[-]
[+]
|
Changed |
snort.spec
|
|
[-]
[+]
|
Added |
snort-2.9.2.2_ipv6_preproc.patch
^
|
@@ -0,0 +1,3908 @@
+diff -uNr snort-2.9.2.2-clean/configure.in snort-2.9.2.2/configure.in
+--- snort-2.9.2.2-clean/configure.in 2012-03-17 22:59:12.000000000 +0100
++++ snort-2.9.2.2/configure.in 2012-05-12 20:58:03.844857685 +0200
+@@ -1704,6 +1704,7 @@
+ src/dynamic-preprocessors/ssl/Makefile \
+ src/dynamic-preprocessors/modbus/Makefile \
+ src/dynamic-preprocessors/dnp3/Makefile \
++src/dynamic-preprocessors/ipv6/Makefile \
+ src/dynamic-preprocessors/rzb_saac/Makefile \
+ src/output-plugins/Makefile \
+ src/preprocessors/Makefile \
+diff -uNr snort-2.9.2.2-clean/src/dynamic-preprocessors/ipv6/Makefile.am snort-2.9.2.2/src/dynamic-preprocessors/ipv6/Makefile.am
+--- snort-2.9.2.2-clean/src/dynamic-preprocessors/ipv6/Makefile.am 1970-01-01 01:00:00.000000000 +0100
++++ snort-2.9.2.2/src/dynamic-preprocessors/ipv6/Makefile.am 2012-05-12 20:58:22.853272639 +0200
+@@ -0,0 +1,33 @@
++## $Id
++AUTOMAKE_OPTIONS=foreign no-dependencies
++
++INCLUDES = -I../include -I${srcdir}/../libs
++
++libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor
++
++lib_LTLIBRARIES = libsf_ipv6_preproc.la
++
++libsf_ipv6_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@
++if SO_WITH_STATIC_LIB
++libsf_ipv6_preproc_la_LIBADD = ../libsf_dynamic_preproc.la
++else
++nodist_libsf_ipv6_preproc_la_SOURCES = \
++../include/sf_dynamic_preproc_lib.c \
++../include/sfPolicyUserData.c
++endif
++
++libsf_ipv6_preproc_la_SOURCES = \
++sf_ip.c \
++spp_ipv6.c \
++spp_ipv6_constants.h \
++spp_ipv6_data_structs.c \
++spp_ipv6_data_structs.h \
++spp_ipv6.h \
++spp_ipv6_parse.c \
++spp_ipv6_ruleopt.c
++
++EXTRA_DIST =
++
++all-local: $(LTLIBRARIES)
++ $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES
++
+diff -uNr snort-2.9.2.2-clean/src/dynamic-preprocessors/ipv6/sf_ip.c snort-2.9.2.2/src/dynamic-preprocessors/ipv6/sf_ip.c
+--- snort-2.9.2.2-clean/src/dynamic-preprocessors/ipv6/sf_ip.c 1970-01-01 01:00:00.000000000 +0100
++++ snort-2.9.2.2/src/dynamic-preprocessors/ipv6/sf_ip.c 2012-05-12 20:58:22.787208307 +0200
+@@ -0,0 +1,589 @@
++/*
++** Copyright (C) 1998-2012 Sourcefire, Inc.
++** Adam Keeton
++** Kevin Liu <kliu@sourcefire.com>
++**
++** $Id$
++** This program is free software; you can redistribute it and/or modify
++** it under the terms of the GNU General Public License Version 2 as
++** published by the Free Software Foundation. You may not use, modify or
++** distribute this program under any other version of the GNU General
++** Public License.
++**
++** This program is distributed in the hope that it will be useful,
++** but WITHOUT ANY WARRANTY; without even the implied warranty of
++** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++** GNU General Public License for more details.
++**
++** You should have received a copy of the GNU General Public License
++** along with this program; if not, write to the Free Software
++** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
++*/
++
++/*
++ * Adam Keeton
++ * sf_ip.c
++ * 11/17/06
++ *
++ * Library for managing IP addresses of either v6 or v4 families.
++*/
++
++#ifdef HAVE_CONFIG_H
++#include "config.h"
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <ctype.h>
++#include <math.h> /* For ceil */
++#include "sf_ip.h"
++
++/* For inet_pton */
++#ifndef WIN32
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <arpa/inet.h>
++#endif /* WIN32 */
++
++#if 0
++/* Support function .. but could see some external uses */
++static inline int sfip_length(sfip_t *ip) {
++ ARG_CHECK1(ip, 0);
++
++ if(sfip_family(ip) == AF_INET) return 4;
++ return 16;
++}
++#endif
++
++/* Support function */
++// note that an ip6 address may have a trailing dotted quad form
++// but that it always has at least 2 ':'s; furthermore there is
++// no valid ip4 format (including mask) with 2 ':'s
++// we don't have to figure out if the format is entirely legal
++// we just have to be able to tell correct formats apart
++static inline int sfip_str_to_fam(const char *str) {
++ const char* s;
++ ARG_CHECK1(str, 0);
++ s = strchr(str, (int)':');
++ if ( s && strchr(s+1, (int)':') ) return AF_INET6;
++ if ( strchr(str, (int)'.') ) return AF_INET;
++ return AF_UNSPEC;
++}
++
++/* Place-holder allocation incase we want to do something more indepth later */
++static inline sfip_t *_sfip_alloc() {
++ /* Note: using calloc here instead of SnortAlloc since the dynamic libs
++ * can't presently resolve SnortAlloc */
++ return (sfip_t*)calloc(sizeof(sfip_t), 1);
++}
++
++/* Masks off 'val' bits from the IP contained within 'ip' */
++static inline int sfip_cidr_mask(sfip_t *ip, int val) {
++ int i;
++ unsigned int mask = 0;
++ unsigned int *p;
++ int index = (int)ceil(val / 32.0) - 1;
++
++ ARG_CHECK1(ip, SFIP_ARG_ERR);
++
++ p = ip->ip32;
++
++ if( val < 0 ||
++ ((sfip_family(ip) == AF_INET6) && val > 128) ||
++ ((sfip_family(ip) == AF_INET) && val > 32) ) {
++ return SFIP_ARG_ERR;
++ }
++
++ /* Build the netmask by converting "val" into
++ * the corresponding number of bits that are set */
++ for(i = 0; i < 32- (val - (index * 32)); i++)
++ mask = (mask<<1) + 1;
++
++ p[index] = htonl((ntohl(p[index]) & ~mask));
++
++ index++;
++
++ /* 0 off the rest of the IP */
++ for( ; index<4; index++) p[index] = 0;
++
++ return SFIP_SUCCESS;
++}
++
++/* Allocate IP address from a character array describing the IP */
++sfip_t *sfip_alloc(const char *ip, SFIP_RET *status) {
++ SFIP_RET tmp;
++ sfip_t *ret;
++
++ if(!ip) {
++ if(status)
++ *status = SFIP_ARG_ERR;
++ return NULL;
++ }
++
++ if((ret = _sfip_alloc()) == NULL) {
++ if(status)
++ *status = SFIP_ALLOC_ERR;
++ return NULL;
++ }
++
++ if( (tmp = sfip_pton(ip, ret)) != SFIP_SUCCESS) {
++ if(status)
++ *status = tmp;
++
++ sfip_free(ret);
++ return NULL;
++ }
++
++ if(status)
++ *status = SFIP_SUCCESS;
++
++ return ret;
++}
++
++/* Allocate IP address from an array of 8 byte integers */
++sfip_t *sfip_alloc_raw(void *ip, int family, SFIP_RET *status) {
++ sfip_t *ret;
++
|
[-]
[+]
|
Added |
snort-2.9.2.2_ipv6_preproc.patch.old
^
|
@@ -0,0 +1,3133 @@
+--- src/dynamic-preprocessors/Makefile.in.orig 2012-05-12 20:26:37.760390797 +0200
++++ src/dynamic-preprocessors/Makefile.in 2012-05-12 20:26:45.329269245 +0200
+@@ -128,7 +128,7 @@
+ ETAGS = etags
+ CTAGS = ctags
+ DIST_SUBDIRS = . libs ftptelnet pop imap smtp ssh dns ssl dcerpc2 sdf \
+- sip reputation gtp modbus dnp3 rzb_saac
++ sip reputation gtp modbus dnp3 ipv6 rzb_saac
+ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ am__relativize = \
+ dir0=`pwd`; \
+--- src/dynamic-preprocessors/Makefile.am.orig 2012-05-12 20:26:11.234263661 +0200
++++ src/dynamic-preprocessors/Makefile.am 2012-05-12 20:26:25.801269762 +0200
+@@ -488,7 +488,7 @@
+ endif
+
+ if HAVE_DYNAMIC_PLUGINS
+-SUBDIRS = . libs ftptelnet pop imap smtp ssh dns ssl dcerpc2 sdf sip reputation gtp modbus dnp3 $(RZB_SAAC_DIR)
++SUBDIRS = . libs ftptelnet pop imap smtp ssh dns ssl dcerpc2 sdf sip reputation gtp modbus dnp3 ipv6 $(RZB_SAAC_DIR)
+ endif
+
+ clean-local:
+diff -uNr src/dynamic-preprocessors/ipv6//Makefile.am src/dynamic-preprocessors/ipv6//Makefile.am
+--- src/dynamic-preprocessors/ipv6//Makefile.am 1970-01-01 01:00:00.000000000 +0100
++++ src/dynamic-preprocessors/ipv6//Makefile.am 2012-05-12 20:25:08.669267964 +0200
+@@ -0,0 +1,33 @@
++## $Id
++AUTOMAKE_OPTIONS=foreign no-dependencies
++
++INCLUDES = -I../include -I${srcdir}/../libs
++
++libdir = ${exec_prefix}/lib/snort_dynamicpreprocessor
++
++lib_LTLIBRARIES = libsf_ipv6_preproc.la
++
++libsf_ipv6_preproc_la_LDFLAGS = -shared -export-dynamic -module @XCCFLAGS@
++if SO_WITH_STATIC_LIB
++libsf_ipv6_preproc_la_LIBADD = ../libsf_dynamic_preproc.la
++else
++nodist_libsf_ipv6_preproc_la_SOURCES = \
++../include/sf_dynamic_preproc_lib.c \
++../include/sfPolicyUserData.c
++endif
++
++libsf_ipv6_preproc_la_SOURCES = \
++sf_ip.c \
++spp_ipv6.c \
++spp_ipv6_constants.h \
++spp_ipv6_data_structs.c \
++spp_ipv6_data_structs.h \
++spp_ipv6.h \
++spp_ipv6_parse.c \
++spp_ipv6_ruleopt.c
++
++EXTRA_DIST =
++
++all-local: $(LTLIBRARIES)
++ $(MAKE) DESTDIR=`pwd`/../build install-libLTLIBRARIES
++
+diff -uNr src/dynamic-preprocessors/ipv6//sf_ip.c src/dynamic-preprocessors/ipv6//sf_ip.c
+--- src/dynamic-preprocessors/ipv6//sf_ip.c 1970-01-01 01:00:00.000000000 +0100
++++ src/dynamic-preprocessors/ipv6//sf_ip.c 2012-05-12 20:19:37.317266955 +0200
+@@ -0,0 +1,589 @@
++/*
++** Copyright (C) 1998-2012 Sourcefire, Inc.
++** Adam Keeton
++** Kevin Liu <kliu@sourcefire.com>
++**
++** $Id$
++** This program is free software; you can redistribute it and/or modify
++** it under the terms of the GNU General Public License Version 2 as
++** published by the Free Software Foundation. You may not use, modify or
++** distribute this program under any other version of the GNU General
++** Public License.
++**
++** This program is distributed in the hope that it will be useful,
++** but WITHOUT ANY WARRANTY; without even the implied warranty of
++** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++** GNU General Public License for more details.
++**
++** You should have received a copy of the GNU General Public License
++** along with this program; if not, write to the Free Software
++** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
++*/
++
++/*
++ * Adam Keeton
++ * sf_ip.c
++ * 11/17/06
++ *
++ * Library for managing IP addresses of either v6 or v4 families.
++*/
++
++#ifdef HAVE_CONFIG_H
++#include "config.h"
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <ctype.h>
++#include <math.h> /* For ceil */
++#include "sf_ip.h"
++
++/* For inet_pton */
++#ifndef WIN32
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <arpa/inet.h>
++#endif /* WIN32 */
++
++#if 0
++/* Support function .. but could see some external uses */
++static inline int sfip_length(sfip_t *ip) {
++ ARG_CHECK1(ip, 0);
++
++ if(sfip_family(ip) == AF_INET) return 4;
++ return 16;
++}
++#endif
++
++/* Support function */
++// note that an ip6 address may have a trailing dotted quad form
++// but that it always has at least 2 ':'s; furthermore there is
++// no valid ip4 format (including mask) with 2 ':'s
++// we don't have to figure out if the format is entirely legal
++// we just have to be able to tell correct formats apart
++static inline int sfip_str_to_fam(const char *str) {
++ const char* s;
++ ARG_CHECK1(str, 0);
++ s = strchr(str, (int)':');
++ if ( s && strchr(s+1, (int)':') ) return AF_INET6;
++ if ( strchr(str, (int)'.') ) return AF_INET;
++ return AF_UNSPEC;
++}
++
++/* Place-holder allocation incase we want to do something more indepth later */
++static inline sfip_t *_sfip_alloc() {
++ /* Note: using calloc here instead of SnortAlloc since the dynamic libs
++ * can't presently resolve SnortAlloc */
++ return (sfip_t*)calloc(sizeof(sfip_t), 1);
++}
++
++/* Masks off 'val' bits from the IP contained within 'ip' */
++static inline int sfip_cidr_mask(sfip_t *ip, int val) {
++ int i;
++ unsigned int mask = 0;
++ unsigned int *p;
++ int index = (int)ceil(val / 32.0) - 1;
++
++ ARG_CHECK1(ip, SFIP_ARG_ERR);
++
++ p = ip->ip32;
++
++ if( val < 0 ||
++ ((sfip_family(ip) == AF_INET6) && val > 128) ||
++ ((sfip_family(ip) == AF_INET) && val > 32) ) {
++ return SFIP_ARG_ERR;
++ }
++
++ /* Build the netmask by converting "val" into
++ * the corresponding number of bits that are set */
++ for(i = 0; i < 32- (val - (index * 32)); i++)
++ mask = (mask<<1) + 1;
++
++ p[index] = htonl((ntohl(p[index]) & ~mask));
++
++ index++;
++
++ /* 0 off the rest of the IP */
++ for( ; index<4; index++) p[index] = 0;
++
++ return SFIP_SUCCESS;
++}
++
++/* Allocate IP address from a character array describing the IP */
++sfip_t *sfip_alloc(const char *ip, SFIP_RET *status) {
++ SFIP_RET tmp;
++ sfip_t *ret;
++
++ if(!ip) {
++ if(status)
++ *status = SFIP_ARG_ERR;
++ return NULL;
++ }
++
++ if((ret = _sfip_alloc()) == NULL) {
++ if(status)
++ *status = SFIP_ALLOC_ERR;
++ return NULL;
++ }
++
++ if( (tmp = sfip_pton(ip, ret)) != SFIP_SUCCESS) {
++ if(status)
++ *status = tmp;
++
++ sfip_free(ret);
++ return NULL;
++ }
|
[-]
[+]
|
Added |
spp_ipv6_20120512.tar.bz2/include/decode.h
^
|
@@ -0,0 +1,2025 @@
+/*
+** Copyright (C) 2002-2012 Sourcefire, Inc.
+** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License Version 2 as
+** published by the Free Software Foundation. You may not use, modify or
+** distribute this program under any other version of the GNU General
+** Public License.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+/* $Id$ */
+
+#ifndef __DECODE_H__
+#define __DECODE_H__
+
+
+/* I N C L U D E S **********************************************************/
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <stddef.h>
+#include <sys/types.h>
+
+#ifndef WIN32
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <net/if.h>
+#else /* !WIN32 */
+#include <netinet/in_systm.h>
+#ifndef IFNAMSIZ
+#define IFNAMESIZ MAX_ADAPTER_NAME
+#endif /* !IFNAMSIZ */
+#endif /* !WIN32 */
+
+#include <daq.h>
+#include <sfbpf_dlt.h>
+
+#include "bitop.h"
+#include "ipv6_port.h"
+#include "sf_ip.h"
+#include "sf_protocols.h"
+#include "sfdaq.h"
+#include "util.h"
+
+/* D E F I N E S ************************************************************/
+
+#define ETHERNET_MTU 1500
+#define ETHERNET_TYPE_IP 0x0800
+#define ETHERNET_TYPE_ARP 0x0806
+#define ETHERNET_TYPE_REVARP 0x8035
+#define ETHERNET_TYPE_EAPOL 0x888e
+#define ETHERNET_TYPE_IPV6 0x86dd
+#define ETHERNET_TYPE_IPX 0x8137
+#define ETHERNET_TYPE_PPPoE_DISC 0x8863 /* discovery stage */
+#define ETHERNET_TYPE_PPPoE_SESS 0x8864 /* session stage */
+#define ETHERNET_TYPE_8021Q 0x8100
+#define ETHERNET_TYPE_LOOP 0x9000
+#define ETHERNET_TYPE_MPLS_UNICAST 0x8847
+#define ETHERNET_TYPE_MPLS_MULTICAST 0x8848
+
+#define ETH_DSAP_SNA 0x08 /* SNA */
+#define ETH_SSAP_SNA 0x00 /* SNA */
+#define ETH_DSAP_STP 0x42 /* Spanning Tree Protocol */
+#define ETH_SSAP_STP 0x42 /* Spanning Tree Protocol */
+#define ETH_DSAP_IP 0xaa /* IP */
+#define ETH_SSAP_IP 0xaa /* IP */
+
+#define ETH_ORG_CODE_ETHR 0x000000 /* Encapsulated Ethernet */
+#define ETH_ORG_CODE_CDP 0x00000c /* Cisco Discovery Proto */
+
+#define ETHERNET_HEADER_LEN 14
+#define ETHERNET_MAX_LEN_ENCAP 1518 /* 802.3 (+LLC) or ether II ? */
+#define PPPOE_HEADER_LEN 6
+
+#define VLAN_HEADER_LEN 4
+
+#ifndef NO_NON_ETHER_DECODER
+#define MINIMAL_TOKENRING_HEADER_LEN 22
+#define MINIMAL_IEEE80211_HEADER_LEN 10 /* Ack frames and others */
+#define IEEE802_11_DATA_HDR_LEN 24 /* Header for data packets */
+#define TR_HLEN MINIMAL_TOKENRING_HEADER_LEN
+#define TOKENRING_LLC_LEN 8
+#define SLIP_HEADER_LEN 16
+
+/* Frame type/subype combinations with version = 0 */
+ /*** FRAME TYPE ***** HEX **** SUBTYPE TYPE DESCRIPT ********/
+#define WLAN_TYPE_MGMT_ASREQ 0x0 /* 0000 00 Association Req */
+#define WLAN_TYPE_MGMT_ASRES 0x10 /* 0001 00 Assocaition Res */
+#define WLAN_TYPE_MGMT_REREQ 0x20 /* 0010 00 Reassoc. Req. */
+#define WLAN_TYPE_MGMT_RERES 0x30 /* 0011 00 Reassoc. Resp. */
+#define WLAN_TYPE_MGMT_PRREQ 0x40 /* 0100 00 Probe Request */
+#define WLAN_TYPE_MGMT_PRRES 0x50 /* 0101 00 Probe Response */
+#define WLAN_TYPE_MGMT_BEACON 0x80 /* 1000 00 Beacon */
+#define WLAN_TYPE_MGMT_ATIM 0x90 /* 1001 00 ATIM message */
+#define WLAN_TYPE_MGMT_DIS 0xa0 /* 1010 00 Disassociation */
+#define WLAN_TYPE_MGMT_AUTH 0xb0 /* 1011 00 Authentication */
+#define WLAN_TYPE_MGMT_DEAUTH 0xc0 /* 1100 00 Deauthentication*/
+
+#define WLAN_TYPE_CONT_PS 0xa4 /* 1010 01 Power Save */
+#define WLAN_TYPE_CONT_RTS 0xb4 /* 1011 01 Request to send */
+#define WLAN_TYPE_CONT_CTS 0xc4 /* 1100 01 Clear to sene */
+#define WLAN_TYPE_CONT_ACK 0xd4 /* 1101 01 Acknowledgement */
+#define WLAN_TYPE_CONT_CFE 0xe4 /* 1110 01 Cont. Free end */
+#define WLAN_TYPE_CONT_CFACK 0xf4 /* 1111 01 CF-End + CF-Ack */
+
+#define WLAN_TYPE_DATA_DATA 0x08 /* 0000 10 Data */
+#define WLAN_TYPE_DATA_DTCFACK 0x18 /* 0001 10 Data + CF-Ack */
+#define WLAN_TYPE_DATA_DTCFPL 0x28 /* 0010 10 Data + CF-Poll */
+#define WLAN_TYPE_DATA_DTACKPL 0x38 /* 0011 10 Data+CF-Ack+CF-Pl */
+#define WLAN_TYPE_DATA_NULL 0x48 /* 0100 10 Null (no data) */
+#define WLAN_TYPE_DATA_CFACK 0x58 /* 0101 10 CF-Ack (no data)*/
+#define WLAN_TYPE_DATA_CFPL 0x68 /* 0110 10 CF-Poll (no data)*/
+#define WLAN_TYPE_DATA_ACKPL 0x78 /* 0111 10 CF-Ack+CF-Poll */
+
+/*** Flags for IEEE 802.11 Frame Control ***/
+/* The following are designed to be bitwise-AND-d in an 8-bit u_char */
+#define WLAN_FLAG_TODS 0x0100 /* To DS Flag 10000000 */
+#define WLAN_FLAG_FROMDS 0x0200 /* From DS Flag 01000000 */
+#define WLAN_FLAG_FRAG 0x0400 /* More Frag 00100000 */
+#define WLAN_FLAG_RETRY 0x0800 /* Retry Flag 00010000 */
+#define WLAN_FLAG_PWRMGMT 0x1000 /* Power Mgmt. 00001000 */
+#define WLAN_FLAG_MOREDAT 0x2000 /* More Data 00000100 */
+#define WLAN_FLAG_WEP 0x4000 /* Wep Enabled 00000010 */
+#define WLAN_FLAG_ORDER 0x8000 /* Strict Order 00000001 */
+
+/* IEEE 802.1x eapol types */
+#define EAPOL_TYPE_EAP 0x00 /* EAP packet */
+#define EAPOL_TYPE_START 0x01 /* EAPOL start */
+#define EAPOL_TYPE_LOGOFF 0x02 /* EAPOL Logoff */
+#define EAPOL_TYPE_KEY 0x03 /* EAPOL Key */
+#define EAPOL_TYPE_ASF 0x04 /* EAPOL Encapsulated ASF-Alert */
+
+/* Extensible Authentication Protocol Codes RFC 2284*/
+#define EAP_CODE_REQUEST 0x01
+#define EAP_CODE_RESPONSE 0x02
+#define EAP_CODE_SUCCESS 0x03
+#define EAP_CODE_FAILURE 0x04
+/* EAP Types */
+#define EAP_TYPE_IDENTITY 0x01
+#define EAP_TYPE_NOTIFY 0x02
+#define EAP_TYPE_NAK 0x03
+#define EAP_TYPE_MD5 0x04
+#define EAP_TYPE_OTP 0x05
+#define EAP_TYPE_GTC 0x06
+#define EAP_TYPE_TLS 0x0d
+#endif // NO_NON_ETHER_DECODER
+
+/* Cisco HDLC header values */
+#define CHDLC_HEADER_LEN 4
+#define CHDLC_ADDR_UNICAST 0x0f
+#define CHDLC_ADDR_MULTICAST 0x8f
+#define CHDLC_ADDR_BROADCAST 0xff
+#define CHDLC_CTRL_UNNUMBERED 0x03
+
+/* Teredo values */
+#define TEREDO_PORT 3544
+#define TEREDO_INDICATOR_ORIGIN 0x00
+#define TEREDO_INDICATOR_ORIGIN_LEN 8
+#define TEREDO_INDICATOR_AUTH 0x01
+#define TEREDO_INDICATOR_AUTH_MIN_LEN 13
+#define TEREDO_MIN_LEN 2
+
+/* GTP values */
+
+#define GTP_MIN_LEN 8
+#define GTP_V0_HEADER_LEN 20
+#define GTP_V1_HEADER_LEN 12
+/* ESP constants */
+#define ESP_HEADER_LEN 8
+#define ESP_AUTH_DATA_LEN 12
+#define ESP_TRAILER_LEN 2
+
+#define MAX_PORTS 65536
+
+/* ppp header structure
+ *
+ * Actually, this is the header for RFC1332 Section 3
+ * IPCP Configuration Options for sending IP datagrams over a PPP link
+ *
+ */
+struct ppp_header {
+ unsigned char address;
+ unsigned char control;
+ unsigned short protocol;
+};
+
+#ifndef PPP_HDRLEN
+ #define PPP_HDRLEN sizeof(struct ppp_header)
+#endif
+
+#define PPP_IP 0x0021 /* Internet Protocol */
+#define PPP_VJ_COMP 0x002d /* VJ compressed TCP/IP */
+#define PPP_VJ_UCOMP 0x002f /* VJ uncompressed TCP/IP */
+#define PPP_IPX 0x002b /* Novell IPX Protocol */
+
+/* otherwise defined in /usr/include/ppp_defs.h */
+#ifndef PPP_MTU
+ #define PPP_MTU 1500
+#endif
+
+/* NULL aka LoopBack interfaces */
+#define NULL_HDRLEN 4
+
+/* enc interface */
+struct enc_header {
+ uint32_t af;
+ uint32_t spi;
+ uint32_t flags;
+};
+#define ENC_HEADER_LEN 12
+
+/* otherwise defined in /usr/include/ppp_defs.h */
+#define IP_HEADER_LEN 20
+#define TCP_HEADER_LEN 20
+#define UDP_HEADER_LEN 8
+#define ICMP_HEADER_LEN 4
+#define ICMP_NORMAL_LEN 8
+
+#define IP_OPTMAX 40
+#define IP6_EXTMAX 8
+#define TCP_OPTLENMAX 40 /* (((2^4) - 1) * 4 - TCP_HEADER_LEN) */
+
+#define LOG_FUNC_MAX 32
+
+#ifndef IP_MAXPACKET
+#define IP_MAXPACKET 65535 /* maximum packet size */
+#endif /* IP_MAXPACKET */
+
+
+/* http://www.iana.org/assignments/ipv6-parameters
+ *
+ * IPv6 Options (not Extension Headers)
+ */
+#define IP6_OPT_TUNNEL_ENCAP 0x04
+#define IP6_OPT_QUICK_START 0x06
+#define IP6_OPT_CALIPSO 0x07
+#define IP6_OPT_HOME_ADDRESS 0xC9
+#define IP6_OPT_ENDPOINT_IDENT 0x8A
+
+// these are bits in th_flags:
+#define TH_FIN 0x01
+#define TH_SYN 0x02
+#define TH_RST 0x04
+#define TH_PUSH 0x08
+#define TH_ACK 0x10
+#define TH_URG 0x20
+#define TH_ECE 0x40
+#define TH_CWR 0x80
+#define TH_RES2 TH_ECE // TBD TH_RES* should be deleted (see log.c)
+#define TH_RES1 TH_CWR
+#define TH_NORESERVED (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG)
+
+// these are bits in th_offx2:
+#define TH_RSV 0x0E // reserved bits
+#define TH_NS 0x01 // ECN nonce bit
+
+/* http://www.iana.org/assignments/tcp-parameters
+ *
+ * tcp options stuff. used to be in <netinet/tcp.h> but it breaks
+ * things on AIX
+ */
+#define TCPOPT_EOL 0 /* End of Option List [RFC793] */
+#define TCPOLEN_EOL 1 /* Always one byte */
+
+#define TCPOPT_NOP 1 /* No-Option [RFC793] */
+#define TCPOLEN_NOP 1 /* Always one byte */
+
+#define TCPOPT_MAXSEG 2 /* Maximum Segment Size [RFC793] */
+#define TCPOLEN_MAXSEG 4 /* Always 4 bytes */
+
+#define TCPOPT_WSCALE 3 /* Window scaling option [RFC1323] */
+#define TCPOLEN_WSCALE 3 /* 1 byte with logarithmic values */
+
+#define TCPOPT_SACKOK 4 /* Experimental [RFC2018]*/
+#define TCPOLEN_SACKOK 2
+
+#define TCPOPT_SACK 5 /* Experimental [RFC2018] variable length */
+
+#define TCPOPT_ECHO 6 /* Echo (obsoleted by option 8) [RFC1072] */
+#define TCPOLEN_ECHO 6 /* 6 bytes */
+
