1 //--------------------------------------------------------------------------
2 // Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
3 //
4 // This program is free software; you can redistribute it and/or modify it
5 // under the terms of the GNU General Public License Version 2 as published
6 // by the Free Software Foundation. You may not use, modify or distribute
7 // this program under any other version of the GNU General Public License.
8 //
9 // This program is distributed in the hope that it will be useful, but
10 // WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 // General Public License for more details.
13 //
14 // You should have received a copy of the GNU General Public License along
15 // with this program; if not, write to the Free Software Foundation, Inc.,
16 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 //--------------------------------------------------------------------------
18 // dpx.cc author Russ Combs <rcombs@sourcefire.com>
19
20 #include "detection/detection_engine.h"
21 #include "events/event_queue.h"
22 #include "framework/inspector.h"
23 #include "framework/module.h"
24 #include "log/messages.h"
25 #include "profiler/profiler.h"
26 #include "protocols/packet.h"
27 #include "trace/trace_api.h"
28
29 using namespace snort;
30
#define DPX_GID 256   // generator id for this plugin's events; also returned by DpxModule::get_gid
#define DPX_SID 1     // signature id of the single entry in dpx_rules

// plugin name and help text, shared by DpxModule's ctor and the InspectApi below
static const char* s_name = "dpx";
static const char* s_help = "dynamic inspector example";

// per-thread profiling bucket handed out by DpxModule::get_profile
static THREAD_LOCAL ProfileStats dpxPerfStats;

// per-thread peg counters; total_packets is bumped in Dpx::eval and read via DpxModule::get_counts
static THREAD_LOCAL SimpleStats dpxstats;

// per-thread trace handle installed by DpxModule::set_trace and consumed by trace_logf in Dpx::eval
THREAD_LOCAL const Trace* dpx_trace = nullptr;
42
43 //-------------------------------------------------------------------------
44 // class stuff
45 //-------------------------------------------------------------------------
46
// Example inspector: alerts when a UDP packet addressed to the configured
// port carries more than `max` bytes of payload. Instances are built by
// dpx_ctor from the values DpxModule parsed.
class Dpx : public Inspector
{
public:
    // port: destination port to watch; max: largest payload size that does not alert
    Dpx(uint16_t port, uint16_t max);

    // dumps the configured values through ConfigLogger
    void show(const SnortConfig*) const override;
    // per-packet hook; asserts the packet is UDP (dpx_api registers PROTO_BIT__UDP)
    void eval(Packet*) override;

private:
    uint16_t port;
    uint16_t max;
};
59
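// Copies the configured port and payload limit. No range checks are done here;
// the Parameter table in this file types port as PT_PORT and bounds max to 0:65535,
// so the values are presumably already validated by the time the module is read.
// Members are set in the initializer list rather than assigned in the body.
Dpx::Dpx(uint16_t p, uint16_t m) : port(p), max(m)
{ }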
65
// Reports this instance's configuration through the config logger.
void Dpx::show(const SnortConfig*) const
{
    const uint16_t watched_port = this->port;
    const uint16_t payload_limit = this->max;

    ConfigLogger::log_value("port", watched_port);
    ConfigLogger::log_value("max", payload_limit);
}
71
// Per-packet hook. Raises the DPX_SID event when a packet to the configured
// port carries more payload than max, and counts every packet seen either way.
void Dpx::eval(Packet* p)
{
    // precondition - what we registered for (PROTO_BIT__UDP in dpx_api).
    // This assert is compiled out in NDEBUG builds; the api's proto bits are
    // presumably what actually keep non-UDP traffic away from this hook.
    assert(p->is_udp());

    // reading dsize has no side effects, so evaluating both flags up front
    // is equivalent to the short-circuit form
    const bool to_watched_port = (p->ptrs.dp == port);
    const bool oversized = (p->dsize > max);

    if ( to_watched_port and oversized )
    {
        trace_logf(dpx_trace, p, "destination port: %d, packet payload size: %d.\n",
            p->ptrs.dp, p->dsize);
        DetectionEngine::queue_event(DPX_GID, DPX_SID);
    }

    dpxstats.total_packets++;
}
86
87 //-------------------------------------------------------------------------
88 // module stuff
89 //-------------------------------------------------------------------------
90
// configuration parameters; the PT_MAX entry terminates the table
static const Parameter dpx_params[] =
{
    // no default value: if the config omits it, DpxModule::set is presumably
    // never called for "port" and DpxModule::port keeps whatever it held
    { "port", Parameter::PT_PORT, nullptr, nullptr,
      "port to check" },

    // defaults to 0, so until raised any non-empty payload to the port alerts
    // (Dpx::eval compares dsize > max)
    { "max", Parameter::PT_INT, "0:65535", "0",
      "maximum payload before alert" },

    { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};

// rules this module raises under DPX_GID (see DpxModule::get_gid); null-terminated
static const RuleMap dpx_rules[] =
{
    { DPX_SID, "too much data sent to port" },
    { 0, nullptr }
};
107
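// Module half of the plugin: receives the "port"/"max" parameter values and
// exposes the rule map, peg counters, profiler bucket and trace hook to the
// framework. dpx_ctor reads the public port/max members to build the inspector.
class DpxModule : public Module
{
public:
    DpxModule() : Module(s_name, s_help, dpx_params)
    { }

    // generator id shared with DetectionEngine::queue_event in Dpx::eval
    unsigned get_gid() const override
    { return DPX_GID; }

    const RuleMap* get_rules() const override
    { return dpx_rules; }

    const PegInfo* get_pegs() const override
    { return simple_pegs; }

    // dpxstats is handed out as a PegCount array (presumably laid out per
    // simple_pegs); the type pun is spelled out instead of a C-style cast
    PegCount* get_counts() const override
    { return reinterpret_cast<PegCount*>(&dpxstats); }

    ProfileStats* get_profile() const override
    { return &dpxPerfStats; }

    // stores a parsed parameter value into port or max; defined below
    bool set(const char*, Value& v, SnortConfig*) override;

    Usage get_usage() const override
    { return INSPECT; }

    void set_trace(const Trace*) const override;
    const TraceOption* get_trace_options() const override;

public:
    // zero-initialized so dpx_ctor never reads an indeterminate value when a
    // parameter was not supplied ("port" has no default in dpx_params)
    uint16_t port = 0;
    uint16_t max = 0;
};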
141
// Stores a parsed configuration value into the matching public member.
// Always reports success; values not recognized here are left alone.
bool DpxModule::set(const char*, Value& v, SnortConfig*)
{
    if ( v.is("port") )
    {
        port = v.get_uint16();
        return true;
    }

    if ( v.is("max") )
    {
        max = v.get_uint16();
        return true;
    }

    return true;
}
152
// Installs the per-thread trace handle that trace_logf uses in Dpx::eval.
void DpxModule::set_trace(const Trace* trace) const
{
    dpx_trace = trace;
}
155
// No trace modules are defined, so a single empty TraceOption is handed back.
const TraceOption* DpxModule::get_trace_options() const
{
    static const TraceOption no_options(nullptr, 0, nullptr);
    return &no_options;
}
161
162 //-------------------------------------------------------------------------
163 // api stuff
164 //-------------------------------------------------------------------------
165
// Framework callback: allocates the module; ownership goes to the caller,
// which releases it through mod_dtor.
static Module* mod_ctor()
{
    return new DpxModule();
}
168
// Framework callback: frees a module allocated by mod_ctor.
static void mod_dtor(Module* m)
{
    delete m;
}
171
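// Framework callback: builds the inspector from the values the module parsed.
// m is expected to be the DpxModule created by mod_ctor (presumably the
// framework pairs them), so the downcast is unchecked; a named cast replaces
// the C-style one so the intent is visible.
static Inspector* dpx_ctor(Module* m)
{
    const DpxModule* mod = static_cast<const DpxModule*>(m);
    return new Dpx(mod->port, mod->max);
}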
177
// Framework callback: frees an inspector allocated by dpx_ctor.
static void dpx_dtor(Inspector* p)
{ delete p; }
182
// plugin descriptor handed to the framework through snort_plugins
static const InspectApi dpx_api
{
    {
        PT_INSPECTOR,
        sizeof(InspectApi),
        INSAPI_VERSION,
        0,
        API_RESERVED,
        API_OPTIONS,
        s_name,
        s_help,
        mod_ctor,
        mod_dtor
    },
    IT_NETWORK,
    PROTO_BIT__UDP,  // presumably restricts delivery to UDP; Dpx::eval asserts the same
    nullptr, // buffers
    nullptr, // service
    nullptr, // pinit
    nullptr, // pterm
    nullptr, // tinit
    nullptr, // tterm
    dpx_ctor,
    dpx_dtor,
    nullptr, // ssn
    nullptr  // reset
};

// null-terminated list of plugin apis exported from this shared object
SO_PUBLIC const BaseApi* snort_plugins[] =
{
    &dpx_api.base,
    nullptr
};
216