static inline OptTreeNode *getRuleInfo(uint32_t gid, uint32_t sid, uint32_t rev, uint32_t classification, uint32_t priority, const char *msg, OptTreeNode *rule_info) { if (rule_info) { if (!getRtnFromOtn(rule_info, getIpsRuntimePolicy())) return NULL; return rule_info; } return GetOTN(gid, sid, rev, classification, priority, msg); }
RuleTreeNode* GenerateSnortEventRtn (OptTreeNode* otn, tSfPolicyId policyId) { RuleTreeNode *rtn = getRtnFromOtn(otn, policyId); if (!rtn) { rtn = calloc(1, sizeof(RuleTreeNode)); if (rtn) { rtn->type = RULE_TYPE__ALERT; if (addRtnToOtn(otn, policyId, rtn) != 0) rtn = NULL; } } return rtn; }
static int LogSnortEvents(void * event, void * user) { EventNode *en = (EventNode *) event; SNORT_EVENTQ_USER *snort_user = (SNORT_EVENTQ_USER *) user; OptTreeNode *otn; RuleTreeNode *rtn = NULL; if (!event || !user) return 0; if (s_events > 0) s_events--; if (en->rule_info) { otn = en->rule_info; } else { // The above en->rule_info may be NULL to avoid performing an OTN/RTN // lookup until after policy switching is finalized. In that case, // perform the lookup here. otn = GetApplicableOtn( en->gid, en->sid, en->rev, en->classification, en->priority, en->msg ); } if (otn) { rtn = getRtnFromOtn(otn, getApplicableRuntimePolicy(en->gid)); if (rtn) { snort_user->rule_alert = otn->sigInfo.rule_flushing; LogSnortEvent((Packet *) snort_user->pkt, otn, rtn, en->msg); } } sfthreshold_reset(); return 0; }
int file_eventq_add(uint32_t gid, uint32_t sid, char *msg, RuleType type) { OptTreeNode *otn; RuleTreeNode *rtn; otn = GetApplicableOtn(gid, sid, 1, 0, 3, msg); if (otn == NULL) return 0; rtn = getRtnFromOtn(otn, getIpsRuntimePolicy()); if (rtn == NULL) { return 0; } rtn->type = type; return SnortEventqAdd(gid, sid, 1, 0, 3, msg, otn); }
RuleTreeNode* GenerateSnortEventRtn ( OptTreeNode* otn, tSfPolicyId policyId ) { RuleTreeNode* rtn = getRtnFromOtn(otn, policyId); rtn = calloc(1, sizeof(RuleTreeNode)); if ( !rtn ) return NULL; rtn->type = RULE_TYPE__ALERT; if ( addRtnToOtn(otn, policyId, rtn) != 0 ) { //unsuccessful adding rtn free(rtn); return NULL; } return rtn; }
int SnortEventqAdd( uint32_t gid, uint32_t sid, uint32_t rev, uint32_t classification, uint32_t priority, const char * msg, void * rule_info ) { EventNode *en; OptTreeNode *otn = (OptTreeNode *) rule_info; if (!otn) otn = GetApplicableOtn(gid, sid, rev, classification, priority, msg); else if (!getRtnFromOtn(otn, getApplicableRuntimePolicy(gid))) otn = NULL; if (otn) { en = (EventNode *) sfeventq_event_alloc(getEventQueue()); if (!en) return -1; en->gid = gid; en->sid = sid; en->rev = rev; en->classification = classification; en->priority = priority; en->msg = msg; en->rule_info = rule_info; if (sfeventq_add(getEventQueue(), (void *) en) != 0) return -1; s_events++; } return 0; }
/**initialize given port list from the given ruleset, for a given policy * @param portList pointer to array of MAX_PORTS+1 uint8_t. This array content * is changed by walking through the rulesets. * @param protocol - protocol type */ void setPortFilterList( uint8_t *portList, int protocol, int ignoreAnyAnyRules, tSfPolicyId policyId ) { char *port_array = NULL; int num_ports = 0; int i; RuleTreeNode *rtn; OptTreeNode *otn; int inspectSrc, inspectDst; char any_any_flow = 0; IgnoredRuleList *pIgnoredRuleList = NULL; ///list of ignored rules char *protocolName; SFGHASH_NODE *hashNode; int flowBitIsSet = 0; SnortConfig *sc = snort_conf_for_parsing; if (sc == NULL) { FatalError("%s(%d) Snort conf for parsing is NULL.