sftarget_reader.c

著名的入侵检测系统snort的最新版本的源码

        if (app->fields & APPLICATION_ENTRY_APPLICATION)
        {
            DebugMessage(DEBUG_ATTRIBUTE, "\t\tApplication: %s(%d)\n",
                app->application.value.s_value,
                app->application.confidence);

            if (app->fields & APPLICATION_ENTRY_VERSION)
                DebugMessage(DEBUG_ATTRIBUTE, "\t\tVersion: %s(%d)\n",
                    app->version.value.s_value,
                    app->version.confidence);
        }
    }
    if (i==0)
    {
        DebugMessage(DEBUG_ATTRIBUTE, "\t\tNone\n");
    }
}
#endif

int SFAT_AddHostEntryToMap()
{
    HostAttributeEntry *host = current_host;
    int ret;
    u_int32_t ipAddr;

    SFAT_CHECKHOST;

    DEBUG_WRAP(PrintHostAttributeEntry(host););

    ipAddr = host->ipAddr;

    ret = sfrt_insert(&ipAddr, host->bits, host,
                        RT_FAVOR_SPECIFIC, attribute_lookup_table_tmp);

    if (ret != RT_SUCCESS)
    {
        if (ret == RT_POLICY_TABLE_EXCEEDED)
        {
            SnortSnprintf(sfat_error_message, STD_BUF,
                "AttributeTable insertion failed: %d Insufficient "
                "space in attribute table, only configured to store %d hosts\n",
                ret, pv.max_attribute_hosts);
            sfat_grammar_error_printed = 1;
        }
        else
        {
            SnortSnprintf(sfat_error_message, STD_BUF,
                "AttributeTable insertion failed: %d '%s'\n",
                ret, rt_error_messages[ret]);
            sfat_grammar_error_printed = 1;
        }
    }

    current_host = NULL;

    return ret == RT_SUCCESS ? SFAT_OK : SFAT_ERROR;
}

HostAttributeEntry *SFAT_LookupHostEntryByIp4Addr(u_int32_t ipAddr)
{
    HostAttributeEntry *host = NULL;

    host = sfrt_lookup(&ipAddr, attribute_lookup_table);

    if (host)
    {
        /* Set the policy values for Frag & Stream if not already set */
        //TODO: SetTargetBasedPolicy(host);
    }

    return host;
}

HostAttributeEntry *SFAT_LookupHostEntryBySrc(Packet *p)
{
    u_int32_t ipAddr;

    if (!p || !p->iph)
        return NULL;

    ipAddr = ntohl(p->iph->ip_src.s_addr);

    return SFAT_LookupHostEntryByIp4Addr(ipAddr);
}

HostAttributeEntry *SFAT_LookupHostEntryByDst(Packet *p)
{
    u_int32_t ipAddr;

    if (!p || !p->iph)
        return NULL;

    ipAddr = ntohl(p->iph->ip_dst.s_addr);

    return SFAT_LookupHostEntryByIp4Addr(ipAddr);
}

static GetPolicyIdFunc updatePolicyCallback;
static GetPolicyIdsCallbackList *updatePolicyCallbackList = NULL;
void SFAT_SetPolicyCallback(void *host_attr_ent)
{
    HostAttributeEntry *host_entry = (HostAttributeEntry*)host_attr_ent;

    if (!host_entry)
        return;

    updatePolicyCallback(host_entry);

    return;
}

void SFAT_SetPolicyIds(GetPolicyIdFunc policyCallback)
{
    GetPolicyIdsCallbackList *list_entry, *new_list_entry = NULL;
    updatePolicyCallback = policyCallback;

    sfrt_iterate(attribute_lookup_table, SFAT_SetPolicyCallback);

    if (!updatePolicyCallbackList)
    {
        /* No list present, so no attribute table... bye-bye */
        return;
    }

    /* Look for this callback in the list */
    list_entry = updatePolicyCallbackList;
    while (list_entry)
    {
        if (list_entry->policyCallback == policyCallback)
            return; /* We're done with this one */

        if (list_entry->next)
        {
            list_entry = list_entry->next;
        }
        else
        {
            /* Leave list_entry pointint to last node in list */
            break;
        }
    }

