📄 rules.c
字号:
void ParseOutputPlugin(char *rule)
{
char **toks;
char **pp_head;
char *funcname;
char *pp_args = NULL;
int num_toks;
int found = 0;
OutputKeywordList *pl_idx;
toks = mSplit(rule, ":", 2, &num_toks,'\\');
if (num_toks >= 1)
{
pp_args = toks[1];
}
pp_head = mSplit(toks[0], " ", 2, &num_toks, '\\');
funcname = pp_head[1];
pl_idx = OutputKeywords;
while (pl_idx != NULL)
{
#ifdef DEBUG
printf("comparing: \"%s\" => \"%s\"\n", funcname, pl_idx->entry.keyword);
#endif
if (!strcasecmp(funcname, pl_idx->entry.keyword))
{
switch (pl_idx->entry.node_type)
{
case NT_OUTPUT_ALERT:
if (!pv.alert_cmd_override)
{
if (AlertFunc == NULL)
{
AlertFunc = CallAlertPlugins;
}
/* call the configuration function for the plugin */
pl_idx->entry.func(pp_args);
}
else
{
ErrorMessage("WARNING: command line overrides rules file alert plugin!\n");
}
break;
case NT_OUTPUT_LOG:
if (!pv.log_cmd_override)
{
if (LogFunc == NULL)
{
LogFunc = CallLogPlugins;
}
/* call the configuration function for the plugin */
pl_idx->entry.func(pp_args);
}
else
{
ErrorMessage("WARNING: command line overrides rules file logging plugin!\n");
}
break;
}
found = 1;
}
if (!found)
{
pl_idx = pl_idx->next;
}
else
break;
}
if (!found)
{
printf("\n*WARNING*: unknown output plugin \"%s\", ignoring!\n\n", funcname);
}
}
/*
* frees the existing OutputList ands sets it a single node for the
* function argument
*/
void SetOutputList(void (*func)(Packet *, char *, void *), char node_type, void *arg)
{
OutputFuncNode *idx;
OutputFuncNode *prev;
switch (node_type)
{
case NT_OUTPUT_ALERT:
prev = AlertList;
break;
case NT_OUTPUT_LOG:
prev = LogList;
break;
default:
return;
}
while(prev != NULL) {
idx = prev->next;
free(prev);
prev = idx;
}
AddFuncToOutputList(func, node_type, arg);
return;
}
void AddFuncToOutputList(void (*func)(Packet *, char *, void *), char node_type, void *arg)
{
OutputFuncNode *idx=NULL; /* avoid warnings */
switch (node_type)
{
case NT_OUTPUT_ALERT:
if (AlertList == NULL)
{
AlertList = (OutputFuncNode *) calloc(sizeof(OutputFuncNode), sizeof(char));
AlertList->func = func;
return;
}
else
{
idx = AlertList;
}
break;
case NT_OUTPUT_LOG:
if (LogList == NULL)
{
LogList = (OutputFuncNode *) calloc(sizeof(OutputFuncNode), sizeof(char));
LogList->func = func;
return;
}
else
{
idx = LogList;
}
break;
default:
/* just to be error-prone */
FatalError("Unknown nodetype: %i. Possible bug. please report\n",
node_type);
}
while (idx->next != NULL)
{
idx = idx->next;
}
idx->next = (OutputFuncNode *) calloc(sizeof(OutputFuncNode), sizeof(char));
idx = idx->next;
idx->func = func;
return;
}
/****************************************************************************
*
* Function: ParseListFile(char *, char *)
*
* Purpose: Read the content_list file a line at a time, convert each line
* into rule and sent to the rule parser
*
* Arguments:rule => rule including the list
* file => list file filename
*
* Returns: void function
*
***************************************************************************/
void ParseListFile(char *rule, char *file)
{
FILE *thefp; /* file pointer for the content_list file */
char *tmp;
char buf[STD_BUF]; /* file read buffer */
char rule_buf[STD_BUF]; /* rule buffer */
int frazes_count; /* frazes counter */
#ifdef DEBUG
printf("Opening content_list file: %s\n", file);
#endif
/* open the list file */
if ((thefp = fopen(file,"r")) == NULL)
{
FatalError("Unable to open list file: %s\n", file);
}
/* clear the line and rule buffers */
bzero((char *)buf, STD_BUF);
bzero((char *)rule_buf, STD_BUF);
frazes_count = 0;
/* loop thru each list file line and create the rule */
while ((fgets(buf, STD_BUF, thefp)) != NULL)
{
/* inc the line counter */
list_file_line++;
#ifdef DEBUG2
printf("Got line %d: %s", list_file_line, buf);
#endif
/* if it's not a comment or a <CR>, send it to the parser */
if ((buf[0] != '#') && (buf[0] != 0x0a) && (buf[0] != ';'))
{
frazes_count++;
strip(buf);
tmp = CreateRule(rule, buf, &rule_buf[0]);
ParseRule(rule_buf, 0);
}
bzero((char *)buf, STD_BUF);
bzero((char *)rule_buf, STD_BUF);
}
#ifdef DEBUG
printf("%d frazes read...\n", frazes_count);
#endif
fclose(thefp);
return;
}
/****************************************************************************
*
* Function: CreateRule(char *, char *)
*
* Purpose: Fill ParseListFile rule buffer with the list text
*
* Arguments:rule => rule including the list
* text => text of the content option
* buf => rule_buf from ParseListFile
*
* Returns: char * to contents of rule buffor
*
***************************************************************************/
char *CreateRule(char *rule, char *buf, char *rule_buf)
