{
memset(this, 0, offsetof(DecodeData, ip_api));
ip_api.reset();
+ sp = 0;
+ dp = 0;
}
inline void set_pkt_type(PktType pkt_type)
static int sfxhash_nearest_powerof2(int nrows)
{
- unsigned i;
-
nrows -= 1;
- for (i=1; i<sizeof(nrows) * 8; i <<= 1)
+ for (unsigned i=1; i<sizeof(nrows) * 8; i <<= 1)
nrows = nrows | (nrows >> i);
nrows += 1;
SFXHASH_FREE_FCN usrfree,
int recycle_flag)
{
- int i;
- SFXHASH* h;
-
if ( nrows > 0 ) /* make sure we have a prime number */
{
/* If nrows is not a power of two, need to find the
}
/* Allocate the table structure from general memory */
- h = (SFXHASH*)snort_calloc(sizeof(SFXHASH));
+ SFXHASH* h = (SFXHASH*)snort_calloc(sizeof(SFXHASH));
/* this has a default hashing function */
h->sfhashfcn = sfhashfcn_new(nrows);
return 0;
}
- for ( i=0; i<nrows; i++ )
- {
- h->table[i] = 0;
- }
+ for ( int i = 0; i < nrows; i++ )
+ h->table[i] = nullptr;
h->anrfree = anrfree;
h->usrfree = usrfree;
*/
static void sfxhash_delete_free_list(SFXHASH* t)
{
- SFXHASH_NODE* cur = NULL;
- SFXHASH_NODE* next = NULL;
-
- if (t == NULL || t->fhead == NULL)
+ if (t == nullptr || t->fhead == nullptr)
return;
- cur = t->fhead;
-
- while (cur != NULL)
+ SFXHASH_NODE* cur = t->fhead;
+ while (cur != nullptr)
{
- next = cur->gnext;
+ SFXHASH_NODE* next = cur->gnext;
s_free(t, (void*)cur);
cur = next;
}
- t->fhead = NULL;
- t->ftail = NULL;
+ t->fhead = nullptr;
+ t->ftail = nullptr;
}
/*!
*/
void sfxhash_delete(SFXHASH* h)
{
- unsigned i;
- SFXHASH_NODE* node, * onode;
-
if ( !h )
return;
if ( h->table )
{
- for (i=0; i<h->nrows; i++)
+ for (unsigned i = 0; i < h->nrows; i++)
{
- for ( node=h->table[i]; node; )
+ for ( SFXHASH_NODE* node = h->table[i]; node; )
{
- onode = node;
+ SFXHASH_NODE* onode = node;
node = node->next;
/* Notify user that we are about to free this node function */
if ( h->usrfree )
h->usrfree(onode->key, onode->data);
- s_free(h,onode);
+ s_free(h, onode);
}
}
s_free(h, h->table);
- h->table = 0;
+ h->table = nullptr;
}
sfxhash_delete_free_list(h);
*/
int sfxhash_make_empty(SFXHASH* h)
{
- SFXHASH_NODE* n = NULL;
- SFXHASH_NODE* tmp = NULL;
- unsigned i;
+ SFXHASH_NODE* tmp = nullptr;
- if (h == NULL)
+ if (h == nullptr)
return -1;
- for (i = 0; i < h->nrows; i++)
+ for (unsigned i = 0; i < h->nrows; i++)
{
- for (n = h->table[i]; n != NULL; n = tmp)
+ for (SFXHASH_NODE* n = h->table[i]; n != nullptr; n = tmp)
{
tmp = n->next;
if (sfxhash_free_node(h, n) != SFXHASH_OK)
h->max_nodes = 0;
h->crow = 0;
- h->cnode = NULL;
+ h->cnode = nullptr;
h->count = 0;
- h->ghead = NULL;
- h->gtail = NULL;
+ h->ghead = nullptr;
+ h->gtail = nullptr;
h->anr_count = 0;
h->anr_tries = 0;
h->find_success = 0;
*/
static SFXHASH_NODE* sfxhash_newnode(SFXHASH* t)
{
- SFXHASH_NODE* hnode;
-
/* Recycle Old Nodes - if any */
- hnode = sfxhash_get_free_node(t);
+ SFXHASH_NODE* hnode = sfxhash_get_free_node(t);
/* Allocate memory for a node */
if ( !hnode )
}
/* either we are returning a node or we're all full and the user
- * won't let us allocate anymore and we return NULL */
+ * won't let us allocate anymore and we return nullptr */
return hnode;
}
/*
*
* Find a Node based on the key, return the node and the index.
- * The index is valid even if the return value is NULL, in which
+ * The index is valid even if the return value is nullptr, in which
* case the index is the corect row in which the node should be
* created.
*
static SFXHASH_NODE* sfxhash_find_node_row(SFXHASH* t, const void* key, int* rindex)
{
- unsigned hashkey;
- int index;
- SFXHASH_NODE* hnode;
-
- hashkey = t->sfhashfcn->hash_fcn(t->sfhashfcn,
- (unsigned char*)key,
- t->keysize);
+ unsigned hashkey = t->sfhashfcn->hash_fcn(t->sfhashfcn, (unsigned char*)key, t->keysize);
/* printf("hashkey: %u t->keysize: %d\n", hashkey, t->keysize);
flowkey_fprint(stdout, key);
// index = hashkey % t->nrows;
/* Modulus is slow. Switched to a table size that is a power of 2. */
- index = hashkey & (t->nrows - 1);
-
+ int index = hashkey & (t->nrows - 1);
*rindex = index;
- for ( hnode=t->table[index]; hnode; hnode=hnode->next )
+ for (SFXHASH_NODE* hnode = t->table[index]; hnode; hnode = hnode->next )
{
- if ( !t->sfhashfcn->keycmp_fcn(hnode->key,key,t->keysize) )
+ if ( !t->sfhashfcn->keycmp_fcn(hnode->key, key, t->keysize) )
{
if ( t->splay > 0 )
- movetofront(t,hnode);
+ movetofront(t, hnode);
t->find_success++;
return hnode;
}
t->find_fail++;
- return NULL;
+ return nullptr;
}
/*!
*/
static int sfxhash_add_ex(SFXHASH* t, const void* key, void* data, void** data_ptr)
{
- int index;
- SFXHASH_NODE* hnode;
+ int index = 0;
/* Enforce uniqueness: Check for the key in the table */
- hnode = sfxhash_find_node_row(t, key, &index);
-
+ SFXHASH_NODE* hnode = sfxhash_find_node_row(t, key, &index);
if ( hnode )
{
t->cnode = hnode;
int sfxhash_add(SFXHASH* t, void* key, void* data)
{
- return sfxhash_add_ex(t, key, data, NULL);
+ return sfxhash_add_ex(t, key, data, nullptr);
}
/*!
*/
SFXHASH_NODE* sfxhash_get_node(SFXHASH* t, const void* key)
{
- int index;
- SFXHASH_NODE* hnode;
+ int index = 0;
+ SFXHASH_NODE* hnode = nullptr;
/* Enforce uniqueness: Check for the key in the table */
hnode = sfxhash_find_node_row(t, key, &index);
-
if ( hnode )
{
t->cnode = hnode;
hnode = sfxhash_newnode(t);
if ( !hnode )
{
- return NULL;
+ return nullptr;
}
/* Set up the new key pointer */
}
else
{
- hnode->data = NULL;
+ hnode->data = nullptr;
}
/* Link the node into the table row list */
*/
SFXHASH_NODE* sfxhash_find_node(SFXHASH* t, const void* key)
{
- int rindex;
+ int rindex = 0;
return sfxhash_find_node_row(t, key, &rindex);
}
*/
void* sfxhash_find(SFXHASH* t, void* key)
{
- SFXHASH_NODE* hnode;
- int rindex;
-
- hnode = sfxhash_find_node_row(t, key, &rindex);
-
+ int rindex = 0;
+ SFXHASH_NODE* hnode = sfxhash_find_node_row(t, key, &rindex);
if ( hnode )
return hnode->data;
- return NULL;
+ return nullptr;
}
/**
*
* t table pointer
*
- * return the head of the list or NULL
+ * return the head of the list or nullptr
*/
SFXHASH_NODE* sfxhash_ghead(SFXHASH* t)
{
return t->ghead;
}
- return NULL;
+ return nullptr;
}
/**
*
* n current node
*
- * return the next node in the list or NULL when at the end
+ * return the next node in the list or nullptr when at the end
*/
SFXHASH_NODE* sfxhash_gnext(SFXHASH_NODE* n)
{
return n->gnext;
}
- return NULL;
+ return nullptr;
}
/**
*
* n current node
*
- * return the next node in the list or NULL when at the end
+ * return the next node in the list or nullptr when at the end
*/
SFXHASH_NODE* sfxhash_gfindnext(SFXHASH* t)
{
- SFXHASH_NODE* n;
-
- n = t->gnode;
+ SFXHASH_NODE* n = t->gnode;
if (n)
t->gnode = n->gnext;
return n;
*
* t table pointer
*
- * return the head of the list or NULL
+ * return the head of the list or nullptr
*/
SFXHASH_NODE* sfxhash_gfindfirst(SFXHASH* t)
{
if (t->ghead)
t->gnode = t->ghead->gnext;
else
- t->gnode = NULL;
+ t->gnode = nullptr;
return t->ghead;
}
- return NULL;
+ return nullptr;
}
/*!
*/
void* sfxhash_mru(SFXHASH* t)
{
- SFXHASH_NODE* hnode;
-
- hnode = sfxhash_ghead(t);
-
+ SFXHASH_NODE* hnode = sfxhash_ghead(t);
if ( hnode )
return hnode->data;
- return NULL;
+ return nullptr;
}
/*!
