detection_util.h
detect_trace.h
ips_context.h
+ ips_context_data.h
regex_offload.h
rule_option_types.h
rules.h
fp_utils.cc
fp_utils.h
ips_context.cc
+ ips_context_data.cc
pattern_match_data.h
pcrm.cc
pcrm.h
#include "detect_trace.h"
#include "ips_context.h"
+#include "ips_context_data.h"
#ifdef UNIT_TEST
#include "catch/snort_catch.h"
#include "fp_config.h"
#include "fp_detect.h"
#include "ips_context.h"
+#include "ips_context_data.h"
#include "regex_offload.h"
static THREAD_LOCAL RegexOffload* offloader = nullptr;
#include "ips_context.h"
#include <cassert>
+#include "detection/detection_engine.h"
+#include "detection/ips_context_data.h"
#include "events/event_queue.h"
#include "events/sfeventq.h"
#include "main/snort_config.h"
using namespace snort;
-//--------------------------------------------------------------------------
-// context data
-//--------------------------------------------------------------------------
-
-// ips_id is not a member of context data so that
-// tests (and only tests) can reset the id
-static unsigned ips_id = 0;
-
-// Only 5 inspectors currently use the ips context data.
-// FIXIT-L This limit should to be updated if any more inspectors/modules use it.
-constexpr unsigned max_ips_id = 32;
-
-unsigned IpsContextData::get_ips_id()
-{
- ++ips_id;
- assert( ips_id < max_ips_id );
- return ips_id;
-}
-
//--------------------------------------------------------------------------
// context methods
//--------------------------------------------------------------------------
};
int TestData::count = 0;
-
-TEST_CASE("IpsContextData id", "[IpsContextData]")
-{
- ips_id = 0;
-
- auto id1 = IpsContextData::get_ips_id();
- auto id2 = IpsContextData::get_ips_id();
- CHECK(id1 != id2);
-
- CHECK(max_ips_id > id2 );
-}
+static unsigned ips_id = 0;
TEST_CASE("IpsContext basic", "[IpsContext]")
{
namespace snort
{
+class IpsContextData;
struct SnortConfig;
struct Replacement
{
SnortProtocolId proto_id;
};
-class SO_PUBLIC IpsContextData
-{
-public:
- virtual ~IpsContextData() = default;
-
- static unsigned get_ips_id();
- virtual void clear() {}
-
-protected:
- IpsContextData() = default;
-};
-
class SO_PUBLIC IpsContext
{
public:
std::vector<Replacement> rpl;
static const unsigned buf_size = Codec::PKT_MAX;
+ // Only 5 inspectors currently use the ips context data.
+ // FIXIT-L This limit should to be updated if any more inspectors/modules use it.
+ static constexpr unsigned max_ips_id = 32;
private:
FlowSnapshot flow;
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2018-2018 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// ips_context_data.cc author Russ Combs <rucombs@cisco.com>
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "ips_context_data.h"
+
+#include <cassert>
+#include "detection/ips_context.h"
+
+#ifdef UNIT_TEST
+#include "catch/snort_catch.h"
+#endif
+
+using namespace snort;
+
+//--------------------------------------------------------------------------
+// context data
+//--------------------------------------------------------------------------
+
+// ips_id is not a member of context data so that
+// tests (and only tests) can reset the id
+static unsigned ips_id = 0;
+static unsigned max_id = IpsContext::max_ips_id;
+
+unsigned IpsContextData::get_ips_id()
+{
+ ++ips_id;
+ assert( ips_id < max_id );
+ return ips_id;
+}
+
+//--------------------------------------------------------------------------
+// unit tests
+//--------------------------------------------------------------------------
+
+#ifdef UNIT_TEST
+
+TEST_CASE("IpsContextData id", "[IpsContextData]")
+{
+ ips_id = 0;
+
+ auto id1 = IpsContextData::get_ips_id();
+ auto id2 = IpsContextData::get_ips_id();
+ CHECK(id1 != id2);
+
+ CHECK(max_id > id2 );
+}
+
+#endif
+
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2018-2018 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// ips_context_data.h author Russ Combs <rucombs@cisco.com>
