// must be called AFTER setting next_prot_id
if (snort.ip_api.is_ip6())
{
- if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) )
+ if ( codec.conf->hit_ip6_maxopts(codec.ip6_extension_count) )
{
codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR);
return false;
return false;
}
- if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) )
+ if ( codec.conf->hit_ip6_maxopts(codec.ip6_extension_count) )
codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR);
if (dsthdr->ip6dest_nxt == IpProtocol::ROUTING)
uint8_t pad_length;
uint8_t ip_proto;
- if (!SnortConfig::esp_decoding())
+ if (!codec.conf->esp_decoding())
return false;
/* The ESP header contains a crypto Initialization Vector (IV) and
// must be called AFTER setting next_prot_id
if (snort.ip_api.is_ip6())
{
- if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) )
+ if ( codec.conf->hit_ip6_maxopts(codec.ip6_extension_count) )
{
codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR);
return false;
return false;
}
- if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) )
+ if ( codec.conf->hit_ip6_maxopts(codec.ip6_extension_count) )
{
codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR);
return false;
return false;
}
- if (SnortConfig::tunnel_bypass_enabled(TUNNEL_GRE))
+ if (codec.conf->tunnel_bypass_enabled(TUNNEL_GRE))
codec.tunnel_bypass = true;
codec.lyr_len = len;
return false;
}
- if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) )
+ if ( codec.conf->hit_ip6_maxopts(codec.ip6_extension_count) )
{
codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR);
return false;
const ICMPHdr* const icmph = reinterpret_cast<const ICMPHdr*>(raw.data);
uint16_t len = 0;
- if (SnortConfig::icmp_checksums() && !valid_checksum_from_daq(raw))
+ if (snort::get_network_policy()->icmp_checksums() && !valid_checksum_from_daq(raw))
{
uint16_t csum = checksum::cksum_add((const uint16_t*)icmph, raw.len);
const icmp::Icmp6Hdr* const icmp6h = reinterpret_cast<const icmp::Icmp6Hdr*>(raw.data);
- if ( SnortConfig::icmp_checksums() && !valid_checksum_from_daq(raw))
+ if ( snort::get_network_policy()->icmp_checksums() && !valid_checksum_from_daq(raw))
{
checksum::Pseudoheader6 ph6;
COPY4(ph6.hdr.sip, snort.ip_api.get_src()->get_ip6_ptr());
return false;
}
- if ( SnortConfig::get_conf()->hit_ip_maxlayers(codec.ip_layer_cnt) )
+ if ( codec.conf->hit_ip_maxlayers(codec.ip_layer_cnt) )
{
codec_event(codec, DECODE_IP_MULTIPLE_ENCAPSULATION);
return false;
/* If the previous layer was not IP-in-IP, this is not a 4-in-6 tunnel */
if ( codec.codec_flags & CODEC_NON_IP_TUNNEL )
codec.codec_flags &= ~CODEC_NON_IP_TUNNEL;
- else if ( SnortConfig::tunnel_bypass_enabled(TUNNEL_4IN6) )
+ else if ( codec.conf->tunnel_bypass_enabled(TUNNEL_4IN6) )
codec.tunnel_bypass = true;
}
else if (snort.ip_api.is_ip4())
/* If the previous layer was not IP-in-IP, this is not a 4-in-4 tunnel */
if ( codec.codec_flags & CODEC_NON_IP_TUNNEL )
codec.codec_flags &= ~CODEC_NON_IP_TUNNEL;
- else if (SnortConfig::tunnel_bypass_enabled(TUNNEL_4IN4))
+ else if (codec.conf->tunnel_bypass_enabled(TUNNEL_4IN4))
codec.tunnel_bypass = true;
}
*/
IP4AddrTests(iph, codec, snort);
- if (SnortConfig::ip_checksums() && !valid_checksum_from_daq(raw))
+ if (snort::get_network_policy()->ip_checksums() && !valid_checksum_from_daq(raw))
{
// routers drop packets with bad IP checksums, we don't really need to check them...
int16_t csum = checksum::ip_cksum((const uint16_t*)iph, hlen);
if ( msb_src == ip::IP4_MULTICAST )
codec_event(codec, DECODE_IP4_SRC_MULTICAST);
- if ( SnortConfig::is_address_anomaly_check_enabled() )
+ if ( codec.conf->is_address_anomaly_check_enabled() )
{
if ( msb_src == ip::IP4_RESERVED || sfvar_ip_in(MulticastReservedIp, snort.ip_api.get_src()) )
codec_event(codec, DECODE_IP4_SRC_RESERVED);
********************* L O G G E R ******************************
*******************************************************************/
-void Ipv4Codec::log(TextLog* const text_log, const uint8_t* raw_pkt,
- const uint16_t lyr_len)
+void Ipv4Codec::log(TextLog* const text_log, const uint8_t* raw_pkt, const uint16_t lyr_len)
{
const ip::IP4Hdr* const ip4h = reinterpret_cast<const ip::IP4Hdr*>(raw_pkt);
// FIXIT-RC this does NOT obfuscate correctly
- if (SnortConfig::obfuscate())
+ if (SnortConfig::get_conf()->obfuscate())
{
TextLog_Print(text_log, "xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx");
}
return false;
}
- if ( SnortConfig::get_conf()->hit_ip_maxlayers(codec.ip_layer_cnt) )
+ if ( codec.conf->hit_ip_maxlayers(codec.ip_layer_cnt) )
{
codec_event(codec, DECODE_IP_MULTIPLE_ENCAPSULATION);
return false;
/* If the previous layer was not IP-in-IP, this is not a 6-in-4 tunnel */
if ( codec.codec_flags & CODEC_NON_IP_TUNNEL )
codec.codec_flags &= ~CODEC_NON_IP_TUNNEL;
- else if ( SnortConfig::tunnel_bypass_enabled(TUNNEL_6IN4) )
+ else if ( codec.conf->tunnel_bypass_enabled(TUNNEL_6IN4) )
codec.tunnel_bypass = true;
}
else if (snort.ip_api.is_ip6())
/* If the previous layer was not IP-in-IP, this is not a 6-in-6 tunnel */
if ( codec.codec_flags & CODEC_NON_IP_TUNNEL )
codec.codec_flags &= ~CODEC_NON_IP_TUNNEL;
- else if (SnortConfig::tunnel_bypass_enabled(TUNNEL_6IN6))
+ else if (codec.conf->tunnel_bypass_enabled(TUNNEL_6IN6))
codec.tunnel_bypass = true;
}
const ip::IP6Hdr* const ip6h = reinterpret_cast<const ip::IP6Hdr*>(raw_pkt);
// FIXIT-RC this does NOT obfuscate correctly
- if (SnortConfig::obfuscate())
+ if (SnortConfig::get_conf()->obfuscate())
{
TextLog_Print(text_log, "x:x:x:x::x:x:x:x -> x:x:x:x::x:x:x:x");
}
bool MobilityCodec::decode(const RawData& raw, CodecData& codec, DecodeData&)
{
const MobileIPV6Header* const mip6 = reinterpret_cast<const MobileIPV6Header*>(raw.data);
- if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) )
+ if ( codec.conf->hit_ip6_maxopts(codec.ip6_extension_count) )
{
codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR);
return false;
if (raw.len < ip::MIN_EXT_LEN)
return false;
- if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) )
+ if ( codec.conf->hit_ip6_maxopts(codec.ip6_extension_count) )
{
codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR);
return false;
return false;
}
- if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) )
+ if ( codec.conf->hit_ip6_maxopts(codec.ip6_extension_count) )
{
codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR);
return false;
return false;
}
- if (SnortConfig::tcp_checksums() && !valid_checksum_from_daq(raw))
+ if (snort::get_network_policy()->tcp_checksums() && !valid_checksum_from_daq(raw))
{
PegCount* bad_cksum_cnt;
bool valid;
}
}
- if ( SnortConfig::is_address_anomaly_check_enabled() )
+ if ( codec.conf->is_address_anomaly_check_enabled() )
{
if ( sfvar_ip_in(SynToMulticastDstIp, snort.ip_api.get_dst()) )
codec_event(codec, DECODE_SYN_TO_MULTICAST);
return false;
}
- if (SnortConfig::udp_checksums() && !valid_checksum_from_daq(raw))
+ if (snort::get_network_policy()->udp_checksums() && !valid_checksum_from_daq(raw))
{
PegCount* bad_cksum_cnt;
bool valid;
codec.proto_bits |= PROTO_BIT__MPLS;
if (!iRet)
{
- iRet = SnortConfig::get_mpls_payload_type();
+ iRet = codec.conf->get_mpls_payload_type();
}
}
tmpMplsHdr++;
stack_len -= MPLS_HEADER_LEN;
- if ((SnortConfig::get_mpls_stack_depth() != -1) &&
- (chainLen++ >= SnortConfig::get_mpls_stack_depth()))
+ if ((codec.conf->get_mpls_stack_depth() != -1) &&
+ (chainLen++ >= codec.conf->get_mpls_stack_depth()))
{
codec_event(codec, DECODE_MPLS_LABEL_STACK);
}
} /* while bos not 1, peel off more labels */
- if (SnortConfig::tunnel_bypass_enabled(TUNNEL_MPLS))
+ if (codec.conf->tunnel_bypass_enabled(TUNNEL_MPLS))
codec.tunnel_bypass = true;
codec.lyr_len = (const uint8_t*)tmpMplsHdr - raw.data;
/* when label == 2, IPv6 is expected;
* when label == 0, IPv4 is expected */
- if ( (label && ( SnortConfig::get_mpls_payload_type() != MPLS_PAYLOADTYPE_IPV6) )
- || ( (!label) && (SnortConfig::get_mpls_payload_type() != MPLS_PAYLOADTYPE_IPV4)))
+ if ( (label && ( codec.conf->get_mpls_payload_type() != MPLS_PAYLOADTYPE_IPV6) )
+ || ( (!label) && (codec.conf->get_mpls_payload_type() != MPLS_PAYLOADTYPE_IPV4)))
{
if ( !label )
codec_event(codec, DECODE_BAD_MPLS_LABEL0);
}
if ( !iRet )
{
- iRet = SnortConfig::get_mpls_payload_type();
+ iRet = codec.conf->get_mpls_payload_type();
}
return iRet;
}
return false;
}
- if ( SnortConfig::tunnel_bypass_enabled(TUNNEL_GTP) )
+ if ( codec.conf->tunnel_bypass_enabled(TUNNEL_GTP) )
codec.tunnel_bypass = true;
codec.lyr_len = len;
// the two are not necessarily the same.
// FIXIT-RC this does NOT obfuscate correctly
- if (SnortConfig::obfuscate())
+ if (SnortConfig::get_conf()->obfuscate())
{
TextLog_Print(text_log, "xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx");
}
codec.proto_bits |= PROTO_BIT__TEREDO;
codec.codec_flags |= CODEC_TEREDO_SEEN; // for ipv6 codec
- if ( SnortConfig::tunnel_bypass_enabled(TUNNEL_TEREDO) )
+ if ( codec.conf->tunnel_bypass_enabled(TUNNEL_TEREDO) )
codec.tunnel_bypass = true;
if ( (!teredo::is_teredo_port(snort.sp)) && (!teredo::is_teredo_port(snort.dp)) )
if ( hdr->flags != 0x08 )
return false;
- if ( SnortConfig::tunnel_bypass_enabled(TUNNEL_VXLAN) )
+ if ( codec.conf->tunnel_bypass_enabled(TUNNEL_VXLAN) )
codec.tunnel_bypass = true;
codec.lyr_len = VXLAN_MIN_HDR_LEN;
ho->ether_type = enc.ethertype_set() ?
htons(to_utype(enc.next_ethertype)) : hi->ether_type;
+ const SnortConfig* sc = SnortConfig::get_conf();
+
if ( enc.forward() )
{
memcpy(ho->ether_src, hi->ether_src, sizeof(ho->ether_src));
- if ( SnortConfig::get_conf()->eth_dst )
- memcpy(ho->ether_dst, SnortConfig::get_conf()->eth_dst, sizeof(ho->ether_dst));
+ if ( sc->eth_dst )
+ memcpy(ho->ether_dst, sc->eth_dst, sizeof(ho->ether_dst));
else
memcpy(ho->ether_dst, hi->ether_dst, sizeof(ho->ether_dst));
}
{
memcpy(ho->ether_src, hi->ether_dst, sizeof(ho->ether_src));
- if ( SnortConfig::get_conf()->eth_dst )
- memcpy(ho->ether_dst, SnortConfig::get_conf()->eth_dst, sizeof(ho->ether_dst));
+ if ( sc->eth_dst )
+ memcpy(ho->ether_dst, sc->eth_dst, sizeof(ho->ether_dst));
else
memcpy(ho->ether_dst, hi->ether_src, sizeof(ho->ether_dst));
}
void CallLogFuncs(Packet* p, ListHead* head, Event* event, const char* msg)
{
- event->event_id = event_id | SnortConfig::get_event_log_id();
+ event->event_id = event_id | p->context->conf->get_event_log_id();
DetectionEngine::set_check_tags(false);
pc.log_pkts++;
event.sig_info = const_cast<SigInfo*>(&otn->sigInfo);
event.ref_time.tv_sec = p->pkth->ts.tv_sec;
event.ref_time.tv_usec = p->pkth->ts.tv_usec;
- event.event_id = event_id | SnortConfig::get_event_log_id();
+ event.event_id = event_id | p->context->conf->get_event_log_id();
event.event_reference = event.event_id;
DetectionEngine::set_check_tags(false);
event.sig_info = const_cast<SigInfo*>(&otn->sigInfo);
event.ref_time.tv_sec = p->pkth->ts.tv_sec;
event.ref_time.tv_usec = p->pkth->ts.tv_usec;
- event.event_id = event_id | SnortConfig::get_event_log_id();
+ event.event_id = event_id | p->context->conf->get_event_log_id();
event.event_reference = event.event_id;
pc.total_alert_pkts++;
void DetectionEngine::thread_init()
{
- SnortConfig* sc = SnortConfig::get_conf();
+ const SnortConfig* sc = SnortConfig::get_conf();
FastPatternConfig* fp = sc->fast_pattern_config;
const MpseApi* offload_search_api = fp->get_offload_search_api();
IpsContext* c = Analyzer::get_switcher()->get_next();
if ( parent )
{
- c->snapshot_flow(parent->flow);
+ if ( parent->flow )
+ c->snapshot_flow(parent->flow);
c->packet_number = parent->context->packet_number;
c->wire_packet = parent->context->wire_packet;
}
assert(p == p->context->packet);
assert(p->context == sw->get_context());
- p->context->conf = SnortConfig::get_conf();
-
debug_logf(detection_trace, TRACE_DETECTION_ENGINE,
"%" PRIu64 " de::offload %" PRIu64 " (r=%d)\n",
p->context->packet_number, p->context->context_num, offloader->count());
ContextSwitcher* sw = Analyzer::get_switcher();
fp_partial(p);
- if ( p->dsize >= SnortConfig::get_conf()->offload_limit and
+ if ( p->dsize >= p->context->conf->offload_limit and
p->context->searches.items.size() > 0 )
{
if ( offloader->available() )
if ( p->ptrs.decode_flags & DECODE_ERR_FLAGS )
{
- if ( SnortConfig::inline_mode() and
- SnortConfig::checksum_drop(p->ptrs.decode_flags & DECODE_ERR_CKSUM_ALL) )
+ if ( p->context->conf->inline_mode() and
+ // FIXIT-H check specific proto checksum drop flags
+ snort::get_network_policy()->checksum_drops(p->ptrs.decode_flags & DECODE_ERR_CKSUM_ALL) )
{
p->active->drop_packet(p);
}
if ( !p )
return;
- if ( n > SnortConfig::get_conf()->event_trace_max )
- n = SnortConfig::get_conf()->event_trace_max;
+ const SnortConfig* sc = SnortConfig::get_conf();
+
+ if ( n > sc->event_trace_max )
+ n = sc->event_trace_max;
for ( idx = 0; idx < n; idx++)
{
void EventTrace_Init()
{
- if ( SnortConfig::get_conf()->event_trace_max > 0 )
+ const SnortConfig* sc = SnortConfig::get_conf();
+
+ if ( sc->event_trace_max > 0 )
{
time_t now = time(nullptr);
char time_buf[26];
tlog = TextLog_Init ("event_trace.txt", 4*1024, 8*1024*1024);
TextLog_Print(tlog, "\nTrace started at %s", time_buf);
- TextLog_Print(tlog, "Trace max_data is %u bytes\n", SnortConfig::get_conf()->event_trace_max);
+ TextLog_Print(tlog, "Trace max_data is %u bytes\n", sc->event_trace_max);
}
}
void EventTrace_Log(const snort::Packet*, const OptTreeNode*, int action);
-inline int EventTrace_IsEnabled()
+inline int EventTrace_IsEnabled(const snort::SnortConfig* sc)
{
- return ( snort::SnortConfig::get_conf()->event_trace_max > 0 );
+ return ( sc->event_trace_max > 0 );
}
#endif
void set_debug_mode()
{ debug = true; }
- bool get_debug_mode()
+ bool get_debug_mode() const
{ return debug; }
void set_stream_insert(bool enable)
{ inspect_stream_insert = enable; }
- bool get_stream_insert()
+ bool get_stream_insert() const
{ return inspect_stream_insert; }
void set_max_queue_events(unsigned num_events)
{ max_queue_events = num_events; }
- unsigned get_max_queue_events()
+ unsigned get_max_queue_events() const
{ return max_queue_events; }
void set_bleed_over_port_limit(unsigned n)
{ bleedover_port_limit = n; }
- int get_bleed_over_port_limit()
+ int get_bleed_over_port_limit() const
{ return bleedover_port_limit; }
- int get_single_rule_group()
+ int get_single_rule_group() const
{ return portlists_flags & PL_SINGLE_RULE_GROUP; }
- int get_bleed_over_warnings()
+ int get_bleed_over_warnings() const
{ return portlists_flags & PL_BLEEDOVER_WARNINGS_ENABLED; }
- int get_debug_print_nc_rules()
+ int get_debug_print_nc_rules() const
{ return portlists_flags & PL_DEBUG_PRINT_NC_DETECT_RULES; }
- int get_debug_print_rule_group_build_details()
+ int get_debug_print_rule_group_build_details() const
{ return portlists_flags & PL_DEBUG_PRINT_RULEGROUP_BUILD; }
- int get_debug_print_rule_groups_compiled()
+ int get_debug_print_rule_groups_compiled() const
{ return portlists_flags & PL_DEBUG_PRINT_RULEGROUPS_COMPILED; }
- int get_debug_print_rule_groups_uncompiled()
+ int get_debug_print_rule_groups_uncompiled() const
{ return portlists_flags & PL_DEBUG_PRINT_RULEGROUPS_UNCOMPILED; }
void set_debug_print_fast_patterns(bool b)
{ debug_print_fast_pattern = b; }
- bool get_debug_print_fast_patterns()
+ bool get_debug_print_fast_patterns() const
{ return debug_print_fast_pattern; }
void set_split_any_any(bool enable)
{ split_any_any = enable; }
- bool get_split_any_any()
+ bool get_split_any_any() const
{ return split_any_any; }
void set_single_rule_group()
void set_search_opt(bool flag)
{ search_opt = flag; }
- bool get_search_opt()
+ bool get_search_opt() const
{ return search_opt; }
bool set_search_method(const char*);
void set_queue_limit(unsigned);
- unsigned get_queue_limit()
+ unsigned get_queue_limit() const
{ return queue_limit; }
- const snort::MpseApi* get_search_api()
+ const snort::MpseApi* get_search_api() const
{ return search_api; }
- const snort::MpseApi* get_offload_search_api()
+ const snort::MpseApi* get_offload_search_api() const
{ return offload_search_api; }
- bool get_trim()
+ bool get_trim() const
{ return trim; }
void trimmed()
{ num_patterns_trimmed++; }
- int get_num_patterns_trimmed()
+ int get_num_patterns_trimmed() const
{ return num_patterns_trimmed; }
- int get_num_patterns_truncated()
+ int get_num_patterns_truncated() const
{ return num_patterns_truncated; }
unsigned set_max(unsigned bytes);
}
static int fpFinishPortGroupRule(
- SnortConfig* sc, Mpse* mpse, OptTreeNode* otn, PatternMatchData* pmd,
+ Mpse* mpse, OptTreeNode* otn, PatternMatchData* pmd,
FastPatternConfig* fp, Mpse::MpseType mpse_type, bool get_final_pat)
{
const char* pattern;
Mpse::PatternDescriptor desc(
pmd->is_no_case(), pmd->is_negated(), pmd->is_literal(), pmd->mpse_flags);
- mpse->add_pattern(sc, (const uint8_t*)pattern, pattern_length, desc, pmx);
+ mpse->add_pattern((const uint8_t*)pattern, pattern_length, desc, pmx);
return 0;
}
return 0;
}
-static void fpAddAlternatePatterns(SnortConfig* sc, Mpse* mpse,
- OptTreeNode* otn, PatternMatchData* pmd, FastPatternConfig* fp, Mpse::MpseType mpse_type)
+static void fpAddAlternatePatterns(
+ Mpse* mpse, OptTreeNode* otn, PatternMatchData* pmd, FastPatternConfig* fp,
+ Mpse::MpseType mpse_type)
{
- fpFinishPortGroupRule(sc, mpse, otn, pmd, fp, mpse_type, false);
+ fpFinishPortGroupRule(mpse, otn, pmd, fp, mpse_type, false);
}
static int fpAddPortGroupRule(
add_nfp_rule = true;
// Now add patterns
- if (fpFinishPortGroupRule(sc, pg->mpsegrp[main_pmd->pm_type]->normal_mpse,
+ if (fpFinishPortGroupRule(pg->mpsegrp[main_pmd->pm_type]->normal_mpse,
otn, main_pmd, fp, Mpse::MPSE_TYPE_NORMAL, true) == 0)
{
if (main_pmd->pattern_size > otn->longestPatternLen)
// Add Alternative patterns
for (auto p : pmv)
- fpAddAlternatePatterns(sc, pg->mpsegrp[main_pmd->pm_type]->normal_mpse,
+ fpAddAlternatePatterns(pg->mpsegrp[main_pmd->pm_type]->normal_mpse,
otn, p, fp, Mpse::MPSE_TYPE_NORMAL);
}
}
add_nfp_rule = true;
// Now add patterns
- if (fpFinishPortGroupRule(sc, pg->mpsegrp[main_pmd->pm_type]->offload_mpse,
+ if (fpFinishPortGroupRule(pg->mpsegrp[main_pmd->pm_type]->offload_mpse,
otn, ol_pmd, fp, Mpse::MPSE_TYPE_OFFLOAD, true) == 0)
{
if (ol_pmd->pattern_size > otn->longestPatternLen)
// Add Alternative patterns
for (auto p : pmv_ol)
- fpAddAlternatePatterns(sc, pg->mpsegrp[main_pmd->pm_type]->offload_mpse,
+ fpAddAlternatePatterns(pg->mpsegrp[main_pmd->pm_type]->offload_mpse,
otn, p, fp, Mpse::MPSE_TYPE_OFFLOAD);
}
}
static void fp_immediate(Packet*);
static void fp_immediate(MpseGroup*, Packet*, const uint8_t*, unsigned);
-static inline void init_match_info(OtnxMatchData* omd)
+static inline void init_match_info(const IpsContext* c)
{
- for ( unsigned i = 0; i < SnortConfig::get_conf()->num_rule_types; i++ )
- omd->matchInfo[i].iMatchCount = 0;
+ for ( unsigned i = 0; i < c->conf->num_rule_types; i++ )
+ c->otnx->matchInfo[i].iMatchCount = 0;
- omd->have_match = false;
+ c->otnx->have_match = false;
}
// called by fpLogEvent(), which does the filtering etc.
static inline void fpLogOther(
Packet* p, const RuleTreeNode* rtn, const OptTreeNode* otn, int action)
{
- if ( EventTrace_IsEnabled() )
+ if ( EventTrace_IsEnabled(p->context->conf) )
EventTrace_Log(p, otn, action);
if ( PacketTracer::is_active() )
}
if ((p->packet_flags & PKT_STREAM_UNEST_UNI) &&
- SnortConfig::assure_established() &&
+ p->context->conf->assure_established() &&
(!(p->packet_flags & PKT_REBUILT_STREAM)) &&
!otn->stateless() )
{
* check the decoder/preprocessor events (they have been added to Event queue already).
* If its order is lower than 'pass', it should have been passed.
