stream_user = { }
stream_file = { }
+appid = { }
arp_spoof = { }
back_orifice = { }
dnp3 = { }
)
set ( UTIL_APPID_SOURCES
- appid_utils/common_util.h
+ appid_utils/appid_utils.cc
+ appid_utils/appid_utils.h
appid_utils/fw_avltree.cc
appid_utils/fw_avltree.h
appid_utils/ip_funcs.cc
appid_utils/ip_funcs.h
appid_utils/network_set.cc
appid_utils/network_set.h
- appid_utils/output_file.cc
- appid_utils/output_file.h
- appid_utils/sfksearch.cc
- appid_utils/sfksearch.h
appid_utils/sf_mlmp.cc
appid_utils/sf_mlmp.h
appid_utils/sf_multi_mpse.cc
appid_utils/sf_multi_mpse.h
- appid_utils/sfutil.cc
- appid_utils/sfutil.h
)
set ( APPID_SOURCES
appid_config.h
appid_session.cc
appid_session.h
- appid.h
appid_inspector.cc
appid_inspector.h
appid_module.cc
app_info_table.cc
app_info_table.h
application_ids.h
- flow_error.h
- fw_appid.cc
- fw_appid.h
host_port_app_cache.cc
host_port_app_cache.h
http_common.h
service_plugins/service_util.h
util_file_list = \
-appid_utils/common_util.h \
+appid_utils/appid_utils.cc \
+appid_utils/appid_utils.h \
appid_utils/fw_avltree.cc \
appid_utils/fw_avltree.h \
appid_utils/ip_funcs.cc \
appid_utils/ip_funcs.h \
appid_utils/network_set.cc \
appid_utils/network_set.h \
-appid_utils/output_file.cc \
-appid_utils/output_file.h \
-appid_utils/sfksearch.cc \
-appid_utils/sfksearch.h \
appid_utils/sf_mlmp.cc \
appid_utils/sf_mlmp.h \
appid_utils/sf_multi_mpse.cc \
-appid_utils/sf_multi_mpse.h \
-appid_utils/sfutil.cc \
-appid_utils/sfutil.h
+appid_utils/sf_multi_mpse.h
file_list = \
app_forecast.cc \
appid_config.h \
appid_session.cc \
appid_session.h \
-appid.h \
appid_inspector.cc \
appid_inspector.h \
appid_module.cc \
app_info_table.cc \
app_info_table.h \
application_ids.h \
-flow_error.h \
-fw_appid.cc \
-fw_appid.h \
host_port_app_cache.cc \
host_port_app_cache.h \
http_common.h \
return 0;
}
+void checkSandboxDetection(AppId appId)
+{
+ if (AppIdConfig::get_appid_config()->mod_config->instance_id)
+ {
+ auto entry = AppInfoManager::get_instance().get_app_info_entry(appId);
+ if ( entry && ( entry->flags & APPINFO_FLAG_ACTIVE ) )
+ {
+ DebugFormat(DEBUG_APPID, "Detected application %d is active.\n", entry->appId);
+ }
+ else if( appId != 0 )
+ {
+ if(entry)
+ {
+ DebugFormat(DEBUG_APPID, "Detected application %d is not active.\n", appId);
+ }
+ else
+ {
+ DebugFormat(DEBUG_APPID,
+ "No entry in application info table for detected application %d.\n",
+ appId);
+ }
+ }
+ }
+}
+
AppInfoTableEntry* AppInfoManager::get_app_info_entry(AppId appId, const AppInfoTable& lookup_table)
{
AppId tmp;
if (entry)
entry->flags |= APPINFO_FLAG_ACTIVE;
else
- DebugFormat(DEBUG_APPID, "AppInfo: AppId %d is UNKNOWN\n", appId);
-
+ ErrorMessage("AppInfo: AppId %d has no entry in application info table\n", appId);
}
void AppInfoManager::load_appid_config(const char* path)
{
- FILE* config_file;
- char* token;
char buf[1024];
- char referred_app_list[4096];
- int referred_app_index;
- char* conf_type;
- char* conf_key;
- char* conf_val;
unsigned line = 0;
- int max_tp_flow_depth;
- char* context;
- config_file = fopen(path, "r");
+ FILE* config_file = fopen(path, "r");
if (config_file == nullptr)
return;
- DebugFormat(DEBUG_INSPECTOR, "Loading configuration file %s\n", path);
+ DebugFormat(DEBUG_APPID, "Loading configuration file %s\n", path);
while (fgets(buf, sizeof(buf), config_file) != nullptr)
{
+ char* context;
+
line++;
- token = strtok_r(buf, CONF_SEPARATORS, &context);
+ char* token = strtok_r(buf, CONF_SEPARATORS, &context);
if (token == nullptr)
{
- ErrorMessage("Could not read configuration at line %s:%u\n", path, line);
+ ParseWarning(WARN_CONF, "No 'conf_type' value at line %s:%u\n", path, line);
continue;
}
- conf_type = token;
+ char* conf_type = token;
token = strtok_r(nullptr, CONF_SEPARATORS, &context);
if (token == nullptr)
{
- ErrorMessage("Could not read configuration value at line %s:%u\n", path, line);
+ ParseWarning(WARN_CONF, "No 'conf_key' value at line %s:%u\n", path, line);
continue;
}
- conf_key = token;
+ char* conf_key = token;
token = strtok_r(nullptr, CONF_SEPARATORS, &context);
if (token == nullptr)
{
- ErrorMessage("Could not read configuration value at line %s:%u\n", path, line);
+ ParseWarning(WARN_CONF, "No 'conf_val' value at line %s:%u\n", path, line);
continue;
}
- conf_val = token;
+ char* conf_val = token;
/* APPID configurations are for anything else - currently we only have ssl_reinspect */
if (!(strcasecmp(conf_type, "appid")))
{
if (!(strcasecmp(conf_key, "max_tp_flow_depth")))
{
- max_tp_flow_depth = atoi(conf_val);
+ int max_tp_flow_depth = atoi(conf_val);
if (max_tp_flow_depth < MIN_MAX_TP_FLOW_DEPTH || max_tp_flow_depth >
MAX_MAX_TP_FLOW_DEPTH)
{
- DebugFormat(DEBUG_INSPECTOR,
+ ParseWarning(WARN_CONF,
"AppId: invalid max_tp_flow_depth %d, must be between %d and %d\n.",
max_tp_flow_depth, MIN_MAX_TP_FLOW_DEPTH, MAX_MAX_TP_FLOW_DEPTH);
}
else
{
- DebugFormat(DEBUG_INSPECTOR,
+ DebugFormat(DEBUG_APPID,
"AppId: setting max thirdparty inspection flow depth to %d packets.\n",
max_tp_flow_depth);
AppIdConfig::get_appid_config()->mod_config->max_tp_flow_depth = max_tp_flow_depth;
{
if (!(strcasecmp(conf_val, "enabled")))
{
- DebugMessage(DEBUG_INSPECTOR,
+ DebugMessage(DEBUG_APPID,
"AppId: TCP probes will be analyzed by NAVL.\n");
AppIdConfig::get_appid_config()->mod_config->tp_allow_probes = 1;
}
else if (!(strcasecmp(conf_key, "tp_client_app")))
{
- DebugFormat(DEBUG_INSPECTOR,
+ DebugFormat(DEBUG_APPID,
"AppId: if thirdparty reports app %d, we will use it as a client.\n",
atoi(conf_val));
set_app_info_flags(atoi(conf_val), APPINFO_FLAG_TP_CLIENT);
}
else if (!(strcasecmp(conf_key, "ssl_reinspect")))
{
- DebugFormat(DEBUG_INSPECTOR,
+ DebugFormat(DEBUG_APPID,
"AppId: adding app %d to list of SSL apps that get more granular inspection.\n",
atoi(conf_val));
set_app_info_flags(atoi(conf_val), APPINFO_FLAG_SSL_INSPECT);
{
if (!(strcasecmp(conf_val, "disabled")))
{
- DEBUG_WRAP(DebugMessage(DEBUG_INSPECTOR,
- "AppId: disabling safe search enforcement.\n"); );
+ DebugMessage(DEBUG_APPID, "AppId: disabling safe search enforcement.\n");
AppIdConfig::get_appid_config()->mod_config->disable_safe_search = 1;
}
}
else if (!(strcasecmp(conf_key, "ssl_squelch")))
{
- DebugFormat(DEBUG_INSPECTOR,
+ DebugFormat(DEBUG_APPID,
"AppId: adding app %d to list of SSL apps that may open a second SSL connection.\n",
atoi(conf_val));
set_app_info_flags(atoi(conf_val), APPINFO_FLAG_SSL_SQUELCH);
}
else if (!(strcasecmp(conf_key, "defer_to_thirdparty")))
{
- DebugFormat(DEBUG_INSPECTOR,
+ DebugFormat(DEBUG_APPID,
"AppId: adding app %d to list of apps where we should take thirdparty ID over the NDE's.\n",
atoi(conf_val));
set_app_info_flags(atoi(conf_val), APPINFO_FLAG_DEFER);
}
else if (!(strcasecmp(conf_key, "defer_payload_to_thirdparty")))
{
- DebugFormat(DEBUG_INSPECTOR,
+ DebugFormat(DEBUG_APPID,
"AppId: adding app %d to list of apps where we should take "
"thirdparty payload ID over the NDE's.\n",
atoi(conf_val));
{
if (!(strcasecmp(conf_val, "disabled")))
{
- DebugMessage(DEBUG_INSPECTOR,
+ DebugMessage(DEBUG_APPID,
"AppId: HTTP UserID collection disabled.\n");
AppIdConfig::get_appid_config()->mod_config->chp_userid_disabled = 1;
continue;
{
if (!(strcasecmp(conf_val, "disabled")))
{
- DebugMessage(DEBUG_INSPECTOR,
+ DebugMessage(DEBUG_APPID,
"AppId: HTTP Body header reading disabled.\n");
AppIdConfig::get_appid_config()->mod_config->chp_body_collection_disabled = 1;
continue;
{
if (!(strcasecmp(conf_val, "disabled")))
{
- DEBUG_WRAP(DebugMessage(DEBUG_INSPECTOR,
- "AppId: HTTP future flow creation disabled.\n"); );
+ DebugMessage(DEBUG_APPID, "AppId: HTTP future flow creation disabled.\n");
AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled = 1;
continue;
}
{
if (!(strcasecmp(conf_val, "disabled")))
{
- DEBUG_WRAP(DebugMessage(DEBUG_INSPECTOR, "AppId: FTP userID disabled.\n"); );
+ DebugMessage(DEBUG_APPID, "AppId: FTP userID disabled.\n");
AppIdConfig::get_appid_config()->mod_config->ftp_userid_disabled = 1;
continue;
}
token = strtok_r(nullptr, CONF_SEPARATORS, &context);
if (token == nullptr)
{
- ErrorMessage("Could not read app_priority at line %u\n", line);
+ ParseWarning(WARN_CONF, "Could not read app_priority at line %u\n", line);
continue;
}
conf_val = token;
uint8_t temp_val;
temp_val = strtol(conf_val, nullptr, 10);
set_app_info_priority (temp_appid, temp_val);
- DebugFormat(DEBUG_INSPECTOR,"AppId: %d Setting priority bit %d .\n",
+ DebugFormat(DEBUG_APPID,"AppId: %d Setting priority bit %d .\n",
temp_appid, temp_val);
}
else if (!(strcasecmp(conf_key, "referred_appId")))
}
else if (!AppIdConfig::get_appid_config()->mod_config->referred_appId_disabled)
{
- referred_app_index=0;
- referred_app_index += sprintf(referred_app_list, "%d ", atoi(conf_val));
+ char referred_app_list[4096];
+ int referred_app_index = snprintf(referred_app_list, 4096, "%d ", atoi(conf_val));
set_app_info_flags(atoi(conf_val), APPINFO_FLAG_REFERRED);
while ((token = strtok_r(nullptr, CONF_SEPARATORS, &context)) != nullptr)
{
- referred_app_index += sprintf(referred_app_list+referred_app_index, "%d ",
- atoi(token));
- set_app_info_flags(atoi(token), APPINFO_FLAG_REFERRED);
+ AppId id = atoi(token);
+ referred_app_index += snprintf(referred_app_list + referred_app_index,
+ 4096 - referred_app_index, "%d ", id);
+ set_app_info_flags(id, APPINFO_FLAG_REFERRED);
}
- DebugFormat(DEBUG_INSPECTOR,
+ DebugFormat(DEBUG_APPID,
"AppId: adding appIds to list of referred web apps: %s\n",
referred_app_list);
}
}
else if (!(strcasecmp(conf_key, "ignore_thirdparty_appid")))
{
- LogMessage("AppId: adding app %d to list of ignore thirdparty apps.\n", atoi(
- conf_val));
+ DebugFormat(DEBUG_APPID, "AppId: adding app %d to list of ignore thirdparty apps.\n",
+ atoi(conf_val));
set_app_info_flags(atoi(conf_val), APPINFO_FLAG_IGNORE);
}
else if (!(strcasecmp(conf_key, "http2_detection")))
// ports.
if (!(strcasecmp(conf_val, "disabled")))
{
- LogMessage("AppId: disabling internal HTTP/2 detection.\n");
+ DebugMessage(DEBUG_APPID, "AppId: disabling internal HTTP/2 detection.\n");
AppIdConfig::get_appid_config()->mod_config->http2_detection_enabled = false;
}
else if (!(strcasecmp(conf_val, "enabled")))
{
- LogMessage("AppId: enabling internal HTTP/2 detection.\n");
+ DebugMessage(DEBUG_APPID, "AppId: enabling internal HTTP/2 detection.\n");
AppIdConfig::get_appid_config()->mod_config->http2_detection_enabled = true;
}
else
{
- LogMessage("AppId: ignoring invalid option for http2_detection: %s\n",
+ ParseWarning(WARN_CONF, "AppId: ignoring invalid option for http2_detection: %s\n",
conf_val);
}
}
}
}
+
fclose(config_file);
}
tableFile = fopen(filepath, "r");
if (tableFile == nullptr)
{
- ParseError("Could not open AppMapping Table file: %s, no AppId rule support", filepath);
+ ParseWarning(WARN_RULES,
+ "Could not open AppMapping Table file: %s, no AppId rule support", filepath);
return;
}
- DebugFormat(DEBUG_INSPECTOR, "AppInfo read from %s\n", filepath);
+ DebugFormat(DEBUG_APPID, "AppInfo read from %s\n", filepath);
while (fgets(buf, sizeof(buf), tableFile))
{
#include "utils/util.h"
#define APP_PRIORITY_DEFAULT 2
+#define SF_APPID_MAX 40000
+#define SF_APPID_BUILDIN_MAX 30000
+#define SF_APPID_CSD_MIN 1000000
+#define SF_APPID_DYNAMIC_MIN 2000000
struct RNAClientAppModule;
struct RNAServiceElement;
void load_appid_config(const char* path);
AppInfoTableEntry* get_app_info_entry(AppId appId, const AppInfoTable& lookup_table);
std::mutex custom_app_mutex;
-
};
+void checkSandboxDetection(AppId appId);
+
#endif
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// appid.h author Sourcefire Inc.
-
-#ifndef APPID_H
-#define APPID_H
-
-#define SF_APPID_MAX 40000
-#define SF_APPID_BUILDIN_MAX 30000
-#define APPID_MAX_PRIORITY 3
-#define SF_APPID_CSD_MIN 1000000
-#define SF_APPID_DYNAMIC_MIN 2000000
-#define NUMBER_OF_PTYPES 9
-
-#define RESPONSE_CODE_PACKET_THRESHHOLD 0
-
-enum APPID_SESSION_DIRECTION
-{
- APP_ID_FROM_INITIATOR,
- APP_ID_FROM_RESPONDER,
- APP_ID_APPID_SESSION_DIRECTION_MAX // Maximum value of a direction (must be last in the list)
-};
-
-enum SERVICE_HOST_INFO_CODE
-{
- SERVICE_HOST_INFO_NETBIOS_NAME = 1
-};
-
-#define FINGERPRINT_UDP_FLAGS_XENIX 0x00000800
-#define FINGERPRINT_UDP_FLAGS_NT 0x00001000
-#define FINGERPRINT_UDP_FLAGS_MASK (FINGERPRINT_UDP_FLAGS_XENIX | FINGERPRINT_UDP_FLAGS_NT)
-
-using AppIdFreeFCN = void(*)(void*);
-
-#endif
-
#include "appid_api.h"
#include "app_info_table.h"
-#include "appid.h"
#include "service_plugins/service_base.h"
#include "app_info_table.h"
-#include "fw_appid.h"
#include "utils/util.h"
if (appIdSession && appIdSession->common.flow_type == APPID_FLOW_TYPE_NORMAL)
{
if (appIdSession->rnaServiceState != RNA_STATE_FINISHED ||
- !TPIsAppIdDone(appIdSession->tpsession) ||
+ !is_third_party_appid_done(appIdSession->tpsession) ||
appIdSession->get_session_flags(APPID_SESSION_HTTP_SESSION | APPID_SESSION_CONTINUE) ||
(appIdSession->get_session_flags(APPID_SESSION_ENCRYPTED) &&
(appIdSession->get_session_flags(APPID_SESSION_DECRYPTED) ||
{
if (asd->get_session_flags(APPID_SESSION_NO_TPI))
return true;
- return TPIsAppIdAvailable(asd->tpsession);
+ return is_third_party_appid_available(asd->tpsession);
}
return false;
}
if ( asd )
{
appHA->flags = APPID_HA_FLAGS_APP;
- if (TPIsAppIdAvailable(asd->tpsession))
+ if (is_third_party_appid_available(asd->tpsession))
appHA->flags |= APPID_HA_FLAGS_TP_DONE;
if (asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
appHA->flags |= APPID_HA_FLAGS_SVC_DONE;
#include "app_info_table.h"
#include "appid_utils/network_set.h"
#include "appid_utils/ip_funcs.h"
-#include "appid_utils/common_util.h"
-#include "appid_utils/sfutil.h"
+#include "appid_utils/appid_utils.h"
#include "main/snort_debug.h"
#include "log/messages.h"
#include "utils/util.h"
#define ODP_PORT_DETECTORS "odp/port/*"
#define CUSTOM_PORT_DETECTORS "custom/port/*"
#define MAX_DISPLAY_SIZE 65536
+#define MAX_LINE 2048
static AppIdConfig* appid_config = nullptr;
unsigned appIdPolicyId;
uint16_t port;
};
-static THREAD_LOCAL SF_LIST genericConfigList; ///< List of AppidGenericConfigItem structures
+static THREAD_LOCAL SF_LIST appid_custom_configs;
AppIdModuleConfig::~AppIdModuleConfig()
{
return appid_config;
}
-void AppIdConfig::add_generic_config_element(const char* name, void* pData)
+void AppidConfigElement::add_generic_config_element(const char* name, void* data)
{
- AppidGenericConfigItem* pConfigItem;
+ AppidConfigElement* ce;
- pConfigItem = (AppidGenericConfigItem*)snort_calloc(sizeof(AppidGenericConfigItem));
- pConfigItem->name = snort_strdup(name);
- pConfigItem->pData = pData;
- sflist_add_tail(&genericConfigList, pConfigItem);
+ ce = (AppidConfigElement*)snort_calloc(sizeof(AppidConfigElement));
+ ce->name = snort_strdup(name);
+ ce->value = data;
+ sflist_add_tail(&appid_custom_configs, ce);
}
-void* AppIdConfig::find_generic_config_element(const char* name)
+void* AppidConfigElement::find_generic_config_element(const char* name)
{
- AppidGenericConfigItem* pConfigItem;
+ AppidConfigElement* ce;
SF_LNODE* next;
// Search a module's configuration by its name
- for (pConfigItem = (AppidGenericConfigItem*)sflist_first(
- (SF_LIST*)&genericConfigList, &next);
- pConfigItem != nullptr;
- pConfigItem = (AppidGenericConfigItem*)sflist_next(&next))
+ for (ce = (AppidConfigElement*)sflist_first(&appid_custom_configs, &next);
+ ce != nullptr;
+ ce = (AppidConfigElement*)sflist_next(&next))
{
- if (strcmp(pConfigItem->name, name) == 0)
- return pConfigItem->pData;
+ if (strcmp(ce->name, name) == 0)
+ return ce->value;
}
return nullptr;
}
-void AppIdConfig::remove_generic_config_element(const char* name)
+void AppidConfigElement::remove_generic_config_element(const char* name)
{
SF_LNODE* iter;
- AppidGenericConfigItem* cfg;
+ AppidConfigElement* ce;
// Search a module's configuration by its name
- for (cfg = (AppidGenericConfigItem*)sflist_first(&genericConfigList, &iter);
- cfg != nullptr;
- cfg = (AppidGenericConfigItem*)sflist_next(&iter))
+ for (ce = (AppidConfigElement*)sflist_first(&appid_custom_configs, &iter);
+ ce != nullptr;
+ ce = (AppidConfigElement*)sflist_next(&iter))
{
- if (strcmp(cfg->name, name) == 0)
+ if (strcmp(ce->name, name) == 0)
{
- snort_free(cfg->name);
- snort_free(cfg);
- sflist_remove_node(&genericConfigList, iter);
+ snort_free(ce->name);
+ snort_free(ce);
+ sflist_remove_node(&appid_custom_configs, iter);
break;
}
}
zone = -1;
ias6->addr_flags |= flag;
six = ias6->range_min;
- NSIPv6AddrHtoN(&six);
+ NetworkSetManager::ntoh_ipv6(&six);
inet_ntop(AF_INET6, (struct in6_addr*)&six, min_ip, sizeof(min_ip));
six = ias6->range_max;
- NSIPv6AddrHtoN(&six);
+ NetworkSetManager::ntoh_ipv6(&six);
inet_ntop(AF_INET6, (struct in6_addr*)&six, max_ip, sizeof(max_ip));
- LogMessage("Adding %s-%s (0x%08X) with zone %d\n", min_ip, max_ip,
+ DebugFormat(DEBUG_APPID, "Adding %s-%s (0x%08X) with zone %d\n", min_ip, max_ip,
ias6->addr_flags, zone);
if (zone >= 0)
{
if (!(my_net_list = net_list_by_zone[zone]))
{
- if (NetworkSet_New(&my_net_list))
+ if (NetworkSetManager::create(&my_net_list))
ErrorMessage("%s", "Failed to create a network set");
else
{
}
else
my_net_list = net_list;
- if (my_net_list && NetworkSet_AddCidrBlock6Ex(my_net_list, &ias6->range_min,
- ias6->netmask,
- ias6->addr_flags & IPFUNCS_EXCEPT_IP, 0,
+ if (my_net_list && NetworkSetManager::add_cidr_block6_ex(my_net_list,
+ &ias6->range_min, ias6->netmask, ias6->addr_flags & IPFUNCS_EXCEPT_IP, 0,
ias6->addr_flags & (~IPFUNCS_EXCEPT_IP)))
{
ErrorMessage(
else
zone = -1;
ias->addr_flags |= flag;
- LogMessage("Adding 0x%08X-0x%08X (0x%08X) with zone %d\n", ias->range_min,
- ias->range_max,
- ias->addr_flags, zone);
+ DebugFormat(DEBUG_APPID, "Adding 0x%08X-0x%08X (0x%08X) with zone %d\n",
+ ias->range_min, ias->range_max, ias->addr_flags, zone);
if (zone >= 0)
{
if (!(my_net_list = net_list_by_zone[zone]))
{
- if (NetworkSet_New(&my_net_list))
+ if (NetworkSetManager::create(&my_net_list))
ErrorMessage("%s", "Failed to create a network set");
else
{
}
else
my_net_list = net_list;
- if (my_net_list && NetworkSet_AddCidrBlockEx(my_net_list, ias->range_min,
+ if (my_net_list && NetworkSetManager::add_cidr_block_ex(my_net_list, ias->range_min,
ias->netmask,
ias->addr_flags & IPFUNCS_EXCEPT_IP, 0,
ias->addr_flags & (~IPFUNCS_EXCEPT_IP)))
ErrorMessage("Config: Invalid port exclusion address specified");
return;
}
- NSIPv6AddrHtoNConv(&ias6->range_min, &ip);
- NSIPv6AddrHtoNConv(&ias6->netmask_mask, &netmask);
+ NetworkSetManager::hton_swap_ipv6(&ias6->range_min, &ip);
+ NetworkSetManager::hton_swap_ipv6(&ias6->netmask_mask, &netmask);
family = AF_INET6;
snort_free(ias6);
}
unsigned line = 0;
NetworkSet* my_net_list;
- if (NetworkSet_New(&net_list))
+ if (NetworkSetManager::create(&net_list))
FatalError("Failed to allocate a network set");
net_list_list = net_list;
if (!config_file || (!config_file[0]))
{
char addrString[sizeof("0.0.0.0/0")];
- LogMessage("Defaulting to monitoring all Snort traffic for AppID.\n");
+ DebugMessage(DEBUG_APPID, "Defaulting to monitoring all Snort traffic for AppID.\n");
toklist[1] = nullptr;
toklist[0] = addrString;
strcpy(addrString,"0.0.0.0/0");
while (fgets(linebuffer, MAX_LINE, fp) != nullptr)
{
line++;
-
- strip(linebuffer);
-
+ AppIdUtils::strip(linebuffer);
cptr = linebuffer;
while (isspace((int)*cptr))
if (*cptr && (*cptr != '#') && (*cptr != 0x0a))
{
memset(toklist, 0, sizeof(toklist));
- /* tokenize the line */
- num_toks = Tokenize(cptr, toklist);
+ num_toks = AppIdUtils::tokenize(cptr, toklist);
if (num_toks < 2)
{
fclose(fp);
return -1;
}
if (!(strcasecmp(toklist[0], "config")))
- {
process_config_directive(toklist, reload);
- }
else if (!(strcasecmp(toklist[0], "portexclusion")))
- {
process_port_exclusion(toklist);
- }
}
}
{
char* instance_toklist[2];
char addrString[sizeof("0.0.0.0/0")];
- LogMessage("Defaulting to monitoring all Snort traffic for AppID.\n");
+ DebugMessage(DEBUG_APPID, "Defaulting to monitoring all Snort traffic for AppID.\n");
instance_toklist[0] = addrString;
instance_toklist[1] = nullptr;
strcpy(addrString,"0.0.0.0/0");
{
if (my_net_list != net_list)
{
- if (NetworkSet_AddSet(my_net_list, net_list))
+ if (NetworkSetManager::add_set(my_net_list, net_list))
ErrorMessage("Failed to add any network list to a zone network list");
}
}
net_list_count = 0;
for (my_net_list = net_list_list; my_net_list; my_net_list = net_list->next)
{
- if (NetworkSet_Reduce(my_net_list))
+ if (NetworkSetManager::reduce(my_net_list))
ErrorMessage("Failed to reduce the IP address sets");
- net_list_count += NetworkSet_CountEx(my_net_list) + NetworkSet_Count6Ex(my_net_list);
+ net_list_count += NetworkSetManager::count_ex(my_net_list) + NetworkSetManager::count6_ex(my_net_list);
}
return 0;
appid_config = this;
map_app_names_to_snort_ids();
appIdPolicyId = 53;
- InitNetmasks(app_id_netmasks);
+ AppIdUtils::init_netmasks(app_id_netmasks);
app_info_mgr.init_appid_info_table(mod_config->app_detector_dir);
sflist_init(&appid_config->client_app_args);
load_analysis_config(mod_config->conf_file, 0, mod_config->instance_id);
read_port_detectors(ODP_PORT_DETECTORS);
read_port_detectors(CUSTOM_PORT_DETECTORS);
ThirdPartyAppIDInit(mod_config);
- show();
if ( mod_config->dump_ports )
{
return true;
}
-static void free_config_items(ConfigItem* ci)
+static void free_config_items(AppidConfigElement* ci)
{
if (ci)
{
while ((net_list = net_list_list))
{
net_list_list = net_list->next;
- NetworkSet_Destroy(net_list);
+ NetworkSetManager::destroy(net_list);
}
free_port_exclusion_list(tcp_port_exclusions_src);
for (i = 0; i < my_net_list->count6; i++)
{
six = my_net_list->pnetwork6[i]->range_min;
- NSIPv6AddrHtoN(&six);
+ NetworkSetManager::ntoh_ipv6(&six);
p = inet_ntop(AF_INET6, (struct in6_addr*)&six, inet_buffer, sizeof(inet_buffer));
six = my_net_list->pnetwork6[i]->range_max;
- NSIPv6AddrHtoN(&six);
+ NetworkSetManager::ntoh_ipv6(&six);
p2 = inet_ntop(AF_INET6, (struct in6_addr*)&six, inet_buffer2, sizeof(inet_buffer2));
LogMessage(" %s%s-%s %04X\n", (my_net_list->pnetwork6[i]->info.ip_not) ? "!" : "",
p ?
for (i = 0; i < my_net_list->count6; i++)
{
six = my_net_list->pnetwork6[i]->range_min;
- NSIPv6AddrHtoN(&six);
+ NetworkSetManager::ntoh_ipv6(&six);
p = inet_ntop(AF_INET6, (struct in6_addr*)&six, inet_buffer, sizeof(inet_buffer));
six = my_net_list->pnetwork6[i]->range_max;
- NSIPv6AddrHtoN(&six);
+ NetworkSetManager::ntoh_ipv6(&six);
p2 = inet_ntop(AF_INET6, (struct in6_addr*)&six, inet_buffer2, sizeof(inet_buffer2));
LogMessage(" %s%s-%s %04X\n", (my_net_list->pnetwork6[i]->info.ip_not) ? "!" :
"",
void AppIdConfig::display_port_config()
{
- unsigned i;
- int first;
+ bool first = true;
- first = 1;
- for (i = 0; i < sizeof(tcp_port_only) / sizeof(AppId); i++)
- {
+ for ( auto& i : tcp_port_only )
if (tcp_port_only[i])
{
if (first)
{
LogMessage(" TCP Port-Only Services\n");
- first = 0;
+ first = false;
}
LogMessage(" %5u - %u\n", i, tcp_port_only[i]);
}
- }
- first = 1;
- for (i = 0; i<sizeof(udp_port_only) / sizeof(AppId); i++)
- {
+ first = true;
+ for ( auto& i : udp_port_only )
if (udp_port_only[i])
{
if (first)
{
LogMessage(" UDP Port-Only Services\n");
- first = 0;
+ first = false;
}
LogMessage(" %5u - %u\n", i, udp_port_only[i]);
}
- }
}
#ifndef APP_ID_CONFIG_H
#define APP_ID_CONFIG_H
-#include "appid.h"
+#include <array>
+
#include "client_plugins/client_app_config.h"
#include "detector_plugins/detector_sip.h"
#include "service_plugins/service_config.h"
// Currently, IMAP, PO3 and MDNS use this data structure. Lua modules currently
// do not have any configuration. They can use this data structure in the future,
// if needed.
