suricata
decode-events.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 
26 #include "decode-events.h"
27 /* code moved to app-layer-events */
28 
29 const struct DecodeEvents_ DEvents[] = {
30  /* IPV4 EVENTS */
31  { "decoder.ipv4.pkt_too_small", IPV4_PKT_TOO_SMALL, },
32  { "decoder.ipv4.hlen_too_small", IPV4_HLEN_TOO_SMALL, },
33  { "decoder.ipv4.iplen_smaller_than_hlen", IPV4_IPLEN_SMALLER_THAN_HLEN, },
34  { "decoder.ipv4.trunc_pkt", IPV4_TRUNC_PKT, },
35 
36  /* IPV4 OPTIONS */
37  { "decoder.ipv4.opt_invalid", IPV4_OPT_INVALID, },
38  { "decoder.ipv4.opt_invalid_len", IPV4_OPT_INVALID_LEN, },
39  { "decoder.ipv4.opt_malformed", IPV4_OPT_MALFORMED, },
40  { "decoder.ipv4.opt_pad_required", IPV4_OPT_PAD_REQUIRED, },
41  { "decoder.ipv4.opt_eol_required", IPV4_OPT_EOL_REQUIRED, },
42  { "decoder.ipv4.opt_duplicate", IPV4_OPT_DUPLICATE, },
43  { "decoder.ipv4.opt_unknown", IPV4_OPT_UNKNOWN, },
44  { "decoder.ipv4.wrong_ip_version", IPV4_WRONG_IP_VER, },
45  { "decoder.ipv4.icmpv6", IPV4_WITH_ICMPV6, },
46 
47  /* ICMP EVENTS */
48  { "decoder.icmpv4.pkt_too_small", ICMPV4_PKT_TOO_SMALL, },
49  { "decoder.icmpv4.unknown_type", ICMPV4_UNKNOWN_TYPE, },
50  { "decoder.icmpv4.unknown_code", ICMPV4_UNKNOWN_CODE, },
51  { "decoder.icmpv4.ipv4_trunc_pkt", ICMPV4_IPV4_TRUNC_PKT, },
52  { "decoder.icmpv4.ipv4_unknown_ver", ICMPV4_IPV4_UNKNOWN_VER, },
53 
54  /* ICMPv6 EVENTS */
55  { "decoder.icmpv6.unknown_type", ICMPV6_UNKNOWN_TYPE,},
56  { "decoder.icmpv6.unknown_code", ICMPV6_UNKNOWN_CODE,},
57  { "decoder.icmpv6.pkt_too_small", ICMPV6_PKT_TOO_SMALL,},
58  { "decoder.icmpv6.ipv6_unknown_version", ICMPV6_IPV6_UNKNOWN_VER,},
59  { "decoder.icmpv6.ipv6_trunc_pkt", ICMPV6_IPV6_TRUNC_PKT,},
60  { "decoder.icmpv6.mld_message_with_invalid_hl", ICMPV6_MLD_MESSAGE_WITH_INVALID_HL,},
61  { "decoder.icmpv6.unassigned_type", ICMPV6_UNASSIGNED_TYPE,},
62  { "decoder.icmpv6.experimentation_type", ICMPV6_EXPERIMENTATION_TYPE,},
63 
64  /* IPV6 EVENTS */
65  { "decoder.ipv6.pkt_too_small", IPV6_PKT_TOO_SMALL, },
66  { "decoder.ipv6.trunc_pkt", IPV6_TRUNC_PKT, },
67  { "decoder.ipv6.trunc_exthdr", IPV6_TRUNC_EXTHDR, },
68  { "decoder.ipv6.exthdr_dupl_fh", IPV6_EXTHDR_DUPL_FH, },
69  { "decoder.ipv6.exthdr_useless_fh", IPV6_EXTHDR_USELESS_FH, },
70  { "decoder.ipv6.exthdr_dupl_rh", IPV6_EXTHDR_DUPL_RH, },
71  { "decoder.ipv6.exthdr_dupl_hh", IPV6_EXTHDR_DUPL_HH, },
72  { "decoder.ipv6.exthdr_dupl_dh", IPV6_EXTHDR_DUPL_DH, },
73  { "decoder.ipv6.exthdr_dupl_ah", IPV6_EXTHDR_DUPL_AH, },
74  { "decoder.ipv6.exthdr_dupl_eh", IPV6_EXTHDR_DUPL_EH, },
