if ( SnortConfig::icmp_checksums() && !valid_checksum_from_daq(raw))
{
checksum::Pseudoheader6 ph6;
- COPY4(ph6.sip, snort.ip_api.get_src()->get_ip6_ptr());
- COPY4(ph6.dip, snort.ip_api.get_dst()->get_ip6_ptr());
- ph6.zero = 0;
- ph6.protocol = codec.ip6_csum_proto;
- ph6.len = htons((unsigned short)raw.len);
+ COPY4(ph6.hdr.sip, snort.ip_api.get_src()->get_ip6_ptr());
+ COPY4(ph6.hdr.dip, snort.ip_api.get_dst()->get_ip6_ptr());
+ ph6.hdr.zero = 0;
+ ph6.hdr.protocol = codec.ip6_csum_proto;
+ ph6.hdr.len = htons((uint16_t)raw.len);
- uint16_t csum = checksum::icmp_cksum((const uint16_t*)(icmp6h), raw.len, &ph6);
+ uint16_t csum = checksum::icmp_cksum((const uint16_t*)(icmp6h), raw.len, ph6);
if (csum && !codec.is_cooked())
{
checksum::Pseudoheader6 ps6;
h->cksum = 0;
- memcpy(ps6.sip, api.get_src()->get_ip6_ptr(), sizeof(ps6.sip));
- memcpy(ps6.dip, api.get_dst()->get_ip6_ptr(), sizeof(ps6.dip));
- ps6.zero = 0;
- ps6.protocol = IpProtocol::ICMPV6;
- ps6.len = htons((uint16_t)updated_len);
- h->cksum = checksum::icmp_cksum((uint16_t*)h, updated_len, &ps6);
+ memcpy(ps6.hdr.sip, api.get_src()->get_ip6_ptr(), sizeof(ps6.hdr.sip));
+ memcpy(ps6.hdr.dip, api.get_dst()->get_ip6_ptr(), sizeof(ps6.hdr.dip));
+ ps6.hdr.zero = 0;
+ ps6.hdr.protocol = IpProtocol::ICMPV6;
+ ps6.hdr.len = htons((uint16_t)updated_len);
+ h->cksum = checksum::icmp_cksum((uint16_t*)h, updated_len, ps6);
}
}
// must be called AFTER setting next_prot_id
// Mobility Header must always be the last header in the header chain of an IPv6 packet
CheckIPv6ExtensionOrder(codec, IpProtocol::MOBILITY_IPV6);
-
+
return true;
}
const ip::IP4Hdr* ip4h = snort.ip_api.get_ip4h();
checksum::Pseudoheader ph;
- ph.sip = ip4h->get_src();
- ph.dip = ip4h->get_dst();
- ph.zero = 0;
- ph.protocol = ip4h->proto();
- ph.len = htons((uint16_t) raw.len);
+ ph.hdr.sip = ip4h->get_src();
+ ph.hdr.dip = ip4h->get_dst();
+ ph.hdr.zero = 0;
+ ph.hdr.protocol = ip4h->proto();
+ ph.hdr.len = htons((uint16_t) raw.len);
- return (checksum::tcp_cksum((const uint16_t*) raw.data, raw.len, &ph) == 0);
+ return (checksum::tcp_cksum((const uint16_t*) raw.data, raw.len, ph) == 0);
}
bool TcpCodec::valid_checksum6(const RawData& raw, const CodecData& codec, DecodeData& snort)
const ip::IP6Hdr* const ip6h = snort.ip_api.get_ip6h();
checksum::Pseudoheader6 ph6;
- COPY4(ph6.sip, ip6h->get_src()->u6_addr32);
- COPY4(ph6.dip, ip6h->get_dst()->u6_addr32);
- ph6.zero = 0;
- ph6.protocol = codec.ip6_csum_proto;
- ph6.len = htons((uint16_t) raw.len);
+ COPY4(ph6.hdr.sip, ip6h->get_src()->u6_addr32);
+ COPY4(ph6.hdr.dip, ip6h->get_dst()->u6_addr32);
+ ph6.hdr.zero = 0;
+ ph6.hdr.protocol = codec.ip6_csum_proto;
+ ph6.hdr.len = htons((uint16_t) raw.len);
- return (checksum::tcp_cksum((const uint16_t*) raw.data, raw.len, &ph6) == 0);
+ return (checksum::tcp_cksum((const uint16_t*) raw.data, raw.len, ph6) == 0);
}
bool TcpCodec::decode(const RawData& raw, CodecData& codec, DecodeData& snort)
int len = buf.size();
const ip::IP4Hdr* const ip4h = ip_api.get_ip4h();
- ps.sip = ip4h->get_src();
- ps.dip = ip4h->get_dst();
- ps.zero = 0;
- ps.protocol = IpProtocol::TCP;
- ps.len = htons((uint16_t)len);
- tcph_out->th_sum = checksum::tcp_cksum((uint16_t*)tcph_out, len, &ps);
+ ps.hdr.sip = ip4h->get_src();
+ ps.hdr.dip = ip4h->get_dst();
+ ps.hdr.zero = 0;
+ ps.hdr.protocol = IpProtocol::TCP;
+ ps.hdr.len = htons((uint16_t)len);
+ tcph_out->th_sum = checksum::tcp_cksum((uint16_t*)tcph_out, len, ps);
}
else if (ip_api.is_ip6())
{
int len = buf.size();
const ip::IP6Hdr* const ip6h = ip_api.get_ip6h();
- memcpy(&ps6.sip, ip6h->get_src()->u6_addr8, sizeof(ps6.sip));
- memcpy(&ps6.dip, ip6h->get_dst()->u6_addr8, sizeof(ps6.dip));
- ps6.zero = 0;
- ps6.protocol = IpProtocol::TCP;
- ps6.len = htons((uint16_t)len);
- tcph_out->th_sum = checksum::tcp_cksum((uint16_t*)tcph_out, len, &ps6);
+ memcpy(&ps6.hdr.sip, ip6h->get_src()->u6_addr8, sizeof(ps6.hdr.sip));
+ memcpy(&ps6.hdr.dip, ip6h->get_dst()->u6_addr8, sizeof(ps6.hdr.dip));
+ ps6.hdr.zero = 0;
+ ps6.hdr.protocol = IpProtocol::TCP;
+ ps6.hdr.len = htons((uint16_t)len);
+ tcph_out->th_sum = checksum::tcp_cksum((uint16_t*)tcph_out, len, ps6);
}
return true;
{
checksum::Pseudoheader ps;
const ip::IP4Hdr* const ip4h = api.get_ip4h();
- ps.sip = ip4h->get_src();
- ps.dip = ip4h->get_dst();
- ps.zero = 0;
- ps.protocol = IpProtocol::TCP;
- ps.len = htons((uint16_t)updated_len);
- h->th_sum = checksum::tcp_cksum((uint16_t*)h, updated_len, &ps);
+ ps.hdr.sip = ip4h->get_src();
+ ps.hdr.dip = ip4h->get_dst();
+ ps.hdr.zero = 0;
+ ps.hdr.protocol = IpProtocol::TCP;
+ ps.hdr.len = htons((uint16_t)updated_len);
+ h->th_sum = checksum::tcp_cksum((uint16_t*)h, updated_len, ps);
}
else
{
checksum::Pseudoheader6 ps6;
const ip::IP6Hdr* const ip6h = api.get_ip6h();
- memcpy(ps6.sip, ip6h->get_src()->u6_addr32, sizeof(ps6.sip));
- memcpy(ps6.dip, ip6h->get_dst()->u6_addr32, sizeof(ps6.dip));
- ps6.zero = 0;
- ps6.protocol = IpProtocol::TCP;
- ps6.len = htons((uint16_t)updated_len);
- h->th_sum = checksum::tcp_cksum((uint16_t*)h, updated_len, &ps6);
+ memcpy(ps6.hdr.sip, ip6h->get_src()->u6_addr32, sizeof(ps6.hdr.sip));
+ memcpy(ps6.hdr.dip, ip6h->get_dst()->u6_addr32, sizeof(ps6.hdr.dip));
+ ps6.hdr.zero = 0;
+ ps6.hdr.protocol = IpProtocol::TCP;
+ ps6.hdr.len = htons((uint16_t)updated_len);
+ h->th_sum = checksum::tcp_cksum((uint16_t*)h, updated_len, ps6);
}
}
}
const ip::IP4Hdr* const ip4h = snort.ip_api.get_ip4h();
checksum::Pseudoheader ph;
- ph.sip = ip4h->get_src();
- ph.dip = ip4h->get_dst();
- ph.zero = 0;
- ph.protocol = ip4h->proto();
- ph.len = htons((uint16_t) raw.len);
+ ph.hdr.sip = ip4h->get_src();
+ ph.hdr.dip = ip4h->get_dst();
+ ph.hdr.zero = 0;
+ ph.hdr.protocol = ip4h->proto();
+ ph.hdr.len = htons((uint16_t) raw.len);
- return (checksum::udp_cksum((const uint16_t*) raw.data, raw.len, &ph) == 0);
+ return (checksum::udp_cksum((const uint16_t*) raw.data, raw.len, ph) == 0);
}
bool UdpCodec::valid_checksum6(const RawData& raw, const CodecData& codec, const DecodeData& snort)
const ip::IP6Hdr* const ip6h = snort.ip_api.get_ip6h();
checksum::Pseudoheader6 ph6;
- COPY4(ph6.sip, ip6h->ip6_src.u6_addr32);
- COPY4(ph6.dip, ip6h->ip6_dst.u6_addr32);
- ph6.zero = 0;
- ph6.protocol = codec.ip6_csum_proto;
- ph6.len = htons((uint16_t) raw.len);
+ COPY4(ph6.hdr.sip, ip6h->get_src()->u6_addr32);
+ COPY4(ph6.hdr.dip, ip6h->get_dst()->u6_addr32);
+ ph6.hdr.zero = 0;
+ ph6.hdr.protocol = codec.ip6_csum_proto;
+ ph6.hdr.len = htons((uint16_t) raw.len);
- return (checksum::udp_cksum((const uint16_t*) raw.data, raw.len, &ph6) == 0);
+ return (checksum::udp_cksum((const uint16_t*) raw.data, raw.len, ph6) == 0);
}
void UdpCodec::get_protocol_ids(std::vector<ProtocolId>& v)
{
checksum::Pseudoheader ps;
const ip::IP4Hdr* const ip4h = ip_api.get_ip4h();
- ps.sip = ip4h->get_src();
- ps.dip = ip4h->get_dst();
- ps.zero = 0;
- ps.protocol = IpProtocol::UDP;
- ps.len = udph_out->uh_len;
- udph_out->uh_chk = checksum::udp_cksum((uint16_t*)udph_out, len, &ps);
+ ps.hdr.sip = ip4h->get_src();
+ ps.hdr.dip = ip4h->get_dst();
+ ps.hdr.zero = 0;
+ ps.hdr.protocol = IpProtocol::UDP;
+ ps.hdr.len = udph_out->uh_len;
+ udph_out->uh_chk = checksum::udp_cksum((uint16_t*)udph_out, len, ps);
}
else if (ip_api.is_ip6())
{
checksum::Pseudoheader6 ps6;
const ip::IP6Hdr* const ip6h = ip_api.get_ip6h();
- memcpy(ps6.sip, ip6h->get_src()->u6_addr8, sizeof(ps6.sip));
- memcpy(ps6.dip, ip6h->get_dst()->u6_addr8, sizeof(ps6.dip));
- ps6.zero = 0;
- ps6.protocol = IpProtocol::UDP;
- ps6.len = udph_out->uh_len;
- udph_out->uh_chk = checksum::udp_cksum((uint16_t*)udph_out, len, &ps6);
+ memcpy(ps6.hdr.sip, ip6h->get_src()->u6_addr8, sizeof(ps6.hdr.sip));
+ memcpy(ps6.hdr.dip, ip6h->get_dst()->u6_addr8, sizeof(ps6.hdr.dip));
+ ps6.hdr.zero = 0;
+ ps6.hdr.protocol = IpProtocol::UDP;
+ ps6.hdr.len = udph_out->uh_len;
+ udph_out->uh_chk = checksum::udp_cksum((uint16_t*)udph_out, len, ps6);
}
enc.next_proto = IpProtocol::UDP;
{
checksum::Pseudoheader ps;
const ip::IP4Hdr* const ip4h = ip_api.get_ip4h();
- ps.sip = ip4h->get_src();
- ps.dip = ip4h->get_dst();
- ps.zero = 0;
- ps.protocol = IpProtocol::UDP;
- ps.len = htons((uint16_t)updated_len);
- h->uh_chk = checksum::udp_cksum((uint16_t*)h, updated_len, &ps);
+ ps.hdr.sip = ip4h->get_src();
+ ps.hdr.dip = ip4h->get_dst();
+ ps.hdr.zero = 0;
+ ps.hdr.protocol = IpProtocol::UDP;
+ ps.hdr.len = htons((uint16_t)updated_len);
+ h->uh_chk = checksum::udp_cksum((uint16_t*)h, updated_len, ps);
}
else if (ip_api.is_ip6())
{
checksum::Pseudoheader6 ps6;
const ip::IP6Hdr* const ip6h = ip_api.get_ip6h();
- memcpy(ps6.sip, ip6h->ip6_src.u6_addr32, sizeof(ps6.sip));
- memcpy(ps6.dip, ip6h->ip6_dst.u6_addr32, sizeof(ps6.dip));
- ps6.zero = 0;
- ps6.protocol = IpProtocol::UDP;
- ps6.len = htons((uint16_t)updated_len);
- h->uh_chk = checksum::udp_cksum((uint16_t*)h, updated_len, &ps6);
+ memcpy(ps6.hdr.sip, ip6h->get_src()->u6_addr32, sizeof(ps6.hdr.sip));
+ memcpy(ps6.hdr.dip, ip6h->get_dst()->u6_addr32, sizeof(ps6.hdr.dip));
+ ps6.hdr.zero = 0;
+ ps6.hdr.protocol = IpProtocol::UDP;
+ ps6.hdr.len = htons((uint16_t)updated_len);
+ h->uh_chk = checksum::udp_cksum((uint16_t*)h, updated_len, ps6);
}
}
}
namespace checksum
{
-struct Pseudoheader6
+union Pseudoheader
{
- uint32_t sip[4];
- uint32_t dip[4];
- uint8_t zero;
- IpProtocol protocol;
- uint16_t len;
+ struct
+ {
+ uint32_t sip;
+ uint32_t dip;
+ uint8_t zero;
+ IpProtocol protocol;
+ uint16_t len;
+ } hdr;
+ uint16_t arr[6];
+ static_assert(sizeof(hdr) == sizeof(arr), "IPv4 pseudoheader must be 12 bytes");
};
-struct Pseudoheader
+union Pseudoheader6
{
- uint32_t sip;
- uint32_t dip;
- uint8_t zero;
- IpProtocol protocol;
- uint16_t len;
+ struct
+ {
+ uint32_t sip[4];
+ uint32_t dip[4];
+ uint8_t zero;
+ IpProtocol protocol;
+ uint16_t len;
+ } hdr;
+ uint16_t arr[18];
+ static_assert(sizeof(hdr) == sizeof(arr), "IPv6 pseudoheader must be 36 bytes");
};
// calculate the checksum for this general case.
static uint16_t cksum_add(const uint16_t* buf, std::size_t buf_len);
-inline uint16_t tcp_cksum(const uint16_t* buf, std::size_t len, const Pseudoheader* const);
-inline uint16_t tcp_cksum(const uint16_t* buf, std::size_t len, const Pseudoheader6* const);
-inline uint16_t udp_cksum(const uint16_t* buf, std::size_t len, const Pseudoheader* const);
-inline uint16_t udp_cksum(const uint16_t* buf, std::size_t len, const Pseudoheader6* const);
-inline uint16_t icmp_cksum(const uint16_t* buf, std::size_t len, const Pseudoheader6* const);
+inline uint16_t tcp_cksum(const uint16_t* buf, std::size_t len, const Pseudoheader&);
+inline uint16_t tcp_cksum(const uint16_t* buf, std::size_t len, const Pseudoheader6&);
+inline uint16_t udp_cksum(const uint16_t* buf, std::size_t len, const Pseudoheader&);
+inline uint16_t udp_cksum(const uint16_t* buf, std::size_t len, const Pseudoheader6&);
+inline uint16_t icmp_cksum(const uint16_t* buf, std::size_t len, const Pseudoheader6&);
inline uint16_t icmp_cksum(const uint16_t* buf, std::size_t len);
inline uint16_t ip_cksum(const uint16_t* buf, std::size_t len);
*/
namespace detail
{
-struct PsuedoheaderUnion
-{
- union
- {
- Pseudoheader ph4;
- uint16_t ph4_arr[12];
- };
-};
-
-struct Psuedoheader6Union
-{
- union
- {
- Pseudoheader ph6;
- uint16_t ph6_arr[18];
- };
-};
-
inline uint16_t cksum_add(const uint16_t* buf, std::size_t len, uint32_t cksum)
{
const uint16_t* sp = buf;
return (uint16_t)(~cksum);
}
-inline void add_ipv4_pseudoheader(const Pseudoheader* const ph4,
- uint32_t& cksum)
+inline void add_ipv4_pseudoheader(const Pseudoheader& ph4, uint32_t& cksum)
{
- /*
- * This mess is necessary to make static analyzers happy.
