From: Michael Altizer (mialtize) Date: Thu, 2 Nov 2017 17:29:28 +0000 (-0400) Subject: Merge pull request #1049 in SNORT/snort3 from norm_test to master X-Git-Tag: 3.0.0-241~29 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2da66818836bbe504b68da1800545fc7ce1fbba0;p=thirdparty%2Fsnort3.git Merge pull request #1049 in SNORT/snort3 from norm_test to master Squashed commit of the following: commit f090e0dd005bde5fcb6303ae6781426fda3cb44f Author: Carter Waxman Date: Fri Oct 27 13:13:12 2017 -0400 fixed build of several dyanmic modules on OSX / clang commit 62b7ba4bca0c88afe6521a4cf444718125656e86 Author: Carter Waxman Date: Wed Oct 25 15:45:07 2017 -0400 cd_pbb, alert_json: fixed build issues on OSX with clang commit 8701c0f859bcba2797d52f2998013ff1ec71896f Author: Carter Waxman Date: Fri Oct 27 12:18:57 2017 -0400 snort2lua: added inspection uuid commit 20c0dba9d13fb1b7d81073bd87605fb61d16ebf6 Author: Carter Waxman Date: Tue Oct 17 11:31:52 2017 -0400 snort2lua: added na_policy_mode. added ability amend tables if created. commit 31356c8c8110c618b3d9d469cf0ee3a9963ace50 Author: Carter Waxman Date: Mon Oct 16 15:29:23 2017 -0400 snort2lua: added normalize_tcp: ftp commit f11fb08f1c08d72e921274086ba0d8739ac24b83 Author: Carter Waxman Date: Fri Oct 27 10:17:48 2017 -0400 autoconf: fixed uuid library inclusion on OSX commit bcbc9f517ab8f2bbefe9ec3e42447160e467964a Author: Carter Waxman Date: Wed Oct 25 17:12:39 2017 -0400 policy, cmake: fixed uuid build issues on OSX commit be8d14bb54f88120e6422421812cf05f3cadf92a Author: Carter Waxman Date: Fri Oct 13 17:33:18 2017 -0400 policy, normalizer: added test mode and reorganized policies. added inspection policy config. --- diff --git a/cmake/FindUUID.cmake b/cmake/FindUUID.cmake index a2c3b7e8e..b52a31501 100644 --- a/cmake/FindUUID.cmake +++ b/cmake/FindUUID.cmake @@ -3,14 +3,22 @@ find_package(PkgConfig) pkg_check_modules(PKG_HINT uuid) +if (APPLE) + set(APPLE_UUID_INCLUDE_DIR "/usr/include/uuid") + set(UUID_LIBRARY_NAME "System") +else() + set(APPLE_INCLUDE_DIR "") + set(UUID_LIBRARY_NAME "uuid") +endif() + find_path (UUID_INCLUDE_DIR NAMES uuid.h - HINTS ${UUID_INCLUDE_DIR_HINT} ${PKG_HINT_INCLUDE_DIRS} + HINTS ${UUID_INCLUDE_DIR_HINT} ${PKG_HINT_INCLUDE_DIRS} ${APPLE_UUID_INCLUDE_DIR} ) if (UUID_INCLUDE_DIR) find_library(UUID_LIBRARY - NAMES uuid + NAMES ${UUID_LIBRARY_NAME} HINTS ${UUID_LIBRARIES_DIR_HINT} ${PKG_HINT_LIBRARY_DIRS} ) else() diff --git a/configure.ac b/configure.ac index 9332849dd..319623e50 100644 --- a/configure.ac +++ b/configure.ac @@ -1087,6 +1087,14 @@ PKG_CHECK_EXISTS([uuid], [ have_uuid_pkgconfig="yes" ], [ have_uuid_pkgconfig="n AC_MSG_RESULT(${have_uuid_pkgconfig}) UUID_CPPFLAGS="" +if test "${macos}" = "yes"; then + UUID_CPPFLAGS="-I/usr/include/uuid" + UUID_LDFLAGS="-lSystem" + UUID_LIBNAME="System" +else + UUID_LIBNAME="uuid" +fi + if test "${have_uuid_pkgconfig}" = "yes" ; then UUID_CPPFLAGS=`${PKG_CONFIG} --cflags uuid` UUID_LDFLAGS=`${PKG_CONFIG} --libs-only-L uuid` @@ -1117,12 +1125,12 @@ AC_CHECK_HEADERS(uuid.h, UUID_H="yes") # Verify that we have the library UUID_L="" -AC_CHECK_LIB(uuid, uuid_parse, UUID_L="yes") +AC_CHECK_LIB("${UUID_LIBNAME}", uuid_parse, UUID_L="yes") if test "x$UUID_L" = "xyes"; then if test "x$UUID_H" = "xyes"; then AC_DEFINE([HAVE_UUID],[1],[can build uuid code]) - LIBS="${LIBS} -luuid" + LIBS="${LIBS} -l${UUID_LIBNAME}" fi fi diff --git a/extra/src/codecs/cd_pbb/cd_pbb.cc b/extra/src/codecs/cd_pbb/cd_pbb.cc index cffb2f922..93a360326 100644 --- a/extra/src/codecs/cd_pbb/cd_pbb.cc +++ b/extra/src/codecs/cd_pbb/cd_pbb.cc @@ -150,8 +150,8 @@ bool PbbCodec::encode(const uint8_t* const raw_in, const uint16_t /*raw_len*/, { memcpy(ho->ether_src, hi->ether_src, sizeof(ho->ether_src)); - if ( snort_conf->eth_dst ) - memcpy(ho->ether_dst, snort_conf->eth_dst, sizeof(ho->ether_dst)); + if ( SnortConfig::get_conf()->eth_dst ) + memcpy(ho->ether_dst, SnortConfig::get_conf()->eth_dst, sizeof(ho->ether_dst)); else memcpy(ho->ether_dst, hi->ether_dst, sizeof(ho->ether_dst)); } @@ -159,8 +159,8 @@ bool PbbCodec::encode(const uint8_t* const raw_in, const uint16_t /*raw_len*/, { memcpy(ho->ether_src, hi->ether_dst, sizeof(ho->ether_src)); - if ( snort_conf->eth_dst ) - memcpy(ho->ether_dst, snort_conf->eth_dst, sizeof(ho->ether_dst)); + if ( SnortConfig::get_conf()->eth_dst ) + memcpy(ho->ether_dst, SnortConfig::get_conf()->eth_dst, sizeof(ho->ether_dst)); else memcpy(ho->ether_dst, hi->ether_src, sizeof(ho->ether_dst)); } diff --git a/extra/src/loggers/alert_json/alert_json.cc b/extra/src/loggers/alert_json/alert_json.cc index 675f23cb0..dcc872f71 100644 --- a/extra/src/loggers/alert_json/alert_json.cc +++ b/extra/src/loggers/alert_json/alert_json.cc @@ -359,7 +359,7 @@ static bool ff_pkt_len(Args& a) static bool ff_pkt_num(Args& a) { print_label(a, "pkt_num"); - TextLog_Print(json_log, STDu64, pc.total_from_daq); + TextLog_Print(json_log, STDu64, get_packet_number()); return true; } diff --git a/src/codecs/ip/cd_auth.cc b/src/codecs/ip/cd_auth.cc index 11f338c4f..68906a563 100644 --- a/src/codecs/ip/cd_auth.cc +++ b/src/codecs/ip/cd_auth.cc @@ -102,7 +102,7 @@ bool AuthCodec::decode(const RawData& raw, CodecData& codec, DecodeData& snort) // must be called AFTER setting next_prot_id if (snort.ip_api.is_ip6()) { - if ( snort_conf->hit_ip6_maxopts(codec.ip6_extension_count) ) + if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) ) { codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR); return false; diff --git a/src/codecs/ip/cd_dst_opts.cc b/src/codecs/ip/cd_dst_opts.cc index 96238ce74..e7e9c8f34 100644 --- a/src/codecs/ip/cd_dst_opts.cc +++ b/src/codecs/ip/cd_dst_opts.cc @@ -58,7 +58,7 @@ bool Ipv6DSTOptsCodec::decode(const RawData& raw, CodecData& codec, DecodeData&) return false; } - if ( snort_conf->hit_ip6_maxopts(codec.ip6_extension_count) ) + if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) ) codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR); if (dsthdr->ip6dest_nxt == IpProtocol::ROUTING) diff --git a/src/codecs/ip/cd_esp.cc b/src/codecs/ip/cd_esp.cc index f2bcda232..850520d8f 100644 --- a/src/codecs/ip/cd_esp.cc +++ b/src/codecs/ip/cd_esp.cc @@ -124,7 +124,7 @@ bool EspCodec::decode(const RawData& raw, CodecData& codec, DecodeData& snort) // must be called AFTER setting next_prot_id if (snort.ip_api.is_ip6()) { - if ( snort_conf->hit_ip6_maxopts(codec.ip6_extension_count) ) + if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) ) { codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR); return false; diff --git a/src/codecs/ip/cd_frag.cc b/src/codecs/ip/cd_frag.cc index 010bd9f18..3d1f0824a 100644 --- a/src/codecs/ip/cd_frag.cc +++ b/src/codecs/ip/cd_frag.cc @@ -53,7 +53,7 @@ bool Ipv6FragCodec::decode(const RawData& raw, CodecData& codec, DecodeData& sno return false; } - if ( snort_conf->hit_ip6_maxopts(codec.ip6_extension_count) ) + if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) ) { codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR); return false; diff --git a/src/codecs/ip/cd_hop_opts.cc b/src/codecs/ip/cd_hop_opts.cc index 6f61f86c5..0eff1c437 100644 --- a/src/codecs/ip/cd_hop_opts.cc +++ b/src/codecs/ip/cd_hop_opts.cc @@ -62,7 +62,7 @@ bool Ipv6HopOptsCodec::decode(const RawData& raw, CodecData& codec, DecodeData&) return false; } - if ( snort_conf->hit_ip6_maxopts(codec.ip6_extension_count) ) + if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) ) { codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR); return false; diff --git a/src/codecs/ip/cd_ipv4.cc b/src/codecs/ip/cd_ipv4.cc index 509822a6a..45f619407 100644 --- a/src/codecs/ip/cd_ipv4.cc +++ b/src/codecs/ip/cd_ipv4.cc @@ -143,7 +143,7 @@ bool Ipv4Codec::decode(const RawData& raw, CodecData& codec, DecodeData& snort) return false; } - if ( snort_conf->hit_ip_maxlayers(codec.ip_layer_cnt) ) + if ( SnortConfig::get_conf()->hit_ip_maxlayers(codec.ip_layer_cnt) ) { codec_event(codec, DECODE_IP_MULTIPLE_ENCAPSULATION); return false; diff --git a/src/codecs/ip/cd_ipv6.cc b/src/codecs/ip/cd_ipv6.cc index 840cad297..708b65d48 100644 --- a/src/codecs/ip/cd_ipv6.cc +++ b/src/codecs/ip/cd_ipv6.cc @@ -136,7 +136,7 @@ bool Ipv6Codec::decode(const RawData& raw, CodecData& codec, DecodeData& snort) return false; } - if ( snort_conf->hit_ip_maxlayers(codec.ip_layer_cnt) ) + if ( SnortConfig::get_conf()->hit_ip_maxlayers(codec.ip_layer_cnt) ) { codec_event(codec, DECODE_IP_MULTIPLE_ENCAPSULATION); return false; diff --git a/src/codecs/ip/cd_mobility.cc b/src/codecs/ip/cd_mobility.cc index 94b4abee4..b6a065d1c 100644 --- a/src/codecs/ip/cd_mobility.cc +++ b/src/codecs/ip/cd_mobility.cc @@ -48,7 +48,7 @@ void MobilityCodec::get_protocol_ids(std::vector& v) bool MobilityCodec::decode(const RawData&, CodecData& codec, DecodeData&) { - if ( snort_conf->hit_ip6_maxopts(codec.ip6_extension_count) ) + if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) ) { codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR); return false; diff --git a/src/codecs/ip/cd_no_next.cc b/src/codecs/ip/cd_no_next.cc index 04190ea28..78a3a8dd8 100644 --- a/src/codecs/ip/cd_no_next.cc +++ b/src/codecs/ip/cd_no_next.cc @@ -47,7 +47,7 @@ bool Ipv6NoNextCodec::decode(const RawData& raw, CodecData& codec, DecodeData&) if (raw.len < ip::MIN_EXT_LEN) return false; - if ( snort_conf->hit_ip6_maxopts(codec.ip6_extension_count) ) + if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) ) { codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR); return false; diff --git a/src/codecs/ip/cd_routing.cc b/src/codecs/ip/cd_routing.cc index 9fc3c13e4..420d6b23e 100644 --- a/src/codecs/ip/cd_routing.cc +++ b/src/codecs/ip/cd_routing.cc @@ -78,7 +78,7 @@ bool Ipv6RoutingCodec::decode(const RawData& raw, CodecData& codec, DecodeData&) return false; } - if ( snort_conf->hit_ip6_maxopts(codec.ip6_extension_count) ) + if ( SnortConfig::get_conf()->hit_ip6_maxopts(codec.ip6_extension_count) ) { codec_event(codec, DECODE_IP6_EXCESS_EXT_HDR); return false; diff --git a/src/codecs/root/cd_eth.cc b/src/codecs/root/cd_eth.cc index c68597e62..c04d2c7d8 100644 --- a/src/codecs/root/cd_eth.cc +++ b/src/codecs/root/cd_eth.cc @@ -171,8 +171,8 @@ bool EthCodec::encode(const uint8_t* const raw_in, const uint16_t /*raw_len*/, { memcpy(ho->ether_src, hi->ether_src, sizeof(ho->ether_src)); - if ( snort_conf->eth_dst ) - memcpy(ho->ether_dst, snort_conf->eth_dst, sizeof(ho->ether_dst)); + if ( SnortConfig::get_conf()->eth_dst ) + memcpy(ho->ether_dst, SnortConfig::get_conf()->eth_dst, sizeof(ho->ether_dst)); else memcpy(ho->ether_dst, hi->ether_dst, sizeof(ho->ether_dst)); } @@ -180,8 +180,8 @@ bool EthCodec::encode(const uint8_t* const raw_in, const uint16_t /*raw_len*/, { memcpy(ho->ether_src, hi->ether_dst, sizeof(ho->ether_src)); - if ( snort_conf->eth_dst ) - memcpy(ho->ether_dst, snort_conf->eth_dst, sizeof(ho->ether_dst)); + if ( SnortConfig::get_conf()->eth_dst ) + memcpy(ho->ether_dst, SnortConfig::get_conf()->eth_dst, sizeof(ho->ether_dst)); else memcpy(ho->ether_dst, hi->ether_src, sizeof(ho->ether_dst)); } diff --git a/src/detection/detection_engine.cc b/src/detection/detection_engine.cc index ee0107cc0..6970fd451 100644 --- a/src/detection/detection_engine.cc +++ b/src/detection/detection_engine.cc @@ -59,7 +59,7 @@ static THREAD_LOCAL uint64_t context_num = 0; //-------------------------------------------------------------------------- void DetectionEngine::thread_init() -{ offloader = new RegexOffload(snort_conf->offload_threads); } +{ offloader = new RegexOffload(SnortConfig::get_conf()->offload_threads); } void DetectionEngine::thread_term() { delete offloader; } @@ -257,7 +257,7 @@ bool DetectionEngine::offload(Packet* p) { ContextSwitcher* sw = Snort::get_switcher(); - if ( p->type() != PktType::PDU or (p->dsize < snort_conf->offload_limit) or !sw->can_hold() ) + if ( p->type() != PktType::PDU or (p->dsize < SnortConfig::get_conf()->offload_limit) or !sw->can_hold() ) { fp_local(p); return false; @@ -272,7 +272,7 @@ bool DetectionEngine::offload(Packet* p) pc.total_from_daq, id, offloader->count()); p->flow->set_offloaded(); - p->context->conf = snort_conf; + p->context->conf = SnortConfig::get_conf(); offloader->put(id, p); pc.offloads++; diff --git a/src/detection/detection_util.cc b/src/detection/detection_util.cc index 1c4b6170c..2b4759375 100644 --- a/src/detection/detection_util.cc +++ b/src/detection/detection_util.cc @@ -45,8 +45,8 @@ static void LogBuffer(const char* s, const uint8_t* p, unsigned n) if ( !p ) return; - if ( n > snort_conf->event_trace_max ) - n = snort_conf->event_trace_max; + if ( n > SnortConfig::get_conf()->event_trace_max ) + n = SnortConfig::get_conf()->event_trace_max; for ( idx = 0; idx < n; idx++) { @@ -102,7 +102,7 @@ void EventTrace_Log(const Packet* p, const OptTreeNode* otn, int action) void EventTrace_Init() { - if ( snort_conf->event_trace_max > 0 ) + if ( SnortConfig::get_conf()->event_trace_max > 0 ) { time_t now = time(nullptr); char time_buf[26]; @@ -110,7 +110,7 @@ void EventTrace_Init() tlog = TextLog_Init ("event_trace.txt", 4*1024, 8*1024*1024); TextLog_Print(tlog, "\nTrace started at %s", time_buf); - TextLog_Print(tlog, "Trace max_data is %u bytes\n", snort_conf->event_trace_max); + TextLog_Print(tlog, "Trace max_data is %u bytes\n", SnortConfig::get_conf()->event_trace_max); } } diff --git a/src/detection/detection_util.h b/src/detection/detection_util.h index 1e8582aff..79668e627 100644 --- a/src/detection/detection_util.h +++ b/src/detection/detection_util.h @@ -56,7 +56,7 @@ void EventTrace_Log(const Packet*, const OptTreeNode*, int action); inline int EventTrace_IsEnabled() { - return ( snort_conf->event_trace_max > 0 ); + return ( SnortConfig::get_conf()->event_trace_max > 0 ); } #endif diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc index 82df22d46..e51c127fe 100644 --- a/src/detection/fp_detect.cc +++ b/src/detection/fp_detect.cc @@ -260,7 +260,7 @@ int fpAddMatch(OtnxMatchData* omd_local, int /*pLen*/, const OptTreeNode* otn) ** If we hit the max number of unique events for any rule type alert, ** log or pass, then we don't add it to the list. */ - if ( pmi->iMatchCount >= (int)snort_conf->fast_pattern_config->get_max_queue_events() || + if ( pmi->iMatchCount >= (int)SnortConfig::get_conf()->fast_pattern_config->get_max_queue_events() || pmi->iMatchCount >= MAX_EVENT_MATCH) { pc.match_limit++; @@ -627,7 +627,7 @@ static inline int fpFinalSelectEvent(OtnxMatchData* o, Packet* p) int k; const OptTreeNode* otn; int tcnt = 0; - EventQueueConfig* eq = snort_conf->event_queue_config; + EventQueueConfig* eq = SnortConfig::get_conf()->event_queue_config; RuleTreeNode* rtn; for ( i = 0; i < o->iMatchInfoArraySize; i++ ) @@ -831,10 +831,10 @@ void fp_set_context(IpsContext& c) c.stash = new MpseStash; c.otnx = (OtnxMatchData*)snort_calloc(sizeof(OtnxMatchData)); - c.otnx->iMatchInfoArraySize = snort_conf->num_rule_types; + c.otnx->iMatchInfoArraySize = SnortConfig::get_conf()->num_rule_types; c.otnx->matchInfo = (MatchInfo*)snort_calloc( - snort_conf->num_rule_types, sizeof(MatchInfo)); + SnortConfig::get_conf()->num_rule_types, sizeof(MatchInfo)); c.context_num = 0; } @@ -906,7 +906,7 @@ static int fp_search( omd->p = p; omd->check_ports = check_ports; - bool user_mode = snort_conf->sopgTable->user_mode; + bool user_mode = SnortConfig::get_conf()->sopgTable->user_mode; trace_log(detection, TRACE_RULE_EVAL, "Fast pattern search\n"); @@ -989,7 +989,7 @@ static inline int fpEvalHeaderSW(PortGroup* port_group, Packet* p, int8_t curr_ip_layer = 0; bool repeat = false; uint16_t tmp_dsize = 0; - FastPatternConfig* fp = snort_conf->fast_pattern_config; + FastPatternConfig* fp = SnortConfig::get_conf()->fast_pattern_config; print_pkt_info(p); @@ -1084,10 +1084,10 @@ static inline void fpEvalHeaderIp(Packet* p, OtnxMatchData* omd) { PortGroup* any = nullptr, * ip_group = nullptr; - if ( !prmFindRuleGroupIp(snort_conf->prmIpRTNX, ANYPORT, &ip_group, &any) ) + if ( !prmFindRuleGroupIp(SnortConfig::get_conf()->prmIpRTNX, ANYPORT, &ip_group, &any) ) return; - if ( snort_conf->fast_pattern_config->get_debug_print_nc_rules() ) + if ( SnortConfig::get_conf()->fast_pattern_config->get_debug_print_nc_rules() ) LogMessage("fpEvalHeaderIp: ip_group=%p, any=%p\n", (void*)ip_group, (void*)any); if ( ip_group ) @@ -1101,7 +1101,7 @@ static inline void fpEvalHeaderIcmp(Packet* p, OtnxMatchData* omd) { PortGroup* any = nullptr, * type = nullptr; - if ( !prmFindRuleGroupIcmp(snort_conf->prmIcmpRTNX, p->ptrs.icmph->type, &type, &any) ) + if ( !prmFindRuleGroupIcmp(SnortConfig::get_conf()->prmIcmpRTNX, p->ptrs.icmph->type, &type, &any) ) return; if ( type ) @@ -1115,7 +1115,7 @@ static inline void fpEvalHeaderTcp(Packet* p, OtnxMatchData* omd) { PortGroup* src = nullptr, * dst = nullptr, * any = nullptr; - if ( !prmFindRuleGroupTcp(snort_conf->prmTcpRTNX, p->ptrs.dp, p->ptrs.sp, &src, &dst, &any) ) + if ( !prmFindRuleGroupTcp(SnortConfig::get_conf()->prmTcpRTNX, p->ptrs.dp, p->ptrs.sp, &src, &dst, &any) ) return; DebugFormat(DEBUG_ATTRIBUTE, @@ -1136,7 +1136,7 @@ static inline void fpEvalHeaderUdp(Packet* p, OtnxMatchData* omd) { PortGroup* src = nullptr, * dst = nullptr, * any = nullptr; - if ( !prmFindRuleGroupUdp(snort_conf->prmUdpRTNX, p->ptrs.dp, p->ptrs.sp, &src, &dst, &any) ) + if ( !prmFindRuleGroupUdp(SnortConfig::get_conf()->prmUdpRTNX, p->ptrs.dp, p->ptrs.sp, &src, &dst, &any) ) return; DebugFormat(DEBUG_ATTRIBUTE, @@ -1167,16 +1167,16 @@ static inline bool fpEvalHeaderSvc(Packet* p, OtnxMatchData* omd, int proto) { DebugMessage(DEBUG_ATTRIBUTE, "pkt_from_server\n"); - svc = snort_conf->sopgTable->get_port_group(proto, false, proto_ordinal); - file = snort_conf->sopgTable->get_port_group(proto, false, SNORT_PROTO_FILE); + svc = SnortConfig::get_conf()->sopgTable->get_port_group(proto, false, proto_ordinal); + file = SnortConfig::get_conf()->sopgTable->get_port_group(proto, false, SNORT_PROTO_FILE); } if (p->is_from_client()) /* to srv */ { DebugMessage(DEBUG_ATTRIBUTE, "pkt_from_client\n"); - svc = snort_conf->sopgTable->get_port_group(proto, true, proto_ordinal); - file = snort_conf->sopgTable->get_port_group(proto, true, SNORT_PROTO_FILE); + svc = SnortConfig::get_conf()->sopgTable->get_port_group(proto, true, proto_ordinal); + file = SnortConfig::get_conf()->sopgTable->get_port_group(proto, true, SNORT_PROTO_FILE); } DebugFormat(DEBUG_ATTRIBUTE, @@ -1279,7 +1279,7 @@ static int fpEvalPacket(Packet* p) break; case PktType::PDU: - if ( snort_conf->sopgTable->user_mode ) + if ( SnortConfig::get_conf()->sopgTable->user_mode ) fpEvalHeaderSvc(p, omd, SNORT_PROTO_USER); // use ports if we don't know service or don't have rules diff --git a/src/detection/ips_context.cc b/src/detection/ips_context.cc index 04797c9a1..a9508504c 100644 --- a/src/detection/ips_context.cc +++ b/src/detection/ips_context.cc @@ -62,7 +62,7 @@ IpsContext::IpsContext(unsigned size) : pkth = new DAQ_PktHdr_t; buf = new uint8_t[buf_size]; - const EventQueueConfig* qc = snort_conf->event_queue_config; + const EventQueueConfig* qc = SnortConfig::get_conf()->event_queue_config; equeue = sfeventq_new(qc->max_events, qc->log_events, sizeof(EventNode)); packet->context = this; diff --git a/src/detection/pcrm.cc b/src/detection/pcrm.cc index 81774eeeb..e4da1f139 100644 --- a/src/detection/pcrm.cc +++ b/src/detection/pcrm.cc @@ -97,7 +97,7 @@ static int prmFindRuleGroup( /* If no Src/Dst rules - use the generic set, if any exist */ if ( p->prmGeneric and (p->prmGeneric->rule_count > 0) ) { - if ( snort_conf->fast_pattern_config->get_split_any_any() or (!*src and !*dst) ) + if ( SnortConfig::get_conf()->fast_pattern_config->get_split_any_any() or (!*src and !*dst) ) { *gen = p->prmGeneric; } diff --git a/src/detection/regex_offload.cc b/src/detection/regex_offload.cc index 6f8df1a2a..2fec335cd 100644 --- a/src/detection/regex_offload.cc +++ b/src/detection/regex_offload.cc @@ -107,7 +107,7 @@ void RegexOffload::worker(RegexRequest* req) assert(req->packet); assert(req->packet->flow->is_offloaded()); - snort_conf = req->packet->context->conf; // FIXIT-H reload issue + SnortConfig::set_conf(req->packet->context->conf); // FIXIT-H reload issue fp_offload(req->packet); req->offload = false; diff --git a/src/detection/signature.cc b/src/detection/signature.cc index 15a04590c..1c3b8c933 100644 --- a/src/detection/signature.cc +++ b/src/detection/signature.cc @@ -266,7 +266,7 @@ OptTreeNode* OtnLookup(SFGHASH* otn_map, uint32_t gid, uint32_t sid) OptTreeNode* GetOTN(uint32_t gid, uint32_t sid) { - OptTreeNode* otn = OtnLookup(snort_conf->otn_map, gid, sid); + OptTreeNode* otn = OtnLookup(SnortConfig::get_conf()->otn_map, gid, sid); if ( !otn ) return nullptr; diff --git a/src/file_api/file_cache.cc b/src/file_api/file_cache.cc index ce4ca8a7d..7db068f50 100644 --- a/src/file_api/file_cache.cc +++ b/src/file_api/file_cache.cc @@ -44,7 +44,7 @@ static int file_cache_free_func(void*, void* data) FileCache::FileCache() { - int max_files = snort_conf->file_config.max_files_cached; + int max_files = SnortConfig::get_conf()->file_config.max_files_cached; fileHash = sfxhash_new(max_files, sizeof(FileHashKey), sizeof(FileNode), 0, 1, nullptr, file_cache_free_func, 1); if (!fileHash) diff --git a/src/file_api/file_lib.cc b/src/file_api/file_lib.cc index 6389b914a..fbcc55e14 100644 --- a/src/file_api/file_lib.cc +++ b/src/file_api/file_lib.cc @@ -205,7 +205,7 @@ FileContext::FileContext () file_signature_context = nullptr; file_capture = nullptr; file_segments = nullptr; - inspector = (FileInspect*)InspectorManager::acquire(FILE_ID_NAME, snort_conf); + inspector = (FileInspect*)InspectorManager::acquire(FILE_ID_NAME, SnortConfig::get_conf()); file_config = inspector->config; } diff --git a/src/filters/rate_filter.cc b/src/filters/rate_filter.cc index 2142f6a03..1350b07b2 100644 --- a/src/filters/rate_filter.cc +++ b/src/filters/rate_filter.cc @@ -126,7 +126,8 @@ int RateFilter_Test( dip = &cleared; } - if ((snort_conf == nullptr) || (snort_conf->rate_filter_config == nullptr)) + if ((SnortConfig::get_conf() == nullptr) || + (SnortConfig::get_conf()->rate_filter_config == nullptr)) { /* this should not happen, see the create fcn */ return -1; @@ -139,13 +140,13 @@ int RateFilter_Test( if ( p->is_from_server() ) { return SFRF_TestThreshold( - snort_conf->rate_filter_config, gid, sid, dip, sip, + SnortConfig::get_conf()->rate_filter_config, gid, sid, dip, sip, p->pkth->ts.tv_sec, SFRF_COUNT_INCREMENT); } } return SFRF_TestThreshold( - snort_conf->rate_filter_config, gid, sid, sip, dip, + SnortConfig::get_conf()->rate_filter_config, gid, sid, sip, dip, p->pkth->ts.tv_sec, SFRF_COUNT_INCREMENT); } diff --git a/src/filters/sfthreshold.cc b/src/filters/sfthreshold.cc index 459f003c8..66c4c2bd6 100644 --- a/src/filters/sfthreshold.cc +++ b/src/filters/sfthreshold.cc @@ -316,8 +316,8 @@ int sfthreshold_test( const SfIp* sip, const SfIp* dip, long curtime) { - if ((snort_conf->threshold_config == nullptr) || - !snort_conf->threshold_config->enabled) + if ((SnortConfig::get_conf()->threshold_config == nullptr) || + !SnortConfig::get_conf()->threshold_config->enabled) { return 0; } @@ -325,7 +325,7 @@ int sfthreshold_test( if (!thd_checked) { thd_checked = 1; - thd_answer = sfthd_test_threshold(snort_conf->threshold_config->thd_objs, + thd_answer = sfthd_test_threshold(SnortConfig::get_conf()->threshold_config->thd_objs, thd_runtime, gen_id, sig_id, sip, dip, curtime); } diff --git a/src/flow/flow_control.cc b/src/flow/flow_control.cc index 52e11914b..055b1d681 100644 --- a/src/flow/flow_control.cc +++ b/src/flow/flow_control.cc @@ -411,9 +411,9 @@ unsigned FlowControl::process(Flow* flow, Packet* p) if ( flow->flow_state != Flow::FlowState::SETUP ) { - set_inspection_policy(snort_conf, flow->inspection_policy_id); - set_ips_policy(snort_conf, flow->ips_policy_id); - set_network_policy(snort_conf, flow->network_policy_id); + set_inspection_policy(SnortConfig::get_conf(), flow->inspection_policy_id); + set_ips_policy(SnortConfig::get_conf(), flow->ips_policy_id); + set_network_policy(SnortConfig::get_conf(), flow->network_policy_id); } else diff --git a/src/framework/inspector.cc b/src/framework/inspector.cc index 0782af284..7822d91dc 100644 --- a/src/framework/inspector.cc +++ b/src/framework/inspector.cc @@ -108,3 +108,8 @@ bool Inspector::likes(Packet* p) return true; } +void Inspector::add_ref() +{ ++ref_count[slot]; } + +void Inspector::rem_ref() +{ --ref_count[slot]; } diff --git a/src/framework/inspector.h b/src/framework/inspector.h index c3dfc2097..cddeb3dfb 100644 --- a/src/framework/inspector.h +++ b/src/framework/inspector.h @@ -91,8 +91,8 @@ public: unsigned get_ref(unsigned i) { return ref_count[i]; } void set_ref(unsigned i, unsigned r) { ref_count[i] = r; } - void add_ref() { ++ref_count[slot]; } - void rem_ref() { --ref_count[slot]; } + void add_ref(); + void rem_ref(); bool is_inactive(); diff --git a/src/hash/test/sfghash_test.cc b/src/hash/test/sfghash_test.cc index 59b952f35..a3e34c06c 100644 --- a/src/hash/test/sfghash_test.cc +++ b/src/hash/test/sfghash_test.cc @@ -33,9 +33,15 @@ // Stubs whose sole purpose is to make the test code link static SnortConfig my_config; THREAD_LOCAL SnortConfig *snort_conf = &my_config; + SnortConfig::SnortConfig(SnortConfig*) { snort_conf->run_flags = 0;} // run_flags is used indirectly from SFHASHFCN class by calling SnortConfig::static_hash() + SnortConfig::~SnortConfig() = default; + +SnortConfig* SnortConfig::get_conf() +{ return snort_conf; } + // implement functions for virtual FileVerdict FilePolicy::type_lookup(Flow* , FileContext* ) { return FILE_VERDICT_UNKNOWN;} FileVerdict FilePolicy::type_lookup(Flow* , FileInfo* ) { return FILE_VERDICT_UNKNOWN;} diff --git a/src/helpers/process.cc b/src/helpers/process.cc index 5a0128f30..092ff678f 100644 --- a/src/helpers/process.cc +++ b/src/helpers/process.cc @@ -121,7 +121,7 @@ static void exit_handler(int signal) static void dirty_handler(int signal) { - snort_conf->dirty_pig = true; + SnortConfig::get_conf()->dirty_pig = true; exit_handler(signal); } diff --git a/src/host_tracker/host_cache.cc b/src/host_tracker/host_cache.cc index 1677c3ecd..271474afb 100644 --- a/src/host_tracker/host_cache.cc +++ b/src/host_tracker/host_cache.cc @@ -38,7 +38,7 @@ void host_cache_add_host_tracker(HostTracker* ht) bool host_cache_add_service(const SfIp& ipaddr, Protocol ipproto, Port port, const char* /*service*/) { HostIpKey ipkey((const uint8_t*) ipaddr.get_ip6_ptr()); - uint16_t proto = 0; // FIXIT-M not safe with multithreads snort_conf->proto_ref->add(service)); + uint16_t proto = 0; // FIXIT-M not safe with multithreads SnortConfig::get_conf()->proto_ref->add(service)); HostApplicationEntry app_entry(ipproto, port, proto); std::shared_ptr ht; diff --git a/src/ips_options/ips_pcre.cc b/src/ips_options/ips_pcre.cc index 4bba8d898..08ce82ba1 100644 --- a/src/ips_options/ips_pcre.cc +++ b/src/ips_options/ips_pcre.cc @@ -362,7 +362,7 @@ static bool pcre_search( found_offset = -1; - SnortState* ss = snort_conf->state + get_instance_id(); + SnortState* ss = SnortConfig::get_conf()->state + get_instance_id(); assert(ss->pcre_ovector); int result = pcre_exec( @@ -373,7 +373,7 @@ static bool pcre_search( start_offset, /* start at offset 0 in the subject */ 0, /* options(handled at compile time */ ss->pcre_ovector, /* vector for substring information */ - snort_conf->pcre_ovector_size); /* number of elements in the