{
/*char **tmpptr; */ /* dbl ptr for memccpy call */
char *idx; /* tmp ptr */
char con[] = "content: \""; /* option array */
char oux[] = ")";
#ifdef DEBUG
printf("Creating content: \"%s\"; rule... ", buf);
#endif
/* clear the rule buffer */
bzero((char *)rule_buf, STD_BUF);
/* create the rule */
memccpy(rule_buf, rule, (int)'(', STD_BUF); /* rule core */
idx = strcat(rule_buf, con); /* content option */
idx = strcat(rule_buf, buf); /* text */
idx = strcat(rule_buf, &con[9]); /* " */
idx = strcat(rule_buf, strchr(rule, ';')); /* other options */
idx = strcat(rule_buf, oux); /* ) */
#ifdef DEBUG
printf(" rule created\n");
#endif
return(rule_buf);
}
/****************************************************************************
*
* Function: ParseRuleOptions(char *, int)
*
* Purpose: Process an individual rule's options and add it to the
* appropriate rule chain
*
* Arguments: rule => rule string
* rule_type => enumerated rule type (alert, pass, log)
*
* Returns: void function
*
***************************************************************************/
void ParseRuleOptions(char *rule, int rule_type, int protocol)
{
char **toks = NULL;
char **opts;
char *idx;
char *aux;
int num_toks;
int i;
int num_opts;
int found = 0;
int list = 0;
OptTreeNode *otn_idx;
KeywordXlateList *kw_idx;
/* set the OTN to the beginning of the list */
otn_idx = rtn_tmp->down;
/* make a new one and stick it either at the end of the list or
hang it off the RTN pointer */
if (otn_idx != NULL)
{
/* loop to the end of the list */
while (otn_idx->next != NULL)
{
otn_idx = otn_idx->next;
}
/* setup the new node */
otn_idx->next = (OptTreeNode *) calloc(sizeof(OptTreeNode), sizeof(char));
/* set the global temp ptr */
otn_tmp = otn_idx->next;
if (otn_tmp == NULL)
{
FatalError("ERROR: Unable to alloc OTN: %s", strerror(errno));
}
otn_tmp->next = NULL;
opt_count++;
}
else
{
/* first entry on the chain, make a new node and attach it */
otn_idx = (OptTreeNode *) calloc(sizeof(OptTreeNode), sizeof(char));
bzero((char *)otn_idx, sizeof(OptTreeNode));
otn_tmp = otn_idx;
if (otn_tmp == NULL)
{
FatalError( "ERROR: Unable to alloc OTN!\n");
}
otn_tmp->next = NULL;
rtn_tmp->down = otn_tmp;
opt_count++;
}
otn_tmp->chain_node_number = opt_count;
otn_tmp->type = rule_type;
/* find the start of the options block */
idx = index(rule, '(');
i = 0;
if (idx != NULL)
{
idx++;
/* find the end of the options block */
aux = strrchr(idx,')');
/* get rid of the trailing ")" */
*aux = 0;
/* seperate all the options out, the seperation token is a semicolon */
/* NOTE: if you want to include a semicolon in the content of your rule,
it must be preceeded with a '\' */
toks = mSplit(idx, ";", 10, &num_toks,'\\');
#ifdef DEBUG
printf(" Got %d tokens\n", num_toks);
#endif
/* decrement the number of toks */
num_toks--;
#ifdef DEBUG
printf("Parsing options list: ");
#endif
while (num_toks)
{
#ifdef DEBUG
printf(" option: %s\n", toks[i]);
#endif
/* break out the option name from its data */
opts = mSplit(toks[i], ":", 2, &num_opts,'\\');
#ifdef DEBUG
printf(" option name: %s\n", opts[0]);
printf(" option args: %s\n", opts[1]);
#endif
/* advance to the beginning of the data (past the whitespace) */
while (isspace((int)*opts[0])) opts[0]++;
/* figure out which option tag we're looking at */
if (!strcasecmp(opts[0], "content_list"))
{
AddOptFuncToList(OptListEnd, otn_tmp);
while (isspace((int)*opts[1])) opts[1]++;
ParseListFile(rule, opts[1]);
list = 1;
}
else if (!strcasecmp(opts[0], "msg"))
{
ParseMessage(opts[1]);
}
else if (!strcasecmp(opts[0], "logto"))
{
ParseLogto(opts[1]);
}
#ifdef ENABLE_RESPONSE
else if (!strncasecmp(opts[0], "resp", 4))
{
otn_tmp->response_flag = RESP_RST_SND;
ParseResponse(opts[1]);
}
#endif
else
{
kw_idx = KeywordList;
found = 0;
while (kw_idx != NULL)
{
#ifdef DEBUG
printf("comparing: \"%s\" => \"%s\"\n", opts[0], kw_idx->entry.keyword);
#endif
if (!strcasecmp(opts[0], kw_idx->entry.keyword))
{
kw_idx->entry.func(opts[1], otn_tmp, protocol);
found = 1;
#ifdef DEBUG
printf("%s->", kw_idx->entry.keyword);
#endif
}
if (!found)
{
kw_idx = kw_idx->next;
}
else
break;
}
if (!found)
{
if (!strcasecmp(opts[0], "minfrag"))
{
FatalError( "\nERROR: %s (%d) => Minfrag is no longer a rule option, it is a\npreprocessor (please remove it from your rules file). See RULES.SAMPLE or\nsnort-lib for examples of using the new preprocessors!\n", file_name, file_line);
}
else
{
FatalError( "\nERROR: %s (%d) => Unknown keyword \"%s\" in rule!\n", file_name, file_line, opts[0]);
}
}
}
free(opts);
--num_toks;
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -