IpAddrSet *IpAddrSetParse(SnortConfig *sc, char *addr)
{
IpAddrSet *ret;
int ret_code;
vartable_t *ip_vartable;
if ((sc == NULL) || (sc->targeted_policies[getParserPolicy(sc)] == NULL))
{
FatalError("%s(%d) Snort conf for parsing is NULL.\n",
__FILE__, __LINE__);
}
ip_vartable = sc->targeted_policies[getParserPolicy(sc)]->ip_vartable;
DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Got address string: %s\n",
addr););
/*!
Add a permanent threshold object to the threshold table. Multiple
objects may be defined for each gen_id and sig_id pair. Internally
a unique threshold id is generated for each pair.
Threshold objects track the number of events seen during the time
interval specified by seconds. Depending on the type of threshold
object and the count value, the thresholding object determines if
the current event should be logged or dropped.
@param thd Threshold object from sfthd_new()
@param gen_id Generator id
@param sig_id Signauture id
@param tracking Selects tracking by src ip or by dst ip
@param type Thresholding type: Limit, Threshold, or Limt+Threshold, Suppress
@param priority Assigns a relative priority to this object, higher numbers imply higher priority
@param count Number of events
@param seconds Time duration over which this threshold object acts.
@param ip IP address, for supression
@param ip-mask IP mask, applied with ip_mask, for supression
@return integer
@retval 0 successfully added the thresholding object
@retval !0 failed
--- Local and Global Thresholding is setup here ---
*/
int sfthd_create_threshold(SnortConfig *sc,
ThresholdObjects *thd_objs,
unsigned gen_id,
unsigned sig_id,
int tracking,
int type,
int priority,
int count,
int seconds,
IpAddrSet* ip_address,
IpAddrSet* dst_ip_address)
{
//allocate memory fpr sfthd_array if needed.
tSfPolicyId policyId = getParserPolicy(sc);
THD_NODE sfthd_node;
memset(&sfthd_node, 0, sizeof(sfthd_node));
thd_objs->count++;
sfthd_node.thd_id = thd_objs->count; /* produce a unique thd_id for this node */
sfthd_node.gen_id = gen_id;
sfthd_node.sig_id = sig_id;
sfthd_node.tracking = tracking; /* by_src, by_dst */
sfthd_node.type = type;
sfthd_node.priority = priority;
sfthd_node.count = count;
sfthd_node.seconds = seconds;
sfthd_node.ip_address= ip_address;
sfthd_node.dst_ip_address= dst_ip_address;
sfDynArrayCheckBounds ((void **)&thd_objs->sfthd_garray, policyId, &thd_objs->numPoliciesAllocated);
if (thd_objs->sfthd_garray[policyId] == NULL)
{
thd_objs->sfthd_garray[policyId] = SnortAlloc(THD_MAX_GENID * sizeof(THD_NODE *));
if (thd_objs->sfthd_garray[policyId] == NULL)
{
return -1;
}
}
if( sig_id == 0 )
{
return sfthd_create_threshold_global(sc, thd_objs, &sfthd_node);
}
if( gen_id == 0 )
return -1;
return sfthd_create_threshold_local(sc, thd_objs, &sfthd_node);
}
/*
** Initialize the portscan infrastructure. We check to make sure that
** we have enough memory to support at least 100 nodes.
**
** @return int
**
** @retval -2 memcap is too low
*/
int ps_init(struct _SnortConfig *sc, PortscanConfig *config, int detect_scans, int detect_scan_type,
int sense_level, IPSET *scanner, IPSET *scanned, IPSET *watch, unsigned long memcap)
{
if (getParserPolicy(sc) != getDefaultPolicy())
{
/**checks valid for non-default policy only. Default is allowed to specify
* just memcap.
*/
if (!(detect_scans & PS_PROTO_ALL))
return -1;
if(!(detect_scan_type & PS_TYPE_ALL))
return -1;
if(sense_level < 1 || sense_level > 3)
return -1;
}
else
{
/**memcap from non-default is ignored, so check is valid for default policy
* only
*/
if(memcap <= 0 || (unsigned)memcap < (sizeof(PS_TRACKER) * 100))
return -2;
}
config->memcap = memcap;
config->detect_scans = detect_scans;
config->detect_scan_type = detect_scan_type;
config->sense_level = sense_level;
config->ignore_scanners = scanner;
config->ignore_scanned = scanned;
config->watch_ip = watch;
return 0;
}
/* Add a permanent threshold object to the threshold table. Multiple
* objects may be defined for each gid and sid pair. Internally
* a unique threshold id is generated for each pair.
