Stream5LWSession *GetLWSession(Stream5SessionCache *sessionCache, Packet *p, SessionKey *key) { Stream5LWSession *returned = NULL; SFXHASH_NODE *hnode; if (!sessionCache) return NULL; if (!GetLWSessionKey(p, key)) { return NULL; } hnode = sfxhash_find_node(sessionCache->hashTable, key); if (hnode && hnode->data) { /* This is a unique hnode, since the sfxhash finds the * same key before returning this node. */ returned = (Stream5LWSession *)hnode->data; if (returned && (returned->last_data_seen < p->pkth->ts.tv_sec)) { returned->last_data_seen = p->pkth->ts.tv_sec; } } return returned; }
Session *GetSessionFromHashTable(Packet *p) { Session *returned = NULL; SFXHASH_NODE *hnode; SessionHashKey sessionKey; SFXHASH *table; if (!GetSessionKey(p, &sessionKey)) return NULL; if (sessionKey.proto == IPPROTO_TCP) { table = sessionHashTable; } else /* Implied IPPROTO_UDP */ { table = udpSessionHashTable; } hnode = sfxhash_find_node(table, &sessionKey); if (hnode && hnode->data) { /* This is a unique hnode, since the sfxhash finds the * same key before returning this node. */ returned = (Session *)hnode->data; } return returned; }
/** * * @param sip - source IP address * @param dip - destination IP address * @param sport - server sport number * @param file_sig - file signature * @param expiry - session expiry in seconds. */ int file_resume_block_add_file(void *pkt, uint32_t file_sig, uint32_t timeout, File_Verdict verdict, uint32_t file_type_id, uint8_t *signature) { FileHashKey hashKey; SFXHASH_NODE *hash_node = NULL; FileNode *node; FileNode new_node; snort_ip_p srcIP; snort_ip_p dstIP; Packet *p = (Packet *)pkt; time_t now = p->pkth->ts.tv_sec; srcIP = GET_SRC_IP(p); dstIP = GET_DST_IP(p); IP_COPY_VALUE(hashKey.dip, dstIP); IP_COPY_VALUE(hashKey.sip, srcIP); hashKey.file_sig = file_sig; hash_node = sfxhash_find_node(fileHash, &hashKey); if (hash_node) { if (!(node = hash_node->data)) sfxhash_free_node(fileHash, hash_node); } else node = NULL; if (node) { node->expires = now + timeout; updateFileNode(node, verdict, file_type_id, signature); } else { DEBUG_WRAP(DebugMessage(DEBUG_FILE, "Adding file node\n");); updateFileNode(&new_node, verdict, file_type_id, signature); /* * use the time that we keep files around * since this info would effectively be invalid * after that anyway because the file that * caused this will be gone. */ new_node.expires = now + timeout; /* Add it to the table */ if (sfxhash_add(fileHash, &hashKey, &new_node) != SFXHASH_OK) { /* Uh, shouldn't get here... * There is already a node or couldn't alloc space * for key. This means bigger problems, but fail * gracefully. */ DEBUG_WRAP(DebugMessage(DEBUG_FILE, "Failed to add file node to hash table\n"););
Stream5LWSession *GetLWSessionFromKey(Stream5SessionCache *sessionCache, SessionKey *key) { Stream5LWSession *returned = NULL; SFXHASH_NODE *hnode; if (!sessionCache) return NULL; hnode = sfxhash_find_node(sessionCache->hashTable, key); if (hnode && hnode->data) { /* This is a unique hnode, since the sfxhash finds the * same key before returning this node. */ returned = (Stream5LWSession *)hnode->data; } return returned; }
