snort patch to understand pflog (ond and new)
From: leitao () async com br (Breno Leitão)
Date: Fri, 3 Dec 2004 18:28:23 -0200
On Thu, Dec 02, 2004 at 11:23:49PM -0200, Breno Leitão wrote:
Jeremy, we did the patch and it seems to be working. Now snort can understand both the new and the old pflog format.
Here is the our patch. I will send it attached, but i didn't know if it is a good idea. Sorry if i take the wrong way. :-)
-----Cut Here----
diff -u /home/async/src/snort-2.3.0RC1-ORIG/src/decode.c src/decode.c
--- /home/async/src/snort-2.3.0RC1-ORIG/src/decode.c Tue Oct 5 15:55:18 2004
+++ src/decode.c Thu Dec 2 22:56:07 2004
@@ -1079,6 +1079,79 @@
 #endif /* DLT_LINUX_SLL */
 /*
+ * Function: DecodeOldPflog(Packet *, struct pcap_pkthdr *, u_int8_t *)
+ *
+ * Purpose: Pass old pflog format device packets off to IP or IP6 -fleck
+ *
+ * Arguments: p => pointer to the decoded packet struct
+ * pkthdr => ptr to the packet header
+ * pkt => pointer to the packet data
+ *
+ * Returns: void function
+ *
+ */
+void DecodeOldPflog(Packet * p, struct pcap_pkthdr * pkthdr, u_int8_t * pkt)
+{
+ u_int32_t pkt_len; /* suprisingly, the length of the packet */
+ u_int32_t cap_len; /* caplen value */
+
+ bzero((char *) p, sizeof(Packet));
+
+ p->pkth = pkthdr;
+ p->pkt = pkt;
+
+ /* set the lengths we need */
+ pkt_len = pkthdr->len; /* total packet length */
+ cap_len = pkthdr->caplen; /* captured packet length */
+
+ if(snaplen < pkt_len)
+ pkt_len = cap_len;
+
+ DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");
+ DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n",
+ (unsigned long)cap_len, (unsigned long)pkt_len););
+
+ /* do a little validation */
+ if(p->pkth->caplen < OLDPFLOG_HDRLEN)
+ {
+ if(pv.verbose_flag)
+ {
+ ErrorMessage("Captured data length < Pflog header length! "
+ "(%d bytes)\n", p->pkth->caplen);
+ }
+ return;
+ }
+
+ /* lay the pf header structure over the packet data */
+ p->opfh = (OldPflogHdr *) pkt;
+
+ /* get the network type - should only be AF_INET or AF_INET6 */
+ switch(ntohl(p->opfh->af))
+ {
+ case AF_INET: /* IPv4 */
+ DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IP datagram size calculated to be %lu "
+ "bytes\n", (unsigned long)(cap_len - OLDPFLOG_HDRLEN)););
+
+ DecodeIP(p->pkt + OLDPFLOG_HDRLEN, cap_len - OLDPFLOG_HDRLEN, p);
+ return;
+
+#ifdef AF_INET6
+ case AF_INET6: /* IPv6 */
+ DecodeIPV6(p->pkt + OLDPFLOG_HDRLEN, (cap_len - OLDPFLOG_HDRLEN));
+ return;
+#endif
+
+ default:
+ /* To my knowledge, pflog devices can only
+ * pass IP and IP6 packets. -fleck
+ */
+ pc.other++;
+ return;
+ }
+
+ return;
+}
+/*
 * Function: DecodePflog(Packet *, struct pcap_pkthdr *, u_int8_t *)
 *
 * Purpose: Pass pflog device packets off to IP or IP6 -fleck
@@ -1126,7 +1199,7 @@
 p->pfh = (PflogHdr *) pkt;
 /* get the network type - should only be AF_INET or AF_INET6 */
- switch(ntohl(p->pfh->af))
+ switch(p->pfh->af)
 {
 case AF_INET: /* IPv4 */
 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IP datagram size calculated to be %lu "
diff -u /home/async/src/snort-2.3.0RC1-ORIG/src/decode.h src/decode.h
--- /home/async/src/snort-2.3.0RC1-ORIG/src/decode.h Mon Sep 13 14:44:49 2004
+++ src/decode.h Thu Dec 2 21:54:56 2004
@@ -688,12 +688,12 @@
 } SLLHdr;
-/* OpenBSD pf firewall pflog0 header
+/* Old OpenBSD pf firewall pflog0 header
 * (information from pf source in kernel)
 * the rule, reason, and action codes tell why the firewall dropped it -fleck
 */
-typedef struct _Pflog_hdr
+typedef struct _OldPflog_hdr
 {
 u_int32_t af;
 char intf[IFNAMSIZ];
@@ -701,11 +701,31 @@
 u_short reason;
 u_short action;
 u_short dir;
+} OldPflogHdr;
+
+#define OLDPFLOG_HDRLEN sizeof(struct _OldPflog_hdr)
+
+/* OpenBSD pf firewall pflog0 header
+ * (information from pf source in kernel)
+ * the rule, reason, and action codes tell why the firewall dropped it -fleck
+ */
+
+typedef struct _Pflog_hdr
+{
+ int8_t length;
+ sa_family_t af;
+ u_int8_t action;
+ u_int8_t reason;
+ char ifname[IFNAMSIZ];
+ char ruleset[16];
+ u_int32_t rulenr;
+ u_int32_t subrulenr;
+ u_int8_t dir;
+ u_int8_t pad[3];
 } PflogHdr;
 #define PFLOG_HDRLEN sizeof(struct _Pflog_hdr)
-
 /*
 * ssl_pkttype values.
 */
@@ -1064,6 +1084,8 @@
 PflogHdr *pfh; /* OpenBSD pflog interface header */
+ OldPflogHdr *opfh; /* Old OpenBSD pflog interface header */
+
 EtherHdr *eh; /* standard TCP/IP/Ethernet/ARP headers */
 VlanTagHdr *vh;
 EthLlc *ehllc;
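Review bot: In DecodeOldPflog the clamp `if(snaplen < pkt_len) pkt_len = cap_len;` compares the packet length against the global snaplen rather than against `cap_len`, and the clamped `pkt_len` is then only read by the DEBUG_WRAP message, so it guards nothing; every length that reaches DecodeIP and DecodeIPV6 is `cap_len - OLDPFLOG_HDRLEN`. The `caplen < OLDPFLOG_HDRLEN` check is the one that actually keeps that subtraction from wrapping and it is correct, but the ErrorMessage prints an unsigned caplen with `%d`; `"(%u bytes)\n", (unsigned)p->pkth->caplen` avoids the format mismatch. Either drop `pkt_len` and the snaplen clamp, or make the clamp the bound that is passed on, so the two lengths cannot drift apart again. As far as the visible tail of DecodePflog in the next hunk shows, this function mirrors it with only the header type, header length and the `ntohl()` on `af` differing, which is worth noting in the header comment so the two stay in step.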
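Review bot: The change to `switch(p->pfh->af)` in DecodePflog drops the byte swap without saying why, while the old-format path in DecodeOldPflog still goes through `ntohl()`, so a reader of this hunk alone sees the two decoders disagree about whether `af` is in wire order. A one-line comment above the switch would settle it: `/* af is a single byte (sa_family_t) in the new pflog header, so no byte-order conversion applies */`. Presumably the previous `ntohl()` on the promoted byte yielded a value that never matched AF_INET on little-endian hosts, which is the bug being fixed; if so, say that too. DecodePflog's body starts and ends outside this hunk.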
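Review bot: `sa_family_t af;` in the new `_Pflog_hdr` ties an on-wire overlay to the host C library: on the BSDs it is one byte, but on glibc/Linux `sa_family_t` is an `unsigned short`, which shifts every later field by a byte, changes PFLOG_HDRLEN, and leaves DecodePflog reading `action`, `reason` and the IP payload at the wrong offsets when a pflog capture is replayed on Linux. Because this struct is laid directly over captured bytes it should use fixed-width types only, `u_int8_t af;`, and the leading `int8_t length;` should likewise be `u_int8_t length;` since a negative header length has no meaning. The struct also now carries its own `length` field that the decoder does not consult as far as this patch shows; the comment should state whether PFLOG_HDRLEN (the sizeof of the padded struct) or the header's `length` is authoritative, so a later kernel that grows the header is not silently parsed at a fixed offset.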
@@ -1177,6 +1199,7 @@
 void DecodeI4LCiscoIPPkt(Packet *, struct pcap_pkthdr *, u_int8_t *);
 void DecodeChdlcPkt(Packet *, struct pcap_pkthdr *, u_int8_t *);
 void DecodePflog(Packet *, struct pcap_pkthdr *, u_int8_t *);
+void DecodeOldPflog(Packet *, struct pcap_pkthdr *, u_int8_t *);
 void DecodeIP(u_int8_t *, const u_int32_t, Packet *);
 void DecodeARP(u_int8_t *, u_int32_t, Packet *);
 void DecodeEapol(u_int8_t *, u_int32_t, Packet *);
diff -u /home/async/src/snort-2.3.0RC1-ORIG/src/snort.c src/snort.c
--- /home/async/src/snort-2.3.0RC1-ORIG/src/snort.c Tue Oct 5 15:55:18 2004
+++ src/snort.c Thu Dec 2 23:00:32 2004
@@ -77,6 +77,8 @@
 #include "asn1.h"
 #include "inline.h"
+#define DLT_OLDPFLOG 17 /* bpf.h should have it, but dont have cause conflicts */
+
 /* G L O B A L S ************************************************************/
 extern OutputFuncNode *AlertList;
 extern OutputFuncNode *LogList;
@@ -1619,6 +1621,20 @@
 }
 grinder = DecodePflog;
+
+ break;
+#endif
+
+#ifdef DLT_OLDPFLOG
+ case DLT_OLDPFLOG:
+ if(!pv.readmode_flag)
+ {
+ if(!pv.quiet_flag)
+ LogMessage("Decoding old OpenBSD PF log on interface %s\n",
+ PRINT_INTERFACE(pv.interface));
+ }
+
+ grinder = DecodeOldPflog;
 break;
 #endif
-----Cut Here----
Thank you guys. Cheers, Breno Henrique Leitão http://lcr.icmc.usp.br -- Async Open Source +55 (16) 3361 2331 São Carlos, SP Brazil ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
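Review bot: `#define DLT_OLDPFLOG 17` in snort.c is unconditional, which makes the `#ifdef DLT_OLDPFLOG` around the new case in the following hunk always true and will raise a redefinition warning or error on any bpf.h that already defines the name; the comment mentions a conflict without saying which symbol it is. Wrapping it as `#ifndef DLT_OLDPFLOG` / `#define DLT_OLDPFLOG 17 /* OpenBSD's original pflog link type, superseded by DLT_PFLOG */` / `#endif` keeps the intent and lets the system header win. If the conflict is that the system ships the same value under another spelling (OpenBSD's bpf.h has `DLT_OLD_PFLOG`, if memory serves), aliasing that name instead of repeating the literal 17 keeps the two from ever disagreeing. The switch this case is added to starts and ends outside the hunk.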