
Member "snort3_extra-3.1.53.0/src/ips_options/ips_urg/ips_urg.cc" (20 Dec 2022, 4580 Bytes) of package /linux/misc/snort3_extra-3.1.53.0.tar.gz:



    1 //--------------------------------------------------------------------------
    2 // Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
    3 //
    4 // This program is free software; you can redistribute it and/or modify it
    5 // under the terms of the GNU General Public License Version 2 as published
    6 // by the Free Software Foundation.  You may not use, modify or distribute
    7 // this program under any other version of the GNU General Public License.
    8 //
    9 // This program is distributed in the hope that it will be useful, but
   10 // WITHOUT ANY WARRANTY; without even the implied warranty of
   11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   12 // General Public License for more details.
   13 //
   14 // You should have received a copy of the GNU General Public License along
   15 // with this program; if not, write to the Free Software Foundation, Inc.,
   16 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
   17 //--------------------------------------------------------------------------
   18 
   19 // ips_urg.cc author Russ Combs <rucombs@cisco.com>
   20 
   21 #include "framework/ips_option.h"
   22 #include "framework/module.h"
   23 #include "framework/range.h"
   24 #include "hash/hash_key_operations.h"
   25 #include "profiler/profiler.h"
   26 #include "protocols/packet.h"
   27 #include "protocols/tcp.h"
   28 
   29 using namespace snort;
   30 
   // Rule keyword and its one-line help text. Both are handed to the Module
   // constructor and to the plugin descriptor (urg_api) further down.
   static const char* s_name = "urg";
   static const char* s_help = "detection for TCP urgent pointer";

   // Per-thread profiling counters for this option: eval() scopes a Profile
   // over them and UrgModule::get_profile() returns their address.
   static THREAD_LOCAL ProfileStats tcpUrgPerfStats;
   35 
   36 //-------------------------------------------------------------------------
   37 // option
   38 //-------------------------------------------------------------------------
   39 
   // Rule option behind the `urg` keyword. It keeps its own copy of the range
   // a rule asked for and tests a TCP segment's urgent pointer against it.
   class TcpUrgOption : public IpsOption
   {
   public:
       // Stores a by-value copy of the range parsed by the module.
       TcpUrgOption(const RangeCheck& c)
           : IpsOption(s_name), config(c)
       { }

       // hash() and operator==() are both derived from the option name plus
       // `config`, so two options that compare equal also hash alike.
       uint32_t hash() const override;
       bool operator==(const IpsOption&) const override;

       // Returns MATCH or NO_MATCH for the given packet; the cursor is unused.
       EvalStatus eval(Cursor&, Packet*) override;

   private:
       RangeCheck config;  // operator and bounds taken from the rule text
   };
   54 
   // Hash of this option, built from the configured range (operator, min, max)
   // mixed with the option name. The three range fields are converted to
   // uint32_t before mixing; the final value of `c` is the result.
   uint32_t TcpUrgOption::hash() const
   {
       uint32_t a = config.op;
       uint32_t b = config.min;
       uint32_t c = config.max;

       mix_str(a, b, c, get_name());
       finalize(a, b, c);

       return c;
   }
   68 
   // Equality for rule-option de-duplication: true only when the other option
   // carries the same keyword name and an identical range configuration.
   bool TcpUrgOption::operator==(const IpsOption& ips) const
   {
       const bool same_keyword = ( strcmp(s_name, ips.get_name()) == 0 );

       if ( !same_keyword )
           return false;

       // Unchecked downcast: the name comparison above is the only evidence
       // that `ips` really is a TcpUrgOption. It holds as long as no other
       // option type reports the name "urg".
       const auto& other = static_cast<const TcpUrgOption&>(ips);
       return config == other.config;
   }
   77 
   // Evaluates the rule option against one packet.
   //
   // Returns MATCH only when all three hold: the packet has a decoded TCP
   // header, the URG flag is set, and the urgent pointer value satisfies the
   // configured range. Anything else yields NO_MATCH.
   //
   // Detection caveat: the urgent pointer is consulted only when URG is set,
   // so a segment that carries a non-zero urgent pointer field with URG clear
   // is never matched by this option.
   //
   // `p` is dereferenced without a null check; the caller is assumed to pass
   // a valid packet.
   IpsOption::EvalStatus TcpUrgOption::eval(Cursor&, Packet* p)
   {
       Profile profile(tcpUrgPerfStats);

       const auto* tcp = p->ptrs.tcph;

       // Not TCP (or no TCP header decoded): nothing to compare.
       if ( !tcp )
           return NO_MATCH;

       // Without URG the urgent pointer is not considered at all.
       if ( !tcp->are_flags_set(TH_URG) )
           return NO_MATCH;

       return config.eval(tcp->urp()) ? MATCH : NO_MATCH;
   }
   90 
   91 //-------------------------------------------------------------------------
   92 // module
   93 //-------------------------------------------------------------------------
   94 
   // Allowed interval for the option argument: the full span of the 16-bit TCP
   // urgent pointer. Used both as the declared parameter range below and as
   // the bound passed to RangeCheck::validate() in UrgModule::set().
   #define RANGE "0:65535"

