sfthd.c

Linux snort-2.4.4源代码

    *  Go on and do standard thresholding
    */
    
    /* Set up the key */
    key.ip     = ip;
    key.gen_id = sfthd_node->gen_id;
    key.sig_id = sig_id;

    /* Set up a new data element */
    data.count  = 1;
    data.tstart = curtime; /* Event time */

    /* 
     * Check for any Permanent sig_id objects for this gen_id  or add this one ...
     */
    status = sfxhash_add( thd->ip_gnodes, (void*)&key, &data );
    
    if( status == SFXHASH_INTABLE )
    {
        /* Already in the table */
        sfthd_ip_node = thd->ip_gnodes->cnode->data;

        /* Increment the event count */
        sfthd_ip_node->count++;
    }
    else if (status )
    {
        /* hash error */
        return 1; /*  check the next threshold object */
    }
    else
    {
        /* Was not in the table - it was added - work with our copy of the data */
        sfthd_ip_node = &data;
    }


    /*
     *  Do the appropriate test for the Threshold Object Type 
     */
    
    /*
      Limit
    */
    if( sfthd_node->type == THD_TYPE_LIMIT )
    {
#ifdef THD_DEBUG
        printf("\n...Limit Test\n");
	fflush(stdout);
#endif		
        dt = curtime - sfthd_ip_node->tstart;
        if( dt > sfthd_node->seconds )
        {   /* reset */
            sfthd_ip_node->tstart = curtime;
            sfthd_ip_node->count  = 1;
        }

#ifdef THD_DEBUG
        printf("...dt=%d, sfthd_node->seconds=%d\n",dt, sfthd_node->seconds );
        printf("...sfthd_ip_node->count=%d, sfthd_node->count=%d\n",sfthd_ip_node->count,sfthd_node->count );
	fflush(stdout);
#endif
        if( sfthd_ip_node->count <= sfthd_node->count )
        {
            return 0; /* Log it, stop looking: only log the 1st 'count' events */
        }

        return -1; /* Don't Log yet, don't keep looking : already logged our limit, don't log this sid  */
    }
    
    else if( sfthd_node->type == THD_TYPE_THRESHOLD )
    {
#ifdef THD_DEBUG
        printf("\n...Threshold Test\n");
	fflush(stdout);
#endif		
        dt = curtime - sfthd_ip_node->tstart;
	if( dt > sfthd_node->seconds )
        {
            sfthd_ip_node->tstart = curtime;
            sfthd_ip_node->count  = 1;

            return -1; /* Don't Log, keep looking: only log after we reach count, which must be > '1' */
        }
        else
        {
            if( sfthd_ip_node->count >= sfthd_node->count ) 
            {
                /* reset */
                sfthd_ip_node->count = 0;
                sfthd_ip_node->tstart= curtime;
			
                return 0; /* Log it, stop looking */ 
            }
            return -1; /* don't log yet */
        }
    }

    else if( sfthd_node->type == THD_TYPE_BOTH )
    {
#ifdef THD_DEBUG
        printf("\n...Threshold+Limit Test\n");
	fflush(stdout);
#endif
        dt = curtime - sfthd_ip_node->tstart;
        if( dt > sfthd_node->seconds )
        {
            sfthd_ip_node->tstart = curtime;
            sfthd_ip_node->count  = 1;

            return -1; /* Don't Log yet, keep looking: only log after we reach count, which must be > '1' */
        }
        else
        {
            if( sfthd_ip_node->count >= sfthd_node->count ) 
            {
                if( sfthd_ip_node->count >  sfthd_node->count ) 
		{
                    return -1; /* don't log it, stop  looking, log once per time interval - than block it */
		}
                return 0; /* Log it, stop looking, log the 1st event we see past 'count' events */
            }
	    else  /* Block it from logging */
	    {
              return -1; /* don't log it, stop  looking,  we must see at least count events 1st */
	    }
        }
    }

