1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
23  */
24 
25 #ifndef __DECODE_EVENTS_H__
26 #define __DECODE_EVENTS_H__
27 
/**
 * Packet decoder and stream events.
 *
 * Only the first enumerator has an explicit value (0); every other event
 * takes the next integer, so an event's code is its position in this list.
 * Inserting or removing an entry renumbers every event after it.
 *
 * The list has two ranges:
 *  - events for the decoding of a single packet, from IPV4_PKT_TOO_SMALL up
 *    to and including GENERIC_TOO_MANY_LAYERS. DECODE_EVENT_PACKET_MAX is an
 *    alias of that last event, i.e. an inclusive upper bound;
 *  - STREAM_* events, whose numbering continues right after it.
 *
 * DECODE_EVENT_MAX is the number of events and has to stay last.
 *
 * NOTE(review): struct DecodeEvents_ stores the code in a uint8_t and the
 * DEvents table is sized from DECODE_EVENT_MAX, so this list presumably has
 * to stay within uint8_t range and in step with the table -- confirm
 * against the table definition.
 */
enum {
    /* IPV4 EVENTS */
    IPV4_PKT_TOO_SMALL = 0,       /**< ipv4 pkt smaller than minimum header size */
    IPV4_HLEN_TOO_SMALL,          /**< ipv4 header smaller than minimum size */
    IPV4_IPLEN_SMALLER_THAN_HLEN, /**< ipv4 pkt len smaller than ip header size */
    IPV4_TRUNC_PKT,               /**< truncated ipv4 packet */

    /* IPV4 OPTIONS */
    IPV4_OPT_INVALID,      /**< invalid ip options */
    IPV4_OPT_INVALID_LEN,  /**< ip options with invalid len */
    IPV4_OPT_MALFORMED,    /**< malformed ip options */
    IPV4_OPT_PAD_REQUIRED, /**< pad bytes are needed in ip options */
    IPV4_OPT_EOL_REQUIRED, /**< "end of list" needed in ip options */
    IPV4_OPT_DUPLICATE,    /**< duplicated ip option */
    IPV4_OPT_UNKNOWN,      /**< unknown ip option */
    IPV4_WRONG_IP_VER,     /**< wrong ip version in ip options */
    IPV4_WITH_ICMPV6,      /**< IPv4 packet with ICMPv6 header */

    /* ICMP EVENTS */
    ICMPV4_PKT_TOO_SMALL,    /**< icmpv4 packet smaller than minimum size */
    ICMPV4_UNKNOWN_TYPE,     /**< icmpv4 unknown type */
    ICMPV4_UNKNOWN_CODE,     /**< icmpv4 unknown code */
    ICMPV4_IPV4_TRUNC_PKT,   /**< truncated icmpv4 packet */
    ICMPV4_IPV4_UNKNOWN_VER, /**< unknown version in icmpv4 packet */

    /* ICMPv6 EVENTS */
    ICMPV6_UNKNOWN_TYPE,                /**< icmpv6 unknown type */
    ICMPV6_UNKNOWN_CODE,                /**< icmpv6 unknown code */
    ICMPV6_PKT_TOO_SMALL,               /**< icmpv6 smaller than minimum size */
    ICMPV6_IPV6_UNKNOWN_VER,            /**< unknown version in icmpv6 packet */
    ICMPV6_IPV6_TRUNC_PKT,              /**< truncated icmpv6 packet */
    ICMPV6_MLD_MESSAGE_WITH_INVALID_HL, /**< invalid MLD that doesn't have HL 1 */
    ICMPV6_UNASSIGNED_TYPE,             /**< unassigned ICMPv6 type */
    ICMPV6_EXPERIMENTATION_TYPE,        /**< private experimentation ICMPv6 type */

    /* IPV6 EVENTS */
    IPV6_PKT_TOO_SMALL,     /**< ipv6 packet smaller than minimum size */
    IPV6_TRUNC_PKT,         /**< truncated ipv6 packet */
    IPV6_TRUNC_EXTHDR,      /**< truncated ipv6 extension header */
    IPV6_EXTHDR_DUPL_FH,    /**< duplicated "fragment" header in ipv6 extension headers */
    IPV6_EXTHDR_USELESS_FH, /**< useless FH: offset 0 + no more fragments */
    IPV6_EXTHDR_DUPL_RH,    /**< duplicated "routing" header in ipv6 extension headers */
    IPV6_EXTHDR_DUPL_HH,    /**< duplicated "hop-by-hop" header in ipv6 extension headers */
    IPV6_EXTHDR_DUPL_DH,    /**< duplicated "destination" header in ipv6 extension headers */
    IPV6_EXTHDR_DUPL_AH,    /**< duplicated "authentication" header in ipv6 extension headers */
    IPV6_EXTHDR_DUPL_EH,    /**< duplicated "ESP" header in ipv6 extension headers */

    IPV6_EXTHDR_INVALID_OPTLEN,  /**< the opt len in a hop or dst hdr is invalid. */
    IPV6_WRONG_IP_VER,           /**< wrong version in ipv6 */
    IPV6_EXTHDR_AH_RES_NOT_NULL, /**< AH hdr reserved fields not null (rfc 4302) */

    IPV6_HOPOPTS_UNKNOWN_OPT,  /**< unknown HOP opt */
    IPV6_HOPOPTS_ONLY_PADDING, /**< all options in HOP opts are padding */
    IPV6_DSTOPTS_UNKNOWN_OPT,  /**< unknown DST opt */
    IPV6_DSTOPTS_ONLY_PADDING, /**< all options in DST opts are padding */

    IPV6_EXTHDR_RH_TYPE_0,       /**< RH 0 is deprecated as per rfc5095 */
    IPV6_EXTHDR_ZERO_LEN_PADN,   /**< padN w/o data (0 len) */
    IPV6_FH_NON_ZERO_RES_FIELD,  /**< reserved field not zero */
    IPV6_DATA_AFTER_NONE_HEADER, /**< data after 'none' (59) header */

    IPV6_UNKNOWN_NEXT_HEADER, /**< unknown/unsupported next header */
    IPV6_WITH_ICMPV4,         /**< IPv6 packet with ICMPv4 header */

    /* TCP EVENTS */
    TCP_PKT_TOO_SMALL,  /**< tcp packet smaller than minimum size */
    TCP_HLEN_TOO_SMALL, /**< tcp header smaller than minimum size */
    TCP_INVALID_OPTLEN, /**< invalid len in tcp options */

    /* TCP OPTIONS */
    TCP_OPT_INVALID_LEN, /**< tcp option with invalid len */
    TCP_OPT_DUPLICATE,   /**< duplicated tcp option */

    /* UDP EVENTS */
    UDP_PKT_TOO_SMALL,  /**< udp packet smaller than minimum size */
    UDP_HLEN_TOO_SMALL, /**< udp header smaller than minimum size */
    UDP_HLEN_INVALID,   /**< invalid len of udp header */

    /* SLL EVENTS */
    SLL_PKT_TOO_SMALL, /**< sll packet smaller than minimum size */

    /* ETHERNET EVENTS */
    ETHERNET_PKT_TOO_SMALL, /**< ethernet packet smaller than minimum size */

    /* PPP EVENTS */
    PPP_PKT_TOO_SMALL,     /**< ppp packet smaller than minimum size */
    PPPVJU_PKT_TOO_SMALL,  /**< ppp vj uncompressed packet smaller than minimum size */
    PPPIPV4_PKT_TOO_SMALL, /**< ppp ipv4 packet smaller than minimum size */
    PPPIPV6_PKT_TOO_SMALL, /**< ppp ipv6 packet smaller than minimum size */
    PPP_WRONG_TYPE,        /**< wrong type in ppp frame */
    PPP_UNSUP_PROTO,       /**< protocol not supported for ppp */

    /* PPPOE EVENTS */
    PPPOE_PKT_TOO_SMALL,  /**< pppoe packet smaller than minimum size */
    PPPOE_WRONG_CODE,     /**< wrong code for pppoe */
    PPPOE_MALFORMED_TAGS, /**< malformed tags in pppoe */

    /* GRE EVENTS */
    GRE_PKT_TOO_SMALL,              /**< gre packet smaller than minimum size */
    GRE_WRONG_VERSION,              /**< wrong version in gre header */
    GRE_VERSION0_RECUR,             /**< gre v0 recursion control */
    GRE_VERSION0_FLAGS,             /**< gre v0 flags */
    GRE_VERSION0_HDR_TOO_BIG,       /**< gre v0 header bigger than maximum size */
    GRE_VERSION0_MALFORMED_SRE_HDR, /**< gre v0 malformed source route entry header */
    GRE_VERSION1_CHKSUM,            /**< gre v1 checksum */
    GRE_VERSION1_ROUTE,             /**< gre v1 routing */
    GRE_VERSION1_SSR,               /**< gre v1 strict source route */
    GRE_VERSION1_RECUR,             /**< gre v1 recursion control */
    GRE_VERSION1_FLAGS,             /**< gre v1 flags */
    GRE_VERSION1_NO_KEY,            /**< gre v1 no key present in header */
    GRE_VERSION1_WRONG_PROTOCOL,    /**< gre v1 wrong protocol */
    GRE_VERSION1_MALFORMED_SRE_HDR, /**< gre v1 malformed source route entry header */
    GRE_VERSION1_HDR_TOO_BIG,       /**< gre v1 header too big */

    /* VLAN EVENTS */
    VLAN_HEADER_TOO_SMALL, /**< vlan header smaller than minimum size */
    VLAN_UNKNOWN_TYPE,     /**< vlan unknown type */
    VLAN_HEADER_TOO_MANY_LAYERS,

    IEEE8021AH_HEADER_TOO_SMALL,

    /* VNTAG EVENTS */
    VNTAG_HEADER_TOO_SMALL, /**< vntag header smaller than minimum size */
    VNTAG_UNKNOWN_TYPE,     /**< vntag unknown type */

    /* RAW EVENTS */
    IPRAW_INVALID_IPV, /**< invalid ip version in ip raw */

    /* LINKTYPE NULL EVENTS */
    LTNULL_PKT_TOO_SMALL,    /**< pkt too small for lt:null */
    LTNULL_UNSUPPORTED_TYPE, /**< pkt has a type that the decoder doesn't support */

    /* SCTP EVENTS */
    SCTP_PKT_TOO_SMALL, /**< sctp packet smaller than minimum size */

    /* Fragmentation reassembly events. */
    IPV4_FRAG_PKT_TOO_LARGE,
    IPV6_FRAG_PKT_TOO_LARGE,
    IPV4_FRAG_OVERLAP,
    IPV6_FRAG_OVERLAP,
    IPV6_FRAG_INVALID_LENGTH,

    /* Fragment ignored due to internal error */
    IPV4_FRAG_IGNORED,
    IPV6_FRAG_IGNORED,

    /* IPv4 in IPv6 events */
    IPV4_IN_IPV6_PKT_TOO_SMALL,
    IPV4_IN_IPV6_WRONG_IP_VER,

    /* IPv6 in IPv6 events */
    IPV6_IN_IPV6_PKT_TOO_SMALL,
    IPV6_IN_IPV6_WRONG_IP_VER,

    /* MPLS decode events. */
    MPLS_HEADER_TOO_SMALL,
    MPLS_PKT_TOO_SMALL,
    MPLS_BAD_LABEL_ROUTER_ALERT,
    MPLS_BAD_LABEL_IMPLICIT_NULL,
    MPLS_BAD_LABEL_RESERVED,
    MPLS_UNKNOWN_PAYLOAD_TYPE,

    /* VXLAN events */
    VXLAN_UNKNOWN_PAYLOAD_TYPE,

    /* Geneve events */
    GENEVE_UNKNOWN_PAYLOAD_TYPE,

    /* ERSPAN events */
    ERSPAN_HEADER_TOO_SMALL,
    ERSPAN_UNSUPPORTED_VERSION,
    ERSPAN_TOO_MANY_VLAN_LAYERS,

    /* Cisco Fabric Path/DCE events. */
    DCE_PKT_TOO_SMALL,

    /* Cisco HDLC events. */
    CHDLC_PKT_TOO_SMALL,

    /* generic events */
    GENERIC_TOO_MANY_LAYERS,

    /* END OF DECODE EVENTS ON SINGLE PACKET
     *
     * This is an alias of the last single-packet event, not a
     * one-past-the-end marker: it consumes no value of its own, and the
     * first stream event below gets GENERIC_TOO_MANY_LAYERS + 1.
     * NOTE(review): a range test against it needs '<=' to include
     * GENERIC_TOO_MANY_LAYERS; a strict '<' leaves that event out. */
    DECODE_EVENT_PACKET_MAX = GENERIC_TOO_MANY_LAYERS,

    /* STREAM EVENTS */
    STREAM_3WHS_ACK_IN_WRONG_DIR,
    STREAM_3WHS_ASYNC_WRONG_SEQ,
    STREAM_3WHS_RIGHT_SEQ_WRONG_ACK_EVASION,
    STREAM_3WHS_SYNACK_IN_WRONG_DIRECTION,
    STREAM_3WHS_SYNACK_RESEND_WITH_DIFFERENT_ACK,
    STREAM_3WHS_SYNACK_RESEND_WITH_DIFF_SEQ,
    STREAM_3WHS_SYNACK_TOSERVER_ON_SYN_RECV,
    STREAM_3WHS_SYNACK_WITH_WRONG_ACK,
    STREAM_3WHS_SYNACK_FLOOD,
    STREAM_3WHS_SYN_RESEND_DIFF_SEQ_ON_SYN_RECV,
    STREAM_3WHS_SYN_TOCLIENT_ON_SYN_RECV,
    STREAM_3WHS_WRONG_SEQ_WRONG_ACK,
    STREAM_3WHS_ACK_DATA_INJECT,
    STREAM_4WHS_SYNACK_WITH_WRONG_ACK,
    STREAM_4WHS_SYNACK_WITH_WRONG_SYN,
    STREAM_4WHS_WRONG_SEQ,
    STREAM_4WHS_INVALID_ACK,
    STREAM_CLOSEWAIT_ACK_OUT_OF_WINDOW,
    STREAM_CLOSEWAIT_FIN_OUT_OF_WINDOW,
    STREAM_CLOSEWAIT_PKT_BEFORE_LAST_ACK,
    STREAM_CLOSEWAIT_INVALID_ACK,
    STREAM_CLOSING_ACK_WRONG_SEQ,
    STREAM_CLOSING_INVALID_ACK,
    STREAM_EST_PACKET_OUT_OF_WINDOW,
    STREAM_EST_PKT_BEFORE_LAST_ACK,
    STREAM_EST_SYNACK_RESEND,
    STREAM_EST_SYNACK_RESEND_WITH_DIFFERENT_ACK,
    STREAM_EST_SYNACK_RESEND_WITH_DIFF_SEQ,
    STREAM_EST_SYNACK_TOSERVER,
    STREAM_EST_SYN_RESEND,
    STREAM_EST_SYN_RESEND_DIFF_SEQ,
    STREAM_EST_SYN_TOCLIENT,
    STREAM_EST_INVALID_ACK,
    STREAM_FIN_INVALID_ACK,
    STREAM_FIN1_ACK_WRONG_SEQ,
    STREAM_FIN1_FIN_WRONG_SEQ,
    STREAM_FIN1_INVALID_ACK,
    STREAM_FIN2_ACK_WRONG_SEQ,
    STREAM_FIN2_FIN_WRONG_SEQ,
    STREAM_FIN2_INVALID_ACK,
    STREAM_FIN_BUT_NO_SESSION,
    STREAM_FIN_OUT_OF_WINDOW,
    STREAM_FIN_SYN,
    STREAM_LASTACK_ACK_WRONG_SEQ,
    STREAM_LASTACK_INVALID_ACK,
    STREAM_RST_BUT_NO_SESSION,
    STREAM_TIMEWAIT_ACK_WRONG_SEQ,
    STREAM_TIMEWAIT_INVALID_ACK,
    STREAM_SHUTDOWN_SYN_RESEND,
    STREAM_PKT_INVALID_TIMESTAMP,
    STREAM_PKT_INVALID_ACK,
    STREAM_PKT_BROKEN_ACK,
    STREAM_RST_INVALID_ACK,
    STREAM_PKT_RETRANSMISSION,
    STREAM_PKT_BAD_WINDOW_UPDATE,

    STREAM_SUSPECTED_RST_INJECT,
    STREAM_WRONG_THREAD,

    STREAM_REASSEMBLY_SEGMENT_BEFORE_BASE_SEQ,
    STREAM_REASSEMBLY_NO_SEGMENT,
    STREAM_REASSEMBLY_SEQ_GAP,
    STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA,

    /* should always be last! It equals the number of events defined above,
     * because the DECODE_EVENT_PACKET_MAX alias takes no value of its own. */
    DECODE_EVENT_MAX,
};
282 
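/**
 * \brief Test whether event code \a e is a single-packet decoder event.
 *
 * DECODE_EVENT_PACKET_MAX is defined as an alias of the last single-packet
 * decoder event (GENERIC_TOO_MANY_LAYERS), not as a one-past-the-end marker,
 * so the bound has to be inclusive. With a strict '<' that last event fell
 * outside the range, and a packet carrying only GENERIC_TOO_MANY_LAYERS was
 * not reported as a decoder packet error by this check.
 *
 * \param e event code; it is expanded exactly once. No lower bound is
 *          checked, so a negative value also tests true -- callers are
 *          presumably passing unsigned event codes.
 *
 * \retval non-zero if \a e is at or below DECODE_EVENT_PACKET_MAX
 * \retval 0 otherwise (the stream events and DECODE_EVENT_MAX)
 */
#define EVENT_IS_DECODER_PACKET_ERROR(e)    \
    ((e) <= (DECODE_EVENT_PACKET_MAX))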
285 
286 /* supported decoder events */
287 
/**
 * \brief One row of the decoder event table: an event name and its code.
 *
 * NOTE(review): uint8_t is used here but this header includes nothing
 * itself, so the including file presumably provides <stdint.h> first --
 * confirm.
 */
struct DecodeEvents_ {
    /* Event name string. Presumably NULL in the end-of-table marker row --
     * confirm against the DEvents definition. */
    const char *event_name;
    /* Event code, presumably a value of the decoder event enum. It is only
     * 8 bits wide, so a code above 255 would not fit. */
    uint8_t code;
};
/* Decoder event table, declared here and defined in another translation
 * unit. It has DECODE_EVENT_MAX + 1 rows: +1 for the end of table marker.
 * NOTE(review): looks like it is meant to hold one row per event, in enum
 * order, so that a row's position matches its code; a missing or misordered
 * row would then attach the wrong name to an event -- confirm against the
 * definition. */
extern const struct DecodeEvents_ DEvents[DECODE_EVENT_MAX + 1];
294 
295 #endif /* __DECODE_EVENTS_H__ */
296