    /* Wasn't there, add it so that when we reload the table,
     * we can set those policy entries on reload. */
    new_list_entry = (GetPolicyIdsCallbackList *)SnortAlloc(sizeof(GetPolicyIdsCallbackList));
    new_list_entry->policyCallback = policyCallback;
    if (list_entry)
    {
        /* list_entry is valid here since there was at least an
         * empty head entry in the list. */
        list_entry->next = new_list_entry;
    }
}

void SFAT_CleanupCallback(void *host_attr_ent)
{
    HostAttributeEntry *host_entry = (HostAttributeEntry*)host_attr_ent;
    FreeHostEntry(host_entry);
}

void SFAT_Cleanup()
{
    if (attribute_map_table)
    {
        sfxhash_delete(attribute_map_table);
        attribute_map_table = NULL;
    }

    if (attribute_map_table_old)
    {
        sfxhash_delete(attribute_map_table_old);
        attribute_map_table_old = NULL;
    }

    if (attribute_map_table_tmp)
    {
        sfxhash_delete(attribute_map_table_tmp);
        attribute_map_table_tmp = NULL;
    }

    if (attribute_lookup_table)
    {
        sfrt_cleanup(attribute_lookup_table, SFAT_CleanupCallback);
        sfrt_free(attribute_lookup_table);
        attribute_lookup_table = NULL;
    }

    if (attribute_lookup_table_old)
    {
        sfrt_cleanup(attribute_lookup_table_old, SFAT_CleanupCallback);
        sfrt_free(attribute_lookup_table_old);
        attribute_lookup_table_old = NULL;
    }

    if (attribute_lookup_table_tmp)
    {
        sfrt_cleanup(attribute_lookup_table_tmp, SFAT_CleanupCallback);
        sfrt_free(attribute_lookup_table_tmp);
        attribute_lookup_table_tmp = NULL;
    }
}

#define set_attribute_table_flag(flag) \
    pv.reload_attribute_table_flags |= flag;
#define clear_attribute_table_flag(flag) \
    pv.reload_attribute_table_flags &= ~flag;
#define check_attribute_table_flag(flag) \
    (pv.reload_attribute_table_flags & flag)

static void SigAttributeTableReloadHandler(int signal)
{
    LogMessage("AttrReloadThread: Got reload signal.\n");
    /* If we're already reloading, don't do anything. */
    if (check_attribute_table_flag(ATTRIBUTE_TABLE_RELOADING_FLAG))
        return;

    /* Set flag to reload attribute table */
    set_attribute_table_flag(ATTRIBUTE_TABLE_RELOAD_FLAG);
}

void SFAT_VTAlrmHandler(int signal)
{
    /* Do nothing, just used to wake the sleeping dog... */
    return;
}

extern char *sfat_saved_file;
void *SFAT_ReloadAttributeTableThread(void *arg)
{
#ifndef WIN32
    sigset_t mtmask, oldmask;
    int ret;
    int reloads = 0;

    sigemptyset(&mtmask);
    pv.attribute_reload_thread_pid = getpid();

    /* Get the current set of signals inherited from main thread.*/
    pthread_sigmask(SIG_UNBLOCK, &mtmask, &oldmask);

    /* Now block those signals from being delivered to this thread.
     * now Main receives all signals. */
    pthread_sigmask(SIG_BLOCK, &oldmask, NULL);

    /* And allow SIGVTALRM through */
    signal (SIGVTALRM, SFAT_VTAlrmHandler);  if(errno!=0) errno=0;
    sigemptyset(&mtmask);
    sigaddset(&mtmask, SIGVTALRM);
    pthread_sigmask(SIG_UNBLOCK, &mtmask, NULL);

    pv.attribute_reload_thread_running = 1;

    /* Checks the flag and terminates the attribute reload thread.
     *
     * Receipt of VTALRM signal pulls it out of the idle sleep (at
     * bottom of while().  Thread exits normally on next iteration
     * through its loop because stop flag is set.
     */
    while (!pv.attribute_reload_thread_stop)
    {
#ifdef DEBUG
        DebugMessage(DEBUG_ATTRIBUTE,
            "AttrReloadThread: Checking for new attr table...\n");
#endif
        ret = SFAT_ERROR;