#ifdef THD_DEBUG
        printf("THD_DEBUG: You should not be here...\n");
	fflush(stdout);
#endif

    	return 0;  /* should not get here, so log it just to be safe */
}


/*!
 *
 *  Test a an event against the threshold database.  
 *  Events without thresholding objects are automatically 
 *  loggable.
 *  
 *  @param thd     Threshold table pointer
 *  @param gen_id  Generator Id from the event
 *  @param sig_id  Signature Id from the event
 *  @param sip     Event/Packet Src IP address
 *  @param dip     Event/Packet Dst IP address
 *  @param curtime Current Event/Packet time
 *    
 *  @return  integer
 *  @retval  0 : Event is loggable 
 *  @retval !0 : Event should not be logged
 *
 */
int sfthd_test_threshold( THD_STRUCT * thd,
                          unsigned gen_id,  
                          unsigned sig_id,
                          unsigned sip,   
                          unsigned dip,
                          long     curtime )  
{
    SFGHASH  * sfthd_hash; 
    THD_ITEM * sfthd_item;
    THD_NODE * sfthd_node, * g_thd_node;
    int cnt;
    int status=0;

#ifdef CRIPPLE
    return 0;
#endif

#ifdef THD_DEBUG
    printf("sfthd_test_threshold...\n");fflush(stdout);
#endif    
    if( gen_id >= THD_MAX_GENID )
    {
#ifdef THD_DEBUG
        printf("THD_DEBUG: invalid gen_id=%u\n",gen_id);
	fflush(stdout);
#endif  
	return 0; /* bogus gen_id */
    }

    /*
     *  Get the hash table for this gen_id
     */
    sfthd_hash = thd->sfthd_array [ gen_id ];
    if( !sfthd_hash )
    {
#ifdef THD_DEBUG
        printf("THD_DEBUG: no hash table entry for gen_id=%u\n",gen_id);
	fflush(stdout);
#endif      
        goto global_test;	
        /* return 0; */ /* no threshold objects for this gen_id, log it ! */
    }

    /* 
     * Check for any Permanent sig_id objects for this gen_id 
     */
    sfthd_item = (THD_ITEM*)sfghash_find( sfthd_hash, (void*)&sig_id );
    if( !sfthd_item )
    {
#ifdef THD_DEBUG
        printf("THD_DEBUG: no THD objects for gen_id=%u, sig_id=%u\n",gen_id,sig_id);
	fflush(stdout);
#endif       
        goto global_test;	
        /* return 0; */ /* no matching permanent sig_id objects so, log it ! */
    }
   
    /* No List of Threshold objects - bail and log it */ 
    if( !sfthd_item->sfthd_node_list )
    {
          goto global_test;	
	  /*  return 0; */
    }
		    
    /* For each permanent thresholding object, test/add/update the thd object */
    /* We maintain a list of thd objects for each gen_id+sig_id */
    /* each object has it's own unique thd_id */
    /* Suppression nodes have a very high priority, so they are tested 1st */
    cnt=0;
    for( sfthd_node  = (THD_NODE*)sflist_first(sfthd_item->sfthd_node_list);
         sfthd_node != 0;
         sfthd_node  = (THD_NODE*)sflist_next(sfthd_item->sfthd_node_list) )
    {
        cnt++;
	
#ifdef THD_DEBUG
        printf("THD_DEBUG: gen_id=%u sig_id=%u testing thd_id=%d thd_type=%d\n",
			gen_id, sig_id, sfthd_node->thd_id, sfthd_node->type);
	fflush(stdout);
#endif
	/*
	 *   Test SUPPRESSION and THRESHOLDING
	 *
	 *   For 3.0 SUPPRESSION returns -1 to suppress, +1 to keep on testing the next object
	 *           THRESHOLDING returns -1 to suppress, and 0 to log
	 */
        status = sfthd_test_object( thd, sfthd_node, sip, dip, curtime );
	
        if( status < 0 ) /* -1 == Don't log and stop looking */
        {
#ifdef THD_DEBUG
		printf("THD_DEBUG: gen_id=%u sig_id=%u, UnLoggable\n\n",gen_id, sig_id,cnt);
		fflush(stdout);
#endif
		return 1;  /* 1 == Don't log it*/
        }
        else if( status == 0 )  /* Log it and stop looking */
        {
#ifdef THD_DEBUG
		printf("THD_DEBUG: gen_id=%u sig_id=%u tested %d THD_NODE's, Loggable\n\n",sfthd_item->gen_id, sfthd_item->sig_id,cnt);
		fflush(stdout);
#endif
		return 0; /* 0 == Log the event */
        }
        /* status > 0 : Log it later but Keep looking....check the next threshold object for a blocking action ... 
	*              For 3.0 SUPPRESS objects return +1 if they don't suppress... so we can fall out of this loop
	*              to log by returning 0 below....
	*/
    }


