Main Page | Modules | Class List | Directories | File List | Class Members | File Members | Related Pages
src

sfthreshold.c

Go to the documentation of this file.
00001 /*
00002    sfthreshold.c
00003 
00004    This file contains functions that glue the generic thresholding2 code to 
00005    snort.
00006 
00007    dependent files:  sfthd sfxghash sfghash sflsq 
00008                      util mstring
00009 
00010    Copyright (C) 2003 Sourcefire,Inc.
00011    Marc Norton
00012 
00013    2003-05-29:
00014      cmg: Added s_checked variable  --
00015        when this is 1, the sfthreshold_test will always return the same 
00016        answer until
00017        sfthreshold_reset is called
00018 
00019    2003-11-3:
00020      man: cleaned up and added more startup printout.
00021 */
00022 #include <stdio.h>
00023 #include <stdlib.h>
00024 #include <string.h>
00025 
00026 #include "mstring.h"
00027 #include "util.h"
00028 #include "parser.h"
00029 
00030 #include "sfthd.h"
00031 #include "sfthreshold.h"
00032 #include "snort.h"
00033 
00034 #ifndef WIN32
00035 #include <sys/socket.h>
00036 #include <netinet/in.h>
00037 #include <arpa/inet.h>
00038 #endif
00039 
00040 #include <errno.h>
00041 
00042 /*
00043      Data
00044 */
00045 static int          s_memcap  = 1024 * 1024;
00046 static THD_STRUCT * s_thd     = 0;
00047 static int          s_enabled = 1;
00048 static int          s_checked = 0; /**< have we evaluated this yet? */
00049 static int          s_answer  = 0; /**< what was the last return value? */
00050 
00051 
00052 /*
00053 *   Fatal Integer Parser
00054 *   Ascii to Integer conversion with fatal error support
00055 */
00056 static unsigned xatou( char * s , char * etext)
00057 {
00058     unsigned val;
00059 
00060     char *endptr;
00061   
00062     while( *s == ' ' ) s++;
00063 
00064     if( *s == '-' ) 
00065        FatalError("%s(%d) => *** %s\n*** Invalid unsigned integer - negative sign found, input: %s\n",
00066                             file_name, file_line, etext ,s );
00067 
00068     errno = 0;
00069     
00070     /*
00071     *  strtoul - errors on win32 : ERANGE (VS 6.0)
00072     *            errors on linux : ERANGE, EINVAL
00073     */ 
00074     val =(unsigned)strtoul(s,&endptr,10);
00075     
00076     if(errno || endptr == s)
00077     {
00078        FatalError("%s(%d) => *** %s\n*** Invalid integer input: %s\n",
00079                             file_name, file_line, etext, s );
00080     } 
00081 
00082     return val;         
00083 }
00084 
00085 /*
00086 
00087      Parse Threshold Rule option parameters for each RULE
00088 
00089      'threshold: type limit|threshold|both, track by_src|by_dst, count #, seconds #;'
00090 
00091 */
00092 void ParseThreshold2( THDX_STRUCT * thdx, char * s )
00093 {
00094       int    i = 0;
00095       char * argv[100], * t;
00096       int    argc;
00097       int    count_flag=0;
00098       int    seconds_flag=0;
00099       int    type_flag=0;
00100       int    tracking_flag=0;
00101       
00102       if( !s_enabled )
00103           return ;
00104 
00105       memset( thdx, 0, sizeof(THDX_STRUCT) );
00106 
00107       thdx->priority = -1; /* Make this lower than standalone threshold command defaults ??? */
00108       
00109       /* Parse all of the args - they come in pairs */      
00110       for( argc=0, t = strtok(s," ,\n");  argc < 100 &&  t != 0 ;  argc++, t = strtok(0," ,\n") )
00111       {
00112           argv[ argc ] = t;           
00113       }
00114 
00115       /* Parameter Check - enough args ?*/
00116       if( argc != 8 )
00117       {
00118           /* Fatal incorrect argument count */ 
00119           FatalError("%s(%d) => Threshold-RuleOptionParse: incorrect argument count, should be 4 pairs\n",
00120                             file_name, file_line);
00121       }
00122 
00123       for(i=0;i<argc;i++)
00124       {
00125         if( strcmp(argv[i],"count") == 0  )
00126          {
