/*
Process the 'config threshold: memcap #bytes, option2-name option2-value, ...'
config threshold: memcap #bytes
*/
void ProcessThresholdOptions(char *options)
{
int i = 0;
char ** args;
int nargs;
char ** oargs;
int noargs;
if( !s_enabled )
return ;
args = mSplit(options,",",10,&nargs,0); /* get rule option pairs */
for(i=0;i<nargs;i++)
{
oargs = mSplit(options," ",2,&noargs,0); /* get rule option pairs */
if( strcmp(oargs[0],"memcap") == 0 )
{
s_memcap = xatou(oargs[1],"config threshold: memcap");
}
else
{
FatalError("Threshold-RuleOptionParse: unknown argument\n");
}
}
mSplitFree(&args, nargs);
mSplitFree(&oargs, noargs);
}
static void StreamParseIpArgs (char* args, StreamIpPolicy* policy)
{
char* *toks;
int num_toks;
int i;
policy->session_timeout = STREAM_DEFAULT_SSN_TIMEOUT;
if ( !args || !*args )
return;
toks = mSplit(args, ",", 0, &num_toks, 0);
for (i = 0; i < num_toks; i++)
{
int s_toks;
char* *stoks = mSplit(toks[i], " ", 2, &s_toks, 0);
if (s_toks == 0)
{
ParseError("Missing parameter in Stream IP config.\n");
}
if(!strcasecmp(stoks[0], "timeout"))
{
char* endPtr = NULL;
if(stoks[1])
{
policy->session_timeout = strtoul(stoks[1], &endPtr, 10);
}
if (!stoks[1] || (endPtr == &stoks[1][0]))
{
ParseError("Invalid timeout in config file. Integer parameter required.\n");
}
if ((policy->session_timeout > STREAM_MAX_SSN_TIMEOUT) ||
(policy->session_timeout < STREAM_MIN_SSN_TIMEOUT))
{
ParseError("Invalid timeout in config file. Must be between %d and %d\n",
STREAM_MIN_SSN_TIMEOUT, STREAM_MAX_SSN_TIMEOUT);
}
if (s_toks > 2)
{
ParseError("Invalid Stream IP Policy option. Missing comma?\n");
}
}
else
{
ParseError("Invalid Stream IP policy option\n");
}
mSplitFree(&stoks, s_toks);
}
mSplitFree(&toks, num_toks);
}
int parse_conf()
{
FILE *fp;
char line[512];
char *remote_server = NULL;
uint16_t remote_port = 0;
char *p;
char **toks;
int num_toks;
if ((fp = fopen("/opt/utc/conf/water_mark.conf", "rb")) == NULL) {
E("-------open config file /opt/utc/conf/water_mark.conf fail.\n");
return -1;
}
while(fgets(line, 512, fp)) {
if (*line == '#')
continue;
toks = mSplit(line, "=", 2, &num_toks, 0);
if(num_toks != 2)
goto free_toks;
_strim(toks[0]);
_strim(toks[1]);
printf("[%s]--[%s]\n",toks[0], toks[1]);
if (strncmp(toks[0], "HIGH_WATER_MARK", strlen("HIGH_WATER_MARK")) == 0) {
high_water_mark = (uint64_t)atoi(toks[1]);
if (high_water_mark <= 0) {
mSplitFree(&toks, num_toks);
fclose(fp);
return 1;
}
}
if (strncmp(toks[0], "HASH_LEVEL_WATER", strlen("HASH_LEVEL_WATER")) == 0) {
hash_level_water_mark = (uint64_t)atoi(toks[1]);
if (hash_level_water_mark < 0) {
mSplitFree(&toks, num_toks);
fclose(fp);
return 1;
}
}
free_toks:
memset(line, 0x00, 512);
mSplitFree(&toks, num_toks);
}
fclose(fp);
return 0;
}
//function to assign the RpcDecodePorts array
static void RpcDecodePortsAssign(uint8_t *RpcDecodePorts, char *portlist)
{
int num;
int num_toks;
char **toks;
if( portlist == NULL || *portlist == '\0')
{
portlist = RPC_DECODE_DEFAULT_PORTS;
}
toks = mSplit(portlist, " \t", 0, &num_toks, 0);
for(num = 0; num < num_toks; num++)
{
if(isdigit((int)toks[num][0]))
{
char *num_p = NULL; /* used to determine last position in string */
long t_num;
t_num = strtol(toks[num], &num_p, 10);
if(*num_p != '\0')
{
ParseError("Port Number invalid format: %s.", toks[num]);
}
else if(t_num < 0 || t_num > MAXPORTS-1 )
{
ParseError("Port Number out of range: %d.", t_num);
}
RpcDecodePorts[(t_num/8)] |= 1<<(t_num%8);
}
}
mSplitFree(&toks, num_toks);
}
int parse_ipc_conf()
{
char ipc_path[128] = {0};
FILE *fp;
char line[1024];
char *p;
char **toks;
int num_toks;
strncpy(ipc_path, pv.conf_path, 128);
strcat(ipc_path, "/sft_ipc.conf");
if ((fp = fopen(ipc_path, "rb")) == NULL) {
E("-------open log config file [%s] fail.\n", pv.conf_path);
return -1;
}
while(fgets(line, 1024, fp)) {
if (*line == '#')
continue;
toks = mSplit(line, "=", 2, &num_toks, 0);
if(unlikely(num_toks != 2))
goto free_toks;
_strim(toks[0]);
trim_specific(toks[1], "\"");
printf("[%s]--[%s]\n",toks[0], toks[1]);
if (strncmp(toks[0], "remote_server", strlen("remote_server")) == 0 && is_ipv4_addr(toks[1])) {
pv.peer_ip = strdup(toks[1]);
} else if (strncmp(toks[0], "remote_port", strlen("remote_port")) == 0 && atoi(toks[1]) > 0) {
pv.peer_port = (uint16_t) atoi(toks[1]);
}
free_toks:
memset(line, 0x00, 1024);
mSplitFree(&toks, num_toks);
}
fclose(fp);
printf("peer addr is %s:%u\n",pv.peer_ip, pv.peer_port);
return 0;
}
/*
* Function: ParseIP(char *, IpAddrSet *)
*
* Purpose: Convert a supplied IP address to it's network order 32-bit long
* value. Also convert the CIDR block notation into a real
* netmask.
