# DOWNLOAD
-There are two source tarballs, one for autotools and one for cmake:
+There is a source tarball available in the Downloads section on snort.org:
- snort-3.0.0-a3-auto.tar.gz
- snort-3.0.0-a3-cmake.tar.gz
+ snort-3.0.0-a3.tar.gz
You can also get the code with:
git clone git://github.com/snortadmin/snort3.git
-There are separate extras packages for autotools and cmake that provide
-additional features and demonstrate how to build plugins. The source for
-extras is in git repo as well.
+There are separate extras packages for cmake that provide additional
+features and demonstrate how to build plugins. The source for extras
+is in snort3_extra.git repo.
# BUILD SNORT
+++ /dev/null
-/Makefile.in
-/aclocal.m4
-/autom4te.cache/
-/compile
-/config.guess
-/config.sub
-/configure
-/depcomp
-/install-sh
-/ltmain.sh
-/m4/libtool.m4
-/m4/ltoptions.m4
-/m4/ltsugar.m4
-/m4/ltversion.m4
-/m4/lt~obsolete.m4
-/missing
-/config.h.in
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project( snort_extra CXX C )
-
-set (EXTRA_VERSION_MAJOR 1)
-set (EXTRA_VERSION_MINOR 0)
-set (EXTRA_VERSION_PATCH 0)
-set (EXTRA_VERSION "${EXTRA_VERSION_MAJOR}.${EXTRA_VERSION_MINOR}.${EXTRA_VERSION_PATCH}")
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-set (CMAKE_C_STANDARD 99)
-set (CMAKE_C_STANDARD_REQUIRED ON)
-set (CMAKE_C_EXTENSIONS ON)
-
-set (CMAKE_MODULE_PATH "${PROJECT_SOURCE_DIR}/cmake")
-# Pull in definitions of various install directories
-include (GNUInstallDirs)
-include (${CMAKE_MODULE_PATH}/create_options.cmake)
-include (${CMAKE_MODULE_PATH}/configure_options.cmake)
-
-set (CPACK_GENERATOR TGZ)
-set (CPACK_PACKAGE_NAME "snort_extra")
-set (CPACK_PACKAGE_VENDOR "Cisco")
-set (CPACK_PACKAGE_VERSION_MAJOR "${EXTRA_VERSION_MAJOR}")
-set (CPACK_PACKAGE_VERSION_MINOR "${EXTRA_VERSION_MINOR}")
-set (CPACK_PACKAGE_VERSION_PATCH "${EXTRA_VERSION_PATCH}")
-set (CPACK_PACKAGE_ICON "${CMAKE_SOURCE_DIR}/doc/images/snort.png")
-set (CPACK_PACKAGE_INSTALL_DIRECTORY "snort")
-set (CPACK_RESOURCE_FILE_LICENSE "${CMAKE_SOURCE_DIR}/LICENSE")
-set (CPACK_RESOURCE_FILE_README "${CMAKE_SOURCE_DIR}/README")
-set (CPACK_SOURCE_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION_MAJOR}.${CPACK_PACKAGE_VERSION_MINOR}.${CPACK_PACKAGE_VERSION_PATCH}")
-set (CPACK_SOURCE_IGNORE_FILES "${CMAKE_BINARY_DIR}/*")
-set (CPACK_SOURCE_GENERATOR TGZ)
-
-include(CPack)
-
-set ( C_FLAGS "" CACHE STRING "" )
-set ( CXX_FLAGS "" CACHE STRING "" )
-
-set ( CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${C_FLAGS}" CACHE STRING "" FORCE )
-set ( CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${CXX_FLAGS}" CACHE STRING "" FORCE )
-
-execute_process (
- COMMAND pkg-config --variable=cpp_opts snort
- OUTPUT_VARIABLE CPP_OPTS
-)
-string ( REGEX REPLACE "[\r\n]" " " CPP_OPTS "${CPP_OPTS}" )
-separate_arguments ( CPP_OPTS )
-
-foreach ( OPT ${CPP_OPTS} )
- execute_process (
- COMMAND pkg-config --variable=${OPT}_CPPFLAGS snort
- OUTPUT_VARIABLE CPPFLAGS
- )
-
- string ( REGEX REPLACE "[\r\n]" " " CPPFLAGS "${CPPFLAGS}" )
- set ( ${OPT}_CPPFLAGS "${CPPFLAGS}" CACHE STRING "" )
-
- set ( CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${${OPT}_CPPFLAGS}" CACHE STRING "" FORCE )
- set ( CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${${OPT}_CPPFLAGS}" CACHE STRING "" FORCE )
-endforeach ( OPT )
-
-execute_process (
- COMMAND pkg-config --variable=cpp_opts_other snort
- OUTPUT_VARIABLE CPP_OPTS_OTHER
-)
-string ( REGEX REPLACE "[\r\n]" " " CPP_OPTS_OTHER "${CPP_OPTS_OTHER}" )
-separate_arguments ( CPP_OPTS_OTHER )
-
-foreach ( OPT ${CPP_OPTS_OTHER} )
- execute_process (
- COMMAND pkg-config --variable=${OPT}_CPPFLAGS snort
- OUTPUT_VARIABLE CPPFLAGS
- )
-
- string ( REGEX REPLACE "[\r\n]" " " CPPFLAGS "${CPPFLAGS}" )
- set ( ${OPT}_CPPFLAGS "${CPPFLAGS}" CACHE STRING "" )
-
- set ( CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${${OPT}_CPPFLAGS}" CACHE STRING "" FORCE )
- set ( CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${${OPT}_CPPFLAGS}" CACHE STRING "" FORCE )
-endforeach ( OPT )
-
-# Set these after all tests are done but *before* any subdirectories are included
-# or other targets declared.
-set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${EXTRA_C_FLAGS}")
-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${EXTRA_CXX_FLAGS}")
-set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${EXTRA_LINKER_FLAGS}")
-set(CMAKE_MODULE_LINKER_FLAGS "${CMAKE_MODULE_LINKER_FLAGS} ${EXTRA_LINKER_FLAGS}")
-foreach (EXTRA_LIBRARY IN LISTS EXTRA_LIBRARIES)
- link_libraries(${EXTRA_LIBRARY})
-endforeach (EXTRA_LIBRARY)
-
-add_subdirectory ( src )
-
-message("
--------------------------------------------------------
-${CMAKE_PROJECT_NAME} version ${EXTRA_VERSION}
-
-Install options:
- prefix: ${CMAKE_INSTALL_PREFIX}
-
-Compiler options:
- CC: ${CMAKE_C_COMPILER}
- CXX: ${CMAKE_CXX_COMPILER}
- CFLAGS: ${CMAKE_C_FLAGS}
- CXXFLAGS: ${CMAKE_CXX_FLAGS}
- EXE_LDFLAGS: ${CMAKE_EXE_LINKER_FLAGS}
- MODULE_LDFLAGS: ${CMAKE_MODULE_LINKER_FLAGS}
-")
+++ /dev/null
-*****************************************************************************
-The text that follows is the GNU General Public License, Version 2 (GPL V2)
-and governs your use, modification and/or distribution of SNORT.
-
-Section 9 of the GPL V2 acknowledges that the Free Software Foundation may
-publish revised and/or new versions of the GPL V2 from time to time. Section 9
-further states that a licensee of a program subject to the GPL V2 could be
-free to use any such revised and/or new versions under two different scenarios:
-
-1. "Failure to Specify." Section 9 of the GPL V2 allows a licensee of a
-program governed by an unspecified version of the General Public License to
-choose any version of the General Public License ever published by the Free
-Software Foundation to govern his or her use of such program.
-
-This provision is not applicable to your use of SNORT because we have
-expressly stated in a number of instances that any third party's use,
-modification or distribution of SNORT is governed by GPL V2.
-
-2. "Any Later Version." At the end of the terms and condition of the GPL V2 is
-a section called "How to Apply these Terms to Your New Program," which
-provides guidance to a developer on how to apply the GPL V2 to a third party's
-use, modification and/or distribution of his/her program. Among other things,
-this guidance suggests that the developer attach certain notices to the
-program. Of particular importance is the following notice:
-
-"This program is free software; you can redistribute it and/or modify it under
-the terms of the GNU General Public License as published by the Free Software
-Foundation; either version 2 of the License, or (at your option) any later
-version."
-
-Thus if a developer follows strictly the guidance provided by the Free
-Software Foundation, Section 9 of the GPL V2 provides the licensee the option
-to either use, modify or distribute the program under GPL V2 or under any
-later version published by the Free Software Foundation.
-
-SNORT is an open source project that is governed exclusively by the GPL V2
-and any third party desiring to use, modify or distribute SNORT must do so by
-strictly following the terms and conditions of GPL V2. Anyone using, modifying
-or distributing SNORT does not have the option to chose to use, modify or
-distribute SNORT under any revised or new version of the GPL, including
-without limitation, the GNU General Public License Version 3.
-
-For ease of reference, the comparable notice that is used with SNORT
-(contained in the 'README' file) is as follows:
-
-"This program is free software; you can redistribute it and/or modify it under
-the terms of the GNU General Public License Version 2 as published by the Free
-Software Foundation. You may not use, modify or distribute this program under
-any other version of the GNU General Public License."
-
-If you have any questions about this statement, please feel free to email
-snort-info@snort.org.
-*****************************************************************************
-
- GNU GENERAL PUBLIC LICENSE
- Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
- Preamble
-
- The licenses for most software are designed to take away your
-freedom to share and change it. By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users. This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it. (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.) You can apply it to
-your programs, too.
-
- When we speak of free software, we are referring to freedom, not
-price. Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
- To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
- For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have. You must make sure that they, too, receive or can get the
-source code. And you must show them these terms so they know their
-rights.
-
- We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
- Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software. If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
- Finally, any free program is threatened constantly by software
-patents. We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary. To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
- The precise terms and conditions for copying, distribution and
-modification follow.
-\f
- GNU GENERAL PUBLIC LICENSE
- TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
- 0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License. The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language. (Hereinafter, translation is included without limitation in
-the term "modification".) Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope. The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
- 1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
- 2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
- a) You must cause the modified files to carry prominent notices
- stating that you changed the files and the date of any change.
-
- b) You must cause any work that you distribute or publish, that in
- whole or in part contains or is derived from the Program or any
- part thereof, to be licensed as a whole at no charge to all third
- parties under the terms of this License.
-
- c) If the modified program normally reads commands interactively
- when run, you must cause it, when started running for such
- interactive use in the most ordinary way, to print or display an
- announcement including an appropriate copyright notice and a
- notice that there is no warranty (or else, saying that you provide
- a warranty) and that users may redistribute the program under
- these conditions, and telling the user how to view a copy of this
- License. (Exception: if the Program itself is interactive but
- does not normally print such an announcement, your work based on
- the Program is not required to print an announcement.)
-\f
-These requirements apply to the modified work as a whole. If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works. But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
- 3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
- a) Accompany it with the complete corresponding machine-readable
- source code, which must be distributed under the terms of Sections
- 1 and 2 above on a medium customarily used for software interchange; or,
-
- b) Accompany it with a written offer, valid for at least three
- years, to give any third party, for a charge no more than your
- cost of physically performing source distribution, a complete
- machine-readable copy of the corresponding source code, to be
- distributed under the terms of Sections 1 and 2 above on a medium
- customarily used for software interchange; or,
-
- c) Accompany it with the information you received as to the offer
- to distribute corresponding source code. (This alternative is
- allowed only for noncommercial distribution and only if you
- received the program in object code or executable form with such
- an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it. For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable. However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-\f
- 4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License. Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
- 5. You are not required to accept this License, since you have not
-signed it. However, nothing else grants you permission to modify or
-distribute the Program or its derivative works. These actions are
-prohibited by law if you do not accept this License. Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
- 6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions. You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
- 7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License. If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all. For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices. Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-\f
- 8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded. In such case, this License incorporates
-the limitation as if written in the body of this License.
-
- 9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time. Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number. If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation. If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
- 10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission. For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this. Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
- NO WARRANTY
-
- 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
- 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
- END OF TERMS AND CONDITIONS
-\f
- How to Apply These Terms to Your New Programs
-
- If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
- To do so, attach the following notices to the program. It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
- <one line to give the program's name and a brief idea of what it does.>
- Copyright (C) 19yy <name of author>
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
- USA
-
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
- Gnomovision version 69, Copyright (C) 19yy name of author
- Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
- This is free software, and you are welcome to redistribute it
- under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License. Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary. Here is a sample; alter the names:
-
- Yoyodyne, Inc., hereby disclaims all copyright interest in the program
- `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
- <signature of Ty Coon>, 1 April 1989
- Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs. If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library. If this is what you want to do, use the GNU Library General
-Public License instead of this License.
+++ /dev/null
-*****************************************************************************
-The text that follows is the GNU General Public License, Version 2 (GPL V2)
-and governs your use, modification and/or distribution of SNORT.
-
-Section 9 of the GPL V2 acknowledges that the Free Software Foundation may
-publish revised and/or new versions of the GPL V2 from time to time. Section 9
-further states that a licensee of a program subject to the GPL V2 could be
-free to use any such revised and/or new versions under two different scenarios:
-
-1. "Failure to Specify." Section 9 of the GPL V2 allows a licensee of a
-program governed by an unspecified version of the General Public License to
-choose any version of the General Public License ever published by the Free
-Software Foundation to govern his or her use of such program.
-
-This provision is not applicable to your use of SNORT because we have
-expressly stated in a number of instances that any third party's use,
-modification or distribution of SNORT is governed by GPL V2.
-
-2. "Any Later Version." At the end of the terms and condition of the GPL V2 is
-a section called "How to Apply these Terms to Your New Program," which
-provides guidance to a developer on how to apply the GPL V2 to a third party's
-use, modification and/or distribution of his/her program. Among other things,
-this guidance suggests that the developer attach certain notices to the
-program. Of particular importance is the following notice:
-
-"This program is free software; you can redistribute it and/or modify it under
-the terms of the GNU General Public License as published by the Free Software
-Foundation; either version 2 of the License, or (at your option) any later
-version."
-
-Thus if a developer follows strictly the guidance provided by the Free
-Software Foundation, Section 9 of the GPL V2 provides the licensee the option
-to either use, modify or distribute the program under GPL V2 or under any
-later version published by the Free Software Foundation.
-
-SNORT is an open source project that is governed exclusively by the GPL V2
-and any third party desiring to use, modify or distribute SNORT must do so by
-strictly following the terms and conditions of GPL V2. Anyone using, modifying
-or distributing SNORT does not have the option to chose to use, modify or
-distribute SNORT under any revised or new version of the GPL, including
-without limitation, the GNU General Public License Version 3.
-
-For ease of reference, the comparable notice that is used with SNORT
-(contained in the 'README' file) is as follows:
-
-"This program is free software; you can redistribute it and/or modify it under
-the terms of the GNU General Public License Version 2 as published by the Free
-Software Foundation. You may not use, modify or distribute this program under
-any other version of the GNU General Public License."
-
-If you have any questions about this statement, please feel free to email
-snort-info@snort.org.
-*****************************************************************************
-
- GNU GENERAL PUBLIC LICENSE
- Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
- Preamble
-
- The licenses for most software are designed to take away your
-freedom to share and change it. By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users. This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it. (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.) You can apply it to
-your programs, too.
-
- When we speak of free software, we are referring to freedom, not
-price. Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
- To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
- For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have. You must make sure that they, too, receive or can get the
-source code. And you must show them these terms so they know their
-rights.
-
- We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
- Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software. If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
- Finally, any free program is threatened constantly by software
-patents. We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary. To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
- The precise terms and conditions for copying, distribution and
-modification follow.
-\f
- GNU GENERAL PUBLIC LICENSE
- TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
- 0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License. The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language. (Hereinafter, translation is included without limitation in
-the term "modification".) Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope. The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
- 1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
- 2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
- a) You must cause the modified files to carry prominent notices
- stating that you changed the files and the date of any change.
-
- b) You must cause any work that you distribute or publish, that in
- whole or in part contains or is derived from the Program or any
- part thereof, to be licensed as a whole at no charge to all third
- parties under the terms of this License.
-
- c) If the modified program normally reads commands interactively
- when run, you must cause it, when started running for such
- interactive use in the most ordinary way, to print or display an
- announcement including an appropriate copyright notice and a
- notice that there is no warranty (or else, saying that you provide
- a warranty) and that users may redistribute the program under
- these conditions, and telling the user how to view a copy of this
- License. (Exception: if the Program itself is interactive but
- does not normally print such an announcement, your work based on
- the Program is not required to print an announcement.)
-\f
-These requirements apply to the modified work as a whole. If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works. But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
- 3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
- a) Accompany it with the complete corresponding machine-readable
- source code, which must be distributed under the terms of Sections
- 1 and 2 above on a medium customarily used for software interchange; or,
-
- b) Accompany it with a written offer, valid for at least three
- years, to give any third party, for a charge no more than your
- cost of physically performing source distribution, a complete
- machine-readable copy of the corresponding source code, to be
- distributed under the terms of Sections 1 and 2 above on a medium
- customarily used for software interchange; or,
-
- c) Accompany it with the information you received as to the offer
- to distribute corresponding source code. (This alternative is
- allowed only for noncommercial distribution and only if you
- received the program in object code or executable form with such
- an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it. For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable. However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-\f
- 4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License. Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
- 5. You are not required to accept this License, since you have not
-signed it. However, nothing else grants you permission to modify or
-distribute the Program or its derivative works. These actions are
-prohibited by law if you do not accept this License. Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
- 6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions. You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
- 7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License. If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all. For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices. Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-\f
- 8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded. In such case, this License incorporates
-the limitation as if written in the body of this License.
-
- 9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time. Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number. If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation. If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
- 10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission. For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this. Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
- NO WARRANTY
-
- 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
- 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
- END OF TERMS AND CONDITIONS
-\f
- How to Apply These Terms to Your New Programs
-
- If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
- To do so, attach the following notices to the program. It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
- <one line to give the program's name and a brief idea of what it does.>
- Copyright (C) 19yy <name of author>
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
- USA
-
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
- Gnomovision version 69, Copyright (C) 19yy name of author
- Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
- This is free software, and you are welcome to redistribute it
- under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License. Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary. Here is a sample; alter the names:
-
- Yoyodyne, Inc., hereby disclaims all copyright interest in the program
- `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
- <signature of Ty Coon>, 1 April 1989
- Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs. If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library. If this is what you want to do, use the GNU Library General
-Public License instead of this License.
+++ /dev/null
-Snort++ Extras
-
-Snort++ is all about plugins. It has over 200 by default and makes it easy
-to add more in C++ or LuaJIT. This file will walk you through building and
-running a set of extra example plugins. If you haven't installed and
-verified Snort++, you will need to do that first. We will cover the
-following topics:
-
-* Overview
-* Download
-* Build Extras
-* Run Extras
-* Next Steps
-
-OVERVIEW
-
-The following things are pluggable in Snort++:
-
-* codec - decode and encode support for a given protocol
-* data - additional configuration for inspectors
-* inspector - replaces Snort preprocessors
-* ips_option - IPS rule option like content and byte_test
-* ips_action - IPS rule action like alert and block
-* search_engine - fast pattern matcher
-* logger - event handers
-* SO rules - dynamic rules
-
-DOWNLOAD
-
-There is one extra tarball:
-
- snort_extra-1.0.0-a1-130.tar.gz
-
-If you cloned from github, you have already have everything.
-
-BUILD EXTRAS
-
-Follow these steps:
-
-1. Set up source directory:
-
-* If you are using a github clone:
-
- cd extra/
-
-* Otherwise do this:
-
- tar zxf extra-tarball
- cd snort_extra-1.0.0*
-
-2. Setup install path using pkgconfig (same as for snort):
-
- export PKG_CONFIG_PATH=$my_path/lib/pkgconfig
-
-3. Compile and install:
-
- ./configure_cmake.sh
- cd build
- make
- make install
-
-Note:
-
-* cmake --help will list any available generators, such as Xcode. Feel
- free to use one, however help with those will be provided separately.
-* each individual plugin directory is a standalone cmake project, and does
- not depend on any other part of the extra/ build tree
-
-RUN EXTRAS
-
-In the following, replace a.pcap with your favorite.
-
-* The following demonstrates a C++ logger and a LuaJIT logger:
-
- $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
- -r a.pcap --plugin-path $my_path/lib/snort_extra -A alert_ex
-
- $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
- -r a.pcap --script-path $my_path/lib/snort_extra -A lualert
-
-You can edit $my_path/lib/snort_extra/loggers/alert.lua to tweak the output
-format and rerun the above command to try it out.
-
-* The last example demonstrates a LuaJIT rule option called find. The rule,
- supplied on stdin, uses the Lua [[ multiline string ]] delimiters to avoid
- shell escape issues:
-
- echo 'alert tcp any any -> any 80 ( sid:1; msg:"test"; http_method; find:"pat = [[GET]]"; )' | \
- $my_path/bin/snort -c $my_path/etc/snort/snort.lua -r a.pcap \
- -A cmg --script-path $my_path/lib/snort_extra --stdin-rules
-
-NEXT STEPS o")~
-
-There is no design guide yet but you can develop your own plugins in C++ by
-using the examples as a starting point. In addition, IPS options and
-loggers can also be written in LuaJIT. The API may change going forward,
-but you are encouraged to roll your own now and let us know how it goes so
-we can incorporate any suggestions in the final design.
-
+++ /dev/null
-#
-# Loosely based on:
-# https://raw.githubusercontent.com/peti/autoconf-archive/master/m4/ax_code_coverage.m4
-# - and -
-# https://raw.githubusercontent.com/bilke/cmake-modules/master/CodeCoverage.cmake
-#
-
-find_program( GCOV_PATH gcov )
-
-if(NOT GCOV_PATH)
- message(FATAL_ERROR "gcov not found! Aborting...")
-endif()
-
-if("${CMAKE_CXX_COMPILER_ID}" MATCHES "(Apple)?[Cc]lang")
- if("${CMAKE_CXX_COMPILER_VERSION}" VERSION_LESS 3)
- message(FATAL_ERROR "Clang version must be 3.0.0 or greater! Aborting...")
- endif()
-elseif(NOT "${CMAKE_CXX_COMPILER_ID}" STREQUAL "GNU")
- message(FATAL_ERROR "Compiler is not GNU gcc! Aborting...")
-endif()
-
-set(COVERAGE_COMPILER_FLAGS "-O0 -g -fprofile-arcs -ftest-coverage")
-
-if(CMAKE_C_COMPILER_ID STREQUAL "GNU")
- set(COVERAGE_LINKER_FLAGS "")
- set(COVERAGE_LIBRARIES "gcov")
-else()
- set(COVERAGE_LINKER_FLAGS "--coverage")
- set(COVERAGE_LIBRARIES "")
-endif()
-
-mark_as_advanced(
- COVERAGE_COMPILER_FLAGS
- COVERAGE_LINKER_FLAGS
- COVERAGE_LIBRARIES
-)
+++ /dev/null
-# map cmake options to compiler defines and do miscellaneous further configuration work
-# cmake options are defined in cmake/create_options.cmake
-
-include(CheckCXXCompilerFlag)
-
-# debugging
-
-# FIXIT-L Properly handle NDEBUG through CMAKE_BUILD_TYPE
-if ( ENABLE_DEBUG )
- string ( APPEND DEBUGGING_C_FLAGS " -g -DDEBUG" )
-else ()
- string ( APPEND DEBUGGING_C_FLAGS " -DNDEBUG" )
-endif ( ENABLE_DEBUG )
-
-if ( ENABLE_GDB )
- string ( APPEND DEBUGGING_C_FLAGS " -g -ggdb" )
-endif ( ENABLE_GDB )
-
-# ASAN and TSAN are mutually exclusive, so have them absolutely set SANITIZER_*_FLAGS first.
