1 /*
2 * sf_snort_packet.h
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License Version 2 as
6 * published by the Free Software Foundation. You may not use, modify or
7 * distribute this program under any other version of the GNU General
8 * Public License.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 *
19 * Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
20 * Copyright (C) 2005-2013 Sourcefire, Inc.
21 *
22 * Author: Steve Sturges
23 * Andy Mullican
24 *
25 * Date: 5/2005
26 *
27 * Sourcefire Black-box Plugin API for rules
28 *
29 */
30
31 #ifndef _SF_SNORT_PACKET_H_
32 #define _SF_SNORT_PACKET_H_
33
34 #ifndef WIN32
35 #include <sys/types.h>
36 #include <netinet/in.h>
37 #else
38 #include <winsock2.h>
39 #include <windows.h>
40 #endif
41
42 #include <daq.h>
43 #include <sfbpf_dlt.h>
44
45 #include "sf_ip.h"
46 #include "sf_protocols.h"
47 #include "preprocids.h"
48
#define VLAN_HDR_LEN 4   /* 802.1Q tag: 2 bytes pri/cfi/vlan + 2 bytes encapsulated type (VlanHeader) */

/* for vrt backwards compatibility: a token-level rename, so ANY identifier
 * `pcap_header` in a unit that includes this header becomes `pkt_header`,
 * not only the SFSnortPacket member. */
#define pcap_header pkt_header

/* Callback type: takes a session pointer and out-parameters for a buffer,
 * its length and a type tag; returns an int status.  NOTE(review): what the
 * status values mean is not defined in this header -- confirm with callers. */
typedef int (*LogFunction)(void *ssnptr, uint8_t **buf, uint32_t *len, uint32_t *type);

typedef DAQ_PktHdr_t SFDAQ_PktHdr_t;   /* DAQ per-packet capture header (<daq.h>) */

/* Accessors for the 802.1Q TCI; vth_pri_cfi_vlan is kept in network byte
 * order, hence the ntohs().  The argument is parenthesized, any lvalue
 * expression yielding a VlanHeader pointer is acceptable. */
#define VTH_PRIORITY(vh) ((ntohs((vh)->vth_pri_cfi_vlan) & 0xe000) >> 13) /* 3-bit priority */
#define VTH_CFI(vh) ((ntohs((vh)->vth_pri_cfi_vlan) & 0x1000) >> 12)      /* 1-bit CFI */
#define VTH_VLAN(vh) ((uint16_t)(ntohs((vh)->vth_pri_cfi_vlan) & 0x0FFF)) /* 12-bit VLAN id */
61
/* 802.1Q tag as it appears on the wire (VLAN_HDR_LEN bytes), overlaid on the
 * packet; both fields stay in network byte order, use the VTH_* macros. */
typedef struct _VlanHeader
{
    uint16_t vth_pri_cfi_vlan;   /* priority(3) | CFI(1) | VLAN id(12) */
    uint16_t vth_proto; /* protocol field... encapsulated ethertype */

} VlanHeader;
68
/*#define NO_NON_ETHER_DECODER */   /* left undefined: the non-Ethernet members of SFSnortPacket are compiled in */
#define ETHER_HDR_LEN 14            /* sizeof(EtherHeader): 6 + 6 + 2 */
/* Ethertype values (host byte order) recognised by the decoder. */
#define ETHERNET_TYPE_IP 0x0800
#define ETHERNET_TYPE_IPV6 0x86dd
#define ETHERNET_TYPE_8021Q 0x8100   /* VLAN tag follows (VlanHeader) */
/*
 * Cisco MetaData header (fixed part).  Overlaid on packet bytes; the total
 * header size is derived from `length`, the options (CiscoMetaOpt) follow.
 */

typedef struct _CiscoMetaHdr
{
    uint8_t version; // This must be 1
    uint8_t length; //This is the header size in bytes / 8
} CiscoMetaHdr;
83
/*
 * Cisco MetaData header options.  One option = 4 bytes; the packet's option
 * array is reachable through SFSnortPacket.cmd_options.
 */

typedef struct _CiscoMetaOpt
{
    uint16_t opt_len_type; /* 3-bit length + 13-bit type. Length of 0 = 4. Type must be 1. */
    uint16_t sgt; /* Security Group Tag. Can be any value except 0xFFFF */
} CiscoMetaOpt;
93
94
/* Ethernet II header overlay, ETHER_HDR_LEN (14) bytes.  ethernet_type is in
 * network byte order; compare against the ETHERNET_TYPE_* values after ntohs. */
typedef struct _EtherHeader
{
    uint8_t ether_destination[6];
    uint8_t ether_source[6];
    uint16_t ethernet_type;

} EtherHeader;
102
/* We must twiddle to align the offset the ethernet header and align
 * the IP header on solaris -- maybe this will work on HPUX too.
 * (A 14-byte Ethernet header leaves the following IP header 2 bytes off a
 * 4-byte boundary; the 2-byte twiddle restores alignment on strict-alignment
 * targets.)
 */
#if defined (SOLARIS) || defined (SUNOS) || defined (__sparc__) || defined(__sparc64__) || defined (HPUX)
#define SUN_SPARC_TWIDDLE 2
#else
#define SUN_SPARC_TWIDDLE 0
#endif

/* Flag bits of the IPv4 fragment-offset word (IPV4Header.offset). */
#define IP_RESBIT 0x8000
#ifdef IP_DONTFRAG
#undef IP_DONTFRAG   /* take precedence over any platform definition of the same name */
#endif
#define IP_DONTFRAG 0x4000
#define IP_MOREFRAGS 0x2000

#ifndef IP_MAXPKT
#define IP_MAXPKT 65535 /* maximum packet size */
#endif /* IP_MAXPKT */

#define IP_HDR_LEN 20   /* IPv4 header without options == sizeof(IPV4Header) */

/* Protocol id of the outer IP layer of an encapsulated packet.
 * DAQ > 10: read from the DAQ header's carrier_id; the macro parameter
 * `pkt_header` names which SFSnortPacket member holds that header.  Both
 * arms of the conditional yield carrier_id, so the test is redundant.
 * Older DAQ: the `pkt_header` parameter is unused; the value comes from
 * outer_ip6h.next or outer_ip4h.ip_proto, and is 0 when there is no outer
 * IPv4 header.  IS_IP6() is presumably provided by ipv6_port.h.
 * `p` is not parenthesized in either form -- pass a plain identifier. */
#if !defined(SFLINUX) && defined(DAQ_CAPA_CARRIER_ID)
#if defined(DAQ_VERSION) && DAQ_VERSION > 10
#define GET_SFOUTER_IPH_PROTOID(p, pkt_header) ((uint32_t)(p->pkt_header->carrier_id) ? p->pkt_header->carrier_id : 0 )
#else
#define GET_SFOUTER_IPH_PROTOID(p, pkt_header) ((uint32_t)((p)->outer_ip4_header ? (IS_IP6(p) ? ((p)->outer_ip6h.next) : ((p)->outer_ip4h.ip_proto)):0))
#endif
#endif
132
/* IPv4 header overlay in wire order, IP_HDR_LEN (20) bytes; multi-byte
 * fields are in network byte order.  Options, if any, follow the struct
 * (see SFSnortPacket.ip4_options_data / ip4_options_length).  The decoded,
 * address-family-neutral form is IP4Hdr below. */
typedef struct _IPV4Header
{
    uint8_t version_headerlength;   /* version(4) | IHL(4); see SET_IP4_VER / SET_IP4_HLEN */
    uint8_t type_service;
    uint16_t data_length;           /* total length of the datagram */
    uint16_t identifier;
    uint16_t offset;                /* IP_RESBIT | IP_DONTFRAG | IP_MOREFRAGS | 13-bit fragment offset */
    uint8_t time_to_live;
    uint8_t proto;
    uint16_t checksum;
    struct in_addr source;
    struct in_addr destination;
} IPV4Header;
146
#define MAX_LOG_FUNC 32
#define MAX_IP_OPTIONS 40   /* size of SFSnortPacket.ip_options[] -- decoders must cap num_ip_options at this */

/* ip option codes (IPOptions.option_code) */
#define IPOPTION_EOL 0x00
#define IPOPTION_NOP 0x01
#define IPOPTION_RR 0x07
#define IPOPTION_RTRALT 0x94
#define IPOPTION_TS 0x44
#define IPOPTION_SECURITY 0x82
#define IPOPTION_LSRR 0x83
#define IPOPTION_LSRR_E 0x84
#define IPOPTION_SATID 0x88
#define IPOPTION_SSRR 0x89

/* One parsed IP (or, via TCPOptions, TCP) option: code, length and a pointer
 * to the option bytes inside the packet.  NOTE(review): option_data is not
 * const although it points into packet data -- treat it as read-only. */
typedef struct _IPOptions
{
    uint8_t option_code;
    uint8_t length;
    uint8_t *option_data;
} IPOptions;
168
169
#define TCP_HDR_LEN 20   /* TCP header without options == sizeof(TCPHeader) */

/* TCP header overlay in wire order; multi-byte fields in network byte order. */
typedef struct _TCPHeader
{
    uint16_t source_port;
    uint16_t destination_port;
    uint32_t sequence;
    uint32_t acknowledgement;
    uint8_t offset_reserved;   /* data offset(4) | reserved(4); see SET_TCP_HDR_OFFSET */
    uint8_t flags;             /* TCPHEADER_* bits */
    uint16_t window;
    uint16_t checksum;
    uint16_t urgent_pointer;
} TCPHeader;

/* TCPHeader.flags bits */
#define TCPHEADER_FIN 0x01
#define TCPHEADER_SYN 0x02
#define TCPHEADER_RST 0x04
#define TCPHEADER_PUSH 0x08
#define TCPHEADER_ACK 0x10
#define TCPHEADER_URG 0x20
#define TCPHEADER_ECE 0x40
#define TCPHEADER_CWR 0x80
/* the six classic flags; ECE and CWR are deliberately not part of this mask */
#define TCPHEADER_NORESERVED (TCPHEADER_FIN|TCPHEADER_SYN|TCPHEADER_RST \
|TCPHEADER_PUSH|TCPHEADER_ACK|TCPHEADER_URG)

#define MAX_TCP_OPTIONS 40   /* size of SFSnortPacket.tcp_options[] */
/* tcp option codes */
#define TCPOPT_EOL 0x00
#define TCPOPT_NOP 0x01
#define TCPOPT_MSS 0x02
#define TCPOPT_WSCALE 0x03 /* window scale factor (rfc1072) */
#define TCPOPT_SACKOK 0x04 /* selective ack ok (rfc1072) */
#define TCPOPT_SACK 0x05 /* selective ack (rfc1072) */
#define TCPOPT_ECHO 0x06 /* echo (rfc1072) */
#define TCPOPT_ECHOREPLY 0x07 /* echo (rfc1072) */
#define TCPOPT_TIMESTAMP 0x08 /* timestamps (rfc1323) */
#define TCPOPT_CC 0x11 /* T/TCP CC options (rfc1644) */
#define TCPOPT_CCNEW 0x12 /* T/TCP CC options (rfc1644) */
#define TCPOPT_CCECHO 0x13 /* T/TCP CC options (rfc1644) */

/* TCP options share the IPOptions layout (code, length, data pointer). */
typedef IPOptions TCPOptions;
212
#define UDP_HDR_LEN 8   /* == sizeof(UDPHeader) */

/* UDP header overlay in wire order; fields in network byte order. */
typedef struct _UDPHeader
{
    uint16_t source_port;
    uint16_t destination_port;
    uint16_t data_length;   /* length of header + payload */
    uint16_t checksum;
} UDPHeader;

/* Identifier/sequence pair used by the ICMP echo, timestamp and info
 * message types (see ICMPHeader.icmp_header_union). */
typedef struct _ICMPSequenceID
{
    uint16_t id;
    uint16_t seq;
} ICMPSequenceID;
228
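/* ICMPv4 header overlay: 4 fixed bytes, then a 4-byte field whose meaning
 * depends on type/code (icmp_header_union), then type-specific data
 * (icmp_data_union).  The icmp_* macros below are member aliases so that
 * `h->icmp_echo_id` reads as `h->icmp_header_union.echo.id`.
 *
 * Four of those aliases (icmp_gateway_addr, icmp_void, icmp_nextmtu,
 * icmp_ipheader) used to name members that do not exist, so any use failed
 * to compile; they now refer to the members actually declared here.
 *
 * NOTE(review): icmp_data_union holds a pointer (ipv4_header.ip) and a
 * char[1], so sizeof(ICMPHeader) is not a wire length; bound any access to
 * the data region by the packet length, never by sizeof. */
typedef struct _ICMPHeader
{
    uint8_t type;       /* ICMP_* message type */
    uint8_t code;
    uint16_t checksum;

    union
    {
        /* type 12 */
        uint8_t parameter_problem_ptr;

        /* type 5 */
        struct in_addr gateway_addr;

        /* type 8, 0 */
        ICMPSequenceID echo;

        /* type 13, 14 */
        ICMPSequenceID timestamp;

        /* type 15, 16 */
        ICMPSequenceID info;

        int voidInfo;   /* whole 4-byte field; assumes sizeof(int) == 4 */

        /* type 3/code=4 (Path MTU, RFC 1191) */
        struct path_mtu
        {
            uint16_t voidInfo;
            uint16_t next_mtu;
        } path_mtu;

        /* type 9 */
        struct router_advertisement
        {
            uint8_t number_addrs;
            uint8_t entry_size;
            uint16_t lifetime;
        } router_advertisement;
    } icmp_header_union;

#define icmp_parameter_ptr icmp_header_union.parameter_problem_ptr
#define icmp_gateway_addr icmp_header_union.gateway_addr
#define icmp_echo_id icmp_header_union.echo.id
#define icmp_echo_seq icmp_header_union.echo.seq
#define icmp_timestamp_id icmp_header_union.timestamp.id
#define icmp_timestamp_seq icmp_header_union.timestamp.seq
#define icmp_info_id icmp_header_union.info.id
#define icmp_info_seq icmp_header_union.info.seq
#define icmp_void icmp_header_union.voidInfo
#define icmp_nextmtu icmp_header_union.path_mtu.next_mtu
#define icmp_ra_num_addrs icmp_header_union.router_advertisement.number_addrs
#define icmp_ra_entry_size icmp_header_union.router_advertisement.entry_size
#define icmp_ra_lifetime icmp_header_union.router_advertisement.lifetime

    union
    {
        /* timestamp */
        struct timestamp
        {
            uint32_t orig;
            uint32_t receive;
            uint32_t transmit;
        } timestamp;

        /* IP header for unreach */
        struct ipv4_header
        {
            IPV4Header *ip;
            /* options and then 64 bits of data */
        } ipv4_header;

        /* Router Advertisement */
        struct router_address
        {
            uint32_t addr;
            uint32_t preference;
        } router_address;

        /* type 17, 18 */
        uint32_t mask;

        char data[1];   /* first byte of the message body; length comes from the packet, not from this array */

    } icmp_data_union;
#define icmp_orig_timestamp icmp_data_union.timestamp.orig
#define icmp_recv_timestamp icmp_data_union.timestamp.receive
#define icmp_xmit_timestamp icmp_data_union.timestamp.transmit
#define icmp_ipheader icmp_data_union.ipv4_header
#define icmp_ra_addr0 icmp_data_union.router_address
#define icmp_mask icmp_data_union.mask
#define icmp_data icmp_data_union.data
} ICMPHeader;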
322
/* ICMPv4 message types (ICMPHeader.type). */
#define ICMP_ECHO_REPLY 0 /* Echo Reply */
#define ICMP_DEST_UNREACHABLE 3 /* Destination Unreachable */
#define ICMP_SOURCE_QUENCH 4 /* Source Quench */
#define ICMP_REDIRECT 5 /* Redirect (change route) */
#define ICMP_ECHO_REQUEST 8 /* Echo Request */
#define ICMP_ROUTER_ADVERTISEMENT 9 /* Router Advertisement */
#define ICMP_ROUTER_SOLICITATION 10 /* Router Solicitation */
#define ICMP_TIME_EXCEEDED 11 /* Time Exceeded */
#define ICMP_PARAMETER_PROBLEM 12 /* Parameter Problem */
#define ICMP_TIMESTAMP_REQUEST 13 /* Timestamp Request */
#define ICMP_TIMESTAMP_REPLY 14 /* Timestamp Reply */
#define ICMP_INFO_REQUEST 15 /* Information Request */
#define ICMP_INFO_REPLY 16 /* Information Reply */
#define ICMP_ADDRESS_REQUEST 17 /* Address Mask Request */
#define ICMP_ADDRESS_REPLY 18 /* Address Mask Reply */

/* Bits of SFSnortPacket.invalid_flags (uint8_t).  The names indicate one
 * bit per protocol whose checksum did not verify, plus a separate TTL bit. */
#define INVALID_CHECKSUM_IP 0x01
#define INVALID_CHECKSUM_TCP 0x02
#define INVALID_CHECKSUM_UDP 0x04
#define INVALID_CHECKSUM_ICMP 0x08
#define INVALID_CHECKSUM_IGMP 0x10
#define INVALID_CHECKSUM_ALL 0x1F   /* the five checksum bits above */
#define INVALID_TTL 0x20            /* not a checksum bit; intentionally outside _ALL */
346
/* One parsed IPv6 extension header: its type and a read-only pointer to its
 * bytes in the packet (see SFSnortPacket.ip6_extensions / num_ip6_extensions). */
typedef struct _IPv6Extension
{
    uint8_t option_type;
    const uint8_t *option_data;
} IP6Extension;

/* Source/destination pair in the family-neutral sfaddr_t form (sf_ip.h);
 * shared by IP4Hdr and IP6Hdr so consumers need not know the IP version. */
typedef struct _IPAddresses
{
    sfaddr_t ip_src; /* source IP */
    sfaddr_t ip_dst; /* dest IP */
} IPAddresses;
358
/* Decoded IPv4 header: the fixed fields of IPV4Header in the same order, but
 * with the two inline addresses replaced by a pointer to an IPAddresses pair.
 * Because of that pointer this is NOT a wire overlay and must not be cast
 * onto packet bytes; use IPV4Header for that. */
typedef struct _IPv4Hdr
{
    uint8_t ip_verhl; /* version & header length */
    uint8_t ip_tos; /* type of service */
    uint16_t ip_len; /* datagram length */
    uint16_t ip_id; /* identification */
    uint16_t ip_off; /* fragment offset */
    uint8_t ip_ttl; /* time to live field */
    uint8_t ip_proto; /* datagram protocol */
    uint16_t ip_csum; /* checksum */
    IPAddresses* ip_addrs; /* IP addresses*/
} IP4Hdr;
371
/* IPv6 header overlay in wire order, IP6_HEADER_LEN (40) bytes:
 * 4 + 2 + 1 + 1 + 16 + 16.  Multi-byte fields in network byte order. */
typedef struct _IP6RawHdr
{
    uint32_t vcl; /* version, class, and label */
    uint16_t payload_len; /* length of the payload */
    uint8_t next_header; /* same values as ip4 protocol field + new ip6 values */
    uint8_t hop_limit; /* same usage as ip4 ttl */

    struct in6_addr src_addr;
    struct in6_addr dst_addr;
} IP6RawHdr;

/* Member aliases for IP6RawHdr (`h->ip6_hops` == `h->hop_limit`).  These are
 * plain token rewrites, so the ip6_* names must not be used for anything
 * else in units including this header.  ip6_hop_limit and ip6_hops are the
 * same member. */
#define ip6_vcl vcl
#define ip6_payload_len payload_len
#define ip6_next_header next_header
#define ip6_hop_limit hop_limit
#define ip6_hops hop_limit
388
/* Decoded IPv6 header: the fixed fields of IP6RawHdr with the inline
 * addresses replaced by an IPAddresses pointer (same scheme as IP4Hdr).
 * Not a wire overlay. */
typedef struct _IPv6Hdr
{
    uint32_t vcl; /* version, class, and label */
    uint16_t len; /* length of the payload */
    uint8_t next; /* next header
                   * Uses the same flags as
                   * the IPv4 protocol field */
    uint8_t hop_lmt; /* hop limit */
    IPAddresses* ip_addrs; /* IP addresses*/
} IP6Hdr;

/* IPv6 Fragment extension header overlay, 8 bytes (1 + 1 + 2 + 4). */
typedef struct _IP6FragHdr
{
    uint8_t ip6f_nxt; /* next header */
    uint8_t ip6f_reserved; /* reserved field */
    uint16_t ip6f_offlg; /* offset, reserved, and flag */
    uint32_t ip6f_ident; /* identification */
} IP6FragHdr;
407
/* ICMPv6 header overlay: the 4 bytes common to every message type.  The
 * type-specific body is not modelled here. */
typedef struct _ICMP6
{
    uint8_t type;   /* ICMP6_* */
    uint8_t code;
    uint16_t csum;

} ICMP6Hdr;

/* ICMPv6 message types (ICMP6Hdr.type). */
#define ICMP6_UNREACH 1
#define ICMP6_BIG 2
#define ICMP6_TIME 3
#define ICMP6_PARAMS 4
#define ICMP6_ECHO 128
#define ICMP6_REPLY 129

/* Minimum ICMPv6 header length.  ICMP6Hdr has no trailing 'body' member (an
 * older note here spoke of subtracting one for it), so sizeof is used as is. */
#define ICMP6_MIN_HEADER_LEN (sizeof(ICMP6Hdr) )
425
struct _SFSnortPacket;   /* forward declaration; defined below */

/* Table of accessors for the IP header of a packet, one table per IP version
 * (extern IPH_API ip4 / ip6 below); the iph_ret_* entries read the packet's
 * own header, the orig_iph_ret_* entries the "original" header (the one
 * embedded in an ICMP error, per the orig_* members of SFSnortPacket).
 * NOTE(review): the src/dst accessors hand back a non-const sfaddr_t* from a
 * const packet -- callers should treat the result as read-only. */
typedef struct _IPH_API
{
    sfaddr_t * (*iph_ret_src)(const struct _SFSnortPacket *);
    sfaddr_t * (*iph_ret_dst)(const struct _SFSnortPacket *);
    uint16_t (*iph_ret_tos)(const struct _SFSnortPacket *);
    uint8_t (*iph_ret_ttl)(const struct _SFSnortPacket *);
    uint16_t (*iph_ret_len)(const struct _SFSnortPacket *);
    uint32_t (*iph_ret_id)(const struct _SFSnortPacket *);
    uint8_t (*iph_ret_proto)(const struct _SFSnortPacket *);
    uint16_t (*iph_ret_off)(const struct _SFSnortPacket *);
    uint8_t (*iph_ret_ver)(const struct _SFSnortPacket *);
    uint8_t (*iph_ret_hlen)(const struct _SFSnortPacket *);

    sfaddr_t * (*orig_iph_ret_src)(const struct _SFSnortPacket *);
    sfaddr_t * (*orig_iph_ret_dst)(const struct _SFSnortPacket *);
    uint16_t (*orig_iph_ret_tos)(const struct _SFSnortPacket *);
    uint8_t (*orig_iph_ret_ttl)(const struct _SFSnortPacket *);
    uint16_t (*orig_iph_ret_len)(const struct _SFSnortPacket *);
    uint32_t (*orig_iph_ret_id)(const struct _SFSnortPacket *);
    uint8_t (*orig_iph_ret_proto)(const struct _SFSnortPacket *);
    uint16_t (*orig_iph_ret_off)(const struct _SFSnortPacket *);
    uint8_t (*orig_iph_ret_ver)(const struct _SFSnortPacket *);
    uint8_t (*orig_iph_ret_hlen)(const struct _SFSnortPacket *);
    char version;   /* presumably IPH_API_V4 or IPH_API_V6 (defined below) */
} IPH_API;
453
/* Kind of a pseudo packet (SFSnortPacket.pseudo_type); only meaningful when
 * FLAG_PSEUDO is set in SFSnortPacket.flags (see PacketWasCooked). */
typedef enum {
    PSEUDO_PKT_IP,
    PSEUDO_PKT_TCP,
    PSEUDO_PKT_DCE_RPKT,
    PSEUDO_PKT_SMB_SEG,
    PSEUDO_PKT_DCE_SEG,
    PSEUDO_PKT_DCE_FRAG,
    PSEUDO_PKT_SMB_TRANS,
    PSEUDO_PKT_PS,      /* portscan; see IsPortscanPacket / ps_proto */
    PSEUDO_PKT_SDF,
    PSEUDO_PKT_MAX      /* count, not a valid type */
} PseudoPacketType;
466
#include "ipv6_port.h"   /* included here because it needs the types declared above */

#define IP6_HEADER_LEN 40   /* sizeof(IP6RawHdr); same value as IP6_HDR_LEN below */

/* Values for IPH_API.version */
#define IPH_API_V4 4
#define IPH_API_V6 6

extern IPH_API ip4;   /* accessor tables for IPv4 and IPv6 packets */
extern IPH_API ip6;

/* True when the packet carries an IP layer.  Lower-case variant; the code
 * below also uses IPH_IS_VALID(), presumably from ipv6_port.h.  NO_IP is
 * defined after this macro, which is fine: it is resolved at expansion time. */
#define iph_is_valid(p) ((p)->family != NO_IP)

#define NO_IP 0   /* SFSnortPacket.family value when there is no IP layer */

#define IP6_HDR_LEN 40   /* duplicate of IP6_HEADER_LEN; keep the two equal */
482
/* Decoded MPLS label stack entry (not a wire overlay: the fields are
 * unpacked from the 32-bit shim). */
typedef struct _MplsHdr
{
    uint32_t label;
    uint8_t exp;
    uint8_t bos;   /* bottom-of-stack */
    uint8_t ttl;
} MplsHdr;

/* HTTP/2 PRIORITY information attached to a frame (H2Hdr.pri). */
typedef struct _H2PriSpec
{
    uint32_t stream_id;
    uint32_t weight;
    uint8_t exclusive;
} H2PriSpec;

/* Decoded HTTP/2 frame header (not a wire overlay). */
typedef struct _H2Hdr
{
    uint32_t length;
    uint32_t stream_id;
    uint8_t type;
    uint8_t flags;
    uint8_t reserved;
    H2PriSpec pri;
} H2Hdr;

#define MAX_PROTO_LAYERS 32   /* size of SFSnortPacket.proto_layers[]; next_layer_index must stay below this */

/* One decoded protocol layer: its id (PROTO_ID from sf_protocols.h), length
 * and a pointer to where it starts in the packet. */
typedef struct {
    PROTO_ID proto_id;
    uint16_t proto_length;
    uint8_t* proto_start;
} ProtoLayer;
515
// for backwards compatibility with VRT .so rules: token rename, so any
// identifier `stream_session_ptr` becomes `stream_session`
#define stream_session_ptr stream_session

// forward declaration for snort list management type
struct sfSDList;

// forward declaration for snort expected session created due to this packet.
struct _ExpectNode;
524
// NOTE: Any modifcation to _SFSnortPacket, please bump up REQ_ENGINE_LIB_MINOR
/* Decoded packet handed to dynamic preprocessors and .so rules.  The member
 * order and names are a plugin ABI (see the NOTE above), which is why the
 * misspelled members are left as they are.  Pointer members are views into
 * pkt_data or into state kept by Snort.  PKT_ZERO_LEN (below) is the byte
 * offset of ip_options, i.e. the size of everything declared before it. */
typedef struct _SFSnortPacket
{
    const SFDAQ_PktHdr_t *pkt_header; /* DAQ capture header; `pcap_header` is #defined to this name */
    const uint8_t *pkt_data;          /* raw captured bytes */

    /* link-layer headers; NULL when the layer is absent (presumed) */
    void *ether_arp_header;
    const EtherHeader *ether_header;
    const VlanHeader *vlan_tag_header;
    void *ether_header_llc;
    void *ether_header_other;
    const void *ppp_over_ether_header;
    const void *gre_header;
    uint32_t *mpls;
    const CiscoMetaHdr *cmdh; /* Cisco Metadata Header */

    /* wire-overlay network/transport headers; orig_* are the headers carried
     * inside an ICMP error message, inner_/outer_ the two layers of an
     * encapsulated packet */
    const IPV4Header *ip4_header, *orig_ip4_header;
    const IPV4Header *inner_ip4_header;
    const IPV4Header *outer_ip4_header;
    const TCPHeader *tcp_header, *orig_tcp_header;
    const UDPHeader *udp_header, *orig_udp_header;
    const UDPHeader *inner_udph; /* if Teredo + UDP, this will be the inner UDP header */
    const UDPHeader *outer_udph; /* if Teredo + UDP, this will be the outer UDP header */
    const ICMPHeader *icmp_header, *orig_icmp_header;

    const uint8_t *payload;            /* payload_size bytes */
    const uint8_t *ip_payload;         /* ip_payload_size bytes */
    const uint8_t *outer_ip_payload;   /* outer_ip_payload_size bytes */

    void *stream_session;              /* `stream_session_ptr` is #defined to this name */
    void *fragmentation_tracking_ptr;

    /* decoded (non-overlay) header forms, see IP4Hdr / IP6Hdr / ICMP6Hdr */
    IP4Hdr *ip4h, *orig_ip4h;
    IP6Hdr *ip6h, *orig_ip6h;
    ICMP6Hdr *icmp6h, *orig_icmp6h;

    /* accessor tables (&ip4 or &ip6) for each IP layer */
    IPH_API* iph_api;
    IPH_API* orig_iph_api;
    IPH_API* outer_iph_api;
    IPH_API* outer_orig_iph_api;

    int family;          /* NO_IP when there is no IP layer (iph_is_valid) */
    int orig_family;
    int outer_family;

    PreprocEnableMask preprocessor_bit_mask;

    uint64_t flags;      /* FLAG_* bits; 64-bit because FLAG_PURGE and above exceed 32 bits */

    uint32_t xtradata_mask;   /* BIT(xid) per extra-data id, see SetExtraData */

    uint16_t proto_bits;      /* PROTO_BIT__* */

    uint16_t payload_size;
    uint16_t ip_payload_size;
    uint16_t normalized_payload_size;
    uint16_t actual_ip_length;
    uint16_t outer_ip_payload_size;

    uint16_t ip_fragment_offset;
    uint16_t ip_frag_length;
    uint16_t ip4_options_length;   /* bytes at ip4_options_data */
    uint16_t tcp_options_length;   /* bytes at tcp_options_data */

    uint16_t src_port;
    uint16_t dst_port;
    uint16_t orig_src_port;
    uint16_t orig_dst_port;

    int16_t application_protocol_ordinal;   /* SFTARGET_UNKNOWN_PROTOCOL (-1) when unknown */

    uint8_t ip_fragmented;
    uint8_t ip_more_fragments;
    uint8_t ip_dont_fragment;
    uint8_t ip_reserved;

    uint8_t num_ip_options;        /* entries used in ip_options[] (<= MAX_IP_OPTIONS) */
    uint8_t num_tcp_options;       /* entries used in tcp_options[] (<= MAX_TCP_OPTIONS) */
    uint8_t num_ip6_extensions;    /* entries at ip6_extensions */
    uint8_t ip6_frag_extension;

    uint8_t invalid_flags;         /* INVALID_CHECKSUM_* | INVALID_TTL */
    uint8_t encapsulated;
    uint8_t GTPencapsulated;
    uint8_t GREencapsulated;
    uint8_t IPnIPencapsulated;
    uint8_t non_ip_pkt;
    uint8_t next_layer_index;      /* entries used in proto_layers[] (<= MAX_PROTO_LAYERS) */

#ifndef NO_NON_ETHER_DECODER   /* normally compiled in: the define above is commented out */
    const void *fddi_header;
    void *fddi_saps;
    void *fddi_sna;
    void *fddi_iparp;
    void *fddi_other;

    const void *tokenring_header;
    void *tokenring_header_llc;
    void *tokenring_header_mr;

    void *pflog1_header;
    void *pflog2_header;
    void *pflog3_header;
    void *pflog4_header;

#ifdef DLT_LINUX_SLL
    const void *sll_header;
#endif
#ifdef DLT_IEEE802_11
    const void *wifi_header;
#endif
    const void *ether_eapol_header;
    const void *eapol_headear;     /* (sic) misspelling is part of the ABI */
    const uint8_t *eapol_type;
    void *eapol_key;
#endif

    /* everything from here on is beyond PKT_ZERO_LEN */
    IPOptions ip_options[MAX_IP_OPTIONS];
    TCPOptions tcp_options[MAX_TCP_OPTIONS];
    IP6Extension *ip6_extensions;
    CiscoMetaOpt *cmd_options; /* Cisco Metadata header options */

    const uint8_t *ip_frag_start;
    const uint8_t *ip4_options_data;
    const uint8_t *tcp_options_data;

    const IP6RawHdr* raw_ip6_header;
    ProtoLayer proto_layers[MAX_PROTO_LAYERS];

    /* storage backing the inner/outer decoded headers; the *_ip4h/*_ip6h
     * ip_addrs pointers presumably refer to the matching *_ips member */
    IPAddresses inner_ips, inner_orig_ips;
    IP4Hdr inner_ip4h, inner_orig_ip4h;
    IP6Hdr inner_ip6h, inner_orig_ip6h;
    IPAddresses outer_ips, outer_orig_ips;
    IP4Hdr outer_ip4h, outer_orig_ip4h;
    IP6Hdr outer_ip6h, outer_orig_ip6h;

    MplsHdr mplsHdr;
    H2Hdr *h2Hdr;

    PseudoPacketType pseudo_type;   /* valid only when FLAG_PSEUDO is set */
    uint16_t max_payload;

    /**policyId provided in configuration file. Used for correlating configuration
     * with event output
     */
    uint16_t configPolicyId;

    uint32_t iplist_id;
    unsigned char iprep_layer;

    uint8_t ps_proto; /* Used for portscan and unified2 logging; see GetEventProto */

    uint8_t ips_os_selected;
    void *cur_pp;

    // Expected session created due to this packet.
    struct _ExpectNode* expectedSession;
} SFSnortPacket;
683
/* Layer selectors for the inner/outer IP members of SFSnortPacket. */
#define IP_INNER_LAYER 1
#define IP_OUTTER_LAYER 0   /* (sic) spelling kept for compatibility */

/* Byte offset of ip_options, i.e. the size of the SFSnortPacket members
 * declared before it.  Uses offsetof(), which comes from <stddef.h>; that
 * header is not included by this file, so it must arrive through one of the
 * project headers above. */
#define PKT_ZERO_LEN offsetof(SFSnortPacket, ip_options)

/* SFSnortPacket.proto_bits (uint16_t) */
#define PROTO_BIT__IP 0x0001
#define PROTO_BIT__ARP 0x0002
#define PROTO_BIT__TCP 0x0004
#define PROTO_BIT__UDP 0x0008
#define PROTO_BIT__ICMP 0x0010
#define PROTO_BIT__TEREDO 0x0020
#define PROTO_BIT__ALL 0xffff

/* Layer presence tests.  IPH_IS_VALID() is the upper-case sibling of
 * iph_is_valid() above (presumably from ipv6_port.h).  `p` is not
 * parenthesized in IsTCP/IsUDP/IsICMP: pass a plain identifier. */
#define IsIP(p) (IPH_IS_VALID(p))
#define IsTCP(p) (IsIP(p) && p->tcp_header)
#define IsUDP(p) (IsIP(p) && p->udp_header)
#define IsICMP(p) (IsIP(p) && p->icmp_header)
701
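/* In-place setters for the packed nibble fields of IPV4Header and TCPHeader.
 * Each keeps the other nibble of the byte and stores the new one; the result
 * is truncated to unsigned char, so only the low 4 bits of `value` survive.
 * `value` is parenthesized so that compound arguments (`a | b`, `x ? y : z`)
 * bind as a whole instead of splitting across the `<<` or `&`. */
#define SET_IP4_VER(ip_header, value) \
    ((ip_header)->version_headerlength = \
     (unsigned char)(((ip_header)->version_headerlength & 0x0f) | ((value) << 4)))
#define SET_IP4_HLEN(ip_header, value) \
    ((ip_header)->version_headerlength = \
     (unsigned char)(((ip_header)->version_headerlength & 0xf0) | ((value) & 0x0f)))

#define SET_TCP_HDR_OFFSET(tcp_header, value) \
    ((tcp_header)->offset_reserved = \
     (unsigned char)(((tcp_header)->offset_reserved & 0x0f) | ((value) << 4)))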
712
713 #define BIT(i) (0x1 << (i-1))
714
715
/* beware: some flags are redefined in dynamic-plugins/sf_dynamic_define.h! */
/* Bits of SFSnortPacket.flags.  The field is uint64_t: FLAG_PURGE and later
 * values occupy bits 32..37 and would be lost in a 32-bit variable. */
#define FLAG_REBUILT_FRAG 0x00000001 /* is a rebuilt fragment */
#define FLAG_REBUILT_STREAM 0x00000002 /* is a rebuilt stream */
#define FLAG_STREAM_UNEST_UNI 0x00000004 /* is from an unestablished stream and
                                          * we've only seen traffic in one direction */
#define FLAG_STREAM_EST 0x00000008 /* is from an established stream */

#define FLAG_STREAM_INSERT 0x00000010 /* this packet has been queued for stream reassembly */
#define FLAG_STREAM_TWH 0x00000020 /* packet completes the 3-way handshake */
#define FLAG_FROM_SERVER 0x00000040 /* this packet came from the server
                                       side of a connection (TCP) */
#define FLAG_FROM_CLIENT 0x00000080 /* this packet came from the client
                                       side of a connection (TCP) */

#define FLAG_PDU_HEAD 0x00000100 /* start of PDU */
#define FLAG_PDU_TAIL 0x00000200 /* end of PDU */
#define FLAG_UNSURE_ENCAP 0x00000400 /* packet may have incorrect encapsulation layer. */
                                     /* don't alert if "next layer" is invalid. */
#define FLAG_HTTP_DECODE 0x00000800 /* this packet has normalized http */

#define FLAG_IGNORE_PORT 0x00001000 /* this packet should be ignored, based on port */
#define FLAG_NO_DETECT 0x00002000 /* this packet should not be preprocessed */
#define FLAG_ALLOW_MULTIPLE_DETECT 0x00004000 /* packet has either pipelined mime attachments */
                                              /* or pipelined http requests */
#define FLAG_PAYLOAD_OBFUSCATE 0x00008000

#define FLAG_STATELESS 0x00010000 /* Packet has matched a stateless rule */
#define FLAG_PASS_RULE 0x00020000 /* this packet has matched a pass rule */
#define FLAG_IP_RULE 0x00040000 /* this packet is being evaluated against an IP rule */
#define FLAG_IP_RULE_2ND 0x00080000 /* this packet is being evaluated against an IP rule (second pass) */

#define FLAG_LOGGED 0x00100000 /* this packet has been logged */
#define FLAG_PSEUDO 0x00200000 /* is a pseudo packet; pseudo_type says which kind */
#define FLAG_MODIFIED 0x00400000 /* packet had normalizations, etc. */
#ifdef NORMALIZER
#define FLAG_RESIZED 0x00800000 /* packet has new size; must set modified too */
#endif

/* neither of these flags will be set for (full) retransmissions or non-data segments */
/* a partial overlap results in out of sequence condition */
/* out of sequence condition is sticky */
#define FLAG_STREAM_ORDER_OK 0x01000000 /* this segment is in order, w/o gaps */
#define FLAG_STREAM_ORDER_BAD 0x02000000 /* this stream had at least one gap */
#define FLAG_REASSEMBLED_OLD 0x04000000 /* for backwards compat with so rules */

#define FLAG_IPREP_SOURCE_TRIGGERED 0x08000000
#define FLAG_IPREP_DATA_SET 0x10000000
#define FLAG_FILE_EVENT_SET 0x20000000
#define FLAG_EARLY_REASSEMBLY 0x40000000 /* this packet, part of the expected stream, should have stream reassembly set */
#define FLAG_RETRANSMIT 0x80000000 /* this packet is identified as a re-transmitted one */
/* --- bits 32 and up: require the 64-bit flags field --- */
#define FLAG_PURGE 0x0100000000 /* Stream will not flush the data */
#define FLAG_H1_ABORT 0x0200000000 /* Used by H1 and H2 paf */
#define FLAG_UPGRADE_PROTO 0x0400000000 /* Used by H1 paf */
#define FLAG_PSEUDO_FLUSH 0x0800000000
#define FLAG_FAST_BLOCK 0x1000000000
#define FLAG_EVAL_DROP 0x2000000000 /* Packet with FLAG_EVAL_DROP is evaluated to decide whether it needs to be dropped */


#define FLAG_PDU_FULL (FLAG_PDU_HEAD | FLAG_PDU_TAIL)   /* both ends of a PDU; see PacketHasFullPDU */

#define REASSEMBLED_PACKET_FLAGS (FLAG_REBUILT_STREAM|FLAG_REASSEMBLED_OLD)

#define SFTARGET_UNKNOWN_PROTOCOL -1   /* value of application_protocol_ordinal when not identified */
779
/* Returns 1 when the packet is a pseudo packet (FLAG_PSEUDO set in
 * p->flags), 0 otherwise. */
static inline int PacketWasCooked(const SFSnortPacket* p)
{
    const uint64_t pseudo_bit = p->flags & FLAG_PSEUDO;
    if (pseudo_bit)
        return 1;
    return 0;
}
784
/* Returns 1 when the packet is a pseudo packet of kind PSEUDO_PKT_PS,
 * 0 otherwise.  pseudo_type is only consulted when FLAG_PSEUDO is set. */
static inline int IsPortscanPacket(const SFSnortPacket *p)
{
    if (!(p->flags & FLAG_PSEUDO))
        return 0;
    return p->pseudo_type == PSEUDO_PKT_PS;
}
789
/* Protocol number to report for an event on this packet: ps_proto for a
 * portscan pseudo packet, the IP header's protocol when the packet has an
 * IP layer, and 0 otherwise. */
static inline uint8_t GetEventProto(const SFSnortPacket *p)
{
    uint8_t proto = 0;

    if (IsPortscanPacket(p))
        proto = p->ps_proto;
    else if (IPH_IS_VALID(p))
        proto = GET_IPH_PROTO(p);

    return proto;
}
796
/* Returns 1 when both FLAG_PDU_HEAD and FLAG_PDU_TAIL are set (the packet
 * holds a complete PDU), 0 if either is missing. */
static inline int PacketHasFullPDU (const SFSnortPacket* p)
{
    const uint64_t pdu_bits = p->flags & FLAG_PDU_FULL;
    return pdu_bits == FLAG_PDU_FULL;
}
801
/* Returns 1 when FLAG_PDU_HEAD is set (packet begins a PDU), else 0. */
static inline int PacketHasStartOfPDU (const SFSnortPacket* p)
{
    if (p->flags & FLAG_PDU_HEAD)
        return 1;
    return 0;
}
806
/* Returns 1 when the packet is a rebuilt stream (FLAG_REBUILT_STREAM) or
 * ends a PDU (FLAG_PDU_TAIL), else 0.  Either bit alone suffices. */
static inline int PacketHasPAFPayload (const SFSnortPacket* p)
{
    const uint64_t wanted = FLAG_REBUILT_STREAM | FLAG_PDU_TAIL;
    return (p->flags & wanted) != 0;
}
811
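/* Mark extra-data id `xid` as present on the packet by setting its bit in
 * xtradata_mask.  Ids are 1-based: BIT() maps 1..32 onto bits 0..31 of the
 * 32-bit mask.  An id outside that range would shift by a negative count or
 * by the full width of the type, which is undefined, so it is ignored
 * instead of being applied. */
static inline void SetExtraData (SFSnortPacket* p, uint32_t xid)
{
    if (xid == 0 || xid > 8 * sizeof(p->xtradata_mask))
        return;
    p->xtradata_mask |= BIT(xid);
}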
816
817 #endif /* _SF_SNORT_PACKET_H_ */
818
819