Beispiel #1
0
static inline OptTreeNode *getRuleInfo(uint32_t gid, uint32_t sid, uint32_t rev,
                                uint32_t classification, uint32_t priority,
                                const char *msg, OptTreeNode *rule_info)
{
    if (rule_info)
    {
        if (!getRtnFromOtn(rule_info, getIpsRuntimePolicy()))
            return NULL;

        return rule_info;
    }

    return GetOTN(gid, sid, rev, classification, priority, msg);
}
Beispiel #2
0
int file_eventq_add(uint32_t gid, uint32_t sid, char *msg, RuleType type)
{
    OptTreeNode *otn;
    RuleTreeNode *rtn;

    otn = GetApplicableOtn(gid, sid, 1, 0, 3, msg);
    if (otn == NULL)
        return 0;

    rtn = getRtnFromOtn(otn, getIpsRuntimePolicy());
    if (rtn == NULL)
    {
        return 0;
    }

    rtn->type = type;

    return SnortEventqAdd(gid, sid, 1, 0, 3, msg, otn);
}
Beispiel #3
0
OptTreeNode * GenerateSnortEventOtn(
                            uint32_t gen_id,
                            uint32_t sig_id,
                            uint32_t sig_rev,
                            uint32_t classification,
                            uint32_t priority,
                            char *msg )
{
   OptTreeNode * p;
   RuleTreeNode *rtn = NULL;

   p = calloc( 1, sizeof(OptTreeNode) );
   if(!p )
       return 0;

   p->sigInfo.generator = gen_id;
   p->sigInfo.id = sig_id;
   p->sigInfo.rev = sig_rev;
   p->sigInfo.message = msg;
   p->sigInfo.priority = priority;
   p->sigInfo.class_id = classification;

   p->generated = 1;

   p->sigInfo.rule_type=SI_RULE_TYPE_PREPROC; /* TODO: could be detect ... */
   p->sigInfo.rule_flushing=SI_RULE_FLUSHING_OFF; /* only standard rules do this */

   p->event_data.sig_generator = gen_id;
   p->event_data.sig_id = sig_id;
   p->event_data.sig_rev = sig_rev;
   p->event_data.classification = classification;
   p->event_data.priority = priority;

   rtn = GenerateSnortEventRtn(p, getIpsRuntimePolicy());

   if( !rtn )
   {
       free(p);
       return NULL;
   }

   DEBUG_WRAP(
           LogMessage("Generating OTN for GID: %u, SID: %u\n",gen_id,sig_id););
Beispiel #4
0
OptTreeNode * GenerateSnortEventOtn(
                            uint32_t gen_id,
                            uint32_t sig_id,
                            uint32_t sig_rev,
                            uint32_t classification,
                            uint32_t priority,
                            const char *msg )
{
    OptTreeNode *otn;
    RuleTreeNode *rtn;

    otn = otnCreate(gen_id, sig_id, sig_rev, classification, priority, msg);
    if (otn)
    {
        rtn = GenerateSnortEventRtn(otn, getIpsRuntimePolicy());
        if (!rtn)
        {
            free(otn);
            return NULL;
        }
    }

    DEBUG_WRAP(
        LogMessage("Generating OTN for GID: %u, SID: %u\n",gen_id,sig_id););
Beispiel #5
0
/*!
 *
 *  Find/Test/Add an event against a single threshold object.
 *  Events without thresholding objects are automatically loggable.
 *
 *  @param thd     Threshold table pointer
 *  @param sfthd_node Permanent Thresholding Object
 *  @param sip     Event/Packet Src IP address- should be host ordered for comparison
 *  @param dip     Event/Packet Dst IP address
 *  @param curtime Current Event/Packet time in seconds
 *
 *  @return  integer
 *  @retval   0 : Event is loggable
 *  @retval  >0 : Event should not be logged, try next thd object
 *  @retval  <0 : Event should never be logged to this user! Suppressed Event+IP
 *
 */
int sfthd_test_local(
    SFXHASH *local_hash,
    THD_NODE   * sfthd_node,
    snort_ip_p   sip,
    snort_ip_p   dip,
    time_t       curtime )
{
    THD_IP_NODE_KEY key;
    THD_IP_NODE     data,*sfthd_ip_node;
    int             status=0;
    snort_ip_p      ip;
    tSfPolicyId policy_id = getIpsRuntimePolicy();

