Support "new" pflog format (revision 1.16 of if_pflog.h, 2010/09/21)

ok sthen
2012-04-07 08:31:39 +00:00 · 2012-04-07 08:31:39 +00:00 · f3c236e952
commit f3c236e952
parent 8b35cace70
3 changed files with 116 additions and 2 deletions
--- a/net/snort/Makefile
+++ b/net/snort/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.64 2012/03/29 13:38:49 sthen Exp $
+# $OpenBSD: Makefile,v 1.65 2012/04/07 08:31:39 mcbride Exp $

 SHARED_ONLY = 		Yes

@ -9,7 +9,7 @@ COMMENT =		highly flexible sniffer/NIDS
 # The following hack allows it to work but XXX if updating, the
 # MASTER_SITES URL will need to be adjusted, not just DISTNAME.
 DISTNAME = 		snort-2.8.6
-REVISION=		1
+REVISION=		2
 MASTER_SITES = 		http://dl.snort.org/downloads/14?/ \
 			http://distfiles.nl/

--- a/net/snort/patches/patch-src_decode_c
+++ b/net/snort/patches/patch-src_decode_c
@ -0,0 +1,52 @@
+$OpenBSD: patch-src_decode_c,v 1.1 2012/04/07 08:31:39 mcbride Exp $
+--- src/decode.c.orig	Fri Mar 19 02:50:54 2010
+++ src/decode.c	Sat Mar 24 11:23:57 2012
+@@ -2343,20 +2343,36 @@ void DecodePflog(Packet * p, const struct pcap_pkthdr 
+         return;
+     }
+     /* lay the pf header structure over the packet data */
+-    if ( *((uint8_t*)pkt) < PFLOG3_HDRMIN )
+    switch(*((uint8_t*)pkt))
+     {
+-        p->pf2h = (Pflog2Hdr*)pkt;
+-        pflen = p->pf2h->length;
+-        hlen = PFLOG2_HDRLEN;
+-        af = p->pf2h->af;
+        case PFLOG2_HDRMIN:
+            p->pf2h = (Pflog2Hdr*)pkt;
+            pflen = p->pf2h->length;
+            hlen = PFLOG2_HDRLEN;
+            af = p->pf2h->af;
+            break;
+        case PFLOG3_HDRMIN:
+            p->pf3h = (Pflog3Hdr*)pkt;
+            pflen = p->pf3h->length;
+            hlen = PFLOG3_HDRLEN;
+            af = p->pf3h->af;
+            break;
+        case PFLOG4_HDRMIN:
+            p->pf4h = (Pflog4Hdr*)pkt;
+            pflen = p->pf4h->length;
+            hlen = PFLOG4_HDRLEN;
+            af = p->pf4h->af;
+            break;
+        default:
+            if (ScLogVerbose())
+            {
+                ErrorMessage("unrecognized pflog header length! "
+                        "(%d)\n", *((uint8_t*)pkt));
+            }
+            PREPROC_PROFILE_END(decodePerfStats);
+            return;
+     }
+-    else
+-    {
+-        p->pf3h = (Pflog3Hdr*)pkt;
+-        pflen = p->pf3h->length;
+-        hlen = PFLOG3_HDRLEN;
+-        af = p->pf3h->af;
+-    }
+   
+     /* now that we know a little more, do a little more validation */
+     if(p->pkth->caplen < hlen)
+     {
--- a/net/snort/patches/patch-src_decode_h
+++ b/net/snort/patches/patch-src_decode_h
@ -0,0 +1,62 @@
+$OpenBSD: patch-src_decode_h,v 1.1 2012/04/07 08:31:39 mcbride Exp $
+--- src/decode.h.orig	Fri Mar 19 02:50:54 2010
+++ src/decode.h	Sat Apr  7 16:10:11 2012
+@@ -749,13 +749,14 @@ typedef struct _SLLHdr {
+ 
+ 
+ /*
+- * Snort supports 3 versions of the OpenBSD pflog header:
+ * Snort supports 4 versions of the OpenBSD pflog header:
+  *
+  * Pflog1_Hdr:  CVS = 1.3,  DLT_OLD_PFLOG = 17,  Length = 28
+  * Pflog2_Hdr:  CVS = 1.8,  DLT_PFLOG     = 117, Length = 48
+  * Pflog3_Hdr:  CVS = 1.12, DLT_PFLOG     = 117, Length = 64
+ * Pflog4_Hdr:  CVS = 1.16, DLT_PFLOG     = 117, Length = 100
+  *
+- * Since they have the same DLT, Pflog{2,3}Hdr are distinguished
+ * Since they have the same DLT, Pflog{2,3,4}Hdr are distinguished
+  * by their actual length.  The minimum required length excludes
+  * padding.
+  */
+@@ -823,6 +824,33 @@ typedef struct _Pflog3_hdr
+ #define PFLOG3_HDRLEN (sizeof(struct _Pflog3_hdr))
+ #define PFLOG3_HDRMIN (PFLOG3_HDRLEN - PFLOG_PADLEN)
+ 
+typedef struct _Pflog4_hdr
+{
+    uint8_t  length;
+    uint8_t  af;
+    uint8_t  action;
+    uint8_t  reason;
+    char     ifname[IFNAMSIZ];
+    char     ruleset[PFLOG_RULELEN];
+    uint32_t rulenr;
+    uint32_t subrulenr;
+    uint32_t uid;
+    uint32_t pid;
+    uint32_t rule_uid;
+    uint32_t rule_pid;
+    uint8_t  dir;
+    uint8_t  rewritten;
+    uint8_t  naf;
+    uint8_t  pad[1];
+    uint8_t  saddr[16];
+    uint8_t  daddr[16];
+    uint16_t sport;
+    uint16_t dport;
+} Pflog4Hdr;
+
+#define PFLOG4_HDRLEN (sizeof(struct _Pflog4_hdr))
+#define PFLOG4_HDRMIN (PFLOG4_HDRLEN)	/* no trailing padding */
+
+ /*
+  * ssl_pkttype values.
+  */
+@@ -1627,6 +1655,7 @@ typedef struct _Packet
+     Pflog1Hdr *pf1h;            /* OpenBSD pflog interface header - version 1 */
+     Pflog2Hdr *pf2h;            /* OpenBSD pflog interface header - version 2 */
+     Pflog3Hdr *pf3h;            /* OpenBSD pflog interface header - version 3 */
+    Pflog4Hdr *pf4h;            /* OpenBSD pflog interface header - version 4 */
+ 
+     const SLLHdr *sllh;         /* Linux cooked sockets header */
+     const WifiHdr *wifih;       /* wireless LAN header */