spp_stream4.c

著名的入侵检测系统snort的最新版本的源码

            spd = spd->next;
#ifdef DEBUG
            if(savspd->chuck == SEG_FULL)
            {
                DebugMessage(DEBUG_STREAM, "[sct] chucking used segment\n");
            }
            else
            {
                DebugMessage(DEBUG_STREAM, "[sct] tossing unused segment\n");
            }
#endif /*DEBUG*/

            /* Break out if we hit the packet where we stopped because
             * of a gap.  The rest will be cleaned when we reassemble
             * after the gap. */
            if (s4data.seq_gap)
            {
                /* SEQ_GT to handle wrapped seq */
                if  (SEQ_GT(savspd->seq_num, s4data.stop_seq))
                {
                    break;
                }
            }

            foo = RemoveSpd(s, savspd);
            StreamSegmentSub(s, foo->payload_size);

            stream4_memory_usage -= foo->pkt_size;
            free(foo->pktOrig);
            stream4_memory_usage -= sizeof(StreamPacketData);
            free(foo);
        }
        else
        {
            /* We just break out of the loop here since the
             * packets are stored in order */
            break;
        }
    }
}

/* XXX: this will be removed as we clean up the modularization */
void DirectLogTcpdump(struct pcap_pkthdr *, u_int8_t *);

static void LogTraverse(StreamPacketData *NodePtr, void *foo)
{
    StreamPacketData *spd;

    spd = (StreamPacketData *) NodePtr;
    /* XXX: modularization violation */
    DirectLogTcpdump((struct pcap_pkthdr *)&spd->pkth, spd->pkt); 
}

void *SafeAlloc(unsigned long size, int tv_sec, Session *ssn)
{
    void *tmp;

    stream4_memory_usage += size;

    /* if we use up all of our RAM, try to free up some stale sessions */
    if(stream4_memory_usage > s4data.memcap)
    {
        pc.str_mem_faults++;
        sfPerf.sfBase.iStreamFaults++;
        s4data.last_prune_time = tv_sec;
        if(!PruneSessionCache(IPPROTO_TCP, (u_int32_t)tv_sec, 0, ssn))
        {
            /* if we can't prune due to time, just nuke 5 random sessions */
            PruneSessionCache(IPPROTO_TCP, 0, 5, ssn);            
        }
    }

    tmp = (void *) calloc(size, sizeof(char));

    if(tmp == NULL)
    {
        FatalError("Unable to allocate memory! (%lu bytes in use)\n", 
                   (unsigned long)stream4_memory_usage);
    }

    return tmp;
}

/*
 * Function: SetupStream4()
 *
 * Purpose: Registers the preprocessor keyword and initialization 
 *          function into the preprocessor list.  This is the function that
 *          gets called from InitPreprocessors() in plugbase.c.
 *
 * Arguments: None.
 *
 * Returns: void function
 */
void SetupStream4()
{
    /* link the preprocessor keyword to the init function in 
       the preproc list */
    RegisterPreprocessor("stream4", Stream4Init);
    RegisterPreprocessor("stream4_reassemble", Stream4InitReassembler);
    RegisterPreprocessor("stream4_external", Stream4InitExternalOptions);

    DEBUG_WRAP(DebugMessage(DEBUG_STREAM,  "Preprocessor: Stream4 is setup...\n"););
}

/*
 * Function: Stream4Init(char *)
 *
 * Purpose: Calls the argument parsing function, performs final setup on data
 *          structs, links the preproc function into the function list.
 *
 * Arguments: args => ptr to argument string
 *
 * Returns: void function
 */
void Stream4Init(char *args)
{
    char logfile[STD_BUF];

    if (stream_api == NULL)
        stream_api = &s4api;
    else
        FatalError("Cannot use both Stream4 & Stream5 simultaneously\n");