*/
void* sfxhash_lru(SFXHASH* t)
{
- SFXHASH_NODE* hnode;
-
- hnode = t->gtail;
-
+ SFXHASH_NODE* hnode = t->gtail;
if ( hnode )
return hnode->data;
- return NULL;
+ return nullptr;
}
/*!
*/
SFXHASH_NODE* sfxhash_mru_node(SFXHASH* t)
{
- SFXHASH_NODE* hnode;
-
- hnode = sfxhash_ghead(t);
-
+ SFXHASH_NODE* hnode = sfxhash_ghead(t);
if ( hnode )
return hnode;
- return NULL;
+ return nullptr;
}
/*!
*/
SFXHASH_NODE* sfxhash_lru_node(SFXHASH* t)
{
- SFXHASH_NODE* hnode;
-
- hnode = t->gtail;
-
+ SFXHASH_NODE* hnode = t->gtail;
if ( hnode )
return hnode;
- return NULL;
+ return nullptr;
}
/*!
*/
unsigned sfxhash_maxdepth(SFXHASH* t)
{
- unsigned i;
unsigned max_depth = 0;
SFXHASH_NODE* hnode;
- for ( i=0; i<t->nrows; i++ )
+ for ( unsigned i = 0; i < t->nrows; i++ )
{
unsigned cur_depth = 0;
- for (hnode = t->table[i]; hnode != NULL; hnode = hnode->next)
+ for (hnode = t->table[i]; hnode != nullptr; hnode = hnode->next)
{
cur_depth++;
}
*/
int sfxhash_remove(SFXHASH* t, void* key)
{
- SFXHASH_NODE* hnode;
- unsigned hashkey, index;
-
- hashkey = t->sfhashfcn->hash_fcn(t->sfhashfcn,
- (unsigned char*)key,
- t->keysize);
+ unsigned hashkey = t->sfhashfcn->hash_fcn(t->sfhashfcn, (unsigned char*)key, t->keysize);
// index = hashkey % t->nrows;
/* Modulus is slow */
- index = hashkey & (t->nrows - 1);
+ unsigned index = hashkey & (t->nrows - 1);
- for ( hnode=t->table[index]; hnode; hnode=hnode->next )
+ for ( SFXHASH_NODE* hnode = t->table[index]; hnode; hnode = hnode->next )
{
- if ( !t->sfhashfcn->keycmp_fcn(hnode->key,key,t->keysize) )
+ if ( !t->sfhashfcn->keycmp_fcn(hnode->key, key, t->keysize) )
{
return sfxhash_free_node(t, hnode);
}
*/
SFXHASH_NODE* sfxhash_findfirst(SFXHASH* t)
{
- SFXHASH_NODE* n;
-
if (!t)
- return NULL;
+ return nullptr;
/* Start with 1st row */
- for ( t->crow=0; t->crow < t->nrows; t->crow++ )
+ for ( t->crow = 0; t->crow < t->nrows; t->crow++ )
{
/* Get 1st Non-Null node in row list */
t->cnode = t->table[ t->crow ];
if ( t->cnode )
{
- n = t->cnode;
+ SFXHASH_NODE* n = t->cnode;
sfxhash_next(t); // load t->cnode with the next entry
return n;
}
}
- return NULL;
+ return nullptr;
}
/*!
*/
SFXHASH_NODE* sfxhash_findnext(SFXHASH* t)
{
- SFXHASH_NODE* n;
-
- n = t->cnode;
+ SFXHASH_NODE* n = t->cnode;
if ( !n ) /* Done, no more entries */
{
- return NULL;
+ return nullptr;
}
/*
if ( !t->datasize )
return SFXHASH_ERR;
- *data = NULL;
+ *data = nullptr;
- return sfxhash_add_ex(t, key, NULL, data);
+ return sfxhash_add_ex(t, key, nullptr, data);
}
/*
struct SFXHASH_NODE
{
- struct SFXHASH_NODE* gnext, * gprev; // global node list - used for ageing nodes
- struct SFXHASH_NODE* next, * prev; // row node list
+ struct SFXHASH_NODE* gnext; // global node list - used for ageing nodes
+ struct SFXHASH_NODE* gprev;
+ struct SFXHASH_NODE* next; // row node list
+ struct SFXHASH_NODE* prev;
int rindex; // row index of table this node belongs to.
unsigned find_success;
SFXHASH_NODE* ghead, * gtail; // global - root of all nodes allocated in table
-
SFXHASH_NODE* fhead, * ftail; // list of free nodes, which are recyled
SFXHASH_NODE* gnode; // gfirst/gnext node ptr */
int recycle_nodes; // recycle nodes. Nodes are not freed, but are used for
if (entry)
entry->flags |= APPINFO_FLAG_ACTIVE;
else
- ErrorMessage("AppInfo: AppId %d has no entry in application info table\n", appId);
+ WarningMessage("AppInfo: AppId %d has no entry in application info table\n", appId);
}
void AppInfoManager::load_appid_config(const char* path)
#define APP_INFO_TABLE_H
#include <cstdint>
-#include <map>
+#include <unordered_map>
#include <mutex>
#include "application_ids.h"
char* app_name_key = nullptr;
};
-typedef std::map<AppId, AppInfoTableEntry*> AppInfoTable;
-typedef std::map<std::string, AppInfoTableEntry*> AppInfoNameTable;
+typedef std::
unordered_map<AppId, AppInfoTableEntry*> AppInfoTable;
+typedef std::unordered_map<std::string, AppInfoTableEntry*> AppInfoNameTable;
class AppInfoManager
{
static THREAD_LOCAL SF_LIST appid_custom_configs;
+AppIdModuleConfig::AppIdModuleConfig()
+{
+ session_log_filter.sip.clear();
+ session_log_filter.dip.clear();
+}
+
AppIdModuleConfig::~AppIdModuleConfig()
{
snort_free((void*)conf_file);
class AppIdModuleConfig
{
public:
- AppIdModuleConfig() { }
+ AppIdModuleConfig();
~AppIdModuleConfig();
const char* conf_file = nullptr;
if (thirdparty_appid_module)
thirdparty_appid_module->print_stats();
LogMessage(" Total packets ignored : %" PRIu64 "\n", appid_stats.ignored_packets);
- dump_service_state_stats();
+ AppIdServiceState::dump_stats();
}
AppIdInspector::AppIdInspector(const AppIdModuleConfig* pc)
void AppIdInspector::tinit()
{
init_appid_statistics(*config);
- hostPortAppCacheInit();
+ HostPortCache::initialize();
init_appid_forecast();
init_http_detector();
init_service_plugins();
finalize_sip_ua();
ssl_detector_process_patterns();
dns_host_detector_process_patterns();
-
- if (init_service_state(config->memcap))
- exit(-1);
+ AppIdServiceState::initialize(config->memcap);
}
void AppIdInspector::tterm()
{
cleanup_appid_statistics();
- hostPortAppCacheFini();
+ HostPortCache::terminate();
clean_appid_forecast();
service_dns_host_clean();
service_ssl_clean();
AppIdSession::release_free_list_flow_data();
LuaDetectorManager::terminate();
- clean_service_state();
+ AppIdServiceState::clean();
}
void AppIdInspector::eval(Packet* pkt)
AppIdSession* AppIdSession::allocate_session(const Packet* p, IpProtocol proto, int direction)
{
- const sfip_t* ip;
uint16_t port = 0;
- ip = (direction == APP_ID_FROM_INITIATOR)
+ const sfip_t* ip = (direction == APP_ID_FROM_INITIATOR)
? p->ptrs.ip_api.get_src() : p->ptrs.ip_api.get_dst();
if ( ( proto == IpProtocol::TCP || proto == IpProtocol::UDP ) && ( p->ptrs.sp != p->ptrs.dp ) )
port = (direction == APP_ID_FROM_INITIATOR) ? p->ptrs.sp : p->ptrs.dp;
if (thirdparty_appid_module)
if (!(tpsession = thirdparty_appid_module->session_create()))
ErrorMessage("Could not allocate third party session data");
+
+ length_sequence.proto = IpProtocol::PROTO_NOT_SET;
+ length_sequence.sequence_cnt = 0;
+ memset(length_sequence.sequence, '\0', sizeof(length_sequence.sequence));
+ session_logging_id[0] = '\0';
}
AppIdSession::~AppIdSession()
{
if( !in_expected_cache)
- delete_shared_data();
+ {
+ update_appid_statistics(this);
+ if (flow)
+ FailInProcessService(this, config);
+ }
+
+ delete_shared_data();
+
+ free_flow_data();
}
// FIXIT-L X Move this to somewhere more generally available/appropriate.
