static sfSFSValue *findFlowIPStats(SFFLOW *sfFlow, snort_ip_p src_addr, snort_ip_p dst_addr, int *swapped) { SFXHASH_NODE *node; sfSFSKey key; sfSFSValue *value; if (IP_LESSER(src_addr, dst_addr)) { IP_COPY_VALUE(key.ipA, src_addr); IP_COPY_VALUE(key.ipB, dst_addr); *swapped = 0; } else { IP_COPY_VALUE(key.ipA, dst_addr); IP_COPY_VALUE(key.ipB, src_addr); *swapped = 1; } value = sfxhash_find(sfFlow->ipMap, &key); if (!value) { node = sfxhash_get_node(sfFlow->ipMap, &key); if (!node) { DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Key/Value pair didn't exist in the flow stats table and we couldn't add it!\n"););
u_int32_t server_stats_hitcount_ipv4(SERVER_STATS *ssp, u_int8_t ip_proto, u_int32_t address, u_int16_t port) { SERVER_KEY *kp = &s_key; u_int32_t *hitcountp; #ifdef DEBUG u_int32_t hostaddress = ntohl(address); #endif /* DEBUG */ /* OK, IPSETs are acting in HOST ORDER */ FLOWASSERT(ipset_contains(ssp->ipv4_watch, &hostaddress, IPV4_FAMILY)); /* make a key */ kp->address = address; kp->port = port; kp->protocol = ip_proto; hitcountp = (u_int32_t *) sfxhash_find(ssp->ipv4_table, kp); if(hitcountp != NULL) { return *hitcountp; } return 0; }
int add_detection_option(option_type_t type, void *option_data, void **existing_data) { SnortConfig *sc = snort_conf_for_parsing; detection_option_key_t key; if (sc == NULL) { FatalError("%s(%d) Snort config is NULL.\n", __FILE__, __LINE__); } if (sc->detection_option_hash_table == NULL) sc->detection_option_hash_table = DetectionHashTableNew(); if (!option_data) { /* No option data, no conflict to resolve. */ return DETECTION_OPTION_EQUAL; } key.option_type = type; key.option_data = option_data; *existing_data = sfxhash_find(sc->detection_option_hash_table, &key); if (*existing_data) { return DETECTION_OPTION_EQUAL; } sfxhash_add(sc->detection_option_hash_table, &key, option_data); return DETECTION_OPTION_NOT_EQUAL; }
/** * Look for the data in the flow tables. * * @param flowcachep cache to look in * @param keyp pointer to searching key data * @param flowpp pointer to set with this module * @param direction pass back argument (FROM_INITIATOR or FROM_RESPONDER) * * @return FLOW_SUCCESS on success, FLOW_NOTFOUND when not found, else usage error */ int flowcache_find(FLOWCACHE *flowcachep, FLOWKEY *keyp, FLOW **flowpp, int *direction) { FLOWKEY search_key; FLOW *fp; int way; if(!flowcachep || !keyp || !flowpp || !direction) { return FLOW_ENULL; } FCS_find(flowcachep, keyp); /* give us a single search key that we can hash on */ flowkey_normalize(&search_key, keyp); fp = sfxhash_find(flowcachep->ipv4_table, &search_key); if(fp == NULL) { /* we have failed. Nothing else to do here */ *flowpp = NULL; FCS_find_fail(flowcachep, keyp); return FLOW_NOTFOUND; } else { /* now, lets see which way this flow was stored. Note, this has nothing to do with the search key as that is only good for searching */ if(fp->key.init_address == keyp->init_address && fp->key.init_port == keyp->init_port) { way = FROM_INITIATOR; } else { way = FROM_RESPONDER; FCS_revfind(flowcachep, &search_key); } } *direction = way; *flowpp = fp; FCS_find_success(flowcachep, keyp); return FLOW_SUCCESS; }
void checkSessionForAFIndicator(SFSnortPacket *p, int dir, const tAppIdConfig *pConfig, tAppId indicator) { AFElement *ind_element; if (!(ind_element = (AFElement*)sfxhash_find(pConfig->AF_indicators, &indicator))) return; rekeyMasterAFActKey(p, dir, ind_element->forecast); AFActVal *test_active_value; if ((test_active_value = (AFActVal*)sfxhash_find(pConfig->AF_actives, &master_key))) { test_active_value->last = GetPacketRealTime; test_active_value->target = ind_element->target; return; } AFActVal new_active_value; new_active_value.target = ind_element->target; new_active_value.last = GetPacketRealTime; sfxhash_add(pConfig->AF_actives, &master_key, &new_active_value); }
