PPP Support

16 years ago · dec11038c6
parent 1c2240cfeb
commit dec11038c6
9 changed files with 332 additions and 19 deletions
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -9,6 +9,7 @@ source-pcap-file.c source-pcap-file.h \
 decode.c decode.h \
 decode-ethernet.c decode-ethernet.h \
 decode-sll.c decode-sll.h \
+decode-ppp.c decode-ppp.h \
 decode-ipv4.c decode-ipv4.h \
 decode-ipv6.c decode-ipv6.h \
 decode-icmpv4.c decode-icmpv4.h \
--- a/src/decode-events.h
+++ b/src/decode-events.h
@ -40,6 +40,13 @@ enum {

    /* ETHERNET EVENTS */
    ETHERNET_PKT_TOO_SMALL,
+
+    /* PPP EVENTS */
+    PPP_PKT_TOO_SMALL,
+    PPPVJU_PKT_TOO_SMALL,
+    PPPIPV4_PKT_TOO_SMALL,
+    PPPIPV6_PKT_TOO_SMALL,
+    PPP_WRONG_TYPE,
 };

 #endif /* __DECODE_EVENTS_H__ */
--- a/src/decode-ipv4.c
+++ b/src/decode-ipv4.c
@ -77,18 +77,25 @@ void DecodeIPV4(ThreadVars *t, Packet *p, u_int8_t *pkt, u_int16_t len, PacketQu
    inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), s, sizeof(s));
    inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), d, sizeof(d));
    printf("IPV4 %s->%s PROTO: %u OFFSET: %u RF: %u DF: %u MF: %u ID: %u\n", s,d,
-        IPV4_GET_IPPROTO(p), IPV4_GET_IPOFFSET(p), IPV4_GET_RF(p),
-        IPV4_GET_DF(p), IPV4_GET_MF(p), IPV4_GET_IPID(p));
+            IPV4_GET_IPPROTO(p), IPV4_GET_IPOFFSET(p), IPV4_GET_RF(p),
+            IPV4_GET_DF(p), IPV4_GET_MF(p), IPV4_GET_IPID(p));
 #endif /* DEBUG */

