
snort.h File Reference

#include <sys/types.h>
#include <pcap.h>
#include <stdio.h>
#include "decode.h"
#include "perf.h"


Defines

#define SNORT_20
#define PRINT_INTERFACE(i)   i
#define BUILD   "28"
#define STD_BUF   1024
#define RF_ANY_SIP   0x01
#define RF_ANY_DIP   0x02
#define RF_ANY_SP   0x04
#define RF_ANY_DP   0x10
#define RF_ANY_FLAGS   0x20
#define MAX_PIDFILE_SUFFIX   11
#define DEFAULT_LOG_DIR   "/var/log/snort"
#define DEFAULT_DAEMON_ALERT_FILE   "alert"
#define SNIFFUSER   0
#define FILEACCESSBITS   0x1FF
#define TIMEBUF_SIZE   26
#define ASSURE_ALL   0
#define ASSURE_EST   1
#define DO_IP_CHECKSUMS   0x00000001
#define DO_TCP_CHECKSUMS   0x00000002
#define DO_UDP_CHECKSUMS   0x00000004
#define DO_ICMP_CHECKSUMS   0x00000008
#define LOG_UNIFIED   0x00000001
#define LOG_TCPDUMP   0x00000002
#define SIGNAL_SNORT_ROTATE_STATS   28
#define MODE_PACKET_DUMP   1
#define MODE_PACKET_LOG   2
#define MODE_IDS   3
#define MODE_TEST   4
#define LOG_ASCII   1
#define LOG_PCAP   2
#define LOG_NONE   3
#define ALERT_FULL   1
#define ALERT_FAST   2
#define ALERT_NONE   3
#define ALERT_UNSOCK   4
#define ALERT_STDOUT   5
#define ALERT_CMG   6
#define ALERT_SYSLOG   8
#define MAX_IFS   1

Typedefs

typedef struct _Configuration Configuration
typedef struct _Capabilities Capabilities
typedef struct _runtime_config runtime_config
typedef struct _progvars PV
typedef struct _PacketCount PacketCount
typedef void(* grinder_t )(Packet *, struct pcap_pkthdr *, u_char *)

Functions

int SnortMain (int argc, char *argv[])
int ParseCmdLine (int, char **)
void * InterfaceThread (void *)
int OpenPcap ()
void DefineIfaceVar (char *, u_char *, u_char *)
int SetPktProcessor ()
void CleanExit (int)
void PcapProcessPacket (char *, struct pcap_pkthdr *, u_char *)
void ProcessPacket (char *, struct pcap_pkthdr *, u_char *, void *)
int ShowUsage (char *)
void SigCantHupHandler (int signal)

Variables

SFPERF sfPerf
char _PATH_VARRUN [STD_BUF]
u_int8_t runMode
PV pv
int datalink
char * progname
char ** progargs
char * username
char * groupname
unsigned long userid
unsigned long groupid
struct passwd * pw
struct group * gr
char * pcap_cmd
char * pktidx
pcap_t * pd
FILE * alert
FILE * binlog_ptr
int flow
int thiszone
PacketCount pc
u_long netmasks [33]
struct pcap_pkthdr * g_pkthdr
u_char * g_pkt
u_long g_caplen
char * protocol_names [256]
u_int snaplen
grinder_t grinder
runtime_config snort_runtime


Define Documentation

#define ALERT_CMG   6
 

Definition at line 149 of file snort.h.

Referenced by ParseCmdLine(), and ProcessAlertCommandLine().

#define ALERT_FAST   2
 

Definition at line 145 of file snort.h.

Referenced by ParseCmdLine(), and ProcessAlertCommandLine().

#define ALERT_FULL   1
 

Definition at line 144 of file snort.h.

Referenced by ParseCmdLine(), ProcessAlertCommandLine(), and SnortMain().

#define ALERT_NONE   3
 

Definition at line 146 of file snort.h.

Referenced by ParseCmdLine(), and ProcessAlertCommandLine().

