* The reassembly buffer used is big enough for the headers.
*
********************************************************************/
-static inline void DCE2_CoSetRdata(DCE2_SsnData* sd, DCE2_CoTracker* cot,
- uint8_t* co_ptr, uint16_t stub_len)
+static inline void DCE2_CoSetRdata(DCE2_CoTracker* cot, uint8_t* co_ptr, uint16_t stub_len)
{
DceRpcCoHdr* co_hdr = (DceRpcCoHdr*)co_ptr;
/* If we've set the fragment tracker context id or opnum, use them. */
(cot->frag_tracker.opnum != DCE2_SENTINEL) ?
(uint16_t)cot->frag_tracker.opnum : (uint16_t)cot->opnum;
- if (DCE2_SsnFromClient(sd->wire_pkt))
+ if ( DetectionEngine::get_current_packet()->is_from_client() )
{
DceRpcCoRequest* co_req = (DceRpcCoRequest*)((uint8_t*)co_hdr + sizeof(DceRpcCoHdr));
/* Doesn't really matter if this wraps ... it is basically just for presentation */
co_hdr->ptype = DCERPC_PDU_TYPE__RESPONSE;
}
-static inline DCE2_CoSeg* DCE2_CoGetSegPtr(DCE2_SsnData* sd, DCE2_CoTracker* cot)
+static inline DCE2_CoSeg* DCE2_CoGetSegPtr(DCE2_CoTracker* cot)
{
- if (DCE2_SsnFromServer(sd->wire_pkt))
+ if ( DetectionEngine::get_current_packet()->is_from_server() )
return &cot->srv_seg;
return &cot->cli_seg;
return DCE2_RET__ERROR;
}
- if (DCE2_SsnFromClient(sd->wire_pkt) && (cot->max_xmit_frag != DCE2_SENTINEL))
+ if (DetectionEngine::get_current_packet()->is_from_client() && (cot->max_xmit_frag != DCE2_SENTINEL))
{
if (frag_len > cot->max_xmit_frag)
{
return (int)auth_len;
}
-/********************************************************************
- * Function: DCE2_CoGetFragBuf()
- *
- * Returns the appropriate fragmentation buffer.
- *
- ********************************************************************/
-static DCE2_Buffer* DCE2_CoGetFragBuf(DCE2_SsnData* sd, DCE2_CoFragTracker* ft)
+static DCE2_Buffer* DCE2_CoGetFragBuf(DCE2_CoFragTracker* ft)
{
- if (DCE2_SsnFromServer(sd->wire_pkt))
+ if ( DetectionEngine::get_current_packet()->is_from_server() )
return ft->srv_stub_buf;
return ft->cli_stub_buf;
static Packet* DCE2_CoGetRpkt(DCE2_SsnData* sd, DCE2_CoTracker* cot,
DCE2_CoRpktType co_rtype, DCE2_RpktType* rtype)
{
- DCE2_CoSeg* seg_buf = DCE2_CoGetSegPtr(sd, cot);
- DCE2_Buffer* frag_buf = DCE2_CoGetFragBuf(sd, &cot->frag_tracker);
+ DCE2_CoSeg* seg_buf = DCE2_CoGetSegPtr(cot);
+ DCE2_Buffer* frag_buf = DCE2_CoGetFragBuf(&cot->frag_tracker);
const uint8_t* frag_data = nullptr, * seg_data = nullptr;
uint32_t frag_len = 0, seg_len = 0;
Packet* rpkt = nullptr;
if ( frag_data )
{
- rpkt = DCE2_GetRpkt(sd->wire_pkt, *rtype, frag_data, frag_len);
+ rpkt = DCE2_GetRpkt(DetectionEngine::get_current_packet(), *rtype, frag_data, frag_len);
if ( rpkt and seg_data )
{
}
else if ( seg_data )
{
- rpkt = DCE2_GetRpkt(sd->wire_pkt, *rtype, seg_data, seg_len);
+ rpkt = DCE2_GetRpkt(DetectionEngine::get_current_packet(), *rtype, seg_data, seg_len);
}
return rpkt;
DCE2_CoRpktType co_rtype, const DceRpcCoHdr** co_hdr)
{
dce2CommonStats* dce_common_stats = dce_get_proto_stats_ptr(sd);
- int co_hdr_len = DCE2_SsnFromClient(sd->wire_pkt) ? DCE2_MOCK_HDR_LEN__CO_CLI :
- DCE2_MOCK_HDR_LEN__CO_SRV;
- int smb_hdr_len = DCE2_SsnFromClient(sd->wire_pkt) ? DCE2_MOCK_HDR_LEN__SMB_CLI :
- DCE2_MOCK_HDR_LEN__SMB_SRV;
+ bool from_client = DetectionEngine::get_current_packet()->is_from_client();
+
+ int co_hdr_len = from_client ? DCE2_MOCK_HDR_LEN__CO_CLI : DCE2_MOCK_HDR_LEN__CO_SRV;
+ int smb_hdr_len = from_client ? DCE2_MOCK_HDR_LEN__SMB_CLI : DCE2_MOCK_HDR_LEN__SMB_SRV;
if (sd->trans == DCE2_TRANS_TYPE__TCP)
{
