/* Parse basic CIDR block - [!]a.b.c.d/bits */ static void parseCIDR( THDX_STRUCT * thdx, char * s ) { #ifdef SUP_IP6 sfip_pton(s, &thdx->ip_address); #else char **args; int nargs; if (*s == '!') { thdx->not_flag = 1; s++; while( (*s <= ' ') && (*s > 0) ) s++; /* skip whitespace */ } args = mSplit( s , "/", 2, &nargs, 0 ); /* get rule option pairs */ if( !nargs || nargs > 2 ) { FatalError("%s(%d) => Suppress-Parse: argument pairing error\n", file_name, file_line); } /* * Keep IP in network order */ thdx->ip_address = inet_addr( args[0] ); if( nargs == 2 ) { int i; int nbits; int mask; nbits = xatou( args[1],"suppress: cidr mask bits" ); mask = 1 << 31; for( i=0; i<nbits; i++ ) { thdx->ip_mask |= mask; mask >>= 1; } /* Put mask in network order */ thdx->ip_mask = htonl(thdx->ip_mask); }
/*
 * Parse one "[!]address [port ...]" entry that starts at ipstr.
 *
 * The entry is taken to end at the first ',' in ipstr or, when there is no
 * comma, at the last ']'. The address text is converted with sfip_pton()
 * into *ip, and every following blank/tab separated token is handed to
 * port_parse() together with portset.
 *
 * ipstr       entry text; it is modified in place (see notes below)
 * ip          receives the parsed address
 * not_flag    set to 1 when the entry starts with '!', otherwise 0
 * portset     receives the parsed ports; gets a single (0, 0) range when no
 *             port was added
 * endIP       on success: points at the ',' or ']' that ended the entry, or
 *             is NULL when neither delimiter was present
 *
 * Returns 0 on success, -1 when sfip_pton() rejects the address.
 *
 * NOTE(review): on the -1 path the delimiter that was overwritten with NUL
 * is not put back and *endIP is never written, so callers must not read
 * either after a failure.
 * NOTE(review): strtok() keeps hidden global state and leaves NULs where the
 * blanks were; a caller that is itself iterating with strtok() loses its
 * position. The result of port_parse() is not inspected here.
 */
static int ip_parse(char *ipstr, sfip_t *ip, char *not_flag, PORTSET *portset, char **endIP)
{
    char *token;
    char *comma;
    char *end_bracket;
    const int negated = (*ipstr == '!');

    /* A leading '!' negates the entry; step over it before parsing. */
    if (negated)
        ipstr++;
    *not_flag = negated ? 1 : 0;

    comma = strchr(ipstr, ',');
    end_bracket = strrchr(ipstr, ']');

    /* Cut the string at the entry's end so later entries are not parsed. */
    if (comma != NULL)
        *comma = '\0';
    else if (end_bracket != NULL)
        *end_bracket = '\0';

    if (sfip_pton(ipstr, ip) != SFIP_SUCCESS)
        return -1;

    /* The first token is the address itself and is discarded. */
    (void)strtok(ipstr, " \t");

    /* Every remaining token is a port specification. */
    for (token = strtok(NULL, " \t"); token != NULL; token = strtok(NULL, " \t"))
    {
        /* Delimiters not located up front are looked for inside the token. */
        if (comma == NULL)
        {
            comma = strchr(token, ',');
            if (comma != NULL)
                *comma = '\0';
        }

        if (end_bracket == NULL)
        {
            end_bracket = strrchr(token, ']');
            if (end_bracket != NULL)
                *end_bracket = '\0';
        }

        port_parse(token, portset);
    }

    /* Guarantee at least one range in the list; (0, 0) is an invalid
     * range that stands for "all ports". */
    if (portset->port_list.count == 0)
        portset_add(portset, 0, 0);

    /* Report where the entry stopped and restore the delimiter. */
    if (comma != NULL)
    {
        *endIP = comma;
        *comma = ',';
    }
    else if (end_bracket != NULL)
    {
        *end_bracket = ']';
        *endIP = end_bracket;
    }
    else
    {
        /* No delimiter was seen; the token loop above always ends on NULL. */
        *endIP = NULL;
    }

    return 0;
}
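/*
 * Handle a lookup request whose payload follows a CSMessageDataHeader.
 *
 * The payload is text: an IP address, optionally followed by a second token.
 * With only the address, the reputation record is rendered into statusBuf by
 * ReputationRepInfo(). With a second token, the decision returned by
 * GetReputation() is reported instead (and, when DAQ_PKTHDR_UNKNOWN is
 * defined, the token is read as the ingress zone).
 *
 * type          not used
 * data          request bytes: header followed by the text payload
 * length        number of bytes at data
 * new_config    not used
 * statusBuf     receives a NUL-terminated status message
 * statusBufLen  size of statusBuf in bytes
 *
 * Returns 0 on success and -1 when the request is malformed, memory cannot
 * be allocated, the address does not parse, or no reputation record exists.
 *
 * The request is untrusted input: nothing past the header is read until the
 * length declared in the header has been matched against the received length.
 */
static int Reputation_Lookup(uint16_t type, const uint8_t *data, uint32_t length, void **new_config, char *statusBuf, int statusBufLen)
{
    snort_ip addr;
    IPrepInfo *repInfo = NULL;
    char *tokstr;
    char *save = NULL;
    char *data_copy;
    CSMessageDataHeader msg_hdr;
    int rc = -1;

    (void)type;
    (void)new_config;

    /* A missing or zero-sized status buffer cannot even hold the terminator,
     * and a negative size would turn into a huge size_t inside snprintf(). */
    if (statusBuf == NULL || statusBufLen <= 0)
        return -1;
    statusBuf[0] = 0;

    if (data == NULL || length <= sizeof(msg_hdr))
        return -1;

    /* Copy the header out instead of casting the byte pointer, so the read
     * does not depend on how the receive buffer is aligned. */
    memcpy(&msg_hdr, data, sizeof(msg_hdr));
    length -= sizeof(msg_hdr);

    /* The declared payload length must match what actually arrived. */
    if (length != (uint32_t)ntohs(msg_hdr.length))
        return -1;
    data += sizeof(msg_hdr);

    /* Work on a NUL-terminated private copy; strtok_r() writes into it. */
    data_copy = malloc((size_t)length + 1);
    if (data_copy == NULL)
        return -1;
    memcpy(data_copy, data, length);
    data_copy[length] = 0;

    tokstr = strtok_r(data_copy, " \t\n", &save);
    if (tokstr == NULL)
        goto done;

    /* Convert tokstr to sfip type */
    if (sfip_pton(tokstr, IP_ARG(addr)))
        goto done;

    /* Get the reputation info */
    repInfo = ReputationLookup(IP_ARG(addr));
    if (!repInfo)
    {
        snprintf(statusBuf, (size_t)statusBufLen, "Reputation Info: Error doing lookup");
        goto done;
    }

    /* Are we looking to obtain the decision? */
    tokstr = strtok_r(NULL, " \t\n", &save);
    if (tokstr != NULL)
    {
        /* Start from 0 so the message never prints an indeterminate value
         * if GetReputation() leaves listid untouched for some decision. */
        uint32_t listid = 0;
        const char *decision;
        SFSnortPacket p;
#ifdef DAQ_PKTHDR_UNKNOWN
        DAQ_PktHdr_t hdr;
        /* NOTE(review): atoi() yields 0 for non-numeric text and reports no
         * overflow; the zone comes straight from the request. */
        int zone = atoi(tokstr);
#endif

        /* Only pkt_header (and ingress_group) carry real values here; clear
         * the rest so GetReputation() never sees uninitialized stack data.
         * NOTE(review): confirm which fields GetReputation() reads. */
        memset(&p, 0, sizeof(p));
#ifdef DAQ_PKTHDR_UNKNOWN
        memset(&hdr, 0, sizeof(hdr));
        hdr.ingress_group = zone;
        p.pkt_header = &hdr;
#else
        p.pkt_header = NULL;
#endif

        switch (GetReputation(repInfo, &p, &listid))
        {
        case DECISION_NULL:
            decision = "DECISION_NULL";
            break;
        case BLACKLISTED:
            decision = "BLACKLISTED";
            break;
        case WHITELISTED_UNBLACK:
            decision = "WHITELISTED UNBLACK";
            break;
        case MONITORED:
            decision = "MONITORED";
            break;
        case WHITELISTED_TRUST:
            decision = "WHITELISTED TRUST";
            break;
        default:
            decision = "UNKNOWN";
            break;
        }

        /* listid is unsigned, so it is printed with %u rather than %d. */
#ifdef DAQ_PKTHDR_UNKNOWN
        snprintf(statusBuf, (size_t)statusBufLen,
                 "Reputation Info: %s in list %u from zone %d",
                 decision, (unsigned int)listid, zone);
#else
        snprintf(statusBuf, (size_t)statusBufLen,
                 "Reputation Info: %s in list %u",
                 decision, (unsigned int)listid);
#endif
    }
    else
    {
        ReputationRepInfo(repInfo, (uint8_t *)reputation_eval_config->iplist,
                          statusBuf, statusBufLen);
    }

    rc = 0;

done:
    /* Single exit for every path that owns data_copy. */
    free(data_copy);
    return rc;
}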