+#define TCPOPT_ECHOREPLY 7 /* Echo Reply (obsoleted by option 8)[RFC1072] */
+#define TCPOLEN_ECHOREPLY 6 /* 6 bytes */
+
+#define TCPOPT_TIMESTAMP 8 /* Timestamp [RFC1323], 10 bytes */
+#define TCPOLEN_TIMESTAMP 10
+
+#define TCPOPT_PARTIAL_PERM 9 /* Partial Order Permitted/ Experimental [RFC1693] */
+#define TCPOLEN_PARTIAL_PERM 2 /* Partial Order Permitted/ Experimental [RFC1693] */
+
+#define TCPOPT_PARTIAL_SVC 10 /* Partial Order Profile [RFC1693] */
+#define TCPOLEN_PARTIAL_SVC 3 /* 3 bytes long -- Experimental */
+
+/* atleast decode T/TCP options... */
+#define TCPOPT_CC 11 /* T/TCP Connection count [RFC1644] */
+#define TCPOPT_CC_NEW 12 /* CC.NEW [RFC1644] */
+#define TCPOPT_CC_ECHO 13 /* CC.ECHO [RFC1644] */
+#define TCPOLEN_CC 6 /* page 17 of rfc1644 */
+#define TCPOLEN_CC_NEW 6 /* page 17 of rfc1644 */
+#define TCPOLEN_CC_ECHO 6 /* page 17 of rfc1644 */
+
+#define TCPOPT_ALTCSUM 15 /* TCP Alternate Checksum Data [RFC1146], variable length */
+#define TCPOPT_SKEETER 16 /* Skeeter [Knowles] */
+#define TCPOPT_BUBBA 17 /* Bubba [Knowles] */
+
+#define TCPOPT_TRAILER_CSUM 18 /* Trailer Checksum Option [Subbu & Monroe] */
+#define TCPOLEN_TRAILER_CSUM 3
+
+#define TCPOPT_MD5SIG 19 /* MD5 Signature Option [RFC2385] */
+#define TCPOLEN_MD5SIG 18
+
+/* Space Communications Protocol Standardization */
+#define TCPOPT_SCPS 20 /* Capabilities [Scott] */
+#define TCPOPT_SELNEGACK 21 /* Selective Negative Acknowledgements [Scott] */
+#define TCPOPT_RECORDBOUND 22 /* Record Boundaries [Scott] */
+#define TCPOPT_CORRUPTION 23 /* Corruption experienced [Scott] */
+
+#define TCPOPT_SNAP 24 /* SNAP [Sukonnik] -- anyone have info?*/
+#define TCPOPT_UNASSIGNED 25 /* Unassigned (released 12/18/00) */
+#define TCPOPT_COMPRESSION 26 /* TCP Compression Filter [Bellovin] */
+/* http://www.research.att.com/~smb/papers/draft-bellovin-tcpcomp-00.txt*/
+
+#define TCP_OPT_TRUNC -1
+#define TCP_OPT_BADLEN -2
+
+/* Why are these lil buggers here? Never Used. -- cmg */
+#define TCPOLEN_TSTAMP_APPA (TCPOLEN_TIMESTAMP+2) /* appendix A / rfc 1323 */
+#define TCPOPT_TSTAMP_HDR \
+ (TCPOPT_NOP<<24|TCPOPT_NOP<<16|TCPOPT_TIMESTAMP<<8|TCPOLEN_TIMESTAMP)
+
+/*
+ * Default maximum segment size for TCP.
+ * With an IP MSS of 576, this is 536,
+ * but 512 is probably more convenient.
+ * This should be defined as MIN(512, IP_MSS - sizeof (struct tcpiphdr)).
+ */
+
+#ifndef TCP_MSS
+ #define TCP_MSS 512
+#endif
+
+#ifndef TCP_MAXWIN
+ #define TCP_MAXWIN 65535 /* largest value for (unscaled) window */
+#endif
+
+#ifndef TCP_MAX_WINSHIFT
+ #define TCP_MAX_WINSHIFT 14 /* maximum window shift */
+#endif
+
+/*
+ * User-settable options (used with setsockopt).
+ */
+#ifndef TCP_NODELAY
+ #define TCP_NODELAY 0x01 /* don't delay send to coalesce packets */
+#endif
+
+#ifndef TCP_MAXSEG
+ #define TCP_MAXSEG 0x02 /* set maximum segment size */
+#endif
+
+#define SOL_TCP 6 /* TCP level */
+
+
+
+#define L2TP_PORT 1701
+#define DHCP_CLIENT_PORT 68
+#define DHCP_SERVER_PORT 67
+
+#ifndef NO_NON_ETHER_DECODER
+/* Start Token Ring */
+#define TR_ALEN 6 /* octets in an Ethernet header */
+#define IPARP_SAP 0xaa
+
+#define AC 0x10
+#define LLC_FRAME 0x40
+
+#define TRMTU 2000 /* 2000 bytes */
+#define TR_RII 0x80
+#define TR_RCF_DIR_BIT 0x80
+#define TR_RCF_LEN_MASK 0x1f00
+#define TR_RCF_BROADCAST 0x8000 /* all-routes broadcast */
+#define TR_RCF_LIMITED_BROADCAST 0xC000 /* single-route broadcast */
+#define TR_RCF_FRAME2K 0x20
+#define TR_RCF_BROADCAST_MASK 0xC000
+/* End Token Ring */
+
+/* Start FDDI */
+#define FDDI_ALLC_LEN 13
+#define FDDI_ALEN 6
+#define FDDI_MIN_HLEN (FDDI_ALLC_LEN + 3)
+
+#define FDDI_DSAP_SNA 0x08 /* SNA */
+#define FDDI_SSAP_SNA 0x00 /* SNA */
+#define FDDI_DSAP_STP 0x42 /* Spanning Tree Protocol */
+#define FDDI_SSAP_STP 0x42 /* Spanning Tree Protocol */
+#define FDDI_DSAP_IP 0xaa /* IP */
+#define FDDI_SSAP_IP 0xaa /* IP */
+
+#define FDDI_ORG_CODE_ETHR 0x000000 /* Encapsulated Ethernet */
+#define FDDI_ORG_CODE_CDP 0x00000c /* Cisco Discovery
+ * Proto(?) */
+
+#define ETHERNET_TYPE_CDP 0x2000 /* Cisco Discovery Protocol */
+/* End FDDI */
+#endif // NO_NON_ETHER_DECODER
+
+#define ARPOP_REQUEST 1 /* ARP request */
+#define ARPOP_REPLY 2 /* ARP reply */
+#define ARPOP_RREQUEST 3 /* RARP request */
+#define ARPOP_RREPLY 4 /* RARP reply */
+
+/* PPPoE types */
+#define PPPoE_CODE_SESS 0x00 /* PPPoE session */
+#define PPPoE_CODE_PADI 0x09 /* PPPoE Active Discovery Initiation */
+#define PPPoE_CODE_PADO 0x07 /* PPPoE Active Discovery Offer */
+#define PPPoE_CODE_PADR 0x19 /* PPPoE Active Discovery Request */
+#define PPPoE_CODE_PADS 0x65 /* PPPoE Active Discovery Session-confirmation */
+#define PPPoE_CODE_PADT 0xa7 /* PPPoE Active Discovery Terminate */
+
+/* PPPoE tag types */
+#define PPPoE_TAG_END_OF_LIST 0x0000
+#define PPPoE_TAG_SERVICE_NAME 0x0101
+#define PPPoE_TAG_AC_NAME 0x0102
+#define PPPoE_TAG_HOST_UNIQ 0x0103
+#define PPPoE_TAG_AC_COOKIE 0x0104
+#define PPPoE_TAG_VENDOR_SPECIFIC 0x0105
+#define PPPoE_TAG_RELAY_SESSION_ID 0x0110
+#define PPPoE_TAG_SERVICE_NAME_ERROR 0x0201
+#define PPPoE_TAG_AC_SYSTEM_ERROR 0x0202
+#define PPPoE_TAG_GENERIC_ERROR 0x0203
+
+
+#define ICMP_ECHOREPLY 0 /* Echo Reply */
+#define ICMP_DEST_UNREACH 3 /* Destination Unreachable */
+#define ICMP_SOURCE_QUENCH 4 /* Source Quench */
+#define ICMP_REDIRECT 5 /* Redirect (change route) */
+#define ICMP_ECHO 8 /* Echo Request */
+#define ICMP_ROUTER_ADVERTISE 9 /* Router Advertisement */
+#define ICMP_ROUTER_SOLICIT 10 /* Router Solicitation */
+#define ICMP_TIME_EXCEEDED 11 /* Time Exceeded */
+#define ICMP_PARAMETERPROB 12 /* Parameter Problem */
+#define ICMP_TIMESTAMP 13 /* Timestamp Request */
+#define ICMP_TIMESTAMPREPLY 14 /* Timestamp Reply */
+#define ICMP_INFO_REQUEST 15 /* Information Request */
+#define ICMP_INFO_REPLY 16 /* Information Reply */
+#define ICMP_ADDRESS 17 /* Address Mask Request */
+#define ICMP_ADDRESSREPLY 18 /* Address Mask Reply */
+#define NR_ICMP_TYPES 18
+
+/* Codes for ICMP UNREACHABLES */
+#define ICMP_NET_UNREACH 0 /* Network Unreachable */
+#define ICMP_HOST_UNREACH 1 /* Host Unreachable */
+#define ICMP_PROT_UNREACH 2 /* Protocol Unreachable */
+#define ICMP_PORT_UNREACH 3 /* Port Unreachable */
+#define ICMP_FRAG_NEEDED 4 /* Fragmentation Needed/DF set */
+#define ICMP_SR_FAILED 5 /* Source Route failed */
+#define ICMP_NET_UNKNOWN 6
+#define ICMP_HOST_UNKNOWN 7
+#define ICMP_HOST_ISOLATED 8
+#define ICMP_PKT_FILTERED_NET 9
+#define ICMP_PKT_FILTERED_HOST 10
+#define ICMP_NET_UNR_TOS 11
+#define ICMP_HOST_UNR_TOS 12
+#define ICMP_PKT_FILTERED 13 /* Packet filtered */
+#define ICMP_PREC_VIOLATION 14 /* Precedence violation */
+#define ICMP_PREC_CUTOFF 15 /* Precedence cut off */
+#define NR_ICMP_UNREACH 15 /* instead of hardcoding immediate
+ * value */
+
+#define ICMP_REDIR_NET 0
+#define ICMP_REDIR_HOST 1
+#define ICMP_REDIR_TOS_NET 2
+#define ICMP_REDIR_TOS_HOST 3
+
+#define ICMP_TIMEOUT_TRANSIT 0
+#define ICMP_TIMEOUT_REASSY 1
+
+#define ICMP_PARAM_BADIPHDR 0
+#define ICMP_PARAM_OPTMISSING 1
+#define ICMP_PARAM_BAD_LENGTH 2
+
+/* ip option type codes */
+#ifndef IPOPT_EOL
+ #define IPOPT_EOL 0x00
+#endif
+
+#ifndef IPOPT_NOP
+ #define IPOPT_NOP 0x01
+#endif
+
+#ifndef IPOPT_RR
+ #define IPOPT_RR 0x07
+#endif
+
+#ifndef IPOPT_RTRALT
+ #define IPOPT_RTRALT 0x94
+#endif
+
+#ifndef IPOPT_TS
+ #define IPOPT_TS 0x44
+#endif
+
+#ifndef IPOPT_SECURITY
+ #define IPOPT_SECURITY 0x82
+#endif
+
+#ifndef IPOPT_LSRR
+ #define IPOPT_LSRR 0x83
+#endif
+
+#ifndef IPOPT_LSRR_E
+ #define IPOPT_LSRR_E 0x84
+#endif
+
+#ifndef IPOPT_ESEC
+ #define IPOPT_ESEC 0x85
+#endif
+
+#ifndef IPOPT_SATID
+ #define IPOPT_SATID 0x88
+#endif
+
+#ifndef IPOPT_SSRR
+ #define IPOPT_SSRR 0x89
+#endif
+
+
+/* tcp option codes */
+#define TOPT_EOL 0x00
+#define TOPT_NOP 0x01
+#define TOPT_MSS 0x02
+#define TOPT_WS 0x03
+#define TOPT_TS 0x08
+#ifndef TCPOPT_WSCALE
+ #define TCPOPT_WSCALE 3 /* window scale factor (rfc1072) */
+#endif
+#ifndef TCPOPT_SACKOK
+ #define TCPOPT_SACKOK 4 /* selective ack ok (rfc1072) */
+#endif
+#ifndef TCPOPT_SACK
+ #define TCPOPT_SACK 5 /* selective ack (rfc1072) */
+#endif
+#ifndef TCPOPT_ECHO
+ #define TCPOPT_ECHO 6 /* echo (rfc1072) */
+#endif
+#ifndef TCPOPT_ECHOREPLY
+ #define TCPOPT_ECHOREPLY 7 /* echo (rfc1072) */
+#endif
+#ifndef TCPOPT_TIMESTAMP
+ #define TCPOPT_TIMESTAMP 8 /* timestamps (rfc1323) */
+#endif
+#ifndef TCPOPT_CC
+ #define TCPOPT_CC 11 /* T/TCP CC options (rfc1644) */
+#endif
+#ifndef TCPOPT_CCNEW
+ #define TCPOPT_CCNEW 12 /* T/TCP CC options (rfc1644) */
+#endif
+#ifndef TCPOPT_CCECHO
+ #define TCPOPT_CCECHO 13 /* T/TCP CC options (rfc1644) */
+#endif
+
+#define EXTRACT_16BITS(p) ((u_short) ntohs (*(u_short *)(p)))
+
+#ifdef WORDS_MUSTALIGN
+
+#if defined(__GNUC__)
+/* force word-aligned ntohl parameter */
+ #define EXTRACT_32BITS(p) ({ uint32_t __tmp; memmove(&__tmp, (p), sizeof(uint32_t)); (uint32_t) ntohl(__tmp);})
+#endif /* __GNUC__ */
+
+#else
+
+/* allows unaligned ntohl parameter - dies w/SIGBUS on SPARCs */