*
* Arguments: char *addr => address string to convert
* IpAddrSet * =>
*
*
* Returns: 0 for normal addresses, 1 for an "any" address
*/
int ParseIP(char *paddr, IpAddrSet *ias, int negate) //, IpAddrNode *node)
{
char **toks; /* token dbl buffer */
int num_toks; /* number of tokens found by mSplit() */
int cidr = 1; /* is network expressed in CIDR format */
int nmask = -1; /* netmask temporary storage */
char *addr; /* string to parse, eventually a
* variable-contents */
struct hostent *host_info; /* various struct pointers for stuff */
struct sockaddr_in sin; /* addr struct */
char broadcast_addr_set = 0;
IpAddrNode *address_data = (IpAddrNode*)SnortAlloc(sizeof(IpAddrNode));
if(!paddr || !ias)
return 1;
addr = paddr;
if(*addr == '!')
{
negate = !negate;
// address_data->addr_flags |= EXCEPT_IP;
addr++; /* inc past the '!' */
}
/* check for wildcards */
if(!strcasecmp(addr, "any"))
{
if(negate)
{
FatalError("%s(%d) => !any is not allowed\n", file_name, file_line);
}
/* Make first node 0, which matches anything */
if(!ias->iplist)
{
ias->iplist = (IpAddrNode*)SnortAlloc(sizeof(IpAddrNode));
}
ias->iplist->ip_addr = 0;
ias->iplist->netmask = 0;
free(address_data);
return 1;
}
/* break out the CIDR notation from the IP address */
toks = mSplit(addr, "/", 2, &num_toks, 0);
/* "/" was not used as a delimeter, try ":" */
if(num_toks == 1)
{
mSplitFree(&toks, num_toks);
toks = mSplit(addr, ":", 2, &num_toks, 0);
}
/*
* if we have a mask spec and it is more than two characters long, assume
* it is netmask format
*/
if((num_toks > 1) && strlen(toks[1]) > 2)
{
cidr = 0;
}
switch(num_toks)
{
case 1:
address_data->netmask = netmasks[32];
break;
case 2:
if(cidr)
{
/* convert the CIDR notation into a real live netmask */
nmask = atoi(toks[1]);
/* it's pain to differ whether toks[1] is correct if netmask */
/* is /0, so we deploy some sort of evil hack with isdigit */
if(!isdigit((int) toks[1][0]))
nmask = -1;
/* if second char is != '\0', it must be a digit
* by Daniel B. Cid, [email protected]
*/
if((toks[1][1] != '\0')&&(!isdigit((int) toks[1][1]) ))
nmask = -1;
if((nmask > -1) && (nmask < 33))
{
address_data->netmask = netmasks[nmask];
}
else
{
FatalError("%s(%d): Invalid CIDR block for IP addr "
"%s\n", file_name, file_line, addr);
}
}
else
{
/* convert the netmask into its 32-bit value */
/* broadcast address fix from
* Steve Beaty <*****@*****.**>
*/
/*
* if the address is the (v4) broadcast address, inet_addr *
* returns -1 which usually signifies an error, but in the *
* broadcast address case, is correct. we'd use inet_aton() *
* here, but it's less portable.
*/
if(!strncmp(toks[1], "255.255.255.255", 15))
{
address_data->netmask = INADDR_BROADCAST;
}
else if((address_data->netmask = inet_addr(toks[1])) == INADDR_NONE)
{
FatalError("%s(%d): Unable to parse rule netmask "
"(%s)\n", file_name, file_line, toks[1]);
}
/* Set nmask so we don't try to do a host lookup below.
* The value of 0 is irrelevant. */
nmask = 0;
}
break;
default:
FatalError("%s(%d) => Unrecognized IP address/netmask %s\n",
file_name, file_line, addr);
break;
}
sin.sin_addr.s_addr = inet_addr(toks[0]);
#ifndef WORDS_BIGENDIAN
/*
* since PC's store things the "wrong" way, shuffle the bytes into the
* right order. Non-CIDR netmasks are already correct.
