"Fossies" - the Fresh Open Source Software Archive

Member "snort-2.9.17/src/generators.h" (16 Oct 2020, 46622 Bytes) of package /linux/misc/snort-2.9.17.tar.gz:



    1 /* $Id$ */
    2 /*
    3 ** Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
    4 ** Copyright (C) 2002-2013 Sourcefire, Inc.
    5 ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
    6 **
    7 ** This program is free software; you can redistribute it and/or modify
    8 ** it under the terms of the GNU General Public License Version 2 as
    9 ** published by the Free Software Foundation.  You may not use, modify or
   10 ** distribute this program under any other version of the GNU General
   11 ** Public License.
   12 **
   13 ** This program is distributed in the hope that it will be useful,
   14 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
   15 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   16 ** GNU General Public License for more details.
   17 **
   18 ** You should have received a copy of the GNU General Public License
   19 ** along with this program; if not, write to the Free Software
   20 ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
   21 */
   22 
   23 #ifndef __GENERATORS_H__
   24 #define __GENERATORS_H__
   25 
   26 #define GENERATOR_SNORT_ENGINE        1   /* generator ID; no event macros are listed under it here */
   27 
   28 #define GENERATOR_TAG                 2
   29 #define    TAG_LOG_PKT                1
   30 
      /* Layout used by the rest of this header: a GENERATOR_* macro gives a
       * generator ID and the macros listed under it are that generator's event
       * numbers.  Event numbers restart at 1 for each generator, so an event is
       * only identified by the generator:event pair (written like 116:458 in
       * comments further down). */
   31 #define GENERATOR_SPP_BO            105
   32 #define     BO_TRAFFIC_DETECT           1
   33 #define     BO_CLIENT_TRAFFIC_DETECT    2
   34 #define     BO_SERVER_TRAFFIC_DETECT    3
   35 #define     BO_SNORT_BUFFER_ATTACK      4
   36 
   37 #define GENERATOR_SPP_RPC_DECODE    106
   38 #define     RPC_FRAG_TRAFFIC                1
   39 #define     RPC_MULTIPLE_RECORD             2
   40 #define     RPC_LARGE_FRAGSIZE              3
   41 #define     RPC_INCOMPLETE_SEGMENT          4
   42 #define     RPC_ZERO_LENGTH_FRAGMENT        5
   43 
   44 #define GENERATOR_SPP_ARPSPOOF      112
   45 #define     ARPSPOOF_UNICAST_ARP_REQUEST         1
   46 #define     ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC  2
   47 #define     ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST  3
   48 #define     ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK   4
   49 
   50 #define GENERATOR_SNORT_DECODE      116   /* generator ID for every DECODE_* event below */
      /* The event numbers in this group are sparse and grouped by protocol;
       * the gaps between groups are not assigned anywhere in this group.
       * Numbers from DECODE_START_INDEX upward are assigned by the enum that
       * follows these macros, not by a #define. */
   51 #define     DECODE_NOT_IPV4_DGRAM                 1
   52 #define     DECODE_IPV4_INVALID_HEADER_LEN        2
   53 #define     DECODE_IPV4_DGRAM_LT_IPHDR            3
   54 #define     DECODE_IPV4OPT_BADLEN                 4
   55 #define     DECODE_IPV4OPT_TRUNCATED              5
   56 #define     DECODE_IPV4_DGRAM_GT_CAPLEN           6
   57 
   58 #define     DECODE_TCP_DGRAM_LT_TCPHDR            45
   59 #define     DECODE_TCP_INVALID_OFFSET             46
   60 #define     DECODE_TCP_LARGE_OFFSET               47
   61 
   62 #define     DECODE_TCPOPT_BADLEN                  54
   63 #define     DECODE_TCPOPT_TRUNCATED               55
   64 #define     DECODE_TCPOPT_TTCP                    56
   65 #define     DECODE_TCPOPT_OBSOLETE                57
   66 #define     DECODE_TCPOPT_EXPERIMENT              58
   67 #define     DECODE_TCPOPT_WSCALE_INVALID          59
   68 
   69 #define     DECODE_UDP_DGRAM_LT_UDPHDR            95
   70 #define     DECODE_UDP_DGRAM_INVALID_LENGTH       96
   71 #define     DECODE_UDP_DGRAM_SHORT_PACKET         97
   72 #define     DECODE_UDP_DGRAM_LONG_PACKET          98
   73 
   74 #define     DECODE_ICMP_DGRAM_LT_ICMPHDR          105
   75 #define     DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR     106
   76 #define     DECODE_ICMP_DGRAM_LT_ADDRHDR          107
   77 
   78 #define     DECODE_ARP_TRUNCATED                  109
   79 #define     DECODE_EAPOL_TRUNCATED                110
   80 #define     DECODE_EAPKEY_TRUNCATED               111
   81 #define     DECODE_EAP_TRUNCATED                  112
   82 
   83 #define     DECODE_BAD_PPPOE                      120
   84 #define     DECODE_BAD_VLAN                       130
   85 #define     DECODE_BAD_VLAN_ETHLLC                131
   86 #define     DECODE_BAD_VLAN_OTHER                 132
   87 #define     DECODE_BAD_80211_ETHLLC               133
   88 #define     DECODE_BAD_80211_OTHER                134
   89 
   90 #define     DECODE_BAD_TRH                        140
   91 #define     DECODE_BAD_TR_ETHLLC                  141
   92 #define     DECODE_BAD_TR_MR_LEN                  142
   93 #define     DECODE_BAD_TRHMR                      143
   94 
   95 #define     DECODE_BAD_TRAFFIC_LOOPBACK           150
   96 #define     DECODE_BAD_TRAFFIC_SAME_SRCDST        151
   97 
      /* These six names exist only when GRE is defined at compile time; no
       * other DECODE_* macro in this group uses 160-165. */
   98 #ifdef GRE
   99 #define     DECODE_GRE_DGRAM_LT_GREHDR            160
  100 #define     DECODE_GRE_MULTIPLE_ENCAPSULATION     161
  101 #define     DECODE_GRE_INVALID_VERSION            162
  102 #define     DECODE_GRE_INVALID_HEADER             163
  103 #define     DECODE_GRE_V1_INVALID_HEADER          164
  104 #define     DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR    165
  105 #endif  /* GRE */
  106 
  107 /** MPLS takes 170 block **/
  108 #define     DECODE_BAD_MPLS                       170
  109 #define     DECODE_BAD_MPLS_LABEL0                171
  110 #define     DECODE_BAD_MPLS_LABEL1                172
  111 #define     DECODE_BAD_MPLS_LABEL2                173
  112 #define     DECODE_BAD_MPLS_LABEL3                174
  113 #define     DECODE_MPLS_RESERVED_LABEL            175
  114 #define     DECODE_MPLS_LABEL_STACK               176
  115 
  116 #define     DECODE_ICMP_ORIG_IP_TRUNCATED         250
  117 #define     DECODE_ICMP_ORIG_IP_VER_MISMATCH      251
  118 #define     DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP     252
  119 #define     DECODE_ICMP_ORIG_PAYLOAD_LT_64        253
  120 #define     DECODE_ICMP_ORIG_PAYLOAD_GT_576       254
  121 #define     DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET   255
  122 
  123 #define     DECODE_IPV6_MIN_TTL                   270
  124 #define     DECODE_IPV6_IS_NOT                    271
  125 #define     DECODE_IPV6_TRUNCATED_EXT             272
  126 #define     DECODE_IPV6_TRUNCATED                 273
  127 #define     DECODE_IPV6_DGRAM_LT_IPHDR            274
  128 #define     DECODE_IPV6_DGRAM_GT_CAPLEN           275
  129 #define     DECODE_IPV6_DST_ZERO                  276
  130 #define     DECODE_IPV6_SRC_MULTICAST             277
  131 #define     DECODE_IPV6_DST_RESERVED_MULTICAST    278
  132 #define     DECODE_IPV6_BAD_OPT_TYPE              279
  133 #define     DECODE_IPV6_BAD_MULTICAST_SCOPE       280
  134 #define     DECODE_IPV6_BAD_NEXT_HEADER           281
  135 #define     DECODE_IPV6_ROUTE_AND_HOPBYHOP        282
  136 #define     DECODE_IPV6_TWO_ROUTE_HEADERS         283
  137 
  138 #define     DECODE_ICMPV6_TOO_BIG_BAD_MTU         285
  139 #define     DECODE_ICMPV6_UNREACHABLE_NON_RFC_2463_CODE    286   /* a separate ..._NON_RFC_4443_CODE event is declared in the enum below */
  140 #define     DECODE_ICMPV6_SOLICITATION_BAD_CODE   287
  141 #define     DECODE_ICMPV6_ADVERT_BAD_CODE         288
  142 #define     DECODE_ICMPV6_SOLICITATION_BAD_RESERVED     289
  143 #define     DECODE_ICMPV6_ADVERT_BAD_REACHABLE    290
  144 
  145 #define     DECODE_IPV6_TUNNELED_IPV4_TRUNCATED   291
  146 #define     DECODE_IPV6_DSTOPTS_WITH_ROUTING      292
  147 #define     DECODE_IP_MULTIPLE_ENCAPSULATION      293
  148 
  149 #define     DECODE_ESP_HEADER_TRUNC               294
  150 #define     DECODE_IPV6_BAD_OPT_LEN               295
  151 #define     DECODE_IPV6_UNORDERED_EXTENSIONS      296
  152 
  153 #define     DECODE_GTP_MULTIPLE_ENCAPSULATION     297
  154 #define     DECODE_GTP_BAD_LEN                    298
  155 
  156 #define     DECODE_DECODING_DEPTH_EXCEEDED        300   /* highest number given by a #define in this group */
  157 
  158 //-----------------------------------------------------
  159 // remember to add rules to preproc_rules/decoder.rules
  160 // add the new decoder rules to the following enum.
