snort patch to understand pflog (old and new)
From: leitao () async com br (Breno Leitão)
Date: Fri, 3 Dec 2004 18:28:23 -0200
On Thu, Dec 02, 2004 at 11:23:49PM -0200, Breno Leitão wrote:
Jeremy, we did the patch and it seems to be working. Now snort can understand both the new and the old pflog format.
Here is our patch. I will send it as an attachment, but I didn't know whether that is a good
idea. Sorry if I went about it the wrong way. :-)
-----Cut Here----
diff -u /home/async/src/snort-2.3.0RC1-ORIG/src/decode.c src/decode.c
--- /home/async/src/snort-2.3.0RC1-ORIG/src/decode.c Tue Oct 5 15:55:18 2004
+++ src/decode.c Thu Dec 2 22:56:07 2004
@@ -1079,6 +1079,79 @@
#endif /* DLT_LINUX_SLL */
/*
+ * Function: DecodeOldPflog(Packet *, struct pcap_pkthdr *, u_int8_t *)
+ *
+ * Purpose: Pass old pflog format device packets off to IP or IP6 -fleck
+ *
+ * Arguments: p => pointer to the decoded packet struct
+ * pkthdr => ptr to the packet header
+ * pkt => pointer to the packet data
+ *
+ * Returns: void function
+ *
+ */
+void DecodeOldPflog(Packet * p, struct pcap_pkthdr * pkthdr, u_int8_t * pkt)
+{
+ u_int32_t pkt_len; /* suprisingly, the length of the packet */
+ u_int32_t cap_len; /* caplen value */
+
+ bzero((char *) p, sizeof(Packet));
+
+ p->pkth = pkthdr;
+ p->pkt = pkt;
+
+ /* set the lengths we need */
+ pkt_len = pkthdr->len; /* total packet length */
+ cap_len = pkthdr->caplen; /* captured packet length */
+
+ if(snaplen < pkt_len)
+ pkt_len = cap_len;
+
+ DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n");
+ DebugMessage(DEBUG_DECODE, "caplen: %lu pktlen: %lu\n",
+ (unsigned long)cap_len, (unsigned long)pkt_len););
+
+ /* do a little validation */
+ if(p->pkth->caplen < OLDPFLOG_HDRLEN)
+ {
+ if(pv.verbose_flag)
+ {
+ ErrorMessage("Captured data length < Pflog header length! "
+ "(%d bytes)\n", p->pkth->caplen);
+ }
+ return;
+ }
+
+ /* lay the pf header structure over the packet data */
+ p->opfh = (OldPflogHdr *) pkt;
+
+ /* get the network type - should only be AF_INET or AF_INET6 */
+ switch(ntohl(p->opfh->af))
+ {
+ case AF_INET: /* IPv4 */
+ DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IP datagram size calculated to be %lu "
+ "bytes\n", (unsigned long)(cap_len - OLDPFLOG_HDRLEN)););
+
+ DecodeIP(p->pkt + OLDPFLOG_HDRLEN, cap_len - OLDPFLOG_HDRLEN, p);
+ return;
+
+#ifdef AF_INET6
+ case AF_INET6: /* IPv6 */
+ DecodeIPV6(p->pkt + OLDPFLOG_HDRLEN, (cap_len - OLDPFLOG_HDRLEN));
+ return;
+#endif
+
+ default:
+ /* To my knowledge, pflog devices can only
+ * pass IP and IP6 packets. -fleck
+ */
+ pc.other++;
+ return;
+ }
+
+ return;
+}
+/*
* Function: DecodePflog(Packet *, struct pcap_pkthdr *, u_int8_t *)
*
* Purpose: Pass pflog device packets off to IP or IP6 -fleck
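Review bot: DecodeOldPflog (wholly inside this hunk) is a near-verbatim copy of DecodePflog that differs only in the header type, the `OLDPFLOG_HDRLEN` constant and the `opfh` field, so the caplen validation and the address-family dispatch now exist in two places that must be kept in step. A `static` helper that takes the header length and the already host-ordered family value, called by each decoder after it lays its own header over `pkt`, would keep a single copy of the length check, which is the part that guards the payload offset arithmetic against short captures. Two smaller things in the new body: `pkt_len` is computed from `snaplen` and `caplen` but only ever printed under `DEBUG_WRAP`, and the `ErrorMessage` call prints `p->pkth->caplen` — stored in a `u_int32_t` a few lines above — with `%d`, which `-Wformat` flags; `"(%u bytes)\n"` matches the type. The `-fleck` attribution in the new function's header comment is carried over from DecodePflog and may not describe who wrote this one.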
@@ -1126,7 +1199,7 @@
p->pfh = (PflogHdr *) pkt;
/* get the network type - should only be AF_INET or AF_INET6 */
- switch(ntohl(p->pfh->af))
+ switch(p->pfh->af)
{
case AF_INET: /* IPv4 */
DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IP datagram size calculated to be %lu "
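Review bot: Dropping `ntohl` in `switch(p->pfh->af)` is only correct if `af` occupies a single byte, but the decode.h hunk that defines the new `_Pflog_hdr` declares it as `sa_family_t`, whose width is not fixed by the capture format (a single byte on the BSDs, but a 16-bit type in glibc), so on the latter the field sits at a different offset, the switch reads the wrong bytes and every later field of the header shifts. Declaring the field as `u_int8_t af;` in decode.h pins the on-disk layout and makes this one-byte read unambiguous both for live capture and for pcap files produced on another system. DecodePflog starts and ends outside this hunk.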
diff -u /home/async/src/snort-2.3.0RC1-ORIG/src/decode.h src/decode.h
--- /home/async/src/snort-2.3.0RC1-ORIG/src/decode.h Mon Sep 13 14:44:49 2004
+++ src/decode.h Thu Dec 2 21:54:56 2004
@@ -688,12 +688,12 @@
} SLLHdr;
-/* OpenBSD pf firewall pflog0 header
+/* Old OpenBSD pf firewall pflog0 header
* (information from pf source in kernel)
* the rule, reason, and action codes tell why the firewall dropped it -fleck
*/
-typedef struct _Pflog_hdr
+typedef struct _OldPflog_hdr
{
u_int32_t af;
char intf[IFNAMSIZ];
@@ -701,11 +701,31 @@
u_short reason;
u_short action;
u_short dir;
+} OldPflogHdr;
+
+#define OLDPFLOG_HDRLEN sizeof(struct _OldPflog_hdr)
+
+/* OpenBSD pf firewall pflog0 header
+ * (information from pf source in kernel)
+ * the rule, reason, and action codes tell why the firewall dropped it -fleck
+ */
+
+typedef struct _Pflog_hdr
+{
+ int8_t length;
+ sa_family_t af;
+ u_int8_t action;
+ u_int8_t reason;
+ char ifname[IFNAMSIZ];
+ char ruleset[16];
+ u_int32_t rulenr;
+ u_int32_t subrulenr;
+ u_int8_t dir;
+ u_int8_t pad[3];
} PflogHdr;
#define PFLOG_HDRLEN sizeof(struct _Pflog_hdr)
-
/*
* ssl_pkttype values.
*/
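Review bot: The new `_Pflog_hdr` carries a `length` field that nothing in the decode.c hunks reads; if it records the real header length written by the kernel, comparing `p->pfh->length` against `caplen` (and against `PFLOG_HDRLEN`) before the payload offset is applied would let the decoder reject a capture whose header does not match this struct instead of decoding IP from a wrong offset — a header field read from the capture is untrusted input like the rest of the packet. `int8_t length` is also the only signed byte-sized field in the struct; a length is naturally `u_int8_t length;`, and a negative value would compare unexpectedly against the unsigned caplen. A short comment on the struct saying which pf/pflog version this layout was taken from would help the next person who has to reconcile it with a kernel header.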
@@ -1064,6 +1084,8 @@
PflogHdr *pfh; /* OpenBSD pflog interface header */
+ OldPflogHdr *opfh; /* Old OpenBSD pflog interface header */
+
EtherHdr *eh; /* standard TCP/IP/Ethernet/ARP headers */
VlanTagHdr *vh;
EthLlc *ehllc;
@@ -1177,6 +1199,7 @@
void DecodeI4LCiscoIPPkt(Packet *, struct pcap_pkthdr *, u_int8_t *);
void DecodeChdlcPkt(Packet *, struct pcap_pkthdr *, u_int8_t *);
void DecodePflog(Packet *, struct pcap_pkthdr *, u_int8_t *);
+void DecodeOldPflog(Packet *, struct pcap_pkthdr *, u_int8_t *);
void DecodeIP(u_int8_t *, const u_int32_t, Packet *);
void DecodeARP(u_int8_t *, u_int32_t, Packet *);
void DecodeEapol(u_int8_t *, u_int32_t, Packet *);
diff -u /home/async/src/snort-2.3.0RC1-ORIG/src/snort.c src/snort.c
--- /home/async/src/snort-2.3.0RC1-ORIG/src/snort.c Tue Oct 5 15:55:18 2004
+++ src/snort.c Thu Dec 2 23:00:32 2004
@@ -77,6 +77,8 @@
#include "asn1.h"
#include "inline.h"
+#define DLT_OLDPFLOG 17 /* bpf.h should have it, but dont have cause conflicts */
+
/* G L O B A L S ************************************************************/
extern OutputFuncNode *AlertList;
extern OutputFuncNode *LogList;
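Review bot: `#define DLT_OLDPFLOG 17` is unconditional, so the `#ifdef DLT_OLDPFLOG` placed around the new `case DLT_OLDPFLOG:` in the later snort.c hunk can never be false and does not protect platforms where this value is unavailable or used for another link type; either drop that `#ifdef` or make the definition itself conditional on the platform's bpf.h. Low link-type numbers such as 17 have reportedly been assigned to other link types on some systems, so a capture from elsewhere with link type 17 would be handed to DecodeOldPflog and parsed as a pflog header; the comment should state which platform and pflog version the value was taken from rather than `bpf.h should have it, but dont have cause conflicts`, e.g. `/* old OpenBSD pflog link type; not defined by every bpf.h, so define it locally */`.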
@@ -1619,6 +1621,20 @@
}
grinder = DecodePflog;
+
+ break;
+#endif
+
+#ifdef DLT_OLDPFLOG
+ case DLT_OLDPFLOG:
+ if(!pv.readmode_flag)
+ {
+ if(!pv.quiet_flag)
+ LogMessage("Decoding old OpenBSD PF log on interface %s\n",
+ PRINT_INTERFACE(pv.interface));
+ }
+
+ grinder = DecodeOldPflog;
break;
#endif
-----Cut Here----
Thank you guys.
Cheers,
Breno Henrique Leitão
http://lcr.icmc.usp.br
--
Async Open Source
+55 (16) 3361 2331
São Carlos, SP
Brazil