75  { "decoder.ipv6.exthdr_invalid_optlen", IPV6_EXTHDR_INVALID_OPTLEN, },
76  { "decoder.ipv6.wrong_ip_version", IPV6_WRONG_IP_VER, },
77  { "decoder.ipv6.exthdr_ah_res_not_null", IPV6_EXTHDR_AH_RES_NOT_NULL, },
78  { "decoder.ipv6.hopopts_unknown_opt", IPV6_HOPOPTS_UNKNOWN_OPT, },
79  { "decoder.ipv6.hopopts_only_padding", IPV6_HOPOPTS_ONLY_PADDING, },
80  { "decoder.ipv6.dstopts_unknown_opt", IPV6_DSTOPTS_UNKNOWN_OPT, },
81  { "decoder.ipv6.dstopts_only_padding", IPV6_DSTOPTS_ONLY_PADDING, },
82  { "decoder.ipv6.rh_type_0", IPV6_EXTHDR_RH_TYPE_0, },
83  { "decoder.ipv6.zero_len_padn", IPV6_EXTHDR_ZERO_LEN_PADN, },
84  { "decoder.ipv6.fh_non_zero_reserved_field", IPV6_FH_NON_ZERO_RES_FIELD, },
85  { "decoder.ipv6.data_after_none_header", IPV6_DATA_AFTER_NONE_HEADER, },
86  { "decoder.ipv6.unknown_next_header", IPV6_UNKNOWN_NEXT_HEADER, },
87  { "decoder.ipv6.icmpv4", IPV6_WITH_ICMPV4, },
88 
89  /* TCP EVENTS */
90  { "decoder.tcp.pkt_too_small", TCP_PKT_TOO_SMALL, },
91  { "decoder.tcp.hlen_too_small", TCP_HLEN_TOO_SMALL, },
92  { "decoder.tcp.invalid_optlen", TCP_INVALID_OPTLEN, },
93 
94  /* TCP OPTIONS */
95  { "decoder.tcp.opt_invalid_len", TCP_OPT_INVALID_LEN, },
96  { "decoder.tcp.opt_duplicate", TCP_OPT_DUPLICATE, },
97 
98  /* UDP EVENTS */
99  { "decoder.udp.pkt_too_small", UDP_PKT_TOO_SMALL, },
100  { "decoder.udp.hlen_too_small", UDP_HLEN_TOO_SMALL, },
101  { "decoder.udp.hlen_invalid", UDP_HLEN_INVALID, },
102 
103  /* SLL EVENTS */
104  { "decoder.sll.pkt_too_small", SLL_PKT_TOO_SMALL, },
105 
106  /* ETHERNET EVENTS */
107  { "decoder.ethernet.pkt_too_small", ETHERNET_PKT_TOO_SMALL, },
108 
109  /* PPP EVENTS */
110  { "decoder.ppp.pkt_too_small", PPP_PKT_TOO_SMALL, },
111  { "decoder.ppp.vju_pkt_too_small", PPPVJU_PKT_TOO_SMALL, },
112  { "decoder.ppp.ip4_pkt_too_small", PPPIPV4_PKT_TOO_SMALL, },
113  { "decoder.ppp.ip6_pkt_too_small", PPPIPV6_PKT_TOO_SMALL, },
114  { "decoder.ppp.wrong_type", PPP_WRONG_TYPE, }, /** unknown & invalid protocol */
115  { "decoder.ppp.unsup_proto", PPP_UNSUP_PROTO, }, /** unsupported but valid protocol */
116 
117  /* PPPOE EVENTS */
118  { "decoder.pppoe.pkt_too_small", PPPOE_PKT_TOO_SMALL, },
119  { "decoder.pppoe.wrong_code", PPPOE_WRONG_CODE, },
120  { "decoder.pppoe.malformed_tags", PPPOE_MALFORMED_TAGS, },
121 
122  /* GRE EVENTS */
123  { "decoder.gre.pkt_too_small", GRE_PKT_TOO_SMALL, },
124  { "decoder.gre.wrong_version", GRE_WRONG_VERSION, },
125  { "decoder.gre.version0_recur", GRE_VERSION0_RECUR, },