bool AppIdSession::do_service_discovery(IpProtocol protocol, int direction, AppId client_app_id,
AppId payload_app_id, Packet* p)
{
- AppInfoTableEntry* entry;
+ AppInfoTableEntry* entry = nullptr;
bool isTpAppidDiscoveryDone = false;
if (rnaServiceState != RNA_STATE_FINISHED)
void AppIdSession::do_application_discovery(Packet* p)
{
- IpProtocol protocol;
+ IpProtocol protocol = IpProtocol::PROTO_NOT_SET;
AppId client_app_id = 0;
AppId payload_app_id = 0;
bool isTpAppidDiscoveryDone = false;
- uint64_t flow_flags;
- int direction;
- const sfip_t* ip;
- uint16_t port;
+ int direction = 0;
+ const sfip_t* ip = nullptr;
if( is_packet_ignored(p) )
return;
direction = p->is_from_client() ? APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER;
}
- flow_flags = AppIdSession::is_session_monitored(p, direction, asd);
+ uint64_t flow_flags = AppIdSession::is_session_monitored(p, direction, asd);
if (!(flow_flags & (APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED)))
{
if (!asd)
else if ( p->is_tcp() && p->ptrs.tcph )
{
+ uint16_t port = 0;
const auto* tcph = p->ptrs.tcph;
if ( tcph->is_rst() && asd->previous_tcp_flags == TH_SYN )
{
- AppIdServiceIDState* id_state;
-
asd->set_session_flags(APPID_SESSION_SYN_RST);
if (sfip_is_set(&asd->service_ip))
{
port = p->ptrs.sp;
}
- id_state = get_service_id_state(ip, IpProtocol::TCP, port,
+ AppIdServiceIDState* id_state = AppIdServiceState::get(ip, IpProtocol::TCP, port,
AppIdServiceDetectionLevel(asd));
if (id_state)
id_state->reset_time = packet_time();
else if ((packet_time() - id_state->reset_time) >= 60)
{
- remove_service_id_state(ip, IpProtocol::TCP, port,
+ AppIdServiceState::remove(ip, IpProtocol::TCP, port,
AppIdServiceDetectionLevel(asd));
asd->set_session_flags(APPID_SESSION_SERVICE_DELETED);
}
/*HostPort based AppId. */
if (!(asd->scan_flags & SCAN_HOST_PORT_FLAG))
{
- HostPortVal* hv;
+ HostPortVal* hv = nullptr;
+ uint16_t port = 0;
asd->scan_flags |= SCAN_HOST_PORT_FLAG;
if (direction == APP_ID_FROM_INITIATOR)
port = p->ptrs.sp;
}
- if ((hv = hostPortAppCacheFind(ip, port, protocol)))
+ if ((hv = HostPortCache::find(ip, port, protocol)))
{
switch (hv->type)
{
SF_LIST* pe_list;
PortExclusion* pe;
const sfip_t* s_ip;
- uint16_t port;
AppIdConfig* config = AppIdConfig::get_appid_config();
if ( pkt->is_tcp() )
return 0;
/* check the source port */
- port = reversed ? pkt->ptrs.dp : pkt->ptrs.sp;
+ uint16_t port = reversed ? pkt->ptrs.dp : pkt->ptrs.sp;
if ( port && (pe_list = src_port_exclusions[port]) != nullptr )
{
s_ip = reversed ? pkt->ptrs.ip_api.get_dst() : pkt->ptrs.ip_api.get_src();
uint64_t AppIdSession::is_session_monitored(const Packet* p, int dir, AppIdSession* asd)
{
- uint64_t flags;
+ uint64_t flags = 0;
uint64_t flow_flags = APPID_SESSION_DISCOVER_APP;
flow_flags |= (dir == APP_ID_FROM_INITIATOR) ?
flowData = tmp_fd->next;
if (tmp_fd->fd_data && tmp_fd->fd_free)
tmp_fd->fd_free(tmp_fd->fd_data);
- tmp_fd->next = fd_free_list;
- fd_free_list = tmp_fd;
+
+ snort_free( tmp_fd );
+ //tmp_fd->next = fd_free_list;
+ //fd_free_list = tmp_fd;
}
}
void AppIdSession::delete_shared_data()
{
- RNAServiceSubtype* rna_service_subtype;
-
- /*check daq flag */
- update_appid_statistics(this);
-
- if (flow)
- FailInProcessService(this, config);
- free_flow_data();
-
if (thirdparty_appid_module)
{
thirdparty_appid_module->session_delete(tpsession, 0);
snort_free(serviceVendor);
snort_free(serviceVersion);
snort_free(netbios_name);
- while ((rna_service_subtype = subtype))
+
+ RNAServiceSubtype* rna_ss = subtype;
+ while ( rna_ss )
{
- subtype = rna_service_subtype->next;
- snort_free(*(void**)&rna_service_subtype->service);
- snort_free(*(void**)&rna_service_subtype->vendor);
- snort_free(*(void**)&rna_service_subtype->version);
- snort_free(rna_service_subtype);
+ subtype = rna_ss->next;
+ snort_free(*(void**)&rna_ss->service);
+ snort_free(*(void**)&rna_ss->vendor);
+ snort_free(*(void**)&rna_ss->version);
+ snort_free(rna_ss);
+ rna_ss = subtype;
}
+
if (candidate_service_list)
{
sflist_free(candidate_service_list);
for (pfd = &flowData; *pfd && (*pfd)->fd_id != id; pfd = &(*pfd)->next)
;
+
if ((fd = *pfd))
{
*pfd = fd->next;
struct AppIdFlowData
{
- AppIdFlowData* next;
- unsigned fd_id;
- void* fd_data;
- AppIdFreeFCN fd_free;
+ AppIdFlowData* next = nullptr;
+ unsigned fd_id = 0;
+ void* fd_data = nullptr;
+ AppIdFreeFCN fd_free = nullptr;
};
struct CommonAppIdData
{
- APPID_FLOW_TYPE flow_type;
- unsigned policyId;
+ CommonAppIdData()
+ {
+ initiator_ip.clear();
+ }
+
+ APPID_FLOW_TYPE flow_type = APPID_FLOW_TYPE_IGNORE;
+ unsigned policyId = 0;
//flags shared with other preprocessor via session attributes.
- uint64_t flags;
+ uint64_t flags = 0;
sfip_t initiator_ip;
- uint16_t initiator_port;
+ uint16_t initiator_port = 0;
};
#define SCAN_HTTP_VIA_FLAG (1<<0)
struct fflow_info
{
- uint32_t sip;
- uint32_t dip;
- uint16_t sport;
- uint16_t dport;
- IpProtocol protocol;
- AppId appId;
- int flow_prepared;
+ uint32_t sip = 0;
+ uint32_t dip = 0;
+ uint16_t sport = 0;
+ uint16_t dport = 0;
+ IpProtocol protocol = IpProtocol::PROTO_NOT_SET;
+ AppId appId = APP_ID_NONE;
+ int flow_prepared = 0;
};
#define RESPONSE_CODE_PACKET_THRESHHOLD 0
struct httpSession
{
- char* host;
- uint16_t host_buflen;
- char* url;
- char* uri;
- uint16_t uri_buflen;
- char* via;
- char* useragent;
- uint16_t useragent_buflen;
- char* response_code;
- uint16_t response_code_buflen;
- char* referer;
- uint16_t referer_buflen;
- char* cookie;
- uint16_t cookie_buflen;
- char* content_type;
- uint16_t content_type_buflen;
- char* location;
- uint16_t location_buflen;
- char* body;
- uint16_t body_buflen;
- char* req_body;
- uint16_t req_body_buflen;
- char* server;
- char* x_working_with;
- char* new_field[HTTP_FIELD_MAX+1];
- uint16_t new_field_len[HTTP_FIELD_MAX+1];
- uint16_t fieldOffset[HTTP_FIELD_MAX+1];
- uint16_t fieldEndOffset[HTTP_FIELD_MAX+1];
- fflow_info* fflow;
- bool new_field_contents;
- int chp_finished;
- AppId chp_candidate;
- AppId chp_alt_candidate;
- int chp_hold_flow;
- int ptype_req_counts[NUMBER_OF_PTYPES];
- int total_found;
- unsigned app_type_flags;
- int num_matches;
- int num_scans;
- int get_offsets_from_rebuilt;
- bool skip_simple_detect;
- sfip_t* xffAddr;
- const char** xffPrecedence;
- int numXffFields;
+ char* host = nullptr;
+ uint16_t host_buflen = 0;
+ char* url = nullptr;
+ char* uri = nullptr;
+ uint16_t uri_buflen = 0;
+ char* via = nullptr;
+ char* useragent = nullptr;
+ uint16_t useragent_buflen = 0;
+ char* response_code = nullptr;
+ uint16_t response_code_buflen = 0;
+ char* referer = nullptr;
+ uint16_t referer_buflen = 0;
+ char* cookie = nullptr;
+ uint16_t cookie_buflen = 0;
+ char* content_type = nullptr;
+ uint16_t content_type_buflen = 0;
+ char* location = nullptr;
+ uint16_t location_buflen = 0;
+ char* body = nullptr;
+ uint16_t body_buflen = 0;
+ char* req_body = nullptr;
+ uint16_t req_body_buflen = 0;
+ char* server = nullptr;
+ char* x_working_with = nullptr;
+ char* new_field[HTTP_FIELD_MAX+1] = { nullptr };
+ uint16_t new_field_len[HTTP_FIELD_MAX+1] = { 0 };
+ uint16_t fieldOffset[HTTP_FIELD_MAX+1] = { 0 };
+ uint16_t fieldEndOffset[HTTP_FIELD_MAX+1] = { 0 };
+ fflow_info* fflow = nullptr;
+ bool new_field_contents = false;
+ int chp_finished = 0;
+ AppId chp_candidate = APP_ID_NONE;
+ AppId chp_alt_candidate = APP_ID_NONE;
+ int chp_hold_flow = 0;
+ int ptype_req_counts[NUMBER_OF_PTYPES] = { 0 };
+ int total_found = 0;
+ unsigned app_type_flags = 0;
+ int num_matches = 0;
+ int num_scans = 0;
+ int get_offsets_from_rebuilt = 0;
+ bool skip_simple_detect = false;
+ sfip_t* xffAddr = nullptr;