vector */ + SnortConfig::get_conf()->pcre_ovector_size); /* number of elements in the vector */ if (result >= 0) { diff --git a/src/ips_options/ips_regex.cc b/src/ips_options/ips_regex.cc index b0073b6ea..7aa867794 100644 --- a/src/ips_options/ips_regex.cc +++ b/src/ips_options/ips_regex.cc @@ -175,7 +175,7 @@ IpsOption::EvalStatus RegexOption::eval(Cursor& c, Packet*) if ( pos > c.size() ) return NO_MATCH; - SnortState* ss = snort_conf->state + get_instance_id(); + SnortState* ss = SnortConfig::get_conf()->state + get_instance_id(); assert(ss->regex_scratch); s_to = 0; diff --git a/src/ips_options/ips_sd_pattern.cc b/src/ips_options/ips_sd_pattern.cc index 2d932a11d..0a25e7041 100644 --- a/src/ips_options/ips_sd_pattern.cc +++ b/src/ips_options/ips_sd_pattern.cc @@ -251,7 +251,7 @@ unsigned SdPatternOption::SdSearch(Cursor& c, Packet* p) const uint8_t* buf = c.start(); unsigned int buflen = c.length(); - SnortState* ss = snort_conf->state + get_instance_id(); + SnortState* ss = SnortConfig::get_conf()->state + get_instance_id(); assert(ss->sdpattern_scratch); hsContext ctx(config, p, start, buf, buflen); diff --git a/src/ips_options/ips_session.cc b/src/ips_options/ips_session.cc index 463d7af2c..7d3d02415 100644 --- a/src/ips_options/ips_session.cc +++ b/src/ips_options/ips_session.cc @@ -174,9 +174,9 @@ static FILE* OpenSessionFile(Packet* p) const char* addr; - if (snort_conf->homenet.contains(dst) == SFIP_CONTAINS) + if (SnortConfig::get_conf()->homenet.contains(dst) == SFIP_CONTAINS) { - if (snort_conf->homenet.contains(src) == SFIP_NOT_CONTAINS) + if (SnortConfig::get_conf()->homenet.contains(src) == SFIP_NOT_CONTAINS) { addr = p->ptrs.ip_api.get_src()->ntoa(); } @@ -194,7 +194,7 @@ static FILE* OpenSessionFile(Packet* p) } else { - if (snort_conf->homenet.contains(src) == SFIP_CONTAINS) + if (SnortConfig::get_conf()->homenet.contains(src) == SFIP_CONTAINS) { addr = p->ptrs.ip_api.get_dst()->ntoa(); } diff --git a/src/ips_options/test/ips_regex_test.cc b/src/ips_options/test/ips_regex_test.cc index d77796322..a286f469c 100644 --- a/src/ips_options/test/ips_regex_test.cc +++ b/src/ips_options/test/ips_regex_test.cc @@ -73,6 +73,9 @@ SnortConfig::SnortConfig(SnortConfig*) SnortConfig::~SnortConfig() { } +SnortConfig* SnortConfig::get_conf() +{ return snort_conf; } + unsigned get_instance_id() { return 0; } diff --git a/src/latency/packet_latency.cc b/src/latency/packet_latency.cc index b7ff72e64..abe335510 100644 --- a/src/latency/packet_latency.cc +++ b/src/latency/packet_latency.cc @@ -187,7 +187,7 @@ inline bool Impl::fastpath() static struct SnortConfigWrapper : public ConfigWrapper { const PacketLatencyConfig* operator->() const override - { return &snort_conf->latency->packet_latency; } + { return &SnortConfig::get_conf()->latency->packet_latency; } } config; diff --git a/src/latency/rule_latency.cc b/src/latency/rule_latency.cc index 174555284..12ae9499c 100644 --- a/src/latency/rule_latency.cc +++ b/src/latency/rule_latency.cc @@ -285,7 +285,7 @@ inline void Impl::handle(const Event& e) static struct SnortConfigWrapper : public ConfigWrapper { const RuleLatencyConfig* operator->() const override - { return &snort_conf->latency->rule_latency; } + { return &SnortConfig::get_conf()->latency->rule_latency; } } config; diff --git a/src/log/log_text.cc b/src/log/log_text.cc index ba7ba96b0..c1f91ebd1 100644 --- a/src/log/log_text.cc +++ b/src/log/log_text.cc @@ -269,10 +269,10 @@ void LogIpAddrs(TextLog* log, Packet* p) if (SnortConfig::obfuscate()) { ObfuscateIpToText(p->ptrs.ip_api.get_src(), - snort_conf->homenet, snort_conf->obfuscation_net, src); + SnortConfig::get_conf()->homenet, SnortConfig::get_conf()->obfuscation_net, src); ObfuscateIpToText(p->ptrs.ip_api.get_dst(), - snort_conf->homenet, snort_conf->obfuscation_net, dst); + SnortConfig::get_conf()->homenet, SnortConfig::get_conf()->obfuscation_net, dst); TextLog_Print(log, ip_fmt, src, dst); } @@ -291,10 +291,10 @@ void LogIpAddrs(TextLog* log, Packet* p) if (SnortConfig::obfuscate()) { ObfuscateIpToText(p->ptrs.ip_api.get_src(), - snort_conf->homenet, snort_conf->obfuscation_net, src); + SnortConfig::get_conf()->homenet, SnortConfig::get_conf()->obfuscation_net, src); ObfuscateIpToText(p->ptrs.ip_api.get_dst(), - snort_conf->homenet, snort_conf->obfuscation_net, dst); + SnortConfig::get_conf()->homenet, SnortConfig::get_conf()->obfuscation_net, dst); TextLog_Print(log, ip_fmt, src, p->ptrs.sp, dst, p->ptrs.dp); } @@ -1203,7 +1203,7 @@ void LogNetData( buf_name = p->get_pseudo_type(); } - const HexAsciiLayout& hal = snort_conf->output_wide_hex() ? hal_wide : hal_std; + const HexAsciiLayout& hal = SnortConfig::get_conf()->output_wide_hex() ? hal_wide : hal_std; const char* hdr_off = SnortConfig::verbose_byte_dump() ? hal.offset_hdr : ""; const char* ins_name = p->flow and p->flow->gadget ? p->flow->gadget->get_name() : "snort"; diff --git a/src/log/messages.cc b/src/log/messages.cc index db00b2fa3..282a0bdec 100644 --- a/src/log/messages.cc +++ b/src/log/messages.cc @@ -81,7 +81,7 @@ void ParseMessage(const char* format, ...) void ParseWarning(WarningGroup wg, const char* format, ...) { - if ( !(snort_conf->warning_flags & (1 << wg)) ) + if ( !(SnortConfig::get_conf()->warning_flags & (1 << wg)) ) return; char buf[STD_BUF+1]; @@ -135,7 +135,7 @@ void ParseError(const char* format, ...) static void WriteLogMessage(FILE* fh, bool prefer_fh, const char* format, va_list& ap) { - if ( snort_conf && !prefer_fh ) + if ( SnortConfig::get_conf() && !prefer_fh ) { if ( SnortConfig::log_quiet() ) return; @@ -196,12 +196,12 @@ void WarningMessage(const char* format,...) { va_list ap; - if ( snort_conf and SnortConfig::log_quiet() ) + if ( SnortConfig::get_conf() and SnortConfig::log_quiet() ) return; va_start(ap, format); - if ( snort_conf and SnortConfig::log_syslog() ) + if ( SnortConfig::get_conf() and SnortConfig::log_syslog() ) { char buf[STD_BUF+1]; vsnprintf(buf, STD_BUF, format, ap); @@ -232,7 +232,7 @@ void ErrorMessage(const char* format,...) va_start(ap, format); - if ( snort_conf and SnortConfig::log_syslog() ) + if ( SnortConfig::get_conf() and SnortConfig::log_syslog() ) { char buf[STD_BUF+1]; vsnprintf(buf, STD_BUF, format, ap); @@ -276,7 +276,7 @@ void ErrorMessage(const char* format,...) buf[STD_BUF] = '\0'; - if ( snort_conf and SnortConfig::log_syslog() ) + if ( SnortConfig::get_conf() and SnortConfig::log_syslog() ) { syslog(LOG_CONS | LOG_DAEMON | LOG_ERR, "FATAL ERROR: %s", buf); } diff --git a/src/loggers/alert_csv.cc b/src/loggers/alert_csv.cc index 4ae5b83c2..49bf58e78 100644 --- a/src/loggers/alert_csv.cc +++ b/src/loggers/alert_csv.cc @@ -264,7 +264,7 @@ static void ff_pkt_len(Args& a) static void ff_pkt_num(Args&) { - TextLog_Print(csv_log, STDu64, pc.total_from_daq); + TextLog_Print(csv_log, STDu64, get_packet_number()); } static void ff_priority(Args& a) diff --git a/src/loggers/alert_sf_socket.cc b/src/loggers/alert_sf_socket.cc index 41db8ce67..8ce4a5315 100644 --- a/src/loggers/alert_sf_socket.cc +++ b/src/loggers/alert_sf_socket.cc @@ -246,9 +246,9 @@ static OptTreeNode* OptTreeNode_Search(uint32_t, uint32_t sid) if (sid == 0) return nullptr; - for (hashNode = sfghash_findfirst(snort_conf->otn_map); + for (hashNode = sfghash_findfirst(SnortConfig::get_conf()->otn_map); hashNode; - hashNode = sfghash_findnext(snort_conf->otn_map)) + hashNode = sfghash_findnext(SnortConfig::get_conf()->otn_map)) { OptTreeNode* otn = (OptTreeNode*)hashNode->data; RuleTreeNode* rtn = getRuntimeRtnFromOtn(otn); diff --git a/src/loggers/alert_syslog.cc b/src/loggers/alert_syslog.cc index 29ac2fca6..f6c152a4e 100644 --- a/src/loggers/alert_syslog.cc +++ b/src/loggers/alert_syslog.cc @@ -252,11 +252,11 @@ static void AlertSyslog( if (SnortConfig::obfuscate()) { - ObfuscateIpToText(p->ptrs.ip_api.get_src(), snort_conf->homenet, - snort_conf->obfuscation_net, src); + ObfuscateIpToText(p->ptrs.ip_api.get_src(), SnortConfig::get_conf()->homenet, + SnortConfig::get_conf()->obfuscation_net, src); - ObfuscateIpToText(p->ptrs.ip_api.get_dst(), snort_conf->homenet, - snort_conf->obfuscation_net, dst); + ObfuscateIpToText(p->ptrs.ip_api.get_dst(), SnortConfig::get_conf()->homenet, + SnortConfig::get_conf()->obfuscation_net, dst); SnortSnprintfAppend(event_string, sizeof(event_string), ip_fmt, src, dst); } @@ -274,11 +274,11 @@ static void AlertSyslog( if (SnortConfig::obfuscate()) { - ObfuscateIpToText(p->ptrs.ip_api.get_src(), snort_conf->homenet, - snort_conf->obfuscation_net, src); + ObfuscateIpToText(p->ptrs.ip_api.get_src(), SnortConfig::get_conf()->homenet, + SnortConfig::get_conf()->obfuscation_net, src); - ObfuscateIpToText(p->ptrs.ip_api.get_dst(), snort_conf->homenet, - snort_conf->obfuscation_net, dst); + ObfuscateIpToText(p->ptrs.ip_api.get_dst(), SnortConfig::get_conf()->homenet, + SnortConfig::get_conf()->obfuscation_net, dst); SnortSnprintfAppend(event_string, sizeof(event_string), ip_fmt, src, p->ptrs.sp, dst, p->ptrs.dp); diff --git a/src/main.cc b/src/main.cc index 54efb0bee..c959a9a25 100644 --- a/src/main.cc +++ b/src/main.cc @@ -149,7 +149,7 @@ void Pig::start() assert(!athread); LogMessage("++ [%u] %s\n", idx, analyzer->get_source()); - Swapper* ps = new Swapper(snort_conf, SFAT_GetConfig()); + Swapper* ps = new Swapper(SnortConfig::get_conf(), SFAT_GetConfig()); athread = new std::thread(std::ref(*analyzer), ps, ++run_num); } @@ -315,7 +315,7 @@ int main_reload_config(lua_State* L) } current_request->respond(".. reloading configuration\n"); - SnortConfig* old = snort_conf; + SnortConfig* old = SnortConfig::get_conf(); SnortConfig* sc = Snort::get_reload_config(fname); if ( !sc ) @@ -323,7 +323,7 @@ int main_reload_config(lua_State* L) current_request->respond("== reload failed\n"); return 0; } - snort_conf = sc; + SnortConfig::set_conf(sc); proc_stats.conf_reloads++; bool from_shell = ( L != nullptr ); @@ -356,7 +356,7 @@ int main_reload_policy(lua_State* L) return 0; } - SnortConfig* old = snort_conf; + SnortConfig* old = SnortConfig::get_conf(); SnortConfig* sc = Snort::get_updated_policy(old, fname, nullptr); if ( !sc ) @@ -364,7 +364,7 @@ int main_reload_policy(lua_State* L) current_request->respond("== reload failed\n"); return 0; } - snort_conf = sc; + SnortConfig::set_conf(sc); proc_stats.policy_reloads++; bool from_shell = ( L != nullptr ); @@ -403,7 +403,7 @@ int main_reload_hosts(lua_State* L) } Shell sh = Shell(fname); - sh.configure(snort_conf); + sh.configure(SnortConfig::get_conf()); tTargetBasedConfig* old = SFAT_GetConfig(); tTargetBasedConfig* tc = SFAT_Swap(); @@ -444,7 +444,7 @@ int main_delete_inspector(lua_State* L) return 0; } - SnortConfig* old = snort_conf; + SnortConfig* old = SnortConfig::get_conf(); SnortConfig* sc = Snort::get_updated_policy(old, nullptr, iname); if ( !sc ) @@ -452,7 +452,7 @@ int main_delete_inspector(lua_State* L) current_request->respond("== reload failed\n"); return 0; } - snort_conf = sc; + SnortConfig::set_conf(sc); proc_stats.inspector_deletions++; bool from_shell = ( L != nullptr ); @@ -635,7 +635,7 @@ static bool just_validate() if ( SnortConfig::test_mode() ) return true; - if ( use_shell(snort_conf) ) + if ( use_shell(SnortConfig::get_conf()) ) return false; /* FIXIT-L X This should really check if the DAQ module was unset as it could be explicitly @@ -645,7 +645,7 @@ static bool just_validate() if ( SnortConfig::read_mode() && !Trough::get_queue_size() ) return true; - if ( !SnortConfig::read_mode() && !SFDAQ::get_input_spec(snort_conf, 0) ) + if ( !SnortConfig::read_mode() && !SFDAQ::get_input_spec(SnortConfig::get_conf(), 0) ) return true; } @@ -689,11 +689,11 @@ static bool set_mode() warnings); // force test mode to exit w/o stats - snort_conf->run_flags |= RUN_FLAG__TEST; + SnortConfig::get_conf()->run_flags |= RUN_FLAG__TEST; return false; } - if ( snort_conf->run_flags & RUN_FLAG__PAUSE ) + if ( SnortConfig::get_conf()->run_flags & RUN_FLAG__PAUSE ) { LogMessage("Paused; resume to start packet processing\n"); paused = true; @@ -702,7 +702,7 @@ static bool set_mode() LogMessage("Commencing packet processing\n"); #ifdef SHELL - if ( use_shell(snort_conf) ) + if ( use_shell(SnortConfig::get_conf()) ) { LogMessage("Entering command shell\n"); ControlMgmt::add_control(STDOUT_FILENO, true); @@ -791,7 +791,7 @@ static void main_loop() if (!SnortConfig::read_mode()) { for (swine = 0; swine < max_pigs; swine++) - pigs[swine].prep(SFDAQ::get_input_spec(snort_conf, swine)); + pigs[swine].prep(SFDAQ::get_input_spec(SnortConfig::get_conf(), swine)); } // Iterate over the drove, spawn them as allowed, and handle their deaths. diff --git a/src/main/analyzer_command.cc b/src/main/analyzer_command.cc index 6cf682aeb..366fd9647 100644 --- a/src/main/analyzer_command.cc +++ b/src/main/analyzer_command.cc @@ -70,7 +70,7 @@ void ACGetStats::execute(Analyzer&) // FIXIT-P This incurs locking on all threads to retrieve stats. It could be reimplemented to // optimize for large thread counts by retrieving stats in the command and accumulating in the // main thread. - ModuleManager::accumulate(snort_conf); + ModuleManager::accumulate(SnortConfig::get_conf()); } ACGetStats::~ACGetStats() diff --git a/src/main/control_mgmt.cc b/src/main/control_mgmt.cc index 7d3a2ca39..dcadab65a 100644 --- a/src/main/control_mgmt.cc +++ b/src/main/control_mgmt.cc @@ -108,25 +108,25 @@ void ControlMgmt::delete_controls() int ControlMgmt::setup_socket_family() { int family = AF_UNSPEC; - if ( snort_conf->remote_control_port ) + if ( SnortConfig::get_conf()->remote_control_port ) { memset(&in_addr, 0, sizeof(in_addr)); in_addr.sin_family = AF_INET; in_addr.sin_addr.s_addr = htonl(0x7F000001); - in_addr.sin_port = htons(snort_conf->remote_control_port); + in_addr.sin_port = htons(SnortConfig::get_conf()->remote_control_port); sock_addr = (struct sockaddr*)&in_addr; sock_addr_size = sizeof(in_addr); family = AF_INET; } - else if ( !snort_conf->remote_control_socket.empty() ) + else if ( !SnortConfig::get_conf()->remote_control_socket.empty() ) { std::string fullpath; - const char* path_sep = strrchr(snort_conf->remote_control_socket.c_str(), '/'); + const char* path_sep = strrchr(SnortConfig::get_conf()->remote_control_socket.c_str(), '/'); if (path_sep != nullptr) - fullpath = snort_conf->remote_control_socket; + fullpath = SnortConfig::get_conf()->remote_control_socket; else - get_instance_file(fullpath, snort_conf->remote_control_socket.c_str()); + get_instance_file(fullpath, SnortConfig::get_conf()->remote_control_socket.c_str()); memset(&unix_addr, 0, sizeof(unix_addr)); unix_addr.sun_family = AF_UNIX; diff --git a/src/main/help.cc b/src/main/help.cc index a8eb6a313..191a6a77a 100644 --- a/src/main/help.cc +++ b/src/main/help.cc @@ -151,7 +151,7 @@ enum HelpType [[noreturn]] static void show_help(SnortConfig* sc, const char* val, HelpType ht) { - snort_conf = new SnortConfig; + SnortConfig::set_conf(new SnortConfig); ScriptManager::load_scripts(sc->script_paths); PluginManager::load_plugins(sc->plugin_path); ModuleManager::init(); @@ -207,7 +207,7 @@ enum HelpType ModuleManager::term(); PluginManager::release_plugins(); ScriptManager::release_scripts(); - delete snort_conf; + delete SnortConfig::get_conf(); exit(0); } diff --git a/src/main/modules.cc b/src/main/modules.cc index 7d8aefa3e..685c9f1c0 100644 --- a/src/main/modules.cc +++ b/src/main/modules.cc @@ -1100,7 +1100,81 @@ bool NetworkModule::set(const char*, Value& v, SnortConfig* sc) } //------------------------------------------------------------------------- -// detection policy module +// inspection policy module +//------------------------------------------------------------------------- + +static const Parameter inspection_params[] = +{ + { "id", Parameter::PT_INT, "0:65535", "0", + "correlate policy and events with other items in configuration" }, + +#ifdef HAVE_UUID + { "uuid", Parameter::PT_STRING, nullptr, nullptr, + "correlate events by uuid" }, +#endif + + { "mode", Parameter::PT_ENUM, "inline | inline-test", "inline-test", + "set policy mode" }, + + { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } +}; + +#define inspection_help \ + "configure basic inspection policy parameters" + +class InspectionModule : public Module +{ +public: + InspectionModule() : Module("inspection", inspection_help, inspection_params) { } + bool set(const char*, Value&, SnortConfig*) override; + + Usage get_usage() const override + { return INSPECT; } +}; + +bool InspectionModule::set(const char*, Value& v, SnortConfig* sc) +{ + InspectionPolicy* p = get_inspection_policy(); + + if ( v.is("id") ) + { + p->user_policy_id = v.get_long(); + sc->policy_map->set_user_inspection(p); + } + +#ifdef HAVE_UUID + else if ( v.is("uuid") ) + { + if(uuid_parse(v.get_string(), p->uuid) != 0) + { + ParseError("Invalid Inspection UUID: %s", v.get_string()); + uuid_clear(p->uuid); + } + } +#endif + + else if ( v.is("mode") ) + { + switch ( v.get_long() ) + { + case 0: + p->policy_mode = POLICY_MODE__INLINE; + break; + case 1: + p->policy_mode = POLICY_MODE__INLINE_TEST; + break; + default: + break; + } + } + + else + return false; + + return true; +} +//------------------------------------------------------------------------- +// Ips policy module //------------------------------------------------------------------------- static const Parameter ips_params[] = @@ -1122,7 +1196,7 @@ static const Parameter ips_params[] = "snort rules and includes" }, #ifdef HAVE_UUID - { "uuid", Parameter::PT_STRING, nullptr, nullptr, + { "uuid", Parameter::PT_STRING, nullptr, "00000000-0000-0000-0000-000000000000", "IPS policy uuid" }, #endif @@ -1832,6 +1906,7 @@ void module_init() // these are preliminary policies ModuleManager::add_module(new NetworkModule); + ModuleManager::add_module(new InspectionModule); ModuleManager::add_module(new IpsModule); // these modules replace config and hosts.xml diff --git a/src/main/policy.cc b/src/main/policy.cc index 0c10fed63..3fa271bf8 100644 --- a/src/main/policy.cc +++ b/src/main/policy.cc @@ -275,7 +275,7 @@ void set_ips_policy(IpsPolicy* p) void set_user_ips_policy(unsigned policy_id) { - IpsPolicy *p = snort_conf->policy_map->get_user_ips(policy_id); + IpsPolicy *p = SnortConfig::get_conf()->policy_map->get_user_ips(policy_id); if(!p) { ips_module_stats.invalid_policy_ids++; @@ -315,7 +315,7 @@ void set_default_policy(SnortConfig* sc) } void set_default_policy() -{ set_default_policy(snort_conf); } +{ set_default_policy(SnortConfig::get_conf()); } bool only_inspection_policy() { return get_inspection_policy() && !get_ips_policy() && !get_network_policy(); } diff --git a/src/main/policy.h b/src/main/policy.h index 84fe44adc..a94a6fea8 100644 --- a/src/main/policy.h +++ b/src/main/policy.h @@ -44,6 +44,14 @@ struct sfip_var_t; typedef unsigned int PolicyId; typedef struct SFGHASH PortVarTable; +enum PolicyMode +{ + POLICY_MODE__PASSIVE, + POLICY_MODE__INLINE, + POLICY_MODE__INLINE_TEST, + POLICY_MODE__MAX +}; + // FIXIT-L split into separate headers //------------------------------------------------------------------------- @@ -101,7 +109,9 @@ public: public: PolicyId policy_id; + PolicyMode policy_mode = POLICY_MODE__INLINE_TEST; uint32_t user_policy_id = 0; + uuid_t uuid{}; struct FrameworkPolicy* framework_policy; DataBus dbus; @@ -115,14 +125,6 @@ private: // detection stuff //------------------------------------------------------------------------- -enum PolicyMode -{ - POLICY_MODE__PASSIVE, - POLICY_MODE__INLINE, - POLICY_MODE__INLINE_TEST, - POLICY_MODE__MAX -}; - // this is the ips policy post ac-split struct IpsPolicy { @@ -182,6 +184,9 @@ public: Shell* get_shell(unsigned i = 0) { return i < shells.size() ? shells[i] : nullptr; } + void set_user_inspection(InspectionPolicy* p) + { user_inspection[p->user_policy_id] = p; } + void set_user_ips(IpsPolicy* p) { user_ips[p->user_policy_id] = p; } @@ -198,6 +203,7 @@ public: // FIXIT-M make impl private bool cloned = false; private: + std::unordered_map user_inspection; std::unordered_map user_ips; }; diff --git a/src/main/snort.cc b/src/main/snort.cc index 3ba8e7226..cda10206f 100644 --- a/src/main/snort.cc +++ b/src/main/snort.cc @@ -247,7 +247,7 @@ void Snort::init(int argc, char** argv) /* chew up the command line */ snort_cmd_line_conf = parse_cmd_line(argc, argv); - snort_conf = snort_cmd_line_conf; + SnortConfig::set_conf(snort_cmd_line_conf); LogMessage("--------------------------------------------------\n"); LogMessage("%s Snort++ %s-%s\n", get_prompt(), VERSION, BUILD); @@ -264,7 +264,7 @@ void Snort::init(int argc, char** argv) ScriptManager::load_scripts(snort_cmd_line_conf->script_paths); PluginManager::load_plugins(snort_cmd_line_conf->plugin_path); - if ( snort_conf->logging_flags & LOGGING_FLAG__SHOW_PLUGINS ) + if ( SnortConfig::get_conf()->logging_flags & LOGGING_FLAG__SHOW_PLUGINS ) { ModuleManager::dump_modules(); PluginManager::dump_plugins(); @@ -280,7 +280,7 @@ void Snort::init(int argc, char** argv) * command line overriding config file. * Set the global snort_conf that will be used during run time */ sc->merge(snort_cmd_line_conf); - snort_conf = sc; + SnortConfig::set_conf(sc); #ifdef PIGLET if ( !Piglet::piglet_mode() ) @@ -290,38 +290,38 @@ void Snort::init(int argc, char** argv) #ifdef PIGLET if ( !Piglet::piglet_mode() ) #endif - if ( !snort_conf->output.empty() ) - EventManager::instantiate(snort_conf->output.c_str(), snort_conf); + if ( !SnortConfig::get_conf()->output.empty() ) + EventManager::instantiate(SnortConfig::get_conf()->output.c_str(), SnortConfig::get_conf()); if (SnortConfig::alert_before_pass()) { - OrderRuleLists(snort_conf, "drop sdrop reject alert pass log"); + OrderRuleLists(SnortConfig::get_conf(), "drop sdrop reject alert pass log"); } - snort_conf->setup(); + SnortConfig::get_conf()->setup(); FileService::post_init(); // Must be after CodecManager::instantiate() - if ( !InspectorManager::configure(snort_conf) ) + if ( !InspectorManager::configure(SnortConfig::get_conf()) ) ParseError("can't initialize inspectors"); else if ( SnortConfig::log_verbose() ) - InspectorManager::print_config(snort_conf); + InspectorManager::print_config(SnortConfig::get_conf()); - ModuleManager::reset_stats(snort_conf); + ModuleManager::reset_stats(SnortConfig::get_conf()); - if (snort_conf->file_mask != 0) - umask(snort_conf->file_mask); + if (SnortConfig::get_conf()->file_mask != 0) + umask(SnortConfig::get_conf()->file_mask); else umask(077); /* set default to be sane */ /* Need to do this after dynamic detection stuff is initialized, too */ - IpsManager::global_init(snort_conf); + IpsManager::global_init(SnortConfig::get_conf()); - snort_conf->post_setup(); + SnortConfig::get_conf()->post_setup(); MpseManager::activate_search_engine( - snort_conf->fast_pattern_config->get_search_api(), snort_conf); + SnortConfig::get_conf()->fast_pattern_config->get_search_api(), SnortConfig::get_conf()); SFAT_Start(); @@ -332,13 +332,13 @@ void Snort::init(int argc, char** argv) Trough::setup(); // FIXIT-L refactor stuff done here and in snort_config.cc::VerifyReload() - if ( snort_conf->bpf_filter.empty() && !snort_conf->bpf_file.empty() ) - snort_conf->bpf_filter = read_infile("bpf_file", snort_conf->bpf_file.c_str()); + if ( SnortConfig::get_conf()->bpf_filter.empty() && !SnortConfig::get_conf()->bpf_file.empty() ) + SnortConfig::get_conf()->bpf_filter = read_infile("bpf_file", SnortConfig::get_conf()->bpf_file.c_str()); - if ( !snort_conf->bpf_filter.empty() ) - LogMessage("Snort BPF option: %s\n", snort_conf->bpf_filter.c_str()); + if ( !SnortConfig::get_conf()->bpf_filter.empty() ) + LogMessage("Snort BPF option: %s\n", SnortConfig::get_conf()->bpf_filter.c_str()); - parser_term(snort_conf); + parser_term(SnortConfig::get_conf()); } // this function should only include initialization that must be done as a @@ -360,8 +360,8 @@ void Snort::init(int argc, char** argv) bool Snort::drop_privileges() { /* Enter the chroot jail if necessary. */ - if (!snort_conf->chroot_dir.empty() && - !EnterChroot(snort_conf->chroot_dir, snort_conf->log_dir)) + if (!SnortConfig::get_conf()->chroot_dir.empty() && + !EnterChroot(SnortConfig::get_conf()->chroot_dir, SnortConfig::get_conf()->log_dir)) return false; /* Drop privileges if requested. */ @@ -416,7 +416,7 @@ void Snort::term() initializing = false; // just in case we cut out early term_signals(); - IpsManager::global_term(snort_conf); + IpsManager::global_term(SnortConfig::get_conf()); SFAT_Cleanup(); host_cache.clear(); @@ -428,14 +428,14 @@ void Snort::term() ClosePidFile(); /* remove pid file */ - if ( !snort_conf->pid_filename.empty() ) + if ( !SnortConfig::get_conf()->pid_filename.empty() ) { - int ret = unlink(snort_conf->pid_filename.c_str()); + int ret = unlink(SnortConfig::get_conf()->pid_filename.c_str()); if (ret != 0) { ErrorMessage("Could not remove pid file %s: %s\n", - snort_conf->pid_filename.c_str(), get_error(errno)); + SnortConfig::get_conf()->pid_filename.c_str(), get_error(errno)); } } @@ -449,19 +449,19 @@ void Snort::term() Periodic::unregister_all(); /* free allocated memory */ - if (snort_conf == snort_cmd_line_conf) + if (SnortConfig::get_conf() == snort_cmd_line_conf) { delete snort_cmd_line_conf; snort_cmd_line_conf = nullptr; - snort_conf = nullptr; + SnortConfig::set_conf(nullptr); } else { delete snort_cmd_line_conf; snort_cmd_line_conf = nullptr; - delete snort_conf; - snort_conf = nullptr; + delete SnortConfig::get_conf(); + SnortConfig::set_conf(nullptr); } CleanupProtoNames(); SideChannelManager::term(); @@ -475,19 +475,19 @@ void Snort::clean_exit(int) SnortConfig tmp; // Have to trick LogMessage to log correctly after snort_conf is freed - if ( snort_conf ) + if ( SnortConfig::get_conf() ) { tmp.logging_flags |= - (snort_conf->logging_flags & LOGGING_FLAG__QUIET); + (SnortConfig::get_conf()->logging_flags & LOGGING_FLAG__QUIET); - tmp.run_flags |= (snort_conf->run_flags & RUN_FLAG__DAEMON); + tmp.run_flags |= (SnortConfig::get_conf()->run_flags & RUN_FLAG__DAEMON); tmp.logging_flags |= - (snort_conf->logging_flags & LOGGING_FLAG__SYSLOG); + (SnortConfig::get_conf()->logging_flags & LOGGING_FLAG__SYSLOG); } term(); - snort_conf = &tmp; + SnortConfig::set_conf(&tmp); LogMessage("%s Snort exiting\n", get_prompt()); closelog(); @@ -527,7 +527,7 @@ void Snort::setup(int argc, char* argv[]) init(argc, argv); LogMessage("%s\n", LOG_DIV); - SFDAQ::init(snort_conf); + SFDAQ::init(SnortConfig::get_conf()); if ( SnortConfig::daemon_mode() ) daemonize(); @@ -596,13 +596,13 @@ SnortConfig* Snort::get_reload_config(const char* fname) FlowbitResetCounts(); // FIXIT-L updates global hash, put in sc - if ((sc->file_mask != 0) && (sc->file_mask != snort_conf->file_mask)) + if ((sc->file_mask != 0) && (sc->file_mask != SnortConfig::get_conf()->file_mask)) umask(sc->file_mask); // FIXIT-L is this still needed? /* Transfer any user defined rule type outputs to the new rule list */ { - RuleListNode* cur = snort_conf->rule_lists; + RuleListNode* cur = SnortConfig::get_conf()->rule_lists; for (; cur != nullptr; cur = cur->next) { @@ -626,7 +626,7 @@ SnortConfig* Snort::get_reload_config(const char* fname) sc->post_setup(); if ( sc->fast_pattern_config->get_search_api() != - snort_conf->fast_pattern_config->get_search_api() ) + SnortConfig::get_conf()->fast_pattern_config->get_search_api() ) { MpseManager::activate_search_engine(sc->fast_pattern_config->get_search_api(), sc); } @@ -733,12 +733,12 @@ bool Snort::thread_init_privileged(const