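/* Tail of DCE2_InitTcpRpkt(): its header and opening statements are in
 * the part of the file that precedes this chunk. */
    p->tcp_header = (TCPHeader *)((uint8_t *)p->ip4_header + IP_HDR_LEN);
    SET_TCP_HDR_OFFSET((TCPHeader *)p->tcp_header, 0x5);
    ((TCPHeader *)p->tcp_header)->flags = TCPHEADER_PUSH | TCPHEADER_ACK;
    p->payload = (uint8_t *)p->tcp_header + TCP_HDR_LEN;
#ifdef SUP_IP6
    _dpd.ip6Build((void *)p, p->ip4_header, AF_INET);
#endif
}

/*********************************************************************
 * Function: DCE2_InitUdpRpkt()
 *
 * Purpose: Initializes a preallocated reassembly packet as an
 *          Ethernet/IPv4/UDP packet.  The common link and IP layer
 *          fields are filled in, the IP protocol is set to UDP and the
 *          UDP header and payload pointers are placed directly behind
 *          the IP header.  Nothing is allocated here: the packet and
 *          its pcap header buffer must already exist (DCE2_AllocPkt).
 *
 * Arguments:
 *  SFSnortPacket * - the packet to initialize
 *
 * Returns: None
 *
 *********************************************************************/
void DCE2_InitUdpRpkt(SFSnortPacket *p)
{
    DCE2_InitCommonRpkt(p);

    ((IPV4Header *)p->ip4_header)->proto = IPPROTO_UDP;

    /* Assumes IP_HDR_LEN is the 20-byte length implied by the 5-word
     * header length set in DCE2_InitCommonRpkt (no options). */
    p->udp_header = (UDPHeader *)((uint8_t *)p->ip4_header + IP_HDR_LEN);
    p->payload = (uint8_t *)p->udp_header + UDP_HDR_LEN;

#ifdef SUP_IP6
    /* Presumably builds the IPv6-capable view (ip4h) from the raw IPv4
     * header; the callback's contract is not visible in this file. */
    _dpd.ip6Build((void *)p, p->ip4_header, AF_INET);
#endif
}

/*********************************************************************
 * Function: DCE2_InitCommonRpkt()
 *
 * Purpose: Initializes the fields common to the TCP and UDP
 *          reassembly packets: the packet data pointer, an Ethernet
 *          header carrying the IPv4 ethertype, and a minimal IPv4
 *          header (version 4, 5-word header, TTL 0xF0, TOS 0x10).
 *          Addresses, the protocol field and the length fields are
 *          filled in later by the protocol-specific initializer and
 *          by DCE2_GetRpkt().
 *
 * Arguments:
 *  SFSnortPacket * - the packet to initialize
 *
 * Returns: None
 *
 *********************************************************************/
static void DCE2_InitCommonRpkt(SFSnortPacket *p)
{
    /* All headers are laid out in the buffer that follows the pcap
     * header.  This relies on that buffer (DCE2_PKTH_SIZE bytes, see
     * DCE2_AllocPkt) being large enough for the headers plus the
     * IP_MAXPKT payload bounded in DCE2_GetRpkt -- nothing here
     * checks it, so keep the two sizes in step. */
    p->pkt_data = ((uint8_t *)p->pcap_header) + sizeof(struct pcap_pkthdr);
    p->ether_header = (void *)((uint8_t *)p->pkt_data + SUN_SPARC_TWIDDLE);
    ((EtherHeader *)p->ether_header)->ethernet_type = htons(0x0800);

    p->ip4_header = (IPV4Header *)((uint8_t *)p->ether_header + ETHER_HDR_LEN);
    SET_IP4_VER((IPV4Header *)p->ip4_header, 0x4);
    SET_IP4_HLEN((IPV4Header *)p->ip4_header, 0x5);
    ((IPV4Header *)p->ip4_header)->time_to_live = 0xF0;
    ((IPV4Header *)p->ip4_header)->type_service = 0x10;
}

#ifdef SUP_IP6
/*********************************************************************
 * Function: DCE2_InitTcp6Rpkt()
 *
 * Purpose: Initializes a preallocated reassembly packet as an IPv6
 *          TCP packet.  The common fields are set up, TCP is recorded
 *          both as the IPv6 next header and in the IPv4 view, and the
 *          TCP header (5-word data offset, PUSH|ACK) and the payload
 *          pointer are placed behind the IPv6 header.
 *
 * Arguments:
 *  SFSnortPacket * - the packet to initialize
 *
 * Returns: None
 *
 *********************************************************************/
static void DCE2_InitTcp6Rpkt(SFSnortPacket *p)
{
    DCE2_InitCommonRpkt6(p);

    /* Both views of the header carry the transport protocol. */
    p->inner_ip6h.next = ((IPV4Header *)p->ip4_header)->proto = IPPROTO_TCP;

    p->tcp_header = (TCPHeader *)((uint8_t *)p->ip4_header + IP6_HEADER_LEN);
    SET_TCP_HDR_OFFSET((TCPHeader *)p->tcp_header, 0x5);
    ((TCPHeader *)p->tcp_header)->flags = TCPHEADER_PUSH | TCPHEADER_ACK;
    p->payload = (uint8_t *)p->tcp_header + TCP_HDR_LEN;
}

/*********************************************************************
 * Function: DCE2_InitUdp6Rpkt()
 *
 * Purpose: Initializes a preallocated reassembly packet as an IPv6
 *          UDP packet.  The common fields are set up, UDP is recorded
 *          both as the IPv6 next header and in the IPv4 view, and the
 *          UDP header and payload pointers are placed behind the IPv6
 *          header.
 *
 * Arguments:
 *  SFSnortPacket * - the packet to initialize
 *
 * Returns: None
 *
 *********************************************************************/
static void DCE2_InitUdp6Rpkt(SFSnortPacket *p)
{
    DCE2_InitCommonRpkt6(p);

    /* Both views of the header carry the transport protocol. */
    p->inner_ip6h.next = ((IPV4Header *)p->ip4_header)->proto = IPPROTO_UDP;

    p->udp_header = (UDPHeader *)((uint8_t *)p->ip4_header + IP6_HEADER_LEN);
    p->payload = (uint8_t *)p->udp_header + UDP_HDR_LEN;
}

/*********************************************************************
 * Function: DCE2_InitCommonRpkt6()
 *
 * Purpose: Initializes the fields common to the IPv6 UDP and TCP
 *          reassembly packets.  The link layer and the IPv4 view are
 *          identical to the IPv4 case and come from
 *          DCE2_InitCommonRpkt(); on top of that the inner IPv6
 *          header gets its hop limit and length, the IPv6 callbacks
 *          are registered and the ip6h/ip4h views are pointed at the
 *          packet's inner headers.
 *
 * Arguments:
 *  SFSnortPacket * - the packet to initialize
 *
 * Returns: None
 *
 *********************************************************************/
static void DCE2_InitCommonRpkt6(SFSnortPacket *p)
{
    /* Same link/IPv4 layout as the IPv4 packets; reuse rather than
     * repeat it so the two cannot drift apart. */
    DCE2_InitCommonRpkt(p);

    /* NOTE(review): the ethertype is left at 0x0800 (IPv4) for the
     * IPv6 packet as well, exactly as before; confirm that no consumer
     * of the reassembly packet keys off the Ethernet type. */

    /* The IPv6 hop limit mirrors the IPv4 TTL (0xF0) set just above. */
    p->inner_ip6h.hop_lmt = ((IPV4Header *)p->ip4_header)->time_to_live;
    p->inner_ip6h.len = IP6_HEADER_LEN >> 2;

    _dpd.ip6SetCallbacks((void *)p, AF_INET6, SET_CALLBACK_IP);
    p->ip6h = &p->inner_ip6h;
    p->ip4h = &p->inner_ip4h;
}
#endif

/*********************************************************************
 * Function: DCE2_AllocPkt()
 *
 * Purpose: Allocates a packet struct.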
 *
 * Arguments: None
 *
 * Returns:
 *  SFSnortPacket * - the newly allocated packet with its pcap header
 *                    buffer attached, or NULL if either allocation
 *                    failed (nothing is leaked in that case)
 *
 *********************************************************************/
static SFSnortPacket *DCE2_AllocPkt(void)
{
    SFSnortPacket *pkt = (SFSnortPacket *)DCE2_Alloc(sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT);

    if (pkt != NULL)
    {
        pkt->pcap_header = (struct pcap_pkthdr *)DCE2_Alloc(DCE2_PKTH_SIZE, DCE2_MEM_TYPE__INIT);
        if (pkt->pcap_header != NULL)
            return pkt;

        /* Second allocation failed: give the packet back to the
         * allocator so the failure path does not leak. */
        DCE2_Free((void *)pkt, sizeof(SFSnortPacket), DCE2_MEM_TYPE__INIT);
    }

    return NULL;
}

/*********************************************************************
 * Function: DCE2_GetRpkt()
 *
 * Purpose:
 *
 * Arguments:
 *  SFSnortPacket * - pointer to packet off wire
 *  const uint8_t * - pointer to data to attach to reassembly packet
 *  uint16_t - length of data
 *
 * Returns:
 *  SFSnortPacket * - pointer to reassembly packet
 *
 *********************************************************************/
SFSnortPacket * DCE2_GetRpkt(const SFSnortPacket *wire_pkt, DCE2_RpktType rpkt_type,
                             const uint8_t *data, uint32_t data_len)
{
    SFSnortPacket *rpkt;
    uint16_t caplen, ip_len, payload_len;
    DCE2_Ret status;
    uint16_t data_overhead = 0;
    int rpkt_flag;

    switch (rpkt_type)
    {
        case DCE2_RPKT_TYPE__SMB_SEG:
#ifdef SUP_IP6
            if (IS_IP4(wire_pkt))
                rpkt = dce2_smb_seg_rpkt;
            else
                rpkt = dce2_smb_seg_rpkt6;
#else
            rpkt = dce2_smb_seg_rpkt;
#endif
            rpkt_flag = FLAG_SMB_SEG;
            break;

        case DCE2_RPKT_TYPE__SMB_TRANS:
#ifdef SUP_IP6
            if (IS_IP4(wire_pkt))
                rpkt = dce2_smb_trans_rpkt;
            else
                rpkt = dce2_smb_trans_rpkt6;
#else
            rpkt = dce2_smb_trans_rpkt;
#endif
            data_overhead = DCE2_MOCK_HDR_LEN__SMB;
            rpkt_flag = FLAG_SMB_TRANS;
            break;

        case DCE2_RPKT_TYPE__SMB_CO_SEG:
#ifdef SUP_IP6
            if (IS_IP4(wire_pkt))
                rpkt = dce2_smb_co_seg_rpkt;
            else
                rpkt = dce2_smb_co_seg_rpkt6;
#else
            rpkt = dce2_smb_co_seg_rpkt;
#endif
            data_overhead = DCE2_MOCK_HDR_LEN__SMB;
            rpkt_flag = FLAG_DCE_SEG;
            break;

        case DCE2_RPKT_TYPE__SMB_CO_FRAG:
#ifdef SUP_IP6
            if (IS_IP4(wire_pkt))
                rpkt = dce2_smb_co_frag_rpkt;
            else
                rpkt =
dce2_smb_co_frag_rpkt6;#else rpkt = dce2_smb_co_frag_rpkt;#endif data_overhead = DCE2_MOCK_HDR_LEN__SMB + DCE2_MOCK_HDR_LEN__CO; rpkt_flag = FLAG_DCE_FRAG; break; case DCE2_RPKT_TYPE__TCP_CO_SEG:#ifdef SUP_IP6 if (IS_IP4(wire_pkt)) rpkt = dce2_tcp_co_seg_rpkt; else rpkt = dce2_tcp_co_seg_rpkt6;#else rpkt = dce2_tcp_co_seg_rpkt;#endif rpkt_flag = FLAG_DCE_SEG; break; case DCE2_RPKT_TYPE__TCP_CO_FRAG:#ifdef SUP_IP6 if (IS_IP4(wire_pkt)) rpkt = dce2_tcp_co_frag_rpkt; else rpkt = dce2_tcp_co_frag_rpkt6;#else rpkt = dce2_tcp_co_frag_rpkt;#endif data_overhead = DCE2_MOCK_HDR_LEN__CO; rpkt_flag = FLAG_DCE_FRAG; break; case DCE2_RPKT_TYPE__UDP_CL_FRAG:#ifdef SUP_IP6 if (IS_IP4(wire_pkt)) rpkt = dce2_udp_cl_frag_rpkt; else rpkt = dce2_udp_cl_frag_rpkt6;#else rpkt = dce2_udp_cl_frag_rpkt;#endif data_overhead = DCE2_MOCK_HDR_LEN__CL; rpkt_flag = FLAG_DCE_FRAG; break; default: DCE2_Log("%s(%d) => Invalid reassembly packet type.\n", __FILE__, __LINE__); return NULL; }#ifdef SUP_IP6 if (IS_IP4(wire_pkt)) { if (wire_pkt->tcp_header != NULL) { caplen = ETHER_HDR_LEN + IP_HDR_LEN + TCP_HDR_LEN; ip_len = (uint16_t)(IP_HDR_LEN + TCP_HDR_LEN); payload_len = IP_MAXPKT - (IP_HDR_LEN + TCP_HDR_LEN); } else if (wire_pkt->udp_header != NULL) { caplen = ETHER_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN; ip_len = (uint16_t)(IP_HDR_LEN + UDP_HDR_LEN); payload_len = IP_MAXPKT - (IP_HDR_LEN + UDP_HDR_LEN); } else { DCE2_Log("%s(%d) => Not a TCP or UDP packet.\n", __FILE__, __LINE__); return NULL; } } else { if (wire_pkt->tcp_header != NULL) { caplen = ETHER_HDR_LEN + IP6_HDR_LEN + TCP_HDR_LEN; ip_len = (uint16_t)(IP6_HDR_LEN + TCP_HDR_LEN); payload_len = IP_MAXPKT - (IP6_HDR_LEN + TCP_HDR_LEN); } else if (wire_pkt->udp_header != NULL) { caplen = ETHER_HDR_LEN + IP6_HDR_LEN + UDP_HDR_LEN; ip_len = (uint16_t)(IP6_HDR_LEN + UDP_HDR_LEN); payload_len = IP_MAXPKT - (IP6_HDR_LEN + UDP_HDR_LEN); } else { DCE2_Log("%s(%d) => Not a TCP or UDP packet.\n", __FILE__, __LINE__); return NULL; } }#else if 
(wire_pkt->tcp_header != NULL) { caplen = ETHER_HDR_LEN + IP_HDR_LEN + TCP_HDR_LEN; ip_len = (uint16_t)(IP_HDR_LEN + TCP_HDR_LEN); payload_len = IP_MAXPKT - (IP_HDR_LEN + TCP_HDR_LEN); } else if (wire_pkt->udp_header != NULL) { caplen = ETHER_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN; ip_len = (uint16_t)(IP_HDR_LEN + UDP_HDR_LEN); payload_len = IP_MAXPKT - (IP_HDR_LEN + UDP_HDR_LEN); } else { DCE2_Log("%s(%d) => Not a TCP or UDP packet.\n", __FILE__, __LINE__); return NULL; }#endif#ifdef SUP_IP6 if (wire_pkt->family == AF_INET) { IP_COPY_VALUE(rpkt->inner_ip4h.ip_src, (&wire_pkt->ip4h->ip_src)); IP_COPY_VALUE(rpkt->inner_ip4h.ip_dst, (&wire_pkt->ip4h->ip_dst)); ((IPV4Header *)rpkt->ip4_header)->source.s_addr = wire_pkt->ip4h->ip_src.ip32[0]; ((IPV4Header *)rpkt->ip4_header)->destination.s_addr = wire_pkt->ip4h->ip_dst.ip32[0]; } else { IP_COPY_VALUE(rpkt->inner_ip6h.ip_src, (&wire_pkt->ip6h->ip_src)); IP_COPY_VALUE(rpkt->inner_ip6h.ip_dst, (&wire_pkt->ip6h->ip_dst)); } rpkt->family = wire_pkt->family;#else ((IPV4Header *)rpkt->ip4_header)->source.s_addr = wire_pkt->ip4_header->source.s_addr; ((IPV4Header *)rpkt->ip4_header)->destination.s_addr = wire_pkt->ip4_header->destination.s_addr;#endif if (wire_pkt->tcp_header != NULL) { ((TCPHeader *)rpkt->tcp_header)->source_port = wire_pkt->tcp_header->source_port; ((TCPHeader *)rpkt->tcp_header)->destination_port = wire_pkt->tcp_header->destination_port; } else { ((UDPHeader *)rpkt->udp_header)->source_port = wire_pkt->udp_header->source_port; ((UDPHeader *)rpkt->udp_header)->destination_port = wire_pkt->udp_header->destination_port; } rpkt->src_port = wire_pkt->src_port; rpkt->dst_port = wire_pkt->dst_port; if(wire_pkt->ether_header != NULL) { status = DCE2_Memcpy((void *)((EtherHeader *)rpkt->ether_header)->ether_source, (void *)wire_pkt->ether_header->ether_source, (size_t)6, (void *)rpkt->ether_header->ether_source, (void *)((uint8_t *)rpkt->ether_header->ether_source + 6)); if (status != DCE2_RET__SUCCESS) { 
DCE2_Log("%s(%d) => Failed to ether source into reassembly packet.\n", __FILE__, __LINE__); return NULL; } status = DCE2_Memcpy((void *)((EtherHeader *)rpkt->ether_header)->ether_destination, (void *)wire_pkt->ether_header->ether_destination, (size_t)6, (void *)rpkt->ether_header->ether_destination, (void *)((uint8_t *)rpkt->ether_header->ether_destination + 6)); if (status != DCE2_RET__SUCCESS) { DCE2_Log("%s(%d) => Failed to copy ether dest into reassembly packet.\n", __FILE__, __LINE__); return NULL; } } if ((data_len + data_overhead) > payload_len) data_len = payload_len - data_overhead; status = DCE2_Memcpy((void *)(rpkt->payload + data_overhead), (void *)data, (size_t)data_len, (void *)rpkt->payload, (void *)((uint8_t *)rpkt->payload + payload_len)); if (status != DCE2_RET__SUCCESS) { DCE2_Log("%s(%d) => Failed to copy data into reassembly packet.\n", __FILE__, __LINE__); return NULL; } rpkt->payload_size = (uint16_t)(data_overhead + data_len); if (IsUDP(((SFSnortPacket *)wire_pkt))) ((UDPHeader *)rpkt->udp_header)->data_length = ntohs((uint16_t)(rpkt->payload_size + UDP_HDR_LEN)); ((struct pcap_pkthdr *)rpkt->pcap_header)->caplen = caplen + rpkt->payload_size; ((struct pcap_pkthdr *)rpkt->pcap_header)->len = rpkt->pcap_header->caplen; ((struct pcap_pkthdr *)rpkt->pcap_header)->ts.tv_sec = wire_pkt->pcap_header->ts.tv_sec; ((struct pcap_pkthdr *)rpkt->pcap_header)->ts.tv_usec = wire_pkt->pcap_header->ts.tv_usec; ip_len += rpkt->payload_size;#ifdef SUP_IP6 if (wire_pkt->family == AF_INET) rpkt->ip4h->ip_len = ((IPV4Header *)rpkt->ip4_header)->data_length = htons(ip_len); else rpkt->ip6h->len = htons(ip_len);#else ((IPV4Header *)rpkt->ip4_header)->data_length = htons(ip_len);#endif rpkt->flags = FLAG_STREAM_EST; if (DCE2_SsnFromClient(wire_pkt))