#include "config.h"
#endif
+#include <daq.h>
#include <daq_dlt.h>
#include <random>
// set the api now since this layer has been verified as valid
snort.ip_api.set(iph);
// update to real IP when needed
- if ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_ADDRESSES) and codec.ip_layer_cnt == 1)
+ const DAQ_NAPTInfo_t* napti = (const DAQ_NAPTInfo_t*) daq_msg_get_meta(raw.daq_msg, DAQ_PKT_META_NAPT_INFO);
+ if (napti && codec.ip_layer_cnt == 1)
{
SfIp real_src;
SfIp real_dst;
- real_src.set(&raw.pkth->real_sIP,
- ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_SIP_V6) ? AF_INET6 : AF_INET));
- real_dst.set(&raw.pkth->real_dIP,
- ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_DIP_V6) ? AF_INET6 : AF_INET));
+ real_src.set(&napti->src_addr, daq_napt_info_src_addr_family(napti));
+ real_dst.set(&napti->dst_addr, daq_napt_info_dst_addr_family(napti));
snort.ip_api.update(real_src, real_dst);
}
#include "config.h"
#endif
+#include <daq.h>
#include <daq_dlt.h>
#include "codecs/codec_module.h"
snort.ip_api.set(ip6h);
// update to real IP when needed
- if ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_ADDRESSES) and codec.ip_layer_cnt == 1)
+ const DAQ_NAPTInfo_t* napti = (const DAQ_NAPTInfo_t*) daq_msg_get_meta(raw.daq_msg, DAQ_PKT_META_NAPT_INFO);
+ if (napti && codec.ip_layer_cnt == 1)
{
SfIp real_src;
SfIp real_dst;
- real_src.set(&raw.pkth->real_sIP,
- ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_SIP_V6) ? AF_INET6 : AF_INET));
- real_dst.set(&raw.pkth->real_dIP,
- ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_DIP_V6) ? AF_INET6 : AF_INET));
+ real_src.set(&napti->src_addr, daq_napt_info_src_addr_family(napti));
+ real_dst.set(&napti->dst_addr, daq_napt_info_dst_addr_family(napti));
snort.ip_api.update(real_src, real_dst);
}
#include "config.h"
#endif
+#include <daq.h>
+
#include "codecs/codec_module.h"
#include "framework/codec.h"
#include "log/log.h"
snort.set_pkt_type(PktType::TCP);
snort.tcph = tcph;
- if ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_ADDRESSES) and (codec.ip_layer_cnt == 1))
+ const DAQ_NAPTInfo_t* napti = (const DAQ_NAPTInfo_t*) daq_msg_get_meta(raw.daq_msg, DAQ_PKT_META_NAPT_INFO);
+ if (napti && codec.ip_layer_cnt == 1)
{
- snort.sp = ntohs(raw.pkth->n_real_sPort);
- snort.dp = ntohs(raw.pkth->n_real_dPort);
+ snort.sp = ntohs(napti->src_port);
+ snort.dp = ntohs(napti->dst_port);
}
else
{
#include "config.h"
#endif
+#include <daq.h>
+
#include "codecs/codec_module.h"
#include "framework/codec.h"
#include "log/text_log.h"
uint16_t src_port;
uint16_t dst_port;
- if ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_ADDRESSES) and (codec.ip_layer_cnt == 1))
+ const DAQ_NAPTInfo_t* napti = (const DAQ_NAPTInfo_t*) daq_msg_get_meta(raw.daq_msg, DAQ_PKT_META_NAPT_INFO);
+ if (napti && codec.ip_layer_cnt == 1)
{
- src_port = ntohs(raw.pkth->n_real_sPort);
- dst_port = ntohs(raw.pkth->n_real_dPort);
+ src_port = ntohs(napti->src_port);
+ dst_port = ntohs(napti->dst_port);
}
else
{
#include "config.h"
#endif
+#include <daq.h>
+
#include "codecs/codec_module.h"
#include "framework/codec.h"
#include "log/text_log.h"
codec.lyr_len = sizeof(vlan::VlanTagHdr);
- if (raw.pkth->flags & DAQ_PKT_FLAG_IGNORE_VLAN)
+ const DAQ_PktHdr_t* pkth = daq_msg_get_pkthdr(raw.daq_msg);
+ if (pkth->flags & DAQ_PKT_FLAG_IGNORE_VLAN)
return true;
// Vlan IDs 0 and 4095 are reserved.