#ifdef SUP_IP6
    FatalError("Stream4 cannot be used when IPv6 support is compiled into Snort. "
                "Please switch to Stream5.\n");
#endif    

    s4data.stream4_active = 1;
    pv.stateful = 1;
    s4data.memcap = STREAM4_MEMORY_CAP;
    s4data.max_sessions = STREAM4_MAX_SESSIONS;
#ifdef STREAM4_UDP
    s4data.max_udp_sessions = STREAM4_MAX_SESSIONS;
    s4data.udp_ignore_any = 0;
#endif

    DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "log_dir is %s\n", pv.log_dir););

    /* initialize the self preservation counters */
    s4data.sp_threshold      = SELF_PRES_THRESHOLD;
    s4data.sp_period         = SELF_PRES_PERIOD;
    s4data.suspend_threshold = SUSPEND_THRESHOLD;
    s4data.suspend_period    = SUSPEND_PERIOD;
    s4data.state_protection  = 0; 
    
    s4_emergency.end_time = 0;
    s4_emergency.new_session_count = 0;
    s4_emergency.status = OPS_NORMAL;
   
    /* parse the argument list from the rules file */
    ParseStream4Args((char *)args);

    SnortSnprintf(logfile, STD_BUF, "%s/%s", pv.log_dir, "session.log");
    
    if(s4data.track_stats_flag)
    {
        if((session_log = fopen(logfile, "a+")) == NULL)
        {
            FatalError("Unable to write to \"%s\": %s\n", logfile, 
                       strerror(errno));
        }
    }

    s4data.last_prune_time = 0;
    
    stream_pkt = (Packet *) SafeAlloc(sizeof(Packet), 0, NULL);

    /* Need to do this later.  We have dynamic preprocessors
     * and a dynamic preproc bit field that is set based on number of
     * preprocessors */
    //InitStream4Pkt();

    /* tell the rest of the program that we're stateful */
    snort_runtime.capabilities.stateful_inspection = 1;
   
    InitSessionCache();

    DEBUG_WRAP(DebugMessage(DEBUG_STREAM,  "Preprocessor: Stream4 Initialized\n"););

    /* Set the preprocessor function into the function list */
    AddFuncToPreprocList(ReassembleStream4, PRIORITY_TRANSPORT, PP_STREAM4);
    AddFuncToPreprocShutdownList(Stream4ShutdownFunction, NULL, PRIORITY_FIRST, PP_STREAM4);
    AddFuncToPreprocCleanExitList(Stream4CleanExitFunction, NULL, PRIORITY_FIRST, PP_STREAM4);
    AddFuncToPreprocRestartList(Stream4RestartFunction, NULL, PRIORITY_FIRST, PP_STREAM4);    
    AddFuncToConfigCheckList(Stream4VerifyConfig);
    RegisterPreprocStats("stream4", Stream4PrintStats);

#ifdef PERF_PROFILING
    RegisterPreprocessorProfile("s4", &stream4PerfStats, 0, &totalPerfStats);
    RegisterPreprocessorProfile("s4PktInsert", &stream4InsertPerfStats, 1, &stream4PerfStats);
    RegisterPreprocessorProfile("s4NewSess", &stream4NewSessPerfStats, 1, &stream4PerfStats);
    RegisterPreprocessorProfile("s4GetSess", &stream4LUSessPerfStats, 1, &stream4PerfStats);
    RegisterPreprocessorProfile("s4State", &stream4StatePerfStats, 1, &stream4PerfStats);
    RegisterPreprocessorProfile("s4StateAsync", &stream4StateAsyncPerfStats, 1, &stream4PerfStats);
    RegisterPreprocessorProfile("s4StateAction", &stream4ActionPerfStats, 1, &stream4PerfStats);
    RegisterPreprocessorProfile("s4Flush", &stream4FlushPerfStats, 1, &stream4PerfStats);
    RegisterPreprocessorProfile("s4BuildPacket", &stream4BuildPerfStats, 2, &stream4FlushPerfStats);
    RegisterPreprocessorProfile("s4ProcessRebuilt", &stream4ProcessRebuiltPerfStats, 2, &stream4FlushPerfStats);
    RegisterPreprocessorProfile("s4StateActionAsync", &stream4ActionAsyncPerfStats, 1, &stream4PerfStats);
    RegisterPreprocessorProfile("s4Prune", &stream4PrunePerfStats, 1, &stream4PerfStats);
#endif
}

void Stream4VerifyConfig()
{
    /* Finish setup of reassembly packet */
    InitStream4Pkt();

