From: Michael Altizer (mialtize) Date: Wed, 1 Apr 2020 21:08:11 +0000 (+0000) Subject: Merge pull request #2112 in SNORT/snort3 from ~MIALTIZE/snort3:cmd to master X-Git-Tag: 3.0.1-2~45 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=536f5519606ab37d897d8620bb3cec29eb864693;p=thirdparty%2Fsnort3.git Merge pull request #2112 in SNORT/snort3 from ~MIALTIZE/snort3:cmd to master Squashed commit of the following: commit 629a62312051ee2a5a01debab91ffa0166113dcb Author: Michael Altizer Date: Thu Mar 26 17:14:42 2020 -0400 loggers: Add SGT field to CSV and JSON loggers commit 54211092635b918760eee6e9eea24f35a42aac2e Author: Michael Altizer Date: Thu Mar 26 17:14:42 2020 -0400 codecs: Clean up CiscoMetaData implementation --- diff --git a/src/codecs/link/CMakeLists.txt b/src/codecs/link/CMakeLists.txt index 289bff94f..81593ae82 100644 --- a/src/codecs/link/CMakeLists.txt +++ b/src/codecs/link/CMakeLists.txt @@ -36,4 +36,3 @@ if(STATIC_CODECS) ) endif(STATIC_CODECS) -add_subdirectory(test) diff --git a/src/codecs/link/cd_ciscometadata.cc b/src/codecs/link/cd_ciscometadata.cc index 47ab16c8a..55e46d1ea 100644 --- a/src/codecs/link/cd_ciscometadata.cc +++ b/src/codecs/link/cd_ciscometadata.cc @@ -23,9 +23,8 @@ #include "codecs/codec_module.h" #include "framework/codec.h" -#include "log/messages.h" +#include "log/text_log.h" #include "protocols/cisco_meta_data.h" -#include "protocols/layer.h" using namespace snort; @@ -39,10 +38,32 @@ static const RuleMap ciscometadata_rules[] = { DECODE_CISCO_META_HDR_TRUNC, "truncated Cisco Metadata header" }, { DECODE_CISCO_META_HDR_OPT_LEN, "invalid Cisco Metadata option length" }, { DECODE_CISCO_META_HDR_OPT_TYPE, "invalid Cisco Metadata option type" }, - { DECODE_CISCO_META_HDR_SGT, "invalid Cisco Metadata SGT" }, + { DECODE_CISCO_META_HDR_SGT, "invalid Cisco Metadata security group tag" }, { 0, nullptr } }; +static const PegInfo ciscometadata_pegs[] = +{ + { CountType::SUM, "truncated_hdr", "total truncated Cisco Metadata headers" }, + { CountType::SUM, "invalid_hdr_ver", "total invalid Cisco Metadata header versions" }, + { CountType::SUM, "invalid_hdr_len", "total invalid Cisco Metadata header lengths" }, + { CountType::SUM, "invalid_opt_len", "total invalid Cisco Metadata option lengths" }, + { CountType::SUM, "invalid_opt_type", "total invalid Cisco Metadata option types" }, + { CountType::SUM, "invalid_sgt", "total invalid Cisco Metadata security group tags" }, + { CountType::END, nullptr, nullptr } +}; + +struct CiscoMetaDataStats +{ + PegCount truncated_hdr; + PegCount invalid_hdr_ver; + PegCount invalid_hdr_len; + PegCount invalid_opt_len; + PegCount invalid_opt_type; + PegCount invalid_sgt; +}; +static THREAD_LOCAL CiscoMetaDataStats ciscometadata_stats; + class CiscoMetaDataModule : public CodecModule { public: @@ -50,6 +71,12 @@ public: const RuleMap* get_rules() const override { return ciscometadata_rules; } + + const PegInfo* get_pegs() const override + { return ciscometadata_pegs; } + + PegCount* get_counts() const override + { return (PegCount*) &ciscometadata_stats; } }; class CiscoMetaDataCodec : public Codec @@ -59,13 +86,15 @@ public: void get_protocol_ids(std::vector& v) override; bool decode(const