  161 
  162 #define     DECODE_START_INDEX                    400
  163 
  164 enum {  /* decoder events (generator 116) numbered from DECODE_START_INDEX, i.e. 400 */
          /* An enumerator without an initializer is the previous one plus 1,
           * so the ORDER of this list is what fixes each event number.
           * Inserting or deleting an entry in the middle renumbers every entry
           * after it; adding directly above DECODE_INDEX_MAX moves only
           * DECODE_INDEX_MAX.  The note above this enum asks for a matching
           * rule in preproc_rules/decoder.rules for each new event. */
  165     DECODE_TCP_XMAS = DECODE_START_INDEX,   /* 400 */
  166     DECODE_TCP_NMAP_XMAS,
  167     DECODE_DOS_NAPTHA,
  168     DECODE_SYN_TO_MULTICAST,
  169     DECODE_ZERO_TTL,
  170     DECODE_BAD_FRAGBITS,
  171     DECODE_UDP_IPV6_ZERO_CHECKSUM,
  172     DECODE_IP4_LEN_OFFSET,
  173     DECODE_IP4_SRC_THIS_NET,
  174     DECODE_IP4_DST_THIS_NET,
  175     DECODE_IP4_SRC_MULTICAST,               /* 410 */
  176     DECODE_IP4_SRC_RESERVED,
  177     DECODE_IP4_DST_RESERVED,
  178     DECODE_IP4_SRC_BROADCAST,
  179     DECODE_IP4_DST_BROADCAST,
  180     DECODE_ICMP4_DST_MULTICAST,
  181     DECODE_ICMP4_DST_BROADCAST,             /* 416 */
  182     DECODE_ICMP4_TYPE_OTHER = 418,          /* explicit value: 417 is skipped and not assigned in this enum */
  183     DECODE_TCP_BAD_URP,
  184     DECODE_TCP_SYN_FIN,                     /* 420 */
  185     DECODE_TCP_SYN_RST,
  186     DECODE_TCP_MUST_ACK,
  187     DECODE_TCP_NO_SYN_ACK_RST,
  188     DECODE_ETH_HDR_TRUNC,
  189     DECODE_IP4_HDR_TRUNC,
  190     DECODE_ICMP4_HDR_TRUNC,
  191     DECODE_ICMP6_HDR_TRUNC,
  192     DECODE_IP4_MIN_TTL,
  193     DECODE_IP6_ZERO_HOP_LIMIT,
  194     DECODE_IP4_DF_OFFSET,                   /* 430 */
  195     DECODE_ICMP6_TYPE_OTHER,
  196     DECODE_ICMP6_DST_MULTICAST,
  197     DECODE_TCP_SHAFT_SYNFLOOD,
  198     DECODE_ICMP_PING_NMAP,
  199     DECODE_ICMP_ICMPENUM,
  200     DECODE_ICMP_REDIRECT_HOST,
  201     DECODE_ICMP_REDIRECT_NET,
  202     DECODE_ICMP_TRACEROUTE_IPOPTS,
  203     DECODE_ICMP_SOURCE_QUENCH,
  204     DECODE_ICMP_BROADSCAN_SMURF_SCANNER,    /* 440 */
  205     DECODE_ICMP_DST_UNREACH_ADMIN_PROHIBITED,
  206     DECODE_ICMP_DST_UNREACH_DST_HOST_PROHIBITED,
  207     DECODE_ICMP_DST_UNREACH_DST_NET_PROHIBITED,
  208     DECODE_IP_OPTION_SET,
  209     DECODE_UDP_LARGE_PACKET,
  210     DECODE_TCP_PORT_ZERO,
  211     DECODE_UDP_PORT_ZERO,
  212     DECODE_IP_RESERVED_FRAG_BIT,
  213     DECODE_IP_UNASSIGNED_PROTO,
  214     DECODE_IP_BAD_PROTO,                    /* 450 */
  215     DECODE_ICMP_PATH_MTU_DOS,
  216     DECODE_ICMP_DOS_ATTEMPT,
  217     DECODE_IPV6_ISATAP_SPOOF,
  218     DECODE_PGM_NAK_OVERFLOW,
  219     DECODE_IGMP_OPTIONS_DOS,
  220     DECODE_IP6_EXCESS_EXT_HDR,
  221     DECODE_ICMPV6_UNREACHABLE_NON_RFC_4443_CODE,
  222     DECODE_IPV6_BAD_FRAG_PKT,               /* 458: the event the FRAG3 notes cite as 116:458 */
  223     DECODE_ZERO_LENGTH_FRAG,
  224     DECODE_ICMPV6_NODE_INFO_BAD_CODE,       /* 460 */
  225     DECODE_IPV6_ROUTE_ZERO,
  226     DECODE_ERSPAN_HDR_VERSION_MISMATCH,
  227     DECODE_ERSPAN2_DGRAM_LT_HDR,
  228     DECODE_ERSPAN3_DGRAM_LT_HDR,
  229     DECODE_AUTH_HDR_TRUNC,
  230     DECODE_AUTH_HDR_BAD_LEN,
  231     DECODE_FPATH_HDR_TRUNC,
  232     DECODE_CISCO_META_HDR_TRUNC,
  233     DECODE_CISCO_META_HDR_OPT_LEN,
  234     DECODE_CISCO_META_HDR_OPT_TYPE,         /* 470 */
  235     DECODE_CISCO_META_HDR_SGT,              /* 471: last event in this list */
  236     DECODE_INDEX_MAX                        /* 472: one past the last event; presumably an end marker, not an event -- confirm at the use sites */
  237 };
  238 
  239 
  240 //-----------------------------------------------------
  241 /*
  242 **  HttpInspect Generator IDs
  243 **
  244 **  IMPORTANT::
  245 **    Whenever events are added to the internal HttpInspect
  246 **    event queue, you must also add the event here.  The
  247 **    trick is that whatever the number is in HttpInspect,
  248 **    it must be +1 when you define it here.
  249 */
  250 // these are client specific events
  251 #define GENERATOR_SPP_HTTP_INSPECT_CLIENT           119   /* generator ID for the client-side HI_CLIENT_* events */
      /* Per the IMPORTANT note above this group, each value here is the
       * HttpInspect-internal event number plus one.
       * NOTE(review): this header does not say what the "done" markers on the
       * first twenty entries track. */
  252 #define     HI_CLIENT_ASCII                         1   /* done */
  253 #define     HI_CLIENT_DOUBLE_DECODE                 2   /* done */
  254 #define     HI_CLIENT_U_ENCODE                      3   /* done */
  255 #define     HI_CLIENT_BARE_BYTE                     4   /* done */
  256 /* Base 36 is deprecated and essentially a noop
  257  * Leaving here in case anyone out there has historical data with
  258  * alerts of this type */
  259 #define     HI_CLIENT_BASE36                        5   /* done */
  260 #define     HI_CLIENT_UTF_8                         6   /* done */
  261 #define     HI_CLIENT_IIS_UNICODE                   7   /* done */
  262 #define     HI_CLIENT_MULTI_SLASH                   8   /* done */
  263 #define     HI_CLIENT_IIS_BACKSLASH                 9   /* done */
  264 #define     HI_CLIENT_SELF_DIR_TRAV                 10  /* done */
  265 #define     HI_CLIENT_DIR_TRAV                      11  /* done */
  266 #define     HI_CLIENT_APACHE_WS                     12  /* done */
  267 #define     HI_CLIENT_IIS_DELIMITER                 13  /* done */
  268 #define     HI_CLIENT_NON_RFC_CHAR                  14  /* done */
  269 #define     HI_CLIENT_OVERSIZE_DIR                  15  /* done */
  270 #define     HI_CLIENT_LARGE_CHUNK                   16  /* done */
  271 #define     HI_CLIENT_PROXY_USE                     17  /* done */
  272 #define     HI_CLIENT_WEBROOT_DIR                   18  /* done */
  273 #define     HI_CLIENT_LONG_HDR                      19  /* done */
  274 #define     HI_CLIENT_MAX_HEADERS                   20  /* done */
  275 #define     HI_CLIENT_MULTIPLE_CONTLEN              21
  276 #define     HI_CLIENT_CHUNK_SIZE_MISMATCH           22
  277 #define     HI_CLIENT_INVALID_TRUEIP                23
  278 #define     HI_CLIENT_MULTIPLE_HOST_HDRS            24
  279 #define     HI_CLIENT_LONG_HOSTNAME                 25
  280 #define     HI_CLIENT_EXCEEDS_SPACES                26
  281 #define     HI_CLIENT_CONSECUTIVE_SMALL_CHUNK_SIZES 27
  282 #define     HI_CLIENT_UNBOUNDED_POST                28
  283 #define     HI_CLIENT_MULTIPLE_TRUEIP_IN_SESSION    29
  284 #define     HI_CLIENT_BOTH_TRUEIP_XFF_HDRS          30 
  285 #define     HI_CLIENT_UNKNOWN_METHOD                31
  286 #define     HI_CLIENT_SIMPLE_REQUEST                32
  287 #define     HI_CLIENT_UNESCAPED_SPACE_URI           33
