{ service = 'dnp3', proto = 'tcp', client_first = true,
to_server = { '|05 64|' }, to_client = { '|05 64|' } },
- { service = 'netflow', proto = 'udp', client_first = true,
+ { service = 'netflow', proto = 'udp', client_first = true,
to_server = netflow_versions },
{ service = 'http2', proto = 'tcp', client_first = true,
p->value = SnortConfig::get_static_name(val);
}
-bool HexBook::add_spell(const char* key, const char*& val)
+bool HexBook::add_spell(const char* key, const char*& val, ArcaneType proto)
{
+ // In case of 'ANY' as proto, pattern should be added
+ // to both UDP and TCP collections
+ if ( proto == ArcaneType::ANY )
+ {
+ auto val_local = val;
+
+ bool ret1 = add_spell(key, val_local, ArcaneType::UDP);
+ bool ret2 = add_spell(key, val, ArcaneType::TCP);
+
+ return ret1 || ret2;
+ }
+
HexVector hv;
if ( !translate(key, hv) )
}
unsigned i = 0;
- MagicPage* p = root;
+ MagicPage* p = get_root(proto);
while ( i < hv.size() )
{
}
MagicBook::MagicBook()
-{ root = new MagicPage(*this); }
+{ root = new MagicPage[(int)ArcaneType::MAX] { *this, *this }; }
MagicBook::~MagicBook()
-{ delete root; }
+{ delete[] root; }
#ifndef MAGIC_H
#define MAGIC_H
+#include <cassert>
#include <string>
#include <vector>
MagicBook(const MagicBook&) = delete;
MagicBook& operator=(const MagicBook&) = delete;
- virtual bool add_spell(const char* key, const char*& val) = 0;
+ enum class ArcaneType
+ {
+ TCP,
+ UDP,
+ ANY,
+ MAX = ANY
+ };
+
+ virtual bool add_spell(const char* key, const char*& val, ArcaneType proto) = 0;
virtual const char* find_spell(const uint8_t* data, unsigned len, const MagicPage*& p,
const MagicPage*& bookmark) const;
- const MagicPage* page1() const
- { return root; }
+ const MagicPage* page1(ArcaneType proto) const
+ {
+ assert(proto < ArcaneType::MAX);
+ return &root[(int)proto];
+ }
protected:
MagicBook();
MagicPage* root;
+ MagicPage* get_root(ArcaneType proto) const
+ {
+ assert(proto < ArcaneType::MAX);
+ return &root[(int)proto];
+ }
+
virtual const MagicPage* find_spell(const uint8_t*, unsigned,
const MagicPage*, unsigned, const MagicPage*&) const = 0;
};
public:
SpellBook();
- bool add_spell(const char*, const char*&) override;
+ bool add_spell(const char*, const char*&, ArcaneType) override;
private:
bool translate(const char*, HexVector&);
public:
HexBook() = default;
- bool add_spell(const char*, const char*&) override;
+ bool add_spell(const char*, const char*&, ArcaneType) override;
private:
bool translate(const char*, HexVector&);
#define WILD 0x100
-SpellBook::SpellBook()
+SpellBook::SpellBook() : MagicBook()
{
- // allows skipping leading whitespace only
- root->next[(int)' '] = root;
- root->next[(int)'\t'] = root;
- root->next[(int)'\r'] = root;
- root->next[(int)'\n'] = root;
+ // applying for both TCP and UDP arrays
+ for (size_t idx = 0; idx < (int)ArcaneType::MAX; ++idx)
+ {
+ MagicPage* r = &root[idx];
+
+ // allows skipping leading whitespace only
+ root[idx].next[(int)' '] = r;
+ root[idx].next[(int)'\t'] = r;
+ root[idx].next[(int)'\r'] = r;
+ root[idx].next[(int)'\n'] = r;
+ }
}
bool SpellBook::translate(const char* in, HexVector& out)
p->value = snort::SnortConfig::get_static_name(val);
}
-bool SpellBook::add_spell(const char* key, const char*& val)
+bool SpellBook::add_spell(const char* key, const char*& val, ArcaneType proto)
{
+ // In case of 'ANY' as proto, pattern should be added
+ // to both UDP and TCP collections
+ if ( proto == ArcaneType::ANY )
+ {
+ auto val_local = val;
+
+ bool ret1 = add_spell(key, val_local, ArcaneType::UDP);
+ bool ret2 = add_spell(key, val, ArcaneType::TCP);
+
+ return ret1 || ret2;
+ }
+
HexVector hv;
if ( !translate(key, hv) )
}
unsigned i = 0;
- MagicPage* p = root;
+ MagicPage* p = get_root(proto);
// Perform a longest prefix match before inserting the pattern.
