📄 spp_stream5.c
file_name, file_line, s5_global_config.max_icmp_sessions, S5_RIDICULOUS_MAX_SESSIONS);
                        }
                    }
                }

                /*
                 * Report a missing argument, or an argument for which endPtr
                 * still points at its first character.
                 * NOTE(review): endPtr is assigned above this listing,
                 * presumably by a numeric conversion of stoks[1] -- confirm.
                 * This test does not look at what follows the digits, so
                 * check whether trailing characters are rejected elsewhere.
                 */
                if (!stoks[1] || (endPtr == &stoks[1][0]))
                {
                    FatalError("%s(%d) => Invalid max_icmp in config file. Requires integer parameter.\n",
                               file_name, file_line);
                }

                /* Remember that max_icmp was given; the track_icmp branch
                 * below tests this bit to detect a conflict. */
                max_set |= MAX_ICMP;
            }
            else if(!strcasecmp(stoks[0], "track_icmp"))
            {
                if (stoks[1])
                {
                    /* Only the literal "no" (case-insensitive) turns ICMP
                     * tracking off; any other argument, including a
                     * misspelling, turns it on. */
                    if(!strcasecmp(stoks[1], "no"))
                        s5_global_config.track_icmp_sessions = S5_TRACK_NO;
                    else
                        s5_global_config.track_icmp_sessions = S5_TRACK_YES;
                }
                else
                {
                    FatalError("%s(%d) => 'track_icmp' missing option\n",
                               file_name, file_line);
                }

                /* This test runs when track_icmp is parsed, so it only sees
                 * a max_icmp option that has already set its max_set bit. */
                if ((max_set & MAX_ICMP) &&
                    (s5_global_config.track_icmp_sessions == S5_TRACK_NO))
                {
                    FatalError("%s(%d) => max_icmp/track_icmp conflict: not "
                               "tracking ICMP sessions\n",
                               file_name, file_line);
                }
            }
            /* The next two options take no argument in the visible code:
             * each only sets a bit in s5_global_config.flags. */
            else if(!strcasecmp(stoks[0], "flush_on_alert"))
            {
                s5_global_config.flags |= STREAM5_CONFIG_FLUSH_ON_ALERT;
            }
            else if(!strcasecmp(stoks[0], "show_rebuilt_packets"))
            {
                s5_global_config.flags |= STREAM5_CONFIG_SHOW_PACKETS;
            }
#ifdef TBD
            else if(!strcasecmp(stoks[0], "no_midstream_drop_alerts"))
            {
                /*
                 * XXX: Do we want to not alert on drops for sessions picked
                 * up midstream ?  If we're inline, and get a session midstream,
                 * it's because it was picked up during startup.  In inline
                 * mode, we should ALWAYS be requiring TCP 3WHS.
                 */
                s5_global_config.flags |= STREAM5_CONFIG_MIDSTREAM_DROP_NOALERT;
            }
#endif
            else
            {
                /* An unrecognised option name is reported through FatalError
                 * rather than skipped.
                 * NOTE(review): `index` is printed with %s; its declaration
                 * is outside this listing -- confirm it is a string. */
                FatalError("%s(%d) => Unknown Stream5 global option (%s)\n",
                           file_name, file_line, index);
            }

            /* Free the stoks token array for this option, then advance i. */
            mSplitFree(&stoks, s_toks);
            i++;
        }

        mSplitFree(&toks, num_toks);
    }

    return;
}

/*
 * Log the global Stream5 settings held in s5_global_config: whether each of
 * TCP, UDP and ICMP is tracked, the session maximum of each tracked
 * protocol, and the reassembly memcap (logged unconditionally).
 *
 * NOTE(review): the %lu and %d conversions assume the field types; the
 * declaration of s5_global_config is not visible here -- confirm they match.
 */
static void Stream5PrintGlobalConfig()
{
    LogMessage("Stream5 global config:\n");
    LogMessage(" Track TCP sessions: %s\n",
        s5_global_config.track_tcp_sessions == S5_TRACK_YES ?
        "ACTIVE" : "INACTIVE");
    if (s5_global_config.track_tcp_sessions == S5_TRACK_YES)
        LogMessage(" Max TCP sessions: %lu\n",
            s5_global_config.max_tcp_sessions);
    LogMessage(" Memcap (for reassembly packet storage): %d\n",
        s5_global_config.memcap);
    LogMessage(" Track UDP sessions: %s\n",
        s5_global_config.track_udp_sessions == S5_TRACK_YES ?
        "ACTIVE" : "INACTIVE");
    if (s5_global_config.track_udp_sessions == S5_TRACK_YES)
        LogMessage(" Max UDP sessions: %lu\n",
            s5_global_config.max_udp_sessions);
    LogMessage(" Track ICMP sessions: %s\n",
        s5_global_config.track_icmp_sessions == S5_TRACK_YES ?
        "ACTIVE" : "INACTIVE");
    if (s5_global_config.track_icmp_sessions == S5_TRACK_YES)
        LogMessage(" Max ICMP sessions: %lu\n",
            s5_global_config.max_icmp_sessions);
}