00127             i++;
00128             thdx->count = xatou(argv[i],"threshold: count");
00129             count_flag++;
00130          }
00131         else if( strcmp(argv[i],"seconds") == 0  )
00132          {
00133             i++;
00134             thdx->seconds = xatou(argv[i],"threshold: seconds");
00135             seconds_flag++;
00136          }
00137         else if( strcmp(argv[i],"type") == 0  )
00138          {
00139             i++;
00140             if( strcmp(argv[i],"limit") == 0 )
00141             {
00142                thdx->type = THD_TYPE_LIMIT;
00143             }
00144             else if( strcmp(argv[i],"threshold") == 0 )
00145             {
00146                thdx->type = THD_TYPE_THRESHOLD;
00147             }
00148             else if( strcmp(argv[i],"both") == 0 )
00149             {
00150                thdx->type = THD_TYPE_BOTH;
00151             }
00152             else
00153             {
00154                 /* Fatal incorrect threshold type */
00155                  FatalError("%s(%d) => Threshold-RuleOptionParse: incorrect 'type' argument \n",
00156                                 file_name, file_line);
00157             }
00158             type_flag++;
00159          }
00160         else if( strcmp(argv[i],"track") == 0  )
00161          {
00162             i++;
00163             if( strcmp(argv[i],"by_src") == 0 )
00164             {
00165                 thdx->tracking = THD_TRK_SRC;
00166             }
00167             else if( strcmp(argv[i],"by_dst") == 0 )
00168             {
00169                 thdx->tracking = THD_TRK_DST;
00170             }
00171             else
00172             {
00173                 /* Fatal incorrect threshold type */
00174                  FatalError("%s(%d) => Threshold-RuleOptionParse: incorrect tracking type\n",
00175                                 file_name, file_line);
00176             }
00177             tracking_flag++;
00178          }
00179         else
00180          {
00181             /* Fatal Out Here - Unknow Option */
00182             FatalError("%s(%d) => Threshold-RuleOptionParse: unknown argument \n",
00183                             file_name, file_line);
00184          }
00185      }
00186 
00187      if( (count_flag + tracking_flag + type_flag + seconds_flag ) != 4 )
00188      {
00189          /* Fatal - incorrect argument count */
00190          FatalError("%s(%d) => Threshold-RuleOptionParse: incorrect argument count\n",
00191                         file_name, file_line);
00192      }
00193 }
00194 
00195 /*
00196 
00197    Process the 'config threshold: memcap #bytes, option2-name option2-value, ...'
00198 
00199    config threshold: memcap #bytes
00200 */
00201 void ProcessThresholdOptions(char *options)
00202 {
00203       int     i = 0;
00204       char ** args;
00205       int     nargs;
00206       char ** oargs;
00207       int     noargs;
00208       
00209       if( !s_enabled )
00210           return ;
00211 
00212       args = mSplit(options,",",10,&nargs,0);  /* get rule option pairs */
00213 
00214       for(i=0;i<nargs;i++)
00215       {
00216           oargs = mSplit(options," ",2,&noargs,0);  /* get rule option pairs */
00217 
00218           if( strcmp(oargs[0],"memcap") == 0  )
00219           {
00220              s_memcap = xatou(oargs[1],"config threshold: memcap");
00221           }
00222           else
00223           {
00224              FatalError("%s(%d) => Threshold-RuleOptionParse: unknown argument\n",file_name, file_line);
00225           }
00226      }
00227      mSplitFree(&args, nargs);
00228      mSplitFree(&oargs, noargs);
00229 }
00230 
00231 /*
00232    threshold gen_id #, sig_id #, type limit|threshold|both, track by_src|by_dst,  count #, seconds #
00233 
00234    8/25/03 - added support for a global threshold, uses sid = 0, and is applied after all other thresholding so 
00235    a sid specific threshold or suppress command has precedence...
