static const Parameter s_params[] =
{
{ "reset", Parameter::PT_ENUM, "source|dest|both", nullptr,
- "send tcp reset to one or both ends" },
+ "send TCP reset to one or both ends" },
{ "control", Parameter::PT_ENUM, "network|host|port|all", nullptr,
- "send icmp unreachable(s)" },
+ "send ICMP unreachable(s)" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
mgr.set_context_data(1, a);
mgr.interrupt();
CHECK(mgr.idle_count() == max-2);
- CHECK(mgr.busy_count() == 2);
+ CHECK((mgr.busy_count() == 2));
unsigned u = mgr.suspend();
CHECK(mgr.idle_count() == max-2);
mgr.resume(u);
CHECK(mgr.idle_count() == max-2);
- CHECK(mgr.busy_count() == 2);
+ CHECK((mgr.busy_count() == 2));
CHECK(mgr.hold_count() == 0);
mgr.complete();
CHECK(mgr.idle_count() == max-3);
mgr.suspend();
- CHECK(mgr.busy_count() == 2);
+ CHECK((mgr.busy_count() == 2));
CHECK(mgr.hold_count() == 1);
mgr.abort();
#define DETECTION_UTIL_H
// this is a legacy junk-drawer file that needs to be refactored
-// it provides file and alt data pointers, event trace foo, and
-// some http stuff.
+// it provides file and alt data and event trace foo.
#include "main/snort_config.h"
unsigned len;
};
-#define SetDetectLimit(pktPtr, altLen) \
-{ \
- (pktPtr)->alt_dsize = altLen; \
-}
-
-#define IsLimitedDetect(pktPtr) ((pktPtr)->packet_flags & PKT_HTTP_DECODE)
-
// FIXIT-L event trace should be placed in its own files
void EventTrace_Init();
void EventTrace_Term();
private:
const struct MpseApi* search_api;
- bool inspect_stream_insert = false;
+ bool inspect_stream_insert = true;
bool trim;
bool split_any_any = false;
bool debug_print_fast_pattern = false;
return -1;
OptFpList* next = nullptr;
- bool exclude, only_literal = !MpseManager::is_regex_capable(fp->get_search_api());
+ bool only_literal = !MpseManager::is_regex_capable(fp->get_search_api());
+ bool exclude;
+
pmv = get_fp_content(otn, next, srvc, only_literal, exclude);
if ( !pmv.empty() )
fpBuildServicePortGroups(sc, sc->spgmmTable->to_cli[i],
sc->sopgTable->to_cli[i], sc->srmmTable->to_cli[i], fp);
}
- if ( !sc->sopgTable->set_user_mode() )
- {
- fp->set_stream_insert(true);
- ParseWarning(WARN_RULES, "legacy mode fast pattern searching enabled");
- }
+ sc->sopgTable->set_user_mode();
}
/*
// ports search raw packet only
if ( Mpse* so = port_group->mpse[PM_TYPE_PKT] )
{
- uint16_t pattern_match_size = p->dsize;
-
- if ( IsLimitedDetect(p) && (p->alt_dsize < p->dsize) )
- pattern_match_size = p->alt_dsize;
-
- if ( pattern_match_size )
+ if ( uint16_t pattern_match_size = p->get_detect_limit() )
{
- trace_logf(detection, TRACE_FP_SEARCH, "%ld fp %s[%d]\n",
+ trace_logf(detection, TRACE_FP_SEARCH, "%ld fp %s[%u]\n",
pc.total_from_daq, pm_type_strings[PM_TYPE_PKT], pattern_match_size);
search_data(so, omd, p->data, pattern_match_size, pc.pkt_searches);
{
set("alt_data", buf.data, buf.len);
}
- else if ( IsLimitedDetect(p) )
- {
- set("pkt_data", p->data, p->alt_dsize);
- }
else
{
- set("pkt_data", p->data, p->dsize);
+ set("pkt_data", p->data, p->get_detect_limit());
}
}
list_iter=list.end();
while (current_size > newsize)
{
- list_iter--;
+ --list_iter;
current_size--;
map.erase(list_iter->first);
list.erase(list_iter);
{
LruListIter list_iter;
list_iter = list.end();
- list_iter--;
+ --list_iter;
map.erase(list_iter->first);
list.erase(list_iter);
stats.prunes++;
/* Decide if we can free this node. */
- //bx++; if(bx == 4 )bx=0; /* for testing */
+ bx++; if(bx == 4 )bx=0; /* for testing */
/* if we are allowing the node to die, kill it */
if ( !bx )
"service identifier" },
{ "proto", Parameter::PT_ENUM, "tcp | udp", "tcp",
- "ip protocol" },
+ "IP protocol" },
{ "port", Parameter::PT_PORT, nullptr, nullptr,
