udp decoding added icmp unreachables added to reject

17 years ago · 7006085195
parent 3f7195454b
commit 7006085195
11 changed files with 210 additions and 14560 deletions
--- a/aclocal.m4
+++ b/aclocal.m4
--- a/7008
+++ b/7008
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -10,6 +10,7 @@ decode-ipv6.c decode-ipv6.h \
 decode-icmpv4.c decode-icmpv4.h \
 decode-icmpv6.c decode-icmpv6.h \
 decode-tcp.c decode-tcp.h \
+decode-udp.c decode-udp.h \
 flow.c flow.h \
 flow-queue.c flow-queue.h \
 flow-hash.c flow-hash.h \
--- a/src/decode-events.h
+++ b/src/decode-events.h
@ -30,6 +30,11 @@ enum {
    TCP_OPT_INVALID_LEN,
    TCP_OPT_DUPLICATE, /* option length isn't right */

+    /* UDP EVENTS */
+    UDP_PKT_TOO_SMALL,
+    UDP_HLEN_TOO_SMALL,
+    UDP_HLEN_INVALID,
+
 };

 #endif /* __DECODE_EVENTS_H__ */
--- a/src/decode-ipv4.c
+++ b/src/decode-ipv4.c
@ -88,6 +88,7 @@ void DecodeIPV4(ThreadVars *t, Packet *p, u_int8_t *pkt, u_int16_t len)
            break;
        case IPPROTO_UDP:
            //printf("DecodeIPV4: next layer is UDP\n");
+        	return(DecodeUDP(t, p, pkt + IPV4_GET_HLEN(p), len - IPV4_GET_HLEN(p)));
            break;
        case IPPROTO_ICMP:
            //printf("DecodeIPV4: next layer is ICMP\n");
--- a/src/decode-udp.c
+++ b/src/decode-udp.c
@ -0,0 +1,48 @@
+/* Copyright (c) 2008 Victor Julien <victor@inliniac.net> */
+
+#include "decode.h"
+#include "decode-udp.h"
+#include "decode-events.h"
+
+static int DecodeUDPPacket(ThreadVars *t, Packet *p, u_int8_t *pkt, u_int16_t len)
+{
+    p->udph = (UDPHdr *)pkt;
+
+    if (len < UDP_GET_LEN(p)) {
+        DECODER_SET_EVENT(p, UDP_PKT_TOO_SMALL);
+        return -1;
+    }
+
+    if (len < UDP_HEADER_LEN) {
+        DECODER_SET_EVENT(p, UDP_HLEN_TOO_SMALL);
+        return -1;
+    }
+
+    if (len != UDP_GET_LEN(p)) {
+        DECODER_SET_EVENT(p, UDP_HLEN_INVALID);
+        return -1;
+    }
+
+    SET_UDP_SRC_PORT(p,&p->sp);
+    SET_UDP_DST_PORT(p,&p->dp);
+
+    p->tcp_payload = pkt + UDP_HEADER_LEN;
+    p->tcp_payload_len = len - UDP_HEADER_LEN;
+
+    p->proto = IPPROTO_UDP;
+
+    return 0;
+}
+
+void DecodeUDP(ThreadVars *t, Packet *p, u_int8_t *pkt, u_int16_t len)
+{
+    if (DecodeUDPPacket(t, p,pkt,len) < 0)
+        return;
+
+#ifdef DEBUG
+    printf("UDP sp: %u -> dp: %u - HLEN: %u LEN: %u TEST: %u\n",
+        UDP_GET_SRC_PORT(p), UDP_GET_DST_PORT(p), UDP_HEADER_LEN, p->tcp_payload_len);
+#endif
+
+    return;
+}
--- a/src/decode-udp.h
+++ b/src/decode-udp.h
@ -0,0 +1,31 @@
+/* Copyright (c) 2008 Victor Julien <victor@inliniac.net> */
+
+#ifndef __DECODE_UDP_H__
+#define __DECODE_UDP_H__
+
+#define UDP_HEADER_LEN         8
+
+#define UDP_GET_RAW_LEN(udph)                ntohs((udph)->uh_len)
+#define UDP_GET_RAW_SRC_PORT(udph)           ntohs((udph)->uh_sport)
+#define UDP_GET_RAW_DST_PORT(udph)           ntohs((udph)->uh_dport)
+
+#define UDP_GET_LEN(p)                       UDP_GET_RAW_LEN(p->udph)
+#define UDP_GET_SRC_PORT(p)                  UDP_GET_RAW_SRC_PORT(p->udph)
+#define UDP_GET_DST_PORT(p)                  UDP_GET_RAW_DST_PORT(p->udph)
+
+/* UDP header structure */
+typedef struct _UDPHdr
+{
+	u_int16_t uh_sport;  /* source port */
+	u_int16_t uh_dport;  /* destination port */
+	u_int16_t uh_len;    /* length */
+	u_int16_t uh_sum;    /* checksum */
+} UDPHdr;
+
+typedef struct _UDPVars
+{
+    u_int8_t hlen;
+}
+UDPVars;
+
+#endif /* __DECODE_UDP_H__ */
--- a/src/decode.h
+++ b/src/decode.h
@ -38,6 +38,7 @@
 #include "decode-icmpv4.h"
 #include "decode-icmpv6.h"
 #include "decode-tcp.h"
+#include "decode-udp.h"