if (rpkt_type == DCE2_RPKT_TYPE__SMB_CO_FRAG)
{
- DCE2_CoSetRdata(sd, cot, wrdata + smb_hdr_len,
+ DCE2_CoSetRdata(cot, wrdata + smb_hdr_len,
(uint16_t)(rpkt->dsize - (smb_hdr_len + co_hdr_len)));
- if (DCE2_SsnFromClient(sd->wire_pkt))
+ if ( from_client )
dce_common_stats->co_cli_frag_reassembled++;
else
dce_common_stats->co_srv_frag_reassembled++;
}
else
{
- if (DCE2_SsnFromClient(sd->wire_pkt))
+ if ( from_client )
dce_common_stats->co_cli_seg_reassembled++;
else
dce_common_stats->co_srv_seg_reassembled++;
case DCE2_RPKT_TYPE__TCP_CO_SEG:
if (rpkt_type == DCE2_RPKT_TYPE__TCP_CO_FRAG)
{
- DCE2_CoSetRdata(sd, cot, wrdata, (uint16_t)(rpkt->dsize - co_hdr_len));
+ DCE2_CoSetRdata(cot, wrdata, (uint16_t)(rpkt->dsize - co_hdr_len));
- if (DCE2_SsnFromClient(sd->wire_pkt))
+ if ( from_client )
dce_common_stats->co_cli_frag_reassembled++;
else
dce_common_stats->co_srv_frag_reassembled++;
}
else
{
- if (DCE2_SsnFromClient(sd->wire_pkt))
+ if ( from_client )
dce_common_stats->co_cli_seg_reassembled++;
else
dce_common_stats->co_cli_seg_reassembled++;
DCE2_BufferMinAddFlag mflag = DCE2_BUFFER_MIN_ADD_FLAG__USE;
DCE2_Ret status;
dce2CommonStats* dce_common_stats = dce_get_proto_stats_ptr(sd);
+ Packet* p = DetectionEngine::get_current_packet();
if (sd->trans == DCE2_TRANS_TYPE__TCP)
{
Profile profile(dce2_smb_pstat_co_frag);
}
- if (DCE2_SsnFromClient(sd->wire_pkt))
+ if ( p->is_from_client() )
{
if (frag_len > dce_common_stats->co_cli_max_frag_size)
dce_common_stats->co_cli_max_frag_size = frag_len;
if (frag_buf == nullptr)
{
- if (DCE2_SsnFromServer(sd->wire_pkt))
+ if ( p->is_from_server() )
{
cot->frag_tracker.srv_stub_buf =
DCE2_BufferNew(size, DCE2_CO__MIN_ALLOC_SIZE);
const DceRpcCoHdr* co_hdr, const uint8_t* frag_ptr, uint16_t frag_len)
{
DCE2_Ret ret_val;
- DCE2_Buffer* frag_buf = DCE2_CoGetFragBuf(sd, &cot->frag_tracker);
+ DCE2_Buffer* frag_buf = DCE2_CoGetFragBuf(&cot->frag_tracker);
uint16_t max_frag_data;
/* Check for potential overflow */
if (sd->trans == DCE2_TRANS_TYPE__SMB)
- max_frag_data = DCE2_GetRpktMaxData(sd, DCE2_RPKT_TYPE__SMB_CO_FRAG);
+ max_frag_data = DCE2_GetRpktMaxData(DCE2_RPKT_TYPE__SMB_CO_FRAG);
else
- max_frag_data = DCE2_GetRpktMaxData(sd, DCE2_RPKT_TYPE__TCP_CO_FRAG);
+ max_frag_data = DCE2_GetRpktMaxData(DCE2_RPKT_TYPE__TCP_CO_FRAG);
ret_val = dce_co_handle_frag(sd, cot,co_hdr, frag_ptr, frag_len,frag_buf,max_frag_data);
if (ret_val == DCE2_RET__SUCCESS)
int auth_len = DCE2_CoGetAuthLen(sd, co_hdr, frag_ptr, frag_len);
if (auth_len == -1)
return;
- DCE2_CoSetRopts(sd, cot, co_hdr, sd->wire_pkt);
+ DCE2_CoSetRopts(sd, cot, co_hdr, DetectionEngine::get_current_packet() );
}
else
{
break;
}
- DCE2_CoSetRopts(sd, cot, co_hdr, sd->wire_pkt);
+ DCE2_CoSetRopts(sd, cot, co_hdr, DetectionEngine::get_current_packet() );
/* If we're configured to do defragmentation */
if (DCE2_GcDceDefrag((dce2CommonProtoConf*)sd->config))
cot->ctx_id = ctx_id;
cot->call_id = DceRpcCoCallId(co_hdr);
+ Packet* p = DetectionEngine::get_current_packet();
+
if (DceRpcCoFirstFrag(co_hdr) && DceRpcCoLastFrag(co_hdr))
{
int auth_len = DCE2_CoGetAuthLen(sd, co_hdr, frag_ptr, frag_len);
if (auth_len == -1)
return;
- DCE2_CoSetRopts(sd, cot, co_hdr, sd->wire_pkt);
+ DCE2_CoSetRopts(sd, cot, co_hdr, p);
}
else
{
if (auth_len == -1)
return;
- DCE2_CoSetRopts(sd, cot, co_hdr, sd->wire_pkt);
+ DCE2_CoSetRopts(sd, cot, co_hdr, p);
/* If we're configured to do defragmentation */
if (DCE2_GcDceDefrag((dce2CommonProtoConf*)sd->config))
DCE2_MOVE(frag_ptr, frag_len, sizeof(DceRpcCoHdr));
