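}   /* closes a block of DecodeContentPattern() that begins before this excerpt */
            }
        }
        else
        {
            if(*pat_idx != ' ')
            {
                DynamicEngineFatalMessage("What is this \"%c\"(0x%X) doing in your "
                                          "binary buffer for dynamic rule [%d:%d]? "
                                          "Valid hex values only please! "
                                          "(0x0 - 0xF) Position: %d\n",
                                          (char) *pat_idx, (char) *pat_idx,
                                          rule->info.genID, rule->info.sigID,
                                          char_count);
            }
        }
    }
    else
    {
        if(*pat_idx >= 0x1F && *pat_idx <= 0x7e)
        {
            if(raw_idx < raw_end)
            {
                tmp_buf[tmp_len] = pat_begin[char_count];
                tmp_len++;
            }
            else
            {
                DynamicEngineFatalMessage("ParsePattern() buffer overflow in "
                                          "dynamic rule [%d:%d]!\n",
                                          rule->info.genID, rule->info.sigID);
            }
            if(escaped)
            {
                escaped = 0;
            }
        }
        else
        {
            if(escaped)
            {
                tmp_buf[tmp_len] = pat_begin[char_count];
                tmp_len++;
                DEBUG_WRAP(DebugMessage(DEBUG_PARSER, "Clearing literal\n"););
                escaped = 0;
            }
            else
            {
                DynamicEngineFatalMessage("character value out of range, try a "
                                          "binary buffer for dynamic rule [%d:%d]\n",
                                          rule->info.genID, rule->info.sigID);
            }
        }
    }
    break;
    }
    raw_idx++;
    pat_idx++;
    char_count++;
    }

    /* Now, tmp_buf contains the decoded ascii & raw binary from the patter */
    content->patternByteForm = (u_int8_t *)calloc(tmp_len, sizeof(u_int8_t));
    if (content->patternByteForm == NULL)
    {
        DynamicEngineFatalMessage("Failed to allocate memory\n");
    }
    memcpy(content->patternByteForm, tmp_buf, tmp_len);
    content->patternByteFormLength = tmp_len;

    return 0;
}

/**
 * Length of the shortest leading segment after which the pattern repeats
 * itself; stored as the content's incrementLength (the search-window
 * advance used after a match).
 *
 * Scans for a suffix of data that equals a prefix of it.  If the run of
 * matching bytes reaches the last byte, the index at which that run
 * started is the repeat length.  A mismatch restarts the comparison at
 * the prefix without re-testing the current byte, so the result can be
 * larger than the true minimal period (e.g. "abaa" yields 4 although 3
 * would also be a valid repeat length) -- it is conservative, never too
 * small.
 *
 * @param data      pattern bytes (not NUL-terminated)
 * @param data_len  number of bytes in data
 * @return repeat length in bytes; data_len when no repetition is found,
 *         0 for an empty pattern
 */
static unsigned int getNonRepeatingLength(char *data, int data_len)
{
    int pos;
    int match_len = 0;   /* bytes of the prefix matched by the current run */

    for (pos = 1; pos < data_len; pos++)
    {
        if (data[match_len] != data[pos])
        {
            match_len = 0;
            continue;
        }
        if (pos == (data_len - 1))
        {
            /* The run started at pos - match_len == data_len - 1 - match_len. */
            return (unsigned int)(data_len - match_len - 1);
        }
        match_len++;
    }

    return (unsigned int)data_len;
}

/**
 * Prepare every option of a dynamic rule and, optionally, hand the rule
 * to Snort.
 *
 * Content options get their pattern decoded and their Boyer-Moore state
 * built; PCRE, flowbit, header-check, byte_extract, loop and preprocessor
 * options get their respective initialisation.  The first option that
 * fails (non-zero result from ValidateHeaderCheck, ByteExtractInitialize,
 * LoopInfoInitialize or the preprocessor option callbacks) aborts the
 * rule: rule->initialized is cleared and that result is returned.
 *
 * If no content option carries CONTENT_FAST_PATTERN, the longest
 * non-negated content is promoted to the fast pattern.
 *
 * @param rule          rule to set up; rule->initialized and
 *                      rule->numOptions are written on success
 * @param registerRule  non-zero to register the rule with Snort via
 *                      _ded.ruleRegister once the options are prepared
 * @return 0 on success, otherwise the non-zero result of the failing
 *         option initialiser
 */
int RegisterOneRule(Rule *rule, int registerRule)
{
    int i;
    int fpContentFlags = 0;
    int result;
    RuleOption *option;
    unsigned long longestContent = 0;
    int longestContentIndex = -1;

    for (i = 0; rule->options[i] != NULL; i++)
    {
        option = rule->options[i];
        switch (option->optionType)
        {
            case OPTION_TYPE_CONTENT:
            {
                ContentInfo *content = option->option_u.content;

                DecodeContentPattern(rule, content);
                BoyerContentSetup(rule, content);
                content->incrementLength =
                    getNonRepeatingLength((char *)content->patternByteForm,
                                          content->patternByteFormLength);

                /* Negated contents are never fast-pattern candidates. */
                if (!(content->flags & NOT_FLAG))
                {
                    if (content->flags & CONTENT_FAST_PATTERN)
                    {
                        if (content->flags & (CONTENT_BUF_URI | CONTENT_BUF_POST |
                                              CONTENT_BUF_HEADER | CONTENT_BUF_METHOD))
                            fpContentFlags |= FASTPATTERN_URI;
                        else
                            fpContentFlags |= FASTPATTERN_NORMAL;
                    }

                    /* Remember the longest content as the fallback fast pattern. */
                    if (content->patternByteFormLength > longestContent)
                    {
                        longestContent = content->patternByteFormLength;
                        longestContentIndex = i;
                    }
                }
            }
            break;

            case OPTION_TYPE_PCRE:
            {
                PCREInfo *pcre = option->option_u.pcre;

                /* NOTE(review): a non-zero PCRESetup() result is not propagated
                 * and the rule is still registered below -- confirm that
                 * PCRESetup() reports or aborts on failure itself. */
                if (PCRESetup(rule, pcre))
                {
                    break;
                }
            }
            break;

            case OPTION_TYPE_FLOWBIT:
            {
                FlowBitsInfo *flowbits = option->option_u.flowBit;

                flowbits->id = _ded.flowbitRegister(flowbits->flowBitsName, 0);
                if (flowbits->operation & FLOWBIT_NOALERT)
                    rule->noAlert = 1;
            }
            break;

            case OPTION_TYPE_ASN1:
                /* Call asn1_init_mem(512); if linking statically to asn source */
                break;

            case OPTION_TYPE_HDR_CHECK:
            {
                HdrOptCheck *optData = option->option_u.hdrData;

                result = ValidateHeaderCheck(rule, optData);
                if (result)
                {
                    /* Don't initialize this rule */
                    rule->initialized = 0;
                    return result;
                }
            }
            break;

            case OPTION_TYPE_BYTE_EXTRACT:
            {
                ByteExtract *extractData = option->option_u.byteExtract;

                result = ByteExtractInitialize(rule, extractData);
                if (result)
                {
                    /* Don't initialize this rule */
                    rule->initialized = 0;
                    return result;
                }
            }
            break;

            case OPTION_TYPE_LOOP:
            {
                LoopInfo *loopInfo = option->option_u.loop;

                result = LoopInfoInitialize(rule, loopInfo);
                if (result)
                {
                    /* Don't initialize this rule */
                    rule->initialized = 0;
                    return result;
                }
                loopInfo->initialized = 1;
            }
            break;

            case OPTION_TYPE_PREPROCESSOR:
            {
                PreprocessorOption *preprocOpt = option->option_u.preprocOpt;
                PreprocOptionInit optionInit;

                /* Resolve the preprocessor's init/eval callbacks by option name. */
                result = _ded.getPreprocOptFuncs(preprocOpt->optionName,
                                                 &preprocOpt->optionInit,
                                                 &preprocOpt->optionEval);
                if (result)
                {
                    /* Don't initialize this rule */
                    rule->initialized = 0;
                    return result;
                }

                optionInit = (PreprocOptionInit)preprocOpt->optionInit;
                result = optionInit(preprocOpt->optionName,
                                    preprocOpt->optionParameters,
                                    &preprocOpt->dataPtr);
                if (result)
                {
                    /* Don't initialize this rule */
                    rule->initialized = 0;
                    return result;
                }
            }
            break;

            case OPTION_TYPE_BYTE_TEST:
            case OPTION_TYPE_BYTE_JUMP:
            default:
                /* nada */
                break;
        }
    }

    /* If no options were marked as the fast pattern,
     * use the longest one we found. */
    if ((fpContentFlags == 0) && (longestContentIndex != -1))
    {
        option = rule->options[longestContentIndex];

        /* Just to be safe, make sure this is a content option */
        if (option->optionType == OPTION_TYPE_CONTENT)
        {
            ContentInfo *content = option->option_u.content;

            if (content->flags & (CONTENT_BUF_URI | CONTENT_BUF_POST))
                fpContentFlags |= FASTPATTERN_URI;
            else
                fpContentFlags |= FASTPATTERN_NORMAL;

            content->flags |= CONTENT_FAST_PATTERN;
        }
    }

    if (registerRule)
    {
        /* Allocate an OTN and link it in with snort */
        _ded.ruleRegister(rule->info.sigID, rule->info.genID, (void *)rule,
                          &CheckRule, &HasOption, fpContentFlags, &GetFPContent);
    }

    rule->initialized = 1;

    /* Index less one since we've iterated through them already */
    rule->numOptions = i;

    return 0;
}

#define TCP_STRING "tcp"
#define UDP_STRING "udp"
#define ICMP_STRING "icmp"
#define IP_STRING "ip"

/**
 * Rule-language keyword for an IP protocol number.
 *
 * @param protocol  IPPROTO_* value from the rule header
 * @return "tcp", "udp" or "icmp" for the matching IPPROTO_* constant,
 *         "ip" for anything else.  The pointer refers to a string
 *         literal and must not be modified or freed.
 */
char *GetProtoString(int protocol)
{
    switch (protocol)
    {
        case IPPROTO_TCP:
            return TCP_STRING;
        case IPPROTO_UDP:
            return UDP_STRING;
        case IPPROTO_ICMP:
            return ICMP_STRING;
        default:
            break;
    }

    return IP_STRING;
}

/**
 * Write one rule as a Snort rule-language skeleton line
 * ("alert <proto> <src> <sport> <dir> <dst> <dport> (msg; sid; gid; rev;
 * [classtype;] [priority;] [reference;...] metadata ...;)").
 *
 * The message, classification and metadata strings are emitted verbatim;
 * a message containing a double quote would break the generated line.
 *
 * @param fp    open, writable stream
 * @param rule  rule to print; nothing is modified
 * @return 0 (fprintf() results are not checked)
 */
static int DumpRule(FILE *fp, Rule *rule)
{
    RuleReference *ref;
    RuleMetaData *meta;
    int i;

    fprintf(fp, "alert %s %s %s %s %s %s ",
            GetProtoString(rule->ip.protocol),
            rule->ip.src_addr, rule->ip.src_port,
            rule->ip.direction == 0 ? "->" : "<>",
            rule->ip.dst_addr, rule->ip.dst_port);

    fprintf(fp, "(msg:\"%s\"; ", rule->info.message);
    fprintf(fp, "sid:%d; ", rule->info.sigID);
    fprintf(fp, "gid:%d; ", rule->info.genID);
    fprintf(fp, "rev:%d; ", rule->info.revision);

    if (rule->info.classification != NULL)
        fprintf(fp, "classtype:%s; ", rule->info.classification);

    if (rule->info.priority != 0)
        fprintf(fp, "priority:%d; ", rule->info.priority);

    if (rule->info.references)
    {
        for (i = 0, ref = rule->info.references[i];
             ref != NULL;
             i++, ref = rule->info.references[i])
        {
            fprintf(fp, "reference:%s,%s; ", ref->systemName, ref->refIdentifier);
        }
    }

    /* soid ties the skeleton back to the shared-object rule it stands for. */
    fprintf(fp, "metadata: engine shared, soid %d|%d",
            rule->info.genID, rule->info.sigID);

    if (rule->info.meta)
    {
        for (i = 0, meta = rule->info.meta[i];
             meta != NULL;
             i++, meta = rule->info.meta[i])
        {
            fprintf(fp, ", %s", meta->data);
        }
    }

    fprintf(fp, ";)\n");

    return 0;
}

/**
 * Register every not-yet-initialised rule of a NULL-terminated list with
 * Snort.
 *
 * Per-rule failures from RegisterOneRule() are not propagated; a rule that
 * failed keeps initialized == 0.
 *
 * @param rules  NULL-terminated array of rule pointers
 * @return 0
 */
ENGINE_LINKAGE int RegisterRules(Rule **rules)
{
    int i;

    for (i = 0; rules[i] != NULL; i++)
    {
        if (rules[i]->initialized == 0)
        {
            RegisterOneRule(rules[i], REGISTER_RULE);
        }
    }

    return 0;
}

/**
 * Write skeleton rules for a NULL-terminated rule list to
 * "<dataDumpDirectory><DIR_SEP><rulesFileName>.rules".
 *
 * rulesFileName is joined into the path as given; this function does not
 * reject directory separators or ".." in it, so callers must pass a bare
 * file name (NOTE(review): confirm how callers derive it).
 *
 * @param rulesFileName  base name of the output file, without extension
 * @param rules          NULL-terminated array of rule pointers
 * @return 0 on success; -1 if the path would not fit in PATH_MAX
 *         characters, if formatting it failed or truncated, if the file
 *         could not be opened for writing, or if closing (flushing) it
 *         failed
 */
ENGINE_LINKAGE int DumpRules(char *rulesFileName, Rule **rules)
{
    FILE *ruleFP;
    char ruleFile[PATH_MAX+1];
    int i;
    int written;
#ifndef WIN32
#define DIR_SEP "/"
#else
#define DIR_SEP "\\"
#define snprintf _snprintf
#endif

    /* The full path must fit in PATH_MAX characters; ruleFile has one extra
     * byte for the terminator, so a PATH_MAX-character path is allowed. */
    ruleFile[0] = '\0';
    if ((strlen(_ded.dataDumpDirectory) + strlen(DIR_SEP) +
         strlen(rulesFileName) + strlen(".rules")) > PATH_MAX)
        return -1;

    /* sizeof(ruleFile) (PATH_MAX+1) rather than PATH_MAX: with PATH_MAX the
     * path admitted by the check above could still be silently truncated. */
    written = snprintf(ruleFile, sizeof(ruleFile), "%s%s%s.rules",
                       _ded.dataDumpDirectory, DIR_SEP, rulesFileName);

    /* A negative result (_snprintf reports truncation that way, snprintf an
     * encoding error) or a length of sizeof(ruleFile) or more means the
     * name was not stored in full; refuse rather than write a mangled file. */
    if (written < 0 || (size_t)written >= sizeof(ruleFile))
        return -1;
    ruleFile[PATH_MAX] = '\0';

    ruleFP = fopen(ruleFile, "w");
    if (ruleFP == NULL)
        return -1;

    fprintf(ruleFP, "# Autogenerated skeleton rules file. Do NOT edit by hand\n");

    for (i = 0; rules[i] != NULL; i++)
    {
        DumpRule(ruleFP, rules[i]);
    }

    /* fclose() flushes buffered output; a failure here means the file on
     * disk is incomplete. */
    if (fclose(ruleFP) != 0)
        return -1;

    return 0;
}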