"Fossies" - the Fresh Open Source Software Archive 
Member "snort-2.9.17/src/decode.c" (16 Oct 2020, 233312 Bytes) of package /linux/misc/snort-2.9.17.tar.gz:
As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style:
standard) with prefixed line numbers and
code folding option.
Alternatively you can here
view or
download the uninterpreted source code file.
For more information about "decode.c" see the
Fossies "Dox" file reference documentation and the latest
Fossies "Diffs" side-by-side code changes report:
2.9.16.1_vs_2.9.17.
1 /* $Id$ */
2
3 /*
4 ** Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
5 ** Copyright (C) 2002-2013 Sourcefire, Inc.
6 ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
7 **
8 ** This program is free software; you can redistribute it and/or modify
9 ** it under the terms of the GNU General Public License Version 2 as
10 ** published by the Free Software Foundation. You may not use, modify or
11 ** distribute this program under any other version of the GNU General
12 ** Public License.
13 **
14 ** This program is distributed in the hope that it will be useful,
15 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
16 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 ** GNU General Public License for more details.
18 **
19 ** You should have received a copy of the GNU General Public License
20 ** along with this program; if not, write to the Free Software
21 ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
22 */
23
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #endif
27
28 #ifdef HAVE_STRINGS_H
29 #include <strings.h>
30 #endif
31
32 #include <string.h>
33 #include <stdlib.h>
34
35 #ifdef HAVE_DUMBNET_H
36 #include <dumbnet.h>
37 #else
38 #include <dnet.h>
39 #endif
40
41 #include "decode.h"
42 #include "snort.h"
43 #include "snort_debug.h"
44 #include "util.h"
45 #include "detect.h"
46 #include "checksum.h"
47 #include "log.h"
48 #include "generators.h"
49 #include "event_queue.h"
50 #include "active.h"
51 #include "sfxhash.h"
52 #include "snort_bounds.h"
53 #include "strlcpyu.h"
54 #include "sf_iph.h"
55 #include "fpdetect.h"
56 #include "profiler.h"
57 #include "sfActionQueue.h"
58 #include "mempool.h"
59 #include "spp_normalize.h"
60 #include "sfdaq.h"
61 #include "sfrf.h"
62
63 #ifdef REG_TEST
64 #include "reg_test.h"
65 #include <stdio.h>
66 #endif
67
68 extern tSfActionQueueId decoderActionQ;
69 extern MemPool decoderAlertMemPool;
70
71 static IpAddrSet *SynToMulticastDstIp = NULL;
72 static IpAddrSet *MulticastReservedIp = NULL;
73 #ifdef PERF_PROFILING
74 PreprocStats decodePerfStats;
75 #endif
76
77 // Array to check if the decoder rules are enabled in at least one policy
78 static uint8_t decodeRulesArray[DECODE_INDEX_MAX];
79
80 //--------------------------------------------------------------------
81 // decode.c::event support
82 //--------------------------------------------------------------------
83
84 #ifdef NORMALIZER
85 static inline int ScNormalDrop (NormFlags nf)
86 {
87 return Normalize_GetMode(snort_conf, nf) == NORM_MODE_OFF;
88 }
89 #else
90 #define ScNormalDrop(nf) 1
91 #endif
92
93 static inline void queueExecDrop(
94 void (*callback)(void *), Packet* p)
95 {
96 int ret = sfActionQueueAdd( decoderActionQ, callback, (void*)p);
97 if (ret == -1)
98 {
99 ErrorMessage("Could not add drop event to decoderActionQ\n");
100 }
101 }
102
103 // no harm declaring the exec*Drop()s as inline, but since
104 // the only use is via pointer, these won't get inlined.
105 static inline void execDecoderDrop (void *data)
106 {
107 if ( ScDecoderAlerts() && ScDecoderDrops() )
108 {
109 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
110 "Dropping bad packet\n"););
111 Active_DropSession((Packet*)data);
112 if (pkt_trace_enabled)
113 addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
114 "Snort: bad packet decode error, %s\n", getPktTraceActMsg()));
115 else addPktTraceData(VERDICT_REASON_SNORT, 0);
116 }
117 }
118
119 static inline void execIpOptDrop (void *data)
120 {
121 if ( ScDecoderIpOptDrops() )
122 {
123 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
124 "Dropping bad packet (IP opts)\n"););
125 Active_DropPacket((Packet*)data);
126 if (pkt_trace_enabled)
127 addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
128 "Snort: IP options decode error, %s\n", getPktTraceActMsg()));
129 else addPktTraceData(VERDICT_REASON_SNORT, 0);
130 }
131 }
132
133 static inline void execMinTtlDrop (void *data)
134 {
135 if ( ScNormalDrop(NORM_IP4_TTL) &&
136 ScDecoderAlerts() && ScDecoderDrops() )
137 {
138 Packet* p = (Packet*)data;
139 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
140 "Dropping bad packet (IP4 min TTL)\n"););
141 p->error_flags |= PKT_ERR_BAD_TTL;
142 Active_DropPacket(p);
143 if (pkt_trace_enabled)
144 addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
145 "Snort: IP4 min TTL error, %s\n", getPktTraceActMsg()));
146 else addPktTraceData(VERDICT_REASON_SNORT, 0);
147 }
148 }
149
150 static inline void execTtlDrop (void *data)
151 {
152 if ( ScNormalDrop(NORM_IP4_TTL) )
153 {
154 Packet* p = (Packet*)data;
155 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
156 "Dropping bad packet (IP4 zero TTL)\n"););
157 p->error_flags |= PKT_ERR_BAD_TTL;
158 Active_DropPacket(p);
159 if (pkt_trace_enabled)
160 addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
161 "Snort: IP4 zero TTL error, %s\n", getPktTraceActMsg()));
162 else addPktTraceData(VERDICT_REASON_SNORT, 0);
163 }
164 }
165
166 static inline void execHopDrop (void *data)
167 {
168 if ( ScNormalDrop(NORM_IP6_TTL) )
169 {
170 Packet* p = (Packet*)data;
171 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
172 "Dropping bad packet (IP6 zero hop)\n"););
173 p->error_flags |= PKT_ERR_BAD_TTL;
174 Active_DropPacket(p);
175 if (pkt_trace_enabled)
176 addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
177 "Snort: IP6 zero hop error, %s\n", getPktTraceActMsg()));
178 else addPktTraceData(VERDICT_REASON_SNORT, 0);
179 }
180 }
181
182 static inline void execIpv6MinTtlDrop (void *data)
183 {
184 if ( ScNormalDrop(NORM_IP6_TTL) &&
185 ScDecoderAlerts() && ScDecoderDrops() )
186 {
187 Packet* p = (Packet*)data;
188 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
189 "Dropping bad packet (IP6 hop limit)\n"););
190 p->error_flags |= PKT_ERR_BAD_TTL;
191 Active_DropPacket(p);
192 if (pkt_trace_enabled)
193 addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
194 "Snort: IP6 hop limit error, %s\n", getPktTraceActMsg()));
195 else addPktTraceData(VERDICT_REASON_SNORT, 0);
196 }
197 }
198
199 static inline void execTcpOptDrop (void *data)
200 {
201 if ( ScDecoderTcpOptDrops() )
202 {
203 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
204 "Dropping bad packet (TCP opts)\n"););
205 Active_DropPacket((Packet*)data);
206 if (pkt_trace_enabled)
207 addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
208 "Snort: TCP options decode error, %s\n", getPktTraceActMsg()));
209 else addPktTraceData(VERDICT_REASON_SNORT, 0);
210 }
211 }
212
213 static inline void execTcpOptExpDrop (void *data)
214 {
215 if ( ScDecoderTcpOptExpDrops() )
216 {
217 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
218 "Dropping bad packet (TCP exp opts)\n"););
219 Active_DropPacket((Packet*)data);
220 if (pkt_trace_enabled)
221 addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
222 "Snort: TCP experimental options decode error, %s\n", getPktTraceActMsg()));
223 else addPktTraceData(VERDICT_REASON_SNORT, 0);
224 }
225 }
226
227 static inline void execTcpOptObsDrop (void *data)
228 {
229 if ( ScDecoderTcpOptObsDrops() )
230 {
231 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
232 "Dropping bad packet (TCP obs opts)\n"););
233 Active_DropPacket((Packet*)data);
234 if (pkt_trace_enabled)
235 addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
236 "Snort: TCP obsolete options decode error, %s\n", getPktTraceActMsg()));
237 else addPktTraceData(VERDICT_REASON_SNORT, 0);
238 }
239 }
240
241 static inline void execTcpOptTTcpDrop (void *data)
242 {
243 if ( ScDecoderTcpOptTTcpDrops() )
244 {
245 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
246 "Dropping bad packet (TTCP opts)\n"););
247 Active_DropPacket((Packet*)data);
248 if (pkt_trace_enabled)
249 addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
250 "Snort: Test TCP (TTCP) options decode error, %s\n", getPktTraceActMsg()));
251 else addPktTraceData(VERDICT_REASON_SNORT, 0);
252 }
253 }
254
255 static inline void execIpChksmDrop (void *data)
256 {
257 // TBD only set policy csum drop if policy inline
258 // and delete this inline mode check
259 if( ScNapInlineMode() && ScIpChecksumDrops() )
260 {
261 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
262 "Dropping bad packet (IP checksum)\n"););
263 Active_NapDropPacket((Packet*)data);
264 if (pkt_trace_enabled)
265 addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
266 "Snort: IP checksum error, %s\n", getPktTraceActMsg()));
267 else addPktTraceData(VERDICT_REASON_SNORT, 0);
268 }
269 }
270
271 static inline void execTcpChksmDrop (void *data)
272 {
273 if( ScNapInlineMode() && ScTcpChecksumDrops() )
274 {
275 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
276 "Dropping bad packet (TCP checksum)\n"););
277 Active_NapDropPacket((Packet*)data);
278 if (pkt_trace_enabled)
279 addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
280 "Snort: TCP checksum error, %s\n", getPktTraceActMsg()));
281 else addPktTraceData(VERDICT_REASON_SNORT, 0);
282 }
283 }
284
285 static inline void execUdpChksmDrop (void *data)
286 {
287 if( ScNapInlineMode() && ScUdpChecksumDrops() )
288 {
289 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
290 "Dropping bad packet (UDP checksum)\n"););
291 Active_NapDropPacket((Packet*)data);
292 if (pkt_trace_enabled)
293 addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
294 "Snort: UDP checksum error, %s\n", getPktTraceActMsg()));
295 else addPktTraceData(VERDICT_REASON_SNORT, 0);
296 }
297 }
298
299 static inline void execIcmpChksmDrop (void *data)
300 {
301 if( ScNapInlineMode() && ScIcmpChecksumDrops() )
302 {
303 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
304 "Dropping bad packet (ICMP checksum)\n"););
305 Active_NapDropPacket((Packet*)data);
306 if (pkt_trace_enabled)
307 addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
308 "Snort: ICMP checksum error, %s\n", getPktTraceActMsg()));
309 else addPktTraceData(VERDICT_REASON_SNORT, 0);
310 }
311 }
312
313 void execDecoderEvent(void *data)
314 {
315 MemBucket *alertBucket = (MemBucket *)data;
316 EventNode *en = (EventNode *)alertBucket->data;
317 int add;
318
319 switch (en->sid)
320 {
321 case DECODE_IPV4OPT_BADLEN:
322 case DECODE_IPV4OPT_TRUNCATED:
323 add = ScDecoderIpOptAlerts();
324 break;
325
326 case DECODE_TCPOPT_WSCALE_INVALID:
327 case DECODE_TCPOPT_BADLEN:
328 case DECODE_TCPOPT_TRUNCATED:
329 add = ScDecoderTcpOptAlerts();
330 break;
331
332 case DECODE_TCPOPT_EXPERIMENT:
333 add = ScDecoderTcpOptExpAlerts();
334 break;
335
336 case DECODE_TCPOPT_OBSOLETE:
337 add = ScDecoderTcpOptObsAlerts();
338 break;
339
340 case DECODE_TCPOPT_TTCP:
341 add = ScDecoderTcpOptTTcpAlerts();
342 break;
343
344 default:
345 add = ScDecoderAlerts();
346 break;
347 }
348
349 if ( add )
350 {
351 SnortEventqAdd(en->gid, en->sid, en->rev, en->classification,
352 en->priority, en->msg, en->rule_info);
353 }
354 mempool_free(&decoderAlertMemPool, alertBucket);
355 }
356
357 void queueDecoderEvent(
358 unsigned int gid,
359 unsigned int sid,
360 unsigned int rev,
361 unsigned int classification,
362 unsigned int pri,
363 const char *msg,
364 void *rule_info)
365 {
366 MemBucket *alertBucket;
367 EventNode *en;
368 int ret;
369
370 alertBucket = (MemBucket *)mempool_alloc(&decoderAlertMemPool);
371 if(!alertBucket)
372 return;
373
374 en = (EventNode *)alertBucket->data;
375 en->gid = gid;
376 en->sid = sid;
377 en->rev = rev;
378 en->classification = classification;
379 en->priority = pri;
380 en->msg = msg;
381 en->rule_info = (OptTreeNode *) rule_info;
382
383 ret = sfActionQueueAdd( decoderActionQ, execDecoderEvent, alertBucket);
384 if (ret == -1)
385 {
386 ErrorMessage("Could not add event to decoderActionQ\n");
387 mempool_free(&decoderAlertMemPool, alertBucket);
388 }
389 }
390
391 static inline void DecoderEvent (
392 Packet *p, int sid, const char *str, int event_flag, int drop_flag)
393 {
394 if ( ScLogVerbose() )
395 ErrorMessage("%s\n", str);
396
397 if (ScIdsMode() && event_flag)
398 {
399 queueDecoderEvent(GENERATOR_SNORT_DECODE, sid, 1,
400 DECODE_CLASS, 3, str, 0);
401
402 if ( drop_flag )
403 {
404 queueExecDrop(execDecoderDrop, p);
405 if (pkt_trace_enabled)
406 addPktTraceData(VERDICT_REASON_NO_BLOCK, snprintf(trace_line, MAX_TRACE_LINE,
407 "Snort: gid %u, sid %u, bad packet queued for decoder drop\n", GENERATOR_SNORT_DECODE, sid));
408 }
409 }
410 }
411
412 static inline void DecoderOptEvent (
413 Packet *p, int sid, char *str, int event_flag, int drop_flag,
414 void (*callback)(void*) )
415 {
416 if ( ScLogVerbose() )
417 ErrorMessage("%s\n", str);
418
419 if (ScIdsMode() && event_flag)
420 {
421 queueDecoderEvent(GENERATOR_SNORT_DECODE, sid, 1,
422 DECODE_CLASS, 3, str, 0);
423
424 if ( drop_flag )
425 {
426 queueExecDrop(callback, p);
427 }
428 }
429 }
430
431 static inline void DecoderEventDrop (
432 Packet *p, int sid, char *str, int event_flag, int drop_flag)
433 {
434 if ( ScLogVerbose() )
435 ErrorMessage("%s\n", str);
436
437 if (ScIdsMode() && event_flag)
438 {
439 queueDecoderEvent(GENERATOR_SNORT_DECODE, sid, 1,
440 DECODE_CLASS, 3, str, 0);
441
442 if ( drop_flag )
443 {
444 Active_DropPacket(p);
445 if (pkt_trace_enabled)
446 addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
447 "Snort: decoder gid %u, sid %u, %s\n", GENERATOR_SNORT_DECODE, sid, getPktTraceActMsg()));
448 else addPktTraceData(VERDICT_REASON_SNORT, 0);
449 }
450 }
451 }
452
453 void DecoderAlertEncapsulated(
454 Packet *p, int type, const char *str, const uint8_t *pkt, uint32_t len)
455 {
456 DecoderEvent(p, type, str, 1, 1);
457
458 p->data = pkt;
459 p->dsize = (uint16_t)len;
460
461 p->greh = NULL;
462 }
463
464 #define EVARGS(ID) DECODE_ ## ID, DECODE_ ## ID ## _STR
465
466 static inline int Event_Enabled(int sid)
467 {
468 return ( decodeRulesArray[sid] );
469 }
470
471 //--------------------------------------------------------------------
472 // decode.c::miscellaneous public methods and helper functions
473 //--------------------------------------------------------------------
474
475 #if defined(WORDS_MUSTALIGN) && !defined(__GNUC__)
476 uint32_t EXTRACT_32BITS (u_char *p)
477 {
478 uint32_t __tmp;
479
480 memmove(&__tmp, p, sizeof(uint32_t));
481 return (uint32_t) ntohl(__tmp);
482 }
483 #endif /* WORDS_MUSTALIGN && !__GNUC__ */
484
485 void InitSynToMulticastDstIp( struct _SnortConfig *sc )
486 {
487 // Multicast addresses pursuant to RFC 5771
488 SynToMulticastDstIp = IpAddrSetParse(sc, "[224.0.0.0/4]");
489
490 if( SynToMulticastDstIp == NULL )
491 {
492 FatalError("Could not initialize SynToMulticastDstIp\n");
493 }
494 }
495
496 void InitMulticastReservedIp( struct _SnortConfig *sc )
497 {
498 // Reserved addresses within multicast address space (See RFC 5771)
499 MulticastReservedIp = IpAddrSetParse(sc,
500 "[224.1.0.0/16,224.5.0.0/16,224.6.0.0/15,224.8.0.0/13,224.16.0.0/12,"
501 "224.32.0.0/11,224.64.0.0/10,224.128.0.0/9,225.0.0.0/8,226.0.0.0/7,"
502 "228.0.0.0/6,234.0.0.0/7,236.0.0.0/7,238.0.0.0/8]");
503
504 if( MulticastReservedIp == NULL )
505 {
506 FatalError("Could not initialize MulticastReservedIp\n");
507 }
508 }
509
510 void SynToMulticastDstIpDestroy( void )
511 {
512 if( SynToMulticastDstIp )
513 {
514 IpAddrSetDestroy(SynToMulticastDstIp);
515 }
516 }
517
518 void MulticastReservedIpDestroy( void )
519 {
520 if( MulticastReservedIp )
521 {
522 IpAddrSetDestroy(MulticastReservedIp);
523 }
524 }
525
526 static inline void CheckIPv4_MinTTL(Packet *p, uint8_t ttl)
527 {
528
529 // this sequence of tests is best for the "normal" case where
530 // the packet ttl is >= the configured min (the default is 1)
531 if( ttl < ScMinTTL() )
532 {
533 if ( Event_Enabled(DECODE_ZERO_TTL) && (ttl == 0) )
534 {
535 DecoderOptEvent(p, DECODE_ZERO_TTL, DECODE_ZERO_TTL_STR,
536 1, 1, execTtlDrop);
537 }
538 else if ( Event_Enabled(DECODE_IP4_MIN_TTL) )
539 {
540 DecoderOptEvent(p, DECODE_IP4_MIN_TTL, DECODE_IP4_MIN_TTL_STR,
541 1, 1, execMinTtlDrop);
542 }
543 }
544 }
545
546 static inline void CheckIPv6_MinTTL(Packet *p, uint8_t hop_limit)
547 {
548 // this sequence of tests is best for the "normal" case where
549 // the packet ttl is >= the configured min (the default is 1)
550 if( hop_limit < ScMinTTL() )
551 {
552 if ( Event_Enabled(DECODE_IP6_ZERO_HOP_LIMIT) && (hop_limit == 0) )
553 {
554 DecoderOptEvent(p, DECODE_IP6_ZERO_HOP_LIMIT,
555 DECODE_IP6_ZERO_HOP_LIMIT_STR, 1, 1, execHopDrop);
556 }
557 else if ( Event_Enabled(DECODE_IPV6_MIN_TTL) )
558 {
559 DecoderOptEvent(p, DECODE_IPV6_MIN_TTL,
560 DECODE_IPV6_MIN_TTL_STR, 1, 1, execIpv6MinTtlDrop);
561 }
562 }
563 }
564
565 /* Decoding of ttl/hop_limit is based on the policy min_ttl */
566 static inline void DecodeIP_MinTTL(Packet *p)
567 {
568 switch(p->outer_family)
569 {
570 case AF_INET:
571 CheckIPv4_MinTTL( p, p->outer_ip4h.ip_ttl);
572 return;
573
574 case AF_INET6:
575 CheckIPv6_MinTTL( p, p->outer_ip6h.hop_lmt);
576 return;
577
578 default:
579 break;
580 }
581
582 switch(p->family)
583 {
584 case AF_INET:
585 CheckIPv4_MinTTL( p, p->ip4h->ip_ttl);
586 return;
587
588 case AF_INET6:
589 CheckIPv6_MinTTL( p, p->ip6h->hop_lmt);
590 return;
591
592 default:
593 break;
594 }
595
596 return;
597 }
598
599 /* Any policy specific decoding should be done in this function which is called by ProcessPacket*/
600 void DecodePolicySpecific(Packet *p)
601 {
602 DecodeIP_MinTTL(p);
603 }
604
605 /* This function enables or disables the decoder rule. value can only be 0 or 1*/
606 void UpdateDecodeRulesArray(uint32_t sid, int value, int all_rules)
607 {
608 int i;
609
610 if ( all_rules )
611 {
612 for( i = 0; i < DECODE_INDEX_MAX; i++ )
613 decodeRulesArray[i] = ( value != 0 );
614 }
615 else if ( sid < DECODE_INDEX_MAX )
616 {
617 decodeRulesArray[sid] = ( value != 0 );
618 }
619 }
620
621 static ThrottleInfo log_throttleInfo = {0, 60, 0, 100};
622
623 // this must be called iff the layer is successfully decoded because, when
624 // enabled, the normalizer assumes that the encoding is structurally sound
625 static inline void PushLayer(PROTO_ID type, Packet* p, const uint8_t* hdr, uint32_t len)
626 {
627 if ( p->next_layer < LAYER_MAX )
628 {
629 Layer* lyr = p->layers + p->next_layer++;
630 lyr->proto = type;
631 lyr->start = (uint8_t*)hdr;
632 lyr->length = (uint16_t)len;
633 }
634 else
635 {
636 LogThrottledByTimeCount(&log_throttleInfo,
637 "(snort_decoder) WARNING: Too many levels for decoding;"
638 "next proto is %u.\n", type);
639 SnortEventqAdd(GENERATOR_SNORT_DECODE,
640 DECODE_DECODING_DEPTH_EXCEEDED,
641 1,
642 0,
643 1,
644 DECODE_DECODING_DEPTH_EXCEEDED_STR,
645 NULL);
646 pc.alert_pkts++;
647 }
648 }
649
650 //--------------------------------------------------------------------
651 // decode.c::ARP
652 //--------------------------------------------------------------------
653
654 /*
655 * Function: DecodeARP(uint8_t *, uint32_t, Packet *)
656 *
657 * Purpose: Decode ARP stuff
658 *
659 * Arguments: pkt => ptr to the packet data
660 * len => length from here to the end of the packet
661 * p => pointer to decoded packet struct
662 *
663 * Returns: void function
664 */
665 void DecodeARP(const uint8_t * pkt, uint32_t len, Packet * p)
666 {
667 pc.arp++;
668
669 #ifdef GRE
670 if (p->greh != NULL)
671 pc.gre_arp++;
672 #endif
673
674 p->ah = (EtherARP *) pkt;
675
676 if(len < sizeof(EtherARP))
677 {
678 DecoderEvent(p, DECODE_ARP_TRUNCATED,
679 DECODE_ARP_TRUNCATED_STR, 1, 1);
680
681 pc.discards++;
682 return;
683 }
684
685 p->proto_bits |= PROTO_BIT__ARP;
686 PushLayer(PROTO_ARP, p, pkt, sizeof(*p->ah));
687 }
688
689 //--------------------------------------------------------------------
690 // decode.c::NULL and Loopback
691 //--------------------------------------------------------------------
692
693 /*
694 * Function: DecodeNullPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*)
695 *
696 * Purpose: Decoding on loopback devices.
697 *
698 * Arguments: p => pointer to decoded packet struct
699 * user => Utility pointer, unused
700 * pkthdr => ptr to the packet header
701 * pkt => pointer to the real live packet data
702 *
703 * Returns: void function
704 */
705 void DecodeNullPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt)
706 {
707 uint32_t cap_len = pkthdr->caplen;
708 PROFILE_VARS;
709
710 PREPROC_PROFILE_START(decodePerfStats);
711
712 pc.total_processed++;
713
714 memset(p, 0, PKT_ZERO_LEN);
715
716 p->pkth = pkthdr;
717 p->pkt = pkt;
718
719 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"); );
720
721 /* do a little validation */
722 if(cap_len < NULL_HDRLEN)
723 {
724 if (ScLogVerbose())
725 {
726 ErrorMessage("NULL header length < captured len! (%d bytes)\n",
727 cap_len);
728 }
729
730 PREPROC_PROFILE_END(decodePerfStats);
731 return;
732 }
733
734 DecodeIP(p->pkt + NULL_HDRLEN, cap_len - NULL_HDRLEN, p);
735 PREPROC_PROFILE_END(decodePerfStats);
736 }
737
738 /*
739 * Function: DecodeEthLoopback(uint8_t *, uint32_t)
740 *
741 * Purpose: Just like IPX, it's just for counting.