"port number" },
const Parameter HostTrackerModule::host_tracker_params[] =
{
- { "ip", Parameter::PT_ADDR, nullptr, "0.0.0.0/32",
+ { "IP", Parameter::PT_ADDR, nullptr, "0.0.0.0/32",
"hosts address / cidr" },
{ "frag_policy", Parameter::PT_ENUM, IP_POLICIES, nullptr,
"defragmentation policy" },
{ "tcp_policy", Parameter::PT_ENUM, TCP_POLICIES, nullptr,
- "tcp reassembly policy" },
+ "TCP reassembly policy" },
{ "services", Parameter::PT_LIST, HostTrackerModule::service_params, nullptr,
"list of service parameters" },
static const Parameter s_params[] =
{
{ "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
- "check if tcp ack value is 'value | min<>max | <max | >min'" },
+ "check if TCP ack value is 'value | min<>max | <max | >min'" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
static const Parameter s_params[] =
{
{ "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
- "check if icmp id is in given range" },
+ "check if ICMP ID is in given range" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
static const Parameter s_params[] =
{
{ "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
- "check if icmp sequence number is in given range" },
+ "check if ICMP sequence number is in given range" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
static const Parameter s_params[] =
{
{ "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
- "check if icmp code is in given range is" },
+ "check if ICMP code is in given range is" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
static const Parameter s_params[] =
{
{ "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
- "check if the ip id is in the given range" },
+ "check if the IP ID is in the given range" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
static const Parameter s_params[] =
{
{ "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
- "check if icmp type is in given range" },
+ "check if ICMP type is in given range" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
static const Parameter s_params[] =
{
{ "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
- "check if tcp sequence number is in given range" },
+ "check if TCP sequence number is in given range" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
static const Parameter s_params[] =
{
{ "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
- "check if ip tos is in given range" },
+ "check if IP TOS is in given range" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
static const Parameter s_params[] =
{
{ "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
- "check if ip ttl is in the given range" },
+ "check if IP TTL is in the given range" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
static const Parameter s_params[] =
{
{ "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
- "check if tcp window size is in given range" },
+ "check if TCP window size is in given range" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
{ "max_queue_events", Parameter::PT_INT, "2:100", "5", // upper bound is MAX_EVENT_MATCH
"maximum number of matching fast pattern states to queue per packet" },
- { "inspect_stream_inserts", Parameter::PT_BOOL, nullptr, "false",
- "inspect reassembled payload - disabling is good for performance, bad for detection" },
+ { "detect_raw_tcp", Parameter::PT_BOOL, nullptr, "true",
+ "detect on TCP payload before reassembly" },
{ "search_method", Parameter::PT_DYNAMIC, (void*)&get_search_methods, "ac_bnfa",
"set fast pattern algorithm - choose available search engine" },
else if ( v.is("max_queue_events") )
fp->set_max_queue_events(v.get_long());
- else if ( v.is("inspect_stream_inserts") )
