
📄 snort_stream5_tcp.c

📁 入侵检测SNORT.最近更新的基于网络检测的IDS.希望能给大家带来方便.
        }
        /* Tail of a policy-setup routine whose beginning is outside this
         * excerpt: the bound-address set is allocated and the global config is
         * flagged as having a default TCP policy. */
        s5TcpPolicy->bound_addrs = (IpAddrSet *) SnortAlloc(sizeof(IpAddrSet));
        s5_global_config.flags |= STREAM5_CONFIG_DEFAULT_TCP_POLICY_SET;
    }

    if (!set_flush_policy)
    {
        /* No flush policy was configured explicitly: initialise the shared
         * flush point list and give every default port a FOOTPRINT flush
         * manager for each enabled reassembly direction.
         * NOTE(review): 192 and 128 are passed straight through; their meaning
         * is defined by InitFlushPointList, which is not visible here. */
        InitFlushPointList(&s5TcpPolicy->flush_point_list, 192, 128, use_static);
        /* NOTE(review): default_ports[i] is used directly as an index into
         * flush_config; presumably every entry is below the array size --
         * confirm against the table definition. The element count also assumes
         * default_ports is an array of int. */
        for (i=0;i<sizeof(default_ports)/sizeof(int); i++)
        {
            if (reassembly_direction & SSN_DIR_CLIENT)
            {
                FlushMgr *flush_mgr = &s5TcpPolicy->flush_config[default_ports[i]].client;
                FlushPointList *flush_point_list = &s5TcpPolicy->flush_point_list;
                InitFlushMgr(flush_mgr, flush_point_list, STREAM_FLPOLICY_FOOTPRINT);
            }
            if (reassembly_direction & SSN_DIR_SERVER)
            {
                FlushMgr *flush_mgr = &s5TcpPolicy->flush_config[default_ports[i]].server;
                FlushPointList *flush_point_list = &s5TcpPolicy->flush_point_list;
                InitFlushMgr(flush_mgr, flush_point_list, STREAM_FLPOLICY_FOOTPRINT);
            }
        }
    }

    return;
}

/*
 * Stream5PrintTcpConfig -- write a human-readable summary of one TCP policy
 * to the log via LogMessage().
 *
 * Prints the reassembly policy name, timeout and min TTL unconditionally; the
 * window, overlap and queue limits only when non-zero; the option flags that
 * are set; the ports with a non-IGNORE flush policy; and (non-SUP_IP6 builds)
 * the bound address set.
 *
 * s5TcpPolicy is dereferenced without a NULL check.
 */
static void Stream5PrintTcpConfig(Stream5TcpPolicy *s5TcpPolicy)
{
    int i=0, j=0;