742 *
743 * Arguments: pkt => ptr to the packet data
744 * len => length from here to the end of the packet
745 *
746 * Returns: void function
747 */
748 void DecodeEthLoopback(const uint8_t *pkt, uint32_t len, Packet *p)
749 {
750 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "EthLoopback is not supported.\n"););
751
752 pc.ethloopback++;
753
754 #ifdef GRE
755 if (p->greh != NULL)
756 pc.gre_loopback++;
757 #endif
758
759 return;
760 }
761
762 //--------------------------------------------------------------------
763 // decode.c::Ethernet
764 //--------------------------------------------------------------------
765 void DecodeEthTypes(Packet *p, const uint8_t *pkt, uint16_t ethtype, uint32_t cap_len, uint8_t linklen);
766
767 void DecodeCiscoMeta(const uint8_t *pkt, uint32_t rem_len, Packet *p)
768 {
769 uint16_t real_len;
770 uint16_t realeth;
771 int16_t cmdh_rem_len;
772 uint8_t i;
773
774 if (rem_len < CISCO_META_PREHEADER_LEN)
775 {
776 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
777 "WARNING: Truncated Cisco Metadata header (%d bytes).\n", rem_len););
778
779 if ( Event_Enabled(DECODE_CISCO_META_HDR_TRUNC) )
780 DecoderEvent(p, EVARGS(CISCO_META_HDR_TRUNC), 1, 1);
781
782 pc.discards++;
783 return;
784 }
785
786 p->cmdh = (CiscoMetaHdr*)pkt;
787 p->cmd_options = (CiscoMetaOpt*)(pkt + sizeof(CiscoMetaHdr));
788 cmdh_rem_len = p->cmdh->length << 3;
789
790 /* validate CMD tag header */
791 if(rem_len < cmdh_rem_len || cmdh_rem_len == 0)
792 {
793 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
794 "WARNING: Truncated Cisco Metadata header (%d bytes).\n", rem_len););
795
796 if ( Event_Enabled(DECODE_CISCO_META_HDR_TRUNC) )
797 DecoderEvent(p, EVARGS(CISCO_META_HDR_TRUNC), 1, 1);
798
799 pc.discards++;
800 return;
801 }
802
803 /* validate options, lengths, and SGTs*/
804 cmdh_rem_len -= sizeof(CiscoMetaHdr) + sizeof(uint16_t); //2 octects for ethertype
805 if(cmdh_rem_len == 0)
806 p->cmd_options = NULL;
807
808 for(i = 0; cmdh_rem_len > 0; i++)
809 {
810 CiscoMetaOpt *opt;
811 uint8_t len;
812 uint16_t type;
813
814 /* Top 3 bits (length) must be equal to 0 or 4 */
815 /* Bottom 13 bits (type) must be 1 to indicate SGT*/
816 opt = &p->cmd_options[i];
817 len = ntohs(opt->opt_len_type) >> CISCO_META_OPT_LEN_SHIFT;
818 type = ntohs(opt->opt_len_type) & CISCO_META_OPT_TYPE_MASK;
819
820 /* 0 indicates 4 octets */
821 if(len != 0 && len != 4)
822 {
823 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
824 "WARNING: Invalid Cisco Metadata option length (%u bytes).\n", (uint32_t)len););
825
826 if ( Event_Enabled(DECODE_CISCO_META_HDR_OPT_LEN) )
827 DecoderEvent(p, EVARGS(CISCO_META_HDR_OPT_LEN), 1, 1);
828
829 pc.discards++;
830 return;
831 }
832
833 if(type != CISCO_META_OPT_TYPE_SGT)
834 {
835 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
836 "WARNING: Invalid Cisco Metadata option type (%u).\n", (uint32_t)len););
837
838 if ( Event_Enabled(DECODE_CISCO_META_HDR_OPT_TYPE) )
839 DecoderEvent(p, EVARGS(CISCO_META_HDR_OPT_TYPE), 1, 1);
840
841 pc.discards++;
842 return;
843 }
844
845 /* Tag value 0xFFFF is invalid */
846 if(opt->sgt == 0xFFFF)
847 {
848 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
849 "WARNING: Invalid Cisco Metadata SGT (0xFFFF).\n"););
850
851 if ( Event_Enabled(DECODE_CISCO_META_HDR_SGT) )
852 DecoderEvent(p, EVARGS(CISCO_META_HDR_SGT), 1, 1);
853
854 pc.discards++;
855 return;
856
857 }
858 cmdh_rem_len -= sizeof(CiscoMetaOpt);
859 }
860
861 /* Move to next header */
862 real_len = p->cmdh->length << 3;
863 realeth = ntohs(*((uint16_t*) (pkt + real_len - sizeof(uint16_t)))); //The last 2 octets of the header will be the real ethtype
864 PushLayer(PROTO_CISCO_META, p, pkt, real_len);
865
866 //Decode the real ethtype
867 DecodeEthTypes(p, pkt, realeth, rem_len, real_len);
868 }
869
870 /* Handles ethtypes. Used for ethtypes that chain to other ethtypes */
871 void DecodeEthTypes(Packet *p, const uint8_t *pkt, uint16_t ethtype, uint32_t cap_len, uint8_t linklen)
872 {
873 /* grab out the network type */
874 switch(ethtype)
875 {
876 case ETHERNET_TYPE_IP:
877 DEBUG_WRAP(
878 DebugMessage(DEBUG_DECODE,
879 "IP datagram size calculated to be %lu bytes\n",
880 (unsigned long)(cap_len - linklen));
881 );
882
883 DecodeIP(pkt + linklen,
884 cap_len - linklen, p);
885
886 return;
887
888 case ETHERNET_TYPE_ARP:
889 case ETHERNET_TYPE_REVARP:
890 DecodeARP(pkt + linklen,
891 cap_len - linklen, p);
892 return;
893
894 case ETHERNET_TYPE_IPV6:
895 DecodeIPV6(pkt + linklen,
896 (cap_len - linklen), p);
897 return;
898
899 case ETHERNET_TYPE_PPPoE_DISC:
900 case ETHERNET_TYPE_PPPoE_SESS:
901 DecodePPPoEPkt(pkt + linklen,
902 (cap_len - linklen), p);
903 return;
904
905 #ifndef NO_NON_ETHER_DECODER
906 case ETHERNET_TYPE_IPX:
907 DecodeIPX(pkt + linklen,
908 (cap_len - linklen), p);
909 return;
910 #endif
911
912 case ETHERNET_TYPE_LOOP:
913 DecodeEthLoopback(pkt + linklen,
914 (cap_len - linklen), p);
915 return;
916
917 case ETHERNET_TYPE_8021Q:
918 case ETHERNET_TYPE_8021AD:
919 case ETHERNET_TYPE_QINQ_NS1:
920 case ETHERNET_TYPE_QINQ_NS2:
921 DecodeVlan(pkt + linklen,
922 cap_len - linklen, p);
923 return;
924 #ifdef MPLS
925 case ETHERNET_TYPE_MPLS_MULTICAST:
926 if(!ScMplsMulticast())
927 {
928 //additional check for DecoderAlerts will be done now.
929 DecoderEvent(p, DECODE_BAD_MPLS, DECODE_MULTICAST_MPLS_STR, 1, 1);
930 }
931 case ETHERNET_TYPE_MPLS_UNICAST:
932 DecodeMPLS(pkt + linklen,
933 cap_len - linklen, p);
934 return;
935 #endif
936 case ETHERNET_TYPE_CISCO_META:
937 DecodeCiscoMeta(pkt + linklen,
938 cap_len - linklen, p);
939 return;
940 default:
941 // TBD add decoder drop event for unknown eth type
942 pc.other++;
943 return;
944 }
945 }
946
947 /*
948 * Function: DecodeEthPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*)
949 *
950 * Purpose: Decode those fun loving ethernet packets, one at a time!
951 *
952 * Arguments: p => pointer to the decoded packet struct
953 * user => Utility pointer (unused)
954 * pkthdr => ptr to the packet header
955 * pkt => pointer to the real live packet data
956 *
957 * Returns: void function
958 */
959 void DecodeEthPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt)
960 {
961 uint32_t cap_len = pkthdr->caplen;
962 uint32_t rem_len = cap_len;
963 uint8_t linklen = ETHERNET_HEADER_LEN;
964 PROFILE_VARS;
965
966 PREPROC_PROFILE_START(decodePerfStats);
967 pc.eth++;
968 pc.total_processed++;
969
970 memset(p, 0, PKT_ZERO_LEN);
971
972 p->pkth = pkthdr;
973 p->pkt = pkt;
974
975 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");
976 DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n",
977 (unsigned long)cap_len, (unsigned long)pkthdr->pktlen);
978 );
979
980 while(true)
981 {
982 /* do a little validation */
983 if(rem_len < ETHERNET_HEADER_LEN)
984 {
985 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
986 "WARNING: Truncated eth header (%d bytes).\n", rem_len););
987
988 if ( Event_Enabled(DECODE_ETH_HDR_TRUNC) )
989 DecoderEvent(p, EVARGS(ETH_HDR_TRUNC), 1, 1);
990
991 pc.discards++;
992 pc.ethdisc++;
993 PREPROC_PROFILE_END(decodePerfStats);
994 return;
995 }
996
997 /* lay the ethernet structure over the packet data */
998 p->eh = (EtherHdr *) pkt;
999
1000 /* check if this is a FabricPath header */
1001 if(ntohs(p->eh->ether_type) == ETHERNET_TYPE_FPATH)
1002 {
1003 /* do a little validation */
1004 if(rem_len < FABRICPATH_HEADER_LEN)
1005 {
1006 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
1007 "WARNING: Truncated FabricPath header (%d bytes).\n", rem_len););
1008
1009 if ( Event_Enabled(DECODE_FPATH_HDR_TRUNC) )
1010 DecoderEvent(p, EVARGS(FPATH_HDR_TRUNC), 1, 1);
1011
1012 pc.discards++;
1013 PREPROC_PROFILE_END(decodePerfStats);
1014 return;
1015 }
1016 /* strip FabricPath header*/
1017 PushLayer(PROTO_FPATH, p, pkt, FABRICPATH_HEADER_LEN);
1018 pkt += FABRICPATH_HEADER_LEN;
1019 linklen += FABRICPATH_HEADER_LEN;
1020 rem_len -= FABRICPATH_HEADER_LEN;
1021 }
1022
1023
1024 else
1025 break;
1026 }
1027 PushLayer(PROTO_ETH, p, pkt, sizeof(*p->eh));
1028
1029 DEBUG_WRAP(
1030 DebugMessage(DEBUG_DECODE, "%X:%X:%X:%X:%X:%X -> %X:%X:%X:%X:%X:%X\n",
1031 p->eh->ether_src[0],
1032 p->eh->ether_src[1], p->eh->ether_src[2], p->eh->ether_src[3],
1033 p->eh->ether_src[4], p->eh->ether_src[5], p->eh->ether_dst[0],
1034 p->eh->ether_dst[1], p->eh->ether_dst[2], p->eh->ether_dst[3],
1035 p->eh->ether_dst[4], p->eh->ether_dst[5]);
1036 );
1037 DEBUG_WRAP(
1038 DebugMessage(DEBUG_DECODE, "type:0x%X len:0x%X\n",
1039 ntohs(p->eh->ether_type), p->pkth->pktlen)
1040 );
1041 DecodeEthTypes(p, p->pkt, ntohs(p->eh->ether_type), cap_len, linklen);
1042 PREPROC_PROFILE_END(decodePerfStats);
1043 }
1044
1045 #ifdef GRE
1046 /*
1047 * Function: DecodeTransBridging(uint8_t *, const uint32_t, Packet)
1048 *
1049 * Purpose: Decode Transparent Ethernet Bridging
1050 *
1051 * Arguments: pkt => pointer to the real live packet data
1052 * len => length of remaining data in packet
1053 * p => pointer to the decoded packet struct
1054 *
1055 *
1056 * Returns: void function
1057 *
1058 * Note: This is basically the code from DecodeEthPkt but the calling
1059 * convention needed to be changed and the stuff at the beginning
1060 * wasn't needed since we are already deep into the packet
1061 */
1062 void DecodeTransBridging(const uint8_t *pkt, const uint32_t len, Packet *p)
1063 {
1064 pc.gre_eth++;
1065
1066 if(len < ETHERNET_HEADER_LEN)
1067 {
1068 DecoderAlertEncapsulated(p, DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR,
1069 DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR_STR,
1070 pkt, len);
1071 return;
1072 }
1073
1074 /* The Packet struct's ethernet header will now point to the inner ethernet
1075 * header of the packet
1076 */
1077 p->eh = (EtherHdr *)pkt;
1078 PushLayer(PROTO_ETH, p, pkt, sizeof(*p->eh));
1079
1080 switch (ntohs(p->eh->ether_type))
1081 {
1082 case ETHERNET_TYPE_IP:
1083 DecodeIP(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p);
1084 return;
1085
1086 case ETHERNET_TYPE_ARP:
1087 case ETHERNET_TYPE_REVARP:
1088 DecodeARP(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p);
1089 return;
1090
1091 case ETHERNET_TYPE_IPV6:
1092 DecodeIPV6(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p);
1093 return;
1094
1095 #ifndef NO_NON_ETHER_DECODER
1096 case ETHERNET_TYPE_IPX:
1097 DecodeIPX(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p);
1098 return;
1099 #endif
1100
1101 case ETHERNET_TYPE_LOOP:
1102 DecodeEthLoopback(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p);
1103 return;
1104
1105 case ETHERNET_TYPE_8021Q:
1106 DecodeVlan(pkt + ETHERNET_HEADER_LEN, len - ETHERNET_HEADER_LEN, p);
1107 return;
1108
1109 default:
1110 // TBD add decoder drop event for unknown xbrdg/eth type
1111 pc.other++;
1112 p->data = pkt + ETHERNET_HEADER_LEN;
1113 p->dsize = (uint16_t)(len - ETHERNET_HEADER_LEN);
1114 return;
1115 }
1116 }
1117 #endif /* GRE */
1118
1119 //--------------------------------------------------------------------
1120 // decode.c::MPLS
1121 //--------------------------------------------------------------------
1122
1123 #ifdef MPLS
1124 /*
1125 * check if reserved labels are used properly
1126 */
1127 static int checkMplsHdr(uint32_t label, uint8_t exp, uint8_t bos, uint8_t ttl, Packet *p)
1128 {
1129 int iRet = 0;
1130 switch(label)
1131 {
1132 case 0:
1133 case 2:
1134 /* check if this label is the bottom of the stack */
1135 if(bos)
1136 {
1137 if ( label == 0 )
1138 iRet = MPLS_PAYLOADTYPE_IPV4;
1139 else if ( label == 2 )
1140 iRet = MPLS_PAYLOADTYPE_IPV6;
1141
1142
1143 /* when label == 2, IPv6 is expected;
1144 * when label == 0, IPv4 is expected */
1145 if((label&&(ScMplsPayloadType() != MPLS_PAYLOADTYPE_IPV6))
1146 ||((!label)&&(ScMplsPayloadType() != MPLS_PAYLOADTYPE_IPV4)))
1147 {
1148 if( !label )
1149 DecoderEvent(p, DECODE_BAD_MPLS_LABEL0,
1150 DECODE_BAD_MPLS_LABEL0_STR, 1, 1);
1151 else
1152 DecoderEvent(p, DECODE_BAD_MPLS_LABEL2,
1153 DECODE_BAD_MPLS_LABEL2_STR, 1, 1);
1154 }
1155 break;
1156 }
1157
1158 #if 0
1159 /* This is valid per RFC 4182. Just pop this label off, ignore it
1160 * and move on to the next one.
1161 */
1162 if( !label )
1163 DecoderEvent(p, DECODE_BAD_MPLS_LABEL0,
1164 DECODE_BAD_MPLS_LABEL0_STR, 1, 1);
1165 else
1166 DecoderEvent(p, DECODE_BAD_MPLS_LABEL2,
1167 DECODE_BAD_MPLS_LABEL2_STR, 1, 1);
1168
1169 pc.discards++;
1170 p->iph = NULL;
1171 p->family = NO_IP;
1172 return(-1);
1173 #endif
1174 break;
1175 case 1:
1176 if(!bos) break;
1177
1178 DecoderEvent(p, DECODE_BAD_MPLS_LABEL1,
1179 DECODE_BAD_MPLS_LABEL1_STR, 1, 1);
1180
1181 pc.discards++;
1182 p->iph = NULL;
1183 p->family = NO_IP;
1184 iRet = MPLS_PAYLOADTYPE_ERROR;
1185 break;
1186
1187 case 3:
1188 DecoderEvent(p, DECODE_BAD_MPLS_LABEL3,
1189 DECODE_BAD_MPLS_LABEL3_STR, 1, 1);
1190
1191 pc.discards++;
1192 p->iph = NULL;
1193 p->family = NO_IP;
1194 iRet = MPLS_PAYLOADTYPE_ERROR;
1195 break;
1196 case 4:
1197 case 5:
1198 case 6:
1199 case 7:
1200 case 8:
1201 case 9:
1202 case 10:
1203 case 11:
1204 case 12:
1205 case 13:
1206 case 14:
1207 case 15:
1208 DecoderEvent(p, DECODE_MPLS_RESERVED_LABEL,
1209 DECODE_MPLS_RESERVEDLABEL_STR, 1, 1);
1210 break;
1211 default:
1212 break;
1213 }
1214 if ( !iRet )
1215 {
1216 iRet = ScMplsPayloadType();
1217 }
1218 return iRet;
1219 }
1220
1221 void DecodeMPLS(const uint8_t* pkt, const uint32_t len, Packet* p)
1222 {
1223 uint32_t* tmpMplsHdr;
1224 uint32_t mpls_h;
1225 uint32_t label;
1226 uint32_t mlen = 0;
1227
1228 uint8_t exp;
1229 uint8_t bos = 0;
1230 uint8_t ttl;
1231 uint8_t chainLen = 0;
1232 uint32_t stack_len = len;
1233
1234 int iRet = 0;
1235
1236 pc.mpls++;
1237 UpdateMPLSStats(&sfBase, len, Active_PacketWasDropped());
1238 tmpMplsHdr = (uint32_t *) pkt;
1239 p->mpls = NULL;
1240
1241 while (!bos)
1242 {
1243 if(stack_len < MPLS_HEADER_LEN)
1244 {
1245 DecoderEvent(p, DECODE_BAD_MPLS, DECODE_BAD_MPLS_STR, 1, 1);
1246
1247 pc.discards++;
1248 p->iph = NULL;
1249 p->family = NO_IP;
1250 return;
1251 }
1252
1253 mpls_h = ntohl(*tmpMplsHdr);
1254 ttl = (uint8_t)(mpls_h & 0x000000FF);
1255 mpls_h = mpls_h>>8;
1256 bos = (uint8_t)(mpls_h & 0x00000001);
1257 exp = (uint8_t)(mpls_h & 0x0000000E);
1258 label = (mpls_h>>4) & 0x000FFFFF;
1259
1260 if((label<NUM_RESERVED_LABELS)&&((iRet = checkMplsHdr(label, exp, bos, ttl, p)) < 0))
1261 return;
1262
1263 if( bos )
1264 {
1265 p->mplsHdr.label = label;
1266 p->mplsHdr.exp = exp;
1267 p->mplsHdr.bos = bos;
1268 p->mplsHdr.ttl = ttl;
1269 /**
1270 p->mpls = &(p->mplsHdr);
1271 **/
1272 p->mpls = tmpMplsHdr;
1273 if(!iRet)
1274 {
1275 iRet = ScMplsPayloadType();
1276 }
1277 }
1278 tmpMplsHdr++;
1279 stack_len -= MPLS_HEADER_LEN;
1280
1281 if ((ScMplsStackDepth() != -1) && (chainLen++ >= ScMplsStackDepth()))
1282 {
1283 DecoderEvent(p, DECODE_MPLS_LABEL_STACK,
1284 DECODE_MPLS_LABEL_STACK_STR, 1, 1);
1285
1286 pc.discards++;
1287 p->iph = NULL;
1288 p->family = NO_IP;
1289 return;
1290 }
1291 } /* while bos not 1, peel off more labels */
1292
1293 mlen = (uint8_t*)tmpMplsHdr - pkt;
1294 PushLayer(PROTO_MPLS, p, pkt, mlen);
1295 mlen = len - mlen;
1296
1297 if ( ScTunnelBypassEnabled(TUNNEL_MPLS) )
1298 Active_SetTunnelBypass();
1299
1300 #ifdef MPLS_RFC4023_SUPPORT
1301 /* Currently, this additional check for MPLS payload type presumes:
1302 * Only IPv4 or IPv6 payloads are supported (based on code inspection).
1303 *
1304 * If MPLS payload type is Ethernet or PWE extensions, the following
1305 * functions:
1306 *
1307 * ScMplsPayloadCheck
1308 * checkMplsHdr and
1309 * ScMplsPayloadType
1310 *
1311 * must be revisited for performance and payload type checks as against,
1312 * static assignment from SnortConfig: sc->mpls_payload_type
1313 */
1314 iRet = ScMplsPayloadCheck(*(uint8_t *)tmpMplsHdr, iRet);
1315 #endif
1316
1317 p->non_ip_pkt = 1;
1318
1319 switch (iRet)
1320 {
1321 case MPLS_PAYLOADTYPE_IPV4:
1322 DecodeIP((uint8_t *)tmpMplsHdr, mlen, p);
1323 break;
1324
1325 case MPLS_PAYLOADTYPE_IPV6:
1326 DecodeIPV6((uint8_t *)tmpMplsHdr, mlen, p);
1327 break;
1328
1329 case MPLS_PAYLOADTYPE_ETHERNET:
1330 DecodeEthOverMPLS((uint8_t *)tmpMplsHdr, mlen, p);
1331 break;
1332
1333 default:
1334 break;
1335 }
1336 return;
1337 }
1338
1339 void DecodeEthOverMPLS(const uint8_t* pkt, const uint32_t len, Packet* p)
1340 {
1341 /* do a little validation */
1342 if(len < ETHERNET_HEADER_LEN)
1343 {
1344 if (ScLogVerbose())
1345 {
1346 ErrorMessage("Captured data length < Ethernet header length!"
1347 " (%d bytes)\n", len);
1348 }
1349
1350 p->iph = NULL;
1351 p->family = NO_IP;
1352 // TBD add decoder drop event for eth over MPLS cap len issue
1353 pc.discards++;
1354 pc.ethdisc++;
1355 return;
1356 }
1357
1358 /* lay the ethernet structure over the packet data */
1359 p->eh = (EtherHdr *) pkt; // FIXTHIS squashes outer eth!