-struct AppidGenericConfigItem
+struct AppidConfigElement
{
char* name; ///< Module name
- void* pData; ///< Module configuration data
+ void* value; ///< Module configuration data
+
+ static void add_generic_config_element(const char* name, void* pData);
+ static void* find_generic_config_element(const char* name);
+ static void remove_generic_config_element(const char* name);
};
struct AppIdSessionLogFilter
static AppIdConfig* get_appid_config();
void set_safe_search_enforcement(int enabled);
- // add, find, remove generic config items...
- void add_generic_config_element(const char* name, void* pData);
- void* find_generic_config_element(const char* name);
- void remove_generic_config_element(const char* name);
-
unsigned max_service_info = 0;
unsigned net_list_count = 0;
NetworkSet* net_list_list = nullptr;
NetworkSet* net_list = nullptr;
NetworkSet* net_list_by_zone[MAX_ZONES] = { nullptr };
- AppId tcp_port_only[65536] = { 0 }; ///< Service IDs for port-only TCP services
- AppId udp_port_only[65536] = { 0 }; ///< Service IDs for port-only UDP services
- AppId ip_protocol[255] = { 0 }; ///< Service IDs for non-TCP / UDP protocol services
+ std::array<AppId, 65535> tcp_port_only; ///< Service IDs for port-only TCP services
+ std::array<AppId, 65535> udp_port_only; ///< Service IDs for port-only UDP services
+ AppId ip_protocol[255] = { 0 }; ///< Service IDs for non-TCP / UDP protocol services
SF_LIST client_app_args; ///< List of Client App arguments
// for each potential port, an sflist of PortExclusion structs
SF_LIST* tcp_port_exclusions_src[APP_ID_PORT_ARRAY_SIZE] = { nullptr };
session->scan_flags |= SCAN_HTTP_VIA_FLAG;
}
- session->processHTTPPacket(direction);
+ session->process_http_packet(direction);
session->set_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_HTTP_SESSION);
if (direction == APP_ID_FROM_INITIATOR)
appid_stats.http_flows++;
#include "profiler/profiler.h"
#include "appid_stats.h"
#include "appid_session.h"
-#include "fw_appid.h"
#include "lua_detector_module.h"
#include "lua_detector_api.h"
#include "host_port_app_cache.h"
bool AppIdInspector::configure(SnortConfig*)
{
active_config = new AppIdConfig( ( AppIdModuleConfig* )config);
- if(config->debug)
- show(nullptr);
get_data_bus().subscribe(HTTP_REQUEST_HEADER_EVENT_KEY, new HttpEventHandler(HttpEventHandler::REQUEST_EVENT));
get_data_bus().subscribe(HTTP_RESPONSE_HEADER_EVENT_KEY, new HttpEventHandler(HttpEventHandler::RESPONSE_EVENT));
LogMessage(" appStats Rollover time: %lu secs\n",
config->app_stats_rollover_time);
LogMessage("\n");
+ active_config->show();
+
}
void AppIdInspector::tinit()
#include "app_info_table.h"
#include "appid_module.h"
-#include "fw_appid.h"
#include "appid_stats.h"
#include "app_forecast.h"
#include "host_port_app_cache.h"
static int16_t snortId_for_ftp_data;
static int16_t snortId_for_http2;
+inline int ThirdPartyAppIDFoundProto(AppId proto, AppId* proto_list)
+{
+ unsigned int proto_cnt = 0;
+ while (proto_list[proto_cnt] != APP_ID_NONE)
+ if (proto_list[proto_cnt++] == proto)
+ return 1; // found
+
+ return 0; // not found
+}
+
+inline int testSSLAppIdForReinspect(AppId app_id)
+{
+ if (app_id <= SF_APPID_MAX &&
+ (app_id == APP_ID_SSL || AppInfoManager::get_instance().get_app_info_flags(app_id, APPINFO_FLAG_SSL_INSPECT)))
+ return 1;
+ else
+ return 0;
+}
+
+void AppIdSession::add_user(AppIdSession* asd, const char* username, AppId appId, int success)
+{
+ if (asd->username)
+ snort_free(asd->username);
+ asd->username = snort_strdup(username);
+ asd->username_service = appId;
+ if (success)
+ asd->set_session_flags(APPID_SESSION_LOGIN_SUCCEEDED);
+ else
+ asd->clear_session_flags(APPID_SESSION_LOGIN_SUCCEEDED);
+}
+
+void AppIdSession::add_payload(AppIdSession* asd, AppId payload_id)
+{
+ checkSandboxDetection(payload_id);
+ asd->payload_app_id = payload_id;
+}
+
void map_app_names_to_snort_ids()
{
/* init globals for snortId compares */
if ((payload_app_id == APP_ID_HTTP_TUNNEL) && (tp_app_id == APP_ID_SSL))
set_payload_app_id_data(APP_ID_HTTP_SSL_TUNNEL, NULL);
- processHTTPPacket(p, direction, nullptr);
+ process_http_packet(p, direction, nullptr);
// If SSL over HTTP tunnel, make sure Snort knows that it's encrypted.
if (payload_app_id == APP_ID_HTTP_SSL_TUNNEL)
snort_app_id = APP_ID_SSL;
- if (TPIsAppIdAvailable(tpsession) && tp_app_id == APP_ID_HTTP
+ if (is_third_party_appid_available(tpsession) && tp_app_id == APP_ID_HTTP
&& !get_session_flags(APPID_SESSION_APP_REINSPECT))
{
rna_client_state = RNA_STATE_FINISHED;
#endif
-bool AppIdSession::do_service_discovery(IpProtocol protocol, int direction, AppId ClientAppId,
- AppId payloadAppId, Packet* p)
+bool AppIdSession::do_service_discovery(IpProtocol protocol, int direction, AppId client_app_id,
+ AppId payload_app_id, Packet* p)
{
AppInfoTableEntry* entry;
bool isTpAppidDiscoveryDone = false;
if (rnaServiceState != RNA_STATE_FINISHED)
{
Profile serviceMatchPerfStats_profile_context(serviceMatchPerfStats);
- uint32_t prevRnaServiceState;
- prevRnaServiceState = rnaServiceState;
+ uint32_t prevRnaServiceState = rnaServiceState;
//decision to directly call validator or go through elaborate service_state tracking
//is made once at the beginning of sesssion.
if (rnaServiceState == RNA_STATE_NONE && p->dsize)
rnaServiceState = RNA_STATE_FINISHED;
}
}
- else if (TPIsAppIdAvailable(tpsession))
+ else if (is_third_party_appid_available(tpsession))
{
if (tp_app_id > APP_ID_NONE)
{
if (rnaServiceState == RNA_STATE_STATEFUL&&
prevRnaServiceState == RNA_STATE_STATEFUL &&
!get_session_flags(APPID_SESSION_NO_TPI) &&
- TPIsAppIdAvailable(tpsession) &&
+ is_third_party_appid_available(tpsession) &&
tp_app_id > APP_ID_NONE && tp_app_id < SF_APPID_MAX)
{
entry = app_info_mgr->get_app_info_entry(tp_app_id);
stop_rna_service_inspection(p, direction);
}
}
+
if (rnaServiceState == RNA_STATE_STATEFUL)
{
AppIdDiscoverService(p, direction, this);
&& dsession && dsession->host)
{
size_t size = dsession->host_len;
- dns_host_scan_hostname((const uint8_t*) (dsession->host), size, &ClientAppId, &payloadAppId);
- set_client_app_id_data(ClientAppId, nullptr);
+ dns_host_scan_hostname((const uint8_t*) (dsession->host), size, &client_app_id, &payload_app_id);
+ set_client_app_id_data(client_app_id, nullptr);
}
else if (serviceAppId == APP_ID_RTMP)
examine_rtmp_metadata();
}
}
}
+
return isTpAppidDiscoveryDone;
}
{
if (p->flow->get_session_flags() & SSNFLAG_MIDSTREAM)
rna_client_state = RNA_STATE_FINISHED;
- else if (TPIsAppIdAvailable(tpsession) && ( tp_app_id > APP_ID_NONE )
+ else if (is_third_party_appid_available(tpsession) && ( tp_app_id > APP_ID_NONE )
&& ( tp_app_id < SF_APPID_MAX ) )
{
entry = app_info_mgr->get_app_info_entry(tp_app_id);
//stop rna inspection as soon as tp has classified a valid AppId later in the session
if ((rna_client_state == RNA_STATE_STATEFUL || rna_client_state == RNA_STATE_DIRECT)
&& rna_client_state == prevRnaClientState && !get_session_flags(APPID_SESSION_NO_TPI)
- && TPIsAppIdAvailable(tpsession) && tp_app_id > APP_ID_NONE && tp_app_id < SF_APPID_MAX)
+ && is_third_party_appid_available(tpsession) && tp_app_id > APP_ID_NONE && tp_app_id < SF_APPID_MAX)
{
entry = app_info_mgr->get_app_info_entry(tp_app_id);
if (!(entry && entry->clntValidator && entry->clntValidator == rna_client_data
void AppIdSession::do_application_discovery(Packet* p)
{
IpProtocol protocol;
- AppId serviceAppId = 0;
- AppId ClientAppId = 0;
- AppId payloadAppId = 0;
+ AppId client_app_id = 0;
+ AppId payload_app_id = 0;
bool isTpAppidDiscoveryDone = false;
uint64_t flow_flags;
int direction;
{
size_t size = asd->dsession->host_len;
dns_host_scan_hostname((const uint8_t*)asd->dsession->host, size,
- &ClientAppId, &payloadAppId);
- asd->set_client_app_id_data(ClientAppId, nullptr);
+ &client_app_id, &payload_app_id);
+ asd->set_client_app_id_data(client_app_id, nullptr);
}
else if (asd->serviceAppId == APP_ID_RTMP)
asd->examine_rtmp_metadata();
{
// FIXIT-M commented out assignment causes analysis warning
/*isTpAppidDiscoveryDone = */
- asd->do_service_discovery(protocol, direction, ClientAppId, payloadAppId, p);
+ asd->do_service_discovery(protocol, direction, client_app_id, payload_app_id, p);
isTpAppidDiscoveryDone = asd->do_client_discovery(direction, p);
asd->set_session_flags(APPID_SESSION_ADDITIONAL_PACKET);
}
}
}
- serviceAppId = asd->pick_service_app_id();
- payloadAppId = asd->pick_payload_app_id();
+ AppId serviceAppId = asd->pick_service_app_id();
+ payload_app_id = asd->pick_payload_app_id();
if (serviceAppId > APP_ID_NONE)
{
#endif
}
- p->flow->set_application_ids(serviceAppId, asd->pick_client_app_id(), payloadAppId, asd->pick_misc_app_id());
+ p->flow->set_application_ids(serviceAppId, asd->pick_client_app_id(), payload_app_id, asd->pick_misc_app_id());
/* Set the field that the Firewall queries to see if we have a search engine. */
- if (asd->search_support_type == UNKNOWN_SEARCH_ENGINE && payloadAppId > APP_ID_NONE)
+ if (asd->search_support_type == UNKNOWN_SEARCH_ENGINE && payload_app_id > APP_ID_NONE)
{
- uint flags = AppInfoManager::get_instance().get_app_info_flags(payloadAppId, APPINFO_FLAG_SEARCH_ENGINE |
+ uint flags = AppInfoManager::get_instance().get_app_info_flags(payload_app_id, APPINFO_FLAG_SEARCH_ENGINE |
APPINFO_FLAG_SUPPORTED_SEARCH);
asd->search_support_type =
(flags & APPINFO_FLAG_SEARCH_ENGINE) ?
}
LogMessage("AppIdDbg %s appId: %u (safe)search_support_type=%s\n",
- asd->session_logging_id, payloadAppId, typeString);
+ asd->session_logging_id, payload_app_id, typeString);
}
}
if ( serviceAppId != APP_ID_NONE )
{
- if ( payloadAppId != APP_ID_NONE && payloadAppId != asd->pastIndicator)
+ if ( payload_app_id != APP_ID_NONE && payload_app_id != asd->pastIndicator)
{
- asd->pastIndicator = payloadAppId;
- check_session_for_AF_indicator(p, direction, (ApplicationId)payloadAppId);
+ asd->pastIndicator = payload_app_id;
+ check_session_for_AF_indicator(p, direction, (ApplicationId)payload_app_id);
}
if (asd->payload_app_id == APP_ID_NONE && asd->pastForecast != serviceAppId &&
{
if (sf_ip->ip32[0] == 0xFFFFFFFF)
return IPFUNCS_CHECKED;
- NetworkSet_ContainsEx(net_list, ntohl(sf_ip->ip32[0]), &flags);
+ NetworkSetManager::contains_ex(net_list, ntohl(sf_ip->ip32[0]), &flags);
}
else
{
memcpy(&ip6, sf_ip->ip32, sizeof(ip6));
- NSIPv6AddrNtoH(&ip6);
- NetworkSet_Contains6Ex(net_list, &ip6, &flags);
+ NetworkSetManager::ntoh_ipv6(&ip6);
+ NetworkSetManager::contains6_ex(net_list, &ip6, &flags);
}
return flags | IPFUNCS_CHECKED;
}
}
-void AppIdSession::set_client_app_id_data(AppId clientAppId, char** version)
+void AppIdSession::set_client_app_id_data(AppId id, char** version)
{
- if (clientAppId <= APP_ID_NONE || clientAppId == APP_ID_HTTP)
+ if (id <= APP_ID_NONE || id == APP_ID_HTTP)
return;
- if (client_app_id != clientAppId)
+ if (id != client_app_id)
{
unsigned prev_priority = app_info_mgr->get_app_info_priority(client_app_id);
- unsigned curr_priority = app_info_mgr->get_app_info_priority(clientAppId);
+ unsigned curr_priority = app_info_mgr->get_app_info_priority(id);
- if (config->mod_config->instance_id)
- checkSandboxDetection(clientAppId);
+ checkSandboxDetection(id);
if ((client_app_id) && (prev_priority > curr_priority ))
return;
- client_app_id = clientAppId;
+ client_app_id = id;
if (client_version)
snort_free(client_version);
{
size_t size;
int ret;
- AppId clientAppId = 0;
+ AppId client_app_id = 0;
AppId payload_app_id = 0;
if ((scan_flags & SCAN_SSL_HOST_FLAG) && tsession->tls_host)
{
size = strlen(tsession->tls_host);
if ((ret = ssl_scan_hostname((const uint8_t*)tsession->tls_host, size,
- &clientAppId, &payload_app_id)))
+ &client_app_id, &payload_app_id)))
{
- set_client_app_id_data(clientAppId, nullptr);
+ set_client_app_id_data(client_app_id, nullptr);
set_payload_app_id_data((ApplicationId)payload_app_id, nullptr);
- setSSLSquelch(p, ret, (ret == 1 ? payload_app_id : clientAppId));
+ setSSLSquelch(p, ret, (ret == 1 ? payload_app_id : client_app_id));
}
scan_flags &= ~SCAN_SSL_HOST_FLAG;
}
{
size = strlen(tsession->tls_cname);
if ((ret = ssl_scan_cname((const uint8_t*)tsession->tls_cname, size,
- &clientAppId, &payload_app_id)))
+ &client_app_id, &payload_app_id)))
{
- set_client_app_id_data(clientAppId, nullptr);
+ set_client_app_id_data(client_app_id, nullptr);
set_payload_app_id_data((ApplicationId)payload_app_id, nullptr);
- setSSLSquelch(p, ret, (ret == 1 ? payload_app_id : clientAppId));
+ setSSLSquelch(p, ret, (ret == 1 ? payload_app_id : client_app_id));
}
snort_free(tsession->tls_cname);
tsession->tls_cname = nullptr;
{
size = strlen(tsession->tls_orgUnit);
if ((ret = ssl_scan_cname((const uint8_t*)tsession->tls_orgUnit, size,
- &clientAppId, &payload_app_id)))
+ &client_app_id, &payload_app_id)))
{
- set_client_app_id_data(clientAppId, nullptr);
+ set_client_app_id_data(client_app_id, nullptr);
set_payload_app_id_data((ApplicationId)payload_app_id, nullptr);
- setSSLSquelch(p, ret, (ret == 1 ? payload_app_id : clientAppId));
+ setSSLSquelch(p, ret, (ret == 1 ? payload_app_id : client_app_id));
}
snort_free(tsession->tls_orgUnit);
tsession->tls_orgUnit = nullptr;
void AppIdSession::examine_rtmp_metadata()
{
AppId serviceAppId = 0;
- AppId ClientAppId = 0;
- AppId payloadAppId = 0;
+ AppId client_app_id = 0;
+ AppId payload_app_id = 0;
AppId referredPayloadAppId = 0;
char* version = nullptr;
if (hsession->url)
{
if (((get_appid_from_url(nullptr, hsession->url, &version,
- hsession->referer, &ClientAppId, &serviceAppId,
- &payloadAppId, &referredPayloadAppId, 1)) ||
+ hsession->referer, &client_app_id, &serviceAppId,
+ &payload_app_id, &referredPayloadAppId, 1)) ||
(get_appid_from_url(nullptr, hsession->url, &version,
- hsession->referer, &ClientAppId, &serviceAppId,
- &payloadAppId, &referredPayloadAppId, 0))) == 1)
+ hsession->referer, &client_app_id, &serviceAppId,
+ &payload_app_id, &referredPayloadAppId, 0))) == 1)
{
/* do not overwrite a previously-set client or service */
- if (ClientAppId <= APP_ID_NONE)
- set_client_app_id_data(ClientAppId, nullptr);
+ if (client_app_id <= APP_ID_NONE)
+ set_client_app_id_data(client_app_id, nullptr);
if (serviceAppId <= APP_ID_NONE)
set_service_appid_data(serviceAppId, nullptr, nullptr);
/* DO overwrite a previously-set data */
- set_payload_app_id_data((ApplicationId)payloadAppId, nullptr);
+ set_payload_app_id_data((ApplicationId)payload_app_id, nullptr);
set_referred_payload_app_id_data(referredPayloadAppId);
}
}
if (referred_payload_app_id != id)
{
- if (config->mod_config->instance_id)
- checkSandboxDetection(id);
-
+ checkSandboxDetection(id);
referred_payload_app_id = id;
}
}
unsigned prev_priority = app_info_mgr->get_app_info_priority(payload_app_id);
unsigned curr_priority = app_info_mgr->get_app_info_priority(id);
- if (config->mod_config->instance_id)
- checkSandboxDetection(id);
+ checkSandboxDetection(id);
if ((payload_app_id ) && (prev_priority > curr_priority ))
return;
if (id <= APP_ID_NONE)
return;
- //in drambuie, 3rd party is in INIT state after processing first GET requuest.
+ // 3rd party is in INIT state after processing first GET request.
if (id == APP_ID_HTTP)
{
if (client_service_app_id == APP_ID_NONE)
- {
client_service_app_id = id;
- }
return;
}
if (serviceAppId != id)
{
serviceAppId = id;
-
- if (config->mod_config->instance_id)
- checkSandboxDetection(id);
+ checkSandboxDetection(id);
/* Clear out previous values of vendor & version */
if (serviceVendor)
if (serviceAppId > APP_ID_NONE && !deferred)
return serviceAppId;
- if (TPIsAppIdAvailable(tpsession))
+ if (is_third_party_appid_available(tpsession))
{
if (tp_app_id > APP_ID_NONE)
return tp_app_id;
if (serviceAppId > APP_ID_NONE && !deferred)
return serviceAppId;
- if (TPIsAppIdAvailable(tpsession) && tp_app_id > APP_ID_NONE)
+ if (is_third_party_appid_available(tpsession) && tp_app_id > APP_ID_NONE)
return tp_app_id;
else if (deferred)
return serviceAppId;
}
}
-int AppIdSession::processHTTPPacket(int direction)
+int AppIdSession::process_http_packet(int direction)
{
Profile http_profile_context(httpPerfStats);
constexpr auto RESPONSE_CODE_LENGTH = 3;
HeaderMatchedPatterns hmp;
- httpSession* http_session;
int size;
char* version = nullptr;
char* vendorVersion = nullptr;
AppId service_id = 0;
AppId client_id = 0;
AppId payload_id = 0;
- AppId referredPayloadAppId = 0;
- char* host;
- char* url;
- char* useragent;
- char* referer;
- char* via;
- http_session = hsession;
+ httpSession* http_session = hsession;
if (!http_session)
{
clear_app_id_data();
}
#endif
}
- host = http_session->host;
- url = http_session->url;
- via = http_session->via;
- useragent = http_session->useragent;
- referer = http_session->referer;
+ char* host = http_session->host;
+ char* url = http_session->url;
+ char* via = http_session->via;
+ char* useragent = http_session->useragent;
+ char* referer = http_session->referer;
memset(&hmp, 0, sizeof(hmp));
if (serviceAppId == APP_ID_NONE)
{
serviceAppId = APP_ID_HTTP;
- if (config->mod_config->instance_id)
- checkSandboxDetection(APP_ID_HTTP);
+ checkSandboxDetection(APP_ID_HTTP);
}
if (session_logging_enabled)
if (!http_session->chp_finished || http_session->chp_hold_flow)
processCHP(&version, nullptr);
- if (!http_session->skip_simple_detect) // false unless a match happened with a call to
- // processCHP().
