/** * \brief Search for a threshold data into threshold hash table * * \param de_ctx Dectection Context * \param tsh_ptr Threshold element * \param p Packet structure * * \retval lookup_tsh Return the threshold element */ DetectThresholdEntry *ThresholdHashSearch(DetectEngineCtx *de_ctx, DetectThresholdEntry *tsh_ptr, Packet *p) { SCEnter(); DetectThresholdEntry *lookup_tsh = NULL; SCLogDebug("tsh_ptr->track %u", tsh_ptr->track); if (tsh_ptr->track == TRACK_DST) { if (PKT_IS_IPV4(p)) { SCLogDebug("ipv4 dst"); lookup_tsh = HashListTableLookup(de_ctx->ths_ctx.threshold_hash_table_dst, tsh_ptr, sizeof(DetectThresholdEntry)); } else if (PKT_IS_IPV6(p)) { lookup_tsh = HashListTableLookup(de_ctx->ths_ctx.threshold_hash_table_dst_ipv6, tsh_ptr, sizeof(DetectThresholdEntry)); } } else if (tsh_ptr->track == TRACK_SRC) { if (PKT_IS_IPV4(p)) { SCLogDebug("ipv4 src"); lookup_tsh = HashListTableLookup(de_ctx->ths_ctx.threshold_hash_table_src, tsh_ptr, sizeof(DetectThresholdEntry)); } else if (PKT_IS_IPV6(p)) lookup_tsh = HashListTableLookup(de_ctx->ths_ctx.threshold_hash_table_src_ipv6, tsh_ptr, sizeof(DetectThresholdEntry)); } else { SCLogDebug("no track, weird"); } SCReturnPtr(lookup_tsh, "DetectThresholdEntry"); }
/** * \brief Handle a packet and check if needs a threshold logic * Also apply rule action if necessary. * * \param de_ctx Detection Context * \param sig Signature pointer * \param p Packet structure * * \retval 1 alert is not suppressed * \retval 0 alert is suppressed */ static int PacketAlertHandle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Signature *s, Packet *p, uint16_t pos) { SCEnter(); int ret = 1; DetectThresholdData *td = NULL; SigMatch *sm = NULL; if (!(PKT_IS_IPV4(p) || PKT_IS_IPV6(p))) { SCReturnInt(1); } do { td = SigGetThresholdTypeIter(s, p, &sm); if (td != NULL) { SCLogDebug("td %p", td); /* PacketAlertThreshold returns 2 if the alert is suppressed but * we do need to apply rule actions to the packet. */ ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s); if (ret == 0 || ret == 2) { /* It doesn't match threshold, remove it */ SCReturnInt(ret); } } } while (sm != NULL); SCReturnInt(1); }
/** * \brief Recalculate the csum for a modified packet * * \param p packet to inspect */ void StreamTcpInlineRecalcCsum(Packet *p) { if (!(p->flags & PKT_STREAM_MODIFIED)) { SCReturn; } if (!(PKT_IS_TCP(p))) { SCReturn; } if (PKT_IS_IPV4(p)) { /* TCP */ p->tcph->th_sum = 0; p->tcph->th_sum = TCPCalculateChecksum((uint16_t *)&(p->ip4h->ip_src), (uint16_t *)p->tcph, (p->payload_len + p->tcpvars.hlen)); /* IPV4 */ p->ip4h->ip_csum = 0; p->ip4h->ip_csum = IPV4CalculateChecksum((uint16_t *)p->ip4h, IPV4_GET_RAW_HLEN(p->ip4h)); } else if (PKT_IS_IPV6(p)) { /* just TCP for IPV6 */ p->tcph->th_sum = 0; p->tcph->th_sum = TCPV6CalculateChecksum((uint16_t *)&(p->ip6h->ip6_src), (uint16_t *)p->tcph, (p->payload_len + p->tcpvars.hlen)); } SCReturn; }
