#include <string.h>#include <stdlib.h>#include <assert.h>#include "snort.h"#include "detect.h"#include "plugbase.h"#include "debug.h"#include "util.h"#include "mstring.h"#include "tag.h"#include "pcrm.h"#include "fpcreate.h"#include "fpdetect.h"#include "sfthreshold.h"#include "event_wrapper.h"#include "event_queue.h"#include "stream.h"#include "inline.h"#include "preprocessors/spp_stream4.h"#include "preprocessors/spp_flow.h"Go to the source code of this file.
|
|
|
|
||||||||||||||||
|
Definition at line 1466 of file detect.c. References _OptTreeNode::activation_counter, active_dynamic_nodes, _OptTreeNode::active_flag, _RuleTreeNode::active_flag, CallAlertFuncs(), CallLogFuncs(), _OptTreeNode::countdown, _RuleTreeNode::countdown, DEBUG_DETECT, DEBUG_WRAP, _RuleTreeNode::listhead, LogMessage(), _SigInfo::message, NULL, _OptTreeNode::OTN_activation_ptr, _OptTreeNode::rtn, _OptTreeNode::RTN_activation_ptr, and _OptTreeNode::sigInfo. Referenced by fpLogEvent(). |
|
||||||||||||||||
|
Definition at line 1413 of file detect.c. References _RuleListNode::evalIndex, _RuleListNode::next, and NULL. Referenced by OrderRuleLists(). |
|
||||||||||||||||
|
Definition at line 1498 of file detect.c. References CallAlertFuncs(), CallLogFuncs(), CallSigOutputFuncs(), DEBUG_DETECT, DEBUG_WRAP, _RuleTreeNode::listhead, _SigInfo::message, _OptTreeNode::outputFuncs, _OptTreeNode::rtn, and _OptTreeNode::sigInfo. Referenced by fpLogEvent(). |
|
||||||||||||||||||||
|
Definition at line 343 of file detect.c. References _PacketCount::alert_pkts, _ListHead::AlertList, _OutputFuncNode::arg, CallAlertPlugins(), _Event::event_id, event_id, _progvars::event_log_id, _Event::event_reference, _OutputFuncNode::func, _OutputFuncNode::next, NULL, ObfuscatePacket(), _progvars::obfuscation_flag, pc, pv, _Event::ref_time, sfthreshold_test(), _Event::sig_generator, and _Event::sig_id. Referenced by ActivateAction(), AlertAction(), AlertIntermediateInfo(), DropAction(), GenerateSnortEvent(), PortscanPreprocFunction(), and SAlert(). |
|
||||||||||||||||||||
|
Definition at line 416 of file detect.c. References _PacketCount::alert_pkts, _OutputFuncNode::arg, DEBUG_DETECT, DEBUG_WRAP, _OutputFuncNode::func, _OutputFuncNode::next, NULL, ObfuscatePacket(), _progvars::obfuscation_flag, pc, and pv. Referenced by CallAlertFuncs(). |
|
||||||||||||||||||||
|
Definition at line 229 of file detect.c. References _OutputFuncNode::arg, CallLogPlugins(), _Event::event_id, event_id, _progvars::event_log_id, _OutputFuncNode::func, _IPHdr::ip_dst, _IPHdr::ip_src, _Packet::iph, _PacketCount::log_pkts, _ListHead::LogList, _OutputFuncNode::next, NULL, ObfuscatePacket(), _progvars::obfuscation_flag, pc, _Packet::pkth, pv, _Event::ref_time, sfthreshold_test(), _Event::sig_generator, _Event::sig_id, and pcap_pkthdr::ts. Referenced by ActivateAction(), AlertAction(), CheckTagging(), DropAction(), DynamicAction(), GenerateOpenPortEvent(), GenerateSnortEvent(), LogAction(), and LogTagData(). |
|
||||||||||||||||||||
|
Definition at line 302 of file detect.c. References _OutputFuncNode::arg, _OutputFuncNode::func, _PacketCount::log_pkts, _OutputFuncNode::next, NULL, ObfuscatePacket(), _progvars::obfuscation_flag, pc, and pv. Referenced by CallLogFuncs(), and ProcessPacket(). |
|
||||||||||||||||
|
Definition at line 326 of file detect.c. References _OutputFuncNode::arg, _OutputFuncNode::func, _SigInfo::message, _OutputFuncNode::next, NULL, ObfuscatePacket(), _progvars::obfuscation_flag, _OptTreeNode::outputFuncs, pv, and _OptTreeNode::sigInfo. Referenced by AlertAction(). |
