[Snort-devel] support current pflog format (>= OpenBSD 4.9)

Russ Combs rcombs at ...402...
Mon Mar 26 08:16:29 EDT 2012


Thanks, we'll take a look at it.

Russ

On Sun, Mar 25, 2012 at 2:17 AM, Ryan McBride <mcbride at ...76...> wrote:

> The pflog header format changed over a year ago (OpenBSD 4.9); here is a patch against Snort 2.9.2.1
> that adds support for the expanded pflog header size.
>
>
> --- decode.h.orig       Fri Jan 13 07:11:40 2012
> +++ decode.h    Sun Mar 25 14:22:47 2012
> @@ -797,13 +797,14 @@ typedef struct _SLLHdr {
>
>
>  /*
> - * Snort supports 3 versions of the OpenBSD pflog header:
> + * Snort supports 4 versions of the OpenBSD pflog header:
>  *
>  * Pflog1_Hdr:  CVS = 1.3,  DLT_OLD_PFLOG = 17,  Length = 28
>  * Pflog2_Hdr:  CVS = 1.8,  DLT_PFLOG     = 117, Length = 48
>  * Pflog3_Hdr:  CVS = 1.12, DLT_PFLOG     = 117, Length = 64
> + * Pflog4_Hdr:  CVS = 1.16, DLT_PFLOG     = 117, Length = 100
>  *
> - * Since they have the same DLT, Pflog{2,3}Hdr are distinguished
> + * Since they have the same DLT, Pflog{2,3,4}Hdr are distinguished
>  * by their actual length.  The minimum required length excludes
>  * padding.
>  */
> @@ -871,6 +872,33 @@ typedef struct _Pflog3_hdr
>  #define PFLOG3_HDRLEN (sizeof(struct _Pflog3_hdr))
>  #define PFLOG3_HDRMIN (PFLOG3_HDRLEN - PFLOG_PADLEN)
>
> +typedef struct _Pflog4_hdr
> +{
> +    uint8_t  length;
> +    uint8_t  af;
> +    uint8_t  action;
> +    uint8_t  reason;
> +    char     ifname[IFNAMSIZ];
> +    char     ruleset[PFLOG_RULELEN];
> +    uint32_t rulenr;
> +    uint32_t subrulenr;
> +    uint32_t uid;
> +    uint32_t pid;
> +    uint32_t rule_uid;
> +    uint32_t rule_pid;
> +    uint8_t  dir;
> +    uint8_t  rewritten;
> +    uint8_t  naf;
> +    u_int8_t pad[1];
> +    uint8_t  saddr[16];
> +    uint8_t  daddr[16];
> +    uint16_t sport;
> +    uint16_t dport;
> +} Pflog4Hdr;
> +
> +#define PFLOG4_HDRLEN (sizeof(struct _Pflog4_hdr))
> +#define PFLOG4_HDRMIN (PFLOG4_HDRLEN)  /* no trailing padding */
> +
>  /*
>  * ssl_pkttype values.
>  */
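Review bot: `u_int8_t pad[1];` is the only member of the new Pflog4Hdr that uses the BSD `u_int8_t` typedef; every other field in the struct uses C99 `uint8_t`, and `u_int8_t` is not guaranteed to be defined on the non-BSD hosts Snort builds on, so it should read `uint8_t  pad[1];`. The "Length = 100" quoted in the header comment holds only when IFNAMSIZ and PFLOG_RULELEN are both 16 and the compiler inserts no padding — the field order (the uint32_t run starting at offset 36, the single `pad` byte bringing the section before `saddr` to 64) gives that on common ABIs, but nothing in the patch checks it. Since PFLOG4_HDRMIN is the only HDRMIN macro that does not subtract PFLOG_PADLEN, a comment above the struct such as `/* 100 bytes on OpenBSD 4.9+: the pad byte sits mid-struct, so there is no trailing padding and PFLOG4_HDRMIN == sizeof */` would explain the difference to the next reader.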
> @@ -1760,6 +1788,7 @@ typedef struct _Packet
>     Pflog1Hdr *pf1h;            /* OpenBSD pflog interface header -
> version 1 */
>     Pflog2Hdr *pf2h;            /* OpenBSD pflog interface header -
> version 2 */
>     Pflog3Hdr *pf3h;            /* OpenBSD pflog interface header -
> version 3 */
> +    Pflog4Hdr *pf4h;            /* OpenBSD pflog interface header -
> version 4 */
>
>  #ifdef DLT_LINUX_SLL
>     const SLLHdr *sllh;         /* Linux cooked sockets header */
> --- decode.c.orig       Fri Jan 13 07:11:40 2012
> +++ decode.c    Sun Mar 25 14:22:51 2012
> @@ -6865,20 +6865,36 @@ void DecodePflog(Packet * p, const DAQ_PktHdr_t *
> pkth
>         return;
>     }
>     /* lay the pf header structure over the packet data */
> -    if ( *((uint8_t*)pkt) < PFLOG3_HDRMIN )
> +    switch(*((uint8_t*)pkt))
>     {
> -        p->pf2h = (Pflog2Hdr*)pkt;
> -        pflen = p->pf2h->length;
> -        hlen = PFLOG2_HDRLEN;
> -        af = p->pf2h->af;
> +        case PFLOG2_HDRMIN:
> +            p->pf2h = (Pflog2Hdr*)pkt;
> +            pflen = p->pf2h->length;
> +            hlen = PFLOG2_HDRLEN;
> +            af = p->pf2h->af;
> +            break;
> +        case PFLOG3_HDRMIN:
> +            p->pf3h = (Pflog3Hdr*)pkt;
> +            pflen = p->pf3h->length;
> +            hlen = PFLOG3_HDRLEN;
> +            af = p->pf3h->af;
> +            break;
> +        case PFLOG4_HDRMIN:
> +            p->pf4h = (Pflog4Hdr*)pkt;
> +            pflen = p->pf4h->length;
> +            hlen = PFLOG4_HDRLEN;
> +            af = p->pf4h->af;
> +            break;
> +        default:
> +            if (ScLogVerbose())
> +            {
> +                ErrorMessage("unrecognized pflog header length! "
> +                        "(%d)\n", *((uint8_t*)pkt));
> +            }
> +            PREPROC_PROFILE_END(decodePerfStats);
> +            return;
>     }
> -    else
> -    {
> -        p->pf3h = (Pflog3Hdr*)pkt;
> -        pflen = p->pf3h->length;
> -        hlen = PFLOG3_HDRLEN;
> -        af = p->pf3h->af;
> -    }
> +
>     /* now that we know a little more, do a little more validation */
>     if(cap_len < hlen)
>     {
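Review bot: The switch now requires the pflog length byte to equal PFLOG2_HDRMIN, PFLOG3_HDRMIN or PFLOG4_HDRMIN exactly, where the code it replaces treated any value below PFLOG3_HDRMIN as version 2 and everything else as version 3; a capture whose first byte matches none of them (a future pflog revision, or a replayed pcap with a corrupted or crafted byte) now reaches `default` and is dropped rather than being overlaid with the nearest struct, which is the safer choice for a byte read straight from the packet but is a behaviour change that deserves a comment on the switch. The drop is only reported under verbose logging and the message does not say what was expected; `ErrorMessage("unrecognized pflog header length! (%d, expected %d, %d or %d)\n", *((uint8_t*)pkt), (int)PFLOG2_HDRMIN, (int)PFLOG3_HDRMIN, (int)PFLOG4_HDRMIN);` would make a field report actionable. The length byte is dereferenced before `cap_len` is compared with `hlen`, so the guard whose `return;` opens the hunk (its condition lies above the visible lines) must already guarantee at least one captured byte, and DecodePflog continues past the hunk, where any later pflen-versus-hlen padding check presumably has to accept pflen == hlen for version 4.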
>
>