find_package(PkgConfig)
pkg_check_modules(PKG_HINT uuid)
+if (APPLE)
+ set(APPLE_UUID_INCLUDE_DIR "/usr/include/uuid")
+ set(UUID_LIBRARY_NAME "System")
+else()
+ set(APPLE_INCLUDE_DIR "")
+ set(UUID_LIBRARY_NAME "uuid")
+endif()
+
find_path (UUID_INCLUDE_DIR
NAMES uuid.h
- HINTS ${UUID_INCLUDE_DIR_HINT} ${PKG_HINT_INCLUDE_DIRS}
+ HINTS ${UUID_INCLUDE_DIR_HINT} ${PKG_HINT_INCLUDE_DIRS} ${APPLE_UUID_INCLUDE_DIR}
)
if (UUID_INCLUDE_DIR)
find_library(UUID_LIBRARY
- NAMES uuid
+ NAMES ${UUID_LIBRARY_NAME}
HINTS ${UUID_LIBRARIES_DIR_HINT} ${PKG_HINT_LIBRARY_DIRS}
)
else()
AC_MSG_RESULT(${have_uuid_pkgconfig})
UUID_CPPFLAGS=""
+if test "${macos}" = "yes"; then
+ UUID_CPPFLAGS="-I/usr/include/uuid"
+ UUID_LDFLAGS="-lSystem"
+ UUID_LIBNAME="System"
+else
+ UUID_LIBNAME="uuid"
+fi
+
if test "${have_uuid_pkgconfig}" = "yes" ; then
UUID_CPPFLAGS=`${PKG_CONFIG} --cflags uuid`
UUID_LDFLAGS=`${PKG_CONFIG} --libs-only-L uuid`
# Verify that we have the library
UUID_L=""
-AC_CHECK_LIB(uuid, uuid_parse, UUID_L="yes")
+AC_CHECK_LIB("${UUID_LIBNAME}", uuid_parse, UUID_L="yes")
if test "x$UUID_L" = "xyes"; then
if test "x$UUID_H" = "xyes"; then
AC_DEFINE([HAVE_UUID],[1],[can build uuid code])
- LIBS="${LIBS} -luuid"
+ LIBS="${LIBS} -l${UUID_LIBNAME}"
fi
fi
{
memcpy(ho->ether_src, hi->ether_src, sizeof(ho->ether_src));
- if ( snort_conf->eth_dst )
- memcpy(ho->ether_dst, snort_conf->eth_dst, sizeof(ho->ether_dst));
+ if ( SnortConfig::get_conf()->eth_dst )
+ memcpy(ho->ether_dst, SnortConfig::get_conf()->eth_dst, sizeof(ho->ether_dst));
else
memcpy(ho->ether_dst, hi->ether_dst, sizeof(ho->ether_dst));
}
{
memcpy(ho->ether_src, hi->ether_dst, sizeof(ho->ether_src));
- if ( snort_conf->eth_dst )
- memcpy(ho->ether_dst, snort_conf->eth_dst, sizeof(ho->ether_dst));
+ if ( SnortConfig::get_conf()->eth_dst )
+ memcpy(ho->ether_dst, SnortConfig::get_conf()->eth_dst, sizeof(ho->ether_dst));
else
memcpy(ho->ether_dst, hi->ether_src, sizeof(ho->ether_dst));
}
static bool ff_pkt_num(Args& a)
{
print_label(a, "pkt_num");
- TextLog_Print(json_log, STDu64, pc.total_from_daq);
+ TextLog_Print(json_log, STDu64, get_packet_number());
return true;
}
// must be called AFTER setting next_prot_id
if (snort.ip_api.is_ip6())
{
- if ( snort_conf->hit_ip6_maxopts(codec.ip6_extension_count) )
+ if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) )
{
codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR);
return false;
return false;
}
- if ( snort_conf->hit_ip6_maxopts(codec.ip6_extension_count) )
+ if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) )
codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR);
if (dsthdr->ip6dest_nxt == IpProtocol::ROUTING)
// must be called AFTER setting next_prot_id
if (snort.ip_api.is_ip6())
{
- if ( snort_conf->hit_ip6_maxopts(codec.ip6_extension_count) )
+ if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) )
{
codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR);
return false;
return false;
}
- if ( snort_conf->hit_ip6_maxopts(codec.ip6_extension_count) )
+ if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) )
{
codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR);
return false;
return false;
}
- if ( snort_conf->hit_ip6_maxopts(codec.ip6_extension_count) )
+ if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) )
{
codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR);
return false;
return false;
}
- if ( snort_conf->hit_ip_maxlayers(codec.ip_layer_cnt) )
+ if ( SnortConfig::get_conf()->hit_ip_maxlayers(codec.ip_layer_cnt) )
{
codec_event(codec, DECODE_IP_MULTIPLE_ENCAPSULATION);
return false;
return false;
}
- if ( snort_conf->hit_ip_maxlayers(codec.ip_layer_cnt) )
+ if ( SnortConfig::get_conf()->hit_ip_maxlayers(codec.ip_layer_cnt) )
{
codec_event(codec, DECODE_IP_MULTIPLE_ENCAPSULATION);
return false;
bool MobilityCodec::decode(const RawData&, CodecData& codec, DecodeData&)
{
- if ( snort_conf->hit_ip6_maxopts(codec.ip6_extension_count) )
+ if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) )
{
codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR);
return false;
if (raw.len < ip::MIN_EXT_LEN)
return false;
- if ( snort_conf->hit_ip6_maxopts(codec.ip6_extension_count) )
+ if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) )
{
codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR);
return false;
return false;
}
- if ( snort_conf->hit_ip6_maxopts(codec.ip6_extension_count) )
+ if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) )
{
codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR);
return false;
{
memcpy(ho->ether_src, hi->ether_src, sizeof(ho->ether_src));
- if ( snort_conf->eth_dst )
- memcpy(ho->ether_dst, snort_conf->eth_dst, sizeof(ho->ether_dst));
+ if ( SnortConfig::get_conf()->eth_dst )
+ memcpy(ho->ether_dst, SnortConfig::get_conf()->eth_dst, sizeof(ho->ether_dst));
else
memcpy(ho->ether_dst, hi->ether_dst, sizeof(ho->ether_dst));
}
{
memcpy(ho->ether_src, hi->ether_dst, sizeof(ho->ether_src));
- if ( snort_conf->eth_dst )
- memcpy(ho->ether_dst, snort_conf->eth_dst, sizeof(ho->ether_dst));
+ if ( SnortConfig::get_conf()->eth_dst )
+ memcpy(ho->ether_dst, SnortConfig::get_conf()->eth_dst, sizeof(ho->ether_dst));
else
memcpy(ho->ether_dst, hi->ether_src, sizeof(ho->ether_dst));
}
//--------------------------------------------------------------------------
void DetectionEngine::thread_init()
-{ offloader = new RegexOffload(snort_conf->offload_threads); }
+{ offloader = new RegexOffload(SnortConfig::get_conf()->offload_threads); }
void DetectionEngine::thread_term()
{ delete offloader; }
{
ContextSwitcher* sw = Snort::get_switcher();
- if ( p->type() != PktType::PDU or (p->dsize < snort_conf->offload_limit) or !sw->can_hold() )
+ if ( p->type() != PktType::PDU or (p->dsize < SnortConfig::get_conf()->offload_limit) or !sw->can_hold() )
{
fp_local(p);
return false;
pc.total_from_daq, id, offloader->count());
p->flow->set_offloaded();
- p->context->conf = snort_conf;
+ p->context->conf = SnortConfig::get_conf();
offloader->put(id, p);
pc.offloads++;
if ( !p )
return;
- if ( n > snort_conf->event_trace_max )
- n = snort_conf->event_trace_max;
+ if ( n > SnortConfig::get_conf()->event_trace_max )
+ n = SnortConfig::get_conf()->event_trace_max;
for ( idx = 0; idx < n; idx++)
{
void EventTrace_Init()
{
- if ( snort_conf->event_trace_max > 0 )
+ if ( SnortConfig::get_conf()->event_trace_max > 0 )
{
time_t now = time(nullptr);
char time_buf[26];
tlog = TextLog_Init ("event_trace.txt", 4*1024, 8*1024*1024);
TextLog_Print(tlog, "\nTrace started at %s", time_buf);
- TextLog_Print(tlog, "Trace max_data is %u bytes\n", snort_conf->event_trace_max);
+ TextLog_Print(tlog, "Trace max_data is %u bytes\n", SnortConfig::get_conf()->event_trace_max);
}
}
inline int EventTrace_IsEnabled()
{
- return ( snort_conf->event_trace_max > 0 );
+ return ( SnortConfig::get_conf()->event_trace_max > 0 );
