snort_stream5_tcp.c

入侵检测SNORT.最近更新的基于网络检测的IDS.希望能给大家带来方便.

    if (tcpPolicyList == NULL)
    {
        numTcpPolicies = 1;
        tcpPolicyList = (Stream5TcpPolicy **)SnortAlloc(sizeof (Stream5TcpPolicy *)
            * numTcpPolicies);
    }
    else
    {
        Stream5TcpPolicy **tmpPolicyList =
            (Stream5TcpPolicy **)SnortAlloc(sizeof (Stream5TcpPolicy *)
            * (++numTcpPolicies));
        memcpy(tmpPolicyList, tcpPolicyList,
            sizeof(Stream5TcpPolicy *) * (numTcpPolicies-1));
        free(tcpPolicyList);
        
        tcpPolicyList = tmpPolicyList;
    }
    tcpPolicyList[numTcpPolicies-1] = s5TcpPolicy;

    Stream5PrintTcpConfig(s5TcpPolicy);

    return;
}

static INLINE u_int16_t StreamPolicyIdFromName(char *name)
{
    if (!name)
    {
        return STREAM_POLICY_DEFAULT;
    }

    if(!strcasecmp(name, "bsd"))
    {
        return STREAM_POLICY_BSD;
    }
    else if(!strcasecmp(name, "old-linux"))
    {
        return STREAM_POLICY_OLD_LINUX;
    }
    else if(!strcasecmp(name, "linux"))
    {
        return STREAM_POLICY_LINUX;
    }
    else if(!strcasecmp(name, "first"))
    {
        return STREAM_POLICY_FIRST;
    }
    else if(!strcasecmp(name, "last"))
    {
        return STREAM_POLICY_LAST;
    }
    else if(!strcasecmp(name, "windows"))
    {
        return STREAM_POLICY_WINDOWS;
    }
    else if(!strcasecmp(name, "solaris"))
    {
        return STREAM_POLICY_SOLARIS;
    }
    else if(!strcasecmp(name, "win2003") ||
            !strcasecmp(name, "win2k3"))
    {
        return STREAM_POLICY_WINDOWS2K3;
    }
    else if(!strcasecmp(name, "vista"))
    {
        return STREAM_POLICY_VISTA;
    }
    else if(!strcasecmp(name, "hpux") ||
            !strcasecmp(name, "hpux11"))
    {
        return STREAM_POLICY_HPUX11;
    }
    else if(!strcasecmp(name, "hpux10"))
    {
        return STREAM_POLICY_HPUX10;
    }
    else if(!strcasecmp(name, "irix"))
    {
        return STREAM_POLICY_IRIX;
    }
    else if(!strcasecmp(name, "macos") ||
            !strcasecmp(name, "grannysmith"))
    {
        return STREAM_POLICY_MACOS;
    }

    return STREAM_POLICY_DEFAULT; /* BSD is the default */
}

static INLINE u_int16_t GetTcpReassemblyPolicy(int os_policy)
{
    switch (os_policy)
    {
        case STREAM_POLICY_FIRST:
            return REASSEMBLY_POLICY_FIRST;
            break;
        case STREAM_POLICY_LINUX:
            return REASSEMBLY_POLICY_LINUX;
            break;
        case STREAM_POLICY_BSD:
            return REASSEMBLY_POLICY_BSD;
            break;
        case STREAM_POLICY_OLD_LINUX:
            return REASSEMBLY_POLICY_OLD_LINUX;
            break;
        case STREAM_POLICY_LAST:
            return REASSEMBLY_POLICY_LAST;
            break;
        case STREAM_POLICY_WINDOWS:
            return REASSEMBLY_POLICY_WINDOWS;
            break;
        case STREAM_POLICY_SOLARIS:
            return REASSEMBLY_POLICY_SOLARIS;
            break;
        case STREAM_POLICY_WINDOWS2K3:
            return REASSEMBLY_POLICY_WINDOWS2K3;
            break;
        case STREAM_POLICY_VISTA:
            return REASSEMBLY_POLICY_VISTA;
            break;
        case STREAM_POLICY_HPUX11:
            return REASSEMBLY_POLICY_HPUX11;
            break;
        case STREAM_POLICY_HPUX10:
            return REASSEMBLY_POLICY_HPUX10;
            break;
        case STREAM_POLICY_IRIX:
            return REASSEMBLY_POLICY_IRIX;
            break;
        case STREAM_POLICY_MACOS:
            return REASSEMBLY_POLICY_MACOS;
            break;
        default:
            return REASSEMBLY_POLICY_DEFAULT;
            break;
    }
}