#define ALERT_STDOUT   5
 

Definition at line 148 of file snort.h.

Referenced by ParseCmdLine(), and ProcessAlertCommandLine().

#define ALERT_SYSLOG   8
 

Definition at line 150 of file snort.h.

Referenced by ParseCmdLine(), and ProcessAlertCommandLine().

#define ALERT_UNSOCK   4
 

Definition at line 147 of file snort.h.

Referenced by ParseCmdLine(), and ProcessAlertCommandLine().

#define ASSURE_ALL   0
 

Definition at line 100 of file snort.h.

Referenced by ReassembleStream4(), and SnortMain().

#define ASSURE_EST   1
 

Definition at line 101 of file snort.h.

Referenced by fpLogEvent(), ParseCmdLine(), and ParseConfig().

#define BUILD   "28"
 

Definition at line 55 of file snort.h.

Referenced by DisplayBanner().

#define DEFAULT_DAEMON_ALERT_FILE   "alert"
 

Definition at line 73 of file snort.h.

Referenced by OpenAlertFile().

#define DEFAULT_LOG_DIR   "/var/log/snort"
 

Definition at line 72 of file snort.h.

Referenced by SnortMain().

#define DO_ICMP_CHECKSUMS   0x00000008
 

Definition at line 106 of file snort.h.

Referenced by DecodeICMP(), ParseCmdLine(), ParseConfig(), and SnortMain().

#define DO_IP_CHECKSUMS   0x00000001
 

Definition at line 103 of file snort.h.

Referenced by DecodeIP(), ParseCmdLine(), ParseConfig(), and SnortMain().

#define DO_TCP_CHECKSUMS   0x00000002
 

Definition at line 104 of file snort.h.

Referenced by DecodeTCP(), ParseCmdLine(), ParseConfig(), and SnortMain().

#define DO_UDP_CHECKSUMS   0x00000004
 

Definition at line 105 of file snort.h.

Referenced by DecodeUDP(), ParseCmdLine(), ParseConfig(), and SnortMain().

#define FILEACCESSBITS   0x1FF
 

Definition at line 93 of file snort.h.

Referenced by ParseCmdLine(), and ParseConfig().

#define LOG_ASCII   1
 

Definition at line 140 of file snort.h.

Referenced by ParseCmdLine(), and ProcessLogCommandLine().

#define LOG_NONE   3
 

Definition at line 142 of file snort.h.

Referenced by ParseCmdLine(), ParseConfig(), and ProcessLogCommandLine().

#define LOG_PCAP   2
 

Definition at line 141 of file snort.h.

Referenced by ParseCmdLine(), ProcessLogCommandLine(), and SnortMain().

#define LOG_TCPDUMP   0x00000002
 

Definition at line 109 of file snort.h.

Referenced by LogStream(), and LogTcpdumpInit().

#define LOG_UNIFIED   0x00000001
 

Definition at line 108 of file snort.h.

Referenced by UnifiedLogInit().

#define MAX_IFS   1
 

Definition at line 152 of file snort.h.

#define MAX_PIDFILE_SUFFIX   11
 

Definition at line 65 of file snort.h.

Referenced by ParseCmdLine().

#define MODE_IDS   3
 

Definition at line 117 of file snort.h.

Referenced by DecodeARP(), DecodeEAP(), DecodeEapol(), DecodeEapolKey(), DecodeICMP(), DecodeIEEE80211Pkt(), DecodeIP(), DecodeIPOptions(), DecodePPPoEPkt(), DecodeTCP(), DecodeTCPOptions(), DecodeTRPkt(), DecodeUDP(), DecodeVlan(), IPHdrTests(), ProcessPacket(), and SnortMain().

#define MODE_PACKET_DUMP   1
 

Definition at line 115 of file snort.h.

Referenced by SnortMain().

#define MODE_PACKET_LOG   2
 

Definition at line 116 of file snort.h.

Referenced by ProcessPacket(), and SnortMain().

