bool begin(const char*, int, SnortConfig*) override;
bool set(const char*, Value& v, SnortConfig*) override;
+ Usage get_usage() const override
+ { return INSPECT; }
+
public:
std::string key;
unsigned long limit;
bool set(const char*, Value& v, SnortConfig*) override;
+ Usage get_usage() const override
+ { return INSPECT; }
+
public:
uint16_t port;
uint16_t max;
ProfileStats* get_profile() const override
{ return &pkt_num_perf_stats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
RangeCheck data;
};
ProfileStats* get_profile() const override
{ return &tcpUrgPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
RangeCheck data;
};
bool set(const char*, Value&, SnortConfig*) override;
bool begin(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return CONTEXT; }
+
public:
bool upper;
};
bool set(const char*, Value&, SnortConfig*) override
{ return false; }
+
+ Usage get_usage() const override
+ { return CONTEXT; }
};
//-------------------------------------------------------------------------
ProfileStats* get_profile() const override
{ return &reactPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
bool msg;
};
ProfileStats* get_profile() const override
{ return &rejPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
uint32_t flags;
};
bool begin(const char*, int, SnortConfig*) override;
bool end(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return DETECT; }
+
public:
bool disable_replace;
};
{ return GID_DECODE; }
const RuleMap* get_rules() const override;
+
+ Usage get_usage() const override
+ { return CONTEXT; }
};
#endif
{
const PegInfo pegs[]
{
- { "bad_checksum", "non-zero icmp checksums" },
- { nullptr, nullptr }
+ { CountType::SUM, "bad_checksum", "non-zero icmp checksums" },
+ { CountType::END, nullptr, nullptr }
};
struct Stats
{
const PegInfo pegs[]
{
- { "bad_icmp6_checksum", "nonzero icmp6 checksums" },
- { nullptr, nullptr }
+ { CountType::SUM, "bad_icmp6_checksum", "nonzero icmp6 checksums" },
+ { CountType::END, nullptr, nullptr }
};
struct Stats
{
const PegInfo pegs[]
{
- { "bad_checksum", "nonzero ip checksums" },
- { nullptr, nullptr }
+ { CountType::SUM, "bad_checksum", "nonzero ip checksums" },
+ { CountType::END, nullptr, nullptr }
};
struct Stats
{
const PegInfo pegs[]
{
- { "bad_tcp4_checksum", "nonzero tcp over ip checksums" },
- { "bad_tcp6_checksum", "nonzero tcp over ipv6 checksums" },
- { nullptr, nullptr }
+ { CountType::SUM, "bad_tcp4_checksum", "nonzero tcp over ip checksums" },
+ { CountType::SUM, "bad_tcp6_checksum", "nonzero tcp over ipv6 checksums" },
+ { CountType::END, nullptr, nullptr }
};
struct Stats
{
const PegInfo pegs[]
{
- { "bad_udp4_checksum", "nonzero udp over ipv4 checksums" },
- { "bad_udp6_checksum", "nonzero udp over ipv6 checksums" },
- { nullptr, nullptr }
+ { CountType::SUM, "bad_udp4_checksum", "nonzero udp over ipv4 checksums" },
+ { CountType::SUM, "bad_udp6_checksum", "nonzero udp over ipv6 checksums" },
+ { CountType::END, nullptr, nullptr }
};
struct Stats
static const PegInfo mpls_pegs[] =
{
- { "total_packets", "total mpls labeled packets processed" },
- { "total_bytes", "total mpls labeled bytes processed" },
- { nullptr, nullptr }
+ { CountType::SUM, "total_packets", "total mpls labeled packets processed" },
+ { CountType::SUM, "total_bytes", "total mpls labeled bytes processed" },
+ { CountType::END, nullptr, nullptr }
};
struct MplsStats
static const PegInfo file_connector_pegs[] =
{
- { "messages", "total messages" },
- { nullptr, nullptr }
+ { CountType::SUM, "messages", "total messages" },
+ { CountType::END, nullptr, nullptr }
};
extern THREAD_LOCAL SimpleStats file_connector_stats;
ProfileStats* get_profile() const override;
+ Usage get_usage() const override
+ { return GLOBAL; }
+
private:
FileConnectorConfig::FileConnectorConfigSet* config_set;
FileConnectorConfig* config;
THREAD_LOCAL ProfileStats file_connector_perfstats;
void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-
void show_stats(PegCount*, const PegInfo*, IndexVec&, const char*) { }
-
void show_stats(PegCount*, const PegInfo*, IndexVec&, const char*, FILE*) { }
#ifdef DEBUG_MSGS
Connector* connector_rb;
void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-
void show_stats(PegCount*, const PegInfo*, IndexVec&, const char*) { }
-
void show_stats(PegCount*, const PegInfo*, IndexVec&, const char*, FILE*) { }
const char* get_instance_file(std::string& file, const char* name)
FileConnectorConfig::FileConnectorConfigSet* FileConnectorModule::get_and_clear_config()
{
- FileConnectorConfig::FileConnectorConfigSet* config_set = new FileConnectorConfig::FileConnectorConfigSet;
+ FileConnectorConfig::FileConnectorConfigSet* config_set =
+ new FileConnectorConfig::FileConnectorConfigSet;
return config_set;
}
ProfileStats* FileConnectorModule::get_profile() const { return nullptr; }
bool FileConnectorModule::set(const char*, Value&, SnortConfig*) { return true; }
-
bool FileConnectorModule::begin(const char*, int, SnortConfig*) { return true; }
-
bool FileConnectorModule::end(const char*, int, SnortConfig*) { return true; }
const PegInfo* FileConnectorModule::get_pegs() const { return nullptr; }
-
PegCount* FileConnectorModule::get_counts() const { return nullptr; }
-
TEST_GROUP(file_connector)
{
void setup()
static const PegInfo tcp_connector_pegs[] =
{
- { "messages", "total messages" },
- { nullptr, nullptr }
+ { CountType::SUM, "messages", "total messages" },
+ { CountType::END, nullptr, nullptr }
};
extern THREAD_LOCAL SimpleStats tcp_connector_stats;
ProfileStats* get_profile() const override;
+ Usage get_usage() const override
+ { return GLOBAL; }
+
private:
TcpConnectorConfig::TcpConnectorConfigSet* config_set;
TcpConnectorConfig* config;
THREAD_LOCAL ProfileStats tcp_connector_perfstats;
void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-
void show_stats(PegCount*, const PegInfo*, IndexVec&, const char*) { }
-
void show_stats(PegCount*, const PegInfo*, IndexVec&, const char*, FILE*) { }
#ifdef DEBUG_MSGS
Connector* connector;
void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-
void show_stats(PegCount*, const PegInfo*, IndexVec&, const char*) { }
-
void show_stats(PegCount*, const PegInfo*, IndexVec&, const char*, FILE*) { }
unsigned get_instance_id()
ProfileStats* TcpConnectorModule::get_profile() const { return nullptr; }
bool TcpConnectorModule::set(const char*, Value&, SnortConfig*) { return true; }
-
bool TcpConnectorModule::begin(const char*, int, SnortConfig*) { return true; }
-
bool TcpConnectorModule::end(const char*, int, SnortConfig*) { return true; }
const PegInfo* TcpConnectorModule::get_pegs() const { return nullptr; }
-
PegCount* TcpConnectorModule::get_counts() const { return nullptr; }
TEST_GROUP(tcp_connector)
{
if (pg->mpse[i]->get_pattern_count() != 0)
{
- if (pg->mpse[i]->prep_patterns(sc) != 0)
+ if ( !sc->test_mode() or sc->mem_check() )
{
- FatalError("Failed to compile port group patterns.\n");
+ if ( pg->mpse[i]->prep_patterns(sc) != 0 )
+ FatalError("Failed to compile port group patterns.\n");
}
if (fp->get_debug_mode())
static const PegInfo fl_pegs[] =
{
- { "total_events", "total file events" },
-
- { nullptr, nullptr }
+ { CountType::SUM, "total_events", "total file events" },
+ { CountType::END, nullptr, nullptr }
};
//-------------------------------------------------------------------------
bool set(const char*, Value& v, SnortConfig*) override;
+ Usage get_usage() const override
+ { return INSPECT; }
+
public:
FileLogConfig config;
};
static const PegInfo file_pegs[] =
{
- { "total_files", "number of files processed" },
- { "total_file_data", "number of file data bytes processed" },
- { "cache_failures", "number of file cache add failures" },
- { nullptr, nullptr }
+ { CountType::SUM, "total_files", "number of files processed" },
+ { CountType::SUM, "total_file_data", "number of file data bytes processed" },
+ { CountType::SUM, "cache_failures", "number of file cache add failures" },
+ { CountType::END, nullptr, nullptr }
};
FileIdModule::FileIdModule() : Module(FILE_ID_NAME, FILE_ID_HELP, file_id_params) { }
void load_config(FileConfig*& dst);
+ Usage get_usage() const override
+ { return GLOBAL; }
+
private:
FileMagicRule rule;
FileMagicData magic;
#include "ha.h"
-extern THREAD_LOCAL SimpleStats ha_stats;
extern THREAD_LOCAL ProfileStats ha_perf_stats;
//-------------------------------------------------------------------------
return true;
}
-PegCount* HighAvailabilityModule::get_counts() const
-{ return (PegCount*)&ha_stats; }
-
bool begin(const char*, int, SnortConfig*) override;
bool end(const char*, int, SnortConfig*) override;
- PegCount* get_counts() const override;
+ PegCount* get_counts() const override
+ { return (PegCount*)&ha_stats; }
+
+ const PegInfo* get_pegs() const override
+ { return simple_pegs; }
+
ProfileStats* get_profile() const override;
+ Usage get_usage() const override
+ { return GLOBAL; }
+
private:
HighAvailabilityConfig config;
};
* Having these predefined stats improves consistency and provides convenience.
*/
#define SESSION_PEGS(module) \
- { "sessions", "total " module " sessions" }, \
- { "max", "max " module " sessions" }, \
- { "created", module " session trackers created" }, \
- { "released", module " session trackers released" }, \
- { "timeouts", module " session timeouts" }, \
- { "prunes", module " session prunes" }
+ { CountType::SUM, "sessions", "total " module " sessions" }, \
+ { CountType::MAX, "max", "max " module " sessions" }, \
+ { CountType::SUM, "created", module " session trackers created" }, \
+ { CountType::SUM, "released", module " session trackers released" }, \
+ { CountType::SUM, "timeouts", module " session timeouts" }, \
+ { CountType::SUM, "prunes", module " session prunes" }
// See above. Add to end of stats array.
#define SESSION_STATS \
PegCount timeouts; \
PegCount prunes
-#define SESSION_STAT_TYPES \
- CountType sessions = CountType::SUM; \
- CountType max = CountType::MAX; \
- CountType created = CountType::SUM; \
- CountType released = CountType::SUM; \
- CountType timeouts = CountType::SUM; \
- CountType prunes = CountType::SUM
-
// Do not change the semantics of max. Max = the highest seen during the perf interval.
// To obtain max over the entire run, determine the maximum of reported max pegs.
#define SESSION_STATS_ADD(stats) \
// basic stats support - note that where these are used, the number of
// elements in stats must be the same as the number of elements in the peg
-// info.
+// info (and in the same sequence).
#include "main/snort_types.h"
typedef uint64_t PegCount;
+enum CountType
+{
+ END, // sentinel value
+ SUM, // tracks cumulative total number of items seen (eg #events)
+ NOW, // gives snapshot of current number of items (eg current #sessions)
+ MAX, // tracks maximum value seen (eg max #sessions)
+};
+
struct SimpleStats
{
PegCount total_packets;
struct PegInfo
{
+ CountType type;
const char* name;
const char* help;
};
-enum CountType
-{
- SUM, // Tracks cumulative total number of items seen.
- NOW, // Gives snapshot of current number of items.
- MAX, // Tracks maximum value seen.