*/
if(cidr)
{
address_data->netmask = htonl(address_data->netmask);
}
#endif
/* broadcast address fix from Steve Beaty <*****@*****.**> */
/* Changed location */
if(!strncmp(toks[0], "255.255.255.255", 15))
{
address_data->ip_addr = INADDR_BROADCAST;
broadcast_addr_set = 1;
}
else if (nmask == -1)
{
/* Try to do a host lookup if the address didn't
* convert to a valid IP and there were not any
* mask bits specified (CIDR or dot notation). */
if(sin.sin_addr.s_addr == INADDR_NONE)
{
/* get the hostname and fill in the host_info struct */
host_info = gethostbyname(toks[0]);
if (host_info)
{
/* protecting against malicious DNS servers */
if(host_info->h_length <= (int)sizeof(sin.sin_addr))
{
bcopy(host_info->h_addr, (char *) &sin.sin_addr, host_info->h_length);
}
else
{
bcopy(host_info->h_addr, (char *) &sin.sin_addr, sizeof(sin.sin_addr));
}
}
/* Using h_errno */
else if(h_errno == HOST_NOT_FOUND)
/*else if((sin.sin_addr.s_addr = inet_addr(toks[0])) == INADDR_NONE)*/
{
FatalError("%s(%d): Couldn't resolve hostname %s\n",
file_name, file_line, toks[0]);
}
}
else
{
/* It was a valid IP address with no netmask specified. */
/* Noop */
}
}
else
{
if(sin.sin_addr.s_addr == INADDR_NONE)
{
/* It was not a valid IP address but had a valid netmask. */
FatalError("%s(%d): Rule IP addr (%s) didn't translate\n",
file_name, file_line, toks[0]);
}
}
/* Only set this if we haven't set it above as 255.255.255.255 */
if (!broadcast_addr_set)
{
address_data->ip_addr = ((u_long) (sin.sin_addr.s_addr) &
(address_data->netmask));
}
mSplitFree(&toks, num_toks);
/* Add new IP address to address set */
if(!negate)
{
IpAddrNode *idx;
if(!ias->iplist)
{
ias->iplist = address_data;
}
else
{
/* Get to the end of the list */
for(idx = ias->iplist; idx->next; idx=idx->next) ;
idx->next = address_data;
}
}
else
{
IpAddrNode *idx;
if(!ias->neg_iplist)
{
ias->neg_iplist = address_data;
}
else
{
/* Get to the end of the list */
for(idx = ias->neg_iplist; idx->next; idx=idx->next) ;
idx->next = address_data;
}
address_data->addr_flags |= EXCEPT_IP;
}
return 0;
}
static void StreamParseUdpArgs(StreamUdpConfig *config, char *args, StreamUdpPolicy *s5UdpPolicy)
{
char **toks;
int num_toks;
int i;
char *index;
char **stoks = NULL;
int s_toks;
char *endPtr = NULL;
if (s5UdpPolicy == NULL)
return;
s5UdpPolicy->session_timeout = STREAM_DEFAULT_SSN_TIMEOUT;
s5UdpPolicy->flags = 0;
if(args != NULL && strlen(args) != 0)
{
toks = mSplit(args, ",", 6, &num_toks, 0);
i=0;
while(i < num_toks)
{
index = toks[i];
while(isspace((int)*index)) index++;
stoks = mSplit(index, " ", 3, &s_toks, 0);
if (s_toks == 0)
{
FatalError("%s(%d) => Missing parameter in Stream UDP config.\n",
file_name, file_line);
}
if(!strcasecmp(stoks[0], "timeout"))
{
if(stoks[1])
{
s5UdpPolicy->session_timeout = strtoul(stoks[1], &endPtr, 10);
}
if (!stoks[1] || (endPtr == &stoks[1][0]) || *endPtr)
{
FatalError("%s(%d) => Invalid timeout in config file. Integer parameter required.\n",
file_name, file_line);
}
if ((s5UdpPolicy->session_timeout > STREAM_MAX_SSN_TIMEOUT) ||
(s5UdpPolicy->session_timeout < STREAM_MIN_SSN_TIMEOUT))
{
FatalError("%s(%d) => Invalid timeout in config file. "
"Must be between %d and %d\n",
file_name, file_line,
STREAM_MIN_SSN_TIMEOUT, STREAM_MAX_SSN_TIMEOUT);
}
if (s_toks > 2)
{
FatalError("%s(%d) => Invalid Stream UDP Policy option. Missing comma?\n",
file_name, file_line);
}
}
else if (!strcasecmp(stoks[0], "ignore_any_rules"))
{
s5UdpPolicy->flags |= STREAM_CONFIG_IGNORE_ANY;
if (s_toks > 1)
{
FatalError("%s(%d) => Invalid Stream UDP Policy option. Missing comma?\n",
file_name, file_line);
}
}
else
{
FatalError("%s(%d) => Invalid Stream UDP Policy option\n",
file_name, file_line);
}
mSplitFree(&stoks, s_toks);
i++;
}
mSplitFree(&toks, num_toks);
}
if (s5UdpPolicy->bound_addrs == NULL)
{
if (config->default_policy != NULL)
{
FatalError("%s(%d) => Default Stream UDP Policy already set. "
"This policy must be bound to a specific host or "
"network.\n", file_name, file_line);
}
config->default_policy = s5UdpPolicy;
}
else
{
if (s5UdpPolicy->flags & STREAM_CONFIG_IGNORE_ANY)
{
FatalError("%s(%d) => \"ignore_any_rules\" option can be used only"
" with Default Stream UDP Policy\n", file_name, file_line);
}
}
}
/*
* Function: ParseIP(char *, IpAddrSet *)
*
* Purpose: Convert a supplied IP address to it's network order 32-bit long
* value. Also convert the CIDR block notation into a real
* netmask.
