Re: support current pflog format (>= OpenBSD 4.9)
From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 26 Mar 2012 08:16:29 -0400
Thanks, we'll take a look at it. Russ On Sun, Mar 25, 2012 at 2:17 AM, Ryan McBride <mcbride () openbsd org> wrote:
pflog format changed over a year ago, here is a patch against 2.9.2.1 to support the expanded pflog header size.
--- decode.h.orig Fri Jan 13 07:11:40 2012
+++ decode.h Sun Mar 25 14:22:47 2012
@@ -797,13 +797,14 @@ typedef struct _SLLHdr {
 
 
 /*
- * Snort supports 3 versions of the OpenBSD pflog header:
+ * Snort supports 4 versions of the OpenBSD pflog header:
  *
  * Pflog1_Hdr: CVS = 1.3, DLT_OLD_PFLOG = 17, Length = 28
  * Pflog2_Hdr: CVS = 1.8, DLT_PFLOG = 117, Length = 48
  * Pflog3_Hdr: CVS = 1.12, DLT_PFLOG = 117, Length = 64
+ * Pflog4_Hdr: CVS = 1.16, DLT_PFLOG = 117, Length = 100
  *
- * Since they have the same DLT, Pflog{2,3}Hdr are distinguished
+ * Since they have the same DLT, Pflog{2,3,4}Hdr are distinguished
  * by their actual length. The minimum required length excludes
  * padding.
  */
@@ -871,6 +872,33 @@ typedef struct _Pflog3_hdr
 #define PFLOG3_HDRLEN (sizeof(struct _Pflog3_hdr))
 #define PFLOG3_HDRMIN (PFLOG3_HDRLEN - PFLOG_PADLEN)
 
+typedef struct _Pflog4_hdr
+{
+ uint8_t length;
+ uint8_t af;
+ uint8_t action;
+ uint8_t reason;
+ char ifname[IFNAMSIZ];
+ char ruleset[PFLOG_RULELEN];
+ uint32_t rulenr;
+ uint32_t subrulenr;
+ uint32_t uid;
+ uint32_t pid;
+ uint32_t rule_uid;
+ uint32_t rule_pid;
+ uint8_t dir;
+ uint8_t rewritten;
+ uint8_t naf;
+ u_int8_t pad[1];
+ uint8_t saddr[16];
+ uint8_t daddr[16];
+ uint16_t sport;
+ uint16_t dport;
+} Pflog4Hdr;
+
+#define PFLOG4_HDRLEN (sizeof(struct _Pflog4_hdr))
+#define PFLOG4_HDRMIN (PFLOG4_HDRLEN) /* no trailing padding */
+
 /*
  * ssl_pkttype values.
  */
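Review bot: `u_int8_t pad[1];` in the new `_Pflog4_hdr` uses the BSD typedef while every other member of the struct uses C99 `uint8_t`; change it to `uint8_t pad[1];` so the header does not depend on `u_int8_t` being available on non-BSD builds. The comment block in the first hunk promises `Length = 100` and `PFLOG4_HDRMIN` is defined as the full `sizeof`, so the wire length byte only matches if the compiler lays this struct out with no internal padding; with 16-byte `ifname` and `ruleset` (as on OpenBSD) the members sum to exactly 100 and `naf` plus `pad[1]` bring the byte members back to a 4-byte boundary, so this appears to hold, but a comment on the typedef such as `/* must be exactly 100 bytes: the on-wire length byte is compared against sizeof */` would record that assumption for the next header revision.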
@@ -1760,6 +1788,7 @@ typedef struct _Packet
 Pflog1Hdr *pf1h; /* OpenBSD pflog interface header - version 1 */
 Pflog2Hdr *pf2h; /* OpenBSD pflog interface header - version 2 */
 Pflog3Hdr *pf3h; /* OpenBSD pflog interface header - version 3 */
+ Pflog4Hdr *pf4h; /* OpenBSD pflog interface header - version 4 */
 #ifdef DLT_LINUX_SLL
 const SLLHdr *sllh; /* Linux cooked sockets header */
--- decode.c.orig Fri Jan 13 07:11:40 2012
+++ decode.c Sun Mar 25 14:22:51 2012
@@ -6865,20 +6865,36 @@ void DecodePflog(Packet * p, const DAQ_PktHdr_t * pkth
 return;
 }
 /* lay the pf header structure over the packet data */
- if ( *((uint8_t*)pkt) < PFLOG3_HDRMIN )
+ switch(*((uint8_t*)pkt))
 {
- p->pf2h = (Pflog2Hdr*)pkt;
- pflen = p->pf2h->length;
- hlen = PFLOG2_HDRLEN;
- af = p->pf2h->af;
+ case PFLOG2_HDRMIN:
+ p->pf2h = (Pflog2Hdr*)pkt;
+ pflen = p->pf2h->length;
+ hlen = PFLOG2_HDRLEN;
+ af = p->pf2h->af;
+ break;
+ case PFLOG3_HDRMIN:
+ p->pf3h = (Pflog3Hdr*)pkt;
+ pflen = p->pf3h->length;
+ hlen = PFLOG3_HDRLEN;
+ af = p->pf3h->af;
+ break;
+ case PFLOG4_HDRMIN:
+ p->pf4h = (Pflog4Hdr*)pkt;
+ pflen = p->pf4h->length;
+ hlen = PFLOG4_HDRLEN;
+ af = p->pf4h->af;
+ break;
+ default:
+ if (ScLogVerbose())
+ {
+ ErrorMessage("unrecognized pflog header length! "
+ "(%d)\n", *((uint8_t*)pkt));
+ }
+ PREPROC_PROFILE_END(decodePerfStats);
+ return;
 }
- else
- {
- p->pf3h = (Pflog3Hdr*)pkt;
- pflen = p->pf3h->length;
- hlen = PFLOG3_HDRLEN;
- af = p->pf3h->af;
- }
+
 /* now that we know a little more, do a little more validation */
 if(cap_len < hlen)
 {
------------------------------------------------------------------------------ This SF email is sponsosred by: Try Windows Azure free for 90 days Click Here http://p.sf.net/sfu/sfd2d-msazure _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
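Review bot: The new `switch(*((uint8_t*)pkt))` in DecodePflog dereferences the first packet byte before the `cap_len < hlen` check below it, so that read is only safe because of the minimum-length guard whose tail (`return; }`) opens the hunk; the guard itself and the rest of DecodePflog lie outside the hunk at both ends, so a comment on the switch line should make the dependency explicit: `/* first byte is the pflog length field; the cap_len guard above guarantees it is present */`. The `default:` branch drops the record with a message that is printed only under `ScLogVerbose()`; if the decoder keeps drop counters for other malformed link-layer headers, this path should update them as well, otherwise truncated or future-version pflog records vanish silently. Minor: the `%d` conversion receives a `uint8_t` promoted to `int`, which is well-defined, but `%u` states the intent more clearly.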