assert(p->is_udp());
if ( p->ptrs.dp == port && p->dsize > max )
- SnortEventqAdd(DPX_GID, DPX_SID);
+ DetectionEngine::queue_event(DPX_GID, DPX_SID);
++dpxstats.total_packets;
}
#include <assert.h>
#include <strings.h>
+#include "detection/detection_engine.h"
#include "events/event_queue.h"
#include "main/thread.h"
while ( (sid = ffs(mask)) )
{
- SnortEventqAdd(gid, sid);
+ DetectionEngine::queue_event(gid, sid);
mask ^= (1 << (sid-1));
}
}
#include "hi_stream_splitter.h"
+<<<<<<< HEAD
#include "events/event_queue.h"
#include "main/snort_debug.h"
+=======
+#include "hi_events.h"
+#include "main/snort_debug.h"
+#include "detection/detection_engine.h"
+>>>>>>> refactor event queue into DetectionEngine
#include "protocols/packet.h"
#include "stream/stream.h"
#include "utils/util.h"
static inline void hi_paf_event_post()
{
- SnortEventqAdd(
- GID_HTTP_CLIENT,
- HI_CLIENT_UNBOUNDED_POST);
+ DetectionEngine::queue_event(GID_HTTP_CLIENT, HI_CLIENT_UNBOUNDED_POST);
}
static inline void hi_paf_event_simple()
{
- SnortEventqAdd(
- GID_HTTP_CLIENT,
- HI_CLIENT_SIMPLE_REQUEST);
+ DetectionEngine::queue_event(GID_HTTP_CLIENT, HI_CLIENT_SIMPLE_REQUEST);
}
static inline void hi_paf_event_msg_size()
{
- SnortEventqAdd(
- GID_HTTP_SERVER,
- HI_CLISRV_MSG_SIZE_EXCEPTION);
+ DetectionEngine::queue_event(GID_HTTP_SERVER, HI_CLISRV_MSG_SIZE_EXCEPTION);
}
static inline void hi_paf_event_pipe()
{
- SnortEventqAdd(
- GID_HTTP_CLIENT,
- HI_CLIENT_PIPELINE_MAX);
+ DetectionEngine::queue_event(GID_HTTP_CLIENT, HI_CLIENT_PIPELINE_MAX);
}
static inline StreamSplitter::Status hi_exec(Hi5State* s, Action a, int c)
#include "fp_detect.h"
+#include "detection/detection_engine.h"
#include "events/event.h"
#include "filters/rate_filter.h"
#include "filters/sfthreshold.h"
/*
** QueueEvent
*/
- if ( SnortEventqAdd(otn) )
+ if ( DetectionEngine::queue_event(otn) )
pc.queue_limit++;
tcnt++;
** event (gid,sid pair). This is now required to get events
** to be logged. The decoders and preprocessors are still
** configured independently, which allows them to inspect and
-** call the alerting functions SnortEventqAdd, GenerateSnortEvent()
+** call the alerting functions DetectionEngine::queue_event, GenerateSnortEvent()
** and GenerateEvent2() for portscan.cc. The GenerateSnortEvent()
** function now finds and otn and calls fpLogEvent.
**
** mapping, and then adjusts it's inspection or detection
** accordingly.
**
-** SnortEventqAdd() - only adds events that have an otn
+** DetectionEngine::queue_event() - only adds events that have an otn
**
*/
static THREAD_LOCAL unsigned s_events = 0;
//-------------------------------------------------
-/*
-** Set default values
-*/
+
EventQueueConfig* EventQueueConfigNew()
{
- EventQueueConfig* eqc =
- (EventQueueConfig*)snort_calloc(sizeof(EventQueueConfig));
+ EventQueueConfig* eqc = (EventQueueConfig*)snort_calloc(sizeof(EventQueueConfig));
eqc->max_events = 8;
eqc->log_events = 3;
snort_free(eqc);
}
-// Return 0 if no OTN since -1 return indicates queue limit reached. See
-// fpFinalSelectEvent()
-int SnortEventqAdd(const OptTreeNode* otn)
-{
- RuleTreeNode* rtn = getRtnFromOtn(otn);
-
- if ( !rtn )
- {
- // If the rule isn't in the current policy,
- // don't add it to the event queue.
- return 0;
- }
-
- SF_EVENTQ* pq = DetectionEngine::get_event_queue();
- EventNode* en = (EventNode*)sfeventq_event_alloc(pq);
-
- if ( !en )
- return -1;
-
- en->otn = otn;
- en->rtn = rtn;
-
- if ( sfeventq_add(pq, en) )
- return -1;
-
- s_events++;
- return 0;
-}
-
-// Preprocessors and decoder will call this function since
-// they don't have access to the OTN.
-int SnortEventqAdd(uint32_t gid, uint32_t sid, RuleType type)
-{
- OptTreeNode* otn = GetOTN(gid, sid);
-
- if ( !otn )
- return 0;
-
- SF_EVENTQ* pq = DetectionEngine::get_event_queue();
- EventNode* en = (EventNode*)sfeventq_event_alloc(pq);
-
- if ( !en )
- return -1;
-
- en->otn = otn;
- en->rtn = nullptr; // lookup later after ips policy selection
- en->type = type;
-
- if ( sfeventq_add(pq, en) )
- return -1;
-
- s_events++;
- return 0;
-}
-
-bool event_is_enabled(uint32_t gid, uint32_t sid)
-{
- OptTreeNode* otn = GetOTN(gid, sid);
- return ( otn != nullptr );
-}
-
-static int LogSnortEvents(void* event, void* user)
-{
- if ( !event || !user )
- return 0;
-
- EventNode* en = (EventNode*)event;
-
- if ( !en->rtn )
- {
- en->rtn = getRtnFromOtn(en->otn);
-
- if ( !en->rtn )
- return 0; // not enabled
- }
-
- if ( s_events > 0 )
- s_events--;
-
- fpLogEvent(en->rtn, en->otn, (Packet*)user);
- sfthreshold_reset();
-
- return 0;
-}
-
-/*
-** We return whether we logged events or not. We've add a eventq user
-** structure so we can track whether the events logged were rule events
-** or preprocessor/decoder events. The reason being that we don't want
-** to flush a TCP stream for preprocessor/decoder events, and cause
-** early flushing of the stream.
-*/
-int SnortEventqLog(Packet* p)
-{
- SF_EVENTQ* pq = DetectionEngine::get_event_queue();
- sfeventq_action(pq, LogSnortEvents, (void*)p);
- return 0;
-}
-
-static inline void reset_counts()
-{
- pc.log_limit += s_events;
- s_events = 0;
-}
-
-void SnortEventqResetCounts()
-{
- reset_counts();
-}
-
-void SnortEventqReset()
-{
- SF_EVENTQ* pq = DetectionEngine::get_event_queue();
- sfeventq_reset(pq);
- reset_counts();
-}
-
EventQueueConfig* EventQueueConfigNew();
void EventQueueConfigFree(EventQueueConfig*);
-SO_PUBLIC void SnortEventqReset();
-void SnortEventqResetCounts();
-
-SO_PUBLIC int SnortEventqLog(struct Packet*);
-SO_PUBLIC int SnortEventqAdd(const struct OptTreeNode*);
-SO_PUBLIC int SnortEventqAdd(uint32_t gid, uint32_t sid, RuleType = RULE_TYPE__NONE);
-SO_PUBLIC bool event_is_enabled(uint32_t gid, uint32_t sid);
-
#endif
* This function has been updated to find an otn and route the call to fpLogEvent
* if possible. This requires a rule be written for each decoder event,
* and possibly some preporcessor events. The bulk of eventing is handled vie the
- * SnortEventqAdd() and SnortEventLog() functions - whichalready route the events to
- * the fpLogEvent()function.
