From: Shravan Rangarajuvenkata (shrarang) Date: Mon, 16 Dec 2019 16:09:58 +0000 (+0000) Subject: Merge pull request #1898 in SNORT/snort3 from ~SHRARANG/snort3:appid_cleanup to master X-Git-Tag: 3.0.0-267~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c0ba18b585e44228c1af251c0c2f10ec3a2dd97f;p=thirdparty%2Fsnort3.git Merge pull request #1898 in SNORT/snort3 from ~SHRARANG/snort3:appid_cleanup to master Squashed commit of the following: commit 868f316b3e1642a3cc1045b1bd4351d298f195ed Author: Shravan Rangaraju Date: Wed Dec 11 15:52:40 2019 -0500 appid: cleanup unused code --- diff --git a/src/network_inspectors/appid/CMakeLists.txt b/src/network_inspectors/appid/CMakeLists.txt index 917e3a337..8b1668d8e 100644 --- a/src/network_inspectors/appid/CMakeLists.txt +++ b/src/network_inspectors/appid/CMakeLists.txt @@ -145,10 +145,7 @@ set ( DP_APPID_SOURCES set ( UTIL_APPID_SOURCES appid_utils/fw_avltree.cc appid_utils/fw_avltree.h - appid_utils/ip_funcs.cc appid_utils/ip_funcs.h - appid_utils/network_set.cc - appid_utils/network_set.h appid_utils/sf_mlmp.cc appid_utils/sf_mlmp.h appid_utils/sf_multi_mpse.cc diff --git a/src/network_inspectors/appid/appid_config.cc b/src/network_inspectors/appid/appid_config.cc index a8b81f119..1c6082d81 100644 --- a/src/network_inspectors/appid/appid_config.cc +++ b/src/network_inspectors/appid/appid_config.cc @@ -33,10 +33,6 @@ #include "appid_discovery.h" #include "appid_http_session.h" #include "appid_session.h" -#ifdef USE_RNA_CONFIG -#include "appid_utils/network_set.h" -#include "appid_utils/ip_funcs.h" -#endif #include "detector_plugins/detector_pattern.h" #include "host_port_app_cache.h" #include "main/snort_config.h" @@ -94,9 +90,6 @@ static void map_app_names_to_snort_ids(SnortConfig* sc) AppIdModuleConfig::~AppIdModuleConfig() { -#ifdef USE_RNA_CONFIG - snort_free((void*)conf_file); -#endif snort_free((void*)app_detector_dir); } 
@@ -106,29 +99,6 @@ std::array AppIdConfig::tcp_port_only = {APP_ID_N std::array AppIdConfig::udp_port_only = {APP_ID_NONE}; std::array AppIdConfig::ip_protocol = {APP_ID_NONE}; - -AppIdConfig::AppIdConfig(AppIdModuleConfig* config) - : mod_config(config) -{ -#ifdef USE_RNA_CONFIG - for ( unsigned i = 0; i < MAX_ZONES; i++ ) - net_list_by_zone[ i ] = nullptr; -#endif - - for ( unsigned i = 0; i < APP_ID_PORT_ARRAY_SIZE; i++ ) - { - tcp_port_exclusions_src[ i ] = nullptr; - udp_port_exclusions_src[ i ] = nullptr; - tcp_port_exclusions_dst[ i ] = nullptr; - udp_port_exclusions_dst[ i ] = nullptr; - } -} - -AppIdConfig::~AppIdConfig() -{ - cleanup(); -} - // FIXIT-M: RELOAD - Move app info table cleanup back to AppId config destructor - cleanup() void AppIdConfig::pterm() { 
@@ -270,481 +240,6 @@ next: ; globfree(&globs); } -#ifdef USE_RNA_CONFIG -void AppIdConfig::configure_analysis_networks(char* toklist[], uint32_t flag) -{ - NetworkSet* my_net_list; - RNAIpv6AddrSet* ias6; - char* p; - - if (toklist[0]) - { - if (strchr(toklist[0], ':')) - { - ias6 = ParseIpv6Cidr(toklist[0]); - if (ias6) - { - NSIPv6Addr six; - char min_ip[INET6_ADDRSTRLEN]; - char max_ip[INET6_ADDRSTRLEN]; - int zone; - - if (toklist[1]) - { - long tmp = strtol(toklist[1], &p, 10); - - if (!*toklist[1] || *p != 0 || tmp >= MAX_ZONES || tmp < -1) - { - ErrorMessage("Invalid Analyze: %s '%s'", toklist[0], toklist[1]); - zone = -1; - } - else - zone = (int)tmp; - } - else - zone = -1; - ias6->addr_flags |= flag; - six = ias6->range_min; - NetworkSetManager::ntoh_ipv6(&six); - inet_ntop(AF_INET6, (struct in6_addr*)&six, min_ip, sizeof(min_ip)); - six = ias6->range_max; - NetworkSetManager::ntoh_ipv6(&six); - inet_ntop(AF_INET6, (struct in6_addr*)&six, max_ip, sizeof(max_ip)); - if (zone >= 0) - { - if (!(my_net_list = net_list_by_zone[zone])) - { - if (NetworkSetManager::create(&my_net_list)) - ErrorMessage("%s", "Failed to create a network set"); - else - { - my_net_list->next = net_list_list; - net_list_list = my_net_list; - } - net_list_by_zone[zone] = my_net_list; - } - } - else - my_net_list = net_list; - if (my_net_list && NetworkSetManager::add_cidr_block6_ex(my_net_list, - &ias6->range_min, ias6->netmask, ias6->addr_flags & IPFUNCS_EXCEPT_IP, 0, - ias6->addr_flags & (~IPFUNCS_EXCEPT_IP))) - { - ErrorMessage( - "Failed to add an IP address set to the list of monitored networks"); - } - snort_free(ias6); - } - else - ErrorMessage("Invalid analysis parameter: %s", toklist[0]); - } - else - { - RNAIpAddrSet* ias = ParseIpCidr(toklist[0], app_id_netmasks); - - if (ias) - { - int zone; - - if (toklist[1]) - { - unsigned long tmp = strtol(toklist[1], &p, 10); - - if (!*toklist[1] || *p != 0 || tmp >= MAX_ZONES || tmp < -1) - { - ErrorMessage("Invalid Analyze: %s 
'%s'", toklist[0], toklist[1]); - zone = -1; - } - else - zone = (int)tmp; - } - else - zone = -1; - ias->addr_flags |= flag; - if (zone >= 0) - { - if (!(my_net_list = net_list_by_zone[zone])) - { - if (NetworkSetManager::create(&my_net_list)) - ErrorMessage("%s", "Failed to create a network set"); - else - { - my_net_list->next = net_list_list; - net_list_list = my_net_list; - } - net_list_by_zone[zone] = my_net_list; - } - } - else - my_net_list = net_list; - if (my_net_list && NetworkSetManager::add_cidr_block_ex(my_net_list, - ias->range_min, - ias->netmask, - ias->addr_flags & IPFUNCS_EXCEPT_IP, 0, - ias->addr_flags & (~IPFUNCS_EXCEPT_IP))) - { - ErrorMessage( - "Failed to add an IP address set to the list of monitored networks"); - } - snort_free(ias); - } - else - ErrorMessage("Invalid analysis parameter: %s", toklist[0]); - } - } -} - -int AppIdConfig::add_port_exclusion(AppIdPortExclusions& port_exclusions, const - ip::snort_in6_addr* ip, - const ip::snort_in6_addr* netmask, int family, uint16_t port) -{ - SF_LIST* pe_list; - - PortExclusion* port_ex = (PortExclusion*)snort_calloc(sizeof(PortExclusion)); - port_ex->ip = *ip; - if (family == AF_INET) - { - port_ex->netmask.u6_addr32[0] = port_ex->netmask.u6_addr32[1] = - port_ex->netmask.u6_addr32[2] = ~0; - port_ex->netmask.u6_addr32[3] = netmask->u6_addr32[3]; - } - else - port_ex->netmask = *netmask; - - if ((pe_list = port_exclusions[port]) == nullptr) - { - pe_list = port_exclusions[port] = sflist_new(); - if (pe_list == nullptr) - { - snort_free(port_ex); - ErrorMessage("Config: Failed to allocate memory for port exclusion list"); - return -1; - } - } - - /* add this PortExclusion to the sflist for this port */ - sflist_add_tail(pe_list, port_ex); - return 0; -} - -void AppIdConfig::process_port_exclusion(char* toklist[]) -{ - int i = 1; - char* p; - RNAIpv6AddrSet* ias6; - IpProtocol proto; - unsigned long dir; - unsigned long port; - ip::snort_in6_addr ip; - ip::snort_in6_addr netmask; - int 
family; - - if (!toklist[i]) - { - ErrorMessage("Config: Port exclusion direction omitted"); - return; - } - - if (strcasecmp(toklist[i], "dst") == 0) - dir = 2; - else if (strcasecmp(toklist[i], "src") == 0) - dir = 1; - else if (strcasecmp(toklist[i], "both") == 0) - dir = 3; - else - { - ErrorMessage("Config: Invalid port exclusion direction specified"); - return; - } - - i++; - if (!toklist[i]) - { - ErrorMessage("Config: Port exclusion protocol omitted"); - return; - } - - if (strcasecmp(toklist[i], "tcp") == 0) - proto = IpProtocol::TCP; - else if (strcasecmp(toklist[i], "udp") == 0) - proto = IpProtocol::UDP; - else - { - ErrorMessage("Config: Invalid port exclusion protocol specified"); - return; - } - - i++; - if (!toklist[i]) - { - ErrorMessage("Config: Port exclusion port omitted"); - return; - } - - port = strtoul(toklist[i], &p, 10); - if (!*toklist[i] || *p || port >= APP_ID_PORT_ARRAY_SIZE) - { - ErrorMessage("Config: Invalid port exclusion port specified"); - return; - } - - i++; - if (!toklist[i]) - { - ErrorMessage("Config: Port exclusion address omitted"); - return; - } - - if (strchr(toklist[i], ':')) - { - ias6 = ParseIpv6Cidr(toklist[i]); - if (!ias6 || ias6->addr_flags) - { - if (ias6) - snort_free(ias6); - ErrorMessage("Config: Invalid port exclusion address specified"); - return; - } - NetworkSetManager::hton_swap_ipv6(&ias6->range_min, &ip); - NetworkSetManager::hton_swap_ipv6(&ias6->netmask_mask, &netmask); - family = AF_INET6; - snort_free(ias6); - } - else - { - RNAIpAddrSet* ias = ParseIpCidr(toklist[i], app_id_netmasks); - if (!ias || ias->addr_flags) - { - if (ias) - snort_free(ias); - ErrorMessage("Config: Invalid port exclusion address specified"); - return; - } - family = AF_INET; - copyIpv4ToIpv6Network(&ip, htonl(ias->range_min)); - copyIpv4ToIpv6Network(&netmask, htonl(ias->netmask_mask)); - snort_free(ias); - } - - if (dir & 1) - { - if (proto == IpProtocol::TCP) - add_port_exclusion(tcp_port_exclusions_src, &ip, &netmask, 
family, (uint16_t)port); - else - add_port_exclusion(udp_port_exclusions_src, &ip, &netmask, family, (uint16_t)port); - } - - if (dir & 2) - { - if (proto == IpProtocol::TCP) - add_port_exclusion(tcp_port_exclusions_dst, &ip, &netmask, family, (uint16_t)port); - else - add_port_exclusion(udp_port_exclusions_dst, &ip, &netmask, family, (uint16_t)port); - } -} - -void AppIdConfig::process_config_directive(char* toklist[], int /* reload */) -{ - char* curtok; - int i; - - /* the first tok is "config" or we wouldn't be here now */ - i = 1; - curtok = toklist[i]; - i++; - - if (!strcasecmp(curtok, "Analyze")) - { - configure_analysis_networks(&toklist[i], IPFUNCS_HOSTS_IP | IPFUNCS_APPLICATION); - } - else if (!strcasecmp(curtok, "AnalyzeHost")) - { - configure_analysis_networks(&toklist[i], IPFUNCS_HOSTS_IP | IPFUNCS_APPLICATION); - } - else if (!strcasecmp(curtok, "AnalyzeUser")) - { - configure_analysis_networks(&toklist[i], IPFUNCS_USER_IP | IPFUNCS_APPLICATION); - } - else if (!strcasecmp(curtok, "AnalyzeHostUser")) - { - configure_analysis_networks(&toklist[i], - IPFUNCS_HOSTS_IP | IPFUNCS_USER_IP | IPFUNCS_APPLICATION); - } - else if (!strcasecmp(curtok, "AnalyzeApplication")) - { - configure_analysis_networks(&toklist[i], IPFUNCS_APPLICATION); - } -} - -static int strip(char* data) -{ - int size; - char* idx; - - idx = data; - size = 0; - - while (*idx) - { - if ((*idx == '\n') || (*idx == '\r')) - { - *idx = 0; - break; - } - if (*idx == '\t') - { - *idx = ' '; - } - size++; - idx++; - } - - return size; -} - -#define MAX_TOKS 256 -static int tokenize(char* data, char* toklist[]) -{ - char** ap; - int argcount = 0; - int i = 0; - int drop_further = 0; - - for (ap = (char**)toklist; ap < &toklist[MAX_TOKS] && (*ap = strsep(&data, " ")) != nullptr; ) - { - if (**ap != '\0') - { - ap++; - argcount++; - } - } - - *ap = nullptr; - - /* scan for comments */ - while (i < argcount) - { - char* tok = toklist[i]; - - if (tok[0] == '#' && !drop_further) - { - argcount = 
i; - drop_further = 1; - } - - if (drop_further) - { - toklist[i] = nullptr; - } - - i++; - } - - return argcount; -} - -int AppIdConfig::load_analysis_config(const char* config_file, int reload, int instance_id) -{ - char linebuffer[MAX_LINE]; - char* toklist[MAX_TOKS]; - NetworkSet* my_net_list; - - if (NetworkSetManager::create(&net_list)) - FatalError("Failed to allocate a network set"); - net_list_list = net_list; - - if (!config_file || (!config_file[0])) - { - char addrString[sizeof("0.0.0.0/0")]; - toklist[1] = nullptr; - toklist[0] = addrString; - strcpy(addrString,"0.0.0.0/0"); - configure_analysis_networks(toklist, IPFUNCS_HOSTS_IP | IPFUNCS_USER_IP | - IPFUNCS_APPLICATION); - strcpy(addrString,"::/0"); - configure_analysis_networks(toklist, IPFUNCS_HOSTS_IP | IPFUNCS_USER_IP | - IPFUNCS_APPLICATION); - toklist[0] = nullptr; - } - else - { - FILE* fp; - - if (!(fp = fopen(config_file, "r"))) - { - ErrorMessage("Unable to open %s", config_file); - return -1; - } - unsigned line = 0; - - while (fgets(linebuffer, MAX_LINE, fp) != nullptr) - { - line++; - strip(linebuffer); - char* cptr = linebuffer; - - while (isspace((int)*cptr)) - cptr++; - - if (*cptr && (*cptr != '#') && (*cptr != 0x0a)) - { - memset(toklist, 0, sizeof(toklist)); - - if (tokenize(cptr, toklist) < 2) - { - fclose(fp); - ErrorMessage("Invalid configuration file line %u", line); - return -1; - } - if (!(strcasecmp(toklist[0], "config"))) - process_config_directive(toklist, reload); - else if (!(strcasecmp(toklist[0], "portexclusion"))) - process_port_exclusion(toklist); - } - } - - fclose(fp); - } - - if (instance_id) - { - char* instance_toklist[2]; - char addrString[sizeof("0.0.0.0/0")]; - instance_toklist[0] = addrString; - instance_toklist[1] = nullptr; - strcpy(addrString,"0.0.0.0/0"); - configure_analysis_networks(instance_toklist, IPFUNCS_APPLICATION); - strcpy(addrString,"::/0"); - configure_analysis_networks(instance_toklist, IPFUNCS_APPLICATION); - } - - for (my_net_list = 
net_list_list; my_net_list; my_net_list = net_list->next) - { - if (my_net_list != net_list) - { - if (NetworkSetManager::add_set(my_net_list, net_list)) - ErrorMessage("Failed to add any network list to a zone network list"); - } - } - net_list_count = 0; - for (my_net_list = net_list_list; my_net_list; my_net_list = net_list->next) - { - if (NetworkSetManager::reduce(my_net_list)) - ErrorMessage("Failed to reduce the IP address sets"); - net_list_count += NetworkSetManager::count_ex(my_net_list) + NetworkSetManager::count6_ex( - my_net_list); - } - - return 0; -} - -#endif - -void AppIdConfig::set_safe_search_enforcement(bool enabled) -{ - mod_config->safe_search_enabled = enabled; -} - bool AppIdConfig::init_appid(SnortConfig* sc) { // FIXIT-M: RELOAD - Get rid of "once" flag @@ -768,9 +263,6 @@ bool AppIdConfig::init_appid(SnortConfig* sc) read_port_detectors(CUSTOM_PORT_DETECTORS); once = true; } -#ifdef USE_RNA_CONFIG - load_analysis_config(mod_config->conf_file, 0, mod_config->instance_id); -#endif #ifdef ENABLE_APPID_THIRD_PARTY TPLibHandler::pinit(mod_config); @@ -779,35 +271,6 @@ bool AppIdConfig::init_appid(SnortConfig* sc) return true; } -static void free_port_exclusion_list(AppIdPortExclusions& pe_list) -{ - for ( unsigned i = 0; i < APP_ID_PORT_ARRAY_SIZE; i++ ) - { - if ( pe_list[i] != nullptr ) - { - sflist_free_all(pe_list[i], &snort_free); - pe_list[i] = nullptr; - } - } -} - -void AppIdConfig::cleanup() -{ -#ifdef USE_RNA_CONFIG - NetworkSet* net_list; ///< list of network sets - while ((net_list = net_list_list)) - { - net_list_list = net_list->next; - NetworkSetManager::destroy(net_list); - } -#endif - - free_port_exclusion_list(tcp_port_exclusions_src); - free_port_exclusion_list(tcp_port_exclusions_dst); - free_port_exclusion_list(udp_port_exclusions_src); - free_port_exclusion_list(udp_port_exclusions_dst); -} - AppId AppIdConfig::get_port_service_id(IpProtocol proto, uint16_t port) { AppId appId; 
@@ -825,114 +288,10 @@ AppId AppIdConfig::get_protocol_service_id(IpProtocol proto) return ip_protocol[(uint16_t)proto]; } -static void display_port_exclusion_list(SF_LIST* pe_list, uint16_t port) -{ - char inet_buffer[INET6_ADDRSTRLEN]; - char inet_buffer2[INET6_ADDRSTRLEN]; - PortExclusion* pe; - SF_LNODE* lnext; - - if (!pe_list) - return; - - for (pe = (PortExclusion*)sflist_first(pe_list, &lnext); - pe; - pe = (PortExclusion*)sflist_next(&lnext)) - { - const char* p = inet_ntop(pe->family, &pe->ip, inet_buffer, sizeof(inet_buffer)); - const char* p2 = inet_ntop(pe->family, &pe->netmask, inet_buffer2, sizeof(inet_buffer2)); - LogMessage(" %d on %s/%s\n", port, p ? p : "ERROR", p2 ? p2 : "ERROR"); - } -} - void AppIdConfig::show() { - unsigned i; - if (!mod_config->tp_appid_path.empty()) LogMessage(" 3rd Party Dir: %s\n", mod_config->tp_appid_path.c_str()); - -#ifdef USE_RNA_CONFIG - struct in_addr ia; - NSIPv6Addr six; - char inet_buffer[INET6_ADDRSTRLEN]; - char inet_buffer2[INET6_ADDRSTRLEN]; - const char* p; - const char* p2; - - LogMessage(" Monitoring Networks for any zone:\n"); - for (i = 0; i < net_list->count; i++) - { - ia.s_addr = htonl(net_list->pnetwork[i]->range_min); - p = inet_ntop(AF_INET, &ia, inet_buffer, sizeof(inet_buffer)); - ia.s_addr = htonl(net_list->pnetwork[i]->range_max); - p2 = inet_ntop(AF_INET, &ia, inet_buffer2, sizeof(inet_buffer2)); - LogMessage(" %s%s-%s %04X\n", (net_list->pnetwork[i]->info.ip_not) ? "!" : "", - p ? - p : "ERROR", - p2 ? 
p2 : "ERROR", net_list->pnetwork[i]->info.type); - } - for (i = 0; i < net_list->count6; i++) - { - six = net_list->pnetwork6[i]->range_min; - NetworkSetManager::ntoh_ipv6(&six); - p = inet_ntop(AF_INET6, (struct in6_addr*)&six, inet_buffer, sizeof(inet_buffer)); - six = net_list->pnetwork6[i]->range_max; - NetworkSetManager::ntoh_ipv6(&six); - p2 = inet_ntop(AF_INET6, (struct in6_addr*)&six, inet_buffer2, sizeof(inet_buffer2)); - LogMessage(" %s%s-%s %04X\n", (net_list->pnetwork6[i]->info.ip_not) ? "!" : "", - p ? - p : "ERROR", - p2 ? p2 : "ERROR", net_list->pnetwork6[i]->info.type); - } - - for (int j = 0; j < MAX_ZONES; j++) - { - if (!(net_list = net_list_by_zone[j])) - continue; - LogMessage(" Monitoring Networks for zone %d:\n", j); - for (i = 0; i < net_list->count; i++) - { - ia.s_addr = htonl(net_list->pnetwork[i]->range_min); - p = inet_ntop(AF_INET, &ia, inet_buffer, sizeof(inet_buffer)); - ia.s_addr = htonl(net_list->pnetwork[i]->range_max); - p2 = inet_ntop(AF_INET, &ia, inet_buffer2, sizeof(inet_buffer2)); - LogMessage(" %s%s-%s %04X\n", (net_list->pnetwork[i]->info.ip_not) ? "!" : - "", - p ? p : "ERROR", - p2 ? p2 : "ERROR", net_list->pnetwork[i]->info.type); - } - for (i = 0; i < net_list->count6; i++) - { - six = net_list->pnetwork6[i]->range_min; - NetworkSetManager::ntoh_ipv6(&six); - p = inet_ntop(AF_INET6, (struct in6_addr*)&six, inet_buffer, sizeof(inet_buffer)); - six = net_list->pnetwork6[i]->range_max; - NetworkSetManager::ntoh_ipv6(&six); - p2 = inet_ntop(AF_INET6, (struct in6_addr*)&six, inet_buffer2, sizeof(inet_buffer2)); - LogMessage(" %s%s-%s %04X\n", (net_list->pnetwork6[i]->info.ip_not) ? "!" : - "", - p ? p : "ERROR", - p2 ? 
p2 : "ERROR", net_list->pnetwork6[i]->info.type); - } - } -#endif - - LogMessage(" Excluded TCP Ports for Src:\n"); - for (i = 0; i < APP_ID_PORT_ARRAY_SIZE; i++) - display_port_exclusion_list(tcp_port_exclusions_src[i], i); - - LogMessage(" Excluded TCP Ports for Dst:\n"); - for (i = 0; i < APP_ID_PORT_ARRAY_SIZE; i++) - display_port_exclusion_list(tcp_port_exclusions_dst[i], i); - - LogMessage(" Excluded UDP Ports Src:\n"); - for (i = 0; i < APP_ID_PORT_ARRAY_SIZE; i++) - display_port_exclusion_list(udp_port_exclusions_src[i], i); - - LogMessage(" Excluded UDP Ports Dst:\n"); - for (i = 0; i < APP_ID_PORT_ARRAY_SIZE; i++) - display_port_exclusion_list(udp_port_exclusions_dst[i], i); } void AppIdConfig::display_port_config() diff --git a/src/network_inspectors/appid/appid_config.h b/src/network_inspectors/appid/appid_config.h index a29383567..e6f2a52eb 100644 --- a/src/network_inspectors/appid/appid_config.h +++ b/src/network_inspectors/appid/appid_config.h @@ -61,9 +61,6 @@ public: AppIdModuleConfig() = default; ~AppIdModuleConfig(); -#ifdef USE_RNA_CONFIG - const char* conf_file = nullptr; -#endif // FIXIT-L: DECRYPT_DEBUG - Move this to ssl-module #ifdef REG_TEST // To manually restart appid detection for an SSL-decrypted flow (single session only), 
@@ -113,24 +110,16 @@ typedef std::array AppIdPortExclusions; class AppIdConfig { public: - AppIdConfig(AppIdModuleConfig*); - ~AppIdConfig(); + AppIdConfig(AppIdModuleConfig* config) : mod_config(config) + { } bool init_appid(snort::SnortConfig*); static void pterm(); - void cleanup(); void show(); - void set_safe_search_enforcement(bool enabled); AppId get_port_service_id(IpProtocol, uint16_t port); AppId get_protocol_service_id(IpProtocol); unsigned max_service_info = 0; -#ifdef USE_RNA_CONFIG - unsigned net_list_count = 0; - NetworkSet* net_list_list = nullptr; - NetworkSet* net_list = nullptr; - std::array net_list_by_zone; -#endif //FIXIT-L remove static when reload is supported (once flag removed) static std::array tcp_port_only; // port-only TCP services @@ -139,21 +128,11 @@ public: SF_LIST client_app_args; // List of Client App arguments // for each potential port, an sflist of PortExclusion structs - AppIdPortExclusions tcp_port_exclusions_src; - AppIdPortExclusions udp_port_exclusions_src; - AppIdPortExclusions tcp_port_exclusions_dst; - AppIdPortExclusions udp_port_exclusions_dst; AppIdModuleConfig* mod_config = nullptr; unsigned appIdPolicyId = 53; private: void read_port_detectors(const char* files); - void configure_analysis_networks(char* toklist[], uint32_t flag); - int add_port_exclusion(AppIdPortExclusions&, const snort::ip::snort_in6_addr* ip, - const snort::ip::snort_in6_addr* netmask, int family, uint16_t port); - void process_port_exclusion(char* toklist[]); - void process_config_directive(char* toklist[], int /* reload */); - int load_analysis_config(const char* config_file, int reload, int instance_id); void display_port_config(); // FIXIT-M: RELOAD - Remove static, once app_info_mgr cleanup is // removed from AppIdConfig::pterm diff --git a/src/network_inspectors/appid/appid_discovery.cc b/src/network_inspectors/appid/appid_discovery.cc index 36c4c46e9..91c747af1 100644 --- a/src/network_inspectors/appid/appid_discovery.cc 
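Review bot: The constructor added here, `AppIdConfig(AppIdModuleConfig* config) : mod_config(config) { }`, is a single-argument constructor without `explicit`, so an `AppIdModuleConfig*` converts to an `AppIdConfig` implicitly; the declaration it replaces had the same gap, but since the constructor is being rewritten anyway, `explicit AppIdConfig(AppIdModuleConfig* config) : mod_config(config) { }` closes it at no cost. Separately, the `AppIdPortExclusions` typedef shown as hunk context seems to lose its last users in this header with the `@@ -139` hunk (the four `*_port_exclusions_*` members and `add_port_exclusion`); if nothing outside this header still names it, the typedef and any `PortExclusion`/`NetworkSet` declarations it depended on are now dead and belong in the same cleanup.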
+++ b/src/network_inspectors/appid/appid_discovery.cc
@@ -40,7 +40,6 @@
 #include "appid_inspector.h"
 #include "appid_session.h"
 #include "appid_utils/ip_funcs.h"
-#include "appid_utils/network_set.h"
 #include "client_plugins/client_discovery.h"
 #include "detector_plugins/detector_dns.h"
 #include "detector_plugins/http_url_patterns.h"
@@ -174,129 +173,28 @@ void AppIdDiscovery::publish_appid_event(AppidChangeBits& change_bits, Flow* flo } } -static inline int match_pe_network(const SfIp* pktAddr, const PortExclusion* pe) -{ - const uint32_t* pkt = pktAddr->get_ip6_ptr(); - const uint32_t* nm = pe->netmask.u6_addr32; - const uint32_t* peIP = pe->ip.u6_addr32; - return (((pkt[0] & nm[0]) == peIP[0]) - && ((pkt[1] & nm[1]) == peIP[1]) - && ((pkt[2] & nm[2]) == peIP[2]) - && ((pkt[3] & nm[3]) == peIP[3])); -} - -static inline int check_port_exclusion(const Packet* pkt, bool reversed, AppIdInspector& inspector) -{ - AppIdPortExclusions* src_port_exclusions; - AppIdPortExclusions* dst_port_exclusions; - SF_LIST* pe_list; - PortExclusion* pe; - const SfIp* s_ip; - AppIdConfig* config = inspector.get_appid_config(); - - if ( pkt->is_tcp() ) - { - src_port_exclusions = &config->tcp_port_exclusions_src; - dst_port_exclusions = &config->tcp_port_exclusions_dst; - } - else if ( pkt->is_udp() ) - { - src_port_exclusions = &config->udp_port_exclusions_src; - dst_port_exclusions = &config->udp_port_exclusions_dst; - } - else - return 0; - - /* check the source port */ - uint16_t port = reversed ? pkt->ptrs.dp : pkt->ptrs.sp; - if ( port && (pe_list = (*src_port_exclusions)[port]) != nullptr ) - { - s_ip = reversed ? pkt->ptrs.ip_api.get_dst() : pkt->ptrs.ip_api.get_src(); - - SF_LNODE* node; - - /* walk through the list of port exclusions for this port */ - for ( pe = (PortExclusion*)sflist_first(pe_list, &node); - pe; - pe = (PortExclusion*)sflist_next(&node) ) - { - if ( match_pe_network(s_ip, pe)) - return 1; - } - } - - /* check the dest port */ - port = reversed ? pkt->ptrs.sp : pkt->ptrs.dp; - if ( port && (pe_list = (*dst_port_exclusions)[port]) != nullptr ) - { - s_ip = reversed ? 
pkt->ptrs.ip_api.get_src() : pkt->ptrs.ip_api.get_dst(); - - SF_LNODE* node; - /* walk through the list of port exclusions for this port */ - for ( pe = (PortExclusion*)sflist_first(pe_list, &node); - pe; - pe = (PortExclusion*)sflist_next(&node) ) - { - if ( match_pe_network(s_ip, pe)) - return 1; - } - } - - return 0; -} - static inline unsigned get_ipfuncs_flags(const Packet* p, bool dst) { const SfIp* sf_ip; - unsigned flags; - int32_t zone; -#ifdef USE_RNA_CONFIG - NSIPv6Addr ip6; - NetworkSet* net_list; - AppIdConfig* config = AppIdInspector::get_inspector()->get_appid_config(); -#endif if (!dst) { - zone = p->pkth->ingress_group; sf_ip = p->ptrs.ip_api.get_src(); } else { - zone = (p->pkth->egress_index == DAQ_PKTHDR_UNKNOWN) ? + int32_t zone = (p->pkth->egress_index == DAQ_PKTHDR_UNKNOWN) ? p->pkth->ingress_group : p->pkth->egress_group; if (zone == DAQ_PKTHDR_FLOOD) return 0; sf_ip = p->ptrs.ip_api.get_dst(); } -#ifdef USE_RNA_CONFIG - if (zone >= 0 && zone < MAX_ZONES && config->net_list_by_zone[zone]) - net_list = config->net_list_by_zone[zone]; - else - net_list = config->net_list; - - if ( sf_ip->is_ip4() ) - { - if (sf_ip->get_ip4_value() == 0xFFFFFFFF) - return IPFUNCS_CHECKED; - NetworkSetManager::contains_ex(net_list, ntohl(sf_ip->get_ip4_value()), &flags); - } - else - { - memcpy(&ip6, sf_ip->get_ip6_ptr(), sizeof(ip6)); - NetworkSetManager::ntoh_ipv6(&ip6); - NetworkSetManager::contains6_ex(net_list, &ip6, &flags); - } -#else - UNUSED(zone); if (sf_ip->is_ip4() && sf_ip->get_ip4_value() == 0xFFFFFFFF) return IPFUNCS_CHECKED; - // FIXIT-M Defaulting to checking everything everywhere until RNA config is reimplemented - flags = IPFUNCS_HOSTS_IP | IPFUNCS_USER_IP | IPFUNCS_APPLICATION; -#endif - return flags | IPFUNCS_CHECKED; + // FIXIT-M Defaulting to checking everything everywhere until RNA config is reimplemented + return IPFUNCS_HOSTS_IP | IPFUNCS_USER_IP | IPFUNCS_APPLICATION | IPFUNCS_CHECKED; } static inline bool 
is_special_session_monitored(const Packet* p) @@ -362,22 +260,6 @@ static bool set_network_attributes(AppIdSession* asd, Packet* p, IpProtocol& pro static bool is_packet_ignored(AppIdSession* asd, Packet* p, AppidSessionDirection direction) { -#ifdef REMOVED_WHILE_NOT_IN_USE - bool is_http2 = false; // FIXIT-M _dpd.streamAPI->is_session_http2(p->flow); - - if (is_http2) - { - if (asd) - asd->is_http2 = true; - if ( !p->is_rebuilt() ) - { - // For HTTP/2, only examine packets that have been rebuilt as HTTP/1 packets. - appid_stats.ignored_packets++; - return true; - } - } - else -#endif if ( p->is_rebuilt() && !p->flow->is_proxied() ) { // FIXIT-M: In snort2x, a rebuilt packet was ignored whether it had a session or not. @@ -407,8 +289,7 @@ static bool is_packet_ignored(AppIdSession* asd, Packet* p, AppidSessionDirectio return false; } -static uint64_t is_session_monitored(const AppIdSession& asd, const Packet* p, AppidSessionDirection dir, - AppIdInspector& inspector) +static uint64_t is_session_monitored(const AppIdSession& asd, const Packet* p, AppidSessionDirection dir) { uint64_t flags; uint64_t flow_flags = APPID_SESSION_DISCOVER_APP; @@ -420,13 +301,6 @@ static uint64_t is_session_monitored(const AppIdSession& asd, const Packet* p, A // accordingly if ( asd.common.policyId != asd.config->appIdPolicyId ) { - if ( check_port_exclusion(p, dir == APP_ID_FROM_RESPONDER, inspector) ) - { - flow_flags |= APPID_SESSION_INITIATOR_CHECKED | APPID_SESSION_RESPONDER_CHECKED; - flow_flags &= ~(APPID_SESSION_INITIATOR_MONITORED | - APPID_SESSION_RESPONDER_MONITORED); - return flow_flags; - } if (dir == APP_ID_FROM_INITIATOR) { if (asd.get_session_flags(APPID_SESSION_INITIATOR_CHECKED)) 
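Review bot: In `get_ipfuncs_flags`, now that `zone` is scoped to the `dst` branch, the only thing the `if (!dst) / else` still does in both arms is assign `sf_ip`, which is left uninitialized at its declaration and set later; a guard for the flood case followed by a single initialized declaration reads more directly and keeps the early return visible. The IPv4 broadcast check and the FIXIT-M default return are unchanged by this restructuring, and the function is fully contained in the hunk.
```cpp
static inline unsigned get_ipfuncs_flags(const Packet* p, bool dst)
{
    if (dst)
    {
        const int32_t zone = (p->pkth->egress_index == DAQ_PKTHDR_UNKNOWN) ?
            p->pkth->ingress_group : p->pkth->egress_group;
        if (zone == DAQ_PKTHDR_FLOOD)
            return 0;
    }

    const SfIp* sf_ip = dst ? p->ptrs.ip_api.get_dst() : p->ptrs.ip_api.get_src();
    // … unchanged: IPv4 broadcast check and the FIXIT-M default return …
}
```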
@@ -537,17 +411,12 @@ static uint64_t is_session_monitored(const AppIdSession& asd, const Packet* p, A return flow_flags; } -static uint64_t is_session_monitored(const Packet* p, AppidSessionDirection dir, - AppIdInspector& inspector) +static uint64_t is_session_monitored(const Packet* p, AppidSessionDirection dir) { uint64_t flags; uint64_t flow_flags = APPID_SESSION_DISCOVER_APP; - if ( check_port_exclusion(p, false, inspector) ) - { - flow_flags |= APPID_SESSION_INITIATOR_CHECKED | APPID_SESSION_RESPONDER_CHECKED; - } - else if (dir == APP_ID_FROM_INITIATOR) + if (dir == APP_ID_FROM_INITIATOR) { flags = get_ipfuncs_flags(p, false); flow_flags |= APPID_SESSION_INITIATOR_CHECKED; @@ -603,9 +472,9 @@ bool AppIdDiscovery::handle_unmonitored_session(AppIdSession* asd, const Packet* uint64_t& flow_flags) { if (asd) - flow_flags = is_session_monitored(*asd, p, dir, inspector); + flow_flags = is_session_monitored(*asd, p, dir); else - flow_flags = is_session_monitored(p, dir, inspector); + flow_flags = is_session_monitored(p, dir); if ( flow_flags & (APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED) ) return false; diff --git a/src/network_inspectors/appid/appid_inspector.cc b/src/network_inspectors/appid/appid_inspector.cc index 93f61e0d2..8436d6ee5 100644 --- a/src/network_inspectors/appid/appid_inspector.cc +++ b/src/network_inspectors/appid/appid_inspector.cc @@ -127,11 +127,6 @@ bool AppIdInspector::configure(SnortConfig* sc) } return true; - - // FIXIT-M some of this stuff may be needed in some fashion... -#ifdef REMOVED_WHILE_NOT_IN_USE - _dpd.registerSslAppIdLookup(sslAppGroupIdLookup); -#endif } void AppIdInspector::show(SnortConfig*) diff --git a/src/network_inspectors/appid/appid_module.cc b/src/network_inspectors/appid/appid_module.cc index 1336a7dec..99f361c5b 100644 --- a/src/network_inspectors/appid/appid_module.cc +++ b/src/network_inspectors/appid/appid_module.cc 
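Review bot: With the `check_port_exclusion` branch gone, the `if (dir == APP_ID_FROM_INITIATOR)` path here (and the matching removal in the `@@ -420` hunk for the session overload) sends every TCP/UDP flow to `get_ipfuncs_flags`, which after this commit marks all non-broadcast, non-flood addresses as monitored. Because the exclusion lists were only filled by `load_analysis_config`, itself under `USE_RNA_CONFIG`, this is a behaviour change only for builds that defined that macro, but for those it is more than dead-code removal, and nothing in the commit message or a docs/ChangeLog file records that `portexclusion` handling and the `conf` module parameter (appid_module.cc hunk) are gone. A one-line entry such as `appid: removed the unused "conf" parameter and RNA-style port exclusions; all flows are now monitored` would make it discoverable; configs that still set `conf` will presumably be rejected by parameter validation at startup rather than silently ignored, which is the loud failure you want. The rest of `is_session_monitored` continues outside the hunk.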
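Review bot: After this call-site change neither overload of `is_session_monitored` accepts the inspector, so the `inspector` that `handle_unmonitored_session` used to forward is no longer consumed at either call. If `inspector` is a parameter of `handle_unmonitored_session` (its signature is cut off in the hunk header and the function starts outside the hunk) and these were its only uses, that parameter is now dead and should be dropped, or left unnamed as `AppIdInspector& /* inspector */` until callers are updated, so `-Wunused-parameter` builds stay clean.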
@@ -55,10 +55,6 @@ THREAD_LOCAL AppIdStats appid_stats; static const Parameter s_params[] = { -#ifdef USE_RNA_CONFIG - { "conf", Parameter::PT_STRING, nullptr, nullptr, - "RNA configuration file" }, // FIXIT-L eliminate reference to "RNA" -#endif // FIXIT-L: DECRYPT_DEBUG - Move this to ssl-module #ifdef REG_TEST { "first_decrypted_packet_debug", Parameter::PT_INT, "0:max32", "0", @@ -249,11 +245,6 @@ const AppIdModuleConfig* AppIdModule::get_data() bool AppIdModule::set(const char* fqn, Value& v, SnortConfig* c) { -#ifdef USE_RNA_CONFIG - if ( v.is("conf") ) - config->conf_file = snort_strdup(v.get_string()); - else -#endif // FIXIT-L: DECRYPT_DEBUG - Move this to ssl-module #ifdef REG_TEST if ( v.is("first_decrypted_packet_debug") ) diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index bb1b81fe6..8b08e9ced 100644 --- a/src/network_inspectors/appid/appid_session.cc +++ b/src/network_inspectors/appid/appid_session.cc @@ -44,7 +44,6 @@ #include "appid_http_session.h" #include "appid_inspector.h" #include "appid_stats.h" -#include "appid_utils/ip_funcs.h" #include "lua_detector_api.h" #include "service_plugins/service_ssl.h" #ifdef ENABLE_APPID_THIRD_PARTY diff --git a/src/network_inspectors/appid/appid_utils/ip_funcs.cc b/src/network_inspectors/appid/appid_utils/ip_funcs.cc deleted file mode 100644 index 4b0d28ce6..000000000 --- a/src/network_inspectors/appid/appid_utils/ip_funcs.cc +++ /dev/null 
@@ -1,267 +0,0 @@ -//-------------------------------------------------------------------------- -// Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved. -// Copyright (C) 2005-2013 Sourcefire, Inc. -// -// This program is free software; you can redistribute it and/or modify it -// under the terms of the GNU General Public License Version 2 as published -// by the Free Software Foundation. You may not use, modify or distribute -// this program under any other version of the GNU General Public License. -// -// This program is distributed in the hope that it will be useful, but -// WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -//-------------------------------------------------------------------------- - -// ip_funcs.cc author Sourcefire Inc. - -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - -#include "ip_funcs.h" - -#ifdef USE_RNA_CONFIG - -#include -#include "log/messages.h" -#include "utils/util.h" - -// FIXIT-L - These utility functions should probably go in the shared src/utils/ instead of just -// appid if they are truly generic. 
- -// convert tabs to space, convert new line or carriage return to null -// and stop returning the length of the converted string -static int strip(char* data) -{ - int size; - char* idx; - - idx = data; - size = 0; - - while (*idx) - { - if ((*idx == '\n') || (*idx == '\r')) - { - *idx = 0; - break; - } - if (*idx == '\t') - { - *idx = ' '; - } - size++; - idx++; - } - - return size; -} - -// split string pointed to by 'data' into tokens based on the set of delimiters -// defined by the 'separator string, return number of tokens -static int split(char* data, char** toklist, int max_toks, const char* separator) -{ - char** ap; - int argcount = 0; - - memset(toklist, 0, max_toks * sizeof(*toklist)); - for (ap = (char**)toklist; - ap < &toklist[max_toks] && (*ap = strsep(&data, separator)) != nullptr; ) - { - if (**ap != '\0') - { - ap++; - argcount++; - } - } - - return argcount; -} - -RNAIpAddrSet* ParseIpCidr(char* ipstring, uint32_t* netmasks) -{ - char* toks[2]; - int num_toks; - RNAIpAddrSet* ias; - char* cp; - struct in_addr ia; - - if (ipstring == nullptr) - return nullptr; - - ias = (RNAIpAddrSet*)snort_calloc(sizeof(RNAIpAddrSet)); - strip(ipstring); - cp = ipstring; - if (*cp == 'h') - { - ias->addr_flags |= IPFUNCS_HOSTS_IP; - cp++; - } - - if (*cp == 's') - { - ias->addr_flags |= IPFUNCS_APPLICATION; - cp++; - } - - if (*cp == '!') - { - ias->addr_flags |= IPFUNCS_EXCEPT_IP; - cp++; - } - - if (!strcasecmp(ipstring, "any")) - { - ias->range_max = ~0; - return ias; - } - - num_toks = split(cp, toks, 2, "/"); - - if (inet_pton(AF_INET, toks[0], &ia) <= 0) - { - ErrorMessage("IPFunctions: %s failed to translate", toks[0]); - snort_free(ias); - return nullptr; - } - - ias->range_min = ntohl(ia.s_addr); - - if (num_toks > 1) - { - ias->netmask = (unsigned)strtoul(toks[1], nullptr, 0); - - if (ias->netmask < 32) - { - ias->netmask_mask = netmasks[ias->netmask]; - ias->range_min &= ias->netmask_mask; - ias->range_max = ias->range_min + ~ias->netmask_mask; - } 
- else - { - ias->netmask = 32; - ias->netmask_mask = netmasks[ias->netmask]; - ias->range_min &= ias->netmask_mask; - ias->range_max = ias->range_min; - } - } - else - { - ias->netmask = 32; - ias->netmask_mask = netmasks[ias->netmask]; - ias->range_min &= ias->netmask_mask; - ias->range_max = ias->range_min; - } - - return ias; -} - -RNAIpv6AddrSet* ParseIpv6Cidr(char* ipstring) -{ - char* toks[2]; - int num_toks; - RNAIpv6AddrSet* ias; - char* cp; - struct in6_addr ia; - - if (ipstring == nullptr) - return nullptr; - - ias = (RNAIpv6AddrSet*)snort_calloc(sizeof(*ias)); - strip(ipstring); - cp = ipstring; - if (*cp == 'h') - { - ias->addr_flags |= IPFUNCS_HOSTS_IP; - cp++; - } - - if (*cp == 's') - { - ias->addr_flags |= IPFUNCS_APPLICATION; - cp++; - } - - if (*cp == '!') - { - ias->addr_flags |= IPFUNCS_EXCEPT_IP; - cp++; - } - - if (!strcasecmp(ipstring, "any")) - { - ias->range_max.lo = ULLONG_MAX; - ias->range_max.hi = ULLONG_MAX; - return ias; - } - - num_toks = split(cp, toks, 2, "/"); - - if (inet_pton(AF_INET6, toks[0], &ia) <= 0) - { - ErrorMessage("IPFunctions: %s failed to translate", toks[0]); - snort_free(ias); - return nullptr; - } - memcpy(&ias->range_min, (const void*)&ia, sizeof(ias->range_min)); - NetworkSetManager::ntoh_ipv6(&ias->range_min); - - if (num_toks > 1) - { - ias->netmask = (unsigned)strtoul(toks[1], nullptr, 0); - - /* Convert cidr to netmask */ - if (!ias->netmask) - { - ias->range_max.hi = ULLONG_MAX; - ias->range_max.lo = ULLONG_MAX; - } - else if (ias->netmask < 64) - { - ias->netmask_mask.hi = ULLONG_MAX << (64 - ias->netmask); - ias->range_min.hi &= ias->netmask_mask.hi; - ias->range_min.lo = 0; - ias->range_max.hi = ias->range_min.hi + ~ias->netmask_mask.hi; - ias->range_max.lo = ULLONG_MAX; - } - else if (ias->netmask == 64) - { - ias->netmask_mask.hi = ULLONG_MAX; - ias->range_min.hi &= ias->netmask_mask.hi; - ias->range_min.lo = 0; - ias->range_max.hi = ias->range_min.hi + ~ias->netmask_mask.hi; - ias->range_max.lo = 
ULLONG_MAX; - } - else if (ias->netmask < 128) - { - ias->netmask_mask.hi = ULLONG_MAX; - ias->netmask_mask.lo = ULLONG_MAX << (128 - ias->netmask); - ias->range_min.lo &= ias->netmask_mask.lo; - ias->range_max.hi = ias->range_min.hi; - ias->range_max.lo = ias->range_min.lo + ~ias->netmask_mask.lo; - } - else - { - ias->netmask_mask.hi = ULLONG_MAX; - ias->netmask_mask.lo = ULLONG_MAX; - ias->range_max = ias->range_min; - } - } - else - { - ias->netmask = 128; - ias->netmask_mask.lo = ULLONG_MAX; - ias->netmask_mask.hi = ULLONG_MAX; - ias->range_max = ias->range_min; - } - - return ias; -} - -#endif - diff --git a/src/network_inspectors/appid/appid_utils/ip_funcs.h b/src/network_inspectors/appid/appid_utils/ip_funcs.h index cf28d840e..d4d130f54 100644 --- a/src/network_inspectors/appid/appid_utils/ip_funcs.h +++ b/src/network_inspectors/appid/appid_utils/ip_funcs.h @@ -22,13 +22,6 @@ #ifndef IP_FUNCS_H #define IP_FUNCS_H -#include -#include - -#include "sfip/sf_ip.h" - -#include "network_set.h" - #define IPFUNCS_EXCEPT_IP 0x01 #define IPFUNCS_SECONDARY_IP 0x02 #define IPFUNCS_USER_IP 0x04 
@@ -36,50 +29,4 @@ #define IPFUNCS_APPLICATION 0x10 #define IPFUNCS_CHECKED 0x80000000 -#ifdef USE_RNA_CONFIG -struct RNAIpAddrSet -{ - uint32_t range_min; - uint32_t range_max; - uint32_t addr_flags; - unsigned netmask; - uint32_t netmask_mask; -}; - -RNAIpAddrSet* ParseIpCidr(char*, uint32_t*); - -struct RNAIpv6AddrSet -{ - NSIPv6Addr range_min; - NSIPv6Addr range_max; - uint32_t addr_flags; - unsigned netmask; - NSIPv6Addr netmask_mask; -}; - -RNAIpv6AddrSet* ParseIpv6Cidr(char*); - -inline void copyIpv4ToIpv6Network(ip::snort_in6_addr* keyIp, const uint32_t ip) -{ - keyIp->u6_addr32[0] = keyIp->u6_addr32[1] = 0; - keyIp->u6_addr16[4] = 0; - keyIp->u6_addr16[5] = 0xFFFF; - keyIp->u6_addr32[3] = ip; -} - -//these functions are needed since snort does not store IPv4 address in highest 4 bytes -//of 16 byte ip. -inline void copySnortIpToIpv6Network(ip::snort_in6_addr* keyIp, const SfIp* snortIp) -{ - memcpy(keyIp, snortIp->get_ip6_ptr(), sizeof(*keyIp)); -} - -inline int cmpSnortIpToHostKey(const ip::snort_in6_addr* keyIp, const SfIp* snortIp) -{ - return memcmp(keyIp, snortIp->get_ip6_ptr(), sizeof(*keyIp)); -} - #endif - -#endif - diff --git a/src/network_inspectors/appid/appid_utils/network_set.cc b/src/network_inspectors/appid/appid_utils/network_set.cc deleted file mode 100644 index 84753b57d..000000000 --- a/src/network_inspectors/appid/appid_utils/network_set.cc +++ /dev/null 
@@ -1,1136 +0,0 @@ -//-------------------------------------------------------------------------- -// Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved. -// Copyright (C) 2005-2013 Sourcefire, Inc. -// -// This program is free software; you can redistribute it and/or modify it -// under the terms of the GNU General Public License Version 2 as published -// by the Free Software Foundation. You may not use, modify or distribute -// this program under any other version of the GNU General Public License. -// -// This program is distributed in the hope that it will be useful, but -// WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -//-------------------------------------------------------------------------- - -// network_set.cc author Sourcefire Inc. 
- -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - -#include "network_set.h" - -#ifdef USE_RNA_CONFIG - -#include - -#include "log/messages.h" -#include "utils/util.h" - -int NetworkSetManager::create(NetworkSet** network_set) -{ - if (!network_set) - return -1; - - NetworkSet* tmp = (NetworkSet*)snort_calloc(sizeof(NetworkSet)); - sflist_init(&tmp->networks); - sflist_init(&tmp->networks6); - *network_set = tmp; - return 0; -} - -int NetworkSetManager::destroy(NetworkSet* network_set) -{ - if (!network_set) - return -1; - - if (network_set->pnetwork) - { - snort_free(network_set->pnetwork); - network_set->pnetwork = nullptr; - } - sflist_static_free_all(&network_set->networks, &snort_free); - network_set->ids.clear(); - if (network_set->pnetwork6) - { - snort_free(network_set->pnetwork6); - network_set->pnetwork6 = nullptr; - } - sflist_static_free_all(&network_set->networks6, &snort_free); - network_set->ids6.clear(); - snort_free(network_set); - - return 0; -} - -int NetworkSetManager::add_network_range_ex(NetworkSet* network_set, uint32_t range_min, - uint32_t range_max, unsigned cidr_bits, int ip_not, unsigned id, unsigned type) -{ - if (!network_set) - return -1; - - Network* network = (Network*)snort_calloc(sizeof(Network)); - network->info.id = id; - network->info.ip_not = ip_not; - network->info.type = type; - network->info.netmask = cidr_bits; - if (range_min <= range_max) - { - network->range_min = range_min; - network->range_max = range_max; - } - else - { - network->range_min = range_max; - network->range_max = range_min; - } - - if (!network->info.ip_not) - { - SF_LNODE* iter = nullptr; - - for (Network* iNetwork = (Network*)sflist_first(&network_set->networks, &iter); - iNetwork; - iNetwork = (Network*)sflist_next(&iter)) - { - if (iNetwork->info.id == network->info.id && - iNetwork->range_min == network->range_min && - iNetwork->range_max == network->range_max) - { - iNetwork->info.type |= network->info.type; - snort_free(network); - return 0; - 
} - } - } - - sflist_add_tail(&network_set->networks, (void*)network); - if (network_set->ids.emplace(network->info.id).second == false) - { - ErrorMessage("NetworkSet: Failed to add id %u\n", network->info.id); - return -1; - } - - return 0; -} - -int NetworkSetManager::add_network_range(NetworkSet* network_set, uint32_t range_min, - uint32_t range_max, unsigned cidr_bits, int ip_not, unsigned id) -{ - return add_network_range_ex(network_set, range_min, range_max, cidr_bits, ip_not, id, - 0); -} - -int NetworkSetManager::add_network_range6(NetworkSet* network_set, NSIPv6Addr* range_min, - NSIPv6Addr* range_max, unsigned cidr_bits, int ip_not, unsigned id, unsigned type) -{ - if (!network_set) - return -1; - - Network6* network = (Network6*)snort_calloc(sizeof(Network6)); - network->info.id = id; - network->info.ip_not = ip_not; - network->info.type = type; - network->info.netmask = cidr_bits; - if (compare_ipv6_address(range_min, range_max) <= 0) - { - network->range_min = *range_min; - network->range_max = *range_max; - } - else - { - network->range_min = *range_max; - network->range_max = *range_min; - } - - if (!network->info.ip_not) - { - SF_LNODE* iter = nullptr; - - for (Network6* iNetwork = (Network6*)sflist_first(&network_set->networks6, &iter); - iNetwork; - iNetwork = (Network6*)sflist_next(&iter)) - { - if (iNetwork->info.id == network->info.id && - !compare_ipv6_address(&iNetwork->range_min, &network->range_min) && - !compare_ipv6_address(&iNetwork->range_max, &network->range_max)) - { - iNetwork->info.type |= network->info.type; - snort_free(network); - return 0; - } - } - } - - sflist_add_tail(&network_set->networks6, (void*)network); - if (network_set->ids6.emplace(network->info.id).second == false) - { - ErrorMessage("NetworkSet: Failed to add IPv6 id %u\n", network->info.id); - return -1; - } - - return 0; -} - -int NetworkSetManager::add_network_range6(NetworkSet* network_set, NSIPv6Addr* range_min, - NSIPv6Addr* range_max, unsigned cidr_bits, 
int ip_not, unsigned id) -{ - return add_network_range6(network_set, range_min, range_max, cidr_bits, ip_not, id, - 0); -} - -int NetworkSetManager::add_network_range_only_ipv6( - NetworkSet* network_set, int ip_not, unsigned id, unsigned type) -{ - // Use two ranges to represent all of IPv6, excluding the IPv4-mapped range, ::FFFF:*.*.*.* - NSIPv6Addr range_min, range_max; - range_min.lo = 0; - range_min.hi = 0; - range_max.lo = 0x0000FFFEFFFFFFFFULL; // 0x0000FFFF00000000 - 1 - range_max.hi = 0; - int rval = add_network_range6(network_set, &range_min, &range_max, 0, ip_not, id, type); - range_min.lo = 0x0001000000000000ULL; // 0x0000FFFFFFFFFFFF + 1 - range_min.hi = 0; - range_max.lo = 0xFFFFFFFFFFFFFFFFULL; - range_max.hi = 0xFFFFFFFFFFFFFFFFULL; - return rval ? rval : add_network_range6(network_set, &range_min, &range_max, 0, - ip_not, id, type); -} - -int NetworkSetManager::add_cidr_block_ex(NetworkSet* network_set, uint32_t ip, - unsigned cidr_bits, int ip_not, unsigned id, unsigned type) -{ - if (cidr_bits > 32) - return -1; - - uint32_t mask = (cidr_bits == 0) ? 
0 : 0xffffffff << (32 - cidr_bits); - uint32_t range_min = ip & mask; - uint32_t range_max = range_min + ~mask; - return add_network_range_ex(network_set, range_min, range_max, cidr_bits, - ip_not, id, type); -} - -int NetworkSetManager::add_cidr_block(NetworkSet* network_set, uint32_t ip, - unsigned cidr_bits, int ip_not, unsigned id) -{ - return add_cidr_block_ex(network_set, ip, cidr_bits, ip_not, id, 0); -} - -int NetworkSetManager::add_cidr_block6_ex(NetworkSet* network_set, NSIPv6Addr* ip, - unsigned cidr_bits, int ip_not, unsigned id, unsigned type) -{ - NSIPv6Addr mask; - - if (cidr_bits > 128) - return -1; - - /* Convert cidr to netmask */ - if (!cidr_bits) - { - mask.hi = 0; - mask.lo = 0; - } - else if (cidr_bits < 64) - { - mask.hi = ULLONG_MAX << (64 - cidr_bits); - mask.lo = 0; - } - else if (cidr_bits == 64) - { - mask.hi = ULLONG_MAX; - mask.lo = 0; - } - else - { - mask.hi = ULLONG_MAX; - mask.lo = ULLONG_MAX << (128 - cidr_bits); - } - - NSIPv6Addr range_min; - NSIPv6Addr range_max; - - range_min.lo = ip->lo & mask.lo; - range_min.hi = ip->hi & mask.hi; - range_max.lo = range_min.lo + ~mask.lo; - range_max.hi = range_min.hi + ~mask.hi; - return add_network_range6(network_set, &range_min, &range_max, cidr_bits, ip_not, - id, type); -} - -int NetworkSetManager::add_cidr_block6(NetworkSet* network_set, NSIPv6Addr* ip, - unsigned cidr_bits, int ip_not, unsigned id) -{ - return add_cidr_block6_ex(network_set, ip, cidr_bits, ip_not, id, 0); -} - -int NetworkSetManager::log_network_set(NetworkSet* network_set, const char* prefix, FILE* stream) -{ - SF_LNODE* iter = nullptr; - char min_ip[INET6_ADDRSTRLEN]; - char max_ip[INET6_ADDRSTRLEN]; - - if (!network_set) - return -1; - - if (!prefix) - prefix = ""; - - if (!stream) - stream = stdout; - - for (Network* network = (Network*)sflist_first(&network_set->networks, &iter); - network; - network = (Network*)sflist_next(&iter)) - { - struct in_addr four; - four.s_addr = htonl(network->range_min); - 
inet_ntop(AF_INET, &four, min_ip, sizeof(min_ip)); - four.s_addr = htonl(network->range_max); - inet_ntop(AF_INET, &four, max_ip, sizeof(max_ip)); - - /* check containment for this network */ - fprintf(stream, "%s%s%s-%s for %u with %08X\n", prefix, network->info.ip_not ? "!" : "", - min_ip, max_ip, network->info.id, network->info.type); - } - - for (Network6* network6 = (Network6*)sflist_first(&network_set->networks6, &iter); - network6; - network6 = (Network6*)sflist_next(&iter)) - { - NSIPv6Addr six = network6->range_min; - ntoh_ipv6(&six); - inet_ntop(AF_INET6, (struct in6_addr*)&six, min_ip, sizeof(min_ip)); - six = network6->range_max; - ntoh_ipv6(&six); - inet_ntop(AF_INET6, (struct in6_addr*)&six, max_ip, sizeof(max_ip)); - - /* check containment for this network */ - fprintf(stream, "%s%s%s-%s for %u with %08X\n", prefix, network6->info.ip_not ? "!" : "", - min_ip, max_ip, network6->info.id, network6->info.type); - } - - return 0; -} - -int NetworkSetManager::order_by_netmask(SF_LIST* ordered_networks, SF_LIST* networks, unsigned - id) -{ - SF_LNODE* node = nullptr; - NODE_DATA node_data; - - sflist_init(ordered_networks); - do - { - SF_LNODE* iter = nullptr; - - node_data = nullptr; - for (NSNetworkInfo* network = (NSNetworkInfo*)sflist_first(networks, &iter); - network; - network = (NSNetworkInfo*)sflist_next(&iter)) - { - if ( network->id == id && (node_data == nullptr || - network->netmask < ((NSNetworkInfo*)node_data)->netmask || - ( ( network->netmask == ((NSNetworkInfo*)node_data)->netmask) && - !network->ip_not ) ) ) - { - node_data = network; - node = iter; - } - } - - if (node_data) - { - sflist_add_tail(ordered_networks, node_data); - sflist_remove_node(networks, node); - } - } - while (node_data); - - return 0; -} - -int NetworkSetManager::add_network_list(SF_LIST* networks, SF_LIST* new_networks) -{ - void* network; - - while ((network = sflist_remove_head(new_networks))) - sflist_add_tail(networks, network); - - return 0; -} - -int 
NetworkSetManager::reduce_network_set(SF_LIST* networks) -{ - Network* ias; - Network* i_ias; - Network* new_ias; - uint32_t tmp; - bool changed; - SF_LIST reduced_networks; - - if (!sflist_count(networks)) - return 0; - - sflist_init(&reduced_networks); - while ( ( ias = (Network*)sflist_remove_head(networks) ) ) - { - SF_LNODE* iter = nullptr; - - /* ias is lowest in the list, so it takes precedence */ - if (ias->info.ip_not) - { - i_ias = (Network*)sflist_first(&reduced_networks, &iter); - while (i_ias) - { - changed = false; - - /* - i_ias ****** - ias *************** - */ - if (ias->range_min <= i_ias->range_min && ias->range_max >= i_ias->range_max) - { - sflist_remove_node(&reduced_networks, iter); - changed = true; - } - /* - i_ias ************ - ias *** - or - i_ias ************ - ias ************ - */ - else if (ias->range_min > i_ias->range_min && ias->range_min <= i_ias->range_max) - { - tmp = i_ias->range_max; - i_ias->range_max = ias->range_min - 1; - if (ias->range_max < tmp) - { - new_ias = (Network*)snort_calloc(sizeof(Network)); - *new_ias = *i_ias; - new_ias->range_min = ias->range_max + 1; - new_ias->range_max = tmp; - sflist_add_tail(&reduced_networks, new_ias); - changed = true; - } - } - /* - i_ias ************ - ias ************ - or - i_ias ************ - ias **** - */ - else if (ias->range_max >= i_ias->range_min && ias->range_max <= i_ias->range_max) - { - tmp = i_ias->range_min; - i_ias->range_min = ias->range_max + 1; - if (ias->range_min > tmp) - { - new_ias = (Network*)snort_calloc(sizeof(Network)); - *new_ias = *i_ias; - new_ias->range_min = tmp; - new_ias->range_max = ias->range_min - 1; - sflist_add_tail(&reduced_networks, new_ias); - changed = true; - } - } - - if (changed) - i_ias = (Network*)sflist_first(&reduced_networks, &iter); - else - i_ias = (Network*)sflist_next(&iter); - } - - snort_free(ias); - } - else - { - i_ias = (Network*)sflist_first(&reduced_networks, &iter); - while (i_ias) - { - changed = false; - if 
(ias->info.type == i_ias->info.type) - { - /* - i_ias ****** - ias *************** - */ - if (ias->range_min <= i_ias->range_min && ias->range_max >= i_ias->range_max) - { - sflist_remove_node(&reduced_networks, iter); - changed = true; - snort_free(i_ias); - i_ias = nullptr; - } - /* - i_ias *************** - ias ****** - */ - else if (i_ias->range_min <= ias->range_min && i_ias->range_max >= - ias->range_max) - { - ias->range_min = i_ias->range_min; - ias->range_max = i_ias->range_max; - sflist_remove_node(&reduced_networks, iter); - changed = true; - snort_free(i_ias); - i_ias = nullptr; - } - /* - i_ias ************ - ias ************ - */ - else if (ias->range_min > i_ias->range_min && ias->range_min <= - i_ias->range_max) - { - i_ias->range_max = ias->range_min - 1; - } - /* - i_ias ************ - ias ************ - */ - else if (ias->range_max >= i_ias->range_min && ias->range_max < - i_ias->range_max) - { - i_ias->range_min = ias->range_max + 1; - } - } - else /* different types */ - { - /* - i_ias ****** - ias ****** - */ - if (ias->range_min == i_ias->range_min && ias->range_max == i_ias->range_max) - { - i_ias->info.type = ias->info.type; - snort_free(ias); - ias = nullptr; - break; - } - /* - i_ias ****** - ias *************** - */ - else if (ias->range_min < i_ias->range_min && ias->range_max >= - i_ias->range_max) - { - sflist_remove_node(&reduced_networks, iter); - snort_free(i_ias); - i_ias = nullptr; - changed = true; - } - /* - i_ias ************ - ias *** - or - i_ias ************ - ias ************ - or - i_ias ************ - ias ****** - */ - else if (ias->range_min > i_ias->range_min && ias->range_min <= - i_ias->range_max) - { - tmp = i_ias->range_max; - i_ias->range_max = ias->range_min - 1; - if (ias->range_max < tmp) - { - new_ias = (Network*)snort_calloc(sizeof(Network)); - *new_ias = *i_ias; - new_ias->range_min = ias->range_max + 1; - new_ias->range_max = tmp; - sflist_add_tail(&reduced_networks, new_ias); - changed = true; - } - } - /* 
- i_ias ************ - ias ************ - or - i_ias ************ - ias **** - */ - else if (ias->range_max > i_ias->range_min && ias->range_max < - i_ias->range_max) - { - i_ias->range_min = ias->range_max + 1; - } - } - - if (changed) - i_ias = (Network*)sflist_first(&reduced_networks, &iter); - else - i_ias = (Network*)sflist_next(&iter); - } - - if (ias) - sflist_add_tail(&reduced_networks, ias); - } - } - - /* Minimize the ranges */ - SF_LNODE* outer_iter; - ias = (Network*)sflist_first(&reduced_networks, &outer_iter); - while (ias) - { - /* i_ias is lowest in the list, so it takes precedence */ - changed = false; - SF_LNODE* inner_iter = outer_iter; - - i_ias = (Network*)sflist_next(&inner_iter); - while ( i_ias ) - { - if (ias->info.type == i_ias->info.type) - { - /* - i_ias ************ - ias *** - */ - if (ias->range_min && (i_ias->range_max+1) == ias->range_min) - { - i_ias->range_max = ias->range_max; - sflist_remove_node(&reduced_networks, outer_iter); - snort_free(ias); - changed = true; - break; - } - /* - i_ias ************ - ias ***** - */ - else if (i_ias->range_min && (ias->range_max+1) == i_ias->range_min) - { - i_ias->range_min = ias->range_min; - sflist_remove_node(&reduced_networks, outer_iter); - snort_free(ias); - changed = true; - break; - } - } - - i_ias = (Network*)sflist_next(&inner_iter); - } - - if (changed) - ias = (Network*)sflist_first(&reduced_networks, &outer_iter); - else - ias = (Network*)sflist_next(&outer_iter); - } - - sflist_static_free_all(networks, &snort_free); - while ((ias = (Network*)sflist_remove_head(&reduced_networks))) - { - sflist_add_tail(networks, ias); - } - return 0; -} - -int NetworkSetManager::reduce_network_set6(SF_LIST* networks) -{ - Network6* ias; - Network6* i_ias; - Network6* new_ias; - NSIPv6Addr tmp; - NSIPv6Addr tmp2; - bool changed; - SF_LIST reduced_networks; - - if (!sflist_count(networks)) - return 0; - - sflist_init(&reduced_networks); - while ((ias = (Network6*)sflist_remove_head(networks))) - 
{ - SF_LNODE* iter = nullptr; - - /* ias is lowest in the list, so it takes precedence */ - if (ias->info.ip_not) - { - i_ias = (Network6*)sflist_first(&reduced_networks, &iter); - while (i_ias) - { - changed = false; - - /* - i_ias ****** - ias *************** - */ - if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) <= 0 && - compare_ipv6_address(&ias->range_max, &i_ias->range_max) >= 0) - { - sflist_remove_node(&reduced_networks, iter); - changed = true; - } - /* - i_ias ************ - ias *** - or - i_ias ************ - ias ************ - */ - else if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) > 0 && - compare_ipv6_address(&ias->range_min, &i_ias->range_max) <= 0) - { - tmp = i_ias->range_max; - i_ias->range_max = ias->range_min; - decrement_ipv6_addr(&i_ias->range_max); - if (compare_ipv6_address(&ias->range_max, &tmp) < 0) - { - new_ias = (Network6*)snort_calloc(sizeof(Network6)); - *new_ias = *i_ias; - new_ias->range_min = ias->range_max; - increment_ipv6_addr(&new_ias->range_min); - new_ias->range_max = tmp; - sflist_add_tail(&reduced_networks, new_ias); - changed = true; - } - } - /* - i_ias ************ - ias ************ - or - i_ias ************ - ias **** - */ - else if (compare_ipv6_address(&ias->range_max, &i_ias->range_min) >= 0 && - compare_ipv6_address(&ias->range_max, &i_ias->range_max) <= 0) - { - tmp = i_ias->range_min; - i_ias->range_min = ias->range_max; - increment_ipv6_addr(&i_ias->range_min); - if (compare_ipv6_address(&ias->range_min, &tmp) > 0) - { - new_ias = (Network6*)snort_calloc(sizeof(Network6)); - *new_ias = *i_ias; - new_ias->range_min = tmp; - new_ias->range_max = ias->range_min; - decrement_ipv6_addr(&new_ias->range_max); - sflist_add_tail(&reduced_networks, new_ias); - changed = true; - } - } - - if (changed) - i_ias = (Network6*)sflist_first(&reduced_networks, &iter); - else - i_ias = (Network6*)sflist_next(&iter); - } - snort_free(ias); - } - else - { - i_ias = 
(Network6*)sflist_first(&reduced_networks, &iter); - while (i_ias) - { - changed = false; - if (ias->info.type == i_ias->info.type) - { - /* - i_ias ****** - ias *************** - */ - if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) <= 0 && - compare_ipv6_address(&ias->range_max, &i_ias->range_max) >= 0) - { - sflist_remove_node(&reduced_networks, iter); - changed = true; - snort_free(i_ias); - i_ias = nullptr; - } - /* - i_ias *************** - ias ****** - */ - else if (compare_ipv6_address(&i_ias->range_min, &ias->range_min) <= 0 && - compare_ipv6_address(&i_ias->range_max, &ias->range_max) >= 0) - { - ias->range_min = i_ias->range_min; - ias->range_max = i_ias->range_max; - sflist_remove_node(&reduced_networks, iter); - changed = true; - snort_free(i_ias); - i_ias = nullptr; - } - /* - i_ias ************ - ias ************ - */ - else if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) > 0 && - compare_ipv6_address(&ias->range_min, &i_ias->range_max) <= 0) - { - i_ias->range_max = ias->range_min; - decrement_ipv6_addr(&i_ias->range_max); - } - /* - i_ias ************ - ias ************ - */ - else if (compare_ipv6_address(&ias->range_max, &i_ias->range_min) >= 0 && - compare_ipv6_address(&ias->range_max, &i_ias->range_max) < 0) - { - i_ias->range_min = ias->range_max; - increment_ipv6_addr(&i_ias->range_min); - } - } - else /* different types */ - { - /* - i_ias ****** - ias ****** - */ - if (!compare_ipv6_address(&ias->range_min, &i_ias->range_min) && - !compare_ipv6_address(&ias->range_max, &i_ias->range_max)) - { - i_ias->info.type = ias->info.type; - snort_free(ias); - ias = nullptr; - break; - } - /* - i_ias ****** - ias *************** - */ - else if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) < 0 && - compare_ipv6_address(&ias->range_max, &i_ias->range_max) >= 0) - { - sflist_remove_node(&reduced_networks, iter); - snort_free(i_ias); - i_ias = nullptr; - changed = true; - } - /* - i_ias ************ - ias *** - or - 
i_ias ************ - ias ************ - or - i_ias ************ - ias ****** - */ - else if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) > 0 && - compare_ipv6_address(&ias->range_min, &i_ias->range_max) <= 0) - { - tmp = i_ias->range_max; - i_ias->range_max = ias->range_min; - decrement_ipv6_addr(&i_ias->range_max); - if (compare_ipv6_address(&ias->range_max, &tmp) < 0) - { - new_ias = (Network6*)snort_calloc(sizeof(Network6)); - *new_ias = *i_ias; - new_ias->range_min = ias->range_max; - increment_ipv6_addr(&new_ias->range_min); - new_ias->range_max = tmp; - sflist_add_tail(&reduced_networks, new_ias); - changed = true; - } - } - /* - i_ias ************ - ias ************ - or - i_ias ************ - ias **** - */ - else if (compare_ipv6_address(&ias->range_max, &i_ias->range_min) > 0 && - compare_ipv6_address(&ias->range_max, &i_ias->range_max) < 0) - { - i_ias->range_min = ias->range_max; - increment_ipv6_addr(&i_ias->range_min); - } - } - - if (changed) - i_ias = (Network6*)sflist_first(&reduced_networks, &iter); - else - i_ias = (Network6*)sflist_next(&iter); - } - - if (ias) - sflist_add_tail(&reduced_networks, ias); - } - } - - /* Minimize the ranges */ - SF_LNODE* outer_iter; - ias = (Network6*)sflist_first(&reduced_networks, &outer_iter); - while (ias) - { - /* i_ias is lowest in the list, so it takes precedence */ - changed = false; - SF_LNODE* inner_iter = outer_iter; - i_ias = (Network6*)sflist_next(&inner_iter); - while ( i_ias ) - { - if (ias->info.type == i_ias->info.type) - { - /* - i_ias ************ - ias *** - */ - tmp = i_ias->range_max; - increment_ipv6_addr(&tmp); - tmp2 = ias->range_max; - increment_ipv6_addr(&tmp2); - if ((ias->range_min.lo || ias->range_min.hi) && - !compare_ipv6_address(&tmp, &ias->range_min)) - { - i_ias->range_max = ias->range_max; - sflist_remove_node(&reduced_networks, outer_iter); - snort_free(ias); - changed = true; - break; - } - /* - i_ias ************ - ias ***** - */ - else if ((i_ias->range_min.lo || 
i_ias->range_min.hi) && - !compare_ipv6_address(&tmp2, &i_ias->range_min)) - { - i_ias->range_min = ias->range_min; - sflist_remove_node(&reduced_networks, outer_iter); - snort_free(ias); - changed = true; - break; - } - } - - i_ias = (Network6*)sflist_next(&inner_iter); - } - - if (changed) - ias = (Network6*)sflist_first(&reduced_networks, &outer_iter); - else - ias = (Network6*)sflist_next(&outer_iter); - } - - sflist_static_free_all(networks, &snort_free); - while ((ias = (Network6*)sflist_remove_head(&reduced_networks))) - { - sflist_add_tail(networks, ias); - } - return 0; -} - -int NetworkSetManager::reduce(NetworkSet* network_set) -{ - int rval; - SF_LIST ordered_networks; - Network* network; - Network6* network6; - unsigned tmp; - int count; - - if (!network_set) - return -1; - - for (auto& id : network_set->ids) - { - if ((rval = order_by_netmask(&ordered_networks, &network_set->networks, id)) != 0) - { - sflist_free_all(&ordered_networks, &snort_free); - return rval; - } - if ((rval = reduce_network_set(&ordered_networks)) != 0) - { - sflist_free_all(&ordered_networks, &snort_free); - return rval; - } - if ((rval = add_network_list(&network_set->networks, &ordered_networks)) != 0) - { - sflist_free_all(&ordered_networks, &snort_free); - return rval; - } - } - if ((rval = reduce_network_set(&network_set->networks)) != 0) - { - sflist_free_all(&ordered_networks, &snort_free); - return rval; - } - - tmp = 0; - if ((rval = count4(network_set, &tmp)) != 0) - return rval; - - count = (int)tmp; - if (count > 0) - { - network_set->count = count; - if (network_set->pnetwork) - { - snort_free(network_set->pnetwork); - network_set->pnetwork = nullptr; - } - network_set->pnetwork = (Network**)snort_calloc(count * sizeof(Network*)); - SF_LNODE* iter = nullptr; - int k = 0; - for (network = (Network*)sflist_first(&network_set->networks, &iter); - network && k < count; - network = (Network*)sflist_next(&iter)) - { - network_set->pnetwork[k++] = network; - } - /* bubble 
sort this array */ - for (int i = (count - 1); i >= 0; i--) - { - for (int j = 1; j <= i; j++) - { - if (network_set->pnetwork[j - 1]->range_min > network_set->pnetwork[j]->range_min) - { - network = network_set->pnetwork[j - 1]; - network_set->pnetwork[j - 1] = network_set->pnetwork[j]; - network_set->pnetwork[j] = network; - } - } - } - } - - for (auto& id : network_set->ids6) - { - if ((rval = order_by_netmask(&ordered_networks, &network_set->networks6, id)) != 0) - { - sflist_free_all(&ordered_networks, &snort_free); - return rval; - } - - if ((rval = reduce_network_set6(&ordered_networks)) != 0) - { - sflist_free_all(&ordered_networks, &snort_free); - return rval; - } - - if ((rval = add_network_list(&network_set->networks6, &ordered_networks)) != 0) - { - sflist_free_all(&ordered_networks, &snort_free); - return rval; - } - } - if ((rval = reduce_network_set6(&network_set->networks6)) != 0) - { - sflist_free_all(&ordered_networks, &snort_free); - return rval; - } - - tmp = 0; - if ((rval = count6(network_set, &tmp)) != 0) - return rval; - - count = (int)tmp; - if (count > 0) - { - network_set->count6 = count; - if (network_set->pnetwork6) - { - snort_free(network_set->pnetwork6); - network_set->pnetwork6 = nullptr; - } - network_set->pnetwork6 = (Network6**)snort_calloc(count * sizeof(Network6*)); - SF_LNODE* iter = nullptr; - int k = 0; - for (network6 = (Network6*)sflist_first(&network_set->networks6, &iter); - network6 && k < count; - network6 = (Network6*)sflist_next(&iter)) - { - network_set->pnetwork6[k++] = network6; - } - /* bubble sort this array */ - for (int i = (count - 1); i >= 0; i--) - { - for (int j = 1; j <= i; j++) - { - if (compare_ipv6_address(&network_set->pnetwork6[j - 1]->range_min, - &network_set->pnetwork6[j]->range_min) > 0) - { - network6 = network_set->pnetwork6[j-1]; - network_set->pnetwork6[j - 1] = network_set->pnetwork6[j]; - network_set->pnetwork6[j] = network6; - } - } - } - } - return 0; -} - -NetworkSet* 
NetworkSetManager::copy(NetworkSet* network_set) -{ - NetworkSet* new_set; - SF_LNODE* iter; - - if (!network_set) - return nullptr; - - if (create(&new_set) != 0) - return nullptr; - - for (Network* network = (Network*)sflist_first(&network_set->networks, &iter); - network; - network = (Network*)sflist_next(&iter)) - { - if (add_network_range_ex(new_set, network->range_min, network->range_max, - network->info.netmask, network->info.ip_not, - network->info.id, network->info.type) != 0) - { - destroy(new_set); - return nullptr; - } - } - for (Network6* network6 = (Network6*)sflist_first(&network_set->networks6, &iter); - network6; - network6 = (Network6*)sflist_next(&iter)) - { - if (add_network_range6(new_set, &network6->range_min, &network6->range_max, - network6->info.netmask, network6->info.ip_not, - network6->info.id, network6->info.type) != 0) - { - destroy(new_set); - return nullptr; - } - } - return new_set; -} - -int NetworkSetManager::add_set(NetworkSet* dest_set, NetworkSet* src_set) -{ - SF_LNODE* iter; - int rval; - - if (!src_set || !dest_set) - return -1; - - for (Network* network = (Network*)sflist_first(&src_set->networks, &iter); - network; - network = (Network*)sflist_next(&iter)) - { - if ((rval = add_network_range_ex(dest_set, network->range_min, network->range_max, - network->info.netmask, network->info.ip_not, - network->info.id, network->info.type)) != 0) - { - return rval; - } - } - - for (Network6* network6 = (Network6*)sflist_first(&src_set->networks6, &iter); - network6; - network6 = (Network6*)sflist_next(&iter)) - { - if ((rval = add_network_range6(dest_set, &network6->range_min, &network6->range_max, - network6->info.netmask, network6->info.ip_not, - network6->info.id, network6->info.type)) != 0) - { - return rval; - } - } - return 0; -} - -#endif - diff --git a/src/network_inspectors/appid/appid_utils/network_set.h b/src/network_inspectors/appid/appid_utils/network_set.h deleted file mode 100644 index eed575e33..000000000 
--- a/src/network_inspectors/appid/appid_utils/network_set.h
+++ /dev/null
@@ -1,365 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// network_set.h author Sourcefire Inc.
-
-#ifndef NETWORK_SET_H
-#define NETWORK_SET_H
-
-#ifdef USE_RNA_CONFIG
-
-#include
-#include
-
-#include "protocols/ipv6.h"
-#include "utils/sflsq.h"
-
-// network_set.h author Sourcefire Inc.
-
-#ifndef ULLONG_MAX
-# define ULLONG_MAX 18446744073709551615ULL
-#endif
-
-#define BYTE_SWAP_16(x) \
- ((uint16_t)((((uint16_t)(x) & 0xff00) >> 8) | \
- (((uint16_t)(x) & 0x00ff) << 8)))
-
-#define BYTE_SWAP_32(x) \
- ((uint32_t)((((uint32_t)(x) & 0xff000000) >> 24) | \
- (((uint32_t)(x) & 0x00ff0000) >> 8) | \
- (((uint32_t)(x) & 0x0000ff00) << 8) | \
- (((uint32_t)(x) & 0x000000ff) << 24)))
-
-#define BYTE_SWAP_64(x) \
- ((uint64_t)((((uint64_t)(x) & 0xff00000000000000ULL) >> 56) | \
- (((uint64_t)(x) & 0x00ff000000000000ULL) >> 40) | \
- (((uint64_t)(x) & 0x0000ff0000000000ULL) >> 24) | \
- (((uint64_t)(x) & 0x000000ff00000000ULL) >> 8) | \
- (((uint64_t)(x) & 0x00000000ff000000ULL) << 8) | \
- (((uint64_t)(x) & 0x0000000000ff0000ULL) << 24) | \
- (((uint64_t)(x) & 0x000000000000ff00ULL) << 40) | \
- (((uint64_t)(x) & 0x00000000000000ffULL) << 56)))
-
-#if defined(WORDS_BIGENDIAN)
-struct NSIPv6Addr
-{
- uint64_t hi = 0;
- uint64_t lo = 0;
-};
-#else
-struct NSIPv6Addr
-{
- uint64_t lo = 0;
- uint64_t hi = 0;
-};
-#endif
-
-//IPv6 address a must be in network order
-#define NSIP_IS_ADDR_MULTICAST(a) \
- (IN6_IS_ADDR_MULTICAST(a) \
- || ((IN6_IS_ADDR_V4MAPPED(a) || IN6_IS_ADDR_V4COMPAT(a)) && (((__const uint32_t*)(a))[3] == \
- 0xffffffff)))
-
-struct NSNetworkInfo
-{
- unsigned id;
- unsigned netmask;
- int ip_not;
- unsigned type;
-};
-
-struct Network
-{
- NSNetworkInfo info;
- uint32_t range_min;
- uint32_t range_max;
-};
-
-struct Network6
-{
- NSNetworkInfo info;
- NSIPv6Addr range_min;
- NSIPv6Addr range_max;
-};
-
-struct NetworkSet
-{
- NetworkSet* next;
- SF_LIST networks;
- std::unordered_set ids;
- Network** pnetwork;
- unsigned count;
- SF_LIST networks6;
- std::unordered_set ids6;
- Network6** pnetwork6;
- unsigned count6;
-};
-
-// FIXIT-L - this should be integrated into the snort3 general IP address support library
-class NetworkSetManager
-{
-public:
- static int create(NetworkSet**);
- static int destroy(NetworkSet*);
- static NetworkSet*
copy(NetworkSet*); - static int add_set(NetworkSet* dest_set, NetworkSet* src_set); - static int add_cidr_block_ex(NetworkSet*, uint32_t ip, - unsigned cidr_bits, int ip_not, unsigned id, unsigned type); - static int add_cidr_block6_ex(NetworkSet*, NSIPv6Addr*, - unsigned cidr_bits, int ip_not, unsigned id, unsigned type); - static int add_cidr_block(NetworkSet*, uint32_t ip, - unsigned cidr_bits, int ip_not, unsigned id); - static int add_cidr_block6(NetworkSet*, NSIPv6Addr*, - unsigned cidr_bits, int ip_not, unsigned id); - static int add_network_range_ex(NetworkSet*, uint32_t range_min, - uint32_t range_max, unsigned cidr_bits, int ip_not, unsigned id, unsigned type); - static int add_network_range6(NetworkSet*, NSIPv6Addr* range_min, - NSIPv6Addr* range_max, unsigned cidr_bits, int ip_not, unsigned id, unsigned type); - static int add_network_range(NetworkSet*, uint32_t range_min, - uint32_t range_max, unsigned cidr_bits, int ip_not, unsigned id); - static int add_network_range6(NetworkSet*, NSIPv6Addr* range_min, - NSIPv6Addr* range_max, unsigned cidr_bits, int ip_not, unsigned id); - static int add_network_range_only_ipv6(NetworkSet*, int ip_not, - unsigned id, unsigned type); - static int reduce(NetworkSet*); - static int log_network_set(NetworkSet*, const char* prefix, FILE* stream); - - static void pack_ipv4_to_ipv6(NSIPv6Addr* ipv6Addr, uint32_t ipv4Addr) - { - ipv6Addr->hi = 0ULL; - ipv6Addr->lo = (uint64_t)ipv4Addr | 0x0000FFFF00000000ULL; - } - - static int unpack_ipv4_from_ipv6(const NSIPv6Addr* ipv6Addr, uint32_t* ipv4Addr) - { - if (!ipv6Addr->hi) - { - uint64_t lo = ipv6Addr->lo & 0xFFFFFFFF00000000ULL; - if (!lo || lo == 0x0000FFFF00000000ULL) - { - *ipv4Addr = (uint32_t)ipv6Addr->lo; - return 0; - } - } - return -1; - } - - static void copy_ipv6_address(const NSIPv6Addr* src, NSIPv6Addr* dst) - { - dst->hi = src->hi; - dst->lo = src->lo; - } - - static int compare_ipv6_address(const NSIPv6Addr* a, const NSIPv6Addr* b) - { - if (a->hi < b->hi) - 
return -1; - else if (a->hi > b->hi) - return 1; - if (a->lo < b->lo) - return -1; - else if (a->lo > b->lo) - return 1; - return 0; - } - - static void ntoh_ipv6(NSIPv6Addr* ip6) - { -#if !defined(WORDS_BIGENDIAN) - uint64_t tmp; - - tmp = BYTE_SWAP_64(ip6->hi); - ip6->hi = BYTE_SWAP_64(ip6->lo); - ip6->lo = tmp; -#endif - } - - - static void _swap_ipv6(const NSIPv6Addr* ip6, NSIPv6Addr* ip6h) - { -#if defined(WORDS_BIGENDIAN) - ip6h->hi = ip6->hi; - ip6h->lo = ip6->lo; -#else - ip6h->hi = BYTE_SWAP_64(ip6->lo); - ip6h->lo = BYTE_SWAP_64(ip6->hi); -#endif - } - - static void ntoh_swap_ipv6(const ip::snort_in6_addr* ip6, NSIPv6Addr* ip6h) - { - _swap_ipv6((const NSIPv6Addr*)ip6, ip6h); - } - - static void hton_swap_ipv6(const NSIPv6Addr* ip6, ip::snort_in6_addr* ip6h) - { - _swap_ipv6(ip6, (NSIPv6Addr*)ip6h); - } - - static void increment_ipv6_addr(NSIPv6Addr* ip6) - { - if (ip6->lo == ULLONG_MAX) - { - ip6->lo = 0; - ip6->hi++; - } - else - ip6->lo++; - } - - static void decrement_ipv6_addr(NSIPv6Addr* ip6) - { - if (!ip6->lo) - { - ip6->lo = ULLONG_MAX; - ip6->hi--; - } - else - ip6->lo--; - } - - static int contains_ex(NetworkSet* network_set, uint32_t ipaddr, unsigned* type) - { - int low=0; - int high=0; - *type = 0; - - if (!network_set) - return 0; - - if (!network_set->count) - return 0; - - high = network_set->count - 1; - - if (ipaddr < network_set->pnetwork[low]->range_min || ipaddr > - network_set->pnetwork[high]->range_max) - return 0; - - while (low <= high) - { - int middle = low + ((high - low)>>1); - - if (ipaddr < network_set->pnetwork[middle]->range_min) - high = middle - 1; - else if (ipaddr > network_set->pnetwork[middle]->range_max) - low = middle + 1; - else - { - *type = network_set->pnetwork[middle]->info.type; - return 1; - } - } - return 0; - } - - static int contains6_ex(NetworkSet* network_set, NSIPv6Addr* ipaddr, unsigned* type) - { - int low=0; - int high=0; - *type = 0; - - if (!network_set) - return 0; - - if (!network_set->count6) 
- return 0; - - high = network_set->count6 - 1; - - if (compare_ipv6_address(ipaddr, &network_set->pnetwork6[low]->range_min) < 0 || - compare_ipv6_address(ipaddr, &network_set->pnetwork6[high]->range_max) > 0) - { - return 0; - } - while (low <= high) - { - int middle = low + ((high - low)>>1); - - if (compare_ipv6_address(ipaddr, &network_set->pnetwork6[middle]->range_min) < 0) - high = middle - 1; - else if (compare_ipv6_address(ipaddr, &network_set->pnetwork6[middle]->range_max) > 0) - low = middle + 1; - else - { - *type = network_set->pnetwork6[middle]->info.type; - return 1; - } - } - return 0; - } - - static int contains(NetworkSet* network_set, uint32_t ipaddr) - { - unsigned type; - return contains_ex(network_set, ipaddr, &type); - } - - static int contains6(NetworkSet* network_set, NSIPv6Addr* ipaddr) - { - unsigned type; - return contains6_ex(network_set, ipaddr, &type); - } - - static int count4(NetworkSet* network_set, unsigned* count) - { - if (!network_set || !count) - return -1; - - *count = sflist_count(&network_set->networks); - - return 0; - } - - static int count6(NetworkSet* network_set, unsigned* count) - { - if (!network_set || !count) - return -1; - - *count = sflist_count(&network_set->networks6); - - return 0; - } - - static unsigned count_ex(NetworkSet* network_set) - { - if (!network_set) - return 0; - - return sflist_count(&network_set->networks); - } - - static unsigned count6_ex(NetworkSet* network_set) - { - if (!network_set) - return 0; - - return sflist_count(&network_set->networks6); - } - -private: - static int order_by_netmask(SF_LIST* ordered_networks, SF_LIST* networks, unsigned id); - static int add_network_list(SF_LIST* networks, SF_LIST* new_networks); - static int reduce_network_set(SF_LIST* networks); - static int reduce_network_set6(SF_LIST* networks); -}; -#endif - -#endif - 
diff --git a/src/network_inspectors/appid/service_plugins/service_bootp.cc b/src/network_inspectors/appid/service_plugins/service_bootp.cc index 6dc02071e..24064b129 100644 --- a/src/network_inspectors/appid/service_plugins/service_bootp.cc +++ b/src/network_inspectors/appid/service_plugins/service_bootp.cc @@ -362,31 +362,12 @@ int BootpServiceDetector::add_dhcp_info(AppIdSession& asd, unsigned op55_len, co return 0; } -#ifdef USE_RNA_CONFIG -static unsigned isIPv4HostMonitored(uint32_t ip4, int32_t zone) -{ - NetworkSet* net_list; - unsigned flags; - AppIdConfig* config = AppIdInspector::get_inspector()->get_appid_config(); - - if (zone >= 0 && zone < MAX_ZONES && config->net_list_by_zone[zone]) - net_list = config->net_list_by_zone[zone]; - else - net_list = config->net_list; - - NetworkSetManager::contains_ex(net_list, ip4, &flags); - return flags; -} - -#else static unsigned isIPv4HostMonitored(uint32_t, int32_t) { // FIXIT-M Defaulting to checking everything everywhere until RNA config is reimplemented return IPFUNCS_HOSTS_IP | IPFUNCS_USER_IP | IPFUNCS_APPLICATION; } -#endif - void BootpServiceDetector::add_new_dhcp_lease(AppIdSession& asd, const uint8_t* mac, uint32_t ip, int32_t zone, uint32_t subnetmask, uint32_t leaseSecs, uint32_t router) diff --git a/src/network_inspectors/appid/test/appid_discovery_test.cc b/src/network_inspectors/appid/test/appid_discovery_test.cc index 0b2318d26..82769df2a 100644 --- a/src/network_inspectors/appid/test/appid_discovery_test.cc +++ b/src/network_inspectors/appid/test/appid_discovery_test.cc @@ -139,8 +139,6 @@ ProfileStats* AppIdModule::get_profile() const { return nullptr; } // Stubs for config AppIdModuleConfig::~AppIdModuleConfig() {} -AppIdConfig::AppIdConfig(AppIdModuleConfig*) {} -AppIdConfig::~AppIdConfig() {} static AppIdModuleConfig app_config; static AppIdConfig my_app_config(&app_config); AppId AppIdConfig::get_port_service_id(IpProtocol, uint16_t) 
diff --git a/src/network_inspectors/appid/test/appid_session_api_test.cc b/src/network_inspectors/appid/test/appid_session_api_test.cc index 3ecf9db5f..ba5e3b689 100644 --- a/src/network_inspectors/appid/test/appid_session_api_test.cc +++ b/src/network_inspectors/appid/test/appid_session_api_test.cc @@ -49,13 +49,6 @@ void NbdgmServiceDetector::AppIdFreeSMBData(FpSMBData* data) AppIdSession* mock_session = nullptr; AppIdSessionApi* appid_session_api = nullptr; -//Stub for config -AppIdConfig::AppIdConfig(AppIdModuleConfig* mod) -{ - this->mod_config = mod; - this->mod_config->check_host_port_app_cache = false; -} - TEST_GROUP(appid_session_api) { void setup() override