
Re: support current pflog format (>= OpenBSD 4.9)


From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 26 Mar 2012 08:16:29 -0400

Thanks, we'll take a look at it.

Russ

On Sun, Mar 25, 2012 at 2:17 AM, Ryan McBride <mcbride () openbsd org> wrote:

The pflog format changed over a year ago; here is a patch against 2.9.2.1 to
support the expanded pflog header size.


--- decode.h.orig       Fri Jan 13 07:11:40 2012
+++ decode.h    Sun Mar 25 14:22:47 2012
@@ -797,13 +797,14 @@ typedef struct _SLLHdr {


 /*
- * Snort supports 3 versions of the OpenBSD pflog header:
+ * Snort supports 4 versions of the OpenBSD pflog header:
 *
 * Pflog1_Hdr:  CVS = 1.3,  DLT_OLD_PFLOG = 17,  Length = 28
 * Pflog2_Hdr:  CVS = 1.8,  DLT_PFLOG     = 117, Length = 48
 * Pflog3_Hdr:  CVS = 1.12, DLT_PFLOG     = 117, Length = 64
+ * Pflog4_Hdr:  CVS = 1.16, DLT_PFLOG     = 117, Length = 100
 *
- * Since they have the same DLT, Pflog{2,3}Hdr are distinguished
+ * Since they have the same DLT, Pflog{2,3,4}Hdr are distinguished
 * by their actual length.  The minimum required length excludes
 * padding.
 */
@@ -871,6 +872,33 @@ typedef struct _Pflog3_hdr
 #define PFLOG3_HDRLEN (sizeof(struct _Pflog3_hdr))
 #define PFLOG3_HDRMIN (PFLOG3_HDRLEN - PFLOG_PADLEN)

+typedef struct _Pflog4_hdr
+{
+    uint8_t  length;
+    uint8_t  af;
+    uint8_t  action;
+    uint8_t  reason;
+    char     ifname[IFNAMSIZ];
+    char     ruleset[PFLOG_RULELEN];
+    uint32_t rulenr;
+    uint32_t subrulenr;
+    uint32_t uid;
+    uint32_t pid;
+    uint32_t rule_uid;
+    uint32_t rule_pid;
+    uint8_t  dir;
+    uint8_t  rewritten;
+    uint8_t  naf;
+    u_int8_t pad[1];
+    uint8_t  saddr[16];
+    uint8_t  daddr[16];
+    uint16_t sport;
+    uint16_t dport;
+} Pflog4Hdr;
+
+#define PFLOG4_HDRLEN (sizeof(struct _Pflog4_hdr))
+#define PFLOG4_HDRMIN (PFLOG4_HDRLEN)  /* no trailing padding */
+
 /*
 * ssl_pkttype values.
 */
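Review bot: `u_int8_t pad[1];` in the new Pflog4_hdr mixes the BSD spelling with the `uint8_t` used for every other field of the struct; `uint8_t  pad[1];` keeps it consistent and portable. More important, PFLOG4_HDRMIN is defined as the full sizeof(struct _Pflog4_hdr) and that value is what DecodePflog compares the on-wire length byte against, so the match silently depends on the compiler producing exactly the 100-byte layout the comment block above promises (the fields look naturally aligned, but nothing in the header enforces it). Consider documenting that dependency at the define, e.g. `/* on-wire length is 100: PFLOG4_HDRLEN must equal it exactly, there are no trailing pad bytes to exclude */`, or pinning it with a compile-time size check if the build allows one.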
@@ -1760,6 +1788,7 @@ typedef struct _Packet
    Pflog1Hdr *pf1h;            /* OpenBSD pflog interface header -
version 1 */
    Pflog2Hdr *pf2h;            /* OpenBSD pflog interface header -
version 2 */
    Pflog3Hdr *pf3h;            /* OpenBSD pflog interface header -
version 3 */
+    Pflog4Hdr *pf4h;            /* OpenBSD pflog interface header -
version 4 */

 #ifdef DLT_LINUX_SLL
    const SLLHdr *sllh;         /* Linux cooked sockets header */
--- decode.c.orig       Fri Jan 13 07:11:40 2012
+++ decode.c    Sun Mar 25 14:22:51 2012
@@ -6865,20 +6865,36 @@ void DecodePflog(Packet * p, const DAQ_PktHdr_t *
pkth
        return;
    }
    /* lay the pf header structure over the packet data */
-    if ( *((uint8_t*)pkt) < PFLOG3_HDRMIN )
+    switch(*((uint8_t*)pkt))
    {
-        p->pf2h = (Pflog2Hdr*)pkt;
-        pflen = p->pf2h->length;
-        hlen = PFLOG2_HDRLEN;
-        af = p->pf2h->af;
+        case PFLOG2_HDRMIN:
+            p->pf2h = (Pflog2Hdr*)pkt;
+            pflen = p->pf2h->length;
+            hlen = PFLOG2_HDRLEN;
+            af = p->pf2h->af;
+            break;
+        case PFLOG3_HDRMIN:
+            p->pf3h = (Pflog3Hdr*)pkt;
+            pflen = p->pf3h->length;
+            hlen = PFLOG3_HDRLEN;
+            af = p->pf3h->af;
+            break;
+        case PFLOG4_HDRMIN:
+            p->pf4h = (Pflog4Hdr*)pkt;
+            pflen = p->pf4h->length;
+            hlen = PFLOG4_HDRLEN;
+            af = p->pf4h->af;
+            break;
+        default:
+            if (ScLogVerbose())
+            {
+                ErrorMessage("unrecognized pflog header length! "
+                        "(%d)\n", *((uint8_t*)pkt));
+            }
+            PREPROC_PROFILE_END(decodePerfStats);
+            return;
    }
-    else
-    {
-        p->pf3h = (Pflog3Hdr*)pkt;
-        pflen = p->pf3h->length;
-        hlen = PFLOG3_HDRLEN;
-        af = p->pf3h->af;
-    }
+
    /* now that we know a little more, do a little more validation */
    if(cap_len < hlen)
    {
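Review bot: The switch matches the first packet byte against the exact PFLOG{2,3,4}_HDRMIN values, whereas the replaced code treated every value below PFLOG3_HDRMIN as a v2 header and everything else as v3, so a capture carrying any other length byte now stops at the new default case instead of being decoded best-effort. That is arguably the safer choice for a length that comes straight from the capture — it is what stops a v4 header from being laid over a Pflog3Hdr as before — but it is a visible behaviour change and deserves a comment on the switch, e.g. `/* the length byte is untrusted: only the exact header sizes we know are laid over the data, anything else is rejected rather than guessed */`. The length byte is also read twice, in the switch and again in the ErrorMessage call; hoisting it into `uint8_t pflog_hlen = *((uint8_t*)pkt);` before the switch would read more clearly. DecodePflog starts before this hunk and its body continues after it, so the check that presumably makes the first byte readable is not visible here.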



