
Source code changes of the file "src/detection/fp_detect.cc" between
snort3-3.1.36.0.tar.gz and snort3-3.1.38.0.tar.gz

About: Snort 3 is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.

fp_detect.cc  (snort3-3.1.36.0):fp_detect.cc  (snort3-3.1.38.0)
skipping to change at line 339 skipping to change at line 339
return true; return true;
} }
int fp_eval_option(void* v, Cursor& c, Packet* p) int fp_eval_option(void* v, Cursor& c, Packet* p)
{ {
IpsOption* opt = (IpsOption*)v; IpsOption* opt = (IpsOption*)v;
return opt->eval(c, p); return opt->eval(c, p);
} }
static int detection_option_tree_evaluate(detection_option_tree_root_t* root, static void detection_option_tree_evaluate(detection_option_tree_root_t* root,
detection_option_eval_data_t& eval_data) detection_option_eval_data_t& eval_data)
{ {
assert(root); assert(root);
RuleLatency::Context rule_latency_ctx(root, eval_data.p); RuleLatency::Context rule_latency_ctx(root, eval_data.p);
if ( RuleLatency::suspended() ) if ( RuleLatency::suspended() )
return 0; return;
Cursor c(eval_data.p); Cursor c(eval_data.p);
int rval = 0;
debug_log(detection_trace, TRACE_RULE_EVAL, eval_data.p, "Starting tree eval \n"); debug_log(detection_trace, TRACE_RULE_EVAL, eval_data.p, "Starting tree eval \n");
for ( int i = 0; i < root->num_children; ++i ) for ( int i = 0; i < root->num_children; ++i )
{ {
// Increment number of events generated from that child detection_option_node_evaluate(root->children[i], eval_data, c);
rval += detection_option_node_evaluate(root->children[i], eval_data, c);
} }
clear_trace_cursor_info(); clear_trace_cursor_info();
return rval;
} }
static void rule_tree_match( static void rule_tree_match(
IpsContext* context, void* user, void* tree, int index, void* neg_list) IpsContext* context, void* user, void* tree, int index, void* neg_list)
{ {
PMX* pmx = (PMX*)user; PMX* pmx = (PMX*)user;
detection_option_eval_data_t eval_data; detection_option_eval_data_t eval_data(context->packet);
eval_data.p = context->packet;
eval_data.pmd = pmx->pmd; eval_data.pmd = pmx->pmd;
eval_data.flowbit_failed = 0;
eval_data.flowbit_noalert = 0;
print_pattern(pmx->pmd, eval_data.p); print_pattern(pmx->pmd, eval_data.p);
{ {
/* NOTE: The otn will be the first one in the match state. If there are /* NOTE: The otn will be the first one in the match state. If there are
* multiple rules associated with a match state, mucking with the otn * multiple rules associated with a match state, mucking with the otn
* may muck with an unintended rule */ * may muck with an unintended rule */
/* Set flag for not contents so they aren't evaluated */ /* Set flag for not contents so they aren't evaluated */
for ( NCListNode* ncl = (NCListNode*)neg_list; ncl != nullptr; ncl = ncl ->next) for ( NCListNode* ncl = (NCListNode*)neg_list; ncl != nullptr; ncl = ncl ->next)
skipping to change at line 402 skipping to change at line 395
last_check->ts.tv_usec = eval_data.p->pkth->ts.tv_usec; last_check->ts.tv_usec = eval_data.p->pkth->ts.tv_usec;
last_check->run_num = get_run_num(); last_check->run_num = get_run_num();
last_check->context_num = context->context_num; last_check->context_num = context->context_num;
last_check->rebuild_flag = (eval_data.p->packet_flags & PKT_REBUILT_ STREAM); last_check->rebuild_flag = (eval_data.p->packet_flags & PKT_REBUILT_ STREAM);
} }
if ( !tree ) if ( !tree )
return; return;
detection_option_tree_root_t* root = (detection_option_tree_root_t*)tree ; detection_option_tree_root_t* root = (detection_option_tree_root_t*)tree ;
int ret = detection_option_tree_evaluate(root, eval_data);
if ( ret ) detection_option_tree_evaluate(root, eval_data);
if ( eval_data.leaf_reached )
pmqs.qualified_events++; pmqs.qualified_events++;
else else
pmqs.non_qualified_events++; pmqs.non_qualified_events++;
} }
if (eval_data.flowbit_failed) if (eval_data.flowbit_failed)
return; return;
/* If this is for an IP rule set, evaluate the rules from /* If this is for an IP rule set, evaluate the rules from
* the inner IP offset as well */ * the inner IP offset as well */
skipping to change at line 1032 skipping to change at line 1026
} }
} }
do do
{ {
if (port_group->nfp_rule_count) if (port_group->nfp_rule_count)
{ {
// walk and test the nfp OTNs // walk and test the nfp OTNs
if ( fp->get_debug_print_nc_rules() ) if ( fp->get_debug_print_nc_rules() )
LogMessage("NC-testing %u rules\n", port_group->nfp_rule_count); LogMessage("NC-testing %u rules\n", port_group->nfp_rule_count);
detection_option_eval_data_t eval_data; detection_option_eval_data_t eval_data(p);
eval_data.p = p; debug_log(detection_trace, TRACE_RULE_EVAL, p,
eval_data.pmd = nullptr; "Testing non-content rules\n");
eval_data.flowbit_failed = 0;
eval_data.flowbit_noalert = 0;
int rval = 0; detection_option_tree_root_t* root = (detection_option_tree_root_t*)
{ port_group->nfp_tree;
debug_log(detection_trace, TRACE_RULE_EVAL, p,
"Testing non-content rules\n"); detection_option_tree_evaluate(root, eval_data);
rval = detection_option_tree_evaluate(
(detection_option_tree_root_t*)port_group->nfp_tree, eval_da
ta);
}
if (rval) if (eval_data.leaf_reached)
pmqs.qualified_events++; pmqs.qualified_events++;
else else
pmqs.non_qualified_events++; pmqs.non_qualified_events++;
pc.hard_evals++; pc.hard_evals++;
} }
// FIXIT-L should really be logging any events based on curr_ip_layer // FIXIT-L should really be logging any events based on curr_ip_layer
if (ip_rule) if (ip_rule)
{ {
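Review bot: The non-content path in the third hunk no longer sets `eval_data.pmd = nullptr` before calling `detection_option_tree_evaluate`, so correct behaviour now depends on `detection_option_eval_data_t(Packet*)` defaulting `pmd`, `flowbit_failed`, `flowbit_noalert` and the new `leaf_reached` member; that constructor is not in this diff, so it should be confirmed that every member the evaluator reads has a default initializer rather than leaving `pmd` indeterminate. The same hunk also casts `port_group->nfp_tree` and passes it to a function that only `assert(root)`s, while `rule_tree_match` in the earlier hunk keeps an explicit `if ( !tree ) return;` guard; unless `nfp_rule_count > 0` is known to imply a non-null `nfp_tree`, a release build would dereference a null root. A one-line guard matching the other call site, `if ( !root ) break;` placed after the cast (the `do` loop's body continues outside the hunk), or a comment stating the invariant, would make the assumption explicit. Both enclosing functions start and end outside the hunks shown.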
 End of changes. 13 change blocks. 
27 lines changed or deleted 15 lines changed or added