/** * \brief Handle a packet and check if needs a threshold logic * * \param de_ctx Detection Context * \param sig Signature pointer * \param p Packet structure * * \retval 1 alert is not suppressed * \retval 0 alert is suppressed */ static int PacketAlertHandle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Signature *s, Packet *p, uint16_t pos) { SCEnter(); int ret = 1; DetectThresholdData *td = NULL; SigMatch *sm = NULL; if (!(PKT_IS_IPV4(p) || PKT_IS_IPV6(p))) { SCReturnInt(1); } do { td = SigGetThresholdTypeIter(s, p, &sm); if (td != NULL) { SCLogDebug("td %p", td); ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s); if (ret == 0) { /* It doesn't match threshold, remove it */ PacketAlertRemove(p, pos); break; } } } while (sm != NULL); SCReturnInt(ret); }
static inline DetectThresholdEntry *DetectThresholdEntryAlloc(DetectThresholdData *td, Packet *p, Signature *s) { SCEnter(); DetectThresholdEntry *ste = SCMalloc(sizeof(DetectThresholdEntry)); if (ste == NULL) { SCReturnPtr(NULL, "DetectThresholdEntry"); } if (PKT_IS_IPV4(p)) ste->ipv = 4; else if (PKT_IS_IPV6(p)) ste->ipv = 6; ste->sid = s->id; ste->gid = s->gid; if (td->track == TRACK_DST) { COPY_ADDRESS(&p->dst, &ste->addr); } else if (td->track == TRACK_SRC) { COPY_ADDRESS(&p->src, &ste->addr); } ste->track = td->track; ste->seconds = td->seconds; ste->tv_timeout = 0; SCReturnPtr(ste, "DetectThresholdEntry"); }
static void PrefilterPacketFragOffsetMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx) { if (PKT_IS_PSEUDOPKT(p)) return; uint16_t frag; if (PKT_IS_IPV4(p)) { frag = IPV4_GET_IPOFFSET(p); } else if (PKT_IS_IPV6(p)) { if (IPV6_EXTHDR_ISSET_FH(p)) { frag = IPV6_EXTHDR_GET_FH_OFFSET(p); } else { return; } } else { SCLogDebug("No IPv4 or IPv6 packet"); return; } const PrefilterPacketHeaderCtx *ctx = pectx; if (FragOffsetMatch(frag, ctx->v1.u8[0], ctx->v1.u16[1])) { PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt); } }
int ReCalculateChecksum(Packet *p) { if (PKT_IS_IPV4(p)) { if (PKT_IS_TCP(p)) { /* TCP */ p->tcph->th_sum = 0; p->tcph->th_sum = TCPChecksum(p->ip4h->s_ip_addrs, (uint16_t *)p->tcph, (p->payload_len + TCP_GET_HLEN(p)), 0); } else if (PKT_IS_UDP(p)) { p->udph->uh_sum = 0; p->udph->uh_sum = UDPV4Checksum(p->ip4h->s_ip_addrs, (uint16_t *)p->udph, (p->payload_len + UDP_HEADER_LEN), 0); } /* IPV4 */ p->ip4h->ip_csum = 0; p->ip4h->ip_csum = IPV4Checksum((uint16_t *)p->ip4h, IPV4_GET_RAW_HLEN(p->ip4h), 0); } else if (PKT_IS_IPV6(p)) { /* just TCP for IPV6 */ if (PKT_IS_TCP(p)) { p->tcph->th_sum = 0; p->tcph->th_sum = TCPV6Checksum(p->ip6h->s_ip6_addrs, (uint16_t *)p->tcph, (p->payload_len + TCP_GET_HLEN(p)), 0); } else if (PKT_IS_UDP(p)) { p->udph->uh_sum = 0; p->udph->uh_sum = UDPV6Checksum(p->ip6h->s_ip6_addrs, (uint16_t *)p->udph, (p->payload_len + UDP_HEADER_LEN), 0); } } return 0; }