-if ( ENABLE_ADDRESS_SANITIZER )
- set ( ASAN_CXX_FLAGS "-fsanitize=address -fno-omit-frame-pointer" )
- set ( ASAN_LINKER_FLAGS "-fsanitize=address" )
- set ( CMAKE_REQUIRED_FLAGS "${ASAN_LINKER_FLAGS}" )
- check_cxx_compiler_flag ( "${ASAN_CXX_FLAGS}" HAVE_ADDRESS_SANITIZER )
- unset ( CMAKE_REQUIRED_FLAGS )
- if ( HAVE_ADDRESS_SANITIZER )
- set ( SANITIZER_CXX_FLAGS "${ASAN_CXX_FLAGS}" )
- set ( SANITIZER_LINKER_FLAGS "${ASAN_LINKER_FLAGS}" )
- else ()
- message ( SEND_ERROR "Could not enable the address sanitizer!" )
- endif ()
-endif ( ENABLE_ADDRESS_SANITIZER )
-
-if ( ENABLE_THREAD_SANITIZER )
- set ( TSAN_CXX_FLAGS "-fsanitize=thread -fno-omit-frame-pointer" )
- set ( TSAN_LINKER_FLAGS "-fsanitize=thread" )
- set ( CMAKE_REQUIRED_FLAGS "${TSAN_LINKER_FLAGS}" )
- check_cxx_compiler_flag ( "${TSAN_CXX_FLAGS}" HAVE_THREAD_SANITIZER )
- unset ( CMAKE_REQUIRED_FLAGS )
- if ( HAVE_THREAD_SANITIZER )
- set ( SANITIZER_CXX_FLAGS "${TSAN_CXX_FLAGS}" )
- set ( SANITIZER_LINKER_FLAGS "${TSAN_LINKER_FLAGS}" )
- else ()
- message ( SEND_ERROR "Could not enable the thread sanitizer!" )
- endif ()
-endif ( ENABLE_THREAD_SANITIZER )
-
-if ( ENABLE_UB_SANITIZER )
- set ( UBSAN_CXX_FLAGS "-fsanitize=undefined -fno-sanitize=alignment -fno-omit-frame-pointer" )
- set ( UBSAN_LINKER_FLAGS "-fsanitize=undefined -fno-sanitize=alignment" )
- set ( CMAKE_REQUIRED_FLAGS "${UBSAN_LINKER_FLAGS}" )
- check_cxx_compiler_flag ( "${UBSAN_CXX_FLAGS}" HAVE_UB_SANITIZER )
- unset ( CMAKE_REQUIRED_FLAGS )
- if ( HAVE_UB_SANITIZER )
- string ( APPEND SANITIZER_CXX_FLAGS " ${UBSAN_CXX_FLAGS}" )
- string ( APPEND SANITIZER_LINKER_FLAGS " ${UBSAN_LINKER_FLAGS}" )
- else ()
- message ( SEND_ERROR "Could not enable the undefined behavior sanitizer!" )
- endif ()
-endif ( ENABLE_UB_SANITIZER )
-
-if ( ENABLE_CODE_COVERAGE )
- include(${CMAKE_MODULE_PATH}/CodeCoverage.cmake)
-endif ( ENABLE_CODE_COVERAGE )
-
-
-# Accumulate extra flags and libraries
-#[[
-message("
- DEBUGGING_C_FLAGS = ${DEBUGGING_C_FLAGS}
- SANITIZER_CXX_FLAGS = ${SANITIZER_CXX_FLAGS}
- SANITIZER_LINKER_FLAGS = ${SANITIZER_LINKER_FLAGS}
- COVERAGE_COMPILER_FLAGS = ${COVERAGE_COMPILER_FLAGS}
- COVERAGE_LINKER_FLAGS = ${COVERAGE_LINKER_FLAGS}
- COVERAGE_LIBRARIES = ${COVERAGE_LIBRARIES}
-")
-]]
-set ( EXTRA_C_FLAGS "${EXTRA_C_FLAGS} ${HARDENED_CXX_FLAGS} ${DEBUGGING_C_FLAGS} ${SANITIZER_CXX_FLAGS} ${COVERAGE_COMPILER_FLAGS}" )
-set ( EXTRA_CXX_FLAGS "${EXTRA_CXX_FLAGS} ${HARDENED_CXX_FLAGS} ${DEBUGGING_C_FLAGS} ${SANITIZER_CXX_FLAGS} ${COVERAGE_COMPILER_FLAGS}" )
-set ( EXTRA_LINKER_FLAGS "${EXTRA_LINKER_FLAGS} ${HARDENED_LINKER_FLAGS} ${SANITIZER_LINKER_FLAGS} ${COVERAGE_LINKER_FLAGS}" )
-foreach (EXTRA_LIBRARY IN LISTS COVERAGE_LIBRARIES)
- list ( APPEND EXTRA_LIBRARIES ${EXTRA_LIBRARY} )
-endforeach ()
+++ /dev/null
-# All of the possible user options. All of these options will show up
-# in the CACHE. If you'd like to change one of these values,
-# use `ccmake ${PATH_TO_SOURCE}`.
-# Alternatively, you can pass them to cmake on the command line using
-# the '-D' flag:
-# cmake -DENABLE_FOO=ON -DCMAKE_INSTALL_PREFIX=/my/install/path $cmake_src_path
-
-# debugging
-option ( ENABLE_DEBUG "Enable debugging options (bugreports and developers only)" OFF )
-option ( ENABLE_GDB "Enable gdb debugging information" ON )
-option ( ENABLE_ADDRESS_SANITIZER "enable address sanitizer support" OFF )
-option ( ENABLE_THREAD_SANITIZER "enable thread sanitizer support" OFF )
-option ( ENABLE_UB_SANITIZER "enable undefined behavior sanitizer support" OFF )
-option ( ENABLE_CODE_COVERAGE "Whether to enable code coverage support" OFF )
-
+++ /dev/null
-#!/bin/sh
-# Convenience wrapper for easily viewing/setting options that
-# the project's CMake scripts will recognize
-
-set -e
-command="$0 $*"
-
-# check for `cmake` command
-type cmake > /dev/null 2>&1 || {
- echo "\
-This package requires CMake, please install it first, then you may
-use this configure script to access CMake equivalent functionality.\
-" >&2;
- exit 1;
-}
-
-usage="\
-Usage: $0 [OPTION]... [VAR=VALUE]...
-
- --builddir= The build directory
- --generator= run cmake --help for a list of generators
- --prefix= Snort++ installation prefix
-
-Optional Features:
- --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
- --enable-FEATURE[=ARG] include FEATURE [ARG=yes]
- --enable-code-coverage Whether to enable code coverage support
- --enable-debug enable debugging options (bugreports and developers
- only)
- --disable-gdb disable gdb debugging information
- --enable-address-sanitizer
- enable address sanitizer support
- --enable-thread-sanitizer
- enable thread sanitizer support
- --enable-ub-sanitizer
- enable undefined behavior sanitizer support
-"
-
-sourcedir="$( cd "$( dirname "$0" )" && pwd )"
-
-# Function to append a CMake cache entry definition to the
-# CMakeCacheEntries variable
-# $1 is the cache entry variable name
-# $2 is the cache entry variable type
-# $3 is the cache entry variable value
-append_cache_entry () {
- CMakeCacheEntries="$CMakeCacheEntries -D $1:$2=$3"
-}
-
-# set defaults
-builddir=build
-prefix=/usr/local/snort
-CMakeCacheEntries=""
-append_cache_entry CMAKE_INSTALL_PREFIX PATH $prefix
-
-
-# parse arguments
-while [ $# -ne 0 ]; do
- case "$1" in
- -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
- *) optarg= ;;
- esac
-
- case "$1" in
- --help|-h)
- echo "${usage}" 1>&2
- exit 1
- ;;
- --builddir=*)
- builddir=$optarg
- ;;
- --define=*)
- CMakeCacheEntries="$CMakeCacheEntries -D$optarg"
- ;;
- --generator=*)
- CMakeGenerator="$optarg"
- ;;
- --prefix=*)
- prefix=$optarg
- append_cache_entry CMAKE_INSTALL_PREFIX PATH $optarg
- ;;
- --enable-code-coverage)
- append_cache_entry ENABLE_CODE_COVERAGE BOOL true
- ;;
- --disable-code-coverage)
- append_cache_entry ENABLE_CODE_COVERAGE BOOL false
- ;;
- --enable-debug)
- append_cache_entry ENABLE_DEBUG BOOL true
- ;;
- --disable-debug)
- append_cache_entry ENABLE_DEBUG BOOL false
- ;;
- --enable-gdb)
- append_cache_entry ENABLE_GDB BOOL true
- ;;
- --disable-gdb)
- append_cache_entry ENABLE_GDB BOOL false
- ;;
- --enable-address-sanitizer)
- append_cache_entry ENABLE_ADDRESS_SANITIZER BOOL true
- ;;
- --disable-address-sanitizer)
- append_cache_entry ENABLE_ADDRESS_SANITIZER BOOL false
- ;;
- --enable-thread-sanitizer)
- append_cache_entry ENABLE_THREAD_SANITIZER BOOL true
- ;;
- --disable-thread-sanitizer)
- append_cache_entry ENABLE_THREAD_SANITIZER BOOL false
- ;;
- --enable-ub-sanitizer)
- append_cache_entry ENABLE_UB_SANITIZER BOOL true
- ;;
- --disable-ub-sanitizer)
- append_cache_entry ENABLE_UB_SANITIZER BOOL false
- ;;
- *)
- echo "Invalid option '$1'. Try $0 --help to see available options."
- exit 1
- ;;
- esac
- shift
-done
-
-if [ -d $builddir ]; then
- # If build directory exists, check if it has a CMake cache
- if [ -f $builddir/CMakeCache.txt ]; then
- # If the CMake cache exists, delete it so that this configuration
- # is not tainted by a previous one
- rm -f $builddir/CMakeCache.txt
- fi
-else
- # Create build directory
- mkdir -p $builddir
-fi
-
-echo "Build Directory : $builddir"
-echo "Source Directory: $sourcedir"
-cd $builddir
-
-[ "$CMakeGenerator" ] && gen="-G $CMakeGenerator"
-
-cmake $gen \
- -DCMAKE_CXX_FLAGS:STRING="$CXXFLAGS $CPPFLAGS" \
- -DCMAKE_C_FLAGS:STRING="$CFLAGS $CPPFLAGS" \
- -DCMAKE_EXPORT_COMPILE_COMMANDS=ON \
- $CMakeCacheEntries $sourcedir
-
-echo "# This is the command used to configure this build" > config.status
-echo $command >> config.status
-chmod u+x config.status
-
+++ /dev/null
-#!/bin/sh
-
-USAGE="Usage: $0 <start> <expander:./scripts> <templates:./templates>"
-
-if [ "$1" = "-h" ]; then
- echo $USAGE >&2
- exit
-fi
-
-RECURSE=${1:-$PWD}
-SCRIPT_PATH=./scripts
-TEMPLATE_PATH=./templates
-
-EXPAND=${SCRIPT_PATH}/expand_template.rb
-
-template=${TEMPLATE_PATH}/CMakeLists.txt.erb
-
-[ -n "$DRY_RUN" ] && ECHO=echo || ECHO=
-
-for project_dir in $(find $RECURSE -mindepth 3 -type d); do
- project_base=${project_dir##*/}
-
- template_base=${template##*/}
-
- [ -n "$DRY_RUN" ] && \
- echo $EXPAND $template $project_dir '>' $project_dir/${template_base%.erb} || \
- $EXPAND $template $project_dir > $project_dir/${template_base%.erb}
-done
+++ /dev/null
-#!/usr/bin/env ruby
-
-require 'erb'
-
-USAGE = "Usage: #{$0} <template> [<dir:$PWD>]"
-
-class Build
- attr_reader :version
-end
-
-class CMake < Build
- def self.get_version(binary)
- `#{binary} --version`[/version ((?:\d+\.)*\d*)/, 1]
- end
-
- def initialize(binary = "cmake")
- @binary = binary
- @version = CMake.get_version @binary
- end
-end
-
-class Automake < Build
-end
-
-class Project
- attr_reader :name, :libname, :dirname, :sources, :scripts, :miscs, :language
-
- def initialize(name, libname, dirname, sources, scripts, miscs, language)
- @name = name
- @libname = libname
- @dirname = dirname
- @sources = sources
- @scripts = scripts
- @miscs = miscs
- @language = language
- end
-end
-
-class Generate
- attr_reader :project_boilerplate, :platform_boilerplate
-
- def initialize(project, platform)
- @project_boilerplate = project
- @platform_boilerplate = platform
- end
-end
-
-class Build
- def initialize(build_systems, project, generate)
- @cmake = build_systems[:cmake]
- @automake = build_systems[:automake]
- @project = project
- @generate = generate
- end
-
- def get_binding
- binding
- end
-end
-
-def template(t, b)
- erb = ERB.new(t, 0, "%")
- erb.result(b)
-end
-
-def die(msg)
- STDERR.puts("error: #{msg}")
- exit 1
-end
-
-def usage(code = 0)
- STDERR.puts USAGE
- exit code
-end
-
-def die_with_usage(msg)
- STDERR.puts("error: #{msg}")
- usage 1
-end
-
-def main
- if ARGV.include? '-h'
- usage
- end
-
- template_path = ARGV.shift
- die_with_usage("you must specify a template file") unless template_path
-
- unless File.file? template_path
- die("specified template file does not exist: #{template_path}")
- end
-
- project_dir = ARGV.shift
- project_dir ||= `pwd`.chomp
- project_dir = File.absolute_path(project_dir)
-
- unless File.directory? project_dir
- die("specified start directory does not exist: #{project_dir}")
- end
-
- project_name = File.basename project_dir
- project_dirname = File.basename File.dirname project_dir
-
- project_c_sources = Dir[File.join(project_dir, "*.c")].collect do |path|
- File.basename path
- end
-
- project_cxx_sources = Dir[File.join(project_dir, "*.cc")].collect do |path|
- File.basename path
- end
-
- project_header_sources = Dir[File.join(project_dir, "*.h")].collect do |path|
- File.basename path
- end
-
- project_sources = (project_c_sources + project_cxx_sources + project_header_sources).sort
-
- project_scripts = Dir[File.join(project_dir, "*.lua")].collect do |path|
- File.basename path
- end.sort
-
- project_miscs = Dir[File.join(project_dir, "*.txt")].collect do |path|
- File.basename path
- end.select do |name|
- !["CMakeLists.txt"].include?(name)
- end.sort
-
- if !project_cxx_sources.empty?
- project_language = "CXX"
- elsif !project_c_sources.empty?
- project_language = "C"
- else
- project_language = nil
- end
-
- cmake = CMake.new
- generate = Generate.new true, true
- project = Project.new project_name,
- project_name,
- project_dirname,
- project_sources,
- project_scripts,
- project_miscs,
- project_language
-
- build = Build.new({cmake: cmake}, project, generate)
-
- File.open(template_path) do |f|
- puts template f.read, build.get_binding
- end
-end
-
-main
+++ /dev/null
-include(CheckIncludeFileCXX)
-
-add_subdirectory ( codecs )
-add_subdirectory ( daqs )
-add_subdirectory ( inspectors )
-add_subdirectory ( ips_options )
-add_subdirectory ( loggers )
-add_subdirectory ( search_engines )
-add_subdirectory ( so_rules )
-
-CHECK_INCLUDE_FILE_CXX( "${CMAKE_INSTALL_PREFIX}/include/snort/network_inspectors/appid/tp_appid_module_api.h" ENABLE_APPID_THIRD_PARTY ${CMAKE_CXX_FLAGS})
-
-if ( ENABLE_APPID_THIRD_PARTY )
- add_subdirectory ( tp_appid )
-endif()
+++ /dev/null
-add_subdirectory ( cd_eapol )
-add_subdirectory ( cd_linux_sll )
-add_subdirectory ( cd_null )
-add_subdirectory ( cd_pflog )
-add_subdirectory ( cd_pbb )
-add_subdirectory ( cd_ppp )
-add_subdirectory ( cd_raw4 )
-add_subdirectory ( cd_raw6 )
-add_subdirectory ( cd_slip )
-add_subdirectory ( cd_token_ring )
-add_subdirectory ( cd_wlan )
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( cd_eapol CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- cd_eapol MODULE
- cd_eapol.cc
-)
-
-if ( APPLE )
- set_target_properties (
- cd_eapol
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- cd_eapol
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- cd_eapol PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS cd_eapol
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/codecs"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-// cd_eapol.cc author Josh Rosenbaum <jrosenba@cisco.com>
-
-#include "codecs/codec_module.h"
-#include "framework/codec.h"
-#include "protocols/eapol.h"
-
-#define CD_EAPOL_NAME "eapol"
-#define CD_EAPOL_HELP "support for extensible authentication protocol over LAN"
-
-using namespace snort;
-
-namespace
-{
-static const RuleMap eapol_rules[] =
-{
- { DECODE_EAPOL_TRUNCATED, "truncated EAP header" },
- { DECODE_EAPKEY_TRUNCATED, "EAP key truncated" },
- { DECODE_EAP_TRUNCATED, "EAP header truncated" },
- { 0, nullptr }
-};
-
-class EapolModule : public CodecModule
-{
-public:
- EapolModule() : CodecModule(CD_EAPOL_NAME, CD_EAPOL_HELP) { }
-
- const RuleMap* get_rules() const override
- { return eapol_rules; }
-};
-
-class EapolCodec : public Codec
-{
-public:
- EapolCodec() : Codec(CD_EAPOL_NAME) { }
-
- bool decode(const RawData&, CodecData&, DecodeData&) override;
- void get_protocol_ids(std::vector<ProtocolId>&) override;
-
-private:
- void DecodeEAP(const RawData&, const CodecData&);
- void DecodeEapolKey(const RawData&, const CodecData&);
-};
-} // namespace
-
-void EapolCodec::get_protocol_ids(std::vector<ProtocolId>& v)
-{ v.push_back(ProtocolId::ETHERTYPE_EAPOL); }
-
-void EapolCodec::DecodeEAP(const RawData& raw, const CodecData& codec)
-{
- if (raw.len < sizeof(eapol::EAPHdr))
- codec_event(codec, DECODE_EAP_TRUNCATED);
-}
-
-void EapolCodec::DecodeEapolKey(const RawData& raw, const CodecData& codec)
-{
- if (raw.len < sizeof(eapol::EapolKey))
- codec_event(codec, DECODE_EAPKEY_TRUNCATED);
-}
-
-/*************************************************
- ************** main codec functions ************
- *************************************************/
-
-bool EapolCodec::decode(const RawData& raw, CodecData& codec, DecodeData&)
-{
- const eapol::EtherEapol* const eplh =
- reinterpret_cast<const eapol::EtherEapol*>(raw.data);
-
- if (raw.len < sizeof(eapol::EtherEapol))
- {
- codec_event(codec, DECODE_EAPOL_TRUNCATED);
- return false;
- }
-
- if (eplh->eaptype == EAPOL_TYPE_EAP)
- DecodeEAP(raw, codec);
-
- else if (eplh->eaptype == EAPOL_TYPE_KEY)
- DecodeEapolKey(raw, codec);
-
- return true;
-}
-
-//-------------------------------------------------------------------------
-// api
-//-------------------------------------------------------------------------
-
-static Module* mod_ctor()
-{ return new EapolModule; }
-
-static void mod_dtor(Module* m)
-{ delete m; }
-
-static Codec* ctor(Module*)
-{ return new EapolCodec(); }
-
-static void dtor(Codec* cd)
-{ delete cd; }
-
-static const CodecApi eapol_api =
-{
- {
- PT_CODEC,
- sizeof(CodecApi),
- CDAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- CD_EAPOL_NAME,
- CD_EAPOL_HELP,
- mod_ctor,
- mod_dtor,
- },
- nullptr, // pinit
- nullptr, // pterm
- nullptr, // tinit
- nullptr, // tterm
- ctor, // ctor
- dtor, // dtor
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &eapol_api.base,
- nullptr
-};
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( cd_linux_sll CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- cd_linux_sll MODULE
- cd_linux_sll.cc
-)
-
-if ( APPLE )
- set_target_properties (
- cd_linux_sll
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- cd_linux_sll
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- cd_linux_sll PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS cd_linux_sll
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/codecs"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-// cd_linux_sll.cc author Josh Rosenbaum <jrosenba@cisco.com>
-
-#include <sfbpf_dlt.h>
-
-#include "framework/codec.h"
-#include "protocols/linux_sll.h"
-
-#define CD_LINUX_SLL_NAME "linux_sll"
-#define CD_LINUX_SLL_HELP_STR "support for Linux SLL"
-#define CD_LINUX_SLL_HELP ADD_DLT(CD_LINUX_SLL_HELP_STR, DLT_LINUX_SLL)
-
-using namespace snort;
-
-namespace
-{
-class LinuxSllCodec : public Codec
-{
-public:
- LinuxSllCodec() : Codec(CD_LINUX_SLL_NAME) { }
-
- void get_data_link_type(std::vector<int>&) override;
- bool decode(const RawData&, CodecData&, DecodeData&) override;
-};
-} // namespace
-
-void LinuxSllCodec::get_data_link_type(std::vector<int>& v)
-{
- v.push_back(DLT_LINUX_SLL);
-}
-
-bool LinuxSllCodec::decode(const RawData& raw, CodecData& data, DecodeData&)
-{
- /* do a little validation */
- if (raw.len < linux_sll::SLL_HDR_LEN)
- return false;
-
- /* lay the ethernet structure over the packet data */
- const linux_sll::SLLHdr* const sllh = reinterpret_cast<const linux_sll::SLLHdr*>(raw.data);
-
- /* grab out the network type */
- data.next_prot_id = static_cast<ProtocolId>(ntohs(sllh->sll_protocol));
- data.lyr_len = linux_sll::SLL_HDR_LEN;
- data.codec_flags |= CODEC_ETHER_NEXT;
- return true;
-}
-
-//-------------------------------------------------------------------------
-// api
-//-------------------------------------------------------------------------
-
-static Codec* ctor(Module*)
-{ return new LinuxSllCodec(); }
-
-static void dtor(Codec* cd)
-{ delete cd; }
-
-static const CodecApi linux_ssl_api =
-{
- {
- PT_CODEC,
- sizeof(CodecApi),
- CDAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- CD_LINUX_SLL_NAME,
- CD_LINUX_SLL_HELP,
- nullptr,
- nullptr,
- },
- nullptr,
- nullptr,
- nullptr,
- nullptr,
- ctor,
- dtor,
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &linux_ssl_api.base,
- nullptr
-};
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( cd_null CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- cd_null MODULE
- cd_null.cc
-)
-
-if ( APPLE )
- set_target_properties (
- cd_null
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- cd_null
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- cd_null PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS cd_null
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/codecs"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-// cd_null.cc author Josh Rosenbaum <jrosenba@cisco.com>
-
-#include <sfbpf_dlt.h>
-
-#include "framework/codec.h"
-
-#define CD_NULL_NAME "null"
-#define CD_NULL_HELP_STR "support for null encapsulation"
-#define CD_NULL_HELP ADD_DLT(CD_NULL_HELP_STR, DLT_NULL)
-
-using namespace snort;
-
-namespace
-{
-class NullCodec : public Codec
-{
-public:
- NullCodec() : Codec(CD_NULL_NAME) { }
-
- bool decode(const RawData&, CodecData&, DecodeData&) override;
- void get_data_link_type(std::vector<int>&) override;
-};
-} // namespace
-
-static const uint16_t NULL_HDRLEN = 4;
-
-bool NullCodec::decode(const RawData& raw, CodecData& data, DecodeData&)
-{
- if (raw.len < NULL_HDRLEN)
- return false;
-
- data.lyr_len = NULL_HDRLEN;
- data.next_prot_id = ProtocolId::ETHERTYPE_IPV4;
- return true;
-}
-
-void NullCodec::get_data_link_type(std::vector<int>& v)
-{ v.push_back(DLT_NULL); }
-
-//-------------------------------------------------------------------------
-// api
-//-------------------------------------------------------------------------
-
-static Codec* ctor(Module*)
-{ return new NullCodec(); }
-
-static void dtor(Codec* cd)
-{ delete cd; }
-
-static const CodecApi null_api =
-{
- {
- PT_CODEC,
- sizeof(CodecApi),
- CDAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- CD_NULL_NAME,
- CD_NULL_HELP,
- nullptr,
- nullptr,
- },
- nullptr, // pinit
- nullptr, // pterm
- nullptr, // tinit
- nullptr, // tterm
- ctor, // ctor
- dtor, // dtor
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &null_api.base,
- nullptr
-};
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( cd_pbb CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- cd_pbb MODULE
- cd_pbb.cc
-)
-
-if ( APPLE )
- set_target_properties (
- cd_pbb
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- cd_pbb
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- cd_pbb PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS cd_pbb
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/codecs"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2017-2018 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// cd_pbb.cc author Russ Combs <rucombs@cisco.com>
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include <sfbpf_dlt.h>
-
-#include "codecs/codec_module.h"
-#include "framework/codec.h"
-#include "log/text_log.h"
-#include "main/snort_config.h"
-#include "protocols/packet_manager.h"
-
-using namespace snort;
-
-#define CD_PBB_NAME "pbb"
-#define CD_PBB_HELP "support for 802.1ah protocol"
-
-#define ETHERTYPE_8021AH 0x88E7
-
-namespace
-{
-struct PbbHdr
-{
- uint32_t i_sid;
- uint8_t ether_dst[6];
- uint8_t ether_src[6];
- uint16_t ether_type;
-
- inline ProtocolId ethertype() const
- { return (ProtocolId)ntohs(ether_type); }
-} __attribute__((__packed__));
-
-static const RuleMap pbb_rules[] =
-{
- // FIXIT-H need own gid
- { DECODE_ETH_HDR_TRUNC, "truncated ethernet header" },
- { 0, nullptr }
-};
-
-class PbbModule : public CodecModule
-{
-public:
- PbbModule() : CodecModule(CD_PBB_NAME, CD_PBB_HELP) { }
-
- const RuleMap* get_rules() const override
- { return pbb_rules; }
-};
-
-class PbbCodec : public Codec
-{
-public:
- PbbCodec() : Codec(CD_PBB_NAME) { }
-
- void get_protocol_ids(std::vector<ProtocolId>&) override;
- void log(TextLog* const, const uint8_t* pkt, const uint16_t len) override;
- bool decode(const RawData&, CodecData&, DecodeData&) override;
- bool encode(const uint8_t* const raw_in, const uint16_t raw_len,
- EncState&, Buffer&, Flow*) override;
- void format(bool reverse, uint8_t* raw_pkt, DecodeData& snort) override;
- void update(const ip::IpApi&, const EncodeFlags, uint8_t* raw_pkt,
- uint16_t lyr_len, uint32_t& updated_len) override;
-};
-} // namespace
-
-void PbbCodec::get_protocol_ids(std::vector<ProtocolId>& v)
-{
- v.push_back((ProtocolId)ETHERTYPE_8021AH);
-}
-
-bool PbbCodec::decode(const RawData& raw, CodecData& codec, DecodeData&)
-{
- if (raw.len < sizeof(PbbHdr))
- {
- codec_event(codec, DECODE_ETH_HDR_TRUNC);
- return false;
- }
-
- const PbbHdr* pbb = reinterpret_cast<const PbbHdr*>(raw.data);
-
- ProtocolId next_prot = pbb->ethertype();
-
- codec.proto_bits |= PROTO_BIT__ETH;
- codec.lyr_len = sizeof(PbbHdr);
- codec.next_prot_id = next_prot;
-
- return true;
-}
-
-void PbbCodec::log(TextLog* const text_log, const uint8_t* raw_pkt,
- const uint16_t len)
-{
- const PbbHdr* pbb = reinterpret_cast<const PbbHdr*>(raw_pkt);
-
- /* src addr */
- TextLog_Print(text_log, "%02X:%02X:%02X:%02X:%02X:%02X -> ", pbb->ether_src[0],
- pbb->ether_src[1], pbb->ether_src[2], pbb->ether_src[3],
- pbb->ether_src[4], pbb->ether_src[5]);
-
- /* dest addr */
- TextLog_Print(text_log, "%02X:%02X:%02X:%02X:%02X:%02X", pbb->ether_dst[0],
- pbb->ether_dst[1], pbb->ether_dst[2], pbb->ether_dst[3],
- pbb->ether_dst[4], pbb->ether_dst[5]);
-
- TextLog_Print(text_log, " len:%hu", len);
- TextLog_Print(text_log, " type:0x%04X", pbb->ethertype());
-}
-
-//-------------------------------------------------------------------------
-// ethernet
-//-------------------------------------------------------------------------
-
-bool PbbCodec::encode(const uint8_t* const raw_in, const uint16_t /*raw_len*/,
- EncState& enc, Buffer& buf, Flow*)
-{
- const PbbHdr* hi = reinterpret_cast<const PbbHdr*>(raw_in);
-
- // not raw ip -> encode layer 2
- bool raw = ( enc.flags & ENC_FLAG_RAW );
-
- if ( !raw || (buf.size() != 0) )
- {
- // we get here for outer-most layer when not raw ip
- // we also get here for any encapsulated ethernet layer.