int scoreboard_find(SCOREBOARD *sbp, u_int32_t *address, SCORE_ENTRY **sepp) { if(!sbp || !address || !sepp) return FLOW_ENULL; /* printf("looking for %s\n", inet_ntoa(*(struct in_addr *) address)); */ *sepp = sfxhash_find(sbp->ipv4_table, address); if(*sepp == NULL) return FLOW_NOTFOUND; return FLOW_SUCCESS; }
tAppId checkSessionForAFForecast(tAppIdData *session, SFSnortPacket *p, int dir, const tAppIdConfig *pConfig, tAppId forecast) { AFActVal *check_act_val; rekeyMasterAFActKey(p, dir, forecast); //get out if there is no value if (!(check_act_val = (AFActVal*)sfxhash_find(pConfig->AF_actives, &master_key))) return APP_ID_UNKNOWN; //if the value is older than 5 minutes, remove it and get out time_t age; age = GetPacketRealTime - check_act_val->last; if (age < 0 || age > 300) { sfxhash_remove(pConfig->AF_actives, &master_key); return APP_ID_UNKNOWN; } session->payloadAppId = check_act_val->target; return forecast; }
/** ** Get a tracker node by either finding one or starting a new one. We may ** return NULL, in which case we wait till the next packet. */ static int ps_tracker_get(PS_TRACKER **ht, PS_HASH_KEY *key) { int iRet; *ht = (PS_TRACKER *)sfxhash_find(portscan_hash, (void *)key); if(!(*ht)) { iRet = sfxhash_add(portscan_hash, (void *)key, NULL); if(iRet == SFXHASH_OK) { *ht = (PS_TRACKER *)sfxhash_mru(portscan_hash); if(!(*ht)) return -1; ps_tracker_init(*ht); } else { return -1; } } return 0; }
/* * Hash test program : use 'sfxhash 1000 50000' to stress the Auto_NodeRecover feature */ int main ( int argc, char ** argv ) { int i; SFXHASH * t; SFXHASH_NODE * n; char strkey[256], strdata[256], * p; int num = 100; int mem = 0; memset(strkey,0,20); memset(strdata,0,20); if( argc > 1 ) { num = atoi(argv[1]); } if( argc > 2 ) { mem = atoi(argv[2]); } /* Create a Hash Table */ t = sfxhash_new( 100, /* one row per element in table, when possible */ 20, /* key size : padded with zeros */ 20, /* data size: padded with zeros */ mem, /* max bytes, 0=no max */ 1, /* enable AutoNodeRecovery */ anrfree, /* provide a function to let user know we want to kill a node */ usrfree, /* provide a function to release user memory */ 1); /* Recycle nodes */ if(!t) { printf("Low Memory!\n"); exit(0); } /* Add Nodes to the Hash Table */ for(i=0;i<num;i++) { snprintf(strkey, sizeof(strkey), "KeyWord%5.5d",i+1); strkey[sizeof(strkey) - 1] = '\0'; snprintf(strdata, sizeof(strdata), "KeyWord%5.5d",i+1); strdata[sizeof(strdata) - 1] = '\0'; //strupr(strdata); sfxhash_add( t, strkey /* user key */ , strdata /* user data */ ); } /* Find and Display Nodes in the Hash Table */ printf("\n** FIND KEY TEST\n"); for(i=0;i<num;i++) { snprintf(strkey, sizeof(strkey) - 1, "KeyWord%5.5d",i+1); strkey[sizeof(strkey) - 1] = '\0'; p = (char*) sfxhash_find( t, strkey ); if(p)printf("Hash-key=%*s, data=%*s\n", strlen(strkey),strkey, strlen(strkey), p ); } /* Show memcap memory */ printf("\n...******\n"); sfmemcap_showmem(&t->mc); printf("...******\n"); /* Display All Nodes in the Hash Table findfirst/findnext */ printf("\n...FINDFIRST / FINDNEXT TEST\n"); for( n = sfxhash_findfirst(t); n != 0; n = sfxhash_findnext(t) ) { printf("hash-findfirst/next: n=%x, key=%s, data=%s\n", n, n->key, n->data ); /* remove node we are looking at, this is first/next safe. */ if( sfxhash_remove(t,n->key) ) { printf("...ERROR: Could not remove the key node!\n"); } else { printf("...key node removed\n"); } } printf("...Auto-Node-Recovery: %d recycle attempts, %d completions.\n",t->anr_tries,t->anr_count); /* Free the table and it's user data */ printf("...sfxhash_delete\n"); sfxhash_delete( t ); printf("\nnormal pgm finish\n\n"); return 0; }