📄 dce2_roptions.c
else if ((tok_num > DCE2_BJUMP__MIN_ARGS) && (tok_num <= DCE2_BJUMP__MAX_ARGS)) { char *arg, *argptr; /* Detach arg to get potenial sub-arg */ arg = strtok_r(token, DCE2_RTOKEN__ARG_SEP, &argptr); if (arg == NULL) { DCE2_Die("%s(%d) => %s rule option: strtok_r() returned NULL when " "str argument was not NULL.\n", *_dpd.config_file, *_dpd.config_line, DCE2_ROPT__BYTE_JUMP); } if (strcmp(arg, DCE2_RARG__RELATIVE) == 0) { bj_data->relative = 1; } else if (strcmp(arg, DCE2_RARG__ALIGN) == 0) { bj_data->align = 1; } else if (strcmp(arg, DCE2_RARG__MULTIPLIER) == 0) { char *endptr; unsigned long int multiplier; arg = strtok_r(NULL, DCE2_RTOKEN__ARG_SEP, &argptr); if (arg == NULL) { DCE2_Die("%s(%d) => %s rule option: \"%s\" requires an unsigned ", "integer argument.\n", *_dpd.config_file, *_dpd.config_line, DCE2_ROPT__BYTE_JUMP, DCE2_RARG__MULTIPLIER); } multiplier = strtoul(arg, &endptr, 10); if ((errno == ERANGE) || (*endptr != '\0') || (multiplier > UINT16_MAX)) { DCE2_Die("%s(%d) => %s rule option: \"%s\": Invalid multiplier.\n", *_dpd.config_file, *_dpd.config_line, DCE2_ROPT__BYTE_JUMP, DCE2_RARG__MULTIPLIER); } bj_data->multiplier = multiplier; } else if (strcmp(arg, DCE2_RARG__DCE_OVERRIDE) != 0) { DCE2_Die("%s(%d) => %s rule option: Invalid argument: %s.\n", *_dpd.config_file, *_dpd.config_line, DCE2_ROPT__BYTE_JUMP, arg); } } else { DCE2_Die("%s(%d) => %s rule option: Too many arguments\n", *_dpd.config_file, *_dpd.config_line, DCE2_ROPT__BYTE_JUMP); } } while ((token = strtok_r(NULL, DCE2_RTOKEN__OPT_SEP, &saveptr)) != NULL); if (tok_num < DCE2_BJUMP__MIN_ARGS) { DCE2_Die("%s(%d) => %s rule option: Not enough arguments. 
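Example => %s: "
                 "4,-4,multiplier 2,relative,align;\n",
                 *_dpd.config_file, *_dpd.config_line,
                 DCE2_ROPT__BYTE_JUMP, DCE2_ROPT__BYTE_JUMP);
    }

    *data = (void *)bj_data;

    return 1;
}

/********************************************************************
 * Function: DCE2_IfaceEval()
 *
 * Purpose: Evaluation callback for the "dce_iface" rule option.
 *  Compares the interface UUID (and, when the rule supplied an
 *  operator, the interface version) parsed from the rule against
 *  the interface recorded in the session's rule-option state
 *  (sd->ropts).
 *
 * Arguments:
 *  void * - the SFSnortPacket being evaluated
 *  const uint8_t ** - detection cursor (not used by this option)
 *  void * - the DCE2_IfaceData parsed from the rule option
 *
 * Returns:
 *  int
 *      1 if the UUIDs match and either no version operator was
 *        given (operator == DCE2_SENTINEL) or the version
 *        comparison selected by the operator holds
 *      0 if the option is not evaluated for this packet (no session
 *        data, first fragment never seen, rule limited to first
 *        fragments and this is not one, NULL option data) or the
 *        UUID / version test fails
 *
 ********************************************************************/
static int DCE2_IfaceEval(void *pkt, const uint8_t **cursor, void *data)
{
    SFSnortPacket *p = (SFSnortPacket *)pkt;
    DCE2_SsnData *sd;
    DCE2_Roptions *ropts;
    DCE2_IfaceData *iface_data;
    int cmp = 0;    /* <0, 0, >0 : session version vs. rule version */
    int ret = 0;
    PROFILE_VARS;

    PREPROC_PROFILE_START(dce2_pstat_roptions);

    DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS,
                   "Evaluating \"%s\" rule option.\n", DCE2_ROPT__IFACE);

    if (!DCE2_RoptDoEval(p))
    {
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    sd = (DCE2_SsnData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_DCE2);
    if (sd == NULL)
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "No session data - not evaluating.\n");
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    ropts = &sd->ropts;

    /* Rule-option state is not populated until a first fragment has
     * been seen on the session; nothing to compare against yet. */
    if (ropts->first_frag == DCE2_SENTINEL)
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "First frag not set - not evaluating.\n");
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    iface_data = (DCE2_IfaceData *)data;
    if (iface_data == NULL)
    {
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    /* A rule that did not ask for any fragment only fires on first
     * fragments. */
    if (!iface_data->any_frag && !ropts->first_frag)
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS,
                       "Not a first fragment and rule set to only look at first fragment.\n");
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    /* NOTE(review): if DCE2_UuidToStr() hands back a static buffer, both
     * %s below print the same text; debug output only, harmless. */
    DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Comparing \"%s\" to \"%s\"\n",
                   DCE2_UuidToStr(&ropts->iface, DCERPC_BO_FLAG__NONE),
                   DCE2_UuidToStr(&iface_data->iface, DCERPC_BO_FLAG__NONE));

    if (DCE2_UuidCompare((void *)&ropts->iface, (void *)&iface_data->iface) != 0)
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Uuids don't match\n");
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    /* No version operator in the rule: the UUID match is the whole test. */
    if (iface_data->operator == DCE2_SENTINEL)
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "\"%s\" Match\n", DCE2_ROPT__IFACE);
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 1;
    }

    /* Pick the version fields the operator applies to and compare them
     * once.  Over TCP, when the rule supplied a major version, only the
     * major versions are compared; otherwise the full version values are.
     * The operand expressions are the same ones used per-operator before,
     * so signed/unsigned promotion behaves exactly as it did. */
    if (IsTCP(p) && (iface_data->iface_vers_maj != DCE2_SENTINEL))
    {
        if ((int)ropts->iface_vers_maj < iface_data->iface_vers_maj)
            cmp = -1;
        else if ((int)ropts->iface_vers_maj > iface_data->iface_vers_maj)
            cmp = 1;
    }
    else
    {
        if (ropts->iface_vers < iface_data->iface_vers)
            cmp = -1;
        else if (ropts->iface_vers > iface_data->iface_vers)
            cmp = 1;
    }

    switch (iface_data->operator)
    {
        case DCE2_IF_OP__LT:
            ret = (cmp < 0);
            break;

        case DCE2_IF_OP__EQ:
            ret = (cmp == 0);
            break;

        case DCE2_IF_OP__GT:
            ret = (cmp > 0);
            break;

        case DCE2_IF_OP__NE:
            ret = (cmp != 0);
            break;

        default:
            /* Unknown operator: never matches. */
            break;
    }

    PREPROC_PROFILE_END(dce2_pstat_roptions);
    return ret;
}

/********************************************************************
 * Function: DCE2_OpnumEval()
 *
 * Purpose: Evaluation callback for the "dce_opnum" rule option.
 *  Tests the operation number recorded for the session
 *  (ropts->opnum) against the single value or the value set parsed
 *  from the rule.
 *
 * Arguments:
 *  void * - the SFSnortPacket being evaluated
 *  const uint8_t ** - detection cursor (not used by this option)
 *  void * - the DCE2_OpnumData parsed from the rule option; its
 *           type field says whether it is a DCE2_OpnumSingle or a
 *           DCE2_OpnumMultiple
 *
 * Returns:
 *  int
 *      1 if the session opnum equals the rule's single opnum, or is
 *        set in the rule's opnum mask (DCE2_OpnumIsSet)
 *      0 if the option is not evaluated (no session data, no opnum
 *        recorded yet, NULL option data), the opnum does not match,
 *        or the option data has an unknown type (logged)
 *
 ********************************************************************/
static int DCE2_OpnumEval(void *pkt, const uint8_t **cursor, void *data)
{
    SFSnortPacket *p = (SFSnortPacket *)pkt;
    DCE2_OpnumData *opnum_data = (DCE2_OpnumData *)data;
    DCE2_SsnData *sd;
    DCE2_Roptions *ropts;
    int ret = 0;
    PROFILE_VARS;

    PREPROC_PROFILE_START(dce2_pstat_roptions);

    DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS,
                   "Evaluating \"%s\" rule option.\n", DCE2_ROPT__OPNUM);

    if (!DCE2_RoptDoEval(p))
    {
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    sd = (DCE2_SsnData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_DCE2);
    if (sd == NULL)
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "No session data - not evaluating.\n");
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    ropts = &sd->ropts;

    if (ropts->opnum == DCE2_SENTINEL)
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Opnum not set - not evaluating.\n");
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    /* Guard the option data before reading opnum_data->type, the same
     * way DCE2_IfaceEval guards its option data. */
    if (opnum_data == NULL)
    {
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    switch (opnum_data->type)
    {
        case DCE2_OPNUM_TYPE__SINGLE:
        {
            DCE2_OpnumSingle *osingle = (DCE2_OpnumSingle *)opnum_data;

            DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Rule opnum: %u, ropts opnum: %u\n",
                           osingle->opnum, ropts->opnum);

            if (ropts->opnum == osingle->opnum)
                ret = 1;
        }
        break;

        case DCE2_OPNUM_TYPE__MULTIPLE:
        {
            DCE2_OpnumMultiple *omult = (DCE2_OpnumMultiple *)opnum_data;

            DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Multiple opnums: ropts opnum: %u\n",
                           ropts->opnum);

            /* NOTE(review): the cast assumes ropts->opnum fits in 16 bits;
             * a larger value would be truncated before the mask lookup -
             * confirm the range the preprocessor stores. */
            if (DCE2_OpnumIsSet(omult->mask, omult->opnum_lo, omult->opnum_hi,
                                (uint16_t)ropts->opnum))
                ret = 1;
        }
        break;

        default:
            DCE2_Log("%s(%d) => Invalid opnum type\n", __FILE__, __LINE__);
            break;
    }

    if (ret)
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "\"%s\" Match\n", DCE2_ROPT__OPNUM);
    }
    else
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "\"%s\" Fail\n", DCE2_ROPT__OPNUM);
    }

    PREPROC_PROFILE_END(dce2_pstat_roptions);
    return ret;
}

/********************************************************************
 * Function: DCE2_StubDataEval()
 *
 * Purpose: Evaluation callback for the "dce_stub_data" rule option.
 *  Moves the detection cursor to the stub data pointer the
 *  preprocessor recorded for the session (ropts->stub_data) so that
 *  subsequent relative options can operate on it.
 *
 *  NOTE(review): only a pointer is handed over, no length.  Nothing
 *  here checks that stub_data lies inside the buffer being scanned
 *  for the current packet; options that read from the cursor must
 *  bound themselves against the end of that buffer.
 *
 * Arguments:
 *  void * - the SFSnortPacket being evaluated
 *  const uint8_t ** - detection cursor; set to ropts->stub_data on
 *                     success, left untouched otherwise
 *  void * - option data (not used)
 *
 * Returns:
 *  int
 *      1 if stub data was recorded for the session and the cursor
 *        was moved to it
 *      0 if the option is not evaluated, there is no session data,
 *        or no stub data was recorded
 *
 ********************************************************************/
static int DCE2_StubDataEval(void *pkt, const uint8_t **cursor, void *data)
{
    SFSnortPacket *p = (SFSnortPacket *)pkt;
    DCE2_SsnData *sd;
    const uint8_t *stub;
    int ret = 0;
    PROFILE_VARS;

    PREPROC_PROFILE_START(dce2_pstat_roptions);

    DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS,
                   "Evaluating \"%s\" rule option.\n", DCE2_ROPT__STUB_DATA);

    if (!DCE2_RoptDoEval(p))
    {
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    sd = (DCE2_SsnData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_DCE2);
    if (sd == NULL)
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "No session data - not evaluating.\n");
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    stub = sd->ropts.stub_data;
    if (stub != NULL)
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Setting cursor to stub data: %p.\n", stub);
        *cursor = stub;
        ret = 1;
    }

    PREPROC_PROFILE_END(dce2_pstat_roptions);
    return ret;
}

/********************************************************************
 * Function:
 *
 * Purpose:
 *
 * Arguments:
 *
 * Returns:
 *
 ********************************************************************/
static int DCE2_ByteTestEval(void *pkt, const uint8_t **cursor, void *data)
{
    SFSnortPacket *p = (SFSnortPacket *)pkt;
    DCE2_SsnData *sd;
    DCE2_Roptions *ropts;
    DCE2_ByteTestData *bt_data;
    const uint8_t *bt_ptr;
    uint32_t pkt_value;
    DceRpcBoFlag byte_order;
    int ret = 0;
    PROFILE_VARS;

    PREPROC_PROFILE_START(dce2_pstat_roptions);

    DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS,
                   "Evaluating \"%s\" rule option.\n", DCE2_ROPT__BYTE_TEST);

    if (*cursor == NULL)
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Cursor is NULL - not evaluating.\n");
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    if (!DCE2_RoptDoEval(p))
    {
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    sd = (DCE2_SsnData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_DCE2);
    if (sd == NULL)
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "No session data - not evaluating.\n");
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    ropts = &sd->ropts;

    if ((ropts->data_byte_order == DCE2_SENTINEL) || (ropts->hdr_byte_order == DCE2_SENTINEL)) {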