"Fossies" - the Fresh Open Source Software Archive 
Member "snort3_extra-3.1.51.0/src/ips_options/ips_wscale/ips_wscale.cc" (20 Dec 2022, 4991 Bytes) of package /linux/misc/snort3_extra-3.1.51.0.tar.gz:
1 //--------------------------------------------------------------------------
2 // Copyright (C) 2017-2022 Cisco and/or its affiliates. All rights reserved.
3 //
4 // This program is free software; you can redistribute it and/or modify it
5 // under the terms of the GNU General Public License Version 2 as published
6 // by the Free Software Foundation. You may not use, modify or distribute
7 // this program under any other version of the GNU General Public License.
8 //
9 // This program is distributed in the hope that it will be useful, but
10 // WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 // General Public License for more details.
13 //
14 // You should have received a copy of the GNU General Public License along
15 // with this program; if not, write to the Free Software Foundation, Inc.,
16 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 //--------------------------------------------------------------------------
18
19 // ips_wscale.cc author Russ Combs <rucombs@cisco.com>
20
21 #include "framework/ips_option.h"
22 #include "framework/module.h"
23 #include "framework/range.h"
24 #include "hash/hash_key_operations.h"
25 #include "profiler/profiler.h"
26 #include "protocols/packet.h"
27 #include "protocols/tcp.h"
28 #include "protocols/tcp_options.h"
29
30 using namespace snort;
31
// Rule-option keyword and help string. In this file they are passed to the
// IpsOption and Module constructors and placed in the IpsApi table.
32 static const char* s_name = "wscale";
33 static const char* s_help = "detection for TCP window scale";
34
// Profiling counters for this option, declared THREAD_LOCAL. Handed to the
// Profile object in TcpWscaleOption::eval and returned by
// WscaleModule::get_profile.
35 static THREAD_LOCAL ProfileStats tcpWscalePerfStats;
36
37 //-------------------------------------------------------------------------
38 // option
39 //-------------------------------------------------------------------------
40
// IPS rule option that tests the value of the TCP window scale option
// against a configured range.
class TcpWscaleOption : public IpsOption
{
public:
    // Stores its own copy of the range handed over by the module.
    TcpWscaleOption(const RangeCheck& c) : IpsOption(s_name), config(c)
    { }

    // hash() and operator== both take the option name and the configured
    // range into account.
    uint32_t hash() const override;
    bool operator==(const IpsOption&) const override;

    // MATCH when the packet carries a window scale option whose value
    // satisfies the configured range, NO_MATCH otherwise.
    EvalStatus eval(Cursor&, Packet*) override;

private:
    RangeCheck config;  // comparison operator and bounds for this rule option
};
55
// Builds a 32-bit hash from the range operator, both bounds and the option
// name, so that options with the same configuration hash alike.
uint32_t TcpWscaleOption::hash() const
{
    // Seed the three mixing words with the configured range.
    uint32_t mix_a = config.op;
    uint32_t mix_b = config.min;
    uint32_t mix_c = config.max;

    // Fold in the option name, then run the final mixing step.
    mix_str(mix_a, mix_b, mix_c, get_name());
    finalize(mix_a, mix_b, mix_c);

    // The third word is returned as the hash value.
    return mix_c;
}
69
// Two options are equal when the other one is also named "wscale" and both
// hold the same range configuration.
bool TcpWscaleOption::operator==(const IpsOption& ips) const
{
    // The downcast below is unchecked: the name comparison is the only guard,
    // so it relies on every option named "wscale" being a TcpWscaleOption.
    const bool same_option = ( strcmp(s_name, ips.get_name()) == 0 );
    if ( !same_option )
        return false;

    const auto& rhs = static_cast<const TcpWscaleOption&>(ips);
    return config == rhs.config;
}
78
// Looks for a TCP window scale option in the packet.
// Returns true and stores the first data element of that option in wscale;
// returns false (wscale untouched) when the packet has no TCP header or no
// window scale option. Only the first such option is considered.
static bool get_wscale(Packet* p, uint16_t& wscale)
{
    const auto* const tcp_hdr = p->ptrs.tcph;
    if ( tcp_hdr == nullptr )
        return false;

    tcp::TcpOptIterator options(tcp_hdr, p);

    for ( const auto& opt : options )
    {
        if ( opt.code != tcp::TcpOptCode::WSCALE )
            continue;

        // NOTE(review): the option length is not checked here before data[0]
        // is read; this presumably relies on the iterator built from the
        // Packet yielding only options the decoder has validated — confirm.
        wscale = opt.data[0];
        return true;
    }
    return false;
}
96
// Evaluates the rule option against one packet: MATCH when a window scale
// option is present and its value satisfies the configured range.
// No TCP flag test is made here, so any segment carrying the option is
// evaluated; restricting the check to handshake segments is left to the rule.
IpsOption::EvalStatus TcpWscaleOption::eval(Cursor&, Packet* p)
{
    Profile profile(tcpWscalePerfStats);

