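}

/**
 * Print out a Frag3Frag structure
 *
 * @param f Pointer to the Frag3Frag to print; NULL prints only the
 *          header line
 *
 * @return none
 */
static void PrintFrag3Frag(Frag3Frag *f)
{
    LogMessage("Frag3Frag: %p\n", f);

    if(f)
    {
        LogMessage(" data: %p\n", f->data);
        LogMessage(" size: %d\n", f->size);
        LogMessage(" offset: %d\n", f->offset);
        LogMessage(" fptr: %p\n", f->fptr);
        LogMessage(" flen: %d\n", f->flen);
        LogMessage(" prev: %p\n", f->prev);
        LogMessage(" next: %p\n", f->next);
    }
}
#endif /* DEBUG_FRAG3 */

/**
 * Print out the global runtime configuration
 *
 * Exactly one of the memory cap or the preallocated node count is shown,
 * depending on which memory management mode was selected.
 *
 * @param None
 *
 * @return none
 */
static void Frag3PrintGlobalConfig()
{
    LogMessage("Frag3 global config:\n");
    LogMessage(" Max frags: %d\n", global_config.max_frags);

    if(!global_config.use_prealloc)
    {
        LogMessage(" Fragment memory cap: %lu bytes\n",
                   (unsigned long)global_config.memcap);
    }
    else
    {
        /* %lu requires an unsigned long argument; cast exactly as is done
         * for memcap above so the format matches whatever width the field
         * is declared with */
        LogMessage(" Preallocated frag nodes: %lu\n",
                   (unsigned long)global_config.static_frags);
    }
}

/**
 * Print out a defrag engine runtime context
 *
 * @param context Pointer to the context structure to print
 *
 * @return none
 */
static void Frag3PrintEngineConfig(Frag3Context *context)
{
    LogMessage("Frag3 engine config:\n");
    /* frag_policy is used directly as an index into policy_names;
     * presumably the argument parser only stores in-range values -- confirm */
    LogMessage(" Target-based policy: %s\n", policy_names[context->frag_policy]);
    LogMessage(" Fragment timeout: %d seconds\n", context->frag_timeout);
    LogMessage(" Fragment min_ttl: %d\n", context->min_ttl);
    LogMessage(" Fragment ttl_limit: %d\n", context->ttl_limit);
    LogMessage(" Fragment Problems: %X\n", context->frag3_alerts);
    IpAddrSetPrint(" Bound Addresses: ", context->bound_addrs);
}

/**
 * Generate an event due to IP options being detected in a frag packet
 *
 * Only fires when the FRAG3_DETECT_ANOMALIES bit is set in the context's
 * alert flags.  Counts as an alert but not as an anomaly in f3stats.
 *
 * @param context Current run context
 *
 * @return none
 */
static INLINE void EventAnomIpOpts(Frag3Context *context)
{
    if(context->frag3_alerts & FRAG3_DETECT_ANOMALIES)
    {
        SnortEventqAdd(GENERATOR_SPP_FRAG3,   /* GID */
                       FRAG3_IPOPTIONS,       /* SID */
                       1,                     /* rev */
                       0,                     /* classification enum */
                       3,                     /* priority (low) */
                       FRAG3_IPOPTIONS_STR,   /* event message */
                       NULL);                 /* rule info ptr */

        f3stats.alerts++;
    }
}

/**
 * Generate an event due to a Teardrop-style attack detected in a frag packet
 *
 * Only fires when the FRAG3_DETECT_ANOMALIES bit is set in the context's
 * alert flags.  Counts as an alert but not as an anomaly in f3stats.
 *
 * @param context Current run context
 *
 * @return none
 */
static INLINE void EventAttackTeardrop(Frag3Context *context)
{
    if(context->frag3_alerts & FRAG3_DETECT_ANOMALIES)
    {
        SnortEventqAdd(GENERATOR_SPP_FRAG3,   /* GID */
                       FRAG3_TEARDROP,        /* SID */
                       1,                     /* rev */
                       0,                     /* classification enum */
                       3,                     /* priority (low) */
                       FRAG3_TEARDROP_STR,    /* event message */
                       NULL);                 /* rule info ptr */

        f3stats.alerts++;
    }
}

/**
 * Generate an event due to a fragment being too short, typically based
 * on a non-last fragment that doesn't properly end on an 8-byte boundary
 *
 * Only fires when the FRAG3_DETECT_ANOMALIES bit is set in the context's
 * alert flags.  Counts as both an alert and an anomaly in f3stats.
 *
 * @param context Current run context
 *
 * @return none
 */
static INLINE void EventAnomShortFrag(Frag3Context *context)
{
    if(context->frag3_alerts & FRAG3_DETECT_ANOMALIES)
    {
        SnortEventqAdd(GENERATOR_SPP_FRAG3,   /* GID */
                       FRAG3_SHORT_FRAG,      /* SID */
                       1,                     /* rev */
                       0,                     /* classification enum */
                       3,                     /* priority (low) */
                       FRAG3_SHORT_FRAG_STR,  /* event message */
                       NULL);                 /* rule info ptr */

        f3stats.alerts++;
        f3stats.anomalies++;
    }
}

/**
 * This fragment's size will end after the already calculated reassembled
 * fragment end, as in a Bonk/Boink/etc attack.
 *
 * Only fires when the FRAG3_DETECT_ANOMALIES bit is set in the context's
 * alert flags.  Counts as both an alert and an anomaly in f3stats.
 *
 * @param context Current run context
 *
 * @return none
 */
static INLINE void EventAnomOversize(Frag3Context *context)
{
    if(context->frag3_alerts & FRAG3_DETECT_ANOMALIES)
    {
        SnortEventqAdd(GENERATOR_SPP_FRAG3,        /* GID */
                       FRAG3_ANOMALY_OVERSIZE,     /* SID */
                       1,                          /* rev */
                       0,                          /* classification enum */
                       3,                          /* priority (low) */
                       FRAG3_ANOM_OVERSIZE_STR,    /* event message */
                       NULL);                      /* rule info ptr */

        f3stats.alerts++;
        f3stats.anomalies++;
    }
}

/**
 * The current fragment will be inserted with a size of 0 bytes, that's
 * an anomaly if I've ever seen one.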
 *
 * Only fires when the FRAG3_DETECT_ANOMALIES bit is set in the context's
 * alert flags.  Counts as both an alert and an anomaly in f3stats.
 *
 * @param context Current run context
 *
 * @return none
 */
static INLINE void EventAnomZeroFrag(Frag3Context *context)
{
    if(context->frag3_alerts & FRAG3_DETECT_ANOMALIES)
    {
        SnortEventqAdd(GENERATOR_SPP_FRAG3,     /* GID */
                       FRAG3_ANOMALY_ZERO,      /* SID */
                       1,                       /* rev */
                       0,                       /* classification enum */
                       3,                       /* priority (low) */
                       FRAG3_ANOM_ZERO_STR,     /* event message */
                       NULL);                   /* rule info ptr */

        f3stats.alerts++;
        f3stats.anomalies++;
    }
}

/**
 * The reassembled packet will be bigger than 64k, generate an event.
 *
 * Only fires when the FRAG3_DETECT_ANOMALIES bit is set in the context's
 * alert flags.  Counts as both an alert and an anomaly in f3stats.
 *
 * @param context Current run context
 *
 * @return none
 */
static INLINE void EventAnomBadsizeLg(Frag3Context *context)
{
    if(context->frag3_alerts & FRAG3_DETECT_ANOMALIES)
    {
        SnortEventqAdd(GENERATOR_SPP_FRAG3,          /* GID */
                       FRAG3_ANOMALY_BADSIZE_LG,     /* SID */
                       1,                            /* rev */
                       0,                            /* classification enum */
                       3,                            /* priority (low) */
                       FRAG3_ANOM_BADSIZE_LG_STR,    /* event message */
                       NULL);                        /* rule info ptr */

        f3stats.alerts++;
        f3stats.anomalies++;
    }
}

/**
 * Fragment size is negative after insertion (end < offset).
 *
 * Only fires when the FRAG3_DETECT_ANOMALIES bit is set in the context's
 * alert flags.  Counts as both an alert and an anomaly in f3stats.
 *
 * @param context Current run context
 *
 * @return none
 */
static INLINE void EventAnomBadsizeSm(Frag3Context *context)
{
    if(context->frag3_alerts & FRAG3_DETECT_ANOMALIES)
    {
        SnortEventqAdd(GENERATOR_SPP_FRAG3,          /* GID */
                       FRAG3_ANOMALY_BADSIZE_SM,     /* SID */
                       1,                            /* rev */
                       0,                            /* classification enum */
                       3,                            /* priority (low) */
                       FRAG3_ANOM_BADSIZE_SM_STR,    /* event message */
                       NULL);                        /* rule info ptr */

        f3stats.alerts++;
        f3stats.anomalies++;
    }
}

/**
 * There is an overlap with this fragment, someone is probably being naughty.
 *
 * Only fires when the FRAG3_DETECT_ANOMALIES bit is set in the context's
 * alert flags.  Counts as both an alert and an anomaly in f3stats.
 *
 * @param context Current run context
 *
 * @return none
 */
static INLINE void EventAnomOverlap(Frag3Context *context)
{
    if(context->frag3_alerts & FRAG3_DETECT_ANOMALIES)
    {
        SnortEventqAdd(GENERATOR_SPP_FRAG3,     /* GID */
                       FRAG3_ANOMALY_OVLP,      /* SID */
                       1,                       /* rev */
                       0,                       /* classification enum */
                       3,                       /* priority (low) */
                       FRAG3_ANOM_OVLP_STR,     /* event message */
                       NULL);                   /* rule info ptr */

        f3stats.alerts++;
        f3stats.anomalies++;
    }
}

/**
 * Main setup function to register frag3 with the rest of Snort.
 *
 * Registers the "frag3_global" and "frag3_engine" preprocessor keywords
 * with their respective init handlers.
 *
 * @param none
 *
 * @return none
 */
void SetupFrag3()
{
    RegisterPreprocessor("frag3_global", Frag3GlobalInit);
    RegisterPreprocessor("frag3_engine", Frag3Init);

    DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "Preprocessor: frag3 is setup...\n"););
}

/**
 * Global init function, handles setting up the runtime hash table and
 * memory management mode.
 *
 * Defaults are installed first and then overridden by Frag3ParseGlobalArgs.
 * The fragment cache (f_cache) is created only once, regardless of how many
 * engine contexts are later configured.  If the cache cannot be created the
 * function logs a warning and returns without marking the global config as
 * complete, which leaves defragmentation disabled.
 *
 * @param args argument string to process for config data
 *
 * @return none
 */
void Frag3GlobalInit(u_char *args)
{
    /* defaults, possibly overridden by the user's argument string */
    global_config.max_frags = DEFAULT_MAX_FRAGS;
    global_config.memcap = FRAG_MEMCAP;
    global_config.static_frags = 0;
    global_config.use_prealloc = 0;

    Frag3ParseGlobalArgs(args);

    /* one cache serves every engine context; only build it the first time */
    if(f_cache == NULL)
    {
        /* NOTE(review): these sizes are accumulated in int; a very large
         * max_frags could wrap before reaching sfxhash_new -- confirm that
         * Frag3ParseGlobalArgs bounds the value */
        int bucket_count = (int) (global_config.max_frags * 1.4);
        int tracker_mem = global_config.max_frags *
                          ( sizeof(FragTracker) + sizeof(SFXHASH_NODE) +
                            sizeof (FRAGKEY) + sizeof(SFXHASH_NODE *));
        int table_mem = (bucket_count + 1) * sizeof(SFXHASH_NODE *);
        int cache_memcap = tracker_mem + table_mem;

        f_cache = sfxhash_new(bucket_count,         /* number of hash buckets */
                              sizeof(FRAGKEY),      /* size of the key we're going to use */
                              sizeof(FragTracker),  /* size of the storage node */
                              cache_memcap,         /* memcap for frag trackers */
                              1,                    /* use auto node recovery */
                              Frag3AutoFree,        /* anr free function */
                              Frag3UserFree,        /* user free function */
                              1);                   /* recycle node flag */
    }

    /* nothing else can work without the cache */
    if(!f_cache)
    {
        LogMessage("WARNING: Unable to generate new sfxhash for frag3, "
                   "defragmentation disabled!\n");
        return;
    }

    /* preallocation mode: build the node pool up front, one snaplen-sized
     * data buffer per node */
    if(global_config.static_frags)
    {
        unsigned int idx;

        for(idx = 0; idx < global_config.static_frags; idx++)
        {
            Frag3Frag *node = (Frag3Frag *) SnortAlloc(sizeof(Frag3Frag));
            node->fptr = (u_int8_t *) SnortAlloc(sizeof(u_int8_t) * snaplen);
            Frag3PreallocPush(node);
        }

        prealloc_nodes_in_use = 0;
    }

    /* the reassembly pseudopacket is allocated once and reused */
    defrag_pkt = (Packet *)SnortAlloc(sizeof(Packet));
    Frag3InitPkt();

    /* engine contexts check this flag before configuring themselves */
    global_init_complete = 1;

    Frag3PrintGlobalConfig();
}

/**
 * Setup a frag3 engine context
 *
 * @param args list of configuration arguments
 *
 * @return none
 */
void Frag3Init(u_char *args)
{
    PreprocessFuncNode *pfn; /* place to attach the runtime context */
    Frag3Context *context; /* context pointer */

    DEBUG_WRAP(DebugMessage(DEBUG_FRAG, "Initializing frag3\n"););

    /* NOTE(review): allocated before the global-config check below; the
     * early-return path does not release it */
    context = (Frag3Context *) SnortAlloc(sizeof(Frag3Context));

    if(!global_init_complete)
    {
        LogMessage("[!] 
WARNING: Unable to configure frag3 engine!\n" "Frag3 global config has not been established, " "please issue a \"preprocessor frag3_global\" directive\n"); return; } /* * setup default context config. Thinking maybe we should go with * FRAG_POLICY_FIRST or FRAG_POLICY_LINUX as the default instead of * BSD since Win32/Linux have a higher incidence of occurrence. Anyone * with an opinion on the matter feel free to email me... */ context->frag_policy = FRAG_POLICY_BSD; context->frag_timeout = FRAG_PRUNE_QUANTA; /* 60 seconds */ context->ttl_limit = FRAG3_TTL_LIMIT; context->min_ttl = FRAG3_MIN_TTL; context->frag3_alerts = 0; /* * the IpAddrSet struct is initialized in Frag3ParseArgs */ context->bound_addrs = NULL; /* * parse the configuration for this engine */ Frag3ParseArgs(args, context); /* * get me a preprocessor func node to attach the context */ pfn = AddFuncToPreprocList(Frag3Defrag);