Restore old barnyard2 support.

Some old version of barnyard2 were needing a workaround in the packet header building. THis patch introduces a enable-old-barnyard2 configure flag which can be used to restore this behaviour.
14 years ago · 50ddd2df43
parent 2f24987f15
commit 50ddd2df43
2 changed files with 30 additions and 0 deletions
--- a/configure.in
+++ b/configure.in
@ -804,6 +804,13 @@ AC_CHECK_HEADER(pcap.h,,[AC_ERROR(pcap.h not found ...)])
        CFLAGS="${CFLAGS} -DUNIFIED_NATIVE_TIMEVAL"
    ])

+# enable workaround for old barnyard2 for unified alert output
+    AC_ARG_ENABLE(old-barnyard2,
+           AS_HELP_STRING([--enable-old-barnyard2], [Use workaround for old barnyard2 in unified2 output]),,[enable_old_barnyard2=no])
+    AS_IF([test "x$enable_old_barnyard2" = "xyes"], [
+        CFLAGS="${CFLAGS} -DHAVE_OLD_BARNYARD2"
+    ])
+
 # enable debug output
    AC_ARG_ENABLE(debug,
           AS_HELP_STRING([--enable-debug], [Enable debug output]),,[enable_debug=no])
@ -1057,6 +1064,7 @@ Suricata Configuration:
  GCC march native enabled: ${enable_gccmarch_native}
  GCC Profile enabled:      ${enable_gccprofile}
  Unified native time:      ${enable_unified_native_timeval}
+  Old barnyard2 support:    ${enable_old_barnyard2}
  Non-bundled htp:          ${enable_non_bundled_htp}
  PCRE jit:                 ${enable_pcre_jit}
 "
--- a/src/alert-unified2-alert.c
+++ b/src/alert-unified2-alert.c
@ -689,6 +689,28 @@ int Unified2PacketTypeAlert (Unified2AlertThread *aun, Packet *p, void *stream,
        aun->offset = len;
        len += GET_PKT_LEN(p);
        aun->length = len;
+
+#ifdef HAVE_OLD_BARNYARD2
+        /* Fake datalink to avoid bug with old barnyard2 */
+        if (PKT_IS_IPV6(p) && (!p->ethh)) {
+            /* Fake this */
+            ethh_offset = 14;
+            datalink = DLT_EN10MB;
+            phdr->linktype = htonl(datalink);
+            aun->length += ethh_offset;
+            if (aun->length > aun->datalen) {
+                SCLogError(SC_ERR_INVALID_VALUE, "len is too big for thread data: %d vs %d",
+                        len, aun->datalen - aun->offset);
+                return -1;
+            }
+            ethhdr.eth_type = htons(ETHERNET_TYPE_IPV6);
+            ethhdr.eth_type = htons(ETHERNET_TYPE_IP);
+
+            memcpy(aun->data + aun->offset, &ethhdr, 14);
+            aun->offset += ethh_offset;
+        }
+#endif
+
        if (len > aun->datalen) {
            SCLogError(SC_ERR_INVALID_VALUE, "len is too big for thread data: %d vs %d",
                    len, aun->datalen - aun->offset);