* This is consistent with other detection rules */
- if ( (p->packet_flags & PKT_PASS_RULE)
- && (SnortConfig::get_eval_index(rtn->action) > SnortConfig::get_eval_index(Actions::PASS)) )
+ const SnortConfig* sc = p->context->conf;
+
+ if ( (p->packet_flags & PKT_PASS_RULE) &&
+ (sc->get_eval_index(rtn->action) > sc->get_eval_index(Actions::PASS)) )
{
fpLogOther(p, rtn, otn, rtn->action);
return 1;
RuleTreeNode* rtn = getRuntimeRtnFromOtn(otn);
unsigned evalIndex = rtn->listhead->ruleListNode->evalIndex;
+ const SnortConfig* sc = SnortConfig::get_conf();
+
/* bounds check index */
- if ( evalIndex >= SnortConfig::get_conf()->num_rule_types )
+ if ( evalIndex >= sc->num_rule_types )
{
pc.match_limit++;
return 1;
** If we hit the max number of unique events for any rule type alert,
** log or pass, then we don't add it to the list.
*/
- if ( pmi->iMatchCount >= SnortConfig::get_conf()->fast_pattern_config->get_max_queue_events() ||
+ if ( pmi->iMatchCount >= sc->fast_pattern_config->get_max_queue_events() ||
pmi->iMatchCount >= MAX_EVENT_MATCH)
{
pc.match_limit++;
return 0;
unsigned tcnt = 0;
- EventQueueConfig* eq = SnortConfig::get_conf()->event_queue_config;
+ EventQueueConfig* eq = p->context->conf->event_queue_config;
int (*compar)(const void *, const void *);
compar = ( eq->order == SNORT_EVENTQ_PRIORITY )
? &sortOrderByPriority : sortOrderByContentLength;
- for ( unsigned i = 0; i < SnortConfig::get_conf()->num_rule_types; i++ )
+ for ( unsigned i = 0; i < p->context->conf->num_rule_types; i++ )
{
/* bail if were not dumping events in all the action groups,
* and we've already got some events */
- if (!SnortConfig::process_all_events() && (tcnt > 0))
+ if (!p->context->conf->process_all_events() && (tcnt > 0))
return 1;
if ( omd->matchInfo[i].iMatchCount )
void fp_set_context(IpsContext& c)
{
- FastPatternConfig* fp = SnortConfig::get_conf()->fast_pattern_config;
+ FastPatternConfig* fp = c.conf->fast_pattern_config;
c.stash = new MpseStash(fp->get_queue_limit());
c.otnx = (OtnxMatchData*)snort_calloc(sizeof(OtnxMatchData));
c.otnx->matchInfo = (MatchInfo*)snort_calloc(MAX_NUM_RULE_TYPES, sizeof(MatchInfo));
if ( DetectionEngine::content_enabled(p) )
{
- FastPatternConfig* fp = SnortConfig::get_conf()->fast_pattern_config;
+ FastPatternConfig* fp = p->context->conf->fast_pattern_config;
if ( fp->get_stream_insert() || !(p->packet_flags & PKT_STREAM_INSERT) )
if ( fp_search(port_group, p) )
const uint8_t* tmp_payload = nullptr;
uint16_t tmp_dsize = 0;
- FastPatternConfig* fp = SnortConfig::get_conf()->fast_pattern_config;
+ FastPatternConfig* fp = p->context->conf->fast_pattern_config;
if (ip_rule)
{
{
PortGroup* any = nullptr, * ip_group = nullptr;
- if ( !prmFindRuleGroupIp(SnortConfig::get_conf()->prmIpRTNX, ANYPORT, &ip_group, &any) )
+ if ( !prmFindRuleGroupIp(p->context->conf->prmIpRTNX, ANYPORT, &ip_group, &any) )
return;
- if ( SnortConfig::get_conf()->fast_pattern_config->get_debug_print_nc_rules() )
+ if ( p->context->conf->fast_pattern_config->get_debug_print_nc_rules() )
LogMessage("fpEvalHeaderIp: ip_group=%p, any=%p\n", (void*)ip_group, (void*)any);
if ( ip_group )
{
PortGroup* any = nullptr, * type = nullptr;
- if ( !prmFindRuleGroupIcmp(SnortConfig::get_conf()->prmIcmpRTNX, p->ptrs.icmph->type, &type, &any) )
+ if ( !prmFindRuleGroupIcmp(p->context->conf->prmIcmpRTNX, p->ptrs.icmph->type, &type, &any) )
return;
if ( type )
{
PortGroup* src = nullptr, * dst = nullptr, * any = nullptr;
- if ( !prmFindRuleGroupTcp(SnortConfig::get_conf()->prmTcpRTNX, p->ptrs.dp, p->ptrs.sp, &src, &dst, &any) )
+ if ( !prmFindRuleGroupTcp(p->context->conf->prmTcpRTNX, p->ptrs.dp, p->ptrs.sp, &src, &dst, &any) )
return;
if ( dst )
{
PortGroup* src = nullptr, * dst = nullptr, * any = nullptr;
- if ( !prmFindRuleGroupUdp(SnortConfig::get_conf()->prmUdpRTNX, p->ptrs.dp, p->ptrs.sp, &src, &dst, &any) )
+ if ( !prmFindRuleGroupUdp(p->context->conf->prmUdpRTNX, p->ptrs.dp, p->ptrs.sp, &src, &dst, &any) )
return;
if ( dst )
if (snort_protocol_id != UNKNOWN_PROTOCOL_ID and snort_protocol_id != INVALID_PROTOCOL_ID)
{
if (p->is_from_server()) /* to cli */
- svc = SnortConfig::get_conf()->sopgTable->get_port_group(false, snort_protocol_id);
+ svc = p->context->conf->sopgTable->get_port_group(false, snort_protocol_id);
if (p->is_from_client()) /* to srv */
- svc = SnortConfig::get_conf()->sopgTable->get_port_group(true, snort_protocol_id);
+ svc = p->context->conf->sopgTable->get_port_group(true, snort_protocol_id);
}
if ( svc )
stash->enable_process();
stash->init();
stash->disable_process();
- init_match_info(c->otnx);
+ init_match_info(c);
c->searches.mf = rule_tree_queue;
c->searches.context = c;
assert(!c->searches.items.size());
pkth = new DAQ_PktHdr_t;
buf = new uint8_t[buf_size];
- const EventQueueConfig* qc = SnortConfig::get_conf()->event_queue_config;
+ conf = SnortConfig::get_conf();
+ const EventQueueConfig* qc = conf->event_queue_config;
equeue = sfeventq_new(qc->max_events, qc->log_events, sizeof(EventNode));
packet->context = this;
DAQ_PktHdr_t* pkth;
uint8_t* buf;
- SnortConfig* conf;
+ const SnortConfig* conf;
MpseBatch searches;
MpseStash* stash;
OtnxMatchData* otnx;
ThreadRegexOffload::ThreadRegexOffload(unsigned max) : RegexOffload(max)
{
unsigned i = ThreadConfig::get_instance_max();
+ const SnortConfig* sc = SnortConfig::get_conf();
for ( auto* req : idle )
- req->thread = new std::thread(worker, req, SnortConfig::get_conf(), i++);
+ req->thread = new std::thread(worker, req, sc, i++);
}
ThreadRegexOffload::~ThreadRegexOffload()
}
void ThreadRegexOffload::worker(
- RegexRequest* req, SnortConfig* initial_config, unsigned id)
+ RegexRequest* req, const SnortConfig* initial_config, unsigned id)
{
set_instance_id(id);
SnortConfig::set_conf(initial_config);
bool get(snort::Packet*&) override;
private:
- static void worker(RegexRequest*, snort::SnortConfig*, unsigned id);
+ static void worker(RegexRequest*, const snort::SnortConfig*, unsigned id);
};
#endif
#include "tag.h"
+#include "detection/ips_context.h"
#include "events/event.h"
#include "hash/hash_defs.h"
#include "hash/xhash.h"
* bandwidth sensors. */
/* Use the global max.
If its non-0, check count for this tag node */
- if ( SnortConfig::get_tagged_packet_limit() &&
- returned->pkt_count >= SnortConfig::get_tagged_packet_limit() )
+ if ( p->context->conf->get_tagged_packet_limit() &&
+ returned->pkt_count >= p->context->conf->get_tagged_packet_limit() )
{
returned->metric = 0;
}
/* set event reference details */
event.ref_time.tv_sec = returned->event_time.tv_sec;
event.ref_time.tv_usec = returned->event_time.tv_usec;
- event.event_reference = returned->event_id | SnortConfig::get_event_log_id();
+ event.event_reference = returned->event_id | p->context->conf->get_event_log_id();
*log_list = returned->log_list;
}
event.sig_info->priority = priority;
/* this one gets set automatically */
- event.event_id = ++event_id | SnortConfig::get_event_log_id();
+ event.event_id = ++event_id | SnortConfig::get_conf()->get_event_log_id();
if (event_ref)
event.event_reference = event_ref;
timercmp(&file_ctx->pending_expire_time, &now, <))
{
// Timed out while waiting for pending verdict.
- FileConfig* fc = get_file_config(SnortConfig::get_conf());
+ FileConfig* fc = get_file_config(p->context->conf);
// Block session on timeout if configured, otherwise use the
// current action.
return "NA";
}
-FileConfig* get_file_config(SnortConfig* sc)
+FileConfig* get_file_config(const SnortConfig* sc)
{
+ if ( !sc )
+ sc = SnortConfig::get_conf();
+
FileInspect* fi = (FileInspect*)InspectorManager::get_inspector(FILE_ID_NAME, true, sc);
if (fi)
};
std::string file_type_name(uint32_t id);
-FileConfig* get_file_config(snort::SnortConfig* sc = nullptr);
+FileConfig* get_file_config(const snort::SnortConfig* sc = nullptr);
#endif
return nullptr;
}
-FileContext* FileFlows::get_file_context(uint64_t file_id, bool to_create,
- uint64_t multi_file_processing_id)
+FileContext* FileFlows::get_file_context(
+ uint64_t file_id, bool to_create, uint64_t multi_file_processing_id)
{
// First check if this file is currently being processed
if (!multi_file_processing_id)
ConfigLogger::log_value("verdict_delay", fc->verdict_delay);
}
-void FileInspect::show(SnortConfig*)
+void FileInspect::show(const SnortConfig*) const
{
if ( config )
file_config_show(config);
~FileInspect() override;
void eval(Packet*) override { }
bool configure(SnortConfig*) override;
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
FileConfig* config;
};
public:
FileLog(const FileLogConfig& conf) { config = conf; }
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
void eval(Packet*) override { }
bool configure(SnortConfig*) override
FileLogConfig config;
};
-void FileLog::show(SnortConfig*)
+void FileLog::show(const SnortConfig*) const
{
ConfigLogger::log_flag("log_pkt_time", config.log_pkt_time);
ConfigLogger::log_flag("log_sys_time", config.log_sys_time);
#include "log/messages.h"
#include "main/snort_config.h"
#include "mime/file_mime_process.h"
+#include "search_engines/search_tool.h"
#include "file_cache.h"
#include "file_capture.h"
FileFlows::init();
}
-void FileService::post_init()
+void FileService::post_init(const SnortConfig* sc)
{
+ SearchTool::set_conf(sc);
MimeSession::init();
+ SearchTool::set_conf(nullptr);
+
const FileConfig* const conf = get_file_config();
if (!conf)
}
}
-void FileService::verify_reload(SnortConfig* sc)
+void FileService::verify_reload(const SnortConfig* sc)
{
const FileConfig* const conf = get_file_config(sc);
static void init();
// Called after permission is dropped
- static void post_init();
+ static void post_init(const SnortConfig*);
// Called during reload
- static void verify_reload(SnortConfig*);
+ static void verify_reload(const SnortConfig*);
// This must be called when snort exits
static void close();
#include "rate_filter.h"
+#include "detection/ips_context.h"
#include "detection/rules.h"
#include "detection/treenodes.h"
#include "hash/ghash.h"
dip = &cleared;
}
- if ((SnortConfig::get_conf() == nullptr) ||
- (SnortConfig::get_conf()->rate_filter_config == nullptr))
- {
- /* this should not happen, see the create fcn */
- return -1;
- }
+ RateFilterConfig* rfc = p->context->conf->rate_filter_config;
if ( EventIsInternal(gid) )
{
// events and these require: src -> client, dst -> server.
if ( p->is_from_server() )
{
- return SFRF_TestThreshold(SnortConfig::get_conf()->rate_filter_config, gid, sid,
- dip, sip, p->pkth->ts.tv_sec, SFRF_COUNT_INCREMENT);
+ return SFRF_TestThreshold(
+ rfc, gid, sid, dip, sip, p->pkth->ts.tv_sec, SFRF_COUNT_INCREMENT);
}
}
- return SFRF_TestThreshold(SnortConfig::get_conf()->rate_filter_config, gid, sid,
- sip, dip, p->pkth->ts.tv_sec, SFRF_COUNT_INCREMENT);
+ return SFRF_TestThreshold(
+ rfc, gid, sid, sip, dip, p->pkth->ts.tv_sec, SFRF_COUNT_INCREMENT);
}
#endif
#include "catch/snort_catch.h"
+#include "main/snort_config.h"
#include "parser/parse_ip.h"
#include "sfip/sf_ip.h"
//---------------------------------------------------------------
-static void Init(unsigned cap)
+static void Init(const SnortConfig* sc, unsigned cap)
{
// FIXIT-L must set policies because they may have been invalidated
// by prior tests with transient SnortConfigs. better to fix sfrf
// to use a SnortConfig parameter or make this a make check test
// with a separate executable.
- set_default_policy();
+ set_default_policy(sc);
rfc = RateFilter_ConfigNew();
rfc->memcap = cap;
TEST_CASE("sfrf default memcap", "[sfrf]")
{
- Init(MEM_DEFAULT);
+ SnortConfig sc;
+ Init(&sc, MEM_DEFAULT);
SECTION("setup")
{
TEST_CASE("sfrf minimum memcap", "[sfrf]")
{
- Init(MEM_MINIMUM);
+ SnortConfig sc;
+ Init(&sc, MEM_MINIMUM);
SECTION("setup")
{
#endif
#include "catch/snort_catch.h"
+#include "main/snort_config.h"
#include "hash/xhash.h"
#include "parser/parse_ip.h"
#include "sfip/sf_ip.h"
//---------------------------------------------------------------
-static void Init(ThreshData* base, int max)
+static void Init(const SnortConfig* sc, ThreshData* base, int max)
{
// FIXIT-L must set policies because they may have been invalidated
// by prior tests with transient SnortConfigs. better to fix sfthd
// to use a SnortConfig parameter or make this a make check test
// with a separate executable.
- set_default_policy();
+ set_default_policy(sc);
int i;
int id = 0;
}
}
-static void InitDefault()
+static void InitDefault(const SnortConfig* sc)
{
pThdObjs = sfthd_objs_new();
pThd = sfthd_new(MEM_DEFAULT, MEM_DEFAULT);
- Init(thData, NUM_THDS);
+ Init(sc, thData, NUM_THDS);
}
-static void InitMincap()
+static void InitMincap(const SnortConfig* sc)
{
pThdObjs = sfthd_objs_new();
pThd = sfthd_new(MEM_MINIMUM, MEM_MINIMUM+1);
- Init(thData, NUM_THDS);
+ Init(sc, thData, NUM_THDS);
}
-static void InitDetect()
+static void InitDetect(const SnortConfig* sc)
{
dThd = sfthd_local_new(MEM_DEFAULT);
- Init(ruleData, NUM_RULS);
+ Init(sc, ruleData, NUM_RULS);
}
static void Term()
TEST_CASE("sfthd normal", "[sfthd]")
{
- InitDefault();
+ SnortConfig sc;
+ InitDefault(&sc);
SECTION("setup")
{
TEST_CASE("sfthd mincap", "[sfthd]")
{
- InitMincap();
+ SnortConfig sc;
+ InitMincap(&sc);
SECTION("setup")
{
TEST_CASE("sfthd detect", "[sfthd]")
{
- InitDetect();
+ SnortConfig sc;
+ InitDetect(&sc);
SECTION("rules")
{
int sfthreshold_test(unsigned gen_id, unsigned sig_id, const SfIp* sip,
const SfIp* dip, long curtime, PolicyId policy_id)
{
- if ((SnortConfig::get_conf()->threshold_config == nullptr) ||
- !SnortConfig::get_conf()->threshold_config->enabled)
- {
- return 0;
- }
-
if (!thd_checked)
{
thd_checked = 1;
#include "expect_cache.h"
+#include "detection/ips_context.h"
#include "hash/zhash.h"
#include "packet_io/sfdaq_instance.h"
#include "protocols/packet.h"
PktType type = p->type();
IpProtocol ip_proto = p->get_ip_proto_next();
- bool reversed_key = key.init(type, ip_proto, dstIP, p->ptrs.dp, srcIP, p->ptrs.sp,
- vlanId, mplsId, addressSpaceId);
+ bool reversed_key = key.init(p->context->conf, type, ip_proto, dstIP, p->ptrs.dp,
+ srcIP, p->ptrs.sp, vlanId, mplsId, addressSpaceId);
/*
Lookup order:
/* If this is 0, we're ignoring, otherwise setting id of new session */
if (!node->snort_protocol_id)
- ignoring = node->direction ? true : false;
- else if (lws->ssn_state.snort_protocol_id != node->snort_protocol_id)
+ ignoring = node->direction != 0;
+ else
lws->ssn_state.snort_protocol_id = node->snort_protocol_id;
if (!node->count)
uint16_t vlanId = (ctrlPkt->proto_bits & PROTO_BIT__VLAN) ? layer::get_vlan_layer(ctrlPkt)->vid() : 0;
uint32_t mplsId = (ctrlPkt->proto_bits & PROTO_BIT__MPLS) ? ctrlPkt->ptrs.mplsHdr.label : 0;
uint16_t addressSpaceId = ctrlPkt->pkth->address_space_id;
+
FlowKey key;
- bool reversed_key = key.init(type, ip_proto, cliIP, cliPort, srvIP, srvPort,
- vlanId, mplsId, addressSpaceId);
+ bool reversed_key = key.init(ctrlPkt->context->conf, type, ip_proto, cliIP, cliPort,
+ srvIP, srvPort, vlanId, mplsId, addressSpaceId);
bool new_node = false;
ExpectNode* node = static_cast<ExpectNode*> ( hash_table->get_user_data(&key) );
if ( (p->ptrs.decode_flags & DECODE_FRAG) )
{
- key->init(type, ip_proto, ip_api.get_src(), ip_api.get_dst(), ip_api.id(),
- vlanId, mplsId, addressSpaceId);
+ key->init(p->context->conf, type, ip_proto, ip_api.get_src(),
+ ip_api.get_dst(), ip_api.id(), vlanId, mplsId, addressSpaceId);
}
else if ( type == PktType::ICMP )
{
- key->init(type, ip_proto, ip_api.get_src(), p->ptrs.icmph->type, ip_api.get_dst(), 0,
- vlanId, mplsId, addressSpaceId);
+ key->init(p->context->conf, type, ip_proto, ip_api.get_src(), p->ptrs.icmph->type,
+ ip_api.get_dst(), 0, vlanId, mplsId, addressSpaceId);
}
else
{
- key->init(type, ip_proto, ip_api.get_src(), p->ptrs.sp, ip_api.get_dst(), p->ptrs.dp,
- vlanId, mplsId, addressSpaceId);
+ key->init(p->context->conf, type, ip_proto, ip_api.get_src(), p->ptrs.sp,
+ ip_api.get_dst(), p->ptrs.dp, vlanId, mplsId, addressSpaceId);
}
}
// guessing direction based on ports is misleading
return false;
- if ( !p->ptrs.tcph->is_syn_only() or SnortConfig::get_conf()->track_on_syn() )
+ if ( !p->ptrs.tcph->is_syn_only() or p->context->conf->track_on_syn() )
return true;
const unsigned DECODE_TCP_HS = DECODE_TCP_MSS | DECODE_TCP_TS | DECODE_TCP_WS;
if ( flow->flow_state != Flow::FlowState::SETUP )
{
- set_inspection_policy(SnortConfig::get_conf(), flow->inspection_policy_id);
- set_ips_policy(SnortConfig::get_conf(), flow->ips_policy_id);
- set_network_policy(SnortConfig::get_conf(), flow->network_policy_id);
+ const SnortConfig* sc = SnortConfig::get_conf();
+ set_inspection_policy(sc, flow->inspection_policy_id);
+ set_ips_policy(sc, flow->ips_policy_id);
+ set_network_policy(sc, flow->network_policy_id);
}
else
// init foo
//-------------------------------------------------------------------------
inline bool FlowKey::init4(
- IpProtocol ip_proto,
+ const SnortConfig* sc, IpProtocol ip_proto,
const SfIp *srcIP, uint16_t srcPort,
const SfIp *dstIP, uint16_t dstPort,
uint32_t mplsId, bool order)
port_h = srcPort;
reversed = true;
}
- if (SnortConfig::mpls_overlapping_ip() &&
+ if (sc->mpls_overlapping_ip() &&
ip::isPrivateIP(src) && ip::isPrivateIP(dst))
mplsLabel = mplsId;
else
}
inline bool FlowKey::init6(
- IpProtocol ip_proto,
+ const SnortConfig* sc, IpProtocol ip_proto,
const SfIp *srcIP, uint16_t srcPort,
const SfIp *dstIP, uint16_t dstPort,
uint32_t mplsId, bool order)
reversed = true;
}
- if (SnortConfig::mpls_overlapping_ip())
+ if (sc->mpls_overlapping_ip())
mplsLabel = mplsId;
else
mplsLabel = 0;
return reversed;
}
-void FlowKey::init_vlan(uint16_t vlanId)
+void FlowKey::init_vlan(const SnortConfig* sc, uint16_t vlanId)
{
- if (!SnortConfig::get_vlan_agnostic())
+ if (!sc->get_vlan_agnostic())
vlan_tag = vlanId;
else
vlan_tag = 0;
}
-void FlowKey::init_address_space(uint16_t addrSpaceId)
+void FlowKey::init_address_space(const SnortConfig* sc, uint16_t addrSpaceId)
{
- if (!SnortConfig::address_space_agnostic())
+ if (!sc->address_space_agnostic())
addressSpaceId = addrSpaceId;
else
addressSpaceId = 0;
}
-void FlowKey::init_mpls(uint32_t mplsId)
+void FlowKey::init_mpls(const SnortConfig* sc, uint32_t mplsId)
{
- if (SnortConfig::mpls_overlapping_ip())
+ if (sc->mpls_overlapping_ip())
mplsLabel = mplsId;
else
mplsLabel = 0;
}
bool FlowKey::init(
+ const SnortConfig* sc,
PktType type, IpProtocol ip_proto,
const SfIp *srcIP, uint16_t srcPort,
const SfIp *dstIP, uint16_t dstPort,
if (srcIP->is_ip4() && dstIP->is_ip4())
{
version = 4;
- reversed = init4(ip_proto, srcIP, srcPort, dstIP, dstPort, mplsId);
+ reversed = init4(sc, ip_proto, srcIP, srcPort, dstIP, dstPort, mplsId);
}
else
{
version = 6;
- reversed = init6(ip_proto, srcIP, srcPort, dstIP, dstPort, mplsId);
+ reversed = init6(sc, ip_proto, srcIP, srcPort, dstIP, dstPort, mplsId);
}
pkt_type = type;
ip_protocol = (uint8_t)ip_proto;
- init_vlan(vlanId);
- init_address_space(addrSpaceId);
+ init_vlan(sc, vlanId);
+ init_address_space(sc, addrSpaceId);
padding = 0;
return reversed;
}
bool FlowKey::init(
+ const SnortConfig* sc,
PktType type, IpProtocol ip_proto,
const SfIp *srcIP, const SfIp *dstIP,
uint32_t id, uint16_t vlanId,
if (srcIP->is_ip4() && dstIP->is_ip4())
{
version = 4;
- init4(ip_proto, srcIP, srcPort, dstIP, dstPort, mplsId, false);
+ init4(sc, ip_proto, srcIP, srcPort, dstIP, dstPort, mplsId, false);
ip_protocol = (uint8_t)ip_proto;
}
else
{
version = 6;
- init6(ip_proto, srcIP, srcPort, dstIP, dstPort, mplsId, false);
+ init6(sc, ip_proto, srcIP, srcPort, dstIP, dstPort, mplsId, false);
ip_protocol = 0;
}
pkt_type = type;
- init_vlan(vlanId);
- init_address_space(addrSpaceId);
+ init_vlan(sc, vlanId);
+ init_address_space(sc, addrSpaceId);
padding = 0;
return false;
namespace snort
{
struct SfIp;
+struct SnortConfig;
class FlowHashKeyOps : public HashKeyOperations
{
The IP-only init() will always return false as we will not reorder its
addresses at this time. */
bool init(
- PktType, IpProtocol,
+ const SnortConfig*, PktType, IpProtocol,
const snort::SfIp *srcIP, uint16_t srcPort,
const snort::SfIp *dstIP, uint16_t dstPort,
uint16_t vlanId, uint32_t mplsId, uint16_t addrSpaceId);
bool init(
- PktType, IpProtocol,
+ const SnortConfig*, PktType, IpProtocol,
const snort::SfIp *srcIP, const snort::SfIp *dstIP,
uint32_t id, uint16_t vlanId,
uint32_t mplsId, uint16_t addrSpaceId);
- void init_mpls(uint32_t);
- void init_vlan(uint16_t);
- void init_address_space(uint16_t);
+ void init_mpls(const SnortConfig*, uint32_t);
+ void init_vlan(const SnortConfig*, uint16_t);
+ void init_address_space(const SnortConfig*, uint16_t);
// If this data structure changes size, compare must be updated!
