static inline OptTreeNode *getRuleInfo(uint32_t gid, uint32_t sid, uint32_t rev,
uint32_t classification, uint32_t priority,
const char *msg, OptTreeNode *rule_info)
{
if (rule_info)
{
if (!getRtnFromOtn(rule_info, getIpsRuntimePolicy()))
return NULL;
return rule_info;
}
return GetOTN(gid, sid, rev, classification, priority, msg);
}
RuleTreeNode* GenerateSnortEventRtn (OptTreeNode* otn, tSfPolicyId policyId)
{
RuleTreeNode *rtn = getRtnFromOtn(otn, policyId);
if (!rtn)
{
rtn = calloc(1, sizeof(RuleTreeNode));
if (rtn)
{
rtn->type = RULE_TYPE__ALERT;
if (addRtnToOtn(otn, policyId, rtn) != 0)
rtn = NULL;
}
}
return rtn;
}
static int LogSnortEvents(void * event, void * user)
{
EventNode *en = (EventNode *) event;
SNORT_EVENTQ_USER *snort_user = (SNORT_EVENTQ_USER *) user;
OptTreeNode *otn;
RuleTreeNode *rtn = NULL;
if (!event || !user)
return 0;
if (s_events > 0)
s_events--;
if (en->rule_info)
{
otn = en->rule_info;
}
else
{
// The above en->rule_info may be NULL to avoid performing an OTN/RTN
// lookup until after policy switching is finalized. In that case,
// perform the lookup here.
otn = GetApplicableOtn(
en->gid,
en->sid,
en->rev,
en->classification,
en->priority,
en->msg
);
}
if (otn)
{
rtn = getRtnFromOtn(otn, getApplicableRuntimePolicy(en->gid));
if (rtn)
{
snort_user->rule_alert = otn->sigInfo.rule_flushing;
LogSnortEvent((Packet *) snort_user->pkt, otn, rtn, en->msg);
}
}
sfthreshold_reset();
return 0;
}
int file_eventq_add(uint32_t gid, uint32_t sid, char *msg, RuleType type)
{
OptTreeNode *otn;
RuleTreeNode *rtn;
otn = GetApplicableOtn(gid, sid, 1, 0, 3, msg);
if (otn == NULL)
return 0;
rtn = getRtnFromOtn(otn, getIpsRuntimePolicy());
if (rtn == NULL)
{
return 0;
}
rtn->type = type;
return SnortEventqAdd(gid, sid, 1, 0, 3, msg, otn);
}
RuleTreeNode* GenerateSnortEventRtn (
OptTreeNode* otn,
tSfPolicyId policyId
) {
RuleTreeNode* rtn = getRtnFromOtn(otn, policyId);
rtn = calloc(1, sizeof(RuleTreeNode));
if ( !rtn )
return NULL;
rtn->type = RULE_TYPE__ALERT;
if ( addRtnToOtn(otn, policyId, rtn) != 0 )
{
//unsuccessful adding rtn
free(rtn);
return NULL;
}
return rtn;
}
int SnortEventqAdd(
uint32_t gid,
uint32_t sid,
uint32_t rev,
uint32_t classification,
uint32_t priority,
const char * msg,
void * rule_info
)
{
EventNode *en;
OptTreeNode *otn = (OptTreeNode *) rule_info;
if (!otn)
otn = GetApplicableOtn(gid, sid, rev, classification, priority, msg);
else if (!getRtnFromOtn(otn, getApplicableRuntimePolicy(gid)))
otn = NULL;
if (otn)
{
en = (EventNode *) sfeventq_event_alloc(getEventQueue());
if (!en)
return -1;
en->gid = gid;
en->sid = sid;
en->rev = rev;
en->classification = classification;
en->priority = priority;
en->msg = msg;
en->rule_info = rule_info;
if (sfeventq_add(getEventQueue(), (void *) en) != 0)
return -1;
s_events++;
}
return 0;
}
/**initialize given port list from the given ruleset, for a given policy
* @param portList pointer to array of MAX_PORTS+1 uint8_t. This array content
* is changed by walking through the rulesets.