/*
 * Handle a Stream5 TCP policy configuration line.
 *
 * args: configuration text, passed unchanged to Stream5TcpPolicyInit().
 *
 * Registers Stream5Process in the preprocessor list the first time any of
 * the three policy initializers gets this far (guarded by
 * s5_process_registered), and reports through FatalError when TCP tracking
 * is turned off in the global config.
 */
void Stream5PolicyInitTcp(char *args)
{
    PreprocessFuncNode *pfn;    /* NOTE(review): assigned below, never read in this function */

    /*
     * NOTE(review): a policy line seen before the global config is complete
     * is only logged and then ignored; it is not treated as a fatal
     * configuration error here.  Whether start-up is stopped later is not
     * visible in this listing, so confirm a sensor cannot run with the
     * policy silently missing.
     */
    if(!s5_global_config_complete)
    {
        LogMessage("Tried to config stream5 TCP policy without global config!\n");
        return;
    }

    if (!s5_process_registered)
    {
        pfn = AddFuncToPreprocList(Stream5Process, PRIORITY_TRANSPORT, PP_STREAM5);
        s5_process_registered = 1;
    }

    if (!s5_global_config.track_tcp_sessions)
    {
        FatalError("Stream5 TCP Configuration specified, but TCP tracking is turned off\n");
    }

    /* Call the protocol specific initializer */
    Stream5TcpPolicyInit(args);

    return;
}

/*
 * Handle a Stream5 UDP policy configuration line.
 *
 * args: configuration text, passed unchanged to Stream5UdpPolicyInit().
 *
 * Same sequence as Stream5PolicyInitTcp: log and return when the global
 * config is not complete, register Stream5Process once, report through
 * FatalError when UDP tracking is turned off, then call the UDP initializer.
 */
void Stream5PolicyInitUdp(char *args)
{
    PreprocessFuncNode *pfn;    /* NOTE(review): assigned below, never read in this function */

    /* NOTE(review): logged and ignored, not fatal -- see the TCP variant. */
    if(!s5_global_config_complete)
    {
        LogMessage("Tried to config stream5 UDP policy without global config!\n");
        return;
    }

    if (!s5_process_registered)
    {
        pfn = AddFuncToPreprocList(Stream5Process, PRIORITY_TRANSPORT, PP_STREAM5);
        s5_process_registered = 1;
    }

    if (!s5_global_config.track_udp_sessions)
    {
        FatalError("Stream5 UDP Configuration specified, but UDP tracking is turned off\n");
    }

    /* Call the protocol specific initializer */
    Stream5UdpPolicyInit(args);

    return;
}

/*
 * Handle a Stream5 ICMP policy configuration line.
 *
 * args: configuration text, passed unchanged to Stream5IcmpPolicyInit().
 *
 * Same sequence as Stream5PolicyInitTcp: log and return when the global
 * config is not complete, register Stream5Process once, report through
 * FatalError when ICMP tracking is turned off, then call the ICMP
 * initializer.
 */
void Stream5PolicyInitIcmp(char *args)
{
    PreprocessFuncNode *pfn;    /* NOTE(review): assigned below, never read in this function */

    /* NOTE(review): logged and ignored, not fatal -- see the TCP variant. */
    if(!s5_global_config_complete)
    {
        LogMessage("Tried to config stream5 ICMP policy without global config!\n");
        return;
    }

    if (!s5_process_registered)
    {
        pfn = AddFuncToPreprocList(Stream5Process, PRIORITY_TRANSPORT, PP_STREAM5);
        s5_process_registered = 1;
    }

    if (!s5_global_config.track_icmp_sessions)
    {
        FatalError("Stream5 ICMP Configuration specified, but ICMP tracking is turned off\n");
    }

    /* Call the protocol specific initializer */
    Stream5IcmpPolicyInit(args);

    return;
}

/*
 * Restart callback.  The body is empty: neither argument is used and no
 * state is changed.
 */
static void Stream5Restart(int signal, void *foo)
{
    return;
}

