SnortExtras: src/inspectors/dpx/dpx.cc

"Fossies" - the Fresh Open Source Software Archive

Member "snort3_extra-3.0.3-1/src/inspectors/dpx/dpx.cc" (23 Sep 2020, 4760 Bytes) of package /linux/misc/snort3_extra-3.0.3-1.tar.gz:

As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "dpx.cc" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report:

1.0.0-beta2_vs_3.0.3-1.

1 //-------------------------------------------------------------------------- 2 // Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved. 3 // 4 // This program is free software; you can redistribute it and/or modify it 5 // under the terms of the GNU General Public License Version 2 as published 6 // by the Free Software Foundation. You may not use, modify or distribute 7 // this program under any other version of the GNU General Public License. 8 // 9 // This program is distributed in the hope that it will be useful, but 10 // WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 // General Public License for more details. 13 // 14 // You should have received a copy of the GNU General Public License along 15 // with this program; if not, write to the Free Software Foundation, Inc., 16 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 17 //-------------------------------------------------------------------------- 18 // dpx.cc author Russ Combs <rcombs@sourcefire.com> 19 20 #include "detection/detection_engine.h" 21 #include "events/event_queue.h" 22 #include "framework/inspector.h" 23 #include "framework/module.h" 24 #include "log/messages.h" 25 #include "profiler/profiler.h" 26 #include "protocols/packet.h" 27 28 using namespace snort; 29 30 #define DPX_GID 256 31 #define DPX_SID 1 32 33 static const char* s_name = "dpx"; 34 static const char* s_help = "dynamic inspector example"; 35 36 static THREAD_LOCAL ProfileStats dpxPerfStats; 37 38 static THREAD_LOCAL SimpleStats dpxstats; 39 40 //------------------------------------------------------------------------- 41 // class stuff 42 //------------------------------------------------------------------------- 43 44 class Dpx : public Inspector 45 { 46 public: 47 Dpx(uint16_t port, uint16_t max); 48 49 void show(const SnortConfig*) const override; 50 void eval(Packet*) override; 51 52 private: 53 uint16_t port; 54 uint16_t max; 55 }; 56 57 Dpx::Dpx(uint16_t p, uint16_t m) 58 { 59 port = p; 60 max = m; 61 } 62 63 void Dpx::show(const SnortConfig*) const 64 { 65 ConfigLogger::log_value("port", port); 66 ConfigLogger::log_value("max", max); 67 } 68 69 void Dpx::eval(Packet* p) 70 { 71 // precondition - what we registered for 72 assert(p->is_udp()); 73 74 if ( p->ptrs.dp == port && p->dsize > max ) 75 DetectionEngine::queue_event(DPX_GID, DPX_SID); 76 77 ++dpxstats.total_packets; 78 } 79 80 //------------------------------------------------------------------------- 81 // module stuff 82 //------------------------------------------------------------------------- 83 84 static const Parameter dpx_params[] = 85 { 86 { "port", Parameter::PT_PORT, nullptr, nullptr, 87 "port to check" }, 88 89 { "max", Parameter::PT_INT, "0:65535", "0", 90 "maximum payload before alert" }, 91 92 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } 93 }; 94 95 static const RuleMap dpx_rules[] = 96 { 97 { DPX_SID, "too much data sent to port" }, 98 { 0, nullptr } 99 }; 100 101 class DpxModule : public Module 102 { 103 public: 104 DpxModule() : Module(s_name, s_help, dpx_params) 105 { } 106 107 unsigned get_gid() const override 108 { return DPX_GID; } 109 110 const RuleMap* get_rules() const override 111 { return dpx_rules; } 112 113 const PegInfo* get_pegs() const override 114 { return simple_pegs; } 115 116 PegCount* get_counts() const override 117 { return (PegCount*)&dpxstats; } 118 119 ProfileStats* get_profile() const override 120 { return &dpxPerfStats; } 121 122 bool set(const char*, Value& v, SnortConfig*) override; 123 124 Usage get_usage() const override 125 { return INSPECT; } 126 127 public: 128 uint16_t port; 129 uint16_t max; 130 }; 131 132 bool DpxModule::set(const char*, Value& v, SnortConfig*) 133 { 134 if ( v.is("port") ) 135 port = v.get_long(); 136 137 else if ( v.is("max") ) 138 max = v.get_long(); 139 140 else 141 return false; 142 143 return true; 144 } 145 146 //------------------------------------------------------------------------- 147 // api stuff 148 //------------------------------------------------------------------------- 149 150 static Module* mod_ctor() 151 { return new DpxModule; } 152 153 static void mod_dtor(Module* m) 154 { delete m; } 155 156 static Inspector* dpx_ctor(Module* m) 157 { 158 DpxModule* mod = (DpxModule*)m; 159 return new Dpx(mod->port, mod->max); 160 } 161 162 static void dpx_dtor(Inspector* p) 163 { 164 delete p; 165 } 166 167 static const InspectApi dpx_api 168 { 169 { 170 PT_INSPECTOR, 171 sizeof(InspectApi), 172 INSAPI_VERSION, 173 0, 174 API_RESERVED, 175 API_OPTIONS, 176 s_name, 177 s_help, 178 mod_ctor, 179 mod_dtor 180 }, 181 IT_NETWORK, 182 PROTO_BIT__UDP, 183 nullptr, // buffers 184 nullptr, // service 185 nullptr, // pinit 186 nullptr, // pterm 187 nullptr, // tinit 188 nullptr, // tterm 189 dpx_ctor, 190 dpx_dtor, 191 nullptr, // ssn 192 nullptr // reset 193 }; 194 195 SO_PUBLIC const BaseApi* snort_plugins[] = 196 { 197 &dpx_api.base, 198 nullptr 199 }; 200