+ * DetectionEngine::queue_event() and SnortEventLog() functions - whichalready
+ * route the events to the fpLogEvent()function.
*/
uint32_t GenerateSnortEvent(Packet* p, uint32_t gid, uint32_t sid)
{
#include "codec.h"
#include "codecs/codec_module.h"
+#include "detection/detection_engine.h"
#include "events/event_queue.h"
EncState::EncState(const ip::IpApi& api, EncodeFlags f, IpProtocol pr,
if ( codec.codec_flags & CODEC_STREAM_REBUILT )
return;
- SnortEventqAdd(GID_DECODE, sid);
+ DetectionEngine::queue_event(GID_DECODE, sid);
}
bool Codec::CheckIPV6HopOptions(const RawData& raw, CodecData& codec)
#include "packet_latency.h"
+#include "detection/detection_engine.h"
#include "log/messages.h"
#include "main/snort_config.h"
#include "protocols/packet.h"
static struct SnortEventHandler : public EventHandler
{
void handle(const Event&) override
- { SnortEventqAdd(GID_LATENCY, LATENCY_EVENT_PACKET_FASTPATHED); }
+ { DetectionEngine::queue_event(GID_LATENCY, LATENCY_EVENT_PACKET_FASTPATHED); }
} event_handler;
static struct SnortLogHandler : public EventHandler
#include "rule_latency.h"
+#include "detection/detection_engine.h"
#include "detection/detection_options.h"
#include "detection/treenodes.h"
#include "main/snort_config.h"
switch ( e.type )
{
case Event::EVENT_ENABLED:
- SnortEventqAdd(GID_LATENCY, LATENCY_EVENT_RULE_TREE_ENABLED);
+ DetectionEngine::queue_event(GID_LATENCY, LATENCY_EVENT_RULE_TREE_ENABLED);
break;
case Event::EVENT_SUSPENDED:
- SnortEventqAdd(GID_LATENCY, LATENCY_EVENT_RULE_TREE_SUSPENDED);
+ DetectionEngine::queue_event(GID_LATENCY, LATENCY_EVENT_RULE_TREE_SUSPENDED);
break;
default:
#include "config.h"
#endif
+#include "detection/detection_engine.h"
#include "events/event_queue.h"
#include "log/messages.h"
#include "profiler/profiler.h"
case ARPOP_REQUEST:
if (memcmp((u_char*)eh->ether_dst, (u_char*)bcast, 6) != 0)
{
- SnortEventqAdd(GID_ARP_SPOOF,
- ARPSPOOF_UNICAST_ARP_REQUEST);
-
- DebugMessage(DEBUG_INSPECTOR,
- "MODNAME: Unicast request\n");
+ DetectionEngine::queue_event(GID_ARP_SPOOF, ARPSPOOF_UNICAST_ARP_REQUEST);
+ DebugMessage(DEBUG_INSPECTOR, "MODNAME: Unicast request\n");
}
else if (memcmp((u_char*)eh->ether_src,
(u_char*)ah->arp_sha, 6) != 0)
{
- SnortEventqAdd(GID_ARP_SPOOF,
- ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC);
-
- DebugMessage(DEBUG_INSPECTOR,
- "MODNAME: Ethernet/ARP mismatch request\n");
+ DetectionEngine::queue_event(GID_ARP_SPOOF, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC);
+ DebugMessage(DEBUG_INSPECTOR, "MODNAME: Ethernet/ARP mismatch request\n");
}
break;
case ARPOP_REPLY:
if (memcmp((u_char*)eh->ether_src,
(u_char*)ah->arp_sha, 6) != 0)
{
- SnortEventqAdd(GID_ARP_SPOOF,
- ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC);
-
- DebugMessage(DEBUG_INSPECTOR,
- "MODNAME: Ethernet/ARP mismatch reply src\n");
+ DetectionEngine::queue_event(GID_ARP_SPOOF, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC);
+ DebugMessage(DEBUG_INSPECTOR, "MODNAME: Ethernet/ARP mismatch reply src\n");
}
else if (memcmp((u_char*)eh->ether_dst,
(u_char*)ah->arp_tha, 6) != 0)
{
- SnortEventqAdd(GID_ARP_SPOOF,
- ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST);
-
- DebugMessage(DEBUG_INSPECTOR,
- "MODNAME: Ethernet/ARP mismatch reply dst\n");
+ DetectionEngine::queue_event(GID_ARP_SPOOF, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST);
+ DebugMessage(DEBUG_INSPECTOR, "MODNAME: Ethernet/ARP mismatch reply dst\n");
}
break;
}
// in p doesn't match the MAC address in ipme, then generate an alert
if ( cmp_ether_src || cmp_arp_sha )
{
- SnortEventqAdd(GID_ARP_SPOOF, ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK);
-
- DebugMessage(DEBUG_INSPECTOR,
- "MODNAME: Attempted ARP cache overwrite attack\n");
+ DetectionEngine::queue_event(GID_ARP_SPOOF, ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK);
+ DebugMessage(DEBUG_INSPECTOR, "MODNAME: Attempted ARP cache overwrite attack\n");
}
}
else if (BLACKLISTED == decision)
{
- SnortEventqAdd(GID_REPUTATION, REPUTATION_EVENT_BLACKLIST);
+ DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_BLACKLIST);
Active::drop_packet(p, true);
// disable all preproc analysis and detection for this packet
DetectionEngine::disable_all();
}
else if (MONITORED == decision)
{
- SnortEventqAdd(GID_REPUTATION, REPUTATION_EVENT_MONITOR);
+ DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_MONITOR);
reputationstats.monitored++;
}
else if (WHITELISTED_TRUST == decision)
{
- SnortEventqAdd(GID_REPUTATION, REPUTATION_EVENT_WHITELIST);
+ DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_WHITELIST);
p->packet_flags |= PKT_IGNORE;
DetectionEngine::disable_all();
p->disable_inspect = true;
#include "codecs/codec_module.h"
#include "codecs/ip/checksum.h"
+#include "detection/detection_engine.h"
#include "log/text_log.h"
#include "main/snort_config.h"
#include "main/snort_debug.h"
// If we have reached the MAX_LAYERS, we keep decoding
// but no longer keep track of the layers.
if ( p->num_layers == CodecManager::max_layers )
- SnortEventqAdd(GID_DECODE, DECODE_TOO_MANY_LAYERS);
+ DetectionEngine::queue_event(GID_DECODE, DECODE_TOO_MANY_LAYERS);
else
push_layer(p, prev_prot_id, raw.data, codec_data.lyr_len);
(to_utype(prev_prot_id) <= std::numeric_limits<uint8_t>::max()) &&
!(codec_data.codec_flags & CODEC_STREAM_REBUILT) )
{
- SnortEventqAdd(GID_DECODE, DECODE_IP_UNASSIGNED_PROTO);
+ DetectionEngine::queue_event(GID_DECODE, DECODE_IP_UNASSIGNED_PROTO);
}
}
}
#include "config.h"
#endif
+#include "detection/detection_engine.h"
#include "events/event_queue.h"
#include "framework/inspector.h"
#include "framework/module.h"
if ( len >= BO_BUF_ATTACK_SIZE )
{
- SnortEventqAdd(GID_BO, BO_SNORT_BUFFER_ATTACK);
+ DetectionEngine::queue_event(GID_BO, BO_SNORT_BUFFER_ATTACK);
return BO_FROM_UNKNOWN;
}
if ( bo_direction == BO_FROM_CLIENT )
{
- SnortEventqAdd(GID_BO, BO_CLIENT_TRAFFIC_DETECT);
+ DetectionEngine::queue_event(GID_BO, BO_CLIENT_TRAFFIC_DETECT);
DebugMessage(DEBUG_INSPECTOR, "Client packet\n");
}
else if ( bo_direction == BO_FROM_SERVER )
{
- SnortEventqAdd(GID_BO, BO_SERVER_TRAFFIC_DETECT);
+ DetectionEngine::queue_event(GID_BO, BO_SERVER_TRAFFIC_DETECT);
DebugMessage(DEBUG_INSPECTOR, "Server packet\n");
}
else
- SnortEventqAdd(GID_BO, BO_TRAFFIC_DETECT);
+ DetectionEngine::queue_event(GID_BO, BO_TRAFFIC_DETECT);
}
}
}
#ifndef DCE_COMMON_H
#define DCE_COMMON_H
-#include "events/event_queue.h"
+#include "detection/detection_engine.h"
#include "framework/counts.h"
#include "framework/endianness.h"
#include "framework/value.h"
inline void dce_alert(uint32_t gid, uint32_t sid, dce2CommonStats* stats)
{
- SnortEventqAdd(gid,sid);
+ DetectionEngine::queue_event(gid,sid);
stats->events++;
}
#include "dnp3.h"
+#include "detection/detection_engine.h"
#include "events/event_queue.h"
#include "protocols/packet.h"
if (truncated_pdu)
{
- SnortEventqAdd(GID_DNP3, DNP3_DROPPED_FRAME);
+ DetectionEngine::queue_event(GID_DNP3, DNP3_DROPPED_FRAME);
}
return true;
/* Raise an alert so it's clear the buffer was reset.
