Merge pull request #960 in SNORT/snort3 from dump_buffer to master
authorTom Peters (thopeter) <thopeter@cisco.com>
Wed, 19 Jul 2017 20:31:36 +0000 (16:31 -0400)
committerTom Peters (thopeter) <thopeter@cisco.com>
Wed, 19 Jul 2017 20:31:36 +0000 (16:31 -0400)
Squashed commit of the following:

commit 3a0feab9993894fc00bcfdebb77e11b537ca0e35
Author: mdagon <mdagon@cisco.com>
Date:   Thu Jun 29 11:40:05 2017 -0400

    Rule evaluation trace utility

13 files changed:
src/detection/CMakeLists.txt
src/detection/Makefile.am
src/detection/context_switcher.cc
src/detection/detect_trace.cc [new file with mode: 0644]
src/detection/detect_trace.h [new file with mode: 0644]
src/detection/detection_engine.cc
src/detection/detection_options.cc
src/detection/fp_create.cc
src/detection/fp_create.h
src/detection/fp_detect.cc
src/main/snort_debug.cc
src/main/snort_debug.h
src/ports/port_group.h

index 1f7631a57b1000d8fa46272ed0b3009607b86f63..823b9a746d4dc40050e6b040fcf85c62ef473038 100644 (file)
@@ -5,6 +5,7 @@ set (DETECTION_INCLUDES
     detection_engine.h
     detection_options.h
     detection_util.h
+    detect_trace.h
     ips_context.h
     regex_offload.h
     rule_option_types.h
@@ -22,6 +23,7 @@ add_library (detection STATIC
     detection_options.cc
     detection_options.h
     detection_util.cc
+    detect_trace.cc
     fp_config.cc
     fp_config.h
     fp_create.cc
index df48f48dbd1499def7d1b76987e572f8b4278c7d..2b23711d542a6b3210e54318e180b1ab574ebb69 100644 (file)
@@ -9,6 +9,7 @@ detection_defines.h \
 detection_engine.h \
 detection_options.h \
 detection_util.h \
+detect_trace.h \
 ips_context.h \
 regex_offload.h \
 rule_option_types.h \
@@ -24,6 +25,7 @@ detection_engine.cc \
 detection_options.cc \
 detection_options.h \
 detection_util.cc \
+detect_trace.cc \
 fp_config.cc \
 fp_config.h \
 fp_create.cc \
index f6fe56d946e373d2a16b8f50cfd7814cd68e4647..c3b01a65137eadda83fc91744781979c03c7203f 100644 (file)
@@ -30,6 +30,7 @@
 #include "main/snort_debug.h"
 #include "utils/stats.h"
 
+#include "detect_trace.h"
 #include "ips_context.h"
 
 #ifdef UNIT_TEST
@@ -73,7 +74,7 @@ void ContextSwitcher::start()
 {
     assert(busy.empty());
     assert(idle.size() > 0);
-    trace_logf(detection, "%" PRIu64 " cs::start %u (i=%zu, b=%zu)\n",
+    trace_logf(detection, TRACE_DETECTION_ENGINE, "%" PRIu64 " cs::start %u (i=%zu, b=%zu)\n",
         pc.total_from_daq, idle.back()->get_slot(), idle.size(), busy.size());
     busy.push_back(idle.back());
     idle.pop_back();
@@ -82,7 +83,7 @@ void ContextSwitcher::start()
 void ContextSwitcher::stop()
 {
     assert(busy.size() == 1);
-    trace_logf(detection, "%" PRIu64 " cs::stop %u (i=%zu, b=%zu)\n",
+    trace_logf(detection, TRACE_DETECTION_ENGINE, "%" PRIu64 " cs::stop %u (i=%zu, b=%zu)\n",
         pc.total_from_daq, busy.back()->get_slot(), idle.size(), busy.size());
     idle.push_back(busy.back());
     busy.pop_back();
@@ -90,7 +91,7 @@ void ContextSwitcher::stop()
 
 void ContextSwitcher::abort()
 {
-    trace_logf(detection, "%" PRIu64 " cs::abort (i=%zu, b=%zu)\n",
+    trace_logf(detection, TRACE_DETECTION_ENGINE, "%" PRIu64 " cs::abort (i=%zu, b=%zu)\n",
         pc.total_from_daq, idle.size(), busy.size());
     for ( unsigned i = 0; i < hold.capacity(); ++i )
     {
@@ -110,7 +111,7 @@ void ContextSwitcher::abort()
 IpsContext* ContextSwitcher::interrupt()
 {
     assert(!idle.empty());
-    trace_logf(detection, "%" PRIu64 " cs::interrupt %u (i=%zu, b=%zu)\n",
+    trace_logf(detection, TRACE_DETECTION_ENGINE, "%" PRIu64 " cs::interrupt %u (i=%zu, b=%zu)\n",
         pc.total_from_daq, idle.back()->get_slot(), idle.size(), busy.size());
     busy.push_back(idle.back());
     idle.pop_back();
@@ -120,7 +121,7 @@ IpsContext* ContextSwitcher::interrupt()
 IpsContext* ContextSwitcher::complete()
 {
     assert(!busy.empty());
-    trace_logf(detection, "%" PRIu64 " cs::complete %u (i=%zu, b=%zu)\n",
+    trace_logf(detection, TRACE_DETECTION_ENGINE, "%" PRIu64 " cs::complete %u (i=%zu, b=%zu)\n",
         pc.total_from_daq, busy.back()->get_slot(), idle.size(), busy.size());
     idle.push_back(busy.back());
     busy.pop_back();
@@ -130,7 +131,7 @@ IpsContext* ContextSwitcher::complete()
 unsigned ContextSwitcher::suspend()
 {
     assert(!busy.empty());
-    trace_logf(detection, "%" PRIu64 " cs::suspend %u (i=%zu, b=%zu)\n",
+    trace_logf(detection, TRACE_DETECTION_ENGINE, "%" PRIu64 " cs::suspend %u (i=%zu, b=%zu)\n",
         pc.total_from_daq, busy.back()->get_slot(), idle.size(), busy.size());
     IpsContext* c = busy.back();
     busy.pop_back();
@@ -143,7 +144,7 @@ unsigned ContextSwitcher::suspend()
 void ContextSwitcher::resume(unsigned slot)
 {
     assert(slot <= hold.capacity());
-    trace_logf(detection, "%" PRIu64 " cs::resume %u (i=%zu, b=%zu)\n",
+    trace_logf(detection, TRACE_DETECTION_ENGINE, "%" PRIu64 " cs::resume %u (i=%zu, b=%zu)\n",
         pc.total_from_daq, slot, idle.size(), busy.size());
     busy.push_back(hold[slot]);
     hold[slot] = nullptr;
diff --git a/src/detection/detect_trace.cc b/src/detection/detect_trace.cc
new file mode 100644 (file)
index 0000000..84df1cb
--- /dev/null
@@ -0,0 +1,171 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2017-2017 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// detect_trace.cc author Maya Dagon <mdagon@cisco.com>
+
+#include "detect_trace.h"
+
+#include <cctype>
+#include <string>
+
+#include "log/log.h"
+#include "main/snort_debug.h"
+#include "main/thread.h"
+#include "utils/stats.h"
+#include "utils/util.h"
+#include "packet_io/active.h"
+
+#include "fp_create.h"
+#include "treenodes.h"
+
+using namespace std;
+
+Trace TRACE_NAME(detection);
+
+#ifdef DEBUG_MSGS
+
+const uint64_t trace_buffer = TRACE_BUFFER_MINIMAL | TRACE_BUFFER_VERBOSE;
+
+static THREAD_LOCAL char* cursor_name = nullptr;
+static THREAD_LOCAL unsigned cursor_pos = -1;
+static THREAD_LOCAL Packet* pkt = nullptr;
+
+void clear_trace_cursor_info()
+{
+    if (cursor_name != nullptr)
+    {
+        snort_free(cursor_name);
+        cursor_name = nullptr;
+    }
+    cursor_pos = -1;
+}
+
+void print_pkt_info(Packet* p)
+{
+    const char* dir;
+    string dst_addr, src_addr;
+    unsigned src_port = 0, dst_port = 0;
+
+    pkt = p; //save packet pointer for later
+
+    if ( pkt->is_from_client() )
+        dir = "C2S";
+    else if ( pkt->is_from_server() )
+        dir = "S2C";
+    else
+        dir = "UNK";
+
+    if ( pkt->has_ip() or pkt->is_data() )
+    {
+        src_addr = string(pkt->ptrs.ip_api.get_src()->ntoa());
+        dst_addr = string(pkt->ptrs.ip_api.get_dst()->ntoa());
+    }
+
+    if ( pkt->proto_bits & (PROTO_BIT__TCP|PROTO_BIT__UDP) )
+    {
+        src_port = pkt->ptrs.sp;
+        dst_port = pkt->ptrs.dp;
+    }
+
+    trace_logf(detection, TRACE_RULE_EVAL,"packet %" PRIu64 " %s %s:%u %s:%u\n",
+        pc.total_from_daq, dir, src_addr.c_str(), src_port, dst_addr.c_str(), dst_port);
+}
+
+void print_pattern(const PatternMatchData* pmd)
+{
+    string hex, txt, opts;
+
+    get_pattern_info(pmd, pmd->pattern_buf, pmd->pattern_size, hex, txt, opts);
+    trace_logf(detection, TRACE_RULE_EVAL,
+        "Fast pattern %s[%u] = '%s' |%s| %s\n",
+        pm_type_strings[pmd->pm_type],  pmd->pattern_size,
+        txt.c_str(), hex.c_str(), opts.c_str());
+}
+
+void dump_buffer(const uint8_t* buff, unsigned len)
+{
+    if (!trace_enabled(detection_trace, trace_buffer))
+        return;
+
+    if (len == 0)
+    {
+        trace_log(detection, "Buffer dump - empty buffer\n");
+        return;
+    }
+
+    assert (pkt != nullptr);
+    LogNetData(buff, len, pkt);
+}
+
+void node_eval_trace(const detection_option_tree_node_t* node, const Cursor& cursor)
+{
+    const char* name = cursor.get_name();
+    unsigned pos = cursor.get_pos();
+
+    if (node->option_type != RULE_OPTION_TYPE_LEAF_NODE )
+    {
+        trace_logf(detection, TRACE_RULE_EVAL,
+            "Evaulating option %s, cursor name %s, cursor position %u\n",
+            ((IpsOption*)node->option_data)->get_name(), name, pos);
+    }
+    else
+    {
+        trace_logf(detection, TRACE_RULE_EVAL, "Reached leaf, cursor name %s, cursor position %u\n",
+                                 name, pos);
+    }
+
+    if (!trace_enabled(detection_trace, trace_buffer))
+        return;
+
+    if (trace_enabled(detection_trace, TRACE_BUFFER_VERBOSE))
+    {
+        dump_buffer(cursor.buffer() + pos, cursor.length());
+    }
+    else if ((pos != cursor_pos) || strcmp(cursor_name, name))
+    {
+        cursor_pos = pos;
+        snort_free(cursor_name);
+        cursor_name = snort_strdup(name);
+        dump_buffer(cursor.buffer() + pos, cursor.length());
+    }
+}
+
+#else
+
+void clear_trace_cursor_info()
+{
+}
+
+void print_pkt_info(Packet*)
+{
+}
+
+void print_pattern(const PatternMatchData*)
+{
+}
+
+void dump_buffer(const uint8_t*, unsigned)
+{
+}
+
+void node_eval_trace(const detection_option_tree_node_t*, const Cursor&)
+{
+}
+
+#endif
+
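Review bot: `strcmp(cursor_name, name)` at L279 can run with `cursor_name == nullptr`: `clear_trace_cursor_info()` (and the initializer at L184) leave it null, and only the short-circuit on `pos != cursor_pos` with the `(unsigned)-1` sentinel keeps the null pointer away from strcmp, so a cursor position equal to that sentinel, or a null `name` from `cursor.get_name()`, would dereference null. Make the guard explicit, `else if ( pos != cursor_pos || !cursor_name || strcmp(cursor_name, name) )` — the following `snort_free(cursor_name)` presumably tolerates null, as the check in `clear_trace_cursor_info()` suggests. `strcmp` also needs `#include <cstring>`, which the file does not list (only `<cctype>` and `<string>`), so it currently compiles through a transitive include. The log text at L263 misspells "Evaluating" (`"Evaulating option %s, cursor name %s, cursor position %u\n"`).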
diff --git a/src/detection/detect_trace.h b/src/detection/detect_trace.h
new file mode 100644 (file)
index 0000000..1cb034d
--- /dev/null
@@ -0,0 +1,52 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2017-2017 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation.  You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// detect_trace.h author Maya Dagon
+
+#ifndef DETECT_TRACE_H
+#define DETECT_TRACE_H
+
+// Detection trace utility
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "framework/cursor.h"
+#include "main/snort_types.h"
+
+#include "detection_options.h"
+#include "pattern_match_data.h"
+
+enum
+{
+       TRACE_DETECTION_ENGINE = 0x1,
+       TRACE_RULE_EVAL = 0x2,
+       TRACE_BUFFER_MINIMAL = 0x4,
+       TRACE_BUFFER_VERBOSE = 0x8,
+       TRACE_RULE_VARS = 0x10
+};
+       
+void clear_trace_cursor_info();
+void print_pkt_info(Packet* p);
+void print_pattern(const PatternMatchData* pmd);
+void dump_buffer(const uint8_t* buff, unsigned len);
+void node_eval_trace(const detection_option_tree_node_t* node, const Cursor& cursor);
+
+#endif
+
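Review bot: The enum body at L354-L358 is indented with tabs and L360 is a whitespace-only line, while the rest of the file and the tree use four spaces; reindent with spaces and drop the trailing whitespace. The enum also deserves a comment saying the values are bit flags, since they are OR-ed together (`TRACE_BUFFER_MINIMAL | TRACE_BUFFER_VERBOSE` in detect_trace.cc) and passed as the flag argument of `trace_log`/`trace_logf`, e.g. `// bit flags selecting detection trace output; pass as trace_log(detection, FLAG, ...)`. The prototypes would benefit from one-line comments too, in particular `dump_buffer`, whose implementation asserts on a packet pointer saved by an earlier `print_pkt_info()` call in the same thread — a contract callers cannot see from this header.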
index b976cbe9e46dd11d92910096da13325c6ff69409..a02e36f8bf396c750329353bdd38b574725e69de 100644 (file)
 #include "context_switcher.h"
 #include "detection_util.h"
 #include "detect.h"
+#include "detect_trace.h"
 #include "fp_config.h"
 #include "fp_detect.h"
 #include "ips_context.h"
 #include "regex_offload.h"
 
-Trace TRACE_NAME(detection);
-
 static THREAD_LOCAL RegexOffload* offloader = nullptr;
 static THREAD_LOCAL DataPointer next_file_data = { nullptr, 0 };
 static THREAD_LOCAL uint64_t context_num = 0;
@@ -211,12 +210,12 @@ void DetectionEngine::idle()
     {
         while ( offloader->count() )
         {
-            trace_logf(detection, "%" PRIu64 " de::sleep\n", pc.total_from_daq);
+            trace_logf(detection, TRACE_DETECTION_ENGINE,  "%" PRIu64 " de::sleep\n", pc.total_from_daq);
             const struct timespec blip = { 0, 1 };
             nanosleep(&blip, nullptr);
             onload();
         }
-        trace_logf(detection, "%" PRIu64 " de::idle (r=%d)\n", pc.total_from_daq, offloader->count());
+        trace_logf(detection,  TRACE_DETECTION_ENGINE, "%" PRIu64 " de::idle (r=%d)\n", pc.total_from_daq, offloader->count());
         offloader->stop();
     }
 }
@@ -226,7 +225,7 @@ void DetectionEngine::onload(Flow* flow)
     while ( flow->is_offloaded() )
     {
         const struct timespec blip = { 0, 1 };
-        trace_logf(detection, "%" PRIu64 " de::sleep\n", pc.total_from_daq);
+        trace_logf(detection, TRACE_DETECTION_ENGINE, "%" PRIu64 " de::sleep\n", pc.total_from_daq);
         nanosleep(&blip, nullptr);
         onload();
     }
@@ -245,7 +244,7 @@ void DetectionEngine::onload()
     IpsContext* c = sw->get_context(id);
     assert(c);
 
-    trace_logf(detection, "%" PRIu64 " de::onload %u (r=%d)\n",
+    trace_logf(detection, TRACE_DETECTION_ENGINE, "%" PRIu64 " de::onload %u (r=%d)\n",
         pc.total_from_daq, id, offloader->count());
 
     Packet* p = c->packet;
@@ -275,7 +274,7 @@ bool DetectionEngine::offload(Packet* p)
     assert(p->context == sw->get_context());
     unsigned id = sw->suspend();
 
-    trace_logf(detection, "%" PRIu64 " de::offload %u (r=%d)\n",
+    trace_logf(detection, TRACE_DETECTION_ENGINE, "%" PRIu64 " de::offload %u (r=%d)\n",
         pc.total_from_daq, id, offloader->count());
 
     p->flow->set_offloaded();
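Review bot: The argument lists at L389 and L395 carry a doubled space (`TRACE_DETECTION_ENGINE,  "%"` and `detection,  TRACE_DETECTION_ENGINE`), unlike every other call converted in this commit; use single spaces, `trace_logf(detection, TRACE_DETECTION_ENGINE, "%" PRIu64 " de::sleep\n", pc.total_from_daq);`. Moving the `Trace TRACE_NAME(detection);` definition out of this file is fine, but the new home (detect_trace.cc) is not obvious from this translation unit, so a short comment near the `#include "detect_trace.h"` at L373 would help the next reader find it.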
index e1c25a261ff3f8835fde6ee293569806f0767f27..96e230eec5c8a70f91116df6667b382d38b4179f 100644 (file)
@@ -32,6 +32,8 @@
 
 #include "detection_options.h"
 
+#include <string>
+
 #include "filters/detection_filter.h"
 #include "framework/cursor.h"
 #include "hash/sfhashfcn.h"
@@ -41,7 +43,9 @@
 #include "latency/packet_latency.h"
 #include "latency/rule_latency_state.h"
 #include "log/messages.h"
+#include "main/modules.h"
 #include "main/snort_config.h"
+#include "main/snort_debug.h"
 #include "main/thread_config.h"
 #include "managers/ips_manager.h"
 #include "parser/parser.h"
 #include "protocols/packet_manager.h"
 #include "utils/util.h"
 
-#include "detection_defines.h"
-#include "fp_detect.h"
-#include "pattern_match_data.h"
-
 #include "detection_defines.h"
 #include "detection_engine.h"
 #include "detection_util.h"
+#include "detect_trace.h"
 #include "fp_create.h"
 #include "fp_detect.h"
 #include "ips_context.h"
@@ -365,6 +366,8 @@ int detection_option_node_evaluate(
     if ( !eval_data || !eval_data->p || !eval_data->pomd )
         return 0;
 
+    node_eval_trace(node, cursor);
+
     auto p = eval_data->p;
     auto pomd = eval_data->pomd;
 
@@ -383,6 +386,8 @@ int detection_option_node_evaluate(
                 !(p->packet_flags & PKT_IP_RULE_2ND) &&
                 !(p->proto_bits & (PROTO_BIT__TEREDO|PROTO_BIT__GTP)) )
             {
+                trace_log(detection, TRACE_RULE_EVAL,
+                    "Was evaluated before, returning last check result\n");
                 return last_check.result;
             }
         }
@@ -440,7 +445,9 @@ int detection_option_node_evaluate(
                     DebugFormat(DEBUG_DETECT,
                         "[**] SID %u not matched because of service mismatch (%d!=%d [**]\n",
                         sig_info.sid, app_proto, sig_info.services[0].service_ordinal);
-
+                    trace_logf(detection, TRACE_RULE_EVAL,
+                        "SID %u not matched because of service mismatch %d!=%d \n",
+                        sig_info.sid, app_proto, sig_info.services[0].service_ordinal);
                     break;  // out of case
                 }
             }
@@ -458,9 +465,13 @@ int detection_option_node_evaluate(
                 bool f_result = true;
 
                 if ( otn->detection_filter )
+                {
+                    trace_log(detection, TRACE_RULE_EVAL,
+                        "Evaluating detection filter\n");
                     f_result = !detection_filter_test(otn->detection_filter,
                         p->ptrs.ip_api.get_src(), p->ptrs.ip_api.get_dst(),
                         p->pkth->ts.tv_sec);
+                }
 
                 if ( f_result )
                 {
@@ -470,11 +481,21 @@ int detection_option_node_evaluate(
                     {
                         PatternMatchData* pmd = (PatternMatchData*)eval_data->pmd;
                         int pattern_size = pmd ? pmd->pattern_size : 0;
+#ifdef DEBUG_MSGS
+                        const SigInfo& si = otn->sigInfo;
+                        trace_logf(detection, TRACE_RULE_EVAL,
+                            "Matched rule gid:sid:rev %u:%u:%u\n", si.gid, si.sid, si.rev);
+#endif
+
                         fpAddMatch((OtnxMatchData*)pomd, pattern_size, otn);
                     }
                     result = rval = DETECTION_OPTION_MATCH;
                 }
             }
+#ifdef DEBUG_MSGS
+            else
+                trace_log(detection, TRACE_RULE_EVAL, "Header check failed\n");
+#endif
 
             break;
         }
@@ -530,11 +551,13 @@ int detection_option_node_evaluate(
 
         if ( rval == DETECTION_OPTION_NO_MATCH )
         {
+            trace_log(detection, TRACE_RULE_EVAL, "no match\n");
             state.last_check.result = result;
             return result;
         }
         else if ( rval == DETECTION_OPTION_FAILED_BIT )
         {
+            trace_log(detection, TRACE_RULE_EVAL, "failed bit\n");
             eval_data->flowbit_failed = 1;
             // clear the timestamp so failed flowbit gets eval'd again
             state.last_check.flowbit_failed = 1;
@@ -547,11 +570,18 @@ int detection_option_node_evaluate(
             // so nodes below this don't alert.
             tmp_noalert_flag = eval_data->flowbit_noalert;
             eval_data->flowbit_noalert = 1;
+            trace_log(detection, TRACE_RULE_EVAL, "flowbit no alert\n");
         }
 
         // Back up byte_extract vars so they don't get overwritten between rules
+        trace_log(detection, TRACE_RULE_VARS, "Rule options variables: \n");
         for ( int i = 0; i < NUM_IPS_OPTIONS_VARS; ++i )
+        {
             GetVarValueByIndex(&(tmp_byte_extract_vars[i]), (int8_t)i);
+            trace_logf_wo_name(detection, TRACE_RULE_VARS, "var[%d]=%d ", i,
+                tmp_byte_extract_vars[i]);
+        }
+        trace_log_wo_name(detection, TRACE_RULE_VARS, "\n");
 
         if ( PacketLatency::fastpath() )
         {
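Review bot: The `#ifdef DEBUG_MSGS` around the dangling `else` at L518-L521 exists only because `trace_log` expands to nothing in non-debug builds, which would otherwise attach the following `break;` to the `else`; braces make the structure independent of the macro and remove the conditional: `else { trace_log(detection, TRACE_RULE_EVAL, "Header check failed\n"); }` (the `}` at L517 presumably closes the header-check `if`). The guard at L507-L511 is there for a similar reason — `si` would be an unused local once the macro vanishes — and also goes away if the fields are passed directly: `trace_logf(detection, TRACE_RULE_EVAL, "Matched rule gid:sid:rev %u:%u:%u\n", otn->sigInfo.gid, otn->sigInfo.sid, otn->sigInfo.rev);`, assuming gid/sid/rev are unsigned as the existing `%u` uses at L481 and L611 suggest. At L551 `%d` is applied to `tmp_byte_extract_vars[i]`, whose type is not visible in the hunk; if it is an unsigned 32-bit type, `%u` (or `PRIu32`) is the matching conversion. `detection_option_node_evaluate` begins and ends outside these hunks.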
index baa302247ed3045fff18b5d3767c4eb5d58cea71..0c983bbd185d0e51f8ceeb03f4e82b658fbf3cee 100644 (file)
@@ -47,6 +47,7 @@
 #include "utils/util.h"
 
 #include "detection_options.h"
+#include "detect_trace.h"
 #include "fp_config.h"
 #include "fp_utils.h"
 #include "pattern_match_data.h"
@@ -54,6 +55,8 @@
 #include "service_map.h"
 #include "treenodes.h"
 
+using namespace std;
+
 static unsigned mpse_count = 0;
 static const char* s_group = "";
 
@@ -66,11 +69,6 @@ static void print_nfp_info(const char*, const OptTreeNode*);
 static void print_fp_info(const char*, const OptTreeNode*, const PatternMatchData*,
     const char* pattern, int pattern_length);
 
-static const char* const pm_type_strings[PM_TYPE_MAX] =
-{
-    "packet", "alt", "key", "header", "body", "file"
-};
-
 static int finalize_detection_option_tree(SnortConfig* sc, detection_option_tree_root_t* root)
 {
     if ( !root )
@@ -707,11 +705,9 @@ static int fpCreateRuleMaps(SnortConfig* sc, RulePortTables* p)
     if (fpCreateInitRuleMap(sc->prmIcmpRTNX, p->icmp.src, p->icmp.dst, p->icmp.any))
         return -1;
 
-
     if (fpCreateInitRuleMap(sc->prmTcpRTNX, p->tcp.src, p->tcp.dst, p->tcp.any))
         return -1;
 
-
     if (fpCreateInitRuleMap(sc->prmUdpRTNX, p->udp.src, p->udp.dst, p->udp.any))
         return -1;
 
@@ -1365,8 +1361,7 @@ static void fp_print_service_rules(SnortConfig* sc, SFGHASH* cli, SFGHASH* srv,
 static void fp_print_service_rules_by_proto(SnortConfig* sc, srmm_table_t* srmm)
 {
     for ( int i = SNORT_PROTO_IP; i < SNORT_PROTO_MAX; ++i )
-        fp_print_service_rules(sc, srmm->to_srv[i], srmm->to_cli[i],
-        sc->proto_ref->get_name(i));
+        fp_print_service_rules(sc, srmm->to_srv[i], srmm->to_cli[i], sc->proto_ref->get_name(i));
 }
 
 static void fp_sum_port_groups(PortGroup* pg, unsigned c[PM_TYPE_MAX])
@@ -1610,11 +1605,9 @@ static void print_nfp_info(const char* group, const OptTreeNode* otn)
         group, otn->sigInfo.gid, otn->sigInfo.sid, otn->sigInfo.rev);
 }
 
-static void print_fp_info(
-    const char* group, const OptTreeNode* otn, const PatternMatchData* pmd,
-    const char* pattern, int pattern_length)
+void get_pattern_info(const PatternMatchData* pmd,
+    const char* pattern, int pattern_length, string& hex, string& txt, string& opts)
 {
-    std::string hex, txt;
     char buf[8];
 
     for ( int i = 0; i < pattern_length; ++i )
@@ -1623,12 +1616,22 @@ static void print_fp_info(
         hex += buf;
         txt += isprint(pattern[i]) ? pattern[i] : '.';
     }
-    std::string opts = "(";
-    if ( pmd->is_fast_pattern() ) opts += " user";
-    if ( pmd->fp_only ) opts += " only";
-    if ( pmd->is_negated() ) opts += " negated";
+    opts = "(";
+    if ( pmd->is_fast_pattern() )
+        opts += " user";
+    if ( pmd->fp_only )
+        opts += " only";
+    if ( pmd->is_negated() )
+        opts += " negated";
     opts += " )";
+}
+
+static void print_fp_info(const char* group, const OptTreeNode* otn, const PatternMatchData* pmd,
+    const char* pattern, int pattern_length)
+{
+    std::string hex, txt, opts;
 
+    get_pattern_info(pmd, pattern, pattern_length, hex, txt, opts);
     LogMessage("FP %s %u:%u:%u %s[%d] = '%s' |%s| %s\n",
         group, otn->sigInfo.gid, otn->sigInfo.sid, otn->sigInfo.rev,
         pm_type_strings[pmd->pm_type], pattern_length,
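Review bot: `get_pattern_info` (L617-L640) appends to `hex` and `txt` but assigns `opts`, so a caller that reuses the strings accumulates hex/text from earlier calls while `opts` is replaced; either clear both at entry (`hex.clear(); txt.clear();`) or say in a comment above the function that it appends and callers must pass empty strings, as both current callers do. Now that the function is exported, the `isprint(pattern[i])` at L626 is worth fixing too: `pattern[i]` is a plain `char`, and `isprint` is undefined for negative values other than EOF, which content patterns with bytes ≥ 0x80 will produce — `txt += isprint(static_cast<unsigned char>(pattern[i])) ? pattern[i] : '.';`. The loop body that fills `buf` starts outside the hunk.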
index 76d8950b996626ed8663d378535ad3f5f36febe8..c8f7ec777728a794a242cc9c12dd09ba885a33aa 100644 (file)
@@ -27,6 +27,7 @@
 
 // this is where rule groups are compiled and MPSE are instantiated
 
+#include <string>
 #include "ports/port_group.h"
 
 struct SnortConfig;
@@ -51,6 +52,9 @@ struct NCListNode
 */
 int fpCreateFastPacketDetection(SnortConfig*);
 void fpDeleteFastPacketDetection(SnortConfig*);
+void get_pattern_info(const PatternMatchData* pmd,
+    const char* pattern, int pattern_length, std::string& hex, std::string& txt,
+    std::string& opts);
 
 #endif
 
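Review bot: The new `get_pattern_info` prototype at L664-L666 has three reference out-parameters and no comment saying what each receives; add one above it, e.g. `// fills hex with the pattern bytes in hex, txt with its printable form ('.' for non-printables), and opts with the fast-pattern flags, e.g. "( user only negated )"`. `#include <string>` at L656 sits directly against the project include without the blank line the rest of the tree places between system and project headers. If `PatternMatchData` is not declared by `ports/port_group.h`, add `struct PatternMatchData;` beside the existing `struct SnortConfig;` forward declaration at L659 rather than relying on the include order of callers.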
index b69f9a7f1003b97a78f5b526b98706eeb1952c44..5b291807ca60b95008f6a1c7cb573daa801ffbf6 100644 (file)
@@ -39,8 +39,6 @@
 
 #include "fp_detect.h"
 
-#include "detection/detection_engine.h"
-#include "detection/ips_context.h"
 #include "events/event.h"
 #include "filters/rate_filter.h"
 #include "filters/sfthreshold.h"
@@ -50,6 +48,7 @@
 #include "latency/rule_latency.h"
 #include "log/messages.h"
 #include "log/packet_tracer.h"
+#include "main/modules.h"
 #include "main/snort.h"
 #include "main/snort_config.h"
 #include "main/snort_debug.h"
 #include "utils/stats.h"
 #include "utils/util.h"
 
-#include "detect.h"
-#include "detection_options.h"
-#include "detection_util.h"
-#include "fp_config.h"
-#include "fp_create.h"
-#include "pattern_match_data.h"
-#include "pcrm.h"
-#include "service_map.h"
-
 #include "context_switcher.h"
+#include "detect.h"
+#include "detect_trace.h"
 #include "detection_util.h"
 #include "detection_engine.h"
 #include "detection_options.h"
@@ -313,7 +305,7 @@ int fpEvalRTN(RuleTreeNode* rtn, Packet* p, int check_ports)
 
     // FIXIT-L maybe add a port test here ...
 
-    DebugFormat(DEBUG_DETECT, "[*] Rule Head %p\n", (void*) rtn);
+    DebugFormat(DEBUG_DETECT, "[*] Rule Head %p\n", (void*)rtn);
 
     if (!rtn->rule_func->RuleHeadFunc(p, rtn, rtn->rule_func, check_ports))
     {
@@ -345,11 +337,14 @@ static int detection_option_tree_evaluate(detection_option_tree_root_t* root,
     Cursor c(eval_data->p);
     int rval = 0;
 
+    trace_log(detection, TRACE_RULE_EVAL, "Starting tree eval\n");
+
     for ( int i = 0; i < root->num_children; ++i )
     {
         // Increment number of events generated from that child
         rval += detection_option_node_evaluate(root->children[i], eval_data, c);
     }
+    clear_trace_cursor_info();
 
     return rval;
 }
@@ -370,6 +365,8 @@ static int rule_tree_match(
     eval_data.flowbit_failed = 0;
     eval_data.flowbit_noalert = 0;
 
+    print_pattern(pmx->pmd);
+
     {
         Profile rule_profile(rulePerfStats);
         /* NOTE: The otn will be the first one in the match state. If there are
@@ -755,7 +752,8 @@ private:
     unsigned count;
     unsigned flushed;
 
-    struct Node {
+    struct Node
+    {
         void* user;
         void* tree;
         void* list;
@@ -804,11 +802,17 @@ bool MpseStash::process(MpseMatch match, void* context)
 
     pmqs.tot_inq_flush += flushed;
 
+#ifdef DEBUG_MSGS
+    if (count == 0)
+        trace_log(detection, TRACE_RULE_EVAL, "Fast pattern processing - no matches found\n");
+#endif
+
     for ( unsigned i = 0; i < count; ++i )
     {
         Node& node = queue[i];
 
         // process a pattern - case is handled by otn processing
+        trace_logf(detection, TRACE_RULE_EVAL,"Processing pattern match #%d\n", i+1);
         int res = match(node.user, node.tree, node.index, context, node.list);
 
         if ( res > 0 )
@@ -866,6 +870,7 @@ static inline int search_data(
     omd->data = buf; omd->size = len;
     MpseStash* stash = omd->p->context->stash;
     stash->init();
+    dump_buffer(buf, len);
     so->search(buf, len, rule_tree_queue, omd, &start_state);
     stash->process(rule_tree_match, omd);
     if ( PacketLatency::fastpath() )
@@ -880,7 +885,13 @@ static inline int search_buffer(
     if ( gadget->get_fp_buf(ibt, omd->p, buf) )
     {
         if ( Mpse* so = omd->pg->mpse[pmt] )
+        {
+            trace_logf(detection, TRACE_RULE_EVAL,
+                "inspector %s, buffer type %s\n",
+                gadget->get_name(),pm_type_strings[pmt]);
+
             search_data(so, omd, buf.data, buf.len, cnt);
+        }
     }
     return 0;
 }
@@ -897,6 +908,8 @@ static int fp_search(
 
     bool user_mode = snort_conf->sopgTable->user_mode;
 
+    trace_log(detection, TRACE_RULE_EVAL, "Fast pattern search\n");
+
     if ( (!user_mode or type < 2) and p->data and p->dsize )
     {
         // ports search raw packet only
@@ -944,7 +957,10 @@ static int fp_search(
             DataPointer file_data = p->context->file_data;
 
             if ( file_data.len )
+            {
+                trace_log(detection, TRACE_RULE_EVAL, "Searching file data\n");
                 search_data(so, omd, file_data.data, file_data.len, pc.file_searches);
+            }
         }
     }
     return 0;
@@ -975,6 +991,8 @@ static inline int fpEvalHeaderSW(PortGroup* port_group, Packet* p,
     uint16_t tmp_dsize;
     FastPatternConfig* fp = snort_conf->fast_pattern_config;
 
+    print_pkt_info(p);
+
     if (ip_rule)
     {
         tmp_payload = p->data;
@@ -1023,6 +1041,7 @@ static inline int fpEvalHeaderSW(PortGroup* port_group, Packet* p,
             {
                 Profile rule_profile(rulePerfStats);
                 Profile rule_nfp_eval_profile(ruleNFPEvalPerfStats);
+                trace_log(detection, TRACE_RULE_EVAL, "Testing non-content rules\n");
                 rval = detection_option_tree_evaluate(
                     (detection_option_tree_root_t*)port_group->nfp_tree, &eval_data);
             }
@@ -1074,7 +1093,7 @@ static inline void fpEvalHeaderIp(Packet* p, OtnxMatchData* omd)
     if ( ip_group )
         fpEvalHeaderSW(ip_group, p, 0, 1, 0, omd);
 
-    if  (any )
+    if (any )
         fpEvalHeaderSW(any, p, 0, 1, 0, omd);
 }
 
@@ -1125,13 +1144,13 @@ static inline void fpEvalHeaderUdp(Packet* p, OtnxMatchData* omd)
         p->ptrs.sp,p->ptrs.dp,(void*)src,(void*)dst,(void*)any);
 
     if ( dst )
-        fpEvalHeaderSW(dst, p, 1, 0, 0, omd) ;
+        fpEvalHeaderSW(dst, p, 1, 0, 0, omd);
 
     if ( src )
-        fpEvalHeaderSW(src, p, 1, 0, 0, omd) ;
+        fpEvalHeaderSW(src, p, 1, 0, 0, omd);
 
     if ( any )
-        fpEvalHeaderSW(any, p, 1, 0, 0, omd) ;
+        fpEvalHeaderSW(any, p, 1, 0, 0, omd);
 }
 
 static inline bool fpEvalHeaderSvc(Packet* p, OtnxMatchData* omd, int proto)
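Review bot: The format at L763 prints `i+1` with `%d` although `i` is declared `unsigned` in the loop header at L758, a signed/unsigned mismatch that -Wformat reports; use `trace_logf(detection, TRACE_RULE_EVAL, "Processing pattern match #%u\n", i + 1);`, which also restores the missing space after the comma (the same missing space appears at L782, `gadget->get_name(),pm_type_strings[pmt]`). The `#ifdef DEBUG_MSGS` at L753-L756 is needed only because `trace_log` expands to nothing in non-debug builds, which would make the following `for` the body of `if (count == 0)`; braces remove that hazard without conditional compilation: `if ( count == 0 ) { trace_log(detection, TRACE_RULE_EVAL, "Fast pattern processing - no matches found\n"); }`. `dump_buffer(buf, len)` at L771 asserts on a thread-local packet pointer that `print_pkt_info()` stores, called at L813 near the top of `fpEvalHeaderSW`; that holds for the call chain visible here, but any other future caller of `search_data` would trip the assert, which a one-line comment at the call site should say. `MpseStash::process` and `search_data` start outside their hunks.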
index 325e61b05a5d9f5ea8e5af8c8b057acdb3bb6707..7b216679e48dd68e562eb8f70f6f6d7d6edad44b 100644 (file)
@@ -104,21 +104,29 @@ static inline void trace_vprintf(const char* name, Trace mask, const char* file,
     if ( !trace_enabled(mask, flags) )
         return;
 
-    char buf[STD_BUF];
+    char buf[STD_BUF]; 
     int buf_len = sizeof(buf);
     char* buf_ptr = buf;
-
-    int size = snprintf(buf, buf_len, "%s: ", name);
-    if ( size > 0 && size < buf_len )
-    {
-        buf_ptr += size;
-        buf_len -= size;
+    int size;
+       
+    if (name)
+    {   
+        size = snprintf(buf, buf_len, "%s: ", name);
+        if ( size >= buf_len )
+            size = buf_len - 1;
+        if ( size > 0 )
+        {
+            buf_ptr += size;
+            buf_len -= size;
+        }
     }
-
+       
     if ( file )
     {
         size = snprintf(buf_ptr, buf_len, "%s:%d: ", file, line);
-        if ( size > 0 && size < buf_len )
+        if ( size >= buf_len )
+            size = buf_len - 1;
+        if ( size > 0 )
         {
             buf_ptr += size;
             buf_len -= size;
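Review bot: Lines L858, L868, L870 and L881 add trailing whitespace (L868 and L881 are tab-only lines), and the only change to `char buf[STD_BUF];` between L857 and L858 is that trailing space, which turns an untouched line into part of the hunk; strip the whitespace so the hunk shows only the logic change. `int size;` at L867 is declared uninitialized several statements before its first use; declaring it at the assignment inside each branch, `int size = snprintf(buf, buf_len, "%s: ", name);` and likewise for the `file` branch, keeps it always initialized and scoped where it is used. The clamp `if ( size >= buf_len ) size = buf_len - 1;` correctly keeps the truncated prefix, but after a truncation `buf_len` is 1 and every later `snprintf` in this function can only write the terminator, so the message body is silently dropped; a one-line comment (`// prefix truncated: later pieces get no room`) would save the next reader the arithmetic. `trace_vprintf` continues past the end of the hunk.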
index 17c8d62cfd12041f5274531597917169feee12c5..e49c6017de35fb48b4e0dc116b73019e90802847 100644 (file)
@@ -155,9 +155,15 @@ static inline void trace_print(const char* name, Trace mask, const char* file,
 #define trace_log(tracer, ...) \
     trace_print(#tracer, tracer##_trace, nullptr, 0, __VA_ARGS__)
 
+#define trace_log_wo_name(tracer, ...) \
+    trace_print(nullptr, tracer##_trace, nullptr, 0, __VA_ARGS__)
+
 #define trace_logf(tracer, ...) \
     trace_printf(#tracer, tracer##_trace, nullptr, 0, __VA_ARGS__)
 
+#define trace_logf_wo_name(tracer, ...) \
+    trace_printf(nullptr, tracer##_trace, nullptr, 0, __VA_ARGS__)
+
 #define trace_debug(tracer, ...) \
     trace_print(#tracer, tracer##_trace, __FILE__, __LINE__, __VA_ARGS__)
 
@@ -189,7 +195,9 @@ private:
 
 #else
 #define trace_log(tracer, ...)
+#define trace_log_wo_name(tracer, ...)
 #define trace_logf(tracer, ...)
+#define trace_logf_wo_name(tracer, ...)
 #define trace_debug(tracer, ...)
 #define trace_debugf(tracer, ...)
 
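Review bot: The new `trace_log_wo_name`/`trace_logf_wo_name` macros at L897-L904 are undocumented and the abbreviation `wo` does not say what is omitted; add a comment above them such as `// as trace_log/trace_logf but without the "tracer: " prefix, for continuing a line begun by a named call (see the rule-variable dump in detection_options.cc)`. The macros rely on `trace_print`/`trace_printf` accepting a null `name`, which the companion change to `trace_vprintf` in snort_debug.cc makes true; stating that contract beside the macros prevents someone from later reinstating an unconditional `"%s: "` prefix. The empty `#else` definitions at L913 and L915 should stay adjacent to their named counterparts, as they are now, so the two branches are easy to compare.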
index 492eb8a9ce257feb84bc69a3d57f45c4d8bb7fed..e8eb87d13740e6ffca8a2a22392b8f36769307ff 100644 (file)
@@ -33,7 +33,7 @@
 
 enum PmType
 {
-    PM_TYPE_PKT,
+    PM_TYPE_PKT = 0,
     PM_TYPE_ALT,
     PM_TYPE_KEY,
     PM_TYPE_HEADER,
@@ -42,6 +42,11 @@ enum PmType
     PM_TYPE_MAX
 };
 
+const char* const pm_type_strings[PM_TYPE_MAX] =
+{
+    "packet", "alt", "key", "header", "body", "file"
+};
+
 struct RULE_NODE
 {
     RULE_NODE* rnNext;
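Review bot: `pm_type_strings` at L933-L936 is sized by `PM_TYPE_MAX` but initialized with six literals, so adding a `PmType` before `PM_TYPE_MAX` without touching this table silently leaves the new slot as a null pointer that the `%s` conversions in `LogMessage`/`trace_logf` callers then receive; let the initializer set the size and assert agreement with the enum: `constexpr const char* const pm_type_strings[] = { "packet", "alt", "key", "header", "body", "file" };` followed by `static_assert(sizeof(pm_type_strings) / sizeof(pm_type_strings[0]) == PM_TYPE_MAX, "pm_type_strings out of sync with PmType");`. As a namespace-scope `const` object in a header the array has internal linkage, so every including translation unit gets its own copy; harmless at this size, but worth a comment since the table was file-local in fp_create.cc before this commit. The `PM_TYPE_PKT = 0` at L925 only restates the default, which is fine; it signals that the table depends on the enum being dense from zero, and the static_assert makes that dependency checked rather than implied.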