+ else if ( v.is("detect_raw_tcp") )
fp->set_stream_insert(v.get_bool());
else if ( v.is("search_method") )
"correlate unified2 events with configuration" },
{ "min_ttl", Parameter::PT_INT, "1:255", "1",
- "alert / normalize packets with lower ttl / hop limit "
+ "alert / normalize packets with lower TTL / hop limit "
"(you must enable rules and / or normalization also)" },
{ "new_ttl", Parameter::PT_INT, "1:255", "1",
"service identifier" },
{ "proto", Parameter::PT_ENUM, "tcp | udp", "tcp",
- "ip protocol" },
+ "IP protocol" },
{ "port", Parameter::PT_PORT, nullptr, nullptr,
"port number" },
static const Parameter hosts_params[] =
{
{ "ip", Parameter::PT_ADDR, nullptr, "0.0.0.0/32",
- "hosts address / cidr" },
+ "hosts address / CIDR" },
{ "frag_policy", Parameter::PT_ENUM, IP_POLICIES, nullptr,
"defragmentation policy" },
{ "tcp_policy", Parameter::PT_ENUM, TCP_POLICIES, nullptr,
- "tcp reassembly policy" },
+ "TCP reassembly policy" },
{ "services", Parameter::PT_LIST, service_params, nullptr,
"list of service parameters" },
#ifdef SHELL
{ "-j", Parameter::PT_PORT, nullptr, nullptr,
- "<port> to listen for telnet connections" },
+ "<port> to listen for Telnet connections" },
#endif
{ "-k", Parameter::PT_ENUM, "all|noip|notcp|noudp|noicmp|none", "all",
{
if ( asd->service.get_id() == APP_ID_NONE || asd->service.get_id() == APP_ID_HTTP )
{
- AppIdServiceSubtype* local_subtype = nullptr;
+ //AppIdServiceSubtype* local_subtype = nullptr;
char* vendorVersion = nullptr;
char* vendor = nullptr;
snort_free(vendor);
snort_free(vendorVersion);
}
- if (local_subtype)
+#if 0
+ if (local_subtype) // FIXIT-W always false
{
AppIdServiceSubtype** tmpSubtype;
*tmpSubtype = local_subtype;
}
+#endif
}
}
static const Parameter session_log_filter[] =
{
{ "src_ip", Parameter::PT_ADDR, nullptr, "0.0.0.0/32",
- "source ip address in CIDR format" },
+ "source IP address in CIDR format" },
{ "dst_ip", Parameter::PT_ADDR, nullptr, "0.0.0.0/32",
- "destination ip address in CIDR format" },
+ "destination IP address in CIDR format" },
{ "src_port", Parameter::PT_PORT, "1:", nullptr, "source port" },
{ "dst_port", Parameter::PT_PORT, "1:", nullptr, "destination port" },
- { "protocol", Parameter::PT_STRING, nullptr, nullptr,"ip protocol" },
+ { "protocol", Parameter::PT_STRING, nullptr, nullptr,"IP protocol" },
{ "log_all_sessions", Parameter::PT_BOOL, nullptr, "false",
"enable logging for all appid sessions" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
static void dumpTreesRecursively(tMlmpTree* rootNode)
{
- tPatternPrimaryNode* primaryPatternNode;
- tPatternNode* ddPatternNode;
- char prefix[41];
- uint32_t prefixSize;
+#ifdef DEBUG
+ uint32_t prefixSize = 4 * (rootNode->level) + 2;
- prefixSize = 4 * (rootNode->level) + 2;
if (prefixSize > 40)
prefixSize = 40;
+ char prefix[41];
memset(prefix, ' ', prefixSize);
prefix[prefixSize] = '\0';
+#endif
- for (primaryPatternNode = rootNode->patternList;
+ for (tPatternPrimaryNode* primaryPatternNode = rootNode->patternList;
primaryPatternNode;
primaryPatternNode = primaryPatternNode->nextPrimaryNode)
{
primaryPatternNode->patternNode.partTotal,
primaryPatternNode->patternNode.userData);
- for (ddPatternNode = &primaryPatternNode->patternNode;
+ for (tPatternNode* ddPatternNode = &primaryPatternNode->patternNode;
ddPatternNode;
ddPatternNode = ddPatternNode->nextPattern)
{
CHECK_TRUE(service == APPID_UT_ID);
CHECK_TRUE(!isLoginSuccessful);
mock_session->set_session_flags(APPID_SESSION_LOGIN_SUCCEEDED);
- val = appid_api.get_user_name(mock_session, &service, &isLoginSuccessful);
+ appid_api.get_user_name(mock_session, &service, &isLoginSuccessful);
CHECK_TRUE(service == APPID_UT_ID);
CHECK_TRUE(isLoginSuccessful);