+ const char** xffPrecedence = nullptr;
+ int numXffFields = 0;
#if RESPONSE_CODE_PACKET_THRESHHOLD
- unsigned response_code_packets;
+ unsigned response_code_packets = 0;
#endif
};
+
// For dnsSession.state:
#define DNS_GOT_QUERY 0x01
#define DNS_GOT_RESPONSE 0x02
struct dnsSession
{
- uint8_t state; // state
- uint8_t host_len; // for host
- uint8_t response_type; // response: RCODE
- uint16_t id; // DNS msg ID
- uint16_t host_offset; // for host
- uint16_t record_type; // query: QTYPE
- uint32_t ttl; // response: TTL
- char* host; // host (usually query, but could be response for reverse lookup)
+ uint8_t state = 0; // state
+ uint8_t host_len = 0; // for host
+ uint8_t response_type = 0; // response: RCODE
+ uint16_t id = 0; // DNS msg ID
+ uint16_t host_offset = 0; // for host
+ uint16_t record_type = 0; // query: QTYPE
+ uint32_t ttl = 0; // response: TTL
+ char* host = nullptr; // host (usually query, but could be response for reverse lookup)
};
struct _RNAServiceSubtype;
struct tlsSession
{
- char* tls_host;
- int tls_host_strlen;
- char* tls_cname;
- int tls_cname_strlen;
- char* tls_orgUnit;
- int tls_orgUnit_strlen;
+ char* tls_host = nullptr;
+ int tls_host_strlen = 0;
+ char* tls_cname = nullptr;
+ int tls_cname_strlen = 0;
+ char* tls_orgUnit = nullptr;
+ int tls_orgUnit_strlen = 0;
};
void map_app_names_to_snort_ids();
static THREAD_LOCAL time_t bucketInterval;
static THREAD_LOCAL time_t bucketEnd;
-static const char appid_stats_file_suffix[] = "_appid_stats.log";
+static const char appid_stats_file_suffix[] = "appid_stats.log";
static size_t rollSize;
static time_t rollPeriod;
static bool enableAppStats;
app_name = "__none";
else
{
- ErrorMessage("invalid appid in appStatRecord (%u)\n", record->app_id);
if (cooked_client)
snprintf(tmpBuff, MAX_EVENT_APPNAME_LEN, "_err_cl_%u",app_id);
else
return 0;
}
+static inline uint8_t* continue_buffer_scan(const uint8_t* start, const uint8_t* end, MatchedPatterns* mp,
+ DetectorHTTPPattern* match)
+{
+ uint8_t* bp = (uint8_t*) (start) + mp->index + match->pattern_size;
+ if( (bp >= end) || (*bp != ' ' && *bp != 0x09 && *bp != '/') )
+ return nullptr;
+ else
+ return ++bp;
+}
+
void identify_user_agent(const uint8_t* start, int size, AppId* serviceAppId, AppId* ClientAppId,
char** version)
{
- int skypeDetect;
- int mobileDetect;
- int safariDetect;
- unsigned int appleEmailDetect;
- int firefox_detected, android_browser_detected;
- int dominant_pattern_detected;
- int longest_misc_match;
- const uint8_t* end;
+ char temp_ver[MAX_VERSION_SIZE] = { 0 };
MatchedPatterns* mp = nullptr;
- MatchedPatterns* tmp;
- DetectorHTTPPattern* match;
- uint8_t* buffPtr;
- unsigned int i;
- char temp_ver[MAX_VERSION_SIZE];
- temp_ver[0] = 0;
+ uint8_t* buffPtr = nullptr;
detectorHttpConfig->client_agent_matcher->find_all((const char*)start, size, &http_pattern_match, false, (void*)&mp);
-
if (mp)
{
- end = start + size;
- temp_ver[0] = 0;
- skypeDetect = 0;
- mobileDetect = 0;
- safariDetect = 0;
- firefox_detected = 0;
- android_browser_detected = 0;
- dominant_pattern_detected = 0;
- longest_misc_match = 0;
- i = 0;
+ const uint8_t* end = start + size;
+ int skypeDetect = 0;
+ int mobileDetect = 0;
+ int safariDetect = 0;
+ int firefox_detected = 0;
+ int android_browser_detected = 0;
+ int dominant_pattern_detected = 0;
+ bool appleEmailDetect = true;
+ int longest_misc_match = 0;
+ unsigned i = 0;
+
*ClientAppId = APP_ID_NONE;
*serviceAppId = APP_ID_HTTP;
- for (tmp = mp; tmp; tmp = tmp->next)
+ for (MatchedPatterns* tmp = mp; tmp; tmp = tmp->next)
{
- match = (DetectorHTTPPattern*)tmp->mpattern;
+ DetectorHTTPPattern* match = (DetectorHTTPPattern*)tmp->mpattern;
switch (match->client_app)
{
case APP_ID_INTERNET_EXPLORER:
case APP_ID_FIREFOX:
if (dominant_pattern_detected)
break;
- buffPtr = (uint8_t*)start + tmp->index + match->pattern_size;
- if (*buffPtr != ' ' && *buffPtr != 0x09 && *buffPtr != '/')
+ buffPtr = continue_buffer_scan(start, end, tmp, match);
+ if(!buffPtr)
break;
- buffPtr++;
while (i < MAX_VERSION_SIZE-1 && buffPtr < end)
{
if (*buffPtr != ' ' && *buffPtr != 0x09 && *buffPtr != ';' && *buffPtr != ')')
case APP_ID_CHROME:
if (dominant_pattern_detected)
break;
- buffPtr = (uint8_t*)start + tmp->index + match->pattern_size;
- if (*buffPtr != ' ' && *buffPtr != 0x09 && *buffPtr != '/')
+ buffPtr = continue_buffer_scan(start, end, tmp, match);
+ if(!buffPtr)
break;
- buffPtr++;
while (i < MAX_VERSION_SIZE-1 && buffPtr < end)
{
if (*buffPtr != ' ' && *buffPtr != 0x09 && *buffPtr != ';' && *buffPtr != ')')
case APP_ID_ANDROID_BROWSER:
if (dominant_pattern_detected)
break;
- buffPtr = (uint8_t*)start + tmp->index + match->pattern_size;
- if (*buffPtr != ' ' && *buffPtr != 0x09 && *buffPtr != '/')
+ buffPtr = continue_buffer_scan(start, end, tmp, match);
+ if(!buffPtr)
break;
- buffPtr++;
while (i < MAX_VERSION_SIZE-1 && buffPtr < end)
{
if (*buffPtr != ' ' && *buffPtr != 0x09 && *buffPtr != ';' && *buffPtr != ')')
break;
case APP_ID_WINDOWS_MEDIA_PLAYER:
case APP_ID_BITTORRENT:
- buffPtr = (uint8_t*)start + tmp->index + match->pattern_size;
- if (*buffPtr != ' ' && *buffPtr != 0x09 && *buffPtr != '/')
+ buffPtr = continue_buffer_scan(start, end, tmp, match);
+ if(!buffPtr)
break;
- buffPtr++;
while (i < MAX_VERSION_SIZE-1 && buffPtr < end)
{
if (*buffPtr != ' ' && *buffPtr != 0x09 && *buffPtr != ';' && *buffPtr != ')')
break;
case APP_ID_APPLE_EMAIL:
- appleEmailDetect = 1;
+ appleEmailDetect = true;
for (i = 0; i < 3 && appleEmailDetect; i++)
{
buffPtr = (uint8_t*)strstr((char*)start, (char*)APPLE_EMAIL_PATTERNS[i]);
- appleEmailDetect = ((uint8_t*)buffPtr && (i != 0 || (i == 0 && buffPtr ==
- ((uint8_t*)start))));
+ appleEmailDetect = ((uint8_t*)buffPtr &&
+ (i != 0 || (i == 0 && buffPtr == ((uint8_t*)start))));
}
if (appleEmailDetect)
{
}
}
}
+
if (mobileDetect && safariDetect && !dominant_pattern_detected)
{
*serviceAppId = APP_ID_HTTP;
}
done:
- optionallyReplaceWithStrdup(version,temp_ver);
+ optionallyReplaceWithStrdup(version, temp_ver);
FreeMatchStructures(mp);
}
#include "host_port_app_cache.h"
+#include <map>
+
#include "appid_config.h"
-#include "hash/sfxhash.h"
#include "log/messages.h"
#include "sfip/sf_ip.h"
-THREAD_LOCAL SFXHASH* hostPortCache = nullptr;
-
-void hostPortAppCacheInit()
+struct HostPortKey
{
- auto hash = sfxhash_new( 2048, sizeof(HostPortKey), sizeof(HostPortVal),
- 0, 0, nullptr, nullptr, 0);
+ HostPortKey()
+ {
+ ip.clear();
+ port = 0;
+ proto = IpProtocol::PROTO_NOT_SET;
+ }
- if ( hash )
- hostPortCache = hash;
- else
- ErrorMessage("failed to allocate HostPort map");
+ bool operator<(HostPortKey right) const
+ {
+ if( sfip_lesser(&ip, &right.ip) )
+ return true;
+ else if( sfip_lesser(&right.ip, &ip) )
+ return false;
+ else
+ {
+ if( port < right.port)
+ return true;
+ else if( right.port < port )
+ return false;
+ else if( proto < right.proto)
+ return true;
+ else
+ return false;
+ }
+ }
+
+ sfip_t ip;
+ uint16_t port;
+ IpProtocol proto;
+};
+
+THREAD_LOCAL std::map<HostPortKey, HostPortVal>* host_port_cache = nullptr;
+
+void HostPortCache::initialize()
+{
+ host_port_cache = new std::map<HostPortKey, HostPortVal>;
}
-void hostPortAppCacheFini()
+void HostPortCache::terminate()
{
- if ( hostPortCache )
- {
- sfxhash_delete(hostPortCache);
- hostPortCache = nullptr;
- }
+ host_port_cache->empty();
+ delete host_port_cache;
+ host_port_cache = nullptr;
}
-HostPortVal* hostPortAppCacheFind(const sfip_t* snort_ip, uint16_t port, IpProtocol protocol)
+HostPortVal* HostPortCache::find(const sfip_t* ip, uint16_t port, IpProtocol protocol)
{
HostPortKey hk;
- sfip_set_ip(&hk.ip, snort_ip);
+
+ sfip_set_ip(&hk.ip, ip);
hk.port = port;