+ #define EXTRACT_32BITS(p) ((uint32_t) ntohl (*(uint32_t *)(p)))
+
+#endif /* WORDS_MUSTALIGN */
+
+/* packet status flags */
+#define PKT_REBUILT_FRAG 0x00000001 /* is a rebuilt fragment */
+#define PKT_REBUILT_STREAM 0x00000002 /* is a rebuilt stream */
+#define PKT_STREAM_UNEST_UNI 0x00000004 /* is from an unestablished stream and
+ * we've only seen traffic in one direction */
+#define PKT_STREAM_EST 0x00000008 /* is from an established stream */
+
+#define PKT_STREAM_INSERT 0x00000010 /* this packet has been queued for stream reassembly */
+#define PKT_STREAM_TWH 0x00000020 /* packet completes the 3-way handshake */
+#define PKT_FROM_SERVER 0x00000040 /* this packet came from the server
+ side of a connection (TCP) */
+#define PKT_FROM_CLIENT 0x00000080 /* this packet came from the client
+ side of a connection (TCP) */
+
+#define PKT_PDU_HEAD 0x00000100 /* start of PDU */
+#define PKT_PDU_TAIL 0x00000200 /* end of PDU */
+#define PKT_UNSURE_ENCAP 0x00000400 /* packet may have incorrect encapsulation layer. */
+ /* don't alert if "next layer" is invalid. */
+#define PKT_HTTP_DECODE 0x00000800 /* this packet has normalized http */
+
+#define PKT_IGNORE_PORT 0x00001000 /* this packet should be ignored, based on port */
+#define PKT_NO_DETECT 0x00002000 /* this packet should not be preprocessed */
+#define PKT_ALLOW_MULTIPLE_DETECT 0x00004000 /* packet has either pipelined mime attachements */
+ /* or pipeline http requests */
+#define PKT_PAYLOAD_OBFUSCATE 0x00008000
+
+#define PKT_STATELESS 0x00010000 /* Packet has matched a stateless rule */
+#define PKT_PASS_RULE 0x00020000 /* this packet has matched a pass rule */
+#define PKT_IP_RULE 0x00040000 /* this packet is being evaluated against an IP rule */
+#define PKT_IP_RULE_2ND 0x00080000 /* this packet is being evaluated against an IP rule */
+
+#define PKT_LOGGED 0x00100000 /* this packet has been logged */
+#define PKT_PSEUDO 0x00200000 /* is a pseudo packet */
+#define PKT_MODIFIED 0x00400000 /* packet had normalizations, etc. */
+#ifdef NORMALIZER
+#define PKT_RESIZED 0x00800000 /* packet has new size; must set modified too */
+#endif
+
+// neither of these flags will be set for (full) retransmissions or non-data segments
+// a partial overlap results in out of sequence condition
+// out of sequence condition is sticky
+#define PKT_STREAM_ORDER_OK 0x01000000 /* this segment is in order, w/o gaps */
+#define PKT_STREAM_ORDER_BAD 0x02000000 /* this stream had at last one gap */
+#define PKT_REASSEMBLED_OLD 0x04000000 /* for backwards compat with so rules */
+
+// 0x0F800000 are available
+
+#define PKT_PDU_FULL (PKT_PDU_HEAD | PKT_PDU_TAIL)
+
+#define REASSEMBLED_PACKET_FLAGS (PKT_REBUILT_STREAM|PKT_REASSEMBLED_OLD)
+
+typedef enum {
+ PSEUDO_PKT_IP,
+ PSEUDO_PKT_TCP,
+ PSEUDO_PKT_DCE_RPKT,
+ PSEUDO_PKT_SMB_SEG,
+ PSEUDO_PKT_DCE_SEG,
+ PSEUDO_PKT_DCE_FRAG,
+ PSEUDO_PKT_SMB_TRANS,
+ PSEUDO_PKT_PS,
+ PSEUDO_PKT_SDF,
+ PSEUDO_PKT_MAX
+} PseudoPacketType;
+
+/* error flags */
+#define PKT_ERR_CKSUM_IP 0x01
+#define PKT_ERR_CKSUM_TCP 0x02
+#define PKT_ERR_CKSUM_UDP 0x04
+#define PKT_ERR_CKSUM_ICMP 0x08
+#define PKT_ERR_CKSUM_IGMP 0x10
+#define PKT_ERR_CKSUM_ANY 0x1F
+#define PKT_ERR_BAD_TTL 0x20
+
+/* D A T A S T R U C T U R E S *********************************************/
+typedef int (*LogFunction)(void *ssnptr, uint8_t **buf, uint32_t *len, uint32_t *type);
+
+#ifndef NO_NON_ETHER_DECODER
+/* Start Token Ring Data Structures */
+
+#ifdef _MSC_VER
+ /* Visual C++ pragma to disable warning messages about nonstandard bit field type */
+ #pragma warning( disable : 4214 )
+#endif
+
+/* LLC structure */
+typedef struct _Trh_llc
+{
+ uint8_t dsap;
+ uint8_t ssap;
+ uint8_t protid[3];
+ uint16_t ethertype;
+} Trh_llc;
+
+/* RIF structure
+ * Linux/tcpdump patch defines tokenring header in dump way, since not
+ * every tokenring header with have RIF data... we define it separately, and
+ * a bit more split up
+ */
+
+#ifdef _MSC_VER
+ /* Visual C++ pragma to disable warning messages about nonstandard bit field type */
+ #pragma warning( disable : 4214 )
+#endif
+
+
+/* These are macros to use the bitlevel accesses in the Trh_Mr header
+
+ they haven't been tested and they aren't used much so here is a
+ listing of what used to be there
+
+ #if defined(WORDS_BIGENDIAN)
+ uint16_t bcast:3, len:5, dir:1, lf:3, res:4;
+ #else
+ uint16_t len:5, length of RIF field, including RC itself
+ bcast:3, broadcast indicator
+ res:4, reserved
+ lf:3, largest frame size
+ dir:1; direction
+*/
+
+#define TRH_MR_BCAST(trhmr) ((ntohs((trhmr)->bcast_len_dir_lf_res) & 0xe000) >> 13)
+#define TRH_MR_LEN(trhmr) ((ntohs((trhmr)->bcast_len_dir_lf_res) & 0x1F00) >> 8)
+#define TRH_MR_DIR(trhmr) ((ntohs((trhmr)->bcast_len_dir_lf_res) & 0x0080) >> 8)
+#define TRH_MR_LF(trhmr) ((ntohs((trhmr)->bcast_len_dir_lf_res) & 0x0070) >> 7)
+#define TRH_MR_RES(trhmr) ((ntohs((trhmr)->bcast_len_dir_lf_res) & 0x000F))
+
+typedef struct _Trh_mr
+{
+ uint16_t bcast_len_dir_lf_res; /* broadcast/res/framesize/direction */
+ uint16_t rseg[8];
+} Trh_mr;
+#ifdef _MSC_VER
+ /* Visual C++ pragma to enable warning messages about nonstandard bit field type */
+ #pragma warning( default : 4214 )
+#endif
+
+
+typedef struct _Trh_hdr
+{
+ uint8_t ac; /* access control field */
+ uint8_t fc; /* frame control field */
+ uint8_t daddr[TR_ALEN]; /* src address */
+ uint8_t saddr[TR_ALEN]; /* dst address */
+} Trh_hdr;
+
+#ifdef WIN32
+ /* Visual C++ pragma to enable warning messages about nonstandard bit field type */
+ #pragma warning( default : 4214 )
+#endif
+/* End Token Ring Data Structures */
+
+
+/* Start FDDI Data Structures */
+
+/* FDDI header is always this: -worm5er */
+typedef struct _Fddi_hdr
+{
+ uint8_t fc; /* frame control field */
+ uint8_t daddr[FDDI_ALEN]; /* src address */
+ uint8_t saddr[FDDI_ALEN]; /* dst address */
+} Fddi_hdr;
+
+/* splitting the llc up because of variable lengths of the LLC -worm5er */
+typedef struct _Fddi_llc_saps
+{
+ uint8_t dsap;
+ uint8_t ssap;
+} Fddi_llc_saps;
+
+/* I've found sna frames have two addition bytes after the llc saps -worm5er */
+typedef struct _Fddi_llc_sna
+{
+ uint8_t ctrl_fld[2];
+} Fddi_llc_sna;
+
+/* I've also found other frames that seem to have only one byte... We're only
+really intersted in the IP data so, until we want other, I'm going to say
+the data is one byte beyond this frame... -worm5er */
+typedef struct _Fddi_llc_other
+{
+ uint8_t ctrl_fld[1];
+} Fddi_llc_other;
+
+/* Just like TR the ip/arp data is setup as such: -worm5er */
+typedef struct _Fddi_llc_iparp
+{
+ uint8_t ctrl_fld;
+ uint8_t protid[3];
+ uint16_t ethertype;
+} Fddi_llc_iparp;
+
+/* End FDDI Data Structures */
+
+
+/* 'Linux cooked captures' data
+ * (taken from tcpdump source).
+ */
+
+#define SLL_HDR_LEN 16 /* total header length */
+#define SLL_ADDRLEN 8 /* length of address field */
+typedef struct _SLLHdr {
+ uint16_t sll_pkttype; /* packet type */
+ uint16_t sll_hatype; /* link-layer address type */
+ uint16_t sll_halen; /* link-layer address length */
+ uint8_t sll_addr[SLL_ADDRLEN]; /* link-layer address */
+ uint16_t sll_protocol; /* protocol */
+} SLLHdr;
+
+
+/*
+ * Snort supports 3 versions of the OpenBSD pflog header:
+ *
+ * Pflog1_Hdr: CVS = 1.3, DLT_OLD_PFLOG = 17, Length = 28
+ * Pflog2_Hdr: CVS = 1.8, DLT_PFLOG = 117, Length = 48
+ * Pflog3_Hdr: CVS = 1.12, DLT_PFLOG = 117, Length = 64
+ *
+ * Since they have the same DLT, Pflog{2,3}Hdr are distinguished
+ * by their actual length. The minimum required length excludes
+ * padding.
+ */
+/* Old OpenBSD pf firewall pflog0 header
+ * (information from pf source in kernel)
+ * the rule, reason, and action codes tell why the firewall dropped it -fleck
+ */
+
+typedef struct _Pflog1_hdr
+{
+ uint32_t af;
+ char intf[IFNAMSIZ];
+ int16_t rule;
+ uint16_t reason;
+ uint16_t action;
+ uint16_t dir;
+} Pflog1Hdr;
+
+#define PFLOG1_HDRLEN (sizeof(struct _Pflog1_hdr))
+
+/*
+ * Note that on OpenBSD, af type is sa_family_t. On linux, that's an unsigned
+ * short, but on OpenBSD, that's a uint8_t, so we should explicitly use uint8_t
+ * here. - ronaldo
+ */
+
+#define PFLOG_RULELEN 16
+#define PFLOG_PADLEN 3
+
+typedef struct _Pflog2_hdr
+{
+ int8_t length;
+ uint8_t af;
+ uint8_t action;
+ uint8_t reason;
+ char ifname[IFNAMSIZ];
+ char ruleset[PFLOG_RULELEN];
+ uint32_t rulenr;
+ uint32_t subrulenr;
+ uint8_t dir;
+ uint8_t pad[PFLOG_PADLEN];
+} Pflog2Hdr;
+
+#define PFLOG2_HDRLEN (sizeof(struct _Pflog2_hdr))
+#define PFLOG2_HDRMIN (PFLOG2_HDRLEN - PFLOG_PADLEN)
+
+typedef struct _Pflog3_hdr
+{
+ int8_t length;
+ uint8_t af;
+ uint8_t action;
+ uint8_t reason;
+ char ifname[IFNAMSIZ];
+ char ruleset[PFLOG_RULELEN];
+ uint32_t rulenr;
+ uint32_t subrulenr;
+ uint32_t uid;
+ uint32_t pid;
+ uint32_t rule_uid;
+ uint32_t rule_pid;
+ uint8_t dir;
+ uint8_t pad[PFLOG_PADLEN];
+} Pflog3Hdr;
+
+#define PFLOG3_HDRLEN (sizeof(struct _Pflog3_hdr))
+#define PFLOG3_HDRMIN (PFLOG3_HDRLEN - PFLOG_PADLEN)
+
+/*
+ * ssl_pkttype values.
