static sfSFSValue *findFlowIPStats(SFFLOW *sfFlow, snort_ip_p src_addr, snort_ip_p dst_addr, int *swapped) { SFXHASH_NODE *node; sfSFSKey key; sfSFSValue *value; if (IP_LESSER(src_addr, dst_addr)) { IP_COPY_VALUE(key.ipA, src_addr); IP_COPY_VALUE(key.ipB, dst_addr); *swapped = 0; } else { IP_COPY_VALUE(key.ipA, dst_addr); IP_COPY_VALUE(key.ipB, src_addr); *swapped = 1; } value = sfxhash_find(sfFlow->ipMap, &key); if (!value) { node = sfxhash_get_node(sfFlow->ipMap, &key); if (!node) { DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Key/Value pair didn't exist in the flow stats table and we couldn't add it!\n"););
/** ** This function updates the PS_PROTO structure. ** ** @param PS_PROTO pointer to structure to update ** @param int number to increment portscan counter ** @param u_long IP address of other host ** @param u_short port/ip_proto to track ** @param time_t time the packet was received. update windows. */ static int ps_proto_update(PS_PROTO *proto, int ps_cnt, int pri_cnt, snort_ip_p ip, u_short port, time_t pkt_time) { if(!proto) return 0; /* ** If the ps_cnt is negative, that means we are just taking off ** for valid connection, and we don't want to do anything else, ** like update ip/port, etc. */ if(ps_cnt < 0) { proto->connection_count += ps_cnt; if(proto->connection_count < 0) proto->connection_count = 0; return 0; } /* ** If we are updating a priority cnt, it means we already did the ** unique port and IP on the connection packet. ** ** Priority points are only added for invalid response packets. */ if(pri_cnt) { proto->priority_count += pri_cnt; if(proto->priority_count < 0) proto->priority_count = 0; return 0; } /* ** Do time check first before we update the counters, so if ** we need to reset them we do it before we update them. */ if(ps_proto_update_window(proto, pkt_time)) return -1; /* ** Update ps counter */ proto->connection_count += ps_cnt; if(proto->connection_count < 0) proto->connection_count = 0; if(!IP_EQUALITY_UNSET(&proto->u_ips, ip)) { proto->u_ip_count++; IP_COPY_VALUE(proto->u_ips, ip); } /* we need to do the IP comparisons in host order */ if(sfip_is_set(&proto->low_ip)) { if(IP_GREATER(&proto->low_ip, ip)) IP_COPY_VALUE(proto->low_ip, ip); } else { IP_COPY_VALUE(proto->low_ip, ip); } if(IP_IS_SET(proto->high_ip)) { if(IP_LESSER(&proto->high_ip, ip)) IP_COPY_VALUE(proto->high_ip, ip); } else { IP_COPY_VALUE(proto->high_ip, ip); } if(proto->u_ports != port) { proto->u_port_count++; proto->u_ports = port; } if(proto->low_p) { if(proto->low_p > port) proto->low_p = port; } else { proto->low_p = port; } if(proto->high_p) { if(proto->high_p < port) proto->high_p = port; } else { proto->high_p = port; } return 0; }
int GetSessionKey(Packet *p, SessionHashKey *key) { ip_p srcIp, dstIp; u_int16_t srcPort, dstPort; if (!key) return 0; memset(key, 0, sizeof(SessionHashKey)); srcIp = GET_SRC_IP(p); dstIp = GET_DST_IP(p); if (p->tcph) { srcPort = p->tcph->th_sport; dstPort = p->tcph->th_dport; } #ifdef STREAM4_UDP else if (p->udph) { srcPort = p->udph->uh_sport; dstPort = p->udph->uh_dport; } #endif else { srcPort = 0; dstPort = 0; } if (IP_LESSER(srcIp, dstIp)) { IP_COPY_VALUE(key->lowIP, srcIp); key->port = srcPort; IP_COPY_VALUE(key->highIP, dstIp); key->port2 = dstPort; } else if (IP_EQUALITY(srcIp, dstIp)) { IP_COPY_VALUE(key->lowIP, srcIp); IP_COPY_VALUE(key->highIP, dstIp); if (srcPort < dstPort) { key->port = srcPort; key->port2 = dstPort; } else { key->port2 = srcPort; key->port = dstPort; } } else { IP_COPY_VALUE(key->lowIP, dstIp); key->port = dstPort; IP_COPY_VALUE(key->highIP, srcIp); key->port2 = srcPort; } key->proto = GET_IPH_PROTO(p); #ifdef _LP64 key->pad1 = key->pad2 = 0; #endif return 1; }