hk.proto = protocol;
- return (HostPortVal*)sfxhash_find(hostPortCache, &hk);
+ std::map<HostPortKey, HostPortVal>::iterator it;
+ it = host_port_cache->find(hk);
+ if (it != host_port_cache->end())
+ return &it->second;
+ else
+ return nullptr;
}
-int hostPortAppCacheAdd(const sfip_t* ip, uint16_t port, IpProtocol proto, unsigned type, AppId appId)
+bool HostPortCache::add(const sfip_t* ip, uint16_t port, IpProtocol proto, unsigned type, AppId appId)
{
HostPortKey hk;
HostPortVal hv;
- memcpy(&hk.ip, ip, sizeof(hk.ip));
+
+ sfip_set_ip(&hk.ip, ip);
hk.port = port;
hk.proto = proto;
hv.appId = appId;
hv.type = type;
- return sfxhash_add(hostPortCache, &hk, &hv) ? 0 : 1;
+ (*host_port_cache)[ hk ] = hv;
+
+ return true;
}
-void hostPortAppCacheDump()
+void HostPortCache::dump()
{
- for ( SFXHASH_NODE* node = sfxhash_findfirst(hostPortCache);
- node;
- node = sfxhash_findnext(hostPortCache))
+ for ( auto& kv : *host_port_cache )
{
char inet_buffer[INET6_ADDRSTRLEN];
- HostPortKey* hk;
- HostPortVal* hv;
- hk = (HostPortKey*)node->key;
- hv = (HostPortVal*)node->data;
+ HostPortKey hk = kv.first;
+ HostPortVal hv = kv.second;
- inet_ntop(AF_INET6, &hk->ip, inet_buffer, sizeof(inet_buffer));
- printf("\tip=%s, \tport %d, \tip_proto %d, \ttype=%u, \tappId=%d\n", inet_buffer, hk->port,
- to_utype(hk->proto), hv->type, hv->appId);
+ inet_ntop(AF_INET6, &hk.ip, inet_buffer, sizeof(inet_buffer));
+ LogMessage("\tip=%s, \tport %d, \tip_proto %u, \ttype=%u, \tappId=%d\n",
+ inet_buffer, hk.port, (unsigned)hk.proto, hv.type, hv.appId);
}
}
#ifndef HOST_PORT_APP_CACHE_H
#define HOST_PORT_APP_CACHE_H
+#include "protocols/protocol_ids.h"
#include "sfip/sfip_t.h"
#include "appid_api.h"
-class AppIdConfig;
-enum class IpProtocol : uint8_t;
-
-struct HostPortKey
+struct HostPortVal
{
- sfip_t ip;
- uint16_t port;
- IpProtocol proto;
+ AppId appId;
+ unsigned type;
};
-struct HostPortVal
+class HostPortCache
{
- AppId appId;
- unsigned type;
+public:
+ static void initialize();
+ static void terminate();
+ static HostPortVal* find(const sfip_t*, uint16_t port, IpProtocol proto);
+ static bool add(const sfip_t*, uint16_t port, IpProtocol proto, unsigned type, AppId);
+ static void dump();
};
-void hostPortAppCacheInit();
-void hostPortAppCacheFini();
-HostPortVal* hostPortAppCacheFind(const sfip_t*, uint16_t port, IpProtocol proto);
-int hostPortAppCacheAdd(const sfip_t*, uint16_t port, IpProtocol proto, unsigned type, AppId);
-void hostPortAppCacheDump();
#endif
AppId find_length_app_cache(const LengthKey* key)
{
- AppId* val;
-
- val = (AppId*)sfxhash_find(lengthCache, (void*)key);
+ AppId* val = (AppId*)sfxhash_find(lengthCache, (void*)key);
if (val == nullptr)
- {
return APP_ID_NONE; /* no match */
- }
else
- {
return *val; /* match found */
- }
}
bool add_length_app_cache(const LengthKey* key, AppId val)
struct LengthSequenceEntry
{
- uint8_t direction; /* APP_ID_FROM_INITIATOR or APP_ID_FROM_RESPONDER */
- uint16_t length; /* payload size (bytes) */
+ uint8_t direction = 0; /* APP_ID_FROM_INITIATOR or APP_ID_FROM_RESPONDER */
+ uint16_t length = 0; /* payload size (bytes) */
};
struct LengthKey
{
- IpProtocol proto; /* IpProtocol::TCP or IpProtocol::UDP */
- uint8_t sequence_cnt; /* num valid entries in sequence */
+ IpProtocol proto = IpProtocol::PROTO_NOT_SET; // IpProtocol::TCP or IpProtocol::UDP
+ uint8_t sequence_cnt = 0; // num valid entries in sequence
LengthSequenceEntry sequence[LENGTH_SEQUENCE_CNT_MAX];
};
#include "log/messages.h"
#include "main/snort_debug.h"
#include "profiler/profiler.h"
+#include "protocols/protocol_ids.h"
#include "sfip/sf_ip.h"
#include "utils/util.h"
// FIXIT-M none of these params check for signedness casting issues
// FIXIT-M May want to create a lua_toipprotocol() so we can handle
// error checking in that function.
- int protocol = lua_tonumber(L, index++);
- if (protocol > UINT8_MAX)
+ unsigned protocol = lua_tonumber(L, index++);
+ if (protocol > (unsigned)IpProtocol::RESERVED)
{
- ErrorMessage("Invalid protocol value %d\n", protocol);
+ ErrorMessage("Invalid protocol value %u\n", protocol);
return -1;
}
unsigned port = lua_tointeger(L, index++);
unsigned proto = lua_tointeger(L, index++);
-
- if (proto > UINT8_MAX)
+ if (proto > (unsigned)IpProtocol::RESERVED)
{
ErrorMessage("%s:Invalid protocol value %u\n",__func__, proto);
return 0;
}
- if (!hostPortAppCacheAdd(&ip_addr, (uint16_t)port, (IpProtocol)proto, type, app_id))
+ if (!HostPortCache::add(&ip_addr, (uint16_t)port, (IpProtocol)proto, type, app_id))
ErrorMessage("%s:Failed to backend call\n",__func__);
return 0;
{
sfip_t saddr;
sfip_t daddr;
- IpProtocol proto;
- uint16_t sport, dport;
- char* pattern;
- size_t patternLen;
auto& detector_data = *UserData<Detector>::check(L, DETECTOR, 1);
if ( !detector_data->validateParams.pkt )
return 0; /*number of results */
- pattern = (char*)lua_tostring(L, 2);
- patternLen = lua_strlen (L, 2);
+ char* pattern = (char*)lua_tostring(L, 2);
+ size_t patternLen = lua_strlen (L, 2);
if (patternLen == 16)
{
return 0;
}
- sport = lua_tonumber(L, 4);
- dport = lua_tonumber(L, 5);
- proto = (IpProtocol)lua_tonumber(L, 6);
+ uint16_t sport = lua_tonumber(L, 4);
+ uint16_t dport = lua_tonumber(L, 5);
+ IpProtocol proto = (IpProtocol)lua_tonumber(L, 6);
auto detector_flow = new DetectorFlow();
UserData<DetectorFlow>::push(L, DETECTORFLOW, detector_flow);
uint16_t host_offset, uint8_t response_type, uint32_t ttl);
static void reset_dns_info(AppIdSession*);
-struct ServiceMatch
-{
- struct ServiceMatch* next;
- unsigned count;
- unsigned size;
- RNAServiceElement* svc;
-};
-
static const uint8_t zeromac[6] = { 0, 0, 0, 0, 0, 0 };
static THREAD_LOCAL DHCPInfo* dhcp_info_free_list = nullptr;
static THREAD_LOCAL FpSMBData* smb_data_free_list = nullptr;
ErrorMessage("AppId: failed to find a service element for AppId %d", appId);
}
-void AppIdFreeServiceMatchList(ServiceMatch* sm)
-{
- ServiceMatch* tmpSm;
-
- while( sm )
- {
- tmpSm = sm;
- sm = sm->next;
- snort_free(tmpSm);
- }
-}
int AddFTPServiceState(AppIdSession* asd)
{
return (sm2->size - sm1->size);
}
+void free_service_match_list(ServiceMatch* sm)
+{
+ ServiceMatch* tmpSm;
+
+ while( sm )
+ {
+ tmpSm = sm;
+ sm = sm->next;
+ snort_free(tmpSm);
+ }
+}
+
/**Perform pattern match of a packet and construct a list of services sorted in order of
* precedence criteria. Criteria is count and then size. The first service in the list is
* returned. The list itself is saved in AppIdServiceIDState. If
if (id_state)
{
id_state->svc = service;
- if (id_state->service_list != nullptr)
- AppIdFreeServiceMatchList(id_state->service_list);
-
+ id_state->free_service_match_list();
id_state->service_list = smOrderedList[0];
id_state->current_service = smOrderedList[0];
}
else
- AppIdFreeServiceMatchList(smOrderedList[0]);
+ free_service_match_list(smOrderedList[0]);
APPID_LOG_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp,
"Pattern service for protocol %u (%u->%u), %s\n",
static inline RNAServiceElement* AppIdGetServiceByBruteForce(IpProtocol protocol,
const RNAServiceElement* lasService)
{
- RNAServiceElement* service;
+ RNAServiceElement* service = nullptr;
if (lasService)
service = lasService->next;
static int AppIdServiceAddServiceEx(AppIdSession* asd, const Packet* pkt, int dir,
const RNAServiceElement* svc_element, AppId appId, const char* vendor, const char* version)
{
- AppIdServiceIDState* id_state;
- uint16_t port;
- const sfip_t* ip;
+ AppIdServiceIDState* id_state = nullptr;
+ uint16_t port = 0;
+ const sfip_t* ip = nullptr;
if (!asd || !pkt || !svc_element)
{
// If UDP reversed, ensure we have the correct host tracker entry.
