From: Jason Ish Date: Thu, 13 Mar 2025 16:36:08 +0000 (-0600) Subject: af-packet: add event for packets truncated by af-packet X-Git-Tag: suricata-8.0.0-beta1~267 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d78f2c9a4e2b59f44daeddff098915084493d08d;p=thirdparty%2Fsuricata.git af-packet: add event for packets truncated by af-packet Ticket: #7458
---
diff --git a/etc/schema.json b/etc/schema.json
index 5f81e4e064..ff05ed0bc7 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -5408,6 +5408,17 @@
       "event": {
         "type": "object",
         "properties": {
+          "afpacket": {
+            "type": "object",
+            "properties": {
+              "trunc_pkt": {
+                "description":
+                  "Number of packets truncated by AF_PACKET",
+                "type": "integer"
+              }
+            },
+            "additionalProperties": false
+          },
           "arp": {
             "type": "object",
             "properties": {
diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules
index 1247b0ee26..6374a2c4cf 100644
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -152,5 +152,8 @@ alert pkthdr any any -> any any (msg:"SURICATA CHDLC packet too small"; decode-e
 alert pkthdr any any -> any any (msg:"SURICATA packet with too many layers"; decode-event:too_many_layers; classtype:protocol-command-decode; sid:2200116; rev:1;)
-# next sid is 2200122
+# Capture events.
+alert pkthdr any any -> any any (msg:"SURICATA AF-PACKET truncated packet"; decode-event:afpacket.trunc_pkt; classtype:protocol-command-decode; sid:2200122; rev:1;)
+
+# next sid is 2200123
diff --git a/src/decode-events.c b/src/decode-events.c
index 40d28a0d81..7648a911e6 100644
--- a/src/decode-events.c
+++ b/src/decode-events.c
@@ -27,6 +27,11 @@
 /* code moved to app-layer-events */
 const struct DecodeEvents_ DEvents[] = {
+    /* CAPTURE EVENTS */
+    {
+            "decoder.afpacket.trunc_pkt",
+            AFP_TRUNC_PKT,
+    },
     /* IPV4 EVENTS */
     {
             "decoder.ipv4.pkt_too_small",
diff --git a/src/decode-events.h b/src/decode-events.h
index b29ecf4792..6acd1ef045 100644
--- a/src/decode-events.h
+++ b/src/decode-events.h
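Review bot: The new group is labelled `/* CAPTURE EVENTS */` here but `/* AF_PACKET EVENTS */` in the matching decode-events.h hunk; the two files mirror each other entry for entry, so the comments should use the same label, e.g. `/* AF_PACKET EVENTS */` in both, since the entry is specific to AF_PACKET rather than to capture in general. Placing AFP_TRUNC_PKT at index 0 in decode-events.h also shifts the numeric value of every existing decoder event by one; that is harmless if the values are only reached in-process through this table, but it is worth confirming that nothing persists or compares the raw enum values. The DEvents[] initializer continues outside the hunk.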
@@ -27,8 +27,11 @@
 /* packet decoder events */
 enum {
+    /* AF_PACKET EVENTS */
+    AFP_TRUNC_PKT = 0, /**< packet truncated by af-packet */
+
     /* IPV4 EVENTS */
-    IPV4_PKT_TOO_SMALL = 0, /**< ipv4 pkt smaller than minimum header size */
+    IPV4_PKT_TOO_SMALL, /**< ipv4 pkt smaller than minimum header size */
     IPV4_HLEN_TOO_SMALL, /**< ipv4 header smaller than minimum size */
     IPV4_IPLEN_SMALLER_THAN_HLEN, /**< ipv4 pkt len smaller than ip header size */
     IPV4_TRUNC_PKT, /**< truncated ipv4 packet */
diff --git a/src/source-af-packet.c b/src/source-af-packet.c
index 140bfd0da0..41e605fa85 100644
--- a/src/source-af-packet.c
+++ b/src/source-af-packet.c
@@ -779,6 +779,7 @@ static void AFPReadFromRingSetupPacket(
     if (h.h2->tp_len > h.h2->tp_snaplen) {
         SCLogDebug("Packet length (%d) > snaplen (%d), truncating", h.h2->tp_len, h.h2->tp_snaplen);
+        ENGINE_SET_INVALID_EVENT(p, AFP_TRUNC_PKT);
     }
     /* get vlan id from header */
@@ -980,6 +981,11 @@ static inline int AFPParsePacketV3(AFPThreadVars *ptv, struct tpacket_block_desc
         p->afp_v.vlan_tci = (uint16_t)ppd->hv1.tp_vlan_tci;
     }
+    if (ppd->tp_len > ppd->tp_snaplen) {
+        SCLogDebug("Packet length (%d) > snaplen (%d), truncating", ppd->tp_len, ppd->tp_snaplen);
+        ENGINE_SET_INVALID_EVENT(p, AFP_TRUNC_PKT);
+    }
+
     (void)PacketSetData(p, (unsigned char *)ppd + ppd->tp_mac, ppd->tp_snaplen);
     p->ReleasePacket = AFPReleasePacketV3;
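Review bot: The debug line added in the V3 hunk (AFPParsePacketV3) prints `ppd->tp_len` and `ppd->tp_snaplen` with `%d`, but both are `__u32` in the kernel's `struct tpacket3_hdr`, so `%u` is the matching specifier; the existing V2 line in this hunk's context has the same mismatch, and the new line should not copy it. ENGINE_SET_INVALID_EVENT marks the whole packet invalid rather than only recording the event, which presumably changes how a truncated packet is treated downstream (for instance in IPS mode); a short comment above the call in both hunks, `/* frame exceeded snaplen: record the event and treat the packet as invalid */`, would make that intent explicit. The body of AFPReadFromRingSetupPacket continues outside the hunk.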