1360 PushLayer(PROTO_ETH, p, pkt, sizeof(*p->eh));
1361
1362 DEBUG_WRAP(
1363 DebugMessage(DEBUG_DECODE, "%X %X\n",
1364 *p->eh->ether_src, *p->eh->ether_dst);
1365 );
1366
1367 /* grab out the network type */
1368 switch(ntohs(p->eh->ether_type))
1369 {
1370 case ETHERNET_TYPE_IP:
1371 DEBUG_WRAP(
1372 DebugMessage(DEBUG_DECODE,
1373 "IP datagram size calculated to be %lu bytes\n",
1374 (unsigned long)(len - ETHERNET_HEADER_LEN));
1375 );
1376
1377 DecodeIP(p->pkt + ETHERNET_HEADER_LEN,
1378 len - ETHERNET_HEADER_LEN, p);
1379
1380 return;
1381
1382 case ETHERNET_TYPE_ARP:
1383 case ETHERNET_TYPE_REVARP:
1384 DecodeARP(p->pkt + ETHERNET_HEADER_LEN,
1385 len - ETHERNET_HEADER_LEN, p);
1386 return;
1387
1388 case ETHERNET_TYPE_IPV6:
1389 DecodeIPV6(p->pkt + ETHERNET_HEADER_LEN,
1390 (len - ETHERNET_HEADER_LEN), p);
1391 return;
1392
1393 case ETHERNET_TYPE_PPPoE_DISC:
1394 case ETHERNET_TYPE_PPPoE_SESS:
1395 DecodePPPoEPkt(p->pkt + ETHERNET_HEADER_LEN,
1396 (len - ETHERNET_HEADER_LEN), p);
1397 return;
1398
1399 #ifndef NO_NON_ETHER_DECODER
1400 case ETHERNET_TYPE_IPX:
1401 DecodeIPX(p->pkt + ETHERNET_HEADER_LEN,
1402 (len - ETHERNET_HEADER_LEN), p);
1403 return;
1404 #endif
1405
1406 case ETHERNET_TYPE_LOOP:
1407 DecodeEthLoopback(p->pkt + ETHERNET_HEADER_LEN,
1408 (len - ETHERNET_HEADER_LEN), p);
1409 return;
1410
1411 case ETHERNET_TYPE_8021Q:
1412 DecodeVlan(p->pkt + ETHERNET_HEADER_LEN,
1413 len - ETHERNET_HEADER_LEN, p);
1414 return;
1415
1416 default:
1417 // TBD add decoder drop event for unknown mpls/eth type
1418 pc.other++;
1419 return;
1420 }
1421
1422 return;
1423 }
1424
1425 int isPrivateIP(uint32_t addr)
1426 {
1427 switch (addr & 0xff)
1428 {
1429 case 0x0a:
1430 return 1;
1431 break;
1432 case 0xac:
1433 if ((addr & 0xf000) == 0x1000)
1434 return 1;
1435 break;
1436 case 0xc0:
1437 if (((addr & 0xff00) ) == 0xa800)
1438 return 1;
1439 break;
1440 }
1441 return 0;
1442 }
1443 #endif // MPLS
1444
1445 //--------------------------------------------------------------------
1446 // decode.c::VLAN
1447 //--------------------------------------------------------------------
1448
1449 #define LEN_VLAN_LLC_OTHER (sizeof(VlanTagHdr) + sizeof(EthLlc) + sizeof(EthLlcOther))
1450
1451 void DecodeVlan(const uint8_t * pkt, const uint32_t len, Packet * p)
1452 {
1453 VlanTagHdr* vh;
1454
1455 pc.vlan++;
1456
1457 #ifdef GRE
1458 if (p->greh != NULL)
1459 pc.gre_vlan++;
1460 #endif
1461
1462 if(len < sizeof(VlanTagHdr))
1463 {
1464 DecoderEvent(p, DECODE_BAD_VLAN, DECODE_BAD_VLAN_STR, 1, 1);
1465
1466 // TBD add decoder drop event for VLAN hdr len issue
1467 pc.discards++;
1468 p->iph = NULL;
1469 p->family = NO_IP;
1470 return;
1471 }
1472
1473 vh = (VlanTagHdr *) pkt;
1474 #ifdef HAVE_DAQ_REAL_ADDRESSES
1475 if (!(p->pkth->flags & DAQ_PKT_FLAG_IGNORE_VLAN))
1476 #endif
1477 p->vh = vh;
1478
1479 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Vlan traffic:\n");
1480 DebugMessage(DEBUG_DECODE, " Priority: %d(0x%X)\n",
1481 VTH_PRIORITY(vh), VTH_PRIORITY(vh));
1482 DebugMessage(DEBUG_DECODE, " CFI: %d\n", VTH_CFI(vh));
1483 DebugMessage(DEBUG_DECODE, " Vlan ID: %d(0x%04X)\n",
1484 VTH_VLAN(vh), VTH_VLAN(vh));
1485 DebugMessage(DEBUG_DECODE, " Vlan Proto: 0x%04X\n",
1486 ntohs(vh->vth_proto));
1487 );
1488
1489 /* check to see if we've got an encapsulated LLC layer
1490 * http://www.geocities.com/billalexander/ethernet.html
1491 */
1492 if(ntohs(vh->vth_proto) <= ETHERNET_MAX_LEN_ENCAP)
1493 {
1494 if(len < sizeof(VlanTagHdr) + sizeof(EthLlc))
1495 {
1496 DecoderEvent(p, DECODE_BAD_VLAN_ETHLLC,
1497 DECODE_BAD_VLAN_ETHLLC_STR, 1, 1);
1498
1499 pc.discards++;
1500 p->iph = NULL;
1501 p->family = NO_IP;
1502 return;
1503 }
1504
1505 p->ehllc = (EthLlc *) (pkt + sizeof(VlanTagHdr));
1506
1507 DEBUG_WRAP(
1508 DebugMessage(DEBUG_DECODE, "LLC Header:\n");
1509 DebugMessage(DEBUG_DECODE, " DSAP: 0x%X\n", p->ehllc->dsap);
1510 DebugMessage(DEBUG_DECODE, " SSAP: 0x%X\n", p->ehllc->ssap);
1511 );
1512
1513 if(p->ehllc->dsap == ETH_DSAP_IP && p->ehllc->ssap == ETH_SSAP_IP)
1514 {
1515 if ( len < LEN_VLAN_LLC_OTHER )
1516 {
1517 DecoderEvent(p, DECODE_BAD_VLAN_OTHER,
1518 DECODE_BAD_VLAN_OTHER_STR, 1, 1);
1519
1520 pc.discards++;
1521 p->iph = NULL;
1522 p->family = NO_IP;
1523
1524 return;
1525 }
1526
1527 p->ehllcother = (EthLlcOther *) (pkt + sizeof(VlanTagHdr) + sizeof(EthLlc));
1528
1529 DEBUG_WRAP(
1530 DebugMessage(DEBUG_DECODE, "LLC Other Header:\n");
1531 DebugMessage(DEBUG_DECODE, " CTRL: 0x%X\n",
1532 p->ehllcother->ctrl);
1533 DebugMessage(DEBUG_DECODE, " ORG: 0x%02X%02X%02X\n",
1534 p->ehllcother->org_code[0], p->ehllcother->org_code[1],
1535 p->ehllcother->org_code[2]);
1536 DebugMessage(DEBUG_DECODE, " PROTO: 0x%04X\n",
1537 ntohs(p->ehllcother->proto_id));
1538 );
1539
1540 PushLayer(PROTO_VLAN, p, pkt, sizeof(*vh));
1541
1542 switch(ntohs(p->ehllcother->proto_id))
1543 {
1544 case ETHERNET_TYPE_IP:
1545 DecodeIP(p->pkt + LEN_VLAN_LLC_OTHER,
1546 len - LEN_VLAN_LLC_OTHER, p);
1547 return;
1548
1549 case ETHERNET_TYPE_ARP:
1550 case ETHERNET_TYPE_REVARP:
1551 DecodeARP(p->pkt + LEN_VLAN_LLC_OTHER,
1552 len - LEN_VLAN_LLC_OTHER, p);
1553 return;
1554
1555 case ETHERNET_TYPE_IPV6:
1556 DecodeIPV6(p->pkt + LEN_VLAN_LLC_OTHER,
1557 len - LEN_VLAN_LLC_OTHER, p);
1558 return;
1559
1560 case ETHERNET_TYPE_8021Q:
1561 case ETHERNET_TYPE_8021AD:
1562 case ETHERNET_TYPE_QINQ_NS1:
1563 case ETHERNET_TYPE_QINQ_NS2:
1564 pc.nested_vlan++;
1565 DecodeVlan(p->pkt + LEN_VLAN_LLC_OTHER,
1566 len - LEN_VLAN_LLC_OTHER, p);
1567 return;
1568
1569 case ETHERNET_TYPE_LOOP:
1570 DecodeEthLoopback(p->pkt + LEN_VLAN_LLC_OTHER,
1571 len - LEN_VLAN_LLC_OTHER, p);
1572 return;
1573
1574 #ifndef NO_NON_ETHER_DECODER
1575 case ETHERNET_TYPE_IPX:
1576 DecodeIPX(p->pkt + LEN_VLAN_LLC_OTHER,
1577 len - LEN_VLAN_LLC_OTHER, p);
1578 return;
1579 #endif
1580
1581 case ETHERNET_TYPE_PPPoE_DISC:
1582 case ETHERNET_TYPE_PPPoE_SESS:
1583 DecodePPPoEPkt(p->pkt + LEN_VLAN_LLC_OTHER,
1584 len - LEN_VLAN_LLC_OTHER, p);
1585 return;
1586 #ifdef MPLS
1587 case ETHERNET_TYPE_MPLS_MULTICAST:
1588 if(!ScMplsMulticast())
1589 {
1590 DecoderEvent(p, DECODE_BAD_MPLS,
1591 DECODE_MULTICAST_MPLS_STR, 1, 1);
1592 }
1593 /* Fall through */
1594 case ETHERNET_TYPE_MPLS_UNICAST:
1595 DecodeMPLS(p->pkt + LEN_VLAN_LLC_OTHER,
1596 len - LEN_VLAN_LLC_OTHER, p);
1597 return;
1598 #endif
1599
1600 default:
1601 // TBD add decoder drop event for unknown vlan/eth type
1602 pc.other++;
1603 return;
1604 }
1605 }
1606 }
1607 else
1608 {
1609 PushLayer(PROTO_VLAN, p, pkt, sizeof(*vh));
1610
1611 switch(ntohs(vh->vth_proto))
1612 {
1613 case ETHERNET_TYPE_IP:
1614 DecodeIP(pkt + sizeof(VlanTagHdr),
1615 len - sizeof(VlanTagHdr), p);
1616 return;
1617
1618 case ETHERNET_TYPE_ARP:
1619 case ETHERNET_TYPE_REVARP:
1620 DecodeARP(pkt + sizeof(VlanTagHdr),
1621 len - sizeof(VlanTagHdr), p);
1622 return;
1623
1624 case ETHERNET_TYPE_IPV6:
1625 DecodeIPV6(pkt +sizeof(VlanTagHdr),
1626 len - sizeof(VlanTagHdr), p);
1627 return;
1628
1629 case ETHERNET_TYPE_8021Q:
1630 case ETHERNET_TYPE_8021AD:
1631 case ETHERNET_TYPE_QINQ_NS1:
1632 case ETHERNET_TYPE_QINQ_NS2:
1633 pc.nested_vlan++;
1634 DecodeVlan(pkt + sizeof(VlanTagHdr),
1635 len - sizeof(VlanTagHdr), p);
1636 return;
1637
1638 case ETHERNET_TYPE_LOOP:
1639 DecodeEthLoopback(pkt + sizeof(VlanTagHdr),
1640 len - sizeof(VlanTagHdr), p);
1641 return;
1642
1643 #ifndef NO_NON_ETHER_DECODER
1644 case ETHERNET_TYPE_IPX:
1645 DecodeIPX(pkt + sizeof(VlanTagHdr),
1646 len - sizeof(VlanTagHdr), p);
1647 return;
1648 #endif
1649
1650 case ETHERNET_TYPE_PPPoE_DISC:
1651 case ETHERNET_TYPE_PPPoE_SESS:
1652 DecodePPPoEPkt(pkt + sizeof(VlanTagHdr),
1653 len - sizeof(VlanTagHdr), p);
1654 return;
1655
1656 #ifdef MPLS
1657 case ETHERNET_TYPE_MPLS_MULTICAST:
1658 if(!ScMplsMulticast())
1659 {
1660 SnortEventqAdd(GENERATOR_SNORT_DECODE, DECODE_BAD_MPLS, 1, DECODE_CLASS, 3, DECODE_MULTICAST_MPLS_STR, 0);
1661 }
1662 case ETHERNET_TYPE_MPLS_UNICAST:
1663 DecodeMPLS(pkt + sizeof(VlanTagHdr),
1664 len - sizeof(VlanTagHdr), p);
1665 return;
1666 #endif
1667 case ETHERNET_TYPE_CISCO_META:
1668 DecodeCiscoMeta(pkt + sizeof(VlanTagHdr),
1669 len - sizeof(VlanTagHdr), p);
1670 return;
1671
1672 default:
1673 // TBD add decoder drop event for unknown vlan/eth type
1674 pc.other++;
1675 return;
1676 }
1677 }
1678
1679 // TBD add decoder drop event for unknown vlan/llc type
1680 pc.other++;
1681 return;
1682 }
1683
1684 //--------------------------------------------------------------------
1685 // decode.c::PPP related
1686 //--------------------------------------------------------------------
1687
1688 /*
1689 * Function: DecodePPPoEPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*)
1690 *
1691 * Purpose: Decode those fun loving ethernet packets, one at a time!
1692 *
1693 * Arguments: p => pointer to the decoded packet struct
1694 * user => Utility pointer (unused)
1695 * pkthdr => ptr to the packet header
1696 * pkt => pointer to the real live packet data
1697 *
1698 * Returns: void function
1699 *
1700 * see http://www.faqs.org/rfcs/rfc2516.html
1701 *
1702 */
1703 void DecodePPPoEPkt(const uint8_t* pkt, const uint32_t len, Packet* p)
1704 {
1705 //PPPoE_Tag *ppppoe_tag=0;
1706 //PPPoE_Tag tag; /* needed to avoid alignment problems */
1707
1708 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "PPPoE with len: %lu\n",
1709 (unsigned long)len););
1710
1711 /* do a little validation */
1712 if(len < PPPOE_HEADER_LEN)
1713 {
1714 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
1715 "Captured data length < PPPoE header length! "
1716 "(%d bytes)\n", len););
1717
1718 DecoderEvent(p, DECODE_BAD_PPPOE, DECODE_BAD_PPPOE_STR, 1, 1);
1719
1720 return;
1721 }
1722
1723 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "%X %X\n",
1724 *p->eh->ether_src, *p->eh->ether_dst););
1725
1726 /* lay the PPP over ethernet structure over the packet data */
1727 p->pppoeh = (PPPoEHdr *)pkt;
1728
1729 /* grab out the network type */
1730 switch(ntohs(p->eh->ether_type))
1731 {
1732 case ETHERNET_TYPE_PPPoE_DISC:
1733 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "(PPPOE Discovery) "););
1734 break;
1735
1736 case ETHERNET_TYPE_PPPoE_SESS:
1737 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "(PPPOE Session) "););
1738 break;
1739
1740 default:
1741 return;
1742 }
1743
1744 #ifdef DEBUG_MSGS
1745 switch(p->pppoeh->code)
1746 {
1747 case PPPoE_CODE_PADI:
1748 /* The Host sends the PADI packet with the DESTINATION_ADDR set
1749 * to the broadcast address. The CODE field is set to 0x09 and
1750 * the SESSION_ID MUST be set to 0x0000.
1751 *
1752 * The PADI packet MUST contain exactly one TAG of TAG_TYPE
1753 * Service-Name, indicating the service the Host is requesting,
1754 * and any number of other TAG types. An entire PADI packet
1755 * (including the PPPoE header) MUST NOT exceed 1484 octets so
1756 * as to leave sufficient room for a relay agent to add a
1757 * Relay-Session-Id TAG.
1758 */
1759 DebugMessage(DEBUG_DECODE, "Active Discovery Initiation (PADI)\n");
1760 break;
1761
1762 case PPPoE_CODE_PADO:
1763 /* When the Access Concentrator receives a PADI that it can
1764 * serve, it replies by sending a PADO packet. The
1765 * DESTINATION_ADDR is the unicast address of the Host that
1766 * sent the PADI. The CODE field is set to 0x07 and the
1767 * SESSION_ID MUST be set to 0x0000.
1768 *
1769 * The PADO packet MUST contain one AC-Name TAG containing the
1770 * Access Concentrator's name, a Service-Name TAG identical to
1771 * the one in the PADI, and any number of other Service-Name
1772 * TAGs indicating other services that the Access Concentrator
1773 * offers. If the Access Concentrator can not serve the PADI
1774 * it MUST NOT respond with a PADO.
1775 */
1776 DebugMessage(DEBUG_DECODE, "Active Discovery Offer (PADO)\n");
1777 break;
1778
1779 case PPPoE_CODE_PADR:
1780 /* Since the PADI was broadcast, the Host may receive more than
1781 * one PADO. The Host looks through the PADO packets it receives
1782 * and chooses one. The choice can be based on the AC-Name or
1783 * the Services offered. The Host then sends one PADR packet
1784 * to the Access Concentrator that it has chosen. The
1785 * DESTINATION_ADDR field is set to the unicast Ethernet address
1786 * of the Access Concentrator that sent the PADO. The CODE
1787 * field is set to 0x19 and the SESSION_ID MUST be set to 0x0000.
1788 *
1789 * The PADR packet MUST contain exactly one TAG of TAG_TYPE
1790 * Service-Name, indicating the service the Host is requesting,
1791 * and any number of other TAG types.
1792 */
1793 DebugMessage(DEBUG_DECODE, "Active Discovery Request (PADR)\n");
1794 break;
1795
1796 case PPPoE_CODE_PADS:
1797 /* When the Access Concentrator receives a PADR packet, it
1798 * prepares to begin a PPP session. It generates a unique
1799 * SESSION_ID for the PPPoE session and replies to the Host with
1800 * a PADS packet. The DESTINATION_ADDR field is the unicast
1801 * Ethernet address of the Host that sent the PADR. The CODE
1802 * field is set to 0x65 and the SESSION_ID MUST be set to the
1803 * unique value generated for this PPPoE session.
1804 *
1805 * The PADS packet contains exactly one TAG of TAG_TYPE
1806 * Service-Name, indicating the service under which Access
1807 * Concentrator has accepted the PPPoE session, and any number
1808 * of other TAG types.
1809 *
1810 * If the Access Concentrator does not like the Service-Name in
1811 * the PADR, then it MUST reply with a PADS containing a TAG of
1812 * TAG_TYPE Service-Name-Error (and any number of other TAG
1813 * types). In this case the SESSION_ID MUST be set to 0x0000.
1814 */
1815 DebugMessage(DEBUG_DECODE, "Active Discovery "
1816 "Session-confirmation (PADS)\n");
1817 break;
1818
1819 case PPPoE_CODE_PADT:
1820 /* This packet may be sent anytime after a session is established
1821 * to indicate that a PPPoE session has been terminated. It may
1822 * be sent by either the Host or the Access Concentrator. The
1823 * DESTINATION_ADDR field is a unicast Ethernet address, the
1824 * CODE field is set to 0xa7 and the SESSION_ID MUST be set to
1825 * indicate which session is to be terminated. No TAGs are
1826 * required.
1827 *
1828 * When a PADT is received, no further PPP traffic is allowed to
1829 * be sent using that session. Even normal PPP termination
1830 * packets MUST NOT be sent after sending or receiving a PADT.
1831 * A PPP peer SHOULD use the PPP protocol itself to bring down a
1832 * PPPoE session, but the PADT MAY be used when PPP can not be
1833 * used.
1834 */
1835 DebugMessage(DEBUG_DECODE, "Active Discovery Terminate (PADT)\n");
1836 break;
1837
1838 case PPPoE_CODE_SESS:
1839 DebugMessage(DEBUG_DECODE, "Session Packet (SESS)\n");
1840 break;
1841
1842 default:
1843 DebugMessage(DEBUG_DECODE, "(Unknown)\n");
1844 break;
1845 }
1846 #endif
1847
1848 if (ntohs(p->eh->ether_type) != ETHERNET_TYPE_PPPoE_DISC)
1849 {
1850 PushLayer(PROTO_PPPOE, p, pkt, PPPOE_HEADER_LEN);
1851 p->non_ip_pkt = 1;
1852 DecodePppPktEncapsulated(pkt + PPPOE_HEADER_LEN, len - PPPOE_HEADER_LEN, p);
1853 return;
1854 }
1855 else
1856 {
1857 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Returning early on PPPOE discovery packet\n"););
1858 return;
1859 }
1860
1861 #if 0
1862 ppppoe_tag = (PPPoE_Tag *)(pkt + sizeof(PPPoEHdr));
1863
1864 while (ppppoe_tag < (PPPoE_Tag *)(pkt + len))
1865 {
1866 if (((char*)(ppppoe_tag)+(sizeof(PPPoE_Tag)-1)) > (char*)(pkt + len))
1867 {
1868 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Not enough data in packet for PPPOE Tag\n"););
1869 break;
1870 }
1871
1872 /* no guarantee in PPPoE spec that ppppoe_tag is aligned at all... */
1873 memcpy(&tag, ppppoe_tag, sizeof(tag));
1874
1875 DEBUG_WRAP(
1876 DebugMessage(DEBUG_DECODE, "\tPPPoE tag:\ntype: %04x length: %04x ",
1877 ntohs(tag.type), ntohs(tag.length)););
1878
1879 #ifdef DEBUG_MSGS
1880 switch(ntohs(tag.type))
1881 {
1882 case PPPoE_TAG_END_OF_LIST:
1883 DebugMessage(DEBUG_DECODE, "(End of list)\n\t");
1884 break;
1885 case PPPoE_TAG_SERVICE_NAME:
1886 DebugMessage(DEBUG_DECODE, "(Service name)\n\t");
1887 break;
1888 case PPPoE_TAG_AC_NAME:
1889 DebugMessage(DEBUG_DECODE, "(AC Name)\n\t");
1890 break;
1891 case PPPoE_TAG_HOST_UNIQ:
1892 DebugMessage(DEBUG_DECODE, "(Host Uniq)\n\t");
1893 break;
1894 case PPPoE_TAG_AC_COOKIE:
1895 DebugMessage(DEBUG_DECODE, "(AC Cookie)\n\t");
1896 break;
1897 case PPPoE_TAG_VENDOR_SPECIFIC:
1898 DebugMessage(DEBUG_DECODE, "(Vendor Specific)\n\t");
1899 break;
1900 case PPPoE_TAG_RELAY_SESSION_ID:
1901 DebugMessage(DEBUG_DECODE, "(Relay Session ID)\n\t");
1902 break;
1903 case PPPoE_TAG_SERVICE_NAME_ERROR:
1904 DebugMessage(DEBUG_DECODE, "(Service Name Error)\n\t");
1905 break;
1906 case PPPoE_TAG_AC_SYSTEM_ERROR:
1907 DebugMessage(DEBUG_DECODE, "(AC System Error)\n\t");
1908 break;
1909 case PPPoE_TAG_GENERIC_ERROR:
1910 DebugMessage(DEBUG_DECODE, "(Generic Error)\n\t");
1911 break;
1912 default:
1913 DebugMessage(DEBUG_DECODE, "(Unknown)\n\t");
1914 break;
1915 }
1916 #endif
1917
1918 #ifdef DEBUG_MSGS
1919 if (ntohs(tag.length) > 0)
1920 {
1921 char *buf;
1922 int i;
1923
1924 switch (ntohs(tag.type))
1925 {
1926 case PPPoE_TAG_SERVICE_NAME:
1927 case PPPoE_TAG_AC_NAME:
1928 case PPPoE_TAG_SERVICE_NAME_ERROR:
1929 case PPPoE_TAG_AC_SYSTEM_ERROR:
1930 case PPPoE_TAG_GENERIC_ERROR: * ascii data *
1931 buf = (char *)SnortAlloc(ntohs(tag.length) + 1);
1932 strlcpy(buf, (char *)(ppppoe_tag+1), ntohs(tag.length));
1933 DebugMessage(DEBUG_DECODE, "data (UTF-8): %s\n", buf);
1934 free(buf);
1935 break;
1936
1937 case PPPoE_TAG_HOST_UNIQ:
1938 case PPPoE_TAG_AC_COOKIE:
1939 case PPPoE_TAG_RELAY_SESSION_ID:
1940 DebugMessage(DEBUG_DECODE, "data (bin): ");
1941 for (i = 0; i < ntohs(tag.length); i++)
1942 DebugMessage(DEBUG_DECODE,
1943 "%02x", *(((unsigned char *)ppppoe_tag) +
1944 sizeof(PPPoE_Tag) + i));
1945 DebugMessage(DEBUG_DECODE, "\n");
1946 break;
1947
1948 default:
1949 DebugMessage(DEBUG_DECODE, "unrecognized data\n");
1950 break;
1951 }
1952 }
1953 #endif
1954
1955 ppppoe_tag = (PPPoE_Tag *)((char *)(ppppoe_tag+1)+ntohs(tag.length));
1956 }
1957
1958 #endif /* #if 0 */
1959
1960 return;
1961 }
1962
1963 /*
1964 * Function: DecodePppPktEncapsulated(Packet *, const uint32_t len, uint8_t*)
1965 *
1966 * Purpose: Decode PPP traffic (RFC1661 framing).
1967 *
1968 * Arguments: p => pointer to decoded packet struct
1969 * len => length of data to process
1970 * pkt => pointer to the real live packet data
1971 *
1972 * Returns: void function
1973 */
1974 void DecodePppPktEncapsulated(const uint8_t* pkt, const uint32_t len, Packet* p)
1975 {
1976 static int had_vj = 0;
1977 uint16_t protocol;
1978 uint32_t hlen = 1; /* HEADER - try 1 then 2 */
1979
1980 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "PPP Packet!\n"););
1981
1982 #ifdef WORDS_MUSTALIGN
1983 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet with PPP header. "
1984 "PPP is only 1 or 2 bytes and will throw off "
1985 "alignment on this architecture when decoding IP, "
1986 "causing a bus error - stop decoding packet.\n"););
1987
1988 p->data = pkt;
1989 p->dsize = (uint16_t)len;
1990 return;
1991 #endif /* WORDS_MUSTALIGN */
1992
1993 #ifdef GRE
1994 if (p->greh != NULL)
1995 pc.gre_ppp++;
1996 #endif /* GRE */
1997
1998 /* do a little validation:
1999 *
2000 */
2001 if(len < 2)
2002 {
2003 if (ScLogVerbose())
2004 {
2005 ErrorMessage("Length not big enough for even a single "
2006 "header or a one byte payload\n");
2007 }
2008 return;
2009 }
2010
2011
2012 if(pkt[0] & 0x01)
2013 {
2014 /* Check for protocol compression rfc1661 section 5
2015 *
2016 */
2017 hlen = 1;
2018 protocol = pkt[0];
2019 }
2020 else
2021 {
2022 protocol = ntohs(*((uint16_t *)pkt));
2023 hlen = 2;
2024 }
2025
2026 /*
2027 * We only handle uncompressed packets. Handling VJ compression would mean
2028 * to implement a PPP state machine.
2029 */
2030 switch (protocol)
2031 {
2032 case PPP_VJ_COMP:
2033 if (!had_vj)
2034 ErrorMessage("PPP link seems to use VJ compression, "
2035 "cannot handle compressed packets!\n");
2036 had_vj = 1;
2037 break;
2038 case PPP_VJ_UCOMP:
2039 /* VJ compression modifies the protocol field. It must be set
2040 * to tcp (only TCP packets can be VJ compressed) */
2041 if(len < (hlen + IP_HEADER_LEN))
2042 {
2043 if (ScLogVerbose())
2044 ErrorMessage("PPP VJ min packet length > captured len! "
2045 "(%d bytes)\n", len);
2046 return;
2047 }
2048
2049 ((IPHdr *)(pkt + hlen))->ip_proto = IPPROTO_TCP;
2050 /* fall through */
2051
2052 case PPP_IP:
2053 PushLayer(PROTO_PPP_ENCAP, p, pkt, hlen);
2054 DecodeIP(pkt + hlen, len - hlen, p);
2055 break;
2056
2057 case PPP_IPV6:
2058 PushLayer(PROTO_PPP_ENCAP, p, pkt, hlen);
2059 DecodeIPV6(pkt + hlen, len - hlen, p);
2060 break;
2061
2062 #ifndef NO_NON_ETHER_DECODER
2063 case PPP_IPX:
2064 PushLayer(PROTO_PPP_ENCAP, p, pkt, hlen);
2065 DecodeIPX(pkt + hlen, len - hlen, p);
2066 break;
2067 #endif
2068 }
2069 }
2070
2071 //--------------------------------------------------------------------
2072 // decode.c::Raw packets
2073 //--------------------------------------------------------------------
2074
2075 /*
2076 * Function: DecodeRawPkt(Packet *, char *, DAQ_PktHdr_t*, uint8_t*)
2077 *
2078 * Purpose: Decodes packets coming in raw on layer 2, like PPP. Coded and
2079 * in by Jed Pickle (thanks Jed!) and modified for a few little tweaks
2080 * by me.
2081 *
2082 * Arguments: p => pointer to decoded packet struct
2083 * pkthdr => ptr to the packet header
2084 * pkt => pointer to the real live packet data
2085 *
2086 * Returns: void function
2087 */
2088 void DecodeRawPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt)
2089 {
2090 PROFILE_VARS;
2091
2092 PREPROC_PROFILE_START(decodePerfStats);
2093
2094 pc.total_processed++;
2095
2096 memset(p, 0, PKT_ZERO_LEN);
2097
2098 p->pkth = pkthdr;
2099 p->pkt = pkt;
2100
2101 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Raw IP4 Packet!\n"););
2102
2103 DecodeIP(pkt, p->pkth->caplen, p);
2104
2105 PREPROC_PROFILE_END(decodePerfStats);
2106 return;
2107 }
2108
2109 // raw packets are predetermined to be ip4 (above) or ip6 (below) by the DLT
2110
2111 void DecodeRawPkt6(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt)
2112 {
2113 PROFILE_VARS;
2114 PREPROC_PROFILE_START(decodePerfStats);
2115
2116 pc.total_processed++;
2117 memset(p, 0, PKT_ZERO_LEN);
2118
2119 p->pkth = pkthdr;
2120 p->pkt = pkt;
2121
2122 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Raw IP6 Packet!\n"););
2123
2124 DecodeIPV6(pkt, p->pkth->caplen, p);
2125
2126 PREPROC_PROFILE_END(decodePerfStats);
2127 return;
2128 }
2129
2130 //--------------------------------------------------------------------
2131 // decode.c::IP4 misc
2132 //--------------------------------------------------------------------
2133
2134 /*
2135 * Some IP Header tests
2136 * Land Attack(same src/dst ip)
2137 * Loopback (src or dst in 127/8 block)
2138 * Modified: 2/22/05-man for High Endian Architecture.
2139 */
2140 #define IP4_THIS_NET 0x00 // msb
2141 #define IP4_MULTICAST 0x0E // ms nibble
2142 #define IP4_RESERVED 0x0F // ms nibble
2143 #define IP4_LOOPBACK 0x7F // msb
2144 #define IP4_BROADCAST 0xffffffff
2145
2146 void IP4AddrTests (Packet* p)
2147 {
2148 uint8_t msb_src, msb_dst;
2149
2150 #if !defined(SFLINUX) && defined(DAQ_CAPA_VRF)
2151 uint16_t sAsId;
2152 uint16_t dAsId;
2153
2154 sAsId = DAQ_GetSourceAddressSpaceID(p->pkth);
2155 dAsId = DAQ_GetDestinationAddressSpaceID(p->pkth);
2156
2157 // check all 32 bits ...