/* Client specific pdu types - some overlap with server */
- if (DCE2_SsnFromClient(sd->wire_pkt))
+ if ( DetectionEngine::get_current_packet()->is_from_client() )
{
switch (pdu_type)
{
********************************************************************/
static void DCE2_CoEarlyReassemble(DCE2_SsnData* sd, DCE2_CoTracker* cot)
{
- DCE2_Buffer* frag_buf = DCE2_CoGetFragBuf(sd, &cot->frag_tracker);
+ DCE2_Buffer* frag_buf = DCE2_CoGetFragBuf(&cot->frag_tracker);
- if (DCE2_SsnFromServer(sd->wire_pkt))
+ if ( DetectionEngine::get_current_packet()->is_from_server() )
return;
if (!DCE2_BufferIsEmpty(frag_buf))
static Packet* DCE2_CoGetSegRpkt(DCE2_SsnData* sd,
const uint8_t* data_ptr, uint32_t data_len)
{
+ Packet* p = DetectionEngine::get_current_packet();
Packet* rpkt = nullptr;
- int smb_hdr_len = DCE2_SsnFromClient(sd->wire_pkt) ? DCE2_MOCK_HDR_LEN__SMB_CLI :
- DCE2_MOCK_HDR_LEN__SMB_SRV;
+ int smb_hdr_len = p->is_from_client() ? DCE2_MOCK_HDR_LEN__SMB_CLI : DCE2_MOCK_HDR_LEN__SMB_SRV;
if (sd->trans == DCE2_TRANS_TYPE__TCP)
{
switch (sd->trans)
{
case DCE2_TRANS_TYPE__SMB:
- rpkt = DCE2_GetRpkt(sd->wire_pkt, DCE2_RPKT_TYPE__SMB_CO_SEG, data_ptr, data_len);
+ rpkt = DCE2_GetRpkt(p, DCE2_RPKT_TYPE__SMB_CO_SEG, data_ptr, data_len);
if ( !rpkt )
return nullptr;
case DCE2_TRANS_TYPE__TCP:
// FIXIT-M add HTTP cases when it is ported
- rpkt = DCE2_GetRpkt(sd->wire_pkt, DCE2_RPKT_TYPE__TCP_CO_SEG, data_ptr, data_len);
+ rpkt = DCE2_GetRpkt(p, DCE2_RPKT_TYPE__TCP_CO_SEG, data_ptr, data_len);
break;
default:
const uint8_t* frag_ptr = nullptr;
uint16_t frag_len = 0;
dce2CommonStats* dce_common_stats = dce_get_proto_stats_ptr(sd);
- int smb_hdr_len = DCE2_SsnFromClient(sd->wire_pkt) ? DCE2_MOCK_HDR_LEN__SMB_CLI :
- DCE2_MOCK_HDR_LEN__SMB_SRV;
-
- if (DCE2_SsnFromClient(sd->wire_pkt))
+ int smb_hdr_len;
+
+ if ( DetectionEngine::get_current_packet()->is_from_client() )
+ {
+ smb_hdr_len = DCE2_MOCK_HDR_LEN__SMB_CLI;
dce_common_stats->co_cli_seg_reassembled++;
+ }
else
+ {
+ smb_hdr_len = DCE2_MOCK_HDR_LEN__SMB_SRV;
dce_common_stats->co_srv_seg_reassembled++;
+ }
+
Packet* rpkt = DCE2_CoGetSegRpkt(sd, DCE2_BufferData(seg->buf), DCE2_BufferLength(seg->buf));
void DCE2_CoProcess(DCE2_SsnData* sd, DCE2_CoTracker* cot,
const uint8_t* data_ptr, uint16_t data_len)
{
- DCE2_CoSeg* seg = DCE2_CoGetSegPtr(sd, cot);
+ DCE2_CoSeg* seg = DCE2_CoGetSegPtr(cot);
dce2CommonStats* dce_common_stats = dce_get_proto_stats_ptr(sd);
uint32_t num_frags = 0;
return true;
}
-uint16_t DCE2_GetRpktMaxData(DCE2_SsnData* sd, DCE2_RpktType rtype)
+uint16_t DCE2_GetRpktMaxData(DCE2_RpktType rtype)
{
- snort::Packet* p = sd->wire_pkt;
+ snort::Packet* p = DetectionEngine::get_current_packet();
uint16_t overhead = 0;
switch (rtype)
break;
case DCE2_RPKT_TYPE__SMB_CO_SEG:
- if (DCE2_SsnFromClient(p))
+ if (p->is_from_client())
overhead += DCE2_MOCK_HDR_LEN__SMB_CLI;
else
overhead += DCE2_MOCK_HDR_LEN__SMB_SRV;
break;
case DCE2_RPKT_TYPE__SMB_CO_FRAG:
- if (DCE2_SsnFromClient(p))
+ if (p->is_from_client())
overhead += DCE2_MOCK_HDR_LEN__SMB_CLI + DCE2_MOCK_HDR_LEN__CO_CLI;
else
overhead += DCE2_MOCK_HDR_LEN__SMB_SRV + DCE2_MOCK_HDR_LEN__CO_SRV;
case DCE2_RPKT_TYPE__TCP_CO_SEG:
break;
case DCE2_RPKT_TYPE__TCP_CO_FRAG:
- if (DCE2_SsnFromClient(p))
+ if (p->is_from_client())
overhead += DCE2_MOCK_HDR_LEN__CO_CLI;
else
overhead += DCE2_MOCK_HDR_LEN__CO_SRV;
case DCE2_RPKT_TYPE__SMB_TRANS:
rpkt->pseudo_type = PSEUDO_PKT_SMB_TRANS;
- if (DCE2_SsnFromClient(p))
+ if (p->is_from_client())
{
