aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

enip/cip: improve output & style

Browse Source 
Remove printf, remove \n from SCLogDebug. Add SCLogError for
rule parsing issues.

Fix various style issues
pull/2319/head
Victor Julien 9 years ago
parent 92b393ee9a
commit 72b5da4313
5 changed files with 145 additions and 147 deletions
Show Stats Download Patch File Download Diff File

162
src/app-layer-enip-common.c
Unescape Escape View File

@ -46,7 +46,7 @@ int ENIPExtractUint8(uint8_t *res, uint8_t *input, uint16_t *offset, uint32_t in
if (*offset > (input_len - sizeof(uint8_t)))
{
SCLogDebug("ENIPExtractUint8: Parsing beyond payload length\n");
SCLogDebug("ENIPExtractUint8: Parsing beyond payload length");
return 0;
}
@ -66,7 +66,7 @@ int ENIPExtractUint16(uint16_t *res, uint8_t *input, uint16_t *offset, uint32_t
if (*offset > (input_len - sizeof(uint16_t)))
{
SCLogDebug("ENIPExtractUint16: Parsing beyond payload length\n");
SCLogDebug("ENIPExtractUint16: Parsing beyond payload length");
return 0;
}
@ -87,7 +87,7 @@ int ENIPExtractUint32(uint32_t *res, uint8_t *input, uint16_t *offset, uint32_t
if (*offset > (input_len - sizeof(uint32_t)))
{
SCLogDebug("ENIPExtractUint32: Parsing beyond payload length\n");
SCLogDebug("ENIPExtractUint32: Parsing beyond payload length");
return 0;
}
@ -108,7 +108,7 @@ int ENIPExtractUint64(uint64_t *res, uint8_t *input, uint16_t *offset, uint32_t
if (*offset > (input_len - sizeof(uint64_t)))
{
SCLogDebug("ENIPExtractUint64: Parsing beyond payload length\n");
SCLogDebug("ENIPExtractUint64: Parsing beyond payload length");
return 0;
}
@ -232,43 +232,43 @@ int DecodeENIPPDU(uint8_t *input, uint32_t input_len,
switch (enip_data->header.command)
{
case NOP:
SCLogDebug("DecodeENIP - NOP\n");
SCLogDebug("DecodeENIP - NOP");
break;
case LIST_SERVICES:
SCLogDebug("DecodeENIP - LIST_SERVICES\n");
SCLogDebug("DecodeENIP - LIST_SERVICES");
break;
case LIST_IDENTITY:
SCLogDebug("DecodeENIP - LIST_IDENTITY\n");
SCLogDebug("DecodeENIP - LIST_IDENTITY");
break;
case LIST_INTERFACES:
SCLogDebug("DecodeENIP - LIST_INTERFACES\n");
SCLogDebug("DecodeENIP - LIST_INTERFACES");
break;
case REGISTER_SESSION:
SCLogDebug("DecodeENIP - REGISTER_SESSION\n");
SCLogDebug("DecodeENIP - REGISTER_SESSION");
break;
case UNREGISTER_SESSION:
SCLogDebug("DecodeENIP - UNREGISTER_SESSION\n");
SCLogDebug("DecodeENIP - UNREGISTER_SESSION");
break;
case SEND_RR_DATA:
SCLogDebug(
"DecodeENIP - SEND_RR_DATA - parse Common Packet Format\n");
"DecodeENIP - SEND_RR_DATA - parse Common Packet Format");
ret = DecodeCommonPacketFormatPDU(input, input_len, enip_data,
offset);
break;
case SEND_UNIT_DATA:
SCLogDebug(
"DecodeENIP - SEND UNIT DATA - parse Common Packet Format\n");
"DecodeENIP - SEND UNIT DATA - parse Common Packet Format");
ret = DecodeCommonPacketFormatPDU(input, input_len, enip_data,
offset);
break;
case INDICATE_STATUS:
SCLogDebug("DecodeENIP - INDICATE_STATUS\n");
SCLogDebug("DecodeENIP - INDICATE_STATUS");
break;
case CANCEL:
SCLogDebug("DecodeENIP - CANCEL\n");
SCLogDebug("DecodeENIP - CANCEL");
break;
default:
SCLogDebug("DecodeENIP - UNSUPPORTED COMMAND 0x%x\n",
SCLogDebug("DecodeENIP - UNSUPPORTED COMMAND 0x%x",
enip_data->header.command);
}
@ -290,7 +290,7 @@ int DecodeCommonPacketFormatPDU(uint8_t *input, uint32_t input_len,
if (enip_data->header.length < sizeof(ENIPEncapDataHdr))
{
SCLogDebug("DecodeCommonPacketFormat: Malformed ENIP packet\n");
SCLogDebug("DecodeCommonPacketFormat: Malformed ENIP packet");
return 0;
}
@ -380,15 +380,15 @@ int DecodeCommonPacketFormatPDU(uint8_t *input, uint32_t input_len,
{
case CONNECTED_DATA_ITEM:
SCLogDebug(
"DecodeCommonPacketFormat - CONNECTED DATA ITEM - parse CIP\n");
"DecodeCommonPacketFormat - CONNECTED DATA ITEM - parse CIP");
DecodeCIPPDU(input, input_len, enip_data, offset);
break;
case UNCONNECTED_DATA_ITEM:
SCLogDebug("DecodeCommonPacketFormat - UNCONNECTED DATA ITEM\n");
