Added support for the csum-<protocol> rules keyword to the detection engine. Keywords added are ipv4-csum, tcpv4-csum, tcpv6-csum, udpv4-csum, udpv6-csum, icmpv4-csum and icmpv6-csum

src/Makefile.am

@@ -61,6 +61,7 @@ detect-flow.c detect-flow.h \
 detect-dsize.c detect-dsize.h \
 detect-decode-event.c detect-decode-event.h \
 detect-noalert.c detect-noalert.h \
+detect-csum.c detect-csum.h \
 util-print.c util-print.h \
 util-mpm.c util-mpm.h \
 util-binsearch.c util-binsearch.h \

src/decode-icmpv4.c

@@ -13,7 +13,7 @@
  *
  * \retval csum Checksum for the ICMP packet
  */
-static inline uint16_t ICMPV4CalculateChecksum(uint16_t *pkt, uint16_t tlen)
+inline uint16_t ICMPV4CalculateChecksum(uint16_t *pkt, uint16_t tlen)
 {
     uint16_t pad = 0;
     uint32_t csum = pkt[0];
@@ -76,6 +76,7 @@ void DecodeICMPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt
 #endif
 
     p->proto = IPPROTO_ICMP;
+
     return;
 }
 

src/decode-icmpv4.h

@@ -133,6 +133,12 @@ typedef struct ICMPV4Hdr_
     /* XXX incomplete */
 } ICMPV4Hdr;
 
+typedef struct ICMPV4Cache_ {
+    /* checksum computed over the icmpv4 packet */
+    int32_t comp_csum;
+} ICMPV4Cache;
+
+inline uint16_t ICMPV4CalculateChecksum(uint16_t *, uint16_t);
 void DecodeICMPV4RegisterTests(void);
 
 #endif /* __DECODE_ICMPV4_H__ */

src/decode-icmpv6.c

@@ -15,8 +15,8 @@
  *
  * \retval csum Checksum for the ICMPV6 packet
  */
-static inline uint16_t ICMPV6CalculateChecksum(uint16_t *shdr, uint16_t *pkt,
-                                               uint16_t tlen)
+inline uint16_t ICMPV6CalculateChecksum(uint16_t *shdr, uint16_t *pkt,
+                                        uint16_t tlen)
 {
     uint16_t pad = 0;
     uint32_t csum = shdr[0];

src/decode-icmpv6.h

@@ -73,6 +73,12 @@ typedef struct ICMPV6Hdr_
     /* XXX incomplete */
 } ICMPV6Hdr;
 
+typedef struct ICMPV6Cache_ {
+    /* checksum computed over the icmpv6 packet */
+    int32_t comp_csum;
+} ICMPV6Cache;
+
+inline uint16_t ICMPV6CalculateChecksum(uint16_t *, uint16_t *, uint16_t);
 void DecodeICMPV6RegisterTests(void);
 
 #endif /* __DECODE_ICMPV6_H__ */

src/decode-ipv4.c

@@ -19,7 +19,7 @@
  *
  * \retval csum Checksum for the IP packet
  */
-static inline uint16_t IPV4CalculateChecksum(uint16_t *pkt, uint16_t hlen)
+inline uint16_t IPV4CalculateChecksum(uint16_t *pkt, uint16_t hlen)
 {
     uint32_t csum = pkt[0];
 

src/decode-ipv4.h

@@ -165,6 +165,7 @@ typedef struct IPV4Cache_
     uint8_t ip_ttl;        /* time to live field */
     uint8_t ip_proto;      /* datagram protocol */
     uint16_t ip_csum;      /* checksum */
+    int32_t comp_csum;     /* checksum computed over the ipv4 packet */
     uint32_t ip_src_u32;   /* source IP */
     uint32_t ip_dst_u32;   /* dest IP */
 
@@ -189,6 +190,7 @@ typedef struct IPV4Vars_
     IPV4Opt *o_rtralt;
 } IPV4Vars;
 
+inline uint16_t IPV4CalculateChecksum(uint16_t *, uint16_t);
 void DecodeIPV4RegisterTests(void);
 
 #endif /* __DECODE_IPV4_H__ */

src/decode-tcp.c

@@ -18,8 +18,8 @@
  *
  * \retval csum Checksum for the TCP packet
  */
-static inline uint16_t TCPCalculateChecksum(uint16_t *shdr, uint16_t *pkt,
-                                            uint16_t tlen)
+inline uint16_t TCPCalculateChecksum(uint16_t *shdr, uint16_t *pkt,
+                                     uint16_t tlen)
 {
     uint16_t pad = 0;
     uint32_t csum = shdr[0];
@@ -78,8 +78,8 @@ static inline uint16_t TCPCalculateChecksum(uint16_t *shdr, uint16_t *pkt,
  *
  * \retval csum Checksum for the TCP packet
  */
-static inline uint16_t TCPV6CalculateChecksum(uint16_t *shdr, uint16_t *pkt,
-                                              uint16_t tlen)
+inline uint16_t TCPV6CalculateChecksum(uint16_t *shdr, uint16_t *pkt,
+                                       uint16_t tlen)
 {
     uint16_t pad = 0;
     uint32_t csum = shdr[0];

src/decode-tcp.h

@@ -105,6 +105,11 @@ typedef struct TCPVars_
     TCPOpt *mss;
 } TCPVars;
 