00236 */
00237 void ParseSFThreshold( FILE * fp, char * rule )
00238 {
00239      char        **args, **oargs;
00240      int         nargs, noargs;
00241      THDX_STRUCT thdx;
00242      int         count_flag=0;
00243      int         seconds_flag=0;
00244      int         type_flag=0;
00245      int         tracking_flag=0;
00246      int         genid_flag=0;
00247      int         sigid_flag=0;
00248      int         i;
00249 
00250      memset( &thdx, 0, sizeof(THDX_STRUCT) );
00251 
00252      while( (*rule <= ' ') && (*rule > 0) ) rule++; /* skip whitespace */
00253      while( (*rule  > ' ') ) rule++;  /* skip 'threshold' */
00254 
00255      args = mSplit(rule,",",15,&nargs,0);  /* get rule option pairs */
00256 
00257      for( i=0; i<nargs; i++ )
00258      {
00259          oargs = mSplit(args[i]," ",2,&noargs,0);  /* get rule option pairs */
00260          
00261              if( noargs != 2 )
00262          {
00263              FatalError("%s(%d) => Threshold Parse: argument pairing error\n", file_name, file_line);
00264          }
00265 
00266          if( strcmp(oargs[0],"type")==0 )
00267          {
00268             if( strcmp(oargs[1],"limit") == 0 )
00269             {
00270                thdx.type = THD_TYPE_LIMIT;
00271             }
00272             else if( strcmp(oargs[1],"threshold") == 0 )
00273             {
00274                thdx.type = THD_TYPE_THRESHOLD;
00275             }
00276             else if( strcmp(oargs[1],"both") == 0 )
00277             {
00278                thdx.type = THD_TYPE_BOTH;
00279             }
00280             else
00281             {
00282                 /* Fatal incorrect threshold type */
00283                  FatalError("%s(%d) => Threshold-Parse: incorrect 'type' argument \n", file_name, file_line);
00284             }
00285             type_flag++;
00286          }
00287 
00288          else if( strcmp(oargs[0],"track")==0 )
00289          {
00290             if( strcmp(oargs[1],"by_src") == 0 )
00291             {
00292                 thdx.tracking = THD_TRK_SRC;
00293             }
00294             else if( strcmp(oargs[1],"by_dst") == 0 )
00295             {
00296                 thdx.tracking = THD_TRK_DST;
00297             }
00298             else
00299             {
00300                 /* Fatal incorrect threshold type */
00301                  FatalError("%s(%d) => Threshold-Parse: incorrect tracking type\n", file_name, file_line);
00302             }
00303             tracking_flag++;
00304          }
00305 
00306              else if( strcmp(oargs[0],"count")==0 )
00307          {
00308             thdx.count = xatou(oargs[1],"threshold: count");
00309             count_flag++;
00310          }
00311 
00312          else if( strcmp(oargs[0],"seconds")==0 )
00313          {
00314             thdx.seconds = xatou(oargs[1],"threshold: seconds");
00315             seconds_flag++;
00316          }
00317 
00318          else if( strcmp(oargs[0],"gen_id")==0 )
00319          {
00320             thdx.gen_id =  xatou(oargs[1],"threshold: gen_id");
00321             genid_flag++;
00322 
00323                 if( oargs[1][0]== '-' ) 
00324                 FatalError("%s(%d) => Threshold-Parse: gen_id < 0 not supported  '%s %s'\n",
00325                                     file_name, file_line, oargs[0],oargs[1]);
00326          }
00327 
00328          else if( strcmp(oargs[0],"sig_id")==0 )
00329          {
00330             thdx.sig_id = xatou(oargs[1],"threshold: sig_id");
00331             sigid_flag++;
00332                 if( oargs[1][0]== '-' ) 
