Merge pull request #715 in SNORT/snort3 from appid_fflow3 to master
authorRuss Combs (rucombs) <rucombs@cisco.com>
Tue, 22 Nov 2016 12:07:40 +0000 (07:07 -0500)
committerRuss Combs (rucombs) <rucombs@cisco.com>
Tue, 22 Nov 2016 12:07:40 +0000 (07:07 -0500)
Squashed commit of the following:

commit a9e3e7de8612efb242df0f21d32d0654e647d90c
Merge: 31d0bf7 61a685b
Author: Steve Chew <stechew@cisco.com>
Date:   Mon Nov 21 23:50:53 2016 -0500

    Merge branch 'appid_fflow3' of ssh://bitbucket-eng-rtp1.cisco.com:7999/snort/snort3 into appid_fflow3

    Conflicts:
     src/network_inspectors/appid/detector_plugins/detector_http.cc

commit 31d0bf78b51445976b335f705e25be0b0f744794
Author: Steve Chew <stechew@cisco.com>
Date:   Mon Nov 21 22:52:16 2016 -0500

    Remove future flow appid feature for http since there is no known use
    case.

commit 61a685bfd603fe098c64589162acbe2f838d2629
Author: Steve Chew <stechew@cisco.com>
Date:   Mon Nov 21 22:52:16 2016 -0500

    Remove future flow appid feature for http since there is no known use
    case.

src/network_inspectors/appid/app_info_table.cc
src/network_inspectors/appid/appid_config.h
src/network_inspectors/appid/appid_session.cc
src/network_inspectors/appid/appid_session.h
src/network_inspectors/appid/detector_plugins/detector_http.cc
src/network_inspectors/appid/detector_plugins/detector_http.h

index ae9af3d01342690aec6b56905deb3b833ab8081b..beeb41a18b3e0b5df1692dcdc125f8e203b1991d 100644 (file)
@@ -355,15 +355,6 @@ void AppInfoManager::load_appid_config(const char* path)
                     continue;
                 }
             }
-            else if (!(strcasecmp(conf_key, "chp_fflow")))
-            {
-                if (!(strcasecmp(conf_val, "disabled")))
-                {
-                    DebugMessage(DEBUG_APPID, "AppId: HTTP future flow creation disabled.\n");
-                    AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled = 1;
-                    continue;
-                }
-            }
             else if (!(strcasecmp(conf_key, "ftp_userid")))
             {
                 if (!(strcasecmp(conf_val, "disabled")))
index aa288698da58befa80d538e036fabb750d789f82..b2d8510d46db31bac42b6568697066f1f8e589af 100644 (file)
@@ -110,7 +110,6 @@ public:
     uint32_t ftp_userid_disabled = 0;
     uint32_t chp_userid_disabled = 0;
     uint32_t chp_body_collection_disabled = 0;
-    uint32_t chp_fflow_disabled = 0;
     uint32_t chp_body_collection_max = 0;
     uint32_t max_tp_flow_depth = 0;
     uint32_t tp_allow_probes = 0;
index 6346d11769f7052791001eae900a7d06fb17dd7a..df1389daa7542258b66e9ee4a306fe322f464860 100644 (file)
@@ -2651,11 +2651,6 @@ void AppIdSession::free_http_session_data()
                 hsession->new_field[i] = nullptr;
             }
         }
-    if (hsession->fflow)
-    {
-        snort_free(hsession->fflow);
-        hsession->fflow = nullptr;
-    }
     if (hsession->via)
     {
         snort_free(hsession->via);
@@ -3379,13 +3374,6 @@ void AppIdSession::processCHP(char** version, Packet* p)
             if (http_session->app_type_flags & APP_TYPE_PAYLOAD)
                 set_payload_app_id_data((ApplicationId)chp_final, version);
 