RawData&, CodecData&, DecodeData&) override; + void log(TextLog* const, const uint8_t* raw_pkt, const uint16_t lyr_len) override; }; -constexpr uint8_t CISCO_META_OPT_LEN_SHIFT = 4; +constexpr uint8_t CISCO_META_VALID_HDR_VER = 1; +constexpr uint8_t CISCO_META_VALID_HDR_LEN = 1; +constexpr uint16_t CISCO_META_VALID_OPT_LEN = 0; +constexpr uint8_t CISCO_META_OPT_LEN_SHIFT = 13; constexpr uint16_t CISCO_META_OPT_TYPE_SGT = 1; -constexpr uint16_t CISCO_META_OPT_TYPE_MASK = 0x1FFF; //mask opt_len_type to get option type -// Currently we only support one CiscoMetaDataHdr which is size of 1 byte. -constexpr uint8_t SUPPORTED_HDR_LEN = 1; +constexpr uint16_t CISCO_META_OPT_TYPE_MASK = 0x1FFF; // mask opt_len_type to get option type } // namespace void CiscoMetaDataCodec::get_protocol_ids(std::vector& v) @@ -73,18 +102,9 @@ void CiscoMetaDataCodec::get_protocol_ids(std::vector& v) bool CiscoMetaDataCodec::decode(const RawData& raw, CodecData& codec, DecodeData&) { - uint16_t len; - uint16_t type; - - /* 2 octets for ethertype + 2 octets for CiscoMetaDataHdr - * + 4 octets for CiscoMetaDataOpt - */ - uint32_t total_len = (sizeof(uint16_t) - + sizeof(cisco_meta_data::CiscoMetaDataHdr) - + sizeof(cisco_meta_data::CiscoMetaDataOpt)); - - if (raw.len < total_len) + if (raw.len < sizeof(cisco_meta_data::CiscoMetaDataHdr)) { + ciscometadata_stats.truncated_hdr++; codec_event(codec, DECODE_CISCO_META_HDR_TRUNC); return false; } @@ -92,50 +112,49 @@ bool CiscoMetaDataCodec::decode(const RawData& raw, CodecData& codec, DecodeData const cisco_meta_data::CiscoMetaDataHdr* const cmdh = reinterpret_cast(raw.data); - if (SUPPORTED_HDR_LEN != cmdh->length) + if (cmdh->version != CISCO_META_VALID_HDR_VER) { - codec_event(codec, DECODE_CISCO_META_HDR_TRUNC); + ciscometadata_stats.invalid_hdr_ver++; return false; } - const cisco_meta_data::CiscoMetaDataOpt* cmd_option = - reinterpret_cast(raw.data - + sizeof(cisco_meta_data::CiscoMetaDataHdr)); + if (cmdh->length != CISCO_META_VALID_HDR_LEN) + { + ciscometadata_stats.invalid_hdr_len++; + return false; + } // Top 3 bits (length) must be equal to 0 // Bottom 13 bits (type) must be 1 to indicate SGT - len = ntohs(cmd_option->opt_len_type) >> CISCO_META_OPT_LEN_SHIFT; - type = ntohs(cmd_option->opt_len_type) & CISCO_META_OPT_TYPE_MASK; + uint16_t len = ntohs(cmdh->opt_len_type) >> CISCO_META_OPT_LEN_SHIFT; + uint16_t type = ntohs(cmdh->opt_len_type) & CISCO_META_OPT_TYPE_MASK; - // 0 indicates 4 octets which is sizeof(CiscoMetaDataOpt) - if (len != 0) + // 0 indicates no additional options beyond SGT, which is all we support + if (len > CISCO_META_VALID_OPT_LEN) { + ciscometadata_stats.invalid_opt_len++; codec_event(codec, DECODE_CISCO_META_HDR_OPT_LEN); return false; } if (type != CISCO_META_OPT_TYPE_SGT) { + ciscometadata_stats.invalid_opt_type++; codec_event(codec, DECODE_CISCO_META_HDR_OPT_TYPE); return false; } /* Tag value 0xFFFF is invalid */ - if (cmd_option->sgt == 0xFFFF) + if (cmdh->sgt == 0xFFFF) { + ciscometadata_stats.invalid_sgt++; codec_event(codec, DECODE_CISCO_META_HDR_SGT); return false; } -#ifdef REG_TEST - LogMessage("Value of sgt %d\n", ntohs(cmd_option->sgt)); -#endif - - codec.lyr_len = total_len; + codec.lyr_len = sizeof(cisco_meta_data::CiscoMetaDataHdr); - //The last 2 octets of the header will be the real ethtype - codec.next_prot_id = static_cast - (ntohs(*((const uint16_t*)(raw.data + codec.lyr_len - sizeof(uint16_t))))); + codec.next_prot_id = static_cast(ntohs(cmdh->ether_type)); codec.codec_flags |= CODEC_ETHER_NEXT; codec.proto_bits |= PROTO_BIT__CISCO_META_DATA; @@ -143,6 +162,16 @@ bool CiscoMetaDataCodec::decode(const RawData& raw, CodecData& codec, DecodeData return true; } +void CiscoMetaDataCodec::log(TextLog* const text_log, const uint8_t* raw_pkt, + const uint16_t /*lyr_len*/) +{ + const cisco_meta_data::CiscoMetaDataHdr* const cmdh = + reinterpret_cast(raw_pkt); + + TextLog_Print(text_log, "Ver:%hhu SGT:%hu EtherNext:0x%X", + cmdh->version, cmdh->sgt_val(), ntohs(cmdh->ether_type)); +} + //------------------------------------------------------------------------- // api //------------------------------------------------------------------------- diff --git a/src/codecs/link/test/CMakeLists.txt b/src/codecs/link/test/CMakeLists.txt deleted file mode 100644 index 1ac67d6eb..000000000 --- a/src/codecs/link/test/CMakeLists.txt +++ /dev/null @@ -1,4 +0,0 @@ -add_cpputest( cisco_meta_data_test - SOURCES - ../../../protocols/layer.cc -) diff --git a/src/codecs/link/test/cisco_meta_data_test.cc b/src/codecs/link/test/cisco_meta_data_test.cc deleted file mode 100644 index 740b09187..000000000 --- a/src/codecs/link/test/cisco_meta_data_test.cc +++ /dev/null @@ -1,115 +0,0 @@ -//-------------------------------------------------------------------------- -// Copyright (C) 2019-2020 Cisco and/or its affiliates. All rights reserved. -// -// This program is free software; you can redistribute it and/or modify it -// under the terms of the GNU General Public License Version 2 as published -// by the Free Software Foundation. You may not use, modify or distribute -// this program under any other version of the GNU General Public License. -// -// This program is distributed in the hope that it will be useful, but -// WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -//-------------------------------------------------------------------------- - -// cisco_meta_data_test.cc author Sunirmal Mukherjee -// unit test main - -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - - -#include "protocols/cisco_meta_data.h" -#include "protocols/ip.h" -#include "protocols/layer.h" -#include "protocols/packet.h" - -#include -#include - -using namespace snort; - -//------------------------------------------------------------------------- -// tests -//------------------------------------------------------------------------- - -Packet::Packet(bool) { } -Packet::~Packet() = default; - -namespace snort -{ -void ip::IpApi::set(ip::IP4Hdr const* iph) -{ - return; -} - -void ip::IpApi::set(ip::IP6Hdr const* iph) -{ - return; -} - -void ip::IpApi::reset() -{ - return; -} - -const uint8_t* ip::IpApi::ip_data() const -{ - return nullptr; -} -} - -static inline void push_layer(Packet* p, - ProtocolId prot_id, - const uint8_t* hdr_start, - uint32_t len) -{ - Layer& lyr = p->layers[p->num_layers++]; - lyr.prot_id = prot_id; - lyr.start = hdr_start; - lyr.length = (uint16_t)len; -} - -TEST_GROUP(cisco_meta_data_test) -{ -}; - -TEST(cisco_meta_data_test, cisco_meta_data_class_test) -{ - Packet pkt(false); - Layer layers; - uint8_t * cmd_data; - int len; - int sgt; - - pkt.num_layers = 0; - pkt.layers = &layers; - - cmd_data = new uint8_t[sizeof(cisco_meta_data::CiscoMetaDataHdr) + - sizeof(cisco_meta_data::CiscoMetaDataOpt)]; - - cisco_meta_data::CiscoMetaDataOpt* cmd_options = - reinterpret_cast(cmd_data + - sizeof(cisco_meta_data::CiscoMetaDataHdr)); - - cmd_options->sgt = 512; - - len = (sizeof(cisco_meta_data::CiscoMetaDataHdr) + sizeof(cisco_meta_data::CiscoMetaDataOpt)); - pkt.proto_bits |= PROTO_BIT__CISCO_META_DATA; - push_layer(&pkt, ProtocolId::ETHERTYPE_CISCO_META, cmd_data, len); - sgt = htons(layer::get_cisco_meta_data_layer(&pkt)->sgt_val()); - CHECK(sgt == cmd_options->sgt); - - delete[] cmd_data; -} - -int main(int argc, char** argv) -{ - return CommandLineTestRunner::RunAllTests(argc, argv); -} - diff --git a/src/codecs/link/test/dev_notes.txt b/src/codecs/link/test/dev_notes.txt deleted file mode 100644 index 65051eeaf..000000000 --- a/src/codecs/link/test/dev_notes.txt +++ /dev/null @@ -1,8 +0,0 @@ -This is the test case to parse SGT(Security Group Tag/Trustsec) from CiscoMetaData. - -CiscoMetaData - A proprietary header in ethernet layer, called CiscoMetaDataHdr. - After CiscoMetaDataHdr, packet contains CiscoMetaDataOpt which carries - SGT data. - -Here created a dummy packet which has CiscoMetaDataHdr integrated and pushing it to layer stack. -To validate the sgt data, parsing it from layer and comparing with the expected. diff --git a/src/loggers/alert_csv.cc b/src/loggers/alert_csv.cc index c3451bb82..9ae5838ea 100644 --- a/src/loggers/alert_csv.cc +++ b/src/loggers/alert_csv.cc @@ -41,6 +41,7 @@ #include "log/text_log.h" #include "packet_io/active.h" #include "packet_io/sfdaq.h" +#include "protocols/cisco_meta_data.h" #include "protocols/eth.h" #include "protocols/icmp4.h" #include "protocols/tcp.h" @@ -340,6 +341,15 @@ static void ff_service(const Args& a) TextLog_Puts(csv_log, svc); } +static void ff_sgt(const Args& a) +{ + if (a.pkt->proto_bits & PROTO_BIT__CISCO_META_DATA) + { + const cisco_meta_data::CiscoMetaDataHdr* cmdh = layer::get_cisco_meta_data_layer(a.pkt); + TextLog_Print(csv_log, "%hu", cmdh->sgt_val()); + } +} + static void ff_sid(const Args& a) { TextLog_Print(csv_log, "%u", a.event.sig_info->sid); @@ -465,19 +475,19 @@ static const CsvFunc csv_func[] = ff_eth_type, ff_flowstart_time, ff_gid, ff_icmp_code, ff_icmp_id, ff_icmp_seq, ff_icmp_type, ff_iface, ff_ip_id, ff_ip_len, ff_msg, ff_mpls, ff_pkt_gen, ff_pkt_len, ff_pkt_num, ff_priority, ff_proto, ff_rev, ff_rule, ff_seconds, ff_server_bytes, - ff_server_pkts, ff_service, ff_sid, ff_src_addr, ff_src_ap, ff_src_port, ff_target, - ff_tcp_ack, ff_tcp_flags,ff_tcp_len, ff_tcp_seq, ff_tcp_win, ff_timestamp, ff_tos, - ff_ttl, ff_udp_len, ff_vlan + ff_server_pkts, ff_service, ff_sgt, ff_sid, ff_src_addr, ff_src_ap, ff_src_port, + ff_target, ff_tcp_ack, ff_tcp_flags,ff_tcp_len, ff_tcp_seq, ff_tcp_win, ff_timestamp, + ff_tos, ff_ttl, ff_udp_len, ff_vlan }; #define csv_range \ - "action | class | b64_data | client_bytes | client_pkts | dir | dst_addr | " \ - "dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | flowstart_time | "\ - "gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | "\ - "ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | " \ + "action | class | b64_data | client_bytes | client_pkts | dir | " \ + "dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | " \ + "eth_type | flowstart_time | gid | icmp_code | icmp_id | icmp_seq | " \ + "icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | " \ "pkt_num | priority | proto | rev | rule | seconds | server_bytes | " \ - "server_pkts | service | sid | src_addr | src_ap | src_port | target | " \ - "tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | " \ + "server_pkts | service | sgt| sid | src_addr | src_ap | src_port | " \ + "target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | " \ "tos | ttl | udp_len | vlan" #define csv_deflt \ diff --git a/src/loggers/alert_json.cc b/src/loggers/alert_json.cc index 386f1bdcf..cf7025300 100644 --- a/src/loggers/alert_json.cc +++ b/src/loggers/alert_json.cc @@ -42,6 +42,7 @@ #include "log/text_log.h" #include "packet_io/active.h" #include "packet_io/sfdaq.h" +#include "protocols/cisco_meta_data.h" #include "protocols/eth.h" #include "protocols/icmp4.h" #include "protocols/tcp.h" @@ -470,6 +471,18 @@ static bool ff_service(const Args& a) return true; } +static bool ff_sgt(const Args& a) +{ + if (a.pkt->proto_bits & PROTO_BIT__CISCO_META_DATA) + { + const cisco_meta_data::CiscoMetaDataHdr* cmdh = layer::get_cisco_meta_data_layer(a.pkt); + print_label(a, "sgt"); + TextLog_Print(json_log, "%hu", cmdh->sgt_val()); + return true; + } + return false; +} + static bool ff_sid(const Args& a) { print_label(a, "sid"); @@ -650,22 +663,23 @@ typedef bool (*JsonFunc)(const Args&); static const JsonFunc json_func[] = { ff_action, ff_class, ff_b64_data, ff_client_bytes, ff_client_pkts, ff_dir, - ff_dst_addr, ff_dst_ap, ff_dst_port, ff_eth_dst, ff_eth_len, ff_eth_src, ff_eth_type, - ff_flowstart_time, ff_gid, ff_icmp_code, ff_icmp_id, ff_icmp_seq, ff_icmp_type, - ff_iface, ff_ip_id, ff_ip_len, ff_msg, ff_mpls, ff_pkt_gen, ff_pkt_len, + ff_dst_addr, ff_dst_ap, ff_dst_port, ff_eth_dst, ff_eth_len, ff_eth_src, + ff_eth_type, ff_flowstart_time, ff_gid, ff_icmp_code, ff_icmp_id, ff_icmp_seq, + ff_icmp_type, ff_iface, ff_ip_id, ff_ip_len, ff_msg, ff_mpls, ff_pkt_gen, ff_pkt_len, ff_pkt_num, ff_priority, ff_proto, ff_rev, ff_rule, ff_seconds, ff_server_bytes, - ff_server_pkts, ff_service, ff_sid, ff_src_addr, ff_src_ap, ff_src_port, ff_target, - ff_tcp_ack, ff_tcp_flags, ff_tcp_len, ff_tcp_seq, ff_tcp_win, ff_timestamp, ff_tos, - ff_ttl, ff_udp_len, ff_vlan + ff_server_pkts, ff_service, ff_sgt, ff_sid, ff_src_addr, ff_src_ap, ff_src_port, + ff_target, ff_tcp_ack, ff_tcp_flags,ff_tcp_len, ff_tcp_seq, ff_tcp_win, ff_timestamp, + ff_tos, ff_ttl, ff_udp_len, ff_vlan }; #define json_range \ - "action | class | b64_data | client_bytes | client_pkts | dir | dst_addr | dst_ap | " \ - "dst_port | eth_dst | eth_len | eth_src | eth_type | flowstart_time | " \ - "gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | " \ - "msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | " \ - "seconds | server_bytes | server_pkts | service | sid | src_addr | src_ap | src_port | target | " \ - "tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | " \ + "action | class | b64_data | client_bytes | client_pkts | dir | " \ + "dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | " \ + "eth_type | flowstart_time | gid | icmp_code | icmp_id | icmp_seq | " \ + "icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | " \ + "pkt_num | priority | proto | rev | rule | seconds | server_bytes | " \ + "server_pkts | service | sgt| sid | src_addr | src_ap | src_port | " \ + "target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | " \ "tos | ttl | udp_len | vlan" #define json_deflt \ diff --git a/src/protocols/cisco_meta_data.h b/src/protocols/cisco_meta_data.h index 79edbc719..9bca3b811 100644 --- a/src/protocols/cisco_meta_data.h +++ b/src/protocols/cisco_meta_data.h @@ -15,7 +15,7 @@ // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- -// cisco_meta_data.h author Sunirmal Mukherjee +// cisco_meta_data.h author Michael Altizer #ifndef PROTOCOLS_CISCO_META_DATA_H #define PROTOCOLS_CISCO_META_DATA_H @@ -28,14 +28,11 @@ namespace cisco_meta_data { struct CiscoMetaDataHdr { - uint8_t version; // This must be 1 - uint8_t length; //This is the header size in bytes / 8 -}; - -struct CiscoMetaDataOpt -{ - uint16_t opt_len_type; // 3-bit length + 13-bit type. Type must be 1 - uint16_t sgt; // Can be any value except 0xFFFF + uint8_t version; // MetaData header version + uint8_t length; // Header size in quadwords + uint16_t opt_len_type; // 3-bit length + 13-bit type + uint16_t sgt; // Security Group Tag (anything but 0xFFFF) + uint16_t ether_type; // Ethertype for following layer inline uint16_t sgt_val() const { return ntohs(sgt); } diff --git a/src/protocols/layer.cc b/src/protocols/layer.cc index 3ca218f33..c39afa776 100644 --- a/src/protocols/layer.cc +++ b/src/protocols/layer.cc @@ -150,18 +150,14 @@ const vlan::VlanTagHdr* get_vlan_layer(const Packet* const p) return reinterpret_cast(lyr->start); } -const cisco_meta_data::CiscoMetaDataOpt* get_cisco_meta_data_layer(const Packet* const p) +const cisco_meta_data::CiscoMetaDataHdr* get_cisco_meta_data_layer(const Packet* const p) { assert( p->proto_bits & PROTO_BIT__CISCO_META_DATA ); - uint8_t num_layers = p->num_layers; - const Layer* lyr = p->layers; - const Layer* cmd_lyr; - cmd_lyr = find_layer(lyr, num_layers, ProtocolId::ETHERTYPE_CISCO_META, + const Layer* lyr = find_layer(p->layers, p->num_layers, ProtocolId::ETHERTYPE_CISCO_META, ProtocolId::ETHERTYPE_CISCO_META); - return reinterpret_cast(cmd_lyr->start - + sizeof(snort::cisco_meta_data::CiscoMetaDataHdr)); + return reinterpret_cast(lyr->start); } const eth::EtherHdr* get_eth_layer(const Packet* const p) diff --git a/src/protocols/layer.h b/src/protocols/layer.h index a9d339a6e..5d8244b83 100644 --- a/src/protocols/layer.h +++ b/src/protocols/layer.h @@ -21,7 +21,6 @@ #define PROTOCOLS_LAYER_H #include "main/snort_types.h" -#include "protocols/cisco_meta_data.h" #include "protocols/protocol_ids.h" namespace snort @@ -33,22 +32,17 @@ struct Layer uint16_t length; }; -// forward declaring relevant structs. Since we're only return a pointer, +// forward declaring relevant structs. Since we're only returning a pointer, // there