data_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI;
memset(wrdata, 0, data_overhead);
case DCE2_RPKT_TYPE__SMB_CO_SEG:
rpkt->pseudo_type = PSEUDO_PKT_DCE_SEG;
- if (DCE2_SsnFromClient(p))
+ if (p->is_from_client())
{
data_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI;
memset(wrdata, 0, data_overhead);
case DCE2_RPKT_TYPE__SMB_CO_FRAG:
rpkt->pseudo_type = PSEUDO_PKT_DCE_FRAG;
- if (DCE2_SsnFromClient(p))
+ if (p->is_from_client())
{
data_overhead = DCE2_MOCK_HDR_LEN__SMB_CLI + DCE2_MOCK_HDR_LEN__CO_CLI;
memset(wrdata, 0, data_overhead);
if (rpkt_type == DCE2_RPKT_TYPE__TCP_CO_FRAG)
{
rpkt->pseudo_type = PSEUDO_PKT_DCE_FRAG;
- if (DCE2_SsnFromClient(p))
+ if (p->is_from_client())
{
data_overhead = DCE2_MOCK_HDR_LEN__CO_CLI;
memset(wrdata, 0, data_overhead);
DCE2_Policy server_policy;
DCE2_Policy client_policy;
int flags;
- snort::Packet* wire_pkt;
uint64_t alert_mask;
DCE2_Roptions ropts;
void* config;
return UINT16_MAX;
}
-inline int DCE2_SsnFromServer(snort::Packet* p)
-{
- return p->is_from_server();
-}
-
-inline int DCE2_SsnFromClient(snort::Packet* p)
-{
- return p->is_from_client();
-}
-
inline DCE2_Policy DCE2_SsnGetPolicy(DCE2_SsnData* sd)
{
assert(sd);
- if (DCE2_SsnFromClient(sd->wire_pkt))
+ if ( snort::DetectionEngine::get_current_packet()->is_from_client() )
return sd->server_policy;
else
return sd->client_policy;
inline void DCE2_SsnSetPolicy(DCE2_SsnData* sd, DCE2_Policy policy)
{
- if (DCE2_SsnFromClient(sd->wire_pkt))
+ if ( snort::DetectionEngine::get_current_packet()->is_from_client() )
sd->client_policy = policy;
else
sd->server_policy = policy;
bool dce2_paf_abort(snort::Flow*, DCE2_SsnData*);
void DCE2_Detect(DCE2_SsnData*);
snort::Packet* DCE2_GetRpkt(snort::Packet*, DCE2_RpktType, const uint8_t*, uint32_t);
-uint16_t DCE2_GetRpktMaxData(DCE2_SsnData*, DCE2_RpktType);
+uint16_t DCE2_GetRpktMaxData(DCE2_RpktType);
DCE2_Ret DCE2_AddDataToRpkt(snort::Packet*, const uint8_t*, uint32_t);
DCE2_TransType get_dce2_trans_type(const snort::Packet* p);
p->packet_flags |= PKT_ALLOW_MULTIPLE_DETECT;
dce2_detected = 0;
- p->endianness = (snort::Endianness*)new DceEndianness();
+ p->endianness = new DceEndianness();
DCE2_SmbProcess(dce2_smb_sess);
ftracker->file_name_size = 0;
}
-static inline FileContext* get_file_context(DCE2_SmbSsnData* ssd, uint64_t file_id)
+static inline FileContext* get_file_context(uint64_t file_id)
{
- assert(ssd->sd.wire_pkt);
- FileFlows* file_flows = FileFlows::get_file_flows((ssd->sd.wire_pkt)->flow);
- if(!file_flows)
+ FileFlows* file_flows = FileFlows::get_file_flows(DetectionEngine::get_current_packet()->flow);
+
+ if ( !file_flows )
return nullptr;
+
return file_flows->get_file_context(file_id, true);
}
DCE2_FileDetect();
}
- assert(ssd->sd.wire_pkt);
- FileFlows* file_flows = FileFlows::get_file_flows((ssd->sd.wire_pkt)->flow);
- if(!file_flows)
+ FileFlows* file_flows = FileFlows::get_file_flows(DetectionEngine::get_current_packet()->flow);
+ if ( !file_flows )
return;
file_flows->file_process(ssd->ftracker.fid_v2, file_data, data_size,
if (ssd->ftracker.file_name && ssd->ftracker.file_name_size)
{
- FileContext* file = get_file_context(ssd, ssd->ftracker.fid_v2);
+ FileContext* file = get_file_context(ssd->ftracker.fid_v2);
if (file)
{
file->set_file_size(file_size);
!ssd->ftracker.tracker.file.file_size
&& ssd->ftracker.tracker.file.file_offset)
{
- FileDirection dir = DCE2_SsnFromClient(ssd->sd.wire_pkt) ? FILE_UPLOAD : FILE_DOWNLOAD;
+ FileDirection dir = DetectionEngine::get_current_packet()->is_from_client() ?