+ */
+
+#define LINUX_SLL_HOST 0
+#define LINUX_SLL_BROADCAST 1
+#define LINUX_SLL_MULTICAST 2
+#define LINUX_SLL_OTHERHOST 3
+#define LINUX_SLL_OUTGOING 4
+
+/* ssl protocol values */
+
+#define LINUX_SLL_P_802_3 0x0001 /* Novell 802.3 frames without 802.2 LLC header */
+#define LINUX_SLL_P_802_2 0x0004 /* 802.2 frames (not D/I/X Ethernet) */
+#endif // NO_NON_ETHER_DECODER
+
+
+#ifdef _MSC_VER
+ /* Visual C++ pragma to disable warning messages
+ * about nonstandard bit field type
+ */
+ #pragma warning( disable : 4214 )
+#endif
+
+#define VTH_PRIORITY(vh) ((ntohs((vh)->vth_pri_cfi_vlan) & 0xe000) >> 13)
+#define VTH_CFI(vh) ((ntohs((vh)->vth_pri_cfi_vlan) & 0x0100) >> 12)
+#define VTH_VLAN(vh) ((unsigned short)(ntohs((vh)->vth_pri_cfi_vlan) & 0x0FFF))
+
+typedef struct _VlanTagHdr
+{
+ uint16_t vth_pri_cfi_vlan;
+ uint16_t vth_proto; /* protocol field... */
+} VlanTagHdr;
+#ifdef _MSC_VER
+ /* Visual C++ pragma to enable warning messages about nonstandard bit field type */
+ #pragma warning( default : 4214 )
+#endif
+
+
+typedef struct _EthLlc
+{
+ uint8_t dsap;
+ uint8_t ssap;
+} EthLlc;
+
+typedef struct _EthLlcOther
+{
+ uint8_t ctrl;
+ uint8_t org_code[3];
+ uint16_t proto_id;
+} EthLlcOther;
+
+/* We must twiddle to align the offset the ethernet header and align
+ * the IP header on solaris -- maybe this will work on HPUX too.
+ */
+#if defined (SOLARIS) || defined (SUNOS) || defined (__sparc__) || defined(__sparc64__) || defined (HPUX)
+#define SPARC_TWIDDLE 2
+#else
+#define SPARC_TWIDDLE 0
+#endif
+
+/*
+ * Ethernet header
+ */
+
+typedef struct _EtherHdr
+{
+ uint8_t ether_dst[6];
+ uint8_t ether_src[6];
+ uint16_t ether_type;
+
+} EtherHdr;
+
+
+#ifndef NO_NON_ETHER_DECODER
+/*
+ * Wireless Header (IEEE 802.11)
+ */
+typedef struct _WifiHdr
+{
+ uint16_t frame_control;
+ uint16_t duration_id;
+ uint8_t addr1[6];
+ uint8_t addr2[6];
+ uint8_t addr3[6];
+ uint16_t seq_control;
+ uint8_t addr4[6];
+} WifiHdr;
+#endif // NO_NON_ETHER_DECODER
+
+
+/* Can't add any fields not in the real header here
+ because of how the decoder uses structure overlaying */
+#ifdef _MSC_VER
+ /* Visual C++ pragma to disable warning messages
+ * about nonstandard bit field type
+ */
+ #pragma warning( disable : 4214 )
+#endif
+
+/* tcpdump shows us the way to cross platform compatibility */
+#define IP_VER(iph) (((iph)->ip_verhl & 0xf0) >> 4)
+#define IP_HLEN(iph) ((iph)->ip_verhl & 0x0f)
+
+/* we need to change them as well as get them */
+#define SET_IP_VER(iph, value) ((iph)->ip_verhl = (unsigned char)(((iph)->ip_verhl & 0x0f) | (value << 4)))
+#define SET_IP_HLEN(iph, value) ((iph)->ip_verhl = (unsigned char)(((iph)->ip_verhl & 0xf0) | (value & 0x0f)))
+
+#define NUM_IP_PROTOS 256
+
+/* Last updated 6/2/2010.
+ Source: http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml */
+#define MIN_UNASSIGNED_IP_PROTO 143
+
+#ifndef IPPROTO_SWIPE
+#define IPPROTO_SWIPE 53
+#endif
+#ifndef IPPROTO_IP_MOBILITY
+#define IPPROTO_IP_MOBILITY 55
+#endif
+#ifndef IPPROTO_SUN_ND
+#define IPPROTO_SUN_ND 77
+#endif
+#ifndef IPPROTO_PIM
+#define IPPROTO_PIM 103
+#endif
+#ifndef IPPROTO_PGM
+#define IPPROTO_PGM 113
+#endif
+
+typedef struct _IPHdr
+{
+ uint8_t ip_verhl; /* version & header length */
+ uint8_t ip_tos; /* type of service */
+ uint16_t ip_len; /* datagram length */
+ uint16_t ip_id; /* identification */
+ uint16_t ip_off; /* fragment offset */
+ uint8_t ip_ttl; /* time to live field */
+ uint8_t ip_proto; /* datagram protocol */
+ uint16_t ip_csum; /* checksum */
+ struct in_addr ip_src; /* source IP */
+ struct in_addr ip_dst; /* dest IP */
+} IPHdr;
+
+typedef struct _IPv4Hdr
+{
+ uint8_t ip_verhl; /* version & header length */
+ uint8_t ip_tos; /* type of service */
+ uint16_t ip_len; /* datagram length */
+ uint16_t ip_id; /* identification */
+ uint16_t ip_off; /* fragment offset */
+ uint8_t ip_ttl; /* time to live field */
+ uint8_t ip_proto; /* datagram protocol */
+ uint16_t ip_csum; /* checksum */
+ sfip_t ip_src; /* source IP */
+ sfip_t ip_dst; /* dest IP */
+} IP4Hdr;
+
+typedef struct _IPv6Hdr
+{
+ uint32_t vcl; /* version, class, and label */
+ uint16_t len; /* length of the payload */
+ uint8_t next; /* next header
+ * Uses the same flags as
+ * the IPv4 protocol field */
+ uint8_t hop_lmt; /* hop limit */
+ sfip_t ip_src;
+ sfip_t ip_dst;
+} IP6Hdr;
+
+/* IPv6 address */
+#ifndef s6_addr
+struct in6_addr
+{
+ union
+ {
+ uint8_t u6_addr8[16];
+ uint16_t u6_addr16[8];
+ uint32_t u6_addr32[4];
+ } in6_u;
+#define s6_addr in6_u.u6_addr8
+#define s6_addr16 in6_u.u6_addr16
+#define s6_addr32 in6_u.u6_addr32
+};
+#endif
+
+typedef struct _IP6RawHdr
+{
+ union
+ {
+ struct _IP6HdrCtl
+ {
+ uint32_t ip6_un1_flow; /* 4 bits version, 8 bits TC,
+ 20 bits flow-ID */
+ uint16_t ip6_un1_plen; /* payload length */
+ uint8_t ip6_un1_nxt; /* next header */
+ uint8_t ip6_un1_hlim; /* hop limit */
+ } IP6HdrCtl;
+ uint8_t ip6_un2_vfc; /* 4 bits version, top 4 bits tclass */
+ } IP6Ctl;
+
+ struct in6_addr ip6_src; /* source address */
+ struct in6_addr ip6_dst; /* destination address */
+} IP6RawHdr;
+
+#define ip6vfc IP6Ctl.ip6_un2_vfc
+#define ip6flow IP6Ctl.IP6HdrCtl.ip6_un1_flow
+#define ip6plen IP6Ctl.IP6HdrCtl.ip6_un1_plen
+#define ip6nxt IP6Ctl.IP6HdrCtl.ip6_un1_nxt
+#define ip6hlim IP6Ctl.IP6HdrCtl.ip6_un1_hlim
+#define ip6hops IP6Ctl.IP6HdrCtl.ip6_un1_hlim
+
+#define IP6_HDR_LEN 40
+
+#ifndef IP_PROTO_HOPOPTS
+# define IP_PROTO_HOPOPTS 0
+#endif
+
+#define IP_PROTO_NONE 59
+#define IP_PROTO_ROUTING 43
+#define IP_PROTO_FRAGMENT 44
+#define IP_PROTO_AH 51
+#define IP_PROTO_DSTOPTS 60
+#define IP_PROTO_ICMPV6 58
+#define IP_PROTO_IPV6 41
+#define IP_PROTO_IPIP 4
+
+#define IP6F_OFFSET_MASK 0xfff8 /* mask out offset from _offlg */
+#define IP6F_MF_MASK 0x0001 /* more-fragments flag */
+
+#define IP6F_OFFSET(fh) ((ntohs((fh)->ip6f_offlg) & IP6F_OFFSET_MASK) >> 3)
+#define IP6F_RES(fh) (fh)->ip6f_reserved
+#define IP6F_MF(fh) (ntohs((fh)->ip6f_offlg) & IP6F_MF_MASK )
+
+/* to store references to IP6 Extension Headers */
+typedef struct _IP6Option
+{
+ uint8_t type;
+ const uint8_t *data;
+} IP6Option;
+
+/* Generic Extension Header */
+typedef struct _IP6Extension
+{
+ uint8_t ip6e_nxt;
+ uint8_t ip6e_len;
+ /* options follow */
+ uint8_t ip6e_pad[6];
+} IP6Extension;
+
+typedef struct _IP6HopByHop
+{
+ uint8_t ip6hbh_nxt;
+ uint8_t ip6hbh_len;
+ /* options follow */
+ uint8_t ip6hbh_pad[6];
+} IP6HopByHop;
+
+typedef struct _IP6Dest
+{
+ uint8_t ip6dest_nxt;
+ uint8_t ip6dest_len;
+ /* options follow */
+ uint8_t ip6dest_pad[6];
+} IP6Dest;
+
+typedef struct _IP6Route
+{
+ uint8_t ip6rte_nxt;
+ uint8_t ip6rte_len;
+ uint8_t ip6rte_type;
+ uint8_t ip6rte_seg_left;
+ /* type specific data follows */
+} IP6Route;
+
+typedef struct _IP6Route0
+{
+ uint8_t ip6rte0_nxt;
+ uint8_t ip6rte0_len;
+ uint8_t ip6rte0_type;
+ uint8_t ip6rte0_seg_left;
+ uint8_t ip6rte0_reserved;
+ uint8_t ip6rte0_bitmap[3];
+ struct in6_addr ip6rte0_addr[1]; /* Up to 23 IP6 addresses */
+} IP6Route0;
+
+/* Fragment header */
+typedef struct _IP6Frag
+{
+ uint8_t ip6f_nxt; /* next header */
+ uint8_t ip6f_reserved; /* reserved field */
+ uint16_t ip6f_offlg; /* offset, reserved, and flag */
+ uint32_t ip6f_ident; /* identification */
+} IP6Frag;
+
+typedef struct _ICMP6
+{
+ uint8_t type;
+ uint8_t code;
+ uint16_t csum;
+
+} ICMP6Hdr;
+
+typedef struct _ICMP6TooBig
+{
+ uint8_t type;
+ uint8_t code;
+ uint16_t csum;
+ uint32_t mtu;
+} ICMP6TooBig;
+
+typedef struct _ICMP6RouterAdvertisement
+{
+ uint8_t type;
+ uint8_t code;
+ uint16_t csum;
+ uint8_t num_addrs;
+ uint8_t addr_entry_size;
+ uint16_t lifetime;
+ uint32_t reachable_time;
+ uint32_t retrans_time;
+} ICMP6RouterAdvertisement;
+
+typedef struct _ICMP6RouterSolicitation
+{
+ uint8_t type;
+ uint8_t code;
+ uint16_t csum;
+ uint32_t reserved;
+} ICMP6RouterSolicitation;
+
+#define ICMP6_UNREACH 1
+#define ICMP6_BIG 2
+#define ICMP6_TIME 3
+#define ICMP6_PARAMS 4
+#define ICMP6_ECHO 128
+#define ICMP6_REPLY 129
+#define ICMP6_SOLICITATION 133
+#define ICMP6_ADVERTISEMENT 134
+
+/* Minus 1 due to the 'body' field */
+#define ICMP6_MIN_HEADER_LEN (sizeof(ICMP6Hdr) )
+
+struct _Packet;
+
+/* IPHeader access calls */
+sfip_t * ip4_ret_src(const struct _Packet *);
+sfip_t * ip4_ret_dst(const struct _Packet *);
+uint16_t ip4_ret_tos(const struct _Packet *);
+uint8_t ip4_ret_ttl(const struct _Packet *);
+uint16_t ip4_ret_len(const struct _Packet *);
+uint32_t ip4_ret_id(const struct _Packet *);
+uint8_t ip4_ret_proto(const struct _Packet *);
+uint16_t ip4_ret_off(const struct _Packet *);
+uint8_t ip4_ret_ver(const struct _Packet *);
+uint8_t ip4_ret_hlen(const struct _Packet *);
+
+sfip_t * orig_ip4_ret_src(const struct _Packet *);
+sfip_t * orig_ip4_ret_dst(const struct _Packet *);
+uint16_t orig_ip4_ret_tos(const struct _Packet *);
+uint8_t orig_ip4_ret_ttl(const struct _Packet *);
+uint16_t orig_ip4_ret_len(const struct _Packet *);
+uint32_t orig_ip4_ret_id(const struct _Packet *);
+uint8_t orig_ip4_ret_proto(const struct _Packet *);
+uint16_t orig_ip4_ret_off(const struct _Packet *);
+uint8_t orig_ip4_ret_ver(const struct _Packet *);
+uint8_t orig_ip4_ret_hlen(const struct _Packet *);
+
+sfip_t * ip6_ret_src(const struct _Packet *);
+sfip_t * ip6_ret_dst(const struct _Packet *);
+uint16_t ip6_ret_toc(const struct _Packet *);
+uint8_t ip6_ret_hops(const struct _Packet *);
+uint16_t ip6_ret_len(const struct _Packet *);
+uint32_t ip6_ret_id(const struct _Packet *);
+uint8_t ip6_ret_next(const struct _Packet *);
+uint16_t ip6_ret_off(const struct _Packet *);
+uint8_t ip6_ret_ver(const struct _Packet *);
+uint8_t ip6_ret_hlen(const struct _Packet *);
+
+sfip_t * orig_ip6_ret_src(const struct _Packet *);
+sfip_t * orig_ip6_ret_dst(const struct _Packet *);
+uint16_t orig_ip6_ret_toc(const struct _Packet *);
+uint8_t orig_ip6_ret_hops(const struct _Packet *);
+uint16_t orig_ip6_ret_len(const struct _Packet *);
+uint32_t orig_ip6_ret_id(const struct _Packet *);
+uint8_t orig_ip6_ret_next(const struct _Packet *);
+uint16_t orig_ip6_ret_off(const struct _Packet *);
+uint8_t orig_ip6_ret_ver(const struct _Packet *);
+uint8_t orig_ip6_ret_hlen(const struct _Packet *);
+
+typedef struct _IPH_API
+{
+ sfip_t * (*iph_ret_src)(const struct _Packet *);
+ sfip_t * (*iph_ret_dst)(const struct _Packet *);
+ uint16_t (*iph_ret_tos)(const struct _Packet *);
+ uint8_t (*iph_ret_ttl)(const struct _Packet *);
+ uint16_t (*iph_ret_len)(const struct _Packet *);
+ uint32_t (*iph_ret_id)(const struct _Packet *);
+ uint8_t (*iph_ret_proto)(const struct _Packet *);
+ uint16_t (*iph_ret_off)(const struct _Packet *);
+ uint8_t (*iph_ret_ver)(const struct _Packet *);
+ uint8_t (*iph_ret_hlen)(const struct _Packet *);
+
+ sfip_t * (*orig_iph_ret_src)(const struct _Packet *);
+ sfip_t * (*orig_iph_ret_dst)(const struct _Packet *);
+ uint16_t (*orig_iph_ret_tos)(const struct _Packet *);
+ uint8_t (*orig_iph_ret_ttl)(const struct _Packet *);
+ uint16_t (*orig_iph_ret_len)(const struct _Packet *);
