DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Data byte order or header byte order not set " "in rule options - not evaluating.\n"); PREPROC_PROFILE_END(dce2_pstat_roptions); return 0; } bt_data = (DCE2_ByteTestData *)data; if (bt_data == NULL) { PREPROC_PROFILE_END(dce2_pstat_roptions); return 0; } /* Make sure we don't read past the end of the payload or before * beginning of payload */ if (bt_data->relative) { if ((bt_data->offset < 0) && (*cursor + bt_data->offset) < p->payload) { DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Offset is negative and puts cursor before beginning " "of payload - not evaluating.\n"); PREPROC_PROFILE_END(dce2_pstat_roptions); return 0; } if ((*cursor + bt_data->offset + bt_data->num_bytes) > (p->payload + p->payload_size)) { DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Offset plus number of bytes to read puts cursor past end " "of payload - not evaluating.\n"); PREPROC_PROFILE_END(dce2_pstat_roptions); return 0; } bt_ptr = *cursor + bt_data->offset; } else { if (bt_data->offset < 0) { DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Offset is negative but is not relative - not evaluating.\n"); PREPROC_PROFILE_END(dce2_pstat_roptions); return 0; } else if ((p->payload + bt_data->offset + bt_data->num_bytes) > (p->payload + p->payload_size)) { DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Offset plus number of bytes to read puts cursor past end " "of payload - not evaluating.\n"); PREPROC_PROFILE_END(dce2_pstat_roptions); return 0; } bt_ptr = p->payload + bt_data->offset; } /* Determine which byte order to use */ if (ropts->stub_data == NULL) { DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Stub data is NULL. Setting byte order to that of the header.\n"); byte_order = (DceRpcBoFlag)ropts->hdr_byte_order; } else if (bt_ptr < ropts->stub_data) { DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Reading data in the header. Setting byte order to that of the header.\n"); byte_order = (DceRpcBoFlag)ropts->hdr_byte_order; } else { DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Reading data in the stub. 
Setting byte order to that of the stub data.\n"); byte_order = (DceRpcBoFlag)ropts->data_byte_order; } /* Get the value */ switch (bt_data->num_bytes) { case 1: pkt_value = *((uint8_t *)bt_ptr); DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Got 1 byte: %u.\n", pkt_value); break; case 2: pkt_value = DceRpcNtohs(*((uint16_t *)bt_ptr), byte_order); DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Got 2 bytes: %u.\n", pkt_value); break; case 4: pkt_value = DceRpcNtohl(*((uint32_t *)bt_ptr), byte_order); DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Got 4 bytes: %u.\n", pkt_value); break; default: PREPROC_PROFILE_END(dce2_pstat_roptions); return 0; } /* Invert the return value if necessary */ if (bt_data->invert) { DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Applying not flag.\n"); ret ^= 1; } switch (bt_data->operator) { case DCE2_BT_OP__LT: if (pkt_value < bt_data->value) { DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Packet value (%u) < Option value (%u).\n", pkt_value, bt_data->value); ret ^= 1; } break; case DCE2_BT_OP__EQ: if (pkt_value == bt_data->value) { DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Packet value (%u) == Option value (%u).\n", pkt_value, bt_data->value); ret ^= 1; } break; case DCE2_BT_OP__GT: if (pkt_value > bt_data->value) { DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Packet value (%u) > Option value (%u).\n", pkt_value, bt_data->value); ret ^= 1; } break; case DCE2_BT_OP__AND: if (pkt_value & bt_data->value) { DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Packet value (%08x) & Option value (%08x).\n", pkt_value, bt_data->value); ret ^= 1; } break; case DCE2_BT_OP__XOR: if (pkt_value ^ bt_data->value) { DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Packet value (%08x) ^ Option value (%08x).\n", pkt_value, bt_data->value); ret ^= 1; } break; default: PREPROC_PROFILE_END(dce2_pstat_roptions); return 0; }#ifdef DEBUG if (ret) { DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "\"%s\" Match.\n", DCE2_ROPT__BYTE_TEST); } else { DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "\"%s\" Fail.\n", DCE2_ROPT__BYTE_TEST); }#endif 
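PREPROC_PROFILE_END(dce2_pstat_roptions); return ret;}

/********************************************************************
 * Function: DCE2_RoptLoadU16()
 *
 * Purpose: Copies a 16 bit value out of packet data one byte at a
 *  time.  Rule option offsets are arbitrary, so the source pointer
 *  is frequently not 2 byte aligned; dereferencing it through a
 *  uint16_t pointer is undefined behaviour and faults on strict
 *  alignment targets.  The result is in host byte order, exactly
 *  as a direct load would be, so the DceRpcNtohs() conversion the
 *  callers apply afterwards is unchanged.
 *
 * Arguments:
 *  const uint8_t *
 *      Pointer to at least 2 readable bytes.
 *
 * Returns:
 *  uint16_t
 *      The 2 bytes as laid out in memory (host byte order).
 *
 ********************************************************************/
static INLINE uint16_t DCE2_RoptLoadU16(const uint8_t *src)
{
    uint16_t value;
    uint8_t *dst = (uint8_t *)&value;

    dst[0] = src[0];
    dst[1] = src[1];

    return value;
}

/********************************************************************
 * Function: DCE2_RoptLoadU32()
 *
 * Purpose: Same as DCE2_RoptLoadU16() for a 32 bit value: an
 *  alignment-safe, host byte order load of 4 packet bytes.
 *
 * Arguments:
 *  const uint8_t *
 *      Pointer to at least 4 readable bytes.
 *
 * Returns:
 *  uint32_t
 *      The 4 bytes as laid out in memory (host byte order).
 *
 ********************************************************************/
static INLINE uint32_t DCE2_RoptLoadU32(const uint8_t *src)
{
    uint32_t value;
    uint8_t *dst = (uint8_t *)&value;

    dst[0] = src[0];
    dst[1] = src[1];
    dst[2] = src[2];
    dst[3] = src[3];

    return value;
}

/********************************************************************
 * Function: DCE2_ByteJumpEval()
 *
 * Purpose: Rule option evaluation callback for the "byte_jump"
 *  option.  Reads a 1, 2 or 4 byte value at the configured offset
 *  (relative to the detection cursor or to the start of the
 *  payload), converts it using the header or stub byte order
 *  recorded for the session, applies the optional multiplier and
 *  4 byte alignment, and moves the cursor forward by that many
 *  bytes past the value that was read.
 *
 *  All positions are validated as byte counts against the payload
 *  size before any pointer is formed.  The jump distance is checked
 *  against the bytes remaining, so an attacker-controlled value
 *  read from the packet cannot wrap pointer arithmetic around the
 *  bounds check, and multiplication/alignment that would overflow
 *  the 32 bit jump value is treated as a failed jump rather than
 *  silently wrapping to a small one.
 *
 * Arguments:
 *  void *
 *      Pointer to the packet (SFSnortPacket) being evaluated.
 *  const uint8_t **
 *      Pointer to the detection cursor; updated only on a match.
 *  void *
 *      Pointer to the DCE2_ByteJumpData parsed from the rule.
 *
 * Returns:
 *  int
 *      1 if the jump succeeded and the cursor was moved.
 *      0 if the option does not apply to this packet, any bound
 *        check fails, or the jump would leave the payload.
 *
 ********************************************************************/
static int DCE2_ByteJumpEval(void *pkt, const uint8_t **cursor, void *data)
{
    SFSnortPacket *p = (SFSnortPacket *)pkt;
    DCE2_SsnData *sd;
    DCE2_Roptions *ropts;
    DCE2_ByteJumpData *bj_data;
    const uint8_t *bj_ptr;
    ptrdiff_t pos;
    size_t start;
    size_t width;
    size_t remaining;
    uint32_t jmp_value;
    uint32_t mult;
    uint32_t pad;
    DceRpcBoFlag byte_order;
    PROFILE_VARS;

    PREPROC_PROFILE_START(dce2_pstat_roptions);

    DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS,
                   "Evaluating \"%s\" rule option.\n", DCE2_ROPT__BYTE_JUMP);

    if (*cursor == NULL)
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Cursor is NULL - not evaluating.\n");
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    if (!DCE2_RoptDoEval(p))
    {
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    sd = (DCE2_SsnData *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_DCE2);
    if (sd == NULL)
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "No session data - not evaluating.\n");
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    ropts = &sd->ropts;

    /* Without both byte orders the multi-byte value cannot be interpreted. */
    if ((ropts->data_byte_order == DCE2_SENTINEL) ||
        (ropts->hdr_byte_order == DCE2_SENTINEL))
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS,
                       "Data byte order or header byte order not set "
                       "in rule options - not evaluating.\n");
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    bj_data = (DCE2_ByteJumpData *)data;
    if (bj_data == NULL)
    {
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    /* Resolve where the value lives as a byte offset into the payload.
     * The checks are done on integers rather than by forming a pointer
     * and comparing it: a pointer outside the payload is undefined
     * behaviour, and on a 32 bit host a large offset can wrap such a
     * pointer back inside the buffer and defeat the comparison. */
    if (bj_data->relative)
    {
        pos = (*cursor - p->payload) + bj_data->offset;
        if (pos < 0)
        {
            DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS,
                           "Offset is negative and puts cursor before beginning "
                           "of payload - not evaluating.\n");
            PREPROC_PROFILE_END(dce2_pstat_roptions);
            return 0;
        }
        start = (size_t)pos;
    }
    else
    {
        if (bj_data->offset < 0)
        {
            DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS,
                           "Offset is negative but is not relative - not evaluating.\n");
            PREPROC_PROFILE_END(dce2_pstat_roptions);
            return 0;
        }
        start = (size_t)bj_data->offset;
    }

    /* Split comparison avoids overflow in start + width; num_bytes is
     * restricted to 1, 2 or 4 by the switch below before it is used as
     * a read length. */
    width = (size_t)bj_data->num_bytes;
    if ((start > p->payload_size) || (width > p->payload_size - start))
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS,
                       "Offset plus number of bytes to read puts cursor past end "
                       "of payload - not evaluating.\n");
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    bj_ptr = p->payload + start;

    /* Determine which byte order to use: values that lie before the stub
     * data belong to the DCE/RPC header and use the header's order. */
    if (ropts->stub_data == NULL)
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS,
                       "Stub data is NULL.  Setting byte order to that of the header.\n");
        byte_order = (DceRpcBoFlag)ropts->hdr_byte_order;
    }
    else if (bj_ptr < ropts->stub_data)
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS,
                       "Reading data in the header.  Setting byte order to that of the header.\n");
        byte_order = (DceRpcBoFlag)ropts->hdr_byte_order;
    }
    else
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS,
                       "Reading data in the stub.  Setting byte order to that of the stub data.\n");
        byte_order = (DceRpcBoFlag)ropts->data_byte_order;
    }

    /* Get the value.  bj_ptr is at an arbitrary rule-specified offset and
     * so may be unaligned; the helpers load it byte by byte. */
    switch (bj_data->num_bytes)
    {
        case 1:
            jmp_value = *bj_ptr;
            DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Got 1 byte: %u.\n", jmp_value);
            break;
        case 2:
            jmp_value = DceRpcNtohs(DCE2_RoptLoadU16(bj_ptr), byte_order);
            DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Got 2 bytes: %u.\n", jmp_value);
            break;
        case 4:
            jmp_value = DceRpcNtohl(DCE2_RoptLoadU32(bj_ptr), byte_order);
            DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Got 4 bytes: %u.\n", jmp_value);
            break;
        default:
            PREPROC_PROFILE_END(dce2_pstat_roptions);
            return 0;
    }

    if (bj_data->multiplier != DCE2_SENTINEL)
    {
        mult = (uint32_t)bj_data->multiplier;

        /* A product that wraps the 32 bit jump value would turn a huge
         * (and therefore failing) jump into a small accepted one. */
        if ((mult != 0) && (jmp_value > UINT32_MAX / mult))
        {
            DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS,
                           "\"%s\" Fail.  Multiplied jump value overflows.\n",
                           DCE2_ROPT__BYTE_JUMP);
            PREPROC_PROFILE_END(dce2_pstat_roptions);
            return 0;
        }

        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Applying multiplier: %u * %u = %u.\n",
                       jmp_value, mult, jmp_value * mult);
        jmp_value *= mult;
    }

    if (bj_data->align && (jmp_value & 3))
    {
        pad = 4 - (jmp_value & 3);

        /* Rounding up must not wrap either. */
        if (jmp_value > UINT32_MAX - pad)
        {
            DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS,
                           "\"%s\" Fail.  Aligned jump value overflows.\n",
                           DCE2_ROPT__BYTE_JUMP);
            PREPROC_PROFILE_END(dce2_pstat_roptions);
            return 0;
        }

        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "Aligning to 4 byte boundary: %u => %u.\n",
                       jmp_value, jmp_value + pad);
        jmp_value += pad;
    }

    /* Bytes left after the value itself.  The cursor must land strictly
     * inside the payload; compare counts, never a pointer that may have
     * been pushed past the buffer by a packet-controlled jump. */
    remaining = p->payload_size - (start + width);
    if (jmp_value >= remaining)
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS,
                       "\"%s\" Fail.  Jump puts us past end of payload.\n",
                       DCE2_ROPT__BYTE_JUMP);
        PREPROC_PROFILE_END(dce2_pstat_roptions);
        return 0;
    }

    *cursor = bj_ptr + width + jmp_value;

    DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS, "\"%s\" Match.\n", DCE2_ROPT__BYTE_JUMP);

    PREPROC_PROFILE_END(dce2_pstat_roptions);
    return 1;
}

/********************************************************************
 * Function: DCE2_RoptDoEval()
 *
 * Purpose: Common precondition for every DCE2 rule option: the
 *  packet must carry a payload, belong to a tracked stream session
 *  and be TCP or UDP.  Anything else is not something the
 *  preprocessor has parsed, so there is no session state to
 *  evaluate the option against.
 *
 * Arguments:
 *  SFSnortPacket *
 *      Pointer to the packet being evaluated.
 *
 * Returns:
 *  int
 *      1 if the rule options should be evaluated for this packet.
 *      0 otherwise.
 *
 ********************************************************************/
static INLINE int DCE2_RoptDoEval(SFSnortPacket *p)
{
    if ((p->payload_size == 0) ||
        (p->stream_session_ptr == NULL) ||
        (!IsTCP(p) && !IsUDP(p)))
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__ROPTIONS,
                       "No payload or no session pointer or "
                       "not TCP or UDP - not evaluating.\n");
        return 0;
    }

    return 1;
}

/********************************************************************
 * Function: DCE2_IfaceCleanup()
 *
 * Purpose: Frees the DCE2_IfaceData allocated for a parsed
 *  "dce_iface" rule option, returning the bytes to the rule option
 *  memory accounting.  A NULL pointer is ignored.
 *
 * Arguments:
 *  void *
 *      Pointer to the DCE2_IfaceData to free (may be NULL).
 *
 * Returns: None
 *
 ********************************************************************/
static void DCE2_IfaceCleanup(void *data)
{
    if (data == NULL)
        return;

    /* sizeof yields size_t; cast so the argument matches %u. */
    DCE2_DEBUG_MSG(DCE2_DEBUG__MEMORY,
                   "Cleaning Iface data: %u bytes.\n", (unsigned)sizeof(DCE2_IfaceData));

    DCE2_Free(data, sizeof(DCE2_IfaceData), DCE2_MEM_TYPE__ROPTION);
}

/******************************************************************** * Function: * * Purpose: * * Arguments: * * Returns: * ****************************************************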