in the order they are emitted into the alert. */
    const struct {
        const char *name;
        unsigned int value;
    } fields[] = {
        { "ip_ver",   IPV4_GET_RAW_VER(p->ip4h) },
        { "ip_hlen",  IPV4_GET_RAW_HLEN(p->ip4h) },
        { "ip_tos",   IPV4_GET_RAW_IPTOS(p->ip4h) },
        { "ip_len",   ntohs(IPV4_GET_RAW_IPLEN(p->ip4h)) },
        { "ip_id",    ntohs(IPV4_GET_RAW_IPID(p->ip4h)) },
        { "ip_off",   ntohs(IPV4_GET_RAW_IPOFFSET(p->ip4h)) },
        { "ip_ttl",   IPV4_GET_RAW_IPTTL(p->ip4h) },
        { "ip_proto", IPV4_GET_RAW_IPPROTO(p->ip4h) },
        { "ip_sum",   ntohs(p->ip4h->ip_csum) },
    };

    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        AddIntData(alert, fields[i].name, fields[i].value);
    }

    SCReturnInt(0);
}
/**
 * \brief Checks if the packet sent as the argument, has a valid or invalid
 *        icmpv4 checksum, based on whether icmpv4-csum option for this rule
 *        has been supplied with "valid" or "invalid" argument
 *
 * The checksum is computed at most once per packet and cached in
 * p->level4_comp_csum (-1 means "not computed yet"). The ICMP length
 * handed to ICMPV4CalculateChecksum is ip_len minus the IPv4 header
 * length in bytes; this relies on the decoder having already rejected
 * packets whose total length is shorter than their header — TODO confirm.
 *
 * \param t       Pointer to the tv for this detection module instance
 * \param det_ctx Pointer to the detection engine thread context
 * \param p       Pointer to the Packet currently being matched
 * \param s       Pointer to the Signature, the packet is being currently
 *                matched with
 * \param ctx     Pointer to the keyword_structure (DetectCsumData) from the
 *                above Signature, the Packet is being currently matched with
 *
 * \retval 1 if the Packet contents match the keyword option; 0 otherwise
 */
static int DetectICMPV4CsumMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
        Packet *p, const Signature *s, const SigMatchCtx *ctx)
{
    const DetectCsumData *cd = (const DetectCsumData *)ctx;

    /* Only a real (non-pseudo) ICMP-over-IPv4 packet has a checksum to test. */
    const int has_icmpv4 = p->ip4h != NULL && p->icmpv4h != NULL
                           && p->proto == IPPROTO_ICMP && !PKT_IS_PSEUDOPKT(p);
    if (!has_icmpv4) {
        return 0;
    }

    /* Checksum verification is disabled for this packet: the result is
     * whatever the rule asked for, so the keyword never blocks the match. */
    if (p->flags & PKT_IGNORE_CHECKSUM) {
        return cd->valid;
    }

    /* Lazily compute and cache the checksum over the ICMP portion. */
    if (p->level4_comp_csum == -1) {
        const int icmp_len = ntohs(IPV4_GET_RAW_IPLEN(p->ip4h))
                             - IPV4_GET_RAW_HLEN(p->ip4h) * 4;
        p->level4_comp_csum =
            ICMPV4CalculateChecksum((uint16_t *)p->icmpv4h, icmp_len);
    }

    /* A "valid" rule matches when computed == wire checksum; an "invalid"
     * rule matches when they differ. Any other cd->valid value never matches. */
    const int csum_matches = (p->level4_comp_csum == p->icmpv4h->checksum);
    if (csum_matches) {
        return cd->valid == 1;
    }
    return cd->valid == 0;
}