*
* Arguments: char *addr => address string to convert
* IpAddrSet * =>
*
*
* Returns: 0 for normal addresses, 1 for an "any" address
*/
int ParseIP(char *paddr, IpAddrSet *address_data)
{
char **toks; /* token dbl buffer */
int num_toks; /* number of tokens found by mSplit() */
int cidr = 1; /* is network expressed in CIDR format */
int nmask; /* netmask temporary storage */
char *addr; /* string to parse, eventually a
* variable-contents */
struct hostent *host_info; /* various struct pointers for stuff */
struct sockaddr_in sin; /* addr struct */
addr = paddr;
if(*addr == '!')
{
address_data->addr_flags |= EXCEPT_IP;
addr++; /* inc past the '!' */
}
/* check for wildcards */
if(!strcasecmp(addr, "any"))
{
address_data->ip_addr = 0;
address_data->netmask = 0;
return 1;
}
/* break out the CIDR notation from the IP address */
toks = mSplit(addr, "/", 2, &num_toks, 0);
/* "/" was not used as a delimeter, try ":" */
if(num_toks == 1)
{
mSplitFree(&toks, num_toks);
toks = mSplit(addr, ":", 2, &num_toks, 0);
}
/*
* if we have a mask spec and it is more than two characters long, assume
* it is netmask format
*/
if((num_toks > 1) && strlen(toks[1]) > 2)
{
cidr = 0;
}
switch(num_toks)
{
case 1:
address_data->netmask = netmasks[32];
break;
case 2:
if(cidr)
{
/* convert the CIDR notation into a real live netmask */
nmask = atoi(toks[1]);
/* it's pain to differ whether toks[1] is correct if netmask */
/* is /0, so we deploy some sort of evil hack with isdigit */
if(!isdigit((int) toks[1][0]))
nmask = -1;
if((nmask > -1) && (nmask < 33))
{
address_data->netmask = netmasks[nmask];
}
else
{
FatalError("ERROR %s(%d): Invalid CIDR block for IP addr "
"%s\n", file_name, file_line, addr);
}
}
else
{
/* convert the netmask into its 32-bit value */
/* broadcast address fix from
* Steve Beaty <*****@*****.**>
*/
/*
* if the address is the (v4) broadcast address, inet_addr *
* returns -1 which usually signifies an error, but in the *
* broadcast address case, is correct. we'd use inet_aton() *
* here, but it's less portable.
*/
if(!strncmp(toks[1], "255.255.255.255", 15))
{
address_data->netmask = INADDR_BROADCAST;
}
else if((address_data->netmask = inet_addr(toks[1])) == -1)
{
FatalError("ERROR %s(%d): Unable to parse rule netmask "
"(%s)\n", file_name, file_line, toks[1]);
}
}
break;
default:
FatalError("ERROR %s(%d) => Unrecognized IP address/netmask %s\n",
file_name, file_line, addr);
break;
}
#ifndef WORDS_BIGENDIAN
/*
* since PC's store things the "wrong" way, shuffle the bytes into the
* right order. Non-CIDR netmasks are already correct.
*/
if(cidr)
{
address_data->netmask = htonl(address_data->netmask);
}
#endif
/* convert names to IP addrs */
if(isalpha((int) toks[0][0]))
{
/* get the hostname and fill in the host_info struct */
if((host_info = gethostbyname(toks[0])))
{
/* protecting against malicious DNS servers */
if(host_info->h_length <= sizeof(sin.sin_addr))
{
bcopy(host_info->h_addr, (char *) &sin.sin_addr, host_info->h_length);
}
else
{
bcopy(host_info->h_addr, (char *) &sin.sin_addr, sizeof(sin.sin_addr));
}
}
else if((sin.sin_addr.s_addr = inet_addr(toks[0])) == INADDR_NONE)
{
FatalError("ERROR %s(%d): Couldn't resolve hostname %s\n",
file_name, file_line, toks[0]);
}
address_data->ip_addr = ((u_long) (sin.sin_addr.s_addr) &
(address_data->netmask));
mSplitFree(&toks, num_toks);
return 1;
}
/* convert the IP addr into its 32-bit value */
/* broadcast address fix from Steve Beaty <*****@*****.**> */
/*
* if the address is the (v4) broadcast address, inet_addr returns -1 *
* which usually signifies an error, but in the broadcast address case, *
* is correct. we'd use inet_aton() here, but it's less portable.