* @param protocol - protocol type
*/
void setPortFilterList(
uint8_t *portList,
int protocol,
int ignoreAnyAnyRules,
tSfPolicyId policyId
)
{
char *port_array = NULL;
int num_ports = 0;
int i;
RuleTreeNode *rtn;
OptTreeNode *otn;
int inspectSrc, inspectDst;
char any_any_flow = 0;
IgnoredRuleList *pIgnoredRuleList = NULL; ///list of ignored rules
char *protocolName;
SFGHASH_NODE *hashNode;
int flowBitIsSet = 0;
SnortConfig *sc = snort_conf_for_parsing;
if (sc == NULL)
{
FatalError("%s(%d) Snort conf for parsing is NULL.\n",
__FILE__, __LINE__);
}
if ((protocol == IPPROTO_TCP) && (ignoreAnyAnyRules == 0))
{
int j;
for (j=0; j<MAX_PORTS; j++)
{
portList[j] |= PORT_MONITOR_SESSION | PORT_MONITOR_INSPECT;
}
return;
}
protocolName = getProtocolName(protocol);
/* Post-process TCP rules to establish TCP ports to inspect. */
for (hashNode = sfghash_findfirst(sc->otn_map);
hashNode;
hashNode = sfghash_findnext(sc->otn_map))
{
otn = (OptTreeNode *)hashNode->data;
flowBitIsSet = Stream5OtnHasFlowOrFlowbit(otn);
rtn = getRtnFromOtn(otn, policyId);
if (!rtn)
{
continue;
}
if (rtn->proto == protocol)
{
//do operation
inspectSrc = inspectDst = 0;
if (PortObjectHasAny(rtn->src_portobject))
{
inspectSrc = -1;
}
else
{
port_array = PortObjectCharPortArray(port_array, rtn->src_portobject, &num_ports);
if (port_array && num_ports != 0)
{
inspectSrc = 1;
for (i=0; i<SFPO_MAX_PORTS; i++)
{
if (port_array[i])
{
portList[i] |= PORT_MONITOR_INSPECT;
/* port specific rule */
/* Look for an OTN with flow or flowbits keyword */
if (flowBitIsSet)
{
portList[i] |= PORT_MONITOR_SESSION;
}
}
}
}
if ( port_array )
{
free(port_array);
port_array = NULL;
}
}
if (PortObjectHasAny(rtn->dst_portobject))
{
inspectDst = -1;
}
else
{
port_array = PortObjectCharPortArray(port_array, rtn->dst_portobject, &num_ports);
if (port_array && num_ports != 0)
{
inspectDst = 1;
for (i=0; i<SFPO_MAX_PORTS; i++)
{
if (port_array[i])
{
portList[i] |= PORT_MONITOR_INSPECT;
/* port specific rule */
if (flowBitIsSet)
{
portList[i] |= PORT_MONITOR_SESSION;
}
}
}
}
if ( port_array )
{
free(port_array);
port_array = NULL;
}
}
if ((inspectSrc == -1) && (inspectDst == -1))
{
/* any -> any rule */
if (any_any_flow == 0)
{
any_any_flow = Stream5AnyAnyFlow(portList, otn, rtn, any_any_flow,
&pIgnoredRuleList, ignoreAnyAnyRules);
}
}
}
}
/* If portscan is tracking TCP/UDP, need to create
* sessions for all ports */
if (((protocol == IPPROTO_UDP) && (ps_get_protocols(policyId) & PS_PROTO_UDP))
|| ((protocol == IPPROTO_TCP) && (ps_get_protocols(policyId) & PS_PROTO_TCP)))
{
int j;
for (j=0; j<MAX_PORTS; j++)
{
portList[j] |= PORT_MONITOR_SESSION;
}
}
if (any_any_flow == 1)
{
LogMessage("Warning: 'ignore_any_rules' option for Stream5 %s "
"disabled because of %s rule with flow or flowbits option\n",
protocolName, protocolName);
}
else if (pIgnoredRuleList)
{
LogMessage("Warning: Rules (GID:SID) effectively ignored because of "
"'ignore_any_rules' option for Stream5 %s:\n", protocolName);
}
// free list; print iff any_any_flow
printIgnoredRules(pIgnoredRuleList, any_any_flow);
}
/*
* Changed so events are inserted in action config order 'drop alert ...',
* and sub sorted in each action group by priority or content length.
* The sub sorting is done in fpFinalSelect inf fpdetect.c. Once the
* events are inserted they can all be logged, as we only insert
* g_event_queue.log_events into the queue.
* ... Jan '06
*/
int SnortEventqAdd(unsigned int gid,
unsigned int sid,
unsigned int rev,
unsigned int classification,
unsigned int pri,
char *msg,
void *rule_info)
{
EventNode *en;
en = (EventNode *)sfeventq_event_alloc(snort_conf->event_queue[qIndex]);
if(!en)
return -1;
en->gid = gid;
en->sid = sid;
en->rev = rev;
en->classification = classification;
en->priority = pri;
en->msg = msg;
en->rule_info = rule_info;
/*
* Check if we have a preprocessor or decoder event
* Preprocessors and decoders may be configured to inspect
* and alert in their principal configuration (legacy code)
* this test than checks if the rule otn says they should
* be enabled or not. The rule itself will decide if it should
* be an alert or a drop (sdrop) condition.
*/
#ifdef PREPROCESSOR_AND_DECODER_RULE_EVENTS
{
struct _OptTreeNode * potn;
/* every event should have a rule/otn */
potn = OtnLookup(snort_conf->otn_map, gid, sid);
/*
* if no rule otn exists for this event, than it was
* not enabled via rules
*/
if (potn == NULL)
{
if (ScAutoGenPreprocDecoderOtns())
{
/* Generate an OTN if configured to do so.... */
potn = GenerateSnortEventOtn(en->gid,
en->sid,
en->rev,
en->classification,
en->priority,
en->msg);
if (potn != NULL)
OtnLookupAdd(snort_conf->otn_map, potn);
}
if (potn == NULL)
{
/* no otn found/created - do not add it to the queue */
return 0;
}
}
else
{
tSfPolicyId policyId = getRuntimePolicy();
RuleTreeNode* rtn = getRtnFromOtn(potn, policyId);
if ( !rtn )
{
if ( ScAutoGenPreprocDecoderOtns() )
rtn = GenerateSnortEventRtn(potn, getRuntimePolicy());
if ( !rtn )
return 0;
}
}
}
#endif
if (sfeventq_add(snort_conf->event_queue[qIndex], (void *)en))
{
return -1;
}
s_events++;
return 0;
}