|
||||||||||||||||||||||||||||
|
Definition at line 487 of file detect.c. References _IpAddrSet::addr_flags, ANY_DST_PORT, ANY_SRC_PORT, CHECK_SRC, DEBUG_DETECT, DEBUG_WRAP, _Packet::dp, EXCEPT_DST_IP, EXCEPT_DST_PORT, EXCEPT_IP, EXCEPT_SRC_IP, EXCEPT_SRC_PORT, INVERSE, _IpAddrSet::ip_addr, _IPHdr::ip_dst, _IPHdr::ip_src, _Packet::iph, _IpAddrSet::netmask, _IpAddrSet::next, NULL, and _Packet::sp. Referenced by CheckBidirectional(), IsIgnored(), IsServer(), and PortscanPreprocFunction(). |
|
||||||||||||||||
|
Definition at line 829 of file detect.c. References CHECK_DST, CHECK_SRC, CheckAddrPort(), DEBUG_DETECT, DEBUG_WRAP, _RuleTreeNode::dip, _RuleTreeNode::flags, _RuleTreeNode::hdp, _RuleTreeNode::hsp, INVERSE, _RuleTreeNode::ldp, _RuleTreeNode::lsp, and _RuleTreeNode::sip. Referenced by SetupRTNFuncList(). |
|
||||||||||||||||
|
Definition at line 1039 of file detect.c. References _IpAddrSet::addr_flags, DEBUG_DETECT, DEBUG_WRAP, _RuleTreeNode::dip, EXCEPT_DST_IP, EXCEPT_IP, _RuleTreeNode::flags, _IpAddrSet::ip_addr, _IPHdr::ip_dst, _IPHdr::ip_src, _Packet::iph, _IpAddrSet::netmask, _IpAddrSet::next, _RuleFpList::next, NULL, and _RuleFpList::RuleHeadFunc. Referenced by AddrToFunc(). |
|
||||||||||||||||
|
Definition at line 1115 of file detect.c. References DEBUG_DETECT, DEBUG_WRAP, _RuleTreeNode::dip, _IpAddrSet::ip_addr, _IPHdr::ip_dst, _Packet::iph, _IpAddrSet::netmask, _IpAddrSet::next, _RuleFpList::next, NULL, and _RuleFpList::RuleHeadFunc. |
|
||||||||||||||||
|
Definition at line 1183 of file detect.c. References DEBUG_DETECT, DEBUG_WRAP, _Packet::dp, _RuleTreeNode::hdp, _RuleTreeNode::ldp, _RuleFpList::next, and _RuleFpList::RuleHeadFunc. Referenced by PortToFunc(). |
|
||||||||||||||||
|
Definition at line 1203 of file detect.c. References DEBUG_DETECT, DEBUG_WRAP, _Packet::dp, _RuleTreeNode::hdp, _RuleTreeNode::ldp, _RuleFpList::next, and _RuleFpList::RuleHeadFunc. Referenced by PortToFunc(). |
|
||||||||||||||||
|
Definition at line 923 of file detect.c. References _IpAddrSet::addr_flags, DEBUG_DETECT, DEBUG_WRAP, EXCEPT_IP, EXCEPT_SRC_IP, _RuleTreeNode::flags, _IpAddrSet::ip_addr, _IPHdr::ip_src, _Packet::iph, _IpAddrSet::netmask, _IpAddrSet::next, _RuleFpList::next, NULL, _RuleFpList::RuleHeadFunc, and _RuleTreeNode::sip. Referenced by AddrToFunc(). |
|
||||||||||||||||
|
Definition at line 1001 of file detect.c. References DEBUG_DETECT, DEBUG_WRAP, _IpAddrSet::ip_addr, _IPHdr::ip_src, _Packet::iph, _IpAddrSet::netmask, _IpAddrSet::next, _RuleFpList::next, NULL, _RuleFpList::RuleHeadFunc, and _RuleTreeNode::sip. |
|
||||||||||||||||
|
Definition at line 1139 of file detect.c. References DEBUG_DETECT, DEBUG_WRAP, _RuleTreeNode::hsp, _RuleTreeNode::lsp, _RuleFpList::next, _RuleFpList::RuleHeadFunc, and _Packet::sp. Referenced by PortToFunc(). |
|
||||||||||||||||
|
Definition at line 1161 of file detect.c. References DEBUG_DETECT, DEBUG_WRAP, _RuleTreeNode::hsp, _RuleTreeNode::lsp, _RuleFpList::next, _RuleFpList::RuleHeadFunc, and _Packet::sp. Referenced by PortToFunc(). |
|
|
This is where we check to see if we tag the packet. We only do this if we've alerted on a non-pass rule and the packet is not rebuilt. We don't log rebuilt packets because the output plugins log the individual packets of a rebuilt stream, so we don't want to dup tagged packets for rebuilt streams.
