suricata
decode-raw.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup decode
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author William Metcalf <william.metcalf@gmail.com>
29  *
30  * Decode RAW
31  */
32 
33 #include "suricata-common.h"
34 #include "decode.h"
35 #include "decode-raw.h"
36 #include "decode-events.h"
37 
38 #include "util-unittest.h"
39 #include "util-debug.h"
40 
41 #include "pkt-var.h"
42 #include "util-profiling.h"
43 #include "host.h"
44 
45 
46 int DecodeRaw(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
47 {
48  StatsIncr(tv, dtv->counter_raw);
49 
50  /* If it is ipv4 or ipv6 it should at least be the size of ipv4 */
51  if (unlikely(len < IPV4_HEADER_LEN)) {
52  ENGINE_SET_INVALID_EVENT(p, IPV4_PKT_TOO_SMALL);
53  return TM_ECODE_FAILED;
54  }
55 
56 
57 
58  if (IP_GET_RAW_VER(pkt) == 4) {
59  if (unlikely(GET_PKT_LEN(p) > USHRT_MAX)) {
60  return TM_ECODE_FAILED;
61  }
62  SCLogDebug("IPV4 Packet");
63  DecodeIPV4(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
64  } else if (IP_GET_RAW_VER(pkt) == 6) {
65  if (unlikely(GET_PKT_LEN(p) > USHRT_MAX)) {
66  return TM_ECODE_FAILED;
67  }
68  SCLogDebug("IPV6 Packet");
69  DecodeIPV6(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
70  } else {
71  SCLogDebug("Unknown ip version %d", IP_GET_RAW_VER(pkt));
72  ENGINE_SET_EVENT(p,IPRAW_INVALID_IPV);
73  }
74  return TM_ECODE_OK;
75 }
76 
77 #ifdef UNITTESTS
78 #include "flow.h"
79 #include "flow-util.h"
80 
81 /** DecodeRawtest01
82  * \brief Valid Raw packet
83  * \retval 0 Expected test value
84  */
85 static int DecodeRawTest01 (void)
86 {
87 
88  /* IPV6/TCP/no eth header */
89  uint8_t raw_ip[] = {
90  0x60, 0x00, 0x00, 0x00, 0x00, 0x28, 0x06, 0x40,
91  0x20, 0x01, 0x06, 0x18, 0x04, 0x00, 0x00, 0x00,
92  0x00, 0x00, 0x00, 0x00, 0x51, 0x99, 0xcc, 0x70,
93  0x20, 0x01, 0x06, 0x18, 0x00, 0x01, 0x80, 0x00,
94  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
95  0x8c, 0x9b, 0x00, 0x50, 0x6a, 0xe7, 0x07, 0x36,
96  0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, 0x16, 0x30,
97  0x29, 0x9c, 0x00, 0x00, 0x02, 0x04, 0x05, 0x8c,
98  0x04, 0x02, 0x08, 0x0a, 0x00, 0xdd, 0x1a, 0x39,
99  0x00, 0x00, 0x00, 0x00, 0x01, 0x03, 0x03, 0x02 };
100  Packet *p = PacketGetFromAlloc();
101  if (unlikely(p == NULL))
102  return 0;
103  ThreadVars tv;
104  DecodeThreadVars dtv;
105 
106  memset(&dtv, 0, sizeof(DecodeThreadVars));
107  memset(&tv, 0, sizeof(ThreadVars));
108 
109  if (PacketCopyData(p, raw_ip, sizeof(raw_ip)) == -1) {
110  SCFree(p);
111  return 0;
112  }
113 
114  FlowInitConfig(FLOW_QUIET);
115 
116  DecodeRaw(&tv, &dtv, p, raw_ip, GET_PKT_LEN(p), NULL);
117  if (p->ip6h == NULL) {
118  printf("expected a valid ipv6 header but it was NULL: ");
119  FlowShutdown();
120  SCFree(p);
121  return 0;
122  }
123 
124  PACKET_RECYCLE(p);
125  FlowShutdown();
126  SCFree(p);
127  return 1;
128 
129 }
130 /** DecodeRawtest02
131  * \brief Valid Raw packet
132  * \retval 0 Expected test value
133  */
134 static int DecodeRawTest02 (void)
135 {
136 
137  /* IPV4/TCP/no eth header */
138  uint8_t raw_ip[] = {
139  0x45, 0x00, 0x00, 0x30, 0x00, 0xad, 0x40, 0x00,
140  0x7f, 0x06, 0xac, 0xc5, 0xc0, 0xa8, 0x67, 0x02,
141  0xc0, 0xa8, 0x66, 0x02, 0x0b, 0xc7, 0x00, 0x50,
142  0x1d, 0xb3, 0x12, 0x37, 0x00, 0x00, 0x00, 0x00,
143  0x70, 0x02, 0x40, 0x00, 0xb8, 0xc8, 0x00, 0x00,
144  0x02, 0x04, 0x05, 0xb4, 0x01, 0x01, 0x04, 0x02 };
145 
146  Packet *p = PacketGetFromAlloc();
147  if (unlikely(p == NULL))
148  return 0;
149  ThreadVars tv;
150  DecodeThreadVars dtv;
151 
152  memset(&dtv, 0, sizeof(DecodeThreadVars));
153  memset(&tv, 0, sizeof(ThreadVars));
154 
155  if (PacketCopyData(p, raw_ip, sizeof(raw_ip)) == -1) {
156  SCFree(p);
157  return 0;
158  }
159 
160  FlowInitConfig(FLOW_QUIET);
161 
162  DecodeRaw(&tv, &dtv, p, raw_ip, GET_PKT_LEN(p), NULL);
163  if (p->ip4h == NULL) {