        /* Is there an old table waiting to be cleaned up? */
        if (check_attribute_table_flag(ATTRIBUTE_TABLE_TAKEN_FLAG))
        {
            if (check_attribute_table_flag(ATTRIBUTE_TABLE_AVAILABLE_FLAG))
            {
#ifdef DEBUG
                DebugMessage(DEBUG_ATTRIBUTE,
                    "AttrReloadThread: Freeing old attr table...\n");
#endif
                /* Free the map and attribute tables that are stored in
                 * attribute_map_table_old and attribute_lookup_table_old */
                sfxhash_delete(attribute_map_table_old);
                attribute_map_table_old = NULL;
    
                sfrt_cleanup(attribute_lookup_table_old, SFAT_CleanupCallback);
                sfrt_free(attribute_lookup_table_old);
                attribute_lookup_table_old = NULL;
                clear_attribute_table_flag(ATTRIBUTE_TABLE_AVAILABLE_FLAG);
            }
            clear_attribute_table_flag(ATTRIBUTE_TABLE_PARSE_FAILED_FLAG);
            clear_attribute_table_flag(ATTRIBUTE_TABLE_TAKEN_FLAG);
            continue;
        }
        else if (check_attribute_table_flag(ATTRIBUTE_TABLE_RELOAD_FLAG) &&
                 !check_attribute_table_flag(ATTRIBUTE_TABLE_AVAILABLE_FLAG) &&
                 !check_attribute_table_flag(ATTRIBUTE_TABLE_PARSE_FAILED_FLAG))
        {
            /* Is there an new table ready? */
            set_attribute_table_flag(ATTRIBUTE_TABLE_RELOADING_FLAG);
#ifdef DEBUG
            DebugMessage(DEBUG_ATTRIBUTE,
                "AttrReloadThread: loading new attr table.\n");
#endif
            reloads++;
            if (sfat_saved_file)
            {
                /* Initialize a new lookup table */
                if (!attribute_lookup_table_tmp)
                {
                    attribute_lookup_table_tmp = sfrt_new(DIR_16_4x4, IPv4, pv.max_attribute_hosts, sizeof(HostAttributeEntry) * 200);
                    if (!attribute_lookup_table_tmp)
                    {
                        SnortSnprintf(sfat_error_message, STD_BUF,
                            "Failed to initialize memory for new attribute table\n");
                        clear_attribute_table_flag(ATTRIBUTE_TABLE_RELOAD_FLAG);
                        clear_attribute_table_flag(ATTRIBUTE_TABLE_RELOADING_FLAG);
                        set_attribute_table_flag(ATTRIBUTE_TABLE_PARSE_FAILED_FLAG);
                        continue;
                    }
                }
                ret = ParseTargetMap(sfat_saved_file);
                if (ret == SFAT_OK)
                {
                    GetPolicyIdsCallbackList *list_entry = NULL;
                    /* Set flag that a new table is available.  Main
                     * process will check that flag and do the swap.
                     * After the new table is in use, the available
                     * flag should be cleared, the taken flag gets set
                     * and we'll go off and free the old one.
                     */

                    /* Set the policy IDs in the new table... */
                    list_entry = (GetPolicyIdsCallbackList *)arg;
                    while (list_entry)
                    {
                        if (list_entry->policyCallback)
                        {
                            sfrt_iterate(attribute_lookup_table_tmp,
                                (void *)list_entry->policyCallback);
                        }
                        list_entry = list_entry->next;
    }

                    set_attribute_table_flag(ATTRIBUTE_TABLE_AVAILABLE_FLAG);
                }
                else
                {
                    /* Failed to parse, clean it up */
                    if (attribute_map_table_tmp)
                        sfxhash_delete(attribute_map_table_tmp);
                    attribute_map_table_tmp = NULL;

                    sfrt_cleanup(attribute_lookup_table_tmp, SFAT_CleanupCallback);
                    sfrt_free(attribute_lookup_table_tmp);
                    attribute_lookup_table_tmp = NULL;

                    set_attribute_table_flag(ATTRIBUTE_TABLE_PARSE_FAILED_FLAG);
                }
            }
            clear_attribute_table_flag(ATTRIBUTE_TABLE_RELOAD_FLAG);
            clear_attribute_table_flag(ATTRIBUTE_TABLE_RELOADING_FLAG);
        }
        else
        {
            /* Sleep for 60 seconds */
#ifdef DEBUG
            DebugMessage(DEBUG_ATTRIBUTE,
                "AttrReloadThread: Checked for new attr table... sleeping.\n");
#endif
            sleep(60);
        }
    }
#ifdef DEBUG
    DebugMessage(DEBUG_ATTRIBUTE,
        "AttrReloadThread: exiting... Handled %d reloads\n", reloads);
#endif

    pv.attribute_reload_thread_running = 0;
    pthread_exit(NULL);
#endif /* !Win32 */
    return NULL;
}

