From: Anoop Saldanha
Date: Sat, 29 Sep 2012 04:59:56 +0000 (+0530)
Subject: Add a packet src for every packet generated inside suricata.
X-Git-Tag: suricata-1.4beta2~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b33986c8878404c48f2411db49c62cf61d8c9c07;p=thirdparty%2Fsuricata.git

Add a packet src for every packet generated inside suricata.
---
diff --git a/src/decode-gre.c b/src/decode-gre.c
index b7ae22915c..f390840b94 100644
--- a/src/decode-gre.c
+++ b/src/decode-gre.c
@@ -201,6 +201,7 @@ void DecodeGRE(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, u
 Packet *tp = PacketPseudoPktSetup(p, pkt + header_len, len - header_len, IPPROTO_IP);
 if (tp != NULL) {
+ PKT_SET_SRC(tp, PKT_SRC_DECODER_GRE);
 DecodeTunnel(tv, dtv, tp, GET_PKT_DATA(tp), GET_PKT_LEN(tp), pq, IPPROTO_IP);
 PacketEnqueue(pq,tp);
@@ -215,6 +216,7 @@ void DecodeGRE(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, u
 Packet *tp = PacketPseudoPktSetup(p, pkt + header_len, len - header_len, PPP_OVER_GRE);
 if (tp != NULL) {
+ PKT_SET_SRC(tp, PKT_SRC_DECODER_GRE);
 DecodeTunnel(tv, dtv, tp, GET_PKT_DATA(tp), GET_PKT_LEN(tp), pq, PPP_OVER_GRE);
 PacketEnqueue(pq,tp);
@@ -229,6 +231,7 @@ void DecodeGRE(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, u
 Packet *tp = PacketPseudoPktSetup(p, pkt + header_len, len - header_len, IPPROTO_IPV6);
 if (tp != NULL) {
+ PKT_SET_SRC(tp, PKT_SRC_DECODER_GRE);
 DecodeTunnel(tv, dtv, tp, GET_PKT_DATA(tp), GET_PKT_LEN(tp), pq, IPPROTO_IPV6);
 PacketEnqueue(pq,tp);
@@ -243,6 +246,7 @@ void DecodeGRE(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, u
 Packet *tp = PacketPseudoPktSetup(p, pkt + header_len, len - header_len, VLAN_OVER_GRE);
 if (tp != NULL) {
+ PKT_SET_SRC(tp, PKT_SRC_DECODER_GRE);
 DecodeTunnel(tv, dtv, tp, GET_PKT_DATA(tp), GET_PKT_LEN(tp), pq, VLAN_OVER_GRE);
 PacketEnqueue(pq,tp);
diff --git a/src/decode-ipv4.c b/src/decode-ipv4.c
index 7dbaaf0192..7c60bb974a 100644
--- a/src/decode-ipv4.c
+++ b/src/decode-ipv4.c
@@ -580,6 +580,7 @@ void DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
 IPV4_GET_IPLEN(p) - IPV4_GET_HLEN(p), IPV4_GET_IPPROTO(p));
 if (tp != NULL) {
+ PKT_SET_SRC(tp, PKT_SRC_DECODER_IPV4);
 /* send that to the Tunnel decoder */
 DecodeTunnel(tv, dtv, tp, GET_PKT_DATA(tp), GET_PKT_LEN(tp), pq, IPV4_GET_IPPROTO(p));
diff --git a/src/decode-ipv6.c b/src/decode-ipv6.c
index 67e4ac6f09..23b6fb6c40 100644
--- a/src/decode-ipv6.c
+++ b/src/decode-ipv6.c
@@ -60,6 +60,7 @@ static void DecodeIPv4inIPv6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, u
 if (pq != NULL) {
 Packet *tp = PacketPseudoPktSetup(p, pkt, plen, IPPROTO_IP);
 if (tp != NULL) {
+ PKT_SET_SRC(tp, PKT_SRC_DECODER_IPV6);
 DecodeTunnel(tv, dtv, tp, GET_PKT_DATA(tp), GET_PKT_LEN(tp), pq, IPPROTO_IP);
 PacketEnqueue(pq,tp);
@@ -88,6 +89,7 @@ static void DecodeIP6inIP6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uin
 if (pq != NULL) {
 Packet *tp = PacketPseudoPktSetup(p, pkt, plen, IPPROTO_IPV6);
 if (tp != NULL) {
+ PKT_SET_SRC(tp, PKT_SRC_DECODER_IPV6);
 DecodeTunnel(tv, dtv, tp, GET_PKT_DATA(tp), GET_PKT_LEN(tp), pq, IPPROTO_IP);
 PacketEnqueue(pq,tp);
diff --git a/src/decode-teredo.c b/src/decode-teredo.c
index 844b365b76..87265349f6 100644
--- a/src/decode-teredo.c
+++ b/src/decode-teredo.c
@@ -88,6 +88,7 @@ int DecodeTeredo(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
 Packet *tp = PacketPseudoPktSetup(p, start, blen, IPPROTO_IPV6);
 if (tp != NULL) {
+ PKT_SET_SRC(tp, PKT_SRC_DECODER_TEREDO);
 /* send that to the Tunnel decoder */
 DecodeTunnel(tv, dtv, tp, GET_PKT_DATA(tp), GET_PKT_LEN(tp), pq, IPPROTO_IPV6);
diff --git a/src/decode.h b/src/decode.h
index b2a9b8fd65..a514e7fa4e 100644
--- a/src/decode.h
+++ b/src/decode.h
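Review bot: In the DecodeIP6inIP6 hunk the pseudo packet is set up with IPPROTO_IPV6, yet the unchanged DecodeTunnel call on the next context line passes `IPPROTO_IP`, whereas the sibling DecodeIPv4inIPv6 hunk hands the same protocol to both calls. Unless DecodeTunnel ignores its last argument, an IPv6-in-IPv6 inner packet is routed to the IPv4 decoder, so the tunnelled payload is never decoded as IPv6 and the rule engine does not see it — a coverage gap worth closing in the same pass that tags the packet. Suggest `DecodeTunnel(tv, dtv, tp, GET_PKT_DATA(tp), GET_PKT_LEN(tp), pq, IPPROTO_IPV6);` for that line. Both DecodeIPv4inIPv6 and DecodeIP6inIP6 start and end outside their hunks, so this is inferred from the visible lines only.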
@@ -39,6 +39,18 @@ typedef enum {
 CHECKSUM_VALIDATION_KERNEL,
 } ChecksumValidationMode;
+enum {
+ PKT_SRC_WIRE = 1,
+ PKT_SRC_DECODER_GRE,
+ PKT_SRC_DECODER_IPV4,
+ PKT_SRC_DECODER_IPV6,
+ PKT_SRC_DECODER_TEREDO,
+ PKT_SRC_DEFRAG,
+ PKT_SRC_STREAM_TCP_STREAM_END_PSEUDO,
+ PKT_SRC_FFR_V2,
+ PKT_SRC_FFR_SHUTDOWN,
+};
+
 #include "source-nfq.h"
 #include "source-ipfw.h"
 #include "source-pcap.h"
@@ -489,6 +501,8 @@ typedef struct Packet_
 uint16_t mpm_offsets[CUDA_MAX_PAYLOAD_SIZE + 1];
 #endif
+ uint8_t pkt_src;
+
 #ifdef PROFILING
 PktProfiling profile;
 #endif
@@ -676,6 +690,7 @@ typedef struct DecodeThreadVars_
 (p)->root = NULL; \
 (p)->livedev = NULL; \
 (p)->ReleaseData = NULL; \
+ (p)->pkt_src = 0; \
 PACKET_RESET_CHECKSUMS((p)); \
 PACKET_PROFILING_RESET((p)); \
 } while (0)
@@ -922,5 +937,7 @@ void AddressDebugPrint(Address *);
 /** \brief return 1 if the packet is a pseudo packet */
 #define PKT_IS_PSEUDOPKT(p) ((p)->flags & PKT_PSEUDO_STREAM_END)
+#define PKT_SET_SRC(p, src_val) ((p)->pkt_src = src_val)
+
 #endif /* __DECODE_H__ */
diff --git a/src/defrag.c b/src/defrag.c
index cb8fba25a0..74757be063 100644
--- a/src/defrag.c
+++ b/src/defrag.c
@@ -289,6 +289,7 @@ Defrag4Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p)
 "fragmentation re-assembly, dumping fragments.");
 goto remove_tracker;
 }
+ PKT_SET_SRC(rp, PKT_SRC_DEFRAG);
 rp->recursion_level = p->recursion_level;
 int fragmentable_offset = 0;
@@ -402,6 +403,7 @@ Defrag6Reassemble(ThreadVars *tv, DefragTracker *tracker, Packet *p)
 "fragmentation re-assembly, dumping fragments.");
 goto remove_tracker;
 }
+ PKT_SET_SRC(rp, PKT_SRC_DEFRAG);
 int fragmentable_offset = 0;
 int fragmentable_len = 0;
diff --git a/src/flow-timeout.c b/src/flow-timeout.c
index c3b15cc119..ed4b59ecca 100644
--- a/src/flow-timeout.c
+++ b/src/flow-timeout.c
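Review bot: The new anonymous enum at the top of decode.h carries no comment saying what it enumerates or that its values are stored in the `uint8_t pkt_src` field the next hunk adds to Packet_, so nothing warns a future contributor that the list must stay below 256 entries. Suggest `/** Origin of a Packet: PKT_SRC_WIRE for capture sources, the others for packets synthesised inside the engine; kept in Packet::pkt_src (uint8_t), so values must stay below 256 */` above `enum {`. The PACKET_RECYCLE hunk resets the field to a bare `0`, a value no enumerator names; a zero member (constructed name, e.g. `PKT_SRC_NONE = 0`) would make an untagged packet self-describing and let the reset read `(p)->pkt_src = PKT_SRC_NONE;`.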
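Review bot: `PKT_SET_SRC` expands `src_val` without parentheses, so an expression argument would bind to the assignment in an unexpected way; the neighbouring `PKT_IS_PSEUDOPKT` parenthesises its `p` operand, and this macro should do the same for both arguments. Suggest `#define PKT_SET_SRC(p, src_val) ((p)->pkt_src = (src_val))`. A doc line matching the one on PKT_IS_PSEUDOPKT, `/** \brief record where a packet originated (one of the PKT_SRC_* values) */`, would also keep the two macros consistent.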
@@ -364,6 +364,7 @@ int FlowForceReassemblyForFlowV2(Flow *f, int server, int client)
 if (p1 == NULL) {
 return 1;
 }
+ PKT_SET_SRC(p1, PKT_SRC_FFR_V2);
 if (server == 1) {
 p2 = FlowForceReassemblyPseudoPacketGet(0, f, ssn, 0);
@@ -372,6 +373,7 @@ int FlowForceReassemblyForFlowV2(Flow *f, int server, int client)
 TmqhOutputPacketpool(NULL, p1);
 return 1;
 }
+ PKT_SET_SRC(p2, PKT_SRC_FFR_V2);
 p3 = FlowForceReassemblyPseudoPacketGet(1, f, ssn, 1);
 if (p3 == NULL) {
@@ -381,6 +383,7 @@ int FlowForceReassemblyForFlowV2(Flow *f, int server, int client)
 TmqhOutputPacketpool(NULL, p2);
 return 1;
 }
+ PKT_SET_SRC(p3, PKT_SRC_FFR_V2);
 } else {
 p2 = FlowForceReassemblyPseudoPacketGet(0, f, ssn, 1);
 if (p2 == NULL) {
@@ -388,6 +391,7 @@ int FlowForceReassemblyForFlowV2(Flow *f, int server, int client)
 TmqhOutputPacketpool(NULL, p1);
 return 1;
 }
+ PKT_SET_SRC(p2, PKT_SRC_FFR_V2);
 }
 } else if (client == 2) {
@@ -396,6 +400,7 @@ int FlowForceReassemblyForFlowV2(Flow *f, int server, int client)
 if (p1 == NULL) {
 return 1;
 }
+ PKT_SET_SRC(p1, PKT_SRC_FFR_V2);
 p2 = FlowForceReassemblyPseudoPacketGet(1, f, ssn, 1);
 if (p2 == NULL) {
@@ -403,11 +408,13 @@ int FlowForceReassemblyForFlowV2(Flow *f, int server, int client)
 TmqhOutputPacketpool(NULL, p1);
 return 1;
 }
+ PKT_SET_SRC(p2, PKT_SRC_FFR_V2);
 } else {
 p1 = FlowForceReassemblyPseudoPacketGet(0, f, ssn, 1);
 if (p1 == NULL) {
 return 1;
 }
+ PKT_SET_SRC(p1, PKT_SRC_FFR_V2);
 if (server == 2) {
 p2 = FlowForceReassemblyPseudoPacketGet(1, f, ssn, 1);
@@ -416,6 +423,7 @@ int FlowForceReassemblyForFlowV2(Flow *f, int server, int client)
 TmqhOutputPacketpool(NULL, p1);
 return 1;
 }
+ PKT_SET_SRC(p2, PKT_SRC_FFR_V2);
 }
 }
@@ -425,6 +433,7 @@ int FlowForceReassemblyForFlowV2(Flow *f, int server, int client)
 if (p1 == NULL) {
 return 1;
 }
+ PKT_SET_SRC(p1, PKT_SRC_FFR_V2);
 p2 = FlowForceReassemblyPseudoPacketGet(1, f, ssn, 1);
 if (p2 == NULL) {
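Review bot: The same `PKT_SET_SRC(pN, PKT_SRC_FFR_V2);` line is repeated after every FlowForceReassemblyPseudoPacketGet call in FlowForceReassemblyForFlowV2 — this hunk and the ones at old lines 372, 381, 388, 396, 403, 416, 425 and 432 — which makes the tag easy to forget on the next branch that is added to this already branch-heavy function. If the getter is local to this file, taking the source as an argument, `p1 = FlowForceReassemblyPseudoPacketGet(0, f, ssn, 0, PKT_SRC_FFR_V2);`, and tagging inside it would collapse all of these into one place; FlowForceReassemblyForHash could pass PKT_SRC_FFR_SHUTDOWN the same way. FlowForceReassemblyForFlowV2 starts and ends outside the hunk.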
@@ -432,11 +441,13 @@ int FlowForceReassemblyForFlowV2(Flow *f, int server, int client)
 TmqhOutputPacketpool(NULL, p1);
 return 1;
 }
+ PKT_SET_SRC(p2, PKT_SRC_FFR_V2);
 } else if (server == 2) {
 p1 = FlowForceReassemblyPseudoPacketGet(1, f, ssn, 1);
 if (p1 == NULL) {
 return 1;
 }
+ PKT_SET_SRC(p1, PKT_SRC_FFR_V2);
 } else {
 /* impossible */
 BUG_ON(1);
@@ -568,6 +579,7 @@ static inline void FlowForceReassemblyForHash(void)
 FBLOCK_UNLOCK(fb);
 return;
 }
+ PKT_SET_SRC(p, PKT_SRC_FFR_SHUTDOWN);
 if (stream_pseudo_pkt_detect_prev_TV != NULL) {
 stream_pseudo_pkt_detect_prev_TV->
@@ -598,6 +610,7 @@ static inline void FlowForceReassemblyForHash(void)
 FBLOCK_UNLOCK(fb);
 return;
 }
+ PKT_SET_SRC(p, PKT_SRC_FFR_SHUTDOWN);
 if (stream_pseudo_pkt_detect_prev_TV != NULL) {
 stream_pseudo_pkt_detect_prev_TV->
@@ -624,6 +637,7 @@ static inline void FlowForceReassemblyForHash(void)
 FBLOCK_UNLOCK(fb);
 }
+ PKT_SET_SRC(reassemble_p, PKT_SRC_FFR_SHUTDOWN);
 TmqhOutputPacketpool(NULL, reassemble_p);
 return;
 }
diff --git a/src/source-af-packet.c b/src/source-af-packet.c
index ccff2cd468..9cd8687680 100644
--- a/src/source-af-packet.c
+++ b/src/source-af-packet.c
@@ -523,6 +523,7 @@ int AFPRead(AFPThreadVars *ptv)
 if (p == NULL) {
 SCReturnInt(AFP_FAILURE);
 }
+ PKT_SET_SRC(p, PKT_SRC_WIRE);
 /* get timestamp of packet via ioctl */
 if (ioctl(ptv->socket, SIOCGSTAMP, &p->ts) == -1) {
@@ -718,6 +719,7 @@ int AFPReadFromRing(AFPThreadVars *ptv)
 if (p == NULL) {
 SCReturnInt(AFP_FAILURE);
 }
+ PKT_SET_SRC(p, PKT_SRC_WIRE);
 /* Suricata will treat packet so telling it is busy, this
 * status will be reset to 0 (ie TP_STATUS_KERNEL) in the release
diff --git a/src/source-erf-dag.c b/src/source-erf-dag.c
index 150d21723b..5ba67a1ef3 100644
--- a/src/source-erf-dag.c
+++ b/src/source-erf-dag.c
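Review bot: In the FlowForceReassemblyForHash hunk at old line 624, `PKT_SET_SRC(reassemble_p, PKT_SRC_FFR_SHUTDOWN);` is immediately followed by `TmqhOutputPacketpool(NULL, reassemble_p);`, which hands the packet back to the pool, and the PACKET_RECYCLE hunk in decode.h resets pkt_src to 0 on reuse. Unless reassemble_p is dispatched somewhere earlier in the function, the tag is written to a packet that is about to be discarded and the added line does nothing; it can be dropped, or moved to where reassemble_p is obtained if it is meant to be visible while the packet is in use. The function starts outside the hunk, so this is inferred from the visible lines only.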
@@ -481,6 +481,7 @@ static inline TmEcode ProcessErfDagRecord(ErfDagThreadVars *ewtn, char *prec)
 ewtn->dagstream, ewtn->dagname);
 SCReturnInt(TM_ECODE_FAILED);
 }
+ PKT_SET_SRC(p, PKT_SRC_WIRE);
 SET_PKT_LEN(p, wlen);
 p->datalink = LINKTYPE_ETHERNET;
diff --git a/src/source-erf-file.c b/src/source-erf-file.c
index 44c3642fef..eb4ae4b9de 100644
--- a/src/source-erf-file.c
+++ b/src/source-erf-file.c
@@ -135,6 +135,7 @@ TmEcode ReceiveErfFileLoop(ThreadVars *tv, void *data, void *slot)
 EngineStop();
 SCReturnInt(TM_ECODE_FAILED);
 }
+ PKT_SET_SRC(p, PKT_SRC_WIRE);
 if (ReadErfRecord(tv, p, data) != TM_ECODE_OK) {
 TmqhOutputPacketpool(etv->tv, p);
diff --git a/src/source-ipfw.c b/src/source-ipfw.c
index 573ef5d7e7..66f66808b6 100644
--- a/src/source-ipfw.c
+++ b/src/source-ipfw.c
@@ -373,6 +373,7 @@ TmEcode ReceiveIPFWLoop(ThreadVars *tv, void *data, void *slot)
 if (p == NULL) {
 SCReturnInt(TM_ECODE_FAILED);
 }
+ PKT_SET_SRC(p, PKT_SRC_WIRE);
 SCLogDebug("Received Packet Len: %d", pktlen);
diff --git a/src/source-napatech.c b/src/source-napatech.c
index 56c37e84b6..c12eae09ce 100644
--- a/src/source-napatech.c
+++ b/src/source-napatech.c
@@ -244,6 +244,7 @@ TmEcode NapatechFeedLoop(ThreadVars *tv, void *data, void *slot)
 if (unlikely(p == NULL)) {
 SCReturnInt(TM_ECODE_FAILED);
 }
+ PKT_SET_SRC(p, PKT_SRC_WIRE);
 p->ts.tv_sec = header->ts.tv_sec;
 p->ts.tv_usec = header->ts.tv_usec;
diff --git a/src/source-nfq.c b/src/source-nfq.c
index 373842fc96..8120c7cc99 100644
--- a/src/source-nfq.c
+++ b/src/source-nfq.c
@@ -379,6 +379,7 @@ static int NFQCallBack(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
 if (p == NULL) {
 return -1;
 }
+ PKT_SET_SRC(p, PKT_SRC_WIRE);
 p->nfq_v.nfq_index = ntv->nfq_index;
 ret = NFQSetupPkt(p, qh, (void *)nfa);
diff --git a/src/source-pcap-file.c b/src/source-pcap-file.c
index e23e620b02..be864dd324 100644
--- a/src/source-pcap-file.c
+++ b/src/source-pcap-file.c
@@ -127,6 +127,7 @@ void PcapFileCallbackLoop(char *user, struct pcap_pkthdr *h, u_char *pkt) {
 }
 PACKET_PROFILING_TMM_START(p, TMM_RECEIVEPCAPFILE);
+ PKT_SET_SRC(p, PKT_SRC_WIRE);
 p->ts.tv_sec = h->ts.tv_sec;
 p->ts.tv_usec = h->ts.tv_usec;
 SCLogDebug("p->ts.tv_sec %"PRIuMAX"", (uintmax_t)p->ts.tv_sec);
diff --git a/src/source-pcap.c b/src/source-pcap.c
index bb7cda1593..c0e0bec778 100644
--- a/src/source-pcap.c
+++ b/src/source-pcap.c
@@ -210,6 +210,7 @@ void PcapCallbackLoop(char *user, struct pcap_pkthdr *h, u_char *pkt) {
 SCReturn;
 }
+ PKT_SET_SRC(p, PKT_SRC_WIRE);
 p->ts.tv_sec = h->ts.tv_sec;
 p->ts.tv_usec = h->ts.tv_usec;
 SCLogDebug("p->ts.tv_sec %"PRIuMAX"", (uintmax_t)p->ts.tv_sec);
diff --git a/src/source-pfring.c b/src/source-pfring.c
index 63a7bc9d06..f8bf8c2ac1 100644
--- a/src/source-pfring.c
+++ b/src/source-pfring.c
@@ -270,6 +270,7 @@ TmEcode ReceivePfringLoop(ThreadVars *tv, void *data, void *slot)
 if (p == NULL) {
 SCReturnInt(TM_ECODE_FAILED);
 }
+ PKT_SET_SRC(p, PKT_SRC_WIRE);
 /* Some flavours of PF_RING may fail to set timestamp - see PF-RING-enabled libpcap code*/
 hdr.ts.tv_sec = hdr.ts.tv_usec = 0;
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 55cfde7d15..dbc6ab85c5 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -4577,6 +4577,7 @@ void StreamTcpPseudoPacketCreateStreamEndPacket(Packet *p, TcpSession *ssn, Pack
 SCLogDebug("The packet received from packet allocation is NULL");
 SCReturn;
 }
+ PKT_SET_SRC(np, PKT_SRC_STREAM_TCP_STREAM_END_PSEUDO);
 /* Setup the IP and TCP headers */
 StreamTcpPseudoPacketSetupHeader(np,p);