    /* check what next decoder to invoke */
    switch (IPV4_GET_IPPROTO(p)) {
+        case IPPROTO_IP:
+            /* check PPP VJ uncompressed packets and decode tcp dummy */
+            if(p->ppph != NULL && ntohs(p->ppph->protocol) == PPP_VJ_UCOMP)    {
+
+                return(DecodeTCP(t, p, pkt + IPV4_GET_HLEN(p), len -  IPV4_GET_HLEN(p)));
+            }
+            break;
        case IPPROTO_TCP:
            return(DecodeTCP(t, p, pkt + IPV4_GET_HLEN(p), len - IPV4_GET_HLEN(p)));
            break;
        case IPPROTO_UDP:
            //printf("DecodeIPV4: next layer is UDP\n");
-        	return(DecodeUDP(t, p, pkt + IPV4_GET_HLEN(p), len - IPV4_GET_HLEN(p)));
+            return(DecodeUDP(t, p, pkt + IPV4_GET_HLEN(p), len - IPV4_GET_HLEN(p)));
            break;
        case IPPROTO_ICMP:
            //printf("DecodeIPV4: next layer is ICMP\n");
--- a/src/decode-ppp.c
+++ b/src/decode-ppp.c
@ -0,0 +1,222 @@
+/* Copyright (c) 2009 Open Infosec Foundation
+ *  Written by Breno Silva Pinto <breno.silva@gmail.com> */
+
+#include "decode.h"
+#include "decode-ppp.h"
+#include "decode-events.h"
+
+#include "util-unittest.h"
+
+
+void DecodePPP(ThreadVars *t, Packet *p, u_int8_t *pkt, u_int16_t len, PacketQueue *pq)
+{
+
+    if(len < PPP_HEADER_LEN)    {
+        DECODER_SET_EVENT(p,PPP_PKT_TOO_SMALL);
+        return;
+    }
+
+    p->ppph = (PPPHdr *)pkt;
+
+    if(p->ppph == NULL)
+        return;
+
+#ifdef DEBUG
+    printf("DecodePPP: p %p pkt %p PPP protocol %04x Len: %d\n", p, pkt, ntohs(p->ppph->protocol), len);
+#endif
+
+    switch (ntohs(p->ppph->protocol))
+    {
+        case PPP_VJ_COMP:
+        case PPP_IPX:
+        case PPP_OSI:
+        case PPP_NS:
+        case PPP_DECNET:
+        case PPP_APPLE:
+        case PPP_BRPDU:
+        case PPP_STII:
+        case PPP_VINES:
+        case PPP_HELLO:
+        case PPP_LUXCOM:
+        case PPP_SNS:
+        case PPP_MPLS_UCAST:
+        case PPP_MPLS_MCAST:
+        case PPP_IPCP:
+        case PPP_OSICP:
+        case PPP_NSCP:
+        case PPP_DECNETCP:
+        case PPP_APPLECP:
+        case PPP_IPXCP:
+        case PPP_STIICP:
+        case PPP_VINESCP:
+        case PPP_IPV6CP:
+        case PPP_MPLSCP:
+        case PPP_LCP:
+        case PPP_PAP:
+        case PPP_LQM:
+        case PPP_CHAP:
+            break;
+
+        case PPP_VJ_UCOMP:
+
+            if(len < (PPP_HEADER_LEN + IPV4_HEADER_LEN))    {
+                DECODER_SET_EVENT(p,PPPVJU_PKT_TOO_SMALL);
+                return;
+            }
+
+
+            if(IPV4_GET_RAW_VER((IPV4Hdr *)(pkt + PPP_HEADER_LEN)) == 4) {
+                DecodeIPV4(t, p, pkt + PPP_HEADER_LEN, len - PPP_HEADER_LEN, pq );
+            }
+            break;
+
+        case PPP_IP:
+            if(len < (PPP_HEADER_LEN + IPV4_HEADER_LEN))    {
+                DECODER_SET_EVENT(p,PPPIPV4_PKT_TOO_SMALL);
+                return;
+            }
+
+            DecodeIPV4(t, p, pkt + PPP_HEADER_LEN, len - PPP_HEADER_LEN, pq );
+            break;
+
+            /* PPP IPv6 was not tested */
+        case PPP_IPV6:
+            if(len < (PPP_HEADER_LEN + IPV6_HEADER_LEN))    {
