root/pehunter/spp_pehunter.c

1 /*
2  * spp_pehunter.c
3  *
4  * This program is free software; you can redistribute it and/or modify
5  * it under the terms of the GNU General Public License as published by
6  * the Free Software Foundation; either version 2 of the License, or
7  * (at your option) any later version.
8  *
9  * This program is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12  * GNU General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, write to the Free Software
16  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
17  *
18  * Copyright (C) 2007 Tillmann Werner
19  *
 * Description: Snort dynamic-preprocessor glue for pehunter.  Registers the
 *              "pehunter" configuration keyword, parses its dump_dir/debug
 *              options and hands every packet that carries a payload and is
 *              not still queued for stream reassembly to Hunt() (pehunter.h).
 *
22  */
23
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #endif  /* HAVE_CONFIG_H */
27
#include <stdlib.h>
#include <string.h>
#include <errno.h>
30
31 #include "sf_snort_packet.h"
32 #include "sf_dynamic_preprocessor.h"
33 #include "sf_snort_plugin_api.h"
34 #include "preprocids.h"
35
36 #include "spp_pehunter.h"
37 #include "pehunter.h"
38
39 #include "profiler.h"
#ifdef PERF_PROFILING
/* Profiling counters for this preprocessor.  pehuntPerfStats is registered
 * with Snort's profiler in PEHunterInit() and bracketed around Hunt() in
 * HuntPE().  pehuntDetectPerfStats/pehuntDetectCalled are only consumed here
 * (HuntPE subtracts the detect ticks from the preprocessor total and clears
 * both); whatever sets them lives outside this file -- presumably the
 * pehunter core, verify before relying on it. */
PreprocStats pehuntPerfStats;
PreprocStats pehuntDetectPerfStats;
int pehuntDetectCalled = 0;
#endif
45
/* Token separators used by strtok() when splitting the argument text of the
 * "preprocessor pehunter" line (see PEHunter_ParseArgs). */
#define CONF_SEPARATORS             " \t\n\r"


/* Snort's dynamic-preprocessor API table (logging, fatal exit, registration
 * hooks, stream API).  Defined by the plugin framework, not in this file. */
extern DynamicPreprocessorData _dpd;
50
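/* Forward declarations for the file-local plugin callbacks.  Parameter names
 * are kept so the prototypes document the call contract. */
static void PEHunterInit(u_char *args);
void PEHunter_ParseArgs(u_char *args);
static void PrintPEHunterConfig(void);
static void FreePEHunterConfig(void);
/* Per-packet callback handed to _dpd.addPreproc(); declared once (the
 * original carried a second, identical prototype). */
static void HuntPE(void *pkt, void *context);
static void PEHunterCleanExitFunction(int signal, void *data);
static void PEHunterRestartFunction(int signal, void *data);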
59
60
/*
 * Function: SetupPEHunter()
 *
 * Purpose: Plugin entry point invoked by Snort's preprocessor loader
 *          (InitPreprocessors() in plugbase.c).  It only binds the
 *          configuration keyword "pehunter" to PEHunterInit(), which Snort
 *          then calls with the argument text of each matching
 *          "preprocessor pehunter ..." line.
 *
 * Arguments: None.
 *
 * Returns: void function
 *
 */
void SetupPEHunter()
{
    char keyword[] = "pehunter";

    /* register keyword -> init callback in Snort's preprocessor list */
    _dpd.registerPreproc(keyword, PEHunterInit);
}
79
80
/*
 * Function: PEHunterInit(u_char *)
 *
 * Purpose: Configuration callback for the "pehunter" keyword.  Refuses to
 *          run without the Stream preprocessor, parses the option string,
 *          and -- on the first configuration line only -- hooks HuntPE()
 *          plus the exit/restart handlers (and the profiler entry when
 *          PERF_PROFILING is built in) into Snort.  Later configuration
 *          lines only re-run the argument parser.
 *
 * Arguments: args => ptr to argument string (text after the keyword),
 *                    handed straight to PEHunter_ParseArgs()
 *
 * Returns: void function
 *
 */
static void PEHunterInit(u_char *args)
{
    /* one-shot guard: Snort callbacks must not be registered twice */
    static int registered = 0;

    /* the preprocessor relies on Stream (see the version check in
     * PEHunter_ParseArgs as well), so bail out hard without it */
    if (_dpd.streamAPI == NULL)
    {
        _dpd.fatalMsg("PEHunterInit(): The Stream preprocessor must be enabled.\n");
    }

    /* Parse the argument list from the rules file */
    PEHunter_ParseArgs(args);

    if (registered)
    {
        return;
    }
    registered = 1;

    /* Put the preprocessor function into the function list */
    _dpd.addPreproc(HuntPE, PRIORITY_APPLICATION, PP_PEHUNTER);
    _dpd.addPreprocExit(PEHunterCleanExitFunction, NULL, PRIORITY_LAST, PP_PEHUNTER);
    _dpd.addPreprocRestart(PEHunterRestartFunction, NULL, PRIORITY_LAST, PP_PEHUNTER);

#ifdef PERF_PROFILING
    /* expose pehuntPerfStats under the "pehunter" name in Snort's profile output */
    _dpd.addPreprocProfileFunc("pehunter", (void*)&pehuntPerfStats, 0, _dpd.totalPerfStats);
#endif
}
123
124
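/*
 * Function: PEHunter_ParseArgs(u_char *)
 *
 * Purpose: Process the preprocessor arguments from the rules file and
 *          initialize _pehunterConfig.  Recognised options:
 *
 *            dump_dir <path>   directory stored in _pehunterConfig.dumpDir
 *                              (presumably where Hunt() writes dumped PE
 *                              files -- that code is not in this file);
 *                              required
 *            debug             enable per-packet log output in HuntPE()
 *
 *          Any unknown token, a "dump_dir" without a value, and a
 *          configuration that ends without a dump directory are all fatal
 *          configuration errors.  The original version returned silently
 *          in the latter two cases, leaving dumpDir NULL for Hunt().
 *
 *          Since the directory is taken verbatim from the config file and
 *          Snort commonly runs with elevated privileges, operators should
 *          point it at a dedicated, non-world-writable directory.
 *
 * Arguments: args => argument list; modified in place by strtok().  May be
 *                    NULL (which then fails the dump_dir requirement).
 *
 * Returns: void function.  All errors go through _dpd.fatalMsg().
 *
 * Note: strtok() is acceptable here only because parsing happens once at
 *       startup on a single thread.
 *
 */
void PEHunter_ParseArgs(u_char *args)
{
        char *arg;
        char *value;

        /* Drop a dump_dir left from an earlier parse (repeated
         * "preprocessor pehunter" line) instead of leaking it.  The config
         * has static storage, so the pointer is NULL on the first call and
         * free(NULL) is a no-op. */
        free(_pehunterConfig.dumpDir);
        memset(&_pehunterConfig, 0, sizeof _pehunterConfig);

        if ((!_dpd.streamAPI) || (_dpd.streamAPI->version < STREAM_API_VERSION4))
                _dpd.fatalMsg("%s(): Streaming & reassembly must be enabled\n", __PRETTY_FUNCTION__);

        /* loop through args; a NULL argument string simply leaves every
         * option unset, which the dump_dir check below rejects */
        arg = (args == NULL) ? NULL : strtok((char *)args, CONF_SEPARATORS);
        while (arg != NULL)
        {
                if ( !strcasecmp("dump_dir", arg) ) {
                        value = strtok(NULL, CONF_SEPARATORS);
                        if ( value == NULL ) {
                                _dpd.fatalMsg("%s(%d) => dump_dir requires a directory argument\n",
                                        *(_dpd.config_file), *(_dpd.config_line));
                                /* fatalMsg is not expected to return; guard strdup(NULL) anyway */
                                return;
                        }
                        /* a repeated dump_dir replaces the earlier one; don't leak it */
                        free(_pehunterConfig.dumpDir);
                        if ((_pehunterConfig.dumpDir = strdup(value)) == NULL) {
                                _dpd.fatalMsg("%s(): Unable to allocate memory: %s\n", __PRETTY_FUNCTION__, strerror(errno));
                        }
                } else if ( !strcasecmp("debug", arg) ) {
                        _pehunterConfig.debug = 1;
                } else {
                        _dpd.fatalMsg("%s(%d) => Unknown PEHunter configuration option %s\n",
                                *(_dpd.config_file), *(_dpd.config_line), arg);
                }
                /*  Get next token */
                arg = strtok(NULL, CONF_SEPARATORS);
        }

        /* Validate before printing so the config dump never formats a NULL
         * string with %s. */
        if (_pehunterConfig.dumpDir == NULL)
        {
                _dpd.fatalMsg("%s(): No dump directory given. Check your config file.\n", __PRETTY_FUNCTION__);
        }

        PrintPEHunterConfig();
}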
180
181
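/*
 * Function: PrintPEHunterConfig(void)
 *
 * Purpose: Logs the parsed configuration (dump directory, debug flag)
 *          through _dpd.logMsg().  A missing dump directory is printed as
 *          "(none)" rather than passing a NULL pointer to %s, which is
 *          undefined behaviour.
 *
 * Arguments: none
 *
 * Returns: void
 *
 */
static void PrintPEHunterConfig(void)
{
        const char *dir = _pehunterConfig.dumpDir ? _pehunterConfig.dumpDir : "(none)";

        /* print configuration */
        _dpd.logMsg("PEHunter config:\n");
        _dpd.logMsg("    Dump Directory:\t %s\n", dir);
        _dpd.logMsg("    Debug:\t\t %s\n", _pehunterConfig.debug ? "yes" : "no");
        _dpd.logMsg("\n");
}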
202
203
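/*
 * Function: FreePEHunterConfig(void)
 *
 * Purpose: Frees the heap-allocated config options (currently only
 *          dumpDir, allocated with strdup() in PEHunter_ParseArgs) and
 *          resets the pointer so a second call -- or a later reconfigure --
 *          cannot double-free or use the stale pointer.
 *
 * Arguments: none
 *
 * Returns: void
 *
 */
static void FreePEHunterConfig(void)
{
        free(_pehunterConfig.dumpDir);
        _pehunterConfig.dumpDir = NULL;
}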
219
220
/*
 * Function: HuntPE(void *, void *)
 *
 * Purpose: Per-packet callback registered with Snort.  Skips packets
 *          without a payload and segments that Stream is still buffering
 *          (FLAG_STREAM_INSERT), then hands the packet to Hunt() from the
 *          pehunter core, wrapped in the preprocessor's profiling
 *          bracket.  Keep this path cheap: it runs for every packet.
 *
 * Arguments: initial_pkt => the current packet (an SFSnortPacket)
 *            context     => registration context, unused
 *
 * Returns: void function
 *
 */
static void HuntPE(void *initial_pkt, void *context)
{
    SFSnortPacket *p = (SFSnortPacket *)initial_pkt;
    PROFILE_VARS;

    (void)context;

    /* nothing to inspect: no packet or no application payload */
    if (p == NULL || p->payload == NULL || p->payload_size == 0)
    {
        return;
    }

    /* segment is being queued for reassembly; the rebuilt stream comes later */
    if (p->flags & FLAG_STREAM_INSERT)
    {
        return;
    }

    PREPROC_PROFILE_START(pehuntPerfStats);

    if (_pehunterConfig.debug)
    {
        _dpd.logMsg("PEHunter: Processing packet with %u bytes.\n", p->payload_size);
    }

    Hunt(p);

    PREPROC_PROFILE_END(pehuntPerfStats);
#ifdef PERF_PROFILING
    /* ticks recorded in the detect bucket while Hunt() ran (presumably by
     * the pehunter core; not set in this file) are taken back out of this
     * preprocessor's total so they are not counted twice */
    if (pehuntDetectCalled)
    {
        pehuntPerfStats.ticks -= pehuntDetectPerfStats.ticks;
        pehuntDetectPerfStats.ticks = 0;
        pehuntDetectCalled = 0;
    }
#endif

    /* alerts, if ever needed here, go through the helpers in event_wrapper.h */
}
271
272
/*
 * Function: PEHunterCleanExitFunction(int, void *)
 *
 * Purpose: Exit hook registered via _dpd.addPreprocExit().  Releases the
 *          configuration's heap memory; nothing else is held open by this
 *          file.
 *
 * Arguments: signal => the code of the signal that was issued to Snort
 *            data => registration data (always NULL here, see PEHunterInit)
 *
 * Returns: void function
 */
static void PEHunterCleanExitFunction(int signal, void *data)
{
    (void)signal;
    (void)data;

    FreePEHunterConfig();
//    PEHunter_Free();
}
292
293
/*
 * Function: PEHunterRestartFunction(int, void *)
 *
 * Purpose: Restart hook registered via _dpd.addPreprocRestart(), invoked
 *          when Snort restarts on SIGHUP.  Currently a no-op: the config
 *          is re-parsed by PEHunterInit() on reload, so nothing is done
 *          here.
 *
 * Arguments: signal => the code of the signal that was issued to Snort
 *            foo => registration data (always NULL here, see PEHunterInit)
 *
 * Returns: void function
 */
static void PEHunterRestartFunction(int signal, void *foo)
{
    (void)signal;
    (void)foo;
    /* intentionally empty */
}