static sfSFSValue *findFlowIPStats(SFFLOW *sfFlow, snort_ip_p src_addr, snort_ip_p dst_addr, int *swapped)
{
SFXHASH_NODE *node;
sfSFSKey key;
sfSFSValue *value;
if (IP_LESSER(src_addr, dst_addr))
{
IP_COPY_VALUE(key.ipA, src_addr);
IP_COPY_VALUE(key.ipB, dst_addr);
*swapped = 0;
}
else
{
IP_COPY_VALUE(key.ipA, dst_addr);
IP_COPY_VALUE(key.ipB, src_addr);
*swapped = 1;
}
value = sfxhash_find(sfFlow->ipMap, &key);
if (!value)
{
node = sfxhash_get_node(sfFlow->ipMap, &key);
if (!node)
{
DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Key/Value pair didn't exist in the flow stats table and we couldn't add it!\n"););
u_int32_t server_stats_hitcount_ipv4(SERVER_STATS *ssp, u_int8_t ip_proto, u_int32_t address, u_int16_t port)
{
SERVER_KEY *kp = &s_key;
u_int32_t *hitcountp;
#ifdef DEBUG
u_int32_t hostaddress = ntohl(address);
#endif /* DEBUG */
/* OK, IPSETs are acting in HOST ORDER */
FLOWASSERT(ipset_contains(ssp->ipv4_watch, &hostaddress, IPV4_FAMILY));
/* make a key */
kp->address = address;
kp->port = port;
kp->protocol = ip_proto;
hitcountp = (u_int32_t *) sfxhash_find(ssp->ipv4_table, kp);
if(hitcountp != NULL)
{
return *hitcountp;
}
return 0;
}
int add_detection_option(option_type_t type, void *option_data, void **existing_data)
{
SnortConfig *sc = snort_conf_for_parsing;
detection_option_key_t key;
if (sc == NULL)
{
FatalError("%s(%d) Snort config is NULL.\n",
__FILE__, __LINE__);
}
if (sc->detection_option_hash_table == NULL)
sc->detection_option_hash_table = DetectionHashTableNew();
if (!option_data)
{
/* No option data, no conflict to resolve. */
return DETECTION_OPTION_EQUAL;
}
key.option_type = type;
key.option_data = option_data;
*existing_data = sfxhash_find(sc->detection_option_hash_table, &key);
if (*existing_data)
{
return DETECTION_OPTION_EQUAL;
}
sfxhash_add(sc->detection_option_hash_table, &key, option_data);
return DETECTION_OPTION_NOT_EQUAL;
}
/**
* Look for the data in the flow tables.
*
* @param flowcachep cache to look in
* @param keyp pointer to searching key data
* @param flowpp pointer to set with this module
* @param direction pass back argument (FROM_INITIATOR or FROM_RESPONDER)
*
* @return FLOW_SUCCESS on success, FLOW_NOTFOUND when not found, else usage error
*/
int flowcache_find(FLOWCACHE *flowcachep, FLOWKEY *keyp, FLOW **flowpp, int *direction)
{
FLOWKEY search_key;
FLOW *fp;
int way;
if(!flowcachep || !keyp || !flowpp || !direction)
{
return FLOW_ENULL;
}
FCS_find(flowcachep, keyp);
/* give us a single search key that we can hash on */
flowkey_normalize(&search_key, keyp);
fp = sfxhash_find(flowcachep->ipv4_table, &search_key);
if(fp == NULL)
{
/* we have failed. Nothing else to do here */
*flowpp = NULL;
FCS_find_fail(flowcachep, keyp);
return FLOW_NOTFOUND;
}
else
{
/* now, lets see which way this flow was stored. Note, this
has nothing to do with the search key as that is only good
for searching */
if(fp->key.init_address == keyp->init_address &&
fp->key.init_port == keyp->init_port)
{
way = FROM_INITIATOR;
}
else
{
way = FROM_RESPONDER;
FCS_revfind(flowcachep, &search_key);
}
}
*direction = way;
*flowpp = fp;
FCS_find_success(flowcachep, keyp);
return FLOW_SUCCESS;
}
void checkSessionForAFIndicator(SFSnortPacket *p, int dir, const tAppIdConfig *pConfig, tAppId indicator)
{
AFElement *ind_element;
if (!(ind_element = (AFElement*)sfxhash_find(pConfig->AF_indicators, &indicator)))
return;
rekeyMasterAFActKey(p, dir, ind_element->forecast);
AFActVal *test_active_value;
if ((test_active_value = (AFActVal*)sfxhash_find(pConfig->AF_actives, &master_key)))
{
test_active_value->last = GetPacketRealTime;
test_active_value->target = ind_element->target;
return;
}
AFActVal new_active_value;
new_active_value.target = ind_element->target;
new_active_value.last = GetPacketRealTime;
sfxhash_add(pConfig->AF_actives, &master_key, &new_active_value);
}
int scoreboard_find(SCOREBOARD *sbp, u_int32_t *address, SCORE_ENTRY **sepp)
{
if(!sbp || !address || !sepp)
return FLOW_ENULL;
/* printf("looking for %s\n", inet_ntoa(*(struct in_addr *) address)); */
*sepp = sfxhash_find(sbp->ipv4_table, address);
if(*sepp == NULL)
return FLOW_NOTFOUND;
return FLOW_SUCCESS;
}
tAppId checkSessionForAFForecast(tAppIdData *session, SFSnortPacket *p, int dir, const tAppIdConfig *pConfig, tAppId forecast)
{
AFActVal *check_act_val;
rekeyMasterAFActKey(p, dir, forecast);
//get out if there is no value
if (!(check_act_val = (AFActVal*)sfxhash_find(pConfig->AF_actives, &master_key)))
return APP_ID_UNKNOWN;
//if the value is older than 5 minutes, remove it and get out
time_t age;
age = GetPacketRealTime - check_act_val->last;
if (age < 0 || age > 300)
{
sfxhash_remove(pConfig->AF_actives, &master_key);
return APP_ID_UNKNOWN;
}
session->payloadAppId = check_act_val->target;
return forecast;
