From: Jason Ish
Date: Sun, 14 Aug 2016 18:44:51 +0000 (-0600)
Subject: decode: support Cisco Fabric Path / DCE
X-Git-Tag: suricata-3.1.2~38
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2203%2Fhead;p=thirdparty%2Fsuricata.git

decode: support Cisco Fabric Path / DCE

Cisco Fabric Path is ethernet wrapped in an ethernet like header with 2 extra bytes. The ethernet type is in the same location so the ethernet decoder can be used with some validation for the extra length.
---
diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules
index 4a20197fd5..7240ea0678 100644
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -137,5 +137,8 @@ alert pkthdr any any -> any any (msg:"SURICATA ERSPAN pkt too small"; decode-eve
 alert pkthdr any any -> any any (msg:"SURICATA ERSPAN unsupported version"; decode-event:erspan.unsupported_version; sid: 2200106; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ERSPAN too many vlan layers"; decode-event:erspan.too_many_vlan_layers; sid: 2200107; rev:1;)
-# next sid is 2200110
+# Cisco Fabric Path/DCE
+alert pkthdr any any -> any any (msg:"SURICATA DCE packet too small"; decode-event:dce.pkt_too_small; sid:2200110; rev:1;)
+
+# next sid is 2200111
diff --git a/src/decode-ethernet.c b/src/decode-ethernet.c
index cd82886c6b..1c5e83e97a 100644
--- a/src/decode-ethernet.c
+++ b/src/decode-ethernet.c
@@ -85,6 +85,14 @@ int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
 DecodeMPLS(tv, dtv, p, pkt + ETHERNET_HEADER_LEN,
 len - ETHERNET_HEADER_LEN, pq);
 break;
+ case ETHERNET_TYPE_DCE:
+ if (unlikely(len < ETHERNET_DCE_HEADER_LEN)) {
+ ENGINE_SET_INVALID_EVENT(p, DCE_PKT_TOO_SMALL);
+ } else {
+ DecodeEthernet(tv, dtv, p, pkt + ETHERNET_DCE_HEADER_LEN,
+ len - ETHERNET_DCE_HEADER_LEN, pq);
+ }
+ break;
 default:
 SCLogDebug("p %p pkt %p ether type %04x not supported",
 p, pkt, ntohs(p->ethh->eth_type));
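Review bot: The recursive call passes too large a length, because ETHERNET_DCE_HEADER_LEN is defined in decode-ethernet.h as `ETHERNET_HEADER_LEN + 2` without parentheses, so `len - ETHERNET_DCE_HEADER_LEN` in this hunk expands to `len - 14 + 2`, i.e. `len - 12`, while `pkt + ETHERNET_DCE_HEADER_LEN` advances the pointer by the full 16. The inner DecodeEthernet is therefore told it has four more bytes than exist past the DCE header and can read beyond the end of the packet buffer on a minimally sized frame; the `len < ETHERNET_DCE_HEADER_LEN` guard does not catch this because `len < 14 + 2` happens to evaluate as intended. Fix the macro, `#define ETHERNET_DCE_HEADER_LEN (ETHERNET_HEADER_LEN + 2)`, or, if the header cannot be touched, write `len - (ETHERNET_DCE_HEADER_LEN)` at the call site. It would also help to comment that this recursion re-enters the full Ethernet decoder on the inner frame, which presumably rebinds p->ethh to the inner header (the default branch below dereferences p->ethh) and can nest while the remaining length permits. DecodeEthernet starts before this hunk, so its header-size check and p->ethh assignment are not visible here.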
diff --git a/src/decode-ethernet.h b/src/decode-ethernet.h
index 094d2548e7..33f443da84 100644
--- a/src/decode-ethernet.h
+++ b/src/decode-ethernet.h
@@ -26,6 +26,9 @@
 #define ETHERNET_HEADER_LEN 14
+/* Cisco Fabric Path / DCE header length. */
+#define ETHERNET_DCE_HEADER_LEN ETHERNET_HEADER_LEN + 2
+
 /* Ethernet types -- taken from Snort and Libdnet */
 #define ETHERNET_TYPE_PUP 0x0200 /* PUP protocol */
 #define ETHERNET_TYPE_IP 0x0800
@@ -42,6 +45,8 @@
 #define ETHERNET_TYPE_LOOP 0x9000
 #define ETHERNET_TYPE_8021QINQ 0x9100
 #define ETHERNET_TYPE_ERSPAN 0x88BE
+#define ETHERNET_TYPE_DCE 0x8903 /* Data center ethernet,
+ * Cisco Fabric Path */
 typedef struct EthernetHdr_ {
 uint8_t eth_dst[6];
diff --git a/src/decode-events.c b/src/decode-events.c
index f4a5bdd1ca..d7e4ecc946 100644
--- a/src/decode-events.c
+++ b/src/decode-events.c
@@ -178,6 +178,9 @@ const struct DecodeEvents_ DEvents[] = {
 { "decoder.erspan.unsupported_version", ERSPAN_UNSUPPORTED_VERSION, },
 { "decoder.erspan.too_many_vlan_layers", ERSPAN_TOO_MANY_VLAN_LAYERS, },
+ /* Cisco Fabric Path/DCE events. */
+ { "decoder.dce.pkt_too_small", DCE_PKT_TOO_SMALL, },
+
 /* STREAM EVENTS */
 { "stream.3whs_ack_in_wrong_dir", STREAM_3WHS_ACK_IN_WRONG_DIR, },
 { "stream.3whs_async_wrong_seq", STREAM_3WHS_ASYNC_WRONG_SEQ, },
diff --git a/src/decode-events.h b/src/decode-events.h
index 8e73952543..2d249aba16 100644
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -187,6 +187,9 @@ enum {
 ERSPAN_UNSUPPORTED_VERSION,
 ERSPAN_TOO_MANY_VLAN_LAYERS,
+ /* Cisco Fabric Path/DCE events. */
+ DCE_PKT_TOO_SMALL,
+
 /* END OF DECODE EVENTS ON SINGLE PACKET */
 DECODE_EVENT_PACKET_MAX,
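Review bot: `ETHERNET_DCE_HEADER_LEN` is defined as `ETHERNET_HEADER_LEN + 2` without parentheses, so it does not behave as a single value when used in arithmetic: in decode-ethernet.c the expression `len - ETHERNET_DCE_HEADER_LEN` expands to `len - 14 + 2` (i.e. `len - 12`) rather than `len - 16`, while `pkt + ETHERNET_DCE_HEADER_LEN` advances by the full 16, so the inner decoder is handed a length four bytes larger than the data that remains. Change the definition to `#define ETHERNET_DCE_HEADER_LEN (ETHERNET_HEADER_LEN + 2)`, which is the usual convention for any object-like macro whose expansion is an expression. A one-line comment stating that the 2 extra bytes follow the 14-byte Ethernet-style header and precede the inner frame would make the constant self-explanatory to the next reader.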