ReferenceSystemNode * ReferenceSystemAdd(ReferenceSystemNode **head, char *name, char *url)
{
ReferenceSystemNode *node;
if (name == NULL)
{
ErrorMessage("NULL reference system name\n");
return NULL;
}
if (head == NULL)
return NULL;
/* create the new node */
node = (ReferenceSystemNode *)SnortAlloc(sizeof(ReferenceSystemNode));
node->name = SnortStrdup(name);
if (url != NULL)
node->url = SnortStrdup(url);
/* Add to the front of the list */
node->next = *head;
*head = node;
return node;
}
static int ConvertFlowbitOption(Rule *rule, int index, OptTreeNode *otn)
{
FlowBitsInfo *flowBit = rule->options[index]->option_u.flowBit;
FLOWBITS_OP *fop = (FLOWBITS_OP *) SnortAlloc(sizeof(FLOWBITS_OP));
OptFpList *fpl;
void *idx_dup;
/* Convert struct for rule option */
fop->name = SnortStrdup(flowBit->flowBitsName);
fop->type = flowBit->operation;
fop->id = flowBit->id;
/* Add detection option to hash table */
otn->ds_list[PLUGIN_FLOWBIT] = (void *)1;
if (add_detection_option(RULE_OPTION_TYPE_FLOWBIT, (void *)fop, &idx_dup) == DETECTION_OPTION_EQUAL)
{
free(fop->name);
free(fop);
fop = idx_dup;
}
/* Add detection function to otn */
fpl = AddOptFuncToList(FlowBitsCheck, otn);
fpl->type = RULE_OPTION_TYPE_FLOWBIT;
fpl->context = (void *) fop;
return 1;
}
/*-------------------------------------------------------------------
* TextLog_Init: constructor
*-------------------------------------------------------------------
*/
TextLog* TextLog_Init (
const char* name, unsigned int maxBuf, size_t maxFile
) {
TextLog* this;
if ( maxBuf < MIN_BUF ) maxBuf = MIN_BUF;
if ( maxFile < MIN_FILE ) maxFile = MIN_FILE;
if ( maxFile < maxBuf ) maxFile = maxBuf;
this = (TextLog*)malloc(sizeof(TextLog)+maxBuf);
if ( !this )
{
FatalError("Unable to allocate a TextLog(%u)!\n", maxBuf);
}
this->name = name ? SnortStrdup(name) : NULL;
this->file = TextLog_Open(this->name);
this->size = TextLog_Size(this->file);
this->last = time(NULL);
this->maxFile = maxFile;
this->maxBuf = maxBuf;
TextLog_Reset(this);
return this;
}
ReferenceNode * AddReference(Barnyard2Config *bc, ReferenceNode **head, char *system, char *id)
{
ReferenceNode *node;
if ((system == NULL) || (id == NULL) ||
(bc == NULL) || (head == NULL))
{
return NULL;
}
/* create the new node */
node = (ReferenceNode *)SnortAlloc(sizeof(ReferenceNode));
/* lookup the reference system */
node->system = ReferenceSystemLookup(bc->references, system);
if (node->system == NULL)
node->system = ReferenceSystemAdd(&bc->references, system, NULL);
node->id = SnortStrdup(id);
/* Add the node to the front of the list */
node->next = *head;
*head = node;
return node;
}
void RegisterSideChannelModule(const char *keyword, SCMFunctionBundle *funcs)
{
SCModule *module, *tmp, *last = NULL;
if (!ScSideChannelEnabled())
return;
if (!keyword)
FatalError("No keyword given while registering a side channel module!\n");
if (!funcs)
FatalError("No function bundle given while registering side channel '%s'!\n", keyword);
for (tmp = modules; tmp; tmp = tmp->next)
{
if (strcasecmp(tmp->keyword, keyword) == 0)
FatalError("Duplicate side channel keyword: %s\n", keyword);
last = tmp;
}
module = SnortAlloc(sizeof(SCModule));
module->next = NULL;
module->keyword = SnortStrdup(keyword);
module->funcs = *funcs;
module->enabled = 0;
LogMessage("Register SCM '%s' with configFunc=%p, initFunc=%p, postInitFunc=%p, idleFunc=%p, statsFunc=%p, shutdownFunc=%p\n",
keyword, module->funcs.configFunc, module->funcs.initFunc, module->funcs.postInitFunc,
module->funcs.idleFunc, module->funcs.statsFunc, module->funcs.shutdownFunc);
if (last)
last->next = module;
else
modules = module;
}
int main( int argc, char ** argv )
{
int i,n=10;
KMAP * km;
char * p;
char str[80];
printf("usage: kmap nkeys (default=10)\n\n");
km = KMapNew( free ); /* use 'free' to free 'userdata' */
KMapSetNoCase(km,1); //need to add xlat....