- if ( !buf.allocate(sizeof(PbbHdr)) )
- return false;
-
- PbbHdr* ho = reinterpret_cast<PbbHdr*>(buf.data());
- ho->ether_type = enc.ethertype_set() ?
- htons(to_utype(enc.next_ethertype)) : hi->ether_type;
-
- if ( enc.forward() )
- {
- memcpy(ho->ether_src, hi->ether_src, sizeof(ho->ether_src));
-
- if ( SnortConfig::get_conf()->eth_dst )
- memcpy(ho->ether_dst, SnortConfig::get_conf()->eth_dst, sizeof(ho->ether_dst));
- else
- memcpy(ho->ether_dst, hi->ether_dst, sizeof(ho->ether_dst));
- }
- else
- {
- memcpy(ho->ether_src, hi->ether_dst, sizeof(ho->ether_src));
-
- if ( SnortConfig::get_conf()->eth_dst )
- memcpy(ho->ether_dst, SnortConfig::get_conf()->eth_dst, sizeof(ho->ether_dst));
- else
- memcpy(ho->ether_dst, hi->ether_src, sizeof(ho->ether_dst));
- }
- }
-
- enc.next_ethertype = ProtocolId::ETHERTYPE_NOT_SET;
- enc.next_proto = IpProtocol::PROTO_NOT_SET;
- return true;
-}
-
-void PbbCodec::format(bool reverse, uint8_t* raw_pkt, DecodeData&)
-{
- PbbHdr* ch = reinterpret_cast<PbbHdr*>(raw_pkt);
-
- if ( reverse )
- {
- uint8_t tmp_addr[6];
-
- memcpy(tmp_addr, ch->ether_dst, sizeof(ch->ether_dst));
- memcpy(ch->ether_dst, ch->ether_src, sizeof(ch->ether_src));
- memcpy(ch->ether_src, tmp_addr, sizeof(ch->ether_src));
- }
-}
-
-void PbbCodec::update(const ip::IpApi&, const EncodeFlags, uint8_t*,
- uint16_t lyr_len, uint32_t& updated_len)
-{
- updated_len += lyr_len;
-}
-
-//-------------------------------------------------------------------------
-// api
-//-------------------------------------------------------------------------
-
-static Module* mod_ctor()
-{ return new PbbModule; }
-
-static void mod_dtor(Module* m)
-{ delete m; }
-
-static Codec* ctor(Module*)
-{ return new PbbCodec(); }
-
-static void dtor(Codec* cd)
-{ delete cd; }
-
-static const CodecApi pbb_api =
-{
- {
- PT_CODEC,
- sizeof(CodecApi),
- CDAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- CD_PBB_NAME,
- CD_PBB_HELP,
- mod_ctor,
- mod_dtor,
- },
- nullptr, // pinit
- nullptr, // pterm
- nullptr, // tinit
- nullptr, // tterm
- ctor, // ctor
- dtor, // dtor
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &pbb_api.base,
- nullptr
-};
-
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( cd_pflog CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- cd_pflog MODULE
- cd_pflog.cc
-)
-
-if ( APPLE )
- set_target_properties (
- cd_pflog
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- cd_pflog
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- cd_pflog PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS cd_pflog
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/codecs"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2002-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-#include <net/if.h>
-#include <sfbpf_dlt.h>
-
-#include "framework/codec.h"
-
-using namespace snort;
-
-#define PFLOG_NAME "pflog"
-#define PFLOG_HELP_STR "support for OpenBSD PF log"
-
-#define PFLOG_HELP ADD_DLT(PFLOG_HELP_STR, DLT_PFLOG)
-
-namespace
-{
-/*
- * Snort supports 3 versions of the OpenBSD pflog header:
- *
- * Pflog1_Hdr: CVS = 1.3, DLT_OLD_PFLOG = 17, Length = 28
- * Pflog2_Hdr: CVS = 1.8, DLT_PFLOG = 117, Length = 48
- * Pflog3_Hdr: CVS = 1.12, DLT_PFLOG = 117, Length = 64
- * Pflog4_Hdr: CVS = 1.172, DLT_PFLOG = 117, Length = 100
- *
- * Since they have the same DLT, Pflog{2,3,4}Hdr are distinguished
- * by their actual length. The minimum required length excludes
- * padding.
- */
-/* Old OpenBSD pf firewall pflog0 header (information from pf source in kernel)
- * the rule, reason, and action codes tell why the firewall dropped it -fleck
- */
-
-class PflogCodec : public Codec
-{
-public:
- PflogCodec() : Codec(PFLOG_NAME) { }
-
- bool decode(const RawData&, CodecData&, DecodeData&) override;
- void get_data_link_type(std::vector<int>&) override;
-};
-
-struct Pflog1Hdr
-{
- uint32_t af;
- char intf[IFNAMSIZ];
- int16_t rule;
- uint16_t reason;
- uint16_t action;
- uint16_t dir;
-};
-
-#define PFLOG1_HDRLEN (sizeof(struct _Pflog1_hdr))
-
-/*
- * Note that on OpenBSD, af type is sa_family_t. On Linux, that's an unsigned
- * short, but on OpenBSD, that's a uint8_t, so we should explicitly use uint8_t
- * here. - ronaldo
- */
-
-#define PFLOG_RULELEN 16
-#define PFLOG_PADLEN 3
-
-struct Pflog2Hdr
-{
- int8_t length;
- uint8_t af;
- uint8_t action;
- uint8_t reason;
- char ifname[IFNAMSIZ];
- char ruleset[PFLOG_RULELEN];
- uint32_t rulenr;
- uint32_t subrulenr;
- uint8_t dir;
- uint8_t pad[PFLOG_PADLEN];
-};
-
-#define PFLOG2_HDRLEN (sizeof(Pflog2Hdr))
-#define PFLOG2_HDRMIN (PFLOG2_HDRLEN - PFLOG_PADLEN)
-
-struct Pflog3Hdr
-{
- int8_t length;
- uint8_t af;
- uint8_t action;
- uint8_t reason;
- char ifname[IFNAMSIZ];
- char ruleset[PFLOG_RULELEN];
- uint32_t rulenr;
- uint32_t subrulenr;
- uint32_t uid;
- uint32_t pid;
- uint32_t rule_uid;
- uint32_t rule_pid;
- uint8_t dir;
- uint8_t pad[PFLOG_PADLEN];
-};
-
-#define PFLOG3_HDRLEN (sizeof(Pflog3Hdr))
-#define PFLOG3_HDRMIN (PFLOG3_HDRLEN - PFLOG_PADLEN)
-
-struct Pflog4Hdr
-{
- uint8_t length;
- uint8_t af;
- uint8_t action;
- uint8_t reason;
- char ifname[IFNAMSIZ];
- char ruleset[PFLOG_RULELEN];
- uint32_t rulenr;
- uint32_t subrulenr;
- uint32_t uid;
- uint32_t pid;
- uint32_t rule_uid;
- uint32_t rule_pid;
- uint8_t dir;
- uint8_t rewritten;
- uint8_t pad[2];
- uint8_t saddr[16];
- uint8_t daddr[16];
- uint16_t sport;
- uint16_t dport;
-};
-
-#define PFLOG4_HDRLEN sizeof(struct Pflog4Hdr)
-#define PFLOG4_HDRMIN sizeof(struct Pflog4Hdr)
-} // namespace
-
-void PflogCodec::get_data_link_type(std::vector<int>& v)
-{ v.push_back(DLT_PFLOG); }
-
-bool PflogCodec::decode(const RawData& raw, CodecData& codec, DecodeData&)
-{
- const uint32_t cap_len = raw.len;
- uint8_t af, pflen;
- uint32_t hlen;
- uint32_t padlen = PFLOG_PADLEN;
-
- if (cap_len < PFLOG2_HDRMIN)
- return false;
-
- /* lay the pf header structure over the packet data */
- switch (*((const uint8_t*)raw.data))
- {
- case PFLOG2_HDRMIN:
- {
- const Pflog2Hdr* const pf2h =
- reinterpret_cast<const Pflog2Hdr*>(raw.data);
- pflen = pf2h->length;
- hlen = PFLOG2_HDRLEN;
- af = pf2h->af;
- break;
- }
- case PFLOG3_HDRMIN:
- {
- const Pflog3Hdr* const pf3h =
- reinterpret_cast<const Pflog3Hdr*>(raw.data);
- pflen = pf3h->length;
- hlen = PFLOG3_HDRLEN;
- af = pf3h->af;
- break;
- }
- case PFLOG4_HDRMIN:
- {
- const Pflog4Hdr* const pf4h =
- reinterpret_cast<const Pflog4Hdr*>(raw.data);
- pflen = pf4h->length;
- hlen = PFLOG4_HDRLEN;
- af = pf4h->af;
- padlen = sizeof(pf4h->pad);
- break;
- }
- default:
- return false;
- }
-
- /* now that we know a little more, do a little more validation */
- if (cap_len < hlen)
- return false;
-
- /* note that the pflen may exclude the padding which is always present */
- if (pflen < hlen - padlen || pflen > hlen)
- return false;
-
- /* check the network type - should only be AF_INET or AF_INET6 */
- switch (af)
- {
- case AF_INET: /* IPv4 */
- codec.next_prot_id = ProtocolId::ETHERTYPE_IPV4;
- break;
-
- case AF_INET6: /* IPv6 */
- codec.next_prot_id = ProtocolId::ETHERTYPE_IPV6;
- break;
-
- default:
- /* FIXIT-L add decoder drop event for unknown pflog network type
- * To my knowledge, pflog devices can only
- * pass IP and IP6 packets. -fleck
- */
- break;
- }
-
- codec.lyr_len = hlen;
- return true;
-}
-
-//-------------------------------------------------------------------------
-// api
-//-------------------------------------------------------------------------
-
-static Codec* ctor(Module*)
-{ return new PflogCodec(); }
-
-static void dtor(Codec* cd)
-{ delete cd; }
-
-static const CodecApi pflog_api =
-{
- {
- PT_CODEC,
- sizeof(CodecApi),
- CDAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- PFLOG_NAME,
- PFLOG_HELP,
- nullptr, // mod_ctor
- nullptr // mod_dtor
- },
- nullptr, // ginit
- nullptr, // gterm
- nullptr, // tinit
- nullptr, // tterm
- ctor,
- dtor,
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &pflog_api.base,
- nullptr
-};
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( cd_ppp CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- cd_ppp MODULE
- cd_ppp.cc
-)
-
-if ( APPLE )
- set_target_properties (
- cd_ppp
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- cd_ppp
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- cd_ppp PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS cd_ppp
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/codecs"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-// cd_ppp.cc author Josh Rosenbaum <jrosenba@cisco.com>
-
-#include <sfbpf_dlt.h>
-
-#include "framework/codec.h"
-
-using namespace snort;
-
-#define PPP_NAME "ppp"
-#define PPP_HELP_STR "support for point-to-point encapsulation"
-#define PPP_HELP ADD_DLT(PPP_HELP_STR, DLT_PPP)
-
-namespace
-{
-class PPPCodec : public Codec
-{
-public:
- PPPCodec() : Codec(PPP_NAME) { }
-
- bool decode(const RawData&, CodecData&, DecodeData&) override;
- void get_data_link_type(std::vector<int>&) override;
-};
-} // namespace
-
-static constexpr uint8_t CHDLC_ADDR_BROADCAST = 0xff;
-static constexpr uint8_t CHDLC_CTRL_UNNUMBERED = 0x03;
-
-void PPPCodec::get_data_link_type(std::vector<int>& v)
-{ v.push_back(DLT_PPP); }
-
-bool PPPCodec::decode(const RawData& raw, CodecData& codec, DecodeData&)
-{
- if (raw.len < 2)
- return false;
-
- if (raw.data[0] == CHDLC_ADDR_BROADCAST && raw.data[1] == CHDLC_CTRL_UNNUMBERED)
- {
- /*
- * Check for full HDLC header (rfc1662 section 3.2)
- */
- codec.lyr_len = 2;
- }
-
- codec.next_prot_id = ProtocolId::ETHERTYPE_PPP;
- return true;
-}
-
-//-------------------------------------------------------------------------
-// api
-//-------------------------------------------------------------------------
-
-static Codec* ctor(Module*)
-{ return new PPPCodec(); }
-
-static void dtor(Codec* cd)
-{ delete cd; }
-
-static const CodecApi ppp_api =
-{
- {
- PT_CODEC,
- sizeof(CodecApi),
- CDAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- PPP_NAME,
- PPP_HELP,
- nullptr, // mod_ctor
- nullptr, // mod_dtor
- },
- nullptr, // pinit
- nullptr, // pterm
- nullptr, // tinit
- nullptr, // tterm
- ctor,
- dtor,
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &ppp_api.base,
- nullptr
-};
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( cd_raw4 CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- cd_raw4 MODULE
- cd_raw4.cc
-)
-
-if ( APPLE )
- set_target_properties (
- cd_raw4
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- cd_raw4
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- cd_raw4 PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS cd_raw4
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/codecs"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-// cd_raw4.cc author Josh Rosenbaum <jrosenba@cisco.com>
-
-#include <sfbpf_dlt.h>
-
-#include "framework/codec.h"
-
-using namespace snort;
-
-#define CD_RAW4_NAME "raw4"
-#define CD_RAW4_HELP_STR "support for unencapsulated IPv4"
-#define CD_RAW4_HELP ADD_DLT(ADD_DLT(CD_RAW4_HELP_STR, DLT_RAW), DLT_IPV4)
-
-namespace
-{
-class Raw4Codec : public Codec
-{
-public:
- Raw4Codec() : Codec(CD_RAW4_NAME) { }
-
- bool decode(const RawData&, CodecData&, DecodeData&) override;
- void get_data_link_type(std::vector<int>&) override;
-};
-} // namespace
-
-bool Raw4Codec::decode(const RawData&, CodecData& data, DecodeData&)
-{
- data.next_prot_id = ProtocolId::ETHERTYPE_IPV4;
- return true;
-}
-
-void Raw4Codec::get_data_link_type(std::vector<int>& v)
-{
- v.push_back(DLT_RAW);
- v.push_back(DLT_IPV4);
-}
-
-//-------------------------------------------------------------------------
-// api
-//-------------------------------------------------------------------------
-
-static Codec* ctor(Module*)
-{ return new Raw4Codec(); }
-
-static void dtor(Codec* cd)
-{ delete cd; }
-
-static const CodecApi raw4_api =
-{
- {
- PT_CODEC,
- sizeof(CodecApi),
- CDAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- CD_RAW4_NAME,
- CD_RAW4_HELP,
- nullptr,
- nullptr,
- },
- nullptr, // pinit
- nullptr, // pterm
- nullptr, // tinit
- nullptr, // tterm
- ctor, // ctor
- dtor, // dtor
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &raw4_api.base,
- nullptr
-};
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( cd_raw6 CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- cd_raw6 MODULE
- cd_raw6.cc
-)
-
-if ( APPLE )
- set_target_properties (
- cd_raw6
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- cd_raw6
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- cd_raw6 PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS cd_raw6
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/codecs"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-// cd_raw6.cc author Josh Rosenbaum <jrosenba@cisco.com>
-
-#include <sfbpf_dlt.h>
-
-#include "framework/codec.h"
-
-using namespace snort;
-
-#define CD_RAW6_NAME "raw6"
-#define CD_RAW6_HELP_STR "support for unencapsulated IPv6"
-#define CD_RAW6_HELP ADD_DLT(CD_RAW6_HELP_STR, DLT_IPV6)
-
-namespace
-{
-class Raw6Codec : public Codec
-{
-public:
- Raw6Codec() : Codec(CD_RAW6_NAME) { }
-
- bool decode(const RawData&, CodecData&, DecodeData&) override;
- void get_data_link_type(std::vector<int>&) override;
-};
-} // namespace
-
-bool Raw6Codec::decode(const RawData&, CodecData& data, DecodeData&)
-{
- data.next_prot_id = ProtocolId::ETHERTYPE_IPV6;
- return true;
-}
-
-void Raw6Codec::get_data_link_type(std::vector<int>& v)
-{ v.push_back(DLT_IPV6); }
-
-//-------------------------------------------------------------------------
-// api
-//-------------------------------------------------------------------------
-
-static Codec* ctor(Module*)
-{ return new Raw6Codec(); }
-
-static void dtor(Codec* cd)
-{ delete cd; }
-
-static const CodecApi raw6_api =
-{
- {
- PT_CODEC,
- sizeof(CodecApi),
- CDAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- CD_RAW6_NAME,
- CD_RAW6_HELP,
- nullptr,
- nullptr,
- },
- nullptr, // pinit
- nullptr, // pterm
- nullptr, // tinit
- nullptr, // tterm
- ctor, // ctor
- dtor, // dtor
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &raw6_api.base,
- nullptr
-};
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( cd_slip CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- cd_slip MODULE
- cd_slip.cc
-)
-
-if ( APPLE )
- set_target_properties (
- cd_slip
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- cd_slip
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- cd_slip PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS cd_slip
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/codecs"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-// cd_sip.cc author Josh Rosenbaum <jrosenba@cisco.com>
-
-#include <sfbpf_dlt.h>
-
-#include "framework/codec.h"
-
-using namespace snort;
-
-#define CD_SLIP_NAME "slip"
-#define CD_SLIP_HELP_STR "support for slip protocol"
-#define CD_SLIP_HELP ADD_DLT(CD_SLIP_HELP_STR, DLT_SLIP)
-
-const uint16_t SLIP_HEADER_LEN = 16;
-
-namespace
-{
-class SlipCodec : public Codec
-{
-public:
- SlipCodec() : Codec(CD_SLIP_NAME) { }
-
- bool decode(const RawData&, CodecData&, DecodeData&) override;
- void get_data_link_type(std::vector<int>&) override;
-};
-} // namespace
-
-void SlipCodec::get_data_link_type(std::vector<int>& v)
-{
- v.push_back(DLT_SLIP);
-}
-
-bool SlipCodec::decode(const RawData& raw, CodecData& codec, DecodeData&)
-{
- if (raw.len < SLIP_HEADER_LEN)
- return false;
-
- // set the fields which will be sent back to the packet manager
- codec.lyr_len = SLIP_HEADER_LEN;
- codec.next_prot_id = ProtocolId::ETHERTYPE_IPV4;
- return true;
-}
-
-//-------------------------------------------------------------------------
-// api
-//-------------------------------------------------------------------------
-
-static Codec* ctor(Module*)
-{ return new SlipCodec(); }
-
-static void dtor(Codec* cd)
-{ delete cd; }
-
-static const CodecApi slip_api =
-{
- {
- PT_CODEC,
- sizeof(CodecApi),
- CDAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- CD_SLIP_NAME,
- CD_SLIP_HELP,
- nullptr,
- nullptr
- },
- nullptr,
- nullptr,
- nullptr,
- nullptr,
- ctor,
- dtor
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &slip_api.base,
- nullptr
-};
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( cd_token_ring CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- cd_token_ring MODULE
- cd_token_ring.cc
-)
-
-if ( APPLE )
- set_target_properties (
- cd_token_ring
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- cd_token_ring
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- cd_token_ring PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS cd_token_ring
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/codecs"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2002-2013 Sourcefire, Inc.
-// Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-// token_ring.h author Josh Rosenbaum <jrosenba@cisco.com>
-
-#include <sfbpf_dlt.h>
-
-#include "codecs/codec_module.h"
-#include "framework/codec.h"
-#include "protocols/token_ring.h"
-
-using namespace snort;
-
-namespace
-{
-#define TR_NAME "token_ring"
-#define TR_HELP "support for token ring decoding"
-
-static const RuleMap tkr_rules[] =
-{
- { DECODE_BAD_TRH, "bad Token Ring header" },
- { DECODE_BAD_TR_ETHLLC, "bad Token Ring ETHLLC header" },
- { DECODE_BAD_TR_MR_LEN, "bad Token Ring MRLEN header" },
- { DECODE_BAD_TRHMR, "bad Token Ring MR header" },
- { 0, nullptr }
-};
-
-class TrCodecModule : public CodecModule
-{
-public:
- TrCodecModule() : CodecModule(TR_NAME, TR_HELP) { }
-
- const RuleMap* get_rules() const override
- { return tkr_rules; }
-};
-
-class TrCodec : public Codec
-{
-public:
- TrCodec() : Codec(TR_NAME) { }
-
- void get_data_link_type(std::vector<int>&) override;
- bool decode(const RawData&, CodecData&, DecodeData&) override;
-};
-
-// THESE ARE NEVER USED!!
-#define MINIMAL_TOKENRING_HEADER_LEN 22
-#define TR_HLEN MINIMAL_TOKENRING_HEADER_LEN
-#define TOKENRING_LLC_LEN 8
-// DELETE FIN
-
-#define TR_ALEN 6 /* octets in an Ethernet header */
-
-#define AC 0x10
-#define LLC_FRAME 0x40
-
-#define TRMTU 2000 /* 2000 bytes */
-#define TR_RII 0x80
-#define TR_RCF_DIR_BIT 0x80
-#define TR_RCF_LEN_MASK 0x1f00
-#define TR_RCF_BROADCAST 0x8000 /* all-routes broadcast */
-#define TR_RCF_LIMITED_BROADCAST 0xC000 /* single-route broadcast */
-#define TR_RCF_FRAME2K 0x20
-#define TR_RCF_BROADCAST_MASK 0xC000
-} // namespace
-
-void TrCodec::get_data_link_type(std::vector<int>& v)
-{
- v.push_back(DLT_IEEE802);
-}
-
-//void DecodeTRPkt(Packet * p, const DAQ_PktHdr_t * pkthdr, const uint8_t * pkt)
-bool TrCodec::decode(const RawData& raw, CodecData& codec, DecodeData&)
-{
- const uint32_t cap_len = raw.len;
- uint32_t dataoff; /* data offset is variable here */
-
- if (cap_len < sizeof(token_ring::Trh_hdr))
- {
- codec_event(codec, DECODE_BAD_TRH);
- return false;
- }
-
- /* lay the tokenring header structure over the packet data */
- //const token_ring::Trh_hdr *trh = reinterpret_cast<const token_ring::Trh_hdr *>(raw_pkt);
-
- /*
- * according to rfc 1042:
- *
- * The presence of a Routing Information Field is indicated by the Most
- * Significant Bit (MSB) of the source address, called the Routing
- * Information Indicator (RII). If the RII equals zero, a RIF is
- * not present. If the RII equals 1, the RIF is present.
- * ..
- * However the MSB is already zeroed by this moment, so there's no
- * real way to figure out whether RIF is presented in packet, so we are
- * doing some tricks to find IPARP signature..