- * Otherwise they assume we are reading garbage values
- */
- const PsuedoheaderUnion* const ph4_u = reinterpret_cast
- <const PsuedoheaderUnion*>(ph4);
- const uint16_t* const h = ph4_u->ph4_arr;
+ const uint16_t* h = ph4.arr;
/* ipv4 pseudo header must have 12 bytes */
cksum += h[0];
cksum += h[5];
}
-inline void add_ipv6_pseudoheader(const Pseudoheader6* const ph6,
- uint32_t& cksum)
+inline void add_ipv6_pseudoheader(const Pseudoheader6& ph6, uint32_t& cksum)
{
- /*
- * This mess is necessary to make static analyzers happy.
- * Otherwise they assume we are reading garbage values
- */
- const Psuedoheader6Union* const ph6_u = reinterpret_cast
- <const Psuedoheader6Union*>(ph6);
- const uint16_t* const h = ph6_u->ph6_arr;
+ const uint16_t* h = ph6.arr;
/* PseudoHeader must have 36 bytes */
cksum += h[0];
inline uint16_t icmp_cksum(const uint16_t* buf,
std::size_t len,
- const Pseudoheader6* const ph)
+ const Pseudoheader6& ph)
{
uint32_t cksum = 0;
inline uint16_t tcp_cksum(const uint16_t* h,
std::size_t len,
- const Pseudoheader* const ph)
+ const Pseudoheader& ph)
{
uint32_t cksum = 0;
inline uint16_t tcp_cksum(const uint16_t* buf,
std::size_t len,
- const Pseudoheader6* const ph)
+ const Pseudoheader6& ph)
{
uint32_t cksum = 0;
inline uint16_t udp_cksum(const uint16_t* buf,
std::size_t len,
- const Pseudoheader* const ph)
+ const Pseudoheader& ph)
{
uint32_t cksum = 0;
inline uint16_t udp_cksum(const uint16_t* buf,
std::size_t len,
- const Pseudoheader6* const ph)
+ const Pseudoheader6& ph)
{
uint32_t cksum = 0;
break;
}
//if bos is false we are believed to NOT be at the bottom of the stack
- //and if we arent at the bottom of the stack then we should NOT see
+ //and if we arent at the bottom of the stack then we should NOT see
//label 0 or 2 (according to RFC 3032)
- else
+ else
{
if ( label == 0 )
codec_event(codec, DECODE_BAD_MPLS_LABEL0);
- //it MUST be label 2
+ //it MUST be label 2
else
codec_event(codec, DECODE_BAD_MPLS_LABEL2);
}
const EthLlcOther* ehllcother = reinterpret_cast<const EthLlcOther*>(raw.data +
sizeof(EthLlc));
-
+
if (ehllcother->org_code[0] == 0 &&
ehllcother->org_code[1] == 0 &&
ehllcother->org_code[2] == 0)
{
if (errno != EINTR)
{
-
+
char error_msg[1024] = {0};
if (strerror_r(errno, error_msg, sizeof(error_msg)) == 0)
ErrorMessage("TcpC Input Thread: Error polling on socket %d: %s\n", pfds[0].fd, error_msg);
if (strerror_r(errno, error_msg, sizeof(error_msg)) == 0)
ErrorMessage("accept() failure: %s\n", error_msg);
else
- ErrorMessage("accept() failure: %d\n", errno);
+ ErrorMessage("accept() failure: %d\n", errno);
return nullptr;
}
void LogMessage(const char*, ...) { }
}
-int connect (int, const struct sockaddr*, socklen_t) { return s_connect_return; }
+int connect (int, const struct sockaddr*, socklen_t) { return s_connect_return; }
ssize_t send (int, const void*, size_t n, int)
{
if ( n == sizeof(TcpConnectorMsgHdr) )
} // namespace snort
//--------------------------------------------------------------------------
-// unit tests
+// unit tests
//--------------------------------------------------------------------------
#ifdef UNIT_TEST
}
//--------------------------------------------------------------------------
-// unit tests
+// unit tests
//--------------------------------------------------------------------------
#ifdef UNIT_TEST
}
//--------------------------------------------------------------------------
-// unit tests
+// unit tests
//--------------------------------------------------------------------------
#ifdef UNIT_TEST
IpsContext* c = idle.back();
assert(c->state == IpsContext::IDLE);
assert(!c->has_callbacks());
-
+
c->context_num = ++global_context_num;
trace_logf(detection, TRACE_DETECTION_ENGINE, "(wire) %" PRIu64 " cs::start %" PRIu64 " (i=%zu, b=%zu)\n",
get_packet_number(), c->context_num, idle.size(), busy.size());
c->packet->active = c->packet->active_inst;
c->packet->active->reset();
- c->packet->action = &c->packet->action_inst;
+ c->packet->action = &c->packet->action_inst;
c->state = IpsContext::BUSY;
busy.emplace_back(c);
if ( c->packet->flow )
c->packet->flow->context_chain.abort();
-
+
c->abort();
c->state = IpsContext::IDLE;
c->clear_callbacks();
c->clear_context_data();
c->state = IpsContext::IDLE;
idle.emplace_back(c);
-
+
if ( busy.empty() )
return nullptr;
IpsContext* c = busy.back();
assert(c->state == IpsContext::BUSY);
-
+
trace_logf(detection, TRACE_DETECTION_ENGINE, "%" PRIu64 " cs::suspend %" PRIu64 " (i=%zu, b=%zu, wh=%zu)\n",
c->packet_number, c->context_num, idle.size(), busy.size(), contexts.size() - idle.size() - busy.size());
_2_ _3_
/ | \ / | \
*4*5 6 7 8 9
-
+
6 2 7 8 9 3 1
*/
CHECK(c5->state == IpsContext::BUSY);
mgr.complete();
CHECK(c5->state == IpsContext::IDLE);
-
+
c6 = mgr.interrupt();
CHECK(c6->state == IpsContext::BUSY);
c6->packet->set_offloaded();
CHECK(c1->state == IpsContext::SUSPENDED);
std::vector<IpsContext*> expected = { c6, c2, c7, c8, c9, c3, c1 };
-
+
for ( auto& e : expected )
{
mgr.resume(e);
c->packet->flow = new Flow;
mgr.push(c);
}
-
+
mgr.start();
c1 = mgr.get_context();
mgr.suspend();
p->active = parent->active;
p->action = parent->action;
}
-
+
// processing but parent is already gone (flow cache flush etc..)
else if ( Analyzer::get_switcher()->get_context() )
{
p->active = get_current_packet()->active;
p->action = get_current_packet()->action;
}
-
+
// shutdown, so use a dummy so null checking is not needed everywhere
else
{
// this also handles block pending state
Stream::check_flow_closed(p);
- if ( inspected and !p->context->next() )
+ if ( inspected and !p->context->next() )
InspectorManager::clear(p);
clear_events(p);
}
void DetectionEngine::add_replacement(const std::string& s, unsigned off)
-{
+{
Replacement r;
r.data = s;
r.offset = off;
- Analyzer::get_switcher()->get_context()->rpl.emplace_back(r);
+ Analyzer::get_switcher()->get_context()->rpl.emplace_back(r);
}
bool DetectionEngine::get_replacement(std::string& s, unsigned& off)
-{
+{
if ( Analyzer::get_switcher()->get_context()->rpl.empty() )
return false;
trace_logf(detection, TRACE_DETECTION_ENGINE,
"%" PRIu64 " de::onload %" PRIu64 " (r=%d)\n",
p->context->packet_number, p->context->context_num, offloader->count());
-
+
p->clear_offloaded();
-
+
IpsContextChain& chain = p->flow ? p->flow->context_chain :
Analyzer::get_switcher()->non_flow_chain;
-
+
resume_ready_suspends(chain);
}
}
ContextSwitcher* sw = Analyzer::get_switcher();
sw->resume(p->context);
-
- if ( p->is_detection_enabled(p->packet_flags & PKT_FROM_CLIENT) )
+
+ if ( p->is_detection_enabled(p->packet_flags & PKT_FROM_CLIENT) )
fp_complete(p);
}
static int queue_event(const struct OptTreeNode*);
static int queue_event(unsigned gid, unsigned sid, Actions::Type = Actions::NONE);
-
+
static void disable_all(Packet*);
static bool all_disabled(Packet*);
otn->sigInfo.gid, otn->sigInfo.sid,
otn->sigInfo.rev, Actions::get_string((Actions::Type)action));
}
-
+
// rule option actions are queued here (eg replace)
otn_trigger_actions(otn, p);
TEST_CASE("IpsContext Link", "[IpsContext]")
{
IpsContext c0, c1, c2;
-
+
CHECK(c0.dependencies() == nullptr);
CHECK(c0.next() == nullptr);
c0.link(&c1);
c1.link(&c2);
c2.link(&c3);
-
+
// mid list
// c0 <- c1 <- c2 <- c3
// c0 <- c2 <- c3
CHECK(c2.next() == nullptr);
CHECK(c3.dependencies() == nullptr);
CHECK(c3.next() == nullptr);
-
+
// only
c2.abort();
CHECK(c2.dependencies() == nullptr);
next_to_process->depends_on = depends_on;
if ( depends_on )
- depends_on->next_to_process = next_to_process;
+ depends_on->next_to_process = next_to_process;
depends_on = next_to_process = nullptr;
}
uint64_t context_num;
uint64_t packet_number;
ActiveRules active_rules;
- State state;
+ State state;
bool check_tags;
bool clear_inspectors;
else
{
assert(!_front);
- _front = _back = new_back;
+ _front = _back = new_back;
}
}
{
IpsContextChain chain;
IpsContext a, b, c;
-
+
chain.push_back(&a);
chain.push_back(&b);
chain.push_back(&c);
{
IpsContextChain chain;
IpsContext a, b;
-
+
chain.push_back(&a);
chain.push_back(&b);
chain.abort();
unsigned IpsContextData::ips_id = 0;
unsigned IpsContextData::get_ips_id()
-{
+{
++ips_id;
assert(ips_id < IpsContext::max_ips_id);
- return ips_id;
+ return ips_id;
}
void IpsContextData::clear_ips_id()
** event (gid,sid pair). This is now required to get events
** to be logged. The decoders and preprocessors are still
** configured independently, which allows them to inspect and
-** call the alerting functions DetectionEngine::queue_event.
+** call the alerting functions DetectionEngine::queue_event.
**
** Any event that has no otn associated with it's gid,sid pair
** will/should not alert, even if the preprocessor or decoder is
node->count = 0;
last = nullptr;
/* Only add TCP and UDP expected flows for now via the DAQ module. */
- if ((ip_proto == IpProtocol::TCP || ip_proto == IpProtocol::UDP)
- && ctrlPkt->daq_instance)
+ if ((ip_proto == IpProtocol::TCP || ip_proto == IpProtocol::UDP) && ctrlPkt->daq_instance)
ctrlPkt->daq_instance->add_expected(ctrlPkt, cliIP, cliPort, srvIP, srvPort,
ip_proto, 1000, 0);
}
if (assistant_gadget)
assistant_gadget->rem_ref();
-
+
if ( ha_state )
delete ha_state;
}
void Flow::set_service(Packet* pkt, const char* new_service)
-{
+{
service = new_service;
DataBus::publish(FLOW_SERVICE_CHANGE_EVENT, pkt);
-}
+}
unsigned FlowCache::delete_active_flows(unsigned mode, unsigned num_to_delete, unsigned &deleted)
{
unsigned flows_to_check = hash_table->get_count();
- while ( num_to_delete && flows_to_check-- )
- {
- auto flow = static_cast<Flow*>(hash_table->first());
- assert(flow);
- if ( (mode == ALLOWED_FLOWS_ONLY and (flow->was_blocked() || flow->is_suspended()))
- or (mode == OFFLOADED_FLOWS_TOO and flow->was_blocked()) )
- {
- if (!hash_table->touch())
- break;
-
- continue;
- }
-
- // we have a winner...
- hash_table->remove(flow->key);
- if ( flow->next )
- unlink_uni(flow);
-
- if ( flow->was_blocked() )
- delete_stats.update(FlowDeleteState::BLOCKED);
- else if ( flow->is_suspended() )
+ while ( num_to_delete && flows_to_check-- )
+ {
+ auto flow = static_cast<Flow*>(hash_table->first());
+ assert(flow);
+ if ( (mode == ALLOWED_FLOWS_ONLY and (flow->was_blocked() || flow->is_suspended()))
+ or (mode == OFFLOADED_FLOWS_TOO and flow->was_blocked()) )
+ {
+ if (!hash_table->touch())
+ break;
+
+ continue;
+ }
+
+ // we have a winner...
+ hash_table->remove(flow->key);
+ if ( flow->next )
+ unlink_uni(flow);
+
+ if ( flow->was_blocked() )
+ delete_stats.update(FlowDeleteState::BLOCKED);
+ else if ( flow->is_suspended() )
delete_stats.update(FlowDeleteState::OFFLOADED);
- else
+ else
delete_stats.update(FlowDeleteState::ALLOWED);
- delete flow;
- --flows_allocated;
- ++deleted;
- --num_to_delete;
- }
+ delete flow;
+ --flows_allocated;
+ ++deleted;
+ --num_to_delete;
+ }
- return num_to_delete;
+ return num_to_delete;
}
unsigned FlowCache::delete_flows(unsigned num_to_delete)
const FlowCacheConfig& get_flow_cache_config() const
{ return config; }
- unsigned get_flows_allocated() const
- { return flows_allocated; }
-
+ unsigned get_flows_allocated() const
+ { return flows_allocated; }
private:
void push(snort::Flow*);
void remove(snort::Flow*);
void retire(snort::Flow*);
unsigned prune_unis(PktType);
- unsigned delete_active_flows
- (unsigned mode, unsigned num_to_delete, unsigned &deleted);
+ unsigned delete_active_flows
+ (unsigned mode, unsigned num_to_delete, unsigned &deleted);
private:
static const unsigned cleanup_flows = 1;
int add_expected(
const snort::Packet* ctrlPkt, PktType, IpProtocol,
const snort::SfIp *srcIP, uint16_t srcPort,
- const snort::SfIp *dstIP, uint16_t dstPort,
+ const snort::SfIp *dstIP, uint16_t dstPort,
char direction, snort::FlowData*);
int add_expected(
{
if (FlowKey::compare(&key, flow->key, 0) == 0)
{
- if (flow->flow_state == Flow::FlowState::BLOCK)
- {
+ if (flow->flow_state == Flow::FlowState::BLOCK)
+ {
flow->disable_inspection();
p.disable_inspect = true;
}
int ExpectCache::add_flow(const Packet*, PktType, IpProtocol, const SfIp*, uint16_t,
const SfIp*, uint16_t, char, FlowData*, SnortProtocolId)
-{
- return 1;
+{
+ return 1;
}
TEST_GROUP(flow_prune) { };
// Do not delete blocked flow
TEST(flow_prune, blocked_flow_prune_flows)
-{
+{
FlowCacheConfig fcg;
fcg.max_flows = 2;
FlowCache *cache = new FlowCache(fcg);
FlowKey flow_key;
memset(&flow_key, 0, sizeof(FlowKey));
flow_key.pkt_type = PktType::TCP;
-
+
flow_key.port_l = first_port;
cache->allocate(&flow_key);
flow_key.port_l = first_port;
CHECK(cache->find(&flow_key) != nullptr);
- // Prune one flow. This should delete the MRU flow, since
+ // Prune one flow. This should delete the MRU flow, since
// LRU flow is blocked
CHECK(cache->delete_flows(1) == 1);
int main(int argc, char** argv)
{
return CommandLineTestRunner::RunAllTests(argc, argv);
-}
+}
Flow* FlowCache::allocate(const FlowKey*) { return nullptr; }
void FlowCache::push(Flow*) { }
bool FlowCache::prune_one(PruneReason, bool) { return true; }
-unsigned FlowCache::delete_flows(unsigned) { return 0; }
+unsigned FlowCache::delete_flows(unsigned) { return 0; }
unsigned FlowCache::timeout(unsigned, time_t) { return 1; }
void Flow::init(PktType) { }
-void set_network_policy(SnortConfig*, unsigned) { }
+void set_network_policy(SnortConfig*, unsigned) { }
void DataBus::publish(const char*, const uint8_t*, unsigned, Flow*) { }
void DataBus::publish(const char*, Packet*, Flow*) { }
SnortConfig* SnortConfig::get_conf() { return nullptr; }
flow->set_default_session_timeout(validate, true);
flow->set_hard_expiration();
flow->set_expire(&pkt, validate);
-
+
CHECK( flow->is_hard_expiration() == true);
CHECK( flow->expire_time == validate );
-
+
delete flow;
}
Buffer buf(raw_buf, 1);
buf.allocate(1);
buf.clear();
-
+
CHECK( buf.data() == &raw_buf[1] ); // 1 past the "known" buffer
CHECK( buf.size() == 0 );
}
CHECK(rc.validate("2<>4", ":8"));
// in hex
CHECK(rc.validate("2<>4", "0x1:0x0A"));
-
+
// invalid low
CHECK(!rc.validate("2<>4", "3:"));
// invalid hi
void hashfcn_free(HashFnc* p)
{
if ( p )
- {
snort_free(p);
- }
}
unsigned hashfcn_hash(HashFnc* p, const unsigned char* d, int n)
}
}
-size_t str_to_hash(const uint8_t *str, int length )