}
#endif
** If we hit the max number of unique events for any rule type alert,
** log or pass, then we don't add it to the list.
*/
- if ( pmi->iMatchCount >= (int)snort_conf->fast_pattern_config->get_max_queue_events() ||
+ if ( pmi->iMatchCount >= (int)SnortConfig::get_conf()->fast_pattern_config->get_max_queue_events() ||
pmi->iMatchCount >= MAX_EVENT_MATCH)
{
pc.match_limit++;
int k;
const OptTreeNode* otn;
int tcnt = 0;
- EventQueueConfig* eq = snort_conf->event_queue_config;
+ EventQueueConfig* eq = SnortConfig::get_conf()->event_queue_config;
RuleTreeNode* rtn;
for ( i = 0; i < o->iMatchInfoArraySize; i++ )
c.stash = new MpseStash;
c.otnx = (OtnxMatchData*)snort_calloc(sizeof(OtnxMatchData));
- c.otnx->iMatchInfoArraySize = snort_conf->num_rule_types;
+ c.otnx->iMatchInfoArraySize = SnortConfig::get_conf()->num_rule_types;
c.otnx->matchInfo = (MatchInfo*)snort_calloc(
- snort_conf->num_rule_types, sizeof(MatchInfo));
+ SnortConfig::get_conf()->num_rule_types, sizeof(MatchInfo));
c.context_num = 0;
}
omd->p = p;
omd->check_ports = check_ports;
- bool user_mode = snort_conf->sopgTable->user_mode;
+ bool user_mode = SnortConfig::get_conf()->sopgTable->user_mode;
trace_log(detection, TRACE_RULE_EVAL, "Fast pattern search\n");
int8_t curr_ip_layer = 0;
bool repeat = false;
uint16_t tmp_dsize = 0;
- FastPatternConfig* fp = snort_conf->fast_pattern_config;
+ FastPatternConfig* fp = SnortConfig::get_conf()->fast_pattern_config;
print_pkt_info(p);
{
PortGroup* any = nullptr, * ip_group = nullptr;
- if ( !prmFindRuleGroupIp(snort_conf->prmIpRTNX, ANYPORT, &ip_group, &any) )
+ if ( !prmFindRuleGroupIp(SnortConfig::get_conf()->prmIpRTNX, ANYPORT, &ip_group, &any) )
return;
- if ( snort_conf->fast_pattern_config->get_debug_print_nc_rules() )
+ if ( SnortConfig::get_conf()->fast_pattern_config->get_debug_print_nc_rules() )
LogMessage("fpEvalHeaderIp: ip_group=%p, any=%p\n", (void*)ip_group, (void*)any);
if ( ip_group )
{
PortGroup* any = nullptr, * type = nullptr;
- if ( !prmFindRuleGroupIcmp(snort_conf->prmIcmpRTNX, p->ptrs.icmph->type, &type, &any) )
+ if ( !prmFindRuleGroupIcmp(SnortConfig::get_conf()->prmIcmpRTNX, p->ptrs.icmph->type, &type, &any) )
return;
if ( type )
{
PortGroup* src = nullptr, * dst = nullptr, * any = nullptr;
- if ( !prmFindRuleGroupTcp(snort_conf->prmTcpRTNX, p->ptrs.dp, p->ptrs.sp, &src, &dst, &any) )
+ if ( !prmFindRuleGroupTcp(SnortConfig::get_conf()->prmTcpRTNX, p->ptrs.dp, p->ptrs.sp, &src, &dst, &any) )
return;
DebugFormat(DEBUG_ATTRIBUTE,
{
PortGroup* src = nullptr, * dst = nullptr, * any = nullptr;
- if ( !prmFindRuleGroupUdp(snort_conf->prmUdpRTNX, p->ptrs.dp, p->ptrs.sp, &src, &dst, &any) )
+ if ( !prmFindRuleGroupUdp(SnortConfig::get_conf()->prmUdpRTNX, p->ptrs.dp, p->ptrs.sp, &src, &dst, &any) )
return;
DebugFormat(DEBUG_ATTRIBUTE,
{
DebugMessage(DEBUG_ATTRIBUTE, "pkt_from_server\n");
- svc = snort_conf->sopgTable->get_port_group(proto, false, proto_ordinal);
- file = snort_conf->sopgTable->get_port_group(proto, false, SNORT_PROTO_FILE);
+ svc = SnortConfig::get_conf()->sopgTable->get_port_group(proto, false, proto_ordinal);
+ file = SnortConfig::get_conf()->sopgTable->get_port_group(proto, false, SNORT_PROTO_FILE);
}
if (p->is_from_client()) /* to srv */
{
DebugMessage(DEBUG_ATTRIBUTE, "pkt_from_client\n");
- svc = snort_conf->sopgTable->get_port_group(proto, true, proto_ordinal);
- file = snort_conf->sopgTable->get_port_group(proto, true, SNORT_PROTO_FILE);
+ svc = SnortConfig::get_conf()->sopgTable->get_port_group(proto, true, proto_ordinal);
+ file = SnortConfig::get_conf()->sopgTable->get_port_group(proto, true, SNORT_PROTO_FILE);
}
DebugFormat(DEBUG_ATTRIBUTE,
break;
case PktType::PDU:
- if ( snort_conf->sopgTable->user_mode )
+ if ( SnortConfig::get_conf()->sopgTable->user_mode )
fpEvalHeaderSvc(p, omd, SNORT_PROTO_USER);
// use ports if we don't know service or don't have rules
pkth = new DAQ_PktHdr_t;
buf = new uint8_t[buf_size];
- const EventQueueConfig* qc = snort_conf->event_queue_config;
+ const EventQueueConfig* qc = SnortConfig::get_conf()->event_queue_config;
equeue = sfeventq_new(qc->max_events, qc->log_events, sizeof(EventNode));
packet->context = this;
/* If no Src/Dst rules - use the generic set, if any exist */
if ( p->prmGeneric and (p->prmGeneric->rule_count > 0) )
{
- if ( snort_conf->fast_pattern_config->get_split_any_any() or (!*src and !*dst) )
+ if ( SnortConfig::get_conf()->fast_pattern_config->get_split_any_any() or (!*src and !*dst) )
{
*gen = p->prmGeneric;
}
assert(req->packet);
assert(req->packet->flow->is_offloaded());
- snort_conf = req->packet->context->conf; // FIXIT-H reload issue
+ SnortConfig::set_conf(req->packet->context->conf); // FIXIT-H reload issue
fp_offload(req->packet);
req->offload = false;
OptTreeNode* GetOTN(uint32_t gid, uint32_t sid)
{
- OptTreeNode* otn = OtnLookup(snort_conf->otn_map, gid, sid);
+ OptTreeNode* otn = OtnLookup(SnortConfig::get_conf()->otn_map, gid, sid);
if ( !otn )
return nullptr;
FileCache::FileCache()
{
- int max_files = snort_conf->file_config.max_files_cached;
+ int max_files = SnortConfig::get_conf()->file_config.max_files_cached;
fileHash = sfxhash_new(max_files, sizeof(FileHashKey), sizeof(FileNode),
0, 1, nullptr, file_cache_free_func, 1);
if (!fileHash)
file_signature_context = nullptr;
file_capture = nullptr;
file_segments = nullptr;
- inspector = (FileInspect*)InspectorManager::acquire(FILE_ID_NAME, snort_conf);
+ inspector = (FileInspect*)InspectorManager::acquire(FILE_ID_NAME, SnortConfig::get_conf());
file_config = inspector->config;
}
dip = &cleared;
}
- if ((snort_conf == nullptr) || (snort_conf->rate_filter_config == nullptr))
+ if ((SnortConfig::get_conf() == nullptr) ||
+ (SnortConfig::get_conf()->rate_filter_config == nullptr))
{
/* this should not happen, see the create fcn */
return -1;
if ( p->is_from_server() )
{
return SFRF_TestThreshold(
- snort_conf->rate_filter_config, gid, sid, dip, sip,
+ SnortConfig::get_conf()->rate_filter_config, gid, sid, dip, sip,
p->pkth->ts.tv_sec, SFRF_COUNT_INCREMENT);
}
}
return SFRF_TestThreshold(
- snort_conf->rate_filter_config, gid, sid, sip, dip,
+ SnortConfig::get_conf()->rate_filter_config, gid, sid, sip, dip,
p->pkth->ts.tv_sec, SFRF_COUNT_INCREMENT);
}
const SfIp* sip, const SfIp* dip,
long curtime)
{
- if ((snort_conf->threshold_config == nullptr) ||
- !snort_conf->threshold_config->enabled)
+ if ((SnortConfig::get_conf()->threshold_config == nullptr) ||
+ !SnortConfig::get_conf()->threshold_config->enabled)
{
return 0;
}
if (!thd_checked)
{
thd_checked = 1;
- thd_answer = sfthd_test_threshold(snort_conf->threshold_config->thd_objs,
+ thd_answer = sfthd_test_threshold(SnortConfig::get_conf()->threshold_config->thd_objs,
thd_runtime, gen_id, sig_id, sip, dip, curtime);
}
if ( flow->flow_state != Flow::FlowState::SETUP )
{
- set_inspection_policy(snort_conf, flow->inspection_policy_id);
- set_ips_policy(snort_conf, flow->ips_policy_id);
- set_network_policy(snort_conf, flow->network_policy_id);
+ set_inspection_policy(SnortConfig::get_conf(), flow->inspection_policy_id);
+ set_ips_policy(SnortConfig::get_conf(), flow->ips_policy_id);
+ set_network_policy(SnortConfig::get_conf(), flow->network_policy_id);
}
else
return true;
}
+void Inspector::add_ref()
+{ ++ref_count[slot]; }
+
+void Inspector::rem_ref()
+{ --ref_count[slot]; }
unsigned get_ref(unsigned i) { return ref_count[i]; }
void set_ref(unsigned i, unsigned r) { ref_count[i] = r; }
- void add_ref() { ++ref_count[slot]; }
- void rem_ref() { --ref_count[slot]; }
+ void add_ref();
+ void rem_ref();
bool is_inactive();
// Stubs whose sole purpose is to make the test code link
static SnortConfig my_config;
THREAD_LOCAL SnortConfig *snort_conf = &my_config;
+
SnortConfig::SnortConfig(SnortConfig*)
{ snort_conf->run_flags = 0;} // run_flags is used indirectly from SFHASHFCN class by calling SnortConfig::static_hash()
+
SnortConfig::~SnortConfig() = default;
+
+SnortConfig* SnortConfig::get_conf()
+{ return snort_conf; }
+
// implement functions for virtual
FileVerdict FilePolicy::type_lookup(Flow* , FileContext* ) { return FILE_VERDICT_UNKNOWN;}
FileVerdict FilePolicy::type_lookup(Flow* , FileInfo* ) { return FILE_VERDICT_UNKNOWN;}
static void dirty_handler(int signal)
{
- snort_conf->dirty_pig = true;
+ SnortConfig::get_conf()->dirty_pig = true;
exit_handler(signal);
}
bool host_cache_add_service(const SfIp& ipaddr, Protocol ipproto, Port port, const char* /*service*/)
{
HostIpKey ipkey((const uint8_t*) ipaddr.get_ip6_ptr());
- uint16_t proto = 0; // FIXIT-M not safe with multithreads snort_conf->proto_ref->add(service));
+ uint16_t proto = 0; // FIXIT-M not safe with multithreads SnortConfig::get_conf()->proto_ref->add(service));
HostApplicationEntry app_entry(ipproto, port, proto);
std::shared_ptr<HostTracker> ht;
found_offset = -1;
- SnortState* ss = snort_conf->state + get_instance_id();
+ SnortState* ss = SnortConfig::get_conf()->state + get_instance_id();
assert(ss->pcre_ovector);
int result = pcre_exec(
start_offset, /* start at offset 0 in the subject */
0, /* options(handled at compile time */
ss->pcre_ovector, /* vector for substring information */
- snort_conf->pcre_ovector_size); /* number of elements in the vector */
+ SnortConfig::get_conf()->pcre_ovector_size); /* number of elements in the vector */
if (result >= 0)
{
if ( pos > c.size() )
return NO_MATCH;
- SnortState* ss = snort_conf->state + get_instance_id();
+ SnortState* ss = SnortConfig::get_conf()->state + get_instance_id();
assert(ss->regex_scratch);
s_to = 0;
const uint8_t* buf = c.start();
unsigned int buflen = c.length();
- SnortState* ss = snort_conf->state + get_instance_id();
+ SnortState* ss = SnortConfig::get_conf()->state + get_instance_id();
assert(ss->sdpattern_scratch);
hsContext ctx(config, p, start, buf, buflen);
const char* addr;
- if (snort_conf->homenet.contains(dst) == SFIP_CONTAINS)
+ if (SnortConfig::get_conf()->homenet.contains(dst) == SFIP_CONTAINS)
{
- if (snort_conf->homenet.contains(src) == SFIP_NOT_CONTAINS)
+ if (SnortConfig::get_conf()->homenet.contains(src) == SFIP_NOT_CONTAINS)
{
addr = p->ptrs.ip_api.get_src()->ntoa();
}
}
else
{
- if (snort_conf->homenet.contains(src) == SFIP_CONTAINS)
+ if (SnortConfig::get_conf()->homenet.contains(src) == SFIP_CONTAINS)
{
addr = p->ptrs.ip_api.get_dst()->ntoa();
}
SnortConfig::~SnortConfig() { }
+SnortConfig* SnortConfig::get_conf()
+{ return snort_conf; }
+
unsigned get_instance_id()
{ return 0; }
static struct SnortConfigWrapper : public ConfigWrapper
{
const PacketLatencyConfig* operator->() const override
- { return &snort_conf->latency->packet_latency; }
+ { return &SnortConfig::get_conf()->latency->packet_latency; }
} config;
static struct SnortConfigWrapper : public ConfigWrapper
{
const RuleLatencyConfig* operator->() const override
- { return &snort_conf->latency->rule_latency; }
+ { return &SnortConfig::get_conf()->latency->rule_latency; }
} config;
if (SnortConfig::obfuscate())
{
ObfuscateIpToText(p->ptrs.ip_api.get_src(),
- snort_conf->homenet, snort_conf->obfuscation_net, src);
+ SnortConfig::get_conf()->homenet, SnortConfig::get_conf()->obfuscation_net, src);
ObfuscateIpToText(p->ptrs.ip_api.get_dst(),
- snort_conf->homenet, snort_conf->obfuscation_net, dst);
+ SnortConfig::get_conf()->homenet, SnortConfig::get_conf()->obfuscation_net, dst);
TextLog_Print(log, ip_fmt, src, dst);
}
if (SnortConfig::obfuscate())
{
ObfuscateIpToText(p->ptrs.ip_api.get_src(),
- snort_conf->homenet, snort_conf->obfuscation_net, src);
+ SnortConfig::get_conf()->homenet, SnortConfig::get_conf()->obfuscation_net, src);
ObfuscateIpToText(p->ptrs.ip_api.get_dst(),
- snort_conf->homenet, snort_conf->obfuscation_net, dst);
+ SnortConfig::get_conf()->homenet, SnortConfig::get_conf()->obfuscation_net, dst);
TextLog_Print(log, ip_fmt, src, p->ptrs.sp, dst, p->ptrs.dp);
}
buf_name = p->get_pseudo_type();
}
- const HexAsciiLayout& hal = snort_conf->output_wide_hex() ? hal_wide : hal_std;
+ const HexAsciiLayout& hal = SnortConfig::get_conf()->output_wide_hex() ? hal_wide : hal_std;
const char* hdr_off = SnortConfig::verbose_byte_dump() ? hal.offset_hdr : "";
const char* ins_name = p->flow and p->flow->gadget ? p->flow->gadget->get_name() : "snort";
void ParseWarning(WarningGroup wg, const char* format, ...)