static bool is_equal(const void* k1, const void* k2, size_t);
private:
bool init4(
- IpProtocol,
+ const SnortConfig*, IpProtocol,
const snort::SfIp *srcIP, uint16_t srcPort,
const snort::SfIp *dstIP, uint16_t dstPort,
uint32_t mplsId, bool order = true);
bool init6(
- IpProtocol,
+ const SnortConfig*, IpProtocol,
const snort::SfIp *srcIP, uint16_t srcPort,
const snort::SfIp *dstIP, uint16_t dstPort,
uint32_t mplsId, bool order = true);
void Flow::term() { }
void Flow::reset(bool) { }
void Flow::free_flow_data() { }
-void set_network_policy(SnortConfig*, unsigned) { }
+void set_network_policy(const SnortConfig*, unsigned) { }
void DataBus::publish(const char*, const uint8_t*, unsigned, Flow*) { }
void DataBus::publish(const char*, Packet*, Flow*) { }
-SnortConfig* SnortConfig::get_conf() { return nullptr; }
+const SnortConfig* SnortConfig::get_conf() { return nullptr; }
void Flow::set_direction(Packet*) { }
-void set_inspection_policy(SnortConfig*, unsigned) { }
-void set_ips_policy(SnortConfig*, unsigned) { }
+void set_inspection_policy(const SnortConfig*, unsigned) { }
+void set_ips_policy(const SnortConfig*, unsigned) { }
void Flow::set_mpls_layer_per_dir(Packet*) { }
void DetectionEngine::disable_all(Packet*) { }
void Stream::drop_traffic(const Packet*, char) { }
unsigned FlowCache::delete_flows(unsigned) { return 0; }
unsigned FlowCache::timeout(unsigned, time_t) { return 1; }
void Flow::init(PktType) { }
-void set_network_policy(SnortConfig*, unsigned) { }
+void set_network_policy(const SnortConfig*, unsigned) { }
void DataBus::publish(const char*, const uint8_t*, unsigned, Flow*) { }
void DataBus::publish(const char*, Packet*, Flow*) { }
-SnortConfig* SnortConfig::get_conf() { return nullptr; }
+const SnortConfig* SnortConfig::get_conf() { return nullptr; }
void FlowCache::unlink_uni(Flow*) { }
void Flow::set_direction(Packet*) { }
-void set_inspection_policy(SnortConfig*, unsigned) { }
-void set_ips_policy(SnortConfig*, unsigned) { }
+void set_inspection_policy(const SnortConfig*, unsigned) { }
+void set_ips_policy(const SnortConfig*, unsigned) { }
void Flow::set_mpls_layer_per_dir(Packet*) { }
void DetectionEngine::disable_all(Packet*) { }
void Stream::drop_traffic(const Packet*, char) { }
}
bool FlowKey::init(
+ const SnortConfig*,
PktType, IpProtocol,
const SfIp*, uint16_t,
const SfIp*, uint16_t,
}
bool FlowKey::init(
+ const SnortConfig*,
PktType, IpProtocol,
const SfIp*, const SfIp*,
uint32_t, uint16_t,
void DataBus::publish(const char*, Packet*, Flow*) {}
-SnortConfig* SnortConfig::get_conf() { return nullptr; }
+const SnortConfig* SnortConfig::get_conf() { return nullptr; }
TEST_GROUP(nondefault_timeout)
{
constexpr uint16_t CODEC_IPOPT_FLAGS = (CODEC_IPOPT_RR_SEEN |
CODEC_IPOPT_RTRALT_SEEN | CODEC_IPOPT_LEN_THREE);
+struct SnortConfig;
+
struct CodecData
{
+ const SnortConfig* conf;
+
/* This section will get reset before every decode() function call */
ProtocolId next_prot_id; /* protocol type of the next layer */
uint16_t lyr_len; /* The length of the valid part layer */
IpProtocol ip6_csum_proto; /* initialized in cd_ipv6.cc. Used for IPv6 checksums */
bool tunnel_bypass;
- CodecData(ProtocolId init_prot) : next_prot_id(init_prot), lyr_len(0),
- invalid_bytes(0), proto_bits(0), codec_flags(0), ip_layer_cnt(0), tunnel_bypass(false)
+ CodecData(const SnortConfig* sc, ProtocolId init_prot) :
+ conf(sc), next_prot_id(init_prot), lyr_len(0), invalid_bytes(0),
+ proto_bits(0), codec_flags(0), ip_layer_cnt(0), tunnel_bypass(false)
{ }
bool inline is_cooked() const
DataBus();
~DataBus();
+ // configure time methods - main thread only
void clone(DataBus& from);
void add_mapped_module(const char*);
+ // FIXIT-L ideally these would not be static or would take an inspection policy*
static void subscribe(const char* key, DataHandler*);
static void subscribe_global(const char* key, DataHandler*, SnortConfig*);
+
+ // FIXIT-L these should be called during cleanup
static void unsubscribe(const char* key, DataHandler*);
static void unsubscribe_global(const char* key, DataHandler*, SnortConfig*);
+
+ // runtime methods
static void publish(const char* key, DataEvent&, Flow* = nullptr);
// convenience methods
// access external dependencies here
// return verification status
virtual bool configure(SnortConfig*) { return true; }
- virtual void show(SnortConfig*) { }
+ virtual void show(const SnortConfig*) const { }
// Specific to Binders to notify them of an inspector being removed from the policy
// FIXIT-L Probably shouldn't be part of the base Inspector class
namespace snort
{
struct Packet;
-struct SnortConfig;
class SO_PUBLIC IpsAction : public ActiveAction
{
OPT_TYPE_MAX
};
-typedef void (* IpsOptFunc)(SnortConfig*);
+typedef void (* IpsOptFunc)(const SnortConfig*);
typedef IpsOption* (* IpsNewFunc)(Module*, OptTreeNode*);
typedef void (* IpsDelFunc)(IpsOption*);
const LogApi* api;
};
-typedef Logger* (* LogNewFunc)(struct SnortConfig*, class Module*);
+typedef Logger* (* LogNewFunc)(class Module*);
typedef void (* LogDelFunc)(Logger*);
struct LogApi
Mpse::MpseRespType Mpse::poll_responses(MpseBatch*& batch, MpseType mpse_type)
{
+ // FIXIT-L validate for reload during offload
FastPatternConfig* fp = SnortConfig::get_conf()->fast_pattern_config;
assert(fp);
};
virtual int add_pattern(
- SnortConfig* sc, const uint8_t* pat, unsigned len,
- const PatternDescriptor&, void* user) = 0;
+ const uint8_t* pat, unsigned len, const PatternDescriptor&, void* user) = 0;
virtual int prep_patterns(SnortConfig*) = 0;
typedef void (* MpseOptFunc)(SnortConfig*);
typedef void (* MpseExeFunc)();
-typedef Mpse* (* MpseNewFunc)(
- SnortConfig* sc, class Module*, const MpseAgent*);
-
+typedef Mpse* (* MpseNewFunc)(const SnortConfig*, class Module*, const MpseAgent*);
typedef void (* MpseDelFunc)(Mpse*);
typedef Mpse::MpseRespType (* MpsePollFunc)(MpseBatch*&, Mpse::MpseType);
}
}
-bool MpseGroup::create_normal_mpse(SnortConfig* sc, const MpseAgent* agent)
+bool MpseGroup::create_normal_mpse(const SnortConfig* sc, const MpseAgent* agent)
{
- FastPatternConfig* fp = sc->fast_pattern_config;
+ const FastPatternConfig* fp = sc->fast_pattern_config;
const MpseApi* search_api = nullptr;
if (fp)
}
}
-bool MpseGroup::create_normal_mpse(SnortConfig* sc, const char* type)
+bool MpseGroup::create_normal_mpse(const SnortConfig* sc, const char* type)
{
if ( !type and sc->fast_pattern_config )
type = sc->fast_pattern_config->get_search_method();
}
}
-bool MpseGroup::create_offload_mpse(SnortConfig* sc, const MpseAgent* agent)
+bool MpseGroup::create_offload_mpse(const SnortConfig* sc, const MpseAgent* agent)
{
- FastPatternConfig* fp = sc->fast_pattern_config;
+ const FastPatternConfig* fp = sc->fast_pattern_config;
const MpseApi* search_api = nullptr;
const MpseApi* offload_search_api = nullptr;
}
}
-bool MpseGroup::create_offload_mpse(SnortConfig* sc)
+bool MpseGroup::create_offload_mpse(const SnortConfig* sc)
{
const MpseApi* search_api = nullptr;
const MpseApi* offload_search_api = nullptr;
Mpse* get_offload_mpse() const
{ return offload_mpse ? offload_mpse : normal_mpse; }
- bool create_normal_mpse(SnortConfig*, const MpseAgent* agent);
- bool create_normal_mpse(SnortConfig*, const char*);
+ bool create_normal_mpse(const SnortConfig*, const MpseAgent* agent);
+ bool create_normal_mpse(const SnortConfig*, const char*);
- bool create_offload_mpse(SnortConfig*, const MpseAgent* agent);
- bool create_offload_mpse(SnortConfig*);
+ bool create_offload_mpse(const SnortConfig*, const MpseAgent* agent);
+ bool create_offload_mpse(const SnortConfig*);
inline bool can_fallback() const
{ return get_offload_mpse() != normal_mpse; }
namespace snort
{
SnortConfig::SnortConfig(snort::SnortConfig const*)
-{
- global_dbus = new DataBus();
-}
-THREAD_LOCAL SnortConfig* snort_conf = nullptr;
-SnortConfig* SnortConfig::get_conf()
+{ global_dbus = new DataBus(); }
+
+THREAD_LOCAL const SnortConfig* snort_conf = nullptr;
+
+const SnortConfig* SnortConfig::get_conf()
{ return snort_conf; }
+
+SnortConfig* SnortConfig::get_main_conf()
+{ return const_cast<SnortConfig*>(snort_conf); }
+
SnortConfig::~SnortConfig()
-{
- delete global_dbus;
-}
+{ delete global_dbus; }
static InspectionPolicy* my_inspection_policy = nullptr;
+
InspectionPolicy* get_inspection_policy()
{ return my_inspection_policy; }
}
TEST(data_bus, subscribe_global)
{
- SnortConfig* sc = SnortConfig::get_conf();
+ SnortConfig* sc = SnortConfig::get_main_conf();
UTestHandler* h = new UTestHandler();
DataBus::subscribe_global(DB_UTEST_EVENT, h, sc);
// Stubs whose sole purpose is to make the test code link
static SnortConfig my_config;
-THREAD_LOCAL SnortConfig *snort_conf = &my_config;
+THREAD_LOCAL SnortConfig* snort_conf = &my_config;
+// run_flags is used indirectly from HashFnc class by calling SnortConfig::static_hash()
SnortConfig::SnortConfig(const SnortConfig* const)
-{ snort_conf->run_flags = 0;} // run_flags is used indirectly from HashFnc class by calling SnortConfig::static_hash()
+{ snort_conf->run_flags = 0;}
SnortConfig::~SnortConfig() = default;
-SnortConfig* SnortConfig::get_conf()
+const SnortConfig* SnortConfig::get_conf()
{ return snort_conf; }
// user free function
// Stubs whose sole purpose is to make the test code link
static SnortConfig my_config;
-THREAD_LOCAL SnortConfig *snort_conf = &my_config;
+THREAD_LOCAL SnortConfig* snort_conf = &my_config;
+// run_flags is used indirectly from HashFnc class by calling SnortConfig::static_hash()
SnortConfig::SnortConfig(const SnortConfig* const)
-{ snort_conf->run_flags = 0;} // run_flags is used indirectly from HashFnc class by calling SnortConfig::static_hash()
+{ snort_conf->run_flags = 0;}
SnortConfig::~SnortConfig() = default;
-SnortConfig* SnortConfig::get_conf()
+const SnortConfig* SnortConfig::get_conf()
{ return snort_conf; }
struct xhash_test_key
static SnortConfig my_config;
THREAD_LOCAL SnortConfig *snort_conf = &my_config;
+// run_flags is used indirectly from HashFnc class by calling SnortConfig::static_hash()
SnortConfig::SnortConfig(const SnortConfig* const)
-{ snort_conf->run_flags = 0;} // run_flags is used indirectly from HashFnc class by calling SnortConfig::static_hash()
+{ snort_conf->run_flags = 0;}
SnortConfig::~SnortConfig() = default;
-SnortConfig* SnortConfig::get_conf()
+const SnortConfig* SnortConfig::get_conf()
{ return snort_conf; }
const unsigned ZHASH_ROWS = 1000;
hs_scratch_t** get_addr(SnortConfig* sc, unsigned idx)
{ return (hs_scratch_t**)&sc->state[idx][scratch_id]; }
- hs_scratch_t* get(SnortConfig* sc, unsigned idx)
+ hs_scratch_t* get(const SnortConfig* sc, unsigned idx)
{ return (hs_scratch_t*)sc->state[idx][scratch_id]; }
void set(SnortConfig* sc, unsigned idx, void* pv)
static void dirty_handler(int signal)
{
- SnortConfig::get_conf()->dirty_pig = true;
+ SnortConfig::get_main_conf()->dirty_pig = true;
exit_handler(signal);
}
if ( errno )
FatalError("failed to setsid - %s", get_error(errno));
- if ( SnortConfig::log_quiet() or SnortConfig::log_syslog() )
+ if ( SnortConfig::get_conf()->log_quiet() or SnortConfig::get_conf()->log_syslog() )
snuff_stdio();
pid_t ppid = getppid();
void SnortConfig::release_scratch(int)
{ s_state.clear(); }
-SnortConfig* SnortConfig::get_conf()
+const SnortConfig* SnortConfig::get_conf()
{ return snort_conf; }
void ParseError(const char*, ...)
void print_config()
{
- if ( snort::SnortConfig::log_verbose() )
+ if ( snort::SnortConfig::get_conf()->log_verbose() )
{
std::lock_guard<std::mutex> cache_lock(cache_mutex);
namespace snort
{
-SnortConfig* SnortConfig::get_conf() { return nullptr; }
-char* snort_strdup(const char* s) { return strdup(s); }
-Module* ModuleManager::get_module(const char*) { return nullptr; }
+const SnortConfig* SnortConfig::get_conf()
+{ return nullptr; }
+
+char* snort_strdup(const char* s)
+{ return strdup(s); }
+
+Module* ModuleManager::get_module(const char*)
+{ return nullptr; }
+
void LogMessage(const char* format,...)
{
va_list args;
#include "asn1_util.h"
-#include "main/snort_config.h"
+#include "main/thread.h"
#include "utils/util.h"
using namespace snort;
** @return none
**
*/
-void asn1_init_mem(SnortConfig* sc)
+void asn1_init_mem(int asn1_mem)
{
- asn1_config.num_nodes = sc->asn1_mem;
+ asn1_config.num_nodes = asn1_mem;
if (asn1_config.num_nodes > 0)
asn1_config.mem = (ASN1_TYPE*)snort_calloc(asn1_config.num_nodes, sizeof(ASN1_TYPE));
** @return none
**
*/
-void asn1_free_mem(SnortConfig*)
+void asn1_free_mem()
{
if (asn1_config.mem != nullptr)
{
#define ASN1_ERR_INVALID_ARG (-7)
#define ASN1_ERR_STACK (-8)
-void asn1_init_mem(snort::SnortConfig*);
-void asn1_free_mem(snort::SnortConfig*);
+void asn1_init_mem(int asn1_mem);
+void asn1_free_mem();
+
int asn1_decode(const unsigned char* data, unsigned int len, ASN1_TYPE** asn1_type);
int asn1_print_types(ASN1_TYPE* asn1_type, void* user);
-int asn1_traverse(ASN1_TYPE* asn1, void* user,
- int (* DetectFunc)(ASN1_TYPE*, void*));
+int asn1_traverse(ASN1_TYPE* asn1, void* user, int (* DetectFunc)(ASN1_TYPE*, void*));
#endif
#include "framework/ips_option.h"
#include "framework/module.h"
#include "hash/hash_key_operations.h"
+#include "main/snort_config.h"
#include "profiler/profiler.h"
#include "protocols/packet.h"
delete m;
}
+static void asn1_init(const SnortConfig* sc)
+{ asn1_init_mem(sc->asn1_mem); }
+
+static void asn1_term(const SnortConfig*)
+{ asn1_free_mem(); }
+
static IpsOption* asn1_ctor(Module* p, OptTreeNode*)
{
Asn1Module* m = (Asn1Module*)p;
},
OPT_TYPE_DETECTION,
0, 0,
- asn1_init_mem,
- asn1_free_mem,
+ asn1_init,
+ asn1_term,
nullptr,
nullptr,
asn1_ctor,
delete p;
}
-static void flowbits_verify(SnortConfig*)
+static void flowbits_verify(const SnortConfig*)
{
flowbits_verify();
}
#include <cassert>
+#include "detection/ips_context.h"
#include "framework/cursor.h"
#include "framework/ips_option.h"
#include "framework/module.h"
if (pcre_data->pe)
{
- if ((SnortConfig::get_pcre_match_limit() != 0) &&
+ if ((sc->get_pcre_match_limit() != 0) &&
!(pcre_data->options & SNORT_OVERRIDE_MATCH_LIMIT))
{
if ( !(pcre_data->pe->flags & PCRE_EXTRA_MATCH_LIMIT) )
pcre_data->pe->flags |= PCRE_EXTRA_MATCH_LIMIT;
- pcre_data->pe->match_limit = SnortConfig::get_pcre_match_limit();
+ pcre_data->pe->match_limit = sc->get_pcre_match_limit();
}
- if ((SnortConfig::get_pcre_match_limit_recursion() != 0) &&
+ if ((sc->get_pcre_match_limit_recursion() != 0) &&
!(pcre_data->options & SNORT_OVERRIDE_MATCH_LIMIT))
{
if ( !(pcre_data->pe->flags & PCRE_EXTRA_MATCH_LIMIT_RECURSION) )
pcre_data->pe->flags |= PCRE_EXTRA_MATCH_LIMIT_RECURSION;
pcre_data->pe->match_limit_recursion =
- SnortConfig::get_pcre_match_limit_recursion();
+ sc->get_pcre_match_limit_recursion();
}
}
else
{
if (!(pcre_data->options & SNORT_OVERRIDE_MATCH_LIMIT) &&
- ((SnortConfig::get_pcre_match_limit() != 0) ||
- (SnortConfig::get_pcre_match_limit_recursion() != 0)))
+ ((sc->get_pcre_match_limit() != 0) ||
+ (sc->get_pcre_match_limit_recursion() != 0)))
{
pcre_data->pe = (pcre_extra*)snort_calloc(sizeof(pcre_extra));
pcre_data->free_pe = true;
- if (SnortConfig::get_pcre_match_limit() != 0)
+ if (sc->get_pcre_match_limit() != 0)
{
pcre_data->pe->flags |= PCRE_EXTRA_MATCH_LIMIT;
- pcre_data->pe->match_limit = SnortConfig::get_pcre_match_limit();
+ pcre_data->pe->match_limit = sc->get_pcre_match_limit();
}
- if (SnortConfig::get_pcre_match_limit_recursion() != 0)
+ if (sc->get_pcre_match_limit_recursion() != 0)
{
pcre_data->pe->flags |= PCRE_EXTRA_MATCH_LIMIT_RECURSION;
pcre_data->pe->match_limit_recursion =
- SnortConfig::get_pcre_match_limit_recursion();
+ sc->get_pcre_match_limit_recursion();
}
}
}
* found_offset will be set to -1 when the find is unsuccessful OR the routine is inverted
*/
static bool pcre_search(
+ Packet* p,
const PcreData* pcre_data,
const uint8_t* buf,
unsigned len,
found_offset = -1;
- std::vector<void *> ss = SnortConfig::get_conf()->state[get_instance_id()];
+ std::vector<void *> ss = p->context->conf->state[get_instance_id()];
assert(ss[scratch_index]);
int result = pcre_exec(
start_offset, /* start at offset 0 in the subject */
0, /* options(handled at compile time */
(int*)ss[scratch_index], /* vector for substring information */
- SnortConfig::get_conf()->pcre_ovector_size); /* number of elements in the vector */
+ p->context->conf->pcre_ovector_size); /* number of elements in the vector */
if (result >= 0)
{
return false;
}
-IpsOption::EvalStatus PcreOption::eval(Cursor& c, Packet*)
+IpsOption::EvalStatus PcreOption::eval(Cursor& c, Packet* p)
{
RuleProfile profile(pcrePerfStats);
// short circuit this for testing pcre performance impact
- if ( SnortConfig::no_pcre() )
+ if ( p->context->conf->no_pcre() )
return NO_MATCH;
unsigned pos = c.get_delta();
int found_offset = -1; // where is the ending location of the pattern
- if ( pcre_search(config, c.buffer()+adj, c.size()-adj, pos, found_offset) )
+ if ( pcre_search(p, config, c.buffer()+adj, c.size()-adj, pos, found_offset) )
{
if ( found_offset > 0 )
{
Module* mod_regex = nullptr;
std::string re;
- static bool scratch_setup(SnortConfig* sc);
- static void scratch_cleanup(SnortConfig* sc);
+ static bool scratch_setup(SnortConfig*);
+ static void scratch_cleanup(SnortConfig*);
};
PcreData* PcreModule::get_data()
ParseError("can't negate replace string");
}
-static bool replace_ok()
+static bool replace_ok(const SnortConfig* sc)
{
- if ( SnortConfig::inline_mode() and SFDAQ::can_replace() )
+ if ( sc->inline_mode() and SFDAQ::can_replace() )
return true;
static THREAD_LOCAL bool warned = false;
if ( c.get_pos() < repl.size() )
return NO_MATCH;
- if ( replace_ok() )
+ if ( replace_ok(p->context->conf) )
store(c.get_pos() - repl.size());
return MATCH;
void SnortConfig::release_scratch(int) { }
-SnortConfig* SnortConfig::get_conf()
+const SnortConfig* SnortConfig::get_conf()
{ return snort_conf; }
Packet::Packet(bool) { }
if ( SFDAQ::get_base_protocol() == DLT_EN10MB )
LogEthHeader(log, p);
- else if ( SnortConfig::log_verbose() )
+ else if ( p->context->conf->log_verbose() )
ErrorMessage("Datalink %i (not supported)\n", SFDAQ::get_base_protocol());
}
const char* ip_fmt = "%s -> %s";
InetBuf src, dst;
- if (SnortConfig::obfuscate())
+ if (p->context->conf->obfuscate())
{
ObfuscateIpToText(p->ptrs.ip_api.get_src(),
- SnortConfig::get_conf()->homenet, SnortConfig::get_conf()->obfuscation_net, src);
+ p->context->conf->homenet, p->context->conf->obfuscation_net, src);
ObfuscateIpToText(p->ptrs.ip_api.get_dst(),
- SnortConfig::get_conf()->homenet, SnortConfig::get_conf()->obfuscation_net, dst);
+ p->context->conf->homenet, p->context->conf->obfuscation_net, dst);
TextLog_Print(log, ip_fmt, src, dst);
}
const char* ip_fmt = "%s:%d -> %s:%d";
InetBuf src, dst;
- if (SnortConfig::obfuscate())
+ if (p->context->conf->obfuscate())
{
ObfuscateIpToText(p->ptrs.ip_api.get_src(),
- SnortConfig::get_conf()->homenet, SnortConfig::get_conf()->obfuscation_net, src);
+ p->context->conf->homenet, p->context->conf->obfuscation_net, src);
ObfuscateIpToText(p->ptrs.ip_api.get_dst(),
- SnortConfig::get_conf()->homenet, SnortConfig::get_conf()->obfuscation_net, dst);
+ p->context->conf->homenet, p->context->conf->obfuscation_net, dst);
TextLog_Print(log, ip_fmt, src, p->ptrs.sp, dst, p->ptrs.dp);
}
LogIpAddrs(log, p);
- if (!SnortConfig::output_datalink())
+ if (!p->context->conf->output_datalink())
{
TextLog_NewLine(log);
}
*/
static void LogICMPEmbeddedIP(TextLog* log, Packet* p)
{
- if (log == nullptr || p == nullptr)
- return;
-
// FIXIT-L -- Allocating a new Packet here is ridiculously excessive.
- Packet* orig_p = new Packet;
- Packet& op = *orig_p;
+ Packet* orig = DetectionEngine::set_next_packet(p);
+ orig->context->conf = p->context->conf;
- if (!layer::set_api_ip_embed_icmp(p, op.ptrs.ip_api))
+ if (!layer::set_api_ip_embed_icmp(p, orig->ptrs.ip_api))
{
TextLog_Puts(log, "\nORIGINAL DATAGRAM TRUNCATED");
}
{
case PROTO_BIT__TCP_EMBED_ICMP:
{
- const tcp::TCPHdr* const tcph = layer::get_tcp_embed_icmp(op.ptrs.ip_api);
+ const tcp::TCPHdr* const tcph = layer::get_tcp_embed_icmp(orig->ptrs.ip_api);
if (tcph)
{
- orig_p->ptrs.sp = tcph->src_port();
- orig_p->ptrs.dp = tcph->dst_port();
- orig_p->ptrs.tcph = tcph;
- orig_p->ptrs.set_pkt_type(PktType::TCP);
+ orig->ptrs.sp = tcph->src_port();
+ orig->ptrs.dp = tcph->dst_port();
+ orig->ptrs.tcph = tcph;
+ orig->ptrs.set_pkt_type(PktType::TCP);
TextLog_Print(log, "\n** ORIGINAL DATAGRAM DUMP:\n");
- LogIPHeader(log, orig_p);
-
- TextLog_Print(log, "Seq: 0x%lX\n",
- (u_long)ntohl(orig_p->ptrs.tcph->th_seq));
+ LogIPHeader(log, orig);
+ TextLog_Print(log, "Seq: 0x%lX\n", (u_long)ntohl(orig->ptrs.tcph->th_seq));
}
break;
}
case PROTO_BIT__UDP_EMBED_ICMP:
{
- const udp::UDPHdr* const udph = layer::get_udp_embed_icmp(op.ptrs.ip_api);
+ const udp::UDPHdr* const udph = layer::get_udp_embed_icmp(orig->ptrs.ip_api);
if (udph)
{
- orig_p->ptrs.sp = udph->src_port();
- orig_p->ptrs.dp = udph->dst_port();
- orig_p->ptrs.udph = udph;
- orig_p->ptrs.set_pkt_type(PktType::UDP);
+ orig->ptrs.sp = udph->src_port();
+ orig->ptrs.dp = udph->dst_port();
+ orig->ptrs.udph = udph;
+ orig->ptrs.set_pkt_type(PktType::UDP);
TextLog_Print(log, "\n** ORIGINAL DATAGRAM DUMP:\n");
- LogIPHeader(log, orig_p);
- TextLog_Print(log, "Len: %d Csum: %d\n",
- udph->len() - udp::UDP_HEADER_LEN,
- udph->cksum());
+ LogIPHeader(log, orig);
+ TextLog_Print(
+ log, "Len: %d Csum: %d\n", udph->len() - udp::UDP_HEADER_LEN, udph->cksum());
}
break;
}
case PROTO_BIT__ICMP_EMBED_ICMP:
{
TextLog_Print(log, "\n** ORIGINAL DATAGRAM DUMP:\n");
- LogIPHeader(log, orig_p);
+ LogIPHeader(log, orig);
- const icmp::ICMPHdr* icmph = layer::get_icmp_embed_icmp(op.ptrs.ip_api);
- if (icmph != nullptr)
+ const icmp::ICMPHdr* icmph = layer::get_icmp_embed_icmp(orig->ptrs.ip_api);
+
+ if (icmph)
LogEmbeddedICMPHeader(log, icmph);
break;
}
default:
{
TextLog_Print(log, "\n** ORIGINAL DATAGRAM DUMP:\n");
- LogIPHeader(log, orig_p);
+ LogIPHeader(log, orig);
TextLog_Print(log, "Protocol: 0x%X (unknown or "
- "header truncated)", orig_p->ptrs.ip_api.proto());
+ "header truncated)", orig->ptrs.ip_api.proto());
break;
}
} /* switch */
/* if more than 8 bytes of original IP payload sent */
-
const int16_t more_bytes = p->dsize - 8;
+
if (more_bytes > 0)
- {
- TextLog_Print(log, "(%d more bytes of original packet)\n",
- more_bytes);
- }
+ TextLog_Print(log, "(%d more bytes of original packet)\n", more_bytes);
TextLog_Puts(log, "** END OF DUMP");
}
-
- delete orig_p;
}
/*--------------------------------------------------------------------
assert(p);
ip_ob_start = ip_ob_end = -1;
- if ( !SnortConfig::obfuscate() )
+ if ( !p->context->conf->obfuscate() )
return;
const ProtocolIndex ipv4_idx = PacketManager::proto_idx(ProtocolId::IPIP);
}
const HexAsciiLayout& hal = SnortConfig::get_conf()->output_wide_hex() ? hal_wide : hal_std;
- const char* hdr_off = SnortConfig::verbose_byte_dump() ? hal.offset_hdr : "";
+ const char* hdr_off = p->context->conf->verbose_byte_dump() ? hal.offset_hdr : "";
if ( !ins_name )
ins_name = p->flow and p->flow->gadget ? p->flow->gadget->get_name() : "snort";
/* loop thru the whole buffer */
while ( pb < end )
{
- if (SnortConfig::verbose_byte_dump())
+ if (p->context->conf->verbose_byte_dump())
{
TextLog_Print(log, hal.offset_fmt, offset);
offset += hal.bytes_per_frame;
void LogIPPkt(TextLog* log, Packet* p)
{
- if ( SnortConfig::output_datalink() )
+ if ( p->context->conf->output_datalink() )
{
Log2ndHeader(log, p);
void LogPayload(TextLog* log, Packet* p)
{
/* dump the application layer data */
- if (SnortConfig::output_app_data() && !SnortConfig::verbose_byte_dump())
+ if (p->context->conf->output_app_data() && !p->context->conf->verbose_byte_dump())
{
- if (SnortConfig::output_char_data())
+ if (p->context->conf->output_char_data())
{
LogCharData(log, p->data, p->dsize);
}
}
}
- else if (SnortConfig::verbose_byte_dump())
+ else if (p->context->conf->verbose_byte_dump())
{
LogNetData(log, p->pkt, p->pktlen, p);
}
FatalError("%s\n", buf);
}
+static bool log_syslog()
+{
+ const SnortConfig* sc = SnortConfig::get_conf();
+ return sc and sc->log_syslog();
+}
+
+static bool log_quiet()
+{
+ const SnortConfig* sc = SnortConfig::get_conf();
+ return sc and sc->log_quiet();
+}
+
static void WriteLogMessage(FILE* fh, bool prefer_fh, const char* format, va_list& ap)
{
- if ( SnortConfig::get_conf() && !prefer_fh )
+ if ( prefer_fh or !log_syslog() )
{
- if ( SnortConfig::log_syslog() )
- {
- char buf[STD_BUF+1];
- vsnprintf(buf, STD_BUF, format, ap);
- buf[STD_BUF] = '\0';
- syslog(LOG_DAEMON | LOG_NOTICE, "%s", buf);
- return;
- }
+ vfprintf(fh, format, ap);
+ return;
}
- vfprintf(fh, format, ap);
+ char buf[STD_BUF+1];
+ vsnprintf(buf, STD_BUF, format, ap);
+ buf[STD_BUF] = '\0';
+ syslog(LOG_DAEMON | LOG_NOTICE, "%s", buf);
}
/*
*/
void LogMessage(const char* format,...)
{
- if ( SnortConfig::get_conf() and SnortConfig::log_quiet() )
+ if ( log_quiet() )
return;
va_list ap;
void LogMessage(FILE* fh, const char* format,...)
