From: Tom Peters (thopeter) Date: Tue, 17 Oct 2017 19:02:03 +0000 (-0400) Subject: Merge pull request #1043 in SNORT/snort3 from daq_tunnel to master X-Git-Tag: 3.0.0-240~13 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6164f58df4a894c5a193b2ffa32a8dc84fd70ddc;p=thirdparty%2Fsnort3.git Merge pull request #1043 in SNORT/snort3 from daq_tunnel to master Squashed commit of the following: commit 940e83dcc968adf1ea4cd29c745a4dbff35b1993 Author: Steven Baigal Date: Wed Oct 11 15:36:37 2017 -0400 US131276 allow DAQ to set the tunnel bypass flags --- diff --git a/extra/src/daqs/daq_regtest/daq_regtest.c b/extra/src/daqs/daq_regtest/daq_regtest.c index 5898ba144..bc6bce904 100644 --- a/extra/src/daqs/daq_regtest/daq_regtest.c +++ b/extra/src/daqs/daq_regtest/daq_regtest.c @@ -49,6 +49,7 @@ typedef struct void *handle; int skip; int trace; + uint32_t caps_cfg; DAQ_PktHdr_t retry_hdr; uint8_t* retry_data; unsigned packets_before_retry; @@ -76,7 +77,7 @@ static void daq_regtest_get_vars(DAQRegTestContext* context, const DAQ_Config_t* context->skip = 0; context->trace = 0; context->packets_before_retry = 0; - + context->caps_cfg = 0; for ( entry = cfg->values; entry; entry = entry->next) { if ( !strcmp(entry->key, "skip") ) @@ -91,6 +92,11 @@ static void daq_regtest_get_vars(DAQRegTestContext* context, const DAQ_Config_t* { context->packets_before_retry = atoi(entry->value); } + else if ( !strcmp(entry->key, "caps") ) + { + // DAQ capabilities in hex, e.g. caps=0x00004000 + context->caps_cfg = strtol(entry->value, NULL, 0); + } } } @@ -380,6 +386,7 @@ static uint32_t daq_regtest_get_capabilities (void* handle) DAQRegTestContext* context = (DAQRegTestContext*)handle; uint32_t caps = context->module->get_capabilities(context->handle); caps |= DAQ_CAPA_RETRY; + caps |= context->caps_cfg; return caps; } diff --git a/src/codecs/ip/cd_ipv4.cc b/src/codecs/ip/cd_ipv4.cc index 42a2aa26a..509822a6a 100644 --- a/src/codecs/ip/cd_ipv4.cc +++ b/src/codecs/ip/cd_ipv4.cc @@ -209,7 +209,7 @@ bool Ipv4Codec::decode(const RawData& raw, CodecData& codec, DecodeData& snort) if ( snort.ip_api.is_ip6() ) { - /* If Teredo or GRE seen, this is not an 4in6 tunnel */ + /* If the previous layer was not IP-in-IP, this is not a 4-in-6 tunnel */ if ( codec.codec_flags & CODEC_NON_IP_TUNNEL ) codec.codec_flags &= ~CODEC_NON_IP_TUNNEL; else if ( SnortConfig::tunnel_bypass_enabled(TUNNEL_4IN6) ) @@ -217,7 +217,7 @@ bool Ipv4Codec::decode(const RawData& raw, CodecData& codec, DecodeData& snort) } else if (snort.ip_api.is_ip4()) { - /* If Teredo or GRE seen, this is not an 4in4 tunnel */ + /* If the previous layer was not IP-in-IP, this is not a 4-in-4 tunnel */ if ( codec.codec_flags & CODEC_NON_IP_TUNNEL ) codec.codec_flags &= ~CODEC_NON_IP_TUNNEL; else if (SnortConfig::tunnel_bypass_enabled(TUNNEL_4IN4)) diff --git a/src/codecs/ip/cd_ipv6.cc b/src/codecs/ip/cd_ipv6.cc index 5791c29f2..840cad297 100644 --- a/src/codecs/ip/cd_ipv6.cc +++ b/src/codecs/ip/cd_ipv6.cc @@ -171,7 +171,7 @@ bool Ipv6Codec::decode(const RawData& raw, CodecData& codec, DecodeData& snort) if ( snort.ip_api.is_ip4() ) { - /* If Teredo or GRE seen, this is not an 4in6 tunnel */ + /* If the previous layer was not IP-in-IP, this is not a 6-in-4 tunnel */ if ( codec.codec_flags & CODEC_NON_IP_TUNNEL ) codec.codec_flags &= ~CODEC_NON_IP_TUNNEL; else if ( SnortConfig::tunnel_bypass_enabled(TUNNEL_6IN4) ) @@ -179,7 +179,7 @@ bool Ipv6Codec::decode(const RawData& raw, CodecData& codec, DecodeData& snort) } else if (snort.ip_api.is_ip6()) { - /* If Teredo or GRE seen, this is not an 6in6 tunnel */ + /* If the previous layer was not IP-in-IP, this is not a 6-in-6 tunnel */ if ( codec.codec_flags & CODEC_NON_IP_TUNNEL ) codec.codec_flags &= ~CODEC_NON_IP_TUNNEL; else if (SnortConfig::tunnel_bypass_enabled(TUNNEL_6IN6)) diff --git a/src/codecs/misc/cd_gtp.cc b/src/codecs/misc/cd_gtp.cc index 203c9dfa6..6e1464ab3 100644 --- a/src/codecs/misc/cd_gtp.cc +++ b/src/codecs/misc/cd_gtp.cc @@ -205,6 +205,7 @@ bool GtpCodec::decode(const RawData& raw, CodecData& codec, DecodeData& dd) else if (ip_ver == 0x60) codec.next_prot_id = ProtocolId::IPV6; } + codec.codec_flags |= CODEC_NON_IP_TUNNEL; return true; } diff --git a/src/main/snort_config.cc b/src/main/snort_config.cc index d2e77ab66..4ee94edf1 100644 --- a/src/main/snort_config.cc +++ b/src/main/snort_config.cc @@ -46,6 +46,7 @@ #include "managers/module_manager.h" #include "managers/mpse_manager.h" #include "memory/memory_config.h" +#include "packet_io/sfdaq.h" #include "packet_io/sfdaq_config.h" #include "parser/parser.h" #include "parser/vars.h" @@ -987,3 +988,7 @@ void SnortConfig::free_rule_state_list() rule_state_list = nullptr; } +bool SnortConfig::tunnel_bypass_enabled(uint8_t proto) +{ + return (!((snort_conf->tunnel_mask & proto) or SFDAQ::get_tunnel_bypass(proto))); +} \ No newline at end of file diff --git a/src/main/snort_config.h b/src/main/snort_config.h index 0e7708963..b65e9098b 100644 --- a/src/main/snort_config.h +++ b/src/main/snort_config.h @@ -492,8 +492,7 @@ public: static int get_default_rule_state() { return snort_conf->default_rule_state; } - static bool tunnel_bypass_enabled(uint8_t proto) - { return !(snort_conf->tunnel_mask & proto); } + SO_PUBLIC static bool tunnel_bypass_enabled(uint8_t proto); // checksum stuff static bool checksum_drop(uint16_t codec_cksum_err_flag) diff --git a/src/packet_io/sfdaq.cc b/src/packet_io/sfdaq.cc index 2ea874b62..7dac36224 100644 --- a/src/packet_io/sfdaq.cc +++ b/src/packet_io/sfdaq.cc @@ -251,6 +251,11 @@ bool SFDAQ::can_retry() return local_instance && local_instance->can_retry(); } +bool SFDAQ::get_tunnel_bypass(uint8_t proto) +{ + return local_instance && local_instance->get_tunnel_bypass(proto); +} + int SFDAQ::inject(const DAQ_PktHdr_t* hdr, int rev, const uint8_t* buf, uint32_t len) { return local_instance->inject(hdr, rev, buf, len); @@ -478,9 +483,58 @@ bool SFDAQInstance::start() else daq_dlt = daq_get_datalink_type(daq_mod, daq_hand); + get_tunnel_capabilities(); + return (err == DAQ_SUCCESS); } +void SFDAQInstance::get_tunnel_capabilities() +{ + daq_tunnel_mask = 0; + if (daq_mod && daq_hand) + { + uint32_t caps = daq_get_capabilities(daq_mod, daq_hand); + + if (caps & DAQ_CAPA_DECODE_GTP) + { + daq_tunnel_mask |= TUNNEL_GTP; + } + if (caps & DAQ_CAPA_DECODE_TEREDO) + { + daq_tunnel_mask |= TUNNEL_TEREDO; + } + if (caps & DAQ_CAPA_DECODE_GRE) + { + daq_tunnel_mask |= TUNNEL_GRE; + } + if (caps & DAQ_CAPA_DECODE_4IN4) + { + daq_tunnel_mask |= TUNNEL_4IN4; + } + if (caps & DAQ_CAPA_DECODE_6IN4) + { + daq_tunnel_mask |= TUNNEL_6IN4; + } + if (caps & DAQ_CAPA_DECODE_4IN6) + { + daq_tunnel_mask |= TUNNEL_4IN6; + } + if (caps & DAQ_CAPA_DECODE_6IN6) + { + daq_tunnel_mask |= TUNNEL_6IN6; + } + if (caps & DAQ_CAPA_DECODE_MPLS) + { + daq_tunnel_mask |= TUNNEL_MPLS; + } + } +} + +bool SFDAQInstance::get_tunnel_bypass(uint8_t proto) +{ + return (daq_tunnel_mask & proto ? true : false); +} + bool SFDAQInstance::was_started() { DAQ_State s; diff --git a/src/packet_io/sfdaq.h b/src/packet_io/sfdaq.h index af0f31740..1a746ac47 100644 --- a/src/packet_io/sfdaq.h +++ b/src/packet_io/sfdaq.h @@ -70,8 +70,10 @@ public: int add_expected(const Packet* ctrlPkt, const SfIp* cliIP, uint16_t cliPort, const SfIp* srvIP, uint16_t srvPort, IpProtocol, unsigned timeout_ms, unsigned /* flags */); + bool get_tunnel_bypass(uint8_t proto); private: + void get_tunnel_capabilities(); bool set_filter(const char*); std::string interface_spec; DAQ_Meta_Func_t daq_meta_callback; @@ -79,6 +81,7 @@ private: int daq_dlt; int s_error; DAQ_Stats_t daq_stats; + uint8_t daq_tunnel_mask; }; class SFDAQ @@ -102,6 +105,7 @@ public: static bool can_inject_raw(); static bool can_replace(); static bool can_retry(); + SO_PUBLIC static bool get_tunnel_bypass(uint8_t proto); // FIXIT-M X Temporary thread-local instance helpers to be removed when no longer needed static void set_local_instance(SFDAQInstance*);