if( argc > 1 )
{
n = atoi(argv[1]);
}
for(i=1;i<=n;i++)
{
SnortSnprintf(str, sizeof(str), "KeyWord%d",i);
KMapAdd( km, str, 0 /* strlen(str) */, strupr(SnortStrdup(str)) );
printf("Adding Key=%s\n",str);
}
printf("xmem: %u bytes, %d chars\n",xmalloc_bytes(),km->nchars);
printf("\nKey Find test...\n");
for(i=1;i<=n;i++)
{
SnortSnprintf(str, sizeof(str), "KeyWord%d",i);
p = (char*) KMapFind( km, str, 0 /*strlen(str) */ );
if(p)printf("key=%s, data=%*s\n",str,strlen(str),p);
else printf("'%s' NOT found.\n",str);
}
KMapSetNoCase(km,0); // this should fail all key searches
printf("\nKey Find test2...\n");
for(i=1;i<=n;i++)
{
SnortSnprintf(str, sizeof(str), "KeyWord%d",i);
p = (char*) KMapFind( km, str, 0 /*strlen(str) */ );
if(p)printf("key=%s, data=%*s\n",str,strlen(str),p);
else printf("'%s' NOT found.\n",str);
}
printf("\nKey FindFirst/Next test...\n");
for(p = (char*) KMapFindFirst(km); p; p=(char*)KMapFindNext(km) )
printf("data=%s\n",p);
printf("\nKey FindFirst/Next test done.\n");
KMapDelete( km );
printf("xmem: %u bytes\n",xmalloc_bytes());
printf("normal pgm finish.\n");
return 0;
}
int DAQ_New (const SnortConfig* sc, const char* intf)
{
DAQ_Config_t cfg;
if ( !daq_mod )
FatalError("DAQ_Init not called!\n");
if ( intf )
interface_spec = SnortStrdup(intf);
intf = DAQ_GetInterfaceSpec();
memset(&cfg, 0, sizeof(cfg));
cfg.name = (char*)intf;
cfg.snaplen = snap;
cfg.timeout = PKT_TIMEOUT;
cfg.mode = daq_mode;
cfg.extra = NULL;
cfg.flags = 0;
DAQ_LoadVars(&cfg, sc);
if ( !ScReadMode() )
{
if ( !(sc->run_flags & RUN_FLAG__NO_PROMISCUOUS) )
cfg.flags |= DAQ_CFG_PROMISC;
}
DAQ_Config(&cfg);
if ( !DAQ_ValidateInstance() )
FatalError("DAQ configuration incompatible with intended operation.\n");
if ( DAQ_UnprivilegedStart() )
daq_dlt = daq_get_datalink_type(daq_mod, daq_hand);
if ( intf && *intf )
{
LogMessage("Acquiring network traffic from \"%s\".\n",
strcmp(intf, "-") == 0 ? "stdin" : intf);
}
DAQ_SetFilter(sc->bpf_filter);
daq_config_clear_values(&cfg);
return 0;
}
int StringVector_Add (void* pv, const char* s)
{
StringVector* sv = (StringVector*)pv;
char** v;
if ( !sv || !s )
return 0;
v = realloc(sv->v, (sv->n+2) * sizeof(char*));
if ( !v )
return 0;
sv->v = v;
sv->v[sv->n++] = SnortStrdup(s);
sv->v[sv->n] = NULL;
return 1;
}
static int ConvertPcreOption(Rule *rule, int index, OptTreeNode *otn)
{
PcreData *pcre_data = (PcreData *) SnortAlloc(sizeof(PcreData));
PCREInfo *pcre_info = rule->options[index]->option_u.pcre;
OptFpList *fpl;
void *pcre_dup;
const char *error;
int erroroffset;
/* Need to recompile the expression so double free doesn't occur
* during reload */
/* Compile & Study PCRE */
pcre_data->re = pcreCompile(
pcre_info->expr,
