From bb298f4ca13659ab7e6a658bf30ea0866a83d3b1 Mon Sep 17 00:00:00 2001
From: "Hui Cao (huica)"
Date: Fri, 20 Oct 2017 10:46:07 -0400
Subject: [PATCH] Merge pull request #1042 in SNORT/snort3 from policy_version1 to master
Squashed commit of the following:
commit 88e9d5b60af1c6599fb396810255b4e92a932873
Author: Steve Chew
Date: Fri Oct 13 20:54:59 2017 -0400
IpsPolicy: added uuid field to IPS policy for firewall usage.
---
cmake/FindUUID.cmake | 33 ++++++++
cmake/create_pkg_config.cmake | 4 +
cmake/include_libraries.cmake | 1 +
config.cmake.h.in | 2 +
configure.ac | 51 +++++++++++-
configure_cmake.sh | 10 +++
doc/tutorial.txt | 2 +
snort.pc.in | 3 +-
src/CMakeLists.txt | 2 +
src/main/modules.cc | 16 ++++
src/main/policy.h | 7 ++
tools/snort2lua/config_states/CMakeLists.txt | 1 +
tools/snort2lua/config_states/Makefile.am | 1 +
tools/snort2lua/config_states/config_api.cc | 4 +-
.../snort2lua/config_states/config_deleted.cc | 12 ---
.../config_states/config_policy_uuid.cc | 81 +++++++++++++++++++
16 files changed, 214 insertions(+), 16 deletions(-)
create mode 100644 cmake/FindUUID.cmake
create mode 100644 tools/snort2lua/config_states/config_policy_uuid.cc
diff --git a/cmake/FindUUID.cmake b/cmake/FindUUID.cmake
new file mode 100644
index 000000000..a2c3b7e8e
--- /dev/null
+++ b/cmake/FindUUID.cmake
@@ -0,0 +1,33 @@
+# Find the native UUID include file and library.
+
+find_package(PkgConfig)
+pkg_check_modules(PKG_HINT uuid)
+
+find_path (UUID_INCLUDE_DIR
+ NAMES uuid.h
+ HINTS ${UUID_INCLUDE_DIR_HINT} ${PKG_HINT_INCLUDE_DIRS}
+)
+
+if (UUID_INCLUDE_DIR)
+ find_library(UUID_LIBRARY
+ NAMES uuid
+ HINTS ${UUID_LIBRARIES_DIR_HINT} ${PKG_HINT_LIBRARY_DIRS}
+ )
+else()
+ set(UUID_INCLUDE_DIR "")
+endif()
+
+if (UUID_LIBRARY)
+ set(HAVE_UUID "1")
+
+ include(FindPackageHandleStandardArgs)
+
+ find_package_handle_standard_args(UUID
+ UUID_INCLUDE_DIR UUID_LIBRARY
+ )
+
+ mark_as_advanced(UUID_INCLUDE_DIR UUID_LIBRARY)
+else()
+ set(UUID_LIBRARY "")
+endif()
+
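Review bot: `HAVE_UUID` is set as soon as a header named `uuid.h` and a library named `uuid` are found, whereas the autoconf path in this same commit also confirms the symbol with `AC_CHECK_LIB(uuid, uuid_parse, ...)`. A different package that installs the same file names would therefore switch the UUID code on under CMake and only fail later at compile or link time. Adding `include(CheckLibraryExists)` and `check_library_exists(${UUID_LIBRARY} uuid_parse "" HAVE_UUID_PARSE)`, and setting `HAVE_UUID` only when that succeeds, would make the two build systems agree on what counts as a usable libuuid.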
diff --git a/cmake/create_pkg_config.cmake b/cmake/create_pkg_config.cmake index 6f2333bcc..4e92841b3 100644 --- a/cmake/create_pkg_config.cmake +++ b/cmake/create_pkg_config.cmake @@ -56,6 +56,10 @@ if(PCRE_INCLUDE_DIR) set(PCRE_CPPFLAGS "-I${PCRE_INCLUDE_DIR}") endif() +if(UUID_INCLUDE_DIR) + set(UUID_CPPFLAGS "-I${UUID_INCLUDE_DIR}") +endif() + # create & install pkgconfig file configure_file( diff --git a/cmake/include_libraries.cmake b/cmake/include_libraries.cmake index fd6cfb214..9588ddd7b 100644 --- a/cmake/include_libraries.cmake +++ b/cmake/include_libraries.cmake @@ -23,3 +23,4 @@ find_package(HS QUIET 4.4.0) find_package(SafeC QUIET) find_package(Flatbuffers QUIET) find_package(ICONV QUIET) +find_package(UUID QUIET) diff --git a/config.cmake.h.in b/config.cmake.h.in index 09f5ce4eb..ba08d1588 100644 --- a/config.cmake.h.in +++ b/config.cmake.h.in @@ -240,6 +240,8 @@ #cmakedefine HAVE_ICONV 1 +#cmakedefine HAVE_UUID 1 + /* Library specific functions */ diff --git a/configure.ac b/configure.ac index 7ac104eec..9dc52bee2 100644 --- a/configure.ac +++ b/configure.ac @@ -12,7 +12,7 @@ # enables # unit tests # required libs (daq / sfbpf, dnet, hwloc, luajit, openssl / crypto, pcap, pcre, zlib) -# optional libs (hyperscan, iconv, lzma, safec) +# optional libs (hyperscan, iconv, lzma, safec, uuid) # outputs # # if you add an AC_DEFINE() for a symbol that appears in an exported 
@@ -1078,6 +1078,54 @@ if test "x$SAFEC_LIB" != "xno"; then fi fi +#-------------------------------------------------------------------------- +# uuid +#-------------------------------------------------------------------------- +# +AC_MSG_CHECKING([for uuid pkg-config presence]) +PKG_CHECK_EXISTS([uuid], [ have_uuid_pkgconfig="yes" ], [ have_uuid_pkgconfig="no" ]) +AC_MSG_RESULT(${have_uuid_pkgconfig}) + +UUID_CPPFLAGS="" +if test "${have_uuid_pkgconfig}" = "yes" ; then + UUID_CPPFLAGS=`${PKG_CONFIG} --cflags uuid` + UUID_LDFLAGS=`${PKG_CONFIG} --libs-only-L uuid` +fi + +AC_ARG_WITH(uuid_includes, + AS_HELP_STRING([--with-uuid-includes=DIR],[uuid include directory]), + [with_uuid_includes="$withval"],[with_uuid_includes="no"]) + +if test "x$with_uuid_includes" != "xno"; then + UUID_CPPFLAGS="-I${with_uuid_includes}" +fi + +AC_ARG_WITH(uuid_libraries, + AS_HELP_STRING([--with-uuid-libraries=DIR],[uuid library directory]), + [with_uuid_libraries="$withval"],[with_uuid_libraries="no"]) + +if test "x$with_uuid_libraries" != "xno"; then + UUID_LDFLAGS="-L${with_uuid_libraries}" +fi + +CPPFLAGS="${CPPFLAGS} ${UUID_CPPFLAGS}" +LDFLAGS="${LDFLAGS} ${UUID_LDFLAGS}" + +# Verify that we have the headers +UUID_H="" +AC_CHECK_HEADERS(uuid.h, UUID_H="yes") + +# Verify that we have the library +UUID_L="" +AC_CHECK_LIB(uuid, uuid_parse, UUID_L="yes") + +if test "x$UUID_L" = "xyes"; then + if test "x$UUID_H" = "xyes"; then + AC_DEFINE([HAVE_UUID],[1],[can build uuid code]) + LIBS="${LIBS} -luuid" + fi +fi + #-------------------------------------------------------------------------- # outputs #-------------------------------------------------------------------------- @@ -1119,6 +1167,7 @@ AC_SUBST(PCAP_CPPFLAGS) AC_SUBST(HWLOC_CPPFLAGS) AC_SUBST(LUAJIT_CPPFLAGS) AC_SUBST(PCRE_CPPFLAGS) +AC_SUBST(UUID_CPPFLAGS) AC_SUBST(DNET_CPPFLAGS) AC_SUBST(DAQ_CPPFLAGS) AC_SUBST(FLATBUFFERS_CPPFLAGS) diff --git a/configure_cmake.sh b/configure_cmake.sh index a5f455fa1..45f6a85f9 100755 
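Review bot: `UUID_LDFLAGS` is appended to `LDFLAGS` without ever being initialised in the uuid block: `UUID_CPPFLAGS=""` is reset but there is no matching line for the linker flags. When pkg-config has no `uuid` module and `--with-uuid-libraries` is not given, any `UUID_LDFLAGS` inherited from the build environment ends up on the link line and can add a library search path nobody asked for. Add `UUID_LDFLAGS=""` next to `UUID_CPPFLAGS=""`. Separately, `--with-uuid-includes` given without a value leaves `withval` as `yes` and produces `-Iyes`; testing for `yes` as well as `no` would avoid that.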
--- a/configure_cmake.sh +++ b/configure_cmake.sh @@ -90,6 +90,10 @@ Optional Packages: flatbuffers include directory --with-flatbuffers-libraries=DIR flatbuffers library directory + --with-uuid-includes=DIR + libuuid include directory + --with-uuid-libraries=DIR + libuuid library directory Some influential environment variables: SIGNAL_SNORT_RELOAD= @@ -351,6 +355,12 @@ while [ $# -ne 0 ]; do --with-flatbuffers-libraries=*) append_cache_entry FLATBUFFERS_LIBRARIES_DIR_HINT PATH $optarg ;; + --with-uuid-includes=*) + append_cache_entry UUID_INCLUDE_DIR_HINT PATH $optarg + ;; + --with-uuid-libraries=*) + append_cache_entry UUID_LIBRARIES_DIR_HINT PATH $optarg + ;; SIGNAL_SNORT_RELOAD=*) append_cache_entry SIGNAL_SNORT_RELOAD STRING $optarg ;; diff --git a/doc/tutorial.txt b/doc/tutorial.txt index ca78c3a43..d67e8cb59 100644 --- a/doc/tutorial.txt +++ b/doc/tutorial.txt @@ -63,6 +63,8 @@ Optional: * w3m from http://sourceforge.net/projects/w3m/ to build the plain text manual +* uuid from uuid-dev package for unique identifiers + === Building * Optionally built features are listed in the reference section. diff --git a/snort.pc.in b/snort.pc.in index d791de1cd..9aa826f29 100644 --- a/snort.pc.in +++ b/snort.pc.in @@ -9,7 +9,7 @@ mandir=@mandir@ infodir=@infodir@ cpp_opts=DAQ LUAJIT -cpp_opts_other=DNET FLATBUFFERS HWLOC HYPERSCAN LZMA OPENSSL PCAP PCRE +cpp_opts_other=DNET FLATBUFFERS HWLOC HYPERSCAN LZMA OPENSSL PCAP PCRE UUID PCAP_CPPFLAGS=@PCAP_CPPFLAGS@ LUAJIT_CPPFLAGS=@LUAJIT_CPPFLAGS@ @@ -21,6 +21,7 @@ HWLOC_CPPFLAGS=@HWLOC_CPPFLAGS@ PCRE_CPPFLAGS=@PCRE_CPPFLAGS@ LZMA_CPPFLAGS=@LZMA_CPPFLAGS@ HYPERSCAN_CPPFLAGS=@HYPERSCAN_CPPFLAGS@ +UUID_CPPFLAGS=@UUID_CPPFLAGS@ Name: Snort++ Description: Snort 3.0 Project diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index e9ac1b9e3..9d55d6554 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
@@ -14,6 +14,7 @@ set(EXTERNAL_LIBRARIES ${PCRE_LIBRARIES} ${SAFEC_LIBRARIES} ${SFBPF_LIBRARIES} + ${UUID_LIBRARY} ${ZLIB_LIBRARIES} ) @@ -26,6 +27,7 @@ set(EXTERNAL_INCLUDES ${PCRE_INCLUDE_DIR} ${SAFEC_INCLUDE_DIR} ${SFBPF_INCLUDE_DIR} + ${UUID_INCLUDE_DIR} ${ZLIB_INCLUDE_DIRS} ) diff --git a/src/main/modules.cc b/src/main/modules.cc index 5ccdd638f..7d8aefa3e 100644 --- a/src/main/modules.cc +++ b/src/main/modules.cc @@ -1121,6 +1121,11 @@ static const Parameter ips_params[] = { "rules", Parameter::PT_STRING, nullptr, nullptr, "snort rules and includes" }, +#ifdef HAVE_UUID + { "uuid", Parameter::PT_STRING, nullptr, nullptr, + "IPS policy uuid" }, +#endif + { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; @@ -1173,6 +1178,17 @@ bool IpsModule::set(const char*, Value& v, SnortConfig* sc) else if ( v.is("rules") ) p->rules = v.get_string(); +#ifdef HAVE_UUID + else if ( v.is("uuid") ) + { + if(uuid_parse(v.get_string(), p->uuid) != 0) + { + ParseError("Invalid IPS UUID: %s", v.get_string()); + uuid_clear(p->uuid); + } + } +#endif + else return false; diff --git a/src/main/policy.h b/src/main/policy.h index aed77260a..84fe44adc 100644 --- a/src/main/policy.h +++ b/src/main/policy.h @@ -26,6 +26,12 @@ // -- inspection - for flow handling // -- ips - for rule handling +#ifdef HAVE_UUID +#include +#else +typedef unsigned char uuid_t[16]; +#endif + #include #include @@ -127,6 +133,7 @@ public: public: PolicyId policy_id; uint32_t user_policy_id = 0; + uuid_t uuid{}; PolicyMode policy_mode; bool enable_builtin_rules; diff --git a/tools/snort2lua/config_states/CMakeLists.txt b/tools/snort2lua/config_states/CMakeLists.txt index d9bb6b2d0..11f7c1f4e 100644 --- a/tools/snort2lua/config_states/CMakeLists.txt +++ b/tools/snort2lua/config_states/CMakeLists.txt @@ -23,6 +23,7 @@ add_library( config_states config_paf_max.cc config_policy_id.cc config_policy_mode.cc + config_policy_uuid.cc config_ppm.cc config_profile.cc config_reference.cc 
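Review bot: The `uuid` entry in `ips_params` and its branch in `IpsModule::set` exist only under `#ifdef HAVE_UUID`, yet the snort2lua converter added in this commit writes `ips.uuid` unconditionally, so a converted config would presumably be rejected as an unknown parameter by a Snort built without libuuid. Registering the parameter in every build and reporting that the value is ignored when libuuid is absent would keep the two tools consistent. In the `set` hunk the failure path leaves the all-zero UUID in place, and whether `ParseError` aborts the load is not visible here; if it does, a comment such as `// nil uuid means unset; ParseError fails the config load` above `uuid_clear(p->uuid);` would record that. Both the parameter table and the `set` body continue outside the hunks.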
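Review bot: The fallback `typedef unsigned char uuid_t[16];` in `src/main/policy.h` is what keeps `IpsPolicy` the same size whether or not `HAVE_UUID` is defined, but nothing in the header says so or enforces it. Since `UUID_CPPFLAGS` is now exported through `snort.pc.in`, this header is presumably consumed by out-of-tree code that may be compiled with a different `HAVE_UUID` setting than Snort itself. A comment on the fallback, for example `// must stay layout-identical to libuuid's uuid_t so IpsPolicy has one size in every build`, plus `static_assert(sizeof(uuid_t) == 16, "uuid_t must be 16 bytes");` after the `#endif`, would pin that assumption down.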
diff --git a/tools/snort2lua/config_states/Makefile.am b/tools/snort2lua/config_states/Makefile.am index a5baae0fd..aaddfadce 100644 --- a/tools/snort2lua/config_states/Makefile.am +++ b/tools/snort2lua/config_states/Makefile.am @@ -26,6 +26,7 @@ config_paf_max.cc \ config_ppm.cc \ config_policy_id.cc \ config_policy_mode.cc \ +config_policy_uuid.cc \ config_profile.cc \ config_reference.cc \ config_response.cc \ diff --git a/tools/snort2lua/config_states/config_api.cc b/tools/snort2lua/config_states/config_api.cc index 8897c8e8f..8495bbe64 100644 --- a/tools/snort2lua/config_states/config_api.cc +++ b/tools/snort2lua/config_states/config_api.cc @@ -116,8 +116,8 @@ extern const ConvertMap* pcre_match_limit_recursion_map; extern const ConvertMap* pkt_count_map; extern const ConvertMap* ppm_map; extern const ConvertMap* policy_id_map; +extern const ConvertMap* policy_uuid_map; extern const ConvertMap* policy_mode_map; -extern const ConvertMap* policy_version_map; extern const ConvertMap* profile_preprocs_map; extern const ConvertMap* profile_rules_map; extern const ConvertMap* protected_content_map; @@ -235,8 +235,8 @@ const std::vector config_api = pkt_count_map, ppm_map, policy_id_map, + policy_uuid_map, policy_mode_map, - policy_version_map, profile_preprocs_map, profile_rules_map, protected_content_map, diff --git a/tools/snort2lua/config_states/config_deleted.cc b/tools/snort2lua/config_states/config_deleted.cc index cf1cd2408..a2eaad686 100644 --- a/tools/snort2lua/config_states/config_deleted.cc +++ b/tools/snort2lua/config_states/config_deleted.cc 
@@ -507,18 +507,6 @@ static const ConvertMap layer2resets_api = }; const ConvertMap* layer2resets_map = &layer2resets_api; -/************************************************* - **************** policy_version *************** - *************************************************/ - -static const std::string policy_version = "policy_version"; -static const ConvertMap policy_version_api = -{ - policy_version, - deleted_ctor<& policy_version>, -}; -const ConvertMap* policy_version_map = &policy_version_api; - /************************************************* **************** so_rule_memcap *************** *************************************************/ diff --git a/tools/snort2lua/config_states/config_policy_uuid.cc b/tools/snort2lua/config_states/config_policy_uuid.cc new file mode 100644 index 000000000..80a9905cc --- /dev/null +++ b/tools/snort2lua/config_states/config_policy_uuid.cc 
@@ -0,0 +1,81 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// config_policy_uuid.cc author Steve Chew
+
+#include
+
+#include "conversion_state.h"
+#include "data/dt_data.h"
+
+namespace config
+{
+namespace
+{
+class PolicyUuid : public ConversionState
+{
+public:
+ PolicyUuid(Converter& c) : ConversionState(c) { }
+ bool convert(std::istringstream& data_stream) override;
+};
+} // namespace
+
+bool PolicyUuid::convert(std::istringstream& data_stream)
+{
+ bool rc = true;
+ std::string policy_version;
+ std::string policy_revision;
+
+ if (data_stream >> policy_version >> policy_revision)
+ {
+ // Had both a base policy version and revision. Use revision UUID.
+ cv.get_table_api().open_table("ips");
+ cv.get_table_api().add_option("uuid", policy_revision);
+ cv.get_table_api().close_table();
+ }
+ else if (!policy_version.empty())
+ {
+ // Had only a base policy version.
+ cv.get_table_api().open_table("ips");
+ cv.get_table_api().add_option("uuid", policy_version);
+ cv.get_table_api().close_table();
+ }
+ else
+ {
+ data_api.failed_conversion(data_stream, "config policy_version: failed to find UUID.");
+ rc = false;
+ }
+
+ return rc;
+}
+
+/**************************
+ ******* A P I ***********
+ **************************/
+
+static ConversionState* ctor(Converter& c)
+{ return new PolicyUuid(c); }
+
+static const ConvertMap policy_uuid_api =
+{
+ "policy_version",
+ ctor,
+};
+
+const ConvertMap* policy_uuid_map = &policy_uuid_api;
+} // namespace config
+
--
2.47.3
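Review bot: `PolicyUuid::convert` forwards whichever token it read straight into `ips.uuid` without checking that it has UUID shape, and any tokens after the revision are dropped silently. Because `IpsModule::set` rejects a string that `uuid_parse` cannot read, a malformed `config policy_version` line converts cleanly and only fails when Snort loads the generated file; a shape check here would report it at conversion time instead. The two success branches are also identical apart from the value, so they can be folded into one. The sketch below assumes Snort 2 always writes the canonical 36-character form, which should be confirmed against real configs, and the helper needs `<cctype>`.

```cpp
// Canonical text form only: 8-4-4-4-12 hex digits, 36 characters.
static bool looks_like_uuid(const std::string& s)
{
    if (s.size() != 36)
        return false;

    for (size_t i = 0; i < s.size(); ++i)
    {
        const bool dash = (i == 8 || i == 13 || i == 18 || i == 23);
        if (dash ? s[i] != '-' : !isxdigit(static_cast<unsigned char>(s[i])))
            return false;
    }
    return true;
}

bool PolicyUuid::convert(std::istringstream& data_stream)
{
    std::string policy_version;
    std::string policy_revision;

    // A revision, when present, takes precedence over the base version.
    data_stream >> policy_version >> policy_revision;
    const std::string& uuid = policy_revision.empty() ? policy_version : policy_revision;

    if (!looks_like_uuid(uuid))
    {
        data_api.failed_conversion(data_stream, "config policy_version: failed to find UUID.");
        return false;
    }

    cv.get_table_api().open_table("ips");
    cv.get_table_api().add_option("uuid", uuid);
    cv.get_table_api().close_table();
    return true;
}
```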