00333                 FatalError("%s(%d) => Threshold-Parse: sig_id < 0 not supported  '%s %s'\n",
00334                                     file_name, file_line, oargs[0],oargs[1]);
00335          }
00336          else
00337          {
00338              /* Fatal incorrect threshold type */
00339              FatalError("%s(%d) => Threshold-Parse: unsupported option : %s %s\n",
00340                                 file_name, file_line, oargs[0],oargs[1]);
00341          }
00342      }
00343 
00344      if( (count_flag + tracking_flag + type_flag + seconds_flag + genid_flag + sigid_flag) != 6 )
00345      {
00346         /* Fatal - incorrect argument count */
00347         FatalError("%s(%d) => Threshold-Parse: incorrect argument count\n",file_name, file_line);
00348      }
00349 
00350      if( sfthreshold_create( &thdx  ) )
00351      {
00352             if( thdx.sig_id == 0 )
00353             {
00354                FatalError("%s(%d) => Global Threshold-Parse: could not create a threshold object "
00355                             "-- only one per gen_id=%u!\n",
00356                                 file_name, file_line,thdx.gen_id);
00357             }
00358             else
00359             {
00360                if( thdx.gen_id ==  0 )
00361                {
00362                   FatalError("%s(%d) => Global Threshold-Parse: could not create a threshold object "
00363                             "-- a gen_id < 0 requires a sig_id < 0, sig_id=%u !\n",
00364                                     file_name, file_line, thdx.sig_id);
00365                }
00366                else
00367                {
00368                   FatalError("%s(%d) => Threshold-Parse: could not create a threshold object -- only one per sig_id=%u!\n",
00369                                     file_name, file_line, thdx.sig_id);
00370                }
00371             }
00372      }
00373 
00374      mSplitFree(&args, nargs);
00375      mSplitFree(&oargs, noargs);
00376 }
00377 
00378 /*
00379 
00380     Parse basic CIDR block  - [!]a.b.c.d/bits
00381 
00382 */
00383 static void parseCIDR( THDX_STRUCT * thdx, char * s )
00384 {
00385    char        **args;
00386    int          nargs;
00387 
00388    if (*s == '!')
00389    {
00390        thdx->not_flag = 1;
00391        s++;
00392        while( (*s <= ' ') && (*s > 0) ) s++; /* skip whitespace */
00393    }
00394 
00395    args = mSplit( s , "/", 2, &nargs, 0 );  /* get rule option pairs */
00396 
00397    if( !nargs || nargs > 2  )
00398    {
00399        FatalError("%s(%d) => Suppress-Parse: argument pairing error\n", file_name, file_line);
00400    }
00401 
00402    /*
00403    *   Keep IP in network order
00404    */
00405    thdx->ip_address = inet_addr( args[0] );   
00406 
00407    if( nargs == 2 )
00408    {
00409        int      i;
00410        int      nbits;
00411        unsigned mask;
00412 
00413        nbits = xatou( args[1],"suppress: cidr mask bits" );
00414        mask  = 1 << 31;
00415 
00416        for( i=0; i<nbits; i++ )
00417        {
00418           thdx->ip_mask |= mask;
00419           mask >>= 1;
00420        }
00421 
00422        /* 
00423           Put mask in network order 
00424        */
00425        thdx->ip_mask = htonl(thdx->ip_mask);       
00426    }
00427    else
00428    {
00429        thdx->ip_mask = 0xffffffff; /* requires exact ip match */
00430    }
00431 
00432    /* just in case the network is not right */
00433    thdx->ip_address &= thdx->ip_mask;
00434 
00435    mSplitFree(&args, nargs);
00436 }
00437 
00438 /*
00439 
00440    suppress gen_id #, sig_id #, track by_src|by_dst, ip cidr'