    LogMessage("Stream5 TCP Policy config:\n");
    /* NOTE(review): reassembly_policy is used as a table index without a
     * range check here; presumably it is validated when the config is parsed
     * -- confirm. */
    LogMessage("    Reassembly Policy: %s\n",
        reassembly_policy_names[s5TcpPolicy->reassembly_policy]);
    LogMessage("    Timeout: %d seconds\n", s5TcpPolicy->session_timeout);
    LogMessage("    Min ttl:  %d\n", s5TcpPolicy->min_ttl);
    //LogMessage("    Stream ttl_limit: %d\n", s5TcpPolicy->ttl_delta_limit);
    if (s5TcpPolicy->max_window != 0)
        LogMessage("    Max TCP Window: %u\n", s5TcpPolicy->max_window);
    if (s5TcpPolicy->overlap_limit)
        LogMessage("    Limit on TCP Overlaps: %d\n", s5TcpPolicy->overlap_limit);
    if (s5TcpPolicy->max_queued_bytes != 0)
    {
        LogMessage("    Maximum number of bytes to queue per session: %d\n",
            s5TcpPolicy->max_queued_bytes);
    }
    if (s5TcpPolicy->max_queued_segs != 0)
    {
        LogMessage("    Maximum number of segs to queue per session: %d\n",
            s5TcpPolicy->max_queued_segs);
    }
    if (s5TcpPolicy->flags)
    {
        LogMessage("    Options:\n");
        if (s5TcpPolicy->flags & STREAM5_CONFIG_REQUIRE_3WHS)
        {
            LogMessage("        Require 3-Way Handshake: YES\n");
            if (s5TcpPolicy->hs_timeout != 0)
            {
                LogMessage("        3-Way Handshake Timeout: %d\n",
                    s5TcpPolicy->hs_timeout);
            }
        }
        if (s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)
        {
            LogMessage("        Detect Anomalies: YES\n");
        }
        if (s5TcpPolicy->flags & STREAM5_CONFIG_STATIC_FLUSHPOINTS)
        {
            LogMessage("        Static Flushpoint Sizes: YES\n");
        }
        if (s5TcpPolicy->flags & STREAM5_CONFIG_PERFORMANCE)
        {
            LogMessage("        Don't Queue Large Packets for Reassembly: YES\n");
        }
        if (s5TcpPolicy->flags & STREAM5_CONFIG_CHECK_SESSION_HIJACKING)
        {
            LogMessage("        Check for TCP Session Hijacking: YES\n");
        }
        if (s5TcpPolicy->flags & STREAM5_CONFIG_NO_ASYNC_REASSEMBLY)
        {
            LogMessage("        Don't queue packets on one-sided sessions: YES\n");
        }
    }
    LogMessage("    Reassembly Ports:\n");
    /* Walk every port; j counts printed ports and stops the listing at 20 in
     * non-DEBUG builds (see the #ifndef below), so the log may show only a
     * prefix of the ports that are actually reassembled. */
    for (i=0; i<MAX_PORTS && j<20; i++)
    {
        int direction = 0;
        int client_flushpolicy = s5TcpPolicy->flush_config[i].client.flush_policy;
        int server_flushpolicy = s5TcpPolicy->flush_config[i].server.flush_policy;
        char client_policy_str[STD_BUF];
        char server_policy_str[STD_BUF];
        /* Start with empty strings so a direction with no printable policy
         * contributes nothing to the output line. */
        client_policy_str[0] = server_policy_str[0] = '\0';
        if (client_flushpolicy != STREAM_FLPOLICY_IGNORE)
        {
            direction |= SSN_DIR_CLIENT;
            /* Only the upper bound is checked before indexing the name table.
             * NOTE(review): the value is held in an int, so a negative value
             * would pass this test; presumably flush_policy is an unsigned
             * field -- confirm. */
            if (client_flushpolicy <= STREAM_FLPOLICY_MAX)
                SnortSnprintf(client_policy_str, STD_BUF, "client (%s)",
                              flush_policy_names[client_flushpolicy]);
        }
        if (server_flushpolicy != STREAM_FLPOLICY_IGNORE)
        {
            direction |= SSN_DIR_SERVER;
            /* Same upper-bound-only check as for the client side. */
            if (server_flushpolicy <= STREAM_FLPOLICY_MAX)
                SnortSnprintf(server_policy_str, STD_BUF, "server (%s)",
                              flush_policy_names[server_flushpolicy]);
        }
        if (direction)
        {
            LogMessage("      %d %s %s\n", i,
                client_policy_str, server_policy_str);
#ifndef DEBUG
            /* Count the printed port only in non-DEBUG builds; DEBUG builds
             * never advance j, so they print the full list. */
            j++;
#endif
        }
    }
#ifdef SUP_IP6
// XXX-IPv6 var printing
#else
    IpAddrSetPrint("    Bound Addresses:", s5TcpPolicy->bound_addrs);
#endif
}

#ifdef TARGET_BASED
/*
 * StreamPolicyIdFromHostAttributeEntry -- resolve a host attribute entry's
 * stream policy name to a policy id and store it in the entry.
 *
 * Does nothing when host_entry or its streamPolicyName is NULL. Otherwise
 * sets hostInfo.streamPolicy from StreamPolicyIdFromName() and marks
 * hostInfo.streamPolicySet. Returns 0 on every path.
 */
int StreamPolicyIdFromHostAttributeEntry(HostAttributeEntry *host_entry)
{
    if (!host_entry || !host_entry->hostInfo.streamPolicyName)
        return 0;

    host_entry->hostInfo.streamPolicy = StreamPolicyIdFromName(host_entry->hostInfo.streamPolicyName);
    host_entry->hostInfo.streamPolicySet = 1;