126  { "decoder.gre.version0_flags", GRE_VERSION0_FLAGS, },
127  { "decoder.gre.version0_hdr_too_big", GRE_VERSION0_HDR_TOO_BIG, },
128  { "decoder.gre.version0_malformed_sre_hdr", GRE_VERSION0_MALFORMED_SRE_HDR, },
129  { "decoder.gre.version1_chksum", GRE_VERSION1_CHKSUM, },
130  { "decoder.gre.version1_route", GRE_VERSION1_ROUTE, },
131  { "decoder.gre.version1_ssr", GRE_VERSION1_SSR, },
132  { "decoder.gre.version1_recur", GRE_VERSION1_RECUR, },
133  { "decoder.gre.version1_flags", GRE_VERSION1_FLAGS, },
134  { "decoder.gre.version1_no_key", GRE_VERSION1_NO_KEY, },
135  { "decoder.gre.version1_wrong_protocol", GRE_VERSION1_WRONG_PROTOCOL, },
136  { "decoder.gre.version1_malformed_sre_hdr", GRE_VERSION1_MALFORMED_SRE_HDR, },
137  { "decoder.gre.version1_hdr_too_big", GRE_VERSION1_HDR_TOO_BIG, },
138 
139  /* VLAN EVENTS */
140  { "decoder.vlan.header_too_small",VLAN_HEADER_TOO_SMALL, },
141  { "decoder.vlan.unknown_type",VLAN_UNKNOWN_TYPE, },
142  { "decoder.vlan.too_many_layers", VLAN_HEADER_TOO_MANY_LAYERS, },
143  { "decoder.ieee8021ah.header_too_small", IEEE8021AH_HEADER_TOO_SMALL, },
144 
145  /* RAW EVENTS */
146  { "decoder.ipraw.invalid_ip_version",IPRAW_INVALID_IPV, },
147 
148  /* LINKTYPE NULL EVENTS */
149  { "decoder.ltnull.pkt_too_small", LTNULL_PKT_TOO_SMALL, },
150  { "decoder.ltnull.unsupported_type", LTNULL_UNSUPPORTED_TYPE, },
151 
152  /* SCTP EVENTS */
153  { "decoder.sctp.pkt_too_small", SCTP_PKT_TOO_SMALL, },
154 
155  /* Fragmentation reasembly events. */
156  { "decoder.ipv4.frag_pkt_too_large", IPV4_FRAG_PKT_TOO_LARGE, },
157  { "decoder.ipv6.frag_pkt_too_large", IPV6_FRAG_PKT_TOO_LARGE, },
158  { "decoder.ipv4.frag_overlap", IPV4_FRAG_OVERLAP, },
159  { "decoder.ipv6.frag_overlap", IPV6_FRAG_OVERLAP, },
160  /* Fragment ignored due to internal error */
161  { "decoder.ipv4.frag_ignored", IPV4_FRAG_IGNORED, },
162  { "decoder.ipv6.frag_ignored", IPV6_FRAG_IGNORED, },
163 
164  /* IPv4 in IPv6 events */
165  { "decoder.ipv6.ipv4_in_ipv6_too_small", IPV4_IN_IPV6_PKT_TOO_SMALL, },
166  { "decoder.ipv6.ipv4_in_ipv6_wrong_version", IPV4_IN_IPV6_WRONG_IP_VER, },
167  /* IPv6 in IPv6 events */
168  { "decoder.ipv6.ipv6_in_ipv6_too_small", IPV6_IN_IPV6_PKT_TOO_SMALL, },
169  { "decoder.ipv6.ipv6_in_ipv6_wrong_version", IPV6_IN_IPV6_WRONG_IP_VER, },
170 
171  /* MPLS events */
172  { "decoder.mpls.header_too_small", MPLS_HEADER_TOO_SMALL, },
173  { "decoder.mpls.bad_label_router_alert", MPLS_BAD_LABEL_ROUTER_ALERT, },
174  { "decoder.mpls.bad_label_implicit_null", MPLS_BAD_LABEL_IMPLICIT_NULL, },
