Pull request #4263: Public enemy 1
authorRuss Combs (rucombs) <rucombs@cisco.com>
Wed, 8 May 2024 21:55:15 +0000 (21:55 +0000)
committerRuss Combs (rucombs) <rucombs@cisco.com>
Wed, 8 May 2024 21:55:15 +0000 (21:55 +0000)
Merge in SNORT/snort3 from ~RUCOMBS/snort3:public_enemy_1 to master

Squashed commit of the following:

commit 7f8f2135c33fd2de3495a8edcfd22b5f60de89fd
Author: Russ Combs <rucombs@cisco.com>
Date:   Wed May 8 14:22:49 2024 -0400

    build: fix coverity warnings

commit 2c700829076b77e7d2773d102a2a62d4d3b531b1
Author: Russ Combs <rucombs@cisco.com>
Date:   Wed May 8 13:42:06 2024 -0400

    build: fix bogus cppcheck warnings

commit eb7b28eea14ea6e8c5152945c6204cc37bad8196
Author: Russ Combs <rucombs@cisco.com>
Date:   Fri Apr 12 10:06:47 2024 -0400

    framework: bump api version to 20

commit c9a5baeeb2e3a7954b492179faac32b2696876ab
Author: Russ Combs <rucombs@cisco.com>
Date:   Mon Apr 8 13:37:48 2024 -0400

    snort: remove deprecated features:

    Config:

    string binder[].when.zones: deprecated alias for groups
    string binder[].when.src_zone: deprecated alias for src_groups
    string binder[].when.dst_zone: deprecated alias for dst_groups
    enum dce_smb.smb_file_inspection: deprecated (not used): file inspection controlled by smb_file_depth { 'off' | 'on' | 'only' }
    int sip.max_requestName_len = 20: deprecated - use max_request_name_len instead { 0:65535 }

    Builtins:

    129:5 (stream_tcp) bad segment, adjusted size <= 0 (deprecated)

commit 641cad2638d6eb1bd0a57982d1354b829ee08147
Author: Russ Combs <rucombs@cisco.com>
Date:   Thu Apr 4 10:11:54 2024 -0400

    pig_pen: use Module::usage directly

commit 0a6d7eccebac6e1d0d2b478094f31f296103371e
Author: Russ Combs <rucombs@cisco.com>
Date:   Tue Mar 19 10:21:58 2024 -0400

    mpse: add modules for pegs and perf profiling; remove _search

commit 818d4709d70430595e73ee6301f35a376f5e8d78
Author: Russ Combs <rucombs@cisco.com>
Date:   Thu Mar 14 11:20:49 2024 -0400

    framework: improve exported header comments

commit a53c0249b7047c26328a5bbd14e0bc706df88214
Author: Russ Combs <rucombs@cisco.com>
Date:   Mon Mar 11 08:39:57 2024 -0400

    plugins: add missing error messages when an so fails to load

commit 1c7fd7e717d06231565cff00a73e4a5937749638
Author: Russ Combs <rucombs@cisco.com>
Date:   Wed Mar 6 10:44:29 2024 -0500

    flow: move StreamFlowIntf to stream_flow.h

commit b4f969f4072a45b12acd3a36808746414af707c0
Author: Russ Combs <rucombs@cisco.com>
Date:   Wed Mar 6 09:03:10 2024 -0500

    framework: generate preprocessor output for validation

commit 14e9886e9018a11a8f98ec95d88c127aed2e6f6e
Author: Russ Combs <rucombs@cisco.com>
Date:   Mon Mar 4 09:56:53 2024 -0500

    doc: add versioning information to the developer guide

commit f1074aaa9c79b9e1a91616f9e0da533e872c8f2b
Author: Russ Combs <rucombs@cisco.com>
Date:   Wed Feb 28 08:46:20 2024 -0500

    host_cache: do not install private header

commit c8d50a4ba02f527efe6ca89e5ad07991c9bd18c9
Author: Russ Combs <rucombs@cisco.com>
Date:   Mon Feb 26 09:26:31 2024 -0500

    api: refactor base API

commit 1c9fe59accaf77c84ba6a627be66072d02f0d87f
Author: Russ Combs <rucombs@cisco.com>
Date:   Thu Feb 15 12:08:06 2024 -0500

    inspector: eval override is optional for passive inspectors

commit 48859035f007a5bcdc17b2e9be05da11742338d6
Author: Russ Combs <rucombs@cisco.com>
Date:   Tue Feb 13 16:22:08 2024 -0500

    plugins: add warning for invalid plugin types

commit ef2b94f2ba3a46efdd3455359bfeba51a4fcd87f
Author: Russ Combs <rucombs@cisco.com>
Date:   Wed Jan 24 04:26:46 2024 -0500

    plugins: bump base API and all plugin API version numbers

commit 4636922ef31cdf8544ee5a62bba313f9577bfd19
Author: Russ Combs <rucombs@cisco.com>
Date:   Thu Nov 30 09:47:40 2023 -0500

    detection: refactor headers

commit b70ee339aa490d7562bab85418a4e2ab89ec6129
Author: Russ Combs <rucombs@cisco.com>
Date:   Tue Dec 12 12:37:39 2023 -0500

    ips: tweak check for offload enable

commit 047ec75da346b7d1199ef9122147ad89921468da
Author: Russ Combs <rucombs@cisco.com>
Date:   Mon Nov 27 14:56:29 2023 -0500

    build: fix LTO ODR issues with anonymous namespaces

commit eb975151c97018a8ede37115df312aa4ac29d66d
Author: Russ Combs <rucombs@cisco.com>
Date:   Mon Nov 13 12:04:34 2023 -0500

    inspector: use thread local slot for best perf on Linux

commit 0565783cbf6e2ffd65aeb0934040ec57464ce60a
Author: Russ Combs <rucombs@cisco.com>
Date:   Wed Nov 8 14:29:34 2023 -0500

    extract: move extract methods to detection/

commit eaae3dc988df37c0312a218259ccdbb1d86a165d
Author: Russ Combs <rucombs@cisco.com>
Date:   Tue Nov 7 11:36:20 2023 -0500

    stats: change shutdown Mbits/sec from mebibits to megabits

commit ade482affc30c629dac43626d21d92b0488cd4dc
Author: Russ Combs <rucombs@cisco.com>
Date:   Mon Oct 9 11:12:14 2023 -0400

    appid: remove cruft left behind by f49fbbef

commit 1d36b3fe208ffdee2dd997746f9b6b3c251d3305
Author: Russ Combs <rucombs@cisco.com>
Date:   Wed Oct 4 10:00:28 2023 -0400

    tag: tweak enable toggle

commit eebe7edb5f6947b81fc89604c1bf0261a0e070d1
Author: Russ Combs <rucombs@cisco.com>
Date:   Tue Sep 26 14:09:23 2023 -0400

    packet_tracer: eliminate SO_PUBLIC THREAD_LOCALs

commit 9ffcfdbebae661f6fc2c8c655996a9f37634cc26
Author: Russ Combs <rucombs@cisco.com>
Date:   Tue Sep 5 11:43:26 2023 -0400

    profiler: eliminate SO_PUBLIC THREAD_LOCALs for _WIN64

    This degrades performance so it is done only for Windows where SO_PUBLIC
    THREAD_LOCALs are not supported.

commit eac23069203da078d6deab67e13bad052c8f6731
Author: Russ Combs <rucombs@cisco.com>
Date:   Tue Aug 8 09:31:33 2023 -0400

    style: remove trailing spaces

commit 2d6882a33443d50c5f66495a1b62bb75bf4b6bb6
Author: Russ Combs <rucombs@cisco.com>
Date:   Wed Sep 20 14:45:16 2023 -0400

    ssl: support dynamic build of inspector and ips options

commit e3dcb79941b03815867bd439885850270f754616
Author: Russ Combs <rucombs@cisco.com>
Date:   Tue Sep 19 16:16:24 2023 -0400

    ips_options: fix dynamic build of some options

commit 6991df8ab3e4c8d0d07b23436fa06695c244ca17
Author: Russ Combs <rucombs@cisco.com>
Date:   Fri Sep 15 12:50:57 2023 -0400

    profiler: move implementation class to profiler_impl.h

commit c67e74c070809c9eb9571c73637b40b71572ea62
Author: Russ Combs <rucombs@cisco.com>
Date:   Fri Sep 15 12:50:16 2023 -0400

    numa: do not install implementation (private) header

commit ec030aa7b77ad940ea1056078555dee9499e2098
Author: Russ Combs <rucombs@cisco.com>
Date:   Fri Sep 15 12:47:05 2023 -0400

    reputation: move private defines out of installed header

commit e3c5f4653fae5882d333dcbf12b796e3fc6f191c
Author: Russ Combs <rucombs@cisco.com>
Date:   Thu Sep 14 09:55:34 2023 -0400

    thread: move THREAD_LOCAL definition to snort_types.h

commit 2759519051f3972de590540f75c84b5ac1b5b3de
Author: Russ Combs <rucombs@cisco.com>
Date:   Wed Sep 13 10:01:15 2023 -0400

    utils: refactor out non-public code

commit c3145c20f7ea175d046a0f676fa42533f679a469
Author: Russ Combs <rucombs@cisco.com>
Date:   Tue Sep 12 14:29:14 2023 -0400

    stats: stats.h is for internal use only, do not install

commit 92dbe63fb04b96264cf67feab80bd100370f99a2
Author: Russ Combs <rucombs@cisco.com>
Date:   Tue Sep 12 11:47:08 2023 -0400

    flow: split ExpectFlow into a separate header

commit 1366ef1571ae0cb9729ec75c3c8b81144f53c4eb
Author: Russ Combs <rucombs@cisco.com>
Date:   Mon Sep 11 15:36:59 2023 -0400

    src/: relocate packet_tracer, packet_constraints, and file_policy.

commit 7e3263c4db9f1b8dabf3c11014d124eff0a43ae9
Author: Russ Combs <rucombs@cisco.com>
Date:   Mon Sep 11 12:44:57 2023 -0400

    rna: refactor headers for better encapsulation

commit 39a74682069842d8777720a42be6592d0361aa53
Author: Russ Combs <rucombs@cisco.com>
Date:   Fri Sep 8 13:47:01 2023 -0400

    file: do not install internal headers

commit 7c532a3410df1a631fa3494360f06b4d3db008bf
Author: Russ Combs <rucombs@cisco.com>
Date:   Fri Sep 8 10:50:01 2023 -0400

    log: refactor out app implementation stuff into log_errors.h

commit 274d08bb2b2e6a8701d213d089d670345eb5d15f
Author: Russ Combs <rucombs@cisco.com>
Date:   Thu Sep 7 15:07:56 2023 -0400

    active, host_tracker, profiler, stats, stream: refactor installed headers to exclude implementation like counts and perf stats

commit 52915f8e0fc136fe52ce42570458e523beba36e9
Author: Russ Combs <rucombs@cisco.com>
Date:   Wed Sep 6 14:44:07 2023 -0400

    detection: refactor detection_util.*

    Split detection_util.{h,cc} into detection_buf.h and event_trace.{h,cc}.

commit 76797daae3fcb788c7aa7e2c53a25456916c0522
Author: Russ Combs <rucombs@cisco.com>
Date:   Wed Sep 6 11:38:36 2023 -0400

    helpers/, utils/: reorganize to meet original intent

    helpers/: C++ utility classes
    utils/: C-style functions and defines

commit d648be932b8d4c10cc144c5a597c3c9aab157e96
Author: Russ Combs <rucombs@cisco.com>
Date:   Wed Aug 30 11:59:53 2023 -0400

    codecs: PacketManager::max_layers is not THREAD_LOCAL

commit 4826653a3bce0fc4043ab0cd4d2e933eae718b06
Author: Russ Combs <rucombs@cisco.com>
Date:   Wed Aug 30 11:30:31 2023 -0400

    inspectors: remove redundant slot variable

commit a08cc0edab6893917e3c6d1b2629d5a775ce4086
Author: Russ Combs <rucombs@cisco.com>
Date:   Tue Aug 29 15:39:50 2023 -0400

    build: eliminate SO_PUBLIC THREAD_LOCALs

commit 4dd23f34df05dfbd40f23016fbd57185079256ed
Author: Russ Combs <rucombs@cisco.com>
Date:   Mon Aug 28 13:57:31 2023 -0400

    event_filter, suppress:  keep antiquated dynamic array support private (use std::vector instead)

commit 8f65203a02be32128af0be21590b7d69b979889e
Author: Russ Combs <rucombs@cisco.com>
Date:   Mon Aug 28 12:15:21 2023 -0400

    stream: delete obsolete / unused methods

commit bd5770d0faa26e785180278879105ea05bdee44b
Author: Russ Combs <rucombs@cisco.com>
Date:   Fri Aug 25 15:07:15 2023 -0400

    tcp: move SEQ_* macros to tcp header

commit 511797508566d0d7c5da7c13afbedda531cdd49b
Author: Russ Combs <rucombs@cisco.com>
Date:   Fri Aug 25 13:22:13 2023 -0400

    style: miscellaneous cleanup

... and 18 more commits

627 files changed:
doc/devel/CMakeLists.txt
doc/devel/snort_devel.txt
doc/devel/versions.txt [new file with mode: 0644]
doc/user/concepts.txt
doc/user/perf_monitor.txt
src/actions/CMakeLists.txt
src/actions/act_alert.cc
src/actions/act_block.cc
src/actions/act_drop.cc
src/actions/act_file_id.cc
src/actions/act_log.cc
src/actions/act_pass.cc
src/actions/act_react.cc
src/actions/act_reject.cc
src/actions/act_replace.cc
src/actions/actions.cc [deleted file]
src/actions/actions_module.cc
src/actions/ips_actions.cc
src/codecs/ip/cd_tcp.cc
src/codecs/misc/cd_default.cc
src/codecs/misc/test/geneve_codec_test.cc
src/connectors/file_connector/test/file_connector_module_test.cc
src/connectors/file_connector/test/file_connector_test.cc
src/connectors/tcp_connector/tcp_connector.cc
src/connectors/tcp_connector/test/tcp_connector_module_test.cc
src/connectors/tcp_connector/test/tcp_connector_test.cc
src/control/control.h
src/control/control_mgmt.cc
src/decompress/file_decomp.cc
src/decompress/file_decomp_pdf.cc
src/decompress/file_olefile.h
src/decompress/test/file_olefile_test.cc
src/detection/CMakeLists.txt
src/detection/context_switcher.cc
src/detection/context_switcher.h
src/detection/detect.cc
src/detection/detect.h
src/detection/detect_trace.cc
src/detection/detect_trace.h
src/detection/detection_buf.h [moved from src/detection/detection_util.h with 72% similarity]
src/detection/detection_continuation.h
src/detection/detection_engine.cc
src/detection/detection_engine.h
src/detection/detection_module.cc
src/detection/detection_module.h
src/detection/detection_options.cc
src/detection/event_trace.cc [moved from src/detection/detection_util.cc with 92% similarity]
src/detection/event_trace.h [new file with mode: 0644]
src/detection/extract.cc [moved from src/ips_options/extract.cc with 100% similarity]
src/detection/extract.h [moved from src/ips_options/extract.h with 92% similarity]
src/detection/fp_create.cc
src/detection/fp_detect.cc
src/detection/fp_detect.h
src/detection/fp_utils.cc
src/detection/ips_context.h
src/detection/regex_offload.cc
src/detection/rules.h
src/detection/signature.cc
src/detection/tag.cc
src/detection/tag.h
src/detection/treenodes.h
src/events/CMakeLists.txt
src/events/event.cc
src/events/event.h
src/file_api/CMakeLists.txt
src/file_api/file_cache.cc
src/file_api/file_capture.cc
src/file_api/file_config.cc
src/file_api/file_flows.cc
src/file_api/file_flows.h
src/file_api/file_inspect.cc [new file with mode: 0644]
src/file_api/file_inspect.h [new file with mode: 0644]
src/file_api/file_lib.cc
src/file_api/file_lib.h
src/file_api/file_log.cc
src/file_api/file_module.h
src/file_api/file_policy.cc [moved from src/framework/file_policy.cc with 99% similarity]
src/file_api/file_policy.h [moved from src/framework/file_policy.h with 100% similarity]
src/file_api/file_stats.cc
src/file_api/file_stats.h
src/filters/detection_filter.cc
src/filters/sfrf.cc
src/filters/sfrf.h
src/filters/sfrf_test.cc
src/filters/sfthd.cc
src/flow/CMakeLists.txt
src/flow/expect_cache.cc
src/flow/expect_cache.h
src/flow/expect_flow.h [new file with mode: 0644]
src/flow/flow.h
src/flow/flow_cache.cc
src/flow/flow_cache.h
src/flow/flow_control.cc
src/flow/flow_data.h
src/flow/flow_key.h
src/flow/flow_stash.cc
src/flow/flow_stash.h
src/flow/ha.h
src/flow/ha_module.h
src/flow/stash_item.h
src/flow/stream_flow.h [new file with mode: 0644]
src/flow/test/flow_cache_test.cc
src/flow/test/flow_control_test.cc
src/flow/test/flow_stash_test.cc
src/flow/test/flow_stubs.h
src/framework/CMakeLists.txt
src/framework/act_info.h [moved from src/actions/actions.h with 61% similarity]
src/framework/base_api.h
src/framework/codec.cc
src/framework/codec.h
src/framework/connector.h
src/framework/counts.h
src/framework/cursor.cc
src/framework/cursor.h
src/framework/endianness.h
src/framework/inspector.cc
src/framework/inspector.h
src/framework/ips_action.cc [new file with mode: 0644]
src/framework/ips_action.h
src/framework/ips_info.h [new file with mode: 0644]
src/framework/ips_option.cc
src/framework/ips_option.h
src/framework/logger.h
src/framework/module.cc
src/framework/module.h
src/framework/mpse.cc
src/framework/mpse.h
src/framework/mpse_batch.cc
src/framework/mpse_batch.h
src/framework/pdu_section.h
src/framework/pig_pen.cc [new file with mode: 0644]
src/framework/pig_pen.h [new file with mode: 0644]
src/framework/plug_gen.sh [new file with mode: 0755]
src/framework/plugins.h [new file with mode: 0644]
src/framework/policy_selector.h
src/framework/range.cc
src/framework/so_rule.h
src/framework/test/CMakeLists.txt
src/framework/test/api_def.cc [new file with mode: 0644]
src/framework/test/data_bus_test.cc
src/framework/value.h
src/hash/CMakeLists.txt
src/hash/ghash.h
src/hash/hash_key_operations.cc
src/hash/test/ghash_test.cc
src/hash/test/xhash_test.cc
src/hash/xhash.h
src/helpers/CMakeLists.txt
src/helpers/ber.cc [moved from src/utils/util_ber.cc with 99% similarity]
src/helpers/ber.h [moved from src/utils/util_ber.h with 95% similarity]
src/helpers/boyer_moore.cc [moved from src/utils/boyer_moore.cc with 100% similarity]
src/helpers/boyer_moore.h [moved from src/utils/boyer_moore.h with 100% similarity]
src/helpers/buffer_data.h
src/helpers/dev_notes.txt
src/helpers/event_gen.h [moved from src/utils/event_gen.h with 100% similarity]
src/helpers/grouped_list.h [moved from src/utils/grouped_list.h with 100% similarity]
src/helpers/hyper_search.cc
src/helpers/infractions.h [moved from src/utils/infractions.h with 100% similarity]
src/helpers/memcap_allocator.h [moved from src/utils/memcap_allocator.h with 100% similarity]
src/helpers/primed_allocator.h [moved from src/utils/primed_allocator.h with 100% similarity]
src/helpers/streambuf.cc [moved from src/utils/streambuf.cc with 100% similarity]
src/helpers/streambuf.h [moved from src/utils/streambuf.h with 100% similarity]
src/helpers/test/CMakeLists.txt
src/helpers/test/boyer_moore_test.cc [moved from src/utils/test/boyer_moore_test.cc with 100% similarity]
src/helpers/test/grouped_list_test.cc [moved from src/utils/test/grouped_list_test.cc with 99% similarity]
src/helpers/test/memcap_allocator_test.cc [moved from src/utils/test/memcap_allocator_test.cc with 100% similarity]
src/helpers/test/streambuf_test.cc [moved from src/utils/test/streambuf_test.cc with 99% similarity]
src/helpers/utf.cc [moved from src/utils/util_utf.cc with 99% similarity]
src/helpers/utf.h [moved from src/utils/util_utf.h with 100% similarity]
src/host_tracker/CMakeLists.txt
src/host_tracker/cache_allocator.h
src/host_tracker/host_cache.h
src/host_tracker/host_cache_module.cc
src/host_tracker/host_cache_segmented.h
src/host_tracker/host_tracker.cc
src/host_tracker/host_tracker.h
src/host_tracker/host_tracker_module.cc
src/host_tracker/host_tracker_stats.h [new file with mode: 0644]
src/host_tracker/test/host_cache_allocator_ht_test.cc
src/host_tracker/test/host_cache_module_test.cc
src/host_tracker/test/host_tracker_module_test.cc
src/ips_options/CMakeLists.txt
src/ips_options/ips_ack.cc
src/ips_options/ips_base64.cc
src/ips_options/ips_ber_data.cc
src/ips_options/ips_ber_skip.cc
src/ips_options/ips_bufferlen.cc
src/ips_options/ips_byte_extract.cc
src/ips_options/ips_byte_jump.cc
src/ips_options/ips_byte_math.cc
src/ips_options/ips_byte_test.cc
src/ips_options/ips_classtype.cc
src/ips_options/ips_content.cc
src/ips_options/ips_cvs.cc
src/ips_options/ips_detection_filter.cc
src/ips_options/ips_dsize.cc
src/ips_options/ips_enable.cc
src/ips_options/ips_file_data.cc
src/ips_options/ips_file_meta.cc
src/ips_options/ips_file_type.cc
src/ips_options/ips_flags.cc
src/ips_options/ips_flow.cc
src/ips_options/ips_flowbits.cc
src/ips_options/ips_fragbits.cc
src/ips_options/ips_fragoffset.cc
src/ips_options/ips_gid.cc
src/ips_options/ips_hash.cc
src/ips_options/ips_icmp_id.cc
src/ips_options/ips_icmp_seq.cc
src/ips_options/ips_icode.cc
src/ips_options/ips_id.cc
src/ips_options/ips_ip_proto.cc
src/ips_options/ips_ipopts.cc
src/ips_options/ips_isdataat.cc
src/ips_options/ips_itype.cc
src/ips_options/ips_js_data.cc
src/ips_options/ips_luajit.cc
src/ips_options/ips_metadata.cc
src/ips_options/ips_msg.cc
src/ips_options/ips_options.cc
src/ips_options/ips_pcre.cc
src/ips_options/ips_pkt_data.cc
src/ips_options/ips_priority.cc
src/ips_options/ips_raw_data.cc
src/ips_options/ips_reference.cc
src/ips_options/ips_regex.cc
src/ips_options/ips_rem.cc
src/ips_options/ips_replace.cc
src/ips_options/ips_rev.cc
src/ips_options/ips_rpc.cc
src/ips_options/ips_sd_pattern.cc
src/ips_options/ips_seq.cc
src/ips_options/ips_service.cc
src/ips_options/ips_sid.cc
src/ips_options/ips_so.cc
src/ips_options/ips_soid.cc
src/ips_options/ips_tag.cc
src/ips_options/ips_target.cc
src/ips_options/ips_tos.cc
src/ips_options/ips_ttl.cc
src/ips_options/ips_vba_data.cc
src/ips_options/ips_window.cc
src/ips_options/test/CMakeLists.txt
src/ips_options/test/ips_regex_test.cc
src/js_norm/js_enum.h
src/js_norm/js_norm.h
src/js_norm/js_normalizer.h
src/js_norm/js_pdf_norm.h
src/js_norm/test/CMakeLists.txt
src/js_norm/test/pdf_tokenizer_benchmark.cc
src/latency/latency_stats.h
src/latency/rule_latency.cc
src/log/CMakeLists.txt
src/log/log.cc
src/log/log.h
src/log/log_errors.h [new file with mode: 0644]
src/log/log_stats.cc [new file with mode: 0644]
src/log/log_stats.h [new file with mode: 0644]
src/log/log_text.cc
src/log/log_text.h
src/log/messages.cc
src/log/messages.h
src/loggers/alert_csv.cc
src/loggers/alert_fast.cc
src/loggers/alert_full.cc
src/loggers/alert_json.cc
src/loggers/alert_luajit.cc
src/loggers/alert_syslog.cc
src/loggers/alert_talos.cc
src/loggers/alert_unixsock.cc
src/loggers/log_codecs.cc
src/loggers/log_pcap.cc
src/loggers/unified2.cc
src/main.cc
src/main/CMakeLists.txt
src/main/analyzer.cc
src/main/analyzer.h
src/main/help.cc
src/main/modules.cc
src/main/modules.h
src/main/numa.h [moved from src/utils/util_numa.h with 93% similarity]
src/main/policy.cc
src/main/process.cc [moved from src/helpers/process.cc with 61% similarity]
src/main/process.h [moved from src/helpers/process.h with 77% similarity]
src/main/snort.cc
src/main/snort.h
src/main/snort_config.cc
src/main/snort_config.h
src/main/snort_module.cc
src/main/snort_module.h
src/main/snort_types.h
src/main/swapper.h
src/main/test/distill_verdict_stubs.h
src/main/thread.h
src/main/thread_config.cc
src/managers/CMakeLists.txt
src/managers/action_manager.cc
src/managers/action_manager.h
src/managers/codec_manager.cc
src/managers/codec_manager.h
src/managers/event_manager.h
src/managers/inspector_manager.cc
src/managers/inspector_manager.h
src/managers/ips_manager.cc
src/managers/module_manager.cc
src/managers/plugin_manager.cc
src/managers/policy_selector_manager.cc
src/managers/so_manager.cc
src/managers/test/get_inspector_stubs.h
src/managers/test/get_inspector_test.cc
src/memory/heap_interface.cc
src/memory/memory_cap.cc
src/memory/memory_overloads.cc
src/memory/test/memory_cap_test.cc
src/mime/CMakeLists.txt
src/mime/decode_b64.h
src/network_inspectors/CMakeLists.txt
src/network_inspectors/appid/app_info_table.h
src/network_inspectors/appid/appid_api.cc
src/network_inspectors/appid/appid_debug.h
src/network_inspectors/appid/appid_discovery.cc
src/network_inspectors/appid/appid_ha.cc
src/network_inspectors/appid/appid_http_event_handler.cc
src/network_inspectors/appid/appid_inspector.cc
src/network_inspectors/appid/appid_module.cc
src/network_inspectors/appid/appid_peg_counts.cc
src/network_inspectors/appid/appid_peg_counts.h
src/network_inspectors/appid/appid_session_api.cc
src/network_inspectors/appid/appid_session_api.h
src/network_inspectors/appid/appid_types.h
src/network_inspectors/appid/appid_utils/sf_mlmp.cc
src/network_inspectors/appid/client_plugins/client_app_bit.cc
src/network_inspectors/appid/client_plugins/client_app_bit_tracker.cc
src/network_inspectors/appid/client_plugins/eve_ca_patterns.cc
src/network_inspectors/appid/detector_plugins/http_url_patterns.cc
src/network_inspectors/appid/detector_plugins/ssl_patterns.cc
src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h
src/network_inspectors/appid/host_port_app_cache.cc
src/network_inspectors/appid/ips_appid_option.cc
src/network_inspectors/appid/lua_detector_module.cc
src/network_inspectors/appid/lua_detector_module.h
src/network_inspectors/appid/service_plugins/alpn_patterns.cc
src/network_inspectors/appid/service_plugins/test/service_netbios_test.cc [deleted file]
src/network_inspectors/appid/service_plugins/test/service_plugin_mock.h
src/network_inspectors/appid/test/appid_api_test.cc
src/network_inspectors/appid/test/appid_discovery_test.cc
src/network_inspectors/appid/test/appid_http_session_test.cc
src/network_inspectors/appid/test/appid_session_api_test.cc
src/network_inspectors/appid/test/tp_lib_handler_test.cc
src/network_inspectors/appid/tp_appid_module_api.cc
src/network_inspectors/appid/tp_appid_module_api.h
src/network_inspectors/appid/tp_appid_utils.cc
src/network_inspectors/arp_spoof/arp_spoof.cc
src/network_inspectors/binder/bind_module.cc
src/network_inspectors/binder/binder.cc
src/network_inspectors/binder/binding.cc
src/network_inspectors/binder/binding.h
src/network_inspectors/normalize/norm_stats.h
src/network_inspectors/packet_capture/packet_capture.cc
src/network_inspectors/packet_tracer/CMakeLists.txt [deleted file]
src/network_inspectors/perf_monitor/cpu_tracker.cc
src/network_inspectors/perf_monitor/json_formatter.cc
src/network_inspectors/perf_monitor/perf_module.cc
src/network_inspectors/perf_monitor/perf_module.h
src/network_inspectors/perf_monitor/perf_monitor.cc
src/network_inspectors/perf_monitor/perf_monitor.h
src/network_inspectors/perf_monitor/perf_tracker.cc
src/network_inspectors/perf_monitor/text_formatter.cc
src/network_inspectors/port_scan/port_scan.cc
src/network_inspectors/port_scan/ps_detect.cc
src/network_inspectors/port_scan/ps_module.cc
src/network_inspectors/reputation/reputation_commands.cc
src/network_inspectors/reputation/reputation_common.h
src/network_inspectors/reputation/reputation_config.h
src/network_inspectors/reputation/reputation_inspect.cc
src/network_inspectors/reputation/reputation_module.h
src/network_inspectors/rna/CMakeLists.txt
src/network_inspectors/rna/data_purge_cmd.cc
src/network_inspectors/rna/rna_fingerprint_ua.cc
src/network_inspectors/rna/rna_fingerprint_udp.cc
src/network_inspectors/rna/rna_flow.h
src/network_inspectors/rna/rna_inspector.cc
src/network_inspectors/rna/rna_logger.cc
src/network_inspectors/rna/rna_logger.h
src/network_inspectors/rna/rna_logger_event.h [new file with mode: 0644]
src/network_inspectors/rna/rna_module.cc
src/network_inspectors/rna/rna_tracker.h [new file with mode: 0644]
src/network_inspectors/rna/test/rna_module_stubs.h
src/packet_io/CMakeLists.txt
src/packet_io/active.cc
src/packet_io/active.h
src/packet_io/active_counts.h [new file with mode: 0644]
src/packet_io/packet_constraints.cc [moved from src/framework/packet_constraints.cc with 99% similarity]
src/packet_io/packet_constraints.h [moved from src/framework/packet_constraints.h with 100% similarity]
src/packet_io/packet_tracer.cc [moved from src/network_inspectors/packet_tracer/packet_tracer.cc with 91% similarity]
src/packet_io/packet_tracer.h [moved from src/network_inspectors/packet_tracer/packet_tracer.h with 83% similarity]
src/packet_io/packet_tracer_module.cc [moved from src/network_inspectors/packet_tracer/packet_tracer_module.cc with 100% similarity]
src/packet_io/packet_tracer_module.h [moved from src/network_inspectors/packet_tracer/packet_tracer_module.h with 100% similarity]
src/packet_io/sfdaq_instance.cc
src/packet_io/sfdaq_module.h
src/parser/cmd_line.cc
src/parser/config_file.cc
src/parser/parse_rule.cc
src/parser/parse_utils.h
src/parser/parser.cc
src/parser/parser.h
src/payload_injector/payload_injector.cc
src/payload_injector/test/payload_injector_test.cc
src/policy_selectors/address_space_selector/address_space_selector.cc
src/policy_selectors/address_space_selector/address_space_selector_module.h
src/policy_selectors/tenant_selector/tenant_selector.cc
src/ports/port_object2.h
src/ports/port_utils.h
src/profiler/CMakeLists.txt
src/profiler/profiler.cc
src/profiler/profiler.h
src/profiler/profiler_defs.h
src/profiler/profiler_impl.h [new file with mode: 0644]
src/profiler/profiler_module.cc
src/profiler/time_profiler.cc
src/profiler/time_profiler_defs.h
src/protocols/ip.h
src/protocols/layer.h
src/protocols/mpls.h
src/protocols/packet.cc
src/protocols/packet.h
src/protocols/packet_manager.cc
src/protocols/packet_manager.h
src/protocols/protocol_ids.h
src/protocols/ssl.h
src/protocols/tcp.h
src/protocols/test/decode_err_len_test.cc
src/protocols/test/get_geneve_opt_test.cc
src/pub_sub/dns_events.cc
src/search_engines/ac_bnfa.cc
src/search_engines/ac_full.cc
src/search_engines/acsmx2.cc
src/search_engines/bnfa_search.cc
src/search_engines/hyperscan.cc
src/search_engines/pat_stats.h
src/search_engines/search_tool.cc
src/search_engines/test/CMakeLists.txt
src/search_engines/test/hyper_tool_test.cc
src/search_engines/test/hyperscan_test.cc
src/search_engines/test/mpse_test_stubs.cc
src/search_engines/test/mpse_test_stubs.h
src/service_inspectors/CMakeLists.txt
src/service_inspectors/back_orifice/back_orifice.cc
src/service_inspectors/cip/cip.cc
src/service_inspectors/cip/cip.h
src/service_inspectors/cip/ips_cip_attribute.cc
src/service_inspectors/cip/ips_cip_class.cc
src/service_inspectors/cip/ips_cip_connpathclass.cc
src/service_inspectors/cip/ips_cip_enipcommand.cc
src/service_inspectors/cip/ips_cip_enipreq.cc
src/service_inspectors/cip/ips_cip_eniprsp.cc
src/service_inspectors/cip/ips_cip_instance.cc
src/service_inspectors/cip/ips_cip_req.cc
src/service_inspectors/cip/ips_cip_rsp.cc
src/service_inspectors/cip/ips_cip_service.cc
src/service_inspectors/cip/ips_cip_status.cc
src/service_inspectors/dce_rpc/dce_common.cc
src/service_inspectors/dce_rpc/dce_expected_session.cc
src/service_inspectors/dce_rpc/dce_http_proxy.cc
src/service_inspectors/dce_rpc/dce_http_proxy_module.h
src/service_inspectors/dce_rpc/dce_http_server.cc
src/service_inspectors/dce_rpc/dce_http_server_module.h
src/service_inspectors/dce_rpc/dce_smb.h
src/service_inspectors/dce_rpc/dce_smb2.cc
src/service_inspectors/dce_rpc/dce_smb2_commands.cc
src/service_inspectors/dce_rpc/dce_smb2_commands.h
src/service_inspectors/dce_rpc/dce_smb2_utils.cc
src/service_inspectors/dce_rpc/dce_smb_module.cc
src/service_inspectors/dce_rpc/dce_smb_utils.cc
src/service_inspectors/dce_rpc/dce_tcp.cc
src/service_inspectors/dce_rpc/ips_dce_iface.cc
src/service_inspectors/dce_rpc/ips_dce_opnum.cc
src/service_inspectors/dce_rpc/ips_dce_stub_data.cc
src/service_inspectors/dce_rpc/smb_message.cc
src/service_inspectors/dnp3/dnp3.cc
src/service_inspectors/dnp3/dnp3_reassembly.cc
src/service_inspectors/dnp3/ips_dnp3_data.cc
src/service_inspectors/dnp3/ips_dnp3_func.cc
src/service_inspectors/dnp3/ips_dnp3_ind.cc
src/service_inspectors/dnp3/ips_dnp3_obj.cc
src/service_inspectors/dns/dns_module.h
src/service_inspectors/ftp_telnet/CMakeLists.txt
src/service_inspectors/ftp_telnet/ft_main.cc
src/service_inspectors/ftp_telnet/ftp.cc
src/service_inspectors/ftp_telnet/ftp_data.cc
src/service_inspectors/ftp_telnet/ftpp_si.h
src/service_inspectors/ftp_telnet/ftpp_ui_config.h
src/service_inspectors/ftp_telnet/kmap.cc [moved from src/utils/kmap.cc with 99% similarity]
src/service_inspectors/ftp_telnet/kmap.h [moved from src/utils/kmap.h with 89% similarity]
src/service_inspectors/ftp_telnet/pp_ftp.cc
src/service_inspectors/ftp_telnet/pp_telnet.cc
src/service_inspectors/gtp/gtp.h
src/service_inspectors/gtp/gtp_inspect.cc
src/service_inspectors/gtp/gtp_parser.cc
src/service_inspectors/gtp/ips_gtp_info.cc
src/service_inspectors/gtp/ips_gtp_type.cc
src/service_inspectors/gtp/ips_gtp_version.cc
src/service_inspectors/http2_inspect/http2_flow_data.h
src/service_inspectors/http2_inspect/http2_hpack.h
src/service_inspectors/http2_inspect/http2_hpack_int_decode.h
src/service_inspectors/http2_inspect/http2_push_promise_frame.h
src/service_inspectors/http2_inspect/http2_start_line.h
src/service_inspectors/http2_inspect/ips_http2.h
src/service_inspectors/http_inspect/http_event.h
src/service_inspectors/http_inspect/http_flow_data.h
src/service_inspectors/http_inspect/http_inspect.cc
src/service_inspectors/http_inspect/http_msg_request.cc
src/service_inspectors/http_inspect/http_msg_section.h
src/service_inspectors/http_inspect/ips_http_buffer.h
src/service_inspectors/http_inspect/ips_http_num_hdrs.h
src/service_inspectors/http_inspect/ips_http_param.cc
src/service_inspectors/http_inspect/ips_http_param.h
src/service_inspectors/http_inspect/ips_http_test.h
src/service_inspectors/http_inspect/ips_http_version.h
src/service_inspectors/http_inspect/test/http_module_test.cc
src/service_inspectors/http_inspect/test/http_uri_norm_test.cc
src/service_inspectors/iec104/iec104.cc
src/service_inspectors/iec104/iec104_decode.cc
src/service_inspectors/iec104/iec104_paf.cc
src/service_inspectors/iec104/iec104_parse_apdu.cc
src/service_inspectors/iec104/iec104_parse_information_object_elements.cc
src/service_inspectors/iec104/iec104_trace.h
src/service_inspectors/iec104/ips_iec104_apci_type.cc
src/service_inspectors/iec104/ips_iec104_asdu_func.cc
src/service_inspectors/mms/ips_mms_data.cc
src/service_inspectors/mms/ips_mms_func.cc
src/service_inspectors/mms/mms.cc
src/service_inspectors/mms/mms_decode.cc
src/service_inspectors/mms/mms_splitter.cc
src/service_inspectors/mms/util_tpkt.h
src/service_inspectors/modbus/ips_modbus_data.cc
src/service_inspectors/modbus/ips_modbus_func.cc
src/service_inspectors/modbus/ips_modbus_unit.cc
src/service_inspectors/modbus/modbus.cc
src/service_inspectors/modbus/modbus_decode.cc
src/service_inspectors/modbus/modbus_paf.cc
src/service_inspectors/netflow/CMakeLists.txt
src/service_inspectors/netflow/netflow.cc
src/service_inspectors/rpc_decode/rpc_decode.cc
src/service_inspectors/s7commplus/ips_s7comm_content.cc
src/service_inspectors/s7commplus/ips_s7comm_func.cc
src/service_inspectors/s7commplus/ips_s7comm_opcode.cc
src/service_inspectors/s7commplus/s7comm.cc
src/service_inspectors/s7commplus/s7comm_decode.cc
src/service_inspectors/s7commplus/s7comm_paf.cc
src/service_inspectors/service_inspectors.cc
src/service_inspectors/sip/ips_sip.cc
src/service_inspectors/sip/ips_sip_method.cc
src/service_inspectors/sip/ips_sip_stat_code.cc
src/service_inspectors/sip/sip.cc
src/service_inspectors/sip/sip_config.h
src/service_inspectors/sip/sip_dialog.cc
src/service_inspectors/sip/sip_module.cc
src/service_inspectors/sip/sip_parser.cc
src/service_inspectors/smtp/smtp.cc
src/service_inspectors/smtp/smtp_paf.cc
src/service_inspectors/smtp/smtp_util.cc
src/service_inspectors/smtp/smtp_xlink2state.cc
src/service_inspectors/ssh/ssh.cc
src/service_inspectors/ssl/CMakeLists.txt
src/service_inspectors/ssl/ips_ssl_state.cc
src/service_inspectors/ssl/ips_ssl_version.cc
src/service_inspectors/ssl/ssl_inspector.cc
src/service_inspectors/wizard/curse_book.h
src/service_inspectors/wizard/dce_curse.h
src/service_inspectors/wizard/mms_curse.h
src/service_inspectors/wizard/s7commplus_curse.h
src/sfip/sf_ip.cc
src/sfip/sf_ip.h
src/side_channel/side_channel.h
src/side_channel/test/side_channel_module_test.cc
src/stream/CMakeLists.txt
src/stream/base/stream_ha.cc
src/stream/ip/ip_defrag.cc
src/stream/paf.cc
src/stream/paf.h
src/stream/paf_stats.h [new file with mode: 0644]
src/stream/stream.cc
src/stream/stream.h
src/stream/tcp/ips_stream_reassemble.cc
src/stream/tcp/ips_stream_size.cc
src/stream/tcp/tcp_defs.h
src/stream/tcp/tcp_event_logger.cc
src/stream/tcp/tcp_event_logger.h
src/stream/tcp/tcp_module.cc
src/stream/tcp/tcp_module.h
src/stream/tcp/tcp_normalizer.cc
src/stream/tcp/tcp_normalizer.h
src/stream/tcp/tcp_reassembler.cc
src/stream/tcp/tcp_segment_descriptor.cc
src/stream/tcp/tcp_segment_descriptor.h
src/stream/tcp/tcp_segment_node.cc
src/stream/tcp/tcp_session.cc
src/stream/tcp/tcp_state_listen.cc
src/stream/tcp/tcp_state_none.cc
src/stream/tcp/tcp_stream_session.cc
src/stream/tcp/tcp_trace.cc
src/stream/tcp/tcp_trace.h
src/stream/test/stream_splitter_test.cc
src/stream/udp/CMakeLists.txt
src/stream/udp/udp_session.h
src/stream/user/user_session.cc
src/target_based/host_attributes.cc
src/time/packet_time.cc
src/trace/trace.h
src/trace/trace_api.cc
src/trace/trace_config.cc
src/trace/trace_module.cc
src/trace/trace_parser.h
src/trace/trace_swap.cc
src/utils/CMakeLists.txt
src/utils/bits.h [moved from src/framework/bits.h with 100% similarity]
src/utils/chunk.cc [moved from src/helpers/chunk.cc with 100% similarity]
src/utils/chunk.h [moved from src/helpers/chunk.h with 100% similarity]
src/utils/dev_notes.txt
src/utils/stats.cc
src/utils/stats.h
src/utils/test/CMakeLists.txt [deleted file]
src/utils/util.cc
src/utils/util.h
src/utils/util_cstring.h
src/utils/util_jsnorm.cc

index a00ba6e599794cab973ec2f4059f7e7409d20000..23a52d046cd3e922330b3e8ead44746fda9bc299 100644 (file)
@@ -4,6 +4,7 @@ set (
     snort_devel.txt
     extending.txt
     style.txt
+    versions.txt
 )
 
 foreach ( file_name ${UNBUILT_SOURCES} )
index b6d39e80207e3ce471bb78bbf0eda2caf5057413..4ab84110045e9c960231bcc5ead8f5751739beda 100644 (file)
@@ -10,6 +10,10 @@ include::version.txt[]
 
 toc::[]
 
+== Versions
+
+include::versions.txt[]
+
 == Extending Snort
 
 include::extending.txt[]
diff --git a/doc/devel/versions.txt b/doc/devel/versions.txt
new file mode 100644 (file)
index 0000000..72e38fc
--- /dev/null
@@ -0,0 +1,67 @@
+
+=== Versions
+
+Snort 3 does not follow semantic versioning (major.minor.patch) because
+<non-technical reasons>.
+
+The Snort 3 version is of the form 3.A.R.B where:
+
+* 3 is fixed for now.
+
+* A is bumped when the API changes as defined in framework/snort_api.h.
+
+* R is bumped for each regular release (nominally every 2 weeks).
+
+* B is the build number supplied at the time of build and is always zero
+  for github releases.
+
+Some background on plugin versions is required to fully explain the
+significance of A.
+
+There are several Snort 3 plugin types defined in these headers:
+
+* framework/codec.h
+* framework/connector.h
+* framework/inspector.h
+* framework/ips_action.h
+* framework/ips_option.h
+* framework/logger.h
+* framework/mpse.h
+* framework/policy_selector.h
+* framework/so_rule.h
+
+Each of the above has its own version number that pertains specifically to the file
+in which it is defined. In addition, these plugins have a common part defined in:
+
+* framework/base_api.h.
+
+The above file specifies a version number for the common part shared by all plugins
+which includes all the other files found in framework/snort_api.h.
+
+These API version numbers are not included in the Snort 3 version but, if any
+of them changes, indicating a change to the plugin API, then A is bumped to
+indicate that a new version of the API exists. So A will be bumped for any of
+the following:
+
+* base API version change
+* plugin API version change
+* DAQ version change
+
+There are many other exported features apart from those included directly in
+framework/snort_api.h and if you use them, you must rebuild your plugins with
+each new release. If you just use the snort_api.h includes, you will only need
+to rebuild your plugins if A changes.
+
+For the best security efficacy and stability, there is no requirement to
+maintain backward compatibility, so you may need to tweak code when you
+rebuild your plugin.  Developers will not change the APIs without good reason,
+but existing code will be changed as needed and these changes may break your
+plugin.
+
+That said, if you want to reduce the number of times you release plugins, you
+can study the change set to see if it affects you. Due to the complexity of
+Snort and the API, this is possible but cannot be recommended.
+
+As of this writing the version is 3.1.85 and this will be merged with the 3.2.0
+release. The significance of the A component prior to 3.2.0 is not well defined.
+
index e4448878665c1a7bc4af23b13add541cad99d4f8..63d350c24cca5e220289ccc8f09d2db93f5e5486 100644 (file)
@@ -60,8 +60,8 @@ objectives, including:
 * IpsOption - for detection in Snort rules
 * IpsAction - for custom actions
 * Logger - for handling events
-* Mpse - for fast pattern matching
-* So - for dynamic rules
+* MPSE - for fast pattern matching
+* SO - for dynamic rules
 
 The power of plugins is that they have a very focused purpose and can be
 created with relative ease.  For example, you can extend the rule language
index 9b520241d75268b2bac3580708d28d4282af348a..3501c5adb642dcde8846361b8d1fcc77eff57d45 100644 (file)
@@ -14,7 +14,7 @@ perf_monitor supports several trackers for monitoring such data:
 The base tracker is used to gather running statistics about Snort and its
 running modules. All Snort modules gather, at the very least, counters for the
 number of packets reaching it. Most supplement these counts with those for
-domain specific functions, such as http_inspect’s number of GET requests seen.
+domain specific functions, such as the number of GET requests seen by http_inspect.
 
 Statistics are gathered live and can be reported at regular intervals. The stats
 reported correspond only to the interval in question and are reset at the
index 7dde1c9f4c3cc83dde620df92a783f0dfd8d4296..ce97ca611c4b49f9243e6a9c6fc43bc6d4207442 100644 (file)
@@ -1,26 +1,21 @@
 
-set ( ACTIONS_INCLUDES
-    actions.h
-)
-
 set (IPS_ACTION_SOURCES
-    actions.cc
     actions_module.cc
     actions_module.h
     ips_actions.cc
     ips_actions.h
+)
+
+set( PLUGIN_LIST
     act_alert.cc
     act_block.cc
     act_drop.cc
     act_file_id.cc
     act_log.cc
     act_pass.cc
+    act_react.cc
     act_reject.cc
     act_replace.cc
-)
-
-set( PLUGIN_LIST
-    act_react.cc
     )
 
 if (STATIC_IPS_ACTIONS)
@@ -35,11 +30,15 @@ else (STATIC_IPS_ACTIONS)
         ${IPS_ACTION_SOURCES}
     )
 
+    add_dynamic_module(act_alert ips_actions act_alert.cc actions_module.cc)
+    add_dynamic_module(act_block ips_actions act_block.cc actions_module.cc)
+    add_dynamic_module(act_drop ips_actions act_drop.cc actions_module.cc)
+    add_dynamic_module(act_file_id ips_actions act_file_id.cc actions_module.cc)
+    add_dynamic_module(act_log ips_actions act_log.cc actions_module.cc)
+    add_dynamic_module(act_pass ips_actions act_pass.cc actions_module.cc)
     add_dynamic_module(act_react ips_actions act_react.cc actions_module.cc)
+    add_dynamic_module(act_reject ips_actions act_reject.cc actions_module.cc)
+    add_dynamic_module(act_replace ips_actions act_replace.cc actions_module.cc)
 
 endif (STATIC_IPS_ACTIONS)
 
-install (FILES ${ACTIONS_INCLUDES}
-    DESTINATION "${INCLUDE_INSTALL_PATH}/actions"
-)
-
index d46302d8552eec60a511be93172280e9df01fb0d..90af5eecb0785f412ea87f5bb562111b5e2e9a02 100644 (file)
 #include "config.h"
 #endif
 
-#include "actions/actions_module.h"
 #include "framework/ips_action.h"
 #include "framework/module.h"
 #include "protocols/packet.h"
 
-#include "actions.h"
+#include "actions_module.h"
 
 using namespace snort;
 
@@ -55,12 +54,12 @@ class AlertAction : public IpsAction
 public:
     AlertAction() : IpsAction(action_name, nullptr) { }
 
-    void exec(Packet*, const OptTreeNode* otn) override;
+    void exec(Packet*, const ActInfo&) override;
 };
 
-void AlertAction::exec(Packet* p, const OptTreeNode* otn)
+void AlertAction::exec(Packet* p, const ActInfo& ai)
 {
-    Actions::alert(p, otn);
+    alert(p, ai);
     ++alert_stats.alert;
 }
 
@@ -120,7 +119,11 @@ static ActionApi alert_api
     alert_dtor
 };
 
+#ifdef BUILDING_SO
+SO_PUBLIC const BaseApi* snort_plugins[] =
+#else
 const BaseApi* act_alert[] =
+#endif
 {
     &alert_api.base,
     nullptr
index 7e9e0d5df69d7c3f30449322ec028398be9804bf..e341831dcd7980baca42debee6accd90c6420a4e 100644 (file)
 #include "config.h"
 #endif
 
-#include "actions/actions_module.h"
 #include "framework/ips_action.h"
 #include "framework/module.h"
 #include "packet_io/active.h"
 #include "protocols/packet.h"
 
-#include "actions.h"
+#include "actions_module.h"
 
 using namespace snort;
 
@@ -56,16 +55,16 @@ class BlockAction : public IpsAction
 public:
     BlockAction() : IpsAction(action_name, nullptr) { }
 
-    void exec(Packet*, const OptTreeNode* otn) override;
+    void exec(Packet*, const ActInfo&) override;
     bool drops_traffic() override { return true; }
 };
 
-void BlockAction::exec(Packet* p, const OptTreeNode* otn)
+void BlockAction::exec(Packet* p, const ActInfo& ai)
 {
     p->active->block_session(p);
     p->active->set_drop_reason("ips");
 
-    Actions::alert(p, otn);
+    alert(p, ai);
     ++block_stats.block;
 }
 
@@ -125,7 +124,11 @@ static ActionApi block_api
     block_dtor
 };
 
+#ifdef BUILDING_SO
+SO_PUBLIC const BaseApi* snort_plugins[] =
+#else
 const BaseApi* act_block[] =
+#endif
 {
     &block_api.base,
     nullptr
index ae69f6e3e65f323f953976ed9611b8a5af8e3e7d..6ab2c220075ccc3cc3474934b845e36641152faf 100644 (file)
 #include "config.h"
 #endif
 
-#include "actions/actions_module.h"
 #include "framework/ips_action.h"
 #include "framework/module.h"
 #include "packet_io/active.h"
 #include "protocols/packet.h"
 
-#include "actions.h"
+#include "actions_module.h"
 
 using namespace snort;
 
@@ -56,16 +55,16 @@ class DropAction : public IpsAction
 public:
     DropAction() : IpsAction(action_name, nullptr) { }
 
-    void exec(Packet*, const OptTreeNode* otn) override;
+    void exec(Packet*, const ActInfo&) override;
     bool drops_traffic() override { return true; }
 };
 
-void DropAction::exec(Packet* p, const OptTreeNode* otn)
+void DropAction::exec(Packet* p, const ActInfo& ai)
 {
     p->active->drop_packet(p);
     p->active->set_drop_reason("ips");
 
-    Actions::alert(p, otn);
+    alert(p, ai);
     ++drop_stats.drop;
 }
 
@@ -126,7 +125,11 @@ static ActionApi drop_api
     drop_dtor
 };
 
+#ifdef BUILDING_SO
+SO_PUBLIC const BaseApi* snort_plugins[] =
+#else
 const BaseApi* act_drop[] =
+#endif
 {
     &drop_api.base,
     nullptr
index 70386fbee0cb1d47cf614f13b022cf807400940c..061332d2124bb7af63dedfe22b02d09320b89a6e 100644 (file)
 #include "config.h"
 #endif
 
-#include "actions.h"
-#include "actions/actions_module.h"
-#include "detection/detect.h"
 #include "file_api/file_flows.h"
-#include "file_api/file_identifier.h"
+#include "file_api/file_lib.h"
+#include "framework/ips_action.h"
 #include "managers/action_manager.h"
 #include "parser/parser.h"
-#include "utils/stats.h"
+
+#include "actions_module.h"
 
 using namespace snort;
 
@@ -59,21 +58,25 @@ class File_IdAction : public IpsAction
 {
 public:
     File_IdAction() : IpsAction(action_name, nullptr) { }
-    void exec(Packet*, const OptTreeNode* otn) override;
+    void exec(Packet*, const ActInfo&) override;
 };
 
-void File_IdAction::exec(Packet* p, const OptTreeNode* otn)
+void File_IdAction::exec(Packet* p, const ActInfo& ai)
 {
     if (!p->flow)
       return;
+
     FileFlows* files = FileFlows::get_file_flows(p->flow, false);
+
     if (!files)
         return;
+
     FileContext* file = files->get_current_file_context();
+
     if (!file)
         return;
-    file->set_file_type(otn->sigInfo.file_id);
 
+    file->set_file_type(get_file_id(ai));
     ++file_id_stats.file_id;
 }
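Review bot: The first guard in File_IdAction::exec is indented inconsistently with the two guards the hunk adds blank lines around — `return;` after `if (!p->flow)` sits at six spaces while the others sit at eight. Since this hunk already reflows the body, align it: `        return;`. The call `file->set_file_type(get_file_id(ai))` replaces the direct `otn->sigInfo.file_id` read; presumably get_file_id() reads the same field through ActInfo, which is fine as long as it cannot return a file id for an ActInfo with no rule behind it — worth a one-line comment on get_file_id() in actions_module.h stating that precondition.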
 
@@ -134,7 +137,11 @@ static ActionApi file_id_api
     file_id_dtor
 };
 
+#ifdef BUILDING_SO
+SO_PUBLIC const BaseApi* snort_plugins[] =
+#else
 const BaseApi* act_file_id[] =
+#endif
 {
     &file_id_api.base,
     nullptr
index 8b6689c7535e74ea25b2dde1163f0da73786abfa..dc2a20db32ceba3ccdd803be45fb77a204ac94e8 100644 (file)
 #include "config.h"
 #endif
 
-#include "actions/actions_module.h"
+#include <cassert>
+
 #include "framework/ips_action.h"
 #include "framework/module.h"
 #include "protocols/packet.h"
 
-#include "actions.h"
+#include "actions_module.h"
 
 using namespace snort;
 
@@ -55,14 +56,14 @@ class LogAction : public IpsAction
 public:
     LogAction() : IpsAction(action_name, nullptr) { }
 
-    void exec(Packet*, const OptTreeNode* otn) override;
+    void exec(Packet*, const ActInfo&) override;
 };
 
-void LogAction::exec(Packet* p, const OptTreeNode* otn)
+void LogAction::exec(Packet* p, const ActInfo& ai)
 {
-    if ( otn )
+    if ( log_it(ai) )
     {
-        Actions::log(p, otn);
+        log(p, ai);
         ++log_stats.log;
     }
 }
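Review bot: The `#include <cassert>` added at the top of this file has no matching `assert()` anywhere in the visible hunks of act_log.cc; if the rest of the file does not use it either, the include is dead and should be dropped (act_pass.cc adds the same include in the same way). The guard change from `if ( otn )` to `if ( log_it(ai) )` is presumably the equivalent non-null check expressed through ActInfo — a short comment on log_it() saying exactly what it tests would make that visible to readers of the action plugins.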
@@ -124,7 +125,11 @@ static ActionApi log_api
     log_dtor
 };
 
+#ifdef BUILDING_SO
+SO_PUBLIC const BaseApi* snort_plugins[] =
+#else
 const BaseApi* act_log[] =
+#endif
 {
     &log_api.base,
     nullptr
index 15987dbce5d8972385655b2200e68b6b922d7d78..94facf401118af2e79748ffec2d7ee7a2cdf4883 100644 (file)
 #include "config.h"
 #endif
 
-#include "actions/actions_module.h"
+#include <cassert>
+
 #include "framework/ips_action.h"
 #include "framework/module.h"
 #include "protocols/packet.h"
 
-#include "actions.h"
+#include "actions_module.h"
 
 using namespace snort;
 
@@ -55,14 +56,14 @@ class PassAction : public IpsAction
 public:
     PassAction() : IpsAction(action_name, nullptr) { }
 
-    void exec(Packet*, const OptTreeNode*) override;
+    void exec(Packet*, const ActInfo&) override;
 };
 
-void PassAction::exec(Packet* p, const OptTreeNode* otn)
+void PassAction::exec(Packet* p, const ActInfo& ai)
 {
-    if ( otn )
+    if ( log_it(ai) )
     {
-        Actions::pass();
+        pass();
         p->packet_flags |= PKT_PASS_RULE;
         ++pass_stats.pass;
     }
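Review bot: `p->packet_flags |= PKT_PASS_RULE` is now gated by `log_it(ai)` rather than by the presence of a rule node. If log_it() is only the non-null OTN test the old code used, this is behaviour-preserving; if it also reflects anything like event filtering or suppression, a matching pass rule would no longer mark the packet as passed whenever logging is withheld, which silently changes enforcement. Please confirm log_it()'s contract and, if it is broader than "has a rule", move the flag outside the condition: `p->packet_flags |= PKT_PASS_RULE;` unconditionally, with `if ( log_it(ai) ) { pass(); ++pass_stats.pass; }` around the rest.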
@@ -125,7 +126,11 @@ static ActionApi pass_api
     pass_dtor
 };
 
+#ifdef BUILDING_SO
+SO_PUBLIC const BaseApi* snort_plugins[] =
+#else
 const BaseApi* act_pass[] =
+#endif
 {
     &pass_api.base,
     nullptr
index 14ed536ce4373bf575f3b8ba5a52dac985ad95f4..73f4576b9f32a1d5c6d42f3d1bb271f85d6ee5a0 100644 (file)
@@ -62,8 +62,6 @@
 #include "utils/util.h"
 #include "utils/util_cstring.h"
 
-#include "actions.h"
-
 using namespace snort;
 using namespace HttpCommon;
 using namespace Http2Enums;
@@ -214,7 +212,7 @@ public:
     ~ReactAction() override
     { delete config; }
 
-    void exec(Packet*, const OptTreeNode* otn) override;
+    void exec(Packet*, const ActInfo&) override;
     bool drops_traffic() override { return true; }
 
 private:
@@ -222,12 +220,12 @@ private:
     ReactActiveAction react_act_action;
 };
 
-void ReactAction::exec(Packet* p, const OptTreeNode* otn)
+void ReactAction::exec(Packet* p, const ActInfo& ai)
 {
     p->active->drop_packet(p);
     p->active->set_drop_reason("ips");
 
-    Actions::alert(p, otn);
+    alert(p, ai);
     ++react_stats.react;
 }
 
index 28bc7d805f7a151ff688bbba2a7742ba8174c9c8..df830aec6c3bd7c143bdfdeca6c95cbedebe4d59 100644 (file)
@@ -55,8 +55,6 @@
 #include "packet_io/active.h"
 #include "profiler/profiler.h"
 
-#include "actions.h"
-
 using namespace snort;
 
 #define action_name "reject"
@@ -170,7 +168,7 @@ class RejectAction : public IpsAction
 public:
     RejectAction(uint32_t f = REJ_RST_BOTH);
 
-    void exec(Packet*, const OptTreeNode* otn) override;
+    void exec(Packet*, const ActInfo&) override;
 
 private:
     RejectActiveAction rej_act_action;
@@ -183,14 +181,14 @@ private:
 RejectAction::RejectAction(uint32_t f) : IpsAction(action_name, &rej_act_action) , rej_act_action(f)
 { }
 
-void RejectAction::exec(Packet* p, const OptTreeNode* otn)
+void RejectAction::exec(Packet* p, const ActInfo& ai)
 {
     p->active->set_delayed_action(Active::ACT_RESET, get_active_action());
     p->active->set_drop_reason("ips");
     p->active->reset_again();
     p->active->update_status(p);
 
-    Actions::alert(p, otn);
+    alert(p, ai);
     ++reject_stats.reject;
 }
 
@@ -341,7 +339,11 @@ static const ActionApi rej_api =
     rej_dtor
 };
 
+#ifdef BUILDING_SO
+SO_PUBLIC const BaseApi* snort_plugins[] =
+#else
 const BaseApi* act_reject[] =
+#endif
 {
     &rej_api.base,
     nullptr
index 14c24fa4d03e42bd655bdc78db8e0be397db7363..f49905963e199af91cf08b09e7afd9f016e7abc5 100644 (file)
@@ -28,8 +28,6 @@
 #include "packet_io/active.h"
 #include "protocols/packet.h"
 
-#include "actions.h"
-
 using namespace snort;
 
 #define action_name "rewrite"
@@ -113,17 +111,17 @@ class ReplaceAction : public IpsAction
 public:
     ReplaceAction() : IpsAction(action_name, &rep_act_action) { }
 
-    void exec(Packet*, const OptTreeNode* otn) override;
+    void exec(Packet*, const ActInfo&) override;
 
 private:
     ReplaceActiveAction rep_act_action;
 };
 
-void ReplaceAction::exec(Packet* p, const OptTreeNode* otn)
+void ReplaceAction::exec(Packet* p, const ActInfo& ai)
 {
     p->active->rewrite_packet(p);
 
-    Actions::alert(p, otn);
+    alert(p, ai);
     ++replace_stats.replace;
 }
 
@@ -184,7 +182,11 @@ static ActionApi rep_api
     rep_dtor
 };
 
+#ifdef BUILDING_SO
+SO_PUBLIC const BaseApi* snort_plugins[] =
+#else
 const BaseApi* act_replace[] =
+#endif
 {
     &rep_api.base,
     nullptr
diff --git a/src/actions/actions.cc b/src/actions/actions.cc
deleted file mode 100644 (file)
index 801150a..0000000
+++ /dev/null
@@ -1,92 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation.  You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-//--------------------------------------------------------------------------
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "actions.h"
-
-#include "detection/detect.h"
-#include "managers/action_manager.h"
-#include "parser/parser.h"
-#include "utils/stats.h"
-
-using namespace snort;
-
-void Actions::pass()
-{
-    pc.pass_pkts++;
-}
-
-void Actions::log(Packet* p, const OptTreeNode* otn)
-{
-    RuleTreeNode* rtn = getRtnFromOtn(otn);
-    if (!rtn)
-        return;
-
-    CallLogFuncs(p, otn, rtn->listhead);
-}
-
-void Actions::alert(Packet* p, const OptTreeNode* otn)
-{
-    if (!otn)
-        return;
-
-    RuleTreeNode* rtn = getRtnFromOtn(otn);
-    if (!rtn)
-        return;
-
-    /* Call OptTreeNode specific output functions */
-    if (otn->outputFuncs)
-    {
-        ListHead lh = {};  // FIXIT-L use of ListHead for CallLogFuncs() is a little unwieldy here
-        lh.LogList = otn->outputFuncs;
-        CallLogFuncs(p, otn, &lh);
-    }
-    CallAlertFuncs(p, otn, rtn->listhead);
-    CallLogFuncs(p, otn, rtn->listhead);
-}
-
-std::string Actions::get_string(Actions::Type action)
-{
-    return ActionManager::get_action_string(action);
-}
-
-Actions::Type Actions::get_type(const char* s)
-{
-    return ActionManager::get_action_type(s);
-}
-
-Actions::Type Actions::get_max_types()
-{
-    return ActionManager::get_max_action_types();
-}
-
-bool Actions::is_valid_action(Actions::Type action)
-{
-    if ( action < get_max_types() )
-        return true;
-
-    return false;
-}
-
-std::string Actions::get_default_priorities(bool alert_before_pass)
-{
-    return ActionManager::get_action_priorities(alert_before_pass);
-}
index ddeb0e4e9de49d83d0ba60c9c679c1bcf79aff07..07d1a989800cc59090206b6037dfea16741763d0 100644 (file)
 #include "config.h"
 #endif
 
+#include "actions_module.h"
+
 #include <algorithm>
 #include <vector>
 
-#include "actions_module.h"
-#include "actions/actions.h"
 #include "log/messages.h"
 #include "managers/action_manager.h"
 #include "managers/module_manager.h"
index c5a955add33298d64af5ec7bd0bd3de76d4b0a52..d530b25d79ac688194c3f2a4c8260ca735c4d8ed 100644 (file)
 using namespace snort;
 
 #ifdef STATIC_IPS_ACTIONS
-extern const BaseApi* act_react[];
-#endif
 extern const BaseApi* act_alert[];
 extern const BaseApi* act_block[];
 extern const BaseApi* act_drop[];
 extern const BaseApi* act_file_id[];
 extern const BaseApi* act_log[];
 extern const BaseApi* act_pass[];
+extern const BaseApi* act_react[];
 extern const BaseApi* act_reject[];
 extern const BaseApi* act_replace[];
+#endif
 
 void load_actions()
 {
 #ifdef STATIC_IPS_ACTIONS
-    PluginManager::load_plugins(act_react);
-#endif
     PluginManager::load_plugins(act_alert);
     PluginManager::load_plugins(act_block);
     PluginManager::load_plugins(act_drop);
     PluginManager::load_plugins(act_file_id);
     PluginManager::load_plugins(act_log);
     PluginManager::load_plugins(act_pass);
+    PluginManager::load_plugins(act_react);
     PluginManager::load_plugins(act_reject);
     PluginManager::load_plugins(act_replace);
+#endif
 }
 
index 66adba2075d1c7e4cac5f8064c975505ff8cfd59..0412e6948739574c6cba312007a4806df331ec2d 100644 (file)
@@ -26,7 +26,6 @@
 
 #include "codecs/codec_module.h"
 #include "framework/codec.h"
-#include "log/log.h"
 #include "log/log_text.h"
 #include "main/snort_config.h"
 #include "parser/parse_ip.h"
@@ -573,7 +572,7 @@ void TcpCodec::log(TextLog* const text_log, const uint8_t* raw_pkt,
     const tcp::TCPHdr* const tcph = reinterpret_cast<const tcp::TCPHdr*>(raw_pkt);
 
     /* print TCP flags */
-    CreateTCPFlagString(tcph, tcpFlags);
+    tcph->stringify_flags(tcpFlags);
     TextLog_Puts(text_log, tcpFlags); /* We don't care about the null */
 
     /* print other TCP info */
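Review bot: `tcph->stringify_flags(tcpFlags)` writes into `tcpFlags`, a buffer whose declaration and size are outside this hunk; the replaced `CreateTCPFlagString(tcph, tcpFlags)` had the same shape, so the member presumably assumes the caller's buffer is large enough for the longest flag string plus the terminator. Since no length is passed, the size contract lives only in convention — a comment at the buffer's declaration, `// sized for the longest tcp::TCPHdr::stringify_flags() output plus NUL`, or a static_assert tying the two together, would keep a later edit to either side from becoming an overrun. TcpCodec::log starts outside the hunk.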
index f0f1530eeb88b2e6c53af0df97b047f20f3432da..dde34c5eb2772e9063b1a4d73088ed766c5fbc92 100644 (file)
@@ -75,9 +75,5 @@ static const CodecApi default_api =
     dtor, // dtor
 };
 
-const CodecApi* default_codec[] =
-{
-    &default_api,
-    nullptr
-};
+const CodecApi* default_codec = &default_api;
 
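Review bot: `default_codec` changes from a null-terminated array of CodecApi pointers to a single pointer, but a variable's C++ mangled name does not encode its type, so any remaining `extern const CodecApi* default_codec[];` in another translation unit would still compile and link and then read the pointer value as an array. Put the declaration in a header included by both this file and its consumer, `extern const CodecApi* default_codec;`, so the compiler checks the two sides agree; an `#include` of that header here would catch the mismatch at build time rather than at run time.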
index 7082dfe73702b5349d81ce14d94b43c0003c1c39..7e1c1e628c24722a1ad221e85f60f9fbbc86b839 100644 (file)
@@ -27,7 +27,7 @@
 #include <CppUTestExt/MockSupport.h>
 
 void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { }
+void show_stats(PegCount*, const PegInfo*, const std::vector<unsigned>&, const char*, FILE*) { }
 
 namespace snort
 {
index 63c3de64b046ea050fa57e78284fc84af8377d79..7bcf432dcf7e960a17c2bf503594fb91b436d804 100644 (file)
@@ -37,7 +37,7 @@ THREAD_LOCAL SimpleStats file_connector_stats;
 THREAD_LOCAL ProfileStats file_connector_perfstats;
 
 void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { }
+void show_stats(PegCount*, const PegInfo*, const std::vector<unsigned>&, const char*, FILE*) { }
 
 namespace snort
 {
index 5c4a3ce5ef04bcaf2cee978ce0a0cdc8ca34cf69..f950401f40a9e93d03b7fee6ec849273f714195e 100644 (file)
@@ -51,7 +51,7 @@ Connector* connector_tb;
 Connector* connector_rb;
 
 void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { }
+void show_stats(PegCount*, const PegInfo*, const std::vector<unsigned>&, const char*, FILE*) { }
 
 namespace snort
 {
index b3836d3b21b6d384eb9c3e845e69d721b7b6c043..aaaaf192909a21297eae138079832b45c8d6d4b9 100644 (file)
@@ -30,7 +30,6 @@
 #include <unistd.h>
 
 #include "log/messages.h"
-#include "main/thread.h"
 #include "profiler/profiler_defs.h"
 
 #include "tcp_connector_module.h"
index e944cbd4793039f21237a73040862647f56c42db..16342d9529b7fdd772104af9f4c6dfa3eafcbc9e 100644 (file)
@@ -37,7 +37,7 @@ THREAD_LOCAL SimpleStats tcp_connector_stats;
 THREAD_LOCAL ProfileStats tcp_connector_perfstats;
 
 void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { }
+void show_stats(PegCount*, const PegInfo*, const std::vector<unsigned>&, const char*, FILE*) { }
 
 namespace snort
 {
index 0a1798e9d85f84544f6ffdbf30ba26e12551c361..76297a268fd5f3462365d85d6b62d4c465069350 100644 (file)
@@ -68,7 +68,7 @@ ConnectorCommon* connector_common;
 Connector* connector;
 
 void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { }
+void show_stats(PegCount*, const PegInfo*, const std::vector<unsigned>&, const char*, FILE*) { }
 
 namespace snort
 {
index 25ef1e5ccc0879b23d414ae8589b926d8a956d25..b0814105e7885e7e4e31d298430973eb35d79c44 100644 (file)
@@ -90,7 +90,10 @@ private:
     static unsigned pending_cmds_count; //counter to serialize commands across control connections
 };
 
-#define LogRespond(cn, ...)       do { if (cn) cn->respond(__VA_ARGS__); else LogMessage(__VA_ARGS__); } while(0)
-#define LogfRespond(cn, fh, ...)  do { if (cn) cn->respond(__VA_ARGS__); else LogMessage(fh, __VA_ARGS__); } while(0)
+#define LogRespond(cn, ...) \
+    do { if (cn) cn->respond(__VA_ARGS__); else snort::LogMessage(__VA_ARGS__); } while(0)
+
+#define LogfRespond(cn, fh, ...) \
+    do { if (cn) cn->respond(__VA_ARGS__); else snort::LogMessage(fh, __VA_ARGS__); } while(0)
 
 #endif
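Review bot: Both macros expand `cn` twice (`if (cn)` and `cn->respond`), so an argument with side effects is evaluated twice; the rewrite is a good moment to evaluate it once, e.g. `do { auto* cn_ = (cn); if (cn_) cn_->respond(__VA_ARGS__); else snort::LogMessage(__VA_ARGS__); } while(0)` (use `auto&&` if cn may be a smart pointer). The explicit `snort::` qualification is an improvement since the header no longer depends on a using-directive at the expansion site. A small inline function template taking the respond-target and forwarding the arguments would remove the macro entirely, but that is a larger change.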
index e4051693f9ad6a42b902505fd1799ce5771a5e5f..70e6e01d08191724ddccfe87d3837e621a39d028 100644 (file)
@@ -36,6 +36,7 @@
 #include "log/messages.h"
 #include "main/shell.h"
 #include "main/snort_config.h"
+#include "main/thread.h"
 #include "utils/stats.h"
 #include "utils/util.h"
 #include "utils/util_cstring.h"
index 4609a0080282bfb4614950bea9a9f5cef0ec5b70..6dd941f1ceef36918ff74f5053562ff1a40ce097 100644 (file)
@@ -26,7 +26,6 @@
 
 #include <cassert>
 
-#include "detection/detection_util.h"
 #include "utils/util.h"
 
 #include "file_decomp_pdf.h"
index 6c04d08c6bf250adea4c3fe5a3e59bd25251ce3c..99244e2255eb400cdeca8b2b680f17316906c31b 100644 (file)
@@ -26,7 +26,6 @@
 
 #include <cassert>
 
-#include "main/thread.h"
 #include "utils/util.h"
 
 #ifdef UNIT_TEST
index 16b984596b7683a9ac6c925aec295f34528f3867..c35cea5031860d3516b46ccf1e999048032c7d7c 100644 (file)
 
 #include "detection/detection_engine.h"
 #include "helpers/literal_search.h"
+#include "helpers/utf.h"
 #include "ips_options/ips_vba_data.h"
 #include "trace/trace_api.h"
 #include "utils/util.h"
-#include "utils/util_utf.h"
 
 #define OLE_MAX_FILENAME_LEN_UTF16  64
 #define OLE_MAX_FILENAME_ASCII      32
index 5f246458680d5e9afb7e8eea8f013cabd24f811c..0abb17434ffbde20b0562af8fa60c15e9081f3d1 100644 (file)
@@ -27,7 +27,7 @@
 
 #include "detection/detection_engine.h"
 #include "helpers/literal_search.h"
-#include "utils/util_utf.h"
+#include "helpers/utf.h"
 
 #include <CppUTest/CommandLineTestRunner.h>
 #include <CppUTest/TestHarness.h>
index 757c0260f28b1b7a362a718d4e6466f7deaad2bb..9c48fb2fcefa215962342ca4a790de1852a6ef91 100644 (file)
@@ -1,19 +1,13 @@
 
 set (DETECTION_INCLUDES
-    detect.h
+    detection_buf.h
     detection_engine.h
-    detection_options.h
-    detection_util.h
-    detect_trace.h
+    extract.h
     ips_context.h
     ips_context_chain.h
     ips_context_data.h
-    regex_offload.h
-    rule_option_types.h
-    rules.h
-    signature.h
-    treenodes.h
     pattern_match_data.h
+    rule_option_types.h
 )
 
 add_library (detection OBJECT
@@ -21,13 +15,18 @@ add_library (detection OBJECT
     context_switcher.cc
     context_switcher.h
     detect.cc
+    detect.h
+    detection_continuation.h
     detection_engine.cc
     detection_module.cc
     detection_module.h
     detection_options.cc
     detection_options.h
-    detection_util.cc
     detect_trace.cc
+    detect_trace.h
+    event_trace.cc
+    event_trace.h
+    extract.cc
     fp_config.cc
     fp_config.h
     fp_create.cc
@@ -42,15 +41,19 @@ add_library (detection OBJECT
     pcrm.cc
     pcrm.h
     regex_offload.cc
+    regex_offload.h
     rtn_checks.cc
     rtn_checks.h
     rules.cc
+    rules.h
     service_map.cc
     service_map.h
     sfrim.cc
     sfrim.h
     signature.cc
+    signature.h
     treenodes.cc
+    treenodes.h
     tag.cc
     tag.h
 )
index 41346c0bed34217b4ec8acec1683c1dee9f94c9c..a2caf6e1af12852631d991f469cde4eb012870b1 100644 (file)
@@ -74,7 +74,7 @@ void ContextSwitcher::start()
 
     debug_logf(detection_trace, TRACE_DETECTION_ENGINE, nullptr,
         "(wire) %" PRIu64 " cs::start %" PRIu64 " (i=%zu, b=%zu)\n",
-        get_packet_number(), c->context_num, idle.size(), busy.size());
+        pc.analyzed_pkts, c->context_num, idle.size(), busy.size());
 
     idle.pop_back();
 
@@ -98,7 +98,7 @@ void ContextSwitcher::stop()
 
     debug_logf(detection_trace, TRACE_DETECTION_ENGINE, nullptr,
         "(wire) %" PRIu64 " cs::stop %" PRIu64 " (i=%zu, b=%zu)\n",
-        get_packet_number(), c->context_num, idle.size(), busy.size());
+        pc.analyzed_pkts, c->context_num, idle.size(), busy.size());
 
     c->clear();
 
@@ -114,7 +114,7 @@ void ContextSwitcher::abort()
 {
     debug_logf(detection_trace, TRACE_DETECTION_ENGINE, nullptr,
         "(wire) %" PRIu64 " cs::abort (i=%zu, b=%zu)\n",
-        get_packet_number(), idle.size(), busy.size());
+        pc.analyzed_pkts, idle.size(), busy.size());
 
     busy.clear();
 
@@ -157,7 +157,7 @@ IpsContext* ContextSwitcher::interrupt()
     c->context_num = ++global_context_num;
     debug_logf(detection_trace, TRACE_DETECTION_ENGINE, nullptr,
         "%" PRIu64 " cs::interrupt %" PRIu64 " (i=%zu, b=%zu)\n",
-        busy.empty() ? get_packet_number() : busy.back()->packet_number,
+        busy.empty() ? pc.analyzed_pkts : busy.back()->packet_number,
         busy.empty() ? 0 : busy.back()->context_num, idle.size(), busy.size());
 
     idle.pop_back();
index aaeecd7d23fd86c7a2b8cdaab2d8cb56727da97d..cf63c563c7ca8539559fef4b54c53706c5af471c 100644 (file)
@@ -42,7 +42,7 @@
 #include <vector>
 
 #include "detection/ips_context_chain.h"
-#include "utils/primed_allocator.h"
+#include "helpers/primed_allocator.h"
 
 namespace snort
 {
index b043b855e1027c10ffba8ced70bef7bbaff9e865..395a199977f5b1dad876ae3b1e8d7a75aedb5dd9 100644 (file)
@@ -34,7 +34,6 @@
 #include "latency/packet_latency.h"
 #include "main/snort_config.h"
 #include "managers/event_manager.h"
-#include "managers/inspector_manager.h"
 #include "packet_io/active.h"
 #include "ports/port_object.h"
 #include "profiler/profiler_defs.h"
@@ -65,9 +64,7 @@ bool snort_log(Packet* p)
 
 void CallLogFuncs(Packet* p, ListHead* head, Event* event, const char* msg)
 {
-    event->update_event_id(p->context->conf->get_event_log_id());
-
-    DetectionEngine::set_check_tags(false);
+    DetectionEngine::set_check_tags(p, false);
     pc.log_pkts++;
 
     OutputSet* idx = head ? head->LogList : nullptr;
@@ -76,17 +73,10 @@ void CallLogFuncs(Packet* p, ListHead* head, Event* event, const char* msg)
 
 void CallLogFuncs(Packet* p, const OptTreeNode* otn, ListHead* head)
 {
-    Event event;
-
-    // FIXIT-L this and the same below should be refactored to not need const_cast
-    event.sig_info = const_cast<SigInfo*>(&otn->sigInfo);
-    event.ref_time.tv_sec = p->pkth->ts.tv_sec;
-    event.ref_time.tv_usec = p->pkth->ts.tv_usec;
-    event.update_event_id_and_ref(p->context->conf->get_event_log_id());
-    if (head and head->ruleListNode)
-        event.action_string = head->ruleListNode->name;
+    const char* act = (head and head->ruleListNode) ? head->ruleListNode->name : "";
+    Event event(p->pkth->ts.tv_sec, p->pkth->ts.tv_usec, otn->sigInfo, otn->buffer_setters, act);
 
-    DetectionEngine::set_check_tags(false);
+    DetectionEngine::set_check_tags(p, false);
     pc.log_pkts++;
 
     const uint8_t* data = nullptr;
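Review bot: The new `Event event(..., otn->sigInfo, otn->buffer_setters, act)` in the OptTreeNode overload of CallLogFuncs passes `buffer_setters`, whereas the removed code set `buffs_to_dump` only in CallAlertFuncs and left it unset on the log path; log-only rules therefore now carry buffer dumps too, which may be intended but is a behaviour change worth a sentence in the commit message. The two-line `act`/`Event` construction is duplicated verbatim in the CallAlertFuncs hunk below; a file-local helper, `static Event make_event(const Packet* p, const OptTreeNode* otn, const ListHead* head)`, would keep the two call sites from drifting. `otn` is dereferenced without a null check, as before — fine if every caller guarantees it, in which case a comment on the declaration in detect.h should say so.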
@@ -118,15 +108,8 @@ void CallLogFuncs(Packet* p, const OptTreeNode* otn, ListHead* head)
 
 void CallAlertFuncs(Packet* p, const OptTreeNode* otn, ListHead* head)
 {
-    Event event;
-
-    event.sig_info = const_cast<SigInfo*>(&otn->sigInfo);
-    event.buffs_to_dump = otn->buffer_setters;
-    event.ref_time.tv_sec = p->pkth->ts.tv_sec;
-    event.ref_time.tv_usec = p->pkth->ts.tv_usec;
-    event.update_event_id_and_ref(p->context->conf->get_event_log_id());
-    if (head and head->ruleListNode)
-        event.action_string = head->ruleListNode->name;
+    const char* act = (head and head->ruleListNode) ? head->ruleListNode->name : "";
+    Event event(p->pkth->ts.tv_sec, p->pkth->ts.tv_usec, otn->sigInfo, otn->buffer_setters, act);
 
     pc.total_alert_pkts++;
 
@@ -151,19 +134,18 @@ void CallAlertFuncs(Packet* p, const OptTreeNode* otn, ListHead* head)
 */
 void check_tags(Packet* p)
 {
-    SigInfo info;
-    Event event(info);
-
-    if ( DetectionEngine::get_check_tags() and !(p->packet_flags & PKT_REBUILT_STREAM) )
+    if ( DetectionEngine::get_check_tags(p) and !(p->packet_flags & PKT_REBUILT_STREAM) )
     {
-        void* listhead = nullptr;
+        SigInfo info;
+        ListHead* listhead = nullptr;
+        struct timeval tv;
+        uint32_t id;
+        const char* act;
 
-        if (CheckTagList(p, event, &listhead))
+        if (CheckTagList(p, info, listhead, tv, id, act))
         {
-            /* if we find a match, we want to send the packet to the
-             * logging mechanism
-             */
-            CallLogFuncs(p, (ListHead*)listhead, &event, "Tagged Packet");
+            Event event(tv.tv_sec, tv.tv_usec, info, nullptr, act, id);
+            CallLogFuncs(p, listhead, &event, "Tagged Packet");
         }
     }
 }
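Review bot: `tv`, `id` and `act` on lines 2024–2026 are declared without initialisers and are only assigned by CheckTagList under its `create_event` branch (lines 2910–2919); if CheckTagList can return nonzero on a path that skips that branch (its return logic is outside this hunk), the Event constructed on line 2035 reads indeterminate values, where the old code fell back to a default-constructed Event. Brace-initialising them costs nothing and makes that failure mode deterministic: `struct timeval tv{};`, `uint32_t id = 0;`, `const char* act = "";`. Alternatively, CheckTagList should guarantee it only returns nonzero after populating every out-parameter, and say so in a comment at its declaration.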
index df7db7db92166bf63b2f113a049430d252b069b1..87d4e2501e3363a93264c26f3875927cb65d1ebb 100644 (file)
@@ -21,9 +21,7 @@
 #ifndef DETECT_H
 #define DETECT_H
 
-#include "detection/rules.h"
 #include "main/snort_types.h"
-#include "main/thread.h"
 
 namespace snort
 {
@@ -31,6 +29,9 @@ struct Packet;
 struct ProfileStats;
 }
 
+struct ListHead;
+struct OptTreeNode;
+
 extern THREAD_LOCAL snort::ProfileStats eventqPerfStats;
 
 // main loop hooks
@@ -38,7 +39,7 @@ bool snort_ignore(snort::Packet*);
 bool snort_log(snort::Packet*);
 
 // alerts
-void CallLogFuncs(snort::Packet*, ListHead*, struct Event*, const char*);
+void CallLogFuncs(snort::Packet*, ListHead*, class Event*, const char*);
 void CallLogFuncs(snort::Packet*, const OptTreeNode*, ListHead*);
 void CallAlertFuncs(snort::Packet*, const OptTreeNode*, ListHead*);
 
index c82349cfc60b68be5f2bf42bd294620873f9bba2..559d535affb953cdf8d69ee077af61e0cfb97580 100644 (file)
@@ -25,7 +25,6 @@
 #include "detect_trace.h"
 
 #include "log/log.h"
-#include "main/thread.h"
 #include "protocols/packet.h"
 #include "utils/stats.h"
 #include "utils/util.h"
index 8ce0df2aec3c3edfb839d526ae0f041ca6921218..63bd81054f4dd0031c2e324ede1e194aa47d178d 100644 (file)
@@ -25,7 +25,6 @@
 
 #include "framework/cursor.h"
 #include "main/snort_types.h"
-#include "main/thread.h"
 
 namespace snort
 {
similarity index 72%
rename from src/detection/detection_util.h
rename to src/detection/detection_buf.h
index 7c44adef24a80b0e7569a2ea73b6fd2bc63a0511..38370db1a4df179a6685e5d30c1df817bf7553a8 100644 (file)
@@ -1,7 +1,5 @@
 //--------------------------------------------------------------------------
-// Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2002-2013 Sourcefire, Inc.
-// Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
+// Copyright (C) 2024-2023 Cisco and/or its affiliates. All rights reserved.
 //
 // This program is free software; you can redistribute it and/or modify it
 // under the terms of the GNU General Public License Version 2 as published
 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 //--------------------------------------------------------------------------
 
-#ifndef DETECTION_UTIL_H
-#define DETECTION_UTIL_H
+#ifndef DETECTION_BUF_H
+#define DETECTION_BUF_H
 
-// this is a legacy junk-drawer file that needs to be refactored
-// it provides file and alt data and event trace foo.
+// buffers used by DetectionEngine and IpsContext
 
 #include <cassert>
-
-#include "actions/actions.h"
-#include "main/snort_config.h"
+#include <cstdint>
 
 #define DECODE_BLEN 65535
 
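Review bot: The new copyright line `// Copyright (C) 2024-2023 Cisco and/or its affiliates.` has its year range reversed, and the Sourcefire and Martin Roesch notices on the removed lines are dropped even though this is a rename reported at 72% similarity, meaning most of the file's content predates 2024. Unless the surviving content was verified to be entirely new work, the removed attribution lines should be kept alongside a corrected Cisco line; at minimum the range must read in ascending order.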
@@ -71,16 +66,5 @@ struct MatchedBuffer
     unsigned size = 0;
 };
 
-// FIXIT-RC event trace should be placed in its own files
-void EventTrace_Init();
-void EventTrace_Term();
-
-void EventTrace_Log(const snort::Packet*, const OptTreeNode*, Actions::Type action);
-
-inline int EventTrace_IsEnabled(const snort::SnortConfig* sc)
-{
-    return ( sc->event_trace_max > 0 );
-}
-
 #endif
 
index 743a1fb7a43809e53e83ee7c35a8dfbd69ec0ac2..6aa0f549ef8fed987d4437ebbdd95cd43f438763 100644 (file)
 
 #include "framework/cursor.h"
 #include "framework/ips_option.h"
-#include "ips_options/extract.h"
+#include "helpers/grouped_list.h"
 #include "latency/rule_latency.h"
 #include "latency/rule_latency_state.h"
 #include "main/snort_config.h"
 #include "main/thread_config.h"
 #include "protocols/packet.h"
 #include "trace/trace_api.h"
-#include "utils/grouped_list.h"
 #include "utils/stats.h"
 
 #include "detection_options.h"
 #include "detect_trace.h"
+#include "extract.h"
 #include "ips_context.h"
 #include "rule_option_types.h"
 #include "treenodes.h"
index 6945abce6df784fc990c8186bde066090e55b310..163c8e41a5617aa759e9cab02896acc1c89dc4de 100644 (file)
 
 #include "detection_engine.h"
 
+#include "events/event_queue.h"
 #include "events/sfeventq.h"
 #include "filters/sfthreshold.h"
 #include "framework/endianness.h"
+#include "framework/ips_action.h"
 #include "helpers/ring.h"
 #include "latency/packet_latency.h"
 #include "main/analyzer.h"
 #include "main/snort_config.h"
-#include "main/thread.h"
 #include "managers/inspector_manager.h"
 #include "managers/mpse_manager.h"
 #include "packet_io/active.h"
-#include "packet_tracer/packet_tracer.h"
+#include "packet_io/packet_tracer.h"
 #include "parser/parser.h"
 #include "profiler/profiler_defs.h"
 #include "protocols/packet.h"
@@ -45,8 +46,8 @@
 #include "utils/stats.h"
 
 #include "context_switcher.h"
+#include "detection_buf.h"
 #include "detection_module.h"
-#include "detection_util.h"
 #include "detect.h"
 #include "detect_trace.h"
 #include "fp_config.h"
 #include "ips_context_data.h"
 #include "regex_offload.h"
 
-static THREAD_LOCAL RegexOffload* offloader = nullptr;
-
 using namespace snort;
 
+static THREAD_LOCAL RegexOffload* offloader = nullptr;
+bool DetectionEngine::offload_enabled = false;
+
 //--------------------------------------------------------------------------
 // basic de
 //--------------------------------------------------------------------------
@@ -124,6 +126,9 @@ DetectionEngine::~DetectionEngine()
     }
 }
 
+void DetectionEngine::enable_offload()
+{ offload_enabled = true; }
+
 void DetectionEngine::reset()
 {
     IpsContext* c = Analyzer::get_switcher()->get_context();
@@ -180,7 +185,7 @@ Packet* DetectionEngine::set_next_packet(const Packet* parent, Flow* flow)
     {
         if ( flow )
             p->context->snapshot_flow(flow);
-        c->packet_number = get_packet_number();
+        c->packet_number = pc.analyzed_pkts;
         c->wire_packet = nullptr;
     }
 
@@ -221,7 +226,7 @@ Packet* DetectionEngine::set_next_packet(const Packet* parent, Flow* flow)
 
 void DetectionEngine::finish_inspect_with_latency(Packet* p)
 {
-    DetectionEngine::set_check_tags();
+    DetectionEngine::set_check_tags(p);
 
     // By checking tagging here, we make sure that we log the
     // tagged packet whether it generates an alert or not.
@@ -285,12 +290,6 @@ void DetectionEngine::finish_packet(Packet* p, bool flow_deletion)
         sw->complete();
 }
 
-uint8_t* DetectionEngine::get_buffer(unsigned& max)
-{
-    max = IpsContext::buf_size;
-    return Analyzer::get_switcher()->get_context()->buf;
-}
-
 uint8_t* DetectionEngine::get_next_buffer(unsigned& max)
 {
     max = IpsContext::buf_size;
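Review bot: The definition of `DetectionEngine::get_buffer` is removed here, but the declaration `static uint8_t* get_buffer(unsigned& max);` still appears as a context line in detection_engine.h (the `@@ -76,7 +77,7` hunk). Unless the definition now lives elsewhere, that leaves a declared-but-undefined static member that only surfaces as a link error when something calls it; either drop the declaration in the same commit or leave a comment beside it naming where the definition moved. get_next_buffer continues outside the hunk.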
@@ -404,11 +403,11 @@ IpsContext::ActiveRules DetectionEngine::get_detects(Packet* p)
 void DetectionEngine::set_detects(Packet* p, IpsContext::ActiveRules ar)
 { p->context->active_rules = ar; }
 
-void DetectionEngine::set_check_tags(bool enable)
-{ Analyzer::get_switcher()->get_context()->check_tags = enable; }
+void DetectionEngine::set_check_tags(Packet* p, bool enable)
+{ p->context->check_tags = enable; }
 
-bool DetectionEngine::get_check_tags()
-{ return Analyzer::get_switcher()->get_context()->check_tags; }
+bool DetectionEngine::get_check_tags(Packet* p)
+{ return p->context->check_tags; }
 
 //--------------------------------------------------------------------------
 // offload / onload
@@ -475,12 +474,12 @@ void DetectionEngine::idle()
         while ( offloader->count() )
         {
             debug_logf(detection_trace, TRACE_DETECTION_ENGINE, nullptr,
-                "(wire) %" PRIu64 " de::sleep\n", get_packet_number());
+                "(wire) %" PRIu64 " de::sleep\n", pc.analyzed_pkts);
 
             onload();
         }
         debug_logf(detection_trace, TRACE_DETECTION_ENGINE, nullptr,
-            "(wire) %" PRIu64 " de::idle (r=%d)\n", get_packet_number(),
+            "(wire) %" PRIu64 " de::idle (r=%d)\n", pc.analyzed_pkts,
             offloader->count());
 
         offloader->stop();
@@ -495,7 +494,7 @@ void DetectionEngine::onload(Flow* flow)
     while ( flow->is_suspended() )
     {
         debug_logf(detection_trace, TRACE_DETECTION_ENGINE, nullptr,
-            "(wire) %" PRIu64 " de::sleep\n", get_packet_number());
+            "(wire) %" PRIu64 " de::sleep\n", pc.analyzed_pkts);
 
         resume_ready_suspends(flow->context_chain); // FIXIT-M makes onload reentrant-safe
         onload();
@@ -647,9 +646,9 @@ bool DetectionEngine::inspect(Packet* p)
             if ( !all_disabled(p) )
             {
                 if ( PacketTracer::is_daq_activated() )
-                    PacketTracer::pt_timer_start();
+                    PacketTracer::restart_timer();
 
-                if ( detect(p, true) )
+                if ( detect(p, offload_enabled) )
                     return false; // don't finish out offloaded packets
             }
         }
index e86fc7c8b72598ac02cfc1b3f1906aa0a0d858d9..4c0a0460ce11e05d19523bbc05b60ce85d53dc3d 100644 (file)
 // packet (PDU), first call set_next_packet().  If rebuild is successful,
 // then instantiate a new DetectionEngine to detect that packet.
 
-#include "detection/detection_util.h"
+#include "detection/detection_buf.h"
 #include "detection/ips_context.h"
 #include "main/snort_types.h"
 
-struct DataPointer;
+struct OptTreeNode;
 struct Replacement;
 
 namespace snort
@@ -59,6 +59,7 @@ public:
     static Packet* set_next_packet(const Packet* parent = nullptr, Flow* flow = nullptr);
     static uint8_t* get_next_buffer(unsigned& max);
 
+    static void enable_offload();
     static bool offload(Packet*);
 
     static void onload(Flow*);
@@ -76,7 +77,7 @@ public:
     static uint8_t* get_buffer(unsigned& max);
     static inline DataPointer get_alt_buffer(const Packet*);
     static inline DataBuffer& acquire_alt_buffer(const Packet*);
-    static inline void reset_alt_buffer(Packet*);
+    static void inline reset_alt_buffer(Packet*);
 
     static void set_data(unsigned id, IpsContextData*);
     static IpsContextData* get_data(unsigned id);
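Review bot: `static void inline reset_alt_buffer(Packet*);` puts `inline` after the return type, which is legal but differs from the `static inline` form on the two lines directly above it and reads like an accidental edit. If this ordering is what silences a cppcheck finding (the squashed commit list mentions bogus cppcheck warnings), a trailing comment such as `// 'inline' after the type works around a cppcheck false positive` will stop the next reader from "fixing" it back.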
@@ -89,7 +90,7 @@ public:
     static bool detect(Packet*, bool offload_ok = false);
     static bool inspect(Packet*);
 
-    static int queue_event(const struct OptTreeNode*);
+    static int queue_event(const OptTreeNode*);
     static int queue_event(unsigned gid, unsigned sid);
 
     static void disable_all(Packet*);
@@ -102,8 +103,8 @@ public:
     static IpsContext::ActiveRules get_detects(Packet*);
     static void set_detects(Packet*, IpsContext::ActiveRules);
 
-    static void set_check_tags(bool enable = true);
-    static bool get_check_tags();
+    static void set_check_tags(Packet*, bool enable = true);
+    static bool get_check_tags(Packet*);
 
     static void wait_for_context();
 
@@ -122,6 +123,7 @@ private:
     static void finish_packet(Packet*, bool flow_deletion = false);
 
 private:
+    static bool offload_enabled;
     IpsContext* context;
 };
 
index cad5d915959bb6488798f7774a6ff281568f6154..fc8e303f0254a7090d1a4e325bb2cf81d3654c30 100644 (file)
@@ -33,6 +33,7 @@
 #include "trace/trace.h"
 
 #include "detect_trace.h"
+#include "detection_engine.h"
 
 using namespace snort;
 
@@ -196,6 +197,9 @@ bool DetectionModule::end(const char* fqn, int idx, SnortConfig* sc)
     if ( sc->offload_threads and ThreadConfig::get_instance_max() != 1 )
         ParseError("You can not enable experimental offload with more than one packet thread.");
 
+    if ( sc->offload_limit < 99999 )
+        DetectionEngine::enable_offload();
+
     return true;
 }
 
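Review bot: `if ( sc->offload_limit < 99999 )` compares against a bare magic number, and `enable_offload()` can only ever set the flag to true, so once any configuration has enabled offload nothing in this commit turns it off again. If `99999` is the default/"disabled" value of `offload_limit`, give it a name shared with the option's default, and consider a setter that mirrors the current config rather than a one-way enable, e.g. `DetectionEngine::set_offload(sc->offload_limit < <named disabled value>);`. Whether a reload can lower the limit back is not visible here, so confirm that before deciding.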
index b972b2934c08916b72dc333bdbd62812f3f4eed3..98a8892bc505e55c8db724872ec4b44377a4e760 100644 (file)
@@ -23,6 +23,7 @@
 #define DETECTION_MODULE_H
 
 #include "framework/module.h"
+#include "utils/stats.h"
 
 namespace snort
 {
@@ -55,4 +56,5 @@ private:
 };
 }
 
-#endif // DETECTION_MODULE_H
+#endif
+
index 88f56aa5daf5d573ca867496049a7540341c7370..a5e9d7b68f63c3193e8856b035b8e3feebb57d0a 100644 (file)
@@ -40,7 +40,6 @@
 #include "hash/hash_defs.h"
 #include "hash/hash_key_operations.h"
 #include "hash/xhash.h"
-#include "ips_options/extract.h"
 #include "ips_options/ips_flowbits.h"
 #include "latency/packet_latency.h"
 #include "latency/rule_latency_state.h"
@@ -55,8 +54,8 @@
 #include "detection_continuation.h"
 #include "detection_engine.h"
 #include "detection_module.h"
-#include "detection_util.h"
 #include "detect_trace.h"
+#include "extract.h"
 #include "fp_create.h"
 #include "fp_detect.h"
 #include "ips_context.h"
@@ -697,7 +696,7 @@ int detection_option_node_evaluate(
         if ( continue_loop && rval == (int)IpsOption::MATCH && node->relative_children )
         {
             IpsOption* opt = (IpsOption*)node->option_data;
-            continue_loop = opt->retry(cursor, orig_cursor);
+            continue_loop = opt->retry(cursor);
         }
         else
             continue_loop = false;
similarity index 92%
rename from src/detection/detection_util.cc
rename to src/detection/event_trace.cc
index e3e57857c8d048bafb69098a511bd6c4bd84ee08..3df02c6834d5f2eb4f38fd4dca48baaa24c2cb8d 100644 (file)
 #include "config.h"
 #endif
 
-#include "detection_util.h"
+#include "event_trace.h"
 
-#include "actions/actions.h"
 #include "events/event.h"
+#include "framework/ips_action.h"
 #include "log/text_log.h"
 #include "protocols/packet.h"
 #include "utils/stats.h"
@@ -75,16 +75,16 @@ static void LogBuffer(const char* s, const uint8_t* p, unsigned n)
     }
 }
 
-void EventTrace_Log(const Packet* p, const OptTreeNode* otn, Actions::Type action)
+void EventTrace_Log(const Packet* p, const OptTreeNode* otn, IpsAction::Type action)
 {
-    std::string acts = Actions::get_string(action);
+    std::string acts = IpsAction::get_string(action);
 
     if ( !tlog )
         return;
 
     TextLog_Print(tlog,
         "\nEvt=%u, Gid=%u, Sid=%u, Rev=%u, Act=%s\n",
-        get_event_id(), otn->sigInfo.gid, otn->sigInfo.sid, otn->sigInfo.rev, acts.c_str());
+        Event::get_curr_seq_num(), otn->sigInfo.gid, otn->sigInfo.sid, otn->sigInfo.rev, acts.c_str());
 
     TextLog_Print(tlog,
         "Pkt=" STDu64 ", Sec=%lu.%6lu, Len=%u, Cap=%u\n",
diff --git a/src/detection/event_trace.h b/src/detection/event_trace.h
new file mode 100644 (file)
index 0000000..f81171f
--- /dev/null
@@ -0,0 +1,42 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
+// Copyright (C) 2002-2013 Sourcefire, Inc.
+// Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+
+#ifndef EVENT_TRACE_H
+#define EVENT_TRACE_H
+
+// facility for logging IPS events and packets regardless of filtering
+
+#include <cassert>
+
+#include "framework/ips_action.h"
+#include "main/snort_config.h"
+
+void EventTrace_Init();
+void EventTrace_Term();
+
+void EventTrace_Log(const snort::Packet*, const struct OptTreeNode*, snort::IpsAction::Type action);
+
+inline int EventTrace_IsEnabled(const snort::SnortConfig* sc)
+{
+    return ( sc->event_trace_max > 0 );
+}
+
+#endif
+
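Review bot: `EventTrace_IsEnabled` returns `int` for what is a boolean expression (`sc->event_trace_max > 0`) and is consumed as a condition in fpLogOther; `inline bool EventTrace_IsEnabled(const snort::SnortConfig* sc)` states the contract. The header also includes `<cassert>` although nothing in it uses `assert`, and it names `snort::Packet` without a forward declaration, apparently relying on snort_config.h to pull it in transitively; since this is a newly created file, it is the right place to tidy both.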
similarity index 92%
rename from src/ips_options/extract.h
rename to src/detection/extract.h
index bcc4610e6989c476a5d5e4649ca066b93ba5dd65..8cffd80d894eda1cd631c18b5cddc63c1e529117 100644 (file)
@@ -23,7 +23,6 @@
 #include "framework/cursor.h"
 #include "framework/endianness.h"
 #include "main/snort_types.h"
-#include "main/thread.h"
 #include "protocols/packet.h"
 
 #define ENDIAN_BIG    0x1
@@ -59,14 +58,14 @@ SO_PUBLIC int byte_extract(
     int endianness, int bytes_to_grab, const uint8_t* ptr,
     const uint8_t* start, const uint8_t* end, uint32_t* value);
 
-void set_cursor_bounds(const ByteData& settings, const Cursor& c,
+SO_PUBLIC void set_cursor_bounds(const ByteData& settings, const Cursor& c,
     const uint8_t*& start, const uint8_t*& ptr, const uint8_t*& end);
 
-int32_t data_extraction(const ByteData& settings, Packet* p,
+SO_PUBLIC int32_t data_extraction(const ByteData& settings, Packet* p,
     uint32_t& result_var, const uint8_t* start,
     const uint8_t* ptr, const uint8_t* end);
 
-int32_t extract_data(const ByteData& settings, const Cursor& c, Packet* p,
+SO_PUBLIC int32_t extract_data(const ByteData& settings, const Cursor& c, Packet* p,
     uint32_t& result_var);
 
 SO_PUBLIC void set_byte_order(uint8_t& order, uint8_t flag, const char* opt);
index b6b76c7b10296b938583f0d7c9c261f46518bdb6..46d81eb285cd537cc911b623bf305e2751acda3f 100644 (file)
@@ -39,6 +39,7 @@
 #include "hash/ghash.h"
 #include "hash/hash_defs.h"
 #include "hash/xhash.h"
+#include "log/log_stats.h"
 #include "log/messages.h"
 #include "main/snort.h"
 #include "main/snort_config.h"
index b909af47f94874a2c0c199faae5d1340f3d609f5..28cd6fe75c36b0578f28d13754be1bbc4b053de5 100644 (file)
 
 #include <vector>
 
-#include "actions/actions.h"
 #include "events/event.h"
+#include "events/event_queue.h"
 #include "filters/rate_filter.h"
 #include "filters/sfthreshold.h"
+#include "framework/act_info.h"
 #include "framework/cursor.h"
+#include "framework/ips_action.h"
 #include "framework/mpse.h"
 #include "latency/packet_latency.h"
 #include "latency/rule_latency.h"
@@ -54,7 +56,7 @@
 #include "main/snort_config.h"
 #include "managers/action_manager.h"
 #include "packet_io/active.h"
-#include "packet_tracer/packet_tracer.h"
+#include "packet_io/packet_tracer.h"
 #include "parser/parser.h"
 #include "profiler/profiler_defs.h"
 #include "protocols/icmp4.h"
 #include "utils/util.h"
 
 #include "context_switcher.h"
-#include "detect.h"
 #include "detect_trace.h"
+#include "detection_buf.h"
 #include "detection_continuation.h"
 #include "detection_engine.h"
 #include "detection_module.h"
 #include "detection_options.h"
-#include "detection_util.h"
+#include "event_trace.h"
 #include "fp_config.h"
 #include "fp_create.h"
 #include "fp_utils.h"
@@ -108,9 +110,7 @@ void populate_trace_data()
     if ( tr_len > 0 )
     {
         tr_context[tr_len-1] = ' ';
-        PacketTracer::daq_log("IPS+%" PRId64"++%s$",
-            TO_NSECS(pt_timer->get()),
-            tr_context);
+        PacketTracer::daq_log("IPS+%" PRId64"++%s$", PacketTracer::get_time(), tr_context);
 
         tr_len = 0;
         tr_context[0] = '\0';
@@ -128,14 +128,14 @@ static inline void init_match_info(const IpsContext* c)
 // called by fpLogEvent(), which does the filtering etc.
 // this handles the non-rule-actions (responses).
 static inline void fpLogOther(
-    Packet* p, const RuleTreeNode* rtn, const OptTreeNode* otn, Actions::Type action)
+    Packet* p, const RuleTreeNode* rtn, const OptTreeNode* otn, IpsAction::Type action)
 {
     if ( EventTrace_IsEnabled(p->context->conf) )
         EventTrace_Log(p, otn, action);
 
     if ( PacketTracer::is_active() )
     {
-        std::string act = Actions::get_string(action);
+        std::string act = IpsAction::get_string(action);
         PacketTracer::log("Event: %u:%u:%u, Action %s\n",
             otn->sigInfo.gid, otn->sigInfo.sid,
             otn->sigInfo.rev, act.c_str());
@@ -143,7 +143,7 @@ static inline void fpLogOther(
 
     if ( PacketTracer::is_daq_activated() )
     {
-        std::string act = Actions::get_string(action);
+        std::string act = IpsAction::get_string(action);
         tr_len += snprintf(tr_context+tr_len, sizeof(tr_context) - tr_len,
                       "gid:%u, sid:%u, rev:%u, action:%s, msg:%s\n",
                       otn->sigInfo.gid, otn->sigInfo.sid,
@@ -186,9 +186,9 @@ int fpLogEvent(const RuleTreeNode* rtn, const OptTreeNode* otn, Packet* p)
 
     // perform rate filtering tests - impacts action taken
     rateAction = RateFilter_Test(otn, p);
-    override = ( rateAction >= Actions::get_max_types() );
+    override = ( rateAction >= IpsAction::get_max_types() );
     if ( override )
-        rateAction -= Actions::get_max_types();
+        rateAction -= IpsAction::get_max_types();
 
     // internal events are no-ops
     if ( (rateAction < 0) && EventIsInternal(otn->sigInfo.gid) )
@@ -223,10 +223,10 @@ int fpLogEvent(const RuleTreeNode* rtn, const OptTreeNode* otn, Packet* p)
         **  that are drop rules.  We just don't want to see the alert.
         */
         IpsAction * act = get_ips_policy()->action[action];
-        act->exec(p);
+        ActInfo ai(otn, false);
+        act->exec(p, ai);
 
-        if ( p->active && p->flow &&
-            (p->active->get_action() >= Active::ACT_DROP) )
+        if ( p->active && p->flow && (p->active->get_action() >= Active::ACT_DROP) )
         {
             if ( p->active->can_partial_block_session() )
                 p->flow->flags.ips_pblock_event_suppressed = true;
@@ -247,20 +247,19 @@ int fpLogEvent(const RuleTreeNode* rtn, const OptTreeNode* otn, Packet* p)
     const SnortConfig* sc = p->context->conf;
 
     if ( (p->packet_flags & PKT_PASS_RULE) &&
-        (sc->get_eval_index(rtn->action) > sc->get_eval_index(Actions::get_type("pass"))) )
+        (sc->get_eval_index(rtn->action) > sc->get_eval_index(IpsAction::get_type("pass"))) )
     {
         fpLogOther(p, rtn, otn, rtn->action);
         return 1;
     }
 
     otn->state[get_instance_id()].alerts++;
+    uint16_t eseq = Event::get_next_seq_num();
+    IpsAction* act = get_ips_policy()->action[action];
+    ActInfo ai(otn);
 
-    incr_event_id();
-
-    IpsAction * act = get_ips_policy()->action[action];
-    act->exec(p, otn);
-    SetTags(p, otn, get_event_id());
-
+    act->exec(p, ai);
+    SetTags(p, otn, eseq);
     fpLogOther(p, rtn, otn, action);
 
     return 0;
@@ -642,7 +641,7 @@ static inline int fpFinalSelectEvent(OtnxMatchData* omd, Packet* p)
     {
         /* bail if were not dumping events in all the action groups,
          * and we've already got some events */
-        if (!p->context->conf->process_all_events() && (tcnt > 0))
+        if (!p->context->conf->event_queue_config->process_all_events && (tcnt > 0))
             return 1;
 
         if ( omd->matchInfo[i].iMatchCount )
@@ -1398,7 +1397,8 @@ static inline int fp_do_actions(OtnxMatchData* omd, Packet* p)
             const OptTreeNode* otn = omd->matchInfo[i].MatchArray[0];
             RuleTreeNode* rtn = getRtnFromOtn(otn);
             IpsAction* act = get_ips_policy()->action[rtn->action];
-            act->exec(p, otn);
+            ActInfo ai(otn);
+            act->exec(p, ai);
         }
     }
 
index fbcc7769420a526612d951fb1ce6669e956293c3..15cad2f459b9d2f5e34c5b71069f7ed6fd22ebfb 100644 (file)
@@ -29,7 +29,6 @@
 // rule groups are selected based on traffic and any fast pattern
 // matches trigger rule tree evaluation.
 
-#include "main/thread.h"
 #include "profiler/profiler_defs.h"
 #include "target_based/snort_protocols.h"
 
index 022aa63c0a8386834a846f2e49bf9ce451759aa3..4cfa1683f99b0858007aa2efde9e20b0196d3d0c 100644 (file)
@@ -39,6 +39,7 @@
 #include "ips_options/ips_flowbits.h"
 #include "log/messages.h"
 #include "main/snort_config.h"
+#include "main/thread.h"
 #include "parser/parse_conf.h"
 #include "pattern_match_data.h"
 #include "ports/port_group.h"
index c869086123beb484fb557318c6306e35ed2df0fa..bffb6182e6c3ab750ee33887a4c991a52618b31e 100644 (file)
@@ -27,7 +27,7 @@
 
 #include <list>
 
-#include "detection/detection_util.h"
+#include "detection/detection_buf.h"
 #include "framework/codec.h"
 #include "framework/mpse.h"
 #include "framework/mpse_batch.h"
index 9ec335928e075ade1f5c7bcba1e4b34a8a2ae22e..9acb6bc1b84eaeb60d3b7319915dc8eb6457dd4f 100644 (file)
@@ -38,7 +38,6 @@
 #include "latency/packet_latency.h"
 #include "latency/rule_latency.h"
 #include "main/snort_config.h"
-#include "main/thread.h"
 #include "main/thread_config.h"
 #include "managers/module_manager.h"
 #include "utils/stats.h"
index 8fec29f8f120efd3bfb7e18236868a0b729bc757..651fb22b7a6b462948beb9cc02aa9cb957070f6b 100644 (file)
@@ -27,7 +27,7 @@
 #include <map>
 #include <string>
 
-#include "actions/actions.h"
+#include "framework/ips_action.h"
 #include "main/policy.h"
 
 #define GID_DEFAULT          1
@@ -61,7 +61,7 @@ struct ListHead
 struct RuleListNode
 {
     ListHead* RuleList;   /* The rule list associated with this node */
-    Actions::Type mode;        /* the rule mode */
+    snort::IpsAction::Type mode;        /* the rule mode */
     unsigned evalIndex;        /* eval index for this rule set */
     char* name;           /* name of this rule list */
     RuleListNode* next;   /* the next RuleListNode */
@@ -94,7 +94,7 @@ public:
 private:
     RuleTreeNode* dup_rtn(RuleTreeNode*, IpsPolicy*);
     void update_rtn(snort::SnortConfig*, RuleTreeNode*, const RuleState&);
-    void apply(snort::SnortConfig*, OptTreeNode*, unsigned ips_num, const RuleState&);
+    void apply(snort::SnortConfig*, struct OptTreeNode*, unsigned ips_num, const RuleState&);
 
 private:
     std::map<RuleKey, RuleState> map;
index f7c4f4ff2ba30f1fc8573c733a404dc91a3c98d0..025d007be471e098f0b899ff756d292ded8d3cfe 100644 (file)
@@ -28,9 +28,9 @@
 
 #include "signature.h"
 
-#include "actions/actions.h"
 #include "framework/decode_data.h"
 #include "filters/sfthd.h"
+#include "framework/ips_action.h"
 #include "hash/hash_defs.h"
 #include "hash/ghash.h"
 #include "helpers/json_stream.h"
@@ -462,7 +462,7 @@ void dump_rule_state(const SnortConfig* sc)
             auto pid = snort::get_ips_policy(sc, i)->user_policy_id;
             json.put("policy", pid);
 
-            std::string action = Actions::get_string(rtn->action);
+            std::string action = IpsAction::get_string(rtn->action);
             json.put("action", action.c_str());
 
             const char* s = rtn->enabled() ? "yes" : "no";
index 8799e8426fabe4463594c11227fa37337c19a251..fee071abee7cca38569a6e3546d6f14de77355db 100644 (file)
@@ -98,7 +98,7 @@ struct TagNode
     uint16_t event_id;
     struct timeval event_time;
 
-    void* log_list;  // retain custom logging if any from triggering alert
+    struct ListHead* log_list;  // retain custom logging if any from triggering alert
 };
 
 /*  G L O B A L S  **************************************************/
@@ -114,16 +114,9 @@ static THREAD_LOCAL unsigned s_sessions = 0;
 // (consecutive) sessions to be captured.
 static const unsigned s_max_sessions = 1;
 
-
 /*  P R O T O T Y P E S  ********************************************/
-static TagNode* TagAlloc(XHash*);
 static void TagFree(XHash*, TagNode*);
 static int PruneTagCache(uint32_t, int);
-static int PruneTime(XHash* tree, uint32_t thetime);
-static void TagSession(const Packet*, TagData*, uint32_t, uint16_t, void*);
-static void TagHost(const Packet*, TagData*, uint32_t, uint16_t, void*);
-static void AddTagNode(const Packet*, TagData*, int, uint32_t, uint16_t, void*);
-static inline void SwapTag(TagNode*);
 
 class TagSessionCache : public XHash
 {
@@ -241,16 +234,7 @@ static TagNode* TagAlloc(
     return tag_node;
 }
 
-/**Frees allocated TagNode.
- *
- * @param hash - pointer to XHash that should point to either ssn_tag_cache_ptr
- * or host_tag_cache_ptr.
- * @param node - pointer to node to be freed
- */
-static void TagFree(
-    XHash* hash,
-    TagNode* node
-    )
+static void TagFree(XHash* hash, TagNode* node)
 {
     if (node == nullptr)
         return;
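Review bot: The removed comment on `TagFree` documented the precondition that `hash` is the session or host tag cache the node belongs to, and nothing in the new code carries that forward; the same applies to the `SwapTag` description dropped in the following hunk. Keep a one-line version above the simplified signature, e.g. `// hash: the session or host tag cache the node was allocated from`. TagFree's body continues outside the hunk.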
@@ -262,11 +246,6 @@ static void TagFree(
     tag_memory_usage -= memory_per_node(hash);
 }
 
-/**
- * swap the sips and dips, dp's and sp's
- *
- * @param np TagNode ptr
- */
 static inline void SwapTag(TagNode* np)
 {
     SfIp tip;
@@ -295,33 +274,8 @@ void CleanupTag()
     delete host_tag_cache;
 }
 
-static void TagSession(const Packet* p, TagData* tag, uint32_t time, uint16_t event_id, void* log_list)
-{
-    AddTagNode(p, tag, TAG_SESSION, time, event_id, log_list);
-}
-
-static void TagHost(const Packet* p, TagData* tag, uint32_t time, uint16_t event_id, void* log_list)
-{
-    int mode;
-
-    switch (tag->tag_direction)
-    {
-    case TAG_HOST_DST:
-        mode = TAG_HOST_DST;
-        break;
-    case TAG_HOST_SRC:
-        mode = TAG_HOST_SRC;
-        break;
-    default:
-        mode = TAG_HOST_SRC;
-        break;
-    }
-
-    AddTagNode(p, tag, mode, time, event_id, log_list);
-}
-
 static void AddTagNode(const Packet* p, TagData* tag, int mode, uint32_t now,
-    uint16_t event_id, void* log_list)
+    uint16_t event_id, ListHead* log_list)
 {
     TagNode* idx;  /* index pointer */
     TagNode* returned;
@@ -427,7 +381,33 @@ static void AddTagNode(const Packet* p, TagData* tag, int mode, uint32_t now,
     }
 }
 
-int CheckTagList(Packet* p, Event& event, void** log_list)
+static void TagSession(const Packet* p, TagData* tag, uint32_t time, uint16_t event_id, ListHead* log_list)
+{
+    AddTagNode(p, tag, TAG_SESSION, time, event_id, log_list);
+}
+
+static void TagHost(const Packet* p, TagData* tag, uint32_t time, uint16_t event_id, ListHead* log_list)
+{
+    int mode;
+
+    switch (tag->tag_direction)
+    {
+    case TAG_HOST_DST:
+        mode = TAG_HOST_DST;
+        break;
+    case TAG_HOST_SRC:
+        mode = TAG_HOST_SRC;
+        break;
+    default:
+        mode = TAG_HOST_SRC;
+        break;
+    }
+
+    AddTagNode(p, tag, mode, time, event_id, log_list);
+}
+
+int CheckTagList(
+    Packet* p, SigInfo& info, ListHead*& ret_list, struct timeval& ret_time, uint32_t& ret_id, const char*& ret_act)
 {
     TagNode idx;
     TagNode* returned = nullptr;
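Review bot: The new `CheckTagList` signature carries five reference out-parameters, and `ret_id` is `uint32_t&` although it is filled from `TagNode::event_id`, a `uint16_t` (line 2777), while the ids elsewhere in this commit are 16-bit (`uint16_t eseq` in fpLogEvent, `uint16_t event_id` in SetTags); pick one width so the value is not silently widened and narrowed on its way through. Grouping the outputs into a small struct (sig info, list, time, id, action name) would let the function return it by value and make check_tags read as a single `if (CheckTagList(p, match))`. CheckTagList's body continues outside the hunk.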
@@ -540,10 +520,16 @@ int CheckTagList(Packet* p, Event& event, void** log_list)
 
         if ( create_event )
         {
-            event.set_event(GID_TAG, TAG_LOG_PKT, 1, 1, 1, returned->event_id,
-                p->context->conf->get_event_log_id(), returned->event_time);
-
-            *log_list = returned->log_list;
+            info.gid = GID_TAG;
+            info.sid = TAG_LOG_PKT;
+            info.rev = 1;
+            info.class_id = 1;
+            info.priority = 1;
+
+            ret_time = returned->event_time;
+            ret_id = returned->event_id;
+            ret_list = returned->log_list;
+            ret_act = (ret_list and ret_list->ruleListNode) ? ret_list->ruleListNode->name : "";
         }
 
         if ( !returned->metric )
@@ -567,6 +553,30 @@ int CheckTagList(Packet* p, Event& event, void** log_list)
     return 0;
 }
 
+static int PruneTime(XHash* tree, uint32_t thetime)
+{
+    int pruned = 0;
+    TagNode* lru_node = nullptr;
+
+    while ((lru_node = (TagNode*)tree->get_lru_user_data()) != nullptr)
+    {
+        if ((lru_node->last_access + TAG_PRUNE_QUANTUM) < thetime)
+        {
+            if (tree->release_node(&lru_node->key) != HASH_OK)
+            {
+                LogMessage("WARNING: failed to remove tagNode from hash.\n");
+            }
+            pruned++;
+        }
+        else
+        {
+            break;
+        }
+    }
+
+    return pruned;
+}
+
 static int PruneTagCache(uint32_t thetime, int mustdie)
 {
     int pruned = 0;
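Review bot: In the relocated PruneTime, a failed `tree->release_node()` only logs a warning and then increments `pruned`, so the count is overstated, and if the failed node is left in its LRU position the next `get_lru_user_data()` returns the same node with the same timestamp and the loop never terminates. The code is moved verbatim, but since it is being touched, `break;` (or `return pruned;`) after the LogMessage would bound the loop; whether release_node leaves the node in place on failure is not visible here and should be confirmed against XHash. PruneTagCache, which follows, begins in this hunk but its body continues outside it.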
@@ -599,30 +609,6 @@ static int PruneTagCache(uint32_t thetime, int mustdie)
     return pruned;
 }
 
-static int PruneTime(XHash* tree, uint32_t thetime)
-{
-    int pruned = 0;
-    TagNode* lru_node = nullptr;
-
-    while ((lru_node = (TagNode*)tree->get_lru_user_data()) != nullptr)
-    {
-        if ((lru_node->last_access + TAG_PRUNE_QUANTUM) < thetime)
-        {
-            if (tree->release_node(&lru_node->key) != HASH_OK)
-            {
-                LogMessage("WARNING: failed to remove tagNode from hash.\n");
-            }
-            pruned++;
-        }
-        else
-        {
-            break;
-        }
-    }
-
-    return pruned;
-}
-
 void SetTags(const Packet* p, const OptTreeNode* otn, uint16_t event_id)
 {
     if (otn != nullptr && otn->tag != nullptr)
@@ -630,7 +616,7 @@ void SetTags(const Packet* p, const OptTreeNode* otn, uint16_t event_id)
         if (otn->tag->tag_type != 0)
         {
             RuleTreeNode* rtn = getRtnFromOtn(otn);
-            void* log_list = rtn ? rtn->listhead : nullptr;
+            ListHead* log_list = rtn ? rtn->listhead : nullptr;
 
             switch (otn->tag->tag_type)
             {
index af661f79837528ff9f4327a694f5e07867a09fcb..c4f8168560608b620e9cadff9e530236ea267d1b 100644 (file)
@@ -34,8 +34,10 @@ namespace snort
 struct Packet;
 }
 
+class Event;
+struct ListHead;
 struct OptTreeNode;
-struct Event;
+struct SigInfo;
 
 #define GID_TAG       2
 #define TAG_LOG_PKT   1
@@ -64,7 +66,7 @@ struct TagData
 
 void InitTag();
 void CleanupTag();
-int CheckTagList(snort::Packet*, Event&, void**);
+int CheckTagList(snort::Packet*, SigInfo&, ListHead*&, struct timeval&, uint32_t& id, const char*& action);
 void SetTags(const snort::Packet*, const OptTreeNode*, uint16_t);
 
 #endif
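Review bot: The added `class Event;` forward declaration is not used by any declaration visible in this header now that CheckTagList takes `SigInfo&` instead of `Event&`; if nothing between the hunks references Event it should be dropped along with the old `struct Event;`. The new prototype also names only two of its six parameters (`id`, `action`); either name them all or none, e.g. `int CheckTagList(snort::Packet*, SigInfo&, ListHead*& log_list, struct timeval& time, uint32_t& id, const char*& action);`. `struct timeval` in the prototype needs `<sys/time.h>` (or an equivalent) to be reachable from this header; its include block is outside the hunk, so confirm it is not relying on transitive includes.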
index baaadbcf923ae7ca772bdabaf271a998faea396a..e6ac4986e3d90153f4620a3803c7c92b3227af25 100644 (file)
@@ -24,9 +24,9 @@
 
 #include <string>
 
-#include "actions/actions.h"
 #include "detection/signature.h"
 #include "detection/rule_option_types.h"
+#include "framework/ips_action.h"
 #include "framework/pdu_section.h"
 #include "main/policy.h"
 #include "main/snort_types.h"
@@ -136,7 +136,7 @@ struct RuleTreeNode
     // Multiple OTNs can reference this RTN with the same policy.
     unsigned int otnRefCount = 0; // FIXIT-L shared_ptr?
 
-    Actions::Type action = 0;
+    snort::IpsAction::Type action = 0;
 
     uint8_t flags = 0;
 
index c690af09fb2a43de11949c0c6c8c026f8174e6b9..ed56c8be8c5ca11e7f92a64c546cc283724bf0e8 100644 (file)
@@ -1,12 +1,12 @@
 
 set (INCLUDES
     event.h
-    event_queue.h
 )
 
 add_library (events OBJECT
     event.cc
     event_queue.cc
+    event_queue.h
     sfeventq.cc
     sfeventq.h
     ${INCLUDES}
index f2375bebfefb969be763d71acaef3e4c944498b9..30c4d08602548a55b751a3935a5baa5629b4a9b9 100644 (file)
 
 #include "detection/signature.h"
 #include "main/snort_config.h"
+#include "main/thread.h"
 
 using namespace snort;
 
 static THREAD_LOCAL uint16_t g_event_id;
+static SigInfo s_dummy;
 
-uint16_t get_event_id()
-{
-    return g_event_id;
-}
-
-void incr_event_id()
-{
-    g_event_id++;
-}
-
-static uint32_t calc_event_id(uint16_t id, uint16_t log_id)
+static uint32_t calc_event_id(uint16_t id)
 {
     // Use instance ID to make log_id unique per packet thread. Even if
     // it overflows, value will still be unique if there are less than
     // 65k threads.
+    uint16_t log_id = SnortConfig::get_conf()->get_event_log_id();
     log_id += snort::get_instance_id();
     return (id | (log_id << 16));
 }
 
-void Event::update_event_id(uint16_t log_id)
+uint16_t Event::get_curr_seq_num()
+{ return g_event_id; }
+
+uint16_t Event::get_next_seq_num()
+{ return ++g_event_id; }
+
+uint32_t Event::get_next_event_id()
 {
-    event_id = calc_event_id(g_event_id, log_id);
+    uint16_t eseq = get_next_seq_num();
+    return calc_event_id(eseq);
 }
 
-void Event::update_event_id_and_ref(uint16_t log_id)
+Event::Event() : sig_info(s_dummy) { }
+
+Event::Event(uint32_t sec, uint32_t usec, const SigInfo& si, const char** bufs, const char* act) :
+    sig_info(si)
 {
-    event_id = calc_event_id(g_event_id, log_id);
+    ts_sec = sec;
+    ts_usec = usec;
+
+    buffs_to_dump = bufs;
+    action = act;
+
+    event_id = calc_event_id(g_event_id);
     event_reference = event_id;
 }
 
-uint32_t Event::update_and_get_event_id(void)
+Event::Event(uint32_t sec, uint32_t usec, const SigInfo& si, const char** bufs, const char* act, uint32_t ref) :
+    sig_info(si)
 {
-    /* return event id based on g_event_id. */
-    incr_event_id();
+    ts_sec = sec;
+    ts_usec = usec;
+
+    buffs_to_dump = bufs;
+    action = act;
 
-    return calc_event_id(g_event_id,
-        SnortConfig::get_conf()->get_event_log_id());
+    event_id = get_next_event_id();
+    event_reference = calc_event_id(ref);
 }
 
-void Event::set_event(uint32_t gid, uint32_t sid, uint32_t rev,
-    uint32_t classification, uint32_t priority, uint16_t event_ref,
-    uint16_t log_id, const struct timeval& tv, const std::string& act)
+uint32_t Event::get_seconds() const
+{ return ts_sec; }
+
+void Event::get_timestamp(uint32_t& sec, uint32_t& usec) const
+{ sec = ts_sec; usec = ts_usec; }
+
+uint32_t Event::get_event_id() const
+{ return event_id; }
+
+uint32_t Event::get_event_reference() const
+{ return event_reference; }
+
+uint32_t Event::get_gid() const
+{ return sig_info.gid; }
+
+uint32_t Event::get_sid() const
+{ return sig_info.sid; }
+
+uint32_t Event::get_rev() const
+{ return sig_info.rev; }
+
+void Event::get_sig_ids(uint32_t& gid, uint32_t& sid, uint32_t& rev) const
 {
-    sig_info->gid = gid;
-    sig_info->sid = sid;
-    sig_info->rev = rev;
-    sig_info->class_id = classification;
-    sig_info->priority = priority;
-
-    event_id = update_and_get_event_id();
-
-    if (event_ref)
-        event_reference = calc_event_id(event_ref, log_id);
-    else
-        event_reference = event_id;
-
-    ref_time.tv_sec = tv.tv_sec;
-    ref_time.tv_usec = tv.tv_usec;
-    action_string = act;
+    gid = sig_info.gid;
+    sid = sig_info.sid;
+    rev = sig_info.rev;
+}
+
+const char* Event::get_msg() const
+{
+    if ( sig_info.message.empty() )
+        return nullptr;
+
+    return sig_info.message.c_str();
+}
+
+const char* Event::get_class_type() const
+{
+    if ( !sig_info.class_type or sig_info.class_type->text.empty() )
+        return nullptr;
+
+    return sig_info.class_type->text.c_str();
 }
 
+const char** Event::get_buffers() const
+{ return buffs_to_dump; }
+
+const char* Event::get_action() const
+{ return action; }
+
+uint32_t Event::get_class_id() const
+{ return sig_info.class_id; }
+
+uint32_t Event::get_priority() const
+{ return sig_info.priority; }
+
+bool Event::get_target(bool& src) const
+{
+    if ( sig_info.target == TARGET_SRC )
+    {
+        src = true;
+        return true;
+    }
+    else if ( sig_info.target == TARGET_DST )
+    {
+        src = false;
+        return true;
+    }
+    return false;
+}
+
+const SigInfo& Event::get_sig_info() const
+{ return sig_info; }
+
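Review bot: The reference constructor `Event::Event(..., uint32_t ref)` hands `ref` to `calc_event_id(uint16_t)`, silently truncating a 32-bit argument, and it also drops the `if (event_ref)` fallback the removed `set_event` had, so a caller passing 0 now gets `event_reference == calc_event_id(0)` instead of its own event id. Either declare the parameter `uint16_t ref` so the narrowing is explicit at the call site and restore `if (ref) event_reference = calc_event_id(ref); else event_reference = event_id;`, or document in a comment that ref is a 16-bit sequence number and 0 is a legitimate reference. Separately, `calc_event_id` now reads the log id from `SnortConfig::get_conf()` where the removed CheckTagList path used `p->context->conf`; if those can differ during a reload the tagged-packet reference id changes meaning, which deserves a comment on the `log_id` line. `s_dummy` is a plain (non-THREAD_LOCAL) static bound by the default constructor; that is fine only as long as nothing ever writes through it, which a `// read-only placeholder; never modified` comment would pin down.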
index 5290de9021cbf102e61cc4fa033f035365a4c94e..2bf8a58557116409340d4103a6d54d8351b85cf0 100644 (file)
@@ -1,7 +1,5 @@
 //--------------------------------------------------------------------------
 // Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2002-2013 Sourcefire, Inc.
-// Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
 //
 // This program is free software; you can redistribute it and/or modify it
 // under the terms of the GNU General Public License Version 2 as published
 #ifndef EVENT_H
 #define EVENT_H
 
-#include "main/thread.h"
+#include "main/snort_types.h"
 
 struct SigInfo;
 
-/* we must use fixed size of 32 bits, because on-disk
- * format of savefiles uses 32-bit tv_sec (and tv_usec)
- */
-struct sf_timeval32
+class SO_PUBLIC Event
 {
-    uint32_t tv_sec;      /* seconds */
-    uint32_t tv_usec;     /* microseconds */
-};
+public:
+    Event();
+    Event(uint32_t sec, uint32_t usec, const SigInfo&, const char** buffers, const char* action);
+    Event(uint32_t sec, uint32_t usec, const SigInfo&, const char** buffers, const char* action, uint32_t ref);
 
-struct Event
-{
-    SigInfo* sig_info = nullptr;
-    struct sf_timeval32 ref_time = { 0, 0 };   /* reference time for the event reference */
-    const char* alt_msg = nullptr;
-    std::string action_string;
-    const char** buffs_to_dump = nullptr;
+    static uint16_t get_curr_seq_num();
+    static uint16_t get_next_seq_num();
+    static uint32_t get_next_event_id();
+
+    const SigInfo& get_sig_info() const;
+
+    uint32_t get_seconds() const;
+    void get_timestamp(uint32_t& sec, uint32_t& usec) const;
 
-    Event() = default;
-    Event(SigInfo& si)
-    { sig_info = &si; }
+    uint32_t get_event_id() const;
+    uint32_t get_event_reference() const;
 
-    uint32_t get_event_id() const { return event_id; }
-    void set_event_id(uint32_t id) { event_id = id; }
+    const char** get_buffers() const;
+    const char* get_action() const;
 
-    uint32_t get_event_reference() const { return event_reference; }
-    void set_event_reference(uint32_t ref) { event_reference = ref; }
+    uint32_t get_gid() const;
+    uint32_t get_sid() const;
+    uint32_t get_rev() const;
 
-    void update_event_id(uint16_t log_id);
-    void update_event_id_and_ref(uint16_t log_id);
-    SO_PUBLIC static uint32_t update_and_get_event_id();
+    void get_sig_ids(uint32_t& gid, uint32_t& sid, uint32_t& rev) const;
 
-    void set_event(uint32_t gid, uint32_t sid, uint32_t rev,
-        uint32_t classification, uint32_t priority, uint16_t event_ref,
-        uint16_t log_id, const struct timeval& tv, const std::string& act = "");
+    const char* get_msg() const;
+    const char* get_class_type() const;
 
+    uint32_t get_class_id() const;
+    uint32_t get_priority() const;
+
+    // returns false if not specified; otherwise src indicates target is source or dest
+    bool get_target(bool& src) const;
 
 private:
+    const SigInfo& sig_info;
+    const char* action = nullptr;
+    const char** buffs_to_dump = nullptr;
+
+    uint32_t ts_sec = 0;
+    uint32_t ts_usec = 0;
+
     uint32_t event_id = 0;
     uint32_t event_reference = 0; // reference to other events that have gone off,
                                   // such as in the case of tagged packets...
 };
 
-uint16_t get_event_id();
-void incr_event_id();
-
 #endif
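Review bot: `sig_info` is now a `const SigInfo&` member, which makes `Event` non-copy-assignable and ties each Event to the lifetime of the SigInfo given to its constructor, yet neither the member nor the constructors say so. Suggest `// referenced SigInfo must outlive this Event; Event is therefore not assignable` on the member and `// binds to a static placeholder SigInfo with no ids set` on the default constructor. The three static sequence/id accessors would also benefit from one line each stating which of them advances the per-thread counter (`get_curr_seq_num` reads it, `get_next_seq_num` and `get_next_event_id` increment it).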
 
index 32fa5969d6c59879b758ad71117529df4caca2cb..9336330bd7e29414c52ba8d56a4a1d8c66939011 100644 (file)
@@ -2,12 +2,8 @@
 set( FILE_API_INCLUDES
     file_api.h
     file_capture.h
-    file_config.h
     file_flows.h
-    file_identifier.h
     file_lib.h
-    file_module.h
-    file_segment.h
     file_service.h
 )
 
@@ -20,14 +16,22 @@ add_library ( file_api OBJECT
     file_cache.cc
     file_cache.h
     file_config.cc
+    file_config.h
     file_flows.cc
     file_identifier.cc
+    file_identifier.h
+    file_inspect.cc
+    file_inspect.h
     file_lib.cc
     file_log.cc
     file_mempool.cc
     file_mempool.h
     file_module.cc
+    file_module.h
+    file_policy.cc
+    file_policy.h
     file_segment.cc
+    file_segment.h
     file_service.cc
     file_stats.cc
     file_stats.h
index 0256594d309efb043f1dadfaea23166bd398af44..e47859090c09a164c61dc561bceda39cd76021de 100644 (file)
 #include "main/snort_config.h"
 #include "main/thread_config.h"
 #include "packet_io/active.h"
-#include "packet_tracer/packet_tracer.h"
+#include "packet_io/packet_tracer.h"
 #include "time/packet_time.h"
 
 #include "file_flows.h"
+#include "file_module.h"
 #include "file_service.h"
 #include "file_stats.h"
 
index c3f1a49ece903d86e7a25583f8ebe4caec73c175..8beee355f0abdc7a658c76cd304cc4cb8b42e88c 100644 (file)
@@ -34,7 +34,9 @@
 
 #include <cassert>
 
+#include "log/log_stats.h"
 #include "log/messages.h"
+#include "main/thread.h"
 #include "utils/stats.h"
 #include "utils/util.h"
 
index 459adabb13cd40f8ede15efda2a6018294ff3160..0390f5e9cbc30bb0660c42b0a2fdd5ff05d696a7 100644 (file)
 
 #include "file_config.h"
 
-#include "main/snort_config.h"
 #include "managers/inspector_manager.h"
+#include "main/snort_config.h"
 #include "parser/parse_utils.h"
 
 #include "file_flows.h"
+#include "file_inspect.h"
 
 using namespace snort;
 
index c37e0e08f3370fd51925042b38dca338b0c22a72..0f47c2b54447009590d6ab9023fe83ad99791015 100644 (file)
@@ -32,8 +32,9 @@
 #include "detection/detection_engine.h"
 #include "log/messages.h"
 #include "main/snort_config.h"
+#include "main/thread.h"
 #include "managers/inspector_manager.h"
-#include "packet_tracer/packet_tracer.h"
+#include "packet_io/packet_tracer.h"
 #include "protocols/packet.h"
 #include "trace/trace_api.h"
 
@@ -78,7 +79,7 @@ static void populate_trace_data(FileContext* context)
 
     PacketTracer::daq_log("file+%" PRId64"+Matched policy id %u, identification %s, signature %s, capture %s+"
                 "File with ID %lu, name %s, type %s, size %lu, SHA %s detected. Verdict %s.$",
-                TO_NSECS(pt_timer->get()),
+                PacketTracer::get_time(),
                 context->get_policy_id(),
                 ((context->is_file_type_enabled() || context->get_file_type() || context->get_file_sig_sha256()) ? "<on>" : "<off>"),
                 ((context->is_file_signature_enabled() || context->get_file_sig_sha256()) ? "<on>" : "<off>"),
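Review bot: `PacketTracer::get_time()` now feeds the `%" PRId64 "` conversion that previously received `TO_NSECS(pt_timer->get())`; unless get_time() returns exactly an `int64_t` the variadic call is undefined behaviour, and it will only be diagnosed if `daq_log` carries a printf format attribute. Confirm the return type or make it explicit with `static_cast<int64_t>(PacketTracer::get_time())`. populate_trace_data starts outside the hunk.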
@@ -368,7 +369,7 @@ bool FileFlows::file_process(Packet* p, uint64_t file_id, const uint8_t* file_da
     }
 
     if (PacketTracer::is_daq_activated())
-        PacketTracer::pt_timer_start();
+        PacketTracer::restart_timer();
 
     if (!cacheable)
         context->set_not_cacheable();
@@ -460,7 +461,7 @@ bool FileFlows::file_process(Packet* p, const uint8_t* file_data, int data_size,
     }
 
     if (PacketTracer::is_daq_activated())
-        PacketTracer::pt_timer_start();
+        PacketTracer::restart_timer();
 
     context = find_main_file_context(position, direction, file_index);
 
@@ -518,120 +519,3 @@ void FileFlows::add_pending_file(uint64_t file_id)
     current_file_id = pending_file_id = file_id;
 }
 
-FileInspect::FileInspect(FileIdModule* fm)
-{
-    fm->load_config(config);
-}
-
-FileInspect:: ~FileInspect()
-{
-    if (config)
-        delete config;
-}
-
-bool FileInspect::configure(SnortConfig*)
-{
-    if (!config)
-        return true;
-
-    FileCache* file_cache = FileService::get_file_cache();
-    if (file_cache)
-    {
-        file_cache->set_block_timeout(config->file_block_timeout);
-        file_cache->set_lookup_timeout(config->file_lookup_timeout);
-        file_cache->set_max_files(config->max_files_cached);
-    }
-
-    return true;
-}
-
-static void file_config_show(const FileConfig* fc)
-{
-    if ( ConfigLogger::log_flag("enable_type", FileService::is_file_type_id_enabled()) )
-        ConfigLogger::log_value("type_depth", fc->file_type_depth);
-
-    if ( ConfigLogger::log_flag("enable_signature", FileService::is_file_signature_enabled()) )
-        ConfigLogger::log_value("signature_depth", fc->file_signature_depth);
-
-    if ( ConfigLogger::log_flag("block_timeout_lookup", fc->block_timeout_lookup) )
-        ConfigLogger::log_value("block_timeout", fc->file_block_timeout);
-
-    if ( ConfigLogger::log_flag("enable_capture", FileService::is_file_capture_enabled()) )
-    {
-        ConfigLogger::log_value("capture_memcap", fc->capture_memcap);
-        ConfigLogger::log_value("capture_max_size", fc->capture_max_size);
-        ConfigLogger::log_value("capture_min_size", fc->capture_min_size);
-        ConfigLogger::log_value("capture_block_size", fc->capture_block_size);
-    }
-
-    ConfigLogger::log_value("lookup_timeout", fc->file_lookup_timeout);
-    ConfigLogger::log_value("max_files_cached", fc->max_files_cached);
-    ConfigLogger::log_value("max_files_per_flow", fc->max_files_per_flow);
-    ConfigLogger::log_value("show_data_depth", fc->show_data_depth);
-
-    ConfigLogger::log_flag("trace_type", fc->trace_type);
-    ConfigLogger::log_flag("trace_signature", fc->trace_signature);
-    ConfigLogger::log_flag("trace_stream", fc->trace_stream);
-}
-
-void FileInspect::show(const SnortConfig*) const
-{
-    if ( config )
-        file_config_show(config);
-}
-
-static Module* mod_ctor()
-{ return new FileIdModule; }
-
-static void mod_dtor(Module* m)
-{ delete m; }
-
-static void file_init()
-{
-    FileFlows::init();
-}
-
-static void file_term()
-{
-}
-
-static Inspector* file_ctor(Module* m)
-{
-    FileIdModule* mod = (FileIdModule*)m;
-    return new FileInspect(mod);
-}
-
-static void file_dtor(Inspector* p)
-{
-    delete p;
-}
-
-static const InspectApi file_inspect_api =
-{
-    {
-        PT_INSPECTOR,
-        sizeof(InspectApi),
-        INSAPI_VERSION,
-        0,
-        API_RESERVED,
-        API_OPTIONS,
-        FILE_ID_NAME,
-        FILE_ID_HELP,
-        mod_ctor,
-        mod_dtor
-    },
-    IT_FILE,
-    PROTO_BIT__NONE,
-    nullptr,
-    "file",
-    file_init,
-    file_term,
-    nullptr, // tinit
-    nullptr, // tterm
-    file_ctor,
-    file_dtor,
-    nullptr, // ssn
-    nullptr  // reset
-};
-
-const BaseApi* sin_file_flow = &file_inspect_api.base;
index abd6ad13a31bbad38cee9518f80a1bda904a0f04..6cd9e3a2ce503fa84795e15f985426411e2364cf 100644 (file)
 // This provides a wrapper to manage several file contexts
 
 #include "flow/flow.h"
+#include "helpers/event_gen.h"
 #include "main/snort_types.h"
-#include "utils/event_gen.h"
 
 #include "file_api.h"
-#include "file_module.h"
 
 #include <map>
 
+static const uint32_t FILE_ID_GID = 150;
+
+enum FileSid
+{
+    EVENT__NONE = -1,
+    EVENT_FILE_DROPPED_OVER_LIMIT = 1,
+    EVENT__MAX_VALUE
+};
+
 using FileEventGen = EventGen<EVENT__MAX_VALUE, EVENT__NONE, FILE_ID_GID>;
 
+class FileInspect;
+
 namespace snort
 {
 class FileContext;
 class Flow;
 
-class FileInspect : public Inspector
-{
-public:
-    FileInspect(FileIdModule*);
-    ~FileInspect() override;
-    void eval(Packet*) override { }
-    bool configure(SnortConfig*) override;
-    void show(const SnortConfig*) const override;
-    FileConfig* config;
-};
-
 class SO_PUBLIC FileFlows : public FlowData
 {
 public:
 
-    FileFlows(Flow* f, FileInspect* inspect) : FlowData(file_flow_data_id, inspect), flow(f) { }
+    FileFlows(Flow* f, FileInspect* fi) : FlowData(file_flow_data_id, (Inspector*)fi), flow(f) { }
     ~FileFlows() override;
     std::mutex file_flow_context_mutex;
     static void init()
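Review bot: The inline FileFlows constructor now does `(Inspector*)fi` on a `FileInspect*` whose type is only forward-declared in this header, so the C-style cast is a reinterpret_cast rather than a derived-to-base conversion; it happens to work because FileInspect singly inherits from Inspector, but any future change to FileInspect's base layout would silently produce a wrong pointer with no compiler diagnostic. Either include `file_inspect.h` here and drop the cast, or move the constructor definition into file_flows.cc where the complete type is visible, e.g. `FileFlows::FileFlows(Flow* f, FileInspect* fi) : FlowData(file_flow_data_id, fi), flow(f) { }`. The FileFlows class continues outside the hunk.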
diff --git a/src/file_api/file_inspect.cc b/src/file_api/file_inspect.cc
new file mode 100644 (file)
index 0000000..02d488a
--- /dev/null
@@ -0,0 +1,155 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2014-2023 Cisco and/or its affiliates. All rights reserved.
+// Copyright (C) 2012-2013 Sourcefire, Inc.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+/*
+ ** Author(s):  Hui Cao <huica@cisco.com>
+ **
+ ** NOTES
+ ** 8.15.15 - Initial Source Code. Hui Cao
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "file_inspect.h"
+
+#include "log/messages.h"
+
+#include "file_cache.h"
+#include "file_config.h"
+#include "file_flows.h"
+#include "file_module.h"
+#include "file_service.h"
+
+using namespace snort;
+
+FileInspect::FileInspect(FileIdModule* fm)
+{
+    fm->load_config(config);
+}
+
+FileInspect:: ~FileInspect()
+{
+    if (config)
+        delete config;
+}
+
+bool FileInspect::configure(SnortConfig*)
+{
+    if (!config)
+        return true;
+
+    FileCache* file_cache = FileService::get_file_cache();
+    if (file_cache)
+    {
+        file_cache->set_block_timeout(config->file_block_timeout);
+        file_cache->set_lookup_timeout(config->file_lookup_timeout);
+        file_cache->set_max_files(config->max_files_cached);
+    }
+
+    return true;
+}
+
+static void file_config_show(const FileConfig* fc)
+{
+    if ( ConfigLogger::log_flag("enable_type", FileService::is_file_type_id_enabled()) )
+        ConfigLogger::log_value("type_depth", fc->file_type_depth);
+
+    if ( ConfigLogger::log_flag("enable_signature", FileService::is_file_signature_enabled()) )
+        ConfigLogger::log_value("signature_depth", fc->file_signature_depth);
+
+    if ( ConfigLogger::log_flag("block_timeout_lookup", fc->block_timeout_lookup) )
+        ConfigLogger::log_value("block_timeout", fc->file_block_timeout);
+
+    if ( ConfigLogger::log_flag("enable_capture", FileService::is_file_capture_enabled()) )
+    {
+        ConfigLogger::log_value("capture_memcap", fc->capture_memcap);
+        ConfigLogger::log_value("capture_max_size", fc->capture_max_size);
+        ConfigLogger::log_value("capture_min_size", fc->capture_min_size);
+        ConfigLogger::log_value("capture_block_size", fc->capture_block_size);
+    }
+
+    ConfigLogger::log_value("lookup_timeout", fc->file_lookup_timeout);
+    ConfigLogger::log_value("max_files_cached", fc->max_files_cached);
+    ConfigLogger::log_value("max_files_per_flow", fc->max_files_per_flow);
+    ConfigLogger::log_value("show_data_depth", fc->show_data_depth);
+
+    ConfigLogger::log_flag("trace_type", fc->trace_type);
+    ConfigLogger::log_flag("trace_signature", fc->trace_signature);
+    ConfigLogger::log_flag("trace_stream", fc->trace_stream);
+}
+
+void FileInspect::show(const SnortConfig*) const
+{
+    if ( config )
+        file_config_show(config);
+}
+
+static Module* mod_ctor()
+{ return new FileIdModule; }
+
+static void mod_dtor(Module* m)
+{ delete m; }
+
+static void file_init()
+{
+    FileFlows::init();
+}
+
+static Inspector* file_ctor(Module* m)
+{
+    FileIdModule* mod = (FileIdModule*)m;
+    return new FileInspect(mod);
+}
+
+static void file_dtor(Inspector* p)
+{
+    delete p;
+}
+
+static const InspectApi file_inspect_api =
+{
+    {
+        PT_INSPECTOR,
+        sizeof(InspectApi),
+        INSAPI_VERSION,
+        0,
+        API_RESERVED,
+        API_OPTIONS,
+        FILE_ID_NAME,
+        FILE_ID_HELP,
+        mod_ctor,
+        mod_dtor
+    },
+    IT_FILE,
+    PROTO_BIT__NONE,
+    nullptr,
+    "file",
+    file_init,
+    nullptr,
+    nullptr, // tinit
+    nullptr, // tterm
+    file_ctor,
+    file_dtor,
+    nullptr, // ssn
+    nullptr  // reset
+};
+
+const BaseApi* sin_file_flow = &file_inspect_api.base;
+
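Review bot: `file_ctor` casts the Module with a C-style `(FileIdModule*)m`; `static_cast<FileIdModule*>(m)` expresses the same intent and fails to compile if the types ever stop being related. The `if (config)` guard in the destructor is redundant since `delete` of a null pointer is a no-op. Both are carried over from file_flows.cc, but the new file is the natural place to tidy them. The copyright line still reads 2014-2023 for a file added in 2024.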
diff --git a/src/file_api/file_inspect.h b/src/file_api/file_inspect.h
new file mode 100644 (file)
index 0000000..fa67abf
--- /dev/null
@@ -0,0 +1,40 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2015-2023 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// author Hui Cao <huica@cisco.com>
+
+#ifndef FILE_INSPECT_H
+#define FILE_INSPECT_H
+
+// file processing configuration
+//
+#include "framework/inspector.h"
+
+class FileInspect : public snort::Inspector
+{
+public:
+    FileInspect(class FileIdModule*);
+    ~FileInspect() override;
+    void eval(snort::Packet*) override { }
+    bool configure(snort::SnortConfig*) override;
+    void show(const snort::SnortConfig*) const override;
+    class FileConfig* config;
+};
+
+#endif
+
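Review bot: `FileInspect::config` is a public raw owning pointer (it is deleted in the destructor in file_inspect.cc) with no in-class initializer and no copy/move control, so a copied FileInspect would double-delete, and if `load_config` does not assign on every path the pointer is read indeterminate. `std::unique_ptr<FileConfig> config;` as a private member removes both problems; failing that, `class FileConfig* config = nullptr;` plus `FileInspect(const FileInspect&) = delete; FileInspect& operator=(const FileInspect&) = delete;` is the minimum. The copyright line reads 2015-2023 for a file added in 2024.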
index aca3b17c71c3bb2d8b9be592c40d19949962d2df..6891b346af79b20b9e535baebf461f726a3fe1db 100644 (file)
 #include <iostream>
 #include <iomanip>
 
-#include "hash/hashes.h"
+#include "detection/fp_detect.h"
 #include "framework/data_bus.h"
-#include "main/snort_config.h"
 #include "managers/inspector_manager.h"
-#include "packet_tracer/packet_tracer.h"
+#include "hash/hashes.h"
+#include "helpers/utf.h"
+#include "main/snort_config.h"
+#include "packet_io/packet_tracer.h"
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
 #include "pub_sub/intrinsic_event_ids.h"
 #include "utils/util.h"
-#include "utils/util_utf.h"
 
 #include "file_api.h"
+#include "file_cache.h"
 #include "file_capture.h"
 #include "file_config.h"
-#include "file_cache.h"
 #include "file_flows.h"
-#include "file_service.h"
+#include "file_inspect.h"
+#include "file_module.h"
 #include "file_segment.h"
+#include "file_service.h"
 #include "file_stats.h"
-#include "file_module.h"
-#include "detection/fp_detect.h"
 
 using namespace snort;
 
@@ -336,10 +337,11 @@ FileContext::~FileContext ()
 {
     if (file_signature_context)
         snort_free(file_signature_context);
+
     if (file_capture)
         stop_file_capture();
-    if (file_segments)
-        delete file_segments;
+
+    delete file_segments;
     InspectorManager::release(inspector);
 }
 
index 7f7faed1782cdd0f5cd0ab8b0f5e39ba3bfeb01e..bd0776b7c18c7137be89e3a8736bf91d13bf4869 100644 (file)
@@ -38,12 +38,12 @@ const std::string VerdictName[] =
 {"Unknown", "Log", "Stop", "Block", "Reset", "Pending", "Stop Capture", "INVALID"};
 
 class FileConfig;
+class FileInspect;
 class FileSegments;
 
 namespace snort
 {
 class FileCapture;
-class FileInspect;
 class Flow;
 
 class SO_PUBLIC FileInfo
index c2f499bd8b8f828de42129efc10af32218c79ea6..7e748432e308248d8c3c94aac4e3caf574d70fcb 100644 (file)
@@ -206,7 +206,6 @@ public:
     { }
 
     void show(const SnortConfig*) const override;
-    void eval(Packet*) override { }
 
     bool configure(SnortConfig*) override
     {
index 04e6f16c7ec12382f5b8bbc9015caf14ced32daf..4f38db385500d6a1d86cc3c32df6c7122593efa7 100644 (file)
 #include "framework/module.h"
 
 #include "file_config.h"
+#include "file_flows.h"
 #include "file_identifier.h"
 #include "trace/trace_api.h"
 #include "utils/util.h"
+
 //-------------------------------------------------------------------------
 // file_id module
 //-------------------------------------------------------------------------
 
-static const uint32_t FILE_ID_GID = 150;
-
 #define FILE_DEBUG(module_name, module_id, log_level, p, ...) \
     trace_logf(log_level, module_name , module_id, p, __VA_ARGS__)
 
@@ -80,12 +80,5 @@ private:
     std::string magic_file;
 };
 
-enum FileSid
-{
-    EVENT__NONE = -1,
-    EVENT_FILE_DROPPED_OVER_LIMIT = 1,
-    EVENT__MAX_VALUE
-};
-
 #endif
 
similarity index 99%
rename from src/framework/file_policy.cc
rename to src/file_api/file_policy.cc
index 121791e3585a0d63032b31a93042793e9fb7e05f..27e3bacadc11fc1ee4f9182d21126a7cd36af451 100644 (file)
@@ -22,7 +22,7 @@
 #include "config.h"
 #endif
 
-#include "framework/file_policy.h"
+#include "file_policy.h"
 
 #include "file_api/file_capture.h"
 #include "file_api/file_lib.h"
index 370f2e01ca9e7d063f33dbe4e7cf2db1f5033616..6635ceb23680e2e16b8ea76f88e9997f70a28bcf 100644 (file)
@@ -30,6 +30,7 @@
 
 #include "file_stats.h"
 
+#include "log/log_stats.h"
 #include "log/messages.h"
 #include "utils/stats.h"
 #include "utils/util.h"
index 9eccf8af6c7b3afbb0ff18cd8bdb1160fba42306..e94da62b7cd62e704c9fd961c5593e5be242e664 100644 (file)
@@ -23,7 +23,6 @@
 #define FILE_STATS_H
 
 #include "framework/counts.h"
-#include "main/thread.h"
 
 #include "file_api.h"
 #include "file_config.h"
index ef137ef69a4fcb06197b4ac4c32c75bacc6d258c..4e5ee679cf31e34daa19ccfc15871c33fa6236c0 100644 (file)
@@ -25,7 +25,6 @@
 
 #include "hash/xhash.h"
 #include "log/messages.h"
-#include "main/thread.h"
 #include "utils/util.h"
 
 #include "sfthd.h"
index d169cf1b09f81ab51868c0099e896cb5b21db32a..4904609f834db11569d8f851259d7c0c9b0ccde1 100644 (file)
@@ -26,7 +26,6 @@
 
 #include "sfrf.h"
 
-#include "main/thread.h"
 #include "detection/rules.h"
 #include "framework/ips_action.h"
 #include "hash/ghash.h"
@@ -317,7 +316,7 @@ static int SFRF_TestObject(tSFRFConfigNode* cfgNode, const SfIp* ip, time_t curT
     // if the count were not incremented in such cases, the
     // threshold would never be exceeded.
     if ( !cfgNode->seconds && (dynNode->count > cfgNode->count)
-      && Actions::is_valid_action(cfgNode->newAction) )
+      && IpsAction::is_valid_action(cfgNode->newAction) )
     {
         IpsAction* act = get_ips_policy()->action[cfgNode->newAction];
         if ( act->drops_traffic() )
@@ -561,7 +560,7 @@ static int checkThreshold(tSFRFConfigNode* cfgNode, tSFRFTrackingNode* dynNode,
     dynNode->filterState = FS_ON;
     dynNode->overRate = 1;
 
-    return Actions::get_max_types() + cfgNode->newAction;
+    return IpsAction::get_max_types() + cfgNode->newAction;
 }
 
 static void updateDependentThresholds(RateFilterConfig* config, unsigned gid,
index 46ac8da539bbe65bf221590932451b33ee84b785..b0f3747f92f592bfa600c976cf3869ca70daaf6f 100644 (file)
@@ -25,8 +25,8 @@
 #include <ctime>
 #include <mutex>
 
-#include "actions/actions.h"
 #include "framework/counts.h"
+#include "framework/ips_action.h"
 #include "main/policy.h"
 #include "sfip/sf_ip.h"
 #include "sfip/sf_ipvar.h"
@@ -72,7 +72,11 @@ struct tSFRFConfigNode
     SFRF_TRACK tracking;
     unsigned count;
     unsigned seconds;
-    Actions::Type newAction;
+
+    // Action that replaces original rule action on reaching threshold
+    snort::IpsAction::Type newAction;
+
+    // Threshold action duration in seconds before reverting to original rule action
     unsigned timeout;
     sfip_var_t* applyTo;
 };
index 8112d9053057b1318ca742b7bf7b55243ff40718..316ecdef6c0a8d722373ceb4de4ac820571a308c 100644 (file)
@@ -558,7 +558,7 @@ static void Init(const SnortConfig* sc, unsigned cap)
         cfg.tracking = p->track;
         cfg.count = p->count;
         cfg.seconds = p->seconds;
-        cfg.newAction = (Actions::Type)RULE_NEW;
+        cfg.newAction = (IpsAction::Type)RULE_NEW;
         cfg.timeout = p->timeout;
         cfg.applyTo = p->ip ? sfip_var_from_string(p->ip, "sfrf_test") : nullptr;
 
@@ -599,8 +599,8 @@ static int EventTest(EventData* p)
     status = SFRF_TestThreshold(rfc, p->gid, p->sid, get_network_policy()->policy_id,
         &sip, &dip, curtime, op);
 
-    if ( status >= Actions::get_max_types() )
-        status -= Actions::get_max_types();
+    if ( status >= IpsAction::get_max_types() )
+        status -= IpsAction::get_max_types();
 
     return status;
 }
index c0bdcafe4f223904a69f1b60e5abcb099fad580f..a530ecd5fc9e6041d8f48174328ff48fd042dfb0 100644 (file)
@@ -36,7 +36,6 @@
 #include "hash/ghash.h"
 #include "hash/hash_defs.h"
 #include "hash/xhash.h"
-#include "main/thread.h"
 #include "sfip/sf_ipvar.h"
 #include "utils/sflsq.h"
 #include "utils/util.h"
@@ -361,7 +360,6 @@ static int sfthd_create_threshold_global(
     return 0;
 }
 
-
 /*!
 Add a permanent threshold object to the threshold table. Multiple
 objects may be defined for each gen_id and sig_id pair. Internally
index d8f5ec9ca5a2652e4921570dd709f22b9c424e0a..a1de6ff1c53a6033f44e1f45424f1d21ded89d8d 100644 (file)
@@ -1,6 +1,6 @@
 set (FLOW_INCLUDES
     deferred_trust.h
-    expect_cache.h
+    expect_flow.h
     flow.h
     flow_data.h
     flow_key.h
@@ -8,6 +8,7 @@ set (FLOW_INCLUDES
     ha.h
     session.h
     stash_item.h
+    stream_flow.h
 )
 
 add_library (flow OBJECT
@@ -16,6 +17,7 @@ add_library (flow OBJECT
     expect_cache.cc
     flow.cc
     flow_cache.cc
+    expect_cache.h
     flow_cache.h
     flow_config.h
     flow_control.cc
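Review bot: `expect_cache.h` is inserted between `flow_cache.cc` and `flow_cache.h`, breaking the alphabetical order the object list otherwise keeps; move it directly after `expect_cache.cc`. Dropping it from FLOW_INCLUDES also stops installing it, so any out-of-tree code that included expect_cache.h must switch to the new expect_flow.h; that looks intended since ExpectFlow is the SO_PUBLIC part, but it deserves a mention alongside the API version bump.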
index 0fc7b586cfd49e7a4c0f688e0be98afe1a4291cb..53a6128192d2b1098d6d7f4438b50f52770acbb8 100644 (file)
 #endif
 
 #include "expect_cache.h"
+#include "expect_flow.h"
 
 #include "detection/ips_context.h"
 #include "hash/zhash.h"
+#include "packet_io/packet_tracer.h"
 #include "packet_io/sfdaq_instance.h"
-#include "packet_tracer/packet_tracer.h"
 #include "protocols/packet.h"
 #include "protocols/vlan.h"
 #include "pub_sub/expect_events.h"
index c14592c11898eecfd6f97a94c4e391e4ecee6b21..b61d2bf5acd3713d8faec998d9e3ba0d4acc13ab 100644 (file)
 // ExpectCache is used to track anticipated flows (like ftp data channels).
 // when the flow is found, it updated with the given info.
 
-//-------------------------------------------------------------------------
-// data structs
-// -- key has IP address and port pairs; one port must be zero (wild card)
-//    forming a 3-tuple
-// -- node struct is stored in hash table by key
-// -- each node struct has one or more list structs linked together
-// -- each list struct has a list of flow data
-// -- when a new expect is added, a new list struct is created if a new
-//    node is created or the last list struct of an existing node already
-//    has the same preproc id in the flow data list
-// -- when a new expect is added, the last list struct is used if the
-//    given preproc id is not already in the flow data list
-// -- nodes are preallocated and stored in hash table; if there is no node
-//    available when an expect is added, LRU nodes are pruned
-// -- list structs are also preallocated and stored in free list; if there
-//    is no list struct available when an expect is added, LRU nodes are
-//    pruned freeing up both nodes and list structs
-// -- the number of list structs per node is capped at MAX_LIST; once
-//    reached, requests to add new expects requiring new list structs fail
-// -- the number of data structs per list struct is not capped
-// -- example:  ftp preproc adds a new 3-tuple twice for 2 expected data
-//    channels -> new node with 2 list structs linked to it
-// -- example:  ftp preproc adds a new 3-tuple once and then another
-//    preproc expects the same 3-tuple -> new node with one list struct
-//    is created for ftp and the next request goes in that same list
-//    struct
-// -- new list structs are appended to node's list struct chain
-// -- matching expected sessions are pulled off from the head of the node's
-//    list struct chain
-//
-// FIXIT-M expiration is by node struct but should be by list struct, ie
-//    individual sessions, not all sessions to a given 3-tuple
-//    (this would make pruning a little harder unless we add linkage
-//    a la FlowCache)
-//-------------------------------------------------------------------------
-#include <vector>
 #include "flow/flow_key.h"
 #include "target_based/snort_protocols.h"
 
@@ -70,21 +34,9 @@ namespace snort
 {
 class Flow;
 class FlowData;
-struct Packet;
 
-struct SO_PUBLIC ExpectFlow
-{
-    struct ExpectFlow* next;
-    snort::FlowData* data;
-
-    ~ExpectFlow();
-    void clear();
-    int add_flow_data(snort::FlowData*);
-    snort::FlowData* get_flow_data(unsigned);
-    static std::vector<ExpectFlow*>* get_expect_flows();
-    static void reset_expect_flows();
-    static void handle_expected_flows(const snort::Packet*);
-};
+struct ExpectFlow;
+struct Packet;
 }
 
 class ExpectCache
diff --git a/src/flow/expect_flow.h b/src/flow/expect_flow.h
new file mode 100644 (file)
index 0000000..814d5b4
--- /dev/null
@@ -0,0 +1,91 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2014-2023 Cisco and/or its affiliates. All rights reserved.
+// Copyright (C) 2013-2013 Sourcefire, Inc.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// expect_cache.h author Russ Combs <rucombs@cisco.com>
+
+#ifndef EXPECT_FLOW_H
+#define EXPECT_FLOW_H
+
+// ExpectCache is used to track anticipated flows (like ftp data channels).
+// when the flow is found, it updated with the given info.
+
+//-------------------------------------------------------------------------
+// data structs
+// -- key has IP address and port pairs; one port must be zero (wild card)
+//    forming a 3-tuple
+// -- node struct is stored in hash table by key
+// -- each node struct has one or more list structs linked together
+// -- each list struct has a list of flow data
+// -- when a new expect is added, a new list struct is created if a new
+//    node is created or the last list struct of an existing node already
+//    has the same preproc id in the flow data list
+// -- when a new expect is added, the last list struct is used if the
+//    given preproc id is not already in the flow data list
+// -- nodes are preallocated and stored in hash table; if there is no node
+//    available when an expect is added, LRU nodes are pruned
+// -- list structs are also preallocated and stored in free list; if there
+//    is no list struct available when an expect is added, LRU nodes are
+//    pruned freeing up both nodes and list structs
+// -- the number of list structs per node is capped at MAX_LIST; once
+//    reached, requests to add new expects requiring new list structs fail
+// -- the number of data structs per list struct is not capped
+// -- example:  ftp preproc adds a new 3-tuple twice for 2 expected data
+//    channels -> new node with 2 list structs linked to it
+// -- example:  ftp preproc adds a new 3-tuple once and then another
+//    preproc expects the same 3-tuple -> new node with one list struct
+//    is created for ftp and the next request goes in that same list
+//    struct
+// -- new list structs are appended to node's list struct chain
+// -- matching expected sessions are pulled off from the head of the node's
+//    list struct chain
+//
+// FIXIT-M expiration is by node struct but should be by list struct, ie
+//    individual sessions, not all sessions to a given 3-tuple
+//    (this would make pruning a little harder unless we add linkage
+//    a la FlowCache)
+//-------------------------------------------------------------------------
+
+#include <vector>
+
+#include "main/snort_types.h"
+
+struct ExpectNode;
+
+namespace snort
+{
+class FlowData;
+struct Packet;
+
+struct SO_PUBLIC ExpectFlow
+{
+    struct ExpectFlow* next;
+    snort::FlowData* data;
+
+    ~ExpectFlow();
+    void clear();
+    int add_flow_data(snort::FlowData*);
+    snort::FlowData* get_flow_data(unsigned);
+    static std::vector<ExpectFlow*>* get_expect_flows();
+    static void reset_expect_flows();
+    static void handle_expected_flows(const snort::Packet*);
+};
+}
+
+#endif
+
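Review bot: The header comment block in this new file describes ExpectCache's internals (node structs, list structs, MAX_LIST, LRU pruning) rather than the ExpectFlow struct it declares, while that same description was deleted from expect_cache.h where ExpectCache still lives; it should stay with ExpectCache, and this file instead needs a short note on what an ExpectFlow is and who owns `data` and `next`, which the raw pointers plus a destructor leave unclear. The file tag `// expect_cache.h author ...` should read `// expect_flow.h author ...`, and the copyright range stops at 2023 while the sibling stream_flow.h in this commit uses 2014-2024. `struct ExpectNode;` is forward-declared but nothing in the header uses it. The sentence `when the flow is found, it updated with the given info` should read `it is updated`.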
index 84ebac467f39120d420bea4ab64e9cb2401f6b9b..379a29ed3b0f329f9876969d9d0ce67486ae4311 100644 (file)
@@ -39,7 +39,6 @@
 #include "framework/data_bus.h"
 #include "framework/decode_data.h"
 #include "framework/inspector.h"
-#include "network_inspectors/appid/application_ids.h"
 #include "protocols/layer.h"
 #include "sfip/sf_ip.h"
 #include "target_based/snort_protocols.h"
@@ -110,7 +109,6 @@ namespace snort
 {
 class FlowHAState;
 struct FlowKey;
-class IpsContext;
 struct Packet;
 
 typedef void (* StreamAppDataFree)(void*);
@@ -159,20 +157,6 @@ struct LwState
     char ignore_direction;
 };
 
-class SO_PUBLIC StreamFlowIntf
-{
-public:
-    virtual FlowData* get_stream_flow_data(const Flow* flow) = 0;
-    virtual void set_stream_flow_data(Flow* flow, FlowData* flow_data) = 0;
-    virtual void get_stream_id(const Flow* flow, int64_t& stream_id) = 0;
-    virtual void* get_hi_msg_section(const Flow* flow) = 0;
-    virtual void set_hi_msg_section(Flow* flow, void* section) = 0;
-    virtual AppId get_appid_from_stream(const Flow*) { return APP_ID_NONE; }
-    // Stream based flows should override this interface to return parent flow
-    // when child flow is passed as input
-    virtual Flow* get_stream_parent_flow(Flow* cflow) { return cflow; }
-};
-
 // this struct is organized by member size for compactness
 class SO_PUBLIC Flow
 {
@@ -474,7 +458,7 @@ public:  // FIXIT-M privatize if possible
     IpsContextChain context_chain;
     FlowData* current_flow_data = nullptr;
     FlowStats flowstats = {};
-    StreamFlowIntf* stream_intf = nullptr;
+    class StreamFlowIntf* stream_intf = nullptr;
 
     SfIp client_ip = {};
     SfIp server_ip = {};
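Review bot: `class StreamFlowIntf* stream_intf = nullptr;` relies on an elaborated-type-specifier to introduce the class name in the middle of a member list, which only yields `snort::StreamFlowIntf` through the enclosing-namespace rule and is easy to misread as a leftover from the removed definition. Prefer the explicit forward declaration the file already uses for its other opaque types: add `class StreamFlowIntf;` beside `class FlowHAState;` at the top of namespace snort and keep the member as `StreamFlowIntf* stream_intf = nullptr;`. Class Flow starts and ends outside this hunk.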
index bee007c6270c73a24b40962a184fac8eb9a47a7d..7515ce89b06ee2eca75ba4791a59d129b4581957 100644 (file)
@@ -37,7 +37,7 @@
 #endif
 #include "main/thread_config.h"
 #include "packet_io/active.h"
-#include "packet_tracer/packet_tracer.h"
+#include "packet_io/packet_tracer.h"
 #include "stream/base/stream_module.h"
 #include "stream/tcp/tcp_stream_session.h"
 #include "stream/tcp/tcp_trace.h"
index 20deac8827fe83ba0472f082b30c4b388c6e71ba..7066a56dac8b5fe062c476c312635d8e91905ecd 100644 (file)
 #include <memory>
 
 #include "framework/counts.h"
-#include "main/analyzer_command.h"
-#include "main/thread.h"
-
 #include "flow_config.h"
+#include "main/analyzer_command.h"
 #include "prune_stats.h"
 #include "filter_flow_critera.h"
 
index 3acc2202ae45523de346183bb383c2dd2280ac45..34f5a5012c748c9a9e28391935b1a4d19b2e6e01 100644 (file)
@@ -26,9 +26,8 @@
 
 #include "detection/detection_engine.h"
 #include "main/snort_config.h"
-#include "managers/inspector_manager.h"
 #include "packet_io/active.h"
-#include "packet_tracer/packet_tracer.h"
+#include "packet_io/packet_tracer.h"
 #include "protocols/icmp4.h"
 #include "protocols/tcp.h"
 #include "protocols/udp.h"
index 12434e1a568dee69dccfb3bc20d6857fd1d6755b..5123db7b9570e38a5175c26da45e9b2efe77565b 100644 (file)
@@ -20,6 +20,9 @@
 #ifndef FLOW_DATA_H
 #define FLOW_DATA_H
 
+// FlowData is how inspectors maintain flow state
+// use Flow::set/get_flow_data() to attach to a flow
+
 #include "main/snort_types.h"
 
 namespace snort
@@ -30,7 +33,6 @@ struct Packet;
 class SO_PUBLIC FlowData
 {
 public:
-    FlowData(unsigned u, Inspector* = nullptr);
     virtual ~FlowData();
 
     unsigned get_id()
@@ -41,13 +43,13 @@ public:
 
     Inspector* get_handler() { return handler; }
 
-    // deprecated - do not implement
-    virtual size_t size_of() { return 0; }
-
     virtual void handle_expected(Packet*) { }
     virtual void handle_retransmit(Packet*) { }
     virtual void handle_eof(Packet*) { }
 
+protected:
+    FlowData(unsigned u, Inspector* = nullptr);
+
 public:  // FIXIT-L privatize
     FlowData* next;
     FlowData* prev;
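Review bot: Making the constructor protected turns FlowData into a base-only type, but the parameters a subclass must now supply are undocumented: `unsigned u` is presumably the id later returned by `get_id()` and `Inspector*` the handler returned by `get_handler()`, which defaults to null. Suggest `// u: id returned by get_id(); handler: inspector that owns this data, or nullptr` above the constructor. The removed `size_of()` hook has no replacement, so an out-of-tree subclass that still declares it with `override` stops compiling while one without `override` silently keeps an unused function; a one-line note in the header or release notes would help plugin authors given the API version bump in this commit.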
index 5b25e8e7e9b53f17e777a4da37fd0d1104077332..f7bcb04bbd8fe6ec93bf25534d8228cc8e3fd5ae 100644 (file)
@@ -31,8 +31,6 @@
 #include "hash/hash_key_operations.h"
 #include "utils/cpp_macros.h"
 
-class HashKeyOperations;
-
 namespace snort
 {
 struct SfIp;
index fa26bf45befc0c769d274a4a6e376e23e48e3961..15a19fd51afb212329122f8c2409e47a84c4c93d 100644 (file)
@@ -26,6 +26,7 @@
 
 #include <cassert>
 
+#include "main/snort_config.h"
 #include "pub_sub/auxiliary_ip_event.h"
 #include "pub_sub/stash_events.h"
 
index 077f022e6ae91486044d8f620e7d665a19471078..09f77d697e6402b59da2e657c8965a9b796841fa 100644 (file)
 #ifndef FLOW_STASH_H
 #define FLOW_STASH_H
 
+// a generic store for shared flow data
+
 #include <list>
 #include <map>
 #include <string>
 #include <unordered_map>
 
-#include "main/snort_config.h"
 #include "main/snort_types.h"
 #include "sfip/sf_ip.h"
 
@@ -52,7 +53,7 @@ public:
     void store(const std::string& key, std::string* val, unsigned pubid = 0, unsigned evid = 0);
     void store(const std::string& key, StashGenericObject* val, unsigned pubid = 0, unsigned evid = 0);
 
-    bool store(const snort::SfIp&, const SnortConfig* sc = nullptr);
+    bool store(const snort::SfIp&, const struct SnortConfig* = nullptr);
 
     std::list<snort::SfIp>& get_aux_ip_list()
     { return aux_ip_fifo; }
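Review bot: `const struct SnortConfig* = nullptr` uses an elaborated-type-specifier inside the parameter list to stand in for the `#include "main/snort_config.h"` this commit removes; whether that introduces `snort::SnortConfig` or a global `::SnortConfig` depends on the namespace enclosing FlowStash, which is outside the hunk, and a mismatch would surface only as an overload-resolution error at call sites. A plain forward declaration after the includes, `namespace snort { struct SnortConfig; }`, makes the intent explicit and lets the parameter stay `const SnortConfig* = nullptr`.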
index 41c65b94ce3d644d0e806875a38bbb2afe490f68..9f44655846ba6e728ce2d5d1474f641715803806 100644 (file)
@@ -24,8 +24,8 @@
 
 #include <cassert>
 
-#include "framework/bits.h"
-#include "main/thread.h"
+#include "main/snort_types.h"
+#include "utils/bits.h"
 
 //-------------------------------------------------------------------------
 
index 284c0dfd87a952cc3a763683000d1ed68c48b8d6..0849efdaca7bef8c12ce30666f3061d8c2bdbb1b 100644 (file)
@@ -24,7 +24,6 @@
 #include <sys/time.h>
 
 #include "framework/module.h"
-#include "main/thread.h"
 
 #define HA_NAME "high_availability"
 #define HA_HELP "implement flow tracking high availability"
index ac31e9742236235ea3fa30555c10548d4636df9f..388c20b06e1c4d874850803d447b005502f95306 100644 (file)
@@ -21,6 +21,8 @@
 #ifndef STASH_ITEM_H
 #define STASH_ITEM_H
 
+// stored in the FlowStash
+
 #include <cstdint>
 #include <string>
 
diff --git a/src/flow/stream_flow.h b/src/flow/stream_flow.h
new file mode 100644 (file)
index 0000000..3560ddb
--- /dev/null
@@ -0,0 +1,49 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// stream_flow.h author Abhijit Pal <abhpal@cisco.com>
+
+#ifndef STREAM_FLOW_H
+#define STREAM_FLOW_H
+
+// for munged services like http2
+
+#include "network_inspectors/appid/application_ids.h"
+
+namespace snort
+{
+class Flow;
+class FlowData;
+
+class SO_PUBLIC StreamFlowIntf
+{
+public:
+    virtual FlowData* get_stream_flow_data(const Flow*) = 0;
+    virtual void set_stream_flow_data(Flow*, FlowData*) = 0;
+    virtual void get_stream_id(const Flow*, int64_t& stream_id) = 0;
+    virtual void* get_hi_msg_section(const Flow*) = 0;
+    virtual void set_hi_msg_section(Flow*, void* section) = 0;
+    virtual AppId get_appid_from_stream(const Flow*) { return APP_ID_NONE; }
+    // Stream based flows should override this interface to return parent flow
+    // when child flow is passed as input
+    virtual Flow* get_stream_parent_flow(Flow* cflow) { return cflow; }
+};
+
+}
+#endif
+
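Review bot: StreamFlowIntf declares virtual methods but no virtual destructor, so if any owner ever deletes an implementation through a `StreamFlowIntf*` (Flow holds one as `stream_intf`) that is undefined behaviour; add `virtual ~StreamFlowIntf() = default;`, which is cheap to do now that the API version is being bumped anyway. The class is marked SO_PUBLIC but the only include is `application_ids.h`, so the macro reaches this header only transitively; include `main/snort_types.h` directly. The `// for munged services like http2` line would be more useful as a sentence saying that this interface lets a multiplexed protocol expose per-stream flow data and a stream id through the parent Flow, which is what the method names suggest but no implementation here confirms.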
index 8425a2fe449e86c3c73c7a0fd841691f96b6a234..4ebbd223f7b88f748266e98181251e87a42031a3 100644 (file)
 #include "main/analyzer.h"
 #include "main/thread_config.h"
 #include "managers/inspector_manager.h"
+#include "main/policy.h"
+#include "main/snort_config.h"
+#include "main/thread_config.h"
 #include "packet_io/active.h"
+#include "packet_io/packet_tracer.h"
 #include "protocols/icmp4.h"
 #include "protocols/tcp.h"
 #include "protocols/udp.h"
 
 using namespace snort;
 
-THREAD_LOCAL bool Active::s_suspend = false;
-THREAD_LOCAL Active::ActiveSuspendReason Active::s_suspend_reason = Active::ASP_NONE;
-
 THREAD_LOCAL const Trace* stream_trace = nullptr;
 THREAD_LOCAL FlowControl* flow_con = nullptr;
 
-void Active::drop_packet(snort::Packet const*, bool) { }
 Analyzer* Analyzer::get_local_analyzer() { return nullptr; }
 void Analyzer::resume(uint64_t) { }
+
+void Active::drop_packet(snort::Packet const*, bool) { }
+void Active::suspend(ActiveSuspendReason) { }
+void Active::resume() { }
 void Active::set_drop_reason(char const*) { }
-ExpectCache::ExpectCache(uint32_t) { }
-ExpectCache::~ExpectCache() = default;
-bool ExpectCache::check(Packet*, Flow*) { return true; }
+
+DetectionEngine::DetectionEngine() = default;
+DetectionEngine::~DetectionEngine() = default;
 void DetectionEngine::disable_all(Packet*) { }
+
+const SnortConfig* SnortConfig::get_conf() { return nullptr; }
+
 Flow* HighAvailabilityManager::import(Packet&, FlowKey&) { return nullptr; }
 bool HighAvailabilityManager::in_standby(Flow*) { return false; }
-SfIpRet SfIp::set(void const*, int) { return SFIP_SUCCESS; }
-const SnortConfig* SnortConfig::get_conf() { return nullptr; }
+
 uint8_t TraceApi::get_constraints_generation() { return 0; }
 void TraceApi::filter(const Packet&) {}
+
 void ThreadConfig::preemptive_kick() {}
+unsigned ThreadConfig::get_instance_max() { return 0; }
+
+SfIpRet SfIp::set(void const*, int) { return SFIP_SUCCESS; }
 SfIpRet SfIp::set(void const*) { return SFIP_SUCCESS; }
 SfIpRet SfIp::pton(const int, const char* ) { return SFIP_SUCCESS; }
+
 const char* SfIp::ntop(char* buf, int) const
 { buf[0] = 0; return buf; }
-unsigned ThreadConfig::get_instance_max() { return 0; }
+
 bool ControlConn::respond(const char*, ...) { return true; }
+
 class TcpStreamTracker;
 const char* stream_tcp_state_to_str(const TcpStreamTracker&) { return "error"; }
+
 void LogMessage(const char*, ...) { }
+
 namespace snort
 {
 Flow::~Flow() = default;
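Review bot: `#include "main/thread_config.h"` is added as a new line although the same header is already included three lines above it as a context line; drop the duplicate. The block also leaves `managers/inspector_manager.h` ahead of the `main/` headers, so the new lines do not restore the alphabetical order the other test files in this commit keep. These are stub definitions for a unit test, so nothing here affects the shipped binary.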
@@ -104,6 +118,11 @@ uint32_t IpApi::id() const { return 0; }
 }
 }
 
+ExpectCache::ExpectCache(uint32_t) { }
+ExpectCache::~ExpectCache() = default;
+
+bool ExpectCache::check(Packet*, Flow*) { return true; }
+
 int ExpectCache::add_flow(const Packet*, PktType, IpProtocol, const SfIp*, uint16_t,
     const SfIp*, uint16_t, char, FlowData*, SnortProtocolId, bool, bool, bool, bool)
 {
index abcc797b37e56d4535c91284364dba19e97fea0f..98501336d49734a8c49b3498e6713114de9cdbd8 100644 (file)
@@ -29,9 +29,8 @@
 #include "detection/detection_engine.h"
 #include "main/policy.h"
 #include "main/snort_config.h"
-#include "managers/inspector_manager.h"
 #include "packet_io/active.h"
-#include "packet_tracer/packet_tracer.h"
+#include "packet_io/packet_tracer.h"
 #include "protocols/icmp4.h"
 #include "protocols/packet.h"
 #include "protocols/tcp.h"
 
 using namespace snort;
 
-THREAD_LOCAL bool Active::s_suspend = false;
-THREAD_LOCAL Active::ActiveSuspendReason Active::s_suspend_reason = Active::ASP_NONE;
-
 void Active::drop_packet(snort::Packet const*, bool) { }
+void Active::suspend(ActiveSuspendReason) { }
+void Active::resume() { }
 void Active::set_drop_reason(char const*) { }
 FlowCache::FlowCache(const FlowCacheConfig& cfg) : config(cfg) { }
 FlowCache::~FlowCache() = default;
 Flow::~Flow() = default;
 DetectionEngine::DetectionEngine() { context = nullptr; }
 DetectionEngine::~DetectionEngine() = default;
-ExpectCache::~ExpectCache() = default;
 unsigned FlowCache::purge() { return 1; }
 unsigned FlowCache::get_flows_allocated() const { return 0; }
 Flow* FlowCache::find(const FlowKey*) { return nullptr; }
@@ -83,6 +80,7 @@ void Flow::set_direction(Packet*) { }
 void Flow::set_mpls_layer_per_dir(Packet*) { }
 void DetectionEngine::disable_all(Packet*) { }
 ExpectCache::ExpectCache(uint32_t) { }
+ExpectCache::~ExpectCache() = default;
 bool ExpectCache::check(Packet*, Flow*) { return true; }
 Flow* HighAvailabilityManager::import(Packet&, FlowKey&) { return nullptr; }
 
index b9071c999124a0f577dcbc35907f75a70c28377c..5c915bf53e8ce88b2a024b2d55e7b4cd3f350ea8 100644 (file)
@@ -25,6 +25,7 @@
 #include <string>
 
 #include "flow/flow_stash.h"
+#include "main/snort_config.h"
 #include "pub_sub/stash_events.h"
 #include "utils/util.h"
 
index b8d40ef733ae615b2d74e32d411e2efb8721a9f2..d544d3e3dbcb46b6e98b979eeb02392ded4683ea 100644 (file)
@@ -25,7 +25,7 @@
 #include "main/policy.h"
 #include "main/snort_config.h"
 #include "main/thread_config.h"
-#include "packet_tracer/packet_tracer.h"
+#include "packet_io/packet_tracer.h"
 #include "protocols/layer.h"
 #include "protocols/packet.h"
 #include "stream/stream.h"
@@ -48,7 +48,7 @@ Packet::Packet(bool)
 Packet::~Packet()  = default;
 uint32_t Packet::get_flow_geneve_vni() const { return 0; }
 
-THREAD_LOCAL PacketTracer* s_pkt_trace = nullptr;
+THREAD_LOCAL PacketTracer* PacketTracer::s_pkt_trace = nullptr;
 
 PacketTracer::~PacketTracer() = default;
 void PacketTracer::log(const char*, ...) { }
index db2db7e33c6b828371289a495b128df69feca302..e58fb401dfc143a04a5a4092d80dfe30dbffc29c 100644 (file)
@@ -2,8 +2,8 @@ add_subdirectory(test)
 
 set (FRAMEWORK_INCLUDES
     base_api.h
-    bits.h
     codec.h
+    connector.h
     counts.h
     cursor.h
     data_bus.h
@@ -13,30 +13,32 @@ set (FRAMEWORK_INCLUDES
     ips_action.h
     ips_option.h
     logger.h
-    lua_api.h
     module.h
     mpse.h
     mpse_batch.h
-    packet_constraints.h
     parameter.h
+    pig_pen.h
     pdu_section.h
     policy_selector.h
+    plugins.h
     range.h
     so_rule.h
     value.h
-    connector.h
 )
 
 add_library ( framework OBJECT
     ${FRAMEWORK_INCLUDES}
+    act_info.h
     codec.cc
     cursor.cc
     data_bus.cc
-    file_policy.cc
     inspector.cc
+    ips_info.h
+    ips_action.cc
     ips_option.cc
-    packet_constraints.cc
+    lua_api.h
     parameter.cc
+    pig_pen.cc
     module.cc
     mpse.cc
     mpse_batch.cc
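Review bot: Several of the new entries break the alphabetical order the lists otherwise keep: `pig_pen.h` lands before `pdu_section.h`, `plugins.h` after `policy_selector.h`, and in the object list `ips_info.h` precedes `ips_action.cc` while `pig_pen.cc` precedes `module.cc`. Moving `lua_api.h` out of FRAMEWORK_INCLUDES stops installing it, which changes what out-of-tree plugins built against the installed headers can see; if that is deliberate it belongs in the release notes alongside the API version bump, and if not it should move back.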
@@ -44,7 +46,9 @@ add_library ( framework OBJECT
     value.cc
 )
 
-install (FILES ${FRAMEWORK_INCLUDES} ${CMAKE_CURRENT_BINARY_DIR}/api_options.h
+install (FILES ${FRAMEWORK_INCLUDES}
+    ${CMAKE_CURRENT_BINARY_DIR}/api_options.h
+    ${CMAKE_CURRENT_BINARY_DIR}/snort_api.h
     DESTINATION "${INCLUDE_INSTALL_PATH}/framework"
 )
 
@@ -56,10 +60,23 @@ add_custom_command(
 
 add_custom_target(api_options ALL DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/api_options.h)
 
+add_custom_command(
+    OUTPUT
+        ${CMAKE_CURRENT_BINARY_DIR}/snort_api.h
+    COMMAND
+        ${CMAKE_CURRENT_SOURCE_DIR}/plug_gen.sh ${CMAKE_CXX_COMPILER} ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR} > ${CMAKE_CURRENT_BINARY_DIR}/snort_api.h
+    DEPENDS
+        ${CMAKE_CURRENT_SOURCE_DIR}/plug_gen.sh
+        ${CMAKE_CURRENT_SOURCE_DIR}/plugins.h
+        ${CMAKE_CURRENT_BINARY_DIR}/api_options.h
+)
+
+add_custom_target(snort_api ALL DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/snort_api.h)
+
 set_property(
     DIRECTORY
     PROPERTY
-    ADDITIONAL_MAKE_CLEAN_FILES api_options.h
+    ADDITIONAL_MAKE_CLEAN_FILES api_options.h snort_api.h
 )
 
 add_catch_test( parameter_test
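Review bot: The `snort_api.h` rule writes its output through a shell redirection, so if `plug_gen.sh` exits non-zero the redirected file still exists, and with the Makefile generator the next build treats the truncated header as up to date until someone deletes it by hand. Generate into a temporary name and rename on success, or pass the output path to the script and have it write atomically, and add `VERBATIM` so the redirection and the compiler path are quoted consistently across generators. DEPENDS lists only `plug_gen.sh`, `plugins.h` and `api_options.h`; if the script also reads the other framework headers it aggregates (not visible here), edits to those will not trigger regeneration, so consider listing `${FRAMEWORK_INCLUDES}` as well.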
similarity index 61%
rename from src/actions/actions.h
rename to src/framework/act_info.h
index 31c7f0ee6f252d9d568fffbedca1d04b76357795..03c8a8c5b12e65bde7de49f8a666fde02ea405cc 100644 (file)
 // with this program; if not, write to the Free Software Foundation, Inc.,
 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 //--------------------------------------------------------------------------
+// act_info.h author Russ Combs <rucombs@cisco.com>
 
-#ifndef ACTIONS_H
-#define ACTIONS_H
+#ifndef ACT_INFO_H
+#define ACT_INFO_H
 
-// Define action types and provide hooks to apply a given action to a packet
-
-#include <cstdint>
-#include <string>
-
-#include "main/snort_types.h"
-
-struct OptTreeNode;
+// enables keeping OTN private
 
 namespace snort
 {
-struct Packet;
-}
+    class IpsAction;
+};
 
-class SO_PUBLIC Actions
+class ActInfo
 {
 public:
-    using Type = uint8_t;
-public:
-    static std::string get_string(Type);
-    static Type get_type(const char*);
-    static Type get_max_types();
-    static bool is_valid_action(Type);
-    static std::string get_default_priorities(bool alert_before_pass = false);
-
-    static void pass();
-    static void log(snort::Packet*, const OptTreeNode*);
-    static void alert(snort::Packet*, const OptTreeNode*);
+    ActInfo(const OptTreeNode* o, bool b = true)
+    { otn = o; log = b; }
+
+private:
+    friend class snort::IpsAction;
+
+    const struct OptTreeNode* otn;
+    bool log;
 };
+
 #endif
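Review bot: `ActInfo(const OptTreeNode* o, ...)` names `OptTreeNode` before anything visible in this header declares it: the old `struct OptTreeNode;` forward declaration is removed and the elaborated specifier `const struct OptTreeNode* otn;` only appears later in the class, so the header compiles solely when every includer has already declared the type. Restore `struct OptTreeNode;` above `class ActInfo` and drop the `struct` keyword from the member. The `};` closing `namespace snort` carries a stray semicolon, and `class IpsAction;` inside it is indented four spaces where the rest of the tree keeps namespace members at column zero, as the forward declarations in expect_flow.h in this same commit do.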
 
index d50853ef2076c6ecbfdfb27f098a41dce66bd7b1..09be4cb201cf7dde911eac319df888bce1d9516d 100644 (file)
 
 #include <cstdint>
 
-// this is the current version of the base api
-// must be prefixed to subtype version
-#define BASE_API_VERSION 19
-
 // set options to API_OPTIONS to ensure compatibility
 #ifndef API_OPTIONS
 #include "framework/api_options.h"
 #endif
 
+// the current version of the Snort API
+// must be prefixed to subtype version
+
+// depends on includes installed in framework/snort_api.h
+// see framework/plugins.h
+
+#define BASE_API_VERSION 20
+
 // set the reserved field to this to be future proof
 #define API_RESERVED 0
 
@@ -64,14 +68,14 @@ typedef void (* ModDelFunc)(Module*);
 struct BaseApi
 {
     PlugType type;
-    uint32_t size;
-    uint32_t api_version;
-    uint32_t version;
-    uint64_t reserved;
-    const char* options;
-    const char* name;
-    const char* help;
-    snort::ModNewFunc mod_ctor;
+    uint32_t size;          // sizeof(plugin-api)
+    uint32_t api_version;   // (BASE_API_VERSION << 16) | plugin-api-version)
+    uint32_t version;       // version of plugin
+    uint64_t reserved;      // zero
+    const char* options;    // API_OPTIONS
+    const char* name;       // plugin name
+    const char* help;       // short help text
+    ModNewFunc mod_ctor;
     ModDelFunc mod_dtor;
 };
 }
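Review bot: The new comment on `api_version` has unbalanced parentheses, `(BASE_API_VERSION << 16) | plugin-api-version)`; drop the trailing one. `reserved; // zero` would be more useful as `// must be API_RESERVED (0)` since the file defines that constant for exactly this field, and `size; // sizeof(plugin-api)` could name a concrete example such as `sizeof(CodecApi)` for a codec so plugin authors fill it in correctly. The namespace enclosing BaseApi closes at the hunk's end; nothing else in it changes.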
index ab76c8ab17032e258607a145c10f86b94a76d003..04f4b04d919822b29b6c3eaa8fdb2bd459cabb7b 100644 (file)
@@ -25,7 +25,6 @@
 
 #include "codecs/codec_module.h"
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 
 #ifdef UNIT_TEST
 #include "catch/snort_catch.h"
index b4dc26ada8dc450b237e1f795f9c2b0e06584aee..d9f2bd777354b3ec1457b44c7e74e86cb995d1d1 100644 (file)
@@ -23,6 +23,9 @@
 // Codec is a type of plugin that provides protocol-specific encoding and
 // decoding.
 
+// the CDAPI_VERSION will change if anything in this file changes.
+// see also framework/base_api.h.
+
 #include <cstdint>
 #include <vector>
 
@@ -38,22 +41,10 @@ namespace snort
 {
 enum CodecSid : uint32_t;
 
-namespace ip
-{
-class IpApi;
-}
-namespace tcp
-{
-struct TCPHdr;
-}
-namespace udp
-{
-struct UDPHdr;
-}
-namespace icmp
-{
-struct ICMPHdr;
-}
+namespace ip { class IpApi; }
+namespace tcp { struct TCPHdr; }
+namespace udp { struct UDPHdr; }
+namespace icmp { struct ICMPHdr; }
 
 class Flow;
 
@@ -384,7 +375,7 @@ private:
 //-------------------------------------------------------------------------
 
 // this is the current version of the api
-#define CDAPI_VERSION ((BASE_API_VERSION << 16) | 1)
+#define CDAPI_VERSION ((BASE_API_VERSION << 16) | 2)
 
 typedef Codec* (* CdNewFunc)(Module*);
 typedef void (* CdDelFunc)(Codec*);
@@ -406,5 +397,5 @@ struct CodecApi
     CdDelFunc dtor;   // clean up instance data
 };
 }
-#endif /* FRAMEWORK_CODEC_H */
+#endif
 
index a4bd2886a1d07ceb91c1fe7bc65a496885584a21..3a03c388f6e975c79905b2227943834ded5ffbff 100644 (file)
@@ -23,6 +23,9 @@
 // Connector provides out-of-band communications among packet processing
 // threads, high-availability partners, and other threads.
 
+// the CONNECTOR_API_VERSION will change if anything in this file changes.
+// see also framework/base_api.h.
+
 #include <string>
 #include <vector>
 
@@ -32,7 +35,7 @@
 namespace snort
 {
 // this is the current version of the api
-#define CONNECTOR_API_VERSION ((BASE_API_VERSION << 16) | 0)
+#define CONNECTOR_API_VERSION ((BASE_API_VERSION << 16) | 1)
 
 //-------------------------------------------------------------------------
 // api for class
@@ -40,7 +43,6 @@ namespace snort
 // other methods are packet thread specific
 //-------------------------------------------------------------------------
 
-struct ConnectorApi;
 class ConnectorConfig;
 
 struct ConnectorMsg
index a67a2b78279ec085538688db5921223bece06c44..31763d8627f4682a7df7b29187a07563bf850593 100644 (file)
@@ -32,9 +32,9 @@ typedef uint64_t PegCount;
 enum CountType
 {
     END,   // sentinel value
-    SUM,   // tracks cumulative total number of items seen (eg #events)
-    NOW,   // gives snapshot of current number of items (eg current #sessions)
-    MAX,   // tracks maximum value seen (eg max #sessions)
+    SUM,   // running total: tracks cumulative total number of items seen (eg #events)
+    NOW,   // current level: gives snapshot of current number of items (eg current #sessions)
+    MAX,   // maximum level: tracks maximum value seen (eg max #sessions)
 };
 
 struct SimpleStats
index ca70efbb7a1e9eb336c69c362d638c47770554af..948fc7c8c65dc64cecba4644ff1dba218aa23d3e 100644 (file)
@@ -25,8 +25,8 @@
 
 #include "cursor.h"
 
+#include "detection/detection_buf.h"
 #include "detection/detection_engine.h"
-#include "detection/detection_util.h"
 #include "protocols/packet.h"
 #include "detection/ips_context.h"
 
index 39e55e5b3129081334df7f04516ea6221701ca83..7fe3e0a9f85b010db22b936d7f9ab91e0c5fd464 100644 (file)
@@ -22,8 +22,8 @@
 #ifndef CURSOR_H
 #define CURSOR_H
 
-// Cursor provides a formal way of using buffers when doing detection with
-// IpsOptions.
+// Cursor provides access to the current buffer pointer used by IpsOptions
+// during signature evaluation.
 
 #include <assert.h>
 #include <cstdint>
index 957433137ccabfcae237e91e2a4067dd94e15192..8088f71e3025a78211d27ab98cce5a90c77e0fd0 100644 (file)
@@ -25,7 +25,7 @@
 
 namespace snort
 {
-class SO_PUBLIC Endianness
+class Endianness
 {
 public:
     Endianness() = default;
index dc4466797c96152b7aa21c083378f5fff3efed80..f3eed842786e822f867e004f64926535f3d44803 100644 (file)
@@ -42,12 +42,14 @@ public:
 
 using namespace snort;
 
+#ifndef _WIN64
+unsigned THREAD_LOCAL Inspector::slot = 0;
+#endif
+
 //-------------------------------------------------------------------------
 // packet handler stuff
 //-------------------------------------------------------------------------
 
-unsigned THREAD_LOCAL Inspector::slot = 0;
-
 Inspector::Inspector()
 {
     unsigned max = ThreadConfig::get_instance_max();
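Review bot: The definition of `Inspector::slot` is now wrapped in `#ifndef _WIN64` with no comment, and the accessors switch to `get_slot()`, whose definition is outside this hunk; a reader cannot tell why Win64 is excluded or where the slot lives there. Add a comment at the guard, e.g. `// on Win64 the per-thread slot comes from get_slot() (see inspector.h) because ...` with the actual reason. Also confirm `_WIN64` rather than `_WIN32` is intended: `_WIN32` is defined on both 32- and 64-bit Windows targets, so a 32-bit MSVC build would still compile this definition and hit whatever the guard is avoiding.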
@@ -120,10 +122,10 @@ bool Inspector::likes(Packet* p)
 }
 
 void Inspector::add_ref()
-{ ++ref_count[slot]; }
+{ ++ref_count[get_slot()]; }
 
 void Inspector::rem_ref()
-{ --ref_count[slot]; }
+{ --ref_count[get_slot()]; }
 
 void Inspector::add_global_ref()
 { ++ref_count[0]; }
@@ -145,10 +147,10 @@ void Inspector::copy_thread_storage(Inspector* ins)
 }
 
 void Inspector::set_thread_specific_data(void* tsd)
-{ thread_specific_data->data[slot] = tsd; }
+{ thread_specific_data->data[get_slot()] = tsd; }
 
 void* Inspector::get_thread_specific_data() const
-{ return thread_specific_data->data[slot]; }
+{ return thread_specific_data->data[get_slot()]; }
 
 static const char* InspectorTypeNames[IT_MAX] =
 {
index 7c36ad64170b35ff2a7622cd1577221865d64e6d..b446a24987e106c582ef29fbc3ec84514590a3f8 100644 (file)
 // decoding a packet and detection.  There are several types that operate
 // in different ways.  These correspond to Snort 2X preprocessors.
 
+// the INSAPI_VERSION will change if anything in this file changes.
+// see also framework/base_api.h.
+
 #include <atomic>
 #include <cstring>
 #include <memory>
 #include <vector>
 
 #include "framework/base_api.h"
-#include "main/thread.h"
 #include "target_based/snort_protocols.h"
 
 class Session;
@@ -41,7 +43,7 @@ struct SnortConfig;
 struct Packet;
 
 // this is the current version of the api
-#define INSAPI_VERSION ((BASE_API_VERSION << 16) | 0)
+#define INSAPI_VERSION ((BASE_API_VERSION << 16) | 1)
 
 struct InspectionBuffer
 {
@@ -109,7 +111,7 @@ public:
     // clear is a bookend to eval() for the active service inspector
     // clear is called when Snort is done with the previously eval'd
     // packet to release any thread-local or flow-based data
-    virtual void eval(Packet*) = 0;
+    virtual void eval(Packet*) { }
     virtual void clear(Packet*) { }
 
     // framework support
@@ -199,8 +201,12 @@ public:
     virtual const uint8_t* adjust_log_packet(Packet*, uint16_t&)
     { return nullptr; }
 
-public:
-    static THREAD_LOCAL unsigned slot;
+    static unsigned get_slot()
+#ifndef _WIN64
+    { return slot; }
+#else
+    { return get_instance_id(); }
+#endif
 
 protected:
     // main thread functions
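Review bot: The `_WIN64` branch of `get_slot()` calls `get_instance_id()`, and the last hunk of this file declares `static THREAD_LOCAL unsigned slot;`, yet the include hunk at the top of this file removes `#include "main/thread.h"`; if both names come from that header (as the name suggests) the header now only compiles when something included earlier happens to pull it in transitively. Either keep the include or add a comment naming where `THREAD_LOCAL` and `get_instance_id()` are expected to come from. A short why-comment on the `#ifndef _WIN64` split would also help, e.g. `// presumably thread_local static members cannot be exported from the DLL on Windows, so fall back to the instance id there -- confirm`.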
@@ -215,6 +221,12 @@ private:
     const char* alias_name = nullptr;
     uint64_t network_policy_user_id = 0;
     bool network_policy_user_id_set = false;
+
+#ifndef _WIN64
+private:
+    friend class InspectorManager;
+    static THREAD_LOCAL unsigned slot;
+#endif
 };
 
 // at present there is no sequencing among like types except that appid
diff --git a/src/framework/ips_action.cc b/src/framework/ips_action.cc
new file mode 100644 (file)
index 0000000..d735c36
--- /dev/null
@@ -0,0 +1,100 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2024-2024 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "ips_action.h"
+
+#include "detection/detect.h"
+#include "detection/treenodes.h"
+#include "managers/action_manager.h"
+#include "parser/parser.h"
+#include "utils/stats.h"
+
+#include "act_info.h"
+
+using namespace snort;
+
+namespace snort
+{
+
+std::string IpsAction::get_string(IpsAction::Type action)
+{ return ActionManager::get_action_string(action); }
+
+IpsAction::Type IpsAction::get_type(const char* s)
+{ return ActionManager::get_action_type(s); }
+
+IpsAction::Type IpsAction::get_max_types()
+{ return ActionManager::get_max_action_types(); }
+
+bool IpsAction::is_valid_action(IpsAction::Type action)
+{
+    if ( action < get_max_types() )
+        return true;
+
+    return false;
+}
+
+std::string IpsAction::get_default_priorities(bool alert_before_pass)
+{ return ActionManager::get_action_priorities(alert_before_pass); }
+
+bool IpsAction::log_it(const ActInfo& ai) const
+{ return ai.log; }
+
+uint64_t IpsAction::get_file_id(const ActInfo& ai) const
+{ return ai.otn->sigInfo.file_id; }
+
+void IpsAction::pass()
+{
+    pc.pass_pkts++;
+}
+
+void IpsAction::log(Packet* p, const ActInfo& ai)
+{
+    RuleTreeNode* rtn = getRtnFromOtn(ai.otn);
+
+    if (!rtn)
+        return;
+
+    CallLogFuncs(p, ai.otn, rtn->listhead);
+}
+
+void IpsAction::alert(Packet* p, const ActInfo& ai)
+{
+    if (!ai.otn or !log_it(ai))
+        return;
+
+    RuleTreeNode* rtn = getRtnFromOtn(ai.otn);
+    if (!rtn)
+        return;
+
+    /* Call OptTreeNode specific output functions */
+    if (ai.otn->outputFuncs)
+    {
+        ListHead lh = { };  // FIXIT-L use of ListHead for CallLogFuncs() is a little unwieldy here
+        lh.LogList = ai.otn->outputFuncs;
+        CallLogFuncs(p, ai.otn, &lh);
+    }
+    CallAlertFuncs(p, ai.otn, rtn->listhead);
+    CallLogFuncs(p, ai.otn, rtn->listhead);
+}
+
+} // snort
+
index ddf2d753f453cd9612572ffcf6e78762b5153281..f74adc1e14e7fbd4449018f9ff9650653fa5d333 100644 (file)
 // These can be used to execute external controls like updating an external
 // firewall.
 
+// the ACTAPI_VERSION will change if anything in this file changes.
+// see also framework/base_api.h.
+
+#include <cstdint>
+#include <string>
+
 #include "framework/base_api.h"
 #include "main/snort_types.h"
 #include "packet_io/active_action.h"
 
 // this is the current version of the api
-#define ACTAPI_VERSION ((BASE_API_VERSION << 16) | 1)
+#define ACTAPI_VERSION ((BASE_API_VERSION << 16) | 2)
 
 //-------------------------------------------------------------------------
 // api for class
 //-------------------------------------------------------------------------
 
-struct OptTreeNode;
+class ActInfo;
+
 namespace snort
 {
 struct Packet;
@@ -44,6 +51,8 @@ struct Packet;
 class SO_PUBLIC IpsAction
 {
 public:
+    using Type = uint8_t;
+
     enum IpsActionPriority : uint16_t
     {
         IAP_OTHER = 1,
@@ -62,9 +71,22 @@ public:
     const char* get_name() const { return name; }
     ActiveAction* get_active_action() const { return active_action; }
 
-    virtual void exec(Packet*, const OptTreeNode* otn = nullptr) = 0;
+    virtual void exec(Packet*, const ActInfo&) = 0;
     virtual bool drops_traffic() { return false; }
 
+    static std::string get_string(Type);
+    static Type get_type(const char*);
+    static Type get_max_types();
+    static bool is_valid_action(Type);
+    static std::string get_default_priorities(bool alert_before_pass = false);
+
+    bool log_it(const ActInfo&) const;
+    uint64_t get_file_id(const ActInfo&) const;
+
+    void pass();
+    void log(snort::Packet*, const ActInfo&);
+    void alert(snort::Packet*, const ActInfo&);
+
 protected:
     IpsAction(const char* s, ActiveAction* a)
     {
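Review bot: `pass`, `log` and `alert` are declared as non-const members but, judging by their definitions in ips_action.cc in this same commit, none of them touches instance state (`pass` bumps a global counter, `log`/`alert` only call free functions and the const `log_it`), so they would be better declared `static` or at least `const` to match `log_it`/`get_file_id` directly above them. Given `Type` is `uint8_t`, a one-line comment on `get_max_types()` stating that at most 255 action types are representable would also help plugin authors. The class body continues outside the hunk.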
diff --git a/src/framework/ips_info.h b/src/framework/ips_info.h
new file mode 100644 (file)
index 0000000..00266eb
--- /dev/null
@@ -0,0 +1,47 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2024-2024 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+// ips_info.h author Russ Combs <rucombs@cisco.com>
+
+#ifndef IPS_INFO_H
+#define IPS_INFO_H
+
+// enables keeping OTN private
+
+namespace snort
+{
+    struct SnortConfig;
+    class IpsOption;
+};
+
+struct OptTreeNode;
+
+struct IpsInfo
+{
+public:
+    IpsInfo(OptTreeNode* o, snort::SnortConfig* s)
+    { otn = o; sc = s; }
+
+private:
+    friend class snort::IpsOption;
+
+    OptTreeNode* otn;
+    snort::SnortConfig* sc;
+};
+
+#endif
+
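Review bot: The constructor assigns `otn` and `sc` in the body instead of using the member-initializer list; `IpsInfo(OptTreeNode* o, snort::SnortConfig* s) : otn(o), sc(s) { }` is the idiomatic form and avoids the members being briefly uninitialized. The `};` closing the `snort` namespace is an extra empty declaration that pedantic builds warn about, and since the type has private members and a friend, `class IpsInfo` reads more honestly than `struct IpsInfo` with an explicit `public:`.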
index d20c75b8188b8d080b4348a6af556a3064b2b1aa..6c79eebe9f38eac39a14b37398ed8d37de8e0cab 100644 (file)
 
 #include <cstring>
 
+#include "detection/rules.h"
+#include "detection/signature.h"
+#include "detection/treenodes.h"
+#include "filters/detection_filter.h"
+#include "filters/sfthd.h"
+#include "framework/ips_info.h"
 #include "hash/hash_key_operations.h"
+#include "main/snort_config.h"
+#include "managers/so_manager.h"
+#include "parser/parse_conf.h"
+#include "utils/util.h"
 
 using namespace snort;
 
+namespace snort
+{
 //-------------------------------------------------------------------------
 
 IpsOption::IpsOption(const char* s, option_type_t t)
@@ -55,6 +67,120 @@ section_flags IpsOption::get_pdu_section(bool) const
     return section_to_flag(PS_NONE);
 }
 
+//-------------------------------------------------------------------------
+// static / instantiator methods
+//-------------------------------------------------------------------------
+
+bool IpsOption::has_plugin(IpsInfo& info, const char* name)
+{ return otn_has_plugin(info.otn, name); }
+
+void IpsOption::set_priority(const IpsInfo& info, uint32_t pri)
+{ info.otn->sigInfo.priority = pri; }
+
+void IpsOption::set_classtype(IpsInfo& info, const char* type)
+{
+    const ClassType* ct = get_classification(info.sc, type);
+
+    if ( !ct and info.sc->dump_rule_info() )
+    {
+        add_classification(info.sc, type, type, 1);
+        ct = get_classification(info.sc, type);
+    }
+
+    info.otn->sigInfo.class_type = ct;
+
+    if ( ct )
+    {
+        info.otn->sigInfo.class_id = ct->id;
+        info.otn->sigInfo.priority = ct->priority;
+    }
+}
+
+void IpsOption::set_detection_filter(IpsInfo& info, bool track_src, uint32_t count, uint32_t seconds)
+{
+    THDX_STRUCT thdx = { };
+    thdx.type = THD_TYPE_DETECT;
+    thdx.tracking = (track_src ? THD_TRK_SRC : THD_TRK_DST);
+    thdx.count = count;
+    thdx.seconds = seconds;
+    info.otn->detection_filter = detection_filter_create(info.sc->detection_filter_config, &thdx);
+}
+
+void IpsOption::set_enabled(IpsInfo& info, Enable ie)
+{
+    if ( !info.sc->rule_states )
+        info.sc->rule_states = new RuleStateMap;
+
+    IpsPolicy::Enable e;
+
+    switch (ie)
+    {
+        case IpsOption::NO: e = IpsPolicy::DISABLED; break;
+        case IpsOption::INHERIT: e = IpsPolicy::INHERIT_ENABLE; break;
+        default: e = IpsPolicy::ENABLED; break;
+    }
+    info.otn->set_enabled(e);
+}
+
+void IpsOption::set_file_id(const IpsInfo& info, uint64_t fid)
+{ info.otn->sigInfo.file_id = fid; }
+
+void IpsOption::set_flowbits_check(IpsInfo& info)
+{ info.otn->set_flowbits_check(); }
+
+void IpsOption::set_stateless(IpsInfo& info)
+{ info.otn->set_stateless(); }
+
+void IpsOption::set_to_client(IpsInfo& info)
+{ info.otn->set_to_client(); }
+
+void IpsOption::set_to_server(IpsInfo& info)
+{ info.otn->set_to_server(); }
+
+void IpsOption::set_gid(const IpsInfo& info, uint32_t gid)
+{ info.otn->sigInfo.gid = gid; }
+
+void IpsOption::set_sid(const IpsInfo& info, uint32_t sid)
+{ info.otn->sigInfo.sid = sid; }
+
+void IpsOption::set_rev(const IpsInfo& info, uint32_t rev)
+{ info.otn->sigInfo.rev = rev; }
+
+void IpsOption::set_message(const IpsInfo& info, const char* msg)
+{ info.otn->sigInfo.message = msg; }
+
+void IpsOption::set_metadata_match(IpsInfo& info)
+{ info.otn->set_metadata_match(); }
+
+void IpsOption::set_tag(IpsInfo& info, TagData* td)
+{ info.otn->tag = td; }
+
+void IpsOption::set_target(const IpsInfo& info, bool src_ip)
+{ info.otn->sigInfo.target = (src_ip ? TARGET_SRC : TARGET_DST); }
+
+void IpsOption::add_reference(IpsInfo& info, const char* scheme, const char* id)
+{ ::add_reference(info.sc, info.otn, scheme, id); }
+
+void IpsOption::add_service(IpsInfo& info, const char* svc)
+{ add_service_to_otn(info.sc, info.otn, svc); }
+
+void IpsOption::set_soid(IpsInfo& info, const char* s)
+{ info.otn->soid = snort_strdup(s); }
+
+const char* IpsOption::get_soid(const IpsInfo& info)
+{ return info.otn->soid; }
+
+IpsOption::SoEvalFunc IpsOption::get_so_eval(IpsInfo& info, const char* name, void*& data)
+{ return SoManager::get_so_eval(info.otn->soid, name, &data, info.sc); }
+
+SnortProtocolId IpsOption::get_protocol_id(const IpsInfo& info)
+{ return info.otn->snort_protocol_id; }
+
+SoRules* IpsOption::get_so_rules(const IpsInfo& info)
+{ return info.sc->so_rules; }
+
+} // snort
+
 //-------------------------------------------------------------------------
 // UNIT TESTS
 //-------------------------------------------------------------------------
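Review bot: The `const IpsInfo&` parameter on `set_priority`, `set_file_id`, `set_gid`, `set_sid`, `set_rev`, `set_message` and `set_target` is misleading: each writes through `info.otn` exactly as the non-const `set_classtype`/`set_flowbits_check` do, so the const says nothing about what the call mutates; one convention for the whole setter group (plain `IpsInfo&`, matching the instantiator-only intent) would be clearer. `set_soid` assigns `snort_strdup(s)` without freeing any earlier value, so a rule carrying the keyword twice would leak the first copy — presumably `max_per_rule` prevents that, worth confirming with a comment. In `set_classtype`, when the lookup fails and `dump_rule_info()` is false the OTN silently keeps a null `class_type`; if that is intended, say so in a comment.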
@@ -74,11 +200,6 @@ TEST_CASE("IpsOption test", "[ips_option]")
     StubIpsOption main_ips("ips_test",
         option_type_t::RULE_OPTION_TYPE_OTHER);
 
-    SECTION("buffer test")
-    {
-        REQUIRE(main_ips.get_buffer());  // only until api is updated
-    }
-
     SECTION("IpsOperator == test")
     {
         StubIpsOption case_diff_name("not_hello_world",
index 76499f337a00073b4240bafaad28dbc42f9995ee..1543f0ecf4fc4894f1932dcc85798383b5f521d2 100644 (file)
@@ -15,7 +15,7 @@
 // with this program; if not, write to the Free Software Foundation, Inc.,
 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 //--------------------------------------------------------------------------
-// ips_manager.h author Russ Combs <rucombs@cisco.com>
+// ips_option.h author Russ Combs <rucombs@cisco.com>
 
 #ifndef IPS_OPTION_H
 #define IPS_OPTION_H
 // All IPS rule keywords are realized as IpsOptions instantiated when rules
 // are parsed.
 
+// the IPSAPI_VERSION will change if anything in this file changes.
+// see also framework/base_api.h.
+
+#include <cinttypes>
+
 #include "detection/rule_option_types.h"
 #include "framework/base_api.h"
+#include "framework/cursor.h"
+#include "framework/pdu_section.h"
 #include "main/snort_types.h"
 #include "target_based/snort_protocols.h"
 
-#include "pdu_section.h"
-
 //-------------------------------------------------------------------------
 // api for class
 // eval and action are packet thread specific
 //-------------------------------------------------------------------------
 
 class Cursor;
-struct OptTreeNode;
+struct IpsInfo;
 struct PatternMatchData;
+struct TagData;
+struct SoRules;
 
 namespace snort
 {
@@ -46,7 +53,7 @@ struct SnortConfig;
 class Module;
 
 // this is the current version of the api
-#define IPSAPI_VERSION ((BASE_API_VERSION << 16) | 0)
+#define IPSAPI_VERSION ((BASE_API_VERSION << 16) | 1)
 
 enum CursorActionType
 {
@@ -82,8 +89,7 @@ public:
     // packet threads
     virtual bool is_relative() { return false; }
 
-    // 2nd cursor is deprecated, do not use
-    virtual bool retry(Cursor&, const Cursor&) { return false; }
+    virtual bool retry(Cursor&) { return false; }
     virtual void action(Packet*) { }
 
     enum EvalStatus { NO_MATCH, MATCH, NO_ALERT, FAILED_BIT };
@@ -105,17 +111,54 @@ public:
     bool is_buffer_setter() const
     { return get_cursor_type() > CAT_ADJUST; }
 
-    const char* get_buffer()
-    { return buffer; }
-
     virtual section_flags get_pdu_section(bool to_server) const;
 
+    // these methods are only available to the instantiator method (IpsNewFunc)
+    static bool has_plugin(IpsInfo&, const char* name);
+
+    static void set_priority(const IpsInfo&, uint32_t);
+    static void set_classtype(IpsInfo&, const char*);
+    static void set_reference(IpsInfo&, const char* scheme, const char* id);
+
+    enum Enable { NO, YES, INHERIT };
+    static void set_enabled(IpsInfo&, Enable);
+
+    static void set_flowbits_check(IpsInfo&);
+    static void set_detection_filter(IpsInfo&, bool track_src, uint32_t count, uint32_t seconds); // don't install header
+
+    static void set_stateless(IpsInfo&);
+    static void set_to_client(IpsInfo&);
+    static void set_to_server(IpsInfo&);
+
+    static void set_gid(const IpsInfo&, uint32_t);
+    static void set_sid(const IpsInfo&, uint32_t);
+    static void set_rev(const IpsInfo&, uint32_t);
+
+    static void set_message(const IpsInfo&, const char*);
+    static void set_metadata_match(IpsInfo&);
+
+    static void set_tag(IpsInfo&, TagData*);
+    static void set_target(const IpsInfo&, bool src_ip);
+
+    static void set_file_id(const IpsInfo&, uint64_t);
+    static void add_reference(IpsInfo&, const char*, const char*);
+    static void add_service(IpsInfo&, const char*);
+
+    static void set_soid(IpsInfo&, const char*);
+    static const char* get_soid(const IpsInfo&);
+
+    typedef snort::IpsOption::EvalStatus (* SoEvalFunc)(void*, class Cursor&, snort::Packet*);
+    static SoEvalFunc get_so_eval(IpsInfo&, const char* name, void*& data);
+
+    static SnortProtocolId get_protocol_id(const IpsInfo&);
+
+    static SoRules* get_so_rules(const IpsInfo&);
+
 protected:
     IpsOption(const char* s, option_type_t t = RULE_OPTION_TYPE_OTHER);
 
 private:
     const char* name;
-    const char* buffer = "error"; // FIXIT-API to be deleted; here to avoid an api update
     option_type_t type;
 };
 
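Review bot: `set_reference(IpsInfo&, const char* scheme, const char* id)` is declared here but the ips_option.cc hunk in this commit defines `add_reference` with that signature and no `set_reference`; unless it is defined elsewhere, the declaration is dead and any plugin that calls it will fail at link time, so it should be dropped or defined. The `SoEvalFunc` typedef would read better as `using SoEvalFunc = snort::IpsOption::EvalStatus (*)(void*, Cursor&, snort::Packet*);`, and the terse `// don't install header` on `set_detection_filter` should say which header (presumably `filters/sfthd.h`) and why.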
@@ -129,7 +172,7 @@ enum RuleOptType
 
 typedef void (* IpsOptFunc)(const SnortConfig*);
 
-typedef IpsOption* (* IpsNewFunc)(Module*, OptTreeNode*);
+typedef IpsOption* (* IpsNewFunc)(Module*, IpsInfo&);
 typedef void (* IpsDelFunc)(IpsOption*);
 
 struct IpsApi
@@ -137,8 +180,8 @@ struct IpsApi
     BaseApi base;
     RuleOptType type;
 
-    unsigned max_per_rule;
-    unsigned protos;
+    unsigned max_per_rule;  // max instances of this keyword per IPS rule
+    unsigned protos;        // bitmask of PROTO_BIT_* from decode_data.h
 
     IpsOptFunc pinit;
     IpsOptFunc pterm;
index a0db8cfbeedfad8d7cb649b2758002e8753df881..233c032a0e64a49e32078b88c4fe1666c41aa01c 100644 (file)
 #ifndef LOGGER_H
 #define LOGGER_H
 
-// Logger is used to log packets and events.  Events are thresholded before
+// Logger is used to log packets and IPS events.  Events are thresholded before
 // they reach the Logger.  Packets may be logged along with events or as a
 // result of tagging.
 
+// the LOGAPI_VERSION will change if anything in this file changes.
+// see also framework/base_api.h.
+
 #include "framework/base_api.h"
 #include "main/snort_types.h"
 
-struct Event;
+class Event;
+
 namespace snort
 {
 struct Packet;
 
 // this is the current version of the api
-#define LOGAPI_VERSION ((BASE_API_VERSION << 16) | 0)
+#define LOGAPI_VERSION ((BASE_API_VERSION << 16) | 1)
 
 #define OUTPUT_TYPE_FLAG__NONE  0x0
 #define OUTPUT_TYPE_FLAG__ALERT 0x1
@@ -79,7 +83,7 @@ typedef void (* LogDelFunc)(Logger*);
 struct LogApi
 {
     BaseApi base;
-    unsigned flags;
+    unsigned flags;  // bitmask of OUTPUT_TYPE_FLAG__*
     LogNewFunc ctor;
     LogDelFunc dtor;
 };
index 08aac4f498ba4660104943f18975e0296b680dc1..607ce76e3fb8a704c51e036206e1bc1f350593d7 100644 (file)
@@ -25,6 +25,7 @@
 #include "main/thread_config.h"
 
 #include "trace/trace.h"
+#include "utils/stats.h"
 
 using namespace snort;
 
@@ -185,7 +186,7 @@ void Module::sum_stats(bool dump_stats)
     }
 }
 
-void Module::show_interval_stats(IndexVec& peg_idxs, FILE* fh)
+void Module::show_interval_stats(std::vector<unsigned>& peg_idxs, FILE* fh)
 {
     if ( num_counts > 0 )
         ::show_stats(get_counts(), get_pegs(), peg_idxs, get_name(), fh);
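Review bot: `show_interval_stats` takes `std::vector<unsigned>& peg_idxs` but only forwards it to `::show_stats`; unless that function mutates the vector, `const std::vector<unsigned>&` on this definition and on the matching declaration in module.h documents that callers' index lists are not changed. The function body continues outside the hunk.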
index f2f97bfabee2a4d094c262a05caca50353f8a459..08b640aa02aef83b437dee7241d571e838277687 100644 (file)
 //--------------------------------------------------------------------------
 // module.h author Russ Combs <rucombs@cisco.com>
 
-// FIXIT-M add trace param(s)
-// FIXIT-M add memcap related
-// FIXIT-L add set_default method
-
 #ifndef MODULE_H
 #define MODULE_H
 
@@ -46,7 +42,7 @@
 #include "framework/parameter.h"
 #include "framework/value.h"
 #include "main/snort_types.h"
-#include "utils/stats.h"
+#include "main/thread.h"
 
 struct lua_State;
 
@@ -182,8 +178,8 @@ public:
     { return false; }
 
     virtual void sum_stats(bool dump_stats);
-    virtual void show_interval_stats(IndexVec&, FILE*);
     virtual void show_stats();
+    virtual void show_interval_stats(std::vector<unsigned>&, FILE*);
     virtual void reset_stats();
     virtual void init_stats(bool new_thread=false);
     virtual void main_accumulate_stats();
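Review bot: The declaration of `show_interval_stats` now spells out `std::vector<unsigned>&` and `FILE*` while the include hunk earlier in this file replaces `utils/stats.h` with `main/thread.h`; if `<vector>` and `<cstdio>` reached this header only through `utils/stats.h`, add `#include <cstdio>` and `#include <vector>` directly so module.h stays self-contained, which matters more now that it is one of the installed plugin headers. The class body continues outside the hunk.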
@@ -195,13 +191,7 @@ public:
     bool verified_set(const char*, Value&, SnortConfig*);
     bool verified_end(const char*, int, SnortConfig*);
 
-    enum Usage
-    {
-        GLOBAL,
-        CONTEXT,
-        INSPECT,
-        DETECT
-    };
+    enum Usage { GLOBAL, CONTEXT, INSPECT, DETECT };
 
     virtual Usage get_usage() const
     { return CONTEXT; }
index 597a9f394a63bb69518336b79fa17c07a605f839..5093baa63bb5adbe7b05900b71a47746f6302c61 100644 (file)
@@ -26,7 +26,6 @@
 #include <cassert>
 
 #include "profiler/profiler_defs.h"
-#include "search_engines/pat_stats.h"
 #include "managers/mpse_manager.h"
 #include "managers/module_manager.h"
 #include "main/snort_config.h"
@@ -46,28 +45,14 @@ namespace snort
 Mpse::Mpse(const char* m) : method(m)
 { }
 
-int Mpse::search(
-    const unsigned char* T, int n, MpseMatch match,
-    void* context, int* current_state)
-{
-    pmqs.matched_bytes += n;
-    return _search(T, n, match, context, current_state);
-}
-
 int Mpse::search_all(
     const unsigned char* T, int n, MpseMatch match,
     void* context, int* current_state)
 {
-    pmqs.matched_bytes += n;
-    return _search(T, n, match, context, current_state);
+    return search(T, n, match, context, current_state);
 }
 
 void Mpse::search(MpseBatch& batch, MpseType mpse_type)
-{
-    _search(batch, mpse_type);
-}
-
-void Mpse::_search(MpseBatch& batch, MpseType mpse_type)
 {
     int start_state;
 
index ad5fea0f1cb98c8344dacf390e3ddba7e6e9f8d9..1b3f629b253db71ff0f34b3024e78282bae0b025 100644 (file)
 // machine from the patterns, and search either a single buffer or a set
 // of (related) buffers for patterns.
 
-#include <cassert>
+// the SEAPI_VERSION will change if anything in this file changes.
+// see also framework/base_api.h.
+
 #include <string>
 
 #include "framework/base_api.h"
 #include "main/snort_types.h"
-#include "main/thread.h"
 #include "search_engines/search_common.h"
+//#include "framework/mpse_batch.h"
 
 namespace snort
 {
 // this is the current version of the api
-#define SEAPI_VERSION ((BASE_API_VERSION << 16) | 0)
+#define SEAPI_VERSION ((BASE_API_VERSION << 16) | 1)
 
 struct SnortConfig;
-class Mpse;
 struct MpseApi;
 struct MpseBatch;
-struct ProfileStats;
 
 class SO_PUBLIC Mpse
 {
@@ -83,13 +83,13 @@ public:
 
     virtual void reuse_search() { }
 
-    int search(
-        const uint8_t* T, int n, MpseMatch, void* context, int* current_state);
+    virtual int search(
+        const uint8_t* T, int n, MpseMatch, void* context, int* current_state) = 0;
 
     virtual int search_all(
         const uint8_t* T, int n, MpseMatch, void* context, int* current_state);
 
-    void search(MpseBatch&, MpseType);
+    virtual void search(MpseBatch&, MpseType);
 
     virtual MpseRespType receive_responses(MpseBatch&, MpseType)
     { return MPSE_RESP_COMPLETE_SUCCESS; }
@@ -113,11 +113,6 @@ public:
 protected:
     Mpse(const char* method);
 
-    virtual int _search(
-        const uint8_t* T, int n, MpseMatch, void* context, int* current_state) = 0;
-
-    virtual void _search(MpseBatch&, MpseType);
-
 private:
     std::string method;
     int verbose = 0;
@@ -140,7 +135,7 @@ typedef Mpse::MpseRespType (* MpsePollFunc)(MpseBatch*&, Mpse::MpseType);
 struct MpseApi
 {
     BaseApi base;
-    uint32_t flags;
+    uint32_t flags;  // bitmask of MPSE_*
 
     MpseOptFunc activate;
     MpseOptFunc setup;
index 448da8a994836a21dcc6b88f811460f2fdd22b66..153ab23e3f75681cacbc450b8aeb607731149a54 100644 (file)
@@ -24,7 +24,6 @@
 #include "mpse_batch.h"
 
 #include "profiler/profiler_defs.h"
-#include "search_engines/pat_stats.h"
 #include "managers/mpse_manager.h"
 #include "managers/module_manager.h"
 #include "main/snort_config.h"
index 781d0ac19c4cb5c6a99ac8b4d275f32b88d8b6dc..47549b7a3f3928606a19a9d57343b4abfcebc2e4 100644 (file)
@@ -20,6 +20,7 @@
 #ifndef MPSE_BATCH_H
 #define MPSE_BATCH_H
 
+#include <cassert>
 #include <unordered_map>
 #include <vector>
 
index 0226a9a3fbedcede8087a70ed4205e66bd409842..4d41da1d6c1951c776d6f5f47a853f8748587447 100644 (file)
@@ -36,8 +36,7 @@ namespace snort
 // PS_ERROR is used for invalid combination of sections:
 // trailer and body sections can be combined only if it's a request trailer in a to_client direction
 // When updating this enum, also update section_to_str
-enum PduSection { PS_NONE = 0, PS_HEADER, PS_HEADER_BODY, PS_BODY, PS_TRAILER, PS_MAX = PS_TRAILER,
-    PS_ERROR };
+enum PduSection { PS_NONE = 0, PS_HEADER, PS_HEADER_BODY, PS_BODY, PS_TRAILER, PS_MAX = PS_TRAILER, PS_ERROR };
 
 // Bitmask with all of supported sections
 using section_flags = uint16_t;
diff --git a/src/framework/pig_pen.cc b/src/framework/pig_pen.cc
new file mode 100644 (file)
index 0000000..a8b7f10
--- /dev/null
@@ -0,0 +1,103 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2024-2024 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+// pig_pen.cc author Russ Combs <rucombs@cisco.com>
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "pig_pen.h"
+
+#include "detection/detection_engine.h"
+#include "log/log.h"
+#include "main/process.h"
+#include "main/snort.h"
+#include "managers/inspector_manager.h"
+#include "profiler/profiler_impl.h"
+#include "utils/stats.h"
+
+using namespace snort;
+
+//--------------------------------------------------------------------------
+// inspector foo
+//--------------------------------------------------------------------------
+
+Inspector* PigPen::get_binder()
+{ return InspectorManager::get_binder(); }
+
+Inspector* PigPen::get_file_inspector(const SnortConfig* sc)
+{ return InspectorManager::get_file_inspector(sc); }
+
+Inspector* PigPen::acquire_file_inspector()
+{ return InspectorManager::acquire_file_inspector(); }
+
+Inspector* PigPen::get_service_inspector(const SnortProtocolId id)
+{ return InspectorManager::get_service_inspector(id); }
+
+Inspector* PigPen::get_service_inspector(const char* svc)
+{ return InspectorManager::get_service_inspector(svc); }
+
+Inspector* PigPen::get_inspector(const char* key, bool dflt_only, const SnortConfig* sc)
+{ return InspectorManager::get_inspector(key, dflt_only, sc); }
+
+Inspector* PigPen::get_inspector(const char* key, Module::Usage use, InspectorType type)
+{ return InspectorManager::get_inspector(key, use, type); }
+
+void PigPen::release(Inspector* pi)
+{ InspectorManager::release(pi); }
+
+//--------------------------------------------------------------------------
+// process foo
+//--------------------------------------------------------------------------
+
+bool PigPen::snort_is_reloading()
+{ return Snort::is_reloading(); }
+
+void PigPen::install_oops_handler()
+{ ::install_oops_handler(); }
+
+void PigPen::remove_oops_handler()
+{ ::remove_oops_handler(); }
+
+//--------------------------------------------------------------------------
+// detection foo
+//--------------------------------------------------------------------------
+
+bool PigPen::inspect_rebuilt(Packet* pdu)
+{
+    DetectionEngine de;
+    return de.inspect(pdu);
+}
+
+//--------------------------------------------------------------------------
+// stats foo
+//--------------------------------------------------------------------------
+
+uint64_t PigPen::get_packet_number()
+{ return pc.analyzed_pkts; }
+
+void PigPen::show_runtime_memory_stats()
+{ Profiler::show_runtime_memory_stats(); }
+
+//--------------------------------------------------------------------------
+// log foo
+//--------------------------------------------------------------------------
+
+const char* PigPen::get_protocol_name(uint8_t ip_proto)
+{ return ::get_protocol_name(ip_proto); }
+
diff --git a/src/framework/pig_pen.h b/src/framework/pig_pen.h
new file mode 100644 (file)
index 0000000..2ada69f
--- /dev/null
@@ -0,0 +1,73 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2024-2024 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+// pig_pen.h author Russ Combs <rucombs@cisco.com>
+
+#ifndef FRAMEWORK_PIG_PEN_H
+#define FRAMEWORK_PIG_PEN_H
+
+#include "framework/inspector.h"
+#include "framework/module.h"
+#include "main/snort_types.h"
+#include "target_based/snort_protocols.h"
+
+struct PacketCount;
+
+namespace snort
+{
+struct Packet;
+
+struct SO_PUBLIC PigPen
+{
+    // inspector foo
+    static Inspector* get_binder();
+
+    static Inspector* get_file_inspector(const SnortConfig* = nullptr);
+    static Inspector* acquire_file_inspector();
+
+    static Inspector* get_service_inspector(const SnortProtocolId);
+    static Inspector* get_service_inspector(const char*);
+
+    // This assumes that, in a multi-tenant scenario, this is called with the correct network and inspection
+    // policies are set correctly
+    static Inspector* get_inspector(const char* key, bool dflt_only = false, const SnortConfig* = nullptr);
+
+    // This cannot be called in or before the inspector configure phase for a new snort config during reload
+    static Inspector* get_inspector(const char* key, Module::Usage, InspectorType);
+
+    static void release(Inspector*);
+
+    // process foo
+    static bool snort_is_reloading();
+
+    static void install_oops_handler();
+    static void remove_oops_handler();
+
+    // analyzer foo
+    static bool inspect_rebuilt(Packet*);
+
+    // stats foo
+    static uint64_t get_packet_number();
+    static void show_runtime_memory_stats();
+
+    // log foo
+    static const char* get_protocol_name(uint8_t ip_proto);
+};
+
+}
+#endif
+
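Review bot: `struct PacketCount;` at the top of the header is not referenced by any declaration in it (pig_pen.cc reads `pc` via utils/stats.h), so the forward declaration can be dropped. The section comment for `inspect_rebuilt` reads `// analyzer foo` here but `// detection foo` in pig_pen.cc; pick one so the two files stay in step.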
diff --git a/src/framework/plug_gen.sh b/src/framework/plug_gen.sh
new file mode 100755 (executable)
index 0000000..26203a7
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+cxx=$1
+src=$2
+bin=$3
+
+plugs=framework/plugins.h
+
+cd $src/..
+
+echo "// the set of versioned headers installed by Snort"
+echo "// this file is generated automatically - do not edit"
+echo "// see framework/plugins.h for details"
+echo
+
+$cxx -MM $plugs -I. -I$bin/.. | \
+    sed -e "s/ /\n/g" | \
+    grep ".*.h$" | grep -v "$plugs" | \
+    sed -e "s/^/#include \"/" -e "s/$/\"/" -e 's/.*api_options.h.*/#include "framework\/api_options.h"/' | \
+    sort
+
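Review bot: The `cd $src/..` on the ninth line is unquoted and unchecked, so if the directory is missing or the path contains a space the script keeps running in the caller's working directory and `$cxx -MM` produces a wrong or empty include list while the script still exits 0 (the status of `sort`). Changing it to `cd "$src/.." || exit 1` and quoting `"$cxx"`, `"$bin"` and `"$plugs"` in the pipeline closes that gap. Two smaller portability points in the same pipeline: `grep ".*.h$"` has an unescaped dot and should be `grep '\.h$'`, and `\n` in a sed replacement is a GNU extension, so `tr ' ' '\n'` is the safer way to split the `-MM` output on non-GNU sed.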
diff --git a/src/framework/plugins.h b/src/framework/plugins.h
new file mode 100644 (file)
index 0000000..3694bc5
--- /dev/null
@@ -0,0 +1,49 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2024-2024 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+// plugins.h author Russ Combs <rucombs@cisco.com>
+
+#ifndef PLUGINS_H
+#define PLUGINS_H
+
+// top level headers required by plugins
+// used to establish base header dependencies
+
+// the base API is comprised of the set of headers installed
+// in framework/snort_api.h less these plugin specific headers
+// which have their own API versions:
+
+#include "framework/codec.h"
+#include "framework/connector.h"
+#include "framework/inspector.h"
+#include "framework/ips_action.h"
+#include "framework/ips_option.h"
+#include "framework/logger.h"
+#include "framework/mpse.h"
+#include "framework/policy_selector.h"
+#include "framework/so_rule.h"
+
+// forward decls we must explicitly include here to 
+// generate the complete set of API dependencies:
+
+#include "flow/flow.h"
+#include "framework/module.h"
+#include "framework/pig_pen.h"
+#include "protocols/packet.h"
+
+#endif
+
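Review bot: The include guard `PLUGINS_H` is generic enough to collide with another project's header of the same name, whereas the sibling header added in this commit uses the directory-qualified form `FRAMEWORK_PIG_PEN_H`; `#define FRAMEWORK_PLUGINS_H` would keep the two consistent. There is also trailing whitespace after "to" on the "forward decls we must explicitly include here to" comment line.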
index 7b8777c5409f318bc2abee799e4029fba33f5425..8a0f87ef5979d9d8eb84e72e2caf3299b3d2ca40 100644 (file)
@@ -23,6 +23,9 @@
 // Policy selectors provide a method to select the network policy and default inspection
 // and IPS policies for a given packet
 
+// the POLICY_SELECTOR_API_VERSION will change if anything in this file changes.
+// see also framework/base_api.h.
+
 #include <string>
 
 #include "framework/base_api.h"
@@ -34,7 +37,7 @@ struct _daq_pkt_hdr;
 
 namespace snort
 {
-#define POLICY_SELECTOR_API_VERSION ((BASE_API_VERSION << 16) | 0)
+#define POLICY_SELECTOR_API_VERSION ((BASE_API_VERSION << 16) | 1)
 
 struct Packet;
 class PolicySelector;
index db54813e8cef265438af5fe99eb003ae1f637dde..8b6829a86425cc5ced5f8d49bb97fb86f7110756 100644 (file)
@@ -21,7 +21,7 @@
 #include "config.h"
 #endif
 
-#include "framework/range.h"
+#include "range.h"
 
 #include <cerrno>
 #include <cstdlib>
index 8025574fc266edc7226e23ee9710a2e47f021313..b2154ae93fccbc4fe64d224b32301672b6168b27 100644 (file)
@@ -25,6 +25,9 @@
 // like a text rule except that it can call function hooks. It can also
 // define its own rule options and any other plugins it may need.
 
+// the SOAPI_VERSION will change if anything in this file changes.
+// see also framework/base_api.h.
+
 #include "framework/base_api.h"
 #include "framework/ips_option.h"
 #include "main/snort_types.h"
@@ -35,7 +38,7 @@ struct Packet;
 }
 
 // this is the current version of the api
-#define SOAPI_VERSION ((BASE_API_VERSION << 16) | 0)
+#define SOAPI_VERSION ((BASE_API_VERSION << 16) | 1)
 
 //-------------------------------------------------------------------------
 // rule format is:  header ( [<stub opts>;] soid:<tag>; [<remaining opts>;] )
@@ -45,6 +48,7 @@ struct Packet;
 
 typedef snort::IpsOption::EvalStatus (* SoEvalFunc)(void*, class Cursor&, snort::Packet*);
 typedef SoEvalFunc (* SoNewFunc)(const char* key, void**);
+
 typedef void (* SoDelFunc)(void*);
 typedef void (* SoAuxFunc)();
 
index ba7457616da6e13d4a0f6353bc857b7876721d36..0f554e0f6ad4edc6309b6c937990732a744c0438 100644 (file)
@@ -2,3 +2,13 @@
 add_cpputest( data_bus_test
     SOURCES ../data_bus.cc
 )
+
+# libapi_def.a is actually a text file with the preprocessed header source
+
+if ( ENABLE_UNIT_TESTS )
+    add_library(api_def api_def.cc)
+    target_compile_options(api_def PRIVATE -E)
+    install(TARGETS api_def)
+endif ()
+
+
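Review bot: `target_compile_options(api_def PRIVATE -E)` hands a GCC/Clang driver flag to whatever compiler is configured, so the `api_def` target should be gated on the compiler as well as on `ENABLE_UNIT_TESTS`, e.g. `if ( ENABLE_UNIT_TESTS AND CMAKE_CXX_COMPILER_ID MATCHES "GNU|Clang" )`. Since the stated purpose is detecting interface changes by comparing the preprocessed text, I would also pass `-P` alongside `-E` so the output carries no linemarkers; with linemarkers present, the absolute source paths of the build host end up in the installed artifact and make it differ between machines even when the API is unchanged. The comment above the block would then read `# libapi_def.a is actually a text file with the preprocessed header source (GCC/Clang only)`.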
diff --git a/src/framework/test/api_def.cc b/src/framework/test/api_def.cc
new file mode 100644 (file)
index 0000000..e59884e
--- /dev/null
@@ -0,0 +1,33 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2024-2024 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+// api_def.cpp author Russ Combs <rucombs@cisco.com>
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+// this file is solely used to produce compiler preprocessor output
+// for detecting changes to the Snort plugin interface.
+
+#undef API_OPTIONS
+#define API_OPTIONS 0
+
+#include "framework/plugins.h"
+
+int main() { return 0; }
+
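Review bot: The author line names the file `api_def.cpp` while the file itself is `src/framework/test/api_def.cc`; it should read `// api_def.cc author Russ Combs <rucombs@cisco.com>`. The purpose comment could also say what consumes the preprocessor output, for instance `// see framework/test/CMakeLists.txt: built with -E into libapi_def.a and installed for diffing`, so a reader does not have to find the CMake target to understand why a translation unit with an empty main() exists.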
index f9678930367fb4939f61669bae15062fae0e31fb..b372e543d93da288e2c5b2b66bd4c795d33983a5 100644 (file)
@@ -23,7 +23,6 @@
 
 #include "framework/data_bus.h"
 #include "main/snort_config.h"
-#include "main/thread.h"
 #include "utils/stats.h"
 
 #include <CppUTest/CommandLineTestRunner.h>
index a935b164a0a236df765574061950bab767f14e2f..3ec96ce28dd25e3c3dffb10d15f2848e7ef05ac8 100644 (file)
@@ -26,9 +26,9 @@
 #include <cstring>
 #include <sstream>
 
-#include "framework/bits.h"
 #include "framework/parameter.h"
 #include "main/snort_types.h"
+#include "utils/bits.h"
 
 namespace snort
 {
index 72e3139d7462e24f4545c21755c744c2ae13ee31..9fac8b4287ed67698ac93cf454d174fd75017fae 100644 (file)
@@ -1,8 +1,6 @@
 
 set (HASH_INCLUDES
-    ghash.h
     hashes.h
-    hash_defs.h
     hash_key_operations.h
     lru_cache_local.h
     lru_cache_shared.h
@@ -13,6 +11,8 @@ set (HASH_INCLUDES
 add_library( hash OBJECT
     ${HASH_INCLUDES}
     ghash.cc
+    ghash.h
+    hash_defs.h
     hashes.cc
     hash_lru_cache.cc
     hash_lru_cache.h
index be27622fd1bf7679cbe1e90d97adc42183ed310e..e25ff5f93c04cbc3f74add4e96761c9ee1fb7060 100644 (file)
@@ -40,7 +40,7 @@ struct GHashNode
 
 typedef void (* gHashFree)(void*);
 
-class SO_PUBLIC GHash
+class GHash
 {
 public:
     GHash(int nrows, unsigned keysize, bool userkey, gHashFree);
index 79e0a2645038f5a36dd6dd63e103b2d14bd33f31..93b861f35c5921739f8c37fac54693f805f0ee7c 100644 (file)
@@ -28,6 +28,7 @@
 #include <random>
 
 #include "main/snort_config.h"
+#include "main/thread.h"
 #include "utils/util.h"
 
 #include "primetable.h"
index cf8b35201e2e211d2714bdde00adeb03db54318f..9e29c4609b95d9494b5cb5c6501aafd522bb1098 100644 (file)
@@ -27,6 +27,7 @@
 
 #include "hash/hash_defs.h"
 #include "main/snort_config.h"
+#include "main/thread.h"
 #include "utils/util.h"
 
 #include <CppUTest/CommandLineTestRunner.h>
index 3b6112f5398f3f05263d4d0abc1f347308d0e9f9..ee9ddadff615d03b4c29ba31ec7095cdc708458f 100644 (file)
@@ -27,6 +27,7 @@
 
 #include "hash/hash_defs.h"
 #include "main/snort_config.h"
+#include "main/thread.h"
 #include "utils/util.h"
 
 #include <CppUTest/CommandLineTestRunner.h>
index 31c5d4f7eefe19f3ab5d0ef1f6488c0f05ab9907..6ecf6206c9206f4bca1fcd15f9577c56a303296c 100644 (file)
@@ -27,8 +27,8 @@
 #include <vector>
 
 #include "framework/counts.h"
+#include "helpers/memcap_allocator.h"
 #include "main/snort_types.h"
-#include "utils/memcap_allocator.h"
 
 class HashLruCache;
 
index de23cd7f02b6c10f4be7be78cf66671b30915314..a94f72d2c214a41d25f582591bbbfc50e4df5d5c 100644 (file)
@@ -13,39 +13,47 @@ endif ()
 set (HELPERS_INCLUDES
     ${HYPER_HEADERS}
     base64_encoder.h
+    ber.h
     bitop.h
+    boyer_moore.h
     boyer_moore_search.h
     buffer_data.h
+    event_gen.h
+    infractions.h
     json_stream.h
     literal_search.h
-    process.h
+    memcap_allocator.h
     scratch_allocator.h
     sigsafe.h
+    utf.h
 )
 
 add_library (helpers OBJECT
     ${HELPERS_INCLUDES}
     ${HYPER_SOURCES}
     base64_encoder.cc
+    ber.cc
+    boyer_moore.cc
     boyer_moore_search.cc
     buffer_data.cc
-    chunk.cc
-    chunk.h
     directory.cc
     directory.h
     discovery_filter.cc
     discovery_filter.h
     flag_context.h
+    grouped_list.h
     json_stream.cc
-    json_stream.h
     literal_search.cc
     markup.cc
     markup.h
-    process.cc
+    primed_allocator.h
     ring.h
     ring_logic.h
     sigsafe.cc
     scratch_allocator.cc
+    streambuf.cc
+    streambuf.h
+    utf.cc
 )
 
 install (FILES ${HELPERS_INCLUDES}
similarity index 99%
rename from src/utils/util_ber.cc
rename to src/helpers/ber.cc
index 7951a26680c92fdac49d7da82df7d9285551de90..7ec11b2de790ff926eb767ad37abebeda7469b15 100644 (file)
@@ -21,7 +21,7 @@
 #include "config.h"
 #endif
 
-#include "util_ber.h"
+#include "ber.h"
 
 namespace snort
 {
similarity index 95%
rename from src/utils/util_ber.h
rename to src/helpers/ber.h
index 9707cf06ca02039e15f79a2d7df4cfaabbb3792b..98a91481a5be3db73e8c81756ba81f3bc516ab3b 100644 (file)
 // with this program; if not, write to the Free Software Foundation, Inc.,
 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 //--------------------------------------------------------------------------
-// util_ber.h author Brandon Stultz <brastult@cisco.com>
+// ber.h author Brandon Stultz <brastult@cisco.com>
 
-#ifndef UTIL_BER_H
-#define UTIL_BER_H
+#ifndef BER_H
+#define BER_H
 
 #include "main/snort_types.h"
 #include "framework/cursor.h"
index 7a8271a90ba71be632a45d3e9568a88dd73f91c2..637afe3eb2514bea6203b8ace7701ca0ab89c455 100644 (file)
@@ -16,6 +16,7 @@
 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 //--------------------------------------------------------------------------
 // buffer_data.h author Amarnath Nayak <amarnaya@cisco.com>
+
 #ifndef BUFFER_DATA_H
 #define BUFFER_DATA_H
 
index 8f1dd3b10a3aeafba7f6afdcf7f295bde786fb7c..c794ea78c085ebd1f3cc699cf110a880b4ad9370 100644 (file)
@@ -1,3 +1,48 @@
 This directory contains new utility classes and methods for use by the
-framework.
+framework. Utility funcitons, defines, etc. should go in src/utils/.
+
+On stream buffer, there are two classes inherited from std::streambuf:
+
+* istreambuf_glue class for reading operations
+* ostreambuf_infl class for writing operations
+
+The input stream buffer presents a continuous sequence of bytes to the client,
+gathered from different sources. For example:
+
+    char* s1 = "world";
+    char* s2 = "!";
+    char* s3 = "Hello ";
+
+These sources being fed to the stream buffer as s3, s1, s2 will form
+"Hello world!" sequence.
+
+In order to do that, istreambuf_glue class represents each source as a chunk of
+data, which has its own position in the resulting sequence.
+The chunk structure contains a pointer to the source, source size, and
+the chunk's offset in the resulting sequence.
+
+Reading is done sequentially within the current chunk. When the end of chunk
+reached, the buffer switches to the next one, setting std::streambuf pointers.
+
+Positioning the cursor is done in two steps:
+
+1. Calculate the final cursor position (absolute or by offset).
+
+2. Find the right chunk and local offset in it to set cursor there.
+
+Currently, no intermediate buffering done between chunks (like alignment,
+prepending/appending the next chunk). The buffer doesn't take ownership over
+the source's memory.
+
+The output stream buffer is mostly like std::stringbuf. The main purpose of it
+is having an extensible dynamic array, where clients could write their data,
+not worrying about resizing and memory management.
+
+Aside from that, ostreambuf_infl can give away ownership over its memory,
+which could be useful for final consumer.
+
+From performance perspective, ostreambuf_infl can reserve an amount of memory
+before actual operations. Also, memory extending is done by predefined
+portions of 2^11^, 2^12^, 2^13^, 2^14^, 2^15^, 2^15^, 2^15^...
+This tries to minimize the number of memory reallocation.
 
index 052a02d7e24a102e57217a6bb07dad7ff2ecfdf3..46510128227eaaad87b2fdab62eb549a6e274ac0 100644 (file)
@@ -32,7 +32,6 @@
 
 #include "log/messages.h"
 #include "main/snort_config.h"
-#include "main/thread.h"
 #include "utils/util.h"
 
 #include "hyper_scratch_allocator.h"
@@ -104,11 +103,14 @@ HyperSearch::~HyperSearch()
 
 }
 
+namespace
+{
 struct ScanContext
 {
     unsigned index;
     bool found = false;
 };
+}
 
 static int hs_match(unsigned int, unsigned long long, unsigned long long to, unsigned int, void* context)
 {
index 5255dd7e0846cce26383a401e65c3324ea4961eb..1e41ac818f63d9e2348af59c36cbe517879c5e93 100644 (file)
@@ -1,8 +1,21 @@
+
+add_catch_test( bitop_test )
+
+add_cpputest( boyer_moore_test
+    SOURCES
+        ../boyer_moore.cc
+)
+
 add_cpputest( boyer_moore_search_test
     SOURCES
         ../boyer_moore_search.cc
 )
 
+add_catch_test( grouped_list_test
+    SOURCES
+        ../grouped_list.h
+)
+
 if ( HAVE_HYPERSCAN )
     add_cpputest( hyper_search_test
         SOURCES
@@ -14,11 +27,16 @@ if ( HAVE_HYPERSCAN )
     )
 endif()
 
-add_catch_test( bitop_test )
-
 add_catch_test( json_stream_test
     SOURCES
         json_stream_test.cc
         ../json_stream.cc
 )
 
+add_cpputest( memcap_allocator_test )
+
+add_catch_test( streambuf_test
+    SOURCES
+        ../streambuf.cc
+)
+
similarity index 99%
rename from src/utils/test/grouped_list_test.cc
rename to src/helpers/test/grouped_list_test.cc
index 70187b7d40e6b1768db5b5cf4d57981ca625c449..375b1a60236295022ca745fb71b142397ea11f1f 100644 (file)
@@ -27,7 +27,7 @@
 #include <cstring>
 #include <vector>
 
-#include "utils/grouped_list.h"
+#include "helpers/grouped_list.h"
 
 using namespace snort;
 using namespace std;
similarity index 99%
rename from src/utils/test/streambuf_test.cc
rename to src/helpers/test/streambuf_test.cc
index 0771a55802df8cc731f3cd7546c910d2b4e6b4e8..e934fdad529098025cdc792a1c8e201cda9ce4ea 100644 (file)
@@ -26,7 +26,7 @@
 #include <iostream>
 #include <vector>
 
-#include "utils/streambuf.h"
+#include "helpers/streambuf.h"
 
 using namespace snort;
 using namespace std;
similarity index 99%
rename from src/utils/util_utf.cc
rename to src/helpers/utf.cc
index f5ad383353e245c52258a54ac7dcf61a29762044..6d445262178d1e8b45f3c193c084acdaf5768057 100644 (file)
@@ -23,7 +23,7 @@
 #include "config.h"
 #endif
 
-#include "util_utf.h"
+#include "utf.h"
 
 #include <cassert>
 #include <cstring>
similarity index 100%
rename from src/utils/util_utf.h
rename to src/helpers/utf.h
index 8625723b52015d0e073bd49380861ce61823894e..1cb414d30b05432c7871a7cfa3a66d51312788b2 100644 (file)
@@ -2,7 +2,6 @@ set (HOST_TRACKER_INCLUDES
     cache_allocator.h
     cache_interface.h
     host_cache.h
-    host_cache_segmented.h
     host_tracker.h
 )
 
@@ -16,6 +15,7 @@ add_library( host_tracker OBJECT
     host_tracker_module.cc
     host_tracker_module.h
     host_tracker.cc
+    host_tracker_stats.h
 )
 
 add_subdirectory ( test )
index b006f50aa53f3fc64cddb716c0d73a5a6fae460b..c42dbe5c3ea751c8b06bc18c98d233bf2ff8a9c0 100644 (file)
@@ -89,13 +89,13 @@ public:
     CacheInterface* get_cache_ptr() { return Base::get_lru(); }
 
     template <class U>
-    HostCacheAllocIp(const HostCacheAllocIp<U>& other) 
+    HostCacheAllocIp(const HostCacheAllocIp<U>& other)
     {
         this->lru = other.get_lru();
     }
 
     template <class U>
-    HostCacheAllocIp(HostCacheAllocIp<U>&& other)  noexcept 
+    HostCacheAllocIp(HostCacheAllocIp<U>&& other) noexcept
     {
         this->lru = other.get_lru();
     }
index 156e46906a64f6a34eca713e3f886d1696cfc70d..76c89420e37566aa7d48f92e15edca90e90b182f 100644 (file)
 
 #include "hash/lru_cache_shared.h"
 #include "host_tracker.h"
+#include "log/log_stats.h"
 #include "log/messages.h"
 #include "main/snort_config.h"
 #include "sfip/sf_ip.h"
-#include "utils/stats.h"
 
 #include "cache_allocator.h"
 #include "cache_interface.h"
index 9612d28dfb6f3721b02a382cad62900ebffb69dc..1bb3e8fb4af6792d4aea77132ab8578341276c00 100644 (file)
@@ -563,8 +563,6 @@ string HostCacheModule::get_host_cache_stats()
         }
 
     }
-
-
     return str;
 }
 
index 01e6601098ae0a75ae217b9dfa94a94d84b3781b..d73905a645cba21f7d09d0a4e290f5d02f20c905 100644 (file)
@@ -1,5 +1,5 @@
 //--------------------------------------------------------------------------
-// Copyright (C) 2015-2024 Cisco and/or its affiliates. All rights reserved.
+// Copyright (C) 2023-2024 Cisco and/or its affiliates. All rights reserved.
 //
 // This program is free software; you can redistribute it and/or modify it
 // under the terms of the GNU General Public License Version 2 as published
 #ifndef HOST_CACHE_SEGMENTED_H
 #define HOST_CACHE_SEGMENTED_H
 
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
 #include <atomic>
 #include <cassert>
 #include <numeric>
 
 #include "host_cache.h"
+#include "log/log_stats.h"
 #include "log/messages.h"
 
 #define DEFAULT_HOST_CACHE_SEGMENTS 4
index 52f9b74585f0f2d98c9c9d0dc1939c05c08e0ba0..df4b361d7fd3616d59ec42cf1720e84a074b9261 100644 (file)
@@ -22,6 +22,9 @@
 #include "config.h"
 #endif
 
+#include "host_tracker.h"
+#include "host_tracker_stats.h"
+
 #include <algorithm>
 
 #include "flow/flow.h"
@@ -31,7 +34,6 @@
 #include "cache_allocator.cc"
 #include "host_cache.h"
 #include "host_cache_segmented.h"
-#include "host_tracker.h"
 
 using namespace snort;
 using namespace std;
index 9ef80e4b59ab364abc0be097c786bf30cfbfafcf..ef43d1673ac1ade099d2acd2cc5d1fa8d690d635 100644 (file)
 #include <mutex>
 #include <list>
 #include <set>
+#include <string>
 #include <unordered_set>
 #include <vector>
 
 #include "framework/counts.h"
 #include "main/snort_types.h"
-#include "main/thread.h"
 #include "network_inspectors/appid/application_ids.h"
 #include "protocols/protocol_ids.h"
 #include "protocols/vlan.h"
 
 #include "cache_allocator.h"
 
-struct HostTrackerStats
-{
-    PegCount service_adds;
-    PegCount service_finds;
-};
-
-extern THREAD_LOCAL struct HostTrackerStats host_tracker_stats;
-
 class RNAFlow;
 
 namespace snort
@@ -387,13 +379,13 @@ public:
         return ++nat_count;
     }
 
-    void set_cache_idx(uint8_t idx) 
-    { 
+    void set_cache_idx(uint8_t idx)
+    {
         std::lock_guard<std::mutex> lck(host_tracker_lock);
-        cache_idx = idx; 
+        cache_idx = idx;
     }
 
-    void init_visibility(size_t v) 
+    void init_visibility(size_t v)
     {
         std::lock_guard<std::mutex> lck(host_tracker_lock);
         visibility = v;
@@ -474,12 +466,12 @@ private:
     uint32_t nat_count_start;     // the time nat counting starts for this host
 
     size_t visibility;
-    uint8_t cache_idx = 0; 
+    uint8_t cache_idx = 0;
 
     uint32_t num_visible_services = 0;
     uint32_t num_visible_clients = 0;
     uint32_t num_visible_macs = 0;
-    
+
     CacheInterface * cache_interface = nullptr;
 
     // These three do not lock independently; they are used by payload discovery and called
index b04d0743b3ee2a9eac5449a3f05e9e793f3430d8..09b817fa0a3e756695d77bdc11a59af04cbea471 100644 (file)
@@ -23,6 +23,7 @@
 #endif
 
 #include "host_tracker_module.h"
+#include "host_tracker_stats.h"
 #include "host_cache_segmented.h"
 
 #include "log/messages.h"
diff --git a/src/host_tracker/host_tracker_stats.h b/src/host_tracker/host_tracker_stats.h
new file mode 100644 (file)
index 0000000..46c5037
--- /dev/null
@@ -0,0 +1,37 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2024-2024 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// host_tracker_stats.h author Russ Combs <rucombs@cisco.com>
+
+#ifndef HOST_TRACKER_STATS_H
+#define HOST_TRACKER_STATS_H
+
+// private HostTracker data (not installed)
+
+#include "framework/counts.h"
+
+struct HostTrackerStats
+{
+    PegCount service_adds;
+    PegCount service_finds;
+};
+
+extern THREAD_LOCAL struct HostTrackerStats host_tracker_stats;
+
+#endif
+
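Review bot: The `extern THREAD_LOCAL struct HostTrackerStats host_tracker_stats;` declaration uses `THREAD_LOCAL` but the header only includes `framework/counts.h`, so it is not self-contained and compiles only when the including file has already pulled in the macro's definition; the old home of this declaration in host_tracker.h included `main/thread.h`, which this commit removes there, and the other hunks in this commit add `main/thread.h` next to THREAD_LOCAL users, so adding `#include "main/thread.h"` here looks like the right fix. A smaller point: `service_adds` and `service_finds` have no in-class initializer, which is harmless for the thread-local extern (static storage is zero-initialized) but would leave any locally constructed instance indeterminate; `PegCount service_adds = 0;` costs nothing.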
index fc0ff89c589d76d7a71df99425cc093babd598b3..1371a73280d6988643a6004a5cf33ddb52e15c5d 100644 (file)
@@ -65,12 +65,12 @@ public:
     CacheInterface* get_cache_ptr() { return Base::get_lru(); }
 
     template <class U>
-    Allocator(const Allocator<U>& other) 
+    Allocator(const Allocator<U>& other)
     {
         lru = other.lru;
     }
     template <class U>
-    Allocator(const Allocator<U>&& other) 
+    Allocator(const Allocator<U>&& other)
     {
         lru = other.lru;
     }
@@ -102,7 +102,7 @@ TEST_GROUP(host_cache_allocator_ht)
 };
 
 TEST(host_cache_allocator_ht, allocate_update)
-{   
+{
     //declare a list with allocator cache
     std::list<string, Allocator<string>> test_list;
     CHECK(test_list.get_allocator().get_lru() == &cache1);
index bfa4c4955587a0b34206dc52b3378ec2f5294a7f..3e1bc2f5ec19249fff53ecf12d403e4d3c9502e8 100644 (file)
@@ -92,7 +92,7 @@ unsigned ThreadConfig::get_instance_max() { return 1; }
 } // end of namespace snort
 
 void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { }
+void show_stats(PegCount*, const PegInfo*, const std::vector<unsigned>&, const char*, FILE*) { }
 
 template <class T>
 HostCacheAllocIp<T>::HostCacheAllocIp()
@@ -177,12 +177,12 @@ TEST(host_cache_module, misc)
     // cache, because sum_stats resets the pegs.
     module.sum_stats(true);
 
-    // add 3 entries to segment 3 
+    // add 3 entries to segment 3
     SfIp ip1, ip2, ip3;
     ip1.set("1.1.1.1");
     ip2.set("2.2.2.2");
     ip3.set("3.3.3.3");
-    
+
     host_cache.find_else_create(ip1, nullptr);
     host_cache.find_else_create(ip2, nullptr);
     host_cache.find_else_create(ip3, nullptr);
@@ -206,7 +206,7 @@ TEST(host_cache_module, misc)
     // pruning in thread is not done when reload_mutex is already locked
     for(auto cache : host_cache.seg_list)
         cache->reload_mutex.lock();
-        
+
     std::thread test_negative(try_reload_prune, false);
     test_negative.join();
 
@@ -268,8 +268,6 @@ TEST(host_cache_module, get_segment_stats)
     str = module.get_host_cache_segment_stats(-1);
     contain = str.find("total cache segments: 4") != std::string::npos;
     CHECK_TRUE(contain);
-    
-
 }
 
 TEST(host_cache_module, log_host_cache_messages)
index 5d429d2beb9bf64c4cf154a5327fdabf74f116b5..8f4ccccb0db97f4feb0295afc7336558a2424fca 100644 (file)
@@ -28,6 +28,7 @@
 #include "host_tracker/host_cache.h"
 #include "host_tracker/host_cache_segmented.h"
 #include "host_tracker/host_tracker_module.h"
+#include "host_tracker/host_tracker_stats.h"
 #include "main/snort_config.h"
 #include "main/thread_config.h"
 #include "target_based/snort_protocols.h"
@@ -50,7 +51,7 @@ unsigned ThreadConfig::get_instance_max() { return 1; }
 
 //  Fake show_stats to avoid bringing in a ton of dependencies.
 void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { }
+void show_stats(PegCount*, const PegInfo*, const std::vector<unsigned>&, const char*, FILE*) { }
 
 SfIp expected_addr;
 
index 4ae54c65e0496376fc16dd8906f1f35fafcd9ee4..3512b4860b01ca6813e3d23cf771fce60ab9845e 100644 (file)
@@ -1,6 +1,3 @@
-set(IPS_INCLUDES
-    extract.h
-)
 
 SET( PLUGIN_LIST
     ips_ack.cc
@@ -12,13 +9,20 @@ SET( PLUGIN_LIST
     ips_byte_jump.cc
     ips_byte_math.cc
     ips_byte_test.cc
+    ips_classtype.cc
+    ips_content.cc
     ips_cvs.cc
+    ips_dsize.cc
     ips_enable.cc
+    ips_file_data.cc
+    ips_file_meta.cc
     ips_file_type.cc
     ips_flags.cc
+    ips_flow.cc
     ips_fragbits.cc
     ips_fragoffset.cc
     ips_gid.cc
+    ips_hash.cc
     ips_icmp_id.cc
     ips_icmp_seq.cc
     ips_icode.cc
@@ -27,14 +31,19 @@ SET( PLUGIN_LIST
     ips_ip_proto.cc
     ips_isdataat.cc
     ips_itype.cc
+    ips_js_data.cc
+    ips_metadata.cc
     ips_msg.cc
     ips_pcre.cc
+    ips_pkt_data.cc
     ips_priority.cc
     ips_raw_data.cc
+    ips_reference.cc
     ips_rem.cc
     ips_rev.cc
     ips_rpc.cc
     ips_seq.cc
+    ips_service.cc
     ips_sid.cc
     ips_soid.cc
     ips_tag.cc
@@ -42,33 +51,16 @@ SET( PLUGIN_LIST
     ips_tos.cc
     ips_ttl.cc
     ips_window.cc
-    ips_vba_data.cc
-    ips_vba_data.h
 )
 
-
 set (IPS_SOURCES
-    ${IPS_INCLUDES}
-    extract.cc
-    ips_classtype.cc
-    ips_content.cc
     ips_detection_filter.cc
-    ips_dsize.cc
-    ips_file_data.cc
-    ips_file_meta.cc
-    ips_flow.cc
     ips_flowbits.cc
     ips_flowbits.h
-    ips_hash.cc
-    ips_js_data.cc
     ips_luajit.cc
-    ips_metadata.cc
     ips_options.cc
     ips_options.h
-    ips_pkt_data.cc
-    ips_reference.cc
     ips_replace.cc
-    ips_service.cc
     ips_so.cc
     ips_vba_data.cc
     ips_vba_data.h
@@ -86,7 +78,6 @@ if (STATIC_IPS_OPTIONS)
 
     add_library ( ips_options OBJECT
         ${IPS_SOURCES}
-        ${OPTION_LIST}
         ${PLUGIN_LIST}
     )
 
@@ -94,22 +85,28 @@ else (STATIC_IPS_OPTIONS)
 
     add_library ( ips_options OBJECT
         ${IPS_SOURCES}
-        ${OPTION_LIST}
     )
 
+    add_dynamic_module(ips_content ips_options ips_content.cc)
+    add_dynamic_module(ips_hash ips_options ips_hash.cc)
     add_dynamic_module(ips_ack ips_options ips_ack.cc)
     add_dynamic_module(ips_base64 ips_options ips_base64.cc)
     add_dynamic_module(ips_ber_data ips_options ips_ber_data.cc)
     add_dynamic_module(ips_ber_skip ips_options ips_ber_skip.cc)
     add_dynamic_module(ips_bufferlen ips_options ips_bufferlen.cc)
-    add_dynamic_module(ips_byte_extract ips_options extract.cc ips_byte_extract.cc)
-    add_dynamic_module(ips_byte_jump ips_options extract.cc ips_byte_jump.cc)
-    add_dynamic_module(ips_byte_math ips_options extract.cc ips_byte_math.cc)
-    add_dynamic_module(ips_byte_test ips_options extract.cc ips_byte_test.cc)
+    add_dynamic_module(ips_byte_extract ips_options ips_byte_extract.cc)
+    add_dynamic_module(ips_byte_jump ips_options ips_byte_jump.cc)
+    add_dynamic_module(ips_byte_math ips_options ips_byte_math.cc)
+    add_dynamic_module(ips_byte_test ips_options ips_byte_test.cc)
+    add_dynamic_module(ips_classtype ips_options ips_classtype.cc)
     add_dynamic_module(ips_cvs ips_options ips_cvs.cc)
+    add_dynamic_module(ips_dsize ips_options ips_dsize.cc)
     add_dynamic_module(ips_enable ips_options ips_enable.cc)
+    add_dynamic_module(ips_file_data ips_options ips_file_data.cc)
+    add_dynamic_module(ips_file_meta ips_options ips_file_meta.cc)
     add_dynamic_module(ips_file_type ips_options ips_file_type.cc)
     add_dynamic_module(ips_flags ips_options ips_flags.cc)
+    add_dynamic_module(ips_flow ips_options ips_flow.cc)
     add_dynamic_module(ips_fragbits ips_options ips_fragbits.cc)
     add_dynamic_module(ips_fragoffset ips_options ips_fragoffset.cc)
     add_dynamic_module(ips_gid ips_options ips_gid.cc)
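Review bot: `add_dynamic_module(ips_content ...)` and `add_dynamic_module(ips_hash ...)` are inserted ahead of `ips_ack` while every other entry in this list, including the ones added in this hunk, is kept in alphabetical order; moving them into place (after `ips_classtype` and after `ips_gid` respectively) keeps the list greppable and avoids a merge-conflict magnet at the top. If there is a build-order reason for listing them first, a one-line comment saying so would stop the next person from re-sorting them.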
@@ -121,13 +118,18 @@ else (STATIC_IPS_OPTIONS)
     add_dynamic_module(ips_ip_proto ips_options ips_ip_proto.cc)
     add_dynamic_module(ips_isdataat ips_options ips_isdataat.cc)
     add_dynamic_module(ips_itype ips_options ips_itype.cc)
+    add_dynamic_module(ips_js_data ips_options ips_js_data.cc)
+    add_dynamic_module(ips_metadata ips_options ips_metadata.cc)
     add_dynamic_module(ips_msg ips_options ips_msg.cc)
     add_dynamic_module(ips_pcre ips_options ips_pcre.cc)
+    add_dynamic_module(ips_pkt_data ips_options ips_pkt_data.cc)
     add_dynamic_module(ips_priority ips_options ips_priority.cc)
     add_dynamic_module(ips_raw_data ips_options ips_raw_data.cc)
+    add_dynamic_module(ips_reference ips_options ips_reference.cc)
     add_dynamic_module(ips_rem ips_options ips_rem.cc)
     add_dynamic_module(ips_rev ips_options ips_rev.cc)
     add_dynamic_module(ips_rpc ips_options ips_rpc.cc)
+    add_dynamic_module(ips_service ips_options ips_service.cc)
     add_dynamic_module(ips_sid ips_options ips_sid.cc)
     add_dynamic_module(ips_seq ips_options ips_seq.cc)
     add_dynamic_module(ips_soid ips_options ips_soid.cc)
@@ -145,6 +147,3 @@ endif (STATIC_IPS_OPTIONS)
 
 add_subdirectory(test)
 
-install(FILES ${IPS_INCLUDES}
-    DESTINATION "${INCLUDE_INSTALL_PATH}/ips_options/"
-)
index f978c77ade32de44c3152041fff6f4a02975b6af..178d619f28d5a8ca56a2a8c27d7919ef3fe50f3f 100644 (file)
@@ -148,7 +148,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* ack_ctor(Module* p, OptTreeNode*)
+static IpsOption* ack_ctor(Module* p, IpsInfo&)
 {
     AckModule* m = (AckModule*)p;
     return new TcpAckOption(m->data);
index 6b56627cbaccf9a3d6d9f9a1a7f5a258a3c03cf8..da3ea0f7196e1a0fa9f9cdc3a0f9819d78b6cc2f 100644 (file)
@@ -24,7 +24,6 @@
 #endif
 
 #include "detection/detection_engine.h"
-#include "detection/treenodes.h"
 #include "hash/hash_key_operations.h"
 #include "framework/cursor.h"
 #include "framework/ips_option.h"
@@ -229,7 +228,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* base64_decode_ctor(Module* p, OptTreeNode*)
+static IpsOption* base64_decode_ctor(Module* p, IpsInfo&)
 {
     B64DecodeModule* m = (B64DecodeModule*)p;
     return new Base64DecodeOption(m->data);
@@ -302,9 +301,9 @@ IpsOption::EvalStatus Base64DataOption::eval(Cursor& c, Packet* p)
 //-------------------------------------------------------------------------
 
 static class IpsOption* base64_data_ctor(
-    Module*, OptTreeNode* otn)
+    Module*, IpsInfo& info)
 {
-    if ( !otn_has_plugin(otn, "base64_decode") )
+    if ( !IpsOption::has_plugin(info, "base64_decode") )
     {
         ParseError("base64_decode needs to be specified before base64_data in a rule");
         return nullptr;
index a0527d7c63f67f7ee5c714b4dba7f1dd231fadb5..e7797821f1aac58fbb4531cebafaab8d1110b4cf 100644 (file)
@@ -25,8 +25,8 @@
 #include "framework/ips_option.h"
 #include "framework/module.h"
 #include "hash/hash_key_operations.h"
+#include "helpers/ber.h"
 #include "profiler/profiler.h"
-#include "utils/util_ber.h"
 
 using namespace snort;
 
@@ -165,7 +165,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* ber_data_ctor(Module* p, OptTreeNode*)
+static IpsOption* ber_data_ctor(Module* p, IpsInfo&)
 {
     BerDataModule* m = (BerDataModule*)p;
     return new BerDataOption(m->type);
index f54e404b74a12112df8d4ede8d4b1f9d5322bd64..2ac03eb0b996690160bd04f0e7cd4d3f02c21e8f 100644 (file)
@@ -25,8 +25,8 @@
 #include "framework/ips_option.h"
 #include "framework/module.h"
 #include "hash/hash_key_operations.h"
+#include "helpers/ber.h"
 #include "profiler/profiler.h"
-#include "utils/util_ber.h"
 
 using namespace snort;
 
@@ -182,7 +182,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* ber_skip_ctor(Module* p, OptTreeNode*)
+static IpsOption* ber_skip_ctor(Module* p, IpsInfo&)
 {
     BerSkipModule* m = (BerSkipModule*)p;
     return new BerSkipOption(m->type, m->optional);
index 1d7769e0576d3700372f9eaa7dcc2f65cb1e2a3a..fbfbcd84a68fa4a0ec5e9723416063d6712a6e0f 100644 (file)
@@ -162,7 +162,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* len_ctor(Module* p, OptTreeNode*)
+static IpsOption* len_ctor(Module* p, IpsInfo&)
 {
     LenModule* m = (LenModule*)p;
     return new LenOption(m->data, m->relative);
index 26cb745e640ac9454719dabc19817aa539124715..5f94cb05dce1e7d2ba9ac46e8948e147e5df132f 100644 (file)
 #include "config.h"
 #endif
 
-#include "detection/treenodes.h"
+#include "detection/extract.h"
 #include "framework/cursor.h"
 #include "framework/endianness.h"
+#include "framework/ips_info.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
 #include "hash/hash_key_operations.h"
@@ -33,8 +34,6 @@
 #include "protocols/packet.h"
 #include "utils/util.h"
 
-#include "extract.h"
-
 #ifdef UNIT_TEST
 #include <catch/snort_catch.h>
 #include "service_inspectors/dce_rpc/dce_common.h"
@@ -386,7 +385,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* byte_extract_ctor(Module* p, OptTreeNode*)
+static IpsOption* byte_extract_ctor(Module* p, IpsInfo&)
 {
     ExtractModule* m = (ExtractModule*)p;
     ByteExtractData& data = m->data;
@@ -878,17 +877,19 @@ TEST_CASE("Test of byte_extract_ctor", "[ips_byte_extract]")
             "~name", Parameter::PT_STRING, nullptr, nullptr,
             "name of the variable that will be used in other rule options"};
         v.set(&p);
+
         obj.set(nullptr, v, nullptr);
+        IpsInfo info(nullptr, nullptr);
 
         if (i < NUM_IPS_OPTIONS_VARS)
         {
-            IpsOption* res = byte_extract_ctor(&obj, nullptr);
+            IpsOption* res = byte_extract_ctor(&obj, info);
             delete res;
         }
         else
         {
-            IpsOption* res_null = byte_extract_ctor(&obj, nullptr);
-            CHECK(nullptr == res_null);
+            IpsOption* res_null = byte_extract_ctor(&obj, info);
+            CHECK(res_null == nullptr);
             delete[] obj.data.name;
         }
     }
index 1ddd416b463db8f7bd68231eb4cf4a83a1dc2e74..7f203f4df4ffd17addb55e0de3a9bd927ea2b78c 100644 (file)
@@ -77,6 +77,7 @@
 #include "config.h"
 #endif
 
+#include "detection/extract.h"
 #include "framework/cursor.h"
 #include "framework/endianness.h"
 #include "framework/ips_option.h"
@@ -86,8 +87,6 @@
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
 
-#include "extract.h"
-
 using namespace snort;
 using namespace std;
 
@@ -499,7 +498,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* byte_jump_ctor(Module* p, OptTreeNode*)
+static IpsOption* byte_jump_ctor(Module* p, IpsInfo&)
 {
     ByteJumpModule* m = (ByteJumpModule*)p;
     return new ByteJumpOption(m->data);
index 08f030c0f093651f32d861183224332a24f04d0d..d8932c4fd577d989cca950e948fa4158a87f6ab5 100644 (file)
 #include "config.h"
 #endif
 
+#include "detection/extract.h"
 #include "framework/cursor.h"
 #include "framework/endianness.h"
+#include "framework/ips_info.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
 #include "hash/hash_key_operations.h"
@@ -33,8 +35,6 @@
 #include "protocols/packet.h"
 #include "utils/util.h"
 
-#include "extract.h"
-
 #ifdef UNIT_TEST
 #include "catch/snort_catch.h"
 #include "service_inspectors/dce_rpc/dce_common.h"
@@ -492,7 +492,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* byte_math_ctor(Module* p, OptTreeNode*)
+static IpsOption* byte_math_ctor(Module* p, IpsInfo&)
 {
     ByteMathModule* m = (ByteMathModule*)p;
     ByteMathData& data = m->data;
@@ -1233,16 +1233,19 @@ TEST_CASE("Test of byte_math_ctor", "[ips_byte_math]")
         Parameter p{"result", Parameter::PT_STRING, nullptr, nullptr,
             "name of the variable to store the result"};
         v.set(&p);
+
         obj.set(nullptr, v, nullptr);
+        IpsInfo info(nullptr, nullptr);
+
         if (i < NUM_IPS_OPTIONS_VARS)
         {
-            IpsOption* res = byte_math_ctor(&obj, nullptr);
+            IpsOption* res = byte_math_ctor(&obj, info);
             delete res;
         }
         else
         {
-            IpsOption* res_null = byte_math_ctor(&obj, nullptr);
-            CHECK(nullptr == res_null);
+            IpsOption* res_null = byte_math_ctor(&obj, info);
+            CHECK(res_null == nullptr);
             delete[] obj.data.result_name;
         }
     }
index 6de64ada2faea5ebe95edb733bc6cbdd40d689e9..4a5bb078e19530768020a0b53c3b65d4f096df8c 100644 (file)
@@ -93,6 +93,7 @@
 #include "config.h"
 #endif
 
+#include "detection/extract.h"
 #include "framework/cursor.h"
 #include "framework/endianness.h"
 #include "framework/ips_option.h"
 #include "catch/snort_catch.h"
 #endif
 
-#include "extract.h"
-
 using namespace snort;
 using namespace std;
 
@@ -564,7 +563,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* byte_test_ctor(Module* p, OptTreeNode*)
+static IpsOption* byte_test_ctor(Module* p, IpsInfo&)
 {
     ByteTestModule* m = (ByteTestModule*)p;
     return new ByteTestOption(m->data);
index 2594ae9879fa1f476e23e11cbd9b69345e7ead35..b582f46db1540f8d94e6e232ee4f139cbbca07c0 100644 (file)
@@ -21,7 +21,8 @@
 #include "config.h"
 #endif
 
-#include "detection/treenodes.h"
+#include <string>
+
 #include "framework/decode_data.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
@@ -56,21 +57,14 @@ public:
     { return DETECT; }
 
 public:
-    const ClassType* type = nullptr;
+    std::string classtype;
 };
 
-bool ClassTypeModule::set(const char*, Value& v, SnortConfig* sc)
+bool ClassTypeModule::set(const char*, Value& v, SnortConfig*)
 {
     assert(v.is("~"));
-    type = get_classification(sc, v.get_string());
-
-    if ( !type and sc->dump_rule_info() )
-    {
-        const char* s = v.get_string();
-        add_classification(sc, s, s, 1);
-        type = get_classification(sc, s);
-    }
-    return type != nullptr;
+    classtype = v.get_string();
+    return true;
 }
 
 //-------------------------------------------------------------------------
@@ -87,16 +81,10 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* classtype_ctor(Module* p, OptTreeNode* otn)
+static IpsOption* classtype_ctor(Module* p, IpsInfo& info)
 {
     ClassTypeModule* m = (ClassTypeModule*)p;
-    otn->sigInfo.class_type = m->type;
-
-    if ( m->type )
-    {
-        otn->sigInfo.class_id = m->type->id;
-        otn->sigInfo.priority = m->type->priority;
-    }
+    IpsOption::set_classtype(info, m->classtype.c_str());
     return nullptr;
 }
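Review bot: `classtype_ctor` hands `IpsOption::set_classtype()` a pointer from `m->classtype.c_str()`, which points into a string owned by the module instance; the same pattern appears in `msg_ctor` in the ips_msg.cc hunk (`m->msg.c_str()`). The previous code assigned `m->type` / `m->msg` into `otn->sigInfo` by value, so if the new setters store the pointer rather than copying, it dangles as soon as the module is reused and `set()` overwrites the string for the next rule. The setter bodies are not visible here, so this is to confirm; a one-line comment at the call, `// set_classtype() copies the string; the module's buffer is reused per rule`, would pin the contract.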
 
@@ -125,5 +113,13 @@ static const IpsApi classtype_api =
     nullptr
 };
 
-const BaseApi* ips_classtype = &classtype_api.base;
+#ifdef BUILDING_SO
+SO_PUBLIC const BaseApi* snort_plugins[] =
+#else
+const BaseApi* ips_classtype[] =
+#endif
+{
+    &classtype_api.base,
+    nullptr
+};
 
index a81da92680b407de52a35715aa044f8312ba2f20..e394bb10df3e53c0f5562ddfed6a13209c32f835 100644 (file)
@@ -22,8 +22,8 @@
 #include "config.h"
 #endif
 
+#include "detection/extract.h"
 #include "detection/pattern_match_data.h"
-#include "detection/treenodes.h"
 #include "framework/cursor.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
@@ -34,9 +34,6 @@
 #include "parser/parse_utils.h"
 #include "profiler/profiler.h"
 #include "utils/util.h"
-#include "utils/stats.h"
-
-#include "extract.h"
 
 using namespace snort;
 
@@ -147,7 +144,7 @@ public:
     bool is_relative() override
     { return config->pmd.is_relative(); }
 
-    bool retry(Cursor&, const Cursor&) override;
+    bool retry(Cursor&) override;
 
     ContentData* get_data()
     { return config; }
@@ -180,7 +177,7 @@ static inline bool retry(const PatternMatchData& pmd, const Cursor& c)
     return c.get_delta() + pmd.pattern_size <= pmd.depth;
 }
 
-bool ContentOption::retry(Cursor& c, const Cursor&)
+bool ContentOption::retry(Cursor& c)
 {
     return ::retry(config->pmd, c);
 }
@@ -794,7 +791,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* content_ctor(Module* p, OptTreeNode*)
+static IpsOption* content_ctor(Module* p, IpsInfo&)
 {
     ContentModule* m = (ContentModule*)p;
     ContentData* cd = m->get_data();
@@ -831,15 +828,13 @@ static const IpsApi content_api =
     nullptr
 };
 
-// FIXIT-L need boyer_moore.cc funcs but they
-// aren't otherwise called
-//#ifdef BUILDING_SO
-//SO_PUBLIC const BaseApi* snort_plugins[] =
-//{
-//    &content_api.base,
-//    nullptr
-//};
-//#else
-const BaseApi* ips_content = &content_api.base;
-//#endif
+#ifdef BUILDING_SO
+SO_PUBLIC const BaseApi* snort_plugins[] =
+#else
+const BaseApi* ips_content[] =
+#endif
+{
+    &content_api.base,
+    nullptr
+};
 
index 65a7aa6e45ac9f67c52d4204af12958725386a4a..367a6d4a0dafe5f072149f722ebb9ba4995c6fa0 100644 (file)
@@ -409,7 +409,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* cvs_ctor(Module* p, OptTreeNode*)
+static IpsOption* cvs_ctor(Module* p, IpsInfo&)
 {
     CvsModule* m = (CvsModule*)p;
     return new CvsOption(m->data);
@@ -465,9 +465,7 @@ const BaseApi* ips_cvs[] =
 class StubIpsOption : public IpsOption
 {
 public:
-    StubIpsOption(const char* name, option_type_t option_type) :
-        IpsOption(name, option_type)
-    {}
+    StubIpsOption(const char* name) : IpsOption(name) { }
 };
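Review bot: The rewritten `StubIpsOption` constructor takes a single `const char*` and is not `explicit`, so a string literal now converts implicitly to a StubIpsOption wherever one is expected; the two-argument original could not. Even in test code the usual guard is `explicit StubIpsOption(const char* name) : IpsOption(name) { }`.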
 
 TEST_CASE("CvsOption test", "[ips_cvs]")
@@ -479,8 +477,7 @@ TEST_CASE("CvsOption test", "[ips_cvs]")
 
         SECTION("not equal as IpsOptions")
         {
-            StubIpsOption opt_other("not_cvs",
-                option_type_t::RULE_OPTION_TYPE_OTHER);
+            StubIpsOption opt_other("not_cvs");
             REQUIRE_FALSE(cvs_opt == opt_other);
         }
 
index 9576025d21c2176baaa55260e7fcc42e2f7d4e73..edd18c8d74c69a2333a8e1c7798f4f7ff864f2e2 100644 (file)
@@ -1,7 +1,5 @@
 //--------------------------------------------------------------------------
 // Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2002-2013 Sourcefire, Inc.
-// Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
 //
 // This program is free software; you can redistribute it and/or modify it
 // under the terms of the GNU General Public License Version 2 as published
@@ -24,7 +22,6 @@
 #include "config.h"
 #endif
 
-#include "detection/treenodes.h"
 #include "filters/detection_filter.h"
 #include "filters/sfthd.h"
 #include "framework/decode_data.h"
@@ -62,7 +59,6 @@ class DetectionFilterModule : public Module
 public:
     DetectionFilterModule() : Module(s_name, s_help, s_params) { }
     bool set(const char*, Value&, SnortConfig*) override;
-    bool begin(const char*, int, SnortConfig*) override;
 
     ProfileStats* get_profile() const override
     { return &detectionFilterPerfStats; }
@@ -71,28 +67,20 @@ public:
     { return DETECT; }
 
 public:
-    THDX_STRUCT thdx = {};
-    DetectionFilterConfig* dfc = nullptr;
+    bool trk_src = false;
+    uint32_t count = 0, seconds = 0;
 };
 
-bool DetectionFilterModule::begin(const char*, int, SnortConfig* sc)
-{
-    memset(&thdx, 0, sizeof(thdx));
-    thdx.type = THD_TYPE_DETECT;
-    dfc = sc->detection_filter_config;
-    return true;
-}
-
 bool DetectionFilterModule::set(const char*, Value& v, SnortConfig*)
 {
     if ( v.is("track") )
-        thdx.tracking = v.get_uint8() ? THD_TRK_DST : THD_TRK_SRC;
+        trk_src = v.get_uint8() == 0;
 
     else if ( v.is("count") )
-        thdx.count = v.get_uint32();
+        count = v.get_uint32();
 
     else if ( v.is("seconds") )
-        thdx.seconds = v.get_uint32();
+        seconds = v.get_uint32();
 
     return true;
 }
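Review bot: With `DetectionFilterModule::begin()` removed (its declaration goes in the earlier hunk of this file), `trk_src`, `count` and `seconds` are assigned only when the matching key is parsed and are never reset between rules. The removed begin() cleared the whole `thdx` struct on every invocation; if the module instance is reused across rules and any of the three keys is optional in `s_params` (not visible here), values from a previous rule's `detection_filter` carry into the next one, and `detection_filter_ctor` below forwards them unchanged. Restoring a begin() that resets the three members, together with its `override` declaration in the class, closes the gap.
```cpp
// … unchanged: class body …
    bool begin(const char*, int, SnortConfig*) override;
// … unchanged: set() …

bool DetectionFilterModule::begin(const char*, int, SnortConfig*)
{
    trk_src = false;
    count = seconds = 0;
    return true;
}
```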
@@ -111,10 +99,10 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* detection_filter_ctor(Module* p, OptTreeNode* otn)
+static IpsOption* detection_filter_ctor(Module* p, IpsInfo& info)
 {
     DetectionFilterModule* m = (DetectionFilterModule*)p;
-    otn->detection_filter = detection_filter_create(m->dfc, &m->thdx);
+    IpsOption::set_detection_filter(info, m->trk_src, m->count, m->seconds);
     return nullptr;
 }
 
@@ -143,5 +131,9 @@ static const IpsApi detection_filter_api =
     nullptr
 };
 
-const BaseApi* ips_detection_filter = &detection_filter_api.base;
+const BaseApi* ips_detection_filter[] =
+{
+    &detection_filter_api.base,
+    nullptr
+};
 
index 532b7a501304260c7348ecad8ce928749b7aff5d..813d84f41694dcb7a816435d6a057dbe27f338f7 100644 (file)
@@ -152,7 +152,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* dsize_ctor(Module* p, OptTreeNode*)
+static IpsOption* dsize_ctor(Module* p, IpsInfo&)
 {
     DsizeModule* m = (DsizeModule*)p;
     return new DsizeOption(m->data);
index f310a96a7dc34b8fff0ead46610f5d02b384b87f..68d4256ea88db4a0390e69e04990d707611b62e7 100644 (file)
@@ -21,8 +21,6 @@
 #include "config.h"
 #endif
 
-#include "detection/treenodes.h"
-#include "detection/rules.h"
 #include "framework/decode_data.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
@@ -58,22 +56,19 @@ public:
     { return DETECT; }
 
 public:
-    IpsPolicy::Enable enable = IpsPolicy::Enable::ENABLED;
+    IpsOption::Enable enable = IpsOption::NO;
 };
 
-bool EnableModule::begin(const char*, int, SnortConfig* sc)
+bool EnableModule::begin(const char*, int, SnortConfig*)
 {
-    if ( !sc->rule_states )
-        sc->rule_states = new RuleStateMap;
-
-    enable = IpsPolicy::Enable::ENABLED;
+    enable = IpsOption::YES;
     return true;
 }
 
 bool EnableModule::set(const char*, Value& v, SnortConfig*)
 {
     assert(v.is("~enable"));
-    enable = IpsPolicy::Enable(v.get_uint8());
+    enable = IpsOption::Enable(v.get_uint8());
     return true;
 }
 
@@ -91,10 +86,10 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* enable_ctor(Module* p, OptTreeNode* otn)
+static IpsOption* enable_ctor(Module* p, IpsInfo& info)
 {
     EnableModule* m = (EnableModule*)p;
-    otn->set_enabled(m->enable);
+    IpsOption::set_enabled(info, m->enable);
     return nullptr;
 }
 
index 8eb2cb4a617d72da070aa5887aa1eef8852431c6..db591bf19c0c5cecfc03157fd421cbab1ca3d5dc 100644 (file)
@@ -105,7 +105,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* file_data_ctor(Module*, OptTreeNode*)
+static IpsOption* file_data_ctor(Module*, IpsInfo&)
 {
     return new FileDataOption;
 }
index b23e52371e2612f1bc16252b6478bba787793f82..3b57698b0367f11110f63555a9e9e0320c3dbd69 100644 (file)
 #include "config.h"
 #endif
 
-#include <unordered_map>
-
-#include "detection/detection_engine.h"
-#include "detection/treenodes.h"
 #include "file_api/file_flows.h"
-#include "framework/cursor.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
-#include "main/thread_config.h"
-#include "profiler/profiler.h"
-#include "protocols/packet.h"
 
 using namespace snort;
 
@@ -127,7 +119,7 @@ bool FileMetaModule::set(const char*, Value& v, SnortConfig*)
 
 bool FileMetaModule::end(const char*, int, SnortConfig* sc)
 {
-    set_rule_id_from_type(sc, fmc.file_id, fmc.file_type,fmc.category, fmc.version, fmc.groups);
+    set_rule_id_from_type(sc, fmc.file_id, fmc.file_type, fmc.category, fmc.version, fmc.groups);
     return true;
 }
 
@@ -145,10 +137,10 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* file_meta_ctor(Module* p, OptTreeNode* otn)
+static IpsOption* file_meta_ctor(Module* p, IpsInfo& info)
 {
     FileMetaModule* m = (FileMetaModule*)p;
-    otn->sigInfo.file_id = m->fmc.file_id;
+    IpsOption::set_file_id(info, m->fmc.file_id);
     return nullptr;
 }
 
@@ -178,5 +170,13 @@ static const IpsApi file_meta_api =
     nullptr
 };
 
-const BaseApi* ips_file_meta = &file_meta_api.base;
+#ifdef BUILDING_SO
+SO_PUBLIC const BaseApi* snort_plugins[] =
+#else
+const BaseApi* ips_file_meta[] =
+#endif
+{
+    &file_meta_api.base,
+    nullptr
+};
 
index ad6edd00551e06ee2623cf158f9213930deb85d7..f63521b328a8771d00a31e89a0a971e0d7e4da24 100644 (file)
@@ -237,7 +237,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* file_type_ctor(Module* m, OptTreeNode*)
+static IpsOption* file_type_ctor(Module* m, IpsInfo&)
 {
     FileTypeModule* mod = (FileTypeModule*)m;
     return new FileTypeOption(mod->types);
index 37c891ca2c00c42439ee030931953a1cbb61bb95..4b75f26991a612f0ecce78dd36142c6a9ab585a3 100644 (file)
@@ -387,7 +387,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* flags_ctor(Module* p, OptTreeNode*)
+static IpsOption* flags_ctor(Module* p, IpsInfo&)
 {
     FlagsModule* m = (FlagsModule*)p;
     return new TcpFlagOption(m->data);
index 7cdc5c49f174701b16d44fefb3dca6bc90a20e42..15986db8e7a5ce099f5628af087c42a820134e45 100644 (file)
@@ -22,7 +22,6 @@
 #include "config.h"
 #endif
 
-#include "detection/treenodes.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
 #include "hash/hash_key_operations.h"
@@ -376,20 +375,20 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* flow_ctor(Module* p, OptTreeNode* otn)
+static IpsOption* flow_ctor(Module* p, IpsInfo& info)
 {
     FlowModule* m = (FlowModule*)p;
 
     if ( m->data.stateless )
-        otn->set_stateless();
+        IpsOption::set_stateless(info);
 
     if ( m->data.from_server )
-        otn->set_to_client();
+        IpsOption::set_to_client(info);
 
     else if ( m->data.from_client )
-        otn->set_to_server();
+        IpsOption::set_to_server(info);
 
-    if (otn->snort_protocol_id == SNORT_PROTO_ICMP)
+    if (IpsOption::get_protocol_id(info) == SNORT_PROTO_ICMP)
     {
         if ( (m->data.only_reassembled != ONLY_FRAG) &&
             (m->data.ignore_reassembled != IGNORE_FRAG) )
@@ -431,5 +430,13 @@ static const IpsApi flow_api =
     nullptr
 };
 
-const BaseApi* ips_flow = &flow_api.base;
+#ifdef BUILDING_SO
+SO_PUBLIC const BaseApi* snort_plugins[] =
+#else
+const BaseApi* ips_flow[] =
+#endif
+{
+    &flow_api.base,
+    nullptr
+};
 
index 51efe5b0cabf168947c7cb84334684baa14866dd..c38bb3963e625d779ee54b9431c6bfc34068f807 100644 (file)
@@ -26,7 +26,6 @@
 
 #include <unordered_map>
 
-#include "detection/treenodes.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
 #include "hash/hash_defs.h"
@@ -35,8 +34,6 @@
 #include "log/messages.h"
 #include "protocols/packet.h"
 #include "profiler/profiler.h"
-#include "utils/sflsq.h"
-#include "utils/util.h"
 
 using namespace snort;
 
@@ -509,14 +506,14 @@ static void mod_dtor(Module* m)
     delete fb;
 }
 
-static IpsOption* flowbits_ctor(Module* p, OptTreeNode* otn)
+static IpsOption* flowbits_ctor(Module* p, IpsInfo& info)
 {
     FlowbitsModule* m = (FlowbitsModule*)p;
     FlowBitCheck* fbc = m->get_data();
     FlowBitsOption* opt = new FlowBitsOption(fbc);
 
     if ( opt->is_checker() )
-        otn->set_flowbits_check();
+        IpsOption::set_flowbits_check(info);
 
     return opt;
 }
@@ -551,5 +548,9 @@ static const IpsApi flowbits_api =
     nullptr
 };
 
-const BaseApi* ips_flowbits = &flowbits_api.base;
+const BaseApi* ips_flowbits[] =
+{
+    &flowbits_api.base,
+    nullptr
+};
 
index 7b82e652d6cb9d1040989dae60a77d9687fa3f58..0679e05b091d6004eb1a20dcf43bac7b6fa51919 100644 (file)
@@ -400,7 +400,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* fragbits_ctor(Module* p, OptTreeNode*)
+static IpsOption* fragbits_ctor(Module* p, IpsInfo&)
 {
     FragBitsModule* fragBitsModule = (FragBitsModule*)p;
     return new FragBitsOption( fragBitsModule->get_fragBits_data() );
index 7ec3ec906362e1303277e7f1ae88269e3c8310bc..3ba31fd6c719f97bbc3629d23f202944d804542a 100644 (file)
@@ -149,7 +149,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* fragoffset_ctor(Module* p, OptTreeNode*)
+static IpsOption* fragoffset_ctor(Module* p, IpsInfo&)
 {
     FragOffsetModule* m = (FragOffsetModule*)p;
     return new FragOffsetOption(m->data);
index c4ba1211a28b65a8c6ee38ace2877f4c0d389e2a..b96f2369aa6a9ad4a9d6d61278f70df061c95f0b 100644 (file)
@@ -21,7 +21,6 @@
 #include "config.h"
 #endif
 
-#include "detection/treenodes.h"
 #include "framework/decode_data.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
@@ -79,10 +78,10 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* gid_ctor(Module* p, OptTreeNode* otn)
+static IpsOption* gid_ctor(Module* p, IpsInfo& info)
 {
     GidModule* m = (GidModule*)p;
-    otn->sigInfo.gid = m->gid;
+    IpsOption::set_gid(info, m->gid);
     return nullptr;
 }
 
index a58835b4eef27b262299ad5a2c6b112f5e751194..a796be33eb3df22c3558aef63b43506c1359a20f 100644 (file)
@@ -23,6 +23,7 @@
 #include <array>
 #include <cassert>
 
+#include "detection/extract.h"
 #include "framework/cursor.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
@@ -32,8 +33,6 @@
 #include "parser/parse_utils.h"
 #include "profiler/profiler.h"
 
-#include "extract.h"
-
 using namespace snort;
 
 enum HashPsIdx
@@ -366,7 +365,7 @@ static Module* md5_mod_ctor()
     return new HashModule(IPS_OPT, HPI_MD5);
 }
 
-static IpsOption* md5_opt_ctor(Module* p, OptTreeNode*)
+static IpsOption* md5_opt_ctor(Module* p, IpsInfo&)
 {
     HashModule* m = (HashModule*)p;
     HashMatchData* hmd = m->get_data();
@@ -410,7 +409,7 @@ static Module* sha256_mod_ctor()
     return new HashModule(IPS_OPT, HPI_SHA256);
 }
 
-static IpsOption* sha256_opt_ctor(Module* p, OptTreeNode*)
+static IpsOption* sha256_opt_ctor(Module* p, IpsInfo&)
 {
     HashModule* m = (HashModule*)p;
     HashMatchData* hmd = m->get_data();
@@ -454,7 +453,7 @@ static Module* sha512_mod_ctor()
     return new HashModule(IPS_OPT, HPI_SHA512);
 }
 
-static IpsOption* sha512_opt_ctor(Module* p, OptTreeNode*)
+static IpsOption* sha512_opt_ctor(Module* p, IpsInfo&)
 {
     HashModule* m = (HashModule*)p;
     HashMatchData* hmd = m->get_data();
@@ -490,20 +489,17 @@ static const IpsApi sha512_api =
 // plugins
 //-------------------------------------------------------------------------
 
-// can't be linked dynamically yet
-//#ifdef BUILDING_SO
-//SO_PUBLIC const BaseApi* snort_plugins[] =
-//{
-//    &md5_api.base,
-//    &sha256_api.base,
-//    &sha512_api.base,
-//    nullptr
-//};
-//#else
-const BaseApi* ips_md5 = &md5_api.base;
-const BaseApi* ips_sha256 = &sha256_api.base;
-const BaseApi* ips_sha512 = &sha512_api.base;
-//#endif
+#ifdef BUILDING_SO
+SO_PUBLIC const BaseApi* snort_plugins[] =
+#else
+const BaseApi* ips_hash[] =
+#endif
+{
+    &md5_api.base,
+    &sha256_api.base,
+    &sha512_api.base,
+    nullptr
+};
 
 //-------------------------------------------------------------------------
 // UNIT TESTS
index 7a7b159d77f873781b57dc1f775aadc3a50d5d48..7608e562d083a1988f5fa56daae69a7bd97d4aa4 100644 (file)
@@ -178,7 +178,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* icmp_id_ctor(Module* p, OptTreeNode*)
+static IpsOption* icmp_id_ctor(Module* p, IpsInfo&)
 {
     IcmpIdModule* m = (IcmpIdModule*)p;
     return new IcmpIdOption(m->data);
index 53ac6a5b48928712214eb23222a2507e9bcdb3de..d9b3b78e27cee7220ccfaaa395f08c09bdbb8203 100644 (file)
@@ -179,7 +179,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* icmp_seq_ctor(Module* p, OptTreeNode*)
+static IpsOption* icmp_seq_ctor(Module* p, IpsInfo&)
 {
     IcmpSeqModule* m = (IcmpSeqModule*)p;
     return new IcmpSeqOption(m->data);
index 597a1601e62349615abc556eddb7d15ab56030ea..c770bd9329bbcbbd7d11ec364544e2c3f3da9e72 100644 (file)
@@ -150,7 +150,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* icode_ctor(Module* p, OptTreeNode*)
+static IpsOption* icode_ctor(Module* p, IpsInfo&)
 {
     IcodeModule* m = (IcodeModule*)p;
     return new IcodeOption(m->data);
index 33bcb60a19f945e424c20a79fe6d15881ac189eb..d04fa4f91f9a9a4415361c942da0601accb38720 100644 (file)
@@ -152,7 +152,7 @@ static void mod_dtor(Module* m)
 // api methods
 //-------------------------------------------------------------------------
 
-static IpsOption* id_ctor(Module* p, OptTreeNode*)
+static IpsOption* id_ctor(Module* p, IpsInfo&)
 {
     IpIdModule* m = (IpIdModule*)p;
     return new IpIdOption(m->data);
index d4a9c373fed9afab585e5c00870eeb45ee91a17b..21cd2f0fe78708a59cd4321c977de4be301409e8 100644 (file)
@@ -259,7 +259,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* ip_proto_ctor(Module* p, OptTreeNode*)
+static IpsOption* ip_proto_ctor(Module* p, IpsInfo&)
 {
     IpProtoModule* m = (IpProtoModule*)p;
     return new IpProtoOption(m->data);
index 109d1536fe85399ed049e6d9ac35f908915f8733..24e72bbeedce9eba4d4187cf564a4e4f60c6d268 100644 (file)
@@ -236,7 +236,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* ipopts_ctor(Module* p, OptTreeNode*)
+static IpsOption* ipopts_ctor(Module* p, IpsInfo&)
 {
     IpOptModule* m = (IpOptModule*)p;
     return new IpOptOption(m->data);
index 07685ae70fe45b6e3d46dd09226fe318f83a0134..91846bc772002f3c0825ce0ee80ac344e04dfcc2 100644 (file)
@@ -39,6 +39,7 @@
 
 #include <cstdlib>
 
+#include "detection/extract.h"
 #include "framework/cursor.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
@@ -47,8 +48,6 @@
 #include "profiler/profiler.h"
 #include "utils/snort_bounds.h"
 
-#include "extract.h"
-
 using namespace snort;
 
 #define s_name "isdataat"
@@ -280,7 +279,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* isdataat_ctor(Module* p, OptTreeNode*)
+static IpsOption* isdataat_ctor(Module* p, IpsInfo&)
 {
     IsDataAtModule* m = (IsDataAtModule*)p;
     return new IsDataAtOption(m->data);
index 62326085700ca9b3ac79390845962a6e206e3909..42f76274ad7f9d2b482ac1667e64793118366309 100644 (file)
@@ -150,7 +150,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* itype_ctor(Module* p, OptTreeNode*)
+static IpsOption* itype_ctor(Module* p, IpsInfo&)
 {
     ItypeModule* m = (ItypeModule*)p;
     return new IcmpTypeOption(m->data);
index bf3d48d67d7053a39fd3738ce349293547b0b8b9..d27bce9dd12d117902f5cfe099c598e7f6304c9a 100644 (file)
@@ -87,7 +87,7 @@ static Module* mod_ctor()
 static void mod_dtor(Module* m)
 { delete m; }
 
-static IpsOption* js_data_ctor(Module*, OptTreeNode*)
+static IpsOption* js_data_ctor(Module*, IpsInfo&)
 { return new JSDataOption; }
 
 static void js_data_dtor(IpsOption* opt)
index 654c355a8da5a337fc82c5cc31d5d16ba475776b..49afe0bf7e2dbc547e704cb3a4245c6b0881d3be 100644 (file)
@@ -25,7 +25,6 @@
 #include "framework/decode_data.h"
 #include "framework/module.h"
 #include "hash/hash_key_operations.h"
-#include "helpers/chunk.h"
 #include "lua/lua.h"
 #include "log/messages.h"
 #include "main/thread_config.h"
@@ -34,6 +33,7 @@
 #include "managers/plugin_manager.h"
 #include "managers/script_manager.h"
 #include "profiler/profiler.h"
+#include "utils/chunk.h"
 #include "utils/util.h"
 
 using namespace snort;
@@ -211,7 +211,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* opt_ctor(Module* m, struct OptTreeNode*)
+static IpsOption* opt_ctor(Module* m, struct IpsInfo&)
 {
     const char* key = IpsManager::get_option_keyword();
     std::string* chunk = ScriptManager::get_chunk(key);
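Review bot: The new signature at the top of this hunk spells the parameter as `struct IpsInfo&`, while every other option constructor in this commit (ack_ctor, content_ctor, flow_ctor, ...) uses plain `IpsInfo&`; the elaborated type specifier reads as a leftover from the previous `struct OptTreeNode*`. If the declaring header is included in this file, `static IpsOption* opt_ctor(Module* m, IpsInfo&)` keeps the files consistent; if it is not and the `struct` keyword is doing duty as an implicit forward declaration, a comment saying so would stop the next reader from "fixing" it. The body of opt_ctor continues past the end of this hunk.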
index 47b7eeec7dc27a3b494537ee6fd7234937ccf048..5868e579b6653bece54b36ea6c5a71ef650fbad2 100644 (file)
@@ -21,7 +21,6 @@
 #include "config.h"
 #endif
 
-#include "detection/treenodes.h"
 #include "framework/decode_data.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
@@ -91,11 +90,13 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* metadata_ctor(Module* p, OptTreeNode* otn)
+static IpsOption* metadata_ctor(Module* p, IpsInfo& info)
 {
     MetadataModule* m = (MetadataModule*)p;
+
     if ( m->match )
-        otn->set_metadata_match();
+        IpsOption::set_metadata_match(info);
+
     return nullptr;
 }
 
@@ -124,5 +125,13 @@ static const IpsApi metadata_api =
     nullptr
 };
 
-const BaseApi* ips_metadata = &metadata_api.base;
+#ifdef BUILDING_SO
+SO_PUBLIC const BaseApi* snort_plugins[] =
+#else
+const BaseApi* ips_metadata[] =
+#endif
+{
+    &metadata_api.base,
+    nullptr
+};
 
index 4b2b850dddc6d8e41a864045b320164b3adc04fe..a49eccc3ea2115a1decb243667891b6b710d7eea 100644 (file)
@@ -21,7 +21,6 @@
 #include "config.h"
 #endif
 
-#include "detection/treenodes.h"
 #include "framework/decode_data.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
@@ -80,10 +79,10 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* msg_ctor(Module* p, OptTreeNode* otn)
+static IpsOption* msg_ctor(Module* p, IpsInfo& info)
 {
     MsgModule* m = (MsgModule*)p;
-    otn->sigInfo.message = m->msg;
+    IpsOption::set_message(info, m->msg.c_str());
     return nullptr;
 }
 
index e6cdd3713e34027886fbe6fad06ac2bcad731a96..9181aea05c9c24c828c1bf67f79931e81f4de8f3 100644 (file)
 
 using namespace snort;
 
-extern const BaseApi* ips_classtype;
-extern const BaseApi* ips_content;
-extern const BaseApi* ips_detection_filter;
-extern const BaseApi* ips_dsize;
-extern const BaseApi* ips_file_data;
-extern const BaseApi* ips_file_meta;
-extern const BaseApi* ips_flow;
-extern const BaseApi* ips_flowbits;
-extern const BaseApi* ips_js_data;
-extern const BaseApi* ips_md5;
-extern const BaseApi* ips_metadata;
-extern const BaseApi* ips_pkt_data;
-extern const BaseApi* ips_reference;
-extern const BaseApi* ips_replace;
-extern const BaseApi* ips_service;
-extern const BaseApi* ips_sha256;
-extern const BaseApi* ips_sha512;
-extern const BaseApi* ips_so;
-extern const BaseApi* ips_vba_data;
+// these have various dependencies:
+extern const BaseApi* ips_detection_filter[]; // perf stats 
+extern const BaseApi* ips_flowbits[];         // public methods like flowbits_setter
+extern const BaseApi* ips_replace[];          // needs snort::SFDAQ::can_replace
+extern const BaseApi* ips_so[];               // needs SO manager
+extern const BaseApi* ips_vba_data[];         // FIXIT-L some trace dependency
 
 #ifdef STATIC_IPS_OPTIONS
 extern const BaseApi* ips_ack[];
 extern const BaseApi* ips_base64[];
 extern const BaseApi* ips_ber_data[];
 extern const BaseApi* ips_ber_skip[];
+extern const BaseApi* ips_bufferlen[];
 extern const BaseApi* ips_byte_extract[];
 extern const BaseApi* ips_byte_jump[];
 extern const BaseApi* ips_byte_math[];
 extern const BaseApi* ips_byte_test[];
+extern const BaseApi* ips_classtype[];
+extern const BaseApi* ips_content[];
 extern const BaseApi* ips_cvs[];
+extern const BaseApi* ips_dsize[];
 extern const BaseApi* ips_enable[];
+extern const BaseApi* ips_file_data[];
+extern const BaseApi* ips_file_meta[];
 extern const BaseApi* ips_file_type[];
 extern const BaseApi* ips_flags[];
+extern const BaseApi* ips_flow[];
 extern const BaseApi* ips_fragbits[];
 extern const BaseApi* ips_fragoffset[];
 extern const BaseApi* ips_gid[];
+extern const BaseApi* ips_hash[];
 extern const BaseApi* ips_icmp_id[];
 extern const BaseApi* ips_icmp_seq[];
 extern const BaseApi* ips_icode[];
@@ -71,72 +66,65 @@ extern const BaseApi* ips_ipopts[];
 extern const BaseApi* ips_ip_proto[];
 extern const BaseApi* ips_isdataat[];
 extern const BaseApi* ips_itype[];
+extern const BaseApi* ips_js_data[];
+extern const BaseApi* ips_metadata[];
 extern const BaseApi* ips_msg[];
 extern const BaseApi* ips_pcre[];
+extern const BaseApi* ips_pkt_data[];
 extern const BaseApi* ips_priority[];
 extern const BaseApi* ips_raw_data[];
+extern const BaseApi* ips_reference[];
 extern const BaseApi* ips_rem[];
 extern const BaseApi* ips_rev[];
 extern const BaseApi* ips_rpc[];
 extern const BaseApi* ips_seq[];
+extern const BaseApi* ips_service[];
 extern const BaseApi* ips_sid[];
 extern const BaseApi* ips_soid[];
 extern const BaseApi* ips_target[];
 extern const BaseApi* ips_tag[];
 extern const BaseApi* ips_tos[];
 extern const BaseApi* ips_ttl[];
-extern const BaseApi* ips_bufferlen[];
 extern const BaseApi* ips_window[];
+
 #ifdef HAVE_HYPERSCAN
 extern const BaseApi* ips_regex[];
 extern const BaseApi* ips_sd_pattern[];
 #endif
 #endif
 
-static const BaseApi* ips_options[] =
-{
-    ips_classtype,
-    ips_content,
-    ips_detection_filter,
-    ips_dsize,
-    ips_file_data,
-    ips_file_meta,
-    ips_flow,
-    ips_flowbits,
-    ips_js_data,
-    ips_md5,
-    ips_metadata,
-    ips_pkt_data,
-    ips_reference,
-    ips_replace,
-    ips_service,
-    ips_sha256,
-    ips_sha512,
-    ips_so,
-    ips_vba_data,
-    nullptr
-};
-
 void load_ips_options()
 {
-    PluginManager::load_plugins(ips_options);
+    PluginManager::load_plugins(ips_detection_filter);
+    PluginManager::load_plugins(ips_flowbits);
+    PluginManager::load_plugins(ips_replace);
+    PluginManager::load_plugins(ips_so);
+    PluginManager::load_plugins(ips_vba_data);
 
 #ifdef STATIC_IPS_OPTIONS
+    PluginManager::load_plugins(ips_content);
     PluginManager::load_plugins(ips_ack);
     PluginManager::load_plugins(ips_base64);
     PluginManager::load_plugins(ips_ber_data);
     PluginManager::load_plugins(ips_ber_skip);
+    PluginManager::load_plugins(ips_bufferlen);
     PluginManager::load_plugins(ips_byte_extract);
     PluginManager::load_plugins(ips_byte_jump);
     PluginManager::load_plugins(ips_byte_math);
     PluginManager::load_plugins(ips_byte_test);
+    PluginManager::load_plugins(ips_classtype);
     PluginManager::load_plugins(ips_cvs);
+    PluginManager::load_plugins(ips_dsize);
     PluginManager::load_plugins(ips_enable);
+    PluginManager::load_plugins(ips_file_data);
+    PluginManager::load_plugins(ips_file_meta);
     PluginManager::load_plugins(ips_file_type);
     PluginManager::load_plugins(ips_flags);
+    PluginManager::load_plugins(ips_flow);
     PluginManager::load_plugins(ips_fragbits);
     PluginManager::load_plugins(ips_fragoffset);
     PluginManager::load_plugins(ips_gid);
+    PluginManager::load_plugins(ips_hash);
     PluginManager::load_plugins(ips_icmp_id);
     PluginManager::load_plugins(ips_icmp_seq);
     PluginManager::load_plugins(ips_icode);
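Review bot: `PluginManager::load_plugins(ips_content);` at the head of the STATIC_IPS_OPTIONS group breaks the alphabetical order the rest of the list keeps, and unlike the five unconditional entries above it carries no comment saying why it must come first. Presumably some later option resolves the content api through the manager at load time, but that is not visible here, and the next tidy-up will re-sort it unless the reason is written down: `PluginManager::load_plugins(ips_content); // must precede options that look up the content api at load`. The enclosing function load_ips_options continues past this hunk.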
@@ -145,21 +133,25 @@ void load_ips_options()
     PluginManager::load_plugins(ips_ip_proto);
     PluginManager::load_plugins(ips_isdataat);
     PluginManager::load_plugins(ips_itype);
+    PluginManager::load_plugins(ips_js_data);
+    PluginManager::load_plugins(ips_metadata);
     PluginManager::load_plugins(ips_msg);
     PluginManager::load_plugins(ips_pcre);
+    PluginManager::load_plugins(ips_pkt_data);
     PluginManager::load_plugins(ips_priority);
     PluginManager::load_plugins(ips_raw_data);
+    PluginManager::load_plugins(ips_reference);
     PluginManager::load_plugins(ips_rem);
     PluginManager::load_plugins(ips_rev);
     PluginManager::load_plugins(ips_rpc);
     PluginManager::load_plugins(ips_seq);
+    PluginManager::load_plugins(ips_service);
     PluginManager::load_plugins(ips_sid);
     PluginManager::load_plugins(ips_soid);
     PluginManager::load_plugins(ips_target);
     PluginManager::load_plugins(ips_tag);
     PluginManager::load_plugins(ips_tos);
     PluginManager::load_plugins(ips_ttl);
-    PluginManager::load_plugins(ips_bufferlen);
     PluginManager::load_plugins(ips_window);
 #ifdef HAVE_HYPERSCAN
     PluginManager::load_plugins(ips_regex);
index 56c063706521ccc3eeec53f1a8ac12767ded952a..731fef9ed2db7f55cafd4db653ac358c68a8b924 100644 (file)
@@ -32,6 +32,7 @@
 #include "framework/ips_option.h"
 #include "framework/module.h"
 #include "framework/parameter.h"
+#include "framework/pig_pen.h"
 #include "hash/hash_key_operations.h"
 #include "helpers/scratch_allocator.h"
 #include "log/messages.h"
@@ -39,6 +40,7 @@
 #include "managers/ips_manager.h"
 #include "managers/module_manager.h"
 #include "profiler/profiler.h"
+#include "utils/stats.h"
 #include "utils/util.h"
 
 using namespace snort;
@@ -88,6 +90,40 @@ static ScratchAllocator* scratcher = nullptr;
 
 static THREAD_LOCAL ProfileStats pcrePerfStats;
 
+//-------------------------------------------------------------------------
+// stats foo
+//-------------------------------------------------------------------------
+
+struct PcreStats
+{
+    PegCount pcre_rules;
+#ifdef HAVE_HYPERSCAN
+    PegCount pcre_to_hyper;
+#endif
+    PegCount pcre_native;
+    PegCount pcre_negated;
+    PegCount pcre_match_limit;
+    PegCount pcre_recursion_limit;
+    PegCount pcre_error;
+};
+
+const PegInfo pcre_pegs[] =
+{
+    { CountType::SUM, "pcre_rules", "total rules processed with pcre option" },
+#ifdef HAVE_HYPERSCAN
+    { CountType::SUM, "pcre_to_hyper", "total pcre rules by hyperscan engine" },
+#endif
+    { CountType::SUM, "pcre_native", "total pcre rules compiled by pcre engine" },
+    { CountType::SUM, "pcre_negated", "total pcre rules using negation syntax" },
+    { CountType::SUM, "pcre_match_limit", "total number of times pcre hit the match limit" },
+    { CountType::SUM, "pcre_recursion_limit", "total number of times pcre hit the recursion limit" },
+    { CountType::SUM, "pcre_error", "total number of times pcre returns error" },
+
+    { CountType::END, nullptr, nullptr }
+};
+
+PcreStats pcre_stats;
+
 //-------------------------------------------------------------------------
 // implementation foo
 //-------------------------------------------------------------------------
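Review bot: `PcreStats pcre_stats;` is a plain global, yet the three counters added to it (`pcre_match_limit`, `pcre_recursion_limit`, `pcre_error`) are incremented from pcre_search, which sits on the packet path (see the `PCRE_ERROR_MATCHLIMIT` branch in the later hunk); if that code runs on more than one packet thread, unsynchronized `++` on shared memory is a data race and will lose counts. The four rule-time pegs that were already here are only touched in pcre_ctor, so the problem is confined to the new ones; the previous code kept them in `pc`, which looks like the per-thread packet counter struct. Either declare the runtime counters `THREAD_LOCAL` (and confirm the framework's peg aggregation sums them across threads) or make them `std::atomic<PegCount>` if the PegInfo/get_counts path allows it. Dropping these counts matters because match- and recursion-limit hits are the signal that a pattern is being driven toward catastrophic backtracking.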
@@ -398,17 +434,17 @@ static bool pcre_search(
     }
     else if (result == PCRE_ERROR_MATCHLIMIT)
     {
-        pc.pcre_match_limit++;
+        pcre_stats.pcre_match_limit++;
         matched = false;
     }
     else if (result == PCRE_ERROR_RECURSIONLIMIT)
     {
-        pc.pcre_recursion_limit++;
+        pcre_stats.pcre_recursion_limit++;
         matched = false;
     }
     else
     {
-        pc.pcre_error++;
+        pcre_stats.pcre_error++;
         return false;
     }
 
@@ -444,7 +480,7 @@ public:
     { return (config->options & SNORT_PCRE_RELATIVE) != 0; }
 
     EvalStatus eval(Cursor&, Packet*) override;
-    bool retry(Cursor&, const Cursor&) override;
+    bool retry(Cursor&) override;
 
     PcreData* get_data()
     { return config; }
@@ -595,7 +631,7 @@ IpsOption::EvalStatus PcreOption::eval(Cursor& c, Packet* p)
 // using content, but more advanced pcre won't work for the relative /
 // overlap case.
 
-bool PcreOption::retry(Cursor&, const Cursor&)
+bool PcreOption::retry(Cursor&)
 {
     if ((config->options & (SNORT_PCRE_INVERT | SNORT_PCRE_ANCHORED)))
     {
@@ -616,29 +652,6 @@ static const Parameter s_params[] =
     { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
 
-struct PcreStats
-{
-    PegCount pcre_rules;
-#ifdef HAVE_HYPERSCAN
-    PegCount pcre_to_hyper;
-#endif
-    PegCount pcre_native;
-    PegCount pcre_negated;
-};
-
-const PegInfo pcre_pegs[] =
-{
-    { CountType::SUM, "pcre_rules", "total rules processed with pcre option" },
-#ifdef HAVE_HYPERSCAN
-    { CountType::SUM, "pcre_to_hyper", "total pcre rules by hyperscan engine" },
-#endif
-    { CountType::SUM, "pcre_native", "total pcre rules compiled by pcre engine" },
-    { CountType::SUM, "pcre_negated", "total pcre rules using negation syntax" },
-    { CountType::END, nullptr, nullptr }
-};
-
-PcreStats pcre_stats;
-
 #define s_help \
     "rule option for matching payload data with pcre"
 
@@ -785,7 +798,7 @@ static Module* mod_ctor()
 static void mod_dtor(Module* m)
 { delete m; }
 
-static IpsOption* pcre_ctor(Module* p, OptTreeNode* otn)
+static IpsOption* pcre_ctor(Module* p, IpsInfo& info)
 {
     pcre_stats.pcre_rules++;
     PcreModule* m = (PcreModule*)p;
@@ -796,11 +809,11 @@ static IpsOption* pcre_ctor(Module* p, OptTreeNode* otn)
     {
         pcre_stats.pcre_to_hyper++;
         const IpsApi* opt_api = IpsManager::get_option_api(mod_regex_name);
-        return opt_api->ctor(mod_regex, otn);
+        return opt_api->ctor(mod_regex, info);
     }
     else
 #else
-    UNUSED(otn);
+    UNUSED(info);
 #endif
     {
         pcre_stats.pcre_native++;
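Review bot: `return opt_api->ctor(mod_regex, info);` dereferences the result of `IpsManager::get_option_api(mod_regex_name)` without a null check, so a HAVE_HYPERSCAN build in which the regex option was not registered (it is only loaded unconditionally under STATIC_IPS_OPTIONS, otherwise it must come from a plugin) would crash at rule-parse time on the first pcre rule routed to hyperscan. The lookup line is context rather than new, but the refactor is the moment to fail cleanly: `if ( !opt_api ) { ParseError("pcre: regex option not available for hyperscan offload"); return nullptr; }`. If the manager guarantees registration whenever HAVE_HYPERSCAN is set, an assert documenting that invariant is enough. pcre_ctor's body continues past this hunk.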
index 2efb8c28752822883e1992b9f9a04957fbcc4e1f..74aaf7c21b2f06a156ea276e4f85f7ad7694ab46 100644 (file)
@@ -89,7 +89,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* pkt_data_ctor(Module*, OptTreeNode*)
+static IpsOption* pkt_data_ctor(Module*, IpsInfo&)
 {
     return new PktDataOption;
 }
@@ -124,5 +124,13 @@ static const IpsApi pkt_data_api =
     nullptr
 };
 
-const BaseApi* ips_pkt_data = &pkt_data_api.base;
+#ifdef BUILDING_SO
+SO_PUBLIC const BaseApi* snort_plugins[] =
+#else
+const BaseApi* ips_pkt_data[] =
+#endif
+{
+    &pkt_data_api.base,
+    nullptr
+};
 
index c27ad0b201e7b9842ff43cc788414f56e7c0a327..a1256dd28c6fdeda5479ee5cbaf3cee8fe92a8e1 100644 (file)
@@ -55,7 +55,7 @@ public:
     { return DETECT; }
 
 public:
-    int priority = 0;
+    uint32_t priority = 0;
 };
 
 bool PriorityModule::set(const char*, Value& v, SnortConfig*)
@@ -79,10 +79,10 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* priority_ctor(Module* p, OptTreeNode* otn)
+static IpsOption* priority_ctor(Module* p, IpsInfo& info)
 {
     PriorityModule* m = (PriorityModule*)p;
-    otn->sigInfo.priority = m->priority;
+    IpsOption::set_priority(info, m->priority);
     return nullptr;
 }
 
index 669f3cf66805a4b318c638a84729f65142fa3a4c..e76ebc70c29b153a040ddadfb86e1e7f9e2e6acb 100644 (file)
@@ -86,7 +86,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* raw_data_ctor(Module*, OptTreeNode*)
+static IpsOption* raw_data_ctor(Module*, IpsInfo&)
 {
     return new RawDataOption;
 }
index d25edf83acee2ab2e440bd0076b2c5d2c0619eaf..cad93069f5db0e3e18633b6d043eacc9fbe40fff 100644 (file)
@@ -21,7 +21,6 @@
 #include "config.h"
 #endif
 
-#include "detection/treenodes.h"
 #include "framework/decode_data.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
@@ -59,14 +58,12 @@ public:
 public:
     std::string scheme;
     std::string id;
-    SnortConfig* snort_config = nullptr;
 };
 
-bool ReferenceModule::begin(const char*, int, SnortConfig* sc)
+bool ReferenceModule::begin(const char*, int, SnortConfig*)
 {
     scheme.clear();
     id.clear();
-    snort_config = sc;
     return true;
 }
 
@@ -100,10 +97,10 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* reference_ctor(Module* p, OptTreeNode* otn)
+static IpsOption* reference_ctor(Module* p, IpsInfo& info)
 {
     ReferenceModule* m = (ReferenceModule*)p;
-    add_reference(m->snort_config, otn, m->scheme, m->id);
+    IpsOption::add_reference(info, m->scheme.c_str(), m->id.c_str());
     return nullptr;
 }
 
@@ -132,5 +129,13 @@ static const IpsApi reference_api =
     nullptr
 };
 
-const BaseApi* ips_reference = &reference_api.base;
+#ifdef BUILDING_SO
+SO_PUBLIC const BaseApi* snort_plugins[] =
+#else
+const BaseApi* ips_reference[] =
+#endif
+{
+    &reference_api.base,
+    nullptr
+};
 
index 16236b2e806bebb19c45d3755444fd9594b1c0d9..8221b7ffabdd4bc4147a6e0adabe683770e2e165 100644 (file)
@@ -29,7 +29,6 @@
 #include <cassert>
 
 #include "detection/pattern_match_data.h"
-#include "detection/treenodes.h"
 #include "framework/cursor.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
@@ -87,7 +86,7 @@ public:
     bool is_relative() override
     { return config.pmd.is_relative(); }
 
-    bool retry(Cursor&, const Cursor&) override;
+    bool retry(Cursor&) override;
 
     PatternMatchData* get_pattern(SnortProtocolId, RuleDirection) override
     { return &config.pmd; }
@@ -145,11 +144,14 @@ bool RegexOption::operator==(const IpsOption& ips) const
     return false;
 }
 
+namespace
+{
 struct ScanContext
 {
     unsigned index;
     bool found = false;
 };
+}
 
 static int hs_match(
     unsigned int /*id*/, unsigned long long /*from*/, unsigned long long to,
@@ -190,7 +192,7 @@ IpsOption::EvalStatus RegexOption::eval(Cursor& c, Packet*)
     return NO_MATCH;
 }
 
-bool RegexOption::retry(Cursor&, const Cursor&)
+bool RegexOption::retry(Cursor&)
 { return !is_relative(); }
 
 //-------------------------------------------------------------------------
@@ -405,7 +407,7 @@ static Module* mod_ctor()
 static void mod_dtor(Module* p)
 { delete p; }
 
-static IpsOption* regex_ctor(Module* m, OptTreeNode*)
+static IpsOption* regex_ctor(Module* m, IpsInfo&)
 {
     RegexModule* mod = (RegexModule*)m;
     RegexConfig c;
index 1efb89c0403760721c42d985c2261469e5c285e3..2d304aefd2a8c4ff9455d994b7984cc053d6575c 100644 (file)
@@ -67,7 +67,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* rem_ctor(Module*, OptTreeNode*)
+static IpsOption* rem_ctor(Module*, IpsInfo&)
 {
     return nullptr;
 }
index b5655bd8e1829c9e165838e7463c5805384a4b12..6cd63d53747663ab8b63b5bf36e11e812c1d92bb 100644 (file)
@@ -23,7 +23,6 @@
 #endif
 
 #include "detection/detection_engine.h"
-#include "detection/treenodes.h"
 #include "framework/cursor.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
@@ -240,7 +239,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* replace_ctor(Module* p, OptTreeNode*)
+static IpsOption* replace_ctor(Module* p, IpsInfo&)
 {
     ReplModule* m = (ReplModule*)p;
     return new ReplaceOption(m->data);
index 876dd81211d49cd4e746d951a47b4cd54fca5f56..2eeb3851d13f7128550f0b93fbaaa89869922183 100644 (file)
@@ -21,7 +21,6 @@
 #include "config.h"
 #endif
 
-#include "detection/treenodes.h"
 #include "framework/decode_data.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
@@ -79,10 +78,10 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* rev_ctor(Module* p, OptTreeNode* otn)
+static IpsOption* rev_ctor(Module* p, IpsInfo& info)
 {
     RevModule* m = (RevModule*)p;
-    otn->sigInfo.rev = m->rev;
+    IpsOption::set_rev(info, m->rev);
     return nullptr;
 }
 
index d019ac57c115735135e57cff9cd08395cf90bd24..5b26f0f2fd23d4ee4cd311d203369e31b1f3719b 100644 (file)
@@ -310,7 +310,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* rpc_ctor(Module* p, OptTreeNode*)
+static IpsOption* rpc_ctor(Module* p, IpsInfo&)
 {
     RpcModule* m = (RpcModule*)p;
     return new RpcOption(m->data);
index 371653016d6aadc5ee0ea01b2c12b3e40f16bf76..f02dc7443d45f237f341daa91dd5c15c01d9d687 100644 (file)
@@ -29,7 +29,6 @@
 #include <hs_runtime.h>
 
 #include "detection/pattern_match_data.h"
-#include "detection/treenodes.h"
 #include "framework/cursor.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
@@ -488,7 +487,7 @@ static void mod_dtor(Module* p)
     delete p;
 }
 
-static IpsOption* sd_pattern_ctor(Module* m, OptTreeNode*)
+static IpsOption* sd_pattern_ctor(Module* m, IpsInfo&)
 {
     SdPatternModule* mod = (SdPatternModule*)m;
     SdPatternConfig c;
index c7fccac5c2af68ec6f909ff797f6566ef1bd3811..593e330f9db7faf5e69342c990497d9e37d48216 100644 (file)
@@ -149,7 +149,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* seq_ctor(Module* p, OptTreeNode*)
+static IpsOption* seq_ctor(Module* p, IpsInfo&)
 {
     SeqModule* m = (SeqModule*)p;
     return new TcpSeqOption(m->data);
index 7d47181299d906038ec648a2812dc2e49495a20a..13c55424987495146167de810182e92dba6085af 100644 (file)
@@ -50,8 +50,7 @@ static const Parameter s_params[] =
 class ServiceModule : public Module
 {
 public:
-    ServiceModule() : Module(s_name, s_help, s_params)
-    { snort_config = nullptr; }
+    ServiceModule() : Module(s_name, s_help, s_params) { }
 
     bool set(const char*, Value&, SnortConfig*) override;
     bool begin(const char*, int, SnortConfig*) override;
@@ -60,13 +59,11 @@ public:
     { return DETECT; }
 
 public:
-    struct SnortConfig* snort_config;
     vector<string> services;
 };
 
-bool ServiceModule::begin(const char*, int, SnortConfig* sc)
+bool ServiceModule::begin(const char*, int, SnortConfig*)
 {
-    snort_config = sc;
     services.clear();
     return true;
 }
@@ -99,12 +96,12 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* service_ctor(Module* p, OptTreeNode* otn)
+static IpsOption* service_ctor(Module* p, IpsInfo& info)
 {
     ServiceModule* m = (ServiceModule*)p;
 
     for ( const auto& service : m->services )
-        add_service_to_otn(m->snort_config, otn, service.c_str());
+        IpsOption::add_service(info, service.c_str());
 
     return nullptr;
 }
@@ -134,5 +131,13 @@ static const IpsApi service_api =
     nullptr
 };
 
-const BaseApi* ips_service = &service_api.base;
+#ifdef BUILDING_SO
+SO_PUBLIC const BaseApi* snort_plugins[] =
+#else
+const BaseApi* ips_service[] =
+#endif
+{
+    &service_api.base,
+    nullptr
+};
 
index d4572622bb95d596ae7ea6d85290f96fbebe59a5..6e9f8dff196be54c685fa0e0d08dc4fc4ab7e68a 100644 (file)
@@ -21,7 +21,6 @@
 #include "config.h"
 #endif
 
-#include "detection/treenodes.h"
 #include "framework/decode_data.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
@@ -79,10 +78,10 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* sid_ctor(Module* p, OptTreeNode* otn)
+static IpsOption* sid_ctor(Module* p, IpsInfo& info)
 {
     SidModule* m = (SidModule*)p;
-    otn->sigInfo.sid = m->sid;
+    IpsOption::set_sid(info, m->sid);
     return nullptr;
 }
 
index 41ecb353bc3b84ba932013ecf79c8141941256b2..4f309d3825b73acbdca6e18f407843990f6a6f16 100644 (file)
@@ -21,7 +21,6 @@
 #include "config.h"
 #endif
 
-#include "detection/treenodes.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
 #include "framework/so_rule.h"
@@ -41,7 +40,7 @@ static THREAD_LOCAL ProfileStats soPerfStats;
 class SoOption : public IpsOption
 {
 public:
-    SoOption(const char*, const char*, bool, SoEvalFunc f, void* v, SnortConfig*);
+    SoOption(const char*, const char*, bool, SoEvalFunc f, void* v, SoRules*);
     ~SoOption() override;
 
     uint32_t hash() const override;
@@ -65,7 +64,7 @@ private:
 };
 
 SoOption::SoOption(
-    const char* id, const char* s, bool r, SoEvalFunc f, void* v, SnortConfig* sc)
+    const char* id, const char* s, bool r, SoEvalFunc f, void* v, SoRules* sos)
     : IpsOption(s_name)
 {
     soid = id;
@@ -73,7 +72,7 @@ SoOption::SoOption(
     relative_flag = r;
     func = f;
     data = v;
-    so_rules = sc->so_rules;
+    so_rules = sos;
 }
 
 SoOption::~SoOption()
@@ -151,14 +150,12 @@ public:
 public:
     string name;
     bool relative_flag = false;
-    SnortConfig* cfg = nullptr;
 };
 
-bool SoModule::begin(const char*, int, SnortConfig* sc)
+bool SoModule::begin(const char*, int, SnortConfig*)
 {
     name.clear();
     relative_flag = false;
-    cfg = sc;
     return true;
 }
 
@@ -187,26 +184,29 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* so_ctor(Module* p, OptTreeNode* otn)
+static IpsOption* so_ctor(Module* p, IpsInfo& info)
 {
     void* data = nullptr;
     SoModule* m = (SoModule*)p;
     const char* name = m->name.c_str();
     bool relative_flag = m->relative_flag;
+    const char* soid = IpsOption::get_soid(info);
 
-    if ( !otn->soid )
+    if ( !soid )
     {
         ParseError("no soid before so:%s", name);
         return nullptr;
     }
-    SoEvalFunc func = SoManager::get_so_eval(otn->soid, name, &data, m->cfg);
+    SoEvalFunc func = IpsOption::get_so_eval(info, name, data);
 
     if ( !func )
     {
         ParseError("can't link so:%s", name);
         return nullptr;
     }
-    return new SoOption(otn->soid, name, relative_flag, func, data, m->cfg);
+    SoRules* sos = IpsOption::get_so_rules(info);
+
+    return new SoOption(soid, name, relative_flag, func, data, sos);
 }
 
 static void so_dtor(IpsOption* p)
@@ -239,5 +239,9 @@ static const IpsApi so_api =
     nullptr
 };
 
-const BaseApi* ips_so = &so_api.base;
+const BaseApi* ips_so[] =
+{
+    &so_api.base,
+    nullptr
+};
 
index e8d668dc5fcb544a6039787f567ce51c0bd32e94..4c78d57b3f697e9248521d1ac1df9fc3a4e0fe5d 100644 (file)
@@ -21,7 +21,6 @@
 #include "config.h"
 #endif
 
-#include "detection/treenodes.h"
 #include "framework/decode_data.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
@@ -80,10 +79,10 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* soid_ctor(Module* p, OptTreeNode* otn)
+static IpsOption* soid_ctor(Module* p, IpsInfo& info)
 {
     SoidModule* m = (SoidModule*)p;
-    otn->soid = snort_strdup(m->soid.c_str());
+    IpsOption::set_soid(info, m->soid.c_str());
     return nullptr;
 }
 
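Review bot: The removed line duplicated the id with `snort_strdup` before storing it, so the OTN owned the string; the new `IpsOption::set_soid(info, m->soid.c_str())` hands over a pointer into `m->soid`, a std::string member of a module object that is reused for every subsequent rule. Unless set_soid copies the text, the stored pointer dangles as soon as the module resets `soid` for the next rule — and so_ctor later reads it back through `get_soid` to locate the shared-object eval function. Confirm that set_soid takes a copy (or change it to accept a std::string) and say so at the call: `// set_soid copies; m->soid is reused by the next rule`. The same caveat applies to add_reference and add_service, which pass c_str() of module-owned strings in the same way.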
index 2e0be3fe1687558a7075e26da2241094a013b815..6495f10e714beaf12734b050c821ba5b04aa963c 100644 (file)
@@ -23,7 +23,6 @@
 #endif
 
 #include "detection/tag.h"
-#include "detection/treenodes.h"
 #include "framework/decode_data.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
@@ -154,10 +153,10 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* tag_ctor(Module* p, OptTreeNode* otn)
+static IpsOption* tag_ctor(Module* p, IpsInfo& info)
 {
     TagModule* m = (TagModule*)p;
-    otn->tag = m->get_data();
+    IpsOption::set_tag(info, m->get_data());
     return nullptr;
 }
 
index 29d38ac26aa5da6b03c971f847810e7af819cf93..c7d2f75799d3fd78cd52b822c46ca547576c2123 100644 (file)
@@ -21,7 +21,6 @@
 #include "config.h"
 #endif
 
-#include "detection/treenodes.h"
 #include "framework/decode_data.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
@@ -55,14 +54,13 @@ public:
     { return DETECT; }
 
 public:
-    Target target = Target::TARGET_NONE;
+    bool target = false;
 };
 
 bool TargetModule::set(const char*, Value& v, SnortConfig*)
 {
     assert(v.is("~"));
-    assert(v.get_uint8() <= TARGET_MAX);
-    target = static_cast<Target>(v.get_uint8() + 1);
+    target = v.get_uint8() ? false : true;
     return true;
 }
 
@@ -80,10 +78,10 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* target_ctor(Module* p, OptTreeNode* otn)
+static IpsOption* target_ctor(Module* p, IpsInfo& info)
 {
     TargetModule* m = (TargetModule*)p;
-    otn->sigInfo.target = m->target;
+    IpsOption::set_target(info, m->target);
     return nullptr;
 }
 
index e4daa8d6caf0b42bd28c9ff64b73bda46f934824..ccf0c3d610a6a607c0b9561e17558e4345899802 100644 (file)
@@ -152,7 +152,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* tos_ctor(Module* p, OptTreeNode*)
+static IpsOption* tos_ctor(Module* p, IpsInfo&)
 {
     TosModule* m = (TosModule*)p;
     return new IpTosOption(m->data);
index 526a2372119d49a0a61029cb51697efc6b503877..422c59e5ecdf84f21cf5dfdc1728776b7a0adfb4 100644 (file)
@@ -149,7 +149,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* ttl_ctor(Module* p, OptTreeNode*)
+static IpsOption* ttl_ctor(Module* p, IpsInfo&)
 {
     TtlModule* m = (TtlModule*)p;
     return new TtlOption(m->data);
index 82753a30ed384a29b8d25fa42824a396e435f8e5..511ae18195e042e15dad5f4bd190dcdc78bb063d 100644 (file)
@@ -106,7 +106,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* vba_data_ctor(Module*, OptTreeNode*)
+static IpsOption* vba_data_ctor(Module*, IpsInfo&)
 {
     return new VbaDataOption;
 }
@@ -141,11 +141,7 @@ static const IpsApi vba_data_api =
     nullptr
 };
 
-#ifdef BUILDING_SO
-SO_PUBLIC const BaseApi* snort_plugins[] =
-#else
 const BaseApi* ips_vba_data[] =
-#endif
 {
     &vba_data_api.base,
     nullptr
index 1e79249eab0b97999fbb3c6495694f1001ead975..7e391e29448154122c6c8384e78f04d0948f94c7 100644 (file)
@@ -149,7 +149,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* window_ctor(Module* p, OptTreeNode*)
+static IpsOption* window_ctor(Module* p, IpsInfo&)
 {
     WindowModule* m = (WindowModule*)p;
     return new TcpWinOption(m->data);
index 7c2c4fb34ff5d23022085a8f972e3826e576a5bf..246876bd417829334d70f854afff71a2bec4be6a 100644 (file)
@@ -3,11 +3,11 @@ if ( HAVE_HYPERSCAN )
     add_cpputest( ips_regex_test
         SOURCES
             ../ips_regex.cc
-            ../../framework/module.cc
             ../../framework/ips_option.cc
+            ../../framework/module.cc
             ../../framework/value.cc
-            ../../helpers/scratch_allocator.cc
             ../../helpers/hyper_scratch_allocator.cc
+            ../../helpers/scratch_allocator.cc
             ../../sfip/sf_ip.cc
             $<TARGET_OBJECTS:catch_tests>
         LIBS
index f040d1ae7499c1d3c7daf1095bf50e0afaa9ecbf..97f33c3f4e67f08c973fd520cc4e4576b9bde5db 100644 (file)
 #include "framework/base_api.h"
 #include "framework/counts.h"
 #include "framework/cursor.h"
+#include "framework/ips_info.h"
 #include "framework/ips_option.h"
 #include "framework/module.h"
 #include "log/messages.h"
 #include "main/snort_config.h"
 #include "main/thread_config.h"
+#include "managers/so_manager.h"
 #include "ports/port_group.h"
 #include "profiler/profiler_defs.h"
 #include "protocols/packet.h"
@@ -104,8 +106,6 @@ char* snort_strdup(const char* s)
 
 MemoryContext::MemoryContext(MemoryTracker&) { }
 MemoryContext::~MemoryContext() = default;
-
-THREAD_LOCAL bool TimeProfilerStats::enabled = false;
 }
 
 extern const BaseApi* ips_regex;
@@ -114,10 +114,34 @@ Cursor::Cursor(Packet* p)
 { set("pkt_data", p->data, p->dsize); }
 
 void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { }
+void show_stats(PegCount*, const PegInfo*, const std::vector<unsigned>&, const char*, FILE*) { }
 
 OptTreeNode::~OptTreeNode() = default;
 
+SO_PUBLIC bool snort::otn_has_plugin(OptTreeNode*, const char*)
+{ return false; }
+
+const ClassType* get_classification(snort::SnortConfig*, const char*)
+{ return nullptr; }
+
+void add_classification(snort::SnortConfig*, const char*, const char*, unsigned)
+{ }
+
+struct THD_NODE* detection_filter_create(DetectionFilterConfig*, struct THDX_STRUCT*)
+{ return nullptr; }
+
+void add_reference(snort::SnortConfig*, OptTreeNode*, const std::string&, const std::string&)
+{ }
+
+void add_reference(IpsInfo&, const char*, const char*)
+{ }
+
+void add_service_to_otn(snort::SnortConfig*, OptTreeNode*, const char*)
+{ }
+
+SoEvalFunc SoManager::get_so_eval(const char*, const char*, void**, snort::SnortConfig*)
+{ return nullptr; }
+
 //-------------------------------------------------------------------------
 // helpers
 //-------------------------------------------------------------------------
@@ -145,10 +169,10 @@ static IpsOption* get_option(Module* mod, const char* pat)
     mod->set(ips_regex->name, vs, nullptr);
     mod->end(ips_regex->name, 0, nullptr);
 
-    OptTreeNode otn;
+    IpsInfo info(nullptr, nullptr);
 
     const IpsApi* api = (const IpsApi*) ips_regex;
-    IpsOption* opt = api->ctor(mod, &otn);
+    IpsOption* opt = api->ctor(mod, info);
 
     return opt;
 }
@@ -308,7 +332,7 @@ TEST(ips_regex_option, match_absolute)
     Cursor c(&pkt);
     CHECK(opt->eval(c, &pkt) == IpsOption::MATCH);
     CHECK(!strcmp((const char*) c.start(), " stew *"));
-    CHECK(opt->retry(c,c));
+    CHECK(opt->retry(c));
 }
 
 TEST(ips_regex_option, no_match_delta)
@@ -363,7 +387,7 @@ TEST(ips_regex_option_relative, no_match)
 
     CHECK(opt->is_relative());
     CHECK(opt->eval(c, &pkt) == IpsOption::NO_MATCH);
-    CHECK(!opt->retry(c,c));
+    CHECK(!opt->retry(c));
 }
 
 //-------------------------------------------------------------------------
index fecd9613b3d490735d0bef97db768c1ce124f7fd..9fb7c6e1e902f7556adc794bf66b849f84283b6b 100644 (file)
@@ -20,7 +20,7 @@
 #ifndef JS_ENUM_H
 #define JS_ENUM_H
 
-#include "utils/event_gen.h"
+#include "helpers/event_gen.h"
 
 namespace jsn
 {
index 5c90cd20efadba26690a0721e357ea27fe698ec4..b3cf3aae531192cfb13d57ff8b2313995ec55b27 100644 (file)
@@ -20,7 +20,7 @@
 #ifndef JS_NORM_H
 #define JS_NORM_H
 
-#include "utils/event_gen.h"
+#include "helpers/event_gen.h"
 
 #include "js_config.h"
 #include "js_enum.h"
index 63cbc663669f4c9325d97864ca81bf86b45b8605..911d255ac16f38721c6fe70c1c2759dd84ed1d6e 100644 (file)
 
 #include <FlexLexer.h>
 
+#include "helpers/streambuf.h"
 #include "js_tokenizer.h"
 
-#include "utils/streambuf.h"
-
 namespace jsn
 {
 
index 74b92f2e34ec0b1f35022a69a241b33cf4bfb56b..edc54fadffa84b866eaef1132aec8beab1be972b 100644 (file)
@@ -23,9 +23,9 @@
 #include <FlexLexer.h>
 #include <cstring>
 
+#include "helpers/streambuf.h"
 #include "js_norm/js_norm.h"
 #include "js_norm/pdf_tokenizer.h"
-#include "utils/streambuf.h"
 
 namespace snort
 {
index 66d0ff0b6d1882d91e8338e71128a9b5c161e27c..5ba935362318a72db0e3f92c5f632a7f6cafee5c 100644 (file)
@@ -13,7 +13,7 @@ add_catch_test( js_normalizer_test
         ${js_tokenizer_OUTPUTS}
         ../js_identifier_ctx.cc
         ../js_normalizer.cc
-        ${CMAKE_SOURCE_DIR}/src/utils/streambuf.cc
+        ${CMAKE_SOURCE_DIR}/src/helpers/streambuf.cc
         ${CMAKE_SOURCE_DIR}/src/utils/util_cstring.cc
         js_test_options.cc
         js_test_stubs.cc
@@ -25,7 +25,7 @@ add_catch_test( js_dealias_test
         ${js_tokenizer_OUTPUTS}
         ../js_identifier_ctx.cc
         ../js_normalizer.cc
-        ${CMAKE_SOURCE_DIR}/src/utils/streambuf.cc
+        ${CMAKE_SOURCE_DIR}/src/helpers/streambuf.cc
         ${CMAKE_SOURCE_DIR}/src/utils/util_cstring.cc
         js_test_options.cc
         js_test_stubs.cc
@@ -37,7 +37,7 @@ add_catch_test( js_unescape_test
         ${js_tokenizer_OUTPUTS}
         ../js_identifier_ctx.cc
         ../js_normalizer.cc
-        ${CMAKE_SOURCE_DIR}/src/utils/streambuf.cc
+        ${CMAKE_SOURCE_DIR}/src/helpers/streambuf.cc
         ${CMAKE_SOURCE_DIR}/src/utils/util_cstring.cc
         js_test_options.cc
         js_test_stubs.cc
@@ -56,7 +56,7 @@ add_catch_test( jsn_test
         ../js_identifier_ctx.cc
         ../js_norm.cc
         ../js_normalizer.cc
-        ${CMAKE_SOURCE_DIR}/src/utils/streambuf.cc
+        ${CMAKE_SOURCE_DIR}/src/helpers/streambuf.cc
         js_test_stubs.cc
 )
 
@@ -73,7 +73,7 @@ if (ENABLE_BENCHMARK_TESTS)
             ${js_tokenizer_OUTPUTS}
             ../js_identifier_ctx.cc
             ../js_normalizer.cc
-            ${CMAKE_SOURCE_DIR}/src/utils/streambuf.cc
+            ${CMAKE_SOURCE_DIR}/src/helpers/streambuf.cc
             ${CMAKE_SOURCE_DIR}/src/utils/util_cstring.cc
             js_test_options.cc
             js_test_stubs.cc
@@ -83,7 +83,7 @@ if (ENABLE_BENCHMARK_TESTS)
     add_catch_test( pdf_tokenizer_benchmark
         SOURCES
             ${pdf_tokenizer_OUTPUTS}
-            ${CMAKE_SOURCE_DIR}/src/utils/streambuf.cc
+            ${CMAKE_SOURCE_DIR}/src/helpers/streambuf.cc
             ${CMAKE_SOURCE_DIR}/src/utils/util_cstring.cc
             js_test_stubs.cc
     )
index c99162fda05dbb3f98a232f5aba54b17867b467e..f484fe1bd36c8724b1e4b4af340c29bc0dcc745e 100644 (file)
@@ -29,8 +29,8 @@
 #include <FlexLexer.h>
 
 #include "catch/catch.hpp"
+#include "helpers/streambuf.h"
 #include "js_norm/pdf_tokenizer.h"
-#include "utils/streambuf.h"
 
 using namespace jsn;
 using namespace snort;
index 0865d70666a37e78b4b4571544a8d53e1135c745..1ecb689d90dfa1539bf6fce0fd7254e794712252 100644 (file)
@@ -21,7 +21,6 @@
 #ifndef LATENCY_STATS_H
 #define LATENCY_STATS_H
 
-#include "main/thread.h"
 #include "framework/counts.h"
 
 struct LatencyStats
index fffe97a96ccac67aa638ecb5009c726cfd60e931..7ba03f048520538304bcfd74d706c29d5d0d3ed0 100644 (file)
@@ -28,6 +28,7 @@
 #include "detection/detection_options.h"
 #include "detection/treenodes.h"
 #include "main/snort_config.h"
+#include "main/thread.h"
 #include "log/messages.h"
 #include "protocols/packet.h"
 #include "utils/stats.h"
index 6a6209355254cf1e8a8b6d356ad892ae29480bfc..99de682d2c70e7c5625ff5021ac31effeb07fb81 100644 (file)
@@ -1,6 +1,6 @@
 
 set (LOG_INCLUDES
-    log.h
+    log_stats.h
     log_text.h
     messages.h
     obfuscator.h
@@ -12,6 +12,9 @@ set (LOG_INCLUDES
 add_library ( log OBJECT
     ${LOG_INCLUDES}
     log.cc
+    log.h
+    log_errors.h
+    log_stats.cc
     log_text.cc
     messages.cc
     obfuscator.cc
index 47b4cd083edf58b3f823ebcc5ae6e61b30985a60..d963f941af07b9b31e4fcfc311fddd10664aa009 100644 (file)
 
 #include "log.h"
 
+#include <netdb.h>
 #include <mutex>
 
+#include "main/thread.h"
 #include "protocols/packet.h"
-#include "protocols/tcp.h"
 #include "utils/util.h"
 #include "utils/util_cstring.h"
 
@@ -38,25 +39,6 @@ using namespace snort;
 
 #define DEFAULT_DAEMON_ALERT_FILE  "alert"
 
-namespace snort
-{
-// Input is packet and an nine-byte (including null) character array.  Results
-// are put into the character array.
-void CreateTCPFlagString(const tcp::TCPHdr* const tcph, char* flagBuffer)
-{
-    /* parse TCP flags */
-    *flagBuffer++ = (char)((tcph->th_flags & TH_RES1) ? '1' : '*');
-    *flagBuffer++ = (char)((tcph->th_flags & TH_RES2) ? '2' : '*');
-    *flagBuffer++ = (char)((tcph->th_flags & TH_URG)  ? 'U' : '*');
-    *flagBuffer++ = (char)((tcph->th_flags & TH_ACK)  ? 'A' : '*');
-    *flagBuffer++ = (char)((tcph->th_flags & TH_PUSH) ? 'P' : '*');
-    *flagBuffer++ = (char)((tcph->th_flags & TH_RST)  ? 'R' : '*');
-    *flagBuffer++ = (char)((tcph->th_flags & TH_SYN)  ? 'S' : '*');
-    *flagBuffer++ = (char)((tcph->th_flags & TH_FIN)  ? 'F' : '*');
-    *flagBuffer = '\0';
-}
-}
-
 /****************************************************************************
  *
  * Function: OpenAlertFile(char *)
@@ -172,3 +154,57 @@ void LogNetData(const uint8_t* data, const int len, Packet* p)
     log_mutex.unlock();
 }
 
+//--------------------------------------------------------------------
+// protocol translation
+//--------------------------------------------------------------------
+
+static char** protocol_names = nullptr;
+
+const char* get_protocol_name(uint8_t ip_proto)
+{
+    assert(protocol_names and protocol_names[ip_proto]);
+    return protocol_names[ip_proto];
+}
+
+void InitProtoNames()
+{
+    if ( !protocol_names )
+        protocol_names = (char**)snort_calloc(NUM_IP_PROTOS, sizeof(char*));
+
+    for ( int i = 0; i < NUM_IP_PROTOS; i++ )
+    {
+        struct protoent* pt = getprotobynumber(i);  // main thread only
+
+        if (pt != nullptr)
+        {
+            protocol_names[i] = snort_strdup(pt->p_name);
+
+            for ( size_t j = 0; j < strlen(protocol_names[i]); j++ )
+                protocol_names[i][j] = toupper(protocol_names[i][j]);
+        }
+        else
+        {
+            char protoname[10];
+            SnortSnprintf(protoname, sizeof(protoname), "PROTO:%03d", i);
+            protocol_names[i] = snort_strdup(protoname);
+        }
+    }
+}
+
+void CleanupProtoNames()
+{
+    if (protocol_names != nullptr)
+    {
+        int i;
+
+        for (i = 0; i < NUM_IP_PROTOS; i++)
+        {
+            if (protocol_names[i] != nullptr)
+                snort_free(protocol_names[i]);
+        }
+
+        snort_free(protocol_names);
+        protocol_names = nullptr;
+    }
+}
+
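Review bot: `protocol_names[i][j] = toupper(protocol_names[i][j]);` in InitProtoNames passes a plain `char` to toupper, which is undefined behaviour for any name byte that is negative on a signed-char platform, and the loop condition re-evaluates `strlen` on every iteration; `for ( char* c = protocol_names[i]; *c; ++c )` with `*c = toupper((unsigned char)*c);` fixes both. Only the table allocation is guarded by `if ( !protocol_names )`, so a second call to InitProtoNames overwrites every `snort_strdup` result without freeing it; returning early when the table already exists (or calling CleanupProtoNames first) would close that leak. The `assert` in get_protocol_name is the only check against use before InitProtoNames, so a release build would dereference a null table there; a short comment on get_protocol_name stating that InitProtoNames must have run first would at least make the precondition visible.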
index 8fbd38f145c6e261c61a17535a31e1b545bd3206..937bc9cf3b70a2ca4b35d4b43164cfb109042a01 100644 (file)
 #ifndef LOG_H
 #define LOG_H
 
+// this is for legacy logging like stream_ip debug and stream_tcp show rebuilt.
+// it should not be used for new code. existing uses should be converted to the
+// trace logger system or directly call TextLog which this wraps.
+
 #include <cstdio>
 
 #include "main/snort_types.h"
 
 namespace snort
 {
-namespace tcp { struct TCPHdr; }
-struct Packet;
-
-SO_PUBLIC void CreateTCPFlagString(const tcp::TCPHdr* const, char*);
+    struct Packet;
 }
 
 FILE* OpenAlertFile(const char*, bool is_critical=true);
@@ -42,5 +43,10 @@ void LogIPPkt(snort::Packet*);
 void LogFlow(snort::Packet*);
 void LogNetData(const uint8_t* data, const int len, snort::Packet*);
 
+void InitProtoNames();
+void CleanupProtoNames();
+
+const char* get_protocol_name(uint8_t ip_proto);
+
 #endif
 
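Review bot: The comment added at the top of this header says the file is legacy and should not be used for new code, yet the same change adds `InitProtoNames`, `CleanupProtoNames` and `get_protocol_name` here, so a reader cannot tell whether the protocol-name table is covered by that warning. A one-line comment above the new declarations, e.g. `// protocol name table; not part of the legacy logging wrapper above`, would resolve that, or the three declarations could move to their own header. The `// main thread only` caveat that the implementation attaches to getprotobynumber belongs on the declaration of InitProtoNames too, since that is what callers see.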
diff --git a/src/log/log_errors.h b/src/log/log_errors.h
new file mode 100644 (file)
index 0000000..b088058
--- /dev/null
@@ -0,0 +1,30 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2014-2023 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+
+#ifndef LOG_ERRORS_H
+#define LOG_ERRORS_H
+
+void reset_parse_errors();
+unsigned get_parse_errors();
+unsigned get_parse_warnings();
+void reset_reload_errors();
+unsigned get_reload_errors();
+std::string& get_reload_errors_description();
+
+#endif
+
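Review bot: `std::string& get_reload_errors_description();` uses std::string but this new header includes nothing, so it only compiles when the includer has already pulled in `<string>` (messages.cc includes it after messages.h, which may be what masks this). Add `#include <string>` right after the include guard so the header is self-contained.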
diff --git a/src/log/log_stats.cc b/src/log/log_stats.cc
new file mode 100644 (file)
index 0000000..2c05043
--- /dev/null
@@ -0,0 +1,114 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2014-2023 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "log_stats.h"
+
+#include "control/control.h"
+
+#include "messages.h"
+
+//using namespace snort;
+
+//-------------------------------------------------------------------------
+
+static THREAD_LOCAL ControlConn* s_ctrlcon = nullptr;
+
+void snort::set_log_conn(ControlConn* cc)
+{ s_ctrlcon = cc; }
+
+//-------------------------------------------------------------------------
+
+#define STATS_SEPARATOR \
+    "--------------------------------------------------"
+
+static inline void LogSeparator(FILE* fh = stdout)
+{
+    LogfRespond(s_ctrlcon, fh, "%s\n", STATS_SEPARATOR);
+}
+
+static double CalcPct(uint64_t cnt, uint64_t total)
+{
+    double pct = 0.0;
+
+    if (total == 0.0)
+    {
+        pct = (double)cnt;
+    }
+    else
+    {
+        pct = (double)cnt / (double)total;
+    }
+
+    pct *= 100.0;
+
+    return pct;
+}
+
+//-------------------------------------------------------------------------
+
+void snort::LogText(const char* s, FILE* fh)
+{
+    LogfRespond(s_ctrlcon, fh, "%s\n", s);
+}
+
+void snort::LogLabel(const char* s, FILE* fh)
+{
+    if ( *s == ' ' )
+    {
+        LogfRespond(s_ctrlcon, fh, "%s\n", s);
+    }
+    else
+    {
+        LogSeparator(fh);
+        LogfRespond(s_ctrlcon, fh, "%s\n", s);
+    }
+}
+
+void snort::LogValue(const char* s, const char* v, FILE* fh)
+{
+    LogfRespond(s_ctrlcon, fh, "%25.25s: %s\n", s, v);
+}
+
+void snort::LogCount(const char* s, uint64_t c, FILE* fh)
+{
+    if ( c )
+    {
+        LogfRespond(s_ctrlcon, fh, "%25.25s: " STDu64 "\n", s, c);
+    }
+}
+
+void snort::LogStat(const char* s, uint64_t n, uint64_t tot, FILE* fh)
+{
+    if ( n )
+    {
+        LogfRespond(s_ctrlcon, fh, "%25.25s: " FMTu64("-12") "\t(%7.3f%%)\n", s, n, CalcPct(n, tot));
+    }
+}
+
+void snort::LogStat(const char* s, double d, FILE* fh)
+{
+    if ( d )
+    {
+        LogfRespond(s_ctrlcon, fh, "%25.25s: %g\n", s, d);
+    }
+}
+
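Review bot: CalcPct compares the integer `total` against a floating literal, `if (total == 0.0)`, which forces a uint64_t-to-double conversion just to test for zero; `if (total == 0)` says the same thing without the mixed-type compare that the static checkers this PR is otherwise quieting tend to flag. The zero-total branch reports `cnt * 100` as the percentage, which looks like a carry-over rather than an intended value; if it is intended, a one-line comment saying so would help. The commented-out `//using namespace snort;` near the top should be dropped. LogLabel's rule that a label starting with a space suppresses the separator line is undocumented; a comment such as `// a leading space marks a sub-label: printed without the separator` above it would make the convention visible.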
diff --git a/src/log/log_stats.h b/src/log/log_stats.h
new file mode 100644 (file)
index 0000000..6246cb2
--- /dev/null
@@ -0,0 +1,45 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2014-2023 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+
+#ifndef LOG_STATS_H
+#define LOG_STATS_H
+
+// used for logging pegs
+
+#include <cstdint>
+#include <cstdio>
+
+#include "main/snort_types.h"
+
+class ControlConn;
+
+namespace snort
+{
+void set_log_conn(ControlConn*);
+
+SO_PUBLIC void LogLabel(const char*, FILE* = stdout);
+SO_PUBLIC void LogText(const char*, FILE* = stdout);
+SO_PUBLIC void LogValue(const char*, const char*, FILE* = stdout);
+SO_PUBLIC void LogCount(const char*, uint64_t, FILE* = stdout);
+
+SO_PUBLIC void LogStat(const char*, uint64_t n, uint64_t tot, FILE* = stdout);
+SO_PUBLIC void LogStat(const char*, double, FILE* = stdout);
+}
+
+#endif
+
index ab9f3f516115c5142816ccba220aab9d3c15544e..faf09fbdd820f7cd7b98a99ca3bb6f35cbbd49e7 100644 (file)
@@ -31,6 +31,7 @@
 #include "detection/detection_engine.h"
 #include "detection/signature.h"
 #include "events/event.h"
+#include "framework/pig_pen.h"
 #include "main/snort_config.h"
 #include "network_inspectors/appid/appid_api.h"
 #include "packet_io/sfdaq.h"
@@ -45,7 +46,6 @@
 #include "utils/util.h"
 #include "utils/util_net.h"
 
-#include "log.h"
 #include "messages.h"
 #include "obfuscator.h"
 
@@ -72,10 +72,12 @@ void LogTimeStamp(TextLog* log, Packet* p)
  */
 void LogPriorityData(TextLog* log, const Event& e)
 {
-    if ( e.sig_info->class_type and !e.sig_info->class_type->text.empty() )
-        TextLog_Print(log, "[Classification: %s] ", e.sig_info->class_type->text.c_str());
+    const char* ct = e.get_class_type();
 
-    TextLog_Print(log, "[Priority: %d] ", e.sig_info->priority);
+    if ( ct )
+        TextLog_Print(log, "[Classification: %s] ", ct);
+
+    TextLog_Print(log, "[Priority: %d] ", e.get_priority());
 }
 
 /*--------------------------------------------------------------------
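Review bot: `TextLog_Print(log, "[Priority: %d] ", e.get_priority());` formats the priority with `%d`, while the other call sites converted in this PR print the same getter with `%u` (ff_priority in alert_csv.cc and alert_json.cc, AlertSyslog); if get_priority() returns an unsigned type this is a signed/unsigned format mismatch. Use `"[Priority: %u] "` so all sites agree.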
@@ -343,13 +345,10 @@ void LogIPHeader(TextLog* log, Packet* p)
     {
         const ip::IP6Hdr* const ip6h = p->ptrs.ip_api.get_ip6h(); // nullptr if ipv4
         const ip::IP6Frag* const ip6_frag = layer::get_inner_ip6_frag();
+        const char* proto = PigPen::get_protocol_name(to_utype(p->get_ip_proto_next()));
 
         TextLog_Print(log, "%s TTL:%u TOS:0x%X ID:%u IpLen:%u DgmLen:%u",
-            protocol_names[to_utype(p->get_ip_proto_next())],
-            ip6h->hop_lim(),
-            ip6h->tos(),
-            (ip6_frag ? ip6_frag->id() : 0),
-            ip::IP6_HEADER_LEN,
+            proto, ip6h->hop_lim(), ip6h->tos(), (ip6_frag ? ip6_frag->id() : 0), ip::IP6_HEADER_LEN,
             (ip6h->len() + ip::IP6_HEADER_LEN));
 
         if (!ip6_frag)
@@ -369,13 +368,10 @@ void LogIPHeader(TextLog* log, Packet* p)
     }
     else
     {
+        const char* proto = PigPen::get_protocol_name(to_utype(ip4h->proto()));
+
         TextLog_Print(log, "%s TTL:%u TOS:0x%X ID:%u IpLen:%u DgmLen:%u",
-            protocol_names[to_utype(ip4h->proto())],
-            ip4h->ttl(),
-            ip4h->tos(),
-            ip4h->id(),
-            ip4h->hlen(),
-            ip4h->len());
+            proto, ip4h->ttl(), ip4h->tos(), ip4h->id(), ip4h->hlen(), ip4h->len());
 
         if (ip4h->rb())
             TextLog_Puts(log, " RB");
@@ -582,8 +578,8 @@ void LogTCPHeader(TextLog* log, Packet* p)
         return;
     }
     /* print TCP flags */
-    CreateTCPFlagString(tcph, tcpFlags);
-    TextLog_Puts(log, tcpFlags); /* We don't care about the null */
+    tcph->stringify_flags(tcpFlags);
+    TextLog_Puts(log, tcpFlags);
 
     /* print other TCP info */
     TextLog_Print(log, " Seq: 0x%lX  Ack: 0x%lX  Win: 0x%X  TcpLen: %d",
@@ -1024,7 +1020,9 @@ void LogICMPHeader(TextLog* log, Packet* p)
 
 void LogXrefs(TextLog* log, const Event& e)
 {
-    for ( const auto ref : e.sig_info->refs )
+    const SigInfo& sig_info = e.get_sig_info();
+
+    for ( const auto ref : sig_info.refs )
     {
         if ( !ref->system )
             TextLog_Print(log, "[Xref => %s]", ref->id.c_str());
index 92313def8257951085dc3a3c11821e23f6fe541a..14b4262f93ddfbc33fcbfdbe5bb0954ff43b9fd1 100644 (file)
@@ -26,7 +26,7 @@
 
 #include "log/text_log.h"
 
-struct Event;
+class Event;
 
 namespace snort
 {
index c21f5140d7c9858d71ae6e115aac8c8f5a1ebc82..dbe5083b4b4aa109d0b40fd96ab4bfd570a6c6dc 100644 (file)
@@ -22,6 +22,7 @@
 #endif
 
 #include "messages.h"
+#include "log_errors.h"
 
 #include <syslog.h>
 
@@ -29,6 +30,7 @@
 #include <cstring>
 
 #include "main/snort_config.h"
+#include "main/thread.h"
 #include "parser/parser.h"
 #include "time/packet_time.h"
 #include "utils/util_cstring.h"
index 0e91f0cdabeffed5eb1a701b9d5bff914e21205c..33ec292dbf2a14374eb2083a1366772a278a2e46 100644 (file)
@@ -45,13 +45,6 @@ enum WarningGroup
     WARN_MAX
 };
 
-void reset_parse_errors();
-unsigned get_parse_errors();
-unsigned get_parse_warnings();
-void reset_reload_errors();
-unsigned get_reload_errors();
-std::string& get_reload_errors_description();
-
 namespace snort
 {
 SO_PUBLIC void ParseWarning(WarningGroup, const char*, ...) __attribute__((format (printf, 2, 3)));
index 22bc0e89a23f6e79f31ddb4970f2edd17bb25720..7a6a1b4f4b668dad935145ac3e8e87921f223bfb 100644 (file)
 
 #include "detection/detection_engine.h"
 #include "detection/ips_context.h"
-#include "detection/signature.h"
 #include "events/event.h"
 #include "flow/flow_key.h"
 #include "framework/logger.h"
 #include "framework/module.h"
 #include "helpers/base64_encoder.h"
-#include "log/log.h"
 #include "log/log_text.h"
 #include "log/text_log.h"
 #include "packet_io/active.h"
@@ -48,7 +46,6 @@
 #include "protocols/udp.h"
 #include "protocols/vlan.h"
 #include "protocols/geneve.h"
-#include "utils/stats.h"
 
 using namespace snort;
 using namespace std;
@@ -64,12 +61,15 @@ static THREAD_LOCAL TextLog* csv_log;
 // field formatting functions
 //-------------------------------------------------------------------------
 
+namespace
+{
 struct Args
 {
     Packet* pkt;
     const char* msg;
     const Event& event;
 };
+}
 
 static void ff_action(const Args& a)
 {
@@ -78,9 +78,8 @@ static void ff_action(const Args& a)
 
 static void ff_class(const Args& a)
 {
-    const char* cls = "none";
-    if ( a.event.sig_info->class_type and !a.event.sig_info->class_type->text.empty() )
-        cls = a.event.sig_info->class_type->text.c_str();
+    const char* cls = a.event.get_class_type();
+    if ( !cls ) cls = "none";
     TextLog_Puts(csv_log, cls);
 }
 
@@ -219,7 +218,7 @@ static void ff_geneve_vni(const Args& a)
 
 static void ff_gid(const Args& a)
 {
-    TextLog_Print(csv_log, "%u",  a.event.sig_info->gid);
+    TextLog_Print(csv_log, "%u",  a.event.get_gid());
 }
 
 static void ff_icmp_code(const Args& a)
@@ -304,7 +303,7 @@ static void ff_pkt_num(const Args& a)
 
 static void ff_priority(const Args& a)
 {
-    TextLog_Print(csv_log, "%u", a.event.sig_info->priority);
+    TextLog_Print(csv_log, "%u", a.event.get_priority());
 }
 
 static void ff_proto(const Args& a)
@@ -314,13 +313,14 @@ static void ff_proto(const Args& a)
 
 static void ff_rev(const Args& a)
 {
-    TextLog_Print(csv_log, "%u",  a.event.sig_info->rev);
+    TextLog_Print(csv_log, "%u",  a.event.get_rev());
 }
 
 static void ff_rule(const Args& a)
 {
-    TextLog_Print(csv_log, "%u:%u:%u",
-        a.event.sig_info->gid, a.event.sig_info->sid, a.event.sig_info->rev);
+    uint32_t gid, sid, rev;
+    a.event.get_sig_ids(gid, sid, rev);
+    TextLog_Print(csv_log, "%u:%u:%u", gid, sid, rev);
 }
 
 static void ff_seconds(const Args& a)
@@ -359,7 +359,7 @@ static void ff_sgt(const Args& a)
 
 static void ff_sid(const Args& a)
 {
-    TextLog_Print(csv_log, "%u",  a.event.sig_info->sid);
+    TextLog_Print(csv_log, "%u",  a.event.get_sid());
 }
 
 static void ff_src_addr(const Args& a)
@@ -394,15 +394,15 @@ static void ff_src_port(const Args& a)
 static void ff_target(const Args& a)
 {
     SfIpString addr = "";
+    bool src;
 
-    if ( a.event.sig_info->target == TARGET_SRC )
-        a.pkt->ptrs.ip_api.get_src()->ntop(addr);
-
-    else if ( a.event.sig_info->target == TARGET_DST )
-        a.pkt->ptrs.ip_api.get_dst()->ntop(addr);
+    if ( !a.event.get_target(src) )
+        return;
 
+    if ( src )
+        a.pkt->ptrs.ip_api.get_src()->ntop(addr);
     else
-        return;
+        a.pkt->ptrs.ip_api.get_dst()->ntop(addr);
 
     TextLog_Print(csv_log, "%s", addr);
 }
@@ -418,7 +418,7 @@ static void ff_tcp_flags(const Args& a)
     if (a.pkt->ptrs.tcph )
     {
         char tcpFlags[9];
-        CreateTCPFlagString(a.pkt->ptrs.tcph, tcpFlags);
+        a.pkt->ptrs.tcph->stringify_flags(tcpFlags);
         TextLog_Print(csv_log, "%s", tcpFlags);
     }
 }
index 40d98457a62a87d810eb9a0a356aa2f4974b8f71..cb2d4a30c0dc94cfb7ce566fbddf53f9a5cee880 100644 (file)
@@ -27,7 +27,6 @@
 #include <vector>
 
 #include "detection/detection_engine.h"
-#include "detection/signature.h"
 #include "events/event.h"
 #include "flow/flow.h"
 #include "flow/session.h"
@@ -303,8 +302,9 @@ void FastLogger::alert(Packet* p, const char* msg, const Event& event)
 
     TextLog_Puts(fast_log, " [**] ");
 
-    TextLog_Print(fast_log, "[%u:%u:%u] ",
-        event.sig_info->gid, event.sig_info->sid, event.sig_info->rev);
+    uint32_t gid, sid, rev;
+    event.get_sig_ids(gid, sid, rev);
+    TextLog_Print(fast_log, "[%u:%u:%u] ", gid, sid, rev);
 
     if (p->context->conf->alert_interface())
         TextLog_Print(fast_log, " <%s> ", SFDAQ::get_input_spec());
@@ -386,11 +386,11 @@ void FastLogger::log_data(Packet* p, const Event& event)
 
     const DataPointer& buf = DetectionEngine::get_alt_buffer(p);
 
-    if ( buf.len and event.sig_info->gid != 116 )
+    if ( buf.len and event.get_gid() != 116 )
         LogNetData(fast_log, buf.data, buf.len, p, "alt");
 
     if ( log_buffers )
-        log_ips_buffers(p, event.buffs_to_dump, buffers_depth);
+        log_ips_buffers(p, event.get_buffers(), buffers_depth);
 }
 
 //-------------------------------------------------------------------------
index ae5aeaaee6604ed2b919a0716b825282501b4f6b..5104b85ba8672ecf70f836e4ae9b4cd7ed7b9327 100644 (file)
@@ -38,7 +38,6 @@
 #endif
 
 #include "detection/ips_context.h"
-#include "detection/signature.h"
 #include "events/event.h"
 #include "framework/logger.h"
 #include "framework/module.h"
@@ -147,8 +146,9 @@ void FullLogger::alert(Packet* p, const char* msg, const Event& event)
 {
     TextLog_Puts(full_log, "[**] ");
 
-    TextLog_Print(full_log, "[%u:%u:%u] ",
-        event.sig_info->gid, event.sig_info->sid, event.sig_info->rev);
+    uint32_t gid, sid, rev;
+    event.get_sig_ids(gid, sid, rev);
+    TextLog_Print(full_log, "[%u:%u:%u] ", gid, sid, rev);
 
     if (p->context->conf->alert_interface())
     {
index 5358b4f056fc0665fcb7351ab43e50de940a3807..119614938eb46d69b247d74b50ee1d0fb4a51866 100644 (file)
 #endif
 
 #include "detection/detection_engine.h"
-#include "detection/signature.h"
 #include "events/event.h"
 #include "flow/flow_key.h"
 #include "framework/logger.h"
 #include "framework/module.h"
 #include "helpers/base64_encoder.h"
-#include "log/log.h"
 #include "log/log_text.h"
 #include "log/text_log.h"
 #include "packet_io/active.h"
@@ -48,7 +46,6 @@
 #include "protocols/tcp.h"
 #include "protocols/udp.h"
 #include "protocols/vlan.h"
-#include "utils/stats.h"
 
 using namespace snort;
 using namespace std;
@@ -64,6 +61,8 @@ static THREAD_LOCAL TextLog* json_log;
 // field formatting functions
 //-------------------------------------------------------------------------
 
+namespace
+{
 struct Args
 {
     Packet* pkt;
@@ -71,6 +70,7 @@ struct Args
     const Event& event;
     bool comma;
 };
+}
 
 static void print_label(const Args& a, const char* label)
 {
@@ -89,10 +89,8 @@ static bool ff_action(const Args& a)
 
 static bool ff_class(const Args& a)
 {
-    const char* cls = "none";
-
-    if ( a.event.sig_info->class_type and !a.event.sig_info->class_type->text.empty() )
-        cls = a.event.sig_info->class_type->text.c_str();
+    const char* cls = a.event.get_class_type();
+    if ( !cls ) cls = "none";
 
     print_label(a, "class");
     TextLog_Quote(json_log, cls);
@@ -281,7 +279,7 @@ static bool ff_geneve_vni(const Args& a)
 static bool ff_gid(const Args& a)
 {
     print_label(a, "gid");
-    TextLog_Print(json_log, "%u",  a.event.sig_info->gid);
+    TextLog_Print(json_log, "%u",  a.event.get_gid());
     return true;
 }
 
@@ -412,7 +410,7 @@ static bool ff_pkt_num(const Args& a)
 static bool ff_priority(const Args& a)
 {
     print_label(a, "priority");
-    TextLog_Print(json_log, "%u", a.event.sig_info->priority);
+    TextLog_Print(json_log, "%u", a.event.get_priority());
     return true;
 }
 
@@ -426,7 +424,7 @@ static bool ff_proto(const Args& a)
 static bool ff_rev(const Args& a)
 {
     print_label(a, "rev");
-    TextLog_Print(json_log, "%u",  a.event.sig_info->rev);
+    TextLog_Print(json_log, "%u",  a.event.get_rev());
     return true;
 }
 
@@ -434,9 +432,10 @@ static bool ff_rule(const Args& a)
 {
     print_label(a, "rule");
 
-    TextLog_Print(json_log, "\"%u:%u:%u\"",
-        a.event.sig_info->gid, a.event.sig_info->sid, a.event.sig_info->rev);
+    uint32_t gid, sid, rev;
+    a.event.get_sig_ids(gid, sid, rev);
 
+    TextLog_Print(json_log, "\"%u:%u:%u\"", gid, sid, rev);
     return true;
 }
 
@@ -496,7 +495,7 @@ static bool ff_sgt(const Args& a)
 static bool ff_sid(const Args& a)
 {
     print_label(a, "sid");
-    TextLog_Print(json_log, "%u",  a.event.sig_info->sid);
+    TextLog_Print(json_log, "%u",  a.event.get_sid());
     return true;
 }
 
@@ -542,15 +541,16 @@ static bool ff_src_port(const Args& a)
 static bool ff_target(const Args& a)
 {
     SfIpString addr = "";
+    bool src;
 
-    if ( a.event.sig_info->target == TARGET_SRC )
-        a.pkt->ptrs.ip_api.get_src()->ntop(addr);
+    if ( !a.event.get_target(src) )
+        return false;
 
-    else if ( a.event.sig_info->target == TARGET_DST )
-        a.pkt->ptrs.ip_api.get_dst()->ntop(addr);
+    if ( src )
+        a.pkt->ptrs.ip_api.get_src()->ntop(addr);
 
     else
-        return false;
+        a.pkt->ptrs.ip_api.get_dst()->ntop(addr);
 
     print_label(a, "target");
     TextLog_Quote(json_log, addr);
@@ -573,7 +573,7 @@ static bool ff_tcp_flags(const Args& a)
     if (a.pkt->ptrs.tcph )
     {
         char tcpFlags[9];
-        CreateTCPFlagString(a.pkt->ptrs.tcph, tcpFlags);
+        a.pkt->ptrs.tcph->stringify_flags(tcpFlags);
 
         print_label(a, "tcp_flags");
         TextLog_Quote(json_log, tcpFlags);
index 61cc5b7f2a781f39107e593c5feb9eaa0f4d2f15..d4eef4fd31bfbd08731937932bdf7e48ada565ed 100644 (file)
 #endif
 
 #include "detection/ips_context.h"
-#include "detection/signature.h"
 #include "events/event.h"
 #include "framework/logger.h"
 #include "framework/module.h"
-#include "helpers/chunk.h"
 #include "log/messages.h"
 #include "lua/lua.h"
 #include "main/thread_config.h"
@@ -35,6 +33,7 @@
 #include "managers/script_manager.h"
 #include "profiler/profiler_defs.h"
 #include "protocols/packet.h"
+#include "utils/chunk.h"
 
 using namespace snort;
 
@@ -49,18 +48,13 @@ static THREAD_LOCAL SnortPacket lua_packet;
 SO_PUBLIC const SnortEvent* get_event()
 {
     assert(event);
-
-    lua_event.gid = event->sig_info->gid;
-    lua_event.sid = event->sig_info->sid;
-    lua_event.rev = event->sig_info->rev;
+    event->get_sig_ids(lua_event.gid, lua_event.sid, lua_event.rev);
 
     lua_event.event_id = event->get_event_id();
     lua_event.event_ref = event->get_event_reference();
 
-    if ( !event->sig_info->message.empty() )
-        lua_event.msg = event->sig_info->message.c_str();
-    else
-        lua_event.msg = "";
+    lua_event.msg = event->get_msg();
+    if ( !lua_event.msg ) lua_event.msg = "";
 
     return &lua_event;
 }
index 92e06a33c8776843542dfef3e77d20332547ae0a..ae092fff29d626fe1561713cdeeda9e243a4878e 100644 (file)
 #include <syslog.h>
 
 #include "detection/ips_context.h"
-#include "detection/signature.h"
 #include "events/event.h"
 #include "framework/logger.h"
 #include "framework/module.h"
+#include "framework/pig_pen.h"
 #include "log/messages.h"
 #include "main/snort_config.h"
 #include "packet_io/sfdaq.h"
@@ -203,24 +203,25 @@ static void AlertSyslog(
 
     if ((p != nullptr) && p->ptrs.ip_api.is_valid())
     {
-        SnortSnprintfAppend(event_string, sizeof(event_string),
-            "[%u:%u:%u] ", event.sig_info->gid, event.sig_info->sid, event.sig_info->rev);
+        uint32_t gid, sid, rev;
+        event.get_sig_ids(gid, sid, rev);
+        SnortSnprintfAppend(event_string, sizeof(event_string), "[%u:%u:%u] ", gid, sid, rev);
 
         if (msg != nullptr)
             SnortSnprintfAppend(event_string, sizeof(event_string), "%s ", msg);
         else
             SnortSnprintfAppend(event_string, sizeof(event_string), "ALERT ");
 
-        if ( event.sig_info->class_type and !event.sig_info->class_type->text.empty() )
+        if ( auto cls = event.get_class_type() )
         {
             SnortSnprintfAppend(event_string, sizeof(event_string),
-                "[Classification: %s] ", event.sig_info->class_type->text.c_str());
+                "[Classification: %s] ", cls);
         }
 
-        if (event.sig_info->priority != 0)
+        if (event.get_priority() != 0)
         {
             SnortSnprintfAppend(event_string, sizeof(event_string),
-                "[Priority: %u] ", event.sig_info->priority);
+                "[Priority: %u] ", event.get_priority());
         }
 
         if (p->context->conf->alert_interface())
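Review bot: `event.get_priority()` is evaluated twice in the new code, once in the condition and again inside the SnortSnprintfAppend; `if ( auto pri = event.get_priority() )` followed by printing `pri` matches the `if ( auto cls = event.get_class_type() )` form a few lines above and calls the getter once. AlertSyslog begins before this hunk.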
@@ -229,17 +230,10 @@ static void AlertSyslog(
                 "<%s> ", SFDAQ::get_input_spec());
         }
 
-       IpProtocol ip_proto = p->get_ip_proto_next();
-        if (protocol_names[to_utype(ip_proto)] != nullptr)
-        {
-            SnortSnprintfAppend(event_string, sizeof(event_string),
-                "{%s} ", protocol_names[to_utype(ip_proto)]);
-        }
-        else
-        {
-            SnortSnprintfAppend(event_string, sizeof(event_string),
-                "{%d} ", static_cast<uint8_t>(ip_proto));
-        }
+           IpProtocol ip_proto = p->get_ip_proto_next();
+
+        const char* proto = PigPen::get_protocol_name(to_utype(ip_proto));
+        SnortSnprintfAppend(event_string, sizeof(event_string), "{%s} ", proto);
 
         if ((p->ptrs.decode_flags & DECODE_FRAG)
             || ((ip_proto != IpProtocol::TCP)
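Review bot: The new line `IpProtocol ip_proto = p->get_ip_proto_next();` is indented with eleven spaces where the surrounding block uses eight; the removed line carried the same stray indentation, and this rewrite is the moment to normalize it. The old code also fell back to printing the numeric protocol when the table entry was null, and the new code relies on every slot being populated; the log.cc InitProtoNames in this PR does fill unknown numbers with a `PROTO:%03d` placeholder, so the output for those changes from `{17}`-style numbers to that placeholder text, which seems worth a note in the description if it is intended. AlertSyslog continues outside the hunk.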
index d040dac55ac3f76003320af9e0a199f621c836b0..70fd8b2e3ad098357dceb361ff16525c9f350f2e 100644 (file)
@@ -28,7 +28,6 @@
 #include <map>
 #include <sstream>
 
-#include "detection/signature.h"
 #include "events/event.h"
 #include "framework/logger.h"
 #include "framework/module.h"
@@ -162,11 +161,9 @@ void TalosLogger::alert(Packet*, const char* msg, const Event& event)
     stringstream key;
     string message;
 
-    key << "["
-        << event.sig_info->gid << ":"
-        << event.sig_info->sid << ":"
-        << event.sig_info->rev
-        << "]";
+    uint32_t gid, sid, rev;
+    event.get_sig_ids(gid, sid, rev);
+    key << "[" << gid << ":" << sid << ":" << rev << "]";
 
     auto rule_iter = alerts.find(key.str());
 
@@ -189,9 +186,9 @@ void TalosLogger::alert(Packet*, const char* msg, const Event& event)
 
     rule.key = key.str();
     rule.msg = message;
-    rule.gid = event.sig_info->gid;
-    rule.sid = event.sig_info->sid;
-    rule.rev = event.sig_info->rev;
+    rule.gid = gid;
+    rule.sid = sid;
+    rule.rev = rev;
     rule.count = 1;
 
     // rule not in map, add it
index eb86d004a4089c26a29f2985dbfe20c294603229..bd9339423e52599843223a73fa5fe45067701b4a 100644 (file)
 
 #include <sys/un.h>
 
-#include "detection/signature.h"
 #include "events/event.h"
 #include "framework/logger.h"
 #include "framework/module.h"
 #include "log/messages.h"
+#include "main/thread.h"
 #include "protocols/packet.h"
 #include "utils/util.h"
 #include "utils/util_cstring.h"
@@ -41,7 +41,8 @@ using namespace snort;
  */
 struct pcap_pkthdr32
 {
-    struct sf_timeval32 ts;   /* packet timestamp */
+    uint32_t ts_sec;          /* packet timestamp */
+    uint32_t ts_usec;
     uint32_t caplen;          /* packet capture length */
     uint32_t len;             /* packet "real" length */
 };
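Review bot: pcap_pkthdr32 (and Alertpkt in the next hunk) is the record written to the unix socket, so replacing `struct sf_timeval32 ts` with two `uint32_t` fields only preserves the wire format if sf_timeval32 was itself two packed 32-bit integers, which this diff cannot show. Adding `static_assert(sizeof(pcap_pkthdr32) == 16, "pcap_pkthdr32 is a wire format");` after the struct pins that, and the same check on `sizeof(Alertpkt)` with the size of the previous layout would catch any later drift. The `/* packet timestamp */` comment now sits on ts_sec alone; `/* packet timestamp: seconds, microseconds */` covering both fields reads better.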
@@ -73,7 +74,9 @@ struct Alertpkt
 
     uint32_t event_id;
     uint32_t event_ref;
-    struct sf_timeval32 ref_time;
+
+    uint32_t ts_sec;
+    uint32_t ts_usec;
 };
 
 struct UnixSock
@@ -121,21 +124,20 @@ static void get_alert_pkt(
     // FIXIT-L minimize or eliminate memset
     memset((char*)&us.alert,0,sizeof(us.alert));
 
-    us.alert.gid = event.sig_info->gid;
-    us.alert.sid = event.sig_info->sid;
-    us.alert.rev = event.sig_info->rev;
+    event.get_sig_ids(us.alert.gid, us.alert.sid, us.alert.rev);
 
-    us.alert.class_id = event.sig_info->class_id;
-    us.alert.priority = event.sig_info->priority;
+    us.alert.class_id = event.get_class_id();
+    us.alert.priority = event.get_priority();
 
     us.alert.event_id = event.get_event_id();
     us.alert.event_ref = event.get_event_reference();
-    us.alert.ref_time = event.ref_time;
+
+    event.get_timestamp(us.alert.ts_sec, us.alert.ts_usec);
 
     if (p && p->pkt)
     {
-        us.alert.pkth.ts.tv_sec = (uint32_t)p->pkth->ts.tv_sec;
-        us.alert.pkth.ts.tv_usec = (uint32_t)p->pkth->ts.tv_usec;
+        us.alert.pkth.ts_sec = (uint32_t)p->pkth->ts.tv_sec;
+        us.alert.pkth.ts_usec = (uint32_t)p->pkth->ts.tv_usec;
         us.alert.pkth.caplen = p->pktlen;
         us.alert.pkth.len = p->pkth->pktlen;
         memmove(us.alert.pkt, (const void*)p->pkt, us.alert.pkth.caplen);
index f749e33d449f81dbceb812a888684c8af5f80007..0855957ab29be9f12e87b433c34fbb31f9d80170 100644 (file)
@@ -23,7 +23,6 @@
 #endif
 
 #include "detection/ips_context.h"
-#include "detection/signature.h"
 #include "events/event.h"
 #include "framework/logger.h"
 #include "framework/module.h"
@@ -139,8 +138,9 @@ void CodecLogger::log(Packet* p, const char* msg, Event* e)
 
     if (e != nullptr)
     {
-        TextLog_Print(test_file, "    gid:%u    sid:%u    rev:%u\t",
-            e->sig_info->gid, e->sig_info->sid, e->sig_info->rev);
+        uint32_t gid, sid, rev;
+        e->get_sig_ids(gid, sid, rev);
+        TextLog_Print(test_file, "    gid:%u    sid:%u    rev:%u\t", gid, sid, rev);
     }
 
     if (flags & ALERT_FLAG_MSG)
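Review bot: `uint32_t gid, sid, rev;` is declared uninitialized and only filled through the out-parameters of `get_sig_ids`; if that call can return without writing on some path (not visible here) the garbage goes straight into the log line. Default-initializing costs nothing and makes the print deterministic: `uint32_t gid = 0, sid = 0, rev = 0;`. The same pattern recurs for gid/sid/rev and sec/usec in alert_event, _AlertIP4_v2 and _AlertIP6_v2 of the unified2 logger below. CodecLogger::log starts outside this hunk.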
index a5ca5488b596e128326f10935bbda28106591bef..89d4e9d33b18ec810862f0276ca4cbec9a757d16 100644 (file)
@@ -29,6 +29,7 @@
 #include "framework/module.h"
 #include "log/messages.h"
 #include "main/snort_config.h"
+#include "main/thread.h"
 #include "packet_io/sfdaq.h"
 #include "packet_io/sfdaq_config.h"
 #include "protocols/packet.h"
index 022ec4799456342314357f602b1ee83dec4c86ac..fd3596393827ec72c5e269a6cad163015d63efdf 100644 (file)
@@ -31,8 +31,6 @@
 
 #include <cassert>
 
-#include "detection/signature.h"
-#include "detection/detection_util.h"
 #include "detection/detection_engine.h"
 #include "events/event.h"
 #include "framework/logger.h"
@@ -42,6 +40,7 @@
 #include "log/unified2.h"
 #include "log/u2_packet.h"
 #include "main/snort_config.h"
+#include "main/thread.h"
 #include "network_inspectors/appid/appid_api.h"
 #include "packet_io/active.h"
 #include "packet_io/sfdaq.h"
@@ -170,14 +169,21 @@ static void alert_event(Packet* p, const char*, Unified2Config* config, const Ev
     u2_event.snort_id = 0;  // FIXIT-H alert_event define / use
 
     u2_event.event_id = htonl(event->get_event_id());
-    u2_event.event_second = htonl(event->ref_time.tv_sec);
-    u2_event.event_microsecond = htonl(event->ref_time.tv_usec);
 
-    u2_event.rule_gid = htonl(event->sig_info->gid);
-    u2_event.rule_sid = htonl(event->sig_info->sid);
-    u2_event.rule_rev = htonl(event->sig_info->rev);
-    u2_event.rule_class = htonl(event->sig_info->class_id);
-    u2_event.rule_priority = htonl(event->sig_info->priority);
+    uint32_t sec, usec;
+    event->get_timestamp(sec, usec);
+    u2_event.event_second = htonl(sec);
+    u2_event.event_microsecond = htonl(usec);
+
+    uint32_t gid, sid, rev;
+    event->get_sig_ids(gid, sid, rev);
+
+    u2_event.rule_gid = htonl(gid);
+    u2_event.rule_sid = htonl(sid);
+    u2_event.rule_rev = htonl(rev);
+
+    u2_event.rule_class = htonl(event->get_class_id());
+    u2_event.rule_priority = htonl(event->get_priority());
 
     if ( p )
     {
@@ -380,10 +386,11 @@ static void _Unified2LogPacketAlert(
     logheader.linktype = u2.base_proto;
 
     logheader.event_id = htonl(event->get_event_reference());
-    logheader.event_second = htonl(event->ref_time.tv_sec);
+    logheader.event_second = htonl(event->get_seconds());
 
     logheader.packet_second = htonl((uint32_t)p->pkth->ts.tv_sec);
     logheader.packet_microsecond = htonl((uint32_t)p->pkth->ts.tv_usec);
+
     pkt_length = ( p->is_rebuilt() ) ? p->dsize : p->pktlen;
     logheader.packet_length = htonl(pkt_length + u2h_len);
     write_len += pkt_length + u2h_len;
@@ -637,13 +644,21 @@ static void _AlertIP4_v2(Packet* p, const char*, Unified2Config* config, const E
     memset(&alertdata, 0, sizeof(alertdata));
 
     alertdata.event_id = htonl(event->get_event_id());
-    alertdata.event_second = htonl(event->ref_time.tv_sec);
-    alertdata.event_microsecond = htonl(event->ref_time.tv_usec);
-    alertdata.generator_id = htonl(event->sig_info->gid);
-    alertdata.signature_id = htonl(event->sig_info->sid);
-    alertdata.signature_revision = htonl(event->sig_info->rev);
-    alertdata.classification_id = htonl(event->sig_info->class_id);
-    alertdata.priority_id = htonl(event->sig_info->priority);
+
+    uint32_t sec, usec;
+    event->get_timestamp(sec, usec);
+    alertdata.event_second = htonl(sec);
+    alertdata.event_microsecond = htonl(usec);
+
+    uint32_t gid, sid, rev;
+    event->get_sig_ids(gid, sid, rev);
+
+    alertdata.generator_id = htonl(gid);
+    alertdata.signature_id = htonl(sid);
+    alertdata.signature_revision = htonl(rev);
+
+    alertdata.classification_id = htonl(event->get_class_id());
+    alertdata.priority_id = htonl(event->get_priority());
 
     if (p)
     {
@@ -724,13 +739,21 @@ static void _AlertIP6_v2(Packet* p, const char*, Unified2Config* config, const E
     memset(&alertdata, 0, sizeof(alertdata));
 
     alertdata.event_id = htonl(event->get_event_id());
-    alertdata.event_second = htonl(event->ref_time.tv_sec);
-    alertdata.event_microsecond = htonl(event->ref_time.tv_usec);
-    alertdata.generator_id = htonl(event->sig_info->gid);
-    alertdata.signature_id = htonl(event->sig_info->sid);
-    alertdata.signature_revision = htonl(event->sig_info->rev);
-    alertdata.classification_id = htonl(event->sig_info->class_id);
-    alertdata.priority_id = htonl(event->sig_info->priority);
+
+    uint32_t sec, usec;
+    event->get_timestamp(sec, usec);
+    alertdata.event_second = htonl(sec);
+    alertdata.event_microsecond = htonl(usec);
+
+    uint32_t gid, sid, rev;
+    event->get_sig_ids(gid, sid, rev);
+
+    alertdata.generator_id = htonl(gid);
+    alertdata.signature_id = htonl(sid);
+    alertdata.signature_revision = htonl(rev);
+
+    alertdata.classification_id = htonl(event->get_class_id());
+    alertdata.priority_id = htonl(event->get_priority());
 
     if (p)
     {
@@ -940,11 +963,14 @@ void U2Logger::alert_legacy(Packet* p, const char* msg, const Event& event)
         if (p->ptrs.ip_api.is_ip6())
         {
             uint32_t tenant_id = p->pkth->tenant_id;
+            uint32_t sec = event.get_seconds();
+
             const SfIp* ip = p->ptrs.ip_api.get_src();
-            _WriteExtraData(&config, p->obfuscator, event.get_event_id(), tenant_id, event.ref_time.tv_sec,
+            _WriteExtraData(&config, p->obfuscator, event.get_event_id(), tenant_id, sec,
                 (const uint8_t*) ip->get_ip6_ptr(), sizeof(struct in6_addr), EVENT_INFO_IPV6_SRC);
+
             ip = p->ptrs.ip_api.get_dst();
-            _WriteExtraData(&config, p->obfuscator, event.get_event_id(), tenant_id, event.ref_time.tv_sec,
+            _WriteExtraData(&config, p->obfuscator, event.get_event_id(), tenant_id, sec,
                 (const uint8_t*) ip->get_ip6_ptr(), sizeof(struct in6_addr), EVENT_INFO_IPV6_DST);
         }
     }
@@ -954,18 +980,20 @@ void U2Logger::alert_legacy(Packet* p, const char* msg, const Event& event)
     }
 
     if ( p->flow )
-        Stream::update_flow_alert(
-            p->flow, p, event.sig_info->gid, event.sig_info->sid,
-            event.get_event_id(), event.ref_time.tv_sec);
+    {
+        uint32_t sec = event.get_seconds();
+        Stream::update_flow_alert(p->flow, p, event.get_gid(), event.get_sid(), event.get_event_id(), sec);
+    }
 
     if ( p->xtradata_mask )
     {
         LogFunction* log_funcs;
         uint32_t max_count = Stream::get_xtra_data_map(log_funcs);
+        uint32_t sec = event.get_seconds();
 
         if ( max_count > 0 )
             AlertExtraData(p->flow, &config, log_funcs, max_count, p->xtradata_mask,
-                { /* gid */ 0, /* sid */ 0, event.get_event_id(), event.ref_time.tv_sec });
+                { /* gid */ 0, /* sid */ 0, event.get_event_id(), sec });
     }
 }
 
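Review bot: `event.get_seconds()` is now evaluated three times in alert_legacy, once each in the ip6 extra-data block, the flow-update block and the xtradata block, into three separate `sec` locals, whereas U2Logger::alert in the next hunk computes it once. Hoist a single `const uint32_t sec = event.get_seconds();` to the top of the function so every record written for this alert carries the same value and the intent is visible in one place. alert_legacy starts outside this hunk.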
@@ -977,11 +1005,13 @@ void U2Logger::alert(Packet* p, const char* msg, const Event& event)
         return;
     }
     alert_event(p, msg, &config, &event);
+    uint32_t sec = event.get_seconds();
+
 
     if ( p->flow )
-        Stream::update_flow_alert(
-            p->flow, p, event.sig_info->gid, event.sig_info->sid,
-            event.get_event_id(), event.ref_time.tv_sec);
+    {
+        Stream::update_flow_alert( p->flow, p, event.get_gid(), event.get_sid(), event.get_event_id(), sec);
+    }
 
     if ( p->xtradata_mask )
     {
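Review bot: the added `uint32_t sec = event.get_seconds();` is followed by two blank lines, one added and one pre-existing, and the rewritten call `Stream::update_flow_alert( p->flow, ...` carries a space after the opening parenthesis that the identical call in alert_legacy does not. Drop one blank line and write `Stream::update_flow_alert(p->flow, p, event.get_gid(), event.get_sid(), event.get_event_id(), sec);`; `const uint32_t sec` would also document that the value is fixed for the rest of the function. U2Logger::alert starts outside this hunk.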
@@ -990,7 +1020,7 @@ void U2Logger::alert(Packet* p, const char* msg, const Event& event)
 
         if ( max_count > 0 )
             AlertExtraData(p->flow, &config, log_funcs, max_count, p->xtradata_mask,
-                { /* gid */ 0, /* sid */ 0, event.get_event_id(), event.ref_time.tv_sec });
+                { /* gid */ 0, /* sid */ 0, event.get_event_id(), sec });
     }
 }
 
index b6f21df8ae0ef428decea14aba0ab4ada640b416..229235fd51428658e7341fffa1aed35a69c2f9cf 100644 (file)
 #include "control/control.h"
 #include "detection/signature.h"
 #include "framework/module.h"
-#include "helpers/process.h"
 #include "helpers/ring.h"
+#include "log/log_errors.h"
 #include "log/messages.h"
 #include "lua/lua.h"
 #include "main/analyzer.h"
 #include "main/analyzer_command.h"
+#include "main/process.h"
 #include "main/reload_tracker.h"
 #include "main/shell.h"
 #include "main/snort.h"
@@ -54,8 +55,9 @@
 #include "trace/trace_api.h"
 #include "trace/trace_config.h"
 #include "trace/trace_logger.h"
-#include "utils/util.h"
 #include "utils/safec.h"
+#include "utils/stats.h"
+#include "utils/util.h"
 
 #if defined(UNIT_TEST) || defined(BENCHMARK_TEST)
 #include "catch/unit_test.h"
index 1c7d59edb37aa2641b55592a4ad427c3d6bbfe54..94c06f1f8a06310315b7ab5e24fcae0b3cc3e937 100644 (file)
@@ -1,14 +1,11 @@
 
 set (INCLUDES
-    analyzer.h
     analyzer_command.h
     policy.h
     reload_tracker.h
     reload_tuner.h
-    snort.h
     snort_config.h
     snort_types.h
-    swapper.h
     thread.h
     thread_config.h
 )
@@ -26,6 +23,7 @@ add_subdirectory(test)
 
 add_library (main OBJECT
     analyzer.cc
+    analyzer.h
     analyzer_command.cc
     help.cc
     help.h
@@ -33,9 +31,12 @@ add_library (main OBJECT
     modules.h
     network_module.cc
     network_module.h
+    numa.h
     oops_handler.cc
     oops_handler.h
     policy.cc
+    process.cc
+    process.h
     reload_tracker.cc
     shell.h
     shell.cc
@@ -45,6 +46,7 @@ add_library (main OBJECT
     snort_module.h
     snort_module.cc
     swapper.cc
+    swapper.h
     thread.cc
     thread_config.h
     thread_config.cc
index 7a951acd888de7f6c02e8f3cacdd4d487d1a7c79..af72e6e9a7129c3bdcf4224066a4d9c269b1a47c 100644 (file)
@@ -35,6 +35,7 @@
 #include "detection/detect.h"
 #include "detection/detection_engine.h"
 #include "detection/ips_context.h"
+#include "detection/event_trace.h"
 #include "detection/tag.h"
 #include "file_api/file_service.h"
 #include "filters/detection_filter.h"
 #include "main/swapper.h"
 #include "main.h"
 #include "managers/action_manager.h"
+#include "managers/codec_manager.h"
 #include "managers/inspector_manager.h"
 #include "managers/ips_manager.h"
 #include "managers/event_manager.h"
 #include "managers/module_manager.h"
 #include "memory/memory_cap.h"
 #include "packet_io/active.h"
+#include "packet_io/packet_tracer.h"
 #include "packet_io/sfdaq.h"
 #include "packet_io/sfdaq_config.h"
 #include "packet_io/sfdaq_instance.h"
 #include "packet_io/sfdaq_module.h"
-#include "packet_tracer/packet_tracer.h"
-#include "profiler/profiler.h"
+#include "profiler/profiler_impl.h"
 #include "pub_sub/daq_message_event.h"
 #include "pub_sub/finalize_packet_event.h"
 #include "side_channel/side_channel.h"
@@ -407,7 +409,7 @@ void Analyzer::process_daq_pkt_msg(DAQ_Msg_h msg, bool retry)
 
     Packet* p = switcher->get_context()->packet;
     p->context->wire_packet = p;
-    p->context->packet_number = get_packet_number();
+    p->context->packet_number = pc.analyzed_pkts;
     select_default_policy(*pkthdr, p->context->conf);
 
     DetectionEngine::reset();
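Review bot: `p->context->packet_number = pc.analyzed_pkts;` replaces a function call with a direct read of the counter, which only preserves the old value if `analyzed_pkts` has already been incremented for this packet by this point; the increment is not in the hunk, so if it happens later the recorded number is off by one. A one-line comment stating the invariant, e.g. `// analyzed_pkts already counts this packet`, would make that checkable by the next reader. process_daq_pkt_msg starts outside this hunk.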
@@ -497,12 +499,6 @@ void Analyzer::process_retry_queue()
 /*
  * Public packet processing methods
  */
-bool Analyzer::inspect_rebuilt(Packet* p)
-{
-    DetectionEngine de;
-    return main_hook(p);
-}
-
 bool Analyzer::process_rebuilt_packet(Packet* p, const DAQ_PktHdr_t* pkthdr, const uint8_t* pkt,
     uint32_t pktlen)
 {
@@ -631,7 +627,7 @@ void Analyzer::init_unprivileged()
     // to handle all trace log messages
     TraceApi::thread_init(sc->trace_config);
 
-    CodecManager::thread_init(sc);
+    CodecManager::thread_init();
 
     // this depends on instantiated daq capabilities
     // so it is done here instead of init()
index 54c28420ad8421b5ff7a9d655c65ea1024e68325..e868d7334e5d26547038fe2bdbbf593194e1990e 100644 (file)
@@ -76,7 +76,7 @@ public:
         NUM_STATES
     };
 
-    SO_PUBLIC static Analyzer* get_local_analyzer();
+    static Analyzer* get_local_analyzer();
     static ContextSwitcher* get_switcher();
     static void set_main_hook(MainHook_f);
 
@@ -97,7 +97,6 @@ public:
 
     void post_process_packet(snort::Packet*);
     bool process_rebuilt_packet(snort::Packet*, const DAQ_PktHdr_t*, const uint8_t* pkt, uint32_t pktlen);
-    SO_PUBLIC bool inspect_rebuilt(snort::Packet*);
     void finalize_daq_message(DAQ_Msg_h, DAQ_Verdict);
     void add_to_retry_queue(DAQ_Msg_h, snort::Flow*);
 
index fc0e4e9afd17946e041903638940298ab76e9c78..25278c10b7203dc3eb5875ccf196dee9031b0251 100644 (file)
@@ -27,7 +27,7 @@
 
 #include "framework/module.h"
 #include "helpers/markup.h"
-#include "helpers/process.h"
+#include "main/process.h"
 #include "managers/event_manager.h"
 #include "managers/inspector_manager.h"
 #include "managers/module_manager.h"
index e6db41f74ea1cd8547f41c960dc03e65ab611f0f..448a5b9840008f958b041a7186d3272bb9ecc692 100644 (file)
@@ -32,6 +32,8 @@
 #include "detection/fp_config.h"
 #include "detection/rules.h"
 #include "detection/tag.h"
+#include "events/event_queue.h"
+#include "file_api/file_policy.h"
 #include "file_api/file_service.h"
 #include "filters/detection_filter.h"
 #include "filters/rate_filter.h"
@@ -39,7 +41,6 @@
 #include "filters/sfthd.h"
 #include "filters/sfthreshold.h"
 #include "flow/ha_module.h"
-#include "framework/file_policy.h"
 #include "framework/module.h"
 #include "host_tracker/host_tracker_module.h"
 #include "host_tracker/host_cache_module.h"
@@ -50,8 +51,9 @@
 #include "managers/plugin_manager.h"
 #include "memory/memory_module.h"
 #include "packet_io/active.h"
+#include "packet_io/active_counts.h"
+#include "packet_io/packet_tracer_module.h"
 #include "packet_io/sfdaq_module.h"
-#include "packet_tracer/packet_tracer_module.h"
 #include "parser/config_file.h"
 #include "parser/parse_conf.h"
 #include "parser/parse_ip.h"
@@ -225,7 +227,6 @@ const PegInfo mpse_pegs[] =
     { CountType::SUM, "total_unique", "total unique fast pattern hits" },
     { CountType::SUM, "non_qualified_events", "total non-qualified events" },
     { CountType::SUM, "qualified_events", "total qualified events" },
-    { CountType::SUM, "searched_bytes", "total bytes searched" },
     { CountType::END, nullptr, nullptr }
 };
 
@@ -699,7 +700,7 @@ public:
     { return active_pegs; }
 
     PegCount* get_counts() const override
-    { return (PegCount*) &active_counts; }
+    { return (PegCount*) get_active_counts(); }
 
     Usage get_usage() const override
     { return GLOBAL; }
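Review bot: `(PegCount*) get_active_counts()` keeps a C-style cast that hides whether const is being stripped from the returned pointer; a named cast is greppable and lets the compiler check the intent, `return const_cast<PegCount*>(get_active_counts());` if the accessor returns `const PegCount*`, and no cast at all otherwise. The return type of get_active_counts is not visible here. The enclosing class starts outside this hunk.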
@@ -1649,9 +1650,9 @@ bool RateFilterModule::set(const char*, Value& v, SnortConfig*)
 
     else if ( v.is("new_action") )
     {
-        thdx.newAction = Actions::get_type(v.get_string());
+        thdx.newAction = IpsAction::get_type(v.get_string());
 
-        if ( !Actions::is_valid_action(thdx.newAction) )
+        if ( !IpsAction::is_valid_action(thdx.newAction) )
             ParseError("unknown new_action type rate_filter configuration %s",
                     v.get_string());
     }
index 02edb222e30daf3e023ccf816e5613ea09a49122..dc607a07c5dbd74d37693248aee6573d14daf545 100644 (file)
@@ -25,8 +25,6 @@
 // ideally, modules.cc would be refactored into several files.
 
 #include "framework/counts.h"
-#include "main/thread.h"
-
 
 void module_init();
 const char* get_lua_defaults();
similarity index 93%
rename from src/utils/util_numa.h
rename to src/main/numa.h
index 95019f67cc6628428d686baa60fac943fa0e66bc..2d9063f30b53bb7c0f77680b8cf83d36774f1c67 100644 (file)
 // with this program; if not, write to the Free Software Foundation, Inc.,
 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 //--------------------------------------------------------------------------
-// util_numa.h author Raza Shafiq <rshafiq@cisco.com>
+// numa.h author Raza Shafiq <rshafiq@cisco.com>
 
-#ifndef NUMA_UTILS_H
-#define NUMA_UTILS_H
-
-#ifdef HAVE_NUMA
+#ifndef NUMA_H
+#define NUMA_H
 
 #include <numa.h>
 #include <numaif.h>
@@ -49,6 +47,7 @@ public:
         return set_mempolicy(mode, nodemask, maxnode);
     }
 };
+
 class HwlocWrapper
 {
 public:
@@ -70,5 +69,5 @@ public:
         return hwloc_bitmap_intersects(set1, set2);
     }
 };
-#endif // HAVE_NUMA
-#endif // NUMA_UTILS_H
+#endif
+
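Review bot: removing `#endif // HAVE_NUMA` here (and its matching `#ifdef HAVE_NUMA` earlier in the file) makes the header include `<numa.h>` and `<numaif.h>` unconditionally, so every translation unit that includes `main/numa.h` must now itself be guarded by HAVE_NUMA or a build without libnuma fails at the include. Either restore the guard inside the header or state the contract at the top, e.g. `// requires HAVE_NUMA; include only under that guard`. The bare `#endif` also lost its `// NUMA_H` tag, which should stay paired with the renamed include guard.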
index 312c3714162bd31a7b743bf27e78ce8f7360b219..c6c3e10dd9f0e848611f882a9ba0d145b31d4e34 100644 (file)
@@ -25,9 +25,9 @@
 
 #include "daq_common.h"
 
-#include "actions/actions.h"
 #include "detection/detection_engine.h"
-#include "framework/file_policy.h"
+#include "file_api/file_policy.h"
+#include "framework/ips_action.h"
 #include "framework/policy_selector.h"
 #include "js_norm/js_config.h"
 #include "log/messages.h"
@@ -188,7 +188,7 @@ void InspectionPolicy::configure()
 // detection policy
 //-------------------------------------------------------------------------
 
-IpsPolicy::IpsPolicy(PolicyId id) : action(Actions::get_max_types(), nullptr)
+IpsPolicy::IpsPolicy(PolicyId id) : action(IpsAction::get_max_types(), nullptr)
 {
     policy_id = id;
     policy_mode = POLICY_MODE__MAX;
similarity index 61%
rename from src/helpers/process.cc
rename to src/main/process.cc
index 6540aa191d1f60f6ecbc87ef70e22647526725c2..50b8cbbe1da83060506a2c3f0cc3819d7ae47f3c 100644 (file)
 #include "process.h"
 
 #include <fcntl.h>
+#include <grp.h>
+#include <luajit.h>
+#include <openssl/crypto.h>
+#include <pcap.h>
+#include <pcre.h>
+#include <pwd.h>
+#include <sys/file.h>
+#include <sys/resource.h>
+#include <sys/stat.h>
+#include <zlib.h>
+
+#ifdef HAVE_HYPERSCAN
+#include <hs_compile.h>
+#endif
+
+#ifdef HAVE_LZMA
+#include <lzma.h>
+#endif
+
+#ifdef HAVE_JEMALLOC
+#include <jemalloc/jemalloc.h>
+#endif
 
 #ifdef HAVE_LIBUNWIND
 #define UNW_LOCAL_ONLY
 #include <malloc.h>
 #endif
 
+extern "C" {
+#include <daq.h>
+}
+
 #include <csignal>
+#include <fstream>
 #include <iostream>
 
 #include "log/messages.h"
-#include "main.h"
-#include "main/oops_handler.h"
-#include "main/snort_config.h"
+#include "helpers/markup.h"
+#include "helpers/ring.h"
+#include "helpers/sigsafe.h"
+#include "packet_io/sfdaq.h"
+#include "protocols/packet.h"   // For NUM_IP_PROTOS
 #include "utils/cpp_macros.h"
 #include "utils/stats.h"
 #include "utils/util.h"
 
-#include "markup.h"
-#include "ring.h"
-#include "sigsafe.h"
+#include "main.h"
+#include "oops_handler.h"
+#include "snort_config.h"
 
 using namespace snort;
 
@@ -604,3 +633,381 @@ void trim_heap()
     malloc_trim(0);
 #endif
 }
+
+//-------------------------------------------------------------------------
+// other foo
+//-------------------------------------------------------------------------
+
+// Store interesting data in memory that would not otherwise be visible
+// in a CORE(5) file
+
+#ifdef BUILD
+    #define SNORT_VERSION_STRING ("### Snort Version " VERSION " Build " BUILD "\n")
+#else
+    #define SNORT_VERSION_STRING ("### Snort Version " VERSION "\n")
+#endif
+#define SNORT_VERSION_STRLEN sizeof(SNORT_VERSION_STRING)
+char __snort_version_string[SNORT_VERSION_STRLEN];
+
+void StoreSnortInfoStrings()
+{
+    strncpy(__snort_version_string, SNORT_VERSION_STRING,
+        sizeof(__snort_version_string));
+}
+
+#undef SNORT_VERSION_STRING
+#undef SNORT_VERSION_STRLEN
+
+int DisplayBanner()
+{
+    const char* ljv = LUAJIT_VERSION;
+    while ( *ljv && !isdigit(*ljv) )
+        ++ljv;
+
+    LogMessage("\n");
+    LogMessage("   ,,_     -*> Snort++ <*-\n");
+#ifdef BUILD
+    LogMessage("  o\"  )~   Version %s (Build %s)\n", VERSION, BUILD);
+#else
+    LogMessage("  o\"  )~   Version %s\n", VERSION);
+#endif
+    LogMessage("   ''''    By Martin Roesch & The Snort Team\n");
+    LogMessage("           http://snort.org/contact#team\n");
+    LogMessage("           Copyright (C) 2014-2024 Cisco and/or its affiliates."
+                           " All rights reserved.\n");
+    LogMessage("           Copyright (C) 1998-2013 Sourcefire, Inc., et al.\n");
+    LogMessage("           Using DAQ version %s\n", daq_version_string());
+#ifdef HAVE_HYPERSCAN
+    LogMessage("           Using Hyperscan version %s\n", hs_version());
+#endif
+#ifdef HAVE_JEMALLOC
+    const char* jv;
+    size_t sz = sizeof(jv);
+    mallctl("version", &jv,  &sz, NULL, 0);
+    LogMessage("           Using Jemalloc version %s\n", jv);
+#endif
+    LogMessage("           Using %s\n", pcap_lib_version());
+    LogMessage("           Using LuaJIT version %s\n", ljv);
+#ifdef HAVE_LZMA
+    LogMessage("           Using LZMA version %s\n", lzma_version_string());
+#endif
+    LogMessage("           Using %s\n", OpenSSL_version(SSLEAY_VERSION));
+    LogMessage("           Using PCRE version %s\n", pcre_version());
+    LogMessage("           Using ZLIB version %s\n", zlib_version);
+
+    LogMessage("\n");
+
+    return 0;
+}
+
+// get offset seconds from GMT
+int gmt2local(time_t t)
+{
+    if (t == 0)
+        t = time(nullptr);
+
+    struct tm gmt;
+    struct tm* lt = gmtime_r(&t, &gmt);
+    if (lt == nullptr)
+        return 0;
+
+    struct tm loc;
+    localtime_r(&t, &loc);
+
+    int dt = (loc.tm_hour - gmt.tm_hour) * 60 * 60 +
+        (loc.tm_min - gmt.tm_min) * 60;
+
+    int dir = loc.tm_year - gmt.tm_year;
+
+    if (dir == 0)
+        dir = loc.tm_yday - gmt.tm_yday;
+
+    dt += dir * 24 * 60 * 60;
+
+    return(dt);
+}
+
+static FILE* pid_lockfile = nullptr;
+static FILE* pid_file = nullptr;
+
+void CreatePidFile(pid_t pid)
+{
+    SnortConfig* sc = SnortConfig::get_main_conf();
+
+    sc->pid_filename = sc->log_dir;
+    sc->pid_filename += "/snort.pid";
+
+    std::string pid_lockfilename;
+
+    if ( !sc->no_lock_pid_file() )
+    {
+        pid_lockfilename = sc->pid_filename;
+        pid_lockfilename += ".lck";
+
+        /* First, lock the PID file */
+        pid_lockfile = fopen(pid_lockfilename.c_str(), "w");
+
+        if ( pid_lockfile )
+        {
+            struct flock lock;
+            int lock_fd = fileno(pid_lockfile);
+
+            lock.l_type = F_WRLCK;
+            lock.l_whence = SEEK_SET;
+            lock.l_start = 0;
+            lock.l_len = 0;
+
+            if (fcntl(lock_fd, F_SETLK, &lock) == -1)
+            {
+                ClosePidFile();
+                ParseError("Failed to Lock PID File \"%s\" for PID \"%d\"",
+                    sc->pid_filename.c_str(), (int)pid);
+                return;
+            }
+        }
+    }
+
+    /* Okay, were able to lock PID file, now open and write PID */
+    pid_file = fopen(sc->pid_filename.c_str(), "w");
+    if (pid_file)
+    {
+        LogMessage("Writing PID \"%d\" to file \"%s\"\n", (int)pid,
+            sc->pid_filename.c_str());
+        fprintf(pid_file, "%d\n", (int)pid);
+        fflush(pid_file);
+    }
+    else
+    {
+        if (pid_lockfile)
+        {
+            fclose(pid_lockfile);
+            pid_lockfile = nullptr;
+        }
+        const char* error = get_error(errno);
+        ErrorMessage("Failed to create pid file %s, Error: %s\n",
+            sc->pid_filename.c_str(), error);
+        sc->pid_filename.clear();
+    }
+    if ( !pid_lockfilename.empty() )
+        unlink(pid_lockfilename.c_str());
+}
+
+void ClosePidFile()
+{
+    if (pid_file)
+    {
+        fclose(pid_file);
+        pid_file = nullptr;
+    }
+    if (pid_lockfile)
+    {
+        fclose(pid_lockfile);
+        pid_lockfile = nullptr;
+    }
+}
+
+// set safe UserID and GroupID, if needed
+bool SetUidGid(int user_id, int group_id)
+{
+    // Were any changes requested?
+    if (group_id == -1 && user_id == -1)
+        return true;
+
+    if (group_id != -1)
+    {
+        if (setgid(group_id) < 0)
+        {
+            ParseError("Cannot set GID: %d", group_id);
+            return false;
+        }
+        LogMessage("Set GID to %d\n", group_id);
+    }
+
+    if (user_id != -1)
+    {
+        if (setuid(user_id) < 0)
+        {
+            ParseError("Cannot set UID: %d", user_id);
+            return false;
+        }
+        LogMessage("Set UID to %d\n", user_id);
+    }
+
+    return true;
+}
+
+// set the groups of the process based on the UserID with the GroupID added
+void InitGroups(int user_id, int group_id)
+{
+    if ((user_id != -1) && (getuid() == 0))
+    {
+        struct passwd* pw = getpwuid(user_id);  // main thread only
+
+        if (pw != nullptr)
+        {
+            /* getpwuid and initgroups may use the same static buffers */
+            char* username = snort_strdup(pw->pw_name);
+
+            if (initgroups(username, group_id) < 0)
+                ParseError("Can not initgroups(%s,%d)", username, group_id);
+
+            snort_free(username);
+        }
+
+        /** Just to be on the safe side... **/
+        endgrent();
+        endpwent();
+    }
+}
+
+//-------------------------------------------------------------------------
+
+// read the BPF filters in from a file, return the processed BPF string
+std::string read_infile(const char* key, const char* fname)
+{
+    int fd = open(fname, O_RDONLY);
+    struct stat buf;
+
+    if (fd < 0)
+    {
+        ErrorMessage("Failed to open file: %s with error: %s", fname, get_error(errno));
+        return "";
+    }
+
+    if (fstat(fd, &buf) < 0)
+    {
+        ParseError("can't stat %s: %s", fname, get_error(errno));
+        close(fd);
+        return "";
+    }
+
+    //check that its a regular file and not a directory or special file
+    if (!S_ISREG(buf.st_mode) )
+    {
+        ParseError("not a regular file: %s", fname);
+        close(fd);
+        return "";
+    }
+
+    std::string line;
+    std::ifstream bpf_file(fname);
+
+    if (bpf_file.is_open())
+    {
+        std::stringstream file_content;
+        file_content << bpf_file.rdbuf();
+        line = file_content.str();
+
+        bpf_file.close();
+    }
+    else
+    {
+        ParseError("can't open file %s = %s: %s", key, fname, get_error(errno));
+        close(fd);
+        return "";
+    }
+    close(fd);
+    return line;
+}
+
+typedef char PathBuf[PATH_MAX+1];
+
+static const char* CurrentWorkingDir(PathBuf& buf)
+{
+    if ( !getcwd(buf, sizeof(buf)-1) )
+        return nullptr;
+
+    buf[sizeof(buf)-1] = '\0';
+    return buf;
+}
+
+static char* GetAbsolutePath(const char* dir, PathBuf& buf)
+{
+    assert(dir);
+    errno = 0;
+
+    if ( !realpath(dir, buf) )
+    {
+        LogMessage("Couldn't determine absolute path for '%s': %s\n", dir, get_error(errno));
+        return nullptr;
+    }
+
+    return buf;
+}
+
+// Chroot and adjust the log_dir reference
+bool EnterChroot(std::string& root_dir, std::string& log_dir)
+{
+    if (log_dir.empty())
+    {
+        ParseError("Log directory not specified");
+        return false;
+    }
+    PathBuf pwd;
+    PathBuf abs_log_dir;
+
+    if ( !GetAbsolutePath(log_dir.c_str(), abs_log_dir) )
+        return false;
+
+    /* change to the desired root directory */
+    if (chdir(root_dir.c_str()) != 0)
+    {
+        ParseError("EnterChroot: Can not chdir to \"%s\": %s", root_dir.c_str(),
+            get_error(errno));
+        return false;
+    }
+
+    /* always returns an absolute pathname */
+    const char* abs_root_dir = CurrentWorkingDir(pwd);
+    if (!abs_root_dir)
+    {
+        ParseError("Couldn't retrieve current working directory");
+        return false;
+    }
+    size_t abs_root_dir_len = strlen(abs_root_dir);
+
+    if (strncmp(abs_root_dir, abs_log_dir, abs_root_dir_len))
+    {
+        ParseError("Specified log directory is not contained with the chroot jail");
+        return false;
+    }
+
+    if (chroot(abs_root_dir) < 0)
+    {
+        ParseError("Can not chroot to \"%s\": absolute: %s: %s",
+            root_dir.c_str(), abs_root_dir, get_error(errno));
+        return false;
+    }
+
+
+    /* Immediately change to the root directory of the jail. */
+    if (chdir("/") < 0)
+    {
+        ParseError("Can not chdir to \"/\" after chroot: %s",
+            get_error(errno));
+        return false;
+    }
+
+
+    if (abs_root_dir_len >= strlen(abs_log_dir))
+        log_dir = "/";
+    else
+        log_dir = abs_log_dir + abs_root_dir_len;
+
+
+    LogMessage("Chroot directory = %s\n", root_dir.c_str());
+
+    return true;
+}
+
+#if defined(NOCOREFILE)
+void SetNoCores()
+{
+    struct rlimit rlim;
+
+    getrlimit(RLIMIT_CORE, &rlim);
+    rlim.rlim_max = 0;
+    setrlimit(RLIMIT_CORE, &rlim);
+}
+#endif
+
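Review bot: EnterChroot's containment test is a bare `strncmp` prefix compare, so with root `/opt/jail` a log dir `/opt/jail2/logs` is accepted and the rewrite at the end of the function yields `2/logs`, and with root `/` the rewrite strips the leading slash (`var/log/snort`); the character after the prefix must be a separator or end of string, and a one-character root needs no offset. The lines below replace the check and the final assignment accordingly. read_infile verifies `S_ISREG` on `fd` but then reads through a second open by name, `std::ifstream bpf_file(fname)`, so the check and the read need not see the same file; read through the descriptor you already validated (e.g. `fdopen(fd, "r")`) instead. In DisplayBanner, `jv` is printed even when `mallctl("version", ...)` fails, so initialize it and check the return (`const char* jv = nullptr;`, print only on success). CreatePidFile unlinks the `.lck` file while the lock is still held on its descriptor, so a second instance creates a fresh file and locks it successfully; if the lock is meant to be exclusive, the file must outlive the process.
```cpp
    size_t abs_root_dir_len = strlen(abs_root_dir);

    // a prefix match alone accepts "/opt/jail2/logs" for root "/opt/jail";
    // the log dir must equal the root or continue with a separator
    // (a root of "/" is a single separator and matches every absolute path)
    bool inside_jail = strncmp(abs_root_dir, abs_log_dir, abs_root_dir_len) == 0 &&
        ( abs_root_dir_len == 1 ||
          abs_log_dir[abs_root_dir_len] == '/' ||
          abs_log_dir[abs_root_dir_len] == '\0' );

    if ( !inside_jail )
    {
        ParseError("Specified log directory is not contained with the chroot jail");
        return false;
    }

    // … unchanged: chroot(), chdir("/") …

    // keep the leading '/' when the jail root is "/" itself
    size_t strip = (abs_root_dir_len == 1) ? 0 : abs_root_dir_len;

    if ( strip >= strlen(abs_log_dir) )
        log_dir = "/";
    else
        log_dir = abs_log_dir + strip;
```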
similarity index 77%
rename from src/helpers/process.h
rename to src/main/process.h
index 60a6b3e78e75c04f9f7d0370e5dad5eb9239d798..77c2366760a61cea153c300645ba8ba4c45df8b3 100644 (file)
 #ifndef PROCESS_H
 #define PROCESS_H
 
+#include <sys/time.h>
+#include <string>
 #include "main/snort_types.h"
 
+
 // process oriented services like signal handling, heap info, etc.
 
 enum PigSignal
@@ -41,8 +44,8 @@ const char* get_signal_name(PigSignal);
 
 void init_signals();
 void term_signals();
-SO_PUBLIC void install_oops_handler();
-SO_PUBLIC void remove_oops_handler();
+void install_oops_handler();
+void remove_oops_handler();
 void help_signals();
 
 void daemonize();
@@ -51,5 +54,23 @@ void set_main_thread();
 
 void trim_heap();
 
+void StoreSnortInfoStrings();
+int DisplayBanner();
+
+int gmt2local(time_t);
+std::string read_infile(const char* key, const char* fname);
+
+void CreatePidFile(pid_t);
+void ClosePidFile();
+
+bool SetUidGid(int, int);
+void InitGroups(int, int);
+
+bool EnterChroot(std::string& root_dir, std::string& log_dir);
+
+#if defined(NOCOREFILE)
+void SetNoCores();
+#endif
+
 #endif
 
index 55e3a5c15ad0225a9b37fcb9fff0cb33b42155b1..67590c2b7527d16d70e5ae38e522b7f7bf5dd1a7 100644 (file)
 #include "filters/sfthreshold.h"
 #include "flow/ha.h"
 #include "framework/mpse.h"
-#include "helpers/process.h"
 #include "host_tracker/host_cache.h"
 #include "host_tracker/host_cache_segmented.h"
 #include "host_tracker/host_tracker_module.h"
 #include "ips_options/ips_options.h"
 #include "log/log.h"
-#include "log/messages.h"
+#include "log/log_errors.h"
 #include "loggers/loggers.h"
 #include "main.h"
+#include "main/process.h"
 #include "main/shell.h"
 #include "managers/codec_manager.h"
 #include "managers/inspector_manager.h"
@@ -76,6 +76,7 @@
 #include "trace/trace_api.h"
 #include "trace/trace_config.h"
 #include "trace/trace_logger.h"
+#include "utils/stats.h"
 #include "utils/util.h"
 
 #ifdef SHELL
@@ -176,7 +177,7 @@ void Snort::init(int argc, char** argv)
     ModuleManager::reset_stats(sc);
 
     if (sc->alert_before_pass())
-        sc->rule_order = Actions::get_default_priorities(true);
+        sc->rule_order = IpsAction::get_default_priorities(true);
 
     sc->setup();
 
@@ -210,6 +211,7 @@ void Snort::init(int argc, char** argv)
 
     /* Need to do this after dynamic detection stuff is initialized, too */
     IpsManager::global_init(sc);
+    PacketManager::global_init(sc->num_layers);
 
     sc->post_setup();
     sc->update_reload_id();
@@ -219,9 +221,10 @@ void Snort::init(int argc, char** argv)
     const MpseApi* search_api = sc->fast_pattern_config->get_search_api();
     const MpseApi* offload_search_api = sc->fast_pattern_config->get_offload_search_api();
 
-    MpseManager::activate_search_engine(search_api, sc);
+    if ( search_api )
+        MpseManager::activate_search_engine(search_api, sc);
 
-    if ((offload_search_api != nullptr) and (offload_search_api != search_api))
+    if ( offload_search_api and offload_search_api != search_api )
         MpseManager::activate_search_engine(offload_search_api, sc);
 
     /* Finish up the pcap list and put in the queues */
@@ -361,7 +364,6 @@ void Snort::term()
     detection_filter_term();
 
     term_signals();
-
 }
 
 void Snort::clean_exit(int)
@@ -604,12 +606,3 @@ SnortConfig* Snort::get_updated_policy(
     return sc;
 }
 
-OopsHandlerSuspend::OopsHandlerSuspend()
-{
-    remove_oops_handler();
-}
-
-OopsHandlerSuspend::~OopsHandlerSuspend()
-{
-    install_oops_handler();
-}
index d04fccc80a551a8df33ce57ce3317fc5d59cb66f..0ce5186d759c123dffecaf3990f8724c48217990 100644 (file)
@@ -24,8 +24,6 @@
 // Snort is the top-level application class.
 #include <daq_common.h>
 
-#include "main/snort_types.h"
-
 class ContextSwitcher;
 
 namespace snort
@@ -47,8 +45,8 @@ public:
     static void cleanup();
 
     static bool has_dropped_privileges();
-    SO_PUBLIC static bool is_reloading();
-    inline SO_PUBLIC static bool is_exiting() { return already_exiting; }
+    static bool is_exiting() { return already_exiting; }
+    static bool is_reloading();
 
 private:
     static void init(int, char**);
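Review bot: Dropping `SO_PUBLIC` from `Snort::is_exiting()` and `Snort::is_reloading()` removes two exported symbols, so an out-of-tree plugin that called them will now fail at load time with an unresolved symbol rather than at compile time. This looks intentional as part of narrowing the plugin-facing surface, but it deserves a release-note entry, and a short comment on the class such as `// not exported: internal use only` would record the decision where the next maintainer will look.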
@@ -62,14 +60,6 @@ private:
     static bool privileges_dropped;
     static bool already_exiting;
 };
-
-// RAII-style mechanism for removal and reinstallation of Snort's crash handler
-class SO_PUBLIC OopsHandlerSuspend
-{
-public:
-    OopsHandlerSuspend();
-    ~OopsHandlerSuspend();
-};
 }
 
 #endif
index afcd762b1e7fc849975fa1fb2dd315e64d09bddf..7464a2920b9f0da8f30da397b37cf6a473100caf 100644 (file)
@@ -36,6 +36,7 @@
 #include "detection/fp_create.h"
 #include "dump_config/json_config_output.h"
 #include "dump_config/text_config_output.h"
+#include "events/event_queue.h"
 #include "file_api/file_service.h"
 #include "filters/detection_filter.h"
 #include "filters/rate_filter.h"
 #include "flow/ha_module.h"
 #include "framework/policy_selector.h"
 #include "hash/xhash.h"
-#include "helpers/process.h"
 #include "host_tracker/host_cache_segmented.h"
 #include "latency/latency_config.h"
 #include "log/messages.h"
+#include "main/policy.h"
+#include "main/process.h"
 #include "managers/action_manager.h"
 #include "managers/event_manager.h"
 #include "managers/inspector_manager.h"
@@ -265,7 +267,8 @@ SnortConfig::~SnortConfig()
         (fast_pattern_config->get_search_api() !=
         get_conf()->fast_pattern_config->get_search_api())) )
     {
-        MpseManager::stop_search_engine(fast_pattern_config->get_search_api());
+        if ( fast_pattern_config->get_search_api() )
+            MpseManager::stop_search_engine(fast_pattern_config->get_search_api());
     }
     delete fast_pattern_config;
 
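Review bot: `fast_pattern_config->get_search_api()` is now evaluated three times in the same condition block; hoisting it into a local makes the added null check read as one statement, e.g. `const MpseApi* api = fast_pattern_config->get_search_api(); if ( api ) MpseManager::stop_search_engine(api);`. The enclosing `if` that compares this api against `get_conf()`'s starts outside the hunk, so the local would need to be declared before it.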
@@ -308,7 +311,7 @@ void SnortConfig::setup()
     ParseRules(this);
 
     // Allocate evalOrder before calling the OrderRuleLists
-    evalOrder = new int[Actions::get_max_types()]();
+    evalOrder = new int[IpsAction::get_max_types()]();
 
     OrderRuleLists(this);
 
@@ -1082,3 +1085,15 @@ const char* SnortConfig::get_static_name(const char* name)
     static_names.emplace(name, name);
     return static_names[name].c_str();
 }
+
+int SnortConfig::get_classification_id(const char* name)
+{
+    auto& cls = get_conf()->classifications;
+    auto itr = cls.find(name);
+
+    if (itr != cls.end())
+        return itr->second->id;
+
+    return 0;
+}
+
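Review bot: `get_conf()->classifications` at the top of `get_classification_id` is dereferenced without a null check, so calling this before a configuration is installed (or from a plugin during teardown) crashes instead of returning 0; `if ( !get_conf() ) return 0;` or an `assert(get_conf());` would make the precondition explicit. The function also returns 0 both for an unknown name and, presumably, for a classification whose id happens to be 0 — if 0 is never a real id, say so in a comment; otherwise callers cannot tell the two apart. The added code also leaves a trailing blank line after the closing brace.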
index 5e661a6906c42bf714aa8378f9ce5f2bce41db09..52e713b10f65356e91e38245b17a0f4c9afbe0c6 100644 (file)
 #include <unordered_map>
 #include <vector>
 
-#include "actions/actions.h"
-#include "events/event_queue.h"
-#include "framework/bits.h"
+#include "framework/inspector.h"
+#include "framework/ips_action.h"
 #include "helpers/scratch_allocator.h"
 #include "main/policy.h"
-#include "main/thread.h"
 #include "sfip/sf_cidr.h"
+#include "utils/bits.h"
 
 #define DEFAULT_LOG_DIR "."
 
@@ -544,10 +543,7 @@ public:
     uint16_t get_event_log_id() const
     { return event_log_id; }
 
-    bool process_all_events() const
-    { return event_queue_config->process_all_events; }
-
-    int get_eval_index(Actions::Type type) const
+    int get_eval_index(IpsAction::Type type) const
     { return evalOrder[type]; }
 
     // output stuff
@@ -739,6 +735,7 @@ public:
     { return logging_flags & LOGGING_FLAG__SHOW_PLUGINS; }
 
     SO_PUBLIC static const char* get_static_name(const char* name);
+    SO_PUBLIC static int get_classification_id(const char* name);
 };
 }
 
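Review bot: The new `SO_PUBLIC static int get_classification_id(const char* name);` is plugin-facing but carries no documentation, and for an exported lookup the not-found value matters. Suggest `// look up a classification by name; returns its id, or 0 when no classification of that name is configured` above the declaration, and state whether `name` may be null (the definition passes it straight into a map lookup).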
index 3c7069d281f131f44ab9696a6dc252b0b573f4ae..1d9032b0b1fdf6f4f939993eaafa352018a3a830 100644 (file)
@@ -42,6 +42,7 @@
 #include "parser/vars.h"
 #include "trace/trace_api.h"
 #include "trace/trace_config.h"
+#include "utils/stats.h"
 
 #if defined(UNIT_TEST) || defined(BENCHMARK_TEST)
 #include "catch/unit_test.h"
index a353da2f37763c72007f24fec48419ba034e227b..ffb27a34c757064c33de4f2790032e98ca719a08 100644 (file)
@@ -24,7 +24,7 @@
 // the snort module is for handling command line args,
 // shell commands, and basic application stats
 
-#include "main/thread.h"
+#include "main/snort_types.h"
 
 namespace snort
 {
index 823937fc8afb8d2ccee0df0b8bf2d04d92a8e9f6..c9567c537c1d9ae456f038b49aa8a12786c18d78 100644 (file)
@@ -65,6 +65,14 @@ typedef uint16_t Port;
 #endif
 #endif
 
+// `__thread` is a gnu extension that at present is slightly faster than
+// `thread_local` (possibly due to the lack of dynamic initialization)
+#ifdef USE_THREAD_LOCAL
+#    define THREAD_LOCAL thread_local
+#else
+#    define THREAD_LOCAL __thread
+#endif
+
 #if !defined(__GNUC__) || __GNUC__ < 2 || \
     (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
 #define __attribute__(x)    /* delete __attribute__ if non-gcc or gcc1 */
index 8449408767c3993ea8791680a10602865bcbaeaf..34ced393f1b1028ec4294c756d57d33ab6057e13 100644 (file)
@@ -31,7 +31,7 @@ struct SnortConfig;
 
 class Analyzer;
 
-class SO_PUBLIC Swapper
+class Swapper
 {
 public:
     Swapper(snort::SnortConfig*);
index 5613c64c0b46360ca81129991ce696f42dd6d96e..7bc5e90adedfcec3e65be35c53e92d3c09268db2 100644 (file)
@@ -18,8 +18,8 @@
 // distill_verdict_stubs.h author Ron Dempster <rdempste@cisco.com>
 
 #include "detection/context_switcher.h"
+#include "detection/detection_buf.h"
 #include "detection/detection_engine.h"
-#include "detection/detection_util.h"
 #include "detection/ips_context.h"
 #include "detection/tag.h"
 #include "file_api/file_service.h"
 #include "main/swapper.h"
 #include "main/thread_config.h"
 #include "memory/memory_cap.h"
-#include "network_inspectors/packet_tracer/packet_tracer.h"
 #include "packet_io/active.h"
+#include "packet_io/packet_tracer.h"
 #include "packet_io/sfdaq.h"
 #include "packet_io/sfdaq_instance.h"
 #include "packet_io/sfdaq_module.h"
-#include "profiler/profiler.h"
-#include "profiler/profiler_defs.h"
+#include "profiler/profiler_impl.h"
+#include "profiler/time_profiler_defs.h"
 #include "protocols/packet.h"
 #include "protocols/packet_manager.h"
 #include "side_channel/side_channel.h"
@@ -65,6 +65,8 @@
 
 THREAD_LOCAL DAQStats daq_stats;
 THREAD_LOCAL bool RuleContext::enabled = false;
+THREAD_LOCAL bool snort::TimeProfilerStats::enabled;
+THREAD_LOCAL snort::PacketTracer* snort::PacketTracer::s_pkt_trace;
 
 void Profiler::start() { }
 void Profiler::stop(uint64_t) { }
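Review bot: `THREAD_LOCAL bool snort::TimeProfilerStats::enabled;` drops the `= false` that the removed definition carried; that is harmless for a thread-local object with static storage duration, which is zero-initialized, but the neighbouring `THREAD_LOCAL bool RuleContext::enabled = false;` spells the initializer out, so `THREAD_LOCAL bool snort::TimeProfilerStats::enabled = false;` would keep the stubs consistent. Likewise `snort::PacketTracer::s_pkt_trace` could carry `= nullptr` to match.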
@@ -97,7 +99,7 @@ void RuleLatency::tterm() { }
 void PacketLatency::tterm() { }
 void SideChannelManager::thread_init() { }
 void SideChannelManager::thread_term() { }
-void CodecManager::thread_init(const snort::SnortConfig*) { }
+void CodecManager::thread_init() { }
 void CodecManager::thread_term() { }
 void EventManager::open_outputs() { }
 void EventManager::close_outputs() { }
@@ -126,9 +128,6 @@ void select_default_policy(const _daq_flow_stats&, const snort::SnortConfig*) {
 namespace snort
 {
 static struct timeval s_packet_time = { 0, 0 };
-THREAD_LOCAL PacketTracer* s_pkt_trace;
-THREAD_LOCAL TimeContext* ProfileContext::curr_time = nullptr;
-THREAD_LOCAL bool TimeProfilerStats::enabled = false;
 THREAD_LOCAL PacketCount pc;
 
 void packet_gettimeofday(struct timeval* tv) { *tv = s_packet_time; }
index a0f03377f73d1fc8e257d25bafbb593fe9bacdef..972e41a3772949f82ce0ab5631d273190368dd49 100644 (file)
 
 #include "main/snort_types.h"
 
-#define THREAD_LOCAL_TBD
-//#define THREAD_LOCAL // for single-threaded debugging
-
-// `__thread` is a gnu extension that at present is slightly faster than
-// `thread_local` (possibly due to the lack of dynamic initialization)
-#ifdef USE_THREAD_LOCAL
-#    define THREAD_LOCAL thread_local
-#else
-#    define THREAD_LOCAL __thread
-#endif
-
 enum SThreadType
 {
     STHREAD_TYPE_OTHER,
index 07c7249ca56d6e372a19cd5354d67ae1bfde0720..072816f0b1bb8e007aa7c1d7e1c917177a4cac2d 100644 (file)
 #include "time/periodic.h"
 #include "utils/util.h"
 
-#ifdef HAVE_NUMA
-#include "utils/util_numa.h"
-#endif
-
 #ifdef UNIT_TEST
 #include "catch/snort_catch.h"
 #endif
 
+#ifdef HAVE_NUMA
+#include "numa.h"
+#endif
+
 using namespace snort;
 using namespace std;
 
index f4db4a8729149de269de47d2e504852d0618c9f4..d748f99e4128e21af35f2d314f3e36f9318d37e6 100644 (file)
@@ -8,23 +8,19 @@ set (CPP_INCLUDES
     ${CMAKE_CURRENT_BINARY_DIR}/lua_coreinit.h
 )
 
-set( MANAGERS_INCLUDES
-    codec_manager.h
-    event_manager.h
-    inspector_manager.h
-)
-
 add_subdirectory(test)
 
 add_library( managers OBJECT
     ${LUA_INCLUDES}
-    ${MANAGERS_INCLUDES}
     ${CPP_INCLUDES}
     action_manager.h
     action_manager.cc
     codec_manager.cc
+    codec_manager.h
     event_manager.cc
+    event_manager.h
     inspector_manager.cc
+    inspector_manager.h
     ips_manager.cc
     ips_manager.h
     lua_plugin_defs.h
@@ -58,10 +54,6 @@ add_custom_command (
 
 include_directories (${CMAKE_CURRENT_BINARY_DIR})
 
-install (FILES ${MANAGERS_INCLUDES}
-    DESTINATION "${INCLUDE_INSTALL_PATH}/managers"
-)
-
 install (FILES ${LUA_INCLUDES}
     DESTINATION "${INCLUDE_INSTALL_PATH}/lua"
 )
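Review bot: Removing `install (FILES ${MANAGERS_INCLUDES} ...)` stops shipping codec_manager.h, event_manager.h and inspector_manager.h, so an out-of-tree plugin that includes `managers/inspector_manager.h` will no longer build against an installed tree. That is consistent with the visibility changes elsewhere in the commit but it is a packaging change and should be called out in the release notes. If any still-installed public header includes one of these three, consumers would now get a missing-include error — worth a quick grep of the remaining installed includes.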
index 939c0abac1685049a244fcf0b03fa1545016dd8b..0537684c048f8e1c2d57b940bb0f7662334d0d46 100644 (file)
@@ -59,13 +59,13 @@ struct IpsActionsConfig
 };
 
 using ACList = vector<ActionClass>;
-using ACTypeList = unordered_map<string, Actions::Type>;
+using ACTypeList = unordered_map<string, IpsAction::Type>;
 using ACPriorityList = map<IpsAction::IpsActionPriority, string, std::greater<int>>;
 
 static ACList s_actors;
 static ACTypeList s_act_types;
 static ACPriorityList s_act_priorities;
-static Actions::Type s_act_index = 0;
+static IpsAction::Type s_act_index = 0;
 
 static THREAD_LOCAL ACList* s_tl_actors = nullptr;
 
@@ -81,12 +81,12 @@ void ActionManager::add_plugin(const ActionApi* api)
     s_act_priorities.emplace(api->priority, api->base.name);
 }
 
-std::string ActionManager::get_action_string(Actions::Type action)
+std::string ActionManager::get_action_string(IpsAction::Type action)
 {
     if ( action < s_act_index )
     {
         auto it = std::find_if(s_act_types.cbegin(), s_act_types.cend(),
-            [action](const std::pair<const std::string, Actions::Type>& type){ return type.second == action; });
+            [action](const std::pair<const std::string, IpsAction::Type>& type){ return type.second == action; });
         if ( it != s_act_types.cend())
             return (*it).first;
     }
@@ -94,7 +94,7 @@ std::string ActionManager::get_action_string(Actions::Type action)
     return "ERROR";
 }
 
-Actions::Type ActionManager::get_action_type(const char* s)
+IpsAction::Type ActionManager::get_action_type(const char* s)
 {
     auto type = s_act_types.find(s);
 
@@ -104,7 +104,7 @@ Actions::Type ActionManager::get_action_type(const char* s)
     return get_max_action_types();
 }
 
-Actions::Type ActionManager::get_max_action_types()
+IpsAction::Type ActionManager::get_max_action_types()
 {
     return s_act_index;
 }
@@ -218,7 +218,7 @@ void ActionManager::instantiate(const ActionApi* api, Module* mod, SnortConfig*
         if ( !ips )
             ips = get_ips_policy();
 
-        Actions::Type idx = rln->mode;
+        IpsAction::Type idx = rln->mode;
         if (ips->action[idx] == nullptr)
         {
             ips->action[idx] = act;
index 987a38077a0504f301c39d0f5e162cd27d9ef5c2..13e1be934b12d1c56a8c55bb16ec451fecd5e2fa 100644 (file)
 // which is just a single response deferred until end of current packet
 // processing.
 
-#include "actions/actions.h"
 #include "framework/ips_action.h"
 #include "framework/module.h"
 
 namespace snort
 {
 struct ActionApi;
-class IpsAction;
 struct SnortConfig;
 struct Packet;
 }
@@ -54,9 +52,9 @@ public:
             snort::SnortConfig*, IpsPolicy* ips = nullptr );
     static void initialize_policies(snort::SnortConfig*);
 
-    static std::string get_action_string(Actions::Type);
-    static Actions::Type get_action_type(const char*);
-    static Actions::Type get_max_action_types();
+    static std::string get_action_string(snort::IpsAction::Type);
+    static snort::IpsAction::Type get_action_type(const char*);
+    static snort::IpsAction::Type get_max_action_types();
     static std::string get_action_priorities(bool);
 
     static void thread_init(const snort::SnortConfig*);
index 9580882b7351cd957a02b0bc7f93d20f765539e2..8bcadf2ab4a959886bec0626b31998276d1b3495 100644 (file)
@@ -49,7 +49,6 @@ std::array<Codec*, UINT8_MAX> CodecManager::s_protocols {
 
 THREAD_LOCAL ProtocolId CodecManager::grinder_id = ProtocolId::ETHERTYPE_NOT_SET;
 THREAD_LOCAL uint8_t CodecManager::grinder = 0;
-THREAD_LOCAL uint8_t CodecManager::max_layers = DEFAULT_LAYERMAX;
 
 // This is hardcoded into Snort++
 extern const CodecApi* default_codec;
@@ -134,7 +133,7 @@ void CodecManager::release_plugins()
     s_proto_map.fill(0);
 }
 
-void CodecManager::instantiate(CodecApiWrapper& wrap, Module* m, SnortConfig*)
+void CodecManager::instantiate(CodecApiWrapper& wrap, Module* m)
 {
     if (!wrap.init)
     {
@@ -168,10 +167,10 @@ void CodecManager::instantiate(CodecApiWrapper& wrap, Module* m, SnortConfig*)
     }
 }
 
-void CodecManager::instantiate(const CodecApi* cd_api, Module* m, SnortConfig* sc)
+void CodecManager::instantiate(const CodecApi* cd_api, Module* m)
 {
     CodecApiWrapper& wrap = get_api_wrapper(cd_api);
-    instantiate(wrap, m, sc);
+    instantiate(wrap, m);
 }
 
 void CodecManager::instantiate()
@@ -179,20 +178,18 @@ void CodecManager::instantiate()
     CodecApiWrapper tmp_wrap;
     tmp_wrap.api = default_codec;
     tmp_wrap.init = false;
-    instantiate(tmp_wrap, nullptr, nullptr);
+    instantiate(tmp_wrap, nullptr);
 
     // default codec is the api ... I want the codec.
     s_protocols[0] = s_protocols[get_codec(default_codec->base.name)];
 
     // and instantiate every codec which does not have a module
     for (CodecApiWrapper& wrap : s_codecs)
-        instantiate(wrap, nullptr, nullptr);
+        instantiate(wrap, nullptr);
 }
 
-void CodecManager::thread_init(const SnortConfig* sc)
+void CodecManager::thread_init()
 {
-    max_layers = sc->num_layers;
-
     for ( CodecApiWrapper& wrap : s_codecs )
         if (wrap.api->tinit)
             wrap.api->tinit();
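Review bot: `thread_init()` no longer refreshes the layer limit from the config (`max_layers = sc->num_layers;` is gone), so the value is now whatever `PacketManager::global_init(sc->num_layers)` set once during startup. Previously the per-thread copy was re-read on every thread init; if `num_layers` can change across a reload, that change would now be ignored unless global_init is also run on the reload path, which this diff does not show. A comment on the function such as `// the per-thread layer limit now comes from PacketManager::global_init()` would record the new ownership. The body of thread_init continues outside the hunk.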
index 1faa8fec7d1108bb69a7dcd44852557ce6527709..302e27d4e9512ca683f6a35fc62ad869f93538e3 100644 (file)
@@ -26,7 +26,7 @@
 #include <array>
 #include <vector>
 
-#include "main/thread.h"
+#include "main/snort_types.h"
 #include "protocols/protocol_ids.h"
 
 namespace snort
@@ -36,7 +36,6 @@ struct CodecApi;
 class Module;
 class PacketManager;
 struct ProfileStats;
-struct SnortConfig;
 }
 
 //-------------------------------------------------------------------------
@@ -54,31 +53,27 @@ public:
     // global plugin initializer
     static void add_plugin(const struct snort::CodecApi*);
     // instantiate a specific codec with a codec specific Module
-    static void instantiate(const snort::CodecApi*, snort::Module*, snort::SnortConfig*);
+    static void instantiate(const snort::CodecApi*, snort::Module*);
     // instantiate any codec for which a module has not been provided.
     static void instantiate();
     // destroy all global codec related information
     static void release_plugins();
     // initialize the current threads DLT and Packet struct
-    static void thread_init(const snort::SnortConfig*);
+    static void thread_init();
     // destroy thread_local data
     static void thread_term();
     // print all of the codec plugins
     static void dump_plugins();
 
-    static uint8_t get_max_layers()
-    { return max_layers; }
-
 private:
     struct CodecApiWrapper;
 
     static std::vector<CodecApiWrapper> s_codecs;
     static std::array<ProtocolIndex, num_protocol_ids> s_proto_map;
-    static std::array<snort::Codec*, UINT8_MAX> s_protocols;
+    static std::array<snort::Codec*, num_protocol_idx> s_protocols;
 
     static THREAD_LOCAL ProtocolId grinder_id;
     static THREAD_LOCAL ProtocolIndex grinder;
-    static THREAD_LOCAL uint8_t max_layers;
 
     /*
      * Private helper functions.  These are all declared here
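Review bot: `s_protocols` shrinks from `UINT8_MAX` to `num_protocol_idx` entries but is still indexed by the `uint8_t` that `get_codec()` returns (e.g. `s_protocols[get_codec(default_codec->base.name)]` in the .cc), so unless `num_protocol_idx` is at least 256 or `get_codec()` is guaranteed to return a bounded index, an out-of-range codec id now reads past the array where it previously could not. Consider returning `ProtocolIndex` from `get_codec()` and asserting `idx < num_protocol_idx` at the index sites, or a `static_assert` that documents the relationship between the two sizes. The value of `num_protocol_idx` is not visible here, so the bound may already hold.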
@@ -86,7 +81,7 @@ private:
      */
 
     // Private struct defined in an anonymous namespace.
-    static void instantiate(CodecApiWrapper&, snort::Module*, snort::SnortConfig*);
+    static void instantiate(CodecApiWrapper&, snort::Module*);
     static CodecApiWrapper& get_api_wrapper(const snort::CodecApi* cd_api);
     static uint8_t get_codec(const char* const keyword);
 };
index 4b5173678165df330723cad5fbaaa9138e4d61ab..bc9dd4af9cf8f97a2ecea83edc364a2df3feefa2 100644 (file)
@@ -37,7 +37,7 @@ struct LogApi;
 struct Packet;
 struct SnortConfig;
 }
-struct Event;
+class Event;
 struct OutputSet;
 
 //-------------------------------------------------------------------------
index aa58eb756f7cdc6f89026dac4c094dd857b51e44..e07d19a2898a85ba9e5fd8611e2152daee847e1e 100644 (file)
 #include <vector>
 
 #include "binder/bind_module.h"
-#include "detection/detect.h"
 #include "detection/detection_engine.h"
 #include "detection/fp_utils.h"
-#include "flow/expect_cache.h"
+#include "flow/expect_flow.h"
 #include "flow/flow.h"
 #include "flow/session.h"
+#include "log/log_stats.h"
 #include "log/messages.h"
 #include "main/shell.h"
 #include "main/snort.h"
@@ -293,7 +293,7 @@ void InspectorList::tterm(PHObjectList* handlers)
 void InspectorList::tterm_removed()
 {
     for ( auto& ri : removed_ilist )
-        ri.instance->tterm(ri.handlers[Inspector::slot]);
+        ri.instance->tterm(ri.handlers[Inspector::get_slot()]);
 }
 
 static PHInstance* get_instance(InspectorList* il, const char* keyword);
@@ -459,12 +459,13 @@ void TrafficPolicy::vectorize(SnortConfig*)
 
 PHObjectList* TrafficPolicy::get_specific_handlers()
 {
+    unsigned slot = Inspector::get_slot();
     assert(ts_handlers);
-    PHObjectList* handlers = ts_handlers->olists[Inspector::slot];
+    PHObjectList* handlers = ts_handlers->olists[slot];
     if (!handlers)
     {
         handlers = new PHObjectList;
-        ts_handlers->olists[Inspector::slot] = handlers;
+        ts_handlers->olists[slot] = handlers;
     }
     return handlers;
 }
@@ -606,7 +607,7 @@ void SingleInstanceInspectorPolicy::tterm(PHObjectList* handlers)
 void SingleInstanceInspectorPolicy::tterm_removed()
 {
     if (removed_instance)
-        removed_instance->tterm(s_tl_handlers[Inspector::slot]);
+        removed_instance->tterm(s_tl_handlers[Inspector::get_slot()]);
 }
 
 void SingleInstanceInspectorPolicy::print_config(SnortConfig* sc, const char* title)
@@ -1120,17 +1121,6 @@ void InspectorManager::update_policy(SnortConfig* sc)
     }
 }
 
-Binder* InspectorManager::get_binder()
-{
-    InspectionPolicy* pi = get_inspection_policy();
-
-    if ( !pi )
-        return nullptr;
-
-    assert(pi->framework_policy);
-    return (Binder*)pi->framework_policy->binder;
-}
-
 void InspectorManager::clear_removed_inspectors(SnortConfig* sc)
 {
     SingleInstanceInspectorPolicy* fid = sc->policy_map->get_file_id();
@@ -1210,158 +1200,7 @@ void InspectorManager::reconcile_inspectors(const SnortConfig* old, SnortConfig*
     }
 }
 
-Inspector* InspectorManager::get_file_inspector(const SnortConfig* sc)
-{
-    if ( !sc )
-        sc = SnortConfig::get_conf();
-    SingleInstanceInspectorPolicy* fid = sc->policy_map->get_file_id();
-    return fid->instance ? fid->instance->handler : nullptr;
-}
-
-// FIXIT-P cache get_inspector() returns or provide indexed lookup
-Inspector* InspectorManager::get_inspector(const char* key, bool dflt_only, const SnortConfig* snort_config)
-{
-    InspectionPolicy* pi;
-    NetworkPolicy* ni;
-
-    const SnortConfig* sc = snort_config;
-    if ( !sc )
-        sc = SnortConfig::get_conf();
-    assert(sc);
-    if ( dflt_only )
-    {
-        ni = get_default_network_policy(sc);
-        pi = ni->get_inspection_policy(0);
-    }
-    else
-    {
-        pi = get_inspection_policy();
-        // During reload, get_network_policy will return the network policy from the new snort config
-        // for a given tenant
-        ni = get_network_policy();
-        if (!snort_config)
-        {
-            // If no snort config is passed in, it means that this is either a normally running system with
-            // the correct network policy set or that get_inspector is being called from Inspector::configure
-            // and it is expecting the inspector from the running configuration and not the new snort config
-            if (ni)
-            {
-                PolicyMap* pm = sc->policy_map;
-                NetworkPolicy* np = pm->get_user_network(ni->user_policy_id);
-                if (np)
-                {
-                    // If network policy is correct, then no need to change the inspection policy
-                    if (np != ni && pi)
-                        pi = np->get_user_inspection_policy(pi->user_policy_id);
-                    ni = np;
-                }
-                else
-                    pi = nullptr;
-            }
-            else
-                pi = nullptr;
-        }
-    }
-
-    if ( pi )
-    {
-        PHInstance* p = get_instance(pi->framework_policy, key);
-        if ( p )
-            return p->handler;
-    }
-
-    if ( ni && ni->traffic_policy )
-    {
-        PHInstance* p = get_instance(ni->traffic_policy, key);
-        if ( p )
-            return p->handler;
-    }
-
-    GlobalInspectorPolicy* pp = sc->policy_map->get_global_inspector_policy();
-    PHInstance* p = get_instance(pp, key);
-    if ( p )
-        return p->handler;
-
-    SingleInstanceInspectorPolicy* ft = sc->policy_map->get_flow_tracking();
-    if ( ft->instance && ft->instance->name == key )
-        return ft->instance->handler;
-
-    SingleInstanceInspectorPolicy* fid = sc->policy_map->get_file_id();
-    if ( fid->instance && fid->instance->name == key )
-        return fid->instance->handler;
-
-    return nullptr;
-}
-
-Inspector* InspectorManager::get_inspector(const char* key, Module::Usage usage, InspectorType type)
-{
-    const SnortConfig* sc = SnortConfig::get_conf();
-    if (!sc)
-        return nullptr;
-
-    if (Module::GLOBAL == usage && IT_FILE == type)
-    {
-        SingleInstanceInspectorPolicy* fid = sc->policy_map->get_file_id();
-        assert(fid);
-        return (fid->instance && fid->instance->name == key) ? fid->instance->handler : nullptr;
-    }
-    else if (Module::GLOBAL == usage && IT_STREAM == type)
-    {
-        SingleInstanceInspectorPolicy* ft = sc->policy_map->get_flow_tracking();
-        assert(ft);
-        return (ft->instance && ft->instance->name == key) ? ft->instance->handler : nullptr;
-    }
-    else
-    {
-        if (Module::GLOBAL == usage && IT_SERVICE != type)
-        {
-            GlobalInspectorPolicy* il = sc->policy_map->get_global_inspector_policy();
-            assert(il);
-            PHInstance* p = il->get_instance_by_type(key, type);
-            return p ? p->handler : nullptr;
-        }
-        else if (Module::CONTEXT == usage)
-        {
-            NetworkPolicy* np = get_network_policy();
-            if (!np)
-                return nullptr;
-            PolicyMap* pm = sc->policy_map;
-            np = pm->get_user_network(np->user_policy_id);
-            if (!np)
-                return nullptr;
-            TrafficPolicy* il = np->traffic_policy;
-            assert(il);
-            PHInstance* p = il->get_instance_by_type(key, type);
-            return p ? p->handler : nullptr;
-        }
-        else
-        {
-            NetworkPolicy* orig_np = get_network_policy();
-            if (!orig_np)
-                return nullptr;
-            PolicyMap* pm = sc->policy_map;
-            NetworkPolicy* np = pm->get_user_network(orig_np->user_policy_id);
-            if (!np)
-                return nullptr;
-            InspectionPolicy* ip = get_inspection_policy();
-            if (!ip)
-                return nullptr;
-            // If network policy is correct, then no need to change the inspection policy
-            if (np != orig_np)
-            {
-                ip = np->get_user_inspection_policy(ip->user_policy_id);
-                if (!ip)
-                    return nullptr;
-            }
-            FrameworkPolicy* il = ip->framework_policy;
-            assert(il);
-            PHInstance* p = il->get_instance_by_type(key, type);
-            return p ? p->handler : nullptr;
-        }
-    }
-}
-
-Inspector* InspectorManager::get_service_inspector_by_service(const char* key)
+Inspector* InspectorManager::get_service_inspector(const char* key)
 {
     InspectionPolicy* pi = get_inspection_policy();
 
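Review bot: Collapsing `get_service_inspector_by_service(const char*)` and `get_service_inspector_by_id(SnortProtocolId)` into one overloaded `get_service_inspector` trades explicit names for overload resolution on `const char*` versus an integer typedef, which is fragile: an integer literal such as `0` is ambiguous between the two and fails to compile, any other integer expression silently picks the id overload, and a `std::string` argument now needs `.c_str()`. The old suffixes said which key was being looked up at every call site. If the overload stays, a one-line comment on each definition (`// lookup by service name` / `// lookup by protocol id`) would at least preserve that at the definition.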
@@ -1373,7 +1212,7 @@ Inspector* InspectorManager::get_service_inspector_by_service(const char* key)
     return (g != pi->framework_policy->inspector_cache_by_service.end()) ? g->second : nullptr;
 }
 
-Inspector* InspectorManager::get_service_inspector_by_id(const SnortProtocolId protocol_id)
+Inspector* InspectorManager::get_service_inspector(const SnortProtocolId protocol_id)
 {
     InspectionPolicy* pi = get_inspection_policy();
 
@@ -1504,11 +1343,13 @@ void PHInstance::tterm(PHObjectList* handlers)
 void InspectorManager::thread_init(const SnortConfig* sc)
 {
     SnortConfig::update_thread_reload_id();
+#ifndef _WIN64
     Inspector::slot = get_instance_id();
+#endif
 
     // Initial build out of this thread's configured plugin registry
     PHObjectList* g_handlers = new PHObjectList;
-    s_tl_handlers[Inspector::slot] = g_handlers;
+    s_tl_handlers[Inspector::get_slot()] = g_handlers;
     for ( auto* p : sc->framework_config->clist )
     {
         PHObject& phg = get_thread_local_plugin(p->api, g_handlers);
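Review bot: The `#ifndef _WIN64` around `Inspector::slot = get_instance_id();` leaves the slot unassigned on 64-bit Windows, yet the very next lines index `s_tl_handlers[Inspector::get_slot()]`; unless `get_slot()` derives the slot itself on that platform (its body is not in this diff), that build would use an unset or stale slot. Either way, a platform-specific exclusion in core thread setup needs a comment stating why, e.g. `// on WIN64 the slot is computed inside Inspector::get_slot()`. thread_init continues outside the hunk.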
@@ -1551,7 +1392,7 @@ void InspectorManager::thread_reinit(const SnortConfig* sc)
         sc->policy_map->set_inspector_tinit_complete(instance_id, true);
 
         // Update this thread's configured plugin registry with any newly configured inspectors
-        PHObjectList* g_handlers = s_tl_handlers[Inspector::slot];
+        PHObjectList* g_handlers = s_tl_handlers[Inspector::get_slot()];
         for ( auto* p : sc->framework_config->clist )
         {
             PHObject& phg = get_thread_local_plugin(p->api, g_handlers);
@@ -1621,7 +1462,7 @@ void InspectorManager::thread_stop_removed(const SnortConfig* sc)
 void InspectorManager::thread_stop(const SnortConfig* sc)
 {
     // If thread_init() was never called, we have nothing to do.
-    PHObjectList* g_handlers = s_tl_handlers[Inspector::slot];
+    PHObjectList* g_handlers = s_tl_handlers[Inspector::get_slot()];
     if ( !g_handlers )
         return;
 
@@ -1653,7 +1494,7 @@ void InspectorManager::thread_stop(const SnortConfig* sc)
 void InspectorManager::thread_term()
 {
     // If thread_init() was never called, we have nothing to do.
-    PHObjectList* handlers = s_tl_handlers[Inspector::slot];
+    PHObjectList* handlers = s_tl_handlers[Inspector::get_slot()];
     if ( !handlers )
         return;
 
@@ -1664,7 +1505,7 @@ void InspectorManager::thread_term()
             phg.api.tterm();
     }
     delete handlers;
-    s_tl_handlers[Inspector::slot] = nullptr;
+    s_tl_handlers[Inspector::get_slot()] = nullptr;
 }
 
 //-------------------------------------------------------------------------
@@ -1806,24 +1647,6 @@ static bool configure(SnortConfig* sc, InspectorList* il, bool cloned, bool& new
     return ok;
 }
 
-Inspector* InspectorManager::acquire_file_inspector()
-{
-    Inspector* pi = get_file_inspector();
-
-    if ( !pi )
-        FatalError("unconfigured file inspector\n");
-    else
-        pi->add_global_ref();
-
-    return pi;
-}
-
-void InspectorManager::release(Inspector* pi)
-{
-    assert(pi);
-    pi->rem_global_ref();
-}
-
 bool InspectorManager::configure(SnortConfig* sc, bool cloned)
 {
     if ( !s_sorted )
@@ -2290,3 +2113,183 @@ void InspectorManager::clear(Packet* p)
     p->context->clear_inspectors = false;
 }
 
+Inspector* InspectorManager::get_binder()
+{
+    InspectionPolicy* pi = get_inspection_policy();
+
+    if ( !pi )
+        return nullptr;
+
+    assert(pi->framework_policy);
+    return pi->framework_policy->binder;
+}
+
+Inspector* InspectorManager::get_file_inspector(const SnortConfig* sc)
+{
+    if ( !sc )
+        sc = SnortConfig::get_conf();
+    SingleInstanceInspectorPolicy* fid = sc->policy_map->get_file_id();
+    return fid->instance ? fid->instance->handler : nullptr;
+}
+
+Inspector* InspectorManager::acquire_file_inspector()
+{
+    Inspector* pi = get_file_inspector();
+
+    if ( !pi )
+        FatalError("unconfigured file inspector\n");
+    else
+        pi->add_global_ref();
+
+    return pi;
+}
+
+// FIXIT-P cache get_inspector() returns or provide indexed lookup
+Inspector* InspectorManager::get_inspector(const char* key, bool dflt_only, const SnortConfig* snort_config)
+{
+    InspectionPolicy* pi;
+    NetworkPolicy* ni;
+
+    const SnortConfig* sc = snort_config;
+    if ( !sc )
+        sc = SnortConfig::get_conf();
+    assert(sc);
+    if ( dflt_only )
+    {
+        ni = get_default_network_policy(sc);
+        pi = ni->get_inspection_policy(0);
+    }
+    else
+    {
+        pi = get_inspection_policy();
+        // During reload, get_network_policy will return the network policy from the new snort config
+        // for a given tenant
+        ni = get_network_policy();
+        if (!snort_config)
+        {
+            // If no snort config is passed in, it means that this is either a normally running system with
+            // the correct network policy set or that get_inspector is being called from Inspector::configure
+            // and it is expecting the inspector from the running configuration and not the new snort config
+            if (ni)
+            {
+                PolicyMap* pm = sc->policy_map;
+                NetworkPolicy* np = pm->get_user_network(ni->user_policy_id);
+                if (np)
+                {
+                    // If network policy is correct, then no need to change the inspection policy
+                    if (np != ni && pi)
+                        pi = np->get_user_inspection_policy(pi->user_policy_id);
+                    ni = np;
+                }
+                else
+                    pi = nullptr;
+            }
+            else
+                pi = nullptr;
+        }
+    }
+
+    if ( pi )
+    {
+        PHInstance* p = get_instance(pi->framework_policy, key);
+        if ( p )
+            return p->handler;
+    }
+
+    if ( ni && ni->traffic_policy )
+    {
+        PHInstance* p = get_instance(ni->traffic_policy, key);
+        if ( p )
+            return p->handler;
+    }
+
+    GlobalInspectorPolicy* pp = sc->policy_map->get_global_inspector_policy();
+    PHInstance* p = get_instance(pp, key);
+    if ( p )
+        return p->handler;
+
+    SingleInstanceInspectorPolicy* ft = sc->policy_map->get_flow_tracking();
+    if ( ft->instance && ft->instance->name == key )
+        return ft->instance->handler;
+
+    SingleInstanceInspectorPolicy* fid = sc->policy_map->get_file_id();
+    if ( fid->instance && fid->instance->name == key )
+        return fid->instance->handler;
+
+    return nullptr;
+}
+
+Inspector* InspectorManager::get_inspector(const char* key, Module::Usage usage, InspectorType type)
+{
+    const SnortConfig* sc = SnortConfig::get_conf();
+    if (!sc)
+        return nullptr;
+
+    if (Module::GLOBAL == usage && IT_FILE == type)
+    {
+        SingleInstanceInspectorPolicy* fid = sc->policy_map->get_file_id();
+        assert(fid);
+        return (fid->instance && fid->instance->name == key) ? fid->instance->handler : nullptr;
+    }
+    else if (Module::GLOBAL == usage && IT_STREAM == type)
+    {
+        SingleInstanceInspectorPolicy* ft = sc->policy_map->get_flow_tracking();
+        assert(ft);
+        return (ft->instance && ft->instance->name == key) ? ft->instance->handler : nullptr;
+    }
+    else
+    {
+        if (Module::GLOBAL == usage && IT_SERVICE != type)
+        {
+            GlobalInspectorPolicy* il = sc->policy_map->get_global_inspector_policy();
+            assert(il);
+            PHInstance* p = il->get_instance_by_type(key, type);
+            return p ? p->handler : nullptr;
+        }
+        else if (Module::CONTEXT == usage)
+        {
+            NetworkPolicy* np = get_network_policy();
+            if (!np)
+                return nullptr;
+            PolicyMap* pm = sc->policy_map;
+            np = pm->get_user_network(np->user_policy_id);
+            if (!np)
+                return nullptr;
+            TrafficPolicy* il = np->traffic_policy;
+            assert(il);
+            PHInstance* p = il->get_instance_by_type(key, type);
+            return p ? p->handler : nullptr;
+        }
+        else
+        {
+            NetworkPolicy* orig_np = get_network_policy();
+            if (!orig_np)
+                return nullptr;
+            PolicyMap* pm = sc->policy_map;
+            NetworkPolicy* np = pm->get_user_network(orig_np->user_policy_id);
+            if (!np)
+                return nullptr;
+            InspectionPolicy* ip = get_inspection_policy();
+            if (!ip)
+                return nullptr;
+            // If network policy is correct, then no need to change the inspection policy
+            if (np != orig_np)
+            {
+                ip = np->get_user_inspection_policy(ip->user_policy_id);
+                if (!ip)
+                    return nullptr;
+            }
+            FrameworkPolicy* il = ip->framework_policy;
+            assert(il);
+            PHInstance* p = il->get_instance_by_type(key, type);
+            return p ? p->handler : nullptr;
+        }
+    }
+}
+
+void InspectorManager::release(Inspector* pi)
+{
+    assert(pi);
+    pi->rem_global_ref();
+}
+
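Review bot: `get_file_inspector()` dereferences the result of `sc->policy_map->get_file_id()` without checking it, while the sibling `get_inspector(key, usage, type)` right below asserts `fid` and `ft` before use; adding `assert(fid);` after `SingleInstanceInspectorPolicy* fid = sc->policy_map->get_file_id();` would make the two consistent. Null handling of the config also differs between the relocated functions — `get_inspector(key, dflt_only, ...)` asserts `sc`, the usage/type overload returns nullptr, and `get_file_inspector` does neither — which is pre-existing but worth unifying now that they sit together. The file also gains a trailing blank line after `release()`.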
index 62ee48dd07136dc3f42170a36183c85c16e53965..032a6179e2b3de0a6d3f4a38f9dd13cb8d561784 100644 (file)
@@ -78,23 +78,6 @@ public:
     static void destroy_global_inspector_policy(GlobalInspectorPolicy*, bool cloned);
     static InspectSsnFunc get_session(uint16_t proto);
 
-    SO_PUBLIC static Inspector* get_file_inspector(const SnortConfig* = nullptr);
-
-    // This assumes that, in a multi-tenant scenario, this is called with the correct network and inspection
-    // policies are set correctly
-    SO_PUBLIC static Inspector* get_inspector(const char* key, bool dflt_only = false, const SnortConfig* = nullptr);
-
-    // This cannot be called in or before the inspector configure phase for a new snort config during reload
-    SO_PUBLIC static Inspector* get_inspector(const char* key, Module::Usage, InspectorType);
-
-    SO_PUBLIC static Inspector* get_service_inspector_by_service(const char*);
-    static Inspector* get_service_inspector_by_id(const SnortProtocolId);
-
-    SO_PUBLIC static Binder* get_binder();
-
-    SO_PUBLIC static Inspector* acquire_file_inspector();
-    SO_PUBLIC static void release(Inspector*);
-
     static bool configure(SnortConfig*, bool cloned = false);
     static void prepare_inspectors(SnortConfig*);
     static void prepare_controls(SnortConfig*);
@@ -116,6 +99,23 @@ public:
     static void reconcile_inspectors(const SnortConfig*, SnortConfig*, bool cloned = false);
     static void clear_removed_inspectors(SnortConfig*);
 
+    static Inspector* get_binder();
+
+    static Inspector* acquire_file_inspector();
+    static Inspector* get_file_inspector(const SnortConfig* = nullptr);
+
+    static Inspector* get_service_inspector(const SnortProtocolId);
+    static Inspector* get_service_inspector(const char*);
+
+    // This assumes that, in a multi-tenant scenario, this is called with the correct network and inspection
+    // policies are set correctly
+    static Inspector* get_inspector(const char* key, bool dflt_only = false, const SnortConfig* = nullptr);
+
+    // This cannot be called in or before the inspector configure phase for a new snort config during reload
+    static Inspector* get_inspector(const char* key, Module::Usage, InspectorType);
+
+    static void release(Inspector*);
+
 private:
     static void bumble(Packet*);
     template<bool T> static void full_inspection(Packet*);
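Review bot: The comment carried over above `get_inspector(const char* key, bool dflt_only, const SnortConfig*)` does not parse ("this is called with the correct network and inspection policies are set correctly"), and none of the relocated lookups document that they return nullptr on a miss, which the `get_inspector(key, Usage, type)` body earlier in this diff does on every path. Suggest `// Multi-tenant callers must have the correct network and inspection policies set before calling; returns nullptr if no matching inspector is configured.` and a similar "returns nullptr if not configured" line on get_binder / get_file_inspector / get_service_inspector. Since SO_PUBLIC was dropped from all of them, a one-line note that these are now core-internal and no longer part of the plugin ABI would also help anyone who used to call them from a shared object.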
index d3c13aa214d78d8ecf1e8e91731eb463bf173d66..80af347a1be7f9b15933a9ec84732a92f4c873ac 100644 (file)
@@ -28,6 +28,7 @@
 
 #include "detection/fp_detect.h"
 #include "detection/treenodes.h"
+#include "framework/ips_info.h"
 #include "log/messages.h"
 #include "main/snort_config.h"
 
@@ -300,7 +301,8 @@ IpsOption* IpsManager::option_end(
         return nullptr;
     }
 
-    IpsOption* ips = opt->api->ctor(mod, otn);
+    IpsInfo info(otn, sc);
+    IpsOption* ips = opt->api->ctor(mod, info);
     type = opt->api->type;
     current_keyword.clear();
 
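Review bot: `info` is a stack object handed by non-const reference to a plugin-provided ctor (the appid ctor at the bottom of this diff now takes `IpsInfo&`), so any IpsOption that keeps the reference instead of copying what it needs dangles as soon as option_end returns; presumably the API intends it as call-scoped, but nothing here says so. Suggest a comment on the declaration, `// IpsInfo is valid only for the duration of the ctor call; options must copy what they need`, and the same wording on the IpsInfo type itself. IpsManager::option_end starts and ends outside this hunk.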
index 32747e3521e73ede4f81de067088b60682fb2f00..2a8366b505318c4d9ddaae85547e6a7517cc4607 100644 (file)
@@ -45,7 +45,7 @@
 #include "managers/inspector_manager.h"
 #include "parser/parse_conf.h"
 #include "parser/parser.h"
-#include "profiler/profiler.h"
+#include "profiler/profiler_impl.h"
 #include "protocols/packet_manager.h"
 #include "utils/util.h"
 
index 429db50a35bbc2bd09a75e189ab436753b4b74d3..ea83dc4bf96817f483d53f3621d6767ed88dbf65 100644 (file)
 #include <sstream>
 #include <sys/stat.h>
 
-#include "framework/codec.h"
-#include "framework/connector.h"
-#include "framework/logger.h"
-#include "framework/mpse.h"
-#include "framework/policy_selector.h"
+#include "framework/plugins.h"
 #include "helpers/directory.h"
 #include "helpers/markup.h"
 #include "log/messages.h"
@@ -155,11 +151,9 @@ static void set_key(string& key, Symbol* sym, const char* name)
 static bool compatible_builds(const char* plug_opts)
 {
     const char* snort_opts = API_OPTIONS;
+    assert(snort_opts);
 
-    if ( !snort_opts and !plug_opts )
-        return true;
-
-    if ( !snort_opts or !plug_opts )
+    if ( !plug_opts )
         return false;
 
     if ( strcmp(snort_opts, plug_opts) )
@@ -180,7 +174,10 @@ static bool register_plugin(
     const BaseApi* api, SoHandlePtr handle, const char* file, SnortConfig* sc)
 {
     if ( api->type >= PT_MAX )
+    {
+        ParseWarning(WARN_PLUGINS, "%s: invalid plugin type: %u", file, (unsigned)api->type);
         return false;
+    }
 
     Symbol* sym = symbols + api->type;
 
@@ -250,12 +247,8 @@ static void load_list(
 
 static bool load_lib(const char* file, SnortConfig* sc)
 {
-    struct stat fs;
     void* handle;
 
-    if ( stat(file, &fs) || !(fs.st_mode & S_IFREG) )
-        return false;
-
     if ( !(handle = dlopen(file, RTLD_NOW|RTLD_LOCAL)) )
     {
         if ( const char* err = dlerror() )
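Review bot: Dropping the stat/S_IFREG check from load_lib leaves the directory-walk path in load_plugins (`while ( const char* f = d.next() ) load_lib(f, sc);` in the later hunk) with no file-type check at all, because the new S_IFREG test only guards the single-path branch; unless Directory already filters by type, a FIFO, socket or subdirectory whose name matches lib_pattern now goes straight to dlopen, and a FIFO would stall the config load. Suggest keeping a cheap guard here, `struct stat fs; if ( stat(file, &fs) || !S_ISREG(fs.st_mode) ) return false;`, or confirming that Directory::next() yields only regular files. load_lib continues past the end of this hunk.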
@@ -349,8 +342,10 @@ static void load_plugins(const std::string& paths, SnortConfig* sc = nullptr)
     for ( auto& path : path_list )
     {
         if ( stat(path.c_str(), &sb) )
+        {
+            ParseWarning(WARN_PLUGINS, "%s: can't get file status", path.c_str());
             continue;
-
+        }
         if ( sb.st_mode & S_IFDIR )
         {
             Directory d(path.c_str(), lib_pattern);
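Review bot: The new warning on a failed stat() drops the reason, so the user sees `can't get file status` whether the path is missing, unreadable or too long; include errno while it is still valid, e.g. `ParseWarning(WARN_PLUGINS, "%s: can't get file status: %s", path.c_str(), strerror(errno));`. This runs during config parsing rather than on packet threads, so strerror is acceptable here; if the tree has a thread-safe wrapper, prefer that. The enclosing for-loop in load_plugins begins before the hunk and continues after it.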
@@ -358,13 +353,15 @@ static void load_plugins(const std::string& paths, SnortConfig* sc = nullptr)
             while ( const char* f = d.next() )
                 load_lib(f, sc);
         }
-        else
+        else if ( sb.st_mode & S_IFREG )
         {
             if ( path.find("/") == string::npos )
                 path = "./" + path;
 
             load_lib(path.c_str(), sc);
         }
+        else
+            ParseWarning(WARN_PLUGINS, "%s: not a directory or regular file", path.c_str());
     }
 }
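Review bot: The new `else if ( sb.st_mode & S_IFREG )`, like the `sb.st_mode & S_IFDIR` it pairs with, tests single bits of the multi-bit S_IFMT field, which misclassifies some file types: on Linux S_IFSOCK (0140000) contains both the S_IFDIR and S_IFREG bits and S_IFBLK (0060000) contains the S_IFDIR bit, so a socket is walked as a plugin directory and a block device is handed to Directory. Use the POSIX macros, `if ( S_ISDIR(sb.st_mode) )` and `else if ( S_ISREG(sb.st_mode) )`, which compare the whole type field; the new "not a directory or regular file" warning then fires for every other type, as intended.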
 
@@ -516,7 +513,7 @@ void PluginManager::instantiate(
     switch ( api->type )
     {
     case PT_CODEC:
-        CodecManager::instantiate((const CodecApi*)api, mod, sc);
+        CodecManager::instantiate((const CodecApi*)api, mod);
         break;
 
     case PT_INSPECTOR:
index 1446f0e0dd0de24d1b066568edbd8a6018256e2a..d6053d6e0946d39d8c50a23b9adf0984efd64790 100644 (file)
@@ -29,6 +29,7 @@
 #include "framework/policy_selector.h"
 #include "framework/module.h"
 #include "main/snort_config.h"
+#include "log/log_stats.h"
 #include "log/messages.h"
 #include "utils/util.h"
 
index cca82ba26c469e0d7e27ffe2060252e2ef8a4172..d12a73512298acdba6a0756fbe7a1308ffa8df20 100644 (file)
@@ -350,7 +350,6 @@ static const char* sp_help = "a proxy inspector to track flow data from SO rules
 class SoProxy : public Inspector
 {
 public:
-    void eval(Packet*) override { }
     bool configure(SnortConfig* sc) override
     {
         copy(sc->so_rules->handles.begin(), sc->so_rules->handles.end(), back_inserter(handles));
index 27e80aefe71d9bc40b7f89676f0f9942b4f72ac8..21a48ad68466c96be2947cfdc795e57133d9f103 100644 (file)
@@ -18,7 +18,7 @@
 // stubs.h author Ron Dempster <rdempste@cisco.com>
 
 #include "detection/detection_engine.h"
-#include "flow/expect_cache.h"
+#include "flow/expect_flow.h"
 #include "main/policy.h"
 #include "main/snort.h"
 #include "main/snort_config.h"
@@ -45,19 +45,24 @@ void update_buffer_map(const char**, const char*) { }
 
 namespace snort
 {
-unsigned THREAD_LOCAL Inspector::slot = 0;
 [[noreturn]] void FatalError(const char*,...) { exit(-1); }
 void LogMessage(const char*, ...) { }
 void LogLabel(const char*, FILE*) { }
 void ParseError(const char*, ...) { }
 void WarningMessage(const char*, ...) { }
+
 DataBus::DataBus() { }
 DataBus::~DataBus() { }
 void DataBus::publish(unsigned, unsigned, Packet*, Flow*) { }
 unsigned DataBus::get_id(const PubKey&) { return 0; }
+
 void DetectionEngine::disable_content(Packet*) { }
+
 unsigned SnortConfig::get_thread_reload_id() { return 1; }
 void SnortConfig::update_thread_reload_id() { }
+
+THREAD_LOCAL unsigned Inspector::slot = 0;
+bool Inspector::is_inactive() { return true; }
 Inspector::Inspector() { ref_count = nullptr; }
 Inspector::~Inspector() { }
 bool Inspector::likes(Packet*) { return false; }
@@ -69,6 +74,7 @@ void Inspector::rem_global_ref() { }
 void Inspector::allocate_thread_storage() { }
 void Inspector::copy_thread_storage(snort::Inspector*) { }
 const char* InspectApi::get_type(InspectorType) { return ""; }
+
 unsigned ThreadConfig::get_instance_max() { return 1; }
 bool Snort::is_reloading() { return false; }
 SnortProtocolId ProtocolReference::find(const char*) const { return UNKNOWN_PROTOCOL_ID; }
@@ -79,7 +85,7 @@ PegCount Module::get_global_count(const char*) const { return 0; }
 void Module::sum_stats(bool) { }
 void Module::init_stats(bool) { }
 void Module::main_accumulate_stats() { }
-void Module::show_interval_stats(IndexVec&, FILE*) { }
+void Module::show_interval_stats(std::vector<unsigned>&, FILE*) { }
 void Module::show_stats() { }
 void Module::reset_stats() { }
 Module* ModuleManager::get_module(const char*) { return nullptr; }
index 56bd7ccf6a09925dfe2dc485fd79e8572d4c0669..2a3016a3d3a04ec29232e7f0eb54c4be7529e4f7 100644 (file)
@@ -31,8 +31,6 @@
 
 using namespace snort;
 
-bool Inspector::is_inactive() { return true; }
-
 NetworkPolicy* snort::get_network_policy()
 { return (NetworkPolicy*)mock().getData("network_policy").getObjectPointer(); }
 NetworkPolicy* PolicyMap::get_user_network(uint64_t) const
@@ -97,7 +95,6 @@ class TestInspector : public Inspector
 public:
     TestInspector() = default;
     ~TestInspector() override = default;
-    void eval(Packet*) override { }
 };
 
 class TestModule : public Module
index f438b09663bbedb6b510b87b3e7c6138970e49ce..88dbd345fff63a242f3cf6eb11ebd0198b8cd620 100644 (file)
@@ -33,7 +33,6 @@
 
 #include "control/control.h"
 #include "log/messages.h"
-#include "main/thread.h"
 
 namespace memory
 {
index 2254999941fc2379c40fc18a57b04899cf577516..a157f3f978bc63a89e4d6eceeef58f8ed459eb29 100644 (file)
@@ -30,6 +30,7 @@
 #include <cassert>
 #include <vector>
 
+#include "log/log_stats.h"
 #include "log/messages.h"
 #include "main/snort_config.h"
 #include "main/snort_types.h"
index f56d21288314e9a29ac5f7bd74a79c05e6645a00..69083ecf5f9223d1bf7298b688c13aef96bef883 100644 (file)
@@ -26,8 +26,6 @@
 
 #include <cassert>
 
-#include "main/snort.h"
-#include "main/thread.h"
 #include "profiler/memory_profiler_active_context.h"
 
 #include "memory_allocator.h"
index 403cb39ea3472c22fd88ff527f1e176bce370f7c..8d26a6ce748d2a51b6985ddaa0a08c86bf55f352 100644 (file)
@@ -64,10 +64,6 @@ unsigned get_instance_id()
 
 THREAD_LOCAL const Trace* memory_trace = nullptr;
 
-void Periodic::register_handler(PeriodicHook, void*, uint16_t, uint32_t) { }
-
-void Profiler::register_module(const char*, const char*, snort::Module*) { }
-
 void ModuleManager::accumulate_module(const char*) { }
 
 //--------------------------------------------------------------------------
index 31f0f119bb7901559dbaf357821a0393ddbf33a6..0ce5353f1dd145772d8c6ee9aa6015ad72b69bf1 100644 (file)
@@ -3,7 +3,6 @@ set( MIME_INCLUDES
     decode_b64.h
     decode_base.h
     file_mime_config.h
-    file_mime_context_data.h
     file_mime_decode.h
     file_mime_log.h
     file_mime_paf.h
@@ -12,14 +11,8 @@ set( MIME_INCLUDES
 
 add_library ( mime OBJECT
     ${MIME_INCLUDES}
-    file_mime_config.cc
-    file_mime_context_data.cc
-    file_mime_decode.cc
-    file_mime_log.cc
-    file_mime_paf.cc
-    file_mime_process.cc
-    decode_base.cc
     decode_b64.cc
+    decode_base.cc
     decode_bit.cc
     decode_bit.h
     decode_buffer.cc
@@ -28,6 +21,13 @@ add_library ( mime OBJECT
     decode_qp.h
     decode_uu.cc
     decode_uu.h
+    file_mime_config.cc
+    file_mime_context_data.cc
+    file_mime_context_data.h
+    file_mime_decode.cc
+    file_mime_log.cc
+    file_mime_paf.cc
+    file_mime_process.cc
 )
 
 install (FILES ${MIME_INCLUDES}
index 91d150c470549a3c1c890e3d0c94f0df141db37f..db4490770590f56e8ed25cecd4d2f7d819496fdb 100644 (file)
@@ -44,10 +44,7 @@ namespace snort
 {
 // FIXIT-L inbuf should probably be const uint8_t*
 SO_PUBLIC int sf_base64decode(
-    uint8_t* inbuf, uint32_t inbuf_size,
-    uint8_t* outbuf, uint32_t outbuf_size,
-    uint32_t* bytes_written
-    );
+    uint8_t* inbuf, uint32_t inbuf_size, uint8_t* outbuf, uint32_t outbuf_size, uint32_t* bytes_written);
 }
 #endif
 
index deefca43308265c3aa0fbddeaaf80e6bf31817e0..0b7b881e6e865d1b4e5d06f60dc7c0da15a443ec 100644 (file)
@@ -5,7 +5,6 @@ add_subdirectory(binder)
 add_subdirectory(kaizen)
 add_subdirectory(normalize)
 add_subdirectory(packet_capture)
-add_subdirectory(packet_tracer)
 add_subdirectory(perf_monitor)
 add_subdirectory(port_scan)
 add_subdirectory(reputation)
@@ -24,7 +23,6 @@ set(STATIC_NETWORK_INSPECTOR_PLUGINS
     $<TARGET_OBJECTS:binder>
     $<TARGET_OBJECTS:kaizen>
     $<TARGET_OBJECTS:normalize>
-    $<TARGET_OBJECTS:packet_tracer>
     $<TARGET_OBJECTS:port_scan>
     $<TARGET_OBJECTS:reputation>
     $<TARGET_OBJECTS:rna>
index a0f27ce2527e0dfcff7780398d0d33e6f8e8bc0a..5ddbef5c3792dfa62114156d59a4fc009fd5da9e 100644 (file)
@@ -29,7 +29,6 @@
 
 #include "flow/flow.h"
 #include "framework/counts.h"
-#include "main/thread.h"
 #include "target_based/snort_protocols.h"
 #include "utils/util.h"
 
index 65fb7ce48fc1876ad550bdd6ceb6bd5f63366dce..f7ccfec6660825fb4c5c73b27f3f696b41eb1c4c 100644 (file)
@@ -252,8 +252,7 @@ const AppIdSessionApi* AppIdApi::get_appid_session_api(const Flow& flow) const
 
 bool AppIdApi::is_inspection_needed(const Inspector& inspector) const
 {
-    AppIdInspector* appid_inspector = (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME,
-        true);
+    AppIdInspector* appid_inspector = (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, true);
 
     if (!appid_inspector)
         return false;
@@ -269,7 +268,7 @@ bool AppIdApi::is_inspection_needed(const Inspector& inspector) const
 
 const char* AppIdApi::get_appid_detector_directory() const
 {
-    AppIdInspector* inspector = (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME, true);
+    AppIdInspector* inspector = (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, true);
     if (!inspector)
         return "";
 
index e1e99db640a476088e3f1e6a4bf6ece78ab6c04f..dc6ad285953ce84bb09f783653347e1df9e96b08 100644 (file)
@@ -22,6 +22,7 @@
 #ifndef APPID_DEBUG_H
 #define APPID_DEBUG_H
 
+#include <algorithm>
 #include <cstring>
 
 #include <daq_common.h>
@@ -29,7 +30,6 @@
 #include "detection/detection_engine.h"
 #include "protocols/ipv6.h"
 #include "protocols/protocol_ids.h"
-#include "main/thread.h"
 #include "sfip/sf_ip.h"
 
 class AppIdSession;
index b766cbea95b89ed07a433ba58b23a797700f0313..b43e71e234c57c70ce9615c59b8032589c4e2c18 100644 (file)
@@ -27,7 +27,8 @@
 #include "host_tracker/host_cache.h"
 #include "host_tracker/host_cache_segmented.h"
 
-#include "packet_tracer/packet_tracer.h"
+#include "log/messages.h"
+#include "packet_io/packet_tracer.h"
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
 #include "protocols/tcp.h"
@@ -67,7 +68,7 @@ static void populate_trace_data(AppIdSession& session)
 
     PacketTracer::daq_log("AppID+%" PRId64"++service: %s(%d), "
         "client: %s(%d), payload: %s(%d), misc: %s(%d)$",
-        TO_NSECS(pt_timer->get()),
+        PacketTracer::get_time(),
         (service_app_name ? service_app_name : ""), service_id,
         (client_app_name ? client_app_name : ""), client_id,
         (payload_app_name ? payload_app_name : ""), payload_id,
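Review bot: The format string still uses `PRId64` while the argument changed from `TO_NSECS(pt_timer->get())` to `PacketTracer::get_time()`; if get_time() returns anything other than exactly int64_t (say uint64_t, or a chrono duration), the variadic daq_log call is undefined and the value printed is garbage. Either confirm the return type or pin it at the call site with `static_cast<int64_t>(PacketTracer::get_time())`. populate_trace_data starts before the hunk.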
index 109e4f592ab31e43eb47a558cf4900e82032e643..4900cce4fd32e28afac0f00ec485c882fdf8b24a 100644 (file)
@@ -66,8 +66,8 @@ bool AppIdHAAppsClient::consume(Flow*& flow, const FlowKey* key, HAMessage& msg,
         return false;
 
     AppIdInspector* inspector =
-        static_cast<AppIdInspector*>(
-            InspectorManager::get_inspector(MOD_NAME, MOD_USAGE, appid_inspector_api.type));
+        static_cast<AppIdInspector*>(InspectorManager::get_inspector(MOD_NAME, MOD_USAGE, appid_inspector_api.type));
+
     if (!inspector or !pkt_thread_odp_ctxt)
         return false;
 
@@ -227,8 +227,8 @@ bool AppIdHAHttpClient::consume(Flow*& flow, const FlowKey* key, HAMessage& msg,
         return false;
 
     AppIdInspector* inspector =
-        static_cast<AppIdInspector*>(
-            InspectorManager::get_inspector(MOD_NAME, MOD_USAGE, appid_inspector_api.type));
+        static_cast<AppIdInspector*>(InspectorManager::get_inspector(MOD_NAME, MOD_USAGE, appid_inspector_api.type));
+
     if (!inspector or !pkt_thread_odp_ctxt)
         return false;
 
@@ -315,8 +315,8 @@ bool AppIdHATlsHostClient::consume(Flow*& flow, const FlowKey* key, HAMessage& m
         return false;
 
     AppIdInspector* inspector =
-        static_cast<AppIdInspector*>(
-            InspectorManager::get_inspector(MOD_NAME, MOD_USAGE, appid_inspector_api.type));
+        static_cast<AppIdInspector*>(InspectorManager::get_inspector(MOD_NAME, MOD_USAGE, appid_inspector_api.type));
+
     if (!inspector or !pkt_thread_odp_ctxt)
         return false;
 
index 32a5807076e65e28af72dd27e5155ab915c13da4..194af507797b0f6cd84062eb5e0a27a2bb1bd360 100644 (file)
@@ -30,6 +30,8 @@
 #include <cassert>
 
 #include "detection/detection_engine.h"
+#include "flow/stream_flow.h"
+
 #include "app_info_table.h"
 #include "app_cpu_profile_table.h"
 #include "appid_debug.h"
index ea17d1562569b35f5bffcc2089cb8b8ec21b382e..ad1a5ff94fbb3a793d667345c63c8c5bf5d85079 100644 (file)
@@ -30,9 +30,9 @@
 
 #include "flow/flow.h"
 #include "main/analyzer_command.h"
-#include "managers/inspector_manager.h"
+#include "main/snort_config.h"
 #include "managers/module_manager.h"
-#include "packet_tracer/packet_tracer.h"
+#include "packet_io/packet_tracer.h"
 #include "profiler/profiler.h"
 #include "pub_sub/appid_event_ids.h"
 #include "pub_sub/intrinsic_event_ids.h"
@@ -237,7 +237,7 @@ void AppIdInspector::eval(Packet* p)
     if (p->flow)
     {
         if (PacketTracer::is_daq_activated())
-            PacketTracer::pt_timer_start();
+            PacketTracer::restart_timer();
 
         AppIdDiscovery::do_application_discovery(p, *this, *pkt_thread_odp_ctxt, pkt_thread_tp_appid_ctxt);
         // FIXIT-L tag verdict reason as appid for daq
index abdcde5e7af0c2f2e3958ca1bb9b5de3046f7f60..c6c4c85f06f5aa329f81164c51b683e71438eff8 100644 (file)
@@ -344,7 +344,8 @@ static int reload_third_party(lua_State* L)
         return 0;
     }
 
-    AppIdInspector* inspector = (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME);
+    AppIdInspector* inspector = (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, true);
+
     if (!inspector)
     {
         ReloadTracker::failed(ctrlcon, "appid not enabled");
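Review bot: Switching both reload commands from `get_inspector(MOD_NAME)` to `get_inspector(MOD_NAME, true)` changes which policy is consulted (dflt_only is now true), so a deployment that enables appid only in a non-default inspection policy would get nullptr here and the control command would fail with "appid not enabled" even though appid is running. If the intent is that the reload commands only apply to the default-policy instance, say so next to the call, e.g. `// reload applies to the default-policy appid instance only`; otherwise the previous lookup should stay. reload_third_party starts before the hunk.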
@@ -442,7 +443,8 @@ static int reload_detectors(lua_State* L)
         ctrlcon->respond("== reload pending; retry\n");
         return 0;
     }
-    AppIdInspector* inspector = (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME);
+    AppIdInspector* inspector = (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, true);
+
     if (!inspector)
     {
         ctrlcon->respond("== reload detectors failed - appid not enabled\n");
index 92bab107f4d1cabfeb21e4214bba1a4dc5693e94..2bd77928e5316ddb2bb489d229916c84823fde09 100644 (file)
 #include <unordered_map>
 #include <vector>
 
+#include "framework/inspector.h"
+#include "log/log_stats.h"
 #include "log/messages.h"
-#include "main/thread.h"
+#include "main/thread_config.h"
 #include "trace/trace.h"
-#include "utils/stats.h"
 
 #include "app_info_table.h"
 #include "appid_debug.h"
index 6134f959b5e1c7d35430990c354841d31e955128..ce40543f0c3e83279c1fa471947c4d10e6f4f334 100644 (file)
@@ -36,6 +36,8 @@
 
 #include "application_ids.h"
 #include "framework/counts.h"
+#include "log/messages.h"
+#include "utils/util.h"
 
 struct AppIdStats
 {
index 1c9ff25559c713869835087daca7a9e240a91006..cc5e58e5b22d8b2d78227dd2e8ababb9cce03af1 100644 (file)
@@ -26,7 +26,6 @@
 #include "appid_session_api.h"
 
 #include "flow/ha.h"
-#include "managers/inspector_manager.h"
 #include "appid_inspector.h"
 #include "appid_peg_counts.h"
 #include "appid_session.h"
 
 using namespace snort;
 
-THREAD_LOCAL uint32_t AppIdSessionApi::appid_flow_data_id = 0;
+static THREAD_LOCAL uint32_t appid_flow_data_id = 0;
 
 AppIdSessionApi::AppIdSessionApi(const AppIdSession* asd, const SfIp& ip) :
-    StashGenericObject(STASH_GENERIC_OBJECT_APPID), asd(asd), initiator_ip(ip)
-{
-    session_id = std::to_string(get_instance_id()) + "." + std::to_string(++appid_flow_data_id);
-}
+    StashGenericObject(STASH_GENERIC_OBJECT_APPID), asd(asd), initiator_ip(ip),
+    session_id(std::to_string(get_instance_id()) + "." + std::to_string(++appid_flow_data_id))
+{ }
 
 AppId AppIdSessionApi::get_service_app_id() const
 {
index 6d72078b74cddb8de06ac0886861232f03a71d8d..fd6c4e12fea951c645300665c1ddbb261f3c6cb6 100644 (file)
@@ -186,8 +186,6 @@ private:
     ClientAppDescriptor client;
     PayloadAppDescriptor payload;
 
-    static THREAD_LOCAL uint32_t appid_flow_data_id;
-
     void set_ss_application_ids(AppId service, AppId client, AppId payload, AppId misc,
         AppId referred, AppidChangeBits& change_bits, Flow& flow);
     void set_ss_application_ids(AppId client, AppId payload, AppidChangeBits& change_bits, Flow& flow);
index d953594bb1c86b12aa677266cfb2821442eb96a3..39f13c0faad2d022bfbe761e5f4bca5ee84ed5d9 100644 (file)
@@ -17,7 +17,7 @@
 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 //--------------------------------------------------------------------------
 
-// appid_session.h author Sourcefire Inc.
+// appid_types.h author Sourcefire Inc.
 
 #ifndef APPID_TYPES_H
 #define APPID_TYPES_H
index 441eefdf462eb5307776498e47591d0a78c24499..0f9d26862034d07db58493a9976771e768ded29f 100644 (file)
@@ -23,6 +23,8 @@
 #include "config.h"
 #endif
 
+#include <cassert>
+
 #include "sf_mlmp.h"
 
 #include "search_engines/search_tool.h"
index b2292e9b5de9c0060fc7b20265353f817093cf73..724771e4256625d8e736e9518420695dd7a249a1 100644 (file)
@@ -37,6 +37,8 @@ static const char BIT_BANNER[] = "\023BitTorrent protocol";
 #define MAX_VER_LEN 4
 #define LAST_BANNER_OFFSET  (BIT_BANNER_LEN+RES_LEN+SHA_LEN+PEER_ID_LEN - 1)
 
+namespace
+{
 enum BITState
 {
     BIT_STATE_BANNER = 0,
@@ -64,6 +66,7 @@ struct ClientBITMsg
     uint8_t code;
 };
 #pragma pack()
+} // anonymous
 
 BitClientDetector::BitClientDetector(ClientDiscovery* cdm)
 {
index 63e5b3c3150722008a917c948483e85c697837e7..3c9e7ff5ab93b8aebddc06efe55deaf15b9c1759 100644 (file)
@@ -42,6 +42,8 @@ static const char UDP_BIT_COMMON_END[] = "1:y1:";
 #define UDP_BIT_COMMON_END_LEN (sizeof(UDP_BIT_COMMON_END)-1)
 #define UDP_BIT_END_LEN (UDP_BIT_COMMON_END_LEN+2)
 
+namespace
+{
 enum  BITState
 {
     BIT_STATE_BANNER = 0,
@@ -65,6 +67,7 @@ struct ClientBITData
     BITType type;
     unsigned pos;
 };
+} // anonymous
 
 BitTrackerClientDetector::BitTrackerClientDetector(ClientDiscovery* cdm)
 {
index d9d6a85f7e7eb55d5e551be6542ea24e96dc9691..29c9d075ce5d63a126394327d43586ad784a0019 100644 (file)
@@ -26,6 +26,7 @@
 
 #include <algorithm>
 
+#include "log/messages.h"
 #include "managers/inspector_manager.h"
 #include "utils/util.h"
 #include "appid_debug.h"
@@ -115,7 +116,7 @@ void EveCaPatternMatchers::finalize_patterns()
 
         #ifdef REG_TEST
         AppIdInspector* inspector =
-            (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME, true);
+            (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, true);
         if (inspector and inspector->get_ctxt().config.log_eve_process_client_mappings)
             appid_log(nullptr, TRACE_INFO_LEVEL, "Adding EVE Client App pattern %d %s %d\n",
                 p->app_id, p->pattern.c_str(), p->confidence);
index f8b9393889ed24e99becc65404b156c8c6f4daf1..f877d6681d6cfc124a6f63be3960fabb3b783d0a 100644 (file)
@@ -144,6 +144,8 @@ static const char GOOGLE_TB_PATTERN[] = "toolbarqueries.google.com";
 
 #define COMPATIBLE_BROWSER_STRING " (Compat)"
 
+namespace
+{
 struct MatchedPatterns
 {
     DetectorHTTPPattern* mpattern;
@@ -152,6 +154,7 @@ struct MatchedPatterns
                           // matching character.
     MatchedPatterns* next;
 };
+}
 
 static DetectorHTTPPatterns static_content_type_patterns =
 {
index e9f4e6a606797b3d0213f3a15f9fc01a78090e97..eb6719e2d77f195c8127b720ede430b8f6017956 100644 (file)
@@ -81,7 +81,7 @@ static int cname_pattern_match(void* id, void*, int match_end_pos, void* data, v
     }
     return 0;
 }
-/*  
+/*
 Only patterns that match end of the payload AND
 (match the start of the payload
 or match after '.'
@@ -116,7 +116,7 @@ static bool scan_patterns(SearchTool& matcher, const uint8_t* data, size_t size,
 
     if (!mp)
         return false;
-    
+
     MatchedSslPatterns* tmp = mp;
 
     while (tmp)
index 3ec89ef90510e066c03a5de0b83eb5d14f3c0973..c9a397094225ee74cc1ed38515b6f52039aded29 100644 (file)
@@ -85,7 +85,7 @@ char* snort_strdup(const char* str)
 // LCOV_EXCL_START
 DiscoveryFilter::~DiscoveryFilter(){}
 void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { }
+void show_stats(PegCount*, const PegInfo*, const std::vector<unsigned>&, const char*, FILE*) { }
 // LCOV_EXCL_STOP
 
 #ifndef SIP_UNIT_TEST
@@ -95,12 +95,6 @@ public:
     AppIdInspector(AppIdModule&) { }
     ~AppIdInspector() override = default;
     bool configure(snort::SnortConfig*) override;
-// LCOV_EXCL_START
-    void eval(Packet*) override { }
-    void show(const SnortConfig*) const override { }
-    void tinit() override { }
-    void tterm() override { }
-// LCOV_EXCL_STOP
 private:
     AppIdContext* ctxt = nullptr;
 };
index db0761f498d8db170ffb74b68618ef31154bca0b..1b9db194100f7423f42012130cd15213659f1894 100644 (file)
 #include <map>
 
 #include "host_port_app_cache.h"
-#include "main/thread.h"
+
+#include "log/messages.h"
 #include "managers/inspector_manager.h"
+
 #include "appid_config.h"
 #include "appid_debug.h"
 #include "appid_inspector.h"
@@ -125,9 +127,9 @@ bool HostPortCache::add(const SnortConfig* sc, const SfIp* ip, uint16_t port, Ip
     HostPortVal hv;
 
     hk.ip = *ip;
-    AppIdInspector* inspector =
-        (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, false, sc);
+    AppIdInspector* inspector = (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, true, sc);
     assert(inspector);
+
     const AppIdContext& ctxt = inspector->get_ctxt();
     hk.port = (ctxt.get_odp_ctxt().allow_port_wildcard_host_cache)? 0 : port;
     hk.proto = proto;
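Review bot: With `dflt_only` now true, `get_inspector(MOD_NAME, true, sc)` returns nullptr whenever appid is not configured in the default inspection policy of `sc`, and the only guard is `assert(inspector)`, which is compiled out under NDEBUG, so `inspector->get_ctxt()` dereferences null in a release build. Since HostPortCache::add returns bool and is fed from configuration data, a real check is cheap: `if (!inspector) return false;` in place of the assert (or in addition to it). The same assert-only pattern is repeated in the two add_host hunks below; HostPortCache::add starts before this hunk.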
@@ -180,9 +182,9 @@ bool HostPortCache::add_host(const SnortConfig* sc, const SfIp* ip, uint32_t* ne
         HostAppIdsVal hv;
 
         hk.ip = *ip;
-        AppIdInspector* inspector =
-            (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, false, sc);
+        AppIdInspector* inspector = (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, true, sc);
         assert(inspector);
+
         const AppIdContext& ctxt = inspector->get_ctxt();
         hk.port = (ctxt.get_odp_ctxt().allow_port_wildcard_host_cache)? 0 : port;
         hk.proto = proto;
@@ -206,9 +208,9 @@ bool HostPortCache::add_host(const SnortConfig* sc, const SfIp* ip, uint32_t* ne
 
         memcpy(&hk.netmask[0], netmask, 16);
 
-        AppIdInspector* inspector =
-            (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, false, sc);
+        AppIdInspector* inspector = (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, true, sc);
         assert(inspector);
+
         const AppIdContext& ctxt = inspector->get_ctxt();
         hk.port = (ctxt.get_odp_ctxt().allow_port_wildcard_host_cache)? 0 : port;
         hk.proto = proto;
index 2a888a756ca7b5d7cb12e10a6c15d079828ca013..a5753dc1f72e25096013c9404af8b54b6f608b0e 100644 (file)
@@ -237,7 +237,7 @@ static void appid_option_mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* appid_option_ips_ctor(Module* p, OptTreeNode*)
+static IpsOption* appid_option_ips_ctor(Module* p, IpsInfo&)
 {
     AppIdOptionModule* m = (AppIdOptionModule*)p;
     return new AppIdIpsOption(m->appid_table);
index 554f810d82365b3bf8ebf0b0edd6bf2c437e9260..439e4d465f9441905938915dcd68cd3fe55120c0 100644 (file)
@@ -33,6 +33,7 @@
 #include <fstream>
 
 #include "log/messages.h"
+#include "main/snort_config.h"
 
 #include "appid_config.h"
 #include "appid_debug.h"
index b8a46fd95797b4b6203685e44f921aa22ad6dac9..85582240f4b1bb72f3af76cfa630e9dc2a403f88 100644 (file)
@@ -30,7 +30,6 @@
 #include <lua.hpp>
 #include <lua/lua.h>
 
-#include "main/thread.h"
 #include "main/thread_config.h"
 #include "protocols/protocol_ids.h"
 
index e8462a6b068fe00ab5cb38079d3e021c63bba492..5be483617c78ed537e82928a6037c69067be8801 100644 (file)
@@ -26,6 +26,7 @@
 
 #include <algorithm>
 
+#include "log/messages.h"
 #include "managers/inspector_manager.h"
 #include "utils/util.h"
 #include "appid_debug.h"
@@ -105,7 +106,7 @@ void AlpnPatternMatchers::finalize_patterns()
 
         #ifdef REG_TEST
         AppIdInspector* inspector =
-            (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME, true);
+            (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, true);
         if (inspector and inspector->get_ctxt().config.log_alpn_service_mappings)
             appid_log(nullptr, TRACE_INFO_LEVEL, "Adding ALPN service App pattern %d %s\n",
                 p->app_id, p->pattern.c_str());
diff --git a/src/network_inspectors/appid/service_plugins/test/service_netbios_test.cc b/src/network_inspectors/appid/service_plugins/test/service_netbios_test.cc
deleted file mode 100644 (file)
index 7843ad9..0000000
+++ /dev/null
@@ -1,99 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2020-2024 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation.  You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// service_netbios_test.cc author Kani Murthi<kamurthi@cisco.com>
-// unit test for service_netbios
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "network_inspectors/appid/service_plugins/service_detector.cc"
-#include "network_inspectors/appid/service_plugins/service_netbios.cc"
-#include "protocols/packet.h"
-#include "service_plugin_mock.h"
-
-#include <CppUTest/CommandLineTestRunner.h>
-#include <CppUTest/TestHarness.h>
-#include <CppUTestExt/MockSupport.h>
-
-void ServiceDiscovery::initialize(AppIdInspector&) {}
-void ServiceDiscovery::reload() {}
-void ServiceDiscovery::finalize_service_patterns() {}
-void ServiceDiscovery::match_by_pattern(AppIdSession&, const Packet*, IpProtocol) {}
-void ServiceDiscovery::get_port_based_services(IpProtocol, uint16_t, AppIdSession&) {}
-void ServiceDiscovery::get_next_service(const Packet*, const AppidSessionDirection, AppIdSession&)
-{}
-int ServiceDiscovery::identify_service(AppIdSession&, Packet*, AppidSessionDirection,
-    AppidChangeBits&) { return 0; }
-int ServiceDiscovery::add_ftp_service_state(AppIdSession&) { return 0; }
-bool ServiceDiscovery::do_service_discovery(AppIdSession&, Packet*, AppidSessionDirection,
-    AppidChangeBits&) { return false; }
-int ServiceDiscovery::incompatible_data(AppIdSession&, const Packet*,AppidSessionDirection,
-    ServiceDetector*) { return 0; }
-int ServiceDiscovery::fail_service(AppIdSession&, const Packet*, AppidSessionDirection,
-    ServiceDetector*, ServiceDiscoveryState*) { return 0; }
-int ServiceDiscovery::add_service_port(AppIdDetector*,
-    const ServiceDetectorPort&) { return APPID_EINVALID; }
-void AppIdSessionApi::set_netbios_name(AppidChangeBits&, const char*) {}
-void AppIdSessionApi::set_netbios_domain(AppidChangeBits&, const char*) {}
-
-TEST_GROUP(service_netbios_test){};
-
-TEST(service_netbios_test, check_add_smb_info_pointer )
-{
-    const uint8_t data[] = { 0x11, 0x02, 0x45, 0x63, 0xac, 0x1f, 0x13, 0x49, 0x00, 0x8a, 0x00, 0xd7,
-        0x00, 0x00, 0x20, 0x45, 0x50, 0x45, 0x4c, 0x45, 0x4a, 0x43, 0x4e, 0x44, 0x42, 0x44, 0x46,
-        0x45, 0x46, 0x44, 0x47, 0x45, 0x43, 0x45, 0x44, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43,
-        0x41, 0x43, 0x41, 0x41, 0x41, 0x00, 0x20, 0x46, 0x48, 0x45, 0x50, 0x46, 0x43, 0x45, 0x4c,
-        0x45, 0x48, 0x46, 0x43, 0x45, 0x50, 0x46, 0x46, 0x46, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43,
-        0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x42, 0x4e, 0x00, 0xff, 0x53, 0x4d, 0x42, 0x25,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00,
-        0x2f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x2f, 0x00, 0x56, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
-        0x02, 0x00, 0x40, 0x00, 0x5c, 0x4d, 0x41, 0x49, 0x4c, 0x53, 0x4c, 0x4f, 0x54, 0x5c, 0x42,
-        0x52, 0x4f, 0x57, 0x53, 0x45, 0x00, 0x01, 0x00, 0x60, 0xea, 0x00, 0x00, 0x4f, 0x4b, 0x49,
-        0x2d, 0x31, 0x35, 0x45, 0x36, 0x42, 0x43, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
-        0x03, 0x22, 0x41, 0x00, 0x0f, 0x01, 0x55, 0xaa, 0x43, 0x68, 0x61, 0x6e, 0x64, 0x72, 0x61,
-        0x27, 0x73, 0x20, 0x63, 0x75, 0x62, 0x65, 0x01};
-    uint16_t size =215;
-    AppidSessionDirection dir = APP_ID_FROM_INITIATOR;
-    AppIdInspector ins;
-    OdpContext odp_ctxt(config, nullptr);
-    snort::Packet pkt;
-    AppidChangeBits cb;
-    SfIp ip;
-    AppIdSession asd(IpProtocol::TCP, &ip, 21, ins, odp_ctxt);
-    AppIdDiscoveryArgs args(data, size, dir, asd, &pkt,cb);
-    ServiceDiscovery& s_discovery_manager = asd.get_odp_ctxt().get_service_disco_mgr();
-    args.pkt->ptrs.sp = args.pkt->ptrs.dp = 138;
-    NbdgmServiceDetector nsd(&s_discovery_manager);
-    nsd.validate(args);
-    FpSMBData *smb_ptr1 = (FpSMBData*)(asd.get_flow_data(APPID_SESSION_DATA_SMB_DATA));
-    nsd.validate(args);
-    FpSMBData *smb_ptr2 = (FpSMBData*)(asd.get_flow_data(APPID_SESSION_DATA_SMB_DATA));
-    CHECK(smb_ptr1 == smb_ptr2);
-    asd.free_flow_data();
-    delete &asd.get_api();
-}
-
-int main(int argc, char** argv)
-{
-    int return_value = CommandLineTestRunner::RunAllTests(argc, argv);
-    return return_value;
-}
index bebe043518b74ba8cf8c28c45c5c062ca7f929c3..0e255657db93c8b5d2014aa6154560d3c3bd9702 100644 (file)
@@ -22,7 +22,6 @@
 #include "appid_detector.h"
 #include "appid_module.h"
 #include "appid_peg_counts.h"
-#include "utils/stats.h"
 
 #define APPID_UT_ID 1492
 
@@ -65,11 +64,6 @@ char* snort_strdup(const char* str)
     memcpy(p, str, n);
     return p;
 }
-class InspectorManager
-{
-public:
-SO_PUBLIC static Inspector* get_inspector(const char*, bool, SnortConfig*) {return nullptr;}
-};
 Module::Module(const char*, const char*) {}
 Module::Module(const char*, const char*, const Parameter*, bool)
 {}
@@ -118,13 +112,12 @@ int AppIdSession::add_flow_data(void*, unsigned, AppIdFreeFCN) { return 0; }
 int dcerpc_validate(const uint8_t*, int){return 0; }
 AppIdDiscovery::~AppIdDiscovery() { }
 void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { }
+void show_stats(PegCount*, const PegInfo*, const vector<unsigned>&, const char*, FILE*) { }
 AppIdConfig config;
 AppIdContext ctxt(config);
 class AppIdInspector : public snort::Inspector
 {
 public:
-    void eval(Packet*) override { }
     bool configure(snort::SnortConfig*) override { return true; }
 };
 
index c62636992088729ba9022febd66eb7f4329fb9b8..ec552b19c9065d7ca777ddc7249a0865b1e16f43 100644 (file)
@@ -27,6 +27,7 @@
 #include <string>
 
 #include "framework/data_bus.h"
+#include "managers/inspector_manager.h"
 #include "protocols/protocol_ids.h"
 #include "pub_sub/appid_event_ids.h"
 #include "service_inspectors/http_inspect/http_msg_header.h"
index d9c1dd3df08e1e69eed22fe46c5dac19335b8aa3..92ae8dd1d4afcf7011cdb512d4d94d6f1f99fdad 100644 (file)
@@ -28,7 +28,7 @@
 #include "host_tracker/host_cache.h"
 #include "network_inspectors/appid/appid_discovery.cc"
 #include "network_inspectors/appid/appid_peg_counts.h"
-#include "network_inspectors/packet_tracer/packet_tracer.h"
+#include "packet_io/packet_tracer.h"
 #include "pub_sub/appid_event_ids.h"
 #include "search_engines/search_tool.h"
 #include "utils/sflsq.cc"
@@ -52,11 +52,9 @@ AppIdApi appid_api;
 const char* AppIdApi::get_application_name(AppId, OdpContext&) { return NULL; }
 
 // Stubs for packet tracer
-THREAD_LOCAL PacketTracer* s_pkt_trace = nullptr;
-THREAD_LOCAL Stopwatch<SnortClock>* pt_timer = nullptr;
 void PacketTracer::daq_log(const char*, ...) { }
-void FatalError(const char* fmt, ...) { (void)fmt; exit(1); }
-void WarningMessage(const char*,...) { }
+uint64_t PacketTracer::get_time() { return 0; }
+THREAD_LOCAL PacketTracer* PacketTracer::s_pkt_trace = nullptr;
 
 // Stubs for packet
 Packet::Packet(bool) {}
@@ -87,6 +85,9 @@ PegCount Module::get_global_count(char const*) const { return 0; }
 void LogLabel(const char*, FILE*) {}
 void LogText(const char*, FILE*) {}
 
+void FatalError(const char* fmt, ...) { (void)fmt; exit(1); }
+void WarningMessage(const char*,...) { }
+
 // Stubs for utils
 char* snort_strdup(const char* str)
 {
index 81adda7ad1bcdb52bc779e96aeca13eb97873ace..9c9eb7c1c4994432d7be3484711e3b4e23364378 100644 (file)
@@ -28,6 +28,7 @@
 
 #include "framework/data_bus.h"
 #include "protocols/protocol_ids.h"
+#include "profiler/profiler_impl.h"
 #include "service_inspectors/http_inspect/http_msg_header.h"
 #include "tp_appid_module_api.h"
 #include "tp_appid_session_api.h"
index af5093fbe2c6b2872e452aa1a624018fcff38b95..5ada0ec6f4348f4665e494893192a77881a14b7b 100644 (file)
@@ -24,6 +24,8 @@
 
 #include "network_inspectors/appid/appid_session_api.cc"
 
+#include "managers/inspector_manager.h"
+
 #include "appid_mock_definitions.h"
 #include "appid_mock_session.h"
 
index 1dc854b7e50dbdcf22e30855ed67f6b950305d0a..421e6f7a6cb9bcb82931d99cf54cbd04716f2a2a 100644 (file)
@@ -28,6 +28,9 @@
 #define TP_SUPPORTED 1
 
 #include "tp_lib_handler.h"
+
+#include "profiler/profiler.h"
+
 #include "appid_config.h"
 #include "log_message_mock.h"
 
@@ -73,13 +76,8 @@ int ServiceDiscovery::add_service_port(AppIdDetector*, const ServiceDetectorPort
 { return 0; }
 void appid_log(const snort::Packet*, unsigned char, char const*, ...) { }
 
-
 THREAD_LOCAL ProfileStats tp_appid_perf_stats;
 THREAD_LOCAL bool TimeProfilerStats::enabled = false;
-MemoryContext::MemoryContext(MemoryTracker&) { }
-MemoryContext::~MemoryContext() = default;
-THREAD_LOCAL TimeContext* ProfileContext::curr_time = nullptr;
-
 
 TEST_GROUP(tp_lib_handler)
 {
index 6574ece61ab7792fc5b84fc17f7ec4c2ba00fd49..a40148bdd36c92fe9b6123be29b1ab219c1e1ec0 100644 (file)
 #endif
 
 #include "tp_appid_module_api.h"
+
 #include "managers/module_manager.h"
+#include "profiler/profiler.h"
+
 #include "appid_module.h"
 #include "tp_lib_handler.h"
 
index 96eb57b7590ce3beb5513b13be52b11aa174953b..a56e18ff0c33cc6e2d1ea96feeaa1c7c799843fa 100644 (file)
@@ -24,8 +24,8 @@
 #include <vector>
 #include <string>
 
-#include "main/thread.h"
-#include "profiler/profiler_defs.h"
+#include "main/snort_types.h"
+
 #include "tp_appid_types.h"
 
 #define THIRD_PARTY_APPID_API_VERSION 6
index cb2c6264b11bfca7d8f1d0d40c74bfe6ef716663..daa70ac90197cff6dfeb5dd381eb4fc31b8d5118 100644 (file)
@@ -26,6 +26,7 @@
 #include <iostream>
 #include <dlfcn.h>
 
+#include "main/snort_config.h"
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
 #include "stream/stream.h"
index c04bc7c6e04d457576ff729b24029165a899169f..6fb55c524996e6e104b3a3c039a3618d79b9a8c6 100644 (file)
@@ -75,7 +75,6 @@
 #include <sstream>
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "log/messages.h"
 #include "profiler/profiler.h"
 #include "protocols/arp.h"
index 5bbc9f01cbbebd68d78642d2c5e5cdbacd4710dc..6d034702cce60a887bc51add9d7195c4d2ef0721 100644 (file)
@@ -124,16 +124,6 @@ static const Parameter binder_when_params[] =
     { "service", Parameter::PT_STRING, nullptr, nullptr,
       "override default configuration" },
 
-    // FIXIT-D deprecated zone parameters to be removed
-    { "zones", Parameter::PT_STRING, nullptr, nullptr,
-      "deprecated alias for groups" },
-
-    { "src_zone", Parameter::PT_STRING, nullptr, nullptr,
-      "deprecated alias for src_groups" },
-
-    { "dst_zone", Parameter::PT_STRING, nullptr, nullptr,
-      "deprecated alias for dst_groups" },
-
     { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
 
@@ -325,19 +315,19 @@ bool BinderModule::set(const char* fqn, Value& v, SnortConfig*)
             return false;
         binding.when.add_criteria(BindWhen::Criteria::BWC_SPLIT_INTFS);
     }
-    else if ( v.is("groups") || v.is("zones") )
+    else if ( v.is("groups") )
     {
         if (!parse_int_set<int16_t>(v, binding.when.src_groups))
             return false;
         binding.when.add_criteria(BindWhen::Criteria::BWC_GROUPS);
     }
-    else if ( v.is("src_groups") || v.is("src_zone") )
+    else if ( v.is("src_groups") )
     {
         if (!parse_int_set<int16_t>(v, binding.when.src_groups))
             return false;
         binding.when.add_criteria(BindWhen::Criteria::BWC_SPLIT_GROUPS);
     }
-    else if ( v.is("dst_groups") || v.is("dst_zone") )
+    else if ( v.is("dst_groups") )
     {
         if (!parse_int_set<int16_t>(v, binding.when.dst_groups))
             return false;
index 171b61cebd4702af96dc1f3189ca340d34c5213f..ccef0efb19ad413025bef9c4f630e1cfac79d0a4 100644 (file)
@@ -23,7 +23,9 @@
 
 #include "detection/detection_engine.h"
 #include "flow/flow.h"
+#include "framework/pig_pen.h"
 #include "log/messages.h"
+#include "main/snort_config.h"
 #include "managers/inspector_manager.h"
 #include "packet_io/active.h"
 #include "profiler/profiler.h"
@@ -31,6 +33,7 @@
 #include "pub_sub/assistant_gadget_event.h"
 #include "pub_sub/intrinsic_event_ids.h"
 #include "pub_sub/stream_event_ids.h"
+#include "sfip/sf_cidr.h"
 #include "stream/stream.h"
 #include "stream/stream_splitter.h"
 #include "target_based/host_attributes.h"
@@ -51,7 +54,7 @@ static Inspector* get_gadget(const SnortProtocolId protocol_id)
     if (protocol_id == UNKNOWN_PROTOCOL_ID)
         return nullptr;
 
-    return InspectorManager::get_service_inspector_by_id(protocol_id);
+    return InspectorManager::get_service_inspector(protocol_id);
 }
 
 static std::string to_string(const sfip_var_t* list)
@@ -460,7 +463,7 @@ void Stuff::apply_service(Flow& flow)
 void Stuff::apply_assistant(Flow& flow, const char* service)
 {
     if (!gadget)
-        gadget = InspectorManager::get_service_inspector_by_service(service);
+        gadget = InspectorManager::get_service_inspector(service);
 
     if (gadget)
         flow.set_assistant_gadget(gadget);
@@ -481,8 +484,6 @@ public:
     bool configure(SnortConfig*) override;
     void show(const SnortConfig*) const override;
 
-    void eval(Packet*) override { }
-
     void handle_packet(const Packet*);
     void handle_flow_setup(Flow&, bool standby = false);
     void handle_flow_service_change(Flow&);
@@ -512,7 +513,7 @@ public:
 
     void handle(DataEvent& e, Flow*) override
     {
-        Binder* binder = InspectorManager::get_binder();
+        Binder* binder = (Binder*)InspectorManager::get_binder();
         if (binder)
             binder->handle_packet(e.get_packet());
     }
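Review bot: The new `(Binder*)InspectorManager::get_binder()` on the changed line is a C-style cast, which will quietly degrade to a reinterpret_cast if get_binder()'s return type ever stops being a base of Binder; `Binder* binder = static_cast<Binder*>(InspectorManager::get_binder());` keeps it a checked downcast and matches the `static_cast<Reputation*>(PigPen::get_inspector(...))` form used in reputation_commands.cc in this same change. The identical cast is added in the six following handle() hunks and in the two `Binder* sub = ...` lines of get_bindings() in this file; the same replacement applies there. If get_binder() now returns the base Inspector type (inferred from the cast being needed at all), a one-line comment at the first use saying why the downcast is safe would help the next reader. The enclosing handler class starts outside the hunk.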
@@ -526,7 +527,7 @@ public:
 
     void handle(DataEvent&, Flow* flow) override
     {
-        Binder* binder = InspectorManager::get_binder();
+        Binder* binder = (Binder*)InspectorManager::get_binder();
         if (binder && flow && !flow->flags.ha_flow)
             binder->handle_flow_setup(*flow);
     }
@@ -540,7 +541,7 @@ public:
 
     void handle(DataEvent&, Flow* flow) override
     {
-        Binder* binder = InspectorManager::get_binder();
+        Binder* binder = (Binder*)InspectorManager::get_binder();
         if (binder && flow)
             binder->handle_flow_service_change(*flow);
     }
@@ -554,7 +555,7 @@ public:
 
     void handle(DataEvent&, Flow* flow) override
     {
-        Binder* binder = InspectorManager::get_binder();
+        Binder* binder = (Binder*)InspectorManager::get_binder();
         if (binder && flow)
             binder->handle_flow_setup(*flow, true);
     }
@@ -567,7 +568,7 @@ public:
 
     void handle(DataEvent& event, Flow* flow) override
     {
-        Binder* binder = InspectorManager::get_binder();
+        Binder* binder = (Binder*)InspectorManager::get_binder();
         AssistantGadgetEvent* assistant_event = (AssistantGadgetEvent*)&event;
 
         if (binder && flow)
@@ -584,7 +585,7 @@ public:
     {
         if (flow && Flow::FlowState::INSPECT == flow->flow_state)
         {
-            Binder* binder = InspectorManager::get_binder();
+            Binder* binder = (Binder*)InspectorManager::get_binder();
             if (binder)
                 binder->handle_flow_after_reload(*flow);
         }
@@ -939,7 +940,7 @@ void Binder::get_bindings(Flow& flow, Stuff& stuff, const char* service)
     get_policy_bindings(flow, service);
 
     // If policy selection produced a new binder to use, use that instead.
-    Binder* sub = InspectorManager::get_binder();
+    Binder* sub = (Binder*)InspectorManager::get_binder();
     if (sub && sub != this)
     {
         sub->get_bindings(flow, stuff, service);
@@ -970,7 +971,7 @@ void Binder::get_bindings(Packet* p, Stuff& stuff)
     get_policy_bindings(p);
 
     // If policy selection produced a new binder to use, use that instead.
-    Binder* sub = InspectorManager::get_binder();
+    Binder* sub = (Binder*)InspectorManager::get_binder();
     if (sub && sub != this)
     {
         sub->get_bindings(p, stuff);
index b6710d4a8d2e6ee33ad82d2f412b112df051e335..2b548007fd2b60061e0cfb78dcf5378fe4154062 100644 (file)
@@ -107,6 +107,7 @@ void Binding::configure(const SnortConfig* sc)
     {
         const char* name = use.name.c_str();
         Inspector* ins = InspectorManager::get_inspector(name, use.global_type, sc);
+
         if (ins)
         {
             switch (ins->get_api()->type)
index adf6977892b7bdb52ae3d34e0e753fb36c40e01f..bc27133fba95a422daf7021839312efe24c4fafc 100644 (file)
@@ -22,9 +22,9 @@
 
 #include <string>
 
-#include "framework/bits.h"
 #include "main/policy.h"
 #include "sfip/sf_ipvar.h"
+#include "utils/bits.h"
 
 namespace snort
 {
index bf3e745afb03ca4e4cce925f7684d8df633702ad..a84eaad4a53999e5859790eac4504a9f6931bd7e 100644 (file)
@@ -22,7 +22,6 @@
 #define NORM_STATS_H
 
 #include "framework/counts.h"
-#include "main/thread.h"
 
 #include "normalize.h"
 
index f778e0574cd2666d8a6e305d93963845094c7271..b546bef4b6d5673b698e5d6861f463450243d273 100644 (file)
@@ -29,7 +29,6 @@
 #include "framework/inspector.h"
 #include "log/messages.h"
 #include "packet_io/sfdaq.h"
-#include "packet_io/sfdaq_instance.h"
 #include "protocols/packet.h"
 #include "utils/util.h"
 
diff --git a/src/network_inspectors/packet_tracer/CMakeLists.txt b/src/network_inspectors/packet_tracer/CMakeLists.txt
deleted file mode 100644 (file)
index e4bcc19..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-set (PACKET_TRACER_INCLUDES
-    packet_tracer.h
-)
-
-add_library ( packet_tracer OBJECT
-    ${PACKET_TRACER_INCLUDES}
-    packet_tracer.cc
-    packet_tracer_module.h
-    packet_tracer_module.cc
-)
-
-install(FILES ${PACKET_TRACER_INCLUDES}
-    DESTINATION "${INCLUDE_INSTALL_PATH}/network_inspectors/packet_tracer"
-)
\ No newline at end of file
index bfc8d83e80d7922fa4637f18bfa9696f84dc728e..79cec8dc5100d9894efe88b95fbf18a3a3a19c60 100644 (file)
@@ -36,6 +36,8 @@
 #include "catch/snort_catch.h"
 #endif
 
+#include "main/thread.h"
+
 #define TRACKER_NAME PERF_NAME "_cpu"
 
 using namespace snort;
index 7a62076b1c9e2eaedfc2b7b72980ca36d76287b2..422c2ba5bca1f05372197a5cd57b4d3105a26f5d 100644 (file)
@@ -22,8 +22,6 @@
 
 #include <sstream>
 
-#include "utils/stats.h"
-
 #if HAVE_CONFIG_H
 #include "config.h"
 #endif
index 3019d053d68e75c3134363397a70cb0c6cd40e0c..b3c46afd73d8e8d7283fbc319e2f395c38c370d9 100644 (file)
 #include <lua.hpp>
 
 #include "control/control.h"
+#include "framework/pig_pen.h"
 #include "log/messages.h"
 #include "main/analyzer_command.h"
-#include "main/snort.h"
+#include "main/snort_config.h"
 #include "managers/module_manager.h"
 
 #include "perf_monitor.h"
@@ -138,7 +139,7 @@ bool PerfMonFlowIPDebug::execute(Analyzer&, void**)
 static int enable_flow_ip_profiling(lua_State* L)
 {
     PerfMonitor* perf_monitor =
-        (PerfMonitor*)InspectorManager::get_inspector(PERF_NAME, true);
+        (PerfMonitor*)PigPen::get_inspector(PERF_NAME, true);
 
     if (!perf_monitor)
     {
@@ -162,7 +163,7 @@ static int enable_flow_ip_profiling(lua_State* L)
 static int disable_flow_ip_profiling(lua_State* L)
 {
     PerfMonitor* perf_monitor =
-        (PerfMonitor*)InspectorManager::get_inspector(PERF_NAME, true);
+        (PerfMonitor*)PigPen::get_inspector(PERF_NAME, true);
 
     if (!perf_monitor)
     {
@@ -193,7 +194,7 @@ static int show_flow_ip_profiling(lua_State* L)
     bool status = false;
     ControlConn* ctrlcon = ControlConn::query_from_lua(L);
 
-    PerfMonitor* perf_monitor = (PerfMonitor*)InspectorManager::get_inspector(PERF_NAME, true);
+    PerfMonitor* perf_monitor = (PerfMonitor*)PigPen::get_inspector(PERF_NAME, true);
 
     if (perf_monitor)
         status = perf_monitor->is_flow_ip_enabled();
@@ -324,7 +325,7 @@ bool PerfMonModule::begin(const char* fqn, int idx, SnortConfig*)
 bool PerfMonModule::end(const char* fqn, int idx, SnortConfig* sc)
 {
 
-    if ( Snort::is_reloading() && strcmp(fqn, "perf_monitor") == 0 )
+    if ( PigPen::snort_is_reloading() && strcmp(fqn, "perf_monitor") == 0 )
         sc->register_reload_handler(new PerfMonReloadTuner(config->flowip_memcap));
 
     if ( idx != 0 && strcmp(fqn, "perf_monitor.modules") == 0 )
index 0b223e19d61671e2532cb11b5d35087ef418f017..2625e0384c4e4b71488da74c24bb9ced3625b50f 100644 (file)
@@ -61,7 +61,7 @@ struct ModuleConfig
     // state optimized for run time using indices
     // can't be determined until all modules have loaded (PerfMonitor::configure)
     snort::Module* ptr;
-    IndexVec pegs;
+    std::vector<unsigned> pegs;
 
     void set_name(const std::string& name);
     void set_peg_names(snort::Value& peg_names);
index 160027f69ebb9449749cb79edd768c3a3d2682f0..59a08f4398326d2c63cc8e9b89be1b6543b7f3f2 100644 (file)
 #include "perf_monitor.h"
 
 #include "framework/data_bus.h"
+#include "framework/pig_pen.h"
 #include "hash/hash_defs.h"
 #include "hash/xhash.h"
 #include "log/messages.h"
 #include "main/analyzer_command.h"
-#include "main/thread.h"
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
 #include "pub_sub/intrinsic_event_ids.h"
@@ -231,7 +231,7 @@ void PerfMonitor::tinit()
 
 bool PerfMonReloadTuner::tinit()
 {
-    PerfMonitor* pm = (PerfMonitor*)InspectorManager::get_inspector(PERF_NAME, true);
+    PerfMonitor* pm = (PerfMonitor*)PigPen::get_inspector(PERF_NAME, true);
     auto* new_constraints = pm->get_constraints();
 
     if (new_constraints->flow_ip_enabled)
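Review bot: The pointer returned by `PigPen::get_inspector(PERF_NAME, true)` on the changed line is dereferenced on the very next line (`pm->get_constraints()`) with no null check, whereas the same lookup in perf_monitor_module.cc's enable/disable/show_flow_ip_profiling (also changed in this commit) guards with `if (!perf_monitor)`. If the lookup can fail during a reload tinit as it evidently can elsewhere, add `if (!pm) return false;` after the changed line, or whatever return value the tuner contract treats as "nothing to do" (confirm against the base class, which is not in this chunk). PerfMonReloadTuner::tinit's body continues outside the hunk.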
@@ -351,7 +351,7 @@ void PerfMonitor::eval(Packet* p)
         if (ready_to_process(p))
         {
 #ifdef ENABLE_MEMORY_PROFILER
-            Profiler::show_runtime_memory_stats();
+            PigPen::show_runtime_memory_stats();
 #endif
             for (unsigned i = 0; i < trackers->size(); i++)
             {
index 31424c7528d0052ec7b2c0e50d181835c161ceea..f0704cf342ea3e08a3514878c445b38745d0a0c3 100644 (file)
@@ -21,7 +21,6 @@
 #ifndef PERF_MONITOR_H
 #define PERF_MONITOR_H
 
-#include "managers/inspector_manager.h"
 #include "protocols/packet.h"
 
 #include "base_tracker.h"
index 0c7cda2f811b0361c853b0e5ed2ce31d853ba2c7..fc74e81a721f188705575c0ee331fab026a433c5 100644 (file)
@@ -30,6 +30,7 @@
 
 #include "log/messages.h"
 #include "main/snort_config.h"
+#include "main/thread.h"
 #include "utils/util.h"
 #include "utils/util_cstring.h"
 
index 7d913ade8647d1cb999cbb4de1e8e4faea5c4132..4219938cd6edc449d3a8b512a2686b39cd4c8cea 100644 (file)
@@ -26,7 +26,7 @@
 
 #include <sstream>
 
-#include "utils/stats.h"
+#include "log/log_stats.h"
 
 #ifdef UNIT_TEST
 #include <cstdio>
index c58a956eac83d59d1cd0f702b3eae710ed1cac39..44e47215afaceb9d7cd67c233f6506ad569cd97e 100644 (file)
@@ -26,7 +26,6 @@
 
 #include "detection/detection_engine.h"
 #include "log/messages.h"
-#include "managers/inspector_manager.h"
 #include "profiler/profiler.h"
 #include "utils/util.h"
 #include "utils/util_cstring.h"
index cb64e18a2626bd89eba7e34fd0ac34aba317dbc5..1c5fd8dd5462ec677bd3134b7b5687e3475c5246 100644 (file)
@@ -42,7 +42,6 @@
 #include "stream/stream.h"
 #include "time/packet_time.h"
 #include "utils/cpp_macros.h"
-#include "utils/stats.h"
 
 #include "ps_inspect.h"
 #include "ps_pegs.h"
index 922c4726104fbc548ad1cf1173d05fe9d8ffb823..06b9577b612b4581f96eafe0eabc85522f8c91f7 100644 (file)
@@ -23,8 +23,9 @@
 #endif
 
 #include "ps_module.h"
+
+#include "framework/pig_pen.h"
 #include "log/messages.h"
-#include "main/snort.h"
 #include "main/snort_config.h"
 
 #include <cassert>
@@ -329,7 +330,7 @@ bool PortScanModule::set(const char* fqn, Value& v, SnortConfig*)
 
 bool PortScanModule::end(const char* fqn, int, SnortConfig* sc)
 {
-    if ( Snort::is_reloading() && strcmp(fqn, "port_scan") == 0 )
+    if ( PigPen::snort_is_reloading() && strcmp(fqn, "port_scan") == 0 )
         sc->register_reload_handler(new PortScanReloadTuner(config->memcap));
     return true;
 }
index 4f4a683385c12237dfb790dbe60a1f8e4e09e995..9270e3df5ad32e73df466392a3b06c131209db51 100644 (file)
 #include "reputation_commands.h"
 
 #include "control/control.h"
+#include "framework/pig_pen.h"
 #include "log/messages.h"
 #include "main/analyzer_command.h"
-#include "managers/inspector_manager.h"
+#include "main/snort_config.h"
 
 #include "reputation_common.h"
 #include "reputation_inspect.h"
@@ -75,7 +76,8 @@ bool ReputationReload::execute(Analyzer&, void**)
 static int reload(lua_State* L)
 {
     ControlConn* ctrlcon = ControlConn::query_from_lua(L);
-    Reputation* ins = static_cast<Reputation*>(InspectorManager::get_inspector(REPUTATION_NAME));
+    Reputation* ins = static_cast<Reputation*>(PigPen::get_inspector(REPUTATION_NAME));
+
     if (ins)
         main_broadcast_command(new ReputationReload(ctrlcon, *ins), ctrlcon);
     else
index 7c3548bbeee77e821ec2ddfa4ae5d22faa781e90..9c718b945e62687b6260ff9b9d7a523ed223aeb4 100644 (file)
 #ifndef REPUTATION_COMMON_H
 #define REPUTATION_COMMON_H
 
-#define REPUTATION_NAME "reputation"
-#define REPUTATION_HELP "reputation inspection"
-
 #define GID_REPUTATION 136
 
-#define REPUTATION_EVENT_BLOCKLIST_SRC   1
-#define REPUTATION_EVENT_ALLOWLIST_SRC   2
-#define REPUTATION_EVENT_MONITOR_SRC     3
-#define REPUTATION_EVENT_BLOCKLIST_DST   4
-#define REPUTATION_EVENT_ALLOWLIST_DST   5
-#define REPUTATION_EVENT_MONITOR_DST     6
-
 #endif
index a57150e446cfb0ea664dfdf4f9f3117d2cb81a6a..3e6bc6ff8de9bfe65cdda3e15e3878d2ce55c6c1 100644 (file)
@@ -21,7 +21,6 @@
 #define REPUTATION_CONFIG_H
 
 #include "framework/counts.h"
-#include "main/thread.h"
 #include "sfrt/sfrt.h"
 
 #include <vector>
index 9aa0f5f5c98cfa0891410c546da0ab6484095a95..06aa63cc79f9522537ad775823609202aff2cad3 100644 (file)
 
 #include "reputation_inspect.h"
 
-#include "detection/detect.h"
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "log/messages.h"
 #include "main/snort.h"
 #include "main/snort_config.h"
-#include "managers/inspector_manager.h"
-#include "network_inspectors/packet_tracer/packet_tracer.h"
 #include "packet_io/active.h"
+#include "packet_io/packet_tracer.h"
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
 #include "pub_sub/auxiliary_ip_event.h"
@@ -348,7 +345,7 @@ static void populate_trace_data(IPdecision& decision, Packet* p, uint32_t iplist
     sfip_ntop(ip, addr, sizeof(addr));
 
     PacketTracer::daq_log("SI-IP+%" PRId64"+%s list id %u+Matched ip %s, action %s$",
-        TO_NSECS(pt_timer->get()),
+        PacketTracer::get_time(),
         (TRUSTED_SRC == decision or TRUSTED_DST == decision)?"Do_not_block":"Block",
         iplist_id, addr, to_string(decision));
 }
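Review bot: The changed argument `PacketTracer::get_time()` is consumed by the `%" PRId64"` conversion on the preceding format line, but the stub added in this same change for the appid test (`uint64_t PacketTracer::get_time()`) declares it unsigned, so a signed 64-bit conversion is a format/argument mismatch that -Wformat reports and that misprints values with the top bit set. Change the format to `"SI-IP+%" PRIu64 "+%s list id %u+Matched ip %s, action %s$"` if get_time() is uint64_t in the real declaration (packet_tracer.h is not in this chunk; confirm there). The old `TO_NSECS(pt_timer->get())` argument may have had a different type, which would explain why PRId64 was previously correct.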
@@ -482,7 +479,7 @@ void IpRepHandler::handle(DataEvent& event, Flow*)
         return;
 
     if (PacketTracer::is_daq_activated())
-        PacketTracer::pt_timer_start();
+        PacketTracer::restart_timer();
 
     ReputationData* data = static_cast<ReputationData*>(inspector.get_thread_specific_data());
     assert(data);
index 37ea19d2cb6606e4490dfefc262167ec52744e2e..a1ee0bf27bfe7e71205ee8608a4063ff04f7167b 100644 (file)
 #include "reputation_config.h"
 #include "reputation_common.h"
 
+#define REPUTATION_NAME "reputation"
+#define REPUTATION_HELP "reputation inspection"
+
+#define REPUTATION_EVENT_BLOCKLIST_SRC   1
+#define REPUTATION_EVENT_ALLOWLIST_SRC   2
+#define REPUTATION_EVENT_MONITOR_SRC     3
+#define REPUTATION_EVENT_BLOCKLIST_DST   4
+#define REPUTATION_EVENT_ALLOWLIST_DST   5
+#define REPUTATION_EVENT_MONITOR_DST     6
+
 namespace snort
 {
 struct SnortConfig;
index fb2e957d2c611fd1069a2b82b56fe906c1af23b8..95fa15cbf50a96437fb3d202bd51af3c2c43979e 100644 (file)
@@ -1,14 +1,14 @@
 set (RNA_INCLUDES
+    rna_cpe_os.h
     rna_fingerprint.h
     rna_fingerprint_smb.h
     rna_fingerprint_tcp.h
     rna_fingerprint_ua.h
     rna_fingerprint_udp.h
-    rna_flow.h
     rna_inspector.h
-    rna_logger.h
+    rna_logger_event.h
     rna_name.h
-    rna_cpe_os.h
+    rna_tracker.h
 )
 
 set ( RNA_SOURCES
@@ -26,7 +26,9 @@ set ( RNA_SOURCES
     rna_fingerprint_udp.cc
     rna_inspector.cc
     rna_flow.cc
+    rna_flow.h
     rna_logger.cc
+    rna_logger.h
     rna_logger_common.h
     rna_mac_cache.cc
     rna_mac_cache.h
index 5027203dea13236755ca74b7c3fd2634961c0623..615662d02bcc0059d60820b097573a20e8d24e0f 100644 (file)
@@ -24,8 +24,6 @@
 
 #include "data_purge_cmd.h"
 
-#include "managers/inspector_manager.h"
-
 #include "rna_inspector.h"
 #include "rna_name.h"
 #include "rna_pnd.h"
index b98764ed2b95e27bfdc16088683a8ed274cbdc2d..1c377fc9ce3d73fe5cd7238b7b44537bbf2b8e09 100644 (file)
@@ -27,7 +27,6 @@
 #include <algorithm>
 #include <cstring>
 
-#include "main/thread.h"
 
 using namespace snort;
 using namespace std;
index 00074e568bc9450d0e2ca41f0f467cc15b1316b2..96db02787b487bdaef6e5a117f504338f8bbf777 100644 (file)
@@ -31,7 +31,6 @@
 #include "catch/snort_catch.h"
 #endif
 
-#include "main/thread.h"
 #include "pub_sub/dhcp_events.h"
 
 using namespace snort;
index 5678638701c43e802cce519febe451303c3a5824..88d4b860d2efaf0c49d8791c498936e5476d85ee 100644 (file)
@@ -29,6 +29,7 @@
 #include "sfip/sf_ip.h"
 
 #include "rna_fingerprint_tcp.h"
+#include "rna_tracker.h"
 
 namespace snort
 {
@@ -37,8 +38,6 @@ struct Packet;
 
 class DiscoveryFilter;
 
-using RnaTracker = std::shared_ptr<snort::HostTracker>;
-
 class RNAFlow : public snort::FlowData
 {
 public:
index 209bbafea61aa84e3a0243855b6ae877be96edf0..bdd8ccf620658027315a40d053d4677a698fadbd 100644 (file)
@@ -31,7 +31,6 @@
 
 #include "log/messages.h"
 #include "main/snort.h"
-#include "managers/inspector_manager.h"
 #include "protocols/packet.h"
 #include "pub_sub/appid_event_ids.h"
 #include "pub_sub/dhcp_events.h"
index 3d84872a9bb535dc28dacce43031503b4608c63b..b896402e3961d80ee860ab8a829a179aef134108 100644 (file)
@@ -32,6 +32,7 @@
 
 #include "rna_fingerprint.h"
 #include "rna_logger_common.h"
+#include "rna_logger_event.h"
 #include "rna_module.h"
 
 #ifdef UNIT_TEST
index 6d95dcdcd3c7d476468ac39d007486b637ca7295..0700d94ab80e65c2ff79ab784e085f03fc9458b1 100644 (file)
 #ifndef RNA_LOGGER_H
 #define RNA_LOGGER_H
 
-#include "events/event.h"
 #include "host_tracker/host_cache.h"
 #include "host_tracker/host_tracker.h"
 #include "rna_cpe_os.h"
-#include "rna_flow.h"
+#include "rna_tracker.h"
 
 namespace snort
 {
-class Flow;
 struct Packet;
 class FpFingerprint;
 }
 
-struct RnaLoggerEvent : public Event
-{
-    RnaLoggerEvent (uint16_t t, uint16_t st, const uint8_t* mc, const RnaTracker* rt,
-        const snort::HostMac* hmp, uint16_t pr, void* cv, const snort::HostApplication* hap,
-        const snort::FpFingerprint* fpr, const snort::HostClient* hcp, const char* u,
-        int32_t app, const char* di, bool jb, uint32_t ls, uint32_t nm,
-        const struct in6_addr* rtr, const snort::Packet* p, const char* nb_name,
-        const std::vector<const char*>* cpe) : type(t), subtype(st),
-        mac(mc), ht(rt), hm(hmp), proto(pr), cond_var(cv), ha(hap), fp(fpr), hc(hcp),
-        user(u), appid(app), device_info(di), jail_broken(jb), lease(ls), netmask(nm),
-        router(rtr), pkt(p), netbios_name(nb_name), cpe_os(cpe) { }
-
-    uint32_t event_time = 0;
-    uint16_t type;
-    uint16_t subtype;
-    const struct in6_addr* ip = nullptr;
-    const uint8_t* mac;
-    const RnaTracker* ht;
-    const snort::HostMac* hm;
-    uint16_t proto;
-    void* cond_var;
-    const snort::HostApplication* ha;
-    const snort::FpFingerprint* fp;
-    const snort::HostClient* hc;
-    const char* user;
-    AppId appid;
-    const char* device_info;
-    bool jail_broken;
-    uint32_t lease;
-    uint32_t netmask;
-    const struct in6_addr* router;
-    const snort::Packet* pkt;
-    const char* netbios_name = nullptr;
-    const std::vector<const char*>* cpe_os = nullptr;
-};
-
 class RnaLogger
 {
 public:
diff --git a/src/network_inspectors/rna/rna_logger_event.h b/src/network_inspectors/rna/rna_logger_event.h
new file mode 100644 (file)
index 0000000..11641d7
--- /dev/null
@@ -0,0 +1,72 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2014-2023 Cisco and/or its affiliates. All rights reserved.
+// Copyright (C) 2003-2013 Sourcefire, Inc.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+
+#ifndef RNA_LOGGER_EVENT_H
+#define RNA_LOGGER_EVENT_H
+
+#include "events/event.h"
+#include "host_tracker/host_cache.h"
+#include "host_tracker/host_tracker.h"
+#include "rna_cpe_os.h"
+#include "rna_tracker.h"
+
+namespace snort
+{
+struct Packet;
+class FpFingerprint;
+}
+
+struct RnaLoggerEvent : public Event
+{
+    RnaLoggerEvent (uint16_t t, uint16_t st, const uint8_t* mc, const RnaTracker* rt,
+        const snort::HostMac* hmp, uint16_t pr, void* cv, const snort::HostApplication* hap,
+        const snort::FpFingerprint* fpr, const snort::HostClient* hcp, const char* u,
+        int32_t app, const char* di, bool jb, uint32_t ls, uint32_t nm,
+        const struct in6_addr* rtr, const snort::Packet* p, const char* nb_name,
+        const std::vector<const char*>* cpe) :
+
+        type(t), subtype(st), mac(mc), ht(rt), hm(hmp), proto(pr), cond_var(cv), ha(hap),
+        fp(fpr), hc(hcp), user(u), appid(app), device_info(di), jail_broken(jb), lease(ls),
+        netmask(nm), router(rtr), pkt(p), netbios_name(nb_name), cpe_os(cpe) { }
+
+    uint32_t event_time = 0;
+    uint16_t type;
+    uint16_t subtype;
+    const struct in6_addr* ip = nullptr;
+    const uint8_t* mac;
+    const RnaTracker* ht;
+    const snort::HostMac* hm;
+    uint16_t proto;
+    void* cond_var;
+    const snort::HostApplication* ha;
+    const snort::FpFingerprint* fp;
+    const snort::HostClient* hc;
+    const char* user;
+    AppId appid;
+    const char* device_info;
+    bool jail_broken;
+    uint32_t lease;
+    uint32_t netmask;
+    const struct in6_addr* router;
+    const snort::Packet* pkt;
+    const char* netbios_name = nullptr;
+    const std::vector<const char*>* cpe_os = nullptr;
+};
+
+#endif
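Review bot: `RnaLoggerEvent` holds only non-owning pointers (`mac`, `hm`, `ha`, `fp`, `hc`, `user`, `device_info`, `router`, `pkt`, `netbios_name`, `cpe_os`, and `ht`, which is a pointer to a `shared_ptr` rather than a copy of it), yet nothing in the header says how long they stay valid, so a handler that keeps the event or any member beyond the publish call dangles. Add a comment above the struct, e.g. `// Non-owning view: every pointer refers to caller-owned data and is valid only while the event is being delivered; copy what you need to keep.` Separately, the header uses `std::vector` and `struct in6_addr` but includes neither `<vector>` nor `<netinet/in.h>`, relying on `host_tracker.h` to pull them in.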
index ff2cb97e42923295992c79da933b14c9001c4d1c..0ed4d22f9927fb21f26af3cfbd352e1a8e7df301 100644 (file)
 #include <sys/stat.h>
 
 #include "control/control.h"
+#include "framework/pig_pen.h"
 #include "host_tracker/host_cache.h"
 #include "host_tracker/host_cache_segmented.h"
 #include "log/messages.h"
 #include "lua/lua.h"
 #include "main/snort_config.h"
-#include "managers/inspector_manager.h"
 #include "managers/module_manager.h"
 #include "utils/util.h"
 
@@ -66,7 +66,7 @@ THREAD_LOCAL const Trace* rna_trace = nullptr;
 static int dump_mac_cache(lua_State* L)
 {
     RnaModule* mod = (RnaModule*) ModuleManager::get_module(RNA_NAME);
-    Inspector* rna = InspectorManager::get_inspector(RNA_NAME, true);
+    Inspector* rna = PigPen::get_inspector(RNA_NAME, true);
     if ( rna && mod )
         mod->log_mac_cache( luaL_optstring(L, 1, nullptr) );
     return 0;
@@ -89,7 +89,7 @@ static inline string format_dump_mac(const uint8_t mac[MAC_SIZE])
 
 static int purge_data(lua_State* L)
 {
-    Inspector* rna = InspectorManager::get_inspector(RNA_NAME, true);
+    Inspector* rna = PigPen::get_inspector(RNA_NAME, true);
     if ( rna )
     {
         HostCacheMac* mac_cache = new HostCacheMac(MAC_CACHE_INITIAL_SIZE);
@@ -164,7 +164,7 @@ static bool get_mac_from_args(lua_State* L, uint8_t* mac_addr)
 
 static int delete_mac_host(lua_State* L)
 {
-    Inspector* rna = InspectorManager::get_inspector(RNA_NAME, true);
+    Inspector* rna = PigPen::get_inspector(RNA_NAME, true);
     if ( rna )
     {
         uint8_t mac[MAC_SIZE] = {0};
@@ -200,7 +200,7 @@ static int delete_mac_host(lua_State* L)
 
 static int delete_mac_host_proto(lua_State* L)
 {
-    Inspector* rna = InspectorManager::get_inspector(RNA_NAME, true);
+    Inspector* rna = PigPen::get_inspector(RNA_NAME, true);
     if ( rna )
     {
         uint8_t mac[MAC_SIZE] = {0};
diff --git a/src/network_inspectors/rna/rna_tracker.h b/src/network_inspectors/rna/rna_tracker.h
new file mode 100644 (file)
index 0000000..c71f78b
--- /dev/null
@@ -0,0 +1,29 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2021-2023 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// rna_tracker.h author Silviu Minut <sminut@cisco.com>
+
+#ifndef RNA_TRACKER_H
+#define RNA_TRACKER_H
+
+#include "host_tracker/host_tracker.h"
+
+using RnaTracker = std::shared_ptr<snort::HostTracker>;
+
+#endif
+
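Review bot: `rna_tracker.h` spells `std::shared_ptr` but does not include `<memory>`, so it only compiles because `host_tracker/host_tracker.h` happens to pull it in; add `#include <memory>` above the project include. The alias is also placed in the global namespace while `HostTracker` lives in `snort`; if that is deliberate (to match the existing users of `RnaTracker`) a one-line comment saying so would stop a later cleanup from moving it.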
index 34043ca35ae3013df08ec1d55bc0f939c85b4696..9e47944d1f0afe58f52a8fb42b9a5f87b411c9e9 100644 (file)
@@ -81,10 +81,8 @@ bool DataPurgeAC::execute(Analyzer&, void**) { return true;}
 
 void set_host_cache_mac(HostCacheMac*) { }
 
-Inspector* InspectorManager::get_inspector(const char*, bool, const SnortConfig*)
-{
-    return nullptr;
-}
+Inspector* PigPen::get_inspector(const char*, bool, const SnortConfig*)
+{ return nullptr; }
 
 void HostTracker::remove_flows() { }
 
index fa17cb110b91c561e2f7832178d4d93fb6cea982..4b5a581f107c7daabbe274040fe8d7bc04e4d07b 100644 (file)
@@ -1,6 +1,9 @@
 
 set ( PACKET_IO_INCLUDES
     active.h
+    active_action.h
+    packet_constraints.h
+    packet_tracer.h
     sfdaq.h
     sfdaq_instance.h
 )
@@ -26,15 +29,17 @@ if (ENABLE_STATIC_DAQ)
 endif ()
 
 add_library (packet_io OBJECT
+    ${PACKET_IO_INCLUDES}
     active.cc
-    active.h
-    active_action.h
+    active_counts.h
+    packet_constraints.cc
+    packet_tracer.cc
+    packet_tracer_module.cc
+    packet_tracer_module.h
     sfdaq.cc
-    sfdaq.h
     sfdaq_config.cc
     sfdaq_config.h
     sfdaq_instance.cc
-    sfdaq_instance.h
     sfdaq_module.cc
     sfdaq_module.h
     trough.cc
index 54266b031d0a4abf43e223d633b4c929cd6bed46..fb1e228892956f2533d6112bd9dcfcc58e7d4108 100644 (file)
@@ -36,6 +36,7 @@
 #include "utils/dnet_header.h"
 
 #include "active_action.h"
+#include "active_counts.h"
 #include "sfdaq.h"
 #include "sfdaq_instance.h"
 #include "sfdaq_module.h"
@@ -67,10 +68,11 @@ const char* Active::act_str[Active::ACT_MAX][Active::AST_MAX] =
     { "reset", "cant_reset", "would_reset", "force_reset" },
 };
 
-THREAD_LOCAL uint8_t Active::s_attempts = 0;
-THREAD_LOCAL bool Active::s_suspend = false;
-THREAD_LOCAL Active::ActiveSuspendReason Active::s_suspend_reason = Active::ASP_NONE;
-THREAD_LOCAL Active::Counts snort::active_counts;
+static THREAD_LOCAL uint8_t s_attempts = 0;
+static THREAD_LOCAL bool s_suspend = false;
+static THREAD_LOCAL Active::ActiveSuspendReason s_suspend_reason = Active::ASP_NONE;
+
+static THREAD_LOCAL Active::Counts active_counts;
 
 typedef int (* send_t) (
     DAQ_Msg_h msg, int rev, const uint8_t* buf, uint32_t len);
@@ -84,6 +86,9 @@ static int default_drop_reason_id = -1;
 
 static std::unordered_map<std::string, uint8_t> drop_reason_id_map;
 
+PegCount* get_active_counts()
+{ return (PegCount*)&active_counts; }
+
 //--------------------------------------------------------------------
 // helpers
 
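Review bot: `get_active_counts` reinterprets the thread-local `Active::Counts` as a flat `PegCount` array with a C-style cast, which is only sound if the struct consists solely of `PegCount` fields with no padding, and nothing here checks that. Guard it with `static_assert(sizeof(Active::Counts) % sizeof(PegCount) == 0, "Active::Counts must be a flat array of PegCount");` and state in a comment that the pointer is to the calling thread's counters and must not be cached across threads or past `thread_term`. Whether `Counts` really is all-`PegCount` is not visible in this hunk.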
@@ -546,6 +551,43 @@ void Active::update_status_actionable(const Packet* p)
     }
 }
 
+void Active::suspend(ActiveSuspendReason suspend_reason)
+{
+    s_suspend = true;
+    s_suspend_reason = suspend_reason;
+}
+
+bool Active::is_suspended()
+{ return s_suspend; }
+
+void Active::resume()
+{
+    s_suspend = false;
+    s_suspend_reason = ASP_NONE;
+}
+
+bool Active::can_partial_block_session() const
+{ return active_status == AST_CANT and s_suspend_reason > ASP_NONE and s_suspend_reason != ASP_TIMEOUT; }
+
+bool Active::keep_pruned_flow() const
+{ return ( s_suspend_reason == ASP_PRUNE ) or ( s_suspend_reason == ASP_RELOAD ); }
+
+bool Active::keep_timedout_flow() const
+{ return ( s_suspend_reason == ASP_TIMEOUT ); }
+
+Active::ActiveWouldReason Active::get_whd_reason_from_suspend_reason()
+{
+    switch ( s_suspend_reason )
+    {
+    case ASP_NONE: return WHD_NONE;
+    case ASP_PRUNE: return WHD_PRUNE;
+    case ASP_TIMEOUT: return WHD_TIMEOUT;
+    case ASP_RELOAD: return WHD_RELOAD;
+    case ASP_EXIT: return WHD_EXIT;
+    }
+    return WHD_NONE;
+}
+
 void Active::update_status(const Packet* p, bool force)
 {
     if ( s_suspend )
index ce07196559aa39f2dce36775672a2d73b145d131..df84c4631fd5efd8323d7b62179733a89ba3139b 100644 (file)
@@ -69,33 +69,11 @@ public:
     static bool thread_init(const SnortConfig*);
     static void thread_term();
 
-    static void suspend(ActiveSuspendReason suspend_reason)
-    {
-        s_suspend = true;
-        s_suspend_reason = suspend_reason;
-    }
-
-    static bool is_suspended()
-    { return s_suspend; }
+    static void suspend(ActiveSuspendReason);
+    static bool is_suspended();
+    static void resume();
 
-    static void resume()
-    {
-        s_suspend = false;
-        s_suspend_reason = ASP_NONE;
-    }
-
-    static ActiveWouldReason get_whd_reason_from_suspend_reason()
-    {
-        switch ( s_suspend_reason )
-        {
-        case ASP_NONE: return WHD_NONE;
-        case ASP_PRUNE: return WHD_PRUNE;
-        case ASP_TIMEOUT: return WHD_TIMEOUT;
-        case ASP_RELOAD: return WHD_RELOAD;
-        case ASP_EXIT: return WHD_EXIT;
-        }
-        return WHD_NONE;
-    }
+    static ActiveWouldReason get_whd_reason_from_suspend_reason();
 
     void send_reset(Packet*, EncodeFlags);
     void send_unreach(Packet*, snort::UnreachResponse);
@@ -161,14 +139,9 @@ public:
     ActiveWouldReason get_would_be_dropped_reason() const
     { return active_would_reason; }
 
-    bool can_partial_block_session() const
-    { return active_status == AST_CANT and s_suspend_reason > ASP_NONE and s_suspend_reason != ASP_TIMEOUT; }
-
-    bool keep_pruned_flow() const
-    { return ( s_suspend_reason == ASP_PRUNE ) or ( s_suspend_reason == ASP_RELOAD ); }
-
-    bool keep_timedout_flow() const
-    { return ( s_suspend_reason == ASP_TIMEOUT ); }
+    bool can_partial_block_session() const;
+    bool keep_pruned_flow() const;
+    bool keep_timedout_flow() const;
 
     bool packet_retry_requested() const
     { return active_action == ACT_RETRY; }
@@ -231,9 +204,6 @@ private:
 
 private:
     static const char* act_str[ACT_MAX][AST_MAX];
-    static THREAD_LOCAL uint8_t s_attempts;
-    static THREAD_LOCAL bool s_suspend;
-    static THREAD_LOCAL ActiveSuspendReason s_suspend_reason;
 
     int active_tunnel_bypass = 0;
     const char* drop_reason = nullptr;
@@ -248,7 +218,7 @@ private:
     ActiveAction* delayed_reject = nullptr; // set with set_delayed_action()
 };
 
-struct SO_PUBLIC ActiveSuspendContext
+struct ActiveSuspendContext
 {
     ActiveSuspendContext(Active::ActiveSuspendReason suspend_reason)
     { Active::suspend(suspend_reason); }
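Review bot: `ActiveSuspendContext` is not re-entrant and nothing documents that: its destructor calls `Active::resume()`, which in this commit unconditionally clears `s_suspend` and the reason, so an inner guard that ends inside an outer guard's scope resumes active responses early, and the inner `suspend_reason` overwrites the outer one. Add a one-line comment on the struct, e.g. `// Not nestable: the inner context's destructor resumes for the outer one too.`, unless the guard is changed to save and restore the previous state. Dropping `SO_PUBLIC` from the struct is harmless only if `Active::suspend`/`resume`, now out of line, are exported through the class declaration itself, which is outside this hunk.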
@@ -257,7 +227,6 @@ struct SO_PUBLIC ActiveSuspendContext
     { Active::resume(); }
 };
 
-extern THREAD_LOCAL Active::Counts active_counts;
 }
 #endif
 
diff --git a/src/packet_io/active_counts.h b/src/packet_io/active_counts.h
new file mode 100644 (file)
index 0000000..8757350
--- /dev/null
@@ -0,0 +1,32 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2014-2023 Cisco and/or its affiliates. All rights reserved.
+// Copyright (C) 2005-2013 Sourcefire, Inc.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// active_counts.h author Russ Combs <rcombs@sourcefire.com>
+
+#ifndef ACTIVE_COUNTS_H
+#define ACTIVE_COUNTS_H
+
+// private Active accessors (not installed)
+
+#include "framework/counts.h"
+
+PegCount* get_active_counts();
+
+#endif
+
similarity index 99%
rename from src/framework/packet_constraints.cc
rename to src/packet_io/packet_constraints.cc
index 67ccdad999d92c47e65f77b7a5b1955642039973..7fd2e29c9ab2db39ac08887ed94deca3dca73a60 100644 (file)
 
 #include "packet_constraints.h"
 
-#include "protocols/packet.h"
-
+#include <algorithm>
 #include <cstring>
 
+#include "protocols/packet.h"
+
 namespace {
 
 inline bool match_constraints(const snort::PacketConstraints& cs,
similarity index 91%
rename from src/network_inspectors/packet_tracer/packet_tracer.cc
rename to src/packet_io/packet_tracer.cc
index 22d3c69bf2819db6778e296eadaa593b2400f793..2a19685f4a939e680dfebaf2999345a235dd5c5f 100644 (file)
 #include <sstream>
 
 #include "detection/ips_context.h"
-#include "log/log.h"
 #include "log/messages.h"
-#include "packet_io/active.h"
-#include "packet_io/sfdaq_instance.h"
+#include "main/thread.h"
 #include "protocols/eth.h"
 #include "protocols/icmp4.h"
 #include "protocols/ip.h"
@@ -41,6 +39,9 @@
 #include "protocols/tcp.h"
 #include "utils/util.h"
 
+#include "active.h"
+#include "sfdaq_instance.h"
+
 #ifdef UNIT_TEST
 #include "catch/snort_catch.h"
 #endif
@@ -52,9 +53,14 @@ using namespace snort;
 // -----------------------------------------------------------------------------
 
 // FIXIT-M refactor the way this is used so all methods are members called against this pointer
-THREAD_LOCAL PacketTracer* snort::s_pkt_trace = nullptr;
-
-THREAD_LOCAL Stopwatch<SnortClock>* snort::pt_timer = nullptr;
+#ifdef _WIN64
+static THREAD_LOCAL PacketTracer* s_pkt_trace = nullptr;
+#else
+namespace snort
+{
+THREAD_LOCAL PacketTracer* PacketTracer::s_pkt_trace = nullptr;
+};
+#endif
 
 // so modules can register regardless of when packet trace is activated
 static THREAD_LOCAL struct{ unsigned val = 0; } global_mutes;
@@ -62,44 +68,40 @@ static THREAD_LOCAL struct{ unsigned val = 0; } global_mutes;
 static std::string log_file = "-";
 static bool config_status = false;
 
+// %s %u -> %s %u %u AS=%u ID=%u GR=%hd-%hd
+// IPv6 Port -> IPv6 Port Proto AS=ASNum ID=InstanceNum GR=SrcGroupNum-DstGroupNum
+#define PT_DEBUG_SESSION_ID_SIZE ((39+1+5+1+2+1+39+1+5+1+3+1+2+1+10+1+2+1+10+32)+1)
+static constexpr int max_buff_size = 2048;
+
 // -----------------------------------------------------------------------------
 // static functions
 // -----------------------------------------------------------------------------
 
+#ifdef _WIN64
+bool PacketTracer::is_active()
+{ return s_pkt_trace ? s_pkt_trace->active : false; }
+
+bool PacketTracer::is_daq_activated()
+{ return s_pkt_trace ? s_pkt_trace->daq_activated : false; }
+#endif
+
 void PacketTracer::set_log_file(const std::string& file)
 { log_file = file; }
 
 // template needed for unit tests
 template<typename T> void PacketTracer::_thread_init()
 {
-    if ( s_pkt_trace == nullptr )
-        s_pkt_trace = new T();
-
-    if ( pt_timer == nullptr )
-        pt_timer = new Stopwatch<SnortClock>;
-
-    s_pkt_trace->mutes.resize(global_mutes.val, false);
-    s_pkt_trace->open_file();
-    s_pkt_trace->user_enabled = config_status;
+    assert(!s_pkt_trace);
+    s_pkt_trace = new T();
 }
-template void PacketTracer::_thread_init<PacketTracer>();
 
 void PacketTracer::thread_init()
-{ _thread_init(); }
+{ _thread_init<PacketTracer>(); }
 
 void PacketTracer::thread_term()
 {
-    if ( s_pkt_trace )
-    {
-        delete s_pkt_trace;
-        s_pkt_trace = nullptr;
-    }
-
-    if (pt_timer)
-    {
-        delete pt_timer;
-        pt_timer = nullptr;
-    }
+    delete s_pkt_trace;
+    s_pkt_trace = nullptr;
 }
 
 void PacketTracer::dump(char* output_buff, unsigned int len)
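Review bot: `_thread_init` replaces the old `if ( s_pkt_trace == nullptr )` guard with `assert(!s_pkt_trace)`, so in a release build (`NDEBUG`) a second call on the same thread silently leaks the previous tracer together with its stopwatch and buffers instead of being a no-op. If double initialization is now a caller bug, the release path should still refuse it: `if ( s_pkt_trace ) return;` after the assert, or at least a comment stating the one-init-per-thread precondition. `PT_DEBUG_SESSION_ID_SIZE` is also a hand-summed macro with an unexplained `+32` slack; a comment mapping each term to the format above it, or a `static_assert` against the worst-case length, would keep it from drifting when the format changes.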
@@ -269,17 +271,37 @@ void PacketTracer::activate(const Packet& p)
         s_pkt_trace->active = false;
 }
 
-void PacketTracer::pt_timer_start()
+uint64_t PacketTracer::get_time()
+{ return TO_NSECS(s_pkt_trace->pt_timer->get()); }
+
+void PacketTracer::start_timer()
+{ s_pkt_trace->pt_timer->start(); }
+
+void PacketTracer::reset_timer()
+{ s_pkt_trace->pt_timer->reset(); }
+
+void PacketTracer::restart_timer()
 {
-    pt_timer->reset();
-    pt_timer->start();
+    s_pkt_trace->pt_timer->reset();
+    s_pkt_trace->pt_timer->start();
 }
 
 // -----------------------------------------------------------------------------
 // non-static functions
 // -----------------------------------------------------------------------------
 
-// destructor
+PacketTracer::PacketTracer()
+{
+    pt_timer = new Stopwatch<SnortClock>;
+    buffer = new char[max_buff_size] { };
+    daq_buffer = new char[max_buff_size] { };
+    debug_session = new char[PT_DEBUG_SESSION_ID_SIZE];
+
+    mutes.resize(global_mutes.val, false);
+    open_file();
+    user_enabled = config_status;
+}
+
 PacketTracer::~PacketTracer()
 {
     if ( log_fh && log_fh != stdout )
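Review bot: the new timer accessors `get_time`, `start_timer`, `reset_timer` and `restart_timer` dereference `s_pkt_trace` with no null check, unlike `is_active()` and `is_daq_activated()`, and they are `SO_PUBLIC`, so a plugin calling them before `thread_init` or after `thread_term` crashes. Either guard them (`if ( !s_pkt_trace ) return;`, returning 0 from `get_time`) or document the precondition on each declaration. In the constructor, `debug_session` is the only buffer allocated without `{ }`, so it starts uninitialized while `buffer` and `daq_buffer` are zeroed; presumably `reset()` fills it before use, but matching the others costs nothing.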
@@ -287,6 +309,10 @@ PacketTracer::~PacketTracer()
         fclose(log_fh);
         log_fh = nullptr;
     }
+    delete[] debug_session;
+    delete[] daq_buffer;
+    delete[] buffer;
+    delete pt_timer;
 }
 
 void PacketTracer::populate_buf(const char* format, va_list ap, char* buffer, uint32_t& buff_len)
@@ -398,7 +424,7 @@ void PacketTracer::add_packet_type_info(const Packet& p)
         case PktType::TCP:
         {
             char tcpFlags[10];
-            CreateTCPFlagString(p.ptrs.tcph, tcpFlags);
+            p.ptrs.tcph->stringify_flags(tcpFlags);
 
             if (p.ptrs.tcph->th_flags & TH_ACK)
                 PacketTracer::log("Packet %" PRIu64 ": TCP %s, %s, seq %u, ack %u, dsize %u%s\n",
@@ -643,32 +669,32 @@ TEST_CASE("corner cases", "[PacketTracer]")
         TestPacketTracer::daq_log("%s", test_str);
     }
     // when buffer limit is  reached, buffer length will stopped at max_buff_size-1
-    CHECK((TestPacketTracer::get_buff_len() == (TestPacketTracer::max_buff_size-1)));
-    CHECK((TestPacketTracer::get_daq_buff_len() == (TestPacketTracer::max_buff_size-1)));
+    CHECK((TestPacketTracer::get_buff_len() == (max_buff_size-1)));
+    CHECK((TestPacketTracer::get_daq_buff_len() == (max_buff_size-1)));
 
     // continue logging will not change anything
     TestPacketTracer::log("%s", test_str);
-    CHECK((TestPacketTracer::get_buff_len() == (TestPacketTracer::max_buff_size-1)));
+    CHECK((TestPacketTracer::get_buff_len() == (max_buff_size-1)));
     TestPacketTracer::daq_log("%s", test_str);
-    CHECK((TestPacketTracer::get_daq_buff_len() == (TestPacketTracer::max_buff_size-1)));
+    CHECK((TestPacketTracer::get_daq_buff_len() == (max_buff_size-1)));
 
     TestPacketTracer::thread_term();
 }
 
 TEST_CASE("dump", "[PacketTracer]")
 {
-    char test_string[TestPacketTracer::max_buff_size];
+    char test_string[max_buff_size];
     char test_str[] = "ABCD", results[] = "ABCD3=400";
 
     TestPacketTracer::thread_init();
     TestPacketTracer::set_user_enable(true);
     TestPacketTracer::log("%s%d=%d", test_str, 3, 400);
-    TestPacketTracer::dump(test_string, TestPacketTracer::max_buff_size);
+    TestPacketTracer::dump(test_string, max_buff_size);
     CHECK(!strcmp(test_string, results));
     CHECK((TestPacketTracer::get_buff_len() == 0));
 
     // dump again
-    TestPacketTracer::dump(test_string, TestPacketTracer::max_buff_size);
+    TestPacketTracer::dump(test_string, max_buff_size);
     CHECK(!strcmp(test_string, ""));
     CHECK((TestPacketTracer::get_buff_len() == 0));
 
similarity index 83%
rename from src/network_inspectors/packet_tracer/packet_tracer.h
rename to src/packet_io/packet_tracer.h
index 8776b5f6333ba00b92aa3d9292f9e9e2523d2e53..152fa2b48f2accb244aebdb32e92498b8d94eab0 100644 (file)
@@ -26,9 +26,8 @@
 #include <cstring>
 #include <vector>
 
-#include "framework/packet_constraints.h"
 #include "main/snort_types.h"
-#include "main/thread.h"
+#include "packet_io/packet_constraints.h"
 #include "protocols/ipv6.h"
 #include "protocols/protocol_ids.h"
 #include "sfip/sf_ip.h"
@@ -42,11 +41,10 @@ struct Packet;
 class PacketTracer
 {
 public:
-    PacketTracer() = default;
+    PacketTracer();
     virtual ~PacketTracer();
 
     typedef uint8_t TracerMute;
-    static const int max_buff_size = 2048;
 
     // static functions
     static void set_log_file(const std::string&);
@@ -64,8 +62,17 @@ public:
     static SO_PUBLIC void pause();
     static SO_PUBLIC void unpause();
     static SO_PUBLIC bool is_paused();
+
+#ifdef _WIN64
     static SO_PUBLIC bool is_active();
     static SO_PUBLIC bool is_daq_activated();
+#else
+    static bool is_active()
+    { return s_pkt_trace ? s_pkt_trace->active : false; }
+
+    static bool is_daq_activated()
+    { return s_pkt_trace ? s_pkt_trace->daq_activated : false; }
+#endif
 
     static SO_PUBLIC TracerMute get_mute();
 
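Review bot: nothing explains why `is_active()`/`is_daq_activated()` are inline everywhere except `_WIN64`, where `s_pkt_trace` becomes a file-static in packet_tracer.cc instead of a class member; a reader will take the duplicate declarations for a copy-paste slip. If the reason is that an exported `THREAD_LOCAL` class static cannot cross the DLL boundary on Windows, say so once above the `#ifdef`, e.g. `// _WIN64: the thread-local tracer pointer cannot be exported from the DLL, so it stays private to packet_tracer.cc and these accessors are out of line.`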
@@ -74,20 +81,32 @@ public:
     static SO_PUBLIC void log_msg_only(const char* format, ...) __attribute__((format (printf, 1, 2)));
 
     static SO_PUBLIC void daq_log(const char* format, ...) __attribute__((format (printf, 1, 2)));
-    static SO_PUBLIC void pt_timer_start();
 
-protected:
+    static SO_PUBLIC void start_timer();
+    static SO_PUBLIC void restart_timer();
+    static SO_PUBLIC void reset_timer();
 
+    static SO_PUBLIC uint64_t get_time();
+
+protected:
+#ifndef _WIN64
+    static SO_PUBLIC THREAD_LOCAL PacketTracer* s_pkt_trace;
+#endif
 
     // non-static variable
+    Stopwatch<SnortClock>* pt_timer = nullptr;
     FILE* log_fh = stdout;
+
+    char* buffer;
+    char* daq_buffer;
+    char* debug_session;
+
     std::vector<bool> mutes;
-    char buffer[max_buff_size] = {0};
+
     unsigned buff_len = 0;
-    char daq_buffer[max_buff_size] = {0};
     unsigned daq_buff_len = 0;
-
     unsigned pause_count = 0;
+
     bool user_enabled = false;
     bool daq_activated = false;
     bool shell_enabled = false;
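Review bot: `PacketTracer` now owns `pt_timer`, `buffer`, `daq_buffer` and `debug_session` through raw pointers released in `~PacketTracer`, but declares no copy or move operations, so any copy of a tracer (including of a test subclass) double-frees. Add `PacketTracer(const PacketTracer&) = delete;` and `PacketTracer& operator=(const PacketTracer&) = delete;` beside the constructor, or hold the buffers as `std::unique_ptr<char[]>` and the stopwatch by value so the defaulted members are correct. The three `char*` members also have no in-class initializer, unlike `pt_timer`; `= nullptr` keeps a partially constructed object from holding garbage. The class body continues past this hunk.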
@@ -108,21 +127,12 @@ protected:
     void update_constraints(const PacketConstraints* constraints);
     const char *get_debug_session() { return debugstr.c_str(); }
 
-    virtual void open_file();
+    void open_file();
     virtual void dump_to_daq(Packet*);
-    virtual void reset(bool);
+    void reset(bool);
 };
 
-SO_PUBLIC extern THREAD_LOCAL PacketTracer* s_pkt_trace;
-SO_PUBLIC extern THREAD_LOCAL Stopwatch<SnortClock>* pt_timer;
-
-inline bool PacketTracer::is_active()
-{ return s_pkt_trace ? s_pkt_trace->active : false; }
-
-inline bool PacketTracer::is_daq_activated()
-{ return s_pkt_trace ? s_pkt_trace->daq_activated : false; }
-
-struct SO_PUBLIC PacketTracerSuspend
+struct PacketTracerSuspend
 {
     PacketTracerSuspend()
     { PacketTracer::pause(); }
index 76b4ee591997eeb494b50c4d6aeddc4446f59346..c52a67c48041040d4b9c6d98a55944f0e0175af9 100644 (file)
@@ -28,6 +28,7 @@
 
 #include "log/messages.h"
 #include "main/snort_config.h"
+#include "main/thread.h"
 #include "protocols/packet.h"
 #include "protocols/vlan.h"
 
index f3eb249cdd45013efdb67de82333ab20c5108a8b..ca1008b00ffb7f0ef19f015b5ad1ebe9dd5d7a77 100644 (file)
@@ -21,6 +21,8 @@
 #ifndef SFDAQ_MODULE_H
 #define SFDAQ_MODULE_H
 
+#include <daq_common.h>
+
 #include "framework/module.h"
 
 namespace snort
index c601bb3400d759cc5d36dff334a7299a1ee920d8..3ca380c890184b0eb9930671fe652a56bae09c2d 100644 (file)
@@ -24,6 +24,7 @@
 #include "cmd_line.h"
 
 #include "framework/module.h"
+#include "log/log_errors.h"
 #include "log/messages.h"
 #include "main/help.h"
 #include "main/snort_config.h"
index bfb7f23f33e090a1e3adb716f446d218d55faf7d..f734ecc23ab7b784e386d39c3737da1e5dfb377c 100644 (file)
@@ -27,7 +27,6 @@
 #include <sstream>
 #include <string>
 
-#include "detection/detect.h"
 #include "detection/detection_engine.h"
 #include "log/messages.h"
 #include "main/analyzer.h"
index 9be773a43ccdb9ce03b46ba1bd020538a749bf3c..8a6d7ba73e74ce85233e84a11b572b95d80d9edf 100644 (file)
 
 #include "parse_rule.h"
 
-#include "actions/actions.h"
-#include "detection/detect.h"
+#include "detection/extract.h"
 #include "detection/fp_config.h"
 #include "detection/fp_utils.h"
 #include "detection/rtn_checks.h"
 #include "detection/treenodes.h"
 #include "framework/decode_data.h"
+#include "framework/ips_action.h"
 #include "hash/xhash.h"
+#include "log/log_stats.h"
 #include "log/messages.h"
 #include "main/snort_config.h"
 #include "main/thread_config.h"
@@ -42,7 +43,6 @@
 #include "sfip/sf_vartable.h"
 #include "target_based/snort_protocols.h"
 #include "utils/util.h"
-#include "ips_options/extract.h"
 
 #include "parser.h"
 #include "parse_conf.h"
@@ -788,15 +788,15 @@ void parse_rule_type(SnortConfig* sc, const char* s, RuleTreeNode& rtn)
 
     assert(s);
 
-    rtn.action = Actions::get_type(s);
+    rtn.action = IpsAction::get_type(s);
 
-    if ( !Actions::is_valid_action(rtn.action) )
+    if ( !IpsAction::is_valid_action(rtn.action) )
     {
         s_ignore = true;
         ParseError("unknown rule action '%s'", s);
         return;
     }
-    if (!strcmp(s,"file_id"))
+    if (!strcmp(s, "file_id"))
         action_file_id = true;
     else
         action_file_id = false;
index 1224077b316bf3241f9060e90db641fd51df89a8..712dd5d2acfabaa9e40fc2bf950b7de343b9feee 100644 (file)
 
 #include <string>
 
-bool parse_byte_code(const char*, bool& negate, std::string&);
-int parse_int(const char*, const char* tag, int low = -65535, int high = 65535);
+#include "main/snort_types.h"
+
+SO_PUBLIC bool parse_byte_code(const char*, bool& negate, std::string&);
+SO_PUBLIC int parse_int(const char*, const char* tag, int low = -65535, int high = 65535);
 
 #endif
 
index fa02a74a552dc35f7cb149b0843437b6b5ee2f0a..42467185bf0d45c28b9b3236dd0faadfb7cf0ea3 100644 (file)
@@ -34,6 +34,7 @@
 #include "detection/rules.h"
 #include "detection/sfrim.h"
 #include "dump_config/config_output.h"
+#include "events/event_queue.h"
 #include "filters/detection_filter.h"
 #include "filters/rate_filter.h"
 #include "filters/sfthreshold.h"
@@ -42,6 +43,7 @@
 #include "hash/xhash.h"
 #include "helpers/directory.h"
 #include "ips_options/ips_flowbits.h"
+#include "log/log_stats.h"
 #include "log/messages.h"
 #include "main/modules.h"
 #include "main/shell.h"
@@ -632,7 +634,7 @@ void ParseRulesFinish(SnortConfig* sc)
  * Returns: the ListHead for the rule type
  *
  ***************************************************************************/
-RuleListNode* CreateRuleType(SnortConfig* sc, const char* name, Actions::Type mode)
+RuleListNode* CreateRuleType(SnortConfig* sc, const char* name, IpsAction::Type mode)
 {
     RuleListNode* node;
 
@@ -710,7 +712,7 @@ void OrderRuleLists(SnortConfig* sc)
     const char* order = sc->rule_order.c_str();
     if ( !*order )
     {
-        default_priorities = Actions::get_default_priorities();
+        default_priorities = IpsAction::get_default_priorities();
         order = default_priorities.c_str();
     }
 
index 267f4869e1d52fae8aefb8f0afa938a776687676..b0c583718d97c4ae200246e50ca36e4f4fcc3c8a 100644 (file)
@@ -29,6 +29,8 @@ namespace snort
 struct SnortConfig;
 }
 
+struct OptTreeNode;
+
 void parser_init();
 void parser_term(snort::SnortConfig*);
 
@@ -60,15 +62,15 @@ const char* parser_get_special_includer();
 
 int ParseBool(const char* arg);
 
-int addRtnToOtn(snort::SnortConfig*, struct OptTreeNode*, RuleTreeNode*);
-int addRtnToOtn(snort::SnortConfig*, struct OptTreeNode*, RuleTreeNode*, PolicyId);
+int addRtnToOtn(snort::SnortConfig*, OptTreeNode*, RuleTreeNode*);
+int addRtnToOtn(snort::SnortConfig*, OptTreeNode*, RuleTreeNode*, PolicyId);
 
 void set_strict_rtn_reduction(bool);
 bool same_headers(RuleTreeNode*, RuleTreeNode*);
 RuleTreeNode* deleteRtnFromOtn(OptTreeNode*, snort::SnortConfig* sc = nullptr);
-RuleTreeNode* deleteRtnFromOtn(struct OptTreeNode*, PolicyId, snort::SnortConfig* sc = nullptr, bool remove = true);
+RuleTreeNode* deleteRtnFromOtn(OptTreeNode*, PolicyId, snort::SnortConfig* sc = nullptr, bool remove = true);
 
-inline RuleTreeNode* getRtnFromOtn(const struct OptTreeNode* otn, PolicyId policyId)
+inline RuleTreeNode* getRtnFromOtn(const OptTreeNode* otn, PolicyId policyId)
 {
     if (otn && otn->proto_nodes && (otn->proto_node_num > (unsigned)policyId))
     {
@@ -77,12 +79,12 @@ inline RuleTreeNode* getRtnFromOtn(const struct OptTreeNode* otn, PolicyId polic
     return nullptr;
 }
 
-inline RuleTreeNode* getRtnFromOtn(const struct OptTreeNode* otn)
+inline RuleTreeNode* getRtnFromOtn(const OptTreeNode* otn)
 {
     return getRtnFromOtn(otn, snort::get_ips_policy()->policy_id);
 }
 
-RuleListNode* CreateRuleType(snort::SnortConfig* sc, const char* name, Actions::Type action_type);
+RuleListNode* CreateRuleType(snort::SnortConfig* sc, const char* name, snort::IpsAction::Type action_type);
 
 void FreeRuleTreeNode(RuleTreeNode*);
 void DestroyRuleTreeNode(RuleTreeNode*);
index fbcbf508607fa11299320f8d0df0f1b8816abcfd..da77f0d9cc728dc053b55570054340fa846206a8 100644 (file)
@@ -26,6 +26,7 @@
 
 #include "detection/detection_engine.h"
 #include "flow/session.h"
+#include "main/snort_config.h"
 #include "packet_io/active.h"
 #include "protocols/packet.h"
 #include "service_inspectors/http2_inspect/http2_flow_data.h"
index 1e1bbb17c4110834c97bbdecd06024f4044e46d8..ce4589f384ba8626bbc8677077f88e44fe17f365 100644 (file)
@@ -28,6 +28,7 @@
 
 #include "detection/detection_engine.h"
 #include "flow/flow.h"
+#include "main/snort_config.h"
 #include "main/thread_config.h"
 #include "packet_io/active.h"
 #include "protocols/packet.h"
@@ -99,7 +100,7 @@ class StreamSplitter* Inspector::get_splitter(bool) { return nullptr; }
 }
 
 void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { }
+void show_stats(PegCount*, const PegInfo*, const std::vector<unsigned>&, const char*, FILE*) { }
 
 // MockInspector class
 
index f9fe1dabd36680266bcf4501b4e051057cda5394..03f7117165bd155cca19a51078bdc51026831033 100644 (file)
@@ -28,6 +28,7 @@
 #include "detection/ips_context.h"
 #include "framework/policy_selector.h"
 #include "log/messages.h"
+#include "main/policy.h"
 #include "policy_selectors/int_set_to_string.h"
 #include "profiler/profiler.h"
 
index b29fa4ddd7d7df1f13b8f7047ed6295eb208a210..97039419493d29d996ce7ebe2cce82fcc6c332c4 100644 (file)
@@ -24,6 +24,7 @@
 
 #include "framework/module.h"
 #include "framework/policy_selector.h"
+
 #include "address_space_selection.h"
 
 #define ADDRESS_SPACE_SELECT_NAME "address_space_selector"
index 8c45147c4a3cf9da840715c61b4dd0436f46d4b1..b0390ce99b6668a1e7f60e0baac1c88aa816065b 100644 (file)
@@ -28,6 +28,7 @@
 #include "detection/ips_context.h"
 #include "framework/policy_selector.h"
 #include "log/messages.h"
+#include "main/policy.h"
 #include "policy_selectors/int_set_to_string.h"
 #include "profiler/profiler.h"
 
index ccb406627129847fe4e98998b9c18b9f820e5492..fd21df80bd52bc62adfc08551aa0321b3f894887 100644 (file)
@@ -22,7 +22,7 @@
 #ifndef PORT_OBJECT2_H
 #define PORT_OBJECT2_H
 
-#include "framework/bits.h"
+#include "utils/bits.h"
 #include "utils/sflsq.h"
 
 //-------------------------------------------------------------------------
index 236dfc49f4d03c36af34a1b90ba49e955802695b..205c798b03efdbbf7abe695aedefcaa65453451b 100644 (file)
@@ -22,8 +22,8 @@
 #ifndef PORT_UTILS_H
 #define PORT_UTILS_H
 
-#include "framework/bits.h"
 #include "protocols/packet.h"
+#include "utils/bits.h"
 #include "utils/sflsq.h"
 
 struct PortObject;
index f13d66abc4cc63bfaaf38e29a9487868596b40c1..be260f85c135ed4cf99212428947038a33506608 100644 (file)
@@ -1,6 +1,5 @@
 set ( PROFILER_INCLUDES
     memory_defs.h
-    memory_context.h
     memory_profiler_defs.h
     profiler.h
     profiler_defs.h
@@ -13,9 +12,11 @@ set ( PROFILER_SOURCES
     json_view.cc
     json_view.h
     memory_context.cc
+    memory_context.h
     memory_profiler.cc
     memory_profiler.h
     profiler.cc
+    profiler_impl.h
     profiler_module.cc
     profiler_module.h
     profiler_nodes.cc
index 56e0d0cfd5952ddb0ba7b0420f5397d3c8626bb0..a4fe165277f12b4202f98936aafa93d544009768 100644 (file)
@@ -22,7 +22,7 @@
 #include "config.h"
 #endif
 
-#include "profiler.h"
+#include "profiler_impl.h"
 
 #include <cassert>
 #include <numeric>
@@ -31,6 +31,7 @@
 #include "main/snort_config.h"
 #include "main/thread_config.h"
 #include "time/stopwatch.h"
+#include "utils/stats.h"
 
 #include "memory_context.h"
 #include "memory_profiler.h"
 
 using namespace snort;
 
-THREAD_LOCAL ProfileStats totalPerfStats;
-THREAD_LOCAL ProfileStats otherPerfStats;
+static THREAD_LOCAL ProfileStats totalPerfStats;
+static THREAD_LOCAL ProfileStats otherPerfStats;
 
-THREAD_LOCAL TimeContext* ProfileContext::curr_time = nullptr;
 THREAD_LOCAL Stopwatch<SnortClock>* run_timer = nullptr;
 THREAD_LOCAL uint64_t first_pkt_num = 0;
 THREAD_LOCAL bool consolidated_once = false;
 
 static ProfilerNodeMap s_profiler_nodes;
 
+#ifndef _WIN64
+THREAD_LOCAL TimeContext* ProfileContext::curr_time = nullptr;
+#else
+static THREAD_LOCAL TimeContext* curr_time = nullptr;
+
+TimeContext* ProfileContext::get_curr_time()
+{ return curr_time; }
+
+void ProfileContext::set_curr_time(TimeContext* t)
+{ curr_time = t; }
+#endif
+
+ProfileStats* Profiler::get_total_perf_stats()
+{ return &totalPerfStats; }
+
+ProfileStats* Profiler::get_other_perf_stats()
+{ return &otherPerfStats; }
+
 void Profiler::register_module(Module* m)
 {
     if ( m->get_profile() )
@@ -78,7 +96,7 @@ void Profiler::register_module(const char* n, const char* pn, Module* m)
 
 void Profiler::start()
 {
-    first_pkt_num = (uint64_t)get_packet_number();
+    first_pkt_num = pc.analyzed_pkts;
     run_timer = new Stopwatch<SnortClock>;
     run_timer->start();
     consolidated_once = false;
index 01f406355ef5a668bfc2364ea2a4735205b3e9fb..4cdff94541b8d09b526c5480f0ba61a48d916c7f 100644 (file)
 #ifndef PROFILER_H
 #define PROFILER_H
 
-#include "main/thread.h"
 #include "profiler_defs.h"
 
-namespace snort
-{
-class Module;
-}
-class ControlConn;
-class ProfilerNodeMap;
-class Profiler
-{
-public:
-    static void register_module(snort::Module*);
-    static void register_module(const char*, const char*, snort::Module*);
-
-    static void start();
-    static void stop(uint64_t);
-
-    static void consolidate_stats(snort::ProfilerType = snort::PROFILER_TYPE_BOTH);
-
-    static void reset_stats(snort::ProfilerType = snort::PROFILER_TYPE_BOTH);
-    static void prepare_stats();
-    static void show_stats();
-    static ProfilerNodeMap& get_profiler_nodes();
-    SO_PUBLIC static void show_runtime_memory_stats();
-};
-
-extern THREAD_LOCAL snort::ProfileStats totalPerfStats;
-extern THREAD_LOCAL snort::ProfileStats otherPerfStats;
-
 #endif
index 559e7480dc7410d952b0a824fdd882262f62bfdd..4d90d4431fbfc76b7af64817a16fd25ad6821282 100644 (file)
@@ -22,7 +22,6 @@
 #define PROFILER_DEFS_H
 
 #include "main/snort_types.h"
-#include "main/thread.h"
 #include "memory_defs.h"
 #include "memory_profiler_defs.h"
 #include "rule_profiler_defs.h"
@@ -104,24 +103,37 @@ class SO_PUBLIC ProfileContext
 public:
     ProfileContext(ProfileStats& stats) : time(stats.time), memory(stats.memory)
     {
-        prev_time = curr_time;
+        prev_time = get_curr_time();
         if ( prev_time )
             prev_time->pause();
-        curr_time = &time;
+        set_curr_time(&time);
     }
 
     ~ProfileContext()
     {
         if ( prev_time )
             prev_time->resume();
-        curr_time = prev_time;
+        set_curr_time(prev_time);
     }
 
+private:
+#ifdef _WIN64
+    static TimeContext* get_curr_time();
+    static void set_curr_time(TimeContext*);
+#else
+    static THREAD_LOCAL TimeContext* curr_time;
+
+    static TimeContext* get_curr_time()
+    { return curr_time; }
+
+    static void set_curr_time(TimeContext* t)
+    { curr_time = t; }
+#endif
+
 private:
     TimeContext time;
     MemoryContext memory;
     TimeContext* prev_time;
-    static THREAD_LOCAL TimeContext* curr_time;
 };
 
 using get_profile_stats_fn = ProfileStats* (*)(const char*);
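Review bot: The `_WIN64` branch replaces direct access to `curr_time` with an out-of-line accessor pair but nothing says why Windows needs the split, and the same unexplained `#ifdef _WIN64` pattern recurs in time_profiler_defs.h and in the profiler.cc and time_profiler.cc definitions; a one-line comment at the `#ifdef` stating the reason (I assume thread-local data members cannot be reached across a DLL boundary on Windows, but the author should confirm and write the real one) would save every later reader the same detour. The class also ends up with two consecutive `private:` sections; the second label before `TimeContext time;` is redundant and the two could be merged. `ProfileContext` begins outside the hunk.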
diff --git a/src/profiler/profiler_impl.h b/src/profiler/profiler_impl.h
new file mode 100644 (file)
index 0000000..056765e
--- /dev/null
@@ -0,0 +1,57 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2015-2023 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// profiler_impl.h author Joel Cornett <jocornet@cisco.com>
+
+#ifndef PROFILER_IMPL_H
+#define PROFILER_IMPL_H
+
+#include "profiler_defs.h"
+
+namespace snort
+{
+class Module;
+struct ProfileStats;
+}
+
+class ProfilerNodeMap;
+
+class Profiler
+{
+public:
+    static void register_module(snort::Module*);
+    static void register_module(const char*, const char*, snort::Module*);
+
+    static void start();
+    static void stop(uint64_t);
+
+    static void consolidate_stats(snort::ProfilerType = snort::PROFILER_TYPE_BOTH);
+
+    static void reset_stats(snort::ProfilerType = snort::PROFILER_TYPE_BOTH);
+    static void prepare_stats();
+
+    static void show_stats();
+    static void show_runtime_memory_stats();
+
+    static ProfilerNodeMap& get_profiler_nodes();
+
+    static snort::ProfileStats* get_total_perf_stats();
+    static snort::ProfileStats* get_other_perf_stats();
+};
+
+#endif
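Review bot: The `struct ProfileStats;` forward declaration is redundant: `profiler_defs.h`, included just above, must already define `ProfileStats` completely because `ProfileContext`'s inline constructor in that header reads `stats.time` and `stats.memory`; drop the line and leave only `class Module;` in the namespace block. Also note that `show_runtime_memory_stats` was `SO_PUBLIC` in the old profiler.h and is not here, so any plugin that called it will stop linking — presumably the intent of this PR, but it deserves a line in the commit message. The copyright range `2015-2023` on a file added in 2024 looks copied over from profiler.h.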
index 7434a0d2fb5427f5dc6c6c0f13e2c36a8cd560b7..526f29b5d05ad391de70bfaf4cfa0dd17a0afe1a 100644 (file)
@@ -35,6 +35,7 @@
 #include "managers/module_manager.h"
 #include "utils/stats.h"
 
+#include "profiler_impl.h"
 #include "rule_profiler.h"
 #include "rule_profiler_defs.h"
 #include "time_profiler.h"
@@ -269,7 +270,7 @@ static void time_profiling_start_cmd()
 static void time_profiling_stop_cmd()
 {
     TimeProfilerStats::set_enabled(false);
-    Profiler::stop((uint64_t)get_packet_number());
+    Profiler::stop(pc.analyzed_pkts);
     Profiler::consolidate_stats(snort::PROFILER_TYPE_TIME);
 }
 
@@ -456,7 +457,7 @@ static const Parameter profiler_params[] =
 class ProfilerReloadTuner : public snort::ReloadResourceTuner
 {
 public:
-    explicit ProfilerReloadTuner(bool enable_rule, bool enable_time) 
+    explicit ProfilerReloadTuner(bool enable_rule, bool enable_time)
         : enable_rule(enable_rule), enable_time(enable_time)
     {}
     ~ProfilerReloadTuner() override = default;
@@ -568,12 +569,12 @@ ProfileStats* ProfilerModule::get_profile(
     case 0:
         name = "total";
         parent = nullptr;
-        return &totalPerfStats;
+        return Profiler::get_total_perf_stats();
 
     case 1:
         name = "other";
         parent = nullptr;
-        return &otherPerfStats;
+        return Profiler::get_other_perf_stats();
     }
     return nullptr;
 }
index a4af665309cee3764cb7510e1a64225cb151f583..51ac758d7994aa06b40e190461d8c39d3a2375d9 100644 (file)
@@ -42,7 +42,17 @@ using namespace snort;
 // enabled is not in SnortConfig to avoid that ugly dependency
 // enabled is not in TimeContext because declaring it SO_PUBLIC made TimeContext visible
 // putting enabled in TimeProfilerStats seems to be the best solution
+#ifndef _WIN64
 THREAD_LOCAL bool TimeProfilerStats::enabled = false;
+#else
+static THREAD_LOCAL bool enabled;
+
+void TimeProfilerStats::set_enabled(bool b)
+{ enabled = b; }
+
+bool TimeProfilerStats::is_enabled()
+{ return enabled; }
+#endif
 
 namespace time_stats
 {
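Review bot: In the `_WIN64` branch `static THREAD_LOCAL bool enabled;` has no initializer, while the non-Windows definition two lines up is `= false` and the parallel `curr_time` definition in profiler.cc is `= nullptr`; zero-initialization makes it false either way, but `static THREAD_LOCAL bool enabled = false;` keeps the two definitions visibly equivalent and matches the style of the rest of the change.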
index 09c4b91b5b99a481ee3a2cb0bf2e8d3a60243b06..4b50920f5f6ce8ae5ede0358801720797e4eb3c9 100644 (file)
@@ -47,6 +47,8 @@ struct SO_PUBLIC TimeProfilerStats
     hr_duration elapsed;
     uint64_t checks;
     mutable unsigned int ref_count;
+
+#ifndef _WIN64
     static THREAD_LOCAL bool enabled;
 
     static void set_enabled(bool b)
@@ -54,6 +56,10 @@ struct SO_PUBLIC TimeProfilerStats
 
     static bool is_enabled()
     { return enabled; }
+#else
+    static void set_enabled(bool);
+    static bool is_enabled();
+#endif
 
     void update(hr_duration delta)
     { elapsed += delta; ++checks; }
index 442443d94d74b30926db6ad29a74ab0461c4671b..0b747a20de3d0abfaae5a83a5baa3738ca28dce8 100644 (file)
@@ -31,19 +31,14 @@ namespace snort
 {
 struct Packet;
 
-// FIXIT-L can I assume api is always valid?
-// i.e. if not ip4, then ipv6?
-// or if not ip4, also make sure its not ip6
-
 namespace ip
 {
-// keeping this as a class to avoid confusion.
 class SO_PUBLIC IpApi
 {
 public:
     enum Type { IAT_NONE, IAT_4, IAT_6, IAT_DATA };
 
-    // constructor and destructor MUST remain trivial. Adding
+    // constructor and destructor MUST remain trivial. Adding
     // any non-trivial code will cause a compilation failure.
     IpApi() = default;
 
index a0f623b02989df734d9e1f6541e35b917fb96a52..d6c44b75dbfbf73dd39edf031896c71b5246beb6 100644 (file)
@@ -20,6 +20,8 @@
 #ifndef PROTOCOLS_LAYER_H
 #define PROTOCOLS_LAYER_H
 
+// Packet contains a Layer for each decoded encapsulation.
+
 #include "main/snort_types.h"
 #include "protocols/protocol_ids.h"
 
index 5b70d427d3d6e209bd89e5275f248e120bf2b7ec..0180fbd1ee34fb2434305bd49eb4b4f257bb13f9 100644 (file)
@@ -33,7 +33,7 @@ struct MplsHdr
     uint8_t bos;
     uint8_t ttl;
 };
-} // namespace mpls
+}
 }
 #endif
 
index 04161f1c4bdc27932bfada67eb96d858c635e831..e0785230a57835ede4ff773333b146c7b049be19 100644 (file)
 #include "packet.h"
 
 #include "detection/ips_context.h"
-#include "flow/expect_cache.h"
+#include "flow/expect_flow.h"
+#include "flow/flow_key.h"
 #include "framework/endianness.h"
 #include "log/obfuscator.h"
+#include "main/snort_config.h"
 #include "packet_io/active.h"
-#include "managers/codec_manager.h"
 
 #include "packet_manager.h"
 #include "vlan.h"
@@ -38,7 +39,7 @@ namespace snort
 {
 Packet::Packet(bool packet_data)
 {
-    layers = new Layer[CodecManager::get_max_layers()];
+    layers = new Layer[PacketManager::get_max_layers()];
     allocated = packet_data;
 
     if (!packet_data)
index c12708df7b2897f5fcd1be15f83fd5854b828531..475fe5b5293c84a3663ee5aea5753afc7e74a001 100644 (file)
 #ifndef PROTOCOLS_PACKET_H
 #define PROTOCOLS_PACKET_H
 
+// Packet is an abstraction describing a unit of work.  it may define a
+// wire packet or it may define a cooked packet.  the latter contains
+// payload data only, no headers.
+
 #include <daq_common.h>
 
 #include "flow/flow.h"
@@ -42,7 +46,7 @@ class SFDAQInstance;
 #define PKT_REBUILT_FRAG          0x00000001  // is a rebuilt fragment
 #define PKT_REBUILT_STREAM        0x00000002  // is a rebuilt stream
 #define PKT_STREAM_UNEST_UNI      0x00000004  // is from an unestablished stream and
-                                         // we've only seen traffic in one direction
+                                              // we've only seen traffic in one direction
 #define PKT_STREAM_EST            0x00000008  // is from an established stream
 
 #define PKT_STREAM_INSERT         0x00000010  // this packet has been queued for stream reassembly
@@ -108,9 +112,6 @@ constexpr uint16_t NUM_IP_PROTOS = 256;
 constexpr uint8_t TCP_OPTLENMAX = 40; /* (((2^4) - 1) * 4  - TCP_HEADER_LEN) */
 constexpr uint8_t DEFAULT_LAYERMAX = 40;
 
-// Packet is an abstraction describing a unit of work.  it may define a
-// wire packet or it may define a cooked packet.  the latter contains
-// payload data only, no headers.
 struct SO_PUBLIC Packet
 {
     Packet(bool packet_data = true);
@@ -376,13 +377,6 @@ private:
     bool allocated;
 };
 
-/* Macros to deal with sequence numbers - p810 TCP Illustrated vol 2 */
-#define SEQ_LT(a,b)  ((int)((a) - (b)) <  0)
-#define SEQ_LEQ(a,b) ((int)((a) - (b)) <= 0)
-#define SEQ_GT(a,b)  ((int)((a) - (b)) >  0)
-#define SEQ_GEQ(a,b) ((int)((a) - (b)) >= 0)
-#define SEQ_EQ(a,b)  ((int)((a) - (b)) == 0)
-
 #define BIT(i) (0x1 << ((i)-1))
 
 inline void SetExtraData(Packet* p, const uint32_t xid) { p->xtradata_mask |= BIT(xid); }
index 17fc08e6921997502835a6490984bb3e8c50b491..f8ea3a99a9b5829d7de8a1761d37274a80c4f1ad 100644 (file)
 #include "detection/detection_engine.h"
 #include "log/text_log.h"
 #include "main/snort_config.h"
+#include "managers/codec_manager.h"
 #include "packet_io/active.h"
+#include "packet_io/packet_tracer.h"
 #include "packet_io/sfdaq.h"
-#include "packet_tracer/packet_tracer.h"
 #include "profiler/profiler_defs.h"
 #include "stream/stream.h"
 #include "trace/trace_api.h"
+#include "utils/stats.h"
 
 #include "eth.h"
 #include "icmp4.h"
 using namespace snort;
 
 THREAD_LOCAL ProfileStats decodePerfStats;
+uint8_t PacketManager::max_layers = DEFAULT_LAYERMAX;
+
+ProtocolIndex PacketManager::proto_idx(ProtocolId prot_id)
+{ return CodecManager::s_proto_map[to_utype(prot_id)]; }
 
 // Decoding statistics
 
-// this may be my longer member declaration ... ever
-THREAD_LOCAL std::array<PegCount,PacketManager::stat_offset +
-CodecManager::s_protocols.size()> PacketManager::s_stats {
-    { 0 }
-};
+static THREAD_LOCAL std::array<PegCount, PacketManager::stat_offset + num_protocol_idx> s_stats
+{ { 0 } };
 
-//PacketManager::s_stats{{0}};
-std::array<PegCount, PacketManager::s_stats.size()> PacketManager::g_stats;
+static std::array<PegCount, s_stats.size()> g_stats;
 
 // names which will be printed for the first three statistics
 // in s_stats/g_stats
@@ -72,15 +74,14 @@ const std::array<const char*, PacketManager::stat_offset> PacketManager::stat_na
 // Encoder Foo
 static THREAD_LOCAL std::array<uint8_t, Codec::PKT_MAX>* s_pkt;
 
+void PacketManager::global_init(uint8_t max)
+{ max_layers = max; }
+
 void PacketManager::thread_init()
-{
-    s_pkt = new std::array<uint8_t, Codec::PKT_MAX>{ {0} };
-}
+{ s_pkt = new std::array<uint8_t, Codec::PKT_MAX>{ {0} }; }
 
 void PacketManager::thread_term()
-{
-    delete s_pkt;
-}
+{ delete s_pkt; }
 
 //-------------------------------------------------------------------------
 // Private helper functions
@@ -89,7 +90,7 @@ void PacketManager::thread_term()
 inline bool PacketManager::push_layer(Packet* p, CodecData& codec_data, ProtocolId prot_id,
     const uint8_t* hdr_start, uint32_t len)
 {
-    if ( p->num_layers == CodecManager::get_max_layers() )
+    if ( p->num_layers == max_layers )
     {
         if (!(codec_data.codec_flags & CODEC_LAYERS_EXCEEDED))
         {
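Review bot: `max_layers` is now a mutable process-wide static that `global_init` can reassign at any time, while `Packet::Packet` in packet.cc sizes `layers` from `get_max_layers()` once at construction and this check bounds `num_layers` against whatever the static holds now; if `global_init` can run after Packet objects exist (for example a reload with a different layer count), a Packet allocated under the smaller value is no longer protected and the next `push_layer` writes past the end of `layers`. The replaced `CodecManager::max_layers` was THREAD_LOCAL, so the change also alters when the value may move. Either document on `global_init` that it must run exactly once before any Packet is constructed, e.g. `// must be called once at startup, before any Packet is allocated; layers arrays are sized from this value`, or record the allocated capacity in the Packet and bound against that instead of the static. `push_layer` continues outside the hunk.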
index d9969c7e5f8f199edd5a03639126e285999343f3..9b14de1575d451ed7327059fb66fb4e874a3a308 100644 (file)
@@ -27,8 +27,8 @@
 #include "framework/codec.h"
 #include "framework/counts.h"
 #include "main/snort_types.h"
-#include "managers/codec_manager.h"
 #include "protocols/packet.h"
+#include "protocols/protocol_ids.h"
 
 struct TextLog;
 
@@ -57,6 +57,8 @@ enum class UnreachResponse
 class SO_PUBLIC PacketManager
 {
 public:
+    static void global_init(uint8_t max_layers);
+
     static void thread_init();
     static void thread_term();
 
@@ -122,17 +124,21 @@ public:
      *
      * The equivalent of Snort's PROTO_ID */
     static constexpr std::size_t max_protocols() // compile time constant
-    { return CodecManager::s_protocols.size(); }
+    { return num_protocol_idx; }
 
     /* If a proto was registered in a Codec's get_protocol_ids() function,
      * this function will return the 'ProtocolIndex' of the Codec to which the proto belongs.
      * If none of the loaded Codecs registered that proto, this function will
      * return zero. */
-    static ProtocolIndex proto_idx(ProtocolId prot_id)
-    { return CodecManager::s_proto_map[to_utype(prot_id)]; }
+    static ProtocolIndex proto_idx(ProtocolId);
 
     static void accumulate();
 
+    static uint8_t get_max_layers()
+    { return max_layers; }
+
+    static constexpr uint8_t stat_offset = 4;
+
 private:
     static bool push_layer(Packet*, CodecData&, ProtocolId, const uint8_t* hdr_start, uint32_t len);
     static Codec* get_layer_codec(const Layer&, int idx);
@@ -144,20 +150,12 @@ private:
 
     // constant offsets into the s_stats array.  Notice the stat_offset
     // constant which is used when adding a protocol specific codec
-    static const uint8_t total_processed = 0;
-    static const uint8_t other_codecs = 1;
-    static const uint8_t discards = 2;
-    static const uint8_t depth_exceeded = 3;
-    static const uint8_t stat_offset = 4;
-
-    // declared in header so it can access s_protocols
-    static THREAD_LOCAL std::array<PegCount, stat_offset +
-    CodecManager::s_protocols.size()> s_stats;
-    // FIXIT-L gcc apparently does not consider thread_local variables to be valid in
-    // constexpr expressions. As long as __thread is used instead of thread_local in gcc,
-    // this is not a problem. However, if we use thread_local and gcc, the declaration
-    // below will not compile.
-    static std::array<PegCount, s_stats.size()> g_stats;
+    static constexpr uint8_t total_processed = 0;
+    static constexpr uint8_t other_codecs = 1;
+    static constexpr uint8_t discards = 2;
+    static constexpr uint8_t depth_exceeded = 3;
+
+    static uint8_t max_layers;
     static const std::array<const char*, stat_offset> stat_names;
 };
 }
index 665b98462a52b2f6dd82abb5c78af1dcb8efee28..8d89d20ed1021cb5d2fc462468e7c611bc8825b0 100644 (file)
@@ -161,6 +161,8 @@ enum class ProtocolId : std::uint16_t
     ETHERTYPE_CISCO_META = 0x8909,
 };
 
+constexpr auto num_protocol_idx = UINT8_MAX;
+
 static const auto num_protocol_ids =
     std::numeric_limits<std::underlying_type<ProtocolId>::type>::max() + 1;
 
index 17eb8b0402a85eb5eded6250e706e27ae9a795fe..0089d0323c60bcae877a5aa7f484955b60f560a0 100644 (file)
@@ -201,14 +201,14 @@ struct SSLv2_shello_t
     uint8_t minor;
 };
 
-struct SSLV3ClientHelloData
+struct SO_PUBLIC SSLV3ClientHelloData
 {
     ~SSLV3ClientHelloData();
     void clear();
     char* host_name = nullptr;
 };
 
-struct SSLV3ServerCertData
+struct SO_PUBLIC SSLV3ServerCertData
 {
     ~SSLV3ServerCertData();
     void clear();
@@ -306,7 +306,7 @@ struct ServiceSSLV3ExtensionServerName
 
 namespace snort
 {
-uint32_t SSL_decode(
+SO_PUBLIC uint32_t SSL_decode(
     const uint8_t* pkt, int size, uint32_t pktflags, uint32_t prevflags,
     uint8_t* alert_flags, uint16_t* partial_rec_len, int hblen, uint32_t* info_flags = nullptr,
     SSLV3ClientHelloData* data = nullptr, SSLV3ServerCertData* server_cert_data = nullptr);
index 74468154dcf2482b01ced0786949fccea21c3b27..3f79f254309fa75e0b8b4c74d8b8fc87b5ddda86 100644 (file)
@@ -65,6 +65,13 @@ namespace tcp
 
 #define GET_PKT_SEQ(p) (ntohl((p)->ptrs.tcph->th_seq))
 
+/* Macros to deal with sequence numbers - p810 TCP Illustrated vol 2 */
+#define SEQ_LT(a,b)  ((int)((a) - (b)) <  0)
+#define SEQ_LEQ(a,b) ((int)((a) - (b)) <= 0)
+#define SEQ_GT(a,b)  ((int)((a) - (b)) >  0)
+#define SEQ_GEQ(a,b) ((int)((a) - (b)) >= 0)
+#define SEQ_EQ(a,b)  ((int)((a) - (b)) == 0)
+
 constexpr uint8_t TCP_MIN_HEADER_LEN = 20; // this is actually the minimal TCP header length
 constexpr int OPT_TRUNC = -1;
 constexpr int OPT_BADLEN = -2;
@@ -176,6 +183,19 @@ struct TCPHdr
 
     inline void set_seq(uint32_t new_seq)
     { th_seq = htonl(new_seq); }
+
+    void stringify_flags(char* buf) const
+    {
+        *buf++ = (char)((th_flags & TH_RES1) ? '1' : '*');
+        *buf++ = (char)((th_flags & TH_RES2) ? '2' : '*');
+        *buf++ = (char)((th_flags & TH_URG)  ? 'U' : '*');
+        *buf++ = (char)((th_flags & TH_ACK)  ? 'A' : '*');
+        *buf++ = (char)((th_flags & TH_PUSH) ? 'P' : '*');
+        *buf++ = (char)((th_flags & TH_RST)  ? 'R' : '*');
+        *buf++ = (char)((th_flags & TH_SYN)  ? 'S' : '*');
+        *buf++ = (char)((th_flags & TH_FIN)  ? 'F' : '*');
+        *buf = '\0';
+    }
 };
 }  // namespace tcp
 }  // namespace snort
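Review bot: `stringify_flags` writes nine bytes through `buf` (eight flag characters and the terminating NUL) but takes a bare `char*`, so nothing documents or enforces the required capacity; add `// buf must hold at least 9 bytes: 8 flag characters plus the terminating NUL` above the function, or take `char (&buf)[9]` if every caller passes a fixed-size array. The `(char)` casts are redundant since both arms of each ternary are already `char` literals, so `*buf++ = (th_flags & TH_URG) ? 'U' : '*';` reads cleaner. `TCPHdr` begins outside the hunk.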
index 29620e2d7c6b40acdebc89a88612402652be5a03..e15031b6b1e458ef47ce8cb69e5a49c77fec6032 100644 (file)
 #include "detection/detection_engine.h"
 #include "detection/ips_context.h"
 #include "flow/expect_cache.h"
+#include "flow/expect_flow.h"
 #include "log/text_log.h"
 #include "main/snort_config.h"
 #include "managers/codec_manager.h"
+#include "packet_io/packet_tracer.h"
 #include "packet_io/sfdaq.h"
-#include "packet_tracer/packet_tracer.h"
 #include "profiler/profiler_defs.h"
 #include "stream/stream.h"
 #include "trace/trace_api.h"
@@ -109,7 +110,6 @@ public:
 
 MockCodec mock_cd;
 std::array<Codec*, UINT8_MAX> CodecManager::s_protocols { { &mock_cd } };
-THREAD_LOCAL uint8_t CodecManager::max_layers = 1;
 
 //-----------------------------
 // Test
index b9ff274d3c38d3b1429de8b8030c8f6b453883f3..a28aab8715db1a01cdcec7714a33277fc6294e9e 100644 (file)
@@ -21,7 +21,7 @@
 #include "config.h"
 #endif
 
-#include "flow/expect_cache.h"
+#include "flow/expect_flow.h"
 #include "framework/api_options.h"
 #include "protocols/packet.h"
 #include "protocols/packet_manager.h"
@@ -37,8 +37,8 @@ const char* PacketManager::get_proto_name(ProtocolId) { return nullptr; }
 const vlan::VlanTagHdr* layer::get_vlan_layer(const Packet*) { return nullptr; }
 const geneve::GeneveLyr* layer::get_geneve_layer(const Packet*, bool) { return nullptr; }
 void ip::IpApi::reset() {}
-THREAD_LOCAL uint8_t CodecManager::max_layers = 0;
 
+uint8_t PacketManager::max_layers = DEFAULT_LAYERMAX;
 
 TEST_GROUP(get_geneve_opt_tests)
 {
index d730b7a0866d5f25f88b9e05160395c72800f622..318e2c7eabd98bfff0a547bfbfdb5bd34251b4c2 100644 (file)
@@ -23,6 +23,8 @@
 
 #include "dns_events.h"
 
+#include <algorithm>
+
 #include "service_inspectors/dns/dns.h"
 
 using namespace snort;
@@ -43,7 +45,7 @@ void IPFqdnCacheItem::add_fqdn(const FqdnTtl& fqdn_ttl)
             return;
 
     fqdns.emplace_back(fqdn_ttl);
-} 
+}
 
 void DnsResponseDataEvents::add_ip(const DnsResponseIp& ip)
 {
index f1bfa3329669dba9087439c3227dbcae3671bf17..99715b885f14ce0bf21d907d521ade5194a5d4ae 100644 (file)
 #include "config.h"
 #endif
 
+#include "framework/module.h"
 #include "framework/mpse.h"
+#include "main/snort_types.h"
+#include "profiler/profiler.h"
 
 #include "bnfa_search.h"
 
 using namespace snort;
 
+#define MOD_NAME "ac_bnfa"
+#define MOD_HELP "Aho-Corasick Binary NFA (low memory, low performance) MPSE"
+
+struct BnfaCounts
+{
+    PegCount searches;
+    PegCount matches;
+    PegCount bytes;
+};
+
+static THREAD_LOCAL BnfaCounts bnfa_counts;
+static THREAD_LOCAL ProfileStats bnfa_stats;
+
+const PegInfo bnfa_pegs[] =
+{
+    { CountType::SUM, "searches", "number of search attempts" },
+    { CountType::SUM, "matches", "number of times a match was found" },
+    { CountType::SUM, "bytes", "total bytes searched" },
+
+    { CountType::END, nullptr, nullptr }
+};
+
 //-------------------------------------------------------------------------
-// "ac_bnfa"
+// module
+//-------------------------------------------------------------------------
+
+class AcBnfaModule : public Module
+{
+public:
+    AcBnfaModule() : Module(MOD_NAME, MOD_HELP) { }
+
+    ProfileStats* get_profile() const override
+    { return &bnfa_stats; }
+
+    const PegInfo* get_pegs() const override
+    { return bnfa_pegs; }
+
+    PegCount* get_counts() const override
+    { return (PegCount*)&bnfa_counts; }
+
+    Usage get_usage() const override
+    { return GLOBAL; }
+};
+
+//-------------------------------------------------------------------------
+// mpse
 //-------------------------------------------------------------------------
 
 class AcBnfaMpse : public Mpse
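Review bot: `MOD_HELP` now describes ac_bnfa as "(low memory, low performance)", whereas the string it replaces in the api table further down read "(low memory, high performance)"; if the downgrade is a deliberate correction it should be called out in the commit message, otherwise it is a typo to fix before the help text ships to users. Separately, `bnfa_pegs` (and `full_pegs` in ac_full.cc) has external linkage while the counters beside it are `static`; unless another TU references it, `static const PegInfo bnfa_pegs[] =` keeps the table TU-local like the rest of the module state.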
@@ -58,27 +105,14 @@ public:
             bnfaFree(obj);
     }
 
-    int add_pattern(
-        const uint8_t* P, unsigned m, const PatternDescriptor& desc, void* user) override
-    {
-        return bnfaAddPattern(obj, P, m, desc.no_case, desc.negated, user);
-    }
+    int add_pattern(const uint8_t* P, unsigned m, const PatternDescriptor& desc, void* user) override
+    { return bnfaAddPattern(obj, P, m, desc.no_case, desc.negated, user); }
 
     int prep_patterns(SnortConfig* sc) override
-    {
-        return bnfaCompile(sc, obj);
-    }
-
-    int _search(
-        const uint8_t* T, int n, MpseMatch match,
-        void* context, int* current_state) override
-    {
-        /* return is actually the state */
-        return _bnfa_search_csparse_nfa(
-            obj, T, n, match, context, 0 /* start-state */, current_state);
-    }
+    { return bnfaCompile(sc, obj); }
 
-    //  FIXIT-L Implement search_all method for AC_BNFA.
+    int get_pattern_count() const override
+    { return bnfaPatternCount(obj); }
 
     int print_info() override
     {
@@ -86,16 +120,38 @@ public:
         return 0;
     }
 
-    int get_pattern_count() const override
-    {
-        return bnfaPatternCount(obj);
-    }
+    int search(const uint8_t*, int, MpseMatch, void*, int*) override;
+    //  FIXIT-L Implement search_all method for AC_BNFA.
 };
 
+int AcBnfaMpse::search( const uint8_t* T, int n, MpseMatch match, void* context, int* current_state)
+{
+    Profile profile(bnfa_stats);  // cppcheck-suppress unreadVariable
+
+    bnfa_counts.searches++;
+    bnfa_counts.bytes += n;
+
+    int found = _bnfa_search_csparse_nfa(
+        obj, T, n, match, context, 0 /* start-state */, current_state);
+
+    bnfa_counts.matches += found;
+    return found;
+}
+
 //-------------------------------------------------------------------------
 // api
 //-------------------------------------------------------------------------
 
+static Module* mod_ctor()
+{
+    return new AcBnfaModule;
+}
+
+static void mod_dtor(Module* p)
+{
+    delete p;
+}
+
 static Mpse* bnfa_ctor(
     const SnortConfig*, class Module*, const MpseAgent* agent)
 {
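Review bot: The comment removed from the old `_search` said the return value of `_bnfa_search_csparse_nfa` "is actually the state", yet the new `AcBnfaMpse::search` adds that return to `bnfa_counts.matches`; if the comment was still accurate the peg counts automaton states rather than matches, so please confirm the function returns a match count (as the same pattern in ac_full.cc assumes for `acsm_search_dfa_full`). If it does, a short comment at the call, `// returns the number of matches; the resulting state is passed back via current_state`, would stop the next reader asking the same question.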
@@ -127,10 +183,10 @@ static const MpseApi bnfa_api =
         0,
         API_RESERVED,
         API_OPTIONS,
-        "ac_bnfa",
-        "Aho-Corasick Binary NFA (low memory, high performance) MPSE",
-        nullptr,
-        nullptr
+        MOD_NAME,
+        MOD_HELP,
+        mod_ctor,
+        mod_dtor
     },
     MPSE_BASE,
     nullptr,
index 7a44c83334e34a62ab6a5d8c7ecfd2956de68828..d8d5b699577e9ddb090f2baa43a65ce8c71157cb 100644 (file)
 #include "config.h"
 #endif
 
+#include "framework/module.h"
 #include "framework/mpse.h"
+#include "main/snort_types.h"
+#include "profiler/profiler.h"
 
 #include "acsmx2.h"
 
 using namespace snort;
 
+#define MOD_NAME "ac_full"
+#define MOD_HELP "Aho-Corasick Full (high memory, best performance), implements search_all()"
+
+struct FullCounts
+{
+    PegCount searches;
+    PegCount matches;
+    PegCount bytes;
+};
+
+static THREAD_LOCAL FullCounts full_counts;
+static THREAD_LOCAL ProfileStats full_stats;
+
+const PegInfo full_pegs[] =
+{
+    { CountType::SUM, "searches", "number of search attempts" },
+    { CountType::SUM, "matches", "number of times a match was found" },
+    { CountType::SUM, "bytes", "total bytes searched" },
+
+    { CountType::END, nullptr, nullptr }
+};
+
+//-------------------------------------------------------------------------
+// module
+//-------------------------------------------------------------------------
+
+class AcFullModule : public Module
+{
+public:
+    AcFullModule() : Module(MOD_NAME, MOD_HELP) { }
+
+    ProfileStats* get_profile() const override
+    { return &full_stats; }
+
+    const PegInfo* get_pegs() const override
+    { return full_pegs; }
+
+    PegCount* get_counts() const override
+    { return (PegCount*)&full_counts; }
+
+    Usage get_usage() const override
+    { return GLOBAL; }
+};
+
 //-------------------------------------------------------------------------
-// "ac_full"
+// mpse
 //-------------------------------------------------------------------------
 
 class AcfMpse : public Mpse
@@ -43,40 +90,60 @@ public:
     ~AcfMpse() override
     { acsmFree2(obj); }
 
-    int add_pattern(
-        const uint8_t* P, unsigned m, const PatternDescriptor& desc, void* user) override
-    {
-        return acsmAddPattern2(obj, P, m, desc.no_case, desc.negated, user);
-    }
+    int add_pattern(const uint8_t* P, unsigned m, const PatternDescriptor& desc, void* user) override
+    { return acsmAddPattern2(obj, P, m, desc.no_case, desc.negated, user); }
 
     int prep_patterns(SnortConfig* sc) override
     { return acsmCompile2(sc, obj); }
 
-    int _search(
-        const uint8_t* T, int n, MpseMatch match,
-        void* context, int* current_state) override
-    {
-        return acsm_search_dfa_full(obj, T, n, match, context, current_state);
-    }
-
-    int search_all(
-        const uint8_t* T, int n, MpseMatch match,
-        void* context, int* current_state) override
-    {
-        return acsm_search_dfa_full_all(obj, T, n, match, context, current_state);
-    }
-
     int print_info() override
     { return acsmPrintDetailInfo2(obj); }
 
     int get_pattern_count() const override
     { return acsmPatternCount2(obj); }
+
+    int search(const uint8_t*, int, MpseMatch, void*, int*) override;
+    int search_all(const uint8_t*, int n, MpseMatch, void*, int*) override;
 };
 
+int AcfMpse::search(const uint8_t* T, int n, MpseMatch match, void* context, int* current_state)
+{
+    Profile profile(full_stats);  // cppcheck-suppress unreadVariable
+
+    full_counts.searches++;
+    full_counts.bytes += n;
+
+    int found = acsm_search_dfa_full(obj, T, n, match, context, current_state);
+
+    full_counts.matches += found;
+    return found;
+}
+
+int AcfMpse::search_all(const uint8_t* T, int n, MpseMatch match, void* context, int* current_state)
+{
+    full_counts.searches++;
+    full_counts.bytes += n;
+
+    int found = acsm_search_dfa_full_all(obj, T, n, match, context, current_state);
+
+    full_counts.matches += found;
+    return found;
+}
+
 //-------------------------------------------------------------------------
 // api
 //-------------------------------------------------------------------------
 
+static Module* mod_ctor()
+{
+    return new AcFullModule;
+}
+
+static void mod_dtor(Module* p)
+{
+    delete p;
+}
+
 static Mpse* acf_ctor(
     const SnortConfig*, class Module*, const MpseAgent* agent)
 {
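Review bot: `AcfMpse::search_all` updates the pegs but, unlike `AcfMpse::search` directly above it, does not create a `Profile profile(full_stats);` scope, so time spent on the search_all path is not attributed to the ac_full profile node even though its searches and bytes are counted there; if that is unintended, add `Profile profile(full_stats);  // cppcheck-suppress unreadVariable` as the first statement of `search_all`, and if it is intended, a one-line comment saying the caller profiles this path would prevent the asymmetry being "fixed" later.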
@@ -108,10 +175,10 @@ static const MpseApi acf_api =
         0,
         API_RESERVED,
         API_OPTIONS,
-        "ac_full",
-        "Aho-Corasick Full (high memory, best performance), implements search_all()",
-        nullptr,
-        nullptr
+        MOD_NAME,
+        MOD_HELP,
+        mod_ctor,
+        mod_dtor
     },
     MPSE_BASE,
     nullptr,
index bf3a21a3be97c4e04c2bcffe22db0ee41df7e8a9..6340b6229e68219069b4be11eac702ab11c49b54 100644 (file)
 #include <list>
 #include <mutex>
 
+#include "log/log_stats.h"
 #include "log/messages.h"
-#include "utils/stats.h"
 #include "utils/util.h"
 
 using namespace snort;
index 19de47ad787a028492179531b313f05b3ef58892..8047ca9eaf0dfac594923e297160e1609d3b8707 100644 (file)
 
 #include <list>
 
+#include "log/log_stats.h"
 #include "log/messages.h"
-#include "utils/stats.h"
 #include "utils/util.h"
 
 using namespace snort;
index 49cb26c6e066005a51de9681ba1852eb2fd3195d..da57d2225d769effa2b8a7e28734d6c322d26536 100644 (file)
 #include "framework/mpse.h"
 #include "hash/hashes.h"
 #include "helpers/scratch_allocator.h"
+#include "log/log_stats.h"
 #include "log/messages.h"
 #include "main/snort_config.h"
 #include "main/thread.h"
-#include "utils/stats.h"
+#include "profiler/profiler.h"
 
 using namespace snort;
 
 static const char* s_name = "hyperscan";
-static const char* s_help = "intel hyperscan-based mpse with regex support";
+static const char* s_help = "intel hyperscan-based MPSE with regex support";
 
+//-------------------------------------------------------------------------
+// pattern foo
+//-------------------------------------------------------------------------
+
+namespace
+{
 struct Pattern
 {
     std::string pat;
@@ -61,6 +68,7 @@ struct Pattern
     Pattern(const uint8_t*, unsigned, const Mpse::PatternDescriptor&, void*);
     void escape(const uint8_t*, unsigned, bool);
 };
+}
 
 Pattern::Pattern(
     const uint8_t* s, unsigned n, const Mpse::PatternDescriptor& d, void* u)
@@ -113,21 +121,98 @@ static bool compare(const Pattern& a, const Pattern& b)
 
 typedef std::vector<Pattern> PatternVector;
 
+//-------------------------------------------------------------------------
+// scratch
+//-------------------------------------------------------------------------
+
 static std::mutex s_mutex;
 static hs_scratch_t* s_scratch = nullptr;
 static unsigned int scratch_index;
 static ScratchAllocator* scratcher = nullptr;
 
-struct ScanContext
+static bool scratch_setup(SnortConfig* sc)
 {
-    class HyperscanMpse* mpse;
-    MpseMatch match_cb;
-    void* match_ctx;
-    int nfound = 0;
+    for ( unsigned i = 0; i < sc->num_slots; ++i )
+    {
+        hs_scratch_t** ss = (hs_scratch_t**) &sc->state[i][scratch_index];
+        hs_clone_scratch(s_scratch, ss);
+    }
 
-    ScanContext(HyperscanMpse* m, MpseMatch cb, void* ctx)
-    { mpse = m; match_cb = cb; match_ctx = ctx; }
+    return true;
+}
+
+static void scratch_cleanup(SnortConfig* sc)
+{
+    for ( unsigned i = 0; i < sc->num_slots; ++i )
+    {
+        hs_scratch_t* ss = (hs_scratch_t*)sc->state[i][scratch_index];
+        hs_free_scratch(ss);
+        sc->state[i][scratch_index] = nullptr;
+    }
+}
+
+static void scratch_update(SnortConfig* sc)
+{
+    hs_scratch_t** ss = (hs_scratch_t**) &sc->state[get_instance_id()][scratch_index];
+
+    if ( *ss == s_scratch )
+        return;
+
+    hs_free_scratch(*ss);
+    *ss = nullptr;
+
+    hs_clone_scratch(s_scratch, ss);
+}
+
+//-------------------------------------------------------------------------
+// module
+//-------------------------------------------------------------------------
+
+struct FullCounts
+{
+    PegCount searches;
+    PegCount matches;
+    PegCount bytes;
+};
+
+static THREAD_LOCAL FullCounts hyper_counts;
+static THREAD_LOCAL ProfileStats hyper_stats;
+
+const PegInfo hyper_pegs[] =
+{
+    { CountType::SUM, "searches", "number of search attempts" },
+    { CountType::SUM, "matches", "number of times a match was found" },
+    { CountType::SUM, "bytes", "total bytes searched" },
+
+    { CountType::END, nullptr, nullptr }
+};
+
+class HyperscanModule : public Module
+{
+public:
+    HyperscanModule() : Module(s_name, s_help)
+    {
+        scratcher = new SimpleScratchAllocator(scratch_setup, scratch_cleanup, scratch_update);
+        scratch_index = scratcher->get_id();
+    }
+
+    ~HyperscanModule() override
+    {
+        delete scratcher;
+        hs_free_scratch(s_scratch);
+        s_scratch = nullptr;
+    }
+    ProfileStats* get_profile() const override
+    { return &hyper_stats; }
+
+    const PegInfo* get_pegs() const override
+    { return hyper_pegs; }
 
+    PegCount* get_counts() const override
+    { return (PegCount*)&hyper_counts; }
+
+    Usage get_usage() const override
+    { return GLOBAL; }
 };
 
 //-------------------------------------------------------------------------
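Review bot: scratch_setup() and scratch_update() discard the hs_error_t returned by hs_clone_scratch(), so scratch_setup() reports true even when a per-thread scratch could not be cloned and the slot is left null; the only downstream guard is the assert in search(), which release builds drop. The two functions are relocated rather than rewritten as far as the hunk shows, but the new side is the place to add the check, e.g. `if ( s_scratch and hs_clone_scratch(s_scratch, ss) != HS_SUCCESS ) return false;` in scratch_setup() and the same test (with a log message) in scratch_update(); the `s_scratch and` part matters because search() documents a null s_scratch for the no-pattern case, where cloning is expected to be skipped rather than fail. Separately, the counter struct is named `FullCounts`, a name taken from the ac_full module that reads as the wrong matcher here; `HyperCounts` would line up with `hyper_counts` and `hyper_pegs`.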
@@ -165,7 +250,7 @@ public:
     int prep_patterns(SnortConfig*) override;
     void reuse_search() override;
 
-    int _search(const uint8_t*, int, MpseMatch, void*, int*) override;
+    int search(const uint8_t*, int, MpseMatch, void*, int*) override;
 
     int get_pattern_count() const override
     { return pvector.size(); }
@@ -351,9 +436,25 @@ int HyperscanMpse::match(unsigned id, unsigned long long to, MpseMatch match_cb,
 {
     assert(id < pvector.size());
     Pattern& p = pvector[id];
+    hyper_counts.matches++;
     return match_cb(p.user, p.user_tree, (int)to, match_ctx, p.user_list);
 }
 
+namespace
+{
+struct ScanContext
+{
+    HyperscanMpse* mpse;
+    MpseMatch match_cb;
+    void* match_ctx;
+    int nfound = 0;
+
+    ScanContext(HyperscanMpse* m, MpseMatch cb, void* ctx)
+    { mpse = m; match_cb = cb; match_ctx = ctx; }
+
+};
+}
+
 int HyperscanMpse::match(
     unsigned id, unsigned long long /*from*/, unsigned long long to,
     unsigned /*flags*/, void* pv)
@@ -363,9 +464,11 @@ int HyperscanMpse::match(
     return  scan->mpse->match(id, to, scan->match_cb, scan->match_ctx);
 }
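Review bot: The relocated ScanContext constructor assigns its three members in the body instead of initializing them, which leaves `mpse`, `match_cb` and `match_ctx` default-initialized for a moment and is the pattern static checkers flag; a member-initializer list is the idiomatic form: `ScanContext(HyperscanMpse* m, MpseMatch cb, void* ctx) : mpse(m), match_cb(cb), match_ctx(ctx) { }`. The stray blank line before the closing `};` can go at the same time. Since the struct lives in an anonymous namespace, `// namespace` on the closing brace would help readers find the end of it.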
 
-int HyperscanMpse::_search(
+int HyperscanMpse::search(
     const uint8_t* buf, int n, MpseMatch mf, void* pv, int* current_state)
 {
+    Profile profile(hyper_stats);  // cppcheck-suppress unreadVariable
+
     *current_state = 0;
     ScanContext scan(this, mf, pv);
 
@@ -375,62 +478,14 @@ int HyperscanMpse::_search(
     // scratch is null for the degenerate case w/o patterns
     assert(!hs_db or ss);
 
+    hyper_counts.searches++;
+    hyper_counts.bytes += n;
+
     hs_scan(hs_db, (const char*)buf, n, 0, ss, HyperscanMpse::match, &scan);
 
     return scan.nfound;
 }
 
-static bool scratch_setup(SnortConfig* sc)
-{
-    for ( unsigned i = 0; i < sc->num_slots; ++i )
-    {
-        hs_scratch_t** ss = (hs_scratch_t**) &sc->state[i][scratch_index];
-        hs_clone_scratch(s_scratch, ss);
-    }
-
-    return true;
-}
-
-static void scratch_cleanup(SnortConfig* sc)
-{
-    for ( unsigned i = 0; i < sc->num_slots; ++i )
-    {
-        hs_scratch_t* ss = (hs_scratch_t*)sc->state[i][scratch_index];
-        hs_free_scratch(ss);
-        sc->state[i][scratch_index] = nullptr;
-    }
-}
-
-static void scratch_update(SnortConfig* sc)
-{
-    hs_scratch_t** ss = (hs_scratch_t**) &sc->state[get_instance_id()][scratch_index];
-
-    if ( *ss == s_scratch )
-        return;
-
-    hs_free_scratch(*ss);
-    *ss = nullptr;
-
-    hs_clone_scratch(s_scratch, ss);
-}
-
-class HyperscanModule : public Module
-{
-public:
-    HyperscanModule() : Module(s_name, s_help)
-    {
-        scratcher = new SimpleScratchAllocator(scratch_setup, scratch_cleanup, scratch_update);
-        scratch_index = scratcher->get_id();
-    }
-
-    ~HyperscanModule() override
-    {
-        delete scratcher;
-        hs_free_scratch(s_scratch);
-        s_scratch = nullptr;
-    }
-};
-
 //-------------------------------------------------------------------------
 // api
 //-------------------------------------------------------------------------
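Review bot: The new `searches`/`bytes` pegs count a search as performed even when hs_scan() fails, because its hs_error_t result is still discarded on the context line `hs_scan(hs_db, (const char*)buf, n, 0, ss, HyperscanMpse::match, &scan);`, and a failed scan returns 0 matches indistinguishably from a clean miss. The unchecked return predates this commit, but now that the function has instrumentation it is the natural place to surface it, e.g. `hs_error_t err = hs_scan(hs_db, (const char*)buf, n, 0, ss, HyperscanMpse::match, &scan);` followed by `assert(err == HS_SUCCESS or err == HS_SCAN_TERMINATED);` (HS_SCAN_TERMINATED is, as far as I recall the API, the code for a callback that asked to stop, so it is not an error here). An `errors` peg would be the release-build equivalent if silent degradation of pattern matching is a concern.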
index fbba49b44313d50c0bf77533c3b5fda05ec62fc9..21a2bf7ca31813231f1e8cc865cc966a1bb2d8cb 100644 (file)
@@ -22,7 +22,6 @@
 
 #include "framework/counts.h"
 #include "main/snort_types.h"
-#include "main/thread.h"
 
 // pattern matcher queue statistics
 
@@ -35,12 +34,11 @@ struct PatMatQStat
     PegCount tot_inq_uinserts;
     PegCount non_qualified_events;
     PegCount qualified_events;
-    PegCount matched_bytes;
 };
 
 namespace snort
 {
-SO_PUBLIC extern THREAD_LOCAL PatMatQStat pmqs;
+extern THREAD_LOCAL PatMatQStat pmqs;
 }
 #endif
 
index 4433dabd62e396c00fb3cc1761f1bcf0f5284a35..f8206db9448f5df87fb9185f8884b77641c0b193 100644 (file)
@@ -39,7 +39,7 @@ SearchTool::SearchTool(bool multi, const char* override_method)
     assert(!override_method || strcmp(override_method, "hyperscan"));
     const char* method = override_method ? override_method : sc->fast_pattern_config->get_search_method();
 
-    if ( strcmp(method, "hyperscan") )
+    if ( !method or strcmp(method, "hyperscan") )
         method = "ac_full";
 
     mpsegrp = new MpseGroup;
index a01686db79cae7976be8fc84c0a2afca3354c073..ee1f566e61c2c1e9f3bd1163c9be578b48f169c7 100644 (file)
@@ -6,6 +6,7 @@ add_cpputest( ac_bnfa_test
         ../ac_bnfa.cc
         ../bnfa_search.cc
         ../search_tool.cc
+        ../../framework/module.cc
         ../../framework/mpse.cc
 )
 
@@ -16,6 +17,7 @@ add_cpputest( search_tool_test
         ../ac_full.cc
         ../acsmx2.cc
         ../search_tool.cc
+        ../../framework/module.cc
         ../../framework/mpse.cc
 )
 
index a9afc3e6d4c21855f0b0fb59d83fcac7e208ebc5..c88a445c8d967c63befd0f1e3fe6c6dba20cfaa7 100644 (file)
 
 using namespace snort;
 
-namespace snort
-{
-    unsigned get_instance_id() { return 0; }
-    unsigned ThreadConfig::get_instance_max() { return 1; }
-}
-
 //-------------------------------------------------------------------------
 // stubs, spies, etc.
 //-------------------------------------------------------------------------
index a3f8c16c2ddc7cc1877c623bd6133fa23f4d2fcc..107ff7330fce48d780a3728cf72016ec894d8805 100644 (file)
 
 using namespace snort;
 
-namespace snort
-{
-    unsigned get_instance_id() { return 0; }
-    unsigned ThreadConfig::get_instance_max() { return 1; }
-}
-
 //-------------------------------------------------------------------------
 // stubs, spies, etc.
 //-------------------------------------------------------------------------
index 74bc48349afcaea8945369fb2b1bd0e198c98452..39e45f0ef2f34adb1fbb3f1bc2ae095b2fbf932c 100644 (file)
@@ -32,9 +32,9 @@
 #include "framework/mpse_batch.h"
 #include "log/messages.h"
 #include "main/snort_config.h"
+#include "main/thread_config.h"
 #include "managers/mpse_manager.h"
-#include "search_engines/pat_stats.h"
-#include "utils/stats.h"
+#include "profiler/time_profiler_defs.h"
 
 //-------------------------------------------------------------------------
 // base stuff
@@ -76,7 +76,10 @@ void SnortConfig::release_scratch(int)
 DataBus::DataBus() = default;
 DataBus::~DataBus() = default;
 
-THREAD_LOCAL PatMatQStat pmqs;
+THREAD_LOCAL bool snort::TimeProfilerStats::enabled;
+
+unsigned get_instance_id() { return 0; }
+unsigned ThreadConfig::get_instance_max() { return 1; }
 
 unsigned parse_errors = 0;
 void ParseError(const char*, ...)
@@ -105,7 +108,7 @@ const char* FastPatternConfig::get_search_method() const
 using namespace snort;
 
 void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { }
+void show_stats(PegCount*, const PegInfo*, const std::vector<unsigned>&, const char*, FILE*) { }
 
 Mpse* mpse = nullptr;
 
index 710c9d1bcb508257d0a8d845b97a99eca4d39e30..7d4b960e6d87ce1a0e5466bce02c1f5a6ca62f35 100644 (file)
@@ -29,9 +29,6 @@
 #include "framework/mpse_batch.h"
 #include "main/snort_config.h"
 #include "managers/mpse_manager.h"
-#include "utils/stats.h"
-
-#include "search_engines/pat_stats.h"
 
 extern std::vector<void *> s_state;
 extern snort::ScratchAllocator* scratcher;
@@ -41,7 +38,6 @@ namespace snort
 extern SnortConfig s_conf;
 
 extern THREAD_LOCAL SnortConfig* snort_conf;
-extern THREAD_LOCAL PatMatQStat pmqs;
 
 extern unsigned parse_errors;
 } // namespace snort
index bfac57111aaaa695c90d0a45fc88626e5b108ea7..fa902c17059e0ecb2c8f7449d005f31aacad5a8d 100644 (file)
@@ -40,6 +40,7 @@ if (STATIC_INSPECTORS)
         $<TARGET_OBJECTS:s7commplus>
         $<TARGET_OBJECTS:smtp>
         $<TARGET_OBJECTS:ssh>
+        $<TARGET_OBJECTS:ssl>
         $<TARGET_OBJECTS:wizard>
     )
 endif()
@@ -48,7 +49,6 @@ set(STATIC_SERVICE_INSPECTOR_PLUGINS
     $<TARGET_OBJECTS:http_inspect>
     $<TARGET_OBJECTS:http2_inspect>
     $<TARGET_OBJECTS:sip>
-    $<TARGET_OBJECTS:ssl>
     $<TARGET_OBJECTS:dns>
     ${STATIC_INSPECTOR_OBJS}
     CACHE INTERNAL "STATIC_SERVICE_INSPECTOR_PLUGINS"
index 416f3892cdba904ffcdf2500e2eaf85434792c2f..d5d261fe4f54cfac3d4283040fd9dd406fb0a33a 100644 (file)
 #endif
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "framework/inspector.h"
 #include "framework/module.h"
 #include "log/messages.h"
index 8993d06abe22860d025e9227d8422fdb8eb6ca8b..d143e4a95218e42914a19fb4c7fb9b6f27c66e89 100644 (file)
@@ -27,9 +27,7 @@
 #include "cip.h"
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "log/messages.h"
-#include "managers/inspector_manager.h"
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
 #include "pub_sub/cip_events.h"
index 630d5e874bd60f83e14b8caba55cccc7ce09bb4b..e998c99e6feadcad2409f5d1342713680df3a8b9 100644 (file)
@@ -25,7 +25,6 @@
 #include "flow/flow.h"
 #include "framework/counts.h"
 #include "framework/data_bus.h"
-#include "main/thread.h"
 #include "protocols/packet.h"
 
 #include "cip_definitions.h"
index fb085735ec862d3215b965e4bd8d34631f27b547..d57d62037437702a2cb144e58dbc0300f88ed263 100644 (file)
@@ -171,7 +171,7 @@ static void cip_attribute_mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* cip_attribute_ctor(Module* p, OptTreeNode*)
+static IpsOption* cip_attribute_ctor(Module* p, IpsInfo&)
 {
     CipAttributeModule* m = static_cast<CipAttributeModule*>(p);
     return new CipAttributeOption(m->cip_attr);
index 9eca53034dc40ba5e49e7868e0797d4e8cf50c9f..db60dd69abfcc78f54da2c7ef5f2d43208bfea08 100644 (file)
@@ -170,7 +170,7 @@ static void cip_class_mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* cip_class_ctor(Module* p, OptTreeNode*)
+static IpsOption* cip_class_ctor(Module* p, IpsInfo&)
 {
     CipClassModule* m = static_cast<CipClassModule*>(p);
     return new CipClassOption(m->cip_class);
index 0ba5f82f59f56241e03a99a680df8c924fec182c..3f4114f1f23ecd08c7081eca4a186840188cd276 100644 (file)
@@ -171,7 +171,7 @@ static void cip_connpathclass_mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* cip_connpathclass_ctor(Module* p, OptTreeNode*)
+static IpsOption* cip_connpathclass_ctor(Module* p, IpsInfo&)
 {
     CipConnpathclassModule* m = static_cast<CipConnpathclassModule*>(p);
     return new CipConnpathclassOption(m->cip_cpc);
index beb741412010001a6b9dc477b0e01c7ac3d07e50..54a7211e659d5170c56f62418ecb1847fe9fdd29 100644 (file)
@@ -164,7 +164,7 @@ static void cip_enipcommand_mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* cip_enipcommand_ctor(Module* p, OptTreeNode*)
+static IpsOption* cip_enipcommand_ctor(Module* p, IpsInfo&)
 {
     CipEnipCommandModule* m = static_cast<CipEnipCommandModule*>(p);
     return new CipEnipCommandOption(m->cip_enip_cmd);
index a060664e54fb331558e88b99aeea3c654b33118f..a424a5fd0712edd15220d123abd5504f07bbd4d0 100644 (file)
@@ -127,7 +127,7 @@ static void cip_enipreq_mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* cip_enipreq_ctor(Module*, OptTreeNode*)
+static IpsOption* cip_enipreq_ctor(Module*, IpsInfo&)
 {
     return new CipEnipreqOption;
 }
index 4fbb8636cc895334a66c70f0664073328ef64e17..83dec6f9e1a4adc97c32a42cfcc1a8c9d2d7936f 100644 (file)
@@ -127,7 +127,7 @@ static void cip_eniprsp_mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* cip_eniprsp_ctor(Module*, OptTreeNode*)
+static IpsOption* cip_eniprsp_ctor(Module*, IpsInfo&)
 {
     return new CipEnipRspOption;
 }
index baa504d9ac8559616ab739b7eb84418e24a3cb8f..f629dc57c2bfb386052e484ef607a29b4eadebf0 100644 (file)
@@ -171,7 +171,7 @@ static void cip_instance_mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* cip_instance_ctor(Module* p, OptTreeNode*)
+static IpsOption* cip_instance_ctor(Module* p, IpsInfo&)
 {
     CipInstanceModule* m = static_cast<CipInstanceModule*>(p);
     return new CipInstanceOption(m->cip_inst);
index 7cd52636a9b83eae7f2a7a6048d67cf719d41dcd..642427d68e4144ef1931841d134a2e5040dce6c0 100644 (file)
@@ -128,7 +128,7 @@ static void cip_req_mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* cip_req_ctor(Module*, OptTreeNode*)
+static IpsOption* cip_req_ctor(Module*, IpsInfo&)
 {
     return new CipReqOption;
 }
index d65e79ac48ef856bac90d72d9bd5c9f5c61ecd34..d5a5d5bcf74213950b2b302d4f198785b143c320 100644 (file)
@@ -128,7 +128,7 @@ static void cip_rsp_mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* cip_rsp_ctor(Module*, OptTreeNode*)
+static IpsOption* cip_rsp_ctor(Module*, IpsInfo&)
 {
     return new CipRspOption;
 }
index 26da01f8f2695dcf2072c646fa427a527425478e..228921d255bcd2c78af9e9c2bac81bf4d25c5507 100644 (file)
@@ -175,7 +175,7 @@ static void cip_service_mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* cip_service_ctor(Module* p, OptTreeNode*)
+static IpsOption* cip_service_ctor(Module* p, IpsInfo&)
 {
     CipServiceModule* m = static_cast<CipServiceModule*>(p);
     return new CipServiceOption(m->cip_serv);
index f24a4ba910c81bd45abf8e79d06dab66acc40f3a..f4604a05de3debc4810586928cd082b410881e76 100644 (file)
@@ -170,7 +170,7 @@ static void cip_status_mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* cip_status_ctor(Module* p, OptTreeNode*)
+static IpsOption* cip_status_ctor(Module* p, IpsInfo&)
 {
     CipStatusModule* m = static_cast<CipStatusModule*>(p);
     return new CipStatusOption(m->cip_status);
index 54a0542539e53291942f06bb1e1612aa1018455a..ac80725f6444eb484d76361acc23b1bb8b81b2cb 100644 (file)
@@ -25,7 +25,7 @@
 #include "dce_common.h"
 
 #include "detection/detection_engine.h"
-#include "ips_options/extract.h"
+#include "detection/extract.h"
 #include "log/messages.h"
 #include "utils/safec.h"
 
index 8fd8139d664b6598f372ee3f5aab2679ac51b117..50f971a1b18b6488d95e79befaf226cbf8bd19ac 100644 (file)
@@ -24,7 +24,7 @@
 
 #include "dce_expected_session.h"
 
-#include "managers/inspector_manager.h"
+#include "framework/pig_pen.h"
 #include "pub_sub/dcerpc_events.h"
 #include "stream/stream.h"
 
@@ -36,7 +36,7 @@ void DceExpSsnManager::create_expected_session(const SfIp* ept_ip,
     uint16_t ept_port, const char* mod_name)
 {
     Packet* pkt = DetectionEngine::get_current_packet();
-    Dce2Tcp* inspector = (Dce2Tcp*)InspectorManager::get_inspector(mod_name, true);
+    Dce2Tcp* inspector = (Dce2Tcp*)PigPen::get_inspector(mod_name, true);
     DceExpSsnManager& esm = inspector->get_esm();
 
     const SfIp* src_ip = pkt->ptrs.ip_api.get_dst();
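Review bot: `PigPen::get_inspector(mod_name, true)` can return null, as the ftp_server hunk in this same commit checks explicitly, yet here the result is dereferenced on the next line via `inspector->get_esm()` with no check; the rename from InspectorManager preserves a pre-existing null dereference rather than introducing it, but it is worth closing while the line is being touched. A minimal guard is `if ( !inspector ) return;` (or an assert plus the early return) before `DceExpSsnManager& esm = inspector->get_esm();`. A `static_cast<Dce2Tcp*>` would also be preferable to the C-style cast. The body of create_expected_session() continues past the end of this hunk.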
index e929b6f77fe8e790d779e5e42d81d4f88a1273bc..174222b595925625da29d6eddf38ee50fb531819 100644 (file)
@@ -25,7 +25,6 @@
 
 #include "dce_http_proxy_module.h"
 
-#include "managers/inspector_manager.h"
 #include "stream/tcp/tcp_stream_session.h"
 
 #include "dce_http_proxy_splitter.h"
index f6889892f160ba2597235750ade0d51a77a159a6..1541fd3e4427c79e6ae74abdbcfa9da338b67e0b 100644 (file)
@@ -24,7 +24,6 @@
 #include "dce_common.h"
 #include "framework/counts.h"
 #include "framework/module.h"
-#include "main/thread.h"
 
 class DceHttpProxyModule : public snort::Module
 {
index 444b4570ff2a18c15029473b641e9f4384ce1e61..65391880f3c1ec2ab5bdb8ddeb9b3291f3e1c82a 100644 (file)
@@ -25,7 +25,6 @@
 
 #include "dce_http_server_module.h"
 
-#include "managers/inspector_manager.h"
 #include "stream/tcp/tcp_stream_session.h"
 
 #include "dce_http_server_splitter.h"
index 19c7f5cd97c388d898ec60e9c41dcbb47f00c72b..a214643bf7186050fd0aac1c982359326a0f0c73 100644 (file)
@@ -24,7 +24,6 @@
 #include "dce_common.h"
 #include "framework/counts.h"
 #include "framework/module.h"
-#include "main/thread.h"
 
 class DceHttpServerModule : public snort::Module
 {
index e6c1cd8a3ef8bee37edec8de444b89644720ea7f..1835058760feca29908a7dc4d4d97d24a035a469 100644 (file)
@@ -510,9 +510,6 @@ public:
     static void init()
     { inspector_id = snort::FlowData::create_flow_data_id(); }
 
-    size_t size_of() override
-    { return sizeof(*this); }
-
 public:
     static unsigned inspector_id;
     DCE2_SmbVersion smb_version;
index b5981c504357134de53ef23286d22712d96574c1..4e6b48f110ba9125a253f96b8195599ae86878bd 100644 (file)
 #endif
 
 #include "dce_smb2.h"
-#include "dce_smb2_commands.h"
-#include "detection/detection_util.h"
+
+#include "flow/flow_key.h"
 #include "stream/stream.h"
 
+#include "dce_smb2_commands.h"
+
 using namespace snort;
 
 const char* smb2_command_string[SMB2_COM_MAX] = {
index 0103254de1922f3f7e1550e72f6a25b99ee0d1d0..6f7893ea51ad0db9dc3522699c12f2839e89a6a1 100644 (file)
@@ -26,6 +26,8 @@
 #endif
 
 #include "dce_smb2_commands.h"
+
+#include "file_api/file_lib.h"
 #include "hash/hash_key_operations.h"
 #include "log/messages.h"
 #include "packet_io/active.h"
index 20c771b3af3216dfb3670a8670baa5bef26870c1..1845261232a34f75f23d52afa58e5fd2d79dd272 100644 (file)
 #ifndef DCE_SMB2_COMMANDS_H
 #define DCE_SMB2_COMMANDS_H
 
+#include "file_api/file_flows.h"
+#include "file_api/file_service.h"
+
 #include "dce_smb_module.h"
 #include "dce_smb_utils.h"
 #include "dce_smb2_utils.h"
-#include "detection/detection_util.h"
-#include "file_api/file_flows.h"
-#include "file_api/file_service.h"
 
 void DCE2_Smb2Setup(DCE2_Smb2SsnData*, const Smb2Hdr*,
     const uint64_t sid, const uint8_t* smb_data, const uint8_t* end);
index 5cb22e7a215361bec7300cde286e9c0f6a108a26..6e66caf6a3e0130e04433df76335bb55b9e66910 100644 (file)
 #include "config.h"
 #endif
 
+#include "flow/flow_key.h"
+
 #include "dce_smb_module.h"
 #include "dce_smb_utils.h"
 #include "dce_smb2_utils.h"
-#include "detection/detection_util.h"
-#include "flow/flow_key.h"
 
 using namespace snort;
 
index d01c6ebb1a87644cc096dea883ebeba6a7d63e90..0d96db6ec10454264ae9f1992d3d4761e71e9566 100644 (file)
@@ -231,9 +231,6 @@ static const Parameter s_params[] =
     { "valid_smb_versions", Parameter::PT_MULTI, "v1 | v2 | all", "all",
       "valid SMB versions" },
 
-    { "smb_file_inspection", Parameter::PT_ENUM, "off | on | only", nullptr,
-      "deprecated (not used): file inspection controlled by smb_file_depth" },
-
     { "smb_file_depth", Parameter::PT_INT, "-1:32767", "16384",
       "SMB file depth for file data (-1 = disabled, 0 = unlimited)" },
 
@@ -510,9 +507,6 @@ bool Dce2SmbModule::set(const char*, Value& v, SnortConfig*)
     else if ( v.is("valid_smb_versions") )
         set_smb_versions_mask(config,v.get_string());
 
-    else if ( v.is("smb_file_inspection") )
-        ParseWarning(WARN_CONF, "smb_file_inspection is deprecated (not used): use smb_file_depth");
-
     else if ( v.is("smb_file_depth") )
         config.smb_file_depth = v.get_int16();
 
index 98126780e1349c4dec5d0d5c5ad97c0f4fc7893d..11bdf03c5ddb07d0ec42c110c1e5af61da303820 100644 (file)
 #include "dce_smb_utils.h"
 
 #include "detection/detection_engine.h"
-#include "detection/detection_util.h"
 #include "file_api/file_api.h"
+#include "file_api/file_lib.h"
 #include "hash/hash_key_operations.h"
 #include "main/snort.h"
-#include "network_inspectors/packet_tracer/packet_tracer.h"
 #include "packet_io/active.h"
+#include "packet_io/packet_tracer.h"
 #include "trace/trace_api.h"
 #include "utils/util.h"
 
index 5be45a8b0fe1caa8a90d2d58a86bc6b419c41448..ee469a4ac6ddcf386b409050e97d0be7611340be 100644 (file)
@@ -26,6 +26,7 @@
 #include "dce_tcp.h"
 
 #include "detection/detection_engine.h"
+#include "main/snort_config.h"
 #include "pub_sub/dcerpc_events.h"
 #include "utils/util.h"
 
index 81a5f7f38fd887f0aed2dfdf7b703ff4d9364af5..815bfb3016c0051914428f655b129b64887f1c47 100644 (file)
@@ -511,7 +511,7 @@ static void dce2_iface_mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* dce2_iface_ctor(Module* p, OptTreeNode*)
+static IpsOption* dce2_iface_ctor(Module* p, IpsInfo&)
 {
     Dce2IfaceModule* m = (Dce2IfaceModule*)p;
     return new Dce2IfaceOption(m->version, m->any_frag, m->uuid);
index d9f54134d862dfefa4b8130e38c50f18b18dd781..84ce965223d4588d78b5976f57f3e197b62dcc63 100644 (file)
@@ -524,7 +524,7 @@ static void dce2_opnum_mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* dce2_opnum_ctor(Module* p, OptTreeNode*)
+static IpsOption* dce2_opnum_ctor(Module* p, IpsInfo&)
 {
     Dce2OpnumModule* m = (Dce2OpnumModule*)p;
     DCE2_Opnum opnum = m->opnum;
index 3611b306dd912b4170e4bdec79fea28609b95111..6ada2ecb8a8aef2b0cbec02f90efb25a89da149e 100644 (file)
@@ -136,7 +136,7 @@ static void dce2_stub_data_mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* dce2_stub_data_ctor(Module*, OptTreeNode*)
+static IpsOption* dce2_stub_data_ctor(Module*, IpsInfo&)
 {
     return new Dce2StubDataOption;
 }
index c3592a26e44131fbcacbe2f92b4fa9065354bc83..963de3ba9a896416d737cd7e8d9f61819e10cc40 100644 (file)
 
 #include "smb_message.h"
 
-#include "dce_smb.h"
-#include "dce_smb_commands.h"
-#include "dce_smb_module.h"
-#include "dce_smb_paf.h"
-#include "dce_smb_transaction.h"
-#include "dce_smb2_utils.h"
-#include "detection/detect.h"
 #include "file_api/file_service.h"
 #include "memory/memory_cap.h"
 #include "packet_io/active.h"
 #include "trace/trace_api.h"
 #include "utils/util.h"
 
+#include "dce_smb.h"
+#include "dce_smb2.h"
+#include "dce_smb_commands.h"
+#include "dce_smb_module.h"
+#include "dce_smb_paf.h"
+#include "dce_smb_transaction.h"
+
 using namespace snort;
 
 /********************************************************************
index 7f3a18cc0698f3eb36273c8cc18419abda1fdd6e..9f6344c53d533cef016ea2cb3da7017aee7131bb 100644 (file)
@@ -26,7 +26,6 @@
 #include "dnp3.h"
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "log/messages.h"
 #include "protocols/packet.h"
 
index bac2a3aae09a242f3fa9d6d061bf3abf2b73e2be..f300ceea234a7c5104b0ccff48cd1b6a0ee8d026 100644 (file)
@@ -27,7 +27,6 @@
 #include "dnp3_reassembly.h"
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "protocols/packet.h"
 
 #include "dnp3_map.h"
index 89a80eb6d72527d71b1f3fd0b92822b58428a894..439637b615862d4c60c05e3608ec8235799044da 100644 (file)
@@ -136,7 +136,7 @@ static void dnp3_data_mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* dnp3_data_ctor(Module*, OptTreeNode*)
+static IpsOption* dnp3_data_ctor(Module*, IpsInfo&)
 {
     return new Dnp3DataOption;
 }
index 06fa8a744fd7081351e3a3a195f6c66620c153ad..96612d90a230ffa3ac9ff3b6c9b7451cce4f98b1 100644 (file)
@@ -176,7 +176,7 @@ static void dnp3_func_mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* dnp3_func_ctor(Module* p, OptTreeNode*)
+static IpsOption* dnp3_func_ctor(Module* p, IpsInfo&)
 {
     Dnp3FuncModule* m = (Dnp3FuncModule*)p;
     return new Dnp3FuncOption(m->func);
index 207f6b867fe98bbba7d95af5a4c6163d472cdf9c..383ce115e39322bb255df56996ce56b313431e9e 100644 (file)
@@ -185,7 +185,7 @@ static void dnp3_ind_mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* dnp3_ind_ctor(Module* p, OptTreeNode*)
+static IpsOption* dnp3_ind_ctor(Module* p, IpsInfo&)
 {
     Dnp3IndModule* m = (Dnp3IndModule*)p;
     return new Dnp3IndOption(m->flags);
index 0b4d4dda5ead7203e709e46e065962e1fe69ded6..38ad1d836de7208aa54e88ea8ca90f60cc466617 100644 (file)
@@ -218,7 +218,7 @@ static void dnp3_obj_mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* dnp3_obj_ctor(Module* p, OptTreeNode*)
+static IpsOption* dnp3_obj_ctor(Module* p, IpsInfo&)
 {
     Dnp3ObjModule* m = (Dnp3ObjModule*)p;
     return new Dnp3ObjOption(m->group, m->var);
index 484edb815f80818ad73e519edcf4e832281ff63c..26d5813448c3f39819e20bd3ca7655ffa09b7b43 100644 (file)
@@ -22,9 +22,8 @@
 #define DNS_MODULE_H
 //Interface to the DNS service inspector
 
-#include "framework/bits.h"
 #include "framework/module.h"
-#include "main/thread.h"
+#include "utils/bits.h"
 
 namespace snort
 {
index c0ee5e28f882fcae58371bd1c03ce3dd7defec0c..f11e1afc2fedee1657bbdd72c68118f14b97667f 100644 (file)
@@ -17,6 +17,8 @@ set (FILE_LIST
     ftp_print.cc
     ftp_print.h
     ftp_server.h
+    kmap.cc
+    kmap.h
     telnet_splitter.h
     telnet_splitter.cc
     ftpdata_splitter.h
index ddcac74c20748854f0c1849fe6cb1b65fa1f5651..dc715d4773db362ccd47df0428ff5dfdd847d782 100644 (file)
@@ -46,8 +46,8 @@
 
 #include "detection/detection_engine.h"
 #include "framework/data_bus.h"
+#include "framework/pig_pen.h"
 #include "log/messages.h"
-#include "managers/inspector_manager.h"
 #include "pub_sub/intrinsic_event_ids.h"
 #include "utils/util.h"
 
@@ -176,13 +176,13 @@ int FTPCheckConfigs(SnortConfig* sc, void* pData)
         return rval;
 
     //  Verify that FTP client and FTP data inspectors are initialized.
-    if(!InspectorManager::get_inspector(FTP_CLIENT_NAME, false, sc))
+    if(!PigPen::get_inspector(FTP_CLIENT_NAME, false, sc))
     {
         ParseError("ftp_server requires that %s also be configured.", FTP_CLIENT_NAME);
         return -1;
     }
 
-    if(!InspectorManager::get_inspector(FTP_DATA_NAME, false, sc))
+    if(!PigPen::get_inspector(FTP_DATA_NAME, false, sc))
     {
         ParseError("ftp_server requires that %s also be configured.", FTP_DATA_NAME);
         return -1;
index 3cc1fa5dac5a20e20851290d39a65d48cf6c2f25..37ae42e352ee2694afc93129f9d50dbeaf8ba28c 100644 (file)
@@ -21,8 +21,8 @@
 #include "config.h"
 #endif
 
+#include "framework/pig_pen.h"
 #include "main/snort_config.h"
-#include "managers/inspector_manager.h"
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
 #include "stream/stream.h"
@@ -196,7 +196,6 @@ public:
     { delete ftp_client; }
 
     void show(const SnortConfig*) const override;
-    void eval(Packet*) override { }
 
     FTP_CLIENT_PROTO_CONF* ftp_client;
 };
@@ -272,7 +271,7 @@ FTP_CLIENT_PROTO_CONF* get_ftp_client(Packet* p)
     FtpClient* client = (FtpClient*)p->flow->data;
     if ( !client )
     {
-        client = (FtpClient*)InspectorManager::get_inspector(FTP_CLIENT_NAME);
+        client = (FtpClient*)PigPen::get_inspector(FTP_CLIENT_NAME);
         assert(client);
         p->flow->set_data(client);
     }
index a23fff5a77c309f342e8ebf548791a32ce5d2fdc..8a4d4351b1b82a90ccf5b2a5a99b9a88db2bb019 100644 (file)
@@ -30,7 +30,7 @@
 #include "file_api/file_flows.h"
 #include "file_api/file_service.h"
 #include "packet_io/active.h"
-#include "packet_tracer/packet_tracer.h"
+#include "packet_io/packet_tracer.h"
 #include "parser/parse_rule.h"
 #include "profiler/profiler.h"
 #include "protocols/tcp.h"
index f768c6f5f9ffa64a229e3af1d2f7ef11f017cd26..730fd428b9d1ffd5c4e557ca1f1b0720008d9a5b 100644 (file)
@@ -189,9 +189,6 @@ public:
     static void init()
     { inspector_id = snort::FlowData::create_flow_data_id(); }
 
-    size_t size_of() override
-    { return sizeof(*this); }
-
 public:
     static unsigned inspector_id;
     FTP_SESSION session;
@@ -230,8 +227,6 @@ public:
 
     void handle_expected(snort::Packet*) override;
     void handle_eof(snort::Packet*) override;
-    size_t size_of() override
-    { return sizeof(*this); }
 
 public:
     static unsigned inspector_id;
index 67425b42df599cf933ad176bf25f03ceb76936d0..1f1a70d008cee6890bc0b3bdb47a6389e6c9f2bf 100644 (file)
@@ -39,7 +39,8 @@
 #define FTPP_UI_CONFIG_H
 
 #include "sfip/sf_ip.h"
-#include "utils/kmap.h"
+
+#include "kmap.h"
 
 /*
  * Defines
similarity index 99%
rename from src/utils/kmap.cc
rename to src/service_inspectors/ftp_telnet/kmap.cc
index a0c4d0317f3dba54e8cecae5761de5d7600e5913..12fb42c466bc6acc6200507eec90a1be7fc9e996 100644 (file)
@@ -29,7 +29,7 @@
 #include <cassert>
 #include <string>
 
-#include "util.h"
+#include "utils/util.h"
 
 namespace snort
 {
similarity index 89%
rename from src/utils/kmap.h
rename to src/service_inspectors/ftp_telnet/kmap.h
index db4bece12c08e1bb7e845c97b91181ffeae4429d..601882c67ec0ef88b6287ca3b8e185dfca503c78 100644 (file)
@@ -74,14 +74,14 @@ typedef struct _kmap
 
 namespace snort
 {
-SO_PUBLIC KMAP* KMapNew(KMapUserFreeFunc, bool nocase);
-SO_PUBLIC void KMapDelete(KMAP*);
+KMAP* KMapNew(KMapUserFreeFunc, bool nocase);
+void KMapDelete(KMAP*);
 
-SO_PUBLIC int KMapAdd(KMAP*, void* key, int ksize, void* userdata);
+int KMapAdd(KMAP*, void* key, int ksize, void* userdata);
 
-SO_PUBLIC void* KMapFind(KMAP*, void* key, int ksize);
-SO_PUBLIC void* KMapFindFirst(KMAP*);
-SO_PUBLIC void* KMapFindNext(KMAP*);
+void* KMapFind(KMAP*, void* key, int ksize);
+void* KMapFindFirst(KMAP*);
+void* KMapFindNext(KMAP*);
 }
 #endif
 
index 2c1208a1992ea9a7a5af262fdac08068b1f9669a..f7018eab21d17a01910320d8b8cf45271e4864db 100644 (file)
@@ -28,8 +28,8 @@
 
 #include "pp_ftp.h"
 
+#include "detection/detection_buf.h"
 #include "detection/detection_engine.h"
-#include "detection/detection_util.h"
 #include "hash/hash_key_operations.h"
 #include "file_api/file_service.h"
 #include "protocols/packet.h"
index f3b118daba9e2df39284dc2c6992d3247b4d0c8a..4373d3a0227b71b004b4510de850f6993cb7b93b 100644 (file)
@@ -32,8 +32,8 @@
 
 #include "pp_telnet.h"
 
+#include "detection/detection_buf.h"
 #include "detection/detection_engine.h"
-#include "detection/detection_util.h"
 #include "protocols/packet.h"
 #include "stream/stream.h"
 
index 752b64cccbc38d6fe0c4db599631d5c82af16a37..d6989ffa76b66c82e60dbb839e29381aabdd6301 100644 (file)
@@ -27,7 +27,6 @@
 #include <string>
 
 #include "framework/counts.h"
-#include "main/thread.h"
 
 namespace snort
 {
index 229f7f5763ea220da956f5222598220a0eaefbfe..3675950a1b4edb38436f41635c99b1873b497823 100644 (file)
@@ -26,7 +26,7 @@
 
 #include "detection/detection_engine.h"
 #include "detection/ips_context_data.h"
-#include "managers/inspector_manager.h"
+#include "framework/pig_pen.h"
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
 
@@ -156,7 +156,7 @@ int GtpInspect::get_message_type(int version, const char* name)
 
 int get_message_type(int version, const char* name, snort::SnortConfig* sc)
 {
-    GtpInspect* ins = (GtpInspect*)InspectorManager::get_inspector(GTP_NAME, false, sc);
+    GtpInspect* ins = (GtpInspect*)PigPen::get_inspector(GTP_NAME, false, sc);
 
     if ( !ins )
         return -1;
@@ -178,7 +178,7 @@ int GtpInspect::get_info_type(int version, const char* name)
 
 int get_info_type(int version, const char* name, SnortConfig* sc)
 {
-    GtpInspect* ins = (GtpInspect*)InspectorManager::get_inspector(GTP_NAME, false, sc);
+    GtpInspect* ins = (GtpInspect*)PigPen::get_inspector(GTP_NAME, false, sc);
 
     if ( !ins )
         return -1;
index 50cbefcbeae2cddd9106777fa45ed72519f1fb0a..094e1507ebbea949e18c818942e050a293c7c20b 100644 (file)
@@ -29,7 +29,6 @@
 #include <arpa/inet.h>
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "log/messages.h"
 #include "trace/trace_api.h"
 #include "utils/util_cstring.h"
index a81c418ed9ec1ed20c14a378df190723ac6f6553..06863f62dca07fed8f48403b82811333f89ec4ed 100644 (file)
@@ -217,7 +217,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* opt_ctor(Module* m, OptTreeNode*)
+static IpsOption* opt_ctor(Module* m, IpsInfo&)
 {
     GtpInfoModule* mod = (GtpInfoModule*)m;
     return new GtpInfoOption(mod->types);
index 733e59cd1e053bb2d51c245f1976dd4f20ad0203..87c6b3efc72cccd1a919f36b4f7142a36db4ae47 100644 (file)
@@ -231,7 +231,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* opt_ctor(Module* m, OptTreeNode*)
+static IpsOption* opt_ctor(Module* m, IpsInfo&)
 {
     GtpTypeModule* mod = (GtpTypeModule*)m;
     return new GtpTypeOption(mod->types);
index b7c9132874258c14ad8f90a478114ec06f173a9c..92185fffdf13195daaadc5c90a0b220b090e8b97 100644 (file)
@@ -145,7 +145,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* opt_ctor(Module* m, OptTreeNode*)
+static IpsOption* opt_ctor(Module* m, IpsInfo&)
 {
     GtpVersionModule* mod = (GtpVersionModule*)m;
     return new GtpVersionOption(mod->version);
index 4b19deadffab20f2852ecbd69d56c338d20c9bb9..729aabb230a105fcb6e3920d21ab4a9e9713bc27 100644 (file)
 #include <queue>
 #include <vector>
 
-#include "main/snort_types.h"
-#include "utils/event_gen.h"
-#include "utils/infractions.h"
 #include "flow/flow.h"
+#include "flow/stream_flow.h"
+#include "helpers/event_gen.h"
+#include "helpers/infractions.h"
+#include "main/snort_types.h"
 #include "service_inspectors/http_inspect/http_common.h"
 #include "service_inspectors/http_inspect/http_field.h"
 #include "stream/stream_splitter.h"
index e0f5da74b34b66a519529808a102b6714c601a08..f8dfae38c71377d7cd1bbaef08cfa426cb381529 100644 (file)
@@ -20,9 +20,9 @@
 #ifndef HTTP2_HPACK_H
 #define HTTP2_HPACK_H
 
+#include "helpers/event_gen.h"
+#include "helpers/infractions.h"
 #include "service_inspectors/http_inspect/http_common.h"
-#include "utils/event_gen.h"
-#include "utils/infractions.h"
 
 #include "http2_hpack_int_decode.h"
 #include "http2_hpack_string_decode.h"
index c59f4ae2ed5e6ecd06ba0e27dadcc622a4eaf81f..ce3a9225ef851a397ee23898f25495bf8b419ebe 100644 (file)
@@ -23,9 +23,9 @@
 #include "http2_enum.h"
 #include "http2_varlen_int_decode.h"
 
+#include "helpers/event_gen.h"
+#include "helpers/infractions.h"
 #include "main/snort_types.h"
-#include "utils/event_gen.h"
-#include "utils/infractions.h"
 
 using Http2Infractions = Infractions<Http2Enums::INF__MAX_VALUE, Http2Enums::INF__NONE>;
 
index 03803178202bce903c4a896bba9c8a6d2061f37a..7ef3f79b464d8efddd814f629a72e4103dc7ab84 100644 (file)
@@ -20,9 +20,9 @@
 #ifndef HTTP2_PUSH_PROMISE_FRAME_H
 #define HTTP2_PUSH_PROMISE_FRAME_H
 
+#include "helpers/event_gen.h"
+#include "helpers/infractions.h"
 #include "service_inspectors/http_inspect/http_common.h"
-#include "utils/event_gen.h"
-#include "utils/infractions.h"
 
 #include "http2_enum.h"
 #include "http2_frame.h"
index 82bd92ca58c0515cf3fb7863ecab22ed040e484a..3fb71b15987f9da937de0b6a4715a2c94435cec7 100644 (file)
 #ifndef HTTP2_START_LINE_H
 #define HTTP2_START_LINE_H
 
+#include "helpers/event_gen.h"
+#include "helpers/infractions.h"
 #include "service_inspectors/http_inspect/http_common.h"
 #include "service_inspectors/http_inspect/http_field.h"
-#include "utils/event_gen.h"
-#include "utils/infractions.h"
 
 #include "http2_enum.h"
 
index d4089b27349e42074e173446efdaca578ba43461..3a6b4263bd16bafbb734354a2af622d46f21e67a 100644 (file)
@@ -73,7 +73,7 @@ public:
     EvalStatus eval(Cursor&, snort::Packet*) override;
     uint32_t hash() const override;
     bool operator==(const snort::IpsOption& ips) const override;
-    static snort::IpsOption* opt_ctor(snort::Module* m, OptTreeNode*)
+    static snort::IpsOption* opt_ctor(snort::Module* m, IpsInfo&)
         { return new Http2IpsOption((Http2CursorModule*)m); }
     static void opt_dtor(IpsOption* p) { delete p; }
 private:
index 628c06aa816f8b76cc380f3ac2fc64da2666f5eb..b0b2dbef4648e1559677661def37e1b716a860fa 100644 (file)
@@ -20,8 +20,8 @@
 #ifndef HTTP_EVENT_H
 #define HTTP_EVENT_H
 
-#include "utils/event_gen.h"
-#include "utils/infractions.h"
+#include "helpers/event_gen.h"
+#include "helpers/infractions.h"
 #include "utils/util_cstring.h"
 
 #include "http_enum.h"
index 63baa554d0f09e1c60876853bc7ee13e70cc0508..23de3cc198f3cddf0c3d71bb5f9cd0adbae595a3 100644 (file)
@@ -26,7 +26,7 @@
 #include <list>
 
 #include "flow/flow.h"
-#include "utils/util_utf.h"
+#include "helpers/utf.h"
 #include "decompress/file_decomp.h"
 
 #include "http_common.h"
index 21f8520503ce1d220a42d2dbbc04aabd307f42f2..c4f9b37c65440f6017a9939aa643200e456a5105 100755 (executable)
@@ -28,7 +28,6 @@
 #include <sstream>
 
 #include "detection/detection_engine.h"
-#include "detection/detection_util.h"
 #include "service_inspectors/http2_inspect/http2_flow_data.h"
 #include "log/unified2.h"
 #include "protocols/packet.h"
index 8b8bd119aff36c234436d8354ff27cdc482cbadc..63436f9d6c68bb1858d1291f3de24c9d7a01f060 100644 (file)
@@ -23,6 +23,7 @@
 
 #include "http_msg_request.h"
 
+#include "main/snort_config.h"
 #include "pub_sub/intrinsic_event_ids.h"
 
 #include "http_api.h"
index e40bcd9e16437ab4d9de06d51ccb88e65b6ab4d9..8a25c6cd61d04576797737a576aebcb26619e5e2 100644 (file)
@@ -20,7 +20,6 @@
 #ifndef HTTP_MSG_SECTION_H
 #define HTTP_MSG_SECTION_H
 
-#include "detection/detection_util.h"
 #include "framework/cursor.h"
 #include "framework/pdu_section.h"
 #include "protocols/packet.h"
index 7114fe897b8e0cbaf21f12bbb55478996dcdde6b..2fb87cc226408948cf50be4cf3fa086c3ba2c011 100644 (file)
@@ -73,7 +73,7 @@ public:
         key(cm->key), fp_buffer_info(cm->rule_opt_index) {}
     EvalStatus eval(Cursor&, snort::Packet*) override;
 
-    static IpsOption* opt_ctor(snort::Module* m, OptTreeNode*)
+    static IpsOption* opt_ctor(snort::Module* m, IpsInfo&)
     { return new HttpBufferIpsOption((HttpBufferRuleOptModule*)m); }
 
     static void opt_dtor(snort::IpsOption* p) { delete p; }
index f8eea48cd90448164c2944cc7dc35c2017f7d0c1..62b3ccb083772c33c2aef3306f2590c5341b668c 100644 (file)
@@ -101,7 +101,7 @@ class HttpNumIpsOption : public HttpRangeIpsOption
 public:
     using HttpRangeIpsOption::HttpRangeIpsOption;
 
-    static IpsOption* opt_ctor(snort::Module* m, OptTreeNode*)
+    static IpsOption* opt_ctor(snort::Module* m, IpsInfo&)
     { return new HttpNumIpsOption((const HttpRangeRuleOptModule*)m); }
 
     int32_t get_num(const HttpInspect* hi, snort::Packet* p) override
index daad74dbc156ef78246e6ceb45ff78a555258afa..9aba6a241b88294473bbc8bd4e4ed8b9c5619050 100644 (file)
@@ -96,7 +96,7 @@ bool HttpParamIpsOption::operator==(const IpsOption& ips) const
            http_param == hio.http_param;
 }
 
-bool HttpParamIpsOption::retry(Cursor& current_cursor, const Cursor&)
+bool HttpParamIpsOption::retry(Cursor& current_cursor)
 {
     HttpCursorData* cd = (HttpCursorData*)current_cursor.get_data(HttpCursorData::id);
 
index 4f4882c2f4a92d1d0ef2886c8cf44d5bb353ac79..2b07ce819fbb42f92d892987273c01aa1e94953f 100644 (file)
@@ -67,11 +67,11 @@ public:
     uint32_t hash() const override;
     bool operator==(const snort::IpsOption& ips) const override;
 
-    static IpsOption* opt_ctor(snort::Module* m, OptTreeNode*)
+    static IpsOption* opt_ctor(snort::Module* m, IpsInfo&)
     { return new HttpParamIpsOption((HttpParamRuleOptModule*)m); }
 
     static void opt_dtor(snort::IpsOption* p) { delete p; }
-    bool retry(Cursor& , const Cursor&) override;
+    bool retry(Cursor&) override;
 
     snort::section_flags get_pdu_section(bool) const override;
 
index 2781d00b540a22744bacde1d5b87d96168198c9c..fc7fe3b361d1656dea699fc5e6af00b67cd944ee 100644 (file)
@@ -68,7 +68,7 @@ public:
     EvalStatus eval(Cursor&, snort::Packet*) override;
     uint32_t hash() const override;
     bool operator==(const snort::IpsOption& ips) const override;
-    static IpsOption* opt_ctor(snort::Module* m, OptTreeNode*)
+    static IpsOption* opt_ctor(snort::Module* m, IpsInfo&)
         { return new HttpTestIpsOption((HttpTestRuleOptModule*)m); }
     static void opt_dtor(snort::IpsOption* p) { delete p; }
 
index 6f98ea9847c8b10218fe534ca4ecb1e2d7ac9863..9c17c552b66ae268c224845e0a8d118a08a8b677 100644 (file)
@@ -58,7 +58,7 @@ public:
     uint32_t hash() const override;
     bool operator==(const snort::IpsOption& ips) const override;
 
-    static IpsOption* opt_ctor(snort::Module* m, OptTreeNode*)
+    static IpsOption* opt_ctor(snort::Module* m, IpsInfo&)
     { return new HttpVersionIpsOption((HttpVersionRuleOptModule*)m); }
 
     static void opt_dtor(snort::IpsOption* p) { delete p; }
index 60a977d00ecd2b2c727eb85d9e4d94e49a4dbb2f..d6ff9db832757547f16ee40c17b5c418e1c266d3 100755 (executable)
@@ -67,7 +67,7 @@ unsigned ThreadConfig::get_instance_max() { return 1; }
 }
 
 void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { }
+void show_stats(PegCount*, const PegInfo*, const std::vector<unsigned>&, const char*, FILE*) { }
 
 int32_t str_to_code(const char*, const StrCode []) { return 0; }
 int32_t str_to_code(const uint8_t*, const int32_t, const StrCode []) { return 0; }
index c7f5dfc18285f669d734c9124d531b16b1681ecd..5d764c5eb4364f520655e923c6638359a3fc85b3 100755 (executable)
@@ -65,7 +65,7 @@ snort::SearchTool* js_create_mpse_tag_type() { return nullptr; }
 snort::SearchTool* js_create_mpse_tag_attr() { return nullptr; }
 
 void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { }
+void show_stats(PegCount*, const PegInfo*, const std::vector<unsigned>&, const char*, FILE*) { }
 
 int64_t Parameter::get_int(char const*) { return 0; }
 
index ea807fd87b8a6f61ac330ec721783687361f679f..573504bb68a4f155bb3bd6197fa5a1619bcdf05f 100644 (file)
@@ -27,7 +27,6 @@
 #include "iec104.h"
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
 
index f112b6c08028bc531df0f6bd0d85937c9c98ebc7..2582916550330ae75f86e0d6a1968602823f56e0 100644 (file)
@@ -27,7 +27,6 @@
 #include "iec104_decode.h"
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "log/messages.h"
 #include "protocols/packet.h"
 #include "trace/trace_api.h"
index 2c46cefc032ce1aa4f5b098260f85df156b3efc3..46251a088fc660d0bd8bf26b9a5bc31c4643b73a 100644 (file)
@@ -29,7 +29,6 @@
 #include "iec104_paf.h"
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "profiler/profiler.h"
 
 #include "iec104.h"
index d348b37fac136ff6578e649b21826ef736311cec..6e8ec5c777ac33b1458b44d9188db88ce5ba6328 100644 (file)
@@ -25,7 +25,6 @@
 #include "iec104_parse_apdu.h"
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "protocols/packet.h"
 
 #include "iec104.h"
index 4ec7337ef32103a4be43c79bc67844ddcad7a790..e409ac7e7b425b6b7ec6de1400d44dbad8ca06b8 100644 (file)
@@ -27,7 +27,6 @@
 #include <cmath>
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "protocols/packet.h"
 
 #include "iec104.h"
index 057324b3b53511d6426a257578c22015a36a73bf..875edbfded9e7a77d503f8257bef5bb3e73b7c52 100644 (file)
@@ -25,7 +25,6 @@
 // Detection trace utility
 
 #include "main/snort_types.h"
-#include "main/thread.h"
 
 namespace snort
 {
index f1c2b68c31b93ea3b24fa42239ac93113a80466b..2a66a7e042a297609b53d7797a308c856c7bab7f 100644 (file)
@@ -212,7 +212,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* opt_ctor(Module* m, OptTreeNode*)
+static IpsOption* opt_ctor(Module* m, IpsInfo&)
 {
     Iec104ApciTypeModule* mod = (Iec104ApciTypeModule*) m;
     return new Iec104ApciTypeOption(mod->apci_type);
index 08e9637bae28f7376339050afeb292ceb4b6405e..659b1bc40453ea9b67ac936bb3ae70a276e348b2 100644 (file)
@@ -285,7 +285,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* opt_ctor(Module* m, OptTreeNode*)
+static IpsOption* opt_ctor(Module* m, IpsInfo&)
 {
     Iec104AsduFuncModule* mod = (Iec104AsduFuncModule*) m;
     return new Iec104AsduFuncOption(mod->func);
index 90fcbb3e7f7a7eed80712cb58e2a92198b7eb42b..9402b3d3d4309747fd2ba0da2e90bf1ae07e112c 100644 (file)
@@ -123,7 +123,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* opt_ctor(Module*, OptTreeNode*)
+static IpsOption* opt_ctor(Module*, IpsInfo&)
 {
     return new MmsDataOption;
 }
index 626230e7737f62d1aecd4190c4ecef65c4fccc9d..67bc9be38900cba26a953073e51b9cbb72d366d4 100644 (file)
@@ -27,9 +27,9 @@
 #include "framework/ips_option.h"
 #include "framework/module.h"
 #include "hash/hash_key_operations.h"
+#include "helpers/ber.h"
 #include "protocols/packet.h"
 #include "profiler/profiler.h"
-#include "utils/util_ber.h"
 
 #include "mms.h"
 
@@ -393,7 +393,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* opt_ctor(Module* m, OptTreeNode*)
+static IpsOption* opt_ctor(Module* m, IpsInfo&)
 {
     MmsFuncModule* mod = (MmsFuncModule*)m;
 
index 35c1bb768c79b2578830c48eb4614b9c89bbfa88..9c7506d4430ea61577e5c6637b7389bf881c926c 100644 (file)
@@ -27,7 +27,6 @@
 #include "mms.h"
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
 
index 25d4293ec06ff62fc3e5d767532bf92b148c1884..df749eecf4e016c0179fd7e9128d144c2d82aefe 100644 (file)
 #include "mms_decode.h"
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
+#include "helpers/ber.h"
 #include "log/messages.h"
 #include "managers/plugin_manager.h"
 #include "protocols/packet.h"
 #include "trace/trace_api.h"
-#include "utils/util_ber.h"
 
 #include "mms.h"
 #include "mms_module.h"
index ca035f63add3e156d6f50ec53bb77d2f0821b702..33b1111b346be02abd6b86494dfab68761659082 100644 (file)
@@ -25,9 +25,8 @@
 #include "mms_splitter.h"
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
+#include "helpers/ber.h"
 #include "profiler/profiler.h"
-#include "utils/util_ber.h"
 
 #include "mms.h"
 #include "mms_decode.h"
index 548b2995b1a67fed9e703a6df6374190304025f4..549ec660d30d9a7dd7f59ec27a2a64c799bc9e08 100644 (file)
@@ -28,9 +28,9 @@
 #include "flow/flow.h"
 #include "framework/counts.h"
 #include "framework/cursor.h"
+#include "helpers/ber.h"
 #include "protocols/packet.h"
 #include "service_inspectors/mms/mms.h"
-#include "utils/util_ber.h"
 
 namespace snort
 {
@@ -161,11 +161,6 @@ public:
         ssn_data.packet_data_reset(direction);
     }
 
-    size_t size_of() override
-    {
-        return sizeof(*this);
-    }
-
 public:
     static unsigned inspector_id;
     TpktSessionData ssn_data;
index 2a473c81e9af0c920ecc99b4f53dc0df6f66a35e..d7d7192267dfc871ac54162f798cfd51bd107f99 100644 (file)
@@ -122,7 +122,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* opt_ctor(Module*, OptTreeNode*)
+static IpsOption* opt_ctor(Module*, IpsInfo&)
 {
     return new ModbusDataOption;
 }
index a795b9ee3d4bc35ee5d6f1ebac8bc49ab199447d..f55105755c4a7d089595348a4b01cfb4b77f1123 100644 (file)
@@ -202,7 +202,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* opt_ctor(Module* m, OptTreeNode*)
+static IpsOption* opt_ctor(Module* m, IpsInfo&)
 {
     ModbusFuncModule* mod = (ModbusFuncModule*)m;
     return new ModbusFuncOption(mod->func);
index 5d08572e9ca02538f0cdbf05188b752c3af897ff..cdf50ce25ad28ba78d18497b9e58702695056e93 100644 (file)
@@ -147,7 +147,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* opt_ctor(Module* m, OptTreeNode*)
+static IpsOption* opt_ctor(Module* m, IpsInfo&)
 {
     ModbusUnitModule* mod = (ModbusUnitModule*)m;
     return new ModbusUnitOption(mod->unit);
index 215571149d8ab17213cb1c4cb192cb7a6a102835..80efed276793bef933acd1e9b31b80256205cbf5 100644 (file)
@@ -24,7 +24,6 @@
 
 #include "modbus.h"
 
-#include "events/event_queue.h"
 #include "detection/detection_engine.h"
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
index 6a8a6c4cb8df45e6586e44f4ff7e59bee03c4cf8..f29f3cf54acd9ea1637cfd2ecb720fec52b7c7e4 100644 (file)
@@ -26,7 +26,6 @@
 #include "modbus_decode.h"
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "protocols/packet.h"
 
 #include "modbus.h"
index c52836b789c6ede7c6ee41c1a4c341131f617a68..c981411cf338d45f5403e244ee057d3914df1cbb 100644 (file)
@@ -27,7 +27,6 @@
 #include "modbus_paf.h"
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 
 #include "modbus.h"
 #include "modbus_module.h"
index 97a9cb26fbdbfccdf32eba133c608d7382919366..a23e95d4ae7a45d649d38618516f4d0268e92e75 100644 (file)
@@ -1,15 +1,16 @@
 
 set ( NETFLOW_INCLUDES
-    netflow_cache.h
-    netflow_headers.h
-    netflow_module.h
     netflow_record.h
-    netflow.h
 )
+
 set ( FILE_LIST
     ${NETFLOW_INCLUDES}
+    netflow_cache.h
+    netflow_headers.h
     netflow_module.cc
+    netflow_module.h
     netflow.cc
+    netflow.h
 )
 
 if (STATIC_INSPECTORS)
@@ -22,4 +23,4 @@ endif (STATIC_INSPECTORS)
 
 install(FILES ${NETFLOW_INCLUDES}
     DESTINATION "${INCLUDE_INSTALL_PATH}/service_inspectors/netflow"
-)
\ No newline at end of file
+)
index 7915df06f0ef2559a5ee549341106473f3bef673..db6094e724aa2e54d21d19c17947a17ed8175ba4 100644 (file)
@@ -34,6 +34,7 @@
 #include "log/messages.h"
 #include "managers/module_manager.h"
 #include "main/reload_tuner.h"
+#include "main/snort_config.h"
 #include "pub_sub/netflow_event.h"
 #include "src/utils/endian.h"
 #include "time/packet_time.h"
index 0ced92ebc02821a35935af074773c26c411e480c..ebde7edb21367ecefa13134888b21a4a8e82582c 100644 (file)
@@ -38,7 +38,7 @@
 #include "config.h"
 #endif
 
-#include "detection/detection_util.h"
+#include "detection/detection_buf.h"
 #include "detection/detection_engine.h"
 #include "framework/data_bus.h"
 #include "log/messages.h"
index ad668cfe3eb8cf1a9c22661576275baae44697c3..15405ab3fba0498c16d2b9be10e36e99040d3f03 100644 (file)
@@ -122,7 +122,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* opt_ctor(Module*, OptTreeNode*)
+static IpsOption* opt_ctor(Module*, IpsInfo&)
 {
     return new S7commplusContentOption;
 }
index 8e9d10a29676611ddce13d3cce0459828724082d..ccda787935a460b9afe11c02aac9382b569567f1 100644 (file)
@@ -196,7 +196,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* opt_ctor(Module* m, OptTreeNode*)
+static IpsOption* opt_ctor(Module* m, IpsInfo&)
 {
     S7commplusFuncModule* mod = (S7commplusFuncModule*)m;
     return new S7commplusFuncOption(mod->func);
index 5e27bddeca8f6a581b83882c145e90a18661fae6..52e815b1a98fc7667d99a6ee61db2a85bea2f871 100644 (file)
@@ -188,7 +188,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* opt_ctor(Module* m, OptTreeNode*)
+static IpsOption* opt_ctor(Module* m, IpsInfo&)
 {
     S7commplusOpcodeModule* mod = (S7commplusOpcodeModule*)m;
     return new S7commplusOpcodeOption(mod->opcode);
index ba8fa138607aa14710c08baebe92722ee3ea309f..007e430a6858cbf8ec79db6ce0f7caac63066ce0 100644 (file)
@@ -25,7 +25,6 @@
 
 #include "s7comm.h"
 
-#include "events/event_queue.h"
 #include "detection/detection_engine.h"
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
index 1d9e1407fdb4c9c0261a3a332698ede4ad8153d0..cd4425bc0897ac09e8430c525c538aef2f409fde 100644 (file)
@@ -30,7 +30,6 @@
 #include "s7comm_decode.h"
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "protocols/packet.h"
 
 #include "s7comm.h"
index 91d9efe3f579c050b816c5f5d84be0ee9944c9d4..2c39a4d61783b7d342a9b3da08e6892dae1c869c 100644 (file)
@@ -27,7 +27,6 @@
 #include "s7comm_paf.h"
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 
 #include "s7comm.h"
 #include "s7comm_decode.h"
index a67d6d312071810ae42e9a4c141cf7820332adc0..86a5b01db0394975a39aa3e410c722229fba66c4 100644 (file)
 
 using namespace snort;
 
+extern const BaseApi* sin_dns[];
 extern const BaseApi* sin_file[];
 extern const BaseApi* sin_http[];
 extern const BaseApi* sin_http2[];
 extern const BaseApi* sin_sip[];
-extern const BaseApi* sin_ssl[];
-extern const BaseApi* sin_dns[];
 
 #ifdef STATIC_INSPECTORS
 extern const BaseApi* sin_bo;
@@ -57,6 +56,7 @@ extern const BaseApi* sin_mms[];
 extern const BaseApi* sin_modbus[];
 extern const BaseApi* sin_netflow[];
 extern const BaseApi* sin_s7commplus[];
+extern const BaseApi* sin_ssl[];
 #endif
 
 const BaseApi* service_inspectors[] =
@@ -87,7 +87,6 @@ void load_service_inspectors()
     PluginManager::load_plugins(sin_http);
     PluginManager::load_plugins(sin_http2);
     PluginManager::load_plugins(sin_sip);
-    PluginManager::load_plugins(sin_ssl);
 
 #ifdef STATIC_INSPECTORS
     PluginManager::load_plugins(sin_cip);
@@ -99,6 +98,7 @@ void load_service_inspectors()
     PluginManager::load_plugins(sin_modbus);
     PluginManager::load_plugins(sin_netflow);
     PluginManager::load_plugins(sin_s7commplus);
+    PluginManager::load_plugins(sin_ssl);
 #endif
 }
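Review bot: Non-static builds now depend on ssl being found on the plugin path at start-up, because the `PluginManager::load_plugins(sin_ssl)` call (and the matching `extern` declaration) is moved under `#ifdef STATIC_INSPECTORS` in this hunk rather than being loaded unconditionally as before. That is consistent with the ssl/CMakeLists.txt hunk switching to `add_dynamic_module(ssl ...)` and the removal of `#undef BUILDING_SO` in ssl.cc, but it is a behavioral change for deployments that previously got TLS detection and the `ssl_state`/`ssl_version` rule options without any plugin directory, and whether a missing ssl module fails loudly or silently drops those options is not visible here. I would call this out in the commit description next to the API version bump, and add a short comment at the moved line such as `// ssl is a dynamic module unless STATIC_INSPECTORS; ssl_state/ssl_version rules need it loaded`.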
 
index 890a4003e59ac1862b6b822017eaddcf5f136200..58e271d417c20836b5261d05398dc9d97cfd96a6 100644 (file)
@@ -151,7 +151,7 @@ static Module* header_mod_ctor()
     return new SipCursorModule(IPS_OPT, header_help, SIP_HEADER);
 }
 
-static IpsOption* header_opt_ctor(Module*, OptTreeNode*)
+static IpsOption* header_opt_ctor(Module*, IpsInfo&)
 {
     return new SipIpsOption(IPS_OPT, SIP_HEADER, CAT_SET_FAST_PATTERN);
 }
@@ -196,7 +196,7 @@ static Module* body_mod_ctor()
     return new SipCursorModule(IPS_OPT, cb_help, SIP_BODY);
 }
 
-static IpsOption* body_opt_ctor(Module*, OptTreeNode*)
+static IpsOption* body_opt_ctor(Module*, IpsInfo&)
 {
     return new SipIpsOption(IPS_OPT, SIP_BODY, CAT_SET_FAST_PATTERN);
 }
index c700a2aa0284059ae4e66b0c3b923c611682f557..bff4af3c0b7c83c2a4cb58b5344f7beb0817aa43 100644 (file)
@@ -210,7 +210,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* sip_method_ctor(Module* p, OptTreeNode*)
+static IpsOption* sip_method_ctor(Module* p, IpsInfo&)
 {
     SipMethodModule* m = (SipMethodModule*)p;
     return new SipMethodOption(m->methods);
index 7db83936e0412b288673a1e6d4493f602269dcaf..6132c563c7b2655c6ad9266cc5205df262964aa7 100644 (file)
@@ -193,7 +193,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* sip_stat_code_ctor(Module* p, OptTreeNode*)
+static IpsOption* sip_stat_code_ctor(Module* p, IpsInfo&)
 {
     SipStatCodeModule* m = (SipStatCodeModule*)p;
     return new SipStatCodeOption(m->ssod);
index 5dcba942e00cf843695eea40080bf920266e1841..ba3c2a82432ab1272450fdeabbcde90d7f6995a0 100644 (file)
@@ -24,9 +24,7 @@
 #include "sip.h"
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "log/messages.h"
-#include "managers/inspector_manager.h"
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
 #include "pub_sub/sip_events.h"
index e54a2d134301999a123dbcabce2e8ddd762ec4b0..5e7b891ed1debd190f9c7d60db2abdd5b4ea3d9c 100644 (file)
@@ -25,7 +25,6 @@
 // Configuration for SIP service inspector
 
 #include "framework/counts.h"
-#include "main/thread.h"
 #include "sip_common.h"
 
 #define SIP_METHOD_DEFAULT     0x003f
index f98f98cd94d54783a630957e42d610494b5b03e2..665d4c182373659fa286a1e60550c74fa8fd25d5 100644 (file)
@@ -26,7 +26,6 @@
 #include "sip_dialog.h"
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "framework/data_bus.h"
 #include "protocols/packet.h"
 #include "protocols/vlan.h"
index 77cf1913d4d1fa2833150332b72c2dc124989792..22f1c8b1dba10537c12367ba1d16328e68a5f4e1 100644 (file)
@@ -81,9 +81,6 @@ static const Parameter s_params[] =
     { "max_request_name_len", Parameter::PT_INT, "0:65535", "20",
       "maximum request name field size" },
 
-    { "max_requestName_len", Parameter::PT_INT, "0:65535", "20",
-      "deprecated - use max_request_name_len instead" },
-
     { "max_to_len", Parameter::PT_INT, "0:65535", "256",
       "maximum to field size" },
 
@@ -218,8 +215,7 @@ bool SipModule::set(const char*, Value& v, SnortConfig*)
     else if ( v.is("max_from_len") )
         conf->maxFromLen = v.get_uint16();
 
-    // FIXIT-L max_requestName_len is deprecated - delete
-    else if ( v.is("max_request_name_len") or v.is("max_requestName_len") )
+    else if ( v.is("max_request_name_len") )
         conf->maxRequestNameLen = v.get_uint16();
 
     else if ( v.is("max_to_len") )
index 87963268b03095e9b98d18142b4a8045a0a12ca1..6e5c2f58148b010633a81def9f20d4597e5b6b4a 100644 (file)
@@ -26,7 +26,6 @@
 #include "sip_parser.h"
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "utils/util.h"
 #include "utils/util_cstring.h"
 
index 9f9c8b0be54d92228427f32fe355ee07c96b9e71..3375336294f47d921c6c907b59ec7f9031243cf0 100644 (file)
@@ -25,7 +25,6 @@
 #include <string>
 
 #include "detection/detection_engine.h"
-#include "detection/detection_util.h"
 #include "js_norm/js_pdf_norm.h"
 #include "log/messages.h"
 #include "log/unified2.h"
index a3b0e6190920f7b2bc3f227da9c579593755f890..fd12c91b6a41a4f78381340c7534bc96b844d3c0 100644 (file)
@@ -23,7 +23,6 @@
 #include "smtp_paf.h"
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "protocols/packet.h"
 #include "stream/stream.h"
 
index 63265e804c6329a1085b95b11a56600233fe6841..1c323a85e7d07c20c5079e9328fc5b33b556e9b8 100644 (file)
@@ -25,8 +25,8 @@
 
 #include "smtp_util.h"
 
+#include "detection/detection_buf.h"
 #include "detection/detection_engine.h"
-#include "detection/detection_util.h"
 #include "protocols/packet.h"
 #include "stream/stream.h"
 #include "utils/safec.h"
index ebbde81d3a673b303f257e2a0e5892d2f35abdb9..382fa7fe3ee4188965f6957e307fc5a90f707873 100644 (file)
@@ -27,7 +27,6 @@
 #include "smtp_xlink2state.h"
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "packet_io/active.h"
 
 #include "smtp_module.h"
index 0f75475ad87a479ae4d40ded8465530626277dfa..ae6a04db73cfe5f98b1db3f0630e950d079f3859 100644 (file)
@@ -30,7 +30,6 @@
 #include "ssh.h"
 
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "log/messages.h"
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
index 4ab2e345abba3526082d3d562998ccf0445a6625..9bd4f0a14714fb37fca42aed64be2f37ae1b272c 100644 (file)
@@ -16,14 +16,13 @@ set( FILE_LIST
     ${SSL_INCLUDES}
 )
 
-# can't be be linked dynamically yet
-#if (STATIC_INSPECTORS)
+if (STATIC_INSPECTORS)
     add_library( ssl OBJECT ${FILE_LIST})
 
-#else (STATIC_INSPECTORS)
-    #add_dynamic_module(ssl inspectors ${FILE_LIST})
+else (STATIC_INSPECTORS)
+    add_dynamic_module(ssl inspectors ${FILE_LIST})
 
-#endif (STATIC_INSPECTORS)
+endif (STATIC_INSPECTORS)
 
 install(FILES ${SSL_INCLUDES}
     DESTINATION "${INCLUDE_INSTALL_PATH}/service_inspectors/ssl/"
index dbb9f4da65e7fc641d7308a9317b03f7c6d611cb..5d5aefa16d9187071be50f02df01b5ebcb154623 100644 (file)
@@ -235,7 +235,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* ssl_state_ctor(Module* p, OptTreeNode*)
+static IpsOption* ssl_state_ctor(Module* p, IpsInfo&)
 {
     SslStateModule* m = (SslStateModule*)p;
     return new SslStateOption(m->ssod);
index 0b8fc1474821a2e4dcf13d7edb5ea95843d64c64..e040563b080e7e07f749195955e31fb82685e352 100644 (file)
@@ -236,7 +236,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* ssl_version_ctor(Module* p, OptTreeNode*)
+static IpsOption* ssl_version_ctor(Module* p, IpsInfo&)
 {
     SslVersionModule* m = (SslVersionModule*)p;
     return new SslVersionOption(m->svod);
index 0845e62d79a1bfca5d3855b95ccaa20e5bc30a84..0fd4fe45aa9301a4dd6580ac90eed3d18b7de008 100644 (file)
@@ -28,9 +28,7 @@
 #include <memory>
 #include <string>
 
-#include "detection/detect.h"
 #include "detection/detection_engine.h"
-#include "events/event_queue.h"
 #include "log/messages.h"
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
@@ -577,8 +575,6 @@ const InspectApi ssl_api =
     nullptr  // reset
 };
 
-#undef BUILDING_SO  // FIXIT-L can't be linked dynamically yet
-
 extern const BaseApi* ips_ssl_state;
 extern const BaseApi* ips_ssl_version;
 
index 0ba6fcc76971dc71519177e3bc51c44c1ca180c6..569869b694248619ec319d260355723791481248 100644 (file)
@@ -67,7 +67,7 @@ private:
     static bool s7commplus_curse(const uint8_t* data, unsigned len, CurseTracker*);
 #ifdef CATCH_TEST_BUILD
 public:
-#endif  
+#endif
     static bool ssl_v2_curse(const uint8_t* data, unsigned len, CurseTracker*);
 };
 
index f8ad532e837a3ad35c3e905d997d7bb512c42153..477182bf68514b49a62469ae820fb1305bc929d8 100644 (file)
@@ -42,7 +42,7 @@ enum DCE_State
 
 class DceTracker
 {
-public:  
+public:
     DCE_State state = DCE_State::DCE_STATE__0;
     uint32_t helper;
 };
index 29a5b06129346d63eb6529da6858771d5f8c616c..77ef3c06d9a7f2052c6d6bcb70dc9607d948ff6f 100644 (file)
@@ -42,7 +42,7 @@ enum MMS_State
 
 class MmsTracker
 {
-public:  
+public:
     MMS_State state = MMS_State::MMS_STATE__TPKT_VER;
     MMS_State last_state = MMS_State::MMS_STATE__TPKT_VER;
 };
index a541b281cdb1bcce94d141d4588f6e04a0735f08..447c6308c3af74b26d4757e9982401c137901842 100644 (file)
@@ -50,7 +50,7 @@ enum S7commplus_State
 
 class S7commplusTracker
 {
-public:  
+public:
     S7commplus_State state = S7commplus_State::S7COMMPLUS_STATE__TPKT_VER;
     S7commplus_State last_state = S7commplus_State::S7COMMPLUS_STATE__TPKT_VER;
     uint16_t func = 0;
index 2b2589632ea539e3c61af94fc2e2960fcf218b80..e2857cdeccacdeeec6ae068666e3292b899c8776 100644 (file)
@@ -29,7 +29,6 @@
 
 #include <cmath> // For ceil
 
-#include "main/thread.h"
 #include "utils/util.h"
 #include "utils/util_net.h"
 
index bb31fb2199e9d53ceae3cf6efede38b309c8b1f1..ced35af0ce0e23d6e3f7b91f5957a1b97bc85d3e 100644 (file)
@@ -546,3 +546,4 @@ inline std::ostream& operator<<(std::ostream& os, const SfIp* addr)
 SO_PUBLIC const char* snort_inet_ntop(int family, const void* ip_raw, char* buf, int bufsize);
 } // namespace snort
 #endif
+
index 061d2b4d0b76d4f344fc232be4e1c40f1d5224fb..c73b4326114d4e3d098f97b8d06bbf50e8e255f8 100644 (file)
@@ -21,8 +21,8 @@
 
 #include <functional>
 
-#include "framework/bits.h"
 #include "framework/connector.h"
+#include "utils/bits.h"
 
 #define MAXIMUM_SC_MESSAGE_CONTENT 1024
 #define DISPATCH_ALL_RECEIVE 0
index 6c5ec19593cca4bbf71f0fba8339dd7d4dcc3ede..fcd1d0e8f6bfc99e59b47b8770bd18d11624cd2f 100644 (file)
@@ -57,7 +57,7 @@ void SideChannelManager::instantiate(const SCConnectors*, const PortBitSet* port
 }
 
 void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { }
+void show_stats(PegCount*, const PegInfo*, const std::vector<unsigned>&, const char*, FILE*) { }
 
 namespace snort
 {
index b531c27b05836e3eb92e7ca40e454ed14110a2e6..a31e9b29a7ac2b34eadb2fe7ddbd0d969ebb73c7 100644 (file)
@@ -25,6 +25,7 @@ add_library( stream_paf OBJECT
     flush_bucket.cc
     flush_bucket.h
     paf.cc
+    paf_stats.h
 )
 
 install (FILES ${STREAM_INCLUDES}
index 6dd545150134976b942c1ede8c1582011902d00c..d3e2ba05cfe239b0dc20c17ff69c1280754fba7b 100644 (file)
 
 #include "stream_ha.h"
 
+#include <algorithm>
 #include <unordered_map>
 
 #include "flow/flow_key.h"
-#include "managers/inspector_manager.h"
 #include "pub_sub/stream_event_ids.h"
 #include "stream/stream.h"
 
index 27e845bb50dd1a3b58dd70bec89159fda2ed594f..f67ccc22976dc875c7babd4ad141d41202a44d8c 100644 (file)
@@ -70,7 +70,6 @@
 
 #include "ip_defrag.h"
 
-#include "detection/detect.h"
 #include "detection/detection_engine.h"
 #include "log/messages.h"
 #include "main/analyzer.h"
@@ -82,7 +81,6 @@
 #include "time/timersub.h"
 #include "trace/trace_api.h"
 #include "utils/safec.h"
-#include "utils/stats.h"
 #include "utils/util.h"
 
 #include "ip_session.h"
index 2873dd844d746fabadcba5985af67a3dbcdad8d1..22dde5f7849367581b49862a028d69d2fb78fded 100644 (file)
 #endif
 
 #include "paf.h"
+#include "paf_stats.h"
 
 #include "detection/detection_engine.h"
 #include "protocols/packet.h"
+#include "protocols/tcp.h"
 
 using namespace snort;
 
index 67e6c367751f07eb42abe806af31d8de075690ff..6d5606b275786d3b415ad30b76363cedf271795b 100644 (file)
@@ -26,8 +26,6 @@
 #define PAF_H
 
 #include "main/snort_types.h"
-#include "main/thread.h"
-#include "profiler/profiler_defs.h"
 #include "stream/stream_splitter.h"
 
 namespace snort
@@ -35,12 +33,10 @@ namespace snort
 struct Packet;
 }
 
-extern THREAD_LOCAL snort::ProfileStats pafPerfStats;
-
 void* paf_new(unsigned max);     // create new paf config (per policy)
 void paf_delete(void*);  // free config
 
-struct SO_PUBLIC PAF_State     // per session direction
+struct PAF_State     // per session direction
 {
     uint32_t seq;    // stream cursor
     uint32_t pos;    // last flush position
@@ -60,7 +56,7 @@ inline uint32_t paf_position (PAF_State* ps)
     return ps->seq;
 }
 
-SO_PUBLIC inline uint32_t paf_initialized (PAF_State* ps)
+inline uint32_t paf_initialized (PAF_State* ps)
 {
     return ( ps->paf != snort::StreamSplitter::START );
 }
diff --git a/src/stream/paf_stats.h b/src/stream/paf_stats.h
new file mode 100644 (file)
index 0000000..28b3fdf
--- /dev/null
@@ -0,0 +1,31 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2024-2024 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// paf_stats.h author Russ Combs <rcombs@sourcefire.com>
+
+#ifndef PAF_STATS_H
+#define PAF_STATS_H
+
+// private PAF accessors (not installed)
+
+#include "profiler/profiler_defs.h"
+
+extern THREAD_LOCAL snort::ProfileStats pafPerfStats;
+
+#endif
+
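Review bot: The comment `// private PAF accessors (not installed)` in the new header does not describe its contents: the file declares a single `extern THREAD_LOCAL snort::ProfileStats pafPerfStats;` and no accessor functions. Something like `// PAF profiling stats shared by paf.cc and tcp_module.cc; internal, not installed` would state what the header is for and matches the two includers this commit adds. The stray blank line after `#endif` can also be dropped.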
index 9d73723ae9075e5411997b07a40a69ed8b739691..05b5159767048dfa4f088fe88c151c45725a13aa 100644 (file)
@@ -35,8 +35,8 @@
 #include "framework/data_bus.h"
 #include "main/snort.h"
 #include "main/snort_config.h"
-#include "network_inspectors/packet_tracer/packet_tracer.h"
 #include "packet_io/active.h"
+#include "packet_io/packet_tracer.h"
 #include "protocols/vlan.h"
 #include "pub_sub/stream_event_ids.h"
 #include "stream/base/stream_module.h"
@@ -79,15 +79,10 @@ Flow* Stream::new_flow(const FlowKey* key)
 { return flow_con->new_flow(key); }
 
 void Stream::delete_flow(const FlowKey* key)
-{
-    flow_con->release_flow(key);
-}
+{ flow_con->release_flow(key); }
 
 void Stream::delete_flow(Flow* flow)
-{
-    if (flow_con)
-        flow_con->release_flow(flow, PruneReason::NONE);
-}
+{ flow_con->release_flow(flow, PruneReason::NONE); }
 
 //-------------------------------------------------------------------------
 // key foo
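Review bot: `Stream::delete_flow(Flow*)` no longer tolerates a null `flow_con`: the removed `if (flow_con)` guard means a call made before stream initialization or after teardown now dereferences a null pointer instead of being a no-op. The sibling `delete_flow(const FlowKey*)` and `new_flow` never checked, so the removal may be deliberate for consistency, but it is a behavior change that deserves a word in the description. If the guard was masking an ordering problem, an `assert(flow_con);` would document the new precondition without silently reinstating the check.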
@@ -153,26 +148,6 @@ FlowData* Stream::get_flow_data(
     return flow->get_flow_data(flowdata_id);
 }
 
-FlowData* Stream::get_flow_data(
-    PktType type, IpProtocol proto,
-    const SfIp* srcIP, uint16_t srcPort,
-    const SfIp* dstIP, uint16_t dstPort,
-    uint16_t vlan, uint32_t mplsId,
-    uint32_t addressSpaceID, unsigned flowdata_id, uint32_t tenant_id,
-    int16_t ingress_group, int16_t egress_group)
-{
-    Flow* flow = get_flow(
-        type, proto, srcIP, srcPort, dstIP, dstPort,
-        vlan, mplsId, addressSpaceID, tenant_id, ingress_group,
-        egress_group);
-
-    if (!flow)
-        return nullptr;
-
-    return flow->get_flow_data(flowdata_id);
-}
-
-//-------------------------------------------------------------------------
 //-------------------------------------------------------------------------
 // session status
 //-------------------------------------------------------------------------
index 28e2577096d10efa45e37f2fe2f07c43b972bf8b..6f57a74773094d61f6b64a8416bb80fa6f0571f2 100644 (file)
@@ -193,15 +193,6 @@ public:
         bool swap_app_direction = false, bool expect_multi = false, bool bidirectional = false,
         bool expect_persist = false);
 
-    // Get pointer to application data for a flow based on the lookup tuples for cases where
-    // Snort does not have an active packet that is relevant.
-    static FlowData* get_flow_data(
-        PktType type, IpProtocol proto,
-        const snort::SfIp* a1, uint16_t p1, const snort::SfIp* a2, uint16_t p2,
-        uint16_t vlanId, uint32_t mplsId, uint32_t addrSpaceId, unsigned flowdata_id,
-        uint32_t tenant_id, int16_t ingress_group = DAQ_PKTHDR_UNKNOWN,
-        int16_t egress_group = DAQ_PKTHDR_UNKNOWN);
-
     // Get pointer to application data for a flow using the FlowKey as the lookup criteria
     static FlowData* get_flow_data(const FlowKey*, unsigned flowdata_id);
 
@@ -223,7 +214,6 @@ public:
     // Handle session block pending state
     static void check_flow_closed(Packet*);
 
-    //  Populate a flow key from the Packet
     static void populate_flow_key(const Packet*, FlowKey*);
 
     static void set_snort_protocol_id_from_ha(Flow*, const SnortProtocolId);
index ad359447ce7242697193bbd31286e5d0fda016b8..39286e7c24cc43aa67398ee399c27283d9219807 100644 (file)
@@ -238,7 +238,7 @@ static void mod_dtor(Module* m)
     delete m;
 }
 
-static IpsOption* reassemble_ctor(Module* p, OptTreeNode*)
+static IpsOption* reassemble_ctor(Module* p, IpsInfo&)
 {
     ReassembleModule* m = (ReassembleModule*)p;
     return new ReassembleOption(m->srod);
@@ -286,7 +286,6 @@ const BaseApi* ips_stream_reassemble = &reassemble_api.base;
 TEST_CASE("IPS Stream Reassemble", "[ips_stream_reassemble][stream_tcp]")
 {
     // initialization code here
-    REQUIRE( ( ips_stream_reassemble->api_version == (BASE_API_VERSION << 16) ) );
     REQUIRE( ( strcmp(ips_stream_reassemble->name, s_name) == 0 ) );
     ReassembleModule* reassembler = ( ReassembleModule* )ips_stream_reassemble->mod_ctor();
     REQUIRE( reassembler != nullptr );
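Review bot: Dropping `REQUIRE( ( ips_stream_reassemble->api_version == (BASE_API_VERSION << 16) ) );` removes the only check in this test that the plugin carries the expected API version, in the same change that bumps that version. If the encoding of `api_version` changed, the assertion should be rewritten in the new form rather than deleted; if it is now redundant with a shared plugin test, a one-line comment saying so would stop the next reader from re-adding it.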
index 225d1b7e601fe498d570fad982cf18539fb5abc4..f4ff3ab7ac97c84b2851f06143cef05f0596fecb 100644 (file)
@@ -213,7 +213,7 @@ static Module* size_mod_ctor()
 static void mod_dtor(Module* m)
 {  delete m; }
 
-static IpsOption* size_ctor(Module* p, OptTreeNode*)
+static IpsOption* size_ctor(Module* p, IpsInfo&)
 {
     SizeModule* m = (SizeModule*)p;
     return new SizeOption(m->ssod, m->direction);
index c76e847b2666e9a15412b5226d4f84e15af45ef5..5cf65a71cc1e73834892b5e7a3115e6c656a1695 100644 (file)
@@ -22,7 +22,7 @@
 #ifndef TCP_DEFS_H
 #define TCP_DEFS_H
 
-#include "main/thread.h"
+#include <cstdint>
 
 namespace snort
 {
index c3de7576dc0f5e49dd8beee09d8e7efaf0918ef5..11bb79c81b32dc5ec10199bb7aafce9d2fcc42e6 100644 (file)
@@ -29,7 +29,7 @@
 #include "detection/rules.h"
 #include "filters/sfrf.h"
 #include "main/snort_config.h"
-#include "packet_tracer/packet_tracer.h"
+#include "packet_io/packet_tracer.h"
 
 #include "tcp_module.h"
 
@@ -64,7 +64,6 @@ struct tcp_event_sid tcp_event_sids[] =
     { EVENT_DATA_AFTER_RST_RCVD, STREAM_TCP_DATA_AFTER_RST_RCVD, "DATA_AFTER_RST_RCVD" },
     { EVENT_WINDOW_SLAM, STREAM_TCP_WINDOW_SLAM, "WINDOW_SLAM" },
     { EVENT_NO_3WHS, STREAM_TCP_NO_3WHS, "NO_3WHS" },
-    { EVENT_BAD_SEGMENT, STREAM_TCP_BAD_SEGMENT, "BAD_SEGMENT" },
     { EVENT_EXCESSIVE_OVERLAP, STREAM_TCP_EXCESSIVE_TCP_OVERLAPS, "EXCESSIVE_OVERLAP" },
     { EVENT_MAX_SMALL_SEGS_EXCEEDED, STREAM_TCP_SMALL_SEGMENT, "MAX_SMALL_SEGS_EXCEEDED" },
     { EVENT_MAX_QUEUED_BYTES_EXCEEDED, STREAM_TCP_MAX_QUEUED_BYTES_EXCEEDED, "MAX_QUEUED_BYTES_EXCEEDED" },
index eb346a9af6894a5959b56fc61ababa1bde17f9e2..3d8a9a27546cadb6c807fdc5140b2cfde6e3fbf7 100644 (file)
 #define EVENT_DATA_AFTER_RST_RCVD       0x00004000
 #define EVENT_WINDOW_SLAM               0x00008000
 #define EVENT_NO_3WHS                   0x00010000
-#define EVENT_BAD_SEGMENT               0x00020000
-#define EVENT_EXCESSIVE_OVERLAP         0x00040000
-#define EVENT_MAX_SMALL_SEGS_EXCEEDED   0x00080000
-#define EVENT_MAX_QUEUED_BYTES_EXCEEDED 0x00100000
-#define EVENT_MAX_QUEUED_SEGS_EXCEEDED  0x00200000
+#define EVENT_EXCESSIVE_OVERLAP         0x00020000
+#define EVENT_MAX_SMALL_SEGS_EXCEEDED   0x00040000
+#define EVENT_MAX_QUEUED_BYTES_EXCEEDED 0x00080000
+#define EVENT_MAX_QUEUED_SEGS_EXCEEDED  0x00100000
 
 class TcpEventLogger
 {
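Review bot: Renumbering `EVENT_EXCESSIVE_OVERLAP` through `EVENT_MAX_QUEUED_SEGS_EXCEEDED` to close the gap left by `EVENT_BAD_SEGMENT` changes the bit values of four existing flags. That is only safe if nothing compares against the literal values and the event mask never crosses a serialization or HA boundary, which I cannot confirm from this hunk; leaving the bit unused with `// 0x00020000 was EVENT_BAD_SEGMENT, retired` would have sidestepped the question. The define run starts before this hunk.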
index 183ece6740c0909b7fd1f841a9a60e581c3aa784..f99d60399158f92abe6325aa84e36d7b80c866ae 100644 (file)
@@ -28,6 +28,7 @@
 #include "main/snort_config.h"
 #include "profiler/profiler_defs.h"
 #include "stream/paf.h"
+#include "stream/paf_stats.h"
 #include "trace/trace.h"
 
 #include "tcp_trace.h"
@@ -133,8 +134,6 @@ THREAD_LOCAL TcpStats tcpStats;
     "data sent on stream not accepting data"
 #define STREAM_TCP_BAD_TIMESTAMP_STR \
     "TCP timestamp is outside of PAWS window"
-#define STREAM_TCP_BAD_SEGMENT_STR \
-    "bad segment, adjusted size <= 0 (deprecated)"
 #define STREAM_TCP_WINDOW_TOO_LARGE_STR \
     "window size (after scaling) larger than policy allows"
 #define STREAM_TCP_EXCESSIVE_TCP_OVERLAPS_STR \
@@ -248,7 +247,6 @@ static const RuleMap stream_tcp_rules[] =
     { STREAM_TCP_DATA_ON_SYN, STREAM_TCP_DATA_ON_SYN_STR },
     { STREAM_TCP_DATA_ON_CLOSED, STREAM_TCP_DATA_ON_CLOSED_STR },
     { STREAM_TCP_BAD_TIMESTAMP, STREAM_TCP_BAD_TIMESTAMP_STR },
-    { STREAM_TCP_BAD_SEGMENT, STREAM_TCP_BAD_SEGMENT_STR },
     { STREAM_TCP_WINDOW_TOO_LARGE, STREAM_TCP_WINDOW_TOO_LARGE_STR },
     { STREAM_TCP_EXCESSIVE_TCP_OVERLAPS, STREAM_TCP_EXCESSIVE_TCP_OVERLAPS_STR },
     { STREAM_TCP_DATA_AFTER_RESET, STREAM_TCP_DATA_AFTER_RESET_STR },
index 95c87e2ebfb49aaa9b4d0aeb55c64b926877be06..4b6f00999b050eb6810b7d3dbe4bb466d6c57de9 100644 (file)
@@ -31,7 +31,7 @@
 #define STREAM_TCP_DATA_ON_SYN                     2
 #define STREAM_TCP_DATA_ON_CLOSED                  3
 #define STREAM_TCP_BAD_TIMESTAMP                   4
-#define STREAM_TCP_BAD_SEGMENT                     5
+//#define STREAM_TCP_BAD_SEGMENT                   5   deleted
 #define STREAM_TCP_WINDOW_TOO_LARGE                6
 #define STREAM_TCP_EXCESSIVE_TCP_OVERLAPS          7
 #define STREAM_TCP_DATA_AFTER_RESET                8
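Review bot: `//#define STREAM_TCP_BAD_SEGMENT                   5   deleted` keeps SID 5 reserved, which is right since rule IDs are external identifiers, but a commented-out macro reads as dead code and invites being uncommented. Prefer a plain comment that states the intent, e.g. `// SID 5 (STREAM_TCP_BAD_SEGMENT) retired; do not reuse`, mirroring the removal of its entry from stream_tcp_rules[] in tcp_module.cc.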
index 4471cda88f224d0757af55b4215e38ee7867319b..79f5326d76e35d1c011bac0e9a14b6fb2d1a08a4 100644 (file)
 #include "tcp_normalizer.h"
 
 #include "stream/stream.h"
+#include "packet_io/packet_tracer.h"
 
 #include "tcp_module.h"
 #include "tcp_stream_session.h"
 #include "tcp_stream_tracker.h"
-#include "packet_tracer/packet_tracer.h"
 
 using namespace snort;
 
index 7ddd568a0a4ba43f07cfdf8f960a050d00544b2d..17c5c8d629debe754f14938f87daeff5a4254594 100644 (file)
@@ -24,7 +24,8 @@
 
 #include "tcp_defs.h"
 
-#include "main/thread.h"
+#include <string>
+
 #include "normalize/normalize.h"
 #include "normalize/norm_stats.h"
 #include "protocols/tcp_options.h"
index fc003fcfdb6c278f93ff5d28456df9d1af52e636..cba454cdebb8afcbb2e2ab083394f02b32d9e32d 100644 (file)
@@ -29,9 +29,8 @@
 
 #include "detection/detection_engine.h"
 #include "log/log.h"
-#include "main/analyzer.h"
 #include "packet_io/active.h"
-#include "packet_tracer/packet_tracer.h"
+#include "packet_io/packet_tracer.h"
 #include "profiler/profiler.h"
 #include "protocols/packet_manager.h"
 #include "time/packet_time.h"
@@ -597,7 +596,9 @@ int TcpReassembler::flush_to_seq(
         tcpStats.rebuilt_packets++;
         tcpStats.rebuilt_bytes += flushed_bytes;
 
-        if ( !Analyzer::get_local_analyzer()->inspect_rebuilt(pdu) )
+        DetectionEngine de;
+
+        if ( !de.inspect(pdu) )
             last_pdu = pdu;
         else
             last_pdu = nullptr;
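Review bot: The rebuilt-PDU inspection is replaced two different ways in this commit: here and in do_zero_byte_flush it becomes `DetectionEngine de; de.inspect(pdu);`, while UserTracker::detect in user_session.cc uses `PigPen::inspect_rebuilt(up);`. flush_to_seq branches on the result (`if ( !de.inspect(pdu) ) last_pdu = pdu;`), so it matters that `DetectionEngine::inspect` returns the same truth value the old `Analyzer::inspect_rebuilt` did; if the two new calls are equivalent, using one of them in all three places would make that obvious. Also worth confirming that constructing a `DetectionEngine` on the stack per flush has no constructor or destructor side effects the analyzer path did not have. flush_to_seq starts and ends outside the hunk.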
@@ -641,7 +642,9 @@ int TcpReassembler::do_zero_byte_flush(TcpReassemblerState& trs, Packet* p, uint
 
         trs.flush_count++;
         show_rebuilt_packet(trs, pdu);
-        Analyzer::get_local_analyzer()->inspect_rebuilt(pdu);
+
+        DetectionEngine de;
+        de.inspect(pdu);
      }
 
      return bytes_copied;
index ac2b5aee2509b8f4f9afbec5a1b7242f436734e9..23fc6c23e2c77cb82da0c7eb297e0ad3368d6319 100644 (file)
@@ -26,7 +26,7 @@
 #include "tcp_segment_descriptor.h"
 
 #include "detection/rules.h"
-#include "packet_tracer/packet_tracer.h"
+#include "packet_io/packet_tracer.h"
 #include "protocols/tcp_options.h"
 #include "stream/tcp/tcp_defs.h"
 #include "stream/tcp/tcp_stream_tracker.h"
index 64361e8d0f608990ccc8e6942815268b824b87c1..6ba4dd128f81bea492832a5036c4bebdcec233b2 100644 (file)
@@ -28,6 +28,7 @@
 
 #include "flow/flow.h"
 #include "detection/ips_context.h"
+#include "main/snort_config.h"
 #include "packet_io/active.h"
 #include "protocols/packet.h"
 #include "protocols/tcp.h"
index 42ea2671e0253fd12ad6e808aa8429f436da14ec..8836165e3f071553c352e948bacaadf6de30b1a1 100644 (file)
@@ -25,7 +25,6 @@
 
 #include "tcp_segment_node.h"
 
-#include "main/thread.h"
 #include "utils/util.h"
 
 #include "segment_overlap_editor.h"
index 60a3201c6b9430f5371ccd1241f9d2e93ba54ecc..a0c4e39a8ed049f9c2359941e296dae40e461025 100644 (file)
 #include "detection/detection_engine.h"
 #include "detection/rules.h"
 #include "log/log.h"
+#include "packet_io/packet_tracer.h"
 #include "profiler/profiler.h"
 #include "protocols/eth.h"
 #include "pub_sub/intrinsic_event_ids.h"
-#include "packet_tracer/packet_tracer.h"
 
 #include "stream_tcp.h"
 #include "tcp_ha.h"
index 12b7efc53d9745e52a6f682c1b4f799846088550..49ef29170a9c00ca67283ab2d287354ab8a62a9f 100644 (file)
@@ -25,7 +25,7 @@
 
 #include "tcp_state_listen.h"
 
-#include "packet_tracer/packet_tracer.h"
+#include "packet_io/packet_tracer.h"
 #include "pub_sub/stream_event_ids.h"
 #include "stream/stream.h"
 
index 55727ac3cd6db389b334bce9f4d047148fb6c64e..de26c2a6f7a0e1cffd33540769f2e4d9bd20cb27 100644 (file)
@@ -25,7 +25,7 @@
 
 #include "tcp_state_none.h"
 
-#include "packet_tracer/packet_tracer.h"
+#include "packet_io/packet_tracer.h"
 #include "pub_sub/stream_event_ids.h"
 #include "stream/stream.h"
 
index d005ef5b4ab5abf15d137b727ec0dfe3b49deb84..513e9f40cf68e4d01758ca44afe71542bddfc8f1 100644 (file)
@@ -26,7 +26,7 @@
 #include "tcp_stream_session.h"
 
 #include "framework/data_bus.h"
-#include "packet_tracer/packet_tracer.h"
+#include "packet_io/packet_tracer.h"
 #include "pub_sub/stream_event_ids.h"
 #include "stream/stream.h"
 #include "stream/tcp/tcp_ha.h"
index 611e62993dbb7841d0655fc87909be39649f36ab..bfbf7ee4e82ea1044aa473f5113b3711d54a33ca 100644 (file)
@@ -26,7 +26,6 @@
 #include "tcp_trace.h"
 
 #include "trace/trace_api.h"
-#include "utils/stats.h"
 
 #include "tcp_module.h"
 #include "tcp_session.h"
index fddf362c69150762fbd1f42ac6e281996b22e190..0ae6597b2f6ef0f7fee87e1bfb08f57df4d7407e 100644 (file)
@@ -21,7 +21,6 @@
 #ifndef TCP_TRACE_H
 #define TCP_TRACE_H
 
-#include "main/thread.h"
 
 namespace snort
 {
index 3e089110b8c940667714f896f9af670a5d43562a..b2f51ecfd2e01376dff3659e5dd1a506310af2cc 100644 (file)
@@ -24,6 +24,7 @@
 #include "stream/stream_splitter.h"
 
 #include "detection/detection_engine.h"
+#include "main/snort_config.h"
 #include "stream/flush_bucket.h"
 #include "stream/stream.h"
 
index 7c23d6917bf2789c3d9c07cfc7479dcf6c946b0b..9020a0394366c66aca84df1bd8b16959c15fc9a5 100644 (file)
@@ -1,17 +1,17 @@
 set(UDP_STREAM_INCLUDES
-   stream_udp.h
-   udp_ha.h
-   udp_module.h
-   udp_session.h
+    udp_session.h
 )
 
 add_library( stream_udp OBJECT
     stream_udp.cc
+    stream_udp.h
     udp_ha.cc
+    udp_ha.h
     udp_module.cc
+    udp_module.h
     udp_session.cc
 )
 
 install(FILES ${UDP_STREAM_INCLUDES}
     DESTINATION "${INCLUDE_INSTALL_PATH}/stream/udp"
-)
\ No newline at end of file
+)
index 0d94b91f0deafa95d0394bd737ff649f5070b01b..e1d0f16d0cf52de5d46040f6c7a53190297a1ff4 100644 (file)
@@ -23,7 +23,6 @@
 #include <sys/time.h>
 
 #include "flow/session.h"
-#include "main/snort_types.h"
 
 class SO_PUBLIC UdpSession : public Session
 {
@@ -40,8 +39,5 @@ public:
     struct timeval ssn_time = {};
 };
 
-void udp_stats();
-void udp_reset();
-
 #endif
 
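Review bot: udp_session.h still declares `class SO_PUBLIC UdpSession : public Session` but drops its direct `#include "main/snort_types.h"`, which as far as I recall is where `SO_PUBLIC` is defined; the header then compiles only because flow/session.h presumably pulls it in transitively. Since udp_session.h stays in the installed UDP_STREAM_INCLUDES, keeping the include (include what you use) avoids making out-of-tree consumers depend on session.h's include list.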
index 3f8e41c1e72ae2a682666dcf19436b59e4af34f9..ef9bd9a2dd2d3024c9fd162545f7f11a7f60de79 100644 (file)
@@ -25,7 +25,7 @@
 
 #include "detection/detection_engine.h"
 #include "detection/rules.h"
-#include "main/analyzer.h"
+#include "framework/pig_pen.h"
 #include "profiler/profiler_defs.h"
 #include "protocols/packet.h"
 #include "trace/trace_api.h"
@@ -165,7 +165,7 @@ void UserTracker::detect(
     up->packet_flags |= (p->packet_flags & (PKT_STREAM_EST|PKT_STREAM_UNEST_UNI));
 
     debug_logf(stream_user_trace, up, "detect[%d]\n", up->dsize);
-    Analyzer::get_local_analyzer()->inspect_rebuilt(up);
+    PigPen::inspect_rebuilt(up);
 }
 
 int UserTracker::scan(Packet* p, uint32_t& flags)
index c031c8647da26d3c317d5711890d19d62f425fe4..ca2777752b89b62e75641cd38251c3cbb9d17a8f 100644 (file)
@@ -30,7 +30,6 @@
 #include "main/shell.h"
 #include "main/snort.h"
 #include "main/snort_config.h"
-#include "main/thread.h"
 
 using namespace snort;
 
index 18b69dbef0b16fda71d76fb9f6278406013019d8..2a16326e7561bd1b1410f27a63db159bffb5546d 100644 (file)
@@ -35,7 +35,6 @@
 
 #include "packet_time.h"
 
-#include "main/thread.h"
 #include "time/timersub.h"
 
 static THREAD_LOCAL struct timeval s_recent_packet = { 0, 0 };
index 3c8ee695927a0928e7eea51199c92cb503eace66..4a658eddfbf4c5c5022855dc90e4a56cdf384a9a 100644 (file)
 #define TRACE_H
 
 #include <cassert>
+#include <cstdint>
 #include <map>
+#include <string>
 #include <vector>
 
-#include "main/thread.h"
-
 #define DEFAULT_TRACE_LOG_LEVEL 1
 #define TRACE_CRITICAL_LEVEL 2
 #define TRACE_ERROR_LEVEL 3
index 58fe56f5965e12a51a22eb82c882a9e4208b0cf7..08e1760ff44f5f9dfd629070ae96e5dc80c636fe 100644 (file)
 
 #include <cstring>
 
-#include "framework/packet_constraints.h"
 #include "main/snort.h"
 #include "main/snort_config.h"
-#include "main/thread.h"
+#include "packet_io/packet_constraints.h"
 #include "protocols/packet.h"
 #include "utils/safec.h"
 
index 0aad4443e54072704c81c9dbf33e38e1d86b2a08..d2c832c387b32ba7f04d210f14c9127fbee1b6c3 100644 (file)
@@ -26,8 +26,8 @@
 #include <cstring>
 
 #include "framework/module.h"
-#include "framework/packet_constraints.h"
 #include "managers/module_manager.h"
+#include "packet_io/packet_constraints.h"
 
 #include "trace_logger.h"
 
index 018b26181474efe2fbab6fcb7239f754cbaa82f0..04dc106df8a7d447f284023cccaca9f0c4a496a9 100644 (file)
@@ -25,9 +25,9 @@
 
 #include <syslog.h>
 
-#include "framework/packet_constraints.h"
 #include "main/snort_config.h"
 #include "managers/module_manager.h"
+#include "packet_io/packet_constraints.h"
 
 #include "trace_config.h"
 #include "trace_loggers.h"
index 84d02f87bd12e43bf1c3ace30ba95d8766107d64..20802584932365d7c3ca19f80922d7468bc370a7 100644 (file)
@@ -23,7 +23,7 @@
 #include <map>
 #include <string>
 
-#include "framework/packet_constraints.h"
+#include "packet_io/packet_constraints.h"
 
 namespace snort
 {
index cdb8123e9903502f73ddc13ad74e0a6969ecb2e1..bba83c184a586b3e5859e9d9d61d64074780b49a 100644 (file)
 
 #include "control/control.h"
 #include "framework/module.h"
-#include "framework/packet_constraints.h"
 #include "log/messages.h"
 #include "main/analyzer_command.h"
 #include "main/snort_config.h"
+#include "packet_io/packet_constraints.h"
 
 #include "trace_api.h"
 #include "trace_config.h"
index 8e9766f735dfcfbd0122f5e045e67b113e5ae299..26cda0a55c7f9263152a425fa39ee0233038fd01 100644 (file)
@@ -1,45 +1,32 @@
 
 set( UTIL_INCLUDES
-    boyer_moore.h
+    bits.h
     cpp_macros.h
     endian.h
-    event_gen.h
-    infractions.h
-    kmap.h
-    memcap_allocator.h
-    primed_allocator.h
     safec.h
-    sflsq.h
-    stats.h
     util.h
-    util_ber.h
     util_cstring.h
     util_unfold.h
-    util_utf.h
-    util_numa.h
 )
 
 add_library ( utils OBJECT
     ${UTIL_INCLUDES}
     ${SNPRINTF_SOURCES}
-    boyer_moore.cc
+    chunk.cc
+    chunk.h
     dnet_header.h
-    kmap.cc
     sflsq.cc
+    sflsq.h
     snort_bounds.h
     stats.cc
-    streambuf.cc
-    streambuf.h
+    stats.h
     util.cc
-    util_ber.cc
     util_cstring.cc
     util_jsnorm.cc
     util_jsnorm.h
     util_net.cc
     util_net.h
     util_unfold.cc
-    util_utf.cc
-    util_numa.h
     ${TEST_FILES}
 )
 
@@ -47,5 +34,3 @@ install (FILES ${UTIL_INCLUDES}
     DESTINATION "${INCLUDE_INSTALL_PATH}/utils"
 )
 
-add_subdirectory(test)
-
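Review bot: Removing `add_subdirectory(test)` together with the deleted src/utils/test/CMakeLists.txt drops `memcap_allocator_test` as well as `boyer_moore_test`. boyer_moore.cc leaves this directory in the first hunk, but memcap_allocator.h is only removed from the install list, so unless its test was moved alongside the header this is a silent loss of coverage. A line in the description saying where the test went would settle it.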
similarity index 100%
rename from src/framework/bits.h
rename to src/utils/bits.h
similarity index 100%
rename from src/helpers/chunk.cc
rename to src/utils/chunk.cc
similarity index 100%
rename from src/helpers/chunk.h
rename to src/utils/chunk.h
index 5d5d1f1b780b20da4183c8975d1eec7c6011a56d..c2649ac9d6eac1df3400df7608b303876fe9fac0 100644 (file)
@@ -1,48 +1,4 @@
-This unit contains a mixed bag of legacy utilities that haven't found a home in any
-other directory.  In many cases, the STL provides better options.
+This unit contains a mixed bag of legacy utilities that haven't found a home in
+any other directory.  In many cases, the STL provides better options. Fully
+formed utility classes should go in src/helpers/.
 
-
-On stream buffer, there are two classes inherited from std::streambuf:
-
-* istreambuf_glue class for reading operations
-* ostreambuf_infl class for writing operations
-
-The input stream buffer presents a continuous sequence of bytes to the client,
-gathered from different sources. For example:
-
-    char* s1 = "world";
-    char* s2 = "!";
-    char* s3 = "Hello ";
-
-These sources being fed to the stream buffer as s3, s1, s2 will form
-"Hello world!" sequence.
-
-In order to do that, istreambuf_glue class represents each source as a chunk of
-data, which has its own position in the resulting sequence.
-The chunk structure contains a pointer to the source, source size, and
-the chunk's offset in the resulting sequence.
-
-Reading is done sequentially within the current chunk. When the end of chunk
-reached, the buffer switches to the next one, setting std::streambuf pointers.
-
-Positioning the cursor is done in two steps:
-
-1. Calculate the final cursor position (absolute or by offset).
-
-2. Find the right chunk and local offset in it to set cursor there.
-
-Currently, no intermediate buffering done between chunks (like alignment,
-prepending/appending the next chunk). The buffer doesn't take ownership over
-the source's memory.
-
-The output stream buffer is mostly like std::stringbuf. The main purpose of it
-is having an extensible dynamic array, where clients could write their data,
-not worrying about resizing and memory management.
-
-Aside from that, ostreambuf_infl can give away ownership over its memory,
-which could be useful for final consumer.
-
-From performance perspective, ostreambuf_infl can reserve an amount of memory
-before actual operations. Also, memory extending is done by predefined
-portions of 2^11^, 2^12^, 2^13^, 2^14^, 2^15^, 2^15^, 2^15^...
-This tries to minimize the number of memory reallocation.
index bdf3ba82caff8cb1e986fad17cf2a3e3dbd9c38e..b1f73ea97e9d9f178657ffe33553bebea73c178c 100644 (file)
 #include <cassert>
 #include <cmath>
 
-#include "control/control.h"
 #include "detection/detection_engine.h"
 #include "file_api/file_stats.h"
 #include "filters/sfthreshold.h"
 #include "framework/module.h"
-#include "helpers/process.h"
+#include "log/log_stats.h"
 #include "log/messages.h"
+#include "main/process.h"
 #include "main/snort_config.h"
 #include "memory/memory_cap.h"
 #include "managers/module_manager.h"
 #include "packet_io/active.h"
 #include "packet_io/sfdaq.h"
 #include "packet_io/trough.h"
-#include "profiler/profiler.h"
+#include "profiler/profiler_impl.h"
 #include "protocols/packet_manager.h"
 #include "time/timersub.h"
 
 #include "util.h"
 
-#define STATS_SEPARATOR \
-    "--------------------------------------------------"
 #define USECS_PER_SEC 1000000.0
 
 ProcessCount proc_stats;
 
 namespace snort
 {
-
 THREAD_LOCAL PacketCount pc;
-static THREAD_LOCAL ControlConn* s_ctrlcon = nullptr;
-
-//-------------------------------------------------------------------------
-
-static inline void LogSeparator(FILE* fh = stdout)
-{
-    LogfRespond(s_ctrlcon, fh, "%s\n", STATS_SEPARATOR);
-}
-
-void LogText(const char* s, FILE* fh)
-{
-    LogfRespond(s_ctrlcon, fh, "%s\n", s);
-}
-
-void LogLabel(const char* s, FILE* fh)
-{
-    if ( *s == ' ' )
-    {
-        LogfRespond(s_ctrlcon, fh, "%s\n", s);
-    }
-    else
-    {
-        LogSeparator(fh);
-        LogfRespond(s_ctrlcon, fh, "%s\n", s);
-    }
-}
-
-void LogValue(const char* s, const char* v, FILE* fh)
-{
-    LogfRespond(s_ctrlcon, fh, "%25.25s: %s\n", s, v);
-}
-
-void LogCount(const char* s, uint64_t c, FILE* fh)
-{
-    if ( c )
-    {
-        LogfRespond(s_ctrlcon, fh, "%25.25s: " STDu64 "\n", s, c);
-    }
-}
-
-void LogStat(const char* s, uint64_t n, uint64_t tot, FILE* fh)
-{
-    if ( n )
-    {
-        LogfRespond(s_ctrlcon, fh, "%25.25s: " FMTu64("-12") "\t(%7.3f%%)\n", s, n, CalcPct(n, tot));
-    }
-}
-
-void LogStat(const char* s, double d, FILE* fh)
-{
-    if ( d )
-    {
-        LogfRespond(s_ctrlcon, fh, "%25.25s: %g\n", s, d);
-    }
-}
 }
 
 using namespace snort;
 
 //-------------------------------------------------------------------------
 
-double CalcPct(uint64_t cnt, uint64_t total)
-{
-    double pct = 0.0;
-
-    if (total == 0.0)
-    {
-        pct = (double)cnt;
-    }
-    else
-    {
-        pct = (double)cnt / (double)total;
-    }
-
-    pct *= 100.0;
-
-    return pct;
-}
-
-//-------------------------------------------------------------------------
-
 static struct timeval starttime = {0, 0}, endtime = {0, 0}, currtime = {0, 0};
 
 void TimeStart()
@@ -195,7 +117,7 @@ static void timing_stats()
     if ( uint64_t pps = (uint64_t)llround(num_pkts / total_secs) )
         LogMessage("%25.25s: " STDu64 "\n", "pkts/sec", pps);
 
-    if ( uint64_t mbps = (uint64_t)llround(8 * num_byts / total_secs / 1024 / 1024) )
+    if ( uint64_t mbps = (uint64_t)llround(8 * num_byts / total_secs / 1e6) )
         LogMessage("%25.25s: " STDu64 "\n", "Mbits/sec", mbps);
 }
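Review bot: Changing the divisor from `/ 1024 / 1024` to `/ 1e6` makes the `Mbits/sec` line report decimal megabits, so the printed value grows by about 4.9% for the same traffic. That is the conventional unit and now matches the label, but it is a user-visible change to exit statistics that scripts may compare across versions; a brief changelog entry or a `// decimal megabits, not MiB` comment on the line would prevent confusion.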
 
@@ -227,9 +149,6 @@ const PegInfo pc_names[] =
     { CountType::SUM, "offload_fallback", "fast pattern offload search fallback attempts" },
     { CountType::SUM, "offload_failures", "fast pattern offload search failures" },
     { CountType::SUM, "offload_suspends", "fast pattern search suspends due to offload context chains" },
-    { CountType::SUM, "pcre_match_limit", "total number of times pcre hit the match limit" },
-    { CountType::SUM, "pcre_recursion_limit", "total number of times pcre hit the recursion limit" },
-    { CountType::SUM, "pcre_error", "total number of times pcre returns error" },
     { CountType::SUM, "cont_creations", "total number of continuations created" },
     { CountType::SUM, "cont_recalls", "total number of continuations recalled" },
     { CountType::SUM, "cont_flows", "total number of flows using continuation" },
@@ -262,7 +181,8 @@ const PegInfo proc_names[] =
 
 void DropStats(ControlConn* ctrlcon)
 {
-    s_ctrlcon = ctrlcon;
+    set_log_conn(ctrlcon);
+
     ModuleManager::accumulate_dump_stats();
     LogLabel("Packet Statistics");
     ModuleManager::get_module("daq")->show_stats();
@@ -278,7 +198,7 @@ void DropStats(ControlConn* ctrlcon)
     ModuleManager::get_module("memory")->show_stats();
     memory::MemoryCap::print(SnortConfig::log_verbose());
 
-    s_ctrlcon = nullptr;
+    set_log_conn(nullptr);
 }
 
 //-------------------------------------------------------------------------
@@ -351,7 +271,7 @@ void show_stats(
 
 void show_stats(
     PegCount* pegs, const PegInfo* info,
-    const IndexVec& peg_idxs, const char* module_name, FILE* fh)
+    const std::vector<unsigned>& peg_idxs, const char* module_name, FILE* fh)
 {
     bool head = false;
 
index 1599588cc0f1ea5c44b19519d1b1417a2b0f9de0..b36e2ac40e42ec4442df3d5379893cfcdbcab715 100644 (file)
 // Provides facilities for displaying Snort exit stats
 
 #include <daq_common.h>
+#include <cstdio>
 #include <vector>
 
 #include "framework/counts.h"
 #include "main/snort_types.h"
-#include "main/thread.h"
-
-using IndexVec = std::vector<unsigned>;
 
 class ControlConn;
 
@@ -60,9 +58,6 @@ struct PacketCount
     PegCount offload_fallback;
     PegCount offload_failures;
     PegCount offload_suspends;
-    PegCount pcre_match_limit;
-    PegCount pcre_recursion_limit;
-    PegCount pcre_error;
     PegCount cont_creations;
     PegCount cont_recalls;
     PegCount cont_flows;
@@ -97,29 +92,18 @@ extern const PegInfo proc_names[];
 
 namespace snort
 {
-extern SO_PUBLIC THREAD_LOCAL PacketCount pc;
-
-SO_PUBLIC inline PegCount get_packet_number() { return pc.analyzed_pkts; }
-
-SO_PUBLIC void LogLabel(const char*, FILE* = stdout);
-SO_PUBLIC void LogText(const char*, FILE* = stdout);
-SO_PUBLIC void LogValue(const char*, const char*, FILE* = stdout);
-SO_PUBLIC void LogCount(const char*, uint64_t, FILE* = stdout);
-
-SO_PUBLIC void LogStat(const char*, uint64_t n, uint64_t tot, FILE* = stdout);
-SO_PUBLIC void LogStat(const char*, double, FILE* = stdout);
+extern THREAD_LOCAL PacketCount pc;
 }
 
 void sum_stats(PegCount* sums, PegCount* counts, unsigned n, bool dump_stats = false);
 void show_stats(PegCount*, const PegInfo*, const char* module_name = nullptr);
 void show_stats(PegCount*, const PegInfo*, unsigned n, const char* module_name = nullptr);
-void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char* module_name, FILE*);
+void show_stats(PegCount*, const PegInfo*, const std::vector<unsigned>&, const char* module_name, FILE*);
 void show_percent_stats(PegCount*, const char*[], unsigned n, const char* module_name = nullptr);
 
 void sum_stats(SimpleStats* sums, SimpleStats* counts);
 void show_stats(SimpleStats*, const char* module_name);
 
-double CalcPct(uint64_t, uint64_t);
 void DropStats(ControlConn* ctrlcon = nullptr);
 void PrintStatistics();
 void TimeStart();
diff --git a/src/utils/test/CMakeLists.txt b/src/utils/test/CMakeLists.txt
deleted file mode 100644 (file)
index 1c6a91c..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-add_cpputest( boyer_moore_test
-    SOURCES
-        ../boyer_moore.cc
-)
-
-add_cpputest( memcap_allocator_test )
-
-add_catch_test( streambuf_test
-    SOURCES
-        ../streambuf.cc
-)
-
-add_catch_test( grouped_list_test
-    SOURCES
-        ../grouped_list.h
-)
index 7b8610def6dac67f2841e187c709e5528bdece8f..80561ad524665f039c426ab045ba0e9b06be826f 100644 (file)
 
 #include "util.h"
 
-#include <fcntl.h>
-#include <grp.h>
-#include <luajit.h>
-#include <netdb.h>
-#include <openssl/crypto.h>
-#include <pcap.h>
-#include <pcre.h>
-#include <pwd.h>
-#include <sys/file.h>
-#include <sys/resource.h>
 #include <sys/stat.h>
-#include <zlib.h>
-
-#ifdef HAVE_HYPERSCAN
-#include <hs_compile.h>
-#endif
-
-#ifdef HAVE_LZMA
-#include <lzma.h>
-#endif
-
-#ifdef HAVE_LIBML
-#include <libml.h>
-#endif
-
-extern "C" {
-#include <daq.h>
-}
 
 #include <chrono>
-#include <fstream>
 #include <random>
 
 #include "log/messages.h"
 #include "main/snort_config.h"
-#include "packet_io/sfdaq.h"
-#include "protocols/packet.h"   // For NUM_IP_PROTOS
 
 #include "util_cstring.h"
 
@@ -82,408 +52,6 @@ extern "C" {
 
 using namespace snort;
 
-/****************************************************************************
- * Store interesting data in memory that would not otherwise be visible
- * in a CORE(5) file
- ***************************************************************************/
-#ifdef BUILD
-    #define SNORT_VERSION_STRING ("### Snort Version " VERSION " Build " BUILD "\n")
-#else
-    #define SNORT_VERSION_STRING ("### Snort Version " VERSION "\n")
-#endif
-#define SNORT_VERSION_STRLEN sizeof(SNORT_VERSION_STRING)
-char __snort_version_string[SNORT_VERSION_STRLEN];
-
-void StoreSnortInfoStrings()
-{
-    strncpy(__snort_version_string, SNORT_VERSION_STRING,
-        sizeof(__snort_version_string));
-}
-
-#undef SNORT_VERSION_STRING
-#undef SNORT_VERSION_STRLEN
-
-int DisplayBanner()
-{
-    const char* ljv = LUAJIT_VERSION;
-    while ( *ljv && !isdigit(*ljv) )
-        ++ljv;
-
-    LogMessage("\n");
-    LogMessage("   ,,_     -*> Snort++ <*-\n");
-#ifdef BUILD
-    LogMessage("  o\"  )~   Version %s (Build %s)\n", VERSION, BUILD);
-#else
-    LogMessage("  o\"  )~   Version %s\n", VERSION);
-#endif
-    LogMessage("   ''''    By Martin Roesch & The Snort Team\n");
-    LogMessage("           http://snort.org/contact#team\n");
-    LogMessage("           Copyright (C) 2014-2024 Cisco and/or its affiliates."
-                           " All rights reserved.\n");
-    LogMessage("           Copyright (C) 1998-2013 Sourcefire, Inc., et al.\n");
-    LogMessage("           Using DAQ version %s\n", daq_version_string());
-    LogMessage("           Using LuaJIT version %s\n", ljv);
-    LogMessage("           Using %s\n", OpenSSL_version(SSLEAY_VERSION));
-    LogMessage("           Using %s\n", pcap_lib_version());
-    LogMessage("           Using PCRE version %s\n", pcre_version());
-    LogMessage("           Using ZLIB version %s\n", zlib_version);
-#ifdef HAVE_HYPERSCAN
-    LogMessage("           Using Hyperscan version %s\n", hs_version());
-#endif
-#ifdef HAVE_LZMA
-    LogMessage("           Using LZMA version %s\n", lzma_version_string());
-#endif
-#ifdef HAVE_LIBML
-    LogMessage("           Using LibML version %s\n", libml_version());
-#endif
-    LogMessage("\n");
-
-    return 0;
-}
-
-// get offset seconds from GMT
-int gmt2local(time_t t)
-{
-    if (t == 0)
-        t = time(nullptr);
-
-    struct tm gmt;
-    struct tm* lt = gmtime_r(&t, &gmt);
-    if (lt == nullptr)
-        return 0;
-
-    struct tm loc;
-    localtime_r(&t, &loc);
-
-    int dt = (loc.tm_hour - gmt.tm_hour) * 60 * 60 +
-        (loc.tm_min - gmt.tm_min) * 60;
-
-    int dir = loc.tm_year - gmt.tm_year;
-
-    if (dir == 0)
-        dir = loc.tm_yday - gmt.tm_yday;
-
-    dt += dir * 24 * 60 * 60;
-
-    return(dt);
-}
-
-static FILE* pid_lockfile = nullptr;
-static FILE* pid_file = nullptr;
-
-void CreatePidFile(pid_t pid)
-{
-    SnortConfig* sc = SnortConfig::get_main_conf();
-
-    sc->pid_filename = sc->log_dir;
-    sc->pid_filename += "/snort.pid";
-
-    std::string pid_lockfilename;
-
-    if ( !sc->no_lock_pid_file() )
-    {
-        pid_lockfilename = sc->pid_filename;
-        pid_lockfilename += ".lck";
-
-        /* First, lock the PID file */
-        pid_lockfile = fopen(pid_lockfilename.c_str(), "w");
-
-        if ( pid_lockfile )
-        {
-            struct flock lock;
-            int lock_fd = fileno(pid_lockfile);
-
-            lock.l_type = F_WRLCK;
-            lock.l_whence = SEEK_SET;
-            lock.l_start = 0;
-            lock.l_len = 0;
-
-            if (fcntl(lock_fd, F_SETLK, &lock) == -1)
-            {
-                ClosePidFile();
-                ParseError("Failed to Lock PID File \"%s\" for PID \"%d\"",
-                    sc->pid_filename.c_str(), (int)pid);
-                return;
-            }
-        }
-    }
-
-    /* Okay, were able to lock PID file, now open and write PID */
-    pid_file = fopen(sc->pid_filename.c_str(), "w");
-    if (pid_file)
-    {
-        LogMessage("Writing PID \"%d\" to file \"%s\"\n", (int)pid,
-            sc->pid_filename.c_str());
-        fprintf(pid_file, "%d\n", (int)pid);
-        fflush(pid_file);
-    }
-    else
-    {
-        if (pid_lockfile)
-        {
-            fclose(pid_lockfile);
-            pid_lockfile = nullptr;
-        }
-        const char* error = get_error(errno);
-        ErrorMessage("Failed to create pid file %s, Error: %s\n",
-            sc->pid_filename.c_str(), error);
-        sc->pid_filename.clear();
-    }
-    if ( !pid_lockfilename.empty() )
-        unlink(pid_lockfilename.c_str());
-}
-
-void ClosePidFile()
-{
-    if (pid_file)
-    {
-        fclose(pid_file);
-        pid_file = nullptr;
-    }
-    if (pid_lockfile)
-    {
-        fclose(pid_lockfile);
-        pid_lockfile = nullptr;
-    }
-}
-
-// set safe UserID and GroupID, if needed
-bool SetUidGid(int user_id, int group_id)
-{
-    // Were any changes requested?
-    if (group_id == -1 && user_id == -1)
-        return true;
-
-    if (group_id != -1)
-    {
-        if (setgid(group_id) < 0)
-        {
-            ParseError("Cannot set GID: %d", group_id);
-            return false;
-        }
-        LogMessage("Set GID to %d\n", group_id);
-    }
-
-    if (user_id != -1)
-    {
-        if (setuid(user_id) < 0)
-        {
-            ParseError("Cannot set UID: %d", user_id);
-            return false;
-        }
-        LogMessage("Set UID to %d\n", user_id);
-    }
-
-    return true;
-}
-
-// set the groups of the process based on the UserID with the GroupID added
-void InitGroups(int user_id, int group_id)
-{
-    if ((user_id != -1) && (getuid() == 0))
-    {
-        struct passwd* pw = getpwuid(user_id);  // main thread only
-
-        if (pw != nullptr)
-        {
-            /* getpwuid and initgroups may use the same static buffers */
-            char* username = snort_strdup(pw->pw_name);
-
-            if (initgroups(username, group_id) < 0)
-                ParseError("Can not initgroups(%s,%d)", username, group_id);
-
-            snort_free(username);
-        }
-
-        /** Just to be on the safe side... **/
-        endgrent();
-        endpwent();
-    }
-}
-
-//-------------------------------------------------------------------------
-
-// FIXIT-L this is a duplicate of PacketManager::get_proto_name()
-void InitProtoNames()
-{
-    if ( !protocol_names )
-        protocol_names = (char**)snort_calloc(NUM_IP_PROTOS, sizeof(char*));
-
-    for ( int i = 0; i < NUM_IP_PROTOS; i++ )
-    {
-        struct protoent* pt = getprotobynumber(i);  // main thread only
-
-        if (pt != nullptr)
-        {
-            protocol_names[i] = snort_strdup(pt->p_name);
-
-            for ( size_t j = 0; j < strlen(protocol_names[i]); j++ )
-                protocol_names[i][j] = toupper(protocol_names[i][j]);
-        }
-        else
-        {
-            char protoname[10];
-            SnortSnprintf(protoname, sizeof(protoname), "PROTO:%03d", i);
-            protocol_names[i] = snort_strdup(protoname);
-        }
-    }
-}
-
-void CleanupProtoNames()
-{
-    if (protocol_names != nullptr)
-    {
-        int i;
-
-        for (i = 0; i < NUM_IP_PROTOS; i++)
-        {
-            if (protocol_names[i] != nullptr)
-                snort_free(protocol_names[i]);
-        }
-
-        snort_free(protocol_names);
-        protocol_names = nullptr;
-    }
-}
-
-// read the BPF filters in from a file, return the processed BPF string
-std::string read_infile(const char* key, const char* fname)
-{
-    int fd = open(fname, O_RDONLY);
-    struct stat buf;
-
-    if (fd < 0)
-    {
-        ErrorMessage("Failed to open file: %s with error: %s", fname, get_error(errno));
-        return "";
-    }
-
-    if (fstat(fd, &buf) < 0)
-    {
-        ParseError("can't stat %s: %s", fname, get_error(errno));
-        close(fd);
-        return "";
-    }
-
-    //check that its a regular file and not a directory or special file
-    if (!S_ISREG(buf.st_mode) )
-    {
-        ParseError("not a regular file: %s", fname);
-        close(fd);
-        return "";
-    }
-
-    std::string line;
-    std::ifstream bpf_file(fname);
-
-    if (bpf_file.is_open())
-    {
-        std::stringstream file_content;
-        file_content << bpf_file.rdbuf();
-        line = file_content.str();
-
-        bpf_file.close();
-    }
-    else
-    {
-        ParseError("can't open file %s = %s: %s", key, fname, get_error(errno));
-        close(fd);
-        return "";
-    }
-    close(fd);
-    return line;
-}
-
-typedef char PathBuf[PATH_MAX+1];
-
-static const char* CurrentWorkingDir(PathBuf& buf)
-{
-    if ( !getcwd(buf, sizeof(buf)-1) )
-        return nullptr;
-
-    buf[sizeof(buf)-1] = '\0';
-    return buf;
-}
-
-static char* GetAbsolutePath(const char* dir, PathBuf& buf)
-{
-    assert(dir);
-    errno = 0;
-
-    if ( !realpath(dir, buf) )
-    {
-        LogMessage("Couldn't determine absolute path for '%s': %s\n", dir, get_error(errno));
-        return nullptr;
-    }
-
-    return buf;
-}
-
-// Chroot and adjust the log_dir reference
-bool EnterChroot(std::string& root_dir, std::string& log_dir)
-{
-    if (log_dir.empty())
-    {
-        ParseError("Log directory not specified");
-        return false;
-    }
-    PathBuf pwd;
-    PathBuf abs_log_dir;
-
-    if ( !GetAbsolutePath(log_dir.c_str(), abs_log_dir) )
-        return false;
-
-    /* change to the desired root directory */
-    if (chdir(root_dir.c_str()) != 0)
-    {
-        ParseError("EnterChroot: Can not chdir to \"%s\": %s", root_dir.c_str(),
-            get_error(errno));
-        return false;
-    }
-
-    /* always returns an absolute pathname */
-    const char* abs_root_dir = CurrentWorkingDir(pwd);
-    if (!abs_root_dir)
-    {
-        ParseError("Couldn't retrieve current working directory");
-        return false;
-    }
-    size_t abs_root_dir_len = strlen(abs_root_dir);
-
-    if (strncmp(abs_root_dir, abs_log_dir, abs_root_dir_len))
-    {
-        ParseError("Specified log directory is not contained with the chroot jail");
-        return false;
-    }
-
-    if (chroot(abs_root_dir) < 0)
-    {
-        ParseError("Can not chroot to \"%s\": absolute: %s: %s",
-            root_dir.c_str(), abs_root_dir, get_error(errno));
-        return false;
-    }
-
-
-    /* Immediately change to the root directory of the jail. */
-    if (chdir("/") < 0)
-    {
-        ParseError("Can not chdir to \"/\" after chroot: %s",
-            get_error(errno));
-        return false;
-    }
-
-
-    if (abs_root_dir_len >= strlen(abs_log_dir))
-        log_dir = "/";
-    else
-        log_dir = abs_log_dir + abs_root_dir_len;
-
-
-    LogMessage("Chroot directory = %s\n", root_dir.c_str());
-
-    return true;
-}
-
 unsigned int get_random_seed()
 {
     unsigned int seed;
@@ -527,8 +95,6 @@ void SetNoCores()
 
 namespace snort
 {
-char** protocol_names = nullptr;
-
 const char* get_error(int errnum)
 {
     static THREAD_LOCAL char buf[128];
@@ -882,11 +448,6 @@ bool rotate_file_for_max_size(const char* file_owner, const char* old_file,
 }
 
 #ifdef UNIT_TEST
-TEST_CASE("gmt2local_time_out_of_range", "[util]")
-{
-    REQUIRE((gmt2local(0xffffffff1fff2f)==0));
-}
-
 TEST_CASE("uint8_to_printable_str go over all options", "[util]")
 {
     std::string print_str;
@@ -910,5 +471,5 @@ TEST_CASE("uint8_to_printable_str end with |", "[util]")
     uint8_to_printable_str(pattern, 2, print_str);
     CHECK((strcmp(print_str.c_str(),"a|00 |") == 0));
 }
-
 #endif
+
index 4926790be0636a906183b8b491526d2426270ef6..c6916d6c01a0c7e10086ac2c3be47321e6984df5 100644 (file)
 #define SECONDS_PER_HOUR  3600  /* number of seconds in a hour */
 #define SECONDS_PER_MIN     60     /* number of seconds in a minute */
 
-void StoreSnortInfoStrings();
-int DisplayBanner();
-int gmt2local(time_t);
-std::string read_infile(const char* key, const char* fname);
-void CleanupProtoNames();
-void CreatePidFile(pid_t);
-void ClosePidFile();
-bool SetUidGid(int, int);
-void InitGroups(int, int);
-bool EnterChroot(std::string& root_dir, std::string& log_dir);
-void InitProtoNames();
 unsigned int get_random_seed();
 bool get_file_size(const std::string&, size_t&);
 
-#if defined(NOCOREFILE)
-void SetNoCores();
-#endif
-
 namespace
 {
 inline void COPY4(uint32_t* dst, const uint32_t* src)
@@ -123,9 +108,6 @@ inline pid_t gettid()
 
 namespace snort
 {
-// FIXIT-M provide getter function to for standardized access into the protocol_names array
-SO_PUBLIC extern char** protocol_names;
-
 SO_PUBLIC const char* get_error(int errnum);
 SO_PUBLIC char* snort_strdup(const char*);
 SO_PUBLIC char* snort_strndup(const char*, size_t);
index e2a87d6aedd6940baa4359aa6e27cc6be9aa4e93..fc1dd46508c46632d38c30f7c7732d08e7155ded 100644 (file)
@@ -22,6 +22,7 @@
 #define UTIL_CSTRING_H
 
 // Utility functions and macros for interacting with and parsing C strings
+// these functions are deprecated; use C++ strings instead
 
 #include <cctype>
 #include <cerrno>
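Review bot: Moving the deprecation sentence up into the header's description broadens it to every function in the file, including `safe_snprintf`, whereas in its old position (the hunk at -42,7) it applied only to the `SnortSnprintf*` family declared after it. If `safe_snprintf` is meant to remain the supported replacement, the new wording is misleading; `// all of these except safe_snprintf are deprecated; use C++ strings instead` would keep the original meaning. If the intent really is to deprecate the whole header, the comment is fine as written.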
@@ -42,7 +43,6 @@ namespace snort
 
 SO_PUBLIC int safe_snprintf(char*, size_t, const char*, ... )
     __attribute__((format (printf, 3, 4)));
-// these functions are deprecated; use C++ strings instead
 SO_PUBLIC int SnortSnprintf(char*, size_t, const char*, ...)
     __attribute__((format (printf, 3, 4)));
 SO_PUBLIC int SnortSnprintfAppend(char*, size_t, const char*, ...)
index e33623619563c24bd32d74b330bda6a9d23e7f4f..5ddc16637bbfdd1ceb0c564e7918caa97a672f6e 100644 (file)
 
 #include "util_jsnorm.h"
 
+#include <ctype.h>
+
 #include <cstdlib>
 #include <cstring>
 #include <vector>
 
-#include "main/thread.h"
-
-namespace snort
-{
 #define INVALID_HEX_VAL (-1)
 #define MAX_BUF 8
 #define NON_ASCII_CHAR 0xff
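Review bot: The new `#include <ctype.h>` uses the C header spelling while the adjacent includes (`<cstdlib>`, `<cstring>`, `<vector>`) use the C++ ones; `#include <cctype>` would match this file's convention and the spelling already used in util_cstring.h (visible in the hunk at -22,6 above). This is a point of style only; the include block is complete within the hunk.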
@@ -51,6 +49,8 @@ namespace snort
 
 #define ANY '\0'
 
+namespace
+{
 enum ActionPNorm
 {
     PNORM_ACT_DQUOTES,
@@ -102,6 +102,70 @@ enum ActionJSNorm
     ACT_UNESCAPE
 };
 
+struct JSNorm
+{
+    uint8_t state;  // cppcheck-suppress unusedStructMember
+    uint8_t event;
+    uint8_t match;
+    uint8_t other;
+    uint8_t action;
+};
+
+struct Dbuf
+{
+    char* data;
+    uint16_t size;
+    uint16_t len;
+};
+
+struct PNormState
+{
+    uint8_t fsm;
+    uint8_t fsm_other;
+    uint8_t prev_event;
+    uint8_t d_quotes;
+    uint8_t s_quotes;
+    uint16_t num_spaces;
+    char* overwrite;
+    Dbuf output;
+};
+
+struct SFCCState
+{
+    uint8_t fsm;
+    uint8_t buf[MAX_BUF];
+    uint8_t buflen;
+    uint16_t cur_flags;
+    uint16_t alert_flags;
+    Dbuf output;
+};
+
+struct JSNormState
+{
+    uint8_t fsm;
+    uint8_t prev_event;
+    uint16_t num_spaces;
+    uint8_t* unicode_map;
+    char* overwrite;
+    Dbuf dest;
+};
+
+struct UnescapeState
+{
+    uint8_t fsm;
+    uint8_t multiple_levels;
+    uint8_t prev_event;
+    uint16_t alert_flags;
+    uint16_t num_spaces;
+    int iNorm;
+    int paren_count;
+    uint8_t* unicode_map;
+    char* overwrite;
+    ActionUnsc prev_action;
+    Dbuf output;
+};
+}  // anonymous
+
 static const int hex_lookup[256] =
 {
     INVALID_HEX_VAL, INVALID_HEX_VAL, INVALID_HEX_VAL, INVALID_HEX_VAL, INVALID_HEX_VAL, INVALID_HEX_VAL, INVALID_HEX_VAL, INVALID_HEX_VAL,
@@ -170,69 +234,6 @@ static const int valid_chars[256] =
     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
 };
 
-struct JSNorm
-{
-    uint8_t state;  // cppcheck-suppress unusedStructMember
-    uint8_t event;
-    uint8_t match;
-    uint8_t other;
-    uint8_t action;
-};
-
-struct Dbuf
-{
-    char* data;
-    uint16_t size;
-    uint16_t len;
-};
-
-struct PNormState
-{
-    uint8_t fsm;
-    uint8_t fsm_other;
-    uint8_t prev_event;
-    uint8_t d_quotes;
-    uint8_t s_quotes;
-    uint16_t num_spaces;
-    char* overwrite;
-    Dbuf output;
-};
-
-struct SFCCState
-{
-    uint8_t fsm;
-    uint8_t buf[MAX_BUF];
-    uint8_t buflen;
-    uint16_t cur_flags;
-    uint16_t alert_flags;
-    Dbuf output;
-};
-
-struct JSNormState
-{
-    uint8_t fsm;
-    uint8_t prev_event;
-    uint16_t num_spaces;
-    uint8_t* unicode_map;
-    char* overwrite;
-    Dbuf dest;
-};
-
-struct UnescapeState
-{
-    uint8_t fsm;
-    uint8_t multiple_levels;
-    uint8_t prev_event;
-    uint16_t alert_flags;
-    uint16_t num_spaces;
-    int iNorm;
-    int paren_count;
-    uint8_t* unicode_map;
-    char* overwrite;
-    ActionUnsc prev_action;
-    Dbuf output;
-};
-
 // STATES for SFCC
 #define S0  0
 #define S1 (S0+3)
@@ -441,6 +442,8 @@ static const JSNorm javascript_norm[] =
     { Z6+ 0, ANY, Z0+ 0, Z0+ 0, ACT_NOP }
 };
 
+using snort::JSState;
+
 static void UnescapeDecode(const char* src, uint16_t srclen, const char** ptr, char** dst, size_t dst_len,
     uint16_t* bytes_copied, JSState* js, uint8_t* iis_unicode_map);
 
@@ -1228,6 +1231,8 @@ static int JSNorm_scan_fsm(JSNormState* s, int c, const char* src, uint16_t srcl
     return(JSNorm_exec(s, (ActionJSNorm)m->action, c, src, srclen, ptr, js));
 }
 
+namespace snort
+{
 int JSNormalizeDecode(const char* src, uint16_t srclen, char* dst, uint16_t destlen, const char** ptr,
     int* bytes_copied, JSState* js, uint8_t* iis_unicode_map)
 {
@@ -1273,4 +1278,3 @@ int JSNormalizeDecode(const char* src, uint16_t srclen, char* dst, uint16_t dest
 }
 }
 
-