  288 #define     HI_CLIENT_PIPELINE_MAX                  34
  289 
      /* 35 has no macro in this group; numbering continues at 36. */
  290 #define     HI_CLIENT_INVALID_RANGE_UNIT_FMT        36
  291 #define     HI_CLIENT_RANGE_NON_GET_METHOD          37
  292 #define     HI_CLIENT_RANGE_FIELD_ERROR             38
  293 
  294 // these are either server specific or both client / server
  295 #define GENERATOR_SPP_HTTP_INSPECT                 120   /* generator ID for server-side and shared client/server events */
      /* Same numbering rule as the client group: the IMPORTANT note above the
       * HttpInspect section says each value is the internal event number
       * plus one. */
  296 #define     HI_ANOM_SERVER_ALERT                    1   /* done */
  297 #define     HI_SERVER_INVALID_STATCODE              2
  298 #define     HI_SERVER_NO_CONTLEN                    3
  299 #define     HI_SERVER_UTF_NORM_FAIL                 4
  300 #define     HI_SERVER_UTF7                          5
  301 #define     HI_SERVER_DECOMPR_FAILED                6
  302 #define     HI_SERVER_CONSECUTIVE_SMALL_CHUNK_SIZES 7 
  303 #define     HI_CLISRV_MSG_SIZE_EXCEPTION            8   /* presumably the "both client / server" case, going by the CLISRV prefix */
  304 #define     HI_SERVER_JS_OBFUSCATION_EXCD           9 
  305 #define     HI_SERVER_JS_EXCESS_WS                  10 
  306 #define     HI_SERVER_MIXED_ENCODINGS               11
  307 #define     HI_SERVER_SWF_ZLIB_FAILURE              12
  308 #define     HI_SERVER_SWF_LZMA_FAILURE              13
  309 #define     HI_SERVER_PDF_DEFLATE_FAILURE           14
  310 #define     HI_SERVER_PDF_UNSUP_COMP_TYPE           15
  311 #define     HI_SERVER_PDF_CASC_COMP                 16
  312 #define     HI_SERVER_PDF_PARSE_FAILURE             17
  313 
      /* 18-29 have no macro in this group; numbering continues at 30. */
  314 #define     HI_SERVER_INVALID_CONTENT_RANGE_UNIT_FMT 30
  315 #define     HI_SERVER_RANGE_FIELD_ERROR             31
  316 
  317 
  318 #define GENERATOR_PSNG                             122   /* generator ID for the PSNG_* scan events */
      /* Events 1-24 repeat the same eight variants (portscan, decoy portscan,
       * portsweep, distributed portscan, and the filtered form of each) for
       * TCP, then IP, then UDP.  ICMP has only the two sweep events, and
       * PSNG_OPEN_PORT closes the list. */
  319 #define     PSNG_TCP_PORTSCAN                      1
  320 #define     PSNG_TCP_DECOY_PORTSCAN                2
  321 #define     PSNG_TCP_PORTSWEEP                     3
  322 #define     PSNG_TCP_DISTRIBUTED_PORTSCAN          4
  323 #define     PSNG_TCP_FILTERED_PORTSCAN             5
  324 #define     PSNG_TCP_FILTERED_DECOY_PORTSCAN       6
  325 #define     PSNG_TCP_PORTSWEEP_FILTERED            7
  326 #define     PSNG_TCP_FILTERED_DISTRIBUTED_PORTSCAN 8
  327 
  328 #define     PSNG_IP_PORTSCAN                       9
  329 #define     PSNG_IP_DECOY_PORTSCAN                 10
  330 #define     PSNG_IP_PORTSWEEP                      11
  331 #define     PSNG_IP_DISTRIBUTED_PORTSCAN           12
  332 #define     PSNG_IP_FILTERED_PORTSCAN              13
  333 #define     PSNG_IP_FILTERED_DECOY_PORTSCAN        14
  334 #define     PSNG_IP_PORTSWEEP_FILTERED             15
  335 #define     PSNG_IP_FILTERED_DISTRIBUTED_PORTSCAN  16
  336 
  337 #define     PSNG_UDP_PORTSCAN                      17
  338 #define     PSNG_UDP_DECOY_PORTSCAN                18
  339 #define     PSNG_UDP_PORTSWEEP                     19
  340 #define     PSNG_UDP_DISTRIBUTED_PORTSCAN          20
  341 #define     PSNG_UDP_FILTERED_PORTSCAN             21
  342 #define     PSNG_UDP_FILTERED_DECOY_PORTSCAN       22
  343 #define     PSNG_UDP_PORTSWEEP_FILTERED            23
  344 #define     PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN 24
  345 
  346 #define     PSNG_ICMP_PORTSWEEP                    25
  347 #define     PSNG_ICMP_PORTSWEEP_FILTERED           26
  348 
  349 #define     PSNG_OPEN_PORT                         27
  350 
  351 #define GENERATOR_SPP_FRAG3                       123   /* generator ID for the FRAG3_* events */
      /* The message macros for events 4-8 are spelled FRAG3_ANOM_*_STR further
       * down, not FRAG3_ANOMALY_*_STR, so the event and message names do not
       * line up by simple suffixing. */
  352 #define     FRAG3_IPOPTIONS                         1
  353 #define     FRAG3_TEARDROP                          2
  354 #define     FRAG3_SHORT_FRAG                        3
  355 #define     FRAG3_ANOMALY_OVERSIZE                  4
  356 #define     FRAG3_ANOMALY_ZERO                      5
  357 #define     FRAG3_ANOMALY_BADSIZE_SM                6
  358 #define     FRAG3_ANOMALY_BADSIZE_LG                7
  359 #define     FRAG3_ANOMALY_OVLP                      8
  360 /* 123:9, 123:10 are OBE w/ addition of 116:458
  361  * (aka DECODE_IPV6_BAD_FRAG_PKT).
  362  * Leave these here so they are not reused.
  363  * ------
  364 #define     FRAG3_IPV6_BSD_ICMP_FRAG                9
  365 #define     FRAG3_IPV6_BAD_FRAG_PKT                10
  366  * ------
  367 */
      /* 9 and 10 stay commented out on purpose (see above); live numbering
       * resumes at 11. */
  368 #define     FRAG3_MIN_TTL_EVASION                  11
  369 #define     FRAG3_EXCESSIVE_OVERLAP                12
  370 #define     FRAG3_TINY_FRAGMENT                    13
  371 
  372 #define GENERATOR_SMTP                             124   /* generator ID for the SMTP_* events */
  373 #define     SMTP_COMMAND_OVERFLOW                  1
  374 #define     SMTP_DATA_HDR_OVERFLOW                 2
  375 #define     SMTP_RESPONSE_OVERFLOW                 3
  376 #define     SMTP_SPECIFIC_CMD_OVERFLOW             4
  377 #define     SMTP_UNKNOWN_CMD                       5
  378 #define     SMTP_ILLEGAL_CMD                       6
  379 #define     SMTP_HEADER_NAME_OVERFLOW              7
  380 #define     SMTP_XLINK2STATE_OVERFLOW              8
  381 /* This alert is obsolete. *
  382 * #define     SMTP_DECODE_MEMCAP_EXCEEDED            9*/
      /* 9 (above) and 12 (below) are retired: both definitions are kept only
       * inside comments, and the comment on 12 says not to delete or reuse
       * that SID. */
  383 #define     SMTP_B64_DECODING_FAILED               10 
  384 #define     SMTP_QP_DECODING_FAILED                11
  385 /* Do not delete or reuse this SID. Commenting this SID as this alert is no longer valid.*
  386 * #define     SMTP_BITENC_DECODING_FAILED            12
  387 */
  388 #define     SMTP_UU_DECODING_FAILED                13
  389     
  390 /*
  391 **  FTPTelnet Generator IDs
  392 **
  393 **  IMPORTANT::
  394 **    Whenever events are added to the internal FTP or Telnet
  395 **    event queues, you must also add the event here.  The
  396 **    trick is that whatever the number is in FTPTelnet,
  397 **    it must be +1 when you define it here.