/** * \brief This function is used to match TEMPLATE rule option on a packet * * \param t pointer to thread vars * \param det_ctx pointer to the pattern matcher thread * \param p pointer to the current packet * \param m pointer to the sigmatch with context that we will cast into DetectTemplateData * * \retval 0 no match * \retval 1 match */ static int DetectTemplateMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, const SigMatchCtx *ctx) { int ret = 0; const DetectTemplateData *templated = (const DetectTemplateData *) ctx; #if 0 if (PKT_IS_PSEUDOPKT(p)) { /* fake pkt */ } if (PKT_IS_IPV4(p)) { /* ipv4 pkt */ } else if (PKT_IS_IPV6(p)) { /* ipv6 pkt */ } else { SCLogDebug("packet is of not IPv4 or IPv6"); return ret; } #endif /* packet payload access */ if (p->payload != NULL && p->payload_len > 0) { if (templated->arg1 == p->payload[0] && templated->arg2 == p->payload[p->payload_len - 1]) { ret = 1; } } return ret; }
/** * \brief This function is used to match TTL rule option on a packet with those passed via ttl: * * \param t pointer to thread vars * \param det_ctx pointer to the pattern matcher thread * \param p pointer to the current packet * \param m pointer to the sigmatch that we will cast into DetectTtlData * * \retval 0 no match * \retval 1 match */ int DetectTtlMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *m) { int ret = 0; uint8_t pttl; DetectTtlData *ttld = (DetectTtlData *) m->ctx; if (PKT_IS_PSEUDOPKT(p)) return 0; if (PKT_IS_IPV4(p)) { pttl = IPV4_GET_IPTTL(p); } else if (PKT_IS_IPV6(p)) { pttl = IPV6_GET_HLIM(p); } else { SCLogDebug("Packet is of not IPv4 or IPv6"); return ret; } if (ttld->mode == DETECT_TTL_EQ && pttl == ttld->ttl1) ret = 1; else if (ttld->mode == DETECT_TTL_LT && pttl < ttld->ttl1) ret = 1; else if (ttld->mode == DETECT_TTL_GT && pttl > ttld->ttl1) ret = 1; else if (ttld->mode == DETECT_TTL_RA && (pttl > ttld->ttl1 && pttl < ttld->ttl2)) ret = 1; return ret; }
/** * \brief This function is used to match fragoffset rule option set on a packet * * \param t pointer to thread vars * \param det_ctx pointer to the pattern matcher thread * \param p pointer to the current packet * \param m pointer to the sigmatch that we will cast into DetectFragOffsetData * * \retval 0 no match or frag is not set * \retval 1 match * */ int DetectFragOffsetMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, const SigMatchCtx *ctx) { uint16_t frag = 0; const DetectFragOffsetData *fragoff = (const DetectFragOffsetData *)ctx; if (PKT_IS_PSEUDOPKT(p)) return 0; if (PKT_IS_IPV4(p)) { frag = IPV4_GET_IPOFFSET(p); } else if (PKT_IS_IPV6(p)) { if(IPV6_EXTHDR_FH(p)) { frag = IPV6_EXTHDR_GET_FH_OFFSET(p); } else { return 0; } } else { SCLogDebug("No IPv4 or IPv6 packet"); return 0; } switch (fragoff->mode) { case FRAG_LESS: if (frag < fragoff->frag_off) return 1; break; case FRAG_MORE: if (frag > fragoff->frag_off) return 1; break; default: if (frag == fragoff->frag_off) return 1; } return 0; }
static void PrefilterPacketTtlMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx) { if (PKT_IS_PSEUDOPKT(p)) { SCReturn; } uint8_t pttl; if (PKT_IS_IPV4(p)) { pttl = IPV4_GET_IPTTL(p); } else if (PKT_IS_IPV6(p)) { pttl = IPV6_GET_HLIM(p); } else { SCLogDebug("Packet is of not IPv4 or IPv6"); return; } const PrefilterPacketHeaderCtx *ctx = pectx; if (PrefilterPacketHeaderExtraMatch(ctx, p) == FALSE) return; if (TtlMatch(pttl, ctx->v1.u8[0], ctx->v1.u8[1], ctx->v1.u8[2])) { SCLogDebug("packet matches ttl/hl %u", pttl); PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt); } }