Definition at line 206 of file detect.c. References CallLogFuncs(), check_tags_flag, CheckTagList(), DEBUG_FLOW, DEBUG_WRAP, NULL, _Packet::packet_flags, and PKT_REBUILT_STREAM. Referenced by Preprocess(). |
|
|
Definition at line 1235 of file detect.c. References CreateRuleType(), RULE_ACTIVATE, RULE_ALERT, RULE_DROP, RULE_DYNAMIC, RULE_LOG, RULE_PASS, RULE_REINJECT, RULE_REJECT, RULE_REJECTBOTH, RULE_REJECTDST, RULE_REJECTSRC, and RULE_SDROP. Referenced by SnortMain(). |
|
||||||||||||||||||||
|
Definition at line 1274 of file detect.c. References _ListHead::AlertList, _RuleListNode::evalIndex, _ListHead::IcmpList, _ListHead::IpList, _ListHead::LogList, _RuleListNode::mode, _RuleListNode::name, _RuleListNode::next, NULL, _progvars::num_rule_types, pv, _RuleListNode::RuleList, _ListHead::ruleListNode, _RuleListNode::rval, _ListHead::TcpList, and _ListHead::UdpList. Referenced by CreateDefaultRules(), and ParseRuleTypeDeclaration(). |
|
|
Definition at line 450 of file detect.c. References fpEvalPacket(), and NULL. Referenced by Preprocess(), and SnortHttpInspect(). |
|
||||||||||||||||
|
Definition at line 1532 of file detect.c. References CallAlertFuncs(), CallLogFuncs(), DEBUG_DETECT, DEBUG_WRAP, InlineDrop(), _RuleTreeNode::listhead, _SigInfo::message, _Stream4Data::ms_inline_alerts, _Packet::packet_flags, PKT_INLINE_DROP, _OptTreeNode::rtn, _Session::session_flags, _OptTreeNode::sigInfo, SSNFLAG_MIDSTREAM, and _Packet::ssnptr. Referenced by fpLogEvent(). |
|
||||||||||||||||
|
||||||||||||||||
|
Definition at line 1730 of file detect.c. References active_dynamic_nodes, _OptTreeNode::active_flag, _RuleTreeNode::active_flag, CallLogFuncs(), _RuleTreeNode::countdown, _OptTreeNode::countdown, DEBUG_DETECT, DEBUG_WRAP, _RuleTreeNode::listhead, _SigInfo::message, _OptTreeNode::rtn, and _OptTreeNode::sigInfo. Referenced by fpLogEvent(). |
|
||||||||||||||||
|
Definition at line 766 of file detect.c. References DEBUG_DETECT, DEBUG_WRAP, _RuleTreeNode::down, FatalError(), _OptFpList::next, _OptTreeNode::next, NULL, _OptTreeNode::opt_func, _OptFpList::OptTestFunc, pv, _progvars::quiet_flag, _RuleTreeNode::right, snprintf, and STD_BUF. Referenced by IntegrityCheckRules(). |
|
||||||||||||||||
|
Definition at line 1760 of file detect.c. References CallLogFuncs(), DEBUG_DETECT, DEBUG_WRAP, _RuleTreeNode::listhead, _SigInfo::message, _OptTreeNode::rtn, and _OptTreeNode::sigInfo. Referenced by fpLogEvent(). |
|
|
Definition at line 1776 of file detect.c. References _progvars::homenet, _IPHdr::ip_dst, _IPHdr::ip_src, _Packet::iph, _progvars::netmask, _progvars::obfuscation_mask, _progvars::obfuscation_net, _Packet::packet_flags, PKT_OBFUSCATED, and pv. Referenced by CallAlertFuncs(), CallAlertPlugins(), CallLogFuncs(), CallLogPlugins(), and CallSigOutputFuncs(). |
|
||||||||||||||||
|