#ifdef THD_DEBUG
    printf("THD_DEBUG: Key THD_NODE IP=%s,",printIP((unsigned)sfthd_node->ip_address) );
    printf(" MASK=%s\n",printIP((unsigned)sfthd_node->ip_mask) );
    printf("THD_DEBUG:        PKT  SIP=%s\n",printIP((unsigned)sip) );
    printf("THD_DEBUG:        PKT  DIP=%s\n",printIP((unsigned)dip) );
    fflush(stdout);
#endif

    /* -1 means don't do any limit or thresholding */
    if ( sfthd_node->count == THD_NO_THRESHOLD)
    {
#ifdef THD_DEBUG
        printf("\n...No Threshold applied for this object\n");
        fflush(stdout);
#endif
        return 0;
    }


    /*
     *  Check for and test Suppression of this event to this IP
     */
    if( sfthd_node->type == THD_TYPE_SUPPRESS )
    {
#ifdef THD_DEBUG
        printf("THD_DEBUG: SUPPRESS NODE Testing...\n");fflush(stdout);
#endif
        return sfthd_test_suppress(sfthd_node, sip,dip);
    }

    /*
     *  Get The correct IP
     */
    if (sfthd_node->tracking == THD_TRK_SRC)
       ip = sip;
    else
       ip = dip;

    /*
    *  Go on and do standard thresholding
    */

    /* Set up the key */
    key.policyId = policy_id;
    key.ip     = IP_VAL(ip);
    key.thd_id = sfthd_node->thd_id;

    /* Set up a new data element */
    data.count  = 1;
    data.prev   = 0;
    data.tstart = data.tlast = curtime; /* Event time */

    /*
     * Check for any Permanent sig_id objects for this gen_id  or add this one ...
     */
    status = sfxhash_add(local_hash, (void*)&key, &data);
    if (status == SFXHASH_INTABLE)
    {
        /* Already in the table */
        sfthd_ip_node = local_hash->cnode->data;

        /* Increment the event count */
        sfthd_ip_node->count++;
    }
    else if (status != SFXHASH_OK)
    {
        /* hash error */
        return 1; /*  check the next threshold object */
    }
    else
    {
        /* Was not in the table - it was added - work with our copy of the data */
        sfthd_ip_node = &data;
    }

    return sfthd_test_non_suppress(sfthd_node, sfthd_ip_node, curtime);
}
Beispiel #6
0
/*!
 *
 *  Test a an event against the threshold database.
 *  Events without thresholding objects are automatically
 *  loggable.
 *
 *  @param thd     Threshold table pointer
 *  @param gen_id  Generator Id from the event
 *  @param sig_id  Signature Id from the event
 *  @param sip     Event/Packet Src IP address
 *  @param dip     Event/Packet Dst IP address
 *  @param curtime Current Event/Packet time
 *
 *  @return  integer
 *  @retval  0 : Event is loggable
 *  @retval !0 : Event should not be logged (-1 suppressed, 1 filtered)
 *
 */
int sfthd_test_threshold(
    ThresholdObjects *thd_objs,
    THD_STRUCT *thd,
    unsigned   gen_id,
    unsigned   sig_id,
    snort_ip_p sip,
    snort_ip_p dip,
    long       curtime )
{
    tThdItemKey key;
    SFGHASH  * sfthd_hash;
    THD_ITEM * sfthd_item;
    THD_NODE * sfthd_node;
    THD_NODE * g_thd_node = NULL;
#ifdef THD_DEBUG
    int cnt;
#endif
    int status=0;
    tSfPolicyId policy_id = getIpsRuntimePolicy();

    if ((thd_objs == NULL) || (thd == NULL))
        return 0;

#ifdef CRIPPLE
    return 0;
#endif

#ifdef THD_DEBUG
    printf("sfthd_test_threshold...\n");fflush(stdout);
#endif

    if( gen_id >= THD_MAX_GENID )
    {
#ifdef THD_DEBUG
        printf("THD_DEBUG: invalid gen_id=%u\n",gen_id);
        fflush(stdout);
#endif
        return 0; /* bogus gen_id */
    }

