文件: active.c 项目: Makthum/snort
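/* Force-drop the current packet and, for TCP/UDP, tell the stream layer to
 * stop inspecting the rest of the session.
 *
 * p: the packet being processed. Non-IP packets are rejected up front:
 *    GET_IPH_PROTO() reads the packet's IP header, so it must not be
 *    evaluated for a packet that has none. This mirrors the guard used by
 *    the IsIP-checked variant of this function.
 *
 * Returns 0 unconditionally; the value is a rule-action placeholder.
 */
int Active_ForceDropAction(Packet *p)
{
    if ( !IsIP(p) )
        return 0;

    // explicitly drop packet
    Active_ForceDropPacket();

    switch ( GET_IPH_PROTO(p) )
    {
        case IPPROTO_TCP:
        case IPPROTO_UDP:
            _Active_DoIgnoreSession(p);
            break;
        default:
            // other transports carry no session for the stream layer to ignore
            break;
    }
    return 0;
}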
/* Force-drop the current packet; for TCP/UDP additionally mark the session
 * dropped and tell the stream layer to stop inspecting it.
 *
 * p: packet being processed. Packets without an IP header are left alone,
 *    since the protocol lookup below needs one.
 *
 * Returns 0 in every case (rule-action placeholder).
 */
int Active_ForceDropAction(Packet *p)
{
    int proto;

    if ( !IsIP(p) )
        return 0;

    // explicitly drop packet
    Active_ForceDropPacket();

    proto = GET_IPH_PROTO(p);
    if ( proto == IPPROTO_TCP || proto == IPPROTO_UDP )
    {
        // only session-oriented transports get the stream-level drop/ignore
        Active_DropSession();
        _Active_ForceIgnoreSession(p);
    }
    return 0;
}
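/* Block the file carried by this packet and remember it, keyed by the HTTP
 * URI, so later transfers of the same URI can be blocked without
 * re-inspection.
 *
 * p:            current packet; its session pointer supplies the URI
 * verdict:      verdict recorded in the resume-block entry
 * file_type_id: detected file type, passed through to the entry
 * signature:    file signature, passed through to the entry
 *
 * Side effects: the packet is force-dropped, further detection on it is
 * disabled and PKT_FILE_EVENT_SET is set, whether or not an entry is added.
 */
static inline void add_file_to_block(Packet *p, File_Verdict verdict,
        uint32_t file_type_id, uint8_t *signature)
{
    uint8_t *buf = NULL;
    uint32_t len = 0;
    uint32_t type = 0;
    FileConfig *file_config = (FileConfig *)(snort_conf->file_config);

    Active_ForceDropPacket();
    DisableAllDetect( p );
    p->packet_flags |= PKT_FILE_EVENT_SET;

    /* The resume-block entry needs the configured block timeout. The
     * signature-lookup path treats the file config as possibly NULL, so do
     * the same here rather than dereferencing it blindly: without a config
     * only the drop above is performed. */
    if (!file_config)
        return;

    /*Use URI as the identifier for file*/
    if (GetHttpUriData(p->ssnptr, &buf, &len, &type))
    {
        uint32_t file_sig = str_to_hash(buf, len);
        file_resume_block_add_file(p, file_sig,
                (uint32_t)file_config->file_block_timeout,
                verdict, file_type_id, signature);
    }
}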
/* File signature lookup at the end of file
 * File signature callback can be used for malware lookup, file capture etc
 */
/* File signature lookup at the end of file.
 * Hands the completed file's SHA256 to the registered signature callback
 * (malware lookup, file capture, ...) and acts on the verdict it returns:
 *   LOG          -> raise the signature alert, then finish the lookup
 *   PENDING      -> hold the packet (force-drop) until the callback decides
 *                   or file_lookup_timeout passes; on timeout, reject or
 *                   alert per block_timeout_lookup, then finish
 *   BLOCK/REJECT -> render the block verdict unless it is suspended
 *   anything else-> finish the lookup
 *
 * context:               per-file state; verdict, expires and the enabled /
 *                        suspend flags are updated here
 * p:                     current Packet, passed as void* at this interface
 * is_retransmit:         true when invoked for a retransmitted packet of a
 *                        session that is already being held
 * suspend_block_verdict: when true, a BLOCK/REJECT is recorded on the
 *                        context but not rendered
 */
static inline void _file_signature_lookup(FileContext* context,
        void* p, bool is_retransmit, bool suspend_block_verdict)
{
    Packet *pkt = (Packet *)p;
    void *ssnptr = pkt->ssnptr;
    FileConfig *file_config = (FileConfig *)context->file_config;
    File_Verdict verdict = FILE_VERDICT_UNKNOWN;

    if (file_signature_cb)
    {
        verdict = file_signature_cb(p, ssnptr, context->sha256,
                context->file_size, &(context->file_state), context->upload,
                context->file_id);
        /* NOTE(review): the callback's return value is used as an array
         * index without a range check here; this relies on every registered
         * callback returning only File_Verdict enumerators -- confirm. */
        file_stats.verdicts_signature[verdict]++;
    }

    // latch the suspend flag before the BLOCK/REJECT case reads it below
    if (suspend_block_verdict)
        context->suspend_block_verdict = true;

    context->verdict = verdict;

    switch (verdict)
    {
        case FILE_VERDICT_LOG:
            file_eventq_add(GENERATOR_FILE_SIGNATURE, FILE_SIGNATURE_SHA256,
                    FILE_SIGNATURE_SHA256_STR, RULE_TYPE__ALERT);
            pkt->packet_flags |= PKT_FILE_EVENT_SET;
            context->file_signature_enabled = false;
            break;

        case FILE_VERDICT_PENDING:
            if (!is_retransmit)
            {
                /* first pass: arm the lookup timeout, hold this packet and
                 * ask the stream layer to call back on retransmission */
                if (file_config)
                    context->expires = (time_t)(file_config->file_lookup_timeout
                            + pkt->pkth->ts.tv_sec);
                Active_ForceDropPacket();
                stream_api->set_event_handler(ssnptr, s_cb_id, SE_REXMIT);
                save_to_pending_context(ssnptr);
                return;
            }

            /* retransmit still inside the wait window: keep holding */
            if (pkt->pkth->ts.tv_sec <= context->expires)
            {
                Active_ForceDropPacket();
                return;
            }

            /* window expired: stop waiting; reject or only alert per config */
            context->file_signature_enabled = false;
            file_eventq_add(GENERATOR_FILE_SIGNATURE, FILE_SIGNATURE_SHA256,
                    FILE_SIGNATURE_SHA256_STR,
                    (file_config && file_config->block_timeout_lookup)
                        ? RULE_TYPE__REJECT : RULE_TYPE__ALERT);
            pkt->packet_flags |= PKT_FILE_EVENT_SET;
            break;

        case FILE_VERDICT_BLOCK:
        case FILE_VERDICT_REJECT:
            if (!context->suspend_block_verdict)
                render_block_verdict(context, p);
            context->file_signature_enabled = false;
            return;

        default:
            break;
    }

    finish_signature_lookup(context);
}