-};
-
SO_PUBLIC extern const struct PegInfo simple_pegs[];
#define array_size(a) (sizeof(a)/sizeof(a[0]))
return true;
}
-void Module::sum_stats_helper(bool accumulate_now_stats, const CountType* const count_types)
+void Module::sum_stats(bool accumulate_now_stats)
{
if ( num_counts < 0 )
reset_stats();
PegCount* p = get_counts();
+ const PegInfo* q = get_pegs();
if ( !p )
return;
+ assert(q);
+
if ( global_stats() )
{
for ( int i = 0; i < num_counts; i++ )
{
for ( int i = 0; i < num_counts; i++ )
{
- if(count_types)
- {
- switch (count_types[i])
- {
- case CountType::SUM:
- add_peg_count(i, p[i]);
- p[i] = 0;
- break;
-
- case CountType::NOW:
- if(accumulate_now_stats)
- add_peg_count(i, p[i]);
- break;
-
- case CountType::MAX:
- set_max_peg_count(i, p[i]);
- break;
- }
- }
- else
+ switch ( q[i].type )
{
+ case CountType::END:
+ break;
+
+ case CountType::SUM:
add_peg_count(i, p[i]);
p[i] = 0;
+ break;
+
+ case CountType::NOW:
+ if ( accumulate_now_stats )
+ add_peg_count(i, p[i]);
+ break;
+
+ case CountType::MAX:
+ set_max_peg_count(i, p[i]);
+ break;
}
}
}
}
-void Module::sum_stats(bool)
-{
- sum_stats_helper(false, nullptr);
-}
-
void Module::show_interval_stats(IndexVec& peg_idxs, FILE* fh)
{
if ( num_counts > 0 )
void Module::reset_stats()
{
- if( num_counts <= 0 )
+ if ( num_counts <= 0 )
{
num_counts = 0;
const PegInfo* pegs = get_pegs();
const PegInfo simple_pegs[] =
{
- { "packets", "total packets" },
- { nullptr, nullptr }
+ { CountType::SUM, "packets", "total packets" },
+ { CountType::END, nullptr, nullptr }
};
bool verified_set(const char*, Value&, SnortConfig*);
bool verified_end(const char*, int, SnortConfig*);
+ enum Usage
+ {
+ GLOBAL,
+ CONTEXT,
+ INSPECT,
+ DETECT
+ };
+
+ virtual Usage get_usage() const
+ { return CONTEXT; }
+
protected:
Module(const char* name, const char* help);
Module(const char* name, const char* help, const Parameter*,
bool is_list = false, Trace* = nullptr);
- void sum_stats_helper(bool accumulate_now_stats,
- const CountType* const count_types);
-
private:
friend class ModuleManager;
void init(const char*, const char* = nullptr);
const PegInfo lru_cache_shared_peg_names[] =
{
- { "lru_cache_adds", "lru cache added new entry" },
- { "lru_cache_replaces", "lru cache replaced existing entry" },
- { "lru_cache_prunes", "lru cache pruned entry to make space for new entry" },
- { "lru_cache_find_hits", "lru cache found entry in cache" },
- { "lru_cache_find_misses", "lru cache did not find entry in cache" },
- { "lru_cache_removes", "lru cache found entry and removed it" },
- { "lru_cache_clears", "lru cache clear API calls" },
- { nullptr, nullptr },
+ { CountType::SUM, "lru_cache_adds", "lru cache added new entry" },
+ { CountType::SUM, "lru_cache_replaces", "lru cache replaced existing entry" },
+ { CountType::SUM, "lru_cache_prunes", "lru cache pruned entry to make space for new entry" },
+ { CountType::SUM, "lru_cache_find_hits", "lru cache found entry in cache" },
+ { CountType::SUM, "lru_cache_find_misses", "lru cache did not find entry in cache" },
+ { CountType::SUM, "lru_cache_removes", "lru cache found entry and removed it" },
+ { CountType::SUM, "lru_cache_clears", "lru cache clear API calls" },
+ { CountType::END, nullptr, nullptr },
};
void sum_stats(bool) override;
+ Usage get_usage() const override
+ { return GLOBAL; }
+
private:
static const Parameter host_cache_params[];
static const Parameter service_params[];
const PegInfo host_tracker_pegs[] =
{
- { "service_adds", "host service adds" },
- { "service_finds", "host service finds" },
- { "service_removes", "host service removes" },
- { nullptr, nullptr },
+ { CountType::SUM, "service_adds", "host service adds" },
+ { CountType::SUM, "service_finds", "host service finds" },
+ { CountType::SUM, "service_removes", "host service removes" },
+ { CountType::END, nullptr, nullptr },
};
const Parameter HostTrackerModule::service_params[] =
{
public:
HostTrackerModule() : Module("host_tracker", host_tracker_help, host_tracker_params, true)
- {
- host = nullptr;
- }
+ { host = nullptr; }
~HostTrackerModule()
- {
- assert(!host);
- }
+ { assert(!host); }
const PegInfo* get_pegs() const override;
PegCount* get_counts() const override;
bool begin(const char*, int, SnortConfig*) override;
bool end(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return GLOBAL; }
+
private:
static const Parameter host_tracker_params[];
static const Parameter service_params[];
ProfileStats* get_profile() const override
{ return &tcpAckPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
RangeCheck data;
};
ProfileStats* get_profile() const override
{ return &asn1PerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
ASN1_CTXT data;
};
ProfileStats* get_profile() const override
{ return &base64PerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
Base64DecodeData data;
};
ProfileStats* get_profile() const override
{ return &lenCheckPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
RangeCheck data;
};
ProfileStats* get_profile() const override
{ return &byteExtractPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
ByteExtractData data;
};
ProfileStats* get_profile() const override
{ return &byteJumpPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
ByteJumpData data;
string var;
};
ProfileStats* get_profile() const override
{ return &byteMathPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
ByteMathData data;
string rvalue_var;
string off_var;
ProfileStats* get_profile() const override
{ return &byteTestPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
ByteTestData data;
string cmp_var;
string off_var;
public:
ClassTypeModule() : Module(s_name, s_help, s_params) { }
bool set(const char*, Value&, SnortConfig*) override;
+
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
ClassType* type;
};
ContentData* get_data();
+ Usage get_usage() const override
+ { return DETECT; }
+
private:
ContentData* cd;
};
ProfileStats* get_profile() const override
{ return &cvsPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
CvsRuleOption data;
};
bool set(const char*, Value&, SnortConfig*) override;
bool begin(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
THDX_STRUCT thdx;
DetectionFilterConfig* dfc;
};
ProfileStats* get_profile() const override
{ return &dsizePerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
RangeCheck data;
};
ProfileStats* get_profile() const override
{ return &fileDataPerfStats; }
+
+ Usage get_usage() const override
+ { return DETECT; }
};
//-------------------------------------------------------------------------
ProfileStats* get_profile() const override
{ return &fileTypePerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
TypeBitSet types;
};
ProfileStats* get_profile() const override
{ return &tcpFlagsPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
TcpFlagCheckData data;
};
ProfileStats* get_profile() const override
{ return &flowCheckPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
FlowCheckData data;
};
ProfileStats* get_profile() const override
{ return &flowBitsPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
public:
string args;
};
FragBitsData get_fragBits_data();
+ Usage get_usage() const override
+ { return DETECT; }
+
private:
FragBitsData fragBitsData;
};
ProfileStats* get_profile() const override
{ return &fragOffsetPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
RangeCheck data;
};
public:
GidModule() : Module(s_name, s_help, s_params) { }
bool set(const char*, Value&, SnortConfig*) override;
+
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
int gid;
};
HashMatchData* get_data();
+ Usage get_usage() const override
+ { return DETECT; }
+
private:
HashMatchData* hmd;
HashPsIdx idx;
ProfileStats* get_profile() const override
{ return &icmpIdPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
RangeCheck data;
};
ProfileStats* get_profile() const override
{ return &icmpSeqPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
RangeCheck data;
};
ProfileStats* get_profile() const override
{ return &icmpCodePerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
RangeCheck data;
};
ProfileStats* get_profile() const override
{ return &ipIdPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
RangeCheck data;
};
ProfileStats* get_profile() const override
{ return &ipProtoPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
IpProtoData data;
};
ProfileStats* get_profile() const override
{ return &ipOptionPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
IpOptionData data;
};
ProfileStats* get_profile() const override
{ return &isDataAtPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
IsDataAtData data;
};
ProfileStats* get_profile() const override
{ return &icmpTypePerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
RangeCheck data;
};
ProfileStats* get_profile() const override
{ return &luaIpsPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
public:
std::string args;
};
public:
MetadataModule() : Module(s_name, s_help, s_params) { }
bool set(const char*, Value&, SnortConfig*) override;
+
+ Usage get_usage() const override
+ { return DETECT; }
};
bool MetadataModule::set(const char*, Value& v, SnortConfig*)
public:
MsgModule() : Module(s_name, s_help, s_params) { }
bool set(const char*, Value&, SnortConfig*) override;
+
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
std::string msg;
};
PcreData* get_data();
+ Usage get_usage() const override
+ { return DETECT; }
+
private:
PcreData* data;
};
ProfileStats* get_profile() const override
{ return &pktDataPerfStats; }
+
+ Usage get_usage() const override
+ { return DETECT; }
};
//-------------------------------------------------------------------------
public:
PriorityModule() : Module(s_name, s_help, s_params) { }
bool set(const char*, Value&, SnortConfig*) override;
+
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
int priority;
};
ProfileStats* get_profile() const override
{ return &rawDataPerfStats; }
+
+ Usage get_usage() const override
+ { return DETECT; }
};
//-------------------------------------------------------------------------
bool set(const char*, Value&, SnortConfig*) override;
bool begin(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
std::string scheme;
std::string id;
SnortConfig* snort_config;
config.reset();
}
+ Usage get_usage() const override
+ { return DETECT; }
+
private:
RegexConfig config;
};
public:
RemModule() : Module(s_name, s_help, s_params) { }
bool set(const char*, Value&, SnortConfig*) override;
+
+ Usage get_usage() const override
+ { return DETECT; }
};
bool RemModule::set(const char*, Value& v, SnortConfig*)
ProfileStats* get_profile() const override
{ return &replacePerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
string data;
};
public:
RevModule() : Module(s_name, s_help, s_params) { }
bool set(const char*, Value&, SnortConfig*) override;
+
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
int rev;
};
{ return &rpcCheckPerfStats; }
bool set(Value&, uint32_t& field, int flag);
+
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
RpcCheckData data;
};
const PegInfo sd_pegs[] =
{
- { "below_threshold", "sd_pattern matched but missed threshold" },
- { "pattern_not_found", "sd_pattern did not not match" },
- { "terminated", "hyperscan terminated" },
- { nullptr, nullptr }
+ { CountType::SUM, "below_threshold", "sd_pattern matched but missed threshold" },
+ { CountType::SUM, "pattern_not_found", "sd_pattern did not not match" },
+ { CountType::SUM, "terminated", "hyperscan terminated" },
+ { CountType::END, nullptr, nullptr }
};
static THREAD_LOCAL SdStats s_stats;
void get_data(SdPatternConfig& c)
{ c = config; }
+ Usage get_usage() const override
+ { return DETECT; }
+
private:
SdPatternConfig config;
};
ProfileStats* get_profile() const override
{ return &tcpSeqPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
RangeCheck data;
};
bool set(const char*, Value&, SnortConfig*) override;
bool begin(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
struct SnortConfig* snort_config;
vector<string> services;
};
ProfileStats* get_profile() const override
{ return &sessionPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
SessionData data;
};
public:
SidModule() : Module(s_name, s_help, s_params) { }
bool set(const char*, Value&, SnortConfig*) override;
+
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
int sid;
};
ProfileStats* get_profile() const override
{ return &soPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
string name;
};
public:
SoidModule() : Module(s_name, s_help, s_params) { }
bool set(const char*, Value&, SnortConfig*) override;
+
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
std::string soid;
};
bool end(const char*, int, SnortConfig*) override;
TagData* get_data();
+
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
TagData* tag;
};
ProfileStats* get_profile() const override
{ return &ipTosPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
RangeCheck data;
};
ProfileStats* get_profile() const override
{ return &ttlCheckPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
RangeCheck data;
};
ProfileStats* get_profile() const override
{ return &tcpWinPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
RangeCheck data;
};
static const PegInfo latency_pegs[] =
{
- { "total_packets", "total packets monitored" },
- { "total_usecs", "total usecs elapsed" },
- { "max_usecs", "maximum usecs elapsed" },
- { "packet_timeouts", "packets that timed out" },
- { "total_rule_evals", "total rule evals monitored" },
- { "rule_eval_timeouts", "rule evals that timed out" },
- { "rule_tree_enables", "rule tree re-enables" },
- { nullptr, nullptr }
+ { CountType::SUM, "total_packets", "total packets monitored" },
+ { CountType::SUM, "total_usecs", "total usecs elapsed" },
+ { CountType::SUM, "max_usecs", "maximum usecs elapsed" },
+ { CountType::SUM, "packet_timeouts", "packets that timed out" },
+ { CountType::SUM, "total_rule_evals", "total rule evals monitored" },
+ { CountType::SUM, "rule_eval_timeouts", "rule evals that timed out" },
+ { CountType::SUM, "rule_tree_enables", "rule tree re-enables" },
+ { CountType::END, nullptr, nullptr }
};
// -----------------------------------------------------------------------------
const PegInfo* get_pegs() const override;
PegCount* get_counts() const override;
+
+ Usage get_usage() const override
+ { return CONTEXT; }
};
#endif
bool set(const char*, Value&, SnortConfig*) override;
bool begin(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return CONTEXT; }
+
public:
bool file;
string sep;
bool set(const char*, Value&, SnortConfig*) override;
bool begin(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return CONTEXT; }
+
public:
bool file;
unsigned long limit;
bool set(const char*, Value&, SnortConfig*) override;
bool begin(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return CONTEXT; }
+
public:
bool file;
unsigned long limit;
ProfileStats* get_profile() const override
{ return &luaLogPerfStats; }
+ Usage get_usage() const override
+ { return CONTEXT; }
+
public:
std::string args;
};
bool begin(const char*, int, SnortConfig*) override;
bool end(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return CONTEXT; }
+
public:
string file;
RuleVector rulez;
bool begin(const char*, int, SnortConfig*) override;
bool end(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return CONTEXT; }
+
public:
int facility;
int level;
bool set(const char*, Value&, SnortConfig*) override;
bool begin(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return CONTEXT; }
+
public:
bool print_to_file;
uint8_t flags;
bool set(const char*, Value&, SnortConfig*) override;
bool begin(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return CONTEXT; }
+
public:
bool file;
bool raw;
bool set(const char*, Value&, SnortConfig*) override;