00441 
00442 */
00443 void ParseSFSuppress( FILE * fp, char * rule )
00444 {
00445 
00446      char        **args, **oargs;
00447      int         nargs, noargs;
00448      THDX_STRUCT thdx;
00449      int         genid_flag=0;
00450      int         sigid_flag=0;
00451      int         i;
00452 
00453      memset( &thdx, 0, sizeof(THDX_STRUCT) );
00454 
00455      while( (*rule <= ' ') && (*rule > 0) ) rule++; /* skip whitespace */
00456      while( (*rule  > ' ') ) rule++;  /* skip 'suppress' */
00457 
00458      args = mSplit(rule,",",15,&nargs,0);  /* get rule option pairs */
00459 
00460      thdx.type      =  THD_TYPE_SUPPRESS;
00461      thdx.priority  =  THD_PRIORITY_SUPPRESS;
00462      thdx.ip_address=  0;  //default is all ip's- ignore this event altogether
00463      thdx.ip_mask   =  0;
00464      thdx.tracking  =  THD_TRK_DST;
00465 
00466      for( i=0; i<nargs; i++ )
00467      {
00468          oargs = mSplit(args[i]," ",2,&noargs,0);  /* get rule option pairs */
00469          if( noargs != 2 )
00470          {
00471              FatalError("%s(%d) => Suppress-Parse: argument pairing error\n", file_name, file_line);
00472          }
00473 
00474          if( strcmp(oargs[0],"track")==0 )
00475          {
00476             if( strcmp(oargs[1],"by_src") == 0 )
00477             {
00478                 thdx.tracking = THD_TRK_SRC;
00479             }
00480             else if( strcmp(oargs[1],"by_dst") == 0 )
00481             {
00482                 thdx.tracking = THD_TRK_DST;
00483             }
00484             else
00485             {
00486                 /* Fatal incorrect threshold type */
00487                  FatalError("%s(%d) => Suppress-Parse: incorrect tracking type\n", file_name, file_line);
00488             }
00489          }
00490 
00491          else if( strcmp(oargs[0],"gen_id")==0 )
00492          {
00493             char * endptr;
00494             thdx.gen_id = strtoul(oargs[1],&endptr,10);
00495             genid_flag++;
00496             if( oargs[1][0]=='-' )
00497                 FatalError("%s(%d) => Suppress-Parse: gen_id < 0 is not supported, '%s %s' \n",
00498                                 file_name, file_line, oargs[0],oargs[1]);
00499          }
00500 
00501          else if( strcmp(oargs[0],"sig_id")==0 )
00502          {
00503             char * endptr;
00504             thdx.sig_id = strtoul(oargs[1],&endptr,10);
00505             sigid_flag++;
00506             if( oargs[1][0]=='-' )
00507                 FatalError("%s(%d) => Suppress-Parse: sig_id < 0 is not supported, '%s %s' \n",
00508                                 file_name, file_line, oargs[0],oargs[1]);
00509          }
00510 
00511          else if( strcmp(oargs[0],"ip")==0 )
00512          {
00513             parseCIDR( &thdx, oargs[1] );
00514          }
00515      }
00516 
00517      if( ( genid_flag + sigid_flag) != 2 )
00518      {
00519          /* Fatal - incorrect argument count */
00520          FatalError("%s(%d) => Suppress-Parse: incorrect argument count\n", file_name, file_line);
00521      }
00522 
00523      if( sfthreshold_create( &thdx  ) )
00524      {
00525          FatalError("%s(%d) => Suppress-Parse: could not create a threshold object\n", file_name, file_line);
00526      }
00527 
00528      mSplitFree(&args, nargs);
00529      mSplitFree(&oargs, noargs);
00530 }
00531 
00532 /*
00533 
00534     Init Thresholding - call when starting to parsing rules - so we can add them 
00535 
00536     if the init function is not called, than all thresholding is turned off because
00537     the thd_struct pointer is null.