+
+#ifndef IPS_CONTEXT_DATA_H
+#define IPS_CONTEXT_DATA_H
+
+#include "main/snort_types.h"
+
+#include "detection/detection_engine.h"
+
+namespace snort
+{
+class SO_PUBLIC IpsContextData
+{
+public:
+ virtual ~IpsContextData() = default;
+
+ static unsigned get_ips_id();
+ template<typename T>
+ static T* get(unsigned ips_id)
+ {
+ T* data = (T*)DetectionEngine::get_data(ips_id);
+ if ( ! data )
+ {
+ data = new T;
+ DetectionEngine::set_data(ips_id, data);
+ }
+ return data;
+ }
+ virtual void clear() {}
+
+protected:
+ IpsContextData() = default;
+};
+}
+#endif
+
decode_b64.h
decode_base.h
file_mime_config.h
+ file_mime_context_data.h
file_mime_decode.h
file_mime_log.h
file_mime_paf.h
add_library ( mime OBJECT
${MIME_INCLUDES}
file_mime_config.cc
+ file_mime_context_data.cc
file_mime_decode.cc
file_mime_log.cc
file_mime_paf.cc
buffer->reset_saved();
}
-DecodeResult B64Decode::decode_data(const uint8_t* start, const uint8_t* end)
+DecodeResult B64Decode::decode_data(const uint8_t* start, const uint8_t* end, uint8_t* decode_buf)
{
uint32_t act_encode_size = 0, act_decode_size = 0;
uint32_t i = 0;
- if (!buffer->check_restore_buffer())
+ if (!buffer->check_restore_buffer() || !decode_buf)
{
reset_decode_state();
return DECODE_EXCEEDED;
buffer->reset_saved();
if (snort::sf_base64decode(buffer->get_encode_buff(), act_encode_size,
- buffer->get_decode_buff(), buffer->get_decode_avail(), &act_decode_size) != 0)
+ decode_buf, buffer->get_decode_avail(), &act_decode_size) != 0)
{
reset_decode_state();
return DECODE_FAIL;
}
decoded_bytes = act_decode_size;
- decodePtr = buffer->get_decode_buff();
+ decodePtr = decode_buf;
buffer->update_buffer(act_encode_size, act_decode_size);
decode_bytes_read = buffer->get_decode_bytes_read();
return DECODE_SUCCESS;
~B64Decode() override;
// Main function to decode file data
- DecodeResult decode_data(const uint8_t* start, const uint8_t* end) override;
+ DecodeResult decode_data(const uint8_t* start, const uint8_t* end, uint8_t* decode_buf) override;
void reset_decode_state() override;
virtual ~DataDecode() = default;
// Main function to decode file data
- virtual DecodeResult decode_data(const uint8_t* start, const uint8_t* end) = 0;
+ virtual DecodeResult decode_data(const uint8_t* start, const uint8_t* end, uint8_t* decode_buf) = 0;
// Retrieve the decoded data the previous decode_data() call
int get_decoded_data(const uint8_t** buf, uint32_t* size);
reset_decoded_bytes();
}
-DecodeResult BitDecode::decode_data(const uint8_t* start, const uint8_t* end)
+DecodeResult BitDecode::decode_data(const uint8_t* start, const uint8_t* end, uint8_t*)
{
uint32_t bytes_avail = 0;
uint32_t act_size = end - start;
BitDecode(int max_depth, int detect_depth);
// Main function to decode file data
- DecodeResult decode_data(const uint8_t* start, const uint8_t* end) override;
+ DecodeResult decode_data(const uint8_t* start, const uint8_t* end, uint8_t* decode_buf) override;
void reset_decode_state() override;
uint32_t encode_avail = get_encode_avail();
if (encode_avail ==0 || decode_avail ==0 ||
- (!encodeBuf) || (!decodeBuf))
+ (!encodeBuf))
{
return false;
}
return;
encodeBuf = (uint8_t*)snort_alloc(buf_size);
- decodeBuf = (uint8_t*)snort_alloc(buf_size);
}
DecodeBuffer::~DecodeBuffer()
{
if (encodeBuf)
snort_free(encodeBuf);
- if (decodeBuf)
- snort_free(decodeBuf);
}
void DecodeBuffer::update_buffer(uint32_t act_encode_size, uint32_t act_decode_size)
void update_buffer(uint32_t act_encode_size, uint32_t act_decode_size);
void reset_saved();
- uint8_t* get_decode_buff() { return decodeBuf; }
uint8_t* get_encode_buff() { return encodeBuf; }
uint32_t get_decode_bytes_read() { return decode_bytes_read; }
uint32_t get_decode_avail();
uint32_t prev_encoded_bytes;
uint8_t* prev_encoded_buf;
uint8_t* encodeBuf = nullptr;