- */
-
- /*
- * first I assume that we have single-ring network with no RIF
- * information presented in frame
- */
- if (cap_len < (sizeof(token_ring::Trh_hdr) + sizeof(token_ring::Trh_llc)))
- {
- codec_event(codec, DECODE_BAD_TR_ETHLLC);
- return false;
- }
-
- const token_ring::Trh_llc* trhllc =
- reinterpret_cast<const token_ring::Trh_llc*>(raw.data + sizeof(token_ring::Trh_hdr));
-
- if (trhllc->dsap != IPARP_SAP && trhllc->ssap != IPARP_SAP)
- {
- /*
- * DSAP != SSAP != 0xAA .. either we are having frame which doesn't
- * carry IP datagrams or has RIF information present. We assume
- * the latter ...
- */
-
- if (cap_len < (sizeof(token_ring::Trh_hdr) + sizeof(token_ring::Trh_llc) +
- sizeof(token_ring::Trh_mr)))
- {
- codec_event(codec, DECODE_BAD_TRHMR);
- return false;
- }
-
- const token_ring::Trh_mr* const trhmr =
- reinterpret_cast<const token_ring::Trh_mr*>(raw.data + sizeof(token_ring::Trh_hdr));
-
- if (cap_len < (sizeof(token_ring::Trh_hdr) + sizeof(token_ring::Trh_llc) +
- sizeof(token_ring::Trh_mr) + TRH_MR_LEN(trhmr)))
- {
- codec_event(codec, DECODE_BAD_TR_MR_LEN);
- return false;
- }
-
- dataoff = sizeof(token_ring::Trh_hdr) + TRH_MR_LEN(trhmr) + sizeof(token_ring::Trh_llc);
- }
- else
- {
- dataoff = sizeof(token_ring::Trh_hdr) + sizeof(token_ring::Trh_llc);
- }
-
- /*
- * ideally we would need to check both SSAP, DSAP, and protoid fields: IP
- * datagrams and ARP requests and replies are transmitted in standard
- * 802.2 LLC Type 1 Unnumbered Information format, control code 3, with
- * the DSAP and the SSAP fields of the 802.2 header set to 170, the
- * assigned global SAP value for SNAP [6]. The 24-bit Organization Code
- * in the SNAP is zero, and the remaining 16 bits are the EtherType from
- * Assigned Numbers [7] (IP = 2048, ARP = 2054). .. but we would check
- * SSAP and DSAP and assume this would be enough to trust.
- */
- if (trhllc->dsap != IPARP_SAP && trhllc->ssap != IPARP_SAP)
- {
- return false;
- }
-
- codec.lyr_len = dataoff;
- codec.next_prot_id = trhllc->ethertype();
- codec.codec_flags |= CODEC_ETHER_NEXT;
- return true;
-}
-
-//-------------------------------------------------------------------------
-// api
-//-------------------------------------------------------------------------
-
-static Module* mod_ctor()
-{ return new TrCodecModule; }
-
-static void mod_dtor(Module* m)
-{ delete m; }
-
-static Codec* ctor(Module*)
-{ return new TrCodec(); }
-
-static void dtor(Codec* cd)
-{ delete cd; }
-
-static const CodecApi tr_api =
-{
- {
- PT_CODEC,
- sizeof(CodecApi),
- CDAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- TR_NAME,
- TR_HELP,
- mod_ctor,
- mod_dtor
- },
- nullptr, // pinit
- nullptr, // pterm
- nullptr, // tinit
- nullptr, // tterm
- ctor,
- dtor,
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &tr_api.base,
- nullptr
-};
-
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( cd_wlan CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- cd_wlan MODULE
- cd_wlan.cc
-)
-
-if ( APPLE )
- set_target_properties (
- cd_wlan
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- cd_wlan
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- cd_wlan PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS cd_wlan
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/codecs"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2002-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-// cd_wlan.cc author Josh Rosenbaum <jrosenba@cisco.com>
-
-#include <sfbpf_dlt.h>
-
-#include "codecs/codec_module.h"
-#include "framework/codec.h"
-#include "log/text_log.h"
-#include "protocols/wlan.h"
-
-using namespace snort;
-
-#define CD_WLAN_NAME "wlan"
-#define CD_WLAN_HELP_STR "support for wireless local area network protocol"
-#define CD_WLAN_HELP ADD_DLT(CD_WLAN_HELP_STR, DLT_IEEE802_11)
-
-namespace
-{
-static const RuleMap wlan_rules[] =
-{
- { DECODE_BAD_80211_ETHLLC, "bad 802.11 LLC header" },
- { DECODE_BAD_80211_OTHER, "bad 802.11 extra LLC info" },
- { 0, nullptr }
-};
-
-class WlanCodecModule : public CodecModule
-{
-public:
- WlanCodecModule() : CodecModule(CD_WLAN_NAME, CD_WLAN_HELP) { }
-
- const RuleMap* get_rules() const override
- { return wlan_rules; }
-};
-
-class WlanCodec : public Codec
-{
-public:
- WlanCodec() : Codec(CD_WLAN_NAME) { }
-
- bool decode(const RawData&, CodecData&, DecodeData&) override;
- void get_data_link_type(std::vector<int>&) override;
- void get_protocol_ids(std::vector<ProtocolId>& v) override;
- void log(TextLog* const, const uint8_t* pkt, const uint16_t len) override;
-};
-
-#define MINIMAL_IEEE80211_HEADER_LEN 10 /* Ack frames and others */
-#define IEEE802_11_DATA_HDR_LEN 24 /* Header for data packets */
-} // namespace
-
-void WlanCodec::get_data_link_type(std::vector<int>& v)
-{ v.push_back(DLT_IEEE802_11); }
-
-void WlanCodec::get_protocol_ids(std::vector<ProtocolId>& v)
-{ v.push_back(ProtocolId::ETHERNET_802_11); }
-
-bool WlanCodec::decode(const RawData& raw, CodecData& codec, DecodeData&)
-{
- if (raw.len < MINIMAL_IEEE80211_HEADER_LEN)
- return false;
-
- /* lay the wireless structure over the packet data */
- const wlan::WifiHdr* wifih = reinterpret_cast<const wlan::WifiHdr*>(raw.data);
-
- /* determine frame type */
- switch (wifih->frame_control & 0x00ff)
- {
- /* management frames */
- case WLAN_TYPE_MGMT_ASREQ:
- case WLAN_TYPE_MGMT_ASRES:
- case WLAN_TYPE_MGMT_REREQ:
- case WLAN_TYPE_MGMT_RERES:
- case WLAN_TYPE_MGMT_PRREQ:
- case WLAN_TYPE_MGMT_PRRES:
- case WLAN_TYPE_MGMT_BEACON:
- case WLAN_TYPE_MGMT_ATIM:
- case WLAN_TYPE_MGMT_DIS:
- case WLAN_TYPE_MGMT_AUTH:
- case WLAN_TYPE_MGMT_DEAUTH:
- break;
-
- /* Control frames */
- case WLAN_TYPE_CONT_PS:
- case WLAN_TYPE_CONT_RTS:
- case WLAN_TYPE_CONT_CTS:
- case WLAN_TYPE_CONT_ACK:
- case WLAN_TYPE_CONT_CFE:
- case WLAN_TYPE_CONT_CFACK:
- break;
- /* Data packets without data */
- case WLAN_TYPE_DATA_NULL:
- case WLAN_TYPE_DATA_CFACK:
- case WLAN_TYPE_DATA_CFPL:
- case WLAN_TYPE_DATA_ACKPL:
-
- break;
- case WLAN_TYPE_DATA_DTCFACK:
- case WLAN_TYPE_DATA_DTCFPL:
- case WLAN_TYPE_DATA_DTACKPL:
- case WLAN_TYPE_DATA_DATA:
- {
- codec.lyr_len = IEEE802_11_DATA_HDR_LEN;
- codec.next_prot_id = ProtocolId::ETHERNET_LLC;
-
- break;
- }
- default:
- break;
- }
-
- return true;
-}
-
-void WlanCodec::log(TextLog* const text_log, const uint8_t* raw_pkt,
- const uint16_t /*lyr_len*/)
-{
- const wlan::WifiHdr* wifih = reinterpret_cast<const wlan::WifiHdr*>(raw_pkt);
-
- /* src addr */
- TextLog_Print(text_log, "addr1(%02X:%02X:%02X:%02X:%02X:%02X) -> ",
- wifih->addr1[0], wifih->addr1[1], wifih->addr1[2],
- wifih->addr1[3], wifih->addr1[4], wifih->addr1[5]);
-
- /* dest addr */
- TextLog_Print(text_log, "%02X:%02X:%02X:%02X:%02X:%02X)",
- wifih->addr2[0], wifih->addr2[1], wifih->addr2[2],
- wifih->addr2[3], wifih->addr2[4], wifih->addr2[5]);
-
- TextLog_NewLine(text_log);
- TextLog_Putc(text_log, '\t');
- TextLog_Print(text_log, "frame_control:%02x duration_id:%02x "
- "seq_control:%02x", ntohs(wifih->frame_control),
- ntohs(wifih->duration_id), ntohs(wifih->seq_control));
-}
-
-//-------------------------------------------------------------------------
-// api
-//-------------------------------------------------------------------------
-
-static Module* mod_ctor()
-{ return new WlanCodecModule; }
-
-static void mod_dtor(Module* m)
-{ delete m; }
-
-static Codec* ctor(Module*)
-{ return new WlanCodec(); }
-
-static void dtor(Codec* cd)
-{ delete cd; }
-
-static const CodecApi wlan_api =
-{
- {
- PT_CODEC,
- sizeof(CodecApi),
- CDAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- CD_WLAN_NAME,
- CD_WLAN_HELP,
- mod_ctor,
- mod_dtor
- },
- nullptr,
- nullptr,
- nullptr,
- nullptr,
- ctor,
- dtor,
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &wlan_api.base,
- nullptr
-};
+++ /dev/null
-add_subdirectory ( daq_socket )
-add_subdirectory ( daq_regtest )
-
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( daq_regtest C )
-
-set (CMAKE_C_STANDARD 99)
-set (CMAKE_C_STANDARD_REQUIRED ON)
-set (CMAKE_C_EXTENSIONS ON)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- daq_regtest MODULE
- daq_regtest.c
-)
-
-if ( APPLE )
- set_target_properties (
- daq_regtest
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- daq_regtest
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- daq_regtest PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS daq_regtest
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/daqs"
-)
+++ /dev/null
-/*--------------------------------------------------------------------------
-// Copyright (C) 2017-2018 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-*/
-/* daq_regtest.c author Bhagya Tholpady <bbantwal@cisco.com> */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include <daq.h>
-#include <daq_api.h>
-#include <stdlib.h>
-#include <string.h>
-
-#define DAQ_MOD_VERSION 0
-#define DAQ_NAME "regtest"
-#define DAQ_TYPE (DAQ_TYPE_FILE_CAPABLE | DAQ_TYPE_INTF_CAPABLE | \
- DAQ_TYPE_INLINE_CAPABLE | DAQ_TYPE_MULTI_INSTANCE)
-#define REGTEST_DEBUG_FILE "daq_regtest_debug"
-#define REGTEST_CONFIG_FILE "daq_regtest.conf"
-
-typedef struct
-{
- char* buf;
- int config_num;
-}DAQRegTestConfig;
-
-typedef struct
-{
- DAQRegTestConfig* daq_regtest_cfg;
- FILE* debug_fh;
- int daq_config_reads;
- const DAQ_Module_t* module;
- void *handle;
- int skip;
- int trace;
- uint32_t caps_cfg;
- DAQ_PktHdr_t retry_hdr;
- uint8_t* retry_data;
- unsigned packets_before_retry;
- unsigned retry_packet_countdown;
- void* user;
- DAQ_Analysis_Func_t wrapped_packet_callback;
-}DAQRegTestContext;
-
-static const DAQ_Verdict verdict_translation_table[MAX_DAQ_VERDICT] = {
- DAQ_VERDICT_PASS, /* DAQ_VERDICT_PASS */
- DAQ_VERDICT_BLOCK, /* DAQ_VERDICT_BLOCK */
- DAQ_VERDICT_PASS, /* DAQ_VERDICT_REPLACE */
- DAQ_VERDICT_PASS, /* DAQ_VERDICT_WHITELIST */
- DAQ_VERDICT_BLOCK, /* DAQ_VERDICT_BLACKLIST */
- DAQ_VERDICT_PASS, /* DAQ_VERDICT_IGNORE */
- DAQ_VERDICT_BLOCK /* DAQ_VERDICT_RETRY */
-};
-
-// packet tracer configuration from command line daq-var skip and trace
-// --daq-var skip=10 --daq-var trace=5 would trace packets 11 through 15 only
-static void daq_regtest_get_vars(DAQRegTestContext* context, const DAQ_Config_t* cfg)
-{
- DAQ_Dict* entry;
-
- context->skip = 0;
- context->trace = 0;
- context->packets_before_retry = 0;
- context->caps_cfg = 0;
- for ( entry = cfg->values; entry; entry = entry->next)
- {
- if ( !strcmp(entry->key, "skip") )
- {
- context->skip = atoi(entry->value);
- }
- else if ( !strcmp(entry->key, "trace") )
- {
- context->trace = atoi(entry->value);
- }
- else if ( !strcmp(entry->key, "packets_before_retry") )
- {
- context->packets_before_retry = atoi(entry->value);
- }
- else if ( !strcmp(entry->key, "caps") )
- {
- // DAQ capabilities in hex, e.g. caps=0x00004000
- context->caps_cfg = strtol(entry->value, NULL, 0);
- }
- }
-}
-
-static int daq_regtest_parse_config(DAQRegTestContext *context, DAQRegTestConfig** new_config, char* errBuf, size_t errMax)
-{
- long size = 0;
- FILE* fh = fopen(REGTEST_CONFIG_FILE, "r");
-
- if (!fh)
- {
- if ( errBuf )
- snprintf(errBuf, errMax, "%s: failed to open the daq_regtest config file", DAQ_NAME);
- return DAQ_ERROR;
- }
- DAQRegTestConfig* config = calloc(1, sizeof(DAQRegTestConfig));
- if ( !config )
- {
- if ( errBuf )
- snprintf(errBuf, errMax, "%s: failed to allocate daq_regtest config", DAQ_NAME);
- fclose(fh);
- return DAQ_ERROR_NOMEM;
- }
-
- fseek(fh, 0, SEEK_END);
- size = ftell(fh);
- config->buf = (char*) calloc(size, sizeof(char));
- if ( !config->buf )
- {
- if ( errBuf )
- snprintf(errBuf, errMax, "%s: failed to allocate daq_regtest buffer", DAQ_NAME);
- free(config);
- fclose(fh);
- return DAQ_ERROR_NOMEM;
- }
- rewind(fh);
- if ( fgets(config->buf, size, fh) == NULL )
- {
- if ( errBuf )
- snprintf(errBuf, errMax, "%s: failed to read daq_regtest config file", DAQ_NAME);
- free(config);
- fclose(fh);
- return DAQ_ERROR;
- }
- context->daq_config_reads++;
- config->config_num = context->daq_config_reads;
- *new_config = config;
- fclose(fh);
-
- return DAQ_SUCCESS;
-}
-
-static int daq_regtest_init_context(DAQRegTestContext* context, char* errBuf, size_t errMax)
-{
- context->debug_fh = NULL;
- return daq_regtest_parse_config(context, &(context->daq_regtest_cfg), errBuf, errMax);
-}
-static void daq_regtest_cleanup(DAQRegTestContext* context)
-{
- context->module = NULL;
- context->handle = NULL;
-
- if ( context->debug_fh )
- fclose(context->debug_fh);
-
- if ( context->daq_regtest_cfg )
- {
- if ( context->daq_regtest_cfg->buf )
- free(context->daq_regtest_cfg->buf);
- free(context->daq_regtest_cfg);
- }
-
- free(context);
-}
-
-//-------------------------------------------------------------------------
-// daq
-//-------------------------------------------------------------------------
-
-static void daq_regtest_shutdown (void* handle)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)handle;
-
- if (context->debug_fh)
- fprintf (context->debug_fh, "daq_regtest shutdown\n");
-
- context->module->shutdown(context->handle);
- daq_regtest_cleanup(context);
-}
-
-static void daq_regtest_debug(DAQRegTestContext* context, char* msg)
-{
- if (context->debug_fh)
- {
- fprintf (context->debug_fh, "%s\n", msg);
- fprintf (context->debug_fh, "daq_regtest config : \n\tbuf = %s \n\tconfig_num = %d \n",
- context->daq_regtest_cfg->buf, context->daq_regtest_cfg->config_num);
- fflush(context->debug_fh);
- }
-}
-
-//-------------------------------------------------------------------------
-
-static int daq_regtest_initialize (
- const DAQ_Config_t* cfg, void** handle, char* errBuf, size_t errMax)
-{
- DAQRegTestContext* context;
- int rval = DAQ_SUCCESS;
-
- context = calloc(1, sizeof(*context));
- if ( !context )
- {
- snprintf(errBuf, errMax, "%s: Couldn't allocate memory for the new daq_regtest context!", DAQ_NAME);
- return DAQ_ERROR_NOMEM;
- }
-
- rval = daq_regtest_init_context(context, errBuf, errMax);
-
- if ( rval != DAQ_SUCCESS )
- {
- free(context);
- return rval;
- }
-
- daq_regtest_get_vars(context, cfg);
-
- context->module = daq_find_module("dump");
-
- if (!context->module)
- {
- snprintf(errBuf, errMax, "%s: Can't find dump daq required by daq_regtest module!", DAQ_NAME);
- daq_regtest_cleanup(context);
- return DAQ_ERROR;
- }
-
- context->debug_fh = fopen(REGTEST_DEBUG_FILE, "w");
-
- rval = context->module->initialize(cfg, &context->handle, errBuf, errMax);
- if ( rval != DAQ_SUCCESS )
- {
- daq_regtest_cleanup(context);
- return rval;
- }
- daq_regtest_debug(context, "daq_regtest initialized");
- *handle = context;
- return rval;
-}
-
-//-------------------------------------------------------------------------
-
-static int daq_regtest_start (void* handle)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)handle;
- return context->module->start(context->handle);
-}
-
-static int daq_regtest_stop (void* handle)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)handle;
- return context->module->stop(context->handle);
-}
-
-//-------------------------------------------------------------------------
-
-static int daq_regtest_inject (
- void* handle, const DAQ_PktHdr_t* hdr, const uint8_t* buf, uint32_t len,
- int reverse)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)handle;
- return context->module->inject(context->handle, hdr, buf, len, reverse);
-}
-
-static DAQ_Verdict daq_handle_retry_request(DAQRegTestContext* context, const DAQ_PktHdr_t* hdr,
- const uint8_t* data)
-{
- // FIXIT-L for current reg test needs or snort only 1 pending retry is required so if we
- // get a 2nd request we just let it pass. future support for >1 pending retries
- // can be implemented with a list holding the hdr & data for each retry packet.
