1 /* $Id$ */ 2 /* 3 ** Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved. 4 ** Copyright (C) 2002-2013 Sourcefire, Inc. 5 ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> 6 ** 7 ** This program is free software; you can redistribute it and/or modify 8 ** it under the terms of the GNU General Public License Version 2 as 9 ** published by the Free Software Foundation. You may not use, modify or 10 ** distribute this program under any other version of the GNU General 11 ** Public License. 12 ** 13 ** This program is distributed in the hope that it will be useful, 14 ** but WITHOUT ANY WARRANTY; without even the implied warranty of 15 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 ** GNU General Public License for more details. 17 ** 18 ** You should have received a copy of the GNU General Public License 19 ** along with this program; if not, write to the Free Software 20 ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
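*/

#ifndef __GENERATORS_H__
#define __GENERATORS_H__

/*
** Generator IDs (GIDs) and per-generator Signature IDs (SIDs).
**
** Every alert Snort raises is identified externally as "GID:SID".  The
** numbers in this header are therefore part of the external interface:
** preproc_rules/*.rules, unified2/alert consumers and any downstream
** correlation keyed on GID:SID depend on them.  Treat a change to an
** existing value as a breaking change, and never reclaim a number that
** has been retired (the commented-out entries below are kept precisely
** so their numbers are not reused).
**
** NOTE(review): the include-guard name __GENERATORS_H__ lives in the
** identifier space reserved for the implementation (leading double
** underscore).  It is left unchanged here because the matching #endif
** and any external #ifdef checks are outside this section.
*/

#define GENERATOR_SNORT_ENGINE 1

#define GENERATOR_TAG 2
#define TAG_LOG_PKT 1

/* GID 105 -- Back Orifice detector */
#define GENERATOR_SPP_BO 105
#define BO_TRAFFIC_DETECT 1
#define BO_CLIENT_TRAFFIC_DETECT 2
#define BO_SERVER_TRAFFIC_DETECT 3
#define BO_SNORT_BUFFER_ATTACK 4

/* GID 106 -- RPC decode / defragmentation */
#define GENERATOR_SPP_RPC_DECODE 106
#define RPC_FRAG_TRAFFIC 1
#define RPC_MULTIPLE_RECORD 2
#define RPC_LARGE_FRAGSIZE 3
#define RPC_INCOMPLETE_SEGMENT 4
#define RPC_ZERO_LENGTH_FRAGMENT 5

/* GID 112 -- ARP spoof detector */
#define GENERATOR_SPP_ARPSPOOF 112
#define ARPSPOOF_UNICAST_ARP_REQUEST 1
#define ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC 2
#define ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST 3
#define ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK 4

/*
** GID 116 -- packet decoder.
**
** SIDs below 400 are assigned explicitly, in protocol-specific ranges
** with deliberate gaps between them.  SIDs from 400 up are assigned
** positionally by the enum further down; see the note there before
** adding anything.
*/
#define GENERATOR_SNORT_DECODE 116
#define DECODE_NOT_IPV4_DGRAM 1
#define DECODE_IPV4_INVALID_HEADER_LEN 2
#define DECODE_IPV4_DGRAM_LT_IPHDR 3
#define DECODE_IPV4OPT_BADLEN 4
#define DECODE_IPV4OPT_TRUNCATED 5
#define DECODE_IPV4_DGRAM_GT_CAPLEN 6

#define DECODE_TCP_DGRAM_LT_TCPHDR 45
#define DECODE_TCP_INVALID_OFFSET 46
#define DECODE_TCP_LARGE_OFFSET 47

#define DECODE_TCPOPT_BADLEN 54
#define DECODE_TCPOPT_TRUNCATED 55
#define DECODE_TCPOPT_TTCP 56
#define DECODE_TCPOPT_OBSOLETE 57
#define DECODE_TCPOPT_EXPERIMENT 58
#define DECODE_TCPOPT_WSCALE_INVALID 59

#define DECODE_UDP_DGRAM_LT_UDPHDR 95
#define DECODE_UDP_DGRAM_INVALID_LENGTH 96
#define DECODE_UDP_DGRAM_SHORT_PACKET 97
#define DECODE_UDP_DGRAM_LONG_PACKET 98

#define DECODE_ICMP_DGRAM_LT_ICMPHDR 105
#define DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR 106
#define DECODE_ICMP_DGRAM_LT_ADDRHDR 107

#define DECODE_ARP_TRUNCATED 109
#define DECODE_EAPOL_TRUNCATED 110
#define DECODE_EAPKEY_TRUNCATED 111
#define DECODE_EAP_TRUNCATED 112

#define DECODE_BAD_PPPOE 120
#define DECODE_BAD_VLAN 130
#define DECODE_BAD_VLAN_ETHLLC 131
#define DECODE_BAD_VLAN_OTHER 132
#define DECODE_BAD_80211_ETHLLC 133
#define DECODE_BAD_80211_OTHER 134

#define DECODE_BAD_TRH 140
#define DECODE_BAD_TR_ETHLLC 141
#define DECODE_BAD_TR_MR_LEN 142
#define DECODE_BAD_TRHMR 143

#define DECODE_BAD_TRAFFIC_LOOPBACK 150
#define DECODE_BAD_TRAFFIC_SAME_SRCDST 151

/* The GRE SIDs only exist in GRE-enabled builds; the 160 block stays
 * reserved for them either way. */
#ifdef GRE
#define DECODE_GRE_DGRAM_LT_GREHDR 160
#define DECODE_GRE_MULTIPLE_ENCAPSULATION 161
#define DECODE_GRE_INVALID_VERSION 162
#define DECODE_GRE_INVALID_HEADER 163
#define DECODE_GRE_V1_INVALID_HEADER 164
#define DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR 165
#endif /* GRE */

/** MPLS takes the 170 block **/
#define DECODE_BAD_MPLS 170
#define DECODE_BAD_MPLS_LABEL0 171
#define DECODE_BAD_MPLS_LABEL1 172
#define DECODE_BAD_MPLS_LABEL2 173
#define DECODE_BAD_MPLS_LABEL3 174
#define DECODE_MPLS_RESERVED_LABEL 175
#define DECODE_MPLS_LABEL_STACK 176

/* ICMP error messages carrying the original IP header (250 block) */
#define DECODE_ICMP_ORIG_IP_TRUNCATED 250
#define DECODE_ICMP_ORIG_IP_VER_MISMATCH 251
#define DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP 252
#define DECODE_ICMP_ORIG_PAYLOAD_LT_64 253
#define DECODE_ICMP_ORIG_PAYLOAD_GT_576 254
#define DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET 255

/* IPv6 / ICMPv6 (270 block) */
#define DECODE_IPV6_MIN_TTL 270
#define DECODE_IPV6_IS_NOT 271
#define DECODE_IPV6_TRUNCATED_EXT 272
#define DECODE_IPV6_TRUNCATED 273
#define DECODE_IPV6_DGRAM_LT_IPHDR 274
#define DECODE_IPV6_DGRAM_GT_CAPLEN 275
#define DECODE_IPV6_DST_ZERO 276
#define DECODE_IPV6_SRC_MULTICAST 277
#define DECODE_IPV6_DST_RESERVED_MULTICAST 278
#define DECODE_IPV6_BAD_OPT_TYPE 279
#define DECODE_IPV6_BAD_MULTICAST_SCOPE 280
#define DECODE_IPV6_BAD_NEXT_HEADER 281
#define DECODE_IPV6_ROUTE_AND_HOPBYHOP 282
#define DECODE_IPV6_TWO_ROUTE_HEADERS 283

#define DECODE_ICMPV6_TOO_BIG_BAD_MTU 285
#define DECODE_ICMPV6_UNREACHABLE_NON_RFC_2463_CODE 286
#define DECODE_ICMPV6_SOLICITATION_BAD_CODE 287
#define DECODE_ICMPV6_ADVERT_BAD_CODE 288
#define DECODE_ICMPV6_SOLICITATION_BAD_RESERVED 289
#define DECODE_ICMPV6_ADVERT_BAD_REACHABLE 290

#define DECODE_IPV6_TUNNELED_IPV4_TRUNCATED 291
#define DECODE_IPV6_DSTOPTS_WITH_ROUTING 292
#define DECODE_IP_MULTIPLE_ENCAPSULATION 293

#define DECODE_ESP_HEADER_TRUNC 294
#define DECODE_IPV6_BAD_OPT_LEN 295
#define DECODE_IPV6_UNORDERED_EXTENSIONS 296

#define DECODE_GTP_MULTIPLE_ENCAPSULATION 297
#define DECODE_GTP_BAD_LEN 298

#define DECODE_DECODING_DEPTH_EXCEEDED 300

//-----------------------------------------------------
// Decoder SIDs 400 and up.
//
// These enumerators ARE the GID 116 SIDs: they number positionally from
// DECODE_START_INDEX.  Inserting a new enumerator anywhere but
// immediately before DECODE_INDEX_MAX silently renumbers every SID after
// it and desynchronises this header from preproc_rules/decoder.rules
// (and from the *_STR alert text further down in this file).  For a new
// event:
//   - append it immediately before DECODE_INDEX_MAX;
//   - add the matching rule to preproc_rules/decoder.rules;
//   - add the matching *_STR alert message below.
// SID 417 is skipped by the explicit "= 418"; presumably a retired
// event -- do not reclaim it without checking decoder.rules.

#define DECODE_START_INDEX 400

enum {
    DECODE_TCP_XMAS = DECODE_START_INDEX,
    DECODE_TCP_NMAP_XMAS,
    DECODE_DOS_NAPTHA,
    DECODE_SYN_TO_MULTICAST,
    DECODE_ZERO_TTL,
    DECODE_BAD_FRAGBITS,
    DECODE_UDP_IPV6_ZERO_CHECKSUM,
    DECODE_IP4_LEN_OFFSET,
    DECODE_IP4_SRC_THIS_NET,
    DECODE_IP4_DST_THIS_NET,
    DECODE_IP4_SRC_MULTICAST,
    DECODE_IP4_SRC_RESERVED,
    DECODE_IP4_DST_RESERVED,
    DECODE_IP4_SRC_BROADCAST,
    DECODE_IP4_DST_BROADCAST,
    DECODE_ICMP4_DST_MULTICAST,
    DECODE_ICMP4_DST_BROADCAST,            /* 416 */
    DECODE_ICMP4_TYPE_OTHER = 418,         /* 417 intentionally unused */
    DECODE_TCP_BAD_URP,
    DECODE_TCP_SYN_FIN,
    DECODE_TCP_SYN_RST,
    DECODE_TCP_MUST_ACK,
    DECODE_TCP_NO_SYN_ACK_RST,
    DECODE_ETH_HDR_TRUNC,
    DECODE_IP4_HDR_TRUNC,
    DECODE_ICMP4_HDR_TRUNC,
    DECODE_ICMP6_HDR_TRUNC,
    DECODE_IP4_MIN_TTL,
    DECODE_IP6_ZERO_HOP_LIMIT,
    DECODE_IP4_DF_OFFSET,
    DECODE_ICMP6_TYPE_OTHER,
    DECODE_ICMP6_DST_MULTICAST,
    DECODE_TCP_SHAFT_SYNFLOOD,
    DECODE_ICMP_PING_NMAP,
    DECODE_ICMP_ICMPENUM,
    DECODE_ICMP_REDIRECT_HOST,
    DECODE_ICMP_REDIRECT_NET,
    DECODE_ICMP_TRACEROUTE_IPOPTS,
    DECODE_ICMP_SOURCE_QUENCH,
    DECODE_ICMP_BROADSCAN_SMURF_SCANNER,
    DECODE_ICMP_DST_UNREACH_ADMIN_PROHIBITED,
    DECODE_ICMP_DST_UNREACH_DST_HOST_PROHIBITED,
    DECODE_ICMP_DST_UNREACH_DST_NET_PROHIBITED,
    DECODE_IP_OPTION_SET,
    DECODE_UDP_LARGE_PACKET,
    DECODE_TCP_PORT_ZERO,
    DECODE_UDP_PORT_ZERO,
    DECODE_IP_RESERVED_FRAG_BIT,
    DECODE_IP_UNASSIGNED_PROTO,
    DECODE_IP_BAD_PROTO,
    DECODE_ICMP_PATH_MTU_DOS,
    DECODE_ICMP_DOS_ATTEMPT,
    DECODE_IPV6_ISATAP_SPOOF,
    DECODE_PGM_NAK_OVERFLOW,
    DECODE_IGMP_OPTIONS_DOS,
    DECODE_IP6_EXCESS_EXT_HDR,
    DECODE_ICMPV6_UNREACHABLE_NON_RFC_4443_CODE,
    DECODE_IPV6_BAD_FRAG_PKT,              /* 458 -- cited by the FRAG3 section */
    DECODE_ZERO_LENGTH_FRAG,
    DECODE_ICMPV6_NODE_INFO_BAD_CODE,
    DECODE_IPV6_ROUTE_ZERO,
    DECODE_ERSPAN_HDR_VERSION_MISMATCH,
    DECODE_ERSPAN2_DGRAM_LT_HDR,
    DECODE_ERSPAN3_DGRAM_LT_HDR,
    DECODE_AUTH_HDR_TRUNC,
    DECODE_AUTH_HDR_BAD_LEN,
    DECODE_FPATH_HDR_TRUNC,
    DECODE_CISCO_META_HDR_TRUNC,
    DECODE_CISCO_META_HDR_OPT_LEN,
    DECODE_CISCO_META_HDR_OPT_TYPE,
    DECODE_CISCO_META_HDR_SGT,             /* 471 -- append new SIDs after this */
    DECODE_INDEX_MAX                       /* one past the last decoder SID */
};

/* Compile-time guard against accidental renumbering of the enum above.
 * The anchors are values that other parts of this header rely on by
 * number (the FRAG3 section cites 116:458 == DECODE_IPV6_BAD_FRAG_PKT),
 * the pair around the explicit "= 418", and the last assigned SID.
 * Appending after DECODE_CISCO_META_HDR_SGT still compiles; inserting
 * anywhere before it makes this array size negative and the build
 * fails, which is the intent.  Update the anchors only together with
 * preproc_rules/decoder.rules. */
typedef char DecodeSidLayoutCheck[
    (DECODE_ICMP4_DST_BROADCAST == 416 &&
     DECODE_ICMP4_TYPE_OTHER    == 418 &&
     DECODE_IPV6_BAD_FRAG_PKT   == 458 &&
     DECODE_CISCO_META_HDR_SGT  == 471) ? 1 : -1];

//-----------------------------------------------------
/*
** HttpInspect Generator IDs
**
** IMPORTANT::
** Whenever events are added to the internal HttpInspect
** event queue, you must also add the event here.  The
** trick is that whatever the number is in HttpInspect,
** it must be +1 when you define it here.
*/
// these are client specific events
#define GENERATOR_SPP_HTTP_INSPECT_CLIENT 119
#define HI_CLIENT_ASCII 1 /* done */
#define HI_CLIENT_DOUBLE_DECODE 2 /* done */
#define HI_CLIENT_U_ENCODE 3 /* done */
#define HI_CLIENT_BARE_BYTE 4 /* done */
/* Base 36 is deprecated and essentially a noop
 * Leaving here in case anyone out there has historical data with
 * alerts of this type */
#define HI_CLIENT_BASE36 5 /* done */
#define HI_CLIENT_UTF_8 6 /* done */
#define HI_CLIENT_IIS_UNICODE 7 /* done */
#define HI_CLIENT_MULTI_SLASH 8 /* done */
#define HI_CLIENT_IIS_BACKSLASH 9 /* done */
#define HI_CLIENT_SELF_DIR_TRAV 10 /* done */
#define HI_CLIENT_DIR_TRAV 11 /* done */
#define HI_CLIENT_APACHE_WS 12 /* done */
#define HI_CLIENT_IIS_DELIMITER 13 /* done */
#define HI_CLIENT_NON_RFC_CHAR 14 /* done */
#define HI_CLIENT_OVERSIZE_DIR 15 /* done */
#define HI_CLIENT_LARGE_CHUNK 16 /* done */
#define HI_CLIENT_PROXY_USE 17 /* done */
#define HI_CLIENT_WEBROOT_DIR 18 /* done */
#define HI_CLIENT_LONG_HDR 19 /* done */
#define HI_CLIENT_MAX_HEADERS 20 /* done */
#define HI_CLIENT_MULTIPLE_CONTLEN 21
#define HI_CLIENT_CHUNK_SIZE_MISMATCH 22
#define HI_CLIENT_INVALID_TRUEIP 23
#define HI_CLIENT_MULTIPLE_HOST_HDRS 24
#define HI_CLIENT_LONG_HOSTNAME 25
#define HI_CLIENT_EXCEEDS_SPACES 26
#define HI_CLIENT_CONSECUTIVE_SMALL_CHUNK_SIZES 27
#define HI_CLIENT_UNBOUNDED_POST 28
#define HI_CLIENT_MULTIPLE_TRUEIP_IN_SESSION 29
#define HI_CLIENT_BOTH_TRUEIP_XFF_HDRS 30
#define HI_CLIENT_UNKNOWN_METHOD 31
#define HI_CLIENT_SIMPLE_REQUEST 32
#define HI_CLIENT_UNESCAPED_SPACE_URI 33
#define HI_CLIENT_PIPELINE_MAX 34
/* 35 is not defined in this file; do not assign it here without
 * checking HttpInspect's internal event table. */
#define HI_CLIENT_INVALID_RANGE_UNIT_FMT 36
#define HI_CLIENT_RANGE_NON_GET_METHOD 37
#define HI_CLIENT_RANGE_FIELD_ERROR 38

// these are either server specific or both client / server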
/*
** GID 120 -- HttpInspect, server-side events plus the ones that apply
** to both directions (HI_CLISRV_*).  As with the client GID, each SID is
** HttpInspect's internal event number plus one.  SIDs 18..29 are not
** defined in this file; leave that gap alone unless HttpInspect's own
** table says otherwise.
*/
#define GENERATOR_SPP_HTTP_INSPECT                  120
#define HI_ANOM_SERVER_ALERT                        1   /* done */
#define HI_SERVER_INVALID_STATCODE                  2
#define HI_SERVER_NO_CONTLEN                        3
#define HI_SERVER_UTF_NORM_FAIL                     4
#define HI_SERVER_UTF7                              5
#define HI_SERVER_DECOMPR_FAILED                    6
#define HI_SERVER_CONSECUTIVE_SMALL_CHUNK_SIZES     7
#define HI_CLISRV_MSG_SIZE_EXCEPTION                8
#define HI_SERVER_JS_OBFUSCATION_EXCD               9
#define HI_SERVER_JS_EXCESS_WS                      10
#define HI_SERVER_MIXED_ENCODINGS                   11
#define HI_SERVER_SWF_ZLIB_FAILURE                  12
#define HI_SERVER_SWF_LZMA_FAILURE                  13
#define HI_SERVER_PDF_DEFLATE_FAILURE               14
#define HI_SERVER_PDF_UNSUP_COMP_TYPE               15
#define HI_SERVER_PDF_CASC_COMP                     16
#define HI_SERVER_PDF_PARSE_FAILURE                 17

#define HI_SERVER_INVALID_CONTENT_RANGE_UNIT_FMT    30
#define HI_SERVER_RANGE_FIELD_ERROR                 31
#define HI_SERVER_NON_RANGE_GET_PARTIAL_METHOD      32

/*
** GID 122 -- sfPortscan.
**
** The layout is eight SIDs per protocol (TCP 1-8, IP 9-16, UDP 17-24)
** in the order: portscan, decoy portscan, portsweep, distributed
** portscan, then the four "filtered" counterparts.  ICMP only has the
** sweep pair (25, 26).  27 is the open-port notification.
*/
#define GENERATOR_PSNG                              122

#define PSNG_TCP_PORTSCAN                           1
#define PSNG_TCP_DECOY_PORTSCAN                     2
#define PSNG_TCP_PORTSWEEP                          3
#define PSNG_TCP_DISTRIBUTED_PORTSCAN               4
#define PSNG_TCP_FILTERED_PORTSCAN                  5
#define PSNG_TCP_FILTERED_DECOY_PORTSCAN            6
#define PSNG_TCP_PORTSWEEP_FILTERED                 7
#define PSNG_TCP_FILTERED_DISTRIBUTED_PORTSCAN      8

#define PSNG_IP_PORTSCAN                            9
#define PSNG_IP_DECOY_PORTSCAN                      10
#define PSNG_IP_PORTSWEEP                           11
#define PSNG_IP_DISTRIBUTED_PORTSCAN                12
#define PSNG_IP_FILTERED_PORTSCAN                   13
#define PSNG_IP_FILTERED_DECOY_PORTSCAN             14
#define PSNG_IP_PORTSWEEP_FILTERED                  15
#define PSNG_IP_FILTERED_DISTRIBUTED_PORTSCAN       16

#define PSNG_UDP_PORTSCAN                           17
#define PSNG_UDP_DECOY_PORTSCAN                     18
#define PSNG_UDP_PORTSWEEP                          19
#define PSNG_UDP_DISTRIBUTED_PORTSCAN               20
#define PSNG_UDP_FILTERED_PORTSCAN                  21
#define PSNG_UDP_FILTERED_DECOY_PORTSCAN            22
#define PSNG_UDP_PORTSWEEP_FILTERED                 23
#define PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN      24

#define PSNG_ICMP_PORTSWEEP                         25
#define PSNG_ICMP_PORTSWEEP_FILTERED                26

#define PSNG_OPEN_PORT                              27

/*
** GID 123 -- frag3 IP defragmentation.
**
** 123:9 and 123:10 were superseded by 116:458 (DECODE_IPV6_BAD_FRAG_PKT)
** and are retired; they stay commented out so the numbers are never
** reused.
*/
#define GENERATOR_SPP_FRAG3                         123
#define FRAG3_IPOPTIONS                             1
#define FRAG3_TEARDROP                              2
#define FRAG3_SHORT_FRAG                            3
#define FRAG3_ANOMALY_OVERSIZE                      4
#define FRAG3_ANOMALY_ZERO                          5
#define FRAG3_ANOMALY_BADSIZE_SM                    6
#define FRAG3_ANOMALY_BADSIZE_LG                    7
#define FRAG3_ANOMALY_OVLP                          8
/* ------ retired, do not reuse ------
#define FRAG3_IPV6_BSD_ICMP_FRAG                    9
#define FRAG3_IPV6_BAD_FRAG_PKT                     10
 * ------ */
#define FRAG3_MIN_TTL_EVASION                       11
#define FRAG3_EXCESSIVE_OVERLAP                     12
#define FRAG3_TINY_FRAGMENT                         13

/*
** GID 124 -- SMTP preprocessor.
**
** 124:9 (SMTP_DECODE_MEMCAP_EXCEEDED) is obsolete and 124:12
** (SMTP_BITENC_DECODING_FAILED) is no longer raised; both numbers are
** retired and must not be reassigned.
*/
#define GENERATOR_SMTP                              124
#define SMTP_COMMAND_OVERFLOW                       1
#define SMTP_DATA_HDR_OVERFLOW                      2
#define SMTP_RESPONSE_OVERFLOW                      3
#define SMTP_SPECIFIC_CMD_OVERFLOW                  4
#define SMTP_UNKNOWN_CMD                            5
#define SMTP_ILLEGAL_CMD                            6
#define SMTP_HEADER_NAME_OVERFLOW                   7
#define SMTP_XLINK2STATE_OVERFLOW                   8
/* retired: #define SMTP_DECODE_MEMCAP_EXCEEDED    9 */
#define SMTP_B64_DECODING_FAILED                    10
#define SMTP_QP_DECODING_FAILED                     11
/* retired: #define SMTP_BITENC_DECODING_FAILED    12 */
#define SMTP_UU_DECODING_FAILED                     13

/*
** FTPTelnet Generator IDs
**
** IMPORTANT::
** Whenever events are added to the internal FTP or Telnet
** event queues, you must also add the event here.  The
** trick is that whatever the number is in FTPTelnet,
** it must be +1 when you define it here.
*/
#define GENERATOR_SPP_FTPP_FTP                      125
#define FTPP_FTP_TELNET_CMD                         1
#define FTPP_FTP_INVALID_CMD                        2
#define FTPP_FTP_PARAMETER_LENGTH_OVERFLOW          3
#define FTPP_FTP_MALFORMED_PARAMETER                4
#define FTPP_FTP_PARAMETER_STR_FORMAT               5
#define FTPP_FTP_RESPONSE_LENGTH_OVERFLOW           6
#define FTPP_FTP_ENCRYPTED                          7
#define FTPP_FTP_BOUNCE                             8

#define GENERATOR_SPP_FTPP_TELNET                   126
#define FTPP_TELNET_AYT_OVERFLOW                    1
#define FTPP_TELNET_ENCRYPTED                       2
#define FTPP_TELNET_SUBNEG_BEGIN_NO_END             3

/* GID 127 is reserved for ISAKMP; no SIDs are defined here. */
#define GENERATOR_SPP_ISAKMP                        127

/* GID 128 -- SSH preprocessor */
#define GENERATOR_SPP_SSH                           128
#define SSH_EVENT_RESPOVERFLOW                      1
#define SSH_EVENT_CRC32                             2
#define SSH_EVENT_SECURECRT                         3
#define SSH_EVENT_PROTOMISMATCH                     4
#define SSH_EVENT_WRONGDIR                          5
#define SSH_EVENT_PAYLOAD_SIZE                      6
#define SSH_EVENT_VERSION                           7

/* GID 129 -- TCP stream reassembly anomalies.  Alert text lives in the
 * STREAM_*_STR definitions further down. */
#define GENERATOR_SPP_STREAM                        129
#define STREAM_SYN_ON_EST                           1
#define STREAM_DATA_ON_SYN                          2
#define STREAM_DATA_ON_CLOSED                       3
#define STREAM_BAD_TIMESTAMP                        4
#define STREAM_BAD_SEGMENT                          5
#define STREAM_WINDOW_TOO_LARGE                     6
#define STREAM_EXCESSIVE_TCP_OVERLAPS               7
#define STREAM_DATA_AFTER_RESET                     8
#define STREAM_SESSION_HIJACKED_CLIENT              9
#define STREAM_SESSION_HIJACKED_SERVER              10
#define STREAM_DATA_WITHOUT_FLAGS                   11
#define STREAM_SMALL_SEGMENT                        12
#define STREAM_4WAY_HANDSHAKE                       13
#define STREAM_NO_TIMESTAMP                         14
#define STREAM_BAD_RST                              15
#define STREAM_BAD_FIN                              16
#define STREAM_BAD_ACK                              17
#define STREAM_DATA_AFTER_RST_RCVD                  18
#define STREAM_WINDOW_SLAM                          19
#define STREAM_NO_3WHS                              20

/* GID 131 -- DNS preprocessor (130 is not defined in this file) */
#define GENERATOR_DNS                               131
#define DNS_EVENT_OBSOLETE_TYPES                    1
#define DNS_EVENT_EXPERIMENTAL_TYPES                2
#define DNS_EVENT_RDATA_OVERFLOW                    3

/* GID 132 is reserved for Skype; no SIDs are defined here. */
#define GENERATOR_SKYPE                             132

/* GID 133 -- DCE/RPC 2 preprocessor (SMB, CO and CL RPC).  The list
 * continues below this point. */
#define GENERATOR_DCE2                              133
#define DCE2_EVENT__MEMCAP                          1
#define DCE2_EVENT__SMB_BAD_NBSS_TYPE               2
#define DCE2_EVENT__SMB_BAD_TYPE                    3
#define DCE2_EVENT__SMB_BAD_ID                      4
/* GID 133 continued -- SMB1 header / field sanity events */
#define DCE2_EVENT__SMB_BAD_WCT                     5
#define DCE2_EVENT__SMB_BAD_BCC                     6
#define DCE2_EVENT__SMB_BAD_FORMAT                  7
#define DCE2_EVENT__SMB_BAD_OFF                     8
#define DCE2_EVENT__SMB_TDCNT_ZERO                  9
#define DCE2_EVENT__SMB_NB_LT_SMBHDR                10
#define DCE2_EVENT__SMB_NB_LT_COM                   11
#define DCE2_EVENT__SMB_NB_LT_BCC                   12
#define DCE2_EVENT__SMB_NB_LT_DSIZE                 13
#define DCE2_EVENT__SMB_TDCNT_LT_DSIZE              14
#define DCE2_EVENT__SMB_DSENT_GT_TDCNT              15
#define DCE2_EVENT__SMB_BCC_LT_DSIZE                16
#define DCE2_EVENT__SMB_INVALID_DSIZE               17
#define DCE2_EVENT__SMB_EXCESSIVE_TREE_CONNECTS     18
#define DCE2_EVENT__SMB_EXCESSIVE_READS             19
#define DCE2_EVENT__SMB_EXCESSIVE_CHAINING          20
#define DCE2_EVENT__SMB_MULT_CHAIN_SS               21
#define DCE2_EVENT__SMB_MULT_CHAIN_TC               22
#define DCE2_EVENT__SMB_CHAIN_SS_LOGOFF             23
#define DCE2_EVENT__SMB_CHAIN_TC_TDIS               24
#define DCE2_EVENT__SMB_CHAIN_OPEN_CLOSE            25
#define DCE2_EVENT__SMB_INVALID_SHARE               26

/* GID 133 -- connection-oriented DCE/RPC (CO_*) */
#define DCE2_EVENT__CO_BAD_MAJ_VERSION              27
#define DCE2_EVENT__CO_BAD_MIN_VERSION              28
#define DCE2_EVENT__CO_BAD_PDU_TYPE                 29
#define DCE2_EVENT__CO_FLEN_LT_HDR                  30
#define DCE2_EVENT__CO_FLEN_LT_SIZE                 31
#define DCE2_EVENT__CO_ZERO_CTX_ITEMS               32
#define DCE2_EVENT__CO_ZERO_TSYNS                   33
#define DCE2_EVENT__CO_FRAG_LT_MAX_XMIT_FRAG        34
#define DCE2_EVENT__CO_FRAG_GT_MAX_XMIT_FRAG        35
#define DCE2_EVENT__CO_ALTER_CHANGE_BYTE_ORDER      36
#define DCE2_EVENT__CO_FRAG_DIFF_CALL_ID            37
#define DCE2_EVENT__CO_FRAG_DIFF_OPNUM              38
#define DCE2_EVENT__CO_FRAG_DIFF_CTX_ID             39

/* GID 133 -- connectionless DCE/RPC (CL_*) */
#define DCE2_EVENT__CL_BAD_MAJ_VERSION              40
#define DCE2_EVENT__CL_BAD_PDU_TYPE                 41
#define DCE2_EVENT__CL_DATA_LT_HDR                  42
#define DCE2_EVENT__CL_BAD_SEQ_NUM                  43

/* GID 133 -- later SMB1/SMB2 additions; append new DCE2 SIDs after 59 */
#define DCE2_EVENT__SMB_V1                          44
#define DCE2_EVENT__SMB_V2                          45
#define DCE2_EVENT__SMB_INVALID_BINDING             46
#define DCE2_EVENT__SMB2_EXCESSIVE_COMPOUNDING      47
#define DCE2_EVENT__SMB_DCNT_ZERO                   48
#define DCE2_EVENT__SMB_DCNT_MISMATCH               49
#define DCE2_EVENT__SMB_MAX_REQS_EXCEEDED           50
#define DCE2_EVENT__SMB_REQS_SAME_MID               51
#define DCE2_EVENT__SMB_DEPR_DIALECT_NEGOTIATED     52
#define DCE2_EVENT__SMB_DEPR_COMMAND_USED           53
#define DCE2_EVENT__SMB_UNUSUAL_COMMAND_USED        54
#define DCE2_EVENT__SMB_INVALID_SETUP_COUNT         55
#define DCE2_EVENT__SMB_MULTIPLE_NEGOTIATIONS       56
#define DCE2_EVENT__SMB_EVASIVE_FILE_ATTRS          57
#define DCE2_EVENT__SMB_INVALID_FILE_OFFSET         58
#define DCE2_EVENT__SMB_BAD_NEXT_COMMAND_OFFSET     59

/* GID 134 -- packet performance monitor (latency-based rule/packet abort) */
#define GENERATOR_PPM                               134
#define PPM_EVENT_RULE_TREE_DISABLED                1
#define PPM_EVENT_RULE_TREE_ENABLED                 2
#define PPM_EVENT_PACKET_ABORTED                    3

/* GID 135 -- internal (non-alerting) session lifecycle events */
#define GENERATOR_INTERNAL                          135
#define INTERNAL_EVENT_SYN_RECEIVED                 1
#define INTERNAL_EVENT_SESSION_ADD                  2
#define INTERNAL_EVENT_SESSION_DEL                  3

/* GIDs 136-139 are reserved here; their SIDs are defined by the
 * respective preprocessors. */
#define GENERATOR_SPP_REPUTATION                    136
#define GENERATOR_SPP_SSLPP                         137
#define GENERATOR_SPP_SDF_RULES                     138
#define GENERATOR_SPP_SDF_PREPROC                   139

/* GIDs 140-142 are owned by other headers and deliberately NOT defined
 * here -- keep it that way to avoid duplicate-definition conflicts:
 *   140  GENERATOR_SPP_SIP   (spp_sip.h)
 *   141  GENERATOR_SPP_IMAP  (imap_log.h)
 *   142  GENERATOR_SPP_POP   (pop_log.h) */
/* SID for the sensitive-data (SDF) combined alert; belongs with GIDs
 * 138/139 above. */
#define SDF_COMBO_ALERT                             1

/* Further preprocessor GIDs.  146/147 (file type / file signature) are
 * defined in file_service.h and intentionally not repeated here. */
#define GENERATOR_SPP_GTP                           143
#define GENERATOR_SPP_MODBUS                        144
#define GENERATOR_SPP_DNP3                          145
/*      GENERATOR_FILE_TYPE                         146   -- file_service.h */
/*      GENERATOR_FILE_SIGNATURE                    147   -- file_service.h */
#define GENERATOR_SPP_CIP                           148
#define GENERATOR_SPP_S7COMMPLUS                    149


/*
** Alert message text for the internal (non-rule) events above.
**
** These strings are emitted verbatim as the alert "msg" and are very
** likely matched on by downstream tooling (SIEM parsers, correlation
** rules, historical data).  Do not "fix" spelling or punctuation here
** without coordinating that change with consumers -- e.g. the
** "Origianl" typo in DECODE_ICMP_ORIG_PAYLOAD_GT_576_STR, the missing
** space in DECODE_BAD_TR_MR_LEN_STR, the "(snort decoder)" vs
** "(snort_decoder)" prefix split, and the "(spo_bo)" prefix on the
** GENERATOR_SPP_BO messages are all preserved exactly as shipped.
*/

/* ARP spoof (GID 112) */
#define ARPSPOOF_UNICAST_ARP_REQUEST_STR            "(spp_arpspoof) Unicast ARP request"
#define ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC_STR    "(spp_arpspoof) Ethernet/ARP Mismatch request for Source"
#define ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST_STR    "(spp_arpspoof) Ethernet/ARP Mismatch request for Destination"
#define ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK_STR     "(spp_arpspoof) Attempted ARP cache overwrite attack"

/* Back Orifice (GID 105) */
#define BO_TRAFFIC_DETECT_STR                       "(spo_bo) Back Orifice Traffic detected"
#define BO_CLIENT_TRAFFIC_DETECT_STR                "(spo_bo) Back Orifice Client Traffic detected"
#define BO_SERVER_TRAFFIC_DETECT_STR                "(spo_bo) Back Orifice Server Traffic detected"
#define BO_SNORT_BUFFER_ATTACK_STR                  "(spo_bo) Back Orifice Snort buffer attack"

/* frag3 (GID 123).  Note the *_ANOM_*_STR names pair with the
 * FRAG3_ANOMALY_* SIDs above. */
#define FRAG3_IPOPTIONS_STR                         "(spp_frag3) Inconsistent IP Options on Fragmented Packets"
#define FRAG3_TEARDROP_STR                          "(spp_frag3) Teardrop attack"
#define FRAG3_SHORT_FRAG_STR                        "(spp_frag3) Short fragment, possible DoS attempt"
#define FRAG3_ANOM_OVERSIZE_STR                     "(spp_frag3) Fragment packet ends after defragmented packet"
#define FRAG3_ANOM_ZERO_STR                         "(spp_frag3) Zero-byte fragment packet"
#define FRAG3_ANOM_BADSIZE_SM_STR                   "(spp_frag3) Bad fragment size, packet size is negative"
#define FRAG3_ANOM_BADSIZE_LG_STR                   "(spp_frag3) Bad fragment size, packet size is greater than 65536"
#define FRAG3_ANOM_OVLP_STR                         "(spp_frag3) Fragmentation overlap"
/* 123:9 and 123:10 are retired in favour of 116:458
 * (DECODE_IPV6_BAD_FRAG_PKT); kept commented out so the numbers and
 * messages are not reused.
 * ------
#define FRAG3_IPV6_BSD_ICMP_FRAG_STR                "(spp_frag3) IPv6 BSD mbufs remote kernel buffer overflow"
#define FRAG3_IPV6_BAD_FRAG_PKT_STR                 "(spp_frag3) Bogus fragmentation packet. Possible BSD attack"
 * ------ */
#define FRAG3_MIN_TTL_EVASION_STR                   "(spp_frag3) TTL value less than configured minimum, not using for reassembly"
#define FRAG3_EXCESSIVE_OVERLAP_STR                 "(spp_frag3) Excessive fragment overlap"
#define FRAG3_TINY_FRAGMENT_STR                     "(spp_frag3) Tiny fragment"

/* Stream (GID 129).  These carry no "(spp_...)" prefix. */
#define STREAM_SYN_ON_EST_STR                       "Syn on established session"
#define STREAM_DATA_ON_SYN_STR                      "Data on SYN packet"
#define STREAM_DATA_ON_CLOSED_STR                   "Data sent on stream not accepting data"
#define STREAM_BAD_TIMESTAMP_STR                    "TCP Timestamp is outside of PAWS window"
#define STREAM_BAD_SEGMENT_STR                      "Bad segment, adjusted size <= 0"
#define STREAM_WINDOW_TOO_LARGE_STR                 "Window size (after scaling) larger than policy allows"
#define STREAM_EXCESSIVE_TCP_OVERLAPS_STR           "Limit on number of overlapping TCP packets reached"
#define STREAM_DATA_AFTER_RESET_STR                 "Data sent on stream after TCP Reset sent"
#define STREAM_SESSION_HIJACKED_CLIENT_STR          "TCP Client possibly hijacked, different Ethernet Address"
#define STREAM_SESSION_HIJACKED_SERVER_STR          "TCP Server possibly hijacked, different Ethernet Address"
#define STREAM_DATA_WITHOUT_FLAGS_STR               "TCP Data with no TCP Flags set"
#define STREAM_SMALL_SEGMENT_STR                    "Consecutive TCP small segments exceeding threshold"
#define STREAM_4WAY_HANDSHAKE_STR                   "4-way handshake detected"
#define STREAM_NO_TIMESTAMP_STR                     "TCP Timestamp is missing"
#define STREAM_BAD_RST_STR                          "Reset outside window"
#define STREAM_BAD_FIN_STR                          "FIN number is greater than prior FIN"
#define STREAM_BAD_ACK_STR                          "ACK number is greater than prior FIN"
#define STREAM_DATA_AFTER_RST_RCVD_STR              "Data sent on stream after TCP Reset received"
#define STREAM_WINDOW_SLAM_STR                      "TCP window closed before receiving data"
#define STREAM_NO_3WHS_STR                          "TCP session without 3-way handshake"

/* Internal stream events carry no message text. */
#define STREAM_INTERNAL_EVENT_STR                   ""

/* PPM (GID 134) */
#define PPM_EVENT_RULE_TREE_DISABLED_STR            "PPM Rule Options Disabled by Rule Latency"
#define PPM_EVENT_RULE_TREE_ENABLED_STR             "PPM Rule Options Re-enabled by Rule Latency"
#define PPM_EVENT_PACKET_ABORTED_STR                "PPM Packet Aborted due to Latency"

/* Decoder (GID 116), explicit-SID range.  DECODE_NOT_IPV6_DGRAM_STR and
 * DECODE_IPV4_DGRAM_UNKNOWN_STR have no SID define in this file. */
#define DECODE_NOT_IPV4_DGRAM_STR                   "(snort_decoder) WARNING: Not IPv4 datagram"
#define DECODE_IPV4_INVALID_HEADER_LEN_STR          "(snort_decoder) WARNING: hlen < IP_HEADER_LEN"
#define DECODE_IPV4_DGRAM_LT_IPHDR_STR              "(snort_decoder) WARNING: IP dgm len < IP Hdr len"
#define DECODE_IPV4OPT_BADLEN_STR                   "(snort_decoder) WARNING: Ipv4 Options found with bad lengths"
#define DECODE_IPV4OPT_TRUNCATED_STR                "(snort_decoder) WARNING: Truncated Ipv4 Options"
#define DECODE_IPV4_DGRAM_GT_CAPLEN_STR             "(snort_decoder) WARNING: IP dgm len > captured len"
#define DECODE_NOT_IPV6_DGRAM_STR                   "(snort_decoder) WARNING: Not an IPv6 datagram"

#define DECODE_TCP_DGRAM_LT_TCPHDR_STR              "(snort_decoder) WARNING: TCP packet len is smaller than 20 bytes"
#define DECODE_TCP_INVALID_OFFSET_STR               "(snort_decoder) WARNING: TCP Data Offset is less than 5"
#define DECODE_TCP_LARGE_OFFSET_STR                 "(snort_decoder) WARNING: TCP Header length exceeds packet length"

#define DECODE_TCPOPT_BADLEN_STR                    "(snort_decoder) WARNING: Tcp Options found with bad lengths"
#define DECODE_TCPOPT_TRUNCATED_STR                 "(snort_decoder) WARNING: Truncated Tcp Options"
#define DECODE_TCPOPT_TTCP_STR                      "(snort_decoder) WARNING: T/TCP Detected"
#define DECODE_TCPOPT_OBSOLETE_STR                  "(snort_decoder) WARNING: Obsolete TCP Options found"
#define DECODE_TCPOPT_EXPERIMENT_STR                "(snort_decoder) WARNING: Experimental Tcp Options found"
#define DECODE_TCPOPT_WSCALE_INVALID_STR            "(snort_decoder) WARNING: Tcp Window Scale Option found with length > 14"

#define DECODE_UDP_DGRAM_LT_UDPHDR_STR              "(snort_decoder) WARNING: Truncated UDP Header"
#define DECODE_UDP_DGRAM_INVALID_LENGTH_STR         "(snort_decoder) WARNING: Invalid UDP header, length field < 8"
#define DECODE_UDP_DGRAM_SHORT_PACKET_STR           "(snort_decoder) WARNING: Short UDP packet, length field > payload length"
#define DECODE_UDP_DGRAM_LONG_PACKET_STR            "(snort_decoder) WARNING: Long UDP packet, length field < payload length"

#define DECODE_ICMP_DGRAM_LT_ICMPHDR_STR            "(snort_decoder) WARNING: ICMP Header Truncated"
#define DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR_STR       "(snort_decoder) WARNING: ICMP Timestamp Header Truncated"
#define DECODE_ICMP_DGRAM_LT_ADDRHDR_STR            "(snort_decoder) WARNING: ICMP Address Header Truncated"
#define DECODE_IPV4_DGRAM_UNKNOWN_STR               "(snort_decoder) WARNING: Unknown Datagram decoding problem"
#define DECODE_ARP_TRUNCATED_STR                    "(snort_decoder) WARNING: Truncated ARP"
#define DECODE_EAPOL_TRUNCATED_STR                  "(snort_decoder) WARNING: Truncated EAP Header"
#define DECODE_EAPKEY_TRUNCATED_STR                 "(snort_decoder) WARNING: EAP Key Truncated"
#define DECODE_EAP_TRUNCATED_STR                    "(snort_decoder) WARNING: EAP Header Truncated"
#define DECODE_BAD_PPPOE_STR                        "(snort_decoder) WARNING: Bad PPPOE frame detected"
#define DECODE_BAD_VLAN_STR                         "(snort_decoder) WARNING: Bad VLAN Frame"
#define DECODE_BAD_VLAN_ETHLLC_STR                  "(snort_decoder) WARNING: Bad LLC header"
#define DECODE_BAD_VLAN_OTHER_STR                   "(snort_decoder) WARNING: Bad Extra LLC Info"
#define DECODE_BAD_80211_ETHLLC_STR                 "(snort_decoder) WARNING: Bad 802.11 LLC header"
#define DECODE_BAD_80211_OTHER_STR                  "(snort_decoder) WARNING: Bad 802.11 Extra LLC Info"

#define DECODE_BAD_TRH_STR                          "(snort_decoder) WARNING: Bad Token Ring Header"
#define DECODE_BAD_TR_ETHLLC_STR                    "(snort_decoder) WARNING: Bad Token Ring ETHLLC Header"
#define DECODE_BAD_TR_MR_LEN_STR                    "(snort_decoder) WARNING: Bad Token Ring MRLENHeader"
#define DECODE_BAD_TRHMR_STR                        "(snort_decoder) WARNING: Bad Token Ring MR Header"

#define DECODE_BAD_TRAFFIC_LOOPBACK_STR             "(snort decoder) WARNING: Bad Traffic Loopback IP"
#define DECODE_BAD_TRAFFIC_SAME_SRCDST_STR          "(snort decoder) WARNING: Bad Traffic Same Src/Dst IP"

/* GRE messages exist only in GRE-enabled builds, matching the SIDs. */
#ifdef GRE
#define DECODE_GRE_DGRAM_LT_GREHDR_STR              "(snort decoder) WARNING: GRE header length > payload length"
#define DECODE_GRE_MULTIPLE_ENCAPSULATION_STR       "(snort decoder) WARNING: Multiple encapsulations in packet"
#define DECODE_GRE_INVALID_VERSION_STR              "(snort decoder) WARNING: Invalid GRE version"
#define DECODE_GRE_INVALID_HEADER_STR               "(snort decoder) WARNING: Invalid GRE header"
#define DECODE_GRE_V1_INVALID_HEADER_STR            "(snort decoder) WARNING: Invalid GRE v.1 PPTP header"
#define DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR_STR      "(snort decoder) WARNING: GRE Trans header length > payload length"
#endif /* GRE */

#define DECODE_ICMP_ORIG_IP_TRUNCATED_STR           "(snort_decoder) WARNING: ICMP Original IP Header Truncated"
#define DECODE_ICMP_ORIG_IP_VER_MISMATCH_STR        "(snort_decoder) WARNING: ICMP version and Original IP Header versions differ"
#define DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP_STR       "(snort_decoder) WARNING: ICMP Original Datagram Length < Original IP Header Length"
#define DECODE_ICMP_ORIG_PAYLOAD_LT_64_STR          "(snort_decoder) WARNING: ICMP Original IP Payload < 64 bits"
#define DECODE_ICMP_ORIG_PAYLOAD_GT_576_STR         "(snort_decoder) WARNING: ICMP Origianl IP Payload > 576 bytes"
#define DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET_STR     "(snort_decoder) WARNING: ICMP Original IP Fragmented and Offset Not 0"

#define DECODE_IPV6_MIN_TTL_STR                     "(snort decoder) WARNING: IPv6 packet below TTL limit"
#define DECODE_IPV6_IS_NOT_STR                      "(snort decoder) WARNING: IPv6 header claims to not be IPv6"
#define DECODE_IPV6_TRUNCATED_EXT_STR               "(snort decoder) WARNING: IPV6 truncated extension header"
#define DECODE_IPV6_TRUNCATED_STR                   "(snort decoder) WARNING: IPV6 truncated header"
#define DECODE_IPV6_DGRAM_LT_IPHDR_STR              "(snort_decoder) WARNING: IP dgm len < IP Hdr len"
#define DECODE_IPV6_DGRAM_GT_CAPLEN_STR             "(snort_decoder) WARNING: IP dgm len > captured len"

#define DECODE_IPV6_DST_ZERO_STR                    "(snort_decoder) WARNING: IPv6 packet with destination address ::0"
#define DECODE_IPV6_SRC_MULTICAST_STR               "(snort_decoder) WARNING: IPv6 packet with multicast source address"
#define DECODE_IPV6_DST_RESERVED_MULTICAST_STR      "(snort_decoder) WARNING: IPv6 packet with reserved multicast destination address"
#define DECODE_IPV6_BAD_OPT_TYPE_STR                "(snort_decoder) WARNING: IPv6 header includes an undefined option type"
#define DECODE_IPV6_BAD_MULTICAST_SCOPE_STR         "(snort_decoder) WARNING: IPv6 address includes an unassigned multicast scope value"
#define DECODE_IPV6_BAD_NEXT_HEADER_STR             "(snort_decoder) WARNING: IPv6 header includes an invalid value for the \"next header\" field"
#define DECODE_IPV6_ROUTE_AND_HOPBYHOP_STR          "(snort_decoder) WARNING: IPv6 header includes a routing extension header followed by a hop-by-hop header"
#define DECODE_IPV6_TWO_ROUTE_HEADERS_STR           "(snort_decoder) WARNING: IPv6 header includes two routing extension headers"
#define DECODE_IPV6_DSTOPTS_WITH_ROUTING_STR        "(snort_decoder) WARNING: IPv6 header has destination options followed by a routing header"
#define DECODE_ICMPV6_TOO_BIG_BAD_MTU_STR           "(snort_decoder) WARNING: ICMPv6 packet of type 2 (message too big) with MTU field < 1280"
#define DECODE_ICMPV6_UNREACHABLE_NON_RFC_2463_CODE_STR "(snort_decoder) WARNING: ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code"
#define DECODE_ICMPV6_SOLICITATION_BAD_CODE_STR     "(snort_decoder) WARNING: ICMPv6 router solicitation packet with a code not equal to 0"
#define DECODE_ICMPV6_ADVERT_BAD_CODE_STR           "(snort_decoder) WARNING: ICMPv6 router advertisement packet with a code not equal to 0"
#define DECODE_ICMPV6_SOLICITATION_BAD_RESERVED_STR "(snort_decoder) WARNING: ICMPv6 router solicitation packet with the reserved field not equal to 0"
#define DECODE_ICMPV6_ADVERT_BAD_REACHABLE_STR      "(snort_decoder) WARNING: ICMPv6 router advertisement packet with the reachable time field set > 1 hour"

#define DECODE_IPV6_TUNNELED_IPV4_TRUNCATED_STR     "(snort_decoder) WARNING: IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux Kernel attack"

#define DECODE_IP_MULTIPLE_ENCAPSULATION_STR        "(snort_decoder) WARNING: Two or more IP (v4 and/or v6) encapsulation layers present"

#define DECODE_ESP_HEADER_TRUNC_STR                 "(snort_decoder) WARNING: truncated Encapsulated Security Payload (ESP) header"

#define DECODE_IPV6_BAD_OPT_LEN_STR                 "(snort_decoder) WARNING: IPv6 header includes an option which is too big for the containing header"

#define DECODE_IPV6_UNORDERED_EXTENSIONS_STR        "(snort_decoder) WARNING: IPv6 packet includes out-of-order extension headers"
#define DECODE_GTP_MULTIPLE_ENCAPSULATION_STR       "(snort_decoder) WARNING: Two or more GTP encapsulation layers present"
#define DECODE_GTP_BAD_LEN_STR                      "(snort_decoder) WARNING: GTP header length is invalid"

/* Decoder (GID 116), enum range 400+.  Keep this list in the same order
 * as the enum so a new SID and its message are added together. */
#define DECODE_TCP_XMAS_STR                         "(snort_decoder) WARNING: XMAS Attack Detected"
#define DECODE_TCP_NMAP_XMAS_STR                    "(snort_decoder) WARNING: Nmap XMAS Attack Detected"

#define DECODE_DOS_NAPTHA_STR                       "(snort_decoder) WARNING: DOS NAPTHA Vulnerability Detected"
#define DECODE_SYN_TO_MULTICAST_STR                 "(snort_decoder) WARNING: Bad Traffic SYN to multicast address"
#define DECODE_ZERO_TTL_STR                         "(snort_decoder) WARNING: IPV4 packet with zero TTL"
#define DECODE_BAD_FRAGBITS_STR                     "(snort_decoder) WARNING: IPV4 packet with bad frag bits (Both MF and DF set)"
#define DECODE_UDP_IPV6_ZERO_CHECKSUM_STR           "(snort_decoder) WARNING: Invalid IPv6 UDP packet, checksum zero"
#define DECODE_IP4_LEN_OFFSET_STR                   "(snort_decoder) WARNING: IPV4 packet frag offset + length exceed maximum"
#define DECODE_IP4_SRC_THIS_NET_STR                 "(snort_decoder) WARNING: IPV4 packet from 'current net' source address"
#define DECODE_IP4_DST_THIS_NET_STR                 "(snort_decoder) WARNING: IPV4 packet to 'current net' dest address"
#define DECODE_IP4_SRC_MULTICAST_STR                "(snort_decoder) WARNING: IPV4 packet from multicast source address"
#define DECODE_IP4_SRC_RESERVED_STR                 "(snort_decoder) WARNING: IPV4 packet from reserved source address"
#define DECODE_IP4_DST_RESERVED_STR                 "(snort_decoder) WARNING: IPV4 packet to reserved dest address"
#define DECODE_IP4_SRC_BROADCAST_STR                "(snort_decoder) WARNING: IPV4 packet from broadcast source address"
#define DECODE_IP4_DST_BROADCAST_STR                "(snort_decoder) WARNING: IPV4 packet to broadcast dest address"
#define DECODE_ICMP4_DST_MULTICAST_STR              "(snort_decoder) WARNING: ICMP4 packet to multicast dest address"
#define DECODE_ICMP4_DST_BROADCAST_STR              "(snort_decoder) WARNING: ICMP4 packet to broadcast dest address"
#define DECODE_ICMP4_TYPE_OTHER_STR                 "(snort_decoder) WARNING: ICMP4 type other"
#define DECODE_TCP_BAD_URP_STR                      "(snort_decoder) WARNING: TCP urgent pointer exceeds payload length or no payload"
#define DECODE_TCP_SYN_FIN_STR                      "(snort_decoder) WARNING: TCP SYN with FIN"
#define DECODE_TCP_SYN_RST_STR                      "(snort_decoder) WARNING: TCP SYN with RST"
#define DECODE_TCP_MUST_ACK_STR                     "(snort_decoder) WARNING: TCP PDU missing ack for established session"
#define DECODE_TCP_NO_SYN_ACK_RST_STR               "(snort_decoder) WARNING: TCP has no SYN, ACK, or RST"
#define DECODE_ETH_HDR_TRUNC_STR                    "(snort_decoder) WARNING: truncated eth header"
#define DECODE_IP4_HDR_TRUNC_STR                    "(snort_decoder) WARNING: truncated IP4 header"
#define DECODE_ICMP4_HDR_TRUNC_STR                  "(snort_decoder) WARNING: truncated ICMP4 header"
#define DECODE_ICMP6_HDR_TRUNC_STR                  "(snort_decoder) WARNING: truncated ICMP6 header"
/* The message text for this definition continues on the next line. */
#define DECODE_IP4_MIN_TTL_STR \
"(snort decoder) WARNING: IPV4 packet below TTL limit" 743 #define DECODE_IP6_ZERO_HOP_LIMIT_STR "(snort decoder) WARNING: IPV6 packet has zero hop limit" 744 #define DECODE_IP4_DF_OFFSET_STR "(snort_decoder) WARNING: IPV4 packet both DF and offset set" 745 #define DECODE_ICMP6_TYPE_OTHER_STR "(snort_decoder) WARNING: ICMP6 type not decoded" 746 #define DECODE_ICMP6_DST_MULTICAST_STR "(snort_decoder) WARNING: ICMP6 packet to multicast address" 747 #define DECODE_TCP_SHAFT_SYNFLOOD_STR "(snort_decoder) WARNING: DDOS shaft synflood" 748 #define DECODE_ICMP_PING_NMAP_STR "(snort_decoder) WARNING: ICMP PING NMAP" 749 #define DECODE_ICMP_ICMPENUM_STR "(snort_decoder) WARNING: ICMP icmpenum v1.1.1" 750 #define DECODE_ICMP_REDIRECT_HOST_STR "(snort_decoder) WARNING: ICMP redirect host" 751 #define DECODE_ICMP_REDIRECT_NET_STR "(snort_decoder) WARNING: ICMP redirect net" 752 #define DECODE_ICMP_TRACEROUTE_IPOPTS_STR "(snort_decoder) WARNING: ICMP traceroute ipopts" 753 #define DECODE_ICMP_SOURCE_QUENCH_STR "(snort_decoder) WARNING: ICMP Source Quench" 754 #define DECODE_ICMP_BROADSCAN_SMURF_SCANNER_STR "(snort_decoder) WARNING: Broadscan Smurf Scanner" 755 #define DECODE_ICMP_DST_UNREACH_ADMIN_PROHIBITED_STR "(snort_decoder) WARNING: ICMP Destination Unreachable Communication Administratively Prohibited" 756 #define DECODE_ICMP_DST_UNREACH_DST_HOST_PROHIBITED_STR "(snort_decoder) WARNING: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited" 757 #define DECODE_ICMP_DST_UNREACH_DST_NET_PROHIBITED_STR "(snort_decoder) WARNING: ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited" 758 #define DECODE_IP_OPTION_SET_STR "(snort_decoder) WARNING: MISC IP option set" 759 #define DECODE_UDP_LARGE_PACKET_STR "(snort_decoder) WARNING: MISC Large UDP Packet" 760 #define DECODE_TCP_PORT_ZERO_STR "(snort_decoder) WARNING: BAD-TRAFFIC TCP port 0 traffic" 761 #define DECODE_UDP_PORT_ZERO_STR 
"(snort_decoder) WARNING: BAD-TRAFFIC UDP port 0 traffic" 762 #define DECODE_IP_RESERVED_FRAG_BIT_STR "(snort_decoder) WARNING: BAD-TRAFFIC IP reserved bit set" 763 #define DECODE_IP_UNASSIGNED_PROTO_STR "(snort_decoder) WARNING: BAD-TRAFFIC Unassigned/Reserved IP protocol" 764 #define DECODE_IP_BAD_PROTO_STR "(snort_decoder) WARNING: BAD-TRAFFIC Bad IP protocol" 765 #define DECODE_ICMP_PATH_MTU_DOS_STR "(snort_decoder) WARNING: ICMP PATH MTU denial of service attempt" 766 #define DECODE_ICMP_DOS_ATTEMPT_STR "(snort_decoder) WARNING: BAD-TRAFFIC linux ICMP header dos attempt" 767 #define DECODE_IPV6_ISATAP_SPOOF_STR "(snort_decoder) WARNING: BAD-TRAFFIC ISATAP-addressed IPv6 traffic spoofing attempt" 768 #define DECODE_PGM_NAK_OVERFLOW_STR "(snort_decoder) WARNING: BAD-TRAFFIC PGM nak list overflow attempt" 769 #define DECODE_IGMP_OPTIONS_DOS_STR "(snort_decoder) WARNING: DOS IGMP IP Options validation attempt" 770 #define DECODE_IP6_EXCESS_EXT_HDR_STR "(snort_decoder) WARNING: too many IP6 extension headers" 771 #define DECODE_ICMPV6_UNREACHABLE_NON_RFC_4443_CODE_STR "(snort_decoder) WARNING: ICMPv6 packet of type 1 (destination unreachable) with non-RFC 4443 code" 772 #define DECODE_IPV6_BAD_FRAG_PKT_STR "(snort_decoder) WARNING: bogus fragmentation packet. 
Possible BSD attack" 773 #define DECODE_ZERO_LENGTH_FRAG_STR "(snort_decoder) WARNING: fragment with zero length" 774 #define DECODE_ICMPV6_NODE_INFO_BAD_CODE_STR "(snort_decoder) WARNING: ICMPv6 node info query/response packet with a code greater than 2" 775 #define DECODE_IPV6_ROUTE_ZERO_STR "(snort decoder) WARNING: IPV6 routing type 0 extension header" 776 #define DECODE_ERSPAN_HDR_VERSION_MISMATCH_STR "(snort_decoder) WARNING: ERSpan Header version mismatch" 777 #define DECODE_ERSPAN2_DGRAM_LT_HDR_STR "(snort_decoder) WARNING: captured < ERSpan Type2 Header Length" 778 #define DECODE_ERSPAN3_DGRAM_LT_HDR_STR "(snort_decoder) WARNING: captured < ERSpan Type3 Header Length" 779 #define DECODE_AUTH_HDR_TRUNC_STR "(snort_decoder) WARNING: truncated authentication header" 780 #define DECODE_AUTH_HDR_BAD_LEN_STR "(snort_decoder) WARNING: authentication header bad length" 781 #define DECODE_FPATH_HDR_TRUNC_STR "(snort_decoder) WARNING: truncated FabricPath header" 782 #define DECODE_CISCO_META_HDR_TRUNC_STR "(snort_decoder) WARNING: truncated Cisco Metadata header" 783 #define DECODE_CISCO_META_HDR_OPT_LEN_STR "(snort_decoder) WARNING: Invalid Cisco Metadata option length" 784 #define DECODE_CISCO_META_HDR_OPT_TYPE_STR "(snort_decoder) WARNING: Invalid Cisco Metadata option type" 785 #define DECODE_CISCO_META_HDR_SGT_STR "(snort_decoder) WARNING: Invalid Cisco Metadata SGT" 786 787 /* RPC decode preprocessor strings */ 788 #define RPC_FRAG_TRAFFIC_STR "(spp_rpc_decode) Fragmented RPC Records" 789 #define RPC_MULTIPLE_RECORD_STR "(spp_rpc_decode) Multiple RPC Records" 790 #define RPC_LARGE_FRAGSIZE_STR "(spp_rpc_decode) Large RPC Record Fragment" 791 #define RPC_INCOMPLETE_SEGMENT_STR "(spp_rpc_decode) Incomplete RPC segment" 792 #define RPC_ZERO_LENGTH_FRAGMENT_STR "(spp_rpc_decode) Zero-length RPC Fragment" 793 794 #define PSNG_TCP_PORTSCAN_STR "(portscan) TCP Portscan" 795 #define PSNG_TCP_DECOY_PORTSCAN_STR "(portscan) TCP Decoy Portscan" 796 #define 
PSNG_TCP_PORTSWEEP_STR "(portscan) TCP Portsweep" 797 #define PSNG_TCP_DISTRIBUTED_PORTSCAN_STR "(portscan) TCP Distributed Portscan" 798 #define PSNG_TCP_FILTERED_PORTSCAN_STR "(portscan) TCP Filtered Portscan" 799 #define PSNG_TCP_FILTERED_DECOY_PORTSCAN_STR "(portscan) TCP Filtered Decoy Portscan" 800 #define PSNG_TCP_FILTERED_DISTRIBUTED_PORTSCAN_STR "(portscan) TCP Filtered Distributed Portscan" 801 #define PSNG_TCP_PORTSWEEP_FILTERED_STR "(portscan) TCP Filtered Portsweep" 802 803 #define PSNG_IP_PORTSCAN_STR "(portscan) IP Protocol Scan" 804 #define PSNG_IP_DECOY_PORTSCAN_STR "(portscan) IP Decoy Protocol Scan" 805 #define PSNG_IP_PORTSWEEP_STR "(portscan) IP Protocol Sweep" 806 #define PSNG_IP_DISTRIBUTED_PORTSCAN_STR "(portscan) IP Distributed Protocol Scan" 807 #define PSNG_IP_FILTERED_PORTSCAN_STR "(portscan) IP Filtered Protocol Scan" 808 #define PSNG_IP_FILTERED_DECOY_PORTSCAN_STR "(portscan) IP Filtered Decoy Protocol Scan" 809 #define PSNG_IP_FILTERED_DISTRIBUTED_PORTSCAN_STR "(portscan) IP Filtered Distributed Protocol Scan" 810 #define PSNG_IP_PORTSWEEP_FILTERED_STR "(portscan) IP Filtered Protocol Sweep" 811 812 #define PSNG_UDP_PORTSCAN_STR "(portscan) UDP Portscan" 813 #define PSNG_UDP_DECOY_PORTSCAN_STR "(portscan) UDP Decoy Portscan" 814 #define PSNG_UDP_PORTSWEEP_STR "(portscan) UDP Portsweep" 815 #define PSNG_UDP_DISTRIBUTED_PORTSCAN_STR "(portscan) UDP Distributed Portscan" 816 #define PSNG_UDP_FILTERED_PORTSCAN_STR "(portscan) UDP Filtered Portscan" 817 #define PSNG_UDP_FILTERED_DECOY_PORTSCAN_STR "(portscan) UDP Filtered Decoy Portscan" 818 #define PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN_STR "(portscan) UDP Filtered Distributed Portscan" 819 #define PSNG_UDP_PORTSWEEP_FILTERED_STR "(portscan) UDP Filtered Portsweep" 820 821 #define PSNG_ICMP_PORTSWEEP_STR "(portscan) ICMP Sweep" 822 #define PSNG_ICMP_PORTSWEEP_FILTERED_STR "(portscan) ICMP Filtered Sweep" 823 824 #define PSNG_OPEN_PORT_STR "(portscan) Open Port" 825 826 #define 
DECODE_BAD_MPLS_STR "(snort_decoder) WARNING: Bad MPLS Frame" 827 #define DECODE_BAD_MPLS_LABEL0_STR "(snort_decoder) WARNING: MPLS Label 0 Appears in Nonbottom Header" 828 #define DECODE_BAD_MPLS_LABEL1_STR "(snort_decoder) WARNING: MPLS Label 1 Appears in Bottom Header" 829 #define DECODE_BAD_MPLS_LABEL2_STR "(snort_decoder) WARNING: MPLS Label 2 Appears in Nonbottom Header" 830 #define DECODE_BAD_MPLS_LABEL3_STR "(snort_decoder) WARNING: MPLS Label 3 Appears in Header" 831 #define DECODE_MPLS_RESERVEDLABEL_STR "(snort_decoder) WARNING: MPLS Label 4, 5,.. or 15 Appears in Header" 832 #define DECODE_MPLS_LABEL_STACK_STR "(snort_decoder) WARNING: Too Many MPLS headers" 833 #define DECODE_MULTICAST_MPLS_STR "(snort_decoder) WARNING: Multicast MPLS traffic detected" 834 835 #define DECODE_DECODING_DEPTH_EXCEEDED_STR "(snort_decoder) WARNING: Too many levels for decoding" 836 837 #endif /* __GENERATORS_H__ */ 838