}
}
},
+ "sll2": {
+ "type": "object",
+ "description": "The number of times the SLL2 header was too small to be valid",
+ "additionalProperties": false,
+ "properties": {
+ "pkt_too_small": {
+ "type": "integer"
+ }
+ }
+ },
"tcp": {
"type": "object",
"additionalProperties": false,
"sll": {
"type": "integer"
},
+ "sll2": {
+ "type": "integer",
+ "description": "The number of SLL2 frames encountered"
+ },
"tcp": {
"type": "integer"
},
decode-raw.h \
decode-sctp.h \
decode-sll.h \
+ decode-sll2.h \
decode-tcp.h \
decode-template.h \
decode-teredo.h \
decode-raw.c \
decode-sctp.c \
decode-sll.c \
+ decode-sll2.c \
decode-tcp.c \
decode-template.c \
decode-teredo.c \
SLL_PKT_TOO_SMALL,
},
+ /* SLL2 EVENTS */
+ {
+ "decoder.sll2.pkt_too_small",
+ SLL2_PKT_TOO_SMALL,
+ },
+
/* ETHERNET EVENTS */
{
"decoder.ethernet.pkt_too_small",
/* SLL EVENTS */
SLL_PKT_TOO_SMALL, /**< sll packet smaller than minimum size */
+ /* SLL2 EVENTS */
+ SLL2_PKT_TOO_SMALL, /**< sll2 packet smaller than minimum size */
+
/* ETHERNET EVENTS */
ETHERNET_PKT_TOO_SMALL, /**< ethernet packet smaller than minimum size */
ETHERNET_UNKNOWN_ETHERTYPE, /**< ethertype unknown/unhandled*/
--- /dev/null
+/* Copyright (C) 2025 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \ingroup decode
+ *
+ * @{
+ */
+
+/**
+ * \file
+ *
+ * \author Jeff Lucovsky <jeff.lucovsky@corelight.com>
+ *
+ * Decodes Sll2
+ */
+
+#include "suricata-common.h"
+#include "decode.h"
+#include "decode-sll2.h"
+#include "decode-events.h"
+
+#include "util-validate.h"
+#include "util-debug.h"
+
+int DecodeSll2(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
+{
+ DEBUG_VALIDATE_BUG_ON(pkt == NULL);
+
+ StatsIncr(tv, dtv->counter_sll2);
+
+ if (unlikely(len < SLL2_HEADER_LEN)) {
+ ENGINE_SET_INVALID_EVENT(p, SLL2_PKT_TOO_SMALL);
+ return TM_ECODE_FAILED;
+ }
+ if (!PacketIncreaseCheckLayers(p)) {
+ return TM_ECODE_FAILED;
+ }
+
+ Sll2Hdr *sll2h = (Sll2Hdr *)pkt;
+
+ SCLogDebug("p %p pkt %p sll2_protocol %04x", p, pkt, SCNtohs(sll2h->sll_protocol));
+
+ DecodeNetworkLayer(
+ tv, dtv, SCNtohs(sll2h->sll_protocol), p, pkt + SLL2_HEADER_LEN, len - SLL2_HEADER_LEN);
+
+ return TM_ECODE_OK;
+}
+/**
+ * @}
+ */
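Review bot: `DecodeSll2` hands `sll2h->sll_protocol` to `DecodeNetworkLayer` as an EtherType without consulting `sll2_arphdtotype`, yet the LINKTYPE_LINUX_SLL2 description on tcpdump.org states the protocol field is an EtherType only for Ethernet-like ARPHRD_ values and carries a different meaning for others (e.g. the netlink family for ARPHRD_NETLINK), so frames from such interfaces on the `any` device are at best counted as an unknown ethertype and at worst given to a layer-3 decoder for data that is not of that type. This mirrors what the existing `DecodeSll` does, so it may be an accepted limitation, but the new file should say so where the call is made: `/* sll_protocol is an EtherType only for Ethernet-like sll2_arphdtotype values; other hardware types are decoded best-effort, as in DecodeSll */`. A stricter variant would read `SCNtohs(sll2h->sll2_arphdtotype)` and skip `DecodeNetworkLayer` for hardware types whose protocol field is not an EtherType. The boolean result of `DecodeNetworkLayer` is also discarded, again as in the SLL decoder; if that is deliberate a one-line comment would spare the next reader the question.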
--- /dev/null
+/* Copyright (C) 2025 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Jeff Lucovsky (jeff.lucovsky@corelight.com)
+ */
+
+#ifndef SURICATA_DECODE_SLL2_H
+#define SURICATA_DECODE_SLL2_H
+
+#define SLL2_HEADER_LEN 20
+
+typedef struct Sll2Hdr_ {
+ uint16_t sll_protocol; /* protocol */
+ uint16_t sll2_reservd; /* reserved */
+ uint32_t sll_ifindex; /* interface index*/
+ uint16_t sll2_arphdtotype; /* ARPHRD_ type*/
+ uint8_t sll2_pkttype; /* packet type */
+ uint8_t sll2_addrlen; /* link-layer addr len*/
+ uint8_t sll2_addr[8]; /* link-layer address */
+} __attribute__((__packed__)) Sll2Hdr;
+
+#endif /* SURICATA_DECODE_SLL2_H */
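Review bot: `SLL2_HEADER_LEN` and the layout of `Sll2Hdr` are declared independently, and the `len < SLL2_HEADER_LEN` check in `DecodeSll2` only bounds the reads through the struct if the two agree; adding `_Static_assert(sizeof(Sll2Hdr) == SLL2_HEADER_LEN, "Sll2Hdr must match SLL2_HEADER_LEN");` after the typedef pins that (the fields sum to 20 today and `__packed__` keeps padding out), assuming the project's compiler baseline is at least C11. The field names mix `sll_` and `sll2_` prefixes and `sll2_arphdtotype` looks like a misspelling of the ARPHRD hardware type; libpcap names these `sll2_protocol`, `sll2_reserved_mbz`, `sll2_if_index`, `sll2_hatype`, `sll2_pkttype`, `sll2_halen` and `sll2_addr`, and following that would make cross-checking against the format description easier. A short comment above the struct, such as `/* Linux "cooked" v2 capture header (LINKTYPE_LINUX_SLL2, 276); multi-byte fields are big-endian, use SCNtohs/SCNtohl */`, would also document the byte order the decoder relies on.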
dtv->counter_raw = StatsRegisterCounter("decoder.raw", tv);
dtv->counter_null = StatsRegisterCounter("decoder.null", tv);
dtv->counter_sll = StatsRegisterCounter("decoder.sll", tv);
+ dtv->counter_sll2 = StatsRegisterCounter("decoder.sll2", tv);
dtv->counter_tcp = StatsRegisterCounter("decoder.tcp", tv);
dtv->counter_tcp_syn = StatsRegisterCounter("tcp.syn", tv);
uint16_t counter_ethertype_unknown;
uint16_t counter_sll;
+ uint16_t counter_sll2;
uint16_t counter_raw;
uint16_t counter_null;
uint16_t counter_sctp;
/* decoder functions */
int DecodeEthernet(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t);
int DecodeSll(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t);
+int DecodeSll2(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t);
int DecodePPP(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t);
int DecodePPPOESession(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t);
int DecodePPPOEDiscovery(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t);
case LINKTYPE_LINUX_SLL:
DecodeSll(tv, dtv, p, data, len);
break;
+ case LINKTYPE_LINUX_SLL2:
+ DecodeSll2(tv, dtv, p, data, len);
+ break;
case LINKTYPE_PPP:
DecodePPP(tv, dtv, p, data, len);
break;
TmEcode ValidateLinkType(int datalink, DecoderFunc *DecoderFn)
{
switch (datalink) {
+ case LINKTYPE_LINUX_SLL2:
+ *DecoderFn = DecodeSll2;
+ break;
case LINKTYPE_LINUX_SLL:
*DecoderFn = DecodeSll;
break;
SCDatalinkValueNameInsert(datalink_value_map, LINKTYPE_NULL, "NULL");
SCDatalinkValueNameInsert(datalink_value_map, LINKTYPE_ETHERNET, "EN10MB");
SCDatalinkValueNameInsert(datalink_value_map, LINKTYPE_LINUX_SLL, "LINUX_SLL");
+ SCDatalinkValueNameInsert(datalink_value_map, LINKTYPE_LINUX_SLL2, "LINUX_SLL2");
SCDatalinkValueNameInsert(datalink_value_map, LINKTYPE_PPP, "PPP");
SCDatalinkValueNameInsert(datalink_value_map, LINKTYPE_RAW, "RAW");
SCDatalinkValueNameInsert(datalink_value_map, LINKTYPE_RAW2, "RAW2");
#define LINKTYPE_NULL DLT_NULL
#define LINKTYPE_ETHERNET DLT_EN10MB
#define LINKTYPE_LINUX_SLL 113
+#define LINKTYPE_LINUX_SLL2 276
#define LINKTYPE_PPP 9
#define LINKTYPE_RAW DLT_RAW
/* http://www.tcpdump.org/linktypes.html defines DLT_RAW as 101, yet others don't.