From 72b5da43137f4194251373c09a190960954ba210 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Fri, 30 Sep 2016 08:23:39 +0200 Subject: [PATCH] enip/cip: improve output & style Remove printf, remove \n from SCLogDebug. Add SCLogError for rule parsing issues. Fix various style issues --- src/app-layer-enip-common.c | 162 ++++++++++++++++++------------------ src/app-layer-enip-common.h | 38 ++++----- src/app-layer-enip.c | 26 +++--- src/detect-cipservice.c | 31 +++---- src/detect-engine-enip.c | 35 ++++---- 5 files changed, 145 insertions(+), 147 deletions(-) diff --git a/src/app-layer-enip-common.c b/src/app-layer-enip-common.c index 72ebc00be2..3af8268145 100644 --- a/src/app-layer-enip-common.c +++ b/src/app-layer-enip-common.c @@ -46,7 +46,7 @@ int ENIPExtractUint8(uint8_t *res, uint8_t *input, uint16_t *offset, uint32_t in if (*offset > (input_len - sizeof(uint8_t))) { - SCLogDebug("ENIPExtractUint8: Parsing beyond payload length\n"); + SCLogDebug("ENIPExtractUint8: Parsing beyond payload length"); return 0; } @@ -66,7 +66,7 @@ int ENIPExtractUint16(uint16_t *res, uint8_t *input, uint16_t *offset, uint32_t if (*offset > (input_len - sizeof(uint16_t))) { - SCLogDebug("ENIPExtractUint16: Parsing beyond payload length\n"); + SCLogDebug("ENIPExtractUint16: Parsing beyond payload length"); return 0; } @@ -87,7 +87,7 @@ int ENIPExtractUint32(uint32_t *res, uint8_t *input, uint16_t *offset, uint32_t if (*offset > (input_len - sizeof(uint32_t))) { - SCLogDebug("ENIPExtractUint32: Parsing beyond payload length\n"); + SCLogDebug("ENIPExtractUint32: Parsing beyond payload length"); return 0; } @@ -108,7 +108,7 @@ int ENIPExtractUint64(uint64_t *res, uint8_t *input, uint16_t *offset, uint32_t if (*offset > (input_len - sizeof(uint64_t))) { - SCLogDebug("ENIPExtractUint64: Parsing beyond payload length\n"); + SCLogDebug("ENIPExtractUint64: Parsing beyond payload length"); return 0; } @@ -232,43 +232,43 @@ int DecodeENIPPDU(uint8_t *input, uint32_t input_len, switch (enip_data->header.command) { case NOP: - SCLogDebug("DecodeENIP - NOP\n"); + SCLogDebug("DecodeENIP - NOP"); break; case LIST_SERVICES: - SCLogDebug("DecodeENIP - LIST_SERVICES\n"); + SCLogDebug("DecodeENIP - LIST_SERVICES"); break; case LIST_IDENTITY: - SCLogDebug("DecodeENIP - LIST_IDENTITY\n"); + SCLogDebug("DecodeENIP - LIST_IDENTITY"); break; case LIST_INTERFACES: - SCLogDebug("DecodeENIP - LIST_INTERFACES\n"); + SCLogDebug("DecodeENIP - LIST_INTERFACES"); break; case REGISTER_SESSION: - SCLogDebug("DecodeENIP - REGISTER_SESSION\n"); + SCLogDebug("DecodeENIP - REGISTER_SESSION"); break; case UNREGISTER_SESSION: - SCLogDebug("DecodeENIP - UNREGISTER_SESSION\n"); + SCLogDebug("DecodeENIP - UNREGISTER_SESSION"); break; case SEND_RR_DATA: SCLogDebug( - "DecodeENIP - SEND_RR_DATA - parse Common Packet Format\n"); + "DecodeENIP - SEND_RR_DATA - parse Common Packet Format"); ret = DecodeCommonPacketFormatPDU(input, input_len, enip_data, offset); break; case SEND_UNIT_DATA: SCLogDebug( - "DecodeENIP - SEND UNIT DATA - parse Common Packet Format\n"); + "DecodeENIP - SEND UNIT DATA - parse Common Packet Format"); ret = DecodeCommonPacketFormatPDU(input, input_len, enip_data, offset); break; case INDICATE_STATUS: - SCLogDebug("DecodeENIP - INDICATE_STATUS\n"); + SCLogDebug("DecodeENIP - INDICATE_STATUS"); break; case CANCEL: - SCLogDebug("DecodeENIP - CANCEL\n"); + SCLogDebug("DecodeENIP - CANCEL"); break; default: - SCLogDebug("DecodeENIP - UNSUPPORTED COMMAND 0x%x\n", + SCLogDebug("DecodeENIP - UNSUPPORTED COMMAND 0x%x", enip_data->header.command); } @@ -290,7 +290,7 @@ int DecodeCommonPacketFormatPDU(uint8_t *input, uint32_t input_len, if (enip_data->header.length < sizeof(ENIPEncapDataHdr)) { - SCLogDebug("DecodeCommonPacketFormat: Malformed ENIP packet\n"); + SCLogDebug("DecodeCommonPacketFormat: Malformed ENIP packet"); return 0; } @@ -380,15 +380,15 @@ int DecodeCommonPacketFormatPDU(uint8_t *input, uint32_t input_len, { case CONNECTED_DATA_ITEM: SCLogDebug( - "DecodeCommonPacketFormat - CONNECTED DATA ITEM - parse