[Snort-devel] Trigger rule type--take 2.0(1)

Martin Roesch roesch at ...402...
Fri Jan 11 14:15:02 EST 2002


Actually, I like it; I've just been too massively busy for the past few weeks
to incorporate it and analyze it properly.  I'd actually like to think about
implementing it in the 1.8.x codebase, but it may take me a bit to get
there.  Patience is a virtue, there's some good news coming up in
snort-land...

     -Marty

On 1/11/02 4:48 PM, "Steve Halligan" <agent33 at ...269...> wrote:

> At the risk of beating a dead horse, I never got any response from this.
> Did it suck that bad? :)
> Somebody shoot me a:
> "Looks good"
> "Looks good, but we can't do it now because..."
> "Why the heck would anybody want this?"
> "Don't quit your day job"
> 
> -Steve 
> 
> 
> 
> A couple of weeks ago I sent in a diff to rules.c and .h that implemented
> a new "trigger" rule type (please see the archive for a full description of
> it
> http://www.geocrawler.com/lists/3/SourceForge/5344/75/7268679/ )
> With the codebase shifting over to the 2.0 structure, lots of other changes
> were happening to rules.c (breaking into parser.c, detect.c, etc) so
> I submit, for your evaluation, a re-done patch to the new codebase.
> 
> -Steve
> 
> ----------------------begin dif--cut here--------------------------
> Index: src/detect.c
> ===================================================================
> RCS file: /cvsroot/snort/snort/src/detect.c,v
> retrieving revision 1.1
> diff -r1.1 detect.c
> 27a28
>> extern ListHead Trigger;       /* Trigger Block Header */
> 36a38,39
>> extern int trigger_rules_present;
>> extern int active_trigger_nodes;
> 435c438,440
> < 
> ---
>>                 case RULE_TRIGGER:
>>  TriggerAction(p, otn_tmp, &otn_tmp->event_data);
>>  break;
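Review bot: The new `case RULE_TRIGGER:` arm discards `TriggerAction`'s return value, and the function defined in the `1570c1576,1630` hunk always returns 1, so the `int` return carries no information; either make it `void` or have the arm act on a real result. The switch's enclosing function starts and ends outside this hunk. The `TriggerAction(...)` and `break;` lines also sit at column 1 instead of under `case`, as do the bodies in the parser.c hunks at `550a556` and `1766a1780` — if that is not mail wrapping rather than the patch itself, reindent them to match the existing arms.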
> 1348a1354
>>     CreateRuleType("trigger", RULE_TRIGGER, 1, &Trigger);
> 1570c1576,1630
> < 
> ---
>> int TriggerAction(Packet * p, OptTreeNode * otn, Event *event)
>> {
>>    RuleTreeNode *rtn = otn->rtn;
>>    
>> #ifdef DEBUG
>>    printf("   => Checking and Incrementing Trigger rule Count and TTL
> (%d/%d %d/%d)...\n", rtn->countup, otn->countup, otn->countdown,
> rtn->countdown);
>> #endif
>>    /* If this is the first time this rule is triggered, record the time.
> */
>>    if(otn->countup == 0)
>>    {
>>      otn->counttime = p->pkth->ts.tv_sec;
>>      
>>    }
>>    /* If not, check to see how much time has passed since the last
> trigger.
>>       If the value is less than the maxtime defined in the rule, increment
> the
>>       counter and reset counttime.  If maxtime has passed, reset the
> counter
>>       to 1 and reset counttime. */
>>    if(p->pkth->ts.tv_sec - otn->counttime > otn->maxtime)
>>    {
>> #ifdef DEBUG
>>      printf("Expiring Counter, too much time has passed\n");
>> #endif
>>  
>>        otn->countup = 1;
>>        rtn->countup = 1;
>>        otn->counttime = p->pkth->ts.tv_sec;
>>        /* If the node was active, kill it and decrement active_count_nodes
> */
>>        otn->active_flag = 0;
>>        active_trigger_nodes--;
>>    }
>>    else
>>    {
>>        otn->countup++;
>>        rtn->countup++;
>>        
>>        otn->counttime = p->pkth->ts.tv_sec;
>>    }
>> 
>>    
>>  
>>    
>>    /* Now check to see if we have reached the rule's threshold count level
> */
>>    if(otn->countup >= otn->countdown)
>>    {
>> #ifdef DEBUG
>>      printf("Counter not expired and trigger number exceeded- Log the damn
> thing/n");
>> #endif
>>      /* set the otn to active and increment active_count_node (Were do we
> actually use these?) */
>>      otn->active_flag = 1;
>>      active_trigger_nodes++;
>>      /* Log the dang thing */
>>      CallLogFuncs(p, otn->message, otn->rtn->listhead, event);
>>    }
>>    return 1;
>> }  
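Review bot: `active_trigger_nodes` is decremented on every expiry and incremented on every packet at or above the threshold regardless of `otn->active_flag`, so the counter drifts (negative after an expiry of a node that was never active, inflated while a node stays active); the expiry comment says "If the node was active" but nothing tests it. Guard both updates: `if(otn->active_flag) { otn->active_flag = 0; active_trigger_nodes--; }` on expiry and `if(!otn->active_flag) { otn->active_flag = 1; active_trigger_nodes++; }` at the threshold. `rtn->countup` is written here but never read, and because one RTN is shared by every OTN under the same header, one OTN's expiry resets it for all of them — drop it or document why it exists. The window test compares against `otn->maxtime`, which is only set when the rule carries a `maxtime` option, so the header comment should state what window a rule without that option gets (presumably whatever the node was allocated with). The DEBUG string on the threshold branch ends in `/n` rather than `\n`.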
> Index: src/detect.h
> ===================================================================
> RCS file: /cvsroot/snort/snort/src/detect.h,v
> retrieving revision 1.1
> diff -r1.1 detect.h
> 36c36
> < 
> ---
>> int TriggerAction(Packet *, OptTreeNode *, Event *);
> Index: src/parser.c
> ===================================================================
> RCS file: /cvsroot/snort/snort/src/parser.c,v
> retrieving revision 1.27
> diff -r1.27 parser.c
> 26a27
>> ListHead Trigger;       /* Trigger Block Header */
> 47a49,51
>> int trigger_rules_present;
>> int active_trigger_nodes;
>> 
> 223c227,228
> <         printf("+++++++++++++++++++++++++++++++++++++++++++++++++++\n\n");
> ---
>>         printf("%d Trigger rules\n", trigger_rules_present);
>> printf("+++++++++++++++++++++++++++++++++++++++++++++++++++\n\n");
> 550a556,561
>>         case RULE_TRIGGER:
>> #ifdef DEBUG
>>    printf("Trigger rule\n");
>> #endif
>>    break;
>> 
> 701c712,714
> < 
> ---
>>         case RULE_TRIGGER:
>>    ProcessHeadNode(&proto_node, &Trigger, protocol);
>>    break;
> 1766a1780,1803
>>    else if(!strncasecmp(opts[0], "number", 6))
>>    {
>>      if(num_opts == 2)
>> {
>>  ParseNumber(opts[1]);
>>  trigger_rules_present++;
>> }
>>      else
>> {
>>  goto parse_error;
>> }
>>    }
>>    else if(!strncasecmp(opts[0], "maxtime", 7))
>>      {
>> if(num_opts == 2)
>>  {
>>    ParseMaxtime(opts[1]);
>>  }
>> else
>>  {
>>    goto parse_error;
>>  }
>>      }
>> 
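Review bot: The `number` and `maxtime` branches never check that the rule being parsed is a trigger rule, so both options are silently accepted on rule types where `TriggerAction` never runs, and `trigger_rules_present` — incremented on `number`, not on the `trigger` rule type — then overcounts in the summary printed by the `223c227,228` hunk. Presumably the enclosing option parser has the rule type in scope; gate both branches on `RULE_TRIGGER`, or count in the `case RULE_TRIGGER:` arm at `550a556` instead. Conversely a trigger rule that omits `number` leaves `countdown` unset, and `TriggerAction`'s `countup >= countdown` test then fires on the first packet; a check after option parsing that every trigger rule has a positive count closes that gap. `strncasecmp(opts[0], "number", 6)` is a prefix match (`numberx` passes) — `strcasecmp` is tighter unless the surrounding options deliberately prefix-match. The enclosing function starts and ends outside this hunk.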
> 2000a2038,2040
>>     if(!strcasecmp(func, "trigger"))
>>       return RULE_TRIGGER;
>> 
> 2834a2875,2883
>> void ParseNumber(char *num)
>> {
>>   while(!isdigit((int) *num))
>>     num++;
>> 
>>   otn_tmp->countdown = atoi(num);
>>   otn_tmp->countup = 0;
>>   otn_tmp->counttime = 0;
>> }
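Review bot: `while(!isdigit((int) *num)) num++;` has no end-of-string check, so an argument with no digit (`number:abc;`) walks past the terminator and `atoi` then reads beyond the rule buffer; `(int) *num` also hands a negative value to `isdigit` where `char` is signed. `atoi` reports no errors and the loop skips a leading `-`, so `number:-3` silently becomes 3 and `number:0` makes `TriggerAction` log on every packet. Stop at the terminator, cast through `unsigned char`, parse with `strtol` and reject anything that is not a positive count; `ParseMaxtime` in the next hunk has the same loop and should take the same fix with a non-negative window. The error path follows the caller's convention (the caller uses a `parse_error` label), so it is left as a placeholder below; `strtol` range checking needs `<errno.h>` and `<limits.h>`.
```c
void ParseNumber(char *num)
{
    char *end = NULL;
    long val;

    /* skip to the first digit, but never past the terminator */
    while(*num != '\0' && !isdigit((unsigned char) *num))
        num++;

    errno = 0;
    val = strtol(num, &end, 10);
    if(end == num || val <= 0 || val > INT_MAX || errno == ERANGE)
    {
        /* PLACEHOLDER: report a bad "number" option the way the caller does */
        return;
    }

    otn_tmp->countdown = (int) val;
    otn_tmp->countup = 0;
    otn_tmp->counttime = 0;
}
```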
> 2835a2885,2891
>> void ParseMaxtime(char *num)
>> {
>>   while(!isdigit((int) *num))
>>     num++;
>> 
>>   otn_tmp->maxtime = atoi(num);
>> }
> 4110c4166,4167
> <            (type != RULE_ACTIVATE) && (type != RULE_DYNAMIC))
> ---
>>            (type != RULE_ACTIVATE) && (type != RULE_DYNAMIC) &&
>>   (type != RULE_TRIGGER))
> Index: src/parser.h
> ===================================================================
> RCS file: /cvsroot/snort/snort/src/parser.h,v
> retrieving revision 1.6
> diff -r1.6 parser.h
> 54a55,56
>> void ParseNumber(char *);
>> void ParseMaxtime(char *);
> Index: src/rules.h
> ===================================================================
> RCS file: /cvsroot/snort/snort/src/rules.h,v
> retrieving revision 1.25
> diff -r1.25 rules.h
> 50c50,51
> < #define RULE_UNKNOWN     11
> ---
>> #define RULE_TRIGGER     11
>> #define RULE_UNKNOWN     12
> 188a190,193
>>   /*other stuff for trigger rules ... */
>>   int countup;
>>     time_t maxtime;
>>     time_t counttime;
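Review bot: The three new OptTreeNode members are indented inconsistently (`int countup;` at two spaces, the `time_t` pair at four), and `countdown`, which both `TriggerAction` and `ParseNumber` write, is not added here, so it presumably reuses a member that already exists for another rule type; a comment naming that shared use would stop a later change to that field from silently altering trigger semantics. Suggested comment in place of `/*other stuff for trigger rules ... */`: `/* trigger rules: countdown (existing field, shared) is the threshold, countup the hits in the current window, counttime the last hit, maxtime the window in seconds */`. The struct itself starts and ends outside this hunk.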
> 244a250
>>   int countup;
> 
> 

-- 
Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org