00538 
00539 */
00540 int sfthreshold_init()
00541 {
00542    if( !s_enabled )
00543        return 0;
00544 
00545    /* Check if already init'd */
00546    if( s_thd )
00547        return 0;
00548 
00549    s_thd = sfthd_new( s_memcap );
00550    if( !s_thd )
00551    {
00552        return -1;
00553    }
00554 
00555    return 0;
00556 }
00557 
00558 /*
00559 *  DEBUGGING ONLY
00560 */
00561 void print_netip(unsigned long ip)
00562 {
00563     struct in_addr addr;
00564     char *str;
00565 
00566     addr.s_addr= ip;
00567     str = inet_ntoa(addr);
00568 
00569     if(str)
00570         printf("%s", str);
00571 
00572     return;
00573 }
00574 
00575 /*
00576 *  DEBUGGING ONLY
00577 */
00578 void print_thdx( THDX_STRUCT * thdx )
00579 {
00580     if( thdx->type != THD_TYPE_SUPPRESS )
00581     {
00582        printf("THRESHOLD: gen_id=%u, sig_id=%u, type=%d, tracking=%d, count=%d, seconds=%d \n",
00583                        thdx->gen_id,
00584                        thdx->sig_id,
00585                        thdx->type,
00586                        thdx->tracking,
00587                        thdx->count,
00588                        thdx->seconds );
00589     }
00590     else
00591     {
00592        printf("SUPPRESS: gen_id=%u, sig_id=%u, tracking=%d, not_flag=%d ",
00593                        thdx->gen_id,
00594                        thdx->sig_id,
00595                        thdx->tracking,
00596                        thdx->not_flag);
00597 
00598        printf(" ip=");
00599        print_netip(thdx->ip_address); 
00600        printf(", mask=" );
00601        print_netip(thdx->ip_mask); 
00602        printf("\n");
00603     }
00604 }
00605 
00606 static 
00607 void ntoa( char * buff, int blen, unsigned ip )
00608 {
00609    snprintf(buff,blen,"%d.%d.%d.%d", ip&0xff,(ip>>8)&0xff,(ip>>16)&0xff,(ip>>24)&0xff );
00610 }
00611 
00612 #define PRINT_GLOBAL   0
00613 #define PRINT_LOCAL    1
00614 #define PRINT_SUPPRESS 2
00615 /*
00616  *   type = 0 : global
00617  *          1 : local
00618  *          2 : suppres         
00619  */
00620 int print_thd_node( THD_NODE *p , int type )
00621 {
00622     char buf[STD_BUF+1];
00623     char buffer[80];
00624 
00625     memset(buf, 0, STD_BUF+1);
00626 
00627     switch( type )
00628     {
00629     case 0: /* global */
00630                if(p->type == THD_TYPE_SUPPRESS ) return 0;
00631            if(p->sig_id != 0 ) return 0;
00632            break;
00633            
00634     case 1: /* local */
00635                if(p->type == THD_TYPE_SUPPRESS ) return 0;
00636            if(p->sig_id == 0 || p->gen_id == 0 ) return 0;
00637            break;
00638            
00639     case 2: /*suppress  */
00640                if(p->type != THD_TYPE_SUPPRESS ) return 0;
00641            break;
00642     }
00643     
00644     /*     sfsnprintfappend(buf, STD_BUF, "| thd-id=%d", p->thd_id ); */
00645 
00646     
00647     if( p->gen_id == 0 )
00648     {
00649         sfsnprintfappend(buf, STD_BUF, "| gen-id=global");
00650     }
00651     else
00652     {
00653         sfsnprintfappend(buf, STD_BUF, "| gen-id=%-6d", p->gen_id );
00654     }
00655     if( p->sig_id == 0 )
00656     {
00657         sfsnprintfappend(buf, STD_BUF, " sig-id=global" );
00658     }
00659     else
00660     {
00661         sfsnprintfappend(buf, STD_BUF, " sig-id=%-10d", p->sig_id );
00662     }
00663     
00664     /*               
00665     if( p->type == THD_TYPE_SUPPRESS )
00666     sfsnprintfappend(buf, STD_BUF, " type=Suppress ");
00667     */      
00668     if( p->type != THD_TYPE_SUPPRESS )
00669     {
00670         if( p->type == THD_TYPE_LIMIT )
00671             sfsnprintfappend(buf, STD_BUF, " type=Limit    ");
00672         
00673         if( p->type == THD_TYPE_THRESHOLD )
00674             sfsnprintfappend(buf, STD_BUF, " type=Threshold");
00675         
00676         if( p->type == THD_TYPE_BOTH )