+ if (!http_session->skip_simple_detect) // true if processCHP found match
{
if (!get_session_flags(APPID_SESSION_APP_REINSPECT))
{
// Scan Server Header for Vendor & Version
-
// FIXIT-M: Should we be checking the scan_flags even when
// thirdparty_appid_module is off?
if ((thirdparty_appid_module && (scan_flags & SCAN_HTTP_VENDOR_FLAG) &&
LogMessage("AppIdDbg %s User Agent is service %d\n", session_logging_id,
service_id);
set_service_appid_data(service_id, nullptr, nullptr);
- if (session_logging_enabled && client_id > APP_ID_NONE && client_id !=
- APP_ID_HTTP && client_app_id != client_id)
+ if (session_logging_enabled && client_id > APP_ID_NONE &&
+ client_id != APP_ID_HTTP && client_app_id != client_id)
LogMessage("AppIdDbg %s User Agent is client %d\n", session_logging_id,
client_id);
set_client_app_id_data(client_id, &version);
if (scan_flags & SCAN_HTTP_HOST_URL_FLAG)
{
+ AppId referredPayloadAppId = 0;
+
if (version)
{
snort_free(version);
version = nullptr;
}
+
if (get_appid_from_url(host, url, &version, referer, &client_id, &service_id,
&payload_id, &referredPayloadAppId, 0) == 1)
{
if (tp_payload_app_id > APP_ID_NONE)
{
entry = app_info_mgr->get_app_info_entry(tp_payload_app_id);
- // only move tpPayloadAppId to client if its got a clientAppId
+ // only move tpPayloadAppId to client if its got a client_app_id
if (entry && entry->clientId > APP_ID_NONE)
{
misc_app_id = client_app_id;
else if (payload_app_id > APP_ID_NONE)
{
entry = app_info_mgr->get_app_info_entry(payload_app_id);
- // only move payloadAppId to client if it has a ClientAppid
+ // only move payload_app_id to client if it has a ClientAppid
if (entry && entry->clientId > APP_ID_NONE)
{
misc_app_id = client_app_id;
#include "protocols/packet.h"
#include "utils/sflsq.h"
-#include "appid.h"
#include "appid_api.h"
#include "application_ids.h"
-#include "flow_error.h"
#include "length_app_cache.h"
#include "service_state.h"
+#include "http_common.h"
#include "thirdparty_appid_api.h"
#include "thirdparty_appid_types.h"
-#include "http_common.h"
+#include "thirdparty_appid_utils.h"
+
+struct RNAServiceElement;
+struct RNAServiceSubtype;
+struct RNAClientAppModule;
+class AppInfoManager;
+
+using AppIdFreeFCN = void(*)(void*);
#define MAX_ATTR_LEN 1024
#define HTTP_PREFIX "http://"
(APPID_SESSION_RESPONDER_MONITORED | \
APPID_SESSION_INITIATOR_MONITORED | APPID_SESSION_DISCOVER_USER | \
APPID_SESSION_SPECIAL_MONITORED)
+
+// flow status codes
+enum AppIdFlowStatusCodes
+{
+ APPID_SESSION_SUCCESS = 0,
+ APPID_SESSION_ENULL,
+ APPID_SESSION_EINVALID,
+ APPID_SESSION_ENOMEM,
+ APPID_SESSION_NOTFOUND,
+ APPID_SESSION_BADJUJU,
+ APPID_SESSION_DISABLED,
+ APPID_SESSION_EUNSUPPORTED,
+ APPID_SESSION_STOP_PROCESSING,
+ APPID_SESSION_EEXISTS
+};
+
#define MAX_SESSION_LOGGING_ID_LEN (39+1+5+4+39+1+5+1+3+1+1+1+2+1+10+1+1+1+10+1)
-struct RNAServiceElement;
-struct RNAServiceSubtype;
-struct RNAClientAppModule;
-class AppInfoManager;
+#define MIN_SFTP_PACKET_COUNT 30
+#define MAX_SFTP_PACKET_COUNT 55
enum RNA_INSPECTION_STATE
{
RNA_STATE_FINISHED
};
+enum APPID_SESSION_DIRECTION
+{
+ APP_ID_FROM_INITIATOR,
+ APP_ID_FROM_RESPONDER,
+ APP_ID_APPID_SESSION_DIRECTION_MAX // Maximum value of a direction (must be last in the list)
+};
+
struct AppIdFlowData
{
AppIdFlowData* next;
int flow_prepared;
};
+#define RESPONSE_CODE_PACKET_THRESHHOLD 0
+
struct httpSession
{
char* host;
static AppIdSession* create_future_session(const Packet*, const sfip_t*, uint16_t, const sfip_t*,
uint16_t, IpProtocol, int16_t, int);
static void do_application_discovery(Packet*);
- int processHTTPPacket(int);
+ static void add_user(AppIdSession*, const char* username, AppId, int success);
+ static void add_payload(AppIdSession*, AppId);
AppIdConfig* config = nullptr;
CommonAppIdData common;
uint16_t service_port = 0;
IpProtocol protocol = IpProtocol::PROTO_NOT_SET;
uint8_t previous_tcp_flags = 0;
+
// AppId matching service side
+ RNA_INSPECTION_STATE rnaServiceState = RNA_STATE_NONE;
AppId serviceAppId = APP_ID_NONE;
AppId portServiceAppId = APP_ID_NONE;
- // RNAServiceElement for identifying detector
const RNAServiceElement* serviceData = nullptr;
- RNA_INSPECTION_STATE rnaServiceState = RNA_STATE_NONE;
char* serviceVendor = nullptr;
char* serviceVersion = nullptr;
RNAServiceSubtype* subtype = nullptr;
char* netbios_name = nullptr;
SF_LIST* candidate_service_list = nullptr;
unsigned int num_candidate_services_tried = 0;
- int got_incompatible_services = 0;
+ bool got_incompatible_services = false;
- /**AppId matching client side */
+ // AppId matching client side
+ RNA_INSPECTION_STATE rna_client_state = RNA_STATE_NONE;
AppId client_app_id = APP_ID_NONE;
AppId client_service_app_id = APP_ID_NONE;
char* client_version = nullptr;
- /**RNAClientAppModule for identifying client detector*/
const RNAClientAppModule* rna_client_data = nullptr;
- RNA_INSPECTION_STATE rna_client_state = RNA_STATE_NONE;
SF_LIST* candidate_client_list = nullptr;
unsigned int num_candidate_clients_tried = 0;
bool tried_reverse_service = false;
- /**AppId matching payload*/
+ // AppId matching payload
AppId payload_app_id = APP_ID_NONE;
AppId referred_payload_app_id = APP_ID_NONE;
AppId misc_app_id = APP_ID_NONE;
- //appId determined by 3rd party library
+ // appId determined by 3rd party library
AppId tp_app_id = APP_ID_NONE;
AppId tp_payload_app_id = APP_ID_NONE;
AppId fw_pick_payload_app_id();
AppId fw_pick_referred_payload_app_id();
bool is_ssl_session_decrypted();
- int processHTTPPacket(Packet*, int, HttpParsedHeaders* const);
+ int process_http_packet(Packet*, int, HttpParsedHeaders* const);
+ int process_http_packet(int);
private:
bool do_client_discovery(int, Packet*);
static THREAD_LOCAL AppIdFlowData* fd_free_list;
};
+inline bool is_third_party_appid_done(void* tp_session)
+{
+ if (thirdparty_appid_module)
+ {
+ unsigned state;
+
+ if (tp_session)
+ state = thirdparty_appid_module->session_state_get(tp_session);
+ else
+ state = TP_STATE_INIT;
+
+ return (state == TP_STATE_CLASSIFIED || state == TP_STATE_TERMINATED
+ || state == TP_STATE_HA);
+ }
+
+ return true;
+}
+
+inline bool is_third_party_appid_available(void* tp_session)
+{
+ if (thirdparty_appid_module)
+ {
+ unsigned state;
+
+ if (tp_session)
+ state = thirdparty_appid_module->session_state_get(tp_session);
+ else
+ state = TP_STATE_INIT;
+
+ return (state == TP_STATE_CLASSIFIED || state == TP_STATE_TERMINATED
+ || state == TP_STATE_MONITORING);
+ }
+
+ return true;
+}
+
#endif
#include "appid_session.h"
#include "app_info_table.h"
#include "appid_utils/fw_avltree.h"
-#include "appid_utils/output_file.h"
#define URLCATBUCKETS 100
#define URLREPBUCKETS 5
return bucket;
}
+static FILE* open_stats_log_file(const char* const filename, time_t tstamp)
+{
+ FILE* fp;
+ char output_fullpath[512];
+ time_t curr_time;
+
+ if (tstamp)
+ curr_time = tstamp;
+ else
+ curr_time = time(nullptr);
+
+ snprintf(output_fullpath, sizeof(output_fullpath), "%s.%lu", filename, curr_time);
+ LogMessage("Opening %s for AppId statistics logging.\n", output_fullpath);
+
+ if ((fp = fopen(output_fullpath, "w")) == nullptr)
+ {
+ ErrorMessage("Unable to open output file \"%s\": %s\n for AppId statistics logging.",output_fullpath, strerror(errno));
+ }
+ return fp;
+}
+
+static FILE* rollover_stats_log_file(const char* const filename, FILE* const oldfp, time_t tstamp)
+{
+ fclose(oldfp);
+ return open_stats_log_file(filename, tstamp);
+}
+
static void dump_statistics()
{
struct StatsBucket* bucket = nullptr;
{
if (!appfp)
{
- appfp = openOutputFile(appid_stats_filename, currTime);
+ appfp = open_stats_log_file(appid_stats_filename, currTime);
appTime = currTime;
appSize = 0;
}
else if (((currTime - appTime) > rollPeriod) ||
((appSize + buffSize) > rollSize))
{
- appfp = rolloverOutputFile(appid_stats_filename, appfp, currTime);
+ appfp = rollover_stats_log_file(appid_stats_filename, appfp, currTime);
appTime = currTime;
appSize = 0;
}
// sfutil.cc author Sourcefire Inc.
-#include "sfutil.h"
-#include "common_util.h"
+#include "appid_utils.h"
+#include <cctype>
#include <string.h>
-#include <stdint.h>
-#include <stdlib.h>
#include "utils/util.h"
-int Split(char* data, char** toklist, int max_toks, const char* separator)
+int AppIdUtils::split(char* data, char** toklist, int max_toks, const char* separator)
{
char** ap;
int argcount = 0;
memset(toklist, 0, max_toks * sizeof(*toklist));
for (ap = (char**)toklist;
- ap < &toklist[max_toks] && (*ap=strsep(&data, separator)) != nullptr; )
+ ap < &toklist[max_toks] && (*ap = strsep(&data, separator)) != nullptr; )
{
if (**ap != '\0')
{
return argcount;
}
-void InitNetmasks(uint32_t netmasks[])
+void AppIdUtils::init_netmasks(uint32_t netmasks[])
{
netmasks[0] = 0x0;
netmasks[1] = 0x80000000;
netmasks[32] = 0xFFFFFFFF;
}
-int strip(char* data)
+int AppIdUtils::strip(char* data)
{
int size;
char* idx;
return size;
}
-int Tokenize(char* data, char* toklist[])
+int AppIdUtils::tokenize(char* data, char* toklist[])
{
char** ap;
int argcount = 0;
return argcount;
}
+// FIXIT-L - refactor this to be a general snort utility...also look at LogBuffer() in u2spewfoo.cc
+void AppIdUtils::dump_hex(FILE* fp, const uint8_t* data, unsigned len)
+{
+ char str[18];
+ unsigned i;
+ unsigned pos;
+ char c;
+
+ for (i=0, pos=0; i<len; i++, pos++)
+ {
+ if (pos == 17)
+ {
+ str[pos] = 0;
+ fprintf(fp, " %s\n", str);
+ pos = 0;
+ }
+ else if (pos == 8)
+ {
+ str[pos] = ' ';
+ pos++;
+ fprintf(fp, "%s", " ");
+ }
+ c = (char)data[i];
+ if (isprint(c) && !isspace(c))
+ str[pos] = c;
+ else
+ str[pos] = '.';
+ fprintf(fp, "%02X ", data[i]);
+ }
+ if (pos)
+ {
+ str[pos] = 0;
+ for (; pos < 17; pos++)
+ {
+ if (pos == 8)
+ {
+ str[pos] = ' ';
+ pos++;
+ fprintf(fp, "%s", " ");
+ }
+ else
+ {
+ fprintf(fp, "%s", " ");
+ }
+ }
+ fprintf(fp, " %s\n", str);
+ }
+}
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// sfutil.h author Sourcefire Inc.
+// appid_utils.h author Sourcefire Inc.
#ifndef SFUTIL_H
#define SFUTIL_H
-#include <stdint.h>
+#include <cstdio>
+#include <cstdint>
+
+#define MAX_TOKS 256
+
+class AppIdUtils
+{
+public:
+ static int tokenize(char* data, char* toklist[]);
+ static int strip(char* data);
+ static void init_netmasks(uint32_t netmasks[]);
+ static int split(char* data, char** toklist, int max_toks, const char* separator);
+ static void dump_hex(FILE* fp, const uint8_t* data, unsigned len);
+};
-extern int Tokenize(char* data, char* toklist[]);
-extern int strip(char* data);
-extern void InitNetmasks(uint32_t netmasks[]);
-extern int Split(char* data, char** toklist, int max_toks, const char* separator);
#endif
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// common_util.h author Sourcefire Inc.
-
-#ifndef COMMON_UTIL_H
-#define COMMON_UTIL_H
-
-#include <cstdint>
-#include <cstdio>
-#include <ctime>
-#include <cctype>
-
-#include "framework/decode_data.h"
-
-struct ConfigItem
-{
- char* name; /* name of the config item */
- char* value; /* config item value */
-};
-
-#define MAX_LINE 2048
-#define MAX_TOKS 256
-
-inline void DumpHex(FILE* fp, const uint8_t* data, unsigned len)
-{
- char str[18];
- unsigned i;
- unsigned pos;
- char c;
-
- for (i=0, pos=0; i<len; i++, pos++)
- {
- if (pos == 17)
- {
- str[pos] = 0;
- fprintf(fp, " %s\n", str);
- pos = 0;
- }
- else if (pos == 8)
- {
- str[pos] = ' ';
- pos++;
- fprintf(fp, "%s", " ");
- }
- c = (char)data[i];
- if (isprint(c) && !isspace(c))
- str[pos] = c;
- else
- str[pos] = '.';
- fprintf(fp, "%02X ", data[i]);
- }
- if (pos)
- {
- str[pos] = 0;
- for (; pos < 17; pos++)
- {
- if (pos == 8)
- {
- str[pos] = ' ';
- pos++;
- fprintf(fp, "%s", " ");
- }
- else
- {
- fprintf(fp, "%s", " ");
- }
- }
- fprintf(fp, " %s\n", str);
- }
-}
-
-#endif
-
#include "ip_funcs.h"
-#include "sfutil.h"
+#include "appid_utils.h"
#include "log/messages.h"
#include "utils/util.h"
return nullptr;
ias = (RNAIpAddrSet*)snort_calloc(sizeof(RNAIpAddrSet));
- strip(ipstring);
+ AppIdUtils::strip(ipstring);
cp = ipstring;
if (*cp == 'h')
{
return ias;
}
- num_toks = Split(cp, toks, 2, "/");
+ num_toks = AppIdUtils::split(cp, toks, 2, "/");
if (inet_pton(AF_INET, toks[0], &ia) <= 0)
{
return nullptr;
ias = (RNAIpv6AddrSet*)snort_calloc(sizeof(*ias));
- strip(ipstring);
+ AppIdUtils::strip(ipstring);
cp = ipstring;
if (*cp == 'h')
{
return ias;
}
- num_toks = Split(cp, toks, 2, "/");
+ num_toks = AppIdUtils::split(cp, toks, 2, "/");
if (inet_pton(AF_INET6, toks[0], &ia) <= 0)
{
return nullptr;
}
memcpy(&ias->range_min, (const void*)&ia, sizeof(ias->range_min));
- NSIPv6AddrNtoH(&ias->range_min);
+ NetworkSetManager::ntoh_ipv6(&ias->range_min);
if (num_toks > 1)
{
#include "log/messages.h"
#include "utils/util.h"
-int NetworkSet_New(NetworkSet** network_set)
+int NetworkSetManager::create(NetworkSet** network_set)
{
- NetworkSet* tmp = nullptr;
-
if (!network_set)
return -1;
- tmp = (NetworkSet*)snort_calloc(sizeof(NetworkSet));
+ NetworkSet* tmp = (NetworkSet*)snort_calloc(sizeof(NetworkSet));
sflist_init(&tmp->networks);
tmp->ids = sfxhash_new(64, sizeof(unsigned), 0, 0, 0, nullptr, nullptr, 1);
if (tmp->ids == nullptr)
{
ErrorMessage("NetworkSet:Out of memory (wanted %zu bytes)", sizeof(NetworkSet));
- NetworkSet_Destroy(tmp);
+ destroy(tmp);
return -1;
}
if (tmp->ids6 == nullptr)
{
ErrorMessage("NetworkSet:Out of memory (wanted %zu bytes)", sizeof(NetworkSet));
- NetworkSet_Destroy(tmp);
+ destroy(tmp);
return -1;
}
*network_set = tmp;
-
return 0;
}
-int NetworkSet_Destroy(NetworkSet* network_set)
+int NetworkSetManager::destroy(NetworkSet* network_set)
{
if (!network_set)
return -1;
return 0;
}
-int NetworkSet_AddNetworkRangeEx(NetworkSet* network_set, uint32_t range_min,
+int NetworkSetManager::add_network_range_ex(NetworkSet* network_set, uint32_t range_min,
uint32_t range_max, unsigned cidr_bits, int ip_not, unsigned id, unsigned type)
{
- Network* network;
- Network* iNetwork;
- int rval;
-
if (!network_set)
return -1;
- network = (Network*)snort_calloc(sizeof(Network));
+ Network* network = (Network*)snort_calloc(sizeof(Network));
network->info.id = id;
network->info.ip_not = ip_not;
network->info.type = type;
{
SF_LNODE* iter = nullptr;
- for (iNetwork = (Network*)sflist_first(&network_set->networks, &iter);
+ for (Network* iNetwork = (Network*)sflist_first(&network_set->networks, &iter);
iNetwork;
iNetwork = (Network*)sflist_next(&iter))
{
}
sflist_add_tail(&network_set->networks, (void*)network);
- rval = sfxhash_add(network_set->ids, &network->info.id, &network->info.id);
+ int rval = sfxhash_add(network_set->ids, &network->info.id, &network->info.id);
if (rval != SFXHASH_OK && rval != SFXHASH_INTABLE)
{
ErrorMessage("NetworkSet:Out of memory");
return 0;
}
-int NetworkSet_AddNetworkRange(NetworkSet* network_set, uint32_t range_min,
+int NetworkSetManager::add_network_range(NetworkSet* network_set, uint32_t range_min,
uint32_t range_max, unsigned cidr_bits, int ip_not, unsigned id)
{
- return NetworkSet_AddNetworkRangeEx(network_set, range_min, range_max, cidr_bits, ip_not, id,
+ return add_network_range_ex(network_set, range_min, range_max, cidr_bits, ip_not, id,
0);
}
-int NetworkSet_AddNetworkRange6Ex(NetworkSet* network_set, NSIPv6Addr* range_min,
+int NetworkSetManager::add_network_range6(NetworkSet* network_set, NSIPv6Addr* range_min,
NSIPv6Addr* range_max, unsigned cidr_bits, int ip_not, unsigned id, unsigned type)
{
- Network6* network;
- Network6* iNetwork;
- int rval;
-
if (!network_set)
return -1;
- network = (Network6*)snort_calloc(sizeof(Network6));
+ Network6* network = (Network6*)snort_calloc(sizeof(Network6));
network->info.id = id;
network->info.ip_not = ip_not;
network->info.type = type;
network->info.netmask = cidr_bits;
- if (NSIPv6AddrCompare(range_min, range_max) <= 0)
+ if (compare_ipv6_address(range_min, range_max) <= 0)
{
network->range_min = *range_min;
network->range_max = *range_max;
{
SF_LNODE* iter = nullptr;
- for (iNetwork = (Network6*)sflist_first(&network_set->networks6, &iter);
+ for (Network6* iNetwork = (Network6*)sflist_first(&network_set->networks6, &iter);
iNetwork;
iNetwork = (Network6*)sflist_next(&iter))
{
if (iNetwork->info.id == network->info.id &&
- !NSIPv6AddrCompare(&iNetwork->range_min, &network->range_min) &&
- !NSIPv6AddrCompare(&iNetwork->range_max, &network->range_max))
+ !compare_ipv6_address(&iNetwork->range_min, &network->range_min) &&
+ !compare_ipv6_address(&iNetwork->range_max, &network->range_max))
{
iNetwork->info.type |= network->info.type;
snort_free(network);
}
sflist_add_tail(&network_set->networks6, (void*)network);
- rval = sfxhash_add(network_set->ids6, &network->info.id, &network->info.id);
+ int rval = sfxhash_add(network_set->ids6, &network->info.id, &network->info.id);
if (rval != SFXHASH_OK && rval != SFXHASH_INTABLE)
{
ErrorMessage("NetworkSet:Out of memory");
return 0;
}
-int NetworkSet_AddNetworkRange6(NetworkSet* network_set, NSIPv6Addr* range_min,
+int NetworkSetManager::add_network_range6(NetworkSet* network_set, NSIPv6Addr* range_min,
NSIPv6Addr* range_max, unsigned cidr_bits, int ip_not, unsigned id)
{
- return NetworkSet_AddNetworkRange6Ex(network_set, range_min, range_max, cidr_bits, ip_not, id,
+ return add_network_range6(network_set, range_min, range_max, cidr_bits, ip_not, id,
0);
}
-int NetworkSet_AddNetworkRangeOnlyIPv6(NetworkSet* network_set, int ip_not, unsigned id, unsigned
+int NetworkSetManager::add_network_range_only_ipv6(NetworkSet* network_set, int ip_not, unsigned id, unsigned
type)
{
// Use two ranges to represent all of IPv6, excluding the IPv4-mapped range, ::FFFF:*.*.*.*
- int rval;
NSIPv6Addr range_min, range_max;
range_min.lo = 0;
range_min.hi = 0;
range_max.lo = 0x0000FFFEFFFFFFFFULL; // 0x0000FFFF00000000 - 1
range_max.hi = 0;
- rval = NetworkSet_AddNetworkRange6Ex(network_set, &range_min, &range_max, 0, ip_not, id, type);
+ int rval = add_network_range6(network_set, &range_min, &range_max, 0, ip_not, id, type);
range_min.lo = 0x0001000000000000ULL; // 0x0000FFFFFFFFFFFF + 1
range_min.hi = 0;
range_max.lo = 0xFFFFFFFFFFFFFFFFULL;
range_max.hi = 0xFFFFFFFFFFFFFFFFULL;
- return rval ? rval : NetworkSet_AddNetworkRange6Ex(network_set, &range_min, &range_max, 0,
+ return rval ? rval : add_network_range6(network_set, &range_min, &range_max, 0,
ip_not, id, type);
}
-static inline int NetworkSet_AddNetwork(NetworkSet* network_set, uint32_t ip,
- unsigned cidr_bits, uint32_t mask, int ip_not, unsigned id, unsigned type)
-{
- uint32_t range_min;
- uint32_t range_max;
-
- range_min = ip & mask;
- range_max = range_min + ~mask;
- return NetworkSet_AddNetworkRangeEx(network_set, range_min, range_max, cidr_bits, ip_not, id,
- type);
-}
-
-int NetworkSet_AddCidrBlockEx(NetworkSet* network_set, uint32_t ip,
+int NetworkSetManager::add_cidr_block_ex(NetworkSet* network_set, uint32_t ip,
unsigned cidr_bits, int ip_not, unsigned id, unsigned type)
{
- uint32_t mask;
-
if (cidr_bits > 32)
return -1;
- /* Convert cidr to netmask */
- if (cidr_bits == 0)
- mask = 0;
- else
- mask = 0xffffffff << (32 - cidr_bits);
-
- return NetworkSet_AddNetwork(network_set, ip, cidr_bits, mask, ip_not, id, type);
+ uint32_t mask = (cidr_bits == 0) ? 0 : 0xffffffff << (32 - cidr_bits);
+ uint32_t range_min = ip & mask;
+ uint32_t range_max = range_min + ~mask;
+ return add_network_range_ex(network_set, range_min, range_max, cidr_bits,
+ ip_not, id, type);
}
-int NetworkSet_AddCidrBlock(NetworkSet* network_set, uint32_t ip,
+int NetworkSetManager::add_cidr_block(NetworkSet* network_set, uint32_t ip,
unsigned cidr_bits, int ip_not, unsigned id)
{
- return NetworkSet_AddCidrBlockEx(network_set, ip, cidr_bits, ip_not, id, 0);
-}
-
-static inline int NetworkSet_AddNetwork6(NetworkSet* network_set, NSIPv6Addr* ip,
- unsigned cidr_bits, NSIPv6Addr* mask, int ip_not, unsigned id, unsigned type)
-{
- NSIPv6Addr range_min;
- NSIPv6Addr range_max;
-
- range_min.lo = ip->lo & mask->lo;
- range_min.hi = ip->hi & mask->hi;
- range_max.lo = range_min.lo + ~mask->lo;
- range_max.hi = range_min.hi + ~mask->hi;
- return NetworkSet_AddNetworkRange6Ex(network_set, &range_min, &range_max, cidr_bits, ip_not,
- id, type);
+ return add_cidr_block_ex(network_set, ip, cidr_bits, ip_not, id, 0);
}
-int NetworkSet_AddCidrBlock6Ex(NetworkSet* network_set, NSIPv6Addr* ip,
+int NetworkSetManager::add_cidr_block6_ex(NetworkSet* network_set, NSIPv6Addr* ip,
unsigned cidr_bits, int ip_not, unsigned id, unsigned type)
{
NSIPv6Addr mask;
mask.lo = ULLONG_MAX << (128 - cidr_bits);
}
- return NetworkSet_AddNetwork6(network_set, ip, cidr_bits, &mask, ip_not, id, type);
+ NSIPv6Addr range_min;
+ NSIPv6Addr range_max;
+
+ range_min.lo = ip->lo & mask.lo;
+ range_min.hi = ip->hi & mask.hi;
+ range_max.lo = range_min.lo + ~mask.lo;
+ range_max.hi = range_min.hi + ~mask.hi;
+ return add_network_range6(network_set, &range_min, &range_max, cidr_bits, ip_not,
+ id, type);
}
-int NetworkSet_AddCidrBlock6(NetworkSet* network_set, NSIPv6Addr* ip,
+int NetworkSetManager::add_cidr_block6(NetworkSet* network_set, NSIPv6Addr* ip,
unsigned cidr_bits, int ip_not, unsigned id)
{
- return NetworkSet_AddCidrBlock6Ex(network_set, ip, cidr_bits, ip_not, id, 0);
+ return add_cidr_block6_ex(network_set, ip, cidr_bits, ip_not, id, 0);
}
-static inline void NetworkList_Fprintf(NetworkSet* network_set, const char* prefix, FILE* stream)
+int NetworkSetManager::log_network_set(NetworkSet* network_set, const char* prefix, FILE* stream)
{
- Network* network;
- Network6* network6;
- struct in_addr four;
- NSIPv6Addr six;
SF_LNODE* iter = nullptr;
char min_ip[INET6_ADDRSTRLEN];
char max_ip[INET6_ADDRSTRLEN];
- for (network = (Network*)sflist_first(&network_set->networks, &iter);
+ if (!network_set)
+ return -1;
+
+ if (!prefix)
+ prefix = "";
+
+ if (!stream)
+ stream = stdout;
+
+ for (Network* network = (Network*)sflist_first(&network_set->networks, &iter);
network;
network = (Network*)sflist_next(&iter))
{
+ struct in_addr four;
four.s_addr = htonl(network->range_min);
inet_ntop(AF_INET, &four, min_ip, sizeof(min_ip));
four.s_addr = htonl(network->range_max);
/* check containment for this network */
fprintf(stream, "%s%s%s-%s for %u with %08X\n", prefix, network->info.ip_not ? "!" : "",
- min_ip, max_ip,
- network->info.id, network->info.type);
+ min_ip, max_ip, network->info.id, network->info.type);
}
- for (network6 = (Network6*)sflist_first(&network_set->networks6, &iter);
+ for (Network6* network6 = (Network6*)sflist_first(&network_set->networks6, &iter);
network6;
network6 = (Network6*)sflist_next(&iter))
{
- six = network6->range_min;
- NSIPv6AddrHtoN(&six);
+ NSIPv6Addr six = network6->range_min;
+ ntoh_ipv6(&six);
inet_ntop(AF_INET6, (struct in6_addr*)&six, min_ip, sizeof(min_ip));
six = network6->range_max;
- NSIPv6AddrHtoN(&six);
+ ntoh_ipv6(&six);
inet_ntop(AF_INET6, (struct in6_addr*)&six, max_ip, sizeof(max_ip));
/* check containment for this network */
fprintf(stream, "%s%s%s-%s for %u with %08X\n", prefix, network6->info.ip_not ? "!" : "",
- min_ip, max_ip,
- network6->info.id, network6->info.type);
+ min_ip, max_ip, network6->info.id, network6->info.type);
}
-}
-
-int NetworkSet_Fprintf(NetworkSet* network_set, const char* prefix, FILE* stream)
-{
- if (!network_set)
- return -1;
-
- if (!prefix)
- prefix = "";
-
- if (!stream)
- stream = stdout;
-
- NetworkList_Fprintf(network_set, prefix, stream);
return 0;
}
-static inline int NetworkSet_OrderByNetmask(SF_LIST* ordered_networks, SF_LIST* networks, unsigned
+int NetworkSetManager::order_by_netmask(SF_LIST* ordered_networks, SF_LIST* networks, unsigned
id)
{
SF_LNODE* node = nullptr;
NODE_DATA node_data;
- NSNetworkInfo* network;
sflist_init(ordered_networks);
do
SF_LNODE* iter = nullptr;
node_data = nullptr;
- for (network = (NSNetworkInfo*)sflist_first(networks, &iter);
+ for (NSNetworkInfo* network = (NSNetworkInfo*)sflist_first(networks, &iter);
network;
network = (NSNetworkInfo*)sflist_next(&iter))
{
return 0;
}
-static inline int NetworkSet_AddList(SF_LIST* networks, SF_LIST* new_networks)
+int NetworkSetManager::add_network_list(SF_LIST* networks, SF_LIST* new_networks)
{
void* network;
return 0;
}
-static inline int NetworkSet_ReduceNetworkSet(SF_LIST* networks)
+int NetworkSetManager::reduce_network_set(SF_LIST* networks)
{
Network* ias;
Network* i_ias;
return 0;
}
-static inline int NetworkSet_ReduceNetworkSet6(SF_LIST* networks)
+int NetworkSetManager::reduce_network_set6(SF_LIST* networks)
{
Network6* ias;
Network6* i_ias;
i_ias ******
ias ***************
*/
- if (NSIPv6AddrCompare(&ias->range_min, &i_ias->range_min) <= 0 &&
- NSIPv6AddrCompare(&ias->range_max, &i_ias->range_max) >= 0)
+ if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) <= 0 &&
+ compare_ipv6_address(&ias->range_max, &i_ias->range_max) >= 0)
{
sflist_remove_node(&reduced_networks, iter);
changed = true;
i_ias ************
ias ************
*/
- else if (NSIPv6AddrCompare(&ias->range_min, &i_ias->range_min) > 0 &&
- NSIPv6AddrCompare(&ias->range_min, &i_ias->range_max) <= 0)
+ else if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) > 0 &&
+ compare_ipv6_address(&ias->range_min, &i_ias->range_max) <= 0)
{
tmp = i_ias->range_max;
i_ias->range_max = ias->range_min;
- NSIPv6AddrDec(&i_ias->range_max);
- if (NSIPv6AddrCompare(&ias->range_max, &tmp) < 0)
+ decrement_ipv6_addr(&i_ias->range_max);
+ if (compare_ipv6_address(&ias->range_max, &tmp) < 0)
{
new_ias = (Network6*)snort_calloc(sizeof(Network6));
*new_ias = *i_ias;
new_ias->range_min = ias->range_max;
- NSIPv6AddrInc(&new_ias->range_min);
+ increment_ipv6_addr(&new_ias->range_min);
new_ias->range_max = tmp;
sflist_add_tail(&reduced_networks, new_ias);
changed = true;
i_ias ************
ias ****
*/
- else if (NSIPv6AddrCompare(&ias->range_max, &i_ias->range_min) >= 0 &&
- NSIPv6AddrCompare(&ias->range_max, &i_ias->range_max) <= 0)
+ else if (compare_ipv6_address(&ias->range_max, &i_ias->range_min) >= 0 &&