- uint8_t* decodeBuf = nullptr;
uint32_t encode_bytes_read;
uint32_t decode_bytes_read;
int code_depth;
buffer->reset_saved();
}
-DecodeResult QPDecode::decode_data(const uint8_t* start, const uint8_t* end)
+DecodeResult QPDecode::decode_data(const uint8_t* start, const uint8_t* end, uint8_t *decode_buf)
{
uint32_t act_encode_size = 0, act_decode_size = 0, bytes_read = 0;
- if (!buffer->check_restore_buffer())
+ if (!buffer->check_restore_buffer() || !decode_buf)
{
reset_decode_state();
return DECODE_EXCEEDED;
act_encode_size = act_encode_size + buffer->get_prev_encoded_bytes();
if (sf_qpdecode((char *)buffer->get_encode_buff(), act_encode_size,
- (char *)buffer->get_decode_buff(), buffer->get_decode_avail(),
- &bytes_read, &act_decode_size) != 0)
+ (char *)decode_buf, buffer->get_decode_avail(), &bytes_read,
+ &act_decode_size) != 0)
{
reset_decode_state();
return DECODE_FAIL;
buffer->reset_saved();
decoded_bytes = act_decode_size;
- decodePtr = buffer->get_decode_buff();
+ decodePtr = decode_buf;
buffer->update_buffer(act_encode_size, act_decode_size);
decode_bytes_read = buffer->get_decode_bytes_read();
return DECODE_SUCCESS;
~QPDecode() override;
// Main function to decode file data
- DecodeResult decode_data(const uint8_t* start, const uint8_t* end) override;
+ DecodeResult decode_data(const uint8_t* start, const uint8_t* end, uint8_t* decode_buf) override;
void reset_decode_state() override;
begin_found = end_found = false;
}
-DecodeResult UUDecode::decode_data(const uint8_t* start, const uint8_t* end)
+DecodeResult UUDecode::decode_data(const uint8_t* start, const uint8_t* end, uint8_t* decode_buf)
{
uint32_t act_encode_size = 0, act_decode_size = 0, bytes_read = 0;
- if (!buffer->check_restore_buffer())
+ if (!buffer->check_restore_buffer() || !decode_buf)
{
reset_decode_state();
return DECODE_EXCEEDED;
act_encode_size = act_encode_size + buffer->get_prev_encoded_bytes();
- if (sf_uudecode(buffer->get_encode_buff(), act_encode_size, buffer->get_decode_buff(),
+ if (sf_uudecode(buffer->get_encode_buff(), act_encode_size, decode_buf,
buffer->get_decode_avail(), &bytes_read, &act_decode_size,
&(begin_found), &(end_found)) != 0)
{
buffer->reset_saved();
decoded_bytes = act_decode_size;
- decodePtr = buffer->get_decode_buff();
+ decodePtr = decode_buf;
buffer->update_buffer(act_encode_size, act_decode_size);
decode_bytes_read = buffer->get_decode_bytes_read();
return DECODE_SUCCESS;
~UUDecode() override;
// Main function to decode file data
- DecodeResult decode_data(const uint8_t* start, const uint8_t* end) override;
+ DecodeResult decode_data(const uint8_t* start, const uint8_t* end, uint8_t* decode_buf) override;
void reset_decode_state() override;
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2018-2018 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// file_mime_context_data.cc author Bhagya Tholpady <bbantwal@cisco.com>
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "file_mime_context_data.h"
+
+#include "detection/detection_engine.h"
+#include "utils/util.h"
+
+using namespace snort;
+
+#define MAX_DEPTH 65536
+unsigned MimeDecodeContextData::mime_ips_id = 0;
+
+MimeDecodeContextData::MimeDecodeContextData()
+{
+ decode_buf = (uint8_t*)snort_alloc(MAX_DEPTH);
+}
+MimeDecodeContextData::~MimeDecodeContextData()
+{
+ snort_free(decode_buf);
+ decode_buf = nullptr;
+}
+
+void MimeDecodeContextData::init()
+{ mime_ips_id = IpsContextData::get_ips_id(); }
+
+uint8_t* MimeDecodeContextData::get_decode_buf()
+{
+ MimeDecodeContextData* data = IpsContextData::get<MimeDecodeContextData>(mime_ips_id);
+
+ return data->decode_buf;
+}
+
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2018-2018 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// file_mime_context_data.h author Bhagya Tholpady <bbantwal@cisco.com>
+
+#ifndef FILE_MIME_CONTEXT_DATA_H
+#define FILE_MIME_CONTEXT_DATA_H
+