SCLogDebug("DecodeCommonPacketFormat - UNCONNECTED DATA ITEM");
DecodeCIPPDU(input, input_len, enip_data, offset);
break;
default:
SCLogDebug("DecodeCommonPacketFormat - UNKNOWN TYPE 0x%x\n\n",
SCLogDebug("DecodeCommonPacketFormat - UNKNOWN TYPE 0x%x",
enip_data->encap_data_item.type);
return 0;
}
@ -412,20 +412,20 @@ int DecodeCIPPDU(uint8_t *input, uint32_t input_len,
if (enip_data->encap_data_item.length == 0)
{
SCLogDebug("DecodeCIP: No CIP Data\n");
SCLogDebug("DecodeCIP: No CIP Data");
return 0;
}
if (offset > (input_len - sizeof(uint8_t)))
{
SCLogDebug("DecodeCIP: Parsing beyond payload length\n");
SCLogDebug("DecodeCIP: Parsing beyond payload length");
return 0;
}
uint8_t service = 0;
service = *(input + offset);
//SCLogDebug("CIP Service 0x%x\n", service);
//SCLogDebug("CIP Service 0x%x", service);
//use service code first bit to determine request/response, no need to save or push offset
if (service >> 7)
@ -456,7 +456,7 @@ int DecodeCIPRequestPDU(uint8_t *input, uint32_t input_len,
if (enip_data->encap_data_item.length < sizeof(CIPReqHdr))
{
SCLogDebug("DecodeCIPRequest - Malformed CIP Data\n");
SCLogDebug("DecodeCIPRequest - Malformed CIP Data");
return 0;
}
@ -474,14 +474,14 @@ int DecodeCIPRequestPDU(uint8_t *input, uint32_t input_len,
if (service > MAX_CIP_SERVICE)
{ // service codes of value 0x80 or greater are not permitted because in the CIP protocol the highest order bit is used to flag request(0)/response(1)
SCLogDebug("DecodeCIPRequest - INVALID CIP SERVICE 0x%x\n", service);
SCLogDebug("DecodeCIPRequest - INVALID CIP SERVICE 0x%x", service);
return 0;
}
//reached maximum number of services
if (enip_data->service_count > 32)
{
SCLogDebug("DecodeCIPRequest: Maximum services reached\n");
SCLogDebug("DecodeCIPRequest: Maximum services reached");
return 0;
}
@ -489,14 +489,14 @@ int DecodeCIPRequestPDU(uint8_t *input, uint32_t input_len,
CIPServiceEntry *node = CIPServiceAlloc(enip_data);
if (node == NULL)
{
SCLogDebug("DecodeCIPRequest: Unable to create CIP service\n");
SCLogDebug("DecodeCIPRequest: Unable to create CIP service");
return 0;
}
node->direction = 0;
node->service = service;
node->request.path_size = path_size;
node->request.path_offset = offset;
// SCLogDebug("DecodeCIPRequestPDU: service 0x%x size %d\n", node->service,
// SCLogDebug("DecodeCIPRequestPDU: service 0x%x size %d", node->service,
// node->request.path_size);
DecodeCIPRequestPathPDU(input, input_len, node, offset);
@ -507,53 +507,53 @@ int DecodeCIPRequestPDU(uint8_t *input, uint32_t input_len,
switch (service)
{
case CIP_RESERVED:
SCLogDebug("DecodeCIPRequest - CIP_RESERVED\n");
SCLogDebug("DecodeCIPRequest - CIP_RESERVED");
break;
case CIP_GET_ATTR_ALL:
SCLogDebug("DecodeCIPRequest - CIP_GET_ATTR_ALL\n");
SCLogDebug("DecodeCIPRequest - CIP_GET_ATTR_ALL");
break;
case CIP_GET_ATTR_LIST:
SCLogDebug("DecodeCIPRequest - CIP_GET_ATTR_LIST\n");
SCLogDebug("DecodeCIPRequest - CIP_GET_ATTR_LIST");
break;
case CIP_SET_ATTR_LIST:
SCLogDebug("DecodeCIPRequest - CIP_SET_ATTR_LIST\n");
SCLogDebug("DecodeCIPRequest - CIP_SET_ATTR_LIST");
break;
case CIP_RESET:
SCLogDebug("DecodeCIPRequest - CIP_RESET\n");
SCLogDebug("DecodeCIPRequest - CIP_RESET");
break;
case CIP_START:
SCLogDebug("DecodeCIPRequest - CIP_START\n");
SCLogDebug("DecodeCIPRequest - CIP_START");
break;
case CIP_STOP:
SCLogDebug("DecodeCIPRequest - CIP_STOP\n");
SCLogDebug("DecodeCIPRequest - CIP_STOP");
break;
case CIP_CREATE:
SCLogDebug("DecodeCIPRequest - CIP_CREATE\n");
SCLogDebug("DecodeCIPRequest - CIP_CREATE");
break;
case CIP_DELETE:
SCLogDebug("DecodeCIPRequest - CIP_DELETE\n");
SCLogDebug("DecodeCIPRequest - CIP_DELETE");
break;
case CIP_MSP:
SCLogDebug("DecodeCIPRequest - CIP_MSP\n");
SCLogDebug("DecodeCIPRequest - CIP_MSP");
DecodeCIPRequestMSPPDU(input, input_len, enip_data, offset);
break;
case CIP_APPLY_ATTR:
SCLogDebug("DecodeCIPRequest - CIP_APPLY_ATTR\n");