/*
 * Exit callback: runs the TCP, UDP and ICMP clean-up routines and then
 * destroys s5FlowMempool.  Neither argument is used.
 */
static void Stream5CleanExit(int signal, void *foo)
{
    /* Clean up the hash tables for these */
    Stream5CleanTcp();
    Stream5CleanUdp();
    Stream5CleanIcmp();

    mempool_destroy(&s5FlowMempool);

    return;
}

/*
 * Check the per-protocol configuration of every tracked protocol and size
 * the flowbits memory pool.
 *
 * Does nothing unless s5_global_config_complete is set.  A non-zero result
 * from a Stream5Verify*Config() call is logged as a warning; if any
 * protocol failed, the condition is reported through FatalError before the
 * pool is initialised.  total_sessions is the sum of the configured session
 * maximums of the tracked protocols and becomes the pool's object count.
 */
static void Stream5VerifyConfig()
{
    int tcpNotConfigured = 0;
    int udpNotConfigured = 0;
    int icmpNotConfigured = 0;
    PoolCount total_sessions = 0;
    int obj_size = 0;

    if (s5_global_config_complete)
    {
        if (s5_global_config.track_tcp_sessions)
        {
            tcpNotConfigured = Stream5VerifyTcpConfig();
            if (tcpNotConfigured)
            {
                LogMessage("WARNING: Stream5 TCP misconfigured\n");
            }
            else
            {
                total_sessions += s5_global_config.max_tcp_sessions;
            }
        }

        if (s5_global_config.track_udp_sessions)
        {
            udpNotConfigured = Stream5VerifyUdpConfig();
            if (udpNotConfigured)
            {
                LogMessage("WARNING: Stream5 UDP misconfigured\n");
            }
            else
            {
                total_sessions += s5_global_config.max_udp_sessions;
            }
        }

        if (s5_global_config.track_icmp_sessions)
        {
            icmpNotConfigured = Stream5VerifyIcmpConfig();
            if (icmpNotConfigured)
            {
                LogMessage("WARNING: Stream5 ICMP misconfigured\n");
            }
            else
            {
                total_sessions += s5_global_config.max_icmp_sessions;
            }
        }

        if (tcpNotConfigured || udpNotConfigured || icmpNotConfigured)
        {
            FatalError("Stream5 not properly configured... exiting\n");
        }

        /* Initialize the memory pool for Flowbits Data */
        /* use giFlowbitSize - 1, since there is already 1 byte in the
         * StreamFlowData structure */
        /* NOTE(review): the sum is computed with a size_t operand and stored
         * in an int; giFlowbitSize's type and range are not visible here --
         * confirm the result always fits and is positive. */
        obj_size = sizeof(StreamFlowData) + giFlowbitSize - 1;

        if (obj_size % sizeof(long) != 0)
        {
            /* Increase obj_size by sizeof(long) to force sizeof(long) byte
             * alignment for each object in the mempool.  Without this,
             * the mempool data buffer was not aligned. Overlaying the
             * StreamFlowData structure caused problems on some Solaris
             * platforms. */
            /* The statement rounds obj_size up to the next multiple of
             * sizeof(long). */
            obj_size += ( sizeof(long) - (obj_size % sizeof(long)));
        }

        /* NOTE(review): any result of mempool_init is not examined here, and
         * total_sessions stays 0 when no protocol is tracked -- confirm both
         * cases are handled by mempool_init or its users. */
        mempool_init(&s5FlowMempool, total_sessions, obj_size);
    }
}

