From d4ff2e2ca578bb2f4c4d07d00a89d4ad20f4b35e Mon Sep 17 00:00:00 2001 
From: Russ Combs
Date: Sat, 5 Aug 2017 11:56:54 -0400
Subject: [PATCH] Squashed commit of the following:

commit 3b226926b43af0665ba14c502c4a23cd8589811a
Author: Russ Combs
Date: Sat Aug 5 10:55:06 2017 -0400

rules: make table consistency checks debug only

commit 1f1901fecb88d2871fb4088d6f5f0955767ea5a3
Author: Russ Combs
Date: Fri Aug 4 14:01:13 2017 -0400

doc: add stdlog usage example

commit f7f4dd5cef22a138582fe8ecad2d03f0b8a8e611
Author: Russ Combs
Date: Fri Aug 4 13:26:46 2017 -0400

build: remove a4 from version string

commit 057220564faa84541f3882b2ea4e1d04df33557a
Author: Russ Combs
Date: Fri Aug 4 12:13:32 2017 -0400

conf: convert string ranges to interval params

commit 2c997e0a969bea72bd641e519e48de4052753a16
Author: Russ Combs
Date: Fri Aug 4 11:03:29 2017 -0400

conf: add explicit interval type

commit 756be7ac77ae96ef026aa92a4af268708ebf4748
Author: Russ Combs
Date: Fri Aug 4 07:32:40 2017 -0400

spell check: fix typo

commit fc7830bd27d6718a4bd439cde33bfc641d8363b7
Author: Russ Combs
Date: Thu Aug 3 22:02:35 2017 -0400

snort2lua: convert dsize:a<>b to dsize:a<=>b for consistency with other rule options
---
 CMakeLists.txt | 3 +-
 configure.ac | 2 +-
 doc/params.txt | 4 ++
 doc/usage.txt | 6 ++
 .../ips_options/ips_pkt_num/ips_pkt_num.cc | 6 +-
 extra/src/ips_options/ips_urg/ips_urg.cc | 4 +-
 src/framework/parameter.cc | 18 ++++-
 src/framework/parameter.h | 1 +
 src/ips_options/ips_ack.cc | 6 +-
 src/ips_options/ips_bufferlen.cc | 4 +-
 src/ips_options/ips_dsize.cc | 4 +-
 src/ips_options/ips_fragoffset.cc | 4 +-
 src/ips_options/ips_icmp_id.cc | 4 +-
 src/ips_options/ips_icmp_seq.cc | 4 +-
 src/ips_options/ips_icode.cc | 4 +-
 src/ips_options/ips_id.cc | 8 ++-
 src/ips_options/ips_itype.cc | 4 +-
 src/ips_options/ips_seq.cc | 8 ++-
 src/ips_options/ips_tos.cc | 4 +-
 src/ips_options/ips_ttl.cc | 4 +-
 src/ips_options/ips_window.cc | 4 +-
 src/ports/port_table.cc | 56 +++++++--------
 .../dce_rpc/ips_dce_iface.cc | 6 +-
 src/stream/tcp/ips_stream_size.cc | 8 ++-
 .../snort2lua/output_states/out_sfunified2.cc | 2 +-
 tools/snort2lua/rule_states/CMakeLists.txt | 1 +
 tools/snort2lua/rule_states/Makefile.am | 1 +
 tools/snort2lua/rule_states/rule_dsize.cc | 71 +++++++++++++++++++
 tools/snort2lua/rule_states/rule_unchanged.cc | 15 +---
 29 files changed, 182 insertions(+), 84 deletions(-)
 create mode 100644 tools/snort2lua/rule_states/rule_dsize.cc

diff --git a/CMakeLists.txt b/CMakeLists.txt
index a1f71a71c..3bf767d2b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -4,9 +4,8 @@ project (snort CXX C)
 set (VERSION_MAJOR 3)
 set (VERSION_MINOR 0)
 set (VERSION_BUILD 0)
-set (VERSION_RELEASE a4)
 set (VERSION
- "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_BUILD}-${VERSION_RELEASE}")
+ "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_BUILD}")
 
 set (INCLUDE_SUFFIX "${CMAKE_PROJECT_NAME}")
 set (INCLUDE_INSTALL_PATH "include/${INCLUDE_SUFFIX}")
diff --git a/configure.ac b/configure.ac
index e1bf4d4ee..a3f7179bc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -23,7 +23,7 @@
 # initialization
 #--------------------------------------------------------------------------
 
-AC_INIT([snort],[3.0.0-a4],[snort-team@cisco.com])
+AC_INIT([snort],[3.0.0],[snort-team@cisco.com])
 AC_PREREQ([2.69])
 AC_CONFIG_SRCDIR([src/main.h])
diff --git a/doc/params.txt b/doc/params.txt
index a33a4e9b0..9fd4231c8 100644
--- a/doc/params.txt
+++ b/doc/params.txt
@@ -13,6 +13,7 @@ The following types are used:
 * *enum*: a string selected from the given range
 * *implied*: an IPS rule option that takes no value but means true
 * *int*: a whole number in the given range
+* *interval*: a set of ints (see below)
 * *ip4*: an IP4 address or CIDR
 * *mac*: an ethernet address with the form 01:02:03:04:05:06
 * *multi*: one or more space separated strings from the given range
@@ -43,4 +44,7 @@ Some additional details to note:
 there is no hard limit.
 * bit_list is typically used to store a set of byte, port, or VLAN ID values.
+* interval takes the form [operator]i, j<>k, or j<=>k where i,j,k are
+ integers and operator is one of =, !, != (same as !), <, <=, >, >=.
+ j<>k means j < int < k and j<=>k means j <= int <= k.
diff --git a/doc/usage.txt b/doc/usage.txt
index 0a036fca6..b127e845b 100644
--- a/doc/usage.txt
+++ b/doc/usage.txt
@@ -98,6 +98,12 @@ Log any generated alerts to the console using the "-A" option:
 
 snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A alert_full
 
+Capture separate stdout, stderr, and stdlog files (out has startup and
+shutdown output, err has warnings and errors, and log has alerts):
+
+ snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A csv \
+ 1>out 2>err 3>log
+
 Add or modify a configuration from the command line using the "--lua" option:
 
 snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A cmg \
diff --git a/extra/src/ips_options/ips_pkt_num/ips_pkt_num.cc b/extra/src/ips_options/ips_pkt_num/ips_pkt_num.cc
index 4b1a96da2..1d51c8311 100644
--- a/extra/src/ips_options/ips_pkt_num/ips_pkt_num.cc
+++ b/extra/src/ips_options/ips_pkt_num/ips_pkt_num.cc
@@ -87,9 +87,11 @@ int PktNumOption::eval(Cursor&, Packet*)
 // module
 //-------------------------------------------------------------------------
 
+#define RANGE "1:"
+
 static const Parameter s_params[] =
 {
- { "~range", Parameter::PT_STRING, nullptr, nullptr,
+ { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
 "check if packet number is in given range" },
 
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
@@ -120,7 +122,7 @@ bool PktNumModule::set(const char*, Value& v, SnortConfig*)
 if ( !v.is("~range") )
 return false;
 
- return data.validate(v.get_string(), "0:");
+ return data.validate(v.get_string(), RANGE);
 }
 
 //-------------------------------------------------------------------------
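Review bot: The validate() call in PktNumModule::set now passes RANGE, which is "1:", where the literal it replaces was "0:", so a rule using `pkt_num:0` is rejected after this change; that is a semantic tightening beyond the type conversion the squash message describes and deserves a word in the commit message or at the macro. If packet numbers are 1-based the new bound is the right one, but nothing in the hunk says so and the help text `"check if packet number is in given range"` does not state the lower bound. Suggest `#define RANGE "1:"  // packet numbers start at 1; 0 can never match` after confirming the numbering in the eval() path, which lies outside this hunk. PktNumModule::set begins outside the second hunk.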
diff --git a/extra/src/ips_options/ips_urg/ips_urg.cc b/extra/src/ips_options/ips_urg/ips_urg.cc
index f3818bb95..42c6e534f 100644
--- a/extra/src/ips_options/ips_urg/ips_urg.cc
+++ b/extra/src/ips_options/ips_urg/ips_urg.cc
@@ -97,8 +97,8 @@ int TcpUrgOption::eval(Cursor&, Packet* p)
 
 static const Parameter s_params[] =
 {
- { "~range", Parameter::PT_STRING, nullptr, nullptr,
- "check if urgent offset is min<>max | min, range is " RANGE },
+ { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
+ "check if tcp urgent offset is in given range" },
 
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
diff --git a/src/framework/parameter.cc b/src/framework/parameter.cc
index 99100c9ad..cac91045f 100644
--- a/src/framework/parameter.cc
+++ b/src/framework/parameter.cc
@@ -78,6 +78,20 @@ static bool valid_int(Value& v, const char* r)
 return true;
 }
 
+// interval is a special case because we support a<>b and a<=>b for convenience.
+// if not for that, then dsize:1<>10; would be dsize:>1, <10; (2 parameters) but
+// that is the same as dsize:>1; dsize:<10; which is arguably easier to read and
+// not significantly worse performance and which we also, obviously, already
+// support. and note that <> and <=> are non-standard Snort-isms. so, we wind
+// up with a multivalued parameter which is best handled as a string. validation
+// must be done by the user. the advantage of using an interval instead of string
+// is that we can document the type in one place and the parameters can focus on
+// their actual, specific semantics instead of trying to explain the syntax. this
+// also ensures that an int-type range is not applied to a string.
+
+static bool valid_interval(Value&, const char*)
+{ return true; }
+
 // FIXIT-L allow multiple , separated ranges
 static bool valid_real(Value& v, const char* r)
 {
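Review bot: valid_interval() ignores both of its arguments and returns true, so the RANGE string this patch attaches to every PT_INTERVAL parameter is never consulted by Parameter::validate; bounds are enforced only when the owning module itself calls `data.validate(v.get_string(), RANGE)` in its set(), as the modules in this patch do. A module that declares PT_INTERVAL and omits that call accepts any string unchecked, and the new enumerator comment in parameter.h, "bounds within range", reads as though this layer checked them. Suggest making the contract visible at the definition, e.g. `static bool valid_interval(Value&, const char*)  // range is documentation only; the module's set() must bounds-check` and the same sentence on the parameter.h line, since that is where module authors look rather than in the long comment above. Rejecting an empty value here would be a cheap extra guard if Value exposes one.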
@@ -362,6 +376,8 @@ bool Parameter::validate(Value& v) const
 // fall through
 case PT_INT:
 return valid_int(v, (const char*)range);
+ case PT_INTERVAL:
+ return valid_interval(v, (const char*)range);
 
 case PT_REAL:
 return valid_real(v, (const char*)range);
@@ -402,7 +418,7 @@ bool Parameter::validate(Value& v) const
 static const char* const pt2str[Parameter::PT_MAX] =
 {
 "table", "list", "dynamic",
- "bool", "int", "real", "port",
+ "bool", "int", "interval", "real", "port",
 "string", "select", "multi", "enum", "mac", "ip4", "addr", "bit_list", "addr_list", "implied"
diff --git a/src/framework/parameter.h b/src/framework/parameter.h
index eeab5a617..01387ca85 100644
--- a/src/framework/parameter.h
+++ b/src/framework/parameter.h
@@ -42,6 +42,7 @@ struct SO_PUBLIC Parameter
 PT_DYNAMIC, // range is RangeQuery*
 PT_BOOL, // if you are reading this, get more coffee
 PT_INT, // signed 64 bits or less determined by range
+ PT_INTERVAL, // string that defines an interval, bounds within range
 PT_REAL, // double
 PT_PORT, // 0 to 64K-1 unless specified otherwise
 PT_STRING, // any string less than len chars
diff --git a/src/ips_options/ips_ack.cc b/src/ips_options/ips_ack.cc
index 5e55ccaf2..7b7bdcedf 100644
--- a/src/ips_options/ips_ack.cc
+++ b/src/ips_options/ips_ack.cc
@@ -94,9 +94,11 @@ int TcpAckOption::eval(Cursor&, Packet* p)
 // module
 //-------------------------------------------------------------------------
 
+#define RANGE "0:"
+
 static const Parameter s_params[] =
 {
- { "~range", Parameter::PT_STRING, nullptr, nullptr,
+ { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
 "check if tcp ack value is 'value | min<>max | min'" },
 
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
@@ -127,7 +129,7 @@ bool AckModule::set(const char*, Value& v, SnortConfig*)
 if ( !v.is("~range") )
 return false;
 
- return data.validate(v.get_string(), "0:");
+ return data.validate(v.get_string(), RANGE);
 }
 
 //-------------------------------------------------------------------------
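Review bot: pt2str is a positional table that must mirror the Parameter::Type enum by hand, and this commit keeps the two aligned by inserting "interval" after "int" here while PT_INTERVAL is added after PT_INT in parameter.h; the `[Parameter::PT_MAX]` bound does not catch a missing or misplaced entry, because a short initializer list zero-fills the tail and leaves a nullptr name. Suggest a comment on the table, `// order and count must match Parameter::Type in parameter.h`, so the next enumerator does not get added in one place only. The table's remaining entries run outside the hunk.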
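Review bot: The ips_ack help string still reads `"check if tcp ack value is 'value | min<>max | min'"` while every other option converted in this patch (ips_id, ips_seq, ips_dsize and the rest) replaces the syntax description with "in given range", which is exactly the point the new parameter.cc comment makes about documenting the interval syntax in one place. Since the line is context rather than changed, it looks like an oversight rather than a choice; suggest `"check if tcp ack value is in given range" },`. The surrounding s_params array continues outside the hunk.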
diff --git a/src/ips_options/ips_bufferlen.cc b/src/ips_options/ips_bufferlen.cc
index df072a0a6..427b9f104 100644
--- a/src/ips_options/ips_bufferlen.cc
+++ b/src/ips_options/ips_bufferlen.cc
@@ -97,8 +97,8 @@ int LenOption::eval(Cursor& c, Packet*)
 
 static const Parameter s_params[] =
 {
- { "~range", Parameter::PT_STRING, nullptr, nullptr,
- "len | min<>max | min, range is " RANGE },
+ { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
+ "check that lenght of current buffer is in given range" },
 
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
diff --git a/src/ips_options/ips_dsize.cc b/src/ips_options/ips_dsize.cc
index 540fa8a76..595068e6f 100644
--- a/src/ips_options/ips_dsize.cc
+++ b/src/ips_options/ips_dsize.cc
@@ -103,8 +103,8 @@ int DsizeOption::eval(Cursor&, Packet* p)
 
 static const Parameter s_params[] =
 {
- { "~range", Parameter::PT_STRING, nullptr, nullptr,
- "check if packet payload size is 'size | min<>max | min', range is " RANGE },
+ { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
+ "check if packet payload size is in the given range" },
 
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
diff --git a/src/ips_options/ips_fragoffset.cc b/src/ips_options/ips_fragoffset.cc
index d377558e7..fb130b549 100644
--- a/src/ips_options/ips_fragoffset.cc
+++ b/src/ips_options/ips_fragoffset.cc
@@ -98,8 +98,8 @@ int FragOffsetOption::eval(Cursor&, Packet* p)
 
 static const Parameter s_params[] =
 {
- { "~range", Parameter::PT_STRING, nullptr, nullptr,
- "check if ip fragment offset value is 'value | min<>max | min', range is " RANGE },
+ { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
+ "check if ip fragment offset is in given range" },
 
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
diff --git a/src/ips_options/ips_icmp_id.cc b/src/ips_options/ips_icmp_id.cc
index 60f42ca9e..ad64a6277 100644
--- a/src/ips_options/ips_icmp_id.cc
+++ b/src/ips_options/ips_icmp_id.cc
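Review bot: The new ips_bufferlen help string contains the typo "lenght"; this text is emitted in generated documentation and `--help` output, so it is user-visible. Suggest `"check that length of current buffer is in given range" },`. The other help strings in this patch read correctly apart from ips_icode, noted separately.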
@@ -128,8 +128,8 @@ int IcmpIdOption::eval(Cursor&, Packet* p)
 
 static const Parameter s_params[] =
 {
- { "~range", Parameter::PT_STRING, nullptr, nullptr,
- "check if icmp id is 'id | min<>max | min', range is " RANGE },
+ { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
+ "check if icmp id is in given range" },
 
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
diff --git a/src/ips_options/ips_icmp_seq.cc b/src/ips_options/ips_icmp_seq.cc
index 6f66bf110..461b0005c 100644
--- a/src/ips_options/ips_icmp_seq.cc
+++ b/src/ips_options/ips_icmp_seq.cc
@@ -129,8 +129,8 @@ int IcmpSeqOption::eval(Cursor&, Packet* p)
 
 static const Parameter s_params[] =
 {
- { "~range", Parameter::PT_STRING, nullptr, nullptr,
- "check if icmp sequence number is 'seq | min<>max | min', range is " RANGE },
+ { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
+ "check if icmp sequence number is in given range" },
 
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
diff --git a/src/ips_options/ips_icode.cc b/src/ips_options/ips_icode.cc
index 9a0353b6c..5c07c5a29 100644
--- a/src/ips_options/ips_icode.cc
+++ b/src/ips_options/ips_icode.cc
@@ -99,8 +99,8 @@ int IcodeOption::eval(Cursor&, Packet* p)
 
 static const Parameter s_params[] =
 {
- { "~range", Parameter::PT_STRING, nullptr, nullptr,
- "check if ICMP code is 'code | min<>max | min', range is " RANGE },
+ { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
+ "check if icmp code is in given range is" },
 
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
diff --git a/src/ips_options/ips_id.cc b/src/ips_options/ips_id.cc
index a76cf6740..838f5b30a 100644
--- a/src/ips_options/ips_id.cc
+++ b/src/ips_options/ips_id.cc
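Review bot: The new ips_icode help string ends with a stray word, `"check if icmp code is in given range is"`, which will show up verbatim in the generated option documentation. Suggest `"check if icmp code is in given range" },` to match the phrasing used by ips_icmp_id and ips_icmp_seq in the hunks above.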
@@ -93,10 +93,12 @@ int IpIdOption::eval(Cursor&, Packet* p)
 // module
 //-------------------------------------------------------------------------
 
+#define RANGE "0:"
+
 static const Parameter s_params[] =
 {
- { "~range", Parameter::PT_STRING, nullptr, nullptr,
- "check if the IP ID is 'id | min<>max | min'" },
+ { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
+ "check if the ip id is in the given range" },
 
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
@@ -129,7 +131,7 @@ bool IpIdModule::set(const char*, Value& v, SnortConfig*)
 if ( !v.is("~range") )
 return false;
 
- return data.validate(v.get_string(), "0:");
+ return data.validate(v.get_string(), RANGE);
 }
 
 //-------------------------------------------------------------------------
diff --git a/src/ips_options/ips_itype.cc b/src/ips_options/ips_itype.cc
index 9aeae999f..464476e73 100644
--- a/src/ips_options/ips_itype.cc
+++ b/src/ips_options/ips_itype.cc
@@ -100,8 +100,8 @@ int IcmpTypeOption::eval(Cursor&, Packet* p)
 
 static const Parameter s_params[] =
 {
- { "~range", Parameter::PT_STRING, nullptr, nullptr,
- "check if icmp type is 'type | min<>max | min', range is " RANGE },
+ { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
+ "check if icmp type is in given range" },
 
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
diff --git a/src/ips_options/ips_seq.cc b/src/ips_options/ips_seq.cc
index 9339f1a89..b3672551e 100644
--- a/src/ips_options/ips_seq.cc
+++ b/src/ips_options/ips_seq.cc
@@ -93,10 +93,12 @@ int TcpSeqOption::eval(Cursor&, Packet* p)
 // module
 //-------------------------------------------------------------------------
 
+#define RANGE "0:"
+
 static const Parameter s_params[] =
 {
- { "~range", Parameter::PT_STRING, nullptr, nullptr,
- "check if tcp sequence number value is 'value | min<>max | min'" },
+ { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
+ "check if tcp sequence number is in given range" },
 
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
@@ -129,7 +131,7 @@ bool SeqModule::set(const char*, Value& v, SnortConfig*)
 if ( !v.is("~range") )
 return false;
 
- return data.validate(v.get_string(), "0:");
+ return data.validate(v.get_string(), RANGE);
 }
 
 //-------------------------------------------------------------------------
diff --git a/src/ips_options/ips_tos.cc b/src/ips_options/ips_tos.cc
index 7954160ca..cd32c99a7 100644
--- a/src/ips_options/ips_tos.cc
+++ b/src/ips_options/ips_tos.cc
@@ -101,8 +101,8 @@ int IpTosOption::eval(Cursor&, Packet* p)
 
 static const Parameter s_params[] =
 {
- { "~range", Parameter::PT_STRING, nullptr, nullptr,
- "check if ip tos value is 'value | min<>max | min', range is " RANGE },
+ { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
+ "check if ip tos is in given range" },
 
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
diff --git a/src/ips_options/ips_ttl.cc b/src/ips_options/ips_ttl.cc
index 80d5d868c..d5ad99641 100644
--- a/src/ips_options/ips_ttl.cc
+++ b/src/ips_options/ips_ttl.cc
@@ -98,8 +98,8 @@ int TtlOption::eval(Cursor&, Packet* p)
 
 static const Parameter s_params[] =
 {
- { "~range", Parameter::PT_STRING, nullptr, nullptr,
- "check if ip ttl field value is 'value | min<>max | min', range is " RANGE },
+ { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
+ "check if ip ttl is in the given range" },
 
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
diff --git a/src/ips_options/ips_window.cc b/src/ips_options/ips_window.cc
index 02dc5b0b8..5cfc23f8f 100644
--- a/src/ips_options/ips_window.cc
+++ b/src/ips_options/ips_window.cc
@@ -98,8 +98,8 @@ int TcpWinOption::eval(Cursor&, Packet* p)
 
 static const Parameter s_params[] =
 {
- { "~range", Parameter::PT_STRING, nullptr, nullptr,
- "check if tcp window field size is 'size | min<>max | min', range is " RANGE },
+ { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
+ "check if tcp window size is in given range" },
 
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
diff --git a/src/ports/port_table.cc b/src/ports/port_table.cc
index b1229fbc9..25041b407 100644
--- a/src/ports/port_table.cc
+++ b/src/ports/port_table.cc
@@ -513,33 +513,6 @@ static PortObject2* PortTableCompileMergePortObjectList2(
 return ponew;
 }
 
-/*
- *
- * Verify all rules in 'po' list are in 'po2' hash
- *
- * return 0 - OK
- * !0 - a rule in po is not in po2
- */
-static int _po2_include_po_rules(PortObject2* po2, PortObject* po)
-{
- SF_LNODE* rpos;
-
- /* get each rule in po */
- for ( int* pid = (int*)sflist_first(po->rule_list, &rpos);
- pid;
- pid = (int*)sflist_next(&rpos) )
- {
- /* find it in po2 */
- int* id = (int*)sfghash_find(po2->rule_hash, pid);
-
- /* make sure it's in po2 */
- if ( !id )
- return 1; /* error */
- }
-
- return 0;
-}
-
 static int PortTableCompileMergePortObjects(PortTable* p)
 {
 DebugMessage(DEBUG_PORTLISTS, "***\n***Merging PortObjects->PortObjects2\n***\n");
@@ -715,9 +688,9 @@ static int PortTableCompileMergePortObjects(PortTable* p)
 return 0;
 }
+#ifdef DEBUG
 // consistency check - part 1
 // make sure each port is only in one composite port object
-
 static bool PortTableConsistencyCheck(PortTable* p)
 {
 std::unique_ptr upA(new char[SFPO_MAX_PORTS]);
@@ -757,6 +730,30 @@ static bool PortTableConsistencyCheck(PortTable* p)
 return true;
 }
+/*
+ * Verify all rules in 'po' list are in 'po2' hash
+ * return 0 - OK; !0 - a rule in po is not in po2
+ */
+static int _po2_include_po_rules(PortObject2* po2, PortObject* po)
+{
+ SF_LNODE* rpos;
+
+ /* get each rule in po */
+ for ( int* pid = (int*)sflist_first(po->rule_list, &rpos);
+ pid;
+ pid = (int*)sflist_next(&rpos) )
+ {
+ /* find it in po2 */
+ int* id = (int*)sfghash_find(po2->rule_hash, pid);
+
+ /* make sure it's in po2 */
+ if ( !id )
+ return 1; /* error */
+ }
+
+ return 0;
+}
+
 // consistency check - part 2
 /*
 * This phase checks the Input port object rules/ports against
@@ -809,6 +806,7 @@ static bool PortTableConsistencyCheck2(PortTable* p)
 return true;
 }
+#endif
 //-------------------------------------------------------------------------
 // PortTable - public
@@ -934,8 +932,10 @@ int PortTableCompile(PortTable* p)
 DEBUG_WRAP(DebugMessage(DEBUG_PORTLISTS, "Done\n"); fflush(stdout); );
+#ifdef DEBUG
 assert(PortTableConsistencyCheck(p));
 assert(PortTableConsistencyCheck2(p));
+#endif
 return 0;
 }
diff --git a/src/service_inspectors/dce_rpc/ips_dce_iface.cc b/src/service_inspectors/dce_rpc/ips_dce_iface.cc
index b5d53c876..35bcdb544 100644
--- a/src/service_inspectors/dce_rpc/ips_dce_iface.cc
+++ b/src/service_inspectors/dce_rpc/ips_dce_iface.cc
@@ -421,11 +421,13 @@ int Dce2IfaceOption::eval(Cursor&, Packet* p)
 // dce2_iface module
 //-------------------------------------------------------------------------
 
+#define RANGE "0:"
+
 static const Parameter s_params[] =
 {
 { "uuid", Parameter::PT_STRING, nullptr, nullptr,
 "match given dcerpc uuid" },
- { "version",Parameter::PT_STRING, nullptr, nullptr,
+ { "version",Parameter::PT_INTERVAL, RANGE, nullptr,
 "interface version" },
 { "any_frag", Parameter::PT_IMPLIED, nullptr, nullptr,
 "match on any fragment" },
@@ -456,7 +458,7 @@ bool Dce2IfaceModule::begin(const char*, int, SnortConfig*)
 bool Dce2IfaceModule::set(const char*, Value& v, SnortConfig*)
 {
 if ( v.is("version") )
- return version.validate(v.get_string(), "0:");
+ return version.validate(v.get_string(), RANGE);
 else if ( v.is("any_frag") )
 any_frag = true;
 else if ( v.is("uuid") )
diff --git a/src/stream/tcp/ips_stream_size.cc b/src/stream/tcp/ips_stream_size.cc
index 26d18d2fb..ef716bc8a 100644
--- a/src/stream/tcp/ips_stream_size.cc
+++ b/src/stream/tcp/ips_stream_size.cc
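Review bot: The new `#ifdef DEBUG` guard around the two assert() calls in PortTableCompile is keyed on a different macro than assert() itself, so a build that defines DEBUG together with NDEBUG compiles PortTableConsistencyCheck, PortTableConsistencyCheck2 and the relocated _po2_include_po_rules (the guards added in the port_table.cc hunks above) but never calls them, giving unused-function warnings and no checking at all; the same guard in the earlier hunk has the same problem. Unless the build system guarantees that DEBUG implies assertions are live, keying all three guards on the assert macro is the consistent choice: change both `+#ifdef DEBUG` lines to `#ifndef NDEBUG`. Worth a sentence in the commit message too: before this change a build without NDEBUG ran the table checks, and a port landing in two composite objects now goes unreported in any non-DEBUG build. PortTableCompile begins outside the hunk.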
@@ -162,10 +162,12 @@ int SizeOption::eval(Cursor&, Packet* pkt)
 // stream_size module
 //-------------------------------------------------------------------------
 
+#define RANGE "0:"
+
 static const Parameter s_params[] =
 {
- { "~range", Parameter::PT_STRING, nullptr, nullptr,
- "size for comparison" },
+ { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
+ "check if the stream size is in the given range" },
 
 { "~direction", Parameter::PT_ENUM, "either|to_server|to_client|both", nullptr,
 "compare applies to the given direction(s)" },
@@ -198,7 +200,7 @@ bool SizeModule::begin(const char*, int, SnortConfig*)
 bool SizeModule::set(const char*, Value& v, SnortConfig*)
 {
 if ( v.is("~range") )
- return ssod.validate(v.get_string(), "0:");
+ return ssod.validate(v.get_string(), RANGE);
 else if ( v.is("~direction") )
 direction = v.get_long();
diff --git a/tools/snort2lua/output_states/out_sfunified2.cc b/tools/snort2lua/output_states/out_sfunified2.cc
index 43439a2cf..b83e88a13 100644
--- a/tools/snort2lua/output_states/out_sfunified2.cc
+++ b/tools/snort2lua/output_states/out_sfunified2.cc
@@ -28,7 +28,7 @@ namespace output
 {
 namespace
 {
- //FIXIT-L add when avaiable
+ //FIXIT-L add when available
 static std::string header = "output sf_unified2: ";
 
 template
diff --git a/tools/snort2lua/rule_states/CMakeLists.txt b/tools/snort2lua/rule_states/CMakeLists.txt
index e2f61d2db..f1f295322 100644
--- a/tools/snort2lua/rule_states/CMakeLists.txt
+++ b/tools/snort2lua/rule_states/CMakeLists.txt
@@ -5,6 +5,7 @@ add_library( rule_states
 rule_convert_comma_list.cc
 rule_dce_iface.cc
 rule_dnp3_obj.cc
+ rule_dsize.cc
 rule_file_data.cc
 rule_http_encode.cc
 rule_isdataat.cc
diff --git a/tools/snort2lua/rule_states/Makefile.am b/tools/snort2lua/rule_states/Makefile.am
index 47c18e061..bf6287d1d 100644
--- a/tools/snort2lua/rule_states/Makefile.am
+++ b/tools/snort2lua/rule_states/Makefile.am
@@ -7,6 +7,7 @@ rule_content.cc \
 rule_convert_comma_list.cc \
 rule_dce_iface.cc \
 rule_dnp3_obj.cc \
+rule_dsize.cc \
 rule_file_data.cc \
 rule_http_encode.cc \
 rule_isdataat.cc \
diff --git a/tools/snort2lua/rule_states/rule_dsize.cc b/tools/snort2lua/rule_states/rule_dsize.cc
new file mode 100644
index 000000000..5322768a5
--- /dev/null
+++ b/tools/snort2lua/rule_states/rule_dsize.cc
@@ -0,0 +1,71 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2017-2017 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// rule_dsize.cc author Russ Combs
+// (based on the amazing original work by Josh)
+
+#include
+//#include
+
+#include "conversion_state.h"
+#include "helpers/converter.h"
+#include "rule_states/rule_api.h"
+#include "helpers/s2l_util.h"
+
+namespace rules
+{
+namespace
+{
+class Dsize : public ConversionState
+{
+public:
+ Dsize(Converter& c) : ConversionState(c) { }
+ virtual ~Dsize() { }
+ virtual bool convert(std::istringstream& data);
+};
+} // namespace
+
+bool Dsize::convert(std::istringstream& data_stream)
+{
+ std::string args = util::get_rule_option_args(data_stream);
+ size_t ltgt = args.find("<>");
+
+ if ( ltgt != std::string::npos )
+ {
+ rule_api.add_comment("dsize: option change: '<>' --> '<=>'");
+ args.insert(ltgt+1, "=");
+ }
+ rule_api.add_option("dsize", args);
+ return set_next_rule_state(data_stream);
+}
+
+/**************************
+ ******* A P I ***********
+ **************************/
+
+static ConversionState* dsize_ctor(Converter& c)
+{ return new Dsize(c); }
+
+static const ConvertMap rule_dsize =
+{
+ "dsize",
+ dsize_ctor,
+};
+
+const ConvertMap* dsize_map = &rule_dsize;
+} // namespace rules
+
diff --git a/tools/snort2lua/rule_states/rule_unchanged.cc b/tools/snort2lua/rule_states/rule_unchanged.cc
index 9af3fe69c..160fc8408 100644
--- a/tools/snort2lua/rule_states/rule_unchanged.cc
+++ b/tools/snort2lua/rule_states/rule_unchanged.cc
@@ -172,20 +172,7 @@ static const ConvertMap rule_flowbits =
 const ConvertMap* flowbits_map = &rule_flowbits;
 
 /************************************
- ********* D S I Z E **************
- ************************************/
-
-static const std::string dsize = "dsize";
-static const ConvertMap rule_dsize =
-{
- dsize,
- unchanged_rule_ctor<& dsize>,
-};
-
-const ConvertMap* dsize_map = &rule_dsize;
-
-/************************************
- ********* D S I Z E **************
+ ************ FRABGITS ************
 ************************************/
 
 static const std::string fragbits = "fragbits";
-- 
2.47.3
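Review bot: Dsize::convert rewrites `<>` to `<=>` and logs that the option changed, but nothing in the file records why the bounds are widened rather than copied, so someone reading the converted rule will suspect the converter altered its meaning; the squash message says only "for consistency with other rule options". Suggest a comment above the `find("<>")`: `// Snort 2 dsize treated a<>b as inclusive, which Snort 3 spells a<=>b; rewriting preserves the rule's meaning` — confirm the Snort 2 semantics before asserting them, as they are inferred here. Style: the codebase already uses C++11 (`nullptr`, `std::unique_ptr` elsewhere in this patch), so `Dsize(Converter& c)` should be `explicit`, and `virtual ~Dsize() { }` / `virtual bool convert(std::istringstream& data);` read better as `~Dsize() override = default;` / `bool convert(std::istringstream& data_stream) override;`, which also makes the declaration's parameter name agree with the definition's.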
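Review bot: The replacement banner line in rule_unchanged.cc reads `FRABGITS`, a transposition of FRAGBITS, and drops the letter-spaced style the neighbouring banners use; since this hunk exists to fix the copy-pasted `D S I Z E` title that sat over the fragbits section, the fix should not introduce a new misspelling. Suggest `+ ******** F R A G B I T S *********` (pad the asterisks to the width of the surrounding lines).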