+uint32_t str_to_hash(const uint8_t *str, size_t length)
{
- size_t a = 0, b = 0, c = 0;
+ uint32_t a = 0, b = 0, c = 0;
- for (int i = 0, j = 0; i < length; i += 4)
+ for (size_t i = 0, j = 0; i < length; i += 4)
{
- size_t tmp = 0;
- int k = length - i;
+ uint32_t tmp = 0;
+ size_t k = length - i;
if (k > 4)
- k=4;
+ k = 4;
- for (int m = 0; m < k; m++)
- {
- tmp |= *(str + i + m) << m*8;
- }
+ for (size_t m = 0; m < k; m++)
+ tmp |= *(str + i + m) << m * 8;
switch (j)
{
if (j == 3)
{
- mix(a,b,c);
+ mix(a, b, c);
j = 0;
}
}
- finalize(a,b,c);
+ finalize(a, b, c);
return c;
}
} //namespace snort
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-#ifndef HashFnc_H
-#define HashFnc_H
+#ifndef HASHFCN_H
+#define HASHFCN_H
#include "main/snort_types.h"
-#define rot(x,k) (((x)<<(k)) | ((x)>>(32-(k))))
-
-#define mix(a,b,c) \
-{ \
- (a) -= (c); (a) ^= rot(c, 4); (c) += (b); \
- (b) -= (a); (b) ^= rot(a, 6); (a) += (c); \
- (c) -= (b); (c) ^= rot(b, 8); (b) += (a); \
- (a) -= (c); (a) ^= rot(c,16); (c) += (b); \
- (b) -= (a); (b) ^= rot(a,19); (a) += (c); \
- (c) -= (b); (c) ^= rot(b, 4); (b) += (a); \
-}
-
-#define finalize(a,b,c) \
-{ \
- (c) ^= (b); (c) -= rot(b,14); \
- (a) ^= (c); (a) -= rot(c,11); \
- (b) ^= (a); (b) -= rot(a,25); \
- (c) ^= (b); (c) -= rot(b,16); \
- (a) ^= (c); (a) -= rot(c,4); \
- (b) ^= (a); (b) -= rot(a,14); \
- (c) ^= (b); (c) -= rot(b,24); \
+namespace
+{
+ inline uint32_t rot(uint32_t x, unsigned k) { return (x << k) | (x >> (32 - k)); }
+ inline void mix(uint32_t& a, uint32_t& b, uint32_t& c)
+ {
+ a -= c; a ^= rot(c, 4); c += b;
+ b -= a; b ^= rot(a, 6); a += c;
+ c -= b; c ^= rot(b, 8); b += a;
+ a -= c; a ^= rot(c,16); c += b;
+ b -= a; b ^= rot(a,19); a += c;
+ c -= b; c ^= rot(b, 4); b += a;
+ }
+ inline void finalize(uint32_t& a, uint32_t& b, uint32_t& c)
+ {
+ c ^= b; c -= rot(b,14);
+ a ^= c; a -= rot(c,11);
+ b ^= a; b -= rot(a,25);
+ c ^= b; c -= rot(b,16);
+ a ^= c; a -= rot(c,4);
+ b ^= a; b -= rot(a,14);
+ c ^= b; c -= rot(b,24);
+ }
}
namespace snort
// n == 0 => strlen(s)
const char* s, unsigned n = 0);
-SO_PUBLIC size_t str_to_hash(const uint8_t *str, int length);
+SO_PUBLIC uint32_t str_to_hash(const uint8_t *str, size_t length);
}
struct HashFnc
HashFnc*,
// FIXIT-H use types for these callbacks
unsigned (* hash_fcn)(HashFnc* p, const unsigned char* d, int n),
- int (* keycmp_fcn)(const void* s1, const void* s2, size_t n) );
+ int (* keycmp_fcn)(const void* s1, const void* s2, size_t n));
#endif
// it should not be found
CHECK(ghash_find(t, str) == nullptr);
-
+
// try to remove a node that is not in the table
CHECK(ghash_remove(t, str) == GHASH_ERR);
std::shared_ptr<std::string> data(new std::string("12345"));
LruCacheShared<int, std::string, std::hash<int> > lru_cache(1);
- CHECK(false == lru_cache.find_else_insert(1,data));
+ CHECK(false == lru_cache.find_else_insert(1,data));
CHECK(1 == lru_cache.size());
- CHECK(true == lru_cache.find_else_insert(1,data));
+ CHECK(true == lru_cache.find_else_insert(1,data));
CHECK(1 == lru_cache.size());
}
TEST(xhash, free_anr_lru_invalid_test)
{
int ret = xhash_free_anr_lru(nullptr);
- CHECK(ret == XHASH_ERR);
+ CHECK(ret == XHASH_ERR);
}
-// Create a free node in xhash and verifies if xhash_free_anr_lru() deletes it
+// Create a free node in xhash and verifies if xhash_free_anr_lru() deletes it
TEST(xhash, free_anr_lru_delete_free_node_test)
{
XHash* test_table = xhash_new(3, sizeof(struct xhash_test_key),
CHECK(ret == XHASH_OK);
ret = xhash_free_anr_lru(test_table);
- CHECK(ret == XHASH_OK);
+ CHECK(ret == XHASH_OK);
XHashNode* xhnode = xhash_find_node(test_table, &xtk);
CHECK(xhnode == nullptr);
unsigned max_work = 0;
unsigned new_memcap = test_table->mc.memused-1;
- ret = xhash_change_memcap(test_table, new_memcap, &max_work);
+ ret = xhash_change_memcap(test_table, new_memcap, &max_work);
CHECK(ret == XHASH_OK);
CHECK(test_table->mc.memcap == new_memcap);
xhash_delete(test_table);
else if ( v.is("bitmask") )
data.bitmask_val = v.get_uint32();
-
+
else
return false;
* msg: "got DEADBEEF!";)
*
* alert tcp any any -> any any \
- * (byte_test:2, =, 568, 0, bitmask 0x3FF0; \
+ * (byte_test:2, =, 568, 0, bitmask 0x3FF0; \
* msg:"got 568 after applying bitmask 0x3FF0 on 2 bytes extracted";)
*
* Effect:
// could be configurable; and should be should be shared with u2
Inspector* ins = InspectorManager::get_inspector("http_inspect");
-
+
if ( !ins )
return;
if ( !sc )
{
if (get_reload_errors())
- current_request->respond("== reload failed - restart required\n");
+ current_request->respond("== reload failed - restart required\n");
else
- current_request->respond("== reload failed - bad config\n");
+ current_request->respond("== reload failed - bad config\n");
SnortConfig::set_parser_conf(nullptr);
return 0;
LogMessage("== daq module reload complete\n");
}
-SFDAQInstance* AnalyzerCommand::get_daq_instance(Analyzer& analyzer)
+SFDAQInstance* AnalyzerCommand::get_daq_instance(Analyzer& analyzer)
{
return analyzer.get_daq_instance();
}
fd = f;
while ( (bytes_read < sizeof(read_buf)) and ((n = ::read(fd, &buf, 1)) > 0) )
{
- read_buf[bytes_read++] = buf;
+ read_buf[bytes_read++] = buf;
- if (buf == '\n')
+ if (buf == '\n')
{
newline_found = true;
break;
{
if (remote_only && (fd == STDOUT_FILENO))
return;
-
+
if ( fd < 1 )
{
if (!remote_only)
int size;
if (name)
- {
+ {
size = snprintf(buf, buf_len, "%s: ", name);
if ( size >= buf_len )
size = buf_len - 1;
const InspectionPolicy* const pi = pm->get_inspection_policy(i);
if ( !pi || !pi->framework_policy )
- continue;
+ continue;
const PHInstance* const p = get_instance(pi->framework_policy, key);
static unsigned get_errors();
static void dump_stats(SnortConfig*, const char* skip = nullptr, bool dynamic = false);
-
+
static void accumulate(SnortConfig*);
static void accumulate_offload(const char* name);
static void reset_stats(SnortConfig*);
case PT_INSPECTOR:
// probes must always be global. they run regardless of selected policy.
- assert( (m && ((const InspectApi*)p.api)->type == IT_PROBE) ?
+ assert( (m && ((const InspectApi*)p.api)->type == IT_PROBE) ?
m->get_usage() == Module::GLOBAL :
true );
// Handle the if condition in AppIdConfig::init_appid
static bool once = false;
if (!once)
- {
+ {
AppIdConfig::app_info_mgr.init_appid_info_table(mod_config, sc);
HostPortCache::initialize();
HttpPatternMatchers* http_matchers = HttpPatternMatchers::get_instance();
uint16_t port;
const SfIp* ip;
AppIdHttpSession* hsession = asd.get_http_session();
-
+
const TunnelDest* tun_dest = hsession->get_tun_dest();
if(tun_dest)
{
payload_id = asd.pick_payload_app_id();
client_id = asd.pick_client_app_id();
- misc_id = asd.pick_misc_app_id();;
+ misc_id = asd.pick_misc_app_id();
bool is_http_tunnel = ((asd.payload.get_id() == APP_ID_HTTP_TUNNEL) || (asd.payload.get_id() == APP_ID_HTTP_SSL_TUNNEL)) ? true:false;
if (is_check_host_cache_valid(asd, service_id, client_id, payload_id, misc_id) or (is_http_tunnel))
#define SCAN_HTTP_VENDOR_FLAG (1<<6)
#define SCAN_HTTP_XWORKINGWITH_FLAG (1<<7)
#define SCAN_HTTP_CONTENT_TYPE_FLAG (1<<8)
-#define SCAN_HTTP_URI_FLAG (1<<9)
+#define SCAN_HTTP_URI_FLAG (1<<9)
class AppIdPatternMatchNode
{
void reset()
{
- host.clear();;
+ host.clear();
state = 0;
response_type = 0;
id = 0;
{
Profile profile(appid_perf_stats);
appid_stats.packets++;
-
+
if (p->flow)
{
AppIdDiscovery::do_application_discovery(p, *this);
if (tp_payload_app_id_deferred)
return tp_payload_app_id;
-
+
if (payload.get_id() > APP_ID_NONE)
return payload.get_id();
{
APP_ID_FROM_INITIATOR,
APP_ID_FROM_RESPONDER,
- APP_ID_APPID_SESSION_DIRECTION_MAX
+ APP_ID_APPID_SESSION_DIRECTION_MAX
};
#endif
}
void SipServiceDetector::createRtpFlow(AppIdSession& asd, const Packet* pkt, const SfIp* cliIp,
- uint16_t cliPort, const SfIp* srvIp, uint16_t srvPort, IpProtocol proto, int16_t app_id)
+ uint16_t cliPort, const SfIp* srvIp, uint16_t srvPort, IpProtocol protocol, int16_t app_id)
{
// FIXIT-RC: Passing app_id instead of SnortProtocolId to
// create_future_session is incorrect. We need to look up
// snort_protocol_id.
AppIdSession* fp = AppIdSession::create_future_session(
- pkt, cliIp, cliPort, srvIp, srvPort, proto, app_id,
+ pkt, cliIp, cliPort, srvIp, srvPort, protocol, app_id,
APPID_EARLY_SESSION_FLAG_FW_RULE);
if ( fp )
// create an RTCP flow as well
AppIdSession* fp2 = AppIdSession::create_future_session(
- pkt, cliIp, cliPort + 1, srvIp, srvPort + 1, proto, app_id,
+ pkt, cliIp, cliPort + 1, srvIp, srvPort + 1, protocol, app_id,
APPID_EARLY_SESSION_FLAG_FW_RULE);
if ( fp2 )
static void set_client(SipUdpClientDetector* cd) { SipEventHandler::client = cd; }
static void set_service(SipServiceDetector* sd) { SipEventHandler::service = sd; }
-
+
void subscribe(snort::SnortConfig* sc)
{ snort::DataBus::subscribe_global(SIP_EVENT_TYPE_SIP_DIALOG_KEY, this, sc); }
if(args.asd.get_session_flags(APPID_SESSION_SERVICE_DETECTED))
args.asd.clear_session_flags(APPID_SESSION_CONTINUE | APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
else
- args.asd.clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+ args.asd.clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
args.asd.set_client_detected();
return APPID_SUCCESS;
}
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-
-// http_xff_fields.h author Sourcefire Inc.
-
+
+// http_xff_fields.h author Sourcefire Inc.
+
#ifndef HTTP_XFF_FIELDS_H
#define HTTP_XFF_FIELDS_H
// FIXIT-M: RELOAD - Don't use this class, required now to store LSD objects
class LuaObject {
-
+
public:
LuaObject() = default;
virtual ~LuaObject() = default;
};
class LuaServiceObject: public LuaObject
-{
+{
public:
ServiceDetector* sd;
LuaServiceObject(AppIdDiscovery* sdm, const std::string& detector_name,
};
class LuaClientObject : public LuaObject
-{
+{
public:
ClientDetector* cd;
LuaClientObject(AppIdDiscovery* cdm, const std::string& detector_name,
inline void set_control(lua_State* L, int is_control)
{
- lua_pushboolean (L, is_control); // push flag to stack
+ lua_pushboolean (L, is_control); // push flag to stack
lua_setglobal(L, "is_control"); // create global key to store value
lua_pop(L, 1);
}
uint16_t port;
int part_code_resp = 0;
int part_code_len;
-
+
};
#pragma pack(1)
return 0;
}
-static FtpEolReturn ftp_parse_response(const uint8_t* data, uint16_t& offset,
+static FtpEolReturn ftp_parse_response(const uint8_t* data, uint16_t& offset,
uint16_t size, ServiceFTPData& fd, FTPReplyState rstate)
{
for (; offset < size; ++offset)
code += (code_raw[index] - '0') * 100;
else
ret = false;
- break;
+ break;
case 2:
if (ret and fd.rstate == FTP_REPLY_BEGIN and code_raw[index ] >='0' and code_raw[index] <= '5')
code += (code_raw[index] - '0') * 10;
else if (ret and fd.rstate != FTP_REPLY_BEGIN and code_raw[index ] >='1' and code_raw[index] <= '5')
code += (code_raw[index] - '0') * 10;
- else
+ else
ret = false;
- break;
- case 1:
+ break;
+ case 1:
if (ret and isdigit(code_raw[index ]))
code += (code_raw[index] - '0') ;
- else
+ else
ret = false;
break;
default:
break;
}
}
-
+
return ret;
}
fd.code = 0;
ret_code = check_ret_digit_code(code_hdr->code, 3,1, fd.code, fd );
-
+
if(!ret_code)
- return -1;
+ return -1;
if (code_hdr->sp == '-')
fd.rstate = FTP_REPLY_MULTI;
}
fd.rstate = FTP_REPLY_MID;
-
+
if ( ftp_parse_response(data, offset, size, fd, tmp_state ) == FTP_INCORRECT_EOL)
return -1;
if (fd.rstate == FTP_REPLY_MID)
fd.rstate = FTP_REPLY_LONG;
-
+
break;
case FTP_REPLY_MULTI:
if (size - offset < (int)sizeof(ServiceFTPCode))
if (fd.rstate == FTP_REPLY_MID)
fd.rstate = FTP_REPLY_LONG;
-
+
}
else
{
if(!ret_code)
return -1;
fd.code = tmp + fd.part_code_resp;
- fd.part_code_resp = 0;
+ fd.part_code_resp = 0;
if (ftp_parse_response(data, offset, size, fd, FTP_REPLY_LONG) == FTP_INCORRECT_EOL)
return -1;
}
void FtpServiceDetector::create_expected_session(AppIdSession& asd, const Packet* pkt, const SfIp* cliIp,
- uint16_t cliPort, const SfIp* srvIp, uint16_t srvPort, IpProtocol proto,
+ uint16_t cliPort, const SfIp* srvIp, uint16_t srvPort, IpProtocol protocol,
int flags, AppidSessionDirection dir)
{
// FIXIT-M - Avoid thread locals
ftp_data_snort_protocol_id = SnortConfig::get_conf()->proto_ref->find("ftp-data");
AppIdSession* fp = AppIdSession::create_future_session(pkt, cliIp, cliPort, srvIp, srvPort,
- proto, ftp_data_snort_protocol_id, flags);
+ protocol, ftp_data_snort_protocol_id, flags);
if (fp) // initialize data session
{
int validate(AppIdDiscoveryArgs&) override;
private:
- void create_expected_session(AppIdSession& asd,const snort::Packet* pkt,
+ void create_expected_session(AppIdSession&, const snort::Packet*,
const snort::SfIp* cliIp, uint16_t cliPort, const snort::SfIp* srvIp,
- uint16_t srvPort, IpProtocol proto, int flags, AppidSessionDirection dir);
+ uint16_t srvPort, IpProtocol, int flags, AppidSessionDirection);
};
#endif
}
void MdnsServiceDetector::release_thread_resources()
-{
+{
MatchedPatterns* node;
destroy_match_list();
void RexecServiceDetector::rexec_bail(ServiceREXECData* rd)
{
- if (!rd)
+ if (!rd)
return;
rd->state = REXEC_STATE_BAIL;
if(rd->child)
}
goto bail;
case REXEC_STATE_STDERR_WAIT:
- if(!size)
+ if(!size)
break;
goto bail;
case REXEC_STATE_STDERR_DONE:
goto fail;
if (size == 1 || *data == 0x01)
{
- if(size !=1)
+ if(size !=1)
{
data++;
size--;
}
}
if(rd->child)
- {
+ {
if(rd->child->state == RSHELL_STATE_STDERR_WAIT)
rd->child->state = RSHELL_STATE_STDERR_DONE;
else
goto fail;
- }
+ }
args.asd.clear_session_flags(APPID_SESSION_CONTINUE);
goto success;
}
{
if ((start = strstr(cert_name, COMMON_NAME_STR)))
{
- int length;
+ int length;
start += strlen(COMMON_NAME_STR);
length = strlen(start);
if (length > 2 and *start == '*' and *(start+1) == '.')
AppidChangeBits change_bits;
hsession.set_field(REQ_URI_FID, new std::string("[2001:db8:85a3::8a2e:370:7334]:51413"), change_bits);
hsession.set_tun_dest();
- tun_dest = hsession.get_tun_dest();
+ tun_dest = hsession.get_tun_dest();
CHECK(tun_dest != nullptr);
CHECK_EQUAL(tun_dest->port, 51413);
CHECK_EQUAL((ipv6 == tun_dest->ip), true);
namespace snort
{
// Note: without SO_PUBLIC this is not being exported so tp_mock.so won't
-// load because of undefined symbol error.
