Exemplo n.º 1
0
SFGHASH_NODE * sfatom_findfirst()
{
   SFGHASH_NODE * node = sfghash_findfirst( g_atom );

   if( node ) return node;

   return NULL;
}
Exemplo n.º 2
0
void hostPortAppCacheDump(void)
{
    SFGHASH_NODE * node;

   for( node = sfghash_findfirst(hostPortCache); node; node = sfghash_findnext(hostPortCache) )
   {
      char inet_buffer[INET6_ADDRSTRLEN];
      tHostPortKey *key;

      key = (tHostPortKey *)node->key;
      inet_ntop(AF_INET6, &key->ip, inet_buffer, sizeof(inet_buffer));
      printf("\tip=%s, \tport %d, \tproto %d, \tappId=%d\n", inet_buffer, key->port, key->proto, (signed)(node->data));
   }
}
Exemplo n.º 3
0
static int print_thd_local(ThresholdObjects *thd_objs, PrintFormat type, unsigned* prnMode)
{
    SFGHASH  * sfthd_hash;
    THD_ITEM * sfthd_item;
    THD_NODE * sfthd_node;
    int        gen_id;
    SFGHASH_NODE * item_hash_node;
    int        lcnt=0;
    tSfPolicyId policyId;

    for (policyId = 0; policyId < thd_objs->numPoliciesAllocated; policyId++)
    {
        for(gen_id=0;gen_id < THD_MAX_GENID ; gen_id++ )
        {
            sfthd_hash = thd_objs->sfthd_array[gen_id];
            if( !sfthd_hash )
            {
                continue;
            }

            for(item_hash_node  = sfghash_findfirst( sfthd_hash );
                    item_hash_node != 0;
                    item_hash_node  = sfghash_findnext( sfthd_hash ) )
            {
                /* Check for any Permanent sig_id objects for this gen_id */
                sfthd_item = (THD_ITEM*)item_hash_node->data;

                if (sfthd_item->policyId != policyId)
                {
                    continue;
                }

                for( sfthd_node  = (THD_NODE*)sflist_first(sfthd_item->sfthd_node_list);
                        sfthd_node != 0;
                        sfthd_node = (THD_NODE*)sflist_next(sfthd_item->sfthd_node_list) )
                {
                    if (print_thd_node(sfthd_node, type, prnMode) != 0)
                        lcnt++;
                }
            }
        }
    }

    if( !lcnt && !*prnMode )
        LogMessage("| none\n");

    return 0;
}
Exemplo n.º 4
0
/* A function to print the thresholding objects to stdout.
 *
 * @param pContext pointer to global threshold context
 * @return
 */
void SFRF_ShowObjects(RateFilterConfig *config)
{
    SFGHASH* genHash;
    tSFRFSidNode* pSidnode;
    tSFRFConfigNode* cfgNode;
    int gid;
    SFGHASH_NODE* sidHashNode;

    for ( gid=0;gid < SFRF_MAX_GENID ; gid++ )
    {
        genHash = config->genHash [ gid ];
        if ( !genHash )
        {
            continue;
        }

        printf("...GEN_ID = %u\n",gid);

        for ( sidHashNode  = sfghash_findfirst( genHash );
              sidHashNode != 0;
              sidHashNode  = sfghash_findnext( genHash ) )
        {
            /* Check for any Permanent sid objects for this gid */
            pSidnode = (tSFRFSidNode*)sidHashNode->data;

            printf(".....GEN_ID = %u, SIG_ID = %u, PolicyId = %u\n",gid, pSidnode->sid, pSidnode->policyId);

            /* For each permanent thresholding object, test/add/update the thd object */
            /* We maintain a list of thd objects for each gid+sid */
            /* each object has it's own unique thd_id */

            for ( cfgNode  = (tSFRFConfigNode*)sflist_first(pSidnode->configNodeList);
                  cfgNode != 0;
                  cfgNode = (tSFRFConfigNode*)sflist_next(pSidnode->configNodeList) )
            {
                printf(".........SFRF_ID  =%d\n",cfgNode->tid );
                printf(".........tracking =%d\n",cfgNode->tracking);
                printf(".........count    =%u\n",cfgNode->count);
                printf(".........seconds  =%u\n",cfgNode->seconds);
            }
        }
    }
}
Exemplo n.º 5
0
/**initialize given port list from the given ruleset, for a given policy
 * @param portList pointer to array of MAX_PORTS+1 uint8_t. This array content
 * is changed by walking through the rulesets.
 * @param protocol - protocol type
 */
void setPortFilterList(
    uint8_t *portList,
    int protocol,
    int ignoreAnyAnyRules,
    tSfPolicyId policyId
)
{
    char *port_array = NULL;
    int num_ports = 0;
    int i;
    RuleTreeNode *rtn;
    OptTreeNode *otn;
    int inspectSrc, inspectDst;
    char any_any_flow = 0;
    IgnoredRuleList *pIgnoredRuleList = NULL;     ///list of ignored rules
    char *protocolName;
    SFGHASH_NODE *hashNode;
    int flowBitIsSet = 0;
    SnortConfig *sc = snort_conf_for_parsing;

