{ IPSET *ipset = ipset_new(IPV4_FAMILY); if(!ipset || ip4_setparse(ipset, value) !=0) { FatalError("%s(%d) Unable to create an IPSet from %s\n", file_name,file_line,value); } config->dst_ignore_ipv4 = ipset; } else if(!strcasecmp(key, "tcp-penalties")) { if(toggle_option(key, value, &config->tcp_penalties)) { FatalError("%s(%d) Error processing %s directive (value = %s)\n", file_name,file_line,key,value); } } else if(!strcasecmp(key, "server-learning-time")) { ivalue = atoi(value); config->server_learning_time = ivalue; } else if(!strcasecmp(key, "server-ignore-limit")) { ivalue = atoi(value); config->server_ignore_limit = ivalue; } else if(!strcasecmp(key, "server-scanner-limit")) { ivalue = atoi(value); config->server_scanner_limit = ivalue; } else if(!strcasecmp(key, "talker-fixed-threshold")) { ivalue = atoi(value); config->limit_talker.fixed = ivalue; } else if(!strcasecmp(key, "talker-sliding-threshold")) { ivalue = atoi(value); config->limit_talker.sliding = ivalue; } else if(!strcasecmp(key, "talker-fixed-window")) { ivalue = atoi(value); config->limit_talker.fixed_size = ivalue; } else if(!strcasecmp(key, "talker-sliding-window")) { ivalue = atoi(value); config->limit_talker.sliding_size = ivalue; } else if(!strcasecmp(key, "talker-sliding-scale-factor")) { config->limit_talker.window_scale = (float)strtod(value, NULL); } else if(!strcasecmp(key, "scanner-fixed-threshold")) { ivalue = atoi(value); config->limit_scanner.fixed = ivalue; } else if(!strcasecmp(key, "scanner-sliding-threshold")) { ivalue = atoi(value); config->limit_scanner.sliding = ivalue; } else if(!strcasecmp(key, "scanner-fixed-window")) { ivalue = atoi(value); config->limit_scanner.fixed_size = ivalue; } else if(!strcasecmp(key, "scanner-sliding-window")) { ivalue = atoi(value); config->limit_scanner.sliding_size = ivalue; } else if(!strcasecmp(key, "scanner-sliding-scale-factor")) { config->limit_scanner.window_scale = (float)strtod(value, NULL); } else if(!strcasecmp(key, "base-score")) 
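{
        /* atoi() reports no errors: a non-numeric value silently becomes 0 */
        config->base_score = atoi(value);
    }
    else if(!strcasecmp(key, "dumpall"))
    {
        config->dumpall = atoi(value);
    }
    else if(!strcasecmp(key, "alert-mode"))
    {
        if(!strcasecmp(value, "once"))
        {
            config->alert_once = 1;
        }
        else if(!strcasecmp(value, "all"))
        {
            config->alert_once = 0;
        }
        else
        {
            FatalError("%s(%d) Bad option to %s => %s\n",
                       file_name, file_line, key, value);
        }
    }
    else if(!strcasecmp(key, "output-mode"))
    {
        if(!strcasecmp(value, "msg"))
        {
            config->output_mode = VARIABLEMSG;
        }
        else if(!strcasecmp(value, "pktkludge"))
        {
            config->output_mode = PKTKLUDGE;
        }
        else
        {
            FatalError("%s(%d) Bad option to %s => %s\n",
                       file_name, file_line, key, value);
        }
    }
    else
    {
        /* reports fname/lineno here, while the errors above use the
         * file_name/file_line globals */
        FatalError("%s(%d) Unknown Arguments: key(%s) value(%s)\n",
                   fname, lineno, key, value);
    }
}

/**
 * Parse out the snort.conf line
 *
 * output type - (variable alert string, custom file, pktkludge)
 * watch-net - optional
 * ignore-net - optional
 *
 * The argument string is a blank/tab separated sequence of
 * "key value" pairs; every pair is handed to FlowPSParseOption().
 * A key without a value, an allocation failure or a bad option is
 * fatal (FatalError() does not return).  After all options are
 * applied, a server watchnet with neither a scanner nor an ignore
 * limit is rejected.
 *
 * @param config config to set (NULL is fatal)
 * @param args string to parse (NULL or blank leaves config untouched)
 */
static void FlowPSParseArgs(PS_CONFIG *config , char *args)
{
    const char *delim = " \t";
    char *key, *value;
    char *myargs;

    if(!config)
    {
        FatalError("FlowPSParseArgs: NULL config passed\n!");
    }

    if(!args)
    {
        return;
    }

    /* skip leading whitespace; go through unsigned char so a
     * high-bit (negative) char is never handed to isspace() */
    while(isspace((unsigned char)*args))
        args++;

    if(*args == '\0')
    {
        return;
    }

    /* strtok() writes NULs into its input, so tokenize a private copy */
    myargs = strdup(args);

    if(myargs == NULL)
    {
        FatalError("%s(%d) Unable to allocate memory!\n", file_name, file_line);
    }

    key = strtok(myargs, delim);

    while(key != NULL)
    {
        value = strtok(NULL, delim);

        if(!value)
        {
            /* three conversions: file, line, key -- all three must be supplied */
            FatalError("%s(%d) key %s has no value", file_name, file_line, key);
        }

        FlowPSParseOption(config, file_name, file_line, key, value);

        key = strtok(NULL, delim);
    }

    free(myargs);

    /* is server statistics table enabled? */
    if(config->server_watchnet_ipv4 != NULL)
    {
        if((config->server_scanner_limit == 0) &&
           (config->server_ignore_limit == 0))
        {
            FatalError("A Server watchnet is set"
                       " with no scanner or ignore limit\n"
                       "Perhaps you should just remove"
                       " the server-watchnet option\n");
        }
    }
}

/**
 * Restart hook for the flow-portscan module; nothing to do.
 *
 * @param signal signal that triggered the restart (unused)
 * @param data   callback data (unused)
 */
void FlowPSRestart(int signal, void *data)
{
    return;
}

/**
 * Clean-exit hook: release the scratch packet, print the tracker
 * statistics unless snort runs quiet, and tear down the tracker.
 *
 * @param signal signal that triggered the exit (unused)
 * @param data   callback data (unused)
 */
void FlowPSCleanExit(int signal, void *data)
{
    /* free(NULL) is a no-op; clearing the pointer avoids a double free
     * should this hook ever run twice */
    free(s_pkt);
    s_pkt = NULL;

    if(!pv.quiet_flag)
        flowps_stats(&s_tracker);

    flowps_destroy(&s_tracker);

    return;
}

/**
 * The callback for the flow-portscan module
 *
 * This function's purpose is to do about the same thing as a
 * traditional snort preprocessor.  The only difference is that this
 * occurs only on a specific FLOW position.
 *
 * This individual callback position is only valid in the "NEW" flow
 * position.
 *
 * The operations are pretty much the same as laid out by
 *
 * Chris Green, Marc Norton, Dan Roelker
 *
 * Basic code flow:
 *
 * 1) Get the score and flag type
 * 2) return if the score is 0
 * 3) Get the score entry node
 * 4) Perform time window maintence
 *    - includes flushing the "scan data" out of the subsys
 * 5) Process the score data
 * 6) Generate alerts if necessary
 *
 * @param position where in the flow module this is being called from
 * @param flow the flow that the stats are kept for
 * @param direction the direction of the flow
 * @param cur the current time
 * @param p the current packet (may be NULL)
 *
 * @return TBD
 */
int flowps_newflow_callback(FLOW_POSITION position, FLOW *flowp, int direction, time_t cur, FLOWPACKET *p)
{
    TRACKER_POSITION tr_pos = TRACKER_ACTIVE; /* where new nodes get inserted */
    PS_TRACKER *pstp = &s_tracker;
    SCORE_ENTRY *current_entry = NULL;
    int ret, score;
    u_int32_t alert_flags;
    u_int8_t cflags;
    /* NOTE(review): flowp is dereferenced here before any check -- the
     * caller is assumed to never pass NULL; confirm against the flow module */
    u_int32_t *address = &flowp->key.init_address;

    if(!flowps_enabled())
        return 0;

    if(s_debug > 5)
    {
        /* NOTE(review): the contract above says p may be NULL, yet
         * IS_IP4(p) and p->iph are evaluated without a NULL check on
         * this debug path -- confirm IS_IP4() tolerates NULL.
         * Two inet_ntoax() results in one printf only print distinct
         * addresses if it rotates its buffers -- verify. */
        if (IS_IP4(p))
        {
            printf("DEBUG: callback %s:%d -> %s:%d\n",
                   inet_ntoax(p->iph->ip_src.s_addr), p->sp,
                   inet_ntoax(p->iph->ip_dst.s_addr), p->dp);
        }
    }

    if(position !=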
FLOW_NEW) {#ifndef WIN32 flow_printf("Wrong callback position for %s\n", __func__);#else flow_printf("Wrong callback position for %s(%d)\n", __FILE__, __LINE__);#endif return 0; } if(flowps_is_ignored_ipv4(pstp, &flowp->key.init_address, &flowp->key.resp_address) == FLOW_SUCCESS) { return 0; } if(IsTcpPacket(p)) { /* allow radically different flags from SYN help score * differently */ cflags = GetTcpFlags(p); } else { cflags = 0; } /* * if we can't find the score for whatever reason, or the * resultant score is 0 (indicating that this a "normal" event), * just go ahead and return */ if(flowps_get_score(pstp, flowp, cur, cflags, &score, &tr_pos) != FLOW_SUCCESS) { return -1; } if(score == 0) { return 0; } else if(s_debug > 5) { flow_printf("new unique flow!\n"); flowkey_print(&flowp->key); flow_printf("\n"); } /* run the "score entry finder" or create a new node */ ret = flowps_find_entry(pstp, address, ¤t_entry); if(ret == FLOW_NOTFOUND) { ret = flowps_add_entry(pstp, tr_pos, address, ¤t_entry); if(ret != FLOW_SUCCESS) { /* tracker failed horribly */#ifndef WIN32 flow_printf("flowps_add_entry check failed in %s\n", __func__);#else flow_printf("flowps_add_entry check failed in %s(%d)\n", __FILE__, __LINE__);#endif return 0; } } else if(ret != FLOW_SUCCESS) {#ifndef WIN32 flow_printf("bad return for finding the entry %s\n", __func__);#else flow_printf("bad return for finding the entry %s(%d)\n", __FILE__, __LINE__);#endif return 0; } flowps_sliding_winadj(¤t_entry->sliding_talker, cur, &pstp->config.limit_talker); flowps_fixed_winadj(¤t_entry->fixed_talker, cur, &pstp->config.limit_talker); flowps_sliding_winadj(¤t_entry->sliding_scanner, cur, &pstp->config.limit_scanner);