00677             sfsnprintfappend(buf, STD_BUF, " type=Both     ");
00678     }
00679     
00680     sfsnprintfappend(buf, STD_BUF, " tracking=%s", (!p->tracking) ? "src" : "dst" );
00681                   
00682     if( p->type == THD_TYPE_SUPPRESS )
00683     {
00684         ntoa(buffer,80,p->ip_address);
00685         if (p->not_flag)
00686             sfsnprintfappend(buf, STD_BUF, "ip=!%-16s", buffer);
00687         else
00688             sfsnprintfappend(buf, STD_BUF, "ip=%-17s", buffer);
00689         ntoa(buffer,80,p->ip_mask);
00690         sfsnprintfappend(buf, STD_BUF, " mask=%-15s", buffer );
00691     }
00692     else
00693     {
00694         sfsnprintfappend(buf, STD_BUF, " count=%-3d", p->count);
00695         sfsnprintfappend(buf, STD_BUF, " seconds=%-3d", p->seconds);
00696     }
00697     
00698     LogMessage("%s\n", buf);
00699     
00700     return 1;
00701 }
00702 /*
00703  * 
00704  */
00705 int print_thd_local( THD_STRUCT * thd, int type )
00706 {
00707     SFGHASH  * sfthd_hash; 
00708     THD_ITEM * sfthd_item;
00709     THD_NODE * sfthd_node;
00710     int        gen_id;
00711     SFGHASH_NODE * item_hash_node;
00712     int        lcnt=0;
00713     
00714     for(gen_id=0;gen_id < THD_MAX_GENID ; gen_id++ )
00715     {
00716         sfthd_hash = thd->sfthd_array [ gen_id ];
00717         if( !sfthd_hash )
00718         {
00719             continue;
00720         }
00721         
00722         for(item_hash_node  = sfghash_findfirst( sfthd_hash );
00723         item_hash_node != 0; 
00724         item_hash_node  = sfghash_findnext( sfthd_hash ) )
00725         {
00726             /* Check for any Permanent sig_id objects for this gen_id */
00727             sfthd_item = (THD_ITEM*)item_hash_node->data;
00728             
00729             /* For each permanent thresholding object, test/add/update the thd object */
00730             /* We maintain a list of thd objects for each gen_id+sig_id */
00731             /* each object has it's own unique thd_id */
00732             
00733             for( sfthd_node  = (THD_NODE*)sflist_first(sfthd_item->sfthd_node_list);
00734             sfthd_node != 0;
00735             sfthd_node = (THD_NODE*)sflist_next(sfthd_item->sfthd_node_list) )
00736             {
00737                 if (print_thd_node( sfthd_node,type) != 0)
00738                     lcnt++;
00739             }
00740         }
00741     }
00742     
00743     if( ! lcnt ) LogMessage("| none\n");
00744     
00745     return 0;
00746 }
00747 
00748 
00749 /*
00750  *  Startup Display Of Thresholding
00751  */
00752 void print_thresholding()
00753 {
00754         int i, gcnt=0;
00755         THD_NODE * thd;
00756         
00757         LogMessage("\n");
00758         LogMessage("+-----------------------[thresholding-config]----------------------------------\n");
00759         LogMessage("| memory-cap : %d bytes\n",s_memcap);
00760 
00761         
00762         LogMessage("+-----------------------[thresholding-global]----------------------------------\n");
00763         if( !s_thd ) 
00764         {
00765              LogMessage("| none\n");
00766         }
00767         else
00768         {
00769           for(i=0;i<THD_MAX_GENID;i++)
00770           {
00771                 thd = s_thd->sfthd_garray[i];
00772                 if( !thd ) continue;
00773                 gcnt++;
00774           }
00775           
00776           if( !gcnt ) 
00777              LogMessage("| none\n");
00778           
00779           /* display gen_id=global  and sig_id=global rules */
00780           if( gcnt )
00781           for(i=0;i<THD_MAX_GENID;i++)
00782           {
00783                 thd = s_thd->sfthd_garray[i];
00784                 if( !thd ) continue;
00785         
00786                 if( thd->gen_id == 0 && thd->sig_id == 0 )
00787                 {
00788                       print_thd_node( thd, PRINT_GLOBAL );
00789                       break;