Could signify device trouble. */
- SnortEventqAdd(GID_DNP3, DNP3_REASSEMBLY_BUFFER_CLEARED);
+ DetectionEngine::queue_event(GID_DNP3, DNP3_REASSEMBLY_BUFFER_CLEARED);
}
else
{
if ((DNP3_TRANSPORT_SEQ(trans_header->control) == rdata->last_seq) &&
(DNP3_TRANSPORT_FIN(trans_header->control)))
{
- SnortEventqAdd(GID_DNP3, DNP3_DROPPED_SEGMENT);
+ DetectionEngine::queue_event(GID_DNP3, DNP3_DROPPED_SEGMENT);
rdata->state = DNP3_REASSEMBLY_STATE__DONE;
return false;
}
if (DNP3_TRANSPORT_SEQ(trans_header->control) !=
((rdata->last_seq + 1) % 0x40 ))
{
- SnortEventqAdd(GID_DNP3, DNP3_DROPPED_SEGMENT);
+ DetectionEngine::queue_event(GID_DNP3, DNP3_DROPPED_SEGMENT);
return false;
}
{
if ( !(dnp3_func_is_defined( (uint16_t)session->func)) )
{
- SnortEventqAdd(GID_DNP3, DNP3_RESERVED_FUNCTION);
+ DetectionEngine::queue_event(GID_DNP3, DNP3_RESERVED_FUNCTION);
}
}
if ((config.check_crc) &&
(dnp3_check_crc((unsigned char*)pdu_start, sizeof(dnp3_link_header_t)+2) == false))
{
- SnortEventqAdd(GID_DNP3, DNP3_BAD_CRC);
+ DetectionEngine::queue_event(GID_DNP3, DNP3_BAD_CRC);
return false;
}
if ((config.check_crc) &&
(dnp3_check_crc((unsigned char*)cursor, (DNP3_CHUNK_SIZE+DNP3_CRC_SIZE)) == false))
{
- SnortEventqAdd(GID_DNP3, DNP3_BAD_CRC);
+ DetectionEngine::queue_event(GID_DNP3, DNP3_BAD_CRC);
return false;
}
{
if ((config.check_crc) && (dnp3_check_crc((unsigned char*)cursor, bytes_left) == false))
{
- SnortEventqAdd(GID_DNP3, DNP3_BAD_CRC);
+ DetectionEngine::queue_event(GID_DNP3, DNP3_BAD_CRC);
return false;
}
if (bad_addr)
{
- SnortEventqAdd(GID_DNP3, DNP3_RESERVED_ADDRESS);
+ DetectionEngine::queue_event(GID_DNP3, DNP3_RESERVED_ADDRESS);
return false;
}
if (link->len < DNP3_MIN_TRANSPORT_LEN)
{
- SnortEventqAdd(GID_DNP3, DNP3_DROPPED_FRAME);
+ DetectionEngine::queue_event(GID_DNP3, DNP3_DROPPED_FRAME);
return false;
}
#include "dns.h"
-#include "events/event_queue.h"
+#include "detection/detection_engine.h"
#include "log/messages.h"
#include "profiler/profiler.h"
#include "protocols/packet.h"
if (overflow_check > 0xFFFF)
{
/* Alert on obsolete DNS RR types */
- SnortEventqAdd(GID_DNS, DNS_EVENT_RDATA_OVERFLOW);
+ DetectionEngine::queue_event(GID_DNS, DNS_EVENT_RDATA_OVERFLOW);
dnsSessionData->curr_txt.alerted = 1;
}
case DNS_RR_TYPE_MD:
case DNS_RR_TYPE_MF:
/* Alert on obsolete DNS RR types */
- SnortEventqAdd(GID_DNS, DNS_EVENT_OBSOLETE_TYPES);
+ DetectionEngine::queue_event(GID_DNS, DNS_EVENT_OBSOLETE_TYPES);
bytes_unused = SkipDNSRData(data, bytes_unused, dnsSessionData);
break;
case DNS_RR_TYPE_NULL:
case DNS_RR_TYPE_MINFO:
/* Alert on experimental DNS RR types */
- SnortEventqAdd(GID_DNS, DNS_EVENT_EXPERIMENTAL_TYPES);
+ DetectionEngine::queue_event(GID_DNS, DNS_EVENT_EXPERIMENTAL_TYPES);
bytes_unused = SkipDNSRData(data, bytes_unused, dnsSessionData);
break;
case DNS_RR_TYPE_A:
#include "pp_ftp.h"
+#include "detection/detection_engine.h"
#include "detection/detection_util.h"
#include "file_api/file_service.h"
#include "protocols/packet.h"
if (numPercents >= MAX_PERCENT_SIGNS)
{
/* Alert on string format attack in parameter */
- SnortEventqAdd(GID_FTP, FTP_PARAMETER_STR_FORMAT);
+ DetectionEngine::queue_event(GID_FTP, FTP_PARAMETER_STR_FORMAT);
return FTPP_ALERTED;
}
}
/* Alert on invalid IP address for PORT */
if (alert)
{
- SnortEventqAdd(GID_FTP, FTP_BOUNCE);
+ DetectionEngine::queue_event(GID_FTP, FTP_BOUNCE);
/* Return here -- because we will likely want to
* inspect the data traffic over a bounced data
* connection */
if (iRet != FTPP_SUCCESS && iRet != FTPP_NORMALIZED)
{
if (iRet == FTPP_ALERT)
- SnortEventqAdd(GID_FTP, FTP_EVASIVE_TELNET_CMD);
+ DetectionEngine::queue_event(GID_FTP, FTP_EVASIVE_TELNET_CMD);
return iRet;
}
if ( (iMode == FTPP_SI_CLIENT_MODE) ||
(iMode == FTPP_SI_SERVER_MODE) )
{
- SnortEventqAdd(GID_FTP, FTP_TELNET_CMD);
+ DetectionEngine::queue_event(GID_FTP, FTP_TELNET_CMD);
return FTPP_ALERT; /* Nothing else to do since we alerted */
}
{
/* Could check that response msg includes "TLS" */
session->encr_state = AUTH_TLS_ENCRYPTED;
- SnortEventqAdd(GID_FTP, FTP_ENCRYPTED);
- DebugMessage(DEBUG_FTPTELNET,
- "FTP stream is now TLS encrypted\n");
+ DetectionEngine::queue_event(GID_FTP, FTP_ENCRYPTED);
+ DebugMessage(DEBUG_FTPTELNET, "FTP stream is now TLS encrypted\n");
}
break;
case AUTH_SSL_CMD_ISSUED:
{
/* Could check that response msg includes "SSL" */
session->encr_state = AUTH_SSL_ENCRYPTED;
- SnortEventqAdd(GID_FTP, FTP_ENCRYPTED);
- DebugMessage(DEBUG_FTPTELNET,
- "FTP stream is now SSL encrypted\n");
+ DetectionEngine::queue_event(GID_FTP, FTP_ENCRYPTED);
+ DebugMessage(DEBUG_FTPTELNET, "FTP stream is now SSL encrypted\n");
}
break;
case AUTH_UNKNOWN_CMD_ISSUED:
if (rsp_code == 234)
{
session->encr_state = AUTH_UNKNOWN_ENCRYPTED;
- SnortEventqAdd(GID_FTP, FTP_ENCRYPTED);
- DebugMessage(DEBUG_FTPTELNET,
- "FTP stream is now encrypted\n");
+ DetectionEngine::queue_event(GID_FTP, FTP_ENCRYPTED);
+ DebugMessage(DEBUG_FTPTELNET, "FTP stream is now encrypted\n");
}
break;
}
if (ftpssn->encr_state == 0)
{
ftpssn->encr_state = AUTH_UNKNOWN_ENCRYPTED;
- SnortEventqAdd(GID_FTP, FTP_ENCRYPTED);
+ DetectionEngine::queue_event(GID_FTP, FTP_ENCRYPTED);
if (!ftpssn->server_conf->check_encrypted_data)
{
if ( req->cmd_size > ftpssn->server_conf->max_cmd_len )
{
/* Alert, cmd not found */
- SnortEventqAdd(GID_FTP, FTP_INVALID_CMD);
+ DetectionEngine::queue_event(GID_FTP, FTP_INVALID_CMD);
state = FTP_CMD_INV;
}
else
if ((iRet == FTPP_NOT_FOUND) || (CmdConf == nullptr))
{
/* Alert, cmd not found */
- SnortEventqAdd(GID_FTP, FTP_INVALID_CMD);
+ DetectionEngine::queue_event(GID_FTP, FTP_INVALID_CMD);
state = FTP_CMD_INV;
}
else