+ FILE_UPLOAD : FILE_DOWNLOAD;
+
ssd->ftracker.tracker.file.file_size = ssd->ftracker.tracker.file.file_offset;
uint64_t fileId_persistent = alignedNtohq(&(smb_close_hdr->fileId_persistent));
- FileContext* file = get_file_context(ssd, fileId_persistent);
+ FileContext* file = get_file_context(fileId_persistent);
if (file)
{
file->set_file_size(ssd->ftracker.tracker.file.file_size);
uint64_t file_size = alignedNtohq((const uint64_t*)file_data);
ssd->ftracker.tracker.file.file_size = file_size;
uint64_t fileId_persistent = alignedNtohq(&(smb_set_info_hdr->fileId_persistent));
- FileContext* file = get_file_context(ssd, fileId_persistent);
+ FileContext* file = get_file_context(fileId_persistent);
if (file)
{
file->set_file_size(ssd->ftracker.tracker.file.file_size);
// This is the main entry point for SMB2 processing.
void DCE2_Smb2Process(DCE2_SmbSsnData* ssd)
{
- Packet* p = ssd->sd.wire_pkt;
+ Packet* p = DetectionEngine::get_current_packet();
const uint8_t* data_ptr = p->data;
uint16_t data_len = p->dsize;
else if (ssd->pdu_state == DCE2_SMB_PDU_STATE__RAW_DATA)
{
/*continue processing raw data*/
- FileDirection dir = DCE2_SsnFromClient(ssd->sd.wire_pkt) ? FILE_UPLOAD : FILE_DOWNLOAD;
+ FileDirection dir = p->is_from_client() ? FILE_UPLOAD : FILE_DOWNLOAD;
DCE2_Smb2ProcessFileData(ssd, data_ptr, data_len, dir);
ssd->ftracker.tracker.file.file_offset += data_len;
}
if ((ssd->fb_ftracker != nullptr) && (ssd->fb_ftracker == ssd->cur_rtracker->ftracker))
{
- FileVerdict verdict = DCE2_get_file_verdict(ssd);
+ FileVerdict verdict = DCE2_get_file_verdict();
if ((verdict == FILE_VERDICT_BLOCK) || (verdict == FILE_VERDICT_REJECT))
ssd->block_pdus = true;
********************************************************************/
static void DCE2_SmbSetNewFileAPIFileTracker(DCE2_SmbSsnData* ssd);
static void DCE2_SmbResetFileChunks(DCE2_SmbFileTracker* ssd);
-static void DCE2_SmbFinishFileAPI(DCE2_SmbSsnData* ssd);
+static void DCE2_SmbFinishFileAPI(DCE2_SmbSsnData*);
static void DCE2_SmbFinishFileBlockVerdict(DCE2_SmbSsnData* ssd);
/********************************************************************
smb_hdr->smb_uid = SmbHtons((const uint16_t*)&uid);
smb_hdr->smb_tid = SmbHtons((const uint16_t*)&tid);
- if (DCE2_SsnFromClient(ssd->sd.wire_pkt))
+ if ( DetectionEngine::get_current_packet()->is_from_client() )
{
SmbWriteAndXReq* writex =
(SmbWriteAndXReq*)((uint8_t*)smb_hdr + sizeof(SmbNtHdr));
|| (data_len == nullptr) || (*data_len == 0))
return nullptr;
- Packet* rpkt = DCE2_GetRpkt(ssd->sd.wire_pkt, rtype, *data, *data_len);
+ Packet* rpkt = DCE2_GetRpkt(DetectionEngine::get_current_packet(), rtype, *data, *data_len);
if ( !rpkt )
return nullptr;
switch (rtype)
{
case DCE2_RPKT_TYPE__SMB_TRANS:
- if (DCE2_SmbType(ssd) == SMB_TYPE__REQUEST)
+ if (DCE2_SmbType() == SMB_TYPE__REQUEST)
header_len = DCE2_MOCK_HDR_LEN__SMB_CLI;
else
header_len = DCE2_MOCK_HDR_LEN__SMB_SRV;
{
DCE2_Buffer* seg_buf;
- if (DCE2_SsnFromServer(ssd->sd.wire_pkt))
+ if ( DetectionEngine::get_current_packet()->is_from_server() )
seg_buf = ssd->srv_seg;
else
seg_buf = ssd->cli_seg;
{
DCE2_Buffer* buf;
- if (DCE2_SsnFromClient(ssd->sd.wire_pkt))
+ if ( DetectionEngine::get_current_packet()->is_from_client() )
buf = ssd->cli_seg;
else
buf = ssd->srv_seg;
ssd->fapi_ftracker = nullptr;
}
-static FileContext* DCE2_get_main_file_context(DCE2_SmbSsnData* ssd)
+static FileContext* DCE2_get_main_file_context()
{
- assert(ssd->sd.wire_pkt);
- FileFlows* file_flows = FileFlows::get_file_flows((ssd->sd.wire_pkt)->flow);
+ FileFlows* file_flows = FileFlows::get_file_flows(DetectionEngine::get_current_packet()->flow);
assert(file_flows);
return file_flows->get_current_file_context();
}
-FileVerdict DCE2_get_file_verdict(DCE2_SmbSsnData* ssd)
+FileVerdict DCE2_get_file_verdict()
{
- FileContext* file = DCE2_get_main_file_context(ssd);