+                DECODER_SET_EVENT(p,PPPIPV6_PKT_TOO_SMALL);
+                return;
+            }
+
+            DecodeIPV6(t, p, pkt + PPP_HEADER_LEN, len - PPP_HEADER_LEN);
+            break;
+
+        default:
+#ifdef	DEBUG
+            printf("Unknown PPP protocol: %x\n",ntohs(p->ppph->protocol));
+#endif
+            DECODER_SET_EVENT(p,PPP_WRONG_TYPE);
+            return;
+    }
+
+    return;
+}
+
+/*  DecodePPPtest01
+ *  Decode malformed ip layer PPP packet
+ *  Expected test value: 1
+ */
+
+static int DecodePPPtest01 (void)   {
+    u_int8_t raw_ppp[] = { 0xff ,0x03 ,0x00 ,0x21 ,0x45 ,0xc0 ,0x00 };
+    Packet p;
+    ThreadVars tv;
+
+
+    memset(&tv, 0, sizeof(ThreadVars));
+    memset(&p, 0, sizeof(Packet));
+
+    DecodePPP(&tv, &p, raw_ppp, sizeof(raw_ppp), NULL);
+
+    /* Function my returns here with expected value */
+
+    if(DECODER_ISSET_EVENT(&p,PPPIPV4_PKT_TOO_SMALL))  {
+        return 1;
+    }
+
+    return 0;
+}
+
+/*  DecodePPPtest02
+ *  Decode malformed ppp layer packet
+ *  Expected test value: 1
+ */
+
+static int DecodePPPtest02 (void)   {
+    u_int8_t raw_ppp[] = { 0xff ,0x03 ,0x00 ,0xff ,0x45 ,0xc0 ,0x00 ,0x2c ,0x4d ,0xed ,0x00 ,0x00 ,0xff ,0x06 ,0xd5 ,0x17, 0xbf ,0x01 ,0x0d ,0x01 ,0xbf ,0x01 ,0x0d ,0x03 ,0xea ,0x37 ,0x00 ,0x17 ,0x6d ,0x0b ,0xba ,0xc3, 0x00 ,0x00 ,0x00 ,0x00 ,0x60 ,0x02 ,0x10 ,0x20 ,0xdd ,0xe1 ,0x00 ,0x00};
+    Packet p;
+    ThreadVars tv;
+
+
+    memset(&tv, 0, sizeof(ThreadVars));
+    memset(&p, 0, sizeof(Packet));
+
+    DecodePPP(&tv, &p, raw_ppp, sizeof(raw_ppp), NULL);
+
+    /* Function must returns here */
+
+    if(DECODER_ISSET_EVENT(&p,PPP_WRONG_TYPE))  {
+        return 1;
+    }
+
+    return 0;
+}
+
+/*  DecodePPPtest03
+ *  Decode right PPP packet
+ *  Expected test value: 1
+ */
+
+
+static int DecodePPPtest03 (void)   {
+    u_int8_t raw_ppp[] = { 0xff ,0x03 ,0x00 ,0x21 ,0x45 ,0xc0 ,0x00 ,0x2c ,0x4d ,0xed ,0x00 ,0x00 ,0xff ,0x06 ,0xd5 ,0x17, 0xbf ,0x01 ,0x0d ,0x01 ,0xbf ,0x01 ,0x0d ,0x03 ,0xea ,0x37 ,0x00 ,0x17 ,0x6d ,0x0b ,0xba ,0xc3, 0x00 ,0x00 ,0x00 ,0x00 ,0x60 ,0x02 ,0x10 ,0x20 ,0xdd ,0xe1 ,0x00 ,0x00};
+    Packet p;
+    ThreadVars tv;
+
+
+    memset(&tv, 0, sizeof(ThreadVars));
+    memset(&p, 0, sizeof(Packet));
+
+    DecodePPP(&tv, &p, raw_ppp, sizeof(raw_ppp), NULL);
+
+    if(p.ppph == NULL) {
+        return 0;
+    }
+
+    if(DECODER_ISSET_EVENT(&p,PPP_PKT_TOO_SMALL))  {
+        return 0;
+    }
+
+    if(DECODER_ISSET_EVENT(&p,PPPIPV4_PKT_TOO_SMALL))  {
+        return 0;
+    }
+
+    if(DECODER_ISSET_EVENT(&p,PPP_WRONG_TYPE))  {
+        return 0;
+    }
+
+    /* Function must return here */
+
+    return 1;
+}
+
+
+/*  DecodePPPtest04
+ *  Check if ppp header is null
+ *  Expected test value: 1
+ */
+
+static int DecodePPPtest04 (void)   {
+    u_int8_t raw_ppp[] = { 0xff ,0x03 ,0x00 ,0x21 ,0x45 ,0xc0 ,0x00 ,0x2c ,0x4d ,0xed ,0x00 ,0x00 ,0xff ,0x06 ,0xd5 ,0x17, 0xbf ,0x01 ,0x0d ,0x01 ,0xbf ,0x01 ,0x0d ,0x03 ,0xea ,0x37 ,0x00 ,0x17 ,0x6d ,0x0b ,0xba ,0xc3, 0x00 ,0x00 ,0x00 ,0x00 ,0x60 ,0x02 ,0x10 ,0x20 ,0xdd ,0xe1 ,0x00 ,0x00};
+    Packet p;
+    ThreadVars tv;
+
+
+    memset(&tv, 0, sizeof(ThreadVars));
