Stream5LWSession *GetLWSession(Stream5SessionCache *sessionCache, Packet *p, SessionKey *key)
{
Stream5LWSession *returned = NULL;
SFXHASH_NODE *hnode;
if (!sessionCache)
return NULL;
if (!GetLWSessionKey(p, key))
{
return NULL;
}
hnode = sfxhash_find_node(sessionCache->hashTable, key);
if (hnode && hnode->data)
{
/* This is a unique hnode, since the sfxhash finds the
* same key before returning this node.
*/
returned = (Stream5LWSession *)hnode->data;
if (returned && (returned->last_data_seen < p->pkth->ts.tv_sec))
{
returned->last_data_seen = p->pkth->ts.tv_sec;
}
}
return returned;
}
Session *GetSessionFromHashTable(Packet *p)
{
Session *returned = NULL;
SFXHASH_NODE *hnode;
SessionHashKey sessionKey;
SFXHASH *table;
if (!GetSessionKey(p, &sessionKey))
return NULL;
if (sessionKey.proto == IPPROTO_TCP)
{
table = sessionHashTable;
}
else /* Implied IPPROTO_UDP */
{
table = udpSessionHashTable;
}
hnode = sfxhash_find_node(table, &sessionKey);
if (hnode && hnode->data)
{
/* This is a unique hnode, since the sfxhash finds the
* same key before returning this node.
*/
returned = (Session *)hnode->data;
}
return returned;
}
/** *
* @param sip - source IP address
* @param dip - destination IP address
* @param sport - server sport number
* @param file_sig - file signature
* @param expiry - session expiry in seconds.
*/
int file_resume_block_add_file(void *pkt, uint32_t file_sig, uint32_t timeout,
File_Verdict verdict, uint32_t file_type_id, uint8_t *signature)
{
FileHashKey hashKey;
SFXHASH_NODE *hash_node = NULL;
FileNode *node;
FileNode new_node;
snort_ip_p srcIP;
snort_ip_p dstIP;
Packet *p = (Packet *)pkt;
time_t now = p->pkth->ts.tv_sec;
srcIP = GET_SRC_IP(p);
dstIP = GET_DST_IP(p);
IP_COPY_VALUE(hashKey.dip, dstIP);
IP_COPY_VALUE(hashKey.sip, srcIP);
hashKey.file_sig = file_sig;
hash_node = sfxhash_find_node(fileHash, &hashKey);
if (hash_node)
{
if (!(node = hash_node->data))
sfxhash_free_node(fileHash, hash_node);
}
else
node = NULL;
if (node)
{
node->expires = now + timeout;
updateFileNode(node, verdict, file_type_id, signature);
}
else
{
DEBUG_WRAP(DebugMessage(DEBUG_FILE, "Adding file node\n"););
updateFileNode(&new_node, verdict, file_type_id, signature);
/*
* use the time that we keep files around
* since this info would effectively be invalid
* after that anyway because the file that
* caused this will be gone.
*/
new_node.expires = now + timeout;
/* Add it to the table */
if (sfxhash_add(fileHash, &hashKey, &new_node) != SFXHASH_OK)
{
/* Uh, shouldn't get here...
* There is already a node or couldn't alloc space
* for key. This means bigger problems, but fail
* gracefully.
*/
DEBUG_WRAP(DebugMessage(DEBUG_FILE,
"Failed to add file node to hash table\n"););
Stream5LWSession *GetLWSessionFromKey(Stream5SessionCache *sessionCache, SessionKey *key)
{
Stream5LWSession *returned = NULL;
SFXHASH_NODE *hnode;
if (!sessionCache)
return NULL;
hnode = sfxhash_find_node(sessionCache->hashTable, key);
if (hnode && hnode->data)
{
/* This is a unique hnode, since the sfxhash finds the
* same key before returning this node.
*/
returned = (Stream5LWSession *)hnode->data;
}
return returned;
}
IP_COPY_VALUE(hashKey.ip1, srvIP);
hashKey.port1 = srvPort;
IP_COPY_VALUE(hashKey.ip2, cliIP);
hashKey.port2 = cliPort;
reversed_key = 1;
DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "reversed\n"););
}
/* Actually add it to the hash table with a timestamp of now.
* so we can expire entries that are older than a configurable
* time. Those entries will be for sessions that we missed or
* never occured. Should not keep the entry around indefinitely.