- if ( !context->retry_data )
- {
- context->retry_hdr = *hdr;
- context->retry_data = malloc(hdr->caplen);
- if ( context->retry_data )
- {
- memcpy(context->retry_data, data, hdr->caplen);
- context->retry_packet_countdown = context->packets_before_retry;
- return DAQ_VERDICT_BLOCK;
- }
- }
-
- return DAQ_VERDICT_PASS;
-}
-
-static void daq_handle_pending_retry(DAQRegTestContext* context)
-{
- if ( !context->retry_packet_countdown )
- {
- context->retry_hdr.flags |= DAQ_PKT_FLAG_RETRY_PACKET;
- DAQ_Verdict verdict = context->wrapped_packet_callback(context->user,
- &context->retry_hdr, context->retry_data);
-
- if (verdict >= MAX_DAQ_VERDICT)
- verdict = DAQ_VERDICT_PASS;
- verdict = verdict_translation_table[verdict];
- if ( verdict == DAQ_VERDICT_PASS )
- context->module->inject(context->handle, &context->retry_hdr, context->retry_data,
- context->retry_hdr.pktlen, 0);
- free(context->retry_data);
- context->retry_data = NULL;
- }
- else
- context->retry_packet_countdown--;
-}
-
-//-------------------------------------------------------------------------
-static DAQ_Verdict daq_regtest_packet_callback(void* user, const DAQ_PktHdr_t* hdr,
- const uint8_t* data)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)user;
-
- if ( context->skip == 0 && context->trace > 0 )
- {
- DAQ_PktHdr_t* pkthdr = (DAQ_PktHdr_t*)hdr;
- pkthdr->flags |= DAQ_PKT_FLAG_TRACE_ENABLED;
- }
-
- if ( context->skip > 0 )
- context->skip--;
- else if ( context->trace > 0 )
- context->trace--;
-
- if ( context->retry_data )
- daq_handle_pending_retry(context);
-
- DAQ_Verdict verdict = context->wrapped_packet_callback(context->user,
- hdr, data);
- if ( verdict == DAQ_VERDICT_RETRY )
- verdict = daq_handle_retry_request(context, hdr, data);
-
- return verdict;
-}
-
-static int daq_regtest_acquire (
- void* handle, int cnt, DAQ_Analysis_Func_t callback, DAQ_Meta_Func_t meta, void* user)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)handle;
- context->wrapped_packet_callback = callback;
- context->user = user;
- context->retry_data = NULL;
-
- return context->module->acquire(context->handle, cnt, daq_regtest_packet_callback, meta, handle);
-}
-
-//-------------------------------------------------------------------------
-
-static int daq_regtest_breakloop (void* handle)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)handle;
- return context->module->breakloop(context->handle);
-}
-
-static DAQ_State daq_regtest_check_status (void* handle)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)handle;
- return context->module->check_status(context->handle);
-}
-
-static int daq_regtest_get_stats (void* handle, DAQ_Stats_t* stats)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)handle;
- return context->module->get_stats(context->handle, stats);
-}
-
-static void daq_regtest_reset_stats (void* handle)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)handle;
- context->module->reset_stats(context->handle);
-}
-
-static int daq_regtest_get_snaplen (void* handle)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)handle;
- return context->module->get_snaplen(context->handle);
-}
-
-static uint32_t daq_regtest_get_capabilities (void* handle)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)handle;
- uint32_t caps = context->module->get_capabilities(context->handle);
- caps |= DAQ_CAPA_RETRY;
- caps |= context->caps_cfg;
- return caps;
-}
-
-static int daq_regtest_get_datalink_type(void *handle)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)handle;
- return context->module->get_datalink_type(context->handle);
-}
-
-static const char* daq_regtest_get_errbuf (void* handle)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)handle;
- return context->module->get_errbuf(context->handle);
-}
-
-static void daq_regtest_set_errbuf (void* handle, const char* s)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)handle;
- context->module->set_errbuf(context->handle, s);
-}
-
-static int daq_regtest_get_device_index(void* handle, const char* device)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)handle;
- return context->module->get_device_index(context->handle, device);
-}
-
-static int daq_regtest_modify_flow(void *handle, const DAQ_PktHdr_t *hdr, const DAQ_ModFlow_t *modify)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)handle;
-
- if (modify->type == DAQ_MODFLOW_TYPE_PKT_TRACE)
- {
- if (modify->length != sizeof(DAQ_ModFlowPktTrace_t))
- return DAQ_ERROR_INVAL;
-
- const DAQ_ModFlowPktTrace_t* mod_tr = (const DAQ_ModFlowPktTrace_t *) modify->value;
- printf("DAQ_REGTEST_PKT_TRACE (%d)\n%s\n", mod_tr->pkt_trace_data_len,
- mod_tr->pkt_trace_data);
- }
- if (context->module->modify_flow)
- return context->module->modify_flow(context->handle, hdr, modify);
- else
- return DAQ_SUCCESS;
-}
-
-static int daq_regtest_set_filter (void* handle, const char* filter)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)handle;
- return context->module->set_filter(context->handle, filter);
-}
-
-static int daq_regtest_hup_prep(void *handle, void **new_config)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)handle;
- DAQRegTestConfig* newConf;
- int rval = DAQ_SUCCESS;
-
- if ( ( rval = daq_regtest_parse_config(context, &newConf, NULL, 0) ) == DAQ_SUCCESS )
- {
- daq_regtest_debug(context, "daq_regtest hup_prep succeeded");
- *new_config = newConf;
- }
- else
- daq_regtest_debug(context, "daq_regtest hup_prep failed");
- return rval;
-}
-
-static int daq_regtest_hup_apply(void *handle, void *new_config, void **old_config)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)handle;
- DAQRegTestConfig* config = (DAQRegTestConfig*)new_config;
-
- *old_config = context->daq_regtest_cfg;
- context->daq_regtest_cfg = config;
- daq_regtest_debug(context, "daq_regtest hup_apply succeeded");
-
- return DAQ_SUCCESS;
-}
-
-static int daq_regtest_hup_post(void *handle, void *old_config)
-{
- DAQRegTestContext* context = (DAQRegTestContext*)handle;
- DAQRegTestConfig* config = (DAQRegTestConfig*)old_config;
-
- daq_regtest_debug(context, "daq_regtest hup_post succeeded");
-
- if ( config->buf )
- free(config->buf);
- free(config);
-
- return DAQ_SUCCESS;
-}
-
-
-//-------------------------------------------------------------------------
-
-DAQ_SO_PUBLIC DAQ_Module_t DAQ_MODULE_DATA =
-{
- .api_version = DAQ_API_VERSION,
- .module_version = DAQ_MOD_VERSION,
- .name = DAQ_NAME,
- .type = DAQ_TYPE,
- .initialize = daq_regtest_initialize,
- .set_filter = daq_regtest_set_filter,
- .start = daq_regtest_start,
- .acquire = daq_regtest_acquire,
- .inject = daq_regtest_inject,
- .breakloop = daq_regtest_breakloop,
- .stop = daq_regtest_stop,
- .shutdown = daq_regtest_shutdown,
- .check_status = daq_regtest_check_status,
- .get_stats = daq_regtest_get_stats,
- .reset_stats = daq_regtest_reset_stats,
- .get_snaplen = daq_regtest_get_snaplen,
- .get_capabilities = daq_regtest_get_capabilities,
- .get_datalink_type = daq_regtest_get_datalink_type,
- .get_errbuf = daq_regtest_get_errbuf,
- .set_errbuf = daq_regtest_set_errbuf,
- .get_device_index = daq_regtest_get_device_index,
- .modify_flow = daq_regtest_modify_flow,
- .hup_prep = daq_regtest_hup_prep,
- .hup_apply = daq_regtest_hup_apply,
- .hup_post = daq_regtest_hup_post,
-};
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( daq_socket C )
-
-set (CMAKE_C_STANDARD 99)
-set (CMAKE_C_STANDARD_REQUIRED ON)
-set (CMAKE_C_EXTENSIONS ON)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- daq_socket MODULE
- daq_socket.c
-)
-
-if ( APPLE )
- set_target_properties (
- daq_socket
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- daq_socket
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- daq_socket PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS daq_socket
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/daqs"
-)
+++ /dev/null
-/*--------------------------------------------------------------------------
-// Copyright (C) 2015-2018 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-*/
-/* daq_socket.c author Russ Combs <rucombs@cisco.com> */
-
-#include <errno.h>
-#include <netinet/in.h>
-// putting types.h here because of Bug in FreeBSD
-#include <sys/types.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <stdlib.h>
-#include <string.h>
-#include <stdio.h>
-#include <sys/socket.h>
-#include <sys/time.h>
-#include <sys/unistd.h>
-
-#include <daq_api.h>
-#include <sfbpf_dlt.h>
-
-#include <daqs/daq_user.h>
-
-#define DAQ_MOD_VERSION 0
-#define DAQ_NAME "socket"
-#define DAQ_TYPE (DAQ_TYPE_INTF_CAPABLE | DAQ_TYPE_INLINE_CAPABLE | DAQ_TYPE_MULTI_INSTANCE)
-#define DEFAULT_PORT 8000
-
-typedef struct {
- int sock_a; // recv from b
- int sock_b; // recv from a
- int sock_c; // connect
-
- int use_a;
- int port;
- int passive;
- int stop;
-
- unsigned timeout;
- unsigned snaplen;
-
- struct sockaddr_in sin_a;
- struct sockaddr_in sin_b;
-
- DAQ_UsrHdr_t pci;
-
- uint8_t* buf;
- char error[DAQ_ERRBUF_SIZE];
-
- DAQ_State state;
- DAQ_Stats_t stats;
-} SockImpl;
-
-//-------------------------------------------------------------------------
-// socket functions
-//-------------------------------------------------------------------------
-
-static int sock_setup(SockImpl* impl)
-{
- struct sockaddr_in sin;
-
- if ( (impl->sock_c = socket(PF_INET, SOCK_STREAM, 0)) == -1 )
- {
- DPE(impl->error, "%s: can't create listener socket (%s)\n", __func__, strerror(errno));
- return -1;
- }
-
- sin.sin_family = PF_INET;
- sin.sin_addr.s_addr = INADDR_ANY;
- sin.sin_port = htons(impl->port);
-
- if ( bind(impl->sock_c, (struct sockaddr*)&sin, sizeof(sin)) == -1 )
- {
- DPE(impl->error, "%s: can't bind listener socket (%s)\n", __func__, strerror(errno));
- return -1;
- }
-
- if ( listen(impl->sock_c, 2) == -1 )
- {
- DPE(impl->error, "%s: can't listen on socket (%s)\n", __func__, strerror(errno));
- return -1;
- }
- return 0;
-}
-
-static void sock_cleanup(SockImpl* impl)
-{
- if ( impl->sock_c >= 0 )
- close(impl->sock_c);
-
- if ( impl->sock_a >= 0 )
- close(impl->sock_a);
-
- if ( impl->sock_b >= 0 )
- close(impl->sock_b);
-
- impl->sock_c = impl->sock_a = impl->sock_b = -1;
-}
-
-static int sock_recv(SockImpl* impl, int* sock)
-{
- int n = recv(*sock, impl->buf, impl->snaplen, 0);
-
- if ( n <= 0 )
- {
- if (errno != EINTR)
- {
- DPE(impl->error, "%s: can't recv from socket (%s)\n", __func__, strerror(errno));
- impl->pci.flags = DAQ_USR_FLAG_END_FLOW;
- *sock = -1;
- }
- return 0;
- }
- return n;
-}
-
-static int sock_send(
- SockImpl* impl, int sock, const uint8_t* buf, uint32_t len)
-{
- if ( sock < 0 )
- return 0;
-
- int n = send(sock, buf, len, 0);
-
- while ( 0 <= n && (uint32_t)n < len )
- {
- buf += n;
- len -= n;
- n = send(sock, buf, len, 0);
- }
- if ( n == -1 )
- {
- DPE(impl->error, "%s: can't send on socket (%s)\n", __func__, strerror(errno));
- return -1;
- }
- return 0;
-}
-
-static int sock_accept(SockImpl* impl, int* sock, struct sockaddr_in* psin)
-{
- const char* banner;
- socklen_t len = sizeof(*psin);
- *sock = accept(impl->sock_c, (struct sockaddr*)psin, &len);
-
- if ( *sock == -1 )
- {
- DPE(impl->error, "%s: can't accept incoming connection (%s)\n", __func__, strerror(errno));
- return -1;
- }
- banner = impl->use_a ? "client\n" : "server\n";
- sock_send(impl, *sock, (const uint8_t*)banner, 7);
-
- impl->pci.flags = DAQ_USR_FLAG_START_FLOW;
- return 0;
-}
-
-static int sock_poll(SockImpl* impl, int* sock, struct sockaddr_in* psin)
-{
- int max_fd;
- fd_set inputs;
-
- if ( impl->sock_c < 0 )
- return 0;
-
- FD_ZERO(&inputs);
- FD_SET(impl->sock_c, &inputs);
- max_fd = impl->sock_c;
-
- if ( *sock > 0 )
- {
- FD_SET(*sock, &inputs);
-
- if ( *sock > max_fd )
- max_fd = *sock;
- }
-
- struct timeval timeout;
- timeout.tv_sec = 1;
- timeout.tv_usec = 0;
-
- if ( !select(max_fd+1, &inputs, NULL, NULL, &timeout) )
- return 0;
-
- else if ( *sock >= 0 && FD_ISSET(*sock, &inputs) )
- return sock_recv(impl, sock);
-
- else if ( *sock < 0 && FD_ISSET(impl->sock_c, &inputs) )
- return sock_accept(impl, sock, psin);
-
- return 0;
-}
-
-//-------------------------------------------------------------------------
-// daq utilities
-//-------------------------------------------------------------------------
-
-static void clear(SockImpl* impl)
-{
- if ( impl->sock_a < 0 )
- {
- impl->sin_a.sin_addr.s_addr = 0;
- impl->sin_a.sin_port = 0;
- }
- if ( impl->sock_b < 0 )
- {
- impl->sin_b.sin_addr.s_addr = 0;
- impl->sin_b.sin_port = 0;
- }
-}
-
-static void set_pkt_hdr(SockImpl* impl, DAQ_PktHdr_t* phdr, ssize_t len)
-{
- struct timeval t;
- gettimeofday(&t, NULL);
-
- phdr->ts.tv_sec = t.tv_sec;
- phdr->ts.tv_usec = t.tv_usec;
- phdr->caplen = len;
- phdr->pktlen = len;
- phdr->ingress_index = -1;
- phdr->egress_index = -1;
- phdr->ingress_group = -1;
- phdr->egress_group = -1;
- phdr->flags = 0;
- phdr->address_space_id = 0;
- phdr->opaque = 0;
-
- // use_a already toggled
- if ( impl->use_a )
- {
- impl->pci.src_addr = impl->sin_b.sin_addr.s_addr;
- impl->pci.dst_addr = impl->sin_a.sin_addr.s_addr;
- impl->pci.src_port = impl->sin_b.sin_port;
- impl->pci.dst_port = impl->sin_a.sin_port;
- impl->pci.flags &= ~DAQ_USR_FLAG_TO_SERVER;
- }
- else
- {
- impl->pci.src_addr = impl->sin_a.sin_addr.s_addr;
- impl->pci.dst_addr = impl->sin_b.sin_addr.s_addr;
- impl->pci.src_port = impl->sin_a.sin_port;
- impl->pci.dst_port = impl->sin_b.sin_port;
- impl->pci.flags |= DAQ_USR_FLAG_TO_SERVER;
- }
-
- if ( impl->pci.flags & DAQ_USR_FLAG_END_FLOW )
- clear(impl);
-
- phdr->priv_ptr = &impl->pci;
-}
-
-// forward all but drops, retries and blacklists:
-static const int s_fwd[MAX_DAQ_VERDICT] = { 1, 0, 1, 1, 0, 1, 0 };
-
-static int socket_daq_process(
- SockImpl* impl, DAQ_Analysis_Func_t cb, void* user)
-{
- DAQ_PktHdr_t hdr;
- int* sock = impl->use_a ? &impl->sock_a : &impl->sock_b;
- struct sockaddr_in* psin = impl->use_a ? &impl->sin_a : &impl->sin_b;
- impl->pci.flags = 0;
-
- int n = sock_poll(impl, sock, psin);
-
- // don't toggle w/o at least one connection so client is always 1st
- if ( impl->sock_a > -1 || impl->sock_b > -1 )
- impl->use_a = !impl->use_a;
-
- if ( n <= 0 && !impl->pci.flags )
- return n;
-
- set_pkt_hdr(impl, &hdr, n);
- DAQ_Verdict verdict = cb(user, &hdr, impl->buf);
-
- if ( verdict >= MAX_DAQ_VERDICT )
- verdict = DAQ_VERDICT_BLOCK;
-
- impl->stats.verdicts[verdict]++;
-
- if ( impl->passive || s_fwd[verdict] )
- {
- // already toggled use_a, so we get a->b or b->a
- sock = impl->use_a ? &impl->sock_a : &impl->sock_b;
- sock_send(impl, *sock, impl->buf, n);
- }
- return n;
-}
-
-static int socket_daq_config (
- SockImpl* impl, const DAQ_Config_t* cfg, char* errBuf, size_t errMax)
-{
- DAQ_Dict* entry;
-
- if ( cfg->name )
- {
- char* end = NULL;
- impl->port = (int)strtol(cfg->name, &end, 0);
- }
- for ( entry = cfg->values; entry; entry = entry->next)
- {
- if ( !entry->value || !*entry->value )
- {
- snprintf(errBuf, errMax, "%s: variable needs value (%s)\n", __func__, entry->key);
- return DAQ_ERROR;
- }
- else if ( !strcmp(entry->key, "port") )
- {
- char* end = entry->value;
- impl->port = (int)strtol(entry->value, &end, 0);
-
- if ( *end || impl->port <= 0 || impl->port > 65535 )
- {
- snprintf(errBuf, errMax, "%s: bad port (%s)\n", __func__, entry->value);
- return DAQ_ERROR;
- }
- }
- else if ( !strcmp(entry->key, "proto") )
- {
- if ( !strcmp(entry->value, "tcp") )
- impl->pci.ip_proto = IPPROTO_TCP;
-
- else if ( !strcmp(entry->value, "udp") )
- impl->pci.ip_proto = IPPROTO_UDP;
- else
- {
- snprintf(errBuf, errMax, "%s: bad proto (%s)\n", __func__, entry->value);
- return DAQ_ERROR;
- }
- }
- else
- {
- snprintf(errBuf, errMax,
- "%s: unsupported variable (%s=%s)\n", __func__, entry->key, entry->value);
- return DAQ_ERROR;
- }
- }
- if ( !impl->pci.ip_proto )
- impl->pci.ip_proto = IPPROTO_TCP;
-
- if ( !impl->port )
- impl->port = DEFAULT_PORT;
-
- impl->snaplen = cfg->snaplen ? cfg->snaplen : IP_MAXPACKET;
- impl->timeout = cfg->timeout;
- impl->passive = ( cfg->mode == DAQ_MODE_PASSIVE );
-
- return DAQ_SUCCESS;
-}
-
-//-------------------------------------------------------------------------
-// daq
-//-------------------------------------------------------------------------
-
-static void socket_daq_shutdown (void* handle)
-{
- SockImpl* impl = (SockImpl*)handle;
-
- if ( impl->buf )
- free(impl->buf);
-
- free(impl);
-}
-
-//-------------------------------------------------------------------------
-
-static int socket_daq_initialize (
- const DAQ_Config_t* cfg, void** handle, char* errBuf, size_t errMax)
-{
- SockImpl* impl = calloc(1, sizeof(*impl));
-
- if ( !impl )
- {
- snprintf(errBuf, errMax, "%s: failed to allocate the ipfw context!", __func__);
- return DAQ_ERROR_NOMEM;
- }
-
- if ( socket_daq_config(impl, cfg, errBuf, errMax) != DAQ_SUCCESS )
- {
- socket_daq_shutdown(impl);
- return DAQ_ERROR;
- }
- impl->buf = malloc(impl->snaplen);
-
- if ( !impl->buf )
- {
- snprintf(errBuf, errMax, "%s: failed to allocate the ipfw buffer!", __func__);
- socket_daq_shutdown(impl);
- return DAQ_ERROR_NOMEM;
- }
-
- impl->sock_c = impl->sock_a = impl->sock_b = -1;
- impl->use_a = 1;
- impl->state = DAQ_STATE_INITIALIZED;
-
- *handle = impl;
- return DAQ_SUCCESS;
-}
-
-//-------------------------------------------------------------------------
-
-static int socket_daq_start (void* handle)
-{
- SockImpl* impl = (SockImpl*)handle;
-
- if ( sock_setup(impl) )
- return DAQ_ERROR;
-
- impl->state = DAQ_STATE_STARTED;
- return DAQ_SUCCESS;
-}
-
-static int socket_daq_stop (void* handle)
-{
- SockImpl* impl = (SockImpl*)handle;
- sock_cleanup(impl);
- impl->state = DAQ_STATE_STOPPED;
- return DAQ_SUCCESS;
-}
-
-//-------------------------------------------------------------------------
-
-static int socket_daq_inject (
- void* handle, const DAQ_PktHdr_t* hdr, const uint8_t* buf, uint32_t len,
- int reverse)
-{
- (void)hdr;
-
- SockImpl* impl = (SockImpl*)handle;
- int sock;
-
- if ( reverse )
- sock = impl->use_a ? impl->sock_b : impl->sock_a;
- else
- sock = impl->use_a ? impl->sock_a : impl->sock_b;
-
- int status = sock_send(impl, sock, buf, len);
-
- if ( status )
- return DAQ_ERROR;
-
- impl->stats.packets_injected++;
- return DAQ_SUCCESS;
-}
-
-//-------------------------------------------------------------------------
-
-static int socket_daq_acquire (
- void* handle, int cnt, DAQ_Analysis_Func_t callback, DAQ_Meta_Func_t meta, void* user)
-{
- (void)meta;
-
- SockImpl* impl = (SockImpl*)handle;
- int hit = 0, miss = 0;
- impl->stop = 0;
-
- while ( hit < cnt || cnt <= 0 )
- {
- int status = socket_daq_process(impl, callback, user);
-
- if ( status > 0 )
- {
- hit++;
- miss = 0;
- }
- else if ( status < 0 )
- return DAQ_ERROR;
-
- else if ( ++miss == 2 || impl->stop )
- break;
- }
- return DAQ_SUCCESS;
-}
-
-//-------------------------------------------------------------------------
-
-static int socket_daq_breakloop (void* handle)
-{
- SockImpl* impl = (SockImpl*)handle;
- impl->stop = 1;
- return DAQ_SUCCESS;
-}
-
-static DAQ_State socket_daq_check_status (void* handle)
-{
- SockImpl* impl = (SockImpl*)handle;
- return impl->state;
-}
-
-static int socket_daq_get_stats (void* handle, DAQ_Stats_t* stats)
-{
- SockImpl* impl = (SockImpl*)handle;
- *stats = impl->stats;
- return DAQ_SUCCESS;
-}
-
-static void socket_daq_reset_stats (void* handle)
-{
- SockImpl* impl = (SockImpl*)handle;
- memset(&impl->stats, 0, sizeof(impl->stats));
-}
-
-static int socket_daq_get_snaplen (void* handle)
-{
- SockImpl* impl = (SockImpl*)handle;
- return impl->snaplen;
-}
-
-static uint32_t socket_daq_get_capabilities (void* handle)
-{
- (void)handle;
- return DAQ_CAPA_BLOCK | DAQ_CAPA_REPLACE | DAQ_CAPA_INJECT | DAQ_CAPA_INJECT_RAW
- | DAQ_CAPA_BREAKLOOP | DAQ_CAPA_UNPRIV_START;
-}
-
-static int socket_daq_get_datalink_type(void *handle)
-{
- (void)handle;
- return DLT_USER;
-}
-
-static const char* socket_daq_get_errbuf (void* handle)
-{
- SockImpl* impl = (SockImpl*)handle;
- return impl->error;
-}
-
-static void socket_daq_set_errbuf (void* handle, const char* s)
-{
- SockImpl* impl = (SockImpl*)handle;
- DPE(impl->error, "%s", s ? s : "");
-}
-
-static int socket_daq_get_device_index(void* handle, const char* device)
-{
- (void)handle;
- (void)device;
- return DAQ_ERROR_NOTSUP;
-}
-
-static int socket_daq_set_filter (void* handle, const char* filter)
-{
- (void)handle;
- (void)filter;
- return DAQ_ERROR_NOTSUP;
-}
-
-static int socket_query_flow(void* handle, const DAQ_PktHdr_t* hdr, DAQ_QueryFlow_t* query)
-{
- SockImpl* impl = (SockImpl*)handle;
-
- if ( hdr->priv_ptr != &impl->pci ) // sanity check
- return DAQ_ERROR_INVAL;
-
- if ( query->type == DAQ_USR_QUERY_PCI )
- {
- query->value = &impl->pci;
- query->length = sizeof(impl->pci);
- return DAQ_SUCCESS;
- }
- return DAQ_ERROR_NOTSUP;
-}
-
-//-------------------------------------------------------------------------
-
-DAQ_SO_PUBLIC DAQ_Module_t DAQ_MODULE_DATA =
-{
- .api_version = DAQ_API_VERSION,
- .module_version = DAQ_MOD_VERSION,
- .name = DAQ_NAME,
- .type = DAQ_TYPE,
- .initialize = socket_daq_initialize,
- .set_filter = socket_daq_set_filter,
- .start = socket_daq_start,
- .acquire = socket_daq_acquire,
- .inject = socket_daq_inject,
- .breakloop = socket_daq_breakloop,
- .stop = socket_daq_stop,
- .shutdown = socket_daq_shutdown,
- .check_status = socket_daq_check_status,
- .get_stats = socket_daq_get_stats,
- .reset_stats = socket_daq_reset_stats,
- .get_snaplen = socket_daq_get_snaplen,
- .get_capabilities = socket_daq_get_capabilities,
- .get_datalink_type = socket_daq_get_datalink_type,
- .get_errbuf = socket_daq_get_errbuf,
- .set_errbuf = socket_daq_set_errbuf,
- .get_device_index = socket_daq_get_device_index,
- .modify_flow = NULL,
- .hup_prep = NULL,
- .hup_apply = NULL,
- .hup_post = NULL,
- .dp_add_dc = NULL,
- .query_flow = socket_query_flow
-};
+++ /dev/null
-add_subdirectory ( dpx )
-add_subdirectory ( data_log )
-add_subdirectory ( reg_test )
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( data_log CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- data_log MODULE
- data_log.cc
-)
-
-if ( APPLE )
- set_target_properties (
- data_log
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- data_log
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- data_log PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS data_log
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/inspectors"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2015-2018 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-// data_log.cc author Russ Combs <rcombs@sourcefire.com>
-
-#include <ctime>
-
-#include "flow/flow.h"
-#include "framework/data_bus.h"
-#include "framework/inspector.h"
-#include "framework/module.h"
-#include "log/messages.h"
-#include "log/text_log.h"
-#include "pub_sub/http_events.h"
-#include "time/packet_time.h"
-
-using namespace snort;
-
-static const char* s_name = "data_log";
-static const char* s_help = "log selected published data to data.log";
-
-static THREAD_LOCAL TextLog* tlog = nullptr;
-static THREAD_LOCAL SimpleStats dl_stats;
-
-//-------------------------------------------------------------------------
-// data stuff
-//-------------------------------------------------------------------------
-
-class LogHandler : public DataHandler
-{
-public:
- LogHandler(const std::string& s)
- { key = s; }
-
- void handle(DataEvent& e, Flow*) override;
-
-private:
- void log(const uint8_t*, int32_t);
- std::string key;
-};
-
-void LogHandler::log(const uint8_t* s, int32_t n)
-{
- if ( !s or !*s or n <= 0 )
- return;
-
- TextLog_Print(tlog, ", ");
- TextLog_Write(tlog, (const char*)s, (unsigned)n);
-}
-
-void LogHandler::handle(DataEvent& e, Flow* f)
-{
- time_t pt = packet_time();
- struct tm st;
- char buf[26];
- SfIpString ip_str;
-
- gmtime_r(&pt, &st);
- asctime_r(&st, buf);
- buf[sizeof(buf)-2] = '\0';
-
- TextLog_Print(tlog, "%s, ", buf);
- TextLog_Print(tlog, "%s, %d, ", f->client_ip.ntop(ip_str), f->client_port);
- TextLog_Print(tlog, "%s, %d", f->server_ip.ntop(ip_str), f->server_port);
-
- HttpEvent* he = (HttpEvent*)&e;
- int32_t n;
- const uint8_t* s;
-
- s = he->get_server(n);
- log(s, n);
-
- s = he->get_host(n);
- log(s, n);
-
- s = he->get_uri(n);
- log(s, n);
-
- n = he->get_response_code();
- if ( n > 0 )
- TextLog_Print(tlog, ", %d", n);
-
- s = he->get_user_agent(n);
- log(s, n);
-
- TextLog_NewLine(tlog);
- dl_stats.total_packets++;
-}
-
-//-------------------------------------------------------------------------
-// inspector stuff
-//-------------------------------------------------------------------------
-
-class DataLog : public Inspector
-{
-public:
- DataLog(const std::string& s, unsigned long n)
- {
- key = s;
- limit = n;
- }
-
- void show(SnortConfig*) override;
- void eval(Packet*) override { }
-