char* intf) { show_source(intf); - snort_conf->thread_config->implement_thread_affinity(STHREAD_TYPE_PACKET, get_instance_id()); + SnortConfig::get_conf()->thread_config->implement_thread_affinity(STHREAD_TYPE_PACKET, get_instance_id()); // FIXIT-M the start-up sequence is a little off due to dropping privs SFDAQInstance *daq_instance = new SFDAQInstance(intf); SFDAQ::set_local_instance(daq_instance); - if (!daq_instance->configure(snort_conf)) + if (!daq_instance->configure(SnortConfig::get_conf())) { SFDAQ::set_local_instance(nullptr); delete daq_instance; @@ -762,24 +762,24 @@ void Snort::thread_init_unprivileged() for ( unsigned i = 0; i < max_contexts; ++i ) s_switcher->push(new IpsContext); - CodecManager::thread_init(snort_conf); + CodecManager::thread_init(SnortConfig::get_conf()); // this depends on instantiated daq capabilities // so it is done here instead of init() - Active::init(snort_conf); + Active::init(SnortConfig::get_conf()); InitTag(); EventTrace_Init(); - detection_filter_init(snort_conf->detection_filter_config); + detection_filter_init(SnortConfig::get_conf()->detection_filter_config); DetectionEngine::thread_init(); EventManager::open_outputs(); IpsManager::setup_options(); - ActionManager::thread_init(snort_conf); + ActionManager::thread_init(SnortConfig::get_conf()); FileService::thread_init(); SideChannelManager::thread_init(); HighAvailabilityManager::thread_init(); // must be before InspectorManager::thread_init(); - InspectorManager::thread_init(snort_conf); + InspectorManager::thread_init(SnortConfig::get_conf()); PacketTracer::thread_init(); if (SnortConfig::packet_trace_enabled()) PacketTracer::enable_user_trace(); @@ -792,14 +792,14 @@ void Snort::thread_term() { HighAvailabilityManager::thread_term_beginning(); - if ( !snort_conf->dirty_pig ) + if ( !SnortConfig::get_conf()->dirty_pig ) Stream::purge_flows(); DetectionEngine::idle(); - InspectorManager::thread_stop(snort_conf); - ModuleManager::accumulate(snort_conf); - InspectorManager::thread_term(snort_conf); - ActionManager::thread_term(snort_conf); + InspectorManager::thread_stop(SnortConfig::get_conf()); + ModuleManager::accumulate(SnortConfig::get_conf()); + InspectorManager::thread_term(SnortConfig::get_conf()); + ActionManager::thread_term(SnortConfig::get_conf()); IpsManager::clear_options(); EventManager::close_outputs(); @@ -955,7 +955,7 @@ DAQ_Verdict Snort::packet_callback( pc.total_from_daq++; packet_time_update(&pkthdr->ts); - if ( snort_conf->pkt_skip && pc.total_from_daq <= snort_conf->pkt_skip ) + if ( SnortConfig::get_conf()->pkt_skip && pc.total_from_daq <= SnortConfig::get_conf()->pkt_skip ) return DAQ_VERDICT_PASS; s_switcher->start(); @@ -985,7 +985,7 @@ DAQ_Verdict Snort::packet_callback( s_packet->pkth = nullptr; // no longer avail upon sig segv - if ( snort_conf->pkt_cnt && pc.total_from_daq >= snort_conf->pkt_cnt ) + if ( SnortConfig::get_conf()->pkt_cnt && pc.total_from_daq >= SnortConfig::get_conf()->pkt_cnt ) SFDAQ::break_loop(-1); else if ( break_time() ) diff --git a/src/main/snort_config.cc b/src/main/snort_config.cc index 9ff85ad42..5b27a8d7c 100644 --- a/src/main/snort_config.cc +++ b/src/main/snort_config.cc @@ -84,6 +84,7 @@ #define OUTPUT_FAST "alert_fast" THREAD_LOCAL SnortConfig* snort_conf = nullptr; + uint32_t SnortConfig::warning_flags = 0; //------------------------------------------------------------------------- @@ -256,7 +257,7 @@ SnortConfig::~SnortConfig() if ( fast_pattern_config && (!snort_conf || this == snort_conf || (fast_pattern_config->get_search_api() != - snort_conf->fast_pattern_config->get_search_api())) ) + get_conf()->fast_pattern_config->get_search_api())) ) { MpseManager::stop_search_engine(fast_pattern_config->get_search_api()); } @@ -454,36 +455,36 @@ void SnortConfig::merge(SnortConfig* cmd_line) bool SnortConfig::verify() { - if (snort_conf->asn1_mem != asn1_mem) + if (get_conf()->asn1_mem != asn1_mem) { ErrorMessage("Snort Reload: Changing the asn1 memory configuration " "requires a restart.\n"); return false; } - if ( bpf_filter != snort_conf->bpf_filter ) + if ( bpf_filter != get_conf()->bpf_filter ) { ErrorMessage("Snort Reload: Changing the bpf filter configuration " "requires a restart.\n"); return false; } - if ( respond_attempts != snort_conf->respond_attempts || - respond_device != snort_conf->respond_device ) + if ( respond_attempts != get_conf()->respond_attempts || + respond_device != get_conf()->respond_device ) { ErrorMessage("Snort Reload: Changing config response " "requires a restart.\n"); return false; } - if (snort_conf->chroot_dir != chroot_dir) + if (get_conf()->chroot_dir != chroot_dir) { ErrorMessage("Snort Reload: Changing the chroot directory " "configuration requires a restart.\n"); return false; } - if ((snort_conf->run_flags & RUN_FLAG__DAEMON) != + if ((get_conf()->run_flags & RUN_FLAG__DAEMON) != (run_flags & RUN_FLAG__DAEMON)) { ErrorMessage("Snort Reload: Changing to or from daemon mode " @@ -492,27 +493,27 @@ bool SnortConfig::verify() } /* Orig log dir because a chroot might have changed it */ - if (snort_conf->orig_log_dir != orig_log_dir) + if (get_conf()->orig_log_dir != orig_log_dir) { ErrorMessage("Snort Reload: Changing the log directory " "configuration requires a restart.\n"); return false; } - if (snort_conf->max_attribute_hosts != max_attribute_hosts) + if (get_conf()->max_attribute_hosts != max_attribute_hosts) { ErrorMessage("Snort Reload: Changing max_attribute_hosts " "configuration requires a restart.\n"); return false; } - if (snort_conf->max_attribute_services_per_host != max_attribute_services_per_host) + if (get_conf()->max_attribute_services_per_host != max_attribute_services_per_host) { ErrorMessage("Snort Reload: Changing max_attribute_services_per_host " "configuration requires a restart.\n"); return false; } - if ((snort_conf->run_flags & RUN_FLAG__NO_PROMISCUOUS) != + if ((get_conf()->run_flags & RUN_FLAG__NO_PROMISCUOUS) != (run_flags & RUN_FLAG__NO_PROMISCUOUS)) { ErrorMessage("Snort Reload: Changing to or from promiscuous mode " @@ -520,28 +521,28 @@ bool SnortConfig::verify() return false; } - if (snort_conf->group_id != group_id) + if (get_conf()->group_id != group_id) { ErrorMessage("Snort Reload: Changing the group id " "configuration requires a restart.\n"); return false; } - if (snort_conf->user_id != user_id) + if (get_conf()->user_id != user_id) { ErrorMessage("Snort Reload: Changing the user id " "configuration requires a restart.\n"); return false; } - if (snort_conf->daq_config->mru_size != daq_config->mru_size) + if (get_conf()->daq_config->mru_size != daq_config->mru_size) { ErrorMessage("Snort Reload: Changing the packet snaplen " "configuration requires a restart.\n"); return false; } - if (snort_conf->threshold_config->memcap != + if (get_conf()->threshold_config->memcap != threshold_config->memcap) { ErrorMessage("Snort Reload: Changing the threshold memcap " @@ -549,7 +550,7 @@ bool SnortConfig::verify() return false; } - if (snort_conf->rate_filter_config->memcap != + if (get_conf()->rate_filter_config->memcap != rate_filter_config->memcap) { ErrorMessage("Snort Reload: Changing the rate filter memcap " @@ -557,7 +558,7 @@ bool SnortConfig::verify() return false; } - if (snort_conf->detection_filter_config->memcap != + if (get_conf()->detection_filter_config->memcap != detection_filter_config->memcap) { ErrorMessage("Snort Reload: Changing the detection filter memcap " @@ -991,5 +992,11 @@ void SnortConfig::free_rule_state_list() bool SnortConfig::tunnel_bypass_enabled(uint8_t proto) { - return (!((snort_conf->tunnel_mask & proto) or SFDAQ::get_tunnel_bypass(proto))); -} \ No newline at end of file + return (!((get_conf()->tunnel_mask & proto) or SFDAQ::get_tunnel_bypass(proto))); +} + +SO_PUBLIC SnortConfig* SnortConfig::get_conf() +{ return snort_conf; } + +void SnortConfig::set_conf(SnortConfig* conf) +{ snort_conf = conf; } diff --git a/src/main/snort_config.h b/src/main/snort_config.h index 269d0a634..584a2dc75 100644 --- a/src/main/snort_config.h +++ b/src/main/snort_config.h @@ -124,8 +124,6 @@ struct LatencyConfig; struct SFDAQConfig; class ThreadConfig; -SO_PUBLIC extern THREAD_LOCAL SnortConfig* snort_conf; - // SnortState members are updated during runtime. an array in SnortConfig is // used instead of thread_locals because these must get changed on reload // FIXIT-L register this data to avoid explicit dependency @@ -423,41 +421,41 @@ public: // Static convenience accessor methods static long int get_mpls_stack_depth() - { return snort_conf->mpls_stack_depth; } + { return get_conf()->mpls_stack_depth; } static long int get_mpls_payload_type() - { return snort_conf->mpls_payload_type; } + { return get_conf()->mpls_payload_type; } static bool mpls_overlapping_ip() - { return snort_conf->run_flags & RUN_FLAG__MPLS_OVERLAPPING_IP; } + { return get_conf()->run_flags & RUN_FLAG__MPLS_OVERLAPPING_IP; } static bool mpls_multicast() - { return snort_conf->run_flags & RUN_FLAG__MPLS_MULTICAST; } + { return get_conf()->run_flags & RUN_FLAG__MPLS_MULTICAST; } static bool deep_teredo_inspection() - { return snort_conf->enable_teredo; } + { return get_conf()->enable_teredo; } static bool gtp_decoding() - { return snort_conf->gtp_ports; } + { return get_conf()->gtp_ports; } static bool is_gtp_port(uint16_t port) - { return snort_conf->gtp_ports->test(port); } + { return get_conf()->gtp_ports->test(port); } static bool esp_decoding() - { return snort_conf->enable_esp; } + { return get_conf()->enable_esp; } // mode related static bool test_mode() - { return snort_conf->run_flags & RUN_FLAG__TEST; } + { return get_conf()->run_flags & RUN_FLAG__TEST; } static bool mem_check() - { return snort_conf->run_flags & RUN_FLAG__MEM_CHECK; } + { return get_conf()->run_flags & RUN_FLAG__MEM_CHECK; } static bool daemon_mode() - { return snort_conf->run_flags & RUN_FLAG__DAEMON; } + { return get_conf()->run_flags & RUN_FLAG__DAEMON; } static bool read_mode() - { return snort_conf->run_flags & RUN_FLAG__READ; } + { return get_conf()->run_flags & RUN_FLAG__READ; } static bool inline_mode() { return ::get_ips_policy()->policy_mode == POLICY_MODE__INLINE; } @@ -466,33 +464,33 @@ public: { return ::get_ips_policy()->policy_mode == POLICY_MODE__INLINE_TEST; } static bool adaptor_inline_mode() - { return snort_conf->run_flags & RUN_FLAG__INLINE; } + { return get_conf()->run_flags & RUN_FLAG__INLINE; } static bool adaptor_inline_test_mode() - { return snort_conf->run_flags & RUN_FLAG__INLINE_TEST; } + { return get_conf()->run_flags & RUN_FLAG__INLINE_TEST; } // logging stuff static bool log_syslog() - { return snort_conf->logging_flags & LOGGING_FLAG__SYSLOG; } + { return get_conf()->logging_flags & LOGGING_FLAG__SYSLOG; } static bool log_verbose() - { return snort_conf->logging_flags & LOGGING_FLAG__VERBOSE; } + { return get_conf()->logging_flags & LOGGING_FLAG__VERBOSE; } static bool log_quiet() - { return snort_conf->logging_flags & LOGGING_FLAG__QUIET; } + { return get_conf()->logging_flags & LOGGING_FLAG__QUIET; } // event stuff static uint32_t get_event_log_id() - { return snort_conf->event_log_id; } + { return get_conf()->event_log_id; } static bool process_all_events() - { return snort_conf->event_queue_config->process_all_events; } + { return get_conf()->event_queue_config->process_all_events; } static int get_eval_index(RuleType type) - { return snort_conf->evalOrder[type]; } + { return get_conf()->evalOrder[type]; } static int get_default_rule_state() - { return snort_conf->default_rule_state; } + { return get_conf()->default_rule_state; } SO_PUBLIC static bool tunnel_bypass_enabled(uint8_t proto); @@ -526,72 +524,72 @@ public: // output stuff static bool output_include_year() - { return snort_conf->output_flags & OUTPUT_FLAG__INCLUDE_YEAR; } + { return get_conf()->output_flags & OUTPUT_FLAG__INCLUDE_YEAR; } static bool output_use_utc() - { return snort_conf->output_flags & OUTPUT_FLAG__USE_UTC; } + { return get_conf()->output_flags & OUTPUT_FLAG__USE_UTC; } static bool output_datalink() - { return snort_conf->output_flags & OUTPUT_FLAG__SHOW_DATA_LINK; } + { return get_conf()->output_flags & OUTPUT_FLAG__SHOW_DATA_LINK; } static bool verbose_byte_dump() - { return snort_conf->output_flags & OUTPUT_FLAG__VERBOSE_DUMP; } + { return get_conf()->output_flags & OUTPUT_FLAG__VERBOSE_DUMP; } static bool obfuscate() - { return snort_conf->output_flags & OUTPUT_FLAG__OBFUSCATE; } + { return get_conf()->output_flags & OUTPUT_FLAG__OBFUSCATE; } static bool output_app_data() - { return snort_conf->output_flags & OUTPUT_FLAG__APP_DATA; } + { return get_conf()->output_flags & OUTPUT_FLAG__APP_DATA; } static bool output_char_data() - { return snort_conf->output_flags & OUTPUT_FLAG__CHAR_DATA; } + { return get_conf()->output_flags & OUTPUT_FLAG__CHAR_DATA; } static bool alert_interface() - { return snort_conf->output_flags & OUTPUT_FLAG__ALERT_IFACE; } + { return get_conf()->output_flags & OUTPUT_FLAG__ALERT_IFACE; } static bool output_no_timestamp() - { return snort_conf->output_flags & OUTPUT_FLAG__NO_TIMESTAMP; } + { return get_conf()->output_flags & OUTPUT_FLAG__NO_TIMESTAMP; } static bool line_buffered_logging() - { return snort_conf->output_flags & OUTPUT_FLAG__LINE_BUFFER; } + { return get_conf()->output_flags & OUTPUT_FLAG__LINE_BUFFER; } static bool output_wide_hex() - { return snort_conf->output_flags & OUTPUT_FLAG__WIDE_HEX; } + { return get_conf()->output_flags & OUTPUT_FLAG__WIDE_HEX; } static bool alert_refs() - { return snort_conf->output_flags & OUTPUT_FLAG__ALERT_REFS; } + { return get_conf()->output_flags & OUTPUT_FLAG__ALERT_REFS; } // run flags static bool no_lock_pid_file() - { return snort_conf->run_flags & RUN_FLAG__NO_LOCK_PID_FILE; } + { return get_conf()->run_flags & RUN_FLAG__NO_LOCK_PID_FILE; } static bool create_pid_file() - { return snort_conf->run_flags & RUN_FLAG__CREATE_PID_FILE; } + { return get_conf()->run_flags & RUN_FLAG__CREATE_PID_FILE; } static bool pcap_show() - { return snort_conf->run_flags & RUN_FLAG__PCAP_SHOW; } + { return get_conf()->run_flags & RUN_FLAG__PCAP_SHOW; } static bool treat_drop_as_alert() - { return snort_conf->run_flags & RUN_FLAG__TREAT_DROP_AS_ALERT; } + { return get_conf()->run_flags & RUN_FLAG__TREAT_DROP_AS_ALERT; } static bool treat_drop_as_ignore() - { return snort_conf->run_flags & RUN_FLAG__TREAT_DROP_AS_IGNORE; } + { return get_conf()->run_flags & RUN_FLAG__TREAT_DROP_AS_IGNORE; } static bool alert_before_pass() - { return snort_conf->run_flags & RUN_FLAG__ALERT_BEFORE_PASS; } + { return get_conf()->run_flags & RUN_FLAG__ALERT_BEFORE_PASS; } static bool no_pcre() - { return snort_conf->run_flags & RUN_FLAG__NO_PCRE; } + { return get_conf()->run_flags & RUN_FLAG__NO_PCRE; } static bool conf_error_out() - { return snort_conf->run_flags & RUN_FLAG__CONF_ERROR_OUT; } + { return get_conf()->run_flags & RUN_FLAG__CONF_ERROR_OUT; } static bool assure_established() - { return snort_conf->run_flags & RUN_FLAG__ASSURE_EST; } + { return get_conf()->run_flags & RUN_FLAG__ASSURE_EST; } // FIXIT-L snort_conf needed for static hash before initialized static bool static_hash() - { return snort_conf && snort_conf->run_flags & RUN_FLAG__STATIC_HASH; } + { return get_conf() && get_conf()->run_flags & RUN_FLAG__STATIC_HASH; } // other stuff static uint8_t min_ttl() @@ -601,45 +599,49 @@ public: { return ::get_network_policy()->new_ttl; } static long int get_pcre_match_limit() - { return snort_conf->pcre_match_limit; } + { return get_conf()->pcre_match_limit; } static long int get_pcre_match_limit_recursion() - { return snort_conf->pcre_match_limit_recursion; } + { return get_conf()->pcre_match_limit_recursion; } static const ProfilerConfig* get_profiler() - { return snort_conf->profiler; } + { return get_conf()->profiler; } static long int get_tagged_packet_limit() - { return snort_conf->tagged_packet_limit; } + { return get_conf()->tagged_packet_limit; } static uint32_t get_max_attribute_hosts() - { return snort_conf->max_attribute_hosts; } + { return get_conf()->max_attribute_hosts; } static uint32_t get_max_services_per_host() - { return snort_conf->max_attribute_services_per_host; } + { return get_conf()->max_attribute_services_per_host; } static int get_uid() - { return snort_conf->user_id; } + { return get_conf()->user_id; } static int get_gid() - { return snort_conf->group_id; } + { return get_conf()->group_id; } static bool get_vlan_agnostic() - { return snort_conf->vlan_agnostic; } + { return get_conf()->vlan_agnostic; } static bool address_space_agnostic() - { return snort_conf->addressspace_agnostic; } + { return get_conf()->addressspace_agnostic; } static bool change_privileges() { - return snort_conf->user_id != -1 || snort_conf->group_id != -1 || - !snort_conf->chroot_dir.empty(); + return get_conf()->user_id != -1 || get_conf()->group_id != -1 || + !get_conf()->chroot_dir.empty(); } static bool packet_trace_enabled() { - return snort_conf->enable_packet_trace; + return get_conf()->enable_packet_trace; } + + // Use this to access current thread's conf from other units + static void set_conf(SnortConfig*); + SO_PUBLIC static SnortConfig* get_conf(); }; #endif diff --git a/src/main/snort_debug.cc b/src/main/snort_debug.cc index 9fab636b6..22b755e52 100644 --- a/src/main/snort_debug.cc +++ b/src/main/snort_debug.cc @@ -62,7 +62,7 @@ void Debug::print( va_list ap; va_start(ap, fmt); - if ( snort_conf and SnortConfig::log_syslog() ) + if ( SnortConfig::get_conf() and SnortConfig::log_syslog() ) { char buf[STD_BUF]; int buf_len = sizeof(buf); @@ -135,7 +135,7 @@ static inline void trace_vprintf(const char* name, Trace mask, const char* file, vsnprintf(buf_ptr, buf_len, fmt, ap); - if ( snort_conf and SnortConfig::log_syslog() ) + if ( SnortConfig::get_conf() and SnortConfig::log_syslog() ) syslog(LOG_DAEMON | LOG_DEBUG, "%s", buf); else output(buf, stdout); diff --git a/src/main/swapper.cc b/src/main/swapper.cc index feb204421..461da443c 100644 --- a/src/main/swapper.cc +++ b/src/main/swapper.cc @@ -68,7 +68,7 @@ Swapper::~Swapper() void Swapper::apply() { if ( new_conf ) - snort_conf = new_conf; + SnortConfig::set_conf(new_conf); if ( new_attribs ) SFAT_SetConfig(new_attribs); diff --git a/src/main/thread.cc b/src/main/thread.cc index 75e69495e..0ec491639 100644 --- a/src/main/thread.cc +++ b/src/main/thread.cc @@ -89,26 +89,26 @@ bool break_time() const char* get_instance_file(std::string& file, const char* name) { bool sep = false; - file = !snort_conf->log_dir.empty() ? snort_conf->log_dir : "./"; + file = !SnortConfig::get_conf()->log_dir.empty() ? SnortConfig::get_conf()->log_dir : "./"; if ( file.back() != '/' ) file += '/'; - if ( !snort_conf->run_prefix.empty() ) + if ( !SnortConfig::get_conf()->run_prefix.empty() ) { - file += snort_conf->run_prefix; + file += SnortConfig::get_conf()->run_prefix; sep = true; } - if ( (ThreadConfig::get_instance_max() > 1) || snort_conf->id_zero ) + if ( (ThreadConfig::get_instance_max() > 1) || SnortConfig::get_conf()->id_zero ) { char id[8]; - snprintf(id, sizeof(id), "%u", get_instance_id() + snort_conf->id_offset); + snprintf(id, sizeof(id), "%u", get_instance_id() + SnortConfig::get_conf()->id_offset); file += id; sep = true; } - if ( snort_conf->id_subdir ) + if ( SnortConfig::get_conf()->id_subdir ) { file += '/'; struct stat s; diff --git a/src/managers/ips_manager.cc b/src/managers/ips_manager.cc index 6227861bb..0bd50e7aa 100644 --- a/src/managers/ips_manager.cc +++ b/src/managers/ips_manager.cc @@ -332,14 +332,14 @@ void IpsManager::setup_options() { for ( auto* p : s_options ) if ( p->init && p->api->tinit ) - p->api->tinit(snort_conf); + p->api->tinit(SnortConfig::get_conf()); } void IpsManager::clear_options() { for ( auto* p : s_options ) if ( p->init && p->api->tterm ) - p->api->tterm(snort_conf); + p->api->tterm(SnortConfig::get_conf()); } bool IpsManager::verify(SnortConfig* sc) diff --git a/src/managers/mpse_manager.cc b/src/managers/mpse_manager.cc index 3fca1852b..60e06be6b 100644 --- a/src/managers/mpse_manager.cc +++ b/src/managers/mpse_manager.cc @@ -98,8 +98,8 @@ Mpse* MpseManager::get_search_engine( Mpse* MpseManager::get_search_engine(const char* type) { - if ( !type and snort_conf->fast_pattern_config ) - type = snort_conf->fast_pattern_config->get_search_method(); + if ( !type and SnortConfig::get_conf()->fast_pattern_config ) + type = SnortConfig::get_conf()->fast_pattern_config->get_search_method(); if ( !type ) type = "ac_bnfa"; @@ -113,7 +113,7 @@ Mpse* MpseManager::get_search_engine(const char* type) Mpse* eng = api->ctor(nullptr, mod, nullptr); eng->set_api(api); - if ( snort_conf->fast_pattern_config and snort_conf->fast_pattern_config->get_search_opt() ) + if ( SnortConfig::get_conf()->fast_pattern_config and SnortConfig::get_conf()->fast_pattern_config->get_search_opt() ) eng->set_opt(1); return eng; diff --git a/src/memory/memory_cap.cc b/src/memory/memory_cap.cc index 3040e3844..12e3f3c70 100644 --- a/src/memory/memory_cap.cc +++ b/src/memory/memory_cap.cc @@ -141,7 +141,7 @@ bool MemoryCap::free_space(size_t n) if ( !thread_cap ) return true; - const auto& config = *snort_conf->memory; + const auto& config = *SnortConfig::get_conf()->memory; return memory::free_space(n, thread_cap, s_tracker, prune_handler) || config.soft; } @@ -172,7 +172,7 @@ bool MemoryCap::over_threshold() void MemoryCap::calculate(unsigned num_threads) { assert(!is_packet_thread()); - const MemoryConfig& config = *snort_conf->memory; + const MemoryConfig& config = *SnortConfig::get_conf()->memory; auto main_thread_used = s_tracker.used(); @@ -206,7 +206,7 @@ void MemoryCap::calculate(unsigned num_threads) void MemoryCap::print() { - const MemoryConfig& config = *snort_conf->memory; + const MemoryConfig& config = *SnortConfig::get_conf()->memory; if ( SnortConfig::log_verbose() or s_tracker.allocations ) LogLabel("memory (heap)"); diff --git a/src/network_inspectors/appid/app_info_table.cc b/src/network_inspectors/appid/app_info_table.cc index 669adebfa..db3ff423a 100644 --- a/src/network_inspectors/appid/app_info_table.cc +++ b/src/network_inspectors/appid/app_info_table.cc @@ -506,7 +506,7 @@ int16_t AppInfoManager::add_appid_protocol_reference(const char* protocol) static std::mutex apr_mutex; std::lock_guard lock(apr_mutex); - int16_t id = snort_conf->proto_ref->add(protocol); + int16_t id = SnortConfig::get_conf()->proto_ref->add(protocol); return id; } diff --git a/src/network_inspectors/appid/appid_config.cc b/src/network_inspectors/appid/appid_config.cc index c3dc1906e..debf0a38d 100644 --- a/src/network_inspectors/appid/appid_config.cc +++ b/src/network_inspectors/appid/appid_config.cc @@ -65,9 +65,9 @@ int16_t snortId_for_http2; static void map_app_names_to_snort_ids() { /* init globals for snortId compares */ - snortId_for_unsynchronized = snort_conf->proto_ref->add("unsynchronized"); - snortId_for_ftp_data = snort_conf->proto_ref->add("ftp-data"); - snortId_for_http2 = snort_conf->proto_ref->add("http2"); + snortId_for_unsynchronized = SnortConfig::get_conf()->proto_ref->add("unsynchronized"); + snortId_for_ftp_data = SnortConfig::get_conf()->proto_ref->add("ftp-data"); + snortId_for_http2 = SnortConfig::get_conf()->proto_ref->add("http2"); } AppIdModuleConfig::AppIdModuleConfig() diff --git a/src/network_inspectors/binder/binder.cc b/src/network_inspectors/binder/binder.cc index c77c41884..2dbcd9bfc 100644 --- a/src/network_inspectors/binder/binder.cc +++ b/src/network_inspectors/binder/binder.cc @@ -393,7 +393,7 @@ static Inspector* get_gadget(Flow* flow) if ( !flow->ssn_state.application_protocol ) return nullptr; - const char* s = snort_conf->proto_ref->get_name(flow->ssn_state.application_protocol); + const char* s = SnortConfig::get_conf()->proto_ref->get_name(flow->ssn_state.application_protocol); return InspectorManager::get_inspector(s); } @@ -672,7 +672,7 @@ int Binder::exec_handle_gadget( void* pv ) flow->ssn_state.application_protocol = ins->get_service(); } else if ( flow->service ) - flow->ssn_state.application_protocol = snort_conf->proto_ref->find(flow->service); + flow->ssn_state.application_protocol = SnortConfig::get_conf()->proto_ref->find(flow->service); if ( !flow->is_stream() ) return 0; @@ -774,19 +774,19 @@ void Binder::get_bindings(Flow* flow, Stuff& stuff, Packet* p) if ( pb->use.inspection_index ) { - set_inspection_policy(snort_conf, pb->use.inspection_index - 1); + set_inspection_policy(SnortConfig::get_conf(), pb->use.inspection_index - 1); flow->inspection_policy_id = pb->use.inspection_index - 1; } if ( pb->use.ips_index ) { - set_ips_policy(snort_conf, pb->use.ips_index - 1); + set_ips_policy(SnortConfig::get_conf(), pb->use.ips_index - 1); flow->ips_policy_id = pb->use.ips_index - 1; } if ( pb->use.network_index ) { - set_network_policy(snort_conf, pb->use.network_index - 1); + set_network_policy(SnortConfig::get_conf(), pb->use.network_index - 1); flow->network_policy_id = pb->use.network_index - 1; } diff --git a/src/network_inspectors/normalize/norm.cc b/src/network_inspectors/normalize/norm.cc index 12dd42525..f78700268 100644 --- a/src/network_inspectors/normalize/norm.cc +++ b/src/network_inspectors/normalize/norm.cc @@ -158,9 +158,12 @@ static int Norm_Eth(Packet* p, uint8_t layer, int changes) // ether header + min payload (excludes FCS, which makes it 64 total) #define ETH_MIN_LEN 60 -static inline NormMode get_norm_mode(const NormalizerConfig* const c, const Packet * const p) +static inline NormMode get_norm_mode(const Packet * const p) { - NormMode mode = c->norm_mode; + NormMode mode = NORM_MODE_ON; + + if ( get_inspection_policy()->policy_mode != POLICY_MODE__INLINE ) + mode = NORM_MODE_TEST; if ( !SFDAQ::forwarding_packet(p->pkth) ) mode = NORM_MODE_TEST; @@ -174,7 +177,7 @@ static int Norm_IP4( IP4Hdr* h = (IP4Hdr*)const_cast(p->layers[layer].start); uint16_t fragbits = ntohs(h->ip_off); uint16_t origbits = fragbits; - const NormMode mode = get_norm_mode(c, p); + const NormMode mode = get_norm_mode(p); if ( Norm_IsEnabled(c, NORM_IP4_TRIM) && (layer == 1) ) { @@ -271,10 +274,10 @@ static int Norm_IP4( //----------------------------------------------------------------------- static int Norm_ICMP4( - NormalizerConfig* c, Packet* p, uint8_t layer, int changes) + NormalizerConfig*, Packet* p, uint8_t layer, int changes) { ICMPHdr* h = reinterpret_cast(const_cast(p->layers[layer].start)); - const NormMode mode = get_norm_mode(c, p); + const NormMode mode = get_norm_mode(p); if ( (h->type == ICMP_ECHO || h->type == ICMP_ECHOREPLY) && (h->code != icmp::IcmpCode::ECHO_CODE) ) @@ -301,7 +304,7 @@ static int Norm_IP6( if ( h->ip6_hoplim < SnortConfig::min_ttl() ) { - const NormMode mode = get_norm_mode(c, p); + const NormMode mode = get_norm_mode(p); if ( mode == NORM_MODE_ON ) { @@ -318,7 +321,7 @@ static int Norm_IP6( //----------------------------------------------------------------------- static int Norm_ICMP6( - NormalizerConfig* c, Packet* p, uint8_t layer, int changes) + NormalizerConfig*, Packet* p, uint8_t layer, int changes) { ICMPHdr* h = reinterpret_cast(const_cast(p->layers[layer].start)); @@ -326,7 +329,7 @@ static int Norm_ICMP6( (uint16_t)h->type == icmp::Icmp6Types::ECHO_REPLY) && (h->code != 0) ) { - const NormMode mode = get_norm_mode(c, p); + const NormMode mode = get_norm_mode(p); if ( mode == NORM_MODE_ON ) { @@ -353,9 +356,9 @@ struct ExtOpt #define IP6_OPT_PAD_N 1 static int Norm_IP6_Opts( - NormalizerConfig* c, Packet* p, uint8_t layer, int changes) + NormalizerConfig*, Packet* p, uint8_t