+ FileContext* file = DCE2_get_main_file_context();
if ( !file )
return FILE_VERDICT_UNKNOWN;
return file->verdict;
*del_req_fmt = SMB_FMT__ASCII;
}
-static void DCE2_SmbInjectDeletePdu(DCE2_SmbSsnData* ssd, DCE2_SmbFileTracker* ftracker)
+static void DCE2_SmbInjectDeletePdu(DCE2_SmbFileTracker* ftracker)
{
Packet* inject_pkt = snort::Snort::get_packet();
- if ( inject_pkt->flow != ssd->sd.wire_pkt->flow )
+ Packet* p = DetectionEngine::get_current_packet();
+
+ if ( inject_pkt->flow != p->flow )
return;
NbssHdr* nb_hdr = (NbssHdr*)dce2_smb_delete_pdu;
Active::inject_data(inject_pkt, 0, (uint8_t*)nb_hdr, len);
}
-static FileVerdict DCE2_SmbLookupFileVerdict(DCE2_SmbSsnData* ssd)
+static FileVerdict DCE2_SmbLookupFileVerdict()
{
Profile profile(dce2_smb_pstat_smb_file_api);
- FileContext* file = DCE2_get_main_file_context(ssd);
+ FileContext* file = DCE2_get_main_file_context();
if ( !file )
return FILE_VERDICT_UNKNOWN;
FileVerdict verdict = file->verdict;
if (verdict == FILE_VERDICT_PENDING)
- verdict = file->file_signature_lookup(ssd->sd.wire_pkt->flow);
+ verdict = file->file_signature_lookup(DetectionEngine::get_current_packet()->flow);
return verdict;
}
{
Profile profile(dce2_smb_pstat_smb_file);
- FileVerdict verdict = DCE2_SmbLookupFileVerdict(ssd);
+ FileVerdict verdict = DCE2_SmbLookupFileVerdict();
if ((verdict == FILE_VERDICT_BLOCK) || (verdict == FILE_VERDICT_REJECT))
{
- DCE2_SmbInjectDeletePdu(ssd, ssd->fb_ftracker);
+ DCE2_SmbInjectDeletePdu(ssd->fb_ftracker);
}
ssd->fb_ftracker = nullptr;
static void DCE2_SmbFinishFileAPI(DCE2_SmbSsnData* ssd)
{
- Packet* p = ssd->sd.wire_pkt;
+ Packet* p = DetectionEngine::get_current_packet();
DCE2_SmbFileTracker* ftracker = ssd->fapi_ftracker;
if (ftracker == nullptr)
{
if (upload)
{
- FileVerdict verdict = DCE2_get_file_verdict(ssd);
+ FileVerdict verdict = DCE2_get_file_verdict();
if ((verdict == FILE_VERDICT_BLOCK) || (verdict == FILE_VERDICT_REJECT))
ssd->fb_ftracker = ftracker;
}
Profile profile(dce2_smb_pstat_smb_file_api);
- FileFlows* file_flows = FileFlows::get_file_flows(ssd->sd.wire_pkt->flow);
+ FileFlows* file_flows = FileFlows::get_file_flows(DetectionEngine::get_current_packet()->flow);
if (!file_flows->file_process(data_ptr, (int)data_len, position, upload,
DCE2_SmbIsVerdictSuspend(upload, position)))
{
{
if (upload)
{
- FileVerdict verdict = DCE2_get_file_verdict(ssd);
+ FileVerdict verdict = DCE2_get_file_verdict();
if ((verdict == FILE_VERDICT_BLOCK) || (verdict == FILE_VERDICT_REJECT)
|| (verdict == FILE_VERDICT_PENDING))
DCE2_SmbFileTracker* ftracker, const uint8_t* data_ptr,
uint32_t data_len, bool upload);
void DCE2_FileDetect();
-FileVerdict DCE2_get_file_verdict(DCE2_SmbSsnData* );
+FileVerdict DCE2_get_file_verdict();
void DCE2_SmbInitDeletePdu();
void DCE2_Update_Ftracker_from_ReqTracker(DCE2_SmbFileTracker*, DCE2_SmbRequestTracker*);
* SMB_TYPE__RESPONSE if packet is from server
*
********************************************************************/
-inline int DCE2_SmbType(DCE2_SmbSsnData* ssd)
+inline int DCE2_SmbType()
{
- if (DCE2_SsnFromClient(ssd->sd.wire_pkt))
+ if ( snort::DetectionEngine::get_current_packet()->is_from_client() )
return SMB_TYPE__REQUEST;
else
return SMB_TYPE__RESPONSE;
inline DCE2_Buffer** DCE2_SmbGetSegBuffer(DCE2_SmbSsnData* ssd)
{
- if (DCE2_SsnFromServer(ssd->sd.wire_pkt))
+ if ( snort::DetectionEngine::get_current_packet()->is_from_server() )
return &ssd->srv_seg;
return &ssd->cli_seg;
}
dce2_tcp_sess->sd.trans = DCE2_TRANS_TYPE__TCP;
dce2_tcp_sess->sd.server_policy = config->common.policy;
dce2_tcp_sess->sd.client_policy = DCE2_POLICY__WINXP;
- dce2_tcp_sess->sd.wire_pkt = p;
dce2_tcp_sess->sd.config = (void*)config;
}
&& (DceRpcCoVersMin(co_hdr) == DCERPC_PROTO_MINOR_VERS__0)
&& ((p->is_from_client()
&& DceRpcCoPduType(co_hdr) == DCERPC_PDU_TYPE__BIND)
- || (DCE2_SsnFromServer(p)
+ || (p->is_from_server()