164  printf("expected a valid ipv4 header but it was NULL: ");
165  PACKET_RECYCLE(p);
166  FlowShutdown();
167  SCFree(p);
168  return 0;
169  }
170 
171  PACKET_RECYCLE(p);
172  FlowShutdown();
173  SCFree(p);
174  return 1;
175 }
176 /** DecodeRawtest03
177  * \brief Valid Raw packet
178  * \retval 0 Expected test value
179  */
180 static int DecodeRawTest03 (void)
181 {
182 
183  /* IPV13 */
184  uint8_t raw_ip[] = {
185  0xdf, 0x00, 0x00, 0x3d, 0x49, 0x42, 0x40, 0x00,
186  0x40, 0x06, 0xcf, 0x8a, 0x0a, 0x1f, 0x03, 0xaf,
187  0x0a, 0x1f, 0x0a, 0x02, 0xa5, 0xe7, 0xde, 0xad,
188  0x00, 0x0c, 0xe2, 0x0e, 0x8b, 0xfe, 0x0c, 0xe7,
189  0x80, 0x18, 0x00, 0xb7, 0xaf, 0xeb, 0x00, 0x00,
190  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xab, 0x4f,
191  0x34, 0x40, 0x67, 0x31, 0x3b, 0x63, 0x61, 0x74,
192  0x20, 0x6b, 0x65, 0x79, 0x3b };
193 
194  Packet *p = PacketGetFromAlloc();
195  if (unlikely(p == NULL))
196  return 0;
197  ThreadVars tv;
198  DecodeThreadVars dtv;
199 
200  memset(&dtv, 0, sizeof(DecodeThreadVars));
201  memset(&tv, 0, sizeof(ThreadVars));
202 
203  if (PacketCopyData(p, raw_ip, sizeof(raw_ip)) == -1) {
204  SCFree(p);
205  return 0;
206  }
207 
208  FlowInitConfig(FLOW_QUIET);
209 
210  DecodeRaw(&tv, &dtv, p, raw_ip, GET_PKT_LEN(p), NULL);
211  if (!ENGINE_ISSET_EVENT(p,IPRAW_INVALID_IPV)) {
212  printf("expected IPRAW_INVALID_IPV to be set but it wasn't: ");
213  FlowShutdown();
214  SCFree(p);
215  return 0;
216  }
217  PACKET_RECYCLE(p);
218  FlowShutdown();
219  SCFree(p);
220  return 1;
221 }
222 
223 #endif /* UNITTESTS */
224 
225 /**
226  * \brief Registers Raw unit tests
227  * \todo More Raw tests
228  */
229 void DecodeRawRegisterTests(void)
230 {
231 #ifdef UNITTESTS
232  UtRegisterTest("DecodeRawTest01", DecodeRawTest01);
233  UtRegisterTest("DecodeRawTest02", DecodeRawTest02);
234  UtRegisterTest("DecodeRawTest03", DecodeRawTest03);
235 #endif /* UNITTESTS */
236 }
237 /**
238  * @}
239  */
ENGINE_SET_EVENT
#define ENGINE_SET_EVENT(p, e)
Definition: decode.h:991
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
ENGINE_ISSET_EVENT
#define ENGINE_ISSET_EVENT(p, e)
Definition: decode.h:1006
DecodeRawRegisterTests
void DecodeRawRegisterTests(void)
Registers Raw unit tests.
Definition: decode-raw.c:229
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DecodeRaw
int DecodeRaw(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
Definition: decode-raw.c:46
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:38
PacketQueue_
Definition: decode.h:620
PACKET_RECYCLE
#define PACKET_RECYCLE(p)
Definition: decode.h:817
DecodeThreadVars_::counter_raw
uint16_t counter_raw
Definition: decode.h:656
DecodeIPV4
int DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
Definition: decode-ipv4.c:532
DecodeIPV6
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
Definition: decode-ipv6.c:584
Packet_::ip6h
IPV6Hdr * ip6h
Definition: decode.h:500
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:632
IP_GET_RAW_VER
#define IP_GET_RAW_VER(pkt)
Definition: decode.h:247
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:163
Packet_
Definition: decode.h:405
Packet_::ip4h
IPV4Hdr * ip4h
Definition: decode.h:498
SCFree
#define SCFree(a)
Definition: util-mem.h:228
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:667
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:223
len
uint8_t len
Definition: app-layer-dnp3.h:2643
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:222
IPV4_HEADER_LEN
#define IPV4_HEADER_LEN
Definition: decode-ipv4.h:28
PacketCopyData
int PacketCopyData(Packet *p, uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:258
ENGINE_SET_INVALID_EVENT
#define ENGINE_SET_INVALID_EVENT(p, e)
Definition: decode.h:999
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:140
FlowInitConfig
void FlowInitConfig(char quiet)
initialize the configuration
Definition: flow.c:512