bool begin(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return CONTEXT; }
+
public:
unsigned long limit;
};
bool set(const char*, Value&, SnortConfig*) override;
bool begin(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return CONTEXT; }
+
public:
unsigned limit;
bool nostamp;
PegCount* get_counts() const override
{ return (PegCount*) &pc; }
+
+ Usage get_usage() const override
+ { return GLOBAL; }
};
bool DetectionModule::set(const char* fqn, Value& v, SnortConfig* sc)
public:
EventQueueModule() : Module("event_queue", event_queue_help, event_queue_params) { }
bool set(const char*, Value&, SnortConfig*) override;
+
+ Usage get_usage() const override
+ { return CONTEXT; }
};
bool EventQueueModule::set(const char*, Value& v, SnortConfig* sc)
{ "show_fast_patterns", Parameter::PT_BOOL, nullptr, "false",
"print fast pattern info for each rule" },
- { "split_any_any", Parameter::PT_BOOL, nullptr, "false",
+ { "split_any_any", Parameter::PT_BOOL, nullptr, "true",
"evaluate any-any rules separately to save memory" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
const PegInfo mpse_pegs[] =
{
- { "max_queued", "maximum fast pattern matches queued for further evaluation" },
- { "total_flushed", "fast pattern matches discarded due to overflow" },
- { "total_inserts", "total fast pattern hits" },
- { "total_unique", "total unique fast pattern hits" },
- { "non_qualified_events", "total non-qualified events" },
- { "qualified_events", "total qualified events" },
- { "searched_bytes", "total bytes searched" },
- { nullptr, nullptr }
+ { CountType::SUM, "max_queued", "maximum fast pattern matches queued for further evaluation" },
+ { CountType::SUM, "total_flushed", "fast pattern matches discarded due to overflow" },
+ { CountType::SUM, "total_inserts", "total fast pattern hits" },
+ { CountType::SUM, "total_unique", "total unique fast pattern hits" },
+ { CountType::SUM, "non_qualified_events", "total non-qualified events" },
+ { CountType::SUM, "qualified_events", "total qualified events" },
+ { CountType::SUM, "searched_bytes", "total bytes searched" },
+ { CountType::END, nullptr, nullptr }
};
class SearchEngineModule : public Module
PegCount* get_counts() const override
{ return (PegCount*)&pmqs; }
+
+ Usage get_usage() const override
+ { return GLOBAL; }
};
bool SearchEngineModule::set(const char*, Value& v, SnortConfig* sc)
public:
ProfilerModule() : Module("profiler", profiler_help, profiler_params) { }
bool set(const char*, Value&, SnortConfig*) override;
+
+ Usage get_usage() const override
+ { return GLOBAL; }
};
bool ProfilerModule::set(const char* fqn, Value& v, SnortConfig* sc)
bool begin(const char*, int, SnortConfig*) override;
bool end(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return GLOBAL; }
+
private:
string name;
string text;
bool begin(const char*, int, SnortConfig*) override;
bool end(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return GLOBAL; }
+
private:
string name;
string url;
public:
AlertsModule() : Module("alerts", alerts_help, alerts_params) { }
bool set(const char*, Value&, SnortConfig*) override;
+
+ Usage get_usage() const override
+ { return GLOBAL; }
};
bool AlertsModule::set(const char*, Value& v, SnortConfig* sc)
public:
OutputModule() : Module("output", output_help, output_params) { }
bool set(const char*, Value&, SnortConfig*) override;
+
+ Usage get_usage() const override
+ { return GLOBAL; }
};
bool OutputModule::set(const char*, Value& v, SnortConfig* sc)
public:
ActiveModule() : Module("active", active_help, active_params) { }
bool set(const char*, Value&, SnortConfig*) override;
+
+ Usage get_usage() const override
+ { return GLOBAL; }
};
bool ActiveModule::set(const char*, Value& v, SnortConfig* sc)
public:
PacketsModule() : Module("packets", packets_help, packets_params) { }
bool set(const char*, Value&, SnortConfig*) override;
+
+ Usage get_usage() const override
+ { return GLOBAL; }
};
bool PacketsModule::set(const char*, Value& v, SnortConfig* sc)
AttributeTableModule() :
Module("attribute_table", attribute_table_help, attribute_table_params) { }
bool set(const char*, Value&, SnortConfig*) override;
+
+ Usage get_usage() const override
+ { return GLOBAL; }
};
bool AttributeTableModule::set(const char*, Value& v, SnortConfig* sc)
public:
NetworkModule() : Module("network", network_help, network_params) { }
bool set(const char*, Value&, SnortConfig*) override;
+
+ Usage get_usage() const override
+ { return CONTEXT; }
};
bool NetworkModule::set(const char*, Value& v, SnortConfig* sc)
public:
IpsModule() : Module("ips", ips_help, ips_params) { }
bool set(const char*, Value&, SnortConfig*) override;
+
+ Usage get_usage() const override
+ { return DETECT; }
};
bool IpsModule::set(const char*, Value& v, SnortConfig*)
bool begin(const char*, int, SnortConfig*) override;
bool end(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return GLOBAL; }
+
private:
int thread;
CpuSet* cpuset;
bool begin(const char*, int, SnortConfig*) override;
bool end(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return DETECT; }
+
private:
THDX_STRUCT thdx;
};
bool begin(const char*, int, SnortConfig*) override;
bool end(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return DETECT; }
+
private:
THDX_STRUCT thdx;
};
bool begin(const char*, int, SnortConfig*) override;
bool end(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return DETECT; }
+
private:
tSFRFConfigNode thdx;
};
bool begin(const char*, int, SnortConfig*) override;
bool end(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return DETECT; }
+
private:
RuleState state;
};
bool begin(const char*, int, SnortConfig*) override;
bool end(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return GLOBAL; }
+
private:
ApplicationEntry* app;
HostAttributeEntry* host;
RUN_FLAG__SHELL = 0x00800000,
#endif
#ifdef PIGLET
- RUN_FLAG__PIGLET = 0x01000000
+ RUN_FLAG__PIGLET = 0x01000000,
#endif
+ RUN_FLAG__MEM_CHECK = 0x02000000,
};
enum OutputFlag
static bool test_mode()
{ return snort_conf->run_flags & RUN_FLAG__TEST; }
+ static bool mem_check()
+ { return snort_conf->run_flags & RUN_FLAG__MEM_CHECK; }
+
static bool daemon_mode()
{ return snort_conf->run_flags & RUN_FLAG__DAEMON; }
{ "--max-packet-threads", Parameter::PT_INT, "0:", "1",
"<count> configure maximum number of packet threads (same as -z)" },
+ { "--mem-check", Parameter::PT_IMPLIED, nullptr, nullptr,
+ "like -T but also compile search engines" },
+
{ "--nostamps", Parameter::PT_IMPLIED, nullptr, nullptr,
"don't include timestamps in log file names" },
void sum_stats(bool) override
{ } // accumulate externally
+ Usage get_usage() const override
+ { return GLOBAL; }
+
private:
int instance_id;
};
else if ( v.is("--markup") )
config_markup(sc, v.get_string());
+ else if ( v.is("--mem-check") )
+ sc->run_flags |= (RUN_FLAG__TEST | RUN_FLAG__MEM_CHECK);
+
else if ( v.is("--nostamps") )
sc->set_no_logging_timestamps(true);
return PluginManager::get_type_name(api->type);
}
+static const char* mod_use(Module::Usage use)
+{
+ switch ( use )
+ {
+ case Module::GLOBAL : return "global";
+ case Module::CONTEXT: return "context";
+ case Module::INSPECT: return "inspect";
+ case Module::DETECT : return "detect";
+ }
+ assert(false);
+ return "error";
+}
+
void ModuleManager::show_module(const char* name)
{
if ( !name || !*name )
cout << endl << "What: " << Markup::escape(h) << endl;
cout << endl << "Type: " << mod_type(p->api) << endl;
+ cout << endl << "Usage: " << mod_use(m->get_usage()) << endl;
const Parameter* params = m->get_parameters();
const Parameter* def_params = m->get_default_parameters();
cout << "no match" << endl;
}
+static const char* peg_op(CountType ct)
+{
+ switch ( ct )
+ {
+ case CountType::SUM: return " (sum)";
+ case CountType::NOW: return " (now)";
+ case CountType::MAX: return " (max)";
+ default: break;
+ }
+ assert(false);
+ return "error";
+}
+
void ModuleManager::show_pegs(const char* pfx, bool exact)
{
s_modules.sort(comp_gids);
cout << "." << Markup::escape(pegs->name);
cout << Markup::emphasis_off();
cout << ": " << Markup::escape(pegs->help);
+ cout << Markup::escape(peg_op(pegs->type));
cout << endl;
++pegs;
}
MemoryModule();
bool set(const char*, Value&, SnortConfig*) override;
+
+ Usage get_usage() const override
+ { return GLOBAL; }
};
#endif
// FIXIT-M define and implement a flexible solution for maintaining protocol specific stats
const PegInfo appid_pegs[] =
{
- { "packets", "count of packets received" },
- { "processed_packets", "count of packets processed" },
- { "ignored_packets", "count of packets ignored" },
- { "aim_clients", "count of aim clients discovered" },
- { "battlefield_flows", "count of battle field flows discovered" },
- { "bgp_flows", "count of bgp flows discovered" },
- { "bit_clients", "count of bittorrent clients discovered" },
- { "bit_flows", "count of bittorrent flows discovered" },
- { "bittracker_clients", "count of bittorrent tracker clients discovered" },
- { "bootp_flows", "count of bootp flows discovered" },
- { "dcerpc_tcp_flows", "count of dce rpc flows over tcp discovered" },
- { "dcerpc_udp_flows", "count of dce rpc flows over udp discovered" },
- { "direct_connect_flows", "count of direct connect flows discovered" },
- { "dns_tcp_flows", "count of dns flows over tcp discovered" },
- { "dns_udp_flows", "count of dns flows over udp discovered" },
- { "ftp_flows", "count of ftp flows discovered" },
- { "ftps_flows", "count of ftps flows discovered" },
- { "http_flows", "count of http flows discovered" },
- { "imap_flows", "count of imap service flows discovered" },
- { "imaps_flows", "count of imap TLS service flows discovered" },
- { "irc_flows", "count of irc service flows discovered" },
- { "kerberos_clients", "count of kerberos clients discovered" },
- { "kerberos_flows", "count of kerberos service flows discovered" },
- { "kerberos_users", "count of kerberos users discovered" },
- { "lpr_flows", "count of lpr service flows discovered" },
- { "mdns_flows", "count of mdns service flows discovered" },
- { "msn_clients", "count of msn clients discovered" },
- { "mysql_flows", "count of mysql service flows discovered" },
- { "netbios_dgm_flows", "count of netbios-dgm service flows discovered" },
- { "netbios_ns_flows", "count of netbios-ns service flows discovered" },
- { "netbios_ssn_flows", "count of netbios-ssn service flows discovered" },
- { "nntp_flows", "count of nntp flows discovered" },
- { "ntp_flows", "count of ntp flows discovered" },
- { "pop_flows", "count of pop service flows discovered" },
- { "pop3_clients", "count of pop3 clients discovered" },
- { "pop3s_clients", "count of pop3s clients discovered" },
- { "radius_flows", "count of radius flows discovered" },
- { "rexec_flows", "count of rexec flows discovered" },
- { "rfb_flows", "count of rfb flows discovered" },
- { "rlogin_flows", "count of rlogin flows discovered" },
- { "rpc_flows", "count of rpc flows discovered" },
- { "rshell_flows", "count of rshell flows discovered" },
- { "rsync_flows", "count of rsync service flows discovered" },
- { "rtmp_flows", "count of rtmp flows discovered" },
- { "rtp_clients", "count of rtp clients discovered" },
- { "sip_clients", "count of SIP clients discovered" },
- { "sip_flows", "count of SIP flows discovered" },
- { "smtp_aol_clients", "count of AOL smtp clients discovered" },
- { "smtp_applemail_clients", "count of Apple Mail smtp clients discovered" },
- { "smtp_eudora_clients", "count of Eudora smtp clients discovered" },
- { "smtp_eudora_pro_clients", "count of Eudora Pro smtp clients discovered" },
- { "smtp_evolution_clients", "count of Evolution smtp clients discovered" },
- { "smtp_kmail_clients", "count of KMail smtp clients discovered" },
- { "smtp_lotus_notes_clients", "count of Lotus Notes smtp clients discovered" },
- { "smtp_microsoft_outlook_clients", "count of Microsoft Outlook smtp clients discovered" },
- { "smtp_microsoft_outlook_express_clients",
- "count of Microsoft Outlook Express smtp clients discovered" },
- { "smtp_microsoft_outlook_imo_clients",
- "count of Microsoft Outlook IMO smtp clients discovered" },
- { "smtp_mutt_clients", "count of Mutt smtp clients discovered" },
- { "smtp_thunderbird_clients", "count of Thunderbird smtp clients discovered" },
- { "smtp_flows", "count of smtp flows discovered" },
- { "smtps_flows", "count of smtps flows discovered" },
- { "snmp_flows", "count of snmp flows discovered" },
- { "ssh_clients", "count of ssh clients discovered" },
- { "ssh_flows", "count of ssh flows discovered" },
- { "ssl_flows", "count of ssl flows discovered" },
- { "telnet_flows", "count of telnet flows discovered" },
- { "tftp_flows", "count of tftp flows discovered" },
- { "timbuktu_clients", "count of timbuktu clients discovered" },
- { "timbuktu_flows", "count of timbuktu flows discovered" },
- { "tns_clients", "count of tns clients discovered" },
- { "tns_flows", "count of tns flows discovered" },
- { "vnc_clients", "count of vnc clients discovered" },
- { "yahoo_messenger_clients", "count of Yahoo Messenger clients discovered" },
- { nullptr, nullptr }
+ { CountType::SUM, "packets", "count of packets received" },
+ { CountType::SUM, "processed_packets", "count of packets processed" },
+ { CountType::SUM, "ignored_packets", "count of packets ignored" },
+ { CountType::SUM, "aim_clients", "count of aim clients discovered" },
+ { CountType::SUM, "battlefield_flows", "count of battle field flows discovered" },
+ { CountType::SUM, "bgp_flows", "count of bgp flows discovered" },
+ { CountType::SUM, "bit_clients", "count of bittorrent clients discovered" },
+ { CountType::SUM, "bit_flows", "count of bittorrent flows discovered" },
+ { CountType::SUM, "bittracker_clients", "count of bittorrent tracker clients discovered" },
+ { CountType::SUM, "bootp_flows", "count of bootp flows discovered" },
+ { CountType::SUM, "dcerpc_tcp_flows", "count of dce rpc flows over tcp discovered" },
+ { CountType::SUM, "dcerpc_udp_flows", "count of dce rpc flows over udp discovered" },
+ { CountType::SUM, "direct_connect_flows", "count of direct connect flows discovered" },
+ { CountType::SUM, "dns_tcp_flows", "count of dns flows over tcp discovered" },
+ { CountType::SUM, "dns_udp_flows", "count of dns flows over udp discovered" },
+ { CountType::SUM, "ftp_flows", "count of ftp flows discovered" },
+ { CountType::SUM, "ftps_flows", "count of ftps flows discovered" },
+ { CountType::SUM, "http_flows", "count of http flows discovered" },
+ { CountType::SUM, "imap_flows", "count of imap service flows discovered" },
+ { CountType::SUM, "imaps_flows", "count of imap TLS service flows discovered" },
+ { CountType::SUM, "irc_flows", "count of irc service flows discovered" },
+ { CountType::SUM, "kerberos_clients", "count of kerberos clients discovered" },
+ { CountType::SUM, "kerberos_flows", "count of kerberos service flows discovered" },
+ { CountType::SUM, "kerberos_users", "count of kerberos users discovered" },
+ { CountType::SUM, "lpr_flows", "count of lpr service flows discovered" },
+ { CountType::SUM, "mdns_flows", "count of mdns service flows discovered" },
+ { CountType::SUM, "msn_clients", "count of msn clients discovered" },
+ { CountType::SUM, "mysql_flows", "count of mysql service flows discovered" },
+ { CountType::SUM, "netbios_dgm_flows", "count of netbios-dgm service flows discovered" },
+ { CountType::SUM, "netbios_ns_flows", "count of netbios-ns service flows discovered" },
+ { CountType::SUM, "netbios_ssn_flows", "count of netbios-ssn service flows discovered" },
+ { CountType::SUM, "nntp_flows", "count of nntp flows discovered" },
+ { CountType::SUM, "ntp_flows", "count of ntp flows discovered" },
+ { CountType::SUM, "pop_flows", "count of pop service flows discovered" },
+ { CountType::SUM, "pop3_clients", "count of pop3 clients discovered" },