00790                 }
00791           }
00792 
00793           /* display gen_id!=global and sig_id=global rules */
00794           if( gcnt )
00795           for(i=0;i<THD_MAX_GENID;i++)
00796           {
00797                 thd = s_thd->sfthd_garray[i];
00798                 if( !thd ) continue;
00799                 
00800                 if( thd->gen_id !=0 ||  thd->sig_id != 0 )
00801                 {
00802                   print_thd_node( thd, PRINT_GLOBAL );
00803                 }
00804           }
00805         }
00806 
00807         LogMessage("+-----------------------[thresholding-local]-----------------------------------\n");
00808         if( !s_thd )
00809         {
00810              LogMessage("| none\n");
00811         }
00812         else
00813         {
00814           print_thd_local(s_thd, PRINT_LOCAL );
00815         }
00816         
00817         LogMessage("+-----------------------[suppression]------------------------------------------\n");
00818         if( !s_thd )
00819         {
00820            LogMessage("| none\n");
00821         }
00822         else
00823         {
00824            print_thd_local(s_thd, PRINT_SUPPRESS );
00825         }
00826         
00827         LogMessage("-------------------------------------------------------------------------------\n");
00828         
00829 }
00830 
00831 /*
00832 
00833     Create and Add a Thresholding Event Object
00834 
00835 */
00836 int sfthreshold_create( THDX_STRUCT * thdx  )
00837 {
00838         if( !s_enabled )
00839                 return 0;
00840 
00841         if( !s_thd )  /* Auto init - memcap must be set 1st, which is not really a problem */
00842         {
00843                 sfthreshold_init();
00844 
00845                 if( !s_thd )
00846                         return -1;
00847         }
00848 
00849         /* print_thdx( thdx ); */
00850 
00851         /* Add the object to the table - */
00852         return sfthd_create_threshold( s_thd,
00853                        thdx->gen_id,
00854                        thdx->sig_id,
00855                        thdx->tracking,
00856                        thdx->type,
00857                        thdx->priority,
00858                        thdx->count,
00859                        thdx->seconds,
00860                        thdx->ip_address, 
00861                        thdx->ip_mask,
00862                        thdx->not_flag ); 
00863 }
00864 
00865 /*
00866 
00867     Test an event against the threshold object table
00868     to determine if it should be logged.
00869 
00870     It will always return the same answer until sfthreshold_reset is
00871     called
00872 
00873         gen_id:
00874         sig_id: 
00875         sip:    host ordered sip
00876         dip:    host ordered dip
00877         curtime: 
00878 
00879     2003-05-29 cmg:
00880 
00881      This code is in use in fpLogEvent, CallAlertFuncs, CallLogFuncs
00882      and the reset function is called in ProcessPacket
00883 
00884 
00885     returns 1 - log
00886             0 - don't log
00887 
00888             
00889 */
00890 int sfthreshold_test( unsigned gen_id, unsigned  sig_id, unsigned sip, unsigned dip, long curtime )
00891 {
00892    if( !s_enabled )
00893    {
00894        return 1;
00895    }
00896   
00897    if( !s_thd ) /* this should not happen, see the create fcn */
00898    {
00899        return 1;
00900    }
00901 
00902    if( !s_checked )
00903    {
00904       s_checked = 1;
00905       s_answer  = !sfthd_test_threshold( s_thd, gen_id, sig_id, sip, dip, curtime );
00906    }
00907        
00908    return s_answer;
00909 }
00910 
00911 /** 
00912  * Reset the thresholding system so that subsequent calls to
00913  * sfthreshold_test will indeed try to alter the thresholding system
00914  *
00915  */
00916 void sfthreshold_reset(void)
00917 {
00918     s_checked = 0;
00919 }
Generated on Sun May 14 14:51:18 2006 by  doxygen 1.4.2