static int DecideHighEntropyFlow(FlowRecord * flow_record)
{
int i = 0;
int j = 0;
int SEQSys = 0;
int SkipPacket = 0;
int repeat_packet = 0;
int TotalPktNumber = 0;
int TotalEncrypt = 0;
int TotalNonEncrypt = 0;
int SequentEncrypt = 0;
int EncryptPktAfterSeq = 0;
int NonEncryptPktAfterSeq = 0;
int TotalZeroPayload = 0;
int ZeroPayloadAfterSeq = 0;
//printf("DecideHighEntropyFlow\n");
if(flow_record->have_payload != 1)
{
return 0;
}
//the flow record has been labeled
if(flow_record->labeled != -1)
{
return 0;
}
for(i=0; i < flow_record->packet_count; i++)
{
if(i >= PktsLimit)
{
break;
}
repeat_packet = 0;
TotalPktNumber++;
/*check whether packet has high entropy*/
if(flow_record->pkt_entropy[i] == 1)
{
TotalEncrypt++;
SequentEncrypt++;
/*the first encrypted packet*/
if(SequentEncrypt == 1)
{
EncryptPktAfterSeq++;
ZeroPayloadAfterSeq = 0;
}
else if(SequentEncrypt < SEQ_HIGH_ENTROPY)
{
EncryptPktAfterSeq++;
}
else if(SequentEncrypt == SEQ_HIGH_ENTROPY)
{
/*set the flow as have N sequential high entropy packets*/
SEQSys = 1;
SkipPacket = TotalPktNumber - SEQ_HIGH_ENTROPY - ZeroPayloadAfterSeq;
EncryptPktAfterSeq = SequentEncrypt;
}
else if(SequentEncrypt > SEQ_HIGH_ENTROPY)
{
EncryptPktAfterSeq++;
}
}
/*the packet has low entropy*/
else if( flow_record->pkt_entropy[i] == -1 )
{
TotalNonEncrypt++;
/*the flow doesn't have N sequential high entropy packets*/
if(SequentEncrypt < SEQ_HIGH_ENTROPY)
{
EncryptPktAfterSeq = 0;
NonEncryptPktAfterSeq = 0;
ZeroPayloadAfterSeq = 0;
SequentEncrypt = 0;
}
/*the flow has N sequential high entropy packets*/
else if(SequentEncrypt >= SEQ_HIGH_ENTROPY)
{
NonEncryptPktAfterSeq++;
}
}
else if(flow_record->pkt_entropy[i] == 0)
{
TotalZeroPayload++;
ZeroPayloadAfterSeq++;
}
}
if((SEQSys == 1) && ( EncryptPktAfterSeq * 100 > ( EncryptPktAfterSeq + NonEncryptPktAfterSeq) * HEPercent))
{
flow_record->labeled = 1;
OptTreeNode * otn = OtnLookup(snort_conf->otn_map, GENERATOR_SPP_ENTROPY, HE_TRAFFIC_DETECT);
char log_timestamp[TIMEBUF_SIZE];
struct timeval log_timeval;
char proto[16];
log_timeval.tv_sec = flow_record->first_sec;
log_timeval.tv_usec = flow_record->first_usec;
ts_print(&log_timeval, log_timestamp);
if(flow_record->proto == 6)
{
strcpy(proto, "TCP");
}
else if(flow_record->proto == 17)
{
strcpy(proto, "UDP");
}
fprintf(LOG_FILE_DESCRIPTOR, "\n[**] [%d:%d:%d] %s [**]\n[Classification: %s] [Priority: %d]\n %s %s %s:%d <-> %s:%d\n", otn->sigInfo.generator, otn->sigInfo.id, otn->sigInfo.rev, otn->sigInfo.message, otn->sigInfo.classType->name, otn->sigInfo.priority, log_timestamp, proto, flow_record->src_ip, flow_record->src_port, flow_record->dst_ip, flow_record->dst_port);
TotalEncryptFlows++;
return 1;
}
else
{
flow_record->labeled = 0;
TotalNonEncryptFlows++;
return -1;
}
return 0;
}
/*
* Changed so events are inserted in action config order 'drop alert ...',
* and sub sorted in each action group by priority or content length.
* The sub sorting is done in fpFinalSelect inf fpdetect.c. Once the
* events are inserted they can all be logged, as we only insert
* g_event_queue.log_events into the queue.
* ... Jan '06
*/
int SnortEventqAdd(unsigned int gid,
unsigned int sid,
unsigned int rev,
unsigned int classification,
unsigned int pri,
char *msg,
void *rule_info)
{
EventNode *en;
en = (EventNode *)sfeventq_event_alloc(snort_conf->event_queue);
if(!en)
return -1;
en->gid = gid;
en->sid = sid;
en->rev = rev;
en->classification = classification;
en->priority = pri;
en->msg = msg;
en->rule_info = rule_info;
/*
* Check if we have a preprocessor or decoder event
* Preprocessors and decoders may be configured to inspect
* and alert in their principle configuration (legacy code)
* this test than checks if the rule otn says they should
* be enabled or not. The rule itself will decide if it should
* be an alert or a drop (sdrop) condition.