+ { CountType::SUM, "pop3s_clients", "count of pop3s clients discovered" },
+ { CountType::SUM, "radius_flows", "count of radius flows discovered" },
+ { CountType::SUM, "rexec_flows", "count of rexec flows discovered" },
+ { CountType::SUM, "rfb_flows", "count of rfb flows discovered" },
+ { CountType::SUM, "rlogin_flows", "count of rlogin flows discovered" },
+ { CountType::SUM, "rpc_flows", "count of rpc flows discovered" },
+ { CountType::SUM, "rshell_flows", "count of rshell flows discovered" },
+ { CountType::SUM, "rsync_flows", "count of rsync service flows discovered" },
+ { CountType::SUM, "rtmp_flows", "count of rtmp flows discovered" },
+ { CountType::SUM, "rtp_clients", "count of rtp clients discovered" },
+ { CountType::SUM, "sip_clients", "count of SIP clients discovered" },
+ { CountType::SUM, "sip_flows", "count of SIP flows discovered" },
+ { CountType::SUM, "smtp_aol_clients", "count of AOL smtp clients discovered" },
+ { CountType::SUM, "smtp_applemail_clients", "count of Apple Mail smtp clients discovered" },
+ { CountType::SUM, "smtp_eudora_clients", "count of Eudora smtp clients discovered" },
+ { CountType::SUM, "smtp_eudora_pro_clients", "count of Eudora Pro smtp clients discovered" },
+ { CountType::SUM, "smtp_evolution_clients", "count of Evolution smtp clients discovered" },
+ { CountType::SUM, "smtp_kmail_clients", "count of KMail smtp clients discovered" },
+ { CountType::SUM, "smtp_lotus_notes_clients", "count of Lotus Notes smtp clients discovered" },
+ { CountType::SUM,
+ "smtp_microsoft_outlook_clients", "count of Microsoft Outlook smtp clients discovered" },
+ { CountType::SUM, "smtp_microsoft_outlook_express_clients",
+ "count of Microsoft Outlook Express smtp clients discovered" },
+ { CountType::SUM, "smtp_microsoft_outlook_imo_clients",
+ "count of Microsoft Outlook IMO smtp clients discovered" },
+ { CountType::SUM, "smtp_mutt_clients", "count of Mutt smtp clients discovered" },
+ { CountType::SUM, "smtp_thunderbird_clients", "count of Thunderbird smtp clients discovered" },
+ { CountType::SUM, "smtp_flows", "count of smtp flows discovered" },
+ { CountType::SUM, "smtps_flows", "count of smtps flows discovered" },
+ { CountType::SUM, "snmp_flows", "count of snmp flows discovered" },
+ { CountType::SUM, "ssh_clients", "count of ssh clients discovered" },
+ { CountType::SUM, "ssh_flows", "count of ssh flows discovered" },
+ { CountType::SUM, "ssl_flows", "count of ssl flows discovered" },
+ { CountType::SUM, "telnet_flows", "count of telnet flows discovered" },
+ { CountType::SUM, "tftp_flows", "count of tftp flows discovered" },
+ { CountType::SUM, "timbuktu_clients", "count of timbuktu clients discovered" },
+ { CountType::SUM, "timbuktu_flows", "count of timbuktu flows discovered" },
+ { CountType::SUM, "tns_clients", "count of tns clients discovered" },
+ { CountType::SUM, "tns_flows", "count of tns flows discovered" },
+ { CountType::SUM, "vnc_clients", "count of vnc clients discovered" },
+ { CountType::SUM, "yahoo_messenger_clients", "count of Yahoo Messenger clients discovered" },
+ { CountType::END, nullptr, nullptr }
};
static const Parameter session_log_filter[] =
const AppIdModuleConfig* get_data();
+ Usage get_usage() const override
+ { return CONTEXT; }
+
private:
AppIdModuleConfig* config;
};
ProfileStats* get_profile() const override
{ return &appidRuleOptionPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
AppIdRuleOptionData opt_data;
};
const RuleMap* get_rules() const override;
ProfileStats* get_profile() const override;
+ Usage get_usage() const override
+ { return INSPECT; }
+
private:
ArpSpoofConfig* config;
IPMacEntry host;
static const PegInfo bind_pegs[] =
{
- { "packets", "initial bindings" },
- { "resets", "reset bindings" },
- { "blocks", "block bindings" },
- { "allows", "allow bindings" },
- { "inspects", "inspect bindings" },
- { nullptr, nullptr }
+ { CountType::SUM, "packets", "initial bindings" },
+ { CountType::SUM, "resets", "reset bindings" },
+ { CountType::SUM, "blocks", "block bindings" },
+ { CountType::SUM, "allows", "allow bindings" },
+ { CountType::SUM, "inspects", "inspect bindings" },
+ { CountType::END, nullptr, nullptr }
};
//-------------------------------------------------------------------------
std::vector<Binding*>& get_data();
+ Usage get_usage() const override
+ { return INSPECT; }
+
private:
Binding* work;
std::vector<Binding*> bindings;
const PegInfo norm_names[] =
{
- { "ip4_trim", "eth packets trimmed to datagram size" },
- { "ip4_tos", "type of service normalizations" },
- { "ip4_df", "don't frag bit normalizations" },
- { "ip4_rf", "reserved flag bit clears" },
- { "ip4_ttl", "time-to-live normalizations" },
- { "ip4_opts", "ip4 options cleared" },
- { "icmp4_echo", "icmp4 ping normalizations" },
- { "ip6_hops", "ip6 hop limit normalizations" },
- { "ip6_options", "ip6 options cleared" },
- { "icmp6_echo", "icmp6 echo normalizations" },
- { "tcp_syn_options", "SYN only options cleared from non-SYN packets" },
- { "tcp_options", "packets with options cleared" },
- { "tcp_padding", "packets with padding cleared" },
- { "tcp_reserved", "packets with reserved bits cleared" },
- { "tcp_nonce", "packets with nonce bit cleared" },
- { "tcp_urgent_ptr", "packets without data with urgent pointer cleared" },
- { "tcp_ecn_pkt", "packets with ECN bits cleared" },
- { "tcp_ts_ecr", "timestamp cleared on non-ACKs" },
- { "tcp_req_urg", "cleared urgent pointer when urgent flag is not set" },
- { "tcp_req_pay", "cleared urgent pointer and urgent flag when there is no payload" },
- { "tcp_req_urp", "cleared the urgent flag if the urgent pointer is not set" },
- { nullptr, nullptr }
+ { CountType::SUM, "ip4_trim", "eth packets trimmed to datagram size" },
+ { CountType::SUM, "ip4_tos", "type of service normalizations" },
+ { CountType::SUM, "ip4_df", "don't frag bit normalizations" },
+ { CountType::SUM, "ip4_rf", "reserved flag bit clears" },
+ { CountType::SUM, "ip4_ttl", "time-to-live normalizations" },
+ { CountType::SUM, "ip4_opts", "ip4 options cleared" },
+ { CountType::SUM, "icmp4_echo", "icmp4 ping normalizations" },
+ { CountType::SUM, "ip6_hops", "ip6 hop limit normalizations" },
+ { CountType::SUM, "ip6_options", "ip6 options cleared" },
+ { CountType::SUM, "icmp6_echo", "icmp6 echo normalizations" },
+ { CountType::SUM, "tcp_syn_options", "SYN only options cleared from non-SYN packets" },
+ { CountType::SUM, "tcp_options", "packets with options cleared" },
+ { CountType::SUM, "tcp_padding", "packets with padding cleared" },
+ { CountType::SUM, "tcp_reserved", "packets with reserved bits cleared" },
+ { CountType::SUM, "tcp_nonce", "packets with nonce bit cleared" },
+ { CountType::SUM, "tcp_urgent_ptr", "packets without data with urgent pointer cleared" },
+ { CountType::SUM, "tcp_ecn_pkt", "packets with ECN bits cleared" },
+ { CountType::SUM, "tcp_ts_ecr", "timestamp cleared on non-ACKs" },
+ { CountType::SUM, "tcp_req_urg", "cleared urgent pointer when urgent flag is not set" },
+ { CountType::SUM, "tcp_req_pay",
+ "cleared urgent pointer and urgent flag when there is no payload" },
+ { CountType::SUM, "tcp_req_urp", "cleared the urgent flag if the urgent pointer is not set" },
+ { CountType::END, nullptr, nullptr }
};
static THREAD_LOCAL PegCount normStats[PC_MAX+PC_TCP_MAX][NORM_MODE_MAX];
test_text.push_back(test_info);
test.help = test_text.back()->c_str();
+ test.type = norm.type;
test_pegs.push_back(test);
}
const NormalizerConfig* get_config()
{ return &config; }
+ Usage get_usage() const override
+ { return INSPECT; }
+
private:
bool set_ip4(const char*, Value&, SnortConfig*);
bool set_tcp(const char*, Value&, SnortConfig*);
const PegInfo cap_names[] =
{
- { "processed", "packets processed against filter" },
- { "captured", "packets matching dumped after matching filter" },
- { nullptr, nullptr }
+ { CountType::SUM, "processed", "packets processed against filter" },
+ { CountType::SUM, "captured", "packets matching dumped after matching filter" },
+ { CountType::END, nullptr, nullptr }
};
static const Parameter s_capture[] =
void get_config(CaptureConfig&);
+ Usage get_usage() const override
+ { return CONTEXT; }
+
private:
CaptureConfig config;
};
void real_sum_stats() { Module::sum_stats(false); }
+ Usage get_usage() const override
+ { return INSPECT; }
+
private:
PegCount* counts;
PegInfo pegs[6] =
{
- { "zero", ""},
- { "one", ""},
- { "two", ""},
- { "three", ""},
- { "four", ""},
- { nullptr, nullptr }
+ { CountType::SUM, "zero", ""},
+ { CountType::SUM, "one", ""},
+ { CountType::SUM, "two", ""},
+ { CountType::SUM, "three", ""},
+ { CountType::SUM, "four", ""},
+ { CountType::END, nullptr, nullptr }
};
};
void get_config(PerfConfig&);
+ Usage get_usage() const override
+ { return CONTEXT; }
+
private:
PerfConfig config;
PortscanConfig* get_data();
+ Usage get_usage() const override
+ { return CONTEXT; }
+
private:
PS_ALERT_CONF* get_alert_conf(const char* fqn);
const PegInfo reputation_peg_names[] =
{
- { "packets", "total packets processed" },
- { "blacklisted", "number of packets blacklisted" },
- { "whitelisted", "number of packets whitelisted" },
- { "monitored", "number of packets monitored" },
- { "memory_allocated", "total memory allocated" },
+ { CountType::SUM, "packets", "total packets processed" },
+ { CountType::SUM, "blacklisted", "number of packets blacklisted" },
+ { CountType::SUM, "whitelisted", "number of packets whitelisted" },
+ { CountType::SUM, "monitored", "number of packets monitored" },
+ { CountType::SUM, "memory_allocated", "total memory allocated" },
- { nullptr, nullptr }
+ { CountType::END, nullptr, nullptr }
};
const char* NestedIPKeyword[] =
ReputationConfig* get_data();
+ Usage get_usage() const override
+ { return GLOBAL; }
+
private:
ReputationConfig* conf;
};
const PegInfo* get_pegs() const override;
PegCount* get_counts() const override;
+
+ Usage get_usage() const override
+ { return GLOBAL; }
+
private:
SFDAQConfig* config;
SFDAQInstanceConfig* instance_config;
const PegInfo* get_pegs() const override;
PegCount* get_counts() const override;
ProfileStats* get_profile() const override;
+
+ Usage get_usage() const override
+ { return INSPECT; }
};
const PegInfo* BoModule::get_pegs() const
static const PegInfo dce_http_proxy_pegs[] =
{
- { "http_proxy_sessions", "successful http proxy sessions" },
- { "http_proxy_session_failures", "failed http proxy sessions" },
- { nullptr, nullptr }
+ { CountType::SUM, "http_proxy_sessions", "successful http proxy sessions" },
+ { CountType::SUM, "http_proxy_session_failures", "failed http proxy sessions" },
+ { CountType::END, nullptr, nullptr }
};
DceHttpProxyModule::DceHttpProxyModule() : Module(DCE_HTTP_PROXY_NAME, DCE_HTTP_PROXY_HELP)
const PegInfo* get_pegs() const override;
PegCount* get_counts() const override;
+
+ Usage get_usage() const override
+ { return INSPECT; }
};
#define DCE_HTTP_PROXY_NAME "dce_http_proxy"
static const PegInfo dce_http_server_pegs[] =
{
- { "http_server_sessions", "successful http server sessions" },
- { "http_server_session_failures", "failed http server sessions" },
- { nullptr, nullptr }
+ { CountType::SUM, "http_server_sessions", "successful http server sessions" },
+ { CountType::SUM, "http_server_session_failures", "failed http server sessions" },
+ { CountType::END, nullptr, nullptr }
};
DceHttpServerModule::DceHttpServerModule() : Module(DCE_HTTP_SERVER_NAME, DCE_HTTP_SERVER_HELP)
const PegInfo* get_pegs() const override;
PegCount* get_counts() const override;
+
+ Usage get_usage() const override
+ { return INSPECT; }
};
#define DCE_HTTP_SERVER_NAME "dce_http_server"
static const PegInfo dce2_smb_pegs[] =
{
- { "events", "total events" },
- { "pdus", "total connection-oriented PDUs" },
- { "binds", "total connection-oriented binds" },
- { "bind_acks", "total connection-oriented binds acks" },
- { "alter_contexts", "total connection-oriented alter contexts" },
- { "alter_context_responses", "total connection-oriented alter context responses" },
- { "bind_naks", "total connection-oriented bind naks" },
- { "requests", "total connection-oriented requests" },
- { "responses", "total connection-oriented responses" },
- { "cancels", "total connection-oriented cancels" },
- { "orphaned", "total connection-oriented orphaned" },
- { "faults", "total connection-oriented faults" },
- { "auth3s", "total connection-oriented auth3s" },
- { "shutdowns", "total connection-oriented shutdowns" },
- { "rejects", "total connection-oriented rejects" },
- { "ms_rpc_http_pdus", "total connection-oriented MS requests to send RPC over HTTP" },
- { "other_requests", "total connection-oriented other requests" },
- { "other_responses", "total connection-oriented other responses" },
- { "request_fragments", "total connection-oriented request fragments" },
- { "response_fragments", "total connection-oriented response fragments" },
- { "client_max_fragment_size", "connection-oriented client maximum fragment size" },
- { "client_min_fragment_size", "connection-oriented client minimum fragment size" },
- { "client_segs_reassembled", "total connection-oriented client segments reassembled" },
- { "client_frags_reassembled", "total connection-oriented client fragments reassembled" },
- { "server_max_fragment_size", "connection-oriented server maximum fragment size" },
- { "server_min_fragment_size", "connection-oriented server minimum fragment size" },
- { "server_segs_reassembled", "total connection-oriented server segments reassembled" },
- { "server_frags_reassembled", "total connection-oriented server fragments reassembled" },
- { "sessions", "total smb sessions" },
- { "packets", "total smb packets" },
- { "ignored_bytes", "total ignored bytes" },
- { "smb_client_segs_reassembled", "total smb client segments reassembled" },
- { "smb_server_segs_reassembled", "total smb server segments reassembled" },
- { "max_outstanding_requests", "total smb maximum outstanding requests" },
- { "files_processed", "total smb files processed" },
- { "smbv2_create", "total number of SMBv2 create packets seen" },
- { "smbv2_write", "total number of SMBv2 write packets seen" },
- { "smbv2_read", "total number of SMBv2 read packets seen" },
- { "smbv2_set_info", "total number of SMBv2 set info packets seen" },
- { "smbv2_tree_connect", "total number of SMBv2 tree connect packets seen" },
- { "smbv2_tree_disconnect", "total number of SMBv2 tree disconnect packets seen" },
- { "smbv2_close", "total number of SMBv2 close packets seen" },
- { "concurrent_sessions", "total concurrent sessions" },
- { "max_concurrent_sessions", "maximum concurrent sessions" },
- { nullptr, nullptr }
+ { CountType::SUM, "events", "total events" },
+ { CountType::SUM, "pdus", "total connection-oriented PDUs" },
+ { CountType::SUM, "binds", "total connection-oriented binds" },
+ { CountType::SUM, "bind_acks", "total connection-oriented binds acks" },
+ { CountType::SUM, "alter_contexts", "total connection-oriented alter contexts" },
+ { CountType::SUM, "alter_context_responses",
+ "total connection-oriented alter context responses" },
+ { CountType::SUM, "bind_naks", "total connection-oriented bind naks" },
+ { CountType::SUM, "requests", "total connection-oriented requests" },
+ { CountType::SUM, "responses", "total connection-oriented responses" },
+ { CountType::SUM, "cancels", "total connection-oriented cancels" },
+ { CountType::SUM, "orphaned", "total connection-oriented orphaned" },
+ { CountType::SUM, "faults", "total connection-oriented faults" },
+ { CountType::SUM, "auth3s", "total connection-oriented auth3s" },
+ { CountType::SUM, "shutdowns", "total connection-oriented shutdowns" },
+ { CountType::SUM, "rejects", "total connection-oriented rejects" },
+ { CountType::SUM, "ms_rpc_http_pdus",
+ "total connection-oriented MS requests to send RPC over HTTP" },
