#include "codecs/codec_module.h"
#include "framework/codec.h"
-#include "protocols/gre.h"
#include "log/text_log.h"
+#include "main/snort_config.h"
+#include "packet_io/active.h"
+#include "protocols/gre.h"
#define CD_GRE_NAME "gre"
#define CD_GRE_HELP "support for generic routing encapsulation"
return false;
}
+ if (SnortConfig::tunnel_bypass_enabled(TUNNEL_GRE))
+ Active::set_tunnel_bypass();
+
codec.lyr_len = len;
codec.next_prot_id = greh->proto();
codec.codec_flags |= CODEC_NON_IP_TUNNEL | CODEC_ETHER_NEXT;
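Review bot: Nothing at the added `Active::set_tunnel_bypass()` call says how often it may run for one packet, and with this commit a single packet can reach it several times (GRE here, the identical call in the MPLS hunk, and the inner-IP 4in4/6in6 branches). `Active` is not shown on this page, so whether the call sets a flag or increments a counter cannot be checked from here. If it counts, the reset has to clear every request made for the packet, otherwise the bypass would carry over to later packets and change which verdicts reach the DAQ. A comment on both calls would record the contract once it is confirmed, e.g. `// one request per tunnel layer; relies on Active clearing all requests per packet`. The enclosing decode function starts and ends outside the hunk.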
else if ( SnortConfig::tunnel_bypass_enabled(TUNNEL_4IN6) )
Active::set_tunnel_bypass();
}
+ else if (snort.ip_api.is_ip4())
+ {
+ /* If Teredo or GRE seen, this is not an 4in4 tunnel */
+ if ( codec.codec_flags & CODEC_NON_IP_TUNNEL )
+ codec.codec_flags &= ~CODEC_NON_IP_TUNNEL;
+ else if (SnortConfig::tunnel_bypass_enabled(TUNNEL_4IN4))
+ Active::set_tunnel_bypass();
+ }
// set the api now since this layer has been verified as valid
snort.ip_api.set(iph);
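Review bot: The added comment in the `is_ip4()` branch does not say that the branch consumes `CODEC_NON_IP_TUNNEL`. As far as the hunk shows, once the first IP header after GRE or Teredo has cleared the flag, a further nested IPv4 header takes the `TUNNEL_4IN4` path. That looks intended, but it means the GRE codec must set the flag before the inner IP layer is decoded, so it is worth spelling out, e.g. `/* inner IP directly after Teredo/GRE is not 4in4; clear the marker so only deeper IP-in-IP nesting counts */`. The comment also reads "an 4in4", and the IPv6 hunk repeats the same block with the same wording ("an 6in6"). The if/else chain this branch extends starts outside the hunk.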
else if ( SnortConfig::tunnel_bypass_enabled(TUNNEL_6IN4) )
Active::set_tunnel_bypass();
}
+ else if (snort.ip_api.is_ip6())
+ {
+ /* If Teredo or GRE seen, this is not an 6in6 tunnel */
+ if ( codec.codec_flags & CODEC_NON_IP_TUNNEL )
+ codec.codec_flags &= ~CODEC_NON_IP_TUNNEL;
+ else if (SnortConfig::tunnel_bypass_enabled(TUNNEL_6IN6))
+ Active::set_tunnel_bypass();
+ }
IPV6CheckIsatap(ip6h, snort, codec); // check for isatap before overwriting the ip_api.
#include "flow/flow.h"
#include "framework/codec.h"
#include "main/snort_config.h"
+#include "packet_io/active.h"
#include "utils/safec.h"
#define CD_MPLS_NAME "mpls"
}
} /* while bos not 1, peel off more labels */
+ if (SnortConfig::tunnel_bypass_enabled(TUNNEL_MPLS))
+ Active::set_tunnel_bypass();
+
codec.lyr_len = (const uint8_t*)tmpMplsHdr - raw.data;
switch (iRet)
"don't alert w/o established session (note: rule action still taken)" },
{ "tunnel_verdicts", Parameter::PT_STRING, nullptr, nullptr,
- "let DAQ handle non-allow verdicts for GTP|Teredo|6in4|4in6 traffic" },
+ "let DAQ handle non-allow verdicts for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls traffic" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
else if (!strcasecmp(tok, "4in6"))
tunnel_mask |= TUNNEL_4IN6;
+ else if (!strcasecmp(tok, "4in4"))
+ tunnel_mask |= TUNNEL_4IN4;
+
+ else if (!strcasecmp(tok, "6in6"))
+ tunnel_mask |= TUNNEL_6IN6;
+
+ else if (!strcasecmp(tok, "gre"))
+ tunnel_mask |= TUNNEL_GRE;
+
+ else if (!strcasecmp(tok, "mpls"))
+ tunnel_mask |= TUNNEL_MPLS;
+
else
{
ParseError("unknown tunnel bypass protocol");
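Review bot: The four added branches take the `strcasecmp` chain to eight names that have to be kept in step with the `tunnel_verdicts` help string and the `TUNNEL_*` enum, and they are separated by blank lines where the existing branches are not. A small name-to-flag table walked in a loop keeps the list in one place and makes the next tunnel type a one-line change. The start of the chain is outside the hunk, so the first four entries below are taken from the names in the help text and the enum rather than from the existing branches, and should be checked against them.

```cpp
// … unchanged: tokenising of the option string into tok …
static const struct { const char* name; unsigned flag; } tunnel_names[] =
{
    { "gtp", TUNNEL_GTP },   { "teredo", TUNNEL_TEREDO },
    { "6in4", TUNNEL_6IN4 }, { "4in6", TUNNEL_4IN6 },
    { "4in4", TUNNEL_4IN4 }, { "6in6", TUNNEL_6IN6 },
    { "gre", TUNNEL_GRE },   { "mpls", TUNNEL_MPLS },
};

bool known = false;
for ( const auto& t : tunnel_names )
{
    if ( !strcasecmp(tok, t.name) )
    {
        tunnel_mask |= t.flag;
        known = true;
        break;
    }
}
if ( !known )
{
    ParseError("unknown tunnel bypass protocol");
    // … unchanged: rest of the error branch …
```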
TUNNEL_GTP = 0x01,
TUNNEL_TEREDO = 0x02,
TUNNEL_6IN4 = 0x04,
- TUNNEL_4IN6 = 0x08
+ TUNNEL_4IN6 = 0x08,
+ TUNNEL_4IN4 = 0x10,
+ TUNNEL_6IN6 = 0x20,
+ TUNNEL_GRE = 0x40,
+ TUNNEL_MPLS = 0x80
};
struct srmm_table_t;
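Review bot: `TUNNEL_MPLS = 0x80` is the highest bit of an 8-bit mask, and the declaration of `tunnel_mask` is not in this hunk. If that field is a `uint8_t`, the enum now fills it, and the next tunnel type added would be truncated silently by the `tunnel_mask |= ...` lines in the parser. A comment on the last enumerator, for example `// 0x80: last bit if tunnel_mask is 8 bits wide; widen the field before adding more`, or a `static_assert` next to the field's declaration, would catch that before it turns into a bypass option that parses but never takes effect.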
{ CountType::SUM, "whitelist", "total whitelist verdicts" },
{ CountType::SUM, "blacklist", "total blacklist verdicts" },
{ CountType::SUM, "ignore", "total ignore verdicts" },
+ { CountType::SUM, "retry", "total retry verdicts" },
// FIXIT-L these are not exactly DAQ counts - but they are related
{ CountType::SUM, "internal_blacklist",
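Review bot: The verdict pegs in this table are matched to `verdicts[]` by position, and this commit makes the array length come from the DAQ header (`MAX_DAQ_VERDICT`) while the names stay a hand-written list. If the installed DAQ defines a different number of verdicts, the copy loops in the other hunks of this file move more or fewer counters than there are names, and the pegs that follow (`internal_blacklist` onward) would presumably be reported under the wrong label. A compile-time check beside the table would pin the assumption, e.g. `static_assert(MAX_DAQ_VERDICT == 7, "verdict pegs out of step with DAQ_Verdict");`, where 7 is inferred from the old hard-coded 6 plus `retry` and should be confirmed against daq_common.h. The table starts and ends outside the hunk.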
g_daq_stats.packets_filtered += daq_stats->packets_filtered;
g_daq_stats.packets_injected += daq_stats->packets_injected;
- for ( unsigned i = 0; i < MAX_SFDAQ_VERDICT; i++ )
+ for ( unsigned i = 0; i < MAX_DAQ_VERDICT; i++ )
g_daq_stats.verdicts[i] += daq_stats->verdicts[i];
sum_stats((PegCount*)&gaux, (PegCount*)&aux_counts, sizeof(aux_counts)/sizeof(PegCount));
- // FIXIT-H why do we set gaux in sum_stats then zero it here?
- memset(&gaux, 0, sizeof(gaux));
+ memset(&aux_counts, 0, sizeof(aux_counts));
}
//-------------------------------------------------------------------------
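Review bot: The new `memset(&aux_counts, 0, sizeof(aux_counts))` replaces a line whose FIXIT comment questioned it, but the replacement carries no comment saying why the source counters are cleared. Suggested: `// aux_counts has been folded into gaux above; clear it so a later call cannot add the same counts twice`. The function also adds into the globals `g_daq_stats` and `gaux`. The hunk does not show whether callers serialise those updates, so that is worth confirming if it can run from more than one packet thread. The function starts outside the hunk.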
daq_stats.outstanding = pkts_out;
daq_stats.injected = pkts_inj;
- for ( unsigned i = 0; i < MAX_SFDAQ_VERDICT; i++ )
+ for ( unsigned i = 0; i < MAX_DAQ_VERDICT; i++ )
daq_stats.verdicts[i] = g_daq_stats.verdicts[i];
daq_stats.internal_blacklist = gaux.internal_blacklist;
// Provides facilities for displaying Snort exit stats
+#include <daq_common.h>
#include <vector>
#include "framework/counts.h"
};
//-------------------------------------------------------------------------
-// FIXIT-L 2.0.4 introduces the retry verdict
-// no way to reliably optionally leverage this with dynamic loaded daqs
-
// FIXIT-L daq stats should be moved to sfdaq
-#define MAX_SFDAQ_VERDICT 6
-
struct DAQStats
{
PegCount pcaps;
PegCount filtered;
PegCount outstanding;
PegCount injected;
- PegCount verdicts[MAX_SFDAQ_VERDICT];
+ PegCount verdicts[MAX_DAQ_VERDICT];
PegCount internal_blacklist;
PegCount internal_whitelist;
PegCount skipped;