  398 */
  399 #define GENERATOR_SPP_FTPP_FTP                     125   /* generator ID for the FTPP_FTP_* events */
      /* Unlike the other groups, the event macros here are not indented under
       * their generator.  Per the FTPTelnet note above, each value is the
       * internal FTP/Telnet event number plus one. */
  400 #define FTPP_FTP_TELNET_CMD                   1
  401 #define FTPP_FTP_INVALID_CMD                  2
  402 #define FTPP_FTP_PARAMETER_LENGTH_OVERFLOW    3
  403 #define FTPP_FTP_MALFORMED_PARAMETER          4
  404 #define FTPP_FTP_PARAMETER_STR_FORMAT         5
  405 #define FTPP_FTP_RESPONSE_LENGTH_OVERFLOW     6
  406 #define FTPP_FTP_ENCRYPTED                    7
  407 #define FTPP_FTP_BOUNCE                       8
  408 #define GENERATOR_SPP_FTPP_TELNET                  126   /* generator ID for the FTPP_TELNET_* events; numbering restarts at 1 */
  409 #define FTPP_TELNET_AYT_OVERFLOW              1
  410 #define FTPP_TELNET_ENCRYPTED                 2
  411 #define FTPP_TELNET_SUBNEG_BEGIN_NO_END       3
  412 
  413 #define GENERATOR_SPP_ISAKMP                 127   /* generator ID only; no event macros are listed for it in this header section */
  414 
  415 #define GENERATOR_SPP_SSH                    128   /* generator ID for the SSH_EVENT_* events */
  416 #define     SSH_EVENT_RESPOVERFLOW             1
  417 #define     SSH_EVENT_CRC32                    2
  418 #define     SSH_EVENT_SECURECRT                3
  419 #define     SSH_EVENT_PROTOMISMATCH            4
  420 #define     SSH_EVENT_WRONGDIR                 5
  421 #define     SSH_EVENT_PAYLOAD_SIZE             6
  422 #define     SSH_EVENT_VERSION                  7
  423 
  424 #define GENERATOR_SPP_STREAM                     129   /* generator ID for the STREAM_* events; message text is in the STREAM_*_STR macros further down */
  425 #define     STREAM_SYN_ON_EST                      1
  426 #define     STREAM_DATA_ON_SYN                     2
  427 #define     STREAM_DATA_ON_CLOSED                  3
  428 #define     STREAM_BAD_TIMESTAMP                   4
  429 #define     STREAM_BAD_SEGMENT                     5
  430 #define     STREAM_WINDOW_TOO_LARGE                6
  431 #define     STREAM_EXCESSIVE_TCP_OVERLAPS          7
  432 #define     STREAM_DATA_AFTER_RESET                8   /* message text: reset SENT; compare event 18 */
  433 #define     STREAM_SESSION_HIJACKED_CLIENT         9
  434 #define     STREAM_SESSION_HIJACKED_SERVER        10
  435 #define     STREAM_DATA_WITHOUT_FLAGS             11
  436 #define     STREAM_SMALL_SEGMENT                  12
  437 #define     STREAM_4WAY_HANDSHAKE                 13
  438 #define     STREAM_NO_TIMESTAMP                   14
  439 #define     STREAM_BAD_RST                        15
  440 #define     STREAM_BAD_FIN                        16
  441 #define     STREAM_BAD_ACK                        17
  442 #define     STREAM_DATA_AFTER_RST_RCVD            18   /* message text: reset RECEIVED; compare event 8 */
  443 #define     STREAM_WINDOW_SLAM                    19
  444 #define     STREAM_NO_3WHS                        20
  445 
  446 #define GENERATOR_DNS                             131   /* generator ID for the DNS_EVENT_* events; 130 has no macro in this part of the header */
  447 #define     DNS_EVENT_OBSOLETE_TYPES                1
  448 #define     DNS_EVENT_EXPERIMENTAL_TYPES            2
  449 #define     DNS_EVENT_RDATA_OVERFLOW                3
  450 
  451 #define GENERATOR_SKYPE                           132   /* generator ID only; no event macros are listed for it here */
  452 
  453 #define GENERATOR_DCE2                              133   /* generator ID for the DCE2_EVENT__* events */
      /* The events are numbered 1-59 without gaps.  The name after the double
       * underscore carries a prefix: SMB_/SMB2_, CO_ or CL_.
       * NOTE(review): CO_/CL_ presumably mean connection-oriented and
       * connectionless DCE/RPC -- confirm against the dcerpc2 preprocessor. */
  454 #define     DCE2_EVENT__MEMCAP                        1
  455 #define     DCE2_EVENT__SMB_BAD_NBSS_TYPE             2
  456 #define     DCE2_EVENT__SMB_BAD_TYPE                  3
  457 #define     DCE2_EVENT__SMB_BAD_ID                    4
  458 #define     DCE2_EVENT__SMB_BAD_WCT                   5
  459 #define     DCE2_EVENT__SMB_BAD_BCC                   6
  460 #define     DCE2_EVENT__SMB_BAD_FORMAT                7
  461 #define     DCE2_EVENT__SMB_BAD_OFF                   8
  462 #define     DCE2_EVENT__SMB_TDCNT_ZERO                9
  463 #define     DCE2_EVENT__SMB_NB_LT_SMBHDR             10
  464 #define     DCE2_EVENT__SMB_NB_LT_COM                11
  465 #define     DCE2_EVENT__SMB_NB_LT_BCC                12
  466 #define     DCE2_EVENT__SMB_NB_LT_DSIZE              13
  467 #define     DCE2_EVENT__SMB_TDCNT_LT_DSIZE           14
  468 #define     DCE2_EVENT__SMB_DSENT_GT_TDCNT           15
  469 #define     DCE2_EVENT__SMB_BCC_LT_DSIZE             16
  470 #define     DCE2_EVENT__SMB_INVALID_DSIZE            17
  471 #define     DCE2_EVENT__SMB_EXCESSIVE_TREE_CONNECTS  18
  472 #define     DCE2_EVENT__SMB_EXCESSIVE_READS          19
  473 #define     DCE2_EVENT__SMB_EXCESSIVE_CHAINING       20
  474 #define     DCE2_EVENT__SMB_MULT_CHAIN_SS            21
  475 #define     DCE2_EVENT__SMB_MULT_CHAIN_TC            22
  476 #define     DCE2_EVENT__SMB_CHAIN_SS_LOGOFF          23
  477 #define     DCE2_EVENT__SMB_CHAIN_TC_TDIS            24
  478 #define     DCE2_EVENT__SMB_CHAIN_OPEN_CLOSE         25
  479 #define     DCE2_EVENT__SMB_INVALID_SHARE            26
  480 #define     DCE2_EVENT__CO_BAD_MAJ_VERSION           27
  481 #define     DCE2_EVENT__CO_BAD_MIN_VERSION           28
  482 #define     DCE2_EVENT__CO_BAD_PDU_TYPE              29
  483 #define     DCE2_EVENT__CO_FLEN_LT_HDR               30
  484 #define     DCE2_EVENT__CO_FLEN_LT_SIZE              31
  485 #define     DCE2_EVENT__CO_ZERO_CTX_ITEMS            32
  486 #define     DCE2_EVENT__CO_ZERO_TSYNS                33
  487 #define     DCE2_EVENT__CO_FRAG_LT_MAX_XMIT_FRAG     34
  488 #define     DCE2_EVENT__CO_FRAG_GT_MAX_XMIT_FRAG     35
  489 #define     DCE2_EVENT__CO_ALTER_CHANGE_BYTE_ORDER   36
  490 #define     DCE2_EVENT__CO_FRAG_DIFF_CALL_ID         37
  491 #define     DCE2_EVENT__CO_FRAG_DIFF_OPNUM           38
  492 #define     DCE2_EVENT__CO_FRAG_DIFF_CTX_ID          39
  493 #define     DCE2_EVENT__CL_BAD_MAJ_VERSION           40
  494 #define     DCE2_EVENT__CL_BAD_PDU_TYPE              41
  495 #define     DCE2_EVENT__CL_DATA_LT_HDR               42
  496 #define     DCE2_EVENT__CL_BAD_SEQ_NUM               43
  497 #define     DCE2_EVENT__SMB_V1                       44
  498 #define     DCE2_EVENT__SMB_V2                       45
  499 #define     DCE2_EVENT__SMB_INVALID_BINDING          46
  500 #define     DCE2_EVENT__SMB2_EXCESSIVE_COMPOUNDING   47
  501 #define     DCE2_EVENT__SMB_DCNT_ZERO                48
  502 #define     DCE2_EVENT__SMB_DCNT_MISMATCH            49
  503 #define     DCE2_EVENT__SMB_MAX_REQS_EXCEEDED        50
  504 #define     DCE2_EVENT__SMB_REQS_SAME_MID            51
  505 #define     DCE2_EVENT__SMB_DEPR_DIALECT_NEGOTIATED  52
  506 #define     DCE2_EVENT__SMB_DEPR_COMMAND_USED        53
  507 #define     DCE2_EVENT__SMB_UNUSUAL_COMMAND_USED     54
  508 #define     DCE2_EVENT__SMB_INVALID_SETUP_COUNT      55
  509 #define     DCE2_EVENT__SMB_MULTIPLE_NEGOTIATIONS    56
  510 #define     DCE2_EVENT__SMB_EVASIVE_FILE_ATTRS       57
  511 #define     DCE2_EVENT__SMB_INVALID_FILE_OFFSET      58
  512 #define     DCE2_EVENT__SMB_BAD_NEXT_COMMAND_OFFSET  59
  513 
  514 #define GENERATOR_PPM                               134   /* generator ID for the PPM_EVENT_* events */
  515 #define     PPM_EVENT_RULE_TREE_DISABLED              1
  516 #define     PPM_EVENT_RULE_TREE_ENABLED               2
  517 #define     PPM_EVENT_PACKET_ABORTED                  3
  518 
  519 #define GENERATOR_INTERNAL                          135   /* generator ID for the INTERNAL_EVENT_* events */
  520 #define     INTERNAL_EVENT_SYN_RECEIVED               1
  521 #define     INTERNAL_EVENT_SESSION_ADD                2
  522 #define     INTERNAL_EVENT_SESSION_DEL                3
  523 
      /* The generators from here to the end of the group are IDs only, apart
       * from SDF_COMBO_ALERT.  IDs 140-142 and 146-147 are shown as comments
       * because, as those comments say, they are defined in other headers. */
  524 #define GENERATOR_SPP_REPUTATION                    136
  525 
  526 #define GENERATOR_SPP_SSLPP                         137
  527 
  528 #define GENERATOR_SPP_SDF_RULES                     138
  529 #define GENERATOR_SPP_SDF_PREPROC                   139
  530 // #define GENERATOR_SPP_SIP                        140 // Defined in spp_sip.h file, not here.