-            if (http_session->fflow && http_session->fflow->flow_prepared)
-            {
-                finalize_fflow(http_session->fflow, http_session->app_type_flags,
-                    (http_session->fflow->appId ? http_session->fflow->appId : chp_final), p);
-                snort_free(http_session->fflow);
-                http_session->fflow = nullptr;
-            }
             if (*version)
                 *version = nullptr;
             if (user)
index 09c19257dc4329f3076c54c52d2dbf7d608a3dbb..d62fb9f7b0f3568fbb29c97c3eb193f5dd144bda 100644 (file)
@@ -133,17 +133,6 @@ struct CommonAppIdData
 #define SCAN_HTTP_XWORKINGWITH_FLAG (1<<7)
 #define SCAN_HTTP_CONTENT_TYPE_FLAG (1<<8)
 
-struct fflow_info
-{
-    uint32_t sip = 0;
-    uint32_t dip = 0;
-    uint16_t sport = 0;
-    uint16_t dport = 0;
-    IpProtocol protocol = IpProtocol::PROTO_NOT_SET;
-    AppId appId = APP_ID_NONE;
-    int flow_prepared = 0;
-};
-
 #define RESPONSE_CODE_PACKET_THRESHHOLD 0
 
 struct httpSession
@@ -176,7 +165,6 @@ struct httpSession
     uint16_t new_field_len[HTTP_FIELD_MAX+1] = { 0 };
     uint16_t fieldOffset[HTTP_FIELD_MAX+1] = { 0 };
     uint16_t fieldEndOffset[HTTP_FIELD_MAX+1] = { 0 };
-    fflow_info* fflow = nullptr;
     bool new_field_contents = false;
     int chp_finished = 0;
     AppId chp_candidate = APP_ID_NONE;
index 0c75bf59640b62569ba18979de9551a560e84bf6..847913c0c310cde034eda647dc6aa9023c45384a 100644 (file)
@@ -1143,358 +1143,6 @@ static void extractCHP(char* buf, int bs, int start, int psize, char* adata,  ch
     *outbuf = snort_strndup(begin, end-begin);
 }
 
