/src/suricata7/src/decode-erspan.c
Line | Count | Source |
1 | | /* Copyright (C) 2020-2021 Open Information Security Foundation |
2 | | * |
3 | | * You can copy, redistribute or modify this Program under the terms of |
4 | | * the GNU General Public License version 2 as published by the Free |
5 | | * Software Foundation. |
6 | | * |
7 | | * This program is distributed in the hope that it will be useful, |
8 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
9 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
10 | | * GNU General Public License for more details. |
11 | | * |
12 | | * You should have received a copy of the GNU General Public License |
13 | | * version 2 along with this program; if not, write to the Free Software |
14 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
15 | | * 02110-1301, USA. |
16 | | */ |
17 | | |
18 | | /** |
19 | | * \ingroup decode |
20 | | * |
21 | | * @{ |
22 | | */ |
23 | | |
24 | | |
25 | | /** |
26 | | * \file |
27 | | * |
28 | | * \author Victor Julien <victor@inliniac.net> |
29 | | * |
30 | | * Decodes ERSPAN Types I and II |
31 | | */ |
32 | | |
33 | | #include "suricata-common.h" |
34 | | #include "suricata.h" |
35 | | #include "decode.h" |
36 | | #include "decode-events.h" |
37 | | #include "decode-erspan.h" |
38 | | |
39 | | #include "util-validate.h" |
40 | | #include "util-unittest.h" |
41 | | #include "util-debug.h" |
42 | | |
43 | | /** |
44 | | * \brief Functions to decode ERSPAN Type I and II packets |
45 | | */ |
46 | | |
47 | | /* |
48 | | * \brief ERSPAN Type I was configurable in 5.0.x but is no longer configurable. |
49 | | * |
50 | | * Issue a warning if a configuration setting is found. |
51 | | */ |
52 | | void DecodeERSPANConfig(void) |
53 | 71 | { |
54 | 71 | int enabled = 0; |
55 | 71 | if (ConfGetBool("decoder.erspan.typeI.enabled", &enabled) == 1) { |
56 | 0 | SCLogWarning("ERSPAN Type I is no longer configurable and it is always" |
57 | 0 | " enabled; ignoring configuration setting."); |
58 | 0 | } |
59 | 71 | } |
60 | | |
61 | | /** |
62 | | * \brief ERSPAN Type I |
63 | | */ |
64 | | int DecodeERSPANTypeI(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, |
65 | | const uint8_t *pkt, uint32_t len) |
66 | 531 | { |
67 | 531 | StatsIncr(tv, dtv->counter_erspan); |
68 | | |
69 | 531 | return DecodeEthernet(tv, dtv, p, pkt, len); |
70 | 531 | } |
71 | | |
72 | | /** |
73 | | * \brief ERSPAN Type II |
74 | | */ |
75 | | int DecodeERSPAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len) |
76 | 5.34k | { |
77 | 5.34k | DEBUG_VALIDATE_BUG_ON(pkt == NULL); |
78 | | |
79 | 5.34k | StatsIncr(tv, dtv->counter_erspan); |
80 | | |
81 | 5.34k | if (len < sizeof(ErspanHdr)) { |
82 | 718 | ENGINE_SET_EVENT(p,ERSPAN_HEADER_TOO_SMALL); |
83 | 718 | return TM_ECODE_FAILED; |
84 | 718 | } |
85 | 4.62k | if (!PacketIncreaseCheckLayers(p)) { |
86 | 84 | return TM_ECODE_FAILED; |
87 | 84 | } |
88 | | |
89 | 4.54k | const ErspanHdr *ehdr = (const ErspanHdr *)pkt; |
90 | 4.54k | uint16_t version = SCNtohs(ehdr->ver_vlan) >> 12; |
91 | 4.54k | uint16_t vlan_id = SCNtohs(ehdr->ver_vlan) & 0x0fff; |
92 | | |
93 | 4.54k | SCLogDebug("ERSPAN: version %u vlan %u", version, vlan_id); |
94 | | |
95 | | /* only v1 is tested at this time */ |
96 | 4.54k | if (version != 1) { |
97 | 1.98k | ENGINE_SET_EVENT(p,ERSPAN_UNSUPPORTED_VERSION); |
98 | 1.98k | return TM_ECODE_FAILED; |
99 | 1.98k | } |
100 | | |
101 | 2.55k | if (vlan_id > 0) { |
102 | 1.86k | if (p->vlan_idx > VLAN_MAX_LAYER_IDX) { |
103 | 0 | ENGINE_SET_EVENT(p,ERSPAN_TOO_MANY_VLAN_LAYERS); |
104 | 0 | return TM_ECODE_FAILED; |
105 | 0 | } |
106 | 1.86k | p->vlan_id[p->vlan_idx] = vlan_id; |
107 | 1.86k | p->vlan_idx++; |
108 | 1.86k | } |
109 | | |
110 | 2.55k | return DecodeEthernet(tv, dtv, p, pkt + sizeof(ErspanHdr), len - sizeof(ErspanHdr)); |
111 | 2.55k | } |
112 | | |
113 | | /** |
114 | | * @} |
115 | | */ |