decode: support Cisco Fabric Path / DCE

author Jason Ish <ish@unx.ca>

Sun, 14 Aug 2016 18:44:51 +0000 (12:44 -0600)

committer Jason Ish <ish@unx.ca>

Fri, 26 Aug 2016 14:39:40 +0000 (08:39 -0600)
author Jason Ish <ish@unx.ca>
Sun, 14 Aug 2016 18:44:51 +0000 (12:44 -0600)
committer Jason Ish <ish@unx.ca>
Fri, 26 Aug 2016 14:39:40 +0000 (08:39 -0600)
diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules

index 4a20197fd5c3c9c74972878817088cbe18604fb8..7240ea06785bdda1f3e154ddbcbdf61799812a2d 100644 (file)
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -137,5 +137,8 @@ alert pkthdr any any -> any any (msg:"SURICATA ERSPAN pkt too small"; decode-eve
  alert pkthdr any any -> any any (msg:"SURICATA ERSPAN unsupported version"; decode-event:erspan.unsupported_version; sid: 2200106; rev:1;)
  alert pkthdr any any -> any any (msg:"SURICATA ERSPAN too many vlan layers"; decode-event:erspan.too_many_vlan_layers; sid: 2200107; rev:1;)
  
-# next sid is 2200110
+# Cisco Fabric Path/DCE
+alert pkthdr any any -> any any (msg:"SURICATA DCE packet too small"; decode-event:dce.pkt_too_small; sid:2200110; rev:1;)
+
+# next sid is 2200111
  
diff --git a/src/decode-ethernet.c b/src/decode-ethernet.c

index cd82886c6bb6b094448398fbe99932ec78e6efbf..1c5e83e97a5e41c71c6e988b8f6b99c7827b9ea9 100644 (file)
--- a/src/decode-ethernet.c
+++ b/src/decode-ethernet.c
@@ -85,6 +85,14 @@ int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
              DecodeMPLS(tv, dtv, p, pkt + ETHERNET_HEADER_LEN,
                         len - ETHERNET_HEADER_LEN, pq);
              break;
+        case ETHERNET_TYPE_DCE:
+            if (unlikely(len < ETHERNET_DCE_HEADER_LEN)) {
+                ENGINE_SET_INVALID_EVENT(p, DCE_PKT_TOO_SMALL);
+            } else {
+                DecodeEthernet(tv, dtv, p, pkt + ETHERNET_DCE_HEADER_LEN,
+                    len - ETHERNET_DCE_HEADER_LEN, pq);
+            }
+            break;
          default:
              SCLogDebug("p %p pkt %p ether type %04x not supported", p,
                         pkt, ntohs(p->ethh->eth_type));
diff --git a/src/decode-ethernet.h b/src/decode-ethernet.h

index 094d2548e785fbac60ccb78a697f15748507e7d0..33f443da84a30c15441b3fbf61ffaaa2d134bf18 100644 (file)
--- a/src/decode-ethernet.h
+++ b/src/decode-ethernet.h
@@ -26,6 +26,9 @@
  
  #define ETHERNET_HEADER_LEN           14
  
+/* Cisco Fabric Path / DCE header length. */
+#define ETHERNET_DCE_HEADER_LEN       ETHERNET_HEADER_LEN + 2
+
  /* Ethernet types -- taken from Snort and Libdnet */
  #define ETHERNET_TYPE_PUP             0x0200 /* PUP protocol */
  #define ETHERNET_TYPE_IP              0x0800
@@ -42,6 +45,8 @@
  #define ETHERNET_TYPE_LOOP            0x9000
  #define ETHERNET_TYPE_8021QINQ        0x9100
  #define ETHERNET_TYPE_ERSPAN          0x88BE
+#define ETHERNET_TYPE_DCE             0x8903 /* Data center ethernet,
+                                              * Cisco Fabric Path */
  
  typedef struct EthernetHdr_ {
      uint8_t eth_dst[6];
diff --git a/src/decode-events.c b/src/decode-events.c

index f4a5bdd1ca812106952ff6f7c08adfc6ceebfdc3..d7e4ecc946c568dc6718663997d51f082af9fb4f 100644 (file)
--- a/src/decode-events.c
+++ b/src/decode-events.c
@@ -178,6 +178,9 @@ const struct DecodeEvents_ DEvents[] = {
      { "decoder.erspan.unsupported_version", ERSPAN_UNSUPPORTED_VERSION, },
      { "decoder.erspan.too_many_vlan_layers", ERSPAN_TOO_MANY_VLAN_LAYERS, },
  
+    /* Cisco Fabric Path/DCE events. */
+    { "decoder.dce.pkt_too_small", DCE_PKT_TOO_SMALL, },
+
      /* STREAM EVENTS */
      { "stream.3whs_ack_in_wrong_dir", STREAM_3WHS_ACK_IN_WRONG_DIR, },
      { "stream.3whs_async_wrong_seq", STREAM_3WHS_ASYNC_WRONG_SEQ, },
diff --git a/src/decode-events.h b/src/decode-events.h

index 8e7395254300652cdf2908fb5c4cb5f51b05f9cb..2d249aba16831f0c295679170b4afda19c291e27 100644 (file)
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -187,6 +187,9 @@ enum {
      ERSPAN_UNSUPPORTED_VERSION,
      ERSPAN_TOO_MANY_VLAN_LAYERS,
  
+    /* Cisco Fabric Path/DCE events. */
+    DCE_PKT_TOO_SMALL,
+
      /* END OF DECODE EVENTS ON SINGLE PACKET */
      DECODE_EVENT_PACKET_MAX,
author	Jason Ish <ish@unx.ca>
	Sun, 14 Aug 2016 18:44:51 +0000 (12:44 -0600)
committer	Jason Ish <ish@unx.ca>
	Fri, 26 Aug 2016 14:39:40 +0000 (08:39 -0600)
rules/decoder-events.rules		patch \| blob \| blame \| history
src/decode-ethernet.c		patch \| blob \| blame \| history
src/decode-ethernet.h		patch \| blob \| blame \| history
src/decode-events.c		patch \| blob \| blame \| history
src/decode-events.h		patch \| blob \| blame \| history