#define MODE_TEST   4
 

Definition at line 118 of file snort.h.

#define PRINT_INTERFACE(i)   i
 

Definition at line 49 of file snort.h.

Referenced by AlertFast(), AlertFull(), AlertSyslog(), DatabaseInit(), OpenPcap(), ParseCmdLine(), ParseConfig(), PortscanPreprocFunction(), SetPktProcessor(), and SnortMain().

#define RF_ANY_DIP   0x02
 

Definition at line 60 of file snort.h.

#define RF_ANY_DP   0x10
 

Definition at line 62 of file snort.h.

#define RF_ANY_FLAGS   0x20
 

Definition at line 63 of file snort.h.

#define RF_ANY_SIP   0x01
 

Definition at line 59 of file snort.h.

#define RF_ANY_SP   0x04
 

Definition at line 61 of file snort.h.

#define SIGNAL_SNORT_ROTATE_STATS   28
 

Definition at line 111 of file snort.h.

Referenced by SigUsrHandler(), and SnortMain().

#define SNIFFUSER   0
 

Definition at line 83 of file snort.h.

#define SNORT_20
 

Definition at line 42 of file snort.h.

#define STD_BUF   1024
 

Definition at line 57 of file snort.h.

Referenced by AlertSyslog(), CheckLogDir(), ConvInit(), CreatePidFile(), ErrorMessage(), FatalError(), IntegrityCheck(), LogMessage(), OpenAlertFile(), OpenAlertSock(), OpenLogFile(), OpenSessionFile(), OpenStatsFile(), ParseCmdLine(), ParseConfig(), ParseContentListFile(), ParseScanmungeArgs(), ParseSyslogArgs(), print_thd_node(), PrintConfig(), PrintPortscanConf(), printRuleListOrder(), PrintServerConf(), ProcessFileOption(), SetRpcPorts(), SetTelnetPorts(), SLog(), Stream4Init(), Stream4InitReassembler(), TcpdumpInitLogFile(), UnifiedInitAlertFile(), UnifiedInitFile(), and UnifiedInitLogFile().

#define TIMEBUF_SIZE   26
 

Definition at line 97 of file snort.h.

Referenced by AlertFast(), AlertFull(), LogPortscanAlert(), PrintArpHeader(), PrintEapolPkt(), PrintIPPkt(), PrintWifiPkt(), RealAlertCSV(), SLog(), and ts_print().


Typedef Documentation

typedef struct _Capabilities Capabilities
 

typedef struct _Configuration Configuration
 

typedef void(* grinder_t)(Packet *, struct pcap_pkthdr *, u_char *)
 

Definition at line 326 of file snort.h.

typedef struct _PacketCount PacketCount
 

typedef struct _progvars PV
 

typedef struct _runtime_config runtime_config
 


Function Documentation

void CleanExit (int)
 

Definition at line 2417 of file snort.c.

References _PluginSignalFuncNode::arg, bzero, _progvars::done_processing, DropStats(), endtime, fpShowEventStats(), _PluginSignalFuncNode::func, gettimeofday(), InlineMode(), LogMessage(), _PluginSignalFuncNode::next, NULL, pcap_close(), _progvars::pid_filename, SIGQUIT, starttime, _progvars::test_mode_flag, and TIMERSUB.

Referenced by InterfaceThread(), SetPktProcessor(), SigIntHandler(), SigQuitHandler(), SigTermHandler(), and SnortMain().

void DefineIfaceVar (char *, u_char *, u_char *)
 

Definition at line 214 of file util.c.

References snprintf, and VarDefine().

Referenced by OpenPcap().

void * InterfaceThread (void *)
 

Definition at line 2006 of file snort.c.

References bzero, CleanExit(), _progvars::daemon_flag, _progvars::done_processing, ErrorMessage(), gettimeofday(), LOG_CONS, LOG_DAEMON, LOG_PID, NULL, pcap_geterr(), pcap_loop(), PcapProcessPacket(), _progvars::pkt_cnt, starttime, and syslog().

