    sfthd_node->ip_address= ip_address;
    sfthd_node->ip_mask   = ip_mask;
    /* A mask of 0 together with a non-zero address means "this exact host":
     * widen the mask to all ones so the later (mask & ip) == address test
     * still matches only that host. */
    if( sfthd_node->ip_mask == 0 && sfthd_node->ip_address != 0 )
    {
        sfthd_node->ip_mask = 0xffffffff;
    }
    /* need a hash of these where the key=[gen_id,sig_id] => THD_GNODE_KEY, the data = THD_NODE's */
    if( gen_id == 0)/* gen_id 0 applies the global object to every generator */
    {
       int i;
       for(i=0;i<THD_MAX_GENID;i++)
           thd->sfthd_garray [ i ] =  sfthd_node;
    }
    else
    {
        /* NOTE(review): no range check on gen_id is visible in this part of
         * the function; unless the (cut-off) head of the function or its
         * caller rejects gen_id >= THD_MAX_GENID, this write indexes past
         * sfthd_garray — confirm where gen_id is validated. */
        thd->sfthd_garray [ gen_id ] =  sfthd_node;
    }
#ifdef THD_DEBUG
    /* gen_id is unsigned; "%u" would match the argument type. */
    printf("THD_DEBUG-GLOBAL: created global threshold object for gen_id=%d\n",gen_id);
    fflush(stdout);
#endif
    return 0;
}

/*!
 * Add a permanent threshold object to the threshold table. Multiple
 * objects may be defined for each gen_id and sig_id pair. Internally
 * a unique threshold id is generated for each pair.
 *
 * Threshold objects track the number of events seen during the time
 * interval specified by seconds. Depending on the type of threshold
 * object and the count value, the thresholding object determines if
 * the current event should be logged or dropped.
 *
 * Dispatch: sig_id == 0 selects the global path
 * (sfthd_create_threshold_global, which takes no not_flag, so the flag is
 * dropped on that path); any other sig_id selects the local path
 * (sfthd_create_threshold_local), which additionally requires gen_id != 0.
 *
 * @param thd Threshold object from sfthd_new()
 * @param gen_id Generator id (0 is rejected on the local path)
 * @param sig_id Signature id (0 selects a global threshold object)
 * @param tracking Selects tracking by src ip or by dst ip
 * @param type  Thresholding type: Limit, Threshold, Limit+Threshold, or Suppress
 * @param priority Assigns a relative priority to this object, higher numbers imply higher priority
 * @param count Number of events
 * @param seconds Time duration over which this threshold object acts.
 * @param ip_address IP address, for suppression
 * @param ip_mask    IP mask, applied to the tested IP before it is compared with ip_address, for suppression
 * @param not_flag   Non-zero inverts a suppress match (suppress IPs that do NOT match); local path only
 * @return integer
 * @retval  0 successfully added the thresholding object
 * @retval !0 failed (-1 here for gen_id == 0 with a non-zero sig_id, otherwise whatever the callee returns)
 *
 *  --- Local and Global Thresholding is setup here  ---
 */
int sfthd_create_threshold( THD_STRUCT * thd,
                            unsigned     gen_id,
                            unsigned     sig_id,
                            int          tracking,
                            int          type,
                            int          priority,
                            int          count,
                            int          seconds,
                            unsigned     ip_address,
                            unsigned     ip_mask,
                            unsigned     not_flag)
{
  if( sig_id == 0 )
  {
      /* Global object: note that not_flag is not forwarded. */
      return  sfthd_create_threshold_global( thd,
                                             gen_id,
                                             sig_id,
                                             tracking,
                                             type,
                                             priority,
                                             count,
                                             seconds,
                                             ip_address,
                                             ip_mask );
  }
  else
  {
      /* A local object must belong to a specific generator. */
      if( gen_id == 0 )
          return -1;

      return  sfthd_create_threshold_local( thd,
                                            gen_id,
                                            sig_id,
                                            tracking,
                                            type,
                                            priority,
                                            count,
                                            seconds,
                                            ip_address,
                                            ip_mask,
                                            not_flag );
  }
}