  531 // #define GENERATOR_SPP_IMAP                       141 // Defined in imap_log.h file
  532 // #define GENERATOR_SPP_POP                        142 // Defined in pop_log.h file.
      /* NOTE(review): SDF_COMBO_ALERT sits below the commented-out 140-142
       * entries but by name belongs to the SDF generators above -- confirm
       * whether it is used with 138 or 139. */
  533 #define     SDF_COMBO_ALERT                           1
  534 
  535 
  536 #define GENERATOR_SPP_GTP                           143
  537 
  538 #define GENERATOR_SPP_MODBUS                        144
  539 
  540 #define GENERATOR_SPP_DNP3                          145
  541 
  542 // #define GENERATOR_FILE_TYPE                      146 //Defined in file_service.h
  543 // #define GENERATOR_FILE_SIGNATURE                 147 //Defined in file_service.h
  544 
  545 #define GENERATOR_SPP_CIP                           148
  546 #define GENERATOR_SPP_S7COMMPLUS                    149
  547 
  548 
  549 /*  This is where the alert messages for all
  550     internal alerts are archived */
  551 
  552 #define ARPSPOOF_UNICAST_ARP_REQUEST_STR "(spp_arpspoof) Unicast ARP request"   /* message text; by name it pairs with event 112:1 */
  553 #define ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC_STR \
  554 "(spp_arpspoof) Ethernet/ARP Mismatch request for Source"
  555 #define ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST_STR \
  556 "(spp_arpspoof) Ethernet/ARP Mismatch request for Destination"
  557 #define ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK_STR \
  558 "(spp_arpspoof) Attempted ARP cache overwrite attack"
  559 
      /* These messages carry an "(spo_bo)" tag although the generator macro is
       * named GENERATOR_SPP_BO. */
  560 #define BO_TRAFFIC_DETECT_STR "(spo_bo) Back Orifice Traffic detected"
  561 #define BO_CLIENT_TRAFFIC_DETECT_STR "(spo_bo) Back Orifice Client Traffic detected"
  562 #define BO_SERVER_TRAFFIC_DETECT_STR "(spo_bo) Back Orifice Server Traffic detected"
  563 #define BO_SNORT_BUFFER_ATTACK_STR "(spo_bo) Back Orifice Snort buffer attack"
  564 
  565 /*   FRAG3 strings */
      /* The event macros are FRAG3_ANOMALY_*; the message macros below shorten
       * that to FRAG3_ANOM_*_STR. */
  566 #define FRAG3_IPOPTIONS_STR "(spp_frag3) Inconsistent IP Options on Fragmented Packets"
  567 #define FRAG3_TEARDROP_STR "(spp_frag3) Teardrop attack"
  568 #define FRAG3_SHORT_FRAG_STR "(spp_frag3) Short fragment, possible DoS attempt"
  569 #define FRAG3_ANOM_OVERSIZE_STR "(spp_frag3) Fragment packet ends after defragmented packet"
  570 #define FRAG3_ANOM_ZERO_STR "(spp_frag3) Zero-byte fragment packet"
  571 #define FRAG3_ANOM_BADSIZE_SM_STR "(spp_frag3) Bad fragment size, packet size is negative"
  572 #define FRAG3_ANOM_BADSIZE_LG_STR "(spp_frag3) Bad fragment size, packet size is greater than 65536"
  573 #define FRAG3_ANOM_OVLP_STR "(spp_frag3) Fragmentation overlap"
  574 /* 123:9, 123:10 are OBE w/ addition of 116:458
  575  * (aka DECODE_IPV6_BAD_FRAG_PKT).
  576  * Leave these here so they are not reused.
  577  * ------
  578 #define FRAG3_IPV6_BSD_ICMP_FRAG_STR "(spp_frag3) IPv6 BSD mbufs remote kernel buffer overflow"
  579 #define FRAG3_IPV6_BAD_FRAG_PKT_STR "(spp_frag3) Bogus fragmentation packet. Possible BSD attack"
  580  * ------
  581  */
  582 #define FRAG3_MIN_TTL_EVASION_STR "(spp_frag3) TTL value less than configured minimum, not using for reassembly"
  583 #define FRAG3_EXCESSIVE_OVERLAP_STR "(spp_frag3) Excessive fragment overlap"
  584 #define FRAG3_TINY_FRAGMENT_STR "(spp_frag3) Tiny fragment"
  585 
  586 /*   Stream strings */
      /* Unlike the other groups, these messages carry no "(module)" tag, so
       * the text alone does not name its source; match on the generator ID
       * (129) rather than on the message. */
  587 #define STREAM_SYN_ON_EST_STR "Syn on established session"
  588 #define STREAM_DATA_ON_SYN_STR "Data on SYN packet"
  589 #define STREAM_DATA_ON_CLOSED_STR "Data sent on stream not accepting data"
  590 #define STREAM_BAD_TIMESTAMP_STR "TCP Timestamp is outside of PAWS window"
  591 #define STREAM_BAD_SEGMENT_STR "Bad segment, adjusted size <= 0"
  592 #define STREAM_WINDOW_TOO_LARGE_STR "Window size (after scaling) larger than policy allows"
  593 #define STREAM_EXCESSIVE_TCP_OVERLAPS_STR "Limit on number of overlapping TCP packets reached"
  594 #define STREAM_DATA_AFTER_RESET_STR "Data sent on stream after TCP Reset sent"
  595 #define STREAM_SESSION_HIJACKED_CLIENT_STR "TCP Client possibly hijacked, different Ethernet Address"
  596 #define STREAM_SESSION_HIJACKED_SERVER_STR "TCP Server possibly hijacked, different Ethernet Address"
  597 #define STREAM_DATA_WITHOUT_FLAGS_STR "TCP Data with no TCP Flags set"
  598 #define STREAM_SMALL_SEGMENT_STR "Consecutive TCP small segments exceeding threshold"
  599 #define STREAM_4WAY_HANDSHAKE_STR "4-way handshake detected"
  600 #define STREAM_NO_TIMESTAMP_STR "TCP Timestamp is missing"
  601 #define STREAM_BAD_RST_STR "Reset outside window"
  602 #define STREAM_BAD_FIN_STR "FIN number is greater than prior FIN"
  603 #define STREAM_BAD_ACK_STR "ACK number is greater than prior FIN"
  604 #define STREAM_DATA_AFTER_RST_RCVD_STR "Data sent on stream after TCP Reset received"
  605 #define STREAM_WINDOW_SLAM_STR "TCP window closed before receiving data"
  606 #define STREAM_NO_3WHS_STR "TCP session without 3-way handshake"
  607 
  608 #define STREAM_INTERNAL_EVENT_STR ""   /* deliberately empty text; no STREAM_INTERNAL_EVENT number is defined in this header section */
  609 
  610 /* PPM strings */
  611 #define PPM_EVENT_RULE_TREE_DISABLED_STR "PPM Rule Options Disabled by Rule Latency"
  612 #define PPM_EVENT_RULE_TREE_ENABLED_STR  "PPM Rule Options Re-enabled by Rule Latency"
  613 #define PPM_EVENT_PACKET_ABORTED_STR     "PPM Packet Aborted due to Latency"
  614 
  615 /*   Snort decoder strings: message text for packet-decoder events.