Referenced by SnortMain().

int OpenPcap ()
 

Definition at line 2046 of file snort.c.

References datalink, DEBUG_INIT, DEBUG_WRAP, DefineIfaceVar(), ErrorMessage(), FatalError(), _progvars::interface, LogMessage(), MIN_SNAPLEN, NULL, _progvars::pcap_cmd, pcap_compile(), pcap_datalink(), PCAP_ERRBUF_SIZE, pcap_geterr(), pcap_lookupdev(), pcap_lookupnet(), pcap_open_live(), pcap_open_offline(), pcap_setfilter(), pcap_snapshot(), _progvars::pkt_snaplen, PRINT_INTERFACE, PROMISC, _progvars::promisc_flag, _progvars::quiet_flag, READ_TIMEOUT, _progvars::readfile, _progvars::readmode_flag, SNAPLEN, snaplen, and strstr().

Referenced by ParseConfig(), and SnortMain().

int ParseCmdLine (int, char **)
 

void PcapProcessPacket (char *, struct pcap_pkthdr *, u_char *)
 

Definition at line 749 of file snort.c.

References pcap_pkthdr::caplen, ClearDumpBuf(), NULL, packet_time_update(), ProcessPacket(), _SFPERF::sfBase, sfthreshold_reset(), SnortEventqReset(), _PacketCount::total, pcap_pkthdr::ts, and UpdateWireStats().

Referenced by InterfaceThread().

void ProcessPacket (char *, struct pcap_pkthdr *, u_char *, void *)
 

Definition at line 779 of file snort.c.

References CallLogPlugins(), ClearDumpBuf(), DEBUG_DECODE, DEBUG_WRAP, g_drop_pkt, _progvars::min_ttl, MODE_IDS, MODE_PACKET_LOG, NULL, _Packet::packet_flags, PKT_IGNORE_PORT, PKT_REBUILT_FRAG, Preprocess(), PrintArpHeader(), PrintEapolPkt(), PrintIPPkt(), PrintWifiPkt(), runMode, _progvars::showwifimgmt_flag, and _progvars::verbose_flag.

Referenced by Frag3Rebuild(), PcapProcessPacket(), and RebuildFrag().

int SetPktProcessor ()
 

Definition at line 1703 of file snort.c.

References CleanExit(), datalink, DecodeChdlcPkt(), DecodeEncPkt(), DecodeEthPkt(), DecodeFDDIPkt(), DecodeI4LCiscoIPPkt(), DecodeI4LRawIPPkt(), DecodeIEEE80211Pkt(), DecodeLinuxSLLPkt(), DecodeNullPkt(), DecodeOldPflog(), DecodePflog(), DecodePppPkt(), DecodePppSerialPkt(), DecodeRawPkt(), DecodeSlipPkt(), DecodeTRPkt(), DLT_CHDLC, DLT_EN10MB, DLT_ENC, DLT_FDDI, DLT_IEEE802, DLT_IEEE802_11, DLT_LINUX_SLL, DLT_LOOP, DLT_NULL, DLT_OLDPFLOG, DLT_PFLOG, DLT_PPP, DLT_PPP_SERIAL, DLT_RAW, DLT_SLIP, ErrorMessage(), grinder, InlineMode(), _progvars::interface, LogMessage(), PRINT_INTERFACE, progname, _progvars::quiet_flag, _progvars::readmode_flag, and _progvars::show2hdr_flag.

Referenced by SnortMain().

int ShowUsage (char *)
 

Definition at line 855 of file snort.c.

References FPUTS_BOTH, FPUTS_UNIX, FPUTS_WIN32, and SNAPLEN.

Referenced by ParseCmdLine(), and SnortMain().

void SigCantHupHandler (int signal)
 

Dummy signal handler for non-root users or when running in a chroot.

Parameters:
signal  the signal number delivered to the handler

Definition at line 2397 of file snort.c.