175  { "decoder.mpls.bad_label_reserved", MPLS_BAD_LABEL_RESERVED, },
176  { "decoder.mpls.unknown_payload_type", MPLS_UNKNOWN_PAYLOAD_TYPE, },
177 
178  /* ERSPAN events */
179  { "decoder.erspan.header_too_small", ERSPAN_HEADER_TOO_SMALL, },
180  { "decoder.erspan.unsupported_version", ERSPAN_UNSUPPORTED_VERSION, },
181  { "decoder.erspan.too_many_vlan_layers", ERSPAN_TOO_MANY_VLAN_LAYERS, },
182 
183  /* Cisco Fabric Path/DCE events. */
184  { "decoder.dce.pkt_too_small", DCE_PKT_TOO_SMALL, },
185 
186  /* STREAM EVENTS */
187  { "stream.3whs_ack_in_wrong_dir", STREAM_3WHS_ACK_IN_WRONG_DIR, },
188  { "stream.3whs_async_wrong_seq", STREAM_3WHS_ASYNC_WRONG_SEQ, },
189  { "stream.3whs_right_seq_wrong_ack_evasion", STREAM_3WHS_RIGHT_SEQ_WRONG_ACK_EVASION, },
190  { "stream.3whs_synack_in_wrong_direction", STREAM_3WHS_SYNACK_IN_WRONG_DIRECTION, },
191  { "stream.3whs_synack_resend_with_diff_ack", STREAM_3WHS_SYNACK_RESEND_WITH_DIFFERENT_ACK, },
192  { "stream.3whs_synack_resend_with_diff_seq", STREAM_3WHS_SYNACK_RESEND_WITH_DIFF_SEQ, },
193  { "stream.3whs_synack_toserver_on_syn_recv", STREAM_3WHS_SYNACK_TOSERVER_ON_SYN_RECV, },
194  { "stream.3whs_synack_with_wrong_ack", STREAM_3WHS_SYNACK_WITH_WRONG_ACK, },
195  { "stream.3whs_synack_flood", STREAM_3WHS_SYNACK_FLOOD, },
196  { "stream.3whs_syn_resend_diff_seq_on_syn_recv", STREAM_3WHS_SYN_RESEND_DIFF_SEQ_ON_SYN_RECV, },
197  { "stream.3whs_syn_toclient_on_syn_recv", STREAM_3WHS_SYN_TOCLIENT_ON_SYN_RECV, },
198  { "stream.3whs_wrong_seq_wrong_ack", STREAM_3WHS_WRONG_SEQ_WRONG_ACK, },
199  { "stream.3whs_ack_data_inject", STREAM_3WHS_ACK_DATA_INJECT, },
200  { "stream.4whs_synack_with_wrong_ack", STREAM_4WHS_SYNACK_WITH_WRONG_ACK, },
201  { "stream.4whs_synack_with_wrong_syn", STREAM_4WHS_SYNACK_WITH_WRONG_SYN, },
202  { "stream.4whs_wrong_seq", STREAM_4WHS_WRONG_SEQ, },
203  { "stream.4whs_invalid_ack", STREAM_4WHS_INVALID_ACK, },
204  { "stream.closewait_ack_out_of_window", STREAM_CLOSEWAIT_ACK_OUT_OF_WINDOW, },
205  { "stream.closewait_fin_out_of_window", STREAM_CLOSEWAIT_FIN_OUT_OF_WINDOW, },
206  { "stream.closewait_pkt_before_last_ack", STREAM_CLOSEWAIT_PKT_BEFORE_LAST_ACK, },
207  { "stream.closewait_invalid_ack", STREAM_CLOSEWAIT_INVALID_ACK, },
208  { "stream.closing_ack_wrong_seq", STREAM_CLOSING_ACK_WRONG_SEQ, },
209  { "stream.closing_invalid_ack", STREAM_CLOSING_INVALID_ACK, },
210  { "stream.est_packet_out_of_window", STREAM_EST_PACKET_OUT_OF_WINDOW, },
211  { "stream.est_pkt_before_last_ack", STREAM_EST_PKT_BEFORE_LAST_ACK, },
212  { "stream.est_synack_resend", STREAM_EST_SYNACK_RESEND, },
