From: Maurizio Abba Date: Thu, 10 Mar 2016 13:58:21 +0000 (+0000) Subject: decode-events: counters for decode events errors X-Git-Tag: suricata-3.0.1RC1~40 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=44a7c12ad0afb6a6187090e485ed1268d49619a3;p=thirdparty%2Fsuricata.git decode-events: counters for decode events errors We want to add counters in order to track the number of times we hit a decode event. A decode event is related to an error in the protocol decoding over a certain packet. This patch fist modifies the decode-event list, reordering it in order to separate single packet events from stream-related events and adding the prefix "decoder" to decode events. The counters are created during the decode setup and the relative event counter is increased every time a packet with the flag PKT_IS_INVALID is finalized in the decode phase
---
diff --git a/src/decode-events.c b/src/decode-events.c
index cecf77c54d..f4a5bdd1ca 100644
--- a/src/decode-events.c
+++ b/src/decode-events.c
@@ -23,5 +23,219 @@ #include "suricata-common.h"
+#include "decode-events.h" /* code moved to app-layer-events */
+const struct DecodeEvents_ DEvents[] = {
+ /* IPV4 EVENTS */
+ { "decoder.ipv4.pkt_too_small", IPV4_PKT_TOO_SMALL, },
+ { "decoder.ipv4.hlen_too_small", IPV4_HLEN_TOO_SMALL, },
+ { "decoder.ipv4.iplen_smaller_than_hlen", IPV4_IPLEN_SMALLER_THAN_HLEN, },
+ { "decoder.ipv4.trunc_pkt", IPV4_TRUNC_PKT, },
+
+ /* IPV4 OPTIONS */
+ { "decoder.ipv4.opt_invalid", IPV4_OPT_INVALID, },
+ { "decoder.ipv4.opt_invalid_len", IPV4_OPT_INVALID_LEN, },
+ { "decoder.ipv4.opt_malformed", IPV4_OPT_MALFORMED, },
+ { "decoder.ipv4.opt_pad_required", IPV4_OPT_PAD_REQUIRED, },
+ { "decoder.ipv4.opt_eol_required", IPV4_OPT_EOL_REQUIRED, },
+ { "decoder.ipv4.opt_duplicate", IPV4_OPT_DUPLICATE, },
+ { "decoder.ipv4.opt_unknown", IPV4_OPT_UNKNOWN, },
+ { "decoder.ipv4.wrong_ip_version", IPV4_WRONG_IP_VER, },
+ { "decoder.ipv4.icmpv6", IPV4_WITH_ICMPV6, },
+
+ /* ICMP EVENTS */
+ { "decoder.icmpv4.pkt_too_small", ICMPV4_PKT_TOO_SMALL, },
+ { "decoder.icmpv4.unknown_type", ICMPV4_UNKNOWN_TYPE, },
+ { "decoder.icmpv4.unknown_code", ICMPV4_UNKNOWN_CODE, },
+ { "decoder.icmpv4.ipv4_trunc_pkt", ICMPV4_IPV4_TRUNC_PKT, },
+ { "decoder.icmpv4.ipv4_unknown_ver", ICMPV4_IPV4_UNKNOWN_VER, },
+
+ /* ICMPv6 EVENTS */
+ { "decoder.icmpv6.unknown_type", ICMPV6_UNKNOWN_TYPE,},
+ { "decoder.icmpv6.unknown_code", ICMPV6_UNKNOWN_CODE,},
+ { "decoder.icmpv6.pkt_too_small", ICMPV6_PKT_TOO_SMALL,},
+ { "decoder.icmpv6.ipv6_unknown_version", ICMPV6_IPV6_UNKNOWN_VER,},
+ { "decoder.icmpv6.ipv6_trunc_pkt", ICMPV6_IPV6_TRUNC_PKT,},
+ { "decoder.icmpv6.mld_message_with_invalid_hl", ICMPV6_MLD_MESSAGE_WITH_INVALID_HL,},
+ { "decoder.icmpv6.unassigned_type", ICMPV6_UNASSIGNED_TYPE,},
+ { "decoder.icmpv6.experimentation_type", ICMPV6_EXPERIMENTATION_TYPE,},
+
+ /* IPV6 EVENTS */
+ { "decoder.ipv6.pkt_too_small", IPV6_PKT_TOO_SMALL, },
+ { "decoder.ipv6.trunc_pkt", IPV6_TRUNC_PKT, },
+ { "decoder.ipv6.trunc_exthdr", IPV6_TRUNC_EXTHDR, },
+ { "decoder.ipv6.exthdr_dupl_fh", IPV6_EXTHDR_DUPL_FH, },
+ { "decoder.ipv6.exthdr_useless_fh", IPV6_EXTHDR_USELESS_FH, },
+ { "decoder.ipv6.exthdr_dupl_rh", IPV6_EXTHDR_DUPL_RH, },
+ { "decoder.ipv6.exthdr_dupl_hh", IPV6_EXTHDR_DUPL_HH, },
+ { "decoder.ipv6.exthdr_dupl_dh", IPV6_EXTHDR_DUPL_DH, },
+ { "decoder.ipv6.exthdr_dupl_ah", IPV6_EXTHDR_DUPL_AH, },
+ { "decoder.ipv6.exthdr_dupl_eh", IPV6_EXTHDR_DUPL_EH, },
+ { "decoder.ipv6.exthdr_invalid_optlen", IPV6_EXTHDR_INVALID_OPTLEN, },
+ { "decoder.ipv6.wrong_ip_version", IPV6_WRONG_IP_VER, },
+ { "decoder.ipv6.exthdr_ah_res_not_null", IPV6_EXTHDR_AH_RES_NOT_NULL, },
+ { "decoder.ipv6.hopopts_unknown_opt", IPV6_HOPOPTS_UNKNOWN_OPT, },
+ { "decoder.ipv6.hopopts_only_padding", IPV6_HOPOPTS_ONLY_PADDING, },
+ { "decoder.ipv6.dstopts_unknown_opt", IPV6_DSTOPTS_UNKNOWN_OPT, },
+ { "decoder.ipv6.dstopts_only_padding", IPV6_DSTOPTS_ONLY_PADDING, },
+ { "decoder.ipv6.rh_type_0", IPV6_EXTHDR_RH_TYPE_0, },
+ { "decoder.ipv6.zero_len_padn", IPV6_EXTHDR_ZERO_LEN_PADN, },
+ { "decoder.ipv6.fh_non_zero_reserved_field", IPV6_FH_NON_ZERO_RES_FIELD, },
+ { "decoder.ipv6.data_after_none_header", IPV6_DATA_AFTER_NONE_HEADER, },
+ { "decoder.ipv6.unknown_next_header", IPV6_UNKNOWN_NEXT_HEADER, },
+ { "decoder.ipv6.icmpv4", IPV6_WITH_ICMPV4, },
+
+ /* TCP EVENTS */
+ { "decoder.tcp.pkt_too_small", TCP_PKT_TOO_SMALL, },
+ { "decoder.tcp.hlen_too_small", TCP_HLEN_TOO_SMALL, },
+ { "decoder.tcp.invalid_optlen", TCP_INVALID_OPTLEN, },
+
+ /* TCP OPTIONS */
+ { "decoder.tcp.opt_invalid_len", TCP_OPT_INVALID_LEN, },
+ { "decoder.tcp.opt_duplicate", TCP_OPT_DUPLICATE, },
+
+ /* UDP EVENTS */
+ { "decoder.udp.pkt_too_small", UDP_PKT_TOO_SMALL, },
+ { "decoder.udp.hlen_too_small", UDP_HLEN_TOO_SMALL, },
+ { "decoder.udp.hlen_invalid", UDP_HLEN_INVALID, },
+
+ /* SLL EVENTS */
+ { "decoder.sll.pkt_too_small", SLL_PKT_TOO_SMALL, },
+
+ /* ETHERNET EVENTS */
+ { "decoder.ethernet.pkt_too_small", ETHERNET_PKT_TOO_SMALL, },
+
+ /* PPP EVENTS */
+ { "decoder.ppp.pkt_too_small", PPP_PKT_TOO_SMALL, },
+ { "decoder.ppp.vju_pkt_too_small", PPPVJU_PKT_TOO_SMALL, },
+ { "decoder.ppp.ip4_pkt_too_small", PPPIPV4_PKT_TOO_SMALL, },
+ { "decoder.ppp.ip6_pkt_too_small", PPPIPV6_PKT_TOO_SMALL, },
+ { "decoder.ppp.wrong_type", PPP_WRONG_TYPE, }, /** unknown & invalid protocol */
+ { "decoder.ppp.unsup_proto", PPP_UNSUP_PROTO, }, /** unsupported but valid protocol */
+
+ /* PPPOE EVENTS */
+ { "decoder.pppoe.pkt_too_small", PPPOE_PKT_TOO_SMALL, },
+ { "decoder.pppoe.wrong_code", PPPOE_WRONG_CODE, },
+ { "decoder.pppoe.malformed_tags", PPPOE_MALFORMED_TAGS, },
+
+ /* GRE EVENTS */
+ { "decoder.gre.pkt_too_small", GRE_PKT_TOO_SMALL, },
+ { "decoder.gre.wrong_version", GRE_WRONG_VERSION, },
+ { "decoder.gre.version0_recur", GRE_VERSION0_RECUR, },
+ { "decoder.gre.version0_flags", GRE_VERSION0_FLAGS, },
+ { "decoder.gre.version0_hdr_too_big", GRE_VERSION0_HDR_TOO_BIG, },
+ { "decoder.gre.version0_malformed_sre_hdr", GRE_VERSION0_MALFORMED_SRE_HDR, },
+ { "decoder.gre.version1_chksum", GRE_VERSION1_CHKSUM, },
+ { "decoder.gre.version1_route", GRE_VERSION1_ROUTE, },
+ { "decoder.gre.version1_ssr", GRE_VERSION1_SSR, },
+ { "decoder.gre.version1_recur", GRE_VERSION1_RECUR, },
+ { "decoder.gre.version1_flags", GRE_VERSION1_FLAGS, },
+ { "decoder.gre.version1_no_key", GRE_VERSION1_NO_KEY, },
+ { "decoder.gre.version1_wrong_protocol", GRE_VERSION1_WRONG_PROTOCOL, },
+ { "decoder.gre.version1_malformed_sre_hdr", GRE_VERSION1_MALFORMED_SRE_HDR, },
+ { "decoder.gre.version1_hdr_too_big", GRE_VERSION1_HDR_TOO_BIG, },
+
+ /* VLAN EVENTS */
+ { "decoder.vlan.header_too_small",VLAN_HEADER_TOO_SMALL, },
+ { "decoder.vlan.unknown_type",VLAN_UNKNOWN_TYPE, },
+ { "decoder.vlan.too_many_layers", VLAN_HEADER_TOO_MANY_LAYERS, },
+
+ /* RAW EVENTS */
+ { "decoder.ipraw.invalid_ip_version",IPRAW_INVALID_IPV, },
+
+ /* LINKTYPE NULL EVENTS */
+ { "decoder.ltnull.pkt_too_small", LTNULL_PKT_TOO_SMALL, },
+ { "decoder.ltnull.unsupported_type", LTNULL_UNSUPPORTED_TYPE, },
+
+ /* SCTP EVENTS */
+ { "decoder.sctp.pkt_too_small", SCTP_PKT_TOO_SMALL, },
+
+ /* Fragmentation reasembly events. */
+ { "decoder.ipv4.frag_too_large", IPV4_FRAG_PKT_TOO_LARGE, },
+ { "decoder.ipv6.frag_too_large", IPV6_FRAG_PKT_TOO_LARGE, },
+ { "decoder.ipv4.frag_overlap", IPV4_FRAG_OVERLAP, },
+ { "decoder.ipv6.frag_overlap", IPV6_FRAG_OVERLAP, },
+ /* Fragment ignored due to internal error */
+ { "decoder.ipv4.frag_ignored", IPV4_FRAG_IGNORED, },
+ { "decoder.ipv6.frag_ignored", IPV6_FRAG_IGNORED, },
+
+ /* IPv4 in IPv6 events */
+ { "decoder.ipv6.ipv4_in_ipv6_too_small", IPV4_IN_IPV6_PKT_TOO_SMALL, },
+ { "decoder.ipv6.ipv4_in_ipv6_wrong_version", IPV4_IN_IPV6_WRONG_IP_VER, },
+ /* IPv6 in IPv6 events */
+ { "decoder.ipv6.ipv6_in_ipv6_too_small", IPV6_IN_IPV6_PKT_TOO_SMALL, },
+ { "decoder.ipv6.ipv6_in_ipv6_wrong_version", IPV6_IN_IPV6_WRONG_IP_VER, },
+
+ /* MPLS events */
+ { "decoder.mpls.bad_label_router_alert", MPLS_BAD_LABEL_ROUTER_ALERT, },
+ { "decoder.mpls.bad_label_implicit_null", MPLS_BAD_LABEL_IMPLICIT_NULL, },
+ { "decoder.mpls.bad_label_reserved", MPLS_BAD_LABEL_RESERVED, },
+ { "decoder.mpls.unknown_payload_type", MPLS_UNKNOWN_PAYLOAD_TYPE, },
+
+ /* ERSPAN events */
+ { "decoder.erspan.header_too_small", ERSPAN_HEADER_TOO_SMALL, },
+ { "decoder.erspan.unsupported_version", ERSPAN_UNSUPPORTED_VERSION, },
+ { "decoder.erspan.too_many_vlan_layers", ERSPAN_TOO_MANY_VLAN_LAYERS, },
+
+ /* STREAM EVENTS */
+ { "stream.3whs_ack_in_wrong_dir", STREAM_3WHS_ACK_IN_WRONG_DIR, },
+ { "stream.3whs_async_wrong_seq", STREAM_3WHS_ASYNC_WRONG_SEQ, },
+ { "stream.3whs_right_seq_wrong_ack_evasion", STREAM_3WHS_RIGHT_SEQ_WRONG_ACK_EVASION, },
+ { "stream.3whs_synack_in_wrong_direction", STREAM_3WHS_SYNACK_IN_WRONG_DIRECTION, },
+ { "stream.3whs_synack_resend_with_different_ack", STREAM_3WHS_SYNACK_RESEND_WITH_DIFFERENT_ACK, },
+ { "stream.3whs_synack_resend_with_diff_seq", STREAM_3WHS_SYNACK_RESEND_WITH_DIFF_SEQ, },
+ { "stream.3whs_synack_toserver_on_syn_recv", STREAM_3WHS_SYNACK_TOSERVER_ON_SYN_RECV, },
+ { "stream.3whs_synack_with_wrong_ack", STREAM_3WHS_SYNACK_WITH_WRONG_ACK, },
+ { "stream.3whs_synack_flood", STREAM_3WHS_SYNACK_FLOOD, },
+ { "stream.3whs_syn_resend_diff_seq_on_syn_recv", STREAM_3WHS_SYN_RESEND_DIFF_SEQ_ON_SYN_RECV, },
+ { "stream.3whs_syn_toclient_on_syn_recv", STREAM_3WHS_SYN_TOCLIENT_ON_SYN_RECV, },
+ { "stream.3whs_wrong_seq_wrong_ack", STREAM_3WHS_WRONG_SEQ_WRONG_ACK, },
+ { "stream.4whs_synack_with_wrong_ack", STREAM_4WHS_SYNACK_WITH_WRONG_ACK, },
+ { "stream.4whs_synack_with_wrong_syn", STREAM_4WHS_SYNACK_WITH_WRONG_SYN, },
+ { "stream.4whs_wrong_seq", STREAM_4WHS_WRONG_SEQ, },
+ { "stream.4whs_invalid_ack", STREAM_4WHS_INVALID_ACK, },
+ { "stream.closewait_ack_out_of_window", STREAM_CLOSEWAIT_ACK_OUT_OF_WINDOW, },
+ { "stream.closewait_fin_out_of_window", STREAM_CLOSEWAIT_FIN_OUT_OF_WINDOW, },
+ { "stream.closewait_pkt_before_last_ack", STREAM_CLOSEWAIT_PKT_BEFORE_LAST_ACK, },
+ { "stream.closewait_invalid_ack", STREAM_CLOSEWAIT_INVALID_ACK, },
+ { "stream.closing_ack_wrong_seq", STREAM_CLOSING_ACK_WRONG_SEQ, },
+ { "stream.closing_invalid_ack", STREAM_CLOSING_INVALID_ACK, },
+ { "stream.est_packet_out_of_window", STREAM_EST_PACKET_OUT_OF_WINDOW, },
+ { "stream.est_pkt_before_last_ack", STREAM_EST_PKT_BEFORE_LAST_ACK, },
+ { "stream.est_synack_resend", STREAM_EST_SYNACK_RESEND, },
+ { "stream.est_synack_resend_with_different_ack", STREAM_EST_SYNACK_RESEND_WITH_DIFFERENT_ACK, },
+ { "stream.est_synack_resend_with_diff_seq", STREAM_EST_SYNACK_RESEND_WITH_DIFF_SEQ, },
+ { "stream.est_synack_toserver", STREAM_EST_SYNACK_TOSERVER, },
+ { "stream.est_syn_resend", STREAM_EST_SYN_RESEND, },
+ { "stream.est_syn_resend_diff_seq", STREAM_EST_SYN_RESEND_DIFF_SEQ, },
+ { "stream.est_syn_toclient", STREAM_EST_SYN_TOCLIENT, },
+ { "stream.est_invalid_ack", STREAM_EST_INVALID_ACK, },
+ { "stream.fin_invalid_ack", STREAM_FIN_INVALID_ACK, },
+ { "stream.fin1_ack_wrong_seq", STREAM_FIN1_ACK_WRONG_SEQ, },
+ { "stream.fin1_fin_wrong_seq", STREAM_FIN1_FIN_WRONG_SEQ, },
+ { "stream.fin1_invalid_ack", STREAM_FIN1_INVALID_ACK, },
+ { "stream.fin2_ack_wrong_seq", STREAM_FIN2_ACK_WRONG_SEQ, },
+ { "stream.fin2_fin_wrong_seq", STREAM_FIN2_FIN_WRONG_SEQ, },
+ { "stream.fin2_invalid_ack", STREAM_FIN2_INVALID_ACK, },
+ { "stream.fin_but_no_session", STREAM_FIN_BUT_NO_SESSION, },
+ { "stream.fin_out_of_window", STREAM_FIN_OUT_OF_WINDOW, },
+ { "stream.lastack_ack_wrong_seq", STREAM_LASTACK_ACK_WRONG_SEQ, },
+ { "stream.lastack_invalid_ack", STREAM_LASTACK_INVALID_ACK, },
+ { "stream.rst_but_no_session", STREAM_RST_BUT_NO_SESSION, },
+ { "stream.timewait_ack_wrong_seq", STREAM_TIMEWAIT_ACK_WRONG_SEQ, },
+ { "stream.timewait_invalid_ack", STREAM_TIMEWAIT_INVALID_ACK, },
+ { "stream.pkt_invalid_timestamp", STREAM_PKT_INVALID_TIMESTAMP, },
+ { "stream.pkt_invalid_ack", STREAM_PKT_INVALID_ACK, },
+ { "stream.pkt_broken_ack", STREAM_PKT_BROKEN_ACK, },
+ { "stream.rst_invalid_ack", STREAM_RST_INVALID_ACK, },
+ { "stream.shutdown_syn_resend", STREAM_SHUTDOWN_SYN_RESEND, },
+ { "stream.pkt_retransmission", STREAM_PKT_RETRANSMISSION, },
+ { "stream.reassembly_segment_before_base_seq", STREAM_REASSEMBLY_SEGMENT_BEFORE_BASE_SEQ, },
+ { "stream.reassembly_no_segment", STREAM_REASSEMBLY_NO_SEGMENT, },
+ { "stream.reassembly_seq_gap", STREAM_REASSEMBLY_SEQ_GAP, },
+ { "stream.reassembly_overlap_different_data", STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA, },
+ { "stream.pkt_bad_window_update", STREAM_PKT_BAD_WINDOW_UPDATE, },
+
+ { NULL, 0 },
+};
diff --git a/src/decode-events.h b/src/decode-events.h
index 51889387a1..8e73952543 100644
--- a/src/decode-events.h
+++ b/src/decode-events.h
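Review bot: The rows of `DEvents[]` do not follow the enum order that the new registration loop in src/decode.c relies on when it reads `DEvents[i].event_name`: the enum in src/decode-events.h lists `IPV4_FRAG_TOO_LARGE`, `IPV6_FRAG_TOO_LARGE` and `MPLS_HEADER_TOO_SMALL` before `DECODE_EVENT_PACKET_MAX`, and this table has no row for any of them. From the fragmentation block onward each counter would therefore be registered under the name of a later event, and the last packet-event slots would take `stream.*` names, which makes the per-event statistics misleading for anyone using them to spot malformed traffic. The start of the enum is outside the hunks shown, so the earlier rows could not be checked against it. Adding the three missing rows and a check in the loop such as `BUG_ON(DEvents[i].code != i);` would keep the two lists from drifting apart.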
@@ -28,7 +28,7 @@ /* packet decoder events */ enum { /* IPV4 EVENTS */ - IPV4_PKT_TOO_SMALL = 1, /**< ipv4 pkt smaller than minimum header size */ + IPV4_PKT_TOO_SMALL = 0, /**< ipv4 pkt smaller than minimum header size */ IPV4_HLEN_TOO_SMALL, /**< ipv4 header smaller than minimum size */ IPV4_IPLEN_SMALLER_THAN_HLEN, /**< ipv4 pkt len smaller than ip header size */ IPV4_TRUNC_PKT, /**< truncated ipv4 packet */ @@ -152,6 +152,44 @@ enum { LTNULL_PKT_TOO_SMALL, /**< pkt too small for lt:null */ LTNULL_UNSUPPORTED_TYPE, /**< pkt has a type that the decoder doesn't support */ + /* SCTP EVENTS */ + SCTP_PKT_TOO_SMALL, /**< sctp packet smaller than minimum size */ + + /* Fragmentation reasembly events. */ + IPV4_FRAG_PKT_TOO_LARGE, + IPV6_FRAG_PKT_TOO_LARGE, + IPV4_FRAG_OVERLAP, + IPV6_FRAG_OVERLAP, + IPV4_FRAG_TOO_LARGE, + IPV6_FRAG_TOO_LARGE, + + /* Fragment ignored due to internal error */ + IPV4_FRAG_IGNORED, + IPV6_FRAG_IGNORED, + + /* IPv4 in IPv6 events */ + IPV4_IN_IPV6_PKT_TOO_SMALL, + IPV4_IN_IPV6_WRONG_IP_VER, + + /* IPv6 in IPv6 events */ + IPV6_IN_IPV6_PKT_TOO_SMALL, + IPV6_IN_IPV6_WRONG_IP_VER, + + /* MPLS decode events. */ + MPLS_HEADER_TOO_SMALL, + MPLS_BAD_LABEL_ROUTER_ALERT, + MPLS_BAD_LABEL_IMPLICIT_NULL, + MPLS_BAD_LABEL_RESERVED, + MPLS_UNKNOWN_PAYLOAD_TYPE, + + /* ERSPAN events */ + ERSPAN_HEADER_TOO_SMALL, + ERSPAN_UNSUPPORTED_VERSION, + ERSPAN_TOO_MANY_VLAN_LAYERS, + + /* END OF DECODE EVENTS ON SINGLE PACKET */ + DECODE_EVENT_PACKET_MAX, + /* STREAM EVENTS */ STREAM_3WHS_ACK_IN_WRONG_DIR, STREAM_3WHS_ASYNC_WRONG_SEQ, 
@@ -214,41 +252,19 @@ enum { STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA, - /* SCTP EVENTS */ - SCTP_PKT_TOO_SMALL, /**< sctp packet smaller than minimum size */ - - /* Fragmentation reasembly events. */ - IPV4_FRAG_PKT_TOO_LARGE, - IPV6_FRAG_PKT_TOO_LARGE, - IPV4_FRAG_OVERLAP, - IPV6_FRAG_OVERLAP, - IPV4_FRAG_TOO_LARGE, - IPV6_FRAG_TOO_LARGE, - /* Fragment ignored due to internal error */ - IPV4_FRAG_IGNORED, - IPV6_FRAG_IGNORED, - - /* IPv4 in IPv6 events */ - IPV4_IN_IPV6_PKT_TOO_SMALL, - IPV4_IN_IPV6_WRONG_IP_VER, - /* IPv6 in IPv6 events */ - IPV6_IN_IPV6_PKT_TOO_SMALL, - IPV6_IN_IPV6_WRONG_IP_VER, + /* should always be last! */ + DECODE_EVENT_MAX, +}; - /* MPLS decode events. */ - MPLS_HEADER_TOO_SMALL, - MPLS_BAD_LABEL_ROUTER_ALERT, - MPLS_BAD_LABEL_IMPLICIT_NULL, - MPLS_BAD_LABEL_RESERVED, - MPLS_UNKNOWN_PAYLOAD_TYPE, +#define EVENT_IS_DECODER_PACKET_ERROR(e) \ + ((e) < (DECODE_EVENT_PACKET_MAX)) - /* ERSPAN events */ - ERSPAN_HEADER_TOO_SMALL, - ERSPAN_UNSUPPORTED_VERSION, - ERSPAN_TOO_MANY_VLAN_LAYERS, +/* supported decoder events */ - /* should always be last! */ - DECODE_EVENT_MAX, +struct DecodeEvents_ { + char *event_name; + uint8_t code; }; +extern const struct DecodeEvents_ DEvents[DECODE_EVENT_MAX]; #endif /* __DECODE_EVENTS_H__ */ diff --git a/src/decode.c b/src/decode.c index 4be4b9e702..80d603a781 100644 --- a/src/decode.c +++ b/src/decode.c @@ -109,9 +109,15 @@ void PacketFree(Packet *p) void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p) { - if (p->flags & PKT_IS_INVALID) + if (p->flags & PKT_IS_INVALID) { StatsIncr(tv, dtv->counter_invalid); - + int i = 0; + for (i = 0; i < p->events.cnt; i++) { + if (EVENT_IS_DECODER_PACKET_ERROR(p->events.events[i])) { + StatsIncr(tv, dtv->counter_invalid_events[p->events.events[i]]); + } + } + } #ifdef __SC_CUDA_SUPPORT__ if (dtv->cuda_vars.mpm_is_cuda) CudaBufferPacket(&dtv->cuda_vars, p); 
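Review bot: `extern const struct DecodeEvents_ DEvents[DECODE_EVENT_MAX];` fixes the array bound while the definition in src/decode-events.c still ends with a `{ NULL, 0 }` sentinel, so a table with one row per enum value plus the sentinel would exceed the declared bound and a shorter one is silently zero-padded; a comment on the declaration should say which of the two conventions users of the table may rely on. `char *event_name` points at string literals in a const table and would be better declared as `const char *event_name;`. `uint8_t code` also caps the enum at 256 values with no compile-time check, so a comment next to `DECODE_EVENT_MAX` stating that limit would help. The enum body starts outside this hunk.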
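Review bot: The per-event counters are incremented only inside the `PKT_IS_INVALID` branch of `PacketDecodeFinalize`, so an event raised on a packet that is not flagged invalid is never counted, and the code should say so to stop a zero counter being read as "event never seen". I would add `/* per-event counters cover only packets flagged PKT_IS_INVALID; events on packets that stay valid are not counted */` above the loop. `EVENT_IS_DECODER_PACKET_ERROR` tests only the upper limit, which bounds the index into `counter_invalid_events[]` only if `p->events.events[]` is an unsigned type; its declaration is not visible here. `int i = 0;` followed by `for (i = 0; ...)` initialises twice, and the function continues past the end of the hunk.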
@@ -419,7 +425,13 @@ void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv) StatsRegisterCounter("defrag.ipv6.timeouts", tv); dtv->counter_defrag_max_hit = StatsRegisterCounter("defrag.max_frag_hits", tv); - + + int i = 0; + for (i = 0; i < DECODE_EVENT_PACKET_MAX; i++) { + dtv->counter_invalid_events[i] = StatsRegisterCounter( + DEvents[i].event_name, tv); + } + return; } diff --git a/src/decode.h b/src/decode.h index f57dcea997..313bd3f51d 100644 --- a/src/decode.h +++ b/src/decode.h @@ -626,6 +626,7 @@ typedef struct DecodeThreadVars_ uint16_t counter_flow_memcap; + uint16_t counter_invalid_events[DECODE_EVENT_PACKET_MAX]; /* thread data for flow logging api: only used at forced * flow recycle during lookups */ void *output_flow_thread_data; diff --git a/src/detect-engine-event.c b/src/detect-engine-event.c index 6b685d7054..9a8e23967e 100644 --- a/src/detect-engine-event.c +++ b/src/detect-engine-event.c @@ -38,12 +38,11 @@ /* Need to get the DEvents[] array */ -#define DETECT_EVENTS #include "detect-engine-event.h" #include "util-unittest.h" -#define PARSE_REGEX "\\S[0-9A-z_]+[.][A-z0-9_+]+$" +#define PARSE_REGEX "\\S[0-9A-z_]+[.][A-z0-9_+.]+$" static pcre *parse_regex; static pcre_extra *parse_regex_study; @@ -252,7 +251,12 @@ static void DetectEngineEventFree(void *ptr) */ static int DetectDecodeEventSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr) { - return _DetectEngineEventSetup(de_ctx, s, rawstr, DETECT_DECODE_EVENT); + char drawstr[MAX_SUBSTRINGS * 2] = "decoder."; + + /* decoder:$EVENT alias command develop as decode-event:decoder.$EVENT */ + strlcat(drawstr, rawstr, 2 * MAX_SUBSTRINGS - strlen("decoder.") - 1); + + return _DetectEngineEventSetup(de_ctx, s, drawstr, DETECT_DECODE_EVENT); } /** 
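Review bot: The updated `PARSE_REGEX` keeps the `A-z` ranges, which in ASCII also cover `[`, `\`, `]`, `^` and the backtick, so rule text containing those characters passes this syntax check and is left to whatever lookup follows. Spelling the ranges out, `#define PARSE_REGEX "\\S[0-9A-Za-z_]+[.][A-Za-z0-9_+.]+$"`, keeps the accepted alphabet to what the event names in the table use. The pattern is also unanchored at the start; whether that is intended cannot be seen from this hunk.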
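Review bot: The size passed to `strlcat` in `DetectDecodeEventSetup` is computed as remaining space, but `strlcat` expects the full size of the destination, so the call truncates earlier than the buffer requires and the truncation is never detected. A truncated keyword value would then be handed to `_DetectEngineEventSetup` as if the rule had been written that way. I would pass `sizeof(drawstr)` and reject overlong input, `if (strlcat(drawstr, rawstr, sizeof(drawstr)) >= sizeof(drawstr)) return -1;`, assuming -1 is this setup function's error return, which the hunk does not show. `MAX_SUBSTRINGS * 2` sizes the buffer from a constant whose meaning is not visible here; a named length for event strings would be clearer.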
@@ -279,7 +283,7 @@ static int DetectStreamEventSetup (DetectEngineCtx *de_ctx, Signature *s, char * int EngineEventTestParse01 (void) { DetectEngineEventData *de = NULL; - de = DetectEngineEventParse("ipv4.pkt_too_small"); + de = DetectEngineEventParse("decoder.ipv4.pkt_too_small"); if (de) { DetectEngineEventFree(de); return 1; @@ -295,7 +299,7 @@ int EngineEventTestParse01 (void) int EngineEventTestParse02 (void) { DetectEngineEventData *de = NULL; - de = DetectEngineEventParse("PPP.pkt_too_small"); + de = DetectEngineEventParse("decoder.PPP.pkt_too_small"); if (de) { DetectEngineEventFree(de); return 1; @@ -310,7 +314,7 @@ int EngineEventTestParse02 (void) int EngineEventTestParse03 (void) { DetectEngineEventData *de = NULL; - de = DetectEngineEventParse("IPV6.PKT_TOO_SMALL"); + de = DetectEngineEventParse("decoder.IPV6.PKT_TOO_SMALL"); if (de) { DetectEngineEventFree(de); return 1; @@ -325,7 +329,7 @@ int EngineEventTestParse03 (void) int EngineEventTestParse04 (void) { DetectEngineEventData *de = NULL; - de = DetectEngineEventParse("IPV6.INVALID_EVENT"); + de = DetectEngineEventParse("decoder.IPV6.INVALID_EVENT"); if (de) { DetectEngineEventFree(de); return 1; @@ -340,7 +344,7 @@ int EngineEventTestParse04 (void) int EngineEventTestParse05 (void) { DetectEngineEventData *de = NULL; - de = DetectEngineEventParse("IPV-6,INVALID_CHAR"); + de = DetectEngineEventParse("decoder.IPV-6,INVALID_CHAR"); if (de) { DetectEngineEventFree(de); return 1; @@ -368,7 +372,7 @@ int EngineEventTestParse06 (void) ENGINE_SET_EVENT(p,PPP_PKT_TOO_SMALL); - de = DetectEngineEventParse("ppp.pkt_too_small"); + de = DetectEngineEventParse("decoder.ppp.pkt_too_small"); if (de == NULL) goto error; diff --git a/src/detect-engine-event.h b/src/detect-engine-event.h index 9ee152766e..3f52753bc5 100644 --- a/src/detect-engine-event.h +++ b/src/detect-engine-event.h 
@@ -33,226 +33,5 @@ typedef struct DetectEngineEventData_ { /* prototypes */ void DetectEngineEventRegister (void); -/* supported decoder events */ - -#ifdef DETECT_EVENTS -struct DetectEngineEvents_ { - char *event_name; - uint8_t code; -} DEvents[] = { - /* IPV4 EVENTS */ - { "ipv4.pkt_too_small", IPV4_PKT_TOO_SMALL, }, - { "ipv4.hlen_too_small", IPV4_HLEN_TOO_SMALL, }, - { "ipv4.iplen_smaller_than_hlen", IPV4_IPLEN_SMALLER_THAN_HLEN, }, - { "ipv4.trunc_pkt", IPV4_TRUNC_PKT, }, - - /* IPV4 OPTIONS */ - { "ipv4.opt_invalid", IPV4_OPT_INVALID, }, - { "ipv4.opt_invalid_len", IPV4_OPT_INVALID_LEN, }, - { "ipv4.opt_malformed", IPV4_OPT_MALFORMED, }, - { "ipv4.opt_pad_required", IPV4_OPT_PAD_REQUIRED, }, - { "ipv4.opt_eol_required", IPV4_OPT_EOL_REQUIRED, }, - { "ipv4.opt_duplicate", IPV4_OPT_DUPLICATE, }, - { "ipv4.opt_unknown", IPV4_OPT_UNKNOWN, }, - { "ipv4.wrong_ip_version", IPV4_WRONG_IP_VER, }, - { "ipv4.icmpv6", IPV4_WITH_ICMPV6, }, - - /* ICMP EVENTS */ - { "icmpv4.pkt_too_small", ICMPV4_PKT_TOO_SMALL, }, - { "icmpv4.unknown_type", ICMPV4_UNKNOWN_TYPE, }, - { "icmpv4.unknown_code", ICMPV4_UNKNOWN_CODE, }, - { "icmpv4.ipv4_trunc_pkt", ICMPV4_IPV4_TRUNC_PKT, }, - { "icmpv4.ipv4_unknown_ver", ICMPV4_IPV4_UNKNOWN_VER, }, - - /* ICMPv6 EVENTS */ - { "icmpv6.unknown_type", ICMPV6_UNKNOWN_TYPE,}, - { "icmpv6.unknown_code", ICMPV6_UNKNOWN_CODE,}, - { "icmpv6.pkt_too_small", ICMPV6_PKT_TOO_SMALL,}, - { "icmpv6.ipv6_unknown_version", ICMPV6_IPV6_UNKNOWN_VER,}, - { "icmpv6.ipv6_trunc_pkt", ICMPV6_IPV6_TRUNC_PKT,}, - { "icmpv6.mld_message_with_invalid_hl", ICMPV6_MLD_MESSAGE_WITH_INVALID_HL,}, - { "icmpv6.unassigned_type", ICMPV6_UNASSIGNED_TYPE,}, - { "icmpv6.experimentation_type", ICMPV6_EXPERIMENTATION_TYPE,}, - - /* IPV6 EVENTS */ - { "ipv6.pkt_too_small", IPV6_PKT_TOO_SMALL, }, - { "ipv6.trunc_pkt", IPV6_TRUNC_PKT, }, - { "ipv6.trunc_exthdr", IPV6_TRUNC_EXTHDR, }, - { "ipv6.exthdr_dupl_fh", IPV6_EXTHDR_DUPL_FH, }, - { "ipv6.exthdr_useless_fh", IPV6_EXTHDR_USELESS_FH, 
}, - { "ipv6.exthdr_dupl_rh", IPV6_EXTHDR_DUPL_RH, }, - { "ipv6.exthdr_dupl_hh", IPV6_EXTHDR_DUPL_HH, }, - { "ipv6.exthdr_dupl_dh", IPV6_EXTHDR_DUPL_DH, }, - { "ipv6.exthdr_dupl_ah", IPV6_EXTHDR_DUPL_AH, }, - { "ipv6.exthdr_dupl_eh", IPV6_EXTHDR_DUPL_EH, }, - { "ipv6.exthdr_invalid_optlen", IPV6_EXTHDR_INVALID_OPTLEN, }, - { "ipv6.wrong_ip_version", IPV6_WRONG_IP_VER, }, - { "ipv6.exthdr_ah_res_not_null", IPV6_EXTHDR_AH_RES_NOT_NULL, }, - { "ipv6.hopopts_unknown_opt", IPV6_HOPOPTS_UNKNOWN_OPT, }, - { "ipv6.hopopts_only_padding", IPV6_HOPOPTS_ONLY_PADDING, }, - { "ipv6.dstopts_unknown_opt", IPV6_DSTOPTS_UNKNOWN_OPT, }, - { "ipv6.dstopts_only_padding", IPV6_DSTOPTS_ONLY_PADDING, }, - { "ipv6.rh_type_0", IPV6_EXTHDR_RH_TYPE_0, }, - { "ipv6.zero_len_padn", IPV6_EXTHDR_ZERO_LEN_PADN, }, - { "ipv6.fh_non_zero_reserved_field", IPV6_FH_NON_ZERO_RES_FIELD, }, - { "ipv6.data_after_none_header", IPV6_DATA_AFTER_NONE_HEADER, }, - { "ipv6.unknown_next_header", IPV6_UNKNOWN_NEXT_HEADER, }, - { "ipv6.icmpv4", IPV6_WITH_ICMPV4, }, - - /* TCP EVENTS */ - { "tcp.pkt_too_small", TCP_PKT_TOO_SMALL, }, - { "tcp.hlen_too_small", TCP_HLEN_TOO_SMALL, }, - { "tcp.invalid_optlen", TCP_INVALID_OPTLEN, }, - - /* TCP OPTIONS */ - { "tcp.opt_invalid_len", TCP_OPT_INVALID_LEN, }, - { "tcp.opt_duplicate", TCP_OPT_DUPLICATE, }, - - /* UDP EVENTS */ - { "udp.pkt_too_small", UDP_PKT_TOO_SMALL, }, - { "udp.hlen_too_small", UDP_HLEN_TOO_SMALL, }, - { "udp.hlen_invalid", UDP_HLEN_INVALID, }, - - /* SLL EVENTS */ - { "sll.pkt_too_small", SLL_PKT_TOO_SMALL, }, - - /* ETHERNET EVENTS */ - { "ethernet.pkt_too_small", ETHERNET_PKT_TOO_SMALL, }, - - /* PPP EVENTS */ - { "ppp.pkt_too_small", PPP_PKT_TOO_SMALL, }, - { "ppp.vju_pkt_too_small", PPPVJU_PKT_TOO_SMALL, }, - { "ppp.ip4_pkt_too_small", PPPIPV4_PKT_TOO_SMALL, }, - { "ppp.ip6_pkt_too_small", PPPIPV6_PKT_TOO_SMALL, }, - { "ppp.wrong_type", PPP_WRONG_TYPE, }, /** unknown & invalid protocol */ - { "ppp.unsup_proto", PPP_UNSUP_PROTO, }, /** unsupported but 
valid protocol */ - - /* PPPOE EVENTS */ - { "pppoe.pkt_too_small", PPPOE_PKT_TOO_SMALL, }, - { "pppoe.wrong_code", PPPOE_WRONG_CODE, }, - { "pppoe.malformed_tags", PPPOE_MALFORMED_TAGS, }, - - /* GRE EVENTS */ - { "gre.pkt_too_small", GRE_PKT_TOO_SMALL, }, - { "gre.wrong_version", GRE_WRONG_VERSION, }, - { "gre.version0_recur", GRE_VERSION0_RECUR, }, - { "gre.version0_flags", GRE_VERSION0_FLAGS, }, - { "gre.version0_hdr_too_big", GRE_VERSION0_HDR_TOO_BIG, }, - { "gre.version0_malformed_sre_hdr", GRE_VERSION0_MALFORMED_SRE_HDR, }, - { "gre.version1_chksum", GRE_VERSION1_CHKSUM, }, - { "gre.version1_route", GRE_VERSION1_ROUTE, }, - { "gre.version1_ssr", GRE_VERSION1_SSR, }, - { "gre.version1_recur", GRE_VERSION1_RECUR, }, - { "gre.version1_flags", GRE_VERSION1_FLAGS, }, - { "gre.version1_no_key", GRE_VERSION1_NO_KEY, }, - { "gre.version1_wrong_protocol", GRE_VERSION1_WRONG_PROTOCOL, }, - { "gre.version1_malformed_sre_hdr", GRE_VERSION1_MALFORMED_SRE_HDR, }, - { "gre.version1_hdr_too_big", GRE_VERSION1_HDR_TOO_BIG, }, - - /* VLAN EVENTS */ - { "vlan.header_too_small",VLAN_HEADER_TOO_SMALL, }, - { "vlan.unknown_type",VLAN_UNKNOWN_TYPE, }, - { "vlan.too_many_layers", VLAN_HEADER_TOO_MANY_LAYERS, }, - - /* RAW EVENTS */ - { "ipraw.invalid_ip_version",IPRAW_INVALID_IPV, }, - - /* LINKTYPE NULL EVENTS */ - { "ltnull.pkt_too_small", LTNULL_PKT_TOO_SMALL, }, - { "ltnull.unsupported_type", LTNULL_UNSUPPORTED_TYPE, }, - - /* STREAM EVENTS */ - { "stream.3whs_ack_in_wrong_dir", STREAM_3WHS_ACK_IN_WRONG_DIR, }, - { "stream.3whs_async_wrong_seq", STREAM_3WHS_ASYNC_WRONG_SEQ, }, - { "stream.3whs_right_seq_wrong_ack_evasion", STREAM_3WHS_RIGHT_SEQ_WRONG_ACK_EVASION, }, - { "stream.3whs_synack_in_wrong_direction", STREAM_3WHS_SYNACK_IN_WRONG_DIRECTION, }, - { "stream.3whs_synack_resend_with_different_ack", STREAM_3WHS_SYNACK_RESEND_WITH_DIFFERENT_ACK, }, - { "stream.3whs_synack_resend_with_diff_seq", STREAM_3WHS_SYNACK_RESEND_WITH_DIFF_SEQ, }, - { 
"stream.3whs_synack_toserver_on_syn_recv", STREAM_3WHS_SYNACK_TOSERVER_ON_SYN_RECV, }, - { "stream.3whs_synack_with_wrong_ack", STREAM_3WHS_SYNACK_WITH_WRONG_ACK, }, - { "stream.3whs_synack_flood", STREAM_3WHS_SYNACK_FLOOD, }, - { "stream.3whs_syn_resend_diff_seq_on_syn_recv", STREAM_3WHS_SYN_RESEND_DIFF_SEQ_ON_SYN_RECV, }, - { "stream.3whs_syn_toclient_on_syn_recv", STREAM_3WHS_SYN_TOCLIENT_ON_SYN_RECV, }, - { "stream.3whs_wrong_seq_wrong_ack", STREAM_3WHS_WRONG_SEQ_WRONG_ACK, }, - { "stream.4whs_synack_with_wrong_ack", STREAM_4WHS_SYNACK_WITH_WRONG_ACK, }, - { "stream.4whs_synack_with_wrong_syn", STREAM_4WHS_SYNACK_WITH_WRONG_SYN, }, - { "stream.4whs_wrong_seq", STREAM_4WHS_WRONG_SEQ, }, - { "stream.4whs_invalid_ack", STREAM_4WHS_INVALID_ACK, }, - { "stream.closewait_ack_out_of_window", STREAM_CLOSEWAIT_ACK_OUT_OF_WINDOW, }, - { "stream.closewait_fin_out_of_window", STREAM_CLOSEWAIT_FIN_OUT_OF_WINDOW, }, - { "stream.closewait_pkt_before_last_ack", STREAM_CLOSEWAIT_PKT_BEFORE_LAST_ACK, }, - { "stream.closewait_invalid_ack", STREAM_CLOSEWAIT_INVALID_ACK, }, - { "stream.closing_ack_wrong_seq", STREAM_CLOSING_ACK_WRONG_SEQ, }, - { "stream.closing_invalid_ack", STREAM_CLOSING_INVALID_ACK, }, - { "stream.est_packet_out_of_window", STREAM_EST_PACKET_OUT_OF_WINDOW, }, - { "stream.est_pkt_before_last_ack", STREAM_EST_PKT_BEFORE_LAST_ACK, }, - { "stream.est_synack_resend", STREAM_EST_SYNACK_RESEND, }, - { "stream.est_synack_resend_with_different_ack", STREAM_EST_SYNACK_RESEND_WITH_DIFFERENT_ACK, }, - { "stream.est_synack_resend_with_diff_seq", STREAM_EST_SYNACK_RESEND_WITH_DIFF_SEQ, }, - { "stream.est_synack_toserver", STREAM_EST_SYNACK_TOSERVER, }, - { "stream.est_syn_resend", STREAM_EST_SYN_RESEND, }, - { "stream.est_syn_resend_diff_seq", STREAM_EST_SYN_RESEND_DIFF_SEQ, }, - { "stream.est_syn_toclient", STREAM_EST_SYN_TOCLIENT, }, - { "stream.est_invalid_ack", STREAM_EST_INVALID_ACK, }, - { "stream.fin_invalid_ack", STREAM_FIN_INVALID_ACK, }, - { 
"stream.fin1_ack_wrong_seq", STREAM_FIN1_ACK_WRONG_SEQ, }, - { "stream.fin1_fin_wrong_seq", STREAM_FIN1_FIN_WRONG_SEQ, }, - { "stream.fin1_invalid_ack", STREAM_FIN1_INVALID_ACK, }, - { "stream.fin2_ack_wrong_seq", STREAM_FIN2_ACK_WRONG_SEQ, }, - { "stream.fin2_fin_wrong_seq", STREAM_FIN2_FIN_WRONG_SEQ, }, - { "stream.fin2_invalid_ack", STREAM_FIN2_INVALID_ACK, }, - { "stream.fin_but_no_session", STREAM_FIN_BUT_NO_SESSION, }, - { "stream.fin_out_of_window", STREAM_FIN_OUT_OF_WINDOW, }, - { "stream.lastack_ack_wrong_seq", STREAM_LASTACK_ACK_WRONG_SEQ, }, - { "stream.lastack_invalid_ack", STREAM_LASTACK_INVALID_ACK, }, - { "stream.rst_but_no_session", STREAM_RST_BUT_NO_SESSION, }, - { "stream.timewait_ack_wrong_seq", STREAM_TIMEWAIT_ACK_WRONG_SEQ, }, - { "stream.timewait_invalid_ack", STREAM_TIMEWAIT_INVALID_ACK, }, - { "stream.pkt_invalid_timestamp", STREAM_PKT_INVALID_TIMESTAMP, }, - { "stream.pkt_invalid_ack", STREAM_PKT_INVALID_ACK, }, - { "stream.pkt_broken_ack", STREAM_PKT_BROKEN_ACK, }, - { "stream.rst_invalid_ack", STREAM_RST_INVALID_ACK, }, - { "stream.shutdown_syn_resend", STREAM_SHUTDOWN_SYN_RESEND, }, - { "stream.pkt_retransmission", STREAM_PKT_RETRANSMISSION, }, - { "stream.reassembly_segment_before_base_seq", STREAM_REASSEMBLY_SEGMENT_BEFORE_BASE_SEQ, }, - { "stream.reassembly_no_segment", STREAM_REASSEMBLY_NO_SEGMENT, }, - { "stream.reassembly_seq_gap", STREAM_REASSEMBLY_SEQ_GAP, }, - { "stream.reassembly_overlap_different_data", STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA, }, - { "stream.pkt_bad_window_update", STREAM_PKT_BAD_WINDOW_UPDATE, }, - - /* SCTP EVENTS */ - { "sctp.pkt_too_small", SCTP_PKT_TOO_SMALL, }, - - /* Fragmentation reasembly events. 
*/ - { "ipv4.frag_too_large", IPV4_FRAG_PKT_TOO_LARGE, }, - { "ipv6.frag_too_large", IPV6_FRAG_PKT_TOO_LARGE, }, - { "ipv4.frag_overlap", IPV4_FRAG_OVERLAP, }, - { "ipv6.frag_overlap", IPV6_FRAG_OVERLAP, }, - /* Fragment ignored due to internal error */ - { "ipv4.frag_ignored", IPV4_FRAG_IGNORED, }, - { "ipv6.frag_ignored", IPV6_FRAG_IGNORED, }, - - /* IPv4 in IPv6 events */ - { "ipv6.ipv4_in_ipv6_too_small", IPV4_IN_IPV6_PKT_TOO_SMALL, }, - { "ipv6.ipv4_in_ipv6_wrong_version", IPV4_IN_IPV6_WRONG_IP_VER, }, - /* IPv6 in IPv6 events */ - { "ipv6.ipv6_in_ipv6_too_small", IPV6_IN_IPV6_PKT_TOO_SMALL, }, - { "ipv6.ipv6_in_ipv6_wrong_version", IPV6_IN_IPV6_WRONG_IP_VER, }, - - /* MPLS events */ - { "mpls.bad_label_router_alert", MPLS_BAD_LABEL_ROUTER_ALERT, }, - { "mpls.bad_label_implicit_null", MPLS_BAD_LABEL_IMPLICIT_NULL, }, - { "mpls.bad_label_reserved", MPLS_BAD_LABEL_RESERVED, }, - { "mpls.unknown_payload_type", MPLS_UNKNOWN_PAYLOAD_TYPE, }, - - /* ERSPAN events */ - { "erspan.header_too_small", ERSPAN_HEADER_TOO_SMALL, }, - { "erspan.unsupported_version", ERSPAN_UNSUPPORTED_VERSION, }, - { "erspan.too_many_vlan_layers", ERSPAN_TOO_MANY_VLAN_LAYERS, }, - - { NULL, 0 }, -}; -#endif /* DETECT_EVENTS */ - #endif /*__DETECT_ENGINE_EVENT_H__ */