is no need for the actual header files -namespace vlan -{ -struct VlanTagHdr; -} - namespace arp { struct EtherARP; } -namespace gre +namespace cisco_meta_data { -struct GREHdr; +struct CiscoMetaDataHdr; } namespace eapol @@ -61,6 +55,16 @@ namespace eth struct EtherHdr; } +namespace gre +{ +struct GREHdr; +} + +namespace icmp +{ +struct ICMPHdr; +} + namespace ip { class IpApi; @@ -77,14 +81,14 @@ namespace udp struct UDPHdr; } -namespace wlan +namespace vlan { -struct WifiHdr; +struct VlanTagHdr; } -namespace icmp +namespace wlan { -struct ICMPHdr; +struct WifiHdr; } struct Packet; @@ -94,31 +98,34 @@ namespace layer // Set by PacketManager. Ensure you can call layer:: without a packet pointers void set_packet_pointer(const Packet* const); +SO_PUBLIC const uint8_t* get_root_layer(const Packet* const); + SO_PUBLIC const uint8_t* get_inner_layer(const Packet*, ProtocolId proto); SO_PUBLIC const uint8_t* get_outer_layer(const Packet*, ProtocolId proto); SO_PUBLIC const arp::EtherARP* get_arp_layer(const Packet*); -SO_PUBLIC const vlan::VlanTagHdr* get_vlan_layer(const Packet*); -SO_PUBLIC const gre::GREHdr* get_gre_layer(const Packet*); +SO_PUBLIC const cisco_meta_data::CiscoMetaDataHdr* get_cisco_meta_data_layer(const Packet* const); SO_PUBLIC const eapol::EtherEapol* get_eapol_layer(const Packet*); SO_PUBLIC const eth::EtherHdr* get_eth_layer(const Packet*); +SO_PUBLIC const gre::GREHdr* get_gre_layer(const Packet*); +SO_PUBLIC const vlan::VlanTagHdr* get_vlan_layer(const Packet*); SO_PUBLIC const wlan::WifiHdr* get_wifi_layer(const Packet*); -SO_PUBLIC const uint8_t* get_root_layer(const Packet* const); + /* return a pointer to the outermost UDP layer */ SO_PUBLIC const udp::UDPHdr* get_outer_udp_lyr(const Packet* const); // return the inner ip layer's index in the p->layers array -SO_PUBLIC int get_inner_ip_lyr_index(const Packet* const p); -SO_PUBLIC const Layer* get_mpls_layer(const Packet* const p); +SO_PUBLIC int get_inner_ip_lyr_index(const Packet* const); +SO_PUBLIC const Layer* get_mpls_layer(const Packet* const); // Two versions of this because ip_defrag:: wants to call this on // its rebuilt packet, not on the current packet. Extra function // header will be removed once layer is a part of the Packet struct SO_PUBLIC const ip::IP6Frag* get_inner_ip6_frag(); -SO_PUBLIC const ip::IP6Frag* get_inner_ip6_frag(const Packet* const p); +SO_PUBLIC const ip::IP6Frag* get_inner_ip6_frag(const Packet* const); // returns -1 on failure if no frag layer exists. // else, returns zero based ip6 index -SO_PUBLIC int get_inner_ip6_frag_index(const Packet* const p); +SO_PUBLIC int get_inner_ip6_frag_index(const Packet* const); // ICMP with Embedded IP layer @@ -181,9 +188,6 @@ SO_PUBLIC bool set_inner_ip_api(const Packet* const, ip::IpApi&, SO_PUBLIC bool set_outer_ip_api(const Packet* const, ip::IpApi&, int8_t& curr_layer); SO_PUBLIC bool set_outer_ip_api(const Packet* const, ip::IpApi&, IpProtocol& next_ip_proto, int8_t& curr_layer); - -/* This is the api to get CiscoMetaData layer to fetch SGT value from it */ -SO_PUBLIC const cisco_meta_data::CiscoMetaDataOpt* get_cisco_meta_data_layer(const Packet* const p); } // namespace layer } // namespace snort #endif