+// load because of undefined symbol error.
SO_PUBLIC void ErrorMessage(const char* format,...)
{
va_list ap;
hsession->set_offset(REQ_URI_FID,
attribute_data.http_request_uri_begin(),
attribute_data.http_request_uri_end());
- asd.scan_flags |= SCAN_HTTP_URI_FLAG;
+ asd.scan_flags |= SCAN_HTTP_URI_FLAG;
if (appidDebug->is_active())
LogMessage("AppIdDbg %s URI (%u-%u) is %s\n", appidDebug->get_debug_session(),
attribute_data.http_request_uri_begin(),
asd.scan_flags |= SCAN_HTTP_USER_AGENT_FLAG;
}
}
-
- if ( ( asd.scan_flags & SCAN_HTTP_USER_AGENT_FLAG ) and
+
+ if ( ( asd.scan_flags & SCAN_HTTP_USER_AGENT_FLAG ) and
asd.client.get_id() <= APP_ID_NONE and
- ( field = hsession->get_field(REQ_AGENT_FID) ) and
+ ( field = hsession->get_field(REQ_AGENT_FID) ) and
( size = attribute_data.http_request_user_agent_end() -
attribute_data.http_request_user_agent_begin() ) > 0 )
{
char *version = nullptr;
HttpPatternMatchers* http_matchers = HttpPatternMatchers::get_instance();
-
- http_matchers->identify_user_agent(field->c_str(), size, service_id,
+
+ http_matchers->identify_user_agent(field->c_str(), size, service_id,
client_id, &version);
-
+
asd.set_client_appid_data(client_id, change_bits, version);
-
+
// do not overwrite a previously-set service
if ( service_id <= APP_ID_NONE )
asd.set_service_appid_data(service_id, change_bits);
-
+
asd.scan_flags |= ~SCAN_HTTP_USER_AGENT_FLAG;
snort_free(version);
- }
+ }
if ( hsession->get_field(MISC_URL_FID) || (confidence == 100 &&
asd.session_packet_count > asd.config->mod_config->rtmp_max_packets) )
if ( !when.src_nets && !when.dst_nets )
return dr;
-
+
const SfIp* src_ip;
const SfIp* dst_ip;
{
if ( !when.split_ports )
return dr;
-
+
uint16_t src_port;
uint16_t dst_port;
if ( !p )
{
- src_port = flow->client_port;
- dst_port = flow->server_port;
+ src_port = flow->client_port;
+ dst_port = flow->server_port;
}
else if ( p->is_tcp() or p->is_udp() )
{
{
if (!check_service(service))
return false;
- }
+ }
else if ( !check_service(flow) )
return false;
{
Binder* binder = InspectorManager::get_binder();
AssistantGadgetEvent* assistant_event = (AssistantGadgetEvent*)&event;
-
+
if (binder)
binder->handle_assistant_gadget(assistant_event->get_service(),
assistant_event->get_packet());
Profile profile(bindPerfStats);
Stuff stuff;
Flow* flow = p->flow;
-
+
get_bindings(flow, stuff, p, service);
apply_assistant(flow, stuff, service);
}
//-------------------------------------------------------------------------
// using string* instead of string because clang++ 5.1
-// vector::back() does not seem to return a reference
+// vector::back() does not seem to return a reference
//
// FIXIT-L these are static since get_pegs() is const
// consider making that non-const
{
filter = f;
enable = true;
- }
+ }
}
bool PacketCaptureDebug::execute(Analyzer&, void**)
if ( !capture_initialized() )
if ( !capture_init() )
return;
-
+
if ( p->is_cooked() )
return;
LogMessage("Debugging packet tracer disabled\n");
s_pkt_trace->shell_enabled = false;
}
- else
+ else
s_pkt_trace->update_constraints(constraints);
}
if ( p.pkth->flags & DAQ_PKT_FLAG_TRACE_ENABLED )
s_pkt_trace->daq_activated = true;
- else
+ else
s_pkt_trace->daq_activated = false;
if (s_pkt_trace->daq_activated or s_pkt_trace->user_enabled or s_pkt_trace->shell_enabled)
}
void PacketTracer::log(const char* format, va_list ap)
-{
+{
// FIXIT-L Need to find way to add 'PktTracerDbg' string as part of format string.
std::string dbg_str;
if (shell_enabled) // only add debug string during shell execution
{
- dbg_str = "PktTracerDbg ";
+ dbg_str = "PktTracerDbg ";
if (strcmp(format, "\n") != 0)
dbg_str += get_debug_session();
dbg_str += format;
const SfIp* actual_sip = p.ptrs.ip_api.get_src();
const SfIp* actual_dip = p.ptrs.ip_api.get_dst();
-
+
IpProtocol proto = p.get_ip_proto_next();
actual_sip->ntop(sipstr, sizeof(sipstr));
CHECK(!TestPacketTracer::is_daq_enabled());
// user configuration remain enabled
CHECK(TestPacketTracer::is_user_enabled());
-
+
TestPacketTracer::thread_term();
}
TestPacketTracer::register_verdict_reason(low1, PacketTracer::PRIORITY_LOW);
TestPacketTracer::register_verdict_reason(low2, PacketTracer::PRIORITY_LOW);
TestPacketTracer::register_verdict_reason(high, PacketTracer::PRIORITY_HIGH);
-
+
// Init
CHECK((TestPacketTracer::get_reason() == VERDICT_REASON_NO_BLOCK));
-
+
// Update
TestPacketTracer::set_reason(low1);
CHECK((TestPacketTracer::get_reason() == low1));
-
+
// Don't update if already set
TestPacketTracer::set_reason(VERDICT_REASON_NO_BLOCK);
CHECK((TestPacketTracer::get_reason() == low1));
TestPacketTracer::log(mute_2, "this should also log\n");
val = TestPacketTracer::get_buff();
CHECK((val == expected));
-
+
TestPacketTracer::thread_term();
}
typedef uint8_t TracerMute;
static const int max_buff_size = 2048;
- // static functions
+ // static functions
static void set_log_file(const std::string&);
static void thread_init();
static void thread_term();
static void configure(bool status, const std::string& file_name);
static void set_constraints(const PTSessionConstraints* constraints);
static void activate(const snort::Packet&);
-
+
static SO_PUBLIC void pause();
static SO_PUBLIC void unpause();
static SO_PUBLIC bool is_paused();
static SO_PUBLIC bool is_active();
-
+
static SO_PUBLIC TracerMute get_mute();
static SO_PUBLIC void register_verdict_reason(uint8_t reason_code, uint8_t priority);
char debug_session[PT_DEBUG_SESSION_ID_SIZE];
PTSessionConstraints info;
-
+
// static functions
template<typename T = PacketTracer> static void _thread_init();
SO_PUBLIC extern THREAD_LOCAL PacketTracer* s_pkt_trace;
-inline bool PacketTracer::is_active()
+inline bool PacketTracer::is_active()
{ return s_pkt_trace ? s_pkt_trace->active : false; }
}
-
+
#endif
{
if (enable)
PacketTracer::set_constraints(&constraints);
- else
+ else
PacketTracer::set_constraints(nullptr);
return true;
}
bool PacketTracerModule::end(const char*, int, SnortConfig*)
{
- if (config != nullptr)
+ if (config != nullptr)
{
PacketTracer::configure(config->enabled, config->file);
delete config;
for( unsigned i = 0; i < values.size(); i++ )
{
bool head = false;
-
+
for( unsigned j = 0; j < values[i].size(); j++ )
{
switch( types[i][j] )
case FT_PEG_COUNT:
if( *values[i][j].pc != 0 )
{
- if( !head )
+ if( !head )
{
ss << ",\"" << section_names[i] << "\":{";
head = true;
kvp.emplace_back(50);
kvp.emplace_back(0);
kvp.emplace_back(70);
-
+
f.write(fh, (time_t)1234567890);
one = 0;
Snort Accepts:
- IP-Address 192.168.1.1
- IP-Address/MaskBits 192.168.1.0/24
- IP-Address/Mask 192.168.1.0/255.255.255.0
+ IP-Address 192.168.1.1
+ IP-Address/MaskBits 192.168.1.0/24
+ IP-Address/Mask 192.168.1.0/255.255.255.0
These can all be handled via the CIDR block notation : IP/MaskBits
Snort Accepts:
- IP-Address 192.168.1.1
- IP-Address/MaskBits 192.168.1.0/24
- IP-Address/Mask 192.168.1.0/255.255.255.0
+ IP-Address 192.168.1.1
+ IP-Address/MaskBits 192.168.1.0/24
+ IP-Address/Mask 192.168.1.0/255.255.255.0
These can all be handled via the CIDR block notation : IP/MaskBits
static void make_open_port_info(Packet* p, uint16_t port)
{
DataBuffer& buf = DetectionEngine::get_alt_buffer(p);
-
+
SfIpString ip_str;
buf.len = safe_snprintf((char*)buf.data, sizeof(buf.data),
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
-static const Parameter daq_module_param[] =
+static const Parameter daq_module_param[] =
{
{ "name", Parameter::PT_STRING, nullptr, nullptr, "DAQ module name (required)" },
{ "mode", Parameter::PT_ENUM, "passive | inline | read-file", "passive", "DAQ module mode" },
}
//--------------------------------------------------------------------------
-// unit tests
+// unit tests
//--------------------------------------------------------------------------
#ifdef UNIT_TEST
struct GetProfileFromModule : public GetProfileFunctor
{
- GetProfileFromModule(const std::string& name, Module* m) :
- GetProfileFunctor(name), m(m) { }
+ GetProfileFromModule(const std::string& pn, Module* m) :
+ GetProfileFunctor(pn), m(m) { }
const ProfileStats* operator()() override
{
struct GetProfileFromFunction : public GetProfileFunctor
{
- GetProfileFromFunction(const std::string& name, get_profile_stats_fn fn) :
- GetProfileFunctor(name), fn(fn) { }
+ GetProfileFromFunction(const std::string& pn, get_profile_stats_fn fn) :
+ GetProfileFunctor(pn), fn(fn) { }
const ProfileStats* operator()() override
{ return fn(name.c_str()); }
checksum::Pseudoheader6 ps6;
const int ip_len = buf.size();
- memcpy(ps6.sip, ip6h->get_src()->u6_addr8, sizeof(ps6.sip));
- memcpy(ps6.dip, ip6h->get_dst()->u6_addr8, sizeof(ps6.dip));
- ps6.zero = 0;
- ps6.protocol = IpProtocol::ICMPV6;
- ps6.len = htons((uint16_t)(ip_len));
+ memcpy(ps6.hdr.sip, ip6h->get_src()->u6_addr8, sizeof(ps6.hdr.sip));
+ memcpy(ps6.hdr.dip, ip6h->get_dst()->u6_addr8, sizeof(ps6.hdr.dip));
+ ps6.hdr.zero = 0;
+ ps6.hdr.protocol = IpProtocol::ICMPV6;
+ ps6.hdr.len = htons((uint16_t)(ip_len));
- icmph->csum = checksum::icmp_cksum((uint16_t*)buf.data(), ip_len, &ps6);
+ icmph->csum = checksum::icmp_cksum((uint16_t*)buf.data(), ip_len, ps6);
if (encode(p, flags, inner_ip_index, IpProtocol::ICMPV6, buf))
{
#define SSL_IS_CKEYX(x) ((x) & SSL_CLIENT_KEYX_FLAG)
#define SSL_IS_APP(x) (((x) & SSL_SAPP_FLAG) || ((x) & SSL_CAPP_FLAG))
#define SSL_IS_ALERT(x) ((x) & SSL_ALERT_FLAG)
-#define SSL_CLEAR_TEMPORARY_FLAGS(x) x &= ~SSL_STATEFLAGS;
+#define SSL_CLEAR_TEMPORARY_FLAGS(x) (x) &= ~SSL_STATEFLAGS
/* Verifies that the error flags haven't been triggered */
#define SSL_IS_CLEAN(x) \
using namespace snort;
-#define MEMASSERT(p,s) if (!(p)) { fprintf(stderr,"ACSM-No Memory: %s\n",s); exit(0); }
-
static int max_memory = 0;
static void* AC_MALLOC(int n)
{
ACSM_PATTERN* p;
p = (ACSM_PATTERN*)AC_MALLOC(sizeof(ACSM_PATTERN));
- MEMASSERT(p, "CopyMatchListEntry");
memcpy(p, px, sizeof (ACSM_PATTERN));
px->udata->ref_count++;
p->next = nullptr;
{
ACSM_PATTERN* p;
p = (ACSM_PATTERN*)AC_MALLOC(sizeof(ACSM_PATTERN));
- MEMASSERT(p, "AddMatchListEntry");
memcpy(p, px, sizeof (ACSM_PATTERN));
p->next = acsm->acsmStateTable[state].MatchList;
acsm->acsmStateTable[state].MatchList = p;
ACSM_STRUCT* acsmNew(const MpseAgent* agent)
{
ACSM_STRUCT* p = (ACSM_STRUCT*)AC_MALLOC (sizeof (ACSM_STRUCT));
- MEMASSERT(p, "acsmNew");
if (p)
{
{
ACSM_PATTERN* plist;
plist = (ACSM_PATTERN*)AC_MALLOC (sizeof (ACSM_PATTERN));
- MEMASSERT(plist, "acsmAddPattern");
plist->patrn = (uint8_t*)AC_MALLOC (n);
ConvertCaseEx (plist->patrn, pat, n);
plist->casepatrn = (uint8_t*)AC_MALLOC (n);
memcpy(plist->casepatrn, pat, n);
plist->udata = (ACSM_USERDATA*)AC_MALLOC(sizeof(ACSM_USERDATA));
- MEMASSERT(plist->udata, "acsmAddPattern");
plist->udata->ref_count = 1;
plist->udata->id = user;
}
acsm->acsmStateTable =
(ACSM_STATETABLE*)AC_MALLOC (sizeof (ACSM_STATETABLE) * acsm->acsmMaxStates);
- MEMASSERT(acsm->acsmStateTable, "_acsmCompile");
/* Initialize state zero as a branch */
acsm->acsmNumStates = 0;
#define printf LogMessage
-#define MEMASSERT(p,s) if (!(p)) { FatalError("ACSM-No Memory: %s\n",s); }
-
static int acsm2_total_memory = 0;
static int acsm2_pattern_memory = 0;
static int acsm2_matchlist_memory = 0;
ACSM_PATTERN2* p;
p = (ACSM_PATTERN2*)AC_MALLOC(sizeof (ACSM_PATTERN2), ACSM2_MEMORY_TYPE__MATCHLIST);
- MEMASSERT(p, "CopyMatchListEntry");
memcpy(p, px, sizeof (ACSM_PATTERN2));
ACSM_PATTERN2* p;
p = (ACSM_PATTERN2*)AC_MALLOC(sizeof (ACSM_PATTERN2), ACSM2_MEMORY_TYPE__MATCHLIST);
- MEMASSERT(p, "AddMatchListEntry");
memcpy(p, px, sizeof (ACSM_PATTERN2));
p->next = acsm->acsmMatchList[state];
ACSM_STRUCT2* acsmNew2(const MpseAgent* agent, int format)
{
ACSM_STRUCT2* p = (ACSM_STRUCT2*)AC_MALLOC(sizeof (ACSM_STRUCT2), ACSM2_MEMORY_TYPE__NONE);
- MEMASSERT(p, "acsmNew");
if (p)
{
plist = (ACSM_PATTERN2*)
AC_MALLOC(sizeof (ACSM_PATTERN2), ACSM2_MEMORY_TYPE__PATTERN);
- MEMASSERT(plist, "acsmAddPattern");
plist->patrn =
(uint8_t*)AC_MALLOC(n, ACSM2_MEMORY_TYPE__PATTERN);
- MEMASSERT(plist->patrn, "acsmAddPattern");
ConvertCaseEx(plist->patrn, pat, n);
plist->casepatrn =
(uint8_t*)AC_MALLOC(n, ACSM2_MEMORY_TYPE__PATTERN);
- MEMASSERT(plist->casepatrn, "acsmAddPattern");
memcpy(plist->casepatrn, pat, n);
acsm->acsmTransTable =
(trans_node_t**)AC_MALLOC(sizeof(trans_node_t*) * acsm->acsmMaxStates,
ACSM2_MEMORY_TYPE__TRANSTABLE);
- MEMASSERT(acsm->acsmTransTable, "_acsmCompile2");
/* Alloc a MatchList table - this has a list of pattern matches for each state, if any */
acsm->acsmMatchList =
(ACSM_PATTERN2**)AC_MALLOC(sizeof(ACSM_PATTERN2*) * acsm->acsmMaxStates,
ACSM2_MEMORY_TYPE__MATCHLIST);
- MEMASSERT(acsm->acsmMatchList, "_acsmCompile2");
/* Initialize state zero as a branch */
acsm->acsmNumStates = 0;
(acstate_t*)AC_MALLOC(sizeof(acstate_t) * acsm->acsmNumStates,
ACSM2_MEMORY_TYPE__FAILSTATE);
- MEMASSERT(acsm->acsmFailState, "_acsmCompile2");
-
/* Alloc a separate state transition table == in state 's' due to event 'k', transition to
'next' state */
acsm->acsmNextState =
(acstate_t**)AC_MALLOC_DFA(acsm->acsmNumStates * sizeof(acstate_t*), acsm->sizeofstate);
- MEMASSERT(acsm->acsmNextState, "_acsmCompile2-NextState");
-
/* Build the NFA */
Build_NFA(acsm);
{
uint8_t* ps;
uint8_t** NextState = (uint8_t**)acsm->acsmNextState;
- AC_SEARCH;
+ AC_SEARCH
}
break;
case 2:
{
uint16_t* ps;
uint16_t** NextState = (uint16_t**)acsm->acsmNextState;
- AC_SEARCH;
+ AC_SEARCH
}
break;
default:
{
acstate_t* ps;
acstate_t** NextState = acsm->acsmNextState;
- AC_SEARCH;
+ AC_SEARCH
}
break;
}
{
uint8_t* ps;
uint8_t** NextState = (uint8_t**)acsm->acsmNextState;
- AC_SEARCH_ALL;
+ AC_SEARCH_ALL
}
break;
case 2:
{
uint16_t* ps;
uint16_t** NextState = (uint16_t**)acsm->acsmNextState;
- AC_SEARCH_ALL;
+ AC_SEARCH_ALL
}
break;
default:
{
acstate_t* ps;
acstate_t** NextState = acsm->acsmNextState;
- AC_SEARCH_ALL;
+ AC_SEARCH_ALL
}
break;
}
uint16_t frag_len = 0;
dce2CommonStats* dce_common_stats = dce_get_proto_stats_ptr(sd);
int smb_hdr_len;
-
+
if ( DetectionEngine::get_current_packet()->is_from_client() )
{
smb_hdr_len = DCE2_MOCK_HDR_LEN__SMB_CLI;
}
endian = (byte_order == DCERPC_BO_FLAG__BIG_ENDIAN) ? ENDIAN_BIG : ENDIAN_LITTLE;
-
+
return true;
}
{
switch(trans)
{
- case DCE2_TRANS_TYPE__SMB:
+ case DCE2_TRANS_TYPE__SMB:
return DceContextData::smb_ips_id;
case DCE2_TRANS_TYPE__TCP:
return DceContextData::tcp_ips_id;
{
switch(trans)
{
- case DCE2_TRANS_TYPE__SMB:
+ case DCE2_TRANS_TYPE__SMB:
DceContextData::smb_ips_id = id;
break;
case DCE2_TRANS_TYPE__TCP:
static void DCE2_ListInsertHead(DCE2_List* list, DCE2_ListNode* n)
{
if ((list == nullptr) || (n == nullptr))
- return;
+ return;
if (list->head == nullptr)
{
uint32_t next_command_offset;
/* SMB protocol allows multiple smb commands to be grouped in a single packet.