static int LogFilestoreLogger(ThreadVars *tv, void *thread_data, const Packet *p, const File *ff, const FileData *ffd, uint8_t flags) { SCEnter(); LogFilestoreLogThread *aft = (LogFilestoreLogThread *)thread_data; char filename[PATH_MAX] = ""; int file_fd = -1; int ipver = -1; /* no flow, no htp state */ if (p->flow == NULL) { SCReturnInt(TM_ECODE_OK); } if (PKT_IS_IPV4(p)) { ipver = AF_INET; } else if (PKT_IS_IPV6(p)) { ipver = AF_INET6; } else { return 0; } SCLogDebug("ff %p, ffd %p", ff, ffd); snprintf(filename, sizeof(filename), "%s/file.%u", g_logfile_base_dir, ff->file_id); if (flags & OUTPUT_FILEDATA_FLAG_OPEN) { aft->file_cnt++; /* create a .meta file that contains time, src/dst/sp/dp/proto */ LogFilestoreLogCreateMetaFile(p, ff, filename, ipver); file_fd = open(filename, O_CREAT | O_TRUNC | O_NOFOLLOW | O_WRONLY, 0644); if (file_fd == -1) { SCLogDebug("failed to create file"); return -1; } /* we can get called with a NULL ffd when we need to close */ } else if (ffd != NULL) { file_fd = open(filename, O_APPEND | O_NOFOLLOW | O_WRONLY); if (file_fd == -1) { SCLogDebug("failed to open file %s: %s", filename, strerror(errno)); return -1; } } if (file_fd != -1) { ssize_t r = write(file_fd, (const void *)ffd->data, (size_t)ffd->len); if (r == -1) { SCLogDebug("write failed: %s", strerror(errno)); } close(file_fd); } if (flags & OUTPUT_FILEDATA_FLAG_CLOSE) { LogFilestoreLogCloseMetaFile(ff); } return 0; }
static void DBLogAlState(void *alstate, AppProto proto, const Packet *p, json_t *js, const char *name) { if ((PKT_IS_TOCLIENT(p))) { /* drop server -> client log */ return; } char timebuf[64]; CreateTimeString(&p->ts, timebuf, sizeof(timebuf)); char srcip[46], dstip[46]; json_t *dbjs = json_object(); if (dbjs == NULL) return; if (PKT_IS_IPV4(p)) { PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip)); PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip)); } else { PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip)); PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); } #if 0 char *dbtype = AlstateGetDBType(alstate, proto); char *username = AlstateGetUsername(alstate, proto); char *dbname = AlstateGetDBname(alstate, proto); char *dbopr = AlstateGetDBOpr(alstate, proto); char *action = AlstateGetAction(alstate, proto); char *meta = AlstateGetMetaInfo(alstate, proto); if (dbtype != NULL) { json_object_set_new(dbjs, "time", timebuf); } if (username != NULL) { json_object_set_new(dbjs, "user", username); } if (dbname != NULL) { json_object_set_new(dbjs, "db_name", dbname); } if (dbopr != NULL) { json_object_set_new(dbjs, "db_operation", dbopr); } if (action != NULL) { json_object_set_new(dbjs, "action", action); } if (meta != NULL) { json_object_set_new(dbjs, "meta_info", meta); } #endif json_object_set_new(js, name, dbjs); }