    /*
     *  Get the hash table for this gen_id
     */
    sfthd_hash = thd_objs->sfthd_array[gen_id];
    if (sfthd_hash == NULL)
    {
#ifdef THD_DEBUG
        printf("THD_DEBUG: no hash table entry for gen_id=%u\n",gen_id);
        fflush(stdout);
#endif
        goto global_test;
        /* return 0; */ /* no threshold objects for this gen_id, log it ! */
    }

    key.sig_id = sig_id;
    key.policyId = policy_id;
    /*
     * Check for any Permanent sig_id objects for this gen_id
     */
    sfthd_item = (THD_ITEM *)sfghash_find(sfthd_hash, (void*)&key);
    if (sfthd_item == NULL)
    {
#ifdef THD_DEBUG
        printf("THD_DEBUG: no THD objects for gen_id=%u, sig_id=%u\n",gen_id,sig_id);
        fflush(stdout);
#endif
        /* no matching permanent sig_id objects so, log it ! */
        goto global_test;
    }

    /* No List of Threshold objects - bail and log it */
    if (sfthd_item->sfthd_node_list == NULL)
    {
          goto global_test;
    }

    /* For each permanent thresholding object, test/add/update the thd object */
    /* We maintain a list of thd objects for each gen_id+sig_id */
    /* each object has it's own unique thd_id */
    /* Suppression nodes have a very high priority, so they are tested 1st */
#ifdef THD_DEBUG
    cnt=0;
#endif
    for (sfthd_node = (THD_NODE *)sflist_first(sfthd_item->sfthd_node_list);
         sfthd_node != NULL;
         sfthd_node = (THD_NODE *)sflist_next(sfthd_item->sfthd_node_list))
    {
#ifdef THD_DEBUG
        cnt++;
        printf("THD_DEBUG: gen_id=%u sig_id=%u testing thd_id=%d thd_type=%d\n",
                        gen_id, sig_id, sfthd_node->thd_id, sfthd_node->type);
        fflush(stdout);
#endif
        /*
         *   Test SUPPRESSION and THRESHOLDING
         */
        status = sfthd_test_local(thd->ip_nodes, sfthd_node, sip, dip, curtime );

        if( status < 0 ) /* -1 == Don't log and stop looking */
        {
#ifdef THD_DEBUG
            printf("THD_DEBUG: gen_id=%u sig_id=%u, UnLoggable\n\n",gen_id, sig_id,cnt);
            fflush(stdout);
#endif
            return (status < -1) ? 1 : -1;  /* !0 == Don't log it*/
        }
        else if( status == 0 )  /* Log it and stop looking */
        {
#ifdef THD_DEBUG
            printf("THD_DEBUG: gen_id=%u sig_id=%u tested %d THD_NODE's, "
                   "Loggable\n\n",sfthd_item->gen_id, sfthd_item->sig_id,cnt);
            fflush(stdout);
#endif
            return 0; /* 0 == Log the event */
        }
        /* status > 0 : Log it later but Keep looking
         * check the next threshold object for a blocking action ...
         */
    }


    /*
     * Test for a global threshold object
     * we're here cause ther were no threshold objects for this gen_id/sig_id pair
     */
global_test:

#ifdef THD_DEBUG
    printf("THD_DEBUG-GLOBAL: doing global object test\n");
#endif

     if (thd_objs->sfthd_garray && thd_objs->sfthd_garray[policy_id])
     {
         g_thd_node = thd_objs->sfthd_garray[policy_id][gen_id];
     }

     if( g_thd_node )
     {
         status = sfthd_test_global(
             thd->ip_gnodes, g_thd_node, gen_id, sig_id, sip, dip, curtime );

         if( status < 0 ) /* -1 == Don't log and stop looking */
         {
#ifdef THD_DEBUG
            printf("THD_DEBUG-GLOBAL: gen_id=%u sig_id=%u THD_NODE's, "
                   "UnLoggable\n\n",gen_id, sig_id);
            fflush(stdout);
#endif
            return (status < -1) ? 1 : -1;  /* !0 == Don't log it*/
         }

         /* Log it ! */
#ifdef THD_DEBUG
        printf("THD_DEBUG-GLOBAL: gen_id=%u sig_id=%u  THD_NODE's, "
               "Loggable\n\n",gen_id, sig_id);
        fflush(stdout);
#endif
     }
     else
     {
#ifdef THD_DEBUG
        printf("THD_DEBUG-GLOBAL: no Global THD Object for gen_id=%u, "
               "sig_id=%u\n\n",gen_id, sig_id);
        fflush(stdout);
#endif
     }

    return 0; /* Default: Log it if we did not block the logging action */
}
Beispiel #7
0
tSfPolicyId GetIpsRuntimePolicy(void)
{
    return getIpsRuntimePolicy();
}