
sf_snort_packet.h
1 /*
2  * sf_snort_packet.h
3  *
4  * This program is free software; you can redistribute it and/or modify
5  * it under the terms of the GNU General Public License Version 2 as
6  * published by the Free Software Foundation. You may not use, modify or
7  * distribute this program under any other version of the GNU General
8  * Public License.
9  *
10  * This program is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13  * GNU General Public License for more details.
14  *
15  * You should have received a copy of the GNU General Public License
16  * along with this program; if not, write to the Free Software
17  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18  *
19  * Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
20  * Copyright (C) 2005-2013 Sourcefire, Inc.
21  *
22  * Author: Steve Sturges
23  * Andy Mullican
24  *
25  * Date: 5/2005
26  *
27  * Sourcefire Black-box Plugin API for rules
28  *
29  */
30 
31 #ifndef _SF_SNORT_PACKET_H_
32 #define _SF_SNORT_PACKET_H_
33 
34 #ifndef WIN32
35 #include <sys/types.h>
36 #include <netinet/in.h>
37 #else
38 #include <winsock2.h>
39 #include <windows.h>
40 #endif
41 
42 #include <daq.h>
43 #include <sfbpf_dlt.h>
44 
45 #include "sf_ip.h"
46 #include "sf_protocols.h"
47 #include "preprocids.h"
48 
49 #define VLAN_HDR_LEN 4
50 
51 /* for vrt backwards compatibility */
52 #define pcap_header pkt_header
53 
54 typedef int (*LogFunction)(void *ssnptr, uint8_t **buf, uint32_t *len, uint32_t *type);
55 
56 typedef DAQ_PktHdr_t SFDAQ_PktHdr_t;
57 
58 #define VTH_PRIORITY(vh) ((ntohs((vh)->vth_pri_cfi_vlan) & 0xe000) >> 13)
59 #define VTH_CFI(vh) ((ntohs((vh)->vth_pri_cfi_vlan) & 0x1000) >> 12)
60 #define VTH_VLAN(vh) ((uint16_t)(ntohs((vh)->vth_pri_cfi_vlan) & 0x0FFF))
61 
62 typedef struct _VlanHeader
63 {
65  uint16_t vth_proto; /* protocol field... */
66 
68 
69 /*#define NO_NON_ETHER_DECODER */
70 #define ETHER_HDR_LEN 14
71 #define ETHERNET_TYPE_IP 0x0800
72 #define ETHERNET_TYPE_IPV6 0x86dd
73 #define ETHERNET_TYPE_8021Q 0x8100
74 /*
75  * Cisco MetaData header
76  */
77 
78 typedef struct _CiscoMetaHdr
79 {
80  uint8_t version; // This must be 1
81  uint8_t length; //This is the header size in bytes / 8
83 
84 /*
85  * Cisco MetaData header options
86  */
87 
88 typedef struct _CiscoMetaOpt
89 {
90  uint16_t opt_len_type; /* 3-bit length + 13-bit type. Length of 0 = 4. Type must be 1. */
91  uint16_t sgt; /* Can be any value except 0xFFFF */
93 
94 
95 typedef struct _EtherHeader
96 {
100 
102 
103 /* We must twiddle the offset of the ethernet header so that the IP header
104  * is aligned on Solaris -- maybe this will work on HPUX too.
105  */
106 #if defined (SOLARIS) || defined (SUNOS) || defined (__sparc__) || defined(__sparc64__) || defined (HPUX)
107 #define SUN_SPARC_TWIDDLE 2
108 #else
109 #define SUN_SPARC_TWIDDLE 0
110 #endif
111 
112 #define IP_RESBIT 0x8000
113 #ifdef IP_DONTFRAG
114 #undef IP_DONTFRAG
115 #endif
116 #define IP_DONTFRAG 0x4000
117 #define IP_MOREFRAGS 0x2000
118 
119 #ifndef IP_MAXPKT
120 #define IP_MAXPKT 65535 /* maximum packet size */
121 #endif /* IP_MAXPKT */
122 
123 #define IP_HDR_LEN 20
124 
125 #if !defined(SFLINUX) && defined(DAQ_CAPA_CARRIER_ID)
126 #if defined(DAQ_VERSION) && DAQ_VERSION > 10
127 #define GET_SFOUTER_IPH_PROTOID(p, pkt_header) ((uint32_t)(p->pkt_header->carrier_id) ? p->pkt_header->carrier_id : 0 )
128 #else
129 #define GET_SFOUTER_IPH_PROTOID(p, pkt_header) ((uint32_t)((p)->outer_ip4_header ? (IS_IP6(p) ? ((p)->outer_ip6h.next) : ((p)->outer_ip4h.ip_proto)):0))
130 #endif
131 #endif
132 
133 typedef struct _IPV4Header
134 {
143  struct in_addr source;
144  struct in_addr destination;
146 
147 #define MAX_LOG_FUNC 32
148 #define MAX_IP_OPTIONS 40
149 
150 /* ip option codes */
151 #define IPOPTION_EOL 0x00
152 #define IPOPTION_NOP 0x01
153 #define IPOPTION_RR 0x07
154 #define IPOPTION_RTRALT 0x94
155 #define IPOPTION_TS 0x44
156 #define IPOPTION_SECURITY 0x82
157 #define IPOPTION_LSRR 0x83
158 #define IPOPTION_LSRR_E 0x84
159 #define IPOPTION_SATID 0x88
160 #define IPOPTION_SSRR 0x89
161 
162 typedef struct _IPOptions
163 {
168 
169 
170 #define TCP_HDR_LEN 20
171 
172 typedef struct _TCPHeader
173 {
184 
185 #define TCPHEADER_FIN 0x01
186 #define TCPHEADER_SYN 0x02
187 #define TCPHEADER_RST 0x04
188 #define TCPHEADER_PUSH 0x08
189 #define TCPHEADER_ACK 0x10
190 #define TCPHEADER_URG 0x20
191 #define TCPHEADER_ECE 0x40
192 #define TCPHEADER_CWR 0x80
193 #define TCPHEADER_NORESERVED (TCPHEADER_FIN|TCPHEADER_SYN|TCPHEADER_RST \
194  |TCPHEADER_PUSH|TCPHEADER_ACK|TCPHEADER_URG)
195 
196 #define MAX_TCP_OPTIONS 40
197 /* tcp option codes */
198 #define TCPOPT_EOL 0x00
199 #define TCPOPT_NOP 0x01
200 #define TCPOPT_MSS 0x02
201 #define TCPOPT_WSCALE 0x03 /* window scale factor (rfc1072) */
202 #define TCPOPT_SACKOK 0x04 /* selective ack ok (rfc1072) */
203 #define TCPOPT_SACK 0x05 /* selective ack (rfc1072) */
204 #define TCPOPT_ECHO 0x06 /* echo (rfc1072) */
205 #define TCPOPT_ECHOREPLY 0x07 /* echo (rfc1072) */
206 #define TCPOPT_TIMESTAMP 0x08 /* timestamps (rfc1323) */
207 #define TCPOPT_CC 0x11 /* T/TCP CC options (rfc1644) */
208 #define TCPOPT_CCNEW 0x12 /* T/TCP CC options (rfc1644) */
209 #define TCPOPT_CCECHO 0x13 /* T/TCP CC options (rfc1644) */
210 
212 
213 #define UDP_HDR_LEN 8
214 
215 typedef struct _UDPHeader
216 {
222 
223 typedef struct _ICMPSequenceID
224 {
228 
229 typedef struct _ICMPHeader
230 {
234 
235  union
236  {
237  /* type 12 */
239 
240  /* type 5 */
241  struct in_addr gateway_addr;
242 
243  /* type 8, 0 */
245 
246  /* type 13, 14 */
248 
249  /* type 15, 16 */
251 
252  int voidInfo;
253 
254  /* type 3/code=4 (Path MTU, RFC 1191) */
255  struct path_mtu
256  {
260 
261  /* type 9 */
262  struct router_advertisement
263  {
269 
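/* Convenience accessors for the members of icmp_header_union, so callers can
 * write hdr->icmp_echo_id instead of hdr->icmp_header_union.echo.id.
 * Each name must match a field that actually exists in the union:
 * the type-5 member is gateway_addr and the opaque 32-bit member is voidInfo
 * ('void' is a C keyword and cannot be a field name). */
#define icmp_parameter_ptr icmp_header_union.parameter_problem_ptr
#define icmp_gateway_addr icmp_header_union.gateway_addr
#define icmp_echo_id icmp_header_union.echo.id
#define icmp_echo_seq icmp_header_union.echo.seq
#define icmp_timestamp_id icmp_header_union.timestamp.id
#define icmp_timestamp_seq icmp_header_union.timestamp.seq
#define icmp_info_id icmp_header_union.info.id
#define icmp_info_seq icmp_header_union.info.seq
#define icmp_void icmp_header_union.voidInfo
#define icmp_nextmtu icmp_header_union.path_mtu.nextmtu
#define icmp_ra_num_addrs icmp_header_union.router_advertisement.number_addrs
#define icmp_ra_entry_size icmp_header_union.router_advertisement.entry_size
#define icmp_ra_lifetime icmp_header_union.router_advertisement.lifetime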
283 
284  union
285  {
286  /* timestamp */
287  struct timestamp
288  {
293 
294  /* IP header for unreach */
295  struct ipv4_header
296  {
298  /* options and then 64 bits of data */
300 
301  /* Router Advertisement */
302  struct router_address
303  {
307 
308  /* type 17, 18 */
310 
311  char data[1];
312 
314 #define icmp_orig_timestamp icmp_data_union.timestamp.orig
315 #define icmp_recv_timestamp icmp_data_union.timestamp.receive
316 #define icmp_xmit_timestamp icmp_data_union.timestamp.transmit
317 #define icmp_ipheader icmp_data_union.ip_header
318 #define icmp_ra_addr0 icmp_data_union.router_address
319 #define icmp_mask icmp_data_union.mask
320 #define icmp_data icmp_data_union.data
322 
323 #define ICMP_ECHO_REPLY 0 /* Echo Reply */
324 #define ICMP_DEST_UNREACHABLE 3 /* Destination Unreachable */
325 #define ICMP_SOURCE_QUENCH 4 /* Source Quench */
326 #define ICMP_REDIRECT 5 /* Redirect (change route) */
327 #define ICMP_ECHO_REQUEST 8 /* Echo Request */
328 #define ICMP_ROUTER_ADVERTISEMENT 9 /* Router Advertisement */
329 #define ICMP_ROUTER_SOLICITATION 10 /* Router Solicitation */
330 #define ICMP_TIME_EXCEEDED 11 /* Time Exceeded */
331 #define ICMP_PARAMETER_PROBLEM 12 /* Parameter Problem */
332 #define ICMP_TIMESTAMP_REQUEST 13 /* Timestamp Request */
333 #define ICMP_TIMESTAMP_REPLY 14 /* Timestamp Reply */
334 #define ICMP_INFO_REQUEST 15 /* Information Request */
335 #define ICMP_INFO_REPLY 16 /* Information Reply */
336 #define ICMP_ADDRESS_REQUEST 17 /* Address Mask Request */
337 #define ICMP_ADDRESS_REPLY 18 /* Address Mask Reply */
338 
339 #define INVALID_CHECKSUM_IP 0x01
340 #define INVALID_CHECKSUM_TCP 0x02
341 #define INVALID_CHECKSUM_UDP 0x04
342 #define INVALID_CHECKSUM_ICMP 0x08
343 #define INVALID_CHECKSUM_IGMP 0x10
344 #define INVALID_CHECKSUM_ALL 0x1F
345 #define INVALID_TTL 0x20
346 
347 typedef struct _IPv6Extension
348 {
352 
353 typedef struct _IPAddresses
354 {
355  sfaddr_t ip_src; /* source IP */
356  sfaddr_t ip_dst; /* dest IP */
358 
359 typedef struct _IPv4Hdr
360 {
361  uint8_t ip_verhl; /* version & header length */
362  uint8_t ip_tos; /* type of service */
363  uint16_t ip_len; /* datagram length */
364  uint16_t ip_id; /* identification */
365  uint16_t ip_off; /* fragment offset */
366  uint8_t ip_ttl; /* time to live field */
367  uint8_t ip_proto; /* datagram protocol */
368  uint16_t ip_csum; /* checksum */
369  IPAddresses* ip_addrs; /* IP addresses*/
371 
372 typedef struct _IP6RawHdr
373 {
374  uint32_t vcl; /* version, class, and label */
375  uint16_t payload_len; /* length of the payload */
376  uint8_t next_header; /* same values as ip4 protocol field + new ip6 values */
377  uint8_t hop_limit; /* same usage as ip4 ttl */
378 
379  struct in6_addr src_addr;
380  struct in6_addr dst_addr;
382 
383 #define ip6_vcl vcl
384 #define ip6_payload_len payload_len
385 #define ip6_next_header next_header
386 #define ip6_hop_limit hop_limit
387 #define ip6_hops hop_limit
388 
389 typedef struct _IPv6Hdr
390 {
391  uint32_t vcl; /* version, class, and label */
392  uint16_t len; /* length of the payload */
393  uint8_t next; /* next header
394  * Uses the same flags as
395  * the IPv4 protocol field */
396  uint8_t hop_lmt; /* hop limit */
397  IPAddresses* ip_addrs; /* IP addresses*/
399 
400 typedef struct _IP6FragHdr
401 {
402  uint8_t ip6f_nxt; /* next header */
403  uint8_t ip6f_reserved; /* reserved field */
404  uint16_t ip6f_offlg; /* offset, reserved, and flag */
405  uint32_t ip6f_ident; /* identification */
407 
408 typedef struct _ICMP6
409 {
410  uint8_t type;
411  uint8_t code;
412  uint16_t csum;
413 
415 
416 #define ICMP6_UNREACH 1
417 #define ICMP6_BIG 2
418 #define ICMP6_TIME 3
419 #define ICMP6_PARAMS 4
420 #define ICMP6_ECHO 128
421 #define ICMP6_REPLY 129
422 
423 /* Minus 1 due to the 'body' field */
424 #define ICMP6_MIN_HEADER_LEN (sizeof(ICMP6Hdr) )
425 
426 struct _SFSnortPacket;
427 
428 typedef struct _IPH_API
429 {
430  sfaddr_t * (*iph_ret_src)(const struct _SFSnortPacket *);
431  sfaddr_t * (*iph_ret_dst)(const struct _SFSnortPacket *);
432  uint16_t (*iph_ret_tos)(const struct _SFSnortPacket *);
433  uint8_t (*iph_ret_ttl)(const struct _SFSnortPacket *);
434  uint16_t (*iph_ret_len)(const struct _SFSnortPacket *);
435  uint32_t (*iph_ret_id)(const struct _SFSnortPacket *);
436  uint8_t (*iph_ret_proto)(const struct _SFSnortPacket *);
437  uint16_t (*iph_ret_off)(const struct _SFSnortPacket *);
438  uint8_t (*iph_ret_ver)(const struct _SFSnortPacket *);
439  uint8_t (*iph_ret_hlen)(const struct _SFSnortPacket *);
440 
441  sfaddr_t * (*orig_iph_ret_src)(const struct _SFSnortPacket *);
442  sfaddr_t * (*orig_iph_ret_dst)(const struct _SFSnortPacket *);
443  uint16_t (*orig_iph_ret_tos)(const struct _SFSnortPacket *);
444  uint8_t (*orig_iph_ret_ttl)(const struct _SFSnortPacket *);
445  uint16_t (*orig_iph_ret_len)(const struct _SFSnortPacket *);
446  uint32_t (*orig_iph_ret_id)(const struct _SFSnortPacket *);
447  uint8_t (*orig_iph_ret_proto)(const struct _SFSnortPacket *);
448  uint16_t (*orig_iph_ret_off)(const struct _SFSnortPacket *);
449  uint8_t (*orig_iph_ret_ver)(const struct _SFSnortPacket *);
450  uint8_t (*orig_iph_ret_hlen)(const struct _SFSnortPacket *);
451  char version;
453 
454 typedef enum {
466 
467 #include "ipv6_port.h"
468 
469 #define IP6_HEADER_LEN 40
470 
471 #define IPH_API_V4 4
472 #define IPH_API_V6 6
473 
474 extern IPH_API ip4;
475 extern IPH_API ip6;
476 
477 #define iph_is_valid(p) ((p)->family != NO_IP)
478 
479 #define NO_IP 0
480 
481 #define IP6_HDR_LEN 40
482 
483 typedef struct _MplsHdr
484 {
485  uint32_t label;
486  uint8_t exp;
487  uint8_t bos;
488  uint8_t ttl;
490 
491 typedef struct _H2PriSpec
492 {
497 
498 typedef struct _H2Hdr
499 {
502  uint8_t type;
503  uint8_t flags;
505  H2PriSpec pri;
507 
508 #define MAX_PROTO_LAYERS 32
509 
510 typedef struct {
514 } ProtoLayer;
515 
516 // for backwards compatibility with VRT .so rules
517 #define stream_session_ptr stream_session
518 
519 // forward declaration for snort list management type
520 struct sfSDList;
521 
522 // forward declaration for snort expected session created due to this packet.
523 struct _ExpectNode;
524 
525 typedef struct _SFSnortPacket
526 {
527  const SFDAQ_PktHdr_t *pkt_header; /* Is this GPF'd? */
529 
536  const void *gre_header;
538  const CiscoMetaHdr *cmdh; /* Cisco Metadata Header */
539 
545  const UDPHeader *inner_udph; /* if Teredo + UDP, this will be the inner UDP header */
546  const UDPHeader *outer_udph; /* if Teredo + UDP, this will be the outer UDP header */
548 
549  const uint8_t *payload;
552 
555 
559 
564 
565  int family;
568 
570 
571  uint64_t flags;
572 
574 
576 
582 
587 
592 
594 
599 
604 
610 
611 #ifndef NO_NON_ETHER_DECODER
612  const void *fddi_header;
613  void *fddi_saps;
614  void *fddi_sna;
615  void *fddi_iparp;
616  void *fddi_other;
617 
618  const void *tokenring_header;
621 
626 
627 #ifdef DLT_LINUX_SLL
628  const void *sll_header;
629 #endif
630 #ifdef DLT_IEEE802_11
631  const void *wifi_header;
632 #endif
633  const void *ether_eapol_header;
634  const void *eapol_headear;
636  void *eapol_key;
637 #endif
638 
642  CiscoMetaOpt *cmd_options; /* Cisco Metadata header options */
643 
647 
650 
657 
660 
663 
664  /**policyId provided in configuration file. Used for correlating configuration
665  * with event output
666  */
668 
670  unsigned char iprep_layer;
671 
672  uint8_t ps_proto; /* Used for portscan and unified2 logging */
673 
675  void *cur_pp;
676 
677  // Expected session created due to this packet.
680 
681 #define IP_INNER_LAYER 1
682 #define IP_OUTTER_LAYER 0
683 
684 #define PKT_ZERO_LEN offsetof(SFSnortPacket, ip_options)
685 
686 #define PROTO_BIT__IP 0x0001
687 #define PROTO_BIT__ARP 0x0002
688 #define PROTO_BIT__TCP 0x0004
689 #define PROTO_BIT__UDP 0x0008
690 #define PROTO_BIT__ICMP 0x0010
691 #define PROTO_BIT__TEREDO 0x0020
692 #define PROTO_BIT__ALL 0xffff
693 
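/* Protocol predicates for a decoded SFSnortPacket pointer p.
 * IsIP(p) is true when the packet has a valid IP header (IPH_IS_VALID);
 * IsTCP/IsUDP/IsICMP additionally require the corresponding transport
 * header pointer to be non-NULL.  The argument is parenthesised so that
 * an expression argument (e.g. IsTCP(pkts + i)) expands correctly. */
#define IsIP(p) (IPH_IS_VALID(p))
#define IsTCP(p) (IsIP(p) && (p)->tcp_header)
#define IsUDP(p) (IsIP(p) && (p)->udp_header)
#define IsICMP(p) (IsIP(p) && (p)->icmp_header)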
698 
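/* Write the 4-bit version / header-length nibbles of an IPV4Header's
 * version_headerlength byte.  Only the low nibble of value is kept
 * for the header length; for the version, bits above the low nibble
 * are discarded by the unsigned char cast.  value is parenthesised
 * so an expression argument is shifted/masked as a whole. */
#define SET_IP4_VER(ip_header, value) \
 ((ip_header)->version_headerlength = \
 (unsigned char)(((ip_header)->version_headerlength & 0x0f) | ((value) << 4)))
#define SET_IP4_HLEN(ip_header, value) \
 ((ip_header)->version_headerlength = \
 (unsigned char)(((ip_header)->version_headerlength & 0xf0) | ((value) & 0x0f)))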
705 
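/* Write the 4-bit data-offset nibble (high nibble) of a TCPHeader's
 * offset_reserved byte, preserving the low reserved nibble.  value is
 * parenthesised so an expression argument is shifted as a whole. */
#define SET_TCP_HDR_OFFSET(tcp_header, value) \
 ((tcp_header)->offset_reserved = \
 (unsigned char)(((tcp_header)->offset_reserved & 0x0f) | ((value) << 4)))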
709 
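/* Single-bit mask for 1-based bit index i (BIT(1) == 0x1, BIT(2) == 0x2, ...).
 * The argument is parenthesised so that BIT(a ? 3 : 1) shifts by the whole
 * expression.  The result is an int: i must be in 1..31, since a shift by a
 * negative count or by the full width of int is undefined behaviour. */
#define BIT(i) (0x1 << ((i) - 1))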
711 
712 
713 /* beware: some flags are redefined in dynamic-plugins/sf_dynamic_define.h! */
714 #define FLAG_REBUILT_FRAG 0x00000001 /* is a rebuilt fragment */
715 #define FLAG_REBUILT_STREAM 0x00000002 /* is a rebuilt stream */
716 #define FLAG_STREAM_UNEST_UNI 0x00000004 /* is from an unestablished stream and
717  * we've only seen traffic in one direction */
718 #define FLAG_STREAM_EST 0x00000008 /* is from an established stream */
719 
720 #define FLAG_STREAM_INSERT 0x00000010 /* this packet has been queued for stream reassembly */
721 #define FLAG_STREAM_TWH 0x00000020 /* packet completes the 3-way handshake */
722 #define FLAG_FROM_SERVER 0x00000040 /* this packet came from the server
723  side of a connection (TCP) */
724 #define FLAG_FROM_CLIENT 0x00000080 /* this packet came from the client
725  side of a connection (TCP) */
726 
727 #define FLAG_PDU_HEAD 0x00000100 /* start of PDU */
728 #define FLAG_PDU_TAIL 0x00000200 /* end of PDU */
729 #define FLAG_UNSURE_ENCAP 0x00000400 /* packet may have incorrect encapsulation layer. */
730  /* don't alert if "next layer" is invalid. */
731 #define FLAG_HTTP_DECODE 0x00000800 /* this packet has normalized http */
732 
733 #define FLAG_IGNORE_PORT 0x00001000 /* this packet should be ignored, based on port */
734 #define FLAG_NO_DETECT 0x00002000 /* this packet should not be preprocessed */
735 #define FLAG_ALLOW_MULTIPLE_DETECT 0x00004000 /* packet has either pipelined mime attachments */
736  /* or pipelined http requests */
737 #define FLAG_PAYLOAD_OBFUSCATE 0x00008000
738 
739 #define FLAG_STATELESS 0x00010000 /* Packet has matched a stateless rule */
740 #define FLAG_PASS_RULE 0x00020000 /* this packet has matched a pass rule */
741 #define FLAG_IP_RULE 0x00040000 /* this packet is being evaluated against an IP rule */
742 #define FLAG_IP_RULE_2ND 0x00080000 /* this packet is being evaluated against an IP rule */
743 
744 #define FLAG_LOGGED 0x00100000 /* this packet has been logged */
745 #define FLAG_PSEUDO 0x00200000 /* is a pseudo packet */
746 #define FLAG_MODIFIED 0x00400000 /* packet had normalizations, etc. */
747 #ifdef NORMALIZER
748 #define FLAG_RESIZED 0x00800000 /* packet has new size; must set modified too */
749 #endif
750 
751 /* neither of these flags will be set for (full) retransmissions or non-data segments */
752 /* a partial overlap results in out of sequence condition */
753 /* out of sequence condition is sticky */
754 #define FLAG_STREAM_ORDER_OK 0x01000000 /* this segment is in order, w/o gaps */
755 #define FLAG_STREAM_ORDER_BAD 0x02000000 /* this stream had at least one gap */
756 #define FLAG_REASSEMBLED_OLD 0x04000000 /* for backwards compat with so rules */
757 
758 #define FLAG_IPREP_SOURCE_TRIGGERED 0x08000000
759 #define FLAG_IPREP_DATA_SET 0x10000000
760 #define FLAG_FILE_EVENT_SET 0x20000000
761 #define FLAG_EARLY_REASSEMBLY 0x40000000 /* this packet, part of the expected stream, should have stream reassembly set */
762 #define FLAG_RETRANSMIT 0x80000000 /* this packet is identified as re-transmitted one */
763 #define FLAG_PURGE 0x0100000000 /* Stream will not flush the data */
764 #define FLAG_H1_ABORT 0x0200000000 /* Used by H1 and H2 paf */
765 #define FLAG_UPGRADE_PROTO 0x0400000000 /* Used by H1 paf */
766 #define FLAG_PSEUDO_FLUSH 0x0800000000
767 #define FLAG_FAST_BLOCK 0x1000000000
768 #define FLAG_EVAL_DROP 0x2000000000 /* Packet with FLAG_EVAL_DROP is evaluated to decide whether it needs to be dropped */
769 
770 
771 #define FLAG_PDU_FULL (FLAG_PDU_HEAD | FLAG_PDU_TAIL)
772 
773 #define REASSEMBLED_PACKET_FLAGS (FLAG_REBUILT_STREAM|FLAG_REASSEMBLED_OLD)
774 
775 #define SFTARGET_UNKNOWN_PROTOCOL -1
776 
/* Returns nonzero when p is a pseudo packet (FLAG_PSEUDO set in p->flags),
 * i.e. one synthesized by Snort rather than taken straight off the wire. */
static inline int PacketWasCooked(const SFSnortPacket* p)
{
    const uint64_t pseudo_bit = p->flags & FLAG_PSEUDO;
    return pseudo_bit ? 1 : 0;
}
781 
/* Returns nonzero when p is a pseudo packet whose pseudo_type is
 * PSEUDO_PKT_PS (presumably the portscan pseudo packet). */
static inline int IsPortscanPacket(const SFSnortPacket *p)
{
    if (!(p->flags & FLAG_PSEUDO))
        return 0;
    return p->pseudo_type == PSEUDO_PKT_PS;
}
786 
/* Protocol number to report for an event on p: the stored ps_proto for
 * portscan pseudo packets, the IP header's protocol field when the packet
 * has a valid IP header, and 0 otherwise. */
static inline uint8_t GetEventProto(const SFSnortPacket *p)
{
    uint8_t proto = 0;

    if (IsPortscanPacket(p))
        proto = p->ps_proto;
    else if (IPH_IS_VALID(p))
        proto = GET_IPH_PROTO(p);

    return proto;
}
793 
/* Returns nonzero when both FLAG_PDU_HEAD and FLAG_PDU_TAIL are set, i.e.
 * the packet carries a complete PDU. */
static inline int PacketHasFullPDU (const SFSnortPacket* p)
{
    const uint64_t pdu_bits = p->flags & FLAG_PDU_FULL;
    return pdu_bits == FLAG_PDU_FULL;
}
798 
/* Returns nonzero when FLAG_PDU_HEAD is set (packet begins a PDU). */
static inline int PacketHasStartOfPDU (const SFSnortPacket* p)
{
    if (p->flags & FLAG_PDU_HEAD)
        return 1;
    return 0;
}
803 
/* Returns nonzero when the packet is a rebuilt stream (FLAG_REBUILT_STREAM)
 * or ends a PDU (FLAG_PDU_TAIL) -- either bit is enough. */
static inline int PacketHasPAFPayload (const SFSnortPacket* p)
{
    const uint64_t paf_bits = FLAG_REBUILT_STREAM | FLAG_PDU_TAIL;
    return (p->flags & paf_bits) ? 1 : 0;
}
808 
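/* Mark extra-data id xid as present on p by setting bit (xid - 1) of
 * p->xtradata_mask.
 *
 * xid is a 1-based id, so it must lie in 1..(bit width of xtradata_mask);
 * a value of 0 or one past the width would make the shift count negative
 * or equal to the type width, which is undefined behaviour in C.  Such ids
 * are ignored instead of shifted.  An unsigned one is shifted so that the
 * top bit (xid == 32) is produced without signed overflow.
 * NOTE(review): ids are presumably bounded by the registration limit
 * (MAX_LOG_FUNC) -- confirm against the registration code. */
static inline void SetExtraData (SFSnortPacket* p, uint32_t xid)
{
    if (xid == 0 || xid > 8 * sizeof(p->xtradata_mask))
        return;
    p->xtradata_mask |= (UINT32_C(1) << (xid - 1));
}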
813 
814 #endif /* _SF_SNORT_PACKET_H_ */
815 