}
mock_flow_data= nullptr;
SfIp ip;
ip.pton(AF_INET, "192.168.1.222");
- val = appid_api.consume_ha_state(flow, (uint8_t*)&appHA, 0, IpProtocol::TCP, &ip, 1066);
+ appid_api.consume_ha_state(flow, (uint8_t*)&appHA, 0, IpProtocol::TCP, &ip, 1066);
mock_session = (AppIdSession*)flow->get_flow_data(AppIdSession::inspector_id);
CHECK_TRUE(mock_session);
CHECK_TRUE(mock_session->tp_app_id == appHA.appId[0]);
delete mock_session;
mock_session = nullptr;
mock_flow_data= nullptr;
- val = appid_api.consume_ha_state(flow, (uint8_t*)&appHA, 0, IpProtocol::TCP, &ip, 1066);
+ appid_api.consume_ha_state(flow, (uint8_t*)&appHA, 0, IpProtocol::TCP, &ip, 1066);
mock_session = (AppIdSession*)flow->get_flow_data(AppIdSession::inspector_id);
CHECK_TRUE(mock_session);
uint64_t flags = mock_session->get_session_flags(APPID_SESSION_CLIENT_DETECTED |
{
// FIXIT-M need to get xff fields from http config
const char** xffFields = nullptr; // = _dpd.getHttpXffFields(&thirdpartyConfig.numXffFields);
- if (!xffFields)
+ //if (!xffFields) FIXIT-W always true
{
xffFields = defaultXffFields;
thirdpartyConfig.numXffFields = sizeof(defaultXffFields) / sizeof(defaultXffFields[0]);
"list of CIDRs with optional ports" },
{ "tcp_ports", Parameter::PT_TABLE, scan_params, nullptr,
- "tcp port scan configuration (one-to-one)" },
+ "TCP port scan configuration (one-to-one)" },
{ "tcp_decoy", Parameter::PT_TABLE, scan_params, nullptr,
- "tcp decoy scan configuration (one-to-one decoy)" },
+ "TCP decoy scan configuration (one-to-one decoy)" },
{ "tcp_sweep", Parameter::PT_TABLE, scan_params, nullptr,
- "tcp sweep scan configuration (one-to-many)" },
+ "TCP sweep scan configuration (one-to-many)" },
{ "tcp_dist", Parameter::PT_TABLE, scan_params, nullptr,
- "tcp distributed scan configuration (many-to-one)" },
+ "TCP distributed scan configuration (many-to-one)" },
{ "udp_ports", Parameter::PT_TABLE, scan_params, nullptr,
- "udp port scan configuration (one-to-one)" },
+ "UDP port scan configuration (one-to-one)" },
{ "udp_decoy", Parameter::PT_TABLE, scan_params, nullptr,
- "udp decoy scan configuration (one-to-one)" },
+ "UDP decoy scan configuration (one-to-one)" },
{ "udp_sweep", Parameter::PT_TABLE, scan_params, nullptr,
- "udp sweep scan configuration (one-to-many)" },
+ "UDP sweep scan configuration (one-to-many)" },
{ "udp_dist", Parameter::PT_TABLE, scan_params, nullptr,
- "udp distributed scan configuration (many-to-one)" },
+ "UDP distributed scan configuration (many-to-one)" },
{ "ip_proto", Parameter::PT_TABLE, scan_params, nullptr,
- "ip protocol scan configuration (one-to-one)" },
+ "IP protocol scan configuration (one-to-one)" },
{ "ip_decoy", Parameter::PT_TABLE, scan_params, nullptr,
- "ip decoy scan configuration (one-to-one decoy)" },
+ "IP decoy scan configuration (one-to-one decoy)" },
{ "ip_sweep", Parameter::PT_TABLE, scan_params, nullptr,
"ip sweep scan configuration (one-to-many)" },
{ "ip_dist", Parameter::PT_TABLE, scan_params, nullptr,
- "ip distributed scan configuration (many-to-one)" },
+ "IP distributed scan configuration (many-to-one)" },
{ "icmp_sweep", Parameter::PT_TABLE, scan_params, nullptr,
- "icmp sweep scan configuration (one-to-many)" },
+ "ICMP sweep scan configuration (one-to-many)" },
{ "tcp_window", Parameter::PT_INT, "0:", "0",
- "detection interval for all tcp scans" },
+ "detection interval for all TCP scans" },
{ "udp_window", Parameter::PT_INT, "0:", "0",
- "detection interval for all udp scans" },
+ "detection interval for all UDP scans" },
{ "ip_window", Parameter::PT_INT, "0:", "0",
- "detection interval for all ip scans" },
+ "detection interval for all IP scans" },