if (ftpssn->encr_state == 0)
{
ftpssn->encr_state = AUTH_UNKNOWN_ENCRYPTED;
- SnortEventqAdd(GID_FTP, FTP_ENCRYPTED);
+ DetectionEngine::queue_event(GID_FTP, FTP_ENCRYPTED);
if (!ftpssn->server_conf->check_encrypted_data)
{
(req->param_size > ftpssn->client_conf->max_resp_len))
{
/* Alert on response message overflow */
- SnortEventqAdd(GID_FTP, FTP_RESPONSE_LENGTH_OVERFLOW);
+ DetectionEngine::queue_event(GID_FTP, FTP_RESPONSE_LENGTH_OVERFLOW);
iRet = FTPP_ALERT;
}
(req->param_size > ftpssn->client_conf->max_resp_len))
{
/* Alert on response message overflow */
- SnortEventqAdd(GID_FTP, FTP_RESPONSE_LENGTH_OVERFLOW);
+ DetectionEngine::queue_event(GID_FTP, FTP_RESPONSE_LENGTH_OVERFLOW);
iRet = FTPP_ALERT;
}
break;
(req->param_size > ftpssn->client_conf->max_resp_len))
{
/* Alert on response message overflow */
- SnortEventqAdd(GID_FTP, FTP_RESPONSE_LENGTH_OVERFLOW);
+ DetectionEngine::queue_event(GID_FTP, FTP_RESPONSE_LENGTH_OVERFLOW);
iRet = FTPP_ALERT;
}
break;
if ( req->param_size > max )
{
/* Alert on param length overrun */
- SnortEventqAdd(GID_FTP, FTP_PARAMETER_LENGTH_OVERFLOW);
+ DetectionEngine::queue_event(GID_FTP, FTP_PARAMETER_LENGTH_OVERFLOW);
DebugFormat(DEBUG_FTPTELNET, "FTP command: %.*s"
"parameter length overrun %u > %u \n",
req->cmd_size, req->cmd_begin, req->param_size, max);
if (iRet < 0)
{
/* Set Alert on malformatted parameter */
- SnortEventqAdd(GID_FTP, FTP_MALFORMED_PARAMETER);
+ DetectionEngine::queue_event(GID_FTP, FTP_MALFORMED_PARAMETER);
iRet = FTPP_ALERT;
break;
}
#include "pp_telnet.h"
+#include "detection/detection_engine.h"
#include "detection/detection_util.h"
#include "protocols/packet.h"
#include "stream/stream.h"
if (tnssn)
{
tnssn->encr_state = 1;
- SnortEventqAdd(GID_TELNET, TELNET_ENCRYPTED);
+ DetectionEngine::queue_event(GID_TELNET, TELNET_ENCRYPTED);
if (!tnssn->telnet_conf->check_encrypted_data)
{
tnssn->telnet_conf->ayt_threshold))
{
/* Alert on consecutive AYT commands */
- SnortEventqAdd(GID_TELNET, TELNET_AYT_OVERFLOW);
+ DetectionEngine::queue_event(GID_TELNET, TELNET_AYT_OVERFLOW);
tnssn->consec_ayt = 0;
return FTPP_ALERT;
}
if (tnssn)
{
tnssn->encr_state = 1;
- SnortEventqAdd(GID_TELNET, TELNET_ENCRYPTED);
+ DetectionEngine::queue_event(GID_TELNET, TELNET_ENCRYPTED);
if (!tnssn->telnet_conf->check_encrypted_data)
{
else
{
/* Alert on SB without SE */
- SnortEventqAdd(GID_TELNET, TELNET_SB_NO_SE);
+ DetectionEngine::queue_event(GID_TELNET, TELNET_SB_NO_SE);
ret = FTPP_ALERT;
}
#include <arpa/inet.h>
+#include "detection/detection_engine.h"
#include "events/event_queue.h"
#include "log/messages.h"
static inline void alert(int sid)
{
- SnortEventqAdd(GID_GTP, sid);
+ DetectionEngine::queue_event(GID_GTP, sid);
gtp_stats.events++;
}
#include <bitset>
#include <cassert>
+#include "detection/detection_engine.h"
#include "events/event_queue.h"
#include "utils/util.h"
assert(((int)sid > 0) && ((int)sid <= MAX));
if (!events_generated[sid-1])
{
- SnortEventqAdd(HttpEnums::HTTP_GID, (uint32_t)sid);
+ DetectionEngine::queue_event(HttpEnums::HTTP_GID, (uint32_t)sid);
events_generated[sid-1] = true;
}
}
#include "config.h"
#endif
+#include "detection/detection_engine.h"
#include "log/messages.h"
-#include "events/event_queue.h"
#include "service_inspectors/http_inspect/http_module.h"
#include "service_inspectors/http_inspect/http_test_manager.h"
void show_stats(SimpleStats*, const char*) { }
void Value::get_bits(std::bitset<256ul>&) const {}
-int SnortEventqAdd(unsigned int, unsigned int, RuleType) { return 0; }
+int DetectionEngine::queue_event(unsigned int, unsigned int, RuleType) { return 0; }
int32_t str_to_code(const uint8_t*, const int32_t, const StrCode []) { return 0; }
int32_t substr_to_code(const uint8_t*, const int32_t, const StrCode []) { return 0; }
unsigned FlowData::flow_id = 0;
FlowData::FlowData(unsigned, Inspector*) {}
FlowData::~FlowData() {}
-int SnortEventqAdd(unsigned int, unsigned int, RuleType) { return 0; }
+int DetectionEngine::queue_event(unsigned int, unsigned int, RuleType) { return 0; }
THREAD_LOCAL PegCount HttpModule::peg_counts[1];
class HttpUnitTestSetup
void show_stats(SimpleStats*, const char*) { }
void Value::get_bits(std::bitset<256ul>&) const {}
-int SnortEventqAdd(unsigned int, unsigned int, RuleType) { return 0; }
+int DetectionEngine::queue_event(unsigned int, unsigned int, RuleType) { return 0; }
HttpJsNorm::HttpJsNorm(int, const HttpParaList::UriParam& uri_param_) :
max_javascript_whitespaces(0), uri_param(uri_param_), javascript_search_mpse(nullptr),
#include "imap.h"
-#include "events/event_queue.h"
+#include "detection/detection_engine.h"
#include "log/messages.h"
#include "main/snort_debug.h"
#include "profiler/profiler.h"
}
else
{
- SnortEventqAdd(GID_IMAP, IMAP_UNKNOWN_CMD);
+ DetectionEngine::queue_event(GID_IMAP, IMAP_UNKNOWN_CMD);
DebugMessage(DEBUG_IMAP, "No known command found\n");
return eol;
}
}
if ( (*ptr != '*') && (*ptr !='+') && (*ptr != '\r') && (*ptr != '\n') )
{
- SnortEventqAdd(GID_IMAP, IMAP_UNKNOWN_RESP);
+ DetectionEngine::queue_event(GID_IMAP, IMAP_UNKNOWN_RESP);
DebugMessage(DEBUG_IMAP, "Server response not found\n");
}
}
switch ( decode_state->get_decode_type() )
{
case DECODE_B64:
- SnortEventqAdd(GID_IMAP, IMAP_B64_DECODING_FAILED);
+ DetectionEngine::queue_event(GID_IMAP, IMAP_B64_DECODING_FAILED);
break;
case DECODE_QP:
- SnortEventqAdd(GID_IMAP, IMAP_QP_DECODING_FAILED);
+ DetectionEngine::queue_event(GID_IMAP, IMAP_QP_DECODING_FAILED);
break;
case DECODE_UU:
- SnortEventqAdd(GID_IMAP, IMAP_UU_DECODING_FAILED);
+ DetectionEngine::queue_event(GID_IMAP, IMAP_UU_DECODING_FAILED);
break;
default:
#include "modbus.h"