 /* Address */
 typedef struct _Address
@ -50,8 +51,8 @@ typedef struct _Address
    } address;
 } Address;

-#define addr_data32 address.address_un_data32 
-#define addr_data16 address.address_un_data16 
+#define addr_data32 address.address_un_data32
+#define addr_data16 address.address_un_data16
 #define addr_data8  address.address_un_data8

 /* Set the IPv4 addressesinto the Addrs of the Packet.
@ -97,6 +98,14 @@ typedef struct _Address
 #define SET_TCP_DST_PORT(pkt,prt) { \
    SET_PORT(TCP_GET_DST_PORT((pkt)), *prt); \
 }
+/* Set the UDP ports into the Ports of the Packet.
+ * Make sure p->udph is initialized and validated. */
+#define SET_UDP_SRC_PORT(pkt,prt) { \
+    SET_PORT(UDP_GET_SRC_PORT((pkt)), *prt); \
+}
+#define SET_UDP_DST_PORT(pkt,prt) { \
+    SET_PORT(UDP_GET_DST_PORT((pkt)), *prt); \
+}

 #define GET_IPV4_SRC_ADDR_U32(p) ((p)->src.addr_data32[0])
 #define GET_IPV4_DST_ADDR_U32(p) ((p)->dst.addr_data32[0])
@ -123,8 +132,7 @@ typedef u_int16_t Port;
 #define PKT_IS_IPV4(p) (((p)->ip4h != NULL))
 #define PKT_IS_IPV6(p) (((p)->ip6h != NULL))
 #define PKT_IS_TCP(p)  (((p)->tcph != NULL))
-/* XXX */
-#define PKT_IS_UDP(p)  (0)
+#define PKT_IS_UDP(p)  (((p)->udph != NULL))
 #define PKT_IS_ICMPV4  (((p)->icmpv4 != NULL))
 #define PKT_IS_ICMPV6  (((p)->icmpv6 != NULL))

@ -164,7 +172,7 @@ typedef struct _HttpUri {

 typedef struct _Packet
 {
-    /* Addresses, Ports and protocol 
+    /* Addresses, Ports and protocol
     * these are on top so we can use
     * the Packet as a hash key */
    Address src;
@ -224,6 +232,11 @@ typedef struct _Packet
    u_int8_t *tcp_payload;
    u_int16_t tcp_payload_len;

+    UDPHdr *udph;
+    UDPVars udpvars;
+    u_int8_t *udp_payload;
+    u_int16_t udp_payload_len;
+
    /* decoder events: review how many events we have */
    u_int8_t events[65535/8];

@ -248,7 +261,7 @@ typedef struct _Packet
 } Packet;

 /* clear key vars so we don't need to call the expensive
- * memset or bzero 
+ * memset or bzero
 */
 #define CLEAR_PACKET(p) { \
    if ((p)->tcph != NULL) { \
@ -311,6 +324,7 @@ void DecodeIPV6(ThreadVars *, Packet *, u_int8_t *, u_int16_t);
 void DecodeICMPV4(ThreadVars *, Packet *, u_int8_t *, u_int16_t);
 void DecodeICMPV6(ThreadVars *, Packet *, u_int8_t *, u_int16_t);
 void DecodeTCP(ThreadVars *, Packet *, u_int8_t *, u_int16_t);
+void DecodeUDP(ThreadVars *, Packet *, u_int8_t *, u_int16_t);
 void DecodeHTTP(ThreadVars *, Packet *, u_int8_t *, u_int16_t);