{ "icmp_window", Parameter::PT_INT, "0:", "0",
- "detection interval for all icmp scans" },
+ "detection interval for all ICMP scans" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
static const Parameter s_params[] =
{
{ "blacklist", Parameter::PT_STRING, nullptr, nullptr,
- "blacklist file name with ip lists" },
+ "blacklist file name with IP lists" },
{ "memcap", Parameter::PT_INT, "1:4095", "500",
"maximum total MB of memory allocated" },
{ "nested_ip", Parameter::PT_ENUM, "inner|outer|all", "inner",
- "ip to use when there is IP encapsulation" },
+ "IP to use when there is IP encapsulation" },
{ "priority", Parameter::PT_ENUM, "blacklist|whitelist", "whitelist",
"defines priority when there is a decision conflict during run-time" },
"specify the meaning of whitelist" },
{ "whitelist", Parameter::PT_STRING, nullptr, nullptr,
- "whitelist file name with ip lists" },
+ "whitelist file name with IP lists" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
#define PKT_PDU_HEAD 0x00000100 /* start of PDU */
#define PKT_PDU_TAIL 0x00000200 /* end of PDU */
-#define PKT_HTTP_DECODE 0x00000400 /* this packet has normalized http */
+#define PKT_DETECT_LIMIT 0x00000400 /* alt_dsize is valid */
#define PKT_ALLOW_MULTIPLE_DETECT 0x00000800 /* packet has either pipelined mime attachments
or pipeline http requests */
uint32_t xtradata_mask;
uint16_t proto_bits; /* protocols contained within this packet */
- uint16_t alt_dsize; /* the dsize of a packet before munging (used for log)*/
+ uint16_t alt_dsize; /* size for detection (iff PKT_DETECT_LIMIT) */
uint8_t num_layers; /* index into layers for next encap */
// FIXIT-M Consider moving ip_proto_next below `pkth`.
inline PktType type() const
{ return ptrs.get_pkt_type(); } // defined in codec.h
+ void set_detect_limit(uint16_t n)
+ {
+ alt_dsize = n;
+ packet_flags |= PKT_DETECT_LIMIT;
+ }
+
+ uint16_t get_detect_limit()
+ { return (packet_flags & PKT_DETECT_LIMIT) ? alt_dsize : dsize; }
+
const char* get_type() const;
const char* get_pseudo_type() const;
{
DceHttpProxySplitter* splitter = new DceHttpProxySplitter(true);
Flow* flow = new Flow();
- uint32_t fp;
+ uint32_t fp = 0;
REQUIRE(splitter->scan(flow, (const uint8_t*)HTTP_PROXY_REQUEST,
strlen(HTTP_PROXY_REQUEST), PKT_FROM_CLIENT, &fp) == StreamSplitter::FLUSH);
const char* extra = "ignore";
char* string = new char[strlen(HTTP_PROXY_REQUEST)+strlen(extra)+1];
Flow* flow = new Flow();
- uint32_t fp;
+ uint32_t fp = 0;
strncpy(string,(const char*)HTTP_PROXY_REQUEST,strlen(HTTP_PROXY_REQUEST));
strncpy(string+strlen(HTTP_PROXY_REQUEST),extra,strlen(extra));
{
DceHttpProxySplitter* splitter = new DceHttpProxySplitter(false);
Flow* flow = new Flow();
- uint32_t fp;
+ uint32_t fp = 0;
REQUIRE(splitter->cutover_inspector() == false);
- REQUIRE(splitter->scan(flow, (const uint8_t*)"HTTP/1.xxx\n\n", 12, PKT_FROM_SERVER, &fp) ==
- StreamSplitter::FLUSH);
- REQUIRE(fp == 12);
+ REQUIRE(splitter->scan(flow, (const uint8_t*)"HTTP/1.xxx\n\n", 12,
+ PKT_FROM_SERVER, &fp) == StreamSplitter::FLUSH);
+ REQUIRE((fp == 12));
REQUIRE(splitter->cutover_inspector() == true);
delete flow;
delete splitter;
{
DceHttpProxySplitter* splitter = new DceHttpProxySplitter(false);
Flow* flow = new Flow();
- uint32_t fp;
+ uint32_t fp = 0;
REQUIRE(splitter->cutover_inspector() == false);
- REQUIRE(splitter->scan(flow, (const uint8_t*)"HTTP/1.xxx\nxx\n\n", 15, PKT_FROM_SERVER, &fp) ==
- StreamSplitter::FLUSH);
- REQUIRE(fp == 15);
+ REQUIRE(splitter->scan(flow, (const uint8_t*)"HTTP/1.xxx\nxx\n\n", 15,
+ PKT_FROM_SERVER, &fp) == StreamSplitter::FLUSH);
+ REQUIRE((fp == 15));
REQUIRE(splitter->cutover_inspector() == true);
delete flow;
delete splitter;
{