2158 if((p->iph->ip_src.s_addr == p->iph->ip_dst.s_addr)
2159 && (sAsId == dAsId))
2160 {
2161 DecoderEvent(p, DECODE_BAD_TRAFFIC_SAME_SRCDST,
2162 DECODE_BAD_TRAFFIC_SAME_SRCDST_STR, 1, 1);
2163 if( pkt_trace_enabled )
2164 {
2165 addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
2166 "Packet is blocked since same source and destination"));
2167 }
2168 }
2169 #else
2170 if(p->iph->ip_src.s_addr == p->iph->ip_dst.s_addr)
2171 {
2172 DecoderEvent(p, DECODE_BAD_TRAFFIC_SAME_SRCDST,
2173 DECODE_BAD_TRAFFIC_SAME_SRCDST_STR, 1, 1);
2174 }
2175 #endif
2176
2177 // check all 32 bits ...
2178 if ( Event_Enabled(DECODE_IP4_SRC_BROADCAST ) )
2179 if ( p->iph->ip_src.s_addr == IP4_BROADCAST )
2180 DecoderEvent(p, EVARGS(IP4_SRC_BROADCAST), 1, 1);
2181
2182 if ( Event_Enabled(DECODE_IP4_DST_BROADCAST ) )
2183 if ( p->iph->ip_dst.s_addr == IP4_BROADCAST )
2184 DecoderEvent(p, EVARGS(IP4_DST_BROADCAST), 1, 1);
2185
2186 /* Loopback traffic - don't use htonl for speed reasons -
2187 * s_addr is always in network order */
2188 #ifdef WORDS_BIGENDIAN
2189 msb_src = (p->iph->ip_src.s_addr >> 24);
2190 msb_dst = (p->iph->ip_dst.s_addr >> 24);
2191 #else
2192 msb_src = (uint8_t)(p->iph->ip_src.s_addr & 0xff);
2193 msb_dst = (uint8_t)(p->iph->ip_dst.s_addr & 0xff);
2194 #endif
2195 // check the msb ...
2196 if ( msb_src == IP4_LOOPBACK || msb_dst == IP4_LOOPBACK )
2197 {
2198 DecoderEvent(p, DECODE_BAD_TRAFFIC_LOOPBACK,
2199 DECODE_BAD_TRAFFIC_LOOPBACK_STR, 1, 1);
2200 }
2201 // check the msb ...
2202 if ( Event_Enabled(DECODE_IP4_SRC_THIS_NET ) )
2203 if ( msb_src == IP4_THIS_NET )
2204 DecoderEvent(p, EVARGS(IP4_SRC_THIS_NET), 1, 1);
2205
2206 if ( Event_Enabled(DECODE_IP4_DST_THIS_NET ) )
2207 if ( msb_dst == IP4_THIS_NET )
2208 DecoderEvent(p, EVARGS(IP4_DST_THIS_NET), 1, 1);
2209
2210 // check the 'msn' (most significant nibble) ...
2211 msb_src >>= 4;
2212 msb_dst >>= 4;
2213
2214 if ( Event_Enabled(DECODE_IP4_SRC_MULTICAST) )
2215 if ( msb_src == IP4_MULTICAST )
2216 DecoderEvent(p, EVARGS(IP4_SRC_MULTICAST), 1, 1);
2217
2218 if ( Event_Enabled(DECODE_IP4_SRC_RESERVED) )
2219 {
2220 if ( msb_src == IP4_RESERVED ||
2221 IpAddrSetContains(MulticastReservedIp, GET_SRC_ADDR(p)) )
2222 {
2223 DecoderEvent(p, EVARGS(IP4_SRC_RESERVED), 1, 1);
2224 }
2225 }
2226
2227 if ( Event_Enabled(DECODE_IP4_DST_RESERVED) )
2228 {
2229 if ( msb_dst == IP4_RESERVED ||
2230 IpAddrSetContains(MulticastReservedIp, GET_DST_ADDR(p)) )
2231 {
2232 DecoderEvent(p, EVARGS(IP4_DST_RESERVED), 1, 1);
2233 }
2234 }
2235 }
2236
2237 static inline void ICMP4AddrTests (Packet* p)
2238 {
2239 uint8_t msb_dst;
2240
2241 uint32_t dst = sfaddr_get_ip4_value(GET_DST_IP(p));
2242
2243 // check all 32 bits; all set so byte order is irrelevant ...
2244 if ( Event_Enabled(DECODE_ICMP4_DST_BROADCAST ) )
2245 if ( dst == IP4_BROADCAST )
2246 DecoderEvent(p, EVARGS(ICMP4_DST_BROADCAST), 1, 1);
2247
2248 /* - don't use htonl for speed reasons -
2249 * s_addr is always in network order */
2250 #ifdef WORDS_BIGENDIAN
2251 msb_dst = (uint8_t)(dst >> 24);
2252 #else
2253 msb_dst = (uint8_t)(dst & 0xff);
2254 #endif
2255
2256 // check the 'msn' (most significant nibble) ...
2257 msb_dst >>= 4;
2258
2259 if ( Event_Enabled(DECODE_ICMP4_DST_MULTICAST) )
2260 if ( msb_dst == IP4_MULTICAST )
2261 DecoderEvent(p, EVARGS(ICMP4_DST_MULTICAST), 1, 1);
2262 }
2263
2264 static inline void ICMP4MiscTests (Packet *p)
2265 {
2266 if ( Event_Enabled(DECODE_ICMP_PING_NMAP) )
2267 {
2268 if ((p->dsize == 0) &&
2269 (p->icmph->type == ICMP_ECHO))
2270 DecoderEvent(p, EVARGS(ICMP_PING_NMAP), 1, 1);
2271 }
2272
2273 if ( Event_Enabled(DECODE_ICMP_ICMPENUM) )
2274 {
2275 if ((p->dsize == 0) &&
2276 (p->icmph->s_icmp_seq == 666))
2277 DecoderEvent(p, EVARGS(ICMP_ICMPENUM), 1, 1);
2278 }
2279
2280 if ( Event_Enabled(DECODE_ICMP_REDIRECT_HOST) )
2281 {
2282 if ((p->icmph->code == 1) &&
2283 (p->icmph->type == ICMP_REDIRECT))
2284 DecoderEvent(p, EVARGS(ICMP_REDIRECT_HOST), 1, 1);
2285 }
2286
2287 if ( Event_Enabled(DECODE_ICMP_REDIRECT_NET) )
2288 {
2289 if ((p->icmph->type == ICMP_REDIRECT) &&
2290 (p->icmph->code == 0))
2291 DecoderEvent(p, EVARGS(ICMP_REDIRECT_NET), 1, 1);
2292 }
2293
2294 if ( Event_Enabled(DECODE_ICMP_TRACEROUTE_IPOPTS) )
2295 {
2296 if (p->icmph->type == ICMP_ECHOREPLY)
2297 {
2298 int i;
2299 for (i = 0; i < p->ip_option_count; i++)
2300 {
2301 if (p->ip_options[i].code == IPOPT_RR)
2302 DecoderEvent(p, EVARGS(ICMP_TRACEROUTE_IPOPTS), 1, 1);
2303 }
2304 }
2305 }
2306
2307 if ( Event_Enabled(DECODE_ICMP_SOURCE_QUENCH) )
2308 {
2309 if ((p->icmph->type == ICMP_SOURCE_QUENCH) &&
2310 (p->icmph->code == 0))
2311 DecoderEvent(p, DECODE_ICMP_SOURCE_QUENCH,
2312 DECODE_ICMP_SOURCE_QUENCH_STR, 1, 1);
2313 }
2314
2315 if ( Event_Enabled(DECODE_ICMP_BROADSCAN_SMURF_SCANNER) )
2316 {
2317 if ((p->dsize == 4) &&
2318 (p->icmph->type == ICMP_ECHO) &&
2319 (p->icmph->s_icmp_seq == 0) &&
2320 (p->icmph->code == 0))
2321 DecoderEvent(p, EVARGS(ICMP_BROADSCAN_SMURF_SCANNER), 1, 1);
2322 }
2323
2324 if ( Event_Enabled(DECODE_ICMP_DST_UNREACH_ADMIN_PROHIBITED) )
2325 {
2326 if ((p->icmph->type == ICMP_DEST_UNREACH) &&
2327 (p->icmph->code == 13))
2328 DecoderEvent(p, EVARGS(ICMP_DST_UNREACH_ADMIN_PROHIBITED), 1, 1);
2329 }
2330
2331 if ( Event_Enabled(DECODE_ICMP_DST_UNREACH_DST_HOST_PROHIBITED) )
2332 {
2333 if ((p->icmph->type == ICMP_DEST_UNREACH) &&
2334 (p->icmph->code == 10))
2335 DecoderEvent(p, EVARGS(ICMP_DST_UNREACH_DST_HOST_PROHIBITED), 1, 1);
2336 }
2337
2338 if ( Event_Enabled(DECODE_ICMP_DST_UNREACH_DST_NET_PROHIBITED) )
2339 {
2340 if ((p->icmph->type == ICMP_DEST_UNREACH) &&
2341 (p->icmph->code == 9))
2342 DecoderEvent(p, EVARGS(ICMP_DST_UNREACH_DST_NET_PROHIBITED), 1, 1);
2343 }
2344
2345 }
2346
2347 /* IPv4-layer decoder rules */
2348 static inline void IPMiscTests(Packet *p)
2349 {
2350 if ( Event_Enabled(DECODE_ICMP_DOS_ATTEMPT) )
2351 {
2352 /* Yes, it's an ICMP-related vuln in IP options. */
2353 uint8_t i, length, pointer;
2354
2355 /* Alert on IP packets with either 0x07 (Record Route) or 0x44 (Timestamp)
2356 options that are specially crafted. */
2357 for (i = 0; i < p->ip_option_count; i++)
2358 {
2359 if (p->ip_options[i].data == NULL)
2360 continue;
2361
2362 if (p->ip_options[i].code == IPOPT_RR)
2363 {
2364 length = p->ip_options[i].len;
2365 if (length < 1)
2366 continue;
2367
2368 pointer = p->ip_options[i].data[0];
2369
2370 /* If the pointer goes past the end of the data, then the data
2371 is full. That's okay. */
2372 if (pointer >= length + 2)
2373 continue;
2374 /* If the remaining space in the option isn't a multiple of 4
2375 bytes, alert. */
2376 if (((length + 3) - pointer) % 4)
2377 DecoderEvent(p, EVARGS(ICMP_DOS_ATTEMPT), 1, 1);
2378 }
2379 else if (p->ip_options[i].code == IPOPT_TS)
2380 {
2381 length = p->ip_options[i].len;
2382 if (length < 2)
2383 continue;
2384
2385 pointer = p->ip_options[i].data[0];
2386
2387 /* If the pointer goes past the end of the data, then the data
2388 is full. That's okay. */
2389 if (pointer >= length + 2)
2390 continue;
2391 /* If the remaining space in the option isn't a multiple of 4
2392 bytes, alert. */
2393 if (((length + 3) - pointer) % 4)
2394 DecoderEvent(p, EVARGS(ICMP_DOS_ATTEMPT), 1, 1);
2395 /* If there is a timestamp + address, we need a multiple of 8
2396 bytes instead. */
2397 if ((p->ip_options[i].data[1] & 0x01) && /* address flag */
2398 (((length + 3) - pointer) % 8))
2399 DecoderEvent(p, EVARGS(ICMP_DOS_ATTEMPT), 1, 1);
2400 }
2401 }
2402 }
2403 if ( Event_Enabled(DECODE_IP_OPTION_SET) )
2404 {
2405 if (p->ip_option_count > 0)
2406 DecoderEvent(p, EVARGS(IP_OPTION_SET), 1, 1);
2407 }
2408
2409 if ( Event_Enabled(DECODE_IP_RESERVED_FRAG_BIT) )
2410 {
2411 if (p->rf)
2412 DecoderEvent(p, EVARGS(IP_RESERVED_FRAG_BIT), 1, 1);
2413 }
2414 }
2415
2416 //--------------------------------------------------------------------
2417 // decode.c::IP4 vulnerabilities
2418 //--------------------------------------------------------------------
2419
2420 /* This PGM NAK function started off as an SO rule, sid 8351. */
2421 static inline int pgm_nak_detect (const uint8_t *data, uint16_t length) {
2422 uint16_t data_left;
2423 uint16_t checksum;
2424 const PGM_HEADER *header;
2425
2426 if (NULL == data) {
2427 return PGM_NAK_ERR;
2428 }
2429
2430 /* request must be bigger than 44 bytes to cause vuln */
2431 if (length <= sizeof(PGM_HEADER) || (length % 4) != 0) {
2432 return PGM_NAK_ERR;
2433 }
2434
2435 header = (PGM_HEADER *) data;
2436
2437 if (8 != header->type) {
2438 return PGM_NAK_ERR;
2439 }
2440
2441 if (2 != header->nak.opt.type) {
2442 return PGM_NAK_ERR;
2443 }
2444
2445
2446 /*
2447 * alert if the amount of data after the options is more than the length
2448 * specified.
2449 */
2450
2451
2452 data_left = length - 36;
2453 if (data_left > header->nak.opt.len) {
2454
2455 /* checksum is expensive... do that only if the length is bad */
2456 if (header->checksum != 0) {
2457 checksum = in_chksum_ip((const unsigned short*)data, (int)length);
2458 if (checksum != 0)
2459 return PGM_NAK_ERR;
2460 }
2461
2462 return PGM_NAK_VULN;
2463 }
2464
2465 return PGM_NAK_OK;
2466 }
2467
2468 static inline void CheckPGMVuln(Packet *p)
2469 {
2470 if ( pgm_nak_detect(p->data, p->dsize) == PGM_NAK_VULN )
2471 DecoderEvent(p, EVARGS(PGM_NAK_OVERFLOW), 1, 1);
2472 }
2473
2474 /* This function is a port of an old .so rule, sid 3:8092. */
2475 static inline void CheckIGMPVuln(Packet *p)
2476 {
2477 int i, alert = 0;
2478
2479 if (p->dsize >= 1 && p->data[0] == 0x11)
2480 {
2481 if (p->ip_options_data != NULL) {
2482 if (p->ip_options_len >= 2) {
2483 if (*(p->ip_options_data) == 0 && *(p->ip_options_data+1) == 0)
2484 {
2485 DecoderEvent(p, EVARGS(IGMP_OPTIONS_DOS), 1, 1);
2486 return;
2487 }
2488 }
2489 }
2490
2491 for(i=0; i< (int) p->ip_option_count; i++) {
2492 /* All IGMPv2 packets contain IP option code 148 (router alert).
2493 This vulnerability only applies to IGMPv3, so return early. */
2494 if (p->ip_options[i].code == 148) {
2495 return; /* No alert. */
2496 }
2497
2498 if (p->ip_options[i].len == 1) {
2499 alert++;
2500 }
2501 }
2502
2503 if (alert > 0)
2504 DecoderEvent(p, EVARGS(IGMP_OPTIONS_DOS), 1, 1);
2505 }
2506 }
2507
2508 //--------------------------------------------------------------------
2509 // decode.c::IP4 decoder
2510 //--------------------------------------------------------------------
2511
2512 /* Function: DecodeIPv4Proto
2513 *
2514 * Gernalized IPv4 next protocol decoder dispatching.
2515 *
2516 * Arguments: proto => IPPROTO value of the next protocol
2517 * pkt => ptr to the packet data
2518 * len => length from here to the end of the packet
2519 * p => pointer to the packet decode struct
2520 *
2521 */
2522 static inline void DecodeIPv4Proto(const uint8_t proto,
2523 const uint8_t *pkt, const uint32_t len, Packet *p)
2524 {
2525 switch(proto)
2526 {
2527 case IPPROTO_TCP:
2528 pc.tcp++;
2529 DecodeTCP(pkt, len, p);
2530 return;
2531
2532 case IPPROTO_UDP:
2533 pc.udp++;
2534 DecodeUDP(pkt, len, p);
2535 return;
2536
2537 case IPPROTO_ICMP:
2538 pc.icmp++;
2539 DecodeICMP(pkt, len, p);
2540 return;
2541
2542 #ifdef MPLS_RFC4023_SUPPORT
2543 case IPPROTO_MPLS: /*MPLS IN IP (protocol number 137 */
2544 DecodeMPLS(pkt, len, p);
2545 return;
2546 #endif
2547
2548 #ifdef GRE
2549 case IPPROTO_IPV6:
2550 if (len < 40)
2551 {
2552 /* Insufficient size for IPv6 Header. */
2553 /* This could be an attempt to exploit Linux kernel
2554 * vulnerability, so log an alert */
2555 DecoderEvent(p, DECODE_IPV6_TUNNELED_IPV4_TRUNCATED,
2556 DECODE_IPV6_TUNNELED_IPV4_TRUNCATED_STR,
2557 1, 1);
2558 }
2559 pc.ip4ip6++;
2560 if ( ScTunnelBypassEnabled(TUNNEL_6IN4) )
2561 Active_SetTunnelBypass();
2562 DecodeIPV6(pkt, len, p);
2563 return;
2564
2565 case IPPROTO_GRE:
2566 pc.gre++;
2567 DecodeGRE(pkt, len, p);
2568 return;
2569
2570 case IPPROTO_IPIP:
2571 pc.ip4ip4++;
2572 if ( ScTunnelBypassEnabled(TUNNEL_4IN4) )
2573 Active_SetTunnelBypass();
2574 DecodeIP(pkt, len, p);
2575 return;
2576 #endif
2577
2578 case IPPROTO_ESP:
2579 if (ScESPDecoding())
2580 DecodeESP(pkt, len, p);
2581 return;
2582
2583 case IPPROTO_AH:
2584 DecodeAH(pkt, len, p);
2585 return;
2586
2587 case IPPROTO_SWIPE:
2588 case IPPROTO_IP_MOBILITY:
2589 case IPPROTO_SUN_ND:
2590 case IPPROTO_PIM:
2591 if ( Event_Enabled(DECODE_IP_BAD_PROTO) )
2592 DecoderEvent(p, EVARGS(IP_BAD_PROTO), 1, 1);
2593 pc.other++;
2594 p->data = pkt;
2595 p->dsize = (uint16_t)len;
2596 return;
2597
2598 case IPPROTO_PGM:
2599 pc.other++;
2600 p->data = pkt;
2601 p->dsize = (uint16_t)len;
2602
2603 if ( Event_Enabled(DECODE_PGM_NAK_OVERFLOW) )
2604 CheckPGMVuln(p);
2605 return;
2606
2607 case IPPROTO_IGMP:
2608 pc.other++;
2609 p->data = pkt;
2610 p->dsize = (uint16_t)len;
2611
2612 if ( Event_Enabled(DECODE_IGMP_OPTIONS_DOS) )
2613 CheckIGMPVuln(p);
2614 return;
2615
2616 default:
2617 if ( Event_Enabled(DECODE_IP_UNASSIGNED_PROTO) )
2618 {
2619 if (GET_IPH_PROTO(p) >= MIN_UNASSIGNED_IP_PROTO)
2620 DecoderEvent(p, EVARGS(IP_UNASSIGNED_PROTO), 1, 1);
2621 }
2622 pc.other++;
2623 p->data = pkt;
2624 p->dsize = (uint16_t)len;
2625 return;
2626 }
2627 }
2628
2629 /*
2630 * Function: DecodeIP(uint8_t *, const uint32_t, Packet *)
2631 *
2632 * Purpose: Decode the IP network layer
2633 *
2634 * Arguments: pkt => ptr to the packet data
2635 * len => length from here to the end of the packet
2636 * p => pointer to the packet decode struct
2637 *
2638 * Returns: void function
2639 */
2640 void DecodeIP(const uint8_t * pkt, const uint32_t len, Packet * p)
2641 {
2642 uint32_t ip_len; /* length from the start of the ip hdr to the pkt end */
2643 uint32_t hlen; /* ip header length */
2644
2645 pc.ip++;
2646
2647 #ifdef GRE
2648 if (p->greh != NULL)
2649 pc.gre_ip++;
2650 #endif
2651
2652 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"););
2653
2654 /* do a little validation */
2655 if(len < IP_HEADER_LEN)
2656 {
2657 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
2658 "WARNING: Truncated IP4 header (%d bytes).\n", len););
2659
2660 if ( Event_Enabled(DECODE_IP4_HDR_TRUNC) && ((p->packet_flags & PKT_UNSURE_ENCAP) == 0))
2661 DecoderEvent(p, EVARGS(IP4_HDR_TRUNC), 1, 1);
2662
2663 p->iph = NULL;
2664 p->family = NO_IP;
2665
2666 pc.discards++;
2667 pc.ipdisc++;
2668 return;
2669 }
2670
2671 if (p->family != NO_IP)
2672 {
2673 if (p->encapsulated)
2674 {
2675 DecoderAlertEncapsulated(p, DECODE_IP_MULTIPLE_ENCAPSULATION,
2676 DECODE_IP_MULTIPLE_ENCAPSULATION_STR, pkt, len);
2677
2678 return;
2679 }
2680 else
2681 {
2682 p->encapsulated = 1;
2683 p->outer_iph = p->iph;
2684 p->outer_ip_data = p->ip_data;
2685 p->outer_ip_dsize = p->ip_dsize;
2686 }
2687 }
2688
2689 /* lay the IP struct over the raw data */
2690 p->inner_iph = p->iph = (IPHdr *)pkt;
2691
2692 /*
2693 * with datalink DLT_RAW it's impossible to differ ARP datagrams from IP.
2694 * So we are just ignoring non IP datagrams
2695 */
2696 if(IP_VER((IPHdr*)pkt) != 4)
2697 {
2698 if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0)
2699 DecoderEvent(p, DECODE_NOT_IPV4_DGRAM,
2700 DECODE_NOT_IPV4_DGRAM_STR, 1, 1);
2701
2702 p->iph = NULL;
2703 p->family = NO_IP;
2704
2705 pc.discards++;
2706 pc.ipdisc++;
2707 return;
2708 }
2709
2710 sfiph_build(p, p->iph, AF_INET);
2711
2712 /* get the IP datagram length */
2713 ip_len = ntohs(p->iph->ip_len);
2714
2715 /* get the IP header length */
2716 hlen = IP_HLEN(p->iph) << 2;
2717
2718 /* header length sanity check */
2719 if(hlen < IP_HEADER_LEN)
2720 {
2721 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
2722 "Bogus IP header length of %i bytes\n", hlen););
2723
2724 DecoderEvent(p, DECODE_IPV4_INVALID_HEADER_LEN,
2725 DECODE_IPV4_INVALID_HEADER_LEN_STR, 1, 1);
2726
2727 p->iph = NULL;
2728 p->family = NO_IP;
2729
2730 pc.discards++;
2731 pc.ipdisc++;
2732 return;
2733 }
2734
2735 if (ip_len > len)
2736 {
2737 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
2738 "IP Len field is %d bytes bigger than captured length.\n"
2739 " (ip.len: %lu, cap.len: %lu)\n",
2740 ip_len - len, ip_len, len););
2741
2742 DecoderEventDrop(p, DECODE_IPV4_DGRAM_GT_CAPLEN,
2743 DECODE_IPV4_DGRAM_GT_CAPLEN_STR,
2744 ScDecoderOversizedAlerts(),
2745 ScDecoderOversizedDrops());
2746
2747 p->iph = NULL;
2748 p->family = NO_IP;
2749
2750 pc.discards++;
2751 pc.ipdisc++;
2752 return;
2753 }
2754 #if 0
2755 // There is no need to alert when (ip_len < len).
2756 // Libpcap will capture more bytes than are part of the IP payload.
2757 // These could be Ethernet trailers, ESP trailers, etc.
2758 // This code is left in, commented, to keep us from re-writing it later.
