
    1 //--------------------------------------------------------------------------
    2 // Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
    3 //
    4 // This program is free software; you can redistribute it and/or modify it
    5 // under the terms of the GNU General Public License Version 2 as published
    6 // by the Free Software Foundation.  You may not use, modify or distribute
    7 // this program under any other version of the GNU General Public License.
    8 //
    9 // This program is distributed in the hope that it will be useful, but
   10 // WITHOUT ANY WARRANTY; without even the implied warranty of
   11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   12 // General Public License for more details.
   13 //
   14 // You should have received a copy of the GNU General Public License along
   15 // with this program; if not, write to the Free Software Foundation, Inc.,
   16 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
   17 //--------------------------------------------------------------------------
   18 // dpx.cc author Russ Combs <rcombs@sourcefire.com>
   19 
   20 #include "detection/detection_engine.h"
   21 #include "events/event_queue.h"
   22 #include "framework/inspector.h"
   23 #include "framework/module.h"
   24 #include "log/messages.h"
   25 #include "profiler/profiler.h"
   26 #include "protocols/packet.h"
   27 
   28 using namespace snort;
   29 
// Generator / signature ids for the single event this inspector raises.
// DpxModule::get_gid() and dpx_rules below must stay in sync with these.
#define DPX_GID 256
#define DPX_SID 1

// Plugin name and help text; handed to both the Module ctor and dpx_api.
static const char* s_name = "dpx";
static const char* s_help = "dynamic inspector example";

// Per-thread profiler bucket, published via DpxModule::get_profile().
static THREAD_LOCAL ProfileStats dpxPerfStats;

// Per-thread peg counters, published via DpxModule::get_counts();
// Dpx::eval bumps total_packets once per packet it sees.
static THREAD_LOCAL SimpleStats dpxstats;
   39 
   40 //-------------------------------------------------------------------------
   41 // class stuff
   42 //-------------------------------------------------------------------------
   43 
// Inspector half of the plugin: raises one event for each UDP packet
// addressed to the configured destination port whose payload is larger
// than the configured maximum.
class Dpx : public Inspector
{
public:
    // port/max are copied out of the DpxModule that parsed the config
    // (see dpx_ctor).
    Dpx(uint16_t port, uint16_t max);

    // Logs the effective "port" and "max" settings.
    void show(const SnortConfig*) const override;
    // Per-packet hook; the api registers for PROTO_BIT__UDP only.
    void eval(Packet*) override;

private:
    uint16_t port;   // destination port being watched
    uint16_t max;    // largest payload (bytes) that does NOT alert
};
   56 
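// Build an inspector watching destination port `p`; payloads larger than
// `m` bytes queue the DPX event. Members are set via the initializer list
// rather than assigned in the body.
Dpx::Dpx(uint16_t p, uint16_t m) : port(p), max(m)
{ }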
   62 
// Log the two tunables, in the same order they appear in dpx_params.
void Dpx::show(const SnortConfig*) const
{
    auto emit = [](const char* key, uint16_t val)
    { ConfigLogger::log_value(key, val); };

    emit("port", port);
    emit("max", max);
}
   68 
// Per-packet check. Queues DPX_GID:DPX_SID when the packet is addressed to
// the watched port and carries more than `max` bytes of payload; a payload
// of exactly `max` bytes does not alert. Every packet is counted.
void Dpx::eval(Packet* p)
{
    // precondition - what we registered for (PROTO_BIT__UDP in dpx_api)
    assert(p->is_udp());

    const bool to_watched_port = (port == p->ptrs.dp);
    const bool oversized = (max < p->dsize);

    if ( to_watched_port && oversized )
        DetectionEngine::queue_event(DPX_GID, DPX_SID);

    // counted whether or not an event was queued
    ++dpxstats.total_packets;
}
   79 
   80 //-------------------------------------------------------------------------
   81 // module stuff
   82 //-------------------------------------------------------------------------
   83 
// Configuration schema for the "dpx" module; DpxModule::set() accepts
// exactly these two keys.
static const Parameter dpx_params[] =
{
    // NOTE(review): no default here, so DpxModule::port is presumably left
    // untouched when the config omits "port" - confirm against the
    // framework's default handling.
    { "port", Parameter::PT_PORT, nullptr, nullptr,
      "port to check" },

    // range matches uint16_t; if the default of "0" is applied, any
    // non-empty payload to the port alerts (Dpx::eval tests dsize > max)
    { "max", Parameter::PT_INT, "0:65535", "0",
      "maximum payload before alert" },

    // terminator
    { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
   94 
// Rule text for the events this module can raise (sid -> message);
// returned by DpxModule::get_rules(). Terminated by a zero sid.
static const RuleMap dpx_rules[] =
{
    { DPX_SID, "too much data sent to port" },
    { 0, nullptr }
};
  100 
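// Module half of the plugin: holds the parsed configuration and exposes
// the gid, rule map, peg counters and profiler stats to the framework.
class DpxModule : public Module
{
public:
    DpxModule() : Module(s_name, s_help, dpx_params)
    { }

    // same generator id Dpx::eval passes to queue_event
    unsigned get_gid() const override
    { return DPX_GID; }

    const RuleMap* get_rules() const override
    { return dpx_rules; }

    const PegInfo* get_pegs() const override
    { return simple_pegs; }

    // The framework reads the counters as a PegCount array; dpxstats is a
    // SimpleStats, so the pointer is reinterpreted (named cast instead of
    // the C-style one so the intent is greppable).
    PegCount* get_counts() const override
    { return reinterpret_cast<PegCount*>(&dpxstats); }

    ProfileStats* get_profile() const override
    { return &dpxPerfStats; }

    // Accepts "port" and "max" only; defined below.
    bool set(const char*, Value& v, SnortConfig*) override;

    Usage get_usage() const override
    { return INSPECT; }

public:
    // Parsed values, read by dpx_ctor. Zero-initialized so that a config
    // which omits "port" (no default in dpx_params) cannot hand an
    // indeterminate value to the inspector.
    uint16_t port = 0;
    uint16_t max = 0;
};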
  131 
// Store one parsed parameter. Returns false for any key other than
// "port" / "max". "max" is range-checked to 0:65535 by dpx_params, and
// PT_PORT presumably bounds "port" the same way, so the narrowing to
// uint16_t is expected to be lossless.
bool DpxModule::set(const char*, Value& v, SnortConfig*)
{
    if ( v.is("port") )
    {
        port = static_cast<uint16_t>(v.get_long());
        return true;
    }

    if ( v.is("max") )
    {
        max = static_cast<uint16_t>(v.get_long());
        return true;
    }

    // unknown key
    return false;
}
  145 
  146 //-------------------------------------------------------------------------
  147 // api stuff
  148 //-------------------------------------------------------------------------
  149 
// Framework hook: allocate the module. Ownership passes to the caller,
// which hands it back to mod_dtor.
static Module* mod_ctor()
{
    Module* m = new DpxModule();
    return m;
}
  152 
// Framework hook paired with mod_ctor in dpx_api. Deleting through the
// base pointer is only well-defined if Module's destructor is virtual.
static void mod_dtor(Module* m)
{ delete m; }
  155 
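// Framework hook: build the inspector from the parsed module. `m` is
// expected to be the DpxModule produced by mod_ctor (the two are paired
// in dpx_api), so a static_cast expresses the downcast instead of the
// unchecked C-style cast.
static Inspector* dpx_ctor(Module* m)
{
    DpxModule* mod = static_cast<DpxModule*>(m);
    return new Dpx(mod->port, mod->max);
}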
  161 
// Framework hook paired with dpx_ctor in dpx_api. Deleting through the
// base pointer is only well-defined if Inspector's destructor is virtual.
static void dpx_dtor(Inspector* p)
{
    delete p;
}
  166 
// Plugin descriptor handed to the framework via snort_plugins. The base
// block pairs mod_ctor/mod_dtor; the inspector block pairs
// dpx_ctor/dpx_dtor and registers for UDP only, which is the
// precondition Dpx::eval asserts.
static const InspectApi dpx_api
{
    {
        PT_INSPECTOR,
        sizeof(InspectApi),
        INSAPI_VERSION,
        0,
        API_RESERVED,
        API_OPTIONS,
        s_name,
        s_help,
        mod_ctor,
        mod_dtor
    },
    IT_NETWORK,
    PROTO_BIT__UDP,
    nullptr, // buffers
    nullptr, // service
    nullptr, // pinit
    nullptr, // pterm
    nullptr, // tinit
    nullptr, // tterm
    dpx_ctor,
    dpx_dtor,
    nullptr, // ssn
    nullptr  // reset
};
  194 
// Exported plugin table the loader looks up in this shared object;
// null-terminated, one entry per plugin (only dpx here).
SO_PUBLIC const BaseApi* snort_plugins[] =
{
    &dpx_api.base,
    nullptr
};