void
codegen_select(tree *expr)
{
switch (state.class) {
case PROC_CLASS_EEPROM8:
case PROC_CLASS_GENERIC:
case PROC_CLASS_PIC12:
case PROC_CLASS_SX:
analyze_error(expr, "unsupported processor class");
break;
case PROC_CLASS_PIC14:
func_ptr = &codegen14_func;
state.pointer_size = size_uint8;
break;
case PROC_CLASS_PIC16:
analyze_error(expr, "unsupported processor class");
break;
case PROC_CLASS_PIC16E:
func_ptr = &codegen16e_func;
state.pointer_size = size_uint16;
break;
default:
assert(0);
}
}
static void
gen_expr(tree *expr)
{
struct variable *var;
switch(expr->tag) {
case node_arg:
var = get_global(ARG_NAME(expr));
codegen_load_file(expr, var);
break;
case node_call:
analyze_call(expr, true, codegen_size);
break;
case node_constant:
LOAD_CONSTANT(expr->value.constant, codegen_size);
break;
case node_symbol:
var = get_global(SYM_NAME(expr));
if (var->tag == sym_const) {
LOAD_CONSTANT(var->value, codegen_size);
} else {
codegen_load_file(expr, var);
}
break;
case node_unop:
gen_unop_expr(expr);
break;
case node_binop:
if (expr->value.binop.op == op_assign) {
analyze_error(expr, "assign operator = should be equal operator ==");
} else if ((expr->value.binop.op == op_lsh) ||
(expr->value.binop.op == op_rsh)) {
/* for shifts it is best to calculate the left side first */
gen_binop_expr(expr->value.binop.op,
expr->value.binop.p1,
expr->value.binop.p0);
} else {
/* for all others calculate the right side first */
gen_binop_expr(expr->value.binop.op,
expr->value.binop.p0,
expr->value.binop.p1);
}
break;
default:
assert(0);
}
}
static void
codegen_load_file(tree *symbol, struct variable *var)
{
int offset;
int element_size;
if ((symbol->tag == node_symbol) && (SYM_OFST(symbol))) {
/* access an array */
element_size = type_size(var->type->prim);
if ((var) && (var->type) && (var->type->tag == type_array)) {
if (can_evaluate(SYM_OFST(symbol), false)) {
/* direct access */
offset = analyze_check_array(symbol, var) * element_size;
if (is_far(var)) {
LOAD_FILE(var->name, codegen_size, offset, true);
} else {
LOAD_FILE(var->name, codegen_size, offset, false);
}
} else {
codegen_indirect(SYM_OFST(symbol), var, element_size, false);
if (is_far(var)) {
LOAD_INDIRECT(var->name, codegen_size, 0, true);
} else {
LOAD_INDIRECT(var->name, codegen_size, 0, false);
}
}
} else {
analyze_error(symbol, "symbol %s is not an array",
SYM_NAME(symbol));
}
} else {
if (is_far(var)) {
LOAD_FILE(var->name, codegen_size, 0, true);
} else {
LOAD_FILE(var->name, codegen_size, 0, false);
}
}
return;
}
void traffic_pattern_match_packet_user(t_session *s, t_pkt *p)
{
int buflen = 0;
int buflen_base = 0; ///!<used to keep buflen befors rule alteration
int rc, nummatch;
int i = 0;
char *bufc = p->payload;
char *buf = p->payload;
t_traffic_user *t = NULL;
t_user *user = NULL;
int ovector[150]; ///!<allows 50 substring matches (including the overall match)
_u8 phase = 0;
_u8 stream = 0;
//add check here
assert(s);
assert(p);
assert(s->proto > 0);
assert(p->payload_len);
//tuning inspection size
if (tuning.patternrestrictlen && p->payload_len > tuning.patternrestrictlen)
buflen = tuning.patternrestrictlen;
else
buflen = p->payload_len;
//saving original size
buflen_base = buflen;
//we are client style : ip src, port dst
if(option.debug == 24)
printf("doing user pattern matching on session %lld pkt %d for len %d\n", s->id, s->nb_pkt_in + s->nb_pkt_out, buflen);
//use the phase detection luke
if(p->ip->src == s->src)
{
stream = HOST_FROM;
if (p->phase_client == CONTROL_PHASE)
{
t = user_patterns;
phase = CONTROL_PHASE;
} else if (p->phase_client == DATA_PHASE && (s->file_client_last_pkt_num < tuning.contentpktnum || tuning.contentpktnum == 0)) {
t= duser_patterns;
phase = DATA_PHASE;
}
} else {
stream = HOST_TO;
if (p->phase_server == CONTROL_PHASE) {
t = user_patterns;
phase = CONTROL_PHASE;
} else if (p->phase_server == DATA_PHASE && (s->file_client_last_pkt_num < tuning.contentpktnum || tuning.contentpktnum == 0)) {
t= duser_patterns;
phase = DATA_PHASE;
}
}
while (t != NULL)
{
assert(t->common);
assert(t->common->regex_compiled);
i++;
//restoring
bufc = p->payload;
buf = p->payload;
buflen = buflen_base;
//pattern restriction according to rules options
//start offset
if((t->common->offset <= buflen) && (t->common->offset != 0))
{
bufc = (bufc + t->common->offset);
buf = bufc;
buflen -= t->common->offset;
}
//restrict depth if possible
if ((buflen > t->common->depth) && (t->common->depth != 0))
buflen = t->common->depth;
nummatch = pcre_exec(t->common->regex_compiled, t->common->regex_extra, bufc, buflen, 0, 0, ovector, sizeof(ovector) / sizeof(*ovector));
if (nummatch < 0) {
#ifdef PCRE_ERROR_MATCHLIMIT // earlier PCRE versions lack this
if (nummatch == PCRE_ERROR_MATCHLIMIT) {
if (option.debug == 24)
printf("Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service %s with the regex '%s'", t->common->servicename, t->common->matchstr);
} //else
#endif // PCRE_ERROR_MATCHLIMIT
} else {
if(option.debug == 24)
printf("User match for session %lld : proto %s\n",s->id, t->common->servicename);
// Yeah! Match apparently succeeded.
