sf_snort_packet.h

入侵检测SNORT.最近更新的基于网络检测的IDS.希望能给大家带来方便.

typedef struct _IPv6Hdr
{ 
    u_int32_t vcl;      /* version, class, and label */
    u_int16_t len;      /* length of the payload */
    u_int8_t  next;     /* next header
                         * Uses the same flags as
                         * the IPv4 protocol field */
    u_int8_t  hop_lmt;  /* hop limit */ 
    sfip_t ip_src;
    sfip_t ip_dst;
} IP6Hdr; 

typedef struct _IP6FragHdr 
{
    uint8_t   ip6f_nxt;     /* next header */
    uint8_t   ip6f_reserved;    /* reserved field */
    uint16_t  ip6f_offlg;   /* offset, reserved, and flag */
    uint32_t  ip6f_ident;   /* identification */
} IP6FragHdr;

typedef struct _ICMP6
{
    u_int8_t type;
    u_int8_t code;
    u_int16_t csum;

} ICMP6Hdr;

#define ICMP6_UNREACH 1
#define ICMP6_BIG    2
#define ICMP6_TIME   3
#define ICMP6_PARAMS 4
#define ICMP6_ECHO   128
#define ICMP6_REPLY  129

/* Minus 1 due to the 'body' field  */
#define ICMP6_MIN_HEADER_LEN (sizeof(ICMP6Hdr) )

struct _SFSnortPacket;


/* IPHeader access calls */
sfip_t *    ip4_ret_src(struct _SFSnortPacket *);
sfip_t *    ip4_ret_dst(struct _SFSnortPacket *);
u_int16_t   ip4_ret_tos(struct _SFSnortPacket *);
u_int8_t    ip4_ret_ttl(struct _SFSnortPacket *);
u_int16_t   ip4_ret_len(struct _SFSnortPacket *);
u_int16_t   ip4_ret_id(struct _SFSnortPacket *);
u_int8_t    ip4_ret_proto(struct _SFSnortPacket *);
u_int16_t   ip4_ret_off(struct _SFSnortPacket *);
u_int8_t    ip4_ret_ver(struct _SFSnortPacket *);
u_int8_t    ip4_ret_hlen(struct _SFSnortPacket *);

sfip_t *    orig_ip4_ret_src(struct _SFSnortPacket *);
sfip_t *    orig_ip4_ret_dst(struct _SFSnortPacket *);
u_int16_t   orig_ip4_ret_tos(struct _SFSnortPacket *);
u_int8_t    orig_ip4_ret_ttl(struct _SFSnortPacket *);
u_int16_t   orig_ip4_ret_len(struct _SFSnortPacket *);
u_int16_t   orig_ip4_ret_id(struct _SFSnortPacket *);
u_int8_t    orig_ip4_ret_proto(struct _SFSnortPacket *);
u_int16_t   orig_ip4_ret_off(struct _SFSnortPacket *);
u_int8_t    orig_ip4_ret_ver(struct _SFSnortPacket *);
u_int8_t    orig_ip4_ret_hlen(struct _SFSnortPacket *);

sfip_t *    ip6_ret_src(struct _SFSnortPacket *);
sfip_t *    ip6_ret_dst(struct _SFSnortPacket *);
u_int16_t   ip6_ret_toc(struct _SFSnortPacket *);
u_int8_t    ip6_ret_hops(struct _SFSnortPacket *);
u_int16_t   ip6_ret_len(struct _SFSnortPacket *);
u_int16_t   ip6_ret_id(struct _SFSnortPacket *);
u_int8_t    ip6_ret_next(struct _SFSnortPacket *);
u_int16_t   ip6_ret_off(struct _SFSnortPacket *);
u_int8_t    ip6_ret_ver(struct _SFSnortPacket *);
u_int8_t    ip6_ret_hlen(struct _SFSnortPacket *);

sfip_t *    orig_ip6_ret_src(struct _SFSnortPacket *);
sfip_t *    orig_ip6_ret_dst(struct _SFSnortPacket *);
u_int16_t   orig_ip6_ret_toc(struct _SFSnortPacket *);
u_int8_t    orig_ip6_ret_hops(struct _SFSnortPacket *);
u_int16_t   orig_ip6_ret_len(struct _SFSnortPacket *);
u_int16_t   orig_ip6_ret_id(struct _SFSnortPacket *);
u_int8_t    orig_ip6_ret_next(struct _SFSnortPacket *);
u_int16_t   orig_ip6_ret_off(struct _SFSnortPacket *);
u_int8_t    orig_ip6_ret_ver(struct _SFSnortPacket *);
u_int8_t    orig_ip6_ret_hlen(struct _SFSnortPacket *);