       *   Most use the prefix "(snort_decoder) WARNING:", but a number of
       *   entries in this file use "(snort decoder) WARNING:" (space instead of
       *   underscore).  Anything that filters on the message text has to
       *   accept both spellings. */
  616 #define DECODE_NOT_IPV4_DGRAM_STR "(snort_decoder) WARNING: Not IPv4 datagram"
  617 #define DECODE_IPV4_INVALID_HEADER_LEN_STR "(snort_decoder) WARNING: hlen < IP_HEADER_LEN"
  618 #define DECODE_IPV4_DGRAM_LT_IPHDR_STR "(snort_decoder) WARNING: IP dgm len < IP Hdr len"
  619 #define DECODE_IPV4OPT_BADLEN_STR      "(snort_decoder) WARNING: Ipv4 Options found with bad lengths"
  620 #define DECODE_IPV4OPT_TRUNCATED_STR   "(snort_decoder) WARNING: Truncated Ipv4 Options"
  621 #define DECODE_IPV4_DGRAM_GT_CAPLEN_STR "(snort_decoder) WARNING: IP dgm len > captured len"
  622 #define DECODE_NOT_IPV6_DGRAM_STR      "(snort_decoder) WARNING: Not an IPv6 datagram"
  623 
      /* TCP header and TCP option length checks. */
  624 #define DECODE_TCP_DGRAM_LT_TCPHDR_STR "(snort_decoder) WARNING: TCP packet len is smaller than 20 bytes"
  625 #define DECODE_TCP_INVALID_OFFSET_STR "(snort_decoder) WARNING: TCP Data Offset is less than 5"
  626 #define DECODE_TCP_LARGE_OFFSET_STR "(snort_decoder) WARNING: TCP Header length exceeds packet length"
  627 
  628 #define DECODE_TCPOPT_BADLEN_STR      "(snort_decoder) WARNING: Tcp Options found with bad lengths"
  629 #define DECODE_TCPOPT_TRUNCATED_STR   "(snort_decoder) WARNING: Truncated Tcp Options"
  630 #define DECODE_TCPOPT_TTCP_STR        "(snort_decoder) WARNING: T/TCP Detected"
  631 #define DECODE_TCPOPT_OBSOLETE_STR    "(snort_decoder) WARNING: Obsolete TCP Options found"
  632 #define DECODE_TCPOPT_EXPERIMENT_STR  "(snort_decoder) WARNING: Experimental Tcp Options found"
  633 #define DECODE_TCPOPT_WSCALE_INVALID_STR "(snort_decoder) WARNING: Tcp Window Scale Option found with length > 14"
  634 
      /* UDP header and length-field checks. */
  635 #define DECODE_UDP_DGRAM_LT_UDPHDR_STR "(snort_decoder) WARNING: Truncated UDP Header"
  636 #define DECODE_UDP_DGRAM_INVALID_LENGTH_STR "(snort_decoder) WARNING: Invalid UDP header, length field < 8"
  637 #define DECODE_UDP_DGRAM_SHORT_PACKET_STR "(snort_decoder) WARNING: Short UDP packet, length field > payload length"
  638 #define DECODE_UDP_DGRAM_LONG_PACKET_STR "(snort_decoder) WARNING: Long UDP packet, length field < payload length"
  639 
      /* ICMP, ARP, EAP, PPPoE, VLAN and 802.11 truncation / bad-frame texts. */
  640 #define DECODE_ICMP_DGRAM_LT_ICMPHDR_STR "(snort_decoder) WARNING: ICMP Header Truncated"
  641 #define DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR_STR "(snort_decoder) WARNING: ICMP Timestamp Header Truncated"
  642 #define DECODE_ICMP_DGRAM_LT_ADDRHDR_STR "(snort_decoder) WARNING: ICMP Address Header Truncated"
  643 #define DECODE_IPV4_DGRAM_UNKNOWN_STR "(snort_decoder) WARNING: Unknown Datagram decoding problem"
  644 #define DECODE_ARP_TRUNCATED_STR "(snort_decoder) WARNING: Truncated ARP"
  645 #define DECODE_EAPOL_TRUNCATED_STR "(snort_decoder) WARNING: Truncated EAP Header"
  646 #define DECODE_EAPKEY_TRUNCATED_STR "(snort_decoder) WARNING: EAP Key Truncated"
  647 #define DECODE_EAP_TRUNCATED_STR "(snort_decoder) WARNING: EAP Header Truncated"
  648 #define DECODE_BAD_PPPOE_STR "(snort_decoder) WARNING: Bad PPPOE frame detected"
  649 #define DECODE_BAD_VLAN_STR "(snort_decoder) WARNING: Bad VLAN Frame"
  650 #define DECODE_BAD_VLAN_ETHLLC_STR "(snort_decoder) WARNING: Bad LLC header"
  651 #define DECODE_BAD_VLAN_OTHER_STR "(snort_decoder) WARNING: Bad Extra LLC Info"
  652 #define DECODE_BAD_80211_ETHLLC_STR "(snort_decoder) WARNING: Bad 802.11 LLC header"
  653 #define DECODE_BAD_80211_OTHER_STR "(snort_decoder) WARNING: Bad 802.11 Extra LLC Info"
  654 
      /* Token Ring texts.  "MRLENHeader" below is spelled without a space in
       * the message itself. */
  655 #define DECODE_BAD_TRH_STR "(snort_decoder) WARNING: Bad Token Ring Header"
  656 #define DECODE_BAD_TR_ETHLLC_STR "(snort_decoder) WARNING: Bad Token Ring ETHLLC Header"
  657 #define DECODE_BAD_TR_MR_LEN_STR "(snort_decoder) WARNING: Bad Token Ring MRLENHeader"
  658 #define DECODE_BAD_TRHMR_STR "(snort_decoder) WARNING: Bad Token Ring MR Header"
  659 
      /* These two use the "(snort decoder)" prefix form (no underscore). */
  660 #define     DECODE_BAD_TRAFFIC_LOOPBACK_STR     "(snort decoder) WARNING: Bad Traffic Loopback IP"
  661 #define     DECODE_BAD_TRAFFIC_SAME_SRCDST_STR  "(snort decoder) WARNING: Bad Traffic Same Src/Dst IP"
  662 
  663 #ifdef GRE
      /* GRE decoder message texts, defined only when GRE is defined at compile
       * time.  All six use the "(snort decoder)" prefix (space, no underscore),
       * unlike most decoder strings in this file. */
  664 #define DECODE_GRE_DGRAM_LT_GREHDR_STR "(snort decoder) WARNING: GRE header length > payload length"
  665 #define DECODE_GRE_MULTIPLE_ENCAPSULATION_STR "(snort decoder) WARNING: Multiple encapsulations in packet"
  666 #define DECODE_GRE_INVALID_VERSION_STR "(snort decoder) WARNING: Invalid GRE version"
  667 #define DECODE_GRE_INVALID_HEADER_STR "(snort decoder) WARNING: Invalid GRE header"
  668 #define DECODE_GRE_V1_INVALID_HEADER_STR "(snort decoder) WARNING: Invalid GRE v.1 PPTP header"
  669 #define DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR_STR "(snort decoder) WARNING: GRE Trans header length > payload length"
  670 #endif  /* GRE */
  671 
  672 #define DECODE_ICMP_ORIG_IP_TRUNCATED_STR "(snort_decoder) WARNING: ICMP Original IP Header Truncated"
      /* The strings in this group describe checks on the original datagram
       * quoted inside an ICMP message, per their text. */
  673 #define DECODE_ICMP_ORIG_IP_VER_MISMATCH_STR "(snort_decoder) WARNING: ICMP version and Original IP Header versions differ"
  674 #define DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP_STR "(snort_decoder) WARNING: ICMP Original Datagram Length < Original IP Header Length"
  675 #define DECODE_ICMP_ORIG_PAYLOAD_LT_64_STR "(snort_decoder) WARNING: ICMP Original IP Payload < 64 bits"
      /* NOTE(review): "Origianl" is misspelled in the message text itself.  It
       * is part of the emitted string, so any log parser or correlation rule
       * matching this message must use the misspelled form; correcting it here
       * changes the alert text consumers see. */
  676 #define DECODE_ICMP_ORIG_PAYLOAD_GT_576_STR "(snort_decoder) WARNING: ICMP Origianl IP Payload > 576 bytes"
  677 #define DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET_STR "(snort_decoder) WARNING: ICMP Original IP Fragmented and Offset Not 0"
  678 
      /* The next four use the "(snort decoder)" prefix form (no underscore). */
  679 #define DECODE_IPV6_MIN_TTL_STR "(snort decoder) WARNING: IPv6 packet below TTL limit"
  680 #define DECODE_IPV6_IS_NOT_STR "(snort decoder) WARNING: IPv6 header claims to not be IPv6"
  681 #define DECODE_IPV6_TRUNCATED_EXT_STR "(snort decoder) WARNING: IPV6 truncated extension header"
  682 #define DECODE_IPV6_TRUNCATED_STR "(snort decoder) WARNING: IPV6 truncated header"
      /* These two texts are identical to DECODE_IPV4_DGRAM_LT_IPHDR_STR and
       * DECODE_IPV4_DGRAM_GT_CAPLEN_STR, so the message alone does not tell an
       * analyst whether the packet was IPv4 or IPv6. */
  683 #define DECODE_IPV6_DGRAM_LT_IPHDR_STR "(snort_decoder) WARNING: IP dgm len < IP Hdr len"
  684 #define DECODE_IPV6_DGRAM_GT_CAPLEN_STR "(snort_decoder) WARNING: IP dgm len > captured len"
  685 
  686 #define DECODE_IPV6_DST_ZERO_STR "(snort_decoder) WARNING: IPv6 packet with destination address ::0"
      /* IPv6 address, extension-header and ICMPv6 field checks; each text
       * names the field or header ordering it refers to. */
  687 #define DECODE_IPV6_SRC_MULTICAST_STR "(snort_decoder) WARNING: IPv6 packet with multicast source address"
  688 #define DECODE_IPV6_DST_RESERVED_MULTICAST_STR "(snort_decoder) WARNING: IPv6 packet with reserved multicast destination address"
  689 #define DECODE_IPV6_BAD_OPT_TYPE_STR "(snort_decoder) WARNING: IPv6 header includes an undefined option type"
  690 #define DECODE_IPV6_BAD_MULTICAST_SCOPE_STR "(snort_decoder) WARNING: IPv6 address includes an unassigned multicast scope value"
  691 #define DECODE_IPV6_BAD_NEXT_HEADER_STR "(snort_decoder) WARNING: IPv6 header includes an invalid value for the \"next header\" field"
  692 #define DECODE_IPV6_ROUTE_AND_HOPBYHOP_STR "(snort_decoder) WARNING: IPv6 header includes a routing extension header followed by a hop-by-hop header"
  693 #define DECODE_IPV6_TWO_ROUTE_HEADERS_STR "(snort_decoder) WARNING: IPv6 header includes two routing extension headers"
  694 #define DECODE_IPV6_DSTOPTS_WITH_ROUTING_STR "(snort_decoder) WARNING: IPv6 header has destination options followed by a routing header"
  695 #define DECODE_ICMPV6_TOO_BIG_BAD_MTU_STR "(snort_decoder) WARNING: ICMPv6 packet of type 2 (message too big) with MTU field < 1280"
      /* This file also defines DECODE_ICMPV6_UNREACHABLE_NON_RFC_4443_CODE_STR
       * with the same wording but citing RFC 4443; the two differ only in the
       * RFC number. */
  696 #define DECODE_ICMPV6_UNREACHABLE_NON_RFC_2463_CODE_STR "(snort_decoder) WARNING: ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code"
  697 #define DECODE_ICMPV6_SOLICITATION_BAD_CODE_STR "(snort_decoder) WARNING: ICMPv6 router solicitation packet with a code not equal to 0"
  698 #define DECODE_ICMPV6_ADVERT_BAD_CODE_STR "(snort_decoder) WARNING: ICMPv6 router advertisement packet with a code not equal to 0"
  699 #define DECODE_ICMPV6_SOLICITATION_BAD_RESERVED_STR "(snort_decoder) WARNING: ICMPv6 router solicitation packet with the reserved field not equal to 0"
  700 #define DECODE_ICMPV6_ADVERT_BAD_REACHABLE_STR "(snort_decoder) WARNING: ICMPv6 router advertisement packet with the reachable time field set > 1 hour"
  701 
  702 #define DECODE_IPV6_TUNNELED_IPV4_TRUNCATED_STR "(snort_decoder) WARNING: IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux Kernel attack"
  703 
  704 #define DECODE_IP_MULTIPLE_ENCAPSULATION_STR "(snort_decoder) WARNING: Two or more IP (v4 and/or v6) encapsulation layers present"
  705 
  706 #define DECODE_ESP_HEADER_TRUNC_STR "(snort_decoder) WARNING: truncated Encapsulated Security Payload (ESP) header"
  707 
  708 #define DECODE_IPV6_BAD_OPT_LEN_STR "(snort_decoder) WARNING: IPv6 header includes an option which is too big for the containing header"
  709 
  710 #define DECODE_IPV6_UNORDERED_EXTENSIONS_STR "(snort_decoder) WARNING: IPv6 packet includes out-of-order extension headers"
  711 #define DECODE_GTP_MULTIPLE_ENCAPSULATION_STR "(snort_decoder) WARNING: Two or more GTP encapsulation layers present"
  712 #define DECODE_GTP_BAD_LEN_STR "(snort_decoder) WARNING: GTP header length is invalid"
      /* The two XMAS texts are labels only; the flag combination that raises
       * them is not defined in this header. */
  713 #define DECODE_TCP_XMAS_STR "(snort_decoder) WARNING: XMAS Attack Detected"
  714 #define DECODE_TCP_NMAP_XMAS_STR "(snort_decoder) WARNING: Nmap XMAS Attack Detected"
  715 
  716 #define DECODE_DOS_NAPTHA_STR "(snort_decoder) WARNING: DOS NAPTHA Vulnerability Detected"
      /* Address, flag and header sanity texts for IPv4, ICMP and TCP follow.