*
* Threshold objects track the number of events seen during the time
* interval specified by seconds. Depending on the type of threshold
* object and the count value, the thresholding object determines if
* the current event should be logged or dropped.
*
* @param pContext Threshold object from SFRF_ContextNew()
* @param cfgNode Permanent Thresholding Object
*
* @return @retval 0 successfully added the thresholding object, !0 otherwise
*/
int SFRF_ConfigAdd(SnortConfig *sc, RateFilterConfig *rf_config, tSFRFConfigNode *cfgNode)
{
SFGHASH* genHash;
int nrows;
int hstatus;
tSFRFSidNode* pSidNode;
tSFRFConfigNode* pNewConfigNode;
tSFRFGenHashKey key = {0,0};
tSfPolicyId policy_id = getParserPolicy(sc);
// Auto init - memcap must be set 1st, which is not really a problem
if ( rf_hash == NULL )
{
SFRF_New(rf_config->memcap);
if ( rf_hash == NULL )
return -1;
}
if ((rf_config == NULL) || (cfgNode == NULL))
return -1;
if ( (cfgNode->sid == 0 ) || (cfgNode->gid == 0) )
return -1;
if ( cfgNode->gid >= SFRF_MAX_GENID )
return -1;
if ( cfgNode->count < 1 )
return -1;
if ( cfgNode->timeout == 0 )
{
if ( rf_config->noRevertCount >= SFRF_NO_REVERT_LIMIT )
return -1;
rf_config->noRevertCount++;
}
/* Check for an existing 'gid' entry, if none found then create one. */
/* Get the hash table for this gid */
genHash = rf_config->genHash[cfgNode->gid];
if ( !genHash )
{
if ( cfgNode->gid == 1 )/* patmatch rules gid, many rules */
{
nrows= SFRF_GEN_ID_1_ROWS;
}
else /* other gid's */
{
nrows= SFRF_GEN_ID_ROWS;
}
/* Create the hash table for this gid */
genHash = sfghash_new( nrows, sizeof(tSFRFGenHashKey), 0, SFRF_SidNodeFree );
if ( !genHash )
return -2;
rf_config->genHash[cfgNode->gid] = genHash;
}
key.sid = cfgNode->sid;
key.policyId = policy_id;
/* Check if sid is already in the table - if not allocate and add it */
pSidNode = (tSFRFSidNode*)sfghash_find( genHash, (void*)&key );
if ( !pSidNode )
{
/* Create the pSidNode hash node data */
pSidNode = (tSFRFSidNode*)calloc(1,sizeof(tSFRFSidNode));
if ( !pSidNode )
return -3;
pSidNode->gid = cfgNode->gid;
pSidNode->sid = cfgNode->sid;
pSidNode->configNodeList = sflist_new();
if ( !pSidNode->configNodeList )
{
free(pSidNode);
return -4;
}
/* Add the pSidNode to the hash table */
hstatus = sfghash_add( genHash, (void*)&key, pSidNode );
if ( hstatus )
{
sflist_free(pSidNode->configNodeList);
free(pSidNode);
return -5;
}
}
/* Create a tSFRFConfigNode for this tSFRFSidNode (Object) */
pNewConfigNode = (tSFRFConfigNode*)calloc(1,sizeof(tSFRFConfigNode));
if ( !pNewConfigNode )
{
sflist_free(pSidNode->configNodeList);
free(pSidNode);
return -6;
}
*pNewConfigNode = *cfgNode;
rf_config->count++;
/* Copy the node parameters, with unique internally assigned tid */
pNewConfigNode->tid = rf_config->count;
if ( pNewConfigNode->tid == 0 )
{
// tid overflow. rare but possible
free(pNewConfigNode);
sflist_free(pSidNode->configNodeList);
free(pSidNode);
return -6;
}
#ifdef SFRF_DEBUG
printf("--%d-%d-%d: Threshold node added to tail of list\n",
pNewConfigNode->tid,
pNewConfigNode->gid,
pNewConfigNode->sid);
fflush(stdout);
#endif
sflist_add_tail(pSidNode->configNodeList,pNewConfigNode);
return 0;
}
static int sfthd_create_threshold_global(SnortConfig *sc, ThresholdObjects *thd_objs,
THD_NODE* config)
{
THD_NODE *sfthd_node;
tSfPolicyId policy_id = getParserPolicy(sc);
if (thd_objs == NULL)
return -1;
if (thd_objs->sfthd_garray[policy_id] == NULL)
{
thd_objs->sfthd_garray[policy_id] = (THD_NODE **)(calloc(THD_MAX_GENID, sizeof(THD_NODE *)));
if (thd_objs->sfthd_garray[policy_id] == NULL)
{
return -1;
}
}
if ((config->gen_id == 0) &&
(thd_objs->sfthd_garray[policy_id][config->gen_id] != NULL))