+typedef struct TCPCache_ {
+    /* checksum computed over the tcp(for both ipv4 and ipv6) packet */
+    int32_t comp_csum;
+} TCPCache;
+
 #define CLEAR_TCP_PACKET(p) { \
     (p)->tcph = NULL; \
     (p)->tcpvars.tcp_opt_cnt = 0; \
@@ -114,6 +119,8 @@ typedef struct TCPVars_
     (p)->tcpvars.mss = NULL; \
 }
 
+inline uint16_t TCPCalculateChecksum(uint16_t *, uint16_t *, uint16_t);
+inline uint16_t TCPV6CalculateChecksum(uint16_t *, uint16_t *, uint16_t);
 void DecodeTCPRegisterTests(void);
 
 #endif /* __DECODE_TCP_H__ */

src/decode-udp.c

@@ -18,8 +18,8 @@
  *
  * \retval csum Checksum for the UDP packet
  */
-static inline uint16_t UDPV4CalculateChecksum(uint16_t *shdr, uint16_t *pkt,
-                                              uint16_t tlen)
+inline uint16_t UDPV4CalculateChecksum(uint16_t *shdr, uint16_t *pkt,
+                                       uint16_t tlen)
 {
     uint16_t pad = 0;
     uint32_t csum = shdr[0];
@@ -77,8 +77,8 @@ static inline uint16_t UDPV4CalculateChecksum(uint16_t *shdr, uint16_t *pkt,
  *
  * \retval csum Checksum for the UDP packet
  */
-static inline uint16_t UDPV6CalculateChecksum(uint16_t *shdr, uint16_t *pkt,
-                                              uint16_t tlen)
+inline uint16_t UDPV6CalculateChecksum(uint16_t *shdr, uint16_t *pkt,
+                                       uint16_t tlen)
 {
     uint16_t pad = 0;
     uint32_t csum = shdr[0];
@@ -150,6 +150,7 @@ static int DecodeUDPPacket(ThreadVars *t, Packet *p, uint8_t *pkt, uint16_t len)
     SET_UDP_SRC_PORT(p,&p->sp);
     SET_UDP_DST_PORT(p,&p->dp);
 
+    p->udpvars.hlen = UDP_HEADER_LEN;
     p->payload = pkt + UDP_HEADER_LEN;
     p->payload_len = len - UDP_HEADER_LEN;
 

src/decode-udp.h

@@ -28,6 +28,13 @@ typedef struct UDPVars_
     uint8_t hlen;
 } UDPVars;
 
+typedef struct UDPCache_ {
+    /* checksum computed over the udp(for both ipv4 and ipv6) packet */
+    int32_t comp_csum;
+} UDPCache;
+
+inline uint16_t UDPV4CalculateChecksum(uint16_t *, uint16_t *, uint16_t);
+inline uint16_t UDPV6CalculateChecksum(uint16_t *, uint16_t *, uint16_t);
 void DecodeUDPV4RegisterTests(void);
 
 #endif /* __DECODE_UDP_H__ */

src/decode.h

@@ -254,13 +254,17 @@ typedef struct Packet_
     IPV6ExtHdrs ip6eh;
 
     ICMPV4Hdr *icmpv4h;
+    ICMPV4Cache icmpv4c;
     ICMPV6Hdr *icmpv6h;
+    ICMPV6Cache icmpv6c;
 
     TCPHdr *tcph;
     TCPVars tcpvars;
+    TCPCache tcpc;
 
     UDPHdr *udph;
     UDPVars udpvars;
+    UDPCache udpc;
 
     /* ptr to the payload of the packet
      * with it's length. */
@@ -356,6 +360,15 @@ typedef struct DecodeThreadVars_
     (p)->recursion_level = 0; \
 }
 
+/* reset these to -1(indicates that the packet is fresh from the queue) */
+#define RESET_PACKET_CSUMS(p) { \
+    (p)->ip4c.comp_csum = -1; \
+    (p)->tcpc.comp_csum = -1; \
+    (p)->udpc.comp_csum = -1;  \
+    (p)->icmpv4c.comp_csum = -1; \
+    (p)->icmpv6c.comp_csum = -1; \
+}
+
 
 /* macro's for setting the action
  * handle the case of a root packet

src/detect-csum.h

@@ -0,0 +1,16 @@
+#ifndef __DETECT_CSUM_H__
+#define __DETECT_CSUM_H__
+
+#define DETECT_CSUM_VALID "valid"
+#define DETECT_CSUM_INVALID "invalid"
+
+typedef struct DetectCsumData_ {
+    /* Indicates if the csum-<protocol> keyword in a rule holds the
+       keyvalue "valid" or "invalid" */
+    int16_t valid;
+} DetectCsumData;
+
+void DetectCsumRegister(void);
+
+#endif /* __DETECT_CSUM_H__ */
+

src/detect.h

@@ -399,6 +399,13 @@ enum {
     DETECT_PKTVAR,
     DETECT_NOALERT,
     DETECT_FLOWBITS,
+    DETECT_IPV4_CSUM,
+    DETECT_TCPV4_CSUM,
+    DETECT_TCPV6_CSUM,
+    DETECT_UDPV4_CSUM,
+    DETECT_UDPV6_CSUM,
+    DETECT_ICMPV4_CSUM,
+    DETECT_ICMPV6_CSUM,
 
     DETECT_ADDRESS,
     DETECT_PROTO,

src/eidps.c

@@ -156,6 +156,9 @@ Packet *SetupPkt (void)
         printf("SetupPkt: allocated a new packet...\n");
     }
 
+    /* reset the packet csum fields */
+    RESET_PACKET_CSUMS(p);
+
     return p;
 }