*/
#ifdef PREPROCESSOR_AND_DECODER_RULE_EVENTS
{
struct _OptTreeNode * potn;
/* every event should have a rule/otn */
potn = OtnLookup(snort_conf->otn_map, gid, sid);
/*
* if no rule otn exists for this event, than it was
* not enabled via rules
*/
if (potn == NULL)
{
if (ScAutoGenPreprocDecoderOtns())
{
/* Generate an OTN if configured to do so.... */
potn = GenerateSnortEventOtn(en->gid,
en->sid,
en->rev,
en->classification,
en->priority,
en->msg);
if (potn != NULL)
OtnLookupAdd(snort_conf->otn_map, potn);
}
}
if (potn == NULL)
{
/* no otn found/created - do not add it to the queue */
return 0;
}
}
#endif
if (sfeventq_add(snort_conf->event_queue, (void *)en))
{
return -1;
}
return 0;
}
void ppm_pkt_log(ppm_cfg_t *ppm_cfg, Packet* p)
{
int filterEvent = 0;
if (!ppm_cfg->max_pkt_ticks)
return;
ppm_cfg->pkt_event_cnt++;
if (ppm_cfg->pkt_log & PPM_LOG_ALERT)
{
OptTreeNode* potn;
Event ev;
/* make sure we have an otn already in our table for this event */
potn = OtnLookup(snort_conf->otn_map, GENERATOR_PPM, PPM_EVENT_PACKET_ABORTED);
if (potn == NULL)
{
/* have to make one */
potn = GenerateSnortEventOtn(GENERATOR_PPM, /* GID */
PPM_EVENT_PACKET_ABORTED, /* SID */
1, /* Rev */
0, /* classification */
3, /* priority (low) */
PPM_EVENT_PACKET_ABORTED_STR /* msg string */);
if (potn == NULL)
return;
OtnLookupAdd(snort_conf->otn_map, potn);
}
SetEvent(&ev,
potn->sigInfo.generator, /* GID */
potn->sigInfo.id, /* SID */
potn->sigInfo.rev, /* Rev */
potn->sigInfo.class_id, /* classification */
potn->sigInfo.priority, /* priority (low) */
#if !defined(FEAT_OPEN_APPID)
0);
#else /* defined(FEAT_OPEN_APPID) */
0, NULL);
#endif /* defined(FEAT_OPEN_APPID) */
if ( IPH_IS_VALID(p) )
{
filterEvent = sfthreshold_test(
potn->event_data.sig_generator,
potn->event_data.sig_id,
GET_SRC_IP(p), GET_DST_IP(p),
p->pkth->ts.tv_sec);
}
else
{
snort_ip cleared;
IP_CLEAR(cleared);
filterEvent = sfthreshold_test(
potn->event_data.sig_generator,
potn->event_data.sig_id,
IP_ARG(cleared), IP_ARG(cleared),
p->pkth->ts.tv_sec);
}
if(filterEvent < 0)
filterEvent = 0;
else
AlertAction(p, potn, &ev);
}
static int LogSnortEvents(void *event, void *user)
{
Packet *p;
EventNode *en;
OTNX *otnx;
struct _OptTreeNode * potn;
SNORT_EVENTQ_USER *snort_user;
if(!event || !user)
return 0;
en = (EventNode *)event;
snort_user = (SNORT_EVENTQ_USER *)user;
p = (Packet *)snort_user->pkt;
/*
** Log rule events differently because we have to.
*/
if(en->rule_info)
{
otnx = (OTNX *)en->rule_info;
if(!otnx->otn || !getRuntimeRtnFromOtn(otnx->otn))
return 0;
snort_user->rule_alert = otnx->otn->sigInfo.rule_flushing;
fpLogEvent(getRuntimeRtnFromOtn(otnx->otn), otnx->otn, p);
}
else
{
/* Look up possible decoder and preprocessor event otn */
potn = OtnLookup(snort_conf->otn_map, en->gid, en->sid);
if (potn == NULL)
{
#ifdef PREPROCESSOR_AND_DECODER_RULE_EVENTS
if (ScAutoGenPreprocDecoderOtns())
{
/* Generate an OTN if configured to do so.... */
potn = GenerateSnortEventOtn(en->gid,
en->sid,
en->rev,
en->classification,
en->priority,
en->msg);
}
#else
/* Always generate an OTN.... */
potn = GenerateSnortEventOtn(en->gid,
en->sid,
en->rev,
en->classification,
en->priority,
en->msg);
#endif
if (potn != NULL)
{
OtnLookupAdd(snort_conf->otn_map, potn);
}
}
if( potn )
{
char *tmp = potn->sigInfo.message;
snort_user->rule_alert = potn->sigInfo.rule_flushing;
potn->sigInfo.message = en->msg;
fpLogEvent( getRuntimeRtnFromOtn(potn), potn, p );
potn->sigInfo.message = tmp;
}
}
sfthreshold_reset();
return 0;
}