SCLogDebug("DecodeCIPRequest - CIP_APPLY_ATTR");
break;
case CIP_KICK_TIMER:
SCLogDebug("DecodeCIPRequest - CIP_KICK_TIMER\n");
SCLogDebug("DecodeCIPRequest - CIP_KICK_TIMER");
break;
case CIP_OPEN_CONNECTION:
SCLogDebug("DecodeCIPRequest - CIP_OPEN_CONNECTION\n");
SCLogDebug("DecodeCIPRequest - CIP_OPEN_CONNECTION");
break;
case CIP_CHANGE_START:
SCLogDebug("DecodeCIPRequest - CIP_CHANGE_START\n");
SCLogDebug("DecodeCIPRequest - CIP_CHANGE_START");
break;
case CIP_GET_STATUS:
SCLogDebug("DecodeCIPRequest - CIP_GET_STATUS\n");
SCLogDebug("DecodeCIPRequest - CIP_GET_STATUS");
break;
default:
SCLogDebug("DecodeCIPRequest - CIP SERVICE 0x%x\n", service);
SCLogDebug("DecodeCIPRequest - CIP SERVICE 0x%x", service);
}
return ret;
@ -572,12 +572,12 @@ int DecodeCIPRequestPDU(uint8_t *input, uint32_t input_len,
int DecodeCIPRequestPathPDU(uint8_t *input, uint32_t input_len,
CIPServiceEntry *node, uint16_t offset)
{
//SCLogDebug("DecodeCIPRequestPath: service 0x%x size %d length %d\n",
//SCLogDebug("DecodeCIPRequestPath: service 0x%x size %d length %d",
// node->service, node->request.path_size, input_len);
if (node->request.path_size < 1)
{
//SCLogDebug("DecodeCIPRequestPath: empty path or CIP Response\n");
//SCLogDebug("DecodeCIPRequestPath: empty path or CIP Response");
return 0;
}
@ -613,7 +613,7 @@ int DecodeCIPRequestPathPDU(uint8_t *input, uint32_t input_len,
return 0;
}
class = (uint16_t) req_path_class8;
SCLogDebug("DecodeCIPRequestPathPDU: 8bit class 0x%x\n", class);
SCLogDebug("DecodeCIPRequestPathPDU: 8bit class 0x%x", class);
seg = SCMalloc(sizeof(SegmentEntry));
if (unlikely(seg == NULL))
@ -638,7 +638,7 @@ int DecodeCIPRequestPathPDU(uint8_t *input, uint32_t input_len,
return 0;
}
//uint16_t attrib = (uint16_t) req_path_attr8;
//SCLogDebug("DecodeCIPRequestPath: 8bit attr 0x%x\n", attrib);
//SCLogDebug("DecodeCIPRequestPath: 8bit attr 0x%x", attrib);
seg = SCMalloc(sizeof(SegmentEntry));
if (unlikely(seg == NULL))
@ -659,7 +659,7 @@ int DecodeCIPRequestPathPDU(uint8_t *input, uint32_t input_len,
return 0;
}
class = req_path_class16;
SCLogDebug("DecodeCIPRequestPath: 16bit class 0x%x\n", class);
SCLogDebug("DecodeCIPRequestPath: 16bit class 0x%x", class);
seg = SCMalloc(sizeof(SegmentEntry));
if (unlikely(seg == NULL))
@ -695,7 +695,7 @@ int DecodeCIPRequestPathPDU(uint8_t *input, uint32_t input_len,
break;
default:
SCLogDebug(
"DecodeCIPRequestPath: UNKNOWN SEGMENT 0x%x service 0x%x\n",
"DecodeCIPRequestPath: UNKNOWN SEGMENT 0x%x service 0x%x",
segment, node->service);
return 0;
}
@ -712,7 +712,7 @@ int DecodeCIPRequestPathPDU(uint8_t *input, uint32_t input_len,
{
return 0;
}
SCLogDebug("DecodeCIPRequestPathPDU: attribute list count %d\n",
SCLogDebug("DecodeCIPRequestPathPDU: attribute list count %d",
attr_list_count);
for (int i = 0; i < attr_list_count; i++)
{
@ -720,7 +720,7 @@ int DecodeCIPRequestPathPDU(uint8_t *input, uint32_t input_len,
{
return 0;
}
SCLogDebug("DecodeCIPRequestPathPDU: attribute %d\n", attribute);
SCLogDebug("DecodeCIPRequestPathPDU: attribute %d", attribute);
//save attrs
AttributeEntry *attr = SCMalloc(sizeof(AttributeEntry));
if (unlikely(attr == NULL))
@ -749,7 +749,7 @@ int DecodeCIPResponsePDU(uint8_t *input, uint32_t input_len,
if (enip_data->encap_data_item.length < sizeof(CIPRespHdr))
{
SCLogDebug("DecodeCIPResponse - Malformed CIP Data\n");
SCLogDebug("DecodeCIPResponse - Malformed CIP Data");
return 0;
}
@ -770,15 +770,15 @@ int DecodeCIPResponsePDU(uint8_t *input, uint32_t input_len,
return 0;
}
//SCLogDebug("DecodeCIPResponse: service 0x%x\n",service);
//SCLogDebug("DecodeCIPResponse: service 0x%x",service);
service &= 0x7f; //strip off top bit to get service code. Responses have first bit as 1
SCLogDebug("CIP service 0x%x status 0x%x\n", service, status);
SCLogDebug("CIP service 0x%x status 0x%x", service, status);
//reached maximum number of services
if (enip_data->service_count > 32)
{