{
- if ( fh == stdout and SnortConfig::get_conf() and SnortConfig::log_quiet() )
+ if ( fh == stdout and log_quiet() )
return;
va_list ap;
va_start(ap, format);
- if ( SnortConfig::get_conf() and SnortConfig::log_syslog() )
+ if ( log_syslog() )
{
char buf[STD_BUF+1];
vsnprintf(buf, STD_BUF, format, ap);
va_start(ap, format);
- if ( SnortConfig::get_conf() and SnortConfig::log_syslog() )
+ if ( log_syslog() )
{
char buf[STD_BUF+1];
vsnprintf(buf, STD_BUF, format, ap);
buf[STD_BUF] = '\0';
- if ( SnortConfig::get_conf() and SnortConfig::log_syslog() )
+ if ( log_syslog() )
{
syslog(LOG_CONS | LOG_DAEMON | LOG_ERR, "FATAL ERROR: %s", buf);
}
static void mod_dtor(Module* m)
{ delete m; }
-static Logger* csv_ctor(SnortConfig*, Module* mod)
+static Logger* csv_ctor(Module* mod)
{ return new CsvLogger((CsvModule*)mod); }
static void csv_dtor(Logger* p)
TextLog_Print(fast_log, "[%u:%u:%u] ",
event.sig_info->gid, event.sig_info->sid, event.sig_info->rev);
- if (SnortConfig::alert_interface())
+ if (p->context->conf->alert_interface())
TextLog_Print(fast_log, " <%s> ", SFDAQ::get_input_spec());
if ( msg )
TextLog_Print(fast_log, "{%s} ", p->get_type());
LogIpAddrs(fast_log, p);
- if ( packet || SnortConfig::output_app_data() )
+ if ( packet || p->context->conf->output_app_data() )
{
log_data(p, event);
}
static void mod_dtor(Module* m)
{ delete m; }
-static Logger* fast_ctor(SnortConfig*, Module* mod)
+static Logger* fast_ctor(Module* mod)
{ return new FastLogger((FastModule*)mod); }
static void fast_dtor(Logger* p)
#include "config.h"
#endif
+#include "detection/ips_context.h"
#include "detection/signature.h"
#include "events/event.h"
#include "framework/logger.h"
TextLog_Print(full_log, "[%u:%u:%u] ",
event.sig_info->gid, event.sig_info->sid, event.sig_info->rev);
- if (SnortConfig::alert_interface())
+ if (p->context->conf->alert_interface())
{
const char* iface = SFDAQ::get_input_spec();
TextLog_Print(full_log, " <%s> ", iface);
TextLog_Puts(full_log, "[**]\n");
}
- if (p && p->has_ip())
+ if (p->has_ip())
{
LogPriorityData(full_log, event);
TextLog_NewLine(full_log);
LogTimeStamp(full_log, p);
TextLog_Putc(full_log, ' ');
- if (p && p->has_ip())
+ if (p->has_ip())
{
/* print the packet header to the alert file */
- if (SnortConfig::output_datalink())
+ if (p->context->conf->output_datalink())
{
Log2ndHeader(full_log, p);
}
static void mod_dtor(Module* m)
{ delete m; }
-static Logger* full_ctor(SnortConfig*, Module* mod)
+static Logger* full_ctor(Module* mod)
{ return new FullLogger((FullModule*)mod); }
static void full_dtor(Logger* p)
static void mod_dtor(Module* m)
{ delete m; }
-static Logger* json_ctor(SnortConfig*, Module* mod)
+static Logger* json_ctor(Module* mod)
{ return new JsonLogger((JsonModule*)mod); }
static void json_dtor(Logger* p)
delete m;
}
-static Logger* log_ctor(SnortConfig*, Module* m)
+static Logger* log_ctor(Module* m)
{
const char* key = m->get_name();
std::string* chunk = ScriptManager::get_chunk(key);
if (sid == 0)
return nullptr;
- for (hashNode = SnortConfig::get_conf()->otn_map->find_first();
+ const SnortConfig* sc = SnortConfig::get_conf();
+
+ for (hashNode = sc->otn_map->find_first();
hashNode;
- hashNode = SnortConfig::get_conf()->otn_map->find_next())
+ hashNode = sc->otn_map->find_next())
{
OptTreeNode* otn = (OptTreeNode*)hashNode->data;
RuleTreeNode* rtn = getRuntimeRtnFromOtn(otn);
static void mod_dtor(Module* m)
{ delete m; }
-static Logger* sf_sock_ctor(SnortConfig*, Module* mod)
+static Logger* sf_sock_ctor(Module* mod)
{ return new SfSocketLogger((SfSocketModule*)mod); }
static void sf_sock_dtor(Logger* p)
#include <syslog.h>
+#include "detection/ips_context.h"
#include "detection/signature.h"
#include "events/event.h"
#include "framework/logger.h"
return 0;
}
-#define syslog_options \
- "cons | ndelay | perror | pid"
+#ifdef LOG_PERROR
+#define syslog_options "cons | ndelay | perror | pid"
+#else
+#define syslog_options "cons | ndelay | pid"
+#endif
static int get_options(const char* s)
{
return true;
}
-bool SyslogModule::end(const char*, int, SnortConfig*)
+bool SyslogModule::end(const char*, int, SnortConfig* sc)
{
- if ( SnortConfig::daemon_mode() )
+ if ( sc->daemon_mode() )
options |= LOG_PID;
return true;
"[Priority: %u] ", event.sig_info->priority);
}
- if (SnortConfig::alert_interface())
+ if (p->context->conf->alert_interface())
{
SnortSnprintfAppend(event_string, sizeof(event_string),
"<%s> ", SFDAQ::get_input_spec());
const char* ip_fmt = "%s -> %s";
InetBuf src, dst;
- if (SnortConfig::obfuscate())
+ if (p->context->conf->obfuscate())
{
- ObfuscateIpToText(p->ptrs.ip_api.get_src(), SnortConfig::get_conf()->homenet,
- SnortConfig::get_conf()->obfuscation_net, src);
+ ObfuscateIpToText(p->ptrs.ip_api.get_src(), p->context->conf->get_conf()->homenet,
+ p->context->conf->get_conf()->obfuscation_net, src);
- ObfuscateIpToText(p->ptrs.ip_api.get_dst(), SnortConfig::get_conf()->homenet,
- SnortConfig::get_conf()->obfuscation_net, dst);
+ ObfuscateIpToText(p->ptrs.ip_api.get_dst(), p->context->conf->get_conf()->homenet,
+ p->context->conf->get_conf()->obfuscation_net, dst);
SnortSnprintfAppend(event_string, sizeof(event_string), ip_fmt, src, dst);
}
const char* ip_fmt = "%s:%d -> %s:%d";
InetBuf src, dst;
- if (SnortConfig::obfuscate())
+ if (p->context->conf->obfuscate())
{
- ObfuscateIpToText(p->ptrs.ip_api.get_src(), SnortConfig::get_conf()->homenet,
- SnortConfig::get_conf()->obfuscation_net, src);
+ ObfuscateIpToText(p->ptrs.ip_api.get_src(), p->context->conf->get_conf()->homenet,
+ p->context->conf->get_conf()->obfuscation_net, src);
- ObfuscateIpToText(p->ptrs.ip_api.get_dst(), SnortConfig::get_conf()->homenet,
- SnortConfig::get_conf()->obfuscation_net, dst);
+ ObfuscateIpToText(p->ptrs.ip_api.get_dst(), p->context->conf->get_conf()->homenet,
+ p->context->conf->get_conf()->obfuscation_net, dst);
SnortSnprintfAppend(event_string, sizeof(event_string), ip_fmt,
src, p->ptrs.sp, dst, p->ptrs.dp);
static void mod_dtor(Module* m)
{ delete m; }
-static Logger* syslog_ctor(SnortConfig*, Module* mod)
+static Logger* syslog_ctor(Module* mod)
{ return new SyslogLogger((SyslogModule*)mod); }
static void syslog_dtor(Logger* p)
static void mod_dtor(Module* m)
{ delete m; }
-static Logger* talos_ctor(SnortConfig*, Module* mod)
+static Logger* talos_ctor(Module* mod)
{ return new TalosLogger((TalosModule*)mod); }
static void talos_dtor(Logger* p)
static void mod_dtor(Module* m)
{ delete m; }
-static Logger* unix_sock_ctor(SnortConfig*, Module*)
+static Logger* unix_sock_ctor(Module*)
{ return new UnixSockLogger; }
static void unix_sock_dtor(Logger* p)
PacketManager::log_protocols(test_file, p);
TextLog_NewLine(test_file);
- if ( p->dsize and SnortConfig::output_app_data() )
+ if ( p->dsize and p->context->conf->output_app_data() )
LogNetData(test_file, p->data, p->dsize, p);
TextLog_NewLine(test_file);
static void mod_dtor(Module* m)
{ delete m; }
-static Logger* codec_log_ctor(SnortConfig*, Module* mod)
+static Logger* codec_log_ctor(Module* mod)
{ return new CodecLogger((LogCodecModule*)mod); }
static void codec_log_dtor(Logger* p)
static void mod_dtor(Module* m)
{ delete m; }
-static Logger* hext_ctor(SnortConfig*, Module* mod)
+static Logger* hext_ctor(Module* mod)
{
return new HextLogger((HextModule*)mod);
}
#include <pcap.h>
+#include "detection/ips_context.h"
#include "framework/logger.h"
#include "framework/module.h"
#include "log/messages.h"
pcap_dump((uint8_t*)context.dumpd, &pcaphdr, p->pkt);
context.size += dumpSize;
- if (!SnortConfig::line_buffered_logging()) // FIXIT-L misnomer
+ if (!p->context->conf->line_buffered_logging()) // FIXIT-L misnomer
{
fflush( (FILE*)context.dumpd);
}
void PcapLogger::open()
{
- TcpdumpInitLogFile(config, SnortConfig::output_no_timestamp());
+ TcpdumpInitLogFile(config, SnortConfig::get_conf()->output_no_timestamp());
}
void PcapLogger::close()
static void mod_dtor(Module* m)
{ delete m; }
-static Logger* tcpdump_ctor(SnortConfig*, Module* mod)
+static Logger* tcpdump_ctor(Module* mod)
{ return new PcapLogger((TcpdumpModule*)mod); }
static void tcpdump_dtor(Logger* p)
return true;
}
-bool U2Module::begin(const char*, int, SnortConfig*)
+bool U2Module::begin(const char*, int, SnortConfig* sc)
{
limit = 0;
- nostamp = SnortConfig::output_no_timestamp();
+ nostamp = sc->output_no_timestamp();
legacy_events = false;
return true;
}
static void mod_dtor(Module* m)
{ delete m; }
-static Logger* u2_ctor(SnortConfig*, Module* mod)
+static Logger* u2_ctor(Module* mod)
{ return new U2Logger((U2Module*)mod); }
static void u2_dtor(Logger* p)
const char* get_prompt()
{ return prompt; }
-static bool use_shell(SnortConfig* sc)
+static bool use_shell(const SnortConfig* sc)
{
#ifdef SHELL
return ( sc->run_flags & RUN_FLAG__SHELL );
bool Pig::prep(const char* source)
{
- SnortConfig* sc = SnortConfig::get_conf();
+ const SnortConfig* sc = SnortConfig::get_conf();
SFDAQInstance *instance = new SFDAQInstance(source, idx, sc->daq_config);
+
if (!SFDAQ::init_instance(instance, sc->bpf_filter))
{
delete instance;
assert(!athread);
LogMessage("++ [%u] %s\n", idx, analyzer->get_source());
- Swapper* ps = new Swapper(SnortConfig::get_conf(), HostAttributes::get_host_attributes_table());
+ Swapper* ps = new Swapper(SnortConfig::get_main_conf(), HostAttributes::get_host_attributes_table());
athread = new std::thread(std::ref(*analyzer), ps, ++run_num);
}
}
current_request->respond(".. reloading configuration\n");
- SnortConfig* old = SnortConfig::get_conf();
+ const SnortConfig* old = SnortConfig::get_conf();
SnortConfig* sc = Snort::get_reload_config(fname, plugin_path);
if ( !sc )
else
current_request->respond("== reload failed - bad config\n");
- SnortConfig::set_parser_conf(nullptr);
return 0;
}
current_request->respond(".. swapping configuration\n", from_shell);
main_broadcast_command(new ACSwap(new Swapper(old, sc, old_tc, tc), current_request, from_shell), from_shell);
- SnortConfig::set_parser_conf(nullptr);
return 0;
}
return 0;
}
- SnortConfig* old = SnortConfig::get_conf();
+ SnortConfig* old = SnortConfig::get_main_conf();
SnortConfig* sc = Snort::get_updated_policy(old, fname, nullptr);
if ( !sc )
return 0;
}
- SnortConfig* old = SnortConfig::get_conf();
+ SnortConfig* old = SnortConfig::get_main_conf();
SnortConfig* sc = Snort::get_updated_module(old, fname);
if ( !sc )
}
proc_stats.attribute_table_overflow = 0;
- HostAttributes::load_hosts_file(SnortConfig::get_conf(), fname);
+ HostAttributes::load_hosts_file(SnortConfig::get_main_conf(), fname);
HostAttributesTable* old = HostAttributes::get_host_attributes_table();
HostAttributesTable* tc = HostAttributes::activate();
return 0;
}
- SnortConfig* old = SnortConfig::get_conf();
+ SnortConfig* old = SnortConfig::get_main_conf();
SnortConfig* sc = Snort::get_updated_policy(old, nullptr, iname);
if ( !sc )
// main foo
//-------------------------------------------------------------------------
-static bool just_validate()
+static bool just_validate(const SnortConfig* sc)
{
- if ( SnortConfig::test_mode() )
+ if ( sc->test_mode() )
return true;
- if ( use_shell(SnortConfig::get_conf()) )
+ if ( use_shell(sc) )
return false;
- if ( SnortConfig::get_conf()->daq_config->module_configs.empty() )
+ if ( sc->daq_config->module_configs.empty() )
{
- if ( SnortConfig::read_mode() && !Trough::get_queue_size() )
+ if ( sc->read_mode() && !Trough::get_queue_size() )
return true;
- if ( !SnortConfig::read_mode() && !SFDAQ::get_input_spec(SnortConfig::get_conf()->daq_config, 0) )
+ if ( !sc->read_mode() && !SFDAQ::get_input_spec(sc->daq_config, 0) )
return true;
}
if ( unsigned k = get_parse_errors() )
FatalError("see prior %u errors (%u warnings)\n", k, warnings);
- if ( SnortConfig::conf_error_out() )
+ SnortConfig* sc = SnortConfig::get_main_conf();
+
+ if ( sc->conf_error_out() )
{
if ( warnings )
FatalError("see prior %u warnings\n", warnings);
}
- if ( SnortConfig::dump_msg_map() )
+ if ( sc->dump_msg_map() )
{
- dump_msg_map(SnortConfig::get_conf());
+ dump_msg_map(sc);
return false;
}
- if ( SnortConfig::dump_rule_deps() )
+ if ( sc->dump_rule_deps() )
{
- dump_rule_deps(SnortConfig::get_conf());
+ dump_rule_deps(sc);
return false;
}
- if ( SnortConfig::dump_rule_meta() )
+ if ( sc->dump_rule_meta() )
{
- dump_rule_meta(SnortConfig::get_conf());
+ dump_rule_meta(sc);
return false;
}
- if ( SnortConfig::dump_rule_state() )
+ if ( sc->dump_rule_state() )
{
- dump_rule_state(SnortConfig::get_conf());
+ dump_rule_state(sc);
return false;
}
- if ( just_validate() )
+ if ( just_validate(sc) )
{
LogMessage("\nSnort successfully validated the configuration (with %u warnings).\n",
warnings);
// force test mode to exit w/o stats
- SnortConfig::get_conf()->run_flags |= RUN_FLAG__TEST;
+ sc->run_flags |= RUN_FLAG__TEST;
return false;
}
- if ( SnortConfig::get_conf()->run_flags & RUN_FLAG__PAUSE )
+ if ( sc->run_flags & RUN_FLAG__PAUSE )
{
LogMessage("Paused; resume to start packet processing\n");
paused = true;
LogMessage("Commencing packet processing\n");
#ifdef SHELL
- if ( use_shell(SnortConfig::get_conf()) )
+ if ( use_shell(sc) )
{
LogMessage("Entering command shell\n");
ControlMgmt::add_control(STDOUT_FILENO, true);
{
unsigned swine = 0, pending_privileges = 0;
- if (SnortConfig::change_privileges())
+ if (SnortConfig::get_conf()->change_privileges())
pending_privileges = max_pigs;
// Preemptively prep all pigs in live traffic mode
- if (!SnortConfig::read_mode())
+ if (!SnortConfig::get_conf()->read_mode())
{
for (unsigned i = 0; i < max_pigs; i++)
{
PacketTracer::activate(*p);
// FIXIT-M should not need to set policies here
- set_default_policy();
+ set_default_policy(p->context->conf);
p->user_inspection_policy_id = get_inspection_policy()->user_policy_id;
p->user_ips_policy_id = get_ips_policy()->user_policy_id;
p->user_network_policy_id = get_network_policy()->user_policy_id;
daq_stats.internal_blacklist++;
verdict = DAQ_VERDICT_BLOCK;
}
- else if ( SnortConfig::inline_mode() || act->packet_force_dropped() )
+ else if ( p->context->conf->inline_mode() || act->packet_force_dropped() )
verdict = DAQ_VERDICT_BLACKLIST;
else
verdict = DAQ_VERDICT_IGNORE;
void Analyzer::process_daq_pkt_msg(DAQ_Msg_h msg, bool retry)
{
const DAQ_PktHdr_t* pkthdr = daq_msg_get_pkthdr(msg);
- set_default_policy();
pc.analyzed_pkts++;
DetectionEngine::wait_for_context();
switcher->start();
+
Packet* p = switcher->get_context()->packet;
oops_handler->set_current_packet(p);
p->context->wire_packet = p;
p->context->packet_number = get_packet_number();
+ set_default_policy(p->context->conf);
DetectionEngine::reset();
-
sfthreshold_reset();
Active::clear_queue(p);
p->daq_msg = msg;
p->daq_instance = daq_instance;
+
PacketManager::decode(p, pkthdr, daq_msg_get_data(msg), daq_msg_get_data_len(msg), false, retry);
+
if (process_packet(p))
{
post_process_daq_pkt_msg(p);
for ( unsigned i = 0; i < max_contexts; ++i )
switcher->push(new IpsContext);
- SnortConfig* sc = SnortConfig::get_conf();
+ const SnortConfig* sc = SnortConfig::get_conf();
// This should be called as soon as possible
// to handle all trace log messages
detection_filter_init(sc->detection_filter_config);
EventManager::open_outputs();
- IpsManager::setup_options();
+ IpsManager::setup_options(sc);
ActionManager::thread_init(sc);
FileService::thread_init();
SideChannelManager::thread_init();
SFRF_Alloc(sc->rate_filter_config->memcap);
}
-void Analyzer::reinit(SnortConfig* sc)
+void Analyzer::reinit(const SnortConfig* sc)
{
InspectorManager::thread_reinit(sc);
ActionManager::thread_reinit(sc);
void Analyzer::term()
{
- SnortConfig* sc = SnortConfig::get_conf();
+ const SnortConfig* sc = SnortConfig::get_conf();
HighAvailabilityManager::thread_term_beginning();
DetectionEngine::idle();
InspectorManager::thread_stop(sc);
- ModuleManager::accumulate(sc);
- InspectorManager::thread_term(sc);
- ActionManager::thread_term(sc);
+ ModuleManager::accumulate();
+ InspectorManager::thread_term();
+ ActionManager::thread_term();
- IpsManager::clear_options();
+ IpsManager::clear_options(sc);
EventManager::close_outputs();
CodecManager::thread_term();
HighAvailabilityManager::thread_term();
ps->apply(*this);
delete ps;
- if (SnortConfig::pcap_show())
+ if (SnortConfig::get_conf()->pcap_show())
show_source();
// init here to pin separately from packet threads
// Perform all packet thread initialization actions that need to be taken with escalated
// privileges prior to starting the DAQ module.
- SnortConfig::get_conf()->thread_config->implement_thread_affinity(STHREAD_TYPE_PACKET,
- get_instance_id());
+ SnortConfig::get_conf()->thread_config->implement_thread_affinity(
+ STHREAD_TYPE_PACKET, get_instance_id());
SFDAQ::set_local_instance(daq_instance);
set_state(State::INITIALIZED);
void pause();
void resume(uint64_t msg_cnt);
void reload_daq();
- void reinit(snort::SnortConfig*);
+ void reinit(const snort::SnortConfig*);
void rotate();
snort::SFDAQInstance* get_daq_instance() { return daq_instance; }
// FIXIT-P This incurs locking on all threads to retrieve stats. It
// could be reimplemented to optimize for large thread counts by
// retrieving stats in the command and accumulating in the main thread.
- ModuleManager::accumulate(SnortConfig::get_conf());
+ ModuleManager::accumulate();
return true;
}
{
ps->apply(analyzer);
- SnortConfig* sc = ps->get_new_conf();
+ const SnortConfig* sc = ps->get_new_conf();
if ( sc )
{
std::list<ReloadResourceTuner*>* reload_tuners;
int ControlMgmt::setup_socket_family()
{
int family = AF_UNSPEC;
- if (SnortConfig::get_conf()->remote_control_port)
+ const SnortConfig* sc = SnortConfig::get_conf();
+
+ if (sc->remote_control_port)
{
memset(&in_addr, 0, sizeof(in_addr));
in_addr.sin_family = AF_INET;
in_addr.sin_addr.s_addr = htonl(0x7F000001);
- in_addr.sin_port = htons(SnortConfig::get_conf()->remote_control_port);
+ in_addr.sin_port = htons(sc->remote_control_port);
sock_addr = (struct sockaddr*)&in_addr;
sock_addr_size = sizeof(in_addr);
family = AF_INET;
}
- else if (!SnortConfig::get_conf()->remote_control_socket.empty())
+ else if (!sc->remote_control_socket.empty())
{
string fullpath;
- const char* path_sep = strrchr(SnortConfig::get_conf()->remote_control_socket.c_str(), '/');
+ const char* path_sep = strrchr(sc->remote_control_socket.c_str(), '/');
if (path_sep != nullptr)
- fullpath = SnortConfig::get_conf()->remote_control_socket;
+ fullpath = sc->remote_control_socket;
else
- get_instance_file(fullpath, SnortConfig::get_conf()->remote_control_socket.c_str());
+ get_instance_file(fullpath, sc->remote_control_socket.c_str());
memset(&unix_addr, 0, sizeof(unix_addr));
unix_addr.sun_family = AF_UNIX;
sc->tagged_packet_limit = v.get_uint32();
else if ( v.is("verbose") )
- v.update_mask(sc->logging_flags, LOGGING_FLAG__VERBOSE);
-
+ {
+ if ( v.get_bool() )
+ v.update_mask(sc->logging_flags, LOGGING_FLAG__VERBOSE);
+ }
else if ( v.is("wide_hex_dump") )
v.update_mask(sc->output_flags, OUTPUT_FLAG__WIDE_HEX);
bool ProcessModule::set(const char*, Value& v, SnortConfig* sc)
{
if ( v.is("daemon") )
- sc->set_daemon(v.get_bool());
-
+ {
+ if ( v.get_bool() ) // FIXIT-M fix cmd line vs conf conflicts
+ sc->set_daemon(true);
+ }
else if ( v.is("chroot") )
sc->set_chroot_dir(v.get_string());
sc->policy_map->get_ips_policy(i) : nullptr;
}
-InspectionPolicy* get_default_inspection_policy(SnortConfig* sc)
+InspectionPolicy* get_default_inspection_policy(const SnortConfig* sc)
{ return sc->policy_map->get_inspection_policy(0); }
void set_ips_policy(IpsPolicy* p)
void set_network_policy(NetworkPolicy* p)
{ s_traffic_policy = p; }
-IpsPolicy* get_user_ips_policy(SnortConfig* sc, unsigned policy_id)
+IpsPolicy* get_user_ips_policy(const SnortConfig* sc, unsigned policy_id)
{
return sc->policy_map->get_user_ips(policy_id);
}
-IpsPolicy* get_empty_ips_policy(SnortConfig* sc)
+IpsPolicy* get_empty_ips_policy(const SnortConfig* sc)
{
return sc->policy_map->get_empty_ips();
}
-NetworkPolicy* get_user_network_policy(SnortConfig* sc, unsigned policy_id)
+NetworkPolicy* get_user_network_policy(const SnortConfig* sc, unsigned policy_id)
{
return sc->policy_map->get_user_network(policy_id);
}
} // namespace snort
-void set_network_policy(SnortConfig* sc, unsigned i)
+void set_network_policy(const SnortConfig* sc, unsigned i)
{
PolicyMap* pm = sc->policy_map;
void set_inspection_policy(InspectionPolicy* p)
{ s_inspection_policy = p; }
-void set_inspection_policy(SnortConfig* sc, unsigned i)
+void set_inspection_policy(const SnortConfig* sc, unsigned i)
{
PolicyMap* pm = sc->policy_map;
set_inspection_policy(pm->get_inspection_policy(i));
}
-void set_ips_policy(SnortConfig* sc, unsigned i)
+void set_ips_policy(const SnortConfig* sc, unsigned i)
{
PolicyMap* pm = sc->policy_map;
set_ips_policy(pm->get_ips_policy(i));
}
-void set_policies(SnortConfig* sc, Shell* sh)
+void set_policies(const SnortConfig* sc, Shell* sh)
{
auto policies = sc->policy_map->get_policies(sh);
set_network_policy(policies->network);
}
-void set_default_policy(SnortConfig* sc)
+void set_default_policy(const SnortConfig* sc)
{
set_network_policy(sc->policy_map->get_network_policy(0));
set_inspection_policy(sc->policy_map->get_inspection_policy(0));
set_ips_policy(sc->policy_map->get_ips_policy(0));
}
-void set_default_policy()
-{ set_default_policy(SnortConfig::get_conf()); }
-
bool default_inspection_policy()
{
if ( !get_inspection_policy() )
public:
NetworkPolicy(PolicyId = 0);
+ bool checksum_drops(uint16_t codec_cksum_err_flag)
+ { return (checksum_drop & codec_cksum_err_flag) != 0; }
+
+ bool ip_checksums()
+ { return (checksum_eval & CHECKSUM_FLAG__IP) != 0; }
+
+ bool udp_checksums()
+ { return (checksum_eval & CHECKSUM_FLAG__UDP) != 0; }
+
+ bool tcp_checksums()
+ { return (checksum_eval & CHECKSUM_FLAG__TCP) != 0; }
+
+ bool icmp_checksums()
+ { return (checksum_eval & CHECKSUM_FLAG__ICMP) != 0; }
+
public:
PolicyId policy_id;
uint32_t user_policy_id = 0;
SO_PUBLIC InspectionPolicy* get_inspection_policy();
SO_PUBLIC IpsPolicy* get_ips_policy();
SO_PUBLIC IpsPolicy* get_ips_policy(const snort::SnortConfig*, unsigned i = 0);
-SO_PUBLIC InspectionPolicy* get_default_inspection_policy(snort::SnortConfig*);
-SO_PUBLIC void set_ips_policy(IpsPolicy* p);
-SO_PUBLIC void set_network_policy(NetworkPolicy* p);
-SO_PUBLIC IpsPolicy* get_user_ips_policy(snort::SnortConfig* sc, unsigned policy_id);
-SO_PUBLIC IpsPolicy* get_empty_ips_policy(snort::SnortConfig* sc);
-SO_PUBLIC NetworkPolicy* get_user_network_policy(snort::SnortConfig* sc, unsigned policy_id);
+SO_PUBLIC InspectionPolicy* get_default_inspection_policy(const snort::SnortConfig*);
+SO_PUBLIC void set_ips_policy(IpsPolicy*);
+SO_PUBLIC void set_network_policy(NetworkPolicy*);
+SO_PUBLIC IpsPolicy* get_user_ips_policy(const snort::SnortConfig*, unsigned policy_id);
+SO_PUBLIC IpsPolicy* get_empty_ips_policy(const snort::SnortConfig*);
+SO_PUBLIC NetworkPolicy* get_user_network_policy(const snort::SnortConfig*, unsigned policy_id);
}
-void set_network_policy(snort::SnortConfig*, unsigned = 0);
+void set_network_policy(const snort::SnortConfig*, unsigned = 0);
void set_inspection_policy(InspectionPolicy*);
-void set_inspection_policy(snort::SnortConfig*, unsigned = 0);
+void set_inspection_policy(const snort::SnortConfig*, unsigned = 0);
-void set_ips_policy(snort::SnortConfig*, unsigned = 0);
+void set_ips_policy(const snort::SnortConfig*, unsigned = 0);
-void set_policies(snort::SnortConfig*, Shell*);
-void set_default_policy();
-void set_default_policy(snort::SnortConfig*);
+void set_policies(const snort::SnortConfig*, Shell*);
+void set_default_policy(const snort::SnortConfig*);
bool default_inspection_policy();
bool only_inspection_policy();
if ( !overrides.empty() )
load_string(lua, overrides.c_str());
- if ( SnortConfig::log_verbose() )
+ if ( SnortConfig::get_conf()->log_verbose() )
print_whitelist();
load_string(lua, ModuleManager::get_lua_finalize());
PluginManager::load_so_plugins(sc);
- if ( snort_cmd_line_conf->logging_flags & LOGGING_FLAG__SHOW_PLUGINS )
+ if ( sc->logging_flags & LOGGING_FLAG__SHOW_PLUGINS )
{
ModuleManager::dump_modules();
PluginManager::dump_plugins();
HighAvailabilityManager::configure(sc->ha_config);
- if (SnortConfig::alert_before_pass())
+ if (sc->alert_before_pass())
sc->rule_order = "reset block drop alert pass log";
sc->setup();
// Must be after CodecManager::instantiate()
if ( !InspectorManager::configure(sc) )
ParseError("can't initialize inspectors");
- else if ( SnortConfig::log_verbose() )
+ else if ( sc->log_verbose() )
InspectorManager::print_config(sc);
// Must be after InspectorManager::configure()
- FileService::post_init();
+ FileService::post_init(sc);
ModuleManager::reset_stats(sc);
bool Snort::drop_privileges()
{
- /* Enter the chroot jail if necessary. */
- if (!SnortConfig::get_conf()->chroot_dir.empty() &&
- !EnterChroot(SnortConfig::get_conf()->chroot_dir, SnortConfig::get_conf()->log_dir))
+ SnortConfig* sc = SnortConfig::get_main_conf();
+
+ // Enter the chroot jail if necessary.