#include "events/event_queue.h"
+#include "detection/detection_engine.h"
#include "profiler/profiler.h"
#include "protocols/packet.h"
// If a packet is rebuilt, but not a full PDU, then it's garbage that
// got flushed at the end of a stream.
if ( p->packet_flags & (PKT_REBUILT_STREAM|PKT_PDU_HEAD) )
- SnortEventqAdd(GID_MODBUS, MODBUS_BAD_LENGTH);
+ DetectionEngine::queue_event(GID_MODBUS, MODBUS_BAD_LENGTH);
return;
}
#include "modbus_decode.h"
+#include "detection/detection_engine.h"
#include "events/event_queue.h"
#include "protocols/packet.h"
}
if (!check_passed)
- SnortEventqAdd(GID_MODBUS, MODBUS_BAD_LENGTH);
+ DetectionEngine::queue_event(GID_MODBUS, MODBUS_BAD_LENGTH);
}
static void ModbusCheckResponseLengths(modbus_session_data_t* session, Packet* p)
}
if (!check_passed)
- SnortEventqAdd(GID_MODBUS, MODBUS_BAD_LENGTH);
+ DetectionEngine::queue_event(GID_MODBUS, MODBUS_BAD_LENGTH);
}
static void ModbusCheckReservedFuncs(modbus_header_t* header, Packet* p)
sub_func = ntohs(sub_func);
if ((sub_func == 19) || (sub_func >= 21))
- SnortEventqAdd(GID_MODBUS, MODBUS_RESERVED_FUNCTION);
+ DetectionEngine::queue_event(GID_MODBUS, MODBUS_RESERVED_FUNCTION);
}
break;
case 0x7D:
case 0x7E:
case 0x7F:
- SnortEventqAdd(GID_MODBUS, MODBUS_RESERVED_FUNCTION);
+ DetectionEngine::queue_event(GID_MODBUS, MODBUS_RESERVED_FUNCTION);
break;
}
}
multiplexing with some other protocols over serial line. */
if (header->protocol_id != MODBUS_PROTOCOL_ID)
{
- SnortEventqAdd(GID_MODBUS, MODBUS_BAD_PROTO_ID);
+ DetectionEngine::queue_event(GID_MODBUS, MODBUS_BAD_PROTO_ID);
return false;
}
#include "modbus_paf.h"
+#include "detection/detection_engine.h"
#include "events/event_queue.h"
#include "modbus.h"
if ((modbus_length < MODBUS_MIN_HDR_LEN) ||
(modbus_length > MODBUS_MAX_HDR_LEN))
{
- SnortEventqAdd(GID_MODBUS, MODBUS_BAD_LENGTH);
+ DetectionEngine::queue_event(GID_MODBUS, MODBUS_BAD_LENGTH);
}
*fp = modbus_length + bytes_processed;
#include "pop.h"
-#include "events/event_queue.h"
+#include "detection/detection_engine.h"
#include "log/messages.h"
#include "main/snort_debug.h"
#include "profiler/profiler.h"
}
else
{
- SnortEventqAdd(GID_POP, POP_UNKNOWN_CMD);
+ DetectionEngine::queue_event(GID_POP, POP_UNKNOWN_CMD);
DebugMessage(DEBUG_POP, "No known command found\n");
return eol;
}
}
else if (*ptr == '+')
{
- SnortEventqAdd(GID_POP, POP_UNKNOWN_RESP);
+ DetectionEngine::queue_event(GID_POP, POP_UNKNOWN_RESP);
DebugMessage(DEBUG_POP, "Server response not found\n");
}
}
switch ( decode_state->get_decode_type() )
{
case DECODE_B64:
- SnortEventqAdd(GID_POP, POP_B64_DECODING_FAILED);
+ DetectionEngine::queue_event(GID_POP, POP_B64_DECODING_FAILED);
break;
case DECODE_QP:
- SnortEventqAdd(GID_POP, POP_QP_DECODING_FAILED);
+ DetectionEngine::queue_event(GID_POP, POP_QP_DECODING_FAILED);
break;
case DECODE_UU:
- SnortEventqAdd(GID_POP, POP_UU_DECODING_FAILED);
+ DetectionEngine::queue_event(GID_POP, POP_UU_DECODING_FAILED);
break;
default:
#endif
#include "detection/detection_util.h"
+#include "detection/detection_engine.h"
#include "framework/data_bus.h"
#include "log/messages.h"
#include "profiler/profiler.h"
switch (event)
{
case RPC_FRAG_TRAFFIC:
- SnortEventqAdd(GID_RPC_DECODE, RPC_FRAG_TRAFFIC);
+ DetectionEngine::queue_event(GID_RPC_DECODE, RPC_FRAG_TRAFFIC);
break;
case RPC_MULTIPLE_RECORD:
- SnortEventqAdd(GID_RPC_DECODE, RPC_MULTIPLE_RECORD);
+ DetectionEngine::queue_event(GID_RPC_DECODE, RPC_MULTIPLE_RECORD);
break;
case RPC_LARGE_FRAGSIZE:
- SnortEventqAdd(GID_RPC_DECODE, RPC_LARGE_FRAGSIZE);
+ DetectionEngine::queue_event(GID_RPC_DECODE, RPC_LARGE_FRAGSIZE);
break;
case RPC_INCOMPLETE_SEGMENT:
- SnortEventqAdd(GID_RPC_DECODE, RPC_INCOMPLETE_SEGMENT);
+ DetectionEngine::queue_event(GID_RPC_DECODE, RPC_INCOMPLETE_SEGMENT);
break;
case RPC_ZERO_LENGTH_FRAGMENT:
- SnortEventqAdd(GID_RPC_DECODE, RPC_ZERO_LENGTH_FRAGMENT);
+ DetectionEngine::queue_event(GID_RPC_DECODE, RPC_ZERO_LENGTH_FRAGMENT);
break;
default:
#include "sip.h"
+#include "detection/detection_engine.h"
#include "events/event_queue.h"
#include "log/messages.h"
#include "managers/inspector_manager.h"
THREAD_LOCAL ProfileStats sipPerfStats;
-/*
- * Function prototype(s)
- */
static void snort_sip(SIP_PROTO_CONF* GlobalConf, Packet* p);
static void FreeSipData(void*);
if (numSessions > config->maxNumSessions)
{
if (!MaxSessionsAlerted)
- SnortEventqAdd(GID_SIP, SIP_EVENT_MAX_SESSIONS);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_MAX_SESSIONS);
MaxSessionsAlerted = 1;
return NULL;
}
#include "sip_dialog.h"
+#include "detection/detection_engine.h"
#include "events/event_queue.h"
#include "framework/data_bus.h"
#include "main/snort_debug.h"
DebugFormat(DEBUG_SIP, "Dialog state code: %hu\n",
dialog->status_code);
- SnortEventqAdd(GID_SIP, SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK);
return false;
}
if (SIP_DLG_ESTABLISHED == dialog->state)
{
ret = SIP_checkMediaChange(sipMsg, dialog);
if (false == ret)
- SnortEventqAdd(GID_SIP, SIP_EVENT_AUTH_INVITE_DIFF_SESSION);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_AUTH_INVITE_DIFF_SESSION);
SIP_updateMedias(sipMsg->mediaSession, &dialog->mediaSessions);
}
else if (SIP_DLG_TERMINATED == dialog->state)
/*If the number of dialogs exceeded, release the oldest one*/
if ((dList->num_dialogs >= config->maxNumDialogsInSession) && (!dialog))
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_MAX_DIALOGS_IN_A_SESSION);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_MAX_DIALOGS_IN_A_SESSION);
SIP_deleteDialog(oldDialog, dList);
}
#include "sip_parser.h"
+#include "detection/detection_engine.h"
#include "events/event_queue.h"
