diff -Naur snort-1.8.7.orig/Makefile.am snort-1.8.7p1/Makefile.am --- snort-1.8.7.orig/Makefile.am Wed May 15 06:30:59 2002 +++ snort-1.8.7p1/Makefile.am Fri Sep 6 06:12:42 2002 @@ -34,8 +34,10 @@ spo_unified.c spo_unified.h generators.h spp_stream4.h spp_stream4.c \ ubi_SplayTree.h sys_include.h spp_frag2.c spp_frag2.h spp_arpspoof.c \ spp_arpspoof.h spo_idmef.h spo_idmef.c spo_SnmpTrap.c spo_SnmpTrap.h \ -event.h spo_log_null.c spo_log_null.h cdefs.h - +event.h spo_log_null.c spo_log_null.h cdefs.h \ +engine2.h e2_help.c e2_cluster_tree.c e2_parse.c e2_extract.c \ +e2_feature_int.c e2_feature_ipv4.c e2_feature_string.c \ +e2_feature_flags.c EXTRA_DIST = BUGS RULES.SAMPLE CREDITS snort.conf USAGE backdoor.rules \ info.rules smtp.rules ddos.rules local.rules telnet.rules dns.rules \ diff -Naur snort-1.8.7.orig/e2_cluster_tree.c snort-1.8.7p1/e2_cluster_tree.c --- snort-1.8.7.orig/e2_cluster_tree.c Wed Dec 31 16:00:00 1969 +++ snort-1.8.7p1/e2_cluster_tree.c Fri Sep 6 07:48:08 2002 @@ -0,0 +1,811 @@ +/* +** Copyright (C) 2002 Distributed Systems Group, Technical University Vienna +** +** Thomas Toth (ttoth@infosys.tuwien.ac.at) +** Christopher Kruegel (chris@infosys.tuwien.ac.t) +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License as published by +** the Free Software Foundation; either version 2 of the License, or +** (at your option) any later version. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + +#include "engine2.h" +#include + +/******************************************************************************/ +/* Variable Definitions */ +/******************************************************************************/ + +u_int8_t **rule_map; + +/* +float threshold[NUM_TREE] = { + 0.7, + 0.9 +}; +*/ + +float threshold[NUM_TREE] = { + 0.3, + 0.5 +}; + + +E2TreeNode *trees[NUM_PROTO][NUM_TREE]; + +OptTreeNode **snort_rules; +u_int32_t snort_rule_count; + +/******************************************************************************/ +/* Internal Functions */ +/******************************************************************************/ + +/* + * rules holds the original rule set, while succs all the successor nodes after splitting + * + * + * we want to include the following properties into the gain calculation: + * + * 1. total number of rules in successor nodes (the fewer, the better) + * 2. decrease in entropy (i.e. how 'good' does this split divide the rules) + * and the weights of individual rules + * 3. cost of navigation function for this tree node (e.g. strings are more expensive than ints) + */ + + + +float calc_gain(E2Rule *rules, u_int32_t rule_count, E2SuccessorNode *succs, u_int8_t feature) +{ + E2SuccessorNode *succ; + float children, local, child_count, total_count; + u_int32_t total; + + for (total = 0, succ = succs; succ != NULL; succ = succ->next) { + total += succ->rule_count; + } + + local = log(rule_count); + + children = 0.0; + total_count = (float) total; + for (succ = succs; succ != NULL; succ = succ->next) { + + if (succ->rule_count > 0) { + child_count = (float) succ->rule_count; + children += ((child_count / total_count) * log(child_count)); + } + } + return (local - children); +} + +u_int8_t* determine_max_features(u_int8_t *active, u_int8_t *hidden, u_int8_t proto, u_int32_t rule_count) +{ + u_int32_t