From dceba89cf1fec57ff8e36e6077488c15fc748f23 Mon Sep 17 00:00:00 2001 
From: Russ Combs Date: Fri, 21 Oct 2016 21:26:26 -0400 Subject: [PATCH] refactor event queue into DetectionEngine --- extra/src/inspectors/dpx/dpx.cc | 2 +- extra/src/inspectors/http_server/hi_events.cc | 3 +- .../http_server/hi_stream_splitter.cc | 22 ++- src/detection/fp_detect.cc | 3 +- src/events/event_queue.cc | 128 +----------------- src/events/event_queue.h | 8 -- src/events/event_wrapper.cc | 4 +- src/framework/codec.cc | 3 +- src/latency/packet_latency.cc | 3 +- src/latency/rule_latency.cc | 5 +- src/network_inspectors/arp_spoof/arp_spoof.cc | 35 ++--- .../reputation/reputation_inspect.cc | 6 +- src/protocols/packet_manager.cc | 5 +- .../back_orifice/back_orifice.cc | 9 +- src/service_inspectors/dce_rpc/dce_common.h | 4 +- src/service_inspectors/dnp3/dnp3.cc | 3 +- .../dnp3/dnp3_reassembly.cc | 18 +-- src/service_inspectors/dns/dns.cc | 8 +- src/service_inspectors/ftp_telnet/pp_ftp.cc | 42 +++--- .../ftp_telnet/pp_telnet.cc | 9 +- src/service_inspectors/gtp/gtp_parser.cc | 3 +- .../http_inspect/http_event_gen.h | 3 +- .../http_inspect/test/http_module_test.cc | 4 +- .../test/http_transaction_test.cc | 2 +- .../http_inspect/test/http_uri_norm_test.cc | 2 +- src/service_inspectors/imap/imap.cc | 12 +- src/service_inspectors/modbus/modbus.cc | 3 +- .../modbus/modbus_decode.cc | 11 +- src/service_inspectors/modbus/modbus_paf.cc | 3 +- src/service_inspectors/pop/pop.cc | 12 +- .../rpc_decode/rpc_decode.cc | 11 +- src/service_inspectors/sip/sip.cc | 6 +- src/service_inspectors/sip/sip_dialog.cc | 7 +- src/service_inspectors/sip/sip_parser.cc | 53 ++++---- src/service_inspectors/smtp/smtp.cc | 25 ++-- src/service_inspectors/smtp/smtp_paf.cc | 3 +- .../smtp/smtp_xlink2state.cc | 3 +- src/service_inspectors/ssh/ssh.cc | 31 +++-- src/service_inspectors/ssl/ssl_inspector.cc | 12 +- src/stream/ip/ip_defrag.cc | 22 +-- src/stream/tcp/tcp_event_logger.cc | 5 +- src/utils/stats.cc | 3 +- 42 files changed, 216 insertions(+), 340 deletions(-) 
diff --git a/extra/src/inspectors/dpx/dpx.cc b/extra/src/inspectors/dpx/dpx.cc index bfa863dbe..c54feb380 100644 --- a/extra/src/inspectors/dpx/dpx.cc +++ b/extra/src/inspectors/dpx/dpx.cc @@ -74,7 +74,7 @@ void Dpx::eval(Packet* p) assert(p->is_udp()); if ( p->ptrs.dp == port && p->dsize > max ) - SnortEventqAdd(DPX_GID, DPX_SID); + DetectionEngine::queue_event(DPX_GID, DPX_SID); ++dpxstats.total_packets; } diff --git a/extra/src/inspectors/http_server/hi_events.cc b/extra/src/inspectors/http_server/hi_events.cc index e6f245787..7eff44ac1 100644 --- a/extra/src/inspectors/http_server/hi_events.cc +++ b/extra/src/inspectors/http_server/hi_events.cc @@ -27,6 +27,7 @@ #include #include +#include "detection/detection_engine.h" #include "events/event_queue.h" #include "main/thread.h" @@ -45,7 +46,7 @@ static void queue(unsigned gid, uint64_t mask) while ( (sid = ffs(mask)) ) { - SnortEventqAdd(gid, sid); + DetectionEngine::queue_event(gid, sid); mask ^= (1 << (sid-1)); } } diff --git a/extra/src/inspectors/http_server/hi_stream_splitter.cc b/extra/src/inspectors/http_server/hi_stream_splitter.cc index ef9ab821f..17038bba1 100644 --- a/extra/src/inspectors/http_server/hi_stream_splitter.cc +++ b/extra/src/inspectors/http_server/hi_stream_splitter.cc @@ -49,8 +49,14 @@ #include "hi_stream_splitter.h" +<<<<<<< HEAD #include "events/event_queue.h" #include "main/snort_debug.h" +======= +#include "hi_events.h" +#include "main/snort_debug.h" +#include "detection/detection_engine.h" +>>>>>>> refactor event queue into DetectionEngine #include "protocols/packet.h" #include "stream/stream.h" #include "utils/util.h" 
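Review bot: The include block of hi_stream_splitter.cc is committed with an unresolved merge conflict (`<<<<<<< HEAD` / `=======` / `>>>>>>> refactor event queue into DetectionEngine`), so the file cannot compile as committed. The second hunk of this file replaces every SnortEventqAdd call with DetectionEngine::queue_event, so the resolution must keep `#include "detection/detection_engine.h"` from the lower side; whether `events/event_queue.h` (HEAD side) and `hi_events.h` (lower side) are both still needed depends on where GID_HTTP_CLIENT and the HI_CLIENT_* ids are declared, which is outside the hunk, so keeping both is the safe resolution. Resolve to `#include "detection/detection_engine.h"`, `#include "events/event_queue.h"`, `#include "hi_events.h"`, `#include "main/snort_debug.h"` with the markers removed.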
@@ -654,30 +660,22 @@ static inline int xton(int c) static inline void hi_paf_event_post() { - SnortEventqAdd( - GID_HTTP_CLIENT, - HI_CLIENT_UNBOUNDED_POST); + DetectionEngine::queue_event(GID_HTTP_CLIENT, HI_CLIENT_UNBOUNDED_POST); } static inline void hi_paf_event_simple() { - SnortEventqAdd( - GID_HTTP_CLIENT, - HI_CLIENT_SIMPLE_REQUEST); + DetectionEngine::queue_event(GID_HTTP_CLIENT, HI_CLIENT_SIMPLE_REQUEST); } static inline void hi_paf_event_msg_size() { - SnortEventqAdd( - GID_HTTP_SERVER, - HI_CLISRV_MSG_SIZE_EXCEPTION); + DetectionEngine::queue_event(GID_HTTP_SERVER, HI_CLISRV_MSG_SIZE_EXCEPTION); } static inline void hi_paf_event_pipe() { - SnortEventqAdd( - GID_HTTP_CLIENT, - HI_CLIENT_PIPELINE_MAX); + DetectionEngine::queue_event(GID_HTTP_CLIENT, HI_CLIENT_PIPELINE_MAX); } static inline StreamSplitter::Status hi_exec(Hi5State* s, Action a, int c) diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc index d4abf7677..3de73cc0b 100644 --- a/src/detection/fp_detect.cc +++ b/src/detection/fp_detect.cc @@ -40,6 +40,7 @@ #include "fp_detect.h" +#include "detection/detection_engine.h" #include "events/event.h" #include "filters/rate_filter.h" #include "filters/sfthreshold.h" @@ -730,7 +731,7 @@ static inline int fpFinalSelectEvent(OTNX_MATCH_DATA* o, Packet* p) /* ** QueueEvent */ - if ( SnortEventqAdd(otn) ) + if ( DetectionEngine::queue_event(otn) ) pc.queue_limit++; tcnt++; diff --git a/src/events/event_queue.cc b/src/events/event_queue.cc index 62d7fea46..83b9176b8 100644 --- a/src/events/event_queue.cc +++ b/src/events/event_queue.cc 
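Review bot: `if ( DetectionEngine::queue_event(otn) ) pc.queue_limit++;` in fpFinalSelectEvent depends on the return contract of the removed SnortEventqAdd(otn) — 0 when the OTN has no RTN in the current policy, -1 only when the queue is full — but no file in this patch declares or defines DetectionEngine::queue_event (the diffstat lists no detection/detection_engine.* change), so that contract cannot be checked here. Presumably the definition lands in a separate commit; if it returns non-zero for the "rule not in policy" case, queue_limit will be over-counted. Worth confirming, and documenting at the call site with `// non-zero only when the event queue is full; an OTN absent from the current policy yields 0`. fpFinalSelectEvent's body continues outside the hunk.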
@@ -35,7 +35,7 @@ ** event (gid,sid pair). This is now required to get events ** to be logged. The decoders and preprocessors are still ** configured independently, which allows them to inspect and -** call the alerting functions SnortEventqAdd, GenerateSnortEvent() +** call the alerting functions DetectionEngine::queue_event, GenerateSnortEvent() ** and GenerateEvent2() for portscan.cc. The GenerateSnortEvent() ** function now finds and otn and calls fpLogEvent. ** @@ -48,7 +48,7 @@ ** mapping, and then adjusts it's inspection or detection ** accordingly. ** -** SnortEventqAdd() - only adds events that have an otn +** DetectionEngine::queue_event() - only adds events that have an otn ** */ @@ -72,13 +72,10 @@ static THREAD_LOCAL unsigned s_events = 0; //------------------------------------------------- -/* -** Set default values -*/ + EventQueueConfig* EventQueueConfigNew() { - EventQueueConfig* eqc = - (EventQueueConfig*)snort_calloc(sizeof(EventQueueConfig)); + EventQueueConfig* eqc = (EventQueueConfig*)snort_calloc(sizeof(EventQueueConfig)); eqc->max_events = 8; eqc->log_events = 3; 
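Review bot: The hunk at -72 deletes `/* Set default values */`, the only comment on EventQueueConfigNew(), and leaves an empty line in its place, so the function now has no documentation at all. The body that is visible sets `max_events = 8` and `log_events = 3`, which is exactly what the removed comment described; suggest `// Allocate an EventQueueConfig populated with the built-in defaults.` above the signature. The rest of the function lies outside the hunk.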
@@ -97,120 +94,3 @@ void EventQueueConfigFree(EventQueueConfig* eqc) snort_free(eqc); } -// Return 0 if no OTN since -1 return indicates queue limit reached. See -// fpFinalSelectEvent() -int SnortEventqAdd(const OptTreeNode* otn) -{ - RuleTreeNode* rtn = getRtnFromOtn(otn); - - if ( !rtn ) - { - // If the rule isn't in the current policy, - // don't add it to the event queue. - return 0; - } - - SF_EVENTQ* pq = DetectionEngine::get_event_queue(); - EventNode* en = (EventNode*)sfeventq_event_alloc(pq); - - if ( !en ) - return -1; - - en->otn = otn; - en->rtn = rtn; - - if ( sfeventq_add(pq, en) ) - return -1; - - s_events++; - return 0; -} - -// Preprocessors and decoder will call this function since -// they don't have access to the OTN. -int SnortEventqAdd(uint32_t gid, uint32_t sid, RuleType type) -{ - OptTreeNode* otn = GetOTN(gid, sid); - - if ( !otn ) - return 0; - - SF_EVENTQ* pq = DetectionEngine::get_event_queue(); - EventNode* en = (EventNode*)sfeventq_event_alloc(pq); - - if ( !en ) - return -1; - - en->otn = otn; - en->rtn = nullptr; // lookup later after ips policy selection - en->type = type; - - if ( sfeventq_add(pq, en) ) - return -1; - - s_events++; - return 0; -} - -bool event_is_enabled(uint32_t gid, uint32_t sid) -{ - OptTreeNode* otn = GetOTN(gid, sid); - return ( otn != nullptr ); -} - -static int LogSnortEvents(void* event, void* user) -{ - if ( !event || !user ) - return 0; - - EventNode* en = (EventNode*)event; - - if ( !en->rtn ) - { - en->rtn = getRtnFromOtn(en->otn); - - if ( !en->rtn ) - return 0; // not enabled - } - - if ( s_events > 0 ) - s_events--; - - fpLogEvent(en->rtn, en->otn, (Packet*)user); - sfthreshold_reset(); - - return 0; -} - -/* -** We return whether we logged events or not. We've add a eventq user -** structure so we can track whether the events logged were rule events -** or preprocessor/decoder events. 
The reason being that we don't want -** to flush a TCP stream for preprocessor/decoder events, and cause -** early flushing of the stream. -*/ -int SnortEventqLog(Packet* p) -{ - SF_EVENTQ* pq = DetectionEngine::get_event_queue(); - sfeventq_action(pq, LogSnortEvents, (void*)p); - return 0; -} - -static inline void reset_counts() -{ - pc.log_limit += s_events; - s_events = 0; -} - -void SnortEventqResetCounts() -{ - reset_counts(); -} - -void SnortEventqReset() -{ - SF_EVENTQ* pq = DetectionEngine::get_event_queue(); - sfeventq_reset(pq); - reset_counts(); -} - diff --git a/src/events/event_queue.h b/src/events/event_queue.h index cacffc322..baf337739 100644 --- a/src/events/event_queue.h +++ b/src/events/event_queue.h @@ -44,13 +44,5 @@ struct EventNode EventQueueConfig* EventQueueConfigNew(); void EventQueueConfigFree(EventQueueConfig*); -SO_PUBLIC void SnortEventqReset(); -void SnortEventqResetCounts(); - -SO_PUBLIC int SnortEventqLog(struct Packet*); -SO_PUBLIC int SnortEventqAdd(const struct OptTreeNode*); -SO_PUBLIC int SnortEventqAdd(uint32_t gid, uint32_t sid, RuleType = RULE_TYPE__NONE); -SO_PUBLIC bool event_is_enabled(uint32_t gid, uint32_t sid); - #endif diff --git a/src/events/event_wrapper.cc b/src/events/event_wrapper.cc index fc288b0db..c3020738f 100644 --- a/src/events/event_wrapper.cc +++ b/src/events/event_wrapper.cc @@ -50,8 +50,8 @@ * This function has been updated to find an otn and route the call to fpLogEvent * if possible. This requires a rule be written for each decoder event, * and possibly some preporcessor events. The bulk of eventing is handled vie the - * SnortEventqAdd() and SnortEventLog() functions - whichalready route the events to - * the fpLogEvent()function. + * DetectionEngine::queue_event() and SnortEventLog() functions - whichalready + * route the events to the fpLogEvent()function. */ uint32_t GenerateSnortEvent(Packet* p, uint32_t gid, uint32_t sid) { 
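Review bot: The rewritten comment in event_wrapper.cc still refers to `SnortEventLog()`, which does not match any declaration on the page; the nearest name, SnortEventqLog, is removed from event_queue.h in this same commit, so the reference is stale either way. The two new lines also keep the typos `whichalready` and `fpLogEvent()function`. Suggest `* DetectionEngine::queue_event() and its logging counterpart, which already` / `* route the events to the fpLogEvent() function.`, naming the replacement for SnortEventqLog explicitly if it now lives in DetectionEngine (not visible in this patch). The comment header begins outside the hunk.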
diff --git a/src/framework/codec.cc b/src/framework/codec.cc index 9862d46ff..eef6c7bb1 100644 --- a/src/framework/codec.cc +++ b/src/framework/codec.cc @@ -24,6 +24,7 @@ #include "codec.h" #include "codecs/codec_module.h" +#include "detection/detection_engine.h" #include "events/event_queue.h" EncState::EncState(const ip::IpApi& api, EncodeFlags f, IpProtocol pr, @@ -81,7 +82,7 @@ void Codec::codec_event(const CodecData& codec, CodecSid sid) if ( codec.codec_flags & CODEC_STREAM_REBUILT ) return; - SnortEventqAdd(GID_DECODE, sid); + DetectionEngine::queue_event(GID_DECODE, sid); } bool Codec::CheckIPV6HopOptions(const RawData& raw, CodecData& codec) diff --git a/src/latency/packet_latency.cc b/src/latency/packet_latency.cc index b9cb49673..516ba01f6 100644 --- a/src/latency/packet_latency.cc +++ b/src/latency/packet_latency.cc @@ -24,6 +24,7 @@ #include "packet_latency.h" +#include "detection/detection_engine.h" #include "log/messages.h" #include "main/snort_config.h" #include "protocols/packet.h" @@ -193,7 +194,7 @@ static struct SnortConfigWrapper : public ConfigWrapper static struct SnortEventHandler : public EventHandler { void handle(const Event&) override - { SnortEventqAdd(GID_LATENCY, LATENCY_EVENT_PACKET_FASTPATHED); } + { DetectionEngine::queue_event(GID_LATENCY, LATENCY_EVENT_PACKET_FASTPATHED); } } event_handler; static struct SnortLogHandler : public EventHandler diff --git a/src/latency/rule_latency.cc b/src/latency/rule_latency.cc index d43744240..1cce46fa5 100644 --- a/src/latency/rule_latency.cc +++ b/src/latency/rule_latency.cc @@ -24,6 +24,7 @@ #include "rule_latency.h" +#include "detection/detection_engine.h" #include "detection/detection_options.h" #include "detection/treenodes.h" #include "main/snort_config.h" 
@@ -295,11 +296,11 @@ static struct SnortEventHandler : public EventHandler switch ( e.type ) { case Event::EVENT_ENABLED: - SnortEventqAdd(GID_LATENCY, LATENCY_EVENT_RULE_TREE_ENABLED); + DetectionEngine::queue_event(GID_LATENCY, LATENCY_EVENT_RULE_TREE_ENABLED); break; case Event::EVENT_SUSPENDED: - SnortEventqAdd(GID_LATENCY, LATENCY_EVENT_RULE_TREE_SUSPENDED); + DetectionEngine::queue_event(GID_LATENCY, LATENCY_EVENT_RULE_TREE_SUSPENDED); break; default: diff --git a/src/network_inspectors/arp_spoof/arp_spoof.cc b/src/network_inspectors/arp_spoof/arp_spoof.cc index 986592694..5215154f5 100644 --- a/src/network_inspectors/arp_spoof/arp_spoof.cc +++ b/src/network_inspectors/arp_spoof/arp_spoof.cc @@ -71,6 +71,7 @@ #include "config.h" #endif +#include "detection/detection_engine.h" #include "events/event_queue.h" #include "log/messages.h" #include "profiler/profiler.h" 
@@ -187,40 +188,28 @@ void ArpSpoof::eval(Packet* p) case ARPOP_REQUEST: if (memcmp((u_char*)eh->ether_dst, (u_char*)bcast, 6) != 0) { - SnortEventqAdd(GID_ARP_SPOOF, - ARPSPOOF_UNICAST_ARP_REQUEST); - - DebugMessage(DEBUG_INSPECTOR, - "MODNAME: Unicast request\n"); + DetectionEngine::queue_event(GID_ARP_SPOOF, ARPSPOOF_UNICAST_ARP_REQUEST); + DebugMessage(DEBUG_INSPECTOR, "MODNAME: Unicast request\n"); } else if (memcmp((u_char*)eh->ether_src, (u_char*)ah->arp_sha, 6) != 0) { - SnortEventqAdd(GID_ARP_SPOOF, - ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC); - - DebugMessage(DEBUG_INSPECTOR, - "MODNAME: Ethernet/ARP mismatch request\n"); + DetectionEngine::queue_event(GID_ARP_SPOOF, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC); + DebugMessage(DEBUG_INSPECTOR, "MODNAME: Ethernet/ARP mismatch request\n"); } break; case ARPOP_REPLY: if (memcmp((u_char*)eh->ether_src, (u_char*)ah->arp_sha, 6) != 0) { - SnortEventqAdd(GID_ARP_SPOOF, - ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC); - - DebugMessage(DEBUG_INSPECTOR, - "MODNAME: Ethernet/ARP mismatch reply src\n"); + DetectionEngine::queue_event(GID_ARP_SPOOF, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC); + DebugMessage(DEBUG_INSPECTOR, "MODNAME: Ethernet/ARP mismatch reply src\n"); } else if (memcmp((u_char*)eh->ether_dst, (u_char*)ah->arp_tha, 6) != 0) { - SnortEventqAdd(GID_ARP_SPOOF, - ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST); - - DebugMessage(DEBUG_INSPECTOR, - "MODNAME: Ethernet/ARP mismatch reply dst\n"); + DetectionEngine::queue_event(GID_ARP_SPOOF, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST); + DebugMessage(DEBUG_INSPECTOR, "MODNAME: Ethernet/ARP mismatch reply dst\n"); } break; } 
@@ -242,10 +231,8 @@ void ArpSpoof::eval(Packet* p) // in p doesn't match the MAC address in ipme, then generate an alert if ( cmp_ether_src || cmp_arp_sha ) { - SnortEventqAdd(GID_ARP_SPOOF, ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK); - - DebugMessage(DEBUG_INSPECTOR, - "MODNAME: Attempted ARP cache overwrite attack\n"); + DetectionEngine::queue_event(GID_ARP_SPOOF, ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK); + DebugMessage(DEBUG_INSPECTOR, "MODNAME: Attempted ARP cache overwrite attack\n"); } } diff --git a/src/network_inspectors/reputation/reputation_inspect.cc b/src/network_inspectors/reputation/reputation_inspect.cc index 914df8276..a96bdc17d 100644 --- a/src/network_inspectors/reputation/reputation_inspect.cc +++ b/src/network_inspectors/reputation/reputation_inspect.cc @@ -297,7 +297,7 @@ static void snort_reputation(ReputationConfig* config, Packet* p) else if (BLACKLISTED == decision) { - SnortEventqAdd(GID_REPUTATION, REPUTATION_EVENT_BLACKLIST); + DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_BLACKLIST); Active::drop_packet(p, true); // disable all preproc analysis and detection for this packet DetectionEngine::disable_all(); @@ -312,12 +312,12 @@ static void snort_reputation(ReputationConfig* config, Packet* p) } else if (MONITORED == decision) { - SnortEventqAdd(GID_REPUTATION, REPUTATION_EVENT_MONITOR); + DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_MONITOR); reputationstats.monitored++; } else if (WHITELISTED_TRUST == decision) { - SnortEventqAdd(GID_REPUTATION, REPUTATION_EVENT_WHITELIST); + DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_WHITELIST); p->packet_flags |= PKT_IGNORE; DetectionEngine::disable_all(); p->disable_inspect = true; diff --git a/src/protocols/packet_manager.cc b/src/protocols/packet_manager.cc index 2d6704893..07c94f64b 100644 --- a/src/protocols/packet_manager.cc +++ b/src/protocols/packet_manager.cc 
@@ -27,6 +27,7 @@ #include "codecs/codec_module.h" #include "codecs/ip/checksum.h" +#include "detection/detection_engine.h" #include "log/text_log.h" #include "main/snort_config.h" #include "main/snort_debug.h" @@ -199,7 +200,7 @@ void PacketManager::decode( // If we have reached the MAX_LAYERS, we keep decoding // but no longer keep track of the layers. if ( p->num_layers == CodecManager::max_layers ) - SnortEventqAdd(GID_DECODE, DECODE_TOO_MANY_LAYERS); + DetectionEngine::queue_event(GID_DECODE, DECODE_TOO_MANY_LAYERS); else push_layer(p, prev_prot_id, raw.data, codec_data.lyr_len); @@ -274,7 +275,7 @@ void PacketManager::decode( (to_utype(prev_prot_id) <= std::numeric_limits::max()) && !(codec_data.codec_flags & CODEC_STREAM_REBUILT) ) { - SnortEventqAdd(GID_DECODE, DECODE_IP_UNASSIGNED_PROTO); + DetectionEngine::queue_event(GID_DECODE, DECODE_IP_UNASSIGNED_PROTO); } } } diff --git a/src/service_inspectors/back_orifice/back_orifice.cc b/src/service_inspectors/back_orifice/back_orifice.cc index ffd104167..31a0bf297 100644 --- a/src/service_inspectors/back_orifice/back_orifice.cc +++ b/src/service_inspectors/back_orifice/back_orifice.cc @@ -109,6 +109,7 @@ #include "config.h" #endif +#include "detection/detection_engine.h" #include "events/event_queue.h" #include "framework/inspector.h" #include "framework/module.h" @@ -355,7 +356,7 @@ static int BoGetDirection(Packet* p, const char* pkt_data) if ( len >= BO_BUF_ATTACK_SIZE ) { - SnortEventqAdd(GID_BO, BO_SNORT_BUFFER_ATTACK); + DetectionEngine::queue_event(GID_BO, BO_SNORT_BUFFER_ATTACK); return BO_FROM_UNKNOWN; } 
@@ -519,18 +520,18 @@ void BackOrifice::eval(Packet* p) if ( bo_direction == BO_FROM_CLIENT ) { - SnortEventqAdd(GID_BO, BO_CLIENT_TRAFFIC_DETECT); + DetectionEngine::queue_event(GID_BO, BO_CLIENT_TRAFFIC_DETECT); DebugMessage(DEBUG_INSPECTOR, "Client packet\n"); } else if ( bo_direction == BO_FROM_SERVER ) { - SnortEventqAdd(GID_BO, BO_SERVER_TRAFFIC_DETECT); + DetectionEngine::queue_event(GID_BO, BO_SERVER_TRAFFIC_DETECT); DebugMessage(DEBUG_INSPECTOR, "Server packet\n"); } else - SnortEventqAdd(GID_BO, BO_TRAFFIC_DETECT); + DetectionEngine::queue_event(GID_BO, BO_TRAFFIC_DETECT); } } } diff --git a/src/service_inspectors/dce_rpc/dce_common.h b/src/service_inspectors/dce_rpc/dce_common.h index 585f3052f..bc4ea4ef9 100644 --- a/src/service_inspectors/dce_rpc/dce_common.h +++ b/src/service_inspectors/dce_rpc/dce_common.h @@ -21,7 +21,7 @@ #ifndef DCE_COMMON_H #define DCE_COMMON_H -#include "events/event_queue.h" +#include "detection/detection_engine.h" #include "framework/counts.h" #include "framework/endianness.h" #include "framework/value.h" @@ -388,7 +388,7 @@ inline bool DCE2_SsnIsServerSambaPolicy(DCE2_SsnData* sd) inline void dce_alert(uint32_t gid, uint32_t sid, dce2CommonStats* stats) { - SnortEventqAdd(gid,sid); + DetectionEngine::queue_event(gid,sid); stats->events++; } diff --git a/src/service_inspectors/dnp3/dnp3.cc b/src/service_inspectors/dnp3/dnp3.cc index a64915c41..eabd1051f 100644 --- a/src/service_inspectors/dnp3/dnp3.cc +++ b/src/service_inspectors/dnp3/dnp3.cc @@ -25,6 +25,7 @@ #include "dnp3.h" +#include "detection/detection_engine.h" #include "events/event_queue.h" #include "protocols/packet.h" @@ -140,7 +141,7 @@ static bool dnp3_process_udp(dnp3ProtoConf& config, dnp3_session_data_t* dnp3_se if (truncated_pdu) { - SnortEventqAdd(GID_DNP3, DNP3_DROPPED_FRAME); + DetectionEngine::queue_event(GID_DNP3, DNP3_DROPPED_FRAME); } return true; 
diff --git a/src/service_inspectors/dnp3/dnp3_reassembly.cc b/src/service_inspectors/dnp3/dnp3_reassembly.cc index d8dc520c5..27b500946 100644 --- a/src/service_inspectors/dnp3/dnp3_reassembly.cc +++ b/src/service_inspectors/dnp3/dnp3_reassembly.cc @@ -161,7 +161,7 @@ static bool dnp3_reassemble_transport(dnp3_reassembly_data_t* rdata, char* buf, /* Raise an alert so it's clear the buffer was reset. Could signify device trouble. */ - SnortEventqAdd(GID_DNP3, DNP3_REASSEMBLY_BUFFER_CLEARED); + DetectionEngine::queue_event(GID_DNP3, DNP3_REASSEMBLY_BUFFER_CLEARED); } else { @@ -169,7 +169,7 @@ static bool dnp3_reassemble_transport(dnp3_reassembly_data_t* rdata, char* buf, if ((DNP3_TRANSPORT_SEQ(trans_header->control) == rdata->last_seq) && (DNP3_TRANSPORT_FIN(trans_header->control))) { - SnortEventqAdd(GID_DNP3, DNP3_DROPPED_SEGMENT); + DetectionEngine::queue_event(GID_DNP3, DNP3_DROPPED_SEGMENT); rdata->state = DNP3_REASSEMBLY_STATE__DONE; return false; } @@ -178,7 +178,7 @@ static bool dnp3_reassemble_transport(dnp3_reassembly_data_t* rdata, char* buf, if (DNP3_TRANSPORT_SEQ(trans_header->control) != ((rdata->last_seq + 1) % 0x40 )) { - SnortEventqAdd(GID_DNP3, DNP3_DROPPED_SEGMENT); + DetectionEngine::queue_event(GID_DNP3, DNP3_DROPPED_SEGMENT); return false; } @@ -206,7 +206,7 @@ static void dnp3_check_reserved_function(dnp3_session_data_t* session) { if ( !(dnp3_func_is_defined( (uint16_t)session->func)) ) { - SnortEventqAdd(GID_DNP3, DNP3_RESERVED_FUNCTION); + DetectionEngine::queue_event(GID_DNP3, DNP3_RESERVED_FUNCTION); } } @@ -291,7 +291,7 @@ static bool dnp3_check_remove_crc(dnp3ProtoConf& config, uint8_t* pdu_start, if ((config.check_crc) && (dnp3_check_crc((unsigned char*)pdu_start, sizeof(dnp3_link_header_t)+2) == false)) { - SnortEventqAdd(GID_DNP3, DNP3_BAD_CRC); + DetectionEngine::queue_event(GID_DNP3, DNP3_BAD_CRC); return false; } 
@@ -305,7 +305,7 @@ static bool dnp3_check_remove_crc(dnp3ProtoConf& config, uint8_t* pdu_start, if ((config.check_crc) && (dnp3_check_crc((unsigned char*)cursor, (DNP3_CHUNK_SIZE+DNP3_CRC_SIZE)) == false)) { - SnortEventqAdd(GID_DNP3, DNP3_BAD_CRC); + DetectionEngine::queue_event(GID_DNP3, DNP3_BAD_CRC); return false; } @@ -320,7 +320,7 @@ static bool dnp3_check_remove_crc(dnp3ProtoConf& config, uint8_t* pdu_start, { if ((config.check_crc) && (dnp3_check_crc((unsigned char*)cursor, bytes_left) == false)) { - SnortEventqAdd(GID_DNP3, DNP3_BAD_CRC); + DetectionEngine::queue_event(GID_DNP3, DNP3_BAD_CRC); return false; } @@ -344,7 +344,7 @@ static bool dnp3_check_reserved_addrs(dnp3_link_header_t* link) if (bad_addr) { - SnortEventqAdd(GID_DNP3, DNP3_RESERVED_ADDRESS); + DetectionEngine::queue_event(GID_DNP3, DNP3_RESERVED_ADDRESS); return false; } @@ -374,7 +374,7 @@ bool dnp3_full_reassembly(dnp3ProtoConf& config, dnp3_session_data_t* session, P if (link->len < DNP3_MIN_TRANSPORT_LEN) { - SnortEventqAdd(GID_DNP3, DNP3_DROPPED_FRAME); + DetectionEngine::queue_event(GID_DNP3, DNP3_DROPPED_FRAME); return false; } diff --git a/src/service_inspectors/dns/dns.cc b/src/service_inspectors/dns/dns.cc index 7868b2588..f98ab6a41 100644 --- a/src/service_inspectors/dns/dns.cc +++ b/src/service_inspectors/dns/dns.cc @@ -27,7 +27,7 @@ #include "dns.h" -#include "events/event_queue.h" +#include "detection/detection_engine.h" #include "log/messages.h" #include "profiler/profiler.h" #include "protocols/packet.h" @@ -557,7 +557,7 @@ static uint16_t CheckRRTypeTXTVuln( if (overflow_check > 0xFFFF) { /* Alert on obsolete DNS RR types */ - SnortEventqAdd(GID_DNS, DNS_EVENT_RDATA_OVERFLOW); + DetectionEngine::queue_event(GID_DNS, DNS_EVENT_RDATA_OVERFLOW); dnsSessionData->curr_txt.alerted = 1; } 
@@ -652,7 +652,7 @@ static uint16_t ParseDNSRData( case DNS_RR_TYPE_MD: case DNS_RR_TYPE_MF: /* Alert on obsolete DNS RR types */ - SnortEventqAdd(GID_DNS, DNS_EVENT_OBSOLETE_TYPES); + DetectionEngine::queue_event(GID_DNS, DNS_EVENT_OBSOLETE_TYPES); bytes_unused = SkipDNSRData(data, bytes_unused, dnsSessionData); break; @@ -662,7 +662,7 @@ static uint16_t ParseDNSRData( case DNS_RR_TYPE_NULL: case DNS_RR_TYPE_MINFO: /* Alert on experimental DNS RR types */ - SnortEventqAdd(GID_DNS, DNS_EVENT_EXPERIMENTAL_TYPES); + DetectionEngine::queue_event(GID_DNS, DNS_EVENT_EXPERIMENTAL_TYPES); bytes_unused = SkipDNSRData(data, bytes_unused, dnsSessionData); break; case DNS_RR_TYPE_A: diff --git a/src/service_inspectors/ftp_telnet/pp_ftp.cc b/src/service_inspectors/ftp_telnet/pp_ftp.cc index b310a13e5..653757314 100644 --- a/src/service_inspectors/ftp_telnet/pp_ftp.cc +++ b/src/service_inspectors/ftp_telnet/pp_ftp.cc @@ -40,6 +40,7 @@ #include "pp_ftp.h" +#include "detection/detection_engine.h" #include "detection/detection_util.h" #include "file_api/file_service.h" #include "protocols/packet.h" @@ -594,7 +595,7 @@ static int validate_param(Packet* p, if (numPercents >= MAX_PERCENT_SIGNS) { /* Alert on string format attack in parameter */ - SnortEventqAdd(GID_FTP, FTP_PARAMETER_STR_FORMAT); + DetectionEngine::queue_event(GID_FTP, FTP_PARAMETER_STR_FORMAT); return FTPP_ALERTED; } } @@ -747,7 +748,7 @@ static int validate_param(Packet* p, /* Alert on invalid IP address for PORT */ if (alert) { - SnortEventqAdd(GID_FTP, FTP_BOUNCE); + DetectionEngine::queue_event(GID_FTP, FTP_BOUNCE); /* Return here -- because we will likely want to * inspect the data traffic over a bounced data * connection */ 
@@ -934,7 +935,7 @@ int initialize_ftp(FTP_SESSION* session, Packet* p, int iMode) if (iRet != FTPP_SUCCESS && iRet != FTPP_NORMALIZED) { if (iRet == FTPP_ALERT) - SnortEventqAdd(GID_FTP, FTP_EVASIVE_TELNET_CMD); + DetectionEngine::queue_event(GID_FTP, FTP_EVASIVE_TELNET_CMD); return iRet; } @@ -945,7 +946,7 @@ int initialize_ftp(FTP_SESSION* session, Packet* p, int iMode) if ( (iMode == FTPP_SI_CLIENT_MODE) || (iMode == FTPP_SI_SERVER_MODE) ) { - SnortEventqAdd(GID_FTP, FTP_TELNET_CMD); + DetectionEngine::queue_event(GID_FTP, FTP_TELNET_CMD); return FTPP_ALERT; /* Nothing else to do since we alerted */ } @@ -1237,9 +1238,8 @@ static int do_stateful_checks(FTP_SESSION* session, Packet* p, { /* Could check that response msg includes "TLS" */ session->encr_state = AUTH_TLS_ENCRYPTED; - SnortEventqAdd(GID_FTP, FTP_ENCRYPTED); - DebugMessage(DEBUG_FTPTELNET, - "FTP stream is now TLS encrypted\n"); + DetectionEngine::queue_event(GID_FTP, FTP_ENCRYPTED); + DebugMessage(DEBUG_FTPTELNET, "FTP stream is now TLS encrypted\n"); } break; case AUTH_SSL_CMD_ISSUED: @@ -1247,18 +1247,16 @@ static int do_stateful_checks(FTP_SESSION* session, Packet* p, { /* Could check that response msg includes "SSL" */ session->encr_state = AUTH_SSL_ENCRYPTED; - SnortEventqAdd(GID_FTP, FTP_ENCRYPTED); - DebugMessage(DEBUG_FTPTELNET, - "FTP stream is now SSL encrypted\n"); + DetectionEngine::queue_event(GID_FTP, FTP_ENCRYPTED); + DebugMessage(DEBUG_FTPTELNET, "FTP stream is now SSL encrypted\n"); } break; case AUTH_UNKNOWN_CMD_ISSUED: if (rsp_code == 234) { session->encr_state = AUTH_UNKNOWN_ENCRYPTED; - SnortEventqAdd(GID_FTP, FTP_ENCRYPTED); - DebugMessage(DEBUG_FTPTELNET, - "FTP stream is now encrypted\n"); + DetectionEngine::queue_event(GID_FTP, FTP_ENCRYPTED); + DebugMessage(DEBUG_FTPTELNET, "FTP stream is now encrypted\n"); } break; } 
@@ -1414,7 +1412,7 @@ int check_ftp(FTP_SESSION* ftpssn, Packet* p, int iMode) if (ftpssn->encr_state == 0) { ftpssn->encr_state = AUTH_UNKNOWN_ENCRYPTED; - SnortEventqAdd(GID_FTP, FTP_ENCRYPTED); + DetectionEngine::queue_event(GID_FTP, FTP_ENCRYPTED); if (!ftpssn->server_conf->check_encrypted_data) { @@ -1435,7 +1433,7 @@ int check_ftp(FTP_SESSION* ftpssn, Packet* p, int iMode) if ( req->cmd_size > ftpssn->server_conf->max_cmd_len ) { /* Alert, cmd not found */ - SnortEventqAdd(GID_FTP, FTP_INVALID_CMD); + DetectionEngine::queue_event(GID_FTP, FTP_INVALID_CMD); state = FTP_CMD_INV; } else @@ -1447,7 +1445,7 @@ int check_ftp(FTP_SESSION* ftpssn, Packet* p, int iMode) if ((iRet == FTPP_NOT_FOUND) || (CmdConf == nullptr)) { /* Alert, cmd not found */ - SnortEventqAdd(GID_FTP, FTP_INVALID_CMD); + DetectionEngine::queue_event(GID_FTP, FTP_INVALID_CMD); state = FTP_CMD_INV; } else @@ -1493,7 +1491,7 @@ int check_ftp(FTP_SESSION* ftpssn, Packet* p, int iMode) if (ftpssn->encr_state == 0) { ftpssn->encr_state = AUTH_UNKNOWN_ENCRYPTED; - SnortEventqAdd(GID_FTP, FTP_ENCRYPTED); + DetectionEngine::queue_event(GID_FTP, FTP_ENCRYPTED); if (!ftpssn->server_conf->check_encrypted_data) { @@ -1677,7 +1675,7 @@ int check_ftp(FTP_SESSION* ftpssn, Packet* p, int iMode) (req->param_size > ftpssn->client_conf->max_resp_len)) { /* Alert on response message overflow */ - SnortEventqAdd(GID_FTP, FTP_RESPONSE_LENGTH_OVERFLOW); + DetectionEngine::queue_event(GID_FTP, FTP_RESPONSE_LENGTH_OVERFLOW); iRet = FTPP_ALERT; } @@ -1696,7 +1694,7 @@ int check_ftp(FTP_SESSION* ftpssn, Packet* p, int iMode) (req->param_size > ftpssn->client_conf->max_resp_len)) { /* Alert on response message overflow */ - SnortEventqAdd(GID_FTP, FTP_RESPONSE_LENGTH_OVERFLOW); + DetectionEngine::queue_event(GID_FTP, FTP_RESPONSE_LENGTH_OVERFLOW); iRet = FTPP_ALERT; } break; 
@@ -1709,7 +1707,7 @@ int check_ftp(FTP_SESSION* ftpssn, Packet* p, int iMode) (req->param_size > ftpssn->client_conf->max_resp_len)) { /* Alert on response message overflow */ - SnortEventqAdd(GID_FTP, FTP_RESPONSE_LENGTH_OVERFLOW); + DetectionEngine::queue_event(GID_FTP, FTP_RESPONSE_LENGTH_OVERFLOW); iRet = FTPP_ALERT; } break; @@ -1726,7 +1724,7 @@ int check_ftp(FTP_SESSION* ftpssn, Packet* p, int iMode) if ( req->param_size > max ) { /* Alert on param length overrun */ - SnortEventqAdd(GID_FTP, FTP_PARAMETER_LENGTH_OVERFLOW); + DetectionEngine::queue_event(GID_FTP, FTP_PARAMETER_LENGTH_OVERFLOW); DebugFormat(DEBUG_FTPTELNET, "FTP command: %.*s" "parameter length overrun %u > %u \n", req->cmd_size, req->cmd_begin, req->param_size, max); @@ -1825,7 +1823,7 @@ int check_ftp(FTP_SESSION* ftpssn, Packet* p, int iMode) if (iRet < 0) { /* Set Alert on malformatted parameter */ - SnortEventqAdd(GID_FTP, FTP_MALFORMED_PARAMETER); + DetectionEngine::queue_event(GID_FTP, FTP_MALFORMED_PARAMETER); iRet = FTPP_ALERT; break; } diff --git a/src/service_inspectors/ftp_telnet/pp_telnet.cc b/src/service_inspectors/ftp_telnet/pp_telnet.cc index 8158fc7f3..0d94f7955 100644 --- a/src/service_inspectors/ftp_telnet/pp_telnet.cc +++ b/src/service_inspectors/ftp_telnet/pp_telnet.cc @@ -47,6 +47,7 @@ #include "pp_telnet.h" +#include "detection/detection_engine.h" #include "detection/detection_util.h" #include "protocols/packet.h" #include "stream/stream.h" @@ -142,7 +143,7 @@ int normalize_telnet( if (tnssn) { tnssn->encr_state = 1; - SnortEventqAdd(GID_TELNET, TELNET_ENCRYPTED); + DetectionEngine::queue_event(GID_TELNET, TELNET_ENCRYPTED); if (!tnssn->telnet_conf->check_encrypted_data) { @@ -249,7 +250,7 @@ int normalize_telnet( tnssn->telnet_conf->ayt_threshold)) { /* Alert on consecutive AYT commands */ - SnortEventqAdd(GID_TELNET, TELNET_AYT_OVERFLOW); + DetectionEngine::queue_event(GID_TELNET, TELNET_AYT_OVERFLOW); tnssn->consec_ayt = 0; return FTPP_ALERT; } 
@@ -339,7 +340,7 @@ int normalize_telnet( if (tnssn) { tnssn->encr_state = 1; - SnortEventqAdd(GID_TELNET, TELNET_ENCRYPTED); + DetectionEngine::queue_event(GID_TELNET, TELNET_ENCRYPTED); if (!tnssn->telnet_conf->check_encrypted_data) { @@ -385,7 +386,7 @@ int normalize_telnet( else { /* Alert on SB without SE */ - SnortEventqAdd(GID_TELNET, TELNET_SB_NO_SE); + DetectionEngine::queue_event(GID_TELNET, TELNET_SB_NO_SE); ret = FTPP_ALERT; } diff --git a/src/service_inspectors/gtp/gtp_parser.cc b/src/service_inspectors/gtp/gtp_parser.cc index 08f2ea911..834ac3afd 100644 --- a/src/service_inspectors/gtp/gtp_parser.cc +++ b/src/service_inspectors/gtp/gtp_parser.cc @@ -28,6 +28,7 @@ #include +#include "detection/detection_engine.h" #include "events/event_queue.h" #include "log/messages.h" @@ -38,7 +39,7 @@ static inline void alert(int sid) { - SnortEventqAdd(GID_GTP, sid); + DetectionEngine::queue_event(GID_GTP, sid); gtp_stats.events++; } diff --git a/src/service_inspectors/http_inspect/http_event_gen.h b/src/service_inspectors/http_inspect/http_event_gen.h index 454516539..0c93aeded 100644 --- a/src/service_inspectors/http_inspect/http_event_gen.h +++ b/src/service_inspectors/http_inspect/http_event_gen.h @@ -23,6 +23,7 @@ #include #include +#include "detection/detection_engine.h" #include "events/event_queue.h" #include "utils/util.h" @@ -42,7 +43,7 @@ public: assert(((int)sid > 0) && ((int)sid <= MAX)); if (!events_generated[sid-1]) { - SnortEventqAdd(HttpEnums::HTTP_GID, (uint32_t)sid); + DetectionEngine::queue_event(HttpEnums::HTTP_GID, (uint32_t)sid); events_generated[sid-1] = true; } } diff --git a/src/service_inspectors/http_inspect/test/http_module_test.cc b/src/service_inspectors/http_inspect/test/http_module_test.cc index 38c434311..cf918d80a 100644 --- a/src/service_inspectors/http_inspect/test/http_module_test.cc +++ b/src/service_inspectors/http_inspect/test/http_module_test.cc 
@@ -23,8 +23,8 @@ #include "config.h" #endif +#include "detection/detection_engine.h" #include "log/messages.h" -#include "events/event_queue.h" #include "service_inspectors/http_inspect/http_module.h" #include "service_inspectors/http_inspect/http_test_manager.h" @@ -46,7 +46,7 @@ void show_stats(PegCount*, const PegInfo*, IndexVec&, const char*, FILE*) { } void show_stats(SimpleStats*, const char*) { } void Value::get_bits(std::bitset<256ul>&) const {} -int SnortEventqAdd(unsigned int, unsigned int, RuleType) { return 0; } +int DetectionEngine::queue_event(unsigned int, unsigned int, RuleType) { return 0; } int32_t str_to_code(const uint8_t*, const int32_t, const StrCode []) { return 0; } int32_t substr_to_code(const uint8_t*, const int32_t, const StrCode []) { return 0; } diff --git a/src/service_inspectors/http_inspect/test/http_transaction_test.cc b/src/service_inspectors/http_inspect/test/http_transaction_test.cc index 92c5bb0a3..0fe26a305 100644 --- a/src/service_inspectors/http_inspect/test/http_transaction_test.cc +++ b/src/service_inspectors/http_inspect/test/http_transaction_test.cc @@ -38,7 +38,7 @@ using namespace HttpEnums; unsigned FlowData::flow_id = 0; FlowData::FlowData(unsigned, Inspector*) {} FlowData::~FlowData() {} -int SnortEventqAdd(unsigned int, unsigned int, RuleType) { return 0; } +int DetectionEngine::queue_event(unsigned int, unsigned int, RuleType) { return 0; } THREAD_LOCAL PegCount HttpModule::peg_counts[1]; class HttpUnitTestSetup diff --git a/src/service_inspectors/http_inspect/test/http_uri_norm_test.cc b/src/service_inspectors/http_inspect/test/http_uri_norm_test.cc index 2a7ebf985..f83186d10 100644 --- a/src/service_inspectors/http_inspect/test/http_uri_norm_test.cc +++ b/src/service_inspectors/http_inspect/test/http_uri_norm_test.cc 
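Review bot: The new stub `int DetectionEngine::queue_event(unsigned int, unsigned int, RuleType) { return 0; }` in http_transaction_test.cc (and the identical one in http_uri_norm_test.cc in the following hunk) is an out-of-class member definition, so it needs the `DetectionEngine` declaration in scope, yet neither file shows an include hunk, whereas http_module_test.cc adds `#include "detection/detection_engine.h"` for exactly this. If the declaration is not already reached transitively through http_module.h or another header, these two test units will fail to compile; adding the same include line as in http_module_test.cc makes the dependency explicit either way. http_module_test.cc also drops `#include "events/event_queue.h"` while the other two test files are left as they were, so the three stubs end up with slightly different include sets for the same replacement.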
@@ -40,7 +40,7 @@ void show_stats( PegCount*, const PegInfo*, IndexVec&, const char*, FILE*) { } void show_stats(SimpleStats*, const char*) { } void Value::get_bits(std::bitset<256ul>&) const {} -int SnortEventqAdd(unsigned int, unsigned int, RuleType) { return 0; } +int DetectionEngine::queue_event(unsigned int, unsigned int, RuleType) { return 0; } HttpJsNorm::HttpJsNorm(int, const HttpParaList::UriParam& uri_param_) : max_javascript_whitespaces(0), uri_param(uri_param_), javascript_search_mpse(nullptr), diff --git a/src/service_inspectors/imap/imap.cc b/src/service_inspectors/imap/imap.cc index 8a107624f..9352fd97d 100644 --- a/src/service_inspectors/imap/imap.cc +++ b/src/service_inspectors/imap/imap.cc @@ -24,7 +24,7 @@ #include "imap.h" -#include "events/event_queue.h" +#include "detection/detection_engine.h" #include "log/messages.h" #include "main/snort_debug.h" #include "profiler/profiler.h" @@ -385,7 +385,7 @@ static const uint8_t* IMAP_HandleCommand(Packet* p, IMAPData* imap_ssn, const ui } else { - SnortEventqAdd(GID_IMAP, IMAP_UNKNOWN_CMD); + DetectionEngine::queue_event(GID_IMAP, IMAP_UNKNOWN_CMD); DebugMessage(DEBUG_IMAP, "No known command found\n"); return eol; } @@ -555,7 +555,7 @@ static void IMAP_ProcessServerPacket(Packet* p, IMAPData* imap_ssn) } if ( (*ptr != '*') && (*ptr !='+') && (*ptr != '\r') && (*ptr != '\n') ) { - SnortEventqAdd(GID_IMAP, IMAP_UNKNOWN_RESP); + DetectionEngine::queue_event(GID_IMAP, IMAP_UNKNOWN_RESP); DebugMessage(DEBUG_IMAP, "Server response not found\n"); } } 
@@ -683,13 +683,13 @@ void ImapMime::decode_alert() switch ( decode_state->get_decode_type() ) { case DECODE_B64: - SnortEventqAdd(GID_IMAP, IMAP_B64_DECODING_FAILED); + DetectionEngine::queue_event(GID_IMAP, IMAP_B64_DECODING_FAILED); break; case DECODE_QP: - SnortEventqAdd(GID_IMAP, IMAP_QP_DECODING_FAILED); + DetectionEngine::queue_event(GID_IMAP, IMAP_QP_DECODING_FAILED); break; case DECODE_UU: - SnortEventqAdd(GID_IMAP, IMAP_UU_DECODING_FAILED); + DetectionEngine::queue_event(GID_IMAP, IMAP_UU_DECODING_FAILED); break; default: diff --git a/src/service_inspectors/modbus/modbus.cc b/src/service_inspectors/modbus/modbus.cc index e431c7053..288482ea6 100644 --- a/src/service_inspectors/modbus/modbus.cc +++ b/src/service_inspectors/modbus/modbus.cc @@ -25,6 +25,7 @@ #include "modbus.h" #include "events/event_queue.h" +#include "detection/detection_engine.h" #include "profiler/profiler.h" #include "protocols/packet.h" @@ -85,7 +86,7 @@ void Modbus::eval(Packet* p) // If a packet is rebuilt, but not a full PDU, then it's garbage that // got flushed at the end of a stream. if ( p->packet_flags & (PKT_REBUILT_STREAM|PKT_PDU_HEAD) ) - SnortEventqAdd(GID_MODBUS, MODBUS_BAD_LENGTH); + DetectionEngine::queue_event(GID_MODBUS, MODBUS_BAD_LENGTH); return; } diff --git a/src/service_inspectors/modbus/modbus_decode.cc b/src/service_inspectors/modbus/modbus_decode.cc index 9b5e45866..4e38f6ebf 100644 --- a/src/service_inspectors/modbus/modbus_decode.cc +++ b/src/service_inspectors/modbus/modbus_decode.cc @@ -25,6 +25,7 @@ #include "modbus_decode.h" +#include "detection/detection_engine.h" #include "events/event_queue.h" #include "protocols/packet.h" @@ -234,7 +235,7 @@ static void ModbusCheckRequestLengths(modbus_session_data_t* session, Packet* p) } if (!check_passed) - SnortEventqAdd(GID_MODBUS, MODBUS_BAD_LENGTH); + DetectionEngine::queue_event(GID_MODBUS, MODBUS_BAD_LENGTH); } static void ModbusCheckResponseLengths(modbus_session_data_t* session, Packet* p) 
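Review bot: In the modbus.cc include hunk (`@@ -25,6 +25,7 @@`) the new `#include "detection/detection_engine.h"` is inserted after `#include "events/event_queue.h"`, breaking the alphabetical grouping that the neighbouring includes follow and that every other file in this patch (modbus_decode.cc, modbus_paf.cc, sip.cc, sip_dialog.cc, ssh.cc, ...) keeps by placing `detection/` before `events/`; the same applies to rpc_decode.cc, where `detection/detection_engine.h` lands after `detection/detection_util.h`. Swapping the two lines in each file restores the order. Separately, most files here add the new header but keep `#include "events/event_queue.h"`, while imap.cc and pop.cc replace it; if the old header is still needed for event or GID constants that is fine, but where it is not, it is now a dead include worth dropping for consistency with imap.cc and pop.cc.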
@@ -362,7 +363,7 @@ static void ModbusCheckResponseLengths(modbus_session_data_t* session, Packet* p } if (!check_passed) - SnortEventqAdd(GID_MODBUS, MODBUS_BAD_LENGTH); + DetectionEngine::queue_event(GID_MODBUS, MODBUS_BAD_LENGTH); } static void ModbusCheckReservedFuncs(modbus_header_t* header, Packet* p) @@ -381,7 +382,7 @@ static void ModbusCheckReservedFuncs(modbus_header_t* header, Packet* p) sub_func = ntohs(sub_func); if ((sub_func == 19) || (sub_func >= 21)) - SnortEventqAdd(GID_MODBUS, MODBUS_RESERVED_FUNCTION); + DetectionEngine::queue_event(GID_MODBUS, MODBUS_RESERVED_FUNCTION); } break; @@ -397,7 +398,7 @@ static void ModbusCheckReservedFuncs(modbus_header_t* header, Packet* p) case 0x7D: case 0x7E: case 0x7F: - SnortEventqAdd(GID_MODBUS, MODBUS_RESERVED_FUNCTION); + DetectionEngine::queue_event(GID_MODBUS, MODBUS_RESERVED_FUNCTION); break; } } @@ -419,7 +420,7 @@ bool ModbusDecode(Packet* p) multiplexing with some other protocols over serial line. */ if (header->protocol_id != MODBUS_PROTOCOL_ID) { - SnortEventqAdd(GID_MODBUS, MODBUS_BAD_PROTO_ID); + DetectionEngine::queue_event(GID_MODBUS, MODBUS_BAD_PROTO_ID); return false; } diff --git a/src/service_inspectors/modbus/modbus_paf.cc b/src/service_inspectors/modbus/modbus_paf.cc index d91da7601..c71f2e06c 100644 --- a/src/service_inspectors/modbus/modbus_paf.cc +++ b/src/service_inspectors/modbus/modbus_paf.cc @@ -26,6 +26,7 @@ #include "modbus_paf.h" +#include "detection/detection_engine.h" #include "events/event_queue.h" #include "modbus.h" @@ -78,7 +79,7 @@ StreamSplitter::Status ModbusSplitter::scan( if ((modbus_length < MODBUS_MIN_HDR_LEN) || (modbus_length > MODBUS_MAX_HDR_LEN)) { - SnortEventqAdd(GID_MODBUS, MODBUS_BAD_LENGTH); + DetectionEngine::queue_event(GID_MODBUS, MODBUS_BAD_LENGTH); } *fp = modbus_length + bytes_processed; diff --git a/src/service_inspectors/pop/pop.cc b/src/service_inspectors/pop/pop.cc index 5750e7f5e..c55589d61 100644 --- a/src/service_inspectors/pop/pop.cc 
+++ b/src/service_inspectors/pop/pop.cc @@ -24,7 +24,7 @@ #include "pop.h" -#include "events/event_queue.h" +#include "detection/detection_engine.h" #include "log/messages.h" #include "main/snort_debug.h" #include "profiler/profiler.h" @@ -367,7 +367,7 @@ static const uint8_t* POP_HandleCommand(Packet* p, POPData* pop_ssn, const uint8 } else { - SnortEventqAdd(GID_POP, POP_UNKNOWN_CMD); + DetectionEngine::queue_event(GID_POP, POP_UNKNOWN_CMD); DebugMessage(DEBUG_POP, "No known command found\n"); return eol; } @@ -493,7 +493,7 @@ static void POP_ProcessServerPacket(Packet* p, POPData* pop_ssn) } else if (*ptr == '+') { - SnortEventqAdd(GID_POP, POP_UNKNOWN_RESP); + DetectionEngine::queue_event(GID_POP, POP_UNKNOWN_RESP); DebugMessage(DEBUG_POP, "Server response not found\n"); } } @@ -621,13 +621,13 @@ void PopMime::decode_alert() switch ( decode_state->get_decode_type() ) { case DECODE_B64: - SnortEventqAdd(GID_POP, POP_B64_DECODING_FAILED); + DetectionEngine::queue_event(GID_POP, POP_B64_DECODING_FAILED); break; case DECODE_QP: - SnortEventqAdd(GID_POP, POP_QP_DECODING_FAILED); + DetectionEngine::queue_event(GID_POP, POP_QP_DECODING_FAILED); break; case DECODE_UU: - SnortEventqAdd(GID_POP, POP_UU_DECODING_FAILED); + DetectionEngine::queue_event(GID_POP, POP_UU_DECODING_FAILED); break; default: diff --git a/src/service_inspectors/rpc_decode/rpc_decode.cc b/src/service_inspectors/rpc_decode/rpc_decode.cc index 9b998059f..1a8d1489d 100644 --- a/src/service_inspectors/rpc_decode/rpc_decode.cc +++ b/src/service_inspectors/rpc_decode/rpc_decode.cc @@ -39,6 +39,7 @@ #endif #include "detection/detection_util.h" +#include "detection/detection_engine.h" #include "framework/data_bus.h" #include "log/messages.h" #include "profiler/profiler.h" 
@@ -152,23 +153,23 @@ static inline void RpcPreprocEvent( switch (event) { case RPC_FRAG_TRAFFIC: - SnortEventqAdd(GID_RPC_DECODE, RPC_FRAG_TRAFFIC); + DetectionEngine::queue_event(GID_RPC_DECODE, RPC_FRAG_TRAFFIC); break; case RPC_MULTIPLE_RECORD: - SnortEventqAdd(GID_RPC_DECODE, RPC_MULTIPLE_RECORD); + DetectionEngine::queue_event(GID_RPC_DECODE, RPC_MULTIPLE_RECORD); break; case RPC_LARGE_FRAGSIZE: - SnortEventqAdd(GID_RPC_DECODE, RPC_LARGE_FRAGSIZE); + DetectionEngine::queue_event(GID_RPC_DECODE, RPC_LARGE_FRAGSIZE); break; case RPC_INCOMPLETE_SEGMENT: - SnortEventqAdd(GID_RPC_DECODE, RPC_INCOMPLETE_SEGMENT); + DetectionEngine::queue_event(GID_RPC_DECODE, RPC_INCOMPLETE_SEGMENT); break; case RPC_ZERO_LENGTH_FRAGMENT: - SnortEventqAdd(GID_RPC_DECODE, RPC_ZERO_LENGTH_FRAGMENT); + DetectionEngine::queue_event(GID_RPC_DECODE, RPC_ZERO_LENGTH_FRAGMENT); break; default: diff --git a/src/service_inspectors/sip/sip.cc b/src/service_inspectors/sip/sip.cc index 7743d1721..a4e5b9461 100644 --- a/src/service_inspectors/sip/sip.cc +++ b/src/service_inspectors/sip/sip.cc @@ -23,6 +23,7 @@ #include "sip.h" +#include "detection/detection_engine.h" #include "events/event_queue.h" #include "log/messages.h" #include "managers/inspector_manager.h" @@ -34,9 +35,6 @@ THREAD_LOCAL ProfileStats sipPerfStats; -/* - * Function prototype(s) - */ static void snort_sip(SIP_PROTO_CONF* GlobalConf, Packet* p); static void FreeSipData(void*); @@ -54,7 +52,7 @@ static SIPData* SetNewSIPData(Packet* p, SIP_PROTO_CONF* config) if (numSessions > config->maxNumSessions) { if (!MaxSessionsAlerted) - SnortEventqAdd(GID_SIP, SIP_EVENT_MAX_SESSIONS); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_MAX_SESSIONS); MaxSessionsAlerted = 1; return NULL; } diff --git a/src/service_inspectors/sip/sip_dialog.cc b/src/service_inspectors/sip/sip_dialog.cc index a8232f9e2..58bb31946 100644 --- a/src/service_inspectors/sip/sip_dialog.cc +++ b/src/service_inspectors/sip/sip_dialog.cc 
@@ -25,6 +25,7 @@ #include "sip_dialog.h" +#include "detection/detection_engine.h" #include "events/event_queue.h" #include "framework/data_bus.h" #include "main/snort_debug.h" @@ -155,7 +156,7 @@ static int SIP_processInvite(SIPMsg* sipMsg, SIP_DialogData* dialog, SIP_DialogL DebugFormat(DEBUG_SIP, "Dialog state code: %hu\n", dialog->status_code); - SnortEventqAdd(GID_SIP, SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK); return false; } if (SIP_DLG_ESTABLISHED == dialog->state) @@ -172,7 +173,7 @@ static int SIP_processInvite(SIPMsg* sipMsg, SIP_DialogData* dialog, SIP_DialogL { ret = SIP_checkMediaChange(sipMsg, dialog); if (false == ret) - SnortEventqAdd(GID_SIP, SIP_EVENT_AUTH_INVITE_DIFF_SESSION); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_AUTH_INVITE_DIFF_SESSION); SIP_updateMedias(sipMsg->mediaSession, &dialog->mediaSessions); } else if (SIP_DLG_TERMINATED == dialog->state) @@ -703,7 +704,7 @@ int SIP_updateDialog(SIPMsg* sipMsg, SIP_DialogList* dList, Packet* p, SIP_PROTO /*If the number of dialogs exceeded, release the oldest one*/ if ((dList->num_dialogs >= config->maxNumDialogsInSession) && (!dialog)) { - SnortEventqAdd(GID_SIP, SIP_EVENT_MAX_DIALOGS_IN_A_SESSION); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_MAX_DIALOGS_IN_A_SESSION); SIP_deleteDialog(oldDialog, dList); } diff --git a/src/service_inspectors/sip/sip_parser.cc b/src/service_inspectors/sip/sip_parser.cc index cc1551844..6a13ff462 100644 --- a/src/service_inspectors/sip/sip_parser.cc +++ b/src/service_inspectors/sip/sip_parser.cc @@ -25,6 +25,7 @@ #include "sip_parser.h" +#include "detection/detection_engine.h" #include "events/event_queue.h" #include "main/snort_debug.h" #include "utils/util.h" 
@@ -361,7 +362,7 @@ static bool sip_startline_parse(SIPMsg* msg, const char* buff, char* end, char** /*Check SIP version number, end with SP*/ if (!(sip_is_valid_version(buff + SIP_KEYWORD_LEN) && (*(buff + SIP_VERSION_LEN) == ' '))) { - SnortEventqAdd(GID_SIP, SIP_EVENT_INVALID_VERSION); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_INVALID_VERSION); } space = (char*)strchr(buff, ' '); @@ -370,7 +371,7 @@ static bool sip_startline_parse(SIPMsg* msg, const char* buff, char* end, char** statusCode = SnortStrtoul(space + 1, NULL, 10); if (( statusCode > MAX_STAT_CODE) || (statusCode < MIN_STAT_CODE )) { - SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_STATUS_CODE); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_STATUS_CODE); msg->status_code = MAX_STAT_CODE + 1; } else @@ -415,9 +416,9 @@ static bool sip_startline_parse(SIPMsg* msg, const char* buff, char* end, char** DebugFormat(DEBUG_SIP, "uri: %.*s, length: %hu\n", msg->uriLen, msg->uri, msg->uriLen); if (0 == msg->uriLen) - SnortEventqAdd(GID_SIP, SIP_EVENT_EMPTY_REQUEST_URI); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_EMPTY_REQUEST_URI); else if (config->maxUriLen && (msg->uriLen > config->maxUriLen)) - SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_URI); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_URI); version = space + 1; if (version + SIP_VERSION_LEN > end) @@ -427,12 +428,12 @@ static bool sip_startline_parse(SIPMsg* msg, const char* buff, char* end, char** /*Check SIP version number, end with CRLF*/ if (!sip_is_valid_version(*lineEnd - SIP_VERSION_NUM_LEN - numOfLineBreaks)) { - SnortEventqAdd(GID_SIP, SIP_EVENT_INVALID_VERSION); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_INVALID_VERSION); } if (NULL == method) { - SnortEventqAdd(GID_SIP, SIP_EVENT_UNKOWN_METHOD); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_UNKOWN_METHOD); return false; } } 
@@ -576,57 +577,57 @@ static bool sip_check_headers(SIPMsg* msg, SIP_PROTO_CONF* config) int ret = true; if (0 == msg->fromLen) { - SnortEventqAdd(GID_SIP, SIP_EVENT_EMPTY_FROM); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_EMPTY_FROM); ret = false; } else if (config->maxFromLen && (msg->fromLen > config->maxFromLen)) { - SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_FROM); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_FROM); ret = false; } if (0 == msg->toLen) { - SnortEventqAdd(GID_SIP, SIP_EVENT_EMPTY_TO); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_EMPTY_TO); ret = false; } else if (config->maxToLen && (msg->toLen > config->maxToLen)) { - SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_TO); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_TO); ret = false; } if (0 == msg->callIdLen) { - SnortEventqAdd(GID_SIP, SIP_EVENT_EMPTY_CALL_ID); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_EMPTY_CALL_ID); ret = false; } else if ( config->maxCallIdLen && (msg->callIdLen > config->maxCallIdLen)) { - SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_CALL_ID); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_CALL_ID); ret = false; } if (msg->cseqnum > MAX_NUM_32BIT) { - SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_CSEQ_NUM); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_CSEQ_NUM); ret = false; } if ( config->maxRequestNameLen && (msg->cseqNameLen > config->maxRequestNameLen)) { - SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_CSEQ_NAME); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_CSEQ_NAME); ret = false; } /*Alert here after parsing*/ if (0 == msg->viaLen) { - SnortEventqAdd(GID_SIP, SIP_EVENT_EMPTY_VIA); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_EMPTY_VIA); ret = false; } else if (config->maxViaLen && (msg->viaLen > config->maxViaLen)) { - SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_VIA); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_VIA); ret = false; } 
@@ -635,18 +636,18 @@ static bool sip_check_headers(SIPMsg* msg, SIP_PROTO_CONF* config) // Contact is required for invite message if ((0 == msg->contactLen)&&(msg->methodFlag == SIP_METHOD_INVITE)&&(0 == msg->status_code)) { - SnortEventqAdd(GID_SIP, SIP_EVENT_EMPTY_CONTACT); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_EMPTY_CONTACT); ret = false; } else if (config->maxContactLen && (msg->contactLen > config->maxContactLen)) { - SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_CONTACT); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_CONTACT); ret = false; } if ((0 == msg->contentTypeLen) && (msg->content_len > 0)) { - SnortEventqAdd(GID_SIP, SIP_EVENT_EMPTY_CONTENT_TYPE); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_EMPTY_CONTENT_TYPE); ret = false; } @@ -930,7 +931,7 @@ static int sip_parse_cseq(SIPMsg* msg, const char* start, const char* end, SIP_P if (NULL == method) { - SnortEventqAdd(GID_SIP, SIP_EVENT_INVALID_CSEQ_NAME); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_INVALID_CSEQ_NAME); return SIP_PARSE_ERROR; } else @@ -940,7 +941,7 @@ static int sip_parse_cseq(SIPMsg* msg, const char* start, const char* end, SIP_P msg->methodFlag = method->methodFlag; else if ( method->methodFlag != msg->methodFlag) { - SnortEventqAdd(GID_SIP, SIP_EVENT_MISMATCH_METHOD); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_MISMATCH_METHOD); } DebugFormat(DEBUG_SIP, "Found the method: %s, Flag: 0x%x\n", method->methodName, method->methodFlag); 
@@ -1045,12 +1046,12 @@ static int sip_parse_content_len(SIPMsg* msg, const char* start, const char*, msg->content_len = SnortStrtoul(start, &next, 10); if ( config->maxContentLen && (msg->content_len > config->maxContentLen)) - SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_CONTENT_LEN); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_CONTENT_LEN); /*Check the length of the value*/ if (next > start + SIP_CONTENT_LEN) // This check is to prevent overflow { if (config->maxContentLen) - SnortEventqAdd(GID_SIP, SIP_EVENT_BAD_CONTENT_LEN); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_BAD_CONTENT_LEN); return SIP_PARSE_ERROR; } DebugFormat(DEBUG_SIP, "Content length: %u\n", msg->content_len); @@ -1296,7 +1297,7 @@ bool sip_parse(SIPMsg* msg, const char* buff, char* end, SIP_PROTO_CONF* config) msg->bodyLen = end - start; /*Disable this check for TCP. Revisit this again when PAF enabled for SIP*/ if ((!msg->isTcp)&&(msg->content_len > msg->bodyLen)) - SnortEventqAdd(GID_SIP, SIP_EVENT_MISMATCH_CONTENT_LEN); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_MISMATCH_CONTENT_LEN); if (msg->content_len < msg->bodyLen) status = sip_body_parse(msg, start, start + msg->content_len, &nextIndex); @@ -1315,11 +1316,11 @@ bool sip_parse(SIPMsg* msg, const char* buff, char* end, SIP_PROTO_CONF* config) if (true == sip_startline_parse(msg, start + msg->content_len, end, &nextIndex, config)) { - SnortEventqAdd(GID_SIP, SIP_EVENT_MULTI_MSGS); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_MULTI_MSGS); } else { - SnortEventqAdd(GID_SIP, SIP_EVENT_MISMATCH_CONTENT_LEN); + DetectionEngine::queue_event(GID_SIP, SIP_EVENT_MISMATCH_CONTENT_LEN); } } return status; diff --git a/src/service_inspectors/smtp/smtp.cc b/src/service_inspectors/smtp/smtp.cc index 1e5b09834..8057d090a 100644 --- a/src/service_inspectors/smtp/smtp.cc +++ b/src/service_inspectors/smtp/smtp.cc 
@@ -22,6 +22,7 @@ #include "smtp.h" +#include "detection/detection_engine.h" #include "detection/detection_util.h" #include "log/messages.h" #include "log/unified2.h" @@ -755,10 +756,10 @@ static const uint8_t* SMTP_HandleCommand(SMTP_PROTO_CONF* config, Packet* p, SMT if (smtp_ssn->state != STATE_AUTH) { - SnortEventqAdd(GID_SMTP,SMTP_UNKNOWN_CMD); + DetectionEngine::queue_event(GID_SMTP,SMTP_UNKNOWN_CMD); if (alert_long_command_line) - SnortEventqAdd(GID_SMTP, SMTP_COMMAND_OVERFLOW); + DetectionEngine::queue_event(GID_SMTP, SMTP_COMMAND_OVERFLOW); } /* if normalizing, copy line to alt buffer */ @@ -780,18 +781,18 @@ static const uint8_t* SMTP_HandleCommand(SMTP_PROTO_CONF* config, Packet* p, SMT { if (cmd_line_len > config->cmd_config[smtp_search_info.id].max_line_len) { - SnortEventqAdd(GID_SMTP, SMTP_SPECIFIC_CMD_OVERFLOW); + DetectionEngine::queue_event(GID_SMTP, SMTP_SPECIFIC_CMD_OVERFLOW); } } else if (alert_long_command_line) { - SnortEventqAdd(GID_SMTP, SMTP_COMMAND_OVERFLOW); + DetectionEngine::queue_event(GID_SMTP, SMTP_COMMAND_OVERFLOW); } if (config->cmd_config[smtp_search_info.id].alert) { /* Are we alerting on this command? */ - SnortEventqAdd(GID_SMTP, SMTP_ILLEGAL_CMD); + DetectionEngine::queue_event(GID_SMTP, SMTP_ILLEGAL_CMD); } switch (smtp_search_info.id) @@ -852,7 +853,7 @@ static const uint8_t* SMTP_HandleCommand(SMTP_PROTO_CONF* config, Packet* p, SMT eolm) && (smtp_ssn->state_flags & SMTP_FLAG_ABORT)) { - SnortEventqAdd(GID_SMTP, SMTP_AUTH_ABORT_AUTH); + DetectionEngine::queue_event(GID_SMTP, SMTP_AUTH_ABORT_AUTH); } smtp_ssn->state_flags &= ~(SMTP_FLAG_ABORT); break; @@ -1186,7 +1187,7 @@ static void SMTP_ProcessServerPacket(SMTP_PROTO_CONF* config, Packet* p, SMTPDat if ((config->max_response_line_len != 0) && (resp_line_len > config->max_response_line_len)) { - SnortEventqAdd(GID_SMTP, SMTP_RESPONSE_OVERFLOW); + DetectionEngine::queue_event(GID_SMTP, SMTP_RESPONSE_OVERFLOW); } ptr = eol; 
@@ -1399,12 +1400,12 @@ int SmtpMime::handle_header_line(const uint8_t* ptr, const uint8_t* eol, header_line_len = eol - ptr; if (max_header_len) - SnortEventqAdd(GID_SMTP, SMTP_HEADER_NAME_OVERFLOW); + DetectionEngine::queue_event(GID_SMTP, SMTP_HEADER_NAME_OVERFLOW); if ((config->max_header_line_len != 0) && (header_line_len > config->max_header_line_len)) { - SnortEventqAdd(GID_SMTP, SMTP_DATA_HDR_OVERFLOW); + DetectionEngine::queue_event(GID_SMTP, SMTP_DATA_HDR_OVERFLOW); } @@ -1452,13 +1453,13 @@ void SmtpMime::decode_alert() switch ( decode_state->get_decode_type() ) { case DECODE_B64: - SnortEventqAdd(GID_SMTP, SMTP_B64_DECODING_FAILED); + DetectionEngine::queue_event(GID_SMTP, SMTP_B64_DECODING_FAILED); break; case DECODE_QP: - SnortEventqAdd(GID_SMTP, SMTP_QP_DECODING_FAILED); + DetectionEngine::queue_event(GID_SMTP, SMTP_QP_DECODING_FAILED); break; case DECODE_UU: - SnortEventqAdd(GID_SMTP, SMTP_UU_DECODING_FAILED); + DetectionEngine::queue_event(GID_SMTP, SMTP_UU_DECODING_FAILED); break; default: diff --git a/src/service_inspectors/smtp/smtp_paf.cc b/src/service_inspectors/smtp/smtp_paf.cc index 1f99b1fa5..6395fa791 100644 --- a/src/service_inspectors/smtp/smtp_paf.cc +++ b/src/service_inspectors/smtp/smtp_paf.cc @@ -22,6 +22,7 @@ #include "smtp_paf.h" +#include "detection/detection_engine.h" #include "events/event_queue.h" #include "main/snort_debug.h" #include "protocols/packet.h" @@ -309,7 +310,7 @@ static inline StreamSplitter::Status smtp_paf_client(SmtpPafData* pfdata, (((int)i + pfdata->data_info.boundary_len) > max_auth_command_line_len) && !alert_generated) { - SnortEventqAdd(GID_SMTP, SMTP_AUTH_COMMAND_OVERFLOW); + DetectionEngine::queue_event(GID_SMTP, SMTP_AUTH_COMMAND_OVERFLOW); alert_generated = true; } if (ch == '\n') diff --git a/src/service_inspectors/smtp/smtp_xlink2state.cc b/src/service_inspectors/smtp/smtp_xlink2state.cc index 3269f99c5..8428f143c 100644 --- a/src/service_inspectors/smtp/smtp_xlink2state.cc 
+++ b/src/service_inspectors/smtp/smtp_xlink2state.cc @@ -26,6 +26,7 @@ #include "smtp_xlink2state.h" +#include "detection/detection_engine.h" #include "events/event_queue.h" #include "packet_io/active.h" @@ -246,7 +247,7 @@ int ParseXLink2State(SMTP_PROTO_CONF* config, Packet* p, SMTPData* smtp_ssn, con if (config->xlink2state == DROP_XLINK2STATE) Active::reset_session(p); - SnortEventqAdd(GID_SMTP, SMTP_XLINK2STATE_OVERFLOW); + DetectionEngine::queue_event(GID_SMTP, SMTP_XLINK2STATE_OVERFLOW); smtp_ssn->session_flags |= SMTP_FLAG_XLINK2STATE_ALERTED; return 1; diff --git a/src/service_inspectors/ssh/ssh.cc b/src/service_inspectors/ssh/ssh.cc index cb11d2855..e7ce1e5d1 100644 --- a/src/service_inspectors/ssh/ssh.cc +++ b/src/service_inspectors/ssh/ssh.cc @@ -29,6 +29,7 @@ #include "ssh.h" +#include "detection/detection_engine.h" #include "events/event_queue.h" #include "log/messages.h" #include "profiler/profiler.h" @@ -242,10 +243,10 @@ static void snort_ssh(SSH_PROTO_CONF* config, Packet* p) { // Probable exploit in progress. if (sessp->version == SSH_VERSION_1) - SnortEventqAdd(GID_SSH, SSH_EVENT_CRC32); + DetectionEngine::queue_event(GID_SSH, SSH_EVENT_CRC32); else - SnortEventqAdd(GID_SSH, SSH_EVENT_RESPOVERFLOW); + DetectionEngine::queue_event(GID_SSH, SSH_EVENT_RESPOVERFLOW); Stream::stop_inspection(p->flow, p, SSN_DIR_BOTH, -1, 0); } @@ -331,7 +332,7 @@ static unsigned int ProcessSSHProtocolVersionExchange(SSH_PROTO_CONF* config, SS * continue checking after that point*/ (SSHCheckStrlen(&version_stringp[6], config->MaxServerVersionLen-6))) { - SnortEventqAdd(GID_SSH, SSH_EVENT_SECURECRT); + DetectionEngine::queue_event(GID_SSH, SSH_EVENT_SECURECRT); } } else if ( p->dsize >= 6 && @@ -406,7 +407,7 @@ static unsigned int ProcessSSHKeyInitExchange(SSHData* sessionp, Packet* p, if ( dsize < 4 ) { { - SnortEventqAdd(GID_SSH, SSH_EVENT_PAYLOAD_SIZE); + DetectionEngine::queue_event(GID_SSH, SSH_EVENT_PAYLOAD_SIZE); } return 0; 
@@ -424,7 +425,7 @@ static unsigned int ProcessSSHKeyInitExchange(SSHData* sessionp, Packet* p, if ( dsize < length ) { { - SnortEventqAdd(GID_SSH, SSH_EVENT_PAYLOAD_SIZE); + DetectionEngine::queue_event(GID_SSH, SSH_EVENT_PAYLOAD_SIZE); } return 0; @@ -440,7 +441,7 @@ static unsigned int ProcessSSHKeyInitExchange(SSHData* sessionp, Packet* p, { if (offset == 0) { - SnortEventqAdd(GID_SSH, SSH_EVENT_PAYLOAD_SIZE); + DetectionEngine::queue_event(GID_SSH, SSH_EVENT_PAYLOAD_SIZE); } return 0; @@ -459,7 +460,7 @@ static unsigned int ProcessSSHKeyInitExchange(SSHData* sessionp, Packet* p, else { /* Server msg not from server. */ - SnortEventqAdd(GID_SSH, SSH_EVENT_WRONGDIR); + DetectionEngine::queue_event(GID_SSH, SSH_EVENT_WRONGDIR); } break; case SSH_MSG_V1_CMSG_SESSION_KEY: @@ -471,7 +472,7 @@ static unsigned int ProcessSSHKeyInitExchange(SSHData* sessionp, Packet* p, else { /* Client msg not from client. */ - SnortEventqAdd(GID_SSH, SSH_EVENT_WRONGDIR); + DetectionEngine::queue_event(GID_SSH, SSH_EVENT_WRONGDIR); } break; default: @@ -530,7 +531,7 @@ static unsigned int ProcessSSHKeyInitExchange(SSHData* sessionp, Packet* p, { { /* Unrecognized version. */ - SnortEventqAdd(GID_SSH, SSH_EVENT_VERSION); + DetectionEngine::queue_event(GID_SSH, SSH_EVENT_VERSION); } return 0; @@ -586,7 +587,7 @@ static unsigned int ProcessSSHKeyExchange(SSHData* sessionp, Packet* p, } { /* Invalid packet length. */ - SnortEventqAdd(GID_SSH, SSH_EVENT_PAYLOAD_SIZE); + DetectionEngine::queue_event(GID_SSH, SSH_EVENT_PAYLOAD_SIZE); } return 0; @@ -603,7 +604,7 @@ static unsigned int ProcessSSHKeyExchange(SSHData* sessionp, Packet* p, else { /* Client msg from server. */ - SnortEventqAdd(GID_SSH, SSH_EVENT_WRONGDIR); + DetectionEngine::queue_event(GID_SSH, SSH_EVENT_WRONGDIR); } break; case SSH_MSG_KEXDH_REPLY: 
@@ -619,7 +620,7 @@ static unsigned int ProcessSSHKeyExchange(SSHData* sessionp, Packet* p, else { /* Server msg from client. */ - SnortEventqAdd(GID_SSH, SSH_EVENT_WRONGDIR); + DetectionEngine::queue_event(GID_SSH, SSH_EVENT_WRONGDIR); } break; case SSH_MSG_KEXDH_GEX_REQ: @@ -631,7 +632,7 @@ static unsigned int ProcessSSHKeyExchange(SSHData* sessionp, Packet* p, else { /* Server msg from client. */ - SnortEventqAdd(GID_SSH, SSH_EVENT_WRONGDIR); + DetectionEngine::queue_event(GID_SSH, SSH_EVENT_WRONGDIR); } break; case SSH_MSG_KEXDH_GEX_GRP: @@ -643,7 +644,7 @@ static unsigned int ProcessSSHKeyExchange(SSHData* sessionp, Packet* p, else { /* Client msg from server. */ - SnortEventqAdd(GID_SSH, SSH_EVENT_WRONGDIR); + DetectionEngine::queue_event(GID_SSH, SSH_EVENT_WRONGDIR); } break; case SSH_MSG_KEXDH_GEX_INIT: @@ -655,7 +656,7 @@ static unsigned int ProcessSSHKeyExchange(SSHData* sessionp, Packet* p, else { /* Server msg from client. */ - SnortEventqAdd(GID_SSH, SSH_EVENT_WRONGDIR); + DetectionEngine::queue_event(GID_SSH, SSH_EVENT_WRONGDIR); } break; case SSH_MSG_NEWKEYS: diff --git a/src/service_inspectors/ssl/ssl_inspector.cc b/src/service_inspectors/ssl/ssl_inspector.cc index 6e91429a9..a0c967e80 100644 --- a/src/service_inspectors/ssl/ssl_inspector.cc +++ b/src/service_inspectors/ssl/ssl_inspector.cc 
@@ -313,21 +313,21 @@ static void snort_ssl(SSL_PROTO_CONF* config, Packet* p) if (heartbleed_type & SSL_HEARTBLEED_REQUEST) { - SnortEventqAdd(GID_SSL, SSL_ALERT_HB_REQUEST); + DetectionEngine::queue_event(GID_SSL, SSL_ALERT_HB_REQUEST); } else if (heartbleed_type & SSL_HEARTBLEED_RESPONSE) { - SnortEventqAdd(GID_SSL, SSL_ALERT_HB_RESPONSE); + DetectionEngine::queue_event(GID_SSL, SSL_ALERT_HB_RESPONSE); } else if (heartbleed_type & SSL_HEARTBLEED_UNKNOWN) { if (!dir) { - SnortEventqAdd(GID_SSL, SSL_ALERT_HB_REQUEST); + DetectionEngine::queue_event(GID_SSL, SSL_ALERT_HB_REQUEST); } else { - SnortEventqAdd(GID_SSL, SSL_ALERT_HB_RESPONSE); + DetectionEngine::queue_event(GID_SSL, SSL_ALERT_HB_RESPONSE); } } if (sd->ssn_flags & SSL_ENCRYPTED_FLAG ) @@ -357,14 +357,14 @@ static void snort_ssl(SSL_PROTO_CONF* config, Packet* p) if ( (SSL_IS_CHELLO(new_flags) && SSL_IS_CHELLO(sd->ssn_flags) && SSL_IS_SHELLO(sd->ssn_flags) ) || (SSL_IS_CHELLO(new_flags) && SSL_IS_SHELLO(sd->ssn_flags) )) { - SnortEventqAdd(GID_SSL, SSL_INVALID_CLIENT_HELLO); + DetectionEngine::queue_event(GID_SSL, SSL_INVALID_CLIENT_HELLO); } else if (!(config->trustservers)) { if ( (SSL_IS_SHELLO(new_flags) && !SSL_IS_CHELLO(sd->ssn_flags) )) { if (!(Stream::missed_packets(p->flow, SSN_DIR_FROM_CLIENT))) - SnortEventqAdd(GID_SSL, SSL_INVALID_SERVER_HELLO); + DetectionEngine::queue_event(GID_SSL, SSL_INVALID_SERVER_HELLO); } } diff --git a/src/stream/ip/ip_defrag.cc b/src/stream/ip/ip_defrag.cc index a1c54fc5f..b07b1a1b9 100644 --- a/src/stream/ip/ip_defrag.cc +++ b/src/stream/ip/ip_defrag.cc @@ -214,7 +214,7 @@ static void FragPrintEngineConfig(FragEngine* engine) */ static inline void EventAnomIpOpts(FragEngine*) { - SnortEventqAdd(GID_DEFRAG, DEFRAG_IPOPTIONS); + DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_IPOPTIONS); ip_stats.alerts++; } 
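Review bot: The six call sites in snort_ssl (ssl_inspector.cc, lines 313–375) now call `DetectionEngine::queue_event`, but unlike nearly every other file in this patch no hunk adds `#include "detection/detection_engine.h"`, and the diffstat (`12 +-`, exactly the six replaced lines) confirms none was added; the same holds for ip_defrag.cc (`22 +-` for the eleven one-line helpers starting at EventAnomIpOpts). If the header is only reached transitively, both files compile by accident and will break when an intermediate header changes, so the include should be added explicitly as in ssh.cc and sip.cc. snort_ssl's body starts and ends outside these hunks, so the include position for ssl_inspector.cc is not visible here.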
@@ -227,7 +227,7 @@ static inline void EventAnomIpOpts(FragEngine*) */ static inline void EventAttackTeardrop(FragEngine*) { - SnortEventqAdd(GID_DEFRAG, DEFRAG_TEARDROP); + DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_TEARDROP); ip_stats.alerts++; } @@ -240,7 +240,7 @@ static inline void EventAttackTeardrop(FragEngine*) */ static inline void EventTinyFragments(FragEngine*) { - SnortEventqAdd(GID_DEFRAG, DEFRAG_TINY_FRAGMENT); + DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_TINY_FRAGMENT); ip_stats.alerts++; } @@ -253,7 +253,7 @@ static inline void EventTinyFragments(FragEngine*) */ static inline void EventExcessiveOverlap(FragEngine*) { - SnortEventqAdd(GID_DEFRAG, DEFRAG_EXCESSIVE_OVERLAP); + DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_EXCESSIVE_OVERLAP); ip_stats.alerts++; } @@ -267,7 +267,7 @@ static inline void EventExcessiveOverlap(FragEngine*) */ static inline void EventAnomShortFrag(FragEngine*) { - SnortEventqAdd(GID_DEFRAG, DEFRAG_SHORT_FRAG); + DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_SHORT_FRAG); ip_stats.alerts++; ip_stats.anomalies++; } @@ -282,7 +282,7 @@ static inline void EventAnomShortFrag(FragEngine*) */ static inline void EventAnomOversize(FragEngine*) { - SnortEventqAdd(GID_DEFRAG, DEFRAG_ANOMALY_OVERSIZE); + DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_ANOMALY_OVERSIZE); ip_stats.alerts++; ip_stats.anomalies++; } @@ -297,7 +297,7 @@ static inline void EventAnomOversize(FragEngine*) */ static inline void EventAnomZeroFrag(FragEngine*) { - SnortEventqAdd(GID_DEFRAG, DEFRAG_ANOMALY_ZERO); + DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_ANOMALY_ZERO); ip_stats.alerts++; ip_stats.anomalies++; } @@ -311,7 +311,7 @@ static inline void EventAnomZeroFrag(FragEngine*) */ static inline void EventAnomBadsizeLg(FragEngine*) { - SnortEventqAdd(GID_DEFRAG, DEFRAG_ANOMALY_BADSIZE_LG); + DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_ANOMALY_BADSIZE_LG); ip_stats.alerts++; ip_stats.anomalies++; } 
@@ -325,7 +325,7 @@ static inline void EventAnomBadsizeLg(FragEngine*)
  */
 static inline void EventAnomBadsizeSm(FragEngine*)
 {
-    SnortEventqAdd(GID_DEFRAG, DEFRAG_ANOMALY_BADSIZE_SM);
+    DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_ANOMALY_BADSIZE_SM);
     ip_stats.alerts++;
     ip_stats.anomalies++;
 }
@@ -339,7 +339,7 @@ static inline void EventAnomBadsizeSm(FragEngine*)
  */
 static inline void EventAnomOverlap(FragEngine*)
 {
-    SnortEventqAdd(GID_DEFRAG, DEFRAG_ANOMALY_OVLP);
+    DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_ANOMALY_OVLP);
     ip_stats.alerts++;
     ip_stats.anomalies++;
 }
@@ -353,7 +353,7 @@ static inline void EventAnomOverlap(FragEngine*)
  */
 static inline void EventAnomMinTtl(FragEngine*)
 {
-    SnortEventqAdd(GID_DEFRAG, DEFRAG_MIN_TTL_EVASION);
+    DetectionEngine::queue_event(GID_DEFRAG, DEFRAG_MIN_TTL_EVASION);
     ip_stats.alerts++;
 }
diff --git a/src/stream/tcp/tcp_event_logger.cc b/src/stream/tcp/tcp_event_logger.cc
index 31666ed9f..679b2838a 100644
--- a/src/stream/tcp/tcp_event_logger.cc
+++ b/src/stream/tcp/tcp_event_logger.cc
@@ -25,6 +25,7 @@
 #include "tcp_event_logger.h"
+#include "detection/detection_engine.h"
 #include "detection/rules.h"
 #include "filters/sfrf.h"
 #include "main/snort_config.h"
@@ -92,7 +93,7 @@ void TcpEventLogger::log_internal_event(uint32_t eventSid)
     if (is_internal_event_enabled(snort_conf->rate_filter_config, eventSid))
     {
         tcpStats.internalEvents++;
-        SnortEventqAdd(GENERATOR_INTERNAL, eventSid);
+        DetectionEngine::queue_event(GENERATOR_INTERNAL, eventSid);
         DebugFormat(DEBUG_STREAM, "Stream raised internal event %d\n", eventSid);
     }
 }
@@ -104,7 +105,7 @@ void TcpEventLogger::log_tcp_events()
         uint32_t idx = ffs(tcp_events);
         if ( idx )
         {
-            SnortEventqAdd(GID_STREAM_TCP, tcp_event_sids[ idx ].sid);
+            DetectionEngine::queue_event(GID_STREAM_TCP, tcp_event_sids[ idx ].sid);
             tcp_events ^= tcp_event_sids[ idx ].event_id;
             tcpStats.events++;
         }
diff --git a/src/utils/stats.cc b/src/utils/stats.cc
index 5422819e4..502e5b599 100644
--- a/src/utils/stats.cc
+++ b/src/utils/stats.cc
@@ -23,6 +23,7 @@
 #include "stats.h"
+#include "detection/detection_engine.h"
 #include "file_api/file_stats.h"
 #include "filters/sfthreshold.h"
 #include "helpers/process.h"
@@ -283,7 +284,7 @@ void DropStats()
     PacketManager::dump_stats();
     // ensure proper counting of log_limit
-    SnortEventqResetCounts();
+    DetectionEngine::reset_counts();
     LogLabel("Module Statistics");
     const char* exclude = "daq snort";
-- 
2.47.2
