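RegisterPreprocessor("stream4", Stream4Init);
    RegisterPreprocessor("stream4_reassemble", Stream4InitReassembler);

    DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Preprocessor: Stream4 is setup...\n"););
}

/*
 * Function: Stream4Init(u_char *)
 *
 * Purpose: Calls the argument parsing function, performs final setup on data
 *          structs, links the preproc function into the function list.
 *
 * Arguments: args => ptr to argument string
 *
 * Returns: void function
 *
 * Notes: Exits via FatalError() if the session log path does not fit in
 *        STD_BUF or the session log cannot be opened (only when session
 *        statistics tracking was enabled by ParseStream4Args()).
 */
void Stream4Init(u_char *args)
{
    char logfile[STD_BUF];
    int len;

    s4data.stream4_active = 1;
    pv.stateful = 1;
    s4data.memcap = STREAM4_MEMORY_CAP;
    s4data.max_sessions = STREAM4_MAX_SESSIONS;

    DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "log_dir is %s\n", pv.log_dir););

    /* initialize the self preservation counters */
    s4data.sp_threshold = SELF_PRES_THRESHOLD;
    s4data.sp_period = SELF_PRES_PERIOD;
    s4data.suspend_threshold = SUSPEND_THRESHOLD;
    s4data.suspend_period = SUSPEND_PERIOD;
    s4data.state_protection = 0;

    s4_emergency.end_time = 0;
    s4_emergency.new_session_count = 0;
    s4_emergency.status = OPS_NORMAL;

    /* parse the argument list from the rules file */
    ParseStream4Args(args);

    if(s4data.track_stats_flag)
    {
        /* build the session log path; a truncated path would silently open
         * a file other than the one the operator configured, so treat
         * truncation as a configuration error */
        len = snprintf(logfile, STD_BUF, "%s/%s", pv.log_dir, "session.log");
        if(len < 0 || len >= STD_BUF)
        {
            FatalError("Session log path \"%s/session.log\" exceeds %d bytes\n",
                       pv.log_dir, STD_BUF);
        }

        if((session_log = fopen(logfile, "a+")) == NULL)
        {
            FatalError("Unable to write to \"%s\": %s\n", logfile,
                       strerror(errno));
        }
    }

    s4data.last_prune_time = 0;

    /* one reusable packet for reassembled-stream injection */
    stream_pkt = (Packet *) SafeAlloc(sizeof(Packet), 0, NULL);
    InitStream4Pkt();

    /* tell the rest of the program that we're stateful */
    snort_runtime.capabilities.stateful_inspection = 1;

#ifdef USE_HASH_TABLE
    InitSessionCache();
#else /* USE_SPLAY_TREE */
    (void)ubi_trInitTree(RootPtr,       /* ptr to the tree head */
                         CompareFunc,   /* comparison function */
                         0);            /* don't allow overwrites/duplicates */
#endif

    DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "Preprocessor: Stream4 Initialized\n"););

    /* Set the preprocessor function into the function list */
    AddFuncToPreprocList(ReassembleStream4);
    AddFuncToShutdownList(Stream4ShutdownFunction, NULL);
    AddFuncToCleanExitList(Stream4CleanExitFunction, NULL);
    AddFuncToRestartList(Stream4RestartFunction, NULL);
}

/*
 * Function: DisplayStream4Config(void)
 *
 * Purpose: Print the effective stream4 configuration held in s4data via
 *          LogMessage(). Every format specifier must match the argument
 *          type exactly (the casts to unsigned long require %lu).
 *
 * Arguments: none
 *
 * Returns: void function
 */
void DisplayStream4Config(void)
{
    LogMessage("Stream4 config:\n");
    LogMessage(" Stateful inspection: %s\n",
               s4data.stateful_inspection_flag ? "ACTIVE": "INACTIVE");
    LogMessage(" Session statistics: %s\n",
               s4data.track_stats_flag ? "ACTIVE":"INACTIVE");
    LogMessage(" Session timeout: %d seconds\n", s4data.timeout);
    LogMessage(" Session memory cap: %lu bytes\n",
               (unsigned long)s4data.memcap);
    /* %lu, not %d: the argument is cast to unsigned long and a mismatched
     * specifier is undefined behavior */
    LogMessage(" Session count max: %lu sessions\n",
               (unsigned long)s4data.max_sessions);

    if (s4data.cache_clean_percent != 0)
    {
        LogMessage(" Session cleanup percentage: %f %%\n",
                   s4data.cache_clean_percent);
    }
    else
    {
        LogMessage(" Session cleanup count: %d\n",
                   s4data.cache_clean_sessions);
    }

    LogMessage(" State alerts: %s\n",
               s4data.state_alerts ? "ACTIVE":"INACTIVE");
    LogMessage(" Evasion alerts: %s\n",
               s4data.evasion_alerts ? "ACTIVE":"INACTIVE");
    LogMessage(" Scan alerts: %s\n",
               s4data.ps_alerts ? "ACTIVE":"INACTIVE");
    LogMessage(" Log Flushed Streams: %s\n",
               s4data.log_flushed_streams ? "ACTIVE":"INACTIVE");
    LogMessage(" MinTTL: %d\n", s4data.min_ttl);
    LogMessage(" TTL Limit: %d\n", s4data.ttl_limit);
    LogMessage(" Async Link: %d\n", s4data.asynchronous_link);
    LogMessage(" State Protection: %d\n", s4data.state_protection);
    LogMessage(" Self preservation threshold: %d\n", s4data.sp_threshold);
    LogMessage(" Self preservation period: %d\n", s4data.sp_period);
    LogMessage(" Suspend threshold: %d\n", s4data.suspend_threshold);
    LogMessage(" Suspend period: %d\n", s4data.suspend_period);
    LogMessage(" Enforce TCP State: %s\n",
               s4data.enforce_state ? "ACTIVE" : "INACTIVE");
    LogMessage(" Midstream Drop Alerts: %s\n",
               s4data.ms_inline_alerts ? "ACTIVE" : "INACTIVE");

    if (s4data.server_inspect_limit > 0)
    {
        LogMessage(" Server Data Inspection Limit: %d\n",
                   s4data.server_inspect_limit);
    }
}

/*
 * Function: ParseStream4Args(char *)
 *
 * Purpose: Process the preprocessor arguements from the rules file and
 *          initialize the preprocessor's data struct. This function doesn't
 *          have to exist if it makes sense to parse the args in the init
 *          function.
 *
 * Arguments: args => argument list
 *
 * Returns: void function
 */
void ParseStream4Args(char *args)
{
    char **toks;
    int num_toks;
    int i;
    char *index;
    char **stoks = NULL;
    int s_toks;

    s4data.timeout = PRUNE_QUANTA;
    s4data.memcap = STREAM4_MEMORY_CAP;
    s4data.max_sessions = STREAM4_MAX_SESSIONS;
    s4data.cache_clean_percent = 0;
    s4data.cache_clean_sessions = STREAM4_CLEANUP;
    s4data.stateful_inspection_flag = 1;
    s4data.state_alerts = 0;
    s4data.evasion_alerts = 1;
    s4data.ps_alerts = 0;
    s4data.reassemble_client = s4data.reassemble_server = 0;
    s4data.log_flushed_streams = 0;
    s4data.min_ttl = 1;
    s4data.path_mtu = 1460;
    s4data.ttl_limit = STREAM4_TTL_LIMIT;
    s4data.asynchronous_link = 0;
    s4data.flush_data_diff_size = 500;
    s4data.zero_flushed_packets = 0;
    s4data.flush_on_alert = 0;
    s4data.overlap_limit = -1;
    s4data.server_inspect_limit = -1;

    /* dynamic flush points */
    s4data.flush_behavior = FLUSH_BEHAVIOR_DEFAULT;
    s4data.flush_range = STREAM4_FLUSH_RANGE;
    s4data.flush_base = STREAM4_FLUSH_BASE;
    s4data.flush_seed = getpid() + time(NULL);

    /* if no arguments, go ahead and return */
    if(args == NULL || args[0] == '\0')
    {
        DisplayStream4Config();
        return;
    }

    i=0;
    toks = mSplit(args, ",", 20, &num_toks, 0);

    while(i < num_toks)
    {
        index = toks[i];
        while(isspace((int)*index)) index++;
        stoks = mSplit(index, " ", 4, &s_toks, 0);

        if(!strcasecmp(stoks[0], "noinspect"))
        {
            s4data.stateful_inspection_flag = 0;
        }
        else if(!strcasecmp(stoks[0], "asynchronous_link"))
        {
            s4data.asynchronous_link = 1;
        }
        else if(!strcasecmp(stoks[0], "keepstats"))
        {
            s4data.track_stats_flag = STATS_HUMAN_READABLE;
            if(s_toks > 1)
            {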
if(!strcasecmp(stoks[1], "machine")) { s4data.track_stats_flag = STATS_MACHINE_READABLE; } else if(!strcasecmp(stoks[1], "binary")) { s4data.track_stats_flag = STATS_BINARY; stats_log = (StatsLog *) calloc(sizeof(StatsLog), sizeof(char)); stats_log->filename = strdup("snort-unified.stats"); OpenStatsFile(); } else { ErrorMessage("Bad stats mode for stream4, ignoring\n"); s4data.track_stats_flag = 0; } } } else if(!strcasecmp(stoks[0], "detect_scans")) { s4data.ps_alerts = 1; } else if(!strcasecmp(stoks[0], "log_flushed_streams")) { s4data.log_flushed_streams = 1; } else if(!strcasecmp(stoks[0], "detect_state_problems")) { s4data.state_alerts = 1; } else if(!strcasecmp(stoks[0], "disable_evasion_alerts")) { s4data.evasion_alerts = 0; } else if(!strcasecmp(stoks[0], "timeout")) { if(isdigit((int)stoks[1][0])) { s4data.timeout = atoi(stoks[1]); } else { LogMessage("WARNING %s(%d) => Bad timeout in config file, " "defaulting to %d seconds\n", file_name, file_line, PRUNE_QUANTA); s4data.timeout = PRUNE_QUANTA; } } else if(!strcasecmp(stoks[0], "memcap")) { if(isdigit((int)stoks[1][0])) { s4data.memcap = atoi(stoks[1]); if(s4data.memcap < 16384) { LogMessage("WARNING %s(%d) => Ludicrous (<16k) memcap " "size, setting to default (%d bytes)\n", file_name, file_line, STREAM4_MEMORY_CAP); s4data.memcap = STREAM4_MEMORY_CAP; } } else { FatalError("%s(%d) => Bad memcap in config file, %d\n", file_name, file_line); } } else if(!strcasecmp(stoks[0], "max_sessions")) { if(isdigit((int)stoks[1][0])) { s4data.max_sessions = atoi(stoks[1]); if(s4data.max_sessions < 8192) { LogMessage("WARNING %s(%d) => Ludicrous (<8k) max_sessions " "size, setting to default (%d sessions)\n", file_name, file_line, STREAM4_MAX_SESSIONS); s4data.max_sessions = STREAM4_MAX_SESSIONS; } } else { FatalError("%s(%d) => Bad max_sessions in config file, %d\n", file_name, file_line); } } else if(!strcasecmp(stoks[0], "cache_clean_percent")) { if(isdigit((int)stoks[1][0])) { s4data.cache_clean_percent = 
atof(stoks[1]); if ((s4data.cache_clean_percent < 0) || (s4data.cache_clean_percent > 5)) { LogMessage("WARNING %s(%d) => Ludicrous (%f) cache cleanup " "percentage, setting to default (%f %%)\n", file_name, file_line, STREAM4_CACHE_PERCENT); s4data.cache_clean_percent = STREAM4_CACHE_PERCENT; } } else { FatalError("%s(%d) => Bad cache cleanup percent in " "config file, %d\n", file_name, file_line); } } else if(!strcasecmp(stoks[0], "cache_clean_sessions")) { if(isdigit((int)stoks[1][0])) { s4data.cache_clean_sessions = atoi(stoks[1]); } else { FatalError("%s(%d) => Bad cache cleanup value in " "config file\n", file_name, file_line); } } else if(!strcasecmp(stoks[0], "ttl_limit")) { if(s_toks > 1) { if(stoks[1] == NULL || stoks[1][0] == '\0') { FatalError("%s(%d) => ttl_limit requires an integer argument\n", file_name,file_line); } if(isdigit((int)stoks[1][0])) { s4data.ttl_limit = atoi(stoks[1]); } else { LogMessage("WARNING %s(%d) => Bad TTL Limit" "size, setting to default (%d\n", file_name, file_line, STREAM4_TTL_LIMIT); s4data.ttl_limit = STREAM4_TTL_LIMIT; } } else { FatalError("%s(%d) => ttl_limit requires an integer argument\n", file_name,file_line); } } else if(!strcasecmp(stoks[0], "self_preservation_threshold")) { if(isdigit((int)stoks[1][0])) { s4data.sp_threshold = atoi(stoks[1]); } else { LogMessage("WARNING %s(%d) => Bad sp_threshold in config file, " "defaulting to %d new sessions/second\n", file_name, file_line, SELF_PRES_THRESHOLD); s4data.sp_threshold = SELF_PRES_THRESHOLD; } } else if(!strcasecmp(stoks[0], "self_preservation_period")) { if(isdigit((int)stoks[1][0])) { s4data.sp_period = atoi(stoks[1]); } else { LogMessage("WARNING %s(%d) => Bad sp_period in config file, " "defaulting to %d seconds\n", file_name, file_line, SELF_PRES_PERIOD); s4data.sp_period = SELF_PRES_PERIOD; } } else if(!strcasecmp(stoks[0], "suspend_threshold")) { if(isdigit((int)stoks[1][0])) { s4data.suspend_threshold = atoi(stoks[1]); } else { LogMessage("WARNING %s(%d) 
=> Bad suspend_threshold in config " "file, defaulting to %d new sessions/second\n", file_name, file_line, SUSPEND_THRESHOLD); s4data.suspend_threshold = SUSPEND_THRESHOLD; } } else if(!strcasecmp(stoks[0], "suspend_period")) { if(isdigit((int)stoks[1][0])) { s4data.suspend_period = atoi(stoks[1]); } else {