DceHttpProxySplitter* splitter = new DceHttpProxySplitter(false);
Flow* flow = new Flow();
- uint32_t fp;
+ uint32_t fp = 0;
REQUIRE(splitter->cutover_inspector() == false);
- REQUIRE(splitter->scan(flow, (const uint8_t*)"HTTP/1.xxx\nxx\n\nyyy", 18, PKT_FROM_SERVER, &fp) ==
- StreamSplitter::FLUSH);
- REQUIRE(fp == 18);
+ REQUIRE(splitter->scan(flow, (const uint8_t*)"HTTP/1.xxx\nxx\n\nyyy", 18,
+ PKT_FROM_SERVER, &fp) == StreamSplitter::FLUSH);
+ REQUIRE((fp == 18));
REQUIRE(splitter->cutover_inspector() == true);
delete flow;
delete splitter;
#define s_name "dnp3_func"
#define s_help \
- "detection option to check dnp3 function code"
+ "detection option to check DNP3 function code"
static THREAD_LOCAL ProfileStats dnp3_func_perf_stats;
static const Parameter s_params[] =
{
{ "~", Parameter::PT_STRING, nullptr, nullptr,
- "match dnp3 function code or name" },
+ "match DNP3 function code or name" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
#define s_name "dnp3_ind"
#define s_help \
- "detection option to check dnp3 indicator flags"
+ "detection option to check DNP3 indicator flags"
static THREAD_LOCAL ProfileStats dnp3_ind_perf_stats;
static const Parameter s_params[] =
{
{ "~", Parameter::PT_STRING, nullptr, nullptr,
- "match given dnp3 indicator flags" },
+ "match given DNP3 indicator flags" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
#define s_name "dnp3_obj"
#define s_help \
- "detection option to check dnp3 object headers"
+ "detection option to check DNP3 object headers"
/* Object decoding constants */
#define DNP3_OBJ_HDR_MIN_LEN 3 /* group, var, qualifier */
static const Parameter s_params[] =
{
{ "group", Parameter::PT_INT, "0:255", "0",
- "match given dnp3 object header group" },
+ "match given DNP3 object header group" },
{ "var", Parameter::PT_INT, "0:255", "0",
- "match given dnp3 object header var" },
+ "match given DNP3 object header var" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
static const Parameter client_bounce_params[] =
{
{ "address", Parameter::PT_ADDR, nullptr, "1.0.0.0/32",
- "allowed ip address in CIDR format" },
+ "allowed IP address in CIDR format" },
// FIXIT-L port and last_port should be replaced with a port list
{ "port", Parameter::PT_PORT, "1:", "20",
"ignore erase character and erase line commands when normalizing" },
{ "max_resp_len", Parameter::PT_INT, "-1:", "-1",
- "maximum ftp response accepted by client" },
+ "maximum FTP response accepted by client" },
{ "telnet_cmds", Parameter::PT_BOOL, nullptr, "false",
- "detect telnet escape sequences on ftp control channel" },
+ "detect Telnet escape sequences on FTP control channel" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
"default maximum length of commands handled by server; 0 is unlimited" },
{ "encrypted_traffic", Parameter::PT_BOOL, nullptr, "false",
- "check for encrypted telnet and ftp" },
+ "check for encrypted Telnet and FTP" },
{ "ftp_cmds", Parameter::PT_STRING, nullptr, nullptr,
"specify additional commands supported by server beyond RFC 959" },
{ "ignore_data_chan", Parameter::PT_BOOL, nullptr, "false",
- "do not inspect ftp data channels" },
+ "do not inspect FTP data channels" },
{ "ignore_telnet_erase_cmds", Parameter::PT_BOOL, nullptr, "false",
"ignore erase character and erase line commands when normalizing" },
"print command configurations on start up" },
{ "telnet_cmds", Parameter::PT_BOOL, nullptr, "false",
- "detect telnet escape sequences of ftp control channel" },
+ "detect Telnet escape sequences of FTP control channel" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
static const PegInfo ftp_pegs[] =
{
{ CountType::SUM, "total_packets", "total packets" },