&& DceRpcCoPduType(co_hdr) == DCERPC_PDU_TYPE__BIND_ACK))
&& (DceRpcCoFragLen(co_hdr) >= sizeof(DceRpcCoHdr)))
{
dce2_udp_stats.udp_sessions++;
dce2_udp_sess->sd.trans = DCE2_TRANS_TYPE__UDP;
- dce2_udp_sess->sd.wire_pkt = p;
dce2_udp_sess->sd.config = (void*)config;
return dce2_udp_sess;
{
const DceRpcClHdr* cl_hdr;
DCE2_ClActTracker* at;
- const uint8_t* data_ptr = sd->wire_pkt->data;
- uint16_t data_len = sd->wire_pkt->dsize;
+ Packet* p = DetectionEngine::get_current_packet();
+ const uint8_t* data_ptr = p->data;
+ uint16_t data_len = p->dsize;
if (data_len < sizeof(DceRpcClHdr))
{
if (at == nullptr)
return;
- if (DCE2_SsnFromClient(sd->wire_pkt))
+ if ( p->is_from_client() )
{
switch (DceRpcClPduType(cl_hdr))
{
case DCERPC_PDU_TYPE__RESPONSE:
{
trace_log(dce_udp, "Response from client. Changing stream direction.\n");
- Packet* p = sd->wire_pkt;
ip::IpApi* ip_api = &p->ptrs.ip_api;
p->flow->session->update_direction(SSN_DIR_FROM_SERVER,
sd->ropts.iface_vers = DceRpcClIfaceVers(cl_hdr);
sd->ropts.opnum = DceRpcClOpnum(cl_hdr);
sd->ropts.stub_data = (const uint8_t*)cl_hdr + sizeof(DceRpcClHdr);
- DceEndianness* endianness = (DceEndianness*)sd->wire_pkt->endianness;
+ DceEndianness* endianness = (DceEndianness*)DetectionEngine::get_current_packet()->endianness;
endianness->hdr_byte_order = DceRpcClByteOrder(cl_hdr);
endianness->data_byte_order = DceRpcClByteOrder(cl_hdr);
DCE2_Detect(sd);
sd->ropts.first_frag = DceRpcClFirstFrag(cl_hdr);
DCE2_CopyUuid(&sd->ropts.iface, &ft->iface, DCERPC_BO_FLAG__NONE);
sd->ropts.iface_vers = ft->iface_vers;
- DceEndianness* endianness = (DceEndianness*)sd->wire_pkt->endianness;
+ DceEndianness* endianness = (DceEndianness*)DetectionEngine::get_current_packet()->endianness;
endianness->hdr_byte_order = DceRpcClByteOrder(cl_hdr);
if (ft->data_byte_order != DCE2_SENTINEL)
stub_len += fnode->frag_len;
}
- Packet* rpkt = DCE2_GetRpkt(
- sd->wire_pkt, DCE2_RPKT_TYPE__UDP_CL_FRAG, dce2_cl_rbuf, stub_len);
+ Packet* rpkt = DCE2_GetRpkt(DetectionEngine::get_current_packet(),
+ DCE2_RPKT_TYPE__UDP_CL_FRAG, dce2_cl_rbuf, stub_len);
if ( !rpkt )
return;
sd->ropts.first_frag = 1;
DCE2_CopyUuid(&sd->ropts.iface, &ft->iface, DCERPC_BO_FLAG__NONE);
sd->ropts.iface_vers = ft->iface_vers;
- DceEndianness* endianness = (DceEndianness*)sd->wire_pkt->endianness;
+ DceEndianness* endianness = (DceEndianness*)DetectionEngine::get_current_packet()->endianness;
endianness->hdr_byte_order = DceRpcClByteOrder(cl_hdr);
if (ft->data_byte_order != DCE2_SENTINEL)
********************************************************************/
static inline uint32_t* DCE2_SmbGetIgnorePtr(DCE2_SmbSsnData* ssd)
{
- if (DCE2_SsnFromServer(ssd->sd.wire_pkt))
+ if ( DetectionEngine::get_current_packet()->is_from_server() )
return &ssd->srv_ignore_bytes;
return &ssd->cli_ignore_bytes;
}
********************************************************************/
static inline DCE2_SmbDataState* DCE2_SmbGetDataState(DCE2_SmbSsnData* ssd)
{
- if (DCE2_SsnFromServer(ssd->sd.wire_pkt))
+ if ( DetectionEngine::get_current_packet()->is_from_server() )
return &ssd->srv_data_state;
return &ssd->cli_data_state;
}
********************************************************************/
static DCE2_Ret DCE2_SmbHdrChecks(DCE2_SmbSsnData* ssd, const SmbNtHdr* smb_hdr)
{
- Packet* p = ssd->sd.wire_pkt;
+ Packet* p = DetectionEngine::get_current_packet();
bool is_seg_buf = DCE2_SmbIsSegBuffer(ssd, (const uint8_t*)smb_hdr);
- if ((DCE2_SsnFromServer(p) && (SmbType(smb_hdr) == SMB_TYPE__REQUEST)) ||
- (DCE2_SsnFromClient(p) && (SmbType(smb_hdr) == SMB_TYPE__RESPONSE)))
+ if ((p->is_from_server() && (SmbType(smb_hdr) == SMB_TYPE__REQUEST)) ||
+ (p->is_from_client() && (SmbType(smb_hdr) == SMB_TYPE__RESPONSE)))
{
if (is_seg_buf)
DCE2_SmbSegAlert(ssd, DCE2_SMB_BAD_TYPE);
// Set this to the first matching request in the queue
