SFGHASH_NODE * sfatom_findnext()
{
SFGHASH_NODE * node = sfghash_findnext( g_atom );
if( node ) return node;
return NULL;
}
void hostPortAppCacheDump(void)
{
SFGHASH_NODE * node;
for( node = sfghash_findfirst(hostPortCache); node; node = sfghash_findnext(hostPortCache) )
{
char inet_buffer[INET6_ADDRSTRLEN];
tHostPortKey *key;
key = (tHostPortKey *)node->key;
inet_ntop(AF_INET6, &key->ip, inet_buffer, sizeof(inet_buffer));
printf("\tip=%s, \tport %d, \tproto %d, \tappId=%d\n", inet_buffer, key->port, key->proto, (signed)(node->data));
}
}
static int print_thd_local(ThresholdObjects *thd_objs, PrintFormat type, unsigned* prnMode)
{
SFGHASH * sfthd_hash;
THD_ITEM * sfthd_item;
THD_NODE * sfthd_node;
int gen_id;
SFGHASH_NODE * item_hash_node;
int lcnt=0;
tSfPolicyId policyId;
for (policyId = 0; policyId < thd_objs->numPoliciesAllocated; policyId++)
{
for(gen_id=0;gen_id < THD_MAX_GENID ; gen_id++ )
{
sfthd_hash = thd_objs->sfthd_array[gen_id];
if( !sfthd_hash )
{
continue;
}
for(item_hash_node = sfghash_findfirst( sfthd_hash );
item_hash_node != 0;
item_hash_node = sfghash_findnext( sfthd_hash ) )
{
/* Check for any Permanent sig_id objects for this gen_id */
sfthd_item = (THD_ITEM*)item_hash_node->data;
if (sfthd_item->policyId != policyId)
{
continue;
}
for( sfthd_node = (THD_NODE*)sflist_first(sfthd_item->sfthd_node_list);
sfthd_node != 0;
sfthd_node = (THD_NODE*)sflist_next(sfthd_item->sfthd_node_list) )
{
if (print_thd_node(sfthd_node, type, prnMode) != 0)
lcnt++;
}
}
}
}
if( !lcnt && !*prnMode )
LogMessage("| none\n");
return 0;
}
/* A function to print the thresholding objects to stdout.
*
* @param pContext pointer to global threshold context
* @return
*/
void SFRF_ShowObjects(RateFilterConfig *config)
{
SFGHASH* genHash;
tSFRFSidNode* pSidnode;
tSFRFConfigNode* cfgNode;
int gid;
SFGHASH_NODE* sidHashNode;
for ( gid=0;gid < SFRF_MAX_GENID ; gid++ )
{
genHash = config->genHash [ gid ];
if ( !genHash )
{
continue;
}
printf("...GEN_ID = %u\n",gid);
for ( sidHashNode = sfghash_findfirst( genHash );
sidHashNode != 0;
sidHashNode = sfghash_findnext( genHash ) )
{
/* Check for any Permanent sid objects for this gid */
pSidnode = (tSFRFSidNode*)sidHashNode->data;
printf(".....GEN_ID = %u, SIG_ID = %u, PolicyId = %u\n",gid, pSidnode->sid, pSidnode->policyId);
/* For each permanent thresholding object, test/add/update the thd object */
/* We maintain a list of thd objects for each gid+sid */
/* each object has it's own unique thd_id */
for ( cfgNode = (tSFRFConfigNode*)sflist_first(pSidnode->configNodeList);
cfgNode != 0;
cfgNode = (tSFRFConfigNode*)sflist_next(pSidnode->configNodeList) )
{
printf(".........SFRF_ID =%d\n",cfgNode->tid );
printf(".........tracking =%d\n",cfgNode->tracking);
printf(".........count =%u\n",cfgNode->count);
printf(".........seconds =%u\n",cfgNode->seconds);
}
}
}
}
/**initialize given port list from the given ruleset, for a given policy
* @param portList pointer to array of MAX_PORTS+1 uint8_t. This array content
* is changed by walking through the rulesets.