#ifdef STREAM4_UDP
    Stream4UdpConfigure();
#endif
}

void DisplayStream4Config(void) 
{
    LogMessage("Stream4 config:\n");
    LogMessage("    Stateful inspection: %s\n", 
               s4data.stateful_inspection_flag ? "ACTIVE": "INACTIVE");
    LogMessage("    Session statistics: %s\n", 
               s4data.track_stats_flag ? "ACTIVE":"INACTIVE");
    LogMessage("    Session timeout: %d seconds\n", s4data.timeout);
    LogMessage("    Session memory cap: %lu bytes\n", (unsigned long)s4data.memcap);
    LogMessage("    Session count max: %d sessions\n", (unsigned long)s4data.max_sessions);
#ifdef STREAM4_UDP
    LogMessage("    UDP Tracking Enabled: %s\n",
                s4data.enable_udp_sessions ? "YES" : "NO");
    if (s4data.enable_udp_sessions)
    {
        LogMessage("    UDP Session count max: %d sessions\n", (unsigned long)s4data.max_udp_sessions);
        LogMessage("    UDP Ignore Traffic on port without port-specific rules: %s\n",
                s4data.udp_ignore_any ? "YES" : "NO");
    }
#endif

    LogMessage("    Session cleanup count: %d\n", s4data.cache_clean_sessions);
    LogMessage("    State alerts: %s\n", 
               s4data.state_alerts ? "ACTIVE":"INACTIVE");
    LogMessage("    Evasion alerts: %s\n", 
               s4data.evasion_alerts ? "ACTIVE":"INACTIVE");
    LogMessage("    Scan alerts: %s\n", 
               s4data.ps_alerts ? "ACTIVE":"INACTIVE");
    LogMessage("    Log Flushed Streams: %s\n",
               s4data.log_flushed_streams ? "ACTIVE":"INACTIVE");
    LogMessage("    MinTTL: %d\n", s4data.min_ttl);
    LogMessage("    TTL Limit: %d\n", s4data.ttl_limit);
    LogMessage("    Async Link: %d\n", s4data.asynchronous_link);
    LogMessage("    State Protection: %d\n", s4data.state_protection);
    LogMessage("    Self preservation threshold: %d\n", s4data.sp_threshold);
    LogMessage("    Self preservation period: %d\n", s4data.sp_period);
    LogMessage("    Suspend threshold: %d\n", s4data.suspend_threshold);
    LogMessage("    Suspend period: %d\n", s4data.suspend_period);
    LogMessage("    Enforce TCP State: %s %s\n",
            s4data.enforce_state ? "ACTIVE" : "INACTIVE",
            s4data.enforce_state & ENFORCE_STATE_DROP ? "and DROPPING" : " ");
    LogMessage("    Midstream Drop Alerts: %s\n",
            s4data.ms_inline_alerts ? "ACTIVE" : "INACTIVE");
    LogMessage("    Allow Blocking of TCP Sessions in Inline: %s\n",
            s4data.allow_session_blocking ? "ACTIVE" : "INACTIVE");
    if (s4data.server_inspect_limit > 0)
        LogMessage("    Server Data Inspection Limit: %d\n", 
                    s4data.server_inspect_limit);