+ { CountType::SUM, "other_requests", "total connection-oriented other requests" },
+ { CountType::SUM, "other_responses", "total connection-oriented other responses" },
+ { CountType::SUM, "request_fragments", "total connection-oriented request fragments" },
+ { CountType::SUM, "response_fragments", "total connection-oriented response fragments" },
+ { CountType::SUM, "client_max_fragment_size",
+ "connection-oriented client maximum fragment size" },
+ { CountType::SUM, "client_min_fragment_size",
+ "connection-oriented client minimum fragment size" },
+ { CountType::SUM, "client_segs_reassembled",
+ "total connection-oriented client segments reassembled" },
+ { CountType::SUM, "client_frags_reassembled",
+ "total connection-oriented client fragments reassembled" },
+ { CountType::SUM, "server_max_fragment_size",
+ "connection-oriented server maximum fragment size" },
+ { CountType::SUM, "server_min_fragment_size",
+ "connection-oriented server minimum fragment size" },
+ { CountType::SUM, "server_segs_reassembled",
+ "total connection-oriented server segments reassembled" },
+ { CountType::SUM, "server_frags_reassembled",
+ "total connection-oriented server fragments reassembled" },
+ { CountType::SUM, "sessions", "total smb sessions" },
+ { CountType::SUM, "packets", "total smb packets" },
+ { CountType::SUM, "ignored_bytes", "total ignored bytes" },
+ { CountType::SUM, "smb_client_segs_reassembled", "total smb client segments reassembled" },
+ { CountType::SUM, "smb_server_segs_reassembled", "total smb server segments reassembled" },
+ { CountType::SUM, "max_outstanding_requests", "total smb maximum outstanding requests" },
+ { CountType::SUM, "files_processed", "total smb files processed" },
+ { CountType::SUM, "smbv2_create", "total number of SMBv2 create packets seen" },
+ { CountType::SUM, "smbv2_write", "total number of SMBv2 write packets seen" },
+ { CountType::SUM, "smbv2_read", "total number of SMBv2 read packets seen" },
+ { CountType::SUM, "smbv2_set_info", "total number of SMBv2 set info packets seen" },
+ { CountType::SUM, "smbv2_tree_connect", "total number of SMBv2 tree connect packets seen" },
+ { CountType::SUM, "smbv2_tree_disconnect",
+ "total number of SMBv2 tree disconnect packets seen" },
+ { CountType::SUM, "smbv2_close", "total number of SMBv2 close packets seen" },
+ { CountType::NOW, "concurrent_sessions", "total concurrent sessions" },
+ { CountType::MAX, "max_concurrent_sessions", "maximum concurrent sessions" },
+ { CountType::END, nullptr, nullptr }
};
-static const char* dce2SmbFingerprintPolicyStrings[] = { "Disabled", "Client","Server",
- "Client and Server" };
+static const char* dce2SmbFingerprintPolicyStrings[] =
+{ "Disabled", "Client","Server", "Client and Server" };
static const Parameter s_params[] =
{
bool set(const char*, Value&, SnortConfig*) override;
unsigned get_gid() const override
- {
- return GID_DCE2;
- }
+ { return GID_DCE2; }
const RuleMap* get_rules() const override;
const PegInfo* get_pegs() const override;
ProfileStats* get_profile(unsigned, const char*&, const char*&) const override;
void get_data(dce2SmbProtoConf&);
+ Usage get_usage() const override
+ { return INSPECT; }
+
private:
dce2SmbProtoConf config;
};
static const PegInfo dce2_tcp_pegs[] =
{
- { "events", "total events" },
- { "pdus", "total connection-oriented PDUs" },
- { "binds", "total connection-oriented binds" },
- { "bind_acks", "total connection-oriented binds acks" },
- { "alter_contexts", "total connection-oriented alter contexts" },
- { "alter_context_responses", "total connection-oriented alter context responses" },
- { "bind_naks", "total connection-oriented bind naks" },
- { "requests", "total connection-oriented requests" },
- { "responses", "total connection-oriented responses" },
- { "cancels", "total connection-oriented cancels" },
- { "orphaned", "total connection-oriented orphaned" },
- { "faults", "total connection-oriented faults" },
- { "auth3s", "total connection-oriented auth3s" },
- { "shutdowns", "total connection-oriented shutdowns" },
- { "rejects", "total connection-oriented rejects" },
- { "ms_rpc_http_pdus", "total connection-oriented MS requests to send RPC over HTTP" },
- { "other_requests", "total connection-oriented other requests" },
- { "other_responses", "total connection-oriented other responses" },
- { "request_fragments", "total connection-oriented request fragments" },
- { "response_fragments", "total connection-oriented response fragments" },
- { "client_max_fragment_size", "connection-oriented client maximum fragment size" },
- { "client_min_fragment_size", "connection-oriented client minimum fragment size" },
- { "client_segs_reassembled", "total connection-oriented client segments reassembled" },
- { "client_frags_reassembled", "total connection-oriented client fragments reassembled" },
- { "server_max_fragment_size", "connection-oriented server maximum fragment size" },
- { "server_min_fragment_size", "connection-oriented server minimum fragment size" },
- { "server_segs_reassembled", "total connection-oriented server segments reassembled" },
- { "server_frags_reassembled", "total connection-oriented server fragments reassembled" },
- { "tcp_sessions", "total tcp sessions" },
- { "tcp_packets", "total tcp packets" },
- { "concurrent_sessions", "total concurrent sessions" },
- { "max_concurrent_sessions", "maximum concurrent sessions" },
- { nullptr, nullptr }
+ { CountType::SUM, "events", "total events" },
+ { CountType::SUM, "pdus", "total connection-oriented PDUs" },
+ { CountType::SUM, "binds", "total connection-oriented binds" },
+ { CountType::SUM, "bind_acks", "total connection-oriented binds acks" },
+ { CountType::SUM, "alter_contexts", "total connection-oriented alter contexts" },
+ { CountType::SUM, "alter_context_responses",
+ "total connection-oriented alter context responses" },
+ { CountType::SUM, "bind_naks", "total connection-oriented bind naks" },
+ { CountType::SUM, "requests", "total connection-oriented requests" },
+ { CountType::SUM, "responses", "total connection-oriented responses" },
+ { CountType::SUM, "cancels", "total connection-oriented cancels" },
+ { CountType::SUM, "orphaned", "total connection-oriented orphaned" },
+ { CountType::SUM, "faults", "total connection-oriented faults" },
+ { CountType::SUM, "auth3s", "total connection-oriented auth3s" },
+ { CountType::SUM, "shutdowns", "total connection-oriented shutdowns" },
+ { CountType::SUM, "rejects", "total connection-oriented rejects" },
+ { CountType::SUM, "ms_rpc_http_pdus",
+ "total connection-oriented MS requests to send RPC over HTTP" },
+ { CountType::SUM, "other_requests", "total connection-oriented other requests" },
+ { CountType::SUM, "other_responses", "total connection-oriented other responses" },
+ { CountType::SUM, "request_fragments", "total connection-oriented request fragments" },
+ { CountType::SUM, "response_fragments", "total connection-oriented response fragments" },
+ { CountType::SUM, "client_max_fragment_size",
+ "connection-oriented client maximum fragment size" },
+ { CountType::SUM, "client_min_fragment_size",
+ "connection-oriented client minimum fragment size" },
+ { CountType::SUM, "client_segs_reassembled",
+ "total connection-oriented client segments reassembled" },
+ { CountType::SUM, "client_frags_reassembled",
+ "total connection-oriented client fragments reassembled" },
+ { CountType::SUM, "server_max_fragment_size",
+ "connection-oriented server maximum fragment size" },
+ { CountType::SUM, "server_min_fragment_size",
+ "connection-oriented server minimum fragment size" },
+ { CountType::SUM, "server_segs_reassembled",
+ "total connection-oriented server segments reassembled" },
+ { CountType::SUM, "server_frags_reassembled",
+ "total connection-oriented server fragments reassembled" },
+ { CountType::SUM, "tcp_sessions", "total tcp sessions" },
+ { CountType::SUM, "tcp_packets", "total tcp packets" },
+ { CountType::NOW, "concurrent_sessions", "total concurrent sessions" },
+ { CountType::MAX, "max_concurrent_sessions", "maximum concurrent sessions" },
+ { CountType::END, nullptr, nullptr }
};
Dce2TcpModule::Dce2TcpModule() : Module(DCE2_TCP_NAME, DCE2_TCP_HELP, s_params)
bool set(const char*, Value&, SnortConfig*) override;
unsigned get_gid() const override
- {
- return GID_DCE2;
- }
+ { return GID_DCE2; }
const RuleMap* get_rules() const override;
const PegInfo* get_pegs() const override;
ProfileStats* get_profile(unsigned, const char*&, const char*&) const override;
void get_data(dce2TcpProtoConf&);
+ Usage get_usage() const override
+ { return INSPECT; }
+
private:
dce2TcpProtoConf config;
};
static const PegInfo dce2_udp_pegs[] =
{
- { "events", "total events" },
- { "udp_sessions", "total udp sessions" },
- { "udp_packets", "total udp packets" },
- { "requests", "total connection-less requests" },
- { "acks", "total connection-less acks" },
- { "cancels", "total connection-less cancels" },
- { "client_facks", "total connection-less client facks" },
- { "ping", "total connection-less ping" },
- { "responses", "total connection-less responses" },
- { "rejects", "total connection-less rejects" },
- { "cancel_acks", "total connection-less cancel acks" },
- { "server_facks", "total connection-less server facks" },
- { "faults", "total connection-less faults" },
- { "no_calls", "total connection-less no calls" },
- { "working", "total connection-less working" },
- { "other_requests", "total connection-less other requests" },
- { "other_responses", "total connection-less other responses" },
- { "fragments", "total connection-less fragments" },
- { "max_fragment_size", "connection-less maximum fragment size" },
- { "frags_reassembled", "total connection-less fragments reassembled" },
- { "max_seqnum", "max connection-less seqnum" },
- { "concurrent_sessions", "total concurrent sessions" },
- { "max_concurrent_sessions", "maximum concurrent sessions" },
- { nullptr, nullptr }
+ { CountType::SUM, "events", "total events" },
+ { CountType::SUM, "udp_sessions", "total udp sessions" },
+ { CountType::SUM, "udp_packets", "total udp packets" },
+ { CountType::SUM, "requests", "total connection-less requests" },
+ { CountType::SUM, "acks", "total connection-less acks" },
+ { CountType::SUM, "cancels", "total connection-less cancels" },
+ { CountType::SUM, "client_facks", "total connection-less client facks" },
+ { CountType::SUM, "ping", "total connection-less ping" },
+ { CountType::SUM, "responses", "total connection-less responses" },
+ { CountType::SUM, "rejects", "total connection-less rejects" },
+ { CountType::SUM, "cancel_acks", "total connection-less cancel acks" },
+ { CountType::SUM, "server_facks", "total connection-less server facks" },
+ { CountType::SUM, "faults", "total connection-less faults" },
+ { CountType::SUM, "no_calls", "total connection-less no calls" },
+ { CountType::SUM, "working", "total connection-less working" },
+ { CountType::SUM, "other_requests", "total connection-less other requests" },
+ { CountType::SUM, "other_responses", "total connection-less other responses" },
+ { CountType::SUM, "fragments", "total connection-less fragments" },
+ { CountType::SUM, "max_fragment_size", "connection-less maximum fragment size" },
+ { CountType::SUM, "frags_reassembled", "total connection-less fragments reassembled" },
+ { CountType::SUM, "max_seqnum", "max connection-less seqnum" },
+ { CountType::NOW, "concurrent_sessions", "total concurrent sessions" },
+ { CountType::MAX, "max_concurrent_sessions", "maximum concurrent sessions" },
+ { CountType::END, nullptr, nullptr }
};
Dce2UdpModule::Dce2UdpModule() : Module(DCE2_UDP_NAME, DCE2_UDP_HELP, s_params)
bool set(const char*, Value&, SnortConfig*) override;
unsigned get_gid() const override
- {
- return GID_DCE2;
- }
+ { return GID_DCE2; }
const RuleMap* get_rules() const override;
const PegInfo* get_pegs() const override;
ProfileStats* get_profile(unsigned, const char*&, const char*&) const override;
void get_data(dce2UdpProtoConf&);
+ Usage get_usage() const override
+ { return INSPECT; }
+
private:
dce2UdpProtoConf config;
};
bool set(const char*, Value&, SnortConfig*) override;
ProfileStats* get_profile() const override;
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
RangeCheck version;
bool any_frag;
Uuid uuid;
ProfileStats* get_profile() const override;
~Dce2OpnumModule();
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
DCE2_Opnum opnum;
};
public:
Dce2StubDataModule() : Module(s_name, s_help) { }
ProfileStats* get_profile() const override;
+
+ Usage get_usage() const override
+ { return DETECT; }
};
ProfileStats* Dce2StubDataModule::get_profile() const
static const PegInfo dnp3_pegs[] =
{
- { "total_packets", "total packets" },
- { "udp_packets", "total udp packets" },
- { "tcp_pdus", "total tcp pdus" },
- { "dnp3_link_layer_frames", "total dnp3 link layer frames" },
- { "dnp3_application_pdus", "total dnp3 application pdus" },
- { "concurrent_sessions", "total concurrent dnp3 sessions" },
- { "max_concurrent_sessions", "maximum concurrent dnp3 sessions" },
-
- { nullptr, nullptr }
+ { CountType::SUM, "total_packets", "total packets" },
+ { CountType::SUM, "udp_packets", "total udp packets" },
+ { CountType::SUM, "tcp_pdus", "total tcp pdus" },
+ { CountType::SUM, "dnp3_link_layer_frames", "total dnp3 link layer frames" },
+ { CountType::SUM, "dnp3_application_pdus", "total dnp3 application pdus" },
+ { CountType::NOW, "concurrent_sessions", "total concurrent dnp3 sessions" },
+ { CountType::MAX, "max_concurrent_sessions", "maximum concurrent dnp3 sessions" },
+ { CountType::END, nullptr, nullptr }
};
Dnp3Module::Dnp3Module() : Module(DNP3_NAME, DNP3_HELP, s_params)
bool set(const char*, Value&, SnortConfig*) override;
unsigned get_gid() const override
- {
- return GID_DNP3;
- }
+ { return GID_DNP3; }
const RuleMap* get_rules() const override;
const PegInfo* get_pegs() const override;
PegCount* get_counts() const override;
ProfileStats* get_profile() const override;
+ Usage get_usage() const override
+ { return INSPECT; }
+
void get_data(dnp3ProtoConf&);
private:
public:
Dnp3DataModule() : Module(s_name, s_help) { }
ProfileStats* get_profile() const override;
+
+ Usage get_usage() const override
+ { return DETECT; }
};
ProfileStats* Dnp3DataModule::get_profile() const
bool set(const char*, Value&, SnortConfig*) override;
ProfileStats* get_profile() const override;
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
uint16_t func;
};
bool set(const char*, Value&, SnortConfig*) override;
ProfileStats* get_profile() const override;
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
uint16_t flags;
};
bool set(const char*, Value&, SnortConfig*) override;
ProfileStats* get_profile() const override;
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
uint8_t group;
uint8_t var;
};
const PegInfo dns_peg_names[] =
{
- { "packets", "total packets processed" },
- { "requests", "total dns requests" },
- { "responses", "total dns responses" },
- { "concurrent_sessions", "total concurrent dns sessions" },
- { "max_concurrent_sessions", "maximum concurrent dns sessions" },
+ { CountType::SUM, "packets", "total packets processed" },
+ { CountType::SUM, "requests", "total dns requests" },
+ { CountType::SUM, "responses", "total dns responses" },
+ { CountType::NOW, "concurrent_sessions", "total concurrent dns sessions" },
+ { CountType::MAX, "max_concurrent_sessions", "maximum concurrent dns sessions" },
- { nullptr, nullptr }
+ { CountType::END, nullptr, nullptr }
};
-
-
/*
* Function prototype(s)
*/
const PegInfo* get_pegs() const override;
PegCount* get_counts() const override;
ProfileStats* get_profile() const override;
+
+ Usage get_usage() const override
+ { return INSPECT; }
};
#endif
bool set(const char*, Value&, SnortConfig*) override