So loop through to parse all the smb commands.
- Reference: https://msdn.microsoft.com/en-us/library/cc246614.aspx
+ Reference: https://msdn.microsoft.com/en-us/library/cc246614.aspx
"A nonzero value for the NextCommand field in the SMB2 header indicates a compound
request. NextCommand in the SMB2 header of a request specifies an offset, in bytes,
from the beginning of the SMB2 header under consideration to the start of the 8-byte
#include "dce_smb.h"
+namespace
+{
+inline void DCE2_SMB_PAF_SHIFT(uint64_t& x64, const uint8_t& x8)
+{
+ x64 <<= 8;
+ x64 |= (uint64_t) x8;
+}
+}
+
using namespace snort;
/*********************************************************************
ss->paf_state = DCE2_PAF_SMB_STATES__0;
return StreamSplitter::FLUSH;
}
-
+
ss->paf_state = (DCE2_PafSmbStates)(((int)ss->paf_state) + 1);
break;
case DCE2_PAF_SMB_STATES__7:
nb_len = NbssLen((const NbssHdr*)&nb_hdr);
*fp = (nb_len + sizeof(NbssHdr) + n) - ss->paf_state;
ss->paf_state = DCE2_PAF_SMB_STATES__0;
-
+
return StreamSplitter::FLUSH;
default:
DCE2_SMB_PAF_SHIFT(ss->nb_hdr, data[n]);
#include "stream/stream_splitter.h"
-#define DCE2_SMB_PAF_SHIFT(x64, x8) { (x64) <<= 8; (x64) |= (uint64_t)(x8); }
-
// Enumerations for PAF states
enum DCE2_PafSmbStates
{
if (ftracker == nullptr)
return DCE2_RET__ERROR;
- DCE2_Update_Ftracker_from_ReqTracker(ftracker, ssd->cur_rtracker);
+ DCE2_Update_Ftracker_from_ReqTracker(ftracker, ssd->cur_rtracker);
if (!ftracker->is_ipc)
{
Packet* rpkt = DCE2_SmbGetRpkt(ssd, &data_ptr, &data_len, DCE2_RPKT_TYPE__SMB_TRANS);
if (rpkt == nullptr)
- return DCE2_RET__ERROR;
+ return DCE2_RET__ERROR;
status = DCE2_SmbTransactionReq(ssd, ttracker, data_ptr, data_len,
DCE2_BufferData(ttracker->pbuf), DCE2_BufferLength(ttracker->pbuf));
|| ((file_data_depth != 0)
&& (ftracker->ff_bytes_processed >= (uint64_t)file_data_depth)))
{
- // Bytes processed is at or beyond file data depth - finished.
+ // Bytes processed is at or beyond file data depth - finished.
DCE2_SmbRemoveFileTracker(ssd, ftracker);
return;
}
* flush just before it */
if ((num_requests == 1) || (n <= len))
tmp_fp += ds->frag_len;
-
+
ds->paf_state = DCE2_PAF_TCP_STATES__0;
continue; // we incremented n already
default:
#define DNS_RR_TYPE_A 0x0001
#define DNS_RR_TYPE_NS 0x0002
#define DNS_RR_TYPE_MD 0x0003 // obsolete
-#define DNS_RR_TYPE_MF 0x0004 // obsolete
+#define DNS_RR_TYPE_MF 0x0004 // obsolete
#define DNS_RR_TYPE_CNAME 0x0005
#define DNS_RR_TYPE_SOA 0x0006
#define DNS_RR_TYPE_MB 0x0007 // experimental
FileFlows* file_flows = FileFlows::get_file_flows(flow);
if ( file_flows )
{
- file_flows->file_process(DetectionEngine::get_current_packet(),
+ file_flows->file_process(DetectionEngine::get_current_packet(),
nullptr, 0, SNORT_FILE_END, to_server(), fdfd->session.path_hash);
}
}
if (msg->version > MAX_GTP_VERSION_CODE)
return false;
-
+
/*Check whether this is GTP or GTP', Exit if GTP'*/
if (!(hdr->flag & 0x10))
return false;
EvalStatus eval(Cursor&, Packet*) override;
public:
- // byte n is for version n (named types can have
+ // byte n is for version n (named types can have
// different codes in different versions)
uint8_t types[MAX_GTP_VERSION_CODE + 1];
};
EvalStatus eval(Cursor&, Packet*) override;
public:
- // set n is for version n (named types can have
+ // set n is for version n (named types can have
// different codes in different versions)
ByteBitSet types[MAX_GTP_VERSION_CODE + 1];
};
// Message buffers available to clients
// This enum must remain synchronized with Http2Api::classic_buffer_names[]
-enum HTTP2_BUFFER { HTTP2_BUFFER_FRAME_HEADER = 1, HTTP2_BUFFER_FRAME_DATA, HTTP2_BUFFER_DECODED_HEADER,
+enum HTTP2_BUFFER { HTTP2_BUFFER_FRAME_HEADER = 1, HTTP2_BUFFER_FRAME_DATA, HTTP2_BUFFER_DECODED_HEADER,
HTTP2_BUFFER_MAX };
// Peg counts
INF__MAX_VALUE
};
-enum HeaderFrameFlags
+enum HeaderFrameFlags
{
END_STREAM = 0x1,
END_HEADERS = 0x4,
enum SettingsFrameIds
{
HEADER_TABLE_SIZE = 1,
- ENABLE_PUSH,
+ ENABLE_PUSH,
MAX_CONCURRENT_STREAMS,
INITIAL_WINDOW_SIZE,
MAX_FRAME_SIZE,
// Used by scan, reassemble and eval to communicate
uint8_t frame_type[2] = { Http2Enums::FT__NONE, Http2Enums::FT__NONE };
-
+
// Internal to reassemble()
uint32_t frame_header_offset[2] = { 0, 0 };
uint32_t frame_data_offset[2] = { 0, 0 };
const uint8_t* header_start = header.start();
return ((header_start[stream_id_index] & 0x7f) << 24) +
- (header_start[stream_id_index + 1] << 16) +
+ (header_start[stream_id_index + 1] << 16) +
(header_start[stream_id_index + 2] << 8) +
header_start[stream_id_index + 3];
}
HttpCommon::SourceId source_id;
const static uint8_t flags_index = 4;
- const static uint8_t stream_id_index = 5;
+ const static uint8_t stream_id_index = 5;
const static uint32_t INVALID_STREAM_ID = 0xFFFFFFFF;
};
#endif
using namespace Http2Enums;
Http2HeadersFrame::Http2HeadersFrame(const uint8_t* header_buffer, const int32_t header_len,
- const uint8_t* data_buffer, const int32_t data_len, Http2FlowData* session_data,
- HttpCommon::SourceId source_id) : Http2Frame(header_buffer, header_len, data_buffer, data_len,
- session_data, source_id)
+ const uint8_t* data_buffer, const int32_t data_len, Http2FlowData* ssn_data,
+ HttpCommon::SourceId src_id) : Http2Frame(header_buffer, header_len, data_buffer, data_len,
+ ssn_data, src_id)
{
uint8_t hpack_headers_offset = 0;
// Allocate stuff
decoded_headers = new uint8_t[MAX_OCTETS];
decoded_headers_size = 0;
-
+
start_line_generator = Http2StartLine::new_start_line_generator(source_id,
session_data->events[source_id], session_data->infractions[source_id]);
{
public:
~Http2HeadersFrame() override;
-
+
const Field& get_buf(unsigned id) override;
friend Http2Frame* Http2Frame::new_frame(const uint8_t* header_buffer, const int32_t header_len,
private:
Http2HeadersFrame(const uint8_t* header_buffer, const int32_t header_len,
- const uint8_t* data_buffer, const int32_t data_len, Http2FlowData* session_data,
- HttpCommon::SourceId source_id);
+ const uint8_t* data_buffer, const int32_t data_len, Http2FlowData* ssn_data,
+ HttpCommon::SourceId src_id);
Http2StartLine* start_line_generator = nullptr;
uint8_t* decoded_headers = nullptr; // working buffer to store decoded headers
return true;
if (!isHuffman)
- return get_string(in_buff, encoded_len, bytes_consumed, out_buff, out_len, bytes_written,
+ return get_string(in_buff, encoded_len, bytes_consumed, out_buff, out_len, bytes_written,
events, infractions);
return get_huffman_string(in_buff, encoded_len, bytes_consumed, out_buff, out_len,
break;
default:
- break;
+ break;
}
}
uint8_t* out_buff, const uint32_t out_len, uint32_t& bytes_written, Http2EventGen* events,
Http2Infractions* infractions) const;
bool get_huffman_string(const uint8_t* in_buff, const uint32_t encoded_len,
- uint32_t& bytes_consumed, uint8_t* out_buff, const uint32_t out_len, uint32_t&
+ uint32_t& bytes_consumed, uint8_t* out_buff, const uint32_t out_len, uint32_t&
bytes_written, Http2EventGen* events, Http2Infractions* infractions) const;
bool get_next_byte(const uint8_t* in_buff, const uint32_t last_byte,
uint32_t& bytes_consumed, uint8_t& cur_bit, uint8_t match_len, uint8_t& byte,
bool& another_search) const;
-
+
const Http2HpackIntDecode decode7;
};
};
const HpackTableEntry* HpackIndexTable::lookup(uint64_t index) const
-{
+{
if (index <= STATIC_MAX_INDEX)
return &static_table[index];
else
// 00000
{5, (char)176, HUFFMAN_MATCH}, {5, (char)176, HUFFMAN_MATCH}, {5, (char)176, HUFFMAN_MATCH}, {5, (char)176, HUFFMAN_MATCH},
{5, (char)176, HUFFMAN_MATCH}, {5, (char)176, HUFFMAN_MATCH}, {5, (char)176, HUFFMAN_MATCH}, {5, (char)176, HUFFMAN_MATCH},
- // 00001
+ // 00001
{5, (char)177, HUFFMAN_MATCH}, {5, (char)177, HUFFMAN_MATCH}, {5, (char)177, HUFFMAN_MATCH}, {5, (char)177, HUFFMAN_MATCH},
{5, (char)177, HUFFMAN_MATCH}, {5, (char)177, HUFFMAN_MATCH}, {5, (char)177, HUFFMAN_MATCH}, {5, (char)177, HUFFMAN_MATCH},
// 00010
Http2EventGen* events, Http2Infractions* infractions);
private:
- Http2RequestLine(Http2EventGen* events, Http2Infractions* infractions) : Http2StartLine(events,
- infractions) { }
+ Http2RequestLine(Http2EventGen* evs, Http2Infractions* infrs) : Http2StartLine(evs, infrs) { }
Field method;
Field path;
}
static uint32_t get_parameter_value(const uint8_t* data_buffer)
-{
+{
static const uint8_t frame_value_index = 2;
return (data_buffer[frame_value_index] << 24) +
(data_buffer[frame_value_index + 1] << 16) +
}
Http2SettingsFrame::Http2SettingsFrame(const uint8_t* header_buffer, const int32_t header_len,
- const uint8_t* data_buffer, const int32_t data_len, Http2FlowData* session_data,
- HttpCommon::SourceId source_id) : Http2Frame(header_buffer, header_len, data_buffer, data_len,
- session_data, source_id)
+ const uint8_t* data_buffer, const int32_t data_len, Http2FlowData* ssn_data,
+ HttpCommon::SourceId src_id) : Http2Frame(header_buffer, header_len, data_buffer, data_len,
+ ssn_data, src_id)
{
if (!sanity_check())
{
if (SfAck & get_flags())
return;
-
+
parse_settings_frame();
}
void Http2SettingsFrame::parse_settings_frame()
{
- int32_t data_pos = 0;
+ int32_t data_pos = 0;
while (data_pos < data.length())
{
continue;
}
- session_data->connection_settings[source_id].set_param(parameter_id, parameter_value);
+ session_data->connection_settings[source_id].set_param(parameter_id, parameter_value);
}
}
bad_frame = true;
else if (ack and data.length() > 0)
bad_frame = true;
-
+
return !(bad_frame);
}
}
#endif
-uint32_t Http2ConnectionSettings::get_param(uint16_t id)
-{
+uint32_t Http2ConnectionSettings::get_param(uint16_t id)
+{
assert(id >= HEADER_TABLE_SIZE);
assert(id <= MAX_HEADER_LIST_SIZE);
- return parameters[id - 1];
+ return parameters[id - 1];
}
-void Http2ConnectionSettings::set_param(uint16_t id, uint32_t value)
-{
+void Http2ConnectionSettings::set_param(uint16_t id, uint32_t value)
+{
assert(id >= HEADER_TABLE_SIZE);
assert(id <= MAX_HEADER_LIST_SIZE);
- parameters[id - 1] = value;
+ parameters[id - 1] = value;
}
private:
Http2SettingsFrame(const uint8_t* header_buffer, const int32_t header_len,
- const uint8_t* data_buffer, const int32_t data_len, Http2FlowData* session_data,
- HttpCommon::SourceId source_id);
+ const uint8_t* data_buffer, const int32_t data_len, Http2FlowData* ssn_data,
+ HttpCommon::SourceId src_id);
void parse_settings_frame();
bool sanity_check();
class Http2ConnectionSettings
{
public:
- uint32_t get_param(uint16_t id);
- void set_param(uint16_t id, uint32_t value);
+ uint32_t get_param(uint16_t id);
+ void set_param(uint16_t id, uint32_t value);
private:
void validate_param_id(uint16_t id);
- static const uint16_t PARAMETER_COUNT = 6;
+ static const uint16_t PARAMETER_COUNT = 6;
uint32_t parameters[PARAMETER_COUNT] = {
4096, // Header table size
1, // Push promise
bool Http2StatusLine::generate_start_line()
{
uint32_t bytes_written = 0;
-
+
// Account for one space and trailing crlf
static const uint8_t NUM_RESPONSE_LINE_EXTRA_CHARS = 3;
Http2EventGen* events, Http2Infractions* infractions);
private:
- Http2StatusLine(Http2EventGen* events, Http2Infractions* infractions) : Http2StartLine(events,
- infractions) { }
+ Http2StatusLine(Http2EventGen* evs, Http2Infractions* infrs) : Http2StartLine(evs, infrs) { }
Field status;
{
// Continuation of ongoing data frame
session_data->num_frame_headers[source_id] = 0;
-
+
// If this is a new frame section, update next frame section length
if (session_data->scan_remaining_frame_octets[source_id] == 0)
{
session_data->scan_remaining_frame_octets[source_id] -= length;
session_data->total_bytes_in_split[source_id] += length;
return status = StreamSplitter::SEARCH;
- }
+ }
// Have full frame section, flush and update leftover
session_data->total_bytes_in_split[source_id] +=
return status;
}
-// FIXIT-M If there are any errors in header decoding, this currently tells stream not to send
+// FIXIT-M If there are any errors in header decoding, this currently tells stream not to send
// headers to detection. This behavior may need to be changed.