2759 else if (ip_len < len)
2760 {
2761 if (ScLogVerbose())
2762 ErrorMessage("IP Len field is %d bytes "
2763 "smaller than captured length.\n"
2764 " (ip.len: %lu, cap.len: %lu)\n",
2765 len - ip_len, ip_len, len);
2766 }
2767 #endif
2768
2769 if(ip_len < hlen)
2770 {
2771 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
2772 "IP dgm len (%d bytes) < IP hdr "
2773 "len (%d bytes), packet discarded\n", ip_len, hlen););
2774
2775 DecoderEvent(p, DECODE_IPV4_DGRAM_LT_IPHDR,
2776 DECODE_IPV4_DGRAM_LT_IPHDR_STR, 1, 1);
2777
2778 p->iph = NULL;
2779 p->family = NO_IP;
2780
2781 pc.discards++;
2782 pc.ipdisc++;
2783 return;
2784 }
2785
2786 /*
2787 * IP Header tests: Land attack, and Loop back test
2788 */
2789 if(ScIdsMode())
2790 {
2791 IP4AddrTests(p);
2792 }
2793
2794
2795 #ifdef HAVE_DAQ_DECRYPTED_SSL
2796 if (!(p->pkth->flags & DAQ_PKT_FLAG_DECRYPTED_SSL) && ScIpChecksums())
2797 #else
2798 if (ScIpChecksums())
2799 #endif
2800 {
2801 /* routers drop packets with bad IP checksums, we don't really
2802 * need to check them (should make this a command line/config
2803 * option
2804 */
2805 int16_t csum = in_chksum_ip((const unsigned short *)p->iph, hlen);
2806
2807 if(csum)
2808 {
2809 p->error_flags |= PKT_ERR_CKSUM_IP;
2810 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad IP checksum\n"););
2811 #ifdef REG_TEST
2812 if (getRegTestFlags() & REG_TEST_FLAG_STREAM_DECODE)
2813 printf("Bad IP checksum | ");
2814 #endif
2815
2816 if ( ScIdsMode() )
2817 queueExecDrop(execIpChksmDrop, p);
2818 }
2819 #ifdef DEBUG_MSGS
2820 else
2821 {
2822 DebugMessage(DEBUG_DECODE, "IP Checksum: OK\n");
2823 }
2824 #endif /* DEBUG */
2825 }
2826
2827 PushLayer(PROTO_IP4, p, pkt, hlen);
2828
2829 /* test for IP options */
2830 p->ip_options_len = (uint16_t)(hlen - IP_HEADER_LEN);
2831
2832 if(p->ip_options_len > 0)
2833 {
2834 p->ip_options_data = pkt + IP_HEADER_LEN;
2835 DecodeIPOptions((pkt + IP_HEADER_LEN), p->ip_options_len, p);
2836 }
2837 else
2838 {
2839 #ifdef GRE
2840 /* If delivery header for GRE encapsulated packet is IP and it
2841 * had options, the packet's ip options will be refering to this
2842 * outer IP's options
2843 * Zero these options so they aren't associated with this inner IP
2844 * since p->iph will be pointing to this inner IP
2845 */
2846 if (p->encapsulated)
2847 {
2848 p->ip_options_data = NULL;
2849 p->ip_options_len = 0;
2850 }
2851 #endif
2852 p->ip_option_count = 0;
2853 }
2854
2855 /* set the real IP length for logging */
2856 p->actual_ip_len = (uint16_t) ip_len;
2857
2858 /* set the remaining packet length */
2859 ip_len -= hlen;
2860
2861 /* check for fragmented packets */
2862 p->frag_offset = ntohs(p->iph->ip_off);
2863
2864 /*
2865 * get the values of the reserved, more
2866 * fragments and don't fragment flags
2867 */
2868 p->rf = (uint8_t)((p->frag_offset & 0x8000) >> 15);
2869 p->df = (uint8_t)((p->frag_offset & 0x4000) >> 14);
2870 p->mf = (uint8_t)((p->frag_offset & 0x2000) >> 13);
2871
2872 /* mask off the high bits in the fragment offset field */
2873 p->frag_offset &= 0x1FFF;
2874
2875 if ( Event_Enabled(DECODE_IP4_DF_OFFSET) )
2876 if ( p->df && p->frag_offset )
2877 DecoderEvent(p, EVARGS(IP4_DF_OFFSET), 1, 1);
2878
2879 if ( Event_Enabled(DECODE_IP4_LEN_OFFSET) )
2880 if ( p->frag_offset + p->actual_ip_len > IP_MAXPACKET )
2881 DecoderEvent(p, EVARGS(IP4_LEN_OFFSET), 1, 1);
2882
2883 if(p->frag_offset || p->mf)
2884 {
2885 if ( !ip_len && Event_Enabled(DECODE_ZERO_LENGTH_FRAG) )
2886 {
2887 DecoderEvent(p, DECODE_ZERO_LENGTH_FRAG,
2888 DECODE_ZERO_LENGTH_FRAG_STR, 1, 1);
2889 p->frag_flag = 0;
2890 }
2891 else
2892 {
2893 /* set the packet fragment flag */
2894 p->frag_flag = 1;
2895 p->ip_frag_start = pkt + hlen;
2896 p->ip_frag_len = (uint16_t)ip_len;
2897 pc.frags++;
2898 }
2899 }
2900 else
2901 {
2902 p->frag_flag = 0;
2903 }
2904
2905 if(Event_Enabled(DECODE_BAD_FRAGBITS))
2906 {
2907
2908 if( p->mf && p->df )
2909 {
2910 DecoderEvent(p, DECODE_BAD_FRAGBITS,
2911 DECODE_BAD_FRAGBITS_STR, 1, 1);
2912 }
2913 }
2914
2915 /* Set some convienience pointers */
2916 p->ip_data = pkt + hlen;
2917 p->ip_dsize = (u_short) ip_len;
2918
2919 if (ScIdsMode())
2920 {
2921 /* See if there are any ip_proto only rules that match */
2922 fpEvalIpProtoOnlyRules(snort_conf->ip_proto_only_lists, p);
2923 p->proto_bits |= PROTO_BIT__IP;
2924 }
2925
2926 IPMiscTests(p);
2927
2928 /* if this packet isn't a fragment
2929 * or if it is, its a UDP packet and offset is 0 */
2930 if(!(p->frag_flag) ||
2931 (p->frag_flag && (p->frag_offset == 0) &&
2932 (p->iph->ip_proto == IPPROTO_UDP)))
2933 {
2934 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IP header length: %lu\n",
2935 (unsigned long)hlen););
2936
2937 DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
2938 }
2939 else
2940 {
2941 /* set the payload pointer and payload size */
2942 p->data = pkt + hlen;
2943 p->dsize = (u_short) ip_len;
2944 }
2945 }
2946
2947 //--------------------------------------------------------------------
2948 // decode.c::ICMP
2949 //--------------------------------------------------------------------
2950
2951 /*
2952 * Function: DecodeICMP(uint8_t *, const uint32_t, Packet *)
2953 *
2954 * Purpose: Decode the ICMP transport layer
2955 *
2956 * Arguments: pkt => ptr to the packet data
2957 * len => length from here to the end of the packet
2958 * p => pointer to the decoded packet struct
2959 *
2960 * Returns: void function
2961 */
2962 void DecodeICMP(const uint8_t * pkt, const uint32_t len, Packet * p)
2963 {
2964 if(len < ICMP_HEADER_LEN)
2965 {
2966 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
2967 "WARNING: Truncated ICMP4 header (%d bytes).\n", len););
2968
2969 if ( Event_Enabled(DECODE_ICMP4_HDR_TRUNC) )
2970 DecoderEvent(p, EVARGS(ICMP4_HDR_TRUNC), 1, 1);
2971
2972 p->icmph = NULL;
2973 pc.discards++;
2974 pc.icmpdisc++;
2975
2976 return;
2977 }
2978
2979 /* set the header ptr first */
2980 p->icmph = (ICMPHdr *) pkt;
2981
2982 switch (p->icmph->type)
2983 {
2984 // fall through ...
2985 case ICMP_SOURCE_QUENCH:
2986 case ICMP_DEST_UNREACH:
2987 case ICMP_REDIRECT:
2988 case ICMP_TIME_EXCEEDED:
2989 case ICMP_PARAMETERPROB:
2990 case ICMP_ECHOREPLY:
2991 case ICMP_ECHO:
2992 case ICMP_ROUTER_ADVERTISE:
2993 case ICMP_ROUTER_SOLICIT:
2994 case ICMP_INFO_REQUEST:
2995 case ICMP_INFO_REPLY:
2996 if (len < 8)
2997 {
2998 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
2999 "Truncated ICMP header(%d bytes)\n", len););
3000
3001 DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR,
3002 DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1);
3003
3004 p->icmph = NULL;
3005 pc.discards++;
3006 pc.icmpdisc++;
3007
3008 return;
3009 }
3010 break;
3011
3012 case ICMP_TIMESTAMP:
3013 case ICMP_TIMESTAMPREPLY:
3014 if (len < 20)
3015 {
3016 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
3017 "Truncated ICMP header(%d bytes)\n", len););
3018
3019 DecoderEvent(p, DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR,
3020 DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR_STR, 1, 1);
3021
3022 p->icmph = NULL;
3023 pc.discards++;
3024 pc.icmpdisc++;
3025
3026 return;
3027 }
3028 break;
3029
3030 case ICMP_ADDRESS:
3031 case ICMP_ADDRESSREPLY:
3032 if (len < 12)
3033 {
3034 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
3035 "Truncated ICMP header(%d bytes)\n", len););
3036
3037
3038 DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ADDRHDR,
3039 DECODE_ICMP_DGRAM_LT_ADDRHDR_STR, 1, 1);
3040
3041 p->icmph = NULL;
3042 pc.discards++;
3043 pc.icmpdisc++;
3044
3045 return;
3046 }
3047 break;
3048
3049 default:
3050 if ( Event_Enabled(DECODE_ICMP4_TYPE_OTHER) )
3051 DecoderEvent(p, EVARGS(ICMP4_TYPE_OTHER), 1, 1);
3052 break;
3053 }
3054
3055
3056 if (ScIcmpChecksums())
3057 {
3058 uint16_t csum = in_chksum_icmp((uint16_t *)p->icmph, len);
3059
3060 if(csum)
3061 {
3062 p->error_flags |= PKT_ERR_CKSUM_ICMP;
3063 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad ICMP Checksum\n"););
3064
3065 if ( ScIdsMode() )
3066 queueExecDrop(execIcmpChksmDrop, p);
3067 }
3068 else
3069 {
3070 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"ICMP Checksum: OK\n"););
3071 }
3072 }
3073
3074 p->dsize = (u_short)(len - ICMP_HEADER_LEN);
3075 p->data = pkt + ICMP_HEADER_LEN;
3076
3077 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP type: %d code: %d\n",
3078 p->icmph->type, p->icmph->code););
3079
3080 switch(p->icmph->type)
3081 {
3082 case ICMP_ECHO:
3083 ICMP4AddrTests(p);
3084 // fall through ...
3085
3086 case ICMP_ECHOREPLY:
3087 /* setup the pkt id and seq numbers */
3088 p->dsize -= sizeof(struct idseq); /* add the size of the
3089 * echo ext to the data
3090 * ptr and subtract it
3091 * from the data size */
3092 p->data += sizeof(struct idseq);
3093 PushLayer(PROTO_ICMP4, p, pkt, ICMP_NORMAL_LEN);
3094 break;
3095
3096 case ICMP_DEST_UNREACH:
3097 if ((p->icmph->code == ICMP_FRAG_NEEDED)
3098 && (ntohs(p->icmph->s_icmp_nextmtu) < 576))
3099 {
3100 if ( Event_Enabled(DECODE_ICMP_PATH_MTU_DOS) )
3101 DecoderEvent(p, EVARGS(ICMP_PATH_MTU_DOS), 1, 1);
3102 }
3103
3104 /* Fall through */
3105
3106 case ICMP_SOURCE_QUENCH:
3107 case ICMP_REDIRECT:
3108 case ICMP_TIME_EXCEEDED:
3109 case ICMP_PARAMETERPROB:
3110 /* account for extra 4 bytes in header */
3111 p->dsize -= 4;
3112 p->data += 4;
3113
3114 PushLayer(PROTO_ICMP4, p, pkt, ICMP_NORMAL_LEN);
3115 DecodeICMPEmbeddedIP(p->data, p->dsize, p);
3116 break;
3117
3118 default:
3119 PushLayer(PROTO_ICMP4, p, pkt, ICMP_HEADER_LEN);
3120 break;
3121 }
3122
3123 /* Run a bunch of ICMP decoder rules */
3124 ICMP4MiscTests(p);
3125
3126 p->proto_bits |= PROTO_BIT__ICMP;
3127 p->proto_bits &= ~(PROTO_BIT__UDP | PROTO_BIT__TCP);
3128 }
3129
3130 /*
3131 * Function: DecodeICMPEmbeddedIP(uint8_t *, const uint32_t, Packet *)
3132 *
3133 * Purpose: Decode the ICMP embedded IP header + 64 bits payload
3134 *
3135 * Arguments: pkt => ptr to the packet data
3136 * len => length from here to the end of the packet
3137 * p => pointer to dummy packet decode struct
3138 *
3139 * Returns: void function
3140 */
3141 void DecodeICMPEmbeddedIP(const uint8_t *pkt, const uint32_t len, Packet *p)
3142 {
3143 uint32_t ip_len; /* length from the start of the ip hdr to the
3144 * pkt end */
3145 uint32_t hlen; /* ip header length */
3146 uint16_t orig_frag_offset;
3147
3148 /* do a little validation */
3149 if(len < IP_HEADER_LEN)
3150 {
3151 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
3152 "ICMP: IP short header (%d bytes)\n", len););
3153
3154 DecoderEvent(p, DECODE_ICMP_ORIG_IP_TRUNCATED,
3155 DECODE_ICMP_ORIG_IP_TRUNCATED_STR, 1, 1);
3156
3157 p->orig_family = NO_IP;
3158 p->orig_iph = NULL;
3159 return;
3160 }
3161
3162 /* lay the IP struct over the raw data */
3163 sfiph_orig_build(p, pkt, AF_INET);
3164 p->orig_iph = (IPHdr *) pkt;
3165
3166 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "DecodeICMPEmbeddedIP: ip header"
3167 " starts at: %p, length is %lu\n", p->orig_iph,
3168 (unsigned long) len););
3169 /*
3170 * with datalink DLT_RAW it's impossible to differ ARP datagrams from IP.
3171 * So we are just ignoring non IP datagrams
3172 */
3173 if((GET_ORIG_IPH_VER(p) != 4) && !IS_IP6(p))
3174 {
3175 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
3176 "ICMP: not IPv4 datagram ([ver: 0x%x][len: 0x%x])\n",
3177 GET_ORIG_IPH_VER(p), GET_ORIG_IPH_LEN(p)););
3178
3179 DecoderEvent(p, DECODE_ICMP_ORIG_IP_VER_MISMATCH,
3180 DECODE_ICMP_ORIG_IP_VER_MISMATCH_STR, 1, 1);
3181
3182 p->orig_family = NO_IP;
3183 p->orig_iph = NULL;
3184 return;
3185 }
3186
3187 /* set the IP datagram length */
3188 ip_len = ntohs(GET_ORIG_IPH_LEN(p));
3189
3190 /* set the IP header length */
3191 hlen = (p->orig_ip4h->ip_verhl & 0x0f) << 2;
3192
3193 if(len < hlen)
3194 {
3195 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
3196 "ICMP: IP len (%d bytes) < IP hdr len (%d bytes), packet discarded\n",
3197 ip_len, hlen););
3198
3199 DecoderEvent(p, DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP,
3200 DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP_STR, 1, 1);
3201
3202 p->orig_family = NO_IP;
3203 p->orig_iph = NULL;
3204 return;
3205 }
3206
3207 /* set the remaining packet length */
3208 ip_len = len - hlen;
3209
3210 orig_frag_offset = ntohs(GET_ORIG_IPH_OFF(p));
3211 orig_frag_offset &= 0x1FFF;
3212
3213 if (orig_frag_offset == 0)
3214 {
3215 /* Original IP payload should be 64 bits */
3216 if (ip_len < 8)
3217 {
3218 DecoderEvent(p, DECODE_ICMP_ORIG_PAYLOAD_LT_64,
3219 DECODE_ICMP_ORIG_PAYLOAD_LT_64_STR, 1, 1);
3220
3221 return;
3222 }
3223 /* ICMP error packets could contain as much of original payload
3224 * as possible, but not exceed 576 bytes
3225 */
3226 else if (ntohs(GET_IPH_LEN(p)) > 576)
3227 {
3228 DecoderEvent(p, DECODE_ICMP_ORIG_PAYLOAD_GT_576,
3229 DECODE_ICMP_ORIG_PAYLOAD_GT_576_STR, 1, 1);
3230 }
3231 }
3232 else
3233 {
3234 /* RFC states that only first frag will get an ICMP response */
3235 DecoderEvent(p, DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET,
3236 DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET_STR, 1, 1);
3237 return;
3238 }
3239
3240 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP Unreachable IP header length: "
3241 "%lu\n", (unsigned long)hlen););
3242
3243 switch(GET_ORIG_IPH_PROTO(p))
3244 {
3245 case IPPROTO_TCP: /* decode the interesting part of the header */
3246 p->orig_tcph = (TCPHdr *)(pkt + hlen);
3247
3248 /* stuff more data into the printout data struct */
3249 p->orig_sp = ntohs(p->orig_tcph->th_sport);
3250 p->orig_dp = ntohs(p->orig_tcph->th_dport);
3251
3252 break;
3253
3254 case IPPROTO_UDP:
3255 p->orig_udph = (UDPHdr *)(pkt + hlen);
3256
3257 /* fill in the printout data structs */
3258 p->orig_sp = ntohs(p->orig_udph->uh_sport);
3259 p->orig_dp = ntohs(p->orig_udph->uh_dport);
3260
3261 break;
3262
3263 case IPPROTO_ICMP:
3264 p->orig_icmph = (ICMPHdr *)(pkt + hlen);
3265 break;
3266 }
3267
3268 return;
3269 }
3270
3271 /*
3272 * Function: DecodeIPV6(uint8_t *, uint32_t)
3273 *
3274 * Purpose: Decoding IPv6 headers
3275 *
3276 * Arguments: pkt => ptr to the packet data
3277 * len => length from here to the end of the packet
3278 *
3279 * Returns: void function
3280 */
3281
3282 //--------------------------------------------------------------------
3283 // decode.c::IP6 misc
3284 //--------------------------------------------------------------------
3285
3286 #define IP6_MULTICAST 0xFF // first/most significant octet
3287 #define IP6_MULTICAST_SCOPE_RESERVED 0x00
3288 #define IP6_MULTICAST_SCOPE_INTERFACE 0x01
3289 #define IP6_MULTICAST_SCOPE_LINK 0x02
3290 #define IP6_MULTICAST_SCOPE_ADMIN 0x04
3291 #define IP6_MULTICAST_SCOPE_SITE 0x05
3292 #define IP6_MULTICAST_SCOPE_ORG 0x08
3293 #define IP6_MULTICAST_SCOPE_GLOBAL 0x0E
3294
3295 /* Check for multiple IPv6 Multicast-related alerts */
3296 static void CheckIPV6Multicast(Packet *p)
3297 {
3298 IP6RawHdr* hdr6 = (IP6RawHdr*)p->iph;
3299 uint8_t multicast_scope;
3300 struct in6_addr* ip_dst;
3301 uint32_t h_ip_dst;
3302
3303 if ( hdr6->ip6_src.s6_addr[0] == IP6_MULTICAST )
3304 {
3305 DecoderEvent(p, DECODE_IPV6_SRC_MULTICAST,
3306 DECODE_IPV6_SRC_MULTICAST_STR, 1, 1);
3307 }
3308 ip_dst = &hdr6->ip6_dst;
3309 if ( ip_dst->s6_addr[0] != IP6_MULTICAST )
3310 {
3311 return;
3312 }
3313
3314 multicast_scope = ip_dst->s6_addr[1] & 0x0F;
3315 switch (multicast_scope)
3316 {
3317 case IP6_MULTICAST_SCOPE_RESERVED:
3318 case IP6_MULTICAST_SCOPE_INTERFACE:
3319 case IP6_MULTICAST_SCOPE_LINK:
3320 case IP6_MULTICAST_SCOPE_ADMIN:
3321 case IP6_MULTICAST_SCOPE_SITE:
3322 case IP6_MULTICAST_SCOPE_ORG:
3323 case IP6_MULTICAST_SCOPE_GLOBAL:
3324 break;
3325
3326 default:
3327 DecoderEvent(p, DECODE_IPV6_BAD_MULTICAST_SCOPE,
3328 DECODE_IPV6_BAD_MULTICAST_SCOPE_STR, 1, 1);
3329 }
3330
3331 /* Check against assigned multicast addresses. These are listed at:
3332 http://www.iana.org/assignments/ipv6-multicast-addresses/ */
3333
3334 /* Multicast addresses only specify the first 16 and last 40 bits.
3335 Others should be zero. */
3336 if ((ip_dst->s6_addr16[1] != 0) ||
3337 (ip_dst->s6_addr32[1] != 0) ||
3338 (ip_dst->s6_addr16[4] != 0) ||
3339 (ip_dst->s6_addr[10] != 0))
3340 {
3341 DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST,
3342 DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1);
3343 return;
3344 }
3345
3346 if (ip_dst->s6_addr[1] == IP6_MULTICAST_SCOPE_INTERFACE)
3347 {
3348 // Node-local scope
3349 if ((ip_dst->s6_addr16[1] != 0) ||
3350 (ip_dst->s6_addr32[1] != 0) ||
3351 (ip_dst->s6_addr32[2] != 0) ||
3352 (ip_dst->s6_addr16[6] != 0))
3353 {
3354
3355 DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST,
3356 DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1);
3357 }
3358 else
3359 {
3360 switch (ntohl(ip_dst->s6_addr32[3]))
3361 {
3362 case 0x00000001: // All Nodes
3363 case 0x00000002: // All Routers
3364 case 0x000000FB: // mDNSv6
3365 break;
3366 default:
3367 DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST,
3368 DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1);
3369 }
3370 }
3371 }
3372 else if (ip_dst->s6_addr[1] == IP6_MULTICAST_SCOPE_LINK)
3373 {
3374 // Link-local scope
3375 switch (ntohl(ip_dst->s6_addr32[3]))
3376 {
3377 case 0x00000001: // All Nodes
3378 case 0x00000002: // All Routers
3379 case 0x00000004: // DVMRP Routers
3380 case 0x00000005: // OSPFIGP
3381 case 0x00000006: // OSPFIGP Designated Routers
3382 case 0x00000007: // ST Routers
3383 case 0x00000008: // ST Hosts
3384 case 0x00000009: // RIP Routers
3385 case 0x0000000A: // EIGRP Routers
3386 case 0x0000000B: // Mobile-Agents
3387 case 0x0000000C: // SSDP
3388 case 0x0000000D: // All PIMP Routers
3389 case 0x0000000E: // RSVP-ENCAPSULATION
3390 case 0x0000000F: // UPnP
3391 case 0x00000012: // VRRP
3392 case 0x00000016: // All MLDv2-capable routers
3393 case 0x0000006A: // All-Snoopers
3394 case 0x0000006B: // PTP-pdelay
3395 case 0x0000006C: // Saratoga
3396 case 0x0000006D: // LL-MANET-Routers
3397 case 0x0000006E: // IGRS
3398 case 0x0000006F: // iADT Discovery
3399 case 0x000000FB: // mDNSv6
3400 case 0x00010001: // Link Name
3401 case 0x00010002: // All-dhcp-agents
3402 case 0x00010003: // Link-local Multicast Name Resolution
3403 case 0x00010004: // DTCP Announcement
3404 break;
3405 default:
3406 if ((ip_dst->s6_addr[11] == 1) &&
3407 (ip_dst->s6_addr[12] == 0xFF))
3408 {
3409 break; // Solicited-Node Address
3410 }
3411 if ((ip_dst->s6_addr[11] == 2) &&
3412 (ip_dst->s6_addr[12] == 0xFF))
3413 {
3414 break; // Node Information Queries
3415 }
3416 DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST,
3417 DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1);
3418 }
3419 }
3420 else if (ip_dst->s6_addr[1] == IP6_MULTICAST_SCOPE_SITE)
3421 {
3422 // Site-local scope
3423 switch (ntohl(ip_dst->s6_addr32[3]))
3424 {
3425 case 0x00000002: // All Routers
3426 case 0x000000FB: // mDNSv6
3427 case 0x00010003: // All-dhcp-servers
3428 case 0x00010004: // Deprecated
3429 case 0x00010005: // SL-MANET-ROUTERS
3430 break;
3431 default:
3432 DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST,
3433 DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1);
3434 }
3435 }
3436 else if ((ip_dst->s6_addr[1] & 0xF0) == 0)
3437 {
3438 h_ip_dst = ntohl(ip_dst->s6_addr32[3]);
3439
3440 // Variable scope
3441 switch (h_ip_dst)
3442 {
3443 case 0x0000000C: // SSDP
3444 case 0x000000FB: // mDNSv6
3445 case 0x00000181: // PTP-primary
3446 case 0x00000182: // PTP-alternate1
3447 case 0x00000183: // PTP-alternate2
3448 case 0x00000184: // PTP-alternate3
3449 case 0x0000018C: // All ACs multicast address
3450 case 0x00000201: // "rwho" Group (BSD)
3451 case 0x00000202: // SUN RPC PMAPPROC_CALLIT
3452 case 0x00000204: // All C1222 Nodes
3453 case 0x00000300: // Mbus/IPv6
3454 case 0x00027FFE: // SAPv1 Announcements
3455 case 0x00027FFF: // SAPv0 Announcements
3456 break;
3457 default:
3458 if ((h_ip_dst >= 0x00000100) &&
3459 (h_ip_dst <= 0x00000136))
3460 {
3461 break; // Several addresses assigned in a contiguous block
3462 }
3463
3464 if ((h_ip_dst >= 0x00000140) &&
3465 (h_ip_dst <= 0x0000014F))
3466 {
3467 break; // EPSON-disc-set
3468 }
3469
3470 if ((h_ip_dst >= 0x00020000) &&
3471 (h_ip_dst <= 0x00027FFD))
3472 {
3473 break; // Multimedia Conference Calls
3474 }
3475
3476 if ((h_ip_dst >= 0x00011000) &&
3477 (h_ip_dst <= 0x000113FF))
3478 {
3479 break; // Service Location, Version 2
3480 }
3481
3482 if ((h_ip_dst >= 0x00028000) &&
3483 (h_ip_dst <= 0x0002FFFF))
3484 {
3485 break; // SAP Dynamic Assignments
3486 }
3487
3488 DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST,
3489 DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1);
3490 }
3491 }
3492 else if ((ip_dst->s6_addr[1] & 0xF0) == 0x30)
3493 {
3494 h_ip_dst = ntohl(ip_dst->s6_addr32[3]);
3495
3496 // Source-Specific Multicast block
3497 if ((h_ip_dst >= 0x40000001) &&
3498 (h_ip_dst <= 0x7FFFFFFF))
3499 {
3500 return; // IETF consensus
3501 }
3502 else if ((h_ip_dst >= 0x80000000) &&
3503 (h_ip_dst <= 0xFFFFFFFF))
3504 {
3505 return; // Dynamiclly allocated by hosts when needed
3506 }
3507 else
3508 {
3509 // Other addresses in this block are reserved.
3510 DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST,
3511 DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1);
3512 }
3513 }
3514 else
3515 {
3516 /* Addresses not listed above are reserved. */
3517 DecoderEvent(p, DECODE_IPV6_DST_RESERVED_MULTICAST,
3518 DECODE_IPV6_DST_RESERVED_MULTICAST_STR, 1, 1);
3519 }
3520 }
3521
3522 /* Teredo packets need to have one of their IPs use either the Teredo prefix,
3523 or a link-local prefix (in the case of Router Solicitation messages) */
3524 static inline int CheckTeredoPrefix(IP6RawHdr *hdr)
3525 {
3526 /* Check if src address matches 2001::/32 */
3527 if ((hdr->ip6_src.s6_addr[0] == 0x20) &&
3528 (hdr->ip6_src.s6_addr[1] == 0x01) &&
3529 (hdr->ip6_src.s6_addr[2] == 0x00) &&
3530 (hdr->ip6_src.s6_addr[3] == 0x00))
3531 return 1;
3532
3533 /* Check if src address matches fe80::/64 */
3534 if ((hdr->ip6_src.s6_addr[0] == 0xfe) &&
3535 (hdr->ip6_src.s6_addr[1] == 0x80) &&
3536 (hdr->ip6_src.s6_addr[2] == 0x00) &&
3537 (hdr->ip6_src.s6_addr[3] == 0x00) &&
3538 (hdr->ip6_src.s6_addr[4] == 0x00) &&
3539 (hdr->ip6_src.s6_addr[5] == 0x00) &&
3540 (hdr->ip6_src.s6_addr[6] == 0x00) &&
3541 (hdr->ip6_src.s6_addr[7] == 0x00))
3542 return 1;
3543
3544 /* Check if dst address matches 2001::/32 */
3545 if ((hdr->ip6_dst.s6_addr[0] == 0x20) &&
3546 (hdr->ip6_dst.s6_addr[1] == 0x01) &&
3547 (hdr->ip6_dst.s6_addr[2] == 0x00) &&
3548 (hdr->ip6_dst.s6_addr[3] == 0x00))
3549 return 1;
3550
3551 /* Check if dst address matches fe80::/64 */
3552 if ((hdr->ip6_dst.s6_addr[0] == 0xfe) &&
3553 (hdr->ip6_dst.s6_addr[1] == 0x80) &&
3554 (hdr->ip6_dst.s6_addr[2] == 0x00) &&
3555 (hdr->ip6_dst.s6_addr[3] == 0x00) &&
3556 (hdr->ip6_dst.s6_addr[4] == 0x00) &&
3557 (hdr->ip6_dst.s6_addr[5] == 0x00) &&
3558 (hdr->ip6_dst.s6_addr[6] == 0x00) &&
3559 (hdr->ip6_dst.s6_addr[7] == 0x00))
3560 return 1;
3561
3562 /* No Teredo prefix found. */
3563 return 0;
3564 }
3565
3566 /* Function: IPV6MiscTests(Packet *p)
3567 *
3568 * Purpose: A bunch of IPv6 decoder alerts
3569 *
3570 * Arguments: p => the Packet to check
3571 *
3572 * Returns: void function
3573 */
3574 static inline void IPV6MiscTests(Packet *p)
3575 {
3576 IP6RawHdr* hdr6 = (IP6RawHdr*)p->iph;
3577 /*
3578 * Some IP Header tests
3579 * Land Attack(same src/dst ip)
3580 * Loopback (src or dst in 127/8 block)
3581 * Modified: 2/22/05-man for High Endian Architecture.