{
- if ( !(snort_conf->warning_flags & (1 << wg)) )
+ if ( !(SnortConfig::get_conf()->warning_flags & (1 << wg)) )
return;
char buf[STD_BUF+1];
static void WriteLogMessage(FILE* fh, bool prefer_fh, const char* format, va_list& ap)
{
- if ( snort_conf && !prefer_fh )
+ if ( SnortConfig::get_conf() && !prefer_fh )
{
if ( SnortConfig::log_quiet() )
return;
{
va_list ap;
- if ( snort_conf and SnortConfig::log_quiet() )
+ if ( SnortConfig::get_conf() and SnortConfig::log_quiet() )
return;
va_start(ap, format);
- if ( snort_conf and SnortConfig::log_syslog() )
+ if ( SnortConfig::get_conf() and SnortConfig::log_syslog() )
{
char buf[STD_BUF+1];
vsnprintf(buf, STD_BUF, format, ap);
va_start(ap, format);
- if ( snort_conf and SnortConfig::log_syslog() )
+ if ( SnortConfig::get_conf() and SnortConfig::log_syslog() )
{
char buf[STD_BUF+1];
vsnprintf(buf, STD_BUF, format, ap);
buf[STD_BUF] = '\0';
- if ( snort_conf and SnortConfig::log_syslog() )
+ if ( SnortConfig::get_conf() and SnortConfig::log_syslog() )
{
syslog(LOG_CONS | LOG_DAEMON | LOG_ERR, "FATAL ERROR: %s", buf);
}
static void ff_pkt_num(Args&)
{
- TextLog_Print(csv_log, STDu64, pc.total_from_daq);
+ TextLog_Print(csv_log, STDu64, get_packet_number());
}
static void ff_priority(Args& a)
if (sid == 0)
return nullptr;
- for (hashNode = sfghash_findfirst(snort_conf->otn_map);
+ for (hashNode = sfghash_findfirst(SnortConfig::get_conf()->otn_map);
hashNode;
- hashNode = sfghash_findnext(snort_conf->otn_map))
+ hashNode = sfghash_findnext(SnortConfig::get_conf()->otn_map))
{
OptTreeNode* otn = (OptTreeNode*)hashNode->data;
RuleTreeNode* rtn = getRuntimeRtnFromOtn(otn);
if (SnortConfig::obfuscate())
{
- ObfuscateIpToText(p->ptrs.ip_api.get_src(), snort_conf->homenet,
- snort_conf->obfuscation_net, src);
+ ObfuscateIpToText(p->ptrs.ip_api.get_src(), SnortConfig::get_conf()->homenet,
+ SnortConfig::get_conf()->obfuscation_net, src);
- ObfuscateIpToText(p->ptrs.ip_api.get_dst(), snort_conf->homenet,
- snort_conf->obfuscation_net, dst);
+ ObfuscateIpToText(p->ptrs.ip_api.get_dst(), SnortConfig::get_conf()->homenet,
+ SnortConfig::get_conf()->obfuscation_net, dst);
SnortSnprintfAppend(event_string, sizeof(event_string), ip_fmt, src, dst);
}
if (SnortConfig::obfuscate())
{
- ObfuscateIpToText(p->ptrs.ip_api.get_src(), snort_conf->homenet,
- snort_conf->obfuscation_net, src);
+ ObfuscateIpToText(p->ptrs.ip_api.get_src(), SnortConfig::get_conf()->homenet,
+ SnortConfig::get_conf()->obfuscation_net, src);
- ObfuscateIpToText(p->ptrs.ip_api.get_dst(), snort_conf->homenet,
- snort_conf->obfuscation_net, dst);
+ ObfuscateIpToText(p->ptrs.ip_api.get_dst(), SnortConfig::get_conf()->homenet,
+ SnortConfig::get_conf()->obfuscation_net, dst);
SnortSnprintfAppend(event_string, sizeof(event_string), ip_fmt,
src, p->ptrs.sp, dst, p->ptrs.dp);
assert(!athread);
LogMessage("++ [%u] %s\n", idx, analyzer->get_source());
- Swapper* ps = new Swapper(snort_conf, SFAT_GetConfig());
+ Swapper* ps = new Swapper(SnortConfig::get_conf(), SFAT_GetConfig());
athread = new std::thread(std::ref(*analyzer), ps, ++run_num);
}
}
current_request->respond(".. reloading configuration\n");
- SnortConfig* old = snort_conf;
+ SnortConfig* old = SnortConfig::get_conf();
SnortConfig* sc = Snort::get_reload_config(fname);
if ( !sc )
current_request->respond("== reload failed\n");
return 0;
}
- snort_conf = sc;
+ SnortConfig::set_conf(sc);
proc_stats.conf_reloads++;
bool from_shell = ( L != nullptr );
return 0;
}
- SnortConfig* old = snort_conf;
+ SnortConfig* old = SnortConfig::get_conf();
SnortConfig* sc = Snort::get_updated_policy(old, fname, nullptr);
if ( !sc )
current_request->respond("== reload failed\n");
return 0;
}
- snort_conf = sc;
+ SnortConfig::set_conf(sc);
proc_stats.policy_reloads++;
bool from_shell = ( L != nullptr );
}
Shell sh = Shell(fname);
- sh.configure(snort_conf);
+ sh.configure(SnortConfig::get_conf());
tTargetBasedConfig* old = SFAT_GetConfig();
tTargetBasedConfig* tc = SFAT_Swap();
return 0;
}
- SnortConfig* old = snort_conf;
+ SnortConfig* old = SnortConfig::get_conf();
SnortConfig* sc = Snort::get_updated_policy(old, nullptr, iname);
if ( !sc )
current_request->respond("== reload failed\n");
return 0;
}
- snort_conf = sc;
+ SnortConfig::set_conf(sc);
proc_stats.inspector_deletions++;
bool from_shell = ( L != nullptr );
if ( SnortConfig::test_mode() )
return true;
- if ( use_shell(snort_conf) )
+ if ( use_shell(SnortConfig::get_conf()) )
return false;
/* FIXIT-L X This should really check if the DAQ module was unset as it could be explicitly
if ( SnortConfig::read_mode() && !Trough::get_queue_size() )
return true;
- if ( !SnortConfig::read_mode() && !SFDAQ::get_input_spec(snort_conf, 0) )
+ if ( !SnortConfig::read_mode() && !SFDAQ::get_input_spec(SnortConfig::get_conf(), 0) )
return true;
}
warnings);
// force test mode to exit w/o stats
- snort_conf->run_flags |= RUN_FLAG__TEST;
+ SnortConfig::get_conf()->run_flags |= RUN_FLAG__TEST;
return false;
}
- if ( snort_conf->run_flags & RUN_FLAG__PAUSE )
+ if ( SnortConfig::get_conf()->run_flags & RUN_FLAG__PAUSE )
{
LogMessage("Paused; resume to start packet processing\n");
paused = true;
LogMessage("Commencing packet processing\n");
#ifdef SHELL
- if ( use_shell(snort_conf) )
+ if ( use_shell(SnortConfig::get_conf()) )
{
LogMessage("Entering command shell\n");
ControlMgmt::add_control(STDOUT_FILENO, true);
if (!SnortConfig::read_mode())
{
for (swine = 0; swine < max_pigs; swine++)
- pigs[swine].prep(SFDAQ::get_input_spec(snort_conf, swine));
+ pigs[swine].prep(SFDAQ::get_input_spec(SnortConfig::get_conf(), swine));
}
// Iterate over the drove, spawn them as allowed, and handle their deaths.
// FIXIT-P This incurs locking on all threads to retrieve stats. It could be reimplemented to
// optimize for large thread counts by retrieving stats in the command and accumulating in the
// main thread.
- ModuleManager::accumulate(snort_conf);
+ ModuleManager::accumulate(SnortConfig::get_conf());
}
ACGetStats::~ACGetStats()
int ControlMgmt::setup_socket_family()
{
int family = AF_UNSPEC;
- if ( snort_conf->remote_control_port )
+ if ( SnortConfig::get_conf()->remote_control_port )
{
memset(&in_addr, 0, sizeof(in_addr));
in_addr.sin_family = AF_INET;
in_addr.sin_addr.s_addr = htonl(0x7F000001);
- in_addr.sin_port = htons(snort_conf->remote_control_port);
+ in_addr.sin_port = htons(SnortConfig::get_conf()->remote_control_port);
sock_addr = (struct sockaddr*)&in_addr;
sock_addr_size = sizeof(in_addr);
family = AF_INET;
}
- else if ( !snort_conf->remote_control_socket.empty() )
+ else if ( !SnortConfig::get_conf()->remote_control_socket.empty() )
{
std::string fullpath;
- const char* path_sep = strrchr(snort_conf->remote_control_socket.c_str(), '/');
+ const char* path_sep = strrchr(SnortConfig::get_conf()->remote_control_socket.c_str(), '/');
if (path_sep != nullptr)
- fullpath = snort_conf->remote_control_socket;
+ fullpath = SnortConfig::get_conf()->remote_control_socket;
else
- get_instance_file(fullpath, snort_conf->remote_control_socket.c_str());
+ get_instance_file(fullpath, SnortConfig::get_conf()->remote_control_socket.c_str());
memset(&unix_addr, 0, sizeof(unix_addr));
unix_addr.sun_family = AF_UNIX;
[[noreturn]] static void show_help(SnortConfig* sc, const char* val, HelpType ht)
{
- snort_conf = new SnortConfig;
+ SnortConfig::set_conf(new SnortConfig);
ScriptManager::load_scripts(sc->script_paths);
PluginManager::load_plugins(sc->plugin_path);
ModuleManager::init();
ModuleManager::term();
PluginManager::release_plugins();
ScriptManager::release_scripts();
- delete snort_conf;
+ delete SnortConfig::get_conf();
exit(0);
}
}
//-------------------------------------------------------------------------
-// detection policy module
+// inspection policy module
+//-------------------------------------------------------------------------
+
+static const Parameter inspection_params[] =
+{
+ { "id", Parameter::PT_INT, "0:65535", "0",
+ "correlate policy and events with other items in configuration" },
+
+#ifdef HAVE_UUID
+ { "uuid", Parameter::PT_STRING, nullptr, nullptr,
+ "correlate events by uuid" },
+#endif
+
+ { "mode", Parameter::PT_ENUM, "inline | inline-test", "inline-test",
+ "set policy mode" },
+
+ { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
+};
+
+#define inspection_help \
+ "configure basic inspection policy parameters"
+
+class InspectionModule : public Module
+{
+public:
+ InspectionModule() : Module("inspection", inspection_help, inspection_params) { }
+ bool set(const char*, Value&, SnortConfig*) override;
+
+ Usage get_usage() const override
+ { return INSPECT; }
+};
+
+bool InspectionModule::set(const char*, Value& v, SnortConfig* sc)
+{
+ InspectionPolicy* p = get_inspection_policy();
+
+ if ( v.is("id") )
+ {
+ p->user_policy_id = v.get_long();
+ sc->policy_map->set_user_inspection(p);
+ }
+
+#ifdef HAVE_UUID
+ else if ( v.is("uuid") )
+ {
+ if(uuid_parse(v.get_string(), p->uuid) != 0)
+ {
+ ParseError("Invalid Inspection UUID: %s", v.get_string());
+ uuid_clear(p->uuid);
+ }
+ }
+#endif
+
+ else if ( v.is("mode") )
+ {
+ switch ( v.get_long() )
+ {
+ case 0:
+ p->policy_mode = POLICY_MODE__INLINE;
+ break;
+ case 1:
+ p->policy_mode = POLICY_MODE__INLINE_TEST;
+ break;
+ default:
+ break;
+ }
+ }
+
+ else
+ return false;
+
+ return true;
+}
+//-------------------------------------------------------------------------
+// Ips policy module
//-------------------------------------------------------------------------
static const Parameter ips_params[] =
"snort rules and includes" },
#ifdef HAVE_UUID
- { "uuid", Parameter::PT_STRING, nullptr, nullptr,
+ { "uuid", Parameter::PT_STRING, nullptr, "00000000-0000-0000-0000-000000000000",
"IPS policy uuid" },
#endif
// these are preliminary policies
ModuleManager::add_module(new NetworkModule);
+ ModuleManager::add_module(new InspectionModule);
ModuleManager::add_module(new IpsModule);
// these modules replace config and hosts.xml
void set_user_ips_policy(unsigned policy_id)
{
- IpsPolicy *p = snort_conf->policy_map->get_user_ips(policy_id);
+ IpsPolicy *p = SnortConfig::get_conf()->policy_map->get_user_ips(policy_id);
if(!p)
{
ips_module_stats.invalid_policy_ids++;
}
void set_default_policy()
-{ set_default_policy(snort_conf); }
+{ set_default_policy(SnortConfig::get_conf()); }
bool only_inspection_policy()
{ return get_inspection_policy() && !get_ips_policy() && !get_network_policy(); }
typedef unsigned int PolicyId;
typedef struct SFGHASH PortVarTable;
+enum PolicyMode
+{
+ POLICY_MODE__PASSIVE,
+ POLICY_MODE__INLINE,
+ POLICY_MODE__INLINE_TEST,
+ POLICY_MODE__MAX
+};
+
// FIXIT-L split into separate headers
//-------------------------------------------------------------------------
public:
PolicyId policy_id;
+ PolicyMode policy_mode = POLICY_MODE__INLINE_TEST;
uint32_t user_policy_id = 0;
+ uuid_t uuid{};
struct FrameworkPolicy* framework_policy;
DataBus dbus;
// detection stuff
//-------------------------------------------------------------------------
-enum PolicyMode
-{
- POLICY_MODE__PASSIVE,
- POLICY_MODE__INLINE,
- POLICY_MODE__INLINE_TEST,
- POLICY_MODE__MAX
-};
-
// this is the ips policy post ac-split
struct IpsPolicy
{
Shell* get_shell(unsigned i = 0)
{ return i < shells.size() ? shells[i] : nullptr; }
+ void set_user_inspection(InspectionPolicy* p)
+ { user_inspection[p->user_policy_id] = p; }
+
void set_user_ips(IpsPolicy* p)
{ user_ips[p->user_policy_id] = p; }
bool cloned = false;
private:
+ std::unordered_map<unsigned, InspectionPolicy*> user_inspection;
std::unordered_map<unsigned, IpsPolicy*> user_ips;
};
/* chew up the command line */
snort_cmd_line_conf = parse_cmd_line(argc, argv);
- snort_conf = snort_cmd_line_conf;
+ SnortConfig::set_conf(snort_cmd_line_conf);
LogMessage("--------------------------------------------------\n");
LogMessage("%s Snort++ %s-%s\n", get_prompt(), VERSION, BUILD);
ScriptManager::load_scripts(snort_cmd_line_conf->script_paths);
PluginManager::load_plugins(snort_cmd_line_conf->plugin_path);
- if ( snort_conf->logging_flags & LOGGING_FLAG__SHOW_PLUGINS )
+ if ( SnortConfig::get_conf()->logging_flags & LOGGING_FLAG__SHOW_PLUGINS )
{
ModuleManager::dump_modules();
PluginManager::dump_plugins();
* command line overriding config file.
