refactor, establish DetectionEngine class
authorRuss Combs <rucombs@cisco.com>
Fri, 21 Oct 2016 20:54:59 +0000 (16:54 -0400)
committerRuss Combs <rucombs@cisco.com>
Wed, 18 Jan 2017 13:14:39 +0000 (08:14 -0500)
21 files changed:
extra/src/inspectors/http_server/hi_main.cc
src/detection/CMakeLists.txt
src/detection/Makefile.am
src/detection/detect.cc
src/detection/detect.h
src/detection/fp_detect.cc
src/events/event_queue.cc
src/events/event_wrapper.cc
src/file_api/file_service.cc
src/main/policy.cc
src/main/snort.cc
src/main/snort.h
src/service_inspectors/dce_rpc/dce_co.cc
src/service_inspectors/dce_rpc/dce_common.cc
src/service_inspectors/dce_rpc/dce_smb_utils.cc
src/service_inspectors/dce_rpc/dce_udp_processing.cc
src/service_inspectors/dnp3/dnp3_reassembly.cc
src/service_inspectors/ftp_telnet/ftp.cc
src/stream/stream.cc
src/stream/tcp/tcp_reassembler.cc
src/stream/user/user_session.cc

index 57c0ffe64ffb68e4d4943b1f44ec194440f4b43f..c74315c3de6e0384fa05d7b690900a785c8e77e2 100644 (file)
@@ -53,7 +53,8 @@
 
 #include "hi_main.h"
 
-#include "detection/detect.h"
+#include "detection/detection_engine.h"
+#include "detection/detection_util.h"
 #include "file_api/file_flows.h"
 #include "log/messages.h"
 #include "log/unified2.h"
@@ -611,7 +612,6 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p)
             DisableDetect();
             return 0;
         }
-        // see comments on call to snort_detect() below
         {
             ProfileExclude exclude(hiPerfStats);
             get_data_bus().publish(PACKET_EVENT, p);
@@ -1107,7 +1107,7 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p)
         */
         {
             Profile exclude(hiPerfStats);
-            snort_detect(p);
+            DetectionEngine::process(p);
         }
 
         /*
@@ -1120,7 +1120,7 @@ int HttpInspectMain(HTTPINSPECT_CONF* conf, Packet* p)
 
     if ( iCallDetect == 0 )
     {
-        /* snort_detect called at least once from above pkt processing loop. */
+        // DetectionEngine::process called at least once from above pkt processing loop.
         // FIXIT-M this throws off nfp rules like this:
         // alert tcp any any -> any any ( sid:1; msg:"1"; flags:S; )
         // (check shutdown counts)
index 6ff9a895367de9e5ca5f8c6b7bf9e77d76fb6944..fffbc72025c77ab57bd2084a9c468d3d0f9f5111 100644 (file)
@@ -2,6 +2,8 @@
 set (DETECTION_INCLUDES
     detect.h
     detection_defines.h
+    detection_engine.h
+    detection_options.h
     detection_util.h
     ips_context.h
     rule_option_types.h
@@ -15,6 +17,7 @@ add_library (detection STATIC
     context_switcher.cc
     context_switcher.h
     detect.cc
+    detection_engine.cc
     detection_options.cc
     detection_options.h
     detection_util.cc
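Review bot: `detection_engine.cc` is added to the library sources here (and `detection_engine.h` to the installed headers at L72, with the same additions to Makefile.am at L90 and L99), yet neither detection_engine.cc nor detection_engine.h appears in this commit's 21-file list, so the build cannot succeed on this commit alone. Every other file in the diff now includes `detection/detection_engine.h` and calls `DetectionEngine::process`/`set_packet`/`get_event_queue`, so unless those two files land in a separate commit they look unstaged; worth confirming before this is merged. `detection_options.h` at L73 was already compiled into the library (L83) and is only newly exported, which is fine.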
index 5ff9478451043248261917f863b2eb06f3884eac..e8b51bb3a52e3a79a19a1945040719679cc75e95 100644 (file)
@@ -6,6 +6,8 @@ x_includedir = $(pkgincludedir)/detection
 x_include_HEADERS = \
 detect.h \
 detection_defines.h \
+detection_engine.h \
+detection_options.h \
 detection_util.h \
 ips_context.h \
 rule_option_types.h \
@@ -17,6 +19,7 @@ libdetection_a_SOURCES = \
 context_switcher.cc \
 context_switcher.h \
 detect.cc \
+detection_engine.cc \
 detection_options.cc \
 detection_options.h \
 detection_util.cc \
index d11b5189ebaff18de1a3ecaac7aada4496980f76..c4439ddb52ddb0e24d9344483e272a5722ea1a07 100644 (file)
 // with this program; if not, write to the Free Software Foundation, Inc.,
 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 //--------------------------------------------------------------------------
-/*    Dan Roelker <droelker@sourcefire.com>
-**    Marc Norton <mnorton@sourcefire.com>
-** NOTES
-**   5.7.02: Added interface for new detection engine. (Norton/Roelker)
+
+/*   Dan Roelker <droelker@sourcefire.com>
+**   Marc Norton <mnorton@sourcefire.com>
 **
+**   5.7.02: Added interface for new detection engine. (Norton/Roelker)
 */
 
 #ifdef HAVE_CONFIG_H
@@ -44,9 +44,9 @@
 #include "utils/stats.h"
 
 #include "detection_defines.h"
+#include "detection_engine.h"
 #include "fp_detect.h"
 #include "tag.h"
-#include "treenodes.h"
 
 #define CHECK_SRC_IP         0x01
 #define CHECK_DST_IP         0x02
@@ -108,7 +108,7 @@ void snort_inspect(Packet* p)
             Active::apply_delayed_action(p);
 
             if ( do_detect )
-                snort_detect(p);
+                DetectionEngine::process(p);
         }
 
         check_tags_flag = 1;
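Review bot: `DetectionEngine::process(p)` replaces `snort_detect(p)`, whose removed body (L155-197) rejected a null or non-IP packet, short-circuited on `PKT_PASS_RULE`, honoured `PacketLatency::fastpath()` and only ran `fpEvalPacket` for IP/TCP/UDP/ICMP/PDU/FILE packets before reaching the rule engine. Because detection_engine.cc is not part of this commit I cannot confirm those guards were carried over; the `PKT_PASS_RULE` check in particular is what stops a packet already matched by a pass rule from being re-evaluated, and the fastpath check is what bounds per-packet latency, so please verify both survive in `process()`. The same replacement is made at every other call site in this commit (hi_main.cc, dce_common.cc, dce_smb_utils.cc, dnp3_reassembly.cc, policy.cc). `snort_inspect` starts and ends outside this hunk.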
@@ -237,62 +237,6 @@ int CheckTagging(Packet* p)
     return 0;
 }
 
-/****************************************************************************
- *
- * Function: snort_detect(Packet *)
- *
- * Purpose: Apply the rules lists to the current packet
- *
- * Arguments: p => ptr to the decoded packet struct
- *
- * Returns: 1 == detection event
- *          0 == no detection
- *
- ***************************************************************************/
-bool snort_detect(Packet* p)
-{
-    Profile profile(detectPerfStats);
-
-    if ((p == NULL) || !p->ptrs.ip_api.is_valid())
-    {
-        return false;
-    }
-
-    if (p->packet_flags & PKT_PASS_RULE)
-    {
-        /* If we've already seen a pass rule on this,
-         * no need to continue do inspection.
-         */
-        return false;
-    }
-
-    // FIXIT-M restrict detect to current ip layer
-    // Curently, if a rule is found on any IP layer, we perform the detect routine
-    // on the entire packet. Instead, we should only perform detect on that layer!!
-    switch ( p->type() )
-    {
-    case PktType::IP:
-    case PktType::TCP:
-    case PktType::UDP:
-    case PktType::ICMP:
-    case PktType::PDU:
-    case PktType::FILE:
-    {
-        if ( PacketLatency::fastpath() )
-            return false;
-
-        /*
-        **  This is where we short circuit so
-        **  that we can do IP checks.
-        */
-        return fpEvalPacket(p);
-    }
-
-    default:
-        return false;
-    }
-}
-
 static int CheckAddrPort(
     sfip_var_t* rule_addr,
     PortObject* po,
index 1c1342ae21b5a5d23ad5a4af28c59c43a4a6ded5..1915d45c5751682d850caaeac6c4900d2f55da92 100644 (file)
@@ -42,9 +42,6 @@ void snort_ignore(Packet*);
 void snort_inspect(Packet*);
 void snort_log(Packet*);
 
-// detection only (no decode or inspection)
-SO_PUBLIC bool snort_detect(Packet*);
-
 // parsing
 int RuleListEnd(Packet*, RuleTreeNode*, RuleFpList*, int);
 int OptListEnd(void* option_data, class Cursor&, Packet*);
index 121a529e89b2aef5b59cbebd23f1768be56f1ec9..7b8ba630200c0fdce6f56a7be46b08e37a925ced 100644 (file)
@@ -1214,12 +1214,7 @@ static void fpEvalPacketUdp(Packet* p)
 }
 
 /*
-**
-**  NAME
-**    fpEvalPacket::
-**
 **  DESCRIPTION
-**    This function is the interface to the snort_detect() routine.
 **    the IP protocol is processed.  If it is TCP, UDP, or ICMP, we
 **    process the both that particular ruleset and the IP ruleset
 **    with in the fpEvalHeader for that protocol.  If the protocol
@@ -1236,7 +1231,6 @@ static void fpEvalPacketUdp(Packet* p)
 **
 **  FORMAL OUTPUT
 **    int - 0 means that packet has been processed.
-**
 */
 int fpEvalPacket(Packet* p)
 {
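Review bot: After dropping the line that named snort_detect(), the DESCRIPTION block now opens with `**    the IP protocol is processed.` at L224, a fragment with no subject. Suggest restoring the lead-in, e.g. `**    Entry point from DetectionEngine::process(); the IP protocol is processed.` — hedged, since the removed snort_detect body (L191) was the caller of fpEvalPacket and the new DetectionEngine presumably keeps that role, but detection_engine.cc is not in this commit. fpEvalPacket's body continues outside the hunk.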
index be0eddb146869da5c2f6927a719687fdab49a84c..62d7fea46589131a1e4a7cbd72e9a5d36aef56bc 100644 (file)
@@ -58,6 +58,7 @@
 
 #include "event_queue.h"
 
+#include "detection/detection_engine.h"
 #include "detection/fp_detect.h"
 #include "filters/sfthreshold.h"
 #include "log/messages.h"
@@ -109,7 +110,7 @@ int SnortEventqAdd(const OptTreeNode* otn)
         return 0;
     }
 
-    SF_EVENTQ* pq = Snort::get_event_queue();
+    SF_EVENTQ* pq = DetectionEngine::get_event_queue();
     EventNode* en = (EventNode*)sfeventq_event_alloc(pq);
 
     if ( !en )
@@ -134,7 +135,7 @@ int SnortEventqAdd(uint32_t gid, uint32_t sid, RuleType type)
     if ( !otn )
         return 0;
 
-    SF_EVENTQ* pq = Snort::get_event_queue();
+    SF_EVENTQ* pq = DetectionEngine::get_event_queue();
     EventNode* en = (EventNode*)sfeventq_event_alloc(pq);
 
     if ( !en )
@@ -190,7 +191,7 @@ static int LogSnortEvents(void* event, void* user)
 */
 int SnortEventqLog(Packet* p)
 {
-    SF_EVENTQ* pq = Snort::get_event_queue();
+    SF_EVENTQ* pq = DetectionEngine::get_event_queue();
     sfeventq_action(pq, LogSnortEvents, (void*)p);
     return 0;
 }
@@ -208,7 +209,7 @@ void SnortEventqResetCounts()
 
 void SnortEventqReset()
 {
-    SF_EVENTQ* pq = Snort::get_event_queue();
+    SF_EVENTQ* pq = DetectionEngine::get_event_queue();
     sfeventq_reset(pq);
     reset_counts();
 }
index 88d8e9cd05ed200227b6c14f0a80cb1efad93b1c..fc288b0db20611258b3ab5fd1ec1cd597dbdb141 100644 (file)
  */
 uint32_t GenerateSnortEvent(Packet* p, uint32_t gid, uint32_t sid)
 {
-    OptTreeNode* otn;
-    RuleTreeNode* rtn;
+    OptTreeNode* otn = GetOTN(gid, sid);
 
-    otn = GetOTN(gid, sid);
-
-    if (otn == NULL)
+    if ( !otn )
         return 0;
 
-    rtn = getRuntimeRtnFromOtn(otn);
+    RuleTreeNode* rtn = getRuntimeRtnFromOtn(otn);
 
-    if (rtn == NULL)
+    if ( !rtn )
         return 0;
 
     fpLogEvent(rtn, otn, p);
index ac62f0b840300b7f14bfc60ee6a9177618ccf3c9..d2b1c7a9b119306693e406e92c9ba4c2af6b79a2 100644 (file)
@@ -42,6 +42,7 @@ bool FileService::file_type_id_enabled = false;
 bool FileService::file_signature_enabled = false;
 bool FileService::file_capture_enabled = false;
 bool FileService::file_processing_initiated = false;
+
 FileEnforcer* FileService::file_enforcer = nullptr;
 FileCache* FileService::file_cache = nullptr;
 
index cd336a9dcd04dcb2140903185cede0e74b0ee8e5..3b0f61b38e5b7fa0c3abe53e83ac8b3d24ec59c6 100644 (file)
@@ -23,7 +23,7 @@
 
 #include "policy.h"
 
-#include "detection/detect.h"
+#include "detection/detection_engine.h"
 #include "managers/inspector_manager.h"
 #include "parser/vars.h"
 #include "ports/port_var_table.h"
@@ -62,7 +62,7 @@ public:
     AltPktHandler() { }
 
     void handle(DataEvent& e, Flow*)
-    { snort_detect((Packet*)e.get_packet()); }  // FIXIT-L not const!
+    { DetectionEngine::process((Packet*)e.get_packet()); }  // FIXIT-L not const!
 };
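Review bot: The rewritten handler still strips const with a C-style cast, `(Packet*)e.get_packet()`, while the trailing FIXIT-L admits the call is not const-correct. Since the line is being touched anyway, making the cast explicit keeps the const violation greppable until the FIXIT is resolved: `{ DetectionEngine::process(const_cast<Packet*>(e.get_packet())); }  // FIXIT-L not const!` (assuming `get_packet()` returns a `const Packet*`, which the FIXIT wording suggests).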
 
 InspectionPolicy::InspectionPolicy()
index 12c8e94f47a29f2aa5fa6307fdd2d194e3a13e53..6dc3154fced3663606acd76b07c191e34733b08d 100644 (file)
@@ -31,7 +31,7 @@
 #include "connectors/connectors.h"
 #include "decompress/file_decomp.h"
 #include "detection/context_switcher.h"
-#include "detection/detect.h"
+#include "detection/detection_engine.h"
 #include "detection/detection_util.h"
 #include "detection/fp_config.h"
 #include "detection/fp_detect.h"
@@ -107,6 +107,9 @@ static THREAD_LOCAL uint8_t s_data[65536];
 static THREAD_LOCAL Packet* s_packet = nullptr;
 static THREAD_LOCAL ContextSwitcher* s_switcher = nullptr;
 
+ContextSwitcher* Snort::get_switcher()
+{ return s_switcher; }
+
 //-------------------------------------------------------------------------
 // perf stats
 // FIXIT-M move these to appropriate modules
@@ -728,59 +731,7 @@ void Snort::thread_term()
     delete s_switcher;
 }
 
-DetectionContext::DetectionContext()
-{
-    s_switcher->interrupt();
-}
-
-DetectionContext::~DetectionContext()
-{ Snort::clear_detect_packet(); }
-
-Packet* DetectionContext::get_packet()
-{ return Snort::get_detect_packet(); }
-
-SF_EVENTQ* Snort::get_event_queue()
-{
-    return s_switcher->get_context()->equeue;
-}
-
-Packet* Snort::set_detect_packet()
-{
-    // we need to stay in the current context until rebuild is successful
-    // any events while rebuilding will be logged against the current packet
-    // FIXIT-H bypass the interrupt / complete
-    const IpsContext* c = s_switcher->interrupt();
-    Packet* p = c->packet;
-    s_switcher->complete();
-
-    p->pkth = c->pkth;
-    p->data = c->buf;
-    p->reset();
-    return p;
-}
-
-Packet* Snort::get_detect_packet()
-{
-    Packet* p = s_switcher->get_context()->packet;
-    return p;
-}
-
-void Snort::clear_detect_packet()
-{
-    Packet* p = get_detect_packet();
-    SnortEventqLog(p);
-    SnortEventqReset();
-
-    if ( p->endianness )
-    {
-        delete p->endianness;
-        p->endianness = nullptr;
-    }
-
-    s_switcher->complete();
-}
-
-void Snort::detect_rebuilt_packet(Packet* p)
+void Snort::inspect(Packet* p)
 {
     // Need to include this b/c call is outside the detect tree
     Profile detect_profile(detectPerfStats);
@@ -789,7 +740,7 @@ void Snort::detect_rebuilt_packet(Packet* p)
     auto save_do_detect = do_detect;
     auto save_do_detect_content = do_detect_content;
 
-    DetectionContext dc;
+    DetectionEngine de;
     main_hook(p);
 
     DetectReset();  // FIXIT-H context
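Review bot: `DetectionEngine de;` at L416 is an RAII guard that is never referenced afterwards, and nothing in the hunk says what constructing or destroying it does. The `DetectionContext` it replaces (removed at L354-360) interrupted the context switcher on construction and, on destruction, logged and reset the event queue and completed the switcher; the new type presumably does the same, but detection_engine.h is not part of this commit so that cannot be confirmed here. Please add a comment on the declaration, e.g. `// RAII guard: enters a fresh detection context; destructor logs queued events and releases it`, and the same where the unnamed-guard pattern recurs in dce_co.cc (DCE2_CoReassemble, DCE2_CoSegDecode), dce_common.cc (DCE2_Detect), dce_smb_utils.cc (DCE2_FileDetect) and dce_udp_processing.cc (DCE2_ClFragReassemble). `Snort::inspect` starts and ends outside this hunk.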
@@ -812,7 +763,6 @@ DAQ_Verdict Snort::process_packet(
 
     set_policy(p);  // FIXIT-M should not need this here
 
-    /* just throw away the packet if we are configured to ignore this port */
     if ( !(p->packet_flags & PKT_IGNORE) )
     {
         DetectReset();
index fe7437245b2e6bf072c282bc519ab3facf0855ed..bee0b92594f9cd657d8550972f5ea08c3cf4a8fd 100644 (file)
@@ -35,17 +35,7 @@ struct SnortConfig;
 
 typedef void (* MainHook_f)(Packet*);
 
-// FIXIT-H this needs to move to detection
-class SO_PUBLIC DetectionContext
-{
-public:
-    DetectionContext();
-    ~DetectionContext();
-
-    Packet* get_packet();
-};
-
-class SO_PUBLIC Snort
+class Snort
 {
 public:
     static SnortConfig* get_reload_config(const char* fname);
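Review bot: Changing `class SO_PUBLIC Snort` to `class Snort` at L444 removes symbol export from every static member except `get_packet` (still marked at L470), including the new `inspect` and `get_switcher`. That is fine for in-tree callers such as tcp_reassembler.cc and user_session.cc, but any out-of-tree plugin (the extra/ inspectors are built as separate shared objects) that referenced another `Snort::` member would now fail to resolve; I can't see such a caller in this diff, so this is a request to confirm rather than a defect. Relatedly, detect.h drops the `SO_PUBLIC` snort_detect (L208) that extra/src/inspectors/http_server/hi_main.cc used, so `DetectionEngine::process` must itself be exported for hi_main.cc to load — detection_engine.h is not in this commit, so please check it carries `SO_PUBLIC`.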
@@ -66,20 +56,15 @@ public:
 
     static void capture_packet();
 
-    // FIXIT-H these need to move to detection
-    static Packet* set_detect_packet();
-    static Packet* get_detect_packet();
-    static void clear_detect_packet();
-    static void detect_rebuilt_packet(Packet*);
-
-    static struct SF_EVENTQ* get_event_queue();
-
     static DAQ_Verdict process_packet(
         Packet*, const DAQ_PktHdr_t*, const uint8_t* pkt, bool is_frag=false);
 
     static DAQ_Verdict packet_callback(void*, const DAQ_PktHdr_t*, const uint8_t*);
 
+    static void inspect(Packet*);
+
     static void set_main_hook(MainHook_f);
+    static class ContextSwitcher* get_switcher();
 
     SO_PUBLIC static Packet* get_packet();
 
index d641d52ef8b16ba01b040c45d644099a4c131a6c..687f5c31ae5ebef8744867584a435ffdee61e298 100644 (file)
@@ -25,8 +25,8 @@
 
 #include "dce_co.h"
 
+#include "detection/detection_engine.h"
 #include "main/snort_debug.h"
-#include "main/snort.h"
 #include "utils/util.h"
 
 #include "dce_smb.h"
@@ -1317,7 +1317,7 @@ static Packet* dce_co_reassemble(DCE2_SsnData* sd, DCE2_CoTracker* cot,
  ********************************************************************/
 static void DCE2_CoReassemble(DCE2_SsnData* sd, DCE2_CoTracker* cot, DCE2_CoRpktType co_rtype)
 {
-    DetectionContext dc;
+    DetectionEngine de;
 
     DceRpcCoHdr* co_hdr = nullptr;
     Packet* rpkt = dce_co_reassemble(sd,cot,co_rtype,&co_hdr);
@@ -2165,7 +2165,7 @@ static Packet* DCE2_CoGetSegRpkt(DCE2_SsnData* sd,
  ********************************************************************/
 static void DCE2_CoSegDecode(DCE2_SsnData* sd, DCE2_CoTracker* cot, DCE2_CoSeg* seg)
 {
-    DetectionContext dc;
+    DetectionEngine de;
 
     const uint8_t* frag_ptr = nullptr;
     uint16_t frag_len = 0;
index 60dd424c968a5c11507a464379551b91e0e9f102..283d0ad601945f7a6a285be1f2473f3c5cc26757 100644 (file)
 
 #include "dce_common.h"
 
-#include "detection/detect.h"
+#include "detection/detection_engine.h"
 #include "ips_options/extract.h"
 #include "log/messages.h"
-#include "main/snort.h"
+#include "main/snort_debug.h"
 #include "utils/safec.h"
 
 #include "dce_smb_utils.h"
@@ -194,7 +194,7 @@ static void dce2_protocol_detect(DCE2_SsnData* sd, Packet* pkt)
     // FIXIT-M add HTTP case when these are ported
     // Same for all other instances of profiling
 
-    snort_detect(pkt);
+    DetectionEngine::process(pkt);
 
     dce2_detected = 1;
 }
@@ -204,11 +204,11 @@ void DCE2_Detect(DCE2_SsnData* sd)
     if ( using_rpkt )
     {
         using_rpkt = false;
-        DetectionContext dc;
+        DetectionEngine de;
         DCE2_Detect(sd);
         return;
     }
-    Packet* top_pkt = Snort::get_detect_packet();
+    Packet* top_pkt = DetectionEngine::get_current_packet();
 
     DCE2_PrintRoptions(&sd->ropts);
     DebugMessage(DEBUG_DCE_COMMON, "Payload:\n");
@@ -365,7 +365,7 @@ static void dce2_fill_rpkt_info(Packet* rpkt, Packet* p)
 Packet* DCE2_GetRpkt(Packet* p,DCE2_RpktType rpkt_type,
     const uint8_t* data, uint32_t data_len)
 {
-    Packet* rpkt = Snort::set_detect_packet();
+    Packet* rpkt = DetectionEngine::set_packet();
     dce2_fill_rpkt_info(rpkt, p);
     uint16_t data_overhead = 0;
 
index e446c65cf19679450ec2c44aba2ce2ed0904798f..a38501f000a7bc7a9a8bd85eed1c01cdf2167bbb 100644 (file)
@@ -25,7 +25,7 @@
 
 #include "dce_smb_utils.h"
 
-#include "detection/detect.h"
+#include "detection/detection_engine.h"
 #include "detection/detection_util.h"
 #include "main/snort.h"
 #include "packet_io/active.h"
@@ -1982,15 +1982,15 @@ void DCE2_SmbProcessFileData(DCE2_SmbSsnData* ssd,
 
 void DCE2_FileDetect()
 {
-    Packet* top_pkt = Snort::set_detect_packet();
-    DetectionContext dc;
+    Packet* top_pkt = DetectionEngine::set_packet();
+    DetectionEngine de;
 
     DebugMessage(DEBUG_DCE_SMB, "Payload:\n");
     DCE2_PrintPktData(top_pkt->data, top_pkt->dsize);
 
     Profile profile(dce2_smb_pstat_smb_file_detect);
 
-    snort_detect(top_pkt);
+    DetectionEngine::process(top_pkt);
 
     // Reset file data pointer after detecting
     set_file_data(nullptr, 0);
index 4a8dc7034a818efa8ddd6394cf4d1576c1d3709a..ec7e4a0f27eb346dc3390d1fe499df6750ca1704 100644 (file)
@@ -32,9 +32,9 @@
 
 #include "dce_udp.h"
 
+#include "detection/detection_engine.h"
 #include "flow/session.h"
 #include "main/snort_debug.h"
-#include "main/snort.h"
 #include "utils/safec.h"
 #include "utils/util.h"
 
@@ -558,7 +558,7 @@ static int DCE2_ClFragCompare(const void* a, const void* b)
 static void DCE2_ClFragReassemble(
     DCE2_SsnData* sd, DCE2_ClActTracker* at, const DceRpcClHdr* cl_hdr)
 {
-    DetectionContext dc;
+    DetectionEngine de;
 
     uint8_t dce2_cl_rbuf[IP_MAXPACKET];
     DCE2_ClFragTracker* ft = &at->frag_tracker;
index 917a9968db0b3f64d0b748647a2778d8a6178bef..a613492e763881cce9aec42eaa51e9cfa4e9b53c 100644 (file)
@@ -26,7 +26,7 @@
 
 #include "dnp3_reassembly.h"
 
-#include "detection/detect.h"
+#include "detection/detection_engine.h"
 #include "events/event_queue.h"
 #include "protocols/packet.h"
 
@@ -411,7 +411,7 @@ bool dnp3_full_reassembly(dnp3ProtoConf& config, dnp3_session_data_t* session, P
         {
             {
                 ProfileExclude profile_exclude(dnp3_perf_stats);
-                snort_detect(packet);
+                DetectionEngine::process(packet);
             }
 
             /* Since detection was done, reset reassembly state to avoid double alerts
index 816ee13e1f56e0bd9a471374123381d02990cd6f..ffa3aebd3596cfff6f1fa0f8f56555375ecd85b1 100644 (file)
@@ -113,12 +113,11 @@ static int SnortFTP(
     if ( ret == FTPP_SUCCESS )
     {
         ProfileExclude exclude(ftpPerfStats);
-        // Ideally, snort_detect(), called from do_detection, will look at
-        // the cmd & param buffers, or the rsp & msg buffers.  Current
-        // architecture does not support this...
-        // So, we call do_detection() here.  Otherwise, we'd call it
-        // from inside check_ftp -- each time we process a pipelined
-        // FTP command.
+
+        // FIXIT-L ideally do_detection will look at the cmd & param buffers
+        // or the rsp & msg buffers.  We should call it from inside check_ftp
+        // each time we process a pipelined FTP command.
+
         do_detection(p);
     }
 
index 31cc698da2d42c04911b5b6e7b67846615349d52..fe4f1b41efec2604f1ff305f916c710af48e1dc5 100644 (file)
@@ -25,6 +25,7 @@
 
 #include <assert.h>
 
+#include "detection/detection_engine.h"
 #include "flow/flow_control.h"
 #include "flow/flow_key.h"
 #include "flow/ha.h"
@@ -352,10 +353,10 @@ void Stream::purge_flows()
     // FIXIT-H stream tcp needs to do this and prep pkt to handle
     // shutdown alerts while rebuilding (during flush before a 
     // rebuilt packet is available)
-    Snort::set_detect_packet();
-    DetectionContext dc;
+    DetectionEngine::set_packet();
+    DetectionEngine de;
     // this is a hack to work around the above issue
-    DAQ_PktHdr_t* ph = (DAQ_PktHdr_t*)dc.get_packet()->pkth;
+    DAQ_PktHdr_t* ph = (DAQ_PktHdr_t*)de.get_packet()->pkth;
     memset(ph, 0, sizeof(*ph));
 
     flow_con->purge_flows(PktType::IP);
index f9ae6bb2429a663a8bf28db49066c0b36fb6a15a..0bd078496cbc6a9e02b64251a4a75af79ab0583a 100644 (file)
@@ -28,6 +28,7 @@
 #include "log/log.h"
 #include "main/snort.h"
 #include "profiler/profiler.h"
+#include "detection/detection_engine.h"
 #include "protocols/packet_manager.h"
 
 #include "tcp_module.h"
@@ -596,6 +597,8 @@ int TcpReassembler::_flush_to_seq(uint32_t bytes, Packet* p, uint32_t pkt_flags)
     Profile profile(s5TcpFlushPerfStats);
     s5_pkt = Snort::set_detect_packet();
 
+    s5_pkt = DetectionEngine::set_packet();
+
     DAQ_PktHdr_t pkth;
     session->GetPacketHeaderFoo(&pkth, pkt_flags);
 
@@ -664,7 +667,7 @@ int TcpReassembler::_flush_to_seq(uint32_t bytes, Packet* p, uint32_t pkt_flags)
             tcpStats.rebuilt_bytes += flushed_bytes;
 
             ProfileExclude profile_exclude(s5TcpFlushPerfStats);
-            Snort::detect_rebuilt_packet(s5_pkt);
+            Snort::inspect(s5_pkt);
         }
         else
         {
index 362ad1c3b20316686003250bda0358105a536b47..df7513e82fd568cb42bda386c8dd5db956b5d2d9 100644 (file)
@@ -149,7 +149,7 @@ void UserTracker::detect(const Packet* p, const StreamBuffer* sb, uint32_t flags
     up.packet_flags |= (p->packet_flags & (PKT_STREAM_EST|PKT_STREAM_UNEST_UNI));
 
     trace_logf(stream_user, "detect[%d]\n", up.dsize);
-    Snort::detect_rebuilt_packet(&up);
+    Snort::inspect(&up);
 }
 
 int UserTracker::scan(Packet* p, uint32_t& flags)