CIP\n"); + "DecodeCommonPacketFormat - CONNECTED DATA ITEM - parse CIP"); DecodeCIPPDU(input, input_len, enip_data, offset); break; case UNCONNECTED_DATA_ITEM: - SCLogDebug("DecodeCommonPacketFormat - UNCONNECTED DATA ITEM\n"); + SCLogDebug("DecodeCommonPacketFormat - UNCONNECTED DATA ITEM"); DecodeCIPPDU(input, input_len, enip_data, offset); break; default: - SCLogDebug("DecodeCommonPacketFormat - UNKNOWN TYPE 0x%x\n\n", + SCLogDebug("DecodeCommonPacketFormat - UNKNOWN TYPE 0x%x", enip_data->encap_data_item.type); return 0; } @@ -412,20 +412,20 @@ int DecodeCIPPDU(uint8_t *input, uint32_t input_len, if (enip_data->encap_data_item.length == 0) { - SCLogDebug("DecodeCIP: No CIP Data\n"); + SCLogDebug("DecodeCIP: No CIP Data"); return 0; } if (offset > (input_len - sizeof(uint8_t))) { - SCLogDebug("DecodeCIP: Parsing beyond payload length\n"); + SCLogDebug("DecodeCIP: Parsing beyond payload length"); return 0; } uint8_t service = 0; service = *(input + offset); - //SCLogDebug("CIP Service 0x%x\n", service); + //SCLogDebug("CIP Service 0x%x", service); //use service code first bit to determine request/response, no need to save or push offset if (service >> 7) @@ -456,7 +456,7 @@ int DecodeCIPRequestPDU(uint8_t *input, uint32_t input_len, if (enip_data->encap_data_item.length < sizeof(CIPReqHdr)) { - SCLogDebug("DecodeCIPRequest - Malformed CIP Data\n"); + SCLogDebug("DecodeCIPRequest - Malformed CIP Data"); return 0; } @@ -474,14 +474,14 @@ int DecodeCIPRequestPDU(uint8_t *input, uint32_t input_len, if (service > MAX_CIP_SERVICE) { // service codes of value 0x80 or greater are not permitted because in the CIP protocol the highest order bit is used to flag request(0)/response(1) - SCLogDebug("DecodeCIPRequest - INVALID CIP SERVICE 0x%x\n", service); + SCLogDebug("DecodeCIPRequest - INVALID CIP SERVICE 0x%x", service); return 0; } //reached maximum number of services if (enip_data->service_count > 32) { - SCLogDebug("DecodeCIPRequest: Maximum services reached\n"); + SCLogDebug("DecodeCIPRequest: Maximum services reached"); return 0; } @@ -489,14 +489,14 @@ int DecodeCIPRequestPDU(uint8_t *input, uint32_t input_len, CIPServiceEntry *node = CIPServiceAlloc(enip_data); if (node == NULL) { - SCLogDebug("DecodeCIPRequest: Unable to create CIP service\n"); + SCLogDebug("DecodeCIPRequest: Unable to create CIP service"); return 0; } node->direction = 0; node->service = service; node->request.path_size = path_size; node->request.path_offset = offset; - // SCLogDebug("DecodeCIPRequestPDU: service 0x%x size %d\n", node->service, + // SCLogDebug("DecodeCIPRequestPDU: service 0x%x size %d", node->service, // node->request.path_size); DecodeCIPRequestPathPDU(input, input_len, node, offset); @@ -507,53 +507,53 @@ int DecodeCIPRequestPDU(uint8_t *input, uint32_t input_len, switch (service) { case CIP_RESERVED: - SCLogDebug("DecodeCIPRequest - CIP_RESERVED\n"); + SCLogDebug("DecodeCIPRequest - CIP_RESERVED"); break; case CIP_GET_ATTR_ALL: - SCLogDebug("DecodeCIPRequest - CIP_GET_ATTR_ALL\n"); + SCLogDebug("DecodeCIPRequest - CIP_GET_ATTR_ALL"); break; case CIP_GET_ATTR_LIST: - SCLogDebug("DecodeCIPRequest - CIP_GET_ATTR_LIST\n"); + SCLogDebug("DecodeCIPRequest - CIP_GET_ATTR_LIST"); break; case CIP_SET_ATTR_LIST: - SCLogDebug("DecodeCIPRequest - CIP_SET_ATTR_LIST\n"); + SCLogDebug("DecodeCIPRequest - CIP_SET_ATTR_LIST"); break; case CIP_RESET: - SCLogDebug("DecodeCIPRequest - CIP_RESET\n"); + SCLogDebug("DecodeCIPRequest - CIP_RESET"); break; case CIP_START: - SCLogDebug("DecodeCIPRequest - CIP_START\n"); + SCLogDebug("DecodeCIPRequest - CIP_START"); break; case CIP_STOP: - SCLogDebug("DecodeCIPRequest - CIP_STOP\n"); + SCLogDebug("DecodeCIPRequest - CIP_STOP"); break; case CIP_CREATE: - SCLogDebug("DecodeCIPRequest - CIP_CREATE\n"); + SCLogDebug("DecodeCIPRequest - CIP_CREATE"); break; case CIP_DELETE: - SCLogDebug("DecodeCIPRequest - CIP_DELETE\n"); + SCLogDebug("DecodeCIPRequest - CIP_DELETE"); break; case CIP_MSP: - SCLogDebug("DecodeCIPRequest - CIP_MSP\n"); + SCLogDebug("DecodeCIPRequest - CIP_MSP"); DecodeCIPRequestMSPPDU(input, input_len, enip_data, offset); break; case CIP_APPLY_ATTR: - SCLogDebug("DecodeCIPRequest - CIP_APPLY_ATTR\n"); + SCLogDebug("DecodeCIPRequest - CIP_APPLY_ATTR"); break; case CIP_KICK_TIMER: - SCLogDebug("DecodeCIPRequest - CIP_KICK_TIMER\n"); + SCLogDebug("DecodeCIPRequest - CIP_KICK_TIMER"); break; case CIP_OPEN_CONNECTION: - SCLogDebug("DecodeCIPRequest - CIP_OPEN_CONNECTION\n"); + SCLogDebug("DecodeCIPRequest - CIP_OPEN_CONNECTION"); break; case CIP_CHANGE_START: - SCLogDebug("DecodeCIPRequest - CIP_CHANGE_START\n"); + SCLogDebug("DecodeCIPRequest - CIP_CHANGE_START"); break; case CIP_GET_STATUS: - SCLogDebug("DecodeCIPRequest - CIP_GET_STATUS\n"); + SCLogDebug("DecodeCIPRequest - CIP_GET_STATUS"); break; default: - SCLogDebug("DecodeCIPRequest - CIP SERVICE 0x%x\n", service); + SCLogDebug("DecodeCIPRequest - CIP SERVICE 0x%x", service); } return ret; @@ -572,12 +572,12 @@ int DecodeCIPRequestPDU(uint8_t *input, uint32_t input_len, int DecodeCIPRequestPathPDU(uint8_t *input, uint32_t input_len, CIPServiceEntry *node, uint16_t offset) { - //SCLogDebug("DecodeCIPRequestPath: service 0x%x size %d length %d\n", + //SCLogDebug("DecodeCIPRequestPath: service 0x%x size %d length %d", // node->service, node->request.path_size, input_len); if (node->request.path_size < 1) { - //SCLogDebug("DecodeCIPRequestPath: empty path or CIP Response\n"); + //SCLogDebug("DecodeCIPRequestPath: empty path or CIP Response"); return 0; } @@ -613,7 +613,7 @@ int DecodeCIPRequestPathPDU(uint8_t *input, uint32_t input_len, return 0; } class = (uint16_t) req_path_class8; - SCLogDebug("DecodeCIPRequestPathPDU: 8bit class 0x%x\n", class); + SCLogDebug("DecodeCIPRequestPathPDU: 8bit class 0x%x", class); seg = SCMalloc(sizeof(SegmentEntry)); if (unlikely(seg == NULL)) @@ -638,7 +638,7 @@ int DecodeCIPRequestPathPDU(uint8_t *input, uint32_t input_len, return 0; } //uint16_t attrib = (uint16_t) req_path_attr8; - //SCLogDebug("DecodeCIPRequestPath: 8bit attr 0x%x\n", attrib); + //SCLogDebug("DecodeCIPRequestPath: 8bit attr 0x%x", attrib); seg = SCMalloc(sizeof(SegmentEntry)); if (unlikely(seg == NULL)) @@ -659,7 +659,7 @@ int DecodeCIPRequestPathPDU(uint8_t *input, uint32_t input_len, return 0; } class = req_path_class16; - SCLogDebug("DecodeCIPRequestPath: 16bit class 0x%x\n", class); + SCLogDebug("DecodeCIPRequestPath: 16bit class 0x%x", class); seg = SCMalloc(sizeof(SegmentEntry)); if (unlikely(seg == NULL)) @@ -695,7 +695,7 @@ int DecodeCIPRequestPathPDU(uint8_t *input, uint32_t input_len, break; default: SCLogDebug( - "DecodeCIPRequestPath: UNKNOWN SEGMENT 0x%x service 0x%x\n", + "DecodeCIPRequestPath: UNKNOWN SEGMENT 0x%x service 0x%x", segment, node->service); return 0; } @@ -712,7 +712,7 @@ int DecodeCIPRequestPathPDU(uint8_t *input, uint32_t input_len, { return 0; } - SCLogDebug("DecodeCIPRequestPathPDU: attribute list count %d\n", + SCLogDebug("DecodeCIPRequestPathPDU: attribute list count %d", attr_list_count); for (int i = 0; i < attr_list_count; i++) { @@ -720,7 +720,7 @@ int DecodeCIPRequestPathPDU(uint8_t *input, uint32_t input_len, { return 0; } - SCLogDebug("DecodeCIPRequestPathPDU: attribute %d\n", attribute); + SCLogDebug("DecodeCIPRequestPathPDU: attribute %d", attribute); //save attrs AttributeEntry *attr = SCMalloc(sizeof(AttributeEntry)); if (unlikely(attr == NULL)) @@ -749,7 +749,7 @@ int DecodeCIPResponsePDU(uint8_t *input, uint32_t input_len, if (enip_data->encap_data_item.length < sizeof(CIPRespHdr)) { - SCLogDebug("DecodeCIPResponse - Malformed CIP Data\n"); + SCLogDebug("DecodeCIPResponse - Malformed CIP Data"); return 0; } @@ -770,15 +770,15 @@ int DecodeCIPResponsePDU(uint8_t *input, uint32_t input_len, return 0; } - //SCLogDebug("DecodeCIPResponse: service 0x%x\n",service); + //SCLogDebug("DecodeCIPResponse: service 0x%x",service); service &= 0x7f; //strip off top bit to get service code. Responses have first bit as 1 - SCLogDebug("CIP service 0x%x status 0x%x\n", service, status); + SCLogDebug("CIP service 0x%x status 0x%x", service, status); //reached maximum number of services if (enip_data->service_count > 32) { - SCLogDebug("DecodeCIPRequest: Maximum services reached\n"); + SCLogDebug("DecodeCIPRequest: Maximum services reached"); return 0; } @@ -786,67 +786,67 @@ int DecodeCIPResponsePDU(uint8_t *input, uint32_t input_len, CIPServiceEntry *node = CIPServiceAlloc(enip_data); if (node == NULL) { - SCLogDebug("DecodeCIPRequest: Unable to create CIP service\n"); + SCLogDebug("DecodeCIPRequest: Unable to create CIP service"); return 0; } node->direction = 1; node->service = service; node->response.status = status; - SCLogDebug("DecodeCIPResponsePDU: service 0x%x size %d\n", node->service, + SCLogDebug("DecodeCIPResponsePDU: service 0x%x size %d", node->service, node->request.path_size); //list of CIP services is large and can be vendor specific, store CIP service anyways and let the rule decide the action switch (service) { case CIP_RESERVED: - SCLogDebug("DecodeCIPResponse - CIP_RESERVED\n"); + SCLogDebug("DecodeCIPResponse - CIP_RESERVED"); break; case CIP_GET_ATTR_ALL: - SCLogDebug("DecodeCIPResponse - CIP_GET_ATTR_ALL\n"); + SCLogDebug("DecodeCIPResponse - CIP_GET_ATTR_ALL"); break; case CIP_GET_ATTR_LIST: - SCLogDebug("DecodeCIPResponse - CIP_GET_ATTR_LIST\n"); + SCLogDebug("DecodeCIPResponse - CIP_GET_ATTR_LIST"); break; case CIP_SET_ATTR_LIST: - SCLogDebug("DecodeCIPResponse - CIP_SET_ATTR_LIST\n"); + SCLogDebug("DecodeCIPResponse - CIP_SET_ATTR_LIST"); break; case CIP_RESET: - SCLogDebug("DecodeCIPResponse - CIP_RESET\n"); + SCLogDebug("DecodeCIPResponse - CIP_RESET"); break; case CIP_START: - SCLogDebug("DecodeCIPResponse - CIP_START\n"); + SCLogDebug("DecodeCIPResponse - CIP_START"); break; case CIP_STOP: - SCLogDebug("DecodeCIPResponse - CIP_STOP\n"); + SCLogDebug("DecodeCIPResponse - CIP_STOP"); break; case CIP_CREATE: - SCLogDebug("DecodeCIPResponse - CIP_CREATE\n"); + SCLogDebug("DecodeCIPResponse - CIP_CREATE"); break; case CIP_DELETE: - SCLogDebug("DecodeCIPResponse - CIP_DELETE\n"); + SCLogDebug("DecodeCIPResponse - CIP_DELETE"); break; case CIP_MSP: - SCLogDebug("DecodeCIPResponse - CIP_MSP\n"); + SCLogDebug("DecodeCIPResponse - CIP_MSP"); DecodeCIPResponseMSPPDU(input, input_len, enip_data, offset); break; case CIP_APPLY_ATTR: - SCLogDebug("DecodeCIPResponse - CIP_APPLY_ATTR\n"); + SCLogDebug("DecodeCIPResponse - CIP_APPLY_ATTR"); break; case CIP_KICK_TIMER: - SCLogDebug("DecodeCIPResponse - CIP_KICK_TIMER\n"); + SCLogDebug("DecodeCIPResponse - CIP_KICK_TIMER"); break; case CIP_OPEN_CONNECTION: - SCLogDebug("DecodeCIPResponse - CIP_OPEN_CONNECTION\n"); + SCLogDebug("DecodeCIPResponse - CIP_OPEN_CONNECTION"); break; case CIP_CHANGE_START: - SCLogDebug("DecodeCIPResponse - CIP_CHANGE_START\n"); + SCLogDebug("DecodeCIPResponse - CIP_CHANGE_START"); break; case CIP_GET_STATUS: - SCLogDebug("DecodeCIPResponse - CIP_GET_STATUS\n"); + SCLogDebug("DecodeCIPResponse - CIP_GET_STATUS"); break; default: - SCLogDebug("DecodeCIPResponse - CIP SERVICE 0x%x\n", service); + SCLogDebug("DecodeCIPResponse - CIP SERVICE 0x%x", service); } return ret; @@ -867,7 +867,7 @@ int DecodeCIPRequestMSPPDU(uint8_t *input, uint32_t input_len, int ret = 1; if (offset >= (input_len - sizeof(uint16_t))) { - SCLogDebug("DecodeCIPRequestMSPPDU: Parsing beyond payload length\n"); + SCLogDebug("DecodeCIPRequestMSPPDU: Parsing beyond payload length"); return 0; } //use temp_offset just to grab the service offset, don't want to use and push offset @@ -876,13 +876,13 @@ int DecodeCIPRequestMSPPDU(uint8_t *input, uint32_t input_len, ByteExtractUint16(&num_services, BYTE_LITTLE_ENDIAN, sizeof(uint16_t), (const uint8_t *) (input + temp_offset)); temp_offset += sizeof(uint16_t); - //SCLogDebug("DecodeCIPRequestMSP number of services %d\n",num_services); + //SCLogDebug("DecodeCIPRequestMSP number of services %d",num_services); for (int svc = 1; svc < num_services + 1; svc++) { if (temp_offset >= (input_len - sizeof(uint16_t))) { - SCLogDebug("DecodeCIPRequestMSPPDU: Parsing beyond payload length\n"); + SCLogDebug("DecodeCIPRequestMSPPDU: Parsing beyond payload length"); return 0; } @@ -890,7 +890,7 @@ int DecodeCIPRequestMSPPDU(uint8_t *input, uint32_t input_len, ByteExtractUint16(&svc_offset, BYTE_LITTLE_ENDIAN, sizeof(uint16_t), (const uint8_t *) (input + temp_offset)); temp_offset += sizeof(uint16_t); - //SCLogDebug("parseCIPRequestMSP service %d offset %d\n",svc, svc_offset); + //SCLogDebug("parseCIPRequestMSP service %d offset %d",svc, svc_offset); DecodeCIPPDU(input, input_len, enip_data, offset + svc_offset); //parse CIP at found offset } @@ -915,7 +915,7 @@ int DecodeCIPResponseMSPPDU(uint8_t *input, uint32_t input_len, if (offset >= (input_len - sizeof(uint16_t))) { - SCLogDebug("DecodeCIPResponseMSPPDU: Parsing beyond payload length\n"); + SCLogDebug("DecodeCIPResponseMSPPDU: Parsing beyond payload length"); return 0; } //use temp_offset just to grab the service offset, don't want to use and push offset @@ -924,13 +924,13 @@ int DecodeCIPResponseMSPPDU(uint8_t *input, uint32_t input_len, ByteExtractUint16(&num_services, BYTE_LITTLE_ENDIAN, sizeof(uint16_t), (const uint8_t *) (input + temp_offset)); temp_offset += sizeof(uint16_t); - //SCLogDebug("DecodeCIPResponseMSP number of services %d\n", num_services); + //SCLogDebug("DecodeCIPResponseMSP number of services %d", num_services); for (int svc = 0; svc < num_services; svc++) { if (temp_offset >= (input_len - sizeof(uint16_t))) { - SCLogDebug("DecodeCIPResponseMSP: Parsing beyond payload length\n"); + SCLogDebug("DecodeCIPResponseMSP: Parsing beyond payload length"); return 0; } @@ -938,7 +938,7 @@ int DecodeCIPResponseMSPPDU(uint8_t *input, uint32_t input_len, ByteExtractUint16(&svc_offset, BYTE_LITTLE_ENDIAN, sizeof(uint16_t), (const uint8_t *) (input + temp_offset)); temp_offset += sizeof(uint16_t); - //SCLogDebug("parseCIPResponseMSP service %d offset %d\n", svc, svc_offset); + //SCLogDebug("parseCIPResponseMSP service %d offset %d", svc, svc_offset); DecodeCIPPDU(input, input_len, enip_data, offset + svc_offset); //parse CIP at found offset } diff --git a/src/app-layer-enip-common.h b/src/app-layer-enip-common.h index 77777c8837..dec1f0510a 100644 --- a/src/app-layer-enip-common.h +++ b/src/app-layer-enip-common.h @@ -156,29 +156,29 @@ typedef struct CIPRespHdr_ typedef struct SegmentEntry_ { - uint16_t segment; //segment type - uint16_t value; //segment value (class or attribute) + uint16_t segment; /**< segment type */ + uint16_t value; /**< segment value (class or attribute) */ -TAILQ_ENTRY(SegmentEntry_) next; + TAILQ_ENTRY(SegmentEntry_) next; } SegmentEntry; typedef struct AttributeEntry_ { - uint16_t attribute; //segment class + uint16_t attribute; /**< segment class */ -TAILQ_ENTRY(AttributeEntry_) next; + TAILQ_ENTRY(AttributeEntry_) next; } AttributeEntry; typedef struct CIPServiceEntry_ { - uint8_t service; //cip service + uint8_t service; /**< cip service */ uint8_t direction; union { struct { - uint8_t path_size; //cip path size - uint16_t path_offset; //offset to cip path + uint8_t path_size; /**< cip path size */ + uint16_t path_offset; /**< offset to cip path */ } request; struct { @@ -186,8 +186,8 @@ typedef struct CIPServiceEntry_ } response; }; - TAILQ_HEAD(, SegmentEntry_) segment_list; /**< list for CIP segment */ - TAILQ_HEAD(, AttributeEntry_) attrib_list; /**< list for CIP segment */ + TAILQ_HEAD(, SegmentEntry_) segment_list; /**< list for CIP segment */ + TAILQ_HEAD(, AttributeEntry_) attrib_list; /**< list for CIP segment */ TAILQ_ENTRY(CIPServiceEntry_) next; } CIPServiceEntry; @@ -195,18 +195,18 @@ typedef struct CIPServiceEntry_ typedef struct ENIPTransaction_ { struct ENIPState_ *enip; - uint16_t tx_num; /**< internal: id */ - uint16_t tx_id; /**< transaction id */ - uint16_t service_count; /**< transaction id */ + uint16_t tx_num; /**< internal: id */ + uint16_t tx_id; /**< transaction id */ + uint16_t service_count; - ENIPEncapHdr header; //encapsulation header - ENIPEncapDataHdr encap_data_header; //encapsulation data header - ENIPEncapAddresItem encap_addr_item; //encapsulated address item - ENIPEncapDataItem encap_data_item; //encapsulated data item + ENIPEncapHdr header; /**< encapsulation