* Set the global snort_conf that will be used during run time */
sc->merge(snort_cmd_line_conf);
- snort_conf = sc;
+ SnortConfig::set_conf(sc);
#ifdef PIGLET
if ( !Piglet::piglet_mode() )
#ifdef PIGLET
if ( !Piglet::piglet_mode() )
#endif
- if ( !snort_conf->output.empty() )
- EventManager::instantiate(snort_conf->output.c_str(), snort_conf);
+ if ( !SnortConfig::get_conf()->output.empty() )
+ EventManager::instantiate(SnortConfig::get_conf()->output.c_str(), SnortConfig::get_conf());
if (SnortConfig::alert_before_pass())
{
- OrderRuleLists(snort_conf, "drop sdrop reject alert pass log");
+ OrderRuleLists(SnortConfig::get_conf(), "drop sdrop reject alert pass log");
}
- snort_conf->setup();
+ SnortConfig::get_conf()->setup();
FileService::post_init();
// Must be after CodecManager::instantiate()
- if ( !InspectorManager::configure(snort_conf) )
+ if ( !InspectorManager::configure(SnortConfig::get_conf()) )
ParseError("can't initialize inspectors");
else if ( SnortConfig::log_verbose() )
- InspectorManager::print_config(snort_conf);
+ InspectorManager::print_config(SnortConfig::get_conf());
- ModuleManager::reset_stats(snort_conf);
+ ModuleManager::reset_stats(SnortConfig::get_conf());
- if (snort_conf->file_mask != 0)
- umask(snort_conf->file_mask);
+ if (SnortConfig::get_conf()->file_mask != 0)
+ umask(SnortConfig::get_conf()->file_mask);
else
umask(077); /* set default to be sane */
/* Need to do this after dynamic detection stuff is initialized, too */
- IpsManager::global_init(snort_conf);
+ IpsManager::global_init(SnortConfig::get_conf());
- snort_conf->post_setup();
+ SnortConfig::get_conf()->post_setup();
MpseManager::activate_search_engine(
- snort_conf->fast_pattern_config->get_search_api(), snort_conf);
+ SnortConfig::get_conf()->fast_pattern_config->get_search_api(), SnortConfig::get_conf());
SFAT_Start();
Trough::setup();
// FIXIT-L refactor stuff done here and in snort_config.cc::VerifyReload()
- if ( snort_conf->bpf_filter.empty() && !snort_conf->bpf_file.empty() )
- snort_conf->bpf_filter = read_infile("bpf_file", snort_conf->bpf_file.c_str());
+ if ( SnortConfig::get_conf()->bpf_filter.empty() && !SnortConfig::get_conf()->bpf_file.empty() )
+ SnortConfig::get_conf()->bpf_filter = read_infile("bpf_file", SnortConfig::get_conf()->bpf_file.c_str());
- if ( !snort_conf->bpf_filter.empty() )
- LogMessage("Snort BPF option: %s\n", snort_conf->bpf_filter.c_str());
+ if ( !SnortConfig::get_conf()->bpf_filter.empty() )
+ LogMessage("Snort BPF option: %s\n", SnortConfig::get_conf()->bpf_filter.c_str());
- parser_term(snort_conf);
+ parser_term(SnortConfig::get_conf());
}
// this function should only include initialization that must be done as a
bool Snort::drop_privileges()
{
/* Enter the chroot jail if necessary. */
- if (!snort_conf->chroot_dir.empty() &&
- !EnterChroot(snort_conf->chroot_dir, snort_conf->log_dir))
+ if (!SnortConfig::get_conf()->chroot_dir.empty() &&
+ !EnterChroot(SnortConfig::get_conf()->chroot_dir, SnortConfig::get_conf()->log_dir))
return false;
/* Drop privileges if requested. */
initializing = false; // just in case we cut out early
term_signals();
- IpsManager::global_term(snort_conf);
+ IpsManager::global_term(SnortConfig::get_conf());
SFAT_Cleanup();
host_cache.clear();
ClosePidFile();
/* remove pid file */
- if ( !snort_conf->pid_filename.empty() )
+ if ( !SnortConfig::get_conf()->pid_filename.empty() )
{
- int ret = unlink(snort_conf->pid_filename.c_str());
+ int ret = unlink(SnortConfig::get_conf()->pid_filename.c_str());
if (ret != 0)
{
ErrorMessage("Could not remove pid file %s: %s\n",
- snort_conf->pid_filename.c_str(), get_error(errno));
+ SnortConfig::get_conf()->pid_filename.c_str(), get_error(errno));
}
}
Periodic::unregister_all();
/* free allocated memory */
- if (snort_conf == snort_cmd_line_conf)
+ if (SnortConfig::get_conf() == snort_cmd_line_conf)
{
delete snort_cmd_line_conf;
snort_cmd_line_conf = nullptr;
- snort_conf = nullptr;
+ SnortConfig::set_conf(nullptr);
}
else
{
delete snort_cmd_line_conf;
snort_cmd_line_conf = nullptr;
- delete snort_conf;
- snort_conf = nullptr;
+ delete SnortConfig::get_conf();
+ SnortConfig::set_conf(nullptr);
}
CleanupProtoNames();
SideChannelManager::term();
SnortConfig tmp;
// Have to trick LogMessage to log correctly after snort_conf is freed
- if ( snort_conf )
+ if ( SnortConfig::get_conf() )
{
tmp.logging_flags |=
- (snort_conf->logging_flags & LOGGING_FLAG__QUIET);
+ (SnortConfig::get_conf()->logging_flags & LOGGING_FLAG__QUIET);
- tmp.run_flags |= (snort_conf->run_flags & RUN_FLAG__DAEMON);
+ tmp.run_flags |= (SnortConfig::get_conf()->run_flags & RUN_FLAG__DAEMON);
tmp.logging_flags |=
- (snort_conf->logging_flags & LOGGING_FLAG__SYSLOG);
+ (SnortConfig::get_conf()->logging_flags & LOGGING_FLAG__SYSLOG);
}
term();
- snort_conf = &tmp;
+ SnortConfig::set_conf(&tmp);
LogMessage("%s Snort exiting\n", get_prompt());
closelog();
init(argc, argv);
LogMessage("%s\n", LOG_DIV);
- SFDAQ::init(snort_conf);
+ SFDAQ::init(SnortConfig::get_conf());
if ( SnortConfig::daemon_mode() )
daemonize();
FlowbitResetCounts(); // FIXIT-L updates global hash, put in sc
- if ((sc->file_mask != 0) && (sc->file_mask != snort_conf->file_mask))
+ if ((sc->file_mask != 0) && (sc->file_mask != SnortConfig::get_conf()->file_mask))
umask(sc->file_mask);
// FIXIT-L is this still needed?