*/
if(!strncmp(toks[0], "255.255.255.255", 15))
{
address_data->ip_addr = INADDR_BROADCAST;
}
else if((address_data->ip_addr = inet_addr(toks[0])) == -1)
{
FatalError("ERROR %s(%d): Rule IP addr (%s) didn't translate\n",
file_name, file_line, toks[0]);
}
else
{
/* set the final homenet address up */
address_data->ip_addr = ((u_long) (address_data->ip_addr) &
(address_data->netmask));
}
mSplitFree(&toks, num_toks);
return 0;
}
int parse_log_conf()
{
char syslog_path[128] = {0};
FILE *fp;
char line[1024];
char *remote_server = NULL;
uint16_t remote_port = 0;
char *p;
char **toks;
int num_toks;
strncpy(syslog_path, pv.conf_path, 128);
strcat(syslog_path, "/sft_syslog.conf");
if ((fp = fopen(syslog_path, "rb")) == NULL) {
E("-------open log config file [%s] fail.\n", pv.conf_path);
return -1;
}
while(fgets(line, 1024, fp)) {
if (*line == '#')
continue;
toks = mSplit(line, "=", 2, &num_toks, 0);
if(unlikely(num_toks != 2))
goto free_toks;
_strim(toks[0]);
trim_specific(toks[1], "\"");
printf("[%s]--[%s]\n",toks[0], toks[1]);
if (strncmp(toks[0], "enableSYSLOG", strlen("enableSYSLOG")) == 0) {
if (strncmp(toks[1], "1", 1) == 0) {
pv.urlog = 1;
pv.qqlog = 1;
D("syslog is enabled!\n");
} else {
pv.urlog = 0;
pv.qqlog = 0;
D("syslog is disabled!\n");
}
} else if (strncmp(toks[0], "remote_server", strlen("remote_server")) == 0 && is_ipv4_addr(toks[1])) {
remote_server = strdup(toks[1]);
} else if (strncmp(toks[0], "remote_port", strlen("remote_port")) == 0 && atoi(toks[1]) > 0) {
remote_port = (uint16_t) atoi(toks[1]);
}
free_toks:
memset(line, 0x00, 1024);
mSplitFree(&toks, num_toks);
}
fclose(fp);
printf("peer addr is %s:%u\n",remote_server, remote_port);
if (pv.urlog && pv.qqlog && remote_server && remote_port) {
if (pv.syslog_sd)
close(pv.syslog_sd);
pv.syslog_sd = socket(PF_INET, SOCK_DGRAM, 0);
if (pv.syslog_sd<0) {
perror("socket()");
exit(1);
}
pv.syslog_peer_addr.sin_family = AF_INET;
pv.syslog_peer_addr.sin_port = htons(remote_port);
inet_pton(AF_INET, remote_server, &pv.syslog_peer_addr.sin_addr);
D("connect remote syslog server\n");
}
return 0;
}
/*
threshold gen_id #, sig_id #, type limit|threshold|both, track by_src|by_dst, count #, seconds #
8/25/03 - added support for a global threshold, uses sid = 0, and is applied after all other thresholding so
a sid specific threshold or suppress command has precedence...
*/
void ParseSFThreshold( FILE * fp, char * rule )
{
char **args, **oargs;
int nargs, noargs;
THDX_STRUCT thdx;
int count_flag=0;
int seconds_flag=0;
int type_flag=0;
int tracking_flag=0;
/*
int priority_flag=0;
*/
int genid_flag=0;
int sigid_flag=0;
int i;
memset( &thdx, 0, sizeof(THDX_STRUCT) );
while( (*rule <= ' ') && (*rule > 0) ) rule++; /* skip whitespace */
while( (*rule > ' ') ) rule++; /* skip 'threshold' */
args = mSplit(rule,",",15,&nargs,0); /* get rule option pairs */
for( i=0; i<nargs; i++ )
{
oargs = mSplit(args[i]," ",2,&noargs,0); /* get rule option pairs */
if( noargs != 2 )
{
FatalError("Threshold Parse: argument pairing error\n");
}
if( strcmp(oargs[0],"type")==0 )
{
if( strcmp(oargs[1],"limit") == 0 )
{
thdx.type = THD_TYPE_LIMIT;
}
else if( strcmp(oargs[1],"threshold") == 0 )
{
thdx.type = THD_TYPE_THRESHOLD;
}
else if( strcmp(oargs[1],"both") == 0 )
{
thdx.type = THD_TYPE_BOTH;
}
else
{
/* Fatal incorrect threshold type */
FatalError("Threshold-Parse: incorrect 'type' argument \n");
}
type_flag++;
}
else if( strcmp(oargs[0],"track")==0 )
{
if( strcmp(oargs[1],"by_src") == 0 )
{
thdx.tracking = THD_TRK_SRC;
}
else if( strcmp(oargs[1],"by_dst") == 0 )
{
thdx.tracking = THD_TRK_DST;
}
else
{
/* Fatal incorrect threshold type */
FatalError("Threshold-Parse: incorrect tracking type\n");
}
tracking_flag++;
}
else if( strcmp(oargs[0],"count")==0 )
{
thdx.count = xatou(oargs[1],"threshold: count");
count_flag++;
}
else if( strcmp(oargs[0],"seconds")==0 )
{
thdx.seconds = xatou(oargs[1],"threshold: seconds");
seconds_flag++;
}
