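/* Tail of the preceding function; its opening lies above this excerpt and the
 * statements are reproduced unchanged. */
    pfn->context = (void *) context;

    if(!stats_registered)
    {
        AddFuncToCleanExitList(Frag3CleanExit, NULL);
        AddFuncToRestartList(Frag3Restart, NULL);
        stats_registered = 1;
    }

    /*
     * print this engine config
     */
    Frag3PrintEngineConfig(context);

    return;
}

/**
 * Fetch the integer value that follows a global-config keyword.
 *
 * @param stoks  Tokens of one comma-separated config item; stoks[0] is the keyword
 * @param s_toks Number of entries in stoks (as returned by mSplit)
 * @param value  Receives the parsed value when the return is non-zero
 *
 * @return 1 when a value token exists and starts with a digit, 0 otherwise
 *         (the caller then logs a warning and applies its default).
 */
static int Frag3GlobalIntArg(char **stoks, int s_toks, int *value)
{
    /* Check the token count before touching stoks[1]: a bare "max_frags" or
     * "prealloc_frags" item produces a single token, and the memcap branch
     * was the only one that guarded against that.  The unsigned char cast
     * keeps isdigit() defined for high-bit bytes. */
    if(s_toks < 2 || stoks[1] == NULL ||
       !isdigit((int)(unsigned char)stoks[1][0]))
    {
        return 0;
    }

    *value = atoi(stoks[1]);
    return 1;
}

/**
 * Config parser for global config.
 *
 * Items are comma separated; each item is split on spaces into a keyword and
 * an optional value.  Recognised keywords are "max_frags", "memcap" and
 * "prealloc_frags"; anything else is ignored without a message.  A missing or
 * non-numeric value logs a warning and applies the keyword's default.
 *
 * @param args List of configuration parameters
 *
 * @return none
 */
static void Frag3ParseGlobalArgs(u_char *args)
{
    char **toks;
    int num_toks;
    int i;
    char *index;
    char **stoks = NULL;
    int s_toks;
    int value;

    if(args == NULL || strlen(args) == 0)
    {
        return;
    }

    toks = mSplit(args, ",", 12, &num_toks, 0);

    for(i = 0; i < num_toks; i++)
    {
        index = toks[i];

        /* skip leading blanks left behind by ", " separators */
        while(isspace((int)(unsigned char)*index))
        {
            index++;
        }

        stoks = mSplit(index, " ", 4, &s_toks, 0);

        if(!strcasecmp(stoks[0], "max_frags"))
        {
            if(Frag3GlobalIntArg(stoks, s_toks, &value))
            {
                global_config.max_frags = value;
            }
            else
            {
                LogMessage("WARNING %s(%d) => Bad max_frags in config "
                           "file, defaulting to %d frags\n",
                           file_name, file_line, DEFAULT_MAX_FRAGS);
                global_config.max_frags = DEFAULT_MAX_FRAGS;
            }
        }
        else if(!strcasecmp(stoks[0], "memcap"))
        {
#ifdef FRAG3_USE_MEMCAP
            if(Frag3GlobalIntArg(stoks, s_toks, &value))
            {
                /* compare the int before storing it so a negative value is
                 * rejected regardless of the width/signedness of the field */
                if(value < 16384)
                {
                    LogMessage("WARNING %s(%d) => Ludicrous (<16k) memcap "
                               "size, setting to default (%d bytes)\n",
                               file_name, file_line, FRAG_MEMCAP);
                    value = FRAG_MEMCAP;
                }
                global_config.memcap = value;
            }
            else
            {
                LogMessage("WARNING %s(%d) => Bad memcap in config file, "
                           "defaulting to %u bytes\n",
                           file_name, file_line, FRAG_MEMCAP);
                global_config.memcap = FRAG_MEMCAP;
            }

            /* ok ok, it's really 9.375%, sue me */
            ten_percent = ((global_config.memcap >> 5) +
                           (global_config.memcap >> 6));
#else
            /* Use memcap to calculate prealloc_frag value */
            int memcap;

            if(Frag3GlobalIntArg(stoks, s_toks, &memcap))
            {
                /* also catches negative input, since that is < 16384 */
                if(memcap < 16384)
                {
                    LogMessage("WARNING %s(%d) => Ludicrous (<16k) memcap "
                               "size, setting to default (%d bytes)\n",
                               file_name, file_line, FRAG_MEMCAP);
                    memcap = FRAG_MEMCAP;
                }
            }
            else
            {
                LogMessage("WARNING %s(%d) => Bad memcap in config file, "
                           "defaulting to %u bytes\n",
                           file_name, file_line, FRAG_MEMCAP);
                memcap = FRAG_MEMCAP;
            }

            /* one tracker plus one snaplen-sized payload per preallocated frag */
            global_config.static_frags = (u_int32_t)memcap /
                (sizeof(Frag3Frag) + sizeof(u_int8_t) * snaplen) + 1;
            global_config.use_prealloc = 1;
            ten_percent = global_config.static_frags >> 5;
#endif
        }
        else if(!strcasecmp(stoks[0], "prealloc_frags"))
        {
            if(Frag3GlobalIntArg(stoks, s_toks, &value))
            {
                global_config.static_frags = value;
                global_config.use_prealloc = 1;
                ten_percent = global_config.static_frags >> 5;
            }
            else
            {
                LogMessage("WARNING %s(%d) => Bad prealloc_frags in config "
                           "file, defaulting to dynamic frag management\n",
                           file_name, file_line);
                global_config.static_frags = 0;
            }
        }

        mSplitFree(&stoks, s_toks);
    }

    mSplitFree(&toks, num_toks);
}

/**
 * Config parser for engine context config.
 *
 * Tokens are space separated.  Keywords that take a value consume the token
 * after them ("timeout N", "ttl_limit N", "min_ttl N", "policy NAME",
 * "bind_to LIST"); "detect_anomalies" stands alone.  A missing value is a
 * FatalError for ttl_limit, min_ttl, policy and bind_to, and a logged warning
 * with a default for timeout.  When no bind_to list was given the engine is
 * bound to "any".
 *
 * @param args    List of configuration parameters
 * @param context Engine context to fill in
 *
 * @return none
 */
static void Frag3ParseArgs(u_char *args, Frag3Context *context)
{
    char **toks;
    int num_toks;
    int i;
    char *index;
    int increment;

    if(args == NULL || strlen(args) == 0)
    {
        return;
    }

    toks = mSplit(args, " ", 13, &num_toks, 0);

    /* increment is set in the body before the for-increment uses it:
     * 1 for a bare keyword, 2 when the keyword consumed a value token */
    for(i = 0; i < num_toks; i += increment)
    {
        increment = 1;
        index = toks[i];

        if(!strcasecmp(index, "timeout"))
        {
            if(i+1 < num_toks && isdigit((int)(unsigned char)toks[i+1][0]))
            {
                context->frag_timeout = atoi(toks[i+1]);
                increment = 2;
            }
            else
            {
                LogMessage("WARNING %s(%d) => Bad timeout in config file, "
                           "defaulting to %d seconds\n",
                           file_name, file_line, FRAG_PRUNE_QUANTA);
                context->frag_timeout = FRAG_PRUNE_QUANTA;
            }
        }
        else if(!strcasecmp(index, "ttl_limit"))
        {
            if(i+1 >= num_toks || toks[i+1][0] == '\0')
            {
                FatalError("%s(%d) => ttl_limit requires an integer "
                           "argument\n", file_name,file_line);
            }

            if(isdigit((int)(unsigned char)toks[i+1][0]))
            {
                /* NOTE(review): a TTL fits in 8 bits but the field type is not
                 * visible here -- confirm whether values above 255 truncate */
                context->ttl_limit = atoi(toks[i+1]);
                increment = 2;
            }
            else
            {
                LogMessage("WARNING %s(%d) => Bad TTL Limit"
                           "size, setting to default (%d\n",
                           file_name, file_line, FRAG3_TTL_LIMIT);
                context->ttl_limit = FRAG3_TTL_LIMIT;
            }
        }
        else if(!strcasecmp(index, "min_ttl"))
        {
            if(i+1 >= num_toks || toks[i+1][0] == '\0')
            {
                FatalError("%s(%d) => min_ttl requires an integer "
                           "argument\n", file_name,file_line);
            }

            if(isdigit((int)(unsigned char)toks[i+1][0]))
            {
                /* NOTE(review): same range caveat as ttl_limit above */
                context->min_ttl = atoi(toks[i+1]);
                increment = 2;
            }
            else
            {
                LogMessage("WARNING %s(%d) => Bad Min TTL "
                           "size, setting to default (%d\n",
                           file_name, file_line, FRAG3_MIN_TTL);
                context->min_ttl = FRAG3_MIN_TTL;
            }
        }
        else if(!strcasecmp(index, "detect_anomalies"))
        {
            context->frag3_alerts |= FRAG3_DETECT_ANOMALIES;
        }
        else if(!strcasecmp(index, "policy"))
        {
            if (i+1 >= num_toks)
            {
                FatalError("%s(%d) => policy requires a policy "
                           "identifier argument\n", file_name, file_line);
            }

            if(!strcasecmp(toks[i+1], "bsd"))
            {
                context->frag_policy = FRAG_POLICY_BSD;
            }
            else if(!strcasecmp(toks[i+1], "bsd-right"))
            {
                context->frag_policy = FRAG_POLICY_BSD_RIGHT;
            }
            else if(!strcasecmp(toks[i+1], "linux"))
            {
                context->frag_policy = FRAG_POLICY_LINUX;
            }
            else if(!strcasecmp(toks[i+1], "first"))
            {
                context->frag_policy = FRAG_POLICY_FIRST;
            }
            else if(!strcasecmp(toks[i+1], "windows"))
            {
                context->frag_policy = FRAG_POLICY_WINDOWS;
            }
            else if(!strcasecmp(toks[i+1], "solaris"))
            {
                context->frag_policy = FRAG_POLICY_SOLARIS;
            }
            else if(!strcasecmp(toks[i+1], "last"))
            {
                context->frag_policy = FRAG_POLICY_LAST;
            }
            else
            {
                LogMessage("WARNING %s(%d) => Bad policy name \"%s\""
                           "reverting to FRAG_POLICY_BSD\n",
                           file_name, file_line, toks[i+1]);
                /* previously only the message claimed the revert; make the
                 * context agree with what was logged */
                context->frag_policy = FRAG_POLICY_BSD;
            }
            increment = 2;
        }
        else if(!strcasecmp(index, "bind_to"))
        {
            if (i+1 < num_toks)
            {
                context->bound_addrs = IpAddrSetParse(toks[i+1]);
                increment = 2;
            }
            else
            {
                FatalError("%s(%d) => bind_to requires an IP list or "
                           "CIDR block argument\n", file_name, file_line);
            }
        }
    }

    mSplitFree(&toks, num_toks);

    if(context->bound_addrs == NULL)
    {
        /* allocate and initializes the IpAddrSet at the same time
         * set to "any" */
        context->bound_addrs = (IpAddrSet *) SnortAlloc(sizeof(IpAddrSet));
    }
}

/**
 * Main runtime entry point for Frag3
 *
 *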
@param p Current packet to process. * @param context Context for this defrag engine * * @return none */void Frag3Defrag(Packet *p, void *context){ FRAGKEY fkey; /* fragkey for this packet */ FragTracker *ft; /* FragTracker to process the packet on */ Frag3Context *f3context = (Frag3Context *) context; /* engine context */ int insert_return = 0; /* return value from the insert function */ /* * check to make sure this preprocessor should run */ if( (p == NULL) || !(p->preprocessors & PP_FRAG3) || p->iph == NULL || !p->frag_flag || (p->csum_flags & CSE_IP) || (p->packet_flags & PKT_REBUILT_FRAG)) { return; } /* Ugly HACK -- if frag offset is 0 & UDP, let that packet go * through the rest of the system. This results in the * first packet going through detection. If we do see * the rest of the frags, the contents of that first frag * will go through again with the defrag'd (built) packet. */ if ((p->frag_offset != 0) || (p->iph->ip_proto != IPPROTO_UDP)) { /* * This packet is fragmented, will either be dropped * or payload included in a rebuilt packet later. Don't * process it further. */ p->preprocessors = 0; p->preprocessors |= PP_PORTSCAN2; do_detect = 0; otn_tmp = NULL; }#if 0 /* * fragments with IP options are bad, m'kay? */ if(p->ip_options_len) { EventAnomIpOpts(f3context); f3stats.discards++; return; }#endif /* * pkt's not going to make it to the target, bail */ if(p->iph->ip_ttl < f3context->min_ttl) { LogMessage( "[FRAG3] Fragment discarded due to low TTL " "[0x%X->0x%X], TTL: %d " "Offset: %d Length: %d\n", ntohl(p->iph->ip_src.s_addr), ntohl(p->iph->ip_dst.s_addr), p->iph->ip_ttl, p->frag_offset, p->dsize); f3stats.discards++; return; } /* * Does this engine context handle fragments to this IP address? 
*/ if(!IpAddrSetContains(f3context->bound_addrs, p->iph->ip_dst)) { DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[FRAG3] Fragment ignored, not in IpAddrSet\n");); return; } f3stats.total++; UpdateIPFragStats(&(sfPerf.sfBase), p->pkth->caplen); DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "\n++++++++++++++++++++++++++++++++++++++++++++++\n");); DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[**] [FRAG3] Inspecting fragment...\n");); DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "[FRAG3] Got frag packet (mem use: %ld frag " "trackers: %d p->pkt_flags: 0x%X " "prealloc nodes in use: %lu/%lu)\n", mem_in_use, sfxhash_count(f_cache),