#include "suricata-common.h"
+#include "decode-events.h"
/* code moved to app-layer-events */
+const struct DecodeEvents_ DEvents[] = {
+ /* IPV4 EVENTS */
+ { "decoder.ipv4.pkt_too_small", IPV4_PKT_TOO_SMALL, },
+ { "decoder.ipv4.hlen_too_small", IPV4_HLEN_TOO_SMALL, },
+ { "decoder.ipv4.iplen_smaller_than_hlen", IPV4_IPLEN_SMALLER_THAN_HLEN, },
+ { "decoder.ipv4.trunc_pkt", IPV4_TRUNC_PKT, },
+
+ /* IPV4 OPTIONS */
+ { "decoder.ipv4.opt_invalid", IPV4_OPT_INVALID, },
+ { "decoder.ipv4.opt_invalid_len", IPV4_OPT_INVALID_LEN, },
+ { "decoder.ipv4.opt_malformed", IPV4_OPT_MALFORMED, },
+ { "decoder.ipv4.opt_pad_required", IPV4_OPT_PAD_REQUIRED, },
+ { "decoder.ipv4.opt_eol_required", IPV4_OPT_EOL_REQUIRED, },
+ { "decoder.ipv4.opt_duplicate", IPV4_OPT_DUPLICATE, },
+ { "decoder.ipv4.opt_unknown", IPV4_OPT_UNKNOWN, },
+ { "decoder.ipv4.wrong_ip_version", IPV4_WRONG_IP_VER, },
+ { "decoder.ipv4.icmpv6", IPV4_WITH_ICMPV6, },
+
+ /* ICMP EVENTS */
+ { "decoder.icmpv4.pkt_too_small", ICMPV4_PKT_TOO_SMALL, },
+ { "decoder.icmpv4.unknown_type", ICMPV4_UNKNOWN_TYPE, },
+ { "decoder.icmpv4.unknown_code", ICMPV4_UNKNOWN_CODE, },
+ { "decoder.icmpv4.ipv4_trunc_pkt", ICMPV4_IPV4_TRUNC_PKT, },
+ { "decoder.icmpv4.ipv4_unknown_ver", ICMPV4_IPV4_UNKNOWN_VER, },
+
+ /* ICMPv6 EVENTS */
+ { "decoder.icmpv6.unknown_type", ICMPV6_UNKNOWN_TYPE,},
+ { "decoder.icmpv6.unknown_code", ICMPV6_UNKNOWN_CODE,},
+ { "decoder.icmpv6.pkt_too_small", ICMPV6_PKT_TOO_SMALL,},
+ { "decoder.icmpv6.ipv6_unknown_version", ICMPV6_IPV6_UNKNOWN_VER,},
+ { "decoder.icmpv6.ipv6_trunc_pkt", ICMPV6_IPV6_TRUNC_PKT,},
+ { "decoder.icmpv6.mld_message_with_invalid_hl", ICMPV6_MLD_MESSAGE_WITH_INVALID_HL,},
+ { "decoder.icmpv6.unassigned_type", ICMPV6_UNASSIGNED_TYPE,},
+ { "decoder.icmpv6.experimentation_type", ICMPV6_EXPERIMENTATION_TYPE,},
+
+ /* IPV6 EVENTS */
+ { "decoder.ipv6.pkt_too_small", IPV6_PKT_TOO_SMALL, },
+ { "decoder.ipv6.trunc_pkt", IPV6_TRUNC_PKT, },
+ { "decoder.ipv6.trunc_exthdr", IPV6_TRUNC_EXTHDR, },
+ { "decoder.ipv6.exthdr_dupl_fh", IPV6_EXTHDR_DUPL_FH, },
+ { "decoder.ipv6.exthdr_useless_fh", IPV6_EXTHDR_USELESS_FH, },
+ { "decoder.ipv6.exthdr_dupl_rh", IPV6_EXTHDR_DUPL_RH, },
+ { "decoder.ipv6.exthdr_dupl_hh", IPV6_EXTHDR_DUPL_HH, },
+ { "decoder.ipv6.exthdr_dupl_dh", IPV6_EXTHDR_DUPL_DH, },
+ { "decoder.ipv6.exthdr_dupl_ah", IPV6_EXTHDR_DUPL_AH, },
+ { "decoder.ipv6.exthdr_dupl_eh", IPV6_EXTHDR_DUPL_EH, },
+ { "decoder.ipv6.exthdr_invalid_optlen", IPV6_EXTHDR_INVALID_OPTLEN, },
+ { "decoder.ipv6.wrong_ip_version", IPV6_WRONG_IP_VER, },
+ { "decoder.ipv6.exthdr_ah_res_not_null", IPV6_EXTHDR_AH_RES_NOT_NULL, },
+ { "decoder.ipv6.hopopts_unknown_opt", IPV6_HOPOPTS_UNKNOWN_OPT, },
+ { "decoder.ipv6.hopopts_only_padding", IPV6_HOPOPTS_ONLY_PADDING, },
+ { "decoder.ipv6.dstopts_unknown_opt", IPV6_DSTOPTS_UNKNOWN_OPT, },
+ { "decoder.ipv6.dstopts_only_padding", IPV6_DSTOPTS_ONLY_PADDING, },
+ { "decoder.ipv6.rh_type_0", IPV6_EXTHDR_RH_TYPE_0, },
+ { "decoder.ipv6.zero_len_padn", IPV6_EXTHDR_ZERO_LEN_PADN, },
+ { "decoder.ipv6.fh_non_zero_reserved_field", IPV6_FH_NON_ZERO_RES_FIELD, },
+ { "decoder.ipv6.data_after_none_header", IPV6_DATA_AFTER_NONE_HEADER, },
+ { "decoder.ipv6.unknown_next_header", IPV6_UNKNOWN_NEXT_HEADER, },
+ { "decoder.ipv6.icmpv4", IPV6_WITH_ICMPV4, },
+
+ /* TCP EVENTS */
+ { "decoder.tcp.pkt_too_small", TCP_PKT_TOO_SMALL, },
+ { "decoder.tcp.hlen_too_small", TCP_HLEN_TOO_SMALL, },
+ { "decoder.tcp.invalid_optlen", TCP_INVALID_OPTLEN, },
+
+ /* TCP OPTIONS */
+ { "decoder.tcp.opt_invalid_len", TCP_OPT_INVALID_LEN, },
+ { "decoder.tcp.opt_duplicate", TCP_OPT_DUPLICATE, },
+
+ /* UDP EVENTS */
+ { "decoder.udp.pkt_too_small", UDP_PKT_TOO_SMALL, },
+ { "decoder.udp.hlen_too_small", UDP_HLEN_TOO_SMALL, },
+ { "decoder.udp.hlen_invalid", UDP_HLEN_INVALID, },
+
+ /* SLL EVENTS */
+ { "decoder.sll.pkt_too_small", SLL_PKT_TOO_SMALL, },
+
+ /* ETHERNET EVENTS */
+ { "decoder.ethernet.pkt_too_small", ETHERNET_PKT_TOO_SMALL, },
+
+ /* PPP EVENTS */
+ { "decoder.ppp.pkt_too_small", PPP_PKT_TOO_SMALL, },
+ { "decoder.ppp.vju_pkt_too_small", PPPVJU_PKT_TOO_SMALL, },
+ { "decoder.ppp.ip4_pkt_too_small", PPPIPV4_PKT_TOO_SMALL, },
+ { "decoder.ppp.ip6_pkt_too_small", PPPIPV6_PKT_TOO_SMALL, },
+ { "decoder.ppp.wrong_type", PPP_WRONG_TYPE, }, /** unknown & invalid protocol */
+ { "decoder.ppp.unsup_proto", PPP_UNSUP_PROTO, }, /** unsupported but valid protocol */
+
+ /* PPPOE EVENTS */
+ { "decoder.pppoe.pkt_too_small", PPPOE_PKT_TOO_SMALL, },
+ { "decoder.pppoe.wrong_code", PPPOE_WRONG_CODE, },
+ { "decoder.pppoe.malformed_tags", PPPOE_MALFORMED_TAGS, },
+
+ /* GRE EVENTS */
+ { "decoder.gre.pkt_too_small", GRE_PKT_TOO_SMALL, },
+ { "decoder.gre.wrong_version", GRE_WRONG_VERSION, },
+ { "decoder.gre.version0_recur", GRE_VERSION0_RECUR, },
+ { "decoder.gre.version0_flags", GRE_VERSION0_FLAGS, },
+ { "decoder.gre.version0_hdr_too_big", GRE_VERSION0_HDR_TOO_BIG, },
+ { "decoder.gre.version0_malformed_sre_hdr", GRE_VERSION0_MALFORMED_SRE_HDR, },
+ { "decoder.gre.version1_chksum", GRE_VERSION1_CHKSUM, },
+ { "decoder.gre.version1_route", GRE_VERSION1_ROUTE, },
+ { "decoder.gre.version1_ssr", GRE_VERSION1_SSR, },
+ { "decoder.gre.version1_recur", GRE_VERSION1_RECUR, },
+ { "decoder.gre.version1_flags", GRE_VERSION1_FLAGS, },
+ { "decoder.gre.version1_no_key", GRE_VERSION1_NO_KEY, },
+ { "decoder.gre.version1_wrong_protocol", GRE_VERSION1_WRONG_PROTOCOL, },
+ { "decoder.gre.version1_malformed_sre_hdr", GRE_VERSION1_MALFORMED_SRE_HDR, },
+ { "decoder.gre.version1_hdr_too_big", GRE_VERSION1_HDR_TOO_BIG, },
+
+ /* VLAN EVENTS */
+ { "decoder.vlan.header_too_small",VLAN_HEADER_TOO_SMALL, },
+ { "decoder.vlan.unknown_type",VLAN_UNKNOWN_TYPE, },
+ { "decoder.vlan.too_many_layers", VLAN_HEADER_TOO_MANY_LAYERS, },
+
+ /* RAW EVENTS */
+ { "decoder.ipraw.invalid_ip_version",IPRAW_INVALID_IPV, },
+
+ /* LINKTYPE NULL EVENTS */
+ { "decoder.ltnull.pkt_too_small", LTNULL_PKT_TOO_SMALL, },
+ { "decoder.ltnull.unsupported_type", LTNULL_UNSUPPORTED_TYPE, },
+
+ /* SCTP EVENTS */
+ { "decoder.sctp.pkt_too_small", SCTP_PKT_TOO_SMALL, },
+
+ /* Fragmentation reasembly events. */
+ { "decoder.ipv4.frag_too_large", IPV4_FRAG_PKT_TOO_LARGE, },
+ { "decoder.ipv6.frag_too_large", IPV6_FRAG_PKT_TOO_LARGE, },
+ { "decoder.ipv4.frag_overlap", IPV4_FRAG_OVERLAP, },
+ { "decoder.ipv6.frag_overlap", IPV6_FRAG_OVERLAP, },
+ /* Fragment ignored due to internal error */
+ { "decoder.ipv4.frag_ignored", IPV4_FRAG_IGNORED, },
+ { "decoder.ipv6.frag_ignored", IPV6_FRAG_IGNORED, },
+
+ /* IPv4 in IPv6 events */
+ { "decoder.ipv6.ipv4_in_ipv6_too_small", IPV4_IN_IPV6_PKT_TOO_SMALL, },
+ { "decoder.ipv6.ipv4_in_ipv6_wrong_version", IPV4_IN_IPV6_WRONG_IP_VER, },
+ /* IPv6 in IPv6 events */
+ { "decoder.ipv6.ipv6_in_ipv6_too_small", IPV6_IN_IPV6_PKT_TOO_SMALL, },
+ { "decoder.ipv6.ipv6_in_ipv6_wrong_version", IPV6_IN_IPV6_WRONG_IP_VER, },
+
+ /* MPLS events */
+ { "decoder.mpls.bad_label_router_alert", MPLS_BAD_LABEL_ROUTER_ALERT, },
+ { "decoder.mpls.bad_label_implicit_null", MPLS_BAD_LABEL_IMPLICIT_NULL, },
+ { "decoder.mpls.bad_label_reserved", MPLS_BAD_LABEL_RESERVED, },
+ { "decoder.mpls.unknown_payload_type", MPLS_UNKNOWN_PAYLOAD_TYPE, },
+
+ /* ERSPAN events */
+ { "decoder.erspan.header_too_small", ERSPAN_HEADER_TOO_SMALL, },
+ { "decoder.erspan.unsupported_version", ERSPAN_UNSUPPORTED_VERSION, },
+ { "decoder.erspan.too_many_vlan_layers", ERSPAN_TOO_MANY_VLAN_LAYERS, },
+
+ /* STREAM EVENTS */
+ { "stream.3whs_ack_in_wrong_dir", STREAM_3WHS_ACK_IN_WRONG_DIR, },
+ { "stream.3whs_async_wrong_seq", STREAM_3WHS_ASYNC_WRONG_SEQ, },
+ { "stream.3whs_right_seq_wrong_ack_evasion", STREAM_3WHS_RIGHT_SEQ_WRONG_ACK_EVASION, },
+ { "stream.3whs_synack_in_wrong_direction", STREAM_3WHS_SYNACK_IN_WRONG_DIRECTION, },
+ { "stream.3whs_synack_resend_with_different_ack", STREAM_3WHS_SYNACK_RESEND_WITH_DIFFERENT_ACK, },
+ { "stream.3whs_synack_resend_with_diff_seq", STREAM_3WHS_SYNACK_RESEND_WITH_DIFF_SEQ, },
+ { "stream.3whs_synack_toserver_on_syn_recv", STREAM_3WHS_SYNACK_TOSERVER_ON_SYN_RECV, },
+ { "stream.3whs_synack_with_wrong_ack", STREAM_3WHS_SYNACK_WITH_WRONG_ACK, },
+ { "stream.3whs_synack_flood", STREAM_3WHS_SYNACK_FLOOD, },
+ { "stream.3whs_syn_resend_diff_seq_on_syn_recv", STREAM_3WHS_SYN_RESEND_DIFF_SEQ_ON_SYN_RECV, },
+ { "stream.3whs_syn_toclient_on_syn_recv", STREAM_3WHS_SYN_TOCLIENT_ON_SYN_RECV, },
+ { "stream.3whs_wrong_seq_wrong_ack", STREAM_3WHS_WRONG_SEQ_WRONG_ACK, },
+ { "stream.4whs_synack_with_wrong_ack", STREAM_4WHS_SYNACK_WITH_WRONG_ACK, },
+ { "stream.4whs_synack_with_wrong_syn", STREAM_4WHS_SYNACK_WITH_WRONG_SYN, },
+ { "stream.4whs_wrong_seq", STREAM_4WHS_WRONG_SEQ, },
+ { "stream.4whs_invalid_ack", STREAM_4WHS_INVALID_ACK, },
+ { "stream.closewait_ack_out_of_window", STREAM_CLOSEWAIT_ACK_OUT_OF_WINDOW, },
+ { "stream.closewait_fin_out_of_window", STREAM_CLOSEWAIT_FIN_OUT_OF_WINDOW, },
+ { "stream.closewait_pkt_before_last_ack", STREAM_CLOSEWAIT_PKT_BEFORE_LAST_ACK, },
+ { "stream.closewait_invalid_ack", STREAM_CLOSEWAIT_INVALID_ACK, },
+ { "stream.closing_ack_wrong_seq", STREAM_CLOSING_ACK_WRONG_SEQ, },
+ { "stream.closing_invalid_ack", STREAM_CLOSING_INVALID_ACK, },
+ { "stream.est_packet_out_of_window", STREAM_EST_PACKET_OUT_OF_WINDOW, },
+ { "stream.est_pkt_before_last_ack", STREAM_EST_PKT_BEFORE_LAST_ACK, },
+ { "stream.est_synack_resend", STREAM_EST_SYNACK_RESEND, },
+ { "stream.est_synack_resend_with_different_ack", STREAM_EST_SYNACK_RESEND_WITH_DIFFERENT_ACK, },
+ { "stream.est_synack_resend_with_diff_seq", STREAM_EST_SYNACK_RESEND_WITH_DIFF_SEQ, },
+ { "stream.est_synack_toserver", STREAM_EST_SYNACK_TOSERVER, },
+ { "stream.est_syn_resend", STREAM_EST_SYN_RESEND, },
+ { "stream.est_syn_resend_diff_seq", STREAM_EST_SYN_RESEND_DIFF_SEQ, },
+ { "stream.est_syn_toclient", STREAM_EST_SYN_TOCLIENT, },
+ { "stream.est_invalid_ack", STREAM_EST_INVALID_ACK, },
+ { "stream.fin_invalid_ack", STREAM_FIN_INVALID_ACK, },
+ { "stream.fin1_ack_wrong_seq", STREAM_FIN1_ACK_WRONG_SEQ, },
+ { "stream.fin1_fin_wrong_seq", STREAM_FIN1_FIN_WRONG_SEQ, },
+ { "stream.fin1_invalid_ack", STREAM_FIN1_INVALID_ACK, },
+ { "stream.fin2_ack_wrong_seq", STREAM_FIN2_ACK_WRONG_SEQ, },
+ { "stream.fin2_fin_wrong_seq", STREAM_FIN2_FIN_WRONG_SEQ, },
+ { "stream.fin2_invalid_ack", STREAM_FIN2_INVALID_ACK, },
+ { "stream.fin_but_no_session", STREAM_FIN_BUT_NO_SESSION, },
+ { "stream.fin_out_of_window", STREAM_FIN_OUT_OF_WINDOW, },
+ { "stream.lastack_ack_wrong_seq", STREAM_LASTACK_ACK_WRONG_SEQ, },
+ { "stream.lastack_invalid_ack", STREAM_LASTACK_INVALID_ACK, },
+ { "stream.rst_but_no_session", STREAM_RST_BUT_NO_SESSION, },
+ { "stream.timewait_ack_wrong_seq", STREAM_TIMEWAIT_ACK_WRONG_SEQ, },
+ { "stream.timewait_invalid_ack", STREAM_TIMEWAIT_INVALID_ACK, },
+ { "stream.pkt_invalid_timestamp", STREAM_PKT_INVALID_TIMESTAMP, },
+ { "stream.pkt_invalid_ack", STREAM_PKT_INVALID_ACK, },
+ { "stream.pkt_broken_ack", STREAM_PKT_BROKEN_ACK, },
+ { "stream.rst_invalid_ack", STREAM_RST_INVALID_ACK, },
+ { "stream.shutdown_syn_resend", STREAM_SHUTDOWN_SYN_RESEND, },
+ { "stream.pkt_retransmission", STREAM_PKT_RETRANSMISSION, },
+ { "stream.reassembly_segment_before_base_seq", STREAM_REASSEMBLY_SEGMENT_BEFORE_BASE_SEQ, },
+ { "stream.reassembly_no_segment", STREAM_REASSEMBLY_NO_SEGMENT, },
+ { "stream.reassembly_seq_gap", STREAM_REASSEMBLY_SEQ_GAP, },
+ { "stream.reassembly_overlap_different_data", STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA, },
+ { "stream.pkt_bad_window_update", STREAM_PKT_BAD_WINDOW_UPDATE, },
+
+ { NULL, 0 },
+};
/* packet decoder events */
enum {
/* IPV4 EVENTS */
- IPV4_PKT_TOO_SMALL = 1, /**< ipv4 pkt smaller than minimum header size */
+ IPV4_PKT_TOO_SMALL = 0, /**< ipv4 pkt smaller than minimum header size */
IPV4_HLEN_TOO_SMALL, /**< ipv4 header smaller than minimum size */
IPV4_IPLEN_SMALLER_THAN_HLEN, /**< ipv4 pkt len smaller than ip header size */
IPV4_TRUNC_PKT, /**< truncated ipv4 packet */
LTNULL_PKT_TOO_SMALL, /**< pkt too small for lt:null */
LTNULL_UNSUPPORTED_TYPE, /**< pkt has a type that the decoder doesn't support */
+ /* SCTP EVENTS */
+ SCTP_PKT_TOO_SMALL, /**< sctp packet smaller than minimum size */
+
+ /* Fragmentation reasembly events. */
+ IPV4_FRAG_PKT_TOO_LARGE,
+ IPV6_FRAG_PKT_TOO_LARGE,
+ IPV4_FRAG_OVERLAP,
+ IPV6_FRAG_OVERLAP,
+ IPV4_FRAG_TOO_LARGE,
+ IPV6_FRAG_TOO_LARGE,
+
+ /* Fragment ignored due to internal error */
+ IPV4_FRAG_IGNORED,
+ IPV6_FRAG_IGNORED,
+
+ /* IPv4 in IPv6 events */
+ IPV4_IN_IPV6_PKT_TOO_SMALL,
+ IPV4_IN_IPV6_WRONG_IP_VER,
+
+ /* IPv6 in IPv6 events */
+ IPV6_IN_IPV6_PKT_TOO_SMALL,
+ IPV6_IN_IPV6_WRONG_IP_VER,
+
+ /* MPLS decode events. */
+ MPLS_HEADER_TOO_SMALL,
+ MPLS_BAD_LABEL_ROUTER_ALERT,
+ MPLS_BAD_LABEL_IMPLICIT_NULL,
+ MPLS_BAD_LABEL_RESERVED,
+ MPLS_UNKNOWN_PAYLOAD_TYPE,
+
+ /* ERSPAN events */
+ ERSPAN_HEADER_TOO_SMALL,
+ ERSPAN_UNSUPPORTED_VERSION,
+ ERSPAN_TOO_MANY_VLAN_LAYERS,
+
+ /* END OF DECODE EVENTS ON SINGLE PACKET */
+ DECODE_EVENT_PACKET_MAX,
+
/* STREAM EVENTS */
STREAM_3WHS_ACK_IN_WRONG_DIR,
STREAM_3WHS_ASYNC_WRONG_SEQ,
STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA,
- /* SCTP EVENTS */
- SCTP_PKT_TOO_SMALL, /**< sctp packet smaller than minimum size */
-
- /* Fragmentation reasembly events. */
- IPV4_FRAG_PKT_TOO_LARGE,
- IPV6_FRAG_PKT_TOO_LARGE,
- IPV4_FRAG_OVERLAP,
- IPV6_FRAG_OVERLAP,
- IPV4_FRAG_TOO_LARGE,
- IPV6_FRAG_TOO_LARGE,
- /* Fragment ignored due to internal error */
- IPV4_FRAG_IGNORED,
- IPV6_FRAG_IGNORED,
-
- /* IPv4 in IPv6 events */
- IPV4_IN_IPV6_PKT_TOO_SMALL,
- IPV4_IN_IPV6_WRONG_IP_VER,
- /* IPv6 in IPv6 events */
- IPV6_IN_IPV6_PKT_TOO_SMALL,
- IPV6_IN_IPV6_WRONG_IP_VER,
+ /* should always be last! */
+ DECODE_EVENT_MAX,
+};
- /* MPLS decode events. */
- MPLS_HEADER_TOO_SMALL,
- MPLS_BAD_LABEL_ROUTER_ALERT,
- MPLS_BAD_LABEL_IMPLICIT_NULL,
- MPLS_BAD_LABEL_RESERVED,
- MPLS_UNKNOWN_PAYLOAD_TYPE,
+#define EVENT_IS_DECODER_PACKET_ERROR(e) \
+ ((e) < (DECODE_EVENT_PACKET_MAX))
- /* ERSPAN events */
- ERSPAN_HEADER_TOO_SMALL,
- ERSPAN_UNSUPPORTED_VERSION,
- ERSPAN_TOO_MANY_VLAN_LAYERS,
+/* supported decoder events */
- /* should always be last! */
- DECODE_EVENT_MAX,
+struct DecodeEvents_ {
+ char *event_name;
+ uint8_t code;
};
+extern const struct DecodeEvents_ DEvents[DECODE_EVENT_MAX];
#endif /* __DECODE_EVENTS_H__ */
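Review bot: `event_name` in `struct DecodeEvents_` is declared `char *` although every row of the const table points at a string literal; `const char *event_name;` lets the compiler reject a write through it. The enum is also re-based so that `IPV4_PKT_TOO_SMALL = 0`, which makes 0 a valid event code. No caller visible here treats 0 as "no event", but any that does elsewhere needs checking. `EVENT_IS_DECODER_PACKET_ERROR` is only correct while every per-packet event is listed before `DECODE_EVENT_PACKET_MAX`, so I would add a comment at that enumerator such as `/* per-packet events above this line only; it sizes counter_invalid_events[] */`.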
void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
{
- if (p->flags & PKT_IS_INVALID)
+ if (p->flags & PKT_IS_INVALID) {
StatsIncr(tv, dtv->counter_invalid);
-
+ int i = 0;
+ for (i = 0; i < p->events.cnt; i++) {
+ if (EVENT_IS_DECODER_PACKET_ERROR(p->events.events[i])) {
+ StatsIncr(tv, dtv->counter_invalid_events[p->events.events[i]]);
+ }
+ }
+ }
#ifdef __SC_CUDA_SUPPORT__
if (dtv->cuda_vars.mpm_is_cuda)
CudaBufferPacket(&dtv->cuda_vars, p);
StatsRegisterCounter("defrag.ipv6.timeouts", tv);
dtv->counter_defrag_max_hit =
StatsRegisterCounter("defrag.max_frag_hits", tv);
-
+
+ int i = 0;
+ for (i = 0; i < DECODE_EVENT_PACKET_MAX; i++) {
+ dtv->counter_invalid_events[i] = StatsRegisterCounter(
+ DEvents[i].event_name, tv);
+ }
+
return;
}
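Review bot: The registration loop stores the counter for table row `i` in `counter_invalid_events[i]`, while the loop added to `PacketDecodeFinalize` in the previous hunk increments `counter_invalid_events[p->events.events[i]]`, so the two agree only if row `i` of `DEvents` has `code == i`. The visible enum lists `IPV4_FRAG_TOO_LARGE`, `IPV6_FRAG_TOO_LARGE` and `MPLS_HEADER_TOO_SMALL` before `DECODE_EVENT_PACKET_MAX`, and the new `DEvents` table has no row for them. From those codes on, a count would be published under another event's name, and the last slots would take `stream.*` names, which leaves the invalid-packet statistics misleading for anyone triaging malformed traffic. Registering by `DEvents[i].code` removes the dependence on row order. Codes without a row then keep whatever value the slot had at allocation, which should be confirmed against how `dtv` is initialised. The enclosing function starts outside this hunk.

```c
    /* … unchanged: defrag counter registration … */

    int i;
    for (i = 0; DEvents[i].event_name != NULL; i++) {
        const uint8_t code = DEvents[i].code;
        /* index by event code so the counter name always matches the event counted */
        if (EVENT_IS_DECODER_PACKET_ERROR(code)) {
            dtv->counter_invalid_events[code] =
                StatsRegisterCounter(DEvents[i].event_name, tv);
        }
    }

    return;
```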
uint16_t counter_flow_memcap;
+ uint16_t counter_invalid_events[DECODE_EVENT_PACKET_MAX];
/* thread data for flow logging api: only used at forced
* flow recycle during lookups */
void *output_flow_thread_data;
/* Need to get the DEvents[] array */
-#define DETECT_EVENTS
#include "detect-engine-event.h"
#include "util-unittest.h"
-#define PARSE_REGEX "\\S[0-9A-z_]+[.][A-z0-9_+]+$"
+#define PARSE_REGEX "\\S[0-9A-z_]+[.][A-z0-9_+.]+$"
static pcre *parse_regex;
static pcre_extra *parse_regex_study;
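Review bot: The `A-z` ranges kept in the new `PARSE_REGEX` also match the six ASCII characters between `Z` and `a` (the square brackets, backslash, caret, underscore and backtick), so the pattern is looser than it reads. With `.` added to the second class it now also accepts empty segments such as `decoder..name`. Spelling the ranges out keeps the added dot while rejecting the stray punctuation: `#define PARSE_REGEX "\\S[0-9A-Za-z_]+[.][A-Za-z0-9_+.]+$"`. A one-line comment above the define stating the accepted grammar (`prefix.name[.name...]`) would make the intent of the extra `.` clear.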
*/
static int DetectDecodeEventSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
{
- return _DetectEngineEventSetup(de_ctx, s, rawstr, DETECT_DECODE_EVENT);
+ char drawstr[MAX_SUBSTRINGS * 2] = "decoder.";
+
+ /* decoder:$EVENT alias command develop as decode-event:decoder.$EVENT */
+ strlcat(drawstr, rawstr, 2 * MAX_SUBSTRINGS - strlen("decoder.") - 1);
+
+ return _DetectEngineEventSetup(de_ctx, s, drawstr, DETECT_DECODE_EVENT);
}
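Review bot: `strlcat` takes the total size of the destination rather than the space left, so `2 * MAX_SUBSTRINGS - strlen("decoder.") - 1` under-uses `drawstr`, and the return value that reports truncation is discarded. A rule argument that does not fit is cut silently and the shortened string is what gets parsed, so a rule can load bound to a different event than the one written, or fail with an error that shows a name the author never typed. Suggest `if (strlcat(drawstr, rawstr, sizeof(drawstr)) >= sizeof(drawstr)) return -1;`, using whichever failure value this setup callback returns elsewhere. Sizing a text buffer from `MAX_SUBSTRINGS` also ties it to an unrelated constant, so a dedicated length would read better. Because every argument now receives the `decoder.` prefix, a rule that wrote `decode-event:stream.…` against the old table would presumably stop matching; worth confirming that is intended.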
/**
int EngineEventTestParse01 (void)
{
DetectEngineEventData *de = NULL;
- de = DetectEngineEventParse("ipv4.pkt_too_small");
+ de = DetectEngineEventParse("decoder.ipv4.pkt_too_small");
if (de) {
DetectEngineEventFree(de);
return 1;
int EngineEventTestParse02 (void)
{
DetectEngineEventData *de = NULL;
- de = DetectEngineEventParse("PPP.pkt_too_small");
+ de = DetectEngineEventParse("decoder.PPP.pkt_too_small");
if (de) {
DetectEngineEventFree(de);
return 1;
int EngineEventTestParse03 (void)
{
DetectEngineEventData *de = NULL;
- de = DetectEngineEventParse("IPV6.PKT_TOO_SMALL");
+ de = DetectEngineEventParse("decoder.IPV6.PKT_TOO_SMALL");
if (de) {
DetectEngineEventFree(de);
return 1;
int EngineEventTestParse04 (void)
{
DetectEngineEventData *de = NULL;
- de = DetectEngineEventParse("IPV6.INVALID_EVENT");
+ de = DetectEngineEventParse("decoder.IPV6.INVALID_EVENT");
if (de) {
DetectEngineEventFree(de);
return 1;
int EngineEventTestParse05 (void)
{
DetectEngineEventData *de = NULL;
- de = DetectEngineEventParse("IPV-6,INVALID_CHAR");
+ de = DetectEngineEventParse("decoder.IPV-6,INVALID_CHAR");
if (de) {
DetectEngineEventFree(de);
return 1;
ENGINE_SET_EVENT(p,PPP_PKT_TOO_SMALL);
- de = DetectEngineEventParse("ppp.pkt_too_small");
+ de = DetectEngineEventParse("decoder.ppp.pkt_too_small");
if (de == NULL)
goto error;
/* prototypes */
void DetectEngineEventRegister (void);
-/* supported decoder events */
-
-#ifdef DETECT_EVENTS
-struct DetectEngineEvents_ {
- char *event_name;
- uint8_t code;
-} DEvents[] = {
- /* IPV4 EVENTS */
- { "ipv4.pkt_too_small", IPV4_PKT_TOO_SMALL, },
- { "ipv4.hlen_too_small", IPV4_HLEN_TOO_SMALL, },
- { "ipv4.iplen_smaller_than_hlen", IPV4_IPLEN_SMALLER_THAN_HLEN, },
- { "ipv4.trunc_pkt", IPV4_TRUNC_PKT, },
-
- /* IPV4 OPTIONS */
- { "ipv4.opt_invalid", IPV4_OPT_INVALID, },
- { "ipv4.opt_invalid_len", IPV4_OPT_INVALID_LEN, },
- { "ipv4.opt_malformed", IPV4_OPT_MALFORMED, },
- { "ipv4.opt_pad_required", IPV4_OPT_PAD_REQUIRED, },
- { "ipv4.opt_eol_required", IPV4_OPT_EOL_REQUIRED, },
- { "ipv4.opt_duplicate", IPV4_OPT_DUPLICATE, },
- { "ipv4.opt_unknown", IPV4_OPT_UNKNOWN, },
- { "ipv4.wrong_ip_version", IPV4_WRONG_IP_VER, },
- { "ipv4.icmpv6", IPV4_WITH_ICMPV6, },
-
- /* ICMP EVENTS */
- { "icmpv4.pkt_too_small", ICMPV4_PKT_TOO_SMALL, },
- { "icmpv4.unknown_type", ICMPV4_UNKNOWN_TYPE, },
- { "icmpv4.unknown_code", ICMPV4_UNKNOWN_CODE, },
- { "icmpv4.ipv4_trunc_pkt", ICMPV4_IPV4_TRUNC_PKT, },
- { "icmpv4.ipv4_unknown_ver", ICMPV4_IPV4_UNKNOWN_VER, },
-
- /* ICMPv6 EVENTS */
- { "icmpv6.unknown_type", ICMPV6_UNKNOWN_TYPE,},
- { "icmpv6.unknown_code", ICMPV6_UNKNOWN_CODE,},
- { "icmpv6.pkt_too_small", ICMPV6_PKT_TOO_SMALL,},
- { "icmpv6.ipv6_unknown_version", ICMPV6_IPV6_UNKNOWN_VER,},
- { "icmpv6.ipv6_trunc_pkt", ICMPV6_IPV6_TRUNC_PKT,},
- { "icmpv6.mld_message_with_invalid_hl", ICMPV6_MLD_MESSAGE_WITH_INVALID_HL,},
- { "icmpv6.unassigned_type", ICMPV6_UNASSIGNED_TYPE,},
- { "icmpv6.experimentation_type", ICMPV6_EXPERIMENTATION_TYPE,},
-
- /* IPV6 EVENTS */
- { "ipv6.pkt_too_small", IPV6_PKT_TOO_SMALL, },
- { "ipv6.trunc_pkt", IPV6_TRUNC_PKT, },
- { "ipv6.trunc_exthdr", IPV6_TRUNC_EXTHDR, },
- { "ipv6.exthdr_dupl_fh", IPV6_EXTHDR_DUPL_FH, },
- { "ipv6.exthdr_useless_fh", IPV6_EXTHDR_USELESS_FH, },
- { "ipv6.exthdr_dupl_rh", IPV6_EXTHDR_DUPL_RH, },
- { "ipv6.exthdr_dupl_hh", IPV6_EXTHDR_DUPL_HH, },
- { "ipv6.exthdr_dupl_dh", IPV6_EXTHDR_DUPL_DH, },
- { "ipv6.exthdr_dupl_ah", IPV6_EXTHDR_DUPL_AH, },
- { "ipv6.exthdr_dupl_eh", IPV6_EXTHDR_DUPL_EH, },
- { "ipv6.exthdr_invalid_optlen", IPV6_EXTHDR_INVALID_OPTLEN, },
- { "ipv6.wrong_ip_version", IPV6_WRONG_IP_VER, },
- { "ipv6.exthdr_ah_res_not_null", IPV6_EXTHDR_AH_RES_NOT_NULL, },
- { "ipv6.hopopts_unknown_opt", IPV6_HOPOPTS_UNKNOWN_OPT, },
- { "ipv6.hopopts_only_padding", IPV6_HOPOPTS_ONLY_PADDING, },
- { "ipv6.dstopts_unknown_opt", IPV6_DSTOPTS_UNKNOWN_OPT, },
- { "ipv6.dstopts_only_padding", IPV6_DSTOPTS_ONLY_PADDING, },
- { "ipv6.rh_type_0", IPV6_EXTHDR_RH_TYPE_0, },
- { "ipv6.zero_len_padn", IPV6_EXTHDR_ZERO_LEN_PADN, },
- { "ipv6.fh_non_zero_reserved_field", IPV6_FH_NON_ZERO_RES_FIELD, },
- { "ipv6.data_after_none_header", IPV6_DATA_AFTER_NONE_HEADER, },
- { "ipv6.unknown_next_header", IPV6_UNKNOWN_NEXT_HEADER, },
- { "ipv6.icmpv4", IPV6_WITH_ICMPV4, },
-
- /* TCP EVENTS */
- { "tcp.pkt_too_small", TCP_PKT_TOO_SMALL, },
- { "tcp.hlen_too_small", TCP_HLEN_TOO_SMALL, },
- { "tcp.invalid_optlen", TCP_INVALID_OPTLEN, },
-
- /* TCP OPTIONS */
- { "tcp.opt_invalid_len", TCP_OPT_INVALID_LEN, },
- { "tcp.opt_duplicate", TCP_OPT_DUPLICATE, },
-
- /* UDP EVENTS */
- { "udp.pkt_too_small", UDP_PKT_TOO_SMALL, },
- { "udp.hlen_too_small", UDP_HLEN_TOO_SMALL, },
- { "udp.hlen_invalid", UDP_HLEN_INVALID, },
-
- /* SLL EVENTS */
- { "sll.pkt_too_small", SLL_PKT_TOO_SMALL, },
-
- /* ETHERNET EVENTS */
- { "ethernet.pkt_too_small", ETHERNET_PKT_TOO_SMALL, },
-
- /* PPP EVENTS */
- { "ppp.pkt_too_small", PPP_PKT_TOO_SMALL, },
- { "ppp.vju_pkt_too_small", PPPVJU_PKT_TOO_SMALL, },
- { "ppp.ip4_pkt_too_small", PPPIPV4_PKT_TOO_SMALL, },
- { "ppp.ip6_pkt_too_small", PPPIPV6_PKT_TOO_SMALL, },
- { "ppp.wrong_type", PPP_WRONG_TYPE, }, /** unknown & invalid protocol */
- { "ppp.unsup_proto", PPP_UNSUP_PROTO, }, /** unsupported but valid protocol */
-
- /* PPPOE EVENTS */
- { "pppoe.pkt_too_small", PPPOE_PKT_TOO_SMALL, },
- { "pppoe.wrong_code", PPPOE_WRONG_CODE, },
- { "pppoe.malformed_tags", PPPOE_MALFORMED_TAGS, },
-
- /* GRE EVENTS */
- { "gre.pkt_too_small", GRE_PKT_TOO_SMALL, },
- { "gre.wrong_version", GRE_WRONG_VERSION, },
- { "gre.version0_recur", GRE_VERSION0_RECUR, },
- { "gre.version0_flags", GRE_VERSION0_FLAGS, },
- { "gre.version0_hdr_too_big", GRE_VERSION0_HDR_TOO_BIG, },
- { "gre.version0_malformed_sre_hdr", GRE_VERSION0_MALFORMED_SRE_HDR, },
- { "gre.version1_chksum", GRE_VERSION1_CHKSUM, },
- { "gre.version1_route", GRE_VERSION1_ROUTE, },
- { "gre.version1_ssr", GRE_VERSION1_SSR, },
- { "gre.version1_recur", GRE_VERSION1_RECUR, },
- { "gre.version1_flags", GRE_VERSION1_FLAGS, },
- { "gre.version1_no_key", GRE_VERSION1_NO_KEY, },
- { "gre.version1_wrong_protocol", GRE_VERSION1_WRONG_PROTOCOL, },
- { "gre.version1_malformed_sre_hdr", GRE_VERSION1_MALFORMED_SRE_HDR, },
- { "gre.version1_hdr_too_big", GRE_VERSION1_HDR_TOO_BIG, },
-
- /* VLAN EVENTS */
- { "vlan.header_too_small",VLAN_HEADER_TOO_SMALL, },
- { "vlan.unknown_type",VLAN_UNKNOWN_TYPE, },
- { "vlan.too_many_layers", VLAN_HEADER_TOO_MANY_LAYERS, },
-
- /* RAW EVENTS */
- { "ipraw.invalid_ip_version",IPRAW_INVALID_IPV, },
-
- /* LINKTYPE NULL EVENTS */
- { "ltnull.pkt_too_small", LTNULL_PKT_TOO_SMALL, },
- { "ltnull.unsupported_type", LTNULL_UNSUPPORTED_TYPE, },
-
- /* STREAM EVENTS */
- { "stream.3whs_ack_in_wrong_dir", STREAM_3WHS_ACK_IN_WRONG_DIR, },
- { "stream.3whs_async_wrong_seq", STREAM_3WHS_ASYNC_WRONG_SEQ, },
- { "stream.3whs_right_seq_wrong_ack_evasion", STREAM_3WHS_RIGHT_SEQ_WRONG_ACK_EVASION, },
- { "stream.3whs_synack_in_wrong_direction", STREAM_3WHS_SYNACK_IN_WRONG_DIRECTION, },
- { "stream.3whs_synack_resend_with_different_ack", STREAM_3WHS_SYNACK_RESEND_WITH_DIFFERENT_ACK, },
- { "stream.3whs_synack_resend_with_diff_seq", STREAM_3WHS_SYNACK_RESEND_WITH_DIFF_SEQ, },
- { "stream.3whs_synack_toserver_on_syn_recv", STREAM_3WHS_SYNACK_TOSERVER_ON_SYN_RECV, },
- { "stream.3whs_synack_with_wrong_ack", STREAM_3WHS_SYNACK_WITH_WRONG_ACK, },
- { "stream.3whs_synack_flood", STREAM_3WHS_SYNACK_FLOOD, },
- { "stream.3whs_syn_resend_diff_seq_on_syn_recv", STREAM_3WHS_SYN_RESEND_DIFF_SEQ_ON_SYN_RECV, },
- { "stream.3whs_syn_toclient_on_syn_recv", STREAM_3WHS_SYN_TOCLIENT_ON_SYN_RECV, },
- { "stream.3whs_wrong_seq_wrong_ack", STREAM_3WHS_WRONG_SEQ_WRONG_ACK, },
- { "stream.4whs_synack_with_wrong_ack", STREAM_4WHS_SYNACK_WITH_WRONG_ACK, },
- { "stream.4whs_synack_with_wrong_syn", STREAM_4WHS_SYNACK_WITH_WRONG_SYN, },
- { "stream.4whs_wrong_seq", STREAM_4WHS_WRONG_SEQ, },
- { "stream.4whs_invalid_ack", STREAM_4WHS_INVALID_ACK, },
- { "stream.closewait_ack_out_of_window", STREAM_CLOSEWAIT_ACK_OUT_OF_WINDOW, },
- { "stream.closewait_fin_out_of_window", STREAM_CLOSEWAIT_FIN_OUT_OF_WINDOW, },
- { "stream.closewait_pkt_before_last_ack", STREAM_CLOSEWAIT_PKT_BEFORE_LAST_ACK, },
- { "stream.closewait_invalid_ack", STREAM_CLOSEWAIT_INVALID_ACK, },
- { "stream.closing_ack_wrong_seq", STREAM_CLOSING_ACK_WRONG_SEQ, },
- { "stream.closing_invalid_ack", STREAM_CLOSING_INVALID_ACK, },
- { "stream.est_packet_out_of_window", STREAM_EST_PACKET_OUT_OF_WINDOW, },
- { "stream.est_pkt_before_last_ack", STREAM_EST_PKT_BEFORE_LAST_ACK, },
- { "stream.est_synack_resend", STREAM_EST_SYNACK_RESEND, },
- { "stream.est_synack_resend_with_different_ack", STREAM_EST_SYNACK_RESEND_WITH_DIFFERENT_ACK, },
- { "stream.est_synack_resend_with_diff_seq", STREAM_EST_SYNACK_RESEND_WITH_DIFF_SEQ, },
- { "stream.est_synack_toserver", STREAM_EST_SYNACK_TOSERVER, },
- { "stream.est_syn_resend", STREAM_EST_SYN_RESEND, },
- { "stream.est_syn_resend_diff_seq", STREAM_EST_SYN_RESEND_DIFF_SEQ, },
- { "stream.est_syn_toclient", STREAM_EST_SYN_TOCLIENT, },
- { "stream.est_invalid_ack", STREAM_EST_INVALID_ACK, },
- { "stream.fin_invalid_ack", STREAM_FIN_INVALID_ACK, },
- { "stream.fin1_ack_wrong_seq", STREAM_FIN1_ACK_WRONG_SEQ, },
- { "stream.fin1_fin_wrong_seq", STREAM_FIN1_FIN_WRONG_SEQ, },
- { "stream.fin1_invalid_ack", STREAM_FIN1_INVALID_ACK, },
- { "stream.fin2_ack_wrong_seq", STREAM_FIN2_ACK_WRONG_SEQ, },
- { "stream.fin2_fin_wrong_seq", STREAM_FIN2_FIN_WRONG_SEQ, },
- { "stream.fin2_invalid_ack", STREAM_FIN2_INVALID_ACK, },
- { "stream.fin_but_no_session", STREAM_FIN_BUT_NO_SESSION, },
- { "stream.fin_out_of_window", STREAM_FIN_OUT_OF_WINDOW, },
- { "stream.lastack_ack_wrong_seq", STREAM_LASTACK_ACK_WRONG_SEQ, },
- { "stream.lastack_invalid_ack", STREAM_LASTACK_INVALID_ACK, },
- { "stream.rst_but_no_session", STREAM_RST_BUT_NO_SESSION, },
- { "stream.timewait_ack_wrong_seq", STREAM_TIMEWAIT_ACK_WRONG_SEQ, },
- { "stream.timewait_invalid_ack", STREAM_TIMEWAIT_INVALID_ACK, },
- { "stream.pkt_invalid_timestamp", STREAM_PKT_INVALID_TIMESTAMP, },
- { "stream.pkt_invalid_ack", STREAM_PKT_INVALID_ACK, },
- { "stream.pkt_broken_ack", STREAM_PKT_BROKEN_ACK, },
- { "stream.rst_invalid_ack", STREAM_RST_INVALID_ACK, },
- { "stream.shutdown_syn_resend", STREAM_SHUTDOWN_SYN_RESEND, },
- { "stream.pkt_retransmission", STREAM_PKT_RETRANSMISSION, },
- { "stream.reassembly_segment_before_base_seq", STREAM_REASSEMBLY_SEGMENT_BEFORE_BASE_SEQ, },
- { "stream.reassembly_no_segment", STREAM_REASSEMBLY_NO_SEGMENT, },
- { "stream.reassembly_seq_gap", STREAM_REASSEMBLY_SEQ_GAP, },
- { "stream.reassembly_overlap_different_data", STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA, },
- { "stream.pkt_bad_window_update", STREAM_PKT_BAD_WINDOW_UPDATE, },
-
- /* SCTP EVENTS */
- { "sctp.pkt_too_small", SCTP_PKT_TOO_SMALL, },
-
- /* Fragmentation reasembly events. */
- { "ipv4.frag_too_large", IPV4_FRAG_PKT_TOO_LARGE, },
- { "ipv6.frag_too_large", IPV6_FRAG_PKT_TOO_LARGE, },
- { "ipv4.frag_overlap", IPV4_FRAG_OVERLAP, },
- { "ipv6.frag_overlap", IPV6_FRAG_OVERLAP, },
- /* Fragment ignored due to internal error */
- { "ipv4.frag_ignored", IPV4_FRAG_IGNORED, },
- { "ipv6.frag_ignored", IPV6_FRAG_IGNORED, },
-
- /* IPv4 in IPv6 events */
- { "ipv6.ipv4_in_ipv6_too_small", IPV4_IN_IPV6_PKT_TOO_SMALL, },
- { "ipv6.ipv4_in_ipv6_wrong_version", IPV4_IN_IPV6_WRONG_IP_VER, },
- /* IPv6 in IPv6 events */
- { "ipv6.ipv6_in_ipv6_too_small", IPV6_IN_IPV6_PKT_TOO_SMALL, },
- { "ipv6.ipv6_in_ipv6_wrong_version", IPV6_IN_IPV6_WRONG_IP_VER, },
-
- /* MPLS events */
- { "mpls.bad_label_router_alert", MPLS_BAD_LABEL_ROUTER_ALERT, },
- { "mpls.bad_label_implicit_null", MPLS_BAD_LABEL_IMPLICIT_NULL, },
- { "mpls.bad_label_reserved", MPLS_BAD_LABEL_RESERVED, },
- { "mpls.unknown_payload_type", MPLS_UNKNOWN_PAYLOAD_TYPE, },
-
- /* ERSPAN events */
- { "erspan.header_too_small", ERSPAN_HEADER_TOO_SMALL, },
- { "erspan.unsupported_version", ERSPAN_UNSUPPORTED_VERSION, },
- { "erspan.too_many_vlan_layers", ERSPAN_TOO_MANY_VLAN_LAYERS, },
-
- { NULL, 0 },
-};
-#endif /* DETECT_EVENTS */
-
#endif /*__DETECT_ENGINE_EVENT_H__ */