{
return THD_TOO_MANY_THDOBJ;
}
/* Reset the current threshold */
if (thd_objs->sfthd_garray[policy_id][config->gen_id] ==
thd_objs->sfthd_garray[policy_id][0])
{
thd_objs->sfthd_garray[policy_id][config->gen_id] = NULL;
}
else if(thd_objs->sfthd_garray[policy_id][config->gen_id])
{
return THD_TOO_MANY_THDOBJ;
}
sfthd_node = (THD_NODE*)calloc(1,sizeof(THD_NODE));
if( !sfthd_node )
{
return -2;
}
/* Copy the node parameters */
sfthd_node->thd_id = config->thd_id;
sfthd_node->gen_id = config->gen_id;
sfthd_node->sig_id = config->sig_id; /* -1 for global thresholds */
sfthd_node->tracking = config->tracking; /* by_src, by_dst */
sfthd_node->type = config->type;
sfthd_node->priority = config->priority;
sfthd_node->count = config->count;
sfthd_node->seconds = config->seconds;
sfthd_node->ip_address = config->ip_address;
/* need a hash of these where
* key=[gen_id,sig_id] => THD_GNODE_KEY
* data = THD_NODE's
*/
if (config->gen_id == 0) /* do em all */
{
int i;
for (i = 0; i < THD_MAX_GENID; i++)
{
/* only assign if there wasn't a value */
if (thd_objs->sfthd_garray[policy_id][i] == NULL)
{
thd_objs->sfthd_garray[policy_id][i] = sfthd_node;
}
}
}
else
{
thd_objs->sfthd_garray[policy_id][config->gen_id] = sfthd_node;
}
#ifdef THD_DEBUG
printf("THD_DEBUG-GLOBAL: created global threshold object "
"for gen_id=%d\n",config->gen_id);
fflush(stdout);
#endif
return 0;
}
/*!
Add a permanent threshold object to the threshold table. Multiple
objects may be defined for each gen_id and sig_id pair. Internally
a unique threshold id is generated for each pair.
Threshold objects track the number of events seen during the time
interval specified by seconds. Depending on the type of threshold
object and the count value, the thresholding object determines if
the current event should be logged or dropped.
@param thd Threshold object from sfthd_new()
@param gen_id Generator id
@param sig_id Signauture id
@param tracking Selects tracking by src ip or by dst ip
@param type Thresholding type: Limit, Threshold, or Limt+Threshold, Suppress
@param priority Assigns a relative priority to this object, higher numbers imply higher priority
@param count Number of events
@param seconds Time duration over which this threshold object acts.
@param ip IP address, for supression
@param ip-mask IP mask, applied with ip_mask, for supression
@return integer
@retval 0 successfully added the thresholding object
@retval !0 failed
*/
static int sfthd_create_threshold_local(SnortConfig *sc, ThresholdObjects *thd_objs,
THD_NODE* config)
{
SFGHASH * sfthd_hash;
THD_ITEM * sfthd_item;
THD_NODE * sfthd_node;
tThdItemKey key;
int nrows;
int hstatus;
tSfPolicyId policy_id = getParserPolicy(sc);
if (thd_objs == NULL )
return -1;
if( config->gen_id >= THD_MAX_GENID )
return -1;
#ifdef CRIPPLE
return 0;
#endif
/* Check for an existing 'gen_id' entry, if none found create one. */
if (thd_objs->sfthd_array[config->gen_id] == NULL)
{
if( config->gen_id == 1 )/* patmatch rules gen_id, many rules */
{
nrows= THD_GEN_ID_1_ROWS;
}
else /* other gen_id's */
{
nrows= THD_GEN_ID_ROWS;
}
/* Create the hash table for this gen_id */
sfthd_hash = sfghash_new( nrows, sizeof(tThdItemKey), 0, sfthd_item_free );
if( !sfthd_hash )
{
return -2;
}
thd_objs->sfthd_array[config->gen_id] = sfthd_hash;
}
else
{
/* Get the hash table for this gen_id */
sfthd_hash = thd_objs->sfthd_array[config->gen_id];
}
if (sfthd_hash == NULL)
return -2;
key.sig_id = config->sig_id;
key.policyId = policy_id;
/* Check if sig_id is already in the table - if not allocate and add it */
sfthd_item = (THD_ITEM*)sfghash_find( sfthd_hash, (void*)&key );
if( !sfthd_item )
{
/* Create the sfthd_item hash node data */