Definition at line 1229 of file detect.c. Referenced by ParseRuleOptions(). |
|
|
Definition at line 1350 of file detect.c. References addNodeToOrderedList(), FatalError(), LogMessage(), mSplit(), mSplitFree(), _RuleListNode::name, _RuleListNode::next, and NULL. Referenced by ParseConfig(), and SnortMain(). |
|
|
Definition at line 1456 of file detect.c. References DEBUG_DETECT, DEBUG_WRAP, _PacketCount::pass_pkts, and pc. Referenced by fpLogEvent(). |
|
|
See if we should go ahead and remove this flow from the flow_preprocessor -- cmg Definition at line 107 of file detect.c. References AlertFlushStream(), _Packet::bytes_to_inspect, check_tags_flag, CheckFlowShutdown(), CheckTagging(), _PreprocessFuncNode::context, _Packet::csum_flags, DEBUG_DETECT, DEBUG_WRAP, _HttpUri::decode_flags, Detect(), do_detect, _Packet::dsize, _PreprocessFuncNode::func, _PreprocessFuncNode::next, NULL, PP_ALL, _Packet::preprocessors, SnortEventqLog(), SnortEventqReset(), _Packet::ssnptr, and _Packet::uri_count. Referenced by FlushStream(), and ProcessPacket(). |
|
|
Definition at line 1440 of file detect.c. References LogMessage(), _RuleListNode::name, _RuleListNode::next, NULL, sfsnprintfappend(), snprintf, and STD_BUF. Referenced by printRuleOrder(). |
|
|
Definition at line 1255 of file detect.c. References printRuleListOrder(). Referenced by SnortMain(). |
|
||||||||||||||||
|
Definition at line 1223 of file detect.c. Referenced by SetupRTNFuncList(). |
|
||||||||||||
|
Definition at line 470 of file detect.c. References DEBUG_DETECT, DEBUG_WRAP, _RspFpList::next, NULL, _RspFpList::ResponseFunc, and _OptTreeNode::rsp_func. Referenced by fpLogEvent(). |
|
|
|
|
|
Definition at line 95 of file parser.c. Referenced by ActivateAction(), DynamicAction(), fpEvalRTN(), and fpEvalRTNSW(). |
|
|
|
|
|
Definition at line 587 of file plugbase.c. |
|
|
Definition at line 100 of file detect.c. Referenced by CheckTagging(), fpLogEvent(), Preprocess(), and SetTags(). |
|
|
Definition at line 98 of file detect.c. Referenced by DisableDetect(), Frag3Defrag(), Preprocess(), ReassembleStream4(), and SnortHttpInspect(). |
|
|
|
|
|
|
|
|
Definition at line 94 of file parser.c. Referenced by ParseRuleOptions(), and ParseRulesFile(). |
|
|
Definition at line 99 of file detect.c. Referenced by CallAlertFuncs(), CallLogFuncs(), flowps_generate_flow_event(), fpLogEvent(), GeneratePSSnortEvent(), OldUnifiedLogPacketAlert(), PortscanPreprocFunction(), and SetEvent(). |
|
|
|
|
|
|
|
|
Definition at line 588 of file plugbase.c. |
|
|
Definition at line 80 of file parser.c. Referenced by SnortHttpInspect(). |
|
|
|
|
|
Definition at line 418 of file plugbase.c. |
|
|
|
|
|
Definition at line 83 of file parser.c. Referenced by fpCreateFastPacketDetection(). |
|
|
Definition at line 377 of file spp_stream4.c. |
|
|
|
1.4.2