
Source code changes of the file "src/network_inspectors/rna/rna_pnd.cc" between
snort3-3.1.31.0.tar.gz and snort3-3.1.32.0.tar.gz

About: Snort 3 is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.

rna_pnd.cc  (snort3-3.1.31.0):rna_pnd.cc  (snort3-3.1.32.0)
return true; return true;
} }
bool RnaPnd::analyze_netflow(snort::DataEvent& event) bool RnaPnd::analyze_netflow(snort::DataEvent& event)
{ {
const Packet* p = event.get_packet(); const Packet* p = event.get_packet();
if ( !p ) if ( !p )
return false; return false;
const auto& src_ip = p->ptrs.ip_api.get_src();
const auto& src_ip_ptr = (const struct in6_addr*) src_ip->get_ip6_ptr();
const auto& src_mac = layer::get_eth_layer(p)->ether_src;
NetflowEvent* nfe = static_cast<NetflowEvent*>(&event); NetflowEvent* nfe = static_cast<NetflowEvent*>(&event);
const NetflowSessionRecord* nf_record = nfe->get_record();
// process host and service log events if (nfe->get_create_host())
UNUSED(src_ip_ptr); analyze_netflow_host(nfe);
UNUSED(src_mac);
UNUSED(nf_record); if (nfe->get_create_service())
analyze_netflow_service(nfe);
return true; return true;
} }
void RnaPnd::analyze_netflow_host(NetflowEvent* nfe)
{
const Packet* p = nfe->get_packet();
if ( !p )
return;
bool new_host = false;
const auto& src_ip = nfe->get_record()->initiator_ip;
const auto& src_ip_ptr = (const struct in6_addr*) src_ip.get_ip6_ptr();
auto ht = find_or_create_host_tracker(src_ip, new_host);
if ( !new_host )
ht->update_last_seen();
const uint8_t src_mac[6] = {0};
if ( new_host )
logger.log(RNA_EVENT_NEW, NEW_HOST, p, &ht, src_ip_ptr, src_mac);
uint16_t ptype = rna_get_eth(p);
if ( ptype > to_utype(ProtocolId::ETHERTYPE_MINIMUM) )
{
if ( ht->add_network_proto(ptype) )
logger.log(RNA_EVENT_NEW, NEW_NET_PROTOCOL, p, &ht, ptype, src_mac,
src_ip_ptr,
packet_time());
}
ptype = to_utype(p->get_ip_proto_next());
if ( ht->add_xport_proto(ptype) )
logger.log(RNA_EVENT_NEW, NEW_XPORT_PROTOCOL, p, &ht, ptype, src_mac, sr
c_ip_ptr,
packet_time());
if ( !new_host )
generate_change_host_update(&ht, p, &src_ip, src_mac, packet_time());
}
void RnaPnd::analyze_netflow_service(NetflowEvent* nfe)
{
const Packet* p = nfe->get_packet();
if ( !p )
return;
bool new_host = false;
const auto& src_ip = nfe->get_record()->initiator_ip;
const auto& mac_addr = layer::get_eth_layer(p)->ether_src;
uint32_t service = nfe->get_service_id();
uint16_t port = nfe->get_record()->responder_port;
IpProtocol proto = (IpProtocol) nfe->get_record()->proto;
auto ht = find_or_create_host_tracker(src_ip, new_host);
ht->update_last_seen();
bool is_new = false;
auto ha = ht->add_service(port, proto, (uint32_t) packet_time(), is_new, ser
vice);
if ( is_new )
{
if ( proto == IpProtocol::TCP )
logger.log(RNA_EVENT_NEW, NEW_TCP_SERVICE, p, &ht,
(const struct in6_addr*) src_ip.get_ip6_ptr(), mac_addr, &ha);
else
logger.log(RNA_EVENT_NEW, NEW_UDP_SERVICE, p, &ht,
(const struct in6_addr*) src_ip.get_ip6_ptr(), mac_addr, &ha);
ha.hits = 0;
ht->update_service(ha);
}
}
void RnaPnd::discover_network_icmp(const Packet* p) void RnaPnd::discover_network_icmp(const Packet* p)
{ {
discover_network(p, 0); discover_network(p, 0);
} }
void RnaPnd::discover_network_ip(const Packet* p) void RnaPnd::discover_network_ip(const Packet* p)
{ {
discover_network(p, p->ptrs.ip_api.ttl()); discover_network(p, p->ptrs.ip_api.ttl());
} }
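Review bot: `analyze_netflow_service` dereferences `layer::get_eth_layer(p)->ether_src` without checking the result, so a NetFlow packet that arrives without an Ethernet layer would be a null dereference if `get_eth_layer` can return null (the removed code in `analyze_netflow` had the same pattern); guard it, e.g. `const auto* eth = layer::get_eth_layer(p); if ( !eth ) return;`, or fall back to a zeroed MAC as the host path does. The host path is also inconsistent with the service path: `analyze_netflow_host` logs an all-zero `src_mac` while the service path logs the carrier packet's `ether_src`, and the host path takes `rna_get_eth(p)` and `p->get_ip_proto_next()` from the packet that delivered the record rather than from the record's `proto` as the service path does — presumably those describe the exporter's packet, not the initiator host, so verify which is intended. A short comment in each function stating which source (record fields vs. carrier packet) is authoritative for the tracked host would make that decision explicit, and the C-style casts `(IpProtocol)` and `(const struct in6_addr*)` should be spelled as `static_cast`/`reinterpret_cast`.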
 End of changes. 4 change blocks. 
8 lines changed or deleted 77 lines changed or added
