1 /*
2 ** Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
3 ** Copyright (C) 2002-2013 Sourcefire, Inc.
4 ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
5 **
6 ** This program is free software; you can redistribute it and/or modify
7 ** it under the terms of the GNU General Public License Version 2 as
8 ** published by the Free Software Foundation. You may not use, modify or
9 ** distribute this program under any other version of the GNU General
10 ** Public License.
11 **
12 ** This program is distributed in the hope that it will be useful,
13 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
14 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 ** GNU General Public License for more details.
16 **
17 ** You should have received a copy of the GNU General Public License
18 ** along with this program; if not, write to the Free Software
19 ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
20 */
21
22 /* $Id$ */
23
24 #ifndef __DECODE_H__
25 #define __DECODE_H__
26
27
28 /* I N C L U D E S **********************************************************/
29
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #endif
33
34 #include <stddef.h>
35 #include <sys/types.h>
36
37 #ifndef WIN32
38 #include <sys/socket.h>
39 #include <netinet/in.h>
40 #include <net/if.h>
41 #else /* !WIN32 */
42 #include <netinet/in_systm.h>
43 #ifndef IFNAMSIZ
44 #define IFNAMESIZ MAX_ADAPTER_NAME
45 #endif /* !IFNAMSIZ */
46 #endif /* !WIN32 */
47
48 #include <daq.h>
49 #include <sfbpf_dlt.h>
50
51 #include "bitop.h"
52 #include "ipv6_port.h"
53 #include "sf_ip.h"
54 #include "sf_iph.h"
55 #include "sf_protocols.h"
56 #include "util.h"
57 #include "sf_types.h"
58 #include "sf_sdlist_types.h"
59 #include "preprocids.h"
60
61 struct _SnortConfig;
62
63 /* D E F I N E S ************************************************************/
64
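/* Ethernet: MTU and the EtherType values this decoder recognises. */
#define ETHERNET_MTU 1500
#define ETHERNET_TYPE_IP 0x0800
#define ETHERNET_TYPE_ARP 0x0806
#define ETHERNET_TYPE_REVARP 0x8035
#define ETHERNET_TYPE_EAPOL 0x888e
#define ETHERNET_TYPE_IPV6 0x86dd
#define ETHERNET_TYPE_IPX 0x8137
#define ETHERNET_TYPE_PPPoE_DISC 0x8863 /* discovery stage */
#define ETHERNET_TYPE_PPPoE_SESS 0x8864 /* session stage */
#define ETHERNET_TYPE_8021Q 0x8100
#define ETHERNET_TYPE_8021AD 0x88a8
#define ETHERNET_TYPE_QINQ_NS1 0x9100 /* Q-in-Q non standard */
#define ETHERNET_TYPE_QINQ_NS2 0x9200 /* Q-in-Q non standard */
#define ETHERNET_TYPE_LOOP 0x9000
#define ETHERNET_TYPE_MPLS_UNICAST 0x8847
#define ETHERNET_TYPE_MPLS_MULTICAST 0x8848
#define ETHERNET_TYPE_ERSPAN_TYPE2 0x88be
#define ETHERNET_TYPE_ERSPAN_TYPE3 0x22eb
#define ETHERNET_TYPE_FPATH 0x8903
#define ETHERNET_TYPE_CISCO_META 0x8909

/* 802.2 LLC DSAP/SSAP pairs used to classify LLC-framed Ethernet. */
#define ETH_DSAP_SNA 0x08 /* SNA */
#define ETH_SSAP_SNA 0x00 /* SNA */
#define ETH_DSAP_STP 0x42 /* Spanning Tree Protocol */
#define ETH_SSAP_STP 0x42 /* Spanning Tree Protocol */
#define ETH_DSAP_IP 0xaa /* IP */
#define ETH_SSAP_IP 0xaa /* IP */

/* SNAP organisation codes (3 bytes). */
#define ETH_ORG_CODE_ETHR 0x000000 /* Encapsulated Ethernet */
#define ETH_ORG_CODE_CDP 0x00000c /* Cisco Discovery Proto */

/* Link-layer header lengths, in bytes.  FABRICPATH_HEADER_LEN used to be
 * defined twice with the same value; the duplicate has been dropped. */
#define FABRICPATH_HEADER_LEN 16
#define ETHERNET_HEADER_LEN 14
#define ETHERNET_MAX_LEN_ENCAP 1518 /* 802.3 (+LLC) or ether II ? */

/* Cisco metadata header (EtherType ETHERNET_TYPE_CISCO_META): a 2-byte
 * pre-header followed by options whose length/type word is split with the
 * shift and mask below. */
#define CISCO_META_PREHEADER_LEN 2
#define CISCO_META_VALID_OPT_LEN 4 /* length of valid options */
#define CISCO_META_OPT_LEN_SHIFT 13 /* right shift opt_len_type to get option length */
#define CISCO_META_OPT_TYPE_MASK 0x1FFF /* mask opt_len_type to get option type */
#define CISCO_META_OPT_TYPE_SGT 1

#define PPPOE_HEADER_LEN 6

#define VLAN_HEADER_LEN 4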
110
#ifndef NO_NON_ETHER_DECODER
/* Header lengths (bytes) for the non-Ethernet link layers. */
#define MINIMAL_TOKENRING_HEADER_LEN 22
#define MINIMAL_IEEE80211_HEADER_LEN 10 /* Ack frames and others */
#define IEEE802_11_DATA_HDR_LEN 24 /* Header for data packets */
#define TR_HLEN MINIMAL_TOKENRING_HEADER_LEN
#define TOKENRING_LLC_LEN 8
#define SLIP_HEADER_LEN 16

/* Frame type/subtype combinations with version = 0 */
/*** FRAME TYPE ***** HEX **** SUBTYPE TYPE DESCRIPT ********/
#define WLAN_TYPE_MGMT_ASREQ 0x0 /* 0000 00 Association Req */
#define WLAN_TYPE_MGMT_ASRES 0x10 /* 0001 00 Association Res */
#define WLAN_TYPE_MGMT_REREQ 0x20 /* 0010 00 Reassoc. Req. */
#define WLAN_TYPE_MGMT_RERES 0x30 /* 0011 00 Reassoc. Resp. */
#define WLAN_TYPE_MGMT_PRREQ 0x40 /* 0100 00 Probe Request */
#define WLAN_TYPE_MGMT_PRRES 0x50 /* 0101 00 Probe Response */
#define WLAN_TYPE_MGMT_BEACON 0x80 /* 1000 00 Beacon */
#define WLAN_TYPE_MGMT_ATIM 0x90 /* 1001 00 ATIM message */
#define WLAN_TYPE_MGMT_DIS 0xa0 /* 1010 00 Disassociation */
#define WLAN_TYPE_MGMT_AUTH 0xb0 /* 1011 00 Authentication */
#define WLAN_TYPE_MGMT_DEAUTH 0xc0 /* 1100 00 Deauthentication*/

#define WLAN_TYPE_CONT_PS 0xa4 /* 1010 01 Power Save */
#define WLAN_TYPE_CONT_RTS 0xb4 /* 1011 01 Request to send */
#define WLAN_TYPE_CONT_CTS 0xc4 /* 1100 01 Clear to send */
#define WLAN_TYPE_CONT_ACK 0xd4 /* 1101 01 Acknowledgement */
#define WLAN_TYPE_CONT_CFE 0xe4 /* 1110 01 Cont. Free end */
#define WLAN_TYPE_CONT_CFACK 0xf4 /* 1111 01 CF-End + CF-Ack */

#define WLAN_TYPE_DATA_DATA 0x08 /* 0000 10 Data */
#define WLAN_TYPE_DATA_DTCFACK 0x18 /* 0001 10 Data + CF-Ack */
#define WLAN_TYPE_DATA_DTCFPL 0x28 /* 0010 10 Data + CF-Poll */
#define WLAN_TYPE_DATA_DTACKPL 0x38 /* 0011 10 Data+CF-Ack+CF-Pl */
#define WLAN_TYPE_DATA_NULL 0x48 /* 0100 10 Null (no data) */
#define WLAN_TYPE_DATA_CFACK 0x58 /* 0101 10 CF-Ack (no data)*/
#define WLAN_TYPE_DATA_CFPL 0x68 /* 0110 10 CF-Poll (no data)*/
#define WLAN_TYPE_DATA_ACKPL 0x78 /* 0111 10 CF-Ack+CF-Poll */

/*** Flags for IEEE 802.11 Frame Control ***/
/* The following are designed to be bitwise-AND-d in an 8-bit u_char */
/* NOTE(review): the values below are 16-bit constants (0x0100..0x8000),
 * which does not match the "8-bit u_char" remark above, and the 8-bit
 * patterns in the trailing comments are not the low or high byte of the
 * constants either.  Confirm against the 802.11 decoder how these are
 * actually applied to the frame-control field before relying on the
 * comments. */
#define WLAN_FLAG_TODS 0x0100 /* To DS Flag 10000000 */
#define WLAN_FLAG_FROMDS 0x0200 /* From DS Flag 01000000 */
#define WLAN_FLAG_FRAG 0x0400 /* More Frag 00100000 */
#define WLAN_FLAG_RETRY 0x0800 /* Retry Flag 00010000 */
#define WLAN_FLAG_PWRMGMT 0x1000 /* Power Mgmt. 00001000 */
#define WLAN_FLAG_MOREDAT 0x2000 /* More Data 00000100 */
#define WLAN_FLAG_WEP 0x4000 /* Wep Enabled 00000010 */
#define WLAN_FLAG_ORDER 0x8000 /* Strict Order 00000001 */

/* IEEE 802.1x eapol types */
#define EAPOL_TYPE_EAP 0x00 /* EAP packet */
#define EAPOL_TYPE_START 0x01 /* EAPOL start */
#define EAPOL_TYPE_LOGOFF 0x02 /* EAPOL Logoff */
#define EAPOL_TYPE_KEY 0x03 /* EAPOL Key */
#define EAPOL_TYPE_ASF 0x04 /* EAPOL Encapsulated ASF-Alert */

/* Extensible Authentication Protocol Codes RFC 2284*/
#define EAP_CODE_REQUEST 0x01
#define EAP_CODE_RESPONSE 0x02
#define EAP_CODE_SUCCESS 0x03
#define EAP_CODE_FAILURE 0x04
/* EAP Types */
#define EAP_TYPE_IDENTITY 0x01
#define EAP_TYPE_NOTIFY 0x02
#define EAP_TYPE_NAK 0x03
#define EAP_TYPE_MD5 0x04
#define EAP_TYPE_OTP 0x05
#define EAP_TYPE_GTC 0x06
#define EAP_TYPE_TLS 0x0d
#endif // NO_NON_ETHER_DECODER
181
/* Cisco HDLC header values: fixed header length plus the address and
 * control bytes it carries. */
#define CHDLC_HEADER_LEN 4
#define CHDLC_ADDR_UNICAST 0x0f
#define CHDLC_ADDR_MULTICAST 0x8f
#define CHDLC_ADDR_BROADCAST 0xff
#define CHDLC_CTRL_UNNUMBERED 0x03

/* Teredo values (IPv6 tunnelled over UDP, RFC 4380).  The origin indicator
 * is a fixed 8-byte block; the authentication indicator is variable length
 * with the minimum given here.  TEREDO_MIN_LEN is the smallest payload
 * that can hold an indicator type word at all. */
#define TEREDO_PORT 3544
#define TEREDO_INDICATOR_ORIGIN 0x00
#define TEREDO_INDICATOR_ORIGIN_LEN 8
#define TEREDO_INDICATOR_AUTH 0x01
#define TEREDO_INDICATOR_AUTH_MIN_LEN 13
#define TEREDO_MIN_LEN 2

/* GTP values: minimum length of any GTP message and the fixed header
 * lengths of the two versions handled here. */

#define GTP_MIN_LEN 8
#define GTP_V0_HEADER_LEN 20
#define GTP_V1_HEADER_LEN 12
/* ESP constants (header, ICV / authentication data, trailer), in bytes. */
#define ESP_HEADER_LEN 8
#define ESP_AUTH_DATA_LEN 12
#define ESP_TRAILER_LEN 2

/* Number of distinct TCP/UDP port values (0..65535). */
#define MAX_PORTS 65536
208
/* ppp header structure
 *
 * Actually, this is the header for RFC1332 Section 3
 * IPCP Configuration Options for sending IP datagrams over a PPP link.
 *
 * Fields are laid out in wire order; `protocol` identifies the
 * encapsulated payload, and the PPP_* values defined below are the
 * protocol codes this file knows about.
 */
struct ppp_header {
    unsigned char address;   /* HDLC-style address byte */
    unsigned char control;   /* HDLC-style control byte */
    unsigned short protocol; /* PPP protocol field (PPP_IP, PPP_IPV6, ...) */
};
220
/* Only define PPP_HDRLEN ourselves when the platform PPP headers have not
 * already done so. */
#ifndef PPP_HDRLEN
#define PPP_HDRLEN sizeof(struct ppp_header)
#endif

/* PPP protocol field values. */
#define PPP_IP 0x0021 /* Internet Protocol */
#define PPP_IPV6 0x0057 /* Internet Protocol v6 */
#define PPP_VJ_COMP 0x002d /* VJ compressed TCP/IP */
#define PPP_VJ_UCOMP 0x002f /* VJ uncompressed TCP/IP */
#define PPP_IPX 0x002b /* Novell IPX Protocol */

/* otherwise defined in /usr/include/ppp_defs.h */
#ifndef PPP_MTU
#define PPP_MTU 1500
#endif

/* NULL aka LoopBack interfaces: the 4-byte address-family word that
 * precedes the payload on DLT_NULL captures. */
#define NULL_HDRLEN 4
238
/* enc interface (IPsec "enc" pseudo-interface capture header).  The three
 * uint32_t fields account for ENC_HEADER_LEN (3 * 4 = 12 bytes). */
struct enc_header {
    uint32_t af;    /* address family of the inner packet */
    uint32_t spi;   /* security parameter index */
    uint32_t flags;
};
#define ENC_HEADER_LEN 12
246
/* Fixed (option-less) header lengths, in bytes, for the network and
 * transport layers decoded here.  ICMP_HEADER_LEN covers type/code/checksum;
 * ICMP_NORMAL_LEN adds the 4-byte rest-of-header word. */
#define IP_HEADER_LEN 20
#define TCP_HEADER_LEN 20
#define UDP_HEADER_LEN 8
#define ICMP_HEADER_LEN 4
#define ICMP_NORMAL_LEN 8

/* Upper bounds on the option area of an IPv4 and a TCP header. */
#define IP_OPTMAX 40
#define TCP_OPTLENMAX 40 /* (((2^4) - 1) * 4 - TCP_HEADER_LEN) */

#define LOG_FUNC_MAX 32

/* Largest IPv4 datagram (16-bit total length); defer to the platform value
 * when the system headers already provide it. */
#ifndef IP_MAXPACKET
#define IP_MAXPACKET 65535 /* maximum packet size */
#endif /* IP_MAXPACKET */
262
263
/* http://www.iana.org/assignments/ipv6-parameters
 *
 * IPv6 Options (not Extension Headers): option type codes found inside
 * hop-by-hop / destination options headers.
 */
#define IP6_OPT_TUNNEL_ENCAP 0x04
#define IP6_OPT_QUICK_START 0x06
#define IP6_OPT_CALIPSO 0x07
#define IP6_OPT_HOME_ADDRESS 0xC9
#define IP6_OPT_ENDPOINT_IDENT 0x8A

// these are bits in th_flags:
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PUSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20
#define TH_ECE 0x40
#define TH_CWR 0x80
#define TH_RES2 TH_ECE // TBD TH_RES* should be deleted (see log.c)
#define TH_RES1 TH_CWR
// the six "classic" flags, i.e. everything but the two ECN bits (0x3F)
#define TH_NORESERVED (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG)

// these are bits in th_offx2 (low nibble; the high nibble is the data offset):
#define TH_RSV 0x0E // reserved bits
#define TH_NS 0x01 // ECN nonce bit
290
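/* http://www.iana.org/assignments/tcp-parameters
 *
 * TCP option kinds (TCPOPT_*) and the fixed lengths of the options that
 * have one (TCPOLEN_*).  They used to be in <netinet/tcp.h> but it breaks
 * things on AIX.
 */
#define TCPOPT_EOL 0 /* End of Option List [RFC793] */
#define TCPOLEN_EOL 1 /* Always one byte */

#define TCPOPT_NOP 1 /* No-Option [RFC793] */
#define TCPOLEN_NOP 1 /* Always one byte */

#define TCPOPT_MAXSEG 2 /* Maximum Segment Size [RFC793] */
#define TCPOLEN_MAXSEG 4 /* Always 4 bytes */

#define TCPOPT_WSCALE 3 /* Window scaling option [RFC1323] */
#define TCPOLEN_WSCALE 3 /* 1 byte with logarithmic values */

#define TCPOPT_SACKOK 4 /* Experimental [RFC2018]*/
#define TCPOLEN_SACKOK 2

#define TCPOPT_SACK 5 /* Experimental [RFC2018] variable length */

#define TCPOPT_ECHO 6 /* Echo (obsoleted by option 8) [RFC1072] */
#define TCPOLEN_ECHO 6 /* 6 bytes */

#define TCPOPT_ECHOREPLY 7 /* Echo Reply (obsoleted by option 8)[RFC1072] */
#define TCPOLEN_ECHOREPLY 6 /* 6 bytes */

#define TCPOPT_TIMESTAMP 8 /* Timestamp [RFC1323], 10 bytes */
#define TCPOLEN_TIMESTAMP 10

#define TCPOPT_PARTIAL_PERM 9 /* Partial Order Permitted/ Experimental [RFC1693] */
#define TCPOLEN_PARTIAL_PERM 2 /* Partial Order Permitted/ Experimental [RFC1693] */

#define TCPOPT_PARTIAL_SVC 10 /* Partial Order Profile [RFC1693] */
#define TCPOLEN_PARTIAL_SVC 3 /* 3 bytes long -- Experimental */

/* atleast decode T/TCP options... */
#define TCPOPT_CC 11 /* T/TCP Connection count [RFC1644] */
#define TCPOPT_CC_NEW 12 /* CC.NEW [RFC1644] */
#define TCPOPT_CC_ECHO 13 /* CC.ECHO [RFC1644] */
#define TCPOLEN_CC 6 /* page 17 of rfc1644 */
#define TCPOLEN_CC_NEW 6 /* page 17 of rfc1644 */
#define TCPOLEN_CC_ECHO 6 /* page 17 of rfc1644 */

#define TCPOPT_ALTCSUM 15 /* TCP Alternate Checksum Data [RFC1146], variable length */
#define TCPOPT_SKEETER 16 /* Skeeter [Knowles] */
#define TCPOPT_BUBBA 17 /* Bubba [Knowles] */

#define TCPOPT_TRAILER_CSUM 18 /* Trailer Checksum Option [Subbu & Monroe] */
#define TCPOLEN_TRAILER_CSUM 3

#define TCPOPT_MD5SIG 19 /* MD5 Signature Option [RFC2385] */
#define TCPOLEN_MD5SIG 18

/* Space Communications Protocol Standardization */
#define TCPOPT_SCPS 20 /* Capabilities [Scott] */
#define TCPOPT_SELNEGACK 21 /* Selective Negative Acknowledgements [Scott] */
#define TCPOPT_RECORDBOUND 22 /* Record Boundaries [Scott] */
#define TCPOPT_CORRUPTION 23 /* Corruption experienced [Scott] */

#define TCPOPT_SNAP 24 /* SNAP [Sukonnik] -- anyone have info?*/
#define TCPOPT_UNASSIGNED 25 /* Unassigned (released 12/18/00) */
#define TCPOPT_COMPRESSION 26 /* TCP Compression Filter [Bellovin] */
/* http://www.research.att.com/~smb/papers/draft-bellovin-tcpcomp-00.txt*/

#define TCPOPT_AUTH 29 /* [RFC5925] - The TCP Authentication Option
Intended to replace MD5 Signature Option [RFC2385] */

#define TCPOPT_TFO 34 /* [RFC7413] - TCP Fast Open */

/* Negative status values (truncated option / bad option length, going by
 * their names).  Parenthesised so the negative literal survives textual
 * substitution intact, e.g. when the macro follows a unary minus. */
#define TCP_OPT_TRUNC (-1)
#define TCP_OPT_BADLEN (-2)

/* Why are these lil buggers here? Never Used. -- cmg */
#define TCPOLEN_TSTAMP_APPA (TCPOLEN_TIMESTAMP+2) /* appendix A / rfc 1323 */
/* NOP, NOP, TIMESTAMP kind, TIMESTAMP length packed most-significant byte
 * first into one 32-bit word; each shift is parenthesised for readability
 * (<< already binds tighter than |). */
#define TCPOPT_TSTAMP_HDR \
((TCPOPT_NOP<<24)|(TCPOPT_NOP<<16)|(TCPOPT_TIMESTAMP<<8)|TCPOLEN_TIMESTAMP)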
369
/*
 * Default maximum segment size for TCP.
 * With an IP MSS of 576, this is 536,
 * but 512 is probably more convenient.
 * This should be defined as MIN(512, IP_MSS - sizeof (struct tcpiphdr)).
 *
 * Each of the TCP_* values below is wrapped in #ifndef so that a platform
 * <netinet/tcp.h> definition, when present, takes precedence.
 */

#ifndef TCP_MSS
#define TCP_MSS 512
#endif

#ifndef TCP_MAXWIN
#define TCP_MAXWIN 65535 /* largest value for (unscaled) window */
#endif

#ifndef TCP_MAX_WINSHIFT
#define TCP_MAX_WINSHIFT 14 /* maximum window shift */
#endif

/*
 * User-settable options (used with setsockopt).
 */
#ifndef TCP_NODELAY
#define TCP_NODELAY 0x01 /* don't delay send to coalesce packets */
#endif

#ifndef TCP_MAXSEG
#define TCP_MAXSEG 0x02 /* set maximum segment size */
#endif

#define SOL_TCP 6 /* TCP level */



/* Well-known UDP ports the decoder looks for. */
#define L2TP_PORT 1701
#define DHCP_CLIENT_PORT 68
#define DHCP_SERVER_PORT 67
407
#ifndef NO_NON_ETHER_DECODER
/* Start Token Ring */
#define TR_ALEN 6 /* octets in a Token Ring MAC address (see Trh_hdr) */
#define IPARP_SAP 0xaa

/* NOTE(review): AC and LLC_FRAME are very short global macro names; they
 * are easy to collide with in any file that includes this header. */
#define AC 0x10
#define LLC_FRAME 0x40

#define TRMTU 2000 /* 2000 bytes */
#define TR_RII 0x80 /* routing information indicator bit */
/* Routing control field (RCF) bits and masks; the field is 16 bits wide. */
#define TR_RCF_DIR_BIT 0x80
#define TR_RCF_LEN_MASK 0x1f00
#define TR_RCF_BROADCAST 0x8000 /* all-routes broadcast */
#define TR_RCF_LIMITED_BROADCAST 0xC000 /* single-route broadcast */
#define TR_RCF_FRAME2K 0x20
#define TR_RCF_BROADCAST_MASK 0xC000
/* End Token Ring */

/* Start FDDI */
#define FDDI_ALLC_LEN 13
#define FDDI_ALEN 6 /* octets in an FDDI MAC address (see Fddi_hdr) */
#define FDDI_MIN_HLEN (FDDI_ALLC_LEN + 3)

/* 802.2 LLC DSAP/SSAP pairs on FDDI (same values as the ETH_* ones). */
#define FDDI_DSAP_SNA 0x08 /* SNA */
#define FDDI_SSAP_SNA 0x00 /* SNA */
#define FDDI_DSAP_STP 0x42 /* Spanning Tree Protocol */
#define FDDI_SSAP_STP 0x42 /* Spanning Tree Protocol */
#define FDDI_DSAP_IP 0xaa /* IP */
#define FDDI_SSAP_IP 0xaa /* IP */

#define FDDI_ORG_CODE_ETHR 0x000000 /* Encapsulated Ethernet */
#define FDDI_ORG_CODE_CDP 0x00000c /* Cisco Discovery
* Proto(?) */

#define ETHERNET_TYPE_CDP 0x2000 /* Cisco Discovery Protocol */
/* End FDDI */
#endif // NO_NON_ETHER_DECODER
445
/* ARP / RARP opcodes */
#define ARPOP_REQUEST 1 /* ARP request */
#define ARPOP_REPLY 2 /* ARP reply */
#define ARPOP_RREQUEST 3 /* RARP request */
#define ARPOP_RREPLY 4 /* RARP reply */

/* PPPoE types (the CODE byte of the PPPoE header) */
#define PPPoE_CODE_SESS 0x00 /* PPPoE session */
#define PPPoE_CODE_PADI 0x09 /* PPPoE Active Discovery Initiation */
#define PPPoE_CODE_PADO 0x07 /* PPPoE Active Discovery Offer */
#define PPPoE_CODE_PADR 0x19 /* PPPoE Active Discovery Request */
#define PPPoE_CODE_PADS 0x65 /* PPPoE Active Discovery Session-confirmation */
#define PPPoE_CODE_PADT 0xa7 /* PPPoE Active Discovery Terminate */

/* PPPoE tag types (16-bit TAG_TYPE values carried in discovery packets) */
#define PPPoE_TAG_END_OF_LIST 0x0000
#define PPPoE_TAG_SERVICE_NAME 0x0101
#define PPPoE_TAG_AC_NAME 0x0102
#define PPPoE_TAG_HOST_UNIQ 0x0103
#define PPPoE_TAG_AC_COOKIE 0x0104
#define PPPoE_TAG_VENDOR_SPECIFIC 0x0105
#define PPPoE_TAG_RELAY_SESSION_ID 0x0110
#define PPPoE_TAG_SERVICE_NAME_ERROR 0x0201
#define PPPoE_TAG_AC_SYSTEM_ERROR 0x0202
#define PPPoE_TAG_GENERIC_ERROR 0x0203
470
471
/* ICMP message types.  NR_ICMP_TYPES equals the highest type listed. */
#define ICMP_ECHOREPLY 0 /* Echo Reply */
#define ICMP_DEST_UNREACH 3 /* Destination Unreachable */
#define ICMP_SOURCE_QUENCH 4 /* Source Quench */
#define ICMP_REDIRECT 5 /* Redirect (change route) */
#define ICMP_ECHO 8 /* Echo Request */
#define ICMP_ROUTER_ADVERTISE 9 /* Router Advertisement */
#define ICMP_ROUTER_SOLICIT 10 /* Router Solicitation */
#define ICMP_TIME_EXCEEDED 11 /* Time Exceeded */
#define ICMP_PARAMETERPROB 12 /* Parameter Problem */
#define ICMP_TIMESTAMP 13 /* Timestamp Request */
#define ICMP_TIMESTAMPREPLY 14 /* Timestamp Reply */
#define ICMP_INFO_REQUEST 15 /* Information Request */
#define ICMP_INFO_REPLY 16 /* Information Reply */
#define ICMP_ADDRESS 17 /* Address Mask Request */
#define ICMP_ADDRESSREPLY 18 /* Address Mask Reply */
#define NR_ICMP_TYPES 18

/* Codes for ICMP UNREACHABLES (type ICMP_DEST_UNREACH).
 * NR_ICMP_UNREACH equals the highest code listed. */
#define ICMP_NET_UNREACH 0 /* Network Unreachable */
#define ICMP_HOST_UNREACH 1 /* Host Unreachable */
#define ICMP_PROT_UNREACH 2 /* Protocol Unreachable */
#define ICMP_PORT_UNREACH 3 /* Port Unreachable */
#define ICMP_FRAG_NEEDED 4 /* Fragmentation Needed/DF set */
#define ICMP_SR_FAILED 5 /* Source Route failed */
#define ICMP_NET_UNKNOWN 6
#define ICMP_HOST_UNKNOWN 7
#define ICMP_HOST_ISOLATED 8
#define ICMP_PKT_FILTERED_NET 9
#define ICMP_PKT_FILTERED_HOST 10
#define ICMP_NET_UNR_TOS 11
#define ICMP_HOST_UNR_TOS 12
#define ICMP_PKT_FILTERED 13 /* Packet filtered */
#define ICMP_PREC_VIOLATION 14 /* Precedence violation */
#define ICMP_PREC_CUTOFF 15 /* Precedence cut off */
#define NR_ICMP_UNREACH 15 /* instead of hardcoding immediate
* value */

/* Codes for ICMP_REDIRECT */
#define ICMP_REDIR_NET 0
#define ICMP_REDIR_HOST 1
#define ICMP_REDIR_TOS_NET 2
#define ICMP_REDIR_TOS_HOST 3

/* Codes for ICMP_TIME_EXCEEDED */
#define ICMP_TIMEOUT_TRANSIT 0
#define ICMP_TIMEOUT_REASSY 1

/* Codes for ICMP_PARAMETERPROB */
#define ICMP_PARAM_BADIPHDR 0
#define ICMP_PARAM_OPTMISSING 1
#define ICMP_PARAM_BAD_LENGTH 2
520
/* ip option type codes.  Each is guarded with #ifndef so a platform
 * <netinet/ip.h> definition, when present, takes precedence. */
#ifndef IPOPT_EOL
#define IPOPT_EOL 0x00
#endif

#ifndef IPOPT_NOP
#define IPOPT_NOP 0x01
#endif

#ifndef IPOPT_RR
#define IPOPT_RR 0x07
#endif

#ifndef IPOPT_RTRALT
#define IPOPT_RTRALT 0x94
#endif

#ifndef IPOPT_TS
#define IPOPT_TS 0x44
#endif

#ifndef IPOPT_SECURITY
#define IPOPT_SECURITY 0x82
#endif

#ifndef IPOPT_LSRR
#define IPOPT_LSRR 0x83
#endif

#ifndef IPOPT_LSRR_E
#define IPOPT_LSRR_E 0x84
#endif

#ifndef IPOPT_ESEC
#define IPOPT_ESEC 0x85
#endif

#ifndef IPOPT_SATID
#define IPOPT_SATID 0x88
#endif

#ifndef IPOPT_SSRR
#define IPOPT_SSRR 0x89
#endif
565
566
/* tcp option codes (short-form aliases of the TCPOPT_* kinds above) */
#define TOPT_EOL 0x00
#define TOPT_NOP 0x01
#define TOPT_MSS 0x02
#define TOPT_WS 0x03
#define TOPT_TS 0x08
/* NOTE(review): TCPOPT_WSCALE, TCPOPT_SACKOK, TCPOPT_SACK, TCPOPT_ECHO,
 * TCPOPT_ECHOREPLY, TCPOPT_TIMESTAMP and TCPOPT_CC are already defined
 * unconditionally earlier in this header, so the #ifndef fallbacks for
 * them below never take effect.  TCPOPT_CCNEW / TCPOPT_CCECHO are a second
 * spelling of TCPOPT_CC_NEW / TCPOPT_CC_ECHO with the same values. */
#ifndef TCPOPT_WSCALE
#define TCPOPT_WSCALE 3 /* window scale factor (rfc1072) */
#endif
#ifndef TCPOPT_SACKOK
#define TCPOPT_SACKOK 4 /* selective ack ok (rfc1072) */
#endif
#ifndef TCPOPT_SACK
#define TCPOPT_SACK 5 /* selective ack (rfc1072) */
#endif
#ifndef TCPOPT_ECHO
#define TCPOPT_ECHO 6 /* echo (rfc1072) */
#endif
#ifndef TCPOPT_ECHOREPLY
#define TCPOPT_ECHOREPLY 7 /* echo (rfc1072) */
#endif
#ifndef TCPOPT_TIMESTAMP
#define TCPOPT_TIMESTAMP 8 /* timestamps (rfc1323) */
#endif
#ifndef TCPOPT_CC
#define TCPOPT_CC 11 /* T/TCP CC options (rfc1644) */
#endif
#ifndef TCPOPT_CCNEW
#define TCPOPT_CCNEW 12 /* T/TCP CC options (rfc1644) */
#endif
#ifndef TCPOPT_CCECHO
#define TCPOPT_CCECHO 13 /* T/TCP CC options (rfc1644) */
#endif
600
601 #define EXTRACT_16BITS(p) ((u_short) ntohs (*(u_short *)(p)))
602
603 #ifdef WORDS_MUSTALIGN
604
605 #if defined(__GNUC__)
606 /* force word-aligned ntohl parameter */
607 #define EXTRACT_32BITS(p) ({ uint32_t __tmp; memmove(&__tmp, (p), sizeof(uint32_t)); (uint32_t) ntohl(__tmp);})
608 #endif /* __GNUC__ */
609
610 #else
611
612 /* allows unaligned ntohl parameter - dies w/SIGBUS on SPARCs */
613 #define EXTRACT_32BITS(p) ((uint32_t) ntohl (*(uint32_t *)(p)))
614
615 #endif /* WORDS_MUSTALIGN */
616
/* packet status flags: single-bit values OR-ed into a packet's flags word.
 * See the NOTE below on the width that word must have. */
#define PKT_REBUILT_FRAG 0x00000001 /* is a rebuilt fragment */
#define PKT_REBUILT_STREAM 0x00000002 /* is a rebuilt stream */
#define PKT_STREAM_UNEST_UNI 0x00000004 /* is from an unestablished stream and
* we've only seen traffic in one direction */
#define PKT_STREAM_EST 0x00000008 /* is from an established stream */

#define PKT_STREAM_INSERT 0x00000010 /* this packet has been queued for stream reassembly */
#define PKT_STREAM_TWH 0x00000020 /* packet completes the 3-way handshake */
#define PKT_FROM_SERVER 0x00000040 /* this packet came from the server
side of a connection (TCP) */
#define PKT_FROM_CLIENT 0x00000080 /* this packet came from the client
side of a connection (TCP) */

#define PKT_PDU_HEAD 0x00000100 /* start of PDU */
#define PKT_PDU_TAIL 0x00000200 /* end of PDU */
#define PKT_UNSURE_ENCAP 0x00000400 /* packet may have incorrect encapsulation layer. */
/* don't alert if "next layer" is invalid. */
#define PKT_HTTP_DECODE 0x00000800 /* this packet has normalized http */

#define PKT_IGNORE 0x00001000 /* this packet should be ignored, based on port */
#define PKT_TRUST 0x00002000 /* this packet should fallback to being whitelisted if no other verdict was specified */
#define PKT_ALLOW_MULTIPLE_DETECT 0x00004000 /* packet has either pipelined mime attachements */
/* or pipeline http requests */
#define PKT_PAYLOAD_OBFUSCATE 0x00008000

#define PKT_STATELESS 0x00010000 /* Packet has matched a stateless rule */
#define PKT_PASS_RULE 0x00020000 /* this packet has matched a pass rule */
#define PKT_IP_RULE 0x00040000 /* this packet is being evaluated against an IP rule */
#define PKT_IP_RULE_2ND 0x00080000 /* this packet is being evaluated against an IP rule */

#define PKT_LOGGED 0x00100000 /* this packet has been logged */
#define PKT_PSEUDO 0x00200000 /* is a pseudo packet */
#define PKT_MODIFIED 0x00400000 /* packet had normalizations, etc. */
#ifdef NORMALIZER
#define PKT_RESIZED 0x00800000 /* packet has new size; must set modified too */
#endif

// neither of these flags will be set for (full) retransmissions or non-data segments
// a partial overlap results in out of sequence condition
// out of sequence condition is sticky
#define PKT_STREAM_ORDER_OK 0x01000000 /* this segment is in order, w/o gaps */
#define PKT_STREAM_ORDER_BAD 0x02000000 /* this stream had at least one gap */
#define PKT_REASSEMBLED_OLD 0x04000000 /* for backwards compat with so rules */

#define PKT_IPREP_SOURCE_TRIGGERED 0x08000000
#define PKT_IPREP_DATA_SET 0x10000000
#define PKT_FILE_EVENT_SET 0x20000000
#define PKT_EARLY_REASSEMBLY 0x40000000 /* this packet. part of the expected stream, should have stream reassembly set */
#define PKT_RETRANSMIT 0x80000000 /* this packet is identified as re-transmitted one */
/* NOTE(review): from PKT_PURGE on, the values need more than 32 bits
 * (bits 32..37).  The flags field they are stored in, and any local that
 * holds or masks it, must therefore be a 64-bit type; a 32-bit field
 * would silently drop them -- confirm against the Packet definition. */
#define PKT_PURGE 0x0100000000 /* Stream will not flush the data */
#define PKT_H1_ABORT 0x0200000000 /* Used by H1 and H2 paf */
#define PKT_UPGRADE_PROTO 0x0400000000 /* Used by H1 paf */
#define PKT_PSEUDO_FLUSH 0x0800000000
#define PKT_FAST_BLOCK 0x1000000000 /* pkt blocked by fast-blocking */
#define PKT_EVAL_DROP 0x2000000000 /* Packet with PKT_EVAL_DROP is evaluated if it is needed to dropped */

/* both ends of a PDU in one packet */
#define PKT_PDU_FULL (PKT_PDU_HEAD | PKT_PDU_TAIL)

/* either way of saying "this is stream-reassembled data" */
#define REASSEMBLED_PACKET_FLAGS (PKT_REBUILT_STREAM|PKT_REASSEMBLED_OLD)
677
/* Kinds of pseudo packet (see the PKT_PSEUDO status flag above).
 * PSEUDO_PKT_MAX is the last enumerator, one past the highest real type. */
typedef enum {
    PSEUDO_PKT_IP,
    PSEUDO_PKT_TCP,
    PSEUDO_PKT_DCE_RPKT,
    PSEUDO_PKT_SMB_SEG,
    PSEUDO_PKT_DCE_SEG,
    PSEUDO_PKT_DCE_FRAG,
    PSEUDO_PKT_SMB_TRANS,
    PSEUDO_PKT_PS,
    PSEUDO_PKT_SDF,
    PSEUDO_PKT_MAX
} PseudoPacketType;
690
/* error flags: single-bit values.  PKT_ERR_CKSUM_ANY (0x1F) is the OR of
 * the five checksum bits. */
#define PKT_ERR_CKSUM_IP 0x01
#define PKT_ERR_CKSUM_TCP 0x02
#define PKT_ERR_CKSUM_UDP 0x04
#define PKT_ERR_CKSUM_ICMP 0x08
#define PKT_ERR_CKSUM_IGMP 0x10
#define PKT_ERR_CKSUM_ANY 0x1F
#define PKT_ERR_BAD_TTL 0x20
#define PKT_ERR_SYN_RL_DROP 0x40
700
701 /* D A T A S T R U C T U R E S *********************************************/
/* Callback type for extra-data log functions.  Given a session pointer it
 * hands back, through the out-parameters, a buffer, that buffer's length
 * and a type code, and returns an int status.  Who owns *buf afterwards
 * and which return values mean success are not fixed here -- check the
 * implementations that get registered. */
typedef int (*LogFunction)(void *ssnptr, uint8_t **buf, uint32_t *len, uint32_t *type);
703
704 #ifndef NO_NON_ETHER_DECODER
705 /* Start Token Ring Data Structures */
706
707 #ifdef _MSC_VER
708 /* Visual C++ pragma to disable warning messages about nonstandard bit field type */
709 #pragma warning( disable : 4214 )
710 #endif
711
/* LLC structure: the 802.2 LLC + SNAP header that follows a Token Ring
 * MAC header, in wire order (TOKENRING_LLC_LEN bytes). */
typedef struct _Trh_llc
{
    uint8_t dsap;       /* destination service access point */
    uint8_t ssap;       /* source service access point */
    uint8_t protid[3];  /* SNAP organisation code */
    uint16_t ethertype; /* SNAP protocol id (an EtherType) */
} Trh_llc;
720
/* RIF structure
 * The Linux/tcpdump patch defines the tokenring header in a dump way, since not
 * every tokenring header will have RIF data... we define it separately, and
 * a bit more split up
 */
726
727 #ifdef _MSC_VER
728 /* Visual C++ pragma to disable warning messages about nonstandard bit field type */
729 #pragma warning( disable : 4214 )
730 #endif
731
732
/* Routing Information Field (RIF) control word and route segments.
 *
 * Older versions of this header declared the control word as bit-fields
 * (on big-endian hosts: bcast:3, len:5, dir:1, lf:3, res:4).  It is now
 * kept as one uint16_t, and the TRH_MR_* macros below pull the pieces out
 * of the network-order value:
 *
 *   bits 15-13  bcast  broadcast indicator
 *   bits 12-8   len    length of RIF field, including RC itself
 *   bit   7     dir    direction
 *   bits  6-4   lf     largest frame size
 *   bits  3-0   res    reserved
 *
 * Original author's note: these macros haven't been tested and aren't
 * used much.
 */

#define TRH_MR_BCAST(trhmr) ((ntohs((trhmr)->bcast_len_dir_lf_res) & 0xe000) >> 13)
#define TRH_MR_LEN(trhmr) ((ntohs((trhmr)->bcast_len_dir_lf_res) & 0x1F00) >> 8)
#define TRH_MR_DIR(trhmr) ((ntohs((trhmr)->bcast_len_dir_lf_res) & 0x0080) >> 7)
#define TRH_MR_LF(trhmr) ((ntohs((trhmr)->bcast_len_dir_lf_res) & 0x0070) >> 4)
#define TRH_MR_RES(trhmr) ((ntohs((trhmr)->bcast_len_dir_lf_res) & 0x000F))

typedef struct _Trh_mr
{
    uint16_t bcast_len_dir_lf_res; /* broadcast/res/framesize/direction, network order */
    uint16_t rseg[8];              /* route designator segments */
} Trh_mr;
759 #ifdef _MSC_VER
760 /* Visual C++ pragma to enable warning messages about nonstandard bit field type */
761 #pragma warning( default : 4214 )
762 #endif
763
764
/* Token Ring MAC header, in wire order: access control, frame control,
 * then destination and source addresses of TR_ALEN octets each.  (The
 * earlier per-field comments had "src" and "dst" the wrong way round
 * relative to the field names.) */
typedef struct _Trh_hdr
{
    uint8_t ac;             /* access control field */
    uint8_t fc;             /* frame control field */
    uint8_t daddr[TR_ALEN]; /* destination address */
    uint8_t saddr[TR_ALEN]; /* source address */
} Trh_hdr;
772
773 #ifdef WIN32
774 /* Visual C++ pragma to enable warning messages about nonstandard bit field type */
775 #pragma warning( default : 4214 )
776 #endif
777 /* End Token Ring Data Structures */
778
779
780 /* Start FDDI Data Structures */
781
/* FDDI header is always this: -worm5er
 * Frame control followed by destination and source MAC addresses of
 * FDDI_ALEN octets each.  (The earlier per-field comments had "src" and
 * "dst" swapped relative to the field names.) */
typedef struct _Fddi_hdr
{
    uint8_t fc;               /* frame control field */
    uint8_t daddr[FDDI_ALEN]; /* destination address */
    uint8_t saddr[FDDI_ALEN]; /* source address */
} Fddi_hdr;
789
/* splitting the llc up because of variable lengths of the LLC -worm5er
 * First two bytes of the LLC header: the service access points.  Which of
 * the Fddi_llc_* structs below follows depends on these values. */
typedef struct _Fddi_llc_saps
{
    uint8_t dsap; /* destination service access point */
    uint8_t ssap; /* source service access point */
} Fddi_llc_saps;
796
/* I've found sna frames have two addition bytes after the llc saps -worm5er
 * (the SNA case of the LLC control field) */
typedef struct _Fddi_llc_sna
{
    uint8_t ctrl_fld[2];
} Fddi_llc_sna;
802
/* I've also found other frames that seem to have only one byte... We're only
 * really interested in the IP data so, until we want other, I'm going to say
 * the data is one byte beyond this frame... -worm5er
 * (the one-byte control field case, used for anything that is not SNA
 * and not IP/ARP) */
typedef struct _Fddi_llc_other
{
    uint8_t ctrl_fld[1];
} Fddi_llc_other;
810
/* Just like TR the ip/arp data is setup as such: -worm5er
 * One control byte, then the SNAP organisation code and the EtherType of
 * the encapsulated payload -- the same shape as the tail of Trh_llc. */
typedef struct _Fddi_llc_iparp
{
    uint8_t ctrl_fld;
    uint8_t protid[3];  /* SNAP organisation code */
    uint16_t ethertype; /* SNAP protocol id (an EtherType) */
} Fddi_llc_iparp;
818
819 /* End FDDI Data Structures */
820
821
/* 'Linux cooked captures' data
 * (taken from tcpdump source).
 * The five fields add up to SLL_HDR_LEN (2+2+2+8+2 = 16 bytes); the
 * address field is a fixed SLL_ADDRLEN bytes regardless of sll_halen.
 */

#define SLL_HDR_LEN 16 /* total header length */
#define SLL_ADDRLEN 8 /* length of address field */
typedef struct _SLLHdr {
    uint16_t sll_pkttype;          /* packet type (LINUX_SLL_* below) */
    uint16_t sll_hatype;           /* link-layer address type */
    uint16_t sll_halen;            /* link-layer address length */
    uint8_t sll_addr[SLL_ADDRLEN]; /* link-layer address */
    uint16_t sll_protocol;         /* protocol (LINUX_SLL_P_* below, else an EtherType) */
} SLLHdr;
835
836
/*
 * Snort supports 4 versions of the OpenBSD pflog header:
 *
 * Pflog1_Hdr: CVS = 1.3, DLT_OLD_PFLOG = 17, Length = 28
 * Pflog2_Hdr: CVS = 1.8, DLT_PFLOG = 117, Length = 48
 * Pflog3_Hdr: CVS = 1.12, DLT_PFLOG = 117, Length = 64
 * Pflog4_Hdr: CVS = 1.172, DLT_PFLOG = 117, Length = 100
 *
 * Since they share the same DLT, Pflog{2,3,4}Hdr are distinguished
 * by their actual length. The minimum required length excludes
 * trailing padding.
 */
/* Old OpenBSD pf firewall pflog0 header (DLT_OLD_PFLOG)
 * (information from pf source in kernel)
 * the rule, reason, and action codes tell why the firewall dropped it -fleck
 * With IFNAMSIZ == 16 the struct is 4 + 16 + 4*2 = 28 bytes.
 */

typedef struct _Pflog1_hdr
{
    uint32_t af;         /* address family of the logged packet */
    char intf[IFNAMSIZ]; /* interface name */
    int16_t rule;        /* rule number */
    uint16_t reason;
    uint16_t action;
    uint16_t dir;        /* direction */
} Pflog1Hdr;

#define PFLOG1_HDRLEN (sizeof(struct _Pflog1_hdr))
865
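/*
 * Note that on OpenBSD, af type is sa_family_t. On linux, that's an unsigned
 * short, but on OpenBSD, that's a uint8_t, so we should explicitly use uint8_t
 * here. - ronaldo
 */

#define PFLOG_RULELEN 16
#define PFLOG_PADLEN 3

/* pflog header, second layout (DLT_PFLOG; 48 bytes with IFNAMSIZ == 16).
 * Fields are in wire order.  The trailing pad bytes are what PFLOG2_HDRMIN
 * leaves out. */
typedef struct _Pflog2_hdr
{
    int8_t length;
    uint8_t af;
    uint8_t action;
    uint8_t reason;
    char ifname[IFNAMSIZ];
    char ruleset[PFLOG_RULELEN];
    uint32_t rulenr;
    uint32_t subrulenr;
    uint8_t dir;
    uint8_t pad[PFLOG_PADLEN];
} Pflog2Hdr;

#define PFLOG2_HDRLEN (sizeof(struct _Pflog2_hdr))
#define PFLOG2_HDRMIN (PFLOG2_HDRLEN - PFLOG_PADLEN)

/* pflog header, third layout (64 bytes with IFNAMSIZ == 16): the second
 * layout plus uid/pid of the socket owner and of the rule author.  Again
 * PFLOG3_HDRMIN excludes the trailing pad. */
typedef struct _Pflog3_hdr
{
    int8_t length;
    uint8_t af;
    uint8_t action;
    uint8_t reason;
    char ifname[IFNAMSIZ];
    char ruleset[PFLOG_RULELEN];
    uint32_t rulenr;
    uint32_t subrulenr;
    uint32_t uid;
    uint32_t pid;
    uint32_t rule_uid;
    uint32_t rule_pid;
    uint8_t dir;
    uint8_t pad[PFLOG_PADLEN];
} Pflog3Hdr;

#define PFLOG3_HDRLEN (sizeof(struct _Pflog3_hdr))
#define PFLOG3_HDRMIN (PFLOG3_HDRLEN - PFLOG_PADLEN)


/* pflog header, fourth layout (100 bytes with IFNAMSIZ == 16): adds the
 * rewritten flag and the pre-NAT addresses and ports.  Here the two pad
 * bytes sit in the middle of the struct, ahead of the address fields, so
 * there is no trailing padding to drop and PFLOG4_HDRMIN equals the full
 * length.  Both macros are parenthesised like their PFLOG2/PFLOG3
 * counterparts. */
typedef struct _Pflog4_hdr
{
    uint8_t length;
    uint8_t af;
    uint8_t action;
    uint8_t reason;
    char ifname[IFNAMSIZ];
    char ruleset[PFLOG_RULELEN];
    uint32_t rulenr;
    uint32_t subrulenr;
    uint32_t uid;
    uint32_t pid;
    uint32_t rule_uid;
    uint32_t rule_pid;
    uint8_t dir;
    uint8_t rewritten;
    uint8_t pad[2];
    uint8_t saddr[16];
    uint8_t daddr[16];
    uint16_t sport;
    uint16_t dport;
} Pflog4Hdr;

#define PFLOG4_HDRLEN (sizeof(struct _Pflog4_hdr))
#define PFLOG4_HDRMIN (sizeof(struct _Pflog4_hdr))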
939
/*
 * sll_pkttype values (Linux cooked-capture packet type field).
 */

#define LINUX_SLL_HOST 0
#define LINUX_SLL_BROADCAST 1
#define LINUX_SLL_MULTICAST 2
#define LINUX_SLL_OTHERHOST 3
#define LINUX_SLL_OUTGOING 4

/* sll protocol values (Linux cooked-capture protocol field) */

#define LINUX_SLL_P_802_3 0x0001 /* Novell 802.3 frames without 802.2 LLC header */
#define LINUX_SLL_P_802_2 0x0004 /* 802.2 frames (not D/I/X Ethernet) */
954 #endif // NO_NON_ETHER_DECODER
955
956
957 #ifdef _MSC_VER
958 /* Visual C++ pragma to disable warning messages
959 * about nonstandard bit field type
960 */
961 #pragma warning( disable : 4214 )
962 #endif
963
/* Accessors for the 802.1Q TCI word: 3-bit priority, 1-bit CFI, 12-bit VLAN id.
 * The field is read with ntohs(), so the struct is expected to be overlaid on
 * network-order packet bytes. */
#define VTH_PRIORITY(vh) ((ntohs((vh)->vth_pri_cfi_vlan) & 0xe000) >> 13)
#define VTH_CFI(vh) ((ntohs((vh)->vth_pri_cfi_vlan) & 0x1000) >> 12)
#define VTH_VLAN(vh) ((uint16_t)(ntohs((vh)->vth_pri_cfi_vlan) & 0x0FFF))

/* 802.1Q VLAN tag as it appears on the wire (4 bytes). */
typedef struct _VlanTagHdr
{
    uint16_t vth_pri_cfi_vlan;  /* priority / CFI / VLAN id, network order */
    uint16_t vth_proto; /* protocol field... (encapsulated ethertype) */
} VlanTagHdr;
973 #ifdef _MSC_VER
974 /* Visual C++ pragma to enable warning messages about nonstandard bit field type */
975 #pragma warning( default : 4214 )
976 #endif
977
978
/* 802.2 LLC header (DSAP/SSAP), overlaid on packet bytes. */
typedef struct _EthLlc
{
    uint8_t dsap;
    uint8_t ssap;
} EthLlc;

/* Remainder of an LLC/SNAP header following EthLlc: control byte, 3-byte
 * OUI and the encapsulated protocol id. Overlaid on packet bytes; the
 * decoder must have at least sizeof(EthLlcOther) bytes left before using it. */
typedef struct _EthLlcOther
{
    uint8_t ctrl;
    uint8_t org_code[3];
    uint16_t proto_id;
} EthLlcOther;
991
/* On Solaris (and likely HP-UX) we must "twiddle" the frame by two bytes so
 * that the IP header following the 14-byte Ethernet header is aligned.
 */
995 #if defined (SOLARIS) || defined (SUNOS) || defined (__sparc__) || defined(__sparc64__) || defined (HPUX)
996 #define SPARC_TWIDDLE 2
997 #else
998 #define SPARC_TWIDDLE 0
999 #endif
1000
1001 /*
1002 * Cisco FabricPath / Data Center Ethernet header
1003 */
1004
/* Cisco FabricPath / Data Center Ethernet outer header, overlaid on packet
 * bytes. */
typedef struct _FPathHdr
{
    uint8_t fpath_dst[6];
    uint8_t fpath_src[6];
    uint16_t fpath_type;
    uint16_t fptag_extra; /* 10-bit FTag + 6-bit TTL */
} FPathHdr;

/* Cisco MetaData header. `length` is a scaled value (header bytes / 8), so a
 * decoder must multiply it out and bound the result against the bytes that
 * remain in the packet before walking the options that follow. */
typedef struct _CiscoMetaHdr
{
    uint8_t version; // This must be 1
    uint8_t length; //This is the header size in bytes / 8
} CiscoMetaHdr;

/*
 * Cisco MetaData header options
 */

/* One Cisco MetaData option. The length field is encoded, not a plain byte
 * count (a value of 0 means 4), so treat opt_len_type as untrusted input
 * when computing how far to advance. */
typedef struct _CiscoMetaOpt
{
    uint16_t opt_len_type; /* 3-bit length + 13-bit type. Length of 0 = 4. Type must be 1. */
    uint16_t sgt; /* Can be any value except 0xFFFF */
} CiscoMetaOpt;
1028
1029 /*
1030 * Ethernet header
1031 */
1032
/* Ethernet II header (14 bytes), overlaid on packet bytes.
 * ether_type is in network byte order. */
typedef struct _EtherHdr
{
    uint8_t ether_dst[6];
    uint8_t ether_src[6];
    uint16_t ether_type;

} EtherHdr;
1040
1041
1042 #ifndef NO_NON_ETHER_DECODER
1043 /*
1044 * Wireless Header (IEEE 802.11)
1045 */
/* IEEE 802.11 MAC header, overlaid on packet bytes. This is the 4-address
 * (longest) layout; frames without addr4 are shorter than sizeof(WifiHdr),
 * so a decoder should size its length check from frame_control rather than
 * from sizeof. */
typedef struct _WifiHdr
{
    uint16_t frame_control;
    uint16_t duration_id;
    uint8_t addr1[6];
    uint8_t addr2[6];
    uint8_t addr3[6];
    uint16_t seq_control;
    uint8_t addr4[6];
} WifiHdr;
1056 #endif // NO_NON_ETHER_DECODER
1057
1058
1059 /* Can't add any fields not in the real header here
1060 because of how the decoder uses structure overlaying */
1061 #ifdef _MSC_VER
1062 /* Visual C++ pragma to disable warning messages
1063 * about nonstandard bit field type
1064 */
1065 #pragma warning( disable : 4214 )
1066 #endif
1067
1068 /* tcpdump shows us the way to cross platform compatibility */
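/* tcpdump shows us the way to cross platform compatibility:
 * version and header length are the two nibbles of ip_verhl. */
#define IP_VER(iph) (((iph)->ip_verhl & 0xf0) >> 4)
#define IP_HLEN(iph) ((iph)->ip_verhl & 0x0f)

/* we need to change them as well as get them.
 * `value` is parenthesised so an expression argument (e.g. `a | b`) is
 * shifted as a unit, and masked to a nibble so the other half of the byte is
 * never disturbed. Both macros store back through a cast to unsigned char. */
#define SET_IP_VER(iph, value) ((iph)->ip_verhl = (unsigned char)(((iph)->ip_verhl & 0x0f) | (((value) & 0x0f) << 4)))
#define SET_IP_HLEN(iph, value) ((iph)->ip_verhl = (unsigned char)(((iph)->ip_verhl & 0xf0) | ((value) & 0x0f)))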
1075
/* Number of possible values of the 8-bit IP protocol field. */
#define NUM_IP_PROTOS 256

/* Last updated 6/2/2010.
Source: http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml
NOTE(review): the IANA registry has grown since this snapshot; re-check the
first unassigned number before relying on it to flag "unknown" protocols. */
#define MIN_UNASSIGNED_IP_PROTO 143

/* Protocol numbers that some platform headers do not define. */
#ifndef IPPROTO_SWIPE
#define IPPROTO_SWIPE 53
#endif
#ifndef IPPROTO_IP_MOBILITY
#define IPPROTO_IP_MOBILITY 55
#endif
#ifndef IPPROTO_SUN_ND
#define IPPROTO_SUN_ND 77
#endif
#ifndef IPPROTO_PIM
#define IPPROTO_PIM 103
#endif
#ifndef IPPROTO_PGM
#define IPPROTO_PGM 113
#endif
1097
/* IPv4 header as it appears on the wire (20 bytes without options), overlaid
 * on packet bytes. Multi-byte fields are network byte order. The real header
 * length is IP_HLEN(iph) * 4 and may exceed sizeof(IPHdr) when options are
 * present; ip_len is the total datagram length claimed by the sender and must
 * be validated against the captured length before use. */
typedef struct _IPHdr
{
    uint8_t ip_verhl; /* version & header length */
    uint8_t ip_tos; /* type of service */
    uint16_t ip_len; /* datagram length */
    uint16_t ip_id; /* identification */
    uint16_t ip_off; /* fragment offset */
    uint8_t ip_ttl; /* time to live field */
    uint8_t ip_proto; /* datagram protocol */
    uint16_t ip_csum; /* checksum */
    struct in_addr ip_src; /* source IP */
    struct in_addr ip_dst; /* dest IP */
} IPHdr;

/* Address pair in Snort's family-agnostic sfaddr_t form (not a wire layout). */
typedef struct _IPAddresses
{
    sfaddr_t ip_src; /* source IP */
    sfaddr_t ip_dst; /* dest IP */
} IPAddresses;

/* Decoded IPv4 header: the fixed fields copied from IPHdr plus a pointer to
 * the address pair. Because of the pointer this is NOT a wire layout and must
 * never be overlaid on packet bytes. */
typedef struct _IPv4Hdr
{
    uint8_t ip_verhl; /* version & header length */
    uint8_t ip_tos; /* type of service */
    uint16_t ip_len; /* datagram length */
    uint16_t ip_id; /* identification */
    uint16_t ip_off; /* fragment offset */
    uint8_t ip_ttl; /* time to live field */
    uint8_t ip_proto; /* datagram protocol */
    uint16_t ip_csum; /* checksum */
    IPAddresses* ip_addrs; /* IP addresses*/
} IP4Hdr;

/* Decoded IPv6 header; like IP4Hdr it holds a pointer and is NOT a wire
 * layout (see IP6RawHdr for the on-wire form). */
typedef struct _IPv6Hdr
{
    uint32_t vcl; /* version, class, and label */
    uint16_t len; /* length of the payload */
    uint8_t next; /* next header
                   * Uses the same flags as
                   * the IPv4 protocol field */
    uint8_t hop_lmt; /* hop limit */
    IPAddresses* ip_addrs; /* IP addresses*/
} IP6Hdr;
1141
1142 /* IPv6 address */
/* IPv6 address: fallback definition for platforms whose <netinet/in.h> does
 * not provide struct in6_addr (detected via the s6_addr macro). The union
 * gives byte, 16-bit and 32-bit views of the same 128 bits. */
#ifndef s6_addr
struct in6_addr
{
    union
    {
        uint8_t u6_addr8[16];
        uint16_t u6_addr16[8];
        uint32_t u6_addr32[4];
    } in6_u;
#define s6_addr in6_u.u6_addr8
#define s6_addr16 in6_u.u6_addr16
#define s6_addr32 in6_u.u6_addr32
};
#endif
1157
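/* IPv6 fixed header as it appears on the wire (IP6_HDR_LEN bytes), overlaid
 * on packet bytes. Multi-byte fields are network byte order. */
typedef struct _IP6RawHdr
{
    uint32_t ip6_vtf; /* 4 bits version, 8 bits TC,
                         20 bits flow-ID */
    uint16_t ip6_payload_len; /* payload length */
    uint8_t ip6_next; /* next header */
    uint8_t ip6_hoplim; /* hop limit */

    struct in6_addr ip6_src; /* source address */
    struct in6_addr ip6_dst; /* destination address */
} IP6RawHdr;

/* BSD-style aliases for the field names above. */
#define ip6flow ip6_vtf
#define ip6plen ip6_payload_len
#define ip6nxt ip6_next
#define ip6hlim ip6_hoplim
#define ip6hops ip6_hoplim

/* Version nibble of a raw IPv6 header. The argument is parenthesised so an
 * expression (such as a cast) can be passed without changing how -> binds. */
#define IPRAW_HDR_VER(p_rawiph) \
    (ntohl((p_rawiph)->ip6_vtf) >> 28)

/* Size of the fixed IPv6 header; equals sizeof(IP6RawHdr). */
#define IP6_HDR_LEN 40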
1180
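/* IPv6 next-header / extension-header protocol numbers. */
#ifndef IP_PROTO_HOPOPTS
# define IP_PROTO_HOPOPTS 0
#endif

#define IP_PROTO_NONE 59
#define IP_PROTO_ROUTING 43
#define IP_PROTO_FRAGMENT 44
#define IP_PROTO_AH 51
#define IP_PROTO_DSTOPTS 60
#define IP_PROTO_ICMPV6 58
#define IP_PROTO_IPV6 41
#define IP_PROTO_IPIP 4

/* Fragment header: ip6f_offlg packs a 13-bit offset (in 8-octet units),
 * two reserved bits and the more-fragments flag. */
#define IP6F_OFFSET_MASK 0xfff8 /* mask out offset from _offlg */
#define IP6F_MF_MASK 0x0001 /* more-fragments flag */

/* Accessors for an IP6Frag header overlaid on network-order packet bytes.
 * Every expansion is fully parenthesised so the macros compose safely
 * (e.g. in sizeof or arithmetic). IP6F_OFFSET() returns the offset in
 * 8-octet units, not bytes. */
#define IP6F_OFFSET(fh) ((ntohs((fh)->ip6f_offlg) & IP6F_OFFSET_MASK) >> 3)
#define IP6F_RES(fh) ((fh)->ip6f_reserved)
#define IP6F_MF(fh) (ntohs((fh)->ip6f_offlg) & IP6F_MF_MASK)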
1200
1201 /* to store references to IP6 Extension Headers */
/* to store references to IP6 Extension Headers.
 * `data` points into the packet buffer; this is a decoded record, not a
 * wire layout. */
typedef struct _IP6Option
{
    uint8_t type;
    const uint8_t *data;
} IP6Option;

/* Generic Extension Header: first 8 octets of any IPv6 extension header,
 * overlaid on packet bytes. On the wire ip6e_len is in 8-octet units and
 * excludes the first 8 octets (RFC 8200), so the byte length a decoder
 * derives from it must be bound-checked against the remaining packet
 * before advancing. */
typedef struct _IP6Extension
{
    uint8_t ip6e_nxt;
    uint8_t ip6e_len;
    /* options follow */
    uint8_t ip6e_pad[6];
} IP6Extension;

/* Hop-by-Hop options header; same layout and length rules as IP6Extension. */
typedef struct _IP6HopByHop
{
    uint8_t ip6hbh_nxt;
    uint8_t ip6hbh_len;
    /* options follow */
    uint8_t ip6hbh_pad[6];
} IP6HopByHop;

/* Destination options header; same layout and length rules as IP6Extension. */
typedef struct _IP6Dest
{
    uint8_t ip6dest_nxt;
    uint8_t ip6dest_len;
    /* options follow */
    uint8_t ip6dest_pad[6];
} IP6Dest;
1232
/* Routing header, common 4-byte prefix; type-specific data follows and its
 * size must be derived from ip6rte_len, not from sizeof. */
typedef struct _IP6Route
{
    uint8_t ip6rte_nxt;
    uint8_t ip6rte_len;
    uint8_t ip6rte_type;
    uint8_t ip6rte_seg_left;
    /* type specific data follows */
} IP6Route;

/* Type 0 routing header. ip6rte0_addr is declared with one element only so
 * the struct can be overlaid; the actual number of addresses comes from
 * ip6rte0_len and indexing past [0] is only valid after that many bytes have
 * been confirmed present in the packet. */
typedef struct _IP6Route0
{
    uint8_t ip6rte0_nxt;
    uint8_t ip6rte0_len;
    uint8_t ip6rte0_type;
    uint8_t ip6rte0_seg_left;
    uint8_t ip6rte0_reserved;
    uint8_t ip6rte0_bitmap[3];
    struct in6_addr ip6rte0_addr[1]; /* Up to 23 IP6 addresses */
} IP6Route0;

/* Fragment header (8 bytes), overlaid on packet bytes; use the IP6F_*
 * macros to read ip6f_offlg, which is in network byte order. */
typedef struct _IP6Frag
{
    uint8_t ip6f_nxt; /* next header */
    uint8_t ip6f_reserved; /* reserved field */
    uint16_t ip6f_offlg; /* offset, reserved, and flag */
    uint32_t ip6f_ident; /* identification */
} IP6Frag;
1261
/* ICMPv6 fixed header (4 bytes): type, code, checksum. Overlaid on packet
 * bytes; message-specific bodies follow and are described by the structs
 * below, each of which repeats these first four bytes. */
typedef struct _ICMP6
{
    uint8_t type;
    uint8_t code;
    uint16_t csum;

} ICMP6Hdr;

/* Packet Too Big (type ICMP6_BIG): header plus the reported MTU. */
typedef struct _ICMP6TooBig
{
    uint8_t type;
    uint8_t code;
    uint16_t csum;
    uint32_t mtu;
} ICMP6TooBig;

/* Router Advertisement (type ICMP6_ADVERTISEMENT) fixed part; options follow. */
typedef struct _ICMP6RouterAdvertisement
{
    uint8_t type;
    uint8_t code;
    uint16_t csum;
    uint8_t num_addrs;
    uint8_t addr_entry_size;
    uint16_t lifetime;
    uint32_t reachable_time;
    uint32_t retrans_time;
} ICMP6RouterAdvertisement;

/* Router Solicitation (type ICMP6_SOLICITATION) fixed part; options follow. */
typedef struct _ICMP6RouterSolicitation
{
    uint8_t type;
    uint8_t code;
    uint16_t csum;
    uint32_t reserved;
} ICMP6RouterSolicitation;

/* Node Information query/response (types ICMP6_NODE_INFO_*) fixed part. */
typedef struct _ICMP6NodeInfo
{
    uint8_t type;
    uint8_t code;
    uint16_t csum;
    uint16_t qtype;
    uint16_t flags;
    uint64_t nonce;
} ICMP6NodeInfo;
1307
/* ICMPv6 message types used by the decoder. */
#define ICMP6_UNREACH 1
#define ICMP6_BIG 2
#define ICMP6_TIME 3
#define ICMP6_PARAMS 4
#define ICMP6_ECHO 128
#define ICMP6_REPLY 129
#define ICMP6_SOLICITATION 133
#define ICMP6_ADVERTISEMENT 134
#define ICMP6_NODE_INFO_QUERY 139
#define ICMP6_NODE_INFO_RESPONSE 140

/* ICMP6Hdr holds only type, code and checksum, so sizeof(ICMP6Hdr) is the
 * full 4-byte fixed header and the smallest length a decoder may accept. */
#define ICMP6_MIN_HEADER_LEN (sizeof(ICMP6Hdr) )
1321
1322 #ifdef _MSC_VER
1323 /* Visual C++ pragma to enable warning messages about nonstandard bit field type */
1324 #pragma warning( default : 4214 )
1325 #endif
1326
1327
1328 /* Can't add any fields not in the real header here
1329 because of how the decoder uses structure overlaying */
1330 #ifdef _MSC_VER
1331 /* Visual C++ pragma to disable warning
1332 * messages about nonstandard bit field type
1333 */
1334 #pragma warning( disable : 4214 )
1335 #endif
1336
/* IP-in-IP protocol number for platforms that do not define it. */
#ifndef IPPROTO_IPIP
#define IPPROTO_IPIP 4
#endif

/* GRE related stuff: the 4-byte fixed GRE header, overlaid on packet bytes.
 * Optional checksum/key/sequence/routing fields follow depending on `flags`
 * (see the GRE_* macros), so the real header is often longer than this. */
typedef struct _GREHdr
{
    uint8_t flags;
    uint8_t version;
    uint16_t ether_type;

} GREHdr;
1349
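#ifdef GRE

#ifndef IPPROTO_GRE
#define IPPROTO_GRE 47
#endif

/* Encapsulated protocol types the decoder recognises. */
#define GRE_TYPE_TRANS_BRIDGING 0x6558
#define GRE_TYPE_PPP 0x880B

/* Sizes of the fixed header and of each optional field that may follow it;
 * the decoder adds the lengths selected by the flag bits to find the
 * payload, and must check that total against the remaining packet. */
#define GRE_HEADER_LEN 4
#define GRE_CHKSUM_LEN 2
#define GRE_OFFSET_LEN 2
#define GRE_KEY_LEN 4
#define GRE_SEQ_LEN 4
#define GRE_SRE_HEADER_LEN 4

/* Flag/version accessors on a GREHdr pointer. The argument is parenthesised
 * so any pointer expression can be passed. Each returns the masked bit(s),
 * i.e. a non-zero value rather than exactly 1 when set. */
#define GRE_CHKSUM(x) ((x)->flags & 0x80)
#define GRE_ROUTE(x) ((x)->flags & 0x40)
#define GRE_KEY(x) ((x)->flags & 0x20)
#define GRE_SEQ(x) ((x)->flags & 0x10)
#define GRE_SSR(x) ((x)->flags & 0x08)
#define GRE_RECUR(x) ((x)->flags & 0x07)
#define GRE_VERSION(x) ((x)->version & 0x07)
#define GRE_FLAGS(x) ((x)->version & 0xF8)
#define GRE_PROTO(x) (ntohs((x)->ether_type))

/* GRE version 1 used with PPTP */
#define GRE_V1_HEADER_LEN 8
#define GRE_V1_ACK_LEN 4
#define GRE_V1_FLAGS(x) ((x)->version & 0x78)
#define GRE_V1_ACK(x) ((x)->version & 0x80)

/* ERSPAN type II header (8 bytes) carried after GRE. */
typedef struct _ERSpanType2Hdr
{
    uint16_t ver_vlan;
    uint16_t flags_spanId;
    uint32_t pad;
} ERSpanType2Hdr;

/* ERSPAN type III header (20 bytes) carried after GRE. */
typedef struct _ERSpanType3Hdr
{
    uint16_t ver_vlan;
    uint16_t flags_spanId;
    uint32_t timestamp;
    uint16_t pad0;
    uint16_t pad1;
    uint32_t pad2;
    uint32_t pad3;
} ERSpanType3Hdr;

/* ERSPAN field accessors; arguments parenthesised as above. Fields are read
 * with ntohs(), i.e. the structs are overlaid on network-order bytes.
 * ERSPAN3_TIMESTAMP() returns the raw (unconverted) 32-bit field. */
#define ERSPAN_VERSION(x) ((ntohs((x)->ver_vlan) & 0xf000) >> 12)
#define ERSPAN_VLAN(x) (ntohs((x)->ver_vlan) & 0x0fff)
#define ERSPAN_SPAN_ID(x) (ntohs((x)->flags_spanId) & 0x03ff)
#define ERSPAN3_TIMESTAMP(x) ((x)->timestamp)

#endif /* GRE */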
1406
1407
1408 /* more macros for TCP offset */
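/* more macros for TCP offset: th_offx2 holds the data offset (in 32-bit
 * words) in the high nibble and the reserved bits in the low nibble. */
#define TCP_OFFSET(tcph) (((tcph)->th_offx2 & 0xf0) >> 4)
#define TCP_X2(tcph) ((tcph)->th_offx2 & 0x0f)

/* True only when every bit in `flags` is set in th_flags. */
#define TCP_ISFLAGSET(tcph, flags) (((tcph)->th_flags & (flags)) == (flags))

/* we need to change them as well as get them.
 * `value` is parenthesised so an expression argument (e.g. `a | b`) is
 * shifted as a unit, and masked to a nibble so the other half of the byte is
 * never disturbed. Both macros store back through a cast to unsigned char. */
#define SET_TCP_OFFSET(tcph, value) ((tcph)->th_offx2 = (unsigned char)(((tcph)->th_offx2 & 0x0f) | (((value) & 0x0f) << 4)))
#define SET_TCP_X2(tcph, value) ((tcph)->th_offx2 = (unsigned char)(((tcph)->th_offx2 & 0xf0) | ((value) & 0x0f)))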
1417
/* TCP header as it appears on the wire (20 bytes without options), overlaid
 * on packet bytes; multi-byte fields are network byte order. The true header
 * length is TCP_OFFSET(tcph) * 4 and must be checked against both 20 and the
 * bytes remaining before options are parsed. */
typedef struct _TCPHdr
{
    uint16_t th_sport; /* source port */
    uint16_t th_dport; /* destination port */
    uint32_t th_seq; /* sequence number */
    uint32_t th_ack; /* acknowledgement number */
    uint8_t th_offx2; /* offset and reserved */
    uint8_t th_flags;
    uint16_t th_win; /* window */
    uint16_t th_sum; /* checksum */
    uint16_t th_urp; /* urgent pointer */

} TCPHdr;
1431 #ifdef _MSC_VER
1432 /* Visual C++ pragma to enable warning messages
1433 * about nonstandard bit field type
1434 */
1435 #pragma warning( default : 4214 )
1436 #endif
1437
1438
/* UDP header as it appears on the wire (8 bytes), overlaid on packet bytes;
 * fields are network byte order. uh_len is sender-supplied and includes this
 * header; validate it against the captured length before trusting it. */
typedef struct _UDPHdr
{
    uint16_t uh_sport;
    uint16_t uh_dport;
    uint16_t uh_len;
    uint16_t uh_chk;

} UDPHdr;
1447
1448
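/* ICMP header: the 4-byte type/code/checksum prefix, the 4-byte
 * message-dependent word (icmp_hun) and a message-dependent body (icmp_dun).
 *
 * NOTE(review): icmp_dun.ip holds an IPHdr *pointer*, so sizeof(ICMPHdr)
 * depends on the pointer width and is not the on-wire header length. Use
 * explicit byte counts, never sizeof(ICMPHdr), when checking packet length.
 *
 * The s_icmp_* macros are field shorthands; s_icmp_ip previously referred
 * to a non-existent member (icmp_dun.ih_ip — that is the struct tag, the
 * member is named ip) and could never have compiled; it is corrected here. */
typedef struct _ICMPHdr
{
    uint8_t type;
    uint8_t code;
    uint16_t csum;
    union
    {
        struct
        {
            uint8_t pptr;
            uint8_t pres1;
            uint16_t pres2;
        } param;

        struct in_addr gwaddr;

        struct idseq
        {
            uint16_t id;
            uint16_t seq;
        } idseq;

        uint32_t sih_void;

        struct pmtu
        {
            uint16_t ipm_void;
            uint16_t nextmtu;
        } pmtu;

        struct rtradv
        {
            uint8_t num_addrs;
            uint8_t wpa;
            uint16_t lifetime;
        } rtradv;
    } icmp_hun;

#define s_icmp_pptr icmp_hun.param.pptr
#define s_icmp_gwaddr icmp_hun.gwaddr
#define s_icmp_id icmp_hun.idseq.id
#define s_icmp_seq icmp_hun.idseq.seq
#define s_icmp_void icmp_hun.sih_void
#define s_icmp_pmvoid icmp_hun.pmtu.ipm_void
#define s_icmp_nextmtu icmp_hun.pmtu.nextmtu
#define s_icmp_num_addrs icmp_hun.rtradv.num_addrs
#define s_icmp_wpa icmp_hun.rtradv.wpa
#define s_icmp_lifetime icmp_hun.rtradv.lifetime

    union
    {
        /* timestamp */
        struct ts
        {
            uint32_t otime;
            uint32_t rtime;
            uint32_t ttime;
        } ts;

        /* IP header for unreach */
        struct ih_ip
        {
            IPHdr *ip;
            /* options and then 64 bits of data */
        } ip;

        struct ra_addr
        {
            uint32_t addr;
            uint32_t preference;
        } radv;

        uint32_t mask;

        char data[1];

    } icmp_dun;
#define s_icmp_otime icmp_dun.ts.otime
#define s_icmp_rtime icmp_dun.ts.rtime
#define s_icmp_ttime icmp_dun.ts.ttime
#define s_icmp_ip icmp_dun.ip
#define s_icmp_radv icmp_dun.radv
#define s_icmp_mask icmp_dun.mask
#define s_icmp_data icmp_dun.data

} ICMPHdr;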
1535
1536
/* ARP fixed header (8 bytes), overlaid on packet bytes. ar_hln/ar_pln give
 * the sizes of the address fields that follow. */
typedef struct _ARPHdr
{
    uint16_t ar_hrd; /* format of hardware address */
    uint16_t ar_pro; /* format of protocol address */
    uint8_t ar_hln; /* length of hardware address */
    uint8_t ar_pln; /* length of protocol address */
    uint16_t ar_op; /* ARP opcode (command) */
} ARPHdr;



/* Ethernet/IPv4 ARP packet (28 bytes). The address sizes are hard-coded to
 * 6/4, so this layout is only meaningful once ar_hln == 6 and ar_pln == 4
 * have been checked and 28 bytes are known to be present. */
typedef struct _EtherARP
{
    ARPHdr ea_hdr; /* fixed-size header */
    uint8_t arp_sha[6]; /* sender hardware address */
    uint8_t arp_spa[4]; /* sender protocol address */
    uint8_t arp_tha[6]; /* target hardware address */
    uint8_t arp_tpa[4]; /* target protocol address */
} EtherARP;
1556
1557
1558 #ifndef NO_NON_ETHER_DECODER
/* EAPOL (802.1X) header (4 bytes), overlaid on packet bytes; `len` is the
 * sender-claimed body length and must be bounded by the captured length. */
typedef struct _EtherEapol
{
    uint8_t version; /* EAPOL proto version */
    uint8_t eaptype; /* EAPOL Packet type */
    uint16_t len; /* Packet body length */
} EtherEapol;

/* EAP packet header (4 bytes); same caveat for `len`. */
typedef struct _EAPHdr
{
    uint8_t code;
    uint8_t id;
    uint16_t len;
} EAPHdr;

/* EAPOL-Key descriptor fixed part (44 bytes), overlaid on packet bytes.
 * `length` is a 2-byte field kept as bytes (no alignment/endianness
 * assumption); the key data it describes follows the struct. */
typedef struct _EapolKey
{
    uint8_t type;
    uint8_t length[2];
    uint8_t counter[8];
    uint8_t iv[16];
    uint8_t index;
    uint8_t sig[16];
} EapolKey;
1582 #endif // NO_NON_ETHER_DECODER
1583
/* Decoded IP/TCP option record (not a wire layout): `data` points into the
 * packet buffer and `len` is the number of data bytes the decoder validated
 * for it. */
typedef struct _Options
{
    uint8_t code;
    uint8_t len; /* length of the data section */
    const uint8_t *data;
} Options;
1590
1591 /* PPPoEHdr Header; EtherHdr plus the PPPoE Header */
/* PPPoEHdr Header; EtherHdr plus the PPPoE Header (6 bytes), overlaid on
 * packet bytes. `length` is the sender-claimed payload length; validate it
 * against the bytes actually captured. */
typedef struct _PPPoEHdr
{
    unsigned char ver_type; /* pppoe version/type */
    unsigned char code; /* pppoe code CODE_* */
    unsigned short session; /* session id */
    unsigned short length; /* payload length */
    /* payload follows */
} PPPoEHdr;

/* PPPoE tag; the payload is a sequence of these (4-byte TLV header). A tag
 * walker must check that `length` bytes remain before moving to the next tag. */
typedef struct _PPPoE_Tag
{
    unsigned short type; /* tag type TAG_* */
    unsigned short length; /* tag length */
    /* payload follows */
} PPPoE_Tag;
1608
/* Size of one MPLS label stack entry on the wire. */
#define MPLS_HEADER_LEN 4
/* Label values 0-15 are reserved. */
#define NUM_RESERVED_LABELS 16
#ifdef MPLS_RFC4023_SUPPORT
#define IPPROTO_MPLS 137
#endif

/* Decoded MPLS label stack entry. This is NOT a wire layout
 * (sizeof(MplsHdr) != MPLS_HEADER_LEN); the decoder unpacks the 32-bit
 * entry into these fields. */
typedef struct _MplsHdr
{
    uint32_t label;
    uint8_t exp;
    uint8_t bos;
    uint8_t ttl;
} MplsHdr;
1622
/* HTTP/2 priority specification as decoded into host form (not a wire layout). */
typedef struct _H2PriSpec
{
    uint32_t stream_id;
    uint32_t weight;
    uint8_t exclusive;
} H2PriSpec;

/* Decoded HTTP/2 frame header (not a wire layout; the on-wire frame header
 * is 9 bytes with a 24-bit length). */
typedef struct _H2Hdr
{
    uint32_t length;
    uint32_t stream_id;
    uint8_t type;
    uint8_t flags;
    uint8_t reserved;
    H2PriSpec pri;
} H2Hdr;
1639
/* Result codes for the PGM NAK sanity check (presumably returned by the
 * decoder's PGM handler — TODO confirm against decode.c). */
#define PGM_NAK_ERR -1
#define PGM_NAK_OK 0
#define PGM_NAK_VULN 1

/* PGM NAK option. `seq` is declared with one element so the struct can be
 * overlaid; the real count is governed by `len` and anything past seq[0]
 * must be bound-checked against the packet before it is read. */
typedef struct _PGM_NAK_OPT
{
    uint8_t type; /* 02 = vuln */
    uint8_t len;
    uint8_t res[2];
    uint32_t seq[1]; /* could be many many more, but 1 is sufficient */
} PGM_NAK_OPT;

/* PGM NAK body followed by its first option (see PGM_NAK_OPT caveat). */
typedef struct _PGM_NAK
{
    uint32_t seqnum;
    uint16_t afil1;
    uint16_t res1;
    uint32_t src;
    uint16_t afi2;
    uint16_t res2;
    uint32_t multi;
    PGM_NAK_OPT opt;
} PGM_NAK;

/* PGM common header with an embedded NAK. Because `nak` is included, the
 * struct is larger than the 16-byte common header; a decoder must not use
 * sizeof(PGM_HEADER) as the minimum length for non-NAK packets. */
typedef struct _PGM_HEADER
{
    uint16_t srcport;
    uint16_t dstport;
    uint8_t type;
    uint8_t opt;
    uint16_t checksum;
    uint8_t gsd[6];
    uint16_t length;
    PGM_NAK nak;
} PGM_HEADER;
1675
1676 /* GTP basic Header */
/* GTP basic Header (4 bytes), overlaid on packet bytes. `length` is the
 * sender-claimed payload length in network byte order; the optional fields
 * signalled by the E/S/PN flag bits follow and lengthen the real header. */
typedef struct _GTPHdr
{
    uint8_t flag; /* flag: version (bit 6-8), PT (5), E (3), S (2), PN (1) */
    uint8_t type; /* message type */
    uint16_t length; /* length */

} GTPHdr;
1684
1685 #define LAYER_MAX 32
1686
1687 // forward declaration for snort expected session created due to this packet.
1688 struct _ExpectNode;
1689
1690 // REMEMBER match any changes you make here in:
1691 // dynamic-plugins/sf_engine/sf_snort_packet.h
/* Per-packet decode state. `pkt` is the raw captured buffer and the header
 * pointers below are expected to alias into it (the wire structs above are
 * overlaid, never copied), so every pointer is only valid for the lifetime
 * of that buffer. Everything before PKT_ZERO_LEN (see `ip_options`) is
 * zeroed per packet; everything after it keeps stale values and must be set
 * explicitly by whoever relies on it. */
typedef struct _Packet
{
    const DAQ_PktHdr_t *pkth; // packet meta data
    const uint8_t *pkt; // raw packet data

    //vvv------------------------------------------------
    // TODO convenience stuff to be refactored for layers
    //^^^------------------------------------------------

    //vvv-----------------------------
    EtherARP *ah;
    const EtherHdr *eh; /* standard TCP/IP/Ethernet/ARP headers */
    const VlanTagHdr *vh;
    EthLlc *ehllc;
    EthLlcOther *ehllcother;
    const PPPoEHdr *pppoeh; /* Encapsulated PPP of Ether header */
    const GREHdr *greh;
    uint32_t *mpls;
    const CiscoMetaHdr *cmdh; /* Cisco Metadata Header */

    const IPHdr *iph, *orig_iph;/* and orig. headers for ICMP_*_UNREACH family */
    const IPHdr *inner_iph; /* if IP-in-IP, this will be the inner IP header */
    const IPHdr *outer_iph; /* if IP-in-IP, this will be the outer IP header */
    const TCPHdr *tcph, *orig_tcph;
    const UDPHdr *udph, *orig_udph;
    const UDPHdr *inner_udph; /* if Teredo + UDP, this will be the inner UDP header */
    const UDPHdr *outer_udph; /* if Teredo + UDP, this will be the outer UDP header */
    const ICMPHdr *icmph, *orig_icmph;

    /* Payload pointers; NULL-check before use, and bound reads by the
     * matching *dsize field rather than by the wire-claimed length. */
    const uint8_t *data; /* packet payload pointer */
    const uint8_t *ip_data; /* IP payload pointer */
    const uint8_t *outer_ip_data; /* Outer IP payload pointer */
    //^^^-----------------------------

    void *ssnptr; /* for tcp session tracking info... */
    void *fragtracker; /* for ip fragmentation tracking info... */

    //vvv-----------------------------
    /* Decoded (host-form) IP headers; see IP4Hdr/IP6Hdr. */
    IP4Hdr *ip4h, *orig_ip4h;
    IP6Hdr *ip6h, *orig_ip6h;
    ICMP6Hdr *icmp6h, *orig_icmp6h;

    IPH_API* iph_api;
    IPH_API* orig_iph_api;
    IPH_API* outer_iph_api;
    IPH_API* outer_orig_iph_api;

    int family;
    int orig_family;
    int outer_family;
    //^^^-----------------------------

    PreprocEnableMask preprocessor_bits; /* flags for preprocessors to check */

    uint64_t packet_flags; /* special flags for the packet */

    uint32_t xtradata_mask;

    uint16_t proto_bits; /* PROTO_BIT__* set for the decoded protocols */

    //vvv-----------------------------
    /* All sizes are 16-bit: a payload can never be described as larger
     * than 65535 bytes through these fields. */
    uint16_t dsize; /* packet payload size */
    uint16_t ip_dsize; /* IP payload size */
    uint16_t alt_dsize; /* the dsize of a packet before munging (used for log)*/
    uint16_t actual_ip_len; /* for logging truncated pkts (usually by small snaplen)*/
    uint16_t outer_ip_dsize; /* Outer IP payload size */
    //^^^-----------------------------

    uint16_t frag_offset; /* fragment offset number */
    uint16_t ip_frag_len;
    uint16_t ip_options_len;
    uint16_t tcp_options_len;

    //vvv-----------------------------
    uint16_t sp; /* source port (TCP/UDP) */
    uint16_t dp; /* dest port (TCP/UDP) */
    uint16_t orig_sp; /* source port (TCP/UDP) of original datagram */
    uint16_t orig_dp; /* dest port (TCP/UDP) of original datagram */
    //^^^-----------------------------
    // and so on ...

    int16_t application_protocol_ordinal;

    uint8_t frag_flag; /* flag to indicate a fragmented packet */
    uint8_t mf; /* more fragments flag */
    uint8_t df; /* don't fragment flag */
    uint8_t rf; /* IP reserved bit */

    /* Counts of valid entries in ip_options[] / tcp_options[] /
     * ip6_extensions; they bound the arrays and must never exceed
     * IP_OPTMAX / TCP_OPTLENMAX. */
    uint8_t ip_option_count; /* number of options in this packet */
    uint8_t tcp_option_count;
    uint8_t ip6_extension_count;
    uint8_t ip6_frag_index;

    uint8_t error_flags; /* flags indicate checksum errors, bad TTLs, etc. */
    uint8_t encapsulated;
    uint8_t GTPencapsulated;
    uint8_t GREencapsulated;
    uint8_t IPnIPencapsulated;
    uint8_t non_ip_pkt;
    uint8_t next_layer; /* index into layers for next encap */

#ifndef NO_NON_ETHER_DECODER
    const Fddi_hdr *fddihdr; /* FDDI support headers */
    Fddi_llc_saps *fddisaps;
    Fddi_llc_sna *fddisna;
    Fddi_llc_iparp *fddiiparp;
    Fddi_llc_other *fddiother;

    const Trh_hdr *trh; /* Token Ring support headers */
    Trh_llc *trhllc;
    Trh_mr *trhmr;

    Pflog1Hdr *pf1h; /* OpenBSD pflog interface header - version 1 */
    Pflog2Hdr *pf2h; /* OpenBSD pflog interface header - version 2 */
    Pflog3Hdr *pf3h; /* OpenBSD pflog interface header - version 3 */
    Pflog4Hdr *pf4h; /* OpenBSD pflog interface header - version 4 */

#ifdef DLT_LINUX_SLL
    const SLLHdr *sllh; /* Linux cooked sockets header */
#endif
#ifdef DLT_IEEE802_11
    const WifiHdr *wifih; /* wireless LAN header */
#endif
    const EtherEapol *eplh; /* 802.1x EAPOL header */
    const EAPHdr *eaph;
    const uint8_t *eaptype;
    EapolKey *eapolk;
#endif

    // nothing after this point is zeroed ...
    // (PKT_ZERO_LEN is offsetof(Packet, ip_options); fields from here on may
    // hold values left over from a previous packet.)
    Options ip_options[IP_OPTMAX]; /* ip options decode structure */
    Options tcp_options[TCP_OPTLENMAX]; /* tcp options decode struct */
    IP6Option *ip6_extensions; /* IPv6 Extension References */
    CiscoMetaOpt *cmd_options; /* Cisco Metadata header options */

    const uint8_t *ip_frag_start;
    const uint8_t *ip_options_data;
    const uint8_t *tcp_options_data;

    const IP6RawHdr* raw_ip6h; // innermost raw ip6 header
    Layer layers[LAYER_MAX]; /* decoded encapsulations; next_layer indexes this, bounded by LAYER_MAX */

    IPAddresses inner_ips, inner_orig_ips;
    IP4Hdr inner_ip4h, inner_orig_ip4h;
    IP6Hdr inner_ip6h, inner_orig_ip6h;
    IPAddresses outer_ips, outer_orig_ips;
    IP4Hdr outer_ip4h, outer_orig_ip4h;
    IP6Hdr outer_ip6h, outer_orig_ip6h;

    MplsHdr mplsHdr;
    H2Hdr *h2Hdr;

    PseudoPacketType pseudo_type; // valid only when PKT_PSEUDO is set
    uint16_t max_dsize;

    /**policyId provided in configuration file. Used for correlating configuration
     * with event output
     */
    uint16_t configPolicyId;

    uint32_t iplist_id;
    unsigned char iprep_layer;

    uint8_t ps_proto; // Used for portscan and unified2 logging

    uint8_t ips_os_selected;
    void *cur_pp;

    // Expected session created due to this packet.
    struct _ExpectNode* expectedSession;
} Packet;
1863
/* Number of leading bytes of a Packet that are cleared per packet; fields
 * at or after `ip_options` are not. */
#define PKT_ZERO_LEN offsetof(Packet, ip_options)

/* Bits for Packet.proto_bits. */
#define PROTO_BIT__NONE 0x0000
#define PROTO_BIT__IP 0x0001
#define PROTO_BIT__ARP 0x0002
#define PROTO_BIT__TCP 0x0004
#define PROTO_BIT__UDP 0x0008
#define PROTO_BIT__ICMP 0x0010
#define PROTO_BIT__TEREDO 0x0020
#define PROTO_BIT__GTP 0x0040
#define PROTO_BIT__OTHER 0x8000
#define PROTO_BIT__ALL 0xffff
1876
/* Outer-layer protocol id for a packet. With a new enough DAQ it is the
 * carrier id from the packet header (the `? : 0` is redundant — a zero
 * carrier_id already yields 0); otherwise the outer IP header's protocol /
 * next-header field, or 0 when there is no outer IP header. Neither form
 * parenthesises `p`, so pass a plain identifier. */
#if !defined(SFLINUX) && defined(DAQ_CAPA_CARRIER_ID)
#if defined(DAQ_VERSION) && DAQ_VERSION > 10
#define GET_OUTER_IPH_PROTOID(p, pkt_header) ((uint32_t)(p->pkt_header->carrier_id) ? p->pkt_header->carrier_id : 0 )
#else
#define GET_OUTER_IPH_PROTOID(p, pkt_header) ((uint32_t)((p)->outer_iph ? (IS_IP6(p) ? ((p)->outer_ip6h.next) : ((p)->outer_ip4h.ip_proto)):0))
#endif
#endif
1884
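/* Protocol predicates on a decoded Packet. IsIP() is IPH_IS_VALID(); the
 * transport predicates additionally require the decoder to have set the
 * corresponding header pointer. GET_PKT_SEQ() dereferences p->tcph without
 * any check, so callers must establish IsTCP(p) first. The argument is
 * parenthesised so any pointer expression can be passed. */
#define IsIP(p) (IPH_IS_VALID(p))
#define IsTCP(p) (IsIP(p) && (p)->tcph)
#define IsUDP(p) (IsIP(p) && (p)->udph)
#define IsICMP(p) (IsIP(p) && (p)->icmph)
#define GET_PKT_SEQ(p) (ntohl((p)->tcph->th_seq))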
1890
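/* Macros to deal with sequence numbers - p810 TCP Illustrated vol 2.
 * The 32-bit wrapped difference is reinterpreted as signed, so values that
 * crossed the 2^32 boundary still compare in stream order, e.g.
 * SEQ_LT(0xFFFFFFF0, 0x10) is true. The cast is to int32_t rather than int
 * so the result does not depend on the width of int on the target (the
 * conversion relies on two's-complement, which every supported compiler
 * provides). Both operands must be 32-bit sequence numbers. */
#define SEQ_LT(a,b) ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a,b) ((int32_t)((a) - (b)) <= 0)
#define SEQ_GT(a,b) ((int32_t)((a) - (b)) > 0)
#define SEQ_GEQ(a,b) ((int32_t)((a) - (b)) >= 0)
#define SEQ_EQ(a,b) ((int32_t)((a) - (b)) == 0)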
1897
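/* 1-based bit mask: BIT(1) == 0x1, BIT(8) == 0x80. The argument is
 * parenthesised so expressions such as BIT(n + 1) or BIT(c ? a : b)
 * expand correctly. Valid only for 1 <= i <= 31: 0x1 is an int, and
 * shifting it by 31 or more is undefined behaviour. */
#define BIT(i) (0x1 << ((i)-1))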
1899
/* IPv4 pseudo-header (12 bytes) used as the prefix when computing TCP/UDP
 * checksums. The `zero` byte must be 0 for the checksum to be correct. */
typedef struct s_pseudoheader
{
    uint32_t sip, dip;
    uint8_t zero;
    uint8_t protocol;
    uint16_t len;

} PSEUDO_HDR;
1908
1909 /* Default classification for decoder alerts */
1910 #define DECODE_CLASS 25
1911
/* Decoder alert/drop configuration. Each `drop_*` flag pairs with an alert
 * flag of the same name and, presumably, only takes effect when that alert
 * is enabled (TODO confirm against decode.c). */
typedef struct _DecoderFlags
{
    char decode_alerts; /* if decode.c alerts are going to be enabled */
    char oversized_alert; /* alert if garbage after tcp/udp payload */
    char oversized_drop; /* drop (not just alert) if garbage after tcp/udp payload */
    char drop_alerts; /* drop alerts from decoder */
    char tcpopt_experiment; /* TcpOptions Decoder */
    char drop_tcpopt_experiment; /* Drop alerts from TcpOptions Decoder */
    char tcpopt_obsolete; /* Alert on obsolete TCP options */
    char drop_tcpopt_obsolete; /* Drop on alerts from obsolete TCP options */
    char tcpopt_ttcp; /* Alert on T/TCP options */
    char drop_tcpopt_ttcp; /* Drop on alerts from T/TCP options */
    char tcpopt_decode; /* alert on decoder inconsistencies */
    char drop_tcpopt_decode; /* Drop on alerts from decoder inconsistencies */
    char ipopt_decode; /* alert on decoder inconsistencies */
    char drop_ipopt_decode; /* Drop on alerts from decoder inconsistencies */

    /* To be moved to the frag preprocessor once it supports IPv6 */
    char ipv6_bad_frag_pkt;
    char bsd_icmp_frag;
    char drop_bad_ipv6_frag;

} DecoderFlags;
1935
1936 #define ALERTMSG_LENGTH 256
1937
1938
1939 /* P R O T O T Y P E S ******************************************************/
1940
1941 // root decoders
1942 void DecodeEthPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
1943 void DecodeNullPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
1944 void DecodeRawPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
1945 void DecodeRawPkt6(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
1946
1947 // chained decoders
1948 void DecodeARP(const uint8_t *, uint32_t, Packet *);
1949 void DecodeEthLoopback(const uint8_t *, uint32_t, Packet *);
1950 void DecodeVlan(const uint8_t *, const uint32_t, Packet *);
1951 void DecodePppPktEncapsulated(const uint8_t *, const uint32_t, Packet *);
1952 void DecodePPPoEPkt(const uint8_t *, const uint32_t, Packet *);
1953 void DecodeIP(const uint8_t *, const uint32_t, Packet *);
1954 void DecodeIPV6(const uint8_t *, uint32_t, Packet *);
1955 void DecodeTCP(const uint8_t *, const uint32_t, Packet *);
1956 void DecodeUDP(const uint8_t *, const uint32_t, Packet *);
1957 void DecodeICMP(const uint8_t *, const uint32_t, Packet *);
1958 void DecodeICMP6(const uint8_t *, const uint32_t, Packet *);
1959 void DecodeICMPEmbeddedIP(const uint8_t *, const uint32_t, Packet *);
1960 void DecodeICMPEmbeddedIP6(const uint8_t *, const uint32_t, Packet *);
1961 void DecodeIPOptions(const uint8_t *, uint32_t, Packet *);
1962 void DecodeTCPOptions(const uint8_t *, uint32_t, Packet *);
1963 void DecodeTeredo(const uint8_t *, uint32_t, Packet *);
1964 void DecodeAH(const uint8_t *, uint32_t, Packet *);
1965 void DecodeESP(const uint8_t *, uint32_t, Packet *);
1966 void DecodeGTP(const uint8_t *, uint32_t, Packet *);
1967
1968 #ifdef GRE
1969 void DecodeGRE(const uint8_t *, const uint32_t, Packet *);
1970 void DecodeTransBridging(const uint8_t *, const uint32_t, Packet *);
1971 #endif /* GRE */
1972 void DecoderAlertEncapsulated(Packet *, int, const char *, const uint8_t *, uint32_t);
1973
1974 #ifdef MPLS
1975 int isPrivateIP(uint32_t addr);
1976 void DecodeEthOverMPLS(const uint8_t*, const uint32_t, Packet*);
1977 void DecodeMPLS(const uint8_t*, const uint32_t, Packet*);
1978 #endif
1979
#ifndef NO_NON_ETHER_DECODER
// root decoders: entry points for a whole captured frame, taking the
// packet being filled in, the DAQ header for the capture, and the raw
// frame bytes.  NOTE(review): the usable length is presumably taken from
// the DAQ header rather than passed separately -- confirm in decode.c.
void DecodeTRPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeFDDIPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeLinuxSLLPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeIEEE80211Pkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeSlipPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeI4LRawIPPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeI4LCiscoIPPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeChdlcPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodePflog(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeOldPflog(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodePppPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodePppSerialPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeEncPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);

// chained decoders: called by a root or outer decoder on the payload it
// has already stepped past, with the remaining byte count as the bound.
void DecodeEAP(const uint8_t *, const uint32_t, Packet *);
void DecodeEapol(const uint8_t *, uint32_t, Packet *);
void DecodeEapolKey(const uint8_t *, uint32_t, Packet *);
void DecodeIPX(const uint8_t *, uint32_t, Packet *);
#endif // NO_NON_ETHER_DECODER
2002
/* Lifecycle of the BSD fragment hash: Init allocates it with a capacity of
 * max entries (presumably; the unit is not stated here), Cleanup frees it,
 * Reset empties it without freeing.  NOTE(review): Init must be called
 * before any decoder that uses the hash -- confirm ordering in decode.c. */
void BsdFragHashInit(int max);
void BsdFragHashCleanup(void);
void BsdFragHashReset(void);
2006
#if defined(WORDS_MUSTALIGN) && !defined(__GNUC__)
/* Out-of-line 32-bit load for targets that fault on unaligned access and
 * compilers without the GCC extensions used elsewhere.  The parameter is a
 * non-const u_char * although the function presumably only reads through
 * it; callers with a const buffer need a cast.  NOTE(review): the caller
 * is responsible for ensuring four bytes are readable at the pointer. */
uint32_t EXTRACT_32BITS (u_char *);
#endif /* WORDS_MUSTALIGN && !__GNUC__ */
2010
/* Enables or disables the decoder rule with the given sid (bOn non-zero to
 * enable).  NOTE(review): the meaning of bAll -- presumably "apply to all
 * policies" -- is not stated here; confirm in decode.c. */
extern void UpdateDecodeRulesArray(uint32_t sid, int bOn, int bAll);

/* Decode steps that depend on the active policy and therefore can only run
 * once the policies have been set for the packet. */
extern void DecodePolicySpecific(Packet *);
2015
/* XXX not sure where this guy needs to live at the moment */
/* Fixed-capacity list of port numbers.  Nothing in this header bounds
 * num_entries to 32; NOTE(review): any code appending to ports[] must
 * check num_entries < 32 itself -- confirm in the users of this type. */
typedef struct _PortList
{
    int ports[32]; /* 32 is kind of arbitrary */

    int num_entries; /* number of valid leading entries in ports[] */

} PortList;
2024
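/* Multicast-destination helpers: the Init functions take the Snort config
 * and the matching Destroy functions release whatever Init set up.
 * NOTE(review): what is initialised (presumably address lists read from the
 * config) is defined in decode.c. */
void InitSynToMulticastDstIp( struct _SnortConfig * );
void SynToMulticastDstIpDestroy( void );
void InitMulticastReservedIp( struct _SnortConfig * );
void MulticastReservedIpDestroy( void );

/* Sentinel for "protocol not known".  Parenthesised so the negative literal
 * stays a single operand when the macro is used inside a larger expression
 * (e.g. after a unary operator or in a cast). */
#define SFTARGET_UNKNOWN_PROTOCOL (-1)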
2031
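/*
 * Returns non-zero when PKT_PSEUDO is set in p->packet_flags, i.e. the
 * packet is a pseudo packet (presumably one synthesised by Snort rather
 * than read off the wire).  The parameter is const because the function
 * only reads packet_flags; this matches the other predicates below and
 * callers holding a non-const Packet * are unaffected.
 */
static inline int PacketWasCooked(const Packet *p)
{
    return (p->packet_flags & PKT_PSEUDO) != 0;
}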
2036
/*
 * True when p is a pseudo packet whose pseudo_type is PSEUDO_PKT_PS, i.e.
 * one generated for portscan reporting.  pseudo_type is only consulted
 * after PKT_PSEUDO has been confirmed.
 */
static inline bool IsPortscanPacket(const Packet *p)
{
    if (!(p->packet_flags & PKT_PSEUDO))
        return false;
    return p->pseudo_type == PSEUDO_PKT_PS;
}
2041
/*
 * Protocol number to report for an event on p.  Portscan pseudo packets
 * carry it in ps_proto; every other packet reports the IP header protocol
 * when the header is valid, and 0 when no valid IP header is present.
 */
static inline uint8_t GetEventProto(const Packet *p)
{
    if (!IsPortscanPacket(p))
    {
        if (!IPH_IS_VALID(p))
            return 0;
        return GET_IPH_PROTO(p);
    }
    return p->ps_proto;
}
2048
/*
 * True when every bit of PKT_PDU_FULL is set in p->packet_flags, i.e. the
 * packet carries a complete PDU.  Expressed as "no required bit is
 * missing": the required bits not present in packet_flags must be zero.
 */
static inline bool PacketHasFullPDU(const Packet *p)
{
    return (PKT_PDU_FULL & ~p->packet_flags) == 0;
}
2053
/*
 * True when PKT_PDU_HEAD is set in p->packet_flags, i.e. this packet
 * begins a PDU.
 */
static inline bool PacketHasStartOfPDU(const Packet *p)
{
    if (p->packet_flags & PKT_PDU_HEAD)
        return true;
    return false;
}
2058
/*
 * True when p is either a rebuilt stream packet or ends a PDU, i.e. when
 * either PKT_REBUILT_STREAM or PKT_PDU_TAIL is set in packet_flags.  Both
 * bits are tested with a single combined mask.
 */
static inline bool PacketHasPAFPayload(const Packet *p)
{
    return (p->packet_flags & (PKT_REBUILT_STREAM | PKT_PDU_TAIL)) != 0;
}
2063
/*
 * True when p was reassembled by Snort rather than captured as-is: either
 * from a TCP stream (PKT_REBUILT_STREAM) or from IP fragments
 * (PKT_REBUILT_FRAG).
 */
static inline bool PacketIsRebuilt(const Packet *p)
{
    const bool from_stream = (p->packet_flags & PKT_REBUILT_STREAM) != 0;
    const bool from_frags = (p->packet_flags & PKT_REBUILT_FRAG) != 0;
    return from_stream || from_frags;
}
2068
/*
 * Marks extra-data id xid as present on p by setting bit BIT(xid) in
 * p->xtradata_mask.  Bits already set are left untouched.
 * NOTE(review): xid is not range-checked here; what BIT() yields for an id
 * at or beyond the width of xtradata_mask depends on its definition in
 * bitop.h -- confirm that callers only pass registered ids.
 */
static inline void SetExtraData(Packet *p, uint32_t xid)
{
    p->xtradata_mask = p->xtradata_mask | BIT(xid);
}
2073
2074 #endif /* __DECODE_H__ */
2075
2076