#ifdef THD_DEBUG
/* Debug-only dotted-quad formatter; u is printed high byte first, i.e. it is
 * expected in host order like the addresses handed to sfthd_test_object().
 * Returns a pointer to one static buffer, so it is not reentrant and two
 * calls in the same printf argument list would print the same string.
 * The "%d" conversions receive unsigned operands; "%u" would match. */
static char * printIP(unsigned u )
{
    static char s[80];
    snprintf(s,80,"%d.%d.%d.%d", (u>>24)&0xff, (u>>16)&0xff, (u>>8)&0xff, u&0xff );
    s[79]=0;
    return s;
}
#endif

/*!
 *
 *  Find/Test/Add an event against a single threshold object.
 *  Events without thresholding objects are automatically loggable.
 *
 *  @param thd     Threshold table pointer
 *  @param sfthd_node Permanent Thresholding Object
 *  @param sip     Event/Packet Src IP address- should be host ordered for comparison
 *  @param dip     Event/Packet Dst IP address
 *  @param curtime Current Event/Packet time in seconds
 *
 *  @return  integer
 *  @retval   0 : Event is loggable
 *  @retval  >0 : Event should not be logged, try next thd object
 *  @retval  <0 : Event should never be logged to this user!
 *               Suppressed Event+IP
 *
 *  Side effect: for every non-suppress node the per-(ip, thd_id) counter in
 *  thd->ip_nodes is created or incremented before the type-specific test runs.
 *  NOTE(review): several inline comments in the type branches below describe
 *  a -1 return as "keep looking", which contradicts the <0 contract above
 *  (stop looking); confirm which behaviour the caller implements.
 */
static
int sfthd_test_object(  THD_STRUCT * thd,
                        THD_NODE   * sfthd_node,
                        unsigned     sip,
                        unsigned     dip,
                        time_t       curtime )
{
    THD_IP_NODE_KEY key;
    THD_IP_NODE     data,*sfthd_ip_node;
    int             status=0;
    unsigned        ip,dt;

#ifdef THD_DEBUG
        printf("THD_DEBUG: Key THD_NODE IP=%s,",printIP((unsigned)sfthd_node->ip_address) );
        printf(" MASK=%s\n",printIP((unsigned)sfthd_node->ip_mask) );
        printf("THD_DEBUG:        PKT  SIP=%s\n",printIP((unsigned)sip) );
        printf("THD_DEBUG:        PKT  DIP=%s\n",printIP((unsigned)dip) );
    fflush(stdout);
#endif

    /*
     *  Get The correct IP: the node's tracking field decides whether the
     *  source or the destination address is the one being counted.
     */
    if( sfthd_node->tracking== THD_TRK_SRC )
    {
       ip = sip;
    }
    else
    {
       ip = dip;
    }

    /*
     *  Check for and test Suppression of this event to this IP.
     *  Suppress nodes keep no state: the decision is purely the address match.
     */
    if( sfthd_node->type == THD_TYPE_SUPPRESS )
    {
#ifdef THD_DEBUG
        printf("THD_DEBUG: SUPPRESS NODE Testing...\n");fflush(stdout);
#endif
        /* Match when the masked event IP equals the node address; not_flag
         * inverts the sense so that everything EXCEPT that address is
         * suppressed. */
        if((sfthd_node->ip_address == (sfthd_node->ip_mask & ip) && !sfthd_node->not_flag) ||
           (sfthd_node->ip_address != (sfthd_node->ip_mask & ip) && sfthd_node->not_flag))
        {
#ifdef THD_DEBUG
            printf("THD_DEBUG: SUPPRESS NODE, do not log events with this IP\n");fflush(stdout);
#endif
            return -1; /* Don't log, and stop looking( event's to this address for this gen_id+sig_id) */
        }
        return 1; /* Keep looking for other suppressors */
    }