{ return false; }
+
+ Usage get_usage() const override
+ { return INSPECT; }
};
const PegInfo* FtpDataModule::get_pegs() const
static const PegInfo ftp_pegs[] =
{
- { "total_packets", "total packets" },
- { "concurrent_sessions", "total concurrent ftp sessions" },
- { "max_concurrent_sessions", "maximum concurrent ftp sessions" },
+ { CountType::SUM, "total_packets", "total packets" },
+ { CountType::NOW, "concurrent_sessions", "total concurrent ftp sessions" },
+ { CountType::MAX, "max_concurrent_sessions", "maximum concurrent ftp sessions" },
- { nullptr, nullptr }
+ { CountType::END, nullptr, nullptr }
};
//-------------------------------------------------------------------------
FTP_CLIENT_PROTO_CONF* get_data();
const BounceTo* get_bounce(unsigned idx);
+ Usage get_usage() const override
+ { return INSPECT; }
+
private:
FTP_CLIENT_PROTO_CONF* conf;
std::vector<BounceTo*> bounce_to;
static const PegInfo telnet_pegs[] =
{
- { "total_packets", "total packets" },
- { "concurrent_sessions", "total concurrent telnet sessions" },
- { "max_concurrent_sessions", "maximum concurrent telnet sessions" },
+ { CountType::SUM, "total_packets", "total packets" },
+ { CountType::NOW, "concurrent_sessions", "total concurrent telnet sessions" },
+ { CountType::MAX, "max_concurrent_sessions", "maximum concurrent telnet sessions" },
- { nullptr, nullptr }
+ { CountType::END, nullptr, nullptr }
};
static const RuleMap telnet_rules[] =
PegCount* get_counts() const override;
ProfileStats* get_profile() const override;
+ Usage get_usage() const override
+ { return INSPECT; }
+
TELNET_PROTO_CONF* get_data();
private:
const PegInfo peg_names[] =
{
- { "sessions", "total sessions processed" },
- { "concurrent_sessions", "total concurrent gtp sessions" },
- { "max_concurrent_sessions", "maximum concurrent gtp sessions" },
- { "events", "requests" },
- { "unknown_types", "unknown message types" },
- { "unknown_infos", "unknown information elements" },
-
- { nullptr, nullptr }
+ { CountType::SUM, "sessions", "total sessions processed" },
+ { CountType::NOW, "concurrent_sessions", "total concurrent gtp sessions" },
+ { CountType::MAX, "max_concurrent_sessions", "maximum concurrent gtp sessions" },
+ { CountType::SUM, "events", "requests" },
+ { CountType::SUM, "unknown_types", "unknown message types" },
+ { CountType::SUM, "unknown_infos", "unknown information elements" },
+
+ { CountType::END, nullptr, nullptr }
};
const PegInfo* GtpInspectModule::get_pegs() const
ProfileStats* get_profile() const override
{ return >p_inspect_prof; }
+ Usage get_usage() const override
+ { return INSPECT; }
+
public:
GtpStuff stuff;
std::vector<GtpStuff> temp;
ProfileStats* get_profile() const override
{ return >p_info_prof; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
uint8_t types[MAX_GTP_VERSION_CODE + 1];
};
ProfileStats* get_profile() const override
{ return >p_type_prof; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
ByteBitSet types[MAX_GTP_VERSION_CODE + 1];
};
ProfileStats* get_profile() const override
{ return >p_ver_prof; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
uint8_t version;
};
static PegCount get_peg_counts(HttpEnums::PEG_COUNT counter)
{ return peg_counts[counter]; }
+ Usage get_usage() const override
+ { return INSPECT; }
+
#ifdef REG_TEST
static const PegInfo* get_peg_names() { return peg_names; }
static const PegCount* get_peg_counts() { return peg_counts; }
const PegInfo HttpModule::peg_names[PEG_COUNT_MAX+1] =
{
- { "flows", "HTTP connections inspected" },
- { "scans", "TCP segments scanned looking for HTTP messages" },
- { "reassembles", "TCP segments combined into HTTP messages" },
- { "inspections", "total message sections inspected" },
- { "requests", "HTTP request messages inspected" },
- { "responses", "HTTP response messages inspected" },
- { "get_requests", "GET requests inspected" },
- { "head_requests", "HEAD requests inspected" },
- { "post_requests", "POST requests inspected" },
- { "put_requests", "PUT requests inspected" },
- { "delete_requests", "DELETE requests inspected" },
- { "connect_requests", "CONNECT requests inspected" },
- { "options_requests", "OPTIONS requests inspected" },
- { "trace_requests", "TRACE requests inspected" },
- { "other_requests", "other request methods inspected" },
- { "request_bodies", "POST, PUT, and other requests with message bodies" },
- { "chunked", "chunked message bodies" },
- { "uri_normalizations", "URIs needing to be normalization" },
- { "uri_path", "URIs with path problems" },
- { "uri_coding", "URIs with character coding problems" },
- { "concurrent_sessions", "total concurrent http sessions" },
- { "max_concurrent_sessions", "maximum concurrent http sessions" },
- { nullptr, nullptr }
+ { CountType::SUM, "flows", "HTTP connections inspected" },
+ { CountType::SUM, "scans", "TCP segments scanned looking for HTTP messages" },
+ { CountType::SUM, "reassembles", "TCP segments combined into HTTP messages" },
+ { CountType::SUM, "inspections", "total message sections inspected" },
+ { CountType::SUM, "requests", "HTTP request messages inspected" },
+ { CountType::SUM, "responses", "HTTP response messages inspected" },
+ { CountType::SUM, "get_requests", "GET requests inspected" },
+ { CountType::SUM, "head_requests", "HEAD requests inspected" },
+ { CountType::SUM, "post_requests", "POST requests inspected" },
+ { CountType::SUM, "put_requests", "PUT requests inspected" },
+ { CountType::SUM, "delete_requests", "DELETE requests inspected" },
+ { CountType::SUM, "connect_requests", "CONNECT requests inspected" },
+ { CountType::SUM, "options_requests", "OPTIONS requests inspected" },
+ { CountType::SUM, "trace_requests", "TRACE requests inspected" },
+ { CountType::SUM, "other_requests", "other request methods inspected" },
+ { CountType::SUM, "request_bodies", "POST, PUT, and other requests with message bodies" },
+ { CountType::SUM, "chunked", "chunked message bodies" },
+ { CountType::SUM, "uri_normalizations", "URIs needing to be normalization" },
+ { CountType::SUM, "uri_path", "URIs with path problems" },
+ { CountType::SUM, "uri_coding", "URIs with character coding problems" },
+ { CountType::NOW, "concurrent_sessions", "total concurrent http sessions" },
+ { CountType::MAX, "max_concurrent_sessions", "maximum concurrent http sessions" },
+ { CountType::END, nullptr, nullptr }
};
const int8_t HttpEnums::as_hex[256] =
bool set(const char*, Value&, SnortConfig*) override;
bool end(const char*, int, SnortConfig*) override;
+ Usage get_usage() const override
+ { return DETECT; }
+
private:
friend class HttpIpsOption;
static THREAD_LOCAL std::array<ProfileStats, PsIdx::PSI_MAX> http_ps;
const PegInfo imap_peg_names[] =
{
- { "packets", "total packets processed" },
- { "sessions", "total imap sessions" },
- { "concurrent_sessions", "total concurrent imap sessions" },
- { "max_concurrent_sessions", "maximum concurrent imap sessions" },
- { "b64_attachments", "total base64 attachments decoded" },
- { "b64_decoded_bytes", "total base64 decoded bytes" },
- { "qp_attachments", "total quoted-printable attachments decoded" },
- { "qp_decoded_bytes", "total quoted-printable decoded bytes" },
- { "uu_attachments", "total uu attachments decoded" },
- { "uu_decoded_bytes", "total uu decoded bytes" },
- { "non_encoded_attachments", "total non-encoded attachments extracted" },
- { "non_encoded_bytes", "total non-encoded extracted bytes" },
-
- { nullptr, nullptr }
+ { CountType::SUM, "packets", "total packets processed" },
+ { CountType::SUM, "sessions", "total imap sessions" },
+ { CountType::NOW, "concurrent_sessions", "total concurrent imap sessions" },
+ { CountType::MAX, "max_concurrent_sessions", "maximum concurrent imap sessions" },
+ { CountType::SUM, "b64_attachments", "total base64 attachments decoded" },
+ { CountType::SUM, "b64_decoded_bytes", "total base64 decoded bytes" },
+ { CountType::SUM, "qp_attachments", "total quoted-printable attachments decoded" },
+ { CountType::SUM, "qp_decoded_bytes", "total quoted-printable decoded bytes" },
+ { CountType::SUM, "uu_attachments", "total uu attachments decoded" },
+ { CountType::SUM, "uu_decoded_bytes", "total uu decoded bytes" },
+ { CountType::SUM, "non_encoded_attachments", "total non-encoded attachments extracted" },
+ { CountType::SUM, "non_encoded_bytes", "total non-encoded extracted bytes" },
+
+ { CountType::END, nullptr, nullptr }
};
ImapFlowData::ImapFlowData() : FlowData(inspector_id)
PegCount* get_counts() const override;
ProfileStats* get_profile() const override;
+ Usage get_usage() const override
+ { return INSPECT; }
+
IMAP_PROTO_CONF* get_data();
private:
ProfileStats* get_profile() const override
{ return &modbus_data_prof; }
+
+ Usage get_usage() const override
+ { return DETECT; }
};
//-------------------------------------------------------------------------
ProfileStats* get_profile() const override
{ return &modbus_func_prof; }
+ Usage get_usage() const override
+ { return DETECT; }
+
public:
uint8_t func;
};
ProfileStats* get_profile() const override
{ return &modbus_unit_prof; }
+ Usage get_usage() const override
+ { return DETECT; }
+
public:
uint8_t unit;
};
const PegInfo peg_names[] =
{
- { "sessions", "total sessions processed" },
- { "frames", "total Modbus messages" },
- { "concurrent_sessions", "total concurrent modbus sessions" },
- { "max_concurrent_sessions", "maximum concurrent modbus sessions" },
+ { CountType::SUM, "sessions", "total sessions processed" },
+ { CountType::SUM, "frames", "total Modbus messages" },
+ { CountType::NOW, "concurrent_sessions", "total concurrent modbus sessions" },
+ { CountType::MAX, "max_concurrent_sessions", "maximum concurrent modbus sessions" },
- { nullptr, nullptr }
+ { CountType::END, nullptr, nullptr }
};
const PegInfo* ModbusModule::get_pegs() const
ProfileStats* get_profile() const override
{ return &modbus_prof; }
+
+ Usage get_usage() const override
+ { return INSPECT; }
};
#endif
const PegInfo pop_peg_names[] =
{
- { "packets", "total packets processed" },
- { "sessions", "total pop sessions" },
- { "concurrent_sessions", "total concurrent pop sessions" },
- { "max_concurrent_sessions", "maximum concurrent pop sessions" },
- { "b64_attachments", "total base64 attachments decoded" },
- { "b64_decoded_bytes", "total base64 decoded bytes" },
- { "qp_attachments", "total quoted-printable attachments decoded" },
- { "qp_decoded_bytes", "total quoted-printable decoded bytes" },
- { "uu_attachments", "total uu attachments decoded" },
- { "uu_decoded_bytes", "total uu decoded bytes" },
- { "non_encoded_attachments", "total non-encoded attachments extracted" },
- { "non_encoded_bytes", "total non-encoded extracted bytes" },
-
- { nullptr, nullptr }
+ { CountType::SUM, "packets", "total packets processed" },
+ { CountType::SUM, "sessions", "total pop sessions" },
+ { CountType::NOW, "concurrent_sessions", "total concurrent pop sessions" },
+ { CountType::MAX, "max_concurrent_sessions", "maximum concurrent pop sessions" },
+ { CountType::SUM, "b64_attachments", "total base64 attachments decoded" },
+ { CountType::SUM, "b64_decoded_bytes", "total base64 decoded bytes" },
+ { CountType::SUM, "qp_attachments", "total quoted-printable attachments decoded" },
+ { CountType::SUM, "qp_decoded_bytes", "total quoted-printable decoded bytes" },
+ { CountType::SUM, "uu_attachments", "total uu attachments decoded" },
+ { CountType::SUM, "uu_decoded_bytes", "total uu decoded bytes" },
+ { CountType::SUM, "non_encoded_attachments", "total non-encoded attachments extracted" },
+ { CountType::SUM, "non_encoded_bytes", "total non-encoded extracted bytes" },
+
+ { CountType::END, nullptr, nullptr }
};
PegCount* get_counts() const override;
ProfileStats* get_profile() const override;
+ Usage get_usage() const override
+ { return INSPECT; }
+
POP_PROTO_CONF* get_data();
private:
static const PegInfo rpc_pegs[] =
{
- { "total_packets", "total packets" },
- { "concurrent_sessions", "total concurrent rpc sessions" },
- { "max_concurrent_sessions", "maximum concurrent rpc sessions" },
+ { CountType::SUM, "total_packets", "total packets" },
+ { CountType::NOW, "concurrent_sessions", "total concurrent rpc sessions" },
+ { CountType::MAX, "max_concurrent_sessions", "maximum concurrent rpc sessions" },
- { nullptr, nullptr }
+ { CountType::END, nullptr, nullptr }
};
RpcDecodeModule::RpcDecodeModule() : Module(s_name, s_help, s_params)
const PegInfo* get_pegs() const override;
PegCount* get_counts() const override;
ProfileStats* get_profile() const override;
+
+ Usage get_usage() const override
+ { return INSPECT; }
};
#endif
ProfileStats* get_profile() const override
{ return &sip_ps[idx]; }
+ Usage get_usage() const override
+ { return DETECT; }
+
private:
SipIdx idx;
};
ProfileStats* get_profile() const override
{ return &sipMethodRuleOptionPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
SipMethodRuleOptData smod;
private:
ProfileStats* get_profile() const override
{ return &sipStatCodeRuleOptionPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
SipStatCodeRuleOptData ssod;
private:
static const PegInfo sip_pegs[] =
{
- { "packets", "total packets" },
- { "sessions", "total sessions" },
- { "concurrent_sessions", "total concurrent sip sessions" },
- { "max_concurrent_sessions", "maximum concurrent sip sessions" },
- { "events", "events generated" },
- { "dialogs", "total dialogs" },
- { "ignored_channels", "total channels ignored" },
- { "ignored_sessions", "total sessions ignored" },
- { "total_requests", "total requests" },
- { "invite", "invite" },
- { "cancel", "cancel" },
- { "ack", "ack" },
- { "bye", "bye" },
- { "register", "register" },
- { "options", "options" },
- { "refer", "refer" },
- { "subscribe", "subscribe" },
- { "update", "update" },
- { "join", "join" },
- { "info", "info" },
- { "message", "message" },
- { "notify", "notify" },
- { "prack", "prack" },
- { "total_responses", "total responses" },
- { "code_1xx", "1xx" },
- { "code_2xx", "2xx" },
- { "code_3xx", "3xx" },
- { "code_4xx", "4xx" },
- { "code_5xx", "5xx" },
- { "code_6xx", "6xx" },
- { "code_7xx", "7xx" },
- { "code_8xx", "8xx" },
- { "code_9xx", "9xx" },
- { nullptr, nullptr }
+ { CountType::SUM, "packets", "total packets" },
+ { CountType::SUM, "sessions", "total sessions" },
+ { CountType::NOW, "concurrent_sessions", "total concurrent sip sessions" },
+ { CountType::MAX, "max_concurrent_sessions", "maximum concurrent sip sessions" },
+ { CountType::SUM, "events", "events generated" },
+ { CountType::SUM, "dialogs", "total dialogs" },
+ { CountType::SUM, "ignored_channels", "total channels ignored" },
+ { CountType::SUM, "ignored_sessions", "total sessions ignored" },
+ { CountType::SUM, "total_requests", "total requests" },
+ { CountType::SUM, "invite", "invite" },
+ { CountType::SUM, "cancel", "cancel" },
+ { CountType::SUM, "ack", "ack" },
+ { CountType::SUM, "bye", "bye" },
+ { CountType::SUM, "register", "register" },
+ { CountType::SUM, "options", "options" },
+ { CountType::SUM, "refer", "refer" },
+ { CountType::SUM, "subscribe", "subscribe" },
+ { CountType::SUM, "update", "update" },
+ { CountType::SUM, "join", "join" },
+ { CountType::SUM, "info", "info" },
+ { CountType::SUM, "message", "message" },
+ { CountType::SUM, "notify", "notify" },
+ { CountType::SUM, "prack", "prack" },
+ { CountType::SUM, "total_responses", "total responses" },
+ { CountType::SUM, "code_1xx", "1xx" },
+ { CountType::SUM, "code_2xx", "2xx" },
+ { CountType::SUM, "code_3xx", "3xx" },
+ { CountType::SUM, "code_4xx", "4xx" },
+ { CountType::SUM, "code_5xx", "5xx" },
+ { CountType::SUM, "code_6xx", "6xx" },
+ { CountType::SUM, "code_7xx", "7xx" },
+ { CountType::SUM, "code_8xx", "8xx" },
+ { CountType::SUM, "code_9xx", "9xx" },
+ { CountType::END, nullptr, nullptr }
};