/* Transfer any user defined rule type outputs to the new rule list */
{
- RuleListNode* cur = snort_conf->rule_lists;
+ RuleListNode* cur = SnortConfig::get_conf()->rule_lists;
for (; cur != nullptr; cur = cur->next)
{
sc->post_setup();
if ( sc->fast_pattern_config->get_search_api() !=
- snort_conf->fast_pattern_config->get_search_api() )
+ SnortConfig::get_conf()->fast_pattern_config->get_search_api() )
{
MpseManager::activate_search_engine(sc->fast_pattern_config->get_search_api(), sc);
}
{
show_source(intf);
- snort_conf->thread_config->implement_thread_affinity(STHREAD_TYPE_PACKET, get_instance_id());
+ SnortConfig::get_conf()->thread_config->implement_thread_affinity(STHREAD_TYPE_PACKET, get_instance_id());
// FIXIT-M the start-up sequence is a little off due to dropping privs
SFDAQInstance *daq_instance = new SFDAQInstance(intf);
SFDAQ::set_local_instance(daq_instance);
- if (!daq_instance->configure(snort_conf))
+ if (!daq_instance->configure(SnortConfig::get_conf()))
{
SFDAQ::set_local_instance(nullptr);
delete daq_instance;
for ( unsigned i = 0; i < max_contexts; ++i )
s_switcher->push(new IpsContext);
- CodecManager::thread_init(snort_conf);
+ CodecManager::thread_init(SnortConfig::get_conf());
// this depends on instantiated daq capabilities
// so it is done here instead of init()
- Active::init(snort_conf);
+ Active::init(SnortConfig::get_conf());
InitTag();
EventTrace_Init();
- detection_filter_init(snort_conf->detection_filter_config);
+ detection_filter_init(SnortConfig::get_conf()->detection_filter_config);
DetectionEngine::thread_init();
EventManager::open_outputs();
IpsManager::setup_options();
- ActionManager::thread_init(snort_conf);
+ ActionManager::thread_init(SnortConfig::get_conf());
FileService::thread_init();
SideChannelManager::thread_init();
HighAvailabilityManager::thread_init(); // must be before InspectorManager::thread_init();
- InspectorManager::thread_init(snort_conf);
+ InspectorManager::thread_init(SnortConfig::get_conf());
PacketTracer::thread_init();
if (SnortConfig::packet_trace_enabled())
PacketTracer::enable_user_trace();
{
HighAvailabilityManager::thread_term_beginning();
- if ( !snort_conf->dirty_pig )
+ if ( !SnortConfig::get_conf()->dirty_pig )
Stream::purge_flows();
DetectionEngine::idle();
- InspectorManager::thread_stop(snort_conf);
- ModuleManager::accumulate(snort_conf);
- InspectorManager::thread_term(snort_conf);
- ActionManager::thread_term(snort_conf);
+ InspectorManager::thread_stop(SnortConfig::get_conf());
+ ModuleManager::accumulate(SnortConfig::get_conf());
+ InspectorManager::thread_term(SnortConfig::get_conf());
+ ActionManager::thread_term(SnortConfig::get_conf());
IpsManager::clear_options();
EventManager::close_outputs();
pc.total_from_daq++;
packet_time_update(&pkthdr->ts);
- if ( snort_conf->pkt_skip && pc.total_from_daq <= snort_conf->pkt_skip )
+ if ( SnortConfig::get_conf()->pkt_skip && pc.total_from_daq <= SnortConfig::get_conf()->pkt_skip )
return DAQ_VERDICT_PASS;
s_switcher->start();
s_packet->pkth = nullptr; // no longer avail upon sig segv
- if ( snort_conf->pkt_cnt && pc.total_from_daq >= snort_conf->pkt_cnt )
+ if ( SnortConfig::get_conf()->pkt_cnt && pc.total_from_daq >= SnortConfig::get_conf()->pkt_cnt )
SFDAQ::break_loop(-1);
else if ( break_time() )
#define OUTPUT_FAST "alert_fast"
THREAD_LOCAL SnortConfig* snort_conf = nullptr;
+
uint32_t SnortConfig::warning_flags = 0;
//-------------------------------------------------------------------------
if ( fast_pattern_config &&
(!snort_conf || this == snort_conf ||
(fast_pattern_config->get_search_api() !=
- snort_conf->fast_pattern_config->get_search_api())) )
+ get_conf()->fast_pattern_config->get_search_api())) )
{
MpseManager::stop_search_engine(fast_pattern_config->get_search_api());
}
bool SnortConfig::verify()
{
- if (snort_conf->asn1_mem != asn1_mem)
+ if (get_conf()->asn1_mem != asn1_mem)
{
ErrorMessage("Snort Reload: Changing the asn1 memory configuration "
"requires a restart.\n");
return false;
}
- if ( bpf_filter != snort_conf->bpf_filter )
+ if ( bpf_filter != get_conf()->bpf_filter )
{
ErrorMessage("Snort Reload: Changing the bpf filter configuration "
"requires a restart.\n");
return false;
}
- if ( respond_attempts != snort_conf->respond_attempts ||
- respond_device != snort_conf->respond_device )
+ if ( respond_attempts != get_conf()->respond_attempts ||
+ respond_device != get_conf()->respond_device )
{
ErrorMessage("Snort Reload: Changing config response "
"requires a restart.\n");
return false;
}
- if (snort_conf->chroot_dir != chroot_dir)
+ if (get_conf()->chroot_dir != chroot_dir)
{
ErrorMessage("Snort Reload: Changing the chroot directory "
"configuration requires a restart.\n");
return false;
}
- if ((snort_conf->run_flags & RUN_FLAG__DAEMON) !=
+ if ((get_conf()->run_flags & RUN_FLAG__DAEMON) !=
(run_flags & RUN_FLAG__DAEMON))
{
ErrorMessage("Snort Reload: Changing to or from daemon mode "
}
/* Orig log dir because a chroot might have changed it */
- if (snort_conf->orig_log_dir != orig_log_dir)
+ if (get_conf()->orig_log_dir != orig_log_dir)
{
ErrorMessage("Snort Reload: Changing the log directory "
"configuration requires a restart.\n");
return false;
}
- if (snort_conf->max_attribute_hosts != max_attribute_hosts)
+ if (get_conf()->max_attribute_hosts != max_attribute_hosts)
{
ErrorMessage("Snort Reload: Changing max_attribute_hosts "
"configuration requires a restart.\n");
return false;
}
- if (snort_conf->max_attribute_services_per_host != max_attribute_services_per_host)
+ if (get_conf()->max_attribute_services_per_host != max_attribute_services_per_host)
{
ErrorMessage("Snort Reload: Changing max_attribute_services_per_host "
"configuration requires a restart.\n");
return false;
}
- if ((snort_conf->run_flags & RUN_FLAG__NO_PROMISCUOUS) !=
+ if ((get_conf()->run_flags & RUN_FLAG__NO_PROMISCUOUS) !=
(run_flags & RUN_FLAG__NO_PROMISCUOUS))
{
ErrorMessage("Snort Reload: Changing to or from promiscuous mode "
return false;
}
- if (snort_conf->group_id != group_id)
+ if (get_conf()->group_id != group_id)
{
ErrorMessage("Snort Reload: Changing the group id "
"configuration requires a restart.\n");
return false;
}
- if (snort_conf->user_id != user_id)
+ if (get_conf()->user_id != user_id)
{
ErrorMessage("Snort Reload: Changing the user id "
"configuration requires a restart.\n");
return false;
}
- if (snort_conf->daq_config->mru_size != daq_config->mru_size)
+ if (get_conf()->daq_config->mru_size != daq_config->mru_size)
{
ErrorMessage("Snort Reload: Changing the packet snaplen "
"configuration requires a restart.\n");
return false;
}
- if (snort_conf->threshold_config->memcap !=
+ if (get_conf()->threshold_config->memcap !=
threshold_config->memcap)
{
ErrorMessage("Snort Reload: Changing the threshold memcap "
return false;
}
- if (snort_conf->rate_filter_config->memcap !=
+ if (get_conf()->rate_filter_config->memcap !=
rate_filter_config->memcap)
{
ErrorMessage("Snort Reload: Changing the rate filter memcap "
return false;
}
- if (snort_conf->detection_filter_config->memcap !=
+ if (get_conf()->detection_filter_config->memcap !=
detection_filter_config->memcap)
{
ErrorMessage("Snort Reload: Changing the detection filter memcap "
bool SnortConfig::tunnel_bypass_enabled(uint8_t proto)
{
- return (!((snort_conf->tunnel_mask & proto) or SFDAQ::get_tunnel_bypass(proto)));
-}
\ No newline at end of file
+ return (!((get_conf()->tunnel_mask & proto) or SFDAQ::get_tunnel_bypass(proto)));
+}
+
+SO_PUBLIC SnortConfig* SnortConfig::get_conf()
+{ return snort_conf; }
+
+void SnortConfig::set_conf(SnortConfig* conf)
+{ snort_conf = conf; }
struct SFDAQConfig;
class ThreadConfig;
-SO_PUBLIC extern THREAD_LOCAL SnortConfig* snort_conf;
-
// SnortState members are updated during runtime. an array in SnortConfig is
// used instead of thread_locals because these must get changed on reload
// FIXIT-L register this data to avoid explicit dependency
// Static convenience accessor methods
static long int get_mpls_stack_depth()
- { return snort_conf->mpls_stack_depth; }
+ { return get_conf()->mpls_stack_depth; }
static long int get_mpls_payload_type()
- { return snort_conf->mpls_payload_type; }
+ { return get_conf()->mpls_payload_type; }
static bool mpls_overlapping_ip()
- { return snort_conf->run_flags & RUN_FLAG__MPLS_OVERLAPPING_IP; }
+ { return get_conf()->run_flags & RUN_FLAG__MPLS_OVERLAPPING_IP; }
static bool mpls_multicast()
- { return snort_conf->run_flags & RUN_FLAG__MPLS_MULTICAST; }
+ { return get_conf()->run_flags & RUN_FLAG__MPLS_MULTICAST; }
static bool deep_teredo_inspection()
- { return snort_conf->enable_teredo; }
+ { return get_conf()->enable_teredo; }
static bool gtp_decoding()
- { return snort_conf->gtp_ports; }
+ { return get_conf()->gtp_ports; }
static bool is_gtp_port(uint16_t port)
- { return snort_conf->gtp_ports->test(port); }
+ { return get_conf()->gtp_ports->test(port); }
static bool esp_decoding()
- { return snort_conf->enable_esp; }
+ { return get_conf()->enable_esp; }
// mode related
static bool test_mode()
- { return snort_conf->run_flags & RUN_FLAG__TEST; }
+ { return get_conf()->run_flags & RUN_FLAG__TEST; }
static bool mem_check()
- { return snort_conf->run_flags & RUN_FLAG__MEM_CHECK; }
+ { return get_conf()->run_flags & RUN_FLAG__MEM_CHECK; }
static bool daemon_mode()
- { return snort_conf->run_flags & RUN_FLAG__DAEMON; }
+ { return get_conf()->run_flags & RUN_FLAG__DAEMON; }
static bool read_mode()
- { return snort_conf->run_flags & RUN_FLAG__READ; }
+ { return get_conf()->run_flags & RUN_FLAG__READ; }
static bool inline_mode()
{ return ::get_ips_policy()->policy_mode == POLICY_MODE__INLINE; }
{ return ::get_ips_policy()->policy_mode == POLICY_MODE__INLINE_TEST; }
static bool adaptor_inline_mode()
- { return snort_conf->run_flags & RUN_FLAG__INLINE; }
+ { return get_conf()->run_flags & RUN_FLAG__INLINE; }
static bool adaptor_inline_test_mode()
- { return snort_conf->run_flags & RUN_FLAG__INLINE_TEST; }
+ { return get_conf()->run_flags & RUN_FLAG__INLINE_TEST; }
// logging stuff
static bool log_syslog()
- { return snort_conf->logging_flags & LOGGING_FLAG__SYSLOG; }
+ { return get_conf()->logging_flags & LOGGING_FLAG__SYSLOG; }
static bool log_verbose()
- { return snort_conf->logging_flags & LOGGING_FLAG__VERBOSE; }
+ { return get_conf()->logging_flags & LOGGING_FLAG__VERBOSE; }
static bool log_quiet()
- { return snort_conf->logging_flags & LOGGING_FLAG__QUIET; }
+ { return get_conf()->logging_flags & LOGGING_FLAG__QUIET; }
// event stuff
static uint32_t get_event_log_id()
- { return snort_conf->event_log_id; }
+ { return get_conf()->event_log_id; }
static bool process_all_events()
- { return snort_conf->event_queue_config->process_all_events; }
+ { return get_conf()->event_queue_config->process_all_events; }
static int get_eval_index(RuleType type)
- { return snort_conf->evalOrder[type]; }
+ { return get_conf()->evalOrder[type]; }
static int get_default_rule_state()
- { return snort_conf->default_rule_state; }
+ { return get_conf()->default_rule_state; }
SO_PUBLIC static bool tunnel_bypass_enabled(uint8_t proto);
// output stuff
static bool output_include_year()
- { return snort_conf->output_flags & OUTPUT_FLAG__INCLUDE_YEAR; }
+ { return get_conf()->output_flags & OUTPUT_FLAG__INCLUDE_YEAR; }
static bool output_use_utc()
- { return snort_conf->output_flags & OUTPUT_FLAG__USE_UTC; }
+ { return get_conf()->output_flags & OUTPUT_FLAG__USE_UTC; }
static bool output_datalink()
- { return snort_conf->output_flags & OUTPUT_FLAG__SHOW_DATA_LINK; }
+ { return get_conf()->output_flags & OUTPUT_FLAG__SHOW_DATA_LINK; }
static bool verbose_byte_dump()
- { return snort_conf->output_flags & OUTPUT_FLAG__VERBOSE_DUMP; }
+ { return get_conf()->output_flags & OUTPUT_FLAG__VERBOSE_DUMP; }
static bool obfuscate()
- { return snort_conf->output_flags & OUTPUT_FLAG__OBFUSCATE; }
+ { return get_conf()->output_flags & OUTPUT_FLAG__OBFUSCATE; }
static bool output_app_data()
- { return snort_conf->output_flags & OUTPUT_FLAG__APP_DATA; }
+ { return get_conf()->output_flags & OUTPUT_FLAG__APP_DATA; }
static bool output_char_data()
- { return snort_conf->output_flags & OUTPUT_FLAG__CHAR_DATA; }