- { CountType::NOW, "concurrent_sessions", "total concurrent ftp sessions" },
- { CountType::MAX, "max_concurrent_sessions", "maximum concurrent ftp sessions" },
+ { CountType::NOW, "concurrent_sessions", "total concurrent FTP sessions" },
+ { CountType::MAX, "max_concurrent_sessions", "maximum concurrent FTP sessions" },
{ CountType::END, nullptr, nullptr }
};
//-------------------------------------------------------------------------
#define TELNET_AYT_OVERFLOW_STR \
- "consecutive telnet AYT commands beyond threshold"
+ "consecutive Telnet AYT commands beyond threshold"
#define TELNET_ENCRYPTED_STR \
- "telnet traffic encrypted"
+ "Telnet traffic encrypted"
#define TELNET_SB_NO_SE_STR \
- "telnet subnegotiation begin command without subnegotiation end"
+ "Telnet subnegotiation begin command without subnegotiation end"
static const Parameter s_params[] =
{
{ "ayt_attack_thresh", Parameter::PT_INT, "-1:", "-1",
- "alert on this number of consecutive telnet AYT commands" },
+ "alert on this number of consecutive Telnet AYT commands" },
{ "check_encrypted", Parameter::PT_BOOL, nullptr, "false",
"check for end of encryption" },
{ "encrypted_traffic", Parameter::PT_BOOL, nullptr, "false",
- "check for encrypted telnet and ftp" },
+ "check for encrypted Telnet and FTP" },
{ "normalize", Parameter::PT_BOOL, nullptr, "false",
"eliminate escape sequences" },
static const PegInfo telnet_pegs[] =
{
{ CountType::SUM, "total_packets", "total packets" },
- { CountType::NOW, "concurrent_sessions", "total concurrent telnet sessions" },
- { CountType::MAX, "max_concurrent_sessions", "maximum concurrent telnet sessions" },
+ { CountType::NOW, "concurrent_sessions", "total concurrent Telnet sessions" },
+ { CountType::MAX, "max_concurrent_sessions", "maximum concurrent Telnet sessions" },
{ CountType::END, nullptr, nullptr }
};
static const Parameter gtp_params[] =
{
{ "version", Parameter::PT_INT, "0:2", "2",
- "gtp version" },
+ "GTP version" },
{ "messages", Parameter::PT_LIST, gtp_msg_params, nullptr,
"message dictionary" },
};
#define s_help \
- "rule option to check gtp version"
+ "rule option to check GTP version"
class GtpVersionModule : public Module
{
#include "http_inspect.h"
#include "detection/detection_engine.h"
+#include "detection/detection_util.h"
#include "log/unified2.h"
#include "protocols/packet.h"
#include "stream/stream.h"
if (session_data->section_type[source_id] == SEC__NOT_COMPUTE)
return;
+ // Limit alt_dsize of message body sections to request/response depth
+ if ((session_data->detect_depth_remaining[source_id] > 0) &&
+ (session_data->detect_depth_remaining[source_id] < p->dsize))
+ {
+ p->set_detect_limit(session_data->detect_depth_remaining[source_id]);
+ }
+
const int remove_workaround = session_data->zero_byte_workaround[source_id] ? 1 : 0;
if (!process(p->data, p->dsize - remove_workaround, p->flow, source_id, true))
{
static const Parameter s_params[] =
{
{ "~", Parameter::PT_INT, "0:255", nullptr,
- "modbus unit ID" },
+ "Modbus unit ID" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
#define s_help \
- "rule option to check modbus unit ID"
+ "rule option to check Modbus unit ID"
class ModbusUnitModule : public Module
{
"maximum via field size" },
{ "methods", Parameter::PT_STRING, nullptr, default_methods,
- "list of methods to check in sip messages" },
+ "list of methods to check in SIP messages" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
{
{ CountType::SUM, "packets", "total packets" },
{ CountType::SUM, "sessions", "total sessions" },
- { CountType::NOW, "concurrent_sessions", "total concurrent sip sessions" },
- { CountType::MAX, "max_concurrent_sessions", "maximum concurrent sip sessions" },