+ if (!sc->chroot_dir.empty() && !EnterChroot(sc->chroot_dir, sc->log_dir))
return false;
- /* Drop privileges if requested. */
- if (SnortConfig::get_uid() != -1 || SnortConfig::get_gid() != -1)
+ // Drop privileges if requested.
+ if (sc->get_uid() != -1 || sc->get_gid() != -1)
{
if (!SFDAQ::can_run_unprivileged())
{
- ParseError("Cannot drop privileges - at least one of the configured DAQ modules does not support unprivileged operation.\n");
+ ParseError("Cannot drop privileges - "
+ "at least one of the configured DAQ modules does not support unprivileged operation.\n");
return false;
}
- if (!SetUidGid(SnortConfig::get_uid(), SnortConfig::get_gid()))
+ if (!SetUidGid(sc->get_uid(), sc->get_gid()))
return false;
}
{
static bool pid_file_created = false;
- if (SnortConfig::create_pid_file() && !pid_file_created)
+ if (SnortConfig::get_conf()->create_pid_file() && !pid_file_created)
{
CreatePidFile(snort_main_thread_pid);
pid_file_created = true;
if ( already_exiting )
return;
+ const SnortConfig* sc = SnortConfig::get_conf();
+
already_exiting = true;
initializing = false; // just in case we cut out early
memory::MemoryCap::print();
term_signals();
- IpsManager::global_term(SnortConfig::get_conf());
+ IpsManager::global_term(sc);
HostAttributes::cleanup();
#ifdef PIGLET
ClosePidFile();
/* remove pid file */
- if ( !SnortConfig::get_conf()->pid_filename.empty() )
+ if ( !sc->pid_filename.empty() )
{
- int ret = unlink(SnortConfig::get_conf()->pid_filename.c_str());
+ int ret = unlink(sc->pid_filename.c_str());
if (ret != 0)
{
ErrorMessage("Could not remove pid file %s: %s\n",
- SnortConfig::get_conf()->pid_filename.c_str(), get_error(errno));
+ sc->pid_filename.c_str(), get_error(errno));
}
}
TraceApi::thread_term();
/* free allocated memory */
- if (SnortConfig::get_conf() == snort_cmd_line_conf)
- {
- delete snort_cmd_line_conf;
- snort_cmd_line_conf = nullptr;
- SnortConfig::set_conf(nullptr);
- }
- else
- {
- delete snort_cmd_line_conf;
- snort_cmd_line_conf = nullptr;
+ if (sc != snort_cmd_line_conf)
+ delete sc;
- delete SnortConfig::get_conf();
- SnortConfig::set_conf(nullptr);
- }
+ delete snort_cmd_line_conf;
+ snort_cmd_line_conf = nullptr;
+ SnortConfig::set_conf(nullptr);
CleanupProtoNames();
HighAvailabilityManager::term();
OpenLogger();
init(argc, argv);
+ const SnortConfig* sc = SnortConfig::get_conf();
- if ( SnortConfig::daemon_mode() )
+ if ( sc->daemon_mode() )
daemonize();
// this must follow daemonization
snort_main_thread_pid = gettid();
/* Change groups */
- InitGroups(SnortConfig::get_uid(), SnortConfig::get_gid());
+ InitGroups(sc->get_uid(), sc->get_gid());
set_quick_exit(false);
SFDAQ::term();
FileService::close();
- if ( !SnortConfig::test_mode() ) // FIXIT-M ideally the check is in one place
+ if ( !SnortConfig::get_conf()->test_mode() ) // FIXIT-M ideally the check is in one place
PrintStatistics();
CloseLogger();
return nullptr;
}
- if ( SnortConfig::log_verbose() )
+ if ( sc->log_verbose() )
InspectorManager::print_config(sc);
- if ((sc->file_mask != 0) && (sc->file_mask != SnortConfig::get_conf()->file_mask))
- umask(sc->file_mask);
-
// FIXIT-L is this still needed?
/* Transfer any user defined rule type outputs to the new rule list */
{
return sc;
}
-SnortConfig* Snort::get_updated_policy(SnortConfig* other_conf, const char* fname, const char* iname)
+SnortConfig* Snort::get_updated_policy(
+ SnortConfig* other_conf, const char* fname, const char* iname)
{
reloading = true;
reset_parse_errors();
#define OUTPUT_U2 "unified2"
#define OUTPUT_FAST "alert_fast"
-SnortConfig* parser_conf = nullptr;
-THREAD_LOCAL SnortConfig* snort_conf = nullptr;
+static THREAD_LOCAL const SnortConfig* snort_conf = nullptr;
uint32_t SnortConfig::warning_flags = 0;
// private implementation
//-------------------------------------------------------------------------
-static PolicyMode init_policy_mode(PolicyMode mode)
+static PolicyMode init_policy_mode(const SnortConfig* sc, PolicyMode mode)
{
switch ( mode )
{
case POLICY_MODE__PASSIVE:
- if ( SnortConfig::adaptor_inline_test_mode() )
+ if ( sc->adaptor_inline_test_mode() )
return POLICY_MODE__INLINE_TEST;
break;
case POLICY_MODE__INLINE:
- if ( SnortConfig::adaptor_inline_test_mode() )
+ if ( sc->adaptor_inline_test_mode() )
return POLICY_MODE__INLINE_TEST;
- else if (!SnortConfig::adaptor_inline_mode())
+ else if (!sc->adaptor_inline_mode())
{
ParseWarning(WARN_DAQ, "adapter is in passive mode; switching policy mode to tap.");
return POLICY_MODE__PASSIVE;
break;
case POLICY_MODE__MAX:
- if ( SnortConfig::adaptor_inline_mode() )
+ if ( sc->adaptor_inline_mode() )
return POLICY_MODE__INLINE;
else
return POLICY_MODE__PASSIVE;
for ( unsigned idx = 0; idx < sc->policy_map->ips_policy_count(); ++idx )
{
ips_policy = sc->policy_map->get_ips_policy(idx);
- ips_policy->policy_mode = init_policy_mode(ips_policy->policy_mode);
+ ips_policy->policy_mode = init_policy_mode(sc, ips_policy->policy_mode);
}
for ( unsigned idx = 0; idx < sc->policy_map->inspection_policy_count(); ++idx )
{
inspection_policy = sc->policy_map->get_inspection_policy(idx);
- inspection_policy->policy_mode = init_policy_mode(inspection_policy->policy_mode);
+ inspection_policy->policy_mode = init_policy_mode(sc, inspection_policy->policy_mode);
}
}
clone(other_conf);
policy_map = new PolicyMap(other_conf->policy_map);
}
-
- set_inspection_policy(policy_map->get_inspection_policy());
- set_ips_policy(policy_map->get_ips_policy());
- set_network_policy(policy_map->get_network_policy());
}
//-------------------------------------------------------------------------
trace_config->merge_cmd_line(cmd_line->trace_config);
}
-bool SnortConfig::verify()
+bool SnortConfig::verify() const
{
bool config_ok = false;
+ const SnortConfig* sc = get_conf();
- if (get_conf()->asn1_mem != asn1_mem)
+ if ( sc->asn1_mem != asn1_mem )
ReloadError("Changing detection.asn1_mem requires a restart.\n");
- else if ( get_conf()->bpf_filter != bpf_filter )
+ else if ( sc->bpf_filter != bpf_filter )
ReloadError("Changing packets.bfp_filter requires a restart.\n");
- else if ( get_conf()->respond_attempts != respond_attempts )
+ else if ( sc->respond_attempts != respond_attempts )
ReloadError("Changing active.attempts requires a restart.\n");
- else if ( get_conf()->respond_device != respond_device )
+ else if ( sc->respond_device != respond_device )
ReloadError("Changing active.device requires a restart.\n");
- else if (get_conf()->chroot_dir != chroot_dir)
+ else if (sc->chroot_dir != chroot_dir)
ReloadError("Changing process.chroot requires a restart.\n");
- else if ((get_conf()->run_flags & RUN_FLAG__DAEMON) != (run_flags & RUN_FLAG__DAEMON))
+ else if ((sc->run_flags & RUN_FLAG__DAEMON) != (run_flags & RUN_FLAG__DAEMON))
ReloadError("Changing process.daemon requires a restart.\n");
- else if (get_conf()->orig_log_dir != orig_log_dir)
+ else if (sc->orig_log_dir != orig_log_dir)
ReloadError("Changing output.logdir requires a restart.\n");
- else if (get_conf()->group_id != group_id)
+ else if (sc->group_id != group_id)
ReloadError("Changing process.setgid requires a restart.\n");
- else if (get_conf()->user_id != user_id)
+ else if (sc->user_id != user_id)
ReloadError("Changing process.setuid requires a restart.\n");
- else if (get_conf()->daq_config->get_mru_size() != daq_config->get_mru_size())
+ else if (sc->daq_config->get_mru_size() != daq_config->get_mru_size())
ReloadError("Changing daq.snaplen requires a restart.\n");
- else if (get_conf()->threshold_config->memcap != threshold_config->memcap)
+ else if (sc->threshold_config->memcap != threshold_config->memcap)
ReloadError("Changing alerts.event_filter_memcap requires a restart.\n");
- else if (get_conf()->rate_filter_config->memcap != rate_filter_config->memcap)
+ else if (sc->rate_filter_config->memcap != rate_filter_config->memcap)
ReloadError("Changing alerts.rate_filter_memcap requires a restart.\n");
- else if (get_conf()->detection_filter_config->memcap != detection_filter_config->memcap)
+ else if (sc->detection_filter_config->memcap != detection_filter_config->memcap)
ReloadError("Changing alerts.detection_filter_memcap requires a restart.\n");
else
syslog_configured = true;
}
-bool SnortConfig::tunnel_bypass_enabled(uint16_t proto)
+bool SnortConfig::get_default_rule_state() const
{
- return (!((get_conf()->tunnel_mask & proto) or SFDAQ::get_tunnel_bypass(proto)));
+ switch ( get_ips_policy()->default_rule_state )
+ {
+ case IpsPolicy::INHERIT_ENABLE:
+ return global_default_rule_state;
+
+ case IpsPolicy::ENABLED:
+ return true;
+
+ case IpsPolicy::DISABLED:
+ return false;
+ }
+ return true;
}
-SO_PUBLIC int SnortConfig::request_scratch(ScratchAllocator* s)
+bool SnortConfig::tunnel_bypass_enabled(uint16_t proto) const
+{
+ return !((tunnel_mask & proto) or SFDAQ::get_tunnel_bypass(proto));
+}
+
+int SnortConfig::request_scratch(ScratchAllocator* s)
{
scratch_handlers.emplace_back(s);
return scratch_handlers.size() - 1;
}
-SO_PUBLIC void SnortConfig::release_scratch(int id)
+void SnortConfig::release_scratch(int id)
{
assert((unsigned)id < scratch_handlers.size());
scratch_handlers[id] = nullptr;
}
-SO_PUBLIC SnortConfig* SnortConfig::get_parser_conf()
-{ return parser_conf; }
-
-void SnortConfig::set_parser_conf(SnortConfig* sc)
-{ parser_conf = sc; }
+SnortConfig* SnortConfig::get_main_conf()
+{ return const_cast<SnortConfig*>(snort_conf); }
-SO_PUBLIC SnortConfig* SnortConfig::get_conf()
+const SnortConfig* SnortConfig::get_conf()
{ return snort_conf; }
-void SnortConfig::set_conf(SnortConfig* sc)
+void SnortConfig::set_conf(const SnortConfig* sc)
{
snort_conf = sc;
void setup();
void post_setup();
- bool verify();
+ bool verify() const;
void merge(SnortConfig*);
void clone(const SnortConfig* const);
void set_verbose(bool);
//------------------------------------------------------
- // Static convenience accessor methods
+ // accessor methods
- static long int get_mpls_stack_depth()
- { return get_conf()->mpls_stack_depth; }
+ long int get_mpls_stack_depth() const
+ { return mpls_stack_depth; }
- static long int get_mpls_payload_type()
- { return get_conf()->mpls_payload_type; }
+ long int get_mpls_payload_type() const
+ { return mpls_payload_type; }
- static bool mpls_overlapping_ip()
- { return get_conf()->run_flags & RUN_FLAG__MPLS_OVERLAPPING_IP; }
+ bool mpls_overlapping_ip() const
+ { return run_flags & RUN_FLAG__MPLS_OVERLAPPING_IP; }
- static bool mpls_multicast()
- { return get_conf()->run_flags & RUN_FLAG__MPLS_MULTICAST; }
+ bool mpls_multicast() const
+ { return run_flags & RUN_FLAG__MPLS_MULTICAST; }
- static bool esp_decoding()
- { return get_conf()->enable_esp; }
+ bool esp_decoding() const
+ { return enable_esp; }
- static bool is_address_anomaly_check_enabled()
- { return get_conf()->address_anomaly_check_enabled; }
+ bool is_address_anomaly_check_enabled() const
+ { return address_anomaly_check_enabled; }
// mode related
- static bool dump_msg_map()
- { return get_conf()->run_flags & RUN_FLAG__DUMP_MSG_MAP; }
+ bool dump_msg_map() const
+ { return run_flags & RUN_FLAG__DUMP_MSG_MAP; }
- static bool dump_rule_meta()
- { return get_conf()->run_flags & RUN_FLAG__DUMP_RULE_META; }
+ bool dump_rule_meta() const
+ { return run_flags & RUN_FLAG__DUMP_RULE_META; }
- static bool dump_rule_state()
- { return get_conf()->run_flags & RUN_FLAG__DUMP_RULE_STATE; }
+ bool dump_rule_state() const
+ { return run_flags & RUN_FLAG__DUMP_RULE_STATE; }
- static bool dump_rule_deps()
- { return get_conf()->run_flags & RUN_FLAG__DUMP_RULE_DEPS; }
+ bool dump_rule_deps() const
+ { return run_flags & RUN_FLAG__DUMP_RULE_DEPS; }
- static bool dump_rule_info()
- {
- const SnortConfig* sc = get_conf();
- return sc->dump_msg_map() or sc->dump_rule_meta() or
- sc->dump_rule_deps() or sc->dump_rule_state();
- }
+ bool dump_rule_info() const
+ { return dump_msg_map() or dump_rule_meta() or dump_rule_deps() or dump_rule_state(); }
- static bool test_mode()
- { return get_conf()->run_flags & RUN_FLAG__TEST; }
+ bool test_mode() const
+ { return run_flags & RUN_FLAG__TEST; }
- static bool mem_check()
- { return get_conf()->run_flags & RUN_FLAG__MEM_CHECK; }
+ bool mem_check() const
+ { return run_flags & RUN_FLAG__MEM_CHECK; }
- static bool daemon_mode()
- { return get_conf()->run_flags & RUN_FLAG__DAEMON; }
+ bool daemon_mode() const
+ { return run_flags & RUN_FLAG__DAEMON; }
- static bool read_mode()
- { return get_conf()->run_flags & RUN_FLAG__READ; }
+ bool read_mode() const
+ { return run_flags & RUN_FLAG__READ; }
- static bool inline_mode()
- { return snort::get_ips_policy()->policy_mode == POLICY_MODE__INLINE; }
+ bool inline_mode() const
+ { return get_ips_policy()->policy_mode == POLICY_MODE__INLINE; }
- static bool inline_test_mode()
- { return snort::get_ips_policy()->policy_mode == POLICY_MODE__INLINE_TEST; }
+ bool inline_test_mode() const
+ { return get_ips_policy()->policy_mode == POLICY_MODE__INLINE_TEST; }
- static bool show_file_codes()
- { return get_conf()->run_flags & RUN_FLAG__SHOW_FILE_CODES; }
+ bool show_file_codes() const
+ { return run_flags & RUN_FLAG__SHOW_FILE_CODES; }
- static bool adaptor_inline_mode()
- { return get_conf()->run_flags & RUN_FLAG__INLINE; }
+ bool adaptor_inline_mode() const
+ { return run_flags & RUN_FLAG__INLINE; }
- static bool adaptor_inline_test_mode()
- { return get_conf()->run_flags & RUN_FLAG__INLINE_TEST; }
+ bool adaptor_inline_test_mode() const
+ { return run_flags & RUN_FLAG__INLINE_TEST; }
// logging stuff
- static bool log_syslog()
- { return get_conf()->logging_flags & LOGGING_FLAG__SYSLOG; }
+ bool log_syslog() const
+ { return logging_flags & LOGGING_FLAG__SYSLOG; }
- static bool log_verbose()
- { return get_conf()->logging_flags & LOGGING_FLAG__VERBOSE; }
+ bool log_verbose() const
+ { return logging_flags & LOGGING_FLAG__VERBOSE; }
- static bool log_quiet()
- { return get_conf()->logging_flags & LOGGING_FLAG__QUIET; }
+ bool log_quiet() const
+ { return logging_flags & LOGGING_FLAG__QUIET; }
// event stuff
- static uint32_t get_event_log_id()
- { return get_conf()->event_log_id; }
+ uint32_t get_event_log_id() const
+ { return event_log_id; }
- static bool process_all_events()
- { return get_conf()->event_queue_config->process_all_events; }
+ bool process_all_events() const
+ { return event_queue_config->process_all_events; }
- static int get_eval_index(Actions::Type type)
- { return get_conf()->evalOrder[type]; }
-
- static bool get_default_rule_state()
- {
- switch ( get_ips_policy()->default_rule_state )
- {
- case IpsPolicy::INHERIT_ENABLE:
- return get_conf()->global_default_rule_state;
-
- case IpsPolicy::ENABLED:
- return true;
-
- case IpsPolicy::DISABLED:
- return false;
- }
- return true;
- }
-
- SO_PUBLIC static bool tunnel_bypass_enabled(uint16_t proto);
-
- // checksum stuff
- static bool checksum_drop(uint16_t codec_cksum_err_flag)
- { return snort::get_network_policy()->checksum_drop & codec_cksum_err_flag; }
-
- static bool ip_checksums()
- { return snort::get_network_policy()->checksum_eval & CHECKSUM_FLAG__IP; }
-
- static bool ip_checksum_drops()
- { return snort::get_network_policy()->checksum_drop & CHECKSUM_FLAG__IP; }
-
- static bool udp_checksums()
- { return snort::get_network_policy()->checksum_eval & CHECKSUM_FLAG__UDP; }
-
- static bool udp_checksum_drops()
- { return snort::get_network_policy()->checksum_drop & CHECKSUM_FLAG__UDP; }
-
- static bool tcp_checksums()
- { return snort::get_network_policy()->checksum_eval & CHECKSUM_FLAG__TCP; }
-
- static bool tcp_checksum_drops()
- { return snort::get_network_policy()->checksum_drop & CHECKSUM_FLAG__TCP; }
-
- static bool icmp_checksums()
- { return snort::get_network_policy()->checksum_eval & CHECKSUM_FLAG__ICMP; }
-
- static bool icmp_checksum_drops()
- { return snort::get_network_policy()->checksum_drop & CHECKSUM_FLAG__ICMP; }
+ int get_eval_index(Actions::Type type) const
+ { return evalOrder[type]; }
// output stuff
- static bool output_include_year()
- { return get_conf()->output_flags & OUTPUT_FLAG__INCLUDE_YEAR; }
+ bool output_include_year() const
+ { return output_flags & OUTPUT_FLAG__INCLUDE_YEAR; }
- static bool output_use_utc()
- { return get_conf()->output_flags & OUTPUT_FLAG__USE_UTC; }
+ bool output_use_utc() const
+ { return output_flags & OUTPUT_FLAG__USE_UTC; }
- static bool output_datalink()
- { return get_conf()->output_flags & OUTPUT_FLAG__SHOW_DATA_LINK; }
+ bool output_datalink() const
+ { return output_flags & OUTPUT_FLAG__SHOW_DATA_LINK; }
- static bool verbose_byte_dump()
- { return get_conf()->output_flags & OUTPUT_FLAG__VERBOSE_DUMP; }
+ bool verbose_byte_dump() const
+ { return output_flags & OUTPUT_FLAG__VERBOSE_DUMP; }
- static bool obfuscate()
- { return get_conf()->output_flags & OUTPUT_FLAG__OBFUSCATE; }
+ bool obfuscate() const
+ { return output_flags & OUTPUT_FLAG__OBFUSCATE; }
- static bool output_app_data()
- { return get_conf()->output_flags & OUTPUT_FLAG__APP_DATA; }
+ bool output_app_data() const
+ { return output_flags & OUTPUT_FLAG__APP_DATA; }
- static bool output_char_data()
- { return get_conf()->output_flags & OUTPUT_FLAG__CHAR_DATA; }
+ bool output_char_data() const
+ { return output_flags & OUTPUT_FLAG__CHAR_DATA; }
- static bool alert_interface()
- { return get_conf()->output_flags & OUTPUT_FLAG__ALERT_IFACE; }
+ bool alert_interface() const
+ { return output_flags & OUTPUT_FLAG__ALERT_IFACE; }
- static bool output_no_timestamp()
- { return get_conf()->output_flags & OUTPUT_FLAG__NO_TIMESTAMP; }
+ bool output_no_timestamp() const
+ { return output_flags & OUTPUT_FLAG__NO_TIMESTAMP; }
- static bool line_buffered_logging()
- { return get_conf()->output_flags & OUTPUT_FLAG__LINE_BUFFER; }
+ bool line_buffered_logging() const
+ { return output_flags & OUTPUT_FLAG__LINE_BUFFER; }
- static bool output_wide_hex()
- { return get_conf()->output_flags & OUTPUT_FLAG__WIDE_HEX; }
+ bool output_wide_hex() const
+ { return output_flags & OUTPUT_FLAG__WIDE_HEX; }
- static bool alert_refs()
- { return get_conf()->output_flags & OUTPUT_FLAG__ALERT_REFS; }
+ bool alert_refs() const
+ { return output_flags & OUTPUT_FLAG__ALERT_REFS; }
// run flags
- static bool no_lock_pid_file()
- { return get_conf()->run_flags & RUN_FLAG__NO_LOCK_PID_FILE; }
+ bool no_lock_pid_file() const
+ { return run_flags & RUN_FLAG__NO_LOCK_PID_FILE; }
- static bool create_pid_file()
- { return get_conf()->run_flags & RUN_FLAG__CREATE_PID_FILE; }
+ bool create_pid_file() const
+ { return run_flags & RUN_FLAG__CREATE_PID_FILE; }
- static bool pcap_show()
- { return get_conf()->run_flags & RUN_FLAG__PCAP_SHOW; }
+ bool pcap_show() const
+ { return run_flags & RUN_FLAG__PCAP_SHOW; }
- static bool treat_drop_as_alert()
- { return get_conf()->run_flags & RUN_FLAG__TREAT_DROP_AS_ALERT; }
+ bool treat_drop_as_alert() const
+ { return run_flags & RUN_FLAG__TREAT_DROP_AS_ALERT; }
- static bool treat_drop_as_ignore()
- { return get_conf()->run_flags & RUN_FLAG__TREAT_DROP_AS_IGNORE; }
+ bool treat_drop_as_ignore() const
+ { return run_flags & RUN_FLAG__TREAT_DROP_AS_IGNORE; }
- static bool alert_before_pass()
- { return get_conf()->run_flags & RUN_FLAG__ALERT_BEFORE_PASS; }
+ bool alert_before_pass() const
+ { return run_flags & RUN_FLAG__ALERT_BEFORE_PASS; }
- static bool no_pcre()
- { return get_conf()->run_flags & RUN_FLAG__NO_PCRE; }
+ bool no_pcre() const
+ { return run_flags & RUN_FLAG__NO_PCRE; }
- static bool conf_error_out()
- { return get_conf()->run_flags & RUN_FLAG__CONF_ERROR_OUT; }
+ bool conf_error_out() const
+ { return run_flags & RUN_FLAG__CONF_ERROR_OUT; }
- static bool assure_established()
- { return get_conf()->run_flags & RUN_FLAG__ASSURE_EST; }
-
- // FIXIT-L snort_conf needed for static hash before initialized
- static bool static_hash()
- { return get_conf() && get_conf()->run_flags & RUN_FLAG__STATIC_HASH; }
+ bool assure_established() const
+ { return run_flags & RUN_FLAG__ASSURE_EST; }
// other stuff
- static uint8_t min_ttl()
- { return snort::get_network_policy()->min_ttl; }
+ uint8_t min_ttl() const
+ { return get_network_policy()->min_ttl; }
- static uint8_t new_ttl()
- { return snort::get_network_policy()->new_ttl; }
+ uint8_t new_ttl() const
+ { return get_network_policy()->new_ttl; }
- static long int get_pcre_match_limit()
- { return get_conf()->pcre_match_limit; }
+ long int get_pcre_match_limit() const
+ { return pcre_match_limit; }
- static long int get_pcre_match_limit_recursion()
- { return get_conf()->pcre_match_limit_recursion; }
+ long int get_pcre_match_limit_recursion() const
+ { return pcre_match_limit_recursion; }
- static const ProfilerConfig* get_profiler()
- { return get_conf()->profiler; }
+ const ProfilerConfig* get_profiler() const
+ { return profiler; }
- static long int get_tagged_packet_limit()
- { return get_conf()->tagged_packet_limit; }
+ long int get_tagged_packet_limit() const
+ { return tagged_packet_limit; }
- static uint32_t get_max_attribute_hosts()
- { return get_conf()->max_attribute_hosts; }
+ uint32_t get_max_attribute_hosts() const
+ { return max_attribute_hosts; }
- static uint32_t get_max_services_per_host()
- { return get_conf()->max_attribute_services_per_host; }
+ uint32_t get_max_services_per_host() const
+ { return max_attribute_services_per_host; }
- static int get_uid()
- { return get_conf()->user_id; }
+ int get_uid() const
+ { return user_id; }
- static int get_gid()
- { return get_conf()->group_id; }
+ int get_gid() const
+ { return group_id; }
- static bool get_vlan_agnostic()
- { return get_conf()->vlan_agnostic; }
+ bool get_vlan_agnostic() const
+ { return vlan_agnostic; }
- static bool address_space_agnostic()
- { return get_conf()->addressspace_agnostic; }
+ bool address_space_agnostic() const
+ { return addressspace_agnostic; }
- static bool change_privileges()
- {
- return get_conf()->user_id != -1 || get_conf()->group_id != -1 ||
- !get_conf()->chroot_dir.empty();
- }
+ bool change_privileges() const
+ { return user_id != -1 || group_id != -1 || !chroot_dir.empty(); }
bool track_on_syn() const
{ return (run_flags & RUN_FLAG__TRACK_ON_SYN) != 0; }
void set_run_flags(RunFlag flag)
{ run_flags |= flag; }
+ const std::list<ReloadResourceTuner*>& get_reload_resource_tuners() const
+ { return reload_tuners; }
+
+ void clear_reload_resource_tuner_list()
+ { reload_tuners.clear(); }
+
+ bool get_default_rule_state() const;
+
+ SO_PUBLIC bool tunnel_bypass_enabled(uint16_t proto) const;
+
+ // FIXIT-L snort_conf needed for static hash before initialized
+ static bool static_hash()
+ { return get_conf() && get_conf()->run_flags & RUN_FLAG__STATIC_HASH; }
+
// This requests an entry in the scratch space vector and calls setup /
// cleanup as appropriate
SO_PUBLIC static int request_scratch(ScratchAllocator*);
SO_PUBLIC static void release_scratch(int);
- // Use this to access current thread's conf from other units
- static void set_conf(SnortConfig*);
- static void set_parser_conf(SnortConfig*);
+ // runtime access to const config - especially for packet threads
+ // prefer access via packet->context->conf
+ SO_PUBLIC static const SnortConfig* get_conf();
- SO_PUBLIC static SnortConfig* get_conf();
- SO_PUBLIC static SnortConfig* get_parser_conf(); // main thread only!
