From 3eab71515382175be985fe53fe0262f7f661b1b3 Mon Sep 17 00:00:00 2001 From: Gurvinder Singh Date: Fri, 24 Sep 2010 18:28:23 +0200 Subject: [PATCH] support for printing protocol names for known protocol --- src/Makefile.am | 1 + src/alert-fastlog.c | 33 +++++++++++++-- src/suricata.c | 3 ++ src/util-proto-name.c | 94 +++++++++++++++++++++++++++++++++++++++++++ src/util-proto-name.h | 36 +++++++++++++++++ 5 files changed, 163 insertions(+), 4 deletions(-) create mode 100644 src/util-proto-name.c create mode 100644 src/util-proto-name.h diff --git a/src/Makefile.am b/src/Makefile.am index c549ca9494..0d612e89b3 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -176,6 +176,7 @@ util-decode-asn1.c util-decode-asn1.h \ util-ringbuffer.c util-ringbuffer.h \ util-validate.h \ util-memcmp.c util-memcmp.h \ +util-proto-name.c util-proto-name.h \ tm-modules.c tm-modules.h \ tm-queues.c tm-queues.h \ tm-queuehandlers.c tm-queuehandlers.h \ diff --git a/src/alert-fastlog.c b/src/alert-fastlog.c index 0831709af7..6c3b41e294 100644 --- a/src/alert-fastlog.c +++ b/src/alert-fastlog.c @@ -58,6 +58,7 @@ #include "util-cuda-handlers.h" #include "util-privs.h" #include "util-print.h" +#include "util-proto-name.h" #define DEFAULT_LOG_FILENAME "fast.log" 
@@ -144,8 +145,19 @@ TmEcode AlertFastLogIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip)); inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip)); - fprintf(aft->file_ctx->fp, "%s [**] [%" PRIu32 ":%" PRIu32 ":%" PRIu32 "] %s [**] [Classification: %s] [Priority: %" PRIu32 "] {%" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "", - timebuf, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio, IPV4_GET_IPPROTO(p), srcip, p->sp, dstip, p->dp); + if (SCProtoNameValid(IPV4_GET_IPPROTO(p)) == TRUE) { + fprintf(aft->file_ctx->fp, "%s [**] [%" PRIu32 ":%" PRIu32 ":%" + PRIu32 "] %s [**] [Classification: %s] [Priority: %"PRIu32"]" + " {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "", timebuf, + pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio, + known_proto[IPV4_GET_IPPROTO(p)], srcip, p->sp, dstip, p->dp); + } else { + fprintf(aft->file_ctx->fp, "%s [**] [%" PRIu32 ":%" PRIu32 ":%" + PRIu32 "] %s [**] [Classification: %s] [Priority: %"PRIu32"]" + " {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "", timebuf, + pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio, + IPV4_GET_IPPROTO(p), srcip, p->sp, dstip, p->dp); + } if(pa->references != NULL) { fprintf(aft->file_ctx->fp," "); 
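Review bot: The new `if`/`else` repeats the whole fast.log format string in both branches, with the two copies differing only in the `{...}` protocol field, so any future change to the record layout has to be made twice here (and twice more in the IPv6 function). Resolving the protocol text first and keeping a single `fprintf` gives the same output with one format string; pointing at the table entry rather than copying it also avoids truncating long names from /etc/protocols. `snprintf` is available wherever `fprintf` already is, so no new include is needed. AlertFastLogIPv4's body begins and ends outside the hunk.
```c
    char proto_s[16];
    const char *proto_name = NULL;
    if (SCProtoNameValid(IPV4_GET_IPPROTO(p)) == TRUE) {
        proto_name = known_proto[IPV4_GET_IPPROTO(p)];
    } else {
        /* unknown number: keep the zero-padded numeric form */
        snprintf(proto_s, sizeof(proto_s), "PROTO:%03" PRIu32, IPV4_GET_IPPROTO(p));
        proto_name = proto_s;
    }
    fprintf(aft->file_ctx->fp, "%s [**] [%" PRIu32 ":%" PRIu32 ":%" PRIu32 "] %s [**] "
            "[Classification: %s] [Priority: %" PRIu32 "] {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "",
            timebuf, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio,
            proto_name, srcip, p->sp, dstip, p->dp);
    /* … unchanged: references / newline … */
```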
@@ -186,8 +198,21 @@ TmEcode AlertFastLogIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip)); inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); - fprintf(aft->file_ctx->fp, "%s [**] [%" PRIu32 ":%" PRIu32 ":%" PRIu32 "] %s [**] [Classification: %s] [Priority: %" PRIu32 "] {%" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "", - timebuf, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, pa->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp); + if (SCProtoNameValid(IPV6_GET_L4PROTO(p)) == TRUE) { + fprintf(aft->file_ctx->fp, "%s [**] [%" PRIu32 ":%" PRIu32 ":%" + "" PRIu32 "] %s [**] [Classification: %s] [Priority: %" + "" PRIu32 "] {%s} %s:%" PRIu32 " -> %s:%" PRIu32 "", + timebuf, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, + pa->prio, known_proto[IPV6_GET_L4PROTO(p)], srcip, p->sp, + dstip, p->dp); + + } else { + fprintf(aft->file_ctx->fp, "%s [**] [%" PRIu32 ":%" PRIu32 ":%" + "" PRIu32 "] %s [**] [Classification: %s] [Priority: %" + "" PRIu32 "] {PROTO:%03" PRIu32 "} %s:%" PRIu32 " -> %s:%" PRIu32 "", + timebuf, pa->gid, pa->sid, pa->rev, pa->msg, pa->class_msg, + pa->prio, IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp); + } if(pa->references != NULL) { fprintf(aft->file_ctx->fp," "); diff --git a/src/suricata.c b/src/suricata.c index 087aee65bc..f964af3f8f 100644 --- a/src/suricata.c +++ b/src/suricata.c @@ -145,6 +145,7 @@ #include "util-ringbuffer.h" #include "util-mem.h" #include "util-memcmp.h" +#include "util-proto-name.h" /* * we put this here, because we only use it here in main. @@ -805,6 +806,7 @@ int main(int argc, char **argv) SCProfilingInit(); #endif /* PROFILING */ SCReputationInitCtx(); + SCProtoNameInit(); TagInitCtx(); @@ -1248,6 +1250,7 @@ int main(int argc, char **argv) RunModeShutDown(); OutputDeregisterAll(); TimeDeinit(); + SCProtoNameDeInit(); #ifdef PROFILING if (profiling_rules_enabled) 
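Review bot: Both `fprintf` calls in the IPv6 hunk splice an empty literal between the percent sign and the macro (`"%" "" PRIu32 "]"`), which the IPv4 hunk just above does not do; the empty string contributes nothing in C and makes the format harder to line up against its argument list. Write those pieces as `"%" PRIu32 "]"` so the two functions read the same way. The duplicated format string across the two branches is the same shape as in the IPv4 hunk and would collapse to a single `fprintf` in the same way, with the protocol text resolved into a `const char *` first. AlertFastLogIPv6's body starts and ends outside the hunk.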
diff --git a/src/util-proto-name.c b/src/util-proto-name.c
new file mode 100644
index 0000000000..84c71eb0a8
--- /dev/null
+++ b/src/util-proto-name.c
@@ -0,0 +1,94 @@
+/* Copyright (C) 2007-2010 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Gurvinder Singh
+ *
+ * File to provide the protocol names based on protocol numbers defined in the
+ * specified protocol file.
+ */
+
+#include "suricata-common.h"
+#include "util-proto-name.h"
+
+/**
+ * \brief Function to load the protocol names from the specified protocol
+ * file.
+ */
+void SCProtoNameInit()
+{
+ /* Load the known protocols name from the /etc/protocols file */
+ FILE *fp = fopen(PROTO_FILE,"r");
+ if (fp != NULL) {
+ char line[200];
+ char *ptr = NULL;
+ while(fgets(line, sizeof(line), fp) != NULL) {
+ if (line[0] == '#')
+ continue;
+
+ char *name = strtok_r(line," \t", &ptr);
+ if (name == NULL)
+ continue;
+ char *proto_ch = strtok_r(NULL," \t", &ptr);
+ if (proto_ch == NULL)
+ continue;
+ int proto = atoi(proto_ch);
+ if (proto >= 255)
+ continue;
+ char *cname = strtok_r(NULL, " \t", &ptr);
+
+ if (cname != NULL) {
+ known_proto[proto] = strdup(cname);
+ } else {
+ known_proto[proto] = strdup(name);
+ }
+ }
+ fclose(fp);
+ }
+}
+
+/**
+ * \brief Function to check if the received protocol number is valid and do
+ * we have corresponding name entry for this number or not.
+ *
+ * @param proto Protocol number to be validated
+ * @return On success returns TRUE otherwise FALSE
+ */
+uint8_t SCProtoNameValid(uint16_t proto)
+{
+ uint8_t ret = FALSE;
+ if ((proto <= 255) && known_proto[proto] != NULL)
+ {
+ ret = TRUE;
+ }
+
+ return ret;
+}
+
+/**
+ * \brief Function to clears the memory used in storing the protocol names.
+ */
+void SCProtoNameDeInit()
+{
+ /* clears the memory of loaded protocol names */
+ for (uint8_t cnt=0;cnt < 255;cnt++) {
+ if(known_proto[cnt] != NULL)
+ SCFree(known_proto[cnt]);
+ }
+}
\ No newline at end of file
diff --git a/src/util-proto-name.h b/src/util-proto-name.h
new file mode 100644
index 0000000000..b3ffa2e414
--- /dev/null
+++ b/src/util-proto-name.h
@@ -0,0 +1,36 @@
+/* Copyright (C) 2007-2010 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Gurvinder Singh
+ */
+
+#ifndef _UTIL_PROTO_NAME_H
+#define _UTIL_PROTO_NAME_H
+
+#define PROTO_FILE "/etc/protocols"
+
+/* Structure to hold the information related to known protocol in /etc/protocols */
+char *known_proto[255];
+uint8_t SCProtoNameValid(uint16_t );
+void SCProtoNameInit(void);
+void SCProtoNameDeInit(void);
+
+#endif /* _UTIL_PROTO_NAME_H */
+
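Review bot: `SCProtoNameValid` accepts `proto == 255` (`proto <= 255`) and then reads `known_proto[255]`, one element past the 255-entry table declared in util-proto-name.h, so a packet whose IP protocol field is 255 makes the fast.log path read past the array and, if the neighbouring word happens to be non-NULL, hand it to `%s` in alert-fastlog.c — the protocol number is attacker-chosen, so this is a packet-triggered out-of-bounds read. The table has to cover all 256 values and every bound must agree with it: init should reject the negatives that `atoi` returns for a malformed line (currently `proto >= 255` lets `-1` write before the array), the check in `SCProtoNameValid` becomes `proto < 256`, and `SCProtoNameDeInit` needs an `int` counter, since a `uint8_t` loop over 256 entries never terminates. Two smaller issues in the same hunk: entries are allocated with `strdup` but released with `SCFree`, which is only safe if `SCFree` is plain `free` (use the matching wrapper, `SCStrdup`, if util-mem.h provides one), and the last token of a line keeps the trailing newline from `fgets`, so a third column that ends a line would be logged with an embedded `\n`. A number that appears twice in the file also leaks the first copy, because the slot is overwritten without being freed. The rewritten lines below assume the header is changed to `known_proto[256]`.
```c
/* … unchanged: fopen / fgets loop up to the number conversion … */
            int proto = atoi(proto_ch);
            if (proto < 0 || proto > 255)   /* table holds 0..255; atoi() can return negatives */
                continue;
            char *cname = strtok_r(NULL, " \t\n", &ptr);   /* "\n" drops fgets' newline from the last column */

            if (known_proto[proto] != NULL)
                SCFree(known_proto[proto]);   /* duplicate number in the file: release the earlier copy */
            known_proto[proto] = SCStrdup(cname != NULL ? cname : name);   /* or strdup()+free() if no SCStrdup */
/* … unchanged: fclose … */

uint8_t SCProtoNameValid(uint16_t proto)
{
    /* 8-bit protocol field: anything >= 256 is never a valid index */
    return (proto < 256 && known_proto[proto] != NULL) ? TRUE : FALSE;
}

void SCProtoNameDeInit()
{
    for (int cnt = 0; cnt < 256; cnt++) {
        if (known_proto[cnt] != NULL) {
            SCFree(known_proto[cnt]);
            known_proto[cnt] = NULL;   /* make a second DeInit (or re-Init) safe */
        }
    }
}
```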
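Review bot: `char *known_proto[255];` in util-proto-name.h is a definition, not a declaration, so every translation unit that includes the header (alert-fastlog.c, suricata.c and util-proto-name.c in this patch) defines its own copy; this links only while the toolchain merges tentative definitions as common symbols and fails with duplicate-symbol errors under `-fno-common`, which newer GCC releases default to. Declare it here as `extern char *known_proto[256];` and define `char *known_proto[256];` once in util-proto-name.c. The size must be 256, because the IP protocol field is 8 bits and `SCProtoNameValid` admits the value 255. The header also uses `uint8_t`/`uint16_t` without including `<stdint.h>`, so it only compiles after suricata-common.h; either add the include or note the ordering in the file comment.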