typedef struct _IPH_API 
{
    sfip_t *    (*iph_ret_src)(struct _SFSnortPacket *);
    sfip_t *    (*iph_ret_dst)(struct _SFSnortPacket *);
    u_int16_t   (*iph_ret_tos)(struct _SFSnortPacket *);
    u_int8_t    (*iph_ret_ttl)(struct _SFSnortPacket *);
    u_int16_t   (*iph_ret_len)(struct _SFSnortPacket *);
    u_int16_t   (*iph_ret_id)(struct _SFSnortPacket *);
    u_int8_t    (*iph_ret_proto)(struct _SFSnortPacket *);
    u_int16_t   (*iph_ret_off)(struct _SFSnortPacket *);
    u_int8_t    (*iph_ret_ver)(struct _SFSnortPacket *);
    u_int8_t    (*iph_ret_hlen)(struct _SFSnortPacket *);

    sfip_t *    (*orig_iph_ret_src)(struct _SFSnortPacket *);
    sfip_t *    (*orig_iph_ret_dst)(struct _SFSnortPacket *);
    u_int16_t   (*orig_iph_ret_tos)(struct _SFSnortPacket *);
    u_int8_t    (*orig_iph_ret_ttl)(struct _SFSnortPacket *);
    u_int16_t   (*orig_iph_ret_len)(struct _SFSnortPacket *);
    u_int16_t   (*orig_iph_ret_id)(struct _SFSnortPacket *);
    u_int8_t    (*orig_iph_ret_proto)(struct _SFSnortPacket *);
    u_int16_t   (*orig_iph_ret_off)(struct _SFSnortPacket *);
    u_int8_t    (*orig_iph_ret_ver)(struct _SFSnortPacket *);
    u_int8_t    (*orig_iph_ret_hlen)(struct _SFSnortPacket *);
} IPH_API;

extern IPH_API ip4;
extern IPH_API ip6;

#define iph_is_valid(p) (p->family != NO_IP)
/* Sets the callbacks to point at the family selected by 
 * "family".  "family" is either AF_INET or AF_INET6 */
void set_callbacks(struct _SFSnortPacket *p, int family);

#define NO_IP 0

#define IP6_HDR_LEN     40
#endif

typedef struct _MplsHdr
{
    u_int32_t label;
    u_int8_t  exp;
    u_int8_t  bos; 
    u_int8_t  ttl;
} MplsHdr;

typedef struct _SFSnortPacket
{
    const struct pcap_pkthdr *pcap_header; /* Is this GPF'd? */
    const u_int8_t *pkt_data;

    const void *fddi_header;
    void *fddi_saps;
    void *fddi_sna;
    void *fddi_iparp;
    void *fddi_other;

    const void *tokenring_header;
    void *tokenring_header_llc;
    void *tokenring_header_mr;

    const void *sll_header;

    void *pflog1_header;
    void *pflog2_header;
    void *pflog3_header;

    const EtherHeader *ether_header;
    const void *vlan_tag_header;

    void *ether_header_llc;
    void *ether_header_other;

    const void *wifi_header;

    const void *ether_arp_header;

    const void *ether_eapol_header; /* 802.1x */
    void *eapol_headear;
    u_int8_t *eapol_type;
    void *eapol_key;

    const void *ppp_over_ether_header;

    const IPV4Header *ip4_header, *orig_ip4_header;

    //int ip_payload_length;
    //int ip_payload_offset;

    u_int32_t ip4_options_length;
    void *ip4_options_data;

    const TCPHeader *tcp_header, *orig_tcp_header;
    u_int32_t tcp_options_length;
    void *tcp_options_data;

    const UDPHeader *udp_header, *orig_udp_header;
    const ICMPHeader *icmp_header, *orig_icmp_header;

    const u_int8_t *payload;
    u_int16_t payload_size;
    u_int16_t normalized_payload_size;

    u_int16_t actual_ip_length;

    u_int8_t ip_fragmented;
    u_int16_t ip_fragment_offset;
    u_int8_t ip_more_fragments;
    u_int8_t ip_dont_fragment;
    u_int8_t ip_reserved;

    u_int16_t src_port;
    u_int16_t dst_port;
    u_int16_t orig_src_port;
    u_int16_t orig_dst_port;
    u_int32_t pcap_cap_len;

    u_int8_t num_uris;

    void *stream_session_ptr;
    void *fragmentation_tracking_ptr;
    void *flow_ptr;
    void *stream_ptr;