+ // runtime access to mutable config - main thread only, and only special cases
+ SO_PUBLIC static SnortConfig* get_main_conf();
SO_PUBLIC void register_reload_resource_tuner(ReloadResourceTuner& rrt)
{ reload_tuners.push_back(&rrt); }
- const std::list<ReloadResourceTuner*>& get_reload_resource_tuners() const
- { return reload_tuners; }
-
- void clear_reload_resource_tuner_list()
- { reload_tuners.clear(); }
+ static void set_conf(const SnortConfig*);
};
}
new_attribs = t;
}
-Swapper::Swapper(SnortConfig* sold, SnortConfig* snew)
+Swapper::Swapper(const SnortConfig* sold, SnortConfig* snew)
{
old_conf = sold;
new_conf = snew;
new_attribs = nullptr;
}
-Swapper::Swapper(SnortConfig* sold, SnortConfig* snew, HostAttributesTable* told, HostAttributesTable* tnew)
+Swapper::Swapper(
+ const SnortConfig* sold, SnortConfig* snew,
+ HostAttributesTable* told, HostAttributesTable* tnew)
{
old_conf = sold;
new_conf = snew;
{
public:
Swapper(snort::SnortConfig*, HostAttributesTable*);
- Swapper(snort::SnortConfig*, snort::SnortConfig*);
- Swapper(snort::SnortConfig*, snort::SnortConfig*, HostAttributesTable*, HostAttributesTable*);
+ Swapper(const snort::SnortConfig* sold, snort::SnortConfig* snew);
+
+ Swapper(const snort::SnortConfig* sold, snort::SnortConfig* snew,
+ HostAttributesTable*, HostAttributesTable*);
+
Swapper(HostAttributesTable*, HostAttributesTable*);
~Swapper();
static void set_reload_in_progress(bool rip) { reload_in_progress = rip; }
private:
- snort::SnortConfig* old_conf;
+ const snort::SnortConfig* old_conf;
snort::SnortConfig* new_conf;
HostAttributesTable* old_attribs;
const char* get_instance_file(std::string& file, const char* name)
{
+ const SnortConfig* sc = SnortConfig::get_conf();
+
bool sep = false;
- file = !SnortConfig::get_conf()->log_dir.empty() ?
- SnortConfig::get_conf()->log_dir : "./";
+ file = !sc->log_dir.empty() ? sc->log_dir : "./";
if ( file.back() != '/' )
file += '/';
- if ( !SnortConfig::get_conf()->run_prefix.empty() )
+ if ( !sc->run_prefix.empty() )
{
- file += SnortConfig::get_conf()->run_prefix;
+ file += sc->run_prefix;
sep = true;
}
- if ( (ThreadConfig::get_instance_max() > 1) || SnortConfig::get_conf()->id_zero )
+ if ( (ThreadConfig::get_instance_max() > 1) || sc->id_zero )
{
char id[8];
snprintf(id, sizeof(id), "%u",
- get_instance_id() + SnortConfig::get_conf()->id_offset);
+ get_instance_id() + sc->id_offset);
file += id;
sep = true;
}
- if ( SnortConfig::get_conf()->id_subdir )
+ if ( sc->id_subdir )
{
file += '/';
struct stat s;
return s_tl_actors->back();
}
-void ActionManager::thread_init(SnortConfig* sc)
+void ActionManager::thread_init(const SnortConfig* sc)
{
// Initial build out of this thread's configured plugin registry
s_tl_actors = new ACList;
}
}
-void ActionManager::thread_reinit(SnortConfig* sc)
+void ActionManager::thread_reinit(const SnortConfig* sc)
{
// Update this thread's configured plugin registry with any newly configured inspectors
for ( auto& p : sc->ips_actions_config->clist )
Active::thread_init(sc);
}
-void ActionManager::thread_term(SnortConfig*)
+void ActionManager::thread_term()
{
if (s_tl_actors)
{
static void instantiate(const snort::ActionApi*, snort::Module*, snort::SnortConfig*);
- static void thread_init(snort::SnortConfig*);
- static void thread_reinit(snort::SnortConfig*);
- static void thread_term(snort::SnortConfig*);
+ static void thread_init(const snort::SnortConfig*);
+ static void thread_reinit(const snort::SnortConfig*);
+ static void thread_term();
#ifdef PIGLET
static IpsActionWrapper* instantiate(const char*, snort::Module*);
instantiate(wrap, nullptr, nullptr);
}
-void CodecManager::thread_init(SnortConfig* sc)
+void CodecManager::thread_init(const SnortConfig* sc)
{
max_layers = sc->num_layers;
// destroy all global codec related information
static void release_plugins();
// initialize the current threads DLT and Packet struct
- static void thread_init(snort::SnortConfig*);
+ static void thread_init(const snort::SnortConfig*);
// destroy thread_local data
static void thread_term();
// print all of the codec plugins
// configuration
void EventManager::instantiate(
- Output* p, Module* mod, SnortConfig* sc)
+ Output* p, Module* mod, SnortConfig*)
{
bool enabled = false;
if ( !enabled )
return;
- p->handler = p->api->ctor(sc, mod);
+ p->handler = p->api->ctor(mod);
assert(p->handler);
p->handler->set_api(p->api);
return nullptr;
}
-LoggerWrapper* EventManager::instantiate(const char* name, Module* m, SnortConfig* sc)
+LoggerWrapper* EventManager::instantiate(const char* name, Module* m, SnortConfig*)
{
auto api = find_api(name);
if ( !api || !api->ctor )
return nullptr;
- auto p = api->ctor(sc, m);
+ auto p = api->ctor(m);
if ( !p )
return nullptr;
#include "main/snort.h"
#include "main/snort_config.h"
#include "main/thread_config.h"
+#include "search_engines/search_tool.h"
#include "protocols/packet.h"
#include "target_based/snort_protocols.h"
}
// FIXIT-P cache get_inspector() returns or provide indexed lookup
-Inspector* InspectorManager::get_inspector(const char* key, bool dflt_only, SnortConfig* sc)
+Inspector* InspectorManager::get_inspector(const char* key, bool dflt_only, const SnortConfig* sc)
{
InspectionPolicy* pi;
- if (dflt_only && (sc != nullptr))
+ if ( dflt_only )
+ {
+ if ( !sc )
+ sc = SnortConfig::get_conf();
pi = get_default_inspection_policy(sc);
- else if (dflt_only)
- pi = get_default_inspection_policy(SnortConfig::get_conf());
+ }
else
pi = get_inspection_policy();
return s_tl_handlers->back();
}
-void InspectorManager::thread_init(SnortConfig* sc)
+void InspectorManager::thread_init(const SnortConfig* sc)
{
Inspector::slot = get_instance_id();
}
// pin->tinit() only called for default policy
- set_default_policy();
+ set_default_policy(sc);
InspectionPolicy* pi = get_inspection_policy();
if ( pi && pi->framework_policy )
}
}
-void InspectorManager::thread_reinit(SnortConfig* sc)
+void InspectorManager::thread_reinit(const SnortConfig* sc)
{
// Update this thread's configured plugin registry with any newly configured inspectors
for ( auto* p : sc->framework_config->clist )
}
}
-void InspectorManager::thread_stop(SnortConfig*)
+void InspectorManager::thread_stop(const SnortConfig* sc)
{
// If thread_init() was never called, we have nothing to do.
if ( !s_tl_handlers )
return;
// pin->tterm() only called for default policy
- set_default_policy();
+ set_default_policy(sc);
InspectionPolicy* pi = get_inspection_policy();
// FIXIT-RC Any inspectors that were once configured/instantiated but
}
}
-void InspectorManager::thread_term(SnortConfig*)
+void InspectorManager::thread_term()
{
// If thread_init() was never called, we have nothing to do.
if ( !s_tl_handlers )
}
bool ok = true;
+ SearchTool::set_conf(sc);
+
for ( unsigned idx = 0; idx < sc->policy_map->inspection_policy_count(); ++idx )
{
if ( cloned and idx )
}
set_inspection_policy(sc);
+ SearchTool::set_conf(nullptr);
return ok;
}
if ( p->disable_inspect )
return;
- SnortConfig* sc = SnortConfig::get_conf();
+ const SnortConfig* sc = p->context->conf;
FrameworkPolicy* fp_dft = get_default_inspection_policy(sc)->framework_policy;
if ( !p->flow )
void InspectorManager::probe(Packet* p)
{
- InspectionPolicy* policy = SnortConfig::get_conf()->policy_map->get_inspection_policy(0);
+ InspectionPolicy* policy = p->context->conf->policy_map->get_inspection_policy(0);
FrameworkPolicy* fp = policy->framework_policy;
::execute(p, fp->probe.vec, fp->probe.num);
}
static void instantiate(
const InspectApi*, Module*, SnortConfig*, const char* name = nullptr);
- static bool delete_inspector(SnortConfig* sc, const char* iname);
+ static bool delete_inspector(SnortConfig*, const char* iname);
static void free_inspector(Inspector*);
static InspectSsnFunc get_session(uint16_t proto);
- SO_PUBLIC static Inspector* get_inspector(const char* key, bool dflt_only = false,
- SnortConfig* sc = nullptr);
+ SO_PUBLIC static Inspector* get_inspector(
+ const char* key, bool dflt_only = false, const SnortConfig* = nullptr);
+
SO_PUBLIC static Inspector* get_inspector_by_service(const char*);
SO_PUBLIC static Binder* get_binder();
static bool configure(SnortConfig*, bool cloned = false);
static void print_config(SnortConfig*);
- static void thread_init(SnortConfig*);
- static void thread_reinit(SnortConfig*);
- static void thread_stop(SnortConfig*);
- static void thread_term(SnortConfig*);
+ static void thread_init(const SnortConfig*);
+ static void thread_reinit(const SnortConfig*);
+
+ static void thread_stop(const SnortConfig*);
+ static void thread_term();
static void release_policy(FrameworkPolicy*);
static void dispatch_meta(FrameworkPolicy*, int type, const uint8_t* data);
//-------------------------------------------------------------------------
-void IpsManager::global_init(SnortConfig*)
+void IpsManager::global_init(const SnortConfig*)
{
}
-void IpsManager::global_term(SnortConfig* sc)
+void IpsManager::global_term(const SnortConfig* sc)
{
for ( auto& p : s_options )
if ( p.second->init && p.second->api->pterm )
IpsOption::set_buffer("pkt_data");
}
-void IpsManager::setup_options()
+void IpsManager::setup_options(const SnortConfig* sc)
{
for ( auto& p : s_options )
if ( p.second->init && p.second->api->tinit )
- p.second->api->tinit(SnortConfig::get_conf());
+ p.second->api->tinit(sc);
}
-void IpsManager::clear_options()
+void IpsManager::clear_options(const SnortConfig* sc)
{
for ( auto& p : s_options )
if ( p.second->init && p.second->api->tterm )
- p.second->api->tterm(SnortConfig::get_conf());
+ p.second->api->tterm(sc);
}
bool IpsManager::verify(SnortConfig* sc)
static void dump_plugins();
static void release_plugins();
static void instantiate(const snort::IpsApi*, snort::Module*, snort::SnortConfig*);
+
static bool option_begin(snort::SnortConfig*, const char* key, SnortProtocolId);
static bool option_set(
snort::SnortConfig*, const char* key, const char* opt, const char* val);
static bool option_end(
snort::SnortConfig*, OptTreeNode*, SnortProtocolId, const char* key, snort::RuleOptType&);
+
static void delete_option(snort::IpsOption*);
static const char* get_option_keyword();
+
SO_PUBLIC static const snort::IpsApi* get_option_api(const char* keyword);
- static void global_init(snort::SnortConfig*);
- static void global_term(snort::SnortConfig*);
+
+ static void global_init(const snort::SnortConfig*);
+ static void global_term(const snort::SnortConfig*);
+
static void reset_options();
- static void setup_options();
- static void clear_options();
+ static void setup_options(const snort::SnortConfig*);
+ static void clear_options(const snort::SnortConfig*);
+
static bool verify(snort::SnortConfig*);
#ifdef PIGLET
}
}
-void ModuleManager::dump_stats(SnortConfig*, const char* skip, bool dynamic)
+void ModuleManager::dump_stats(const char* skip, bool dynamic)
{
auto mod_hooks = get_all_modhooks();
mod_hooks.sort(comp_mods);
}
}
-void ModuleManager::accumulate(SnortConfig*)
+void ModuleManager::accumulate()
{
auto mod_hooks = get_all_modhooks();
static void reset_errors();
static unsigned get_errors();
- static void dump_stats(SnortConfig*, const char* skip = nullptr, bool dynamic = false);
+ static void dump_stats(const char* skip = nullptr, bool dynamic = false);
- static void accumulate(SnortConfig*);
+ static void accumulate();
static void accumulate_offload(const char* name);
static void reset_stats(SnortConfig*);
}
Mpse* MpseManager::get_search_engine(
- SnortConfig* sc, const MpseApi* api, const MpseAgent* agent)
+ const SnortConfig* sc, const MpseApi* api, const MpseAgent* agent)
{
Module* mod = ModuleManager::get_module(api->base.name);
Mpse* eng = api->ctor(sc, mod, agent);
return eng;
}
-Mpse* MpseManager::get_search_engine(const char* type)
-{
- SnortConfig* sc = SnortConfig::get_conf();
-
- if ( !type and sc->fast_pattern_config )
- type = sc->fast_pattern_config->get_search_method();
-
- if ( !type )
- type = "ac_bnfa";
-
- const MpseApi* api = get_search_api(type);
-
- if ( !api )
- return nullptr;
-
- Module* mod = ModuleManager::get_module(api->base.name);
- Mpse* eng = api->ctor(nullptr, mod, nullptr);
- eng->set_api(api);
-
- if ( sc->fast_pattern_config and sc->fast_pattern_config->get_search_opt() )
- eng->set_opt(1);
-
- return eng;
-}
-
void MpseManager::delete_search_engine(Mpse* eng)
{
const MpseApi* api = eng->get_api();
static const snort::MpseApi* get_search_api(const char* type);
static void delete_search_engine(snort::Mpse*);
- static snort::Mpse* get_search_engine(const char*);
static snort::Mpse* get_search_engine(
- snort::SnortConfig* sc,const snort::MpseApi* api, const struct MpseAgent*);
+ const snort::SnortConfig* sc,const snort::MpseApi* api, const struct MpseAgent*);
static void activate_search_engine(const snort::MpseApi*, snort::SnortConfig*);
static void setup_search_engine(const snort::MpseApi*, snort::SnortConfig*);
if ( !MemoryModule::is_active() )
return;
- if ( SnortConfig::log_verbose() or mem_stats.allocations )
+ bool verbose = SnortConfig::get_conf()->log_verbose();
+
+ if ( verbose or mem_stats.allocations )
LogLabel("memory (heap)");
- if ( SnortConfig::log_verbose() )
+ if ( verbose )
{
LogMessage(" thread cap: %zu\n", thread_cap);
LogMessage(" thread preemptive threshold: %zu\n", preemptive_threshold);
return true;
}
-void AppIdInspector::show(SnortConfig*)
+void AppIdInspector::show(const SnortConfig*) const
{
config->show();
}
~AppIdInspector() override;
bool configure(snort::SnortConfig*) override;
- void show(snort::SnortConfig*) override;
+ void show(const snort::SnortConfig*) const override;
void tinit() override;
void tterm() override;
void eval(snort::Packet*) override;
~AppIdInspector() override = default;
void eval(Packet*) override { }
bool configure(snort::SnortConfig*) override { return true; }
- void show(snort::SnortConfig*) override { }
+ void show(const SnortConfig*) const override { }
void tinit() override { }
void tterm() override { }
};
}
}
- /* If the session appears to only have the client sending data then
+ /* If the session appears to only have the client sending data then
we must mark the service unknown to prevent pending forever. */
if (asd.service_disco_state == APPID_DISCO_STATE_STATEFUL &&
asd.service.get_id() == APP_ID_NONE && asd.is_svc_taking_too_much_time())
{
asd.stop_service_inspection(p, direction);
- asd.service.set_id(APP_ID_UNKNOWN, asd.ctxt.get_odp_ctxt());
+ asd.service.set_id(APP_ID_UNKNOWN, asd.ctxt.get_odp_ctxt());
return isTpAppidDiscoveryDone;
}
#include "service_ftp.h"
+#include "detection/ips_context.h"
+
#include "appid_inspector.h"
#include "app_info_table.h"
#include "protocols/packet.h"
// FIXIT-M - Avoid thread locals
static THREAD_LOCAL SnortProtocolId ftp_data_snort_protocol_id = UNKNOWN_PROTOCOL_ID;
if(ftp_data_snort_protocol_id == UNKNOWN_PROTOCOL_ID)
- ftp_data_snort_protocol_id = SnortConfig::get_conf()->proto_ref->find("ftp-data");
+ ftp_data_snort_protocol_id = pkt->context->conf->proto_ref->find("ftp-data");
AppIdSession* fp = AppIdSession::create_future_session(pkt, cliIp, cliPort, srvIp, srvPort,
protocol, ftp_data_snort_protocol_id, flags);
#include "service_rexec.h"
+#include "detection/ips_context.h"
+
#include "appid_debug.h"
#include "appid_inspector.h"
#include "app_info_table.h"
{
case REXEC_STATE_PORT:
if(rexec_snort_protocol_id == UNKNOWN_PROTOCOL_ID)
- rexec_snort_protocol_id = SnortConfig::get_conf()->proto_ref->find("rexec");
+ rexec_snort_protocol_id = args.pkt->context->conf->proto_ref->find("rexec");
if (args.dir != APP_ID_FROM_INITIATOR)
goto bail;
#include <rpc/rpcent.h>
#endif
-#include "appid_inspector.h"
-#include "app_info_table.h"
+#include "detection/ips_context.h"
#include "log/messages.h"
#include "protocols/packet.h"
+#include "appid_inspector.h"
+#include "app_info_table.h"
+
using namespace snort;
static THREAD_LOCAL SnortProtocolId sunrpc_snort_protocol_id = UNKNOWN_PROTOCOL_ID;
if(sunrpc_snort_protocol_id == UNKNOWN_PROTOCOL_ID)
- sunrpc_snort_protocol_id = SnortConfig::get_conf()->proto_ref->find("sunrpc");
+ sunrpc_snort_protocol_id = pkt->context->conf->proto_ref->find("sunrpc");
const SfIp* dip = pkt->ptrs.ip_api.get_dst();
const SfIp* sip = pkt->ptrs.ip_api.get_src();
#include "service_rshell.h"
+#include "detection/ips_context.h"
#include "protocols/packet.h"
#include "app_info_table.h"
if (port)
{
if(rsh_error_snort_protocol_id == UNKNOWN_PROTOCOL_ID)
- rsh_error_snort_protocol_id = SnortConfig::get_conf()->proto_ref->find("rsh-error");
+ rsh_error_snort_protocol_id = args.pkt->context->conf->proto_ref->find("rsh-error");
const SfIp* dip = args.pkt->ptrs.ip_api.get_dst();
const SfIp* sip = args.pkt->ptrs.ip_api.get_src();
#include "service_snmp.h"
+#include "detection/ips_context.h"
#include "log/messages.h"
#include "protocols/packet.h"
SNMP_PDU_TRAPV2
};
-#pragma pack(1)
-
-struct ServiceSNMPHeader
-{
- uint16_t opcode;
- union
- {
- uint16_t block;
- uint16_t errorcode;
- } d;
-};
-
-#pragma pack()
-
static const uint8_t SNMP_PATTERN_2[] = { 0x02, 0x01, 0x00, 0x04 };
static const uint8_t SNMP_PATTERN_3[] = { 0x02, 0x01, 0x01, 0x04 };
static const uint8_t SNMP_PATTERN_4[] = { 0x02, 0x01, 0x03, 0x30 };
/*adding expected connection in case the server doesn't send from 161*/
if(snmp_snort_protocol_id == UNKNOWN_PROTOCOL_ID)
- snmp_snort_protocol_id = SnortConfig::get_conf()->proto_ref->find("snmp");
+ snmp_snort_protocol_id = args.pkt->context->conf->proto_ref->find("snmp");
const SfIp* dip = args.pkt->ptrs.ip_api.get_dst();
const SfIp* sip = args.pkt->ptrs.ip_api.get_src();
#include "service_tftp.h"
+#include "detection/ips_context.h"
#include "protocols/packet.h"
#include "app_info_table.h"
goto bail;
if(tftp_snort_protocol_id == UNKNOWN_PROTOCOL_ID)
- tftp_snort_protocol_id = SnortConfig::get_conf()->proto_ref->find("tftp");
+ tftp_snort_protocol_id = args.pkt->context->conf->proto_ref->find("tftp");
tmp_td = (ServiceTFTPData*)snort_calloc(sizeof(ServiceTFTPData));
tmp_td->state = TFTP_STATE_TRANSFER;
namespace snort
{
-class Inspector* InspectorManager::get_inspector(char const*, bool, SnortConfig*)
+class Inspector* InspectorManager::get_inspector(char const*, bool, const SnortConfig*)
{ return nullptr; }
}
#include <CppUTest/CommandLineTestRunner.h>
#include <CppUTest/TestHarness.h>
-snort::Inspector* snort::InspectorManager::get_inspector(char const*, bool, snort::SnortConfig*) { return nullptr; }
-void ApplicationDescriptor::set_id(const Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&) { }
+snort::Inspector* snort::InspectorManager::get_inspector(
+ char const*, bool, const snort::SnortConfig*) { return nullptr; }
+
+void ApplicationDescriptor::set_id(
+ const Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&) { }
+
void AppIdHttpSession::set_http_change_bits(AppidChangeBits&, HttpFieldIds) {}
class TestDetector : public AppIdDetector
AppIdInspector::~AppIdInspector() = default;
void AppIdInspector::eval(Packet*) { }
bool AppIdInspector::configure(SnortConfig*) { return true; }
-void AppIdInspector::show(SnortConfig*) { }
+void AppIdInspector::show(const SnortConfig*) const { }
void AppIdInspector::tinit() { }
void AppIdInspector::tterm() { }
AppIdContext& AppIdInspector::get_ctxt() const
#include <CppUTest/CommandLineTestRunner.h>
#include <CppUTest/TestHarness.h>
-snort::Inspector* snort::InspectorManager::get_inspector(char const*, bool, snort::SnortConfig*) { return nullptr; }
-void ApplicationDescriptor::set_id(const Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&) { }
+snort::Inspector* snort::InspectorManager::get_inspector(
+ char const*, bool, const snort::SnortConfig*) { return nullptr; }
+
+void ApplicationDescriptor::set_id(
+ const Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&) { }
+
void AppIdHttpSession::set_http_change_bits(AppidChangeBits&, HttpFieldIds) {}
class MockServiceDetector : public ServiceDetector
AppIdInspector::~AppIdInspector() { }
void AppIdInspector::eval(snort::Packet*) { }
bool AppIdInspector::configure(snort::SnortConfig*) { return true; }
-void AppIdInspector::show(snort::SnortConfig*) { }
+void AppIdInspector::show(const SnortConfig*) const { }
void AppIdInspector::tinit() { }
void AppIdInspector::tterm() { }
AppIdContext& AppIdInspector::get_ctxt() const { return *ctxt; }
ArpSpoof(ArpSpoofModule*);
~ArpSpoof() override;
- void show(snort::SnortConfig*) override;
+ void show(const SnortConfig*) const override;
void eval(Packet*) override;
private:
delete config;
}
-void ArpSpoof::show(SnortConfig*)
+void ArpSpoof::show(const SnortConfig*) const
{
if ( config )
arp_config_show(config);
static Inspector* get_gadget_by_id(const char* service)
{
- const SnortProtocolId id = SnortConfig::get_conf()->proto_ref->find(service);
- const char* s = SnortConfig::get_conf()->proto_ref->get_name(id);
+ const SnortConfig* sc = SnortConfig::get_conf();
+ const SnortProtocolId id = sc->proto_ref->find(service);
+ const char* s = sc->proto_ref->get_name(id);
return InspectorManager::get_inspector_by_service(s);
}
void remove_inspector_binding(SnortConfig*, const char*) override;
bool configure(SnortConfig*) override;
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
void eval(Packet*) override { }
return true;
}
-void Binder::show(SnortConfig*)
+void Binder::show(const SnortConfig*) const
{
std::once_flag once;
// It gets potentially hairy if people start specifying overlapping policy types in
// overlapping rules.