       * The wording describes the anomaly; the check that raises each event is
       * not in this header. */
  717 #define DECODE_SYN_TO_MULTICAST_STR "(snort_decoder) WARNING: Bad Traffic SYN to multicast address"
  718 #define DECODE_ZERO_TTL_STR "(snort_decoder) WARNING: IPV4 packet with zero TTL"
  719 #define DECODE_BAD_FRAGBITS_STR "(snort_decoder) WARNING: IPV4 packet with bad frag bits (Both MF and DF set)"
  720 #define DECODE_UDP_IPV6_ZERO_CHECKSUM_STR "(snort_decoder) WARNING: Invalid IPv6 UDP packet, checksum zero"
  721 #define DECODE_IP4_LEN_OFFSET_STR "(snort_decoder) WARNING: IPV4 packet frag offset + length exceed maximum"
  722 #define DECODE_IP4_SRC_THIS_NET_STR "(snort_decoder) WARNING: IPV4 packet from 'current net' source address"
  723 #define DECODE_IP4_DST_THIS_NET_STR "(snort_decoder) WARNING: IPV4 packet to 'current net' dest address"
  724 #define DECODE_IP4_SRC_MULTICAST_STR "(snort_decoder) WARNING: IPV4 packet from multicast source address"
  725 #define DECODE_IP4_SRC_RESERVED_STR "(snort_decoder) WARNING: IPV4 packet from reserved source address"
  726 #define DECODE_IP4_DST_RESERVED_STR "(snort_decoder) WARNING: IPV4 packet to reserved dest address"
  727 #define DECODE_IP4_SRC_BROADCAST_STR "(snort_decoder) WARNING: IPV4 packet from broadcast source address"
  728 #define DECODE_IP4_DST_BROADCAST_STR "(snort_decoder) WARNING: IPV4 packet to broadcast dest address"
  729 #define DECODE_ICMP4_DST_MULTICAST_STR "(snort_decoder) WARNING: ICMP4 packet to multicast dest address"
  730 #define DECODE_ICMP4_DST_BROADCAST_STR "(snort_decoder) WARNING: ICMP4 packet to broadcast dest address"
  731 #define DECODE_ICMP4_TYPE_OTHER_STR "(snort_decoder) WARNING: ICMP4 type other"
  732 #define DECODE_TCP_BAD_URP_STR "(snort_decoder) WARNING: TCP urgent pointer exceeds payload length or no payload"
  733 #define DECODE_TCP_SYN_FIN_STR "(snort_decoder) WARNING: TCP SYN with FIN"
  734 #define DECODE_TCP_SYN_RST_STR "(snort_decoder) WARNING: TCP SYN with RST"
  735 #define DECODE_TCP_MUST_ACK_STR "(snort_decoder) WARNING: TCP PDU missing ack for established session"
  736 #define DECODE_TCP_NO_SYN_ACK_RST_STR "(snort_decoder) WARNING: TCP has no SYN, ACK, or RST"
  737 #define DECODE_ETH_HDR_TRUNC_STR "(snort_decoder) WARNING: truncated eth header"
  738 #define DECODE_IP4_HDR_TRUNC_STR "(snort_decoder) WARNING: truncated IP4 header"
  739 #define DECODE_ICMP4_HDR_TRUNC_STR "(snort_decoder) WARNING: truncated ICMP4 header"
  740 #define DECODE_ICMP6_HDR_TRUNC_STR "(snort_decoder) WARNING: truncated ICMP6 header"
      /* The next two, and DECODE_IPV6_ROUTE_ZERO_STR further down, use the
       * "(snort decoder)" prefix form (space, no underscore); text filters
       * written for "(snort_decoder)" will not match them. */
  741 #define DECODE_IP4_MIN_TTL_STR "(snort decoder) WARNING: IPV4 packet below TTL limit"
  742 #define DECODE_IP6_ZERO_HOP_LIMIT_STR "(snort decoder) WARNING: IPV6 packet has zero hop limit"
  743 #define DECODE_IP4_DF_OFFSET_STR "(snort_decoder) WARNING: IPV4 packet both DF and offset set"
  744 #define DECODE_ICMP6_TYPE_OTHER_STR "(snort_decoder) WARNING: ICMP6 type not decoded"
  745 #define DECODE_ICMP6_DST_MULTICAST_STR "(snort_decoder) WARNING: ICMP6 packet to multicast address"
      /* Several texts from here on carry a category-style label after the
       * WARNING: prefix (DDOS, MISC, BAD-TRAFFIC, DOS) or name a specific tool
       * or technique.  These are labels in the message only. */
  746 #define DECODE_TCP_SHAFT_SYNFLOOD_STR "(snort_decoder) WARNING: DDOS shaft synflood"
  747 #define DECODE_ICMP_PING_NMAP_STR "(snort_decoder) WARNING: ICMP PING NMAP"
  748 #define DECODE_ICMP_ICMPENUM_STR "(snort_decoder) WARNING: ICMP icmpenum v1.1.1"
  749 #define DECODE_ICMP_REDIRECT_HOST_STR "(snort_decoder) WARNING: ICMP redirect host"
  750 #define DECODE_ICMP_REDIRECT_NET_STR "(snort_decoder) WARNING: ICMP redirect net"
  751 #define DECODE_ICMP_TRACEROUTE_IPOPTS_STR "(snort_decoder) WARNING: ICMP traceroute ipopts"
  752 #define DECODE_ICMP_SOURCE_QUENCH_STR "(snort_decoder) WARNING: ICMP Source Quench"
  753 #define DECODE_ICMP_BROADSCAN_SMURF_SCANNER_STR "(snort_decoder) WARNING: Broadscan Smurf Scanner"
  754 #define DECODE_ICMP_DST_UNREACH_ADMIN_PROHIBITED_STR "(snort_decoder) WARNING: ICMP Destination Unreachable Communication Administratively Prohibited"
  755 #define DECODE_ICMP_DST_UNREACH_DST_HOST_PROHIBITED_STR "(snort_decoder) WARNING: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"
  756 #define DECODE_ICMP_DST_UNREACH_DST_NET_PROHIBITED_STR "(snort_decoder) WARNING: ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"
  757 #define DECODE_IP_OPTION_SET_STR "(snort_decoder) WARNING: MISC IP option set"
  758 #define DECODE_UDP_LARGE_PACKET_STR "(snort_decoder) WARNING: MISC Large UDP Packet"
  759 #define DECODE_TCP_PORT_ZERO_STR "(snort_decoder) WARNING: BAD-TRAFFIC TCP port 0 traffic"
  760 #define DECODE_UDP_PORT_ZERO_STR "(snort_decoder) WARNING: BAD-TRAFFIC UDP port 0 traffic"
  761 #define DECODE_IP_RESERVED_FRAG_BIT_STR "(snort_decoder) WARNING: BAD-TRAFFIC IP reserved bit set"
  762 #define DECODE_IP_UNASSIGNED_PROTO_STR "(snort_decoder) WARNING: BAD-TRAFFIC Unassigned/Reserved IP protocol"
  763 #define DECODE_IP_BAD_PROTO_STR "(snort_decoder) WARNING: BAD-TRAFFIC Bad IP protocol"
  764 #define DECODE_ICMP_PATH_MTU_DOS_STR "(snort_decoder) WARNING: ICMP PATH MTU denial of service attempt"
  765 #define DECODE_ICMP_DOS_ATTEMPT_STR "(snort_decoder) WARNING: BAD-TRAFFIC linux ICMP header dos attempt"
  766 #define DECODE_IPV6_ISATAP_SPOOF_STR "(snort_decoder) WARNING: BAD-TRAFFIC ISATAP-addressed IPv6 traffic spoofing attempt"
  767 #define DECODE_PGM_NAK_OVERFLOW_STR "(snort_decoder) WARNING: BAD-TRAFFIC PGM nak list overflow attempt"
  768 #define DECODE_IGMP_OPTIONS_DOS_STR "(snort_decoder) WARNING: DOS IGMP IP Options validation attempt"
  769 #define DECODE_IP6_EXCESS_EXT_HDR_STR "(snort_decoder) WARNING: too many IP6 extension headers"