    IPOptions ip_options[MAX_IP_OPTIONS];
    u_int32_t num_ip_options;
    u_int8_t ip_last_option_invalid_flag;
    
    TCPOptions tcp_options[MAX_TCP_OPTIONS];
    u_int32_t num_tcp_options;
    u_int8_t tcp_last_option_invalid_flag;

    u_int8_t checksums_invalid;
    u_int32_t flags;
    u_int32_t number_bytes_to_check;

    void *preprocessor_bit_mask;
    void *preproc_reassembly_pkt_bit_mask;
    
#ifdef GRE
    const void *gre_header;
    const IPV4Header *outer_ip4_header; /* if IP-in-IP, this will be the outer IP header */
    char encapsulated;
#endif

#ifdef TARGET_BASED
    int16_t application_protocol_ordinal;
#endif

#ifdef SUP_IP6
    IP4Hdr ip4h, orig_ip4h;   /* and orig. headers for ICMP_*_UNREACH family */
    IP6Hdr ip6h, orig_ip6h;   /* and orig. headers for ICMP_*_UNREACH family */
    ICMP6Hdr *icmp6h, *orig_icmp6h;
    int family;
    int orig_family;

    IPH_API iph_api;
#endif

    int http_pipeline_count;  /* Counter for HTTP pipelined requests */

    const u_int8_t *ip_payload;
    const u_int8_t *ip_payload_size;
    const IPV4Header *inner_ip4_header; /* if IP-in-IP, this will be the inner IP header */
#ifdef GRE
    const u_int8_t *outer_ip_payload;
    u_int16_t outer_ip_payload_size;
#endif

    u_int32_t *mpls;
    MplsHdr   mplsHdr;

} SFSnortPacket;

#define IsIP(p) (p->ip4_header != NULL)
#define IsTCP(p) ((p->ip4_header != NULL) && (p->tcp_header != NULL))
#define IsUDP(p) ((p->ip4_header != NULL) && (p->udp_header != NULL))
#define IsICMP(p) ((p->ip4_header != NULL) && (p->icmp_header != NULL))

#define SET_IP4_VER(ip_header, value) \
    ((ip_header)->version_headerlength = \
     (unsigned char)(((ip_header)->version_headerlength & 0x0f) | (value << 4)))
#define SET_IP4_HLEN(ip_header, value) \
    ((ip_header)->version_headerlength = \
     (unsigned char)(((ip_header)->version_headerlength & 0xf0) | (value & 0x0f)))

#define SET_TCP_HDR_OFFSET(tcp_header, value) \
    ((tcp_header)->offset_reserved = \
     (unsigned char)(((tcp_header)->offset_reserved & 0x0f) | (value << 4)))

#define FLAG_REBUILT_FRAG     0x00000001
#define FLAG_REBUILT_STREAM   0x00000002
#define FLAG_STREAM_UNEST_UNI 0x00000004
#define FLAG_STREAM_UNEST_BI  0x00000008
#define FLAG_STREAM_EST       0x00000010
#define FLAG_FROM_SERVER      0x00000040	
#define FLAG_FROM_CLIENT      0x00000080
#define FLAG_HTTP_DECODE      0x00000100
#define FLAG_STREAM_INSERT    0x00000400
#define FLAG_ALT_DECODE       0x00000800
#define FLAG_STREAM_TWH       0x00001000
#define FLAG_IGNORE_PORT      0x00002000  /* this packet should be ignored, based on port */
#define FLAG_PASS_RULE        0x00004000  /* this packet has matched a pass rule */
#define FLAG_NO_DETECT        0x00008000  /* this packet should not be preprocessed */
#define FLAG_PREPROC_RPKT     0x00010000  /* set in original packet to indicate a preprocessor
                                           * has a reassembled packet */
#define FLAG_DCE_RPKT         0x00020000  /* this is a DCE/RPC reassembled packet */
#define FLAG_IP_RULE          0x00040000  /* this packet being evaluated against an ip rule */
#define FLAG_IP_RULE_2ND      0x00080000  /* this packet is being evaluated against an IP rule */
#define FLAG_STATELESS        0x10000000  /* Packet has matched a stateless rule */
#define FLAG_INLINE_DROP      0x20000000
#define FLAG_OBFUSCATED       0x40000000  /* this packet has been obfuscated */
#define FLAG_LOGGED           0x80000000  /* this packet has been logged */


#endif /* _SF_SNORT_PACKET_H_ */