decode: support Cisco Fabric Path / DCE

Cisco Fabric Path is ethernet wrapped in an ethernet like header with 2 extra bytes. The ethernet type is in the same location so the ethernet decoder can be used with some validation for the extra length.
9 years ago · 95015a3f6d
parent a8da6bbd71
commit 95015a3f6d
5 changed files with 23 additions and 1 deletions
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@ -137,5 +137,8 @@ alert pkthdr any any -> any any (msg:"SURICATA ERSPAN pkt too small"; decode-eve
 alert pkthdr any any -> any any (msg:"SURICATA ERSPAN unsupported version"; decode-event:erspan.unsupported_version; sid: 2200106; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA ERSPAN too many vlan layers"; decode-event:erspan.too_many_vlan_layers; sid: 2200107; rev:1;)

-# next sid is 2200110
+# Cisco Fabric Path/DCE
+alert pkthdr any any -> any any (msg:"SURICATA DCE packet too small"; decode-event:dce.pkt_too_small; sid:2200110; rev:1;)
+
+# next sid is 2200111

--- a/src/decode-ethernet.c
+++ b/src/decode-ethernet.c
@ -85,6 +85,14 @@ int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
            DecodeMPLS(tv, dtv, p, pkt + ETHERNET_HEADER_LEN,
                       len - ETHERNET_HEADER_LEN, pq);
            break;
+        case ETHERNET_TYPE_DCE:
+            if (unlikely(len < ETHERNET_DCE_HEADER_LEN)) {
+                ENGINE_SET_INVALID_EVENT(p, DCE_PKT_TOO_SMALL);
+            } else {
+                DecodeEthernet(tv, dtv, p, pkt + ETHERNET_DCE_HEADER_LEN,
+                    len - ETHERNET_DCE_HEADER_LEN, pq);
+            }
+            break;
        default:
            SCLogDebug("p %p pkt %p ether type %04x not supported", p,
                       pkt, ntohs(p->ethh->eth_type));
--- a/src/decode-ethernet.h
+++ b/src/decode-ethernet.h
@ -26,6 +26,9 @@

 #define ETHERNET_HEADER_LEN           14

+/* Cisco Fabric Path / DCE header length. */
+#define ETHERNET_DCE_HEADER_LEN       ETHERNET_HEADER_LEN + 2
+
 /* Ethernet types -- taken from Snort and Libdnet */
 #define ETHERNET_TYPE_PUP             0x0200 /* PUP protocol */
 #define ETHERNET_TYPE_IP              0x0800
@ -42,6 +45,8 @@
 #define ETHERNET_TYPE_LOOP            0x9000
 #define ETHERNET_TYPE_8021QINQ        0x9100
 #define ETHERNET_TYPE_ERSPAN          0x88BE
+#define ETHERNET_TYPE_DCE             0x8903 /* Data center ethernet,
+                                              * Cisco Fabric Path */

 typedef struct EthernetHdr_ {
    uint8_t eth_dst[6];
--- a/src/decode-events.c
+++ b/src/decode-events.c
@ -178,6 +178,9 @@ const struct DecodeEvents_ DEvents[] = {
    { "decoder.erspan.unsupported_version", ERSPAN_UNSUPPORTED_VERSION, },
    { "decoder.erspan.too_many_vlan_layers", ERSPAN_TOO_MANY_VLAN_LAYERS, },

+    /* Cisco Fabric Path/DCE events. */
+    { "decoder.dce.pkt_too_small", DCE_PKT_TOO_SMALL, },
+
    /* STREAM EVENTS */
    { "stream.3whs_ack_in_wrong_dir", STREAM_3WHS_ACK_IN_WRONG_DIR, },
    { "stream.3whs_async_wrong_seq", STREAM_3WHS_ASYNC_WRONG_SEQ, },
--- a/src/decode-events.h
+++ b/src/decode-events.h
@ -187,6 +187,9 @@ enum {
    ERSPAN_UNSUPPORTED_VERSION,
    ERSPAN_TOO_MANY_VLAN_LAYERS,

+    /* Cisco Fabric Path/DCE events. */
+    DCE_PKT_TOO_SMALL,
+
    /* END OF DECODE EVENTS ON SINGLE PACKET */
    DECODE_EVENT_PACKET_MAX,