const StreamBuffer implement_reassemble(Http2FlowData* session_data, unsigned total,
unsigned offset, const uint8_t* data, unsigned len, uint32_t flags,
session_data->num_frame_headers[source_id] = 0;
session_data->scan_octets_seen[source_id] = 0;
- // Return 0-length non-null buffer to stream which signals detection required, but don't
+ // Return 0-length non-null buffer to stream which signals detection required, but don't
// create pkt_data buffer
frame_buf.data = (const uint8_t*)"";
}
return frame_buf;
}
-ValidationResult validate_preface(const uint8_t* data, const uint32_t length,
+ValidationResult validate_preface(const uint8_t* data, const uint32_t length,
const uint32_t octets_seen)
{
const uint32_t preface_length = 24;
if ((octets_seen + length) < preface_length)
return V_TBD;
-
+
return V_GOOD;
}
TEST(http2_hpack_string_decode_success, huffman_2_bytes_aligned)
{
- // prepare buf to decode - Huffman "&&"
+ // prepare buf to decode - Huffman "&&"
uint8_t buf[3] = {0x82, 0xf8, 0xf8};
// decode
uint32_t bytes_processed = 0, bytes_written = 0;
TEST(http2_hpack_string_decode_success, huffman_2_bytes_unaligned)
{
- // prepare buf to decode - Huffman "%%"
+ // prepare buf to decode - Huffman "%%"
uint8_t buf[3] = {0x82, 0x55, 0x5f};
// decode
uint32_t bytes_processed = 0, bytes_written = 0;
TEST(http2_hpack_string_decode_success, huffman_rfc_example1)
{
- // prepare buf to decode - Huffman "www.example.com" , RFC c.4.1
+ // prepare buf to decode - Huffman "www.example.com" , RFC c.4.1
uint8_t buf[13] = {0x8c, 0xf1, 0xe3, 0xc2, 0xe5, 0xf2, 0x3a, 0x6b, 0xa0, 0xab, 0x90, 0xf4, 0xff};
// decode
uint32_t bytes_processed = 0, bytes_written = 0;
{
// prepare buf to decode - Huffman "Mon, 21 Oct 2013 20:13:21 GMT" , RFC c.6.1
uint8_t buf[23] = {0x96, 0xd0, 0x7a, 0xbe, 0x94, 0x10, 0x54, 0xd4, 0x44, 0xa8, 0x20,
- 0x05, 0x95, 0x04, 0x0b, 0x81, 0x66, 0xe0, 0x82, 0xa6, 0x2d, 0x1b, 0xff};
+ 0x05, 0x95, 0x04, 0x0b, 0x81, 0x66, 0xe0, 0x82, 0xa6, 0x2d, 0x1b, 0xff};
// decode
uint32_t bytes_processed = 0, bytes_written = 0;
uint8_t res[35];
{
// prepare buf to decode - Huffman "foo=ASDJKHQKBZXOQWEOPIUAXQWEOIU; max-age=3600; version=1" , RFC c.6.3
uint8_t buf[46] = {0xad, 0x94, 0xe7, 0x82, 0x1d, 0xd7, 0xf2, 0xe6, 0xc7, 0xb3, 0x35, 0xdf,
- 0xdf, 0xcd, 0x5b, 0x39, 0x60, 0xd5, 0xaf, 0x27, 0x08, 0x7f, 0x36, 0x72,
- 0xc1, 0xab, 0x27, 0x0f, 0xb5, 0x29, 0x1f, 0x95, 0x87, 0x31, 0x60, 0x65,
- 0xc0, 0x03, 0xed, 0x4e, 0xe5, 0xb1, 0x06, 0x3d, 0x50, 0x07};
+ 0xdf, 0xcd, 0x5b, 0x39, 0x60, 0xd5, 0xaf, 0x27, 0x08, 0x7f, 0x36, 0x72,
+ 0xc1, 0xab, 0x27, 0x0f, 0xb5, 0x29, 0x1f, 0x95, 0x87, 0x31, 0x60, 0x65,
+ 0xc0, 0x03, 0xed, 0x4e, 0xe5, 0xb1, 0x06, 0x3d, 0x50, 0x07};
// decode
uint32_t bytes_processed = 0, bytes_written = 0;
uint8_t res[73];
{
// prepare buf to decode - "abcdefghijklmnopqrstuvwxyz"
uint8_t buf[21] = {0x94, 0x1c, 0x64, 0x90, 0xb2, 0xcd, 0x39, 0xba, 0x75, 0xa2, 0x9a, 0x8f, 0x5f, 0x6b,
- 0x10, 0x9b, 0x7b, 0xf8, 0xf3, 0xeb, 0xdf};
+ 0x10, 0x9b, 0x7b, 0xf8, 0xf3, 0xeb, 0xdf};
// decode
uint32_t bytes_processed = 0, bytes_written = 0;
uint8_t res[32];
{
// prepare buf to decode - "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
uint8_t buf[24] = {0x97, 0x86, 0xed, 0xeb, 0xf8, 0x30, 0xe2, 0xc7, 0x93, 0x2e, 0x6c, 0xfa, 0x34, 0xea,
- 0xd7, 0xb3, 0x6e, 0xed, 0xfc, 0x38, 0xf2, 0xfc, 0xe7, 0xfb};
+ 0xd7, 0xb3, 0x6e, 0xed, 0xfc, 0x38, 0xf2, 0xfc, 0xe7, 0xfb};
// decode
uint32_t bytes_processed = 0, bytes_written = 0;
uint8_t res[36];
TEST(http2_hpack_string_decode_success, huffman_decoding_all_possible_symbols_4)
{
// prepare buf to decode - ' !"#$%&\'()*+,-./:;<=>?@[\]^_`{|}~'
- uint8_t buf[45] = {0xAC, 0x53, 0xF8, 0xFE, 0x7F, 0xEB, 0xFF, 0x2A, 0xFC, 0X7F, 0xAF, 0xEB, 0xFB, 0xF9, 0xFF, 0x7F, 0x4B, 0x2E, 0xC5, 0xCF, 0xBF, 0xFF, 0x90, 0x7F, 0xDF, 0xF9, 0xFF, 0xAF, 0xFD, 0xFF, 0xFF, 0x0F, 0xFE, 0x7F, 0xF9, 0x17, 0xFF, 0xDF, 0xFF, 0xDF, 0xF3, 0xFF, 0xDF, 0xFE, 0xFF};
+ uint8_t buf[45] = {0xAC, 0x53, 0xF8, 0xFE, 0x7F, 0xEB, 0xFF, 0x2A, 0xFC, 0X7F, 0xAF, 0xEB, 0xFB, 0xF9,
+ 0xFF, 0x7F, 0x4B, 0x2E, 0xC5, 0xCF, 0xBF, 0xFF, 0x90, 0x7F, 0xDF, 0xF9, 0xFF, 0xAF, 0xFD, 0xFF, 0xFF,
+ 0x0F, 0xFE, 0x7F, 0xF9, 0x17, 0xFF, 0xDF, 0xFF, 0xDF, 0xF3, 0xFF, 0xDF, 0xFE, 0xFF};
// decode
uint32_t bytes_processed = 0, bytes_written = 0;
uint8_t res[70];
TEST(http2_hpack_string_decode_success, huffman_decoding_all_possible_symbols_hex_00_0F)
{
// prepare buf to decode - encoded 0x00-0x0F
- uint8_t buf[55] = {0xB6, 0xFF, 0xC7, 0xFF, 0xFD, 0x8F, 0xFF, 0xFF, 0xE2, 0xFF, 0xFF, 0xFE, 0x3F, 0xFF, 0xFF, 0xE4, 0xFF, 0xFF, 0xFE, 0x5F, 0xFF, 0xFF, 0xE6, 0xFF, 0xFF, 0xFE, 0x7F, 0xFF, 0xFF, 0xE8, 0xFF, 0xFF, 0xEA, 0xFF, 0xFF, 0xFF, 0xF3, 0xFF, 0xFF, 0xFA, 0x7F, 0xFF, 0xFF, 0xAB, 0xFF, 0xFF, 0xFF, 0xDF, 0xFF, 0xFF, 0xEB, 0xFF, 0xFF, 0xFE, 0xCF};
+ uint8_t buf[55] = {0xB6, 0xFF, 0xC7, 0xFF, 0xFD, 0x8F, 0xFF, 0xFF, 0xE2, 0xFF, 0xFF, 0xFE, 0x3F, 0xFF,
+ 0xFF, 0xE4, 0xFF, 0xFF, 0xFE, 0x5F, 0xFF, 0xFF, 0xE6, 0xFF, 0xFF, 0xFE, 0x7F, 0xFF, 0xFF, 0xE8, 0xFF,
+ 0xFF, 0xEA, 0xFF, 0xFF, 0xFF, 0xF3, 0xFF, 0xFF, 0xFA, 0x7F, 0xFF, 0xFF, 0xAB, 0xFF, 0xFF, 0xFF, 0xDF,
+ 0xFF, 0xFF, 0xEB, 0xFF, 0xFF, 0xFE, 0xCF};
// decode
uint32_t bytes_processed = 0, bytes_written = 0;
uint8_t res[88];
TEST(http2_hpack_string_decode_success, huffman_decoding_all_possible_symbols_hex_10_1F)
{
// prepare buf to decode - encoded 0x10-0x1F
- uint8_t buf[58] = {0xB9, 0xFF, 0xFF, 0xFE, 0xDF, 0xFF, 0xFF, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xF0, 0xFF, 0xFF, 0xFF, 0x1F, 0xFF, 0xFF, 0xF2, 0xFF, 0xFF, 0xFF, 0xFB, 0xFF, 0xFF, 0xFC, 0xFF, 0xFF, 0xFF, 0xD3, 0xFF, 0xFF, 0xFD, 0x7F, 0xFF, 0xFF, 0xDB, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xE3, 0xFF, 0xFF, 0xFE, 0x7F, 0xFF, 0xFF, 0xEB, 0xFF, 0xFF, 0xFE, 0xFF};
+ uint8_t buf[58] = {0xB9, 0xFF, 0xFF, 0xFE, 0xDF, 0xFF, 0xFF, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF,
+ 0xF0, 0xFF, 0xFF, 0xFF, 0x1F, 0xFF, 0xFF, 0xF2, 0xFF, 0xFF, 0xFF, 0xFB, 0xFF, 0xFF, 0xFC, 0xFF, 0xFF,
+ 0xFF, 0xD3, 0xFF, 0xFF, 0xFD, 0x7F, 0xFF, 0xFF, 0xDB, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xE3, 0xFF,
+ 0xFF, 0xFE, 0x7F, 0xFF, 0xFF, 0xEB, 0xFF, 0xFF, 0xFE, 0xFF};
// decode
uint32_t bytes_processed = 0, bytes_written = 0;
uint8_t res[93];
TEST(http2_hpack_string_decode_success, huffman_decoding_all_possible_symbols_hex_7F_8F)
{
// prepare buf to decode - encoded 0x7F-0x8F
- uint8_t buf[49] = {0xB0, 0xFF, 0xFF, 0xFF, 0xCF, 0xFF, 0xE6, 0xFF, 0xFF, 0x4B, 0xFF, 0xF9, 0xFF, 0xFF, 0xA3, 0xFF, 0xFD, 0x3F, 0xFF, 0xF5, 0x3F, 0xFF, 0xD5, 0xFF, 0xFF, 0xB3, 0xFF, 0xFE, 0xB7, 0xFF, 0xFD, 0xAF, 0xFF, 0xFB, 0x7F, 0xFF, 0xF7, 0x3F, 0xFF, 0xEE, 0xFF, 0xFF, 0xDE, 0xFF, 0xFF, 0xEB, 0xFF, 0xFF, 0xBF};
+ uint8_t buf[49] = {0xB0, 0xFF, 0xFF, 0xFF, 0xCF, 0xFF, 0xE6, 0xFF, 0xFF, 0x4B, 0xFF, 0xF9, 0xFF, 0xFF,
+ 0xA3, 0xFF, 0xFD, 0x3F, 0xFF, 0xF5, 0x3F, 0xFF, 0xD5, 0xFF, 0xFF, 0xB3, 0xFF, 0xFE, 0xB7, 0xFF, 0xFD,
+ 0xAF, 0xFF, 0xFB, 0x7F, 0xFF, 0xF7, 0x3F, 0xFF, 0xEE, 0xFF, 0xFF, 0xDE, 0xFF, 0xFF, 0xEB, 0xFF, 0xFF,
+ 0xBF};
// decode
uint32_t bytes_processed = 0, bytes_written = 0;
uint8_t res[79];
TEST(http2_hpack_string_decode_success, huffman_decoding_all_possible_symbols_hex_90_9F)
{
// prepare buf to decode - encoded 0x90-0x9F
- uint8_t buf[47] = {0xAE, 0xFF, 0xFF, 0xEC, 0xFF, 0xFF, 0xED, 0xFF, 0xFF, 0x5F, 0xFF, 0xFF, 0x07, 0xFF, 0xFF, 0x77, 0xFF, 0xFE, 0x1F, 0xFF, 0xFC, 0x5F, 0xFF, 0xF8, 0xFF, 0xFF, 0xF2, 0x7F, 0xFF, 0x73, 0xFF, 0xFD, 0x8F, 0xFF, 0xFC, 0xBF, 0xFF, 0xEC, 0xFF, 0xFF, 0xE6, 0xFF, 0xFF, 0xCF, 0xFF, 0xFF, 0xDF};
+ uint8_t buf[47] = {0xAE, 0xFF, 0xFF, 0xEC, 0xFF, 0xFF, 0xED, 0xFF, 0xFF, 0x5F, 0xFF, 0xFF, 0x07, 0xFF,
+ 0xFF, 0x77, 0xFF, 0xFE, 0x1F, 0xFF, 0xFC, 0x5F, 0xFF, 0xF8, 0xFF, 0xFF, 0xF2, 0x7F, 0xFF, 0x73, 0xFF,
+ 0xFD, 0x8F, 0xFF, 0xFC, 0xBF, 0xFF, 0xEC, 0xFF, 0xFF, 0xE6, 0xFF, 0xFF, 0xCF, 0xFF, 0xFF, 0xDF};
// decode
uint32_t bytes_processed = 0, bytes_written = 0;
TEST(http2_hpack_string_decode_success, huffman_decoding_all_possible_symbols_hex_A0_AF)
{
// prepare buf to decode - encoded 0xA0-0xAF
- uint8_t buf[46] = {0xAD, 0xFF, 0xFF, 0x6B, 0xFF, 0xFB, 0xBF, 0xFF, 0xD3, 0xFF, 0xFE, 0xDF, 0xFF, 0xFB, 0x9F, 0xFF, 0xFA, 0x3F, 0xFF, 0xF4, 0xFF, 0xFF, 0x7B, 0xFF, 0xFF, 0x57, 0xFF, 0xFB, 0xBF, 0xFF, 0xEF, 0x7F, 0xFF, 0xF8, 0x7F, 0xFF, 0x7F, 0xFF, 0xFD, 0xFF, 0xFF, 0xFD, 0x7F, 0xFF, 0xFB, 0x3F};
+ uint8_t buf[46] = {0xAD, 0xFF, 0xFF, 0x6B, 0xFF, 0xFB, 0xBF, 0xFF, 0xD3, 0xFF, 0xFE, 0xDF, 0xFF, 0xFB,
+ 0x9F, 0xFF, 0xFA, 0x3F, 0xFF, 0xF4, 0xFF, 0xFF, 0x7B, 0xFF, 0xFF, 0x57, 0xFF, 0xFB, 0xBF, 0xFF, 0xEF,
+ 0x7F, 0xFF, 0xF8, 0x7F, 0xFF, 0x7F, 0xFF, 0xFD, 0xFF, 0xFF, 0xFD, 0x7F, 0xFF, 0xFB, 0x3F};
// decode
uint32_t bytes_processed = 0, bytes_written = 0;
TEST(http2_hpack_string_decode_success, huffman_decoding_all_possible_symbols_hex_B0_BF)
{
// prepare buf to decode - encoded 0xB0-0xBF
- uint8_t buf[45] = {0xAC, 0xFF, 0xFF, 0x07, 0xFF, 0xF8, 0x7F, 0xFF, 0xE0, 0xFF, 0xFF, 0x17, 0xFF, 0xFE, 0xDF, 0xFF, 0xF8, 0x7F, 0xFF, 0xF7, 0x7F, 0xFF, 0xEF, 0xFF, 0xFE, 0xAF, 0xFF, 0xF8, 0xBF, 0xFF, 0xE3, 0xFF, 0xFF, 0x93, 0xFF, 0xFF, 0x87, 0xFF, 0xFC, 0xBF, 0xFF, 0xF3, 0x7F, 0xFF, 0xF1};
+ uint8_t buf[45] = {0xAC, 0xFF, 0xFF, 0x07, 0xFF, 0xF8, 0x7F, 0xFF, 0xE0, 0xFF, 0xFF, 0x17, 0xFF, 0xFE,
+ 0xDF, 0xFF, 0xF8, 0x7F, 0xFF, 0xF7, 0x7F, 0xFF, 0xEF, 0xFF, 0xFE, 0xAF, 0xFF, 0xF8, 0xBF, 0xFF, 0xE3,
+ 0xFF, 0xFF, 0x93, 0xFF, 0xFF, 0x87, 0xFF, 0xFC, 0xBF, 0xFF, 0xF3, 0x7F, 0xFF, 0xF1};
// decode
uint32_t bytes_processed = 0, bytes_written = 0;
TEST(http2_hpack_string_decode_success, huffman_decoding_all_possible_symbols_hex_C0_CF)
{
// prepare buf to decode - encoded 0xC0-0xCF
- uint8_t buf[50] = {0xB1, 0xFF, 0xFF, 0xF8, 0x3F, 0xFF, 0xFE, 0x1F, 0xFF, 0xEB, 0xFF, 0xFE, 0x3F, 0xFF, 0xF3, 0xFF, 0xFF, 0xF2, 0xFF, 0xFF, 0xA3, 0xFF, 0xFF, 0xD9, 0xFF, 0xFF, 0xF1, 0x7F, 0xFF, 0xFC, 0x7F, 0xFF, 0xFF, 0x27, 0xFF, 0xFF, 0xDE, 0xFF, 0xFF, 0xFB, 0xFF, 0xFF, 0xFF, 0x2F, 0xFF, 0xFF, 0x8F, 0xFF, 0xFF, 0xB7};
+ uint8_t buf[50] = {0xB1, 0xFF, 0xFF, 0xF8, 0x3F, 0xFF, 0xFE, 0x1F, 0xFF, 0xEB, 0xFF, 0xFE, 0x3F, 0xFF,
