#include <sys/types.h>
#include <stdlib.h>
#include <ctype.h>
#include <rpc/types.h>
#include "bounds.h"
#include "generators.h"
#include "log.h"
#include "detect.h"
#include "decode.h"
#include "event.h"
#include "util.h"
#include "debug.h"
#include "plugbase.h"
#include "parser.h"
#include "mstring.h"
#include "checksum.h"
#include "perf.h"
#include "event_queue.h"
#include "timersub.h"
#include "fpcreate.h"
#include "sfutil/sflsq.h"
#include "sfutil/sfxhash.h"
#include "snort.h"
Definition in file spp_frag3.c.
|
Definition at line 151 of file spp_frag3.c. |
|
Definition at line 154 of file spp_frag3.c. Referenced by Frag3GlobalInit(), and Frag3ParseGlobalArgs(). |
|
Definition at line 179 of file spp_frag3.c. Referenced by EventAnomBadsizeLg(), EventAnomBadsizeSm(), EventAnomIpOpts(), EventAnomOverlap(), EventAnomOversize(), EventAnomShortFrag(), EventAnomZeroFrag(), EventAttackTeardrop(), Frag3Insert(), and Frag3ParseArgs(). |
|
Definition at line 126 of file spp_frag3.c. Referenced by Frag3Init(), and Frag3ParseArgs(). |
|
Definition at line 124 of file spp_frag3.c. Referenced by Frag3Init(), and Frag3ParseArgs(). |
|
Definition at line 115 of file spp_frag3.c. Referenced by Frag3Defrag(), and Frag3Insert(). |
|
Definition at line 170 of file spp_frag3.c. Referenced by Frag3CheckFirstLast(). |
|
Definition at line 112 of file spp_frag3.c. |
|
Definition at line 113 of file spp_frag3.c. |
|
Definition at line 166 of file spp_frag3.c. Referenced by AddFragNode(), Frag3Defrag(), and Frag3Insert(). |
|
Definition at line 165 of file spp_frag3.c. Referenced by Frag3Defrag(), and Frag3Insert(). |
|
Definition at line 162 of file spp_frag3.c. Referenced by AddFragNode(), DupFragNode(), Frag3Defrag(), and Frag3Insert(). |
|
Definition at line 161 of file spp_frag3.c. Referenced by AddFragNode(), DupFragNode(), Frag3Defrag(), and Frag3Insert(). |
|
Definition at line 163 of file spp_frag3.c. |
|
Definition at line 164 of file spp_frag3.c. Referenced by Frag3Defrag(), and Frag3Insert(). |
|
Definition at line 167 of file spp_frag3.c. Referenced by Frag3Defrag(), and Frag3Insert(). |
|
Definition at line 171 of file spp_frag3.c. Referenced by Frag3CheckFirstLast(). |
|
Definition at line 176 of file spp_frag3.c. Referenced by Frag3CheckFirstLast(), and Frag3Insert(). |
|
Definition at line 122 of file spp_frag3.c. |
|
Definition at line 174 of file spp_frag3.c. Referenced by Frag3Expire(). |
|
Definition at line 131 of file spp_frag3.c. Referenced by Frag3CheckFirstLast(), Frag3Init(), Frag3Insert(), and Frag3ParseArgs(). |
|
Definition at line 132 of file spp_frag3.c. Referenced by Frag3CheckFirstLast(), Frag3Insert(), and Frag3ParseArgs(). |
|
Definition at line 129 of file spp_frag3.c. Referenced by Frag3CheckFirstLast(), Frag3Insert(), and Frag3ParseArgs(). |
|
Definition at line 133 of file spp_frag3.c. Referenced by Frag3CheckFirstLast(), Frag3Insert(), and Frag3ParseArgs(). |
|
Definition at line 130 of file spp_frag3.c. Referenced by Frag3CheckFirstLast(), Frag3Insert(), and Frag3ParseArgs(). |
|
Definition at line 137 of file spp_frag3.c. Referenced by Frag3CheckFirstLast(), Frag3Insert(), and Frag3ParseArgs(). |
|
Definition at line 134 of file spp_frag3.c. Referenced by Frag3CheckFirstLast(), Frag3Insert(), and Frag3ParseArgs(). |
|
Definition at line 117 of file spp_frag3.c. |
|
Definition at line 114 of file spp_frag3.c. |
|
Definition at line 157 of file spp_frag3.c. Referenced by CheckTimeout(). |
|
Definition at line 158 of file spp_frag3.c. Referenced by CheckTimeout(), Frag3Expire(), and Frag3Prune(). |
|
Definition at line 175 of file spp_frag3.c. Referenced by Frag3Expire(), and Frag3Insert(). |
|
Definition at line 235 of file spp_frag3.c. Referenced by fpAddFragAlert(). |
|
Definition at line 147 of file spp_frag3.c. |
|
Handle the creation of the new frag node and its insertion into the list. This is kept separate from actually calculating the values.
Definition at line 2006 of file spp_frag3.c. References _Frag3Frag::data, DEBUG_FRAG, DEBUG_WRAP, _Frag3Stats::discards, _Frag3Frag::flen, _Frag3Frag::fptr, Frag3FraglistAddNode(), Frag3PreallocPop(), Frag3Prune(), _FragTracker::frag_bytes, FRAG_INSERT_ANOMALY, FRAG_INSERT_FAILED, FRAG_INSERT_OK, _FragTracker::fraglist, _FragTracker::fraglist_count, _Frag3Stats::fragnodes_created, _Frag3Frag::last, mem_in_use, Frag3GlobalConfig::memcap, memcpy, _Frag3Frag::next, NULL, _Frag3Frag::offset, _Frag3Frag::ord, _FragTracker::ordinal, _Frag3Frag::prev, _Frag3Frag::size, SnortAlloc(), and Frag3GlobalConfig::use_prealloc. Referenced by Frag3Insert(). |
|
Check to see if a FragTracker has timed out
Definition at line 1424 of file spp_frag3.c. References FRAG_TIME_OK, FRAG_TIMEOUT, _Frag3Context::frag_timeout, and TIMERSUB. Referenced by Frag3Expire(), and Frag3Prune(). |
|
Duplicate a frag node and insert it into the list.
Definition at line 2155 of file spp_frag3.c. References _Frag3Frag::data, DEBUG_FRAG, DEBUG_WRAP, _Frag3Frag::flen, _Frag3Frag::fptr, Frag3FraglistAddNode(), Frag3PreallocPop(), Frag3Prune(), _FragTracker::frag_bytes, FRAG_INSERT_FAILED, FRAG_INSERT_OK, _FragTracker::fraglist_count, _Frag3Stats::fragnodes_created, _Frag3Frag::last, mem_in_use, Frag3GlobalConfig::memcap, memcpy, _Frag3Frag::next, NULL, _Frag3Frag::offset, _Frag3Frag::ord, _FragTracker::ordinal, _Frag3Frag::prev, _Frag3Frag::size, SnortAlloc(), and Frag3GlobalConfig::use_prealloc. Referenced by Frag3Insert(). |
|
The reassembled packet will be bigger than 64k, generate an event.
Definition at line 619 of file spp_frag3.c. References _Frag3Stats::alerts, _Frag3Stats::anomalies, _Frag3Context::frag3_alerts, FRAG3_ANOM_BADSIZE_LG_STR, FRAG3_ANOMALY_BADSIZE_LG, FRAG3_DETECT_ANOMALIES, GENERATOR_SPP_FRAG3, NULL, and SnortEventqAdd(). Referenced by Frag3Insert(). |
|
Fragment size is negative after insertion (end < offset).
Definition at line 643 of file spp_frag3.c. References _Frag3Stats::alerts, _Frag3Stats::anomalies, _Frag3Context::frag3_alerts, FRAG3_ANOM_BADSIZE_SM_STR, FRAG3_ANOMALY_BADSIZE_SM, FRAG3_DETECT_ANOMALIES, GENERATOR_SPP_FRAG3, NULL, and SnortEventqAdd(). Referenced by Frag3Insert(). |
|
Generate an event due to IP options being detected in a frag packet
Definition at line 498 of file spp_frag3.c. References _Frag3Stats::alerts, _Frag3Context::frag3_alerts, FRAG3_DETECT_ANOMALIES, FRAG3_IPOPTIONS, FRAG3_IPOPTIONS_STR, GENERATOR_SPP_FRAG3, NULL, and SnortEventqAdd(). Referenced by Frag3Defrag(), and Frag3HandleIPOptions(). |
|
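There is an overlap with this fragment; someone is probably being naughty. Overlaps matter because different IP stacks resolve them differently, which is what the target-based policies (FRAG_POLICY_*) account for during reassembly.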
Definition at line 667 of file spp_frag3.c. References _Frag3Stats::alerts, _Frag3Stats::anomalies, _Frag3Context::frag3_alerts, FRAG3_ANOM_OVLP_STR, FRAG3_ANOMALY_OVLP, FRAG3_DETECT_ANOMALIES, GENERATOR_SPP_FRAG3, NULL, and SnortEventqAdd(). Referenced by Frag3Insert(). |
|
This fragment's size will end after the already calculated reassembled fragment end, as in a Bonk/Boink/etc attack.
Definition at line 570 of file spp_frag3.c. References _Frag3Stats::alerts, _Frag3Stats::anomalies, _Frag3Context::frag3_alerts, FRAG3_ANOM_OVERSIZE_STR, FRAG3_ANOMALY_OVERSIZE, FRAG3_DETECT_ANOMALIES, GENERATOR_SPP_FRAG3, NULL, and SnortEventqAdd(). Referenced by Frag3Insert(). |
|
Generate an event due to a fragment being too short, typically based on a non-last fragment that doesn't properly end on an 8-byte boundary.
Definition at line 545 of file spp_frag3.c. References _Frag3Stats::alerts, _Frag3Stats::anomalies, _Frag3Context::frag3_alerts, FRAG3_DETECT_ANOMALIES, FRAG3_SHORT_FRAG, FRAG3_SHORT_FRAG_STR, GENERATOR_SPP_FRAG3, NULL, and SnortEventqAdd(). Referenced by Frag3Insert(), and Frag3NewTracker(). |
|
The current fragment will be inserted with a size of 0 bytes, that's an anomaly if I've ever seen one.
Definition at line 595 of file spp_frag3.c. References _Frag3Stats::alerts, _Frag3Stats::anomalies, _Frag3Context::frag3_alerts, FRAG3_ANOM_ZERO_STR, FRAG3_ANOMALY_ZERO, FRAG3_DETECT_ANOMALIES, GENERATOR_SPP_FRAG3, NULL, and SnortEventqAdd(). Referenced by Frag3Insert(). |
|
Generate an event due to a Teardrop-style attack detected in a frag packet
Definition at line 521 of file spp_frag3.c. References _Frag3Stats::alerts, _Frag3Context::frag3_alerts, FRAG3_DETECT_ANOMALIES, FRAG3_TEARDROP, FRAG3_TEARDROP_STR, GENERATOR_SPP_FRAG3, NULL, and SnortEventqAdd(). Referenced by Frag3Insert(). |
|
Definition at line 3758 of file spp_frag3.c. References _FragTracker::alert_count, _FragTracker::alert_gid, _FragTracker::alert_sid, _Packet::fragtracker, _SigInfo::generator, _SigInfo::id, MAX_FRAG_ALERTS, _otnx_::otn, and _OptTreeNode::sigInfo. Referenced by fpFinalSelectEvent(). |
|
Definition at line 3800 of file spp_frag3.c. References _FragTracker::alert_gid, _FragTracker::alert_sid, _SigInfo::generator, _SigInfo::id, _otnx_::otn, PKT_REBUILT_FRAG, and _OptTreeNode::sigInfo. Referenced by fpFinalSelectEvent(). |
|
This is the auto-node-release function that gets handed to the sfxhash table at initialization. Handles deletion of sfxhash table data members.
Definition at line 3384 of file spp_frag3.c. References DEBUG_FRAG, DEBUG_WRAP, Frag3DeleteTracker(), _Frag3Stats::fragtrackers_autoreleased, _SFBASE::iCurrentFrags, _SFBASE::iFragAutoFrees, _SFBASE::iFragDeletes, and _SFPERF::sfBase. Referenced by Frag3GlobalInit(). |
|
Check to see if we've got the first or last fragment on a FragTracker and set the appropriate frag_flags
Definition at line 1545 of file spp_frag3.c. References _Packet::actual_ip_len, _FragTracker::calculated_size, _FragTracker::context, DEBUG_FRAG, DEBUG_WRAP, _FragTracker::frag_bytes, FRAG_FIRSTLAST_OK, _FragTracker::frag_flags, FRAG_GOT_FIRST, FRAG_GOT_LAST, FRAG_LAST_DUPLICATE, FRAG_LAST_OFFSET_ADJUST, _Packet::frag_offset, _Frag3Context::frag_policy, FRAG_POLICY_BSD, FRAG_POLICY_BSD_RIGHT, FRAG_POLICY_FIRST, FRAG_POLICY_LAST, FRAG_POLICY_LINUX, FRAG_POLICY_SOLARIS, FRAG_POLICY_WINDOWS, IP_HLEN, _Packet::iph, and _Packet::mf. Referenced by Frag3Insert(), and Frag3NewTracker(). |
|
CleanExit func required by preprocessors. Definition at line 3589 of file spp_frag3.c. References Frag3PrintStats(). Referenced by Frag3Init(). |
|
|
Delete a Frag3Frag struct
Definition at line 3297 of file spp_frag3.c. References DEBUG_FRAG, DEBUG_WRAP, _Frag3Frag::flen, _Frag3Frag::fptr, Frag3PreallocPush(), _Frag3Stats::fragnodes_released, mem_in_use, _Frag3Frag::next, _Frag3Frag::offset, _Frag3Frag::prev, _Frag3Frag::size, and Frag3GlobalConfig::use_prealloc. Referenced by Frag3DeleteTracker(), and Frag3FraglistDeleteNode(). |
|
Delete the contents of a FragTracker, in this instance that just means to dump the fraglist. The sfxhash system deletes the actual FragTracker mem.
Definition at line 3328 of file spp_frag3.c. References DEBUG_FRAG, DEBUG_WRAP, Frag3DeleteFrag(), _FragTracker::fraglist, _FragTracker::fraglist_count, _FragTracker::ip_options_data, _Frag3Frag::next, and NULL. Referenced by Frag3AutoFree(), and Frag3UserFree(). |
|
Time-related expiration of fragments from the system. Checks the current FragTracker for timeout, then walks up the LRU list looking to see if anyone should have timed out.
Definition at line 1455 of file spp_frag3.c. References CheckTimeout(), DEBUG_FRAG, _FragTracker::dip, Frag3RemoveTracker(), FRAG_OK, _FragTracker::frag_time, FRAG_TIMEOUT, FRAG_TRACKER_TIMEOUT, _FragTracker::id, _SFBASE::iFragTimeouts, LogMessage(), _Packet::pkth, pkttime, _SFPERF::sfBase, sfxhash_free_node(), sfxhash_lru(), sfxhash_lru_node(), _FragTracker::sip, _Frag3Stats::timeouts, and pcap_pkthdr::ts. Referenced by Frag3Insert(). |
|
Plug a Frag3Frag into the fraglist of a FragTracker
Definition at line 3687 of file spp_frag3.c. References _FragTracker::fraglist, _FragTracker::fraglist_count, _FragTracker::fraglist_tail, _Frag3Frag::next, and _Frag3Frag::prev. Referenced by AddFragNode(), and DupFragNode(). |
|
Delete a Frag3Frag from a fraglist
Definition at line 3722 of file spp_frag3.c. References DEBUG_FRAG, DEBUG_WRAP, Frag3DeleteFrag(), _FragTracker::fraglist, _FragTracker::fraglist_count, _FragTracker::fraglist_tail, _Frag3Frag::next, and _Frag3Frag::prev. Referenced by Frag3Insert(). |
|
Lookup a FragTracker in the f_cache sfxhash table based on an input key
Definition at line 1656 of file spp_frag3.c. References DEBUG_FRAG, DEBUG_WRAP, _fragkey::dip, _fragkey::id, _IPHdr::ip_dst, _IPHdr::ip_id, _IPHdr::ip_proto, _IPHdr::ip_src, _Packet::iph, NULL, _fragkey::proto, sfxhash_count(), sfxhash_find(), and _fragkey::sip. Referenced by Frag3Defrag(). |
|
Global init function, handles setting up the runtime hash table and memory management mode.
Definition at line 706 of file spp_frag3.c. References DEFAULT_MAX_FRAGS, _Frag3Frag::fptr, Frag3AutoFree(), Frag3InitPkt(), Frag3ParseGlobalArgs(), Frag3PreallocPush(), Frag3PrintGlobalConfig(), Frag3UserFree(), FRAG_MEMCAP, global_init_complete, int(), LogMessage(), Frag3GlobalConfig::max_frags, Frag3GlobalConfig::memcap, NULL, prealloc_nodes_in_use, sfxhash_new(), snaplen, SnortAlloc(), Frag3GlobalConfig::static_frags, and Frag3GlobalConfig::use_prealloc. Referenced by SetupFrag3(). |
|
Handle IP Options in fragmented packets.
Definition at line 1701 of file spp_frag3.c. References _Options::code, _FragTracker::context, _FragTracker::copied_ip_option_count, EventAnomIpOpts(), _Packet::frag_offset, _Packet::ip_option_count, _FragTracker::ip_option_count, _Packet::ip_options, _Packet::ip_options_data, _FragTracker::ip_options_data, _FragTracker::ip_options_len, _Packet::ip_options_len, IP_OPTMAX, memcpy, and SnortAlloc(). Referenced by Frag3Insert(), and Frag3NewTracker(). |
|
Setup a frag3 engine context
Definition at line 802 of file spp_frag3.c. References AddFuncToCleanExitList(), AddFuncToPreprocList(), AddFuncToRestartList(), _Frag3Context::bound_addrs, _PreprocessFuncNode::context, DEBUG_FRAG, DEBUG_WRAP, _Frag3Context::frag3_alerts, FRAG3_MIN_TTL, FRAG3_TTL_LIMIT, Frag3CleanExit(), Frag3Defrag(), Frag3ParseArgs(), Frag3PrintEngineConfig(), Frag3Restart(), _Frag3Context::frag_policy, FRAG_POLICY_BSD, FRAG_PRUNE_QUANTA, _Frag3Context::frag_timeout, global_init_complete, LogMessage(), _Frag3Context::min_ttl, NULL, SnortAlloc(), stats_registered, and _Frag3Context::ttl_limit. Referenced by SetupFrag3(). |
|
Initialize the packet data buffers for the reassembly pseudopacket
Definition at line 3271 of file spp_frag3.c. References DATASIZE, FatalError(), NULL, _Packet::pkt, _Packet::pkth, SnortAlloc(), and SPARC_TWIDDLE. Referenced by Frag3GlobalInit(). |
|
This is where the rubber hits the road. Insert the new fragment's data into the current FragTracker's fraglist, doing anomaly detection and handling overlaps in a target-based manner.
Definition at line 2262 of file spp_frag3.c. References _Packet::actual_ip_len, AddFragNode(), _FragTracker::calculated_size, _Frag3Frag::data, DEBUG_FRAG, DEBUG_WRAP, _Frag3Stats::discards, DupFragNode(), EventAnomBadsizeLg(), EventAnomBadsizeSm(), EventAnomOverlap(), EventAnomOversize(), EventAnomShortFrag(), EventAnomZeroFrag(), EventAttackTeardrop(), _Frag3Context::frag3_alerts, FRAG3_DETECT_ANOMALIES, Frag3CheckFirstLast(), Frag3Expire(), Frag3FraglistDeleteNode(), Frag3HandleIPOptions(), FRAG_BAD, _FragTracker::frag_bytes, _FragTracker::frag_flags, FRAG_GOT_LAST, FRAG_INSERT_ANOMALY, FRAG_INSERT_ATTACK, FRAG_INSERT_FAILED, FRAG_INSERT_OK, FRAG_INSERT_TIMEOUT, FRAG_INSERT_TTL, FRAG_LAST_OFFSET_ADJUST, _Packet::frag_offset, _FragTracker::frag_pkts, _Frag3Context::frag_policy, FRAG_POLICY_BSD, FRAG_POLICY_BSD_RIGHT, FRAG_POLICY_FIRST, FRAG_POLICY_LAST, FRAG_POLICY_LINUX, FRAG_POLICY_SOLARIS, FRAG_POLICY_WINDOWS, FRAG_TRACKER_TIMEOUT, _FragTracker::fraglist, _FragTracker::fraglist_count, _SFBASE::iFragInserts, IP_HLEN, _IPHdr::ip_len, IP_MAXPACKET, _IPHdr::ip_off, _IPHdr::ip_ttl, _Packet::iph, _Packet::mf, _Frag3Frag::next, NULL, _Frag3Frag::offset, _Frag3Stats::overlaps, _Frag3Frag::prev, _SFPERF::sfBase, _Frag3Frag::size, snaplen, _FragTracker::ttl, and _Frag3Context::ttl_limit. Referenced by Frag3Defrag(). |
|
Check to see if a FragTracker has met all of its completion criteria
Definition at line 2989 of file spp_frag3.c. References _FragTracker::calculated_size, DEBUG_FRAG, DEBUG_WRAP, _FragTracker::frag_bytes, _FragTracker::frag_flags, FRAG_GOT_FIRST, FRAG_GOT_LAST, _SFBASE::iFragCompletes, and _SFPERF::sfBase. Referenced by Frag3Defrag(). |
|
Didn't find a FragTracker in the hash table, create a new one and put it into the f_cache
Definition at line 1760 of file spp_frag3.c. References _Packet::actual_ip_len, _FragTracker::alert_count, _FragTracker::alerted, _FragTracker::calculated_size, _FragTracker::context, _FragTracker::copied_ip_option_count, _FragTracker::copied_ip_options_len, _Frag3Frag::data, _sfxhash_node::data, DEBUG_FRAG, DEBUG_WRAP, _fragkey::dip, _FragTracker::dip, EventAnomShortFrag(), _Frag3Frag::flen, _Frag3Frag::fptr, Frag3CheckFirstLast(), Frag3HandleIPOptions(), Frag3PreallocPop(), Frag3Prune(), _FragTracker::frag_bytes, _FragTracker::frag_flags, _Packet::frag_offset, _FragTracker::frag_pkts, _FragTracker::frag_time, _PacketCount::frag_trackers, _FragTracker::fraglist, _FragTracker::fraglist_count, _FragTracker::fraglist_tail, _Frag3Stats::fragnodes_created, _Packet::fragtracker, _Frag3Stats::fragtrackers_created, _SFBASE::iCurrentFrags, _fragkey::id, _FragTracker::id, _SFBASE::iFragCreates, _SFBASE::iMaxFrags, IP_HLEN, _IPHdr::ip_len, _IPHdr::ip_off, _FragTracker::ip_option_count, _FragTracker::ip_options_data, _FragTracker::ip_options_len, _IPHdr::ip_ttl, _Packet::iph, _Frag3Frag::last, LogMessage(), mem_in_use, Frag3GlobalConfig::memcap, memcpy, memset, _Packet::mf, NULL, _Frag3Frag::offset, _Frag3Frag::ord, _FragTracker::ordinal, _sfxhash::overhead_bytes, pc, _Packet::pkth, _fragkey::proto, _FragTracker::protocol, _SFPERF::sfBase, sfxhash_add(), sfxhash_get_node(), SFXHASH_INTABLE, SFXHASH_OK, _fragkey::sip, _FragTracker::sip, _Frag3Frag::size, snaplen, SnortAlloc(), pcap_pkthdr::ts, _FragTracker::ttl, and Frag3GlobalConfig::use_prealloc. Referenced by Frag3Defrag(). |
|
Config parser for engine context config.
Definition at line 1009 of file spp_frag3.c. References _Frag3Context::bound_addrs, FatalError(), file_line, file_name, _Frag3Context::frag3_alerts, FRAG3_DETECT_ANOMALIES, FRAG3_MIN_TTL, FRAG3_TTL_LIMIT, _Frag3Context::frag_policy, FRAG_POLICY_BSD, FRAG_POLICY_BSD_RIGHT, FRAG_POLICY_FIRST, FRAG_POLICY_LAST, FRAG_POLICY_LINUX, FRAG_POLICY_SOLARIS, FRAG_POLICY_WINDOWS, FRAG_PRUNE_QUANTA, _Frag3Context::frag_timeout, index, IpAddrSetParse(), LogMessage(), _Frag3Context::min_ttl, mSplit(), mSplitFree(), NULL, SnortAlloc(), strcasecmp, and _Frag3Context::ttl_limit. Referenced by Frag3Init(). |
|
Config parser for global config.
Definition at line 870 of file spp_frag3.c. References DEFAULT_MAX_FRAGS, file_line, file_name, FRAG_MEMCAP, index, LogMessage(), Frag3GlobalConfig::max_frags, Frag3GlobalConfig::memcap, mSplit(), mSplitFree(), NULL, snaplen, Frag3GlobalConfig::static_frags, strcasecmp, ten_percent, and Frag3GlobalConfig::use_prealloc. Referenced by Frag3GlobalInit(). |
|
Get a node from the prealloc_list
Definition at line 3605 of file spp_frag3.c. References DEBUG_FRAG, DEBUG_WRAP, _Frag3Frag::flen, _Frag3Frag::fptr, _Frag3Frag::last, _Frag3Frag::next, NULL, _Frag3Frag::offset, prealloc_nodes_in_use, _Frag3Frag::prev, and _Frag3Frag::size. Referenced by AddFragNode(), DupFragNode(), and Frag3NewTracker(). |
|
Put a prealloc node back into the prealloc_cache pool
Definition at line 3651 of file spp_frag3.c. References _Frag3Frag::data, DEBUG_FRAG, DEBUG_WRAP, _Frag3Frag::fptr, _Frag3Frag::next, NULL, prealloc_nodes_in_use, and _Frag3Frag::prev. Referenced by Frag3DeleteFrag(), and Frag3GlobalInit(). |
|
Print out a defrag engine runtime context
Definition at line 477 of file spp_frag3.c. References _Frag3Context::bound_addrs, _Frag3Context::frag3_alerts, _Frag3Context::frag_policy, _Frag3Context::frag_timeout, IpAddrSetPrint(), LogMessage(), _Frag3Context::min_ttl, policy_names, and _Frag3Context::ttl_limit. Referenced by Frag3Init(). |
|
Print out the global runtime configuration
Definition at line 457 of file spp_frag3.c. References LogMessage(), Frag3GlobalConfig::max_frags, Frag3GlobalConfig::memcap, Frag3GlobalConfig::static_frags, and Frag3GlobalConfig::use_prealloc. Referenced by Frag3GlobalInit(). |
|
Print out the frag stats from this run
Definition at line 3556 of file spp_frag3.c. References _Frag3Stats::alerts, _Frag3Stats::anomalies, _Frag3Stats::discards, _Frag3Stats::fragnodes_created, _Frag3Stats::fragnodes_released, _Frag3Stats::fragtrackers_autoreleased, _Frag3Stats::fragtrackers_created, _Frag3Stats::fragtrackers_released, LogMessage(), _Frag3Stats::overlaps, _Frag3Stats::prunes, _Frag3Stats::reassembles, _Frag3Stats::timeouts, and _Frag3Stats::total. Referenced by Frag3CleanExit(), and Frag3Restart(). |
|
This function gets called either when we run out of prealloc nodes or when the memcap is exceeded. Its job is to free memory up in frag3 by deleting old/stale data. It is currently implemented using a simple LRU pruning technique, and could probably benefit from having some sort of tail selection randomization added to it. Additionally, right now when we hit the wall we try to drop at least enough memory to satisfy the "ten_percent" value. Hopefully that's not too aggressive, salt to taste!
Definition at line 3435 of file spp_frag3.c. References CheckTimeout(), _FragTracker::context, _sfxhash::count, _sfxhash_node::data, DEBUG_FRAG, DEBUG_WRAP, _FragTracker::dip, Frag3RemoveTracker(), _FragTracker::frag_time, FRAG_TIMEOUT, _FragTracker::fraglist_count, _FragTracker::id, _SFBASE::iFragFaults, _SFBASE::iFragTimeouts, _sfxhash_node::key, LogMessage(), Frag3GlobalConfig::max_frags, mem_in_use, Frag3GlobalConfig::memcap, pkttime, prealloc_nodes_in_use, _Frag3Stats::prunes, _SFPERF::sfBase, sfxhash_gmovetofront(), sfxhash_lru_node(), _FragTracker::sip, Frag3GlobalConfig::static_frags, ten_percent, _Frag3Stats::timeouts, and Frag3GlobalConfig::use_prealloc. Referenced by AddFragNode(), DupFragNode(), Frag3Defrag(), and Frag3NewTracker(). |
|
Reassemble the packet from the data in the FragTracker and reinject into Snort's packet analysis system
Definition at line 3053 of file spp_frag3.c. References _Packet::actual_ip_len, _FragTracker::calculated_size, pcap_pkthdr::caplen, ClearDumpBuf(), _FragTracker::copied_ip_options_len, _Frag3Frag::data, DATASIZE, DEBUG_FRAG, DEBUG_WRAP, _Packet::dp, ETHERNET_HEADER_LEN, _FragTracker::frag_bytes, _Packet::frag_flag, _FragTracker::frag_flags, FRAG_REBUILT, _FragTracker::fraglist, _SFBASE::iFragFlushes, in_chksum_ip(), _IPHdr::ip_csum, _IPHdr::ip_dst, IP_HLEN, _IPHdr::ip_len, IP_MAXPACKET, _IPHdr::ip_off, _FragTracker::ip_options_data, _Packet::ip_options_len, _FragTracker::ip_options_len, _IPHdr::ip_proto, _IPHdr::ip_src, _Packet::iph, pcap_pkthdr::len, _Frag3Frag::next, NULL, _Frag3Frag::offset, _Packet::packet_flags, pc, _Packet::pkt, PKT_REBUILT_FRAG, _Packet::pkth, _Frag3Frag::prev, PrintIPPkt(), ProcessPacket(), _Frag3Stats::reassembles, _PacketCount::rebuilt_frags, SafeMemcpy(), SET_IP_HLEN, _SFPERF::sfBase, _Frag3Frag::size, _Packet::sp, pcap_pkthdr::ts, and UpdateIPReassStats(). Referenced by Frag3Defrag(). |
|
Remove a FragTracker from the f_cache hash table
Definition at line 3362 of file spp_frag3.c. References ErrorMessage(), SFXHASH_OK, and sfxhash_remove(). Referenced by Frag3Defrag(), Frag3Expire(), and Frag3Prune(). |
|
Basic restart function required by preprocessors. Definition at line 3580 of file spp_frag3.c. References Frag3PrintStats(). Referenced by Frag3Init(). |
|
This is the user free function that gets handed to the sfxhash table at initialization. Handles deletion of sfxhash table data members.
Definition at line 3408 of file spp_frag3.c. References DEBUG_FRAG, DEBUG_WRAP, Frag3DeleteTracker(), _Frag3Stats::fragtrackers_released, _SFBASE::iCurrentFrags, _SFBASE::iFragDeletes, and _SFPERF::sfBase. Referenced by Frag3GlobalInit(). |
|
Main setup function to register frag3 with the rest of Snort.
Definition at line 691 of file spp_frag3.c. References DEBUG_FRAG, DEBUG_WRAP, Frag3GlobalInit(), Frag3Init(), and RegisterPreprocessor(). Referenced by InitPreprocessors(). |
|
Definition at line 318 of file spp_frag3.c. |
|
Definition at line 314 of file spp_frag3.c. |
|
Definition at line 304 of file spp_frag3.c. |
|
Definition at line 303 of file spp_frag3.c. |
|
Definition at line 307 of file spp_frag3.c. Referenced by Frag3GlobalInit(), and Frag3Init(). |
|
Definition at line 309 of file spp_frag3.c. Referenced by AddFragNode(), DupFragNode(), Frag3Defrag(), Frag3DeleteFrag(), Frag3NewTracker(), and Frag3Prune(). |
|
Definition at line 352 of file spp_frag3.c. Referenced by Frag3Defrag(), Frag3Expire(), and Frag3Prune(). |
|
Initial value: { "no policy!", "FIRST", "LINUX", "BSD", "BSD_RIGHT", "LAST", "WINDOWS", "SOLARIS"} Definition at line 321 of file spp_frag3.c. Referenced by Frag3PrintEngineConfig(). |
|
Definition at line 305 of file spp_frag3.c. |
|
Definition at line 311 of file spp_frag3.c. Referenced by Frag3Defrag(), Frag3GlobalInit(), Frag3PreallocPop(), Frag3PreallocPush(), and Frag3Prune(). |
|
Definition at line 170 of file snort.c. Referenced by DeleteSession(), FlushStream(), Frag2Alloc(), Frag2Defrag(), Frag2DeleteFrag(), Frag2SelfPreserve(), FragIsComplete(), GetEventPtr(), InsertFrag(), ParsePerfMonitorArgs(), PerfMonitorCleanExit(), ProcessPerfMonitor(), PruneCheck(), PruneFragCache(), ReassembleStream4(), RebuildFrag(), SafeAlloc(), sfGetFlowPtr(), UpdateICMPFlowStatsEx(), UpdateNQEvents(), UpdateQEvents(), UpdateTCPFlowStatsEx(), and UpdateUDPFlowStatsEx(). |
|
Definition at line 156 of file snort.c. Referenced by DecodeEthPkt(), DecodeFDDIPkt(), DecodeIEEE80211Pkt(), DecodeOldPflog(), DecodePflog(), DecodePPPoEPkt(), DecodeTRPkt(), Frag3GlobalInit(), Frag3Insert(), Frag3NewTracker(), Frag3ParseGlobalArgs(), OpenPcap(), and UnifiedInitLogFile(). |
|
Definition at line 315 of file spp_frag3.c. Referenced by Frag3Init(). |
|
Definition at line 312 of file spp_frag3.c. Referenced by Frag3ParseGlobalArgs(), and Frag3Prune(). |