pcre_info->compile_flags,
&error,
&erroroffset,
NULL
);
if (pcre_data->re == NULL)
{
free(pcre_data);
return -1;
}
pcre_data->pe = pcreStudy(
pcre_data->re,
pcre_info->compile_flags,
&error
);
if (error)
{
free(pcre_data->re);
free(pcre_data);
return -1;
}
/* Copy to struct used for normal PCRE rules */
pcre_data->expression = SnortStrdup(pcre_info->expr);
/* Option values differ between PCREInfo and PcreData,
* so a straight copy of the options variable won't work. */
if (pcre_info->flags & CONTENT_RELATIVE)
pcre_data->options |= SNORT_PCRE_RELATIVE;
if (pcre_info->flags & NOT_FLAG)
pcre_data->options |= SNORT_PCRE_INVERT;
if (pcre_info->flags & CONTENT_BUF_RAW)
pcre_data->options |= SNORT_PCRE_RAWBYTES;
if (pcre_info->flags & CONTENT_BUF_NORMALIZED)
pcre_data->options &= ~SNORT_PCRE_RAWBYTES;
if (pcre_info->flags & CONTENT_BUF_POST)
pcre_data->options |= SNORT_PCRE_HTTP_BODY;
if (pcre_info->flags & CONTENT_BUF_HEADER)
pcre_data->options |= SNORT_PCRE_HTTP_HEADER;
if (pcre_info->flags & CONTENT_BUF_METHOD)
pcre_data->options |= SNORT_PCRE_HTTP_METHOD;
if (pcre_info->flags & CONTENT_BUF_COOKIE)
pcre_data->options |= SNORT_PCRE_HTTP_COOKIE;
if (pcre_info->flags & CONTENT_BUF_URI)
pcre_data->options |= SNORT_PCRE_HTTP_URI;
if (pcre_info->flags & CONTENT_BUF_STAT_CODE)
pcre_data->options |= SNORT_PCRE_HTTP_STAT_CODE;
if (pcre_info->flags & CONTENT_BUF_STAT_MSG)
pcre_data->options |= SNORT_PCRE_HTTP_STAT_MSG;
if (pcre_info->flags & CONTENT_BUF_RAW_URI)
pcre_data->options |= SNORT_PCRE_HTTP_RAW_URI;
if (pcre_info->flags & CONTENT_BUF_RAW_HEADER)
pcre_data->options |= SNORT_PCRE_HTTP_RAW_HEADER;
if (pcre_info->flags & CONTENT_BUF_RAW_COOKIE)
pcre_data->options |= SNORT_PCRE_HTTP_RAW_COOKIE;
if (pcre_info->flags & CONTENT_BUF_STAT_CODE)
pcre_data->options |= SNORT_PCRE_HTTP_STAT_CODE;
if (pcre_info->flags & CONTENT_BUF_STAT_MSG)
pcre_data->options |= SNORT_PCRE_HTTP_STAT_MSG;
PcreCheckAnchored(pcre_data);
/* Attach option to tree, checking for duplicate */
otn->pcre_flag = 1;
fpl = AddOptFuncToList(SnortPcre, otn);
fpl->type = RULE_OPTION_TYPE_PCRE;
if (add_detection_option(RULE_OPTION_TYPE_PCRE, (void *)pcre_data, &pcre_dup) == DETECTION_OPTION_EQUAL)
{
if (pcre_data->expression)
free(pcre_data->expression);
if (pcre_data->pe)
free(pcre_data->pe);
if (pcre_data->re)
free(pcre_data->re);
free(pcre_data);
pcre_data = pcre_dup;
}
fpl->context = (void *)pcre_data;
if (pcre_data->options & SNORT_PCRE_RELATIVE)
fpl->isRelative = 1;
if (otn->ds_list[PLUGIN_PCRE] == NULL)
otn->ds_list[PLUGIN_PCRE] = (void *)pcre_data;
return 1;
}
int DeleteLWSession(Stream5SessionCache *sessionCache,
Stream5LWSession *ssn, char *delete_reason)
{
