Date: Wed, 13 May 2015 00:17:57 +0000 (UTC) From: Kubilay Kocak <koobs@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r386186 - in head/security/suricata: . files Message-ID: <201505130017.t4D0Hvxf088786@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: koobs Date: Wed May 13 00:17:57 2015 New Revision: 386186 URL: https://svnweb.freebsd.org/changeset/ports/386186 Log: security/suricata: Add PPPoE support Backport upstream Pull Request #1416 [1] adding support for LINKTYPE_NULL. [1] https://github.com/inliniac/suricata/pull/1416 [2] https://redmine.openinfosecfoundation.org/issues/1445 Submitted by: Bill Meeks <bmeeks8 bellsouth net> (via gnn) Added: head/security/suricata/files/patch-PR1416 (contents, props changed) Modified: head/security/suricata/Makefile Modified: head/security/suricata/Makefile ============================================================================== --- head/security/suricata/Makefile Tue May 12 23:56:46 2015 (r386185) +++ head/security/suricata/Makefile Wed May 13 00:17:57 2015 (r386186) @@ -3,6 +3,7 @@ PORTNAME= suricata PORTVERSION= 2.0.8 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= http://www.openinfosecfoundation.org/download/ \ http://mirrors.rit.edu/zi/ Added: head/security/suricata/files/patch-PR1416 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/suricata/files/patch-PR1416 Wed May 13 00:17:57 2015 (r386186) @@ -0,0 +1,264 @@ +#From d3b1545e77fc75bdc2ba2e39e307c36b4683d237 Mon Sep 17 00:00:00 2001 +#From: Victor Julien <victor@inliniac.net> +#Subject: [PATCH] pcap: implement LINKTYPE_NULL +# Implement LINKTYPE_NULL for pcap live and pcap file. +# https://github.com/inliniac/suricata/pull/1416 + +diff -rupN ./rules/decoder-events.rules ./rules.new/decoder-events.rules +--- ./rules/decoder-events.rules 2015-02-25 07:31:10.000000000 -0500 ++++ ./rules.new/decoder-events.rules 2015-04-16 21:32:05.000000000 -0400 +@@ -116,5 +116,10 @@ alert pkthdr any any -> any any (msg:"SU + alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 packet too short"; decode-event:ipv6.ipv6_in_ipv6_too_small; sid:2200084; rev:1;) + alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 invalid protocol"; decode-event:ipv6.ipv6_in_ipv6_wrong_version; sid:2200085; rev:1;) + +-# next sid is 2200098 ++# linktype null ++alert pkthdr any any -> any any (msg:"SURICATA NULL pkt too small"; decode-event:ltnull.pkt_too_small; sid: 2200103; rev:1;) ++# packet has type not supported by Suricata's decoders ++alert pkthdr any any -> any any (msg:"SURICATA NULL unsupported type"; decode-event:ltnull.unsupported_type; sid: 2200104; rev:1;) ++ ++# next sid is 2200105 + +diff -rupN ./src/Makefile.am new/src/Makefile.am +--- ./src/Makefile.am 2015-02-25 07:31:10.000000000 -0500 ++++ ./src.new/Makefile.am 2015-04-16 21:33:58.000000000 -0400 +@@ -47,6 +47,7 @@ decode-icmpv4.c decode-icmpv4.h \ + decode-icmpv6.c decode-icmpv6.h \ + decode-ipv4.c decode-ipv4.h \ + decode-ipv6.c decode-ipv6.h \ ++decode-null.c decode-null.h \ + decode-ppp.c decode-ppp.h \ + decode-pppoe.c decode-pppoe.h \ + decode-raw.c decode-raw.h \ +diff -rupN ./src/decode-events.h ./src.new/decode-events.h +--- ./src/decode-events.h 2015-02-25 07:31:10.000000000 -0500 ++++ ./src.new/decode-events.h 2015-04-16 21:36:01.000000000 -0400 +@@ -145,6 +145,10 @@ enum { + /* RAW EVENTS */ + IPRAW_INVALID_IPV, /**< invalid ip version in ip raw */ + ++ /* LINKTYPE NULL EVENTS */ ++ LTNULL_PKT_TOO_SMALL, /**< pkt too small for lt:null */ ++ LTNULL_UNSUPPORTED_TYPE, /**< pkt