📄 snort_stream5_tcp.c
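"TIME_WAIT", "CLOSED"};
#endif

/* Printable names of the flush policies.
 * NOTE(review): presumably indexed by the STREAM_FLPOLICY_* value; confirm
 * that the order matches the enum. */
static char *flush_policy_names[] = {
    "None",
    "Footprint",
    "Logical",
    "Response",
    "Sliding Window",
    "Consumed",
    "Ignore"
};

static int s5_tcp_cleanup = 0;

/*  F U N C T I O N S  **********************************************/

/*
 * Advance a flush manager to its next flush point.
 *
 * Only the FOOTPRINT and LOGICAL policies use flush points; any other policy
 * leaves the manager untouched.  Without DYNAMIC_RANDOM_FLUSH_POINTS the
 * points come from the per-manager table filled in by InitFlushMgr() and are
 * reused cyclically every RAND_FLUSH_POINTS updates.
 */
static INLINE void UpdateFlushMgr(FlushMgr *mgr)
{
    switch (mgr->flush_policy)
    {
        case STREAM_FLPOLICY_FOOTPRINT:
        case STREAM_FLPOLICY_LOGICAL:
            /* Ideally, we would call rand() each time, but that
             * is a performance headache waiting to happen. */
#ifdef DYNAMIC_RANDOM_FLUSH_POINTS
            /* A zero range would make the modulo undefined (division by
             * zero); fall back to the base value in that case. */
            mgr->flush_pt = mgr->flush_base +
                (mgr->flush_range ? (rand() % mgr->flush_range) : 0);
#else
            mgr->flush_pt = mgr->flush_pts[mgr->flush_pt_index];
            mgr->flush_pt_index = (mgr->flush_pt_index + 1) % RAND_FLUSH_POINTS;
#endif
            break;

        default:
            break;
    }
}

/*
 * Fixed flush points, copied into a manager when use_static is set.
 * All values lie between 128 and 250.
 *
 * Being constant and public, these make every flush boundary predictable.
 * NOTE(review): presumably meant for repeatable testing; confirm before
 * enabling use_static_footprint_sizes on a production sensor.
 */
static u_int32_t static_points[RAND_FLUSH_POINTS] = {
    128, 217, 189, 130, 240, 221, 134, 129,
    250, 232, 141, 131, 144, 177, 201, 130,
    230, 190, 177, 142, 130, 200, 173, 129,
    250, 244, 174, 151, 201, 190, 180, 198,
    220, 201, 142, 185, 219, 129, 194, 140,
    145, 191, 197, 183, 199, 220, 231, 245,
    233, 135, 143, 158, 174, 194, 200, 180,
    201, 142, 153, 187, 173, 199, 143, 201
};

/*
 * Set up a flush manager.
 *
 * mgr        - manager to initialise
 * policy     - STREAM_FLPOLICY_* value to store
 * value      - centre of the flush-point window
 * range      - width of the window; points fall in
 *              [value - range/2, value - range/2 + range)
 * use_static - non-zero: take the points from static_points[] instead of
 *              rand()
 *
 * For the FOOTPRINT and LOGICAL policies the flush-point table is filled
 * (unless DYNAMIC_RANDOM_FLUSH_POINTS is defined) and the first point is
 * selected through UpdateFlushMgr().
 *
 * NOTE(review): flush_base is computed in unsigned arithmetic and wraps if
 * value < range/2; the callers visible in this file pass 192 and 128.
 */
static INLINE void InitFlushMgr(FlushMgr *mgr, u_int32_t policy,
                                u_int32_t value, u_int32_t range,
                                char use_static)
{
    mgr->flush_policy = policy;
    mgr->flush_range = range;
    mgr->flush_base = value - range/2;
    mgr->flush_pt_index = 0;

    if ((policy == STREAM_FLPOLICY_FOOTPRINT) ||
        (policy == STREAM_FLPOLICY_LOGICAL))
    {
#ifndef DYNAMIC_RANDOM_FLUSH_POINTS
        /* Declared here so the dynamic build has no unused variable. */
        u_int32_t i;

        for (i = 0; i < RAND_FLUSH_POINTS; i++)
        {
            if (use_static)
            {
                mgr->flush_pts[i] = static_points[i];
            }
            else
            {
                /* Guard the modulo: a range of 0 would divide by zero. */
                mgr->flush_pts[i] = mgr->flush_base +
                    (mgr->flush_range ? (rand() % mgr->flush_range) : 0);
            }
        }
#endif
        UpdateFlushMgr(mgr);
    }
}

/*
 * One-time initialisation of the TCP part of stream5: session cache, session
 * memory pool, the all-ports "ignore" flush policy template, the flush-point
 * random seed and (with PERF_PROFILING) the profiling counters.
 */
void Stream5InitTcp()
{
    int i;

    if ((tcp_lws_cache == NULL) && s5_global_config.track_tcp_sessions)
    {
        tcp_lws_cache = InitLWSessionCache(s5_global_config.max_tcp_sessions,
                                           30, 5, 0, &TcpSessionCleanup);

        if (!tcp_lws_cache)
        {
            /* Fail-open: the process keeps running with TCP session
             * tracking switched off, and this log line is the only signal.
             * Operators should alert on it, since TCP stream inspection is
             * silently absent afterwards. */
            LogMessage("Unable to init stream5 TCP session cache, no TCP "
                       "stream inspection!\n");
            s5_global_config.track_tcp_sessions = 0;
            s5_global_config.max_tcp_sessions = 0;
            return;
        }

        /* NOTE(review): the result of mempool_init() is not checked here;
         * confirm how it reports an allocation failure. */
        mempool_init(&tcp_session_mempool,
                     s5_global_config.max_tcp_sessions, sizeof(TcpSession));
    }

    /* Default is to ignore, for all ports */
    for (i = 0; i < MAX_PORTS; i++)
    {
        ignore_flush_policy[i].client.flush_policy = STREAM_FLPOLICY_IGNORE;
        ignore_flush_policy[i].server.flush_policy = STREAM_FLPOLICY_IGNORE;
    }

    /* Seed the flushpoint random generator */
    /* NOTE(review): the seed is a compile-time constant plus the start time
     * in seconds, so the rand() sequence, and with it every "random" flush
     * point, is reproducible by anyone who knows roughly when the sensor
     * started.  If unpredictable flush boundaries are relied on as a defence,
     * seed from an OS entropy source instead. */
    srand( (unsigned int) sizeof(default_ports) + (unsigned int) time(NULL) );

    s5_mem_in_use = 0;

#ifdef PERF_PROFILING
    RegisterPreprocessorProfile("s5TcpNewSess", &s5TcpNewSessPerfStats, 2, &s5TcpPerfStats);
    RegisterPreprocessorProfile("s5TcpState", &s5TcpStatePerfStats, 2, &s5TcpPerfStats);
    RegisterPreprocessorProfile("s5TcpData", &s5TcpDataPerfStats, 3, &s5TcpStatePerfStats);
    RegisterPreprocessorProfile("s5TcpPktInsert", &s5TcpInsertPerfStats, 4, &s5TcpDataPerfStats);
    RegisterPreprocessorProfile("s5TcpFlush", &s5TcpFlushPerfStats, 3, &s5TcpStatePerfStats);
    RegisterPreprocessorProfile("s5TcpBuildPacket", &s5TcpBuildPacketPerfStats, 4, &s5TcpFlushPerfStats);
    RegisterPreprocessorProfile("s5TcpProcessRebuilt", &s5TcpProcessRebuiltPerfStats, 4, &s5TcpFlushPerfStats);
#endif

    return;
}

/*
 * Create one TCP policy from a configuration argument string and append it
 * to tcpPolicyList.
 *
 * args - option string handed to Stream5ParseTcpArgs(); may be NULL or empty,
 *        in which case only the defaults apply.
 *
 * NOTE(review): none of the SnortAlloc() results is checked here; presumably
 * SnortAlloc() does not return on failure.  Confirm.
 */
void Stream5TcpPolicyInit(u_char *args)
{
    Stream5TcpPolicy *s5TcpPolicy;

    s5TcpPolicy = (Stream5TcpPolicy *) SnortAlloc(sizeof(Stream5TcpPolicy));

    /* NOTE(review): the "bind_to" handler in Stream5ParseTcpArgs() assigns a
     * new set to bound_addrs without releasing this one, so this allocation
     * is lost whenever bind_to is configured. */
    s5TcpPolicy->bound_addrs = (IpAddrSet *) SnortAlloc(sizeof(IpAddrSet));

    /* Initialize flush policy to Ignore */
    memcpy(&s5TcpPolicy->flush_policy, ignore_flush_policy,
           sizeof(FlushPolicy) * MAX_PORTS);

    Stream5ParseTcpArgs(args, s5TcpPolicy);

    /* Now add this context to the internal list */
    if (tcpPolicyList == NULL)
    {
        numTcpPolicies = 1;
        tcpPolicyList = (Stream5TcpPolicy **)
            SnortAlloc(sizeof (Stream5TcpPolicy *) * numTcpPolicies);
    }
    else
    {
        /* Grow by one slot: copy the old pointers into a larger array and
         * release the old array. */
        Stream5TcpPolicy **tmpPolicyList = (Stream5TcpPolicy **)
            SnortAlloc(sizeof (Stream5TcpPolicy *) * (++numTcpPolicies));

        memcpy(tmpPolicyList, tcpPolicyList,
               sizeof(Stream5TcpPolicy *) * (numTcpPolicies-1));
        free(tcpPolicyList);

        tcpPolicyList = tmpPolicyList;
    }

    tcpPolicyList[numTcpPolicies-1] = s5TcpPolicy;

    Stream5PrintTcpConfig(s5TcpPolicy);

    return;
}

/*
 * Parse the comma-separated option string of one TCP policy into
 * s5TcpPolicy, after loading the defaults set at the top of the function.
 *
 * This listing is cut off inside the "ports" handler, so the rest of the
 * function, including any release of the mSplit() results, is not visible
 * here.  The code below is reproduced unchanged; only comments were added.
 *
 * NOTE(review): numeric options are rejected only when strtoul() consumes no
 * digits at all.  Trailing characters and out-of-range values are accepted,
 * so a typo can silently configure a different value than the operator wrote.
 */
static void Stream5ParseTcpArgs(u_char *args, Stream5TcpPolicy *s5TcpPolicy)
{
    char **toks;
    int num_toks;
    int i;
    char *index;
    char **stoks = NULL;
    int s_toks;
    char *endPtr;
    char use_static = 0;
    char set_flush_policy = 0;
    int reassembly_direction = SSN_DIR_CLIENT;

    s5TcpPolicy->reassembly_policy = REASSEMBLY_POLICY_BSD;
    s5TcpPolicy->session_timeout = S5_DEFAULT_SSN_TIMEOUT;
    //s5TcpPolicy->ttl_delta_limit = S5_DEFAULT_TTL_LIMIT;
    s5TcpPolicy->min_ttl = S5_DEFAULT_MIN_TTL;
    s5TcpPolicy->max_window = 0;

    s5TcpPolicy->flags = 0;
    s5TcpPolicy->flags |= STREAM5_CONFIG_STATEFUL_INSPECTION;
    //s5TcpPolicy->flags |= STREAM5_CONFIG_ENABLE_ALERTS;
    s5TcpPolicy->flags |= STREAM5_CONFIG_REASS_CLIENT;

    if(args != NULL && strlen(args) != 0)
    {
        toks = mSplit(args, ",", 6, &num_toks, 0);

        i=0;

        while(i < num_toks)
        {
            index = toks[i];

            while(isspace((int)*index)) index++;

            stoks = mSplit(index, " ", 3, &s_toks, 0);

            if(!strcasecmp(stoks[0], "timeout"))
            {
                if(stoks[1])
                {
                    s5TcpPolicy->session_timeout = strtoul(stoks[1], &endPtr, 10);
                }

                if (!stoks[1] || (endPtr == &stoks[1][0]))
                {
                    FatalError("%s(%d) => Invalid timeout in config file. Integer parameter required.\n", file_name, file_line);
                }
            }
#if 0
            else if(!strcasecmp(stoks[0], "ttl_limit"))
            {
                if(stoks[1])
                {
                    s5TcpPolicy->ttl_delta_limit = strtoul(stoks[1], &endPtr, 10);
                }

                if (!stoks[1] || (endPtr == &stoks[1][0]))
                {
                    FatalError("%s(%d) => Invalid TTL Limit in config file. Integer parameter required\n", file_name, file_line);
                }
            }
#endif
            else if(!strcasecmp(stoks[0], "min_ttl"))
            {
                if(stoks[1])
                {
                    /* NOTE(review): the cast keeps only the low 8 bits, so a
                     * value such as 256 is stored as 0 without any error. */
                    s5TcpPolicy->min_ttl = (u_int8_t)strtoul(stoks[1], &endPtr, 10);
                }

                if (!stoks[1] || (endPtr == &stoks[1][0]))
                {
                    FatalError("%s(%d) => Invalid min TTL in config file. Integer parameter required\n", file_name, file_line);
                }
            }
            else if(!strcasecmp(stoks[0], "overlap_limit"))
            {
                if(stoks[1])
                {
                    /* NOTE(review): same silent 8-bit truncation as min_ttl. */
                    s5TcpPolicy->overlap_limit = (u_int8_t)strtoul(stoks[1], &endPtr, 10);
                }

                if (!stoks[1] || (endPtr == &stoks[1][0]))
                {
                    FatalError("%s(%d) => Invalid overlap limit in config file. Integer parameter required\n", file_name, file_line);
                }
            }
            else if(!strcasecmp(stoks[0], "detect_anomalies"))
            {
                s5TcpPolicy->flags |= STREAM5_CONFIG_ENABLE_ALERTS;
            }
            else if(!strcasecmp(stoks[0], "policy"))
            {
                /* NOTE(review): stoks[1] is used without the NULL check the
                 * numeric options perform; a bare "policy" with no name
                 * would presumably reach strcasecmp() with NULL.  Confirm
                 * against mSplit(). */
                if(!strcasecmp(stoks[1], "bsd"))
                {
                    s5TcpPolicy->policy = STREAM_POLICY_BSD;
                    s5TcpPolicy->reassembly_policy = REASSEMBLY_POLICY_BSD;
                }
                else if(!strcasecmp(stoks[1], "old-linux"))
                {
                    s5TcpPolicy->policy = STREAM_POLICY_OLD_LINUX;
                    s5TcpPolicy->reassembly_policy = REASSEMBLY_POLICY_OLD_LINUX;
                }
                else if(!strcasecmp(stoks[1], "linux"))
                {
                    s5TcpPolicy->policy = STREAM_POLICY_LINUX;
                    s5TcpPolicy->reassembly_policy = REASSEMBLY_POLICY_LINUX;
                }
                else if(!strcasecmp(stoks[1], "first"))
                {
                    s5TcpPolicy->policy = STREAM_POLICY_FIRST;
                    s5TcpPolicy->reassembly_policy = REASSEMBLY_POLICY_FIRST;
                }
                else if(!strcasecmp(stoks[1], "last"))
                {
                    s5TcpPolicy->policy = STREAM_POLICY_LAST;
                    s5TcpPolicy->reassembly_policy = REASSEMBLY_POLICY_LAST;
                }
                else if(!strcasecmp(stoks[1], "windows"))
                {
                    s5TcpPolicy->policy = STREAM_POLICY_WINDOWS;
                    s5TcpPolicy->reassembly_policy = REASSEMBLY_POLICY_WINDOWS;
                }
                else if(!strcasecmp(stoks[1], "solaris"))
                {
                    s5TcpPolicy->policy = STREAM_POLICY_SOLARIS;
                    s5TcpPolicy->reassembly_policy = REASSEMBLY_POLICY_SOLARIS;
                }
                else if(!strcasecmp(stoks[1], "hpux"))
                {
                    s5TcpPolicy->policy = STREAM_POLICY_HPUX;
                    s5TcpPolicy->reassembly_policy = REASSEMBLY_POLICY_HPUX;
                }
                else if(!strcasecmp(stoks[1], "irix"))
                {
                    s5TcpPolicy->policy = STREAM_POLICY_IRIX;
                    s5TcpPolicy->reassembly_policy = REASSEMBLY_POLICY_IRIX;
                }
                else if(!strcasecmp(stoks[1], "macos") ||
                        !strcasecmp(stoks[1], "grannysmith"))
                {
                    s5TcpPolicy->policy = STREAM_POLICY_MACOS;
                    /* MacOS follows BSD reassembly */
                    s5TcpPolicy->reassembly_policy = REASSEMBLY_POLICY_MACOS;
                }
                else
                {
                    FatalError("%s(%d) => Bad policy name \"%s\"\n",
                               file_name, file_line, stoks[1]);
                }
            }
            else if(!strcasecmp(stoks[0], "require_3whs"))
            {
                s5TcpPolicy->flags |= STREAM5_CONFIG_REQUIRE_3WHS;

                if (s_toks > 1)
                {
                    s5TcpPolicy->hs_timeout = strtoul(stoks[1], &endPtr, 10);
                }

                if ((s_toks > 1) && (endPtr == &stoks[1][0]))
                {
                    FatalError("%s(%d) => Invalid 3Way Handshake allowable. Integer parameter required.\n", file_name, file_line);
                }
            }
            else if(!strcasecmp(stoks[0], "bind_to"))
            {
                /* NOTE(review): stoks[1] is passed on unchecked, and the set
                 * that bound_addrs pointed to before is not released. */
                s5TcpPolicy->bound_addrs = IpAddrSetParse(stoks[1]);
            }
            else if(!strcasecmp(stoks[0], "max_window"))
            {
                if(stoks[1])
                {
                    s5TcpPolicy->max_window = strtoul(stoks[1], &endPtr, 10);
                }

                if (!stoks[1] || (endPtr == &stoks[1][0]))
                {
                    FatalError("%s(%d) => Invalid Max Window size. Integer parameter required.\n", file_name, file_line);
                }
            }
            else if(!strcasecmp(stoks[0], "use_static_footprint_sizes"))
            {
                s5TcpPolicy->flags |= STREAM5_CONFIG_STATIC_FLUSHPOINTS;
                /* Order-dependent: only "ports" options parsed after this
                 * one see use_static set. */
                use_static = 1;
            }
            else if(!strcasecmp(stoks[0], "dont_store_large_packets"))
            {
                s5TcpPolicy->flags |= STREAM5_CONFIG_PERFORMANCE;
            }
            else if (!strcasecmp(stoks[0], "ports"))
            {
                if (s_toks > 1)
                {
                    if(!strcasecmp(stoks[1], "client"))
                    {
                        reassembly_direction = SSN_DIR_CLIENT;
                    }
                    else if(!strcasecmp(stoks[1], "server"))
                    {
                        reassembly_direction = SSN_DIR_SERVER;
                    }
                    else
                    {
                        /* Any other word, not just "both", selects both
                         * directions. */
                        reassembly_direction = SSN_DIR_BOTH;
                    }
                }

                if (s_toks > 2)
                {
                    char **ptoks;
                    int num_ptoks;
                    int j;
                    unsigned short port = 0;

                    if (!strcasecmp(stoks[2], "all"))
                    {
                        for (j=0; j<MAX_PORTS; j++)
                        {
                            if (reassembly_direction & SSN_DIR_CLIENT)
                            {
                                FlushMgr *flush_mgr = &s5TcpPolicy->flush_policy[j].client;
                                InitFlushMgr(flush_mgr, STREAM_FLPOLICY_FOOTPRINT, 192, 128, use_static);
                            }
                            if (reassembly_direction & SSN_DIR_SERVER)
                            {
                                FlushMgr *flush_mgr = &s5TcpPolicy->flush_policy[j].server;
                                InitFlushMgr(flush_mgr, STREAM_FLPOLICY_FOOTPRINT, 192, 128, use_static);
                            }
                        }
                    }
                    else
                    {
                        ptoks = mSplit(stoks[2], " ", MAX_PORTS, &num_ptoks, 0);

                        for (j=0;j<num_ptoks;j++)
                        {
                            if (ptoks[j])
                            {
                                /* NOTE(review): the cast wraps values above
                                 * 65535; a range check, if there is one, lies
                                 * beyond the visible part of the listing. */
                                port = (unsigned short)strtoul(ptoks[j], &endPtr, 10);
                            }

                            if (!ptoks[j] || (endPtr == &ptoks[j][0]))
                            {
                                FatalError("%s(%d) => Invalid Port list. Integer parameter required.\n",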