From cd00499863fc0e43b436f57a372f17b43a497eb5 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Thu, 13 Mar 2025 10:36:08 -0600
Subject: [PATCH] af-packet: add event for packets truncated by af-packet
Ticket: #7458
(cherry picked from commit d78f2c9a4e2b59f44daeddff098915084493d08d)
---
 etc/schema.json | 11 +++++++++++
 rules/decoder-events.rules | 5 ++++-
 src/decode-events.c | 5 +++++
 src/decode-events.h | 5 ++++-
 src/source-af-packet.c | 6 ++++++
 5 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/etc/schema.json b/etc/schema.json
index 31e39dbdf9..28a535ff0d 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -4297,6 +4297,17 @@
 "event": {
 "type": "object",
 "properties": {
+ "afpacket": {
+ "type": "object",
+ "properties": {
+ "trunc_pkt": {
+ "description":
+ "Number of packets truncated by AF_PACKET",
+ "type": "integer"
+ }
+ },
+ "additionalProperties": false
+ },
 "chdlc": {
 "type": "object",
 "properties": {
diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules
index 092eebdb27..f34d859ec0 100644
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -151,5 +151,8 @@ alert pkthdr any any -> any any (msg:"SURICATA CHDLC packet too small"; decode-e
 alert pkthdr any any -> any any (msg:"SURICATA packet with too many layers"; decode-event:too_many_layers; classtype:protocol-command-decode; sid:2200116; rev:1;)
-# next sid is 2200121
+# Capture events.
+alert pkthdr any any -> any any (msg:"SURICATA AF-PACKET truncated packet"; decode-event:afpacket.trunc_pkt; classtype:protocol-command-decode; sid:2200122; rev:1;)
+
+# next sid is 2200123
diff --git a/src/decode-events.c b/src/decode-events.c
index 7ff2d946d1..84c41c9bf2 100644
--- a/src/decode-events.c
+++ b/src/decode-events.c
@@ -27,6 +27,11 @@
 /* code moved to app-layer-events */
 const struct DecodeEvents_ DEvents[] = {
+ /* CAPTURE EVENTS */
+ {
+ "decoder.afpacket.trunc_pkt",
+ AFP_TRUNC_PKT,
+ },
 /* IPV4 EVENTS */
 {
 "decoder.ipv4.pkt_too_small",
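Review bot: The new section heading in the DEvents table reads `/* CAPTURE EVENTS */` while the matching block added to the enum in src/decode-events.h is headed `/* AF_PACKET EVENTS */`; these two tables are maintained in lockstep, so the headings should agree so that the next capture-method event is placed consistently in both. Either label works, but pick one, e.g. `/* CAPTURE EVENTS (AF_PACKET) */` in both files. The entry itself matches the rule keyword `afpacket.trunc_pkt` and the schema key, which is what the name lookup needs.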
diff --git a/src/decode-events.h b/src/decode-events.h
index 76169bccbf..fe9670a31c 100644
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -27,8 +27,11 @@
 /* packet decoder events */
 enum {
+ /* AF_PACKET EVENTS */
+ AFP_TRUNC_PKT = 0, /**< packet truncated by af-packet */
+
 /* IPV4 EVENTS */
- IPV4_PKT_TOO_SMALL = 0, /**< ipv4 pkt smaller than minimum header size */
+ IPV4_PKT_TOO_SMALL, /**< ipv4 pkt smaller than minimum header size */
 IPV4_HLEN_TOO_SMALL, /**< ipv4 header smaller than minimum size */
 IPV4_IPLEN_SMALLER_THAN_HLEN, /**< ipv4 pkt len smaller than ip header size */
 IPV4_TRUNC_PKT, /**< truncated ipv4 packet */
diff --git a/src/source-af-packet.c b/src/source-af-packet.c
index 0ead90b1ad..f9eb66023b 100644
--- a/src/source-af-packet.c
+++ b/src/source-af-packet.c
@@ -781,6 +781,7 @@ static void AFPReadFromRingSetupPacket(
 if (h.h2->tp_len > h.h2->tp_snaplen) {
 SCLogDebug("Packet length (%d) > snaplen (%d), truncating", h.h2->tp_len, h.h2->tp_snaplen);
+ ENGINE_SET_INVALID_EVENT(p, AFP_TRUNC_PKT);
 }
 /* get vlan id from header */
@@ -982,6 +983,11 @@ static inline int AFPParsePacketV3(AFPThreadVars *ptv, struct tpacket_block_desc
 p->afp_v.vlan_tci = (uint16_t)ppd->hv1.tp_vlan_tci;
 }
+ if (ppd->tp_len > ppd->tp_snaplen) {
+ SCLogDebug("Packet length (%d) > snaplen (%d), truncating", ppd->tp_len, ppd->tp_snaplen);
+ ENGINE_SET_INVALID_EVENT(p, AFP_TRUNC_PKT);
+ }
+
 (void)PacketSetData(p, (unsigned char *)ppd + ppd->tp_mac, ppd->tp_snaplen);
 p->ReleasePacket = AFPReleasePacketV3;
--
2.47.2
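Review bot: Placing `AFP_TRUNC_PKT = 0` at the head of the enum and dropping the `= 0` from `IPV4_PKT_TOO_SMALL` shifts the numeric id of every existing decoder event by one. Event names stay the stable interface (rules and the DEvents table look events up by string), so this is probably harmless, but anything that depends on the raw values — counters sized or indexed by this enum, or tests comparing ids — would be affected, and the hunk alone cannot rule that out; appending the capture event after the last existing decoder event would have avoided the renumbering entirely. The doc comment could also state the actual condition rather than restating the name: `/**< capture truncated the frame (tp_len > tp_snaplen) before the decoder saw it */`. The enum continues past the end of the hunk.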
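Review bot: The added `ENGINE_SET_INVALID_EVENT(p, AFP_TRUNC_PKT);` in AFPReadFromRingSetupPacket (and the same call in the AFPParsePacketV3 hunk below) uses the INVALID variant, which as its name suggests marks the whole packet invalid in addition to recording the event, while the frame on the wire may have been perfectly well-formed and was only cut short by the capture ring. That is a defensible choice — the payload handed on is incomplete and should not be trusted — but neither the hunk nor the commit message says so, and the distinction from `ENGINE_SET_EVENT` matters to whatever downstream code keys off the invalid flag. A one-line comment above the call would make the intent explicit: `/* kernel truncated the frame to snaplen; mark invalid so the partial payload is not trusted downstream */`. The enclosing function AFPReadFromRingSetupPacket begins and ends outside the hunk.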
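Review bot: The new `SCLogDebug` line prints `ppd->tp_len` and `ppd->tp_snaplen` with `%d`, but in the kernel's `struct tpacket3_hdr` both fields are `__u32`, so `%u` is the matching conversion: `SCLogDebug("Packet length (%u) > snaplen (%u), truncating", ppd->tp_len, ppd->tp_snaplen);`. The existing h2 debug line in the earlier hunk has the same mismatch, but this hunk copies it into new code; the impact is low if SCLogDebug compiles out in non-debug builds as it does elsewhere in the tree, yet `-Wformat` will still complain in debug builds. Placing the check before `PacketSetData`, which hands `tp_snaplen` bytes to the packet, is the right ordering. The enclosing function AFPParsePacketV3 begins and ends outside the hunk.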