user = (t_user *)malloc(sizeof(t_user));
bzero(user, sizeof(t_user));
strncpy(user->protocol, t->common->servicename, sizeof(user->protocol));
if(p->ip)
user->ip = p->ip->src;
// Now lets get captured variable
if(t->familly_template != NULL) {
rc = dotmplsubst(buf, buflen, ovector, nummatch, t->familly_template, user->familly, sizeof(user->familly));
if (rc != 0)
warning("Warning: User pattern matching failed to fill familly_template (subjectlen: %d). Too long? Match string was line: v/%s/%s/", buf, (t->familly_template)? t->familly_template : "", (t->login_template)? t->login_template : "");
}
if(t->login_template != NULL) {
rc = dotmplsubst(buf, buflen, ovector, nummatch, t->login_template, user->login, sizeof(user->login));
if (rc != 0)
warning("Warning: User pattern matching failed to fill login_template (subjectlen: %d). Too long? Match string was line: v/%s/%s/", buf, (t->familly_template)? t->familly_template : "", (t->login_template)? t->login_template : "");
}
if(t->additionnal_template != NULL) {
rc = dotmplsubst(buf, buflen, ovector, nummatch, t->additionnal_template, user->additionnal, sizeof(user->additionnal));
if (rc != 0)
warning("Warning: User pattern matching failed to fill additionnal_template (subjectlen: %d). Too long? Match string was line: v/%s/%s/", buf, (t->familly_template)? t->familly_template : "", (t->login_template)? t->login_template : "");
}
if(t->pass_template != NULL) {
rc = dotmplsubst(buf, buflen, ovector, nummatch, t->pass_template, user->pass, sizeof(user->pass));
if (rc != 0)
warning("Warning: User pattern matching failed to fill additionnal_template (subjectlen: %d). Too long? Match string was line: v/%s/%s/", buf, (t->familly_template)? t->familly_template : "", (t->login_template)? t->login_template : "");
}
if(t->algorithm_template != NULL) {
rc = dotmplsubst(buf, buflen, ovector, nummatch, t->algorithm_template, user->algorithm, sizeof(user->algorithm));
if (rc != 0)
warning("Warning: User pattern matching failed to fill algorithm_template (subjectlen: %d). Too long? Match string was line: v/%s/%s/", buf, (t->familly_template)? t->familly_template : "", (t->login_template)? t->login_template : "");
}
if(t->origin_template != NULL) {
rc = dotmplsubst(buf, buflen, ovector, nummatch, t->origin_template, user->origin, sizeof(user->origin));
if (rc != 0)
warning("Warning: User pattern matching failed to fill origin_template (subjectlen: %d). Too long? Match string was line: v/%s/%s/", buf, (t->familly_template)? t->familly_template : "", (t->login_template)? t->login_template : "");
}
//nature of the file
user->nature = t->nature;
//adding it to user hashtable if needed
if (analyze_user(user))
{
//adding it to session if needed
pthread_mutex_lock(&mutex.hashsession);
if(s->last_user)
s->last_user->next = user;
else
s->user = user;
s->last_user = user;
pthread_mutex_unlock(&mutex.hashsession);
}
if (analyze.error && t->common->event_type == TYPE_ERROR)
analyze_error(s, p, s->id, 0, p->ip->src, TYPE_ERROR, '4', t->common->class_shortname, t->common->event_name, t->common->event_nature, t->common->event_details, t->common->event_target, s->last_time, s->last_time_usec);
if (analyze.event && t->common->event_type == TYPE_EVENT)
analyze_error(s, p, s->id, 0, p->ip->src, TYPE_EVENT, '4', t->common->class_shortname, t->common->event_name, t->common->event_nature, t->common->event_details, t->common->event_target, s->last_time, s->last_time_usec);
//stating l4
if(t->common->type)
traffic_analyze_stat(s, p, stream, t->common->type);
//phase feedback
if(t->common->next_phase)
traffic_phase_feedback(s, p, t->common->next_phase);
//Dynamic content protocol detection signature feedback
if(strncmp(t->common->servicename, "n/a",3) != 0)
detection_protocol_pattern(s, p, t->common->servicename, t->common->confidence);
if(need_to_return(t->common->policy))
return;
}
t = t->next;
}
}
