SnortExtras: src/codecs/cd_token_ring/cd_token_ring.cc

"Fossies" - the Fresh Open Source Software Archive

Member "snort3_extra-3.0.3-1/src/codecs/cd_token_ring/cd_token_ring.cc" (23 Sep 2020, 7186 Bytes) of package /linux/misc/snort3_extra-3.0.3-1.tar.gz:

As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "cd_token_ring.cc" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report:

1.0.0-beta2_vs_3.0.3-1.

1 //-------------------------------------------------------------------------- 2 // Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved. 3 // Copyright (C) 2002-2013 Sourcefire, Inc. 4 // Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> 5 // 6 // This program is free software; you can redistribute it and/or modify it 7 // under the terms of the GNU General Public License Version 2 as published 8 // by the Free Software Foundation. You may not use, modify or distribute 9 // this program under any other version of the GNU General Public License. 10 // 11 // This program is distributed in the hope that it will be useful, but 12 // WITHOUT ANY WARRANTY; without even the implied warranty of 13 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 // General Public License for more details. 15 // 16 // You should have received a copy of the GNU General Public License along 17 // with this program; if not, write to the Free Software Foundation, Inc., 18 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 19 //-------------------------------------------------------------------------- 20 // token_ring.h author Josh Rosenbaum <jrosenba@cisco.com> 21 22 #include <daq_dlt.h> 23 24 #include "codecs/codec_module.h" 25 #include "framework/codec.h" 26 #include "protocols/token_ring.h" 27 28 using namespace snort; 29 30 namespace 31 { 32 #define TR_NAME "token_ring" 33 #define TR_HELP "support for token ring decoding" 34 35 static const RuleMap tkr_rules[] = 36 { 37 { DECODE_BAD_TRH, "bad Token Ring header" }, 38 { DECODE_BAD_TR_ETHLLC, "bad Token Ring ETHLLC header" }, 39 { DECODE_BAD_TR_MR_LEN, "bad Token Ring MRLEN header" }, 40 { DECODE_BAD_TRHMR, "bad Token Ring MR header" }, 41 { 0, nullptr } 42 }; 43 44 class TrCodecModule : public BaseCodecModule 45 { 46 public: 47 TrCodecModule() : BaseCodecModule(TR_NAME, TR_HELP) { } 48 49 const RuleMap* get_rules() const override 50 { return tkr_rules; } 51 }; 52 53 class TrCodec : public Codec 54 { 55 public: 56 TrCodec() : Codec(TR_NAME) { } 57 58 void get_data_link_type(std::vector<int>&) override; 59 bool decode(const RawData&, CodecData&, DecodeData&) override; 60 }; 61 62 // THESE ARE NEVER USED!! 63 #define MINIMAL_TOKENRING_HEADER_LEN 22 64 #define TR_HLEN MINIMAL_TOKENRING_HEADER_LEN 65 #define TOKENRING_LLC_LEN 8 66 // DELETE FIN 67 68 #define TR_ALEN 6 /* octets in an Ethernet header */ 69 70 #define AC 0x10 71 #define LLC_FRAME 0x40 72 73 #define TRMTU 2000 /* 2000 bytes */ 74 #define TR_RII 0x80 75 #define TR_RCF_DIR_BIT 0x80 76 #define TR_RCF_LEN_MASK 0x1f00 77 #define TR_RCF_BROADCAST 0x8000 /* all-routes broadcast */ 78 #define TR_RCF_LIMITED_BROADCAST 0xC000 /* single-route broadcast */ 79 #define TR_RCF_FRAME2K 0x20 80 #define TR_RCF_BROADCAST_MASK 0xC000 81 } // namespace 82 83 void TrCodec::get_data_link_type(std::vector<int>& v) 84 { 85 v.push_back(DLT_IEEE802); 86 } 87 88 //void DecodeTRPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt) 89 bool TrCodec::decode(const RawData& raw, CodecData& codec, DecodeData&) 90 { 91 const uint32_t cap_len = raw.len; 92 uint32_t dataoff; /* data offset is variable here */ 93 94 if (cap_len < sizeof(token_ring::Trh_hdr)) 95 { 96 codec_event(codec, DECODE_BAD_TRH); 97 return false; 98 } 99 100 /* lay the tokenring header structure over the packet data */ 101 //const token_ring::Trh_hdr *trh = reinterpret_cast<const token_ring::Trh_hdr *>(raw_pkt); 102 103 /* 104 * according to rfc 1042: 105 * 106 * The presence of a Routing Information Field is indicated by the Most 107 * Significant Bit (MSB) of the source address, called the Routing 108 * Information Indicator (RII). If the RII equals zero, a RIF is 109 * not present. If the RII equals 1, the RIF is present. 