    /* NOTE(review): the debug message indexes reassembly_policy_names with the
     * id just returned and passes the entry's operatingSystem/vendor/version
     * s_value fields to %s. Both assume the id is within the table and the
     * strings are non-NULL and NUL-terminated; the entry comes from the host
     * attribute table, so confirm those are enforced where it is loaded. */
    STREAM5_DEBUG_WRAP(
        DebugMessage(DEBUG_STREAM_STATE,
            "STREAM5 INIT: %s(%d) for Entry %s:%s:%s (%s)\n",
            reassembly_policy_names[host_entry->hostInfo.streamPolicy],
            host_entry->hostInfo.streamPolicy,
            host_entry->hostInfo.operatingSystem.value.s_value,
            host_entry->hostInfo.vendor.value.s_value,
            host_entry->hostInfo.version.value.s_value,
            host_entry->hostInfo.streamPolicyName););
    return 0;
}
#endif

/*
 * Stream5VerifyTcpConfig -- sanity-check the Stream5 TCP configuration.
 *
 * Returns -1 (after logging a WARNING) when the TCP session cache is missing,
 * no TCP policy was configured, or no default TCP policy was set. Otherwise
 * initialises the rebuilt-packet buffer if needed, registers the policy-id
 * callback in TARGET_BASED builds, and returns 0.
 */
int Stream5VerifyTcpConfig()
{
    if (!tcp_lws_cache)
    {
        LogMessage("WARNING: Stream5 TCP Session Cache not initialized\n");
        return -1;
    }

    if (numTcpPolicies < 1)
    {
        LogMessage("WARNING: Stream5 TCP no policies specified in configuration\n");
        return -1;
    }

    if (!(s5_global_config.flags & STREAM5_CONFIG_DEFAULT_TCP_POLICY_SET))
    {
        LogMessage("WARNING: Stream5 TCP default policy not specified in configuration\n");
        return -1;
    }

    /* Do this now
     * verify config is called after all preprocs (static & dynamic)
     * are inited.  Gives us the correct number of bits for
     * p->preprocessor_bits
     */
    if (!s5_pkt)
        Stream5InitPacket();

#ifdef TARGET_BASED
    SFAT_SetPolicyIds(StreamPolicyIdFromHostAttributeEntry);
#endif

    return 0;
}

/*
 * Stream5ResetTcp -- purge all TCP sessions and reset the flush managers
 * while keeping the configuration in place.
 *
 * pv.decoder_flags is saved, zeroed for the duration of the purge, and then
 * restored. s5_tcp_cleanup is set to 1 only around the cache purge.
 */
void Stream5ResetTcp(void)
{
    DecoderFlags decoder_flags;
    int ret;

    /* Save the current decoder flags. The last two arguments are the start of
     * the destination object and one past its end (presumably the window
     * SafeMemcpy is allowed to write into -- confirm against its definition).
     * On failure nothing has been modified yet. */
    ret = SafeMemcpy(&decoder_flags, &pv.decoder_flags, sizeof(decoder_flags),
                     &decoder_flags,
                     (u_int8_t *)(&decoder_flags) + sizeof(decoder_flags));

    if (ret != SAFEMEM_SUCCESS)
        return;

    memset(&pv.decoder_flags, 0, sizeof(pv.decoder_flags));

    s5_tcp_cleanup = 1;
    PurgeLWSessionCache(tcp_lws_cache);
    s5_tcp_cleanup = 0;
    mempool_clean(&tcp_session_mempool);

    ret = SafeMemcpy(&pv.decoder_flags, &decoder_flags, sizeof(pv.decoder_flags),
                     &pv.decoder_flags,
                     (u_int8_t *)(&pv.decoder_flags) + sizeof(pv.decoder_flags));

    /* NOTE(review): if this restore fails, the function returns with
     * pv.decoder_flags possibly still zeroed by the memset above and without
     * calling ResetFlushMgrs(); nothing is logged. For a sensor that means the
     * decoder settings could stay cleared silently -- confirm whether this
     * path can actually fail. */
    if (ret != SAFEMEM_SUCCESS)
        return;