3582 *
3583 * some points in the code assume an IP of 0.0.0.0 matches anything, but
3584 * that is not so here. The sfip_compare makes that assumption for
3585 * compatibility, but sfip_contains does not. Hence, sfip_contains
3586 * is used here in the interrim. */
3587 #if !defined(SFLINUX) && defined(DAQ_CAPA_VRF)
3588 uint16_t sAsId;
3589 uint16_t dAsId;
3590
3591 sAsId = DAQ_GetSourceAddressSpaceID(p->pkth);
3592 dAsId = DAQ_GetDestinationAddressSpaceID(p->pkth);
3593
3594 if( sfip_fast_eq6((sfaddr_t*)&hdr6->ip6_src.s6_addr, (sfaddr_t*)&hdr6->ip6_dst.s6_addr)
3595 && (sAsId == dAsId))
3596 {
3597 DecoderEvent(p, DECODE_BAD_TRAFFIC_SAME_SRCDST,
3598 DECODE_BAD_TRAFFIC_SAME_SRCDST_STR,
3599 1, 1);
3600 if( pkt_trace_enabled )
3601 {
3602 addPktTraceData(VERDICT_REASON_SNORT, snprintf(trace_line, MAX_TRACE_LINE,
3603 "Packet is blocked since same source and destination"));
3604 }
3605 }
3606 #else
3607 if( sfip_fast_eq6((sfaddr_t*)&hdr6->ip6_src.s6_addr, (sfaddr_t*)&hdr6->ip6_dst.s6_addr))
3608 {
3609 DecoderEvent(p, DECODE_BAD_TRAFFIC_SAME_SRCDST,
3610 DECODE_BAD_TRAFFIC_SAME_SRCDST_STR,
3611 1, 1);
3612 }
3613 #endif
3614 if(sfip_is_loopback((sfaddr_t*)&hdr6->ip6_src.s6_addr) || sfip_is_loopback((sfaddr_t*)&hdr6->ip6_dst.s6_addr))
3615 {
3616 DecoderEvent(p, DECODE_BAD_TRAFFIC_LOOPBACK,
3617 DECODE_BAD_TRAFFIC_LOOPBACK_STR,
3618 1,1);
3619 }
3620
3621 /* Other decoder alerts for IPv6 addresses
3622 Added: 5/24/10 (Snort 2.9.0) */
3623 if (!sfraw_is_set(&hdr6->ip6_dst))
3624 {
3625 DecoderEvent(p, DECODE_IPV6_DST_ZERO, DECODE_IPV6_DST_ZERO_STR, 1, 1);
3626 }
3627
3628 CheckIPV6Multicast(p);
3629
3630 if ( Event_Enabled(DECODE_IPV6_ISATAP_SPOOF) )
3631 {
3632 /* Only check for IPv6 over IPv4 */
3633 if (p->outer_iph && p->outer_iph->ip_proto == IPPROTO_IPV6)
3634 {
3635 uint32_t isatap_interface_id = ntohl(hdr6->ip6_src.s6_addr32[2]) & 0xFCFFFFFF;
3636
3637 /* ISATAP uses address with prefix fe80:0000:0000:0000:0200:5efe or
3638 fe80:0000:0000:0000:0000:5efe, followed by the IPv4 address. */
3639 if (isatap_interface_id == 0x00005EFE)
3640 {
3641 if (p->outer_iph->ip_src.s_addr != hdr6->ip6_src.s6_addr32[3])
3642 DecoderEvent(p, EVARGS(IPV6_ISATAP_SPOOF), 1, 1);
3643 }
3644 }
3645 }
3646 }
3647
3648 //--------------------------------------------------------------------
3649 // decode.c::IP6 extensions
3650 //--------------------------------------------------------------------
3651
3652 static inline int IPV6ExtensionOrder(uint8_t type)
3653 {
3654 switch (type)
3655 {
3656 case IPPROTO_HOPOPTS: return 1;
3657 case IPPROTO_DSTOPTS: return 2;
3658 case IPPROTO_ROUTING: return 3;
3659 case IPPROTO_FRAGMENT: return 4;
3660 case IPPROTO_AH: return 5;
3661 case IPPROTO_ESP: return 6;
3662 default: return 7;
3663 }
3664 }
3665
3666 /* Check for out-of-order IPv6 Extension Headers */
3667 static inline void CheckIPv6ExtensionOrder(Packet *p)
3668 {
3669 int routing_seen = 0;
3670 int current_type_order, next_type_order, i;
3671
3672 if (Event_Enabled(DECODE_IPV6_UNORDERED_EXTENSIONS))
3673 {
3674 if (p->ip6_extension_count > 0)
3675 current_type_order = IPV6ExtensionOrder(p->ip6_extensions[0].type);
3676
3677 for (i = 1; i < (p->ip6_extension_count); i++)
3678 {
3679 next_type_order = IPV6ExtensionOrder(p->ip6_extensions[i].type);
3680
3681 if (p->ip6_extensions[i].type == IPPROTO_ROUTING)
3682 routing_seen = 1;
3683
3684 if (next_type_order <= current_type_order)
3685 {
3686 /* A second "Destination Options" header is allowed iff:
3687 1) A routing header was already seen, and
3688 2) The second destination header is the last one before the upper layer.
3689 */
3690 if (!routing_seen ||
3691 !(p->ip6_extensions[i].type == IPPROTO_DSTOPTS) ||
3692 !(i+1 == p->ip6_extension_count))
3693 {
3694 DecoderEvent(p, EVARGS(IPV6_UNORDERED_EXTENSIONS), 1, 1);
3695 }
3696 }
3697
3698 current_type_order = next_type_order;
3699 }
3700 }
3701 }
3702
3703 void DecodeIPV6Extensions(uint8_t next, const uint8_t *pkt, uint32_t len, Packet *p);
3704
3705 static inline int CheckIPV6HopOptions(const uint8_t *pkt, uint32_t len, Packet *p)
3706 {
3707 IP6Extension *exthdr = (IP6Extension *)pkt;
3708 uint32_t total_octets = (exthdr->ip6e_len * 8) + 8;
3709 const uint8_t *hdr_end = pkt + total_octets;
3710 uint8_t type, oplen;
3711
3712 if (len < total_octets)
3713 {
3714 DecoderEvent(p, EVARGS(IPV6_TRUNCATED_EXT), 1, 1);
3715 return -1;
3716 }
3717
3718 /* Skip to the options */
3719 pkt += 2;
3720
3721 /* Iterate through the options, check for bad ones */
3722 while (pkt < hdr_end)
3723 {
3724 type = *pkt;
3725 switch (type)
3726 {
3727 case IP6_OPT_PAD1:
3728 pkt++;
3729 break;
3730 case IP6_OPT_PADN:
3731 case IP6_OPT_JUMBO:
3732 case IP6_OPT_RTALERT:
3733 case IP6_OPT_TUNNEL_ENCAP:
3734 case IP6_OPT_QUICK_START:
3735 case IP6_OPT_CALIPSO:
3736 case IP6_OPT_HOME_ADDRESS:
3737 case IP6_OPT_ENDPOINT_IDENT:
3738 pkt++;
3739 if (pkt < hdr_end)
3740 {
3741 oplen = *pkt;
3742 if ((pkt + oplen + 1) > hdr_end)
3743 {
3744 DecoderEvent(p, EVARGS(IPV6_BAD_OPT_LEN), 1, 1);
3745 return -1;
3746 }
3747 pkt += oplen + 1;
3748 }
3749 break;
3750 default:
3751 DecoderEvent(p, EVARGS(IPV6_BAD_OPT_TYPE), 1, 1);
3752 return -1;
3753 }
3754 }
3755
3756 return 0;
3757 }
3758
3759 void DecodeIPV6Options(int type, const uint8_t *pkt, uint32_t len, Packet *p)
3760 {
3761 IP6Extension *exthdr;
3762 uint32_t hdrlen = 0;
3763
3764 /* This should only be called by DecodeIPV6 or DecodeIPV6Extensions
3765 * so no validation performed. Otherwise, uncomment the following: */
3766 /* if(IPH_IS_VALID(p)) return */
3767
3768 pc.ipv6opts++;
3769
3770 /* Need at least two bytes, one for next header, one for len. */
3771 /* But size is an integer multiple of 8 octets, so 8 is min. */
3772 if(len < sizeof(IP6Extension))
3773 {
3774 DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT,
3775 DECODE_IPV6_TRUNCATED_EXT_STR,
3776 1, 1);
3777 return;
3778 }
3779
3780 if ( p->ip6_extension_count >= ScMaxIP6Extensions() )
3781 {
3782 DecoderEvent(p, DECODE_IP6_EXCESS_EXT_HDR,
3783 DECODE_IP6_EXCESS_EXT_HDR_STR,
3784 1, 1);
3785 return;
3786 }
3787
3788 exthdr = (IP6Extension *)pkt;
3789
3790 p->ip6_extensions[p->ip6_extension_count].type = type;
3791 p->ip6_extensions[p->ip6_extension_count].data = pkt;
3792
3793 // TBD add layers for other ip6 ext headers
3794 switch (type)
3795 {
3796 case IPPROTO_HOPOPTS:
3797 hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3);
3798
3799 if ( CheckIPV6HopOptions(pkt, len, p) == 0 )
3800 PushLayer(PROTO_IP6_HOP_OPTS, p, pkt, hdrlen);
3801 break;
3802
3803 case IPPROTO_DSTOPTS:
3804 if (exthdr->ip6e_nxt == IPPROTO_ROUTING)
3805 {
3806 DecoderEvent(p, DECODE_IPV6_DSTOPTS_WITH_ROUTING,
3807 DECODE_IPV6_DSTOPTS_WITH_ROUTING_STR,
3808 1, 1);
3809 }
3810 hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3);
3811
3812 if ( CheckIPV6HopOptions(pkt, len, p) == 0 )
3813 PushLayer(PROTO_IP6_DST_OPTS, p, pkt, hdrlen);
3814 break;
3815
3816 case IPPROTO_ROUTING:
3817
3818 /* Routing type 0 extension headers are evil creatures. */
3819 {
3820 IP6Route *rte = (IP6Route *)exthdr;
3821
3822 if (rte->ip6rte_type == 0)
3823 {
3824 DecoderEvent(p, DECODE_IPV6_ROUTE_ZERO,
3825 DECODE_IPV6_ROUTE_ZERO_STR, 1, 1);
3826 }
3827 }
3828
3829 if (exthdr->ip6e_nxt == IPPROTO_HOPOPTS)
3830 {
3831 DecoderEvent(p, DECODE_IPV6_ROUTE_AND_HOPBYHOP,
3832 DECODE_IPV6_ROUTE_AND_HOPBYHOP_STR,
3833 1, 1);
3834 }
3835 if (exthdr->ip6e_nxt == IPPROTO_ROUTING)
3836 {
3837 DecoderEvent(p, DECODE_IPV6_TWO_ROUTE_HEADERS,
3838 DECODE_IPV6_TWO_ROUTE_HEADERS_STR,
3839 1, 1);
3840 }
3841 hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3);
3842 break;
3843
3844 case IPPROTO_FRAGMENT:
3845 if (len == sizeof(IP6Frag))
3846 {
3847 DecoderEvent(p, DECODE_ZERO_LENGTH_FRAG,
3848 DECODE_ZERO_LENGTH_FRAG_STR, 1, 1);
3849 return;
3850 }
3851 else
3852 {
3853 IP6Frag *ip6frag_hdr = (IP6Frag *)pkt;
3854 /* If this is an IP Fragment, set some data... */
3855 p->ip6_frag_index = p->ip6_extension_count;
3856 p->ip_frag_start = pkt + sizeof(IP6Frag);
3857
3858 p->df = 0;
3859 p->rf = IP6F_RES(ip6frag_hdr);
3860 p->mf = IP6F_MF(ip6frag_hdr);
3861 p->frag_offset = IP6F_OFFSET(ip6frag_hdr);
3862
3863 if ( p->frag_offset || p->mf )
3864 {
3865 p->frag_flag = 1;
3866 pc.frag6++;
3867 }
3868 else
3869 {
3870 DecoderEvent(p, DECODE_IPV6_BAD_FRAG_PKT,
3871 DECODE_IPV6_BAD_FRAG_PKT_STR , 1, 1);
3872 }
3873 if (
3874 !(p->frag_offset) &&
3875 Event_Enabled(DECODE_IPV6_UNORDERED_EXTENSIONS) )
3876 {
3877 // check header ordering of fragged (next) header
3878 if ( IPV6ExtensionOrder(ip6frag_hdr->ip6f_nxt) <
3879 IPV6ExtensionOrder(IPPROTO_FRAGMENT) )
3880 DecoderEvent(p, EVARGS(IPV6_UNORDERED_EXTENSIONS), 1, 1);
3881 }
3882 }
3883 hdrlen = sizeof(IP6Frag);
3884 p->ip_frag_len = (uint16_t)(len - hdrlen);
3885
3886 if ( p->frag_flag && ((p->frag_offset > 0) ||
3887 (exthdr->ip6e_nxt != IPPROTO_UDP)) )
3888 {
3889 //check header order up thru frag header
3890 p->ip6_extension_count++;
3891 CheckIPv6ExtensionOrder(p);
3892
3893 /* For non-zero offset frags, we stop decoding after the
3894 Frag header. According to RFC 2460, the "Next Header"
3895 value may differ from that of the offset zero frag,
3896 but only the Next Header of the original frag is used. */
3897 // check DecodeIP(); we handle frags the same way here
3898 return;
3899 }
3900 break;
3901
3902 case IPPROTO_AH:
3903 /* Auth Headers work in both IPv4 & IPv6, and their lengths are
3904 given in 4-octet increments instead of 8-octet increments. */
3905 hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 2);
3906
3907 if (hdrlen <= len)
3908 PushLayer(PROTO_AH, p, pkt, hdrlen);
3909 break;
3910
3911 default:
3912 hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3);
3913 break;
3914 }
3915
3916 p->ip6_extension_count++;
3917
3918 if(hdrlen > len)
3919 {
3920 DecoderEvent(p, DECODE_IPV6_TRUNCATED_EXT,
3921 DECODE_IPV6_TRUNCATED_EXT_STR,
3922 1, 1);
3923 return;
3924 }
3925
3926 if ( hdrlen > 0 )
3927 {
3928 DecodeIPV6Extensions(*pkt, pkt + hdrlen, len - hdrlen, p);
3929 }
3930 #ifdef DEBUG_MSGS
3931 else
3932 {
3933 DebugMessage(DEBUG_DECODE, "WARNING - no next ip6 header decoded\n");
3934 }
3935 #endif
3936 }
3937
3938 void DecodeIPV6Extensions(uint8_t next, const uint8_t *pkt, uint32_t len, Packet *p)
3939 {
3940 pc.ip6ext++;
3941
3942 #ifdef GRE
3943 if (p->greh != NULL)
3944 pc.gre_ipv6ext++;
3945 #endif
3946
3947 /* XXX might this introduce an issue if the "next" field is invalid? */
3948 p->ip6h->next = next;
3949
3950 if (ScIdsMode())
3951 {
3952 /* See if there are any ip_proto only rules that match */
3953 fpEvalIpProtoOnlyRules(snort_conf->ip_proto_only_lists, p);
3954 p->proto_bits |= PROTO_BIT__IP;
3955 }
3956
3957 switch(next) {
3958 case IPPROTO_TCP:
3959 pc.tcp6++;
3960 CheckIPv6ExtensionOrder(p);
3961 DecodeTCP(pkt, len, p);
3962 return;
3963 case IPPROTO_UDP:
3964 pc.udp6++;
3965 CheckIPv6ExtensionOrder(p);
3966 DecodeUDP(pkt, len, p);
3967 return;
3968 case IPPROTO_ICMPV6:
3969 pc.icmp6++;
3970 CheckIPv6ExtensionOrder(p);
3971 DecodeICMP6(pkt , len, p);
3972 return;
3973 case IPPROTO_NONE:
3974 CheckIPv6ExtensionOrder(p);
3975 p->dsize = 0;
3976 return;
3977 case IPPROTO_HOPOPTS:
3978 case IPPROTO_DSTOPTS:
3979 case IPPROTO_ROUTING:
3980 case IPPROTO_FRAGMENT:
3981 case IPPROTO_AH:
3982 DecodeIPV6Options(next, pkt, len, p);
3983 // Anything special to do here? just return?
3984 return;
3985 #ifdef MPLS_RFC4023_SUPPORT
3986 case IPPROTO_MPLS:
3987 DecodeMPLS(pkt, len, p);
3988 return;
3989 #endif
3990 #ifdef GRE
3991 case IPPROTO_GRE:
3992 pc.gre++;
3993 CheckIPv6ExtensionOrder(p);
3994 DecodeGRE(pkt, len, p);
3995 return;
3996 case IPPROTO_IPIP:
3997 pc.ip6ip4++;
3998 if ( ScTunnelBypassEnabled(TUNNEL_4IN6) )
3999 Active_SetTunnelBypass();
4000 CheckIPv6ExtensionOrder(p);
4001 DecodeIP(pkt, len, p);
4002 return;
4003 case IPPROTO_IPV6:
4004 pc.ip6ip6++;
4005 if ( ScTunnelBypassEnabled(TUNNEL_6IN6) )
4006 Active_SetTunnelBypass();
4007 CheckIPv6ExtensionOrder(p);
4008 DecodeIPV6(pkt, len, p);
4009 return;
4010 case IPPROTO_ESP:
4011 CheckIPv6ExtensionOrder(p);
4012 if (ScESPDecoding())
4013 DecodeESP(pkt, len, p);
4014 return;
4015 #endif
4016 default:
4017 CheckIPv6ExtensionOrder(p);
4018 // There may be valid headers after this unsupported one,
4019 // need to decode this header, set "next" and continue
4020 // looping.
4021
4022 DecoderEvent(p, DECODE_IPV6_BAD_NEXT_HEADER,
4023 DECODE_IPV6_BAD_NEXT_HEADER_STR, 1, 1);
4024
4025 pc.other++;
4026 p->data = pkt;
4027 p->dsize = (uint16_t)len;
4028 break;
4029 };
4030 }
4031
4032 //--------------------------------------------------------------------
4033 // decode.c::IP6 decoder
4034 //--------------------------------------------------------------------
4035
4036 void DecodeIPV6(const uint8_t *pkt, uint32_t len, Packet *p)
4037 {
4038 IP6RawHdr *hdr;
4039 uint32_t payload_len;
4040
4041 pc.ipv6++;
4042
4043 #ifdef GRE
4044 if (p->greh != NULL)
4045 pc.gre_ipv6++;
4046 #endif
4047
4048 hdr = (IP6RawHdr*)pkt;
4049
4050 if(len < IP6_HDR_LEN)
4051 {
4052 if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0)
4053 DecoderEvent(p, DECODE_IPV6_TRUNCATED, DECODE_IPV6_TRUNCATED_STR,
4054 1, 1);
4055
4056 goto decodeipv6_fail;
4057 }
4058
4059 /* Verify version in IP6 Header agrees */
4060 if(IPRAW_HDR_VER(hdr) != 6)
4061 {
4062 if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0)
4063 DecoderEvent(p, DECODE_IPV6_IS_NOT, DECODE_IPV6_IS_NOT_STR,
4064 1, 1);
4065
4066 goto decodeipv6_fail;
4067 }
4068
4069 if (p->family != NO_IP)
4070 {
4071 /* Snort currently supports only 2 IP layers. Any more will fail to be
4072 decoded. */
4073 if (p->encapsulated)
4074 {
4075
4076 DecoderAlertEncapsulated(p, DECODE_IP_MULTIPLE_ENCAPSULATION,
4077 DECODE_IP_MULTIPLE_ENCAPSULATION_STR,
4078 pkt, len);
4079 goto decodeipv6_fail;
4080 }
4081 else
4082 {
4083 p->encapsulated = 1;
4084 }
4085 }
4086 payload_len = ntohs(hdr->ip6plen) + IP6_HDR_LEN;
4087
4088 if(payload_len != len)
4089 {
4090 if (payload_len > len)
4091 {
4092 if ((p->packet_flags & PKT_UNSURE_ENCAP) == 0)
4093 DecoderEvent(p, DECODE_IPV6_DGRAM_GT_CAPLEN,
4094 DECODE_IPV6_DGRAM_GT_CAPLEN_STR,
4095 ScDecoderOversizedAlerts(), ScDecoderOversizedDrops());
4096
4097 goto decodeipv6_fail;
4098 }
4099 }
4100
4101 /* Teredo packets should always use the 2001:0000::/32 prefix, or in some
4102 cases the link-local prefix fe80::/64.