//-------------------------------------------------------------------------
PegCount* get_counts() const override;
ProfileStats* get_profile() const override;
+ Usage get_usage() const override
+ { return INSPECT; }
+
SIP_PROTO_CONF* get_data();
private:
const PegInfo smtp_peg_names[] =
{
- { "packets", "total packets processed" },
- { "sessions", "total smtp sessions" },
- { "concurrent_sessions", "total concurrent smtp sessions" },
- { "max_concurrent_sessions", "maximum concurrent smtp sessions" },
- { "b64_attachments", "total base64 attachments decoded" },
- { "b64_decoded_bytes", "total base64 decoded bytes" },
- { "qp_attachments", "total quoted-printable attachments decoded" },
- { "qp_decoded_bytes", "total quoted-printable decoded bytes" },
- { "uu_attachments", "total uu attachments decoded" },
- { "uu_decoded_bytes", "total uu decoded bytes" },
- { "non_encoded_attachments", "total non-encoded attachments extracted" },
- { "non_encoded_bytes", "total non-encoded extracted bytes" },
-
- { nullptr, nullptr }
+ { CountType::SUM, "packets", "total packets processed" },
+ { CountType::SUM, "sessions", "total smtp sessions" },
+ { CountType::NOW, "concurrent_sessions", "total concurrent smtp sessions" },
+ { CountType::MAX, "max_concurrent_sessions", "maximum concurrent smtp sessions" },
+ { CountType::SUM, "b64_attachments", "total base64 attachments decoded" },
+ { CountType::SUM, "b64_decoded_bytes", "total base64 decoded bytes" },
+ { CountType::SUM, "qp_attachments", "total quoted-printable attachments decoded" },
+ { CountType::SUM, "qp_decoded_bytes", "total quoted-printable decoded bytes" },
+ { CountType::SUM, "uu_attachments", "total uu attachments decoded" },
+ { CountType::SUM, "uu_decoded_bytes", "total uu decoded bytes" },
+ { CountType::SUM, "non_encoded_attachments", "total non-encoded attachments extracted" },
+ { CountType::SUM, "non_encoded_bytes", "total non-encoded extracted bytes" },
+
+ { CountType::END, nullptr, nullptr }
};
static void snort_smtp(SMTP_PROTO_CONF* GlobalConf, Packet* p);
SMTP_PROTO_CONF* get_data();
const SmtpCmd* get_cmd(unsigned idx);
+ Usage get_usage() const override
+ { return INSPECT; }
+
private:
void add_commands(Value&, uint32_t flags);
const PegInfo ssh_pegs[] =
{
- { "packets", "total packets" },
- { "concurrent_sessions", "total concurrent ssh sessions" },
- { "max_concurrent_sessions", "maximum concurrent ssh sessions" },
- { nullptr, nullptr }
+ { CountType::SUM, "packets", "total packets" },
+ { CountType::NOW, "concurrent_sessions", "total concurrent ssh sessions" },
+ { CountType::MAX, "max_concurrent_sessions", "maximum concurrent ssh sessions" },
+ { CountType::END, nullptr, nullptr }
};
//-------------------------------------------------------------------------
PegCount* get_counts() const override;
ProfileStats* get_profile() const override;
+ Usage get_usage() const override
+ { return INSPECT; }
+
SSH_PROTO_CONF* get_data();
private:
ProfileStats* get_profile() const override
{ return &sslStateRuleOptionPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
SslStateRuleOptionData ssod;
};
ProfileStats* get_profile() const override
{ return &sslVersionRuleOptionPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
SslVersionRuleOptionData svod;
};
const PegInfo ssl_peg_names[] =
{
- { "packets", "total packets processed" },
- { "decoded", "ssl packets decoded" },
- { "client_hello", "total client hellos" },
- { "server_hello", "total server hellos" },
- { "certificate", "total ssl certificates" },
- { "server_done", "total server done" },
- { "client_key_exchange", "total client key exchanges" },
- { "server_key_exchange", "total server key exchanges" },
- { "change_cipher", "total change cipher records" },
- { "finished", "total handshakes finished" },
- { "client_application", "total client application records" },
- { "server_application", "total server application records" },
- { "alert", "total ssl alert records" },
- { "unrecognized_records", "total unrecognized records" },
- { "handshakes_completed", "total completed ssl handshakes" },
- { "bad_handshakes", "total bad handshakes" },
- { "sessions_ignored", "total sessions ignore" },
- { "detection_disabled", "total detection disabled" },
- { "concurrent_sessions", "total concurrent ssl sessions" },
- { "max_concurrent_sessions", "maximum concurrent ssl sessions" },
-
- { nullptr, nullptr }
+ { CountType::SUM, "packets", "total packets processed" },
+ { CountType::SUM, "decoded", "ssl packets decoded" },
+ { CountType::SUM, "client_hello", "total client hellos" },
+ { CountType::SUM, "server_hello", "total server hellos" },
+ { CountType::SUM, "certificate", "total ssl certificates" },
+ { CountType::SUM, "server_done", "total server done" },
+ { CountType::SUM, "client_key_exchange", "total client key exchanges" },
+ { CountType::SUM, "server_key_exchange", "total server key exchanges" },
+ { CountType::SUM, "change_cipher", "total change cipher records" },
+ { CountType::SUM, "finished", "total handshakes finished" },
+ { CountType::SUM, "client_application", "total client application records" },
+ { CountType::SUM, "server_application", "total server application records" },
+ { CountType::SUM, "alert", "total ssl alert records" },
+ { CountType::SUM, "unrecognized_records", "total unrecognized records" },
+ { CountType::SUM, "handshakes_completed", "total completed ssl handshakes" },
+ { CountType::SUM, "bad_handshakes", "total bad handshakes" },
+ { CountType::SUM, "sessions_ignored", "total sessions ignore" },
+ { CountType::SUM, "detection_disabled", "total detection disabled" },
+ { CountType::NOW, "concurrent_sessions", "total concurrent ssl sessions" },
+ { CountType::MAX, "max_concurrent_sessions", "maximum concurrent ssl sessions" },
+
+ { CountType::END, nullptr, nullptr }
};
SslFlowData::SslFlowData() : FlowData(inspector_id)
PegCount* get_counts() const override;
ProfileStats* get_profile() const override;
+ Usage get_usage() const override
+ { return INSPECT; }
+
SSL_PROTO_CONF* get_data();
private:
MagicBook* get_book(bool c2s, bool hex);
CurseBook* get_curse_book();
+ Usage get_usage() const override
+ { return GLOBAL; }
+
private:
void add_spells(MagicBook*, std::string&);
const PegInfo wiz_pegs[] =
{
- { "tcp_scans", "tcp payload scans" },
- { "tcp_hits", "tcp identifications" },
- { "udp_scans", "udp payload scans" },
- { "udp_hits", "udp identifications" },
- { "user_scans", "user payload scans" },
- { "user_hits", "user identifications" },
- { nullptr, nullptr }
+ { CountType::SUM, "tcp_scans", "tcp payload scans" },
+ { CountType::SUM, "tcp_hits", "tcp identifications" },
+ { CountType::SUM, "udp_scans", "udp payload scans" },
+ { CountType::SUM, "udp_hits", "udp identifications" },
+ { CountType::SUM, "user_scans", "user payload scans" },
+ { CountType::SUM, "user_hits", "user identifications" },
+ { CountType::END, nullptr, nullptr }
};
THREAD_LOCAL WizStats tstats;
return true;
}
-PegCount* SideChannelModule::get_counts() const
-{ return (PegCount*)&sc_stats; }
-
bool begin(const char*, int, SnortConfig*) override;
bool end(const char*, int, SnortConfig*) override;
- PegCount* get_counts() const override;
+ PegCount* get_counts() const override
+ { return (PegCount*)&sc_stats; }
+
+ const PegInfo* get_pegs() const override
+ { return simple_pegs; }
+
ProfileStats* get_profile() const override;
+ Usage get_usage() const override
+ { return GLOBAL; }
+
private:
SideChannelConfig* config = nullptr;
};
THREAD_LOCAL BaseStats stream_base_stats;
#define PROTO_PEGS(proto_str) \
- { proto_str "_flows", "total " proto_str " sessions" }, \
- { proto_str "_total_prunes", "total " proto_str " sessions pruned" }, \
- { proto_str "_idle_prunes", proto_str " sessions pruned due to timeout" }, \
- { proto_str "_excess_prunes", proto_str " sessions pruned due to excess" }, \
- { proto_str "_uni_prunes", proto_str " uni sessions pruned" }, \
- { proto_str "_preemptive_prunes", proto_str " sessions pruned during preemptive pruning" }, \
- { proto_str "_memcap_prunes", proto_str " sessions pruned due to memcap" }, \
- { proto_str "_ha_prunes", proto_str " sessions pruned by high availability sync" }
+ { CountType::SUM, proto_str "_flows", "total " proto_str " sessions" }, \
+ { CountType::SUM, proto_str "_total_prunes", "total " proto_str " sessions pruned" }, \
+ { CountType::SUM, proto_str "_idle_prunes", proto_str " sessions pruned due to timeout" }, \
+ { CountType::SUM, proto_str "_excess_prunes", proto_str " sessions pruned due to excess" }, \
+ { CountType::SUM, proto_str "_uni_prunes", proto_str " uni sessions pruned" }, \
+ { CountType::SUM, proto_str "_preemptive_prunes", proto_str " sessions pruned during preemptive pruning" }, \
+ { CountType::SUM, proto_str "_memcap_prunes", proto_str " sessions pruned due to memcap" }, \
+ { CountType::SUM, proto_str "_ha_prunes", proto_str " sessions pruned by high availability sync" }
#define SET_PROTO_COUNTS(proto, pkttype) \
stream_base_stats.proto ## _flows = flow_con->get_flows(PktType::pkttype); \
PROTO_PEGS("udp"),
PROTO_PEGS("user"),
PROTO_PEGS("file"),
- { nullptr, nullptr }
+ { CountType::END, nullptr, nullptr }
};
// FIXIT-L dependency on stats define in another file
void show_stats() override;
void reset_stats() override;
+ Usage get_usage() const override
+ { return GLOBAL; }
+
private:
StreamModuleConfig config;
};
bool begin(const char*, int, SnortConfig*) override;
bool set(const char*, Value&, SnortConfig*) override;
+ Usage get_usage() const override
+ { return INSPECT; }
+
+public:
bool upload;
};
PegCount* StreamIcmpModule::get_counts() const
{ return (PegCount*)&icmpStats; }
-void StreamIcmpModule::sum_stats(bool accumulate_now_stats)
-{
- assert(sizeof(IcmpStats)/sizeof(PegCount) == sizeof(IcmpStatTypes)/sizeof(CountType));
-
- static const IcmpStatTypes icmp_stat_types;
- static const CountType* const count_types = (const CountType*)&icmp_stat_types;
-
- sum_stats_helper(accumulate_now_stats, count_types);
-}
-
SESSION_STATS;
};
-struct IcmpStatTypes
-{
- SESSION_STAT_TYPES;
-
- IcmpStatTypes() {}
-};
-
//-------------------------------------------------------------------------
// stream_icmp module
//-------------------------------------------------------------------------
ProfileStats* get_profile(unsigned, const char*&, const char*&) const override;
const PegInfo* get_pegs() const override;
PegCount* get_counts() const override;
- void sum_stats(bool) override;
+
+ Usage get_usage() const override
+ { return INSPECT; }
StreamIcmpConfig* get_data();
const PegInfo icmp_pegs[] =
{
SESSION_PEGS("icmp"),
- { nullptr, nullptr }
+ { CountType::END, nullptr, nullptr }
};
THREAD_LOCAL IcmpStats icmpStats;
PegCount* StreamIpModule::get_counts() const
{ return (PegCount*)&ip_stats; }
-void StreamIpModule::sum_stats(bool accumulate_now_stats)
-{
- assert(sizeof(IpStats)/sizeof(PegCount) == sizeof(IpStatTypes)/sizeof(CountType));
-
- static const IpStatTypes ip_stat_types;
- static const CountType* const count_types = (const CountType*)&ip_stat_types;
-
- sum_stats_helper(accumulate_now_stats, count_types);
-}
-
PegCount fragmented_bytes; // total_ipfragmented_bytes
};
-struct IpStatTypes
-{
- SESSION_STAT_TYPES;
- CountType total = CountType::SUM;
- CountType current_frags = CountType::NOW;
-
- // FIXIT-M max_frags appears to be unused.
- CountType max_frags = CountType::SUM;
-
- CountType reassembles = CountType::SUM;
- CountType discards = CountType::SUM;
- CountType frag_timeouts = CountType::SUM;
- CountType overlaps = CountType::SUM;
- CountType anomalies = CountType::SUM;
- CountType alerts = CountType::SUM;
- CountType drops = CountType::SUM;
- CountType trackers_created = CountType::SUM;
- CountType trackers_released = CountType::SUM;
- CountType trackers_cleared = CountType::SUM;
- CountType trackers_completed = CountType::SUM;
- CountType nodes_created = CountType::SUM;
- CountType nodes_released = CountType::SUM;
- CountType mem_in_use = CountType::NOW;
- CountType reassembled_bytes = CountType::SUM;
- CountType fragmented_bytes = CountType::SUM;
-
- IpStatTypes() {}
-};
-
extern const PegInfo ip_pegs[];
extern THREAD_LOCAL struct IpStats ip_stats;
extern THREAD_LOCAL ProfileStats ip_perf_stats;
ProfileStats* get_profile(unsigned, const char*&, const char*&) const override;
const PegInfo* get_pegs() const override;
PegCount* get_counts() const override;
- void sum_stats(bool) override;
StreamIpConfig* get_data();
unsigned get_gid() const override
{ return GID_DEFRAG; }
+ Usage get_usage() const override
+ { return INSPECT; }
+
private:
StreamIpConfig* config;
};
const PegInfo ip_pegs[] =
{
SESSION_PEGS("ip"),
- { "total_frags", "total fragments" },
- { "current_frags", "current fragments" },
- { "max_frags", "max fragments" },
- { "reassembled", "reassembled datagrams" },
- { "discards", "fragments discarded" },
- { "frag_timeouts", "datagrams abandoned" },
- { "overlaps", "overlapping fragments" },
- { "anomalies", "anomalies detected" },
- { "alerts", "alerts generated" },
- { "drops", "fragments dropped" },
- { "trackers_added", "datagram trackers created" },
- { "trackers_freed", "datagram trackers released" },
- { "trackers_cleared", "datagram trackers cleared" },
- { "trackers_completed", "datagram trackers completed" },
- { "nodes_inserted", "fragments added to tracker" },
- { "nodes_deleted", "fragments deleted from tracker" },
- { "memory_used", "current memory usage in bytes" },
- { "reassembled_bytes", "total reassembled bytes" },
- { "fragmented_bytes", "total fragmented bytes" },
- { nullptr, nullptr }
+ { CountType::SUM, "total_frags", "total fragments" },
+ { CountType::NOW, "current_frags", "current fragments" },
+ { CountType::SUM, "max_frags", "max fragments" },
+ { CountType::SUM, "reassembled", "reassembled datagrams" },
+ { CountType::SUM, "discards", "fragments discarded" },
+ { CountType::SUM, "frag_timeouts", "datagrams abandoned" },
+ { CountType::SUM, "overlaps", "overlapping fragments" },
+ { CountType::SUM, "anomalies", "anomalies detected" },
+ { CountType::SUM, "alerts", "alerts generated" },
+ { CountType::SUM, "drops", "fragments dropped" },
+ { CountType::SUM, "trackers_added", "datagram trackers created" },
+ { CountType::SUM, "trackers_freed", "datagram trackers released" },
+ { CountType::SUM, "trackers_cleared", "datagram trackers cleared" },
+ { CountType::SUM, "trackers_completed", "datagram trackers completed" },
+ { CountType::SUM, "nodes_inserted", "fragments added to tracker" },
+ { CountType::SUM, "nodes_deleted", "fragments deleted from tracker" },
+ { CountType::NOW, "memory_used", "current memory usage in bytes" },
+ { CountType::SUM, "reassembled_bytes", "total reassembled bytes" },
+ { CountType::SUM, "fragmented_bytes", "total fragmented bytes" },
+ { CountType::END, nullptr, nullptr }
};
THREAD_LOCAL IpStats ip_stats;
ProfileStats* get_profile() const override
{ return &streamReassembleRuleOptionPerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
StreamReassembleRuleOptionData srod;
};
ProfileStats* get_profile() const override
{ return &streamSizePerfStats; }
+ Usage get_usage() const override
+ { return DETECT; }
+
+public:
RangeCheck ssod;
int direction;
};
const PegInfo tcp_pegs[] =
{
SESSION_PEGS("tcp"),
- { "resyns", "SYN received on established session" },
- { "discards", "tcp packets discarded" },
- { "events", "events generated" },
- { "ignored", "tcp packets ignored" },
- { "untracked", "tcp packets not tracked" },
- { "syn_trackers", "tcp session tracking started on syn" },
- { "syn_ack_trackers", "tcp session tracking started on syn-ack" },
- { "three_way_trackers", "tcp session tracking started on ack" },
- { "data_trackers", "tcp session tracking started on data" },
- { "segs_queued", "total segments queued" },
- { "segs_released", "total segments released" },
