af-packet: add event for packets truncated by af-packet

Ticket: #7458 (cherry picked from commit d78f2c9a4e)
7 months ago · cd00499863
parent 916ed77121
commit cd00499863
5 changed files with 30 additions and 2 deletions
--- a/etc/schema.json
+++ b/etc/schema.json
@ -4297,6 +4297,17 @@
                        "event": {
                            "type": "object",
                            "properties": {
+                                "afpacket": {
+                                    "type": "object",
+                                    "properties": {
+                                        "trunc_pkt": {
+                                            "description":
+                                                    "Number of packets truncated by AF_PACKET",
+                                            "type": "integer"
+                                        }
+                                    },
+                                    "additionalProperties": false
+                                },
                                "chdlc": {
                                    "type": "object",
                                    "properties": {
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@ -151,5 +151,8 @@ alert pkthdr any any -> any any (msg:"SURICATA CHDLC packet too small"; decode-e

 alert pkthdr any any -> any any (msg:"SURICATA packet with too many layers"; decode-event:too_many_layers; classtype:protocol-command-decode; sid:2200116; rev:1;)

-# next sid is 2200121
+# Capture events.
+alert pkthdr any any -> any any (msg:"SURICATA AF-PACKET truncated packet"; decode-event:afpacket.trunc_pkt; classtype:protocol-command-decode; sid:2200122; rev:1;)
+
+# next sid is 2200123

--- a/src/decode-events.c
+++ b/src/decode-events.c
@ -27,6 +27,11 @@
 /* code moved to app-layer-events */

 const struct DecodeEvents_ DEvents[] = {
+    /* CAPTURE EVENTS */
+    {
+            "decoder.afpacket.trunc_pkt",
+            AFP_TRUNC_PKT,
+    },
    /* IPV4 EVENTS */
    {
            "decoder.ipv4.pkt_too_small",
--- a/src/decode-events.h
+++ b/src/decode-events.h
@ -27,8 +27,11 @@

 /* packet decoder events */
 enum {
+    /* AF_PACKET EVENTS */
+    AFP_TRUNC_PKT = 0, /**< packet truncated by af-packet */
+
    /* IPV4 EVENTS */
-    IPV4_PKT_TOO_SMALL = 0,       /**< ipv4 pkt smaller than minimum header size */
+    IPV4_PKT_TOO_SMALL,           /**< ipv4 pkt smaller than minimum header size */
    IPV4_HLEN_TOO_SMALL,          /**< ipv4 header smaller than minimum size */
    IPV4_IPLEN_SMALLER_THAN_HLEN, /**< ipv4 pkt len smaller than ip header size */
    IPV4_TRUNC_PKT,               /**< truncated ipv4 packet */
--- a/src/source-af-packet.c
+++ b/src/source-af-packet.c
@ -781,6 +781,7 @@ static void AFPReadFromRingSetupPacket(

    if (h.h2->tp_len > h.h2->tp_snaplen) {
        SCLogDebug("Packet length (%d) > snaplen (%d), truncating", h.h2->tp_len, h.h2->tp_snaplen);
+        ENGINE_SET_INVALID_EVENT(p, AFP_TRUNC_PKT);
    }

    /* get vlan id from header */
@ -982,6 +983,11 @@ static inline int AFPParsePacketV3(AFPThreadVars *ptv, struct tpacket_block_desc
        p->afp_v.vlan_tci = (uint16_t)ppd->hv1.tp_vlan_tci;
    }

+    if (ppd->tp_len > ppd->tp_snaplen) {
+        SCLogDebug("Packet length (%d) > snaplen (%d), truncating", ppd->tp_len, ppd->tp_snaplen);
+        ENGINE_SET_INVALID_EVENT(p, AFP_TRUNC_PKT);
+    }
+
    (void)PacketSetData(p, (unsigned char *)ppd + ppd->tp_mac, ppd->tp_snaplen);

    p->ReleasePacket = AFPReleasePacketV3;