if (asd->get_session_flags(APPID_SESSION_UDP_REVERSED))
{
- asd->id_state = get_service_id_state(ip, asd->protocol, port,
+ asd->id_state = AppIdServiceState::get(ip, asd->protocol, port,
AppIdServiceDetectionLevel(asd));
}
if (!(id_state = asd->id_state))
{
- if (!(id_state = add_service_id_state(ip, asd->protocol, port,
+ if (!(id_state = AppIdServiceState::add(ip, asd->protocol, port,
AppIdServiceDetectionLevel(asd))))
{
ErrorMessage("Add service failed to create state");
{
if (id_state->service_list)
{
- AppIdFreeServiceMatchList(id_state->service_list);
- id_state->service_list = nullptr;
+ id_state->free_service_match_list();
id_state->current_service = nullptr;
}
const sfip_t* ip = pkt->ptrs.ip_api.get_src();
uint16_t port = asd->service_port ? asd->service_port : pkt->ptrs.sp;
- if (!(id_state = add_service_id_state(ip, asd->protocol, port,
+ if (!(id_state = AppIdServiceState::add(ip, asd->protocol, port,
AppIdServiceDetectionLevel(asd))))
{
ErrorMessage("In-process service failed to create state");
const sfip_t* ip = pkt->ptrs.ip_api.get_src();
uint16_t port = asd->service_port ? asd->service_port : pkt->ptrs.sp;
- if (!(id_state = add_service_id_state(ip, asd->protocol, port,
+ if (!(id_state = AppIdServiceState::add(ip, asd->protocol, port,
AppIdServiceDetectionLevel(asd))))
{
ErrorMessage("Incompatible service failed to create state");
const sfip_t* ip = pkt->ptrs.ip_api.get_src();
uint16_t port = asd->service_port ? asd->service_port : pkt->ptrs.sp;
- if (!(id_state = add_service_id_state(ip, asd->protocol, port,
+ if (!(id_state = AppIdServiceState::add(ip, asd->protocol, port,
AppIdServiceDetectionLevel(asd))))
{
ErrorMessage("Fail service failed to create state");
*/
void FailInProcessService(AppIdSession* asd, const AppIdConfig*)
{
- AppIdServiceIDState* id_state;
-
if (asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_UDP_REVERSED))
return;
- id_state = get_service_id_state(&asd->service_ip, asd->protocol, asd->service_port,
- AppIdServiceDetectionLevel(asd));
+ AppIdServiceIDState* id_state = AppIdServiceState::get(&asd->service_ip,
+ asd->protocol, asd->service_port, AppIdServiceDetectionLevel(asd));
APPID_LOG_FILTER_SERVICE_PORT(asd->service_port,
"FailInProcess %" PRIx64 ", %08X:%u proto %u\n", asd->common.flags,
const RNAServiceElement* reverse_service = nullptr;
const sfip_t* reverse_ip = p->ptrs.ip_api.get_src();
asd->tried_reverse_service = true;
- if ((reverse_id_state = get_service_id_state(reverse_ip, proto, p->ptrs.sp,
+ if ((reverse_id_state = AppIdServiceState::get(reverse_ip, proto, p->ptrs.sp,
AppIdServiceDetectionLevel(asd))))
{
reverse_service = reverse_id_state->svc;
int AppIdDiscoverService(Packet* p, const int dir, AppIdSession* asd)
{
- const sfip_t* ip;
+ const sfip_t* ip = nullptr;
int ret = SERVICE_NOMATCH;
- const RNAServiceElement* service;
- AppIdServiceIDState* id_state;
- uint16_t port;
+ const RNAServiceElement* service = nullptr;
+ uint16_t port = 0;
ServiceValidationArgs args;
/* Get packet info. */
}
/* Get host tracker state. */
- id_state = asd->id_state;
+ AppIdServiceIDState* id_state = asd->id_state;
if (id_state == nullptr)
{
- id_state = get_service_id_state(ip, proto, port, AppIdServiceDetectionLevel(asd));
+ id_state = AppIdServiceState::get(ip, proto, port, AppIdServiceDetectionLevel(asd));
/* Create it if it doesn't exist yet. */
if (id_state == nullptr)
{
- if (!(id_state = add_service_id_state(ip, proto, port,
+ if (!(id_state = AppIdServiceState::add(ip, proto, port,
AppIdServiceDetectionLevel(asd))))
{
ErrorMessage("Discover service failed to create state");
if ( (id_state->state == SERVICE_ID_BRUTE_FORCE)
|| (id_state->state == SERVICE_ID_VALID) )
{
- if (id_state->service_list != nullptr)
- AppIdFreeServiceMatchList(id_state->service_list);
-
- id_state->service_list = nullptr;
+ id_state->free_service_match_list();
id_state->current_service = nullptr;
}
void add_service_to_active_list(RNAServiceValidationModule* service);
extern uint32_t app_id_instance_id;
-void AppIdFreeServiceMatchList(ServiceMatch* sm);
+void free_service_match_list(ServiceMatch* sm);
inline bool compareServiceElements(const RNAServiceElement* first,
const RNAServiceElement* second)
static const char FTP_EPSV_CMD[] = "EPSV";
static const char FTP_PORT_CMD[] = "PORT ";
static const char FTP_EPRT_CMD[] = "EPRT ";
- ServiceFTPData* fd;
- uint16_t offset;
- uint16_t init_offset;
- int code;
- int code_index;
- uint32_t address;
- uint16_t port;
- AppIdSession* fp;
+ ServiceFTPData* fd = nullptr;
+ uint16_t offset = 0;
+ uint16_t init_offset = 0;
+ int code = 0;
+ int code_index = 0;
+ uint32_t address = 0;
+ uint16_t port = 0;
+ AppIdSession* fp = nullptr;
int retval = SERVICE_INPROCESS;
AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
case 229:
{
code = ftp_validate_epsv(data + init_offset,
- (uint16_t)(offset-init_offset),
- &port);
+ (uint16_t)(offset-init_offset), &port);
if (!code)
{
static int rexec_validate(ServiceValidationArgs* args)
{
- int i;
- uint32_t port;
- AppIdSession* pf;
+ int i = 0;
+ uint32_t port = 0;
+ AppIdSession* pf = nullptr;
AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
Packet* pkt = args->pkt;
static int validate_packet(const uint8_t* data, uint16_t size, int dir, AppIdSession* asd,
Packet* pkt, ServiceRPCData* rd, const char** pname, uint32_t* program)
{
- const ServiceRPCCall* call;
- const ServiceRPCReply* reply;
- const ServiceRPC* rpc;
- const ServiceRPCPortmap* pm;
- const ServiceRPCAuth* a;
- const ServiceRPCPortmapReply* pmr;
- uint32_t tmp;
- uint32_t val;
- const uint8_t* end;
- AppIdSession* pf;
- const RPCProgram* rprog;
+ const ServiceRPCCall* call = nullptr;
+ const ServiceRPCReply* reply = nullptr;
+ const ServiceRPC* rpc = nullptr;
+ const ServiceRPCPortmap* pm = nullptr;
+ const ServiceRPCAuth* a = nullptr;
+ const ServiceRPCPortmapReply* pmr = nullptr;
+ uint32_t tmp = 0;
+ uint32_t val = 0;
+ const uint8_t* end = nullptr;
+ AppIdSession* pf = nullptr;
+ const RPCProgram* rprog = nullptr;
if (!size)
return SERVICE_INPROCESS;
pmr = (ServiceRPCPortmapReply*)data;
if (pmr->port)
{
- const sfip_t* sip;
- const sfip_t* dip;
-
- dip = pkt->ptrs.ip_api.get_dst();
- sip = pkt->ptrs.ip_api.get_src();
+ const sfip_t* dip = pkt->ptrs.ip_api.get_dst();
+ const sfip_t* sip = pkt->ptrs.ip_api.get_src();
tmp = ntohl(pmr->port);
pf = AppIdSession::create_future_session(pkt, dip, 0, sip, (uint16_t)tmp,
(IpProtocol)ntohl((uint32_t)rd->proto), app_id, 0);
static int rshell_validate(ServiceValidationArgs* args)
{
ServiceRSHELLData* rd = nullptr;
- ServiceRSHELLData* tmp_rd;
- int i;
- uint32_t port;
- AppIdSession* pf;
+ ServiceRSHELLData* tmp_rd = nullptr;
+ int i = 0;
+ uint32_t port = 0;
+ AppIdSession* pf = nullptr;
AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
Packet* pkt = args->pkt;
goto bail;
if (port)
{
- const sfip_t* sip;
- const sfip_t* dip;
-
tmp_rd = (ServiceRSHELLData*)snort_calloc(sizeof(ServiceRSHELLData));
tmp_rd->state = RSHELL_STATE_STDERR_CONNECT_SYN;
tmp_rd->parent = rd;
- dip = pkt->ptrs.ip_api.get_dst();
- sip = pkt->ptrs.ip_api.get_src();
+ const sfip_t* dip = pkt->ptrs.ip_api.get_dst();
+ const sfip_t* sip = pkt->ptrs.ip_api.get_src();
pf = AppIdSession::create_future_session(pkt, dip, 0, sip, (uint16_t)port, IpProtocol::TCP, app_id,