- bool configure(SnortConfig*) override
- {
- DataBus::subscribe(key.c_str(), new LogHandler(key));
- return true;
- }
-
- void tinit() override
- { tlog = TextLog_Init(s_name, 64*K_BYTES, limit); }
-
- void tterm() override
- { TextLog_Term(tlog); }
-
-private:
- std::string key;
- unsigned long limit;
-};
-
-void DataLog::show(SnortConfig*)
-{
- LogMessage("%s config:\n", s_name);
- LogMessage(" key = %s\n", key.c_str());
-}
-
-//-------------------------------------------------------------------------
-// module stuff
-//-------------------------------------------------------------------------
-
-static const Parameter dl_params[] =
-{
- { "key", Parameter::PT_SELECT, "http_request_header_event | http_response_header_event",
- "http_request_header_event ", "name of the event to log" },
-
- { "limit", Parameter::PT_INT, "0:", "0",
- "set maximum size in MB before rollover (0 is unlimited)" },
-
- { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
-};
-
-class DataLogModule : public Module
-{
-public:
- DataLogModule() : Module(s_name, s_help, dl_params)
- { }
-
- const PegInfo* get_pegs() const override
- { return simple_pegs; }
-
- PegCount* get_counts() const override
- { return (PegCount*)&dl_stats; }
-
- bool begin(const char*, int, SnortConfig*) override;
- bool set(const char*, Value& v, SnortConfig*) override;
-
- Usage get_usage() const override
- { return INSPECT; }
-
-public:
- std::string key;
- unsigned long limit;
-};
-
-bool DataLogModule::begin(const char*, int, SnortConfig*)
-{
- key.clear();
- limit = 0;
- return true;
-}
-
-bool DataLogModule::set(const char*, Value& v, SnortConfig*)
-{
- if ( v.is("key") )
- key = v.get_string();
-
- else if ( v.is("limit") )
- limit = v.get_long() * M_BYTES;
-
- else
- return false;
-
- return true;
-}
-
-//-------------------------------------------------------------------------
-// api stuff
-//-------------------------------------------------------------------------
-
-static Module* mod_ctor()
-{ return new DataLogModule; }
-
-static void mod_dtor(Module* m)
-{ delete m; }
-
-static Inspector* dl_ctor(Module* m)
-{
- DataLogModule* mod = (DataLogModule*)m;
- return new DataLog(mod->key, mod->limit);
-}
-
-static void dl_dtor(Inspector* p)
-{
- delete p;
-}
-
-static const InspectApi dl_api
-{
- {
- PT_INSPECTOR,
- sizeof(InspectApi),
- INSAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- s_name,
- s_help,
- mod_ctor,
- mod_dtor
- },
- IT_PASSIVE,
- PROTO_BIT__NONE,
- nullptr, // buffers
- nullptr, // service
- nullptr, // pinit
- nullptr, // pterm
- nullptr, // tinit,
- nullptr, // tterm,
- dl_ctor,
- dl_dtor,
- nullptr, // ssn
- nullptr // reset
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &dl_api.base,
- nullptr
-};
-
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( dpx CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- dpx MODULE
- dpx.cc
-)
-
-if ( APPLE )
- set_target_properties (
- dpx
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- dpx
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- dpx PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS dpx
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/inspectors"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-// dpx.cc author Russ Combs <rcombs@sourcefire.com>
-
-#include "detection/detection_engine.h"
-#include "events/event_queue.h"
-#include "framework/inspector.h"
-#include "framework/module.h"
-#include "log/messages.h"
-#include "profiler/profiler.h"
-#include "protocols/packet.h"
-
-using namespace snort;
-
-#define DPX_GID 256
-#define DPX_SID 1
-
-static const char* s_name = "dpx";
-static const char* s_help = "dynamic inspector example";
-
-static THREAD_LOCAL ProfileStats dpxPerfStats;
-
-static THREAD_LOCAL SimpleStats dpxstats;
-
-//-------------------------------------------------------------------------
-// class stuff
-//-------------------------------------------------------------------------
-
-class Dpx : public Inspector
-{
-public:
- Dpx(uint16_t port, uint16_t max);
-
- void show(SnortConfig*) override;
- void eval(Packet*) override;
-
-private:
- uint16_t port;
- uint16_t max;
-};
-
-Dpx::Dpx(uint16_t p, uint16_t m)
-{
- port = p;
- max = m;
-}
-
-void Dpx::show(SnortConfig*)
-{
- LogMessage("%s config:\n", s_name);
- LogMessage(" port = %d\n", port);
- LogMessage(" max = %d\n", max);
-}
-
-void Dpx::eval(Packet* p)
-{
- // precondition - what we registered for
- assert(p->is_udp());
-
- if ( p->ptrs.dp == port && p->dsize > max )
- DetectionEngine::queue_event(DPX_GID, DPX_SID);
-
- ++dpxstats.total_packets;
-}
-
-//-------------------------------------------------------------------------
-// module stuff
-//-------------------------------------------------------------------------
-
-static const Parameter dpx_params[] =
-{
- { "port", Parameter::PT_PORT, nullptr, nullptr,
- "port to check" },
-
- { "max", Parameter::PT_INT, "0:65535", "0",
- "maximum payload before alert" },
-
- { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
-};
-
-static const RuleMap dpx_rules[] =
-{
- { DPX_SID, "too much data sent to port" },
- { 0, nullptr }
-};
-
-class DpxModule : public Module
-{
-public:
- DpxModule() : Module(s_name, s_help, dpx_params)
- { }
-
- unsigned get_gid() const override
- { return DPX_GID; }
-
- const RuleMap* get_rules() const override
- { return dpx_rules; }
-
- const PegInfo* get_pegs() const override
- { return simple_pegs; }
-
- PegCount* get_counts() const override
- { return (PegCount*)&dpxstats; }
-
- ProfileStats* get_profile() const override
- { return &dpxPerfStats; }
-
- bool set(const char*, Value& v, SnortConfig*) override;
-
- Usage get_usage() const override
- { return INSPECT; }
-
-public:
- uint16_t port;
- uint16_t max;
-};
-
-bool DpxModule::set(const char*, Value& v, SnortConfig*)
-{
- if ( v.is("port") )
- port = v.get_long();
-
- else if ( v.is("max") )
- max = v.get_long();
-
- else
- return false;
-
- return true;
-}
-
-//-------------------------------------------------------------------------
-// api stuff
-//-------------------------------------------------------------------------
-
-static Module* mod_ctor()
-{ return new DpxModule; }
-
-static void mod_dtor(Module* m)
-{ delete m; }
-
-static Inspector* dpx_ctor(Module* m)
-{
- DpxModule* mod = (DpxModule*)m;
- return new Dpx(mod->port, mod->max);
-}
-
-static void dpx_dtor(Inspector* p)
-{
- delete p;
-}
-
-static const InspectApi dpx_api
-{
- {
- PT_INSPECTOR,
- sizeof(InspectApi),
- INSAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- s_name,
- s_help,
- mod_ctor,
- mod_dtor
- },
- IT_NETWORK,
- PROTO_BIT__UDP,
- nullptr, // buffers
- nullptr, // service
- nullptr, // pinit
- nullptr, // pterm
- nullptr, // tinit
- nullptr, // tterm
- dpx_ctor,
- dpx_dtor,
- nullptr, // ssn
- nullptr // reset
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &dpx_api.base,
- nullptr
-};
-
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( reg_test CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- reg_test MODULE
- reg_test.cc
-)
-
-if ( APPLE )
- set_target_properties (
- reg_test
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- reg_test
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- reg_test PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS reg_test
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/inspectors"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2017-2018 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-// rti_service.cc author davis mcpherson <davmcphe@cisco.com>
-
-#include <ctime>
-
-#include "flow/expect_cache.h"
-#include "flow/flow.h"
-#include "framework/data_bus.h"
-#include "framework/inspector.h"
-#include "framework/module.h"
-#include "log/messages.h"
-#include "packet_io/active.h"
-#include "pub_sub/expect_events.h"
-#include "time/packet_time.h"
-#include "utils/util_cstring.h"
-
-using namespace snort;
-
-static const char* s_name = "reg_test";
-static const char* s_help = "The regression test inspector (rti) is used when special packet handling is required for a reg test";
-
-struct RtiStats
-{
- PegCount total_packets;
- PegCount retry_requests;
- PegCount retry_packets;
-};
-
-const PegInfo rti_pegs[] =
-{
- { CountType::SUM, "packets", "total packets" },
- { CountType::SUM, "retry_requests", "total retry packets requested" },
- { CountType::SUM, "retry_packets", "total retried packets received" },
- { CountType::END, nullptr, nullptr }
-};
-
-static THREAD_LOCAL RtiStats rti_stats;
-
-//-------------------------------------------------------------------------
-// module stuff
-//-------------------------------------------------------------------------
-
-static const Parameter rti_params[] =
-{
- { "test_daq_retry", Parameter::PT_BOOL, nullptr, "true",
- "test daq packet retry feature" },
-
- { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
-};
-
-class RtiServiceModule : public Module
-{
-public:
- RtiServiceModule() : Module(s_name, s_help, rti_params)
- { }
-
- const PegInfo* get_pegs() const override
- { return rti_pegs; }
-
- PegCount* get_counts() const override
- { return (PegCount*)&rti_stats; }
-
- bool set(const char*, Value& v, SnortConfig*) override;
-
- bool is_test_daq_retry() { return test_daq_retry; }
-
-public:
- bool test_daq_retry = true;
-};
-
-bool RtiServiceModule::set(const char*, Value& v, SnortConfig*)
-{
- if ( v.is("test_daq_retry") )
- test_daq_retry = v.get_bool();
- else
- return false;
-
- return true;
-}
-
-//-------------------------------------------------------------------------
-// flow data stuff
-//-------------------------------------------------------------------------
-class RegTestFlowData : public FlowData
-{
-public:
- RegTestFlowData();
- ~RegTestFlowData() override;
- static void init()
- { inspector_id = FlowData::create_flow_data_id(); }
-
- void handle_expected(Packet*) override;
-
-public:
- static unsigned inspector_id;
- unsigned test_id;
- static unsigned test_id_counter;
-};
-
-unsigned RegTestFlowData::inspector_id = 0;
-unsigned RegTestFlowData::test_id_counter = 100;
-
-RegTestFlowData::RegTestFlowData() : FlowData(inspector_id)
-{
- test_id = test_id_counter++;
-}
-
-RegTestFlowData::~RegTestFlowData()
-{
- LogMessage("Reg test: delete flow data, test_id=%d\n", test_id);
-}
-
-void RegTestFlowData::handle_expected(Packet*)
-{
- LogMessage("Reg test: handle expected, test_id=%d\n", test_id);
-}
-
-//-------------------------------------------------------------------------
-// event handler stuff
-//-------------------------------------------------------------------------
-#define LOG_BUFF_SIZE 1024
-class ExpectEventHandler : public DataHandler
-{
-public:
- ExpectEventHandler()
- { }
-
- void handle(DataEvent&, Flow*) override;
-};
-
-
-void ExpectEventHandler::handle(DataEvent& event, Flow*)
-{
- ExpectEvent* expect_event = (ExpectEvent*)&event;
- char cstr[INET6_ADDRSTRLEN], sstr[INET6_ADDRSTRLEN];
- expect_event->get_packet()->flow->client_ip.ntop(cstr, sizeof(cstr));
- expect_event->get_packet()->flow->server_ip.ntop(sstr, sizeof(sstr));
- LogMessage("Reg test: received expect event. packet %s:%d -> %s:%d\n",
- cstr, expect_event->get_packet()->flow->client_port,
- sstr, expect_event->get_packet()->flow->server_port);
- ExpectFlow* flow = expect_event->get_expect_flow();
- RegTestFlowData* fd = (RegTestFlowData*)flow->get_flow_data(RegTestFlowData::inspector_id);
- if (!fd)
- {
- fd = new RegTestFlowData();
- LogMessage("Reg test: created a new flow data, test_id=%u, adding ... ", fd->test_id);
- unsigned added_test_id = fd->test_id;
- flow->add_flow_data(fd);
- fd = (RegTestFlowData*)flow->get_flow_data(RegTestFlowData::inspector_id);
- if (fd && fd->test_id == added_test_id)
- LogMessage("succeed!\n");
- else
- LogMessage("failed!\n");
- }
-
- char buff[LOG_BUFF_SIZE];
- safe_snprintf(buff, LOG_BUFF_SIZE, "Expected flows triggered by packet:");
- std::vector<ExpectFlow*>* expected_flows = ExpectFlow::get_expect_flows();
- if(expected_flows)
- {
- for (auto ef : *expected_flows)
- {
- RegTestFlowData* fd = (RegTestFlowData*)ef->get_flow_data(RegTestFlowData::inspector_id);
- if (fd)
- sfsnprintfappend(buff, LOG_BUFF_SIZE, " %u", fd->test_id);
- }
- }
- LogMessage("%s\n", buff);
-}
-
-//-------------------------------------------------------------------------
-// inspector stuff
-//-------------------------------------------------------------------------
-
-class RtiService : public Inspector
-{
-public:
- RtiService(RtiServiceModule* mod);
-
- void show(SnortConfig*) override;
- void eval(Packet* p) override;
- bool configure(SnortConfig*) override
- {
- DataBus::subscribe(EXPECT_EVENT_TYPE_EARLY_SESSION_CREATE_KEY, new ExpectEventHandler());
- return true;
- }
-
-private:
- bool test_daq_retry;
- void do_daq_packet_retry_test(Packet* p);
-};
-
-RtiService::RtiService(RtiServiceModule* mod)
-{
- test_daq_retry = mod->is_test_daq_retry();
- rti_stats.total_packets = 0;
-}
-
-void RtiService::eval(Packet* p)
-{
- if ( test_daq_retry )
- do_daq_packet_retry_test(p);
-
- rti_stats.total_packets++;
-}
-
-void RtiService::show(SnortConfig*)
-{
- LogMessage("%s config:\n", s_name);
-}
-
-void RtiService::do_daq_packet_retry_test(Packet* p)
-{
- if (p->dsize)
- {
- if (p->data[0] == 'A')
- {
- static bool retry_packet = true;
- static bool expect_retry_packet = false;
-
- if (retry_packet)
- {
- Active::daq_retry_packet(p);
- retry_packet = false;
- expect_retry_packet = true;
- rti_stats.retry_requests++;
- }
- else if (expect_retry_packet)
- {
- if ( p->pkth->flags & DAQ_PKT_FLAG_RETRY_PACKET )
- {
- expect_retry_packet = false;
- rti_stats.retry_packets++;
- }
- }
- }
- }
-}
-
-//-------------------------------------------------------------------------
-// api stuff
-//-------------------------------------------------------------------------
-static void reg_test_init()
-{
- RegTestFlowData::init();
-}
-
-static Module* mod_ctor()
-{ return new RtiServiceModule; }
-
-static void mod_dtor(Module* m)
-{ delete m; }
-
-static Inspector* rti_ctor(Module* m)
-{ return new RtiService((RtiServiceModule*)m); }
-
-static void rti_dtor(Inspector* p)
-{ delete p; }
-
-static const InspectApi rti_api
-{
- {
- PT_INSPECTOR,
- sizeof(InspectApi),
- INSAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- s_name,
- s_help,
- mod_ctor,
- mod_dtor
- },
- IT_PACKET,
- PROTO_BIT__ANY_PDU,
- nullptr, // buffers
- s_name, // service
- reg_test_init, // pinit
- nullptr, // pterm
- nullptr, // tinit,
- nullptr, // tterm,
- rti_ctor,
- rti_dtor,
- nullptr, // ssn
- nullptr // reset
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &rti_api.base,
- nullptr
-};
-
+++ /dev/null
-add_subdirectory ( ips_pkt_num )
-add_subdirectory ( ips_mss )
-add_subdirectory ( ips_urg )
-add_subdirectory ( ips_wscale )
-add_subdirectory ( find )
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( find )
-
-install (
- FILES find.lua
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/ips_options"
-)
+++ /dev/null
--- ----------------------------------------------------------
--- ips_option example:
---
--- define keyword find
---
--- configure snort with
---
--- ./configure_cmake.sh --prefix=my/prefix
---
--- then set up the path as follows:
---
--- export LUA_PATH=my/prefix/include/snort/lua/?.lua\;\;
---
--- write a rule as follows:
---
--- alert tcp any any -> any 80 ( \
--- msg:"luajit example"; sid:1; \
--- content:"GET"; \
--- find:"pat='HTTP/1%.%d'"; )
---
--- the arg string is (in general) optional
--- if present, it will be put in a table named args, eg:
---
--- args { pat='GET .+ HTTP/1.1' }
---
--- this table is defined before init is called
--- the args string, if present, must be valid lua code like
--- name1 = value1, name2 = 'value2'.
--- ----------------------------------------------------------
-
--- this pulls in snort bindings with ffi
-require("snort_plugin")
-
--- init() is optional
--- if present, called once when script is loaded
--- here we return bool indicating args ok
-function init ()
- if ( args.pat == nil ) then
- return 'missing pat'
- end
-
- if ( type(args.pat) ~= 'string' ) then
- return 'pat must be string'
- end
-
- return true
-end
-
--- eval() is required
--- eval must return a bool (match == true)
-function eval ()
- -- buf is a luajit cdata
- local buf = ffi.C.get_buffer()
-
- -- str is a lua string
- local str = ffi.string(buf.data, buf.len)
-
- local i,j = string.find(str, args.pat)
-
- return (i and (i > 0))
-end
-
--- plugin table is required
-plugin =
-{
- type = "ips_option", -- only available type currently
- name = "find", -- rule option keyword
- version = 0 -- optional, defaults to zero
-}
-
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( ips_mss CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- ips_mss MODULE
- ips_mss.cc
-)
-
-if ( APPLE )
- set_target_properties (
- ips_mss
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- ips_mss
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- ips_mss PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS ips_mss
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/ips_options"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2017-2018 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// ips_mss.cc author Russ Combs <rucombs@cisco.com>
-
-#include "framework/ips_option.h"
-#include "framework/module.h"
-#include "framework/range.h"
-#include "hash/hashfcn.h"
-#include "profiler/profiler.h"
-#include "protocols/packet.h"
-#include "protocols/tcp.h"
-#include "protocols/tcp_options.h"
-
-using namespace snort;
-
-static const char* s_name = "mss";
-static const char* s_help = "detection for TCP maximum segment size";
-
-static THREAD_LOCAL ProfileStats tcpMssPerfStats;
-
-//-------------------------------------------------------------------------
-// option
-//-------------------------------------------------------------------------
-
-class TcpMssOption : public IpsOption
-{
-public:
- TcpMssOption(const RangeCheck& c) : IpsOption(s_name)
- { config = c; }
-
- uint32_t hash() const override;
- bool operator==(const IpsOption&) const override;
-
- EvalStatus eval(Cursor&, Packet*) override;
-
-private:
- RangeCheck config;
-};
-
-uint32_t TcpMssOption::hash() const
-{
- uint32_t a, b, c;
-
- a = config.op;
- b = config.min;
- c = config.max;
-
- mix_str(a,b,c,get_name());
- finalize(a,b,c);
-
- return c;
-}
-
-bool TcpMssOption::operator==(const IpsOption& ips) const
-{
- if ( strcmp(s_name, ips.get_name()) )
- return false;
-
- const TcpMssOption& rhs = (const TcpMssOption&)ips;
- return ( config == rhs.config );
-}
-
-static bool get_mss(Packet* p, uint16_t& mss)
-{
- if ( !p->ptrs.tcph )
- return false;
-
- tcp::TcpOptIterator iter(p->ptrs.tcph, p);
-
- for (const auto& opt : iter)
- {
- if (opt.code == tcp::TcpOptCode::MAXSEG)
- {
- mss = opt.data[0] << 8 | opt.data[1];
- return true;
- }
- }
- return false;
-}
-
-IpsOption::EvalStatus TcpMssOption::eval(Cursor&, Packet* p)
-{
- Profile profile(tcpMssPerfStats);
- uint16_t mss;
-
- if ( get_mss(p, mss) and config.eval(mss) )
- return MATCH;
-
- return NO_MATCH;
-}
-
-//-------------------------------------------------------------------------
-// module
-//-------------------------------------------------------------------------
-
-#define RANGE "0:65535"
-
-static const Parameter s_params[] =
-{
- { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
- "check if TCP MSS is in given range" },
-
- { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
-};
-
-class MssModule : public Module
-{
-public:
- MssModule() : Module(s_name, s_help, s_params) { }
-
- bool begin(const char*, int, SnortConfig*) override;
- bool set(const char*, Value&, SnortConfig*) override;
-
- ProfileStats* get_profile() const override
- { return &tcpMssPerfStats; }
-
- Usage get_usage() const override
- { return DETECT; }
-
-public:
- RangeCheck data;
-};
-
-bool MssModule::begin(const char*, int, SnortConfig*)
-{
- data.init();
- return true;
-}
-
-bool MssModule::set(const char*, Value& v, SnortConfig*)
-{
- if ( !v.is("~range") )
- return false;
-
- return data.validate(v.get_string(), RANGE);
-}
-
-//-------------------------------------------------------------------------
-// api methods
-//-------------------------------------------------------------------------
-
-static Module* mod_ctor()
-{
- return new MssModule;
-}
-
-static void mod_dtor(Module* m)
-{
- delete m;
-}
-
-static IpsOption* mss_ctor(Module* p, OptTreeNode*)
-{
- MssModule* m = (MssModule*)p;
- return new TcpMssOption(m->data);
-}
-
-static void mss_dtor(IpsOption* p)
-{
- delete p;
-}
-
-static const IpsApi mss_api =
-{
- {
- PT_IPS_OPTION,
- sizeof(IpsApi),
- IPSAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- s_name,
- s_help,
- mod_ctor,
- mod_dtor
- },
- OPT_TYPE_DETECTION,
- 1, PROTO_BIT__TCP,
- nullptr, // pinit
- nullptr, // pterm
- nullptr, // tinit
- nullptr, // tterm
- mss_ctor,
- mss_dtor,
- nullptr
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &mss_api.base,
- nullptr
-};
-
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( ips_pkt_num CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- ips_pkt_num MODULE
- ips_pkt_num.cc
-)
-
-if ( APPLE )
- set_target_properties (
- ips_pkt_num
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- ips_pkt_num
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- ips_pkt_num PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS ips_pkt_num
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/ips_options"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// ips_pkt_num.cc author Russ Combs <rucombs@cisco.com>
-
-#include "framework/decode_data.h"
-#include "framework/ips_option.h"
-#include "framework/module.h"
-#include "framework/range.h"
-#include "hash/hashfcn.h"
-#include "profiler/profiler.h"
-
-using namespace snort;
-
-static const char* s_name = "pkt_num";
-static const char* s_help = "alert on raw packet number";
-
-static THREAD_LOCAL ProfileStats pkt_num_perf_stats;
-
-//-------------------------------------------------------------------------
-// option
-//-------------------------------------------------------------------------
-
-class PktNumOption : public IpsOption
-{
-public:
- PktNumOption(const RangeCheck& c) : IpsOption(s_name)
- { config = c; }
-
- uint32_t hash() const override;
- bool operator==(const IpsOption&) const override;
-
- EvalStatus eval(Cursor&, Packet*) override;
-
-private:
- RangeCheck config;
-};
-
-uint32_t PktNumOption::hash() const
-{
- uint32_t a, b, c;
-
- a = config.op;
- b = config.min;
- c = config.max;
-
- mix_str(a,b,c,get_name());
- finalize(a,b,c);
-
- return c;
-}
-
-bool PktNumOption::operator==(const IpsOption& ips) const
-{
- if ( strcmp(s_name, ips.get_name()) )
- return false;
-
- const PktNumOption& rhs = (const PktNumOption&)ips;
- return ( config == rhs.config );
-}
-
-IpsOption::EvalStatus PktNumOption::eval(Cursor&, Packet*)
-{
- Profile profile(pkt_num_perf_stats);
-
- if ( config.eval(get_packet_number()) )
- return MATCH;
-
- return NO_MATCH;
-}
-
-//-------------------------------------------------------------------------
-// module
-//-------------------------------------------------------------------------
-
-#define RANGE "1:"
-
-static const Parameter s_params[] =
-{
- { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
- "check if packet number is in given range" },
-
- { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
-};
-
-class PktNumModule : public Module
-{
-public:
- PktNumModule() : Module(s_name, s_help, s_params) { }
-
- bool begin(const char*, int, SnortConfig*) override;
- bool set(const char*, Value&, SnortConfig*) override;
-
- ProfileStats* get_profile() const override
- { return &pkt_num_perf_stats; }
-
- Usage get_usage() const override
- { return DETECT; }
-
-public:
- RangeCheck data;
-};
-
-bool PktNumModule::begin(const char*, int, SnortConfig*)
-{
- data.init();
- return true;
-}
-
-bool PktNumModule::set(const char*, Value& v, SnortConfig*)
-{
- if ( !v.is("~range") )
- return false;
-
- return data.validate(v.get_string(), RANGE);
-}
-
-//-------------------------------------------------------------------------
-// api methods
-//-------------------------------------------------------------------------
-
-static Module* mod_ctor()
-{
- return new PktNumModule;
-}
-
-static void mod_dtor(Module* m)
-{
- delete m;
-}
-
-static IpsOption* pkt_num_ctor(Module* p, OptTreeNode*)
-{
- PktNumModule* m = (PktNumModule*)p;
- return new PktNumOption(m->data);
-}
-
-static void pkt_num_dtor(IpsOption* p)
-{
- delete p;
-}
-
-static const IpsApi pkt_num_api =
-{
- {
- PT_IPS_OPTION,
- sizeof(IpsApi),
- IPSAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- s_name,
- s_help,
- mod_ctor,
- mod_dtor
- },
- OPT_TYPE_DETECTION,
- 1, PROTO_BIT__TCP,