213  { "stream.est_synack_resend_with_diff_ack", STREAM_EST_SYNACK_RESEND_WITH_DIFFERENT_ACK, },
214  { "stream.est_synack_resend_with_diff_seq", STREAM_EST_SYNACK_RESEND_WITH_DIFF_SEQ, },
215  { "stream.est_synack_toserver", STREAM_EST_SYNACK_TOSERVER, },
216  { "stream.est_syn_resend", STREAM_EST_SYN_RESEND, },
217  { "stream.est_syn_resend_diff_seq", STREAM_EST_SYN_RESEND_DIFF_SEQ, },
218  { "stream.est_syn_toclient", STREAM_EST_SYN_TOCLIENT, },
219  { "stream.est_invalid_ack", STREAM_EST_INVALID_ACK, },
220  { "stream.fin_invalid_ack", STREAM_FIN_INVALID_ACK, },
221  { "stream.fin1_ack_wrong_seq", STREAM_FIN1_ACK_WRONG_SEQ, },
222  { "stream.fin1_fin_wrong_seq", STREAM_FIN1_FIN_WRONG_SEQ, },
223  { "stream.fin1_invalid_ack", STREAM_FIN1_INVALID_ACK, },
224  { "stream.fin2_ack_wrong_seq", STREAM_FIN2_ACK_WRONG_SEQ, },
225  { "stream.fin2_fin_wrong_seq", STREAM_FIN2_FIN_WRONG_SEQ, },
226  { "stream.fin2_invalid_ack", STREAM_FIN2_INVALID_ACK, },
227  { "stream.fin_but_no_session", STREAM_FIN_BUT_NO_SESSION, },
228  { "stream.fin_out_of_window", STREAM_FIN_OUT_OF_WINDOW, },
229  { "stream.lastack_ack_wrong_seq", STREAM_LASTACK_ACK_WRONG_SEQ, },
230  { "stream.lastack_invalid_ack", STREAM_LASTACK_INVALID_ACK, },
231  { "stream.rst_but_no_session", STREAM_RST_BUT_NO_SESSION, },
232  { "stream.timewait_ack_wrong_seq", STREAM_TIMEWAIT_ACK_WRONG_SEQ, },
233  { "stream.timewait_invalid_ack", STREAM_TIMEWAIT_INVALID_ACK, },
234  { "stream.shutdown_syn_resend", STREAM_SHUTDOWN_SYN_RESEND, },
235  { "stream.pkt_invalid_timestamp", STREAM_PKT_INVALID_TIMESTAMP, },
236  { "stream.pkt_invalid_ack", STREAM_PKT_INVALID_ACK, },
237  { "stream.pkt_broken_ack", STREAM_PKT_BROKEN_ACK, },
238  { "stream.rst_invalid_ack", STREAM_RST_INVALID_ACK, },
239  { "stream.pkt_retransmission", STREAM_PKT_RETRANSMISSION, },
240  { "stream.pkt_bad_window_update", STREAM_PKT_BAD_WINDOW_UPDATE, },
241 
242  { "stream.suspected_rst_inject", STREAM_SUSPECTED_RST_INJECT, },
243  { "stream.wrong_thread", STREAM_WRONG_THREAD, },
244 
245  { "stream.reassembly_segment_before_base_seq", STREAM_REASSEMBLY_SEGMENT_BEFORE_BASE_SEQ, },
246  { "stream.reassembly_no_segment", STREAM_REASSEMBLY_NO_SEGMENT, },
247  { "stream.reassembly_seq_gap", STREAM_REASSEMBLY_SEQ_GAP, },
248  { "stream.reassembly_overlap_different_data", STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA, },
249 
250  { NULL, 0 },
251 };
DecodeEvents_
Definition: decode-events.h:269
DEvents
const struct DecodeEvents_ DEvents[]
Definition: decode-events.c:29