+ uint32_t (*orig_iph_ret_id)(const struct _Packet *);
+ uint8_t (*orig_iph_ret_proto)(const struct _Packet *);
+ uint16_t (*orig_iph_ret_off)(const struct _Packet *);
+ uint8_t (*orig_iph_ret_ver)(const struct _Packet *);
+ uint8_t (*orig_iph_ret_hlen)(const struct _Packet *);
+ char ver;
+} IPH_API;
+
+#ifdef SUP_IP6
+extern IPH_API ip4;
+extern IPH_API ip6;
+
+#define IPH_API_V4 4
+#define IPH_API_V6 6
+
+#define iph_is_valid(p) ((p)->family != NO_IP)
+#define NO_IP 0
+#endif
+
+#ifdef _MSC_VER
+ /* Visual C++ pragma to enable warning messages about nonstandard bit field type */
+ #pragma warning( default : 4214 )
+#endif
+
+
+/* Can't add any fields not in the real header here
+ because of how the decoder uses structure overlaying */
+#ifdef _MSC_VER
+ /* Visual C++ pragma to disable warning
+ * messages about nonstandard bit field type
+ */
+ #pragma warning( disable : 4214 )
+#endif
+
+#ifndef IPPROTO_IPIP
+#define IPPROTO_IPIP 4
+#endif
+
+/* GRE related stuff */
+typedef struct _GREHdr
+{
+ uint8_t flags;
+ uint8_t version;
+ uint16_t ether_type;
+
+} GREHdr;
+
+#ifdef GRE
+
+#ifndef IPPROTO_GRE
+#define IPPROTO_GRE 47
+#endif
+
+#define GRE_TYPE_TRANS_BRIDGING 0x6558
+#define GRE_TYPE_PPP 0x880B
+
+#define GRE_HEADER_LEN 4
+#define GRE_CHKSUM_LEN 2
+#define GRE_OFFSET_LEN 2
+#define GRE_KEY_LEN 4
+#define GRE_SEQ_LEN 4
+#define GRE_SRE_HEADER_LEN 4
+
+#define GRE_CHKSUM(x) (x->flags & 0x80)
+#define GRE_ROUTE(x) (x->flags & 0x40)
+#define GRE_KEY(x) (x->flags & 0x20)
+#define GRE_SEQ(x) (x->flags & 0x10)
+#define GRE_SSR(x) (x->flags & 0x08)
+#define GRE_RECUR(x) (x->flags & 0x07)
+#define GRE_VERSION(x) (x->version & 0x07)
+#define GRE_FLAGS(x) (x->version & 0xF8)
+#define GRE_PROTO(x) ntohs(x->ether_type)
+
+/* GRE version 1 used with PPTP */
+#define GRE_V1_HEADER_LEN 8
+#define GRE_V1_ACK_LEN 4
+#define GRE_V1_FLAGS(x) (x->version & 0x78)
+#define GRE_V1_ACK(x) (x->version & 0x80)
+
+#endif /* GRE */
+
+
+/* more macros for TCP offset */
+#define TCP_OFFSET(tcph) (((tcph)->th_offx2 & 0xf0) >> 4)
+#define TCP_X2(tcph) ((tcph)->th_offx2 & 0x0f)
+
+#define TCP_ISFLAGSET(tcph, flags) (((tcph)->th_flags & (flags)) == (flags))
+
+/* we need to change them as well as get them */
+#define SET_TCP_OFFSET(tcph, value) ((tcph)->th_offx2 = (unsigned char)(((tcph)->th_offx2 & 0x0f) | (value << 4)))
+#define SET_TCP_X2(tcph, value) ((tcph)->th_offx2 = (unsigned char)(((tcph)->th_offx2 & 0xf0) | (value & 0x0f)))
+
+typedef struct _TCPHdr
+{
+ uint16_t th_sport; /* source port */
+ uint16_t th_dport; /* destination port */
+ uint32_t th_seq; /* sequence number */
+ uint32_t th_ack; /* acknowledgement number */
+ uint8_t th_offx2; /* offset and reserved */
+ uint8_t th_flags;
+ uint16_t th_win; /* window */
+ uint16_t th_sum; /* checksum */
+ uint16_t th_urp; /* urgent pointer */
+
+} TCPHdr;
+#ifdef _MSC_VER
+ /* Visual C++ pragma to enable warning messages
+ * about nonstandard bit field type
+ */
+ #pragma warning( default : 4214 )
+#endif
+
+
+typedef struct _UDPHdr
+{
+ uint16_t uh_sport;
+ uint16_t uh_dport;
+ uint16_t uh_len;
+ uint16_t uh_chk;
+
+} UDPHdr;
+
+
+typedef struct _ICMPHdr
+{
+ uint8_t type;
+ uint8_t code;
+ uint16_t csum;
+ union
+ {
+ struct
+ {
+ uint8_t pptr;
+ uint8_t pres1;
+ uint16_t pres2;
+ } param;
+
+ struct in_addr gwaddr;
+
+ struct idseq
+ {
+ uint16_t id;
+ uint16_t seq;
+ } idseq;
+
+ uint32_t sih_void;
+
+ struct pmtu
+ {
+ uint16_t ipm_void;
+ uint16_t nextmtu;
+ } pmtu;
+
+ struct rtradv
+ {
+ uint8_t num_addrs;
+ uint8_t wpa;
+ uint16_t lifetime;
+ } rtradv;
+ } icmp_hun;
+
+#define s_icmp_pptr icmp_hun.param.pptr
+#define s_icmp_gwaddr icmp_hun.gwaddr
+#define s_icmp_id icmp_hun.idseq.id
+#define s_icmp_seq icmp_hun.idseq.seq
+#define s_icmp_void icmp_hun.sih_void
+#define s_icmp_pmvoid icmp_hun.pmtu.ipm_void
+#define s_icmp_nextmtu icmp_hun.pmtu.nextmtu
+#define s_icmp_num_addrs icmp_hun.rtradv.num_addrs
+#define s_icmp_wpa icmp_hun.rtradv.wpa
+#define s_icmp_lifetime icmp_hun.rtradv.lifetime
+
+ union
+ {
+ /* timestamp */
+ struct ts
+ {
+ uint32_t otime;
+ uint32_t rtime;
+ uint32_t ttime;
+ } ts;
+
+ /* IP header for unreach */
+ struct ih_ip
+ {
+ IPHdr *ip;
+ /* options and then 64 bits of data */
+ } ip;
+
+ struct ra_addr
+ {
+ uint32_t addr;
+ uint32_t preference;
+ } radv;
+
+ uint32_t mask;
+
+ char data[1];
+
+ } icmp_dun;
+#define s_icmp_otime icmp_dun.ts.otime
+#define s_icmp_rtime icmp_dun.ts.rtime
+#define s_icmp_ttime icmp_dun.ts.ttime
+#define s_icmp_ip icmp_dun.ih_ip
+#define s_icmp_radv icmp_dun.radv
+#define s_icmp_mask icmp_dun.mask
+#define s_icmp_data icmp_dun.data
+
+} ICMPHdr;
+
+
+typedef struct _ARPHdr
+{
+ uint16_t ar_hrd; /* format of hardware address */
+ uint16_t ar_pro; /* format of protocol address */
+ uint8_t ar_hln; /* length of hardware address */
+ uint8_t ar_pln; /* length of protocol address */
+ uint16_t ar_op; /* ARP opcode (command) */
+} ARPHdr;
+
+
+
+typedef struct _EtherARP
+{
+ ARPHdr ea_hdr; /* fixed-size header */
+ uint8_t arp_sha[6]; /* sender hardware address */
+ uint8_t arp_spa[4]; /* sender protocol address */
+ uint8_t arp_tha[6]; /* target hardware address */
+ uint8_t arp_tpa[4]; /* target protocol address */
+} EtherARP;
+
+
+#ifndef NO_NON_ETHER_DECODER
+typedef struct _EtherEapol
+{
+ uint8_t version; /* EAPOL proto version */
+ uint8_t eaptype; /* EAPOL Packet type */
+ uint16_t len; /* Packet body length */
+} EtherEapol;
+
+typedef struct _EAPHdr
+{
+ uint8_t code;
+ uint8_t id;
+ uint16_t len;
+} EAPHdr;
+
+typedef struct _EapolKey
+{
+ uint8_t type;
+ uint8_t length[2];
+ uint8_t counter[8];
+ uint8_t iv[16];
+ uint8_t index;
+ uint8_t sig[16];
+} EapolKey;
+#endif // NO_NON_ETHER_DECODER
+
+typedef struct _Options
+{
+ uint8_t code;
+ uint8_t len; /* length of the data section */
+ const uint8_t *data;
+} Options;
+
+/* PPPoEHdr Header; EtherHdr plus the PPPoE Header */
+typedef struct _PPPoEHdr
+{
+ unsigned char ver_type; /* pppoe version/type */
+ unsigned char code; /* pppoe code CODE_* */
+ unsigned short session; /* session id */
+ unsigned short length; /* payload length */
+ /* payload follows */
+} PPPoEHdr;
+
+/* PPPoE tag; the payload is a sequence of these */
+typedef struct _PPPoE_Tag
+{
+ unsigned short type; /* tag type TAG_* */
+ unsigned short length; /* tag length */
+ /* payload follows */
+} PPPoE_Tag;
+
+#define MPLS_HEADER_LEN 4
+#define NUM_RESERVED_LABELS 16
+
+typedef struct _MplsHdr
+{
+ uint32_t label;
+ uint8_t exp;
+ uint8_t bos;
+ uint8_t ttl;
+} MplsHdr;
+
+#define PGM_NAK_ERR -1
+#define PGM_NAK_OK 0
+#define PGM_NAK_VULN 1
+
+typedef struct _PGM_NAK_OPT
+{
+ uint8_t type; /* 02 = vuln */
+ uint8_t len;
+ uint8_t res[2];
+ uint32_t seq[1]; /* could be many many more, but 1 is sufficient */
+} PGM_NAK_OPT;
+
+typedef struct _PGM_NAK
+{
+ uint32_t seqnum;
+ uint16_t afil1;
+ uint16_t res1;
+ uint32_t src;
+ uint16_t afi2;
+ uint16_t res2;
+ uint32_t multi;
+ PGM_NAK_OPT opt;
+} PGM_NAK;
+
+typedef struct _PGM_HEADER
+{
+ uint16_t srcport;
+ uint16_t dstport;
+ uint8_t type;
+ uint8_t opt;
+ uint16_t checksum;
+ uint8_t gsd[6];
+ uint16_t length;
+ PGM_NAK nak;
+} PGM_HEADER;
+
+/* GTP basic Header */
+typedef struct _GTPHdr
+{
+ uint8_t flag; /* flag: version (bit 6-8), PT (5), E (3), S (2), PN (1) */
+ uint8_t type; /* message type */
+ uint16_t length; /* length */
+
+} GTPHdr;
+
+#define LAYER_MAX 32
+
+// REMEMBER match any changes you make here in:
+// dynamic-plugins/sf_engine/sf_snort_packet.h
+typedef struct _Packet
+{
+ const DAQ_PktHdr_t *pkth; // packet meta data
+ const uint8_t *pkt; // raw packet data
+
+ //vvv------------------------------------------------
+ // TODO convenience stuff to be refactored for layers
+ //^^^------------------------------------------------
+
+ //vvv-----------------------------
+ EtherARP *ah;
+ const EtherHdr *eh; /* standard TCP/IP/Ethernet/ARP headers */
+ const VlanTagHdr *vh;
+ EthLlc *ehllc;
+ EthLlcOther *ehllcother;
+ const PPPoEHdr *pppoeh; /* Encapsulated PPP of Ether header */
+ const GREHdr *greh;
+ uint32_t *mpls;
+
+ const IPHdr *iph, *orig_iph;/* and orig. headers for ICMP_*_UNREACH family */
+ const IPHdr *inner_iph; /* if IP-in-IP, this will be the inner IP header */
+ const IPHdr *outer_iph; /* if IP-in-IP, this will be the outer IP header */
+ const TCPHdr *tcph, *orig_tcph;
+ const UDPHdr *udph, *orig_udph;
+ const UDPHdr *inner_udph; /* if Teredo + UDP, this will be the inner UDP header */
+ const UDPHdr *outer_udph; /* if Teredo + UDP, this will be the outer UDP header */
+ const ICMPHdr *icmph, *orig_icmph;
+
+ const uint8_t *data; /* packet payload pointer */
+ const uint8_t *ip_data; /* IP payload pointer */
+ const uint8_t *outer_ip_data; /* Outer IP payload pointer */
+ const uint8_t *ip_frag_start;
+ const uint8_t *ip_options_data;
+ const uint8_t *tcp_options_data;
+ //^^^-----------------------------
+
+ void *ssnptr; /* for tcp session tracking info... */
+ void *fragtracker; /* for ip fragmentation tracking info... */
+ void *flow; /* for flow info */
+ void *streamptr; /* for tcp pkt dump */
+ void *policyEngineData;
+
+ //vvv-----------------------------
+ IP4Hdr *ip4h, *orig_ip4h; /* SUP_IP6 members */
+ IP6Hdr *ip6h, *orig_ip6h;
+ ICMP6Hdr *icmp6h, *orig_icmp6h;
+
+ IPH_API* iph_api;
+ IPH_API* orig_iph_api;
+ IPH_API* outer_iph_api;
+ IPH_API* outer_orig_iph_api;
+
+ IP4Hdr inner_ip4h, inner_orig_ip4h;
+ IP6Hdr inner_ip6h, inner_orig_ip6h;
+ IP4Hdr outer_ip4h, outer_orig_ip4h;
+ IP6Hdr outer_ip6h, outer_orig_ip6h;
+
+ MplsHdr mplsHdr;
+
+ int family;
+ int orig_family;
+ int outer_family;
+ int bytes_to_inspect; /* Number of bytes to check against rules */
+ /* this is not set - always 0 (inspect all) */
+
+ /* int ip_payload_len; */ /* Replacement for IP_LEN(p->iph->ip_len) << 2 */
+ /* int ip_payload_off; */ /* IP_LEN(p->iph->ip_len) << 2 + p->data */
+ //^^^-----------------------------
+
+ uint32_t preprocessor_bits; /* flags for preprocessors to check */
+ uint32_t preproc_reassembly_pkt_bits;
+
+ uint32_t http_pipeline_count; /* Counter for HTTP pipelined requests */
+ uint32_t packet_flags; /* special flags for the packet */
+ uint16_t proto_bits;
+
+ //vvv-----------------------------
+ uint16_t dsize; /* packet payload size */
+ uint16_t ip_dsize; /* IP payload size */
+ uint16_t alt_dsize; /* the dsize of a packet before munging (used for log)*/
+ uint16_t actual_ip_len; /* for logging truncated pkts (usually by small snaplen)*/
+ uint16_t outer_ip_dsize; /* Outer IP payload size */
+ //^^^-----------------------------
+
+ uint16_t frag_offset; /* fragment offset number */
+ uint16_t ip_frag_len;
+ uint16_t ip_options_len;
+ uint16_t tcp_options_len;
+
+ //vvv-----------------------------
+ uint16_t sp; /* source port (TCP/UDP) */
+ uint16_t dp; /* dest port (TCP/UDP) */
+ uint16_t orig_sp; /* source port (TCP/UDP) of original datagram */
+ uint16_t orig_dp; /* dest port (TCP/UDP) of original datagram */
+ //^^^-----------------------------
+ // and so on ...