SCLogDebug("DecodeCIPRequest: Maximum services reached\n");
SCLogDebug("DecodeCIPRequest: Maximum services reached");
return 0;
}
@ -786,67 +786,67 @@ int DecodeCIPResponsePDU(uint8_t *input, uint32_t input_len,
CIPServiceEntry *node = CIPServiceAlloc(enip_data);
if (node == NULL)
{
SCLogDebug("DecodeCIPRequest: Unable to create CIP service\n");
SCLogDebug("DecodeCIPRequest: Unable to create CIP service");
return 0;
}
node->direction = 1;
node->service = service;
node->response.status = status;
SCLogDebug("DecodeCIPResponsePDU: service 0x%x size %d\n", node->service,
SCLogDebug("DecodeCIPResponsePDU: service 0x%x size %d", node->service,
node->request.path_size);
//list of CIP services is large and can be vendor specific, store CIP service anyways and let the rule decide the action
switch (service)
{
case CIP_RESERVED:
SCLogDebug("DecodeCIPResponse - CIP_RESERVED\n");
SCLogDebug("DecodeCIPResponse - CIP_RESERVED");
break;
case CIP_GET_ATTR_ALL:
SCLogDebug("DecodeCIPResponse - CIP_GET_ATTR_ALL\n");
SCLogDebug("DecodeCIPResponse - CIP_GET_ATTR_ALL");
break;
case CIP_GET_ATTR_LIST:
SCLogDebug("DecodeCIPResponse - CIP_GET_ATTR_LIST\n");
SCLogDebug("DecodeCIPResponse - CIP_GET_ATTR_LIST");
break;
case CIP_SET_ATTR_LIST:
SCLogDebug("DecodeCIPResponse - CIP_SET_ATTR_LIST\n");
SCLogDebug("DecodeCIPResponse - CIP_SET_ATTR_LIST");
break;
case CIP_RESET:
SCLogDebug("DecodeCIPResponse - CIP_RESET\n");
SCLogDebug("DecodeCIPResponse - CIP_RESET");
break;
case CIP_START:
SCLogDebug("DecodeCIPResponse - CIP_START\n");
SCLogDebug("DecodeCIPResponse - CIP_START");
break;
case CIP_STOP:
SCLogDebug("DecodeCIPResponse - CIP_STOP\n");
SCLogDebug("DecodeCIPResponse - CIP_STOP");
break;
case CIP_CREATE:
SCLogDebug("DecodeCIPResponse - CIP_CREATE\n");
SCLogDebug("DecodeCIPResponse - CIP_CREATE");
break;
case CIP_DELETE:
SCLogDebug("DecodeCIPResponse - CIP_DELETE\n");
SCLogDebug("DecodeCIPResponse - CIP_DELETE");
break;
case CIP_MSP:
SCLogDebug("DecodeCIPResponse - CIP_MSP\n");
SCLogDebug("DecodeCIPResponse - CIP_MSP");
DecodeCIPResponseMSPPDU(input, input_len, enip_data, offset);
break;
case CIP_APPLY_ATTR:
SCLogDebug("DecodeCIPResponse - CIP_APPLY_ATTR\n");
SCLogDebug("DecodeCIPResponse - CIP_APPLY_ATTR");
break;
case CIP_KICK_TIMER:
SCLogDebug("DecodeCIPResponse - CIP_KICK_TIMER\n");
SCLogDebug("DecodeCIPResponse - CIP_KICK_TIMER");
break;
case CIP_OPEN_CONNECTION:
SCLogDebug("DecodeCIPResponse - CIP_OPEN_CONNECTION\n");
SCLogDebug("DecodeCIPResponse - CIP_OPEN_CONNECTION");
break;
case CIP_CHANGE_START:
SCLogDebug("DecodeCIPResponse - CIP_CHANGE_START\n");
SCLogDebug("DecodeCIPResponse - CIP_CHANGE_START");
break;
case CIP_GET_STATUS:
SCLogDebug("DecodeCIPResponse - CIP_GET_STATUS\n");
SCLogDebug("DecodeCIPResponse - CIP_GET_STATUS");
break;
default:
SCLogDebug("DecodeCIPResponse - CIP SERVICE 0x%x\n", service);
SCLogDebug("DecodeCIPResponse - CIP SERVICE 0x%x", service);
}
return ret;
@ -867,7 +867,7 @@ int DecodeCIPRequestMSPPDU(uint8_t *input, uint32_t input_len,
int ret = 1;
if (offset >= (input_len - sizeof(uint16_t)))
{
SCLogDebug("DecodeCIPRequestMSPPDU: Parsing beyond payload length\n");
SCLogDebug("DecodeCIPRequestMSPPDU: Parsing beyond payload length");
return 0;
}
//use temp_offset just to grab the service offset, don't want to use and push offset
@ -876,13 +876,13 @@ int DecodeCIPRequestMSPPDU(uint8_t *input, uint32_t input_len,
ByteExtractUint16(&num_services, BYTE_LITTLE_ENDIAN, sizeof(uint16_t),
(const uint8_t *) (input + temp_offset));
temp_offset += sizeof(uint16_t);
//SCLogDebug("DecodeCIPRequestMSP number of services %d\n",num_services);
//SCLogDebug("DecodeCIPRequestMSP number of services %d",num_services);
for (int svc = 1; svc < num_services + 1; svc++)
{
if (temp_offset >= (input_len - sizeof(uint16_t)))
{
SCLogDebug("DecodeCIPRequestMSPPDU: Parsing beyond payload length\n");
SCLogDebug("DecodeCIPRequestMSPPDU: Parsing beyond payload length");
