"Fossies" - the Fresh Open Source Software Archive

Member "snort3_extra-3.0.3-1/src/ips_options/ips_wscale/ips_wscale.cc" (23 Sep 2020, 5013 Bytes) of package /linux/misc/snort3_extra-3.0.3-1.tar.gz:



    1 //--------------------------------------------------------------------------
    2 // Copyright (C) 2017-2020 Cisco and/or its affiliates. All rights reserved.
    3 //
    4 // This program is free software; you can redistribute it and/or modify it
    5 // under the terms of the GNU General Public License Version 2 as published
    6 // by the Free Software Foundation.  You may not use, modify or distribute
    7 // this program under any other version of the GNU General Public License.
    8 //
    9 // This program is distributed in the hope that it will be useful, but
   10 // WITHOUT ANY WARRANTY; without even the implied warranty of
   11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   12 // General Public License for more details.
   13 //
   14 // You should have received a copy of the GNU General Public License along
   15 // with this program; if not, write to the Free Software Foundation, Inc.,
   16 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
   17 //--------------------------------------------------------------------------
   18 
   19 // ips_wscale.cc author Russ Combs <rucombs@cisco.com>
   20 
   21 #include "framework/ips_option.h"
   22 #include "framework/module.h"
   23 #include "framework/range.h"
   24 #include "hash/hash_key_operations.h"
   25 #include "profiler/profiler.h"
   26 #include "protocols/packet.h"
   27 #include "protocols/tcp.h"
   28 #include "protocols/tcp_options.h"
   29 
   30 using namespace snort;
   31 
// Rule-option keyword and its help text. Both are handed to the Module
// constructor by WscaleModule and published in the plugin API table
// (wscale_api) in this file; s_name is also what operator==() compares against.
static const char* s_name = "wscale";
static const char* s_help = "detection for TCP window scale";

// Profiling counters for this option, declared THREAD_LOCAL. They are updated
// through the Profile object created in TcpWscaleOption::eval() and exposed by
// WscaleModule::get_profile().
static THREAD_LOCAL ProfileStats tcpWscalePerfStats;
   36 
   37 //-------------------------------------------------------------------------
   38 // option
   39 //-------------------------------------------------------------------------
   40 
// IPS rule option "wscale": matches a packet when the value taken from its
// TCP window scale option satisfies the range written in the rule.
class TcpWscaleOption : public IpsOption
{
public:
    // Stores its own copy of the range parsed by the module, so the option
    // keeps working independently of the module object it was built from.
    TcpWscaleOption(const RangeCheck& range) :
        IpsOption(s_name), config(range)
    { }

    // Both are computed from the option name and the configured range only.
    uint32_t hash() const override;
    bool operator==(const IpsOption&) const override;

    // Per-packet evaluation; the cursor argument is not used by this option.
    EvalStatus eval(Cursor&, Packet*) override;

private:
    // Operator and bounds taken from the rule text.
    RangeCheck config;
};
   55 
// Hash of this option: the range operator, both bounds and the option name
// are mixed together, and the last mixing word is returned.
uint32_t TcpWscaleOption::hash() const
{
    // Seed the three mixing words from the range. Each field is converted to
    // 32 bits here, so a wider bound type would be truncated.
    uint32_t a = config.op;
    uint32_t b = config.min;
    uint32_t c = config.max;

    // Fold in the option name, then run the final mixing step.
    mix_str(a, b, c, get_name());
    finalize(a, b, c);

    return c;
}
   69 
// Two options are equal when the other one is also a "wscale" option and
// carries the same range.
bool TcpWscaleOption::operator==(const IpsOption& ips) const
{
    // The name check is the only type check performed before the downcast
    // below, so it must stay in front of it.
    const bool same_kind = ( strcmp(s_name, ips.get_name()) == 0 );

    if ( !same_kind )
        return false;

    const auto& other = static_cast<const TcpWscaleOption&>(ips);
    return config == other.config;
}
   78 
// Finds the TCP window scale option in a packet.
//
// Returns true and writes the first data element of the first WSCALE option
// to 'wscale'. Returns false, leaving 'wscale' untouched, when the packet has
// no TCP header pointer or carries no WSCALE option.
static bool get_wscale(Packet* p, uint16_t& wscale)
{
    const auto* tcph = p->ptrs.tcph;

    if ( !tcph )
        return false;

    tcp::TcpOptIterator options(tcph, p);

    for (const auto& opt : options)
    {
        if (opt.code != tcp::TcpOptCode::WSCALE)
            continue;