+ compare_ipv6_address(&ias->range_max, &i_ias->range_max) <= 0)
{
tmp = i_ias->range_min;
i_ias->range_min = ias->range_max;
- NSIPv6AddrInc(&i_ias->range_min);
- if (NSIPv6AddrCompare(&ias->range_min, &tmp) > 0)
+ increment_ipv6_addr(&i_ias->range_min);
+ if (compare_ipv6_address(&ias->range_min, &tmp) > 0)
{
new_ias = (Network6*)snort_calloc(sizeof(Network6));
*new_ias = *i_ias;
new_ias->range_min = tmp;
new_ias->range_max = ias->range_min;
- NSIPv6AddrDec(&new_ias->range_max);
+ decrement_ipv6_addr(&new_ias->range_max);
sflist_add_tail(&reduced_networks, new_ias);
changed = true;
}
i_ias ******
ias ***************
*/
- if (NSIPv6AddrCompare(&ias->range_min, &i_ias->range_min) <= 0 &&
- NSIPv6AddrCompare(&ias->range_max, &i_ias->range_max) >= 0)
+ if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) <= 0 &&
+ compare_ipv6_address(&ias->range_max, &i_ias->range_max) >= 0)
{
sflist_remove_node(&reduced_networks, iter);
changed = true;
i_ias ***************
ias ******
*/
- else if (NSIPv6AddrCompare(&i_ias->range_min, &ias->range_min) <= 0 &&
- NSIPv6AddrCompare(&i_ias->range_max, &ias->range_max) >= 0)
+ else if (compare_ipv6_address(&i_ias->range_min, &ias->range_min) <= 0 &&
+ compare_ipv6_address(&i_ias->range_max, &ias->range_max) >= 0)
{
ias->range_min = i_ias->range_min;
ias->range_max = i_ias->range_max;
i_ias ************
ias ************
*/
- else if (NSIPv6AddrCompare(&ias->range_min, &i_ias->range_min) > 0 &&
- NSIPv6AddrCompare(&ias->range_min, &i_ias->range_max) <= 0)
+ else if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) > 0 &&
+ compare_ipv6_address(&ias->range_min, &i_ias->range_max) <= 0)
{
i_ias->range_max = ias->range_min;
- NSIPv6AddrDec(&i_ias->range_max);
+ decrement_ipv6_addr(&i_ias->range_max);
}
/*
i_ias ************
ias ************
*/
- else if (NSIPv6AddrCompare(&ias->range_max, &i_ias->range_min) >= 0 &&
- NSIPv6AddrCompare(&ias->range_max, &i_ias->range_max) < 0)
+ else if (compare_ipv6_address(&ias->range_max, &i_ias->range_min) >= 0 &&
+ compare_ipv6_address(&ias->range_max, &i_ias->range_max) < 0)
{
i_ias->range_min = ias->range_max;
- NSIPv6AddrInc(&i_ias->range_min);
+ increment_ipv6_addr(&i_ias->range_min);
}
}
else /* different types */
i_ias ******
ias ******
*/
- if (!NSIPv6AddrCompare(&ias->range_min, &i_ias->range_min) &&
- !NSIPv6AddrCompare(&ias->range_max, &i_ias->range_max))
+ if (!compare_ipv6_address(&ias->range_min, &i_ias->range_min) &&
+ !compare_ipv6_address(&ias->range_max, &i_ias->range_max))
{
i_ias->info.type = ias->info.type;
snort_free(ias);
i_ias ******
ias ***************
*/
- else if (NSIPv6AddrCompare(&ias->range_min, &i_ias->range_min) < 0 &&
- NSIPv6AddrCompare(&ias->range_max, &i_ias->range_max) >= 0)
+ else if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) < 0 &&
+ compare_ipv6_address(&ias->range_max, &i_ias->range_max) >= 0)
{
sflist_remove_node(&reduced_networks, iter);
snort_free(i_ias);
i_ias ************
ias ******
*/
- else if (NSIPv6AddrCompare(&ias->range_min, &i_ias->range_min) > 0 &&
- NSIPv6AddrCompare(&ias->range_min, &i_ias->range_max) <= 0)
+ else if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) > 0 &&
+ compare_ipv6_address(&ias->range_min, &i_ias->range_max) <= 0)
{
tmp = i_ias->range_max;
i_ias->range_max = ias->range_min;
- NSIPv6AddrDec(&i_ias->range_max);
- if (NSIPv6AddrCompare(&ias->range_max, &tmp) < 0)
+ decrement_ipv6_addr(&i_ias->range_max);
+ if (compare_ipv6_address(&ias->range_max, &tmp) < 0)
{
new_ias = (Network6*)snort_calloc(sizeof(Network6));
*new_ias = *i_ias;
new_ias->range_min = ias->range_max;
- NSIPv6AddrInc(&new_ias->range_min);
+ increment_ipv6_addr(&new_ias->range_min);
new_ias->range_max = tmp;
sflist_add_tail(&reduced_networks, new_ias);
changed = true;
i_ias ************
ias ****
*/
- else if (NSIPv6AddrCompare(&ias->range_max, &i_ias->range_min) > 0 &&
- NSIPv6AddrCompare(&ias->range_max, &i_ias->range_max) < 0)
+ else if (compare_ipv6_address(&ias->range_max, &i_ias->range_min) > 0 &&
+ compare_ipv6_address(&ias->range_max, &i_ias->range_max) < 0)
{
i_ias->range_min = ias->range_max;
- NSIPv6AddrInc(&i_ias->range_min);
+ increment_ipv6_addr(&i_ias->range_min);
}
}
ias ***
*/
tmp = i_ias->range_max;
- NSIPv6AddrInc(&tmp);
+ increment_ipv6_addr(&tmp);
tmp2 = ias->range_max;
- NSIPv6AddrInc(&tmp2);
- if ((ias->range_min.lo || ias->range_min.hi) && !NSIPv6AddrCompare(&tmp,
- &ias->range_min))
+ increment_ipv6_addr(&tmp2);
+ if ((ias->range_min.lo || ias->range_min.hi) &&
+ !compare_ipv6_address(&tmp, &ias->range_min))
{
i_ias->range_max = ias->range_max;
sflist_remove_node(&reduced_networks, outer_iter);
ias *****
*/
else if ((i_ias->range_min.lo || i_ias->range_min.hi) &&
- !NSIPv6AddrCompare(&tmp2, &i_ias->range_min))
+ !compare_ipv6_address(&tmp2, &i_ias->range_min))
{
i_ias->range_min = ias->range_min;
sflist_remove_node(&reduced_networks, outer_iter);
return 0;
}
-int NetworkSet_Reduce(NetworkSet* network_set)
+int NetworkSetManager::reduce(NetworkSet* network_set)
{
SFXHASH_NODE* hnode;
unsigned id;
Network6* network6;
unsigned tmp;
int count;
- int i;
- int j;
if (!network_set)
return -1;
- for (hnode=sfxhash_gfindfirst(network_set->ids); hnode; hnode=sfxhash_gfindnext(
- network_set->ids))
+ for (hnode = sfxhash_gfindfirst(network_set->ids);
+ hnode;
+ hnode=sfxhash_gfindnext(network_set->ids))
{
id = *(unsigned*)(hnode->data);
- if ((rval = NetworkSet_OrderByNetmask(&ordered_networks, &network_set->networks, id)) != 0)
+ if ((rval = order_by_netmask(&ordered_networks, &network_set->networks, id)) != 0)
{
sflist_free_all(&ordered_networks, &snort_free);
return rval;
}
- if ((rval = NetworkSet_ReduceNetworkSet(&ordered_networks)) != 0)
+ if ((rval = reduce_network_set(&ordered_networks)) != 0)
{
sflist_free_all(&ordered_networks, &snort_free);
return rval;
}
- if ((rval = NetworkSet_AddList(&network_set->networks, &ordered_networks)) != 0)
+ if ((rval = add_network_list(&network_set->networks, &ordered_networks)) != 0)
{
sflist_free_all(&ordered_networks, &snort_free);
return rval;
}
}
- if ((rval = NetworkSet_ReduceNetworkSet(&network_set->networks)) != 0)
+ if ((rval = reduce_network_set(&network_set->networks)) != 0)
{
sflist_free_all(&ordered_networks, &snort_free);
return rval;
}
tmp = 0;
- if ((rval = NetworkSet_Count(network_set, &tmp)) != 0)
+ if ((rval = count4(network_set, &tmp)) != 0)
return rval;
count = (int)tmp;
}
network_set->pnetwork = (Network**)snort_calloc(count * sizeof(Network*));
SF_LNODE* iter = nullptr;
- for (network = (Network*)sflist_first(&network_set->networks, &iter), i = 0;
+ int i = 0;
+ for (network = (Network*)sflist_first(&network_set->networks, &iter);
network && i < count;
network = (Network*)sflist_next(&iter))
{
network_set->pnetwork[i++] = network;
}
/* bubble sort this array */
- for (i = (count - 1); i >= 0; i--)
+ for (int i = (count - 1); i >= 0; i--)
{
- for (j = 1; j <= i; j++ )
+ for (int j = 1; j <= i; j++)
{
- if (network_set->pnetwork[j-1]->range_min > network_set->pnetwork[j]->range_min)
+ if (network_set->pnetwork[j - 1]->range_min > network_set->pnetwork[j]->range_min)
{
- network = network_set->pnetwork[j-1];
- network_set->pnetwork[j-1] = network_set->pnetwork[j];
+ network = network_set->pnetwork[j - 1];
+ network_set->pnetwork[j - 1] = network_set->pnetwork[j];
network_set->pnetwork[j] = network;
}
}
}
}
- for (hnode=sfxhash_gfindfirst(network_set->ids6); hnode; hnode=sfxhash_gfindnext(
+ for (hnode = sfxhash_gfindfirst(network_set->ids6); hnode; hnode=sfxhash_gfindnext(
network_set->ids6))
{
id = *(unsigned*)(hnode->data);
- if ((rval = NetworkSet_OrderByNetmask(&ordered_networks, &network_set->networks6, id)) !=
- 0)
+ if ((rval = order_by_netmask(&ordered_networks, &network_set->networks6, id)) != 0)
{
sflist_free_all(&ordered_networks, &snort_free);
return rval;
}
- if ((rval = NetworkSet_ReduceNetworkSet6(&ordered_networks)) != 0)
+
+ if ((rval = reduce_network_set6(&ordered_networks)) != 0)
{
sflist_free_all(&ordered_networks, &snort_free);
return rval;
}
- if ((rval = NetworkSet_AddList(&network_set->networks6, &ordered_networks)) != 0)
+
+ if ((rval = add_network_list(&network_set->networks6, &ordered_networks)) != 0)
{
sflist_free_all(&ordered_networks, &snort_free);
return rval;
}
}
- if ((rval = NetworkSet_ReduceNetworkSet6(&network_set->networks6)) != 0)
+ if ((rval = reduce_network_set6(&network_set->networks6)) != 0)
{
sflist_free_all(&ordered_networks, &snort_free);
return rval;
}
tmp = 0;
- if ((rval = NetworkSet_Count6(network_set, &tmp)) != 0)
+ if ((rval = count6(network_set, &tmp)) != 0)
return rval;
count = (int)tmp;
}
network_set->pnetwork6 = (Network6**)snort_calloc(count * sizeof(Network6*));
SF_LNODE* iter = nullptr;
- for (network6 = (Network6*)sflist_first(&network_set->networks6, &iter), i = 0;
+ int i = 0;
+ for (network6 = (Network6*)sflist_first(&network_set->networks6, &iter);
network6 && i < count;
network6 = (Network6*)sflist_next(&iter))
{
network_set->pnetwork6[i++] = network6;
}
/* bubble sort this array */
- for (i = (count - 1); i >= 0; i--)
+ for (int i = (count - 1); i >= 0; i--)
{
- for (j = 1; j <= i; j++ )
+ for (int j = 1; j <= i; j++)
{
- if (NSIPv6AddrCompare(&network_set->pnetwork6[j-1]->range_min,
+ if (compare_ipv6_address(&network_set->pnetwork6[j - 1]->range_min,
&network_set->pnetwork6[j]->range_min) > 0)
{
network6 = network_set->pnetwork6[j-1];
- network_set->pnetwork6[j-1] = network_set->pnetwork6[j];
+ network_set->pnetwork6[j - 1] = network_set->pnetwork6[j];
network_set->pnetwork6[j] = network6;
}
}
return 0;
}
-NetworkSet* NetworkSet_Copy(NetworkSet* network_set)
+NetworkSet* NetworkSetManager::copy(NetworkSet* network_set)
{
NetworkSet* new_set;
- Network* network;
- Network6* network6;
SF_LNODE* iter;
if (!network_set)
return nullptr;
- if (NetworkSet_New(&new_set) != 0)
+ if (create(&new_set) != 0)
return nullptr;
- for (network = (Network*)sflist_first(&network_set->networks, &iter);
+ for (Network* network = (Network*)sflist_first(&network_set->networks, &iter);
network;
network = (Network*)sflist_next(&iter))
{
- if (NetworkSet_AddNetworkRangeEx(new_set, network->range_min, network->range_max,
+ if (add_network_range_ex(new_set, network->range_min, network->range_max,
network->info.netmask, network->info.ip_not,
network->info.id, network->info.type) != 0)
{
- NetworkSet_Destroy(new_set);
+ destroy(new_set);
return nullptr;
}
}
- for (network6 = (Network6*)sflist_first(&network_set->networks6, &iter);
+ for (Network6* network6 = (Network6*)sflist_first(&network_set->networks6, &iter);
network6;
network6 = (Network6*)sflist_next(&iter))
{
- if (NetworkSet_AddNetworkRange6Ex(new_set, &network6->range_min, &network6->range_max,
+ if (add_network_range6(new_set, &network6->range_min, &network6->range_max,
network6->info.netmask, network6->info.ip_not,
network6->info.id, network6->info.type) != 0)
{
- NetworkSet_Destroy(new_set);
+ destroy(new_set);
return nullptr;
}
}
return new_set;
}
-int NetworkSet_AddSet(NetworkSet* dest_set, NetworkSet* src_set)
+int NetworkSetManager::add_set(NetworkSet* dest_set, NetworkSet* src_set)
{
- Network* network;
- Network6* network6;
SF_LNODE* iter;
int rval;
if (!src_set || !dest_set)
return -1;
- for (network = (Network*)sflist_first(&src_set->networks, &iter);
+ for (Network* network = (Network*)sflist_first(&src_set->networks, &iter);
network;
network = (Network*)sflist_next(&iter))
{
- if ((rval=NetworkSet_AddNetworkRangeEx(dest_set, network->range_min, network->range_max,
+ if ((rval = add_network_range_ex(dest_set, network->range_min, network->range_max,
network->info.netmask, network->info.ip_not,
network->info.id, network->info.type)) != 0)
{
return rval;
}
}
- for (network6 = (Network6*)sflist_first(&src_set->networks6, &iter);
+
+ for (Network6* network6 = (Network6*)sflist_first(&src_set->networks6, &iter);
network6;
network6 = (Network6*)sflist_next(&iter))
{
- if ((rval=NetworkSet_AddNetworkRange6Ex(dest_set, &network6->range_min,
- &network6->range_max,
+ if ((rval = add_network_range6(dest_set, &network6->range_min, &network6->range_max,
network6->info.netmask, network6->info.ip_not,
network6->info.id, network6->info.type)) != 0)
{
|| ((IN6_IS_ADDR_V4MAPPED(a) || IN6_IS_ADDR_V4COMPAT(a)) && (((__const uint32_t*)(a))[3] == \
0xffffffff)))
-inline void NSIPv6PackIpv4(NSIPv6Addr* ipv6Addr, uint32_t ipv4Addr)
-{
- ipv6Addr->hi = 0ULL;
- ipv6Addr->lo = (uint64_t)ipv4Addr | 0x0000FFFF00000000ULL;
-}
-
-inline int NSIPv6UnpackIpv4(const NSIPv6Addr* ipv6Addr, uint32_t* ipv4Addr)
-{
- if (!ipv6Addr->hi)
- {
- uint64_t lo = ipv6Addr->lo & 0xFFFFFFFF00000000ULL;
- if (!lo || lo == 0x0000FFFF00000000ULL)
- {
- *ipv4Addr = (uint32_t)ipv6Addr->lo;
- return 0;
- }
- }
- return -1;
-}
-
-inline void NSIPv6AddrCopy(const NSIPv6Addr* src, NSIPv6Addr* dst)
-{
- dst->hi = src->hi;
- dst->lo = src->lo;
-}
-
-inline int NSIPv6AddrCompare(const NSIPv6Addr* a, const NSIPv6Addr* b)
-{
- if (a->hi < b->hi)
- return -1;
- else if (a->hi > b->hi)
- return 1;
- if (a->lo < b->lo)
- return -1;
- else if (a->lo > b->lo)
- return 1;
- return 0;
-}
-
-#if defined(WORDS_BIGENDIAN)
-
-#define NSIPv6AddrNtoH(ip6) do { } while (0)
-
-#else
-
-inline void NSIPv6AddrNtoH(NSIPv6Addr* ip6)
-{
- uint64_t tmp;
-
- tmp = BYTE_SWAP_64(ip6->hi);
- ip6->hi = BYTE_SWAP_64(ip6->lo);
- ip6->lo = tmp;
-}
-
-#endif
-
-#if defined(WORDS_BIGENDIAN)
-
-inline void _NSIPv6AddrConv(const NSIPv6Addr* ip6, NSIPv6Addr* ip6h)
-{
- ip6h->hi = ip6->hi;
- ip6h->lo = ip6->lo;
-}
-
-#else
-
-inline void _NSIPv6AddrConv(const NSIPv6Addr* ip6, NSIPv6Addr* ip6h)
-{
- ip6h->hi = BYTE_SWAP_64(ip6->lo);
- ip6h->lo = BYTE_SWAP_64(ip6->hi);
-}
-
-#endif
-
-inline void NSIPv6AddrNtoHConv(const ip::snort_in6_addr* ip6, NSIPv6Addr* ip6h)
-{
- _NSIPv6AddrConv((const NSIPv6Addr*)ip6, ip6h);
-}
-
-inline void NSIPv6AddrHtoNConv(const NSIPv6Addr* ip6, ip::snort_in6_addr* ip6h)
-{
- _NSIPv6AddrConv(ip6, (NSIPv6Addr*)ip6h);
-}
-
-#define NSIPv6AddrHtoN(ip6) NSIPv6AddrNtoH(ip6)
-
-inline void NSIPv6AddrInc(NSIPv6Addr* ip6)
-{
- if (ip6->lo == ULLONG_MAX)
- {
- ip6->lo = 0;
- ip6->hi++;
- }
- else
- ip6->lo++;
-}
-
-inline void NSIPv6AddrDec(NSIPv6Addr* ip6)
-{
- if (!ip6->lo)
- {
- ip6->lo = ULLONG_MAX;
- ip6->hi--;
- }
- else
- ip6->lo--;
-}
-
struct NSNetworkInfo
{
unsigned id;
unsigned count6;
};
-// Create a new network set
-int NetworkSet_New(NetworkSet** network_set);
-
-// Destroy a network set
-int NetworkSet_Destroy(NetworkSet* network_set);
-
-// Copy a network set
-NetworkSet* NetworkSet_Copy(NetworkSet* network_set);
-
-// Add a network set to another network set
-int NetworkSet_AddSet(NetworkSet* dest_set, NetworkSet* src_set);
+// FIXIT-L - this should be integrated into the snort3 general IP address support library
+class NetworkSetManager
+{
+public:
+ static int create(NetworkSet** network_set);
+ static int destroy(NetworkSet* network_set);
+ static NetworkSet* copy(NetworkSet* network_set);
+ static int add_set(NetworkSet* dest_set, NetworkSet* src_set);
+ static int add_cidr_block_ex(NetworkSet* network_set, uint32_t ip,
+ unsigned cidr_bits, int ip_not, unsigned id, unsigned type);
+ static int add_cidr_block6_ex(NetworkSet* network_set, NSIPv6Addr* ip,
+ unsigned cidr_bits, int ip_not, unsigned id, unsigned type);
+ static int add_cidr_block(NetworkSet* network_set, uint32_t ip,
+ unsigned cidr_bits, int ip_not, unsigned id);
+ static int add_cidr_block6(NetworkSet* network_set, NSIPv6Addr* ip,
+ unsigned cidr_bits, int ip_not, unsigned id);
+ static int add_network_range_ex(NetworkSet* network_set, uint32_t range_min,
+ uint32_t range_max, unsigned cidr_bits, int ip_not, unsigned id, unsigned type);
+ static int add_network_range6(NetworkSet* network_set, NSIPv6Addr* range_min,
+ NSIPv6Addr* range_max, unsigned cidr_bits, int ip_not, unsigned id, unsigned type);
+ static int add_network_range(NetworkSet* network_set, uint32_t range_min,
+ uint32_t range_max, unsigned cidr_bits, int ip_not, unsigned id);
+ static int add_network_range6(NetworkSet* network_set, NSIPv6Addr* range_min,
+ NSIPv6Addr* range_max, unsigned cidr_bits, int ip_not, unsigned id);
+ static int add_network_range_only_ipv6(NetworkSet* network_set, int ip_not,
+ unsigned id, unsigned type);
+ static int reduce(NetworkSet* network_set);
+ static int log_network_set(NetworkSet* network_set, const char* prefix, FILE* stream);
+
+ static void pack_ipv4_to_ipv6(NSIPv6Addr* ipv6Addr, uint32_t ipv4Addr)
+ {
+ ipv6Addr->hi = 0ULL;
+ ipv6Addr->lo = (uint64_t)ipv4Addr | 0x0000FFFF00000000ULL;
+ }
-// Add a network to the set using cidr block notation
-int NetworkSet_AddCidrBlockEx(NetworkSet* network_set, uint32_t ip,
- unsigned cidr_bits, int ip_not, unsigned id, unsigned type);
+ static int unpack_ipv4_from_ipv6(const NSIPv6Addr* ipv6Addr, uint32_t* ipv4Addr)
+ {
+ if (!ipv6Addr->hi)
+ {
+ uint64_t lo = ipv6Addr->lo & 0xFFFFFFFF00000000ULL;
+ if (!lo || lo == 0x0000FFFF00000000ULL)
+ {
+ *ipv4Addr = (uint32_t)ipv6Addr->lo;
+ return 0;
+ }
+ }
+ return -1;
+ }
-// Add a network to the set using cidr block notation
-int NetworkSet_AddCidrBlock6Ex(NetworkSet* network_set, NSIPv6Addr* ip,
- unsigned cidr_bits, int ip_not, unsigned id, unsigned type);
+ static void copy_ipv6_address(const NSIPv6Addr* src, NSIPv6Addr* dst)
+ {
+ dst->hi = src->hi;
+ dst->lo = src->lo;
+ }
-// Add a network to the set using cidr block notation
-int NetworkSet_AddCidrBlock(NetworkSet* network_set, uint32_t ip,
- unsigned cidr_bits, int ip_not, unsigned id);
+ static int compare_ipv6_address(const NSIPv6Addr* a, const NSIPv6Addr* b)
+ {
+ if (a->hi < b->hi)
+ return -1;
+ else if (a->hi > b->hi)
+ return 1;
+ if (a->lo < b->lo)
+ return -1;
+ else if (a->lo > b->lo)
+ return 1;
+ return 0;
+ }
-// Add a network to the set using cidr block notation
-int NetworkSet_AddCidrBlock6(NetworkSet* network_set, NSIPv6Addr* ip,
- unsigned cidr_bits, int ip_not, unsigned id);
+#if defined(WORDS_BIGENDIAN)
+#define ntoh_ipv6(ip6) do { } while (0)
+#else
+ static void ntoh_ipv6(NSIPv6Addr* ip6)
+ {
+ uint64_t tmp;
-// Add a network to the set using a range
-int NetworkSet_AddNetworkRangeEx(NetworkSet* network_set, uint32_t range_min,
- uint32_t range_max, unsigned cidr_bits, int ip_not, unsigned id, unsigned type);
+ tmp = BYTE_SWAP_64(ip6->hi);
+ ip6->hi = BYTE_SWAP_64(ip6->lo);
+ ip6->lo = tmp;
+ }
-// Add a network to the set using a range
-int NetworkSet_AddNetworkRange6Ex(NetworkSet* network_set, NSIPv6Addr* range_min,
- NSIPv6Addr* range_max, unsigned cidr_bits, int ip_not, unsigned id, unsigned type);
+#endif
-// Add a network to the set using a range
-int NetworkSet_AddNetworkRange(NetworkSet* network_set, uint32_t range_min,
- uint32_t range_max, unsigned cidr_bits, int ip_not, unsigned id);
+#if defined(WORDS_BIGENDIAN)
-// Add a network to the set using a range
-int NetworkSet_AddNetworkRange6(NetworkSet* network_set, NSIPv6Addr* range_min,
- NSIPv6Addr* range_max, unsigned cidr_bits, int ip_not, unsigned id);
+ static void _swap_ipv6(const NSIPv6Addr* ip6, NSIPv6Addr* ip6h)
+ {
+ ip6h->hi = ip6->hi;
+ ip6h->lo = ip6->lo;
+ }
-// Add a network to the set using a range of all IPv6, excluding IPv4
-int NetworkSet_AddNetworkRangeOnlyIPv6(NetworkSet* network_set, int ip_not, unsigned id, unsigned
- type);
+#else
+ static void _swap_ipv6(const NSIPv6Addr* ip6, NSIPv6Addr* ip6h)
+ {
+ ip6h->hi = BYTE_SWAP_64(ip6->lo);
+ ip6h->lo = BYTE_SWAP_64(ip6->hi);
+ }
-// Reduce the networks to a list of existing ranges
-int NetworkSet_Reduce(NetworkSet* network_set);
+#endif
-// Print the network to the specified stream
-int NetworkSet_Fprintf(NetworkSet* network_set, const char* prefix, FILE* stream);
+ static void ntoh_swap_ipv6(const ip::snort_in6_addr* ip6, NSIPv6Addr* ip6h)
+ {
+ _swap_ipv6((const NSIPv6Addr*)ip6, ip6h);
+ }
-// Test is the set contains the specied address
-inline int NetworkSet_ContainsEx(NetworkSet* network_set, uint32_t ipaddr, unsigned* type)
-{
- int low=0;
- int middle=0;
- int high=0;
+ static void hton_swap_ipv6(const NSIPv6Addr* ip6, ip::snort_in6_addr* ip6h)
+ {
+ _swap_ipv6(ip6, (NSIPv6Addr*)ip6h);
+ }
- *type = 0;
- if (!network_set)
- return 0;
- if (!network_set->count)
- return 0;
- high = network_set->count - 1;
- if (ipaddr < network_set->pnetwork[low]->range_min || ipaddr >
- network_set->pnetwork[high]->range_max)
- return 0;
- while (low <= high)
+ static void increment_ipv6_addr(NSIPv6Addr* ip6)
{
- middle = low + ((high - low)>>1);
- if (ipaddr < network_set->pnetwork[middle]->range_min)
- high = middle - 1;
- else if (ipaddr > network_set->pnetwork[middle]->range_max)
- low = middle + 1;
- else
+ if (ip6->lo == ULLONG_MAX)
{
- *type = network_set->pnetwork[middle]->info.type;
- return 1;
+ ip6->lo = 0;
+ ip6->hi++;
}
+ else
+ ip6->lo++;
}
- return 0;
-}
-// Test is the set contains the specied address
-inline int NetworkSet_Contains6Ex(NetworkSet* network_set, NSIPv6Addr* ipaddr,
- unsigned* type)
-{
- int low=0;
- int middle=0;
- int high=0;
+ static void decrement_ipv6_addr(NSIPv6Addr* ip6)
+ {
+ if (!ip6->lo)
+ {
+ ip6->lo = ULLONG_MAX;
+ ip6->hi--;
+ }
+ else
+ ip6->lo--;
+ }
- *type = 0;
- if (!network_set)
- return 0;
- if (!network_set->count6)
- return 0;
- high = network_set->count6 - 1;
- if (NSIPv6AddrCompare(ipaddr, &network_set->pnetwork6[low]->range_min) < 0 ||
- NSIPv6AddrCompare(ipaddr, &network_set->pnetwork6[high]->range_max) > 0)
+ static int contains_ex(NetworkSet* network_set, uint32_t ipaddr, unsigned* type)
{
+ int low=0;
+ int middle=0;
+ int high=0;
+
+ *type = 0;
+ if (!network_set)
+ return 0;
+ if (!network_set->count)
+ return 0;
+ high = network_set->count - 1;
+ if (ipaddr < network_set->pnetwork[low]->range_min || ipaddr >
+ network_set->pnetwork[high]->range_max)
+ return 0;
+ while (low <= high)
+ {
+ middle = low + ((high - low)>>1);
+ if (ipaddr < network_set->pnetwork[middle]->range_min)
+ high = middle - 1;
+ else if (ipaddr > network_set->pnetwork[middle]->range_max)
+ low = middle + 1;
+ else
+ {
+ *type = network_set->pnetwork[middle]->info.type;
+ return 1;
+ }
+ }
return 0;
}
- while (low <= high)
+
+ static int contains6_ex(NetworkSet* network_set, NSIPv6Addr* ipaddr, unsigned* type)
{
- middle = low + ((high - low)>>1);
- if (NSIPv6AddrCompare(ipaddr, &network_set->pnetwork6[middle]->range_min) < 0)
- high = middle - 1;
- else if (NSIPv6AddrCompare(ipaddr, &network_set->pnetwork6[middle]->range_max) > 0)
- low = middle + 1;
- else
+ int low=0;
+ int middle=0;
+ int high=0;
+
+ *type = 0;
+ if (!network_set)
+ return 0;
+ if (!network_set->count6)
+ return 0;
+ high = network_set->count6 - 1;
+ if (compare_ipv6_address(ipaddr, &network_set->pnetwork6[low]->range_min) < 0 ||
+ compare_ipv6_address(ipaddr, &network_set->pnetwork6[high]->range_max) > 0)
{
- *type = network_set->pnetwork6[middle]->info.type;
- return 1;
+ return 0;
+ }
+ while (low <= high)
+ {
+ middle = low + ((high - low)>>1);
+ if (compare_ipv6_address(ipaddr, &network_set->pnetwork6[middle]->range_min) < 0)
+ high = middle - 1;
+ else if (compare_ipv6_address(ipaddr, &network_set->pnetwork6[middle]->range_max) > 0)
+ low = middle + 1;
+ else
+ {
+ *type = network_set->pnetwork6[middle]->info.type;
+ return 1;
+ }
}
+ return 0;
}
- return 0;
-}
-
-// Test is the set contains the specied address
-inline int NetworkSet_Contains(NetworkSet* network_set, uint32_t ipaddr)
-{
- unsigned type;
- return NetworkSet_ContainsEx(network_set, ipaddr, &type);
-}
-// Test is the set contains the specied address
-inline int NetworkSet_Contains6(NetworkSet* network_set, NSIPv6Addr* ipaddr)
-{
- unsigned type;
- return NetworkSet_Contains6Ex(network_set, ipaddr, &type);
-}
+ static int contains(NetworkSet* network_set, uint32_t ipaddr)
+ {
+ unsigned type;
+ return contains_ex(network_set, ipaddr, &type);
+ }
-// Get a count of the number of networks in the set
-inline int NetworkSet_Count(NetworkSet* network_set, unsigned* count)
-{
- if (!network_set || !count)
- return -1;
+ static int contains6(NetworkSet* network_set, NSIPv6Addr* ipaddr)
+ {
+ unsigned type;
+ return contains6_ex(network_set, ipaddr, &type);
+ }
- *count = sflist_count(&network_set->networks);
+ static int count4(NetworkSet* network_set, unsigned* count)
+ {
+ if (!network_set || !count)
+ return -1;
- return 0;
-}
+ *count = sflist_count(&network_set->networks);
-// Get a count of the number of networks in the set
-inline int NetworkSet_Count6(NetworkSet* network_set, unsigned* count)
-{
- if (!network_set || !count)
- return -1;
+ return 0;
+ }
- *count = sflist_count(&network_set->networks6);
+ static int count6(NetworkSet* network_set, unsigned* count)
+ {
+ if (!network_set || !count)
+ return -1;
- return 0;
-}
+ *count = sflist_count(&network_set->networks6);
-// Get a count of the number of networks in the set
-inline unsigned NetworkSet_CountEx(NetworkSet* network_set)
-{
- if (!network_set)
return 0;
+ }
- return sflist_count(&network_set->networks);
-}
+ static unsigned count_ex(NetworkSet* network_set)
+ {
+ if (!network_set)
+ return 0;
-// Get a count of the number of networks in the set
-inline unsigned NetworkSet_Count6Ex(NetworkSet* network_set)
-{
- if (!network_set)
- return 0;
+ return sflist_count(&network_set->networks);
+ }
+
+ static unsigned count6_ex(NetworkSet* network_set)
+ {
+ if (!network_set)
+ return 0;
- return sflist_count(&network_set->networks6);
-}
+ return sflist_count(&network_set->networks6);
+ }
+private:
+ static int order_by_netmask(SF_LIST* ordered_networks, SF_LIST* networks, unsigned id);
+ static int add_network_list(SF_LIST* networks, SF_LIST* new_networks);
+ static int reduce_network_set(SF_LIST* networks);
+ static int reduce_network_set6(SF_LIST* networks);
+};
#endif
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// output_file.cc author Sourcefire Inc.