    if (sc == NULL)
    {
        FatalError("%s(%d) Snort conf for parsing is NULL.\n",
                   __FILE__, __LINE__);
    }

    if ((protocol == IPPROTO_TCP) && (ignoreAnyAnyRules == 0))
    {
        int j;
        for (j=0; j<MAX_PORTS; j++)
        {
            portList[j] |= PORT_MONITOR_SESSION | PORT_MONITOR_INSPECT;
        }
        return;
    }

    protocolName = getProtocolName(protocol);

    /* Post-process TCP rules to establish TCP ports to inspect. */
    for (hashNode = sfghash_findfirst(sc->otn_map);
            hashNode;
            hashNode = sfghash_findnext(sc->otn_map))
    {
        otn = (OptTreeNode *)hashNode->data;
        flowBitIsSet = Stream5OtnHasFlowOrFlowbit(otn);

        rtn = getRtnFromOtn(otn, policyId);

        if (!rtn)
        {
            continue;
        }

        if (rtn->proto == protocol)
        {
            //do operation
            inspectSrc = inspectDst = 0;
            if (PortObjectHasAny(rtn->src_portobject))
            {
                inspectSrc = -1;
            }
            else
            {
                port_array = PortObjectCharPortArray(port_array, rtn->src_portobject, &num_ports);
                if (port_array && num_ports != 0)
                {
                    inspectSrc = 1;
                    for (i=0; i<SFPO_MAX_PORTS; i++)
                    {
                        if (port_array[i])
                        {
                            portList[i] |= PORT_MONITOR_INSPECT;
                            /* port specific rule */
                            /* Look for an OTN with flow or flowbits keyword */
                            if (flowBitIsSet)
                            {
                                portList[i] |= PORT_MONITOR_SESSION;
                            }
                        }
                    }
                }
                if ( port_array )
                {
                    free(port_array);
                    port_array = NULL;
                }
            }
            if (PortObjectHasAny(rtn->dst_portobject))
            {
                inspectDst = -1;
            }
            else
            {
                port_array = PortObjectCharPortArray(port_array, rtn->dst_portobject, &num_ports);
                if (port_array && num_ports != 0)
                {
                    inspectDst = 1;
                    for (i=0; i<SFPO_MAX_PORTS; i++)
                    {
                        if (port_array[i])
                        {
                            portList[i] |= PORT_MONITOR_INSPECT;
                            /* port specific rule */
                            if (flowBitIsSet)
                            {
                                portList[i] |= PORT_MONITOR_SESSION;
                            }
                        }
                    }
                }
                if ( port_array )
                {
                    free(port_array);
                    port_array = NULL;
                }
            }
            if ((inspectSrc == -1) && (inspectDst == -1))
            {
                /* any -> any rule */
                if (any_any_flow == 0)
                {
                    any_any_flow = Stream5AnyAnyFlow(portList, otn, rtn, any_any_flow,
                                                     &pIgnoredRuleList, ignoreAnyAnyRules);
                }
            }
        }
    }

    /* If portscan is tracking TCP/UDP, need to create
     * sessions for all ports */
    if (((protocol == IPPROTO_UDP) && (ps_get_protocols(policyId) & PS_PROTO_UDP))
            || ((protocol == IPPROTO_TCP) && (ps_get_protocols(policyId) & PS_PROTO_TCP)))
    {
        int j;
        for (j=0; j<MAX_PORTS; j++)
        {
            portList[j] |= PORT_MONITOR_SESSION;
        }
    }

    if (any_any_flow == 1)
    {
        LogMessage("Warning: 'ignore_any_rules' option for Stream5 %s "
                   "disabled because of %s rule with flow or flowbits option\n",
                   protocolName, protocolName);
    }

    else if (pIgnoredRuleList)
    {
        LogMessage("Warning: Rules (GID:SID) effectively ignored because of "
                   "'ignore_any_rules' option for Stream5 %s:\n", protocolName);
    }
    // free list; print iff any_any_flow
    printIgnoredRules(pIgnoredRuleList, any_any_flow);