+ { return get_conf()->output_flags & OUTPUT_FLAG__CHAR_DATA; }
static bool alert_interface()
- { return snort_conf->output_flags & OUTPUT_FLAG__ALERT_IFACE; }
+ { return get_conf()->output_flags & OUTPUT_FLAG__ALERT_IFACE; }
static bool output_no_timestamp()
- { return snort_conf->output_flags & OUTPUT_FLAG__NO_TIMESTAMP; }
+ { return get_conf()->output_flags & OUTPUT_FLAG__NO_TIMESTAMP; }
static bool line_buffered_logging()
- { return snort_conf->output_flags & OUTPUT_FLAG__LINE_BUFFER; }
+ { return get_conf()->output_flags & OUTPUT_FLAG__LINE_BUFFER; }
static bool output_wide_hex()
- { return snort_conf->output_flags & OUTPUT_FLAG__WIDE_HEX; }
+ { return get_conf()->output_flags & OUTPUT_FLAG__WIDE_HEX; }
static bool alert_refs()
- { return snort_conf->output_flags & OUTPUT_FLAG__ALERT_REFS; }
+ { return get_conf()->output_flags & OUTPUT_FLAG__ALERT_REFS; }
// run flags
static bool no_lock_pid_file()
- { return snort_conf->run_flags & RUN_FLAG__NO_LOCK_PID_FILE; }
+ { return get_conf()->run_flags & RUN_FLAG__NO_LOCK_PID_FILE; }
static bool create_pid_file()
- { return snort_conf->run_flags & RUN_FLAG__CREATE_PID_FILE; }
+ { return get_conf()->run_flags & RUN_FLAG__CREATE_PID_FILE; }
static bool pcap_show()
- { return snort_conf->run_flags & RUN_FLAG__PCAP_SHOW; }
+ { return get_conf()->run_flags & RUN_FLAG__PCAP_SHOW; }
static bool treat_drop_as_alert()
- { return snort_conf->run_flags & RUN_FLAG__TREAT_DROP_AS_ALERT; }
+ { return get_conf()->run_flags & RUN_FLAG__TREAT_DROP_AS_ALERT; }
static bool treat_drop_as_ignore()
- { return snort_conf->run_flags & RUN_FLAG__TREAT_DROP_AS_IGNORE; }
+ { return get_conf()->run_flags & RUN_FLAG__TREAT_DROP_AS_IGNORE; }
static bool alert_before_pass()
- { return snort_conf->run_flags & RUN_FLAG__ALERT_BEFORE_PASS; }
+ { return get_conf()->run_flags & RUN_FLAG__ALERT_BEFORE_PASS; }
static bool no_pcre()
- { return snort_conf->run_flags & RUN_FLAG__NO_PCRE; }
+ { return get_conf()->run_flags & RUN_FLAG__NO_PCRE; }
static bool conf_error_out()
- { return snort_conf->run_flags & RUN_FLAG__CONF_ERROR_OUT; }
+ { return get_conf()->run_flags & RUN_FLAG__CONF_ERROR_OUT; }
static bool assure_established()
- { return snort_conf->run_flags & RUN_FLAG__ASSURE_EST; }
+ { return get_conf()->run_flags & RUN_FLAG__ASSURE_EST; }
// FIXIT-L snort_conf needed for static hash before initialized
static bool static_hash()
- { return snort_conf && snort_conf->run_flags & RUN_FLAG__STATIC_HASH; }
+ { return get_conf() && get_conf()->run_flags & RUN_FLAG__STATIC_HASH; }
// other stuff
static uint8_t min_ttl()
{ return ::get_network_policy()->new_ttl; }
static long int get_pcre_match_limit()
- { return snort_conf->pcre_match_limit; }
+ { return get_conf()->pcre_match_limit; }
static long int get_pcre_match_limit_recursion()
- { return snort_conf->pcre_match_limit_recursion; }
+ { return get_conf()->pcre_match_limit_recursion; }
static const ProfilerConfig* get_profiler()
- { return snort_conf->profiler; }
+ { return get_conf()->profiler; }
static long int get_tagged_packet_limit()
- { return snort_conf->tagged_packet_limit; }
+ { return get_conf()->tagged_packet_limit; }
static uint32_t get_max_attribute_hosts()
- { return snort_conf->max_attribute_hosts; }
+ { return get_conf()->max_attribute_hosts; }
static uint32_t get_max_services_per_host()
- { return snort_conf->max_attribute_services_per_host; }
+ { return get_conf()->max_attribute_services_per_host; }
static int get_uid()
- { return snort_conf->user_id; }
+ { return get_conf()->user_id; }
static int get_gid()
- { return snort_conf->group_id; }
+ { return get_conf()->group_id; }
static bool get_vlan_agnostic()
- { return snort_conf->vlan_agnostic; }
+ { return get_conf()->vlan_agnostic; }
static bool address_space_agnostic()
- { return snort_conf->addressspace_agnostic; }
+ { return get_conf()->addressspace_agnostic; }
static bool change_privileges()
{
- return snort_conf->user_id != -1 || snort_conf->group_id != -1 ||
- !snort_conf->chroot_dir.empty();
+ return get_conf()->user_id != -1 || get_conf()->group_id != -1 ||
+ !get_conf()->chroot_dir.empty();
}
static bool packet_trace_enabled()
{
- return snort_conf->enable_packet_trace;
+ return get_conf()->enable_packet_trace;
}
+
+ // Use this to access current thread's conf from other units
+ static void set_conf(SnortConfig*);
+ SO_PUBLIC static SnortConfig* get_conf();
};
#endif
va_list ap;
va_start(ap, fmt);
- if ( snort_conf and SnortConfig::log_syslog() )
+ if ( SnortConfig::get_conf() and SnortConfig::log_syslog() )
{
char buf[STD_BUF];
int buf_len = sizeof(buf);
vsnprintf(buf_ptr, buf_len, fmt, ap);
- if ( snort_conf and SnortConfig::log_syslog() )
+ if ( SnortConfig::get_conf() and SnortConfig::log_syslog() )
syslog(LOG_DAEMON | LOG_DEBUG, "%s", buf);
else
output(buf, stdout);
void Swapper::apply()
{
if ( new_conf )
- snort_conf = new_conf;
+ SnortConfig::set_conf(new_conf);
if ( new_attribs )
SFAT_SetConfig(new_attribs);
const char* get_instance_file(std::string& file, const char* name)
{
bool sep = false;
- file = !snort_conf->log_dir.empty() ? snort_conf->log_dir : "./";
+ file = !SnortConfig::get_conf()->log_dir.empty() ? SnortConfig::get_conf()->log_dir : "./";
if ( file.back() != '/' )
file += '/';
- if ( !snort_conf->run_prefix.empty() )
+ if ( !SnortConfig::get_conf()->run_prefix.empty() )
{
- file += snort_conf->run_prefix;
+ file += SnortConfig::get_conf()->run_prefix;
sep = true;
}
- if ( (ThreadConfig::get_instance_max() > 1) || snort_conf->id_zero )
+ if ( (ThreadConfig::get_instance_max() > 1) || SnortConfig::get_conf()->id_zero )
{
char id[8];
- snprintf(id, sizeof(id), "%u", get_instance_id() + snort_conf->id_offset);
+ snprintf(id, sizeof(id), "%u", get_instance_id() + SnortConfig::get_conf()->id_offset);
file += id;
sep = true;
}
- if ( snort_conf->id_subdir )
+ if ( SnortConfig::get_conf()->id_subdir )
{
file += '/';
struct stat s;
{
for ( auto* p : s_options )
if ( p->init && p->api->tinit )
- p->api->tinit(snort_conf);
+ p->api->tinit(SnortConfig::get_conf());
}
void IpsManager::clear_options()
{
for ( auto* p : s_options )
if ( p->init && p->api->tterm )
- p->api->tterm(snort_conf);
+ p->api->tterm(SnortConfig::get_conf());
}
bool IpsManager::verify(SnortConfig* sc)
Mpse* MpseManager::get_search_engine(const char* type)
{
- if ( !type and snort_conf->fast_pattern_config )
- type = snort_conf->fast_pattern_config->get_search_method();
+ if ( !type and SnortConfig::get_conf()->fast_pattern_config )
+ type = SnortConfig::get_conf()->fast_pattern_config->get_search_method();
if ( !type )
type = "ac_bnfa";
Mpse* eng = api->ctor(nullptr, mod, nullptr);
eng->set_api(api);
- if ( snort_conf->fast_pattern_config and snort_conf->fast_pattern_config->get_search_opt() )
+ if ( SnortConfig::get_conf()->fast_pattern_config and SnortConfig::get_conf()->fast_pattern_config->get_search_opt() )
eng->set_opt(1);
return eng;
if ( !thread_cap )
return true;
- const auto& config = *snort_conf->memory;
+ const auto& config = *SnortConfig::get_conf()->memory;
return memory::free_space(n, thread_cap, s_tracker, prune_handler) || config.soft;
}
void MemoryCap::calculate(unsigned num_threads)
{
assert(!is_packet_thread());
- const MemoryConfig& config = *snort_conf->memory;
+ const MemoryConfig& config = *SnortConfig::get_conf()->memory;
auto main_thread_used = s_tracker.used();
void MemoryCap::print()
{
- const MemoryConfig& config = *snort_conf->memory;
+ const MemoryConfig& config = *SnortConfig::get_conf()->memory;
if ( SnortConfig::log_verbose() or s_tracker.allocations )
LogLabel("memory (heap)");
static std::mutex apr_mutex;
std::lock_guard<std::mutex> lock(apr_mutex);
- int16_t id = snort_conf->proto_ref->add(protocol);
+ int16_t id = SnortConfig::get_conf()->proto_ref->add(protocol);
return id;
}
static void map_app_names_to_snort_ids()
{
/* init globals for snortId compares */
- snortId_for_unsynchronized = snort_conf->proto_ref->add("unsynchronized");
- snortId_for_ftp_data = snort_conf->proto_ref->add("ftp-data");
- snortId_for_http2 = snort_conf->proto_ref->add("http2");
+ snortId_for_unsynchronized = SnortConfig::get_conf()->proto_ref->add("unsynchronized");
+ snortId_for_ftp_data = SnortConfig::get_conf()->proto_ref->add("ftp-data");
+ snortId_for_http2 = SnortConfig::get_conf()->proto_ref->add("http2");
}
AppIdModuleConfig::AppIdModuleConfig()
if ( !flow->ssn_state.application_protocol )
return nullptr;
- const char* s = snort_conf->proto_ref->get_name(flow->ssn_state.application_protocol);
+ const char* s = SnortConfig::get_conf()->proto_ref->get_name(flow->ssn_state.application_protocol);
return InspectorManager::get_inspector(s);
}
flow->ssn_state.application_protocol = ins->get_service();
}
else if ( flow->service )
- flow->ssn_state.application_protocol = snort_conf->proto_ref->find(flow->service);
+ flow->ssn_state.application_protocol = SnortConfig::get_conf()->proto_ref->find(flow->service);
if ( !flow->is_stream() )
return 0;
if ( pb->use.inspection_index )
{
- set_inspection_policy(snort_conf, pb->use.inspection_index - 1);
+ set_inspection_policy(SnortConfig::get_conf(), pb->use.inspection_index - 1);
flow->inspection_policy_id = pb->use.inspection_index - 1;
}
if ( pb->use.ips_index )
{
- set_ips_policy(snort_conf, pb->use.ips_index - 1);
+ set_ips_policy(SnortConfig::get_conf(), pb->use.ips_index - 1);
flow->ips_policy_id = pb->use.ips_index - 1;
}
if ( pb->use.network_index )
{
- set_network_policy(snort_conf, pb->use.network_index - 1);
+ set_network_policy(SnortConfig::get_conf(), pb->use.network_index - 1);
flow->network_policy_id = pb->use.network_index - 1;
}
// ether header + min payload (excludes FCS, which makes it 64 total)
#define ETH_MIN_LEN 60
-static inline NormMode get_norm_mode(const NormalizerConfig* const c, const Packet * const p)
+static inline NormMode get_norm_mode(const Packet * const p)
{
- NormMode mode = c->norm_mode;
+ NormMode mode = NORM_MODE_ON;
+
+ if ( get_inspection_policy()->policy_mode != POLICY_MODE__INLINE )
+ mode = NORM_MODE_TEST;
if ( !SFDAQ::forwarding_packet(p->pkth) )
mode = NORM_MODE_TEST;
IP4Hdr* h = (IP4Hdr*)const_cast<uint8_t*>(p->layers[layer].start);
uint16_t fragbits = ntohs(h->ip_off);
uint16_t origbits = fragbits;
- const NormMode mode = get_norm_mode(c, p);
+ const NormMode mode = get_norm_mode(p);
if ( Norm_IsEnabled(c, NORM_IP4_TRIM) && (layer == 1) )
{
//-----------------------------------------------------------------------
static int Norm_ICMP4(
- NormalizerConfig* c, Packet* p, uint8_t layer, int changes)
+ NormalizerConfig*, Packet* p, uint8_t layer, int changes)
{
ICMPHdr* h = reinterpret_cast<ICMPHdr*>(const_cast<uint8_t*>(p->layers[layer].start));
- const NormMode mode = get_norm_mode(c, p);
+ const NormMode mode = get_norm_mode(p);
if ( (h->type == ICMP_ECHO || h->type == ICMP_ECHOREPLY) &&
(h->code != icmp::IcmpCode::ECHO_CODE) )
if ( h->ip6_hoplim < SnortConfig::min_ttl() )
{
- const NormMode mode = get_norm_mode(c, p);
+ const NormMode mode = get_norm_mode(p);
if ( mode == NORM_MODE_ON )
{
//-----------------------------------------------------------------------
static int Norm_ICMP6(
- NormalizerConfig* c, Packet* p, uint8_t layer, int changes)
+ NormalizerConfig*, Packet* p, uint8_t layer, int changes)
{
ICMPHdr* h = reinterpret_cast<ICMPHdr*>(const_cast<uint8_t*>(p->layers[layer].start));
(uint16_t)h->type == icmp::Icmp6Types::ECHO_REPLY) &&
(h->code != 0) )
{
- const NormMode mode = get_norm_mode(c, p);
+ const NormMode mode = get_norm_mode(p);
if ( mode == NORM_MODE_ON )
{
#define IP6_OPT_PAD_N 1
static int Norm_IP6_Opts(
- NormalizerConfig* c, Packet* p, uint8_t layer, int changes)
+ NormalizerConfig*, Packet* p, uint8_t layer, int changes)
{
- NormMode mode = get_norm_mode(c, p);
+ NormMode mode = get_norm_mode(p);
if ( mode == NORM_MODE_ON )
{
NormalizerConfig* c, Packet* p, uint8_t layer, int changes)
{
tcp::TCPHdr* h = reinterpret_cast<tcp::TCPHdr*>(const_cast<uint8_t*>(p->layers[layer].start));
- const NormMode mode = get_norm_mode(c, p);
+ const NormMode mode = get_norm_mode(p);
if ( Norm_IsEnabled(c, NORM_TCP_RSV) )
{
// these must be in the same order PROTO_IDs are defined!