layer, int changes) { - NormMode mode = get_norm_mode(c, p); + NormMode mode = get_norm_mode(p); if ( mode == NORM_MODE_ON ) { @@ -495,7 +498,7 @@ static int Norm_TCP( NormalizerConfig* c, Packet* p, uint8_t layer, int changes) { tcp::TCPHdr* h = reinterpret_cast(const_cast(p->layers[layer].start)); - const NormMode mode = get_norm_mode(c, p); + const NormMode mode = get_norm_mode(p); if ( Norm_IsEnabled(c, NORM_TCP_RSV) ) { diff --git a/src/network_inspectors/normalize/norm.h b/src/network_inspectors/normalize/norm.h index a8b31744e..3aff44aff 100644 --- a/src/network_inspectors/normalize/norm.h +++ b/src/network_inspectors/normalize/norm.h @@ -41,7 +41,6 @@ struct NormalizerConfig // these must be in the same order PROTO_IDs are defined! // if entry is NULL, proto doesn't have normalization or it is disabled NormalFunc normalizers[PacketManager::max_protocols()]; - NormMode norm_mode; }; int Norm_SetConfig(NormalizerConfig*); diff --git a/src/network_inspectors/normalize/norm_module.cc b/src/network_inspectors/normalize/norm_module.cc index 4a84c5e63..a0e889ace 100644 --- a/src/network_inspectors/normalize/norm_module.cc +++ b/src/network_inspectors/normalize/norm_module.cc @@ -353,12 +353,20 @@ bool NormalizeModule::begin(const char* fqn, int, SnortConfig*) return true; } -bool NormalizeModule::end(const char* fqn, int, SnortConfig*) +bool NormalizeModule::end(const char* fqn, int, SnortConfig* sc) { if ( !strcmp(fqn, NORM_NAME) ) { NetworkPolicy* policy = get_network_policy(); + // FIXIT-M untangle these policies. this is a workaround for loading inspection-only confs + if ( policy == nullptr ) + { + set_network_policy(sc); + policy = get_network_policy(); + set_network_policy((NetworkPolicy*)nullptr); + } + if ( (policy->new_ttl > 1) && (policy->new_ttl >= policy->min_ttl) ) { if ( Norm_IsEnabled(&config, NORM_IP4_BASE) ) diff --git a/src/network_inspectors/normalize/normalize.cc b/src/network_inspectors/normalize/normalize.cc index dbc4c7642..33aeb5db4 100644 --- a/src/network_inspectors/normalize/normalize.cc +++ b/src/network_inspectors/normalize/normalize.cc @@ -186,25 +186,18 @@ Normalizer::Normalizer(const NormalizerConfig& nc) // FIXIT-L this works with one normalizer per policy // but would be better if binder could select // in which case normal_mask must be moved to flow +// from cwaxman - why can't normal_mask be applied directly from Normalizer? bool Normalizer::configure(SnortConfig*) { - PolicyMode mode = get_ips_policy()->policy_mode; - // FIXIT-L norm needs a nap policy mode - if ( mode == POLICY_MODE__PASSIVE ) - { - config.normalizer_flags = 0; - return true; - } - + // FIXIT-M move entire config to network policy? Leaving split loads the currently selected + // network policy with whichever instantiation of an inspection policy this normalize is in NetworkPolicy* nap = get_network_policy(); + nap->normal_mask = config.normalizer_flags; if ( nap->new_ttl && nap->new_ttl < nap->min_ttl ) - { nap->new_ttl = nap->min_ttl; - } - config.norm_mode = (mode == POLICY_MODE__INLINE) ? NORM_MODE_ON : NORM_MODE_TEST; Norm_SetConfig(&config); return true; } @@ -220,17 +213,15 @@ bool Normalize_IsEnabled(NormFlags nf) return ( (nap->normal_mask & nf) != 0 ); } +// FIXIT-L should return OFF if flag isn't set. Stream will need to handle that condition NormMode Normalize_GetMode(NormFlags nf) { if (Normalize_IsEnabled(nf)) { - const PolicyMode mode = get_ips_policy()->policy_mode; + const PolicyMode mode = get_inspection_policy()->policy_mode; if ( mode == POLICY_MODE__INLINE ) return NORM_MODE_ON; - - else if ( mode == POLICY_MODE__INLINE_TEST ) - return NORM_MODE_TEST; } return NORM_MODE_TEST; } diff --git a/src/packet_io/active.cc b/src/packet_io/active.cc index 62c74e235..6a955f188 100644 --- a/src/packet_io/active.cc +++ b/src/packet_io/active.cc @@ -462,7 +462,7 @@ void Active::reset_session(Packet* p, bool force) if ( force or SnortConfig::inline_mode() or SnortConfig::treat_drop_as_ignore() ) Stream::drop_flow(p); - if ( s_enabled and snort_conf->max_responses ) + if ( s_enabled and SnortConfig::get_conf()->max_responses ) { ActionManager::queue_reject(p); @@ -558,3 +558,50 @@ const char* Active::get_action_string() return act_str[active_action][active_status]; } +void Active::suspend() +{ active_suspend = true; } + +void Active::resume() +{ active_suspend = false; } + +bool Active::suspended() +{ return active_suspend; } + +Active::ActiveAction Active::get_action() +{ return active_action; } + +bool Active::can_block() +{ return active_status == AST_ALLOW or active_status == AST_FORCE; } + +void Active::block_again() +{ active_action = ACT_BLOCK; } + +void Active::reset_again() +{ active_action = ACT_RESET; } + +bool Active::packet_was_dropped() +{ return ( active_action >= ACT_DROP ); } + +bool Active::packet_retry_requested() +{ return ( active_action == ACT_RETRY ); } + +bool Active::session_was_blocked() +{ return ( active_action >= ACT_BLOCK); } + +bool Active::packet_would_be_dropped() +{ return (active_status == AST_WOULD ); } + +bool Active::packet_force_dropped() +{ return (active_status == AST_FORCE ); } + +void Active::set_tunnel_bypass() +{ active_tunnel_bypass++; } + +void Active::clear_tunnel_bypass() +{ active_tunnel_bypass--; } + +bool Active::get_tunnel_bypass() +{ return ( active_tunnel_bypass > 0 ); } + +uint64_t Active::get_injects() +{ return s_injects; } diff --git a/src/packet_io/active.h b/src/packet_io/active.h index aa8cd023a..bbc548fba 100644 --- a/src/packet_io/active.h +++ b/src/packet_io/active.h @@ -64,22 +64,14 @@ public: static bool is_enabled(); static void set_enabled(bool = true); - static void suspend() - { active_suspend = true; } - - static void resume() - { active_suspend = false; } - - static bool suspended() - { return active_suspend; } - - static ActiveAction get_action() - { return active_action; } + static void suspend(); + static void resume(); + static bool suspended(); + static ActiveAction get_action(); static ActiveStatus get_status(); - static bool can_block() - { return active_status == AST_ALLOW or active_status == AST_FORCE; } + static bool can_block(); static const char* get_action_string(); @@ -92,41 +84,22 @@ public: static void block_session(Packet*, bool force = false); static void reset_session(Packet*, bool force = false); - static void block_again() - { active_action = ACT_BLOCK; } - - static void reset_again() - { active_action = ACT_RESET; } - - static bool packet_was_dropped() - { return ( active_action >= ACT_DROP ); } - - static bool packet_retry_requested() - { return ( active_action == ACT_RETRY ); } + static void block_again(); + static void reset_again(); - static bool session_was_blocked() - { return ( active_action >= ACT_BLOCK); } + static bool packet_was_dropped(); + static bool packet_retry_requested(); + static bool session_was_blocked(); + static bool packet_would_be_dropped(); + static bool packet_force_dropped(); - static bool packet_would_be_dropped() - { return (active_status == AST_WOULD ); } + static void set_tunnel_bypass(); + static void clear_tunnel_bypass(); + static bool get_tunnel_bypass(); - static bool packet_force_dropped() - { return (active_status == AST_FORCE ); } - - static void set_tunnel_bypass() - { active_tunnel_bypass++; } - - static void clear_tunnel_bypass() - { active_tunnel_bypass--; } - - static bool get_tunnel_bypass() - { return ( active_tunnel_bypass > 0 ); } - - static uint64_t get_injects() - { return s_injects; } + static uint64_t get_injects(); static void set_delayed_action(ActiveAction, bool force = false); - static void apply_delayed_action(Packet*); private: diff --git a/src/piglet/piglet.cc b/src/piglet/piglet.cc index 7f5d65831..5d4f25dd7 100644 --- a/src/piglet/piglet.cc +++ b/src/piglet/piglet.cc @@ -43,5 +43,5 @@ int main() } bool piglet_mode() -{ return snort_conf->run_flags & RUN_FLAG__PIGLET; } +{ return SnortConfig::get_conf()->run_flags & RUN_FLAG__PIGLET; } } // namespace Piglet diff --git a/src/piglet/piglet_manager.cc b/src/piglet/piglet_manager.cc index 215ec0137..cdba8aebc 100644 --- a/src/piglet/piglet_manager.cc +++ b/src/piglet/piglet_manager.cc @@ -98,11 +98,11 @@ static BasePlugin* instantiate( Module* m; if ( key == PT_IPS_OPTION || use_defaults ) // FIXIT-L this is just a workaround, need to be able to get parsed rule module - m = ModuleManager::get_default_module(name.c_str(), snort_conf); + m = ModuleManager::get_default_module(name.c_str(), SnortConfig::get_conf()); else m = ModuleManager::get_module(name.c_str()); - auto piglet = piglet_api->ctor(lua, name, m, snort_conf); + auto piglet = piglet_api->ctor(lua, name, m, SnortConfig::get_conf()); assert(piglet); diff --git a/src/piglet_plugins/pp_inspector_iface.cc b/src/piglet_plugins/pp_inspector_iface.cc index 9e87ecf6b..30d630e4b 100644 --- a/src/piglet_plugins/pp_inspector_iface.cc +++ b/src/piglet_plugins/pp_inspector_iface.cc @@ -53,7 +53,7 @@ static const luaL_Reg methods[] = { auto& self = InspectorIface.get(L); // FIXIT-L do we need an opaque SnortConfig interface? - bool result = self.configure(snort_conf); + bool result = self.configure(SnortConfig::get_conf()); lua_pushboolean(L, result); return 1; } diff --git a/src/profiler/rule_profiler.cc b/src/profiler/rule_profiler.cc index 83472b9dc..37d196575 100644 --- a/src/profiler/rule_profiler.cc +++ b/src/profiler/rule_profiler.cc @@ -189,10 +189,10 @@ static void consolidate_otn_states(OtnState* states) static std::vector build_entries() { - assert(snort_conf); + assert(SnortConfig::get_conf()); - detection_option_tree_update_otn_stats(snort_conf->detection_option_tree_hash_table); - auto* otn_map = snort_conf->otn_map; + detection_option_tree_update_otn_stats(SnortConfig::get_conf()->detection_option_tree_hash_table); + auto* otn_map = SnortConfig::get_conf()->otn_map; std::vector entries; @@ -308,8 +308,8 @@ void show_rule_profiler_stats(const RuleProfilerConfig& config) void reset_rule_profiler_stats() { - assert(snort_conf); - auto* otn_map = snort_conf->otn_map; + assert(SnortConfig::get_conf()); + auto* otn_map = SnortConfig::get_conf()->otn_map; for ( auto* h = sfghash_findfirst(otn_map); h; h = sfghash_findnext(otn_map) ) { diff --git a/src/search_engines/hyperscan.cc b/src/search_engines/hyperscan.cc index 10cab6389..9d9450afa 100644 --- a/src/search_engines/hyperscan.cc +++ b/src/search_engines/hyperscan.cc @@ -278,7 +278,7 @@ int HyperscanMpse::_search( match_cb = mf; match_ctx = pv; - SnortState* ss = snort_conf->state + get_instance_id(); + SnortState* ss = SnortConfig::get_conf()->state + get_instance_id(); // scratch is null for the degenerate case w/o patterns assert(!hs_db or ss->hyperscan_scratch); diff --git a/src/search_engines/test/hyperscan_test.cc b/src/search_engines/test/hyperscan_test.cc index 8c25cb83e..20fa9d06d 100644 --- a/src/search_engines/test/hyperscan_test.cc +++ b/src/search_engines/test/hyperscan_test.cc @@ -87,6 +87,9 @@ SnortConfig::SnortConfig(SnortConfig*) SnortConfig::~SnortConfig() { } +SnortConfig* SnortConfig::get_conf() +{ return snort_conf; } + unsigned get_instance_id() { return 0; } diff --git a/src/search_engines/test/search_tool_test.cc b/src/search_engines/test/search_tool_test.cc index 1c7bf15c0..dd256102b 100644 --- a/src/search_engines/test/search_tool_test.cc +++ b/src/search_engines/test/search_tool_test.cc @@ -57,6 +57,9 @@ SnortConfig::SnortConfig(SnortConfig*) SnortConfig::~SnortConfig() { } +SnortConfig* SnortConfig::get_conf() +{ return snort_conf; } + unsigned get_instance_id() { return 0; } diff --git a/src/service_inspectors/ftp_telnet/ftp.cc b/src/service_inspectors/ftp_telnet/ftp.cc index eb02fc29e..6fdfb9f4a 100644 --- a/src/service_inspectors/ftp_telnet/ftp.cc +++ b/src/service_inspectors/ftp_telnet/ftp.cc @@ -453,7 +453,7 @@ static Module* fs_mod_ctor() static void fs_init() { - ftp_data_app_id = snort_conf->proto_ref->add("ftp-data"); + ftp_data_app_id = SnortConfig::get_conf()->proto_ref->add("ftp-data"); FtpFlowData::init(); } diff --git a/src/stream/stream.cc b/src/stream/stream.cc index 73854f5aa..a3e934f6b 100644 --- a/src/stream/stream.cc +++ b/src/stream/stream.cc @@ -334,8 +334,8 @@ void Stream::init_active_response(const Packet* p, Flow* flow) flow->response_count = 1; - if ( snort_conf->max_responses > 1 ) - flow->set_expire(p, snort_conf->min_interval); + if ( SnortConfig::get_conf()->max_responses > 1 ) + flow->set_expire(p, SnortConfig::get_conf()->min_interval); } void Stream::purge_flows() @@ -573,7 +573,7 @@ uint8_t Stream::get_flow_ttl(Flow* flow, char dir, bool outer) // that we only send in the still active direction(s). static void active_response(Packet* p, Flow* lwssn) { - uint8_t max = snort_conf->max_responses; + uint8_t max = SnortConfig::get_conf()->max_responses; if ( p->is_from_client() ) lwssn->session_state |= STREAM_STATE_DROP_CLIENT; @@ -582,7 +582,7 @@ static void active_response(Packet* p, Flow* lwssn) if ( (lwssn->response_count < max) && lwssn->expired(p) ) { - uint32_t delay = snort_conf->min_interval; + uint32_t delay = SnortConfig::get_conf()->min_interval; EncodeFlags flags = ( (lwssn->session_state & STREAM_STATE_DROP_CLIENT) && (lwssn->session_state & STREAM_STATE_DROP_SERVER) ) ? diff --git a/src/stream/stream_splitter.cc b/src/stream/stream_splitter.cc index cd62eb28d..c0300d06a 100644 --- a/src/stream/stream_splitter.cc +++ b/src/stream/stream_splitter.cc @@ -31,7 +31,7 @@ #include "stream.h" unsigned StreamSplitter::max(Flow*) -{ return snort_conf->max_pdu; } +{ return SnortConfig::get_conf()->max_pdu; } uint16_t StreamSplitter::get_flush_bucket_size() { return FlushBucket::get_size(); } diff --git a/src/stream/tcp/ips_stream_reassemble.cc b/src/stream/tcp/ips_stream_reassemble.cc