    // Written by get_wscale() only when it returns true.
    uint16_t shift;
    if ( !get_wscale(p, shift) )
        return NO_MATCH;

    return config.eval(shift) ? MATCH : NO_MATCH;
}
107
108 //-------------------------------------------------------------------------
109 // module
110 //-------------------------------------------------------------------------
111
// Accepted interval for the rule argument; also passed to validate() in
// WscaleModule::set. NOTE(review): get_wscale() takes the value from a single
// option data element (opt.data[0]); if that element is one byte, as the TCP
// window scale shift count is, bounds above 255 are accepted here but can
// never match — confirm the wide range is intentional.
112 #define RANGE "0:65535"
113
// Parameter table for WscaleModule: a single interval argument named
// "~range", followed by the PT_MAX terminator entry.
114 static const Parameter s_params[] =
115 {
116 { "~range", Parameter::PT_INTERVAL, RANGE, nullptr,
117 "check if TCP window scale is in given range" },
118
119 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
120 };
121
// Configuration module for the "wscale" rule option: parses the range
// argument of a rule into a RangeCheck.
class WscaleModule : public Module
{
public:
    WscaleModule() : Module(s_name, s_help, s_params) { }

    // begin() resets the stored range; set() parses and validates "~range".
    bool begin(const char*, int, SnortConfig*) override;
    bool set(const char*, Value&, SnortConfig*) override;

    // Profiling counters shared with TcpWscaleOption::eval.
    ProfileStats* get_profile() const override
    {
        return &tcpWscalePerfStats;
    }

    Usage get_usage() const override
    {
        return DETECT;
    }

    // Parsed range; public because wscale_ctor() copies it into the option.
    RangeCheck data;
};
139
// Re-initialises the stored range before parameters are set, so that state
// from an earlier use of the module is not carried over. Always succeeds.
bool WscaleModule::begin(const char*, int, SnortConfig*)
{
    data.init();

    return true;
}
145
// Parses the "~range" argument into data, validating it against RANGE.
// Returns the result of the validation.
bool WscaleModule::set(const char*, Value& v, SnortConfig*)
{
    // "~range" is the only parameter in s_params, so nothing else is expected.
    assert(v.is("~range"));

    const bool accepted = data.validate(v.get_string(), RANGE);
    return accepted;
}
151
152 //-------------------------------------------------------------------------
153 // api methods
154 //-------------------------------------------------------------------------
155
// Module factory referenced from wscale_api; the returned object is released
// by mod_dtor().
static Module* mod_ctor()
{
    return new WscaleModule();
}
160
// Releases a module created by mod_ctor().
static void mod_dtor(Module* m)
{
    delete m;
}
165
// Option factory referenced from wscale_api: creates a rule option holding a
// copy of the range parsed by the module. The returned object is released by
// wscale_dtor().
static IpsOption* wscale_ctor(Module* p, OptTreeNode*)
{
    // Unchecked downcast: assumes p is the WscaleModule made by mod_ctor().
    auto* const mod = static_cast<WscaleModule*>(p);
    return new TcpWscaleOption(mod->data);
}
171
// Releases an option created by wscale_ctor().
static void wscale_dtor(IpsOption* p)
{
    delete p;
}
176
// Plugin descriptor for the "wscale" rule option. The nested first member
// carries the plugin type, API size and version, name, help text and the
// module factory functions; the outer members set the option type and the
// option factory functions. The four hooks labelled pinit/pterm/tinit/tterm
// and the final entry are left unset (nullptr).
177 static const IpsApi wscale_api =
178 {
179 {
180 PT_IPS_OPTION,
181 sizeof(IpsApi),
182 IPSAPI_VERSION,
183 0,
184 API_RESERVED,
185 API_OPTIONS,
186 s_name,
187 s_help,
188 mod_ctor,
189 mod_dtor
190 },
191 OPT_TYPE_DETECTION,
192 1, PROTO_BIT__TCP, // NOTE(review): presumably max uses per rule and the protocol mask (TCP only) — confirm against IpsApi
193 nullptr, // pinit
194 nullptr, // pterm
195 nullptr, // tinit
196 nullptr, // tterm
197 wscale_ctor,
198 wscale_dtor,
199 nullptr
200 };
201
// Exported (SO_PUBLIC), nullptr-terminated table of the plugin descriptors
// defined in this file; it lists only wscale_api.
202 SO_PUBLIC const BaseApi* snort_plugins[] =
203 {
204 &wscale_api.base,
205 nullptr
206 };
207