    /*
     * 
     * 
     *  Test for a global threshold object  - we're here cause ther were no threshold objects for this gen_id/sig_id pair
     *
     *  
     */
global_test:

#ifdef THD_DEBUG
    printf("THD_DEBUG-GLOBAL: doing global object test\n");
#endif    
     
     g_thd_node = thd->sfthd_garray[ gen_id ];
     if( g_thd_node )
     {
         status = sfthd_test_gobject( thd, g_thd_node, sig_id, gen_id, sip, dip, curtime );
         if( status < 0 ) /* -1 == Don't log and stop looking */
         {
#ifdef THD_DEBUG
            printf("THD_DEBUG-GLOBAL: gen_id=%u sig_id=%u THD_NODE's, UnLoggable\n\n",gen_id, sig_id);
	    fflush(stdout);
#endif
            return 1;  /* 1 == Don't log it*/
         }

	 /* Log it ! */
#ifdef THD_DEBUG
        printf("THD_DEBUG-GLOBAL: gen_id=%u sig_id=%u  THD_NODE's, Loggable\n\n",gen_id, sig_id);
        fflush(stdout);
#endif
     }
     else
     {
#ifdef THD_DEBUG
        printf("THD_DEBUG-GLOBAL: no Global THD Object for gen_id=%u, sig_id=%u\n\n",gen_id, sig_id);
        fflush(stdout);
#endif
     }
     
    return 0; /* Default: Log it if we did not block the logging action */
}

/*!
 *   A function to print the thresholding objects to stdout.
 *
 */
int sfthd_show_objects( THD_STRUCT * thd )
{
    SFGHASH  * sfthd_hash; 
    THD_ITEM * sfthd_item;
    THD_NODE * sfthd_node;
    int        gen_id;
    SFGHASH_NODE * item_hash_node;

    for(gen_id=0;gen_id < THD_MAX_GENID ; gen_id++ )
    {
        sfthd_hash = thd->sfthd_array [ gen_id ];
        if( !sfthd_hash )
        {
            continue;
        }

        printf("...GEN_ID = %u\n",gen_id);

        for(item_hash_node  = sfghash_findfirst( sfthd_hash );
            item_hash_node != 0; 
            item_hash_node  = sfghash_findnext( sfthd_hash ) )
        {
            /* Check for any Permanent sig_id objects for this gen_id */
            sfthd_item = (THD_ITEM*)item_hash_node->data;

            printf(".....GEN_ID = %u, SIG_ID = %u\n",gen_id,sfthd_item->sig_id);
     
            /* For each permanent thresholding object, test/add/update the thd object */
            /* We maintain a list of thd objects for each gen_id+sig_id */
            /* each object has it's own unique thd_id */

            for( sfthd_node  = (THD_NODE*)sflist_first(sfthd_item->sfthd_node_list);
                 sfthd_node != 0;
                 sfthd_node = (THD_NODE*)sflist_next(sfthd_item->sfthd_node_list) )
            {
                printf(".........THD_ID  =%d\n",sfthd_node->thd_id );
               
	       	if( sfthd_node->type == THD_TYPE_SUPPRESS )
                printf(".........type    =Suppress\n");
                if( sfthd_node->type == THD_TYPE_LIMIT )
                printf(".........type    =Limit\n");
                if( sfthd_node->type == THD_TYPE_THRESHOLD )
                printf(".........type    =Threshold\n");
                if( sfthd_node->type == THD_TYPE_BOTH )
                printf(".........type    =Both\n");
		
                printf(".........tracking=%d\n",sfthd_node->tracking);
                printf(".........priority=%d\n",sfthd_node->priority);
		  
                if( sfthd_node->type == THD_TYPE_SUPPRESS )
                {
                    printf(".........ip      =%d\n",sfthd_node->ip_address);
                    printf(".........mask    =%d\n",sfthd_node->ip_mask);
                    printf(".........not_flag=%d\n",sfthd_node->ip_mask);
                }
                else
                {
		    printf(".........count   =%d\n",sfthd_node->count);
		    printf(".........seconds =%d\n",sfthd_node->seconds);
                }
            }
	}
    }

    return 0;
}