#include "main/snort_debug.h"
#include "utils/util.h"
/*Check SIP version number, end with SP*/
if (!(sip_is_valid_version(buff + SIP_KEYWORD_LEN) && (*(buff + SIP_VERSION_LEN) == ' ')))
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_INVALID_VERSION);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_INVALID_VERSION);
}
space = (char*)strchr(buff, ' ');
statusCode = SnortStrtoul(space + 1, NULL, 10);
if (( statusCode > MAX_STAT_CODE) || (statusCode < MIN_STAT_CODE ))
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_STATUS_CODE);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_STATUS_CODE);
msg->status_code = MAX_STAT_CODE + 1;
}
else
DebugFormat(DEBUG_SIP, "uri: %.*s, length: %hu\n", msg->uriLen, msg->uri,
msg->uriLen);
if (0 == msg->uriLen)
- SnortEventqAdd(GID_SIP, SIP_EVENT_EMPTY_REQUEST_URI);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_EMPTY_REQUEST_URI);
else if (config->maxUriLen && (msg->uriLen > config->maxUriLen))
- SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_URI);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_URI);
version = space + 1;
if (version + SIP_VERSION_LEN > end)
/*Check SIP version number, end with CRLF*/
if (!sip_is_valid_version(*lineEnd - SIP_VERSION_NUM_LEN - numOfLineBreaks))
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_INVALID_VERSION);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_INVALID_VERSION);
}
if (NULL == method)
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_UNKOWN_METHOD);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_UNKOWN_METHOD);
return false;
}
}
int ret = true;
if (0 == msg->fromLen)
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_EMPTY_FROM);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_EMPTY_FROM);
ret = false;
}
else if (config->maxFromLen && (msg->fromLen > config->maxFromLen))
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_FROM);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_FROM);
ret = false;
}
if (0 == msg->toLen)
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_EMPTY_TO);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_EMPTY_TO);
ret = false;
}
else if (config->maxToLen && (msg->toLen > config->maxToLen))
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_TO);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_TO);
ret = false;
}
if (0 == msg->callIdLen)
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_EMPTY_CALL_ID);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_EMPTY_CALL_ID);
ret = false;
}
else if ( config->maxCallIdLen && (msg->callIdLen > config->maxCallIdLen))
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_CALL_ID);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_CALL_ID);
ret = false;
}
if (msg->cseqnum > MAX_NUM_32BIT)
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_CSEQ_NUM);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_CSEQ_NUM);
ret = false;
}
if ( config->maxRequestNameLen && (msg->cseqNameLen > config->maxRequestNameLen))
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_CSEQ_NAME);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_CSEQ_NAME);
ret = false;
}
/*Alert here after parsing*/
if (0 == msg->viaLen)
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_EMPTY_VIA);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_EMPTY_VIA);
ret = false;
}
else if (config->maxViaLen && (msg->viaLen > config->maxViaLen))
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_VIA);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_VIA);
ret = false;
}
// Contact is required for invite message
if ((0 == msg->contactLen)&&(msg->methodFlag == SIP_METHOD_INVITE)&&(0 == msg->status_code))
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_EMPTY_CONTACT);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_EMPTY_CONTACT);
ret = false;
}
else if (config->maxContactLen && (msg->contactLen > config->maxContactLen))
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_CONTACT);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_CONTACT);
ret = false;
}
if ((0 == msg->contentTypeLen) && (msg->content_len > 0))
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_EMPTY_CONTENT_TYPE);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_EMPTY_CONTENT_TYPE);
ret = false;
}
if (NULL == method)
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_INVALID_CSEQ_NAME);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_INVALID_CSEQ_NAME);
return SIP_PARSE_ERROR;
}
else
msg->methodFlag = method->methodFlag;
else if ( method->methodFlag != msg->methodFlag)
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_MISMATCH_METHOD);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_MISMATCH_METHOD);
}
DebugFormat(DEBUG_SIP, "Found the method: %s, Flag: 0x%x\n",
method->methodName, method->methodFlag);
msg->content_len = SnortStrtoul(start, &next, 10);
if ( config->maxContentLen && (msg->content_len > config->maxContentLen))
- SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_CONTENT_LEN);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_CONTENT_LEN);
/*Check the length of the value*/
if (next > start + SIP_CONTENT_LEN) // This check is to prevent overflow
{
if (config->maxContentLen)
- SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_CONTENT_LEN);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_CONTENT_LEN);
return SIP_PARSE_ERROR;
}
DebugFormat(DEBUG_SIP, "Content length: %u\n", msg->content_len);
msg->bodyLen = end - start;
/*Disable this check for TCP. Revisit this again when PAF enabled for SIP*/
if ((!msg->isTcp)&&(msg->content_len > msg->bodyLen))