-static uint32_t ddToIp(char* start, int size)
-{
-    uint32_t ret_addr = 0;
-    char* p;
-    int tmp = 0;
-    int octet = 3;
-    int digit_count = 1;
-    int done = 0;
-
-    for (p = start;
-        p < start+size;
-        p++)
-    {
-        if (isdigit(*p))
-        {
-            // if there are more than three digits in a row
-            if (digit_count > 3)
-            {
-                // this might be a spurrious digit after the IP address
-                if (octet == 0 && tmp && tmp <= 255)
-                {
-                    ret_addr += tmp;
-                    done = 1;
-                    break;
-                }
-                else
-                    return 0;
-            }
-            // otherwise, increase the value of tmp
-            tmp *= 10;
-            tmp += *p - '0';
-            digit_count++;
-        }
-        // 0x2e is '.'
-        else if (*p == 0x2e)
-        {
-            // make sure we don't have random dots in there
-            if (!tmp)
-                return 0;
-            // otherwise, increase the return value
-            else
-            {
-                // octet value must fit in 8-bit boundary
-                if (tmp > 255)
-                    return 0;
-                ret_addr += tmp <<octet*8;
-                //maybe this is an extraneous '.' at the end
-                if (octet == 0)
-                {
-                    done = 1;
-                    break;
-                }
-                octet--;
-                digit_count = 1;
-                tmp = 0;
-            }
-        }
-        // this might be a character right after the IP address
-        else if (octet == 0 && tmp && tmp <= 255)
-        {
-            ret_addr += tmp;
-            done = 1;
-            break;
-        }
-        // bail out if we see something funny
-        else
-            return 0;
-    }
-    if (octet || tmp > 255)
-        return 0;
-    if (!done)
-        ret_addr += tmp;
-    return htonl(ret_addr);
-}
-
-static uint32_t ffSetIp(char* buf, int buf_size, int start, int psize)
-{
-    uint32_t ret_address;
-
-    ret_address = ddToIp(buf+start+psize, buf_size);
-
-    return ret_address;
-}
-
-static uint16_t ffSetPort(char* buf, int buf_size, int start, int psize)
-{
-    uint16_t temp_port = 0;
-    uint16_t new_digit;
-    char* p;
-    int i;
-
-    for (p = buf+start+psize, i = 1; p < buf+buf_size && isdigit(*p); p++, i++)
-    {
-        new_digit = *p -'0';
-        // we don't want to try to put a value gt 65535 into a uint_16t
-        if ((i > 5) || (temp_port > 6535 || (temp_port == 6535 && new_digit > 5)))
-            return 0;
-        temp_port *= 10;
-        temp_port += *p - '0';
-    }
-
-    return temp_port;
-}
-
-static IpProtocol ffSetProtocol(char* buf, int buf_size, int start, int psize)
-{
-    uint8_t temp_protocol = 0;
-    uint8_t new_digit;
-    char* p;
-    int i;
-
-    for (p = buf+start+psize, i = 1; p < buf+buf_size && isdigit(*p); p++, i++)
-    {
-        new_digit = *p - '0';
-        // we don't want to try to put a value gt 255 into a uint8_t
-        if ((i > 3) || (temp_protocol > 25 || (temp_protocol == 25 && new_digit > 5)))
-            return IpProtocol::PROTO_NOT_SET;
-
-        temp_protocol *= 10;
-        temp_protocol += new_digit;
-    }
-
-    return (IpProtocol)temp_protocol;
-}
-
-#if MUST_FIX
-            // FIXIT-H: We do not have a packet when we get called from
-            //    the HTTP inspector. Is there an alternative?
-static void fflowCreate(char* adata, fflow_info* fflow, Packet* p, AppId target_appid)
-{
-    char* saddr_string = nullptr;
-    char* daddr_string = nullptr;
-    char* sport_string = nullptr;
-    char* dport_string = nullptr;
-    char* protocol_string = nullptr;
-    char* appid = nullptr;
-    const sfip_t* sip;
-    const sfip_t* dip;
-    int temp_port = 0;
-    char* brk;
-
-    /*
-       The Action Data for this action is special
-       THE SEQUENCE MUST BE
-       source_address source_port dest_address dest_port protocol appid
-       DELIMITED BY A SPACE
-       if any value is '*', that means we should have already set this value with a previous action
-    */
-    if (!(saddr_string = strtok_r(adata, " ", &brk)))
-        return;
-    if (!(sport_string = strtok_r(nullptr, " ", &brk)))
-        return;
-    if (!(daddr_string = strtok_r(nullptr, " ", &brk)))
-        return;
