From: Tom Peters (thopeter)
Date: Mon, 6 Nov 2017 22:18:57 +0000 (-0500)
Subject: Merge pull request #1059 in SNORT/snort3 from realip to master
X-Git-Tag: 3.0.0-241~26
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d63d2123d1a50f2e3ba7ca965033b90814dbdbc3;p=thirdparty%2Fsnort3.git

Merge pull request #1059 in SNORT/snort3 from realip to master

Squashed commit of the following:

commit 5bcd29db69fb205855053f36b823131d2a63a372
Author: Steven Baigal
Date: Thu Oct 26 16:18:03 2017 -0400

added reading real IP/Port from DAQ
---
diff --git a/src/codecs/ip/cd_ipv4.cc b/src/codecs/ip/cd_ipv4.cc
index 45f619407..4c752b18c 100644
--- a/src/codecs/ip/cd_ipv4.cc
+++ b/src/codecs/ip/cd_ipv4.cc
@@ -226,6 +226,17 @@ bool Ipv4Codec::decode(const RawData& raw, CodecData& codec, DecodeData& snort)
 // set the api now since this layer has been verified as valid
 snort.ip_api.set(iph);
+ // update to real IP when needed
+ if ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_ADDRESSES) and codec.ip_layer_cnt == 1)
+ {
+ SfIp real_src;
+ SfIp real_dst;
+ real_src.set(&raw.pkth->real_sIP,
+ ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_SIP_V6) ? AF_INET6 : AF_INET));
+ real_dst.set(&raw.pkth->real_dIP,
+ ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_DIP_V6) ? AF_INET6 : AF_INET));
+ snort.ip_api.update(real_src, real_dst);
+ }
 /*
 * IP Header tests: Land attack, and Loop back test
diff --git a/src/codecs/ip/cd_ipv6.cc b/src/codecs/ip/cd_ipv6.cc
index 708b65d48..947f90927 100644
--- a/src/codecs/ip/cd_ipv6.cc
+++ b/src/codecs/ip/cd_ipv6.cc
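Review bot: The new `snort.ip_api.update(real_src, real_dst)` runs before the `IP Header tests: Land attack, and Loop back test` block that follows the hunk, so if those tests read addresses through `ip_api` (their call is outside the hunk) they now examine the DAQ-supplied addresses rather than the header that was just validated: a packet whose on-wire src and dst are equal but whose real addresses differ would no longer trip the same-src/dst check, and the reverse case would alert on a header that is not malformed. If that is intended, record it at the update, e.g. `// header-level tests below run on the DAQ-reported real addresses, not the wire header`; otherwise move the update after those tests. Note also that `update()` replaces only src/dst, so `ip_api` keeps the IPv4 header type even when `DAQ_PKT_FLAG_REAL_SIP_V6` selects an AF_INET6 address. Ipv4Codec::decode starts and ends outside the hunk.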
@@ -189,6 +189,17 @@ bool Ipv6Codec::decode(const RawData& raw, CodecData& codec, DecodeData& snort)
 IPV6CheckIsatap(ip6h, snort, codec); // check for isatap before overwriting the ip_api.
 snort.ip_api.set(ip6h);
+ // update to real IP when needed
+ if ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_ADDRESSES) and codec.ip_layer_cnt == 1)
+ {
+ SfIp real_src;
+ SfIp real_dst;
+ real_src.set(&raw.pkth->real_sIP,
+ ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_SIP_V6) ? AF_INET6 : AF_INET));
+ real_dst.set(&raw.pkth->real_dIP,
+ ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_DIP_V6) ? AF_INET6 : AF_INET));
+ snort.ip_api.update(real_src, real_dst);
+ }
 IPV6MiscTests(snort, codec);
 CheckIPV6Multicast(ip6h, codec);
diff --git a/src/codecs/ip/cd_tcp.cc b/src/codecs/ip/cd_tcp.cc
index f0f954cdf..ac939a0e7 100644
--- a/src/codecs/ip/cd_tcp.cc
+++ b/src/codecs/ip/cd_tcp.cc
@@ -277,8 +277,16 @@ bool TcpCodec::decode(const RawData& raw, CodecData& codec, DecodeData& snort)
 codec.lyr_len = tcph_len - codec.invalid_bytes; // set in DecodeTCPOptions()
 codec.proto_bits |= PROTO_BIT__TCP;
 snort.tcph = tcph;
- snort.sp = tcph->src_port();
- snort.dp = tcph->dst_port();
+ if ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_ADDRESSES) and (codec.ip_layer_cnt == 1))
+ {
+ snort.sp = ntohs(raw.pkth->n_real_sPort);
+ snort.dp = ntohs(raw.pkth->n_real_dPort);
+ }
+ else
+ {
+ snort.sp = tcph->src_port();
+ snort.dp = tcph->dst_port();
+ }
 snort.set_pkt_type(PktType::TCP);
 TCPMiscTests(tcph, snort, codec);
diff --git a/src/codecs/ip/cd_udp.cc b/src/codecs/ip/cd_udp.cc
index 49e7d85be..c074bf106 100644
--- a/src/codecs/ip/cd_udp.cc
+++ b/src/codecs/ip/cd_udp.cc
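Review bot: This eleven-line block is the same text added to cd_ipv4.cc in this commit, down to the flag-to-family mapping, so a later fix to one copy will miss the other; hoist it into `IpApi` as a method taking the DAQ header and call `snort.ip_api.update_from_daq(*raw.pkth);` from both codecs under the existing guard. That helper is also the natural place to state that `DAQ_PKT_FLAG_REAL_SIP_V6` and `DAQ_PKT_FLAG_REAL_DIP_V6` are tested independently, so src and dst can end up in different address families from each other and from the header that `set(ip6h)` just recorded. Ipv6Codec::decode starts and ends outside the hunk.

```cpp
    snort.ip_api.set(ip6h);
    // update to real IP when needed (same helper as cd_ipv4.cc)
    if ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_ADDRESSES) and codec.ip_layer_cnt == 1)
        snort.ip_api.update_from_daq(*raw.pkth);
    // … unchanged: IPV6MiscTests / CheckIPV6Multicast …

// ip.cc: replace only the addresses with the DAQ-reported real ones; the
// family is chosen per address from the flags, so src and dst may differ.
void IpApi::update_from_daq(const DAQ_PktHdr_t& pkth)
{
    SfIp real_src;
    SfIp real_dst;
    real_src.set(&pkth.real_sIP, (pkth.flags & DAQ_PKT_FLAG_REAL_SIP_V6) ? AF_INET6 : AF_INET);
    real_dst.set(&pkth.real_dIP, (pkth.flags & DAQ_PKT_FLAG_REAL_DIP_V6) ? AF_INET6 : AF_INET);
    update(real_src, real_dst);
}
```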
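Review bot: After this change `snort.sp`/`snort.dp` no longer have to agree with `snort.tcph->src_port()`/`dst_port()`, because `snort.tcph` still points at the on-wire header while the ports come from `raw.pkth`; `TCPMiscTests(tcph, snort, codec)` on the last context line is handed both, and any check or logger that reads the header ports directly will presumably see values different from the ones carried in sp/dp. A comment at the new `if` would spare the next reader a trip to the DAQ header: `// sp/dp carry the DAQ-reported real ports; tcph keeps the on-wire ports`. The `ntohs()` on `n_real_sPort`/`n_real_dPort` matches the `n_` prefix, but the DAQ header definition is not in view, so confirm those fields are documented as network order. TcpCodec::decode starts and ends outside the hunk.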
@@ -281,8 +281,19 @@ bool UdpCodec::decode(const RawData& raw, CodecData& codec, DecodeData& snort)
 return false;
 }
 }
- const uint16_t src_port = udph->src_port();
- const uint16_t dst_port = udph->dst_port();
+ uint16_t src_port;
+ uint16_t dst_port;
+
+ if ((raw.pkth->flags & DAQ_PKT_FLAG_REAL_ADDRESSES) and (codec.ip_layer_cnt == 1))
+ {
+ src_port = ntohs(raw.pkth->n_real_sPort);
+ dst_port = ntohs(raw.pkth->n_real_dPort);
+ }
+ else
+ {
+ src_port = udph->src_port();
+ dst_port = udph->dst_port();
+ }
 /* fill in the printout data structs */
 snort.udph = udph;
diff --git a/src/protocols/ip.cc b/src/protocols/ip.cc
index c92069d18..ce38433fd 100644
--- a/src/protocols/ip.cc
+++ b/src/protocols/ip.cc
@@ -81,6 +81,12 @@ bool IpApi::set(const uint8_t* raw_ip_data)
 return false;
 }
+void IpApi::update(const SfIp& sip, const SfIp& dip)
+{
+ src.set(sip);
+ dst.set(dip);
+}
+
 uint16_t IpApi::tos() const
 {
 switch ( type )
diff --git a/src/protocols/ip.h b/src/protocols/ip.h
index a9637bf42..faa6b0660 100644
--- a/src/protocols/ip.h
+++ b/src/protocols/ip.h
@@ -49,6 +49,7 @@ public:
 void set(const IP6Hdr* h6);
 void set(const SfIp& src, const SfIp& dst);
 bool set(const uint8_t* raw_ip_data);
+ void update(const SfIp& sip, const SfIp& dip);
 void reset();
 // return the 16 bits associated with this IP layers frag_offset/flags
diff --git a/src/protocols/packet_manager.cc b/src/protocols/packet_manager.cc
index 3c6012a25..6c1fe80e0 100644
--- a/src/protocols/packet_manager.cc
+++ b/src/protocols/packet_manager.cc
@@ -610,6 +610,13 @@ static void set_hdr(
 pkth->flags = phdr->flags & (~DAQ_PKT_FLAG_HW_TCP_CS_GOOD);
 pkth->address_space_id = phdr->address_space_id;
 pkth->opaque = opaque;
+ if (pkth->flags & DAQ_PKT_FLAG_REAL_ADDRESSES)
+ {
+ pkth->n_real_sPort = phdr->n_real_sPort;
+ pkth->n_real_dPort = phdr->n_real_dPort;
+ pkth->real_sIP = phdr->real_sIP;
+ pkth->real_dIP = phdr->real_dIP;
+ }
 }
 //-------------------------------------------------------------------------
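Review bot: The predicate `(raw.pkth->flags & DAQ_PKT_FLAG_REAL_ADDRESSES) and (codec.ip_layer_cnt == 1)` is now spelled out in four codecs in this commit (here, cd_tcp.cc, cd_ipv4.cc, cd_ipv6.cc), with and without the inner parentheses, so the "only the outermost IP layer" rule lives in four places; give it one name in a shared codec header, e.g. `inline bool use_real_addresses(const RawData& raw, const CodecData& codec) { return (raw.pkth->flags & DAQ_PKT_FLAG_REAL_ADDRESSES) and codec.ip_layer_cnt == 1; }`. That also lets the ports stay `const`, which the rewrite dropped: `const uint16_t src_port = use_real_addresses(raw, codec) ? ntohs(raw.pkth->n_real_sPort) : udph->src_port();` and the same for `dst_port`, so a stray later assignment cannot compile silently. UdpCodec::decode starts and ends outside the hunk.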
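Review bot: `IpApi::update()` overwrites `src`/`dst` only and leaves `type` (the field `tos()` switches on in the context lines) and whatever else `set()` records untouched, so after a call the address family of `src`/`dst` can disagree with `type`; the callers added in cd_ipv4.cc/cd_ipv6.cc pick AF_INET or AF_INET6 per address from DAQ flags, so this is not hypothetical. The name does not say this, and the `set(const SfIp& src, const SfIp& dst)` overload declared right next to it in ip.h invites the question of which one a caller should use. Add a header comment stating the contract, e.g. `// Replace only the addresses (e.g. with DAQ-reported real addresses); type and the layer recorded by set() are kept`, and note in ip.h how it differs from `set(src, dst)`.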
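Review bot: The four real-address fields are copied only when `DAQ_PKT_FLAG_REAL_ADDRESSES` is set, so when it is clear they hold whatever `pkth` contained before the call; that is safe as long as every reader gates on the flag, as the codecs and TcpStreamSession in this commit do, but the contract is not written down anywhere. Add `// real_* fields are only meaningful when DAQ_PKT_FLAG_REAL_ADDRESSES is set; readers must test the flag first` above the new `if`. The flag itself survives the mask on the first context line, since only `DAQ_PKT_FLAG_HW_TCP_CS_GOOD` is cleared, which is worth a word in the same comment. set_hdr starts outside the hunk.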
diff --git a/src/stream/libtcp/tcp_stream_session.cc b/src/stream/libtcp/tcp_stream_session.cc
index 1205d7cd1..ef92044f8 100644
--- a/src/stream/libtcp/tcp_stream_session.cc
+++ b/src/stream/libtcp/tcp_stream_session.cc
@@ -363,6 +363,13 @@ void TcpStreamSession::SetPacketHeaderFoo(const Packet* p)
 }
 daq_flags = p->pkth->flags;
 address_space_id = p->pkth->address_space_id;
+ if (daq_flags & DAQ_PKT_FLAG_REAL_ADDRESSES)
+ {
+ memcpy(real_src_ip.u6_addr8, &p->pkth->real_sIP, sizeof(ip::snort_in6_addr));
+ memcpy(real_dst_ip.u6_addr8, &p->pkth->real_dIP, sizeof(ip::snort_in6_addr));
+ real_src_port = p->pkth->n_real_sPort;
+ real_dst_port = p->pkth->n_real_dPort;
+ }
 }
 void TcpStreamSession::GetPacketHeaderFoo(DAQ_PktHdr_t* pkth, uint32_t dir)
@@ -384,6 +391,13 @@ void TcpStreamSession::GetPacketHeaderFoo(DAQ_PktHdr_t* pkth, uint32_t dir)
 pkth->opaque = 0;
 pkth->flags = daq_flags;
 pkth->address_space_id = address_space_id;
+ if (daq_flags & DAQ_PKT_FLAG_REAL_ADDRESSES)
+ {
+ memcpy(&pkth->real_sIP, real_src_ip.u6_addr8, sizeof(ip::snort_in6_addr));
+ memcpy(&pkth->real_dIP, real_dst_ip.u6_addr8, sizeof(ip::snort_in6_addr));
+ pkth->n_real_sPort = real_src_port;
+ pkth->n_real_dPort = real_dst_port;
+ }
 }
 void TcpStreamSession::SwapPacketHeaderFoo()
diff --git a/src/stream/libtcp/tcp_stream_session.h b/src/stream/libtcp/tcp_stream_session.h
index 4a58ab032..1b31cac57 100644
--- a/src/stream/libtcp/tcp_stream_session.h
+++ b/src/stream/libtcp/tcp_stream_session.h
@@ -24,6 +24,7 @@
 #include "detection/detection_engine.h"
 #include "flow/session.h"
+#include "protocols/ipv6.h"
 #include "stream/libtcp/tcp_stream_tracker.h"
 #include "stream/tcp/tcp_stream_config.h"
@@ -143,6 +144,12 @@ public:
 TcpStreamConfig* config = nullptr;
 TcpEventLogger tel;
+private:
+ ip::snort_in6_addr real_src_ip;
+ ip::snort_in6_addr real_dst_ip;
+ uint16_t real_src_port;
+ uint16_t real_dst_port;
+
 protected:
 virtual void set_os_policy() = 0;
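Review bot: Both `memcpy` calls size the copy by `sizeof(ip::snort_in6_addr)`, the destination member's type, not by `p->pkth->real_sIP`/`real_dIP`; the DAQ field's type is not in view here (packet_manager.cc only shows it is struct-assignable), so if it is ever narrower this reads past it. Pin the assumption next to the copies with `static_assert(sizeof(real_src_ip) == sizeof(p->pkth->real_sIP), "real address size mismatch");`, or copy with `sizeof(p->pkth->real_sIP)`. The ports are kept in network order here and handed back unchanged in GetPacketHeaderFoo, which is consistent, but since cd_tcp.cc/cd_udp.cc apply `ntohs` to the same fields a note `// stored in network order, as in DAQ_PktHdr_t` would prevent a stray conversion later. SetPacketHeaderFoo starts outside the hunk.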
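Review bot: The real addresses and ports are written into `pkth` without consulting `dir`, the parameter this function takes, and `SwapPacketHeaderFoo()` on the last context line is not touched by this commit; if the rest of GetPacketHeaderFoo (outside the hunk) selects ingress/egress fields by direction, a packet rebuilt for the reverse direction will carry the stored flow's real src/dst unchanged, and a swapped session keeps its original orientation for these four fields while the others flip. Either swap `real_src_*`/`real_dst_*` in SwapPacketHeaderFoo and honour `dir` here, or state the choice, e.g. `// real_* are always reported in the orientation of the packet that set them, regardless of dir`. GetPacketHeaderFoo starts outside the hunk.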