+ { CountType::NOW, "concurrent_sessions", "total concurrent SIP sessions" },
+ { CountType::MAX, "max_concurrent_sessions", "maximum concurrent SIP sessions" },
{ CountType::SUM, "events", "events generated" },
{ CountType::SUM, "dialogs", "total dialogs" },
{ CountType::SUM, "ignored_channels", "total channels ignored" },
/* reset normalization stuff */
smtp_normalizing = false;
- SetDetectLimit(p, 0);
if (pkt_dir == SMTP_PKT_FROM_SERVER)
{
if ((unsigned long)length > alt_size - buf.len)
{
- //SetDetectLimit(p, 0);
smtp_normalizing = false;
return -1;
}
bool is_paf() override { return true; }
+private:
+ void count_scan(const Flow* f)
+ {
+ if ( f->pkt_type == PktType::TCP )
+ ++tstats.tcp_scans;
+ else
+ ++tstats.user_scans;
+ }
+
+ void count_hit(const Flow* f)
+ {
+ if ( f->pkt_type == PktType::TCP )
+ ++tstats.tcp_hits;
+ else
+ ++tstats.user_hits;
+ }
+
private:
Wizard* wizard;
Wand wand;
uint32_t, uint32_t*)
{
Profile profile(wizPerfStats);
- ++tstats.tcp_scans;
+ count_scan(f);
if ( wizard->cast_spell(wand, f, data, len) )
- ++tstats.tcp_hits;
+ count_hit(f);
else if ( wizard->finished(wand) )
return ABORT;
static const Parameter s_params[] =
{
{ "footprint", Parameter::PT_INT, "0:", "0",
- "use zero for production, non-zero for testing at given size (for tcp and user)" },
+ "use zero for production, non-zero for testing at given size (for TCP and user)" },
{ "ip_frags_only", Parameter::PT_BOOL, nullptr, "false",
"don't process non-frag flows" },
"alert if fragment length is below this limit before or after trimming" },
{ "min_ttl", Parameter::PT_INT, "1:255", "1",
- "discard fragments with ttl below the minimum" },
+ "discard fragments with TTL below the minimum" },
{ "policy", Parameter::PT_ENUM, IP_POLICIES, "linux",
"fragment reassembly policy" },
"flush upon seeing a drop in segment size after given number of non-decreasing segments" },
{ "ignore_any_rules", Parameter::PT_BOOL, nullptr, "false",
- "process tcp content rules w/o ports only if rules with ports are present" },
+ "process TCP content rules w/o ports only if rules with ports are present" },
{ "max_window", Parameter::PT_INT, "0:1073725440", "0",
- "maximum allowed tcp window" },
+ "maximum allowed TCP window" },
{ "overlap_limit", Parameter::PT_INT, "0:255", "0",
"maximum number of allowed overlapping segments per session" },
"session tracking timeout" },
{ "ignore_any_rules", Parameter::PT_BOOL, nullptr, "false",
- "process udp content rules w/o ports only if rules with ports are present" },
+ "process UDP content rules w/o ports only if rules with ports are present" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
else if (keyword == "no_stream_inserts")
{
- table_api.add_diff_option_comment("no_stream_inserts", "inspect_stream_inserts");
- tmpval = table_api.add_option("inspect_stream_inserts", false);
+ table_api.add_diff_option_comment("no_stream_inserts", "detect_raw_tcp");
+ tmpval = table_api.add_option("detect_raw_tcp", false);
}
else if (keyword == "debug")
while(util::get_string(data_stream, key_value_pair, ";"))
{
std::istringstream arg_stream(key_value_pair);
- std::vector<std::string> word_list;
-
util::trim(key_value_pair);
size_t pos = key_value_pair.find_first_of(':');
bool PerfMonitor::convert(std::istringstream& data_stream)
{
- std::string keyword;
- bool retval = true;
-
table_api.open_table("perf_monitor");
- retval |= table_api.add_option("base", true);
- retval |= table_api.add_option("cpu", true);
+
+ bool retval =
+ table_api.add_option("base", true) and
+ table_api.add_option("cpu", true);
+
+ std::string keyword;
while (data_stream >> keyword)
{
projects / thirdparty / snort3.git / commitdiff