index 5b07a9e7c..ccbdc6bc5 100644 --- a/src/stream/tcp/ips_stream_reassemble.cc +++ b/src/stream/tcp/ips_stream_reassemble.cc @@ -302,7 +302,7 @@ TEST_CASE("IPS Stream Reassemble", "[ips_stream_reassemble][stream_tcp]") SECTION("reassembler initialization") { - bool status = reassembler->begin(nullptr, 0, snort_conf); + bool status = reassembler->begin(nullptr, 0, SnortConfig::get_conf()); CHECK(status); CHECK( ( reassembler->srod.enable == 0 ) ); CHECK( ( reassembler->srod.direction == 0 ) ); diff --git a/src/stream/tcp/tcp_event_logger.cc b/src/stream/tcp/tcp_event_logger.cc index 340bcd86b..45dc390ef 100644 --- a/src/stream/tcp/tcp_event_logger.cc +++ b/src/stream/tcp/tcp_event_logger.cc @@ -90,7 +90,7 @@ struct tcp_event_sid tcp_event_sids[] = void TcpEventLogger::log_internal_event(uint32_t eventSid) { - if (is_internal_event_enabled(snort_conf->rate_filter_config, eventSid)) + if (is_internal_event_enabled(SnortConfig::get_conf()->rate_filter_config, eventSid)) { tcpStats.internalEvents++; DetectionEngine::queue_event(GENERATOR_INTERNAL, eventSid); diff --git a/src/stream/test/stream_splitter_test.cc b/src/stream/test/stream_splitter_test.cc index 0b23285c1..ad75a4b3d 100644 --- a/src/stream/test/stream_splitter_test.cc +++ b/src/stream/test/stream_splitter_test.cc @@ -35,6 +35,9 @@ //-------------------------------------------------------------------------- THREAD_LOCAL SnortConfig* snort_conf = nullptr; +SnortConfig* SnortConfig::get_conf() +{ return snort_conf; } + static StreamSplitter* next_splitter = nullptr; static int flushed = 0; diff --git a/src/target_based/sftarget_reader.cc b/src/target_based/sftarget_reader.cc index f9a41df52..50ebef2ad 100644 --- a/src/target_based/sftarget_reader.cc +++ b/src/target_based/sftarget_reader.cc @@ -59,7 +59,7 @@ tTargetBasedConfig::tTargetBasedConfig() // FIXIT-M 16k per host is no longer true // FIXIT-M init before snort_conf; move to filename and load separately // this is a hack to get it going - uint32_t max = snort_conf ? + uint32_t max = SnortConfig::get_conf() ? SnortConfig::get_max_attribute_hosts() : DEFAULT_MAX_ATTRIBUTE_HOSTS; lookupTable = sfrt_new(DIR_8x16, IPv6, max + 1, (max>>6) + 1); } @@ -258,7 +258,7 @@ int SFAT_AddHostEntryToMap(HostAttributeEntry* host) ret, SnortConfig::get_max_attribute_hosts()); sfat_insufficient_space_logged = true; } - /* Reset return value and continue w/ only snort_conf->max_attribute_hosts */ + /* Reset return value and continue w/ only SnortConfig::get_conf()->max_attribute_hosts */ ret = RT_SUCCESS; } else if ( !sfat_grammar_error_printed ) diff --git a/src/utils/stats.cc b/src/utils/stats.cc index 0629c7719..db6523207 100644 --- a/src/utils/stats.cc +++ b/src/utils/stats.cc @@ -276,7 +276,7 @@ void get_daq_stats(DAQStats& daq_stats) daq_stats.internal_blacklist = gaux.internal_blacklist; daq_stats.internal_whitelist = gaux.internal_whitelist; - daq_stats.skipped = snort_conf->pkt_skip; + daq_stats.skipped = SnortConfig::get_conf()->pkt_skip; daq_stats.idle = gaux.idle; daq_stats.rx_bytes = gaux.rx_bytes; } @@ -293,7 +293,7 @@ void DropStats() LogLabel("Module Statistics"); const char* exclude = "daq snort"; - ModuleManager::dump_stats(snort_conf, exclude); + ModuleManager::dump_stats(SnortConfig::get_conf(), exclude); file_stats_print(); @@ -312,19 +312,19 @@ void PrintStatistics() timing_stats(); // FIXIT-L below stats need to be made consistent with above - print_thresholding(snort_conf->threshold_config, 1); + print_thresholding(SnortConfig::get_conf()->threshold_config, 1); { // FIXIT-L can do flag saving with RAII (much cleaner) - int save_quiet_flag = snort_conf->logging_flags & LOGGING_FLAG__QUIET; + int save_quiet_flag = SnortConfig::get_conf()->logging_flags & LOGGING_FLAG__QUIET; - snort_conf->logging_flags &= ~LOGGING_FLAG__QUIET; + SnortConfig::get_conf()->logging_flags &= ~LOGGING_FLAG__QUIET; // once more for the main thread Profiler::consolidate_stats(); Profiler::show_stats(); - snort_conf->logging_flags |= save_quiet_flag; + SnortConfig::get_conf()->logging_flags |= save_quiet_flag; } } diff --git a/src/utils/util.cc b/src/utils/util.cc index 7ac5d239c..4aa275816 100644 --- a/src/utils/util.cc +++ b/src/utils/util.cc @@ -167,7 +167,7 @@ void ts_print(const struct timeval* tvp, char* timebuf) tvp = &tv; } - int localzone = snort_conf->thiszone; + int localzone = SnortConfig::get_conf()->thiszone; /* ** If we're doing UTC, then make sure that the timezone is correct. @@ -246,14 +246,14 @@ static FILE* pid_file = nullptr; void CreatePidFile(pid_t pid) { - snort_conf->pid_filename = snort_conf->log_dir; - snort_conf->pid_filename += "/snort.pid"; + SnortConfig::get_conf()->pid_filename = SnortConfig::get_conf()->log_dir; + SnortConfig::get_conf()->pid_filename += "/snort.pid"; std::string pid_lockfilename; if ( !SnortConfig::no_lock_pid_file() ) { - pid_lockfilename = snort_conf->pid_filename; + pid_lockfilename = SnortConfig::get_conf()->pid_filename; pid_lockfilename += ".lck"; /* First, lock the PID file */ @@ -273,18 +273,18 @@ void CreatePidFile(pid_t pid) { ClosePidFile(); ParseError("Failed to Lock PID File \"%s\" for PID \"%d\"", - snort_conf->pid_filename.c_str(), (int)pid); + SnortConfig::get_conf()->pid_filename.c_str(), (int)pid); return; } } } /* Okay, were able to lock PID file, now open and write PID */ - pid_file = fopen(snort_conf->pid_filename.c_str(), "w"); + pid_file = fopen(SnortConfig::get_conf()->pid_filename.c_str(), "w"); if (pid_file) { LogMessage("Writing PID \"%d\" to file \"%s\"\n", (int)pid, - snort_conf->pid_filename.c_str()); + SnortConfig::get_conf()->pid_filename.c_str()); fprintf(pid_file, "%d\n", (int)pid); fflush(pid_file); } @@ -292,8 +292,8 @@ void CreatePidFile(pid_t pid) { const char* error = get_error(errno); ErrorMessage("Failed to create pid file %s, Error: %s", - snort_conf->pid_filename.c_str(), error); - snort_conf->pid_filename.clear(); + SnortConfig::get_conf()->pid_filename.c_str(), error); + SnortConfig::get_conf()->pid_filename.clear(); } if ( !pid_lockfilename.empty() ) unlink(pid_lockfilename.c_str()); @@ -548,7 +548,7 @@ static char* GetAbsolutePath(const char* dir, PathBuf& buf) } /** - * Chroot and adjust the snort_conf->log_dir reference + * Chroot and adjust the SnortConfig::get_conf()->log_dir reference */ bool EnterChroot(std::string& root_dir, std::string& log_dir) { diff --git a/tools/snort2lua/config_states/config_na_policy_mode.cc b/tools/snort2lua/config_states/config_na_policy_mode.cc index d07a82cc1..41927b1b9 100644 --- a/tools/snort2lua/config_states/config_na_policy_mode.cc +++ b/tools/snort2lua/config_states/config_na_policy_mode.cc @@ -26,12 +26,53 @@ namespace config { +namespace +{ +class NaPolicyMode : public ConversionState +{ +public: + NaPolicyMode(Converter& c) : ConversionState(c) { } + bool convert(std::istringstream& data_stream) override; +}; +} // namespace + +bool NaPolicyMode::convert(std::istringstream& data_stream) +{ + bool retval = true; + std::string mode; + + if ( data_stream >> mode) + { + if ( mode == "tap" || mode == "inline_test" ) + { + table_api.open_top_level_table("inspection"); + table_api.add_option("mode", "inline-test"); + table_api.add_diff_option_comment("na_policy_mode", "mode"); + table_api.close_table(); + } + else if ( mode == "inline" ) + { + table_api.open_top_level_table("inspection"); + table_api.add_option("mode", "inline"); + table_api.add_diff_option_comment("na_policy_mode", "mode"); + table_api.close_table(); + } + else + { + retval = false; + data_api.failed_conversion(data_stream, mode); + } + } -//FIXIT-L add when snort supports separate inline mode and normalization inline mode -static std::string header = "config na_policy_mode: "; + return retval; +} + +/************************** + ******* A P I *********** + **************************/ static ConversionState* ctor(Converter& c) -{ return new UnsupportedState<&header>(c); } +{ return new NaPolicyMode(c); } static const ConvertMap na_policy_mode_api = { @@ -40,5 +81,6 @@ static const ConvertMap na_policy_mode_api = }; const ConvertMap* na_policy_mode_map = &na_policy_mode_api; + } // namespace config diff --git a/tools/snort2lua/config_states/config_policy_uuid.cc b/tools/snort2lua/config_states/config_policy_uuid.cc index 80a9905cc..bcae370f7 100644 --- a/tools/snort2lua/config_states/config_policy_uuid.cc +++ b/tools/snort2lua/config_states/config_policy_uuid.cc @@ -40,9 +40,14 @@ bool PolicyUuid::convert(std::istringstream& data_stream) std::string policy_version; std::string policy_revision; + // This could belong to either inspection or ips policy. + // binder[].use.*_policy logic in snort will apply these correctly if (data_stream >> policy_version >> policy_revision) { // Had both a base policy version and revision. Use revision UUID. + cv.get_table_api().open_table("inspection"); + cv.get_table_api().add_option("uuid", policy_revision); + cv.get_table_api().close_table(); cv.get_table_api().open_table("ips"); cv.get_table_api().add_option("uuid", policy_revision); cv.get_table_api().close_table(); @@ -50,6 +55,9 @@ bool PolicyUuid::convert(std::istringstream& data_stream) else if (!policy_version.empty()) { // Had only a base policy version. + cv.get_table_api().open_table("inspection"); + cv.get_table_api().add_option("uuid", policy_version); + cv.get_table_api().close_table(); cv.get_table_api().open_table("ips"); cv.get_table_api().add_option("uuid", policy_version); cv.get_table_api().close_table(); diff --git a/tools/snort2lua/data/dt_table_api.cc b/tools/snort2lua/data/dt_table_api.cc index 9bc971ea5..b6b9b290f 100644 --- a/tools/snort2lua/data/dt_table_api.cc +++ b/tools/snort2lua/data/dt_table_api.cc @@ -74,8 +74,9 @@ void TableApi::open_top_level_table(const std::string& table_name, bool one_line } Table* t = util::find_table(tables, table_name); + bool existed = (t != nullptr); - if (t == nullptr) + if ( !existed ) { t = new Table(table_name, 0); tables.push_back(t); @@ -85,8 +86,24 @@ void TableApi::open_top_level_table(const std::string& table_name, bool one_line open_tables.push(t); // ignore the initial table - if (open_tables.size() > 1) + if ( open_tables.size() > 1 ) top_level_tables.push(open_tables.size()); + + if ( !existed ) + { + auto p = pending.find(table_name); + if ( p != pending.end() ) + { + auto& q = p->second; + while ( q.size() ) + { + q.front()(*this); + q.pop(); + } + + pending.erase(p); + } + } } void TableApi::open_table(const std::string& table_name, bool one_line) @@ -98,26 +115,15 @@ void TableApi::open_table(const std::string& table_name, bool one_line) return; } - Table* t; - // if no open tables, create a top-level table if (!open_tables.empty()) { - t = open_tables.top()->open_table(table_name); + Table* t = open_tables.top()->open_table(table_name); + t->set_one_line(one_line); + open_tables.push(t); } else - { - t = util::find_table(tables, table_name); - - if (t == nullptr) - { - t = new Table(table_name, 0); - tables.push_back(t); - } - } - - t->set_one_line(one_line); - open_tables.push(t); + open_top_level_table(table_name, one_line); } void TableApi::open_table(bool one_line) @@ -425,3 +431,18 @@ bool TableApi::get_option_value(const std::string& name, std::string& value) return open_tables.top()->get_option(name, value); } +void TableApi::run_when_exists(const char* table_name, PendingFunction action) +{ + if ( should_delegate(table_name) ) + delegate->run_when_exists(table_name, action); + + if ( util::find_table(tables, table_name) ) + action(*this); + else + { + if ( pending.find(table_name) == pending.end() ) + pending[table_name] = std::queue(); + + pending[table_name].push(action); + } +} diff --git a/tools/snort2lua/data/dt_table_api.h b/tools/snort2lua/data/dt_table_api.h index 9d2b58ef5..e5f570a44 100644 --- a/tools/snort2lua/data/dt_table_api.h +++ b/tools/snort2lua/data/dt_table_api.h @@ -21,11 +21,13 @@ #ifndef DATA_DT_TABLE_API_H #define DATA_DT_TABLE_API_H -#include +#include #include +#include +#include +#include #include #include -#include /* * @@ -50,6 +52,8 @@ class Table; class TableApi; typedef std::unordered_map TableDelegation; +typedef std::function PendingFunction; + class TableApi { public: @@ -136,6 +140,9 @@ public: // and value updated successfully bool get_option_value(const std::string& name, std::string& value); + // allows adding options to tables if they exist or once they are created + void run_when_exists(const char* table_name, PendingFunction action); + private: template bool do_add_option(const std::string& opt_name, const T val, const std::string& s_val); @@ -151,6 +158,7 @@ private: std::vector tables; std::stack open_tables; std::stack top_level_tables; + std::unordered_map> pending; bool curr_data_bad = false; TableApi* delegate = nullptr; diff --git a/tools/snort2lua/helpers/converter.cc b/tools/snort2lua/helpers/converter.cc index 68990aade..5038ceb57 100644 --- a/tools/snort2lua/helpers/converter.cc +++ b/tools/snort2lua/helpers/converter.cc @@ -41,6 +41,7 @@ TableDelegation table_delegation = { "binder", true }, { "ips", true }, { "network", true }, + { "normalizer", true}, }; std::string Converter::ips_pattern; diff --git a/tools/snort2lua/preprocessor_states/pps_normalizers.cc b/tools/snort2lua/preprocessor_states/pps_normalizers.cc index cf057960c..0d4bfdb61 100644 --- a/tools/snort2lua/preprocessor_states/pps_normalizers.cc +++ b/tools/snort2lua/preprocessor_states/pps_normalizers.cc @@ -207,6 +207,9 @@ bool TcpNormalizer::convert(std::istringstream& data_stream) else if (keyword == "trim_mss") table_api.add_option("trim_mss", true); + else if (keyword == "ftp" ) + table_api.add_deleted_comment(keyword); + else if (keyword == "ecn") { if (util::get_string(data_stream, value, " ,"))