- nullptr, // pinit
- nullptr, // pterm
- nullptr, // tinit
- nullptr, // tterm
- pkt_num_ctor,
- pkt_num_dtor,
- nullptr
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &pkt_num_api.base,
- nullptr
-};
-
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( ips_urg CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- ips_urg MODULE
- ips_urg.cc
-)
-
-if ( APPLE )
- set_target_properties (
- ips_urg
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- ips_urg
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- ips_urg PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS ips_urg
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/ips_options"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// ips_urg.cc author Russ Combs <rucombs@cisco.com>
-
-#include "framework/ips_option.h"
-#include "framework/module.h"
-#include "framework/range.h"
-#include "hash/hashfcn.h"
-#include "profiler/profiler.h"
-#include "protocols/packet.h"
-#include "protocols/tcp.h"
-
-using namespace snort;
-
-static const char* s_name = "urg";
-static const char* s_help = "detection for TCP urgent pointer";
-
-static THREAD_LOCAL ProfileStats tcpUrgPerfStats;
-
-//-------------------------------------------------------------------------
-// option
-//-------------------------------------------------------------------------
-
-class TcpUrgOption : public IpsOption
-{
-public:
- TcpUrgOption(const RangeCheck& c) : IpsOption(s_name)
- { config = c; }
-
- uint32_t hash() const override;
- bool operator==(const IpsOption&) const override;
-
- EvalStatus eval(Cursor&, Packet*) override;
-
-private:
- RangeCheck config;
-};
-
-uint32_t TcpUrgOption::hash() const
-{
- uint32_t a, b, c;
-
- a = config.op;
- b = config.min;
- c = config.max;
-
- mix_str(a,b,c,get_name());
- finalize(a,b,c);
-
- return c;
-}
-
-bool TcpUrgOption::operator==(const IpsOption& ips) const
-{
- if ( strcmp(s_name, ips.get_name()) )
- return false;
-
- const TcpUrgOption& rhs = (const TcpUrgOption&)ips;
- return ( config == rhs.config );
-}
-
-IpsOption::EvalStatus TcpUrgOption::eval(Cursor&, Packet* p)
-{
- Profile profile(tcpUrgPerfStats);
-
- if ( p->ptrs.tcph and p->ptrs.tcph->are_flags_set(TH_URG) and
- config.eval(p->ptrs.tcph->urp()) )
- {
- return MATCH;
- }
-
- return NO_MATCH;
-}
-
-//-------------------------------------------------------------------------
-// module
-//-------------------------------------------------------------------------
-
-#define RANGE "0:65535"
-
-static const Parameter s_params[] =
-{
- { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
- "check if tcp urgent offset is in given range" },
-
- { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
-};
-
-class UrgModule : public Module
-{
-public:
- UrgModule() : Module(s_name, s_help, s_params) { }
-
- bool begin(const char*, int, SnortConfig*) override;
- bool set(const char*, Value&, SnortConfig*) override;
-
- ProfileStats* get_profile() const override
- { return &tcpUrgPerfStats; }
-
- Usage get_usage() const override
- { return DETECT; }
-
-public:
- RangeCheck data;
-};
-
-bool UrgModule::begin(const char*, int, SnortConfig*)
-{
- data.init();
- return true;
-}
-
-bool UrgModule::set(const char*, Value& v, SnortConfig*)
-{
- if ( !v.is("~range") )
- return false;
-
- return data.validate(v.get_string(), RANGE);
-}
-
-//-------------------------------------------------------------------------
-// api methods
-//-------------------------------------------------------------------------
-
-static Module* mod_ctor()
-{
- return new UrgModule;
-}
-
-static void mod_dtor(Module* m)
-{
- delete m;
-}
-
-static IpsOption* urg_ctor(Module* p, OptTreeNode*)
-{
- UrgModule* m = (UrgModule*)p;
- return new TcpUrgOption(m->data);
-}
-
-static void urg_dtor(IpsOption* p)
-{
- delete p;
-}
-
-static const IpsApi urg_api =
-{
- {
- PT_IPS_OPTION,
- sizeof(IpsApi),
- IPSAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- s_name,
- s_help,
- mod_ctor,
- mod_dtor
- },
- OPT_TYPE_DETECTION,
- 1, PROTO_BIT__TCP,
- nullptr, // pinit
- nullptr, // pterm
- nullptr, // tinit
- nullptr, // tterm
- urg_ctor,
- urg_dtor,
- nullptr
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &urg_api.base,
- nullptr
-};
-
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( ips_wscale CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- ips_wscale MODULE
- ips_wscale.cc
-)
-
-if ( APPLE )
- set_target_properties (
- ips_wscale
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- ips_wscale
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- ips_wscale PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS ips_wscale
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/ips_options"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2017-2018 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// ips_wscale.cc author Russ Combs <rucombs@cisco.com>
-
-#include "framework/ips_option.h"
-#include "framework/module.h"
-#include "framework/range.h"
-#include "hash/hashfcn.h"
-#include "profiler/profiler.h"
-#include "protocols/packet.h"
-#include "protocols/tcp.h"
-#include "protocols/tcp_options.h"
-
-using namespace snort;
-
-static const char* s_name = "wscale";
-static const char* s_help = "detection for TCP window scale";
-
-static THREAD_LOCAL ProfileStats tcpWscalePerfStats;
-
-//-------------------------------------------------------------------------
-// option
-//-------------------------------------------------------------------------
-
-class TcpWscaleOption : public IpsOption
-{
-public:
- TcpWscaleOption(const RangeCheck& c) : IpsOption(s_name)
- { config = c; }
-
- uint32_t hash() const override;
- bool operator==(const IpsOption&) const override;
-
- EvalStatus eval(Cursor&, Packet*) override;
-
-private:
- RangeCheck config;
-};
-
-uint32_t TcpWscaleOption::hash() const
-{
- uint32_t a, b, c;
-
- a = config.op;
- b = config.min;
- c = config.max;
-
- mix_str(a,b,c,get_name());
- finalize(a,b,c);
-
- return c;
-}
-
-bool TcpWscaleOption::operator==(const IpsOption& ips) const
-{
- if ( strcmp(s_name, ips.get_name()) )
- return false;
-
- const TcpWscaleOption& rhs = (const TcpWscaleOption&)ips;
- return ( config == rhs.config );
-}
-
-static bool get_wscale(Packet* p, uint16_t& wscale)
-{
- if ( !p->ptrs.tcph )
- return false;
-
- tcp::TcpOptIterator iter(p->ptrs.tcph, p);
-
- for (const auto& opt : iter)
- {
- if (opt.code == tcp::TcpOptCode::WSCALE)
- {
- wscale = opt.data[0];
- return true;
- }
- }
- return false;
-}
-
-IpsOption::EvalStatus TcpWscaleOption::eval(Cursor&, Packet* p)
-{
- Profile profile(tcpWscalePerfStats);
- uint16_t wscale;
-
- if ( get_wscale(p, wscale) and config.eval(wscale) )
- return MATCH;
-
- return NO_MATCH;
-}
-
-//-------------------------------------------------------------------------
-// module
-//-------------------------------------------------------------------------
-
-#define RANGE "0:65535"
-
-static const Parameter s_params[] =
-{
- { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
- "check if TCP window scale is in given range" },
-
- { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
-};
-
-class WscaleModule : public Module
-{
-public:
- WscaleModule() : Module(s_name, s_help, s_params) { }
-
- bool begin(const char*, int, SnortConfig*) override;
- bool set(const char*, Value&, SnortConfig*) override;
-
- ProfileStats* get_profile() const override
- { return &tcpWscalePerfStats; }
-
- Usage get_usage() const override
- { return DETECT; }
-
-public:
- RangeCheck data;
-};
-
-bool WscaleModule::begin(const char*, int, SnortConfig*)
-{
- data.init();
- return true;
-}
-
-bool WscaleModule::set(const char*, Value& v, SnortConfig*)
-{
- if ( !v.is("~range") )
- return false;
-
- return data.validate(v.get_string(), RANGE);
-}
-
-//-------------------------------------------------------------------------
-// api methods
-//-------------------------------------------------------------------------
-
-static Module* mod_ctor()
-{
- return new WscaleModule;
-}
-
-static void mod_dtor(Module* m)
-{
- delete m;
-}
-
-static IpsOption* wscale_ctor(Module* p, OptTreeNode*)
-{
- WscaleModule* m = (WscaleModule*)p;
- return new TcpWscaleOption(m->data);
-}
-
-static void wscale_dtor(IpsOption* p)
-{
- delete p;
-}
-
-static const IpsApi wscale_api =
-{
- {
- PT_IPS_OPTION,
- sizeof(IpsApi),
- IPSAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- s_name,
- s_help,
- mod_ctor,
- mod_dtor
- },
- OPT_TYPE_DETECTION,
- 1, PROTO_BIT__TCP,
- nullptr, // pinit
- nullptr, // pterm
- nullptr, // tinit
- nullptr, // tterm
- wscale_ctor,
- wscale_dtor,
- nullptr
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &wscale_api.base,
- nullptr
-};
-
+++ /dev/null
-add_subdirectory ( alert_ex )
-add_subdirectory ( alert_lua )
-add_subdirectory ( log_null )
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( alert_ex CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- alert_ex MODULE
- alert_ex.cc
-)
-
-if ( APPLE )
- set_target_properties (
- alert_ex
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- alert_ex
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- alert_ex PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS alert_ex
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/loggers"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2013-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// alert_ex.cc author Russ Combs <rucombs@cisco.com>
-
-#include <iostream>
-
-#include "detection/signature.h"
-#include "events/event.h"
-#include "framework/logger.h"
-#include "framework/module.h"
-
-using namespace snort;
-using namespace std;
-
-static const char* s_name = "alert_ex";
-static const char* s_help = "output gid:sid:rev for alerts";
-
-//-------------------------------------------------------------------------
-// module stuff
-//-------------------------------------------------------------------------
-
-static const Parameter s_params[] =
-{
- { "upper", Parameter::PT_BOOL, nullptr, "false",
- "true/false -> convert to upper/lower case" },
-
- { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
-};
-
-class ExModule : public Module
-{
-public:
- ExModule() : Module(s_name, s_help, s_params) { }
-
- bool set(const char*, Value&, SnortConfig*) override;
- bool begin(const char*, int, SnortConfig*) override;
-
- Usage get_usage() const override
- { return CONTEXT; }
-
-public:
- bool upper;
-};
-
-bool ExModule::set(const char*, Value& v, SnortConfig*)
-{
- if ( v.is("packet") )
- upper = v.get_bool();
-
- else
- return false;
-
- return true;
-}
-
-bool ExModule::begin(const char*, int, SnortConfig*)
-{
- upper = true;
- return true;
-}
-
-//-------------------------------------------------------------------------
-// logger stuff
-//-------------------------------------------------------------------------
-
-class ExLogger : public Logger
-{
-public:
- ExLogger(ExModule* m)
- { upper = m->upper; }
-
- void alert(Packet*, const char* msg, const Event&) override;
-
-private:
- bool upper;
-};
-
-void ExLogger::alert(Packet*, const char* msg, const Event& e)
-{
- string s = msg;
-
- if ( upper )
- transform(s.begin(), s.end(), s.begin(), ::toupper);
- else
- transform(s.begin(), s.end(), s.begin(), ::tolower);
-
- cout << e.sig_info->gid << ":";
- cout << e.sig_info->sid << ":";
- cout << e.sig_info->rev << " ";
- cout << s << endl;
-}
-
-//-------------------------------------------------------------------------
-// api stuff
-//-------------------------------------------------------------------------
-
-static Module* mod_ctor()
-{ return new ExModule; }
-
-static void mod_dtor(Module* m)
-{ delete m; }
-
-static Logger* ex_ctor(SnortConfig*, Module* mod)
-{
- return new ExLogger((ExModule*)mod);
-}
-
-static void ex_dtor(Logger* p)
-{ delete p; }
-
-static const LogApi ex_api =
-{
- {
- PT_LOGGER,
- sizeof(LogApi),
- LOGAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- s_name,
- s_help,
- mod_ctor,
- mod_dtor
- },
- OUTPUT_TYPE_FLAG__ALERT,
- ex_ctor,
- ex_dtor
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &ex_api.base,
- nullptr
-};
-
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( alert_lua )
-
-install (
- FILES alert.lua
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/loggers"
-)
+++ /dev/null
--- ----------------------------------------------------------
--- logger example:
---
--- define keyword lualert
---
--- configure snort with
---
--- ./configure_cmake.sh --prefix=my/prefix
---
--- then set up the path as follows:
---
--- export LUA_PATH=my/prefix/include/snort/lua/?.lua\;\;
---
--- You can use with -A lualert by adding lualert to your
--- snort.lua:
---
--- lualert =
--- {
--- args = "num = 1, str = 'bar', cond = true"
--- }
---
--- the arg string is (in general) optional
--- if present, it will be put in a table named args, eg:
---
--- args = { num = 1, str = 'bar', cond = true }
---
--- this table is defined before init is called
--- the args string, if present, must be valid lua code like
--- above.
--- ----------------------------------------------------------
-
--- this pulls in snort bindings with ffi
-require("snort_plugin")
-
--- init() is optional
--- if present, called once when script is loaded
--- here we return bool indicating args ok
-function init ()
- return true
-end
-
--- alert() is required
-function alert ()
- -- get luajit structs
- local evt = ffi.C.get_event()
- local pkt = ffi.C.get_packet()
-
- -- str is a luajit string
- local str = ffi.string(evt.msg)
-
- -- FIXIT - this gets:
- -- bad argument #2 to 'format' (number expected, got cdata)
- --print(string.format('%ld %d:%d:%d %s',
- -- pkt.num, evt.gid, evt.sid, evt.rev, str))
-
- print(string.format('%d:%d:%d %s',
- evt.gid, evt.sid, evt.rev, str))
-end
-
--- plugin table is required
-plugin =
-{
- type = "logger",
- name = "lualert", -- eg -A lualert
- version = 0 -- optional version of this file
-}
-
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( log_null CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- log_null MODULE
- log_null.cc
-)
-
-if ( APPLE )
- set_target_properties (
- log_null
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- log_null
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- log_null PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS log_null
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/loggers"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2002-2013 Sourcefire, Inc.
-// Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-/* This module is a NULL placeholder for people that want to turn off
- * logging for whatever reason. Please note that logging is separate from
- * alerting, they are completely separate output facilities within Snort.
- */
-
-#include "framework/logger.h"
-#include "framework/module.h"
-
-using namespace snort;
-
-#define s_name "log_null"
-#define s_help "disable logging of packets"
-
-//-------------------------------------------------------------------------
-// log_null module
-//-------------------------------------------------------------------------
-
-class NullLogger : public Logger
-{
-public:
- NullLogger() = default;
-};
-
-static Logger* null_ctor(SnortConfig*, Module*)
-{ return new NullLogger; }
-
-static void null_dtor(Logger* p)
-{ delete p; }
-
-static LogApi null_api
-{
- {
- PT_LOGGER,
- sizeof(LogApi),
- LOGAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- s_name,
- s_help,
- nullptr, // mod_ctor,
- nullptr //mod_dtor
- },
- OUTPUT_TYPE_FLAG__LOG,
- null_ctor,
- null_dtor
-};
-
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &null_api.base,
- nullptr
-};
-
+++ /dev/null
-add_subdirectory ( lowmem )
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( lowmem CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- lowmem MODULE
- lowmem.cc
- sfksearch.cc
- sfksearch.h
- trie_api.cc
-)
-
-if ( APPLE )
- set_target_properties (
- lowmem
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- lowmem
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- lowmem PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS lowmem
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/search_engines"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2002-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-/*
-* An abstracted interface to the Multi-Pattern Matching routines,
-* thats why we're passing 'void *' objects around.
-*
-* Marc A Norton <mnorton@sourcefire.com>
-*
-* Updates:
-* 3/06 - Added AC_BNFA search
-*/
-// lowmem.cc author Russ Combs <rucombs@cisco.com>
-
-#include "log/messages.h"
-#include "framework/mpse.h"
-
-#include "sfksearch.h"
-
-using namespace snort;
-
-//-------------------------------------------------------------------------
-// "lowmem"
-//-------------------------------------------------------------------------
-
-class LowmemMpse : public Mpse
-{
-private:
- KTRIE_STRUCT* obj;
-
-public:
- LowmemMpse(SnortConfig*, const MpseAgent* agent)
- : Mpse("lowmem")
- { obj = KTrieNew(0, agent); }
-
- ~LowmemMpse() override
- { KTrieDelete(obj); }
-
- int add_pattern(
- SnortConfig*, const uint8_t* P, unsigned m,
- const PatternDescriptor& desc, void* user) override
- {
- return KTrieAddPattern(obj, P, m, desc.no_case, desc.negated, user);
- }
-
- int prep_patterns(SnortConfig* sc) override
- {
- return KTrieCompile(sc, obj);
- }
-
- int _search(
- const uint8_t* T, int n, MpseMatch match,
- void* context, int* current_state) override
- {
- *current_state = 0;
- return KTrieSearch(obj, T, n, match, context);
- }
-
- int get_pattern_count() override
- { return KTriePatternCount(obj); }
-};
-
-//-------------------------------------------------------------------------
-// api
-//-------------------------------------------------------------------------
-
-static Mpse* lm_ctor(SnortConfig* sc, class Module*, const MpseAgent* agent)
-{
- return new LowmemMpse(sc, agent);
-}
-
-static void lm_dtor(Mpse* p)
-{
- delete p;
-}
-
-static void lm_init()
-{
- KTrie_init_xlatcase();
- KTrieInitMemUsed();
-}
-
-static void lm_print()
-{
- if ( !KTrieMemUsed() )
- return;
-
- double x = (double)KTrieMemUsed();
-
- LogMessage("[ LowMem Search-Method Memory Used : %g %s ]\n",
- (x > 1.e+6) ? x/1.e+6 : x/1.e+3,
- (x > 1.e+6) ? "MBytes" : "KBytes");
-}
-
-static const MpseApi lm_api =
-{
- {
- PT_SEARCH_ENGINE,
- sizeof(MpseApi),
- SEAPI_VERSION,
- 0,
- API_RESERVED,
- API_OPTIONS,
- "lowmem",
- "Keyword Trie (low memory, moderate performance) MPSE",
- nullptr,
- nullptr
- },
- MPSE_BASE,
- nullptr,
- nullptr,
- nullptr,
- nullptr,
- lm_ctor,
- lm_dtor,
- lm_init,
- lm_print,
-};
-
-const BaseApi* se_lowmem = &lm_api.base;
-
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2001 Marc Norton
-// Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2003-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-/*
-* ksearch.c
-*
-* Basic Keyword Search Trie - uses linked lists to build the finite automata
-*
-* Keyword-Match: Performs the equivalent of a multi-string strcmp()
-* - use for token testing after parsing the language tokens using lex or the like.
-*
-* Keyword-Search: searches the input text for one of multiple keywords,
-* and supports case sensitive and case insensitive patterns.
-*/
-
-#include "sfksearch.h"
-
-#include <cassert>
-
-#include "main/thread.h"
-#include "utils/util.h"
-
-static void KTrieFree(KTRIENODE* n);
-
-static unsigned int mtot = 0;
-
-unsigned int KTrieMemUsed()
-{
- return mtot;
-}
-
-void KTrieInitMemUsed()
-{
- mtot = 0;
-}
-
-/*
-* Allocate Memory
-*/
-static void* KTRIE_MALLOC(int n)
-{
- assert(n > 0);
- void* p = snort_calloc(n);
- mtot += n;
- return p;
-}
-
-/*
-* Free Memory
-*/
-static void KTRIE_FREE(void* p)
-{
- if ( p )
- snort_free(p);
-}
-
-/*
-* Local/Tmp nocase array
-*/
-static THREAD_LOCAL uint8_t Tnocase[65*1024];
-
-/*
-** Case Translation Table
-*/
-static uint8_t xlatcase[256];
-
-/*
-*
-*/
-void KTrie_init_xlatcase()
-{
- for (int i=0; i<256; i++)
- {
- xlatcase[ i ] = (uint8_t)tolower(i);
- }
-}
-
-/*
-*
-*/
-static inline void ConvertCaseEx(uint8_t* d, const uint8_t* s, int m)
-{
- int i;
- for ( i=0; i < m; i++ )
- {
- d[i] = xlatcase[ s[i] ];
- }
-}
-
-/*
-*
-*/
-KTRIE_STRUCT* KTrieNew(int method, const MpseAgent* agent)
-{
- KTRIE_STRUCT* ts = (KTRIE_STRUCT*)KTRIE_MALLOC(sizeof(*ts));
-
- ts->memory = sizeof(*ts);
- ts->nchars = 0;
- ts->npats = 0;
- ts->end_states = 0;
- ts->method = method; /* - old method, 1 = queue */
- ts->agent = agent;
-
- return ts;
-}
-
-int KTriePatternCount(KTRIE_STRUCT* k)
-{
- return k->npats;
-}
-
-/*
- * Deletes memory that was used in creating trie
- * and nodes
- */
-void KTrieDelete(KTRIE_STRUCT* k)
-{
- if ( !k )
- return;
-
- KTRIEPATTERN* p = k->patrn;
- KTRIEPATTERN* pnext = nullptr;
-
- while ( p )
- {
- pnext = p->next;
-
- if (k->agent && p->user)
- k->agent->user_free(p->user);
-
- if (k->agent)
- {
- if (p && p->rule_option_tree)
- k->agent->tree_free(&p->rule_option_tree);
- }
-
- if (k->agent)
- {
- if (p && p->neg_list)
- k->agent->list_free(&p->neg_list);
- }
-
- KTRIE_FREE(p->P);
- KTRIE_FREE(p->Pcase);
- KTRIE_FREE(p);
-
- p = pnext;
- }
-
- for ( int i = 0; i < KTRIE_ROOT_NODES; i++ )
- KTrieFree(k->root[i]);
-
- KTRIE_FREE(k);
-}
-
-/*
- * Recursively delete all nodes in trie
- */
-static void KTrieFree(KTRIENODE* n)
-{
- if ( !n )
- return;
-
- KTrieFree(n->child);
- KTrieFree(n->sibling);
-
- KTRIE_FREE(n);
-}
-
-/*
-*
-*/
-static KTRIEPATTERN* KTrieNewPattern(const uint8_t* P, unsigned n)
-{
- if (n < 1)
- return nullptr;
-
- KTRIEPATTERN* p = (KTRIEPATTERN*)KTRIE_MALLOC(sizeof(*p));
-
- /* Save as a nocase string */
- p->P = (uint8_t*)KTRIE_MALLOC(n);
-
- ConvertCaseEx(p->P, P, n);
-
- /* Save Case specific version */
- p->Pcase = (uint8_t*)KTRIE_MALLOC(n);
- memcpy(p->Pcase, P, n);
-
- p->n = n;
- p->next = nullptr;
-
- return p;
-}
-
-/*
-* Add Pattern info to the list of patterns
-*/
-int KTrieAddPattern(
- KTRIE_STRUCT* ts, const uint8_t* P, unsigned n,
- bool nocase, bool negative, void* user)
-{
- KTRIEPATTERN* pnew;
-
- if ( !ts->patrn )
- {
- pnew = ts->patrn = KTrieNewPattern(P, n);
-
- if ( !pnew )
- return -1;
- }
- else
- {
- pnew = KTrieNewPattern(P, n);
-
- if ( !pnew )
- return -1;
-
- pnew->next = ts->patrn; /* insert at head of list */
-
- ts->patrn = pnew;
- }
-
- pnew->nocase = nocase;
- pnew->negative = negative;
- pnew->user = user;
- pnew->mnext = nullptr;
-
- ts->npats++;
- ts->memory += sizeof(KTRIEPATTERN) + 2 * n; /* Case and nocase */
-
- return 0;
-}
-
-/*
-*
-*/
-static KTRIENODE* KTrieCreateNode(KTRIE_STRUCT* ts)
-{
- KTRIENODE* t = (KTRIENODE*)KTRIE_MALLOC(sizeof(*t));
- ts->memory += sizeof(*t);
- return t;
-}
-
-/*
-* Insert a Pattern in the Trie
-*/
-static int KTrieInsert(KTRIE_STRUCT* ts, KTRIEPATTERN* px)
-{
- int type = 0;
- int n = px->n;
- uint8_t* P = px->P;
- KTRIENODE* root;
-
- /* Make sure we at least have a root character for the tree */
- if ( !ts->root[*P] )
- {
- ts->root[*P] = root = KTrieCreateNode(ts);
- if ( !root )
- return -1;
- root->edge = *P;
- }
- else
- {
- root = ts->root[*P];
- }
-
- /* Walk existing Patterns */
- while ( n )
- {
- if ( root->edge == *P )
- {
- P++;
- n--;
-
- if ( n && root->child )
- {
- root=root->child;
- }
- else /* cannot continue */
- {
- type = 0; /* Expand the tree via the child */
- break;
- }
- }
- else
- {
- if ( root->sibling )
- {
- root=root->sibling;
- }
- else /* cannot continue */
- {
- type = 1; /* Expand the tree via the sibling */
- break;
- }
- }
- }
-
- /*
- * Add the next char of the Keyword, if any
- */
- if ( n )
- {
- if ( type == 0 )
- {
- /*
- * Start with a new child to finish this Keyword
- */
- root->child= KTrieCreateNode(ts);
- if ( !root->child )
- return -1;
- root=root->child;
- root->edge = *P;
- P++;
- n--;
- ts->nchars++;
- }
- else
- {
- /*
- * Start a new sibling branch to finish this Keyword
- */
- root->sibling= KTrieCreateNode(ts);
- if ( !root->sibling )
- return -1;
- root=root->sibling;
- root->edge = *P;
- P++;
- n--;
- ts->nchars++;
- }
- }
-
- /*
- * Finish the keyword as child nodes
- */
- while ( n )
- {
- root->child = KTrieCreateNode(ts);
- if ( !root->child )
- return -1;
- root=root->child;
- root->edge = *P;
- P++;
- n--;
- ts->nchars++;
- }
-
- if ( root->pkeyword )
- {
- px->mnext = root->pkeyword; /* insert duplicates at front of list */
- root->pkeyword = px;
- ts->duplicates++;
- }
- else
- {
- root->pkeyword = px;
- ts->end_states++;
- }
-
- return 0;
-}
-
-/*
-*
-*/
-static void Build_Bad_Character_Shifts(KTRIE_STRUCT* kt)
-{
- KTRIEPATTERN* plist;
-
- /* Calc the min pattern size */
- kt->bcSize = 32000;
-
- for ( plist=kt->patrn; plist; plist=plist->next )
- {
- if ( plist->n < kt->bcSize )
- {
- kt->bcSize = plist->n; /* smallest pattern size */
- }
- }
-
- /*
- * Initialize the Bad Character shift table.