void AttributeTableReloadCheck()
{
    if (check_attribute_table_flag(ATTRIBUTE_TABLE_TAKEN_FLAG))
    {
        return; /* Nothing to do, waiting for thread to clear this
                 * flag... */
    }
    /* Swap the attribute table pointers. */
    else if (check_attribute_table_flag(ATTRIBUTE_TABLE_AVAILABLE_FLAG))
    {
        LogMessage("Swapping Attribute Tables.\n");
        /***Do this on receipt of new packet ****/
        /***Avoids need for mutex****/
        attribute_lookup_table_old = attribute_lookup_table;
        attribute_lookup_table = attribute_lookup_table_tmp;
        attribute_lookup_table_tmp = NULL;

        attribute_map_table_old = attribute_map_table;
        attribute_map_table = attribute_map_table_tmp;
        attribute_map_table_tmp = NULL;

        /* Set taken to indicate we've taken the new table */
        set_attribute_table_flag(ATTRIBUTE_TABLE_TAKEN_FLAG);

        sfPerf.sfBase.iAttributeHosts = SFAT_NumberOfHosts();
        sfPerf.sfBase.iAttributeReloads++;
        pc.attribute_table_reloads++;
    }
    else if (check_attribute_table_flag(ATTRIBUTE_TABLE_PARSE_FAILED_FLAG))
    {
        LogMessage(sfat_error_message);
        /* Set taken to indicate we've taken the error message */
        set_attribute_table_flag(ATTRIBUTE_TABLE_TAKEN_FLAG);
    }
}

int SFAT_ParseAttributeTable(char *args)
{
    char **toks;
    int num_toks;
    int ret;

    /* Initialize lookup table */
    if (!attribute_lookup_table_tmp)
    {
        attribute_lookup_table_tmp = sfrt_new(DIR_16_4x4, IPv4, pv.max_attribute_hosts, sizeof(HostAttributeEntry) * 200);
        if (!attribute_lookup_table_tmp)
        {
            FatalError("Failed to initialize attribute table memory\n");
        }
    }

    /* Parse filename */
    toks = mSplit(args, " ", 4, &num_toks, 0);

    if (num_toks != 3)
    {
        FatalError("%s(%d) ==> attribute_table must have 2 parameters\n",
                file_name, file_line);
    }

    if (!(strcasecmp(toks[1], "filename") == 0))
    {
        FatalError("%s(%d) ==> attribute_table must have 2 arguments, the 1st "
                "is 'filename'\n",
                file_name, file_line);
    }

    ret = ParseTargetMap(toks[2]);

    if (ret == SFAT_OK)
    {
        attribute_lookup_table = attribute_lookup_table_tmp;
        attribute_lookup_table_tmp = NULL;
        attribute_map_table = attribute_map_table_tmp;
        attribute_map_table_tmp = NULL;
    }
    else
    {
        LogMessage(sfat_error_message);
        FatalError("%s(%d) ==> failed to load attribute table from %s\n",
            file_name, file_line, toks[2]);
    }
    mSplitFree(&toks, num_toks);

    /* Create Thread to handle reparsing stuff... */
    sfPerf.sfBase.iAttributeHosts = SFAT_NumberOfHosts();
    LogMessage("Attribute Table Loaded with %u hosts\n", sfPerf.sfBase.iAttributeHosts);
    LogMessage("Attribute Table Reload Thread Starting...\n");
    /* Register signal handler for attribute table. */
    signal(SIGNAL_SNORT_READ_ATTR_TBL, SigAttributeTableReloadHandler);
    if(errno!=0) errno=0;

    /* Set up the head (empty) node in the policy callback list to
     * pass to thread.*/
    updatePolicyCallbackList = (GetPolicyIdsCallbackList *)SnortAlloc(sizeof(GetPolicyIdsCallbackList));
#ifndef WIN32
    if (pthread_create(&pv.attribute_reload_thread_id, NULL,
            SFAT_ReloadAttributeTableThread, updatePolicyCallbackList))
    {
        FatalError("Failed to start thread to handle reloading attribute table\n");
    }
    while (!pv.attribute_reload_thread_running)
    {
        sleep(1);
    }
    LogMessage("Attribute Table Reload Thread Started, thread %d (%d)\n",
        pv.attribute_reload_thread_id, pv.attribute_reload_thread_pid);
#endif
    return SFAT_OK;
}

#endif /* TARGET_BASED */