+ 0xF3, 0xFF, 0xFF, 0xF2, 0xFF, 0xFF, 0xA3, 0xFF, 0xFF, 0xD9, 0xFF, 0xFF, 0xF1, 0x7F, 0xFF, 0xFC, 0x7F,
+ 0xFF, 0xFF, 0x27, 0xFF, 0xFF, 0xDE, 0xFF, 0xFF, 0xFB, 0xFF, 0xFF, 0xFF, 0x2F, 0xFF, 0xFF, 0x8F, 0xFF,
+ 0xFF, 0xB7};
// decode
uint32_t bytes_processed = 0, bytes_written = 0;
TEST(http2_hpack_string_decode_success, huffman_decoding_all_possible_symbols_hex_D0_DF)
{
// prepare buf to decode - encoded 0xD0-0xDF
- uint8_t buf[51] = {0xB2, 0xFF, 0xFE, 0x5F, 0xFF, 0xE3, 0xFF, 0xFF, 0xF9, 0xBF, 0xFF, 0xFF, 0x07, 0xFF, 0xFF, 0xE1, 0xFF, 0xFF, 0xF9, 0xFF, 0xFF, 0xFF, 0x17, 0xFF, 0xFF, 0x97, 0xFF, 0xF9, 0x3F, 0xFF, 0xCB, 0xFF, 0xFF, 0xF4, 0x7F, 0xFF, 0xFD, 0x3F, 0xFF, 0xFF, 0xFB, 0xFF, 0xFF, 0xF8, 0xFF, 0xFF, 0xFF, 0x27, 0xFF, 0xFF, 0xE5};
+ uint8_t buf[51] = {0xB2, 0xFF, 0xFE, 0x5F, 0xFF, 0xE3, 0xFF, 0xFF, 0xF9, 0xBF, 0xFF, 0xFF, 0x07, 0xFF,
+ 0xFF, 0xE1, 0xFF, 0xFF, 0xF9, 0xFF, 0xFF, 0xFF, 0x17, 0xFF, 0xFF, 0x97, 0xFF, 0xF9, 0x3F, 0xFF, 0xCB,
+ 0xFF, 0xFF, 0xF4, 0x7F, 0xFF, 0xFD, 0x3F, 0xFF, 0xFF, 0xFB, 0xFF, 0xFF, 0xF8, 0xFF, 0xFF, 0xFF, 0x27,
+ 0xFF, 0xFF, 0xE5};
// decode
uint32_t bytes_processed = 0, bytes_written = 0;
TEST(http2_hpack_string_decode_success, huffman_decoding_all_possible_symbols_hex_E0_EF)
{
// prepare buf to decode - encoded 0xE0-0xEF
- uint8_t buf[47] = {0xAE, 0xFF, 0xFE, 0xCF, 0xFF, 0xFF, 0x3F, 0xFF, 0xED, 0xFF, 0xFF, 0x37, 0xFF, 0xFD, 0x3F, 0xFF, 0xE7, 0xFF, 0xFF, 0x47, 0xFF, 0xFF, 0x3F, 0xFF, 0xFA, 0xBF, 0xFF, 0xEB, 0xFF, 0xFF, 0xF7, 0x7F, 0xFF, 0xFB, 0xFF, 0xFF, 0xFD, 0x3F, 0xFF, 0xFD, 0x7F, 0xFF, 0xFE, 0xAF, 0xFF, 0xFE, 0x9F};
+ uint8_t buf[47] = {0xAE, 0xFF, 0xFE, 0xCF, 0xFF, 0xFF, 0x3F, 0xFF, 0xED, 0xFF, 0xFF, 0x37, 0xFF, 0xFD,
+ 0x3F, 0xFF, 0xE7, 0xFF, 0xFF, 0x47, 0xFF, 0xFF, 0x3F, 0xFF, 0xFA, 0xBF, 0xFF, 0xEB, 0xFF, 0xFF, 0xF7,
+ 0x7F, 0xFF, 0xFB, 0xFF, 0xFF, 0xFD, 0x3F, 0xFF, 0xFD, 0x7F, 0xFF, 0xFE, 0xAF, 0xFF, 0xFE, 0x9F};
// decode
uint32_t bytes_processed = 0, bytes_written = 0;
TEST(http2_hpack_string_decode_success, huffman_decoding_all_possible_symbols_hex_F0_FF)
{
// prepare buf to decode - encoded 0xF0-0xFF
- uint8_t buf[55] = {0xB6, 0xFF, 0xFF, 0xFA, 0xFF, 0xFF, 0xFF, 0x37, 0xFF, 0xFF, 0xD9, 0xFF, 0xFF, 0xF6, 0xFF, 0xFF, 0xFE, 0x7F, 0xFF, 0xFF, 0xD1, 0xFF, 0xFF, 0xFA, 0x7F, 0xFF, 0xFF, 0x57, 0xFF, 0xFF, 0xEB, 0xFF, 0xFF, 0xFF, 0xEF, 0xFF, 0xFF, 0xD9, 0xFF, 0xFF, 0xFB, 0x7F, 0xFF, 0xFF, 0x77, 0xFF, 0xFF, 0xEF, 0xFF, 0xFF, 0xFE, 0x1F, 0xFF, 0xFF, 0x77};
+ uint8_t buf[55] = {0xB6, 0xFF, 0xFF, 0xFA, 0xFF, 0xFF, 0xFF, 0x37, 0xFF, 0xFF, 0xD9, 0xFF, 0xFF, 0xF6,
+ 0xFF, 0xFF, 0xFE, 0x7F, 0xFF, 0xFF, 0xD1, 0xFF, 0xFF, 0xFA, 0x7F, 0xFF, 0xFF, 0x57, 0xFF, 0xFF, 0xEB,
+ 0xFF, 0xFF, 0xFF, 0xEF, 0xFF, 0xFF, 0xD9, 0xFF, 0xFF, 0xFB, 0x7F, 0xFF, 0xFF, 0x77, 0xFF, 0xFF, 0xEF,
+ 0xFF, 0xFF, 0xFE, 0x1F, 0xFF, 0xFF, 0x77};
// decode
uint32_t bytes_processed = 0, bytes_written = 0;
const SourceId source_id = current_section->get_source_id();
//FIXIT-M This check may not apply to the transaction attached to the packet
- //in case of offload.
+ //in case of offload.
if (session_data->detection_status[source_id] == DET_DEACTIVATING)
{
if (source_id == SRC_CLIENT)
static bool is_webdav(HttpEnums::MethodId method)
{
- if(method > HttpEnums::MethodId::METH__WEBDAV_LOW and
+ if(method > HttpEnums::MethodId::METH__WEBDAV_LOW and
method < HttpEnums::MethodId::METH__WEBDAV_HIGH)
{
return true;
else
{
#ifdef REG_TEST
- // FIXIT-M: known case: if session clears w/o a flush point,
- // stream_tcp will flush to paf max which could be well below what
- // has been scanned so far. since no flush point was specified,
- // NHI should just deal with what it gets.
+ // FIXIT-M: known case: if session clears w/o a flush point,
+ // stream_tcp will flush to paf max which could be well below what
+ // has been scanned so far. since no flush point was specified,
+ // NHI should just deal with what it gets.
//assert(false);
#endif
return http_buf;
#define POP_PKT_FROM_CLIENT 1
#define POP_PKT_FROM_SERVER 2
-#define STATE_DATA 0 // Data state
+#define STATE_DATA 0 // Data state
#define STATE_TLS_CLIENT_PEND 1 // Got STARTTLS
#define STATE_TLS_SERVER_PEND 2 // Got STARTTLS
#define STATE_TLS_DATA 3 // Successful handshake, TLS encrypted data
std::transform(method.begin(), method.end(), method.begin(), ::toupper);
bool negated = methods.begin()->second;
- bool match = methods.find(method) != methods.cend();
+ bool match = methods.find(method) != methods.cend();
if ( negated ^ match )
return MATCH;
if (nullptr == mSession)
return;
-
+
mSession->savedFlag = SIP_SESSION_SAVED;
// Find out the media session based on session id
currSession = *dList;
{
if (currSession->sessionID == mSession->sessionID)
break;
-
+
preSession = currSession;
currSession = currSession->nextS;
}
{
if (sipMsg->dlgID.callIdHash == dialog->dlgID.callIdHash)
break;
-
+
oldDialog = dialog;
dialog = dialog->nextD;
}
CHECK_EQUAL(ret, StreamSplitter::SEARCH);
CHECK_EQUAL(ssut.splitter_get_paf_state(), SIP_PAF_FLUSH_STATE);
CHECK_EQUAL(fp, 0);
-
+
ssut.splitter_reset_states();
ssut.splitter_set_paf_state(SIP_PAF_BODY_SEARCH);
CHECK_EQUAL(ret, StreamSplitter::FLUSH);
CHECK_TRUE(ssut.is_init());
CHECK_EQUAL(fp, 7);
-
+
ssut.splitter_reset_states();
// Whole Sip body is not in one buffer
fp = 0;
}
TEST(sip_splitter_test, get_length_finish_test)
-{
+{
for(auto ch : spaces)
{
ssut.splitter_set_content_length(201);
for(auto ch : spaces)
{
ssut.splitter_process_command(ch);
- CHECK_TRUE(ssut.is_init());
+ CHECK_TRUE(ssut.is_init());
}
}
ssut.splitter_process_command('l');
CHECK_EQUAL(*ssut.splitter_get_next_letter(), '\0');
-
ssut.splitter_reset_states();
for(int i = 0; content_len_key[i] != '\0'; i++) {
ssut.splitter_process_command(content_len_key[i]);
TEST(sip_splitter_test, process_command_invalid_input_test)
{
ssut.splitter_process_command('O');
- CHECK_TRUE(ssut.is_init());
+ CHECK_TRUE(ssut.is_init());
}
TEST(sip_splitter_test, process_command_len_convert_test)
for(auto ch : blanks)
{
ssut.splitter_process_command(ch);
- CHECK_FALSE(ssut.is_init());
+ CHECK_FALSE(ssut.is_init());
}
}
{
ssut.splitter_set_next_letter_last();
ssut.splitter_process_command('\r');
- CHECK_TRUE(ssut.is_init());
+ CHECK_TRUE(ssut.is_init());
}
int main(int argc, char** argv)
SipSplitterUT(const SipSplitter& ss) : ss(ss) { };
bool splitter_is_paf()
- {
+ {
return ss.is_paf();
}
void splitter_reset_states()
- {
+ {
ss.reset_states();
}
SipPafStates splitter_get_paf_state()
- {
- return ss.paf_state;
+ {
+ return ss.paf_state;
}
SipPafBodyStatus splitter_get_body_state()
- {
+ {
return ss.body_state;
}
#define STATE_BDATA 3 // Binary data state
#define STATE_TLS_CLIENT_PEND 4 // Got STARTTLS
#define STATE_TLS_SERVER_PEND 5 // Got STARTTLS
-#define STATE_TLS_DATA 6 // Successful handshake, TLS encrypted data
+#define STATE_TLS_DATA 6 // Successful handshake, TLS encrypted data
#define STATE_AUTH 7
#define STATE_XEXCH50 8
#define STATE_UNKNOWN 9
public:
using snort::MimeSession::MimeSession;
SMTP_PROTO_CONF* config;
-#ifndef UNIT_TEST
+#ifndef UNIT_TEST
private:
-#endif
+#endif
int handle_header_line(const uint8_t* ptr, const uint8_t* eol,
int max_header_len, snort::Packet* p) override;
int normalize_data(const uint8_t* ptr, const uint8_t* data_end, snort::Packet* p) override;
#ifdef UNIT_TEST
private:
-#endif
+#endif
void decode_alert() override;
void decompress_alert() override;
void reset_state(snort::Flow* ssn) override;
struct SMTPCmdConfig
{
bool alert;
- bool normalize; // 1 if we should normalize this command
+ bool normalize; // 1 if we should normalize this command
int max_line_len; // Max length of this particular command
};
{
offset = ProcessSSHProtocolVersionExchange(config, sessp, p, direction);
if (!offset)
- // Error processing protovers exchange msg
+ // Error processing protovers exchange msg
return;
// found protocol version.
}
else
{
- /* unknown version */
+ /* unknown version */
sessionp->version = SSH_VERSION_UNKNOWN;
DetectionEngine::queue_event(GID_SSH, SSH_EVENT_VERSION);
-
+
return 0;
}
is_sslv2 = true;
paf_state = SSL_PAF_STATES_LEN2_V2;
}
- else
+ else
{
// unknown
if (last_fp > 0)
// Protocol aware flushing for SSL
// TLSPlaintext records are flushed when end-of-record meets end-of segment
-// The splitter supports both sslv2 and sslv3 record format,
-// it starts by checking the first byte, if it is a valid sslv3 content type,
+// The splitter supports both sslv2 and sslv3 record format,
+// it starts by checking the first byte, if it is a valid sslv3 content type,
// mark the session as sslv3; else if the MSB bit was set, marks it as sslv2,
// if this bit is not set, yet the session was marked sslv2 from prior detection,
// continue as sslv2
SSL_PAF_STATES_LEN2, // length byte-1
SSL_PAF_STATES_DATA, // fragment
SSL_PAF_STATES_LEN2_V2, // sslv2, length byte-1
- SSL_PAF_STATES_PAD_V2, // sslv2, padding byte if needed
+ SSL_PAF_STATES_PAD_V2, // sslv2, padding byte if needed
};
class SslSplitter : public snort::StreamSplitter
/* Adds the variable described by "src" to the variable "dst",
* using the vartable for looking variables used within "src".
- * If vartable is null variables are not supported.
+ * If vartable is null variables are not supported.
*/
SfIpRet sfvt_add_to_var(vartable_t* table, sfip_var_t* dst, const char* src)
{
if ( config.flow_cache_cfg.max_flows > 0 )
flow_con->init_exp(config.flow_cache_cfg.max_flows);
-
+
FlushBucket::set(config.footprint);
}
case PktType::MAX:
break;
- };
+ }
}
//-------------------------------------------------------------------------
// Stream handler to adjust allocated resources as needed on a config reload
bool StreamReloadResourceManager::initialize(const StreamModuleConfig& config_)
{
- // FIXIT-L - saving config here to check footprint change is a bit of a hack,
- if ( Snort::is_reloading() )
- {
- if ( config.footprint != config_.footprint )
- {
+ // FIXIT-L - saving config here to check footprint change is a bit of a hack,
+ if ( Snort::is_reloading() )
+ {
+ if ( config.footprint != config_.footprint )
+ {
// FIXIT-M - reinit FlushBucket...