static int AlertDebugLogLogger(ThreadVars *tv, void *thread_data, const Packet *p) { if (PKT_IS_IPV4(p) || PKT_IS_IPV6(p)) { return AlertDebugLogger(tv, p, thread_data); } else if (p->events.cnt > 0) { return AlertDebugLogDecoderEvent(tv, p, thread_data); } return TM_ECODE_OK; }
void SCProfilingPrintPacketProfile(Packet *p) { if (profiling_packets_csv_enabled == 0 || p == NULL || packet_profile_csv_fp == NULL || p->profile == NULL) { return; } uint64_t delta = p->profile->ticks_end - p->profile->ticks_start; fprintf(packet_profile_csv_fp, "%"PRIu64",%c,%"PRIu8",%"PRIu64",", p->pcap_cnt, PKT_IS_IPV4(p) ? '4' : (PKT_IS_IPV6(p) ? '6' : '?'), p->proto, delta); int i; uint64_t tmm_total = 0; uint64_t tmm_streamtcp_tcp = 0; for (i = 0; i < TMM_SIZE; i++) { PktProfilingTmmData *pdt = &p->profile->tmm[i]; uint64_t tmm_delta = pdt->ticks_end - pdt->ticks_start; fprintf(packet_profile_csv_fp, "%"PRIu64",", tmm_delta); tmm_total += tmm_delta; if (p->proto == IPPROTO_TCP && i == TMM_STREAMTCP) { tmm_streamtcp_tcp = tmm_delta; } } fprintf(packet_profile_csv_fp, "%"PRIu64",", delta - tmm_total); uint64_t app_total = 0; for (i = 0; i < ALPROTO_MAX; i++) { PktProfilingAppData *pdt = &p->profile->app[i]; fprintf(packet_profile_csv_fp,"%"PRIu64",", pdt->ticks_spent); if (p->proto == IPPROTO_TCP) { app_total += pdt->ticks_spent; } } uint64_t real_tcp = 0; if (tmm_streamtcp_tcp > app_total) real_tcp = tmm_streamtcp_tcp - app_total; fprintf(packet_profile_csv_fp, "%"PRIu64",", real_tcp); fprintf(packet_profile_csv_fp, "%"PRIu64",", p->profile->proto_detect); for (i = 0; i < PROF_DETECT_SIZE; i++) { PktProfilingDetectData *pdt = &p->profile->detect[i]; fprintf(packet_profile_csv_fp,"%"PRIu64",", pdt->ticks_spent); } fprintf(packet_profile_csv_fp,"\n"); }
static inline int DefragTrackerCompare(DefragTracker *t, Packet *p) { uint32_t id; if (PKT_IS_IPV4(p)) { id = (uint32_t)IPV4_GET_IPID(p); } else { id = IPV6_EXTHDR_GET_FH_ID(p); } return CMP_DEFRAGTRACKER(t, p, id); }
static int JsonAlertLogger(ThreadVars *tv, void *thread_data, const Packet *p) { JsonAlertLogThread *aft = thread_data; if (PKT_IS_IPV4(p) || PKT_IS_IPV6(p)) { return AlertJson(tv, aft, p); } else if (p->alerts.cnt > 0) { return AlertJsonDecoderEvent(tv, aft, p); } return 0; }
TmEcode AlertFastLog (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq) { if (PKT_IS_IPV4(p)) { return AlertFastLogIPv4(tv, p, data, pq, postpq); } else if (PKT_IS_IPV6(p)) { return AlertFastLogIPv6(tv, p, data, pq, postpq); } else if (p->events.cnt > 0) { return AlertFastLogDecoderEvent(tv, p, data, pq, postpq); } return TM_ECODE_OK; }