- */
- for ( int i = 0; i < KTRIE_ROOT_NODES; i++ )
- {
- kt->bcShift[i] = (unsigned short)kt->bcSize;
- }
-
- /*
- * Finish the Bad character shift table
- */
- for ( plist=kt->patrn; plist; plist=plist->next )
- {
- for ( int k=0; k<kt->bcSize; k++ )
- {
- int shift = kt->bcSize - 1 - k;
- int cindex = plist->P[ k ];
-
- if ( shift < kt->bcShift[ cindex ] )
- {
- kt->bcShift[ cindex ] = (unsigned short)shift;
- }
- }
- }
-}
-
-static int KTrieBuildMatchStateNode(
- snort::SnortConfig* sc, KTRIENODE* root, KTRIE_STRUCT* ts)
-{
- int cnt = 0;
- KTRIEPATTERN* p;
-
- if (!root)
- return 0;
-
- /* each and every prefix match at this root*/
- if (root->pkeyword)
- {
- for (p = root->pkeyword; p; p = p->mnext)
- {
- if (p->user)
- {
- if (p->negative)
- {
- ts->agent->negate_list(p->user, &root->pkeyword->neg_list);
- }
- else
- {
- ts->agent->build_tree(sc, p->user, &root->pkeyword->rule_option_tree);
- }
- }
-
- cnt++;
- }
-
- /* Last call to finalize the tree for this root */
- ts->agent->build_tree(sc, nullptr, &root->pkeyword->rule_option_tree);
- }
-
- /* for child of this root */
- if (root->child)
- {
- cnt += KTrieBuildMatchStateNode(sc, root->child, ts);
- }
-
- /* 1st sibling of this root -- other siblings will be processed from
- * within the processing for root->sibling. */
- if (root->sibling)
- {
- cnt += KTrieBuildMatchStateNode(sc, root->sibling, ts);
- }
-
- return cnt;
-}
-
-static int KTrieBuildMatchStateTrees(snort::SnortConfig* sc, KTRIE_STRUCT* ts)
-{
- int cnt = 0;
-
- /* Find the states that have a MatchList */
- for (int i = 0; i < KTRIE_ROOT_NODES; i++)
- {
- KTRIENODE* root = ts->root[i];
-
- /* each and every prefix match at this root*/
- if ( root and ts->agent )
- {
- cnt += KTrieBuildMatchStateNode(sc, root, ts);
- }
- }
-
- return cnt;
-}
-
-/*
-* Build the Keyword TRIE
-*
-*/
-static inline int _KTrieCompile(KTRIE_STRUCT* ts)
-{
- KTRIEPATTERN* p;
- /*
- static int tmem=0; // unused
- */
-
- /*
- * Build the Keyword TRIE
- */
- for ( p=ts->patrn; p; p=p->next )
- {
- if ( KTrieInsert(ts, p) )
- return -1;
- }
-
- /*
- * Build A Setwise Bad Character Shift Table
- */
- Build_Bad_Character_Shifts(ts);
-
- /*
- tmem += ts->memory;
- printf(" Compile stats: %d patterns, %d chars, %d duplicate patterns, %d bytes, %d total-bytes\n",ts->npats,ts->nchars,ts->duplicates,ts->memory,tmem);
- */
-
- return 0;
-}
-
-int KTrieCompile(snort::SnortConfig* sc, KTRIE_STRUCT* ts)
-{
- int rval;
-
- if ((rval = _KTrieCompile(ts)))
- return rval;
-
- if ( ts->agent )
- KTrieBuildMatchStateTrees(sc, ts);
-
- return 0;
-}
-
-void sfksearch_print_qinfo()
-{
-}
-
-/*
-* Search - Algorithm
-*
-* This routine will log any substring of T that matches a keyword,
-* and processes all prefix matches. This is used for generic
-* pattern searching with a set of keywords and a body of text.
-*
-*
-*
-* kt- Trie Structure
-* T - nocase text
-* Tc- case specific text
-* n - text length
-*
-* returns:
-* # pattern matches
-*/
-static inline int KTriePrefixMatch(
- KTRIE_STRUCT* kt, const uint8_t* T, const uint8_t*, const uint8_t* bT, int n,
- MpseMatch match, void* context)
-{
- KTRIENODE* root = kt->root[ *T ];
- int nfound = 0;
- KTRIEPATTERN* pk;
- int index;
-
- /* Check if any keywords start with this character */
- if ( !root )
- return 0;
-
- while ( n )
- {
- if ( root->edge == *T )
- {
- T++;
- n--;
-
- pk = root->pkeyword;
- if (pk)
- {
- index = (int)(T - bT);
- nfound++;
- if (match (pk->user, pk->rule_option_tree, index, context, pk->neg_list) > 0)
- {
- return nfound;
- }
- }
-
- if ( n && root->child )
- {
- root = root->child;
- }
- else /* cannot continue -- match is over */
- {
- break;
- }
- }
- else
- {
- if ( root->sibling )
- {
- root = root->sibling;
- }
- else /* cannot continue */
- {
- break;
- }
- }
- }
-
- return nfound;
-}
-
-/*
-*
-*/
-static inline int KTrieSearchNoBC(
- KTRIE_STRUCT* ks, const uint8_t* Tx, int n, MpseMatch match, void* context)
-{
- int nfound = 0;
- const uint8_t* T, * bT;
-
- ConvertCaseEx(Tnocase, Tx, n);
-
- T = Tnocase;
- bT = T;
-
- for (; n>0; n--, T++, Tx++ )
- {
- nfound += KTriePrefixMatch(ks, T, Tx, bT, n, match, context);
- }
-
- return nfound;
-}
-
-/*
-*
-*/
-static inline int KTrieSearchBC(
- KTRIE_STRUCT* ks, const uint8_t* Tx, int n, MpseMatch match, void* context)
-{
- const uint8_t* Tend;
- const uint8_t* T, * bT;
- int nfound = 0;
- short* bcShift = (short*)ks->bcShift;
- int bcSize = ks->bcSize;
-
- ConvertCaseEx(Tnocase, Tx, n);
-
- T = Tnocase;
- bT = T;
-
- Tend = T + n - bcSize;
-
- bcSize--;
-
- for (; T <= Tend; n--, T++, Tx++ )
- {
- int tshift;
-
- while ( (tshift = bcShift[ *( T + bcSize ) ]) > 0 )
- {
- T += tshift;
- Tx += tshift;
- if ( T > Tend )
- return nfound;
- }
-
- nfound += KTriePrefixMatch(ks, T, Tx, bT, n, match, context);
- }
-
- return nfound;
-}
-
-int KTrieSearch(
- KTRIE_STRUCT* ks, const uint8_t* T, int n, MpseMatch match, void* context)
-{
- if ( ks->bcSize < 3 )
- return KTrieSearchNoBC(ks, T, n, match, context);
- else
- return KTrieSearchBC(ks, T, n, match, context);
-}
-
-// TEST DRIVER FOR KEYWORD TRIE
-#ifdef KTRIE_MAIN
-
-char** gargv;
-
-int trie_nmatches = 0;
-
-int match(unsigned id, int index, void* context)
-{
- trie_nmatches++;
- data = context;
- printf("id=%u found at index=%d, %s\n", id, index, gargv[id]);
- return 0;
-}
-
-int main(int argc, char** argv)
-{
- int i;
- KTRIE_STRUCT* ts;
- int nocase=1; // don't care about case
-
- gargv = argv;
-
- ts = KTrieNew();
-
- if ( argc < 3 )
- {
- printf("%s text pat1 pat2 ... patn [-c(ase-sensitive)\n",argv[0]);
- printf("search for keywords-default, or match keywords\n");
- exit(0);
- }
-
- for (i=1; i<argc; i++)
- {
- if ( strcmp(argv[i],"-c")==0 )
- nocase=0; /* ignore case */
- }
-
- printf("New TRIE created\n");
-
- for (i=2; i<argc; i++)
- {
- if ( argv[i][0]=='-' )
- continue;
-
- KTrieAddPattern(ts, (uint8_t*)argv[i], strlen(argv[i]), nocase, i);
- }
-
- printf("Patterns added \n");
-
- KTrieCompile(nullptr, ts);
-
- printf("Patterns compiled \n");
- printf("--> %d characters, %d patterns, %d bytes allocated\n",ts->nchars,ts->npats,ts->memory);
-
- printf("Searching...\n");
-
- KTrieSearch(ts, (uint8_t*)argv[1], strlen(argv[1]), match, 0);
-
- printf("%d matches found\n",trie_nmatches);
-
- printf("normal pgm finish.\n");
-
- return 0;
-}
-
-#endif
-
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2003-2013 Sourcefire, Inc.
-// Copyright (C) 2001 Marc Norton
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-#ifndef SFKSEARCH_H
-#define SFKSEARCH_H
-
-// ksearch.h - Trie based multi-pattern matcher
-
-#include <cstdint>
-#include "search_engines/search_common.h"
-
-namespace snort
-{
-struct SnortConfig;
-}
-
-struct KTRIEPATTERN
-{
- KTRIEPATTERN* next; /* global list of all patterns*/
- KTRIEPATTERN* mnext; /* matching list of duplicate keywords*/
-
- uint8_t* P; /* no case*/
- uint8_t* Pcase; /* case sensitive*/
-
- void* user;
- void* rule_option_tree;
- void* neg_list;
-
- int n;
- int nocase;
- int negative;
-};
-
-struct KTRIENODE
-{
- int edge; /* character*/
-
- KTRIENODE* sibling;
- KTRIENODE* child;
-
- KTRIEPATTERN* pkeyword;
-};
-
-#define KTRIE_ROOT_NODES 256
-
-struct KTRIE_STRUCT
-{
- KTRIEPATTERN* patrn; /* List of patterns, built as they are added*/
- KTRIENODE* root[KTRIE_ROOT_NODES]; /* KTrie nodes*/
-
- const struct MpseAgent* agent;
-
- int memory;
- int nchars;
- int npats;
- int duplicates;
- int method;
- int end_states; /* should equal npats - duplicates*/
-
- int bcSize;
- unsigned short bcShift[KTRIE_ROOT_NODES];
-};
-
-void KTrie_init_xlatcase();
-
-KTRIE_STRUCT* KTrieNew(int method, const MpseAgent*);
-
-int KTrieAddPattern(
- KTRIE_STRUCT*, const uint8_t* P, unsigned n,
- bool nocase, bool negative, void* id);
-
-int KTrieCompile(snort::SnortConfig*, KTRIE_STRUCT*);
-
-int KTrieSearch(KTRIE_STRUCT*, const uint8_t* T, int n, MpseMatch, void* context);
-
-unsigned int KTrieMemUsed();
-void KTrieInitMemUsed();
-
-void KTrieDelete(KTRIE_STRUCT*);
-int KTriePatternCount(KTRIE_STRUCT*);
-
-void sfksearch_print_qinfo();
-
-#endif
-
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2013-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-// trie_api.cc author Russ Combs <rucombs@cisco.com>
-
-#include "framework/base_api.h"
-#include "main/snort_types.h"
-
-extern const snort::BaseApi* se_lowmem;
-
-SO_PUBLIC const snort::BaseApi* snort_plugins[] =
-{
- se_lowmem,
- nullptr
-};
-
+++ /dev/null
-add_subdirectory ( sid_18758 )
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( sid_18758 CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- sid_18758 MODULE
- sid_18758.cc
- sid_18758.h
-)
-
-if ( APPLE )
- set_target_properties (
- sid_18758
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- sid_18758
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- sid_18758 PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS sid_18758
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/so_rules"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-// sid_18758.cc author Russ Combs <rucombs@cisco.com>
-
-#include "sid_18758.h"
-
-#include "framework/so_rule.h"
-
-using namespace snort;
-
-static IpsOption::EvalStatus eval(void*, Cursor&, Packet*)
-{
- return IpsOption::MATCH;
-}
-
-static SoEvalFunc ctor(const char* /*so*/, void** pv)
-{
- // so == "eval" here because that's our only so: option
- // but we could use multiple so: options and bind to
- // different functions based on the value of so
- // *pv can point to any data we need to use with so
- *pv = nullptr;
- return eval;
-}
-
-static void dtor(void* /*pv*/)
-{
- // cast pv to your type here
- // and then delete it
-}
-
-static const SoApi so_api =
-{
- {
- PT_SO_RULE,
- sizeof(SoApi),
- SOAPI_VERSION,
- 8,
- API_RESERVED,
- API_OPTIONS,
- "3|18758",
- "SO rule example",
- nullptr,
- nullptr
- },
- (const uint8_t*)rule_18758,
- rule_18758_len,
- nullptr, // pinit
- nullptr, // pterm
- nullptr, // tinit
- nullptr, // tterm
- ctor,
- dtor,
-};
-
-// other snort plugins can be put in this list as needed
-// eg multiple rules in one so, custom rule options, etc.
-SO_PUBLIC const BaseApi* snort_plugins[] =
-{
- &so_api.base,
- nullptr
-};
-
+++ /dev/null
-#ifndef SID_18758_H
-#define SID_18758_H
-
-#include <cstdint>
-
-const uint8_t rule_18758[] =
-{
- 0x61, 0x6C, 0x65, 0x72, 0x74, 0x20, 0x74, 0x63, 0x70, 0x20, 0x24, 0x48, 0x4F, 0x4D, 0x45, 0x5F,
- 0x4E, 0x45, 0x54, 0x20, 0x61, 0x6E, 0x79, 0x20, 0x2D, 0x3E, 0x20, 0x24, 0x45, 0x58, 0x54, 0x45,
- 0x52, 0x4E, 0x41, 0x4C, 0x5F, 0x4E, 0x45, 0x54, 0x20, 0x24, 0x48, 0x54, 0x54, 0x50, 0x5F, 0x50,
- 0x4F, 0x52, 0x54, 0x53, 0x0A, 0x28, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x73, 0x67, 0x3A, 0x22,
- 0x46, 0x49, 0x4C, 0x45, 0x2D, 0x49, 0x44, 0x45, 0x4E, 0x54, 0x49, 0x46, 0x59, 0x20, 0x4D, 0x69,
- 0x63, 0x72, 0x6F, 0x73, 0x6F, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x20,
- 0x56, 0x69, 0x73, 0x75, 0x61, 0x6C, 0x20, 0x42, 0x61, 0x73, 0x69, 0x63, 0x20, 0x73, 0x63, 0x72,
- 0x69, 0x70, 0x74, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x20, 0x64, 0x6F, 0x77, 0x6E, 0x6C, 0x6F, 0x61,
- 0x64, 0x20, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x3B, 0x0A, 0x20, 0x20, 0x20, 0x20,
- 0x6D, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x3A, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65,
- 0x20, 0x68, 0x74, 0x74, 0x70, 0x3B, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x72, 0x65, 0x66, 0x65, 0x72,
- 0x65, 0x6E, 0x63, 0x65, 0x3A, 0x75, 0x72, 0x6C, 0x2C, 0x65, 0x6E, 0x2E, 0x77, 0x69, 0x6B, 0x69,
- 0x70, 0x65, 0x64, 0x69, 0x61, 0x2E, 0x6F, 0x72, 0x67, 0x2F, 0x77, 0x69, 0x6B, 0x69, 0x2F, 0x56,
- 0x62, 0x73, 0x3B, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x63, 0x6C, 0x61, 0x73, 0x73, 0x74, 0x79, 0x70,
- 0x65, 0x3A, 0x6D, 0x69, 0x73, 0x63, 0x2D, 0x61, 0x63, 0x74, 0x69, 0x76, 0x69, 0x74, 0x79, 0x3B,
- 0x0A, 0x20, 0x20, 0x20, 0x20, 0x73, 0x69, 0x64, 0x3A, 0x31, 0x38, 0x37, 0x35, 0x38, 0x3B, 0x0A,
- 0x20, 0x20, 0x20, 0x20, 0x72, 0x65, 0x76, 0x3A, 0x38, 0x3B, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x73,
- 0x6F, 0x69, 0x64, 0x3A, 0x33, 0x7C, 0x31, 0x38, 0x37, 0x35, 0x38, 0x3B, 0x0A, 0x23, 0x20, 0x65,
- 0x76, 0x65, 0x72, 0x79, 0x74, 0x68, 0x69, 0x6E, 0x67, 0x20, 0x61, 0x62, 0x6F, 0x76, 0x65, 0x20,
- 0x61, 0x70, 0x70, 0x65, 0x61, 0x72, 0x73, 0x20, 0x69, 0x6E, 0x20, 0x73, 0x74, 0x75, 0x62, 0x0A,
- 0x23, 0x20, 0x74, 0x68, 0x65, 0x20, 0x66, 0x6F, 0x6C, 0x6C, 0x6F, 0x77, 0x69, 0x6E, 0x67, 0x20,
- 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x6F, 0x70, 0x74, 0x69, 0x6F, 0x6E,
- 0x73, 0x20, 0x61, 0x72, 0x65, 0x20, 0x6E, 0x6F, 0x74, 0x20, 0x69, 0x6E, 0x20, 0x70, 0x72, 0x6F,
- 0x74, 0x65, 0x63, 0x74, 0x65, 0x64, 0x20, 0x73, 0x74, 0x75, 0x62, 0x0A, 0x20, 0x20, 0x20, 0x20,
- 0x66, 0x6C, 0x6F, 0x77, 0x3A, 0x74, 0x6F, 0x5F, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2C, 0x65,
- 0x73, 0x74, 0x61, 0x62, 0x6C, 0x69, 0x73, 0x68, 0x65, 0x64, 0x3B, 0x0A, 0x20, 0x20, 0x20, 0x20,
- 0x68, 0x74, 0x74, 0x70, 0x5F, 0x75, 0x72, 0x69, 0x3B, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x63, 0x6F,
- 0x6E, 0x74, 0x65, 0x6E, 0x74, 0x3A, 0x22, 0x2E, 0x76, 0x62, 0x73, 0x22, 0x2C, 0x20, 0x6E, 0x6F,
- 0x63, 0x61, 0x73, 0x65, 0x3B, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x70, 0x63, 0x72, 0x65, 0x3A, 0x22,
- 0x2F, 0x5C, 0x78, 0x32, 0x65, 0x76, 0x62, 0x73, 0x28, 0x5B, 0x5C, 0x3F, 0x5C, 0x78, 0x35, 0x63,
- 0x5C, 0x78, 0x32, 0x66, 0x5D, 0x7C, 0x24, 0x29, 0x2F, 0x73, 0x6D, 0x69, 0x22, 0x3B, 0x0A, 0x20,
- 0x20, 0x20, 0x20, 0x73, 0x6F, 0x3A, 0x65, 0x76, 0x61, 0x6C, 0x3B, 0x0A, 0x29, 0x0A, 0x00,
-};
-const unsigned rule_18758_len = 0;
-
-#endif
+++ /dev/null
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
-(
- msg:"FILE-IDENTIFY Microsoft Windows Visual Basic script file download request";
- metadata:service http;
- reference:url,en.wikipedia.org/wiki/Vbs;
- classtype:misc-activity;
- sid:18758;
- rev:8;
- soid:3|18758;
-# everything above appears in stub
-# the following detection options are not in protected stub
- flow:to_server,established;
- http_uri;
- content:".vbs", nocase;
- pcre:"/\x2evbs([\?\x5c\x2f]|$)/smi";
- so:eval;
-)
+++ /dev/null
-add_subdirectory ( mock )
+++ /dev/null
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( lowmem CXX )
-
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- tp_mock MODULE
- tp_mock.cc
-)
-
-if ( APPLE )
- set_target_properties (
- tp_lib
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- tp_mock
- PROPERTIES
- PREFIX ""
- )
-
-set_property(TARGET tp_mock PROPERTY ENABLE_EXPORTS 1)
-
-target_include_directories (
- tp_mock PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS tp_mock
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/tp_appid"
-)
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2016-2018 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// Brief description:
-//
-// Minimalist example of an implementation of a third party library for appid
-// detection.
-// Snort interacts with this library via 3 classes:
-// 1) TPLibHandler - to load the third party library.
-// 2) ThirdPartyAppIDModule - to initialize and clean-up whatever we might need
-// 3) ThirdPartyAppIDSession - for the actual information extracted from packets
-// The third party library must provide implementations to the abstract classes
-// ThirdPartyAppIDModule and ThirdPartyAppIDSession and must also implement the
-// object factory functions returning pointers to the derived classes.
-//
-//
-// Standalone compilation:
-// g++ -g -Wall -I/path/to/snort3/src -c tp_mock.cc
-// g++ -std=c++11 -g -Wall -I/path/to/snort3/src -shared -fPIC -o libtp_mock.so tp_mock.cc
-// As a module (dynamically loaded) - see CMakeLists.txt
-
-#include <iostream>
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "main/snort_types.h"
-
-#include "network_inspectors/appid/tp_appid_module_api.h"
-#include "network_inspectors/appid/tp_appid_session_api.h"
-
-#define THIRD_PARTY_APPID_MODULE_NAME "NAVL"
-
-#define WhereMacro __FILE__ << ": " << __FUNCTION__ << ": " << __LINE__
-
-using namespace std;
-
-class ThirdPartyAppIDModuleImpl : public ThirdPartyAppIDModule
-{
-public:
- ThirdPartyAppIDModuleImpl(uint32_t ver, const char* mname)
- : ThirdPartyAppIDModule(ver, mname)
- {
- cerr << WhereMacro << endl;
- }
-
- ~ThirdPartyAppIDModuleImpl()
- {
- cerr << WhereMacro << endl;
- }
-
- int pinit(ThirdPartyConfig& config)
- {
- cerr << WhereMacro
- << ": main thread initialization, possibly load other libraries." << endl;
- return 0;
- }
-
- int tinit()
- {
- cerr << WhereMacro << ": per worker thread initialization." << endl;
- return 0;
- }
-
- int reconfigure(const ThirdPartyConfig& config)
- {
- cerr << WhereMacro << ": do not call pinit() during reconfigure." << endl;
- return 0;
- }
-
- int pfini()
- {
- cerr << WhereMacro << ": main thread clean-up." << endl;
- return 0;
- }
-
- int tfini()
- {
- cerr << WhereMacro << ": per worker-thread clean-up." << endl;
- return 0;
- }
-
- int print_stats() { return 0; }
- int reset_stats() { return 0; }
-};
-
-class ThirdPartyAppIDSessionImpl : public ThirdPartyAppIDSession
-{
-public:
-
- bool reset() { return 1; }
- bool process(const snort::Packet&,
- AppidSessionDirection direction,
- vector<AppId>& proto_list,
- ThirdPartyAppIDAttributeData& attribute_data)
- {
- cerr << WhereMacro
- << ": third party packet parsing and appid processing." << endl;
- return 1;
- }
-
- int disable_flags(uint32_t session_flags) { return 0; }
- TPState get_state() { return state; }
- void set_state(TPState s) { state=s; }
- void clear_attr(TPSessionAttr attr) { flags &= ~attr; }
- void set_attr(TPSessionAttr attr) { flags |= attr; }
- unsigned get_attr(TPSessionAttr attr) { return flags & attr; }
-
-private:
- unsigned flags=0;
-};
-
-// Object factories to create module and session.
-// This is the only way for outside callers to create module and session
-// once the .so has been loaded.
-extern "C"
-{
- SO_PUBLIC ThirdPartyAppIDModuleImpl* create_third_party_appid_module()
- {
- return new ThirdPartyAppIDModuleImpl(1,"third party");
- }
-}
-
-extern "C"
-{
- SO_PUBLIC ThirdPartyAppIDSessionImpl* create_third_party_appid_session()
- {
- return new ThirdPartyAppIDSessionImpl;
- }
-}
-
+++ /dev/null
-%if @generate.project_boilerplate
-cmake_minimum_required ( VERSION 3.4.3 )
-project ( <%= @project.name %><% if @project.language == "CXX" %> CXX<% elsif @project.language == "C" %> C<% end %> )
-%end
-%if !@project.sources.empty?
-%if @generate.platform_boilerplate
-
-%if @project.language == "CXX"
-set (CMAKE_CXX_STANDARD 11)
-set (CMAKE_CXX_STANDARD_REQUIRED ON)
-set (CMAKE_CXX_EXTENSIONS OFF)
-%elsif @project.language == "C"
-set (CMAKE_C_STANDARD 99)
-set (CMAKE_C_STANDARD_REQUIRED ON)
-set (CMAKE_C_EXTENSIONS ON)
-%end
-
-if ( APPLE )
- set ( CMAKE_MACOSX_RPATH OFF )
-endif ( APPLE )
-%end
-
-include ( FindPkgConfig )
-pkg_search_module ( SNORT3 REQUIRED snort>=3 )
-
-add_library (
- <%= @project.libname %> MODULE
-%for source in @project.sources
- <%= source %>
-%end
-)
-
-if ( APPLE )
- set_target_properties (
- <%= @project.libname %>
- PROPERTIES
- LINK_FLAGS "-undefined dynamic_lookup"
- )
-endif ( APPLE )
-
-set_target_properties (
- <%= @project.libname %>
- PROPERTIES
- PREFIX ""
-)
-
-target_include_directories (
- <%= @project.libname %> PUBLIC
- ${SNORT3_INCLUDE_DIRS}
-)
-
-install (
- TARGETS <%= @project.libname %>
- LIBRARY
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/<%= @project.dirname %>"
-)
-%end
-%if !@project.scripts.empty?
-
-install (
- FILES<% for script in @project.scripts %> <%= script %><% end %>
- DESTINATION "${CMAKE_INSTALL_LIBDIR}/${CMAKE_PROJECT_NAME}/<%= @project.dirname %>"
-)
-%end
projects / thirdparty / snort3.git / commitdiff