else if( strcmp(oargs[0],"gen_id")==0 )
{
thdx.gen_id = xatou(oargs[1],"threshold: gen_id");
genid_flag++;
if( oargs[1][0]== '-' )
FatalError("Threshold-Parse: gen_id < 0 not supported '%s %s'\n",oargs[0],oargs[1]);
}
else if( strcmp(oargs[0],"sig_id")==0 )
{
thdx.sig_id = xatou(oargs[1],"threshold: sig_id");
sigid_flag++;
if( oargs[1][0]== '-' )
FatalError("Threshold-Parse: sig_id < 0 not supported '%s %s'\n",oargs[0],oargs[1]);
}
else
{
/* Fatal incorrect threshold type */
FatalError("Threshold-Parse: unsupported option : %s %s\n",oargs[0],oargs[1]);
}
}
if( (count_flag + tracking_flag + type_flag + seconds_flag + genid_flag + sigid_flag) != 6 )
{
/* Fatal - incorrect argument count */
FatalError("Threshold-Parse: incorrect argument count\n");
}
if( sfthreshold_create( &thdx ) )
{
if( thdx.sig_id == 0 )
{
FatalError("Global Threshold-Parse: could not create a threshold object -- only one per gen_id=%u!\n",thdx.gen_id);
}
else
{
if( thdx.gen_id == 0 )
{
FatalError("Global Threshold-Parse: could not create a threshold object -- a gen_id < 0 requires a sig_id < 0, sig_id=%u !\n",thdx.sig_id);
}
else
{
FatalError("Threshold-Parse: could not create a threshold object -- only one per sig_id=%u!\n",thdx.sig_id);
}
}
}
mSplitFree(&args, nargs);
mSplitFree(&oargs, noargs);
}
static void StreamParseIcmpArgs(char *args, StreamIcmpPolicy *s5IcmpPolicy)
{
char **toks;
int num_toks;
int i;
char **stoks = NULL;
int s_toks;
char *endPtr = NULL;
s5IcmpPolicy->session_timeout = STREAM_DEFAULT_SSN_TIMEOUT;
//s5IcmpPolicy->flags = 0;
if(args != NULL && strlen(args) != 0)
{
toks = mSplit(args, ",", 0, &num_toks, 0);
for (i = 0; i < num_toks; i++)
{
stoks = mSplit(toks[i], " ", 2, &s_toks, 0);
if (s_toks == 0)
{
FatalError("%s(%d) => Missing parameter in Stream ICMP config.\n",
file_name, file_line);
}
if(!strcasecmp(stoks[0], "timeout"))
{
if(stoks[1])
{
s5IcmpPolicy->session_timeout = strtoul(stoks[1], &endPtr, 10);
}
if (!stoks[1] || (endPtr == &stoks[1][0]) || *endPtr)
{
FatalError("%s(%d) => Invalid timeout in config file. Integer parameter required.\n",
file_name, file_line);
}
if ((s5IcmpPolicy->session_timeout > STREAM_MAX_SSN_TIMEOUT) ||
(s5IcmpPolicy->session_timeout < STREAM_MIN_SSN_TIMEOUT))
{
FatalError("%s(%d) => Invalid timeout in config file. "
"Must be between %d and %d\n",
file_name, file_line,
STREAM_MIN_SSN_TIMEOUT, STREAM_MAX_SSN_TIMEOUT);
}
if (s_toks > 2)
{
FatalError("%s(%d) => Invalid Stream ICMP Policy option. Missing comma?\n",
file_name, file_line);
}
}
else
{
FatalError("%s(%d) => Invalid Stream ICMP policy option\n",
file_name, file_line);
}
mSplitFree(&stoks, s_toks);
}
mSplitFree(&toks, num_toks);
}
}
OpSyslog_Data *OpSyslog_ParseArgs(char *args)
{
OpSyslog_Data *op_data = NULL;
op_data = (OpSyslog_Data *)SnortAlloc(sizeof(OpSyslog_Data));
if(args != NULL)
{
char **toks;
int num_toks;
int i;
/* parse out your args */
toks = mSplit(args, ",", 31, &num_toks, '\\');
for(i = 0; i < num_toks; ++i)
{
char **stoks;
int num_stoks;
char *index = toks[i];
while(isspace((int)*index))
++index;
stoks = mSplit(index, " ", 2, &num_stoks, 0);
if(strcasecmp("port", stoks[0]) == 0)
{
if(num_stoks > 1 )
op_data->port = strtoul(stoks[1], NULL, 0);
else
LogMessage("Argument Error in %s(%i): %s\n", file_name,
file_line, index);
}
else if(strcasecmp("server", stoks[0]) == 0)
{
if(num_stoks > 1 && !op_data->server )
op_data->server = strdup(stoks[1]);
else
LogMessage("Argument Error in %s(%i): %s\n", file_name,
file_line, index);
}
else if(strcasecmp("sensor_name", stoks[0]) == 0)
{
if(num_stoks > 1 && !op_data->sensor_name )
op_data->sensor_name = strdup(stoks[1]);
else
LogMessage("Argument Error in %s(%i): %s\n", file_name,
file_line, index);
}
else if(strcasecmp("protocol", stoks[0]) == 0)
{
if(num_stoks > 1)
{
if(strcasecmp("udp", stoks[1]) == 0)
op_data->proto = 0;
else
op_data->proto = 1;
}
else
LogMessage("Argument Error in %s(%i): %s\n", file_name,
file_line, index);
}