        // NOTE(review): data[0] is read without looking at the option's own
        // length here. This is packet-controlled input, so it relies on the
        // decoder / TcpOptIterator only yielding options whose length was
        // already validated -- confirm against the iterator implementation.
        wscale = opt.data[0];
        return true;
    }

    return false;
}
   96 
// Returns MATCH when the packet carries a TCP window scale option whose value
// passes the configured range check, NO_MATCH otherwise (including packets
// without a TCP header or without the option).
IpsOption::EvalStatus TcpWscaleOption::eval(Cursor&, Packet* p)
{
    // Scoped profiling object bound to this option's counters.
    Profile profile(tcpWscalePerfStats);

    uint16_t scale = 0;

    if ( !get_wscale(p, scale) )
        return NO_MATCH;

    return config.eval(scale) ? MATCH : NO_MATCH;
}
  107 
  108 //-------------------------------------------------------------------------
  109 // module
  110 //-------------------------------------------------------------------------
  111 
// Interval accepted for the rule argument. It is used both as the parameter's
// declared range below and as the limit passed to data.validate() in
// WscaleModule::set().
// NOTE(review): the TCP window scale option carries a one-octet shift count,
// and RFC 7323 caps the usable shift at 14. A rule with bounds above 255 is
// accepted by this interval but can never match; values above 14 seen on the
// wire are anomalous, which is what a detection rule would typically target.
#define RANGE "0:65535"

static const Parameter s_params[] =
{
    // The option's only argument. The leading '~' is Snort's convention for
    // an argument that is written in the rule without a keyword.
    { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
      "check if TCP window scale is in given range" },

    // Terminating entry of the parameter table.
    { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
  121 
// Configuration module for the "wscale" option: parses the rule argument into
// a RangeCheck that wscale_ctor() later copies into the option instance.
class WscaleModule : public Module
{
public:
    WscaleModule() : Module(s_name, s_help, s_params)
    { }

    // begin() resets the parsed range; set() fills it from the "~range" value.
    bool begin(const char*, int, SnortConfig*) override;
    bool set(const char*, Value&, SnortConfig*) override;

    // Counters updated by TcpWscaleOption::eval().
    ProfileStats* get_profile() const override
    {
        return &tcpWscalePerfStats;
    }

    Usage get_usage() const override
    {
        return DETECT;
    }

    // Parsed range; public because wscale_ctor() reads it directly.
    RangeCheck data;
};
  139 
// Resets the stored range before a new option instance is parsed, so values
// from a previously parsed rule do not carry over. Always reports success.
bool WscaleModule::begin(const char*, int, SnortConfig*)
{
    data.init();
    return true;
}
  145 
// Accepts the "~range" argument and parses it into 'data'.
// Returns false for any other parameter, or when the range text is rejected
// by validate() against the RANGE limits.
bool WscaleModule::set(const char*, Value& v, SnortConfig*)
{
    if ( v.is("~range") )
        return data.validate(v.get_string(), RANGE);

    return false;
}
  153 
  154 //-------------------------------------------------------------------------
  155 // api methods
  156 //-------------------------------------------------------------------------
  157 
// Plugin API hook: allocates the module. Ownership passes to the caller, and
// the object is released again through mod_dtor().
static Module* mod_ctor()
{
    return new WscaleModule();
}
  162 
// Plugin API hook: releases a module allocated by mod_ctor(). The delete goes
// through the Module base pointer.
static void mod_dtor(Module* m)
{
    delete m;
}
  167 
// Plugin API hook: builds the option from the range the module has parsed.
// The module pointer is downcast without a runtime check; it is expected to
// be the WscaleModule produced by mod_ctor() for this plugin.
static IpsOption* wscale_ctor(Module* p, OptTreeNode*)
{
    auto* mod = static_cast<WscaleModule*>(p);
    return new TcpWscaleOption(mod->data);
}
  173 
// Plugin API hook: releases an option allocated by wscale_ctor(). The delete
// goes through the IpsOption base pointer.
static void wscale_dtor(IpsOption* p)
{
    delete p;
}
  178 
// Plugin descriptor for the "wscale" IPS option. Its base part is what
// snort_plugins[] exports.
static const IpsApi wscale_api =
{
    // Common plugin header.
    {
        PT_IPS_OPTION,
        sizeof(IpsApi),
        IPSAPI_VERSION,
        0,
        API_RESERVED,
        API_OPTIONS,
        s_name,     // "wscale"
        s_help,
        mod_ctor,   // allocates the WscaleModule
        mod_dtor    // releases it
    },
    OPT_TYPE_DETECTION,
    // presumably the per-rule usage limit and the protocol mask -- confirm
    // against the IpsApi declaration
    1, PROTO_BIT__TCP,
    nullptr, // pinit
    nullptr, // pterm
    nullptr, // tinit
    nullptr, // tterm
    wscale_ctor,    // builds a TcpWscaleOption from the module's parsed range
    wscale_dtor,    // releases it
    nullptr
};
  203 
// Exported, null-terminated table of the plugins provided by this shared
// object; it holds the single "wscale" option descriptor.
SO_PUBLIC const BaseApi* snort_plugins[] =
{
    &wscale_api.base,
    nullptr
};
  209