-
-#include "output_file.h"
-
-#include <errno.h>
-#include <string.h>
-#include "log/messages.h"
-
-FILE* openOutputFile(const char* const filename, time_t tstamp)
-{
- FILE* fp;
- char output_fullpath[512];
- time_t curr_time;
-
- if (tstamp)
- curr_time = tstamp;
- else
- curr_time = time(nullptr);
- snprintf(output_fullpath, sizeof(output_fullpath), "%s.%lu", filename, curr_time);
- LogMessage("*** Opening %s for output\n",output_fullpath);
- if ((fp = fopen(output_fullpath, "w")) == nullptr)
- {
- ErrorMessage("Unable to open output file \"%s\": %s\n",output_fullpath, strerror(errno));
- }
- return fp;
-}
-
-FILE* rolloverOutputFile(const char* const filename, FILE* const oldfp, time_t tstamp)
-{
- fclose(oldfp);
-
- return openOutputFile(filename, tstamp);
-}
-
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// output_file.h author Sourcefire Inc.
-
-#ifndef OUTPUT_FILE
-#define OUTPUT_FILE
-
-#include <stdio.h>
-#include <time.h>
-
-FILE* openOutputFile(const char* const filename, time_t tstamp);
-FILE* rolloverOutputFile(const char* const filename, FILE* const oldfp, time_t tstamp);
-
-#endif
-
primaryPatternNode;
primaryPatternNode = primaryPatternNode->nextPrimaryNode)
{
- DebugFormat(DEBUG_INSPECTOR, "%s%u. Primary id %u. partTotal %u, Data %p\n", prefix,
+ DebugFormat(DEBUG_APPID, "%s%u. Primary id %u. partTotal %u, Data %p\n", prefix,
rootNode->level+1,
primaryPatternNode->patternNode.patternId,
primaryPatternNode->patternNode.partTotal,
ddPatternNode;
ddPatternNode = ddPatternNode->nextPattern)
{
- DebugFormat(DEBUG_INSPECTOR, "%s\t part %u/%u: Pattern %s, size %u\n", prefix,
+ DebugFormat(DEBUG_APPID, "%s\t part %u/%u: Pattern %s, size %u\n", prefix,
ddPatternNode->partNum,
ddPatternNode->partTotal,
(char*)ddPatternNode->pattern.pattern,
#if _MLMP_DEBUG
tPatternNode* ddPatternNode;
- DebugMessage(DEBUG_INSPECTOR, "\tMatches found -------------------\n"); for (tmpList =
+ DebugMessage(DEBUG_APPID, "\tMatches found -------------------\n"); for (tmpList =
patternMatchList;
tmpList;
tmpList = tmpList->next)
{
ddPatternNode = tmpList->patternNode;
{
- DebugFormat(DEBUG_INSPECTOR,
+ DebugFormat(DEBUG_APPID,
"\t\tid %d, Pattern %s, size %u, partNum %u, partTotal %u, userData %p\n",
ddPatternNode->patternId,
ddPatternNode->pattern.pattern,
{
ddPatternNode = bestNode;
{
- DebugFormat(DEBUG_INSPECTOR,
+ DebugFormat(DEBUG_APPID,
"\t\tSELECTED Id %d, pattern %s, size %u, partNum %u, partTotal %u, userData %p\n",
ddPatternNode->patternId,
ddPatternNode->pattern.pattern,
ddPatternNode->userData);
}
}
- DebugMessage(DEBUG_INSPECTOR, "\tMatches end -------------------\n");
+ DebugMessage(DEBUG_APPID, "\tMatches end -------------------\n");
#endif
return bestNode;
}
/*sort matches by patternId, and then by partId or pattern// */
#if _MLMP_DEBUG
- DebugFormat(DEBUG_INSPECTOR,
+ DebugFormat(DEBUG_APPID,
"\tCallback id %d, Pattern %s, size %u, partNum %u, partTotal %u, userData %p\n",
target->patternId,
target->pattern.pattern,
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// sfksearch.cc author Sourcefire Inc.
-
-/*
-*
-* Basic Keyword Search Trie - uses linked lists to build the finite automata
-*
-* Keyword-Match: Performs the equivalent of a multi-string strcmp()
-* - use for token testing after parsing the language tokens using lex or the like.
-*
-* Keyword-Search: searches the input text for one of multiple keywords,
-* and supports case sensitivite and case insensitive patterns.
-*
-*/
-
-#include "sfksearch.h"
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-#include <ctype.h>
-
-#include "utils/util.h"
-
-static void KTrieFree(KTRIENODE* n);
-
-static unsigned int mtot = 0;
-
-unsigned int KTrieMemUsed(void) { return mtot; }
-
-void KTrieInitMemUsed(void)
-{
- mtot = 0;
-}
-
-/*
-* Allocate Memory
-*/
-static void* KTRIE_MALLOC(int n)
-{
- void* p;
-
- if (n < 1)
- return nullptr;
-
- p = snort_calloc(n);
- mtot += n;
-
- return p;
-}
-
-/*
-* Free Memory
-*/
-static void KTRIE_FREE(void* p)
-{
- if (p == nullptr)
- return;
-
- snort_free(p);
-}
-
-/*
-* Local/Tmp nocase array
-*/
-static unsigned char Tnocase[65*1024];
-
-/*
-** Case Translation Table
-*/
-static unsigned char xlatcase[256];
-
-static void init_xlatcase(void)
-{
- int i;
- static int first=1;
-
- if ( !first )
- return; /* thread safe */
-
- for (i=0; i<256; i++)
- {
- xlatcase[ i ] = (unsigned char)tolower(i);
- }
-
- first=0;
-}
-
-static inline void ConvertCaseEx(unsigned char* d, const unsigned char* s, int m)
-{
- int i;
- for ( i=0; i < m; i++ )
- {
- d[i] = xlatcase[ s[i] ];
- }
-}
-
-KTRIE_STRUCT* KTrieNew(int method, void (* userfree)(void* p),
- void (* optiontreefree)(void** p),
- void (* neg_list_free)(void** p))
-{
- KTRIE_STRUCT* ts = (KTRIE_STRUCT*)KTRIE_MALLOC(sizeof(KTRIE_STRUCT) );
-
- if ( !ts )
- return 0;
-
- memset(ts, 0, sizeof(KTRIE_STRUCT));
-
- init_xlatcase();
-
- ts->memory = sizeof(KTRIE_STRUCT);
- ts->nchars = 0;
- ts->npats = 0;
- ts->end_states = 0;
- ts->method = method; /* - old method, 1 = queue */
- ts->userfree = userfree;
- ts->optiontreefree = optiontreefree;
- ts->neg_list_free = neg_list_free;
-
- return ts;
-}
-
-int KTriePatternCount(KTRIE_STRUCT* k)
-{
- return k->npats;
-}
-
-/*
- * Deletes memory that was used in creating trie
- * and nodes
- */
-void KTrieDelete(KTRIE_STRUCT* k)
-{
- KTRIEPATTERN* p = nullptr;
- KTRIEPATTERN* pnext = nullptr;
- int i;
-
- if (k == nullptr)
- return;
-
- p = k->patrn;
-
- while (p != nullptr)
- {
- pnext = p->next;
-
- if (k->userfree && p->id)
- k->userfree(p->id);
-
- if (k->optiontreefree)
- {
- if (p && p->rule_option_tree)
- k->optiontreefree(&p->rule_option_tree);
- }
-
- if (k->neg_list_free)
- {
- if (p && p->neg_list)
- k->neg_list_free(&p->neg_list);
- }
-
- KTRIE_FREE(p->P);
- KTRIE_FREE(p->Pcase);
- KTRIE_FREE(p);
-
- p = pnext;
- }
-
- for (i = 0; i < KTRIE_ROOT_NODES; i++)
- KTrieFree(k->root[i]);
-
- KTRIE_FREE(k);
-}
-
-/*
- * Recursively delete all nodes in trie
- */
-static void KTrieFree(KTRIENODE* n)
-{
- if (n == nullptr)
- return;
-
- KTrieFree(n->child);
- KTrieFree(n->sibling);
-
- KTRIE_FREE(n);
-}
-
-static KTRIEPATTERN* KTrieNewPattern(unsigned char* P, int n)
-{
- KTRIEPATTERN* p;
-
- if (n < 1)
- return nullptr;
-
- p = (KTRIEPATTERN*)KTRIE_MALLOC(sizeof(KTRIEPATTERN) );
-
- if (p == nullptr)
- return nullptr;
-
- /* Save as a nocase string */
- p->P = (unsigned char*)KTRIE_MALLOC(n);
- if ( !p->P )
- {
- KTRIE_FREE(p);
- return nullptr;
- }
-
- ConvertCaseEx(p->P, P, n);
-
- /* Save Case specific version */
- p->Pcase = (unsigned char*)KTRIE_MALLOC(n);
- if ( !p->Pcase )
- {
- KTRIE_FREE(p->P);
- KTRIE_FREE(p);
- return nullptr;
- }
-
- memcpy(p->Pcase, P, n);
-
- p->n = n;
- p->next = nullptr;
-
- return p;
-}
-
-/*
-* Add Pattern info to the list of patterns
-*/
-int KTrieAddPattern(KTRIE_STRUCT* ts, unsigned char* P, int n,
- int nocase, int negative, void* id)
-{
- KTRIEPATTERN* pnew;
-
- if ( !ts->patrn )
- {
- pnew = ts->patrn = KTrieNewPattern(P, n);
-
- if ( !pnew )
- return -1;
- }
- else
- {
- pnew = KTrieNewPattern(P, n);
-
- if ( !pnew )
- return -1;
-
- pnew->next = ts->patrn; /* insert at head of list */
-
- ts->patrn = pnew;
- }
-
- pnew->nocase = nocase;
- pnew->negative = negative;
- pnew->id = id;
- pnew->mnext = nullptr;
-
- ts->npats++;
- ts->memory += sizeof(KTRIEPATTERN) + 2 * n; /* Case and nocase */
-
- return 0;
-}
-
-static KTRIENODE* KTrieCreateNode(KTRIE_STRUCT* ts)
-{
- KTRIENODE* t=(KTRIENODE*)KTRIE_MALLOC(sizeof(KTRIENODE) );
-
- if (!t)
- return 0;
-
- memset(t,0,sizeof(KTRIENODE));
-
- ts->memory += sizeof(KTRIENODE);
-
- return t;
-}
-
-/*
-* Insert a Pattern in the Trie
-*/
-static int KTrieInsert(KTRIE_STRUCT* ts, KTRIEPATTERN* px)
-{
- int type = 0;
- int n = px->n;
- unsigned char* P = px->P;
- KTRIENODE* root;
-
- /* Make sure we at least have a root character for the tree */
- if ( !ts->root[*P] )
- {
- ts->root[*P] = root = KTrieCreateNode(ts);
- if ( !root )
- return -1;
- root->edge = *P;
- }
- else
- {
- root = ts->root[*P];
- }
-
- /* Walk existing Patterns */
- while ( n )
- {
- if ( root->edge == *P )
- {
- P++;
- n--;
-
- if ( n && root->child )
- {
- root=root->child;
- }
- else /* cannot continue */
- {
- type = 0; /* Expand the tree via the child */
- break;
- }
- }
- else
- {
- if ( root->sibling )
- {
- root=root->sibling;
- }
- else /* cannot continue */
- {
- type = 1; /* Expand the tree via the sibling */
- break;
- }
- }
- }
-
- /*
- * Add the next char of the Keyword, if any
- */
- if ( n )
- {
- if ( type == 0 )
- {
- /*
- * Start with a new child to finish this Keyword
- */
- root->child= KTrieCreateNode(ts);
- if ( !root->child )
- return -1;
- root=root->child;
- root->edge = *P;
- P++;
- n--;
- ts->nchars++;
- }
- else
- {
- /*
- * Start a new sibling bracnch to finish this Keyword
- */
- root->sibling= KTrieCreateNode(ts);
- if ( !root->sibling )
- return -1;
- root=root->sibling;
- root->edge = *P;
- P++;
- n--;
- ts->nchars++;
- }
- }
-
- /*
- * Finish the keyword as child nodes
- */
- while ( n )
- {
- root->child = KTrieCreateNode(ts);
- if ( !root->child )
- return -1;
- root=root->child;
- root->edge = *P;
- P++;
- n--;
- ts->nchars++;
- }
-
- if ( root->pkeyword )
- {
- px->mnext = root->pkeyword; /* insert duplicates at front of list */
- root->pkeyword = px;
- ts->duplicates++;
- }
- else
- {
- root->pkeyword = px;
- ts->end_states++;
- }
-
- return 0;
-}
-
-static void Build_Bad_Character_Shifts(KTRIE_STRUCT* kt)
-{
- int i,k;
- KTRIEPATTERN* plist;
-
- /* Calc the min pattern size */
- kt->bcSize = 32000;
-
- for ( plist=kt->patrn; plist!=nullptr; plist=plist->next )
- {
- if ( plist->n < kt->bcSize )
- {
- kt->bcSize = plist->n; /* smallest pattern size */
- }
- }
-
- /*
- * Initialze the Bad Character shift table.
- */
- for (i = 0; i < KTRIE_ROOT_NODES; i++)
- {
- kt->bcShift[i] = (unsigned short)kt->bcSize;
- }
-
- /*
- * Finish the Bad character shift table
- */
- for ( plist=kt->patrn; plist!=nullptr; plist=plist->next )
- {
- int shift, cindex;
-
- for ( k=0; k<kt->bcSize; k++ )
- {
- shift = kt->bcSize - 1 - k;
-
- cindex = plist->P[ k ];
-
- if ( shift < kt->bcShift[ cindex ] )
- {
- kt->bcShift[ cindex ] = (unsigned short)shift;
- }
- }
- }
-}
-
-static int KTrieBuildMatchStateNode(KTRIENODE* root,
- int (* build_tree)(void* id, void** existing_tree),
- int (* neg_list_func)(void* id, void** list))
-{
- int cnt = 0;
- KTRIEPATTERN* p;
-
- if (!root)
- return 0;
-
- /* each and every prefix match at this root*/
- if (root->pkeyword)
- {
- for (p = root->pkeyword; p; p = p->mnext)
- {
- if (p->id)
- {
- if (p->negative)
- {
- neg_list_func(p->id, &root->pkeyword->neg_list);
- }
- else
- {
- build_tree(p->id, &root->pkeyword->rule_option_tree);
- }
- }
-
- cnt++;
- }
-
- /* Last call to finalize the tree for this root */
- build_tree(nullptr, &root->pkeyword->rule_option_tree);
- }
-
- /* for child of this root */
- if (root->child)
- {
- cnt += KTrieBuildMatchStateNode(root->child, build_tree, neg_list_func);
- }
-
- /* 1st sibling of this root -- other siblings will be processed from
- * within the processing for root->sibling. */
- if (root->sibling)
- {
- cnt += KTrieBuildMatchStateNode(root->sibling, build_tree, neg_list_func);
- }
-
- return cnt;
-}
-
-static int KTrieBuildMatchStateTrees(KTRIE_STRUCT* ts,
- int (* build_tree)(void* id, void** existing_tree),
- int (* neg_list_func)(void* id, void** list))
-{
- int i, cnt = 0;
- KTRIENODE* root;
-
- /* Find the states that have a MatchList */
- for (i = 0; i < KTRIE_ROOT_NODES; i++)
- {
- root = ts->root[i];
- /* each and every prefix match at this root*/
- if (root)
- {
- cnt += KTrieBuildMatchStateNode(root, build_tree, neg_list_func);
- }
- }
-
- return cnt;
-}
-
-/*
-* Build the Keyword TRIE
-*
-*/
-int KTrieCompile(KTRIE_STRUCT* ts,
- int (* build_tree)(void* id, void** existing_tree),
- int (* neg_list_func)(void* id, void** list))
-{
- KTRIEPATTERN* p;
- /*
- static int tmem=0;
- */
-
- /*
- * Build the Keyword TRIE
- */
- for ( p=ts->patrn; p; p=p->next )
- {
- if ( KTrieInsert(ts, p) )
- return -1;
- }
-
- /*
- * Build A Setwise Bad Character Shift Table
- */
- Build_Bad_Character_Shifts(ts);
-
- /*
- tmem += ts->memory;
- printf(" Compile stats: %d patterns, %d chars, %d duplicate patterns, %d bytes, %d total-bytes\n",ts->npats,ts->nchars,ts->duplicates,ts->memory,tmem);
- */
- if (build_tree && neg_list_func)
- {
- KTrieBuildMatchStateTrees(ts, build_tree, neg_list_func);
- }
-
- return 0;
-}
-
-void sfksearch_print_qinfo(void)
-{
-#ifdef SFKSEARCH_TRACK_Q
- if ( snort_conf->max_inq )
- {
- LogMessage("lowmem: queue size = %u, max = %u\n", snort_conf->max_inq,SFK_MAX_INQ);
- LogMessage("lowmem: queue flushes = " STDu64 "\n", snort_conf->tot_inq_flush);
- LogMessage("lowmem: queue inserts = " STDu64 "\n", snort_conf->tot_inq_inserts);
- LogMessage("lowmem: queue uinserts = " STDu64 "\n", snort_conf->tot_inq_uinserts);
- }
-#endif
-}
-
-static inline void _init_queue(SFK_PMQ* b)
-{
- b->inq=0;
- b->inq_flush=0;
-}
-
-/* uniquely insert into q */
-static inline int _add_queue(SFK_PMQ* b, KTRIEPATTERN* p)
-{
- int i;
-
-#ifdef SFKSEARCH_TRACK_Q
- snort_conf->tot_inq_inserts++;
-#endif
-
- for (i=(int)(b->inq)-1; i>=0; i--)
- if ( p == b->q[i] )
- return 0;
-
-#ifdef SFKSEARCH_TRACK_Q
- snort_conf->tot_inq_uinserts++;
-#endif
-
- if ( b->inq < SFK_MAX_INQ )
- {
- b->q[ b->inq++ ] = p;
- }
-
- if ( b->inq == SFK_MAX_INQ )
- {
-#ifdef SFKSEARCH_TRACK_Q
- b->inq_flush++;
-#endif
- return 1;
- }
- return 0;
-}
-
-static inline unsigned _process_queue(SFK_PMQ* q,
- int (* match)(void* id, void* tree, int index, void* data, void* neg_list),
- void* data)
-{
- KTRIEPATTERN* pk;
- unsigned int i;
-
-#ifdef SFKSEARCH_TRACK_Q
- if ( q->inq > snort_conf->max_inq )
- snort_conf->max_inq = q->inq;
- snort_conf->tot_inq_flush += q->inq_flush;
-#endif
-
- for ( i=0; i<q->inq; i++ )
- {
- pk = q->q[i];
- if (pk)
- {
- if (match (pk->id, pk->rule_option_tree, 0, data, pk->neg_list) > 0)
- {
- q->inq=0;
- return 1;
- }
- }
- }
- q->inq=0;
- return 0;
-}
-
-static inline int KTriePrefixMatchQ(KTRIE_STRUCT* kt,
- const unsigned char* T,
- int n,
- int (* match)(void* id, void* tree, int index, void* data, void* neg_list),
- void* data)
-{
- KTRIENODE* root;
-
- root = kt->root[ xlatcase[*T] ];
-
- if ( !root )
- return 0;
-
- while ( n )
- {
- if ( root->edge == xlatcase[*T] )
- {
- T++;
- n--;
-
- if ( root->pkeyword )
- {
- if ( _add_queue(&kt->q, root->pkeyword) )
- {
- if ( _process_queue(&kt->q,match,data) )
- {
- return 1;
- }
- }
- }
-
- if ( n && root->child )
- {
- root = root->child;
- }
- else /* cannot continue -- match is over */
- {
- break;
- }
- }
- else
- {
- if ( root->sibling )
- {
- root = root->sibling;
- }
- else /* cannot continue */
- {
- break;
- }
- }
- }
-
- return 0;
-}
-
-/*
-* Search - Algorithm
-*
-* This routine will log any substring of T that matches a keyword,
-* and processes all prefix matches. This is used for generic
-* pattern searching with a set of keywords and a body of text.