   // Parameter table for the module: one interval argument followed by the
   // terminating entry.
   static const Parameter s_params[] =
   {
       // the single argument of `urg`, an interval within RANGE
       { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
         "check if tcp urgent offset is in given range" },

       // end-of-table marker
       { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
   };
  104 
  // Configuration module for the `urg` rule option. It parses the option's
  // range argument into `data`, which urg_ctor() then copies into a new
  // TcpUrgOption.
  class UrgModule : public Module
  {
  public:
      UrgModule() : Module(s_name, s_help, s_params)
      { }

      // begin() resets `data`; set() validates and stores the range argument.
      bool begin(const char*, int, SnortConfig*) override;
      bool set(const char*, Value&, SnortConfig*) override;

      // Exposes the thread-local profiling counters used by eval().
      ProfileStats* get_profile() const override
      {
          return &tcpUrgPerfStats;
      }

      // This module contributes a detection (rule) option.
      Usage get_usage() const override
      {
          return DETECT;
      }

      // Range parsed from the rule text; public so urg_ctor() can read it.
      RangeCheck data;
  };
  122 
  // Called at the start of parsing an `urg` option: resets the range so no
  // state from a previously parsed rule leaks into this one. Always succeeds.
  bool UrgModule::begin(const char*, int, SnortConfig*)
  {
      data.init();

      return true;
  }
  128 
  // Receives the option's argument and parses it into `data`.
  //
  // Returns the result of RangeCheck::validate(), which is given RANGE as the
  // permitted bounds; a false return rejects the rule's argument.
  bool UrgModule::set(const char*, Value& v, SnortConfig*)
  {
      // NOTE(review): this name check is an assert, so it disappears in builds
      // with NDEBUG. It is an invariant check only; s_params declares "~range"
      // as the sole parameter, and the bounds check below is what actually
      // constrains the value.
      assert(v.is("~range"));

      const bool accepted = data.validate(v.get_string(), RANGE);
      return accepted;
  }
  134 
  135 //-------------------------------------------------------------------------
  136 // api methods
  137 //-------------------------------------------------------------------------
  138 
  // Plugin API hook: allocates the module. Ownership passes to the caller,
  // which releases it through mod_dtor().
  static Module* mod_ctor()
  {
      Module* const created = new UrgModule();
      return created;
  }
  143 
  // Plugin API hook: destroys a module obtained from mod_ctor().
  // Deleting through the Module base pointer presumes Module's destructor is
  // virtual (declared in framework/module.h, not visible here).
  static void mod_dtor(Module* m)
  {
      delete m;
  }
  148 
  // Plugin API hook: builds the rule option from the module's parsed range.
  // The OptTreeNode argument is unused.
  static IpsOption* urg_ctor(Module* p, OptTreeNode*)
  {
      // Unchecked downcast: assumes `p` is the UrgModule produced by
      // mod_ctor() for this plugin.
      auto* urg_mod = static_cast<UrgModule*>(p);

      // The option takes its own copy of the range, so it does not refer back
      // to the module afterwards.
      return new TcpUrgOption(urg_mod->data);
  }
  154 
  // Plugin API hook: destroys an option obtained from urg_ctor().
  // Deleting through the IpsOption base pointer presumes IpsOption's
  // destructor is virtual (declared in framework/ips_option.h, not visible
  // here).
  static void urg_dtor(IpsOption* p)
  {
      delete p;
  }
  159 
  // Plugin descriptor for the `urg` rule option. Field meanings follow the
  // IpsApi / BaseApi declarations in the framework headers, which are not
  // visible here; the comments below name only what the values themselves
  // show.
  static const IpsApi urg_api =
  {
      // base plugin header
      {
          PT_IPS_OPTION,      // plugin kind: IPS rule option
          sizeof(IpsApi),
          IPSAPI_VERSION,
          0,
          API_RESERVED,
          API_OPTIONS,
          s_name,             // keyword: "urg"
          s_help,
          mod_ctor,           // module factory
          mod_dtor            // module destructor
      },
      OPT_TYPE_DETECTION,
      1,                      // presumably the per-rule limit; confirm against IpsApi
      PROTO_BIT__TCP,         // applies to TCP only
      nullptr,                // pinit
      nullptr,                // pterm
      nullptr,                // tinit
      nullptr,                // tterm
      urg_ctor,               // option factory
      urg_dtor,               // option destructor
      nullptr
  };
  184 
  // Exported, null-terminated list of the plugins this shared object provides;
  // here only the `urg` rule option.
  SO_PUBLIC const BaseApi* snort_plugins[] =
  {
      &urg_api.base,
      nullptr     // list terminator
  };
  190