/* initialize the flow from the first packet * we see from it. */ void FlowInit(Flow *f, const Packet *p) { SCEnter(); SCLogDebug("flow %p", f); f->proto = p->proto; f->recursion_level = p->recursion_level; f->vlan_id[0] = p->vlan_id[0]; f->vlan_id[1] = p->vlan_id[1]; if (PKT_IS_IPV4(p)) { FLOW_SET_IPV4_SRC_ADDR_FROM_PACKET(p, &f->src); FLOW_SET_IPV4_DST_ADDR_FROM_PACKET(p, &f->dst); f->flags |= FLOW_IPV4; } else if (PKT_IS_IPV6(p)) { FLOW_SET_IPV6_SRC_ADDR_FROM_PACKET(p, &f->src); FLOW_SET_IPV6_DST_ADDR_FROM_PACKET(p, &f->dst); f->flags |= FLOW_IPV6; } #ifdef DEBUG /* XXX handle default */ else { printf("FIXME: %s:%s:%" PRId32 "\n", __FILE__, __FUNCTION__, __LINE__); } #endif if (p->tcph != NULL) { /* XXX MACRO */ SET_TCP_SRC_PORT(p,&f->sp); SET_TCP_DST_PORT(p,&f->dp); } else if (p->udph != NULL) { /* XXX MACRO */ SET_UDP_SRC_PORT(p,&f->sp); SET_UDP_DST_PORT(p,&f->dp); } else if (p->icmpv4h != NULL) { f->type = p->type; f->code = p->code; } else if (p->icmpv6h != NULL) { f->type = p->type; f->code = p->code; } else if (p->sctph != NULL) { /* XXX MACRO */ SET_SCTP_SRC_PORT(p,&f->sp); SET_SCTP_DST_PORT(p,&f->dp); } /* XXX handle default */ #ifdef DEBUG else { printf("FIXME: %s:%s:%" PRId32 "\n", __FILE__, __FUNCTION__, __LINE__); } #endif COPY_TIMESTAMP(&p->ts, &f->startts); f->protomap = FlowGetProtoMapping(f->proto); SCReturn; }
/** \internal * \brief fill lua stack with header info * \param luastate the lua state * \param p packet * \retval cnt number of data items placed on the stack * * Places: ipver (number), src ip (string), dst ip (string), protocol (number), * sp or icmp type (number), dp or icmp code (number). */ static int LuaCallbackTuplePushToStackFromPacket(lua_State *luastate, const Packet *p) { int ipver = 0; if (PKT_IS_IPV4(p)) { ipver = 4; } else if (PKT_IS_IPV6(p)) { ipver = 6; } lua_pushnumber (luastate, ipver); if (ipver == 0) return 1; char srcip[46] = "", dstip[46] = ""; if (PKT_IS_IPV4(p)) { PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip)); PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip)); } else if (PKT_IS_IPV6(p)) { PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip)); PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); } lua_pushstring (luastate, srcip); lua_pushstring (luastate, dstip); /* proto and ports (or type/code) */ lua_pushnumber (luastate, p->proto); if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP) { lua_pushnumber (luastate, p->sp); lua_pushnumber (luastate, p->dp); } else if (p->proto == IPPROTO_ICMP || p->proto == IPPROTO_ICMPV6) { lua_pushnumber (luastate, p->type); lua_pushnumber (luastate, p->code); } else { lua_pushnumber (luastate, 0); lua_pushnumber (luastate, 0); } return 6; }
void SCProfilingUpdatePacketAppRecords(Packet *p) { int i; for (i = 0; i < ALPROTO_MAX; i++) { PktProfilingAppData *pdt = &p->profile.app[i]; if (pdt->ticks_spent > 0) { if (PKT_IS_IPV4(p)) { SCProfilingUpdatePacketAppRecord(i, p->proto, pdt, 4); } else { SCProfilingUpdatePacketAppRecord(i, p->proto, pdt, 6); } } } if (p->profile.proto_detect > 0) { if (PKT_IS_IPV4(p)) { SCProfilingUpdatePacketAppPdRecord(p->proto, p->profile.proto_detect, 4); } else { SCProfilingUpdatePacketAppPdRecord(p->proto, p->profile.proto_detect, 6); } } }
