/* detection functions */ int rule16370eval(void *p) { const uint8_t *cursor_normal = 0; SFSnortPacket *sp = (SFSnortPacket *) p; const uint8_t *beg_of_payload, *end_of_payload; uint16_t Csiz; uint16_t atomlen; uint16_t Crgn; if(sp == NULL) return RULE_NOMATCH; if(sp->payload == NULL) return RULE_NOMATCH; // flow:established, to_client; if (checkFlow(p, rule16370options[0]->option_u.flowFlags) > 0 ) { // flowbits:isset "file.pdf"; if (processFlowbits(p, rule16370options[1]->option_u.flowBit) > 0) { // content:"jP ", depth 0, fast_pattern; if (contentMatch(p, rule16370options[2]->option_u.content, &cursor_normal) > 0) { // content:"|FF|O|FF|Q", depth 0; if (contentMatch(p, rule16370options[3]->option_u.content, &cursor_normal) > 0) { if(getBuffer(sp, CONTENT_BUF_NORMALIZED, &beg_of_payload, &end_of_payload) <= 0) return RULE_NOMATCH; //Make sure at least the entire atom is present, as well as //the atom signature and length of the following atom if(cursor_normal + 47 + 4 > end_of_payload) return RULE_NOMATCH; // Now make sure this atomlen is 47 if(*cursor_normal != 0 || *(cursor_normal + 1) != 47) return RULE_NOMATCH; //Extract the value of Csiz Csiz = read_big_16(cursor_normal + 36); //Jump to the next atom, just before the signature cursor_normal += 47; //atomlen; //Check to see if the following byte is FF (eg:the first byte of a signature) //and that we haven't ended up in no man's land while((cursor_normal + 4 < end_of_payload) && (*cursor_normal == 255)) { //Extract the length of next atom atomlen = read_big_16(cursor_normal+2); //Make sure the whole atom is present. Atom length is atomlen + file signature (2 bytes) if ((cursor_normal + atomlen + 2) > end_of_payload) return RULE_NOMATCH; //Check second byte of atom signature //A FF5E is the Region-of-interest atom if (*(cursor_normal+1) == '\x5e') { //This atom can only be either 5 or 6 bytes long, but no other value. //Crgn will be either 1 or 2 bytes depending on this length. //Exit if you some unexpected value. if (atomlen == 5) Crgn = *(cursor_normal+4); else if (atomlen == 6) { Crgn = read_big_16(cursor_normal+4); } else return RULE_NOMATCH; //Fire if Crgn >= Csiz if (Crgn >= Csiz) return RULE_MATCH; } //Skip to next atom cursor_normal += atomlen + 2; } } } } } return RULE_NOMATCH; }
bool roomba_t::parse_sensor_packet_m() { size_t index=0; sensor_t temp_packet; while(index<serial_size_m) { uint8_t sensor=serial_buffer_m[index++]; if(sensor==ROOMBA_ID_SENSOR_BUMPER_DROP) { temp_packet.bumper=*(uint8_t*)(serial_buffer_m+index); index+=sizeof(uint8_t); } else if(sensor==ROOMBA_ID_SENSOR_CHARGE_STATE) { temp_packet.battery.state=*(uint8_t*)(serial_buffer_m+index); index+=sizeof(uint8_t); } else if(sensor==ROOMBA_ID_SENSOR_BATT_TEMP) { temp_packet.battery.temperature=*(int8_t*)(serial_buffer_m+index); index+=sizeof(int8_t); } else if(sensor==ROOMBA_ID_SENSOR_BATT_CHARGE) { temp_packet.battery.charge=read_big_16(serial_buffer_m+index); index+=sizeof(uint16_t); } else if(sensor==ROOMBA_ID_SENSOR_ENCODER_L) { temp_packet.encoder.L=read_big_16(serial_buffer_m+index); index+=sizeof(uint16_t); } else if(sensor==ROOMBA_ID_SENSOR_ENCODER_R) { temp_packet.encoder.R=read_big_16(serial_buffer_m+index); index+=sizeof(uint16_t); } else if(sensor==ROOMBA_ID_SENSOR_CLIFF_L) { temp_packet.floor[0]=adapt_floor(read_big_16(serial_buffer_m+index)); index+=sizeof(uint16_t); } else if(sensor==ROOMBA_ID_SENSOR_CLIFF_FL) { temp_packet.floor[1]=adapt_floor(read_big_16(serial_buffer_m+index)); index+=sizeof(uint16_t); } else if(sensor==ROOMBA_ID_SENSOR_CLIFF_FR) { temp_packet.floor[2]=adapt_floor(read_big_16(serial_buffer_m+index)); index+=sizeof(uint16_t); } else if(sensor==ROOMBA_ID_SENSOR_CLIFF_R) { temp_packet.floor[3]=adapt_floor(read_big_16(serial_buffer_m+index)); index+=sizeof(uint16_t); } else