else if(strcasecmp("detail", stoks[0]) == 0)
{
if(num_stoks > 1)
{
if(strcasecmp("full", stoks[1]) == 0)
op_data->detail = 1;
}
else
LogMessage("Argument Error in %s(%i): %s\n", file_name,
file_line, index);
}
else if(strcasecmp("delimiters", stoks[0]) == 0)
{
if(num_stoks >= 1)
{
if( (strlen(stoks[1]) > 3) ||
(strlen(stoks[1]) < 3))
{
LogMessage("Invalid delimiters configured [%s], default will be used \n",stoks[1]);
}
else
{
if(stoks[1][0] == '"' &&
stoks[1][2] == '"')
{
op_data->delim = stoks[1][1];
}
else
{
LogMessage("Invalid delimiters configured [%s], default will be used \n",stoks[1]);
}
}
}
}
else if(strcasecmp("separators", stoks[0]) == 0)
{
if(num_stoks >= 1)
{
if( (strlen(stoks[1]) > 3) ||
(strlen(stoks[1]) < 3))
{
LogMessage("Invalid field separator configured [%s], default will be used \n",stoks[1]);
}
else
{
if(stoks[1][0] == '"' &&
stoks[1][2] == '"')
{
op_data->field_separators = stoks[1][1];
}
else
{
LogMessage("Invalid field separator configured [%s], default will be used. \n",stoks[1]);
}
}
}
}
else if(strcasecmp("operation_mode", stoks[0]) == 0)
{
if(num_stoks >=1)
{
if(strcasecmp("default",stoks[1]))
{
op_data->operation_mode = 0;
}
else if(strcasecmp("complete",stoks[1]))
{
op_data->operation_mode = 1;
}
else
{
LogMessage("Invalid operation_mode defined [%s], will use default mode \n",stoks[1]);
}
}
else
{
LogMessage("Invalid operation_mode defined, will use default mode \n");
}
}
else if(strcasecmp("local", stoks[0]) == 0)
{
op_data->local_logging = 1;
}
else if(strcasecmp("log_facility", stoks[0]) == 0)
{
if(num_stoks >=1)
{
if(!strcasecmp("LOG_KERN", stoks[1]))
{
op_data->syslog_priority |= LOG_KERN;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_KERN");
}
else if(!strcasecmp("LOG_MAIL", stoks[1]))
{
op_data->syslog_priority |= LOG_MAIL;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_MAIL");
}
else if(!strcasecmp("LOG_DAEMON", stoks[1]))
{
op_data->syslog_priority |= LOG_DAEMON;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_DAEMON");
}
else if(!strcasecmp("LOG_AUTH", stoks[1]))
{
op_data->syslog_priority |= LOG_AUTH;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_AUTH");
}
else if(!strcasecmp("LOG_SYSLOG", stoks[1]))
{
op_data->syslog_priority |= LOG_SYSLOG;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_SYSLOG");
}
else if(!strcasecmp("LOG_LPR", stoks[1]))
{
op_data->syslog_priority |= LOG_LPR;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_LPR");
}
else if(!strcasecmp("LOG_NEWS", stoks[1]))
{
op_data->syslog_priority |= LOG_NEWS;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_NEWS");
}
else if(!strcasecmp("LOG_UUCP", stoks[1]))
{
op_data->syslog_priority |= LOG_UUCP;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_UUCP");
}
else if(!strcasecmp("LOG_CRON", stoks[1]))
{
op_data->syslog_priority |= LOG_CRON;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_CRON");
}
else if(!strcasecmp("LOG_AUTHPRIV", stoks[1]))
{
op_data->syslog_priority |= LOG_AUTHPRIV;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_AUTHPRIV");
}
else if(!strcasecmp("LOG_FTP", stoks[1]))
{
op_data->syslog_priority |= LOG_FTP;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_FTP");
}
else if(!strcasecmp("LOG_LOCAL1", stoks[1]))
{
op_data->syslog_priority |= LOG_LOCAL1;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_LOCAL1");
}
else if(!strcasecmp("LOG_LOCAL2", stoks[1]))
{
op_data->syslog_priority |= LOG_LOCAL2;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_LOCAL2");
}
else if(!strcasecmp("LOG_LOCAL3", stoks[1]))
{
op_data->syslog_priority |= LOG_LOCAL3;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_LOCAL3");
}
else if(!strcasecmp("LOG_LOCAL4", stoks[1]))
{
op_data->syslog_priority |= LOG_LOCAL4;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_LOCAL4");
}
else if(!strcasecmp("LOG_LOCAL5", stoks[1]))
{
op_data->syslog_priority |= LOG_LOCAL5;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_LOCAL5");