return 0;
}
@ -890,7 +890,7 @@ int DecodeCIPRequestMSPPDU(uint8_t *input, uint32_t input_len,
ByteExtractUint16(&svc_offset, BYTE_LITTLE_ENDIAN, sizeof(uint16_t),
(const uint8_t *) (input + temp_offset));
temp_offset += sizeof(uint16_t);
//SCLogDebug("parseCIPRequestMSP service %d offset %d\n",svc, svc_offset);
//SCLogDebug("parseCIPRequestMSP service %d offset %d",svc, svc_offset);
DecodeCIPPDU(input, input_len, enip_data, offset + svc_offset); //parse CIP at found offset
}
@ -915,7 +915,7 @@ int DecodeCIPResponseMSPPDU(uint8_t *input, uint32_t input_len,
if (offset >= (input_len - sizeof(uint16_t)))
{
SCLogDebug("DecodeCIPResponseMSPPDU: Parsing beyond payload length\n");
SCLogDebug("DecodeCIPResponseMSPPDU: Parsing beyond payload length");
return 0;
}
//use temp_offset just to grab the service offset, don't want to use and push offset
@ -924,13 +924,13 @@ int DecodeCIPResponseMSPPDU(uint8_t *input, uint32_t input_len,
ByteExtractUint16(&num_services, BYTE_LITTLE_ENDIAN, sizeof(uint16_t),
(const uint8_t *) (input + temp_offset));
temp_offset += sizeof(uint16_t);
//SCLogDebug("DecodeCIPResponseMSP number of services %d\n", num_services);
//SCLogDebug("DecodeCIPResponseMSP number of services %d", num_services);
for (int svc = 0; svc < num_services; svc++)
{
if (temp_offset >= (input_len - sizeof(uint16_t)))
{
SCLogDebug("DecodeCIPResponseMSP: Parsing beyond payload length\n");
SCLogDebug("DecodeCIPResponseMSP: Parsing beyond payload length");
return 0;
}
@ -938,7 +938,7 @@ int DecodeCIPResponseMSPPDU(uint8_t *input, uint32_t input_len,
ByteExtractUint16(&svc_offset, BYTE_LITTLE_ENDIAN, sizeof(uint16_t),
(const uint8_t *) (input + temp_offset));
temp_offset += sizeof(uint16_t);
//SCLogDebug("parseCIPResponseMSP service %d offset %d\n", svc, svc_offset);
//SCLogDebug("parseCIPResponseMSP service %d offset %d", svc, svc_offset);
DecodeCIPPDU(input, input_len, enip_data, offset + svc_offset); //parse CIP at found offset
}

38
src/app-layer-enip-common.h
Unescape Escape View File

@ -156,29 +156,29 @@ typedef struct CIPRespHdr_
typedef struct SegmentEntry_
{
uint16_t segment; //segment type
uint16_t value; //segment value (class or attribute)
uint16_t segment; /**< segment type */
uint16_t value; /**< segment value (class or attribute) */
TAILQ_ENTRY(SegmentEntry_) next;
TAILQ_ENTRY(SegmentEntry_) next;
} SegmentEntry;
typedef struct AttributeEntry_
{
uint16_t attribute; //segment class
uint16_t attribute; /**< segment class */
TAILQ_ENTRY(AttributeEntry_) next;
TAILQ_ENTRY(AttributeEntry_) next;
} AttributeEntry;
typedef struct CIPServiceEntry_
{
uint8_t service; //cip service
uint8_t service; /**< cip service */
uint8_t direction;
union
{
struct
{
uint8_t path_size; //cip path size
uint16_t path_offset; //offset to cip path
uint8_t path_size; /**< cip path size */
uint16_t path_offset; /**< offset to cip path */
} request;
struct
{
@ -186,8 +186,8 @@ typedef struct CIPServiceEntry_
} response;
};
TAILQ_HEAD(, SegmentEntry_) segment_list; /**< list for CIP segment */
TAILQ_HEAD(, AttributeEntry_) attrib_list; /**< list for CIP segment */
TAILQ_HEAD(, SegmentEntry_) segment_list; /**< list for CIP segment */
TAILQ_HEAD(, AttributeEntry_) attrib_list; /**< list for CIP segment */
TAILQ_ENTRY(CIPServiceEntry_) next;
} CIPServiceEntry;
@ -195,18 +195,18 @@ typedef struct CIPServiceEntry_
typedef struct ENIPTransaction_
{
struct ENIPState_ *enip;
uint16_t tx_num; /**< internal: id */
uint16_t tx_id; /**< transaction id */
uint16_t service_count; /**< transaction id */
uint16_t tx_num; /**< internal: id */
uint16_t tx_id; /**< transaction id */
uint16_t service_count;
ENIPEncapHdr header; //encapsulation header
ENIPEncapDataHdr encap_data_header; //encapsulation data header
ENIPEncapAddresItem encap_addr_item; //encapsulated address item
ENIPEncapDataItem encap_data_item; //encapsulated data item
ENIPEncapHdr header; /**< encapsulation header */