}
/**
** Get a tracker node by either finding one or starting a new one. We may
** return NULL, in which case we wait till the next packet.
*/
static int ps_tracker_get(PS_TRACKER **ht, PS_HASH_KEY *key)
{
int iRet;
*ht = (PS_TRACKER *)sfxhash_find(portscan_hash, (void *)key);
if(!(*ht))
{
iRet = sfxhash_add(portscan_hash, (void *)key, NULL);
if(iRet == SFXHASH_OK)
{
*ht = (PS_TRACKER *)sfxhash_mru(portscan_hash);
if(!(*ht))
return -1;
ps_tracker_init(*ht);
}
else
{
return -1;
}
}
return 0;
}
/*
* Hash test program : use 'sfxhash 1000 50000' to stress the Auto_NodeRecover feature
*/
int main ( int argc, char ** argv )
{
int i;
SFXHASH * t;
SFXHASH_NODE * n;
char strkey[256], strdata[256], * p;
int num = 100;
int mem = 0;
memset(strkey,0,20);
memset(strdata,0,20);
if( argc > 1 )
{
num = atoi(argv[1]);
}
if( argc > 2 )
{
mem = atoi(argv[2]);
}
/* Create a Hash Table */
t = sfxhash_new( 100, /* one row per element in table, when possible */
20, /* key size : padded with zeros */
20, /* data size: padded with zeros */
mem, /* max bytes, 0=no max */
1, /* enable AutoNodeRecovery */
anrfree, /* provide a function to let user know we want to kill a node */
usrfree, /* provide a function to release user memory */
1); /* Recycle nodes */
if(!t)
{
printf("Low Memory!\n");
exit(0);
}
/* Add Nodes to the Hash Table */
for(i=0;i<num;i++)
{
snprintf(strkey, sizeof(strkey), "KeyWord%5.5d",i+1);
strkey[sizeof(strkey) - 1] = '\0';
snprintf(strdata, sizeof(strdata), "KeyWord%5.5d",i+1);
strdata[sizeof(strdata) - 1] = '\0';
//strupr(strdata);
sfxhash_add( t, strkey /* user key */ , strdata /* user data */ );
}
/* Find and Display Nodes in the Hash Table */
printf("\n** FIND KEY TEST\n");
for(i=0;i<num;i++)
{
snprintf(strkey, sizeof(strkey) - 1, "KeyWord%5.5d",i+1);
strkey[sizeof(strkey) - 1] = '\0';
p = (char*) sfxhash_find( t, strkey );
if(p)printf("Hash-key=%*s, data=%*s\n", strlen(strkey),strkey, strlen(strkey), p );
}
/* Show memcap memory */
printf("\n...******\n");
sfmemcap_showmem(&t->mc);
printf("...******\n");
/* Display All Nodes in the Hash Table findfirst/findnext */
printf("\n...FINDFIRST / FINDNEXT TEST\n");
for( n = sfxhash_findfirst(t);
n != 0;
n = sfxhash_findnext(t) )
{
printf("hash-findfirst/next: n=%x, key=%s, data=%s\n", n, n->key, n->data );
/*
remove node we are looking at, this is first/next safe.
*/
if( sfxhash_remove(t,n->key) )
{
printf("...ERROR: Could not remove the key node!\n");
}
else
{
printf("...key node removed\n");
}
}
printf("...Auto-Node-Recovery: %d recycle attempts, %d completions.\n",t->anr_tries,t->anr_count);
/* Free the table and it's user data */
printf("...sfxhash_delete\n");
sfxhash_delete( t );
printf("\nnormal pgm finish\n\n");
return 0;
}