header */ + ENIPEncapDataHdr encap_data_header; /**< encapsulation data header */ + ENIPEncapAddresItem encap_addr_item; /**< encapsulated address item */ + ENIPEncapDataItem encap_data_item; /**< encapsulated data item */ TAILQ_HEAD(, CIPServiceEntry_) service_list; /**< list for CIP */ - AppLayerDecoderEvents *decoder_events; /**< per tx events */ + AppLayerDecoderEvents *decoder_events; /**< per tx events */ TAILQ_ENTRY(ENIPTransaction_) next; DetectEngineState *de_state; @@ -216,7 +216,7 @@ typedef struct ENIPTransaction_ typedef struct ENIPState_ { TAILQ_HEAD(, ENIPTransaction_) tx_list; /**< transaction list */ - ENIPTransaction *curr; /**< ptr to current tx */ + ENIPTransaction *curr; /**< ptr to current tx */ ENIPTransaction *iter; uint64_t transaction_max; uint64_t tx_with_detect_state_cnt; diff --git a/src/app-layer-enip.c b/src/app-layer-enip.c index db50221a4c..a480d304db 100644 --- a/src/app-layer-enip.c +++ b/src/app-layer-enip.c @@ -150,7 +150,7 @@ int ENIPStateGetEventInfo(const char *event_name, int *event_id, AppLayerEventTy */ void *ENIPStateAlloc(void) { - SCLogDebug("ENIPStateAlloc \n"); + SCLogDebug("ENIPStateAlloc"); void *s = SCMalloc(sizeof(ENIPState)); if (unlikely(s == NULL)) return NULL; @@ -169,7 +169,7 @@ void *ENIPStateAlloc(void) static void ENIPTransactionFree(ENIPTransaction *tx, ENIPState *state) { SCEnter(); - SCLogDebug("ENIPTransactionFree \n"); + SCLogDebug("ENIPTransactionFree"); CIPServiceEntry *svc = NULL; while ((svc = TAILQ_FIRST(&tx->service_list))) { @@ -214,7 +214,7 @@ static void ENIPTransactionFree(ENIPTransaction *tx, ENIPState *state) void ENIPStateFree(void *s) { SCEnter(); - SCLogDebug("ENIPStateFree \n"); + SCLogDebug("ENIPStateFree"); if (s) { ENIPState *enip_state = (ENIPState *) s; @@ -241,7 +241,7 @@ void ENIPStateFree(void *s) * \retval tx or NULL */ static ENIPTransaction *ENIPTransactionAlloc(ENIPState *state) { - SCLogDebug("ENIPStateTransactionAlloc \n"); + SCLogDebug("ENIPStateTransactionAlloc"); ENIPTransaction *tx = (ENIPTransaction *) SCCalloc(1, sizeof(ENIPTransaction)); if (unlikely(tx == NULL)) @@ -268,7 +268,7 @@ static ENIPTransaction *ENIPTransactionAlloc(ENIPState *state) void ENIPStateTransactionFree(void *state, uint64_t tx_id) { SCEnter(); - SCLogDebug("ENIPStateTransactionFree \n"); + SCLogDebug("ENIPStateTransactionFree"); ENIPState *enip_state = state; ENIPTransaction *tx = NULL; TAILQ_FOREACH(tx, &enip_state->tx_list, next) @@ -329,23 +329,23 @@ static int ENIPParse(Flow *f, void *state, AppLayerParserState *pstate, if (tx == NULL) SCReturnInt(0); - SCLogDebug("ENIPParse input len %d\n", input_len); + SCLogDebug("ENIPParse input len %d", input_len); DecodeENIPPDU(input, input_len, tx); uint32_t pkt_len = tx->header.length + sizeof(ENIPEncapHdr); - SCLogDebug("ENIPParse packet len %d\n", pkt_len); + SCLogDebug("ENIPParse packet len %d", pkt_len); if (pkt_len > input_len) { - SCLogDebug("Invalid packet length \n"); + SCLogDebug("Invalid packet length"); break; } input += pkt_len; input_len -= pkt_len; - //SCLogDebug("remaining %d\n", input_len); + //SCLogDebug("remaining %d", input_len); if (input_len < sizeof(ENIPEncapHdr)) { - //SCLogDebug("Not enough data\n"); //not enough data for ENIP + //SCLogDebug("Not enough data"); //not enough data for ENIP break; } } @@ -358,10 +358,10 @@ static int ENIPParse(Flow *f, void *state, AppLayerParserState *pstate, static uint16_t ENIPProbingParser(uint8_t *input, uint32_t input_len, uint32_t *offset) { - // SCLogDebug("ENIPProbingParser %d\n", input_len); + // SCLogDebug("ENIPProbingParser %d", input_len); if (input_len < sizeof(ENIPEncapHdr)) { - printf("Length too small to be a ENIP header \n"); + SCLogDebug("length too small to be a ENIP header"); return ALPROTO_UNKNOWN; } @@ -409,7 +409,7 @@ void RegisterENIPUDPParsers(void) } else { - printf("Protocol detection and parser disabled for %s protocol.", + SCLogConfig("Protocol detection and parser disabled for %s protocol.", proto_name); return; } diff --git a/src/detect-cipservice.c b/src/detect-cipservice.c