      /* Same wording as DECODE_ICMPV6_UNREACHABLE_NON_RFC_2463_CODE_STR apart
       * from the RFC number cited. */
  770 #define DECODE_ICMPV6_UNREACHABLE_NON_RFC_4443_CODE_STR "(snort_decoder) WARNING: ICMPv6 packet of type 1 (destination unreachable) with non-RFC 4443 code"
  771 #define DECODE_IPV6_BAD_FRAG_PKT_STR "(snort_decoder) WARNING: bogus fragmentation packet. Possible BSD attack"
  772 #define DECODE_ZERO_LENGTH_FRAG_STR "(snort_decoder) WARNING: fragment with zero length"
  773 #define DECODE_ICMPV6_NODE_INFO_BAD_CODE_STR "(snort_decoder) WARNING: ICMPv6 node info query/response packet with a code greater than 2"
  774 #define DECODE_IPV6_ROUTE_ZERO_STR "(snort decoder) WARNING: IPV6 routing type 0 extension header"
      /* ERSpan, authentication-header, FabricPath and Cisco Metadata texts. */
  775 #define DECODE_ERSPAN_HDR_VERSION_MISMATCH_STR "(snort_decoder) WARNING: ERSpan Header version mismatch"
  776 #define DECODE_ERSPAN2_DGRAM_LT_HDR_STR "(snort_decoder) WARNING: captured < ERSpan Type2 Header Length"
  777 #define DECODE_ERSPAN3_DGRAM_LT_HDR_STR "(snort_decoder) WARNING: captured < ERSpan Type3 Header Length"
  778 #define DECODE_AUTH_HDR_TRUNC_STR "(snort_decoder) WARNING: truncated authentication header"
  779 #define DECODE_AUTH_HDR_BAD_LEN_STR "(snort_decoder) WARNING: authentication header bad length"
  780 #define DECODE_FPATH_HDR_TRUNC_STR "(snort_decoder) WARNING: truncated FabricPath header"
  781 #define DECODE_CISCO_META_HDR_TRUNC_STR "(snort_decoder) WARNING: truncated Cisco Metadata header"
  782 #define DECODE_CISCO_META_HDR_OPT_LEN_STR "(snort_decoder) WARNING: Invalid Cisco Metadata option length"
  783 #define DECODE_CISCO_META_HDR_OPT_TYPE_STR "(snort_decoder) WARNING: Invalid Cisco Metadata option type"
  784 #define DECODE_CISCO_META_HDR_SGT_STR "(snort_decoder) WARNING: Invalid Cisco Metadata SGT"
  785 
  786 /*  RPC decode preprocessor strings: message text prefixed with
       *  "(spp_rpc_decode)". */
  787 #define RPC_FRAG_TRAFFIC_STR "(spp_rpc_decode) Fragmented RPC Records"
  788 #define RPC_MULTIPLE_RECORD_STR "(spp_rpc_decode) Multiple RPC Records"
  789 #define RPC_LARGE_FRAGSIZE_STR  "(spp_rpc_decode) Large RPC Record Fragment"
  790 #define RPC_INCOMPLETE_SEGMENT_STR "(spp_rpc_decode) Incomplete RPC segment"
  791 #define RPC_ZERO_LENGTH_FRAGMENT_STR "(spp_rpc_decode) Zero-length RPC Fragment"
  792 
      /* Portscan strings, prefixed with "(portscan)".  TCP, IP-protocol and UDP
       * each have the same eight variants (scan, decoy, sweep, distributed, and
       * the filtered form of each); ICMP has only sweep and filtered sweep. */
  793 #define PSNG_TCP_PORTSCAN_STR "(portscan) TCP Portscan"
  794 #define PSNG_TCP_DECOY_PORTSCAN_STR "(portscan) TCP Decoy Portscan"
  795 #define PSNG_TCP_PORTSWEEP_STR "(portscan) TCP Portsweep"
  796 #define PSNG_TCP_DISTRIBUTED_PORTSCAN_STR "(portscan) TCP Distributed Portscan"
  797 #define PSNG_TCP_FILTERED_PORTSCAN_STR "(portscan) TCP Filtered Portscan"
  798 #define PSNG_TCP_FILTERED_DECOY_PORTSCAN_STR "(portscan) TCP Filtered Decoy Portscan"
  799 #define PSNG_TCP_FILTERED_DISTRIBUTED_PORTSCAN_STR "(portscan) TCP Filtered Distributed Portscan"
  800 #define PSNG_TCP_PORTSWEEP_FILTERED_STR "(portscan) TCP Filtered Portsweep"
  801 
      /* The IP variants say "Protocol Scan"/"Protocol Sweep" rather than
       * "Portscan"/"Portsweep" in their text. */
  802 #define PSNG_IP_PORTSCAN_STR "(portscan) IP Protocol Scan"
  803 #define PSNG_IP_DECOY_PORTSCAN_STR "(portscan) IP Decoy Protocol Scan"
  804 #define PSNG_IP_PORTSWEEP_STR "(portscan) IP Protocol Sweep"
  805 #define PSNG_IP_DISTRIBUTED_PORTSCAN_STR "(portscan) IP Distributed Protocol Scan"
  806 #define PSNG_IP_FILTERED_PORTSCAN_STR "(portscan) IP Filtered Protocol Scan"
  807 #define PSNG_IP_FILTERED_DECOY_PORTSCAN_STR "(portscan) IP Filtered Decoy Protocol Scan"
  808 #define PSNG_IP_FILTERED_DISTRIBUTED_PORTSCAN_STR "(portscan) IP Filtered Distributed Protocol Scan"
  809 #define PSNG_IP_PORTSWEEP_FILTERED_STR "(portscan) IP Filtered Protocol Sweep"
  810 
  811 #define PSNG_UDP_PORTSCAN_STR "(portscan) UDP Portscan"
  812 #define PSNG_UDP_DECOY_PORTSCAN_STR "(portscan) UDP Decoy Portscan"
  813 #define PSNG_UDP_PORTSWEEP_STR "(portscan) UDP Portsweep"
  814 #define PSNG_UDP_DISTRIBUTED_PORTSCAN_STR "(portscan) UDP Distributed Portscan"
  815 #define PSNG_UDP_FILTERED_PORTSCAN_STR "(portscan) UDP Filtered Portscan"
  816 #define PSNG_UDP_FILTERED_DECOY_PORTSCAN_STR "(portscan) UDP Filtered Decoy Portscan"
  817 #define PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN_STR "(portscan) UDP Filtered Distributed Portscan"
  818 #define PSNG_UDP_PORTSWEEP_FILTERED_STR "(portscan) UDP Filtered Portsweep"
  819 
  820 #define PSNG_ICMP_PORTSWEEP_STR "(portscan) ICMP Sweep"
  821 #define PSNG_ICMP_PORTSWEEP_FILTERED_STR "(portscan) ICMP Filtered Sweep"
  822 
  823 #define PSNG_OPEN_PORT_STR "(portscan) Open Port"
  824 
      /* MPLS and decoding-depth texts; these return to the
       * "(snort_decoder) WARNING:" prefix. */
  825 #define DECODE_BAD_MPLS_STR "(snort_decoder) WARNING: Bad MPLS Frame"
  826 #define DECODE_BAD_MPLS_LABEL0_STR "(snort_decoder) WARNING: MPLS Label 0 Appears in Nonbottom Header"
  827 #define DECODE_BAD_MPLS_LABEL1_STR "(snort_decoder) WARNING: MPLS Label 1 Appears in Bottom Header"
  828 #define DECODE_BAD_MPLS_LABEL2_STR "(snort_decoder) WARNING: MPLS Label 2 Appears in Nonbottom Header"
  829 #define DECODE_BAD_MPLS_LABEL3_STR "(snort_decoder) WARNING: MPLS Label 3 Appears in Header"
  830 #define DECODE_MPLS_RESERVEDLABEL_STR "(snort_decoder) WARNING: MPLS Label 4, 5,.. or 15 Appears in Header"
  831 #define DECODE_MPLS_LABEL_STACK_STR "(snort_decoder) WARNING: Too Many MPLS headers"
  832 #define DECODE_MULTICAST_MPLS_STR "(snort_decoder) WARNING: Multicast MPLS traffic detected"
  833 
  834 #define DECODE_DECODING_DEPTH_EXCEEDED_STR "(snort_decoder) WARNING: Too many levels for decoding"
  835 
  836 #endif /* __GENERATORS_H__ */