* @param protocol - protocol type
*/
void setPortFilterList(
uint8_t *portList,
int protocol,
int ignoreAnyAnyRules,
tSfPolicyId policyId
)
{
char *port_array = NULL;
int num_ports = 0;
int i;
RuleTreeNode *rtn;
OptTreeNode *otn;
int inspectSrc, inspectDst;
char any_any_flow = 0;
IgnoredRuleList *pIgnoredRuleList = NULL; ///list of ignored rules
char *protocolName;
SFGHASH_NODE *hashNode;
int flowBitIsSet = 0;
SnortConfig *sc = snort_conf_for_parsing;
if (sc == NULL)
{
FatalError("%s(%d) Snort conf for parsing is NULL.\n",
__FILE__, __LINE__);
}
if ((protocol == IPPROTO_TCP) && (ignoreAnyAnyRules == 0))
{
int j;
for (j=0; j<MAX_PORTS; j++)
{
portList[j] |= PORT_MONITOR_SESSION | PORT_MONITOR_INSPECT;
}
return;
}
protocolName = getProtocolName(protocol);
/* Post-process TCP rules to establish TCP ports to inspect. */
for (hashNode = sfghash_findfirst(sc->otn_map);
hashNode;
hashNode = sfghash_findnext(sc->otn_map))
{
otn = (OptTreeNode *)hashNode->data;
flowBitIsSet = Stream5OtnHasFlowOrFlowbit(otn);
rtn = getRtnFromOtn(otn, policyId);
if (!rtn)
{
continue;
}
if (rtn->proto == protocol)
{
//do operation
inspectSrc = inspectDst = 0;
if (PortObjectHasAny(rtn->src_portobject))
{
inspectSrc = -1;
}
else
{
port_array = PortObjectCharPortArray(port_array, rtn->src_portobject, &num_ports);
if (port_array && num_ports != 0)
{
inspectSrc = 1;
for (i=0; i<SFPO_MAX_PORTS; i++)
{
if (port_array[i])
{
portList[i] |= PORT_MONITOR_INSPECT;
/* port specific rule */
/* Look for an OTN with flow or flowbits keyword */
if (flowBitIsSet)
{
portList[i] |= PORT_MONITOR_SESSION;
}
}
}
}
if ( port_array )
{
free(port_array);
port_array = NULL;
}
}
if (PortObjectHasAny(rtn->dst_portobject))
{
inspectDst = -1;
}
else
{
port_array = PortObjectCharPortArray(port_array, rtn->dst_portobject, &num_ports);
if (port_array && num_ports != 0)
{
inspectDst = 1;
for (i=0; i<SFPO_MAX_PORTS; i++)
{
if (port_array[i])
{
portList[i] |= PORT_MONITOR_INSPECT;
/* port specific rule */
if (flowBitIsSet)
{
portList[i] |= PORT_MONITOR_SESSION;
}
}
}
}
if ( port_array )
{
free(port_array);
port_array = NULL;
}
}
if ((inspectSrc == -1) && (inspectDst == -1))
{
/* any -> any rule */
if (any_any_flow == 0)
{
any_any_flow = Stream5AnyAnyFlow(portList, otn, rtn, any_any_flow,
&pIgnoredRuleList, ignoreAnyAnyRules);
}
}
}
}
/* If portscan is tracking TCP/UDP, need to create
* sessions for all ports */
if (((protocol == IPPROTO_UDP) && (ps_get_protocols(policyId) & PS_PROTO_UDP))
|| ((protocol == IPPROTO_TCP) && (ps_get_protocols(policyId) & PS_PROTO_TCP)))
{
int j;
for (j=0; j<MAX_PORTS; j++)
{
portList[j] |= PORT_MONITOR_SESSION;
}
}
if (any_any_flow == 1)
{
LogMessage("Warning: 'ignore_any_rules' option for Stream5 %s "
"disabled because of %s rule with flow or flowbits option\n",
protocolName, protocolName);
}
else if (pIgnoredRuleList)
{
LogMessage("Warning: Rules (GID:SID) effectively ignored because of "
"'ignore_any_rules' option for Stream5 %s:\n", protocolName);
}
// free list; print iff any_any_flow
printIgnoredRules(pIgnoredRuleList, any_any_flow);
}
/*!
* A function to print the thresholding objects to stdout.