ENIPEncapDataHdr encap_data_header; /**< encapsulation data header */
ENIPEncapAddresItem encap_addr_item; /**< encapsulated address item */
ENIPEncapDataItem encap_data_item; /**< encapsulated data item */
TAILQ_HEAD(, CIPServiceEntry_) service_list; /**< list for CIP */
AppLayerDecoderEvents *decoder_events; /**< per tx events */
AppLayerDecoderEvents *decoder_events; /**< per tx events */
TAILQ_ENTRY(ENIPTransaction_) next;
DetectEngineState *de_state;
@ -216,7 +216,7 @@ typedef struct ENIPTransaction_
typedef struct ENIPState_
{
TAILQ_HEAD(, ENIPTransaction_) tx_list; /**< transaction list */
ENIPTransaction *curr; /**< ptr to current tx */
ENIPTransaction *curr; /**< ptr to current tx */
ENIPTransaction *iter;
uint64_t transaction_max;
uint64_t tx_with_detect_state_cnt;

26
src/app-layer-enip.c
Unescape Escape View File

@ -150,7 +150,7 @@ int ENIPStateGetEventInfo(const char *event_name, int *event_id, AppLayerEventTy
*/
void *ENIPStateAlloc(void)
{
SCLogDebug("ENIPStateAlloc \n");
SCLogDebug("ENIPStateAlloc");
void *s = SCMalloc(sizeof(ENIPState));
if (unlikely(s == NULL))
return NULL;
@ -169,7 +169,7 @@ void *ENIPStateAlloc(void)
static void ENIPTransactionFree(ENIPTransaction *tx, ENIPState *state)
{
SCEnter();
SCLogDebug("ENIPTransactionFree \n");
SCLogDebug("ENIPTransactionFree");
CIPServiceEntry *svc = NULL;
while ((svc = TAILQ_FIRST(&tx->service_list)))
{
@ -214,7 +214,7 @@ static void ENIPTransactionFree(ENIPTransaction *tx, ENIPState *state)
void ENIPStateFree(void *s)
{
SCEnter();
SCLogDebug("ENIPStateFree \n");
SCLogDebug("ENIPStateFree");
if (s)
{
ENIPState *enip_state = (ENIPState *) s;
@ -241,7 +241,7 @@ void ENIPStateFree(void *s)
* \retval tx or NULL */
static ENIPTransaction *ENIPTransactionAlloc(ENIPState *state)
{
SCLogDebug("ENIPStateTransactionAlloc \n");
SCLogDebug("ENIPStateTransactionAlloc");
ENIPTransaction *tx = (ENIPTransaction *) SCCalloc(1,
sizeof(ENIPTransaction));
if (unlikely(tx == NULL))
@ -268,7 +268,7 @@ static ENIPTransaction *ENIPTransactionAlloc(ENIPState *state)
void ENIPStateTransactionFree(void *state, uint64_t tx_id)
{
SCEnter();
SCLogDebug("ENIPStateTransactionFree \n");
SCLogDebug("ENIPStateTransactionFree");
ENIPState *enip_state = state;
ENIPTransaction *tx = NULL;
TAILQ_FOREACH(tx, &enip_state->tx_list, next)
@ -329,23 +329,23 @@ static int ENIPParse(Flow *f, void *state, AppLayerParserState *pstate,
if (tx == NULL)
SCReturnInt(0);
SCLogDebug("ENIPParse input len %d\n", input_len);
SCLogDebug("ENIPParse input len %d", input_len);
DecodeENIPPDU(input, input_len, tx);
uint32_t pkt_len = tx->header.length + sizeof(ENIPEncapHdr);
SCLogDebug("ENIPParse packet len %d\n", pkt_len);
SCLogDebug("ENIPParse packet len %d", pkt_len);
if (pkt_len > input_len)
{
SCLogDebug("Invalid packet length \n");
SCLogDebug("Invalid packet length");
break;
}
input += pkt_len;
input_len -= pkt_len;
//SCLogDebug("remaining %d\n", input_len);
//SCLogDebug("remaining %d", input_len);
if (input_len < sizeof(ENIPEncapHdr))
{
//SCLogDebug("Not enough data\n"); //not enough data for ENIP
//SCLogDebug("Not enough data"); //not enough data for ENIP
break;
}
}
@ -358,10 +358,10 @@ static int ENIPParse(Flow *f, void *state, AppLayerParserState *pstate,
static uint16_t ENIPProbingParser(uint8_t *input, uint32_t input_len,
uint32_t *offset)
{
// SCLogDebug("ENIPProbingParser %d\n", input_len);
// SCLogDebug("ENIPProbingParser %d", input_len);
if (input_len < sizeof(ENIPEncapHdr))
{
printf("Length too small to be a ENIP header \n");
SCLogDebug("length too small to be a ENIP header");
return ALPROTO_UNKNOWN;
}
@ -409,7 +409,7 @@ void RegisterENIPUDPParsers(void)
} else
{
printf("Protocol detection and parser disabled for %s protocol.",
SCLogConfig("Protocol detection and parser disabled for %s protocol.",
proto_name);
return;
}

31
src/detect-cipservice.c
Unescape Escape View File