// where the Mid matches. Don't set for Windows if from
// client since PID/MID are necessary
- if (((DCE2_SmbType(ssd) == SMB_TYPE__RESPONSE)
+ if (((DCE2_SmbType() == SMB_TYPE__RESPONSE)
|| !DCE2_SsnIsWindowsPolicy(&ssd->sd))
&& first_mid_rtracker == nullptr)
{
}
}
else if ((smb_bcc == 0) && (SmbCom(smb_hdr) == SMB_COM_TRANSACTION)
- && (DCE2_SmbType(ssd) == SMB_TYPE__REQUEST)
+ && (DCE2_SmbType() == SMB_TYPE__REQUEST)
&& (DCE2_SsnGetPolicy(&ssd->sd) == DCE2_POLICY__SAMBA))
{
// Current Samba errors on a zero byte count Transaction because it
while (nb_len > 0)
{
- if (ssd->block_pdus && (DCE2_SmbType(ssd) == SMB_TYPE__REQUEST))
+ if (ssd->block_pdus && (DCE2_SmbType() == SMB_TYPE__REQUEST))
{
- Active::drop_packet(ssd->sd.wire_pkt);
+ Active::drop_packet(DetectionEngine::get_current_packet());
status = DCE2_RET__IGNORE;
break;
}
}
DCE2_SmbComInfo com_info;
- com_info.smb_type = DCE2_SmbType(ssd);
+ com_info.smb_type = DCE2_SmbType();
com_info.cmd_error = DCE2_SMB_COM_ERROR__COMMAND_OK;
com_info.word_count = 0;
com_info.smb_com = smb_com;
case SMB_COM_WRITE_ANDX:
case SMB_COM_TRANSACTION:
case SMB_COM_READ_ANDX:
- if (DCE2_SsnFromClient(ssd->sd.wire_pkt) && open_chain)
+ if ( DetectionEngine::get_current_packet()->is_from_client() && open_chain)
{
DCE2_SmbQueueTmpFileTracker(ssd, ssd->cur_rtracker,
SmbUid(smb_hdr), SmbTid(smb_hdr));
smb_com = smb_com2;
}
- int smb_type = DCE2_SmbType(ssd);
+ int smb_type = DCE2_SmbType();
if (smb_type == SMB_TYPE__RESPONSE)
{
switch (smb_com)
// See if this is something we need to inspect
DCE2_Policy policy = DCE2_SsnGetServerPolicy(&ssd->sd);
DCE2_SmbRequestTracker* rtracker = nullptr;
- if (DCE2_SmbType(ssd) == SMB_TYPE__REQUEST)
+ if (DCE2_SmbType() == SMB_TYPE__REQUEST)
{
switch (smb_com)
{
return;
}
- if (DCE2_SsnFromClient(ssd->sd.wire_pkt))
+ if ( DetectionEngine::get_current_packet()->is_from_client() )
{
if (nb_len > ssd->cur_rtracker->writeraw_remaining)
{
}
else
{
- bool upload = DCE2_SsnFromClient(ssd->sd.wire_pkt) ? true : false;
+ bool upload = DetectionEngine::get_current_packet()->is_from_client();
DCE2_SmbProcessFileData(ssd, ftracker, nb_ptr, nb_len, upload);
}
dce2_smb_sess->sd.trans = DCE2_TRANS_TYPE__SMB;
dce2_smb_sess->sd.server_policy = config->common.policy;
dce2_smb_sess->sd.client_policy = DCE2_POLICY__WINXP;
- dce2_smb_sess->sd.wire_pkt = p;
dce2_smb_sess->sd.config = (void*)config;
}
********************************************************************/
static DCE2_Ret DCE2_NbssHdrChecks(DCE2_SmbSsnData* ssd, const NbssHdr* nb_hdr)
{
- Packet* p = ssd->sd.wire_pkt;
+ Packet* p = DetectionEngine::get_current_packet();
bool is_seg_buf = DCE2_SmbIsSegBuffer(ssd, (const uint8_t*)nb_hdr);
switch (NbssType(nb_hdr))
return DCE2_RET__SUCCESS;
case NBSS_SESSION_TYPE__REQUEST:
- if (DCE2_SsnFromServer(p))
+ if ( p->is_from_server() )
{
if (is_seg_buf)
DCE2_SmbSegAlert(ssd, DCE2_SMB_BAD_NBSS_TYPE);
case NBSS_SESSION_TYPE__POS_RESPONSE:
case NBSS_SESSION_TYPE__NEG_RESPONSE:
case NBSS_SESSION_TYPE__RETARGET_RESPONSE:
- if (DCE2_SsnFromClient(p))
+ if ( p->is_from_client() )
{
if (is_seg_buf)
DCE2_SmbSegAlert(ssd, DCE2_SMB_BAD_NBSS_TYPE);
{
dce2_smb_stats.smb_pkts++;
- const Packet* p = ssd->sd.wire_pkt;
+ const Packet* p = DetectionEngine::get_current_packet();
const uint8_t* data_ptr = p->data;
uint16_t data_len = p->dsize;
DCE2_Buffer** seg_buf = DCE2_SmbGetSegBuffer(ssd);
nb_ptr = DCE2_BufferData(*seg_buf);
nb_len = DCE2_BufferLength(*seg_buf);
- if (DCE2_SsnFromClient(ssd->sd.wire_pkt))
+ if ( p->is_from_client() )
dce2_smb_stats.smb_cli_seg_reassembled++;
else
dce2_smb_stats.smb_srv_seg_reassembled++;
return;
}
- snort::Packet* p = ssd->sd.wire_pkt;
+ Packet* p = DetectionEngine::get_current_packet();
DCE2_SmbVersion smb_version = DCE2_Smb2Version(p);
if (smb_version == DCE2_SMB_VERISON_1)
{
projects / thirdparty / snort3.git / commitdiff