/*
 * Log the counters held in s5stats: session totals, prunes, TCP tracker and
 * segment counts, UDP session counts, timeouts, discards and events.
 *
 * exiting: not used in this function.
 *
 * NOTE(review): every counter is printed with %lu; the s5stats declaration
 * is not visible here -- confirm the field types match.
 */
static void Stream5PrintStats(int exiting)
{
    LogMessage("Stream5 statistics:\n");
    LogMessage(" Total sessions: %lu\n",
            s5stats.total_tcp_sessions +
            s5stats.total_udp_sessions +
            s5stats.total_icmp_sessions);
    LogMessage(" TCP sessions: %lu\n", s5stats.total_tcp_sessions);
    LogMessage(" UDP sessions: %lu\n", s5stats.total_udp_sessions);
    LogMessage(" ICMP sessions: %lu\n", s5stats.total_icmp_sessions);
    LogMessage(" TCP Prunes: %lu\n", s5stats.tcp_prunes);
    LogMessage(" UDP Prunes: %lu\n", s5stats.udp_prunes);
    LogMessage(" ICMP Prunes: %lu\n", s5stats.icmp_prunes);
    LogMessage("TCP StreamTrackers Created: %lu\n",
            s5stats.tcp_streamtrackers_created);
    LogMessage("TCP StreamTrackers Deleted: %lu\n",
            s5stats.tcp_streamtrackers_released);
    LogMessage(" TCP Timeouts: %lu\n", s5stats.tcp_timeouts);
    LogMessage(" TCP Overlaps: %lu\n", s5stats.tcp_overlaps);
    LogMessage(" TCP Segments Queued: %lu\n", s5stats.tcp_streamsegs_created);
    LogMessage(" TCP Segments Released: %lu\n", s5stats.tcp_streamsegs_released);
    LogMessage(" TCP Rebuilt Packets: %lu\n", s5stats.tcp_rebuilt_packets);
    LogMessage(" TCP Segments Used: %lu\n", s5stats.tcp_rebuilt_seqs_used);
    LogMessage(" TCP Discards: %lu\n", s5stats.tcp_discards);
    LogMessage(" UDP Sessions Created: %lu\n", s5stats.udp_sessions_created);
    LogMessage(" UDP Sessions Deleted: %lu\n", s5stats.udp_sessions_released);
    LogMessage(" UDP Timeouts: %lu\n", s5stats.udp_timeouts);
    LogMessage(" UDP Discards: %lu\n", s5stats.udp_discards);
    LogMessage(" Events: %lu\n", s5stats.events);
}

/*
 * MAIN ENTRY POINT
 *
 * Per-packet entry registered with AddFuncToPreprocList() by the policy
 * initializers above.
 *
 * p:       packet to process.
 * context: not used in this function.
 *
 * Packets that IsEligible() rejects return here without reaching any of the
 * TCP/UDP/ICMP handlers, so Stream5 keeps no session state for them.
 */
void Stream5Process(Packet *p, void *context)
{
    PROFILE_VARS;

    /* Record the timestamp of the first packet seen, while the variable is
     * still zero. */
    if (!firstPacketTime)
        firstPacketTime = p->pkth->ts.tv_sec;

    if(!IsEligible(p))
    {
        DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Is not eligible!\n"););
        return;
    }

    DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"););
    DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "In Stream5!\n"););

    PREPROC_PROFILE_START(s5PerfStats);

    /* Call individual TCP/UDP/ICMP processing, per GET_IPH_PROTO(p) */
    /* A protocol whose tracking flag is off is skipped.  There is no
     * default case; IsEligible() has already returned 0 for any other
     * protocol value. */
    switch(GET_IPH_PROTO(p))
    {
        case IPPROTO_TCP:
            if (s5_global_config.track_tcp_sessions)
                Stream5ProcessTcp(p);
            break;
        case IPPROTO_UDP:
            if (s5_global_config.track_udp_sessions)
                Stream5ProcessUdp(p);
            break;
        case IPPROTO_ICMP:
            if (s5_global_config.track_icmp_sessions)
                Stream5ProcessIcmp(p);
            break;
    }

    PREPROC_PROFILE_END(s5PerfStats);

    return;
}

/*
 * Decide whether Stream5 should look at a packet.
 *
 * Returns 1 when the packet is handed on, 0 when it is skipped.  A packet
 * is skipped when any of these holds:
 *   - frag_flag is set, or csum_flags has the CSE_IP bit;
 *   - packet_flags has PKT_REBUILT_STREAM;
 *   - IPH_IS_VALID(p) is false;
 *   - the protocol is TCP, UDP or ICMP and the matching header pointer is
 *     NULL or the matching CSE_* bit is set in csum_flags;
 *   - the protocol is anything else.
 *
 * NOTE(review): the CSE_* bits are presumably checksum-error flags set by
 * the decoder -- confirm.  Every packet skipped here gets no session
 * tracking or reassembly from Stream5, which matters when reasoning about
 * detection coverage.
 */
static INLINE int IsEligible(Packet *p)
{
    if ((p->frag_flag) || (p->csum_flags & CSE_IP))
        return 0;

    if (p->packet_flags & PKT_REBUILT_STREAM)
        return 0;

    if (!IPH_IS_VALID(p))
        return 0;

    switch(GET_IPH_PROTO(p))
    {
        case IPPROTO_TCP:
        {
             if(p->tcph == NULL)
                 return 0;