\n", __FILE__, __LINE__); } if ((protocol == IPPROTO_TCP) && (ignoreAnyAnyRules == 0)) { int j; for (j=0; j<MAX_PORTS; j++) { portList[j] |= PORT_MONITOR_SESSION | PORT_MONITOR_INSPECT; } return; } protocolName = getProtocolName(protocol); /* Post-process TCP rules to establish TCP ports to inspect. */ for (hashNode = sfghash_findfirst(sc->otn_map); hashNode; hashNode = sfghash_findnext(sc->otn_map)) { otn = (OptTreeNode *)hashNode->data; flowBitIsSet = Stream5OtnHasFlowOrFlowbit(otn); rtn = getRtnFromOtn(otn, policyId); if (!rtn) { continue; } if (rtn->proto == protocol) { //do operation inspectSrc = inspectDst = 0; if (PortObjectHasAny(rtn->src_portobject)) { inspectSrc = -1; } else { port_array = PortObjectCharPortArray(port_array, rtn->src_portobject, &num_ports); if (port_array && num_ports != 0) { inspectSrc = 1; for (i=0; i<SFPO_MAX_PORTS; i++) { if (port_array[i]) { portList[i] |= PORT_MONITOR_INSPECT; /* port specific rule */ /* Look for an OTN with flow or flowbits keyword */ if (flowBitIsSet) { portList[i] |= PORT_MONITOR_SESSION; } } } } if ( port_array ) { free(port_array); port_array = NULL; } } if (PortObjectHasAny(rtn->dst_portobject)) { inspectDst = -1; } else { port_array = PortObjectCharPortArray(port_array, rtn->dst_portobject, &num_ports); if (port_array && num_ports != 0) { inspectDst = 1; for (i=0; i<SFPO_MAX_PORTS; i++) { if (port_array[i]) { portList[i] |= PORT_MONITOR_INSPECT; /* port specific rule */ if (flowBitIsSet) { portList[i] |= PORT_MONITOR_SESSION; } } } } if ( port_array ) { free(port_array); port_array = NULL; } } if ((inspectSrc == -1) && (inspectDst == -1)) { /* any -> any rule */ if (any_any_flow == 0) { any_any_flow = Stream5AnyAnyFlow(portList, otn, rtn, any_any_flow, &pIgnoredRuleList, ignoreAnyAnyRules); } } } } /* If portscan is tracking TCP/UDP, need to create * sessions for all ports */ if (((protocol == IPPROTO_UDP) && (ps_get_protocols(policyId) & PS_PROTO_UDP)) || ((protocol == IPPROTO_TCP) && (ps_get_protocols(policyId) & PS_PROTO_TCP))) { int j; for (j=0; j<MAX_PORTS; j++) { portList[j] |= PORT_MONITOR_SESSION; } } if (any_any_flow == 1) { LogMessage("Warning: 'ignore_any_rules' option for Stream5 %s " "disabled because of %s rule with flow or flowbits option\n", protocolName, protocolName); } else if (pIgnoredRuleList) { LogMessage("Warning: Rules (GID:SID) effectively ignored because of " "'ignore_any_rules' option for Stream5 %s:\n", protocolName); } // free list; print iff any_any_flow printIgnoredRules(pIgnoredRuleList, any_any_flow); }
/* * Changed so events are inserted in action config order 'drop alert ...', * and sub sorted in each action group by priority or content length. * The sub sorting is done in fpFinalSelect inf fpdetect.c. Once the * events are inserted they can all be logged, as we only insert * g_event_queue.log_events into the queue. * ... Jan '06 */ int SnortEventqAdd(unsigned int gid, unsigned int sid, unsigned int rev, unsigned int classification, unsigned int pri, char *msg, void *rule_info) { EventNode *en; en = (EventNode *)sfeventq_event_alloc(snort_conf->event_queue[qIndex]); if(!en) return -1; en->gid = gid; en->sid = sid; en->rev = rev; en->classification = classification; en->priority = pri; en->msg = msg; en->rule_info = rule_info; /* * Check if we have a preprocessor or decoder event * Preprocessors and decoders may be configured to inspect * and alert in their principal configuration (legacy code) * this test than checks if the rule otn says they should * be enabled or not. The rule itself will decide if it should * be an alert or a drop (sdrop) condition. */ #ifdef PREPROCESSOR_AND_DECODER_RULE_EVENTS { struct _OptTreeNode * potn; /* every event should have a rule/otn */ potn = OtnLookup(snort_conf->otn_map, gid, sid); /* * if no rule otn exists for this event, than it was * not enabled via rules */ if (potn == NULL) { if (ScAutoGenPreprocDecoderOtns()) { /* Generate an OTN if configured to do so.... */ potn = GenerateSnortEventOtn(en->gid, en->sid, en->rev, en->classification, en->priority, en->msg); if (potn != NULL) OtnLookupAdd(snort_conf->otn_map, potn); } if (potn == NULL) { /* no otn found/created - do not add it to the queue */ return 0; } } else { tSfPolicyId policyId = getRuntimePolicy(); RuleTreeNode* rtn = getRtnFromOtn(potn, policyId); if ( !rtn ) { if ( ScAutoGenPreprocDecoderOtns() ) rtn = GenerateSnortEventRtn(potn, getRuntimePolicy()); if ( !rtn ) return 0; } } } #endif if (sfeventq_add(snort_conf->event_queue[qIndex], (void *)en)) { return -1; } s_events++; return 0; }