Pull request #4665: unified2 : add packet dump to unified event with reassembled...

Merge in SNORT/snort3 from ~SHIBOSE/snort3:unified_udp_data to master

Squashed commit of the following:

commit e351244d1ffb8e22a6bf706f217d434101604931
Author: shibose <shibose@cisco.com>
Date:   Wed Mar 12 15:15:41 2025 +0000

    unified2 : add packet dump to unified event with reassembled udp packet

diff --git a/src/log/u2_packet.cc b/src/log/u2_packet.cc
index bedbc39dbd2b842c29971db2448527cc744e4716..c4b7e8c2bc81b09db4e5a8688f21f85169774db7 100644 (file)
--- a/src/log/u2_packet.cc
+++ b/src/log/u2_packet.cc
@@ -43,19 +43,30 @@ static const uint8_t u2_ttl = 64;
 U2PseudoHeader::U2PseudoHeader(const Packet* p)
 {
     assert(p->flow);
-
+    
     if ( p->flow->key->version == 0x4 )
     {
         cook_eth(p, u.v4.eth);
         cook_ip4(p, u.v4.ip4);
-        cook_tcp(p, u.v4.tcp);
+        memset(&(u.v4.proto), 0, sizeof(u.v4.proto));
+        if (p->ip_proto_next == IpProtocol::UDP)
+            cook_udp(p, u.v4.proto.udp);
+        else
+            cook_tcp(p, u.v4.proto.tcp);
+
         size = sizeof(u.v4) - offset;
     }
     else if ( p->flow->key->version == 0x6 )
     {
         cook_eth(p, u.v6.eth);
         cook_ip6(p, u.v6.ip6);
-        cook_tcp(p, u.v6.tcp);
+        memset(&(u.v6.proto), 0, sizeof(u.v6.proto));
+
+        if (p->ip_proto_next == IpProtocol::UDP)
+            cook_udp(p, u.v6.proto.udp);
+        else
+            cook_tcp(p, u.v6.proto.tcp);
+        
         size = sizeof(u.v6) - offset;
     }
     else size = 0;
@@ -98,7 +109,9 @@ void U2PseudoHeader::cook_eth(const Packet* p, eth::EtherHdr& h)
 
 void U2PseudoHeader::cook_ip4(const Packet* p, ip::IP4Hdr& h)
 {
-    const uint16_t overhead = sizeof(h) + sizeof(tcp::TCPHdr);
+    const uint16_t overhead = (p->ip_proto_next == IpProtocol::UDP) ? 
+            (sizeof(h) + sizeof(udp::UDPHdr)) : (sizeof(h) + sizeof(tcp::TCPHdr));
+
     const uint16_t max_data = IP_MAXPACKET - overhead;
     dsize = p->dsize;
 
@@ -107,7 +120,12 @@ void U2PseudoHeader::cook_ip4(const Packet* p, ip::IP4Hdr& h)
 
     h.ip_verhl = 0x45;
     h.ip_len = htons(overhead + dsize);
-    h.ip_proto = IpProtocol::TCP;
+
+    if (p->ip_proto_next == IpProtocol::UDP)
+        h.ip_proto = IpProtocol::UDP;
+    else
+        h.ip_proto = IpProtocol::TCP;
+
     h.ip_ttl = u2_ttl;
 
     if (p->is_from_client())
@@ -129,7 +147,9 @@ void U2PseudoHeader::cook_ip4(const Packet* p, ip::IP4Hdr& h)
 
 void U2PseudoHeader::cook_ip6(const Packet* p, ip::IP6Hdr& h)
 {
-    const uint16_t overhead = sizeof(tcp::TCPHdr);
+    const uint16_t overhead = (p->ip_proto_next == IpProtocol::UDP) ? 
+                                sizeof(udp::UDPHdr) : sizeof(tcp::TCPHdr);
+
     const uint16_t max_data = IP_MAXPACKET - overhead;
     dsize = p->dsize;
 
@@ -138,7 +158,12 @@ void U2PseudoHeader::cook_ip6(const Packet* p, ip::IP6Hdr& h)
 
     h.ip6_vtf = htonl(0x60 << 24);
     h.ip6_payload_len = htons(overhead + dsize);
-    h.ip6_next = IpProtocol::TCP;
+
+    if (p->ip_proto_next == IpProtocol::UDP)
+        h.ip6_next = IpProtocol::UDP;
+    else
+        h.ip6_next = IpProtocol::TCP;
+
     h.ip6_hoplim = u2_ttl;
 
     if (p->is_from_client())
@@ -153,6 +178,14 @@ void U2PseudoHeader::cook_ip6(const Packet* p, ip::IP6Hdr& h)
     }
 }
 
+void U2PseudoHeader::cook_udp(const Packet* p, udp::UDPHdr& h)
+{
+    h.uh_sport = htons(p->ptrs.sp);
+    h.uh_dport = htons(p->ptrs.dp);
+    h.uh_len = 0;
+    h.uh_len = htons(sizeof(h) + p->dsize);
+}
+
 void U2PseudoHeader::cook_tcp(const Packet* p, tcp::TCPHdr& h)
 {
     h.th_sport = htons(p->ptrs.sp);

diff --git a/src/log/u2_packet.h b/src/log/u2_packet.h
index fc82cd10dfa3afd5a4e80be51f7c6d02f18fe94e..1cea3358d53a97000d3a2fe11c6353948ffc78c0 100644 (file)
--- a/src/log/u2_packet.h
+++ b/src/log/u2_packet.h
@@ -28,6 +28,7 @@
 #include "protocols/ipv4.h"
 #include "protocols/ipv6.h"
 #include "protocols/tcp.h"
+#include "protocols/udp.h"
 
 #include "main/snort_types.h"
 
@@ -49,6 +50,7 @@ private:
     void cook_ip4(const Packet*, ip::IP4Hdr&);
     void cook_ip6(const Packet*, ip::IP6Hdr&);
     void cook_tcp(const Packet*, tcp::TCPHdr&);
+    void cook_udp(const Packet*, udp::UDPHdr&);
 
     static const unsigned offset = 2;
     static const unsigned max_size =
@@ -64,7 +66,11 @@ private:
             uint8_t align[offset];
             eth::EtherHdr eth;
             ip::IP4Hdr ip4;
-            tcp::TCPHdr tcp;
+            union
+            {
+                tcp::TCPHdr tcp;
+                udp::UDPHdr udp;
+            } proto;
         } v4;
 
         struct
@@ -72,7 +78,11 @@ private:
             uint8_t align[offset];
             eth::EtherHdr eth;
             ip::IP6Hdr ip6;
-            tcp::TCPHdr tcp;
+            union
+            {
+                tcp::TCPHdr tcp;
+                udp::UDPHdr udp;
+            } proto;
         } v6;
 
         uint8_t buf[max_size];