/* Need to save the current configurations being used since this function
* may cause a packet reassembly on this deleted session when flushing
* (via sessionCache->cleanup_fcn) and a preprocessor may call an API
* function changing the configurations to this one to be deleted */
Stream5GlobalConfig *save_global_eval_config = s5_global_eval_config;
Stream5TcpConfig *save_tcp_eval_config = s5_tcp_eval_config;
Stream5UdpConfig *save_udp_eval_config = s5_udp_eval_config;
Stream5IcmpConfig *save_icmp_eval_config = s5_icmp_eval_config;
int ret;
uint32_t prune_log_max;
/* Save the current mem in use before pruning */
uint32_t old_mem_in_use = mem_in_use;
/* And save some info on that session */
#ifdef SUP_IP6
sfip_t client_ip;
sfip_t server_ip;
#else
struct in_addr client_ip;
struct in_addr server_ip;
#endif
uint16_t client_port = ntohs(ssn->client_port);
uint16_t server_port = ntohs(ssn->server_port);
uint16_t lw_session_state = ssn->session_state;
uint32_t lw_session_flags = ssn->session_flags;
#ifdef TARGET_BASED
int16_t app_proto_id = ssn->application_protocol;
#endif
#ifdef SUP_IP6
sfip_set_ip(&client_ip, &ssn->client_ip);
sfip_set_ip(&server_ip, &ssn->server_ip);
#else
client_ip.s_addr = ssn->client_ip;
server_ip.s_addr = ssn->server_ip;
#endif
/*
* Call callback to cleanup the protocol (TCP/UDP/ICMP)
* specific session details
*/
if (sessionCache->cleanup_fcn)
sessionCache->cleanup_fcn(ssn);
FreeLWApplicationData(ssn);
/* Need to save this off since the global config might be from an
* older session - because of a reload - and that config might
* get freed after removing the session */
prune_log_max = s5_global_eval_config->prune_log_max;
ret = RemoveLWSession(sessionCache, ssn);
/* If we're pruning and we clobbered some large amount, log a
* message about that session. */
if (prune_log_max
&& ((old_mem_in_use - mem_in_use ) > prune_log_max))
{
char *client_ip_str, *server_ip_str;
#ifdef SUP_IP6
client_ip_str = SnortStrdup(inet_ntoa(&client_ip));
server_ip_str = SnortStrdup(inet_ntoa(&server_ip));
#else
client_ip_str = SnortStrdup(inet_ntoa(client_ip));
server_ip_str = SnortStrdup(inet_ntoa(server_ip));
#endif
LogMessage("S5: Pruned session from cache that was "
"using %d bytes (%s). %s %d --> %s %d "
#ifdef TARGET_BASED
"(%d) "
#endif
": LWstate 0x%x LWFlags 0x%x\n",
old_mem_in_use - mem_in_use,
delete_reason,
client_ip_str, client_port,
server_ip_str, server_port,
#ifdef TARGET_BASED
app_proto_id,
#endif
lw_session_state, lw_session_flags);
free(client_ip_str);
free(server_ip_str);
}
s5_global_eval_config = save_global_eval_config;
s5_tcp_eval_config = save_tcp_eval_config;
s5_udp_eval_config = save_udp_eval_config;
s5_icmp_eval_config = save_icmp_eval_config;
return ret;
}
