suricata
decode-raw.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup decode
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author William Metcalf <william.metcalf@gmail.com>
29  *
30  * Decode RAW
31  */
32 
33 #include "suricata-common.h"
34 #include "decode.h"
35 #include "decode-raw.h"
36 #include "decode-events.h"
37 
38 #include "util-unittest.h"
39 #include "util-debug.h"
40 
41 #include "pkt-var.h"
42 #include "util-profiling.h"
43 #include "host.h"
44 
45 
46 int DecodeRaw(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
47  const uint8_t *pkt, uint32_t len, PacketQueue *pq)
48 {
49  StatsIncr(tv, dtv->counter_raw);
50 
51  /* If it is ipv4 or ipv6 it should at least be the size of ipv4 */
52  if (unlikely(len < IPV4_HEADER_LEN)) {
53  ENGINE_SET_INVALID_EVENT(p, IPV4_PKT_TOO_SMALL);
54  return TM_ECODE_FAILED;
55  }
56 
57 
58 
59  if (IP_GET_RAW_VER(pkt) == 4) {
60  if (unlikely(GET_PKT_LEN(p) > USHRT_MAX)) {
61  return TM_ECODE_FAILED;
62  }
63  SCLogDebug("IPV4 Packet");
64  DecodeIPV4(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
65  } else if (IP_GET_RAW_VER(pkt) == 6) {
66  if (unlikely(GET_PKT_LEN(p) > USHRT_MAX)) {
67  return TM_ECODE_FAILED;
68  }
69  SCLogDebug("IPV6 Packet");
70  DecodeIPV6(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
71  } else {
72  SCLogDebug("Unknown ip version %d", IP_GET_RAW_VER(pkt));
73  ENGINE_SET_EVENT(p,IPRAW_INVALID_IPV);
74  }
75  return TM_ECODE_OK;
76 }
77 
78 #ifdef UNITTESTS
79 #include "flow.h"
80 #include "flow-util.h"
81 
82 /** DecodeRawtest01
83  * \brief Valid Raw packet
84  * \retval 0 Expected test value
85  */
86 static int DecodeRawTest01 (void)
87 {
88 
89  /* IPV6/TCP/no eth header */
90  uint8_t raw_ip[] = {
91  0x60, 0x00, 0x00, 0x00, 0x00, 0x28, 0x06, 0x40,
92  0x20, 0x01, 0x06, 0x18, 0x04, 0x00, 0x00, 0x00,
93  0x00, 0x00, 0x00, 0x00, 0x51, 0x99, 0xcc, 0x70,
94  0x20, 0x01, 0x06, 0x18, 0x00, 0x01, 0x80, 0x00,
95  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
96  0x8c, 0x9b, 0x00, 0x50, 0x6a, 0xe7, 0x07, 0x36,
97  0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, 0x16, 0x30,
98  0x29, 0x9c, 0x00, 0x00, 0x02, 0x04, 0x05, 0x8c,
99  0x04, 0x02, 0x08, 0x0a, 0x00, 0xdd, 0x1a, 0x39,
100  0x00, 0x00, 0x00, 0x00, 0x01, 0x03, 0x03, 0x02 };
101  Packet *p = PacketGetFromAlloc();
102  if (unlikely(p == NULL))
103  return 0;
104  ThreadVars tv;
105  DecodeThreadVars dtv;
106 
107  memset(&dtv, 0, sizeof(DecodeThreadVars));
108  memset(&tv, 0, sizeof(ThreadVars));
109 
110  if (PacketCopyData(p, raw_ip, sizeof(raw_ip)) == -1) {
111  SCFree(p);
112  return 0;
113  }
114 
115  FlowInitConfig(FLOW_QUIET);
116 
117  DecodeRaw(&tv, &dtv, p, raw_ip, GET_PKT_LEN(p), NULL);
118  if (p->ip6h == NULL) {
119  printf("expected a valid ipv6 header but it was NULL: ");
120  FlowShutdown();
121  SCFree(p);
122  return 0;
123  }
124 
125  PACKET_RECYCLE(p);
126  FlowShutdown();
127  SCFree(p);
128  return 1;
129 
130 }
131 /** DecodeRawtest02
132  * \brief Valid Raw packet
133  * \retval 0 Expected test value
134  */
135 static int DecodeRawTest02 (void)
136 {
137 
138  /* IPV4/TCP/no eth header */
139  uint8_t raw_ip[] = {
140  0x45, 0x00, 0x00, 0x30, 0x00, 0xad, 0x40, 0x00,
141  0x7f, 0x06, 0xac, 0xc5, 0xc0, 0xa8, 0x67, 0x02,
142  0xc0, 0xa8, 0x66, 0x02, 0x0b, 0xc7, 0x00, 0x50,
143  0x1d, 0xb3, 0x12, 0x37, 0x00, 0x00, 0x00, 0x00,
144  0x70, 0x02, 0x40, 0x00, 0xb8, 0xc8, 0x00, 0x00,
145  0x02, 0x04, 0x05, 0xb4, 0x01, 0x01, 0x04, 0x02 };
146 
147  Packet *p = PacketGetFromAlloc();
148  if (unlikely(p == NULL))
149  return 0;
150  ThreadVars tv;
151  DecodeThreadVars dtv;
152 
153  memset(&dtv, 0, sizeof(DecodeThreadVars));
154  memset(&tv, 0, sizeof(ThreadVars));
155 
156  if (PacketCopyData(p, raw_ip, sizeof(raw_ip)) == -1) {
157  SCFree(p);
158  return 0;
159  }
160 
161  FlowInitConfig(FLOW_QUIET);
162 
163  DecodeRaw(&tv, &dtv, p, raw_ip, GET_PKT_LEN(p), NULL);
