static sfSFSValue *findFlowIPStats(SFFLOW *sfFlow, snort_ip_p src_addr, snort_ip_p dst_addr, int *swapped)
{
SFXHASH_NODE *node;
sfSFSKey key;
sfSFSValue *value;
if (IP_LESSER(src_addr, dst_addr))
{
IP_COPY_VALUE(key.ipA, src_addr);
IP_COPY_VALUE(key.ipB, dst_addr);
*swapped = 0;
}
else
{
IP_COPY_VALUE(key.ipA, dst_addr);
IP_COPY_VALUE(key.ipB, src_addr);
*swapped = 1;
}
value = sfxhash_find(sfFlow->ipMap, &key);
if (!value)
{
node = sfxhash_get_node(sfFlow->ipMap, &key);
if (!node)
{
DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Key/Value pair didn't exist in the flow stats table and we couldn't add it!\n"););
/**
** This function updates the PS_PROTO structure.
**
** @param PS_PROTO pointer to structure to update
** @param int number to increment portscan counter
** @param u_long IP address of other host
** @param u_short port/ip_proto to track
** @param time_t time the packet was received. update windows.
*/
static int ps_proto_update(PS_PROTO *proto, int ps_cnt, int pri_cnt, snort_ip_p ip,
u_short port, time_t pkt_time)
{
if(!proto)
return 0;
/*
** If the ps_cnt is negative, that means we are just taking off
** for valid connection, and we don't want to do anything else,
** like update ip/port, etc.
*/
if(ps_cnt < 0)
{
proto->connection_count += ps_cnt;
if(proto->connection_count < 0)
proto->connection_count = 0;
return 0;
}
/*
** If we are updating a priority cnt, it means we already did the
** unique port and IP on the connection packet.
**
** Priority points are only added for invalid response packets.
*/
if(pri_cnt)
{
proto->priority_count += pri_cnt;
if(proto->priority_count < 0)
proto->priority_count = 0;
return 0;
}
/*
** Do time check first before we update the counters, so if
** we need to reset them we do it before we update them.
*/
if(ps_proto_update_window(proto, pkt_time))
return -1;
/*
** Update ps counter
*/
proto->connection_count += ps_cnt;
if(proto->connection_count < 0)
proto->connection_count = 0;
if(!IP_EQUALITY_UNSET(&proto->u_ips, ip))
{
proto->u_ip_count++;
IP_COPY_VALUE(proto->u_ips, ip);
}
/* we need to do the IP comparisons in host order */
if(sfip_is_set(&proto->low_ip))
{
if(IP_GREATER(&proto->low_ip, ip))
IP_COPY_VALUE(proto->low_ip, ip);
}
else
{
IP_COPY_VALUE(proto->low_ip, ip);
}
if(IP_IS_SET(proto->high_ip))
{
if(IP_LESSER(&proto->high_ip, ip))
IP_COPY_VALUE(proto->high_ip, ip);
}
else
{
IP_COPY_VALUE(proto->high_ip, ip);
}
if(proto->u_ports != port)
{
proto->u_port_count++;
proto->u_ports = port;
}
if(proto->low_p)
{
if(proto->low_p > port)
proto->low_p = port;
}
else
{
proto->low_p = port;
}
if(proto->high_p)
{
if(proto->high_p < port)
proto->high_p = port;
}
else
{
proto->high_p = port;
}
return 0;
}
int GetSessionKey(Packet *p, SessionHashKey *key)
{
ip_p srcIp, dstIp;
u_int16_t srcPort, dstPort;
if (!key)
return 0;
memset(key, 0, sizeof(SessionHashKey));
srcIp = GET_SRC_IP(p);
dstIp = GET_DST_IP(p);
if (p->tcph)
{
srcPort = p->tcph->th_sport;
dstPort = p->tcph->th_dport;
}
#ifdef STREAM4_UDP
else if (p->udph)
{
srcPort = p->udph->uh_sport;
dstPort = p->udph->uh_dport;
}
#endif
else
{
srcPort = 0;
dstPort = 0;
}
if (IP_LESSER(srcIp, dstIp))
{
IP_COPY_VALUE(key->lowIP, srcIp);
key->port = srcPort;
IP_COPY_VALUE(key->highIP, dstIp);
key->port2 = dstPort;
}
else if (IP_EQUALITY(srcIp, dstIp))
{
IP_COPY_VALUE(key->lowIP, srcIp);
IP_COPY_VALUE(key->highIP, dstIp);
if (srcPort < dstPort)
{
key->port = srcPort;
key->port2 = dstPort;
}
else
{
key->port2 = srcPort;
key->port = dstPort;
}
}
else
{
IP_COPY_VALUE(key->lowIP, dstIp);
key->port = dstPort;
IP_COPY_VALUE(key->highIP, srcIp);
key->port2 = srcPort;
}
key->proto = GET_IPH_PROTO(p);
#ifdef _LP64
key->pad1 = key->pad2 = 0;
#endif
return 1;
}
int GetLWSessionKey(Packet *p, SessionKey *key)
{
u_int16_t sport;
u_int16_t dport;
int proto;
/* Because the key is going to be used for hash lookups,
* the lower of the values of the IP address field is
* stored in the key->ip_l and the port for that ip is
* stored in key->port_l.