*
*/
int sfthd_show_objects(ThresholdObjects *thd_objs)
{
SFGHASH * sfthd_hash;
THD_ITEM * sfthd_item;
THD_NODE * sfthd_node;
int gen_id;
SFGHASH_NODE * item_hash_node;
tSfPolicyId policyId;
for(gen_id=0;gen_id < THD_MAX_GENID ; gen_id++ )
{
sfthd_hash = thd_objs->sfthd_array[gen_id];
if (sfthd_hash == NULL)
continue;
printf("...GEN_ID = %u\n",gen_id);
for(item_hash_node = sfghash_findfirst( sfthd_hash );
item_hash_node != 0;
item_hash_node = sfghash_findnext( sfthd_hash ) )
{
/* Check for any Permanent sig_id objects for this gen_id */
sfthd_item = (THD_ITEM*)item_hash_node->data;
printf(".....GEN_ID = %u, SIG_ID = %u, Policy = %u\n",gen_id,sfthd_item->sig_id, sfthd_item->policyId);
/* For each permanent thresholding object, test/add/update the thd object */
/* We maintain a list of thd objects for each gen_id+sig_id */
/* each object has it's own unique thd_id */
for( sfthd_node = (THD_NODE*)sflist_first(sfthd_item->sfthd_node_list);
sfthd_node != 0;
sfthd_node = (THD_NODE*)sflist_next(sfthd_item->sfthd_node_list) )
{
printf(".........THD_ID =%d\n",sfthd_node->thd_id );
if( sfthd_node->type == THD_TYPE_SUPPRESS )
printf(".........type =Suppress\n");
if( sfthd_node->type == THD_TYPE_LIMIT )
printf(".........type =Limit\n");
if( sfthd_node->type == THD_TYPE_THRESHOLD )
printf(".........type =Threshold\n");
if( sfthd_node->type == THD_TYPE_BOTH )
printf(".........type =Both\n");
printf(".........tracking=%d\n",sfthd_node->tracking);
printf(".........priority=%d\n",sfthd_node->priority);
if( sfthd_node->type == THD_TYPE_SUPPRESS )
{
printf(".........ip =%s\n",
sfip_to_str(&sfthd_node->ip_address));
printf(".........mask =%d\n",
sfip_bits(&sfthd_node->ip_address));
printf(".........not_flag=%d\n",sfthd_node->ip_mask);
}
else
{
printf(".........count =%d\n",sfthd_node->count);
printf(".........seconds =%d\n",sfthd_node->seconds);
}
}
}
}
return 0;
}
/*
* Hash test program
*/
int main ( int argc, char ** argv )
{
int i;
SFGHASH * t;
SFGHASH_NODE * n, *m;
char str[256],*p;
int num=100;
if( argc > 1 )
num = atoi(argv[1]);
sfatom_init();
/* Create a Hash Table */
t = sfghash_new( 1000, 0 , GH_COPYKEYS , myfree );
/* Add Nodes to the Hash Table */
for(i=0;i<num;i++)
{
snprintf(str, sizeof(str), "KeyWord%d",i+1);
str[sizeof(str) - 1] = '\0';
sfghash_add( t, str, strupr(strdup(str)) );
sfatom_add( str, strupr(strdup(str)) );
}
/* Find and Display Nodes in the Hash Table */
printf("\n** FIND KEY TEST\n");
for(i=0;i<num;i++)
{
snprintf(str, sizeof(str), "KeyWord%d",i+1);
str[sizeof(str) - 1] = '\0';
p = (char*) sfghash_find( t, str );
printf("Hash-key=%*s, data=%*s\n", strlen(str),str, strlen(str), p );
p = (char*) sfatom_find( str );
printf("Atom-key=%*s, data=%*s\n", strlen(str),str, strlen(str), p );
}
/* Display All Nodes in the Hash Table */
printf("\n** FINDFIRST / FINDNEXT TEST\n");
for( n = sfghash_findfirst(t); n; n = sfghash_findnext(t) )
{
printf("hash-findfirst/next: key=%s, data=%s\n", n->key, n->data );
// hashing code frees user data using 'myfree' above ....
if( sfghash_remove(t,n->key) )
printf("Could not remove the key node\n");
else
printf("key node removed\n");
}
for( n = sfatom_findfirst(); n; n = sfatom_findnext() )
{
printf("atom-findfirst/next: key=%s, data=%s\n", n->key, n->data );
free( n->data ); //since atom data is not freed automatically
}
/* Free the table and it's user data */
printf("****sfghash_delete\n");
sfghash_delete( t );
printf("****sfatom_reset\n");
sfatom_reset();
printf("\nnormal pgm finish\n\n");
return 0;
}