APPID_EARLY_SESSION_FLAG_FW_RULE);
if (pf)
static int snmp_validate(ServiceValidationArgs* args)
{
- ServiceSNMPData* sd;
- ServiceSNMPData* tmp_sd;
- AppIdSession* pf;
- uint8_t pdu;
- const sfip_t* sip;
- const sfip_t* dip;
- uint8_t version;
+ ServiceSNMPData* sd = nullptr;
+ ServiceSNMPData* tmp_sd = nullptr;
+ AppIdSession* pf = nullptr;
+ uint8_t pdu = 0;
+ uint8_t version = 0;
const char* version_str = nullptr;
AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
switch (sd->state)
{
case SNMP_STATE_CONNECTION:
+ {
if (pdu != SNMP_PDU_GET_RESPONSE && dir == APP_ID_FROM_RESPONDER)
{
sd->state = SNMP_STATE_R_RESPONSE;
sd->state = SNMP_STATE_RESPONSE;
/*adding expected connection in case the server doesn't send from 161*/
- dip = pkt->ptrs.ip_api.get_dst();
- sip = pkt->ptrs.ip_api.get_src();
+ const sfip_t* dip = pkt->ptrs.ip_api.get_dst();
+ const sfip_t* sip = pkt->ptrs.ip_api.get_src();
pf = AppIdSession::create_future_session(pkt, dip, 0, sip, pkt->ptrs.sp, asd->protocol, app_id, 0);
if (pf)
{
pf->scan_flags |= SCAN_HOST_PORT_FLAG;
pf->common.initiator_ip = *sip;
}
+ }
break;
case SNMP_STATE_RESPONSE:
if (pdu == SNMP_PDU_GET_RESPONSE)
bool setSSLSquelch(Packet* p, int type, AppId appId)
{
- const sfip_t* sip;
- const sfip_t* dip;
- AppIdSession* f;
+ AppIdSession* f = nullptr;
if (!AppInfoManager::get_instance().get_app_info_flags(appId, APPINFO_FLAG_SSL_SQUELCH))
return false;
- dip = p->ptrs.ip_api.get_dst();
- sip = p->ptrs.ip_api.get_src();
+ const sfip_t* dip = p->ptrs.ip_api.get_dst();
+ const sfip_t* sip = p->ptrs.ip_api.get_src();
if (!(f = AppIdSession::create_future_session(p, sip, 0, dip, p->ptrs.dp, IpProtocol::TCP,
appId, 0)))
static int tftp_validate(ServiceValidationArgs* args)
{
- ServiceTFTPData* td;
- ServiceTFTPData* tmp_td;
- int mode;
+ ServiceTFTPData* td = nullptr;
+ ServiceTFTPData* tmp_td = nullptr;
+ int mode = 0;
uint16_t block = 0;
- uint16_t tmp;
- AppIdSession* pf;
- const sfip_t* sip;
- const sfip_t* dip;
+ uint16_t tmp = 0;
+ AppIdSession* pf = nullptr;
+ const sfip_t* sip = nullptr;
+ const sfip_t* dip = nullptr;
AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
Packet* pkt = args->pkt;
#include "service_state.h"
-#include "hash/sfxhash.h"
+#include <map>
+
#include "log/messages.h"
#include "service_plugins/service_base.h"
#include "sfip/sf_ip.h"
//#define DEBUG_SERVICE_STATE 1
-static THREAD_LOCAL SFXHASH* serviceStateCache4;
-static THREAD_LOCAL SFXHASH* serviceStateCache6;
-
-#define SERVICE_STATE_CACHE_ROWS 65536
-
-static int AppIdServiceStateFree(void*, void* data)
+class AppIdServiceStateKey
{
- AppIdServiceIDState* id_state = (AppIdServiceIDState*)data;
-
- if (id_state->service_list)
- {
- AppIdFreeServiceMatchList(id_state->service_list);
- id_state->service_list = nullptr;
- }
-
- return 0;
-}
-
-int init_service_state(unsigned long memcap)
+public:
+ AppIdServiceStateKey()
+ {
+ ip.clear();
+ port = 0;
+ proto = IpProtocol::PROTO_NOT_SET;
+ level = 0;
+ }
+
+ bool operator<(AppIdServiceStateKey right) const
+ {
+ if( sfip_lesser(&ip, &right.ip) )
+ return true;
+ else if( sfip_lesser(&right.ip, &ip) )
+ return false;
+ else
+ {
+ if( port < right.port )
+ return true;
+ else if( right.port < port )
+ return false;
+ else if( proto < right.proto )
+ return true;
+ else if( right.proto < proto )
+ return false;
+ else if( level < right.level )
+ return true;
+ else
+ return false;
+ }
+ }
+
+ sfip_t ip;
+ uint16_t port;
+ IpProtocol proto;
+ uint32_t level;
+};
+
+// FIXIT-L - no memcap on size of this table, do we need that?
+THREAD_LOCAL std::map<AppIdServiceStateKey, AppIdServiceIDState*>* service_state_cache = nullptr;
+
+void AppIdServiceState::initialize(unsigned long)
{
- serviceStateCache4 = sfxhash_new(SERVICE_STATE_CACHE_ROWS,
- sizeof(AppIdServiceStateKey4), sizeof(AppIdServiceIDState), memcap >> 1, 1,
- &AppIdServiceStateFree, &AppIdServiceStateFree, 1);
- if (!serviceStateCache4)
- {
- ErrorMessage("Failed to allocate a hash table");
- return -1;
- }
- serviceStateCache6 = sfxhash_new(SERVICE_STATE_CACHE_ROWS,
- sizeof(AppIdServiceStateKey6), sizeof(AppIdServiceIDState), memcap >> 1, 1,
- &AppIdServiceStateFree, &AppIdServiceStateFree, 1);
- if (!serviceStateCache6)
- {
- ErrorMessage("Failed to allocate a hash table");
- return -1;
- }
- return 0;
+ service_state_cache = new std::map<AppIdServiceStateKey, AppIdServiceIDState*>;
}
-void clean_service_state(void)
+void AppIdServiceState::clean(void)
{
- if (serviceStateCache4)
- {
- sfxhash_delete(serviceStateCache4);
- serviceStateCache4 = nullptr;
- }
+ for( auto& kv : *service_state_cache )
+ delete kv.second;
- if (serviceStateCache6)
- {
- sfxhash_delete(serviceStateCache6);
- serviceStateCache6 = nullptr;
- }
+ service_state_cache->empty();
+ delete service_state_cache;
+ service_state_cache = nullptr;
}
-void remove_service_id_state(const sfip_t* ip, IpProtocol proto, uint16_t port, uint32_t level)
+AppIdServiceIDState* AppIdServiceState::add(const sfip_t* ip, IpProtocol proto, uint16_t port,
+ uint32_t level)
{
- AppIdServiceStateKey k;
- SFXHASH* cache;
+ AppIdServiceStateKey ssk;
+ AppIdServiceIDState* ss = nullptr;
- if (sfip_family(ip) == AF_INET6)
+ sfip_set_ip(&ssk.ip, ip);
+ ssk.proto = proto;
+ ssk.port = port;
+ ssk.level = level;
+
+ std::map<AppIdServiceStateKey, AppIdServiceIDState*>::iterator it;
+ it = service_state_cache->find(ssk);
+ if( it != service_state_cache->end())
{
- k.key6.proto = proto;
- k.key6.port = port;
- memcpy(k.key6.ip, ip->ip32, sizeof(k.key6.ip));
- k.key6.level = level;
- cache = serviceStateCache6;
+ ss = it->second;
}
else
{
- k.key4.proto = proto;
- k.key4.port = port;
- k.key4.ip = ip->ip32[0];
- k.key4.level = level;
- cache = serviceStateCache4;
+ ss = new AppIdServiceIDState;
+ (*service_state_cache)[ssk] = ss;
}
- if (sfxhash_remove(cache, &k) != SFXHASH_OK)
- {
- char ipstr[INET6_ADDRSTRLEN];
- ipstr[0] = 0;
- sfip_ntop(ip, ipstr, sizeof(ipstr));
- ErrorMessage("Failed to remove from hash: %s:%u:%u\n", ipstr, (unsigned)proto,
- (unsigned)port);
- }
+#ifdef DEBUG_SERVICE_STATE
+ char ipstr[INET6_ADDRSTRLEN];
+
+ ipstr[0] = 0;
+ sfip_ntop(ip, ipstr, sizeof(ipstr));
+ DebugFormat(DEBUG_APPID, "ServiceState: Added to hash: %s:%u:%u:%u %p\n", ipstr, (unsigned)proto,
+ (unsigned)port, level, (void*)ss);
+#endif
+
+ return ss;
}
-AppIdServiceIDState* get_service_id_state(const sfip_t* ip, IpProtocol proto, uint16_t port,
+AppIdServiceIDState* AppIdServiceState::get(const sfip_t* ip, IpProtocol proto, uint16_t port,
uint32_t level)
{
- SFXHASH* cache;
- AppIdServiceStateKey k;
+ AppIdServiceStateKey ssk;
+ AppIdServiceIDState* ss = nullptr;
char ipstr[INET6_ADDRSTRLEN]; // FIXIT-M ASAN reports mem leak on ServiceMatch* objects if this is not defined
// which makes no sense, need to investigate further
- if (sfip_family(ip) == AF_INET6)
- {
- k.key6.proto = proto;
- k.key6.port = port;
- memcpy(k.key6.ip, ip->ip32, sizeof(k.key6.ip));
- k.key6.level = level;
- cache = serviceStateCache6;
- }
- else
+ sfip_set_ip(&ssk.ip, ip);
+ ssk.proto = proto;
+ ssk.port = port;
+ ssk.level = level;
+
+ std::map<AppIdServiceStateKey, AppIdServiceIDState*>::iterator it;
+ it = service_state_cache->find(ssk);
+ if( it != service_state_cache->end())
{
- k.key4.proto = proto;
- k.key4.port = port;
- k.key4.ip = ip->ip32[0];
