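/**
 * Force-drop the current packet and, for TCP and UDP, hand the packet to
 * _Active_DoIgnoreSession().
 *
 * @param p  Packet being processed.
 * @return   Always 0.
 */
int Active_ForceDropAction(Packet *p)
{
    // explicitly drop packet
    Active_ForceDropPacket();

    /*
     * GET_IPH_PROTO() is only evaluated for packets that IsIP() accepts.
     * Presumably the macro reads IP header state that a non-IP packet does
     * not carry; confirm against the macro definition. The drop above is
     * deliberately issued first so a non-IP packet is still dropped
     * (fail closed) and only the session handling is skipped.
     */
    if ( !IsIP(p) )
        return 0;

    switch ( GET_IPH_PROTO(p) )
    {
        case IPPROTO_TCP:
        case IPPROTO_UDP:
            _Active_DoIgnoreSession(p);
            break;

        default:
            /* other IP protocols: packet drop only, no session handling */
            break;
    }

    return 0;
}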
/**
 * Force-drop an IP packet and, for TCP and UDP, drop and ignore its session.
 *
 * Packets that IsIP() rejects are left untouched.
 *
 * @param p  Packet being processed.
 * @return   Always 0.
 */
int Active_ForceDropAction(Packet *p)
{
    /*
     * NOTE(review): a packet that is not IP skips the whole body, including
     * Active_ForceDropPacket(), so it is not force-dropped by this action.
     * Confirm that passing such packets is the intended policy.
     */
    if ( IsIP(p) )
    {
        // explicitly drop packet
        Active_ForceDropPacket();

        switch ( GET_IPH_PROTO(p) )
        {
            case IPPROTO_TCP:
            case IPPROTO_UDP:
                /* session-based protocols: drop the session, then ignore it */
                Active_DropSession();
                _Active_ForceIgnoreSession(p);
                break;

            default:
                break;
        }
    }

    return 0;
}
/*
 * Force-drop the current packet, disable further detection on it, flag it as
 * carrying a file event, and (when an HTTP URI is available for the session)
 * register the file with file_resume_block_add_file().
 *
 * p             packet that carried the file data
 * verdict       verdict passed through to file_resume_block_add_file()
 * file_type_id  file type id passed through unchanged
 * signature     file signature passed through unchanged
 */
static inline void add_file_to_block(Packet *p, File_Verdict verdict,
        uint32_t file_type_id, uint8_t *signature)
{
    /*
     * NOTE(review): file_config is dereferenced below without a NULL check,
     * whereas _file_signature_lookup() tests its FileConfig pointer before
     * use. Confirm snort_conf->file_config cannot be NULL on this path.
     */
    FileConfig *file_config = (FileConfig *)(snort_conf->file_config);
    uint8_t *uri = NULL;
    uint32_t uri_len = 0;
    uint32_t uri_type = 0;

    Active_ForceDropPacket();
    DisableAllDetect( p );
    p->packet_flags |= PKT_FILE_EVENT_SET;

    /* Without URI data there is no identifier to register the file under. */
    if (!GetHttpUriData(p->ssnptr, &uri, &uri_len, &uri_type))
        return;

    /*
     * Use URI as the identifier for file. The identifier is the URI hash
     * stored in a uint32_t, so distinct URIs can share a value; presumably
     * file_resume_block_add_file() tolerates that (verify against callee).
     */
    const uint32_t uri_hash = str_to_hash(uri, uri_len);

    file_resume_block_add_file(p, uri_hash,
            (uint32_t)file_config->file_block_timeout,
            verdict, file_type_id, signature);
}
/*
 * File signature lookup, run once the end of a file has been reached.
 * The registered signature callback decides the verdict; it can be used for
 * malware lookup, file capture, etc.
 *
 * context                per-file state (hash, size, verdict, timers)
 * p                      the current packet, passed as void * and used as Packet *
 * is_retransmit          true when called for a retransmitted packet
 * suspend_block_verdict  when true, latch context->suspend_block_verdict so a
 *                        BLOCK/REJECT verdict is recorded but not rendered
 */
static inline void _file_signature_lookup(FileContext* context,
        void* p, bool is_retransmit, bool suspend_block_verdict)
{
    Packet *pkt = (Packet *)p;
    void *ssnptr = pkt->ssnptr;
    File_Verdict verdict = FILE_VERDICT_UNKNOWN;

    if (file_signature_cb)
    {
        verdict = file_signature_cb(p, ssnptr, context->sha256,
                context->file_size, &(context->file_state),
                context->upload, context->file_id);
        /*
         * NOTE(review): verdict indexes verdicts_signature[] without a range
         * check; confirm the callback can only return values inside that
         * array.
         */
        file_stats.verdicts_signature[verdict]++;
    }

    if (suspend_block_verdict)
        context->suspend_block_verdict = true;

    context->verdict = verdict;

    switch (verdict)
    {
        case FILE_VERDICT_LOG:
            file_eventq_add(GENERATOR_FILE_SIGNATURE, FILE_SIGNATURE_SHA256,
                    FILE_SIGNATURE_SHA256_STR, RULE_TYPE__ALERT);
            pkt->packet_flags |= PKT_FILE_EVENT_SET;
            context->file_signature_enabled = false;
            break;

        case FILE_VERDICT_PENDING:
        {
            /* No verdict yet: drop the packet and wait. */
            FileConfig *file_config = (FileConfig *)context->file_config;

            if (!is_retransmit)
            {
                /*
                 * First pending result: arm the lookup deadline, drop the
                 * packet, request retransmit events and park the context.
                 * NOTE(review): when file_config is NULL, expires keeps its
                 * previous value; confirm that is intended for the
                 * retransmit comparison below.
                 */
                if (file_config)
                    context->expires = (time_t)(file_config->file_lookup_timeout + pkt->pkth->ts.tv_sec);
                Active_ForceDropPacket();
                stream_api->set_event_handler(ssnptr, s_cb_id, SE_REXMIT);
                save_to_pending_context(ssnptr);
                return;
            }

            /* Retransmit before the deadline: keep dropping. */
            if (pkt->pkth->ts.tv_sec <= context->expires)
            {
                Active_ForceDropPacket();
                return;
            }

            /* Deadline passed: let the packet through OR block, per config. */
            context->file_signature_enabled = false;
            if (file_config && file_config->block_timeout_lookup)
            {
                file_eventq_add(GENERATOR_FILE_SIGNATURE, FILE_SIGNATURE_SHA256,
                        FILE_SIGNATURE_SHA256_STR, RULE_TYPE__REJECT);
            }
            else
            {
                file_eventq_add(GENERATOR_FILE_SIGNATURE, FILE_SIGNATURE_SHA256,
                        FILE_SIGNATURE_SHA256_STR, RULE_TYPE__ALERT);
            }
            pkt->packet_flags |= PKT_FILE_EVENT_SET;
            break;
        }

        case FILE_VERDICT_BLOCK:
        case FILE_VERDICT_REJECT:
            /* A suspended block verdict is recorded but not rendered here. */
            if (!context->suspend_block_verdict)
                render_block_verdict(context, p);
            context->file_signature_enabled = false;
            return;

        default:
            break;
    }

    finish_signature_lookup(context);
}