-*
-*
-*
-* kt- Trie Structure
-* T - nocase text
-* Tc- case specific text
-* n - text length
-*
-* returns:
-* # pattern matches
-*/
-static inline int KTriePrefixMatch(KTRIE_STRUCT* kt,
- const unsigned char* T,
- const unsigned char*,
- const unsigned char* bT,
- int n,
- int (* match)(void* id, void* tree, int index, void* data, void* neg_list),
- void* data)
-{
- KTRIENODE* root = kt->root[ *T ];
- int nfound = 0;
- KTRIEPATTERN* pk;
- int index;
-
- /* Check if any keywords start with this character */
- if ( !root )
- return 0;
-
- while ( n )
- {
- if ( root->edge == *T )
- {
- T++;
- n--;
-
- pk = root->pkeyword;
- if (pk)
- {
- index = (int)(T - bT - pk->n );
- nfound++;
- if (match (pk->id, pk->rule_option_tree, index, data, pk->neg_list) > 0)
- {
- return nfound;
- }
- }
-
- if ( n && root->child )
- {
- root = root->child;
- }
- else /* cannot continue -- match is over */
- {
- break;
- }
- }
- else
- {
- if ( root->sibling )
- {
- root = root->sibling;
- }
- else /* cannot continue */
- {
- break;
- }
- }
- }
-
- return nfound;
-}
-
-static inline int KTrieSearchQ(KTRIE_STRUCT* ks, const unsigned char* T, int n,
- int (* match)(void* id, void* tree, int index, void* data, void* neg_list),
- void* data)
-{
- _init_queue(&ks->q);
- while ( n > 0 )
- {
- if ( KTriePrefixMatchQ(ks, T++, n--, match, data) )
- return 0;
- }
- _process_queue(&ks->q,match,data);
-
- return 0;
-}
-
-static inline int KTrieSearchNoBC(KTRIE_STRUCT* ks, const unsigned char* Tx,
- int n,
- int (* match)(void* id, void* tree, int index, void* data, void* neg_list),
- void* data)
-{
- int nfound = 0;
- const unsigned char* T, * bT;
-
- ConvertCaseEx(Tnocase, Tx, n);
-
- T = Tnocase;
- bT = T;
-
- for (; n>0; n--, T++, Tx++ )
- {
- nfound += KTriePrefixMatch(ks, T, Tx, bT, n, match, data);
- }
-
- return nfound;
-}
-
-static inline int KTrieSearchBC(KTRIE_STRUCT* ks, const unsigned char* Tx,
- int n,
- int (* match)(void* id, void* tree, int index, void* data, void* neg_list),
- void* data)
-{
- int tshift;
- const unsigned char* Tend;
- const unsigned char* T, * bT;
- int nfound = 0;
- short* bcShift = (short*)ks->bcShift;
- int bcSize = ks->bcSize;
-
- ConvertCaseEx(Tnocase, Tx, n);
-
- T = Tnocase;
- bT = T;
-
- Tend = T + n - bcSize;
-
- bcSize--;
-
- for (; T <= Tend; n--, T++, Tx++ )
- {
- while ( (tshift = bcShift[ *( T + bcSize ) ]) > 0 )
- {
- T += tshift;
- Tx += tshift;
- if ( T > Tend )
- return nfound;
- }
-
- nfound += KTriePrefixMatch(ks, T, Tx, bT, n, match, data);
- }
-
- return nfound;
-}
-
-int KTrieSearch(KTRIE_STRUCT* ks, const unsigned char* T, int n,
- int (* match)(void* id, void* tree, int index, void* data, void* neg_list),
- void* data)
-{
- if ( ks->method == KTRIEMETHOD_QUEUE )
- {
- /*if( ks->bcSize < 3) */
- return KTrieSearchQ(ks, T, n, match, data);
- /*else
- return KTrieSearchQBC( ks, T, n, match, data ); */
- }
- else
- {
- if ( ks->bcSize < 3)
- return KTrieSearchNoBC(ks, T, n, match, data);
- else
- return KTrieSearchBC(ks, T, n, match, data);
- }
-}
-
-/*
-*
-* TEST DRIVER FOR KEYWORD TRIE
-*
-*/
-#ifdef KTRIE_MAIN
-
-char** gargv;
-
-int trie_nmatches = 0;
-
-int match(unsigned id, int index, void* data)
-{
- trie_nmatches++;
- data = data;
- printf("id=%d found at index=%d, %s\n",id,index,gargv[id]);
- return 0;
-}
-
-int main(int argc, char** argv)
-{
- int i;
- KTRIE_STRUCT* ts;
- int nocase=1; /* don't care about case */
-
- gargv = argv;
-
- ts = KTrieNew();
-
- if ( argc < 3 )
- {
- printf("%s text pat1 pat2 ... patn [-c(ase-sensitive)\n",argv[0]);
- printf("search for keywords-default, or match keywords\n");
- exit(0);
- }
-
- for (i=1; i<argc; i++)
- {
- if ( strcmp(argv[i],"-c")==0 )
- nocase=0; /* ignore case */
- }
-
- printf("New TRIE created\n");
-
- for (i=2; i<argc; i++)
- {
- if ( argv[i][0]=='-' )
- continue;
-
- KTrieAddPattern(ts, (unsigned char*)argv[i], strlen(argv[i]), nocase, i);
- }
-
- printf("Patterns added \n");
-
- KTrieCompile(ts);
-
- printf("Patterns compiled \n");
- printf("--> %d characters, %d patterns, %d bytes allocated\n",ts->nchars,ts->npats,ts->memory);
-
- printf("Searching...\n");
-
- KTrieSearch(ts, (unsigned char*)argv[1], strlen(argv[1]), match, 0);
-
- printf("%d matches found\n",trie_nmatches);
-
- printf("normal pgm finish.\n");
-
- return 0;
-}
-
-#endif
-
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2003-2013 Sourcefire, Inc.
-// Copyright (C) 2001 Marc Norton
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// sfksearch.h author Sourcefire Inc.
-
-#ifndef KTRIE_H
-#define KTRIE_H
-
-// Trie based multi-pattern matcher
-
-#define ALPHABET_SIZE 256
-
-#ifdef WIN32
-#define inline __inline
-#endif
-
-#define KTRIEMETHOD_STD 0
-#define KTRIEMETHOD_QUEUE 1
-
-struct KTRIEPATTERN
-{
- KTRIEPATTERN* next; /* global list of all patterns */
- KTRIEPATTERN* mnext; /* matching list of duplicate keywords */
-
- unsigned char* P; /* no case */
- unsigned char* Pcase; /* case sensitive */
- int n;
- int nocase;
- int negative;
- void* id;
- void* rule_option_tree;
- void* neg_list;
-};
-
-struct KTRIENODE
-{
- int edge; /* character */
-
- KTRIENODE* sibling;
- KTRIENODE* child;
-
- KTRIEPATTERN* pkeyword;
-};
-
-#define KTRIE_ROOT_NODES 256
-
-#define SFK_MAX_INQ 32
-struct SFK_PMQ
-{
- unsigned inq;
- unsigned inq_flush;
- KTRIEPATTERN* q[SFK_MAX_INQ];
-};
-
-struct KTRIE_STRUCT
-{
- KTRIEPATTERN* patrn; /* List of patterns, built as they are added */
-
- KTRIENODE* root[KTRIE_ROOT_NODES]; /* KTrie nodes */
-
- int memory;
- int nchars;
- int npats;
- int duplicates;
- int method;
- int end_states; /* should equal npats - duplicates */
-
- int bcSize;
- unsigned short bcShift[KTRIE_ROOT_NODES];
- void (* userfree)(void* p);
- void (* optiontreefree)(void** p);
- void (* neg_list_free)(void** p);
- SFK_PMQ q;
-};
-
-KTRIE_STRUCT* KTrieNew(int method, void (* userfree)(void* p),
- void (* optiontreefree)(void** p),
- void (* neg_list_free)(void** p));
-int KTrieAddPattern(KTRIE_STRUCT* ts, unsigned char* P, int n,
- int nocase, int negative, void* id);
-int KTrieCompile(KTRIE_STRUCT* ts,
- int (* build_tree)(void* id, void** existing_tree),
- int (* neg_list_func)(void* id, void** list));
-int KTrieSearch(KTRIE_STRUCT* ts, const unsigned char* T, int n,
- int (* match)(void* id, void* tree, int index, void* data, void* neg_list),
- void* data);
-unsigned int KTrieMemUsed();
-void KTrieInitMemUsed();
-void KTrieDelete(KTRIE_STRUCT* k);
-int KTriePatternCount(KTRIE_STRUCT* k);
-
-void sfksearch_print_qinfo();
-
-#endif
-
enum ApplicationId : int32_t
{
- APP_ID_UNKNOWN = -1, // searched and not found any matching app id
+ APP_ID_UNKNOWN = -1, // searched and not found any matching app id
APP_ID_NONE = 0, // AppId not searched
APP_ID_3COM_TSMUX = 2,
APP_ID_ZOHO_WIKI = 532,
APP_ID_ZYNGA = 533,
APP_ID_ZYNGA_POKER = 534,
-
APP_ID_1_800_FLOWERS = 535,
APP_ID_100BAO = 536,
APP_ID_2CHANNEL = 537,
APP_ID_LYCOS = 2775,
APP_ID_DOGPILE = 2804,
APP_ID_SPDY = 2886,
- APP_ID_HTTP2 = 2889, // only used for some quick bookkeeping -- treat as HTTP
+ APP_ID_HTTP2 = 2889, // only used for some quick bookkeeping -- treat as HTTP
APP_ID_ANYCONNECT = 2921,
APP_ID_ANYCONNECT_SSL_CLIENT = 2922,
APP_ID_ANYCONNECT_IPSEC_CLIENT = 2923,
APP_ID_HTTP_SSL_TUNNEL = 3860,
APP_ID_FTP_ACTIVE = 4002,
APP_ID_FTP_PASSIVE = 4003,
- APP_ID_UNKNOWN_UI = 65535 // this causes the UI to render Unknown instead of pending or blank
+ APP_ID_UNKNOWN_UI = 65535 // this causes the UI to render Unknown instead of pending or blank
};
struct AppRegistryEntry
item;
item = (RNAClientAppModuleConfigItem*)sflist_next(&cursor) )
{
- DebugFormat(DEBUG_INSPECTOR, "Processing %s: %s\n", item->name, item->value);
+ DebugFormat(DEBUG_APPID, "Processing %s: %s\n", item->name, item->value);
if (strcasecmp(item->name, "enabled") == 0)
aim_config.enabled = atoi(item->value);
}
{
for (unsigned i = 0; i < sizeof(patterns)/sizeof(*patterns); i++)
{
- DebugFormat(DEBUG_INSPECTOR, "registering pattern length %u at %d\n",
+ DebugFormat(DEBUG_APPID, "registering pattern length %u at %d\n",
patterns[i].length, patterns[i].index);
init_api->RegisterPattern(&aim_validate, IpProtocol::TCP, patterns[i].pattern,
for (unsigned j = 0; j < sizeof(appIdRegistry)/sizeof(*appIdRegistry); j++)
{
- DebugFormat(DEBUG_INSPECTOR, "registering appId: %d\n",
+ DebugFormat(DEBUG_APPID, "registering appId: %d\n",
appIdRegistry[j].appId);
init_api->RegisterAppId(&aim_validate, appIdRegistry[j].appId, appIdRegistry[j].additionalInfo);
struct InitClientAppAPI
{
- void (* RegisterPattern)(RNAClientAppFCN, IpProtocol proto, const uint8_t* const pattern,
+ void (*RegisterPattern)(RNAClientAppFCN, IpProtocol proto, const uint8_t* const pattern,
unsigned size, int position);
- void (* RegisterPatternEx)(RNAClientAppFCN, IpProtocol proto, const uint8_t* const pattern,
+ void (*RegisterPatternEx)(RNAClientAppFCN, IpProtocol proto, const uint8_t* const pattern,
unsigned size, int position, Detector*);
- void (* RegisterPatternNoCase)(RNAClientAppFCN, IpProtocol proto, const uint8_t* const pattern,
+ void (*RegisterPatternNoCase)(RNAClientAppFCN, IpProtocol proto, const uint8_t* const pattern,
unsigned size, int position);
- void (* RegisterAppId)(RNAClientAppFCN, AppId, uint32_t additionalInfo);
+ void (*RegisterAppId)(RNAClientAppFCN, AppId, uint32_t additionalInfo);
int debug;
uint32_t instance_id;
AppIdConfig* pAppidConfig; ///< AppId context for which this API should be used
// client_app_base.cc author Ron Dempster <Ron.Dempster@sourcefire.com>
+#include "client_app_base.h"
+
#include <time.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <arpa/inet.h>
-#include "client_app_base.h"
-
#include "main/snort_debug.h"
#include "log/messages.h"
#include "protocols/packet.h"
#include "appid_api.h"
#include "appid_config.h"
-#include "fw_appid.h"
+#include "app_info_table.h"
#include "client_app_api.h"
#include "client_app_base.h"
#include "client_app_msn.h"
&client_app_flowdata_add,
&AppIdAddClientApp,
&AppIdAddClientAppInfo,
- &AppIdAddUser,
- &AppIdAddPayload
+ &AppIdSession::add_user,
+ &AppIdSession::add_payload
};
static void CClientAppRegisterPattern(RNAClientAppFCN fcn, IpProtocol proto,
extern RNAClientAppModule pattern_tcp_client_mod;
extern RNAClientAppModule http_client_mod;
-static RNAClientAppModule* static_client_list[] =
+static RNAClientAppModule* builtin_client_plugins[] =
{
&ssh_client_mod,
&msn_client_mod,
&dns_tcp_client_mod,
&http_client_mod
};
-const uint32_t NUM_STATIC_CLIENTS = sizeof(static_client_list)/sizeof(RNAClientAppModule*);
+const uint32_t NUM_BUILTIN_CLIENT_PLUGINS = sizeof(builtin_client_plugins)/sizeof(RNAClientAppModule*);
static THREAD_LOCAL ClientAppConfig* client_app_config = nullptr;
AppInfoTableEntry* pEntry = AppInfoManager::get_instance().get_app_info_entry(appId);
if (!pEntry)
{
- ParseError(
+ ParseWarning(WARN_RULES,
"AppId: ID to Name mapping entry missing for AppId: %d. No rule support for this ID.",
appId);
return;
}
}
-int ClientAppLoadCallback(void* symbol)
+int load_client_application_plugin(void* symbol)
{
static THREAD_LOCAL unsigned client_module_index = 0;
RNAClientAppModule* cam = (RNAClientAppModule*)symbol;
}
if (cam->proto == IpProtocol::TCP)
- {
list = &client_app_config->tcp_client_app_list;
- }
else if (cam->proto == IpProtocol::UDP)
- {
list = &client_app_config->udp_client_app_list;
- }
else
{
ErrorMessage("Client %s did not have a valid protocol (%u)",
if (li->module == cam)
break;
}
+
if (!li)
{
li = (RNAClientAppRecord*)snort_calloc(sizeof(RNAClientAppRecord));
return 0;
}
-int LoadClientAppModules()
-{
- unsigned i;
-
- for (i = 0; i < NUM_STATIC_CLIENTS; i++)
- {
- if (ClientAppLoadCallback(static_client_list[i]))
- return -1;
- }
-
- return 0;
-}
static void AddModuleConfigItem(char* module_name, char* item_name, char* item_value)
{
static int ClientAppParseArgs(SF_LIST* args)
{
- ConfigItem* ci;
+ AppidConfigElement* ci;
SF_LNODE* cursor;
- for (ci = (ConfigItem*)sflist_first(args, &cursor);
+ for (ci = (AppidConfigElement*)sflist_first(args, &cursor);
ci;
- ci = (ConfigItem*)sflist_next(&cursor))
+ ci = (AppidConfigElement*)sflist_next(&cursor))
{
- ClientAppParseOption(ci->name, ci->value);
+ ClientAppParseOption(ci->name, (char*)ci->value);
}
#ifdef DEBUG
}
}
+static int load_builtin_client_plugins()
+{
+ unsigned i;
+
+ for (i = 0; i < NUM_BUILTIN_CLIENT_PLUGINS; i++)
+ {
+ if (load_client_application_plugin(builtin_client_plugins[i]))
+ return -1;
+ }
+
+ return 0;
+}
+
/**
* Initialize the configuration of the client app module
*
RNAClientAppRecord* li;
client_app_config = new ClientAppConfig;
- if (LoadClientAppModules())
+ if (load_builtin_client_plugins())
exit(-1);
sflist_init(&client_app_config->module_configs);
void finalize_client_plugins();
void UnconfigureClientApp(AppIdConfig*);
void clean_client_plugins();
-int ClientAppLoadCallback(void* symbol);
-int LoadClientAppModules();
+int load_client_application_plugin(void* symbol);
void ClientAppRegisterPattern(RNAClientAppFCN, IpProtocol proto, const uint8_t* const pattern,
unsigned size, int position, unsigned nocase, Detector*);
const ClientAppApi* getClientApi();
struct RNAServiceValidationModule;
struct RNAClientAppModule;
-using DetectorFlowdataGet = void*(*)(AppIdSession*, unsigned);
-using DetectorFlowdataAdd = int(*)(AppIdSession*, void*, unsigned, AppIdFreeFCN);
+using DetectorFlowdataGet = void* (*)(AppIdSession*, unsigned);
+using DetectorFlowdataAdd = int (*)(AppIdSession*, void*, unsigned, AppIdFreeFCN);
struct DetectorApi
{
// compound detector with both service and client side.
struct RNADetectorValidationModule
{
- /**service side.*/
RNAServiceValidationModule* service;
-
- /**client side.*/
RNAClientAppModule* client;
-
const DetectorApi* api;
unsigned flow_data_index;
};
return -1;
if (svm->client)
- if (ClientAppLoadCallback(svm->client))
+ if (load_client_application_plugin(svm->client))
return -1;
svm->api = &detector_api;
unsigned i;
for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++)
{
- DebugFormat(DEBUG_INSPECTOR, "registering appId: %d\n", appIdRegistry[i].appId);
+ DebugFormat(DEBUG_APPID, "registering appId: %d\n", appIdRegistry[i].appId);
init_api->RegisterAppId(&dns_udp_validate, appIdRegistry[i].appId,
appIdRegistry[i].additionalInfo);
}
#include "search_engines/search_tool.h"
#include "utils/util.h"
-/*#define DEBUG_IMAP_DETECTOR 1 */
-
static const unsigned IMAP_USER_NAME_MAX_LEN = 32;
static const unsigned IMAP_TAG_MAX_LEN = 6;
static const unsigned MIN_CMDS = 3;
unsigned count;
unsigned parens;
char tagValue[IMAP_TAG_MAX_LEN+1];
-#ifdef DEBUG_IMAP_DETECTOR
- IMAPState last_state;
-#endif
};
static int imap_init(const InitServiceAPI* const init_api);
}
cmd_matcher->prep();
- AppIdConfig::get_appid_config()->add_generic_config_element(client_app_mod.name, cmd_matcher);
+ AppidConfigElement::add_generic_config_element(client_app_mod.name, cmd_matcher);
ca_config.enabled = 1;
static void clean()
{
SearchTool* cmd_matcher =
- (SearchTool*)AppIdConfig::get_appid_config()->find_generic_config_element(client_app_mod.name);
+ (SearchTool*)AppidConfigElement::find_generic_config_element(client_app_mod.name);
if (cmd_matcher)
delete cmd_matcher;
- AppIdConfig::get_appid_config()->remove_generic_config_element(client_app_mod.name);
+ AppidConfigElement::remove_generic_config_element(client_app_mod.name);
}
static int pattern_match(void* id, void*, int index, void* data, void*)
for (; data < end; data++)
{
-#ifdef DEBUG_IMAP_DETECTOR
- if (id->state != id->last_state)
- {
- DebugFormat(DEBUG_INSPECTOR,"%p State %d\n",asd, id->state);
- id->last_state = id->state;
- }
-#endif
switch (id->state)
{
case IMAP_STATE_BEGIN:
ClientAppData* fd;
char tag[IMAP_TAG_MAX_LEN+1] = { 0 };
SearchTool* cmd_matcher =
- (SearchTool*)AppIdConfig::get_appid_config()->find_generic_config_element(client_app_mod.name);
+ (SearchTool*)AppidConfigElement::find_generic_config_element(client_app_mod.name);
#ifdef APP_ID_USES_REASSEMBLED
Stream::flush_response_flush(pkt);
unsigned cname_len;
char cname[256];
char ver[2];
-#ifdef DEBUG_MSGS
- KerberosState last_state;
-#endif
unsigned flags;
};
item;
item = (RNAClientAppModuleConfigItem*)sflist_next(&iter))
{
- DebugFormat(DEBUG_INSPECTOR,"Processing %s: %s\n",item->name, item->value);
+ DebugFormat(DEBUG_APPID,"Processing %s: %s\n",item->name, item->value);
if (strcasecmp(item->name, "enabled") == 0)
krb_client_config.enabled = atoi(item->value);
{
for (i=0; i < sizeof(client_patterns)/sizeof(*client_patterns); i++)
{
- DebugFormat(DEBUG_INSPECTOR,"registering pattern with length %u\n",
+ DebugFormat(DEBUG_APPID,"registering pattern with length %u\n",
client_patterns[i].length);
init_api->RegisterPattern(&krb_client_validate, IpProtocol::UDP,
client_patterns[i].pattern, client_patterns[i].length, -1);
unsigned j;
for (j=0; j < sizeof(appIdRegistry)/sizeof(*appIdRegistry); j++)
{
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[j].appId);
+ DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[j].appId);
init_api->RegisterAppId(&krb_client_validate, appIdRegistry[j].appId,
appIdRegistry[j].additionalInfo);
}
for (i=0; i < sizeof(service_patterns)/sizeof(*service_patterns); i++)
{
- DebugFormat(DEBUG_INSPECTOR,"registering pattern with length %u\n",
+ DebugFormat(DEBUG_APPID,"registering pattern with length %u\n",
service_patterns[i].length);
init_api->RegisterPatternUser(&krb_server_validate, IpProtocol::UDP,
service_patterns[i].pattern, service_patterns[i].length, -1, "kerberos");
unsigned j;
for (j=0; j < sizeof(appIdRegistry)/sizeof(*appIdRegistry); j++)
{
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[j].appId);
+ DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[j].appId);
init_api->RegisterAppId(&krb_server_validate, appIdRegistry[j].appId,
appIdRegistry[j].additionalInfo);
}
while (s < end)
{
-#ifdef DEBUG_MSGS
- if (krbs->state != krbs->last_state)
- {
- DebugFormat(DEBUG_INSPECTOR,"%p State %d\n", (void*)asd, krbs->state);
- krbs->last_state = krbs->state;
- }
-#endif
switch (krbs->state)
{
case KRB_STATE_TCP_LENGTH:
krbs->pos++;
break;
case KRB_STATE_APP:
- DebugFormat(DEBUG_INSPECTOR,"%p Type %d (%02X)\n",
+ DebugFormat(DEBUG_APPID,"%p Type %d (%02X)\n",
(void*)asd, *s & (~ASN_1_TYPE_MASK), *s);
if ((*s & ASN_1_TYPE_MASK) != (ASN_1_APPLICATION|ASN_1_CONSTRUCT))
return KRB_FAILED;
krbs->tag = 0xa2;
break;
case KRB_STATE_FIELD:
- DebugFormat(DEBUG_INSPECTOR,"%p Tag %02X\n", (void*)asd, *s);
+ DebugFormat(DEBUG_APPID,"%p Tag %02X\n", (void*)asd, *s);
if (krbs->msg_len < 2 || *s <= krbs->tag || (*s & ASN_1_TYPE_MASK) != 0xa0)
return KRB_FAILED;
krbs->tag = *s;
{
if (krbs->msg_len <= 1)
{
- DebugFormat(DEBUG_INSPECTOR,"%p Valid\n", (void*)asd);
+ DebugFormat(DEBUG_APPID,"%p Valid\n", (void*)asd);
if (!krbs->added)
{
client_app_mod.api->add_app(asd, APP_ID_KERBEROS, APP_ID_KERBEROS,
break;
case KRB_STATE_FIELD_LEVEL2:
- DebugFormat(DEBUG_INSPECTOR,"%p Tag %02X\n", (void*)asd, *s);
+ DebugFormat(DEBUG_APPID,"%p Tag %02X\n", (void*)asd, *s);
if (krbs->msg_len <= 1)
{
krbs->state = KRB_STATE_APP;
{
if (krbs->pos)
{
- DebugFormat(DEBUG_INSPECTOR,"%p Name %u\n", (void*)asd, krbs->pos);
+ DebugFormat(DEBUG_APPID,"%p Name %u\n", (void*)asd, krbs->pos);
krbs->cname[krbs->pos] = 0;
}
if (krbs->msg_len <= 1)
while (s < end)
{
-#ifdef DEBUG_MSGS
- if (krbs->state != krbs->last_state)
- {
- DebugFormat(DEBUG_INSPECTOR,"%p State %d\n", (void*)asd, krbs->state);
- krbs->last_state = krbs->state;
- }
-#endif
switch (krbs->state)
{
case KRB_STATE_TCP_LENGTH:
krbs->pos++;
break;
case KRB_STATE_APP:
- DebugFormat(DEBUG_INSPECTOR,"%p Type %d (%02X)\n",
+ DebugFormat(DEBUG_APPID,"%p Type %d (%02X)\n",
(void*)asd, *s & (~ASN_1_TYPE_MASK), *s);
if ((*s & ASN_1_TYPE_MASK) != (ASN_1_APPLICATION|ASN_1_CONSTRUCT))
return KRB_FAILED;
krbs->pos++;
break;
case KRB_STATE_ERROR_VALUE:
- DebugFormat(DEBUG_INSPECTOR,"%p Error %hhu\n", (void*)asd, *s);
+ DebugFormat(DEBUG_APPID,"%p Error %hhu\n", (void*)asd, *s);
if (krbs->msg_len <= 1)
{
krbs->flags |= KRB_FLAG_SERVICE_DETECTED;
if (*s == KDC_ERR_PREAUTH_FAILED)
{
- DebugFormat(DEBUG_INSPECTOR,"%p unAuthorized\n", (void*)asd);
+ DebugFormat(DEBUG_APPID,"%p unAuthorized\n", (void*)asd);
krbs->flags |= KRB_FLAG_AUTH_FAILED;
}
krbs->state = KRB_STATE_FIELD;
break;
case KRB_STATE_FIELD:
- DebugFormat(DEBUG_INSPECTOR,"%p Tag %02X\n", (void*)asd, *s);
+ DebugFormat(DEBUG_APPID,"%p Tag %02X\n", (void*)asd, *s);
if (krbs->msg_len < 2 || *s <= krbs->tag || (*s & ASN_1_TYPE_MASK) != 0xa0)
return KRB_FAILED;
krbs->tag = *s;
{
if (krbs->pos)
{
- DebugFormat(DEBUG_INSPECTOR,"%p Name %u\n", (void*)asd, krbs->pos);
+ DebugFormat(DEBUG_APPID,"%p Name %u\n", (void*)asd, krbs->pos);
krbs->cname[krbs->pos] = 0;
krbs->flags |= KRB_FLAG_USER_DETECTED;
}
if (krbs->msg_len <= 1)
{
/*end of server response message */
- DebugFormat(DEBUG_INSPECTOR,"%p Valid\n", (void*)asd);
+ DebugFormat(DEBUG_APPID,"%p Valid\n", (void*)asd);
if (krbs->flags & KRB_FLAG_SERVICE_DETECTED)
{
if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED) && pkt)
const uint8_t* end = (data + size);
DetectorData* fd;
-#ifdef DEBUG_MSGS
- DebugFormat(DEBUG_INSPECTOR, "%p Processing %u %hu->%hu %hu %d",
- (void*)asd, (unsigned int)asd->protocol, pkt->ptrs.sp, pkt->ptrs.dp, size, dir);
-#else
- UNUSED(pkt);
-#endif
-
#ifdef APP_ID_USES_REASSEMBLED
Stream::flush_response_flush(pkt);
+#else
+ UNUSED(pkt);
#endif
if (!size)
fd->clnt_state.state = KRB_STATE_APP;
fd->svr_state.state = KRB_STATE_APP;
}
-#ifdef DEBUG_MSGS
- fd->clnt_state.last_state = KRB_STATE_INVALID;
- fd->svr_state.last_state = KRB_STATE_INVALID;
-#endif
}
if (!fd->set_flags)
{
if (krb_walk_client_packet(&fd->clnt_state, s, end, asd) == KRB_FAILED)
{
- DebugFormat(DEBUG_INSPECTOR,"%p Failed\n", (void*)asd);
+ DebugFormat(DEBUG_APPID,"%p Failed\n", (void*)asd);
asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
return CLIENT_APP_SUCCESS;
else if (krb_walk_server_packet(&fd->svr_state, s, end, asd, nullptr, dir,
fd->clnt_state.cname) == KRB_FAILED)
{
- DebugFormat(DEBUG_INSPECTOR,"%p Server Failed\n", (void*)asd);
+ DebugFormat(DEBUG_APPID,"%p Server Failed\n", (void*)asd);
asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
}
return CLIENT_APP_INPROCESS;
const uint8_t* s = data;
const uint8_t* end = (data + size);
- DebugFormat(DEBUG_INSPECTOR, "%p Processing %u %hu->%hu %hu %d",
+ DebugFormat(DEBUG_APPID, "%p Processing %u %hu->%hu %hu %d",
(void*)asd, (unsigned int)asd->protocol, pkt->ptrs.sp, pkt->ptrs.dp, size, dir);
if (dir != APP_ID_FROM_RESPONDER)
fd->clnt_state.state = KRB_STATE_APP;
fd->svr_state.state = KRB_STATE_APP;
}
-#ifdef DEBUG_MSGS
- fd->clnt_state.last_state = KRB_STATE_INVALID;
- fd->svr_state.last_state = KRB_STATE_INVALID;
-#endif
}
if (fd->need_continue)
if (krb_walk_server_packet(&fd->svr_state, s, end, asd, pkt, dir, fd->clnt_state.cname) ==
KRB_FAILED)
{
- DebugFormat(DEBUG_INSPECTOR,"%p Failed\n", (void*)asd);
+ DebugFormat(DEBUG_APPID,"%p Failed\n", (void*)asd);
if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
service_mod.api->fail_service(asd, pkt, dir, &svc_element,
}
cmd_matcher->prep();
- init_api->pAppidConfig->add_generic_config_element(client_app_mod.name, cmd_matcher);
+ AppidConfigElement::add_generic_config_element(client_app_mod.name, cmd_matcher);
pop3_config.enabled = 1;
item;
item = (RNAClientAppModuleConfigItem*)sflist_next(&iter))
{
- DebugFormat(DEBUG_INSPECTOR,"Processing %s: %s\n",item->name, item->value);
+ DebugFormat(DEBUG_APPID,"Processing %s: %s\n",item->name, item->value);
if (strcasecmp(item->name, "enabled") == 0)
{
pop3_config.enabled = atoi(item->value);
{
for (i=0; i < sizeof(patterns)/sizeof(*patterns); i++)
{
- DebugFormat(DEBUG_INSPECTOR,"registering pattern: %s\n",
+ DebugFormat(DEBUG_APPID,"registering pattern: %s\n",
(const char*)patterns[i].pattern);
init_api->RegisterPatternNoCase(&pop3_ca_validate, IpProtocol::TCP,
patterns[i].pattern, patterns[i].length, 0);
unsigned j;
for (j=0; j < sizeof(appIdRegistry)/sizeof(*appIdRegistry); j++)
{
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[j].appId);
+ DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[j].appId);
init_api->RegisterAppId(&pop3_ca_validate, appIdRegistry[j].appId,
appIdRegistry[j].additionalInfo);
}
unsigned j;
for (j=0; j < sizeof(appIdRegistry)/sizeof(*appIdRegistry); j++)
{
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[j].appId);
+ DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[j].appId);
init_api->RegisterAppId(&pop3_validate, appIdRegistry[j].appId,
appIdRegistry[j].additionalInfo);
}
static void pop3_ca_clean()
{
SearchTool* cmd_matcher =
- (SearchTool*)AppIdConfig::get_appid_config()->find_generic_config_element(client_app_mod.name);
+ (SearchTool*)AppidConfigElement::find_generic_config_element(client_app_mod.name);
if (cmd_matcher)
delete cmd_matcher;
- AppIdConfig::get_appid_config()->remove_generic_config_element(client_app_mod.name);
+ AppidConfigElement::remove_generic_config_element(client_app_mod.name);
}
static int pop3_pattern_match(void* id, void*, int index, void* data, void*)
if (dir == APP_ID_FROM_RESPONDER)
{
#ifdef DEBUG_POP3
- DebugFormat(DEBUG_INSPECTOR,"%p Calling server\n",asd);
- DumpHex(SF_DEBUG_FILE, data, size);
+ DebugFormat(DEBUG_APPID,"%p Calling server\n",asd);
+ AppIdUtils::DumpHex(SF_DEBUG_FILE, data, size);
#endif
if (pop3_server_validate(dd, data, size, asd, 0))
}
#ifdef DEBUG_POP3
- DebugFormat(DEBUG_INSPECTOR,"%p Client\n",asd);
- DumpHex(SF_DEBUG_FILE, data, size);
+ DebugFormat(DEBUG_APPID,"%p Client\n",asd);
+ AppIdUtils::DumpHex(SF_DEBUG_FILE, data, size);
#endif
while ((length = (end - s)))
{
unsigned pattern_index;
SearchTool* cmd_matcher =
- (SearchTool*)AppIdConfig::get_appid_config()->find_generic_config_element(client_app_mod.name);
+ (SearchTool*)AppidConfigElement::find_generic_config_element(client_app_mod.name);
cmd = nullptr;
cmd_matcher->find_all((char*)s, (length > longest_pattern ? longest_pattern : length),
goto inprocess;
#ifdef DEBUG_POP3
- DebugFormat(DEBUG_INSPECTOR,"%p Dir %d\n",asd, dir);
- DumpHex(SF_DEBUG_FILE, data, size);
+ DebugFormat(DEBUG_APPID,"%p Dir %d\n",asd, dir);
+ AppIdUtils::DumpHex(SF_DEBUG_FILE, data, size);
#endif
dd = (POP3DetectorData*)pop3_detector_mod.api->data_get(asd,
#include "detector_sip.h"
-#include "appid/appid_module.h"
-#include "appid_utils/sf_mlmp.h"
-#include "fw_appid.h"
-#include "http_url_patterns.h"
-#include "service_plugins/service_base.h"
-#include "utils/util.h"
-
#include "log/messages.h"
#include "main/snort_debug.h"
+#include "utils/util.h"
#include "pub_sub/sip_events.h"
+#include "service_inspectors/sip/sip_common.h"
+#include "appid_module.h"
+#include "app_info_table.h"
+#include "client_plugins/client_app_api.h"
+#include "service_plugins/service_base.h"
+#include "http_url_patterns.h"
+#include "appid_utils/sf_mlmp.h"
+
using namespace std;
+#include "app_info_table.h"
+#include "client_plugins/client_app_api.h"
+#include "service_plugins/service_base.h"
+#include "http_url_patterns.h"
+#include "appid_utils/sf_mlmp.h"
+
static const char SIP_REGISTER_BANNER[] = "REGISTER ";
static const char SIP_INVITE_BANNER[] = "INVITE ";
static const char SIP_CANCEL_BANNER[] = "CANCEL ";
static AppRegistryEntry appIdClientRegistry[] =
{
- { APP_ID_SIP, APPINFO_FLAG_CLIENT_ADDITIONAL|APPINFO_FLAG_CLIENT_USER },
+ { APP_ID_SIP, APPINFO_FLAG_CLIENT_ADDITIONAL | APPINFO_FLAG_CLIENT_USER },
};
static AppRegistryEntry appIdServiceRegistry[] =
{
- { APP_ID_SIP, APPINFO_FLAG_SERVICE_ADDITIONAL|APPINFO_FLAG_CLIENT_USER },
+ { APP_ID_SIP, APPINFO_FLAG_SERVICE_ADDITIONAL | APPINFO_FLAG_CLIENT_USER },
{ APP_ID_RTP, APPINFO_FLAG_SERVICE_ADDITIONAL }
};
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// flow_error.h author Sourcefire Inc.