sum, *feature_count; + u_int8_t *feature; + int feat, rule, index, final_index; +#ifdef E2DEBUG + int cnt; +#endif + + /* data structures to determine the best features for the decision tree */ + feature = (u_int8_t *) calloc(e2_map_size[proto], sizeof(u_int8_t)); + feature_count = (u_int32_t *) calloc(e2_map_size[proto], sizeof(u_int32_t)); + + + /* determine total number of defined values for each feature */ + /* and sort it in descending order */ + for (feat = 0; feat < e2_map_size[proto]; ++feat) { + + sum = 0; + for (rule = 0; rule < rule_count; ++rule) + if (active[rule] && !hidden[rule] && rule_map[feat][rule]) + ++sum; + + /* find correct index */ + for (index = 0; index < feat; ++index) + if (feature_count[index] < sum) + break; + final_index = index; + + /* shift rest one pos to right */ + for (index = feat; index > final_index; --index) { + feature[index] = feature[index - 1]; + feature_count[index] = feature_count[index - 1]; + } + + /* insert value */ + feature[index] = feat; + feature_count[index] = sum; + } + +#ifdef E2DEBUG + printf(" Max. features:\n"); + for (cnt = 0; cnt < e2_map_size[proto]; ++cnt) + printf(" %s - %d\n", e2_map[proto][feature[cnt]].f_name, feature_count[cnt]); +#endif + + free(feature_count); + return feature; +} + +u_int8_t* determine_rules(u_int32_t rule_count, u_int8_t *active, u_int8_t *hidden, u_int8_t proto, u_int8_t *feature, int fcount, int mode) +{ + u_int8_t *result; + int feat, rule, set, needed; + + result = calloc(rule_count, sizeof(u_int32_t)); + + if (fcount > e2_map_size[proto]) + fcount = e2_map_size[proto]; + + if (fcount >= (mode+1)) + needed = (fcount - (mode+1)); + else + needed = 0; + + + for (rule = 0; rule < rule_count; ++rule) { + + if (!active[rule]) + continue; + + if (!hidden[rule]) + set = 0; + else + continue; + // set = (needed - fcount); + + for (feat = 0; feat < fcount; ++feat) + if (rule_map[feature[feat]][rule]) + ++set; + + if (set >= needed) + result[rule] = 1; + } + + return result; +} + +E2TreeNode* perform_split(E2Rule *rules, u_int8_t *active, u_int8_t proto, u_int8_t *features, int fcount) +{ + E2Rule *clone, *tr, *split_rules = NULL; + E2TreeNode *result; + int *useable_features; + int cnt, index; + + for (tr = rules; tr != NULL; tr = tr->next) { + if (active[tr->id]) { + clone = rule_clone(tr); + clone->next = split_rules; + split_rules = clone; + } + } + + useable_features = calloc(e2_map_size[proto], sizeof(int)); + for (cnt = 0; cnt < fcount; ++cnt) { + index = features[cnt]; + useable_features[index] = 1; + } + for (cnt = 0; cnt < e2_map_size[proto]; ++cnt) + useable_features[cnt] = !useable_features[cnt]; + + result = split_snort_rules(split_rules, proto, useable_features); + + while (split_rules != NULL) { + tr = split_rules->next; + rule_destroy(split_rules); + split_rules = tr; + } + + free(useable_features); + + + return result; +} + +OptFpList* opt_list_dup(OptFpList *list) +{ + OptFpList *head, *tail, *element; + + head = tail = NULL; + + for (; list != NULL; list = list->next) { + + element = calloc(1, sizeof(OptFpList)); + memcpy(element, list, sizeof(OptFpList)); + + if (head == NULL) + head = tail = element; + else { + tail->next = element; + tail = element; + } + tail->next = NULL; + } + + return head; +} + +OptFpList* rtn_list_append(OptFpList *list, RuleFpList *rlist) +{ + OptFpList *wrapper; + + for (; rlist->next != NULL; rlist = rlist->next) { + + wrapper = calloc(1, sizeof(OptFpList)); + + wrapper->feature_id = rlist->feature_id; + wrapper->referring = rlist; + wrapper->OptTestFunc = Engine2RuleFpListWrapper; + + wrapper->next = list; + list = wrapper; + } + + return list; +} + +/******************************************************************************/ +/* API Functions */ +/******************************************************************************/ + +void build_e2_engine(E2Rule *rules, u_int32_t rule_count) +{ + u_int32_t active_count[NUM_TREE+1], unused, total_rules; + u_int8_t tree, proto, *active, *feature, *used[NUM_TREE+1], found; + int feat, cnt, sum, len, i, j; + float ratio; + + E2Rule *rule, *tr; + E2Trigger *trigger; + + RuleTreeNode *parent; + OptTreeNode *otn; + OptFpList *fplist, *todelete; + RuleFpList *rlist; +#ifdef E2DEBUG + int32_t uri_index; +#endif + + /* sanity checks */ + if (rule_count == 0) { + printf("Fatal: build_e2_engine: attempt to build engine without any rules\n"); + exit(1); + } + + + /* initialize data structures */ + active = (u_int8_t *) calloc(rule_count, sizeof(u_int8_t)); + used[0] = (u_int8_t *) calloc(rule_count, sizeof(u_int8_t)); + + for (i = 0; i < NUM_PROTO; ++i) + for (j = 0; j < NUM_TREE; ++j) + trees[i][j] = NULL; + + + + /* build final snort rules array */ + snort_rules = calloc(rule_count, sizeof(OptTreeNode)); + for (rule = rules, total_rules = 0; rule != NULL; rule = rule->next) { +#ifdef E2DEBUG + if (rule->id >= rule_count) { + printf("Fatal: build_e2_engine: rule_id is out of bounds\n"); + exit(1); + } + + + uri_index = e2_index_mapping_table[rule->proto][CONST_FEATURE_ID_CONTENT_URI]; + if (uri_index < 0) { + printf("Fatal: e2_build_engine: no URI index found\n"); + exit(1); + } + else if (rule->features[uri_index] != NULL) { + printf("Fatal: e2_build_engine: assertion failed - URI feature != NULL\n"); + exit(1); + } + +#endif + + snort_rules[rule->id] = rule->otn; + rule->otn->rule_id = rule->id; + + ++total_rules; + } + snort_rule_count = rule_count; + +#ifdef E2DEBUG + for (cnt = 0; cnt < rule_count; ++cnt) { + if (snort_rules[cnt] == NULL) { + printf("Fatal: build_e2_engine: rule id %d is missing in final array\n", cnt); + exit(1); + } + } +#endif + + +#ifdef ENGINE2 + + + /* copy the OptTreeNode checks to the list of interest - needed to handle ip rules */ + for (rule = rules; rule != NULL; rule = rule->next) { + + otn = snort_rules[rule->id]; + + switch (rule->proto) { + + case E2_PROTO_ICMP: + if (otn->opt_func_proto[E2_PROTO_ICMP] == NULL) + otn->opt_func_proto[E2_PROTO_ICMP] = opt_list_dup(otn->opt_func); + break; + case E2_PROTO_UDP: + if (otn->opt_func_proto[E2_PROTO_UDP] == NULL) + otn->opt_func_proto[E2_PROTO_UDP] = opt_list_dup(otn->opt_func); + break; + case E2_PROTO_TCP: + if (otn->opt_func_proto[E2_PROTO_TCP] == NULL) + otn->opt_func_proto[E2_PROTO_TCP] = opt_list_dup(otn->opt_func); + break; + default: + printf("Fatal: build_e2_engine: rule has unknown proto (otn list)\n"); + exit(1); + } + } + + /* append RuleTreeNode checks (i.e. IP addresses and ports) to each individual rule */ + for (rule = rules; rule != NULL; rule = rule->next) { + + otn = snort_rules[rule->id]; + parent = otn->rtn; + + rlist = parent->rule_func; + +#ifdef