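/** \test full overlap: a 3 byte segment replaces a 3 byte packet payload
 *        that starts at the same sequence number. Both the packet's payload
 *        view and the raw packet data must carry the segment bytes afterwards.
 *
 *  \retval 1 pass
 *  \retval 0 fail (a short reason is printed before returning)
 */
static int StreamTcpInlineTest01(void)
{
    SCEnter();
    uint8_t payload1[] = "AAC"; /* packet */
    uint8_t payload2[] = "ABC"; /* segment */
    const uint32_t payload_len = sizeof(payload1) - 1; /* both are 3 bytes */
    int result = 0;
    TcpSegment *t = NULL;

    Packet *p = UTHBuildPacketSrcDstPorts(payload1, payload_len, IPPROTO_TCP, 1024, 80);
    if (p == NULL || p->tcph == NULL) {
        printf("generating test packet failed: ");
        goto end;
    }
    p->tcph->th_seq = htonl(10000000UL);

    t = SCMalloc(sizeof(TcpSegment));
    if (t == NULL) {
        printf("alloc TcpSegment failed: ");
        goto end;
    }
    memset(t, 0x00, sizeof(TcpSegment));
    t->payload = payload2;
    t->payload_len = sizeof(payload2) - 1;
    t->seq = 10000000UL;

    StreamTcpInlineSegmentReplacePacket(p, t);

    if (!(p->flags & PKT_STREAM_MODIFIED)) {
        printf("PKT_STREAM_MODIFIED pkt flag not set: ");
        goto end;
    }

    /* the packet's payload view must now show the segment's bytes */
    if (memcmp(p->payload, t->payload, p->payload_len) != 0) {
        printf("Packet:\n");
        PrintRawDataFp(stdout, p->payload, p->payload_len);
        printf("Segment:\n");
        PrintRawDataFp(stdout, t->payload, t->payload_len);
        printf("payloads didn't match: ");
        goto end;
    }

    /* the raw packet data must have been rewritten in place as well: the
     * last payload_len bytes of the packet are the segment payload. The
     * dump length is tied to the segment instead of a magic 3. */
    uint8_t *pkt = GET_PKT_DATA(p) + (GET_PKT_LEN(p) - payload_len);
    if (memcmp(pkt, payload2, sizeof(payload2) - 1) != 0) {
        printf("Raw packet tail:\n");
        PrintRawDataFp(stdout, pkt, sizeof(payload2) - 1);
        printf("Raw packet:\n");
        PrintRawDataFp(stdout, GET_PKT_DATA(p), GET_PKT_LEN(p));
        printf("raw packet data not rewritten: ");
        goto end;
    }

    result = 1;
end:
    if (p != NULL) {
        UTHFreePacket(p);
    }
    if (t != NULL) {
        SCFree(t);
    }
    SCReturnInt(result);
}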
/** \test run the sha256 transform over a small whitespace-padded input.
 *
 *  This only exercises the code path: the buffer is hex dumped to stdout
 *  before and after the transform, nothing about the digest is asserted.
 */
static int DetectTransformToSha256Test01(void)
{
    const char *text = " A B C D ";
    const uint8_t *input = (const uint8_t *)text;
    const uint32_t input_len = strlen(text);

    InspectionBuffer buffer;
    InspectionBufferInit(&buffer, 8);
    InspectionBufferSetup(&buffer, input, input_len);
    PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);

    TransformToSha256(&buffer);
    PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);

    InspectionBufferFree(&buffer);
    PASS;
}
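/**
 * \brief Parse one FTP request line out of the to-server data.
 *
 * The line is CRLF delimited; a partial line is buffered in the parser
 * state by AlpParseFieldByDelimiter until the delimiter arrives.
 *
 * \param f          flow the data belongs to (unused here)
 * \param ftp_state  the ftp state structure for the parser (unused here)
 * \param pstate     app layer parser state, holds the partial-line store
 * \param input      input bytes of the command
 * \param input_len  length of the input
 * \param local_data per-thread parser data (unused here)
 * \param output     the resulting output fields
 *
 * \retval  1 a complete request line was parsed
 * \retval  0 no complete line yet, more data is needed
 * \retval -1 pstate is NULL
 */
static int FTPParseRequest(Flow *f, void *ftp_state, AppLayerParserState *pstate,
        uint8_t *input, uint32_t input_len, void *local_data,
        AppLayerParserResult *output)
{
    SCEnter();

    if (pstate == NULL)
        return -1;

    const uint8_t delim[] = { 0x0D, 0x0A };
    uint32_t offset = 0;

    int r = AlpParseFieldByDelimiter(output, pstate, FTP_FIELD_REQUEST_LINE,
            delim, sizeof(delim), input, input_len, &offset);
    if (r == 0) {
        pstate->parse_field = 0;
        return 0;
    }

    /* The previous revision hex dumped pstate->store to stdout at this point
     * whenever it was non-empty. That is attacker controlled command data
     * leaving the process on stdout in a non-debug build, so the dump was
     * removed; use SCLogDebug if the partial-line store needs inspecting. */
    pstate->parse_field = 0;
    return 1;
}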
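/**
 * \brief Run the base64_decode keyword against a payload buffer.
 *
 * Applies the keyword's relative/offset adjustments to pick the input
 * window, decodes at most data->bytes of it into det_ctx->base64_decoded
 * and stores the decoded length in det_ctx->base64_decoded_len.
 *
 * \param det_ctx     detection engine thread ctx: supplies buffer_offset
 *                    (for relative) and receives the decoded data/length
 * \param s           signature being evaluated (unused here)
 * \param sm          the base64_decode SigMatch; ctx is a DetectBase64Decode
 * \param payload     buffer to decode from
 * \param payload_len length of payload
 *
 * \retval 1 at least one byte was decoded
 * \retval 0 nothing decoded, or the requested window lies outside payload
 */
int DetectBase64DecodeDoMatch(DetectEngineThreadCtx *det_ctx, Signature *s,
        const SigMatch *sm, uint8_t *payload, uint32_t payload_len)
{
    DetectBase64Decode *data = (DetectBase64Decode *)sm->ctx;

    if (data->relative) {
        /* buffer_offset is set by the preceding match and is expected to lie
         * inside this buffer. Reject an offset at or past the end explicitly,
         * like the absolute offset below, instead of letting the unsigned
         * payload_len wrap and handing an oversized window to the decoder. */
        if (det_ctx->buffer_offset >= payload_len) {
            return 0;
        }
        payload += det_ctx->buffer_offset;
        payload_len -= det_ctx->buffer_offset;
    }

    if (data->offset) {
        if (data->offset >= payload_len) {
            return 0;
        }
        payload += data->offset;
        payload_len -= data->offset;
    }

    /* decode no more than the keyword's byte budget */
    int decode_len = MIN(payload_len, data->bytes);
    det_ctx->base64_decoded_len = DecodeBase64(det_ctx->base64_decoded,
            payload, decode_len, 0);
    SCLogDebug("Decoded %d bytes from base64 data.", det_ctx->base64_decoded_len);

    return det_ctx->base64_decoded_len > 0;
}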
/** \test double the whitespace in a buffer twice, then compress it.
 *
 *  Only exercises the code path: the buffer is hex dumped to stdout after
 *  each step, no assertion is made about the final contents.
 */
static int DetectTransformCompressWhitespaceTest02(void)
{
    const char *text = " A B C D ";
    const uint8_t *input = (const uint8_t *)text;
    const uint32_t input_len = strlen(text);

    InspectionBuffer buffer;
    InspectionBufferInit(&buffer, 8);
    InspectionBufferSetup(&buffer, input, input_len);
    PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);

    /* two rounds of doubling, then one compression pass */
    for (int round = 0; round < 2; round++) {
        TransformDoubleWhitespace(&buffer);
        PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);
    }
    TransformCompressWhitespace(&buffer);
    PrintRawDataFp(stdout, buffer.inspect, buffer.inspect_len);

    InspectionBufferFree(&buffer);
    PASS;
}
/** \brief Hex dump one segment of a streaming buffer to stdout.
 *
 *  Debug aid. Nothing is printed when the segment resolves to no data
 *  (NULL pointer or zero length).
 *
 *  \param sb  the streaming buffer the segment belongs to
 *  \param seg the segment to dump
 */
void DumpSegment(StreamingBuffer *sb, StreamingBufferSegment *seg)
{
    const uint8_t *bytes = NULL;
    uint32_t bytes_len = 0;

    StreamingBufferSegmentGetData(sb, seg, &bytes, &bytes_len);
    if (bytes == NULL || bytes_len == 0)
        return;

    PrintRawDataFp(stdout, bytes, bytes_len);
}
/**
 * \brief Log the packet's PktVars to alert-debug.log: the name of each
 *        var followed by a hex dump of its value.
 *
 * Does no locking of its own; the callers in this file invoke it while
 * holding aft->file_ctx->fp_mutex.
 *
 * \param aft Pointer to AlertDebugLog thread data, supplies the file ctx
 * \param p   Pointer to the packet whose pktvar list is walked
 */
static void AlertDebugLogPktVars(AlertDebugLogThread *aft, Packet *p)
{
    FILE *fp = aft->file_ctx->fp;

    for (PktVar *pv = p->pktvar; pv != NULL; pv = pv->next) {
        fprintf(fp, "PKTVAR: %s\n", pv->name);
        PrintRawDataFp(fp, pv->value, pv->value_len);
    }
}
/** \brief Test helper: duplicate every whitespace byte of the buffer.
 *
 *  Rewrites buffer->inspect so that each byte for which isspace() holds
 *  appears twice; every other byte is copied through unchanged. Input and
 *  output are hex dumped to stdout.
 *
 *  The scratch space is a VLA of 2 * inspect_len bytes on the stack, so
 *  this is only suitable for the small inputs a unit test feeds it; a
 *  large inspect_len would exhaust the stack.
 *
 *  \param buffer inspection buffer to rewrite in place
 *  \retval 0 always
 */
static int TransformDoubleWhitespace(InspectionBuffer *buffer)
{
    const uint8_t *src = buffer->inspect;
    const uint32_t src_len = buffer->inspect_len;
    uint8_t scratch[src_len * 2]; /* worst case: every byte is whitespace */
    uint8_t *dst = scratch;

    PrintRawDataFp(stdout, src, src_len);

    for (uint32_t i = 0; i < src_len; i++) {
        const uint8_t c = src[i];
        if (isspace(c))
            *dst++ = c;
        *dst++ = c;
    }

    const uint32_t scratch_len = (uint32_t)(dst - scratch);
    PrintRawDataFp(stdout, scratch, scratch_len);
    InspectionBufferCopy(buffer, scratch, scratch_len);
    return 0;
}
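/**
 * \brief Compare the contents of a streaming buffer with a raw byte string.
 *
 * The two are considered equal only when the streaming buffer starts at
 * stream offset 0, holds exactly rawdata_len bytes and those bytes match
 * rawdata. On a mismatch the buffer's length and offset are logged and its
 * data is hex dumped to stdout; this is a test/debug aid.
 *
 * \param sb          streaming buffer to inspect
 * \param rawdata     expected bytes
 * \param rawdata_len length of rawdata
 *
 * \retval 1 data is the same
 * \retval 0 data is different (an empty streaming buffer counts as different)
 */
int StreamingBufferCompareRawData(const StreamingBuffer *sb,
        const uint8_t *rawdata, uint32_t rawdata_len)
{
    const uint8_t *sbdata = NULL;
    uint32_t sbdata_len = 0;
    uint64_t offset = 0;

    StreamingBufferGetData(sb, &sbdata, &sbdata_len, &offset);

    if (offset == 0 && sbdata != NULL && sbdata_len != 0 &&
            sbdata_len == rawdata_len &&
            memcmp(sbdata, rawdata, sbdata_len) == 0) {
        return 1;
    }

    /* offset is 64 bit: log it as such rather than truncating it through a
     * non-standard `uint` cast */
    SCLogInfo("sbdata_len %" PRIu32 ", offset %" PRIu64, sbdata_len, offset);
    /* only dump when there is something to dump; sbdata may be NULL */
    if (sbdata != NULL && sbdata_len > 0) {
        PrintRawDataFp(stdout, sbdata, sbdata_len);
    }
    return 0;
}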
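/**
 * \brief Print the information and chunks of a Body
 *
 * Each chunk's address and length are emitted with SCLogDebug and also
 * printed to stdout, followed by a hex dump of the chunk data.
 *
 * The previous guard here was `SCLogDebugEnabled()||1`, which is always
 * true: the stdout output below is unconditional and does not depend on
 * the debug-log setting. The dead check is dropped rather than guessed at;
 * keep this function out of production paths, it dumps HTTP body bytes.
 *
 * \param body pointer to the HtpBody holding the list (NULL tolerated)
 * \retval none
 */
void HtpBodyPrint(HtpBody *body)
{
    SCEnter();

    if (body == NULL || body->first == NULL)
        return;

    SCLogDebug("--- Start body chunks at %p ---", body);
    printf("--- Start body chunks at %p ---\n", body);

    for (HtpBodyChunk *cur = body->first; cur != NULL; cur = cur->next) {
        SCLogDebug("Body %p; data %p, len %"PRIu32, body, cur->data, (uint32_t)cur->len);
        printf("Body %p; data %p, len %"PRIu32"\n", body, cur->data, (uint32_t)cur->len);
        PrintRawDataFp(stdout, (uint8_t *)cur->data, cur->len);
    }

    SCLogDebug("--- End body chunks at %p ---", body);
}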
/**
 * \brief Write the alerts raised on a decoder-event packet to
 *        alert-debug.log: time, pcap packet number, the per-alert
 *        msg/gid/sid/rev/class/prio lines and a hex dump of the raw packet.
 *
 * \param tv     thread vars (unused)
 * \param p      packet carrying the alerts
 * \param data   AlertDebugLogThread for this thread
 * \param pq     unused
 * \param postpq unused
 *
 * \retval TM_ECODE_OK always
 */
TmEcode AlertDebugLogDecoderEvent(ThreadVars *tv, Packet *p, void *data,
        PacketQueue *pq, PacketQueue *postpq)
{
    AlertDebugLogThread *aft = (AlertDebugLogThread *)data;
    char timebuf[64];

    if (p->alerts.cnt == 0)
        return TM_ECODE_OK;

    CreateTimeString(&p->ts, timebuf, sizeof(timebuf));

    /* everything below writes to the shared log file: serialize it */
    SCMutexLock(&aft->file_ctx->fp_mutex);
    FILE *fp = aft->file_ctx->fp;

    fprintf(fp, "+================\n");
    fprintf(fp, "TIME: %s\n", timebuf);
    if (p->pcap_cnt > 0)
        fprintf(fp, "PCAP PKT NUM: %"PRIu64"\n", p->pcap_cnt);
    fprintf(fp, "ALERT CNT: %" PRIu32 "\n", p->alerts.cnt);

    for (int i = 0; i < p->alerts.cnt; i++) {
        const PacketAlert *pa = &p->alerts.alerts[i];
        fprintf(fp, "ALERT MSG [%02d]: %s\n", i, pa->msg);
        fprintf(fp, "ALERT GID [%02d]: %" PRIu32 "\n", i, pa->gid);
        fprintf(fp, "ALERT SID [%02d]: %" PRIu32 "\n", i, pa->sid);
        fprintf(fp, "ALERT REV [%02d]: %" PRIu32 "\n", i, pa->rev);
        fprintf(fp, "ALERT CLASS [%02d]: %s\n", i, pa->class_msg);
        fprintf(fp, "ALERT PRIO [%02d]: %" PRIu32 "\n", i, pa->prio);
    }
    aft->file_ctx->alerts += p->alerts.cnt;

    fprintf(fp, "PACKET LEN: %" PRIu32 "\n", GET_PKT_LEN(p));
    fprintf(fp, "PACKET:\n");
    PrintRawDataFp(fp, GET_PKT_DATA(p), GET_PKT_LEN(p));
    fflush(fp);

    SCMutexUnlock(&aft->file_ctx->fp_mutex);
    return TM_ECODE_OK;
}
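/**
 * \brief Print the information and chunks of a Body
 *
 * Each chunk is resolved through the body's streaming buffer; its data
 * pointer and length are emitted with SCLogDebug and also printed to
 * stdout, followed by a hex dump of the chunk data.
 *
 * The previous guard here was `SCLogDebugEnabled()||1`, which is always
 * true: the stdout output below is unconditional and does not depend on
 * the debug-log setting. The dead check is dropped rather than guessed at;
 * keep this function out of production paths, it dumps HTTP body bytes.
 *
 * \param body pointer to the HtpBody holding the list (NULL tolerated)
 * \retval none
 */
void HtpBodyPrint(HtpBody *body)
{
    SCEnter();

    if (body == NULL || body->first == NULL)
        return;

    SCLogDebug("--- Start body chunks at %p ---", body);
    printf("--- Start body chunks at %p ---\n", body);

    for (HtpBodyChunk *cur = body->first; cur != NULL; cur = cur->next) {
        const uint8_t *data = NULL;
        uint32_t data_len = 0;
        StreamingBufferSegmentGetData(body->sb, &cur->sbseg, &data, &data_len);

        SCLogDebug("Body %p; data %p, len %"PRIu32, body, data, data_len);
        printf("Body %p; data %p, len %"PRIu32"\n", body, data, data_len);
        PrintRawDataFp(stdout, data, data_len);
    }

    SCLogDebug("--- End body chunks at %p ---", body);
}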
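/**
 * \brief Inspect the HTTP response line (status line) of a transaction
 *        against the signature's HTTP_RESLINEMATCH list.
 *
 * \param tv      thread vars (unused)
 * \param de_ctx  Detection engine context
 * \param det_ctx Detection engine thread context; its per-buffer inspection
 *                state is reset before the inspection runs
 * \param s       Signature to inspect
 * \param f       Flow
 * \param flags   app layer flags (direction), passed to the progress lookup
 * \param alstate App layer state (unused, the tx is taken from txv)
 * \param txv     the htp_tx_t to inspect
 * \param tx_id   id of that transaction (unused)
 *
 * \retval DETECT_ENGINE_INSPECT_SIG_NO_MATCH   no response line yet and the
 *         parser has not progressed past it, so one may still arrive
 * \retval DETECT_ENGINE_INSPECT_SIG_MATCH      the sig's matches all hit
 * \retval DETECT_ENGINE_INSPECT_SIG_CANT_MATCH the tx progressed past the
 *         response line without one, or the line is present and does not
 *         match (a miss on the line is treated as final)
 */
int DetectEngineInspectHttpResponseLine(ThreadVars *tv, DetectEngineCtx *de_ctx,
        DetectEngineThreadCtx *det_ctx, Signature *s, Flow *f, uint8_t flags,
        void *alstate, void *txv, uint64_t tx_id)
{
    htp_tx_t *tx = (htp_tx_t *)txv;

    if (tx->response_line == NULL) {
        /* no response line: if parsing already moved past the line there
         * never will be one, otherwise it may still show up */
        if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_HTTP, txv, flags) > HTP_RESPONSE_LINE)
            return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
        return DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
    }

    det_ctx->discontinue_matching = 0;
    det_ctx->buffer_offset = 0;
    det_ctx->inspection_recursion_counter = 0;

    /* run the inspection against the buffer */
    int r = DetectEngineContentInspection(de_ctx, det_ctx, s,
            s->sm_lists[DETECT_SM_LIST_HTTP_RESLINEMATCH], f,
            bstr_ptr(tx->response_line), bstr_len(tx->response_line), 0,
            DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL);

    return (r == 1) ? DETECT_ENGINE_INSPECT_SIG_MATCH
                    : DETECT_ENGINE_INSPECT_SIG_CANT_MATCH;
}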
/**
 * \brief Decode the nodes/frames located at certain position/level
 *
 * Walks the encoded data from ac->iter, creating one frame per node at
 * this level. Each node is decoded as identifier, then length, then (unless
 * it is an end-of-contents marker) content; a constructed node recurses
 * one level deeper with node_id + 1. The loop ends when the data runs out,
 * when ASN1_STATUS_DONE is set, or when cur_frame reaches the configured
 * asn1_max_frames_config, which is what caps the frame count (and with it
 * how far the node_id recursion can go).
 *
 * A parse error on the identifier or length sets the matching
 * ASN1_BER_EVENT_* flag on the node, folds it into ac->ctx_flags and stops
 * the walk at this level; a content error stops it without a flag.
 *
 * \param ac pointer to the ASN1 ctx
 * \param node_id node index at the asn1 stack of the ctx
 *
 * \retval byte of parser status: the last value returned by the decode
 *         helpers (ASN1_PARSER_OK after a clean bounds stop), or its initial
 *         value 0 if the loop never ran
 */
uint8_t SCAsn1Decode(Asn1Ctx *ac, uint16_t node_id)
{
    Asn1Node *node = NULL;
    uint8_t ret = 0;

    /* while remaining data, and no fatal error, or end, or max stack frames */
    while (ac->iter < ac->end
            && !(ac->parser_status & ASN1_STATUS_DONE)
            && ac->cur_frame < asn1_max_frames_config) {

        /* Prepare a new frame */
        if (SCAsn1CtxNewFrame(ac, node_id) == NULL)
            break;

        ac->cur_frame = node_id;
        node = ASN1CTX_GET_NODE(ac, node_id);

        SCLogDebug("ASN1 Getting ID, cur:%x remaining %"PRIu32, (uint8_t)*ac->iter, (uint32_t)(ac->end - ac->iter));

        /* Get identifier/tag */
        ret = SCAsn1DecodeIdentifier(ac);
        if (ret == ASN1_PARSER_ERR) {
            SCLogDebug("Error parsing identifier");
            node->flags |= ASN1_BER_EVENT_INVALID_ID;
            ac->ctx_flags |= node->flags;
            break;
        }

        SCLogDebug("ASN1 Getting LEN");

        /* Get length of content */
        ret = SCAsn1DecodeLength(ac);
        if (ret == ASN1_PARSER_ERR) {
            SCLogDebug("Error parsing length");
            node->flags |= ASN1_BER_EVENT_INVALID_LEN;
            ac->ctx_flags |= node->flags;
            break;
        }

        if ( !(node->flags & ASN1_NODE_IS_EOC)) {
            SCLogDebug("ASN1 Getting CONTENT");

            /* Inspect content */
            ret = SCAsn1DecodeContent(ac);
            if (ret == ASN1_PARSER_ERR) {
                SCLogDebug("Error parsing content");
                break;
            }

            /* Skip to the next record (if any) */
            /* NOTE(review): data.len presumably comes from the encoded
             * length field (set by SCAsn1DecodeLength); the skip is not
             * bounded here, the SCAsn1CheckBounds() call right below is what
             * catches iter having run past ac->end. */
            if (node->id.tag_type != ASN1_TAG_TYPE_CONSTRUCTED)
                /* Is primitive, skip it all (no need to decode it)*/
                ac->iter += node->data.len;
        }

        /* Check if we are done with data */
        ret = SCAsn1CheckBounds(ac);
        if (ret == ASN1_PARSER_ERR) {
            ac->parser_status |= ASN1_STATUS_DONE;
            /* There's no more data available */
            ret = ASN1_PARSER_OK;
            break;
        }

#if 0
        printf("Tag Num: %"PRIu32", Tag Type: %"PRIu8", Class:%"PRIu8", Length: %"PRIu32"\n", node->id.tag_num, node->id.tag_type, node->id.class_tag, node->len.len);
        printf("Data: \n");
        PrintRawDataFp(stdout, node->data.ptr, node->len.len);
        printf(" -- EOD --\n");
#endif

        /* Stack flags/events here, so we have the resume at the ctx flags */
        ac->ctx_flags |= node->flags;

        /* Check if it's not a primitive type,
         * then we need to decode contents */
        if (node->id.tag_type == ASN1_TAG_TYPE_CONSTRUCTED) {
            ret = SCAsn1Decode(ac, node_id + 1);
        }
        /* Else we have reached a primitive type and stop the recursion,
         * look if we have other branches at the same level */

        /* But first check if it's a constructed node, and the sum of child
         * lengths was more than the length of this frame
         * this would mean that we have an overflow at the attributes */
        if (ac->iter > node->data.ptr + node->data.len + 1) {
            /* We decoded more length on this frame */
            /* NOTE(review): the overrun is detected but nothing is done
             * about it: no flag, no event, no break. A caller cannot tell
             * from the ctx that the children overran their parent. */
        }

        node_id = ac->cur_frame + 1;
    }

    return ret;
}
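/** \test POST, but not multipart: the whole request body must end up as
 *        one file chunk in the to-server file container, and the file must
 *        be closed once the request is complete.
 *
 *  \retval 1 pass
 *  \retval 0 fail (a short reason is printed before returning)
 */
static int HTPFileParserTest07(void)
{
    int result = 0;
    Flow *f = NULL;
    uint8_t httpbuf1[] = "POST /filename HTTP/1.1\r\n"
                         "Host: www.server.lan\r\n"
                         "Content-Length: 11\r\n"
                         "\r\n";
    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
    uint8_t httpbuf2[] = "FILECONTENT";
    uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
    TcpSession ssn;
    HtpState *http_state = NULL;

    memset(&ssn, 0, sizeof(ssn));

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
    if (f == NULL)
        goto end;
    f->protoctx = &ssn;

    StreamTcpInitConfig(TRUE);

    SCLogDebug("\n>>>> processing chunk 1 size %u <<<<\n", httplen1);
    int r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_START,
            httpbuf1, httplen1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    SCLogDebug("\n>>>> processing chunk 2 size %u <<<<\n", httplen2);
    r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF,
            httpbuf2, httplen2);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f->alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }

    htp_tx_t *tx = list_get(http_state->connp->conn->transactions, 0);
    if (tx == NULL) {
        printf("no transaction: ");
        goto end;
    }

    /* don't hand a NULL method to the failure message */
    if (tx->request_method == NULL ||
            memcmp(bstr_tocstr(tx->request_method), "POST", 4) != 0) {
        printf("expected method POST, got %s \n",
                tx->request_method != NULL ? bstr_tocstr(tx->request_method) : "(null)");
        goto end;
    }

    /* message matches the sibling tests ("...: " prefix for the result) */
    if (http_state->files_ts == NULL || http_state->files_ts->tail == NULL ||
            http_state->files_ts->tail->state != FILE_STATE_CLOSED) {
        printf("state != FILE_STATE_CLOSED: ");
        goto end;
    }

    /* head and its first chunk are dereferenced below: make a missing chunk
     * a test failure instead of a NULL dereference */
    if (http_state->files_ts->head == NULL ||
            http_state->files_ts->head->chunks_head == NULL) {
        printf("no file chunk stored: ");
        goto end;
    }

    /* the expected chunk is exactly the second request buffer */
    if (http_state->files_ts->head->chunks_head->len != httplen2) {
        printf("expected %u but file is %u bytes instead: ", httplen2,
                http_state->files_ts->head->chunks_head->len);
        PrintRawDataFp(stdout, http_state->files_ts->head->chunks_head->data,
                http_state->files_ts->head->chunks_head->len);
        goto end;
    }

    if (memcmp(httpbuf2, http_state->files_ts->head->chunks_head->data,
                http_state->files_ts->head->chunks_head->len) != 0) {
        printf("file content mismatch: ");
        goto end;
    }

    result = 1;
end:
    StreamTcpFreeConfig(TRUE);
    if (http_state != NULL)
        HTPStateFree(http_state);
    UTHFreeFlow(f);
    return result;
}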
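/** \test filedata cut in two pieces: the multipart upload's file content
 *        ("FILE" + "CONTENT") arrives in two separate chunks and must be
 *        reassembled into one 11 byte file chunk, with no decoder events.
 *
 *  \retval 1 pass
 *  \retval 0 fail (a short reason is printed before returning)
 */
static int HTPFileParserTest11(void)
{
    int result = 0;
    Flow *f = NULL;
    uint8_t httpbuf1[] = "POST /upload.cgi HTTP/1.1\r\n"
                         "Host: www.server.lan\r\n"
                         "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
                         "Content-Length: 1102\r\n"
                         "\r\n";
    uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */

    uint8_t httpbuf2[] = "------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n";
    uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */

    uint8_t httpbuf3[] = "Content-Disposition: form-data; name=\"PROGRESS_URL\"\r\n"
                         "\r\n"
                         "http://somserver.com/progress.php?UPLOAD_IDENTIFIER=XXXXXXXXX.XXXXXXXXXX.XXXXXXXX.XX.X\r\n"
                         "------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
                         "Content-Disposition: form-data; name=\"DESTINATION_DIR\"\r\n"
                         "\r\n"
                         "10\r\n"
                         "------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
                         "Content-Disposition: form-data; name=\"js_enabled\"\r\n"
                         "\r\n"
                         "1"
                         "------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
                         "Content-Disposition: form-data; name=\"signature\"\r\n"
                         "\r\n"
                         "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\r\n"
                         "------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
                         "Content-Disposition: form-data; name=\"upload_files\"\r\n"
                         "\r\n"
                         "------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
                         "Content-Disposition: form-data; name=\"terms\"\r\n"
                         "\r\n"
                         "1"
                         "------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
                         "Content-Disposition: form-data; name=\"file[]\"\r\n"
                         "\r\n"
                         "------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
                         "Content-Disposition: form-data; name=\"description[]\"\r\n"
                         "\r\n"
                         "------WebKitFormBoundaryBRDbP74mBhBxsIdo\r\n"
                         "Content-Disposition: form-data; name=\"upload_file[]\"; filename=\"filename.doc\"\r\n"
                         "Content-Type: application/msword\r\n"
                         "\r\n"
                         "FILE";
    uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */

    uint8_t httpbuf4[] = "CONTENT\r\n"
                         "------WebKitFormBoundaryBRDbP74mBhBxsIdo--";
    uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */

    TcpSession ssn;
    HtpState *http_state = NULL;

    memset(&ssn, 0, sizeof(ssn));

    f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 80);
    if (f == NULL)
        goto end;
    f->protoctx = &ssn;

    StreamTcpInitConfig(TRUE);

    SCLogDebug("\n>>>> processing chunk 1 <<<<\n");
    int r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_START,
            httpbuf1, httplen1);
    if (r != 0) {
        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    SCLogDebug("\n>>>> processing chunk 2 size %u <<<<\n", httplen2);
    r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER, httpbuf2, httplen2);
    if (r != 0) {
        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    SCLogDebug("\n>>>> processing chunk 3 size %u <<<<\n", httplen3);
    r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER, httpbuf3, httplen3);
    if (r != 0) {
        printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    SCLogDebug("\n>>>> processing chunk 4 size %u <<<<\n", httplen4);
    r = AppLayerParse(NULL, f, ALPROTO_HTTP, STREAM_TOSERVER|STREAM_EOF,
            httpbuf4, httplen4);
    if (r != 0) {
        printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
        goto end;
    }

    http_state = f->alstate;
    if (http_state == NULL) {
        printf("no http state: ");
        goto end;
    }

    /* a well formed upload must not raise any decoder events */
    AppLayerDecoderEvents *decoder_events = AppLayerGetDecoderEventsForFlow(f);
    if (decoder_events != NULL) {
        printf("app events: ");
        goto end;
    }

    htp_tx_t *tx = list_get(http_state->connp->conn->transactions, 0);
    if (tx == NULL) {
        printf("no transaction: ");
        goto end;
    }

    /* don't hand a NULL method to the failure message */
    if (tx->request_method == NULL ||
            memcmp(bstr_tocstr(tx->request_method), "POST", 4) != 0) {
        printf("expected method POST, got %s \n",
                tx->request_method != NULL ? bstr_tocstr(tx->request_method) : "(null)");
        goto end;
    }

    if (http_state->files_ts == NULL || http_state->files_ts->tail == NULL ||
            http_state->files_ts->tail->state != FILE_STATE_CLOSED) {
        printf("state != FILE_STATE_CLOSED: ");
        goto end;
    }

    /* head and its first chunk are dereferenced below: make a missing chunk
     * a test failure instead of a NULL dereference */
    if (http_state->files_ts->head == NULL ||
            http_state->files_ts->head->chunks_head == NULL) {
        printf("no file chunk stored: ");
        goto end;
    }

    /* "FILE" from chunk 3 and "CONTENT" from chunk 4 reassembled: 11 bytes */
    if (http_state->files_ts->head->chunks_head->len != 11) {
        printf("expected 11 but file is %u bytes instead: ",
                http_state->files_ts->head->chunks_head->len);
        PrintRawDataFp(stdout, http_state->files_ts->head->chunks_head->data,
                http_state->files_ts->head->chunks_head->len);
        goto end;
    }

    if (memcmp("FILECONTENT", http_state->files_ts->head->chunks_head->data,
                http_state->files_ts->head->chunks_head->len) != 0) {
        printf("file content mismatch: ");
        goto end;
    }

    result = 1;
end:
    StreamTcpFreeConfig(TRUE);
    if (http_state != NULL)
        HTPStateFree(http_state);
    UTHFreeFlow(f);
    return result;
}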
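/**
 * \brief Write the alerts on an IPv6 packet to alert-debug.log: one
 *        fast-log style line per alert, then flow details, pktvars and a
 *        hex dump of the raw packet.
 *
 * \param tv     thread vars (unused)
 * \param p      packet carrying the alerts
 * \param data   AlertDebugLogThread for this thread
 * \param pq     unused
 * \param postpq unused
 *
 * \retval TM_ECODE_OK always
 */
TmEcode AlertDebugLogIPv6(ThreadVars *tv, Packet *p, void *data,
        PacketQueue *pq, PacketQueue *postpq)
{
    AlertDebugLogThread *aft = (AlertDebugLogThread *)data;
    char timebuf[64];
    char srcip[46], dstip[46]; /* INET6_ADDRSTRLEN */

    if (p->alerts.cnt == 0)
        return TM_ECODE_OK;

    CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
    /* the addresses are the same for every alert: convert them once */
    inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
    inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));

    SCMutexLock(&aft->file_ctx->fp_mutex);
    FILE *fp = aft->file_ctx->fp;

    /* the alert counter lives in the shared file ctx: bump it under the same
     * mutex that protects the file, as the IPv4 and decoder-event loggers
     * do, instead of before taking the lock */
    aft->file_ctx->alerts += p->alerts.cnt;

    for (int i = 0; i < p->alerts.cnt; i++) {
        const PacketAlert *pa = &p->alerts.alerts[i];
        /* "Classification: fixme" is a literal placeholder in this format;
         * pa->class_msg is not printed here */
        fprintf(fp, "%s [**] [%" PRIu32 ":%" PRIu32 ":%" PRIu32 "] %s [**] "
                "[Classification: fixme] [Priority: %" PRIu32 "] {%" PRIu32 "} "
                "%s:%" PRIu32 " -> %s:%" PRIu32 "\n",
                timebuf, pa->gid, pa->sid, pa->rev, pa->msg, pa->prio,
                IPV6_GET_L4PROTO(p), srcip, p->sp, dstip, p->dp);
    }

    fprintf(fp, "FLOW: to_server: %s, to_client: %s\n",
            p->flowflags & FLOW_PKT_TOSERVER ? "TRUE" : "FALSE",
            p->flowflags & FLOW_PKT_TOCLIENT ? "TRUE" : "FALSE");

    if (p->flow != NULL) {
        /* lock order: file ctx first, then the flow */
        SCMutexLock(&p->flow->m);
        CreateTimeString(&p->flow->startts, timebuf, sizeof(timebuf));
        fprintf(fp, "FLOW Start TS: %s\n", timebuf);
        fprintf(fp, "FLOW PKTS TODST: %"PRIu32"\n", p->flow->todstpktcnt);
        fprintf(fp, "FLOW PKTS TOSRC: %"PRIu32"\n", p->flow->tosrcpktcnt);
        fprintf(fp, "FLOW Total Bytes: %"PRIu64"\n", p->flow->bytecnt);
        fprintf(fp, "FLOW IPONLY SET: TOSERVER: %s, TOCLIENT: %s\n",
                p->flow->flags & FLOW_TOSERVER_IPONLY_SET ? "TRUE" : "FALSE",
                p->flow->flags & FLOW_TOCLIENT_IPONLY_SET ? "TRUE" : "FALSE");
        fprintf(fp, "FLOW ACTION: DROP: %s, PASS %s\n",
                p->flow->flags & FLOW_ACTION_DROP ? "TRUE" : "FALSE",
                p->flow->flags & FLOW_ACTION_PASS ? "TRUE" : "FALSE");
        fprintf(fp, "FLOW NOINSPECTION: PACKET: %s, PAYLOAD: %s, APP_LAYER: %s\n",
                p->flow->flags & FLOW_NOPACKET_INSPECTION ? "TRUE" : "FALSE",
                p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
                p->flow->alflags & FLOW_AL_NO_APPLAYER_INSPECTION ? "TRUE" : "FALSE");
        fprintf(fp, "FLOW APP_LAYER: DETECTED: %s, PROTO %"PRIu16"\n",
                p->flow->alflags & FLOW_AL_PROTO_DETECT_DONE ? "TRUE" : "FALSE",
                p->flow->alproto);
        AlertDebugLogFlowVars(aft, p);
        AlertDebugLogFlowBits(aft, p);
        SCMutexUnlock(&p->flow->m);
    }

    AlertDebugLogPktVars(aft, p);

    fprintf(fp, "PACKET LEN: %" PRIu32 "\n", GET_PKT_LEN(p));
    fprintf(fp, "PACKET:\n");
    PrintRawDataFp(fp, GET_PKT_DATA(p), GET_PKT_LEN(p));
    fflush(fp);

    SCMutexUnlock(&aft->file_ctx->fp_mutex);
    return TM_ECODE_OK;
}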
/**
 * \brief Write the alerts on an IPv4 packet to alert-debug.log in the
 *        verbose multi-line format: timestamp, per-alert details, the
 *        addresses and ports (plus TCP seq/ack for TCP), flow state,
 *        pktvars and a hex dump of the raw packet.
 *
 * \param tv     thread vars (unused)
 * \param p      packet carrying the alerts
 * \param data   AlertDebugLogThread for this thread
 * \param pq     unused
 * \param postpq unused
 *
 * \retval TM_ECODE_OK always
 */
TmEcode AlertDebugLogIPv4(ThreadVars *tv, Packet *p, void *data,
        PacketQueue *pq, PacketQueue *postpq)
{
    AlertDebugLogThread *aft = (AlertDebugLogThread *)data;
    char timebuf[64];
    char srcip[16], dstip[16]; /* INET_ADDRSTRLEN */

    if (p->alerts.cnt == 0)
        return TM_ECODE_OK;

    CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
    /* pure conversions, done before taking the file lock */
    inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));
    inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));

    SCMutexLock(&aft->file_ctx->fp_mutex);
    FILE *fp = aft->file_ctx->fp;

    fprintf(fp, "+================\n");
    fprintf(fp, "TIME: %s\n", timebuf);
    if (p->pcap_cnt > 0)
        fprintf(fp, "PCAP PKT NUM: %"PRIu64"\n", p->pcap_cnt);
    fprintf(fp, "ALERT CNT: %" PRIu32 "\n", p->alerts.cnt);

    for (int i = 0; i < p->alerts.cnt; i++) {
        const PacketAlert *pa = &p->alerts.alerts[i];
        fprintf(fp, "ALERT MSG [%02d]: %s\n", i, pa->msg);
        fprintf(fp, "ALERT GID [%02d]: %" PRIu32 "\n", i, pa->gid);
        fprintf(fp, "ALERT SID [%02d]: %" PRIu32 "\n", i, pa->sid);
        fprintf(fp, "ALERT REV [%02d]: %" PRIu32 "\n", i, pa->rev);
        fprintf(fp, "ALERT CLASS [%02d]: %s\n", i, pa->class_msg);
        fprintf(fp, "ALERT PRIO [%02d]: %" PRIu32 "\n", i, pa->prio);
    }

    fprintf(fp, "SRC IP: %s\n", srcip);
    fprintf(fp, "DST IP: %s\n", dstip);
    fprintf(fp, "PROTO: %" PRIu32 "\n", IPV4_GET_IPPROTO(p));

    if (PKT_IS_TCP(p) || PKT_IS_UDP(p)) {
        fprintf(fp, "SRC PORT: %" PRIu32 "\n", p->sp);
        fprintf(fp, "DST PORT: %" PRIu32 "\n", p->dp);
        if (PKT_IS_TCP(p)) {
            fprintf(fp, "TCP SEQ: %"PRIu32"\n", TCP_GET_SEQ(p));
            fprintf(fp, "TCP ACK: %"PRIu32"\n", TCP_GET_ACK(p));
        }
    }

    /* flow stuff */
    fprintf(fp, "FLOW: to_server: %s, to_client: %s\n",
            p->flowflags & FLOW_PKT_TOSERVER ? "TRUE" : "FALSE",
            p->flowflags & FLOW_PKT_TOCLIENT ? "TRUE" : "FALSE");

    if (p->flow != NULL) {
        /* lock order: file ctx first, then the flow */
        SCMutexLock(&p->flow->m);
        CreateTimeString(&p->flow->startts, timebuf, sizeof(timebuf));
        fprintf(fp, "FLOW Start TS: %s\n", timebuf);
        fprintf(fp, "FLOW PKTS TODST: %"PRIu32"\n", p->flow->todstpktcnt);
        fprintf(fp, "FLOW PKTS TOSRC: %"PRIu32"\n", p->flow->tosrcpktcnt);
        fprintf(fp, "FLOW Total Bytes: %"PRIu64"\n", p->flow->bytecnt);
        fprintf(fp, "FLOW IPONLY SET: TOSERVER: %s, TOCLIENT: %s\n",
                p->flow->flags & FLOW_TOSERVER_IPONLY_SET ? "TRUE" : "FALSE",
                p->flow->flags & FLOW_TOCLIENT_IPONLY_SET ? "TRUE" : "FALSE");
        fprintf(fp, "FLOW ACTION: DROP: %s, PASS %s\n",
                p->flow->flags & FLOW_ACTION_DROP ? "TRUE" : "FALSE",
                p->flow->flags & FLOW_ACTION_PASS ? "TRUE" : "FALSE");
        fprintf(fp, "FLOW NOINSPECTION: PACKET: %s, PAYLOAD: %s, APP_LAYER: %s\n",
                p->flow->flags & FLOW_NOPACKET_INSPECTION ? "TRUE" : "FALSE",
                p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
                p->flow->alflags & FLOW_AL_NO_APPLAYER_INSPECTION ? "TRUE" : "FALSE");
        fprintf(fp, "FLOW APP_LAYER: DETECTED: %s, PROTO %"PRIu16"\n",
                p->flow->alflags & FLOW_AL_PROTO_DETECT_DONE ? "TRUE" : "FALSE",
                p->flow->alproto);
        AlertDebugLogFlowVars(aft, p);
        AlertDebugLogFlowBits(aft, p);
        SCMutexUnlock(&p->flow->m);
    }

    AlertDebugLogPktVars(aft, p);

    /* the alert counter is updated while the file lock is held */
    aft->file_ctx->alerts += p->alerts.cnt;

    fprintf(fp, "PACKET LEN: %" PRIu32 "\n", GET_PKT_LEN(p));
    fprintf(fp, "PACKET:\n");
    PrintRawDataFp(fp, GET_PKT_DATA(p), GET_PKT_LEN(p));
    fflush(fp);

    SCMutexUnlock(&aft->file_ctx->fp_mutex);
    return TM_ECODE_OK;
}
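/** \brief Hex dump a streaming buffer's storage, sb->buf up to
 *         sb->buf_offset, to stdout.
 *
 *  Debug aid only. A NULL sb, a NULL buf or a zero buf_offset prints
 *  nothing instead of dereferencing NULL. Note the very generic,
 *  non-static name: this symbol is global.
 *
 *  \param sb the streaming buffer to dump
 */
void Dump(StreamingBuffer *sb)
{
    if (sb == NULL || sb->buf == NULL || sb->buf_offset == 0)
        return;
    PrintRawDataFp(stdout, sb->buf, sb->buf_offset);
}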
/**
 * \brief Compare the shared data portion of two segments
 *
 * If no data is shared, 0 will be returned.
 *
 * Sequence numbers are compared with the SEQ_* macros so the arithmetic
 * survives 32 bit wraparound. The fast path handles two segments with the
 * same seq and length; the disjoint cases return early; anything else is a
 * partial overlap, for which the overlapping byte range is located and
 * compared with SCMemcmp.
 *
 * \param seg1 first segment
 * \param seg2 second segment
 *
 * \retval 0 shared data is the same (or no data is shared)
 * \retval 1 shared data is different
 */
int StreamTcpInlineSegmentCompare(TcpSegment *seg1, TcpSegment *seg2)
{
    SCEnter();

    if (seg1 == NULL || seg2 == NULL) {
        SCReturnInt(0);
    }

    /* identical extent: compare the payloads outright */
    if (SEQ_EQ(seg1->seq, seg2->seq) && seg1->payload_len == seg2->payload_len) {
        int r = SCMemcmp(seg1->payload, seg2->payload, seg1->payload_len);
#if 0
        if (r) {
            PrintRawDataFp(stdout,seg1->payload,seg1->payload_len);
            PrintRawDataFp(stdout,seg2->payload,seg2->payload_len);
        }
#endif
        SCReturnInt(r);
    /* seg1 starts entirely after seg2 ends: nothing shared */
    } else if (SEQ_GT(seg1->seq, (seg2->seq + seg2->payload_len))) {
        SCReturnInt(0);
    /* seg2 starts entirely after seg1 ends: nothing shared */
    } else if (SEQ_GT(seg2->seq, (seg1->seq + seg1->payload_len))) {
        SCReturnInt(0);
    } else {
        SCLogDebug("seg1 %u (%u), seg2 %u (%u)", seg1->seq, seg1->payload_len, seg2->seq, seg2->payload_len);

        uint32_t seg1_end = seg1->seq + seg1->payload_len;
        uint32_t seg2_end = seg2->seq + seg2->payload_len;
        SCLogDebug("seg1_end %u, seg2_end %u", seg1_end, seg2_end);

#if 0
        SCLogDebug("seg1");
        PrintRawDataFp(stdout,seg1->payload,seg1->payload_len);
        SCLogDebug("seg2");
        PrintRawDataFp(stdout,seg2->payload,seg2->payload_len);
#endif

        /* get the minimal seg*_end */
        uint32_t end = (SEQ_GT(seg1_end, seg2_end)) ? seg2_end : seg1_end;
        /* and the max seq */
        uint32_t seq = (SEQ_LT(seg1->seq, seg2->seq)) ? seg2->seq : seg1->seq;
        SCLogDebug("seq %u, end %u", seq, end);

        /* [seq, end) is the overlap; offsets are where it starts inside each
         * payload. NOTE(review): the offsets are uint16_t, fine as long as
         * payload lengths never exceed 16 bits (the BUG_ON on range below
         * suggests that is the assumption). Adjacent segments, where
         * seq == end, yield range 0 and fall through to the final return. */
        uint16_t seg1_off = seq - seg1->seq;
        uint16_t seg2_off = seq - seg2->seq;
        SCLogDebug("seg1_off %u, seg2_off %u", seg1_off, seg2_off);

        uint32_t range = end - seq;
        SCLogDebug("range %u", range);
        BUG_ON(range > 65536);

        if (range) {
            int r = SCMemcmp(seg1->payload+seg1_off, seg2->payload+seg2_off, range);
#if 0
            if (r) {
                PrintRawDataFp(stdout,seg1->payload+seg1_off,range);
                PrintRawDataFp(stdout,seg2->payload+seg2_off,range);

                PrintRawDataFp(stdout,seg1->payload,seg1->payload_len);
                PrintRawDataFp(stdout,seg2->payload,seg2->payload_len);
            }
#endif
            SCReturnInt(r);
        }
        SCReturnInt(0);
    }
}