bool inspection_set = false, ips_set = false;
+ const SnortConfig* sc = SnortConfig::get_conf();
+
for ( unsigned i = 0; i < sz; i++ )
{
Binding* pb = bindings[i];
if ( pb->use.inspection_index and !inspection_set )
{
- set_inspection_policy(SnortConfig::get_conf(), pb->use.inspection_index - 1);
+ set_inspection_policy(sc, pb->use.inspection_index - 1);
if (!service)
flow->inspection_policy_id = pb->use.inspection_index - 1;
inspection_set = true;
if ( pb->use.ips_index and !ips_set )
{
- set_ips_policy(SnortConfig::get_conf(), pb->use.ips_index - 1);
+ set_ips_policy(sc, pb->use.ips_index - 1);
if (!service)
flow->ips_policy_id = pb->use.ips_index - 1;
ips_set = true;
#include "norm.h"
+#include "detection/ips_context.h"
#include "main/snort_config.h"
#include "packet_io/sfdaq.h"
#include "protocols/icmp4.h"
}
if ( Norm_IsEnabled(c, NORM_IP4_TTL) )
{
- if ( h->ip_ttl < SnortConfig::min_ttl() )
+ if ( h->ip_ttl < p->context->conf->min_ttl() )
{
if ( mode == NORM_MODE_ON )
{
- h->ip_ttl = SnortConfig::new_ttl();
+ h->ip_ttl = p->context->conf->new_ttl();
p->ptrs.decode_flags &= ~DECODE_ERR_BAD_TTL;
changes++;
}
ip::IP6Hdr* h =
reinterpret_cast<ip::IP6Hdr*>(const_cast<uint8_t*>(p->layers[layer].start));
- if ( h->ip6_hoplim < SnortConfig::min_ttl() )
+ if ( h->ip6_hoplim < p->context->conf->min_ttl() )
{
const NormMode mode = get_norm_mode(p);
if ( mode == NORM_MODE_ON )
{
- h->ip6_hoplim = SnortConfig::new_ttl();
+ h->ip6_hoplim = p->context->conf->new_ttl();
p->ptrs.decode_flags &= ~DECODE_ERR_BAD_TTL;
changes++;
}
Normalizer(const NormalizerConfig&);
bool configure(SnortConfig*) override;
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
void eval(Packet*) override;
private:
return NORM_MODE_TEST;
}
-void Normalizer::show(SnortConfig*)
+void Normalizer::show(const SnortConfig*) const
{
print_ip4(&config);
print_ip6(&config);
PacketCapture(CaptureModule*);
// non-static functions
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
void eval(Packet*) override;
void tterm() override { capture_term(); }
return false;
}
-void PacketCapture::show(SnortConfig*)
+void PacketCapture::show(const SnortConfig*) const
{
ConfigLogger::log_flag("enable", config.enabled);
if ( config.enabled )
return "";
}
-void PerfMonitor::show(SnortConfig*)
+void PerfMonitor::show(const SnortConfig*) const
{
ConfigLogger::log_flag("base", config->perf_flags & PERF_BASE);
ConfigLogger::log_flag("cpu", config->perf_flags & PERF_CPU);
~PerfMonitor() override { delete config; }
bool configure(snort::SnortConfig*) override;
- void show(snort::SnortConfig*) override;
+ void show(const snort::SnortConfig*) const override;
void eval(snort::Packet*) override;
bool ready_to_process(snort::Packet* p);
file_name, mode, get_error(errno));
}
- if (chown(file_name, SnortConfig::get_uid(),
- SnortConfig::get_gid()) != 0)
+ const SnortConfig* sc = SnortConfig::get_conf();
+
+ if (chown(file_name, sc->get_uid(), sc->get_gid()) != 0)
{
WarningMessage("perfmonitor: Unable to change permissions of "
"stats file '%s' to user:%d and group:%d: %s.\n",
- file_name, SnortConfig::get_uid(), SnortConfig::get_gid(),
- get_error(errno));
+ file_name, sc->get_uid(), sc->get_gid(), get_error(errno));
}
}
}
ps_cleanup();
}
-void PortScan::show(SnortConfig*)
+void PortScan::show(const SnortConfig*) const
{
if ( config )
portscan_config_show(config);
PortScan(class PortScanModule*);
~PortScan() override;
- void show(snort::SnortConfig*) override;
+ void show(const snort::SnortConfig*) const override;
void eval(snort::Packet*) override;
void tinit() override;
reputationstats.memory_allocated = sfrt_flat_usage(conf->ip_list);
}
-void Reputation::show(SnortConfig*)
+void Reputation::show(const SnortConfig*) const
{
ConfigLogger::log_value("blacklist", config.blacklist_path.c_str());
ConfigLogger::log_value("list_dir", config.list_dir.c_str());
public:
Reputation(ReputationConfig*);
- void show(snort::SnortConfig*) override;
+ void show(const snort::SnortConfig*) const override;
void eval(snort::Packet*) override;
private:
UNUSED(p);
}
-void RnaInspector::show(SnortConfig*)
+void RnaInspector::show(const SnortConfig*) const
{
if ( mod_conf )
{
bool configure(snort::SnortConfig*) override;
void eval(snort::Packet*) override;
- void show(snort::SnortConfig*) override;
+ void show(const snort::SnortConfig*) const override;
void tinit() override;
void tterm() override;
Active::set_enabled();
}
-bool Active::thread_init(SnortConfig* sc)
+bool Active::thread_init(const SnortConfig* sc)
{
s_attempts = sc->respond_attempts;
if ( enabled && (!SFDAQ::can_inject() || !sc->respond_device.empty()) )
{
- if ( SnortConfig::read_mode() || !open(sc->respond_device.c_str()) )
+ if ( sc->read_mode() || !open(sc->respond_device.c_str()) )
{
ParseWarning(WARN_DAQ, "active responses disabled since DAQ "
"can't inject packets.");
else if ( active_status != AST_FORCE)
{
- if ( SnortConfig::inline_mode() )
+ if ( p->context->conf->inline_mode() )
{
if ( !SFDAQ::forwarding_packet(p->pkth) )
active_status = AST_WOULD;
}
- else if ( SnortConfig::inline_test_mode() )
+ else if ( p->context->conf->inline_test_mode() )
{
active_status = AST_WOULD;
}
active_action = ACT_BLOCK;
update_status(p, force);
- if ( force or SnortConfig::inline_mode() or SnortConfig::treat_drop_as_ignore() )
+ if ( force or p->context->conf->inline_mode() or p->context->conf->treat_drop_as_ignore() )
Stream::block_flow(p);
p->disable_inspect = true;
update_status(p, force);
active_action = ACT_RESET;
- if ( force or SnortConfig::inline_mode() or SnortConfig::treat_drop_as_ignore() )
+ if ( force or p->context->conf->inline_mode() or p->context->conf->treat_drop_as_ignore() )
Stream::drop_flow(p);
if ( enabled )
public:
static void init(SnortConfig*);
- static bool thread_init(SnortConfig*);
+ static bool thread_init(const SnortConfig*);
static void thread_term();
static void set_enabled(bool on_off = true)
int rval;
- if (SnortConfig::adaptor_inline_mode())
+ if (SnortConfig::get_conf()->adaptor_inline_mode())
default_daq_mode = DAQ_MODE_INLINE;
- else if (SnortConfig::read_mode())
+
+ else if (SnortConfig::get_conf()->read_mode())
default_daq_mode = DAQ_MODE_READ_FILE;
+
else
default_daq_mode = DAQ_MODE_PASSIVE;
{
uint32_t caps = daq_instance_get_capabilities(instance);
- if (!SnortConfig::adaptor_inline_mode())
+ if (!SnortConfig::get_conf()->adaptor_inline_mode())
return true;
if (!(caps & DAQ_CAPA_BLOCK))
pool_size = mpool_info.size;
pool_available = mpool_info.available;
assert(pool_size == pool_available);
- if (SnortConfig::log_verbose())
+ if (SnortConfig::get_conf()->log_verbose())
{
LogMessage("Instance %d daq pool size: %d\n", get_instance_id(), pool_size);
LogMessage("Instance %d daq batch size: %d\n", get_instance_id(), batch_size);
static void print_parse_file(const char* msg, Location& loc)
{
- if ( SnortConfig::show_file_codes() )
+ if ( SnortConfig::get_conf()->show_file_codes() )
LogMessage("%s %s:%s:\n", msg, (loc.code ? loc.code : "?"), loc.file.c_str());
else
// or we are going to just alert instead of drop,
// or we are going to ignore session data instead of drop.
// the alert case is tested for separately with SnortConfig::treat_drop_as_alert().
-static inline int ScKeepDropRules()
+static inline int keep_drop_rules(const SnortConfig* sc)
{
- return ( SnortConfig::inline_mode() or SnortConfig::adaptor_inline_mode() or
- SnortConfig::treat_drop_as_ignore() );
+ return ( sc->inline_mode() or sc->adaptor_inline_mode() or sc->treat_drop_as_ignore() );
}
-static inline int ScLoadAsDropRules()
+static inline int load_as_drop_rules(const SnortConfig* sc)
{
- return ( SnortConfig::inline_test_mode() || SnortConfig::adaptor_inline_test_mode() );
+ return ( sc->inline_test_mode() || sc->adaptor_inline_test_mode() );
}
Actions::Type get_rule_type(const char* s)
if ( rt == Actions::NONE )
rt = ActionManager::get_action_type(s);
+ const SnortConfig* sc = SnortConfig::get_conf();
+
switch ( rt )
{
case Actions::DROP:
case Actions::BLOCK:
case Actions::RESET:
- if ( SnortConfig::treat_drop_as_alert() )
+ if ( sc->treat_drop_as_alert() )
return Actions::ALERT;
- if ( ScKeepDropRules() || ScLoadAsDropRules() )
+ if ( keep_drop_rules(sc) || load_as_drop_rules(sc) )
return rt;
return Actions::NONE;
CreateRuleType(sc, s, rtn.action);
rtn.listhead = get_rule_list(sc, s);
}
- if ( SnortConfig::get_default_rule_state() )
+ if ( sc->get_default_rule_state() )
rtn.set_enabled();
if ( !rtn.listhead )
otn->snort_protocol_id = rtn.snort_protocol_id;
- if ( SnortConfig::get_default_rule_state() )
+ if ( sc->get_default_rule_state() )
rtn.set_enabled();
IpsManager::reset_options();
SnortConfig* ParseSnortConf(const SnortConfig* boot_conf, const char* fname, bool is_fatal)
{
SnortConfig* sc = new SnortConfig(SnortConfig::get_conf()->proto_ref);
- SnortConfig::set_parser_conf(sc);
+ sc->run_flags = boot_conf->run_flags;
+ sc->output_flags = boot_conf->output_flags;
sc->logging_flags = boot_conf->logging_flags;
sc->tweaks = boot_conf->tweaks;
Module* m;
if ( key == PT_IPS_OPTION || use_defaults )
// FIXIT-L this is just a workaround, need to be able to get parsed rule module
- m = ModuleManager::get_default_module(name.c_str(), SnortConfig::get_conf());
+ m = ModuleManager::get_default_module(name.c_str(), SnortConfig::get_main_conf());
else
m = ModuleManager::get_module(name.c_str());
- auto piglet = piglet_api->ctor(lua, name, m, SnortConfig::get_conf());
+ auto piglet = piglet_api->ctor(lua, name, m, SnortConfig::get_main_conf());
assert(piglet);
#include "framework/codec.h"
#include "lua/lua_arg.h"
+#include "main/snort_config.h"
using namespace snort;
{
Lua::Args args(L);
- auto& self = CodecDataIface.create(L, ProtocolId::ETHERTYPE_NOT_SET);
+ auto& self = CodecDataIface.create(
+ L, SnortConfig::get_conf(), ProtocolId::ETHERTYPE_NOT_SET);
if ( args[1].is_table() )
args[1].check_table(set_fields, self);
{
auto& self = InspectorIface.get(L);
// FIXIT-L do we need an opaque SnortConfig interface?
- bool result = self.configure(SnortConfig::get_conf());
+ bool result = self.configure(SnortConfig::get_main_conf());
lua_pushboolean(L, result);
return 1;
}
PortObject* po = (PortObject*)h->find(name);
- if ( !po and SnortConfig::dump_rule_info() and strstr(name, "PORT") )
+ if ( !po and SnortConfig::get_conf()->dump_rule_info() and strstr(name, "PORT") )
{
po = PortObjectNew();
po->name = snort_strdup(name);
s_profiler_nodes.accumulate_flex();
- const auto* config = SnortConfig::get_profiler();
+ const auto* config = SnortConfig::get_conf()->get_profiler();
assert(config);
show_time_profiler_stats(s_profiler_nodes, config->time);
static std::vector<View> build_entries()
{
- assert(SnortConfig::get_conf());
+ const SnortConfig* sc = SnortConfig::get_conf();
+ assert(sc);
- detection_option_tree_update_otn_stats(SnortConfig::get_conf()->detection_option_tree_hash_table);
- auto* otn_map = SnortConfig::get_conf()->otn_map;
+ detection_option_tree_update_otn_stats(sc->detection_option_tree_hash_table);
+ auto* otn_map = sc->otn_map;
std::vector<View> entries;
void reset_rule_profiler_stats()
{
- assert(SnortConfig::get_conf());
- auto* otn_map = SnortConfig::get_conf()->otn_map;
+ const SnortConfig* sc = SnortConfig::get_conf();
+ assert(sc);
+
+ auto* otn_map = sc->otn_map;
for ( auto* h = otn_map->find_first(); h; h = otn_map->find_next() )
{
if (flow)
vid = flow->key->vlan_tag;
- else if ( !SnortConfig::get_vlan_agnostic() and (proto_bits & PROTO_BIT__VLAN) )
+ else if ( !context->conf->get_vlan_agnostic() and (proto_bits & PROTO_BIT__VLAN) )
vid = layer::get_vlan_layer(this)->vid();
return vid;
void PacketManager::pop_teredo(Packet* p, RawData& raw)
{
p->proto_bits &= ~PROTO_BIT__TEREDO;
- if ( SnortConfig::tunnel_bypass_enabled(TUNNEL_TEREDO) )
+ if ( p->context->conf->tunnel_bypass_enabled(TUNNEL_TEREDO) )
p->active->clear_tunnel_bypass();
const ProtocolIndex mapped_prot = CodecManager::s_proto_map[to_utype(ProtocolId::TEREDO)];
ProtocolId prev_prot_id = CodecManager::grinder_id;
RawData raw(p->daq_msg, pkt, pktlen);
- CodecData codec_data(ProtocolId::FINISHED_DECODE);
+ CodecData codec_data(p->context->conf, ProtocolId::FINISHED_DECODE);
if ( cooked )
codec_data.codec_flags |= CODEC_STREAM_REBUILT;
ACSM_STRUCT2* obj;
public:
- AcbMpse(
- SnortConfig*, const MpseAgent* agent)
- : Mpse("ac_banded")
- {
- obj = acsmNew2(agent, ACF_BANDED);
- }
+ AcbMpse(const MpseAgent* agent) : Mpse("ac_banded")
+ { obj = acsmNew2(agent, ACF_BANDED); }
~AcbMpse() override
{ acsmFree2(obj); }
{ obj->enable_dfa(); }
int add_pattern(
- SnortConfig*, const uint8_t* P, unsigned m,
- const PatternDescriptor& desc, void* user) override
+ const uint8_t* P, unsigned m, const PatternDescriptor& desc, void* user) override
{
return acsmAddPattern2(obj, P, m, desc.no_case, desc.negated, user);
}
//-------------------------------------------------------------------------
static Mpse* acb_ctor(
- SnortConfig* sc, class Module*, const MpseAgent* agent)
+ const SnortConfig*, class Module*, const MpseAgent* agent)
{
- return new AcbMpse(sc, agent);
+ return new AcbMpse(agent);
}
static void acb_dtor(Mpse* p)
bnfa_struct_t* obj;
public:
- AcBnfaMpse(SnortConfig*, const MpseAgent* agent)
- : Mpse("ac_bnfa")
+ AcBnfaMpse(const MpseAgent* agent) : Mpse("ac_bnfa")
{
obj=bnfaNew(agent);
if ( obj ) obj->bnfaMethod = 1;
}
int add_pattern(
- SnortConfig*, const uint8_t* P, unsigned m,
- const PatternDescriptor& desc, void* user) override
+ const uint8_t* P, unsigned m, const PatternDescriptor& desc, void* user) override
{
return bnfaAddPattern(obj, P, m, desc.no_case, desc.negated, user);
}
//-------------------------------------------------------------------------
static Mpse* bnfa_ctor(
- SnortConfig* sc, class Module*, const MpseAgent* agent)
+ const SnortConfig*, class Module*, const MpseAgent* agent)
{
- return new AcBnfaMpse(sc, agent);
+ return new AcBnfaMpse(agent);
}
static void bnfa_dtor(Mpse* p)
ACSM_STRUCT2* obj;
public:
- AcfMpse(SnortConfig*, const MpseAgent* agent)
- : Mpse("ac_full")
- {
- obj = acsmNew2(agent, ACF_FULL);
- }
+ AcfMpse(const MpseAgent* agent) : Mpse("ac_full")
+ { obj = acsmNew2(agent, ACF_FULL); }
~AcfMpse() override
{ acsmFree2(obj); }
}
int add_pattern(
- SnortConfig*, const uint8_t* P, unsigned m,
- const PatternDescriptor& desc, void* user) override
+ const uint8_t* P, unsigned m, const PatternDescriptor& desc, void* user) override
{
return acsmAddPattern2(obj, P, m, desc.no_case, desc.negated, user);
}
//-------------------------------------------------------------------------
static Mpse* acf_ctor(
- SnortConfig* sc, class Module*, const MpseAgent* agent)
+ const SnortConfig*, class Module*, const MpseAgent* agent)
{
- return new AcfMpse(sc, agent);
+ return new AcfMpse(agent);
}
static void acf_dtor(Mpse* p)
ACSM_STRUCT2* obj;
public:
- AcsMpse(SnortConfig*, const MpseAgent* agent)
- : Mpse("ac_sparse")
- {
- obj = acsmNew2(agent, ACF_SPARSE);
- }
+ AcsMpse(const MpseAgent* agent) : Mpse("ac_sparse")
+ { obj = acsmNew2(agent, ACF_SPARSE); }
~AcsMpse() override
{ if (obj) acsmFree2(obj); }
{ obj->enable_dfa(); }
int add_pattern(
- SnortConfig*, const uint8_t* P, unsigned m,
- const PatternDescriptor& desc, void* user) override
+ const uint8_t* P, unsigned m, const PatternDescriptor& desc, void* user) override
{
return acsmAddPattern2(obj, P, m, desc.no_case, desc.negated, user);
}
//-------------------------------------------------------------------------
static Mpse* acs_ctor(
- SnortConfig* sc, class Module*, const MpseAgent* agent)
+ const SnortConfig*, class Module*, const MpseAgent* agent)
{
- return new AcsMpse(sc, agent);
+ return new AcsMpse(agent);
}
static void acs_dtor(Mpse* p)
ACSM_STRUCT2* obj;
public:
- AcsbMpse(SnortConfig*, const MpseAgent* agent)
- : Mpse("ac_sparse_bands")
- {
- obj = acsmNew2(agent, ACF_SPARSE_BANDS);
- }
+ AcsbMpse(const MpseAgent* agent) : Mpse("ac_sparse_bands")
+ { obj = acsmNew2(agent, ACF_SPARSE_BANDS); }
~AcsbMpse() override
{ acsmFree2(obj); }
{ obj->enable_dfa(); }
int add_pattern(
- SnortConfig*, const uint8_t* P, unsigned m,
- const PatternDescriptor& desc, void* user) override
+ const uint8_t* P, unsigned m, const PatternDescriptor& desc, void* user) override
{
return acsmAddPattern2(obj, P, m, desc.no_case, desc.negated, user);
}
//-------------------------------------------------------------------------
static Mpse* acsb_ctor(
- SnortConfig* sc, class Module*, const MpseAgent* agent)
+ const SnortConfig*, class Module*, const MpseAgent* agent)
{
- return new AcsbMpse(sc, agent);
+ return new AcsbMpse(agent);
}
static void acsb_dtor(Mpse* p)
ACSM_STRUCT* obj;
public:
- AcMpse(SnortConfig*, const MpseAgent* agent)
- : Mpse("ac_std")
+ AcMpse(const MpseAgent* agent) : Mpse("ac_std")
{ obj = acsmNew(agent); }
~AcMpse() override
{ acsmFree(obj); }
int add_pattern(
- SnortConfig*, const uint8_t* P, unsigned m,
- const PatternDescriptor& desc, void* user) override
+ const uint8_t* P, unsigned m, const PatternDescriptor& desc, void* user) override
{
return acsmAddPattern(obj, P, m, desc.no_case, desc.negated, user);
}
//-------------------------------------------------------------------------
static Mpse* ac_ctor(
- SnortConfig* sc, class Module*, const MpseAgent* agent)
+ const SnortConfig*, class Module*, const MpseAgent* agent)
{
- return new AcMpse(sc, agent);
+ return new AcMpse(agent);
}
static void ac_dtor(Mpse* p)
class HyperscanMpse : public Mpse
{
public:
- HyperscanMpse(SnortConfig*, const MpseAgent* a)
+ HyperscanMpse(const MpseAgent* a)
: Mpse("hyperscan")
{
agent = a;
}
int add_pattern(
- SnortConfig*, const uint8_t* pat, unsigned len,
- const PatternDescriptor& desc, void* user) override
+ const uint8_t* pat, unsigned len, const PatternDescriptor& desc, void* user) override
{
Pattern p(pat, len, desc, user);
pvector.emplace_back(p);
{ delete p; }
static Mpse* hs_ctor(
- SnortConfig* sc, class Module*, const MpseAgent* a)
+ const SnortConfig* sc, class Module*, const MpseAgent* a)
{
if ( s_scratch.empty() )
s_scratch.resize(sc->num_slots, nullptr);
- return new HyperscanMpse(sc, a);
+ return new HyperscanMpse(a);
}
static void hs_dtor(Mpse* p)
namespace snort
{
+const SnortConfig* SearchTool::conf = nullptr;
+
SearchTool::SearchTool(const char* method, bool dfa)
{
mpsegrp = new MpseGroup;
// pattern offload search method. If a method is passed in then an offload
// search engine will not be created
- SnortConfig* sc = SnortConfig::get_parser_conf();
- assert(sc);
+ assert(conf);
- if (mpsegrp->create_normal_mpse(sc, method))
+ if (mpsegrp->create_normal_mpse(conf, method))
{
if( dfa )
mpsegrp->normal_mpse->set_opt(1);
if (method == nullptr)
{
- if (mpsegrp->create_offload_mpse(sc))
+ if (mpsegrp->create_offload_mpse(conf))
{
if ( dfa )
mpsegrp->offload_mpse->set_opt(1);
}
void SearchTool::add(const char* pat, unsigned len, int id, bool no_case)
-{
- add((const uint8_t*)pat, len, id, no_case);
-}
+{ add((const uint8_t*)pat, len, id, no_case); }
void SearchTool::add(const char* pat, unsigned len, void* id, bool no_case)
-{
- add((const uint8_t*)pat, len, id, no_case);
-}
+{ add((const uint8_t*)pat, len, id, no_case); }
void SearchTool::add(const uint8_t* pat, unsigned len, int id, bool no_case)
-{
- add(pat, len, (void*)(long)id, no_case);
-}
+{ add(pat, len, (void*)(long)id, no_case); }
void SearchTool::add(const uint8_t* pat, unsigned len, void* id, bool no_case)
{
Mpse::PatternDescriptor desc(no_case, false, true);
if ( mpsegrp->normal_mpse )
- mpsegrp->normal_mpse->add_pattern(nullptr, pat, len, desc, id);
+ mpsegrp->normal_mpse->add_pattern(pat, len, desc, id);
+
if ( mpsegrp->offload_mpse )
- mpsegrp->offload_mpse->add_pattern(nullptr, pat, len, desc, id);
+ mpsegrp->offload_mpse->add_pattern(pat, len, desc, id);
if ( len > max_len )
max_len = len;
}
int SearchTool::find(
- const char* str,
- unsigned len,
- MpseMatch mf,
- int& state,
- bool confine,
- void* user_data)
+ const char* str, unsigned len, MpseMatch mf, int& state, bool confine, void* user_data)
{
int num = 0;
- SnortConfig* sc = SnortConfig::get_conf();
- FastPatternConfig* fp = sc->fast_pattern_config;
+ const SnortConfig* sc = SnortConfig::get_conf();
+ const FastPatternConfig* fp = sc->fast_pattern_config;
if ( confine && max_len > 0 )
{
}
int SearchTool::find(
- const char* str,
- unsigned len,
- MpseMatch mf,
- bool confine,
- void* user_data)
+ const char* str, unsigned len, MpseMatch mf, bool confine, void* user_data)
{
int state = 0;
return find(str, len, mf, state, confine, user_data);
}
int SearchTool::find_all(
- const char* str,
- unsigned len,
- MpseMatch mf,
- bool confine,
- void* user_data)
+ const char* str, unsigned len, MpseMatch mf, bool confine, void* user_data)
{
int num = 0;
- SnortConfig* sc = SnortConfig::get_conf();
- FastPatternConfig* fp = sc->fast_pattern_config;
+ const SnortConfig* sc = SnortConfig::get_conf();
+ const FastPatternConfig* fp = sc->fast_pattern_config;
if ( confine && max_len > 0 )
{
class SO_PUBLIC SearchTool
{
public:
+ // FIXIT-L SnortConfig should be passed to ctor, a lot of appid plumbing
+ // for now set_conf must be called before instantiation
+ static void set_conf(const SnortConfig* sc)
+ { conf = sc; }
+
SearchTool(const char* method = nullptr, bool dfa = false);
~SearchTool();
bool confine = false, void* user_data = nullptr);
private:
+ static const SnortConfig* conf;
class MpseGroup* mpsegrp;
unsigned max_len;
};
void SnortConfig::release_scratch(int) { }
-SnortConfig* SnortConfig::get_conf()
+const SnortConfig* SnortConfig::get_conf()
{ return snort_conf; }
static unsigned parse_errors = 0;
{
Mpse::PatternDescriptor desc;
- CHECK(hs->add_pattern(nullptr, (const uint8_t*)"foo", 3, desc, s_user) == 0);
+ CHECK(hs->add_pattern((const uint8_t*)"foo", 3, desc, s_user) == 0);
CHECK(hs->prep_patterns(snort_conf) == 0);
CHECK(hs->get_pattern_count() == 1);
{
Mpse::PatternDescriptor desc(true, true, false);
- CHECK(hs->add_pattern(nullptr, (const uint8_t*)"foo", 3, desc, s_user) == 0);
+ CHECK(hs->add_pattern((const uint8_t*)"foo", 3, desc, s_user) == 0);
CHECK(hs->prep_patterns(snort_conf) == 0);
CHECK(hs->get_pattern_count() == 1);
{
Mpse::PatternDescriptor desc(false, true, false);
- CHECK(hs->add_pattern(nullptr, (const uint8_t*)"foo", 3, desc, s_user) == 0);
+ CHECK(hs->add_pattern((const uint8_t*)"foo", 3, desc, s_user) == 0);
CHECK(hs->prep_patterns(snort_conf) == 0);
CHECK(hs->get_pattern_count() == 1);
{
Mpse::PatternDescriptor desc;
- CHECK(hs->add_pattern(nullptr, (const uint8_t*)"foo", 3, desc, s_user) == 0);
- CHECK(hs->add_pattern(nullptr, (const uint8_t*)"bar", 3, desc, s_user) == 0);
- CHECK(hs->add_pattern(nullptr, (const uint8_t*)"baz", 3, desc, s_user) == 0);
+ CHECK(hs->add_pattern((const uint8_t*)"foo", 3, desc, s_user) == 0);
+ CHECK(hs->add_pattern((const uint8_t*)"bar", 3, desc, s_user) == 0);