             if (p->csum_flags & CSE_TCP)
                 return 0;
        }
        break;
        case IPPROTO_UDP:
        {
             if(p->udph == NULL)
                 return 0;

             if (p->csum_flags & CSE_UDP)
                 return 0;
        }
        break;
        case IPPROTO_ICMP:
        {
             if(p->icmph == NULL)
                 return 0;

             if (p->csum_flags & CSE_ICMP)
                 return 0;
        }
        break;
        default:
            return 0;
    }

    return 1;
}

/*************************** API Implementations *******************/

/*
 * Attach application data for one protocol to a session.
 *
 * ssnptr:    session, used as a Stream5LWSession pointer; when NULL the
 *            function does nothing, so `data` is neither stored nor freed.
 * protocol:  key selecting the entry in the session's appDataList.
 * data:      pointer to store.
 * free_func: function stored with the entry; it is the one called on `data`
 *            if a later call replaces it with a different pointer.
 *
 * If an entry for `protocol` exists it is reused, otherwise a new entry is
 * allocated and inserted at the head of the list.  In both cases the
 * entry's protocol, freeFunc and dataPointer are overwritten at the end.
 */
static void Stream5SetApplicationData(
                    void *ssnptr,
                    u_int32_t protocol,
                    void *data,
                    StreamAppDataFree free_func)
{
    Stream5LWSession *ssn;
    Stream5AppData *appData = NULL;
    if (ssnptr)
    {
        ssn = (Stream5LWSession*)ssnptr;
        appData = ssn->appDataList;
        while (appData)
        {
            if (appData->protocol == protocol)
            {
                /* If changing the pointer to the data, free old one */
                if ((appData->freeFunc) && (appData->dataPointer != data))
                {
                    appData->freeFunc(appData->dataPointer);
                }
                else
                {
                    /* Same pointer, same protocol.  Go away */
                    /* NOTE(review): this branch is also taken when the stored
                     * freeFunc is NULL, even if the pointer differs; the old
                     * pointer is then overwritten below without being freed.
                     * The break leaves the loop only, so the three fields
                     * are still reassigned. */
                    break;
                }

                /* Clear the pointer that was just handed to freeFunc. */
                appData->dataPointer = NULL;
                break;
            }

            appData = appData->next;
        }

        /* If there isn't one for this protocol, allocate */
        if (!appData)
        {
            /* NOTE(review): the result is used without a NULL test and
             * appData->prev is never assigned here; presumably SnortAlloc
             * returns zeroed memory and does not return on failure --
             * confirm. */
            appData = SnortAlloc(sizeof(Stream5AppData));

            /* And add it to the list */
            if (ssn->appDataList)
            {
                ssn->appDataList->prev = appData;
            }
            appData->next = ssn->appDataList;
            ssn->appDataList = appData;
        }

        /* This will reset free_func if it already exists */
        appData->protocol = protocol;
        appData->freeFunc = free_func;
        appData->dataPointer = data;
    }
}

/*
 * Look up the application data stored for one protocol on a session.
 *
 * ssnptr:   session, used as a Stream5LWSession pointer; may be NULL.
 * protocol: key to search for in the session's appDataList.
 *
 * Returns the dataPointer of the first entry whose protocol matches, or
 * NULL when ssnptr is NULL or no entry matches.  The pointer is returned
 * as stored; nothing is copied.
 */
static void *Stream5GetApplicationData(
                    void *ssnptr,
                    u_int32_t protocol)
{
    Stream5LWSession *ssn;
    Stream5AppData *appData = NULL;
    void *data = NULL;
    if (ssnptr)
    {
        ssn = (Stream5LWSession*)ssnptr;
        appData = ssn->appDataList;
        while (appData)
        {
            if (appData->protocol == protocol)
            {
                data = appData->dataPointer;
                break;
            }
            appData = appData->next;
        }
    }
    return data;
}

/*
 * Flush-on-alert hook for a packet.  Only the opening checks are visible in
 * this listing; the rest of the function lies beyond it.
 *
 * The visible part returns 0 when STREAM5_CONFIG_FLUSH_ON_ALERT is not set
 * in s5_global_config.flags, and when p or p->ssnptr is NULL.
 */
static int Stream5AlertFlushStream(Packet *p)
{
    Stream5LWSession *ssn;

    if (!(s5_global_config.flags & STREAM5_CONFIG_FLUSH_ON_ALERT))
    {
        DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                    "Don't flush on alert from individual packet\n"););
        return 0;
    }

    if (!p || !p->ssnptr)
    {
        DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                    "Don't flush NULL packet or session\n"););
        return 0;
    }