+    memset(&p, 0, sizeof(Packet));
+
+    DecodePPP(&tv, &p, raw_ppp, sizeof(raw_ppp), NULL);
+
+    if(p.ppph == NULL) {
+        return 0;
+    }
+
+    /* Function must returns here */
+
+    return 1;
+}
+void DecodePPPRegisterTests(void) {
+    UtRegisterTest("DecodePPPtest01", DecodePPPtest01, 1);
+    UtRegisterTest("DecodePPPtest02", DecodePPPtest02, 1);
+    UtRegisterTest("DecodePPPtest03", DecodePPPtest03, 1);
+    UtRegisterTest("DecodePPPtest04", DecodePPPtest04, 1);
+}
+
--- a/src/decode-ppp.h
+++ b/src/decode-ppp.h
@ -0,0 +1,56 @@
+/* Copyright (c) 2009 Open Infosec Foundation
+ *  Written by Breno Silva Pinto <breno.silva@gmail.com> */
+
+#ifndef __DECODE_PPP_H__
+#define __DECODE_PPP_H__
+
+/* Point to Point Protocol RFC1331 - Supported tyes */
+
+#define PPP_IP         0x0021        	/* Internet Protocol */
+#define PPP_IPV6       0x0057        	/* Internet Protocol version 6 */
+#define PPP_VJ_UCOMP   0x002f        	/* VJ uncompressed TCP/IP */
+
+/* Unsupported PPP types (libpcap source reference) */
+
+#define PPP_IPX        0x002b        	/* Novell IPX Protocol */
+#define PPP_VJ_COMP    0x002d        	/* VJ compressed TCP/IP */
+#define PPP_IPX        0x002b        	/* Novell IPX Protocol */
+#define PPP_OSI	       0x0023  		/* OSI Network Layer */
+#define PPP_NS         0x0025  		/* Xerox NS IDP */
+#define PPP_DECNET     0x0027  		/* DECnet Phase IV */
+#define PPP_APPLE      0x0029  		/* Appletalk */
+#define PPP_BRPDU      0x0031  		/* Bridging PDU */
+#define PPP_STII       0x0033  		/* Stream Protocol (ST-II) */
+#define PPP_VINES      0x0035  		/* Banyan Vines */
+#define PPP_HELLO      0x0201  		/* 802.1d Hello Packets */
+#define PPP_LUXCOM     0x0231  		/* Luxcom */
+#define PPP_SNS        0x0233  		/* Sigma Network Systems */
+#define PPP_MPLS_UCAST 0x0281 		/* rfc 3032 */
+#define PPP_MPLS_MCAST 0x0283 		/* rfc 3022 */
+#define PPP_IPCP       0x8021  		/* IP Control Protocol */
+#define PPP_OSICP      0x8023  		/* OSI Network Layer Control Protocol */
+#define PPP_NSCP       0x8025  		/* Xerox NS IDP Control Protocol */
+#define PPP_DECNETCP   0x8027  		/* DECnet Control Protocol */
+#define PPP_APPLECP    0x8029  		/* Appletalk Control Protocol */
+#define PPP_IPXCP      0x802b  		/* Novell IPX Control Protocol */
+#define PPP_STIICP     0x8033  		/* Strean Protocol Control Protocol */
+#define PPP_VINESCP    0x8035  		/* Banyan Vines Control Protocol */
+#define PPP_IPV6CP     0x8057  		/* IPv6 Control Protocol */
+#define PPP_MPLSCP     0x8281 		/* rfc 3022 */
+#define PPP_LCP        0xc021  		/* Link Control Protocol */
+#define PPP_PAP        0xc023  		/* Password Authentication Protocol */
+#define PPP_LQM        0xc025  		/* Link Quality Monitoring */
+#define PPP_CHAP       0xc223  		/* Challenge Handshake Authentication Protocol */
+
+typedef struct _PPPHdr {
+    u_int8_t address;
+    u_int8_t control;
+    u_int16_t protocol;
+} PPPHdr;
+
+#define PPP_HEADER_LEN (sizeof(struct _PPPHdr))
+
+void DecodePPPRegisterTests(void);
+
+#endif /* __DECODE_PPP_H__ */
+
--- a/src/decode.h
+++ b/src/decode.h
@ -33,6 +33,7 @@
 #include "action-globals.h"