-
-#ifndef FLOW_ERROR_H
-#define FLOW_ERROR_H
-
-#define APPID_SESSION_SUCCESS 0
-#define APPID_SESSION_ENULL 1
-#define APPID_SESSION_EINVALID 2
-#define APPID_SESSION_ENOMEM 3
-#define APPID_SESSION_NOTFOUND 4
-#define APPID_SESSION_BADJUJU 5
-#define APPID_SESSION_DISABLED 6
-#define APPID_SESSION_EUNSUPPORTED 7
-#define APPID_SESSION_STOP_PROCESSING 8
-#define APPID_SESSION_EEXISTS 9
-
-#endif
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// fw_appid.cc author Sourcefire Inc.
-
-#include "fw_appid.h"
-
-#include "log/messages.h"
-#include "profiler/profiler.h"
-#include "protocols/tcp.h"
-#include "target_based/snort_protocols.h"
-#include "utils/util.h"
-
-#include "appid_stats.h"
-#include "appid_config.h"
-#include "appid_module.h"
-#include "app_forecast.h"
-#include "app_info_table.h"
-#include "appid_api.h"
-#include "host_port_app_cache.h"
-#include "lua_detector_module.h"
-#include "client_plugins/client_app_base.h"
-#include "detector_plugins/detector_dns.h"
-#include "service_plugins/service_base.h"
-#include "service_plugins/service_ssl.h"
-#include "service_plugins/service_util.h"
-#include "appid_utils/common_util.h"
-#include "appid_utils/ip_funcs.h"
-#include "appid_utils/network_set.h"
-#include "time/packet_time.h"
-#include "sfip/sf_ip.h"
-
-#define HTTP_PATTERN_MAX_LEN 1024
-#define PORT_MAX 65535
-
-#ifdef APPID_UNUSED_CODE
-void reset_appid_stats(int, void*)
-{
- if (thirdparty_appid_module)
- thirdparty_appid_module->reset_stats();
-}
-#endif
-
-void AppIdAddUser(AppIdSession* asd, const char* username, AppId appId, int success)
-{
- if (asd->username)
- snort_free(asd->username);
- asd->username = snort_strdup(username);
- asd->username_service = appId;
- if (success)
- asd->set_session_flags(APPID_SESSION_LOGIN_SUCCEEDED);
- else
- asd->clear_session_flags(APPID_SESSION_LOGIN_SUCCEEDED);
-}
-
-void AppIdAddPayload(AppIdSession* asd, AppId payload_id)
-{
- if (AppIdConfig::get_appid_config()->mod_config->instance_id)
- checkSandboxDetection(payload_id);
- asd->payload_app_id = payload_id;
-}
-
-void checkSandboxDetection(AppId appId)
-{
- AppInfoTableEntry* entry;
-
- if (AppIdConfig::get_appid_config()->mod_config->instance_id)
- {
- entry = AppInfoManager::get_instance().get_app_info_entry(appId);
- if ( entry && ( entry->flags & APPINFO_FLAG_ACTIVE ) )
- fprintf(SF_DEBUG_FILE, "Detected AppId %d\n", entry->appId);
- else if( appId != 0 )
- fprintf(SF_DEBUG_FILE, "No Entry For AppId %d\n", appId);
- }
-}
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// fw_appid.h author Sourcefire Inc.
-
-#ifndef FW_APPID_H
-#define FW_APPID_H
-
-#include "client_plugins/client_app_api.h"
-#include "appid_utils/common_util.h"
-
-#include "appid.h"
-#include "appid_api.h"
-#include "appid_config.h"
-#include "appid_session.h"
-#include "application_ids.h"
-#include "app_info_table.h"
-#include "service_plugins/service_api.h"
-#include "thirdparty_appid_utils.h"
-
-#define MIN_SFTP_PACKET_COUNT 30
-#define MAX_SFTP_PACKET_COUNT 55
-
-extern uint8_t appIdPriorityArray[SF_APPID_MAX + 1];
-
-AppIdSession* getAppIdData(void* lwssn);
-
-void AppIdAddUser(AppIdSession*, const char* username, AppId, int success);
-void AppIdAddPayload(AppIdSession*, AppId);
-
-extern unsigned dhcp_fp_table_size;
-
-void checkSandboxDetection(AppId appId);
-
-inline void initializePriorityArray()
-{
- for ( int i=0; i < SF_APPID_MAX; ++i )
- appIdPriorityArray[i] = 2;
-}
-
-inline void setAppPriority(AppId app_id, uint8_t bit_val)
-{
- if ( app_id < SF_APPID_MAX && bit_val <= APPID_MAX_PRIORITY )
- appIdPriorityArray[app_id] = bit_val;
-}
-
-inline int getAppPriority(AppId app_id)
-{
- if (app_id > APP_ID_NONE && app_id < SF_APPID_MAX)
- return appIdPriorityArray[app_id];
-
- return -1;
-}
-
-inline int ThirdPartyAppIDFoundProto(AppId proto, AppId* proto_list)
-{
- unsigned int proto_cnt = 0;
- while (proto_list[proto_cnt] != APP_ID_NONE)
- if (proto_list[proto_cnt++] == proto)
- return 1; // found
-
- return 0; // not found
-}
-
-inline int TPIsAppIdDone(void* tpSession)
-{
- if (thirdparty_appid_module)
- {
- unsigned state;
-
- if (tpSession)
- state = thirdparty_appid_module->session_state_get(tpSession);
- else
- state = TP_STATE_INIT;
- return (state == TP_STATE_CLASSIFIED || state == TP_STATE_TERMINATED || state ==
- TP_STATE_HA);
- }
- return true;
-}
-
-inline int TPIsAppIdAvailable(void* tpSession)
-{
- if (thirdparty_appid_module)
- {
- unsigned state;
-
- if (tpSession)
- state = thirdparty_appid_module->session_state_get(tpSession);
- else
- state = TP_STATE_INIT;
- return (state == TP_STATE_CLASSIFIED || state == TP_STATE_TERMINATED || state ==
- TP_STATE_MONITORING);
- }
- return true;
-}
-
-inline int testSSLAppIdForReinspect(AppId app_id)
-{
- if (app_id <= SF_APPID_MAX &&
- (app_id == APP_ID_SSL || AppInfoManager::get_instance().get_app_info_flags(app_id, APPINFO_FLAG_SSL_INSPECT)))
- return 1;
- else
- return 0;
-}
-
-#endif
#ifndef HTTP_COMMON_H
#define HTTP_COMMON_H
-#include "appid.h"
#include "appid_api.h"
#include "appid_utils/sf_multi_mpse.h"
CONTENT_TYPE_PT, // 6
LOCATION_PT, // 7
BODY_PT, // 8
+ NUMBER_OF_PTYPES, // 9
MAX_PATTERN_TYPE = BODY_PT,
MAX_KEY_PATTERN = URI_PT,
};
#include "appid_module.h"
#include "app_forecast.h"
#include "app_info_table.h"
-#include "fw_appid.h"
#include "host_port_app_cache.h"
#include "http_common.h"
#include "lua_detector_flow_api.h"
/*mpse library does not hold reference to pattern therefore we dont need to allocate it. */
ud->client.appModule.userData = ud.ptr;
- ClientAppLoadCallback((void*)&(ud->client.appModule));
+ load_client_application_plugin((void*)&(ud->client.appModule));
ClientAppRegisterPattern(validate_client_application, protocol, (const uint8_t*)pattern,
size, position, 0, ud);
*/
static int add_service_application(lua_State* L)
{
- unsigned int serviceId, retValue = SERVICE_ENULL;
auto& ud = *UserData<Detector>::check(L, DETECTOR, 1);
- serviceId = lua_tonumber(L, 2);
+ unsigned serviceId = lua_tonumber(L, 2);
CHECK_INPUTS();
/*Phase2 - discuss RNAServiceSubtype will be maintained on lua side therefore the last
parameter on the following call is nullptr.
Subtype is not displayed on DC at present. */
- retValue = AppIdServiceAddService(ud->validateParams.asd, ud->validateParams.pkt,
- ud->validateParams.dir, ud->server.pServiceElement,
- serviceId, nullptr, nullptr, nullptr);
+ unsigned retValue = AppIdServiceAddService(ud->validateParams.asd, ud->validateParams.pkt,
+ ud->validateParams.dir, ud->server.pServiceElement, serviceId, nullptr, nullptr, nullptr);
lua_pushnumber(L, retValue);
return 1;
#include "lua_detector_module.h"
#include "main/snort_debug.h"
#include "sfip/sf_ip.h"
-#include "appid_utils/common_util.h"
/* Lua flag bit/index to C flag value (0 for invalid). */
static const uint64_t FLAGS_TABLE_LUA_TO_C[32]
#include <glob.h>
#include <libgen.h>
#include <lua.hpp>
+#include <libgen.h>
#include "appid_config.h"
#include "client_plugins/client_app_base.h"
{
char pattern[PATH_MAX];
snprintf(pattern, sizeof(pattern), "%s/*", path);
-
- // FIXIT-M - is glob thread safe?
glob_t globs;
+
memset(&globs, 0, sizeof(globs));
int rval = glob(pattern, 0, nullptr, &globs);
if (rval == 0 )
globfree(&globs);
}
else if(rval == GLOB_NOMATCH)
- WarningMessage("No lua detectors found in directory '%s'\n", pattern);
+ ParseWarning(WARN_CONF, "No lua detectors found in directory '%s'\n", pattern);
else
- ErrorMessage("Error reading lua detectors directory '%s'. Error Code: %d\n",
+ ParseWarning(WARN_CONF, "Error reading lua detectors directory '%s'. Error Code: %d\n",
pattern, rval);
}
name.c_str(), lua_tostring(L, -1));
return;
}
- else
- {
- if ( detector->server.pServiceElement )
- detector->server.pServiceElement->ref_count = 1;
-
- DebugFormat(DEBUG_APPID, "Initialized %s\n", name.c_str());
- }
+ else if ( detector->server.pServiceElement )
+ detector->server.pServiceElement->ref_count = 1;
}
static void init_client_detector(Detector* detector)
struct Packet;
struct DynamicPreprocessorData;
+#define APPID_EARLY_SESSION_FLAG_FW_RULE 1
+
+enum SERVICE_HOST_INFO_CODE
+{
+ SERVICE_HOST_INFO_NETBIOS_NAME = 1
+};
+
enum SERVICE_RETCODE
{
SERVICE_SUCCESS = 0,
struct RNAServiceValidationModule;
struct InitServiceAPI
{
- void (* RegisterPattern)( RNAServiceValidationFCN, IpProtocol proto, const uint8_t* pattern,
+ void (*RegisterPattern)( RNAServiceValidationFCN, IpProtocol proto, const uint8_t* pattern,
unsigned size, int position, const char* name);
- int (* AddPort)( const RNAServiceValidationPort*, RNAServiceValidationModule*);
- void (* RemovePorts)(RNAServiceValidationFCN);
- void (* RegisterPatternUser)(RNAServiceValidationFCN, IpProtocol proto,
+ int (*AddPort)( const RNAServiceValidationPort*, RNAServiceValidationModule*);
+ void (*RemovePorts)(RNAServiceValidationFCN);
+ void (*RegisterPatternUser)(RNAServiceValidationFCN, IpProtocol proto,
const uint8_t* pattern, unsigned size, int position, const char* name);
- void (* RegisterAppId)( RNAServiceValidationFCN, AppId, uint32_t additionalInfo);
+ void (*RegisterAppId)( RNAServiceValidationFCN, AppId, uint32_t additionalInfo);
int debug;
uint32_t instance_id;
AppIdConfig* pAppidConfig; ///< AppId context for which this API should be used
const char* name;
};
-typedef void*(* ServiceFlowdataGet)(AppIdSession*, unsigned);
-typedef int (* ServiceFlowdataAdd)(AppIdSession*, void*, unsigned, AppIdFreeFCN);
-typedef int (* ServiceFlowdataAddDHCP)(AppIdSession*, unsigned, const uint8_t*, unsigned, const
+typedef void* (*ServiceFlowdataGet)(AppIdSession*, unsigned);
+typedef int (*ServiceFlowdataAdd)(AppIdSession*, void*, unsigned, AppIdFreeFCN);
+typedef int (*ServiceFlowdataAddDHCP)(AppIdSession*, unsigned, const uint8_t*, unsigned, const
uint8_t*, const uint8_t*);
-#define APPID_EARLY_SESSION_FLAG_FW_RULE 1
-typedef void (* ServiceDhcpNewLease)(AppIdSession* flow, const uint8_t* mac, uint32_t ip, int32_t
+typedef void (*ServiceDhcpNewLease)(AppIdSession* flow, const uint8_t* mac, uint32_t ip, int32_t
zone, uint32_t subnetmask, uint32_t leaseSecs, uint32_t router);
-typedef void (* ServiceAnalyzeFP)(AppIdSession*, unsigned, unsigned, uint32_t);
+typedef void (*ServiceAnalyzeFP)(AppIdSession*, unsigned, unsigned, uint32_t);
-typedef int (* AddService)(AppIdSession* flow, const Packet* pkt, int dir,
+typedef int (*AddService)(AppIdSession* flow, const Packet* pkt, int dir,
const RNAServiceElement* svc_element, AppId service, const char* vendor,
const char* version, const RNAServiceSubtype* subtype);
-typedef int (* AddServiceConsumeSubtype)(AppIdSession* flow, const Packet* pkt, int dir,
+typedef int (*AddServiceConsumeSubtype)(AppIdSession* flow, const Packet* pkt, int dir,
const RNAServiceElement* svc_element, AppId service, const char* vendor, const char* version,
RNAServiceSubtype* subtype);
-typedef int (* ServiceInProcess)(AppIdSession* flow, const Packet* pkt, int dir,
+typedef int (*ServiceInProcess)(AppIdSession* flow, const Packet* pkt, int dir,
const RNAServiceElement* svc_element);
-typedef int (* FailService)(AppIdSession* flow, const Packet* pkt, int dir,
+typedef int (*FailService)(AppIdSession* flow, const Packet* pkt, int dir,
const RNAServiceElement* svc_element, unsigned flow_data_index);
-typedef int (* IncompatibleData)(AppIdSession* flow, const Packet* pkt, int dir,
+typedef int (*IncompatibleData)(AppIdSession* flow, const Packet* pkt, int dir,
const RNAServiceElement* svc_element, unsigned flow_data_index, const AppIdConfig*);
-typedef void (* AddHostInfo)(AppIdSession* flow, SERVICE_HOST_INFO_CODE code, const void* info);
-typedef void (* AddPayload)(AppIdSession*, AppId);
-typedef void (* AddUser)(AppIdSession*, const char*, AppId, int);
-typedef void (* AddMisc)(AppIdSession*, AppId);
-typedef void (* AddDnsQueryInfo)(AppIdSession* flow, uint16_t id, const uint8_t* host,
+typedef void (*AddHostInfo)(AppIdSession* flow, SERVICE_HOST_INFO_CODE code, const void* info);
+typedef void (*AddPayload)(AppIdSession*, AppId);
+typedef void (*AddUser)(AppIdSession*, const char*, AppId, int);
+typedef void (*AddMisc)(AppIdSession*, AppId);
+typedef void (*AddDnsQueryInfo)(AppIdSession* flow, uint16_t id, const uint8_t* host,
uint8_t host_len, uint16_t host_offset, uint16_t record_type);
-typedef void (* AddDnsResponseInfo)(AppIdSession* flow, uint16_t id, const uint8_t* host,
+typedef void (*AddDnsResponseInfo)(AppIdSession* flow, uint16_t id, const uint8_t* host,
uint8_t host_len, uint16_t host_offset, uint8_t response_type, uint32_t ttl);
-typedef void (* ResetDnsInfo)(AppIdSession* flow);
+typedef void (*ResetDnsInfo)(AppIdSession* flow);
struct ServiceApi
{
#include <vector>
#include <algorithm>
-
#include <limits.h>
+
+#include "app_info_table.h"
#include "service_api.h"
#include "service_battle_field.h"
#include "service_bgp.h"
#include "service_tftp.h"
#include "appid_session.h"
#include "appid_config.h"
-#include "fw_appid.h"
#include "lua_detector_api.h"
#include "lua_detector_module.h"
#include "appid_utils/ip_funcs.h"
#include "detector_plugins/detector_dns.h"
#include "detector_plugins/detector_pattern.h"
#include "detector_plugins/detector_sip.h"
+
#include "log/messages.h"
#include "main/snort_debug.h"
#include "search_engines/search_tool.h"
#define MAX_CANDIDATE_SERVICES 10
#define DHCP_OPTION55_LEN_MAX 255
+#define FINGERPRINT_UDP_FLAGS_XENIX 0x00000800
+#define FINGERPRINT_UDP_FLAGS_NT 0x00001000
+#define FINGERPRINT_UDP_FLAGS_MASK (FINGERPRINT_UDP_FLAGS_XENIX | FINGERPRINT_UDP_FLAGS_NT)
+
static void* service_flowdata_get(AppIdSession* asd, unsigned service_id);
static int service_flowdata_add(AppIdSession* asd, void* data, unsigned service_id, AppIdFreeFCN
fcn);
&AppIdServiceInProcess,
&AppIdServiceIncompatibleData,
&add_host_info,
- &AppIdAddPayload,
- &AppIdAddUser,
+ &AppIdSession::add_payload,
+ &AppIdSession::add_user,
&AppIdServiceAddServiceSubtype,
&add_miscellaneous_info,
&add_dns_query_info,
AppInfoTableEntry* pEntry = AppInfoManager::get_instance().get_app_info_entry(appId);
if (!pEntry)
{
- ParseError(
+ ParseWarning(WARN_RULES,
"AppId: ID to Name mapping entry missing for AppId: %d. No rule support for this ID.",
appId);
return;
return 0;
}
-AppId getPortServiceId(IpProtocol proto, uint16_t port, const AppIdConfig* pConfig)
+AppId getPortServiceId(IpProtocol proto, uint16_t port, const AppIdConfig* config)
{
AppId appId;
if (proto == IpProtocol::TCP)
- appId = pConfig->tcp_port_only[port];
+ appId = config->tcp_port_only[port];
else if (proto == IpProtocol::UDP)
- appId = pConfig->udp_port_only[port];
+ appId = config->udp_port_only[port];
else
- appId = pConfig->ip_protocol[(uint16_t)proto];
+ appId = config->ip_protocol[(uint16_t)proto];
checkSandboxDetection(appId);
if ((li->validate == fcn) && (li->userdata == userdata))
return li;
- for (li=service_config->udp_service_list; li; li=li->next)
+ for (li = service_config->udp_service_list; li; li = li->next)
if ((li->validate == fcn) && (li->userdata == userdata))
return li;
return;
}
- for (li=*list; li; li=li->next)
+ for (li = *list; li; li=li->next)
{
if ((li->validate == fcn) && (li->userdata == userdata))
break;
li->name = name;
}
- if (!(*patterns))
+ if ( !(*patterns) )
{
*patterns = new SearchTool("ac_full");
if (!(*patterns))
RNAServiceElement* li;
unsigned i;
- for (li=list; li; li=li->next)
+ for (li = list; li; li=li->next)
{
if (li->validate == validate && li->userdata == userdata)
break;
static void RemoveAllServicePorts()
{
- int i;
-
- for ( i= 0; i < RNA_SERVICE_MAX_PORT; i++)
+ for (unsigned i = 0; i < RNA_SERVICE_MAX_PORT; i++)
{
if (service_config->tcp_services[i])
{
service_config->tcp_services[i] = nullptr;
}
}
- for (i = 0; i < RNA_SERVICE_MAX_PORT; i++)
+ for (unsigned i = 0; i < RNA_SERVICE_MAX_PORT; i++)
{
if (service_config->udp_services[i])
{
service_config->udp_services[i] = nullptr;
}
}
- for (i = 0; i < RNA_SERVICE_MAX_PORT; i++)
+ for (unsigned i = 0; i < RNA_SERVICE_MAX_PORT; i++)
{
if (service_config->udp_reversed_services[i])
{
RNAServiceElement* li;
RNAServiceElement* serviceElement;
- DebugFormat(DEBUG_INSPECTOR, "Adding service %s for protocol %u on port %u\n",
+ DebugFormat(DEBUG_APPID, "Adding service %s for protocol %u on port %u\n",
svm->name, (unsigned)pp->proto, (unsigned)pp->port);
if (pp->proto == IpProtocol::TCP)
{
return 0;
}
- for (li=*list; li; li=li->next)
+ for (li = *list; li; li = li->next)
{
if (li->validate == pp->validate && li->userdata == userdata)
break;
void finalize_service_patterns()
{
- ServicePatternData* curr;
ServicePatternData* lists[] = { service_config->tcp_pattern_data,
service_config->udp_pattern_data };
+
for ( unsigned i = 0; i < (sizeof(lists) / sizeof(*lists)); i++)
{
- curr = lists[i];
+ ServicePatternData* curr = lists[i];
while (curr != nullptr)
{
if (curr->svc != nullptr)
service_config->tcp_pattern_data = pattern->next;
snort_free(pattern);
}
+
while ((pattern = service_config->udp_pattern_data))
{
service_config->udp_pattern_data = pattern->next;
const int, AppIdServiceIDState* id_state)
{
SearchTool* patterns = nullptr;
- ServiceMatch* match_list;
- uint32_t i;
- RNAServiceElement* service = nullptr;
std::vector<ServiceMatch*> smOrderedList;
if (proto == IpProtocol::TCP)
}
/*FRE didn't search */
- match_list = nullptr;
+ ServiceMatch* match_list = nullptr;
patterns->find_all((char*)pkt->data, pkt->dsize, &pattern_match, false, (void*)&match_list);
for (ServiceMatch* sm = match_list; sm; sm = sm->next)
std::sort(smOrderedList.begin(), smOrderedList.end(), AppIdPatternPrecedence);
+ unsigned i;
for (i = 0; i < smOrderedList.size() - 1; i++)
smOrderedList[i]->next = smOrderedList[i + 1];
smOrderedList[i]->next = nullptr;
- service = smOrderedList[0]->svc;
+ RNAServiceElement* service = smOrderedList[0]->svc;
if (id_state)
{
if (op55_len && op55_len <= DHCP_OPTION55_LEN_MAX
&& !asd->get_session_flags(APPID_SESSION_HAS_DHCP_FP))
{
- DHCPData* rdd;
-
- rdd = (DHCPData*)snort_calloc(sizeof(*rdd));
+ DHCPData* rdd = (DHCPData*)snort_calloc(sizeof(*rdd));
if (asd->add_flow_data(rdd, APPID_SESSION_DATA_DHCP_FP_DATA,
(AppIdFreeFCN)AppIdFreeDhcpData))
{
{
NetworkSet* net_list;
unsigned flags;
- AppIdConfig* pConfig = AppIdConfig::get_appid_config();
+ AppIdConfig* config = AppIdConfig::get_appid_config();
- if (zone >= 0 && zone < MAX_ZONES && pConfig->net_list_by_zone[zone])
- net_list = pConfig->net_list_by_zone[zone];
+ if (zone >= 0 && zone < MAX_ZONES && config->net_list_by_zone[zone])
+ net_list = config->net_list_by_zone[zone];
else
- net_list = pConfig->net_list;
+ net_list = config->net_list;
- NetworkSet_ContainsEx(net_list, ip4, &flags);
+ NetworkSetManager::contains_ex(net_list, ip4, &flags);
return flags;
}
uint32_t subnetmask, uint32_t leaseSecs, uint32_t router)
{
DHCPInfo* info;
- unsigned flags;
if (memcmp(mac, zeromac, 6) == 0 || ip == 0)
return;
|| asd->get_session_flags(APPID_SESSION_HAS_DHCP_INFO))
return;
- flags = isIPv4HostMonitored(ntohl(ip), zone);
+ unsigned flags = isIPv4HostMonitored(ntohl(ip), zone);
if (!(flags & IPFUNCS_HOSTS_IP))
return;
}
asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED);
asd->serviceAppId = appId;
-
checkSandboxDetection(appId);
if (asd->get_session_flags(APPID_SESSION_IGNORE_HOST))
}
}
- /* If we ended up with UDP reversed, make sure we're pointing to the
- * correct host tracker entry. */
+ // If UDP reversed, ensure we have the correct host tracker entry.