@ -82,7 +82,7 @@ DetectCipServiceData *DetectCipServiceParse(char *rulestr)
const char delims[] = ",";
DetectCipServiceData *cipserviced = NULL;
//SCLogDebug("DetectCipServiceParse - rule string %s\n", rulestr);
//SCLogDebug("DetectCipServiceParse - rule string %s", rulestr);
cipserviced = SCMalloc(sizeof(DetectCipServiceData));
if (unlikely(cipserviced == NULL))
@ -104,7 +104,7 @@ DetectCipServiceData *DetectCipServiceParse(char *rulestr)
{
if (i > 2) //for now only need 3 parameters
{
printf("DetectEnipCommandParse: Too many parameters\n");
SCLogError(SC_ERR_INVALID_SIGNATURE, "too many parameters");
goto error;
}
@ -112,7 +112,7 @@ DetectCipServiceData *DetectCipServiceParse(char *rulestr)
{
if (!isdigit((int) *token))
{
printf("DetectCipServiceParse - Parameter Error %s\n", token);
SCLogError(SC_ERR_INVALID_SIGNATURE, "parameter error %s", token);
goto error;
}
} else //if on attribute
@ -126,7 +126,7 @@ DetectCipServiceData *DetectCipServiceParse(char *rulestr)
if (!isdigit((int) *token))
{
printf("DetectCipServiceParse - Attribute Error %s\n", token);
SCLogError(SC_ERR_INVALID_SIGNATURE, "attribute error %s", token);
goto error;
}
@ -135,15 +135,15 @@ DetectCipServiceData *DetectCipServiceParse(char *rulestr)
unsigned long num = atol(token);
if ((num > MAX_CIP_SERVICE) && (i == 0))//if service greater than 7 bit
{
printf("DetectEnipCommandParse: Invalid CIP service %lu\n", num);
SCLogError(SC_ERR_INVALID_SIGNATURE, "invalid CIP service %lu", num);
goto error;
} else if ((num > MAX_CIP_CLASS) && (i == 1))//if service greater than 16 bit
{
printf("DetectEnipCommandParse: Invalid CIP class %lu\n", num);
SCLogError(SC_ERR_INVALID_SIGNATURE, "invalid CIP class %lu", num);
goto error;
} else if ((num > MAX_CIP_ATTRIBUTE) && (i == 2))//if service greater than 16 bit
{
printf("DetectEnipCommandParse: Invalid CIP attribute %lu\n", num);
SCLogError(SC_ERR_INVALID_SIGNATURE, "invalid CIP attribute %lu", num);
goto error;
}
@ -158,12 +158,12 @@ DetectCipServiceData *DetectCipServiceParse(char *rulestr)
cipserviced->cipattribute = input[2];
cipserviced->tokens = i;
SCLogDebug("DetectCipServiceParse - tokens %d\n", cipserviced->tokens);
SCLogDebug("DetectCipServiceParse - service %d\n", cipserviced->cipservice);
SCLogDebug("DetectCipServiceParse - class %d\n", cipserviced->cipclass);
SCLogDebug("DetectCipServiceParse - match attribute %d\n",
SCLogDebug("DetectCipServiceParse - tokens %d", cipserviced->tokens);
SCLogDebug("DetectCipServiceParse - service %d", cipserviced->cipservice);
SCLogDebug("DetectCipServiceParse - class %d", cipserviced->cipclass);
SCLogDebug("DetectCipServiceParse - match attribute %d",
cipserviced->matchattribute);
SCLogDebug("DetectCipServiceParse - attribute %d\n",
SCLogDebug("DetectCipServiceParse - attribute %d",
cipserviced->cipattribute);
SCReturnPtr(cipserviced, "DetectENIPFunction");
@ -171,7 +171,6 @@ DetectCipServiceData *DetectCipServiceParse(char *rulestr)
error:
if (cipserviced)
SCFree(cipserviced);
printf("DetectCipServiceParse - Error Parsing Parameters\n");
SCReturnPtr(NULL, "DetectENIP");
}
@ -222,8 +221,6 @@ error:
DetectCipServiceFree(cipserviced);
if (sm != NULL)
SCFree(sm);
printf("DetectCipServiceSetup - Error\n");
SCReturnInt(-1);
}
@ -359,7 +356,7 @@ DetectEnipCommandData *DetectEnipCommandParse(char *rulestr)
unsigned long cmd = atol(rulestr);
if (cmd > MAX_ENIP_CMD) //if command greater than 16 bit
{
//printf("DetectEnipCommandParse: Invalid ENIP command %lu\n", cmd);
SCLogError(SC_ERR_INVALID_SIGNATURE, "invalid ENIP command %lu", cmd);
goto error;
}
@ -375,7 +372,6 @@ DetectEnipCommandData *DetectEnipCommandParse(char *rulestr)
error:
if (enipcmdd)
SCFree(enipcmdd);
//printf("DetectEnipCommandParse - Error Parsing Parameters\n");
return NULL;
}
@ -423,7 +419,6 @@ error:
DetectEnipCommandFree(enipcmdd);
if (sm != NULL)
SCFree(sm);
printf("DetectEnipCommandSetup - Error\n");
SCReturnInt(-1);
}

35
