From: Russ Combs (rucombs) Date: Wed, 25 Aug 2021 21:09:49 +0000 (+0000) Subject: Merge pull request #2902 in SNORT/snort3 from ~RUCOMBS/snort3:cleanup to master X-Git-Tag: 3.1.11.0~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a8dd0cd8b2299cb75ecc635797f49d589b76d959;p=thirdparty%2Fsnort3.git Merge pull request #2902 in SNORT/snort3 from ~RUCOMBS/snort3:cleanup to master Squashed commit of the following: commit 21d87e82a398504981aafc80de89f7c94ba2ea56 Author: russ Date: Wed Aug 11 16:23:14 2021 -0400 build: update help for --enable-tsc-clock to include arm Thanks to liangxwa01 for reporting the issue. commit 1bc12be15964930e688c8ee28593ba4687e6f21a Author: russ Date: Sat Jun 5 20:10:49 2021 -0400 style: remove C style (void) arglists commit e03855cbd592afe0717d68cf96157379e61277bc Author: russ Date: Sat May 29 05:43:05 2021 -0400 sip: deprecate max_requestName_len in favor of max_request_name_len commit ed31851fd733ef36f30042492bc692ae8a73943e Author: Russ Combs Date: Fri May 21 11:51:00 2021 -0400 dns, ssh: remove obsolete stream insert checks commit 18b15b46f42fe83d3ba0bc5da332f951681e8d6d Author: Russ Combs Date: Fri May 21 11:45:17 2021 -0400 style: remove or update crufty preprocessor comments commit 9dfff0600fac18652f3be6a5ee7025b79e04ce92 Author: Russ Combs Date: Wed May 12 15:51:13 2021 -0400 README: mention vars in default config commit c6baa917361b3651e30d7ec63f37c696ef29512c Author: Russ Combs Date: Wed May 12 15:50:17 2021 -0400 lua: update comments in the default config commit ad0ae3d85affd820f4534704bca732e2129752ca Author: Russ Combs Date: Wed May 12 15:24:27 2021 -0400 style: remove crufty comments --- diff --git a/README.md b/README.md index 34126e39d..c7b3280f7 100644 --- a/README.md +++ b/README.md 
@@ -37,10 +37,10 @@ Here are some key features of Snort++: * Autogenerate reference documentation * Provide better cross platform support * Facilitate component testing +* Use a shared network map Additional features on the roadmap include: -* Use a shared network map * Support pipelining of packet processing * Support hardware offload and data plane integration * Support proxy mode @@ -124,7 +124,9 @@ Follow these steps: # RUN SNORT -Here are some examples. +Here are some examples. If you are using Talos rules and/or configs, you +should first set any needed variables at the top of snort.lua and +snort_defaults.lua. * Snort++ provides lots of help from the command line, including: @@ -205,8 +207,7 @@ It also covers new features not demonstrated here: # SQUEAL `o")~` -We hope you are as excited about Snort++ as we are. Although a lot of work -remains, we wanted to give you a chance to try it out and let us know what -you think on the snort-users list. In the meantime, we'll keep our snout -to the grindstone. +We hope you are as excited about Snort++ as we are. Let us know what you +think on the snort-users list. In the meantime, we'll keep our snout to +the grindstone. diff --git a/cmake/create_options.cmake b/cmake/create_options.cmake index 9c563d99a..d1f7e9f47 100644 --- a/cmake/create_options.cmake +++ b/cmake/create_options.cmake @@ -22,7 +22,7 @@ option ( ENABLE_PIGLET "enable piglet test harness" OFF ) option ( ENABLE_COREFILES "Prevent Snort from generating core files" ON ) option ( ENABLE_LARGE_PCAP "Enable support for pcaps larger than 2 GB" OFF ) option ( ENABLE_STDLOG "Use file descriptor 3 instead of stdout for alerts" OFF ) -option ( ENABLE_TSC_CLOCK "Use timestamp counter register clock (x86 only)" OFF ) +option ( ENABLE_TSC_CLOCK "Use timestamp counter register clock (x86 and arm only)" OFF ) # documentation option ( MAKE_HTML_DOC "Create the HTML documentation" ON ) 
diff --git a/configure_cmake.sh b/configure_cmake.sh index 4774712be..b5c6dc392 100755 --- a/configure_cmake.sh +++ b/configure_cmake.sh @@ -45,7 +45,7 @@ Optional Features: --enable-shell enable command line shell support --enable-large-pcap enable support for pcaps larger than 2 GB --enable-stdlog use file descriptor 3 instead of stdout for alerts - --enable-tsc-clock use timestamp counter register clock (x86 only) + --enable-tsc-clock use timestamp counter register clock (x86 and arm only) --enable-debug-msgs enable debug printing options (bugreports and developers only) --enable-debug enable debugging options (bugreports and developers diff --git a/lua/snort.lua b/lua/snort.lua index e0b5a3d3d..10028f4f3 100644 --- a/lua/snort.lua +++ b/lua/snort.lua @@ -98,6 +98,8 @@ appid = reputation = { -- configure one or both of these, then uncomment reputation + -- (see also related path vars at the top of snort_defaults.lua) + --blacklist = 'blacklist file name with ip lists' --whitelist = 'whitelist file name with ip lists' } @@ -173,7 +175,7 @@ ips = -- use include for rules files; be sure to set your path -- note that rules files can include other rules files - --include = 'snort3-community.rules', + -- (see also related path vars at the top of snort_defaults.lua) variables = default_variables } diff --git a/lua/snort_defaults.lua b/lua/snort_defaults.lua index 39f503894..36f42256f 100644 --- a/lua/snort_defaults.lua +++ b/lua/snort_defaults.lua 
@@ -1,27 +1,24 @@ --------------------------------------------------------------------------- -- Snort++ defaults --- --- include in your snort.lua with a dofile statement +--------------------------------------------------------------------------- + +-- this file defines the external defaults for Snort. all simple scalar +-- types have a builtin default, including those in list items, however +-- lists defaults are provided here instead of compiling them into the +-- binary. this makes it easier to copy and paste or edit for your +-- environment. + +-- include in your snort.lua -- after you set HOME_NET and EXTERNAL_NET --- + -- use these by assignment, eg -- ftp_server = default_ftp_server ---------------------------------------------------------------------------- --------------------------------------------------------------------------- --- Set paths, ports, and nets: --- --- variables with 'PATH' in the name are vars --- variables with 'PORT' in the name are portvars --- variables with 'NET' in the name are ipvars --- variables with 'SERVER' in the name are ipvars +-- default paths - used in Talos configs --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --- default paths ---------------------------------------------------------------------------- -- Path to your rules files (this can be a relative path) - RULE_PATH = '../rules' BUILTIN_RULE_PATH = '../builtin_rules' PLUGIN_RULE_PATH = '../so_rules' 
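Review bot: The new header comment in the first snort_defaults.lua hunk has a grammar slip on its third line, `-- lists defaults are provided here instead of compiling them into the`; it should read `-- list defaults are provided here instead of compiling them into the`. The same hunk drops the old explanation of how variable names map to categories (PATH vars, PORT portvars, NET/SERVER ipvars) without a replacement, while the later default_variables table still groups them as nets/paths/ports. If that naming convention is still what Talos configs rely on, a one-line reminder under the new "default paths" header would keep it discoverable.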
@@ -31,41 +28,30 @@ WHITE_LIST_PATH = '../lists' BLACK_LIST_PATH = '../lists' --------------------------------------------------------------------------- --- default networks +-- default networks - used in Talos rules --------------------------------------------------------------------------- +-- define servers on your network you want to protect --- List of DNS servers on your network DNS_SERVERS = HOME_NET - --- List of ftp servers on your network FTP_SERVERS = HOME_NET - --- List of web servers on your network HTTP_SERVERS = HOME_NET - --- List of sip servers on your network SIP_SERVERS = HOME_NET - --- List of SMTP servers on your network SMTP_SERVERS = HOME_NET - --- List of sql servers on your network SQL_SERVERS = HOME_NET - --- List of ssh servers on your network SSH_SERVERS = HOME_NET - --- List of telnet servers on your network TELNET_SERVERS = HOME_NET --------------------------------------------------------------------------- -- default ports - used in Talos rules --------------------------------------------------------------------------- +-- define ports on your network you want to protect +-- where possible, use the wizard for inspection instead of explicit port +-- bindings. this gives you some port independence and allows you find c&c +-- channels hard port bindings would miss. Talos rules will still use these +-- ports if there is no match on service. --- List of ports you run ftp servers on FTP_PORTS = ' 21 2100 3535' --- List of ports you run web servers on HTTP_PORTS = [[ 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 
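Review bot: The added wizard guidance in the "default ports" hunk is missing a word on its second line, `-- bindings. this gives you some port independence and allows you find c&c`; it should read `-- bindings. this gives you some port independence and allows you to find c&c`. The advice itself is the right defender stance (service-based inspection over hard port bindings), so it is worth keeping it readable.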
@@ -75,27 +61,24 @@ HTTP_PORTS = 50002 55555 ]] --- List of ports you run mail servers on MAIL_PORTS = ' 110 143' --- List of ports you might see oracle attacks on ORACLE_PORTS = ' 1024:' --- List of ports you run SIP servers on SIP_PORTS = ' 5060 5061 5600' --- List of ports you want to look for SSH connections on SSH_PORTS = ' 22' --- List of ports for file inspection FILE_DATA_PORTS = HTTP_PORTS .. MAIL_PORTS --------------------------------------------------------------------------- -- default variables --------------------------------------------------------------------------- -default_variables = { - nets = { +default_variables = +{ + nets = + { HOME_NET = HOME_NET, EXTERNAL_NET = EXTERNAL_NET, DNS_SERVERS = DNS_SERVERS, @@ -107,14 +90,16 @@ default_variables = { SSH_SERVERS = SSH_SERVERS, TELNET_SERVERS = TELNET_SERVERS, }, - paths = { + paths = + { RULE_PATH = RULE_PATH, BUILTIN_RULE_PATH = BUILTIN_RULE_PATH, PLUGIN_RULE_PATH = PLUGIN_RULE_PATH, WHITE_LIST_PATH = WHITE_LIST_PATH, BLACK_LIST_PATH = BLACK_LIST_PATH, }, - ports = { + ports = + { FTP_PORTS = FTP_PORTS, HTTP_PORTS = HTTP_PORTS, MAIL_PORTS = MAIL_PORTS, diff --git a/src/detection/detection_engine.cc b/src/detection/detection_engine.cc index 46154430b..1598582fb 100644 --- a/src/detection/detection_engine.cc +++ b/src/detection/detection_engine.cc @@ -714,8 +714,8 @@ static int log_events(void* event, void* user) /* ** We return whether we logged events or not. We've add a eventq user ** structure so we can track whether the events logged were rule events -** or preprocessor/decoder events. The reason being that we don't want -** to flush a TCP stream for preprocessor/decoder events, and cause +** or builtin events. The reason being that we don't want +** to flush a TCP stream for builtin events, and cause ** early flushing of the stream. */ int DetectionEngine::log_events(Packet* p) diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc index 3b82f9c84..fc24bbbb0 100644 
--- a/src/detection/fp_detect.cc +++ b/src/detection/fp_detect.cc @@ -241,7 +241,7 @@ int fpLogEvent(const RuleTreeNode* rtn, const OptTreeNode* otn, Packet* p) } /* If this packet has been passed based on detection rules, - * check the decoder/preprocessor events (they have been added to Event queue already). + * check the builtin events (they have been added to Event queue already). * If its order is lower than 'pass', it should have been passed. * This is consistent with other detection rules */ const SnortConfig* sc = p->context->conf; diff --git a/src/events/event_queue.cc b/src/events/event_queue.cc index 595066b5b..eaa2d90b7 100644 --- a/src/events/event_queue.cc +++ b/src/events/event_queue.cc @@ -29,16 +29,16 @@ ** ** Notes: ** 11/1/05 Updates to add support for rules for all events in -** decoders and preprocessors and the detection engine. +** decoders and inspectors and the detection engine. ** Added support for rule by rule flushing control via ** metadata. Also added code to check for an otn for every ** event (gid,sid pair). This is now required to get events -** to be logged. The decoders and preprocessors are still +** to be logged. The decoders and inspectors are still ** configured independently, which allows them to inspect and ** call the alerting functions DetectionEngine::queue_event. ** ** Any event that has no otn associated with it's gid,sid pair -** will/should not alert, even if the preprocessor or decoder is +** will/should not alert, even if the inspector or decoder is ** configured to detect an alertable event. ** ** In the future, preporcessor may have an api that gets called diff --git a/src/filters/sfrf.cc b/src/filters/sfrf.cc index 11f98c75f..8d6dbbe69 100644 --- a/src/filters/sfrf.cc +++ b/src/filters/sfrf.cc 
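Review bot: The event_queue.cc hunk replaces "preprocessors" with "inspectors" on three lines but leaves the last context line of the same comment, `** In the future, preporcessor may have an api that gets called`, with both the old term and a misspelling, so the header now mixes vocabulary. Extending the hunk by one line to `** In the future, inspectors may have an api that gets called` would finish the rename; the same paragraph also has `it's gid,sid pair` where `its` is meant. The comment block continues outside the hunk.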
@@ -467,7 +467,7 @@ int SFRF_TestThreshold( if ( gid >= SFRF_MAX_GENID ) return status; /* bogus gid */ - // Some events (like 'TCP connection closed' raised by preprocessor may + // Some events (like 'TCP connection closed' raised by inspector may // not have any configured threshold but may impact thresholds for other // events (like 'TCP connection opened' _updateDependentThresholds(config, gid, sid, sip, dip, curTime); diff --git a/src/flow/expect_cache.cc b/src/flow/expect_cache.cc index 1f185780d..6324dce0f 100644 --- a/src/flow/expect_cache.cc +++ b/src/flow/expect_cache.cc @@ -299,9 +299,9 @@ ExpectCache::~ExpectCache() /**Either expect or expect future session. * - * Preprocessors may add sessions to be expected altogether or to be associated - * with some data. For example, FTP preprocessor may add data channel that - * should be expected. Alternatively, FTP preprocessor may add session with + * Inspectors may add sessions to be expected altogether or to be associated + * with some data. For example, FTP inspector may add data channel that + * should be expected. Alternatively, FTP inspector may add session with * snort protocol ID FTP-DATA. * * It is assumed that only one of cliPort or srvPort should be known (!0). This @@ -310,7 +310,7 @@ ExpectCache::~ExpectCache() * therefore acceptable design optimization. * * Also, snort_protocol_id is assumed to be consistent between different - * preprocessors. Each session can be assigned only one snort protocol ID. + * inspectors. Each session can be assigned only one snort protocol ID. * When new snort_protocol_id mismatches existing snort_protocol_id, new * snort_protocol_id and associated data is not stored. * diff --git a/src/ips_options/ips_byte_jump.cc b/src/ips_options/ips_byte_jump.cc index 19a69ce2c..fc02f806a 100644 --- a/src/ips_options/ips_byte_jump.cc +++ b/src/ips_options/ips_byte_jump.cc 
@@ -36,7 +36,7 @@ * and skip forward that number of bytes * ["big"]: process data as big endian (default) * ["little"]: process data as little endian - * ["dce"]: let the DCE/RPC 2 preprocessor determine the byte order of the + * ["dce"]: let the DCE/RPC 2 inspector determine the byte order of the * value to be converted * ["string"]: converted bytes represented as a string needing conversion * ["hex"]: converted string data is represented in hexadecimal diff --git a/src/log/messages.cc b/src/log/messages.cc index ce48e9cc3..56be484b0 100644 --- a/src/log/messages.cc +++ b/src/log/messages.cc @@ -188,16 +188,7 @@ static void WriteLogMessage(FILE* fh, bool prefer_fh, const char* format, va_lis syslog(LOG_DAEMON | LOG_NOTICE, "%s", buf); } -/* - * Function: LogMessage(const char *, ...) - * - * Purpose: Print a message to stdout or with logfacility. - * - * Arguments: format => the formatted error string to print out - * ... => format commands/fillers - * - * Returns: void function - */ +// print an info message to stdout or syslog void LogMessage(const char* format,...) { if ( SnortConfig::log_quiet() ) @@ -224,16 +215,7 @@ void LogMessage(FILE* fh, const char* format,...) va_end(ap); } -/* - * Function: WarningMessage(const char *, ...) - * - * Purpose: Print a message to stderr or with logfacility. - * - * Arguments: format => the formatted error string to print out - * ... => format commands/fillers - * - * Returns: void function - */ +// print a warning message to stderr or syslog void WarningMessage(const char* format,...) { va_list ap; @@ -255,16 +237,7 @@ void WarningMessage(const char* format,...) va_end(ap); } -/* - * Function: ErrorMessage(const char *, ...) - * - * Purpose: Print a message to stderr. - * - * Arguments: format => the formatted error string to print out - * ... => format commands/fillers - * - * Returns: void function - */ +// print a warning message to stderr or syslog void ErrorMessage(const char* format,...) { va_list ap; 
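Review bot: The one-line comment added above ErrorMessage in the third messages.cc hunk, `// print a warning message to stderr or syslog`, is a copy of the WarningMessage comment and mislabels the function; it should read `// print an error message to stderr`. The removed block only claimed stderr for ErrorMessage (the WarningMessage block was the one that mentioned the log facility), so add "or syslog" only if the body, which continues outside the hunk, actually routes through syslog. Keeping these three summaries accurate matters because callers choose between LogMessage/WarningMessage/ErrorMessage by the destination they document.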
@@ -285,17 +258,8 @@ void ErrorMessage(const char* format,...) va_end(ap); } -/* - * Function: FatalError(const char *, ...) - * - * Purpose: When a fatal error occurs, this function prints the error message - * and cleanly shuts down the program - * - * Arguments: format => the formatted error string to print out - * ... => format commands/fillers - * - * Returns: void function - */ +// when a fatal error occurs, this function prints the error message +// and cleanly shuts down the program [[noreturn]] void FatalError(const char* format,...) { char buf[STD_BUF+1]; diff --git a/src/managers/action_manager.h b/src/managers/action_manager.h index 990d2bbcd..0c297fedb 100644 --- a/src/managers/action_manager.h +++ b/src/managers/action_manager.h @@ -73,7 +73,7 @@ public: static std::string get_action_string(Actions::Type); static Actions::Type get_action_type(const char*); - static Actions::Type get_max_action_types(void); + static Actions::Type get_max_action_types(); static std::string get_action_priorities(bool); static void thread_init(const snort::SnortConfig*); diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index ef39c7981..41ee0b4ce 100644 --- a/src/network_inspectors/appid/appid_session.cc +++ b/src/network_inspectors/appid/appid_session.cc @@ -323,7 +323,7 @@ void AppIdSession::sync_with_snort_protocol_id(AppId newAppId, Packet* p) if (newAppId <= APP_ID_NONE or newAppId >= SF_APPID_MAX) return; - // Certain AppIds are not useful to identifying snort preprocessor choices + // Certain AppIds are not useful to identifying snort inspector choices switch (newAppId) { case APP_ID_FTPS: diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc index a5c02837e..3b3158ea3 100644 --- a/src/network_inspectors/appid/tp_appid_utils.cc +++ b/src/network_inspectors/appid/tp_appid_utils.cc 
@@ -626,8 +626,8 @@ bool do_tp_discovery(ThirdPartyAppIdContext& tp_appid_ctxt, AppIdSession& asd, I (Stream::get_snort_protocol_id(p->flow) == asd.config.snort_proto_ids[PROTO_INDEX_FTP_DATA])) { - // If we see SSL on an FTP data channel set tpAppId back - // to APP_ID_NONE so the FTP preprocessor picks up the flow. + // If we see SSL on an FTP data channel set tpAppId back + // to APP_ID_NONE so the FTP inspector picks up the flow. tp_app_id = APP_ID_NONE; } diff --git a/src/network_inspectors/arp_spoof/arp_spoof.cc b/src/network_inspectors/arp_spoof/arp_spoof.cc index 51e6210ae..8333d3765 100644 --- a/src/network_inspectors/arp_spoof/arp_spoof.cc +++ b/src/network_inspectors/arp_spoof/arp_spoof.cc @@ -18,13 +18,13 @@ // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- -/* Snort ARPspoof Preprocessor Plugin +/* Snort ARPspoof Plugin * by Jeff Nathan * Version 0.1.4 * * Purpose: * - * This preprocessor looks for anomalies in ARP traffic and attempts to + * This inspector looks for anomalies in ARP traffic and attempts to * maliciously overwrite ARP cache information on hosts. * * Arguments: diff --git a/src/service_inspectors/cip/cip_definitions.h b/src/service_inspectors/cip/cip_definitions.h index eebae3d3f..582045a2b 100644 --- a/src/service_inspectors/cip/cip_definitions.h +++ b/src/service_inspectors/cip/cip_definitions.h @@ -18,7 +18,7 @@ // cip_definitions.h author RA/Cisco -/* Description: Common types for the CIP preprocessor. */ +/* Description: Common types for the CIP inspector. */ #ifndef CIP_DEFINITIONS_H #define CIP_DEFINITIONS_H @@ -33,7 +33,7 @@ struct Packet; #define MSEC_PER_SEC (1000) #define USEC_PER_SEC (1000000) -// CIP preprocessor configuration +// CIP inspector configuration struct CipProtoConf { // Unconnected timeout, seconds. diff --git a/src/service_inspectors/cip/cip_paf.cc b/src/service_inspectors/cip/cip_paf.cc index 24bafb369..5f28fd122 100644 
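Review bot: The reworded purpose line in the arp_spoof.cc header, `* This inspector looks for anomalies in ARP traffic and attempts to`, runs into the unchanged next line `* maliciously overwrite ARP cache information on hosts.`, so the sentence now says the inspector performs the cache poisoning. Presumably the intent is detection, e.g. `* This inspector looks for anomalies in ARP traffic and attempts to` followed by `* detect efforts to maliciously overwrite ARP cache information on hosts.`; the second line is context and would need to be pulled into the hunk. The header comment continues outside the hunk.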
--- a/src/service_inspectors/cip/cip_paf.cc +++ b/src/service_inspectors/cip/cip_paf.cc @@ -18,7 +18,7 @@ // cip_paf.cc author RA/Cisco -/* Description: Protocol-Aware Flushing (PAF) code for the CIP preprocessor.*/ +/* Description: Protocol-Aware Flushing (PAF) code for the CIP inspector. */ #ifdef HAVE_CONFIG_H #include "config.h" diff --git a/src/service_inspectors/cip/cip_paf.h b/src/service_inspectors/cip/cip_paf.h index ef321fb95..6e6d267af 100644 --- a/src/service_inspectors/cip/cip_paf.h +++ b/src/service_inspectors/cip/cip_paf.h @@ -18,7 +18,7 @@ // cip_paf.h author RA/Cisco -/* Description: Protocol-Aware Flushing (PAF) code for the CIP preprocessor. */ +/* Description: Protocol-Aware Flushing (PAF) code for the CIP inspector. */ #ifndef CIP_PAF_H #define CIP_PAF_H diff --git a/src/service_inspectors/cip/ips_cip_attribute.cc b/src/service_inspectors/cip/ips_cip_attribute.cc index 4b8fea5fc..b17669490 100644 --- a/src/service_inspectors/cip/ips_cip_attribute.cc +++ b/src/service_inspectors/cip/ips_cip_attribute.cc @@ -18,7 +18,7 @@ // ips_cip_attribute.cc author Jian Wu -/* Description: Rule options for CIP preprocessor */ +/* Description: Rule options for CIP inspector */ #ifdef HAVE_CONFIG_H #include "config.h" diff --git a/src/service_inspectors/cip/ips_cip_class.cc b/src/service_inspectors/cip/ips_cip_class.cc index f76a265a6..0d03b6ded 100644 --- a/src/service_inspectors/cip/ips_cip_class.cc +++ b/src/service_inspectors/cip/ips_cip_class.cc @@ -18,7 +18,7 @@ // ips_cip_class.cc author Jian Wu -/* Description: Rule options for CIP preprocessor */ +/* Description: Rule options for CIP inspector */ #ifdef HAVE_CONFIG_H #include "config.h" diff --git a/src/service_inspectors/cip/ips_cip_connpathclass.cc b/src/service_inspectors/cip/ips_cip_connpathclass.cc index a3e9bd34c..2ba69b0d3 100644 --- a/src/service_inspectors/cip/ips_cip_connpathclass.cc +++ b/src/service_inspectors/cip/ips_cip_connpathclass.cc 
@@ -18,7 +18,7 @@ // ips_cip_connpathclass.cc author Jian Wu -/* Description: Rule options for CIP preprocessor */ +/* Description: Rule options for CIP inspector */ #ifdef HAVE_CONFIG_H #include "config.h" diff --git a/src/service_inspectors/cip/ips_cip_enipcommand.cc b/src/service_inspectors/cip/ips_cip_enipcommand.cc index 99f8b76c1..c576a9dfd 100644 --- a/src/service_inspectors/cip/ips_cip_enipcommand.cc +++ b/src/service_inspectors/cip/ips_cip_enipcommand.cc @@ -18,7 +18,7 @@ // ips_cip_enipcommand.cc author Jian Wu -/* Description: Rule options for CIP preprocessor */ +/* Description: Rule options for CIP inspector */ #ifdef HAVE_CONFIG_H #include "config.h" diff --git a/src/service_inspectors/cip/ips_cip_enipreq.cc b/src/service_inspectors/cip/ips_cip_enipreq.cc index 777fe6cc8..e433081c5 100644 --- a/src/service_inspectors/cip/ips_cip_enipreq.cc +++ b/src/service_inspectors/cip/ips_cip_enipreq.cc @@ -18,7 +18,7 @@ // ips_cip_enipreq.cc author Jian Wu -/* Description: Rule options for CIP preprocessor */ +/* Description: Rule options for CIP inspector */ #ifdef HAVE_CONFIG_H #include "config.h" diff --git a/src/service_inspectors/cip/ips_cip_eniprsp.cc b/src/service_inspectors/cip/ips_cip_eniprsp.cc index 8d94916df..7c209ac73 100644 --- a/src/service_inspectors/cip/ips_cip_eniprsp.cc +++ b/src/service_inspectors/cip/ips_cip_eniprsp.cc @@ -18,7 +18,7 @@ // ips_cip_eniprsp.cc author Jian Wu -/* Description: Rule options for CIP preprocessor */ +/* Description: Rule options for CIP inspector */ #ifdef HAVE_CONFIG_H #include "config.h" diff --git a/src/service_inspectors/cip/ips_cip_instance.cc b/src/service_inspectors/cip/ips_cip_instance.cc index cdad051ed..2e31a4d87 100644 --- a/src/service_inspectors/cip/ips_cip_instance.cc +++ b/src/service_inspectors/cip/ips_cip_instance.cc 
@@ -18,7 +18,7 @@ // ips_cip_instance.cc author Jian Wu -/* Description: Rule options for CIP preprocessor */ +/* Description: Rule options for CIP inspector */ #ifdef HAVE_CONFIG_H #include "config.h" diff --git a/src/service_inspectors/cip/ips_cip_req.cc b/src/service_inspectors/cip/ips_cip_req.cc index 4bc17e642..ff187e105 100644 --- a/src/service_inspectors/cip/ips_cip_req.cc +++ b/src/service_inspectors/cip/ips_cip_req.cc @@ -18,7 +18,7 @@ // ips_cip_req.cc author Jian Wu -/* Description: Rule options for CIP preprocessor */ +/* Description: Rule options for CIP inspector */ #ifdef HAVE_CONFIG_H #include "config.h" diff --git a/src/service_inspectors/cip/ips_cip_rsp.cc b/src/service_inspectors/cip/ips_cip_rsp.cc index 9853a82cd..8f67bc263 100644 --- a/src/service_inspectors/cip/ips_cip_rsp.cc +++ b/src/service_inspectors/cip/ips_cip_rsp.cc @@ -18,7 +18,7 @@ // ips_cip_rsp.cc author Jian Wu -/* Description: Rule options for CIP preprocessor */ +/* Description: Rule options for CIP inspector */ #ifdef HAVE_CONFIG_H #include "config.h" diff --git a/src/service_inspectors/cip/ips_cip_service.cc b/src/service_inspectors/cip/ips_cip_service.cc index 2d1a56f32..7b5e373ea 100644 --- a/src/service_inspectors/cip/ips_cip_service.cc +++ b/src/service_inspectors/cip/ips_cip_service.cc @@ -18,7 +18,7 @@ // ips_cip_service.cc author Jian Wu -/* Description: Rule options for CIP preprocessor */ +/* Description: Rule options for CIP inspector */ #ifdef HAVE_CONFIG_H #include "config.h" diff --git a/src/service_inspectors/cip/ips_cip_status.cc b/src/service_inspectors/cip/ips_cip_status.cc index ca021ef33..495f66586 100644 --- a/src/service_inspectors/cip/ips_cip_status.cc +++ b/src/service_inspectors/cip/ips_cip_status.cc @@ -18,7 +18,7 @@ // ips_cip_status.cc author Jian Wu -/* Description: Rule options for CIP preprocessor */ +/* Description: Rule options for CIP inspector */ #ifdef HAVE_CONFIG_H #include "config.h" 
diff --git a/src/service_inspectors/dce_rpc/dce_list.cc b/src/service_inspectors/dce_rpc/dce_list.cc index 15598c3e5..ff2a80134 100644 --- a/src/service_inspectors/dce_rpc/dce_list.cc +++ b/src/service_inspectors/dce_rpc/dce_list.cc @@ -19,7 +19,7 @@ /**************************************************************************** * Provides list, queue and stack data structures and methods for use - * with the preprocessor. + * with the inspector. * * 8/17/2008 - Initial implementation ... Todd Wease * diff --git a/src/service_inspectors/dce_rpc/dce_list.h b/src/service_inspectors/dce_rpc/dce_list.h index f3d332601..dcfc08bc5 100644 --- a/src/service_inspectors/dce_rpc/dce_list.h +++ b/src/service_inspectors/dce_rpc/dce_list.h @@ -19,7 +19,7 @@ /**************************************************************************** * Provides list, queue and stack data structures and methods for use -* with the preprocessor. +* with the inspector. * * 8/17/2008 - Initial implementation ... Todd Wease * diff --git a/src/service_inspectors/dce_rpc/dce_smb2.cc b/src/service_inspectors/dce_rpc/dce_smb2.cc index ebcde3a08..e8f9527ff 100644 --- a/src/service_inspectors/dce_rpc/dce_smb2.cc +++ b/src/service_inspectors/dce_rpc/dce_smb2.cc @@ -109,7 +109,7 @@ Dce2Smb2SessionData::Dce2Smb2SessionData(const Packet* p, memory::MemoryCap::update_allocations(sizeof(*this)); } -Dce2Smb2SessionData::~Dce2Smb2SessionData(void) +Dce2Smb2SessionData::~Dce2Smb2SessionData() { session_data_mutex.lock(); for (auto it_session : connected_sessions) diff --git a/src/service_inspectors/dce_rpc/dce_smb2_file.cc b/src/service_inspectors/dce_rpc/dce_smb2_file.cc index 167dff739..9e1344773 100644 --- a/src/service_inspectors/dce_rpc/dce_smb2_file.cc +++ b/src/service_inspectors/dce_rpc/dce_smb2_file.cc 
@@ -240,7 +240,7 @@ bool Dce2Smb2FileTracker::process_data(const uint32_t current_flow_key, const ui
 return true;
 }
 
-Dce2Smb2FileTracker::~Dce2Smb2FileTracker(void)
+Dce2Smb2FileTracker::~Dce2Smb2FileTracker()
 {
 if (smb_module_is_up and (is_packet_thread()))
 {
diff --git a/src/service_inspectors/dce_rpc/dce_smb2_session.cc b/src/service_inspectors/dce_rpc/dce_smb2_session.cc
index f4ad56c70..aa67f7432 100644
--- a/src/service_inspectors/dce_rpc/dce_smb2_session.cc
+++ b/src/service_inspectors/dce_rpc/dce_smb2_session.cc
@@ -189,7 +189,7 @@ void Dce2Smb2SessionTracker::unlink()
 }
 
 // Session Tracker is created and destroyed only from session cache
-Dce2Smb2SessionTracker::~Dce2Smb2SessionTracker(void)
+Dce2Smb2SessionTracker::~Dce2Smb2SessionTracker()
 {
 if (smb_module_is_up and (snort::is_packet_thread()))
 {
diff --git a/src/service_inspectors/dce_rpc/dce_smb2_tree.cc b/src/service_inspectors/dce_rpc/dce_smb2_tree.cc
index 1c593071b..5dc9e10aa 100644
--- a/src/service_inspectors/dce_rpc/dce_smb2_tree.cc
+++ b/src/service_inspectors/dce_rpc/dce_smb2_tree.cc
@@ -526,7 +526,7 @@ void Dce2Smb2TreeTracker::process(uint16_t command, uint8_t command_type,
 remove_request(message_id, current_flow_key);
 }
 
-Dce2Smb2TreeTracker::~Dce2Smb2TreeTracker(void)
+Dce2Smb2TreeTracker::~Dce2Smb2TreeTracker()
 {
 if (smb_module_is_up and (is_packet_thread()))
 {
diff --git a/src/service_inspectors/dce_rpc/dce_udp_processing.cc b/src/service_inspectors/dce_rpc/dce_udp_processing.cc
index 2a956b4e8..a99565240 100644
--- a/src/service_inspectors/dce_rpc/dce_udp_processing.cc
+++ b/src/service_inspectors/dce_rpc/dce_udp_processing.cc
@@ -24,7 +24,7 @@
 // functionality for tracking sub-sessions or activities within a
 // connectionless conversation and for tracking and reassembling fragments
 // within each activity. Also sets appropriate data for use with
-// preprocessor rule options.
+// inspector rule options.
 
 #ifdef HAVE_CONFIG_H
 #include "config.h"
diff --git a/src/service_inspectors/dce_rpc/dce_utils.h b/src/service_inspectors/dce_rpc/dce_utils.h
index 29d9aa3fb..f2d8c6c2a 100644
--- a/src/service_inspectors/dce_rpc/dce_utils.h
+++ b/src/service_inspectors/dce_rpc/dce_utils.h
@@ -138,22 +138,9 @@ void DCE2_BufferDestroy(DCE2_Buffer* buf);
 const char* DCE2_UuidToStr(
 const Uuid*, DceRpcBoFlag, char (&buf)[DCE2_UUID_BUF_SIZE]);
 
-/********************************************************************
- * Function: DCE2_IsSpaceChar()
- *
- * Determines if the character passed in is a character that
- * the preprocessor considers a to be a space character.
- *
- * Arguments:
- * const char
- * The character to make the determination on.
- *
- * Returns:
- * bool
- * true if a valid space character.
- * false if not a valid space character.
- *
- ********************************************************************/
+// Determines if the character passed in is a character that
+// the inspector considers a to be a space character.
+
 inline bool DCE2_IsSpaceChar(const char c)
 {
 if (isspace((int)c))
@@ -161,23 +148,10 @@ inline bool DCE2_IsSpaceChar(const char c)
 return false;
 }
 
-/********************************************************************
- * Function: DCE2_IsConfigEndChar()
- *
- * Determines if the character passed in is a character that
- * the preprocessor considers a to be an end of configuration
- * character.
- *
- * Arguments:
- * const char
- * The character to make the determination on.
- *
- * Returns:
- * bool
- * true if a valid end of configuration character.
- * false if not a valid end of configuration character.
- *
- ********************************************************************/
+// Determines if the character passed in is a character that
+// the inspector considers a to be an end of configuration
+// character.
+
 inline bool DCE2_IsConfigEndChar(const char c)
 {
 if (c == DCE2_CFG_TOK__END)
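Review bot: The rewritten comments in both dce_utils.h hunks on this line carry the old typo forward, `// the inspector considers a to be a space character.` and `// the inspector considers a to be an end of configuration`; dropping the stray "a" gives `// Determines if the character passed in is one that the inspector` / `// considers to be a space character.` and the matching end-of-configuration wording. Each hunk also adds a blank `+` line between the new comment and the `inline` declaration it describes, which detaches the comment from the function for readers and doc tools; removing that blank line keeps them attached, as the removed block comments were. The bodies of DCE2_IsSpaceChar and DCE2_IsConfigEndChar continue outside the hunks.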
@@ -185,26 +159,9 @@ inline bool DCE2_IsConfigEndChar(const char c)
 return false;
 }
 
-/********************************************************************
- * Function: DCE2_PruneWhiteSpace()
- *
- * Prunes whitespace surrounding string.
- * String must be 0 terminated.
- *
- * Arguments:
- * char *
- * null terminated string to prune.
- * int
- * length of string
- *
- * Returns:
- * char * - Pointer to the pruned string. Note that the pointer
- * still points within the original string.
- *
- * Side effects: Spaces at the end of the string passed in as an
- * argument are replaced by null bytes.
- *
- ********************************************************************/
+// Prunes whitespace surrounding string.
+// String must be 0 terminated.
+
 inline char* DCE2_PruneWhiteSpace(char* str)
 {
 char* end;
@@ -227,20 +184,9 @@ inline char* DCE2_PruneWhiteSpace(char* str)
 return str;
 }
 
-/********************************************************************
- * Function: DCE2_IsEmptyStr()
- *
- * Checks if string is null, empty or just spaces.
- * String must be 0 terminated.
- *
- * Arguments: None
- * char * - string to check
- *
- * Returns:
- * true if string is null, empty or just spaces
- * false otherwise
- *
- ********************************************************************/
+// Checks if string is null, empty or just spaces.
+// String must be 0 terminated.
+
 inline bool DCE2_IsEmptyStr(char* str)
 {
 char* end;
diff --git a/src/service_inspectors/dce_rpc/ips_dce_opnum.cc b/src/service_inspectors/dce_rpc/ips_dce_opnum.cc
index 90fac9b5f..00b8a85ed 100644
--- a/src/service_inspectors/dce_rpc/ips_dce_opnum.cc
+++ b/src/service_inspectors/dce_rpc/ips_dce_opnum.cc
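Review bot: The two-line comment now above DCE2_PruneWhiteSpace drops the part of the contract callers actually need: per the removed block, trailing spaces are overwritten with null bytes in the caller's buffer and the returned pointer points inside the original string rather than to a fresh allocation. Suggested replacement for the added lines: `// Prunes whitespace surrounding string.  String must be 0 terminated.` / `// Trailing spaces are overwritten with null bytes in place; the returned` / `// pointer points into the original string, so do not free it separately.` I am taking the in-place mutation from the removed documentation, since the function body continues outside the hunk. The DCE2_IsEmptyStr hunk on this line has the same blank `+` line between comment and declaration as the earlier dce_utils.h hunks.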
@@ -89,7 +89,7 @@ static THREAD_LOCAL ProfileStats dce2_opnum_perf_stats; * Function: DCE2_IsOpnumChar() * * Determines if the character passed in is a character that - * the preprocessor considers a to be a valid character for a + * the inspector considers a to be a valid character for a * DCE/RPC opnum. * * Arguments: diff --git a/src/service_inspectors/dce_rpc/smb_message.cc b/src/service_inspectors/dce_rpc/smb_message.cc index 5a0074c7e..a84b7ff5f 100644 --- a/src/service_inspectors/dce_rpc/smb_message.cc +++ b/src/service_inspectors/dce_rpc/smb_message.cc @@ -1013,7 +1013,7 @@ static void DCE2_SmbProcessCommand(DCE2_SmbSsnData* ssd, const SmbNtHdr* smb_hdr * Function: DCE2_SmbInspect() * * Purpose: - * Determines whether the SMB command is something the preprocessor + * Determines whether the SMB command is something the inspector * needs to inspect. * This function returns a DCE2_SmbRequestTracker which tracks command * requests / responses. @@ -1926,9 +1926,9 @@ void DCE2_SmbInitGlobals() DCE2_SmbSetValidWordCount((uint8_t)com, SMB_TYPE__REQUEST, 16); // \PIPE\LANMAN - // Not something the preprocessor is looking at as it + // Not something the inspector is looking at as it // doesn't carry DCE/RPC but don't want to false positive - // on the preprocessor event. + // on the inspector event. DCE2_SmbSetValidWordCount((uint8_t)com, SMB_TYPE__REQUEST, 14); // Word count depends on setup count diff --git a/src/service_inspectors/dnp3/dnp3.cc b/src/service_inspectors/dnp3/dnp3.cc index 9c8f8c155..9ea3d5bc3 100644 --- a/src/service_inspectors/dnp3/dnp3.cc +++ b/src/service_inspectors/dnp3/dnp3.cc @@ -196,7 +196,6 @@ static void process_dnp3(const dnp3ProtoConf& config, Packet* p) else dnp3_sess->direction = DNP3_SERVER; - /* Do preprocessor-specific detection stuff here */ if (p->has_tcp_data()) { ++dnp3_stats.tcp_pdus; diff --git a/src/service_inspectors/dns/dns.cc b/src/service_inspectors/dns/dns.cc index bcd1e2d81..bafb17d21 100644 
--- a/src/service_inspectors/dns/dns.cc +++ b/src/service_inspectors/dns/dns.cc @@ -966,10 +966,6 @@ static void snort_dns(Packet* p) if ( !Stream::is_stream_sequenced(p->flow, SSN_DIR_FROM_CLIENT) ) return; - - // If we're waiting on stream reassembly, don't process this packet. - if ( p->packet_flags & PKT_STREAM_INSERT ) - return; } // Get the direction of the packet. diff --git a/src/service_inspectors/dns/dns.h b/src/service_inspectors/dns/dns.h index 39c41bc75..3beebf251 100644 --- a/src/service_inspectors/dns/dns.h +++ b/src/service_inspectors/dns/dns.h @@ -150,7 +150,7 @@ struct DNSNameState #define DNS_RESP_STATE_ADD_RR 0x60 // Per-session data block containing current state -// of the DNS preprocessor for the session. +// of the DNS inspector for the session. struct DNSData { uint32_t state; // The current state of the session. diff --git a/src/service_inspectors/ftp_telnet/pp_ftp.cc b/src/service_inspectors/ftp_telnet/pp_ftp.cc index 946213a0f..abf41eccd 100644 --- a/src/service_inspectors/ftp_telnet/pp_ftp.cc +++ b/src/service_inspectors/ftp_telnet/pp_ftp.cc @@ -17,22 +17,10 @@ // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- -/* pp_ftp.c - * - * Purpose: FTP sessions contain commands and responses. Certain - * commands are vectors of attack. This module checks - * those FTP client commands and their parameter values, as - * well as the server responses per the configuration. - * - * Arguments: None - * - * Effect: Alerts may be raised - * - * Comments: - * - */ - -/* your preprocessor header file goes here */ +// FTP sessions contain commands and responses. Certain commands are +// vectors of attack. This module checks those FTP client commands and +// their parameter values, as well as the server responses per the +// configuration. #ifdef HAVE_CONFIG_H #include "config.h" 
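Review bot: With the PKT_STREAM_INSERT early return gone, nothing in snort_dns records why it is now safe to process the segments that gate used to skip; the commit message calls the check obsolete, but a reader of the function will not see that. A one-line why-comment on the remaining is_stream_sequenced() return — stating, if that is indeed the reason, that TCP payload now reaches the inspector only after reassembly — would preserve the rationale. The same removal appears in ssh.cc:snort_ssh, where the surviving `// If we picked up mid-stream ...` comment could carry the note. snort_dns begins and ends outside the hunk.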
diff --git a/src/service_inspectors/ftp_telnet/pp_ftp.h b/src/service_inspectors/ftp_telnet/pp_ftp.h index 409ce8cf5..025f6ef57 100644 --- a/src/service_inspectors/ftp_telnet/pp_ftp.h +++ b/src/service_inspectors/ftp_telnet/pp_ftp.h @@ -26,9 +26,7 @@ #include "ftpp_si.h" -/* list of function prototypes for this preprocessor */ extern int check_ftp(FTP_SESSION* session, snort::Packet* p, int iMode); - extern int initialize_ftp(FTP_SESSION* session, snort::Packet* p, int iMode); #endif diff --git a/src/service_inspectors/ftp_telnet/pp_telnet.cc b/src/service_inspectors/ftp_telnet/pp_telnet.cc index 258512dd5..47e9f08bb 100644 --- a/src/service_inspectors/ftp_telnet/pp_telnet.cc +++ b/src/service_inspectors/ftp_telnet/pp_telnet.cc @@ -18,28 +18,13 @@ // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- -/* Snort Preprocessor for Telnet Negotiation Normalization*/ - -/* pp_telnet.c - * - * Purpose: Telnet sessions can contain telnet negotiation strings - * that can disrupt pattern matching. This plugin detects - * negotiation strings in stream and "normalizes" them much like - * the http_decode preprocessor normalizes encoded URLs - * - * - * official registry of options - * http://www.iana.org/assignments/telnet-options - * - * Arguments: None - * - * Effect: The telnet negotiation data is removed from the data - * - * Comments: - * - */ -/* your preprocessor header file goes here */ +// Telnet sessions can contain telnet negotiation strings that can disrupt +// pattern matching. This plugin detects negotiation strings in stream and +// normalizes them much like the http_inspect normalizes encoded URLs. +// +// official registry of options +// http://www.iana.org/assignments/telnet-options #ifdef HAVE_CONFIG_H #include "config.h" 
@@ -79,19 +64,6 @@ const uint8_t* get_telnet_buffer(Packet* p, unsigned& len) return len ? buf.data : nullptr; } -/* - * Function: normalize_telnet(Packet *) - * - * Purpose: Perform the preprocessor's intended function. This can be - * simple (statistics collection) or complex (IP defragmentation) - * as you like. Try not to destroy the performance of the whole - * system by trying to do too much.... - * - * Arguments: p => pointer to the current packet data struct - * - * Returns: void function - * - */ int normalize_telnet( TELNET_SESSION* tnssn, Packet* p, DataBuffer& buf, int iMode, char ignoreEraseCmds, bool on_ftp_channel) diff --git a/src/service_inspectors/ftp_telnet/pp_telnet.h b/src/service_inspectors/ftp_telnet/pp_telnet.h index 2d17f4c9c..4e7608422 100644 --- a/src/service_inspectors/ftp_telnet/pp_telnet.h +++ b/src/service_inspectors/ftp_telnet/pp_telnet.h @@ -61,8 +61,9 @@ #define FTPP_IGNORE_TNC_ERASE_CMDS 1 struct DataBuffer; -/* list of function prototypes for this preprocessor */ -extern int normalize_telnet(TELNET_SESSION*, snort::Packet*, DataBuffer&, int iMode, char ignoreEraseCmd, bool on_ftp_channel); + +extern int normalize_telnet( + TELNET_SESSION*, snort::Packet*, DataBuffer&, int iMode, char ignoreEraseCmd, bool on_ftp_channel); void reset_telnet_buffer(snort::Packet*); const uint8_t* get_telnet_buffer(snort::Packet*, unsigned&); diff --git a/src/service_inspectors/gtp/gtp.cc b/src/service_inspectors/gtp/gtp.cc index e9e68530f..6ea5f68c9 100644 --- a/src/service_inspectors/gtp/gtp.cc +++ b/src/service_inspectors/gtp/gtp.cc @@ -18,7 +18,7 @@ //-------------------------------------------------------------------------- // gtp.cc author Hui Cao -// This is the main entry point for this preprocessor +// This is the main entry point for this inspector #ifdef HAVE_CONFIG_H #include "config.h" 
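Review bot: Deleting the template comment leaves normalize_telnet with no documentation at all, and its prototype is not self-explanatory: `int iMode`, `char ignoreEraseCmds` and the `int` return value have no obvious meaning from the signature. A short replacement comment should state what `buf` receives, what `iMode` and `ignoreEraseCmds` select (pp_telnet.h defines `FTPP_IGNORE_TNC_ERASE_CMDS` for the latter), and what the integer return encodes; three or four lines would do. The body of normalize_telnet lies outside the hunk.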
@@ -78,7 +78,7 @@ static GTP_Roptions* GTPGetNewSession(Packet* packetp) return pRopts; } -// Main runtime entry point for GTP preprocessor. +// Main runtime entry point for GTP inspector. void GTPmain(const GTPConfig& config, Packet* packetp) { /* Attempt to get a previously allocated GTP block. */ diff --git a/src/service_inspectors/gtp/gtp_inspect.cc b/src/service_inspectors/gtp/gtp_inspect.cc index aee0081de..9f4c4ace9 100644 --- a/src/service_inspectors/gtp/gtp_inspect.cc +++ b/src/service_inspectors/gtp/gtp_inspect.cc @@ -17,7 +17,6 @@ //-------------------------------------------------------------------------- // gtp_inspect.cc author Russ Combs -// adapt 2x preprocessor code to 3x inspector #ifdef HAVE_CONFIG_H #include "config.h" diff --git a/src/service_inspectors/iec104/iec104_paf.cc b/src/service_inspectors/iec104/iec104_paf.cc index 4c52c90f7..3e801b3c9 100644 --- a/src/service_inspectors/iec104/iec104_paf.cc +++ b/src/service_inspectors/iec104/iec104_paf.cc @@ -20,7 +20,7 @@ // modeled after modbus_paf.cc (author Ryan Jordan) // modeled after s7comm_paf.cc (author Pradeep Damodharan ) -// Protocol-Aware Flushing (PAF) code for the IEC104 preprocessor. +// Protocol-Aware Flushing (PAF) code for the IEC104 inspector. #ifdef HAVE_CONFIG_H #include "config.h" diff --git a/src/service_inspectors/iec104/iec104_paf.h b/src/service_inspectors/iec104/iec104_paf.h index 141296781..f5600b66e 100644 --- a/src/service_inspectors/iec104/iec104_paf.h +++ b/src/service_inspectors/iec104/iec104_paf.h @@ -23,7 +23,7 @@ #ifndef IEC104_PAF__H #define IEC104_PAF__H -// Protocol-Aware Flushing (PAF) code for the IEC104 preprocessor. +// Protocol-Aware Flushing (PAF) code for the IEC104 inspector. #include "stream/stream_splitter.h" diff --git a/src/service_inspectors/imap/imap.cc b/src/service_inspectors/imap/imap.cc index fb03f2e74..35c6029fb 100644 --- a/src/service_inspectors/imap/imap.cc +++ b/src/service_inspectors/imap/imap.cc 
@@ -567,16 +567,8 @@ static void IMAP_ProcessServerPacket(Packet* p, IMAPData* imap_ssn) } } -/* Main runtime entry point for IMAP preprocessor. - * Analyzes IMAP packets for anomalies/exploits. - * - * PARAMETERS: - * - * p: Pointer to current packet to process. - * contextp: Pointer to context block, not used. - * - * RETURNS: Nothing. - */ +// Analyzes IMAP packets for anomalies/exploits. + static void snort_imap(IMAP_PROTO_CONF* config, Packet* p) { /* Attempt to get a previously allocated IMAP block. */ diff --git a/src/service_inspectors/modbus/modbus_decode.cc b/src/service_inspectors/modbus/modbus_decode.cc index 58828edc3..c09d78d8d 100644 --- a/src/service_inspectors/modbus/modbus_decode.cc +++ b/src/service_inspectors/modbus/modbus_decode.cc @@ -164,7 +164,7 @@ static void ModbusCheckRequestLengths(modbus_session_data_t* session, Packet* p) /* MEI Type 0x0E is covered under the Modbus spec as "Read Device Identification". Type 0x0D is defined in the spec as "CANopen General Reference Request and Response PDU" - and falls outside the scope of the Modbus preprocessor. + and falls outside the scope of the Modbus inspector. Other values are reserved. */ @@ -315,7 +315,7 @@ static void ModbusCheckResponseLengths(modbus_session_data_t* session, Packet* p /* MEI Type 0x0E is covered under the Modbus spec as "Read Device Identification". Type 0x0D is defined in the spec as "CANopen General Reference Request and Response PDU" - and falls outside the scope of the Modbus preprocessor. + and falls outside the scope of the Modbus inspector. Other values are reserved. */ diff --git a/src/service_inspectors/modbus/modbus_paf.cc b/src/service_inspectors/modbus/modbus_paf.cc index 9d1a93f0c..00e452add 100644 --- a/src/service_inspectors/modbus/modbus_paf.cc +++ b/src/service_inspectors/modbus/modbus_paf.cc 
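Review bot: The replacement one-liners for the per-protocol entry points are inconsistent across this commit: snort_imap here, snort_pop and snort_ssl get `// Analyzes X packets for anomalies/exploits.`, snort_sip and snort_ssh get `// Main runtime entry point for X inspector.`, and snort_smtp loses its comment entirely. Since every old block carried both sentences, one form for all six — e.g. `// Main runtime entry point for IMAP inspector; analyzes IMAP packets for anomalies/exploits.` — would read better, and snort_smtp should get the same line rather than none. Each of these functions continues past its hunk.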
@@ -18,7 +18,7 @@ //-------------------------------------------------------------------------- // modbus_paf.cc author Ryan Jordan -// Protocol-Aware Flushing (PAF) code for the Modbus preprocessor. +// Protocol-Aware Flushing (PAF) code for the Modbus inspector. #ifdef HAVE_CONFIG_H #include "config.h" diff --git a/src/service_inspectors/modbus/modbus_paf.h b/src/service_inspectors/modbus/modbus_paf.h index e521dbbb9..568c894f7 100644 --- a/src/service_inspectors/modbus/modbus_paf.h +++ b/src/service_inspectors/modbus/modbus_paf.h @@ -22,7 +22,7 @@ #ifndef MODBUS_PAF__H #define MODBUS_PAF__H -// Protocol-Aware Flushing (PAF) code for the Modbus preprocessor. +// Protocol-Aware Flushing (PAF) code for the Modbus inspector. #include "stream/stream_splitter.h" diff --git a/src/service_inspectors/pop/pop.cc b/src/service_inspectors/pop/pop.cc index e8ee1e066..b09fc3f86 100644 --- a/src/service_inspectors/pop/pop.cc +++ b/src/service_inspectors/pop/pop.cc @@ -506,16 +506,8 @@ static void POP_ProcessServerPacket(Packet* p, POPData* pop_ssn) } } -/* Main runtime entry point for POP preprocessor. - * Analyzes POP packets for anomalies/exploits. - * - * PARAMETERS: - * - * p: Pointer to current packet to process. - * contextp: Pointer to context block, not used. - * - * RETURNS: Nothing. - */ +// Analyzes POP packets for anomalies/exploits. + static void snort_pop(POP_PROTO_CONF* config, Packet* p) { /* Attempt to get a previously allocated POP block. */ diff --git a/src/service_inspectors/rpc_decode/rpc_decode.cc b/src/service_inspectors/rpc_decode/rpc_decode.cc index fb1312e8c..7d1ffca44 100644 --- a/src/service_inspectors/rpc_decode/rpc_decode.cc +++ b/src/service_inspectors/rpc_decode/rpc_decode.cc 
@@ -22,7 +22,7 @@ * * Purpose: * - * This preprocessor normalizes the RPC requests from remote machines by + * This inspector normalizes the RPC requests from remote machines by * converting all fragments into one continuous stream. * This is very useful for doing things like defeating hostile attackers * trying to stealth themselves from IDSs by fragmenting the request so the @@ -564,7 +564,7 @@ static RpcSsnData* RpcSsnDataNew(Packet* p) * The minimum "valid" packet for us is 8 fields * 4 bytes * * This decoder is ignorant of TCP state so we'll have to assume - * that reassembled TCP stuff is reinjected to the preprocessor + * that reassembled TCP stuff is reinjected to the inspector * chain * * This decoder is also ignorant of multiple RPC requests in a diff --git a/src/service_inspectors/s7commplus/s7comm_paf.cc b/src/service_inspectors/s7commplus/s7comm_paf.cc index bd9a3f518..4d6c3519a 100644 --- a/src/service_inspectors/s7commplus/s7comm_paf.cc +++ b/src/service_inspectors/s7commplus/s7comm_paf.cc @@ -18,7 +18,7 @@ // s7comm_paf.cc author Pradeep Damodharan // based on work by Jeffrey Gu -// Protocol-Aware Flushing (PAF) code for the S7commplus preprocessor. +// Protocol-Aware Flushing (PAF) code for the S7commplus inspector. #ifdef HAVE_CONFIG_H #include "config.h" diff --git a/src/service_inspectors/s7commplus/s7comm_paf.h b/src/service_inspectors/s7commplus/s7comm_paf.h index 04aa9388d..117157cc2 100644 --- a/src/service_inspectors/s7commplus/s7comm_paf.h +++ b/src/service_inspectors/s7commplus/s7comm_paf.h @@ -22,7 +22,7 @@ #ifndef S7COMM_PAF__H #define S7COMM_PAF__H -// Protocol-Aware Flushing (PAF) code for the S7commplus preprocessor. +// Protocol-Aware Flushing (PAF) code for the S7commplus inspector. #include "stream/stream_splitter.h" diff --git a/src/service_inspectors/sip/sip.cc b/src/service_inspectors/sip/sip.cc index fb6bf5ed4..32e1650f7 100644 --- a/src/service_inspectors/sip/sip.cc +++ b/src/service_inspectors/sip/sip.cc 
@@ -146,16 +146,8 @@ static inline int SIP_Process(Packet* p, SIPData* sessp, SIP_PROTO_CONF* config) return status; } -/* Main runtime entry point for SIP preprocessor. - * Analyzes SIP packets for anomalies/exploits. - * - * PARAMETERS: - * - * p: Pointer to current packet to process. - * contextp: Pointer to context block, not used. - * - * RETURNS: Nothing. - */ +// Main runtime entry point for SIP inspector. + static void snort_sip(SIP_PROTO_CONF* config, Packet* p) { Profile profile(sipPerfStats); @@ -233,7 +225,7 @@ void Sip::show(const SnortConfig*) const ConfigLogger::log_value("max_content_len", config->maxContentLen); ConfigLogger::log_value("max_dialogs", config->maxNumDialogsInSession); ConfigLogger::log_value("max_from_len", config->maxFromLen); - ConfigLogger::log_value("max_requestName_len", config->maxRequestNameLen); + ConfigLogger::log_value("max_request_name_len", config->maxRequestNameLen); ConfigLogger::log_value("max_to_len", config->maxToLen); ConfigLogger::log_value("max_uri_len", config->maxUriLen); ConfigLogger::log_value("max_via_len", config->maxViaLen); diff --git a/src/service_inspectors/sip/sip_module.cc b/src/service_inspectors/sip/sip_module.cc index 87683eb54..b7d20d6ec 100644 --- a/src/service_inspectors/sip/sip_module.cc +++ b/src/service_inspectors/sip/sip_module.cc @@ -78,9 +78,12 @@ static const Parameter s_params[] = { "max_from_len", Parameter::PT_INT, "0:65535", "256", "maximum from field size" }, - { "max_requestName_len", Parameter::PT_INT, "0:65535", "20", + { "max_request_name_len", Parameter::PT_INT, "0:65535", "20", "maximum request name field size" }, + { "max_requestName_len", Parameter::PT_INT, "0:65535", "20", + "deprecated - use max_request_name_len instead" }, + { "max_to_len", Parameter::PT_INT, "0:65535", "256", "maximum to field size" }, 
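Review bot: The deprecated `max_requestName_len` entry is accepted silently: its help string says deprecated, but neither the s_params table here nor the `v.is("max_request_name_len") or v.is("max_requestName_len")` branch in the following SipModule::set hunk tells the user to migrate, so old configs keep working unnoticed until the FIXIT-L removal breaks them. Emitting a parse-time warning when the old key is seen (snort3's ParseWarning, if that is what the module framework uses elsewhere) would make the deprecation visible. Note also that if a config sets both names, whichever is processed later overwrites maxRequestNameLen with no defined precedence; the warning would at least surface that case. SipModule::set continues outside its hunk.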
@@ -215,7 +218,8 @@ bool SipModule::set(const char*, Value& v, SnortConfig*) else if ( v.is("max_from_len") ) conf->maxFromLen = v.get_uint16(); - else if ( v.is("max_requestName_len") ) + // FIXIT-L max_requestName_len is deprecated - delete + else if ( v.is("max_request_name_len") or v.is("max_requestName_len") ) conf->maxRequestNameLen = v.get_uint16(); else if ( v.is("max_to_len") ) diff --git a/src/service_inspectors/smtp/smtp.cc b/src/service_inspectors/smtp/smtp.cc index 9137e1a6a..10a07a655 100644 --- a/src/service_inspectors/smtp/smtp.cc +++ b/src/service_inspectors/smtp/smtp.cc @@ -1157,13 +1157,6 @@ static void SMTP_ProcessServerPacket( } } -/* - * Entry point to snort preprocessor for each packet - * - * @param packet standard Packet structure - * - * @return none - */ static void snort_smtp(SmtpProtoConf* config, Packet* p) { int pkt_dir; diff --git a/src/service_inspectors/ssh/ssh.cc b/src/service_inspectors/ssh/ssh.cc index c81634b4e..90d060bca 100644 --- a/src/service_inspectors/ssh/ssh.cc +++ b/src/service_inspectors/ssh/ssh.cc @@ -18,7 +18,7 @@ //-------------------------------------------------------------------------- /* - * SSH preprocessor + * SSH inspector * Author: Chris Sherwin * Contributors: Adam Keeton, Ryan Jordan */ @@ -111,16 +111,8 @@ static unsigned int SSHPacket_GetLength(const SSH2Packet* p, size_t buflen) return ssh_length; } -/* Main runtime entry point for SSH preprocessor. - * Analyzes SSH packets for anomalies/exploits. - * - * PARAMETERS: - * - * p: Pointer to current packet to process. - * contextp: Pointer to context block, not used. - * - * RETURNS: Nothing. - */ +// Main runtime entry point for SSH inspector. + static void snort_ssh(SSH_PROTO_CONF* config, Packet* p) { Profile profile(sshPerfStats); 
@@ -132,11 +124,6 @@ static void snort_ssh(SSH_PROTO_CONF* config, Packet* p) if (sessp->state_flags & SSH_FLG_MISSED_PACKETS) return; - // Make sure this preprocessor should run. - // check if we're waiting on stream reassembly - if ( p->packet_flags & PKT_STREAM_INSERT ) - return; - // If we picked up mid-stream or missed any packets (midstream pick up // means we've already missed packets) set missed packets flag and make // sure we don't do any more reassembly on this session diff --git a/src/service_inspectors/ssh/ssh.h b/src/service_inspectors/ssh/ssh.h index c0f600654..ff3e0b895 100644 --- a/src/service_inspectors/ssh/ssh.h +++ b/src/service_inspectors/ssh/ssh.h @@ -88,7 +88,7 @@ #define SSH_VERSION_2 (0x2) // Per-session data block containing current state -// of the SSH preprocessor for the session. +// of the SSH inspector for the session. struct SSHData { uint8_t version = SSH_VERSION_UNKNOWN; // Version of SSH detected for this session diff --git a/src/service_inspectors/ssl/ssl_inspector.cc b/src/service_inspectors/ssl/ssl_inspector.cc index 5af50c355..44fc7ba8e 100644 --- a/src/service_inspectors/ssl/ssl_inspector.cc +++ b/src/service_inspectors/ssl/ssl_inspector.cc @@ -271,16 +271,8 @@ static inline void SSLPP_process_other(SSL_PROTO_CONF* config, SSLData* sd, uint } } -/* Main runtime entry point for SSL preprocessor. - * Analyzes SSL packets for anomalies/exploits. - * - * PARAMETERS: - * - * p: Pointer to current packet to process. - * contextp: Pointer to context block, not used. - * - * RETURNS: Nothing. - */ +// Analyzes SSL packets for anomalies/exploits. + static void snort_ssl(SSL_PROTO_CONF* config, Packet* p) { Profile profile(sslPerfStats); diff --git a/tools/snort2lua/preprocessor_states/pps_sip.cc b/tools/snort2lua/preprocessor_states/pps_sip.cc index e128936b3..d076f8355 100644 --- a/tools/snort2lua/preprocessor_states/pps_sip.cc +++ b/tools/snort2lua/preprocessor_states/pps_sip.cc 
@@ -95,7 +95,8 @@ bool Sip::convert(std::istringstream& data_stream)
 else if (keyword == "max_requestName_len")
 {
- tmpval = parse_int_option("max_requestName_len", arg_stream, false);
+ tmpval = parse_int_option("max_request_name_len", arg_stream, false);
+ table_api.add_diff_option_comment("max_requestName_len", "max_request_name_len");
 }
 else if (keyword == "max_sessions")