has a type that the decoder doesn't support */ ++ + /* STREAM EVENTS */ + STREAM_3WHS_ACK_IN_WRONG_DIR, + STREAM_3WHS_ASYNC_WRONG_SEQ, +diff -rupN ./src/decode-null.c ./src.new/decode-null.c +--- ./src/decode-null.c 1969-12-31 19:00:00.000000000 -0500 ++++ ./src.new/decode-null.c 2015-04-16 20:53:44.000000000 -0400 +@@ -0,0 +1,89 @@ ++/* Copyright (C) 2015 Open Information Security Foundation ++ * ++ * You can copy, redistribute or modify this Program under the terms of ++ * the GNU General Public License version 2 as published by the Free ++ * Software Foundation. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * version 2 along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA ++ * 02110-1301, USA. ++ */ ++ ++/** ++ * \ingroup decode ++ * ++ * @{ ++ */ ++ ++ ++/** ++ * \file ++ * ++ * \author Victor Julien <victor@inliniac.net> ++ * ++ * Decode linkype null: ++ * http://www.tcpdump.org/linktypes.html ++ */ ++ ++#include "suricata-common.h" ++#include "decode.h" ++#include "decode-raw.h" ++#include "decode-events.h" ++ ++#include "util-unittest.h" ++#include "util-debug.h" ++ ++#include "pkt-var.h" ++#include "util-profiling.h" ++#include "host.h" ++ ++#define HDR_SIZE 4 ++ ++int DecodeNull(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq) ++{ ++ SCPerfCounterIncr(dtv->counter_null, tv->sc_perf_pca); ++ ++ if (unlikely(len < HDR_SIZE)) { ++ ENGINE_SET_INVALID_EVENT(p, LTNULL_PKT_TOO_SMALL); ++ return TM_ECODE_FAILED; ++ } ++ ++ uint32_t type = *((uint32_t *)pkt); ++ switch(type) { ++ case AF_INET: ++ SCLogDebug("IPV4 Packet"); ++ DecodeIPV4(tv, dtv, p, GET_PKT_DATA(p)+HDR_SIZE, GET_PKT_LEN(p)-HDR_SIZE, pq); ++ break; ++ case AF_INET6: ++ SCLogDebug("IPV6 Packet"); ++ DecodeIPV6(tv, dtv, p, GET_PKT_DATA(p)+HDR_SIZE, GET_PKT_LEN(p)-HDR_SIZE, pq); ++ break; ++ default: ++ SCLogDebug("Unknown Null packet type version %" PRIu32 "", type); ++ ENGINE_SET_EVENT(p, LTNULL_UNSUPPORTED_TYPE); ++ break; ++ } ++ return TM_ECODE_OK; ++} ++ ++#ifdef UNITTESTS ++ ++#endif /* UNITTESTS */ ++ ++/** ++ * \brief Registers Null unit tests ++ */ ++void DecodeNullRegisterTests(void) ++{ ++#ifdef UNITTESTS ++#endif /* UNITTESTS */ ++} ++/** ++ * @} ++ */ +diff -rupN ./src/decode-null.h ./src.new/decode-null.h +--- ./src/decode-null.h 1969-12-31 19:00:00.000000000 -0500 ++++ ./src.new/decode-null.h 2015-04-16 20:53:44.000000000 -0400 +@@ -0,0 +1,28 @@ ++/* Copyright (C) 2007-2010 Open Information Security Foundation ++ * ++ * You can copy, redistribute or modify this Program under the terms of ++ * the GNU General Public License version 2 as published by the Free ++ * Software Foundation. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * version 2 along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA ++ * 02110-1301, USA. ++ */ ++ ++/** ++ * \file ++ * ++ * \author Victor Julien <victor@inliniac.net> ++ */ ++ ++#ifndef __DECODE_NULL_H__ ++#define __DECODE_NULL_H__ ++void DecodeNullRegisterTests(void); ++#endif /* __DECODE_NULL_H__ */ ++ +diff -rupN ./src/decode.c ./src.new/decode.c +--- ./src/decode.c 2015-02-25 07:31:10.000000000 -0500 ++++ ./src.new/decode.c 2015-04-16 21:38:28.000000000 -0400 +@@ -387,6 +387,8 @@ void DecodeRegisterPerfCounters(DecodeTh + SC_PERF_TYPE_UINT64, "NULL"); + dtv->counter_raw = SCPerfTVRegisterCounter("decoder.raw", tv, + SC_PERF_TYPE_UINT64, "NULL"); ++ dtv->counter_null = SCPerfTVRegisterCounter("decoder.null", tv, ++ SC_PERF_TYPE_UINT64, "NULL"); + dtv->counter_sll = SCPerfTVRegisterCounter("decoder.sll", tv, + SC_PERF_TYPE_UINT64, "NULL"); + dtv->counter_tcp = SCPerfTVRegisterCounter("decoder.tcp", tv, +diff -rupN ./src/decode.h ./src.new/decode.h +--- ./src/decode.h 2015-02-25 07:31:10.000000000 -0500 ++++ ./src.new/decode.h 2015-04-16 21:42:38.000000000 -0400 +@@ -78,6 +78,7 @@ enum PktSrcEnum { + #include "decode-udp.h" + #include "decode-sctp.h" + #include "decode-raw.h" ++#include "decode-null.h" + #include "decode-vlan.h" + + #include "detect-reference.h" +@@ -576,6 +577,7 @@ typedef struct DecodeThreadVars_ + uint16_t counter_eth; + uint16_t counter_sll; + uint16_t counter_raw; ++ uint16_t counter_null; + uint16_t counter_tcp; + uint16_t counter_udp; + uint16_t counter_sctp; +@@ -821,6 +823,7 @@ int DecodePPP(ThreadVars *, DecodeThread + int DecodePPPOESession(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *); + int DecodePPPOEDiscovery(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *); + int DecodeTunnel(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *, uint8_t) __attribute__ ((warn_unused_result)); ++int DecodeNull(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *); + int DecodeRaw(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *); + int DecodeIPV4(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *); + int DecodeIPV6(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *); +@@ -921,8 +924,13 @@ void AddressDebugPrint(Address *); + #endif + #endif + ++#ifndef DLT_NULL ++#define DLT_NULL 0 ++#endif ++ + /** libpcap shows us the way to linktype codes + * \todo we need more & maybe put them in a separate file? */ ++#define LINKTYPE_NULL DLT_NULL + #define LINKTYPE_ETHERNET DLT_EN10MB + #define LINKTYPE_LINUX_SLL 113 + #define LINKTYPE_PPP 9 +diff -rupN ./src/detect-engine-event.h ./src.new/detect-engine-event.h +--- ./src/detect-engine-event.h 2015-02-25 07:31:10.000000000 -0500 ++++ ./src.new/detect-engine-event.h 2015-04-16 21:44:38.000000000 -0400 +@@ -154,6 +154,10 @@ struct DetectEngineEvents_ { + /* RAW EVENTS */ + { "ipraw.invalid_ip_version",IPRAW_INVALID_IPV, }, + ++ /* LINKTYPE NULL EVENTS */ ++ { "ltnull.pkt_too_small", LTNULL_PKT_TOO_SMALL, }, ++ { "ltnull.unsupported_type", LTNULL_UNSUPPORTED_TYPE, }, ++ + /* STREAM EVENTS */ + { "stream.3whs_ack_in_wrong_dir", STREAM_3WHS_ACK_IN_WRONG_DIR, }, + { "stream.3whs_async_wrong_seq", STREAM_3WHS_ASYNC_WRONG_SEQ, }, +diff -rupN ./src/source-pcap-file.c ./src.new/source-pcap-file.c +--- ./src/source-pcap-file.c 2015-02-25 07:31:12.000000000 -0500 ++++ ./src.new/source-pcap-file.c 2015-04-16 21:47:27.000000000 -0400 +@@ -320,6 +320,9 @@ TmEcode ReceivePcapFileThreadInit(Thread + case LINKTYPE_RAW: + pcap_g.Decoder = DecodeRaw; + break; ++ case LINKTYPE_NULL: ++ pcap_g.Decoder = DecodeNull; ++ break; + + default: + SCLogError(SC_ERR_UNIMPLEMENTED, "datalink type %" PRId32 " not " +diff -rupN ./src/source-pcap.c ./src.new/source-pcap.c +--- ./src/source-pcap.c 2015-02-25 07:31:12.000000000 -0500 ++++ ./src.new/source-pcap.c 2015-04-16 21:46:10.000000000 -0400 +@@ -741,6 +741,9 @@ TmEcode DecodePcap(ThreadVars *tv, Packe + case LINKTYPE_RAW: + DecodeRaw(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq); + break; ++ case LINKTYPE_NULL: ++ DecodeNull(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq); ++ break; + default: + SCLogError(SC_ERR_DATALINK_UNIMPLEMENTED, "Error: datalink type %" PRId32 " not yet supported in module DecodePcap", p->datalink); + break;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201505130017.t4D0Hvxf088786>