}
else if(!strcasecmp("LOG_LOCAL6", stoks[1]))
{
op_data->syslog_priority |= LOG_LOCAL6;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_LOCAL6");
}
else if(!strcasecmp("LOG_LOCAL7", stoks[1]))
{
op_data->syslog_priority |= LOG_LOCAL7;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_LOCAL7");
}
else if(!strcasecmp("LOG_USER", stoks[1]))
{
op_data->syslog_priority |= LOG_USER;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_USER");
}
else
{
LogMessage("[%s()]: Unknown log_facility defined [%s], using \"LOG_USER\" as default \n",
__FUNCTION__,
stoks[1]);
op_data->syslog_priority |= LOG_USER;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_USER");
}
}
else
{
LogMessage("No default log_facility defined, using LOG_USER as default \n");
op_data->syslog_priority |= LOG_USER;
}
}
else if(strcasecmp("log_priority", stoks[0]) == 0)
{
if(num_stoks >=1)
{
if(!strcasecmp("LOG_EMERG",stoks[1]))
{
op_data->syslog_priority |= LOG_EMERG;
snprintf(op_data->syslog_tx_priority,16,"%s","LOG_EMERG");
}
else if(!strcasecmp("LOG_ALERT", stoks[1]))
{
op_data->syslog_priority |= LOG_ALERT;
snprintf(op_data->syslog_tx_priority,16,"%s","LOG_ALERT");
}
else if(!strcasecmp("LOG_CRIT", stoks[1]))
{
op_data->syslog_priority |=LOG_CRIT;
snprintf(op_data->syslog_tx_priority,16,"%s","LOG_CRIT");
}
else if(!strcasecmp("LOG_ERR", stoks[1]))
{
op_data->syslog_priority |=LOG_ERR;
snprintf(op_data->syslog_tx_priority,16,"%s","LOG_ERR");
}
else if(!strcasecmp("LOG_WARNING", stoks[1]))
{
op_data->syslog_priority |= LOG_WARNING;
snprintf(op_data->syslog_tx_priority,16,"%s","LOG_WARNING");
}
else if(!strcasecmp("LOG_NOTICE", stoks[1]))
{
op_data->syslog_priority |= LOG_NOTICE;
snprintf(op_data->syslog_tx_priority,16,"%s","LOG_NOTICE");
}
else if(!strcasecmp("LOG_INFO", stoks[1]))
{
op_data->syslog_priority |=LOG_INFO;
snprintf(op_data->syslog_tx_priority,16,"%s","LOG_INFO");
}
else if(!strcasecmp("LOG_DEBUG", stoks[1]))
{
op_data->syslog_priority |= LOG_DEBUG;
snprintf(op_data->syslog_tx_priority,16,"%s","LOG_DEBUG");
}
else
{
LogMessage("[%s()]: Unknown log_priority defined [%s], using \"LOG_INFO\" as default \n",
__FUNCTION__,
stoks[1]);
op_data->syslog_priority |= LOG_INFO;
}
}
else
{
LogMessage("No default log_priority defined, using LOG_INFO as default \n");
op_data->syslog_priority |= LOG_INFO;
}
}
else
{
fprintf(stderr, "WARNING %s (%d) => Unrecognized argument for "
"SyslogFull plugin: %s\n", file_name, file_line, index);
}
}
/* free your mSplit tokens */
mSplitFree(&toks, num_toks);
}
/* Default */
if(op_data->sensor_name == NULL)
{
FatalError("You must specify a sensor name\n");
}
if(op_data->syslog_priority == 0)
{
op_data->syslog_priority = LOG_INFO | LOG_USER;
snprintf(op_data->syslog_tx_facility,16,"%s","LOG_USER");
snprintf(op_data->syslog_tx_priority,16,"%s","LOG_INFO");
}
if(op_data->local_logging == 1)
{
LogMessage("Local logging enabled, WILL NOT send information to a remote syslog \n");
}
if( op_data->local_logging == 0)
{
if(op_data->port == 0)
{
LogMessage("Using default Syslog port [%u] \n",op_data->port);
op_data->port = 514;
}
if( op_data->server == NULL)
{
FatalError("You must specify a valid server \n");
}
}
if(op_data->operation_mode == 0)
{
LogMessage("using operation_mode: default \n");
}
else if(op_data->operation_mode == 1)
{
LogMessage("using operation_mode: complete \n");
if(op_data->delim == 0)
{
LogMessage("Using default delimiters for syslog messages \"|\"\n");
op_data->delim = '|';
}
else
{
LogMessage("Using \"%c\" as delimiters for syslog messages \n",op_data->delim);
}
if(op_data->field_separators == 0)
{
LogMessage("Using default field separators for syslog messages \" \"\n");
op_data->field_separators= ' ';
}
else
{
LogMessage("Using \"%c\" as field separators for syslog messages \n",op_data->field_separators);
}
}
else
{
LogMessage("Defaulting operation_mode to default. \n");
op_data->operation_mode = 0;
}
return op_data;
}