- SnortEventqAdd(GID_SIP, SIP_EVENT_MISMATCH_CONTENT_LEN);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_MISMATCH_CONTENT_LEN);
if (msg->content_len < msg->bodyLen)
status = sip_body_parse(msg, start, start + msg->content_len, &nextIndex);
if (true == sip_startline_parse(msg, start + msg->content_len, end, &nextIndex,
config))
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_MULTI_MSGS);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_MULTI_MSGS);
}
else
{
- SnortEventqAdd(GID_SIP, SIP_EVENT_MISMATCH_CONTENT_LEN);
+ DetectionEngine::queue_event(GID_SIP, SIP_EVENT_MISMATCH_CONTENT_LEN);
}
}
return status;
#include "smtp.h"
+#include "detection/detection_engine.h"
#include "detection/detection_util.h"
#include "log/messages.h"
#include "log/unified2.h"
if (smtp_ssn->state != STATE_AUTH)
{
- SnortEventqAdd(GID_SMTP,SMTP_UNKNOWN_CMD);
+ DetectionEngine::queue_event(GID_SMTP,SMTP_UNKNOWN_CMD);
if (alert_long_command_line)
- SnortEventqAdd(GID_SMTP, SMTP_COMMAND_OVERFLOW);
+ DetectionEngine::queue_event(GID_SMTP, SMTP_COMMAND_OVERFLOW);
}
/* if normalizing, copy line to alt buffer */
{
if (cmd_line_len > config->cmd_config[smtp_search_info.id].max_line_len)
{
- SnortEventqAdd(GID_SMTP, SMTP_SPECIFIC_CMD_OVERFLOW);
+ DetectionEngine::queue_event(GID_SMTP, SMTP_SPECIFIC_CMD_OVERFLOW);
}
}
else if (alert_long_command_line)
{
- SnortEventqAdd(GID_SMTP, SMTP_COMMAND_OVERFLOW);
+ DetectionEngine::queue_event(GID_SMTP, SMTP_COMMAND_OVERFLOW);
}
if (config->cmd_config[smtp_search_info.id].alert)
{
/* Are we alerting on this command? */
- SnortEventqAdd(GID_SMTP, SMTP_ILLEGAL_CMD);
+ DetectionEngine::queue_event(GID_SMTP, SMTP_ILLEGAL_CMD);
}
switch (smtp_search_info.id)
eolm)
&& (smtp_ssn->state_flags & SMTP_FLAG_ABORT))
{
- SnortEventqAdd(GID_SMTP, SMTP_AUTH_ABORT_AUTH);
+ DetectionEngine::queue_event(GID_SMTP, SMTP_AUTH_ABORT_AUTH);
}
smtp_ssn->state_flags &= ~(SMTP_FLAG_ABORT);
break;
if ((config->max_response_line_len != 0) &&
(resp_line_len > config->max_response_line_len))
{
- SnortEventqAdd(GID_SMTP, SMTP_RESPONSE_OVERFLOW);
+ DetectionEngine::queue_event(GID_SMTP, SMTP_RESPONSE_OVERFLOW);
}
ptr = eol;
header_line_len = eol - ptr;
if (max_header_len)
- SnortEventqAdd(GID_SMTP, SMTP_HEADER_NAME_OVERFLOW);
+ DetectionEngine::queue_event(GID_SMTP, SMTP_HEADER_NAME_OVERFLOW);
if ((config->max_header_line_len != 0) &&
(header_line_len > config->max_header_line_len))
{
- SnortEventqAdd(GID_SMTP, SMTP_DATA_HDR_OVERFLOW);
+ DetectionEngine::queue_event(GID_SMTP, SMTP_DATA_HDR_OVERFLOW);
}
switch ( decode_state->get_decode_type() )
{
case DECODE_B64:
- SnortEventqAdd(GID_SMTP, SMTP_B64_DECODING_FAILED);
+ DetectionEngine::queue_event(GID_SMTP, SMTP_B64_DECODING_FAILED);
break;
case DECODE_QP:
- SnortEventqAdd(GID_SMTP, SMTP_QP_DECODING_FAILED);
+ DetectionEngine::queue_event(GID_SMTP, SMTP_QP_DECODING_FAILED);
break;
case DECODE_UU:
- SnortEventqAdd(GID_SMTP, SMTP_UU_DECODING_FAILED);
+ DetectionEngine::queue_event(GID_SMTP, SMTP_UU_DECODING_FAILED);
break;
default:
#include "smtp_paf.h"
+#include "detection/detection_engine.h"
#include "events/event_queue.h"
#include "main/snort_debug.h"
#include "protocols/packet.h"
(((int)i + pfdata->data_info.boundary_len) > max_auth_command_line_len) &&
!alert_generated)
{
- SnortEventqAdd(GID_SMTP, SMTP_AUTH_COMMAND_OVERFLOW);
+ DetectionEngine::queue_event(GID_SMTP, SMTP_AUTH_COMMAND_OVERFLOW);
alert_generated = true;
}
if (ch == '\n')
#include "smtp_xlink2state.h"
+#include "detection/detection_engine.h"
#include "events/event_queue.h"
#include "packet_io/active.h"
if (config->xlink2state == DROP_XLINK2STATE)
Active::reset_session(p);
- SnortEventqAdd(GID_SMTP, SMTP_XLINK2STATE_OVERFLOW);
+ DetectionEngine::queue_event(GID_SMTP, SMTP_XLINK2STATE_OVERFLOW);
smtp_ssn->session_flags |= SMTP_FLAG_XLINK2STATE_ALERTED;
return 1;
#include "ssh.h"
+#include "detection/detection_engine.h"
#include "events/event_queue.h"
#include "log/messages.h"
#include "profiler/profiler.h"
{
// Probable exploit in progress.
if (sessp->version == SSH_VERSION_1)
- SnortEventqAdd(GID_SSH, SSH_EVENT_CRC32);
+ DetectionEngine::queue_event(GID_SSH, SSH_EVENT_CRC32);
else
- SnortEventqAdd(GID_SSH, SSH_EVENT_RESPOVERFLOW);
+ DetectionEngine::queue_event(GID_SSH, SSH_EVENT_RESPOVERFLOW);
Stream::stop_inspection(p->flow, p, SSN_DIR_BOTH, -1, 0);
}
* continue checking after that point*/
(SSHCheckStrlen(&version_stringp[6], config->MaxServerVersionLen-6)))
{
- SnortEventqAdd(GID_SSH, SSH_EVENT_SECURECRT);
+ DetectionEngine::queue_event(GID_SSH, SSH_EVENT_SECURECRT);
}
}
else if ( p->dsize >= 6 &&
if ( dsize < 4 )
{
{
- SnortEventqAdd(GID_SSH, SSH_EVENT_PAYLOAD_SIZE);
+ DetectionEngine::queue_event(GID_SSH, SSH_EVENT_PAYLOAD_SIZE);
}
return 0;
if ( dsize < length )
{
{
- SnortEventqAdd(GID_SSH, SSH_EVENT_PAYLOAD_SIZE);
+ DetectionEngine::queue_event(GID_SSH, SSH_EVENT_PAYLOAD_SIZE);
}
return 0;
{
if (offset == 0)
{
- SnortEventqAdd(GID_SSH, SSH_EVENT_PAYLOAD_SIZE);
+ DetectionEngine::queue_event(GID_SSH, SSH_EVENT_PAYLOAD_SIZE);
}
return 0;
else
{
/* Server msg not from server. */
- SnortEventqAdd(GID_SSH, SSH_EVENT_WRONGDIR);
+ DetectionEngine::queue_event(GID_SSH, SSH_EVENT_WRONGDIR);
}
break;
case SSH_MSG_V1_CMSG_SESSION_KEY:
else
{
/* Client msg not from client. */
- SnortEventqAdd(GID_SSH, SSH_EVENT_WRONGDIR);
+ DetectionEngine::queue_event(GID_SSH, SSH_EVENT_WRONGDIR);
}
break;
default:
{
{
/* Unrecognized version. */
- SnortEventqAdd(GID_SSH, SSH_EVENT_VERSION);
+ DetectionEngine::queue_event(GID_SSH, SSH_EVENT_VERSION);
}
return 0;
}
{
/* Invalid packet length. */
- SnortEventqAdd(GID_SSH, SSH_EVENT_PAYLOAD_SIZE);
+ DetectionEngine::queue_event(GID_SSH, SSH_EVENT_PAYLOAD_SIZE);