{
ip::IpApi* ip_api = &p->ptrs.ip_api;
+ // FIXIT-M This does not work properly for NAT "real" v6 addresses on top of v4 packet data
+ // (it will only compare a portion of the address)
if (ip_api->is_ip4())
{
if (ip_api->get_src()->fast_eq4(client_ip))
return (flow->ssn_state.session_flags & bidir) == bidir;
}
-// FIXIT-L init_roles* should take const Packet*
-static void init_roles_ip(Packet* p, Flow* flow)
+static void init_roles_ip(const Packet* p, Flow* flow)
{
flow->ssn_state.direction = FROM_CLIENT;
flow->client_ip.set(*p->ptrs.ip_api.get_src());
flow->server_ip.set(*p->ptrs.ip_api.get_dst());
}
-static void init_roles_tcp(Packet* p, Flow* flow)
+static void init_roles_tcp(const Packet* p, Flow* flow)
{
if ( p->ptrs.tcph->is_syn_only() )
{
flow->ssn_state.direction = FROM_CLIENT;
flow->client_ip.set(*p->ptrs.ip_api.get_src());
- flow->client_port = ntohs(p->ptrs.tcph->th_sport);
+ flow->client_port = p->ptrs.sp;
flow->server_ip.set(*p->ptrs.ip_api.get_dst());
- flow->server_port = ntohs(p->ptrs.tcph->th_dport);
+ flow->server_port = p->ptrs.dp;
}
else if ( p->ptrs.tcph->is_syn_ack() )
{
flow->ssn_state.direction = FROM_SERVER;
flow->client_ip.set(*p->ptrs.ip_api.get_dst());
- flow->client_port = ntohs(p->ptrs.tcph->th_dport);
+ flow->client_port = p->ptrs.dp;
flow->server_ip.set(*p->ptrs.ip_api.get_src());
- flow->server_port = ntohs(p->ptrs.tcph->th_sport);
+ flow->server_port = p->ptrs.sp;
}
else if (p->ptrs.sp > p->ptrs.dp)
{
flow->ssn_state.direction = FROM_CLIENT;
flow->client_ip.set(*p->ptrs.ip_api.get_src());
- flow->client_port = ntohs(p->ptrs.tcph->th_sport);
+ flow->client_port = p->ptrs.sp;
flow->server_ip.set(*p->ptrs.ip_api.get_dst());
- flow->server_port = ntohs(p->ptrs.tcph->th_dport);
+ flow->server_port = p->ptrs.dp;
}
else
{
flow->ssn_state.direction = FROM_SERVER;
flow->client_ip.set(*p->ptrs.ip_api.get_dst());
- flow->client_port = ntohs(p->ptrs.tcph->th_dport);
+ flow->client_port = p->ptrs.dp;
flow->server_ip.set(*p->ptrs.ip_api.get_src());
- flow->server_port = ntohs(p->ptrs.tcph->th_sport);
+ flow->server_port = p->ptrs.sp;
}
}
-static void init_roles_udp(Packet* p, Flow* flow)
+static void init_roles_udp(const Packet* p, Flow* flow)
{
flow->ssn_state.direction = FROM_CLIENT;
flow->client_ip.set(*p->ptrs.ip_api.get_src());
- flow->client_port = ntohs(p->ptrs.udph->uh_sport);
+ flow->client_port = p->ptrs.sp;
flow->server_ip.set(*p->ptrs.ip_api.get_dst());
- flow->server_port = ntohs(p->ptrs.udph->uh_dport);
+ flow->server_port = p->ptrs.dp;
}
-static void init_roles_user(Packet* p, Flow* flow)
+static void init_roles_user(const Packet* p, Flow* flow)
{
if ( p->ptrs.decode_flags & DECODE_C2S )
{
}
}
+// FIXIT-L init_roles should take const Packet*
static void init_roles(Packet* p, Flow* flow)
{
switch ( flow->pkt_type )
* that IP is stored in port_l.