if(sensor==ROOMBA_ID_SENSOR_MODE) { temp_packet.mode=*(uint8_t*)(serial_buffer_m+index); index+=sizeof(uint8_t); } else if(sensor==ROOMBA_ID_SENSOR_LIGHT_FIELD) { temp_packet.light_field=*(uint8_t*)(serial_buffer_m+index); index+=sizeof(uint8_t); } else if(sensor==ROOMBA_ID_SENSOR_LIGHT_L) { temp_packet.light[0]=adapt_light(read_big_16(serial_buffer_m+index)); index+=sizeof(uint16_t); } else if(sensor==ROOMBA_ID_SENSOR_LIGHT_FL) { temp_packet.light[1]=adapt_light(read_big_16(serial_buffer_m+index)); index+=sizeof(uint16_t); } else if(sensor==ROOMBA_ID_SENSOR_LIGHT_CL) { temp_packet.light[2]=adapt_light(read_big_16(serial_buffer_m+index)); index+=sizeof(uint16_t); } else if(sensor==ROOMBA_ID_SENSOR_LIGHT_CR) { temp_packet.light[3]=adapt_light(read_big_16(serial_buffer_m+index)); index+=sizeof(uint16_t); } else if(sensor==ROOMBA_ID_SENSOR_LIGHT_FR) { temp_packet.light[4]=adapt_light(read_big_16(serial_buffer_m+index)); index+=sizeof(uint16_t); } else if(sensor==ROOMBA_ID_SENSOR_LIGHT_R) { temp_packet.light[5]=adapt_light(read_big_16(serial_buffer_m+index)); index+=sizeof(uint16_t); } else if (sensor==ROOMBA_ID_SENSOR_BUTTONS) { temp_packet.buttons=*(uint8_t*)(serial_buffer_m+index); index+=sizeof(uint8_t); } else { return false; } } sensor_packet_m=temp_packet; return true; }
/* detection functions */ int rule15327eval(void *p) { const uint8_t *cursor_normal = 0; const uint8_t *end_of_payload; uint16_t numanswers; uint16_t numqueries; uint16_t len; uint32_t total = 0; int i; SFSnortPacket *sp = (SFSnortPacket *) p; if(sp == NULL) return RULE_NOMATCH; if(sp->payload == NULL) return RULE_NOMATCH; // flow:to_client; if (checkFlow(p, rule15327options[0]->option_u.flowFlags) > 0 ) { // byte_test:size 2, value 7999, operator >, offset 2; if (byteTest(p, rule15327options[1]->option_u.byte, cursor_normal) > 0) { if(getBuffer(sp, CONTENT_BUF_NORMALIZED, &cursor_normal, &end_of_payload) <= 0) return RULE_NOMATCH; if ((cursor_normal+12) > end_of_payload) return RULE_NOMATCH; // Extract number of query and answer records numqueries = read_big_16(cursor_normal+4); numanswers = read_big_16(cursor_normal+6); cursor_normal += 12; // Iterate through variable-sized query records to skip to the answer records. for(i = 0; i < numqueries; i++) { while(cursor_normal < end_of_payload && *cursor_normal != 0 && !((*cursor_normal & 0xc0) == 0xc0)) { cursor_normal += *cursor_normal + 1; } if (cursor_normal >= end_of_payload) return RULE_NOMATCH; cursor_normal += ((*cursor_normal & 0xc0) == 0xc0) ? 2 : 1 ; cursor_normal += 2+2; } if(cursor_normal >= end_of_payload) return RULE_NOMATCH; // Iterate through answer records for(i = 0; i < numanswers; i++) { // Reset the counter used to detect the overflow for each new answer record total = 0; while(cursor_normal < end_of_payload && *cursor_normal != 0 && !((*cursor_normal & 0xc0) == 0xc0)) { cursor_normal += *cursor_normal + 1; } if(cursor_normal >= end_of_payload) return RULE_NOMATCH; cursor_normal += ((*cursor_normal & 0xc0) == 0xc0) ? 2 : 1 ; if ((cursor_normal + 1) >= end_of_payload) return RULE_NOMATCH; // Check that the record type is TXT, that is, 0x10 if (*(cursor_normal + 1) != 0x10) return RULE_NOMATCH; cursor_normal += 2+2+4; if (cursor_normal + 1 >= end_of_payload) return RULE_NOMATCH; // Extract the length field len = read_big_16_inc(cursor_normal); // Iterate through the byte[data] section and add each of the // individual string lengths together while(cursor_normal < end_of_payload && total < len) { total += *cursor_normal + 1; cursor_normal += *cursor_normal + 1; } // Alert if the sum (total) of the inidividual string lengths // exceeds the length field for the entire data section if(cursor_normal >= end_of_payload) return RULE_NOMATCH; else if(total > len) return RULE_MATCH; } } } return RULE_NOMATCH; }