}


/*
 * Function: ParseStream4Args(char *)
 *
 * Purpose: Process the preprocessor arguements from the rules file and 
 *          initialize the preprocessor's data struct.  This function doesn't
 *          have to exist if it makes sense to parse the args in the init 
 *          function.
 *
 * Arguments: args => argument list
 *
 * Returns: void function
 */
void ParseStream4Args(char *args)
{
    char **toks;
    int num_toks;
    int i;
    char *index;
    char **stoks = NULL;
    int s_toks;

    s4data.timeout = PRUNE_QUANTA;
    s4data.memcap = STREAM4_MEMORY_CAP;
    s4data.max_sessions = STREAM4_MAX_SESSIONS;
#ifdef STREAM4_UDP
    s4data.max_udp_sessions = STREAM4_MAX_SESSIONS;
    s4data.enable_udp_sessions = 0;
#endif
    s4data.cache_clean_sessions = STREAM4_CLEANUP;
    s4data.stateful_inspection_flag = 1;
    s4data.state_alerts = 0;
    s4data.evasion_alerts = 1;
    s4data.ps_alerts = 0;
    s4data.reassemble_client = s4data.reassemble_server = 0;
    s4data.log_flushed_streams = 0;
    s4data.min_ttl = 1;
    s4data.path_mtu = 1460;
    s4data.ttl_limit = STREAM4_TTL_LIMIT;
    s4data.asynchronous_link = 0;
    s4data.flush_data_diff_size = 500; 
    s4data.zero_flushed_packets = 0;
    s4data.flush_on_alert = 0;
    s4data.overlap_limit = -1;
    s4data.server_inspect_limit = -1;
    /* Default is to block session on inline drop */
    s4data.allow_session_blocking = 1;
    
    /* dynamic flush points */
    s4data.flush_behavior = FLUSH_BEHAVIOR_DEFAULT;
    s4data.flush_range = STREAM4_FLUSH_RANGE;
    s4data.flush_base = STREAM4_FLUSH_BASE;
    s4data.flush_seed = getpid() + time(NULL);

#ifdef STREAM4_UDP
    /* Ports on which to do UDP sessions.
     * Derived from rules that have "flow" keyword
     */
    //s4data.udp_ports[x] = UDP_SESSION;
#endif

    /* if no arguments, go ahead and return */
    if(args == NULL || args[0] == '\0')
    {
        DisplayStream4Config();
        return;
    }

    i=0;

    toks = mSplit(args, ",", 20, &num_toks, 0);
    
    while(i < num_toks)
    {
        index = toks[i];

        while(isspace((int)*index)) index++;

        stoks = mSplit(index, " ", 4, &s_toks, 0);

        if(!strcasecmp(stoks[0], "noinspect"))
        {
            s4data.stateful_inspection_flag = 0;
        }
        else if(!strcasecmp(stoks[0], "asynchronous_link"))
        {
            s4data.asynchronous_link = 1;
        }
        else if(!strcasecmp(stoks[0], "keepstats"))
        {
            s4data.track_stats_flag = STATS_HUMAN_READABLE;

            if(s_toks > 1)
            {
                if(!strcasecmp(stoks[1], "machine"))
                {
                    s4data.track_stats_flag = STATS_MACHINE_READABLE;
                }
                else if(!strcasecmp(stoks[1], "binary"))
                {
                    s4data.track_stats_flag = STATS_BINARY;
                    stats_log = (StatsLog *)SnortAlloc(sizeof(StatsLog));
                    stats_log->filename = strdup("snort-unified.stats");
                    OpenStatsFile();
                } 
                else
                {
                    ErrorMessage("Bad stats mode for stream4, ignoring\n");
                    s4data.track_stats_flag = 0;
                }
            }
        }
        else if(!strcasecmp(stoks[0], "detect_scans"))
        {
            s4data.ps_alerts = 1;
        }
        else if(!strcasecmp(stoks[0], "log_flushed_streams"))
        {
            s4data.log_flushed_streams = 1;
        }