*/
- if (srcIP->is_ip4())
+ if (srcIP->is_ip4() && dstIP->is_ip4())
{
version = 4;
reversed = init4(ip_proto, srcIP, srcPort, dstIP, dstPort, mplsId);
uint16_t srcPort = id & 0xFFFF;
uint16_t dstPort = id >> 16;
- if (srcIP->is_ip4())
+ if (srcIP->is_ip4() && dstIP->is_ip4())
{
version = 4;
init4(ip_proto, srcIP, srcPort, dstIP, dstPort, mplsId, false);
struct TextLog;
struct _daq_msg;
-struct _daq_pkt_hdr;
namespace snort
{
struct RawData
{
const struct _daq_msg* daq_msg;
- const _daq_pkt_hdr* pkth;
const uint8_t* data;
uint32_t len;
- RawData(const struct _daq_msg* daq_msg, const _daq_pkt_hdr* pkth, const uint8_t* data, uint32_t len) :
- daq_msg(daq_msg), pkth(pkth), data(data), len(len) { }
+ RawData(const struct _daq_msg* daq_msg, const uint8_t* data, uint32_t len) :
+ daq_msg(daq_msg), data(data), len(len) { }
};
/* Decode Flags */
#include "pp_codec_iface.h"
+#include <daq_common.h>
+
#include "framework/codec.h"
#include "lua/lua_arg.h"
#include "log/text_log.h"
#include "pp_buffer_iface.h"
#include "pp_codec_data_iface.h"
-#include "pp_daq_pkthdr_iface.h"
#include "pp_decode_data_iface.h"
#include "pp_enc_state_iface.h"
#include "pp_flow_iface.h"
{
bool result;
- auto& daq = DAQHeaderIface.get(L, 1);
auto& cd = CodecDataIface.get(L, 3);
auto& dd = DecodeDataIface.get(L, 4);
auto& self = CodecIface.get(L);
+ size_t len = 0;
+ const uint8_t* data;
+
if ( RawBufferIface.is(L, 2) )
{
- RawData rd(nullptr, &daq, get_data(RawBufferIface.get(L, 2)), get_data_length(RawBufferIface.get(L, 2)));
- result = self.decode(rd, cd, dd);
+ data = get_data(RawBufferIface.get(L, 2));
+ len = get_data_length(RawBufferIface.get(L, 2));
}
else
- {
- size_t len = 0;
- const uint8_t* data = reinterpret_cast<const uint8_t*>(luaL_checklstring(L, 2, &len));
- RawData rd(nullptr, &daq, data, len);
-
- result = self.decode(rd, cd, dd);
- }
+ data = reinterpret_cast<const uint8_t*>(luaL_checklstring(L, 2, &len));
+
+ // Create a fake DAQ packet message to pass through decoding since there is assumed to
+ // be one. The constness of the data should be safe since codecs shouldn't attempt to
+ // modify message data.
+ DAQ_PktHdr_t daq_pkth = { };
+ daq_pkth.pktlen = len;
+ DAQ_Msg_t daq_msg = { };
+ daq_msg.type = DAQ_MSG_TYPE_PACKET;
+ daq_msg.hdr = &daq_pkth;
+ daq_msg.hdr_len = sizeof(daq_pkth);
+ daq_msg.data = const_cast<uint8_t*>(data);
+ daq_msg.data_len = len;
+
+ RawData rd(&daq_msg, daq_msg.data, daq_msg.data_len);
+ result = self.decode(rd, cd, dd);
lua_pushboolean(L, result);
ProtocolIndex mapped_prot = CodecManager::grinder;
ProtocolId prev_prot_id = CodecManager::grinder_id;
- RawData raw(p->daq_msg, pkthdr, pkt, pktlen);
+ RawData raw(p->daq_msg, pkt, pktlen);
CodecData codec_data(ProtocolId::FINISHED_DECODE);
if ( cooked )
if ( !phdr )
phdr = p->pkth;
- DAQ_PktHdr_t* pkth = const_cast<DAQ_PktHdr_t*>(c->pkth);
+ assert(c->pkth == c->context->pkth);
+ DAQ_PktHdr_t* pkth = c->context->pkth;
pkth->ingress_index = phdr->ingress_index;
pkth->ingress_group = phdr->ingress_group;
pkth->egress_index = phdr->egress_index;
pkth->flags = phdr->flags & (~DAQ_PKT_FLAG_HW_TCP_CS_GOOD);
pkth->address_space_id = phdr->address_space_id;