// if entry is NULL, proto doesn't have normalization or it is disabled
NormalFunc normalizers[PacketManager::max_protocols()];
- NormMode norm_mode;
};
int Norm_SetConfig(NormalizerConfig*);
return true;
}
-bool NormalizeModule::end(const char* fqn, int, SnortConfig*)
+bool NormalizeModule::end(const char* fqn, int, SnortConfig* sc)
{
if ( !strcmp(fqn, NORM_NAME) )
{
NetworkPolicy* policy = get_network_policy();
+ // FIXIT-M untangle these policies. this is a workaround for loading inspection-only confs
+ if ( policy == nullptr )
+ {
+ set_network_policy(sc);
+ policy = get_network_policy();
+ set_network_policy((NetworkPolicy*)nullptr);
+ }
+
if ( (policy->new_ttl > 1) && (policy->new_ttl >= policy->min_ttl) )
{
if ( Norm_IsEnabled(&config, NORM_IP4_BASE) )
// FIXIT-L this works with one normalizer per policy
// but would be better if binder could select
// in which case normal_mask must be moved to flow
+// from cwaxman - why can't normal_mask be applied directly from Normalizer?
bool Normalizer::configure(SnortConfig*)
{
- PolicyMode mode = get_ips_policy()->policy_mode;
- // FIXIT-L norm needs a nap policy mode
- if ( mode == POLICY_MODE__PASSIVE )
- {
- config.normalizer_flags = 0;
- return true;
- }
-
+ // FIXIT-M move entire config to network policy? Leaving split loads the currently selected
+ // network policy with whichever instantiation of an inspection policy this normalize is in
NetworkPolicy* nap = get_network_policy();
+
nap->normal_mask = config.normalizer_flags;
if ( nap->new_ttl && nap->new_ttl < nap->min_ttl )
- {
nap->new_ttl = nap->min_ttl;
- }
- config.norm_mode = (mode == POLICY_MODE__INLINE) ? NORM_MODE_ON : NORM_MODE_TEST;
Norm_SetConfig(&config);
return true;
}
return ( (nap->normal_mask & nf) != 0 );
}
+// FIXIT-L should return OFF if flag isn't set. Stream will need to handle that condition
NormMode Normalize_GetMode(NormFlags nf)
{
if (Normalize_IsEnabled(nf))
{
- const PolicyMode mode = get_ips_policy()->policy_mode;
+ const PolicyMode mode = get_inspection_policy()->policy_mode;
if ( mode == POLICY_MODE__INLINE )
return NORM_MODE_ON;
-
- else if ( mode == POLICY_MODE__INLINE_TEST )
- return NORM_MODE_TEST;
}
return NORM_MODE_TEST;
}
if ( force or SnortConfig::inline_mode() or SnortConfig::treat_drop_as_ignore() )
Stream::drop_flow(p);
- if ( s_enabled and snort_conf->max_responses )
+ if ( s_enabled and SnortConfig::get_conf()->max_responses )
{
ActionManager::queue_reject(p);
return act_str[active_action][active_status];
}
+void Active::suspend()
+{ active_suspend = true; }
+
+void Active::resume()
+{ active_suspend = false; }
+
+bool Active::suspended()
+{ return active_suspend; }
+
+Active::ActiveAction Active::get_action()
+{ return active_action; }
+
+bool Active::can_block()
+{ return active_status == AST_ALLOW or active_status == AST_FORCE; }
+
+void Active::block_again()
+{ active_action = ACT_BLOCK; }
+
+void Active::reset_again()
+{ active_action = ACT_RESET; }
+
+bool Active::packet_was_dropped()
+{ return ( active_action >= ACT_DROP ); }
+
+bool Active::packet_retry_requested()
+{ return ( active_action == ACT_RETRY ); }
+
+bool Active::session_was_blocked()
+{ return ( active_action >= ACT_BLOCK); }
+
+bool Active::packet_would_be_dropped()
+{ return (active_status == AST_WOULD ); }
+
+bool Active::packet_force_dropped()
+{ return (active_status == AST_FORCE ); }
+
+void Active::set_tunnel_bypass()
+{ active_tunnel_bypass++; }
+
+void Active::clear_tunnel_bypass()
+{ active_tunnel_bypass--; }
+
+bool Active::get_tunnel_bypass()
+{ return ( active_tunnel_bypass > 0 ); }
+
+uint64_t Active::get_injects()
+{ return s_injects; }
static bool is_enabled();
static void set_enabled(bool = true);
- static void suspend()
- { active_suspend = true; }
-
- static void resume()
- { active_suspend = false; }
-
- static bool suspended()
- { return active_suspend; }
-
- static ActiveAction get_action()
- { return active_action; }
+ static void suspend();
+ static void resume();
+ static bool suspended();
+ static ActiveAction get_action();
static ActiveStatus get_status();
- static bool can_block()
- { return active_status == AST_ALLOW or active_status == AST_FORCE; }
+ static bool can_block();
static const char* get_action_string();
static void block_session(Packet*, bool force = false);
static void reset_session(Packet*, bool force = false);
- static void block_again()
- { active_action = ACT_BLOCK; }
-
- static void reset_again()
- { active_action = ACT_RESET; }
-
- static bool packet_was_dropped()
- { return ( active_action >= ACT_DROP ); }
-
- static bool packet_retry_requested()
- { return ( active_action == ACT_RETRY ); }
+ static void block_again();
+ static void reset_again();
- static bool session_was_blocked()
- { return ( active_action >= ACT_BLOCK); }
+ static bool packet_was_dropped();
+ static bool packet_retry_requested();
+ static bool session_was_blocked();
+ static bool packet_would_be_dropped();
+ static bool packet_force_dropped();
- static bool packet_would_be_dropped()
- { return (active_status == AST_WOULD ); }
+ static void set_tunnel_bypass();
+ static void clear_tunnel_bypass();
+ static bool get_tunnel_bypass();
- static bool packet_force_dropped()
- { return (active_status == AST_FORCE ); }
-
- static void set_tunnel_bypass()
- { active_tunnel_bypass++; }
-
- static void clear_tunnel_bypass()
- { active_tunnel_bypass--; }
-
- static bool get_tunnel_bypass()
- { return ( active_tunnel_bypass > 0 ); }
-
- static uint64_t get_injects()
- { return s_injects; }
+ static uint64_t get_injects();
static void set_delayed_action(ActiveAction, bool force = false);
-
static void apply_delayed_action(Packet*);
private:
}
bool piglet_mode()
-{ return snort_conf->run_flags & RUN_FLAG__PIGLET; }
+{ return SnortConfig::get_conf()->run_flags & RUN_FLAG__PIGLET; }
} // namespace Piglet
Module* m;
if ( key == PT_IPS_OPTION || use_defaults )
// FIXIT-L this is just a workaround, need to be able to get parsed rule module
- m = ModuleManager::get_default_module(name.c_str(), snort_conf);
+ m = ModuleManager::get_default_module(name.c_str(), SnortConfig::get_conf());
else
m = ModuleManager::get_module(name.c_str());
- auto piglet = piglet_api->ctor(lua, name, m, snort_conf);
+ auto piglet = piglet_api->ctor(lua, name, m, SnortConfig::get_conf());
assert(piglet);
{
auto& self = InspectorIface.get(L);
// FIXIT-L do we need an opaque SnortConfig interface?
- bool result = self.configure(snort_conf);
+ bool result = self.configure(SnortConfig::get_conf());
lua_pushboolean(L, result);
return 1;
}
static std::vector<View> build_entries()
{
- assert(snort_conf);
+ assert(SnortConfig::get_conf());
- detection_option_tree_update_otn_stats(snort_conf->detection_option_tree_hash_table);
- auto* otn_map = snort_conf->otn_map;
+ detection_option_tree_update_otn_stats(SnortConfig::get_conf()->detection_option_tree_hash_table);
+ auto* otn_map = SnortConfig::get_conf()->otn_map;
std::vector<View> entries;
void reset_rule_profiler_stats()
{
- assert(snort_conf);
- auto* otn_map = snort_conf->otn_map;
+ assert(SnortConfig::get_conf());
+ auto* otn_map = SnortConfig::get_conf()->otn_map;
for ( auto* h = sfghash_findfirst(otn_map); h; h = sfghash_findnext(otn_map) )
{
match_cb = mf;
match_ctx = pv;
- SnortState* ss = snort_conf->state + get_instance_id();
+ SnortState* ss = SnortConfig::get_conf()->state + get_instance_id();
// scratch is null for the degenerate case w/o patterns
assert(!hs_db or ss->hyperscan_scratch);
SnortConfig::~SnortConfig() { }
+SnortConfig* SnortConfig::get_conf()
+{ return snort_conf; }
+
unsigned get_instance_id()
{ return 0; }
SnortConfig::~SnortConfig() { }
+SnortConfig* SnortConfig::get_conf()
+{ return snort_conf; }
+
unsigned get_instance_id()
{ return 0; }
static void fs_init()
{
- ftp_data_app_id = snort_conf->proto_ref->add("ftp-data");
+ ftp_data_app_id = SnortConfig::get_conf()->proto_ref->add("ftp-data");
FtpFlowData::init();
}
flow->response_count = 1;
- if ( snort_conf->max_responses > 1 )
- flow->set_expire(p, snort_conf->min_interval);
+ if ( SnortConfig::get_conf()->max_responses > 1 )
+ flow->set_expire(p, SnortConfig::get_conf()->min_interval);
}
void Stream::purge_flows()
// that we only send in the still active direction(s).
static void active_response(Packet* p, Flow* lwssn)
{
- uint8_t max = snort_conf->max_responses;
+ uint8_t max = SnortConfig::get_conf()->max_responses;
if ( p->is_from_client() )
lwssn->session_state |= STREAM_STATE_DROP_CLIENT;
if ( (lwssn->response_count < max) && lwssn->expired(p) )
{
- uint32_t delay = snort_conf->min_interval;
+ uint32_t delay = SnortConfig::get_conf()->min_interval;
EncodeFlags flags =
( (lwssn->session_state & STREAM_STATE_DROP_CLIENT) &&
(lwssn->session_state & STREAM_STATE_DROP_SERVER) ) ?