+ CHECK(hs->add_pattern((const uint8_t*)"baz", 3, desc, s_user) == 0);
CHECK(hs->prep_patterns(snort_conf) == 0);
CHECK(hs->get_pattern_count() == 3);
{
Mpse::PatternDescriptor desc;
- CHECK(hs->add_pattern(
- nullptr, (const uint8_t*)"(foo)|(bar)|(baz)", 17, desc, s_user) == 0);
+ CHECK(hs->add_pattern((const uint8_t*)"(foo)|(bar)|(baz)", 17, desc, s_user) == 0);
CHECK(hs->prep_patterns(snort_conf) == 0);
CHECK(hs->get_pattern_count() == 1);
Mpse::PatternDescriptor desc;
// from sid 23286
- CHECK(hs->add_pattern(
- nullptr, (const uint8_t*)"\\.definition\\s*\\(", 21, desc, s_user) == 0);
+ CHECK(hs->add_pattern((const uint8_t*)"\\.definition\\s*\\(", 21, desc, s_user) == 0);
CHECK(hs->prep_patterns(snort_conf) == 0);
CHECK(hs->get_pattern_count() == 1);
{
Mpse::PatternDescriptor desc;
- CHECK(hs1->add_pattern(nullptr, (const uint8_t*)"uba", 3, desc, s_user) == 0);
- CHECK(hs2->add_pattern(nullptr, (const uint8_t*)"tuba", 4, desc, s_user) == 0);
+ CHECK(hs1->add_pattern((const uint8_t*)"uba", 3, desc, s_user) == 0);
+ CHECK(hs2->add_pattern((const uint8_t*)"tuba", 4, desc, s_user) == 0);
CHECK(hs1->prep_patterns(snort_conf) == 0);
CHECK(hs2->prep_patterns(snort_conf) == 0);
SnortConfig::~SnortConfig() = default;
-SnortConfig* SnortConfig::get_conf()
-{ return snort_conf; }
-
-SnortConfig* SnortConfig::get_parser_conf()
+const SnortConfig* SnortConfig::get_conf()
{ return snort_conf; }
unsigned get_instance_id()
extern const BaseApi* se_ac_full;
Mpse* mpse = nullptr;
-Mpse* MpseManager::get_search_engine(const char *type)
-{
- const MpseApi* api;
-
- if ( !strcmp(type, "ac_bnfa") )
- api = (const MpseApi*) se_ac_bnfa;
-
- else if ( !strcmp(type, "ac_full") )
- api = (const MpseApi*) se_ac_full;
-
- else
- return nullptr;
-
- api->init();
- mpse = api->ctor(snort_conf, nullptr, &s_agent);
-
- CHECK(mpse);
-
- mpse->set_api(api);
- return mpse;
-}
-
void MpseManager::delete_search_engine(Mpse* eng)
{
const MpseApi* api = eng->get_api();
}
}
-bool MpseGroup::create_normal_mpse(SnortConfig*, const char* type)
+bool MpseGroup::create_normal_mpse(const SnortConfig*, const char* type)
{
- normal_mpse = MpseManager::get_search_engine(type);
+ const MpseApi* api;
+
+ if ( !strcmp(type, "ac_bnfa") )
+ api = (const MpseApi*) se_ac_bnfa;
+
+ else if ( !strcmp(type, "ac_full") )
+ api = (const MpseApi*) se_ac_full;
+
+ else
+ return false;
+
+ api->init();
+ mpse = api->ctor(snort_conf, nullptr, &s_agent);
+
+ CHECK(mpse);
+
+ mpse->set_api(api);
+ normal_mpse = mpse;
return true;
}
-bool MpseGroup::create_offload_mpse(SnortConfig*)
+bool MpseGroup::create_offload_mpse(const SnortConfig*)
{
offload_mpse = nullptr;
return false;
void setup() override
{
CHECK(se_ac_bnfa);
+ SearchTool::set_conf(snort_conf);
stool = new SearchTool("ac_bnfa");
+ SearchTool::set_conf(nullptr);
CHECK(stool->mpsegrp->normal_mpse);
void setup() override
{
CHECK(se_ac_full);
+ SearchTool::set_conf(snort_conf);
stool = new SearchTool("ac_full", true);
+ SearchTool::set_conf(nullptr);
CHECK(stool->mpsegrp->normal_mpse);
Cip(CipProtoConf*);
~Cip() override;
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
void eval(Packet*) override;
class StreamSplitter* get_splitter(bool c2s) override
}
}
-void Cip::show(SnortConfig*)
+void Cip::show(const SnortConfig*) const
{
if (!config)
return;
return true;
}
-void print_dce2_common_config(dce2CommonProtoConf& common)
+void print_dce2_common_config(const dce2CommonProtoConf& common)
{
ConfigLogger::log_flag("limit_alerts", common.limit_alerts);
ConfigLogger::log_flag("disable_defrag", common.disable_defrag);
ConfigLogger::log_value("max_frag_len", common.max_frag_len);
}
-void print_dce2_co_config(dce2CoProtoConf& co)
+void print_dce2_co_config(const dce2CoProtoConf& co)
{
print_dce2_common_config(co.common);
}
bool dce2_set_common_config(snort::Value&, dce2CommonProtoConf&);
-void print_dce2_common_config(dce2CommonProtoConf&);
+void print_dce2_common_config(const dce2CommonProtoConf&);
bool dce2_set_co_config(snort::Value&, dce2CoProtoConf&);
-void print_dce2_co_config(dce2CoProtoConf&);
+void print_dce2_co_config(const dce2CoProtoConf&);
bool dce2_paf_abort(DCE2_SsnData*);
void DCE2_Detect(DCE2_SsnData*);
snort::Packet* DCE2_GetRpkt(snort::Packet*, DCE2_RpktType, const uint8_t*, uint32_t);
Dce2Smb(const dce2SmbProtoConf&);
~Dce2Smb() override;
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
void eval(Packet*) override;
void clear(Packet*) override;
}
}
-void Dce2Smb::show(SnortConfig*)
+void Dce2Smb::show(const SnortConfig*) const
{
print_dce2_smb_conf(config);
}
config.smb_invalid_shares = nullptr;
}
-void print_dce2_smb_conf(dce2SmbProtoConf& config)
+void print_dce2_smb_conf(const dce2SmbProtoConf& config)
{
print_dce2_co_config(config.common);
dce2SmbProtoConf config;
};
-void print_dce2_smb_conf(dce2SmbProtoConf& config);
+void print_dce2_smb_conf(const dce2SmbProtoConf&);
inline int64_t DCE2_ScSmbFileDepth(const dce2SmbProtoConf* sc)
{
public:
Dce2Tcp(const dce2TcpProtoConf&);
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
void eval(Packet*) override;
void clear(Packet*) override;
StreamSplitter* get_splitter(bool c2s) override
config = pc;
}
-void Dce2Tcp::show(SnortConfig*)
+void Dce2Tcp::show(const SnortConfig*) const
{
print_dce2_tcp_conf(config);
}
dce2_tcp_config = config;
}
-void print_dce2_tcp_conf(dce2TcpProtoConf& config)
+void print_dce2_tcp_conf(const dce2TcpProtoConf& config)
{
print_dce2_co_config(config.common);
}
dce2TcpProtoConf config;
};
-void print_dce2_tcp_conf(dce2TcpProtoConf& config);
+void print_dce2_tcp_conf(const dce2TcpProtoConf& config);
#endif
{
public:
Dce2Udp(const dce2UdpProtoConf&);
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
void eval(Packet*) override;
void clear(Packet*) override;
config = pc;
}
-void Dce2Udp::show(SnortConfig*)
+void Dce2Udp::show(const SnortConfig*) const
{
print_dce2_udp_conf(config);
}
dce2_udp_config = config;
}
-void print_dce2_udp_conf(dce2UdpProtoConf& config)
+void print_dce2_udp_conf(const dce2UdpProtoConf& config)
{
print_dce2_common_config(config.common);
}
dce2UdpProtoConf config;
};
-void print_dce2_udp_conf(dce2UdpProtoConf& config);
+void print_dce2_udp_conf(const dce2UdpProtoConf&);
#endif
public:
Dnp3(const dnp3ProtoConf&);
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
void eval(Packet*) override;
bool get_buf(InspectionBuffer::Type, Packet*, InspectionBuffer&) override;
void clear(Packet*) override;
}
-void Dnp3::show(SnortConfig*)
+void Dnp3::show(const SnortConfig*) const
{
ConfigLogger::log_flag("check_crc", config.check_crc);
}
~FtpClient() override
{ delete ftp_client; }
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
void eval(Packet*) override { }
FTP_CLIENT_PROTO_CONF* ftp_client;
};
-void FtpClient::show(SnortConfig*)
+void FtpClient::show(const SnortConfig*) const
{
if ( ftp_client )
print_conf_client(ftp_client);
~FtpServer() override;
bool configure(SnortConfig*) override;
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
void eval(Packet*) override;
StreamSplitter* get_splitter(bool) override;
return !FTPCheckConfigs(sc, ftp_server);
}
-void FtpServer::show(SnortConfig*)
+void FtpServer::show(const SnortConfig*) const
{
if ( ftp_server )
print_conf_server(ftp_server);
// and no IPS rules are configured.
if ( !status )
{
- IpsPolicy* empty_policy = snort::get_empty_ips_policy(SnortConfig::get_conf());
+ IpsPolicy* empty_policy = snort::get_empty_ips_policy(p->context->conf);
if ( empty_policy->policy_id == p->flow->ips_policy_id )
{
if ( PacketTracer::is_active() )
~Telnet() override;
bool configure(SnortConfig*) override;
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
void eval(Packet*) override;
bool get_buf(InspectionBuffer::Type, Packet*, InspectionBuffer&) override;
return !TelnetCheckConfigs(sc, config);
}
-void Telnet::show(SnortConfig*)
+void Telnet::show(const SnortConfig*) const
{
if ( !config )
return;
return true;
}
-void HttpInspect::show(snort::SnortConfig*)
+void HttpInspect::show(const SnortConfig*) const
{
assert(params);
bool get_fp_buf(snort::InspectionBuffer::Type ibt, snort::Packet* p,
snort::InspectionBuffer& b) override;
bool configure(snort::SnortConfig*) override;
- void show(snort::SnortConfig*) override;
+ void show(const snort::SnortConfig*) const override;
void eval(snort::Packet* p) override;
void clear(snort::Packet* p) override;
~Imap() override;
bool configure(SnortConfig*) override;
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
void eval(Packet*) override;
StreamSplitter* get_splitter(bool c2s) override
return true;
}
-void Imap::show(SnortConfig*)
+void Imap::show(const SnortConfig*) const
{
if ( config )
config->decode_conf.show();
~Pop() override;
bool configure(SnortConfig*) override;
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
void eval(Packet*) override;
StreamSplitter* get_splitter(bool c2s) override
return true;
}
-void Pop::show(SnortConfig*)
+void Pop::show(const SnortConfig*) const
{
if ( config )
config->decode_conf.show();
Sip(SIP_PROTO_CONF*);
~Sip() override;
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
void eval(Packet*) override;
bool get_buf(InspectionBuffer::Type, Packet*, InspectionBuffer&) override;
}
}
-void Sip::show(SnortConfig*)
+void Sip::show(const SnortConfig*) const
{
if ( !config )
return;
~Smtp() override;
bool configure(SnortConfig*) override;
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
void eval(Packet*) override;
bool get_buf(InspectionBuffer::Type, Packet*, InspectionBuffer&) override;
void clear(Packet*) override;
return true;
}
-void Smtp::show(SnortConfig*)
+void Smtp::show(const SnortConfig*) const
{
if ( config )
config->show();
Ssh(SSH_PROTO_CONF*);
~Ssh() override;
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
void eval(Packet*) override;
private:
delete config;
}
-void Ssh::show(SnortConfig*)
+void Ssh::show(const SnortConfig*) const
{
if ( !config )
return;
Ssl(SSL_PROTO_CONF*);
~Ssl() override;
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
void eval(Packet*) override;
StreamSplitter* get_splitter(bool c2s) override
delete config;
}
-void Ssl::show(SnortConfig*)
+void Ssl::show(const SnortConfig*) const
{
if ( !config )
return;
/* Obfuscates this IP with an obfuscation CIDR
Makes this: ob | (this & mask) */
-void SfIp::obfuscate(SfCidr* ob)
+void SfIp::obfuscate(const SfCidr* ob)
{
const uint32_t* ob_p;
int index, i;
const char* ntop(char* buf, int bufsize) const;
const char* ntop(SfIpString) const;
- void obfuscate(SfCidr* ob);
+ void obfuscate(const SfCidr* ob);
private:
int cidr_mask(int val);
#include <functional>
+#include "detection/ips_context.h"
#include "flow/expect_cache.h"
#include "flow/flow_control.h"
#include "flow/prune_stats.h"
{
public:
StreamBase(const StreamModuleConfig*);
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
void tinit() override;
void tterm() override;
FlushBucket::clear();
}
-void StreamBase::show(SnortConfig* sc)
+void StreamBase::show(const SnortConfig* sc) const
{
if ( sc )
ConfigLogger::log_flag("ip_frags_only", sc->ip_frags_only());
case PktType::IP:
if ( p->has_ip() and ((p->ptrs.decode_flags & DECODE_FRAG) or
- !SnortConfig::get_conf()->ip_frags_only()) )
+ !p->context->conf->ip_frags_only()) )
{
bool new_flow = false;
flow_con->process(PktType::IP, p, &new_flow);
{ config.upload = b; }
NORETURN_ASSERT void eval(Packet*) override;
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
StreamFileConfig config;
};
assert(false);
}
-void StreamFile::show(SnortConfig*)
+void StreamFile::show(const SnortConfig*) const
{
ConfigLogger::log_flag("upload", config.upload);
}
if ( sz )
s_flush_bucket = new ConstFlushBucket(sz);
+
else if ( SnortConfig::static_hash() )
s_flush_bucket = new StaticFlushBucket;
+
else
s_flush_bucket = new RandomFlushBucket;
#include "icmp_session.h"
+#include "detection/ips_context.h"
#include "flow/flow_key.h"
#include "memory/memory_cap.h"
#include "profiler/profiler_defs.h"
// FIXIT-L see FlowKey::init*() - call those instead
// or do mpls differently for ip4 and ip6
- skey.init_vlan(vlan);
- skey.init_address_space(0);
- skey.init_mpls(0);
+ const SnortConfig* sc = p->context->conf;
+ skey.init_vlan(sc, vlan);
+ skey.init_address_space(sc, 0);
+ skey.init_mpls(sc, 0);
switch (p->type())
{
StreamIcmp(StreamIcmpConfig*);
~StreamIcmp() override;
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
NORETURN_ASSERT void eval(Packet*) override;
public:
delete config;
}
-void StreamIcmp::show(SnortConfig*)
+void StreamIcmp::show(const SnortConfig*) const
{
if ( !config )
return;
return true;
}
-void Defrag::show(SnortConfig*)
+void Defrag::show() const
{
ConfigLogger::log_value("max_frags", engine.max_frags);
ConfigLogger::log_value("max_overlaps", engine.max_overlaps);
}
}
- if ((uint16_t)fragLength > SnortConfig::get_conf()->daq_config->get_mru_size())
+ if ((uint16_t)fragLength > p->context->conf->daq_config->get_mru_size())
{
debug_logf(stream_ip_trace, "Overly large fragment %d 0x%x 0x%x %d\n",
fragLength, p->ptrs.ip_api.dgram_len(), p->ptrs.ip_api.off(),
fragStart = p->data;
/* Just to double check */
- if (!fragLength or fragLength > SnortConfig::get_conf()->daq_config->get_mru_size())
+ if (!fragLength or fragLength > p->context->conf->daq_config->get_mru_size())
{
debug_logf(stream_ip_trace, "Bad fragment length:%d(0x%x) off:0x%x(%d)\n",
fragLength, p->ptrs.ip_api.dgram_len(), p->ptrs.ip_api.off(),
Defrag(FragEngine&);
bool configure(snort::SnortConfig*);
- void show(snort::SnortConfig*);
+ void show() const;
void process(snort::Packet*, FragTracker*);
void cleanup(FragTracker*);
~StreamIp() override;
bool configure(SnortConfig*) override;
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
NORETURN_ASSERT void eval(Packet*) override;
StreamIpConfig* config;
Defrag* defrag;
~StreamIp() override;
bool configure(SnortConfig*) override;
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
NORETURN_ASSERT void eval(Packet*) override;
return true;
}
-void StreamIp::show(SnortConfig* sc)
+void StreamIp::show(const SnortConfig*) const
{
if ( !config )
return;
- defrag->show(sc);
+ defrag->show();
ConfigLogger::log_value("session_timeout", config->session_timeout);
}
uint16_t vlan, uint32_t mplsId, uint16_t addressSpaceId)
{
FlowKey key;
- key.init(type, proto, srcIP, srcPort, dstIP, dstPort, vlan, mplsId, addressSpaceId);
+ const SnortConfig* sc = SnortConfig::get_conf();
+ key.init(sc, type, proto, srcIP, srcPort, dstIP, dstPort, vlan, mplsId, addressSpaceId);
return get_flow(&key);
}
return;
key->init(
+ SnortConfig::get_conf(),
p->type(), p->get_ip_proto_next(),
p->ptrs.ip_api.get_src(), p->ptrs.sp,
p->ptrs.ip_api.get_dst(), p->ptrs.dp,
flow->response_count = 1;
- if ( SnortConfig::get_conf()->max_responses > 1 )
- flow->set_expire(p, SnortConfig::get_conf()->min_interval);
+ if ( p->context->conf->max_responses > 1 )
+ flow->set_expire(p, p->context->conf->min_interval);
}
void Stream::purge_flows()
// that we only send in the still active direction(s).
static void active_response(Packet* p, Flow* lwssn)
{
- uint8_t max = SnortConfig::get_conf()->max_responses;
+ uint8_t max = p->context->conf->max_responses;
if ( p->is_from_client() )
lwssn->session_state |= STREAM_STATE_DROP_CLIENT;
if ( (lwssn->response_count < max) && lwssn->expired(p) )
{
- uint32_t delay = SnortConfig::get_conf()->min_interval;
+ uint32_t delay = p->context->conf->min_interval;
EncodeFlags flags =
( (lwssn->session_state & STREAM_STATE_DROP_CLIENT) &&
(lwssn->session_state & STREAM_STATE_DROP_SERVER) ) ?
SECTION("reassembler initialization")
{
- bool status = reassembler->begin(nullptr, 0, SnortConfig::get_conf());
+ bool status = reassembler->begin(nullptr, 0, SnortConfig::get_main_conf());
CHECK(status);
CHECK( ( reassembler->srod.enable == 0 ) );
CHECK( ( reassembler->srod.direction == 0 ) );
StreamTcp(TcpStreamConfig*);
~StreamTcp() override;
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
bool configure(SnortConfig*) override;
void tinit() override;
void tterm() override;
StreamTcp::~StreamTcp()
{ delete config; }
-void StreamTcp::show(SnortConfig*)
+void StreamTcp::show(const SnortConfig*) const
{
if ( !config )
return;
{
if ( trs.sos.session->config->flags & STREAM_CONFIG_SHOW_PACKETS )
{
+ // FIXIT-L setting conf here is required because this is called before context start
+ pkt->context->conf = SnortConfig::get_conf();
LogFlow(pkt);
LogNetData(pkt->data, pkt->dsize, pkt);
}
update_ignored_session(tsd);
set_window_scale(*talker, *listener, tsd);
- if ( SnortConfig::is_address_anomaly_check_enabled() )
+
+ if ( p->context->conf->is_address_anomaly_check_enabled() )
check_for_session_hijack(tsd);
return true;
{
pkt_action_mask |= listener->normalizer.handle_paws(tsd);
- if ( SnortConfig::inline_mode() )
+ if ( tsd.get_pkt()->context->conf->inline_mode() )
if ( tsd.get_tcph()->is_ack() && !listener->is_ack_valid(tsd.get_seg_ack()) )
pkt_action_mask |= ACTION_BAD_PKT;
namespace snort
{
THREAD_LOCAL SnortConfig* snort_conf = nullptr;
-SnortConfig* SnortConfig::get_conf()
+
+const SnortConfig* SnortConfig::get_conf()
{ return snort_conf; }
static StreamSplitter* next_splitter = nullptr;
StreamUdp(StreamUdpConfig*);
~StreamUdp() override;
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
NORETURN_ASSERT void eval(Packet*) override;
public:
delete config;
}
-void StreamUdp::show(SnortConfig*)
+void StreamUdp::show(const SnortConfig*) const
{
if ( !config )
return;
StreamUser(StreamUserConfig*);
~StreamUser() override;
- void show(SnortConfig*) override;
+ void show(const SnortConfig*) const override;
NORETURN_ASSERT void eval(Packet*) override;
delete config;
}
-void StreamUser::show(SnortConfig*)
+void StreamUser::show(const SnortConfig*) const
{
if ( !config )
return;
}
// application service not found, add it
- if ( service_count >= SnortConfig::get_max_services_per_host() )
+ if ( service_count >= SnortConfig::get_conf()->get_max_services_per_host() )
return;
ApplicationEntry* app = new ApplicationEntry(port, protocol, snort_protocol_id);
delete next_cfg;
next_cfg = new HostAttributesTable(sc->max_attribute_hosts);
- Shell sh = Shell(fname);
+ Shell sh(fname);
+
if ( !sh.configure(sc, false, true) )
{
delete next_cfg;
static THREAD_LOCAL TraceLogger* g_trace_logger = nullptr;
-void TraceApi::thread_init(SnortConfig* sc)
+void TraceApi::thread_init(const SnortConfig* sc)
{
if ( sc->trace_config->logger_factory )
g_trace_logger = sc->trace_config->logger_factory->instantiate();
g_trace_logger = nullptr;
}
-void TraceApi::thread_reinit(SnortConfig* sc)
+void TraceApi::thread_reinit(const SnortConfig* sc)
{
sc->trace_config->setup_module_trace();
}
class TraceApi
{
public:
- static void thread_init(SnortConfig* sc);
- static void thread_reinit(SnortConfig* sc);
+ static void thread_init(const SnortConfig* sc);
+ static void thread_reinit(const SnortConfig* sc);
static void thread_term();
static void log(const char* log_msg, const char* name,
LogLabel("Module Statistics");
const char* exclude = "daq snort";
- ModuleManager::dump_stats(SnortConfig::get_conf(), exclude, false);
- ModuleManager::dump_stats(SnortConfig::get_conf(), exclude, true);
+ ModuleManager::dump_stats(exclude, false);
+ ModuleManager::dump_stats(exclude, true);
LogLabel("Summary Statistics");
show_stats((PegCount*)&proc_stats, proc_names, array_size(proc_names)-1, "process");
DropStats();
timing_stats();
- // FIXIT-L can do flag saving with RAII (much cleaner)
- int save_quiet_flag = SnortConfig::get_conf()->logging_flags & LOGGING_FLAG__QUIET;
+ SnortConfig* sc = SnortConfig::get_main_conf();
- SnortConfig::get_conf()->logging_flags &= ~LOGGING_FLAG__QUIET;
+ // FIXIT-L can do flag saving with RAII (much cleaner)
+ int save_quiet_flag = sc->logging_flags & LOGGING_FLAG__QUIET;
+ sc->logging_flags &= ~LOGGING_FLAG__QUIET;
// once more for the main thread
Profiler::consolidate_stats();
-
Profiler::show_stats();
- SnortConfig::get_conf()->logging_flags |= save_quiet_flag;
+ sc->logging_flags |= save_quiet_flag;
}
//-------------------------------------------------------------------------
tvp = &tv;
}
- int localzone = SnortConfig::get_conf()->thiszone;
+ const SnortConfig* sc = SnortConfig::get_conf();
+ int localzone = sc->thiszone;
/*
** If we're doing UTC, then make sure that the timezone is correct.
*/
- if (SnortConfig::output_use_utc())
+ if (sc->output_use_utc())
localzone = 0;
int s = (tvp->tv_sec + localzone) % SECONDS_PER_DAY;
(void)SnortSnprintf(timebuf, TIMEBUF_SIZE, "%lu", tvp->tv_sec);
}
- else if (SnortConfig::output_include_year())
+ else if (sc->output_include_year())
{
int year = (lt->tm_year >= 100) ? (lt->tm_year - 100) : lt->tm_year;
void CreatePidFile(pid_t pid)
{
- SnortConfig::get_conf()->pid_filename = SnortConfig::get_conf()->log_dir;
- SnortConfig::get_conf()->pid_filename += "/snort.pid";
+ SnortConfig* sc = SnortConfig::get_main_conf();
+
+ sc->pid_filename = sc->log_dir;
+ sc->pid_filename += "/snort.pid";
std::string pid_lockfilename;
- if ( !SnortConfig::no_lock_pid_file() )
+ if ( !sc->no_lock_pid_file() )
{
- pid_lockfilename = SnortConfig::get_conf()->pid_filename;
+ pid_lockfilename = sc->pid_filename;
pid_lockfilename += ".lck";
/* First, lock the PID file */
{
ClosePidFile();
ParseError("Failed to Lock PID File \"%s\" for PID \"%d\"",
- SnortConfig::get_conf()->pid_filename.c_str(), (int)pid);
+ sc->pid_filename.c_str(), (int)pid);
return;
}
}
}
/* Okay, were able to lock PID file, now open and write PID */
- pid_file = fopen(SnortConfig::get_conf()->pid_filename.c_str(), "w");
+ pid_file = fopen(sc->pid_filename.c_str(), "w");
if (pid_file)
{
LogMessage("Writing PID \"%d\" to file \"%s\"\n", (int)pid,
- SnortConfig::get_conf()->pid_filename.c_str());
+ sc->pid_filename.c_str());
fprintf(pid_file, "%d\n", (int)pid);
fflush(pid_file);
}
fclose(pid_lockfile);
const char* error = get_error(errno);
ErrorMessage("Failed to create pid file %s, Error: %s\n",
- SnortConfig::get_conf()->pid_filename.c_str(), error);
- SnortConfig::get_conf()->pid_filename.clear();
+ sc->pid_filename.c_str(), error);
+ sc->pid_filename.clear();
}
if ( !pid_lockfilename.empty() )
unlink(pid_lockfilename.c_str());
}
/**
- * Chroot and adjust the SnortConfig::get_conf()->log_dir reference
+ * Chroot and adjust the log_dir reference
*/
bool EnterChroot(std::string& root_dir, std::string& log_dir)
{
namespace snort
{
-char* ObfuscateIpToText(const SfIp* ip, const SfCidr& homenet, SfCidr& obfunet, InetBuf& ab)
+char* ObfuscateIpToText(const SfIp* ip, const SfCidr& homenet, const SfCidr& obfunet, InetBuf& ab)
{
ab[0] = 0;
typedef char InetBuf[INET6_ADDRSTRLEN];
SO_PUBLIC char* ObfuscateIpToText(
- const struct SfIp*, const SfCidr& homenet, SfCidr& obfuscate_net, InetBuf&);
+ const struct SfIp*, const SfCidr& homenet, const SfCidr& obfuscate_net, InetBuf&);
}
#endif
projects / thirdparty / snort3.git / commitdiff