int GetLWSessionKey(Packet *p, SessionKey *key) { u_int16_t sport; u_int16_t dport; int proto; /* Because the key is going to be used for hash lookups, * the lower of the values of the IP address field is * stored in the key->ip_l and the port for that ip is * stored in key->port_l. */ if (!key) return 0; #ifdef SUP_IP6 if (IS_IP4(p)) { u_int32_t *src; u_int32_t *dst; proto = p->iph->ip_proto; switch (proto) { case IPPROTO_TCP: case IPPROTO_UDP: sport = p->sp; dport = p->dp; break; case IPPROTO_ICMP: default: sport = dport = 0; break; } src = p->ip4h.ip_src.ip32; dst = p->ip4h.ip_dst.ip32; /* These comparisons are done in this fashion for performance reasons */ if (*src < *dst) { COPY4(key->ip_l, src); COPY4(key->ip_h, dst); key->port_l = sport; key->port_h = dport; } else if (*src == *dst) { COPY4(key->ip_l, src); COPY4(key->ip_h, dst); if (sport < dport) { key->port_l = sport; key->port_h = dport; } else { key->port_l = dport; key->port_h = sport; } } else { COPY4(key->ip_l, dst); key->port_l = dport; COPY4(key->ip_h, src); key->port_h = sport; } #ifdef MPLS if(pv.overlapping_IP && (p->mpls) && isPrivateIP(*src) && isPrivateIP(*dst) ) { key->mplsLabel = p->mplsHdr.label; } else { key->mplsLabel = 0; } #endif } else { /* IPv6 */ sfip_t *src; sfip_t *dst; proto = p->ip6h.next; switch (proto) { case IPPROTO_TCP: case IPPROTO_UDP: sport = p->sp; dport = p->dp; break; case IPPROTO_ICMP: default: sport = dport = 0; break; } src = &p->ip6h.ip_src; dst = &p->ip6h.ip_dst; if (sfip_fast_lt6(src, dst)) { COPY4(key->ip_l, src->ip32); key->port_l = sport; COPY4(key->ip_h, dst->ip32); key->port_h = dport; } else if (sfip_fast_eq6(src, dst)) { COPY4(key->ip_l, src->ip32); COPY4(key->ip_h, dst->ip32); if (sport < dport) { key->port_l = sport; key->port_h = dport; } else { key->port_l = dport; key->port_h = sport; } } else { COPY4(key->ip_l, dst->ip32); key->port_l = dport; COPY4(key->ip_h, src->ip32); key->port_h = sport; } #ifdef MPLS if(pv.overlapping_IP && (p->mpls)) { key->mplsLabel = p->mplsHdr.label; } else { key->mplsLabel = 0; } #endif } #else proto = p->iph->ip_proto; switch (proto) { case IPPROTO_TCP: case IPPROTO_UDP: sport = p->sp; dport = p->dp; break; case IPPROTO_ICMP: default: sport = dport = 0; break; } /* These comparisons are done in this fashion for performance reasons */ if (IP_LESSER(GET_SRC_IP(p), GET_DST_IP(p))) { IP_COPY_VALUE(key->ip_l, GET_SRC_IP(p)); key->port_l = sport; IP_COPY_VALUE(key->ip_h, GET_DST_IP(p)); key->port_h = dport; } else if (IP_EQUALITY(GET_SRC_IP(p), GET_DST_IP(p))) { IP_COPY_VALUE(key->ip_l, GET_SRC_IP(p)); IP_COPY_VALUE(key->ip_h, GET_DST_IP(p)); if (sport < dport) { key->port_l = sport; key->port_h = dport; } else { key->port_l = dport; key->port_h = sport; } } else { IP_COPY_VALUE(key->ip_l, GET_DST_IP(p)); key->port_l = dport; IP_COPY_VALUE(key->ip_h, GET_SRC_IP(p)); key->port_h = sport; } #ifdef MPLS if(pv.overlapping_IP && (p->mpls) && isPrivateIP(key->ip_l) && isPrivateIP(key->ip_h)) { key->mplsLabel = p->mplsHdr.label; } else { key->mplsLabel = 0; } #endif #endif key->protocol = proto; if (p->vh) key->vlan_tag = (u_int16_t)VTH_VLAN(p->vh); else key->vlan_tag = 0; key->pad = 0; #ifdef MPLS key->mplsPad = 0; #endif return 1; }