#include "stream.h"
unsigned StreamSplitter::max(Flow*)
-{ return snort_conf->max_pdu; }
+{ return SnortConfig::get_conf()->max_pdu; }
uint16_t StreamSplitter::get_flush_bucket_size()
{ return FlushBucket::get_size(); }
SECTION("reassembler initialization")
{
- bool status = reassembler->begin(nullptr, 0, snort_conf);
+ bool status = reassembler->begin(nullptr, 0, SnortConfig::get_conf());
CHECK(status);
CHECK( ( reassembler->srod.enable == 0 ) );
CHECK( ( reassembler->srod.direction == 0 ) );
void TcpEventLogger::log_internal_event(uint32_t eventSid)
{
- if (is_internal_event_enabled(snort_conf->rate_filter_config, eventSid))
+ if (is_internal_event_enabled(SnortConfig::get_conf()->rate_filter_config, eventSid))
{
tcpStats.internalEvents++;
DetectionEngine::queue_event(GENERATOR_INTERNAL, eventSid);
//--------------------------------------------------------------------------
THREAD_LOCAL SnortConfig* snort_conf = nullptr;
+SnortConfig* SnortConfig::get_conf()
+{ return snort_conf; }
+
static StreamSplitter* next_splitter = nullptr;
static int flushed = 0;
// FIXIT-M 16k per host is no longer true
// FIXIT-M init before snort_conf; move to filename and load separately
// this is a hack to get it going
- uint32_t max = snort_conf ?
+ uint32_t max = SnortConfig::get_conf() ?
SnortConfig::get_max_attribute_hosts() : DEFAULT_MAX_ATTRIBUTE_HOSTS;
lookupTable = sfrt_new(DIR_8x16, IPv6, max + 1, (max>>6) + 1);
}
ret, SnortConfig::get_max_attribute_hosts());
sfat_insufficient_space_logged = true;
}
- /* Reset return value and continue w/ only snort_conf->max_attribute_hosts */
+ /* Reset return value and continue w/ only SnortConfig::get_conf()->max_attribute_hosts */
ret = RT_SUCCESS;
}
else if ( !sfat_grammar_error_printed )
daq_stats.internal_blacklist = gaux.internal_blacklist;
daq_stats.internal_whitelist = gaux.internal_whitelist;
- daq_stats.skipped = snort_conf->pkt_skip;
+ daq_stats.skipped = SnortConfig::get_conf()->pkt_skip;
daq_stats.idle = gaux.idle;
daq_stats.rx_bytes = gaux.rx_bytes;
}
LogLabel("Module Statistics");
const char* exclude = "daq snort";
- ModuleManager::dump_stats(snort_conf, exclude);
+ ModuleManager::dump_stats(SnortConfig::get_conf(), exclude);
file_stats_print();
timing_stats();
// FIXIT-L below stats need to be made consistent with above
- print_thresholding(snort_conf->threshold_config, 1);
+ print_thresholding(SnortConfig::get_conf()->threshold_config, 1);
{
// FIXIT-L can do flag saving with RAII (much cleaner)
- int save_quiet_flag = snort_conf->logging_flags & LOGGING_FLAG__QUIET;
+ int save_quiet_flag = SnortConfig::get_conf()->logging_flags & LOGGING_FLAG__QUIET;
- snort_conf->logging_flags &= ~LOGGING_FLAG__QUIET;
+ SnortConfig::get_conf()->logging_flags &= ~LOGGING_FLAG__QUIET;
// once more for the main thread
Profiler::consolidate_stats();
Profiler::show_stats();
- snort_conf->logging_flags |= save_quiet_flag;
+ SnortConfig::get_conf()->logging_flags |= save_quiet_flag;
}
}
tvp = &tv;
}
- int localzone = snort_conf->thiszone;
+ int localzone = SnortConfig::get_conf()->thiszone;
/*
** If we're doing UTC, then make sure that the timezone is correct.
void CreatePidFile(pid_t pid)
{
- snort_conf->pid_filename = snort_conf->log_dir;
- snort_conf->pid_filename += "/snort.pid";
+ SnortConfig::get_conf()->pid_filename = SnortConfig::get_conf()->log_dir;
+ SnortConfig::get_conf()->pid_filename += "/snort.pid";
std::string pid_lockfilename;
if ( !SnortConfig::no_lock_pid_file() )
{
- pid_lockfilename = snort_conf->pid_filename;
+ pid_lockfilename = SnortConfig::get_conf()->pid_filename;
pid_lockfilename += ".lck";
/* First, lock the PID file */
{
ClosePidFile();
ParseError("Failed to Lock PID File \"%s\" for PID \"%d\"",
- snort_conf->pid_filename.c_str(), (int)pid);
+ SnortConfig::get_conf()->pid_filename.c_str(), (int)pid);
return;
}
}
}
/* Okay, were able to lock PID file, now open and write PID */
- pid_file = fopen(snort_conf->pid_filename.c_str(), "w");
+ pid_file = fopen(SnortConfig::get_conf()->pid_filename.c_str(), "w");
if (pid_file)
{
LogMessage("Writing PID \"%d\" to file \"%s\"\n", (int)pid,
- snort_conf->pid_filename.c_str());
+ SnortConfig::get_conf()->pid_filename.c_str());
fprintf(pid_file, "%d\n", (int)pid);
fflush(pid_file);
}
{
const char* error = get_error(errno);
ErrorMessage("Failed to create pid file %s, Error: %s",
- snort_conf->pid_filename.c_str(), error);
- snort_conf->pid_filename.clear();
+ SnortConfig::get_conf()->pid_filename.c_str(), error);
+ SnortConfig::get_conf()->pid_filename.clear();
}
if ( !pid_lockfilename.empty() )
unlink(pid_lockfilename.c_str());
}
/**
- * Chroot and adjust the snort_conf->log_dir reference
+ * Chroot and adjust the SnortConfig::get_conf()->log_dir reference
*/
bool EnterChroot(std::string& root_dir, std::string& log_dir)
{
namespace config
{
+namespace
+{
+class NaPolicyMode : public ConversionState
+{
+public:
+ NaPolicyMode(Converter& c) : ConversionState(c) { }
+ bool convert(std::istringstream& data_stream) override;
+};
+} // namespace
+
+bool NaPolicyMode::convert(std::istringstream& data_stream)
+{
+ bool retval = true;
+ std::string mode;
+
+ if ( data_stream >> mode)
+ {
+ if ( mode == "tap" || mode == "inline_test" )
+ {
+ table_api.open_top_level_table("inspection");
+ table_api.add_option("mode", "inline-test");
+ table_api.add_diff_option_comment("na_policy_mode", "mode");
+ table_api.close_table();
+ }
+ else if ( mode == "inline" )
+ {
+ table_api.open_top_level_table("inspection");
+ table_api.add_option("mode", "inline");
+ table_api.add_diff_option_comment("na_policy_mode", "mode");
+ table_api.close_table();
+ }
+ else
+ {
+ retval = false;
+ data_api.failed_conversion(data_stream, mode);
+ }
+ }
-//FIXIT-L add when snort supports separate inline mode and normalization inline mode
-static std::string header = "config na_policy_mode: ";
+ return retval;
+}
+
+/**************************
+ ******* A P I ***********
+ **************************/
static ConversionState* ctor(Converter& c)
-{ return new UnsupportedState<&header>(c); }
+{ return new NaPolicyMode(c); }
static const ConvertMap na_policy_mode_api =
{
};
const ConvertMap* na_policy_mode_map = &na_policy_mode_api;
+
} // namespace config
std::string policy_version;
std::string policy_revision;
+ // This could belong to either inspection or ips policy.
+ // binder[].use.*_policy logic in snort will apply these correctly
if (data_stream >> policy_version >> policy_revision)
{
// Had both a base policy version and revision. Use revision UUID.
+ cv.get_table_api().open_table("inspection");
+ cv.get_table_api().add_option("uuid", policy_revision);
+ cv.get_table_api().close_table();
cv.get_table_api().open_table("ips");
cv.get_table_api().add_option("uuid", policy_revision);
cv.get_table_api().close_table();
else if (!policy_version.empty())
{
// Had only a base policy version.
+ cv.get_table_api().open_table("inspection");
+ cv.get_table_api().add_option("uuid", policy_version);
+ cv.get_table_api().close_table();
cv.get_table_api().open_table("ips");
cv.get_table_api().add_option("uuid", policy_version);
cv.get_table_api().close_table();
}
Table* t = util::find_table(tables, table_name);
+ bool existed = (t != nullptr);
- if (t == nullptr)
+ if ( !existed )
{
t = new Table(table_name, 0);
tables.push_back(t);
open_tables.push(t);
// ignore the initial table
- if (open_tables.size() > 1)
+ if ( open_tables.size() > 1 )
top_level_tables.push(open_tables.size());
+
+ if ( !existed )
+ {
+ auto p = pending.find(table_name);
+ if ( p != pending.end() )
+ {
+ auto& q = p->second;
+ while ( q.size() )
+ {
+ q.front()(*this);
+ q.pop();
+ }
+
+ pending.erase(p);
+ }
+ }
}
void TableApi::open_table(const std::string& table_name, bool one_line)
return;
}
- Table* t;
-
// if no open tables, create a top-level table
if (!open_tables.empty())
{
- t = open_tables.top()->open_table(table_name);
+ Table* t = open_tables.top()->open_table(table_name);
+ t->set_one_line(one_line);
+ open_tables.push(t);
}
else
- {
- t = util::find_table(tables, table_name);
-
- if (t == nullptr)
- {
- t = new Table(table_name, 0);
- tables.push_back(t);
- }
- }
-
- t->set_one_line(one_line);
- open_tables.push(t);
+ open_top_level_table(table_name, one_line);
}
void TableApi::open_table(bool one_line)
return open_tables.top()->get_option(name, value);
}
+void TableApi::run_when_exists(const char* table_name, PendingFunction action)
+{
+ if ( should_delegate(table_name) )
+ delegate->run_when_exists(table_name, action);
+
+ if ( util::find_table(tables, table_name) )
+ action(*this);
+ else
+ {
+ if ( pending.find(table_name) == pending.end() )
+ pending[table_name] = std::queue<PendingFunction>();
+
+ pending[table_name].push(action);
+ }
+}
#ifndef DATA_DT_TABLE_API_H
#define DATA_DT_TABLE_API_H
-#include <string>
+#include <functional>
#include <iostream>
+#include <queue>
+#include <stack>
+#include <string>
#include <unordered_map>
#include <vector>
-#include <stack>
/*
*
class TableApi;
typedef std::unordered_map<std::string, bool> TableDelegation;
+typedef std::function<void(TableApi&)> PendingFunction;
+
class TableApi
{
public:
// and value updated successfully
bool get_option_value(const std::string& name, std::string& value);
+ // allows adding options to tables if they exist or once they are created
+ void run_when_exists(const char* table_name, PendingFunction action);
+
private:
template<typename T>
bool do_add_option(const std::string& opt_name, const T val, const std::string& s_val);
std::vector<Table*> tables;
std::stack<Table*> open_tables;
std::stack<unsigned> top_level_tables;
+ std::unordered_map<std::string, std::queue<PendingFunction>> pending;
bool curr_data_bad = false;
TableApi* delegate = nullptr;
{ "binder", true },
{ "ips", true },
{ "network", true },
+ { "normalizer", true},
};
std::string Converter::ips_pattern;
else if (keyword == "trim_mss")
table_api.add_option("trim_mss", true);
+ else if (keyword == "ftp" )
+ table_api.add_deleted_comment(keyword);
+
else if (keyword == "ecn")
{
if (util::get_string(data_stream, value, " ,"))
projects / thirdparty / snort3.git / commitdiff