static void Stream5ParseTcpArgs(char *args, Stream5TcpPolicy *s5TcpPolicy)
{
    char **toks;
    int num_toks;
    int i;
    char *index;
    char **stoks = NULL;
    int s_toks;
    char *endPtr = NULL;
    char use_static = 0;
    char set_flush_policy = 0;
    int reassembly_direction = SSN_DIR_CLIENT;
    int32_t long_val = 0;

    s5TcpPolicy->policy = STREAM_POLICY_DEFAULT;
    s5TcpPolicy->reassembly_policy = REASSEMBLY_POLICY_DEFAULT;
    s5TcpPolicy->session_timeout = S5_DEFAULT_SSN_TIMEOUT;
    //s5TcpPolicy->ttl_delta_limit = S5_DEFAULT_TTL_LIMIT;
    s5TcpPolicy->min_ttl = S5_DEFAULT_MIN_TTL;
    s5TcpPolicy->max_window = 0;
    s5TcpPolicy->flags = 0;
    //s5TcpPolicy->flags |=  STREAM5_CONFIG_STATEFUL_INSPECTION;
    //s5TcpPolicy->flags |=  STREAM5_CONFIG_ENABLE_ALERTS;
    //s5TcpPolicy->flags |=  STREAM5_CONFIG_REASS_CLIENT;
    //s5TcpPolicy->flags |= STREAM5_CONFIG_NO_ASYNC_REASSEMBLY;
    s5TcpPolicy->max_queued_bytes = S5_DEFAULT_MAX_QUEUED_BYTES;
    s5TcpPolicy->max_queued_segs = S5_DEFAULT_MAX_QUEUED_SEGS;

    if(args != NULL && strlen(args) != 0)
    {
        toks = mSplit(args, ",", 13, &num_toks, 0);

        i=0;

        while(i < num_toks)
        {
            index = toks[i];

            while(isspace((int)*index)) index++;

            stoks = mSplit(index, " ", 3, &s_toks, 0);

            if (s_toks == 0)
            {
                FatalError("%s(%d) => Missing parameter in Stream5 TCP config.\n",
                    file_name, file_line);
            }

            if(!strcasecmp(stoks[0], "timeout"))
            {
                if(stoks[1])
                {
                    s5TcpPolicy->session_timeout = strtoul(stoks[1], &endPtr, 10);
                }
                
                if (!stoks[1] || (endPtr == &stoks[1][0]))
                {
                    FatalError("%s(%d) => Invalid timeout in config file.  "
                        "Integer parameter required.\n",
                        file_name, file_line);
                }

                if ((s5TcpPolicy->session_timeout > S5_MAX_SSN_TIMEOUT) ||
                    (s5TcpPolicy->session_timeout < S5_MIN_SSN_TIMEOUT))
                {
                    FatalError("%s(%d) => Invalid timeout in config file.  "
                        "Must be between %d and %d\n",
                        file_name, file_line,
                        S5_MIN_SSN_TIMEOUT, S5_MAX_SSN_TIMEOUT);
                }
                if (s_toks > 2)
                {
                    FatalError("%s(%d) => Invalid Stream5 TCP Policy option.  Missing comma?\n",
                        file_name, file_line);
                }
            }
#if 0
            else if(!strcasecmp(stoks[0], "ttl_limit"))
            {
                if(stoks[1])
                {
                    s5TcpPolicy->ttl_delta_limit = strtoul(stoks[1], &endPtr, 10);
                }
                
                if (!stoks[1] || (endPtr == &stoks[1][0]))
                {
                    FatalError("%s(%d) => Invalid TTL Limit in config file.  Integer parameter required\n",
                            file_name, file_line);
                }
            }
#endif
            else if(!strcasecmp(stoks[0], "min_ttl"))
            {
                if(stoks[1])
                {
                    long_val = strtol(stoks[1], &endPtr, 10);
                    if (errno == ERANGE)
                    {
                        errno = 0;
                        long_val = -1;
                    }
                    s5TcpPolicy->min_ttl = (u_int8_t)long_val;
                }

                if (!stoks[1] || (endPtr == &stoks[1][0]))
                {
                    FatalError("%s(%d) => Invalid min TTL in config file.  Integer parameter required\n",
                            file_name, file_line);
                }