+#include "detection/ips_context_data.h"
+
+class MimeDecodeContextData : public snort::IpsContextData
+{
+public:
+ MimeDecodeContextData();
+ ~MimeDecodeContextData() override;
+
+ static unsigned mime_ips_id;
+
+ uint8_t* decode_buf = nullptr;
+
+ static void init();
+ static uint8_t* get_decode_buf();
+};
+
+#endif
+
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// file_mime_decode.cc author Bhagyashree Bantwal <bbantwal@sourcefire.com>
+// file_mime_decode.cc author Bhagya Tholpady <bbantwal@cisco.com>
#ifdef HAVE_CONFIG_H
#include "config.h"
#include "decode_bit.h"
#include "decode_qp.h"
#include "decode_uu.h"
+#include "file_mime_context_data.h"
using namespace snort;
+void MimeDecode::init()
+{ MimeDecodeContextData::init(); }
+
void MimeDecode::reset_decoded_bytes()
{
if (decoder)
if (mime_stats)
mime_stats->b64_attachments++;
decoder = new B64Decode(config->get_max_depth(config->get_b64_depth()),
- config->get_b64_depth());
+ config->get_b64_depth());
return;
}
}
if (mime_stats)
mime_stats->qp_attachments++;
decoder = new QPDecode(config->get_max_depth(config->get_qp_depth()),
- config->get_qp_depth());
+ config->get_qp_depth());
return;
}
}
if (mime_stats)
mime_stats->uu_attachments++;
decoder = new UUDecode(config->get_max_depth(config->get_uu_depth()),
- config->get_uu_depth());
+ config->get_uu_depth());
return;
}
}
DecodeResult MimeDecode::decode_data(const uint8_t* start, const uint8_t* end)
{
- return (decoder ? decoder->decode_data(start,end) : DECODE_SUCCESS);
+ uint8_t* decode_buf = MimeDecodeContextData::get_decode_buf();
+ return (decoder ? decoder->decode_data(start,end, decode_buf) : DECODE_SUCCESS);
}
int MimeDecode::get_detection_depth()
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// sf_email_attach_decode.h author Bhagyashree Bantwal <bbantwal@cisco.com>
+// file_mime_decode.h author Bhagya Bantwal <bbantwal@cisco.com>
#ifndef FILE_MIME_DECODE_H
#define FILE_MIME_DECODE_H
DecodeType get_decode_type();
+ static void init();
+
private:
DecodeType decode_type = DECODE_NONE;
snort::DecodeConfig* config;
{
const MimeToken* tmp;
+ MimeDecode::init();
+
/* Header search */
mime_hdr_search_mpse = new SearchTool;
if (mime_hdr_search_mpse == nullptr)
if ( !ips_id )
return;
- DceContextData* dcd = (DceContextData*)DetectionEngine::get_data(ips_id);
-
- if ( !dcd )
- {
- dcd = new DceContextData;
- DetectionEngine::set_data(ips_id, dcd);
- }
+ DceContextData* dcd = IpsContextData::get<DceContextData>(ips_id);
if ( !dcd->current_ropts )
{
#ifndef DCE_CONTEXT_DATA_H
#define DCE_CONTEXT_DATA_H
-#include "detection/ips_context.h"
+#include "detection/ips_context_data.h"
#include "dce_utils.h"
struct DCE2_Roptions;
#include "gtp_inspect.h"
#include "detection/detection_engine.h"
-#include "detection/ips_context.h"
+#include "detection/ips_context_data.h"
#include "managers/inspector_manager.h"
#include "profiler/profiler.h"
#include "protocols/packet.h"
GTP_IEData* get_infos()
{
- GtpContextData* gcd = (GtpContextData*)DetectionEngine::get_data(ips_id);
+ GtpContextData* gcd = IpsContextData::get<GtpContextData>(ips_id);
- if ( !gcd )
- {
- gcd = new GtpContextData;
- DetectionEngine::set_data(ips_id, gcd);
- }
return gcd->gtp_ies;
}
void HttpContextData::save_snapshot(HttpMsgSection* section)
{
- HttpContextData* hcd = (HttpContextData*)DetectionEngine::get_data(HttpContextData::ips_id);
-
- if ( !hcd )
- {
- hcd = new HttpContextData;
- DetectionEngine::set_data(HttpContextData::ips_id, hcd);
- }
+ HttpContextData* hcd = IpsContextData::get<HttpContextData>(HttpContextData::ips_id);
hcd->current_section = section;
section->add_ips_context(DetectionEngine::get_context());
#ifndef HTTP_CONTEXT_DATA_H
#define HTTP_CONTEXT_DATA_H
-#include "detection/ips_context.h"
+#include "detection/ips_context_data.h"
class HttpMsgSection;
projects / thirdparty / snort3.git / commitdiff