*/
hashKey.protocol = (uint32_t)protocol;
hash_node = sfxhash_find_node(channelHash, &hashKey);
if (hash_node)
{
if (!(node = hash_node->data))
sfxhash_free_node(channelHash, hash_node);
}
else
node = NULL;
if (node)
{
int expired;
DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "exists\n"););
/*
* This handles the case where there is already an entry
* for this key (IP addresses/port). It could occur when
/** *
* @param sip - source IP address
* @param dip - destination IP address
* @param sport - server sport number
* @param file_sig - file signature
* @param expiry - session expiry in seconds.
*/
int file_resume_block_add_file(void *pkt, uint32_t file_sig, uint32_t timeout,
File_Verdict verdict, uint32_t file_type_id, uint8_t *signature)
{
FileHashKey hashKey;
SFXHASH_NODE *hash_node = NULL;
FileNode *node;
FileNode new_node;
sfaddr_t* srcIP;
sfaddr_t* dstIP;
Packet *p = (Packet*)pkt;
time_t now = p->pkth->ts.tv_sec;
srcIP = GET_SRC_IP(p);
dstIP = GET_DST_IP(p);
sfaddr_copy_to_raw(&hashKey.dip, dstIP);
sfaddr_copy_to_raw(&hashKey.sip, srcIP);
hashKey.file_sig = file_sig;
#ifdef HAVE_DAQ_DP_ADD_DC
{
DAQ_DC_Params params;
memset(¶ms, 0, sizeof(params));
params.flags = DAQ_DC_ALLOW_MULTIPLE | DAQ_DC_PERSIST;
params.timeout_ms = 5 * 60 * 1000; /* 5 minutes */
if (p->packet_flags & PKT_FROM_CLIENT)
DAQ_Add_Dynamic_Protocol_Channel(p, srcIP, 0, dstIP, p->dp, GET_IPH_PROTO(p),
¶ms);
else if (p->packet_flags & PKT_FROM_SERVER)
DAQ_Add_Dynamic_Protocol_Channel(p, dstIP, 0, srcIP, p->sp, GET_IPH_PROTO(p),
¶ms);
}
#endif
hash_node = sfxhash_find_node(fileHash, &hashKey);
if (hash_node)
{
if (!(node = hash_node->data))
sfxhash_free_node(fileHash, hash_node);
}
else
node = NULL;
if (node)
{
node->expires = now + timeout;
updateFileNode(node, verdict, file_type_id, signature);
}
else
{
DEBUG_WRAP(DebugMessage(DEBUG_FILE, "Adding file node\n"););
updateFileNode(&new_node, verdict, file_type_id, signature);
/*
* use the time that we keep files around
* since this info would effectively be invalid
* after that anyway because the file that
* caused this will be gone.
*/
new_node.expires = now + timeout;
/* Add it to the table */
if (sfxhash_add(fileHash, &hashKey, &new_node) != SFXHASH_OK)
{
/* Uh, shouldn't get here...
* There is already a node or couldn't alloc space
* for key. This means bigger problems, but fail
* gracefully.
*/
DEBUG_WRAP(DebugMessage(DEBUG_FILE,
"Failed to add file node to hash table\n"););
FileEntry *file_cache_get(FileCache *fileCache, void* p, uint64_t file_id,
bool can_create)
{
SFXHASH_NODE *hnode;
FileKey fileKey;
Packet *pkt = (Packet *)p;
sfaddr_t* srcIP;
sfaddr_t* dstIP;
if ((fileCache == NULL) || (fileCache->hashTable == NULL))
return NULL;
if ((pkt->packet_flags & PKT_FROM_CLIENT))
{
srcIP = GET_SRC_IP(pkt);
dstIP = GET_DST_IP(pkt);
}
else
{
srcIP = GET_DST_IP(pkt);
dstIP = GET_SRC_IP(pkt);
}
sfaddr_copy_to_raw(&fileKey.dip, dstIP);
sfaddr_copy_to_raw(&fileKey.sip, srcIP);
fileKey.file_id = file_id;
if (!can_create)
{
hnode = sfxhash_find_node(fileCache->hashTable, &fileKey);
}
else
{
hnode = sfxhash_get_node(fileCache->hashTable, &fileKey);
if (!hnode)
{
/*No more file entries, free up some old ones*/
pruneFileCache(fileCache, NULL);
/* Should have some freed nodes now */
hnode = sfxhash_get_node(fileCache->hashTable, &fileKey);
#ifdef DEBUG_MSGS
if (!hnode)
LogMessage("%s(%d) Problem, no freed nodes\n", __FILE__, __LINE__);
#endif
}
}
if (hnode && hnode->data)
{
FileEntry *file_entry = (FileEntry *)hnode->data;
return file_entry;
}
else
{
return NULL;
}
}