}
Exemplo n.º 6
0
/*!
 *   A function to print the thresholding objects to stdout.
 *
 */
int sfthd_show_objects(ThresholdObjects *thd_objs)
{
    SFGHASH  * sfthd_hash;
    THD_ITEM * sfthd_item;
    THD_NODE * sfthd_node;
    int        gen_id;
    SFGHASH_NODE * item_hash_node;
    tSfPolicyId policyId;

    for(gen_id=0;gen_id < THD_MAX_GENID ; gen_id++ )
    {
        sfthd_hash = thd_objs->sfthd_array[gen_id];
        if (sfthd_hash == NULL)
            continue;

        printf("...GEN_ID = %u\n",gen_id);

        for(item_hash_node  = sfghash_findfirst( sfthd_hash );
            item_hash_node != 0;
            item_hash_node  = sfghash_findnext( sfthd_hash ) )
        {
            /* Check for any Permanent sig_id objects for this gen_id */
            sfthd_item = (THD_ITEM*)item_hash_node->data;

            printf(".....GEN_ID = %u, SIG_ID = %u, Policy = %u\n",gen_id,sfthd_item->sig_id, sfthd_item->policyId);

            /* For each permanent thresholding object, test/add/update the thd object */
            /* We maintain a list of thd objects for each gen_id+sig_id */
            /* each object has it's own unique thd_id */

            for( sfthd_node  = (THD_NODE*)sflist_first(sfthd_item->sfthd_node_list);
                 sfthd_node != 0;
                 sfthd_node = (THD_NODE*)sflist_next(sfthd_item->sfthd_node_list) )
            {
                printf(".........THD_ID  =%d\n",sfthd_node->thd_id );

                if( sfthd_node->type == THD_TYPE_SUPPRESS )
                    printf(".........type    =Suppress\n");
                if( sfthd_node->type == THD_TYPE_LIMIT )
                    printf(".........type    =Limit\n");
                if( sfthd_node->type == THD_TYPE_THRESHOLD )
                    printf(".........type    =Threshold\n");
                if( sfthd_node->type == THD_TYPE_BOTH )
                    printf(".........type    =Both\n");

                printf(".........tracking=%d\n",sfthd_node->tracking);
                printf(".........priority=%d\n",sfthd_node->priority);

                if( sfthd_node->type == THD_TYPE_SUPPRESS )
                {
                    printf(".........ip      =%s\n",
                           sfip_to_str(&sfthd_node->ip_address));
                    printf(".........mask    =%d\n",
                           sfip_bits(&sfthd_node->ip_address));
                    printf(".........not_flag=%d\n",sfthd_node->ip_mask);
                }
                else
                {
                    printf(".........count   =%d\n",sfthd_node->count);
                    printf(".........seconds =%d\n",sfthd_node->seconds);
                }
            }
        }
    }

    return 0;
}
Exemplo n.º 7
0
/*
*       Hash test program  
*/
int main ( int argc, char ** argv )
{
   int         i;
   SFGHASH      * t;
   SFGHASH_NODE * n, *m;
   char str[256],*p;
   int  num=100;

   if( argc > 1 )
       num = atoi(argv[1]);

   sfatom_init();

   /* Create a Hash Table */
   t = sfghash_new( 1000, 0 , GH_COPYKEYS , myfree  );

   /* Add Nodes to the Hash Table */
   for(i=0;i<num;i++) 
   {
       snprintf(str, sizeof(str), "KeyWord%d",i+1);
       str[sizeof(str) - 1] = '\0';
       sfghash_add( t, str,  strupr(strdup(str)) );

       sfatom_add( str,  strupr(strdup(str)) );
   }  

   /* Find and Display Nodes in the Hash Table */
   printf("\n** FIND KEY TEST\n");

   for(i=0;i<num;i++) 
   {
      snprintf(str, sizeof(str), "KeyWord%d",i+1);
      str[sizeof(str) - 1] = '\0';

      p = (char*) sfghash_find( t, str );

      printf("Hash-key=%*s, data=%*s\n", strlen(str),str, strlen(str), p );

      p = (char*) sfatom_find( str );

      printf("Atom-key=%*s, data=%*s\n", strlen(str),str, strlen(str), p );
   }  

   /* Display All Nodes in the Hash Table */
   printf("\n** FINDFIRST / FINDNEXT TEST\n");

   for( n = sfghash_findfirst(t); n; n = sfghash_findnext(t) )
   {
      printf("hash-findfirst/next: key=%s, data=%s\n", n->key, n->data );

      // hashing code frees user data using 'myfree' above ....
      if( sfghash_remove(t,n->key) ) 
            printf("Could not remove the key node\n");
      else  
            printf("key node removed\n");
   }

   for( n = sfatom_findfirst(); n; n = sfatom_findnext() )
   {
      printf("atom-findfirst/next: key=%s, data=%s\n", n->key, n->data );

      free( n->data );  //since atom data is not freed automatically
   }

   /* Free the table and it's user data */
   printf("****sfghash_delete\n");
   sfghash_delete( t );

   printf("****sfatom_reset\n");
   sfatom_reset();

   printf("\nnormal pgm finish\n\n");

   return 0;
}