src/detect-engine-enip.c
Unescape Escape View File

@ -34,24 +34,25 @@
#include "util-debug.h"
#if 0
/**
* \brief Print fields from ENIP Packet
* @param enip_data
*/
void PrintENIPAL(ENIPTransaction *enip_data)
{
SCLogDebug("============================================\n");
SCLogDebug("ENCAP HEADER cmd 0x%x, length %d, session 0x%x, status 0x%x\n",
SCLogDebug("============================================");
SCLogDebug("ENCAP HEADER cmd 0x%x, length %d, session 0x%x, status 0x%x",
enip_data->header.command, enip_data->header.length,
enip_data->header.session, enip_data->header.status);
//SCLogDebug("context 0x%x option 0x%x\n", enip_data->header.context, enip_data->header.option);
SCLogDebug("ENCAP DATA HEADER handle 0x%x, timeout %d, count %d\n",
//SCLogDebug("context 0x%x option 0x%x", enip_data->header.context, enip_data->header.option);
SCLogDebug("ENCAP DATA HEADER handle 0x%x, timeout %d, count %d",
enip_data->encap_data_header.interface_handle,
enip_data->encap_data_header.timeout,
enip_data->encap_data_header.item_count);
SCLogDebug("ENCAP ADDR ITEM type 0x%x, length %d \n",
SCLogDebug("ENCAP ADDR ITEM type 0x%x, length %d",
enip_data->encap_addr_item.type, enip_data->encap_addr_item.length);
SCLogDebug("ENCAP DATA ITEM type 0x%x, length %d sequence 0x%x\n",
SCLogDebug("ENCAP DATA ITEM type 0x%x, length %d sequence 0x%x",
enip_data->encap_data_item.type, enip_data->encap_data_item.length,
enip_data->encap_data_item.sequence_count);
@ -60,10 +61,11 @@ void PrintENIPAL(ENIPTransaction *enip_data)
int count = 0;
TAILQ_FOREACH(svc, &enip_data->service_list, next)
{
//SCLogDebug("CIP Service #%d : 0x%x\n", count, svc->service);
//SCLogDebug("CIP Service #%d : 0x%x", count, svc->service);
count++;
}
}
#endif
/**
* \brief Matches the rule to the CIP segment in ENIP Packet
@ -72,7 +74,6 @@ void PrintENIPAL(ENIPTransaction *enip_data)
*/
int CIPPathMatch(CIPServiceEntry *svc, DetectCipServiceData *cipserviced)
{
uint16_t class = 0;
uint16_t attrib = 0;
int found_class = 0;
@ -165,14 +166,16 @@ int CIPServiceMatch(ENIPTransaction *enip_data,
{
int count = 1;
CIPServiceEntry *svc = NULL;
//SCLogDebug("CIPServiceMatchAL\n");
//SCLogDebug("CIPServiceMatchAL");
TAILQ_FOREACH(svc, &enip_data->service_list, next)
{
SCLogDebug("CIPServiceMatchAL service #%d : 0x%x dir %d \n", count, svc->service, svc->direction);
SCLogDebug("CIPServiceMatchAL service #%d : 0x%x dir %d",
count, svc->service, svc->direction);
if (cipserviced->cipservice == svc->service)
{ // compare service
//SCLogDebug("Rule Match for cip service %d\n",cipserviced->cipservice );
//SCLogDebug("Rule Match for cip service %d",cipserviced->cipservice );
if (cipserviced->tokens > 1)
{ //if rule params have class and attribute
@ -193,7 +196,7 @@ int CIPServiceMatch(ENIPTransaction *enip_data,
{
if (svc->direction == 1) return 0; //don't match responses
// SCLogDebug("CIPServiceMatchAL found\n");
// SCLogDebug("CIPServiceMatchAL found");
return 1;
}
}
@ -230,11 +233,11 @@ int DetectEngineInspectCIP(ThreadVars *tv, DetectEngineCtx *de_ctx,
SCLogDebug("no cipservice state, no match");
SCReturnInt(0);
}
// SCLogDebug("DetectEngineInspectCIP %d\n", cipserviced->cipservice);
//SCLogDebug("DetectEngineInspectCIP %d", cipserviced->cipservice);
if (CIPServiceMatch(tx, cipserviced) == 1)
{
// SCLogDebug("DetectCIPServiceMatchAL found\n");
//SCLogDebug("DetectCIPServiceMatchAL found");
SCReturnInt(1);
}
@ -270,11 +273,11 @@ int DetectEngineInspectENIP(ThreadVars *tv, DetectEngineCtx *de_ctx,
SCReturnInt(0);
}
//SCLogDebug("DetectEngineInspectENIP %d, %d\n", enipcmdd->enipcommand, tx->header.command);
//SCLogDebug("DetectEngineInspectENIP %d, %d", enipcmdd->enipcommand, tx->header.command);
if (enipcmdd->enipcommand == tx->header.command)
{
// SCLogDebug("DetectENIPCommandMatchAL found!\n");
// SCLogDebug("DetectENIPCommandMatchAL found!");
SCReturnInt(1);
}

Write Preview
Loading…
Cancel
Save