 #include "decode-ethernet.h"
+#include "decode-ppp.h"
 #include "decode-sll.h"
 #include "decode-ipv4.h"
 #include "decode-ipv6.h"
@ -186,8 +187,8 @@ typedef struct _PktVar {
    u_int8_t *value;
    u_int16_t value_len;
    struct _PktVar *next; /* right now just implement this as a list,
-                            * in the long run we have thing of something
-                            * faster. */
+                           * in the long run we have thing of something
+                           * faster. */
 } PktVar;

 typedef struct _Packet
@ -235,6 +236,7 @@ typedef struct _Packet

    /* header pointers */
    EthernetHdr *ethh;
+    PPPHdr *ppph;

    IPV4Hdr *ip4h;
    IPV4Vars ip4vars;
@ -302,6 +304,7 @@ typedef struct _PacketQueue {
        CLEAR_TCP_PACKET((p)); \
    } \
    (p)->ethh = NULL; \
+    (p)->ppph = NULL; \
    (p)->ip4h = NULL; \
    (p)->ip6h = NULL; \
    (p)->action = 0; \
@ -371,6 +374,7 @@ typedef struct _PacketQueue {
 /* decoder functions */
 void DecodeEthernet(ThreadVars *, Packet *, u_int8_t *, u_int16_t, PacketQueue *);
 void DecodeSll(ThreadVars *, Packet *, u_int8_t *, u_int16_t, PacketQueue *);
+void DecodePPP(ThreadVars *, Packet *, u_int8_t *, u_int16_t, PacketQueue *);
 void DecodeTunnel(ThreadVars *, Packet *, u_int8_t *, u_int16_t, PacketQueue *);
 void DecodeIPV4(ThreadVars *, Packet *, u_int8_t *, u_int16_t, PacketQueue *);
 void DecodeIPV6(ThreadVars *, Packet *, u_int8_t *, u_int16_t);
@ -391,6 +395,7 @@ Packet *TunnelPktSetup(ThreadVars *, Packet *, u_int8_t *, u_int16_t, u_int8_t);
 * file? */
 #define LINKTYPE_ETHERNET   DLT_EN10MB
 #define LINKTYPE_LINUX_SLL  113
+#define LINKTYPE_PPP	9

 #endif /* __DECODE_H__ */

--- a/src/eidps.c
+++ b/src/eidps.c
@ -811,7 +811,8 @@ int main(int argc, char **argv)
    MpmRegisterTests();
    FlowBitRegisterTests();
    SigRegisterTests();
-    //UtRunTests();
+    DecodePPPRegisterTests();
+    UtRunTests();
    UtCleanup();
    //exit(1);

--- a/src/source-pcap-file.c
+++ b/src/source-pcap-file.c
@ -144,12 +144,19 @@ int ReceivePcapFileThreadInit(ThreadVars *tv, void *initdata, void **data) {

    int datalink = pcap_datalink(pcap_g.pcap_handle);
    printf("TmModuleReceivePcapFileRegister: datalink %d\n", datalink);
-    if (datalink == LINKTYPE_LINUX_SLL)
-        pcap_g.Decoder = DecodeSll;
-    else if (datalink == LINKTYPE_ETHERNET)
-        pcap_g.Decoder = DecodeEthernet;
-    else {
-        printf("Error: datalink type %d not yet supported in module PcapFile.\n", datalink);
+    switch(datalink)	{
+        case LINKTYPE_LINUX_SLL:
+            pcap_g.Decoder = DecodeSll;
+            break;
+        case LINKTYPE_ETHERNET:
+            pcap_g.Decoder = DecodeEthernet;
+            break;
+        case LINKTYPE_PPP:
+            pcap_g.Decoder = DecodePPP;
+            break;
+        default:
+            printf("Error: datalink type %d not yet supported in module PcapFile.\n", datalink);
+            break;
    }

    ptv->tv = tv;
--- a/src/source-pcap.c
+++ b/src/source-pcap.c
@ -130,13 +130,20 @@ int ReceivePcapThreadInit(ThreadVars *tv, void *initdata, void **data) {
    }

    int datalink = pcap_datalink(pcap_g.pcap_handle);
-    printf("TmModuleReceivePcapRegister: datalink %d\n", datalink);
-    if (datalink == LINKTYPE_LINUX_SLL)
-        pcap_g.Decoder = DecodeSll;
-    else if (datalink == LINKTYPE_ETHERNET)
-        pcap_g.Decoder = DecodeEthernet;
-    else {
-        printf("Error: datalink type %d not yet supported in module Pcap.\n", datalink);
+    printf("TmModuleReceivePcapFileRegister: datalink %d\n", datalink);
+    switch(datalink)    {
+        case LINKTYPE_LINUX_SLL:
+            pcap_g.Decoder = DecodeSll;
+            break;
+        case LINKTYPE_ETHERNET:
+            pcap_g.Decoder = DecodeEthernet;
+            break;
+        case LINKTYPE_PPP:
+            pcap_g.Decoder = DecodePPP;
+            break;
+        default:
+            printf("Error: datalink type %d not yet supported in module PcapFile.\n", datalink);
+            break;
    }