-    if (!(dport_string = strtok_r(nullptr, " ", &brk)))
-        return;
-    if (!(protocol_string = strtok_r(nullptr, " ", &brk)))
-        return;
-    if (!(appid = strtok_r(nullptr, " ", &brk)))
-        return;
-
-    switch (*saddr_string)
-    {
-    case 'S':
-        sip = p->ptrs.ip_api.get_src();
-        fflow->sip = sip->ip32[0];
-        break;
-    case 'D':
-        sip = p->ptrs.ip_api.get_dst();
-        fflow->sip = sip->ip32[0];
-        break;
-    case '0':
-        sip = 0;
-        break;
-    case '*':
-        if (!fflow->sip)
-            return;
-        break;
-    default:
-        if ((!fflow->sip) && (!(fflow->sip = ddToIp(saddr_string, strlen(saddr_string)))))
-            return;
-    }
-
-    switch (*sport_string)
-    {
-    case 'S':
-        if (strlen(sport_string) > 2)
-        {
-            if ((temp_port = strtol(sport_string+1, nullptr, 10)))
-                fflow->sport = p->ptrs.sp + temp_port;
-            else
-                return;
-        }
-        else
-            fflow->sport = p->ptrs.sp;
-        break;
-    case 'D':
-        if (strlen(sport_string) > 2)
-        {
-            if ((temp_port = strtol(sport_string+1, nullptr, 10)))
-                fflow->sport = p->ptrs.dp + temp_port;
-            else
-                return;
-        }
-        else
-            fflow->sport = p->ptrs.dp;
-        break;
-    case '0':
-        fflow->sport = 0;
-        break;
-    case '*':
-        if (!fflow->sport)
-            return;
-        break;
-    default:
-        if ((!fflow->sport) && (!(fflow->sport = ffSetPort(sport_string, strlen(sport_string), 0,
-                0))))
-            return;
-    }
-
-    switch (*daddr_string)
-    {
-    case 'S':
-        dip = p->ptrs.ip_api.get_src();
-        fflow->dip = dip->ip32[0];
-        break;
-    case 'D':
-        dip = p->ptrs.ip_api.get_dst();
-        fflow->dip = dip->ip32[0];
-        break;
-    case '0':
-        fflow->dip = 0;
-        break;
-    case '*':
-        if (!fflow->dip)
-            return;
-        break;
-    default:
-        if ((!fflow->dip) && (!(fflow->dip = ddToIp(daddr_string, strlen(daddr_string)))))
-            return;
-    }
-
-    switch (*dport_string)
-    {
-    case 'S':
-        if (strlen(dport_string) > 2)
-        {
-            if ((temp_port = strtol(dport_string+1, nullptr, 10)))
-                fflow->dport = p->ptrs.dp + temp_port;
-            else
-                return;
-        }
-        else
-            fflow->dport = p->ptrs.sp;
-        break;
-    case 'D':
-        if (strlen(dport_string) > 2)
-        {
-            if ((temp_port = strtol(dport_string+1, nullptr, 10)))
-                fflow->dport = p->ptrs.dp + temp_port;
-            else
-                return;
-        }
-        else
-            fflow->dport = p->ptrs.dp;
-        break;
-    case '0':
-        fflow->dport = 0;
-        break;
-    case '*':
-        if (!fflow->dport)
-            return;
-        break;
-    default:
-        if ((!fflow->dport) && (!(fflow->dport = ffSetPort(dport_string, strlen(dport_string), 0,
-                0))))
-            return;
-    }
-
-    switch (*protocol_string)
-    {
-    case 'T':
-        fflow->protocol = IpProtocol::TCP;
-        break;
-    case 'U':
-        fflow->protocol = IpProtocol::UDP;
-        break;
-    case '0':
-        fflow->protocol = IpProtocol::PROTO_NOT_SET;
-        break;
-    case 'S':
-    case 'D':
-        fflow->protocol = p->is_tcp() ? IpProtocol::TCP : IpProtocol::UDP;
-        break;
-    case '*':
-        if ( fflow->protocol == IpProtocol::PROTO_NOT_SET )
-            return;
-        break;
-    default:
-        if ( fflow->protocol == IpProtocol::PROTO_NOT_SET )
-        {
-            fflow->protocol = ffSetProtocol(
-                protocol_string, strlen(protocol_string), 0, 0);
-
-            if ( fflow->protocol == IpProtocol::PROTO_NOT_SET )
-                return;
-        }
-        break;
-    }
-
-    switch (*appid)
-    {
-    case '*':
-        fflow->appId = target_appid;
-        break;
-    default:
-        fflow->appId = strtol(appid, nullptr, 10);
-    }
-
-    fflow->flow_prepared = 1;
-}
-#endif
-
-void finalize_fflow(fflow_info* fflow, unsigned app_type_flags, AppId target_appId, Packet* p)
-{
-    AppIdSession* fp;
-    sfip_t saddr, daddr;
-
-    sfip_set_raw(&saddr, &fflow->sip, AF_INET);