pkth->opaque = opaque;
- if (pkth->flags & DAQ_PKT_FLAG_REAL_ADDRESSES)
- {
- pkth->n_real_sPort = phdr->n_real_sPort;
- pkth->n_real_dPort = phdr->n_real_dPort;
- pkth->real_sIP = phdr->real_sIP;
- pkth->real_dIP = phdr->real_dIP;
- }
}
//-------------------------------------------------------------------------
c->user_network_policy_id = p->user_network_policy_id;
// setup pkt capture header
- DAQ_PktHdr_t* pkth = const_cast<DAQ_PktHdr_t*>(c->pkth);
c->pktlen = 0;
- pkth->pktlen = 0;
- pkth->ts = p->pkth->ts;
+ assert(c->pkth == c->context->pkth);
+ c->context->pkth->pktlen = 0;
+ c->context->pkth->ts = p->pkth->ts;
total_rebuilt_pkts++;
return 0;
c->user_network_policy_id = p->user_network_policy_id;
// setup pkt capture header
- DAQ_PktHdr_t* pkth = const_cast<DAQ_PktHdr_t*>(c->pkth);
c->pktlen = len;
- pkth->pktlen = len;
- pkth->ts = p->pkth->ts;
+ assert(c->pkth == c->context->pkth);
+ c->context->pkth->pktlen = len;
+ c->context->pkth->ts = p->pkth->ts;
layer::set_packet_pointer(c); // ensure we are looking at the new packet
total_rebuilt_pkts++;
tmp_api, flags, const_cast<uint8_t*>(l.start), l.length, len);
}
- // see IP6_Update() for an explanation of this ...
if ( !(p->packet_flags & PKT_MODIFIED) || (p->packet_flags & PKT_RESIZED) )
{
- DAQ_PktHdr_t* pkth = const_cast<DAQ_PktHdr_t*>(p->pkth);
p->pktlen = len;
- pkth->pktlen = len;
+ // Only attempt to update the DAQ packet header for manufactured (defragged) packets. If
+ // this is the original wire packet, leave the header alone; the drop/inject for resize
+ // will use pktlen from Packet for the injection length.
+ // FIXIT-L there should be a better way to detect that this is manufactured packet
+ if (p->pkth == p->context->pkth)
+ p->context->pkth->pktlen = len;
}
}
}
daq_flags = p->pkth->flags;
address_space_id = p->pkth->address_space_id;
- if (daq_flags & DAQ_PKT_FLAG_REAL_ADDRESSES)
- {
- memcpy(real_src_ip.u6_addr8, &p->pkth->real_sIP, sizeof(ip::snort_in6_addr));
- memcpy(real_dst_ip.u6_addr8, &p->pkth->real_dIP, sizeof(ip::snort_in6_addr));
- real_src_port = p->pkth->n_real_sPort;
- real_dst_port = p->pkth->n_real_dPort;
- }
}
void TcpStreamSession::GetPacketHeaderFoo(DAQ_PktHdr_t* pkth, uint32_t dir)
pkth->opaque = 0;
pkth->flags = daq_flags;
pkth->address_space_id = address_space_id;
- if (daq_flags & DAQ_PKT_FLAG_REAL_ADDRESSES)
- {
- memcpy(&pkth->real_sIP, real_src_ip.u6_addr8, sizeof(ip::snort_in6_addr));
- memcpy(&pkth->real_dIP, real_dst_ip.u6_addr8, sizeof(ip::snort_in6_addr));
- pkth->n_real_sPort = real_src_port;
- pkth->n_real_dPort = real_dst_port;
- }
}
void TcpStreamSession::SwapPacketHeaderFoo()
TcpStreamConfig* config = nullptr;
TcpEventLogger tel;
-private:
- snort::ip::snort_in6_addr real_src_ip;
- snort::ip::snort_in6_addr real_dst_ip;
- uint16_t real_src_port = 0;
- uint16_t real_dst_port = 0;
-
protected:
TcpStreamSession(snort::Flow*);
virtual void set_os_policy() = 0;
if (tsd.get_pkt()->packet_flags & PKT_IGNORE)
return;
- SetPacketHeaderFoo(tsd.get_pkt() );
+ SetPacketHeaderFoo(tsd.get_pkt());
if ( flow_exceeds_config_thresholds(tsd) )
return;
projects / thirdparty / snort3.git / commitdiff