- k.key4.level = level;
- cache = serviceStateCache4;
+ ss = it->second;
+ if (ss->svc && !ss->svc->ref_count)
+ {
+ ss->svc = nullptr;
+ ss->state = SERVICE_ID_NEW;
+ }
}
- AppIdServiceIDState* ss = (AppIdServiceIDState*)sfxhash_find(cache, &k);
#ifdef DEBUG_SERVICE_STATE
ipstr[0] = 0;
UNUSED(ipstr);
#endif
- if (ss && ss->svc && !ss->svc->ref_count)
- {
- ss->svc = nullptr;
- ss->state = SERVICE_ID_NEW;
- }
-
return ss;
}
-AppIdServiceIDState* add_service_id_state(const sfip_t* ip, IpProtocol proto, uint16_t port,
- uint32_t level)
+void AppIdServiceState::remove(const sfip_t* ip, IpProtocol proto, uint16_t port, uint32_t level)
{
- AppIdServiceStateKey k;
- AppIdServiceIDState* ss;
- SFXHASH* cache;
+ AppIdServiceStateKey ssk;
+
+ sfip_set_ip(&ssk.ip, ip);
+ ssk.proto = proto;
+ ssk.port = port;
+ ssk.level = level;
- if (sfip_family(ip) == AF_INET6)
+ std::map<AppIdServiceStateKey, AppIdServiceIDState*>::iterator it;
+ it = service_state_cache->find(ssk);
+ if( it != service_state_cache->end())
{
- k.key6.proto = proto;
- k.key6.port = port;
- memcpy(k.key6.ip, ip->ip32, sizeof(k.key6.ip));
- k.key6.level = level;
- cache = serviceStateCache6;
+ delete it->second;
+ service_state_cache->erase(it);
}
else
- {
- k.key4.proto = proto;
- k.key4.port = port;
- k.key4.ip = ip->ip32[0];
- k.key4.level = level;
- cache = serviceStateCache4;
- }
-
- if ((sfxhash_add_return_data_ptr(cache, &k, (void**)&ss) < 0) || !ss)
{
char ipstr[INET6_ADDRSTRLEN];
+ ipstr[0] = 0;
sfip_ntop(ip, ipstr, sizeof(ipstr));
- ErrorMessage("ServiceState: Failed to add to hash: %s:%u:%u:%u\n", ipstr, (unsigned)proto,
- (unsigned)port, level);
- return nullptr;
+ ErrorMessage("Failed to remove from hash: %s:%u:%u\n", ipstr, (unsigned)proto, port);
}
-
-#ifdef DEBUG_SERVICE_STATE
- char ipstr[INET6_ADDRSTRLEN];
-
- ipstr[0] = 0;
- sfip_ntop(ip, ipstr, sizeof(ipstr));
- DebugFormat(DEBUG_APPID, "ServiceState: Added to hash: %s:%u:%u:%u %p\n", ipstr, (unsigned)proto,
- (unsigned)port, level, (void*)ss);
-#endif
-
- return ss;
}
-void dump_service_state_stats(void)
+void AppIdServiceState::dump_stats(void)
{
+ // FIXIT-L - do we need to keep ipv4 and ipv6 separate?
+#if 0
LogMessage("Service State:\n");
if (serviceStateCache4)
{
LogMessage(" IPv6 Memory Limit: %lu\n", serviceStateCache6->mc.memcap);
LogMessage(" IPv6 Memory Used: %lu\n", serviceStateCache6->mc.memused);
}
+#endif
}
#define SERVICE_STATE_H
#include "sfip/sfip_t.h"
+#include "protocols/protocol_ids.h"
+#include "utils/util.h"
struct RNAServiceElement;
-struct ServiceMatch;
enum class IpProtocol : uint8_t;
// Service state stored in hosttracker for maintaining service matching states.
enum SERVICE_ID_STATE
{
- /**first search of service. The matching criteria is coded in ProtocolID funtion.
- */
- SERVICE_ID_NEW = 0,
-
- /**service is already detected and valid.
- */
- SERVICE_ID_VALID,
-
- /**match based on source or destination port in first packet in flow.
- */
- SERVICE_ID_PORT,
-
- /**match based on pattern in first response from server or client in
- * case of client_services.
- */
- SERVICE_ID_PATTERN,
-
- /**match based on round-robin through tcpServiceList or UdpServiceList. RNA walks
- * the list from first element to last. In a detector declares a flow incompatible
- * or the flow closes earlier than expected by detector, then the next detector is
- * tried. This can obviously delay detection under some scenarios.
- */
- SERVICE_ID_BRUTE_FORCE,
+ SERVICE_ID_NEW = 0, // service search starting
+ SERVICE_ID_VALID, // service detected
+ SERVICE_ID_PORT, // matched based on src/dest port of first packet
+ SERVICE_ID_PATTERN, // match based on pattern in first response packet
+ SERVICE_ID_BRUTE_FORCE, // match based on round-robin through tcp/udp service lists
+ // the lists are walked from first element to last. In a detector
+ // declares a flow incompatible or the flow closes earlier than
+ // expected by detector, then the next detector is tried. This can
+ // obviously delay detection under some scenarios.
};
#define DETECTOR_TYPE_PASSIVE 0
#define DETECTOR_TYPE_CONFLICT 4
#define DETECTOR_TYPE_PATTERN 5
+struct ServiceMatch
+{
+ struct ServiceMatch* next;
+ unsigned count;
+ unsigned size;
+ RNAServiceElement* svc;
+};
+
// Service state saved in hosttracker, for identifying a service across multiple flow instances.
struct AppIdServiceIDState
{
- const RNAServiceElement* svc;
+ AppIdServiceIDState()
+ {
+ last_detract.clear();
+ last_invalid_client.clear();
+ reset_time = 0;
+ }
+
+ ~AppIdServiceIDState()
+ {
+ free_service_match_list();
+ }
+
+ void free_service_match_list()
+ {
+ ServiceMatch* sm;
+
+ while( (sm = service_list) )
+ {
+ service_list = sm->next;
+ snort_free(sm);
+ }
+ }
+
+ const RNAServiceElement* svc = nullptr;
/**State of service identification.*/
- SERVICE_ID_STATE state;
- unsigned valid_count;
- unsigned detract_count;
+ SERVICE_ID_STATE state = SERVICE_ID_NEW;
+ unsigned valid_count = 0;
+ unsigned detract_count = 0;
sfip_t last_detract;
/**Number of consequetive flows that were declared incompatible by detectors. Incompatibility
* means client packet did not match.
*/
- unsigned invalid_client_count;
+ unsigned invalid_client_count = 0;
/**IP address of client in last flow that was declared incompatible. If client IP address is
* different everytime, then consequetive incompatible status indicate that flow is not using
/** Count for number of unknown sessions saved
*/
- unsigned unknowns_logged;
+ unsigned unknowns_logged = 0;
time_t reset_time;
/**List of ServiceMatch nodes which are sorted in order of pattern match. The list is contructed
* matching, but has the disadvantage of making one flow match dependent on first instance of the
* same flow.
*/
- ServiceMatch* service_list;
- ServiceMatch* current_service;
+ ServiceMatch* service_list = nullptr;
+ ServiceMatch* current_service = nullptr;
/** Is this entry currently being used in an active session? */
- bool searching;
+ bool searching = false;
};
-struct AppIdServiceStateKey4
-{
- uint16_t port;
- IpProtocol proto;
- uint32_t ip;
- uint32_t level;
-};
-struct AppIdServiceStateKey6
+class AppIdServiceState
{
- uint16_t port;
- IpProtocol proto;
- uint8_t ip[16];
- uint32_t level;
+public:
+ static void initialize(unsigned long);
+ static void clean();
+ static AppIdServiceIDState* add( const sfip_t*, IpProtocol proto, uint16_t port, uint32_t level);
+ static AppIdServiceIDState* get( const sfip_t*, IpProtocol proto, uint16_t port, uint32_t level);
+ static void remove(const sfip_t*, IpProtocol proto, uint16_t port, uint32_t level);
+ static void dump_stats();
};
-union AppIdServiceStateKey
-{
- AppIdServiceStateKey4 key4;
- AppIdServiceStateKey6 key6;
-};
-
-int init_service_state(unsigned long memcap);
-void clean_service_state();
-void remove_service_id_state(const sfip_t*, IpProtocol proto, uint16_t port, uint32_t level);
-AppIdServiceIDState* get_service_id_state( const sfip_t*, IpProtocol proto, uint16_t port, uint32_t level);
-AppIdServiceIDState* add_service_id_state( const sfip_t*, IpProtocol proto, uint16_t port, uint32_t level);
-void dump_service_state_stats();
-
#endif
{
type = IAT_NONE;
iph = nullptr;
+ src.clear();
+ dst.clear();
}
void IpApi::set(const IP4Hdr* h4)
projects / thirdparty / snort3.git / commitdiff