164  if (p->ip4h == NULL) {
165  printf("expected a valid ipv4 header but it was NULL: ");
166  PACKET_RECYCLE(p);
167  FlowShutdown();
168  SCFree(p);
169  return 0;
170  }
171 
172  PACKET_RECYCLE(p);
173  FlowShutdown();
174  SCFree(p);
175  return 1;
176 }
177 /** DecodeRawtest03
178  * \brief Valid Raw packet
179  * \retval 0 Expected test value
180  */
181 static int DecodeRawTest03 (void)
182 {
183 
184  /* IPV13 */
185  uint8_t raw_ip[] = {
186  0xdf, 0x00, 0x00, 0x3d, 0x49, 0x42, 0x40, 0x00,
187  0x40, 0x06, 0xcf, 0x8a, 0x0a, 0x1f, 0x03, 0xaf,
188  0x0a, 0x1f, 0x0a, 0x02, 0xa5, 0xe7, 0xde, 0xad,
189  0x00, 0x0c, 0xe2, 0x0e, 0x8b, 0xfe, 0x0c, 0xe7,
190  0x80, 0x18, 0x00, 0xb7, 0xaf, 0xeb, 0x00, 0x00,
191  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xab, 0x4f,
192  0x34, 0x40, 0x67, 0x31, 0x3b, 0x63, 0x61, 0x74,
193  0x20, 0x6b, 0x65, 0x79, 0x3b };
194 
195  Packet *p = PacketGetFromAlloc();
196  if (unlikely(p == NULL))
197  return 0;
198  ThreadVars tv;
199  DecodeThreadVars dtv;
200 
201  memset(&dtv, 0, sizeof(DecodeThreadVars));
202  memset(&tv, 0, sizeof(ThreadVars));
203 
204  if (PacketCopyData(p, raw_ip, sizeof(raw_ip)) == -1) {
205  SCFree(p);
206  return 0;
207  }
208 
209  FlowInitConfig(FLOW_QUIET);
210 
211  DecodeRaw(&tv, &dtv, p, raw_ip, GET_PKT_LEN(p), NULL);
212  if (!ENGINE_ISSET_EVENT(p,IPRAW_INVALID_IPV)) {
213  printf("expected IPRAW_INVALID_IPV to be set but it wasn't: ");
214  FlowShutdown();
215  SCFree(p);
216  return 0;
217  }
218  PACKET_RECYCLE(p);
219  FlowShutdown();
220  SCFree(p);
221  return 1;
222 }
223 
224 #endif /* UNITTESTS */
225 
226 /**
227  * \brief Registers Raw unit tests
228  * \todo More Raw tests
229  */
230 void DecodeRawRegisterTests(void)
231 {
232 #ifdef UNITTESTS
233  UtRegisterTest("DecodeRawTest01", DecodeRawTest01);
234  UtRegisterTest("DecodeRawTest02", DecodeRawTest02);
235  UtRegisterTest("DecodeRawTest03", DecodeRawTest03);
236 #endif /* UNITTESTS */
237 }
238 /**
239  * @}
240  */
ENGINE_SET_EVENT
#define ENGINE_SET_EVENT(p, e)
Definition: decode.h:993
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
ENGINE_ISSET_EVENT
#define ENGINE_ISSET_EVENT(p, e)
Definition: decode.h:1008
DecodeRawRegisterTests
void DecodeRawRegisterTests(void)
Registers Raw unit tests.
Definition: decode-raw.c:230
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:38
PacketQueue_
Definition: decode.h:621
PACKET_RECYCLE
#define PACKET_RECYCLE(p)
Definition: decode.h:815
DecodeThreadVars_::counter_raw
uint16_t counter_raw
Definition: decode.h:655
Packet_::ip6h
IPV6Hdr * ip6h
Definition: decode.h:503
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:633
IP_GET_RAW_VER
#define IP_GET_RAW_VER(pkt)
Definition: decode.h:250
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:168
Packet_
Definition: decode.h:408
Packet_::ip4h
IPV4Hdr * ip4h
Definition: decode.h:501
DecodeIPV6
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len, PacketQueue *pq)
Definition: decode-ipv6.c:585
SCFree
#define SCFree(a)
Definition: util-mem.h:322
DecodeIPV4
int DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len, PacketQueue *pq)
Definition: decode-ipv4.c:517
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:670
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:226
DecodeRaw
int DecodeRaw(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len, PacketQueue *pq)
Definition: decode-raw.c:46
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:259
len
uint8_t len
Definition: app-layer-dnp3.h:2649
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:225
IPV4_HEADER_LEN
#define IPV4_HEADER_LEN
Definition: decode-ipv4.h:28
ENGINE_SET_INVALID_EVENT
#define ENGINE_SET_INVALID_EVENT(p, e)
Definition: decode.h:1001
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:141
FlowInitConfig
void FlowInitConfig(char quiet)
initialize the configuration
Definition: flow.c:515