4103 Source: RFC 4380, section 2.6 & section 5.2.1
4104
4105 Checking the addresses will save us from numerous false positives
4106 when UDP clients use 3544 as their ephemeral port, or "Deep Teredo
4107 Inspection" is turned on.
4108
4109 If we ever start decoding more than 2 layers of IP in a packet, this
4110 check against p->proto_bits will need to be refactored. */
4111 if ((p->proto_bits & PROTO_BIT__TEREDO) && (CheckTeredoPrefix(hdr) == 0))
4112 {
4113 goto decodeipv6_fail;
4114 }
4115 if (p->encapsulated)
4116 {
4117 p->outer_iph = p->iph;
4118 p->outer_ip_data = p->ip_data;
4119 p->outer_ip_dsize = p->ip_dsize;
4120 }
4121 /* lay the IP struct over the raw data */
4122 // this is ugly but necessary to keep the rest of the code happy
4123 p->inner_iph = p->iph = (IPHdr *)pkt;
4124
4125 /* Build Packet structure's version of the IP6 header */
4126 sfiph_build(p, hdr, AF_INET6);
4127
4128 #ifdef GRE
4129 /* Remove outer IP options */
4130 if (p->encapsulated)
4131 {
4132 p->ip_options_data = NULL;
4133 p->ip_options_len = 0;
4134 }
4135 #endif
4136 p->ip_option_count = 0;
4137
4138 /* set the real IP length for logging */
4139 p->actual_ip_len = ntohs(p->ip6h->len);
4140 p->ip_data = pkt + IP6_HDR_LEN;
4141 p->ip_dsize = ntohs(p->ip6h->len);
4142
4143 PushLayer(PROTO_IP6, p, pkt, sizeof(*hdr));
4144
4145 IPV6MiscTests(p);
4146
4147 DecodeIPV6Extensions(GET_IPH_PROTO(p), pkt + IP6_HDR_LEN, ntohs(p->ip6h->len), p);
4148 return;
4149
4150 decodeipv6_fail:
4151 /* If this was Teredo, back up and treat the packet as normal UDP. */
4152 if (p->proto_bits & PROTO_BIT__TEREDO)
4153 {
4154 pc.ipv6--;
4155 pc.teredo--;
4156 p->proto_bits &= ~PROTO_BIT__TEREDO;
4157 #ifdef GRE
4158 if (p->greh != NULL)
4159 pc.gre_ipv6--;
4160 #endif
4161 if ( ScTunnelBypassEnabled(TUNNEL_TEREDO) )
4162 Active_ClearTunnelBypass();
4163 return;
4164 }
4165
4166 pc.discards++;
4167 pc.ipv6disc++;
4168 }
4169
4170 //--------------------------------------------------------------------
4171 // decode.c::ICMP6
4172 //--------------------------------------------------------------------
4173
4174 void DecodeICMP6(const uint8_t *pkt, const uint32_t len, Packet *p)
4175 {
4176 if(len < ICMP6_MIN_HEADER_LEN)
4177 {
4178 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
4179 "WARNING: Truncated ICMP6 header (%d bytes).\n", len););
4180
4181 if ( Event_Enabled(DECODE_ICMP6_HDR_TRUNC) )
4182 DecoderEvent(p, EVARGS(ICMP6_HDR_TRUNC), 1, 1);
4183
4184 pc.discards++;
4185 return;
4186 }
4187
4188 p->icmp6h = (ICMP6Hdr*)pkt;
4189 p->icmph = (ICMPHdr*)pkt; /* This is needed for icmp rules */
4190
4191 /* Do checksums */
4192 if (ScIcmpChecksums())
4193 {
4194 uint16_t csum;
4195
4196 if(IS_IP4(p))
4197 {
4198 csum = in_chksum_icmp((uint16_t *)(p->icmp6h), len);
4199 }
4200 /* IPv6 traffic */
4201 else
4202 {
4203 IP6RawHdr* hdr6 = (IP6RawHdr*)p->iph;
4204 pseudoheader6 ph6;
4205 COPY4(ph6.sip, hdr6->ip6_src.s6_addr32);
4206 COPY4(ph6.dip, hdr6->ip6_dst.s6_addr32);
4207 ph6.zero = 0;
4208 ph6.protocol = GET_IPH_PROTO(p);
4209 ph6.len = htons((u_short)len);
4210
4211 csum = in_chksum_icmp6(&ph6, (uint16_t *)(p->icmp6h), len);
4212 }
4213 if(csum)
4214 {
4215 p->error_flags |= PKT_ERR_CKSUM_ICMP;
4216 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad ICMP Checksum\n"););
4217
4218 if ( ScIdsMode() )
4219 queueExecDrop(execIcmpChksmDrop, p);
4220 }
4221 else
4222 {
4223 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,"ICMP Checksum: OK\n"););
4224 }
4225 }
4226
4227 p->dsize = (u_short)(len - ICMP6_MIN_HEADER_LEN);
4228 p->data = pkt + ICMP6_MIN_HEADER_LEN;
4229
4230 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP type: %d code: %d\n",
4231 p->icmp6h->type, p->icmp6h->code););
4232
4233 switch(p->icmp6h->type)
4234 {
4235 case ICMP6_ECHO:
4236 case ICMP6_REPLY:
4237 if (p->dsize >= sizeof(struct idseq))
4238 {
4239 IP6RawHdr* hdr6 = (IP6RawHdr*)p->iph;
4240
4241 /* Set data pointer to that of the "echo message" */
4242 /* add the size of the echo ext to the data
4243 * ptr and subtract it from the data size */
4244 p->dsize -= sizeof(struct idseq);
4245 p->data += sizeof(struct idseq);
4246
4247 if ( Event_Enabled(DECODE_ICMP6_DST_MULTICAST) )
4248 if ( hdr6->ip6_dst.s6_addr[0] == IP6_MULTICAST )
4249 DecoderEvent(p, EVARGS(ICMP6_DST_MULTICAST), 1, 1);
4250
4251 PushLayer(PROTO_ICMP6, p, pkt, ICMP_NORMAL_LEN);
4252 }
4253 else
4254 {
4255 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
4256 "WARNING: Truncated ICMP Echo header (%d bytes).\n", len););
4257
4258 DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR,
4259 DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1);
4260
4261 p->icmph = NULL;
4262 p->icmp6h = NULL;
4263 pc.discards++;
4264 pc.icmpdisc++;
4265 return;
4266 }
4267 break;
4268
4269 case ICMP6_BIG:
4270 if (p->dsize >= sizeof(ICMP6TooBig))
4271 {
4272 ICMP6TooBig *too_big = (ICMP6TooBig *)pkt;
4273 /* Set data pointer past MTU */
4274 p->data += 4;
4275 p->dsize -= 4;
4276
4277 if (ntohl(too_big->mtu) < 1280)
4278 {
4279 DecoderEvent(p, DECODE_ICMPV6_TOO_BIG_BAD_MTU,
4280 DECODE_ICMPV6_TOO_BIG_BAD_MTU_STR, 1, 1);
4281 }
4282
4283 PushLayer(PROTO_ICMP6, p, pkt, ICMP_NORMAL_LEN);
4284 DecodeICMPEmbeddedIP6(p->data, p->dsize, p);
4285 }
4286 else
4287 {
4288 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
4289 "WARNING: Truncated ICMP header (%d bytes).\n", len););
4290
4291 DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR,
4292 DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1);
4293
4294 p->icmph = NULL;
4295 p->icmp6h = NULL;
4296 pc.discards++;
4297 pc.icmpdisc++;
4298 return;
4299 }
4300 break;
4301
4302 case ICMP6_TIME:
4303 case ICMP6_PARAMS:
4304 case ICMP6_UNREACH:
4305 if (p->dsize >= 4)
4306 {
4307 /* Set data pointer past the 'unused/mtu/pointer block */
4308 p->data += 4;
4309 p->dsize -= 4;
4310
4311 if (p->icmp6h->type == ICMP6_UNREACH)
4312 {
4313 if (p->icmp6h->code == 2)
4314 {
4315 DecoderEvent(p, DECODE_ICMPV6_UNREACHABLE_NON_RFC_2463_CODE,
4316 DECODE_ICMPV6_UNREACHABLE_NON_RFC_2463_CODE_STR, 1, 1);
4317 }
4318 else if (p->icmp6h->code > 6)
4319 {
4320 DecoderEvent(p, DECODE_ICMPV6_UNREACHABLE_NON_RFC_4443_CODE,
4321 DECODE_ICMPV6_UNREACHABLE_NON_RFC_4443_CODE_STR, 1, 1);
4322 }
4323 }
4324
4325 PushLayer(PROTO_ICMP6, p, pkt, ICMP_NORMAL_LEN);
4326 DecodeICMPEmbeddedIP6(p->data, p->dsize, p);
4327 }
4328 else
4329 {
4330 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
4331 "WARNING: Truncated ICMP header (%d bytes).\n", len););
4332
4333 DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR,
4334 DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1);
4335
4336 p->icmph = NULL;
4337 p->icmp6h = NULL;
4338 pc.discards++;
4339 pc.icmpdisc++;
4340 return;
4341 }
4342 break;
4343
4344 case ICMP6_ADVERTISEMENT:
4345 if (p->dsize >= (sizeof(ICMP6RouterAdvertisement) - ICMP6_MIN_HEADER_LEN))
4346 {
4347 ICMP6RouterAdvertisement *ra = (ICMP6RouterAdvertisement *)pkt;
4348 if (p->icmp6h->code != 0)
4349 {
4350 DecoderEvent(p, DECODE_ICMPV6_ADVERT_BAD_CODE,
4351 DECODE_ICMPV6_ADVERT_BAD_CODE_STR, 1, 1);
4352 }
4353 if (ntohl(ra->reachable_time) > 3600000)
4354 {
4355 DecoderEvent(p, DECODE_ICMPV6_ADVERT_BAD_REACHABLE,
4356 DECODE_ICMPV6_ADVERT_BAD_REACHABLE_STR, 1, 1);
4357 }
4358 PushLayer(PROTO_ICMP6, p, pkt, ICMP_HEADER_LEN);
4359 }
4360 else
4361 {
4362 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
4363 "WARNING: Truncated ICMP header (%d bytes).\n", len););
4364
4365 DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR,
4366 DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1);
4367
4368 p->icmph = NULL;
4369 p->icmp6h = NULL;
4370 pc.discards++;
4371 pc.icmpdisc++;
4372 return;
4373 }
4374 break;
4375
4376 case ICMP6_SOLICITATION:
4377 if (p->dsize >= (sizeof(ICMP6RouterSolicitation) - ICMP6_MIN_HEADER_LEN))
4378 {
4379 ICMP6RouterSolicitation *rs = (ICMP6RouterSolicitation *)pkt;
4380 if (rs->code != 0)
4381 {
4382 DecoderEvent(p, DECODE_ICMPV6_SOLICITATION_BAD_CODE,
4383 DECODE_ICMPV6_SOLICITATION_BAD_CODE_STR, 1, 1);
4384 }
4385 if (ntohl(rs->reserved) != 0)
4386 {
4387 DecoderEvent(p, DECODE_ICMPV6_SOLICITATION_BAD_RESERVED,
4388 DECODE_ICMPV6_SOLICITATION_BAD_RESERVED_STR, 1, 1);
4389 }
4390 PushLayer(PROTO_ICMP6, p, pkt, ICMP_HEADER_LEN);
4391 }
4392 else
4393 {
4394 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
4395 "WARNING: Truncated ICMP header (%d bytes).\n", len););
4396
4397 DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR,
4398 DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1);
4399
4400 p->icmph = NULL;
4401 p->icmp6h = NULL;
4402 pc.discards++;
4403 pc.icmpdisc++;
4404 return;
4405 }
4406 break;
4407
4408 case ICMP6_NODE_INFO_QUERY:
4409 case ICMP6_NODE_INFO_RESPONSE:
4410 if (p->dsize >= (sizeof(ICMP6NodeInfo) - ICMP6_MIN_HEADER_LEN))
4411 {
4412 ICMP6NodeInfo *ni = (ICMP6NodeInfo *)pkt;
4413 if (ni->code > 2)
4414 {
4415 DecoderEvent(p, DECODE_ICMPV6_NODE_INFO_BAD_CODE,
4416 DECODE_ICMPV6_NODE_INFO_BAD_CODE_STR, 1, 1);
4417 }
4418 /* TODO: Add alert for INFO Response, code == 1 || code == 2)
4419 * and there is data.
4420 */
4421 }
4422 else
4423 {
4424 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
4425 "WARNING: Truncated ICMP header (%d bytes).\n", len););
4426
4427 DecoderEvent(p, DECODE_ICMP_DGRAM_LT_ICMPHDR,
4428 DECODE_ICMP_DGRAM_LT_ICMPHDR_STR, 1, 1);
4429
4430 p->icmph = NULL;
4431 p->icmp6h = NULL;
4432 pc.discards++;
4433 pc.icmpdisc++;
4434 return;
4435 }
4436 break;
4437
4438 default:
4439 if ( Event_Enabled(DECODE_ICMP6_TYPE_OTHER) )
4440 DecoderEvent(p, EVARGS(ICMP6_TYPE_OTHER), 1, 1);
4441
4442 PushLayer(PROTO_ICMP6, p, pkt, ICMP_HEADER_LEN);
4443 break;
4444 }
4445
4446 p->proto_bits |= PROTO_BIT__ICMP;
4447 p->proto_bits &= ~(PROTO_BIT__UDP | PROTO_BIT__TCP);
4448 }
4449
4450 /*
4451 * Function: DecodeICMPEmbeddedIP6(uint8_t *, const uint32_t, Packet *)
4452 *
4453 * Purpose: Decode the ICMP embedded IP6 header + payload
4454 *
4455 * Arguments: pkt => ptr to the packet data
4456 * len => length from here to the end of the packet
4457 * p => pointer to dummy packet decode struct
4458 *
4459 * Returns: void function
4460 */
4461 void DecodeICMPEmbeddedIP6(const uint8_t *pkt, const uint32_t len, Packet *p)
4462 {
4463
4464 /* lay the IP struct over the raw data */
4465 IP6RawHdr* hdr = (IP6RawHdr*)pkt;
4466 pc.embdip++;
4467
4468 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "DecodeICMPEmbeddedIP6: ip header"
4469 " starts at: %p, length is %lu\n", hdr,
4470 (unsigned long) len););
4471
4472 /* do a little validation */
4473 if ( len < IP6_HDR_LEN )
4474 {
4475 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
4476 "ICMP6: IP short header (%d bytes)\n", len););
4477
4478 DecoderEvent(p, DECODE_ICMP_ORIG_IP_TRUNCATED,
4479 DECODE_ICMP_ORIG_IP_TRUNCATED_STR, 1, 1);
4480
4481 pc.discards++;
4482 return;
4483 }
4484
4485 /*
4486 * with datalink DLT_RAW it's impossible to differ ARP datagrams from IP.
4487 * So we are just ignoring non IP datagrams
4488 */
4489 if(IPRAW_HDR_VER(hdr) != 6)
4490 {
4491 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
4492 "ICMP: not IPv6 datagram ([ver: 0x%x][len: 0x%x])\n",
4493 IPRAW_HDR_VER(hdr), len););
4494
4495 DecoderEvent(p, DECODE_ICMP_ORIG_IP_VER_MISMATCH,
4496 DECODE_ICMP_ORIG_IP_VER_MISMATCH_STR, 1, 1);
4497
4498 pc.discards++;
4499 return;
4500 }
4501
4502 sfiph_orig_build(p, pkt, AF_INET6);
4503
4504
4505 // XXX NOT YET IMPLEMENTED - fragments inside ICMP payload
4506
4507 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "ICMP6 Unreachable IP6 header length: "
4508 "%lu\n", (unsigned long)IP6_HDR_LEN););
4509
4510 switch(GET_ORIG_IPH_PROTO(p))
4511 {
4512 case IPPROTO_TCP: /* decode the interesting part of the header */
4513 p->orig_tcph = (TCPHdr *)(pkt + IP6_HDR_LEN);
4514
4515 /* stuff more data into the printout data struct */
4516 p->orig_sp = ntohs(p->orig_tcph->th_sport);
4517 p->orig_dp = ntohs(p->orig_tcph->th_dport);
4518
4519 break;
4520
4521 case IPPROTO_UDP:
4522 p->orig_udph = (UDPHdr *)(pkt + IP6_HDR_LEN);
4523
4524 /* fill in the printout data structs */
4525 p->orig_sp = ntohs(p->orig_udph->uh_sport);
4526 p->orig_dp = ntohs(p->orig_udph->uh_dport);
4527
4528 break;
4529
4530 case IPPROTO_ICMP:
4531 p->orig_icmph = (ICMPHdr *)(pkt + IP6_HDR_LEN);
4532 break;
4533 }
4534
4535 return;
4536 }
4537
4538 //--------------------------------------------------------------------
4539 // decode.c::Teredo
4540 //--------------------------------------------------------------------
4541
4542 /* Function: DecodeTeredo(uint8_t *, uint32_t, Packet *)
4543 *
4544 * Teredo is IPv6 layered over UDP, with optional "indicators" in between.
4545 * Decode these (if present) and go to DecodeIPv6.
4546 *
4547 */
4548
4549 void DecodeTeredo(const uint8_t *pkt, uint32_t len, Packet *p)
4550 {
4551 if (len < TEREDO_MIN_LEN)
4552 return;
4553
4554 /* Decode indicators. If both are present, Auth always comes before Origin. */
4555 if (ntohs(*(uint16_t *)pkt) == TEREDO_INDICATOR_AUTH)
4556 {
4557 uint8_t client_id_length, auth_data_length;
4558
4559 if (len < TEREDO_INDICATOR_AUTH_MIN_LEN)
4560 return;
4561
4562 client_id_length = *(pkt + 2);
4563 auth_data_length = *(pkt + 3);
4564
4565 if (len < (uint32_t)(TEREDO_INDICATOR_AUTH_MIN_LEN + client_id_length + auth_data_length))
4566 return;
4567
4568 pkt += (TEREDO_INDICATOR_AUTH_MIN_LEN + client_id_length + auth_data_length);
4569 len -= (TEREDO_INDICATOR_AUTH_MIN_LEN + client_id_length + auth_data_length);
4570 }
4571
4572 if (ntohs(*(uint16_t *)pkt) == TEREDO_INDICATOR_ORIGIN)
4573 {
4574 if (len < TEREDO_INDICATOR_ORIGIN_LEN)
4575 return;
4576
4577 pkt += TEREDO_INDICATOR_ORIGIN_LEN;
4578 len -= TEREDO_INDICATOR_ORIGIN_LEN;
4579 }
4580
4581 /* If this is an IPv6 datagram, the first 4 bits will be the number 6. */
4582 if (( (*pkt & 0xF0) >> 4) == 6)
4583 {
4584 p->proto_bits |= PROTO_BIT__TEREDO;
4585 pc.teredo++;
4586
4587 if ( ScTunnelBypassEnabled(TUNNEL_TEREDO) )
4588 Active_SetTunnelBypass();
4589
4590 if (ScDeepTeredoInspection() && (p->sp != TEREDO_PORT) && (p->dp != TEREDO_PORT))
4591 p->packet_flags |= PKT_UNSURE_ENCAP;
4592
4593 DecodeIPV6(pkt, len, p);
4594
4595 p->packet_flags &= ~PKT_UNSURE_ENCAP;
4596 }
4597
4598 /* Otherwise, we treat this as normal UDP traffic. */
4599 return;
4600 }
4601
4602 //--------------------------------------------------------------------
4603 // decode.c::ESP
4604 //--------------------------------------------------------------------
4605
4606 /* Function: DecodeAH
4607 *
4608 * Purpose: Decode Authentication Header
4609 *
4610 * NOTE: This is for IPv4 Auth Headers, we leave IPv6 to do its own
4611 * work.
4612 *
4613 */
4614 void DecodeAH(const uint8_t *pkt, uint32_t len, Packet *p)
4615 {
4616 IP6Extension *ah = (IP6Extension *)pkt;
4617 unsigned extlen;
4618
4619 if ( len < sizeof(*ah) )
4620 {
4621 DecoderEvent(p, EVARGS(AUTH_HDR_TRUNC), 1, 1);
4622 pc.discards++;
4623 return;
4624 }
4625
4626 extlen = sizeof(*ah) + (ah->ip6e_len << 2);
4627 if ( extlen > len )
4628 {
4629 DecoderEvent(p, EVARGS(AUTH_HDR_BAD_LEN), 1, 1);
4630 pc.discards++;
4631 return;
4632 }
4633
4634 PushLayer(PROTO_AH, p, pkt, extlen);
4635 DecodeIPv4Proto(ah->ip6e_nxt, pkt+extlen, len-extlen, p);
4636 }
4637
4638 /*
4639 * Function: DecodeESP(const uint8_t *, uint32_t, Packet *)
4640 *
4641 * Purpose: Attempt to decode Encapsulated Security Payload.
4642 * The contents are probably encrypted, but ESP is sometimes used
4643 * with "null" encryption, solely for Authentication.
4644 * This is more of a heuristic -- there is no ESP field that specifies
4645 * the encryption type (or lack thereof).
4646 *
4647 * Arguments: pkt => ptr to the packet data
4648 * len => length from here to the end of the packet
4649 * p => ptr to the Packet struct being filled out
4650 *
4651 * Returns: void function
4652 */
4653 void DecodeESP(const uint8_t *pkt, uint32_t len, Packet *p)
4654 {
4655 const uint8_t *esp_payload;
4656 uint8_t next_header;
4657 uint8_t pad_length;
4658 uint8_t save_layer = p->next_layer;
4659
4660 /* The ESP header contains a crypto Initialization Vector (IV) and
4661 a sequence number. Skip these. */
4662 if (len < (ESP_HEADER_LEN + ESP_AUTH_DATA_LEN + ESP_TRAILER_LEN))
4663 {
4664 /* Truncated ESP traffic. Bail out here and inspect the rest as payload. */
4665 DecoderEvent(p, EVARGS(ESP_HEADER_TRUNC), 1, 1);
4666 p->data = pkt;
4667 p->dsize = (uint16_t) len;
4668 return;
4669 }
4670 esp_payload = pkt + ESP_HEADER_LEN;
4671
4672 /* The Authentication Data at the end of the packet is variable-length.
4673 RFC 2406 says that Encryption and Authentication algorithms MUST NOT
4674 both be NULL, so we assume NULL Encryption and some other Authentication.
4675
4676 The mandatory algorithms for Authentication are HMAC-MD5-96 and
4677 HMAC-SHA-1-96, so we assume a 12-byte authentication data at the end. */
4678 len -= (ESP_HEADER_LEN + ESP_AUTH_DATA_LEN + ESP_TRAILER_LEN);
4679
4680 pad_length = *(esp_payload + len);
4681 next_header = *(esp_payload + len + 1);
4682
4683 /* Adjust the packet length to account for the padding.
4684 If the padding length is too big, this is probably encrypted traffic. */
4685 if (pad_length < len)
4686 {
4687 len -= (pad_length);
4688 }
4689 else
4690 {
4691 p->packet_flags |= PKT_TRUST;
4692 p->data = esp_payload;
4693 p->dsize = (u_short) len;
4694 return;
4695 }
4696
4697 /* Attempt to decode the inner payload.
4698 There is a small chance that an encrypted next_header would become a
4699 different valid next_header. The PKT_UNSURE_ENCAP flag tells the next
4700 decoder stage to silently ignore invalid headers. */
4701
4702 p->packet_flags |= PKT_UNSURE_ENCAP;
4703 switch (next_header)
4704 {
4705 case IPPROTO_IPIP:
4706 DecodeIP(esp_payload, len, p);
4707 p->packet_flags &= ~PKT_UNSURE_ENCAP;
4708 break;
4709
4710 case IPPROTO_IPV6:
4711 DecodeIPV6(esp_payload, len, p);
4712 p->packet_flags &= ~PKT_UNSURE_ENCAP;
4713 break;
4714
4715 case IPPROTO_TCP:
4716 pc.tcp++;
4717 DecodeTCP(esp_payload, len, p);
4718 p->packet_flags &= ~PKT_UNSURE_ENCAP;
4719 break;
4720
4721 case IPPROTO_UDP:
4722 pc.udp++;
4723 DecodeUDP(esp_payload, len, p);
4724 p->packet_flags &= ~PKT_UNSURE_ENCAP;
4725 break;
4726
4727 case IPPROTO_ICMP:
4728 pc.icmp++;
4729 DecodeICMP(esp_payload, len, p);
4730 p->packet_flags &= ~PKT_UNSURE_ENCAP;
4731 break;
4732
4733 #ifdef GRE
4734 case IPPROTO_GRE:
4735 pc.gre++;
4736 DecodeGRE(esp_payload, len, p);
4737 p->packet_flags &= ~PKT_UNSURE_ENCAP;
4738 break;
4739 #endif
4740
4741 default:
4742 /* If we didn't get a valid next_header, this packet is probably
4743 encrypted. Start data here and treat it as an IP datagram. */
4744 p->data = esp_payload;
4745 p->dsize = (u_short) len;
4746 p->packet_flags &= ~PKT_UNSURE_ENCAP;
4747 p->packet_flags |= PKT_TRUST;
4748 return;
4749 }
4750
4751 /* If no protocol was added to the stack, than we assume its'
4752 * encrypted. */
4753 if (save_layer == p->next_layer)
4754 p->packet_flags |= PKT_TRUST;
4755 }
4756
4757 #ifdef GRE
4758 //--------------------------------------------------------------------
4759 // decode.c::ERSPAN
4760 //--------------------------------------------------------------------
4761
4762 /*
4763 * Function: DecodeERSPANType2(uint8_t *, uint32_t, Packet *)
4764 *
4765 * Purpose: Decode Encapsulated Remote Switch Packet Analysis Type 2
4766 * This will decode ERSPAN Type 2 Headers
4767 *
4768 * Arguments: pkt => ptr to the packet data
4769 * len => length from here to the end of the packet
4770 * p => pointer to decoded packet struct
4771 *
4772 * Returns: void function
4773 *
4774 */
4775 void DecodeERSPANType2(const uint8_t *pkt, const uint32_t len, Packet *p)
4776 {
4777 uint32_t hlen = sizeof(ERSpanType2Hdr);
4778 uint32_t payload_len;
4779 ERSpanType2Hdr *erSpan2Hdr = (ERSpanType2Hdr *)pkt;
4780
4781 if (len < sizeof(ERSpanType2Hdr))
4782 {
4783 DecoderAlertEncapsulated(p, DECODE_ERSPAN2_DGRAM_LT_HDR,
4784 DECODE_ERSPAN2_DGRAM_LT_HDR_STR,
4785 pkt, len);
4786 return;
4787 }
4788
4789 if (p->encapsulated)
4790 {
4791 /* discard packet - multiple encapsulation */
4792 /* not sure if this is ever used but I am assuming it is not */
4793 DecoderAlertEncapsulated(p, DECODE_IP_MULTIPLE_ENCAPSULATION,
4794 DECODE_IP_MULTIPLE_ENCAPSULATION_STR,
4795 pkt, len);
4796 return;
4797 }
4798
4799 /* Check that this is in fact ERSpan Type 2.
4800 */
4801 if (ERSPAN_VERSION(erSpan2Hdr) != 0x01) /* Type 2 == version 0x01 */
4802 {
4803 DecoderAlertEncapsulated(p, DECODE_ERSPAN_HDR_VERSION_MISMATCH,
4804 DECODE_ERSPAN_HDR_VERSION_MISMATCH_STR,
4805 pkt, len);
4806 return;
4807 }
4808
4809 PushLayer(PROTO_ERSPAN, p, pkt, hlen);
4810 payload_len = len - hlen;
4811
4812 DecodeTransBridging(pkt + hlen, payload_len, p);
4813 }
4814
4815 /*
4816 * Function: DecodeERSPANType3(uint8_t *, uint32_t, Packet *)
4817 *
4818 * Purpose: Decode Encapsulated Remote Switch Packet Analysis Type 3
4819 * This will decode ERSPAN Type 3 Headers
4820 *
4821 * Arguments: pkt => ptr to the packet data
4822 * len => length from here to the end of the packet
4823 * p => pointer to decoded packet struct
4824 *
4825 * Returns: void function
4826 *
4827 */
4828 void DecodeERSPANType3(const uint8_t *pkt, const uint32_t len, Packet *p)
4829 {
4830 uint32_t hlen = sizeof(ERSpanType3Hdr);
4831 uint32_t payload_len;
4832 ERSpanType3Hdr *erSpan3Hdr = (ERSpanType3Hdr *)pkt;
4833
4834 if (len < sizeof(ERSpanType3Hdr))
4835 {
4836 DecoderAlertEncapsulated(p, DECODE_ERSPAN3_DGRAM_LT_HDR,
4837 DECODE_ERSPAN3_DGRAM_LT_HDR_STR,
4838 pkt, len);
4839 return;
4840 }
4841
4842 if (p->encapsulated)
4843 {
4844 /* discard packet - multiple encapsulation */
4845 /* not sure if this is ever used but I am assuming it is not */
4846 DecoderAlertEncapsulated(p, DECODE_IP_MULTIPLE_ENCAPSULATION,
4847 DECODE_IP_MULTIPLE_ENCAPSULATION_STR,
4848 pkt, len);
4849 return;
4850 }
4851
4852 /* Check that this is in fact ERSpan Type 3.
4853 */
4854 if (ERSPAN_VERSION(erSpan3Hdr) != 0x02) /* Type 3 == version 0x02 */
4855 {
4856 DecoderAlertEncapsulated(p, DECODE_ERSPAN_HDR_VERSION_MISMATCH,
4857 DECODE_ERSPAN_HDR_VERSION_MISMATCH_STR,
4858 pkt, len);
4859 return;
4860 }
4861
4862 PushLayer(PROTO_ERSPAN, p, pkt, hlen);
4863 payload_len = len - hlen;
4864
4865 DecodeTransBridging(pkt + hlen, payload_len, p);
4866 }
4867
4868 //--------------------------------------------------------------------
4869 // decode.c::GRE
4870 //--------------------------------------------------------------------
4871
4872 /*
4873 * Function: DecodeGRE(uint8_t *, uint32_t, Packet *)
4874 *
4875 * Purpose: Decode Generic Routing Encapsulation Protocol
4876 * This will decode normal GRE and PPTP GRE.