+
+ int16_t application_protocol_ordinal;
+
+ uint8_t frag_flag; /* flag to indicate a fragmented packet */
+ uint8_t mf; /* more fragments flag */
+ uint8_t df; /* don't fragment flag */
+ uint8_t rf; /* IP reserved bit */
+
+ uint8_t uri_count; /* number of URIs in this packet */
+ uint8_t error_flags; /* flags indicate checksum errors, bad TTLs, etc. */
+ uint8_t encapsulated;
+ uint8_t GTPencapsulated;
+
+ uint8_t ip_option_count; /* number of options in this packet */
+ uint8_t tcp_option_count;
+ uint8_t ip6_extension_count;
+ uint8_t ip6_frag_index;
+
+ uint8_t ip_lastopt_bad; /* flag to indicate that option decoding was
+ halted due to a bad option */
+ uint8_t tcp_lastopt_bad; /* flag to indicate that option decoding was
+ halted due to a bad option */
+
+ uint8_t next_layer; /* index into layers for next encap */
+
+ uint32_t xtradata_mask;
+ uint32_t per_packet_xtradata;
+
+#ifndef NO_NON_ETHER_DECODER
+ const Fddi_hdr *fddihdr; /* FDDI support headers */
+ Fddi_llc_saps *fddisaps;
+ Fddi_llc_sna *fddisna;
+ Fddi_llc_iparp *fddiiparp;
+ Fddi_llc_other *fddiother;
+
+ const Trh_hdr *trh; /* Token Ring support headers */
+ Trh_llc *trhllc;
+ Trh_mr *trhmr;
+
+ Pflog1Hdr *pf1h; /* OpenBSD pflog interface header - version 1 */
+ Pflog2Hdr *pf2h; /* OpenBSD pflog interface header - version 2 */
+ Pflog3Hdr *pf3h; /* OpenBSD pflog interface header - version 3 */
+
+#ifdef DLT_LINUX_SLL
+ const SLLHdr *sllh; /* Linux cooked sockets header */
+#endif
+#ifdef DLT_IEEE802_11
+ const WifiHdr *wifih; /* wireless LAN header */
+#endif
+ const EtherEapol *eplh; /* 802.1x EAPOL header */
+ const EAPHdr *eaph;
+ const uint8_t *eaptype;
+ EapolKey *eapolk;
+#endif
+
+ // nothing after this point is zeroed ...
+ Options ip_options[IP_OPTMAX]; /* ip options decode structure */
+ Options tcp_options[TCP_OPTLENMAX]; /* tcp options decode struct */
+ IP6Option ip6_extensions[IP6_EXTMAX]; /* IPv6 Extension References */
+
+ const IP6RawHdr* raw_ip6h; // innermost raw ip6 header
+ Layer layers[LAYER_MAX]; /* decoded encapsulations */
+
+ PseudoPacketType pseudo_type; // valid only when PKT_PSEUDO is set
+ uint16_t max_dsize;
+
+ /**policyId provided in configuration file. Used for correlating configuration
+ * with event output
+ */
+ uint16_t configPolicyId;
+
+} Packet;
+
+#define PKT_ZERO_LEN offsetof(Packet, ip_options)
+
+#define PROTO_BIT__NONE 0x0000
+#define PROTO_BIT__IP 0x0001
+#define PROTO_BIT__ARP 0x0002
+#define PROTO_BIT__TCP 0x0004
+#define PROTO_BIT__UDP 0x0008
+#define PROTO_BIT__ICMP 0x0010
+#define PROTO_BIT__TEREDO 0x0020
+#define PROTO_BIT__GTP 0x0040
+#define PROTO_BIT__ALL 0xffff
+
+#define IsIP(p) (IPH_IS_VALID(p))
+#define IsTCP(p) (IsIP(p) && (GET_IPH_PROTO(p) == IPPROTO_TCP))
+#define IsUDP(p) (IsIP(p) && (GET_IPH_PROTO(p) == IPPROTO_UDP))
+#define IsICMP(p) (IsIP(p) && (GET_IPH_PROTO(p) == IPPROTO_ICMP))
+#define GET_PKT_SEQ(p) (ntohl(p->tcph->th_seq))
+
+/* Macros to deal with sequence numbers - p810 TCP Illustrated vol 2 */
+#define SEQ_LT(a,b) ((int)((a) - (b)) < 0)
+#define SEQ_LEQ(a,b) ((int)((a) - (b)) <= 0)
+#define SEQ_GT(a,b) ((int)((a) - (b)) > 0)
+#define SEQ_GEQ(a,b) ((int)((a) - (b)) >= 0)
+#define SEQ_EQ(a,b) ((int)((a) - (b)) == 0)
+
+#define BIT(i) (0x1 << (i-1))
+
+#ifdef SUP_IP6
+/* Sets the callbacks to point at the family selected by
+ * * "family". "family" is either AF_INET or AF_INET6 */
+#define CALLBACK_IP 0
+#define CALLBACK_ICMP_ORIG 1
+
+static inline void set_callbacks(struct _Packet *p, int family, char orig)
+{
+ if (p == NULL)
+ {
+ ErrorMessage("%s(%d) Can't set iph api callback: Packet is NULL.\n",
+ __FILE__, __LINE__);
+ return;
+ }
+
+ if (orig == CALLBACK_IP)
+ {
+ if(family == AF_INET)
+ p->iph_api = &ip4;
+ else
+ p->iph_api = &ip6;
+
+ p->family = family;
+ }
+ else if (orig == CALLBACK_ICMP_ORIG)
+ {
+ if(family == AF_INET)
+ p->orig_iph_api = &ip4;
+ else
+ p->orig_iph_api = &ip6;
+
+ p->orig_family = family;
+ }
+ else
+ {
+ ErrorMessage("%s(%d) Can't set iph api callback: Invalid callback "
+ "type: %c.\n", __FILE__, __LINE__, orig);
+ return;
+ }
+}
+#endif
+
+typedef struct s_pseudoheader
+{
+ uint32_t sip, dip;
+ uint8_t zero;
+ uint8_t protocol;
+ uint16_t len;
+
+} PSEUDO_HDR;
+
+/* Default classification for decoder alerts */
+#define DECODE_CLASS 25
+
+typedef struct _DecoderFlags
+{
+ char decode_alerts; /* if decode.c alerts are going to be enabled */
+ char oversized_alert; /* alert if garbage after tcp/udp payload */
+ char oversized_drop; /* alert if garbage after tcp/udp payload */
+ char drop_alerts; /* drop alerts from decoder */
+ char tcpopt_experiment; /* TcpOptions Decoder */
+ char drop_tcpopt_experiment; /* Drop alerts from TcpOptions Decoder */
+ char tcpopt_obsolete; /* Alert on obsolete TCP options */
+ char drop_tcpopt_obsolete; /* Drop on alerts from obsolete TCP options */
+ char tcpopt_ttcp; /* Alert on T/TCP options */
+ char drop_tcpopt_ttcp; /* Drop on alerts from T/TCP options */
+ char tcpopt_decode; /* alert on decoder inconsistencies */
+ char drop_tcpopt_decode; /* Drop on alerts from decoder inconsistencies */
+ char ipopt_decode; /* alert on decoder inconsistencies */
+ char drop_ipopt_decode; /* Drop on alerts from decoder inconsistencies */
+
+ /* To be moved to the frag preprocessor once it supports IPv6 */
+ char ipv6_bad_frag_pkt;
+ char bsd_icmp_frag;
+ char drop_bad_ipv6_frag;
+
+} DecoderFlags;
+
+#define ALERTMSG_LENGTH 256
+
+
+/* P R O T O T Y P E S ******************************************************/
+
+// root decoders
+void DecodeEthPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
+void DecodeNullPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
+void DecodeRawPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
+void DecodeRawPkt6(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
+
+// chained decoders
+void DecodeARP(const uint8_t *, uint32_t, Packet *);
+void DecodeEthLoopback(const uint8_t *, uint32_t, Packet *);
+void DecodeVlan(const uint8_t *, const uint32_t, Packet *);
+void DecodePppPktEncapsulated(const uint8_t *, const uint32_t, Packet *);
+void DecodePPPoEPkt(const uint8_t *, const uint32_t, Packet *);
+void DecodeIP(const uint8_t *, const uint32_t, Packet *);
+void DecodeIPV6(const uint8_t *, uint32_t, Packet *);
+void DecodeTCP(const uint8_t *, const uint32_t, Packet *);
+void DecodeUDP(const uint8_t *, const uint32_t, Packet *);
+void DecodeICMP(const uint8_t *, const uint32_t, Packet *);
+void DecodeICMP6(const uint8_t *, const uint32_t, Packet *);
+void DecodeICMPEmbeddedIP(const uint8_t *, const uint32_t, Packet *);
+void DecodeICMPEmbeddedIP6(const uint8_t *, const uint32_t, Packet *);
+void DecodeIPOptions(const uint8_t *, uint32_t, Packet *);
+void DecodeTCPOptions(const uint8_t *, uint32_t, Packet *);
+void DecodeTeredo(const uint8_t *, uint32_t, Packet *);
+void DecodeESP(const uint8_t *, uint32_t, Packet *);
+void DecodeGTP(const uint8_t *, uint32_t, Packet *);
+
+#ifdef GRE
+void DecodeGRE(const uint8_t *, const uint32_t, Packet *);
+void DecodeTransBridging(const uint8_t *, const uint32_t, Packet *);
+#endif /* GRE */
+void DecoderAlertEncapsulated(Packet *, int, const char *, const uint8_t *, uint32_t);
+
+#ifdef MPLS
+int isPrivateIP(uint32_t addr);
+void DecodeEthOverMPLS(const uint8_t*, const uint32_t, Packet*);
+void DecodeMPLS(const uint8_t*, const uint32_t, Packet*);
+#endif
+
+#ifndef NO_NON_ETHER_DECODER
+// root decoders
+void DecodeTRPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
+void DecodeFDDIPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
+void DecodeLinuxSLLPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
+void DecodeIEEE80211Pkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
+void DecodeSlipPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
+void DecodeI4LRawIPPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
+void DecodeI4LCiscoIPPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
+void DecodeChdlcPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
+void DecodePflog(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
+void DecodeOldPflog(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
+void DecodePppPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
+void DecodePppSerialPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
+void DecodeEncPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
+
+// chained decoders
+void DecodeEAP(const uint8_t *, const uint32_t, Packet *);
+void DecodeEapol(const uint8_t *, uint32_t, Packet *);
+void DecodeEapolKey(const uint8_t *, uint32_t, Packet *);
+void DecodeIPX(const uint8_t *, uint32_t, Packet *);
+#endif // NO_NON_ETHER_DECODER
+
+void BsdFragHashInit(int max);
+void BsdFragHashCleanup(void);
+void BsdFragHashReset(void);
+
+#if defined(WORDS_MUSTALIGN) && !defined(__GNUC__)
+uint32_t EXTRACT_32BITS (u_char *);
+#endif /* WORDS_MUSTALIGN && !__GNUC__ */
+
+extern void UpdateDecodeRulesArray(uint32_t sid, int bOn, int bAll);
+
+/*Decode functions that need to be called once the policies are set */
+extern void DecodePolicySpecific(Packet *);
+
+/* XXX not sure where this guy needs to live at the moment */
+typedef struct _PortList
+{
+ int ports[32]; /* 32 is kind of arbitrary */
+
+ int num_entries;
+
+} PortList;
+
+void InitSynToMulticastDstIp( void );
+void SynToMulticastDstIpDestroy( void );
+
+#define SFTARGET_UNKNOWN_PROTOCOL -1
+
+static inline int PacketWasCooked(Packet* p)
+{
+ return ( p->packet_flags & PKT_PSEUDO ) != 0;
+}
+
+#ifdef ENABLE_PAF
+static inline bool PacketHasFullPDU (const Packet* p)
+{
+ return ( (p->packet_flags & PKT_PDU_FULL) == PKT_PDU_FULL );
+}
+
+static inline bool PacketHasStartOfPDU (const Packet* p)
+{
+ return ( (p->packet_flags & PKT_PDU_HEAD) != 0 );
+}
+
+static inline bool PacketHasPAFPayload (const Packet* p)
+{
+ return ( (p->packet_flags & PKT_REBUILT_STREAM) || PacketHasFullPDU(p) );
+}
+#endif
+
+static inline void SetLogFuncs(Packet *p, uint32_t id, uint8_t per_packet)
+{
+ if(!id)
+ return;
+ if(per_packet)
+ p->per_packet_xtradata |= BIT(id);
+ else
+ p->xtradata_mask |= BIT(id);
