From: Mike Stepanek (mstepane) Date: Tue, 2 Jul 2019 17:24:36 +0000 (-0400) Subject: Merge pull request #1659 in SNORT/snort3 from ~MDAGON/snort3:hpack_int to master X-Git-Tag: 3.0.0-258~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=275ed3b2c5f607e6e9dae20105757c096dfc4a49;p=thirdparty%2Fsnort3.git Merge pull request #1659 in SNORT/snort3 from ~MDAGON/snort3:hpack_int to master Squashed commit of the following: commit 1aa88db8a750eb3efc4a66b0483cb515a60d613e Author: mdagon Date: Thu Jun 20 16:42:53 2019 -0400 http2: decode HPACK uint --- diff --git a/src/service_inspectors/http2_inspect/CMakeLists.txt b/src/service_inspectors/http2_inspect/CMakeLists.txt index 84d7b8f8a..90b40758f 100644 --- a/src/service_inspectors/http2_inspect/CMakeLists.txt +++ b/src/service_inspectors/http2_inspect/CMakeLists.txt @@ -5,6 +5,8 @@ set (FILE_LIST http2_enum.h http2_flow_data.cc http2_flow_data.h + http2_hpack_decode.cc + http2_hpack_decode.h http2_inspect.cc http2_inspect_impl.cc http2_inspect.h diff --git a/src/service_inspectors/http2_inspect/http2_enum.h b/src/service_inspectors/http2_inspect/http2_enum.h index ae0c26fa4..a1fc4ca1d 100644 --- a/src/service_inspectors/http2_inspect/http2_enum.h +++ b/src/service_inspectors/http2_inspect/http2_enum.h @@ -49,9 +49,22 @@ enum PEG_COUNT { PEG_CONCURRENT_SESSIONS = 0, PEG_MAX_CONCURRENT_SESSIONS, PEG_F enum EventSid { EVENT__NONE = -1, + EVENT_INT_DECODE_FAILURE = 1, + EVENT_INT_LEADING_ZEROS = 2, EVENT__MAX_VALUE }; +// All the infractions we might find while parsing and analyzing a message +enum Infraction +{ + INF__NONE = -1, + INF_INT_EMPTY_BUFF = 0, + INF_INT_MISSING_BYTES = 1, + INF_INT_OVERFLOW = 2, + INF_INT_LEADING_ZEROS = 3, + INF__MAX_VALUE +}; + } // end namespace Http2Enums #endif diff --git a/src/service_inspectors/http2_inspect/http2_hpack_decode.cc b/src/service_inspectors/http2_inspect/http2_hpack_decode.cc new file mode 100644 index 000000000..e723012bd --- /dev/null 
+++ b/src/service_inspectors/http2_inspect/http2_hpack_decode.cc 
@@ -0,0 +1,101 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2019-2019 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// http2_hpack_decode.cc author Maya Dagon
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "http2_hpack_decode.h"
+
+#include "http2_enum.h"
+
+using namespace Http2Enums;
+
+static const uint8_t VAL_MASK = 0x7F;
+static const uint8_t FLAG_BIT = 0x80;
+
+Http2HpackIntDecode::Http2HpackIntDecode(uint8_t prefix, Http2EventGen* events,
+ Http2Infractions* infractions) : prefix_mask(((uint16_t)1 << prefix) - 1), events(events),
+ infractions(infractions)
+{
+ assert ((0 < prefix) && (prefix < 9));
+}
+
+bool Http2HpackIntDecode::translate(const Field& msg, int32_t& bytes_consumed, uint64_t& result)
+{
+ bytes_consumed = 0;
+ result = 0;
+
+ if (bytes_consumed >= msg.length())
+ {
+ *infractions += INF_INT_EMPTY_BUFF;
+ events->create_event(EVENT_INT_DECODE_FAILURE);
+ return false;
+ }
+
+ const uint8_t* buff = msg.start();
+ const uint8_t prefix_val = buff[bytes_consumed++] & prefix_mask;
+
+ if (prefix_val < prefix_mask)
+ {
+ result = prefix_val;
+ return true;
+ }
+
+ uint8_t byte = 0;
+ for (uint8_t multiplier = 0; multiplier < 64; multiplier += 7)
+ {
+ if (bytes_consumed >= msg.length())
+ {
+ *infractions += INF_INT_MISSING_BYTES;
+ events->create_event(EVENT_INT_DECODE_FAILURE);
+ return false;
+ }
+ byte = buff[bytes_consumed++];
+
+ // For multiplier == 63, do overflow checks
+ if (multiplier == 63)
+ {
+ if (((byte & FLAG_BIT) != 0) || ((byte & VAL_MASK) > 1) ||
+ ((result + ((uint64_t)(byte & VAL_MASK) << multiplier) + prefix_mask) < result))
+ {
+ *infractions += INF_INT_OVERFLOW;
+ events->create_event(EVENT_INT_DECODE_FAILURE);
+ return false;
+ }
+ }
+
+ result += (uint64_t)(byte & VAL_MASK) << multiplier;
+
+ if ((byte & FLAG_BIT) == 0)
+ break;
+ }
+
+ // Alert on leading 0s, allow for value 2^N-1
+ if (((byte & VAL_MASK) == 0) && (bytes_consumed != 2))
+ {
+ *infractions += INF_INT_LEADING_ZEROS;
+ events->create_event(EVENT_INT_LEADING_ZEROS);
+ }
+
+ result += prefix_mask;
+
+ return true;
+}
+
diff --git a/src/service_inspectors/http2_inspect/http2_hpack_decode.h b/src/service_inspectors/http2_inspect/http2_hpack_decode.h
new file mode 100644
index 000000000..bc2211111
--- /dev/null
+++ b/src/service_inspectors/http2_inspect/http2_hpack_decode.h
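Review bot: The only check on `prefix` in the constructor is `assert ((0 < prefix) && (prefix < 9))`, which is compiled out under NDEBUG; a value of 0 then gives a zero `prefix_mask` and a value above 8 is narrowed into the 8-bit member, so `translate` would decode with the wrong prefix instead of failing. The same assert-only guard protects the `std::bitset` subscripts in `EventGen::create_event` (src/utils/event_gen.h) and in the `Infractions(int)` constructor (src/utils/infractions.h), where an out-of-range index is undefined behaviour in a release build. The values passed in the code visible here are constants rather than network data, so this is hardening, not a reachable bug as far as the diff shows. I would keep the asserts and add a runtime guard next to them, e.g. `if ((sid <= 0) || (sid > EVENT_MAX)) return;` in `create_event`, and state the 1..8 requirement in a comment on the constructor.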
@@ -0,0 +1,47 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2019-2019 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// http2_hpack_decode.h author Maya Dagon
+
+#ifndef HTTP2_HPACK_DECODE_H
+#define HTTP2_HPACK_DECODE_H
+
+#include "http2_enum.h"
+#include "main/snort_types.h"
+#include "service_inspectors/http_inspect/http_field.h"
+#include "utils/event_gen.h"
+#include "utils/infractions.h"
+
+using Http2Infractions = Infractions;
+
+using Http2EventGen = EventGen;
+
+class Http2HpackIntDecode
+{
+public:
+ Http2HpackIntDecode(uint8_t prefix, Http2EventGen* events, Http2Infractions* infractions);
+ bool translate(const Field& msg, int32_t& bytes_consumed, uint64_t& result);
+
+private:
+ const uint8_t prefix_mask;
+ Http2EventGen* const events;
+ Http2Infractions* const infractions;
+};
+
+#endif
+
diff --git a/src/service_inspectors/http2_inspect/http2_tables.cc b/src/service_inspectors/http2_inspect/http2_tables.cc
index e765bb84e..cb52a6795 100644
--- a/src/service_inspectors/http2_inspect/http2_tables.cc
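Review bot: `translate` is declared without a comment stating its contract, and the implementation has behaviour a caller cannot read off the signature: both outputs are written on every path, so after a `false` return `bytes_consumed` counts the bytes examined and `result` holds a partial sum, and after a `true` return `result` may be any 64-bit value taken from the message. I would add above the declaration `// Decodes one HPACK integer (RFC 7541 5.1); returns false on failure, result is then not meaningful.` and `// result comes from network data and can be up to 2^64-1: range-check before use as a length or index.`. The constructor comment should also say that `events` and `infractions` must be non-null and outlive the decoder, since `translate` dereferences both unconditionally.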
+++ b/src/service_inspectors/http2_inspect/http2_tables.cc @@ -30,6 +30,8 @@ using namespace Http2Enums; const snort::RuleMap Http2Module::http2_events[] = { + { EVENT_INT_DECODE_FAILURE, "Failed to decode integer value" }, + { EVENT_INT_LEADING_ZEROS, "Integer value has leading zeros" }, { 0, nullptr } }; diff --git a/src/service_inspectors/http2_inspect/test/CMakeLists.txt b/src/service_inspectors/http2_inspect/test/CMakeLists.txt index 017e0287e..6402e3e66 100644 --- a/src/service_inspectors/http2_inspect/test/CMakeLists.txt +++ b/src/service_inspectors/http2_inspect/test/CMakeLists.txt @@ -14,4 +14,7 @@ add_cpputest( http2_stream_splitter_impl_test ../http2_tables.cc ../../../framework/module.cc ) - +add_cpputest( http2_hpack_decode_test + SOURCES + ../http2_hpack_decode.cc +) diff --git a/src/service_inspectors/http2_inspect/test/http2_hpack_decode_test.cc b/src/service_inspectors/http2_inspect/test/http2_hpack_decode_test.cc new file mode 100644 index 000000000..facce5ec3 --- /dev/null +++ b/src/service_inspectors/http2_inspect/test/http2_hpack_decode_test.cc 
@@ -0,0 +1,348 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2019-2019 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- + +// http2_hpack_decode_test.cc author Maya Dagon + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "../http2_enum.h" +#include "../http2_hpack_decode.h" + +#include +#include +#include + +namespace snort +{ +// Stubs whose sole purpose is to make the test code link +int DetectionEngine::queue_event(unsigned int, unsigned int, Actions::Type) { return 0; } +} + +using namespace Http2Enums; + + +// +// The following tests should result in a successful decode, no infractions/events +// +TEST_GROUP(http2_hpack_decode_success) +{ + Http2EventGen events; + Http2Infractions inf; + Http2HpackIntDecode* const decode = new Http2HpackIntDecode(5, &events, &inf); + + void teardown() override + { + CHECK(inf.none_found() == true); + CHECK(events.none_found() == true); + delete decode; + } +}; + +TEST(http2_hpack_decode_success, 10_using_5_bits) +{ + // prepare field to decode - example from RFC 7541 c.1.1 + uint8_t buf = 10; + Field f(1, &buf, 
false); + // decode + int32_t bytes_processed = 0; + uint64_t res = 0; + bool success = decode->translate(f, bytes_processed, res); + // check results + CHECK(success == true); + CHECK(res == 10); + CHECK(bytes_processed == 1); +} + +TEST(http2_hpack_decode_success, 10_using_5_bits_wtail) +{ + // prepare field to decode - same as above with an extra byte as leftover + uint8_t buf[2] = { 10, 0xff }; + Field f(2, buf, false); + // decode + int32_t bytes_processed = 0; + uint64_t res = 0; + bool success = decode->translate(f, bytes_processed, res); + // check results + CHECK(success == true); + CHECK(res == 10); + CHECK(bytes_processed == 1); +} + +TEST(http2_hpack_decode_success, 1337_using_5_bits) +{ + // prepare field to decode - example from RFC 7541 c.1.2 + uint8_t buf[3] = { 31, 0x9a, 10 }; + Field f(3, buf, false); + // decode + int32_t bytes_processed = 0; + uint64_t res = 0; + bool success = decode->translate(f, bytes_processed, res); + // check results + CHECK(success == true); + CHECK(res == 1337); + CHECK(bytes_processed == 3); +} + +TEST(http2_hpack_decode_success, 42_using_8_bits) +{ + // prepare decode object + Http2HpackIntDecode decode_8(8, &events, &inf); + // prepare field to decode - example from RFC 7541 c.1.3 + uint8_t buf = 42; + Field f(1, &buf, false); + // decode + int32_t bytes_processed = 0; + uint64_t res = 0; + bool success = decode_8.translate(f, bytes_processed, res); + // check results + CHECK(success == true); + CHECK(res == 42); + CHECK(bytes_processed == 1); +} + +TEST(http2_hpack_decode_success, max_val_using_5_bit) +{ + // prepare field to decode - 2^64-1 + uint8_t buf[11] = { 31, 0xE0, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 1}; + Field f(11, buf, false); + // decode + int32_t bytes_processed = 0; + uint64_t res = 0; + bool success = decode->translate(f, bytes_processed, res); + // check results + CHECK(success == true); + CHECK(res == 0xFFFFFFFFFFFFFFFF); + CHECK(bytes_processed == 11); +} + 
+TEST(http2_hpack_decode_success, 31_using_5_bits) +{ + // prepare field to decode - 2^N -1 + uint8_t buf[2] = {31, 0}; + Field f(2, buf, false); + // decode + int32_t bytes_processed = 0; + uint64_t res = 0; + bool success = decode->translate(f, bytes_processed, res); + // check results + CHECK(success == true); + CHECK(res == 31); + CHECK(bytes_processed == 2); +} + +TEST(http2_hpack_decode_success, 0_using_5_bits) +{ + // prepare field to decode - 0 using 5 bits + uint8_t buf = 0; + Field f(1, &buf, false); + // decode + int32_t bytes_processed = 0; + uint64_t res = 0; + bool success = decode->translate(f, bytes_processed, res); + // check results + CHECK(success == true); + CHECK(res == 0); + CHECK(bytes_processed == 1); +} + + +// +// The following tests should result in a failure and set infractions/events +// +TEST_GROUP(http2_hpack_decode_failure) +{ +}; + +TEST(http2_hpack_decode_failure, 0_len_field) +{ + // prepare decode object + Http2EventGen local_events; + Http2Infractions local_inf; + Http2HpackIntDecode decode_8(8, &local_events, &local_inf); + // prepare field to decode - use field length 0 + uint8_t buf = 42; + Field f(0, &buf, false); + // decode + int32_t bytes_processed = 0; + uint64_t res = 0; + bool success = decode_8.translate(f, bytes_processed, res); + // check results + CHECK(success == false); + CHECK(bytes_processed == 0); + CHECK(local_inf.get_raw() == (1< 63 + uint8_t buf[13] = { 31, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x81, 1 }; + Field f(13, buf, false); + // decode + int32_t bytes_processed = 0; + uint64_t res = 0; + bool success = local_decode.translate(f, bytes_processed, res); + // check results + CHECK(success == false); + CHECK(bytes_processed == 11); + CHECK(local_inf.get_raw() == (1< #include "http_enum.h" -#include "http_event_gen.h" -#include "http_infractions.h" +#include "http_event.h" //------------------------------------------------------------------------- // HttpCutter class and subclasses 
diff --git a/src/service_inspectors/http_inspect/http_event_gen.h b/src/service_inspectors/http_inspect/http_event.h similarity index 64% rename from src/service_inspectors/http_inspect/http_event_gen.h rename to src/service_inspectors/http_inspect/http_event.h index 60bb96201..f5c33c718 100644 --- a/src/service_inspectors/http_inspect/http_event_gen.h +++ b/src/service_inspectors/http_inspect/http_event.h @@ -15,41 +15,28 @@ // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- -// http_event_gen.h author Tom Peters +// http_event.h author Tom Peters -#ifndef HTTP_EVENT_GEN_H -#define HTTP_EVENT_GEN_H +#ifndef HTTP_EVENT_H +#define HTTP_EVENT_H #include -#include -#include "detection/detection_engine.h" #include "events/event_queue.h" +#include "utils/event_gen.h" +#include "utils/infractions.h" #include "utils/util_cstring.h" #include "http_enum.h" //------------------------------------------------------------------------- -// Event generator class +// HTTP Event generator class //------------------------------------------------------------------------- -class HttpEventGen +class HttpEventGen : public EventGen { public: - virtual ~HttpEventGen() = default; - - virtual void create_event(int sid) - { - if (sid == HttpEnums::EVENT__NONE) - return; - assert((sid > 0) && (sid <= MAX)); - if (!events_generated[sid-1]) - { - snort::DetectionEngine::queue_event(HttpEnums::HTTP_GID, (uint32_t)sid); - events_generated[sid-1] = true; - } - } - void generate_misformatted_http(const uint8_t* buffer, uint32_t length) { if ( snort::SnortStrnStr((const char*)buffer, length, "HTTP/") != nullptr ) 
@@ -59,18 +46,23 @@ public: } // The following methods are for convenience of debug and test output only! - uint64_t get_raw() const { return - (events_generated & std::bitset(0xFFFFFFFFFFFFFFFF)).to_ulong(); } uint64_t get_raw2() const { return - ((events_generated >> BASE_1XX_EVENTS) & std::bitset(0xFFFFFFFFFFFFFFFF)).to_ulong(); } + ((events_generated >> BASE_1XX_EVENTS) & bitmask).to_ulong(); } + uint64_t get_raw3() const { return - ((events_generated >> BASE_2XX_EVENTS) & std::bitset(0xFFFFFFFFFFFFFFFF)).to_ulong(); } + ((events_generated >> BASE_2XX_EVENTS) & bitmask).to_ulong(); } + private: static const unsigned BASE_1XX_EVENTS = 100; static const unsigned BASE_2XX_EVENTS = 200; - static const int MAX = HttpEnums::EVENT__MAX_VALUE; - std::bitset events_generated = 0; }; + +//------------------------------------------------------------------------- +// Http Infractions +//------------------------------------------------------------------------- + +using HttpInfractions = Infractions; + #endif diff --git a/src/service_inspectors/http_inspect/http_flow_data.h b/src/service_inspectors/http_inspect/http_flow_data.h index dea0c1ee7..42769c327 100644 --- a/src/service_inspectors/http_inspect/http_flow_data.h +++ b/src/service_inspectors/http_inspect/http_flow_data.h @@ -29,8 +29,7 @@ #include "utils/util_utf.h" #include "decompress/file_decomp.h" -#include "http_infractions.h" -#include "http_event_gen.h" +#include "http_event.h" class HttpTransaction; class HttpJsNorm; diff --git a/src/service_inspectors/http_inspect/http_header_normalizer.h b/src/service_inspectors/http_inspect/http_header_normalizer.h index 3d9c142f6..32d6a6a13 100644 --- a/src/service_inspectors/http_inspect/http_header_normalizer.h +++ b/src/service_inspectors/http_inspect/http_header_normalizer.h 
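Review bot: `get_raw2()` and `get_raw3()` return `uint64_t` but convert with `to_ulong()`, and `std::bitset::to_ulong` throws `std::overflow_error` when the value does not fit in `unsigned long`; on a target where `unsigned long` is 32 bits, any event bit above 31 inside the 64-bit `bitmask` window would raise instead of returning. `to_ullong()` matches the declared return type: `((events_generated >> BASE_1XX_EVENTS) & bitmask).to_ullong(); }`. The new `get_raw()` in src/utils/event_gen.h has the same conversion. These accessors are commented as debug and test helpers, so the effect is confined to that output.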
@@ -21,7 +21,6 @@ #define HTTP_HEADER_NORMALIZER_H #include "http_field.h" -#include "http_infractions.h" #include "http_normalizers.h" //------------------------------------------------------------------------- diff --git a/src/service_inspectors/http_inspect/http_js_norm.h b/src/service_inspectors/http_inspect/http_js_norm.h index 7088ff2b7..cbc3098dd 100644 --- a/src/service_inspectors/http_inspect/http_js_norm.h +++ b/src/service_inspectors/http_inspect/http_js_norm.h @@ -25,8 +25,7 @@ #include "search_engines/search_tool.h" #include "http_field.h" -#include "http_event_gen.h" -#include "http_infractions.h" +#include "http_event.h" #include "http_module.h" //------------------------------------------------------------------------- diff --git a/src/service_inspectors/http_inspect/http_normalizers.h b/src/service_inspectors/http_inspect/http_normalizers.h index 80f831dd7..d241a6252 100644 --- a/src/service_inspectors/http_inspect/http_normalizers.h +++ b/src/service_inspectors/http_inspect/http_normalizers.h @@ -20,8 +20,7 @@ #ifndef HTTP_NORMALIZERS_H #define HTTP_NORMALIZERS_H -#include "http_infractions.h" -#include "http_event_gen.h" +#include "http_event.h" #include "http_field.h" #include "http_str_to_code.h" diff --git a/src/service_inspectors/http_inspect/http_transaction.cc b/src/service_inspectors/http_inspect/http_transaction.cc index 122fc0122..dff62b007 100644 --- a/src/service_inspectors/http_inspect/http_transaction.cc +++ b/src/service_inspectors/http_inspect/http_transaction.cc @@ -23,8 +23,7 @@ #include "http_transaction.h" -#include "http_event_gen.h" -#include "http_infractions.h" +#include "http_event.h" #include "http_msg_body.h" #include "http_msg_header.h" #include "http_msg_request.h" diff --git a/src/service_inspectors/http_inspect/http_transaction.h b/src/service_inspectors/http_inspect/http_transaction.h index 115581fe6..7ddc70e41 100644 --- a/src/service_inspectors/http_inspect/http_transaction.h 
+++ b/src/service_inspectors/http_inspect/http_transaction.h @@ -30,8 +30,9 @@ class HttpMsgTrailer; class HttpMsgSection; class HttpMsgBody; class HttpMsgHeadShared; -class HttpInfractions; class HttpEventGen; +template class Infractions; +using HttpInfractions = Infractions; class HttpTransaction { diff --git a/src/service_inspectors/http_inspect/http_uri.h b/src/service_inspectors/http_inspect/http_uri.h index 7bc5ec78b..2834baa40 100644 --- a/src/service_inspectors/http_inspect/http_uri.h +++ b/src/service_inspectors/http_inspect/http_uri.h @@ -24,8 +24,7 @@ #include "http_module.h" #include "http_uri_norm.h" #include "http_field.h" -#include "http_infractions.h" -#include "http_event_gen.h" +#include "http_event.h" //------------------------------------------------------------------------- // HttpUri class diff --git a/src/service_inspectors/http_inspect/http_uri_norm.h b/src/service_inspectors/http_inspect/http_uri_norm.h index f62f519cf..47a66f95e 100644 --- a/src/service_inspectors/http_inspect/http_uri_norm.h +++ b/src/service_inspectors/http_inspect/http_uri_norm.h @@ -26,8 +26,7 @@ #include "http_enum.h" #include "http_field.h" #include "http_module.h" -#include "http_infractions.h" -#include "http_event_gen.h" +#include "http_event.h" class UriNormalizer { diff --git a/src/utils/CMakeLists.txt b/src/utils/CMakeLists.txt index 806cb0c02..ebe7046f6 100644 --- a/src/utils/CMakeLists.txt +++ b/src/utils/CMakeLists.txt @@ -3,6 +3,8 @@ set( UTIL_INCLUDES bitop.h cpp_macros.h endian.h + event_gen.h + infractions.h kmap.h primed_allocator.h safec.h diff --git a/src/utils/event_gen.h b/src/utils/event_gen.h new file mode 100644 index 000000000..b86e95786 --- /dev/null +++ b/src/utils/event_gen.h 
@@ -0,0 +1,61 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// event_gen.h author Tom Peters
+
+#ifndef EVENT_GEN_H
+#define EVENT_GEN_H
+
+#include
+#include
+
+#include "detection/detection_engine.h"
+
+//-------------------------------------------------------------------------
+// Event generator class
+//-------------------------------------------------------------------------
+
+template
+class EventGen
+{
+public:
+ virtual ~EventGen() = default;
+
+ virtual void create_event(int sid)
+ {
+ if (sid == EVENT_NONE)
+ return;
+ assert((sid > 0) && (sid <= EVENT_MAX));
+ if (!events_generated[sid-1])
+ {
+ snort::DetectionEngine::queue_event(GID, (uint32_t)sid);
+ events_generated[sid-1] = true;
+ }
+ }
+
+ bool none_found() const { return events_generated == 0; }
+
+ // The following method is for convenience of debug and test output only!
+ uint64_t get_raw() const { return
+ (events_generated & bitmask).to_ulong(); }
+
+protected:
+ std::bitset events_generated = 0;
+ const std::bitset bitmask = 0xFFFFFFFFFFFFFFFF;
+};
+
+#endif
diff --git a/src/service_inspectors/http_inspect/http_infractions.h b/src/utils/infractions.h
similarity index 77%
rename from src/service_inspectors/http_inspect/http_infractions.h
rename to src/utils/infractions.h
index 5a63d7ced..4d4a63d97 100644
--- a/src/service_inspectors/http_inspect/http_infractions.h
+++ b/src/utils/infractions.h
@@ -15,37 +15,36 @@ // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- -// http_infractions.h author Tom Peters +// infractions.h author Tom Peters -#ifndef HTTP_INFRACTIONS_H -#define HTTP_INFRACTIONS_H +#ifndef INFRACTIONS_H +#define INFRACTIONS_H #include #include -#include "http_enum.h" - //------------------------------------------------------------------------- // Infractions class //------------------------------------------------------------------------- -class HttpInfractions +template +class Infractions { public: - HttpInfractions() = default; - HttpInfractions(int inf) + Infractions() = default; + Infractions(int inf) { - if (inf == HttpEnums::INF__NONE) + if (inf == NONE) return; assert((inf >= 0) && (inf < MAX)); infractions[inf] = true; } bool none_found() const { return infractions == 0; } - HttpInfractions& operator+=(const HttpInfractions& rhs) + Infractions& operator+=(const Infractions& rhs) { infractions |= rhs.infractions; return *this; } - friend HttpInfractions operator+(HttpInfractions lhs, const HttpInfractions& rhs) + friend Infractions operator+(Infractions lhs, const Infractions& rhs) { lhs += rhs; return lhs; } - friend bool operator&(const HttpInfractions& lhs, const HttpInfractions& rhs) + friend bool operator&(const Infractions& lhs, const Infractions& rhs) { return (lhs.infractions & rhs.infractions) != 0; } // The following methods are for convenience of debug and test output only! @@ -55,9 +54,7 @@ public: ((infractions >> 64) & std::bitset(0xFFFFFFFFFFFFFFFF)).to_ulong(); } private: - static const int MAX = HttpEnums::INF__MAX_VALUE; std::bitset infractions = 0; }; #endif -