    /*
    *  Go on and do standard thresholding
    */

    /* Set up the key: counters are kept per tracked IP and per threshold
     * object id, so two objects for the same signature never share a count.
     * NOTE(review): the key is handed to the hash as raw bytes; if
     * THD_IP_NODE_KEY (declared elsewhere) has padding, uninitialised padding
     * would make lookups non-deterministic — confirm the layout or memset
     * the key first. */
    key.ip     = ip;
    key.thd_id = sfthd_node->thd_id;

    /* Set up a new data element: a first event for this key starts a fresh
     * window at curtime with a count of 1. */
    data.ip     = ip;
    data.count  = 1;
    data.tstart = curtime; /* Event time */

    /*
     * Check for any Permanent sig_id objects for this gen_id  or add this one ...
     */
    status = sfxhash_add( thd->ip_nodes, (void*)&key, &data );

    if( status == SFXHASH_INTABLE )
    {
        /* Already in the table */
        sfthd_ip_node = thd->ip_nodes->cnode->data;

        /* Increment the event count */
        sfthd_ip_node->count++;
    }
    else if (status )
    {
        /* hash error (e.g. table full): this object cannot track the event,
         * so defer to the next object rather than drop it. */
        return 1; /*  check the next threshold object */
    }
    else
    {
        /* Was not in the table - it was added - work with our copy of the data */
        /* NOTE(review): if sfxhash_add copies `data` into the table (rather
         * than storing a pointer to it), the count/tstart updates made through
         * sfthd_ip_node below land in this stack copy and are lost for the next
         * event — confirm against sfxhash_add and consider using the table's
         * node data here as the INTABLE branch does. */
        sfthd_ip_node = &data;
    }

    /*
     *  Do the appropriate test for the Threshold Object Type
     */

    /*
      Limit: log the first 'count' events per window, drop the rest.
    */
    if( sfthd_node->type == THD_TYPE_LIMIT )
    {
#ifdef THD_DEBUG
        printf("\n...Limit Test\n");
    fflush(stdout);
#endif
        /* dt is unsigned: a curtime earlier than tstart (clock stepped back)
         * wraps to a large value and takes the reset path, and the comparison
         * with sfthd_node->seconds is done in unsigned arithmetic, so a
         * negative seconds would never reset — presumably seconds is
         * validated >= 0 at configuration time; verify. The same applies to
         * the Threshold and Both branches below. */
        dt = curtime - sfthd_ip_node->tstart;
        if( dt > sfthd_node->seconds )
        {   /* reset */
            sfthd_ip_node->tstart = curtime;
            sfthd_ip_node->count  = 1;
        }

#ifdef THD_DEBUG
        printf("...dt=%d, sfthd_node->seconds=%d\n",dt,sfthd_node->seconds );
        printf("...sfthd_ip_node->count=%d, sfthd_node->count=%d\n",sfthd_ip_node->count,sfthd_node->count );
    fflush(stdout);
#endif

        if( sfthd_ip_node->count <= sfthd_node->count )
        {
            return 0; /* Log it, stop looking: only log the 1st 'count' events */
        }
        return -1; /* Don't Log yet, don't keep looking : already logged our limit, don't log this sid  */
    }

    /*
      Threshold: log once each time 'count' events accumulate inside a window.
    */
    else if( sfthd_node->type == THD_TYPE_THRESHOLD )
    {
#ifdef THD_DEBUG
        printf("\n...Threshold Test\n");
    fflush(stdout);
#endif
        dt = curtime - sfthd_ip_node->tstart;
        if( dt > sfthd_node->seconds )
        {
            /* Window expired: start a new one with this event as #1. */
            sfthd_ip_node->tstart = curtime;
            sfthd_ip_node->count  = 1;
            return -1; /* Don't Log, keep looking: only log after we reach count, which must be > '1' */
        }
        else
        {
            if( sfthd_ip_node->count >= sfthd_node->count )
            {
                /* reset: the counter restarts from 0 (not 1) after a log. */
                sfthd_ip_node->count = 0;
                sfthd_ip_node->tstart= curtime;
                return 0; /* Log it, stop looking */
            }
            return -1; /* don't log yet */
        }
    }