References LogMessage().

Referenced by SetChroot(), and SnortMain().

int SnortMain (int argc, char *argv[])
 

Definition at line 236 of file snort.c.

References _progvars::alert_cmd_override, _progvars::alert_filename, ALERT_FULL, _progvars::alert_mode, _progvars::alert_plugin_active, AlertPreludeSetupAfterSetuid(), asn1_init_mem(), _progvars::assurance_mode, ASSURE_ALL, CheckLogDir(), _progvars::checksums_mode, _progvars::chroot_dir, CleanExit(), _progvars::config_dir, _progvars::config_file, ConfigFileSearch(), CreateDefaultRules(), CreatePidFile(), _progvars::daemon_flag, DEBUG_INIT, DEBUG_WRAP, DEFAULT_LOG_DIR, DisplayBanner(), DO_ICMP_CHECKSUMS, DO_IP_CHECKSUMS, DO_TCP_CHECKSUMS, DO_UDP_CHECKSUMS, DumpOutputPlugins(), DumpPlugIns(), DumpPreprocessors(), errno, _progvars::event_log_id, FatalError(), FlowBitsVerify(), fpCreateFastPacketDetection(), fpInitDetectionEngine(), gmt2local(), GoDaemon(), init_winsock(), InitDecoderFlags(), InitNetmasks(), InitOutputPlugins(), InitPlugIns(), InitPreprocessors(), InitProtoNames(), InitTag(), InlineMode(), _progvars::interface, InterfaceThread(), _progvars::log_cmd_override, LOG_CONS, LOG_DAEMON, _progvars::log_dir, _progvars::log_mode, LOG_PCAP, LOG_PID, _progvars::log_plugin_active, LogMessage(), memset, MODE_IDS, MODE_PACKET_DUMP, MODE_PACKET_LOG, mpsePrintSummary(), NULL, openlog(), OpenPcap(), OrderRuleLists(), OtnXMatchDataInitialize(), ParseCmdLine(), ParseRulesFile(), _progvars::pidfile_suffix, _progvars::pkt_cnt, PRINT_INTERFACE, print_thresholding(), PrintError(), printRuleOrder(), ProcessAlertCommandLine(), ProcessLogCommandLine(), progargs, progname, _progvars::quiet_flag, _progvars::readfile, _progvars::readmode_flag, _progvars::rotate_perf_file, _progvars::rules_order_flag, runMode, SetChroot(), SetPktProcessor(), SetUidGid(), ShowUsage(), SIG_SETMASK, SIGALRM, SigCantHupHandler(), SIGHUP, SigHupHandler(), SigIntHandler(), SIGNAL_SNORT_ROTATE_STATS, SIGQUIT, SigQuitHandler(), SigTermHandler(), SIGUSR1, SigUsrHandler(), SnortEventqInit(), _progvars::test_mode_flag, thiszone, _progvars::use_utc, userid, and _progvars::verbose_flag.

Referenced by main().


Variable Documentation

char _PATH_VARRUN[STD_BUF]
 

Definition at line 167 of file snort.c.

Referenced by CreatePidFile().

FILE* alert
 

Definition at line 146 of file snort.c.

FILE* binlog_ptr
 

Definition at line 147 of file snort.c.

int datalink
 

Definition at line 130 of file snort.c.

Referenced by DropStats(), OpenPcap(), Print2ndHeader(), SetPktProcessor(), and UnifiedInitLogFile().

int flow
 

Definition at line 148 of file snort.c.

Referenced by ps_filter_ignore(), ps_tracker_update_ip(), ps_tracker_update_tcp(), and ps_tracker_update_udp().

u_long g_caplen
 

Definition at line 154 of file snort.c.

u_char* g_pkt
 

Definition at line 153 of file snort.c.

struct pcap_pkthdr* g_pkthdr
 

Definition at line 152 of file snort.c.

struct group* gr
 

Definition at line 138 of file snort.c.

