[Snort-devel] Trigger rule type--take 2.0(1)

Steve Halligan agent33 at ...269...
Fri Jan 11 13:49:11 EST 2002


At the risk of beating a dead horse, I never got any response from this.
Did it suck that bad? :)
Somebody shoot me a:
"Looks good"
"Looks good, but we can't do it now because..."
"Why the heck would anybody want this?"
"Don't quit your day job" 

-Steve 



A couple of weeks ago I sent in a diff to rules.c and .h that implemented
a new "trigger" rule type (please see the archive for a full description of
it
http://www.geocrawler.com/lists/3/SourceForge/5344/75/7268679/ )
With the codebase shifting over to the 2.0 structure, lots of other changes
were happening to rules.c (breaking into parser.c, detect.c, etc) so
I submit, for your evaluation, a re-done patch to the new codebase.

-Steve

----------------------begin dif--cut here--------------------------
Index: src/detect.c
===================================================================
RCS file: /cvsroot/snort/snort/src/detect.c,v
retrieving revision 1.1
diff -r1.1 detect.c
27a28
> extern ListHead Trigger;       /* Trigger Block Header */
36a38,39
> extern int trigger_rules_present;
> extern int active_trigger_nodes;
435c438,440
< 
---
>                 case RULE_TRIGGER:
> 		  TriggerAction(p, otn_tmp, &otn_tmp->event_data);
> 		  break;
1348a1354
>     CreateRuleType("trigger", RULE_TRIGGER, 1, &Trigger);
1570c1576,1630
< 
---
> int TriggerAction(Packet * p, OptTreeNode * otn, Event *event)
> {
>    RuleTreeNode *rtn = otn->rtn;
>    
> #ifdef DEBUG
>    printf("   => Checking and Incrementing Trigger rule Count and TTL
(%d/%d %d/%d)...\n", rtn->countup, otn->countup, otn->countdown,
rtn->countdown);
> #endif
>    /* If this is the first time this rule is triggered, record the time.
*/
>    if(otn->countup == 0)
>    {
>      otn->counttime = p->pkth->ts.tv_sec;
>      
>    }
>    /* If not, check to see how much time has passed since the last
trigger.
>       If the value is less than the maxtime defined in the rule, increment
the
>       counter and reset counttime.  If maxtime has passed, reset the
counter
>       to 1 and reset counttime. */
>    if(p->pkth->ts.tv_sec - otn->counttime > otn->maxtime)
>    {
> #ifdef DEBUG
>      printf("Expiring Counter, too much time has passed\n");
> #endif
>  
>        otn->countup = 1;
>        rtn->countup = 1;
>        otn->counttime = p->pkth->ts.tv_sec;
>        /* If the node was active, kill it and decrement active_count_nodes
*/
>        otn->active_flag = 0;
>        active_trigger_nodes--;
>    }
>    else
>    {
>        otn->countup++;
>        rtn->countup++;
>        
>        otn->counttime = p->pkth->ts.tv_sec;
>    }
>  	
>    
>  
>    
>    /* Now check to see if we have reached the rule's threshold count level
*/
>    if(otn->countup >= otn->countdown)
>    {
> #ifdef DEBUG
>      printf("Counter not expired and trigger number exceeded- Log the damn
thing/n");
> #endif
>      /* set the otn to active and increment active_count_node (Were do we
actually use these?) */
>      otn->active_flag = 1;
>      active_trigger_nodes++;
>      /* Log the dang thing */
>      CallLogFuncs(p, otn->message, otn->rtn->listhead, event);
>    }
>    return 1;
> }  
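Review bot: `active_trigger_nodes--` in the expiry branch runs whether or not the node was ever active, so the counter drifts negative; the comment above it says "If the node was active" but nothing tests `otn->active_flag`, and the threshold branch likewise increments on every packet once `countup >= countdown`. Guard both sides: `if(otn->active_flag) { otn->active_flag = 0; active_trigger_nodes--; }` and `if(!otn->active_flag) { otn->active_flag = 1; active_trigger_nodes++; }`. Separately, the second DEBUG string ends in `/n` rather than `\n`, and because `countup` is never reset after logging, `CallLogFuncs` fires on every further packet inside the maxtime window — if one event per threshold is intended, reset `otn->countup` after the log call. Several lines of this hunk (the first printf, the block comments) appear wrapped by the mail client, so the patch as pasted will probably not apply cleanly.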
Index: src/detect.h
===================================================================
RCS file: /cvsroot/snort/snort/src/detect.h,v
retrieving revision 1.1
diff -r1.1 detect.h
36c36
< 
---
> int TriggerAction(Packet *, OptTreeNode *, Event *);
Index: src/parser.c
===================================================================
RCS file: /cvsroot/snort/snort/src/parser.c,v
retrieving revision 1.27
diff -r1.27 parser.c
26a27
> ListHead Trigger;       /* Trigger Block Header */
47a49,51
> int trigger_rules_present;
> int active_trigger_nodes;
> 
223c227,228
<         printf("+++++++++++++++++++++++++++++++++++++++++++++++++++\n\n");
---
>         printf("%d Trigger rules\n", trigger_rules_present);
> 	printf("+++++++++++++++++++++++++++++++++++++++++++++++++++\n\n");
550a556,561
>         case RULE_TRIGGER:
> #ifdef DEBUG
> 	    printf("Trigger rule\n");
> #endif
> 	    break;
> 
701c712,714
< 
---
>         case RULE_TRIGGER:
> 	    ProcessHeadNode(&proto_node, &Trigger, protocol);
> 	    break;
1766a1780,1803
> 	    else if(!strncasecmp(opts[0], "number", 6))
> 	    {
> 	      if(num_opts == 2)
> 		{
> 		  ParseNumber(opts[1]);
> 		  trigger_rules_present++;
> 		}
> 	      else
> 		{
> 		  goto parse_error;
> 		}
> 	    }
> 	    else if(!strncasecmp(opts[0], "maxtime", 7))
> 	      {
> 		if(num_opts == 2)
> 		  {
> 		    ParseMaxtime(opts[1]);
> 		  }
> 		else
> 		  {
> 		    goto parse_error;
> 		  }
> 	      }
> 
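Review bot: `trigger_rules_present++` counts occurrences of the `number` option rather than trigger rules, so a rule that repeats the option is counted twice and one that omits it is not counted at all; nothing here verifies that both `number` and `maxtime` were supplied before the rule is accepted, and a trigger rule without `number` goes into detection with whatever `countdown` happens to hold. `strncasecmp(opts[0], "number", 6)` and `strncasecmp(opts[0], "maxtime", 7)` are prefix tests, so `numberx` is accepted as `number`; `strcasecmp` gives an exact match, consistent with the `strcasecmp(func, "trigger")` test added later in this patch. The enclosing option-parsing chain starts and ends outside the hunk.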
2000a2038,2040
>     if(!strcasecmp(func, "trigger"))
>       return RULE_TRIGGER;
> 
2834a2875,2883
> void ParseNumber(char *num)
> {
>   while(!isdigit((int) *num))
>     num++;
> 
>   otn_tmp->countdown = atoi(num);
>   otn_tmp->countup = 0;
>   otn_tmp->counttime = 0;
> }
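Review bot: `while(!isdigit((int) *num)) num++;` has no terminator check, so an option value containing no digit walks past the end of the string into whatever memory follows; `*num` is also a plain `char`, which may be negative and makes the `isdigit` call undefined, so it should go through `unsigned char`. The same loop and an unchecked `atoi` appear in ParseMaxtime in the next hunk, and neither rejects a negative, zero or out-of-range value — with `countdown` at 0 or below, the `countup >= countdown` test in TriggerAction is true on the first packet, and a `maxtime` of 0 expires the counter on every later second. The caller's error path is not visible in this hunk, so the rewrite below marks where the rejection belongs rather than naming it.
```c
void ParseNumber(char *num)
{
  char *end;
  long val;

  /* skip leading non-digits, but stop at the terminator */
  while(*num != '\0' && !isdigit((unsigned char) *num))
    num++;

  errno = 0;
  val = strtol(num, &end, 10);
  if(end == num || errno == ERANGE || val <= 0 || val > INT_MAX)
  {
    /* TODO: route to the rule-parse error path used by the caller */
  }

  otn_tmp->countdown = (int) val;
  otn_tmp->countup = 0;
  otn_tmp->counttime = 0;
}
```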
2835a2885,2891
> void ParseMaxtime(char *num)
> {
>   while(!isdigit((int) *num))
>     num++;
> 
>   otn_tmp->maxtime = atoi(num);
> }
4110c4166,4167
<            (type != RULE_ACTIVATE) && (type != RULE_DYNAMIC))
---
>            (type != RULE_ACTIVATE) && (type != RULE_DYNAMIC) && 
> 	   (type != RULE_TRIGGER))
Index: src/parser.h
===================================================================
RCS file: /cvsroot/snort/snort/src/parser.h,v
retrieving revision 1.6
diff -r1.6 parser.h
54a55,56
> void ParseNumber(char *);
> void ParseMaxtime(char *);
Index: src/rules.h
===================================================================
RCS file: /cvsroot/snort/snort/src/rules.h,v
retrieving revision 1.25
diff -r1.25 rules.h
50c50,51
< #define RULE_UNKNOWN     11
---
> #define RULE_TRIGGER     11
> #define RULE_UNKNOWN     12
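Review bot: Inserting `RULE_TRIGGER` as 11 and moving `RULE_UNKNOWN` to 12 changes a value that other code may compare against or use as an array bound; anything that sizes a table by the old count or stores rule types numerically would need checking, which is outside this hunk. If nothing depends on `RULE_UNKNOWN` being last, appending `RULE_TRIGGER` after it avoids the renumbering entirely.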
188a190,193
>   /*other stuff for trigger rules ... */
>   int countup;
>     time_t maxtime;
>     time_t counttime;
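Review bot: TriggerAction and ParseNumber also read `otn->countdown` and `otn->active_flag`, which this hunk does not add; presumably they already exist on OptTreeNode for the activate/dynamic mechanism, in which case a trigger rule now shares that state, and a comment at these fields should say so. The three added fields are indented inconsistently (two spaces, then four) and the placeholder comment `/*other stuff for trigger rules ... */` says nothing about them; something like `int countup;        /* matches seen in the current maxtime window */`, `time_t maxtime;     /* window length in seconds, from the maxtime option */`, `time_t counttime;   /* tv_sec of the most recent match */` would document the contract TriggerAction relies on.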
244a250
>   int countup;