static void SCProfilingUpdatePacketLogRecords(Packet *p) { for (LoggerId i = 0; i < LOGGER_SIZE; i++) { PktProfilingLoggerData *pdt = &p->profile->logger[i]; if (pdt->ticks_spent > 0) { if (PKT_IS_IPV4(p)) { SCProfilingUpdatePacketLogRecord(i, p->proto, pdt, 4); } else { SCProfilingUpdatePacketLogRecord(i, p->proto, pdt, 6); } } } }
void SCProfilingUpdatePacketDetectRecords(Packet *p) { PacketProfileDetectId i; for (i = 0; i < PROF_DETECT_SIZE; i++) { PktProfilingDetectData *pdt = &p->profile.detect[i]; if (pdt->ticks_spent > 0) { if (PKT_IS_IPV4(p)) { SCProfilingUpdatePacketDetectRecord(i, p->proto, pdt, 4); } else { SCProfilingUpdatePacketDetectRecord(i, p->proto, pdt, 6); } } } }
/** * \brief Convert IP packet to an IDMEF alert (RFC 4765). * This function stores the alert SID (description and reference), * the payload of the packet, and pre-processed data. * * \return 0 if ok */ static int PacketToData(Packet *p, PacketAlert *pa, idmef_alert_t *alert, AlertPreludeCtx *ctx) { SCEnter(); if ( ! p ) SCReturnInt(0); AddIntData(alert, "snort_rule_sid", pa->s->id); AddIntData(alert, "snort_rule_rev", pa->s->rev); if (ctx->log_packet_header) { if ( PKT_IS_IPV4(p) ) PacketToDataV4(p, pa, alert); else if ( PKT_IS_IPV6(p) ) PacketToDataV6(p, pa, alert); if ( PKT_IS_TCP(p) ) { AddIntData(alert, "tcp_seq", ntohl(p->tcph->th_seq)); AddIntData(alert, "tcp_ack", ntohl(p->tcph->th_ack)); AddIntData(alert, "tcp_off", TCP_GET_RAW_OFFSET(p->tcph)); AddIntData(alert, "tcp_res", TCP_GET_RAW_X2(p->tcph)); AddIntData(alert, "tcp_flags", p->tcph->th_flags); AddIntData(alert, "tcp_win", ntohs(p->tcph->th_win)); AddIntData(alert, "tcp_sum", ntohs(p->tcph->th_sum)); AddIntData(alert, "tcp_urp", ntohs(p->tcph->th_urp)); } else if ( PKT_IS_UDP(p) ) { AddIntData(alert, "udp_len", ntohs(p->udph->uh_len)); AddIntData(alert, "udp_sum", ntohs(p->udph->uh_sum)); } else if ( PKT_IS_ICMPV4(p) ) { AddIntData(alert, "icmp_type", p->icmpv4h->type); AddIntData(alert, "icmp_code", p->icmpv4h->code); AddIntData(alert, "icmp_sum", ntohs(p->icmpv4h->checksum)); } } if (ctx->log_packet_content) AddByteData(alert, "payload", p->payload, p->payload_len); SCReturnInt(0); }
static int LogTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id) { LogTlsLogThread *aft = (LogTlsLogThread *)thread_data; LogTlsFileCtx *hlog = aft->tlslog_ctx; char timebuf[64]; int ipproto = (PKT_IS_IPV4(p)) ? AF_INET : AF_INET6; SSLState *ssl_state = (SSLState *)state; if (unlikely(ssl_state == NULL)) { return 0; } if (ssl_state->server_connp.cert0_issuerdn == NULL || ssl_state->server_connp.cert0_subject == NULL) { return 0; } CreateTimeString(&p->ts, timebuf, sizeof(timebuf)); #define PRINT_BUF_LEN 46 char srcip[PRINT_BUF_LEN], dstip[PRINT_BUF_LEN]; Port sp, dp; if (!TLSGetIPInformations(p, srcip, PRINT_BUF_LEN, &sp, dstip, PRINT_BUF_LEN, &dp, ipproto)) { return 0; } MemBufferReset(aft->buffer); MemBufferWriteString(aft->buffer, "%s %s:%d -> %s:%d TLS: Subject='%s' Issuerdn='%s'", timebuf, srcip, sp, dstip, dp, ssl_state->server_connp.cert0_subject, ssl_state->server_connp.cert0_issuerdn); if (hlog->flags & LOG_TLS_EXTENDED) { LogTlsLogExtended(aft, ssl_state); } else { MemBufferWriteString(aft->buffer, "\n"); } aft->tls_cnt++; SCMutexLock(&hlog->file_ctx->fp_mutex); hlog->file_ctx->Write((const char *)MEMBUFFER_BUFFER(aft->buffer), MEMBUFFER_OFFSET(aft->buffer), hlog->file_ctx); SCMutexUnlock(&hlog->file_ctx->fp_mutex); return 0; }