4877 *
4878 * Arguments: pkt => ptr to the packet data
4879 * len => length from here to the end of the packet
4880 * p => pointer to decoded packet struct
4881 *
4882 * Returns: void function
4883 *
4884 * Notes: see RFCs 1701, 2784 and 2637
4885 */
4886 void DecodeGRE(const uint8_t *pkt, const uint32_t len, Packet *p)
4887 {
4888 uint32_t hlen; /* GRE header length */
4889 uint32_t payload_len;
4890
4891 if (len < GRE_HEADER_LEN)
4892 {
4893 DecoderAlertEncapsulated(p, DECODE_GRE_DGRAM_LT_GREHDR,
4894 DECODE_GRE_DGRAM_LT_GREHDR_STR,
4895 pkt, len);
4896 return;
4897 }
4898
4899 if (p->encapsulated)
4900 {
4901 /* discard packet - multiple GRE encapsulation */
4902 /* not sure if this is ever used but I am assuming it is not */
4903 DecoderAlertEncapsulated(p, DECODE_IP_MULTIPLE_ENCAPSULATION,
4904 DECODE_IP_MULTIPLE_ENCAPSULATION_STR,
4905 pkt, len);
4906 return;
4907 }
4908
4909 /* Note: Since GRE doesn't have a field to indicate header length and
4910 * can contain a few options, we need to walk through the header to
4911 * figure out the length
4912 */
4913
4914 p->greh = (GREHdr *)pkt;
4915 hlen = GRE_HEADER_LEN;
4916
4917 switch (GRE_VERSION(p->greh))
4918 {
4919 case 0x00:
4920 /* these must not be set */
4921 if (GRE_RECUR(p->greh) || GRE_FLAGS(p->greh))
4922 {
4923 DecoderAlertEncapsulated(p, DECODE_GRE_INVALID_HEADER,
4924 DECODE_GRE_INVALID_HEADER_STR,
4925 pkt, len);
4926 return;
4927 }
4928
4929 if (GRE_CHKSUM(p->greh) || GRE_ROUTE(p->greh))
4930 hlen += GRE_CHKSUM_LEN + GRE_OFFSET_LEN;
4931
4932 if (GRE_KEY(p->greh))
4933 hlen += GRE_KEY_LEN;
4934
4935 if (GRE_SEQ(p->greh))
4936 hlen += GRE_SEQ_LEN;
4937
4938 /* if this flag is set, we need to walk through all of the
4939 * Source Route Entries */
4940 if (GRE_ROUTE(p->greh))
4941 {
4942 uint16_t sre_addrfamily;
4943 uint8_t sre_offset;
4944 uint8_t sre_length;
4945 const uint8_t *sre_ptr;
4946
4947 sre_ptr = pkt + hlen;
4948
4949 while (1)
4950 {
4951 hlen += GRE_SRE_HEADER_LEN;
4952 if (hlen > len)
4953 break;
4954
4955 sre_addrfamily = ntohs(*((uint16_t *)sre_ptr));
4956 sre_ptr += sizeof(sre_addrfamily);
4957
4958 sre_offset = *((uint8_t *)sre_ptr);
4959 sre_ptr += sizeof(sre_offset);
4960
4961 sre_length = *((uint8_t *)sre_ptr);
4962 sre_ptr += sizeof(sre_length);
4963
4964 if ((sre_addrfamily == 0) && (sre_length == 0))
4965 break;
4966
4967 hlen += sre_length;
4968 sre_ptr += sre_length;
4969 }
4970 }
4971
4972 break;
4973
4974 /* PPTP */
4975 case 0x01:
4976 /* these flags should never be present */
4977 if (GRE_CHKSUM(p->greh) || GRE_ROUTE(p->greh) || GRE_SSR(p->greh) ||
4978 GRE_RECUR(p->greh) || GRE_V1_FLAGS(p->greh))
4979 {
4980 DecoderAlertEncapsulated(p, DECODE_GRE_V1_INVALID_HEADER,
4981 DECODE_GRE_V1_INVALID_HEADER_STR,
4982 pkt, len);
4983 return;
4984 }
4985
4986 /* protocol must be 0x880B - PPP */
4987 if (GRE_PROTO(p->greh) != GRE_TYPE_PPP)
4988 {
4989 DecoderAlertEncapsulated(p, DECODE_GRE_V1_INVALID_HEADER,
4990 DECODE_GRE_V1_INVALID_HEADER_STR,
4991 pkt, len);
4992 return;
4993 }
4994
4995 /* this flag should always be present */
4996 if (!(GRE_KEY(p->greh)))
4997 {
4998 DecoderAlertEncapsulated(p, DECODE_GRE_V1_INVALID_HEADER,
4999 DECODE_GRE_V1_INVALID_HEADER_STR,
5000 pkt, len);
5001 return;
5002 }
5003
5004 hlen += GRE_KEY_LEN;
5005
5006 if (GRE_SEQ(p->greh))
5007 hlen += GRE_SEQ_LEN;
5008
5009 if (GRE_V1_ACK(p->greh))
5010 hlen += GRE_V1_ACK_LEN;
5011
5012 break;
5013
5014 default:
5015 DecoderAlertEncapsulated(p, DECODE_GRE_INVALID_VERSION,
5016 DECODE_GRE_INVALID_VERSION_STR,
5017 pkt, len);
5018 return;
5019 }
5020
5021 if (hlen > len)
5022 {
5023 DecoderAlertEncapsulated(p, DECODE_GRE_DGRAM_LT_GREHDR,
5024 DECODE_GRE_DGRAM_LT_GREHDR_STR,
5025 pkt, len);
5026 return;
5027 }
5028
5029 PushLayer(PROTO_GRE, p, pkt, hlen);
5030 payload_len = len - hlen;
5031
5032 if ( ScTunnelBypassEnabled(TUNNEL_GRE) )
5033 Active_SetTunnelBypass();
5034
5035 /* Send to next protocol decoder */
5036 /* As described in RFC 2784 the possible protocols are listed in
5037 * RFC 1700 under "ETHER TYPES"
5038 * See also "Current List of Protocol Types" in RFC 1701
5039 */
5040 switch (GRE_PROTO(p->greh))
5041 {
5042 case ETHERNET_TYPE_IP:
5043 DecodeIP(pkt + hlen, payload_len, p);
5044 return;
5045
5046 case GRE_TYPE_TRANS_BRIDGING:
5047 DecodeTransBridging(pkt + hlen, payload_len, p);
5048 return;
5049
5050 case ETHERNET_TYPE_ARP:
5051 case ETHERNET_TYPE_REVARP:
5052 /* clear outer IP headers */
5053 p->iph = NULL;
5054 p->family = NO_IP;
5055 DecodeARP(pkt + hlen, payload_len, p);
5056 return;
5057
5058 case ETHERNET_TYPE_IPV6:
5059 DecodeIPV6(pkt + hlen, payload_len, p);
5060 return;
5061
5062 case GRE_TYPE_PPP:
5063 DecodePppPktEncapsulated(pkt + hlen, payload_len, p);
5064 return;
5065
5066 case ETHERNET_TYPE_ERSPAN_TYPE2:
5067 DecodeERSPANType2(pkt + hlen, payload_len, p);
5068 return;
5069
5070 case ETHERNET_TYPE_ERSPAN_TYPE3:
5071 DecodeERSPANType3(pkt + hlen, payload_len, p);
5072 return;
5073
5074 #ifndef NO_NON_ETHER_DECODER
5075 case ETHERNET_TYPE_IPX:
5076 DecodeIPX(pkt + hlen, payload_len, p);
5077 return;
5078 #endif
5079
5080 case ETHERNET_TYPE_LOOP:
5081 DecodeEthLoopback(pkt + hlen, payload_len, p);
5082 return;
5083
5084 /* not sure if this occurs, but 802.1q is an Ether type */
5085 case ETHERNET_TYPE_8021Q:
5086 DecodeVlan(pkt + hlen, payload_len, p);
5087 return;
5088
5089 #ifdef MPLS_RFC4023_SUPPORT
5090 case ETHERNET_TYPE_MPLS_MULTICAST:
5091 if(!ScMplsMulticast())
5092 {
5093 DecoderEvent(p, DECODE_BAD_MPLS,
5094 DECODE_MULTICAST_MPLS_STR, 1, 1);
5095 }
5096 /* Fall through */
5097 case ETHERNET_TYPE_MPLS_UNICAST:
5098 DecodeMPLS(p->pkt + LEN_VLAN_LLC_OTHER,
5099 len - LEN_VLAN_LLC_OTHER, p);
5100 return;
5101 #endif
5102
5103 default:
5104 // TBD add decoder drop event for unknown gre/eth type
5105 pc.other++;
5106 p->data = pkt + hlen;
5107 p->dsize = (uint16_t)payload_len;
5108 return;
5109 }
5110 }
5111 #endif // GRE
5112
5113 //--------------------------------------------------------------------
5114 // decode.c::GTP
5115 //--------------------------------------------------------------------
5116
5117 /* Function: DecodeGTP(uint8_t *, uint32_t, Packet *)
5118 *
5119 * GTP (GPRS Tunneling Protocol) is layered over UDP.
5120 * Decode these (if present) and go to DecodeIPv6/DecodeIP.
5121 *
5122 */
5123
5124 void DecodeGTP(const uint8_t *pkt, uint32_t len, Packet *p)
5125 {
5126 uint32_t header_len;
5127 uint8_t next_hdr_type;
5128 uint8_t version;
5129 uint8_t ip_ver;
5130 GTPHdr *hdr;
5131
5132 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Start GTP decoding.\n"););
5133
5134 hdr = (GTPHdr *) pkt;
5135
5136 if (p->GTPencapsulated)
5137 {
5138 DecoderAlertEncapsulated(p, DECODE_GTP_MULTIPLE_ENCAPSULATION,
5139 DECODE_GTP_MULTIPLE_ENCAPSULATION_STR,
5140 pkt, len);
5141 return;
5142 }
5143 else
5144 {
5145 p->GTPencapsulated = 1;
5146 }
5147 /*Check the length*/
5148 if (len < GTP_MIN_LEN)
5149 return;
5150 /* We only care about PDU*/
5151 if ( hdr->type != 255)
5152 return;
5153 /*Check whether this is GTP or GTP', Exit if GTP'*/
5154 if (!(hdr->flag & 0x10))
5155 return;
5156
5157 /*The first 3 bits are version number*/
5158 version = (hdr->flag & 0xE0) >> 5;
5159 switch (version)
5160 {
5161 case 0: /*GTP v0*/
5162 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "GTP v0 packets.\n"););
5163
5164 header_len = GTP_V0_HEADER_LEN;
5165 /*Check header fields*/
5166 if (len < header_len)
5167 {
5168 DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1);
5169 return;
5170 }
5171
5172 p->proto_bits |= PROTO_BIT__GTP;
5173
5174 /*Check the length field. */
5175 if (len != ((unsigned int)ntohs(hdr->length) + header_len))
5176 {
5177 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Calculated length %d != %d in header.\n",
5178 len - header_len, ntohs(hdr->length)););
5179 DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1);
5180 return;
5181 }
5182
5183 break;
5184 case 1: /*GTP v1*/
5185 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "GTP v1 packets.\n"););
5186
5187 /*Check the length based on optional fields and extension header*/
5188 if (hdr->flag & 0x07)
5189 {
5190
5191 header_len = GTP_V1_HEADER_LEN;
5192
5193 /*Check optional fields*/
5194 if (len < header_len)
5195 {
5196 DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1);
5197 return;
5198 }
5199 next_hdr_type = *(pkt + header_len - 1);
5200
5201 /*Check extension headers*/
5202 while (next_hdr_type)
5203 {
5204 uint16_t ext_hdr_len;
5205 /*check length before reading data*/
5206 if (len < header_len + 4)
5207 {
5208 DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1);
5209 return;
5210 }
5211
5212 ext_hdr_len = *(pkt + header_len);
5213
5214 if (!ext_hdr_len)
5215 {
5216 DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1);
5217 return;
5218 }
5219 /*Extension header length is a unit of 4 octets*/
5220 header_len += ext_hdr_len * 4;
5221
5222 /*check length before reading data*/
5223 if (len < header_len)
5224 {
5225 DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1);
5226 return;
5227 }
5228 next_hdr_type = *(pkt + header_len - 1);
5229 }
5230 }
5231 else
5232 header_len = GTP_MIN_LEN;
5233
5234 p->proto_bits |= PROTO_BIT__GTP;
5235
5236 /*Check the length field. */
5237 if (len != ((unsigned int)ntohs(hdr->length) + GTP_MIN_LEN))
5238 {
5239 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Calculated length %d != %d in header.\n",
5240 len - GTP_MIN_LEN, ntohs(hdr->length)););
5241 DecoderEvent(p, EVARGS(GTP_BAD_LEN), 1, 1);
5242 return;
5243 }
5244
5245 break;
5246 default:
5247 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Unknown protocol version.\n"););
5248 return;
5249
5250 }
5251
5252 PushLayer(PROTO_GTP, p, pkt, header_len);
5253
5254 if ( ScTunnelBypassEnabled(TUNNEL_GTP) )
5255 Active_SetTunnelBypass();
5256
5257 len -= header_len;
5258 if (len > 0)
5259 {
5260 ip_ver = *(pkt+header_len) & 0xF0;
5261 if (ip_ver == 0x40)
5262 DecodeIP(pkt+header_len, len, p);
5263 else if (ip_ver == 0x60)
5264 DecodeIPV6(pkt+header_len, len, p);
5265 p->packet_flags &= ~PKT_UNSURE_ENCAP;
5266 }
5267
5268 }
5269
5270 //--------------------------------------------------------------------
5271 // decode.c::UDP
5272 //--------------------------------------------------------------------
5273
5274 /* UDP-layer decoder alerts */
5275 static inline void UDPMiscTests(Packet *p)
5276 {
5277 if ( Event_Enabled(DECODE_UDP_LARGE_PACKET) )
5278 {
5279 if (p->dsize > 4000)
5280 DecoderEvent(p, EVARGS(UDP_LARGE_PACKET), 1, 1);
5281 }
5282
5283 if ( Event_Enabled(DECODE_UDP_PORT_ZERO) )
5284 {
5285 if (p->udph->uh_sport == 0 || p->udph->uh_dport == 0)
5286 DecoderEvent(p, EVARGS(UDP_PORT_ZERO), 1, 1);
5287 }
5288 }
5289
5290 /*
5291 * Function: DecodeUDP(uint8_t *, const uint32_t, Packet *)
5292 *
5293 * Purpose: Decode the UDP transport layer
5294 *
5295 * Arguments: pkt => ptr to the packet data
5296 * len => length from here to the end of the packet
5297 * p => pointer to decoded packet struct
5298 *
5299 * Returns: void function
5300 */
5301 static inline void PopUdp (Packet* p)
5302 {
5303 p->udph = p->outer_udph;
5304 p->outer_udph = NULL;
5305 pc.discards++;
5306 pc.udisc++;
5307
5308 // required for detect.c to short-circuit preprocessing
5309 if ( !p->dsize )
5310 p->dsize = p->ip_dsize;
5311 }
5312
5313 void DecodeUDP(const uint8_t * pkt, const uint32_t len, Packet * p)
5314 {
5315 uint16_t uhlen;
5316 u_char fragmented_udp_flag = 0;
5317
5318 if (p->proto_bits & (PROTO_BIT__TEREDO | PROTO_BIT__GTP))
5319 p->outer_udph = p->udph;
5320
5321 if(len < sizeof(UDPHdr))
5322 {
5323 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
5324 "Truncated UDP header (%d bytes)\n", len););
5325
5326 DecoderEvent(p, DECODE_UDP_DGRAM_LT_UDPHDR,
5327 DECODE_UDP_DGRAM_LT_UDPHDR_STR, 1, 1);
5328
5329 PopUdp(p);
5330 return;
5331 }
5332
5333 /* set the ptr to the start of the UDP header */
5334 p->inner_udph = p->udph = (UDPHdr *) pkt;
5335
5336 if (!p->frag_flag)
5337 {
5338 uhlen = ntohs(p->udph->uh_len);
5339 }
5340 else
5341 {
5342 if(IS_IP6(p))
5343 {
5344 uint16_t ip_len = ntohs(GET_IPH_LEN(p));
5345 /* subtract the distance from udp header to 1st ip6 extension */
5346 /* This gives the length of the UDP "payload", when fragmented */
5347 uhlen = ip_len - ((u_char *)p->udph - (u_char *)p->ip6_extensions[0].data);
5348 }
5349 else
5350 {
5351 uint16_t ip_len = ntohs(GET_IPH_LEN(p));
5352 /* Don't forget, IP_HLEN is a word - multiply x 4 */
5353 uhlen = ip_len - (GET_IPH_HLEN(p) * 4 );
5354 }
5355 fragmented_udp_flag = 1;
5356 }
5357
5358 /* verify that the header len is a valid value */
5359 if(uhlen < UDP_HEADER_LEN)
5360 {
5361 DecoderEvent(p, DECODE_UDP_DGRAM_INVALID_LENGTH,
5362 DECODE_UDP_DGRAM_INVALID_LENGTH_STR, 1, 1);
5363
5364 PopUdp(p);
5365 return;
5366 }
5367
5368 /* make sure there are enough bytes as designated by length field */
5369 if(uhlen > len)
5370 {
5371 DecoderEventDrop(p, DECODE_UDP_DGRAM_SHORT_PACKET,
5372 DECODE_UDP_DGRAM_SHORT_PACKET_STR,
5373 ScDecoderOversizedAlerts(),
5374 ScDecoderOversizedDrops());
5375
5376 PopUdp(p);
5377 return;
5378 }
5379 else if(uhlen < len)
5380 {
5381 DecoderEvent(p, DECODE_UDP_DGRAM_LONG_PACKET,
5382 DECODE_UDP_DGRAM_LONG_PACKET_STR, 1, 1);
5383
5384 PopUdp(p);
5385 return;
5386 }
5387
5388 if (ScUdpChecksums())
5389 {
5390 /* look at the UDP checksum to make sure we've got a good packet */
5391 uint16_t csum;
5392 if(IS_IP4(p))
5393 {
5394 pseudoheader ph;
5395 ph.sip = p->iph->ip_src.s_addr;
5396 ph.dip = p->iph->ip_dst.s_addr;
5397 ph.zero = 0;
5398 ph.protocol = GET_IPH_PROTO(p);
5399 ph.len = p->udph->uh_len;
5400 /* Don't do checksum calculation if
5401 * 1) Fragmented, OR
5402 * 2) UDP header chksum value is 0.
5403 */
5404 if( !fragmented_udp_flag && p->udph->uh_chk )
5405 {
5406 csum = in_chksum_udp(&ph,
5407 (uint16_t *)(p->udph), uhlen);
5408 }
5409 else
5410 {
5411 csum = 0;
5412 }
5413 }
5414 else
5415 {
5416 IP6RawHdr* hdr6 = (IP6RawHdr*)p->iph;
5417 pseudoheader6 ph6;
5418 COPY4(ph6.sip, hdr6->ip6_src.s6_addr32);
5419 COPY4(ph6.dip, hdr6->ip6_dst.s6_addr32);
5420 ph6.zero = 0;
5421 ph6.protocol = GET_IPH_PROTO(p);
5422 ph6.len = htons((u_short)len);
5423
5424 /* Alert on checksum value 0 for ipv6 packets */
5425 if(!p->udph->uh_chk)
5426 {
5427 csum = 1;
5428 DecoderEvent(p, DECODE_UDP_IPV6_ZERO_CHECKSUM,
5429 DECODE_UDP_IPV6_ZERO_CHECKSUM_STR, 1, 1);
5430 }
5431 /* Don't do checksum calculation if
5432 * 1) Fragmented
5433 * (UDP checksum is not optional in IP6)
5434 */
5435 else if( !fragmented_udp_flag )
5436 {
5437 csum = in_chksum_udp6(&ph6,
5438 (uint16_t *)(p->udph), uhlen);
5439 }
5440 else
5441 {
5442 csum = 0;
5443 }
5444 }
5445 if(csum)
5446 {
5447 /* Don't drop the packet if this was ESP or Teredo.
5448 Just stop decoding. */
5449 if (p->packet_flags & PKT_UNSURE_ENCAP)
5450 {
5451 PopUdp(p);
5452 return;
5453 }
5454
5455 p->error_flags |= PKT_ERR_CKSUM_UDP;
5456 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad UDP Checksum\n"););
5457
5458 if ( ScIdsMode() )
5459 queueExecDrop(execUdpChksmDrop, p);
5460 }
5461 else
5462 {
5463 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "UDP Checksum: OK\n"););
5464 }
5465 }
5466
5467 /* fill in the printout data structs */
5468 #ifdef HAVE_DAQ_REAL_ADDRESSES
5469 if (p->outer_iph || !(p->pkth->flags & DAQ_PKT_FLAG_REAL_ADDRESSES))
5470 {
5471 #endif
5472 p->sp = ntohs(p->udph->uh_sport);
5473 p->dp = ntohs(p->udph->uh_dport);
5474 #ifdef HAVE_DAQ_REAL_ADDRESSES
5475 }
5476 else
5477 {
5478 p->sp = ntohs(p->pkth->n_real_sPort);
5479 p->dp = ntohs(p->pkth->n_real_dPort);
5480 }
5481 #endif
5482
5483 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "UDP header starts at: %p\n", p->udph););
5484
5485 PushLayer(PROTO_UDP, p, pkt, sizeof(*p->udph));
5486
5487 p->data = (uint8_t *) (pkt + UDP_HEADER_LEN);
5488
5489 /* length was validated up above */
5490 p->dsize = uhlen - UDP_HEADER_LEN;
5491
5492 p->proto_bits |= PROTO_BIT__UDP;
5493
5494 /* Drop packet if we ignore this port */
5495 if (ScIgnoreUdpPort(p->sp) || ScIgnoreUdpPort(p->dp))
5496 {
5497 /* Ignore all preprocessors for this packet */
5498 p->packet_flags |= PKT_IGNORE;
5499 return;
5500 }
5501
5502 UDPMiscTests(p);
5503
5504 if (p->sp == TEREDO_PORT ||
5505 p->dp == TEREDO_PORT ||
5506 ScDeepTeredoInspection())
5507 {
5508 if ( !p->frag_flag )
5509 DecodeTeredo(pkt + sizeof(UDPHdr), len - sizeof(UDPHdr), p);
5510 }
5511 if (ScGTPDecoding() &&
5512 (ScIsGTPPort(p->sp)||ScIsGTPPort(p->dp)))
5513 {
5514 if ( !p->frag_flag )
5515 DecodeGTP(pkt + sizeof(UDPHdr), len - sizeof(UDPHdr), p);
5516 }
5517
5518 }
5519
5520 //--------------------------------------------------------------------
5521 // decode.c::TCP
5522 //--------------------------------------------------------------------
5523
5524 /* TCP-layer decoder alerts */
5525 static inline void TCPMiscTests(Packet *p)
5526 {
5527 if ( Event_Enabled(DECODE_TCP_SHAFT_SYNFLOOD) )
5528 {
5529 if ( ((p->tcph->th_flags & TH_NORESERVED) == TH_SYN ) &&
5530 (p->tcph->th_seq == htonl(674711609)) )
5531 DecoderEvent(p, EVARGS(TCP_SHAFT_SYNFLOOD), 1, 1);
5532 }
5533
5534 if ( Event_Enabled(DECODE_TCP_PORT_ZERO) )
5535 {
5536 if (p->tcph->th_sport == 0 || p->tcph->th_dport == 0)
5537 DecoderEvent(p, EVARGS(TCP_PORT_ZERO), 1, 1);
5538 }
5539 }
5540
5541 /*
5542 * Function: DecodeTCP(uint8_t *, const uint32_t, Packet *)
5543 *
5544 * Purpose: Decode the TCP transport layer
5545 *
5546 * Arguments: pkt => ptr to the packet data
5547 * len => length from here to the end of the packet
5548 * p => Pointer to packet decode struct
5549 *
5550 * Returns: void function
5551 */
5552 void DecodeTCP(const uint8_t * pkt, const uint32_t len, Packet * p)
5553 {
5554 uint32_t hlen; /* TCP header length */
5555
5556 if(len < TCP_HEADER_LEN)
5557 {
5558 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
5559 "TCP packet (len = %d) cannot contain " "20 byte header\n", len););
5560
5561 DecoderEvent(p, DECODE_TCP_DGRAM_LT_TCPHDR,
5562 DECODE_TCP_DGRAM_LT_TCPHDR_STR, 1, 1);
5563
5564 p->tcph = NULL;
5565 pc.discards++;
5566 pc.tdisc++;
5567
5568 return;
5569 }
5570
5571 /* lay TCP on top of the data cause there is enough of it! */
5572 p->tcph = (TCPHdr *) pkt;
5573
5574 /* multiply the payload offset value by 4 */
5575 hlen = TCP_OFFSET(p->tcph) << 2;
5576
5577 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "TCP th_off is %d, passed len is %lu\n",
5578 TCP_OFFSET(p->tcph), (unsigned long)len););
5579
5580 if(hlen < TCP_HEADER_LEN)
5581 {
5582 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
5583 "TCP Data Offset (%d) < hlen (%d) \n",
5584 TCP_OFFSET(p->tcph), hlen););
5585
5586 DecoderEvent(p, DECODE_TCP_INVALID_OFFSET,
5587 DECODE_TCP_INVALID_OFFSET_STR, 1, 1);
5588
5589 p->tcph = NULL;
5590 pc.discards++;
5591 pc.tdisc++;
5592
5593 return;
5594 }
5595
5596 if(hlen > len)
5597 {
5598 DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
5599 "TCP Data Offset(%d) < longer than payload(%d)!\n",
5600 TCP_OFFSET(p->tcph) << 2, len););
5601
5602 DecoderEventDrop(p, DECODE_TCP_LARGE_OFFSET,
5603 DECODE_TCP_LARGE_OFFSET_STR,
5604 ScDecoderOversizedAlerts(),
5605 ScDecoderOversizedDrops());
5606
5607 p->tcph = NULL;
5608 pc.discards++;
5609 pc.tdisc++;
5610
5611 return;
5612 }
5613
5614 /* Checksum code moved in front of the other decoder alerts.
5615 If it's a bad checksum (maybe due to encrypted ESP traffic), the other
5616 alerts could be false positives. */
5617 #ifdef HAVE_DAQ_DECRYPTED_SSL
5618 if (!(p->pkth->flags & DAQ_PKT_FLAG_DECRYPTED_SSL) && ScTcpChecksums())
5619 #else
5620 if (ScTcpChecksums())
5621 #endif
5622 {
5623 uint16_t csum;
5624 if(IS_IP4(p))
5625 {
5626 pseudoheader ph;
5627 ph.sip = p->iph->ip_src.s_addr;
5628 ph.dip = p->iph->ip_dst.s_addr;
5629 /* setup the pseudo header for checksum calculation */
5630 ph.zero = 0;
5631 ph.protocol = GET_IPH_PROTO(p);
5632 ph.len = htons((u_short)len);
5633
5634 /* if we're being "stateless" we probably don't care about the TCP
5635 * checksum, but it's not bad to keep around for shits and giggles */
5636 /* calculate the checksum */
5637 csum = in_chksum_tcp(&ph, (uint16_t *)(p->tcph), len);
5638 }