    /*
      Both: log exactly once per window, on the event that reaches 'count'.
    */
    else if( sfthd_node->type == THD_TYPE_BOTH )
    {
#ifdef THD_DEBUG
        printf("\n...Threshold+Limit Test\n");
    fflush(stdout);
#endif
        dt = curtime - sfthd_ip_node->tstart;
        if( dt > sfthd_node->seconds )
        {
            sfthd_ip_node->tstart = curtime;
            sfthd_ip_node->count  = 1;
            return -1; /* Don't Log yet, keep looking: only log after we reach count, which must be > '1' */
        }
        else
        {
            if( sfthd_ip_node->count >= sfthd_node->count )
            {
                /* Past 'count' already: the one log for this window was done. */
                if( sfthd_ip_node->count >  sfthd_node->count )
                {
                    return -1; /* don't log it, stop  looking, log once per time interval - than block it */
                }
                return 0; /* Log it, stop looking, log the 1st event we see past 'count' events */
            }
            else  /* Block it from logging */
            {
              return -1; /* don't log it, stop  looking,  we must see at least count events 1st */
            }
        }
    }

    /* Unknown node type: nothing above matched. */
#ifdef THD_DEBUG
        printf("THD_DEBUG: You should not be here...\n");
    fflush(stdout);
#endif
    return 0;  /* should not get here, so log it just to be safe */
}

/*
 *   Test a global thresholding object.
 *
 *   Same shape as sfthd_test_object() but keyed on THD_IP_GNODE_KEY and
 *   called with the event's gen_id/sig_id. Unlike the local test, the
 *   suppress check here has no not_flag term (the global create path does
 *   not receive one). Only the head of this function is visible here.
 */
static
int sfthd_test_gobject( THD_STRUCT * thd,
                        THD_NODE   * sfthd_node,
                        unsigned     gen_id,     /* from current event */
                        unsigned     sig_id,     /* from current event */
                        unsigned     sip,        /* " */
                        unsigned     dip,        /* " */
                        time_t       curtime )
{
    THD_IP_GNODE_KEY key;
    THD_IP_GNODE     data, *sfthd_ip_node;
    int              status=0;
    unsigned         ip, dt;

#ifdef THD_DEBUG
        printf("THD_DEBUG-GLOBAL:  gen_id=%u, sig_id=%u\n",gen_id,sig_id);
        printf("THD_DEBUG: Global THD_NODE IP=%s,",printIP((unsigned)sfthd_node->ip_address) );
        printf(" MASK=%s\n",printIP((unsigned)sfthd_node->ip_mask) );
        printf("THD_DEBUG:        PKT  SIP=%s\n",printIP((unsigned)sip) );
        printf("THD_DEBUG:        PKT  DIP=%s\n",printIP((unsigned)dip) );
    fflush(stdout);
#endif

    /*
     *  Get The correct IP (src or dst, per the node's tracking field)
     */
    if( sfthd_node->tracking== THD_TRK_SRC )
    {
       ip = sip;
    }
    else
    {
       ip = dip;
    }

    /*
     *  Check for and test Suppression of this event to this IP
     */
    if( sfthd_node->type == THD_TYPE_SUPPRESS )
    {
#ifdef THD_DEBUG
        printf("THD_DEBUG: G-SUPPRESS NODE Testing...\n");fflush(stdout);
#endif
        /* Plain masked match only; no not_flag inversion on the global path. */
        if( sfthd_node->ip_address == (sfthd_node->ip_mask & ip) )
        {
#ifdef THD_DEBUG
            printf("THD_DEBUG: G-SUPPRESS NODE, do not log events with this IP\n");fflush(stdout);
#endif
            return -1; /* Don't log, and stop looking( event's to this address for this gen_id+sig_id) */
        }
        return 1; /* Keep looking for other suppressors */
    }

    /*