void SCProfilingUpdatePacketTmmRecords(Packet *p) { int i; for (i = 0; i < TMM_SIZE; i++) { PktProfilingTmmData *pdt = &p->profile.tmm[i]; if (pdt->ticks_start == 0 || pdt->ticks_end == 0 || pdt->ticks_start > pdt->ticks_end) { continue; } if (PKT_IS_IPV4(p)) { SCProfilingUpdatePacketTmmRecord(i, p->proto, pdt, 4); } else { SCProfilingUpdatePacketTmmRecord(i, p->proto, pdt, 6); } } }
int LogHttpLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id) { SCEnter(); if (!(PKT_IS_TCP(p))) { SCReturnInt(TM_ECODE_OK); } int r = 0; if (PKT_IS_IPV4(p)) { r = LogHttpLogIPWrapper(tv, thread_data, p, f, (HtpState *)state, (htp_tx_t *)tx, tx_id, AF_INET); } else if (PKT_IS_IPV6(p)) { r = LogHttpLogIPWrapper(tv, thread_data, p, f, (HtpState *)state, (htp_tx_t *)tx, tx_id, AF_INET6); } SCReturnInt(r); }
/** * \brief Match function for tos keyword. * * \param tv ThreadVars instance. * \param det_ctx Pointer to the detection thread ctx. * \param p Pointer to the packet. * \param m Pointer to the SigMatch containing the tos data. * * \retval 0 no match * \retval 1 match */ static int DetectTosMatch(ThreadVars *tv, DetectEngineThreadCtx *det_ctx, Packet *p, const Signature *s, const SigMatchCtx *ctx) { const DetectTosData *tosd = (const DetectTosData *)ctx; int result = 0; if (!PKT_IS_IPV4(p) || PKT_IS_PSEUDOPKT(p)) { return 0; } if (tosd->tos == IPV4_GET_IPTOS(p)) { SCLogDebug("tos match found for %d\n", tosd->tos); result = 1; } return (tosd->negated ^ result); }
/** * \brief This function is used to match TTL rule option on a packet with those passed via ttl: * * \param t pointer to thread vars * \param det_ctx pointer to the pattern matcher thread * \param p pointer to the current packet * \param m pointer to the sigmatch that we will cast into DetectTtlData * * \retval 0 no match * \retval 1 match */ int DetectTtlMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, const SigMatchCtx *ctx) { if (PKT_IS_PSEUDOPKT(p)) return 0; uint8_t pttl; if (PKT_IS_IPV4(p)) { pttl = IPV4_GET_IPTTL(p); } else if (PKT_IS_IPV6(p)) { pttl = IPV6_GET_HLIM(p); } else { SCLogDebug("Packet is of not IPv4 or IPv6"); return 0; } const DetectTtlData *ttld = (const DetectTtlData *)ctx; return TtlMatch(pttl, ttld->mode, ttld->ttl1, ttld->ttl2); }
/** * \brief Unified2 main entry function * * \retval TM_ECODE_OK all is good * \retval TM_ECODE_FAILED serious error */ TmEcode Unified2Alert (ThreadVars *t, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq) { int ret = 0; if (PKT_IS_IPV4(p)) { ret = Unified2IPv4TypeAlert (t, p, data, pq); } else if(PKT_IS_IPV6(p)) { ret = Unified2IPv6TypeAlert (t, p, data, pq); } else { /* we're only supporting IPv4 and IPv6 */ return TM_ECODE_OK; } if (ret != 0) { return TM_ECODE_FAILED; } return TM_ECODE_OK; }