ReloadError("Changing of stream.footprint requires a restart\n");
return false;
- }
+ }
- config = config_;
- return true;
- }
+ config = config_;
+ return true;
+ }
- config = config_;
- return false;
+ config = config_;
+ return false;
}
bool StreamReloadResourceManager::tinit()
bool StreamReloadResourceManager::tune_resources(unsigned work_limit)
{
- // we are done if new max is > currently allocated flow objects
- if ( flow_con->get_flows_allocated() <= config.flow_cache_cfg.max_flows )
- return true;
-
- unsigned flows_to_delete =
- flow_con->get_flows_allocated() - config.flow_cache_cfg.max_flows;
- if ( flows_to_delete > work_limit )
- flows_to_delete -= flow_con->delete_flows(work_limit);
- else
- flows_to_delete -= flow_con->delete_flows(flows_to_delete);
-
- return ( flows_to_delete ) ? false : true;
+ // we are done if new max is > currently allocated flow objects
+ if ( flow_con->get_flows_allocated() <= config.flow_cache_cfg.max_flows )
+ return true;
+
+ unsigned flows_to_delete =
+ flow_con->get_flows_allocated() - config.flow_cache_cfg.max_flows;
+ if ( flows_to_delete > work_limit )
+ flows_to_delete -= flow_con->delete_flows(work_limit);
+ else
+ flows_to_delete -= flow_con->delete_flows(flows_to_delete);
+
+ return ( flows_to_delete ) ? false : true;
}
class StreamReloadResourceManager : public snort::ReloadResourceTuner
{
public:
- StreamReloadResourceManager() {}
+ StreamReloadResourceManager() {}
bool tinit() override;
bool tune_packet_context() override;
// FileSession methods
//-------------------------------------------------------------------------
-FileSession::FileSession(Flow* flow) : Session(flow)
+FileSession::FileSession(Flow* f) : Session(f)
{ memory::MemoryCap::update_allocations(sizeof(*this)); }
FileSession::~FileSession()
// IcmpSession methods
//-------------------------------------------------------------------------
-IcmpSession::IcmpSession(Flow* flow) : Session(flow)
+IcmpSession::IcmpSession(Flow* f) : Session(f)
{ memory::MemoryCap::update_allocations(sizeof(*this)); }
IcmpSession::~IcmpSession()
ssn_time.tv_sec = 0;
ssn_time.tv_usec = 0;
flow->ssn_state.session_flags |= SSNFLAG_SEEN_SENDER;
- SESSION_STATS_ADD(icmpStats);
-
+ SESSION_STATS_ADD(icmpStats)
+
StreamIcmpConfig* pc = get_icmp_cfg(flow->ssn_server);
flow->set_default_session_timeout(pc->session_timeout, false);
int IcmpSession::process(Packet* p)
{
int status;
-
+
flow->set_expire(p, flow->default_session_timeout);
if (!(flow->ssn_state.session_flags & SSNFLAG_ESTABLISHED) and !(p->is_from_client()))
// IpSession methods
//-------------------------------------------------------------------------
-IpSession::IpSession(Flow* flow) : Session(flow)
+IpSession::IpSession(Flow* f) : Session(f)
{ memory::MemoryCap::update_allocations(sizeof(*this)); }
IpSession::~IpSession()
bool IpSession::setup(Packet* p)
{
- SESSION_STATS_ADD(ip_stats);
+ SESSION_STATS_ADD(ip_stats)
memset(&tracker, 0, sizeof(tracker));
StreamIpConfig* pc = get_ip_cfg(flow->ssn_server);
if (flow->session_state & STREAM_STATE_CLOSED)
{
assert(flow_con);
-
+
// this will get called on each onload
// eventually all onloads will occur and delete will be called
if ( not flow->is_suspended() )
assert(flow && flow->session);
trace_logf(stream, "stop inspection on flow, dir %s \n",
- dir == SSN_DIR_BOTH ? "BOTH":
- ((dir == SSN_DIR_FROM_CLIENT) ? "FROM_CLIENT" : "FROM_SERVER"));
+ dir == SSN_DIR_BOTH ? "BOTH" :
+ ((dir == SSN_DIR_FROM_CLIENT) ? "FROM_CLIENT" : "FROM_SERVER"));
switch (dir)
{
else
return false;
-
+
return true;
}
void TcpSession::sterm()
{ TcpSegmentNode::clear(); }
-TcpSession::TcpSession(Flow* flow)
- : TcpStreamSession(flow)
+TcpSession::TcpSession(Flow* f) : TcpStreamSession(f)
{
tsm = TcpStateMachine::get_instance();
splitter_init = false;
const TcpStreamConfig* cfg = get_tcp_cfg(flow->ssn_server);
flow->set_default_session_timeout(cfg->session_timeout, false);
- SESSION_STATS_ADD(tcpStats);
+ SESSION_STATS_ADD(tcpStats)
tcpStats.setups++;
return true;
}
/* New session, previous was marked as reset. Clear the reset flag. */
flow->clear_session_flags(SSNFLAG_RESET);
- flow->set_expire(tsd.get_pkt(), flow->default_session_timeout);
+ flow->set_expire(tsd.get_pkt(), flow->default_session_timeout);
update_perf_base_state(TcpStreamTracker::TCP_SYN_SENT);
// UdpSession methods
//-------------------------------------------------------------------------
-UdpSession::UdpSession(Flow* flow) : Session(flow)
+UdpSession::UdpSession(Flow* f) : Session(f)
{ memory::MemoryCap::update_allocations(sizeof(*this)); }
UdpSession::~UdpSession()
StreamUdpConfig* pc = get_udp_cfg(flow->ssn_server);
flow->set_default_session_timeout(pc->session_timeout, false);
- SESSION_STATS_ADD(udpStats);
+ SESSION_STATS_ADD(udpStats)
DataBus::publish(FLOW_STATE_EVENT, p);
ProcessUdp(flow, p, pc, nullptr);
flow->markup_packet_flags(p);
-
+
flow->set_expire(p, flow->default_session_timeout);
return 0;
// may need additional refactoring
//-------------------------------------------------------------------------
-void UserSession::start(Packet* p, Flow* flow)
+void UserSession::start(Packet* p, Flow* f)
{
- Inspector* ins = flow->gadget;
+ Inspector* ins = f->gadget;
if ( !ins )
- ins = flow->clouseau;
+ ins = f->clouseau;
if ( ins )
{
}
{
- flow->pkt_type = p->type();
- flow->ip_proto = (uint8_t)p->get_ip_proto_next();
+ f->pkt_type = p->type();
+ f->ip_proto = (uint8_t)p->get_ip_proto_next();
- if (flow->ssn_state.session_flags & SSNFLAG_RESET)
- flow->ssn_state.session_flags &= ~SSNFLAG_RESET;
+ if (f->ssn_state.session_flags & SSNFLAG_RESET)
+ f->ssn_state.session_flags &= ~SSNFLAG_RESET;
- if ( (flow->ssn_state.session_flags & SSNFLAG_CLIENT_SWAP) &&
- !(flow->ssn_state.session_flags & SSNFLAG_CLIENT_SWAPPED) )
+ if ( (f->ssn_state.session_flags & SSNFLAG_CLIENT_SWAP) &&
+ !(f->ssn_state.session_flags & SSNFLAG_CLIENT_SWAPPED) )
{
- SfIp ip = flow->client_ip;
- uint16_t port = flow->client_port;
+ SfIp ip = f->client_ip;
+ uint16_t port = f->client_port;
- flow->client_ip = flow->server_ip;
- flow->server_ip = ip;
+ f->client_ip = f->server_ip;
+ f->server_ip = ip;
- flow->client_port = flow->server_port;
- flow->server_port = port;
+ f->client_port = f->server_port;
+ f->server_port = port;
- if ( !flow->two_way_traffic() )
+ if ( !f->two_way_traffic() )
{
- if ( flow->ssn_state.session_flags & SSNFLAG_SEEN_CLIENT )
+ if ( f->ssn_state.session_flags & SSNFLAG_SEEN_CLIENT )
{
- flow->ssn_state.session_flags ^= SSNFLAG_SEEN_CLIENT;
- flow->ssn_state.session_flags |= SSNFLAG_SEEN_SERVER;
+ f->ssn_state.session_flags ^= SSNFLAG_SEEN_CLIENT;
+ f->ssn_state.session_flags |= SSNFLAG_SEEN_SERVER;
}
- else if ( flow->ssn_state.session_flags & SSNFLAG_SEEN_SERVER )
+ else if ( f->ssn_state.session_flags & SSNFLAG_SEEN_SERVER )
{
- flow->ssn_state.session_flags ^= SSNFLAG_SEEN_SERVER;
- flow->ssn_state.session_flags |= SSNFLAG_SEEN_CLIENT;
+ f->ssn_state.session_flags ^= SSNFLAG_SEEN_SERVER;
+ f->ssn_state.session_flags |= SSNFLAG_SEEN_CLIENT;
}
}
- flow->ssn_state.session_flags |= SSNFLAG_CLIENT_SWAPPED;
+ f->ssn_state.session_flags |= SSNFLAG_CLIENT_SWAPPED;
}
#if 0
// FIXIT-M implement stream_user perf stats
- //flow->set_expire(p, dstPolicy->session_timeout);
+ //f->set_expire(p, dstPolicy->session_timeout);
// add user flavor to perf stats?
AddStreamSession(
- &sfBase, flow->session_state & STREAM_STATE_MIDSTREAM ? SSNFLAG_MIDSTREAM : 0);
+ &sfBase, f->session_state & STREAM_STATE_MIDSTREAM ? SSNFLAG_MIDSTREAM : 0);
StreamUpdatePerfBaseState(&sfBase, tmp->flow, TCP_STATE_SYN_SENT);
server.splitter = nullptr;
}
-void UserSession::update(Packet* p, Flow* flow)
+void UserSession::update(Packet* p, Flow* f)
{
if ( p->ptrs.sp and p->ptrs.dp )
p->packet_flags |= PKT_STREAM_EST;
else
p->packet_flags |= PKT_STREAM_UNEST_UNI;
- if ( !(flow->ssn_state.session_flags & SSNFLAG_ESTABLISHED) )
+ if ( !(f->ssn_state.session_flags & SSNFLAG_ESTABLISHED) )
{
if ( p->is_from_client() )
- flow->ssn_state.session_flags |= SSNFLAG_SEEN_CLIENT;
+ f->ssn_state.session_flags |= SSNFLAG_SEEN_CLIENT;
else
- flow->ssn_state.session_flags |= SSNFLAG_SEEN_SERVER;
+ f->ssn_state.session_flags |= SSNFLAG_SEEN_SERVER;
- if ( (flow->ssn_state.session_flags & SSNFLAG_SEEN_CLIENT) &&
- (flow->ssn_state.session_flags & SSNFLAG_SEEN_SERVER) )
+ if ( (f->ssn_state.session_flags & SSNFLAG_SEEN_CLIENT) &&
+ (f->ssn_state.session_flags & SSNFLAG_SEEN_SERVER) )
{
- flow->ssn_state.session_flags |= SSNFLAG_ESTABLISHED;
+ f->ssn_state.session_flags |= SSNFLAG_ESTABLISHED;
- flow->set_ttl(p, false);
+ f->set_ttl(p, false);
}
}
- flow->set_expire(p, flow->default_session_timeout);
+ f->set_expire(p, f->default_session_timeout);
}
void UserSession::restart(Packet* p)
// UserSession methods
//-------------------------------------------------------------------------
-UserSession::UserSession(Flow* flow) : Session(flow)
+UserSession::UserSession(Flow* f) : Session(f)
{ memory::MemoryCap::update_allocations(sizeof(*this)); }
UserSession::~UserSession()
// * is_network_protocol()
// * is_builtin_protocol()
// * is_service_protocol()
-TEST(protocol_reference, builtin_protocols)
+TEST(protocol_reference, builtin_protocols)
{
ProtocolReference refs;
template<typename T>
class PrimedAllocator
{
-public:
+public:
struct Node
{
Node* next;
if ( !this->state->ref_count )
delete state;
-
+
this->state = state;
state->ref_count++;
}
}
return reinterpret_cast<T*>(operator new(sizeof(T)));
}
-
+
void deallocate(pointer p, size_type) noexcept
{
Node* node = reinterpret_cast<Node*>(p);
{
ParseError("can't open file %s = %s: %s", key, fname, get_error(errno));
close(fd);
- return "";
+ return "";
}
close(fd);
return line;
#define SECONDS_PER_HOUR 3600 /* number of seconds in a hour */
#define SECONDS_PER_MIN 60 /* number of seconds in a minute */
-#define COPY4(x, y) \
- x[0] = (y)[0]; (x)[1] = (y)[1]; (x)[2] = (y)[2]; (x)[3] = (y)[3];
-
-#define COPY16(x,y) \
- x[0] = (y)[0]; (x)[1] = (y)[1]; (x)[2] = (y)[2]; (x)[3] = (y)[3]; \
- (x)[4] = (y)[4]; (x)[5] = (y)[5]; (x)[6] = (y)[6]; (x)[7] = (y)[7]; \
- (x)[8] = (y)[8]; (x)[9] = (y)[9]; (x)[10] = (y)[10]; (x)[11] = (y)[11]; \
- (x)[12] = (y)[12]; (x)[13] = (y)[13]; (x)[14] = (y)[14]; (x)[15] = (y)[15];
-
void StoreSnortInfoStrings();
int DisplayBanner();
int gmt2local(time_t);
void SetNoCores();
#endif
+namespace
+{
+inline void COPY4(uint32_t* dst, const uint32_t* src)
+{
+ dst[0] = src[0];
+ dst[1] = src[1];
+ dst[2] = src[2];
+ dst[3] = src[3];
+}
+}
+
inline void* snort_alloc(size_t sz)
{ return new uint8_t[sz]; }
if ( !t.key.empty() )
out << "[\"" << t.key << "\"]";
-
+
out << (t.one_line ? " = " : " =\n");
}
std::string get_value(DataApi*);
bool add_value(std::string);
void set_value(const std::string&, bool quoted);
-
+
void set_print_whitespace(bool w)
{ print_whitespace = w; }
template<typename T>
bool do_add_option(const std::string& opt_name, const T val, const std::string& s_val);
- template<typename T>
+ template<typename T>
void do_append_option(const std::string& opt_name, const T val, const std::string& s_val);
void create_append_data(std::string& fqn, Table*& t);
{ Converter::set_bind_wizard(true); }
static void bind_port(const char* /*key*/, const char* /*val*/)
-{
+{
Converter::set_bind_port(true);
Converter::set_bind_wizard(false);
}
case IT_NETWORK:
opt_name = "network_policy";
break;
-
+
default:
// This should always be set explicitly if a file name exists.
assert(false);
}
// By predetermined order
- FIRST_IF_LT(left->get_priority(), right->get_priority());
+ FIRST_IF_LT(left->get_priority(), right->get_priority())
// By priorities of options
FIRST_IF_GT(left->has_ips_policy_id(), right->has_ips_policy_id())
-
+
auto left_zone_specs = left->has_src_zone() + left->has_dst_zone();
auto right_zone_specs = right->has_src_zone() + right->has_dst_zone();
- FIRST_IF_GT(left_zone_specs, right_zone_specs);
+ FIRST_IF_GT(left_zone_specs, right_zone_specs)
FIRST_IF_GT(left->has_vlans(), right->has_vlans())
FIRST_IF_GT(left->has_service(), right->has_service())
auto left_net_specs = left->has_src_nets() + left->has_dst_nets();
auto right_net_specs = right->has_src_nets() + right->has_dst_nets();
- FIRST_IF_GT(left_net_specs, right_net_specs);
+ FIRST_IF_GT(left_net_specs, right_net_specs)
FIRST_IF_GT(left->has_nets(), right->has_nets())
auto left_port_specs = left->has_src_ports() + left->has_dst_ports();
auto right_port_specs = right->has_src_ports() + right->has_dst_ports();
- FIRST_IF_GT(left_port_specs, right_port_specs);
+ FIRST_IF_GT(left_port_specs, right_port_specs)
FIRST_IF_GT(left->has_ports(), right->has_ports())
FIRST_IF_GT(left->has_proto(), right->has_proto())
void print_binder_priorities()
{
- static unsigned const num_combos = 2 << 12;
+ static unsigned const num_combos = 2 << 12;
vector<shared_ptr<Binder>> binders;
TableApi t;
// by either the destructor or user
unsigned priority = PRIORITY_LAST;
-
+
int when_ips_policy_id = -1;
std::string when_service;
std::string when_role;
std::vector<std::string> dst_ports;
std::vector<std::string> when_src_zone;
std::vector<std::string> when_dst_zone;
- std::vector<std::string> zones;
+ std::vector<std::string> zones;
std::string use_type;
std::string use_name;
} // namespace
static std::unordered_set<std::string> string_keys = {
- "category",
- "msg",
- "type",
- "ver",
- "group",
+ "category",
+ "msg",
+ "type",
+ "ver",
+ "group",
};
static std::unordered_set<std::string> int_keys = {
- "id",
- "rev",
+ "id",
+ "rev",
};
static std::unordered_set<std::string> content_keys = {
- "content",
- "offset",
+ "content",
+ "offset",
};
bool File::convert(std::istringstream& data_stream)
}
}
- if (!ports_set)
+ if (!ports_set)
{
tcp_bind.set_when_role("server");
tcp_bind.add_when_port("53");
bind.set_when_proto("tcp");
while (data_stream >> keyword && keyword != "}")
{
- default_binding = false;;
+ default_binding = false;
bind.add_when_port(keyword);
}
}
std::string protocol;
std::string ips_policy;
- TRY_FIELD(action); // ignore since nap rules don't drop
- TRY_FIELD(src_zone);
- TRY_FIELD(src_net);
+ TRY_FIELD(action) // ignore since nap rules don't drop
+ TRY_FIELD(src_zone)
+ TRY_FIELD(src_net)
if ( src_net != "any" )
- TRY_FIELD(src_netmask);
+ TRY_FIELD(src_netmask)
- TRY_FIELD(src_port);
- TRY_FIELD(dst_zone);
- TRY_FIELD(dst_net);
+ TRY_FIELD(src_port)
+ TRY_FIELD(dst_zone)
+ TRY_FIELD(dst_net)
if ( dst_net != "any" )
- TRY_FIELD(dst_netmask);
+ TRY_FIELD(dst_netmask)
- TRY_FIELD(dst_port);
- TRY_FIELD(vlan);
- TRY_FIELD(protocol);
+ TRY_FIELD(dst_port)
+ TRY_FIELD(vlan)
+ TRY_FIELD(protocol)
for ( std::string s; data_stream >> s; ips_policy += " " + s );
bind.set_when_proto("tcp");
while (data_stream >> keyword && keyword != "}")
{
- default_binding = false;
+ default_binding = false;
bind.add_when_port(keyword);
}
}
}
}
if ( emit_max_flows )
- table_api.add_option("max_flows", tcp_max + udp_max + icmp_max + ip_max);
+ table_api.add_option("max_flows", tcp_max + udp_max + icmp_max + ip_max);
if ( emit_pruning_timeout )
- table_api.add_option("pruning_timeout", INT_MAX == pruning_timeout ? 30 : pruning_timeout);
+ table_api.add_option("pruning_timeout", INT_MAX == pruning_timeout ? 30 : pruning_timeout);
return retval;
}
if (!tmpval)
{
data_api.failed_conversion(data_stream, arg_stream.str());
- retval = false;;
+ retval = false;
}
}
table_api.close_table(); // ha stream
bind_default->print_binding(false);
}
- // Add the port bindings separately from the protocol bindings since
- // in 2.9.x they are OR'd not AND'd. Clear the ports so they're not
+ // Add the port bindings separately from the protocol bindings since
+ // in 2.9.x they are OR'd not AND'd. Clear the ports so they're not
// included with the protocol bindings.
cv.make_binder(client);
client.clear_ports();
// Sid
//
-void Sid::convert_sid(std::string& sid, std::istringstream& data_stream, RuleApi& rule_api)
+void Sid::convert_sid(std::string& sid, std::istringstream& data_stream, RuleApi& r_api)
{
int sid_num;
try
}
catch (...)
{
- rule_api.bad_rule(data_stream, "sid - invalid input, expecting int type");
+ r_api.bad_rule(data_stream, "sid - invalid input, expecting int type");
return;
}
const int sid_offset = 100;
projects / thirdparty / snort3.git / commitdiff