if (asd->get_session_flags(APPID_SESSION_UDP_REVERSED))
{
asd->id_state = get_service_id_state(ip, asd->protocol, port,
if (!(id_state = asd->id_state))
{
- if (!(id_state = add_service_id_state(ip, asd->protocol, port, AppIdServiceDetectionLevel(
- asd))))
+ if (!(id_state = add_service_id_state(ip, asd->protocol, port,
+ AppIdServiceDetectionLevel(asd))))
{
ErrorMessage("Add service failed to create state");
return SERVICE_ENOMEM;
const RNAServiceSubtype* subtype)
{
RNAServiceSubtype* new_subtype = nullptr;
- RNAServiceSubtype* tmp_subtype;
if (!svc_element->current_ref_count)
{
for (; subtype; subtype = subtype->next)
{
- tmp_subtype = (RNAServiceSubtype*)snort_calloc(sizeof(RNAServiceSubtype));
+ RNAServiceSubtype* tmp_subtype = (RNAServiceSubtype*)snort_calloc(sizeof(RNAServiceSubtype));
if (subtype->service)
tmp_subtype->service = snort_strdup(subtype->service);
return SERVICE_EINVALID;
}
- if (dir == APP_ID_FROM_INITIATOR || asd->get_session_flags(APPID_SESSION_IGNORE_HOST|
- APPID_SESSION_UDP_REVERSED))
+ if (dir == APP_ID_FROM_INITIATOR ||
+ asd->get_session_flags(APPID_SESSION_IGNORE_HOST | APPID_SESSION_UDP_REVERSED))
return SERVICE_SUCCESS;
if (!(id_state = asd->id_state))
{
- uint16_t port;
- const sfip_t* ip;
+ const sfip_t* ip = pkt->ptrs.ip_api.get_src();
+ uint16_t port = asd->service_port ? asd->service_port : pkt->ptrs.sp;
- ip = pkt->ptrs.ip_api.get_src();
- port = asd->service_port ? asd->service_port : pkt->ptrs.sp;
-
- if (!(id_state = add_service_id_state(ip, asd->protocol, port, AppIdServiceDetectionLevel(
- asd))))
+ if (!(id_state = add_service_id_state(ip, asd->protocol, port,
+ AppIdServiceDetectionLevel(asd))))
{
ErrorMessage("In-process service failed to create state");
return SERVICE_ENOMEM;
}
+
asd->id_state = id_state;
asd->service_ip = *ip;
asd->service_port = port;
{
if (!sfip_is_set(&asd->service_ip))
{
- const sfip_t* ip = pkt->ptrs.ip_api.get_src();
- asd->service_ip = *ip;
+ asd->service_ip = *(pkt->ptrs.ip_api.get_src());
if (!asd->service_port)
asd->service_port = pkt->ptrs.sp;
}
if (!(id_state = asd->id_state))
{
- uint16_t port;
- const sfip_t* ip;
-
- ip = pkt->ptrs.ip_api.get_src();
- port = asd->service_port ? asd->service_port : pkt->ptrs.sp;
+ const sfip_t* ip = pkt->ptrs.ip_api.get_src();
+ uint16_t port = asd->service_port ? asd->service_port : pkt->ptrs.sp;
if (!(id_state = add_service_id_state(ip, asd->protocol, port,
AppIdServiceDetectionLevel(asd))))
{
if (!sfip_is_set(&asd->service_ip))
{
- const sfip_t* ip = pkt->ptrs.ip_api.get_src();
- asd->service_ip = *ip;
+ asd->service_ip = *(pkt->ptrs.ip_api.get_src());
if (!asd->service_port)
asd->service_port = pkt->ptrs.sp;
if (!(id_state = asd->id_state))
{
- uint16_t port;
- const sfip_t* ip;
-
- ip = pkt->ptrs.ip_api.get_src();
- port = asd->service_port ? asd->service_port : pkt->ptrs.sp;
+ const sfip_t* ip = pkt->ptrs.ip_api.get_src();
+ uint16_t port = asd->service_port ? asd->service_port : pkt->ptrs.sp;
if (!(id_state = add_service_id_state(ip, asd->protocol, port,
AppIdServiceDetectionLevel(asd))))
{
if (!sfip_is_set(&asd->service_ip))
{
- const sfip_t* ip = pkt->ptrs.ip_api.get_src();
- asd->service_ip = *ip;
+ asd->service_ip = *(pkt->ptrs.ip_api.get_src());
if (!asd->service_port)
asd->service_port = pkt->ptrs.sp;
}
args.userdata = service->userdata;
ret = service->validate(&args);
if (ret == SERVICE_NOT_COMPATIBLE)
- asd->got_incompatible_services = 1;
+ asd->got_incompatible_services = true;
if (asd->session_logging_enabled)
LogMessage("AppIdDbg %s %s returned %d\n", asd->session_logging_id,
service->name ? service->name : "UNKNOWN", ret);
args.userdata = service->userdata;
result = service->validate(&args);
if (result == SERVICE_NOT_COMPATIBLE)
- asd->got_incompatible_services = 1;
+ asd->got_incompatible_services = true;
if (asd->session_logging_enabled)
LogMessage("AppIdDbg %s %s returned %d\n", asd->session_logging_id,
service->name ? service->name : "UNKNOWN", result);
unsigned i;
for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++)
{
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId);
+ DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId);
init_api->RegisterAppId(&bgp_validate, appIdRegistry[i].appId,
appIdRegistry[i].additionalInfo);
}
unsigned i;
for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++)
{
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId);
+ DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId);
init_api->RegisterAppId(&bit_validate, appIdRegistry[i].appId,
appIdRegistry[i].additionalInfo);
}
unsigned i;
for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++)
{
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId);
+ DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId);
init_api->RegisterAppId(&bootp_validate, appIdRegistry[i].appId,
appIdRegistry[i].additionalInfo);
}
#include <cstdint>
-#include <appid.h>
#include "service_api.h"
#define RNA_SERVICE_MAX_PORT 65536
unsigned i;
for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++)
{
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId);
+ DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId);
init_api->RegisterAppId(&dcerpc_udp_validate, appIdRegistry[i].appId,
appIdRegistry[i].additionalInfo);
}
unsigned i;
for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++)
{
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId);
+ DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId);
init_api->RegisterAppId(&direct_connect_validate, appIdRegistry[i].appId,
appIdRegistry[i].additionalInfo);
}
//unsigned i;
for (unsigned i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++)
{
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId);
+ DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId);
init_api->RegisterAppId(&flap_validate, appIdRegistry[i].appId,
appIdRegistry[i].additionalInfo);
}
#include "service_mdns.h"
#include "appid_module.h"
-#include "search_engines/search_tool.h"
-#include "client_plugins/client_app_base.h"
-#include "detector_plugins/http_url_patterns.h"
-#include "detector_plugins/detector_http.h"
-#include "appid_utils/common_util.h"
+
#include "appid_config.h"
+#include "app_info_table.h"
#include "appid_session.h"
-#include "fw_appid.h"
#include "http_common.h"
#include "lua_detector_api.h"
#include "service_api.h"
#include "service_base.h"
#include "service_ssl.h"
+#include "client_plugins/client_app_base.h"
+#include "detector_plugins/http_url_patterns.h"
+#include "detector_plugins/detector_http.h"
#include "main/snort_debug.h"
#include "utils/util.h"
+#include "search_engines/search_tool.h"
#define MDNS_PORT 5353
#define PATTERN_REFERENCE_PTR 3
MatchedPatterns* patternList;
};
-static int MDNS_init(const InitServiceAPI* const init_api);
+static int mdns_init(const InitServiceAPI* const init_api);
static int ReferencePointer(const char* start_ptr,const char** resp_endptr, int* start_index,
- uint16_t data_size, uint8_t* user_name_len, unsigned offset, const AppIdConfig* pConfig);
+ uint16_t data_size, uint8_t* user_name_len, unsigned offset);
static int MDNS_validate(ServiceValidationArgs* args);
static int mdnsMatcherCreate();
static void mdnsMatcherDestroy();
-static unsigned mdnsMatchListCreate(const char* data, uint16_t dataSize, const
- AppIdConfig* pConfig);
+static unsigned mdnsMatchListCreate(const char* data, uint16_t dataSize);
static void mdnsMatchListFind(const char* dataPtr, uint16_t index, const char** resp_endptr,
- int* pattern_length, const AppIdConfig* pConfig);
+ int* pattern_length);
static void mdnsMatchListDestroy();
static void MDNS_clean();
RNAServiceValidationModule mdns_service_mod =
{
"MDNS",
- &MDNS_init,
+ &mdns_init,
pp,
nullptr,
nullptr,
{ APP_ID_MDNS, APPINFO_FLAG_SERVICE_ADDITIONAL }
};
-static int MDNS_init(const InitServiceAPI* const init_api)
+static int mdns_init(const InitServiceAPI* const init_api)
{
unsigned i;
for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++)
{
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId);
+ DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId);
init_api->RegisterAppId(&MDNS_validate, appIdRegistry[i].appId,
appIdRegistry[i].additionalInfo);
}
Returns 0 or 1 for successful/unsuccessful hit for pattern '@'
Returns -1 for invalid address pointer or past the data_size */
static int ReferencePointer(const char* start_ptr, const char** resp_endptr, int* start_index,
- uint16_t data_size, uint8_t* user_name_len, unsigned size, const AppIdConfig* pConfig)
+ uint16_t data_size, uint8_t* user_name_len, unsigned size)
{
int index = 0;
int pattern_length = 0;
const char* temp_start_ptr;
temp_start_ptr = start_ptr+index;
- mdnsMatchListFind(start_ptr, size - data_size + index, resp_endptr, &pattern_length, pConfig);
+ mdnsMatchListFind(start_ptr, size - data_size + index, resp_endptr, &pattern_length);
/* Contains reference pointer */
while ((index < data_size) && !(*resp_endptr) && ((uint8_t )temp_start_ptr[index] >>
SHIFT_BITS_REFERENCE_PTR != PATTERN_REFERENCE_PTR))
break;
}
index++;
- mdnsMatchListFind(start_ptr, size - data_size + index, resp_endptr, &pattern_length,
- pConfig);
+ mdnsMatchListFind(start_ptr, size - data_size + index, resp_endptr, &pattern_length);
}
if (index >= data_size)
*user_name_len = 0;
SHIFT_BITS_REFERENCE_PTR != PATTERN_REFERENCE_PTR))
{
index++;
- mdnsMatchListFind(start_ptr, size - data_size + index, resp_endptr, &pattern_length,
- pConfig);
+ mdnsMatchListFind(start_ptr, size - data_size + index, resp_endptr, &pattern_length);
}
if (index >= data_size)
*user_name_len = 0;
2. Calls the function which scans for pattern to identify the user
3. Calls the function which does the Username reporting along with the host
MDNS User Analysis*/
-static int MDNSUserAnalyser(AppIdSession* asd, const Packet* pkt, uint16_t size, const
- AppIdConfig* pConfig)
+static int MDNSUserAnalyser(AppIdSession* asd, const Packet* pkt, uint16_t size)
{
- const char* query_val;
- const char* answers;
char user_name[MAX_LENGTH_SERVICE_NAME] = "";
char* user_name_bkp = nullptr;
- const char* resp_endptr;
- const char* srv_original;
- const char* end_srv_original;
- const char* user_original;
- int query_val_int;
- int ans_count = 0;
- int start_index =0;
- int processed_ans =0;
- uint16_t data_len = 0;
- uint8_t* data_len_str;
+ int start_index = 0;
+ int processed_ans = 0;
uint8_t user_name_len = 0;
uint16_t data_size = size;
/* Scan for MDNS response, decided on Query value */
- query_val = (char*)pkt->data + QUERY_OFFSET;
- query_val_int = (short)(query_val[0]<<SHIFT_BITS | query_val[1]);
- answers = (char*)pkt->data + ANSWER_OFFSET;
- ans_count = (short)(answers[0]<< SHIFT_BITS | (answers[1] ));
+ const char* query_val = (char*)pkt->data + QUERY_OFFSET;
+ int query_val_int = (short)(query_val[0]<<SHIFT_BITS | query_val[1]);
+ const char* answers = (char*)pkt->data + ANSWER_OFFSET;
+ int ans_count = (short)(answers[0]<< SHIFT_BITS | (answers[1] ));
- if ( query_val_int ==0)
+ if ( query_val_int == 0)
{
- srv_original = (char*)pkt->data + RECORD_OFFSET;
- mdnsMatchListCreate(srv_original, size-RECORD_OFFSET, pConfig);
- end_srv_original = (char*)pkt->data + RECORD_OFFSET+data_size;
- for (processed_ans =0; processed_ans< ans_count && data_size <= size && size > 0;
+ const char* resp_endptr;
+ const char* user_original;
+
+ const char* srv_original = (char*)pkt->data + RECORD_OFFSET;
+ mdnsMatchListCreate(srv_original, size-RECORD_OFFSET);
+ const char* end_srv_original = (char*)pkt->data + RECORD_OFFSET + data_size;
+ for (processed_ans = 0; processed_ans < ans_count && data_size <= size && size > 0;
processed_ans++ )
{
- /* Call Decode Reference pointer function if referenced value instead of direct value
- */
+ // Call Decode Reference pointer function if referenced value instead of direct value
user_name_len = 0;
int ret_value = ReferencePointer(srv_original, &resp_endptr, &start_index, data_size,
- &user_name_len, size, pConfig);
+ &user_name_len, size);
int user_index =0;
int user_printable_index =0;
}
user_name_len -=user_index;
- memcpy(user_name, srv_original+start_index, user_name_len);
+ memcpy(user_name, srv_original + start_index, user_name_len);
user_name[user_name_len] = '\0';
user_index =0;
mdns_service_mod.api->add_user(asd, user_name, APP_ID_MDNS, 1);
break;
}
- /* Find the length to Jump to the next response */
+ // Find the length to Jump to the next response
if ((resp_endptr + NEXT_MESSAGE_OFFSET ) < (srv_original + data_size))
{
- data_len_str = (uint8_t*)(resp_endptr+ LENGTH_OFFSET);
- data_len = (short)( data_len_str[0]<< SHIFT_BITS | ( data_len_str[1] ));
+ uint8_t* data_len_str = (uint8_t*)(resp_endptr+ LENGTH_OFFSET);
+ uint16_t data_len = (short)( data_len_str[0]<< SHIFT_BITS | ( data_len_str[1] ));
data_size = data_size - (resp_endptr + NEXT_MESSAGE_OFFSET + data_len -
srv_original);
/* Check if user name is available in the Domain Name field */
static int MDNS_validate(ServiceValidationArgs* args)
{
- ServiceMDNSData* fd;
int ret_val;
AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
Packet* pkt = args->pkt;
uint16_t size = args->size;
- fd = (ServiceMDNSData*)mdns_service_mod.api->data_get(asd, mdns_service_mod.flow_data_index);
+ ServiceMDNSData* fd = (ServiceMDNSData*)mdns_service_mod.api->data_get(asd, mdns_service_mod.flow_data_index);
if (!fd)
{
fd = (ServiceMDNSData*)snort_calloc(sizeof(ServiceMDNSData));
{
if (AppIdConfig::get_appid_config()->mod_config->mdns_user_reporting)
{
- MDNSUserAnalyser(asd, pkt, size, args->pConfig);
+ MDNSUserAnalyser(asd, pkt, size);
mdnsMatchListDestroy();
goto success;
}
(char*)patterns[i].pattern, patterns[i].length, &patterns[i]);
pMdnsConfig->mdnsMatcher->prep();
- AppIdConfig::get_appid_config()->add_generic_config_element(svc_element.name, pMdnsConfig);
+ AppidConfigElement::add_generic_config_element(svc_element.name, pMdnsConfig);
return 1;
}
static void mdnsMatcherDestroy()
{
MdnsConfig* pMdnsConfig =
- (MdnsConfig*)AppIdConfig::get_appid_config()->find_generic_config_element(svc_element.name);
+ (MdnsConfig*)AppidConfigElement::find_generic_config_element(svc_element.name);
MatchedPatterns* node;
if (pMdnsConfig->mdnsMatcher)
delete pMdnsConfig->mdnsMatcher;
snort_free(node);
}
snort_free(pMdnsConfig);
- AppIdConfig::get_appid_config()->remove_generic_config_element(svc_element.name);
+ AppidConfigElement::remove_generic_config_element(svc_element.name);
}
static int mdns_pattern_match(void* id, void*, int index, void* data, void*)
return 0;
}
-static unsigned mdnsMatchListCreate(const char* data, uint16_t dataSize, const
- AppIdConfig* pConfig)
+static unsigned mdnsMatchListCreate(const char* data, uint16_t dataSize)
{
- MdnsConfig* pMdnsConfig = (MdnsConfig*)((AppIdConfig*)pConfig)->find_generic_config_element(
- svc_element.name);
+ MdnsConfig* pMdnsConfig =
+ (MdnsConfig*)AppidConfigElement::find_generic_config_element(svc_element.name);
if (pMdnsConfig->patternList)
mdnsMatchListDestroy();
}
static void mdnsMatchListFind(const char* dataPtr, uint16_t index, const char** resp_endptr,
- int* pattern_length, const AppIdConfig* pConfig)
+ int* pattern_length)
{
- MdnsConfig* pMdnsConfig = (MdnsConfig*)((AppIdConfig*)pConfig)->find_generic_config_element(
- svc_element.name);
+ MdnsConfig* pMdnsConfig =
+ (MdnsConfig*)AppidConfigElement::find_generic_config_element(svc_element.name);
while (pMdnsConfig->patternList)
{
MatchedPatterns* element;
MdnsConfig* pMdnsConfig =
- (MdnsConfig*)AppIdConfig::get_appid_config()->find_generic_config_element(svc_element.name);
+ (MdnsConfig*)AppidConfigElement::find_generic_config_element(svc_element.name);
+
while (pMdnsConfig->patternList)
{
element = pMdnsConfig->patternList;
{
for ( unsigned i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++ )
{
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId);
+ DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId);
init_api->RegisterAppId(&svc_mysql_validate, appIdRegistry[i].appId,
appIdRegistry[i].additionalInfo);
}
init_api->RegisterPattern(&nbss_validate, IpProtocol::TCP, NB_SMB_BANNER,
sizeof(NB_SMB_BANNER), -1, "netbios");
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d for NetBIOS-ns\n",APP_ID_NETBIOS_NS);
+ DebugFormat(DEBUG_APPID,"registering appId: %d for NetBIOS-ns\n",APP_ID_NETBIOS_NS);
init_api->RegisterAppId(&nbns_validate, APP_ID_NETBIOS_NS, APPINFO_FLAG_SERVICE_UDP_REVERSED);
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d for NetBIOS-dgm\n",APP_ID_NETBIOS_DGM);
+ DebugFormat(DEBUG_APPID,"registering appId: %d for NetBIOS-dgm\n",APP_ID_NETBIOS_DGM);
init_api->RegisterAppId(&nbdgm_validate, APP_ID_NETBIOS_DGM, APPINFO_FLAG_SERVICE_ADDITIONAL);
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d for NetBIOS-ssn\n",APP_ID_NETBIOS_SSN);
+ DebugFormat(DEBUG_APPID,"registering appId: %d for NetBIOS-ssn\n",APP_ID_NETBIOS_SSN);
init_api->RegisterAppId(&nbss_validate, APP_ID_NETBIOS_SSN, APPINFO_FLAG_SERVICE_ADDITIONAL);
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",APP_ID_DCE_RPC);
+ DebugFormat(DEBUG_APPID,"registering appId: %d\n",APP_ID_DCE_RPC);
init_api->RegisterAppId(&nbss_validate, APP_ID_DCE_RPC, 0);
return 0;
unsigned i;
for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++)
{
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId);
+ DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId);
init_api->RegisterAppId(&rfb_validate, appIdRegistry[i].appId,
appIdRegistry[i].additionalInfo);
}
unsigned i;
for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++)
{
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId);
+ DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId);
init_api->RegisterAppId(&rlogin_validate, appIdRegistry[i].appId,
appIdRegistry[i].additionalInfo);
}
};
static int rpc_init(const InitServiceAPI* const init_api);
+static void rpc_clean();
static int rpc_validate(ServiceValidationArgs* args);
static int rpc_tcp_validate(ServiceValidationArgs* args);
nullptr,
nullptr,
0,
- nullptr,
+ &rpc_clean,
0
};
char* name;
};
-static RPCProgram* rpc_programs;
+static THREAD_LOCAL RPCProgram* rpc_programs;
static uint8_t rpc_reply_accepted_pattern[8] = { 0,0,0,1,0,0,0,0 };
static uint8_t rpc_reply_denied_pattern[8] = { 0,0,0,1,0,0,0,1 };
unsigned i;
for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++)
{
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId);
+ DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId);
init_api->RegisterAppId(&rpc_validate, appIdRegistry[i].appId,
appIdRegistry[i].additionalInfo);
}
return 0;
}
+static void rpc_clean()
+{
+ RPCProgram* rpc = rpc_programs;
+
+ while( rpc )
+ {
+ RPCProgram* toast = rpc;
+ rpc = rpc->next;
+
+ if (toast->name)
+ snort_free(toast->name);
+ snort_free(toast);
+ }
+}
+
static const RPCProgram* FindRPCProgram(uint32_t program)
{
RPCProgram* rpc;
- for (rpc=rpc_programs; rpc; rpc=rpc->next)
+ for (rpc = rpc_programs; rpc; rpc = rpc->next)
{
if (program == rpc->program)
break;
for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++)
{
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId);
+ DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId);
init_api->RegisterAppId(&rshell_validate, appIdRegistry[i].appId,
appIdRegistry[i].additionalInfo);
}
}
pf->scan_flags |= SCAN_HOST_PORT_FLAG;
PopulateExpectedFlow(asd, pf,
- APPID_SESSION_CONTINUE |
- APPID_SESSION_REXEC_STDERR |
- APPID_SESSION_NO_TPI |
- APPID_SESSION_SERVICE_DETECTED |
- APPID_SESSION_NOT_A_SERVICE |
+ APPID_SESSION_CONTINUE | APPID_SESSION_REXEC_STDERR | APPID_SESSION_NO_TPI |
+ APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_NOT_A_SERVICE |
APPID_SESSION_PORT_SERVICE_DONE);
pf->rnaServiceState = RNA_STATE_STATEFUL;
}
unsigned i;
for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++)
{
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId);
+ DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId);
init_api->RegisterAppId(&rsync_validate, appIdRegistry[i].appId,
appIdRegistry[i].additionalInfo);
}
unsigned i;
for (i = 0; i < (sizeof(appIdRegistry) / sizeof(*appIdRegistry)); i++)
{
- DebugFormat(DEBUG_INSPECTOR, "registering appId: %d\n", appIdRegistry[i].appId);
+ DebugFormat(DEBUG_APPID, "registering appId: %d\n", appIdRegistry[i].appId);
init_api->RegisterAppId(&rtmp_validate, appIdRegistry[i].appId,
appIdRegistry[i].additionalInfo);
}
asd->scan_flags |= SCAN_HTTP_HOST_URL_FLAG;
}
else
- {
snort_free(ss->swfUrl);
- }
+
ss->swfUrl = nullptr;
}
if (ss->pageUrl != nullptr)
asd->hsession->referer = ss->pageUrl;
else
snort_free(ss->pageUrl);
+
ss->pageUrl = nullptr;
}
rtmp_service_mod.api->add_service(asd, args->pkt, dir, &svc_element,
if (!ss)
{
ss = (ServiceSSHData*)snort_calloc(sizeof(ServiceSSHData));
- ssh_service_mod.api->data_add(asd, ss,
- ssh_service_mod.flow_data_index, &ssh_free_state);
+ ssh_service_mod.api->data_add(asd, ss, ssh_service_mod.flow_data_index, &ssh_free_state);
ss->state = SSH_STATE_BANNER;
ss->hstate = SSH_HEADER_BEGIN;
ss->oldhstate = OLD_SSH_HEADER_BEGIN;
#include <netinet/in.h>
#include <openssl/x509.h>
+#include "appid_module.h"
+#include "app_info_table.h"
#include "appid_session.h"
#include "service_config.h"
#include "service_base.h"
#include "service_ssl.h"
-#include "fw_appid.h"
-#include "appid_module.h"
#include "main/snort_debug.h"
#include "utils/util.h"
snort_free(hsession);
}
-int AppIdSession::processHTTPPacket(int)
+int AppIdSession::process_http_packet(int)
{
return 0;
}
}
#endif
-void ThirdPartyAppIDInit(AppIdModuleConfig* appidStaticConfig)
+void ThirdPartyAppIDInit(AppIdModuleConfig* config)
{
- const char* thirdparty_appid_dir = appidStaticConfig->thirdparty_appid_dir;
+ const char* thirdparty_appid_dir = config->thirdparty_appid_dir;
int ret;
struct ThirdPartyUtils thirdpartyUtils;
}
memset(&thirdpartyConfig, 0, sizeof(thirdpartyConfig));
- thirdpartyConfig.chp_body_collection_max = appidStaticConfig->chp_body_collection_max;
- thirdpartyConfig.ftp_userid_disabled = appidStaticConfig->ftp_userid_disabled;
+ thirdpartyConfig.chp_body_collection_max = config->chp_body_collection_max;
+ thirdpartyConfig.ftp_userid_disabled = config->ftp_userid_disabled;
thirdpartyConfig.chp_body_collection_disabled =
- appidStaticConfig->chp_body_collection_disabled;
- thirdpartyConfig.tp_allow_probes = appidStaticConfig->tp_allow_probes;
- if (appidStaticConfig->http2_detection_enabled)
+ config->chp_body_collection_disabled;
+ thirdpartyConfig.tp_allow_probes = config->tp_allow_probes;
+ if (config->http2_detection_enabled)
thirdpartyConfig.http_upgrade_reporting_enabled = 1;
else
thirdpartyConfig.http_upgrade_reporting_enabled = 0;
projects / thirdparty / snort3.git / commitdiff