+}
+
+#endif /* __DECODE_H__ */
+
|
[-]
[+]
|
Added |
spp_ipv6_20120512.tar.bz2/include/sfportobject.h
^
|
@@ -0,0 +1,318 @@
+/****************************************************************************
+ *
+ * Copyright (C) 2005-2012 Sourcefire, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License Version 2 as
+ * published by the Free Software Foundation. You may not use, modify or
+ * distribute this program under any other version of the GNU General
+ * Public License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ ****************************************************************************/
+
+/*
+ sfportobject.h
+
+ Port List Object Management
+
+ author: marc norton
+
+ Hierarchy:
+
+ PortTable -> PortObject's
+
+ PortVar -> PortObject
+
+ PortObject -> PortObjectItems (port or port range)
+
+ */
+#ifndef SFPORTOBJECT_H
+#define SFPORTOBJECT_H
+
+#include "sflsq.h"
+#include "sfghash.h"
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#define SFPO_MAX_LPORTS 500
+#define SFPO_MAX_PORTS 65536
+
+typedef SFGHASH PortVarTable;
+
+/*
+ * PortObjectItem Flags
+ */
+#define PORT_OBJECT_NOT_FLAG 1
+
+#define PORT_OBJECT_PORT 1
+#define PORT_OBJECT_RANGE 2
+#define PORT_OBJECT_ANY 3
+
+/*
+ * Port Object Item supports
+ * port, lowport:highport, portlist
+ */
+typedef struct _PortObjectItem_s {
+
+ int type; /* ANY, RANGE, PORT */
+ int flags; /* NOT */
+
+ uint16_t hport; /* hi port */
+ uint16_t lport; /* lo port */
+
+ uint16_t cur_port; /* internal - first/next */
+ uint16_t tmp;
+
+}PortObjectItem;
+
+
+/*
+* PortObject supports a set of PortObjectItems
+*
+* A Port Set may include one or more of the following
+* Port
+* Port Range
+* List of Ports mixed with Port Ranges
+*/
+#include "bitop_funcs.h"
+
+typedef struct { /* not used yet */
+ char * name; /* user name - always use strdup or malloc for this*/
+ SF_LIST * item_list; /* list of port and port-range items */
+}PortList_x;
+
+typedef struct {
+ char * name; /* user name - always use strdup or malloc for this*/
+ int id; /* internal tracking - compiling sets this value */
+ SF_LIST * item_list; /* list of port and port-range items */
+ SF_LIST * rule_list; /* list of rules */
+ void * data; /* user data, PORT_GROUP based on rule_list - only used by any-any ports */
+ void (*data_free)(void *);
+}PortObject;
+
+typedef struct {
+ char * name; /* user name - always use strdup or malloc for this*/
+ int id; /* internal tracking - compiling sets this value */
+ SF_LIST * item_list; /* list of port and port-range items */
+ SFGHASH * rule_hash; /* hash of rule (rule-indexes) in use */
+ int port_cnt; /* count of ports using this object */
+ BITOP * bitop; /* for collecting ports that use this object */
+ void * data; /* user data, PORT_GROUP based on rule_hash */
+ void (*data_free)(void *);
+}PortObject2;
+
+/*
+ Port Table
+*/
+typedef struct _PortTable_s {
+
+ /* turns on group optimization, better speed-but more memory
+ * otherwise a single merged rule group is used.
+ */
+ int pt_optimize;
+
+ /* save the users input port objects in this list
+ * rules may be added after creation of a port object
+ * but the ports are not modified.
+ */
+ SF_LIST * pt_polist;
+ int pt_poid;
+
+ /*
+ * Array of lists of PortObject pointers to unique PortObjects,
+ * the associated rule lists are stored in Data elements in rh,
+ * the keys are the address of the PortObjects
+ */
+ SF_LIST * pt_port_lists[SFPO_MAX_PORTS];
+
+ /* Compiled / merged port object hash table */
+ SFGHASH * pt_mpo_hash;
+ SFGHASH * pt_mpxo_hash;
+
+ SF_LIST * pt_plx_list;
+
+ /* a single rule list with all rules merged together */
+ SF_LIST * pt_merged_rule_list;
+
+ /*
+ * Final Port/Rule Groupings, one port object per port, or null
+ */
+ PortObject2 * pt_port_object[SFPO_MAX_PORTS];
+
+ int pt_lrc; /* large rule count, this many rules is a large group */
+
+ /* Stats */
+ int single_merges; /* single PortObject on a port */
+ int small_merges; /* small port objects merged into a bigger object */
+ int large_single_merges; /* 1 large + some small objects */
+ int large_multi_merges; /* >1 large object merged + some small objects */
+ int non_opt_merges;
+
+}PortTable;
+
+typedef struct {
+
+ PortTable * tcp_src, * tcp_dst;
+ PortTable * udp_src, * udp_dst;
+ PortTable * icmp_src,* icmp_dst;
+ PortTable * ip_src, * ip_dst;
+
+ PortObject * tcp_anyany;
+ PortObject * udp_anyany;
+ PortObject * icmp_anyany;
+ PortObject * ip_anyany;
+
+ PortObject * tcp_nocontent;
+ PortObject * udp_nocontent;
+ PortObject * icmp_nocontent;
+ PortObject * ip_nocontent;
+
+}rule_port_tables_t;
+
+
+#define POPERR_NO_NAME 1
+#define POPERR_NO_ENDLIST_BRACKET 2
+#define POPERR_NOT_A_NUMBER 3
+#define POPERR_EXTRA_BRACKET 4
+#define POPERR_NO_DATA 5
+#define POPERR_ADDITEM_FAILED 6
+#define POPERR_MALLOC_FAILED 7
+#define POPERR_INVALID_RANGE 8
+#define POPERR_DUPLICATE_ENTRY 9
+#define POPERR_BOUNDS 10
+#define POPERR_BAD_VARIABLE 11
+
+#define POP_MAX_BUFFER_SIZE 256
+typedef struct {
+ char * s; /* current string pointer */
+ int slen; /* bytes left in string */
+ int pos; /* position in string of last GetChar() */
+ char token[POP_MAX_BUFFER_SIZE+4]; /* single number, or range, or not flag */
+ int errflag;
+ /* for handling PortObject references when parsing */
+ PortObject * po_ref;
+ SF_LNODE * poi_pos;
+ PortVarTable * pvTable;
+}POParser;
+
+/*
+ Prototypes
+*/
+
+/*
+* Port List Table
+*
+* The PortTable provides support to analyze the Port List objects defined by
+* the user as either PortVar entries or simply as inline rule port
+* list declarations.
+*/
+PortTable * PortTableNew (void);
+void PortTableFree( PortTable *p );
+int PortTableAddObject( PortTable *p, PortObject * po );
+int PortTableAddObjectRaw( PortTable *p, PortObject * po );
+int PortTableAddRule ( PortTable * p, int port, int rule );
+int PortTableCompile ( PortTable * P);
+void PortTablePrintInputEx( PortTable * p,
+ void (*rule_index_map_print)(int index, char *buf, int bufsize) );
+int PortTablePrintCompiledEx( PortTable * p,
+ void (*rule_index_map_print)(int index, char *buf, int bufsize) );
+PortObject * PortTableFindPortObjectByPort( PortTable * pt , int port );
+PortObject * PortTableFindInputPortObjectName(PortTable * pt, char * po_name);
+PortObject * PortTableFindInputPortObjectPorts( PortTable * pt , PortObject * po );
+/*
+ Port List Object
+*/
+PortObject * PortObjectNew ( void );
+PortObject2 * PortObject2New (int nrules/*guess at this */);
+void PortObjectFree ( void * p );
+void PortObject2Free ( void * p );
+int PortObjectSetName ( PortObject * po, char * name );
+PortObjectItem * PortObjectItemNew ( void );
+PortObjectItem * PortObjectItemDup ( PortObjectItem * poi );
+void PortObjectItemFree ( PortObjectItem * poi );
+int PortObjectAddItem ( PortObject * po, PortObjectItem * poi, int *errflag);
+int PortObjectAddPortObject ( PortObject * podst, PortObject * posrc, int *errflag);
+int PortObjectAddPort ( PortObject * po, int port, int not_flag );
+int PortObjectAddRange ( PortObject * po, int lport, int hport, int not_flag );
+int PortObjectAddRule ( PortObject * po, int rule );
+int PortObjectAddPortAny ( PortObject * po );
+PortObject * PortObjectDup ( PortObject * po );
+PortObject2 * PortObject2Dup ( PortObject * po );
+PortObject * PortObjectDupPorts ( PortObject * po );
+int * PortObjectExtractRuleArray( PortObject * po, int * nrules );
+int * PortObject2ExtractRuleArray( PortObject2 * po, int * nrules );
+
+int PortObjectNormalize ( PortObject * po );
+int PortObjectNegate ( PortObject * po );
+int PortObjectEqual ( PortObject * poa, PortObject * bob );
+
+void PortObjectSetAny ( PortObject * po );
+int PortObjectPortCount ( PortObject * po );
+int PortObjectHasPort ( PortObject * po, int port );
+int PortObjectHasNot ( PortObject * po );
+int PortObjectIsPureNot ( PortObject * po );
+int PortObjectHasAny ( PortObject * po );
+int PortObjectIncludesPort(PortObject * po, int port );
+char * PortObjectCharPortArray ( char * parray, PortObject * po, int * nports );
+int PortObjectRemovePorts( PortObject * a, PortObject * b );
+PortObject * PortObjectAppend(PortObject * poa, PortObject * pob );
+PortObject * PortObjectAppendPortObject(PortObject * poa, PortObject * pob );
+PortObject2 * PortObject2AppendPortObject(PortObject2 * poa, PortObject * pob );
+PortObject2 * PortObject2AppendPortObject2(PortObject2 * poa, PortObject2 * pob );
+PortObject * PortObjectAppendEx(PortObject * poa, PortObject * pob );
+PortObject2 * PortObjectAppendEx2(PortObject2 * poa, PortObject * pob );
+int PortTableNormalizeInputPortObjects( PortTable *p );
+int PortTableCompileMergePortObjects( PortTable * p );
+int PortTableConsistencyCheck( PortTable *p );
+void PortTablePrintInput( PortTable * p );
+void PortTablePrintUserRules( PortTable * p );
+void PortTablePrintPortGroups( PortTable * p );
+void PortTablePrintPortPortObjects( PortTable * p );
+int PortVarTableFree(PortVarTable * pvt);
+
+void PortObjectPrint ( PortObject * po );
+void PortObjectPrintPorts ( PortObject * po );
+void PortObjectPrintPortsRaw(PortObject * po );
+void PortObject2PrintPorts ( PortObject2 * po );
+void PortObject2Print ( PortObject2 * po );
+int PortObjectPrintDetails( PortObject * po );
+
+void PortObjectPrintEx(PortObject * po,
+ void (*print_index_map)(int index, char *buf, int bufsize) );
+void PortObject2PrintEx(PortObject2 * po,
+ void (*print_index_map)(int index, char *buf, int bufsize) );
+void PortTableSortUniqRules(
+ PortTable * p
+ );
+void RuleListSortUniq(
+ SF_LIST * rl
+ );
+
+/*
+ PortVarTable
+
+ port lists may be defined as 'name port-list'
+*/
+PortVarTable * PortVarTableCreate (void);
+int PortVarTableAdd ( PortVarTable * pvt, PortObject * po );
+PortObject * PortVarTableFind ( PortVarTable * pvt, char * name );
+
+
+/*
+ PortVars are internally stored in PortObjects
+ This function parses PortVar strings into PortObjects
+*/
+PortObject * PortObjectParseString ( PortVarTable * pvTable, POParser * pop,char * name, char * s,int nameflag );
+char * PortObjectParseError( POParser * p );
+#endif
|