示例#1
/*

    Parse basic CIDR block  - [!]a.b.c.d/bits

    Fills thdx->not_flag, thdx->ip_address and thdx->ip_mask from the text
    in s. The listing ends before the closing #endif and brace, so whatever
    follows the mask computation (including any cleanup of args) is not
    visible here.

    thdx - suppression/threshold record that receives the parsed fields
    s    - NUL-terminated text; advanced locally past '!' and whitespace

*/
static void parseCIDR( THDX_STRUCT * thdx, char * s )
{
#ifdef SUP_IP6
    /* The result of sfip_pton() is discarded, so this branch does not itself
       report a malformed address. The '!' prefix is not stripped here either.
       NOTE(review): confirm sfip_pton handles negation and that the caller
       validates the outcome. */
    sfip_pton(s, &thdx->ip_address);
#else
   char        **args;
   int          nargs;

   /* A leading '!' sets the negation flag; not_flag is never cleared here,
      so it keeps its previous value when there is no '!'. */
   if (*s == '!')
   {
       thdx->not_flag = 1;
       s++;
       /* Skips bytes in the range 1..' ' and stops at the terminating NUL. */
       while( (*s <= ' ') && (*s > 0) ) s++; /* skip whitespace */
   }

   /* Split on '/' into at most two fields: address and optional bit count. */
   args = mSplit( s , "/", 2, &nargs, 0 );  /* get rule option pairs */

   /* NOTE(review): only nargs is checked; args itself is not tested for NULL
      before args[0] is read below. Presumably FatalError() does not return;
      confirm both against mSplit/FatalError. */
   if( !nargs || nargs > 2  )
   {
       FatalError("%s(%d) => Suppress-Parse: argument pairing error\n", file_name, file_line);
   }

   /*
   *   Keep IP in network order
   *
   *   inet_addr() signals a parse failure with INADDR_NONE, which is also
   *   the encoding of 255.255.255.255. The value is stored unchecked, so an
   *   unparsable address is not rejected at this point.
   */
   thdx->ip_address = inet_addr( args[0] );   

   /* Without a "/bits" field ip_mask is left untouched by the visible code. */
   if( nargs == 2 )
   {
       int i;
       int nbits;
       int mask;

       /* nbits is not range-checked here.
          NOTE(review): confirm xatou() or the caller rejects values above 32. */
       nbits = xatou( args[1],"suppress: cidr mask bits" );
       /* Where int is 32 bits, 1 << 31 shifts into the sign bit (undefined in
          ISO C) and the later >>= on a negative int is implementation-defined.
          NOTE(review): an unsigned mask would avoid both. */
       mask  = 1 << 31;

       /* Bits are OR-ed into ip_mask, so the result is only a clean prefix
          mask if ip_mask was zero on entry - assumed, TODO confirm. */
       for( i=0; i<nbits; i++ )
       {
          thdx->ip_mask |= mask;
          mask >>= 1;
       }

       /* 
          Put mask in network order 
       */
       thdx->ip_mask = htonl(thdx->ip_mask);       
   }
示例#2
文件: ipobj.c 项目: sdnnfv/snort
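/*
 * Parse one "[!]address [port ...]" item from an IP-list string.
 *
 * ipstr    - writable, NUL-terminated text starting at the item. It is
 *            modified in place: the first ',' or the last ']' is overwritten
 *            with NUL while parsing and put back before a successful return;
 *            the blanks/tabs consumed by the tokenizer are NOT put back.
 * ip       - receives the address parsed by sfip_pton().
 * not_flag - set to 1 when the item starts with '!', otherwise 0.
 * portset  - receives every port token via port_parse(); if it is still
 *            empty afterwards a single (0, 0) range is added.
 * endIP    - on success, points at the ',' or ']' that ended the item, or is
 *            NULL when neither delimiter was found.
 *
 * Returns 0 on success, -1 on a NULL argument or when sfip_pton() rejects the
 * address. On the sfip_pton() failure path the delimiter stays overwritten
 * and *endIP is left untouched.
 *
 * strtok_r() is used instead of strtok() so that this helper neither depends
 * on nor clobbers the process-wide tokenizer state of a caller.
 */
static int ip_parse(char *ipstr, sfip_t *ip, char *not_flag, PORTSET *portset, char **endIP)
{
    char *port_str;
    char *comma;
    char *end_bracket;
    char *save = NULL;

    /* Every pointer below is dereferenced unconditionally. */
    if (ipstr == NULL || ip == NULL || not_flag == NULL ||
        portset == NULL || endIP == NULL)
    {
        return -1;
    }

    if (*ipstr == '!')
    {
        ipstr++;
        *not_flag = 1;
    }
    else
    {
        *not_flag = 0;
    }

    /* Cut the item off at its delimiter so only this item is parsed. */
    comma = strchr(ipstr, ',');
    end_bracket = strrchr(ipstr, ']');

    if (comma)
    {
        *comma = '\0';
    }
    else if (end_bracket)
    {
        *end_bracket = '\0';
    }

    /* The address is converted before tokenizing, so sfip_pton() is handed
     * the whole item text up to the delimiter. */
    if (sfip_pton(ipstr, ip) != SFIP_SUCCESS)
        return -1;

    /* The first token is the address itself and is discarded ... */
    (void)strtok_r(ipstr, " \t", &save);
    /* ... every further blank/tab separated token is a port specification. */
    port_str = strtok_r(NULL, " \t", &save);

    while (port_str)
    {
        if (!comma)
        {
            comma = strchr(port_str, ',');
            if (comma)
                *comma = '\0';
        }

        if (!end_bracket)
        {
            end_bracket = strrchr(port_str, ']');
            if (end_bracket)
                *end_bracket = '\0';
        }

        /* NOTE(review): any status reported by port_parse() is not examined
         * here, so a malformed port token does not fail the item - confirm
         * that this is intended. */
        port_parse(port_str, portset);
        port_str = strtok_r(NULL, " \t", &save);
    }

    if (portset->port_list.count == 0)
    {
        /* Make sure we have at least one port range in list, but
         * an invalid port range to convey all is good.  */
        portset_add(portset, 0, 0);
    }

    if (comma)
    {
        *endIP = comma;
        *comma = ',';
    }
    else if (end_bracket)
    {
        *end_bracket = ']';
        *endIP = end_bracket;
    }
    else
    {
        /* No delimiter was seen. The token loop only ends once the tokenizer
         * returns NULL, so the end marker handed back is NULL. */
        *endIP = NULL;
    }

    return 0;
}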
示例#3
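/*
 * Answer a reputation query carried in a message whose payload follows a
 * CSMessageDataHeader.
 *
 * The payload is text: "<ip-address>[ <zone>]". With only an address, the
 * stored reputation entry is rendered by ReputationRepInfo(). With a second
 * token, the decision from GetReputation() is reported instead (the token is
 * read as a zone number only when DAQ_PKTHDR_UNKNOWN is defined).
 *
 * type, new_config - not used by this function.
 * data, length     - raw message: header followed by length - header bytes
 *                    of text; the header's length field must match exactly.
 * statusBuf        - receives the NUL-terminated reply; emptied on entry.
 * statusBufLen     - capacity of statusBuf in bytes, must be positive.
 *
 * Returns 0 when a reply was produced, -1 on any malformed input, allocation
 * failure or failed lookup.
 */
static int Reputation_Lookup(uint16_t type, const uint8_t *data, uint32_t length, void **new_config,
        char *statusBuf, int statusBufLen)
{
    snort_ip addr;
    IPrepInfo *repInfo = NULL;
    char *tokstr, *save, *data_copy = NULL;
    /* NOTE(review): data is reinterpreted as a header in place; this assumes
     * the message buffer is suitably aligned for CSMessageDataHeader. */
    const CSMessageDataHeader *msg_hdr = (const CSMessageDataHeader *)data;
    int rval = -1;

    /* A non-positive length would become a huge size_t inside snprintf(), and
     * statusBuf[0] below needs at least one byte of room. */
    if (statusBuf == NULL || statusBufLen <= 0)
    {
        return -1;
    }
    statusBuf[0] = 0;

    if (data == NULL)
    {
        return -1;
    }

    /* The message must hold the header plus at least one payload byte, and
     * the header's own length field must agree with what was received. */
    if (length <= sizeof(*msg_hdr))
    {
        return -1;
    }
    length -= sizeof(*msg_hdr);
    if (length != (uint32_t)ntohs(msg_hdr->length))
    {
        return -1;
    }

    /* Work on a private, NUL-terminated copy: the payload is const and is
     * not guaranteed to be terminated, and strtok_r() writes into it. */
    data += sizeof(*msg_hdr);
    data_copy = malloc((size_t)length + 1);
    if (data_copy == NULL)
    {
        return -1;
    }
    memcpy(data_copy, data, length);
    data_copy[length] = 0;

    tokstr = strtok_r(data_copy, " \t\n", &save);
    if (tokstr == NULL)
    {
        goto done;
    }

    /* Convert tokstr to sfip type */
    if (sfip_pton(tokstr, IP_ARG(addr)))
    {
        goto done;
    }

    /* Get the reputation info */
    repInfo = ReputationLookup(IP_ARG(addr));
    if (!repInfo)
    {
        snprintf(statusBuf, (size_t)statusBufLen,
            "Reputation Info: Error doing lookup");
        goto done;
    }

    /* Are we looking to obtain the decision? */
    tokstr = strtok_r(NULL, " \t\n", &save);
    if (tokstr)
    {
        /* Start from 0 so the reply never prints an indeterminate value if
         * GetReputation() leaves listid unset for some decision. */
        uint32_t listid = 0;
        const char *decision;
#ifdef DAQ_PKTHDR_UNKNOWN
        /* NOTE(review): atoi() cannot report malformed or out-of-range text;
         * a strtol()-based parse with a range check would be safer for a
         * value taken from a message. */
        int zone = atoi(tokstr);
        DAQ_PktHdr_t hdr;
#endif
        SFSnortPacket p;

        /* Only pkt_header (and ingress_group) are meaningful in this
         * synthetic packet; zero the rest so GetReputation() never reads
         * indeterminate stack contents. */
        memset(&p, 0, sizeof(p));
#ifdef DAQ_PKTHDR_UNKNOWN
        memset(&hdr, 0, sizeof(hdr));
        hdr.ingress_group = zone;
        p.pkt_header = &hdr;
#else
        p.pkt_header = NULL;
#endif

        switch (GetReputation(repInfo, &p, &listid))
        {
            case DECISION_NULL:
                decision = "DECISION_NULL";
                break;

            case BLACKLISTED:
                decision = "BLACKLISTED";
                break;

            case WHITELISTED_UNBLACK:
                decision = "WHITELISTED UNBLACK";
                break;

            case MONITORED:
                decision = "MONITORED";
                break;

            case WHITELISTED_TRUST:
                decision = "WHITELISTED TRUST";
                break;

            default:
                decision = "UNKNOWN";
                break;
        }

        /* listid is unsigned, so it is printed with %u rather than %d. */
        snprintf(statusBuf, (size_t)statusBufLen,
            "Reputation Info: %s in list %u"
#ifdef DAQ_PKTHDR_UNKNOWN
            " from zone %d"
#endif
            , decision, (unsigned int)listid
#ifdef DAQ_PKTHDR_UNKNOWN
            , zone
#endif
            );
    }
    else
    {
        ReputationRepInfo(repInfo,
            (uint8_t *)reputation_eval_config->iplist,
            statusBuf, statusBufLen);
    }

    rval = 0;

done:
    /* Single exit once the copy exists, so it is released on every path. */
    free(data_copy);
    return rval;
}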