                if ((long_val > S5_MAX_MIN_TTL) ||
                    (long_val < S5_MIN_MIN_TTL))
                {
                    FatalError("%s(%d) => Invalid min TTL in config file.  "
                        "Must be between %d and %d\n",
                        file_name, file_line,
                        S5_MIN_MIN_TTL, S5_MAX_MIN_TTL);
                }
                if (s_toks > 2)
                {
                    FatalError("%s(%d) => Invalid Stream5 TCP Policy option.  Missing comma?\n",
                        file_name, file_line);
                }
            }
            else if(!strcasecmp(stoks[0], "overlap_limit"))
            {
                if(stoks[1])
                {
                    long_val = strtol(stoks[1], &endPtr, 10);
                    if (errno == ERANGE)
                    {
                        errno = 0;
                        long_val = -1;
                    }
                    s5TcpPolicy->overlap_limit = (u_int8_t)long_val;
                }

                if (!stoks[1] || (endPtr == &stoks[1][0]))
                {
                    FatalError("%s(%d) => Invalid overlap limit in config file."
                            "Integer parameter required\n",
                            file_name, file_line);
                }

                if ((long_val > S5_MAX_OVERLAP_LIMIT) ||
                    (long_val < S5_MIN_OVERLAP_LIMIT))
                {
                    FatalError("%s(%d) => Invalid overlap limit in config file."
                        "  Must be between %d and %d\n",
                        file_name, file_line,
                        S5_MIN_OVERLAP_LIMIT, S5_MAX_OVERLAP_LIMIT);
                }
                if (s_toks > 2)
                {
                    FatalError("%s(%d) => Invalid Stream5 TCP Policy option.  Missing comma?\n",
                        file_name, file_line);
                }
            }
            else if(!strcasecmp(stoks[0], "detect_anomalies"))
            {
                s5TcpPolicy->flags |=  STREAM5_CONFIG_ENABLE_ALERTS;
                if (s_toks > 1)
                {
                    FatalError("%s(%d) => Invalid Stream5 TCP Policy option.  Missing comma?\n",
                        file_name, file_line);
                }
            }
            else if(!strcasecmp(stoks[0], "policy"))
            {
                s5TcpPolicy->policy = StreamPolicyIdFromName(stoks[1]);

                if ((s5TcpPolicy->policy == STREAM_POLICY_DEFAULT) &&
                    (strcasecmp(stoks[1], "bsd")))
                {
                    /* Default is BSD.  If we don't have "bsd", its
                     * the default and invalid.
                     */
                    FatalError("%s(%d) => Bad policy name \"%s\"\n",
                            file_name, file_line, stoks[1]);
                }

                s5TcpPolicy->reassembly_policy = GetTcpReassemblyPolicy(s5TcpPolicy->policy);
                if (s_toks > 2)
                {
                    FatalError("%s(%d) => Invalid Stream5 TCP Policy option.  Missing comma?\n",
                        file_name, file_line);
                }
            }
            else if(!strcasecmp(stoks[0], "require_3whs"))
            {
                s5TcpPolicy->flags |= STREAM5_CONFIG_REQUIRE_3WHS;

                if (s_toks > 1)
                {
                    s5TcpPolicy->hs_timeout = strtoul(stoks[1], &endPtr, 10);
                }

                if ((s_toks > 1) && (endPtr == &stoks[1][0]))
                {
                    FatalError("%s(%d) => Invalid 3Way Handshake allowable.  Integer parameter required.\n",
                            file_name, file_line);
                }

                if (s_toks > 1)
                {
                    if ((s5TcpPolicy->hs_timeout > S5_MAX_SSN_TIMEOUT) ||
                        (s5TcpPolicy->hs_timeout < S5_MIN_ALT_HS_TIMEOUT))
                    {
                        FatalError("%s(%d) => Invalid handshake timeout in "
                            "config file.  Must be between %d and %d\n",
                            file_name, file_line,
                            S5_MIN_ALT_HS_TIMEOUT, S5_MAX_SSN_TIMEOUT);
                    }
                }
                if (s_toks > 2)
                {
                    FatalError("%s(%d) => Invalid Stream5 TCP Policy option.  Missing comma?\n",
                        file_name, file_line);
                }
            }
            else if(!strcasecmp(stoks[0], "bind_to"))
            {
                if(strstr(stoks[1], "["))
                {
                    FatalError("%s(%d) => Invalid Stream5 TCP Policy option.  IP lists are not allowed.\n",
                        file_name, file_line);
                }

                s5TcpPolicy->bound_addrs = IpAddrSetParse(stoks[1]);

                if (s_toks > 2)
                {
                    FatalError("%s(%d) => Invalid Stream5 TCP Policy option.  Missing comma?\n",
                        file_name, file_line);
                }