📄 snort_stream5_tcp.c
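/* Tail of the TARGET_BASED host-attribute policy helper; its head lies above
 * this page and is reproduced here unchanged. */
    if (!host_entry || !host_entry->hostInfo.streamPolicyName)
        return 0;

    host_entry->hostInfo.streamPolicy =
        StreamPolicyIdFromName(host_entry->hostInfo.streamPolicyName);
    host_entry->hostInfo.streamPolicySet = 1;

    STREAM5_DEBUG_WRAP(
        DebugMessage(DEBUG_STREAM_STATE,
                     "STREAM5 INIT: %s(%d) for Entry %s:%s:%s (%s)\n",
                     reassembly_policy_names[host_entry->hostInfo.streamPolicy],
                     host_entry->hostInfo.streamPolicy,
                     host_entry->hostInfo.operatingSystem.value.s_value,
                     host_entry->hostInfo.vendor.value.s_value,
                     host_entry->hostInfo.version.value.s_value,
                     host_entry->hostInfo.streamPolicyName););
    return 0;
}
#endif

/*
 * Sanity-check the Stream5 TCP configuration once every preprocessor
 * (static and dynamic) has been initialized.
 *
 * Returns 0 when the configuration is usable, -1 (after logging a
 * WARNING) when the session cache was never created, no TCP policy was
 * configured, or no default TCP policy was flagged in s5_global_config.
 *
 * Side effects: allocates the rebuilt-packet scratch buffer (s5_pkt) via
 * Stream5InitPacket() if it does not exist yet and, with TARGET_BASED,
 * registers the host-attribute policy resolver with SFAT.
 */
int Stream5VerifyTcpConfig()
{
    if (!tcp_lws_cache)
    {
        LogMessage("WARNING: Stream5 TCP Session Cache not initialized\n");
        return -1;
    }

    if (numTcpPolicies < 1)
    {
        LogMessage("WARNING: Stream5 TCP no policies specified in configuration\n");
        return -1;
    }

    if (!(s5_global_config.flags & STREAM5_CONFIG_DEFAULT_TCP_POLICY_SET))
    {
        LogMessage("WARNING: Stream5 TCP default policy not specified in configuration\n");
        return -1;
    }

    /* Do this now: verify config is called after all preprocs (static &
     * dynamic) are inited, which gives us the correct number of bits for
     * p->preprocessor_bits. */
    if (!s5_pkt)
        Stream5InitPacket();

#ifdef TARGET_BASED
    SFAT_SetPolicyIds(StreamPolicyIdFromHostAttributeEntry);
#endif

    return 0;
}

/*
 * Tear down all Stream5 TCP state at shutdown/reload: flush and purge every
 * tracked session, release the rebuilt-packet scratch buffers, destroy the
 * session mempool and free the configured TCP policies.
 *
 * Decoder alerts are disabled for the duration of the flush because the
 * queued segments being replayed were already alerted on when first seen;
 * the previous decoder flags are restored before returning.
 */
void Stream5CleanTcp()
{
    DecoderFlags decoder_flags;
    int policyIndex;
    Stream5TcpPolicy *policy = NULL;

    /* Turn off decoder alerts since we're decoding stored
     * packets that we already alerted on. */
    memcpy(&decoder_flags, &pv.decoder_flags, sizeof(DecoderFlags));
    memset(&pv.decoder_flags, 0, sizeof(DecoderFlags));

    /* Set s5_tcp_cleanup to force a flush of all queued data */
    s5_tcp_cleanup = 1;

    /* Clean up hash table -- delete all sessions */
    PurgeLWSessionCache(tcp_lws_cache);
    tcp_lws_cache = NULL;

    /* Cleanup the rebuilt packet */
    if (s5_pkt)
    {
        free((void *)s5_pkt->pkth);
        boFreeBITOP(s5_pkt->preprocessor_bits);
        free(s5_pkt->preprocessor_bits);
        free(s5_pkt);
        s5_pkt = NULL;
    }

#ifdef SUP_IP6
    if (s5_pkt_6)
    {
        free((void *)s5_pkt_6->pkth);
        /* Mirror the IPv4 path above: release the BITOP's internal bit
         * buffer before freeing the BITOP struct itself.  The original only
         * free()d the struct here, which leaks the bit buffer (assuming
         * Stream5InitPacket() initializes both packets the same way, which
         * is not visible on this page). */
        boFreeBITOP(s5_pkt_6->preprocessor_bits);
        free(s5_pkt_6->preprocessor_bits);
        free(s5_pkt_6);
        s5_pkt_6 = NULL;
    }
#endif

    /* Reset this */
    s5_tcp_cleanup = 0;

    mempool_destroy(&tcp_session_mempool);

    /* And turn decoder alerts back on (or whatever they were set to) */
    memcpy(&pv.decoder_flags, &decoder_flags, sizeof(DecoderFlags));

    /* Cleanup TCP Policies and the list.  Guard against a cleanup that runs
     * before any policy list was built (nothing to free in that case). */
    if (tcpPolicyList)
    {
        for (policyIndex = 0; policyIndex < numTcpPolicies; policyIndex++)
        {
            policy = tcpPolicyList[policyIndex];
            if (!policy)
                continue;
            free(policy->flush_point_list.flush_points);
            free(policy->bound_addrs);
            free(policy);
        }
        free(tcpPolicyList);
        tcpPolicyList = NULL;
    }
}

#ifdef DEBUG_STREAM5
/* Dump a StateMgr (TCP state-machine bookkeeping) via LogMessage(). */
static void PrintStateMgr(StateMgr *s)
{
    LogMessage("StateMgr:\n");
    LogMessage("    state:          %s\n", state_names[s->state]);
    LogMessage("    state_queue:    %s\n", state_names[s->state_queue]);
    LogMessage("    expected_flags: 0x%X\n", s->expected_flags);
    LogMessage("    transition_seq: 0x%X\n", s->transition_seq);
    LogMessage("    stq_get_seq:    %d\n", s->stq_get_seq);
}

/* Dump one direction's StreamTracker (sequence/window/segment-list state)
 * followed by its StateMgr.
 *
 * NOTE(review): the %lu / %X / %d conversions below are inherited from the
 * original; the field types are not visible on this page, so confirm they
 * match (a 32-bit field printed with %lu is undefined behavior). */
static void PrintStreamTracker(StreamTracker *s)
{
    LogMessage(" + StreamTracker +\n");
    LogMessage("    isn:                0x%X\n", s->isn);
    LogMessage("    ttl:                %d\n", s->ttl);
    LogMessage("    ts_last:            %lu\n", s->ts_last);
    LogMessage("    wscale:             %lu\n", s->wscale);
    LogMessage("    mss:                0x%08X\n", s->mss);
    LogMessage("    l_unackd:           %X\n", s->l_unackd);
    LogMessage("    l_nxt_seq:          %X\n", s->l_nxt_seq);
    LogMessage("    l_window:           %lu\n", s->l_window);
    LogMessage("    r_nxt_ack:          %X\n", s->r_nxt_ack);
    LogMessage("    r_win_base:         %X\n", s->r_win_base);
    LogMessage("    seglist_base_seq:   %X\n", s->seglist_base_seq);
    LogMessage("    seglist:            %p\n", s->seglist);
    LogMessage("    seglist_tail:       %p\n", s->seglist_tail);
    LogMessage("    seg_count:          %d\n", s->seg_count);
    LogMessage("    seg_bytes_total:    %d\n", s->seg_bytes_total);
    LogMessage("    seg_bytes_logical:  %d\n", s->seg_bytes_logical);
    PrintStateMgr(&s->s_mgr);
}

/* Dump a TcpSession: endpoints, session flags and both trackers.
 *
 * NOTE(review): the endpoint addresses are printed with 0x%08X; whether
 * that is valid under SUP_IP6 depends on the type of tcp_server_ip /
 * tcp_client_ip, which is not visible here. */
static void PrintTcpSession(TcpSession *ts)
{
    LogMessage("TcpSession:\n");
#ifdef DEBUG
    LogMessage("    ssn_time:           %lu\n", ts->ssn_time.tv_sec);
#endif
    LogMessage("    server IP:          0x%08X\n", ts->tcp_server_ip);
    LogMessage("    client IP:          0x%08X\n", ts->tcp_client_ip);
    LogMessage("    server port:        %d\n", ts->tcp_server_port);
    LogMessage("    client port:        %d\n", ts->tcp_client_port);
    LogMessage("    flags:              0x%X\n", ts->lwssn->session_flags);
    LogMessage("Client Tracker:\n");
    PrintStreamTracker(&ts->client);
    LogMessage("Server Tracker:\n");
    PrintStreamTracker(&ts->server);
}

/* Dump the per-packet TcpDataBlock (addresses, seq/ack, window, end seq). */
static void PrintTcpDataBlock(TcpDataBlock *tdb)
{
    LogMessage("TcpDataBlock:\n");
    LogMessage("    sip:    0x%08X\n", tdb->sip);
    LogMessage("    dip:    0x%08X\n", tdb->dip);
    LogMessage("    seq:    0x%08X\n", tdb->seq);
    LogMessage("    ack:    0x%08X\n", tdb->ack);
    LogMessage("    win:    %d\n", tdb->win);
    LogMessage("    end:    0x%08X\n", tdb->end_seq);
}

/* Dump a FlushMgr's flush policy (and flush point where one applies) to the
 * DEBUG_STREAM_STATE debug channel.  A NULL FlushMgr prints nothing. */
static void PrintFlushMgr(FlushMgr *fm)
{
    if (fm == NULL)
        return;

    switch (fm->flush_policy)
    {
        case STREAM_FLPOLICY_NONE:
            STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                        "    NONE\n"););
            break;
        case STREAM_FLPOLICY_FOOTPRINT:
            STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                        "    FOOTPRINT %d\n", fm->flush_pt););
            break;
        case STREAM_FLPOLICY_LOGICAL:
            STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                        "    LOGICAL %d\n", fm->flush_pt););
            break;
        case STREAM_FLPOLICY_RESPONSE:
            STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                        "    RESPONSE\n"););
            break;
        case STREAM_FLPOLICY_SLIDING_WINDOW:
            STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                        "    SLIDING_WINDOW %d\n", fm->flush_pt););
            break;
        case STREAM_FLPOLICY_IGNORE:
            STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                        "    IGNORE\n"););
            break;
        default:
            /* Unknown policy value: make it visible rather than silent so a
             * corrupted or unhandled policy shows up in the debug trace. */
            STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                        "    UNKNOWN flush policy %d\n", (int)fm->flush_policy););
            break;
    }
}
#endif

/*
 * Common body of the Event*() helpers below: queue a Stream5 preprocessor
 * event (GID GENERATOR_SPP_STREAM5, rev 1, class 0, priority 3, no rule
 * info) unless the active TCP policy has alerts disabled.  Also bumps the
 * s5stats.events counter.
 *
 * Parameters:
 *   s5TcpPolicy  policy whose STREAM5_CONFIG_ENABLE_ALERTS flag gates the alert
 *   sid          Stream5 event SID (STREAM5_* constant)
 *   msg          matching STREAM5_*_STR event message
 */
static INLINE void Stream5TcpQueueEvent(Stream5TcpPolicy *s5TcpPolicy,
                                        unsigned int sid, char *msg)
{
    if (!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS))
        return;

    s5stats.events++;
    SnortEventqAdd(GENERATOR_SPP_STREAM5,   /* GID */
                   sid,                     /* SID */
                   1,                       /* rev */
                   0,                       /* class */
                   3,                       /* priority */
                   msg,                     /* event msg */
                   NULL);                   /* rule info ptr */
}

/* SYN seen on an already established session. */
static INLINE void EventSynOnEst(Stream5TcpPolicy *s5TcpPolicy)
{
    Stream5TcpQueueEvent(s5TcpPolicy, STREAM5_SYN_ON_EST, STREAM5_SYN_ON_EST_STR);
}

/* Too many overlapping segments on one stream (possible evasion/insertion). */
static INLINE void EventExcessiveOverlap(Stream5TcpPolicy *s5TcpPolicy)
{
    Stream5TcpQueueEvent(s5TcpPolicy, STREAM5_EXCESSIVE_TCP_OVERLAPS,
                         STREAM5_EXCESSIVE_TCP_OVERLAPS_STR);
}

/* TCP timestamp option failed the PAWS-style sanity check. */
static INLINE void EventBadTimestamp(Stream5TcpPolicy *s5TcpPolicy)
{
    Stream5TcpQueueEvent(s5TcpPolicy, STREAM5_BAD_TIMESTAMP, STREAM5_BAD_TIMESTAMP_STR);
}

/* Advertised window exceeds the configured/allowed size. */
static INLINE void EventWindowTooLarge(Stream5TcpPolicy *s5TcpPolicy)
{
    Stream5TcpQueueEvent(s5TcpPolicy, STREAM5_WINDOW_TOO_LARGE, STREAM5_WINDOW_TOO_LARGE_STR);
}

/* Payload carried on a SYN segment. */
static INLINE void EventDataOnSyn(Stream5TcpPolicy *s5TcpPolicy)
{
    Stream5TcpQueueEvent(s5TcpPolicy, STREAM5_DATA_ON_SYN, STREAM5_DATA_ON_SYN_STR);
}

/* Payload received on a session that is already closed. */
static INLINE void EventDataOnClosed(Stream5TcpPolicy *s5TcpPolicy)
{
    Stream5TcpQueueEvent(s5TcpPolicy, STREAM5_DATA_ON_CLOSED, STREAM5_DATA_ON_CLOSED_STR);
}

/* Payload received after the session was reset. */
static INLINE void EventDataAfterReset(Stream5TcpPolicy *s5TcpPolicy)
{
    Stream5TcpQueueEvent(s5TcpPolicy, STREAM5_DATA_AFTER_RESET, STREAM5_DATA_AFTER_RESET_STR);
}

/* Segment failed basic sanity checks. */
static INLINE void EventBadSegment(Stream5TcpPolicy *s5TcpPolicy)
{
    Stream5TcpQueueEvent(s5TcpPolicy, STREAM5_BAD_SEGMENT, STREAM5_BAD_SEGMENT_STR);
}

/* Client-side endpoint identity changed mid-session (possible hijack). */
static INLINE void EventSessionHijackedClient(Stream5TcpPolicy *s5TcpPolicy)
{
    Stream5TcpQueueEvent(s5TcpPolicy, STREAM5_SESSION_HIJACKED_CLIENT,
                         STREAM5_SESSION_HIJACKED_CLIENT_STR);
}

/* Server-side counterpart of EventSessionHijackedClient().  This definition
 * continues past the end of this page and is left as originally written. */
static INLINE void EventSessionHijackedServer(Stream5TcpPolicy *s5TcpPolicy)
{
    if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS))
        return;

    s5stats.events++;
    SnortEventqAdd(GENERATOR_SPP_STREAM5,            /* GID */
                   STREAM5_SESSION_HIJACKED_SERVER,   /* SID */
                   1,                                 /* rev */
                   0,                                 /* class */
                   3,                                 /* priority */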