1 //--------------------------------------------------------------------------
2 // Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
3 //
4 // This program is free software; you can redistribute it and/or modify it
5 // under the terms of the GNU General Public License Version 2 as published
6 // by the Free Software Foundation.  You may not use, modify or distribute
7 // this program under any other version of the GNU General Public License.
8 //
9 // This program is distributed in the hope that it will be useful, but
10 // WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12 // General Public License for more details.
13 //
14 // You should have received a copy of the GNU General Public License along
15 // with this program; if not, write to the Free Software Foundation, Inc.,
16 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
17 //--------------------------------------------------------------------------
18 // decode_data.h author Josh Rosenbaum <jrosenba@cisco.com>
19 
20 #ifndef FRAMEWORK_DECODE_DATA_H
21 #define FRAMEWORK_DECODE_DATA_H
22 
23 // Captures decode information from Codecs.
24 
#include <cstdint>

#include "protocols/ip.h"
#include "protocols/mpls.h"
27 
// Forward declarations only: DecodeData keeps pointers to these headers, so
// the full definitions are not needed by this file.
namespace snort
{
namespace tcp { struct TCPHdr; }
namespace udp { struct UDPHdr; }
namespace icmp { struct ICMPHdr; }
}
43 
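/* NOTE: if a protocol is added, update DecodeFlags, add its PROTO_BIT__ entry
 * below, and extend the static_asserts that follow the macros. */
enum class PktType : std::uint8_t
{
    NONE,   // zero value
    IP,
    TCP,
    UDP,
    ICMP,
    PDU,
    FILE,
    MAX     // one past the last real type; not a packet type itself
};

// Protocol bit masks.  The first several bits must map to PktType:
// PROTO_BIT__IP == 1 << (PktType::IP - 1), PROTO_BIT__TCP == 1 << (PktType::TCP - 1), etc.
// Kept as plain int literals so the type of existing bit expressions does not change.
#define PROTO_BIT__NONE             0x000000
#define PROTO_BIT__IP               0x000001
#define PROTO_BIT__TCP              0x000002
#define PROTO_BIT__UDP              0x000004
#define PROTO_BIT__ICMP             0x000008
#define PROTO_BIT__PDU              0x000010
#define PROTO_BIT__FILE             0x000020
#define PROTO_BIT__ARP              0x000040
#define PROTO_BIT__TEREDO           0x000080
#define PROTO_BIT__GTP              0x000100
#define PROTO_BIT__MPLS             0x000200
#define PROTO_BIT__VLAN             0x000400
#define PROTO_BIT__ETH              0x000800
#define PROTO_BIT__TCP_EMBED_ICMP   0x001000
#define PROTO_BIT__UDP_EMBED_ICMP   0x002000
#define PROTO_BIT__ICMP_EMBED_ICMP  0x004000
#define PROTO_BIT__ICMP_EMBED_OTHER 0x008000
#define PROTO_BIT__IP6_EXT          0x010000
#define PROTO_BIT__CISCO_META_DATA  0x020000
#define PROTO_BIT__VXLAN            0x040000
#define PROTO_BIT__UDP_TUNNELED     0x080000
#define PROTO_BIT__OTHER            0x100000
#define PROTO_BIT__GENEVE           0x200000
#define PROTO_BIT__ALL              0x3FFFFF

// Any ICMP-embedded protocol.
#define PROTO_BIT__ICMP_EMBED \
    (PROTO_BIT__TCP_EMBED_ICMP | PROTO_BIT__UDP_EMBED_ICMP | \
    PROTO_BIT__ICMP_EMBED_ICMP | PROTO_BIT__ICMP_EMBED_OTHER)

#define PROTO_BIT__ANY_IP   (PROTO_BIT__IP | PROTO_BIT__TCP | PROTO_BIT__UDP | PROTO_BIT__ICMP)
#define PROTO_BIT__ANY_PDU  (PROTO_BIT__TCP | PROTO_BIT__UDP | PROTO_BIT__PDU)
#define PROTO_BIT__ANY_SSN  (PROTO_BIT__ANY_IP | PROTO_BIT__PDU | PROTO_BIT__FILE)
#define PROTO_BIT__ANY_TYPE (PROTO_BIT__ANY_SSN | PROTO_BIT__ARP)

// Enforce the PktType -> PROTO_BIT__ mapping documented above at compile time,
// so that reordering either list (or inserting a value) fails the build
// instead of silently mislabeling packets.
static_assert(PROTO_BIT__IP   == (1 << (static_cast<int>(PktType::IP)   - 1)), "PROTO_BIT__IP must match PktType::IP");
static_assert(PROTO_BIT__TCP  == (1 << (static_cast<int>(PktType::TCP)  - 1)), "PROTO_BIT__TCP must match PktType::TCP");
static_assert(PROTO_BIT__UDP  == (1 << (static_cast<int>(PktType::UDP)  - 1)), "PROTO_BIT__UDP must match PktType::UDP");
static_assert(PROTO_BIT__ICMP == (1 << (static_cast<int>(PktType::ICMP) - 1)), "PROTO_BIT__ICMP must match PktType::ICMP");
static_assert(PROTO_BIT__PDU  == (1 << (static_cast<int>(PktType::PDU)  - 1)), "PROTO_BIT__PDU must match PktType::PDU");
static_assert(PROTO_BIT__FILE == (1 << (static_cast<int>(PktType::FILE) - 1)), "PROTO_BIT__FILE must match PktType::FILE");
// PROTO_BIT__ALL must cover exactly the bits up to the highest defined one.
static_assert(PROTO_BIT__ALL == ((PROTO_BIT__GENEVE << 1) - 1), "PROTO_BIT__ALL must cover every defined PROTO_BIT__");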
85 
// Per-packet decode status bits (presumably what DecodeData::decode_flags
// holds).  All sixteen bits of the underlying type are taken, so adding a
// flag means widening the field.
enum DecodeFlags : std::uint16_t
{
    // error flags
    DECODE_ERR_CKSUM_IP   = 0x0001,
    DECODE_ERR_CKSUM_TCP  = 0x0002,
    DECODE_ERR_CKSUM_UDP  = 0x0004,
    DECODE_ERR_CKSUM_ICMP = 0x0008,
    DECODE_ERR_BAD_TTL    = 0x0010,

    DECODE_PKT_TRUST = 0x0020,  // trust this packet

    // ip
    DECODE_FRAG = 0x0040,  // fragmented packet
    DECODE_MF   = 0x0080,  // more fragments
    DECODE_DF   = 0x0100,  // don't fragment

    // user - using decode flags in lieu of creating a user layer for now
    DECODE_C2S = 0x0200,  // client to server
    DECODE_SOF = 0x0400,  // start of flow
    DECODE_EOF = 0x0800,  // end of flow
    DECODE_GTP = 0x1000,

    // tcp
    DECODE_TCP_MSS = 0x2000,
    DECODE_TCP_TS  = 0x4000,
    DECODE_TCP_WS  = 0x8000,

    // composite masks over the error flags above
    DECODE_ERR_CKSUM_ALL = DECODE_ERR_CKSUM_IP | DECODE_ERR_CKSUM_TCP
        | DECODE_ERR_CKSUM_UDP | DECODE_ERR_CKSUM_ICMP,
    DECODE_ERR_FLAGS = DECODE_ERR_CKSUM_ALL | DECODE_ERR_BAD_TTL,
};
113 
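// Decode results for one packet, filled in by the codecs.  Plain aggregate
// with no constructor; reset() puts every member except mplsHdr into its
// zero / "nothing decoded" state.
struct DecodeData
{
    /*
     * these three pointers are each referenced literally
     * dozens if not hundreds of times.  NOTHING else should be added!!
     */
    const snort::tcp::TCPHdr* tcph;
    const snort::udp::UDPHdr* udph;
    const snort::icmp::ICMPHdr* icmph;

    uint16_t sp;            /* source port (TCP/UDP) */
    uint16_t dp;            /* dest port (TCP/UDP) */

    uint16_t decode_flags;  /* presumably DecodeFlags bits */
    PktType type;

    snort::ip::IpApi ip_api;
    snort::mpls::MplsHdr mplsHdr;  // FIXIT-L need to zero this?

    // Clear the decode state before the next packet.
    //
    // Members are assigned one by one instead of memset() up to
    // offsetof(DecodeData, ip_api): the memset depended on declaration order,
    // on every member before ip_api being trivial, and skipped anything placed
    // after ip_api (as mplsHdr is) without any compiler complaint.  It also
    // made the redundant sp/dp stores that followed it easy to miss.  Adding a
    // member now means adding a line here.
    inline void reset()
    {
        tcph = nullptr;
        udph = nullptr;
        icmph = nullptr;
        sp = 0;
        dp = 0;
        decode_flags = 0;
        type = PktType::NONE;  // the zero enumerator, same value memset() produced
        ip_api.reset();
    }

    // Record the innermost decoded packet type.
    inline void set_pkt_type(PktType pkt_type)
    { type = pkt_type; }

    // Packet type recorded by set_pkt_type() (PktType::NONE after reset()).
    inline PktType get_pkt_type() const
    { return type; }
};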
147 
148 #endif
149 
150