    ResetFlushMgrs();
}

/*
 * Stream5CleanTcp -- tear down all Stream5 TCP state: the session cache, the
 * rebuilt-packet buffer(s), the session memory pool, and every TCP policy
 * together with the policy list itself.
 *
 * NOTE(review): tcpPolicyList is freed and set to NULL at the end, but
 * numTcpPolicies is not changed in this function. If the count is not reset
 * elsewhere, a second call would index a NULL list in the policy loop --
 * confirm against the rest of the file.
 */
void Stream5CleanTcp()
{
    DecoderFlags decoder_flags;
    int policyIndex;
    Stream5TcpPolicy *policy = NULL;

    /* Turn off decoder alerts since we're decoding stored
     * packets that we already alerted on.
     */
    memcpy(&decoder_flags, &pv.decoder_flags, sizeof(DecoderFlags));
    memset(&pv.decoder_flags, 0, sizeof(DecoderFlags));

    /* Set s5_tcp_cleanup to force a flush of all queued data */
    s5_tcp_cleanup = 1;

    /* Clean up hash table -- delete all sessions */
    DeleteLWSessionCache(tcp_lws_cache);
    tcp_lws_cache = NULL;

    /* Cleanup the rebuilt packet: each owned member is released before the
     * packet itself, and the global is cleared so it cannot be reused. */
    if (s5_pkt)
    {
        free((void *)s5_pkt->pkth);
        boFreeBITOP(s5_pkt->preprocessor_bits);
        free(s5_pkt->preprocessor_bits);
        boFreeBITOP(s5_pkt->preproc_reassembly_pkt_bits);
        free(s5_pkt->preproc_reassembly_pkt_bits);
        free(s5_pkt);
        s5_pkt = NULL;
    }
#ifdef SUP_IP6
    /* Same teardown for the second rebuilt packet used in SUP_IP6 builds. */
    if (s5_pkt_6)
    {
        free((void *)s5_pkt_6->pkth);
        boFreeBITOP(s5_pkt_6->preprocessor_bits);
        free(s5_pkt_6->preprocessor_bits);
        boFreeBITOP(s5_pkt_6->preproc_reassembly_pkt_bits);
        free(s5_pkt_6->preproc_reassembly_pkt_bits);
        free(s5_pkt_6);
        s5_pkt_6 = NULL;
    }
#endif

    /* Reset this */
    s5_tcp_cleanup = 0;

    mempool_destroy(&tcp_session_mempool);

    /* And turn decoder alerts back on (or whatever they were set to) */
    memcpy(&pv.decoder_flags, &decoder_flags, sizeof(DecoderFlags));

    /* Cleanup TCP Policies and the list.
     * Each slot is dereferenced without a NULL check; presumably every index
     * below numTcpPolicies holds an allocated policy -- confirm. */
    for (policyIndex = 0; policyIndex < numTcpPolicies; policyIndex++)
    {
        policy = tcpPolicyList[policyIndex];
        free(policy->flush_point_list.flush_points);
#ifdef SUP_IP6
        sfvar_free(policy->bound_addrs);
#else
        IpAddrSetDestroy(policy->bound_addrs);
        free(policy->bound_addrs);
#endif
        free(policy);
    }
    free(tcpPolicyList);
    tcpPolicyList = NULL;
}

#ifdef DEBUG_STREAM5
/* The helpers below are compiled only when DEBUG_STREAM5 is defined; the
 * matching #endif lies beyond this excerpt. None of them checks its pointer
 * argument for NULL except PrintFlushMgr. */

/*
 * PrintStateMgr -- log the fields of a StateMgr.
 *
 * NOTE(review): s->state and s->state_queue index state_names without a range
 * check; presumably both are always valid state ids -- confirm.
 */
static void PrintStateMgr(StateMgr *s)
{
    LogMessage("StateMgr:\n");
    LogMessage("    state:          %s\n", state_names[s->state]);
    LogMessage("    state_queue:    %s\n", state_names[s->state_queue]);
    LogMessage("    expected_flags: 0x%X\n", s->expected_flags);
    LogMessage("    transition_seq: 0x%X\n", s->transition_seq);
    LogMessage("    stq_get_seq:    %d\n", s->stq_get_seq);
}