110 * .. 111 * However the MSB is already zeroed by this moment, so there's no 112 * real way to figure out whether RIF is presented in packet, so we are 113 * doing some tricks to find IPARP signature.. 114 */ 115 116 /* 117 * first I assume that we have single-ring network with no RIF 118 * information presented in frame 119 */ 120 if (cap_len < (sizeof(token_ring::Trh_hdr) + sizeof(token_ring::Trh_llc))) 121 { 122 codec_event(codec, DECODE_BAD_TR_ETHLLC); 123 return false; 124 } 125 126 const token_ring::Trh_llc* trhllc = 127 reinterpret_cast<const token_ring::Trh_llc*>(raw.data + sizeof(token_ring::Trh_hdr)); 128 129 if (trhllc->dsap != IPARP_SAP && trhllc->ssap != IPARP_SAP) 130 { 131 /* 132 * DSAP != SSAP != 0xAA .. either we are having frame which doesn't 133 * carry IP datagrams or has RIF information present. We assume 134 * the latter ... 135 */ 136 137 if (cap_len < (sizeof(token_ring::Trh_hdr) + sizeof(token_ring::Trh_llc) + 138 sizeof(token_ring::Trh_mr))) 139 { 140 codec_event(codec, DECODE_BAD_TRHMR); 141 return false; 142 } 143 144 const token_ring::Trh_mr* const trhmr = 145 reinterpret_cast<const token_ring::Trh_mr*>(raw.data + sizeof(token_ring::Trh_hdr)); 146 147 if (cap_len < (sizeof(token_ring::Trh_hdr) + sizeof(token_ring::Trh_llc) + 148 sizeof(token_ring::Trh_mr) + TRH_MR_LEN(trhmr))) 149 { 150 codec_event(codec, DECODE_BAD_TR_MR_LEN); 151 return false; 152 } 153 154 dataoff = sizeof(token_ring::Trh_hdr) + TRH_MR_LEN(trhmr) + sizeof(token_ring::Trh_llc); 155 } 156 else 157 { 158 dataoff = sizeof(token_ring::Trh_hdr) + sizeof(token_ring::Trh_llc); 159 } 160 161 /* 162 * ideally we would need to check both SSAP, DSAP, and protoid fields: IP 163 * datagrams and ARP requests and replies are transmitted in standard 164 * 802.2 LLC Type 1 Unnumbered Information format, control code 3, with 165 * the DSAP and the SSAP fields of the 802.2 header set to 170, the 166 * assigned global SAP value for SNAP [6]. The 24-bit Organization Code 167 * in the SNAP is zero, and the remaining 16 bits are the EtherType from 168 * Assigned Numbers [7] (IP = 2048, ARP = 2054). .. but we would check 169 * SSAP and DSAP and assume this would be enough to trust. 170 */ 171 if (trhllc->dsap != IPARP_SAP && trhllc->ssap != IPARP_SAP) 172 { 173 return false; 174 } 175 176 codec.lyr_len = dataoff; 177 codec.next_prot_id = trhllc->ethertype(); 178 codec.codec_flags |= CODEC_ETHER_NEXT; 179 return true; 180 } 181 182 //------------------------------------------------------------------------- 183 // api 184 //------------------------------------------------------------------------- 185 186 static Module* mod_ctor() 187 { return new TrCodecModule; } 188 189 static void mod_dtor(Module* m) 190 { delete m; } 191 192 static Codec* ctor(Module*) 193 { return new TrCodec(); } 194 195 static void dtor(Codec* cd) 196 { delete cd; } 197 198 static const CodecApi tr_api = 199 { 200 { 201 PT_CODEC, 202 sizeof(CodecApi), 203 CDAPI_VERSION, 204 0, 205 API_RESERVED, 206 API_OPTIONS, 207 TR_NAME, 208 TR_HELP, 209 mod_ctor, 210 mod_dtor 211 }, 212 nullptr, // pinit 213 nullptr, // pterm 214 nullptr, // tinit 215 nullptr, // tterm 216 ctor, 217 dtor, 218 }; 219 220 SO_PUBLIC const BaseApi* snort_plugins[] = 221 { 222 &tr_api.base, 223 nullptr 224 }; 225