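/* $Id$ */
/*
** Copyright (C) 2002-2009 Sourcefire, Inc.
** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/*
** Generator and event identifiers, and the alert message strings that go
** with them.
**
** Layout: each GENERATOR_* macro numbers one event source; the macros
** listed under it number the events that source can raise.  The *_STR
** macros in the second half of the file hold the message text for the
** same events.
**
** Maintenance notes:
**  - Nothing in this header ties an ID to its *_STR macro or checks that
**    IDs are unique within a generator; both are kept in step by hand.
**  - Anything that consumes alerts by number or by message text (message
**    maps, log parsers, correlation rules) will presumably see a changed
**    value here as a different event.  Treat existing numbers and strings
**    as fixed and append new ones instead of renumbering.
**  - Several events share identical or near-identical text (see the
**    decoder strings), so the generator/event pair is the reliable key
**    for triage, not the message.
**
** NOTE(review): the include guard starts with a double underscore, which
** C reserves for the implementation.  It is kept unchanged because other
** files may test it.
*/
#ifndef __GENERATORS_H__
#define __GENERATORS_H__

#define GENERATOR_SNORT_ENGINE                  1

#define GENERATOR_TAG                           2
#define     TAG_LOG_PKT                         1

/* Back Orifice detection */
#define GENERATOR_SPP_BO                        105
#define     BO_TRAFFIC_DETECT                   1
#define     BO_CLIENT_TRAFFIC_DETECT            2
#define     BO_SERVER_TRAFFIC_DETECT            3
#define     BO_SNORT_BUFFER_ATTACK              4

/* RPC decode preprocessor */
#define GENERATOR_SPP_RPC_DECODE                106
#define     RPC_FRAG_TRAFFIC                    1
#define     RPC_MULTIPLE_RECORD                 2
#define     RPC_LARGE_FRAGSIZE                  3
#define     RPC_INCOMPLETE_SEGMENT              4
#define     RPC_ZERO_LENGTH_FRAGMENT            5

/* ARP spoof preprocessor */
#define GENERATOR_SPP_ARPSPOOF                  112
#define     ARPSPOOF_UNICAST_ARP_REQUEST            1
#define     ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC    2
#define     ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST    3
#define     ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK     4

/*
** Packet decoder events.  The numbering is sparse: each protocol family
** has its own range and the gaps between ranges are unassigned in this
** header.
*/
#define GENERATOR_SNORT_DECODE                  116
#define     DECODE_NOT_IPV4_DGRAM               1
#define     DECODE_IPV4_INVALID_HEADER_LEN      2
#define     DECODE_IPV4_DGRAM_LT_IPHDR          3
#define     DECODE_IPV4OPT_BADLEN               4
#define     DECODE_IPV4OPT_TRUNCATED            5
#define     DECODE_IPV4_DGRAM_GT_CAPLEN         6

#define     DECODE_TCP_DGRAM_LT_TCPHDR          45
#define     DECODE_TCP_INVALID_OFFSET           46
#define     DECODE_TCP_LARGE_OFFSET             47

#define     DECODE_TCPOPT_BADLEN                54
#define     DECODE_TCPOPT_TRUNCATED             55
#define     DECODE_TCPOPT_TTCP                  56
#define     DECODE_TCPOPT_OBSOLETE              57
#define     DECODE_TCPOPT_EXPERIMENT            58
#define     DECODE_TCPOPT_WSCALE_INVALID        59

#define     DECODE_UDP_DGRAM_LT_UDPHDR          95
#define     DECODE_UDP_DGRAM_INVALID_LENGTH     96
#define     DECODE_UDP_DGRAM_SHORT_PACKET       97
#define     DECODE_UDP_DGRAM_LONG_PACKET        98

#define     DECODE_ICMP_DGRAM_LT_ICMPHDR        105
#define     DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR   106
#define     DECODE_ICMP_DGRAM_LT_ADDRHDR        107

#define     DECODE_ARP_TRUNCATED                109
#define     DECODE_EAPOL_TRUNCATED              110
#define     DECODE_EAPKEY_TRUNCATED             111
#define     DECODE_EAP_TRUNCATED                112

#define     DECODE_BAD_PPPOE                    120
#define     DECODE_BAD_VLAN                     130
#define     DECODE_BAD_VLAN_ETHLLC              131
#define     DECODE_BAD_VLAN_OTHER               132
#define     DECODE_BAD_80211_ETHLLC             133
#define     DECODE_BAD_80211_OTHER              134

#define     DECODE_BAD_TRH                      140
#define     DECODE_BAD_TR_ETHLLC                141
#define     DECODE_BAD_TR_MR_LEN                142
#define     DECODE_BAD_TRHMR                    143

#define     DECODE_BAD_TRAFFIC_LOOPBACK         150
#define     DECODE_BAD_TRAFFIC_SAME_SRCDST      151

/* GRE events exist only when the build defines GRE. */
#ifdef GRE
#define     DECODE_GRE_DGRAM_LT_GREHDR          160
#define     DECODE_GRE_MULTIPLE_ENCAPSULATION   161
#define     DECODE_GRE_INVALID_VERSION          162
#define     DECODE_GRE_INVALID_HEADER           163
#define     DECODE_GRE_V1_INVALID_HEADER        164
#define     DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR  165
#endif  /* GRE */

/** MPLS takes 170 block **/
#define     DECODE_BAD_MPLS                     170
#define     DECODE_BAD_MPLS_LABEL0              171
#define     DECODE_BAD_MPLS_LABEL1              172
#define     DECODE_BAD_MPLS_LABEL2              173
#define     DECODE_BAD_MPLS_LABEL3              174
#define     DECODE_MPLS_RESERVED_LABEL          175
#define     DECODE_MPLS_LABEL_STACK             176

#define     DECODE_ICMP_ORIG_IP_TRUNCATED       250
#define     DECODE_ICMP_ORIG_IP_NOT_IPV4        251
#define     DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP   252
#define     DECODE_ICMP_ORIG_PAYLOAD_LT_64      253
#define     DECODE_ICMP_ORIG_PAYLOAD_GT_576     254
#define     DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET 255

#define     DECODE_IPV6_MIN_TTL                 270
#define     DECODE_IPV6_IS_NOT                  271
#define     DECODE_IPV6_TRUNCATED_EXT           272
#define     DECODE_IPV6_TRUNCATED               273
#define     DECODE_IPV6_DGRAM_LT_IPHDR          274
#define     DECODE_IPV6_DGRAM_GT_CAPLEN         275

#define     DECODE_IPV6_TUNNELED_IPV4_TRUNCATED 291

#define     DECODE_TCP_XMAS                     400
#define     DECODE_TCP_NMAP_XMAS                401

#define     DECODE_DOS_NAPTHA                   402
#define     DECODE_SYN_TO_MULTICAST             403
#define     DECODE_ZERO_TTL                     404
#define     DECODE_BAD_FRAGBITS                 405


/*
**  HttpInspect Generator IDs
**
**  IMPORTANT::
**    Whenever events are added to the internal HttpInspect
**    event queue, you must also add the event here.  The
**    trick is that whatever the number is in HttpInspect,
**    it must be +1 when you define it here.
**
**    Nothing in this header checks that offset.  An event added on one
**    side only, or added without the +1, would be reported under a
**    neighbouring event's number.
*/
#define GENERATOR_SPP_HTTP_INSPECT_CLIENT       119
#define     HI_CLIENT_ASCII                     1   /* done */
#define     HI_CLIENT_DOUBLE_DECODE             2   /* done */
#define     HI_CLIENT_U_ENCODE                  3   /* done */
#define     HI_CLIENT_BARE_BYTE                 4   /* done */
#define     HI_CLIENT_BASE36                    5   /* done */
#define     HI_CLIENT_UTF_8                     6   /* done */
#define     HI_CLIENT_IIS_UNICODE               7   /* done */
#define     HI_CLIENT_MULTI_SLASH               8   /* done */
#define     HI_CLIENT_IIS_BACKSLASH             9   /* done */
#define     HI_CLIENT_SELF_DIR_TRAV             10  /* done */
#define     HI_CLIENT_DIR_TRAV                  11  /* done */
#define     HI_CLIENT_APACHE_WS                 12  /* done */
#define     HI_CLIENT_IIS_DELIMITER             13  /* done */
#define     HI_CLIENT_NON_RFC_CHAR              14  /* done */
#define     HI_CLIENT_OVERSIZE_DIR              15  /* done */
#define     HI_CLIENT_LARGE_CHUNK               16  /* done */
#define     HI_CLIENT_PROXY_USE                 17  /* done */
#define     HI_CLIENT_WEBROOT_DIR               18  /* done */
#define     HI_CLIENT_LONG_HDR                  19  /* done */
#define     HI_CLIENT_MAX_HEADERS               20  /* done */

#define GENERATOR_SPP_HTTP_INSPECT_ANOM_SERVER  120
#define     HI_ANOM_SERVER_ALERT                1   /* done */

/* Portscan detection: TCP 1-8, IP protocol 9-16, UDP 17-24, ICMP 25-26. */
#define GENERATOR_PSNG                          122
#define     PSNG_TCP_PORTSCAN                       1
#define     PSNG_TCP_DECOY_PORTSCAN                 2
#define     PSNG_TCP_PORTSWEEP                      3
#define     PSNG_TCP_DISTRIBUTED_PORTSCAN           4
#define     PSNG_TCP_FILTERED_PORTSCAN              5
#define     PSNG_TCP_FILTERED_DECOY_PORTSCAN        6
#define     PSNG_TCP_PORTSWEEP_FILTERED             7
#define     PSNG_TCP_FILTERED_DISTRIBUTED_PORTSCAN  8

#define     PSNG_IP_PORTSCAN                        9
#define     PSNG_IP_DECOY_PORTSCAN                  10
#define     PSNG_IP_PORTSWEEP                       11
#define     PSNG_IP_DISTRIBUTED_PORTSCAN            12
#define     PSNG_IP_FILTERED_PORTSCAN               13
#define     PSNG_IP_FILTERED_DECOY_PORTSCAN         14
#define     PSNG_IP_PORTSWEEP_FILTERED              15
#define     PSNG_IP_FILTERED_DISTRIBUTED_PORTSCAN   16

#define     PSNG_UDP_PORTSCAN                       17
#define     PSNG_UDP_DECOY_PORTSCAN                 18
#define     PSNG_UDP_PORTSWEEP                      19
#define     PSNG_UDP_DISTRIBUTED_PORTSCAN           20
#define     PSNG_UDP_FILTERED_PORTSCAN              21
#define     PSNG_UDP_FILTERED_DECOY_PORTSCAN        22
#define     PSNG_UDP_PORTSWEEP_FILTERED             23
#define     PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN  24

#define     PSNG_ICMP_PORTSWEEP                     25
#define     PSNG_ICMP_PORTSWEEP_FILTERED            26

#define     PSNG_OPEN_PORT                          27

/* IP fragment reassembly (frag3) */
#define GENERATOR_SPP_FRAG3                     123
#define     FRAG3_IPOPTIONS                     1
#define     FRAG3_TEARDROP                      2
#define     FRAG3_SHORT_FRAG                    3
#define     FRAG3_ANOMALY_OVERSIZE              4
#define     FRAG3_ANOMALY_ZERO                  5
#define     FRAG3_ANOMALY_BADSIZE_SM            6
#define     FRAG3_ANOMALY_BADSIZE_LG            7
#define     FRAG3_ANOMALY_OVLP                  8
#define     FRAG3_IPV6_BSD_ICMP_FRAG            9
#define     FRAG3_IPV6_BAD_FRAG_PKT             10
#define     FRAG3_MIN_TTL_EVASION               11
#define     FRAG3_EXCESSIVE_OVERLAP             12
#define     FRAG3_TINY_FRAGMENT                 13

#define GENERATOR_SMTP                          124
#define     SMTP_COMMAND_OVERFLOW               1
#define     SMTP_DATA_HDR_OVERFLOW              2
#define     SMTP_RESPONSE_OVERFLOW              3
#define     SMTP_SPECIFIC_CMD_OVERFLOW          4
#define     SMTP_UNKNOWN_CMD                    5
#define     SMTP_ILLEGAL_CMD                    6
#define     SMTP_HEADER_NAME_OVERFLOW           7
#define     SMTP_XLINK2STATE_OVERFLOW           8

/*
**  FTPTelnet Generator IDs
**
**  IMPORTANT::
**    Whenever events are added to the internal FTP or Telnet
**    event queues, you must also add the event here.  The
**    trick is that whatever the number is in FTPTelnet,
**    it must be +1 when you define it here.
**
**    As with HttpInspect above, nothing in this header checks the offset.
*/
#define GENERATOR_SPP_FTPP_FTP                  125
#define     FTPP_FTP_TELNET_CMD                 1
#define     FTPP_FTP_INVALID_CMD                2
#define     FTPP_FTP_PARAMETER_LENGTH_OVERFLOW  3
#define     FTPP_FTP_MALFORMED_PARAMETER        4
#define     FTPP_FTP_PARAMETER_STR_FORMAT       5
#define     FTPP_FTP_RESPONSE_LENGTH_OVERFLOW   6
#define     FTPP_FTP_ENCRYPTED                  7
#define     FTPP_FTP_BOUNCE                     8
#define GENERATOR_SPP_FTPP_TELNET               126
#define     FTPP_TELNET_AYT_OVERFLOW            1
#define     FTPP_TELNET_ENCRYPTED               2
#define     FTPP_TELNET_SUBNEG_BEGIN_NO_END     3

/* No event IDs are defined for this generator in this header. */
#define GENERATOR_SPP_ISAKMP                    127

#define GENERATOR_SPP_SSH                       128
#define     SSH_EVENT_RESPOVERFLOW              1
#define     SSH_EVENT_CRC32                     2
#define     SSH_EVENT_SECURECRT                 3
#define     SSH_EVENT_PROTOMISMATCH             4
#define     SSH_EVENT_WRONGDIR                  5
#define     SSH_EVENT_PAYLOAD_SIZE              6
#define     SSH_EVENT_VERSION                   7

/* TCP stream tracking and reassembly (stream5) */
#define GENERATOR_SPP_STREAM5                   129
#define     STREAM5_SYN_ON_EST                  1
#define     STREAM5_DATA_ON_SYN                 2
#define     STREAM5_DATA_ON_CLOSED              3
#define     STREAM5_BAD_TIMESTAMP               4
#define     STREAM5_BAD_SEGMENT                 5
#define     STREAM5_WINDOW_TOO_LARGE            6
#define     STREAM5_EXCESSIVE_TCP_OVERLAPS      7
#define     STREAM5_DATA_AFTER_RESET            8
#define     STREAM5_SESSION_HIJACKED_CLIENT     9
#define     STREAM5_SESSION_HIJACKED_SERVER     10
#define     STREAM5_DATA_WITHOUT_FLAGS          11
#define     STREAM5_SMALL_SEGMENT               12

#define GENERATOR_DCERPC                        130
#define     DCERPC_MEMORY_OVERFLOW              1

#define GENERATOR_DNS                           131
#define     DNS_EVENT_OBSOLETE_TYPES            1
#define     DNS_EVENT_EXPERIMENTAL_TYPES        2
#define     DNS_EVENT_RDATA_OVERFLOW            3

/* No event IDs are defined for this generator in this header. */
#define GENERATOR_SKYPE                         132

/*
** DCE2 events: 1 is the memcap event, 2-26 are SMB, 27-39 use the CO
** prefix and 40-43 the CL prefix.
*/
#define GENERATOR_DCE2                          133
#define     DCE2_EVENT__MEMCAP                      1
#define     DCE2_EVENT__SMB_BAD_NBSS_TYPE           2
#define     DCE2_EVENT__SMB_BAD_TYPE                3
#define     DCE2_EVENT__SMB_BAD_ID                  4
#define     DCE2_EVENT__SMB_BAD_WCT                 5
#define     DCE2_EVENT__SMB_BAD_BCC                 6
#define     DCE2_EVENT__SMB_BAD_FORMAT              7
#define     DCE2_EVENT__SMB_BAD_OFF                 8
#define     DCE2_EVENT__SMB_TDCNT_ZERO              9
#define     DCE2_EVENT__SMB_NB_LT_SMBHDR            10
#define     DCE2_EVENT__SMB_NB_LT_COM               11
#define     DCE2_EVENT__SMB_NB_LT_BCC               12
#define     DCE2_EVENT__SMB_NB_LT_DSIZE             13
#define     DCE2_EVENT__SMB_TDCNT_LT_DSIZE          14
#define     DCE2_EVENT__SMB_DSENT_GT_TDCNT          15
#define     DCE2_EVENT__SMB_BCC_LT_DSIZE            16
#define     DCE2_EVENT__SMB_INVALID_DSIZE           17
#define     DCE2_EVENT__SMB_EXCESSIVE_TREE_CONNECTS 18
#define     DCE2_EVENT__SMB_EXCESSIVE_READS         19
#define     DCE2_EVENT__SMB_EXCESSIVE_CHAINING      20
#define     DCE2_EVENT__SMB_MULT_CHAIN_SS           21
#define     DCE2_EVENT__SMB_MULT_CHAIN_TC           22
#define     DCE2_EVENT__SMB_CHAIN_SS_LOGOFF         23
#define     DCE2_EVENT__SMB_CHAIN_TC_TDIS           24
#define     DCE2_EVENT__SMB_CHAIN_OPEN_CLOSE        25
#define     DCE2_EVENT__SMB_INVALID_SHARE           26
#define     DCE2_EVENT__CO_BAD_MAJ_VERSION          27
#define     DCE2_EVENT__CO_BAD_MIN_VERSION          28
#define     DCE2_EVENT__CO_BAD_PDU_TYPE             29
#define     DCE2_EVENT__CO_FLEN_LT_HDR              30
#define     DCE2_EVENT__CO_FLEN_LT_SIZE             31
#define     DCE2_EVENT__CO_ZERO_CTX_ITEMS           32
#define     DCE2_EVENT__CO_ZERO_TSYNS               33
#define     DCE2_EVENT__CO_FRAG_LT_MAX_XMIT_FRAG    34
#define     DCE2_EVENT__CO_FRAG_GT_MAX_XMIT_FRAG    35
#define     DCE2_EVENT__CO_ALTER_CHANGE_BYTE_ORDER  36
#define     DCE2_EVENT__CO_FRAG_DIFF_CALL_ID        37
#define     DCE2_EVENT__CO_FRAG_DIFF_OPNUM          38
#define     DCE2_EVENT__CO_FRAG_DIFF_CTX_ID         39
#define     DCE2_EVENT__CL_BAD_MAJ_VERSION          40
#define     DCE2_EVENT__CL_BAD_PDU_TYPE             41
#define     DCE2_EVENT__CL_DATA_LT_HDR              42
#define     DCE2_EVENT__CL_BAD_SEQ_NUM              43

#define GENERATOR_PPM                           134
#define     PPM_EVENT_RULE_TREE_DISABLED        1
#define     PPM_EVENT_RULE_TREE_ENABLED         2

#define GENERATOR_INTERNAL                      135
#define     INTERNAL_EVENT_SYN_RECEIVED         1
#define     INTERNAL_EVENT_SESSION_ADD          2
#define     INTERNAL_EVENT_SESSION_DEL          3

/* Reserved for Marty's IP blacklisting patch
#define GENERATOR_SPP_IPLIST                    136 */

/* No event IDs are defined for this generator in this header. */
#define GENERATOR_SPP_SSLPP                     137

/*
** Alert message strings for the internal events above.
**
** NOTE(review): the source prefix is not uniform.  Decoder strings use
** "(snort_decoder)", "(snort_decoder):" and "(snort decoder)"; the Back
** Orifice strings use "(spo_bo)" although the generator macro is
** GENERATOR_SPP_BO; the Stream5 and PPM strings carry no prefix at all.
** A text filter on one spelling will miss the others.
*/

#define ARPSPOOF_UNICAST_ARP_REQUEST_STR "(spp_arpspoof) Unicast ARP request"
#define ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC_STR \
"(spp_arpspoof) Ethernet/ARP Mismatch request for Source"
#define ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST_STR \
"(spp_arpspoof) Ethernet/ARP Mismatch request for Destination"
#define ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK_STR \
"(spp_arpspoof) Attempted ARP cache overwrite attack"

#define BO_TRAFFIC_DETECT_STR "(spo_bo) Back Orifice Traffic detected"
#define BO_CLIENT_TRAFFIC_DETECT_STR "(spo_bo) Back Orifice Client Traffic detected"
#define BO_SERVER_TRAFFIC_DETECT_STR "(spo_bo) Back Orifice Server Traffic detected"
#define BO_SNORT_BUFFER_ATTACK_STR "(spo_bo) Back Orifice Snort buffer attack"

/*
** FRAG3 strings
** NOTE(review): these names abbreviate ANOMALY to ANOM, unlike the ID
** macros (FRAG3_ANOMALY_OVERSIZE vs FRAG3_ANOM_OVERSIZE_STR).
*/
#define FRAG3_IPOPTIONS_STR "(spp_frag3) Inconsistent IP Options on Fragmented Packets"
#define FRAG3_TEARDROP_STR "(spp_frag3) Teardrop attack"
#define FRAG3_SHORT_FRAG_STR "(spp_frag3) Short fragment, possible DoS attempt"
#define FRAG3_ANOM_OVERSIZE_STR "(spp_frag3) Fragment packet ends after defragmented packet"
#define FRAG3_ANOM_ZERO_STR "(spp_frag3) Zero-byte fragment packet"
#define FRAG3_ANOM_BADSIZE_SM_STR "(spp_frag3) Bad fragment size, packet size is negative"
#define FRAG3_ANOM_BADSIZE_LG_STR "(spp_frag3) Bad fragment size, packet size is greater than 65536"
#define FRAG3_ANOM_OVLP_STR "(spp_frag3) Fragmentation overlap"
#define FRAG3_IPV6_BSD_ICMP_FRAG_STR "(spp_frag3) IPv6 BSD mbufs remote kernel buffer overflow"
#define FRAG3_IPV6_BAD_FRAG_PKT_STR "(spp_frag3) Bogus fragmentation packet. Possible BSD attack"
#define FRAG3_MIN_TTL_EVASION_STR "(spp_frag3) TTL value less than configured minimum, not using for reassembly"
#define FRAG3_EXCESSIVE_OVERLAP_STR "(spp_frag3) Excessive fragment overlap"
#define FRAG3_TINY_FRAGMENT_STR "(spp_frag3) Tiny fragment"

/* Stream5 strings */
#define STREAM5_SYN_ON_EST_STR "Syn on established session"
#define STREAM5_DATA_ON_SYN_STR "Data on SYN packet"
#define STREAM5_DATA_ON_CLOSED_STR "Data sent on stream not accepting data"
#define STREAM5_BAD_TIMESTAMP_STR "TCP Timestamp is outside of PAWS window"
#define STREAM5_BAD_SEGMENT_STR "Bad segment, adjusted size <= 0"
#define STREAM5_WINDOW_TOO_LARGE_STR "Window size (after scaling) larger than policy allows"
#define STREAM5_EXCESSIVE_TCP_OVERLAPS_STR "Limit on number of overlapping TCP packets reached"
#define STREAM5_DATA_AFTER_RESET_STR "Data sent on stream after TCP Reset"
#define STREAM5_SESSION_HIJACKED_CLIENT_STR "TCP Client possibly hijacked, different Ethernet Address"
#define STREAM5_SESSION_HIJACKED_SERVER_STR "TCP Server possibly hijacked, different Ethernet Address"
#define STREAM5_DATA_WITHOUT_FLAGS_STR "TCP Data with no TCP Flags set"
#define STREAM5_SMALL_SEGMENT_STR "Consecutive TCP small segments exceeding threshold"

/* Deliberately empty in the original; no matching STREAM5_* ID is defined above. */
#define STREAM5_INTERNAL_EVENT_STR ""

/* PPM strings */
#define PPM_EVENT_RULE_TREE_DISABLED_STR "Rule Options Disabled by Rule Latency"
#define PPM_EVENT_RULE_TREE_ENABLED_STR "Rule Options Re-enabled by Rule Latency"

/*
** Snort decoder strings
** NOTE(review): DECODE_NOT_IPV6_DGRAM_STR and DECODE_IPV4_DGRAM_UNKNOWN_STR
** have no numeric ID in this header.
*/
#define DECODE_NOT_IPV4_DGRAM_STR "(snort_decoder) WARNING: Not IPv4 datagram!"
#define DECODE_IPV4_INVALID_HEADER_LEN_STR "(snort_decoder) WARNING: hlen < IP_HEADER_LEN!"
#define DECODE_IPV4_DGRAM_LT_IPHDR_STR "(snort_decoder) WARNING: IP dgm len < IP Hdr len!"
#define DECODE_IPV4OPT_BADLEN_STR "(snort_decoder): Ipv4 Options found with bad lengths"
#define DECODE_IPV4OPT_TRUNCATED_STR "(snort_decoder): Truncated Ipv4 Options"
#define DECODE_IPV4_DGRAM_GT_CAPLEN_STR "(snort_decoder) WARNING: IP dgm len > captured len!"
#define DECODE_NOT_IPV6_DGRAM_STR "(snort_decoder) WARNING: Not an IPv6 datagram"

#define DECODE_TCP_DGRAM_LT_TCPHDR_STR "(snort_decoder) TCP packet len is smaller than 20 bytes!"
#define DECODE_TCP_INVALID_OFFSET_STR "(snort_decoder) WARNING: TCP Data Offset is less than 5!"
#define DECODE_TCP_LARGE_OFFSET_STR "(snort_decoder) WARNING: TCP Header length exceeds packet length!"

#define DECODE_TCPOPT_BADLEN_STR "(snort_decoder): Tcp Options found with bad lengths"
#define DECODE_TCPOPT_TRUNCATED_STR "(snort_decoder): Truncated Tcp Options"
#define DECODE_TCPOPT_TTCP_STR "(snort_decoder): T/TCP Detected"
#define DECODE_TCPOPT_OBSOLETE_STR "(snort_decoder): Obsolete TCP Options found"
#define DECODE_TCPOPT_EXPERIMENT_STR "(snort_decoder): Experimental Tcp Options found"
#define DECODE_TCPOPT_WSCALE_INVALID_STR "(snort_decoder): Tcp Window Scale Option found with length > 14"

#define DECODE_UDP_DGRAM_LT_UDPHDR_STR "(snort_decoder) WARNING: Truncated UDP Header!"
#define DECODE_UDP_DGRAM_INVALID_LENGTH_STR "(snort_decoder): Invalid UDP header, length field < 8"
#define DECODE_UDP_DGRAM_SHORT_PACKET_STR "(snort_decoder): Short UDP packet, length field > payload length"
#define DECODE_UDP_DGRAM_LONG_PACKET_STR "(snort_decoder): Long UDP packet, length field < payload length"

#define DECODE_ICMP_DGRAM_LT_ICMPHDR_STR "(snort_decoder) WARNING: ICMP Header Truncated!"
#define DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR_STR "(snort_decoder) WARNING: ICMP Timestamp Header Truncated!"
#define DECODE_ICMP_DGRAM_LT_ADDRHDR_STR "(snort_decoder) WARNING: ICMP Address Header Truncated!"
#define DECODE_IPV4_DGRAM_UNKNOWN_STR "(snort_decoder) Unknown Datagram decoding problem!"
#define DECODE_ARP_TRUNCATED_STR "(snort_decoder) WARNING: Truncated ARP!"
#define DECODE_EAPOL_TRUNCATED_STR "(snort_decoder) WARNING: Truncated EAP Header!"
#define DECODE_EAPKEY_TRUNCATED_STR "(snort_decoder) WARNING: EAP Key Truncated!"
#define DECODE_EAP_TRUNCATED_STR "(snort_decoder) WARNING: EAP Header Truncated!"
#define DECODE_BAD_PPPOE_STR "(snort_decoder) WARNING: Bad PPPOE frame detected!"
#define DECODE_BAD_VLAN_STR "(snort_decoder) WARNING: Bad VLAN Frame!"
#define DECODE_BAD_VLAN_ETHLLC_STR "(snort_decoder) WARNING: Bad LLC header!"
#define DECODE_BAD_VLAN_OTHER_STR "(snort_decoder) WARNING: Bad Extra LLC Info!"
#define DECODE_BAD_80211_ETHLLC_STR "(snort_decoder) WARNING: Bad 802.11 LLC header!"
#define DECODE_BAD_80211_OTHER_STR "(snort_decoder) WARNING: Bad 802.11 Extra LLC Info!"

/* NOTE(review): "MRLENHeader" below looks like a missing space; left as is. */
#define DECODE_BAD_TRH_STR "(snort_decoder) WARNING: Bad Token Ring Header!"
#define DECODE_BAD_TR_ETHLLC_STR "(snort_decoder) WARNING: Bad Token Ring ETHLLC Header!"
#define DECODE_BAD_TR_MR_LEN_STR "(snort_decoder) WARNING: Bad Token Ring MRLENHeader!"
#define DECODE_BAD_TRHMR_STR "(snort_decoder) WARNING: Bad Token Ring MR Header!"

#define DECODE_BAD_TRAFFIC_LOOPBACK_STR "(snort decoder) Bad Traffic Loopback IP"
#define DECODE_BAD_TRAFFIC_SAME_SRCDST_STR "(snort decoder) Bad Traffic Same Src/Dst IP"

#ifdef GRE
#define DECODE_GRE_DGRAM_LT_GREHDR_STR "(snort decoder) WARNING: GRE header length > payload length"
#define DECODE_GRE_MULTIPLE_ENCAPSULATION_STR "(snort decoder) WARNING: Multiple encapsulations in packet"
#define DECODE_GRE_INVALID_VERSION_STR "(snort decoder) WARNING: Invalid GRE version"
#define DECODE_GRE_INVALID_HEADER_STR "(snort decoder) WARNING: Invalid GRE header"
#define DECODE_GRE_V1_INVALID_HEADER_STR "(snort decoder) WARNING: Invalid GRE v.1 PPTP header"
#define DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR_STR "(snort decoder) WARNING: GRE Trans header length > payload length"
#endif  /* GRE */

/*
** The PAYLOAD_GT_576 text previously read "Origianl"; the spelling is
** corrected here so a search for "Original" finds all six ICMP_ORIG
** messages.  The event is still generator 116, event 254.
*/
#define DECODE_ICMP_ORIG_IP_TRUNCATED_STR "(snort_decoder) WARNING: ICMP Original IP Header Truncated!"
#define DECODE_ICMP_ORIG_IP_NOT_IPV4_STR "(snort_decoder) WARNING: ICMP Original IP Header Not IPv4!"
#define DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP_STR "(snort_decoder) WARNING: ICMP Original Datagram Length < Original IP Header Length!"
#define DECODE_ICMP_ORIG_PAYLOAD_LT_64_STR "(snort_decoder) WARNING: ICMP Original IP Payload < 64 bits!"
#define DECODE_ICMP_ORIG_PAYLOAD_GT_576_STR "(snort_decoder) WARNING: ICMP Original IP Payload > 576 bytes!"
#define DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET_STR "(snort_decoder) WARNING: ICMP Original IP Fragmented and Offset Not 0!"

/*
** The two IPV6_DGRAM_* strings repeat the IPv4 text word for word
** (events 274/275 vs 3/6), so only the event ID tells the IP version.
*/
#define DECODE_IPV6_MIN_TTL_STR "(snort decoder) IPV6 packet exceeded TTL limit"
#define DECODE_IPV6_IS_NOT_STR "(snort decoder) IPv6 header claims to not be IPv6"
#define DECODE_IPV6_TRUNCATED_EXT_STR "(snort decoder) IPV6 truncated extension header"
#define DECODE_IPV6_TRUNCATED_STR "(snort decoder) IPV6 truncated header"
#define DECODE_IPV6_DGRAM_LT_IPHDR_STR "(snort_decoder) WARNING: IP dgm len < IP Hdr len!"
#define DECODE_IPV6_DGRAM_GT_CAPLEN_STR "(snort_decoder) WARNING: IP dgm len > captured len!"
#define DECODE_IPV6_TUNNELED_IPV4_TRUNCATED_STR "(snort_decoder) IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux Kernel attack"

#define DECODE_TCP_XMAS_STR "(snort_decoder) WARNING: XMAS Attack Detected!"
#define DECODE_TCP_NMAP_XMAS_STR "(snort_decoder) WARNING: Nmap XMAS Attack Detected!"

#define DECODE_DOS_NAPTHA_STR "(snort_decoder) DOS NAPTHA Vulnerability Detected!"
#define DECODE_SYN_TO_MULTICAST_STR "(snort_decoder) Bad Traffic SYN to multicast address"
#define DECODE_ZERO_TTL_STR "(snort_decoder) WARNING: IPV4 packet with zero TTL"
#define DECODE_BAD_FRAGBITS_STR "(snort_decoder) WARNING: IPV4 packet with bad frag bits (Both MF and DF set)"

/* RPC decode preprocessor strings */
#define RPC_FRAG_TRAFFIC_STR "(spp_rpc_decode) Fragmented RPC Records"
#define RPC_MULTIPLE_RECORD_STR "(spp_rpc_decode) Multiple RPC Records"
#define RPC_LARGE_FRAGSIZE_STR "(spp_rpc_decode) Large RPC Record Fragment"
#define RPC_INCOMPLETE_SEGMENT_STR "(spp_rpc_decode) Incomplete RPC segment"
#define RPC_ZERO_LENGTH_FRAGMENT_STR "(spp_rpc_decode) Zero-length RPC Fragment"

/* Portscan strings */
#define PSNG_TCP_PORTSCAN_STR "(portscan) TCP Portscan"
#define PSNG_TCP_DECOY_PORTSCAN_STR "(portscan) TCP Decoy Portscan"
#define PSNG_TCP_PORTSWEEP_STR "(portscan) TCP Portsweep"
#define PSNG_TCP_DISTRIBUTED_PORTSCAN_STR "(portscan) TCP Distributed Portscan"
#define PSNG_TCP_FILTERED_PORTSCAN_STR "(portscan) TCP Filtered Portscan"
#define PSNG_TCP_FILTERED_DECOY_PORTSCAN_STR "(portscan) TCP Filtered Decoy Portscan"
#define PSNG_TCP_FILTERED_DISTRIBUTED_PORTSCAN_STR "(portscan) TCP Filtered Distributed Portscan"
#define PSNG_TCP_PORTSWEEP_FILTERED_STR "(portscan) TCP Filtered Portsweep"

#define PSNG_IP_PORTSCAN_STR "(portscan) IP Protocol Scan"
#define PSNG_IP_DECOY_PORTSCAN_STR "(portscan) IP Decoy Protocol Scan"
#define PSNG_IP_PORTSWEEP_STR "(portscan) IP Protocol Sweep"
#define PSNG_IP_DISTRIBUTED_PORTSCAN_STR "(portscan) IP Distributed Protocol Scan"
#define PSNG_IP_FILTERED_PORTSCAN_STR "(portscan) IP Filtered Protocol Scan"
#define PSNG_IP_FILTERED_DECOY_PORTSCAN_STR "(portscan) IP Filtered Decoy Protocol Scan"
#define PSNG_IP_FILTERED_DISTRIBUTED_PORTSCAN_STR "(portscan) IP Filtered Distributed Protocol Scan"
#define PSNG_IP_PORTSWEEP_FILTERED_STR "(portscan) IP Filtered Protocol Sweep"

#define PSNG_UDP_PORTSCAN_STR "(portscan) UDP Portscan"
#define PSNG_UDP_DECOY_PORTSCAN_STR "(portscan) UDP Decoy Portscan"
#define PSNG_UDP_PORTSWEEP_STR "(portscan) UDP Portsweep"
#define PSNG_UDP_DISTRIBUTED_PORTSCAN_STR "(portscan) UDP Distributed Portscan"
#define PSNG_UDP_FILTERED_PORTSCAN_STR "(portscan) UDP Filtered Portscan"
#define PSNG_UDP_FILTERED_DECOY_PORTSCAN_STR "(portscan) UDP Filtered Decoy Portscan"
#define PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN_STR "(portscan) UDP Filtered Distributed Portscan"
#define PSNG_UDP_PORTSWEEP_FILTERED_STR "(portscan) UDP Filtered Portsweep"

#define PSNG_ICMP_PORTSWEEP_STR "(portscan) ICMP Sweep"
#define PSNG_ICMP_PORTSWEEP_FILTERED_STR "(portscan) ICMP Filtered Sweep"

#define PSNG_OPEN_PORT_STR "(portscan) Open Port"

/*
** MPLS decoder strings
** NOTE(review): the ID macro is DECODE_MPLS_RESERVED_LABEL but the string
** macro is DECODE_MPLS_RESERVEDLABEL_STR, and DECODE_MULTICAST_MPLS_STR
** has no numeric ID in this header.
*/
#define DECODE_BAD_MPLS_STR "(snort_decoder) WARNING: Bad MPLS Frame!"
#define DECODE_BAD_MPLS_LABEL0_STR "(snort_decoder) WARNING: MPLS Label 0 Appears in Nonbottom Header"
#define DECODE_BAD_MPLS_LABEL1_STR "(snort_decoder) WARNING: MPLS Label 1 Appears in Bottom Header"
#define DECODE_BAD_MPLS_LABEL2_STR "(snort_decoder) WARNING: MPLS Label 2 Appears in Nonbottom Header"
#define DECODE_BAD_MPLS_LABEL3_STR "(snort_decoder) WARNING: MPLS Label 3 Appears in Header"
#define DECODE_MPLS_RESERVEDLABEL_STR "(snort_decoder) WARNING: MPLS Label 4, 5,.. or 15 Appears in Header"
#define DECODE_MPLS_LABEL_STACK_STR "(snort_decoder) WARNING: Too Many MPLS headers"
#define DECODE_MULTICAST_MPLS_STR "(snort_decoder) WARNING: Multicast MPLS traffic detected"
#endif /* __GENERATORS_H__ */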