*/
if (!key)
return 0;
#ifdef SUP_IP6
if (IS_IP4(p))
{
u_int32_t *src;
u_int32_t *dst;
proto = p->iph->ip_proto;
switch (proto)
{
case IPPROTO_TCP:
case IPPROTO_UDP:
sport = p->sp;
dport = p->dp;
break;
case IPPROTO_ICMP:
default:
sport = dport = 0;
break;
}
src = p->ip4h.ip_src.ip32;
dst = p->ip4h.ip_dst.ip32;
/* These comparisons are done in this fashion for performance reasons */
if (*src < *dst)
{
COPY4(key->ip_l, src);
COPY4(key->ip_h, dst);
key->port_l = sport;
key->port_h = dport;
}
else if (*src == *dst)
{
COPY4(key->ip_l, src);
COPY4(key->ip_h, dst);
if (sport < dport)
{
key->port_l = sport;
key->port_h = dport;
}
else
{
key->port_l = dport;
key->port_h = sport;
}
}
else
{
COPY4(key->ip_l, dst);
key->port_l = dport;
COPY4(key->ip_h, src);
key->port_h = sport;
}
#ifdef MPLS
if(pv.overlapping_IP && (p->mpls)
&& isPrivateIP(*src) && isPrivateIP(*dst) )
{
key->mplsLabel = p->mplsHdr.label;
} else {
key->mplsLabel = 0;
}
#endif
}
else
{
/* IPv6 */
sfip_t *src;
sfip_t *dst;
proto = p->ip6h.next;
switch (proto)
{
case IPPROTO_TCP:
case IPPROTO_UDP:
sport = p->sp;
dport = p->dp;
break;
case IPPROTO_ICMP:
default:
sport = dport = 0;
break;
}
src = &p->ip6h.ip_src;
dst = &p->ip6h.ip_dst;
if (sfip_fast_lt6(src, dst))
{
COPY4(key->ip_l, src->ip32);
key->port_l = sport;
COPY4(key->ip_h, dst->ip32);
key->port_h = dport;
}
else if (sfip_fast_eq6(src, dst))
{
COPY4(key->ip_l, src->ip32);
COPY4(key->ip_h, dst->ip32);
if (sport < dport)
{
key->port_l = sport;
key->port_h = dport;
}
else
{
key->port_l = dport;
key->port_h = sport;
}
}
else
{
COPY4(key->ip_l, dst->ip32);
key->port_l = dport;
COPY4(key->ip_h, src->ip32);
key->port_h = sport;
}
#ifdef MPLS
if(pv.overlapping_IP && (p->mpls))
{
key->mplsLabel = p->mplsHdr.label;
} else {
key->mplsLabel = 0;
}
#endif
}
#else
proto = p->iph->ip_proto;
switch (proto)
{
case IPPROTO_TCP:
case IPPROTO_UDP:
sport = p->sp;
dport = p->dp;
break;
case IPPROTO_ICMP:
default:
sport = dport = 0;
break;
}
/* These comparisons are done in this fashion for performance reasons */
if (IP_LESSER(GET_SRC_IP(p), GET_DST_IP(p)))
{
IP_COPY_VALUE(key->ip_l, GET_SRC_IP(p));
key->port_l = sport;
IP_COPY_VALUE(key->ip_h, GET_DST_IP(p));
key->port_h = dport;
}
else if (IP_EQUALITY(GET_SRC_IP(p), GET_DST_IP(p)))
{
IP_COPY_VALUE(key->ip_l, GET_SRC_IP(p));
IP_COPY_VALUE(key->ip_h, GET_DST_IP(p));
if (sport < dport)
{
key->port_l = sport;
key->port_h = dport;
}
else
{
key->port_l = dport;
key->port_h = sport;
}
}
else
{
IP_COPY_VALUE(key->ip_l, GET_DST_IP(p));
key->port_l = dport;
IP_COPY_VALUE(key->ip_h, GET_SRC_IP(p));
key->port_h = sport;
}
#ifdef MPLS
if(pv.overlapping_IP && (p->mpls)
&& isPrivateIP(key->ip_l) && isPrivateIP(key->ip_h))
{
key->mplsLabel = p->mplsHdr.label;
} else {
key->mplsLabel = 0;
}
#endif
#endif
key->protocol = proto;
if (p->vh)
key->vlan_tag = (u_int16_t)VTH_VLAN(p->vh);
else
key->vlan_tag = 0;
key->pad = 0;
#ifdef MPLS
key->mplsPad = 0;
#endif
return 1;
}