while ( i < hv.size() )
#include "trace/trace.h"
#include "curses.h"
-#include "magic.h"
using namespace snort;
using namespace std;
{ "service", Parameter::PT_STRING, nullptr, nullptr,
"name of service" },
- { "proto", Parameter::PT_SELECT, "tcp | udp", "tcp",
+ { "proto", Parameter::PT_SELECT, "tcp | udp | any", "any",
"protocol to scan" },
{ "client_first", Parameter::PT_BOOL, nullptr, "true",
{ "service", Parameter::PT_STRING, nullptr, nullptr,
"name of service" },
- { "proto", Parameter::PT_SELECT, "tcp | udp", "tcp",
+ { "proto", Parameter::PT_SELECT, "tcp | udp | any", "any",
"protocol to scan" },
{ "client_first", Parameter::PT_BOOL, nullptr, "true",
if ( v.is("service") )
service = v.get_string();
- // FIXIT-L implement proto and client_first
else if ( v.is("proto") )
- return true;
+ {
+ if ( !strcmp(v.get_string(), "tcp") )
+ proto = MagicBook::ArcaneType::TCP;
+ else if ( !strcmp(v.get_string(), "udp") )
+ proto = MagicBook::ArcaneType::UDP;
+ else
+ proto = MagicBook::ArcaneType::ANY;
+ }
+ // FIXIT-H implement client_first
else if ( v.is("client_first") )
return true;
return true;
}
-static bool add_spells(MagicBook* b, const string& service, const vector<string>& patterns, bool hex)
+static bool add_spells(MagicBook* b, const string& service, const vector<string>& patterns,
+ bool hex, MagicBook::ArcaneType proto)
{
for ( const auto& p : patterns )
{
const char* val = service.c_str();
- if ( !b->add_spell(p.c_str(), val) )
+
+ if ( !b->add_spell(p.c_str(), val, proto) )
{
if ( !val )
{
{
service.clear();
c2s_patterns.clear();
+ s2c_patterns.clear();
}
else if ( !strcmp(fqn, "wizard.hexes") )
{
return false;
}
- if ( !add_spells(c2s_hexes, service, c2s_patterns, true) )
+ if ( !add_spells(c2s_hexes, service, c2s_patterns, true, proto) )
return false;
- if ( !add_spells(s2c_hexes, service, s2c_patterns, true) )
+ if ( !add_spells(s2c_hexes, service, s2c_patterns, true, proto) )
return false;
}
}
return false;
}
- if ( !add_spells(c2s_spells, service, c2s_patterns, false) )
+ if ( !add_spells(c2s_spells, service, c2s_patterns, false, proto) )
return false;
- if ( !add_spells(s2c_spells, service, s2c_patterns, false) )
+ if ( !add_spells(s2c_spells, service, s2c_patterns, false, proto) )
return false;
}
}
#include "framework/module.h"
+#include "magic.h"
+
#define WIZ_NAME "wizard"
#define WIZ_HELP "inspector that implements port-independent protocol identification"
CurseBook* curses = nullptr;
uint16_t max_search_depth = 0;
+
+ MagicBook::ArcaneType proto;
};
#endif
inline bool finished(Wand& w)
{ return !w.hex and !w.spell and w.curse_tracker.empty(); }
- void reset(Wand&, bool, bool);
+ void reset(Wand&, bool, MagicBook::MagicBook::ArcaneType);
bool cast_spell(Wand&, Flow*, const uint8_t*, unsigned, uint16_t&);
bool spellbind(const MagicPage*&, Flow*, const uint8_t*, unsigned, const MagicPage*&);
{
wizard = w;
w->add_ref();
- w->reset(wand, true, c2s);
+ // Used only in case of TCP traffic
+ w->reset(wand, c2s, MagicBook::ArcaneType::TCP);
}
MagicSplitter::~MagicSplitter()
delete curses;
}
-void Wizard::reset(Wand& w, bool tcp, bool c2s)
+void Wizard::reset(Wand& w, bool c2s, MagicBook::ArcaneType proto)
{
w.bookmark = nullptr;
if ( c2s )
{
- w.hex = c2s_hexes->page1();
- w.spell = c2s_spells->page1();
+ w.hex = c2s_hexes->page1(proto);
+ w.spell = c2s_spells->page1(proto);
}
else
{
- w.hex = s2c_hexes->page1();
- w.spell = s2c_spells->page1();
+ w.hex = s2c_hexes->page1(proto);
+ w.spell = s2c_spells->page1(proto);
}
+ bool tcp = MagicBook::ArcaneType::TCP == proto;
+
if ( w.curse_tracker.empty() )
{
for ( const CurseDetails* curse : curses->get_curses(tcp) )
bool c2s = p->is_from_client();
Wand wand;
- reset(wand, false, c2s);
+ reset(wand, c2s, MagicBook::ArcaneType::UDP);
uint16_t udp_processed_bytes = 0;
++tstats.udp_scans;
projects / thirdparty / snort3.git / commitdiff