-    sfip_set_raw(&daddr, &fflow->dip, AF_INET);
-
-    if (!(fp = AppIdSession::create_future_session(p, &saddr, fflow->sport, &daddr, fflow->dport,
-            fflow->protocol, target_appId, 0)))
-        return;
-
-    if (app_type_flags & APP_TYPE_SERVICE)
-    {
-        fp->serviceAppId = target_appId;
-        fp->rnaServiceState = RNA_STATE_FINISHED;
-        fp->rna_client_state = RNA_STATE_FINISHED;
-    }
-    if (app_type_flags & APP_TYPE_CLIENT)
-    {
-        fp->client_app_id = target_appId;
-        fp->rna_client_state = RNA_STATE_FINISHED;
-    }
-    if (app_type_flags & APP_TYPE_PAYLOAD)
-    {
-        fp->payload_app_id = target_appId;
-    }
-}
-
 void scan_key_chp(PatternType ptype, char* buf, int buf_size, CHPTallyAndActions& match_tally)
 {
     detectorHttpConfig->chp_matchers[ptype]->find_all(buf, buf_size, &chp_key_pattern_match,
@@ -1586,63 +1234,6 @@ AppId scan_chp(PatternType ptype, char* buf, int buf_size, MatchedCHPAction* mp,
                 do_not_further_modify_field = 1;
             }
             break;
-        case FUTURE_APPID_SESSION_SIP:
-            if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled)
-                break;
-            if (!hsession->fflow)
-                hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info));
-            if (!hsession->fflow->sip)
-                hsession->fflow->sip = ffSetIp(buf, buf_size, tmp->index, match->psize);
-            break;
-
-        case FUTURE_APPID_SESSION_DIP:
-            if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled)
-                break;
-            if (!hsession->fflow)
-                hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info));
-            if (!hsession->fflow->dip)
-                hsession->fflow->dip = ffSetIp(buf, buf_size, tmp->index, match->psize);
-            break;
-
-        case FUTURE_APPID_SESSION_SPORT:
-            if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled)
-                break;
-            if (!hsession->fflow)
-                hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info));
-            if (!hsession->fflow->sport)
-                hsession->fflow->sport = ffSetPort(buf, buf_size, tmp->index, match->psize);
-            break;
-
-        case FUTURE_APPID_SESSION_DPORT:
-            if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled)
-                break;
-            if (!hsession->fflow)
-                hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info));
-            if (!hsession->fflow->dport)
-                hsession->fflow->dport = ffSetPort(buf, buf_size, tmp->index, match->psize);
-            break;
-
-        case FUTURE_APPID_SESSION_PROTOCOL:
-            if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled)
-                break;
-            if (!hsession->fflow)
-                hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info));
-            if (hsession->fflow->protocol == IpProtocol::PROTO_NOT_SET)
-                hsession->fflow->protocol = ffSetProtocol(buf, buf_size, tmp->index, match->psize);
-            break;
-
-        case FUTURE_APPID_SESSION_CREATE:
-            if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled)
-                break;
-            if (!hsession->fflow)
-                hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info));
-#if MUST_FIX
-            // FIXIT-H: We do not have a packet when we get called from
-            //    the HTTP inspector. Is there an alternative?
-            fflowCreate(match->action_data, hsession->fflow, p, hsession->chp_candidate);
-#endif
-            break;
-
         case INSERT_FIELD:
             if (!do_not_further_modify_field && second_sweep_for_inserts == nullptr)
             {
index ad026b35e345c4a891a7d582781d4d7783759801..87000c81cc11a720d105c9bf38ca66a8fb85d895 100644 (file)
@@ -28,7 +28,6 @@
 #include "utils/util.h"
 
 struct httpSession;
-struct fflow_info;
 struct CHPAction;
 struct CHPApp;
 class AppIdConfig;
@@ -189,7 +188,6 @@ AppId scan_header_x_working_with(const uint8_t*, uint32_t, char**);
 void identify_user_agent(const uint8_t*, int, AppId*, AppId*, char**);
 void get_server_vendor_version(const uint8_t*, int, char**, char**, RNAServiceSubtype**);
 bool is_webdav_found(HeaderMatchedPatterns*);
-void finalize_fflow(fflow_info*, unsigned app_type_flags, AppId, Packet* );
 
 #endif