/*
 * PrintStreamTracker -- log one direction's StreamTracker, followed by its
 * embedded StateMgr.
 *
 * NOTE(review): several fields are printed with %lu and others with %X/%d;
 * the field types are declared elsewhere, so whether each specifier matches
 * its argument cannot be checked from here -- confirm (a mismatch is
 * undefined behaviour in a variadic call).
 */
static void PrintStreamTracker(StreamTracker *s)
{
    LogMessage(" + StreamTracker +\n");
    LogMessage("    isn:                0x%X\n", s->isn);
    LogMessage("    ttl:                %d\n", s->ttl);
    LogMessage("    ts_last:            %lu\n", s->ts_last);
    LogMessage("    wscale:             %lu\n", s->wscale);
    LogMessage("    mss:                0x%08X\n", s->mss);
    LogMessage("    l_unackd:           %X\n", s->l_unackd);
    LogMessage("    l_nxt_seq:          %X\n", s->l_nxt_seq);
    LogMessage("    l_window:           %lu\n", s->l_window);
    LogMessage("    r_nxt_ack:          %X\n", s->r_nxt_ack);
    LogMessage("    r_win_base:         %X\n", s->r_win_base);
    LogMessage("    seglist_base_seq:   %X\n", s->seglist_base_seq);
    LogMessage("    seglist:            %p\n", s->seglist);
    LogMessage("    seglist_tail:       %p\n", s->seglist_tail);
    LogMessage("    seg_count:          %d\n", s->seg_count);
    LogMessage("    seg_bytes_total:    %d\n", s->seg_bytes_total);
    LogMessage("    seg_bytes_logical:  %d\n", s->seg_bytes_logical);

    PrintStateMgr(&s->s_mgr);
}

/*
 * PrintTcpSession -- log a TcpSession: endpoints, session flags, then the
 * client and server trackers.
 *
 * ts->lwssn is dereferenced without a NULL check. The session start time is
 * printed only when DEBUG is also defined.
 */
static void PrintTcpSession(TcpSession *ts)
{
    LogMessage("TcpSession:\n");
#ifdef DEBUG
    LogMessage("    ssn_time:           %lu\n", ts->ssn_time.tv_sec);
#endif
    LogMessage("    server IP:          0x%08X\n", ts->tcp_server_ip);
    LogMessage("    client IP:          0x%08X\n", ts->tcp_client_ip);
    LogMessage("    server port:        %d\n", ts->tcp_server_port);
    LogMessage("    client port:        %d\n", ts->tcp_client_port);

    LogMessage("    flags:              0x%X\n", ts->lwssn->session_flags);

    LogMessage("Client Tracker:\n");
    PrintStreamTracker(&ts->client);
    LogMessage("Server Tracker:\n");
    PrintStreamTracker(&ts->server);
}

/*
 * PrintTcpDataBlock -- log the addresses, sequence/ack numbers, window and
 * end sequence held in a TcpDataBlock.
 */
static void PrintTcpDataBlock(TcpDataBlock *tdb)
{
    LogMessage("TcpDataBlock:\n");
    LogMessage("    sip:    0x%08X\n", tdb->sip);
    LogMessage("    dip:    0x%08X\n", tdb->dip);
    LogMessage("    seq:    0x%08X\n", tdb->seq);
    LogMessage("    ack:    0x%08X\n", tdb->ack);
    LogMessage("    win:    %d\n", tdb->win);
    LogMessage("    end:    0x%08X\n", tdb->end_seq);
}

/*
 * PrintFlushMgr -- emit a debug message naming the flush policy of a
 * FlushMgr (and its flush point where one is printed). Returns immediately
 * for a NULL argument. The remainder of this function lies beyond this
 * excerpt.
 */
static void PrintFlushMgr(FlushMgr *fm)
{
    if(fm == NULL)
        return;

    switch(fm->flush_policy)
    {
        case STREAM_FLPOLICY_NONE:
            STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                        "    NONE\n"););
            break;
        case STREAM_FLPOLICY_FOOTPRINT:
            STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                        "    FOOTPRINT %d\n", fm->flush_pt););
            break;
        case STREAM_FLPOLICY_LOGICAL:
            STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                        "    LOGICAL %d\n", fm->flush_pt););
            break;
        case STREAM_FLPOLICY_RESPONSE:
            STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
