From: Steven Baigal (sbaigal) Date: Fri, 13 Jan 2023 15:27:06 +0000 (+0000) Subject: Pull request #3711: netflow: grab the proto off of the netflow record - not the wire... X-Git-Tag: 3.1.52.0~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fc29fb053bd7857b1b244a979d1cb0735ec4aabc;p=thirdparty%2Fsnort3.git Pull request #3711: netflow: grab the proto off of the netflow record - not the wire packet Merge in SNORT/snort3 from ~MMATIRKO/snort3:netflow_proto to master Squashed commit of the following: commit bffc80a39a33507892dae4a2575544323a7003a7 Author: Michael Matirko Date: Mon Dec 19 15:12:07 2022 -0500 netflow: grab the proto off of the netflow record - not the wire packet
---
diff --git a/src/network_inspectors/rna/rna_pnd.cc b/src/network_inspectors/rna/rna_pnd.cc
index c6610e491..38da31fd5 100644
--- a/src/network_inspectors/rna/rna_pnd.cc
+++ b/src/network_inspectors/rna/rna_pnd.cc
@@ -229,6 +229,7 @@ void RnaPnd::analyze_netflow_host(NetFlowEvent* nfe)
         return;
     }
 
+    // Note: this is the ethertype for the wire packet itself, not the NetFlow flows
     uint16_t ptype = rna_get_eth(p);
     if ( ptype > to_utype(ProtocolId::ETHERTYPE_MINIMUM) )
     {
@@ -237,7 +238,8 @@ void RnaPnd::analyze_netflow_host(NetFlowEvent* nfe)
             packet_time());
     }
 
-    ptype = to_utype(p->get_ip_proto_next());
+    // Remaining fields (port, proto, etc.) are parsed from the NetFlow record
+    ptype = nfe->get_record()->proto;
     if ( ht->add_xport_proto(ptype) )
         logger.log(RNA_EVENT_NEW, NEW_XPORT_PROTOCOL, p, &ht, ptype, src_mac, src_ip_ptr,
             packet_time());
@@ -278,7 +280,7 @@ void RnaPnd::analyze_netflow_service(NetFlowEvent* nfe)
     if ( proto == IpProtocol::TCP )
         logger.log(RNA_EVENT_NEW, NEW_TCP_SERVICE, p, &ht,
             (const struct in6_addr*) src_ip.get_ip6_ptr(), mac_addr, &ha);
-    else
+    else if ( proto == IpProtocol::UDP )
         logger.log(RNA_EVENT_NEW, NEW_UDP_SERVICE, p, &ht,
             (const struct in6_addr*) src_ip.get_ip6_ptr(), mac_addr, &ha);
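Review bot: `ptype = nfe->get_record()->proto;` dereferences the record pointer with no guard in the hunk, and the value it yields is exporter-supplied data from the NetFlow datagram rather than something the inspector parsed off the packet, so the transport protocol attributed to the host (and the resulting NEW_XPORT_PROTOCOL event) is now only as trustworthy as the exporter; whether get_record() can be null here is not visible in this hunk, so either a guard is needed or the comment should say the record is guaranteed. The host entry also ends up with mixed provenance: the previous hunk's own comment concedes the ethertype still comes from the wire packet carrying the export, while the transport proto now comes from the record, which the commit does not reconcile. A comment on the assignment would at least make the trust boundary explicit, e.g. `// proto is taken from the exporter's record, not the parsed packet: treat as untrusted input`. analyze_netflow_host begins before and continues after this hunk.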
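Review bot: With `else if ( proto == IpProtocol::UDP )` any service whose protocol is neither TCP nor UDP now falls through silently, where before it was (wrongly) logged as UDP; if that is intended a trailing comment such as `// other transport protocols: no service event is raised` would make the drop deliberate rather than accidental. Where `proto` itself is sourced in analyze_netflow_service is outside the hunk, so I cannot tell whether it is subject to the same record-vs-wire change made above. The function starts before and ends after this hunk.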