
📄 stream5_common.c

📁 snort2.8.4版本
💻 C
                    inspectDst = -1;                }                else                {                    port_array = PortObjectCharPortArray(port_array, rtn->dst_portobject, &num_ports);                    if (port_array && num_ports != 0)                    {                        inspectDst = 1;                        for (i=0;i<SFPO_MAX_PORTS;i++)                        {                            if (port_array[i])                            {                                portList[i] |= PORT_MONITOR_INSPECT;                                /* port specific rule */                                for (otn = rtn->down; otn; otn = otn->next)                                {                                    /* Look for an OTN with flow or flowbits keyword */                                    if (Stream5OtnHasFlowOrFlowbit(otn))                                    {                                        portList[i] |= PORT_MONITOR_SESSION;                                    }                                }                            }                        }                    }                }                free(port_array);                port_array = NULL;                if ((inspectSrc == -1) && (inspectDst == -1))                {                    /* any -> any rule */                    if (any_any_flow == 0)                    {                        any_any_flow = Stream5AnyAnyFlow(portList, rtn, any_any_flow,                                &pIgnoredRuleList, ignoreAnyAnyRules);                    }                }#else                sport = (int16_t)((rtn->hsp == rtn->lsp) ? 
rtn->hsp : -1);                if (rtn->flags & ANY_SRC_PORT)                {                    sport = -1;                }                if (sport > 0 &&  rtn->not_sp_flag > 0 )                {                    sport = -1;                }                /* Set the source port to inspect */                if (sport != -1)                {                    portList[sport] |= PORT_MONITOR_INSPECT;                }                dport = (int16_t)((rtn->hdp == rtn->ldp) ? rtn->hdp : -1);                if (rtn->flags & ANY_DST_PORT)                {                    dport = -1;                }                if (dport > 0 && rtn->not_dp_flag > 0 )                {                    dport = -1;                }                /* Set the dest port to inspect */                if (dport != -1)                {                    inspectDst = 1;                    portList[dport] |= PORT_MONITOR_INSPECT;                }                if (inspectSrc || inspectDst)                {                    /* port specific rule */                    for (otn = rtn->down; otn; otn = otn->next)                    {                        /* Look for an OTN with flow or flowbits keyword */                        if (Stream5OtnHasFlowOrFlowbit(otn))                        {                            if (inspectSrc)                            {                                portList[sport] |= PORT_MONITOR_SESSION;                            }                            if (inspectDst)                            {                                portList[dport] |= PORT_MONITOR_SESSION;                            }                        }                    }                }                else                {                    /* any -> any rule */                    if (any_any_flow == 0)                    {                        any_any_flow = Stream5AnyAnyFlow(portList, rtn, any_any_flow,                                &pIgnoredRuleList, ignoreAnyAnyRules);    
                }                }#endif /* PORTLISTS */            } /* for (rtn=...) */        }    } /* for (rule=...) */    /* If portscan is tracking TCP/UDP, need to create     * sessions for all ports */    if (((protocol == IPPROTO_UDP) && (ps_get_protocols() & PS_PROTO_UDP))            || ((protocol == IPPROTO_TCP)  && (ps_get_protocols() & PS_PROTO_TCP)))    {        int j;        for (j=0; j<MAX_PORTS; j++)        {            portList[j] |= PORT_MONITOR_SESSION;        }    }    if (any_any_flow == 1)    {        LogMessage("Warning: 'ignore_any_rules' option for Stream5 %s "            "disabled because of %s rule with flow or flowbits option\n",             protocolName, protocolName);    }    else if (pIgnoredRuleList)    {        LogMessage("Warning: Rules (GID:SID) effectively ignored because of "            "'ignore_any_rules' option for Stream5 %s:\n", protocolName);        printIgnoredRules(pIgnoredRuleList, any_any_flow);    }}/**Determines whether any_any_flow should be ignored or not. * * Dont ignore any_any_flows if flow bit is set on an any_any_flow,  * or ignoreAnyAnyRules is not set. 
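* Scans every OTN hanging off rtn.  The first OTN carrying a flow or flowbits
* keyword turns session tracking on for all ports and ends the scan.  Until
* then, each OTN that has pattern-match, byte_test or PCRE data is recorded
* on the ignored-rule list, but only while ignoreAnyAnyRules is non-zero.
*
* @param portList           per-port flag array; entries are OR-ed with
*                           PORT_MONITOR_SESSION when a flow/flowbits OTN
*                           is found
* @param rtn                rule tree node whose OTN chain (rtn->down) is
*                           scanned
* @param any_any_flow       current state; a non-zero value is returned
*                           unchanged and nothing else is done
* @param ppIgnoredRuleList  address of the ignored-rule list head; ignored
*                           rules are added through addRuleToIgnoreList()
* @param ignoreAnyAnyRules  when zero, the scan stops at the first OTN that
*                           has no flow/flowbits keyword and no rule is
*                           added to the ignore list
* @returns 1 if an OTN with flow or flowbits was found, otherwise the
*          incoming any_any_flow value
*/
int Stream5AnyAnyFlow(
        u_int8_t *portList,
        RuleTreeNode *rtn,
        int any_any_flow,
        IgnoredRuleList **ppIgnoredRuleList,
        int ignoreAnyAnyRules
        )
{
    OptTreeNode *otn;
    int i;

    /* Once any_any_flow is set the code below has no further effect. */
    if (any_any_flow)
    {
        return any_any_flow;
    }

    for (otn = rtn->down; otn; otn = otn->next)
    {
        /* Look for an OTN with flow or flowbits keyword */
        if (Stream5OtnHasFlowOrFlowbit(otn))
        {
            /* Track sessions for ALL ports because of any -> any with
             * flow/flowbits.  The walk covers 0 .. MAX_PORTS-1, the same
             * range the portscan loop in this file uses.  Iterating
             * 1 .. MAX_PORTS instead would leave port 0 unmarked and write
             * to index MAX_PORTS, which is out of bounds unless portList
             * has at least MAX_PORTS + 1 entries. */
            for (i = 0; i < MAX_PORTS; i++)
            {
                portList[i] |= PORT_MONITOR_SESSION;
            }
            any_any_flow = 1;
            break;
        }

        /* any_any_flow is still 0 here: it is only set right before the
         * break above. */
        if (!ignoreAnyAnyRules)
        {
            /* Not ignoring any any rules...
             * NOTE(review): this leaves the loop at the first OTN without
             * flow/flowbits, so later OTNs on the same RTN are never
             * checked for those keywords - confirm this is intended. */
            break;
        }

        /* if not, then ignore the content/pcre/etc */
        if (otn->ds_list[PLUGIN_PATTERN_MATCH] ||
            otn->ds_list[PLUGIN_PATTERN_MATCH_OR] ||
            otn->ds_list[PLUGIN_PATTERN_MATCH_URI] ||
#ifdef DYNAMIC_PLUGIN
            DynamicHasContent(otn) ||
            DynamicHasByteTest(otn) ||
            DynamicHasPCRE(otn) ||
#endif
            otn->ds_list[PLUGIN_BYTE_TEST] ||
            otn->ds_list[PLUGIN_PCRE])
        {
            /* Ignoring this rule.... */
            addRuleToIgnoreList(ppIgnoredRuleList, otn);
        }
    } /* for (otn=...) */

    return any_any_flow;
}

/**add rule to the ignore rule list.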
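 * The new node is pushed onto the head of *ppIgnoredRuleList.
 *
 * @param ppIgnoredRuleList  address of the list head; updated to point at
 *                           the new node
 * @param otn                rule to record; only the pointer is stored
 */
static void addRuleToIgnoreList(IgnoredRuleList **ppIgnoredRuleList, OptTreeNode *otn)
{
    IgnoredRuleList *ignored_rule;

    /* NOTE(review): the result is dereferenced without a NULL check;
     * presumably SnortAlloc() does not return on failure - confirm. */
    ignored_rule = SnortAlloc(sizeof(*ignored_rule));

    ignored_rule->otn = otn;
    ignored_rule->next = *ppIgnoredRuleList;
    *ppIgnoredRuleList = ignored_rule;
}

/**
 * Print the ignored rule list and free it.
 *
 * Every node of the list is freed, whatever any_any_flow is.  The GID:SID
 * pairs are logged only when any_any_flow is 0, six pairs per line.
 *
 * @param pIgnoredRuleList  head of the list; all nodes are released here, so
 *                          the caller must not use the list afterwards
 * @param any_any_flow      when non-zero nothing is logged
 */
static void printIgnoredRules(
        IgnoredRuleList *pIgnoredRuleList,
        int any_any_flow
        )
{
    char six_sids = 0;      /* set when a full line of six pairs is pending */
    int sids_ignored = 0;   /* pairs collected on the current line */
    char buf[STD_BUF];
    IgnoredRuleList *ignored_rule;
    IgnoredRuleList *next_ignored_rule;

    buf[0] = '\0';

    for (ignored_rule = pIgnoredRuleList; ignored_rule != NULL; )
    {
        if (any_any_flow == 0)
        {
            if (six_sids == 1)
            {
                /* Flush the full line collected on earlier iterations.
                 * buf is passed as an argument rather than as the format
                 * string, so LogMessage() never interprets its contents as
                 * conversion specifiers. */
                SnortSnprintfAppend(buf, STD_BUF-1, "\n");
                LogMessage("%s", buf);
                six_sids = 0;
            }

            if (sids_ignored == 0)
            {
                /* First pair on a line: start the buffer over. */
                SnortSnprintf(buf, STD_BUF-1, "    %d:%d",
                        ignored_rule->otn->sigInfo.generator,
                        ignored_rule->otn->sigInfo.id);
            }
            else
            {
                SnortSnprintfAppend(buf, STD_BUF-1, ", %d:%d",
                        ignored_rule->otn->sigInfo.generator,
                        ignored_rule->otn->sigInfo.id);
            }

            sids_ignored++;
            if (sids_ignored % 6 == 0)
            {
                /* Have it print next time through */
                six_sids = 1;
                sids_ignored = 0;
            }
        }

        /* Read the link before freeing the node that holds it. */
        next_ignored_rule = ignored_rule->next;
        free(ignored_rule);
        ignored_rule = next_ignored_rule;
    }

    /* Flush whatever is left: a partial line or a full line still pending. */
    if (sids_ignored || six_sids)
    {
        SnortSnprintfAppend(buf, STD_BUF-1, "\n");
        LogMessage("%s", buf);
    }
}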
