
sp_ip_id_check.c

00001 /*
00002 ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
00003 **
00004 ** This program is free software; you can redistribute it and/or modify
00005 ** it under the terms of the GNU General Public License as published by
00006 ** the Free Software Foundation; either version 2 of the License, or
00007 ** (at your option) any later version.
00008 **
00009 ** This program is distributed in the hope that it will be useful,
00010 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
00011 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
00012 ** GNU General Public License for more details.
00013 **
00014 ** You should have received a copy of the GNU General Public License
00015 ** along with this program; if not, write to the Free Software
00016 ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
00017 */
00018 
00019 /* $Id$ */
00020 
00021 #ifdef HAVE_CONFIG_H
00022 #include "config.h"
00023 #endif
00024 
00025 #include <sys/types.h>
00026 #include <stdlib.h>
00027 #include <ctype.h>
00028 
00029 #include "rules.h"
00030 #include "decode.h"
00031 #include "parser.h"
00032 #include "plugbase.h"
00033 #include "debug.h"
00034 #include "plugin_enum.h"
00035 #include "util.h"
00036 
/* Per-rule data for the "id" rule option. */
typedef struct _IpIdData
{
    /* The rule's IP identification value as stored by ParseIpId(), i.e. the
     * result of htons(), so IpIdCheckEq() can compare it directly with the
     * header field.
     * NOTE(review): only a 16-bit quantity is ever stored here; u_long is
     * wider than the value needs. */
    u_long ip_id;
} IpIdData;

/* Option setup, argument parsing and per-packet test for the "id" keyword. */
void IpIdCheckInit(char *data, OptTreeNode *otn, int protocol);
void ParseIpId(char *data, OptTreeNode *otn);
int IpIdCheckEq(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list);
00046 
00047 
/****************************************************************************
 *
 * Function: SetupIpIdCheck()
 *
 * Purpose: Register IpIdCheckInit as the handler for the "id" rule keyword
 *          and emit a DEBUG_PLUGIN debug message.
 *
 * Arguments: None.
 *
 * Returns: void function
 *
 ****************************************************************************/
void SetupIpIdCheck(void)
{
    /* "id" options are handed to IpIdCheckInit through RegisterPlugin() */
    RegisterPlugin("id", IpIdCheckInit);

    DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Plugin: IpIdCheck Initialized\n"););
}
00066 
00067 
/****************************************************************************
 *
 * Function: IpIdCheckInit(char *, OptTreeNode *, int)
 *
 * Purpose: Allocate the id option's data struct, parse the rule argument
 *          into it and add IpIdCheckEq to the rule's detect function list
 *
 * Arguments: data => rule arguments/data
 *            otn => pointer to the current rule option list node
 *            protocol => not used by this function
 *
 * Returns: void function
 *
 ****************************************************************************/
void IpIdCheckInit(char *data, OptTreeNode *otn, int protocol)
{
    IpIdData *id_data;  /* storage for this rule's id option */

    /* an id option may be given only once per rule */
    if(otn->ds_list[PLUGIN_IP_ID_CHECK] != NULL)
    {
        FatalError("%s(%d): Multiple IP id options in rule\n", file_name,
                file_line);
    }

    /* the storage lives in this plugin's slot of the rule's
       data struct list */
    id_data = (IpIdData *) SnortAlloc(sizeof(IpIdData));
    otn->ds_list[PLUGIN_IP_ID_CHECK] = id_data;

    /* fill the storage from the keyword argument */
    ParseIpId(data, otn);

    /* register the per-packet test on the rule's detect function
       pointer list */
    AddOptFuncToList(IpIdCheckEq, otn);
}
00103 
00104 
00105 
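/****************************************************************************
 *
 * Function: ParseIpId(char *, OptTreeNode *)
 *
 * Purpose: Convert the id option argument to a 16-bit value and store it,
 *          via htons(), in the option's data structure.  An argument that
 *          is missing, does not start with a decimal digit, is followed by
 *          anything other than whitespace, or is larger than 65535 is
 *          reported with FatalError() instead of being silently turned
 *          into a different id, so a mistyped rule cannot end up matching
 *          a value its author never wrote.
 *
 * Arguments: data => argument data
 *            otn => pointer to the current rule's OTN; its
 *                   PLUGIN_IP_ID_CHECK slot must already hold an IpIdData
 *
 * Returns: void function
 *
 ****************************************************************************/
void ParseIpId(char *data, OptTreeNode *otn)
{
    IpIdData *ds_ptr;  /* data struct pointer */
    char *end;         /* first character strtoul() did not consume */
    unsigned long id;  /* parsed value, host byte order */

    /* set the ds pointer to make it easier to reference the option's
       particular data struct */
    ds_ptr = otn->ds_list[PLUGIN_IP_ID_CHECK];

    if(data == NULL)
    {
        FatalError("%s(%d): Missing argument to IP id option\n", file_name,
                file_line);
        /* NOTE(review): FatalError is presumably non-returning; the return
           keeps the NULL pointer from being dereferenced if it is not */
        return;
    }

    /* get rid of any leading whitespace; the unsigned char cast keeps a
       negative char value from reaching isspace() */
    while(isspace((unsigned char)*data))
    {
        data++;
    }

    /* requiring a digit here rejects an empty argument, a sign and any
       non-numeric text before strtoul() sees them */
    if(!isdigit((unsigned char)*data))
    {
        FatalError("%s(%d): Invalid IP id argument \"%s\" (expected 0-65535)\n",
                file_name, file_line, data);
        return;
    }

    id = strtoul(data, &end, 10);

    /* trailing whitespace is tolerated, anything else is not */
    while(isspace((unsigned char)*end))
    {
        end++;
    }

    /* the IP id field is 16 bits wide; a strtoul() overflow returns
       ULONG_MAX and is caught by the same range test */
    if(*end != '\0' || id > 0xFFFFUL)
    {
        FatalError("%s(%d): Invalid IP id argument \"%s\" (expected 0-65535)\n",
                file_name, file_line, data);
        return;
    }

    ds_ptr->ip_id = htons((u_short) id);

    /* the value printed is the stored one, i.e. after htons() */
    DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"ID set to %lu\n", ds_ptr->ip_id););
}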
00137 
00138 
/****************************************************************************
 *
 * Function: IpIdCheckEq(Packet *, struct _OptTreeNode *, OptFpList *)
 *
 * Purpose: Test the ip header's id field to see if its value is equal to the
 *          value stored for the rule.  The comparison is exact equality
 *          only.  This is useful to detect things like "elite" numbers,
 *          oddly repeating numbers, etc.
 *
 * Arguments: p => packet under test
 *            otn => pointer to the current rule's OTN
 *            fp_list => detect function list node; on a match the test
 *                       continues at fp_list->next
 *
 * Returns: 0 if the packet has no IP header or the id differs, otherwise
 *          the value returned by the next test function in the list
 *
 ****************************************************************************/
int IpIdCheckEq(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list)
{
    IpIdData *rule_id;  /* this rule's id option data */

    /* no IP header pointer on this packet: there is nothing to compare */
    if(!p->iph)
        return 0;

    rule_id = (IpIdData *)otn->ds_list[PLUGIN_IP_ID_CHECK];

    if(rule_id->ip_id != p->iph->ip_id)
    {
        /* the test isn't successful */
        DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "No match for sp_ip_id_check\n"););
        return 0;
    }

    /* ids are equal: call the next function in the function list */
    return fp_list->next->OptTestFunc(p, otn, fp_list->next);
}