index 1db2a42598..2488bf30ff 100644 --- a/src/detect-cipservice.c +++ b/src/detect-cipservice.c @@ -82,7 +82,7 @@ DetectCipServiceData *DetectCipServiceParse(char *rulestr) const char delims[] = ","; DetectCipServiceData *cipserviced = NULL; - //SCLogDebug("DetectCipServiceParse - rule string %s\n", rulestr); + //SCLogDebug("DetectCipServiceParse - rule string %s", rulestr); cipserviced = SCMalloc(sizeof(DetectCipServiceData)); if (unlikely(cipserviced == NULL)) @@ -104,7 +104,7 @@ DetectCipServiceData *DetectCipServiceParse(char *rulestr) { if (i > 2) //for now only need 3 parameters { - printf("DetectEnipCommandParse: Too many parameters\n"); + SCLogError(SC_ERR_INVALID_SIGNATURE, "too many parameters"); goto error; } @@ -112,7 +112,7 @@ DetectCipServiceData *DetectCipServiceParse(char *rulestr) { if (!isdigit((int) *token)) { - printf("DetectCipServiceParse - Parameter Error %s\n", token); + SCLogError(SC_ERR_INVALID_SIGNATURE, "parameter error %s", token); goto error; } } else //if on attribute @@ -126,7 +126,7 @@ DetectCipServiceData *DetectCipServiceParse(char *rulestr) if (!isdigit((int) *token)) { - printf("DetectCipServiceParse - Attribute Error %s\n", token); + SCLogError(SC_ERR_INVALID_SIGNATURE, "attribute error %s", token); goto error; } @@ -135,15 +135,15 @@ DetectCipServiceData *DetectCipServiceParse(char *rulestr) unsigned long num = atol(token); if ((num > MAX_CIP_SERVICE) && (i == 0))//if service greater than 7 bit { - printf("DetectEnipCommandParse: Invalid CIP service %lu\n", num); + SCLogError(SC_ERR_INVALID_SIGNATURE, "invalid CIP service %lu", num); goto error; } else if ((num > MAX_CIP_CLASS) && (i == 1))//if service greater than 16 bit { - printf("DetectEnipCommandParse: Invalid CIP class %lu\n", num); + SCLogError(SC_ERR_INVALID_SIGNATURE, "invalid CIP class %lu", num); goto error; } else if ((num > MAX_CIP_ATTRIBUTE) && (i == 2))//if service greater than 16 bit { - printf("DetectEnipCommandParse: Invalid CIP attribute %lu\n", num); + SCLogError(SC_ERR_INVALID_SIGNATURE, "invalid CIP attribute %lu", num); goto error; } @@ -158,12 +158,12 @@ DetectCipServiceData *DetectCipServiceParse(char *rulestr) cipserviced->cipattribute = input[2]; cipserviced->tokens = i; - SCLogDebug("DetectCipServiceParse - tokens %d\n", cipserviced->tokens); - SCLogDebug("DetectCipServiceParse - service %d\n", cipserviced->cipservice); - SCLogDebug("DetectCipServiceParse - class %d\n", cipserviced->cipclass); - SCLogDebug("DetectCipServiceParse - match attribute %d\n", + SCLogDebug("DetectCipServiceParse - tokens %d", cipserviced->tokens); + SCLogDebug("DetectCipServiceParse - service %d", cipserviced->cipservice); + SCLogDebug("DetectCipServiceParse - class %d", cipserviced->cipclass); + SCLogDebug("DetectCipServiceParse - match attribute %d", cipserviced->matchattribute); - SCLogDebug("DetectCipServiceParse - attribute %d\n", + SCLogDebug("DetectCipServiceParse - attribute %d", cipserviced->cipattribute); SCReturnPtr(cipserviced, "DetectENIPFunction"); @@ -171,7 +171,6 @@ DetectCipServiceData *DetectCipServiceParse(char *rulestr) error: if (cipserviced) SCFree(cipserviced); - printf("DetectCipServiceParse - Error Parsing Parameters\n"); SCReturnPtr(NULL, "DetectENIP"); } @@ -222,8 +221,6 @@ error: DetectCipServiceFree(cipserviced); if (sm != NULL) SCFree(sm); - printf("DetectCipServiceSetup - Error\n"); - SCReturnInt(-1); } @@ -359,7 +356,7 @@ DetectEnipCommandData *DetectEnipCommandParse(char *rulestr) unsigned long cmd = atol(rulestr); if (cmd > MAX_ENIP_CMD) //if command greater than 16 bit { - //printf("DetectEnipCommandParse: Invalid ENIP command %lu\n", cmd); + SCLogError(SC_ERR_INVALID_SIGNATURE, "invalid ENIP command %lu", cmd); goto error; } @@ -375,7 +372,6 @@ DetectEnipCommandData *DetectEnipCommandParse(char *rulestr) error: if (enipcmdd) SCFree(enipcmdd); - //printf("DetectEnipCommandParse - Error Parsing Parameters\n"); return NULL; } @@ -423,7 +419,6 @@ error: DetectEnipCommandFree(enipcmdd); if (sm != NULL) SCFree(sm); - printf("DetectEnipCommandSetup - Error\n"); SCReturnInt(-1); } diff --git a/src/detect-engine-enip.c b/src/detect-engine-enip.c index 4efcb49fd2..2facecc084 100644 --- a/src/detect-engine-enip.c +++ b/src/detect-engine-enip.c @@ -34,24 +34,25 @@ #include "util-debug.h" +#if 0 /** * \brief Print fields from ENIP Packet * @param enip_data */ void PrintENIPAL(ENIPTransaction *enip_data) { - SCLogDebug("============================================\n"); - SCLogDebug("ENCAP HEADER cmd 0x%x, length %d, session 0x%x, status 0x%x\n", + SCLogDebug("============================================"); + SCLogDebug("ENCAP HEADER cmd 0x%x, length %d, session 0x%x, status 0x%x", enip_data->header.command, enip_data->header.length, enip_data->header.session, enip_data->header.status); - //SCLogDebug("context 0x%x option 0x%x\n", enip_data->header.context, enip_data->header.option); - SCLogDebug("ENCAP DATA HEADER handle 0x%x, timeout %d, count %d\n", + //SCLogDebug("context 0x%x option 0x%x", enip_data->header.context, enip_data->header.option); + SCLogDebug("ENCAP DATA HEADER handle 0x%x, timeout %d, count %d", enip_data->encap_data_header.interface_handle, enip_data->encap_data_header.timeout, enip_data->encap_data_header.item_count); - SCLogDebug("ENCAP ADDR ITEM type 0x%x, length %d \n", + SCLogDebug("ENCAP ADDR ITEM type 0x%x, length %d", enip_data->encap_addr_item.type, enip_data->encap_addr_item.length); - SCLogDebug("ENCAP DATA ITEM type 0x%x, length %d sequence 0x%x\n", + SCLogDebug("ENCAP DATA ITEM type 0x%x, length %d sequence 0x%x", enip_data->encap_data_item.type, enip_data->encap_data_item.length, enip_data->encap_data_item.sequence_count); @@ -60,10 +61,11 @@ void PrintENIPAL(ENIPTransaction *enip_data) int count = 0; TAILQ_FOREACH(svc, &enip_data->service_list, next) { - //SCLogDebug("CIP Service #%d : 0x%x\n", count, svc->service); + //SCLogDebug("CIP Service #%d : 0x%x", count, svc->service); count++; } } +#endif /** * \brief Matches the rule to the CIP segment in ENIP Packet @@ -72,7 +74,6 @@ void PrintENIPAL(ENIPTransaction *enip_data) */ int CIPPathMatch(CIPServiceEntry *svc, DetectCipServiceData *cipserviced) { - uint16_t class = 0; uint16_t attrib = 0; int found_class = 0; @@ -165,14 +166,16 @@ int CIPServiceMatch(ENIPTransaction *enip_data, { int count = 1; CIPServiceEntry *svc = NULL; - //SCLogDebug("CIPServiceMatchAL\n"); + //SCLogDebug("CIPServiceMatchAL"); TAILQ_FOREACH(svc, &enip_data->service_list, next) { - SCLogDebug("CIPServiceMatchAL service #%d : 0x%x dir %d \n", count, svc->service, svc->direction); + SCLogDebug("CIPServiceMatchAL service #%d : 0x%x dir %d", + count, svc->service, svc->direction); if (cipserviced->cipservice == svc->service) { // compare service - //SCLogDebug("Rule Match for cip service %d\n",cipserviced->cipservice ); + //SCLogDebug("Rule Match for cip service %d",cipserviced->cipservice ); + if (cipserviced->tokens > 1) { //if rule params have class and attribute @@ -193,7 +196,7 @@ int CIPServiceMatch(ENIPTransaction *enip_data, { if (svc->direction == 1) return 0; //don't match responses - // SCLogDebug("CIPServiceMatchAL found\n"); + // SCLogDebug("CIPServiceMatchAL found"); return 1; } } @@ -230,11 +233,11 @@ int DetectEngineInspectCIP(ThreadVars *tv, DetectEngineCtx *de_ctx, SCLogDebug("no cipservice state, no match"); SCReturnInt(0); } - // SCLogDebug("DetectEngineInspectCIP %d\n", cipserviced->cipservice); + //SCLogDebug("DetectEngineInspectCIP %d", cipserviced->cipservice); if (CIPServiceMatch(tx, cipserviced) == 1) { - // SCLogDebug("DetectCIPServiceMatchAL found\n"); + //SCLogDebug("DetectCIPServiceMatchAL found"); SCReturnInt(1); } @@ -270,11 +273,11 @@ int DetectEngineInspectENIP(ThreadVars *tv, DetectEngineCtx *de_ctx, SCReturnInt(0); } - //SCLogDebug("DetectEngineInspectENIP %d, %d\n", enipcmdd->enipcommand, tx->header.command); + //SCLogDebug("DetectEngineInspectENIP %d, %d", enipcmdd->enipcommand, tx->header.command); if (enipcmdd->enipcommand == tx->header.command) { - // SCLogDebug("DetectENIPCommandMatchAL found!\n"); + // SCLogDebug("DetectENIPCommandMatchAL found!"); SCReturnInt(1); }