- { "segs_split", "tcp segments split when reassembling PDUs" },
- { "segs_used", "queued tcp segments applied to reassembled PDUs" },
- { "rebuilt_packets", "total reassembled PDUs" },
- { "rebuilt_buffers", "rebuilt PDU sections" },
- { "rebuilt_bytes", "total rebuilt bytes" },
- { "overlaps", "overlapping segments queued" },
- { "gaps", "missing data between PDUs" },
- { "exceeded_max_segs", "number of times the maximum queued segment limit was reached" },
- { "exceeded_max_bytes", "number of times the maximum queued byte limit was reached" },
- { "internal_events", "135:X events generated" },
- { "client_cleanups", "number of times data from server was flushed when session released" },
- { "server_cleanups", "number of times data from client was flushed when session released" },
- { "memory", "current memory in use" },
- { "initializing", "number of sessions currently initializing" },
- { "established", "number of sessions currently established" },
- { "closing", "number of sessions currently closing" },
- { "syns", "number of syn packets" },
- { "syn_acks", "number of syn-ack packets" },
- { "resets", "number of reset packets" },
- { "fins", "number of fin packets"},
- { nullptr, nullptr }
+ { CountType::SUM, "resyns", "SYN received on established session" },
+ { CountType::SUM, "discards", "tcp packets discarded" },
+ { CountType::SUM, "events", "events generated" },
+ { CountType::SUM, "ignored", "tcp packets ignored" },
+ { CountType::SUM, "untracked", "tcp packets not tracked" },
+ { CountType::SUM, "syn_trackers", "tcp session tracking started on syn" },
+ { CountType::SUM, "syn_ack_trackers", "tcp session tracking started on syn-ack" },
+ { CountType::SUM, "three_way_trackers", "tcp session tracking started on ack" },
+ { CountType::SUM, "data_trackers", "tcp session tracking started on data" },
+ { CountType::SUM, "segs_queued", "total segments queued" },
+ { CountType::SUM, "segs_released", "total segments released" },
+ { CountType::SUM, "segs_split", "tcp segments split when reassembling PDUs" },
+ { CountType::SUM, "segs_used", "queued tcp segments applied to reassembled PDUs" },
+ { CountType::SUM, "rebuilt_packets", "total reassembled PDUs" },
+ { CountType::SUM, "rebuilt_buffers", "rebuilt PDU sections" },
+ { CountType::SUM, "rebuilt_bytes", "total rebuilt bytes" },
+ { CountType::SUM, "overlaps", "overlapping segments queued" },
+ { CountType::SUM, "gaps", "missing data between PDUs" },
+ { CountType::SUM, "exceeded_max_segs",
+ "number of times the maximum queued segment limit was reached" },
+ { CountType::SUM, "exceeded_max_bytes",
+ "number of times the maximum queued byte limit was reached" },
+ { CountType::SUM, "internal_events", "135:X events generated" },
+ { CountType::SUM, "client_cleanups",
+ "number of times data from server was flushed when session released" },
+ { CountType::SUM, "server_cleanups",
+ "number of times data from client was flushed when session released" },
+ { CountType::NOW, "memory", "current memory in use" },
+ { CountType::NOW, "initializing", "number of sessions currently initializing" },
+ { CountType::NOW, "established", "number of sessions currently established" },
+ { CountType::NOW, "closing", "number of sessions currently closing" },
+ { CountType::SUM, "syns", "number of syn packets" },
+ { CountType::SUM, "syn_acks", "number of syn-ack packets" },
+ { CountType::SUM, "resets", "number of reset packets" },
+ { CountType::SUM, "fins", "number of fin packets"},
+ { CountType::END, nullptr, nullptr }
};
THREAD_LOCAL TcpStats tcpStats;
PegCount* StreamTcpModule::get_counts() const
{ return (PegCount*)&tcpStats; }
-void StreamTcpModule::sum_stats(bool accumulate_now_stats)
-{
- assert(sizeof(TcpStats)/sizeof(PegCount) == sizeof(TcpStatTypes)/sizeof(CountType));
-
- static const TcpStatTypes tcp_stat_types;
- static const CountType* const count_types = (const CountType*)&tcp_stat_types;
-
- sum_stats_helper(accumulate_now_stats, count_types);
-}
-
PegCount fins;
};
-struct TcpStatTypes
-{
- SESSION_STAT_TYPES;
- CountType resyns = CountType::SUM;
- CountType discards = CountType::SUM;
- CountType events = CountType::SUM;
- CountType ignored = CountType::SUM;
- CountType no_pickups = CountType::SUM;
- CountType sessions_on_syn = CountType::SUM;
- CountType sessions_on_syn_ack = CountType::SUM;
- CountType sessions_on_3way = CountType::SUM;
- CountType sessions_on_data = CountType::SUM;
- CountType segs_queued = CountType::SUM;
- CountType segs_released = CountType::SUM;
- CountType segs_split = CountType::SUM;
- CountType segs_used = CountType::SUM;
- CountType rebuilt_packets = CountType::SUM;
- CountType rebuilt_buffers = CountType::SUM;
- CountType rebuilt_bytes = CountType::SUM;
- CountType overlaps = CountType::SUM;
- CountType gaps = CountType::SUM;
- CountType exceeded_max_segs = CountType::SUM;
- CountType exceeded_max_bytes = CountType::SUM;
- CountType internalEvents = CountType::SUM;
- CountType s5tcp1 = CountType::SUM;
- CountType s5tcp2 = CountType::SUM;
- CountType mem_in_use = CountType::NOW;
- CountType sessions_initializing = CountType::NOW;
- CountType sessions_established = CountType::NOW;
- CountType sessions_closing = CountType::NOW;
- CountType syns = CountType::SUM;
- CountType syn_acks = CountType::SUM;
- CountType resets = CountType::SUM;
- CountType fins = CountType::SUM;
-
- TcpStatTypes() {}
-};
-
extern THREAD_LOCAL struct TcpStats tcpStats;
inline void inc_tcp_discards()
const RuleMap* get_rules() const override;
unsigned get_gid() const override
- {
- return GID_STREAM_TCP;
- }
+ { return GID_STREAM_TCP; }
TcpStreamConfig* get_data();
ProfileStats* get_profile(unsigned, const char*&, const char*&) const override;
const PegInfo* get_pegs() const override;
PegCount* get_counts() const override;
- void sum_stats(bool) override;
+
+ Usage get_usage() const override
+ { return INSPECT; }
private:
TcpStreamConfig* config;
static const PegInfo pegName[] =
{
- { "tcp_trim_syn", "tcp segments trimmed on SYN" },
- { "tcp_trim_rst", "RST packets with data trimmed" },
- { "tcp_trim_win", "data trimmed to window" },
- { "tcp_trim_mss", "data trimmed to MSS" },
- { "tcp_ecn_session", "ECN bits cleared" },
- { "tcp_ts_nop", "timestamp options cleared" },
- { "tcp_ips_data", "normalized segments" },
- { "tcp_block", "blocked segments" },
- { nullptr, nullptr }
+ { CountType::SUM, "tcp_trim_syn", "tcp segments trimmed on SYN" },
+ { CountType::SUM, "tcp_trim_rst", "RST packets with data trimmed" },
+ { CountType::SUM, "tcp_trim_win", "data trimmed to window" },
+ { CountType::SUM, "tcp_trim_mss", "data trimmed to MSS" },
+ { CountType::SUM, "tcp_ecn_session", "ECN bits cleared" },
+ { CountType::SUM, "tcp_ts_nop", "timestamp options cleared" },
+ { CountType::SUM, "tcp_ips_data", "normalized segments" },
+ { CountType::SUM, "tcp_block", "blocked segments" },
+ { CountType::END, nullptr, nullptr }
};
-#if 0
-static inline int SetupOK(const TcpStreamTracker* st)
-{
- return ((st->s_mgr.sub_state & SUB_SETUP_OK) == SUB_SETUP_OK);
-}
-
-int strip = ( SetupOK(peer_tracker) && SetupOK(tracker) );
-DebugMessage(DEBUG_STREAM_STATE, "listener not doing timestamps...\n");
-#endif
-
TcpNormalizer::TcpNormalizer(StreamPolicy os_policy, TcpSession* session,
TcpStreamTracker* tracker) :
os_policy(os_policy), session(session), tracker(tracker)
PegCount* get_counts() const override;
StreamUdpConfig* get_data();
+ Usage get_usage() const override
+ { return INSPECT; }
+
private:
StreamUdpConfig* config;
};
const PegInfo udp_pegs[] =
{
SESSION_PEGS("udp"),
- { "ignored", "udp packets ignored" },
- { nullptr, nullptr }
+ { CountType::SUM, "ignored", "udp packets ignored" },
+ { CountType::END, nullptr, nullptr }
};
THREAD_LOCAL UdpStats udpStats;
return true;
}
-#if 0
-const PegInfo* StreamUserModule::get_pegs() const
-{ return user_pegs; }
-
-PegCount* StreamUserModule::get_counts() const
-{ return (PegCount*)&user_stats; }
-#endif
-
struct SnortConfig;
-#if 0
-extern const PegInfo user_pegs[];
-extern THREAD_LOCAL struct UserStats user_stats;
-#endif
-
extern THREAD_LOCAL ProfileStats user_perf_stats;
extern Trace TRACE_NAME(stream_user);
bool begin(const char*, int, SnortConfig*) override;
bool end(const char*, int, SnortConfig*) override;
-#if 0
- const PegInfo* get_pegs() const override;
- PegCount* get_counts() const override;
-#endif
+ Usage get_usage() const override
+ { return INSPECT; }
StreamUserConfig* get_data();
const PegInfo daq_names[] =
{
- { "pcaps", "total files and interfaces processed" },
- { "received", "total packets received from DAQ" },
- { "analyzed", "total packets analyzed from DAQ" },
- { "dropped", "packets dropped" },
- { "filtered", "packets filtered out" },
- { "outstanding", "packets unprocessed" },
- { "injected", "active responses or replacements" },
- { "allow", "total allow verdicts" },
- { "block", "total block verdicts" },
- { "replace", "total replace verdicts" },
- { "whitelist", "total whitelist verdicts" },
- { "blacklist", "total blacklist verdicts" },
- { "ignore", "total ignore verdicts" },
+ { CountType::SUM, "pcaps", "total files and interfaces processed" },
+ { CountType::SUM, "received", "total packets received from DAQ" },
+ { CountType::SUM, "analyzed", "total packets analyzed from DAQ" },
+ { CountType::SUM, "dropped", "packets dropped" },
+ { CountType::SUM, "filtered", "packets filtered out" },
+ { CountType::SUM, "outstanding", "packets unprocessed" },
+ { CountType::SUM, "injected", "active responses or replacements" },
+ { CountType::SUM, "allow", "total allow verdicts" },
+ { CountType::SUM, "block", "total block verdicts" },
+ { CountType::SUM, "replace", "total replace verdicts" },
+ { CountType::SUM, "whitelist", "total whitelist verdicts" },
+ { CountType::SUM, "blacklist", "total blacklist verdicts" },
+ { CountType::SUM, "ignore", "total ignore verdicts" },
// FIXIT-L these are not exactly DAQ counts - but they are related
- { "internal_blacklist", "packets blacklisted internally due to lack of DAQ support" },
- { "internal_whitelist", "packets whitelisted internally due to lack of DAQ support" },
- { "skipped", "packets skipped at startup" },
- { "idle", "attempts to acquire from DAQ without available packets" },
- { "rx_bytes", "total bytes received" },
- { nullptr, nullptr }
+ { CountType::SUM, "internal_blacklist",
+ "packets blacklisted internally due to lack of DAQ support" },
+ { CountType::SUM, "internal_whitelist",
+ "packets whitelisted internally due to lack of DAQ support" },
+ { CountType::SUM, "skipped", "packets skipped at startup" },
+ { CountType::SUM, "idle", "attempts to acquire from DAQ without available packets" },
+ { CountType::SUM, "rx_bytes", "total bytes received" },
+ { CountType::END, nullptr, nullptr }
};
const PegInfo pc_names[] =
{
- { "analyzed", "packets sent to detection" },
- { "hard_evals", "non-fast pattern rule evaluations" },
- { "raw_searches", "fast pattern searches in raw packet data" },
- { "cooked_searches", "fast pattern searches in cooked packet data" },
- { "pkt_searches", "fast pattern searches in packet data" },
- { "alt_searches", "alt fast pattern searches in packet data" },
- { "key_searches", "fast pattern searches in key buffer" },
- { "header_searches", "fast pattern searches in header buffer" },
- { "body_searches", "fast pattern searches in body buffer" },
- { "file_searches", "fast pattern searches in file buffer" },
- { "offloads", "fast pattern searches that were offloaded" },
- { "alerts", "alerts not including IP reputation" },
- { "total_alerts", "alerts including IP reputation" },
- { "logged", "logged packets" },
- { "passed", "passed packets" },
- { "match_limit", "fast pattern matches not processed" },
- { "queue_limit", "events not queued because queue full" },
- { "log_limit", "events queued but not logged" },
- { "event_limit", "events filtered" },
- { "alert_limit", "events previously triggered on same PDU" },
- { nullptr, nullptr }
+ { CountType::SUM, "analyzed", "packets sent to detection" },
+ { CountType::SUM, "hard_evals", "non-fast pattern rule evaluations" },
+ { CountType::SUM, "raw_searches", "fast pattern searches in raw packet data" },
+ { CountType::SUM, "cooked_searches", "fast pattern searches in cooked packet data" },
+ { CountType::SUM, "pkt_searches", "fast pattern searches in packet data" },
+ { CountType::SUM, "alt_searches", "alt fast pattern searches in packet data" },
+ { CountType::SUM, "key_searches", "fast pattern searches in key buffer" },
+ { CountType::SUM, "header_searches", "fast pattern searches in header buffer" },
+ { CountType::SUM, "body_searches", "fast pattern searches in body buffer" },
+ { CountType::SUM, "file_searches", "fast pattern searches in file buffer" },
+ { CountType::SUM, "offloads", "fast pattern searches that were offloaded" },
+ { CountType::SUM, "alerts", "alerts not including IP reputation" },
+ { CountType::SUM, "total_alerts", "alerts including IP reputation" },
+ { CountType::SUM, "logged", "logged packets" },
+ { CountType::SUM, "passed", "passed packets" },
+ { CountType::SUM, "match_limit", "fast pattern matches not processed" },
+ { CountType::SUM, "queue_limit", "events not queued because queue full" },
+ { CountType::SUM, "log_limit", "events queued but not logged" },
+ { CountType::SUM, "event_limit", "events filtered" },
+ { CountType::SUM, "alert_limit", "events previously triggered on same PDU" },
+ { CountType::END, nullptr, nullptr }
};
const PegInfo proc_names[] =
{
- { "local_commands", "total local commands processed" },
- { "remote_commands", "total remote commands processed" },
- { "signals", "total signals processed" },
- { "conf_reloads", "number of times configuration was reloaded" },
- { "policy_reloads", "number of times policies were reloaded" },
- { "inspector_deletions", "number of times inspectors were deleted" },
- { "daq_reloads", "number of times daq configuration was reloaded" },
- { "attribute_table_reloads", "number of times hosts table was reloaded" },
- { "attribute_table_hosts", "total number of hosts in table" },
- { nullptr, nullptr }
+ { CountType::SUM, "local_commands", "total local commands processed" },
+ { CountType::SUM, "remote_commands", "total remote commands processed" },
+ { CountType::SUM, "signals", "total signals processed" },
+ { CountType::SUM, "conf_reloads", "number of times configuration was reloaded" },
+ { CountType::SUM, "policy_reloads", "number of times policies were reloaded" },
+ { CountType::SUM, "inspector_deletions", "number of times inspectors were deleted" },
+ { CountType::SUM, "daq_reloads", "number of times daq configuration was reloaded" },
+ { CountType::SUM, "attribute_table_reloads", "number of times hosts table was reloaded" },
+ { CountType::SUM, "attribute_table_hosts", "total number of hosts in table" },
+ { CountType::END, nullptr, nullptr }
};
//-------------------------------------------------------------------------
bool Detection::convert(std::istringstream& data_stream)
{
bool retval = true;
+ bool split_set = false;
std::string args;
table_api.open_table("search_engine");
{
table_api.add_diff_option_comment("split-any-any", "split_any_any");
tmpval = table_api.add_option("split_any_any", true);
+ split_set = true;
}
else if (!keyword.compare("bleedover-warnings-enabled"))
{
table_api.add_diff_option_comment("ac-split", "ac_full");
bool tmpval2 = table_api.add_option("split_any_any", true);
bool tmpval1 = table_api.add_option("search_method", "ac_full");
+ split_set = true;
tmpval = tmpval1 && tmpval2;
if (!table_api.add_option("split_any_any", true))
if (retval && !tmpval)
retval = false;
}
+ if ( !split_set )
+ {
+ table_api.add_diff_option_comment("split-any-any", "split_any_any = true by default");
+ table_api.add_option("split_any_any", false);
+ }
return retval;
}
projects / thirdparty / snort3.git / commitdiff
