set ( UTIL_APPID_SOURCES
appid_utils/fw_avltree.cc
appid_utils/fw_avltree.h
- appid_utils/ip_funcs.cc
appid_utils/ip_funcs.h
- appid_utils/network_set.cc
- appid_utils/network_set.h
appid_utils/sf_mlmp.cc
appid_utils/sf_mlmp.h
appid_utils/sf_multi_mpse.cc
#include "appid_discovery.h"
#include "appid_http_session.h"
#include "appid_session.h"
-#ifdef USE_RNA_CONFIG
-#include "appid_utils/network_set.h"
-#include "appid_utils/ip_funcs.h"
-#endif
#include "detector_plugins/detector_pattern.h"
#include "host_port_app_cache.h"
#include "main/snort_config.h"
AppIdModuleConfig::~AppIdModuleConfig()
{
-#ifdef USE_RNA_CONFIG
- snort_free((void*)conf_file);
-#endif
snort_free((void*)app_detector_dir);
}
std::array<AppId, APP_ID_PORT_ARRAY_SIZE> AppIdConfig::udp_port_only = {APP_ID_NONE};
std::array<AppId, 256> AppIdConfig::ip_protocol = {APP_ID_NONE};
-
-AppIdConfig::AppIdConfig(AppIdModuleConfig* config)
- : mod_config(config)
-{
-#ifdef USE_RNA_CONFIG
- for ( unsigned i = 0; i < MAX_ZONES; i++ )
- net_list_by_zone[ i ] = nullptr;
-#endif
-
- for ( unsigned i = 0; i < APP_ID_PORT_ARRAY_SIZE; i++ )
- {
- tcp_port_exclusions_src[ i ] = nullptr;
- udp_port_exclusions_src[ i ] = nullptr;
- tcp_port_exclusions_dst[ i ] = nullptr;
- udp_port_exclusions_dst[ i ] = nullptr;
- }
-}
-
-AppIdConfig::~AppIdConfig()
-{
- cleanup();
-}
-
// FIXIT-M: RELOAD - Move app info table cleanup back to AppId config destructor - cleanup()
void AppIdConfig::pterm()
{
globfree(&globs);
}
-#ifdef USE_RNA_CONFIG
-void AppIdConfig::configure_analysis_networks(char* toklist[], uint32_t flag)
-{
- NetworkSet* my_net_list;
- RNAIpv6AddrSet* ias6;
- char* p;
-
- if (toklist[0])
- {
- if (strchr(toklist[0], ':'))
- {
- ias6 = ParseIpv6Cidr(toklist[0]);
- if (ias6)
- {
- NSIPv6Addr six;
- char min_ip[INET6_ADDRSTRLEN];
- char max_ip[INET6_ADDRSTRLEN];
- int zone;
-
- if (toklist[1])
- {
- long tmp = strtol(toklist[1], &p, 10);
-
- if (!*toklist[1] || *p != 0 || tmp >= MAX_ZONES || tmp < -1)
- {
- ErrorMessage("Invalid Analyze: %s '%s'", toklist[0], toklist[1]);
- zone = -1;
- }
- else
- zone = (int)tmp;
- }
- else
- zone = -1;
- ias6->addr_flags |= flag;
- six = ias6->range_min;
- NetworkSetManager::ntoh_ipv6(&six);
- inet_ntop(AF_INET6, (struct in6_addr*)&six, min_ip, sizeof(min_ip));
- six = ias6->range_max;
- NetworkSetManager::ntoh_ipv6(&six);
- inet_ntop(AF_INET6, (struct in6_addr*)&six, max_ip, sizeof(max_ip));
- if (zone >= 0)
- {
- if (!(my_net_list = net_list_by_zone[zone]))
- {
- if (NetworkSetManager::create(&my_net_list))
- ErrorMessage("%s", "Failed to create a network set");
- else
- {
- my_net_list->next = net_list_list;
- net_list_list = my_net_list;
- }
- net_list_by_zone[zone] = my_net_list;
- }
- }
- else
- my_net_list = net_list;
- if (my_net_list && NetworkSetManager::add_cidr_block6_ex(my_net_list,
- &ias6->range_min, ias6->netmask, ias6->addr_flags & IPFUNCS_EXCEPT_IP, 0,
- ias6->addr_flags & (~IPFUNCS_EXCEPT_IP)))
- {
- ErrorMessage(
- "Failed to add an IP address set to the list of monitored networks");
- }
- snort_free(ias6);
- }
- else
- ErrorMessage("Invalid analysis parameter: %s", toklist[0]);
- }
- else
- {
- RNAIpAddrSet* ias = ParseIpCidr(toklist[0], app_id_netmasks);
-
- if (ias)
- {
- int zone;
-
- if (toklist[1])
- {
- unsigned long tmp = strtol(toklist[1], &p, 10);
-
- if (!*toklist[1] || *p != 0 || tmp >= MAX_ZONES || tmp < -1)
- {
- ErrorMessage("Invalid Analyze: %s '%s'", toklist[0], toklist[1]);
- zone = -1;
- }
- else
- zone = (int)tmp;
- }
- else
- zone = -1;
- ias->addr_flags |= flag;
- if (zone >= 0)
- {
- if (!(my_net_list = net_list_by_zone[zone]))
- {
- if (NetworkSetManager::create(&my_net_list))
- ErrorMessage("%s", "Failed to create a network set");
- else
- {
- my_net_list->next = net_list_list;
- net_list_list = my_net_list;
- }
- net_list_by_zone[zone] = my_net_list;
- }
- }
- else
- my_net_list = net_list;
- if (my_net_list && NetworkSetManager::add_cidr_block_ex(my_net_list,
- ias->range_min,
- ias->netmask,
- ias->addr_flags & IPFUNCS_EXCEPT_IP, 0,
- ias->addr_flags & (~IPFUNCS_EXCEPT_IP)))
- {
- ErrorMessage(
- "Failed to add an IP address set to the list of monitored networks");
- }
- snort_free(ias);
- }
- else
- ErrorMessage("Invalid analysis parameter: %s", toklist[0]);
- }
- }
-}
-
-int AppIdConfig::add_port_exclusion(AppIdPortExclusions& port_exclusions, const
- ip::snort_in6_addr* ip,
- const ip::snort_in6_addr* netmask, int family, uint16_t port)
-{
- SF_LIST* pe_list;
-
- PortExclusion* port_ex = (PortExclusion*)snort_calloc(sizeof(PortExclusion));
- port_ex->ip = *ip;
- if (family == AF_INET)
- {
- port_ex->netmask.u6_addr32[0] = port_ex->netmask.u6_addr32[1] =
- port_ex->netmask.u6_addr32[2] = ~0;
- port_ex->netmask.u6_addr32[3] = netmask->u6_addr32[3];
- }
- else
- port_ex->netmask = *netmask;
-
- if ((pe_list = port_exclusions[port]) == nullptr)
- {
- pe_list = port_exclusions[port] = sflist_new();
- if (pe_list == nullptr)
- {
- snort_free(port_ex);
- ErrorMessage("Config: Failed to allocate memory for port exclusion list");
- return -1;
- }
- }
-
- /* add this PortExclusion to the sflist for this port */
- sflist_add_tail(pe_list, port_ex);
- return 0;
-}
-
-void AppIdConfig::process_port_exclusion(char* toklist[])
-{
- int i = 1;
- char* p;
- RNAIpv6AddrSet* ias6;
- IpProtocol proto;
- unsigned long dir;
- unsigned long port;
- ip::snort_in6_addr ip;
- ip::snort_in6_addr netmask;
- int family;
-
- if (!toklist[i])
- {
- ErrorMessage("Config: Port exclusion direction omitted");
- return;
- }
-
- if (strcasecmp(toklist[i], "dst") == 0)
- dir = 2;
- else if (strcasecmp(toklist[i], "src") == 0)
- dir = 1;
- else if (strcasecmp(toklist[i], "both") == 0)
- dir = 3;
- else
- {
- ErrorMessage("Config: Invalid port exclusion direction specified");
- return;
- }
-
- i++;
- if (!toklist[i])
- {
- ErrorMessage("Config: Port exclusion protocol omitted");
- return;
- }
-
- if (strcasecmp(toklist[i], "tcp") == 0)
- proto = IpProtocol::TCP;
- else if (strcasecmp(toklist[i], "udp") == 0)
- proto = IpProtocol::UDP;
- else
- {
- ErrorMessage("Config: Invalid port exclusion protocol specified");
- return;
- }
-
- i++;
- if (!toklist[i])
- {
- ErrorMessage("Config: Port exclusion port omitted");
- return;
- }
-
- port = strtoul(toklist[i], &p, 10);
- if (!*toklist[i] || *p || port >= APP_ID_PORT_ARRAY_SIZE)
- {
- ErrorMessage("Config: Invalid port exclusion port specified");
- return;
- }
-
- i++;
- if (!toklist[i])
- {
- ErrorMessage("Config: Port exclusion address omitted");
- return;
- }
-
- if (strchr(toklist[i], ':'))
- {
- ias6 = ParseIpv6Cidr(toklist[i]);
- if (!ias6 || ias6->addr_flags)
- {
- if (ias6)
- snort_free(ias6);
- ErrorMessage("Config: Invalid port exclusion address specified");
- return;
- }
- NetworkSetManager::hton_swap_ipv6(&ias6->range_min, &ip);
- NetworkSetManager::hton_swap_ipv6(&ias6->netmask_mask, &netmask);
- family = AF_INET6;
- snort_free(ias6);
- }
- else
- {
- RNAIpAddrSet* ias = ParseIpCidr(toklist[i], app_id_netmasks);
- if (!ias || ias->addr_flags)
- {
- if (ias)
- snort_free(ias);
- ErrorMessage("Config: Invalid port exclusion address specified");
- return;
- }
- family = AF_INET;
- copyIpv4ToIpv6Network(&ip, htonl(ias->range_min));
- copyIpv4ToIpv6Network(&netmask, htonl(ias->netmask_mask));
- snort_free(ias);
- }
-
- if (dir & 1)
- {
- if (proto == IpProtocol::TCP)
- add_port_exclusion(tcp_port_exclusions_src, &ip, &netmask, family, (uint16_t)port);
- else
- add_port_exclusion(udp_port_exclusions_src, &ip, &netmask, family, (uint16_t)port);
- }
-
- if (dir & 2)
- {
- if (proto == IpProtocol::TCP)
- add_port_exclusion(tcp_port_exclusions_dst, &ip, &netmask, family, (uint16_t)port);
- else
- add_port_exclusion(udp_port_exclusions_dst, &ip, &netmask, family, (uint16_t)port);
- }
-}
-
-void AppIdConfig::process_config_directive(char* toklist[], int /* reload */)
-{
- char* curtok;
- int i;
-
- /* the first tok is "config" or we wouldn't be here now */
- i = 1;
- curtok = toklist[i];
- i++;
-
- if (!strcasecmp(curtok, "Analyze"))
- {
- configure_analysis_networks(&toklist[i], IPFUNCS_HOSTS_IP | IPFUNCS_APPLICATION);
- }
- else if (!strcasecmp(curtok, "AnalyzeHost"))
- {
- configure_analysis_networks(&toklist[i], IPFUNCS_HOSTS_IP | IPFUNCS_APPLICATION);
- }
- else if (!strcasecmp(curtok, "AnalyzeUser"))
- {
- configure_analysis_networks(&toklist[i], IPFUNCS_USER_IP | IPFUNCS_APPLICATION);
- }
- else if (!strcasecmp(curtok, "AnalyzeHostUser"))
- {
- configure_analysis_networks(&toklist[i],
- IPFUNCS_HOSTS_IP | IPFUNCS_USER_IP | IPFUNCS_APPLICATION);
- }
- else if (!strcasecmp(curtok, "AnalyzeApplication"))
- {
- configure_analysis_networks(&toklist[i], IPFUNCS_APPLICATION);
- }
-}
-
-static int strip(char* data)
-{
- int size;
- char* idx;
-
- idx = data;
- size = 0;
-
- while (*idx)
- {
- if ((*idx == '\n') || (*idx == '\r'))
- {
- *idx = 0;
- break;
- }
- if (*idx == '\t')
- {
- *idx = ' ';
- }
- size++;
- idx++;
- }
-
- return size;
-}
-
-#define MAX_TOKS 256
-static int tokenize(char* data, char* toklist[])
-{
- char** ap;
- int argcount = 0;
- int i = 0;
- int drop_further = 0;
-
- for (ap = (char**)toklist; ap < &toklist[MAX_TOKS] && (*ap = strsep(&data, " ")) != nullptr; )
- {
- if (**ap != '\0')
- {
- ap++;
- argcount++;
- }
- }
-
- *ap = nullptr;
-
- /* scan for comments */
- while (i < argcount)
- {
- char* tok = toklist[i];
-
- if (tok[0] == '#' && !drop_further)
- {
- argcount = i;
- drop_further = 1;
- }
-
- if (drop_further)
- {
- toklist[i] = nullptr;
- }
-
- i++;
- }
-
- return argcount;
-}
-
-int AppIdConfig::load_analysis_config(const char* config_file, int reload, int instance_id)
-{
- char linebuffer[MAX_LINE];
- char* toklist[MAX_TOKS];
- NetworkSet* my_net_list;
-
- if (NetworkSetManager::create(&net_list))
- FatalError("Failed to allocate a network set");
- net_list_list = net_list;
-
- if (!config_file || (!config_file[0]))
- {
- char addrString[sizeof("0.0.0.0/0")];
- toklist[1] = nullptr;
- toklist[0] = addrString;
- strcpy(addrString,"0.0.0.0/0");
- configure_analysis_networks(toklist, IPFUNCS_HOSTS_IP | IPFUNCS_USER_IP |
- IPFUNCS_APPLICATION);
- strcpy(addrString,"::/0");
- configure_analysis_networks(toklist, IPFUNCS_HOSTS_IP | IPFUNCS_USER_IP |
- IPFUNCS_APPLICATION);
- toklist[0] = nullptr;
- }
- else
- {
- FILE* fp;
-
- if (!(fp = fopen(config_file, "r")))
- {
- ErrorMessage("Unable to open %s", config_file);
- return -1;
- }
- unsigned line = 0;
-
- while (fgets(linebuffer, MAX_LINE, fp) != nullptr)
- {
- line++;
- strip(linebuffer);
- char* cptr = linebuffer;
-
- while (isspace((int)*cptr))
- cptr++;
-
- if (*cptr && (*cptr != '#') && (*cptr != 0x0a))
- {
- memset(toklist, 0, sizeof(toklist));
-
- if (tokenize(cptr, toklist) < 2)
- {
- fclose(fp);
- ErrorMessage("Invalid configuration file line %u", line);
- return -1;
- }
- if (!(strcasecmp(toklist[0], "config")))
- process_config_directive(toklist, reload);
- else if (!(strcasecmp(toklist[0], "portexclusion")))
- process_port_exclusion(toklist);
- }
- }
-
- fclose(fp);
- }
-
- if (instance_id)
- {
- char* instance_toklist[2];
- char addrString[sizeof("0.0.0.0/0")];
- instance_toklist[0] = addrString;
- instance_toklist[1] = nullptr;
- strcpy(addrString,"0.0.0.0/0");
- configure_analysis_networks(instance_toklist, IPFUNCS_APPLICATION);
- strcpy(addrString,"::/0");
- configure_analysis_networks(instance_toklist, IPFUNCS_APPLICATION);
- }
-
- for (my_net_list = net_list_list; my_net_list; my_net_list = net_list->next)
- {
- if (my_net_list != net_list)
- {
- if (NetworkSetManager::add_set(my_net_list, net_list))
- ErrorMessage("Failed to add any network list to a zone network list");
- }
- }
- net_list_count = 0;
- for (my_net_list = net_list_list; my_net_list; my_net_list = net_list->next)
- {
- if (NetworkSetManager::reduce(my_net_list))
- ErrorMessage("Failed to reduce the IP address sets");
- net_list_count += NetworkSetManager::count_ex(my_net_list) + NetworkSetManager::count6_ex(
- my_net_list);
- }
-
- return 0;
-}
-
-#endif
-
-void AppIdConfig::set_safe_search_enforcement(bool enabled)
-{
- mod_config->safe_search_enabled = enabled;
-}
-
bool AppIdConfig::init_appid(SnortConfig* sc)
{
// FIXIT-M: RELOAD - Get rid of "once" flag
read_port_detectors(CUSTOM_PORT_DETECTORS);
once = true;
}
-#ifdef USE_RNA_CONFIG
- load_analysis_config(mod_config->conf_file, 0, mod_config->instance_id);
-#endif
#ifdef ENABLE_APPID_THIRD_PARTY
TPLibHandler::pinit(mod_config);
return true;
}
-static void free_port_exclusion_list(AppIdPortExclusions& pe_list)
-{
- for ( unsigned i = 0; i < APP_ID_PORT_ARRAY_SIZE; i++ )
- {
- if ( pe_list[i] != nullptr )
- {
- sflist_free_all(pe_list[i], &snort_free);
- pe_list[i] = nullptr;
- }
- }
-}
-
-void AppIdConfig::cleanup()
-{
-#ifdef USE_RNA_CONFIG
- NetworkSet* net_list; ///< list of network sets
- while ((net_list = net_list_list))
- {
- net_list_list = net_list->next;
- NetworkSetManager::destroy(net_list);
- }
-#endif
-
- free_port_exclusion_list(tcp_port_exclusions_src);
- free_port_exclusion_list(tcp_port_exclusions_dst);
- free_port_exclusion_list(udp_port_exclusions_src);
- free_port_exclusion_list(udp_port_exclusions_dst);
-}
-
AppId AppIdConfig::get_port_service_id(IpProtocol proto, uint16_t port)
{
AppId appId;
return ip_protocol[(uint16_t)proto];
}
-static void display_port_exclusion_list(SF_LIST* pe_list, uint16_t port)
-{
- char inet_buffer[INET6_ADDRSTRLEN];
- char inet_buffer2[INET6_ADDRSTRLEN];
- PortExclusion* pe;
- SF_LNODE* lnext;
-
- if (!pe_list)
- return;
-
- for (pe = (PortExclusion*)sflist_first(pe_list, &lnext);
- pe;
- pe = (PortExclusion*)sflist_next(&lnext))
- {
- const char* p = inet_ntop(pe->family, &pe->ip, inet_buffer, sizeof(inet_buffer));
- const char* p2 = inet_ntop(pe->family, &pe->netmask, inet_buffer2, sizeof(inet_buffer2));
- LogMessage(" %d on %s/%s\n", port, p ? p : "ERROR", p2 ? p2 : "ERROR");
- }
-}
-
void AppIdConfig::show()
{
- unsigned i;
-
if (!mod_config->tp_appid_path.empty())
LogMessage(" 3rd Party Dir: %s\n", mod_config->tp_appid_path.c_str());
-
-#ifdef USE_RNA_CONFIG
- struct in_addr ia;
- NSIPv6Addr six;
- char inet_buffer[INET6_ADDRSTRLEN];
- char inet_buffer2[INET6_ADDRSTRLEN];
- const char* p;
- const char* p2;
-
- LogMessage(" Monitoring Networks for any zone:\n");
- for (i = 0; i < net_list->count; i++)
- {
- ia.s_addr = htonl(net_list->pnetwork[i]->range_min);
- p = inet_ntop(AF_INET, &ia, inet_buffer, sizeof(inet_buffer));
- ia.s_addr = htonl(net_list->pnetwork[i]->range_max);
- p2 = inet_ntop(AF_INET, &ia, inet_buffer2, sizeof(inet_buffer2));
- LogMessage(" %s%s-%s %04X\n", (net_list->pnetwork[i]->info.ip_not) ? "!" : "",
- p ?
- p : "ERROR",
- p2 ? p2 : "ERROR", net_list->pnetwork[i]->info.type);
- }
- for (i = 0; i < net_list->count6; i++)
- {
- six = net_list->pnetwork6[i]->range_min;
- NetworkSetManager::ntoh_ipv6(&six);
- p = inet_ntop(AF_INET6, (struct in6_addr*)&six, inet_buffer, sizeof(inet_buffer));
- six = net_list->pnetwork6[i]->range_max;
- NetworkSetManager::ntoh_ipv6(&six);
- p2 = inet_ntop(AF_INET6, (struct in6_addr*)&six, inet_buffer2, sizeof(inet_buffer2));
- LogMessage(" %s%s-%s %04X\n", (net_list->pnetwork6[i]->info.ip_not) ? "!" : "",
- p ?
- p : "ERROR",
- p2 ? p2 : "ERROR", net_list->pnetwork6[i]->info.type);
- }
-
- for (int j = 0; j < MAX_ZONES; j++)
- {
- if (!(net_list = net_list_by_zone[j]))
- continue;
- LogMessage(" Monitoring Networks for zone %d:\n", j);
- for (i = 0; i < net_list->count; i++)
- {
- ia.s_addr = htonl(net_list->pnetwork[i]->range_min);
- p = inet_ntop(AF_INET, &ia, inet_buffer, sizeof(inet_buffer));
- ia.s_addr = htonl(net_list->pnetwork[i]->range_max);
- p2 = inet_ntop(AF_INET, &ia, inet_buffer2, sizeof(inet_buffer2));
- LogMessage(" %s%s-%s %04X\n", (net_list->pnetwork[i]->info.ip_not) ? "!" :
- "",
- p ? p : "ERROR",
- p2 ? p2 : "ERROR", net_list->pnetwork[i]->info.type);
- }
- for (i = 0; i < net_list->count6; i++)
- {
- six = net_list->pnetwork6[i]->range_min;
- NetworkSetManager::ntoh_ipv6(&six);
- p = inet_ntop(AF_INET6, (struct in6_addr*)&six, inet_buffer, sizeof(inet_buffer));
- six = net_list->pnetwork6[i]->range_max;
- NetworkSetManager::ntoh_ipv6(&six);
- p2 = inet_ntop(AF_INET6, (struct in6_addr*)&six, inet_buffer2, sizeof(inet_buffer2));
- LogMessage(" %s%s-%s %04X\n", (net_list->pnetwork6[i]->info.ip_not) ? "!" :
- "",
- p ? p : "ERROR",
- p2 ? p2 : "ERROR", net_list->pnetwork6[i]->info.type);
- }
- }
-#endif
-
- LogMessage(" Excluded TCP Ports for Src:\n");
- for (i = 0; i < APP_ID_PORT_ARRAY_SIZE; i++)
- display_port_exclusion_list(tcp_port_exclusions_src[i], i);
-
- LogMessage(" Excluded TCP Ports for Dst:\n");
- for (i = 0; i < APP_ID_PORT_ARRAY_SIZE; i++)
- display_port_exclusion_list(tcp_port_exclusions_dst[i], i);
-
- LogMessage(" Excluded UDP Ports Src:\n");
- for (i = 0; i < APP_ID_PORT_ARRAY_SIZE; i++)
- display_port_exclusion_list(udp_port_exclusions_src[i], i);
-
- LogMessage(" Excluded UDP Ports Dst:\n");
- for (i = 0; i < APP_ID_PORT_ARRAY_SIZE; i++)
- display_port_exclusion_list(udp_port_exclusions_dst[i], i);
}
void AppIdConfig::display_port_config()
AppIdModuleConfig() = default;
~AppIdModuleConfig();
-#ifdef USE_RNA_CONFIG
- const char* conf_file = nullptr;
-#endif
// FIXIT-L: DECRYPT_DEBUG - Move this to ssl-module
#ifdef REG_TEST
// To manually restart appid detection for an SSL-decrypted flow (single session only),
class AppIdConfig
{
public:
- AppIdConfig(AppIdModuleConfig*);
- ~AppIdConfig();
+ AppIdConfig(AppIdModuleConfig* config) : mod_config(config)
+ { }
bool init_appid(snort::SnortConfig*);
static void pterm();
- void cleanup();
void show();
- void set_safe_search_enforcement(bool enabled);
AppId get_port_service_id(IpProtocol, uint16_t port);
AppId get_protocol_service_id(IpProtocol);
unsigned max_service_info = 0;
-#ifdef USE_RNA_CONFIG
- unsigned net_list_count = 0;
- NetworkSet* net_list_list = nullptr;
- NetworkSet* net_list = nullptr;
- std::array<NetworkSet*, MAX_ZONES> net_list_by_zone;
-#endif
//FIXIT-L remove static when reload is supported (once flag removed)
static std::array<AppId, APP_ID_PORT_ARRAY_SIZE> tcp_port_only; // port-only TCP services
SF_LIST client_app_args; // List of Client App arguments
// for each potential port, an sflist of PortExclusion structs
- AppIdPortExclusions tcp_port_exclusions_src;
- AppIdPortExclusions udp_port_exclusions_src;
- AppIdPortExclusions tcp_port_exclusions_dst;
- AppIdPortExclusions udp_port_exclusions_dst;
AppIdModuleConfig* mod_config = nullptr;
unsigned appIdPolicyId = 53;
private:
void read_port_detectors(const char* files);
- void configure_analysis_networks(char* toklist[], uint32_t flag);
- int add_port_exclusion(AppIdPortExclusions&, const snort::ip::snort_in6_addr* ip,
- const snort::ip::snort_in6_addr* netmask, int family, uint16_t port);
- void process_port_exclusion(char* toklist[]);
- void process_config_directive(char* toklist[], int /* reload */);
- int load_analysis_config(const char* config_file, int reload, int instance_id);
void display_port_config();
// FIXIT-M: RELOAD - Remove static, once app_info_mgr cleanup is
// removed from AppIdConfig::pterm
#include "appid_inspector.h"
#include "appid_session.h"
#include "appid_utils/ip_funcs.h"
-#include "appid_utils/network_set.h"
#include "client_plugins/client_discovery.h"
#include "detector_plugins/detector_dns.h"
#include "detector_plugins/http_url_patterns.h"
}
}
-static inline int match_pe_network(const SfIp* pktAddr, const PortExclusion* pe)
-{
- const uint32_t* pkt = pktAddr->get_ip6_ptr();
- const uint32_t* nm = pe->netmask.u6_addr32;
- const uint32_t* peIP = pe->ip.u6_addr32;
- return (((pkt[0] & nm[0]) == peIP[0])
- && ((pkt[1] & nm[1]) == peIP[1])
- && ((pkt[2] & nm[2]) == peIP[2])
- && ((pkt[3] & nm[3]) == peIP[3]));
-}
-
-static inline int check_port_exclusion(const Packet* pkt, bool reversed, AppIdInspector& inspector)
-{
- AppIdPortExclusions* src_port_exclusions;
- AppIdPortExclusions* dst_port_exclusions;
- SF_LIST* pe_list;
- PortExclusion* pe;
- const SfIp* s_ip;
- AppIdConfig* config = inspector.get_appid_config();
-
- if ( pkt->is_tcp() )
- {
- src_port_exclusions = &config->tcp_port_exclusions_src;
- dst_port_exclusions = &config->tcp_port_exclusions_dst;
- }
- else if ( pkt->is_udp() )
- {
- src_port_exclusions = &config->udp_port_exclusions_src;
- dst_port_exclusions = &config->udp_port_exclusions_dst;
- }
- else
- return 0;
-
- /* check the source port */
- uint16_t port = reversed ? pkt->ptrs.dp : pkt->ptrs.sp;
- if ( port && (pe_list = (*src_port_exclusions)[port]) != nullptr )
- {
- s_ip = reversed ? pkt->ptrs.ip_api.get_dst() : pkt->ptrs.ip_api.get_src();
-
- SF_LNODE* node;
-
- /* walk through the list of port exclusions for this port */
- for ( pe = (PortExclusion*)sflist_first(pe_list, &node);
- pe;
- pe = (PortExclusion*)sflist_next(&node) )
- {
- if ( match_pe_network(s_ip, pe))
- return 1;
- }
- }
-
- /* check the dest port */
- port = reversed ? pkt->ptrs.sp : pkt->ptrs.dp;
- if ( port && (pe_list = (*dst_port_exclusions)[port]) != nullptr )
- {
- s_ip = reversed ? pkt->ptrs.ip_api.get_src() : pkt->ptrs.ip_api.get_dst();
-
- SF_LNODE* node;
- /* walk through the list of port exclusions for this port */
- for ( pe = (PortExclusion*)sflist_first(pe_list, &node);
- pe;
- pe = (PortExclusion*)sflist_next(&node) )
- {
- if ( match_pe_network(s_ip, pe))
- return 1;
- }
- }
-
- return 0;
-}
-
static inline unsigned get_ipfuncs_flags(const Packet* p, bool dst)
{
const SfIp* sf_ip;
- unsigned flags;
- int32_t zone;
-#ifdef USE_RNA_CONFIG
- NSIPv6Addr ip6;
- NetworkSet* net_list;
- AppIdConfig* config = AppIdInspector::get_inspector()->get_appid_config();
-#endif
if (!dst)
{
- zone = p->pkth->ingress_group;
sf_ip = p->ptrs.ip_api.get_src();
}
else
{
- zone = (p->pkth->egress_index == DAQ_PKTHDR_UNKNOWN) ?
+ int32_t zone = (p->pkth->egress_index == DAQ_PKTHDR_UNKNOWN) ?
p->pkth->ingress_group : p->pkth->egress_group;
if (zone == DAQ_PKTHDR_FLOOD)
return 0;
sf_ip = p->ptrs.ip_api.get_dst();
}
-#ifdef USE_RNA_CONFIG
- if (zone >= 0 && zone < MAX_ZONES && config->net_list_by_zone[zone])
- net_list = config->net_list_by_zone[zone];
- else
- net_list = config->net_list;
-
- if ( sf_ip->is_ip4() )
- {
- if (sf_ip->get_ip4_value() == 0xFFFFFFFF)
- return IPFUNCS_CHECKED;
- NetworkSetManager::contains_ex(net_list, ntohl(sf_ip->get_ip4_value()), &flags);
- }
- else
- {
- memcpy(&ip6, sf_ip->get_ip6_ptr(), sizeof(ip6));
- NetworkSetManager::ntoh_ipv6(&ip6);
- NetworkSetManager::contains6_ex(net_list, &ip6, &flags);
- }
-#else
- UNUSED(zone);
if (sf_ip->is_ip4() && sf_ip->get_ip4_value() == 0xFFFFFFFF)
return IPFUNCS_CHECKED;
- // FIXIT-M Defaulting to checking everything everywhere until RNA config is reimplemented
- flags = IPFUNCS_HOSTS_IP | IPFUNCS_USER_IP | IPFUNCS_APPLICATION;
-#endif
- return flags | IPFUNCS_CHECKED;
+ // FIXIT-M Defaulting to checking everything everywhere until RNA config is reimplemented
+ return IPFUNCS_HOSTS_IP | IPFUNCS_USER_IP | IPFUNCS_APPLICATION | IPFUNCS_CHECKED;
}
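Review bot: The FIXIT-M comment on the new return line should state the security consequence, not just the implementation gap: with the per-zone network lookup removed, `get_ipfuncs_flags` returns `IPFUNCS_HOSTS_IP | IPFUNCS_USER_IP | IPFUNCS_APPLICATION | IPFUNCS_CHECKED` for every address except the IPv4 broadcast address, so every host on every zone is now subject to host, user and application discovery and the restriction operators could express through the old `Analyze*` directives no longer exists. I would replace the comment with `// FIXIT-M RNA analysis networks were removed: every non-broadcast address is treated as fully monitored on all zones; re-add a configurable network/zone filter before this is relied on to limit discovery scope.` The `zone` value is now computed only on the destination side and only to reject `DAQ_PKTHDR_FLOOD`, which deserves a one-line comment too, since before this change the source side's `ingress_group` also fed the lookup and a reader may expect it to still matter.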
static inline bool is_special_session_monitored(const Packet* p)
static bool is_packet_ignored(AppIdSession* asd, Packet* p, AppidSessionDirection direction)
{
-#ifdef REMOVED_WHILE_NOT_IN_USE
- bool is_http2 = false; // FIXIT-M _dpd.streamAPI->is_session_http2(p->flow);
-
- if (is_http2)
- {
- if (asd)
- asd->is_http2 = true;
- if ( !p->is_rebuilt() )
- {
- // For HTTP/2, only examine packets that have been rebuilt as HTTP/1 packets.
- appid_stats.ignored_packets++;
- return true;
- }
- }
- else
-#endif
if ( p->is_rebuilt() && !p->flow->is_proxied() )
{
// FIXIT-M: In snort2x, a rebuilt packet was ignored whether it had a session or not.
return false;
}
-static uint64_t is_session_monitored(const AppIdSession& asd, const Packet* p, AppidSessionDirection dir,
- AppIdInspector& inspector)
+static uint64_t is_session_monitored(const AppIdSession& asd, const Packet* p, AppidSessionDirection dir)
{
uint64_t flags;
uint64_t flow_flags = APPID_SESSION_DISCOVER_APP;
// accordingly
if ( asd.common.policyId != asd.config->appIdPolicyId )
{
- if ( check_port_exclusion(p, dir == APP_ID_FROM_RESPONDER, inspector) )
- {
- flow_flags |= APPID_SESSION_INITIATOR_CHECKED | APPID_SESSION_RESPONDER_CHECKED;
- flow_flags &= ~(APPID_SESSION_INITIATOR_MONITORED |
- APPID_SESSION_RESPONDER_MONITORED);
- return flow_flags;
- }
if (dir == APP_ID_FROM_INITIATOR)
{
if (asd.get_session_flags(APPID_SESSION_INITIATOR_CHECKED))
return flow_flags;
}
-static uint64_t is_session_monitored(const Packet* p, AppidSessionDirection dir,
- AppIdInspector& inspector)
+static uint64_t is_session_monitored(const Packet* p, AppidSessionDirection dir)
{
uint64_t flags;
uint64_t flow_flags = APPID_SESSION_DISCOVER_APP;
- if ( check_port_exclusion(p, false, inspector) )
- {
- flow_flags |= APPID_SESSION_INITIATOR_CHECKED | APPID_SESSION_RESPONDER_CHECKED;
- }
- else if (dir == APP_ID_FROM_INITIATOR)
+ if (dir == APP_ID_FROM_INITIATOR)
{
flags = get_ipfuncs_flags(p, false);
flow_flags |= APPID_SESSION_INITIATOR_CHECKED;
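Review bot: Dropping `check_port_exclusion` here silently widens what AppId inspects: the removed branch skipped the network lookup for flows matching a configured `portexclusion`, whereas the new code falls straight into `get_ipfuncs_flags`, which in the same commit now reports every non-broadcast address as fully monitored. Operators who used port exclusions to keep sensitive or high-volume services out of application discovery lose that control with no configuration error to tell them, and the deleted `AppIdPortExclusions` lookups were the only per-port filter on this path that I can see. At minimum the call site should carry a comment such as `// FIXIT-M portexclusion support was removed with the RNA config; there is currently no way to exempt a port/network from discovery`, and the change belongs in the release notes; ideally the exclusion check is kept behind a Lua-configurable list. The body of this `is_session_monitored` overload continues past the hunk.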
uint64_t& flow_flags)
{
if (asd)
- flow_flags = is_session_monitored(*asd, p, dir, inspector);
+ flow_flags = is_session_monitored(*asd, p, dir);
else
- flow_flags = is_session_monitored(p, dir, inspector);
+ flow_flags = is_session_monitored(p, dir);
if ( flow_flags & (APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED) )
return false;
}
return true;
-
- // FIXIT-M some of this stuff may be needed in some fashion...
-#ifdef REMOVED_WHILE_NOT_IN_USE
- _dpd.registerSslAppIdLookup(sslAppGroupIdLookup);
-#endif
}
void AppIdInspector::show(SnortConfig*)
static const Parameter s_params[] =
{
-#ifdef USE_RNA_CONFIG
- { "conf", Parameter::PT_STRING, nullptr, nullptr,
- "RNA configuration file" }, // FIXIT-L eliminate reference to "RNA"
-#endif
// FIXIT-L: DECRYPT_DEBUG - Move this to ssl-module
#ifdef REG_TEST
{ "first_decrypted_packet_debug", Parameter::PT_INT, "0:max32", "0",
bool AppIdModule::set(const char* fqn, Value& v, SnortConfig* c)
{
-#ifdef USE_RNA_CONFIG
- if ( v.is("conf") )
- config->conf_file = snort_strdup(v.get_string());
- else
-#endif
// FIXIT-L: DECRYPT_DEBUG - Move this to ssl-module
#ifdef REG_TEST
if ( v.is("first_decrypted_packet_debug") )
#include "appid_http_session.h"
#include "appid_inspector.h"
#include "appid_stats.h"
-#include "appid_utils/ip_funcs.h"
#include "lua_detector_api.h"
#include "service_plugins/service_ssl.h"
#ifdef ENABLE_APPID_THIRD_PARTY
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// ip_funcs.cc author Sourcefire Inc.
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "ip_funcs.h"
-
-#ifdef USE_RNA_CONFIG
-
-#include <netinet/in.h>
-#include "log/messages.h"
-#include "utils/util.h"
-
-// FIXIT-L - These utility functions should probably go in the shared src/utils/ instead of just
-// appid if they are truly generic.
-
-// convert tabs to space, convert new line or carriage return to null
-// and stop returning the length of the converted string
-static int strip(char* data)
-{
- int size;
- char* idx;
-
- idx = data;
- size = 0;
-
- while (*idx)
- {
- if ((*idx == '\n') || (*idx == '\r'))
- {
- *idx = 0;
- break;
- }
- if (*idx == '\t')
- {
- *idx = ' ';
- }
- size++;
- idx++;
- }
-
- return size;
-}
-
-// split string pointed to by 'data' into tokens based on the set of delimiters
-// defined by the 'separator string, return number of tokens
-static int split(char* data, char** toklist, int max_toks, const char* separator)
-{
- char** ap;
- int argcount = 0;
-
- memset(toklist, 0, max_toks * sizeof(*toklist));
- for (ap = (char**)toklist;
- ap < &toklist[max_toks] && (*ap = strsep(&data, separator)) != nullptr; )
- {
- if (**ap != '\0')
- {
- ap++;
- argcount++;
- }
- }
-
- return argcount;
-}
-
-RNAIpAddrSet* ParseIpCidr(char* ipstring, uint32_t* netmasks)
-{
- char* toks[2];
- int num_toks;
- RNAIpAddrSet* ias;
- char* cp;
- struct in_addr ia;
-
- if (ipstring == nullptr)
- return nullptr;
-
- ias = (RNAIpAddrSet*)snort_calloc(sizeof(RNAIpAddrSet));
- strip(ipstring);
- cp = ipstring;
- if (*cp == 'h')
- {
- ias->addr_flags |= IPFUNCS_HOSTS_IP;
- cp++;
- }
-
- if (*cp == 's')
- {
- ias->addr_flags |= IPFUNCS_APPLICATION;
- cp++;
- }
-
- if (*cp == '!')
- {
- ias->addr_flags |= IPFUNCS_EXCEPT_IP;
- cp++;
- }
-
- if (!strcasecmp(ipstring, "any"))
- {
- ias->range_max = ~0;
- return ias;
- }
-
- num_toks = split(cp, toks, 2, "/");
-
- if (inet_pton(AF_INET, toks[0], &ia) <= 0)
- {
- ErrorMessage("IPFunctions: %s failed to translate", toks[0]);
- snort_free(ias);
- return nullptr;
- }
-
- ias->range_min = ntohl(ia.s_addr);
-
- if (num_toks > 1)
- {
- ias->netmask = (unsigned)strtoul(toks[1], nullptr, 0);
-
- if (ias->netmask < 32)
- {
- ias->netmask_mask = netmasks[ias->netmask];
- ias->range_min &= ias->netmask_mask;
- ias->range_max = ias->range_min + ~ias->netmask_mask;
- }
- else
- {
- ias->netmask = 32;
- ias->netmask_mask = netmasks[ias->netmask];
- ias->range_min &= ias->netmask_mask;
- ias->range_max = ias->range_min;
- }
- }
- else
- {
- ias->netmask = 32;
- ias->netmask_mask = netmasks[ias->netmask];
- ias->range_min &= ias->netmask_mask;
- ias->range_max = ias->range_min;
- }
-
- return ias;
-}
-
-RNAIpv6AddrSet* ParseIpv6Cidr(char* ipstring)
-{
- char* toks[2];
- int num_toks;
- RNAIpv6AddrSet* ias;
- char* cp;
- struct in6_addr ia;
-
- if (ipstring == nullptr)
- return nullptr;
-
- ias = (RNAIpv6AddrSet*)snort_calloc(sizeof(*ias));
- strip(ipstring);
- cp = ipstring;
- if (*cp == 'h')
- {
- ias->addr_flags |= IPFUNCS_HOSTS_IP;
- cp++;
- }
-
- if (*cp == 's')
- {
- ias->addr_flags |= IPFUNCS_APPLICATION;
- cp++;
- }
-
- if (*cp == '!')
- {
- ias->addr_flags |= IPFUNCS_EXCEPT_IP;
- cp++;
- }
-
- if (!strcasecmp(ipstring, "any"))
- {
- ias->range_max.lo = ULLONG_MAX;
- ias->range_max.hi = ULLONG_MAX;
- return ias;
- }
-
- num_toks = split(cp, toks, 2, "/");
-
- if (inet_pton(AF_INET6, toks[0], &ia) <= 0)
- {
- ErrorMessage("IPFunctions: %s failed to translate", toks[0]);
- snort_free(ias);
- return nullptr;
- }
- memcpy(&ias->range_min, (const void*)&ia, sizeof(ias->range_min));
- NetworkSetManager::ntoh_ipv6(&ias->range_min);
-
- if (num_toks > 1)
- {
- ias->netmask = (unsigned)strtoul(toks[1], nullptr, 0);
-
- /* Convert cidr to netmask */
- if (!ias->netmask)
- {
- ias->range_max.hi = ULLONG_MAX;
- ias->range_max.lo = ULLONG_MAX;
- }
- else if (ias->netmask < 64)
- {
- ias->netmask_mask.hi = ULLONG_MAX << (64 - ias->netmask);
- ias->range_min.hi &= ias->netmask_mask.hi;
- ias->range_min.lo = 0;
- ias->range_max.hi = ias->range_min.hi + ~ias->netmask_mask.hi;
- ias->range_max.lo = ULLONG_MAX;
- }
- else if (ias->netmask == 64)
- {
- ias->netmask_mask.hi = ULLONG_MAX;
- ias->range_min.hi &= ias->netmask_mask.hi;
- ias->range_min.lo = 0;
- ias->range_max.hi = ias->range_min.hi + ~ias->netmask_mask.hi;
- ias->range_max.lo = ULLONG_MAX;
- }
- else if (ias->netmask < 128)
- {
- ias->netmask_mask.hi = ULLONG_MAX;
- ias->netmask_mask.lo = ULLONG_MAX << (128 - ias->netmask);
- ias->range_min.lo &= ias->netmask_mask.lo;
- ias->range_max.hi = ias->range_min.hi;
- ias->range_max.lo = ias->range_min.lo + ~ias->netmask_mask.lo;
- }
- else
- {
- ias->netmask_mask.hi = ULLONG_MAX;
- ias->netmask_mask.lo = ULLONG_MAX;
- ias->range_max = ias->range_min;
- }
- }
- else
- {
- ias->netmask = 128;
- ias->netmask_mask.lo = ULLONG_MAX;
- ias->netmask_mask.hi = ULLONG_MAX;
- ias->range_max = ias->range_min;
- }
-
- return ias;
-}
-
-#endif
-
#ifndef IP_FUNCS_H
#define IP_FUNCS_H
-#include <cstdint>
-#include <cstring>
-
-#include "sfip/sf_ip.h"
-
-#include "network_set.h"
-
#define IPFUNCS_EXCEPT_IP 0x01
#define IPFUNCS_SECONDARY_IP 0x02
#define IPFUNCS_USER_IP 0x04
#define IPFUNCS_APPLICATION 0x10
#define IPFUNCS_CHECKED 0x80000000
-#ifdef USE_RNA_CONFIG
-struct RNAIpAddrSet
-{
- uint32_t range_min;
- uint32_t range_max;
- uint32_t addr_flags;
- unsigned netmask;
- uint32_t netmask_mask;
-};
-
-RNAIpAddrSet* ParseIpCidr(char*, uint32_t*);
-
-struct RNAIpv6AddrSet
-{
- NSIPv6Addr range_min;
- NSIPv6Addr range_max;
- uint32_t addr_flags;
- unsigned netmask;
- NSIPv6Addr netmask_mask;
-};
-
-RNAIpv6AddrSet* ParseIpv6Cidr(char*);
-
-inline void copyIpv4ToIpv6Network(ip::snort_in6_addr* keyIp, const uint32_t ip)
-{
- keyIp->u6_addr32[0] = keyIp->u6_addr32[1] = 0;
- keyIp->u6_addr16[4] = 0;
- keyIp->u6_addr16[5] = 0xFFFF;
- keyIp->u6_addr32[3] = ip;
-}
-
-//these functions are needed since snort does not store IPv4 address in highest 4 bytes
-//of 16 byte ip.
-inline void copySnortIpToIpv6Network(ip::snort_in6_addr* keyIp, const SfIp* snortIp)
-{
- memcpy(keyIp, snortIp->get_ip6_ptr(), sizeof(*keyIp));
-}
-
-inline int cmpSnortIpToHostKey(const ip::snort_in6_addr* keyIp, const SfIp* snortIp)
-{
- return memcmp(keyIp, snortIp->get_ip6_ptr(), sizeof(*keyIp));
-}
-
#endif
-
-#endif
-
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// network_set.cc author Sourcefire Inc.
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "network_set.h"
-
-#ifdef USE_RNA_CONFIG
-
-#include <sys/socket.h>
-
-#include "log/messages.h"
-#include "utils/util.h"
-
-int NetworkSetManager::create(NetworkSet** network_set)
-{
- if (!network_set)
- return -1;
-
- NetworkSet* tmp = (NetworkSet*)snort_calloc(sizeof(NetworkSet));
- sflist_init(&tmp->networks);
- sflist_init(&tmp->networks6);
- *network_set = tmp;
- return 0;
-}
-
-int NetworkSetManager::destroy(NetworkSet* network_set)
-{
- if (!network_set)
- return -1;
-
- if (network_set->pnetwork)
- {
- snort_free(network_set->pnetwork);
- network_set->pnetwork = nullptr;
- }
- sflist_static_free_all(&network_set->networks, &snort_free);
- network_set->ids.clear();
- if (network_set->pnetwork6)
- {
- snort_free(network_set->pnetwork6);
- network_set->pnetwork6 = nullptr;
- }
- sflist_static_free_all(&network_set->networks6, &snort_free);
- network_set->ids6.clear();
- snort_free(network_set);
-
- return 0;
-}
-
-int NetworkSetManager::add_network_range_ex(NetworkSet* network_set, uint32_t range_min,
- uint32_t range_max, unsigned cidr_bits, int ip_not, unsigned id, unsigned type)
-{
- if (!network_set)
- return -1;
-
- Network* network = (Network*)snort_calloc(sizeof(Network));
- network->info.id = id;
- network->info.ip_not = ip_not;
- network->info.type = type;
- network->info.netmask = cidr_bits;
- if (range_min <= range_max)
- {
- network->range_min = range_min;
- network->range_max = range_max;
- }
- else
- {
- network->range_min = range_max;
- network->range_max = range_min;
- }
-
- if (!network->info.ip_not)
- {
- SF_LNODE* iter = nullptr;
-
- for (Network* iNetwork = (Network*)sflist_first(&network_set->networks, &iter);
- iNetwork;
- iNetwork = (Network*)sflist_next(&iter))
- {
- if (iNetwork->info.id == network->info.id &&
- iNetwork->range_min == network->range_min &&
- iNetwork->range_max == network->range_max)
- {
- iNetwork->info.type |= network->info.type;
- snort_free(network);
- return 0;
- }
- }
- }
-
- sflist_add_tail(&network_set->networks, (void*)network);
- if (network_set->ids.emplace(network->info.id).second == false)
- {
- ErrorMessage("NetworkSet: Failed to add id %u\n", network->info.id);
- return -1;
- }
-
- return 0;
-}
-
-int NetworkSetManager::add_network_range(NetworkSet* network_set, uint32_t range_min,
- uint32_t range_max, unsigned cidr_bits, int ip_not, unsigned id)
-{
- return add_network_range_ex(network_set, range_min, range_max, cidr_bits, ip_not, id,
- 0);
-}
-
-int NetworkSetManager::add_network_range6(NetworkSet* network_set, NSIPv6Addr* range_min,
- NSIPv6Addr* range_max, unsigned cidr_bits, int ip_not, unsigned id, unsigned type)
-{
- if (!network_set)
- return -1;
-
- Network6* network = (Network6*)snort_calloc(sizeof(Network6));
- network->info.id = id;
- network->info.ip_not = ip_not;
- network->info.type = type;
- network->info.netmask = cidr_bits;
- if (compare_ipv6_address(range_min, range_max) <= 0)
- {
- network->range_min = *range_min;
- network->range_max = *range_max;
- }
- else
- {
- network->range_min = *range_max;
- network->range_max = *range_min;
- }
-
- if (!network->info.ip_not)
- {
- SF_LNODE* iter = nullptr;
-
- for (Network6* iNetwork = (Network6*)sflist_first(&network_set->networks6, &iter);
- iNetwork;
- iNetwork = (Network6*)sflist_next(&iter))
- {
- if (iNetwork->info.id == network->info.id &&
- !compare_ipv6_address(&iNetwork->range_min, &network->range_min) &&
- !compare_ipv6_address(&iNetwork->range_max, &network->range_max))
- {
- iNetwork->info.type |= network->info.type;
- snort_free(network);
- return 0;
- }
- }
- }
-
- sflist_add_tail(&network_set->networks6, (void*)network);
- if (network_set->ids6.emplace(network->info.id).second == false)
- {
- ErrorMessage("NetworkSet: Failed to add IPv6 id %u\n", network->info.id);
- return -1;
- }
-
- return 0;
-}
-
-int NetworkSetManager::add_network_range6(NetworkSet* network_set, NSIPv6Addr* range_min,
- NSIPv6Addr* range_max, unsigned cidr_bits, int ip_not, unsigned id)
-{
- return add_network_range6(network_set, range_min, range_max, cidr_bits, ip_not, id,
- 0);
-}
-
-int NetworkSetManager::add_network_range_only_ipv6(
- NetworkSet* network_set, int ip_not, unsigned id, unsigned type)
-{
- // Use two ranges to represent all of IPv6, excluding the IPv4-mapped range, ::FFFF:*.*.*.*
- NSIPv6Addr range_min, range_max;
- range_min.lo = 0;
- range_min.hi = 0;
- range_max.lo = 0x0000FFFEFFFFFFFFULL; // 0x0000FFFF00000000 - 1
- range_max.hi = 0;
- int rval = add_network_range6(network_set, &range_min, &range_max, 0, ip_not, id, type);
- range_min.lo = 0x0001000000000000ULL; // 0x0000FFFFFFFFFFFF + 1
- range_min.hi = 0;
- range_max.lo = 0xFFFFFFFFFFFFFFFFULL;
- range_max.hi = 0xFFFFFFFFFFFFFFFFULL;
- return rval ? rval : add_network_range6(network_set, &range_min, &range_max, 0,
- ip_not, id, type);
-}
-
-int NetworkSetManager::add_cidr_block_ex(NetworkSet* network_set, uint32_t ip,
- unsigned cidr_bits, int ip_not, unsigned id, unsigned type)
-{
- if (cidr_bits > 32)
- return -1;
-
- uint32_t mask = (cidr_bits == 0) ? 0 : 0xffffffff << (32 - cidr_bits);
- uint32_t range_min = ip & mask;
- uint32_t range_max = range_min + ~mask;
- return add_network_range_ex(network_set, range_min, range_max, cidr_bits,
- ip_not, id, type);
-}
-
-int NetworkSetManager::add_cidr_block(NetworkSet* network_set, uint32_t ip,
- unsigned cidr_bits, int ip_not, unsigned id)
-{
- return add_cidr_block_ex(network_set, ip, cidr_bits, ip_not, id, 0);
-}
-
-int NetworkSetManager::add_cidr_block6_ex(NetworkSet* network_set, NSIPv6Addr* ip,
- unsigned cidr_bits, int ip_not, unsigned id, unsigned type)
-{
- NSIPv6Addr mask;
-
- if (cidr_bits > 128)
- return -1;
-
- /* Convert cidr to netmask */
- if (!cidr_bits)
- {
- mask.hi = 0;
- mask.lo = 0;
- }
- else if (cidr_bits < 64)
- {
- mask.hi = ULLONG_MAX << (64 - cidr_bits);
- mask.lo = 0;
- }
- else if (cidr_bits == 64)
- {
- mask.hi = ULLONG_MAX;
- mask.lo = 0;
- }
- else
- {
- mask.hi = ULLONG_MAX;
- mask.lo = ULLONG_MAX << (128 - cidr_bits);
- }
-
- NSIPv6Addr range_min;
- NSIPv6Addr range_max;
-
- range_min.lo = ip->lo & mask.lo;
- range_min.hi = ip->hi & mask.hi;
- range_max.lo = range_min.lo + ~mask.lo;
- range_max.hi = range_min.hi + ~mask.hi;
- return add_network_range6(network_set, &range_min, &range_max, cidr_bits, ip_not,
- id, type);
-}
-
-int NetworkSetManager::add_cidr_block6(NetworkSet* network_set, NSIPv6Addr* ip,
- unsigned cidr_bits, int ip_not, unsigned id)
-{
- return add_cidr_block6_ex(network_set, ip, cidr_bits, ip_not, id, 0);
-}
-
-int NetworkSetManager::log_network_set(NetworkSet* network_set, const char* prefix, FILE* stream)
-{
- SF_LNODE* iter = nullptr;
- char min_ip[INET6_ADDRSTRLEN];
- char max_ip[INET6_ADDRSTRLEN];
-
- if (!network_set)
- return -1;
-
- if (!prefix)
- prefix = "";
-
- if (!stream)
- stream = stdout;
-
- for (Network* network = (Network*)sflist_first(&network_set->networks, &iter);
- network;
- network = (Network*)sflist_next(&iter))
- {
- struct in_addr four;
- four.s_addr = htonl(network->range_min);
- inet_ntop(AF_INET, &four, min_ip, sizeof(min_ip));
- four.s_addr = htonl(network->range_max);
- inet_ntop(AF_INET, &four, max_ip, sizeof(max_ip));
-
- /* check containment for this network */
- fprintf(stream, "%s%s%s-%s for %u with %08X\n", prefix, network->info.ip_not ? "!" : "",
- min_ip, max_ip, network->info.id, network->info.type);
- }
-
- for (Network6* network6 = (Network6*)sflist_first(&network_set->networks6, &iter);
- network6;
- network6 = (Network6*)sflist_next(&iter))
- {
- NSIPv6Addr six = network6->range_min;
- ntoh_ipv6(&six);
- inet_ntop(AF_INET6, (struct in6_addr*)&six, min_ip, sizeof(min_ip));
- six = network6->range_max;
- ntoh_ipv6(&six);
- inet_ntop(AF_INET6, (struct in6_addr*)&six, max_ip, sizeof(max_ip));
-
- /* check containment for this network */
- fprintf(stream, "%s%s%s-%s for %u with %08X\n", prefix, network6->info.ip_not ? "!" : "",
- min_ip, max_ip, network6->info.id, network6->info.type);
- }
-
- return 0;
-}
-
-int NetworkSetManager::order_by_netmask(SF_LIST* ordered_networks, SF_LIST* networks, unsigned
- id)
-{
- SF_LNODE* node = nullptr;
- NODE_DATA node_data;
-
- sflist_init(ordered_networks);
- do
- {
- SF_LNODE* iter = nullptr;
-
- node_data = nullptr;
- for (NSNetworkInfo* network = (NSNetworkInfo*)sflist_first(networks, &iter);
- network;
- network = (NSNetworkInfo*)sflist_next(&iter))
- {
- if ( network->id == id && (node_data == nullptr ||
- network->netmask < ((NSNetworkInfo*)node_data)->netmask ||
- ( ( network->netmask == ((NSNetworkInfo*)node_data)->netmask) &&
- !network->ip_not ) ) )
- {
- node_data = network;
- node = iter;
- }
- }
-
- if (node_data)
- {
- sflist_add_tail(ordered_networks, node_data);
- sflist_remove_node(networks, node);
- }
- }
- while (node_data);
-
- return 0;
-}
-
-int NetworkSetManager::add_network_list(SF_LIST* networks, SF_LIST* new_networks)
-{
- void* network;
-
- while ((network = sflist_remove_head(new_networks)))
- sflist_add_tail(networks, network);
-
- return 0;
-}
-
-int NetworkSetManager::reduce_network_set(SF_LIST* networks)
-{
- Network* ias;
- Network* i_ias;
- Network* new_ias;
- uint32_t tmp;
- bool changed;
- SF_LIST reduced_networks;
-
- if (!sflist_count(networks))
- return 0;
-
- sflist_init(&reduced_networks);
- while ( ( ias = (Network*)sflist_remove_head(networks) ) )
- {
- SF_LNODE* iter = nullptr;
-
- /* ias is lowest in the list, so it takes precedence */
- if (ias->info.ip_not)
- {
- i_ias = (Network*)sflist_first(&reduced_networks, &iter);
- while (i_ias)
- {
- changed = false;
-
- /*
- i_ias ******
- ias ***************
- */
- if (ias->range_min <= i_ias->range_min && ias->range_max >= i_ias->range_max)
- {
- sflist_remove_node(&reduced_networks, iter);
- changed = true;
- }
- /*
- i_ias ************
- ias ***
- or
- i_ias ************
- ias ************
- */
- else if (ias->range_min > i_ias->range_min && ias->range_min <= i_ias->range_max)
- {
- tmp = i_ias->range_max;
- i_ias->range_max = ias->range_min - 1;
- if (ias->range_max < tmp)
- {
- new_ias = (Network*)snort_calloc(sizeof(Network));
- *new_ias = *i_ias;
- new_ias->range_min = ias->range_max + 1;
- new_ias->range_max = tmp;
- sflist_add_tail(&reduced_networks, new_ias);
- changed = true;
- }
- }
- /*
- i_ias ************
- ias ************
- or
- i_ias ************
- ias ****
- */
- else if (ias->range_max >= i_ias->range_min && ias->range_max <= i_ias->range_max)
- {
- tmp = i_ias->range_min;
- i_ias->range_min = ias->range_max + 1;
- if (ias->range_min > tmp)
- {
- new_ias = (Network*)snort_calloc(sizeof(Network));
- *new_ias = *i_ias;
- new_ias->range_min = tmp;
- new_ias->range_max = ias->range_min - 1;
- sflist_add_tail(&reduced_networks, new_ias);
- changed = true;
- }
- }
-
- if (changed)
- i_ias = (Network*)sflist_first(&reduced_networks, &iter);
- else
- i_ias = (Network*)sflist_next(&iter);
- }
-
- snort_free(ias);
- }
- else
- {
- i_ias = (Network*)sflist_first(&reduced_networks, &iter);
- while (i_ias)
- {
- changed = false;
- if (ias->info.type == i_ias->info.type)
- {
- /*
- i_ias ******
- ias ***************
- */
- if (ias->range_min <= i_ias->range_min && ias->range_max >= i_ias->range_max)
- {
- sflist_remove_node(&reduced_networks, iter);
- changed = true;
- snort_free(i_ias);
- i_ias = nullptr;
- }
- /*
- i_ias ***************
- ias ******
- */
- else if (i_ias->range_min <= ias->range_min && i_ias->range_max >=
- ias->range_max)
- {
- ias->range_min = i_ias->range_min;
- ias->range_max = i_ias->range_max;
- sflist_remove_node(&reduced_networks, iter);
- changed = true;
- snort_free(i_ias);
- i_ias = nullptr;
- }
- /*
- i_ias ************
- ias ************
- */
- else if (ias->range_min > i_ias->range_min && ias->range_min <=
- i_ias->range_max)
- {
- i_ias->range_max = ias->range_min - 1;
- }
- /*
- i_ias ************
- ias ************
- */
- else if (ias->range_max >= i_ias->range_min && ias->range_max <
- i_ias->range_max)
- {
- i_ias->range_min = ias->range_max + 1;
- }
- }
- else /* different types */
- {
- /*
- i_ias ******
- ias ******
- */
- if (ias->range_min == i_ias->range_min && ias->range_max == i_ias->range_max)
- {
- i_ias->info.type = ias->info.type;
- snort_free(ias);
- ias = nullptr;
- break;
- }
- /*
- i_ias ******
- ias ***************
- */
- else if (ias->range_min < i_ias->range_min && ias->range_max >=
- i_ias->range_max)
- {
- sflist_remove_node(&reduced_networks, iter);
- snort_free(i_ias);
- i_ias = nullptr;
- changed = true;
- }
- /*
- i_ias ************
- ias ***
- or
- i_ias ************
- ias ************
- or
- i_ias ************
- ias ******
- */
- else if (ias->range_min > i_ias->range_min && ias->range_min <=
- i_ias->range_max)
- {
- tmp = i_ias->range_max;
- i_ias->range_max = ias->range_min - 1;
- if (ias->range_max < tmp)
- {
- new_ias = (Network*)snort_calloc(sizeof(Network));
- *new_ias = *i_ias;
- new_ias->range_min = ias->range_max + 1;
- new_ias->range_max = tmp;
- sflist_add_tail(&reduced_networks, new_ias);
- changed = true;
- }
- }
- /*
- i_ias ************
- ias ************
- or
- i_ias ************
- ias ****
- */
- else if (ias->range_max > i_ias->range_min && ias->range_max <
- i_ias->range_max)
- {
- i_ias->range_min = ias->range_max + 1;
- }
- }
-
- if (changed)
- i_ias = (Network*)sflist_first(&reduced_networks, &iter);
- else
- i_ias = (Network*)sflist_next(&iter);
- }
-
- if (ias)
- sflist_add_tail(&reduced_networks, ias);
- }
- }
-
- /* Minimize the ranges */
- SF_LNODE* outer_iter;
- ias = (Network*)sflist_first(&reduced_networks, &outer_iter);
- while (ias)
- {
- /* i_ias is lowest in the list, so it takes precedence */
- changed = false;
- SF_LNODE* inner_iter = outer_iter;
-
- i_ias = (Network*)sflist_next(&inner_iter);
- while ( i_ias )
- {
- if (ias->info.type == i_ias->info.type)
- {
- /*
- i_ias ************
- ias ***
- */
- if (ias->range_min && (i_ias->range_max+1) == ias->range_min)
- {
- i_ias->range_max = ias->range_max;
- sflist_remove_node(&reduced_networks, outer_iter);
- snort_free(ias);
- changed = true;
- break;
- }
- /*
- i_ias ************
- ias *****
- */
- else if (i_ias->range_min && (ias->range_max+1) == i_ias->range_min)
- {
- i_ias->range_min = ias->range_min;
- sflist_remove_node(&reduced_networks, outer_iter);
- snort_free(ias);
- changed = true;
- break;
- }
- }
-
- i_ias = (Network*)sflist_next(&inner_iter);
- }
-
- if (changed)
- ias = (Network*)sflist_first(&reduced_networks, &outer_iter);
- else
- ias = (Network*)sflist_next(&outer_iter);
- }
-
- sflist_static_free_all(networks, &snort_free);
- while ((ias = (Network*)sflist_remove_head(&reduced_networks)))
- {
- sflist_add_tail(networks, ias);
- }
- return 0;
-}
-
-int NetworkSetManager::reduce_network_set6(SF_LIST* networks)
-{
- Network6* ias;
- Network6* i_ias;
- Network6* new_ias;
- NSIPv6Addr tmp;
- NSIPv6Addr tmp2;
- bool changed;
- SF_LIST reduced_networks;
-
- if (!sflist_count(networks))
- return 0;
-
- sflist_init(&reduced_networks);
- while ((ias = (Network6*)sflist_remove_head(networks)))
- {
- SF_LNODE* iter = nullptr;
-
- /* ias is lowest in the list, so it takes precedence */
- if (ias->info.ip_not)
- {
- i_ias = (Network6*)sflist_first(&reduced_networks, &iter);
- while (i_ias)
- {
- changed = false;
-
- /*
- i_ias ******
- ias ***************
- */
- if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) <= 0 &&
- compare_ipv6_address(&ias->range_max, &i_ias->range_max) >= 0)
- {
- sflist_remove_node(&reduced_networks, iter);
- changed = true;
- }
- /*
- i_ias ************
- ias ***
- or
- i_ias ************
- ias ************
- */
- else if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) > 0 &&
- compare_ipv6_address(&ias->range_min, &i_ias->range_max) <= 0)
- {
- tmp = i_ias->range_max;
- i_ias->range_max = ias->range_min;
- decrement_ipv6_addr(&i_ias->range_max);
- if (compare_ipv6_address(&ias->range_max, &tmp) < 0)
- {
- new_ias = (Network6*)snort_calloc(sizeof(Network6));
- *new_ias = *i_ias;
- new_ias->range_min = ias->range_max;
- increment_ipv6_addr(&new_ias->range_min);
- new_ias->range_max = tmp;
- sflist_add_tail(&reduced_networks, new_ias);
- changed = true;
- }
- }
- /*
- i_ias ************
- ias ************
- or
- i_ias ************
- ias ****
- */
- else if (compare_ipv6_address(&ias->range_max, &i_ias->range_min) >= 0 &&
- compare_ipv6_address(&ias->range_max, &i_ias->range_max) <= 0)
- {
- tmp = i_ias->range_min;
- i_ias->range_min = ias->range_max;
- increment_ipv6_addr(&i_ias->range_min);
- if (compare_ipv6_address(&ias->range_min, &tmp) > 0)
- {
- new_ias = (Network6*)snort_calloc(sizeof(Network6));
- *new_ias = *i_ias;
- new_ias->range_min = tmp;
- new_ias->range_max = ias->range_min;
- decrement_ipv6_addr(&new_ias->range_max);
- sflist_add_tail(&reduced_networks, new_ias);
- changed = true;
- }
- }
-
- if (changed)
- i_ias = (Network6*)sflist_first(&reduced_networks, &iter);
- else
- i_ias = (Network6*)sflist_next(&iter);
- }
- snort_free(ias);
- }
- else
- {
- i_ias = (Network6*)sflist_first(&reduced_networks, &iter);
- while (i_ias)
- {
- changed = false;
- if (ias->info.type == i_ias->info.type)
- {
- /*
- i_ias ******
- ias ***************
- */
- if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) <= 0 &&
- compare_ipv6_address(&ias->range_max, &i_ias->range_max) >= 0)
- {
- sflist_remove_node(&reduced_networks, iter);
- changed = true;
- snort_free(i_ias);
- i_ias = nullptr;
- }
- /*
- i_ias ***************
- ias ******
- */
- else if (compare_ipv6_address(&i_ias->range_min, &ias->range_min) <= 0 &&
- compare_ipv6_address(&i_ias->range_max, &ias->range_max) >= 0)
- {
- ias->range_min = i_ias->range_min;
- ias->range_max = i_ias->range_max;
- sflist_remove_node(&reduced_networks, iter);
- changed = true;
- snort_free(i_ias);
- i_ias = nullptr;
- }
- /*
- i_ias ************
- ias ************
- */
- else if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) > 0 &&
- compare_ipv6_address(&ias->range_min, &i_ias->range_max) <= 0)
- {
- i_ias->range_max = ias->range_min;
- decrement_ipv6_addr(&i_ias->range_max);
- }
- /*
- i_ias ************
- ias ************
- */
- else if (compare_ipv6_address(&ias->range_max, &i_ias->range_min) >= 0 &&
- compare_ipv6_address(&ias->range_max, &i_ias->range_max) < 0)
- {
- i_ias->range_min = ias->range_max;
- increment_ipv6_addr(&i_ias->range_min);
- }
- }
- else /* different types */
- {
- /*
- i_ias ******
- ias ******
- */
- if (!compare_ipv6_address(&ias->range_min, &i_ias->range_min) &&
- !compare_ipv6_address(&ias->range_max, &i_ias->range_max))
- {
- i_ias->info.type = ias->info.type;
- snort_free(ias);
- ias = nullptr;
- break;
- }
- /*
- i_ias ******
- ias ***************
- */
- else if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) < 0 &&
- compare_ipv6_address(&ias->range_max, &i_ias->range_max) >= 0)
- {
- sflist_remove_node(&reduced_networks, iter);
- snort_free(i_ias);
- i_ias = nullptr;
- changed = true;
- }
- /*
- i_ias ************
- ias ***
- or
- i_ias ************
- ias ************
- or
- i_ias ************
- ias ******
- */
- else if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) > 0 &&
- compare_ipv6_address(&ias->range_min, &i_ias->range_max) <= 0)
- {
- tmp = i_ias->range_max;
- i_ias->range_max = ias->range_min;
- decrement_ipv6_addr(&i_ias->range_max);
- if (compare_ipv6_address(&ias->range_max, &tmp) < 0)
- {
- new_ias = (Network6*)snort_calloc(sizeof(Network6));
- *new_ias = *i_ias;
- new_ias->range_min = ias->range_max;
- increment_ipv6_addr(&new_ias->range_min);
- new_ias->range_max = tmp;
- sflist_add_tail(&reduced_networks, new_ias);
- changed = true;
- }
- }
- /*
- i_ias ************
- ias ************
- or
- i_ias ************
- ias ****
- */
- else if (compare_ipv6_address(&ias->range_max, &i_ias->range_min) > 0 &&
- compare_ipv6_address(&ias->range_max, &i_ias->range_max) < 0)
- {
- i_ias->range_min = ias->range_max;
- increment_ipv6_addr(&i_ias->range_min);
- }
- }
-
- if (changed)
- i_ias = (Network6*)sflist_first(&reduced_networks, &iter);
- else
- i_ias = (Network6*)sflist_next(&iter);
- }
-
- if (ias)
- sflist_add_tail(&reduced_networks, ias);
- }
- }
-
- /* Minimize the ranges */
- SF_LNODE* outer_iter;
- ias = (Network6*)sflist_first(&reduced_networks, &outer_iter);
- while (ias)
- {
- /* i_ias is lowest in the list, so it takes precedence */
- changed = false;
- SF_LNODE* inner_iter = outer_iter;
- i_ias = (Network6*)sflist_next(&inner_iter);
- while ( i_ias )
- {
- if (ias->info.type == i_ias->info.type)
- {
- /*
- i_ias ************
- ias ***
- */
- tmp = i_ias->range_max;
- increment_ipv6_addr(&tmp);
- tmp2 = ias->range_max;
- increment_ipv6_addr(&tmp2);
- if ((ias->range_min.lo || ias->range_min.hi) &&
- !compare_ipv6_address(&tmp, &ias->range_min))
- {
- i_ias->range_max = ias->range_max;
- sflist_remove_node(&reduced_networks, outer_iter);
- snort_free(ias);
- changed = true;
- break;
- }
- /*
- i_ias ************
- ias *****
- */
- else if ((i_ias->range_min.lo || i_ias->range_min.hi) &&
- !compare_ipv6_address(&tmp2, &i_ias->range_min))
- {
- i_ias->range_min = ias->range_min;
- sflist_remove_node(&reduced_networks, outer_iter);
- snort_free(ias);
- changed = true;
- break;
- }
- }
-
- i_ias = (Network6*)sflist_next(&inner_iter);
- }
-
- if (changed)
- ias = (Network6*)sflist_first(&reduced_networks, &outer_iter);
- else
- ias = (Network6*)sflist_next(&outer_iter);
- }
-
- sflist_static_free_all(networks, &snort_free);
- while ((ias = (Network6*)sflist_remove_head(&reduced_networks)))
- {
- sflist_add_tail(networks, ias);
- }
- return 0;
-}
-
-int NetworkSetManager::reduce(NetworkSet* network_set)
-{
- int rval;
- SF_LIST ordered_networks;
- Network* network;
- Network6* network6;
- unsigned tmp;
- int count;
-
- if (!network_set)
- return -1;
-
- for (auto& id : network_set->ids)
- {
- if ((rval = order_by_netmask(&ordered_networks, &network_set->networks, id)) != 0)
- {
- sflist_free_all(&ordered_networks, &snort_free);
- return rval;
- }
- if ((rval = reduce_network_set(&ordered_networks)) != 0)
- {
- sflist_free_all(&ordered_networks, &snort_free);
- return rval;
- }
- if ((rval = add_network_list(&network_set->networks, &ordered_networks)) != 0)
- {
- sflist_free_all(&ordered_networks, &snort_free);
- return rval;
- }
- }
- if ((rval = reduce_network_set(&network_set->networks)) != 0)
- {
- sflist_free_all(&ordered_networks, &snort_free);
- return rval;
- }
-
- tmp = 0;
- if ((rval = count4(network_set, &tmp)) != 0)
- return rval;
-
- count = (int)tmp;
- if (count > 0)
- {
- network_set->count = count;
- if (network_set->pnetwork)
- {
- snort_free(network_set->pnetwork);
- network_set->pnetwork = nullptr;
- }
- network_set->pnetwork = (Network**)snort_calloc(count * sizeof(Network*));
- SF_LNODE* iter = nullptr;
- int k = 0;
- for (network = (Network*)sflist_first(&network_set->networks, &iter);
- network && k < count;
- network = (Network*)sflist_next(&iter))
- {
- network_set->pnetwork[k++] = network;
- }
- /* bubble sort this array */
- for (int i = (count - 1); i >= 0; i--)
- {
- for (int j = 1; j <= i; j++)
- {
- if (network_set->pnetwork[j - 1]->range_min > network_set->pnetwork[j]->range_min)
- {
- network = network_set->pnetwork[j - 1];
- network_set->pnetwork[j - 1] = network_set->pnetwork[j];
- network_set->pnetwork[j] = network;
- }
- }
- }
- }
-
- for (auto& id : network_set->ids6)
- {
- if ((rval = order_by_netmask(&ordered_networks, &network_set->networks6, id)) != 0)
- {
- sflist_free_all(&ordered_networks, &snort_free);
- return rval;
- }
-
- if ((rval = reduce_network_set6(&ordered_networks)) != 0)
- {
- sflist_free_all(&ordered_networks, &snort_free);
- return rval;
- }
-
- if ((rval = add_network_list(&network_set->networks6, &ordered_networks)) != 0)
- {
- sflist_free_all(&ordered_networks, &snort_free);
- return rval;
- }
- }
- if ((rval = reduce_network_set6(&network_set->networks6)) != 0)
- {
- sflist_free_all(&ordered_networks, &snort_free);
- return rval;
- }
-
- tmp = 0;
- if ((rval = count6(network_set, &tmp)) != 0)
- return rval;
-
- count = (int)tmp;
- if (count > 0)
- {
- network_set->count6 = count;
- if (network_set->pnetwork6)
- {
- snort_free(network_set->pnetwork6);
- network_set->pnetwork6 = nullptr;
- }
- network_set->pnetwork6 = (Network6**)snort_calloc(count * sizeof(Network6*));
- SF_LNODE* iter = nullptr;
- int k = 0;
- for (network6 = (Network6*)sflist_first(&network_set->networks6, &iter);
- network6 && k < count;
- network6 = (Network6*)sflist_next(&iter))
- {
- network_set->pnetwork6[k++] = network6;
- }
- /* bubble sort this array */
- for (int i = (count - 1); i >= 0; i--)
- {
- for (int j = 1; j <= i; j++)
- {
- if (compare_ipv6_address(&network_set->pnetwork6[j - 1]->range_min,
- &network_set->pnetwork6[j]->range_min) > 0)
- {
- network6 = network_set->pnetwork6[j-1];
- network_set->pnetwork6[j - 1] = network_set->pnetwork6[j];
- network_set->pnetwork6[j] = network6;
- }
- }
- }
- }
- return 0;
-}
-
-NetworkSet* NetworkSetManager::copy(NetworkSet* network_set)
-{
- NetworkSet* new_set;
- SF_LNODE* iter;
-
- if (!network_set)
- return nullptr;
-
- if (create(&new_set) != 0)
- return nullptr;
-
- for (Network* network = (Network*)sflist_first(&network_set->networks, &iter);
- network;
- network = (Network*)sflist_next(&iter))
- {
- if (add_network_range_ex(new_set, network->range_min, network->range_max,
- network->info.netmask, network->info.ip_not,
- network->info.id, network->info.type) != 0)
- {
- destroy(new_set);
- return nullptr;
- }
- }
- for (Network6* network6 = (Network6*)sflist_first(&network_set->networks6, &iter);
- network6;
- network6 = (Network6*)sflist_next(&iter))
- {
- if (add_network_range6(new_set, &network6->range_min, &network6->range_max,
- network6->info.netmask, network6->info.ip_not,
- network6->info.id, network6->info.type) != 0)
- {
- destroy(new_set);
- return nullptr;
- }
- }
- return new_set;
-}
-
-int NetworkSetManager::add_set(NetworkSet* dest_set, NetworkSet* src_set)
-{
- SF_LNODE* iter;
- int rval;
-
- if (!src_set || !dest_set)
- return -1;
-
- for (Network* network = (Network*)sflist_first(&src_set->networks, &iter);
- network;
- network = (Network*)sflist_next(&iter))
- {
- if ((rval = add_network_range_ex(dest_set, network->range_min, network->range_max,
- network->info.netmask, network->info.ip_not,
- network->info.id, network->info.type)) != 0)
- {
- return rval;
- }
- }
-
- for (Network6* network6 = (Network6*)sflist_first(&src_set->networks6, &iter);
- network6;
- network6 = (Network6*)sflist_next(&iter))
- {
- if ((rval = add_network_range6(dest_set, &network6->range_min, &network6->range_max,
- network6->info.netmask, network6->info.ip_not,
- network6->info.id, network6->info.type)) != 0)
- {
- return rval;
- }
- }
- return 0;
-}
-
-#endif
-
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// network_set.h author Sourcefire Inc.
-
-#ifndef NETWORK_SET_H
-#define NETWORK_SET_H
-
-#ifdef USE_RNA_CONFIG
-
-#include <cstdio>
-#include <unordered_set>
-
-#include "protocols/ipv6.h"
-#include "utils/sflsq.h"
-
-// network_set.h author Sourcefire Inc.
-
-#ifndef ULLONG_MAX
-# define ULLONG_MAX 18446744073709551615ULL
-#endif
-
-#define BYTE_SWAP_16(x) \
- ((uint16_t)((((uint16_t)(x) & 0xff00) >> 8) | \
- (((uint16_t)(x) & 0x00ff) << 8)))
-
-#define BYTE_SWAP_32(x) \
- ((uint32_t)((((uint32_t)(x) & 0xff000000) >> 24) | \
- (((uint32_t)(x) & 0x00ff0000) >> 8) | \
- (((uint32_t)(x) & 0x0000ff00) << 8) | \
- (((uint32_t)(x) & 0x000000ff) << 24)))
-
-#define BYTE_SWAP_64(x) \
- ((uint64_t)((((uint64_t)(x) & 0xff00000000000000ULL) >> 56) | \
- (((uint64_t)(x) & 0x00ff000000000000ULL) >> 40) | \
- (((uint64_t)(x) & 0x0000ff0000000000ULL) >> 24) | \
- (((uint64_t)(x) & 0x000000ff00000000ULL) >> 8) | \
- (((uint64_t)(x) & 0x00000000ff000000ULL) << 8) | \
- (((uint64_t)(x) & 0x0000000000ff0000ULL) << 24) | \
- (((uint64_t)(x) & 0x000000000000ff00ULL) << 40) | \
- (((uint64_t)(x) & 0x00000000000000ffULL) << 56)))
-
-#if defined(WORDS_BIGENDIAN)
-struct NSIPv6Addr
-{
- uint64_t hi = 0;
- uint64_t lo = 0;
-};
-#else
-struct NSIPv6Addr
-{
- uint64_t lo = 0;
- uint64_t hi = 0;
-};
-#endif
-
-//IPv6 address a must be in network order
-#define NSIP_IS_ADDR_MULTICAST(a) \
- (IN6_IS_ADDR_MULTICAST(a) \
- || ((IN6_IS_ADDR_V4MAPPED(a) || IN6_IS_ADDR_V4COMPAT(a)) && (((__const uint32_t*)(a))[3] == \
- 0xffffffff)))
-
-struct NSNetworkInfo
-{
- unsigned id;
- unsigned netmask;
- int ip_not;
- unsigned type;
-};
-
-struct Network
-{
- NSNetworkInfo info;
- uint32_t range_min;
- uint32_t range_max;
-};
-
-struct Network6
-{
- NSNetworkInfo info;
- NSIPv6Addr range_min;
- NSIPv6Addr range_max;
-};
-
-struct NetworkSet
-{
- NetworkSet* next;
- SF_LIST networks;
- std::unordered_set<unsigned> ids;
- Network** pnetwork;
- unsigned count;
- SF_LIST networks6;
- std::unordered_set<unsigned> ids6;
- Network6** pnetwork6;
- unsigned count6;
-};
-
-// FIXIT-L - this should be integrated into the snort3 general IP address support library
-class NetworkSetManager
-{
-public:
- static int create(NetworkSet**);
- static int destroy(NetworkSet*);
- static NetworkSet* copy(NetworkSet*);
- static int add_set(NetworkSet* dest_set, NetworkSet* src_set);
- static int add_cidr_block_ex(NetworkSet*, uint32_t ip,
- unsigned cidr_bits, int ip_not, unsigned id, unsigned type);
- static int add_cidr_block6_ex(NetworkSet*, NSIPv6Addr*,
- unsigned cidr_bits, int ip_not, unsigned id, unsigned type);
- static int add_cidr_block(NetworkSet*, uint32_t ip,
- unsigned cidr_bits, int ip_not, unsigned id);
- static int add_cidr_block6(NetworkSet*, NSIPv6Addr*,
- unsigned cidr_bits, int ip_not, unsigned id);
- static int add_network_range_ex(NetworkSet*, uint32_t range_min,
- uint32_t range_max, unsigned cidr_bits, int ip_not, unsigned id, unsigned type);
- static int add_network_range6(NetworkSet*, NSIPv6Addr* range_min,
- NSIPv6Addr* range_max, unsigned cidr_bits, int ip_not, unsigned id, unsigned type);
- static int add_network_range(NetworkSet*, uint32_t range_min,
- uint32_t range_max, unsigned cidr_bits, int ip_not, unsigned id);
- static int add_network_range6(NetworkSet*, NSIPv6Addr* range_min,
- NSIPv6Addr* range_max, unsigned cidr_bits, int ip_not, unsigned id);
- static int add_network_range_only_ipv6(NetworkSet*, int ip_not,
- unsigned id, unsigned type);
- static int reduce(NetworkSet*);
- static int log_network_set(NetworkSet*, const char* prefix, FILE* stream);
-
- static void pack_ipv4_to_ipv6(NSIPv6Addr* ipv6Addr, uint32_t ipv4Addr)
- {
- ipv6Addr->hi = 0ULL;
- ipv6Addr->lo = (uint64_t)ipv4Addr | 0x0000FFFF00000000ULL;
- }
-
- static int unpack_ipv4_from_ipv6(const NSIPv6Addr* ipv6Addr, uint32_t* ipv4Addr)
- {
- if (!ipv6Addr->hi)
- {
- uint64_t lo = ipv6Addr->lo & 0xFFFFFFFF00000000ULL;
- if (!lo || lo == 0x0000FFFF00000000ULL)
- {
- *ipv4Addr = (uint32_t)ipv6Addr->lo;
- return 0;
- }
- }
- return -1;
- }
-
- static void copy_ipv6_address(const NSIPv6Addr* src, NSIPv6Addr* dst)
- {
- dst->hi = src->hi;
- dst->lo = src->lo;
- }
-
- static int compare_ipv6_address(const NSIPv6Addr* a, const NSIPv6Addr* b)
- {
- if (a->hi < b->hi)
- return -1;
- else if (a->hi > b->hi)
- return 1;
- if (a->lo < b->lo)
- return -1;
- else if (a->lo > b->lo)
- return 1;
- return 0;
- }
-
- static void ntoh_ipv6(NSIPv6Addr* ip6)
- {
-#if !defined(WORDS_BIGENDIAN)
- uint64_t tmp;
-
- tmp = BYTE_SWAP_64(ip6->hi);
- ip6->hi = BYTE_SWAP_64(ip6->lo);
- ip6->lo = tmp;
-#endif
- }
-
-
- static void _swap_ipv6(const NSIPv6Addr* ip6, NSIPv6Addr* ip6h)
- {
-#if defined(WORDS_BIGENDIAN)
- ip6h->hi = ip6->hi;
- ip6h->lo = ip6->lo;
-#else
- ip6h->hi = BYTE_SWAP_64(ip6->lo);
- ip6h->lo = BYTE_SWAP_64(ip6->hi);
-#endif
- }
-
- static void ntoh_swap_ipv6(const ip::snort_in6_addr* ip6, NSIPv6Addr* ip6h)
- {
- _swap_ipv6((const NSIPv6Addr*)ip6, ip6h);
- }
-
- static void hton_swap_ipv6(const NSIPv6Addr* ip6, ip::snort_in6_addr* ip6h)
- {
- _swap_ipv6(ip6, (NSIPv6Addr*)ip6h);
- }
-
- static void increment_ipv6_addr(NSIPv6Addr* ip6)
- {
- if (ip6->lo == ULLONG_MAX)
- {
- ip6->lo = 0;
- ip6->hi++;
- }
- else
- ip6->lo++;
- }
-
- static void decrement_ipv6_addr(NSIPv6Addr* ip6)
- {
- if (!ip6->lo)
- {
- ip6->lo = ULLONG_MAX;
- ip6->hi--;
- }
- else
- ip6->lo--;
- }
-
- static int contains_ex(NetworkSet* network_set, uint32_t ipaddr, unsigned* type)
- {
- int low=0;
- int high=0;
- *type = 0;
-
- if (!network_set)
- return 0;
-
- if (!network_set->count)
- return 0;
-
- high = network_set->count - 1;
-
- if (ipaddr < network_set->pnetwork[low]->range_min || ipaddr >
- network_set->pnetwork[high]->range_max)
- return 0;
-
- while (low <= high)
- {
- int middle = low + ((high - low)>>1);
-
- if (ipaddr < network_set->pnetwork[middle]->range_min)
- high = middle - 1;
- else if (ipaddr > network_set->pnetwork[middle]->range_max)
- low = middle + 1;
- else
- {
- *type = network_set->pnetwork[middle]->info.type;
- return 1;
- }
- }
- return 0;
- }
-
- static int contains6_ex(NetworkSet* network_set, NSIPv6Addr* ipaddr, unsigned* type)
- {
- int low=0;
- int high=0;
- *type = 0;
-
- if (!network_set)
- return 0;
-
- if (!network_set->count6)
- return 0;
-
- high = network_set->count6 - 1;
-
- if (compare_ipv6_address(ipaddr, &network_set->pnetwork6[low]->range_min) < 0 ||
- compare_ipv6_address(ipaddr, &network_set->pnetwork6[high]->range_max) > 0)
- {
- return 0;
- }
- while (low <= high)
- {
- int middle = low + ((high - low)>>1);
-
- if (compare_ipv6_address(ipaddr, &network_set->pnetwork6[middle]->range_min) < 0)
- high = middle - 1;
- else if (compare_ipv6_address(ipaddr, &network_set->pnetwork6[middle]->range_max) > 0)
- low = middle + 1;
- else
- {
- *type = network_set->pnetwork6[middle]->info.type;
- return 1;
- }
- }
- return 0;
- }
-
- static int contains(NetworkSet* network_set, uint32_t ipaddr)
- {
- unsigned type;
- return contains_ex(network_set, ipaddr, &type);
- }
-
- static int contains6(NetworkSet* network_set, NSIPv6Addr* ipaddr)
- {
- unsigned type;
- return contains6_ex(network_set, ipaddr, &type);
- }
-
- static int count4(NetworkSet* network_set, unsigned* count)
- {
- if (!network_set || !count)
- return -1;
-
- *count = sflist_count(&network_set->networks);
-
- return 0;
- }
-
- static int count6(NetworkSet* network_set, unsigned* count)
- {
- if (!network_set || !count)
- return -1;
-
- *count = sflist_count(&network_set->networks6);
-
- return 0;
- }
-
- static unsigned count_ex(NetworkSet* network_set)
- {
- if (!network_set)
- return 0;
-
- return sflist_count(&network_set->networks);
- }
-
- static unsigned count6_ex(NetworkSet* network_set)
- {
- if (!network_set)
- return 0;
-
- return sflist_count(&network_set->networks6);
- }
-
-private:
- static int order_by_netmask(SF_LIST* ordered_networks, SF_LIST* networks, unsigned id);
- static int add_network_list(SF_LIST* networks, SF_LIST* new_networks);
- static int reduce_network_set(SF_LIST* networks);
- static int reduce_network_set6(SF_LIST* networks);
-};
-#endif
-
-#endif
-
return 0;
}
-#ifdef USE_RNA_CONFIG
-static unsigned isIPv4HostMonitored(uint32_t ip4, int32_t zone)
-{
- NetworkSet* net_list;
- unsigned flags;
- AppIdConfig* config = AppIdInspector::get_inspector()->get_appid_config();
-
- if (zone >= 0 && zone < MAX_ZONES && config->net_list_by_zone[zone])
- net_list = config->net_list_by_zone[zone];
- else
- net_list = config->net_list;
-
- NetworkSetManager::contains_ex(net_list, ip4, &flags);
- return flags;
-}
-
-#else
static unsigned isIPv4HostMonitored(uint32_t, int32_t)
{
// FIXIT-M Defaulting to checking everything everywhere until RNA config is reimplemented
return IPFUNCS_HOSTS_IP | IPFUNCS_USER_IP | IPFUNCS_APPLICATION;
}
-#endif
-
void BootpServiceDetector::add_new_dhcp_lease(AppIdSession& asd, const uint8_t* mac, uint32_t ip,
int32_t zone,
uint32_t subnetmask, uint32_t leaseSecs, uint32_t router)
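Review bot: With the RNA branch removed, the surviving isIPv4HostMonitored ignores both of its arguments and always returns IPFUNCS_HOSTS_IP | IPFUNCS_USER_IP | IPFUNCS_APPLICATION, so the caller add_new_dhcp_lease will treat every host in every zone as monitored and record its lease; the FIXIT-M comment only gives the reason, not this consequence. I would reword it as `// FIXIT-M Zone/network-set scoping was removed with USE_RNA_CONFIG; until it is reimplemented every host is treated as monitored for hosts, users and applications, so every DHCP lease seen is recorded.` If zone-based scoping is not expected to return, the two unnamed parameters are dead and the helper could be reduced to a named constant so readers do not assume a per-host check still happens. The body of add_new_dhcp_lease lies outside the hunk, so I could not confirm whether any other `USE_RNA_CONFIG` branches still reference the deleted NetworkSet types.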
// Stubs for config
AppIdModuleConfig::~AppIdModuleConfig() {}
-AppIdConfig::AppIdConfig(AppIdModuleConfig*) {}
-AppIdConfig::~AppIdConfig() {}
static AppIdModuleConfig app_config;
static AppIdConfig my_app_config(&app_config);
AppId AppIdConfig::get_port_service_id(IpProtocol, uint16_t)
AppIdSession* mock_session = nullptr;
AppIdSessionApi* appid_session_api = nullptr;
-//Stub for config
-AppIdConfig::AppIdConfig(AppIdModuleConfig* mod)
-{
- this->mod_config = mod;
- this->mod_config->check_host_port_app_cache = false;
-}
-
TEST_GROUP(appid_session_api)
{
void setup() override