"event": {
"type": "object",
"properties": {
+ "afpacket": {
+ "type": "object",
+ "properties": {
+ "trunc_pkt": {
+ "description":
+ "Number of packets truncated by AF_PACKET",
+ "type": "integer"
+ }
+ },
+ "additionalProperties": false
+ },
"chdlc": {
"type": "object",
"properties": {
alert pkthdr any any -> any any (msg:"SURICATA packet with too many layers"; decode-event:too_many_layers; classtype:protocol-command-decode; sid:2200116; rev:1;)
-# next sid is 2200121
+# Capture events.
+alert pkthdr any any -> any any (msg:"SURICATA AF-PACKET truncated packet"; decode-event:afpacket.trunc_pkt; classtype:protocol-command-decode; sid:2200122; rev:1;)
+
+# next sid is 2200123
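Review bot: The new rule takes `sid:2200122` although the removed trailer said the next free sid was 2200121, so this hunk leaves 2200121 unused. If that id is reserved for a rule landing elsewhere, a short marker such as `# sid 2200121 reserved` next to the trailer would save the next contributor from reusing it or hunting for it; otherwise the rule should take 2200121 and the trailer should read 2200122.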
/* code moved to app-layer-events */
const struct DecodeEvents_ DEvents[] = {
+ /* CAPTURE EVENTS */
+ {
+ "decoder.afpacket.trunc_pkt",
+ AFP_TRUNC_PKT,
+ },
/* IPV4 EVENTS */
{
"decoder.ipv4.pkt_too_small",
/* packet decoder events */
enum {
+ /* AF_PACKET EVENTS */
+ AFP_TRUNC_PKT = 0, /**< packet truncated by af-packet */
+
/* IPV4 EVENTS */
- IPV4_PKT_TOO_SMALL = 0, /**< ipv4 pkt smaller than minimum header size */
+ IPV4_PKT_TOO_SMALL, /**< ipv4 pkt smaller than minimum header size */
IPV4_HLEN_TOO_SMALL, /**< ipv4 header smaller than minimum size */
IPV4_IPLEN_SMALLER_THAN_HLEN, /**< ipv4 pkt len smaller than ip header size */
IPV4_TRUNC_PKT, /**< truncated ipv4 packet */
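Review bot: Moving the explicit `= 0` onto `AFP_TRUNC_PKT` renumbers every decoder event after it, starting with `IPV4_PKT_TOO_SMALL`, so anything that stores or indexes by the numeric value rather than the name shifts by one. The `DEvents[]` hunk adds its entry at the same leading position, which suggests the two lists are meant to stay in step; if so, say it on the enum, e.g. `/* keep in the same order as DEvents[] */`. The section label also differs between the two places (`/* AF_PACKET EVENTS */` here, `/* CAPTURE EVENTS */` in the table), and one of them should be picked. The enum continues outside the hunk.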
if (h.h2->tp_len > h.h2->tp_snaplen) {
SCLogDebug("Packet length (%d) > snaplen (%d), truncating", h.h2->tp_len, h.h2->tp_snaplen);
+ ENGINE_SET_INVALID_EVENT(p, AFP_TRUNC_PKT);
}
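Review bot: `ENGINE_SET_INVALID_EVENT(p, AFP_TRUNC_PKT)` by its name presumably marks the packet invalid as well as recording the event, so it is worth confirming that later stages still inspect the captured `tp_snaplen` bytes as they did before, and stating the intent in a comment. Something like `/* kernel delivered tp_snaplen of tp_len bytes; raise an event so the inspection gap is visible */` above the macro would do, here and at the same call in the `ppd` hunk below, where it sits just ahead of `PacketSetData`. That second hunk also adds a new `SCLogDebug` using `%d` for `tp_len` and `tp_snaplen`, which are unsigned 32-bit fields in the kernel's tpacket headers; `%u` matches them. The enclosing functions start and end outside both hunks.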
/* get vlan id from header */
p->afp_v.vlan_tci = (uint16_t)ppd->hv1.tp_vlan_tci;
}
+ if (ppd->tp_len > ppd->tp_snaplen) {
+ SCLogDebug("Packet length (%d) > snaplen (%d), truncating", ppd->tp_len, ppd->tp_snaplen);
+ ENGINE_SET_INVALID_EVENT(p, AFP_TRUNC_PKT);
+ }
+
(void)PacketSetData(p, (unsigned char *)ppd + ppd->tp_mac, ppd->tp_snaplen);
p->ReleasePacket = AFPReleasePacketV3;