IP_COPY_VALUE(hashKey.ip1, srvIP); hashKey.port1 = srvPort; IP_COPY_VALUE(hashKey.ip2, cliIP); hashKey.port2 = cliPort; reversed_key = 1; DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "reversed\n");); } /* Actually add it to the hash table with a timestamp of now. * so we can expire entries that are older than a configurable * time. Those entries will be for sessions that we missed or * never occured. Should not keep the entry around indefinitely. */ hashKey.protocol = (uint32_t)protocol; hash_node = sfxhash_find_node(channelHash, &hashKey); if (hash_node) { if (!(node = hash_node->data)) sfxhash_free_node(channelHash, hash_node); } else node = NULL; if (node) { int expired; DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "exists\n");); /* * This handles the case where there is already an entry * for this key (IP addresses/port). It could occur when
/** * * @param sip - source IP address * @param dip - destination IP address * @param sport - server sport number * @param file_sig - file signature * @param expiry - session expiry in seconds. */ int file_resume_block_add_file(void *pkt, uint32_t file_sig, uint32_t timeout, File_Verdict verdict, uint32_t file_type_id, uint8_t *signature) { FileHashKey hashKey; SFXHASH_NODE *hash_node = NULL; FileNode *node; FileNode new_node; sfaddr_t* srcIP; sfaddr_t* dstIP; Packet *p = (Packet*)pkt; time_t now = p->pkth->ts.tv_sec; srcIP = GET_SRC_IP(p); dstIP = GET_DST_IP(p); sfaddr_copy_to_raw(&hashKey.dip, dstIP); sfaddr_copy_to_raw(&hashKey.sip, srcIP); hashKey.file_sig = file_sig; #ifdef HAVE_DAQ_DP_ADD_DC { DAQ_DC_Params params; memset(¶ms, 0, sizeof(params)); params.flags = DAQ_DC_ALLOW_MULTIPLE | DAQ_DC_PERSIST; params.timeout_ms = 5 * 60 * 1000; /* 5 minutes */ if (p->packet_flags & PKT_FROM_CLIENT) DAQ_Add_Dynamic_Protocol_Channel(p, srcIP, 0, dstIP, p->dp, GET_IPH_PROTO(p), ¶ms); else if (p->packet_flags & PKT_FROM_SERVER) DAQ_Add_Dynamic_Protocol_Channel(p, dstIP, 0, srcIP, p->sp, GET_IPH_PROTO(p), ¶ms); } #endif hash_node = sfxhash_find_node(fileHash, &hashKey); if (hash_node) { if (!(node = hash_node->data)) sfxhash_free_node(fileHash, hash_node); } else node = NULL; if (node) { node->expires = now + timeout; updateFileNode(node, verdict, file_type_id, signature); } else { DEBUG_WRAP(DebugMessage(DEBUG_FILE, "Adding file node\n");); updateFileNode(&new_node, verdict, file_type_id, signature); /* * use the time that we keep files around * since this info would effectively be invalid * after that anyway because the file that * caused this will be gone. */ new_node.expires = now + timeout; /* Add it to the table */ if (sfxhash_add(fileHash, &hashKey, &new_node) != SFXHASH_OK) { /* Uh, shouldn't get here... * There is already a node or couldn't alloc space * for key. This means bigger problems, but fail * gracefully. */ DEBUG_WRAP(DebugMessage(DEBUG_FILE, "Failed to add file node to hash table\n"););
FileEntry *file_cache_get(FileCache *fileCache, void* p, uint64_t file_id, bool can_create) { SFXHASH_NODE *hnode; FileKey fileKey; Packet *pkt = (Packet *)p; sfaddr_t* srcIP; sfaddr_t* dstIP; if ((fileCache == NULL) || (fileCache->hashTable == NULL)) return NULL; if ((pkt->packet_flags & PKT_FROM_CLIENT)) { srcIP = GET_SRC_IP(pkt); dstIP = GET_DST_IP(pkt); } else { srcIP = GET_DST_IP(pkt); dstIP = GET_SRC_IP(pkt); } sfaddr_copy_to_raw(&fileKey.dip, dstIP); sfaddr_copy_to_raw(&fileKey.sip, srcIP); fileKey.file_id = file_id; if (!can_create) { hnode = sfxhash_find_node(fileCache->hashTable, &fileKey); } else { hnode = sfxhash_get_node(fileCache->hashTable, &fileKey); if (!hnode) { /*No more file entries, free up some old ones*/ pruneFileCache(fileCache, NULL); /* Should have some freed nodes now */ hnode = sfxhash_get_node(fileCache->hashTable, &fileKey); #ifdef DEBUG_MSGS if (!hnode) LogMessage("%s(%d) Problem, no freed nodes\n", __FILE__, __LINE__); #endif } } if (hnode && hnode->data) { FileEntry *file_entry = (FileEntry *)hnode->data; return file_entry; } else { return NULL; } }