 Packet *SetupPkt (void);
--- a/src/respond-reject-libnet11.c
+++ b/src/respond-reject-libnet11.c
@ -18,6 +18,7 @@
 #include "decode.h"
 #include "decode-ipv4.h"
 #include "decode-tcp.h"
+#include "decode-udp.h"
 #include "packet-queue.h"
 #include "threads.h"
 #include "threadvars.h"
@ -38,6 +39,7 @@ typedef struct _Libnet11Packet
    struct in6_addr src6, dst6;
    u_int32_t src4, dst4;
    u_int16_t sp, dp;
+    size_t len;
 } Libnet11Packet;

 int RejectSendLibnet11L3IPv4TCP(ThreadVars *tv, Packet *p, void *data, int dir) {
@ -48,7 +50,7 @@ int RejectSendLibnet11L3IPv4TCP(ThreadVars *tv, Packet *p, void *data, int dir)
    char ebuf[LIBNET_ERRBUF_SIZE];
    libnet_ptag_t t;
    int result;
-    
+
    /* fill in struct defaults */
    lpacket.ttl = 0;
    lpacket.id = 0;
@ -61,10 +63,6 @@ int RejectSendLibnet11L3IPv4TCP(ThreadVars *tv, Packet *p, void *data, int dir)
        return 1;
    }

-    /* shut up a compiler warning
-    lpacket.src4.s_addr = 0;
-    lpacket.dst4.s_addr = 0;
-    */
    if (p->tcph == NULL)
       return 1;

@ -78,7 +76,7 @@ int RejectSendLibnet11L3IPv4TCP(ThreadVars *tv, Packet *p, void *data, int dir)

        lpacket.sp = TCP_GET_DST_PORT(p);
        lpacket.dp = TCP_GET_SRC_PORT(p);
-      
+
        lpacket.src4 = GET_IPV4_DST_ADDR_U32(p);
        lpacket.dst4 = GET_IPV4_SRC_ADDR_U32(p);
    }
@ -153,3 +151,85 @@ cleanup:
    return 0;
 }

+int RejectSendLibnet11L3IPv4ICMP(ThreadVars *tv, Packet *p, void *data, int dir) {
+    printf("going to send a ICMP host unreachable\n");
+    Libnet11Packet lpacket;
+
+    libnet_t *c; /* libnet context */
+    char ebuf[LIBNET_ERRBUF_SIZE];
+    libnet_ptag_t t;
+    int result;
+
+    /* fill in struct defaults */
+    lpacket.ttl = 0;
+    lpacket.id = 0;
+    lpacket.flow = 0;
+    lpacket.class = 0;
+
+    lpacket.len = (IPV4_GET_HLEN(p) + p->tcp_payload_len);
+    if ((c = libnet_init (LIBNET_RAW4, NULL, ebuf)) == NULL){
+        printf("RejectSendLibnet11L3IPv4ICMP libnet_init %s\n", ebuf);
+        return 1;
+    }
+
+    if (dir == REJECT_DIR_SRC) {
+        lpacket.src4 = GET_IPV4_DST_ADDR_U32(p);
+        lpacket.dst4 = GET_IPV4_SRC_ADDR_U32(p);
+    }
+    else if (dir == REJECT_DIR_DST) {
+        lpacket.src4 = GET_IPV4_SRC_ADDR_U32(p);
+        lpacket.dst4 = GET_IPV4_DST_ADDR_U32(p);
+
+    } else {
+        printf ("reset not src or dst returning\n");
+        return 1;
+    }
+
+    /* TODO come up with ttl calc function */
+    lpacket.ttl = 64;
+
+    /* build the package */
+    if ((t = libnet_build_icmpv4_unreach (
+                               3,                       /* type */
+                               10,                      /* code */
+                               0,                       /* checksum */
+                               p->ip4h,                 /* payload */
+                               lpacket.len,             /* payload length */
+                               c,                       /* libnet context */
+                               0)) < 0)                 /* libnet ptag */
+    {
+        printf("RejectSendLibnet11L3IPv4ICMP libnet_build_icmpv4_unreach %s\n", libnet_geterror(c));
+        goto cleanup;
+    }
+
+    if((t = libnet_build_ipv4(
+                        LIBNET_ICMPV4_H + LIBNET_IPV4_H +
+                        lpacket.len,                    /* entire packet length */
+                        0,                              /* tos */
+                        lpacket.id,                     /* ID */
+                        0,                              /* fragmentation flags and offset */
+                        lpacket.ttl,                    /* TTL */
+                        IPPROTO_ICMP,                   /* protocol */
+                        0,                              /* checksum */
+                        lpacket.src4,                   /* source address */
+                        lpacket.dst4,                   /* destination address */
+                        NULL,                           /* pointer to packet data (or NULL) */
+                        0,                              /* payload length */
+                        c,                              /* libnet context pointer */
+                        0)) < 0)                        /* packet id */
+    {
+        printf("RejectSendLibnet11L3IPv4ICMP %s\n", libnet_geterror(c));
+        goto cleanup;
+    }
+
+    result = libnet_write(c);
+    if (result == -1) {
+        printf("RejectSendLibnet11L3IPv4ICMP libnet_write_raw_ipv4 failed: %s\n", libnet_geterror(c));
+        goto cleanup;
+    }
+
+cleanup:
+    libnet_destroy (c);
+    return 0;
+}
+
--- a/src/respond-reject-libnet11.h
+++ b/src/respond-reject-libnet11.h
@ -4,5 +4,5 @@
 #define __RESPOND_REJECT_LIBNET11_H__