Referenced by ParseCmdLine(), and ParseConfig().

grinder_t grinder
 

Definition at line 159 of file snort.c.

Referenced by SetPktProcessor().

unsigned long groupid
 

Definition at line 136 of file snort.c.

Referenced by ParseCmdLine(), ParseConfig(), and SetUidGid().

char* groupname
 

Definition at line 134 of file snort.c.

Referenced by ParseCmdLine(), ParseConfig(), and SetUidGid().

u_long netmasks[33]
 

Definition at line 151 of file snort.c.

PacketCount pc
 

Definition at line 150 of file snort.c.

Referenced by BuildPacket(), CallAlertFuncs(), CallAlertPlugins(), CallLogFuncs(), CallLogPlugins(), CreateNewSession(), DecodeARP(), DecodeChdlcPkt(), DecodeEAP(), DecodeEapol(), DecodeEapolKey(), DecodeEthLoopback(), DecodeEthPkt(), DecodeFDDIPkt(), DecodeI4LCiscoIPPkt(), DecodeI4LRawIPPkt(), DecodeICMP(), DecodeIEEE80211Pkt(), DecodeIP(), DecodeIPV6(), DecodeIPX(), DecodeOldPflog(), DecodePflog(), DecodeTCP(), DecodeTRPkt(), DecodeUDP(), DecodeVlan(), DirectLogTcpdump(), DropStats(), Frag2Alloc(), Frag2SelfPreserve(), Frag3NewTracker(), Frag3Rebuild(), GetEventsPerSecond(), LoadStateTable(), NewFragTracker(), PassAction(), PruneFragCache(), ReassembleStream4(), RebuildFrag(), RebuildTraverse(), SafeAlloc(), SpoLogTcpdumpCleanExitFunc(), SpoLogTcpdumpRestartFunc(), and TraverseFunc().

char* pcap_cmd
 

Definition at line 139 of file snort.c.

pcap_t* pd
 

Definition at line 141 of file snort.c.

Referenced by DropStats(), GetPktDropStats(), ParseConfig(), and TcpdumpInitLogFile().

char* pktidx
 

Definition at line 140 of file snort.c.

char** progargs
 

Definition at line 132 of file snort.c.

Referenced by Restart(), and SnortMain().

char* progname
 

Definition at line 131 of file snort.c.

Referenced by ParseCmdLine(), Restart(), SetPktProcessor(), and SnortMain().

char* protocol_names[256]
 

Definition at line 155 of file snort.c.

Referenced by AlertFast(), AlertSyslog(), CleanupProtoNames(), InitProtoNames(), OpenLogFile(), and PrintIPHeader().

PV pv
 

Definition at line 129 of file snort.c.

struct passwd* pw
 

Definition at line 137 of file snort.c.

Referenced by ParseCmdLine(), and ParseConfig().

u_int8_t runMode
 

Definition at line 128 of file snort.c.

Referenced by DecodeARP(), DecodeEAP(), DecodeEapol(), DecodeEapolKey(), DecodeICMP(), DecodeIEEE80211Pkt(), DecodeIP(), DecodeIPOptions(), DecodePPPoEPkt(), DecodeTCP(), DecodeTCPOptions(), DecodeTRPkt(), DecodeUDP(), DecodeVlan(), IPHdrTests(), ProcessPacket(), and SnortMain().

SFPERF sfPerf
 

Definition at line 170 of file snort.c.

u_int snaplen
 

Definition at line 156 of file snort.c.

runtime_config snort_runtime
 

Definition at line 160 of file snort.c.

Referenced by fpEvalOTN(), PreprocRpcDecode(), and Stream4Init().

int thiszone
 

Definition at line 149 of file snort.c.

unsigned long userid
 

Definition at line 135 of file snort.c.

Referenced by ParseCmdLine(), ParseConfig(), SetUidGid(), and SnortMain().

char* username
 

Definition at line 133 of file snort.c.

Referenced by ParseCmdLine(), ParseConfig(), and SetUidGid().