}
return 0;
else
{
/* Client msg from server. */
- SnortEventqAdd(GID_SSH, SSH_EVENT_WRONGDIR);
+ DetectionEngine::queue_event(GID_SSH, SSH_EVENT_WRONGDIR);
}
break;
case SSH_MSG_KEXDH_REPLY:
else
{
/* Server msg from client. */
- SnortEventqAdd(GID_SSH, SSH_EVENT_WRONGDIR);
+ DetectionEngine::queue_event(GID_SSH, SSH_EVENT_WRONGDIR);
}
break;
case SSH_MSG_KEXDH_GEX_REQ:
else
{
/* Server msg from client. */
- SnortEventqAdd(GID_SSH, SSH_EVENT_WRONGDIR);
+ DetectionEngine::queue_event(GID_SSH, SSH_EVENT_WRONGDIR);
}
break;
case SSH_MSG_KEXDH_GEX_GRP:
else
{
/* Client msg from server. */
- SnortEventqAdd(GID_SSH, SSH_EVENT_WRONGDIR);
+ DetectionEngine::queue_event(GID_SSH, SSH_EVENT_WRONGDIR);
}
break;
case SSH_MSG_KEXDH_GEX_INIT:
else
{
/* Server msg from client. */
- SnortEventqAdd(GID_SSH, SSH_EVENT_WRONGDIR);
+ DetectionEngine::queue_event(GID_SSH, SSH_EVENT_WRONGDIR);
}
break;
case SSH_MSG_NEWKEYS:
if (heartbleed_type & SSL_HEARTBLEED_REQUEST)
{
- SnortEventqAdd(GID_SSL, SSL_ALERT_HB_REQUEST);
+ DetectionEngine::queue_event(GID_SSL, SSL_ALERT_HB_REQUEST);
}
else if (heartbleed_type & SSL_HEARTBLEED_RESPONSE)
{
- SnortEventqAdd(GID_SSL, SSL_ALERT_HB_RESPONSE);
+ DetectionEngine::queue_event(GID_SSL, SSL_ALERT_HB_RESPONSE);
}
else if (heartbleed_type & SSL_HEARTBLEED_UNKNOWN)
{
if (!dir)
{
- SnortEventqAdd(GID_SSL, SSL_ALERT_HB_REQUEST);
+ DetectionEngine::queue_event(GID_SSL, SSL_ALERT_HB_REQUEST);
}
else
{
- SnortEventqAdd(GID_SSL, SSL_ALERT_HB_RESPONSE);
+ DetectionEngine::queue_event(GID_SSL, SSL_ALERT_HB_RESPONSE);
}
}
if (sd->ssn_flags & SSL_ENCRYPTED_FLAG )
if ( (SSL_IS_CHELLO(new_flags) && SSL_IS_CHELLO(sd->ssn_flags) && SSL_IS_SHELLO(sd->ssn_flags) )
|| (SSL_IS_CHELLO(new_flags) && SSL_IS_SHELLO(sd->ssn_flags) ))
{
- SnortEventqAdd(GID_SSL, SSL_INVALID_CLIENT_HELLO);
+ DetectionEngine::queue_event(GID_SSL, SSL_INVALID_CLIENT_HELLO);
}
else if (!(config->trustservers))
{
if ( (SSL_IS_SHELLO(new_flags) && !SSL_IS_CHELLO(sd->ssn_flags) ))
{
if (!(Stream::missed_packets(p->flow, SSN_DIR_FROM_CLIENT)))
- SnortEventqAdd(GID_SSL, SSL_INVALID_SERVER_HELLO);
+ DetectionEngine::queue_event(GID_SSL, SSL_INVALID_SERVER_HELLO);
}
}
*/
static inline void EventAnomIpOpts(FragEngine*)
{
- SnortEventqAdd(GID_DEFRAG, DEFRAG_IPOPTIONS);
+ DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_IPOPTIONS);
ip_stats.alerts++;
}
*/
static inline void EventAttackTeardrop(FragEngine*)
{
- SnortEventqAdd(GID_DEFRAG, DEFRAG_TEARDROP);
+ DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_TEARDROP);
ip_stats.alerts++;
}
*/
static inline void EventTinyFragments(FragEngine*)
{
- SnortEventqAdd(GID_DEFRAG, DEFRAG_TINY_FRAGMENT);
+ DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_TINY_FRAGMENT);
ip_stats.alerts++;
}
*/
static inline void EventExcessiveOverlap(FragEngine*)
{
- SnortEventqAdd(GID_DEFRAG, DEFRAG_EXCESSIVE_OVERLAP);
+ DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_EXCESSIVE_OVERLAP);
ip_stats.alerts++;
}
*/
static inline void EventAnomShortFrag(FragEngine*)
{
- SnortEventqAdd(GID_DEFRAG, DEFRAG_SHORT_FRAG);
+ DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_SHORT_FRAG);
ip_stats.alerts++;
ip_stats.anomalies++;
}
*/
static inline void EventAnomOversize(FragEngine*)
{
- SnortEventqAdd(GID_DEFRAG, DEFRAG_ANOMALY_OVERSIZE);
+ DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_ANOMALY_OVERSIZE);
ip_stats.alerts++;
ip_stats.anomalies++;
}
*/
static inline void EventAnomZeroFrag(FragEngine*)
{
- SnortEventqAdd(GID_DEFRAG, DEFRAG_ANOMALY_ZERO);
+ DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_ANOMALY_ZERO);
ip_stats.alerts++;
ip_stats.anomalies++;
}
*/
static inline void EventAnomBadsizeLg(FragEngine*)
{
- SnortEventqAdd(GID_DEFRAG, DEFRAG_ANOMALY_BADSIZE_LG);
+ DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_ANOMALY_BADSIZE_LG);
ip_stats.alerts++;
ip_stats.anomalies++;
}
*/
static inline void EventAnomBadsizeSm(FragEngine*)
{
- SnortEventqAdd(GID_DEFRAG, DEFRAG_ANOMALY_BADSIZE_SM);
+ DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_ANOMALY_BADSIZE_SM);
ip_stats.alerts++;
ip_stats.anomalies++;
}
*/
static inline void EventAnomOverlap(FragEngine*)
{
- SnortEventqAdd(GID_DEFRAG, DEFRAG_ANOMALY_OVLP);
+ DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_ANOMALY_OVLP);
ip_stats.alerts++;
ip_stats.anomalies++;
}
*/
static inline void EventAnomMinTtl(FragEngine*)
{
- SnortEventqAdd(GID_DEFRAG, DEFRAG_MIN_TTL_EVASION);
+ DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_MIN_TTL_EVASION);
ip_stats.alerts++;
}
#include "tcp_event_logger.h"
+#include "detection/detection_engine.h"
#include "detection/rules.h"
#include "filters/sfrf.h"
#include "main/snort_config.h"
if (is_internal_event_enabled(snort_conf->rate_filter_config, eventSid))
{
tcpStats.internalEvents++;
- SnortEventqAdd(GENERATOR_INTERNAL, eventSid);
+ DetectionEngine::queue_event(GENERATOR_INTERNAL, eventSid);
DebugFormat(DEBUG_STREAM, "Stream raised internal event %d\n", eventSid);
}
}
uint32_t idx = ffs(tcp_events);
if ( idx )
{
- SnortEventqAdd(GID_STREAM_TCP, tcp_event_sids[ idx ].sid);
+ DetectionEngine::queue_event(GID_STREAM_TCP, tcp_event_sids[ idx ].sid);
tcp_events ^= tcp_event_sids[ idx ].event_id;
tcpStats.events++;
}
#include "stats.h"
+#include "detection/detection_engine.h"
#include "file_api/file_stats.h"
#include "filters/sfthreshold.h"
#include "helpers/process.h"
PacketManager::dump_stats();
// ensure proper counting of log_limit
- SnortEventqResetCounts();
+ DetectionEngine::reset_counts();
LogLabel("Module Statistics");
const char* exclude = "daq snort";
projects / thirdparty / snort3.git / commitdiff