 int RejectSendLibnet11L3IPv4TCP(ThreadVars *, Packet *, void *,int);
-
+int RejectSendLibnet11L3IPv4ICMP(ThreadVars *, Packet *, void *,int);
 #endif /* __RESPOND_REJECT_LIBNET11_H__ */
--- a/src/respond-reject.c
+++ b/src/respond-reject.c
@ -4,7 +4,7 @@
 *
 */

-/* RespondReject is a threaded wrapper for sending Rejects 
+/* RespondReject is a threaded wrapper for sending Rejects
 *
 * TODO
 * - RespondRejectFunc returns 1 on error, 0 on ok... why? For now it should
@ -42,13 +42,13 @@ void TmModuleRespondRejectRegister (void) {
 }

 int RespondRejectFunc(ThreadVars *tv, Packet *p, void *data) {
- 
-    /* ACTION_REJECT defaults to rejecting the SRC */ 
+
+    /* ACTION_REJECT defaults to rejecting the SRC */
    if (p->action != ACTION_REJECT && p->action != ACTION_REJECT_DST &&
        p->action != ACTION_REJECT_BOTH) {
        return 0;
    }
-    
+
    if (PKT_IS_IPV4(p)) {
        if (PKT_IS_TCP(p)) {
            return RejectSendIPv4TCP(tv, p, data);
@ -87,10 +87,20 @@ int RejectSendIPv4TCP(ThreadVars *tv, Packet *p, void *data) {
    return 0;
 }

-/* XXX VJ implement this when we have UDP decoding implemented */
 int RejectSendIPv4ICMP(ThreadVars *tv, Packet *p, void *data) {
-    printf ("we would send a ipv4 icmp reset here\n");
-    return 1;
+    if (p->action == ACTION_REJECT) {
+        return RejectSendLibnet11L3IPv4ICMP(tv, p, data, REJECT_DIR_SRC);
+    } else if (p->action == ACTION_REJECT_DST) {
+        return RejectSendLibnet11L3IPv4ICMP(tv, p, data, REJECT_DIR_DST);
+    } else if(p->action == ACTION_REJECT_BOTH) {
+        if (RejectSendLibnet11L3IPv4ICMP(tv, p, data, REJECT_DIR_SRC) == 0 &&
+            RejectSendLibnet11L3IPv4ICMP(tv, p, data, REJECT_DIR_DST) == 0) {
+            return 0;
+        } else {
+            return 1;
+        }
+    }
+    return 0;
 }

 int RejectSendIPv6TCP(ThreadVars *tv, Packet *p, void *data) {