sfthd_item = (THD_ITEM*)calloc(1,sizeof(THD_ITEM));
if( !sfthd_item )
{
return -3;
}
sfthd_item->gen_id = config->gen_id;
sfthd_item->sig_id = config->sig_id;
sfthd_item->policyId = policy_id;
sfthd_item->sfthd_node_list = sflist_new();
if(!sfthd_item->sfthd_node_list)
{
free(sfthd_item);
return -4;
}
/* Add the sfthd_item to the hash table */
hstatus = sfghash_add( sfthd_hash, (void*)&key, sfthd_item );
if( hstatus )
{
sflist_free(sfthd_item->sfthd_node_list);
free(sfthd_item);
return -5;
}
}
/*
* Test that we only have one Limit/Threshold/Both Object at the tail,
* we can have multiple suppression nodes at the head
*/
if( sfthd_item->sfthd_node_list->count > 0 )
{
THD_NODE * p;
if( !sfthd_item->sfthd_node_list->tail)
{
/* can you say paranoid- if there is a count, there should be a tail */
return -10;
}
p = (THD_NODE*)sfthd_item->sfthd_node_list->tail->ndata;
if(p) /* just to be safe- if thers a tail, there is is node data */
{
if( p->type != THD_TYPE_SUPPRESS && config->type != THD_TYPE_SUPPRESS )
{
#ifdef THD_DEBUG
printf("THD_DEBUG: Could not add a 2nd Threshold object, "
"you can only have 1 per sid: gid=%u, sid=%u\n",
config->gen_id, config->sig_id);
#endif
/* cannot add more than one threshold per sid in
version 3.0, wait for 3.2 and CIDR blocks */
return THD_TOO_MANY_THDOBJ;
}
}
}
/* Create a THD_NODE for this THD_ITEM (Object) */
sfthd_node = (THD_NODE*)calloc(1,sizeof(THD_NODE));
if( !sfthd_node )
{
return -6;
}
/* Limit priorities to force supression nodes to highest priority */
if( config->priority >= THD_PRIORITY_SUPPRESS )
{
config->priority = THD_PRIORITY_SUPPRESS - 1;
}
/* Copy the node parameters */
sfthd_node->thd_id = config->thd_id;
sfthd_node->gen_id = config->gen_id;
sfthd_node->sig_id = config->sig_id;
sfthd_node->tracking = config->tracking; /* by_src, by_dst */
sfthd_node->type = config->type;
sfthd_node->priority = config->priority;
sfthd_node->count = config->count;
sfthd_node->seconds = config->seconds;
sfthd_node->ip_address= config->ip_address;
if( config->type == THD_TYPE_SUPPRESS )
{
sfthd_node->priority = THD_PRIORITY_SUPPRESS;
}
/*
If sfthd_node list is empty - add as head node
*/
if( !sfthd_item->sfthd_node_list->count )
{
#ifdef THD_DEBUG
printf("Threshold node added to head of list\n");fflush(stdout);
#endif
sflist_add_head(sfthd_item->sfthd_node_list,sfthd_node);
}
/*
else add the sfthd_node using priority to determine where in the list
it belongs
3.0 we can have only 1 threshold object but several suppression objects
plus a single threshold object is ok. Blocking multiple threshold
objects is done above.
Suppressions have the highest priority and are at the front of the
list, the tail node is either a supprssion node or the only pure
thresholding node.
*/
else
{
SF_LNODE* lnode;
/* Walk the list and insert based on priorities if suppress */
for( lnode = sflist_first_node(sfthd_item->sfthd_node_list);
lnode;
lnode = sflist_next_node(sfthd_item->sfthd_node_list) )
{
THD_NODE* sfthd_n = (THD_NODE*)lnode->ndata;
/* check if the new node is higher priority */
if( sfthd_node->priority > sfthd_n->priority )
{
/* insert before current node */
#ifdef THD_DEBUG
printf("Threshold node added after based on priority\n");fflush(stdout);
#endif
sflist_add_before(sfthd_item->sfthd_node_list,lnode,sfthd_node);
return 0;
}
/* last node, just insert it here */
if( !lnode->next )
{
/* if last node, insert at end of list */
#ifdef THD_DEBUG
printf("Threshold node added to tail\n");fflush(stdout);
#endif
sflist_add_tail(sfthd_item->sfthd_node_list,sfthd_node);
return 0;
}
}
}
return 0;
}
tSfPolicyId GetParserPolicy(struct _SnortConfig *sc)
{
return getParserPolicy(sc);
}