E2DEBUG + if (rlist == NULL) { + printf("Fatal: build_e2_engine: RuleList is empty but should at least contain 'End of List' entry\n"); + exit(1); + } +#endif + + switch (rule->proto) { + + case E2_PROTO_ICMP: + otn->opt_func_proto[E2_PROTO_ICMP] = rtn_list_append(otn->opt_func_proto[E2_PROTO_ICMP], rlist); + break; + case E2_PROTO_UDP: + otn->opt_func_proto[E2_PROTO_UDP] = rtn_list_append(otn->opt_func_proto[E2_PROTO_UDP], rlist); + break; + case E2_PROTO_TCP: + otn->opt_func_proto[E2_PROTO_TCP] = rtn_list_append(otn->opt_func_proto[E2_PROTO_TCP], rlist); + break; + default: + printf("Fatal: build_e2_engine: rule has unknown proto (rtn list)\n"); + exit(1); + } + } + + + printf("Snort -*> next generation detection engine <*-\n"); + printf("By Christopher Kruegel and Thomas Toth (chris@infosys.tuwien.ac.at, ttoth@infosys.tuwien.ac.at)\n\n"); + printf("Building decision trees for %d rules - this may take a while, please be patient\n", total_rules); + + for (proto = 0; proto < NUM_PROTO; ++proto) { + + /* only process 'good' protocols (e.g. not raw IP) */ + switch (proto) { + case E2_PROTO_ICMP: +#ifdef E2DEBUG + printf("Protocol: ICMP\n"); +#endif + break; + case E2_PROTO_UDP: +#ifdef E2DEBUG + printf("Protocol: UDP\n"); +#endif + break; + case E2_PROTO_TCP: +#ifdef E2DEBUG + printf("Protocol: TCP\n"); +#endif + break; + default: + continue; + } + + /* 'activate' all rules with correct protocol */ + memset(active, 0, rule_count * sizeof(u_int8_t)); + for (active_count[0] = 0, rule = rules; rule != NULL; rule = rule->next) { + + if ((active[rule->id]) && (rule->proto != proto)) { + printf("Fatal: rule %d has been activated previously\n", rule->id); + exit(1); + } + + if (rule->proto == proto) { + active[rule->id] = 1; + ++active_count[0]; + } + } + + /* allocate rule map (rule x feature - matrix) */ + rule_map = (u_int8_t **) calloc(e2_map_size[proto], sizeof(u_int8_t *)); + for (feat = 0; feat < e2_map_size[proto]; ++feat) + rule_map[feat] = calloc(rule_count, sizeof(u_int8_t)); + + + /* insert defined features of each rule into rule_map */ + for (rule = rules; rule != NULL; rule = rule->next) { + for (feat = 0; feat < e2_map_size[proto]; ++feat) { + + if (rule->id >= rule_count) { + printf("Fatal: build_e2_engine: rule_id is out of bounds\n"); + exit(1); + } + if (rule->features == NULL) { + printf("Fatal: build_e2_engine: feature array is null\n"); + exit(1); + } + + if (active[rule->id]) { + + if (rule->proto != proto) { + printf("Fatal: build_e2_engine: protos don't match\n"); + exit(1); + } + + if (rule->features[feat] != NULL) + rule_map[feat][rule->id] = 1; + } + } + } + + /* init data structures */ + for (cnt = 1; cnt < (NUM_TREE + 1); ++cnt) + used[cnt] = NULL; + + for (tree = 0; tree < NUM_TREE; ++tree) { + + if (active_count[tree] == 0) + break; + + feature = determine_max_features(active, used[tree], proto, rule_count); + + len = 4; + ratio = 1.0; + while ((ratio > threshold[tree]) && (len <= e2_map_size[proto])) { + + used[tree+1] = determine_rules(rule_count, active, used[tree], proto, feature, len, tree); + + for (cnt = 0, sum = 0; cnt < rule_count; ++cnt) + if (used[tree+1][cnt]) + ++sum; + ratio = (float) sum / (float) active_count[tree]; +#ifdef E2DEBUG + printf(" %d - %f\n", len, ratio); +#endif + ++len; + + free(used[tree+1]); + } + + if (ratio < threshold[tree]) + len -= 2; + else + len -= 1; + + used[tree+1] = determine_rules(rule_count, active, used[tree], proto, feature, len, tree); + for (cnt = 0, sum = 0; cnt < rule_count; ++cnt) + if (used[tree+1][cnt]) + ++sum; + ratio = (float) sum / (float) active_count[tree]; +#ifdef E2DEBUG + printf("Tree %d (Depth = %d): %d of %d rules used - ratio = %f", tree+1, len, sum, active_count[tree], ratio); +#endif + trees[proto][tree] = perform_split(rules, used[tree+1], proto, feature, len); + +#ifdef E2DEBUG + printf(" ... done\n"); +#endif + active_count[tree+1] = (active_count[tree] - sum); + + + for (unused = 0, cnt = 0; cnt < rule_count; ++cnt) { + if (!active[cnt]) + continue; + found = 0; + for (i = 0; i < tree+1; ++i) { + if (used[i+1][cnt]) { + found = 1; + break; + } + } + if (!found) + ++unused; + } +#ifdef E2DEBUG + printf("-- %d (%.2f%%) rules are always true\n\n", unused, (100*(float) unused / (float) active_count[0])); +#endif + + /* remove reduntant checks from otn function lists */ + for (cnt = 0; cnt < rule_count; ++cnt) { + + /* rule has been used in tree --> remove used feature checks */ + if (active[cnt] && used[tree+1][cnt]) { + + + /* search OptTreeNode function list for relevant entry and delete it */ + fplist = snort_rules[cnt]->opt_func_proto[proto]; + if (fplist == NULL) + continue; + + while (fplist == snort_rules[cnt]->opt_func_proto[proto]) { + + found = 0; + if (fplist->feature_id < CONST_NUMBER_OF_FEATURES) { + for (feat = 0; feat < len; ++ feat) { + if (feature[feat] == e2_index_mapping_table[proto][fplist->feature_id]) { + found = 1; break; + } + } + } + if (found) { + todelete = fplist; + snort_rules[cnt]->opt_func_proto[proto] = fplist->next; + free(todelete); + fplist = snort_rules[cnt]->opt_func_proto[proto]; + } + else + fplist = NULL; + } + + fplist = snort_rules[cnt]->opt_func_proto[proto]; + while (fplist->next != NULL) { + + found = 0; + if (fplist->next->feature_id < CONST_NUMBER_OF_FEATURES) { + for (feat = 0; feat < len; ++ feat) { + if (feature[feat] == e2_index_mapping_table[proto][fplist->next->feature_id]) { + found = 1; break; + } + } + } + if (found) { + todelete = fplist->next; + fplist->next = fplist->next->next; + free(todelete); + } + else + fplist = fplist->next; + } + } + } + free(feature); + } + + + /* change rule lists to trigger arrays */ + for (tree = 0; tree < NUM_TREE; ++tree) { + + if (trees[proto][tree] != NULL) { + +#ifdef E2_DEBUG_CLUSTER_TREE + trees[proto][tree]->debug(trees[proto][tree]); +#endif + + trigger = trigger_create(rule_count); + + for (cnt = 0; cnt < rule_count; ++cnt) + if (active[cnt] && !used[tree+1][cnt]) + trigger_set(trigger, (u_int16_t) cnt); + + trees[proto][tree]->propagate(trees[proto][tree], trigger, trees[proto][tree]); + + if (trees[proto][tree]->trigger != NULL) + trigger_destroy(trigger); + else { + trigger_compact(trigger); + trees[proto][tree]->trigger = trigger; + } + } + } + + /* deallocate data structures */ + for (feat = 0; feat < e2_map_size[proto]; ++feat) + free(rule_map[feat]); + free(rule_map); + for (tree = 0; tree < NUM_TREE; ++tree) { + if (used[tree + 1] != NULL) + free(used[tree + 1]); + } + } + +#endif + + /* remove initial rules */ + for (rule = rules; rule != NULL; ) { + tr = rule->next; + rule_destroy(rule); + rule = tr; + } + + /* free remaining data structures */ + free(used[0]); + free(active); + + printf("+++++++++++++++++++++++++++++++++++++++++++++++++++\n"); + +#ifdef E2DEBUG + _mem_print(); +#endif +} + + +/* + * "rules" list is removed by caller and split_snort_rules is NOT allowed to + * use any rules directly (i.e. w/o calling rule_clone first) + */ + +E2TreeNode* split_snort_rules(E2Rule *rules, u_int8_t proto, int *feature_map) +{ + + E2Rule *rule; + E2TreeNode *tree_node; + E2SuccessorNode *succs; + int feature, best_feature, type, best_type, string_feature; + float gain, best_gain; + u_int32_t rule_count; + + if (rules == NULL) { + printf("[*] Fatal: split_snort_rules: tree rule list empty\n"); + exit(1); + } + tree_node = calloc(1, sizeof(E2TreeNode)); + + tree_node->debug_count = 0; + tree_node->debug_rules = NULL; + + for (rule = rules, rule_count = 0; rule != NULL; rule = rule->next) { + ++rule_count; + + tree_node->debug_rules = list_add(tree_node->debug_rules, rule_clone(rule)); + ++tree_node->debug_count; + } + + if (rule_count == 0) { + printf("No rules to be split\n"); + exit(1); + } + + + // choose each feature and calculate its gain + best_gain = 0.0; + string_feature = best_feature = best_type = -1; + + for (feature = 0; feature < e2_map_size[proto]; ++feature) { + + // only check features that have not been used previously + if (feature_map[feature]) + continue; + + // determine feature type + type = e2_map[proto][feature].index_into_type_map; + +#ifdef E2DEBUG + if ((type < 0 ) || (type >= e2_t_map_size)) { + printf("Fatal: split_snort_rules: unknown feature type (%d)\n", type); + exit(1); + } +#endif + + // pre_split node + succs = e2_t_map[type].pre_split_node(rules, feature); + + // determine gain int rval; + gain = calc_gain(rule, rule_count, succs, feature); + + if (type == CONST_STRING && gain > 0.0) { + string_feature = feature; + } + else if (gain > best_gain) { + best_gain = gain; + best_feature = feature; + best_type = type; + } + else if ((best_gain == 0.0) && (best_feature < 0)) { + + for (rule = rules; rule != NULL; rule = rule->next) + if (rule->features[feature] != NULL) { + best_feature = feature; + best_type = type; + break; + } + } + + // undo previous split + e2_t_map[type].undo_split_node(succs); + } + + + // split along best feature (with highest gain) --> non-string first + if ((best_feature >= 0) || (string_feature >= 0)) { + + if (best_feature < 0) { + best_feature = string_feature; + best_type = CONST_STRING; + } + + // build up tree structure + succs = e2_t_map[best_type].pre_split_node(rules, best_feature); + tree_node->private = e2_t_map[best_type].final_split_node(succs, best_feature, feature_map, proto); + e2_t_map[best_type].undo_split_node(succs); + + // set functions + tree_node->navigate = e2_t_map[best_type].navigate; + tree_node->extract = e2_map[proto][best_feature].extract; + tree_node->debug = e2_t_map[best_type].debug; + tree_node->propagate = e2_t_map[best_type].propagate; + tree_node->feature = best_feature; + } + // no distinguishing feature found - choose one with rules that have at least one != any + else { + + for (feature = 0; feature < e2_map_size[proto]; ++feature) { + + if (feature_map[feature]) + continue; + + for (rule = rules; rule != NULL; rule = rule->next) + if (rule->features[feature] != NULL) { + best_feature = feature; + best_type = e2_map[proto][feature].index_into_type_map; + break; + } + + if (rule != NULL) { + + printf("This may never happen now\n"); + exit(1); + + // build up tree structure + succs = e2_t_map[best_type].pre_split_node(rules, best_feature); + tree_node->private = e2_t_map[best_type].final_split_node(succs, best_feature, feature_map, proto); + e2_t_map[best_type].undo_split_node(succs); + + // set functions + tree_node->navigate = e2_t_map[best_type].navigate; + tree_node->extract = e2_map[proto][best_feature].extract; + tree_node->debug = e2_t_map[best_type].debug; + tree_node->propagate = e2_t_map[best_type].propagate; + tree_node->feature = best_feature; + break; + } + } + + /* all remaining features have only NULL entries --> immediately finish tree branch */ + if (feature == e2_map_size[proto]) { + tree_node->navigate = e2_t_map[CONST_UNDEF].navigate; + tree_node->propagate = e2_t_map[CONST_UNDEF].propagate; + tree_node->debug = e2_t_map[CONST_UNDEF].debug; + tree_node->feature = -1; + + for (rule = rules; rule != NULL; rule = rule->next) + tree_node->fire = list_add(tree_node->fire, rule_clone(rule)); + } + } + + // return root of current sub_tree + return tree_node; +} + + + + diff -Naur snort-1.8.7.orig/e2_extract.c snort-1.8.7p1/e2_extract.c --- snort-1.8.7.orig/e2_extract.c Wed Dec 31 16:00:00 1969 +++ snort-1.8.7p1/e2_extract.c Fri Sep 6 07:48:17 2002 @@ -0,0 +1,246 @@ +/* +** Copyright (C) 2002 Distributed Systems Group, Technical University Vienna +** +** Thomas Toth (ttoth@infosys.tuwien.ac.at) +** Christopher Kruegel (chris@infosys.tuwien.ac.t) +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License as published by +** the Free Software Foundation; either version 2 of the License, or +** (at your option) any later version. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + +#include "decode.h" +#include "engine2.h" + +void * extract_dsize (Packet * p) { + u_int32_t * ptr; + ptr = salloc(sizeof(u_int32_t)); + + *ptr = (u_int32_t) p->dsize; + + return ptr; +} + +void * extract_ipid (Packet * p) { + u_int32_t * value; + + value = salloc(sizeof(u_int32_t)); + + *value = (u_int32_t) p->iph->ip_id; + + return value; +} + +void * extract_ipoptions (Packet * p) { + u_int32_t * value; + int i=0; + + value = salloc(sizeof(u_int32_t)); + + for (i=0;iip_option_count; i++) { + switch (p->ip_options[i].code) { + case IPOPT_RR: + *value |= 1 << CONST_INDEX_OF_RR; + break; + + case IPOPT_EOL: + *value |= 1 << CONST_INDEX_OF_EOL; + break; + + case IPOPT_NOP: + *value |= 1 < extract_ipoptions: option IPOPT_RTRALT found, but don't know how to handle this!"); + break; + } + } + + return value; +} + +void * extract_ipfragbits (Packet * p) { + u_int32_t * value; + + value = salloc(sizeof(u_int32_t)); + + *value =0; + + *value |= p->df << CONST_INDEX_OF_DF; + *value |= p->rf << CONST_INDEX_OF_R; + *value |= p->mf << CONST_INDEX_OF_MF; + + return value; +} + +void * extract_tcpflags (Packet * p) { + u_int32_t * value; + + value = salloc(sizeof(u_int32_t)); + + *value =0; + *value |= p->tcph->th_flags; + + return value; +} + +void * extract_icmp_id (Packet * p) { + u_int32_t * ptr; + ptr = salloc(sizeof(u_int32_t)); + + if (p->icmph->type == ICMP_ECHO || p->icmph->type == ICMP_ECHOREPLY) { + *ptr = htonl((u_int32_t) p->icmph->s_icmp_id); + } + else { + return NULL; + } + return ptr; +} + +void * extract_icmp_seq (Packet * p) { + u_int32_t * ptr; + ptr = salloc(sizeof(u_int32_t)); + + if (p->icmph->type == ICMP_ECHO || p->icmph->type == ICMP_ECHOREPLY) { + *ptr = htonl((u_int32_t) p->icmph->s_icmp_id); + } + else { + return NULL; + } + return ptr; +} + +void * extract_icode (Packet * p) { + u_int32_t * ptr; + ptr = salloc(sizeof(u_int32_t)); + + if (!p->icmph) + return NULL; + + *ptr = (u_int32_t) p->icmph->code; + + return ptr; +} + +void * extract_itype (Packet * p) { + u_int32_t * ptr; + ptr = salloc(sizeof(u_int32_t)); + + if (!p->icmph) + return NULL; + + *ptr = (u_int32_t) p->icmph->type; + + return ptr; +} + +void * extract_srcip (Packet * p) { + u_int32_t * ptr; + + ptr = salloc(sizeof(u_int32_t)); + *ptr = htonl(p->iph->ip_src.s_addr); + + return ptr; +} + +void * extract_dstip (Packet * p) { + u_int32_t * ptr; + + ptr = salloc(sizeof(u_int32_t)); + *ptr = htonl(p->iph->ip_dst.s_addr); + + return ptr; +} + +void * extract_udp_srcport (Packet * p) { + u_int32_t * ptr; + + ptr = salloc(sizeof(u_int32_t)); + *ptr = htons(p->udph->uh_sport); + + return ptr; +} + +void * extract_tcp_srcport (Packet * p) { + u_int32_t * ptr; + + ptr = salloc(sizeof(u_int32_t)); + *ptr = htons(p->tcph->th_sport); + + return ptr; +} + +void * extract_udp_dstport (Packet * p) { + u_int32_t * ptr; + ptr = salloc(sizeof(u_int32_t)); + + *ptr = htons(p->udph->uh_dport); + return ptr; +} + +void * extract_tcp_dstport (Packet * p) { + u_int32_t * ptr; + ptr = salloc(sizeof(u_int32_t)); + + *ptr = htons(p->tcph->th_dport); + return ptr; +} + +void * extract_content ( Packet * p) { + E2PAYLOAD * ret; + + ret = (E2PAYLOAD *) salloc(sizeof(E2PAYLOAD)); + + ret->content = p->data; + ret->content_length = p->dsize; + + return ret; +} + +void * extract_uricontent ( Packet * p) { + E2PAYLOAD * ret; + + if (p->URI.uri != NULL) { + ret = (E2PAYLOAD *) salloc(sizeof(E2PAYLOAD)); + + ret->content = p->URI.uri; + ret->content_length = p->URI.length; + + return ret; + } + else { + return extract_content(p); + } +} diff -Naur snort-1.8.7.orig/e2_feature_flags.c snort-1.8.7p1/e2_feature_flags.c --- snort-1.8.7.orig/e2_feature_flags.c Wed Dec 31 16:00:00 1969 +++ snort-1.8.7p1/e2_feature_flags.c Fri Sep 6 07:48:35 2002 @@ -0,0 +1,1282 @@ +/* +** Copyright (C) 2002 Distributed Systems Group, Technical University Vienna +** +** Thomas Toth (ttoth@infosys.tuwien.ac.at) +** Christopher Kruegel (chris@infosys.tuwien.ac.t) +** +** This program is free software; you can redistribute it and/or modify +** it under the terms of the GNU General Public License as published by +** the Free Software Foundation; either version 2 of the License, or +** (at your option) any later version. +** +** This program is distributed in the hope that it will be useful, +** but WITHOUT ANY WARRANTY; without even the implied warranty of +** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +** GNU General Public License for more details. +** +** You should have received a copy of the GNU General Public License +** along with this program; if not, write to the Free Software +** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +*/ + +#include "engine2.h" + + +char *ipoptions_names [CONST_NUMBER_OF_SUPPORTED_IPOPTIONS] = + { "","","","