src/detection-plugins/sp_ip_proto.c Source File

00001 /* $Id$ */
00002 
00003 /* sp_ip_proto 
00004  * 
00005  * Purpose:
00006  *
00007  * Check the IP header's protocol field value.
00008  *
00009  * Arguments:
00010  *   
00011  *   Number, protocol name, ! for negation
00012  *
00013  * Effect:
00014  *
00015  *  Success on protocol match, failure otherwise 
00016  *
00017  * Comments:
00018  *
00019  * None.
00020  *
00021  */
00022 
00023 #ifdef HAVE_CONFIG_H
00024 #include "config.h"
00025 #endif
00026 
00027 #include <sys/types.h>
00028 #include <stdlib.h>
00029 #include <ctype.h>
00030 #ifndef WIN32
00031 #include <netdb.h>
00032 #endif /* !WIN32 */
00033 
00034 #include "rules.h"
00035 #include "decode.h"
00036 #include "plugbase.h"
00037 #include "parser.h"
00038 #include "debug.h"
00039 #include "util.h"
00040 #include "plugin_enum.h"
00041 #include "sp_ip_proto.h"
00042 
00043 
00044 void IpProtoInit(char *, OptTreeNode *, int);
00045 void IpProtoRuleParseFunction(char *, IpProtoData *);
00046 int IpProtoDetectorFunction(Packet *, struct _OptTreeNode *, OptFpList *);
00047 
00048 
00049 
00050 /****************************************************************************
00051  * 
00052  * Function: SetupIpProto()
00053  *
00054  * Purpose: Generic detection engine plugin ip_proto.  Registers the
00055  *          configuration function and links it to a rule keyword.  This is
00056  *          the function that gets called from InitPlugins in plugbase.c.
00057  *
00058  * Arguments: None.
00059  *
00060  * Returns: void function
00061  *
00062  ****************************************************************************/
00063 void SetupIpProto(void)
00064 {
00065     /* map the keyword to an initialization/processing function */
00066     RegisterPlugin("ip_proto", IpProtoInit);
00067     DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Plugin: IpProto Setup\n"););
00068 }
00069 
00070 
00071 /****************************************************************************
00072  * 
00073  * Function: IpProtoInit(char *, OptTreeNode *)
00074  *
00075  * Purpose: Generic rule configuration function.  Handles parsing the rule 
00076  *          information and attaching the associated detection function to
00077  *          the OTN.
00078  *
00079  * Arguments: data => rule arguments/data
00080  *            otn => pointer to the current rule option list node
00081  *
00082  * Returns: void function
00083  *
00084  ****************************************************************************/
00085 void IpProtoInit(char *data, OptTreeNode *otn, int protocol)
00086 {
00087     OptFpList *ofl;
00088     IpProtoData *ipd;
00089     
00090     /* multiple declaration check */ 
00091     /*if(otn->ds_list[PLUGIN_IP_PROTO_CHECK])
00092     {
00093         FatalError("%s(%d): Multiple ip_proto options in rule\n", file_name,
00094                 file_line);
00095     }*/
00096 
00097     ipd = (IpProtoData *) SnortAlloc(sizeof(IpProtoData));
00098 
00099     /* allocate the data structure and attach it to the
00100        rule's data struct list */
00101     //otn->ds_list[PLUGIN_IP_PROTO_CHECK] = (IpProtoData *) calloc(sizeof(IpProtoData), sizeof(char));
00102 
00103     /* this is where the keyword arguments are processed and placed into the 
00104        rule option's data structure */
00105     IpProtoRuleParseFunction(data, ipd);
00106 
00107     /* finally, attach the option's detection function to the rule's 
00108        detect function pointer list */
00109     ofl = AddOptFuncToList(IpProtoDetectorFunction, otn);
00110 
00111     ofl->context = ipd;
00112 
00113     /*
00114     **  Set the ds_list for the first ip_proto check for a rule.  This
00115     **  is needed for the high-speed rule optimization.
00116     */
00117     if(!otn->ds_list[PLUGIN_IP_PROTO_CHECK])
00118         otn->ds_list[PLUGIN_IP_PROTO_CHECK] = ipd;
00119 }
00120 
00121 
00122 
00123 /****************************************************************************
00124  * 
00125  * Function: IpProtoRuleParseFunction(char *, OptTreeNode *)
00126  *
00127  * Purpose: This is the function that is used to process the option keyword's
00128  *          arguments and attach them to the rule's data structures.
00129  *
00130  * Arguments: data => argument data
00131  *            ds_ptr => pointer to the IpProtoData struct
00132  *
00133  * Returns: void function
00134  *
00135  ****************************************************************************/
00136 void IpProtoRuleParseFunction(char *data, IpProtoData *ds_ptr)
00137 {
00138     //IpProtoData *ds_ptr;  /* data struct pointer */
00139     struct protoent *pt;
00140 
00141     /* set the ds pointer to make it easier to reference the option's
00142        particular data struct */
00143     //ds_ptr = otn->ds_list[PLUGIN_IP_PROTO_CHECK];
00144 
00145     while(isspace((int)*data)) data++;
00146 
00147     if(*data == '!')
00148     {
00149         ds_ptr->not_flag = 1;
00150         data++;
00151     }
00152 
00153     if(*data == '>')
00154     {
00155         ds_ptr->comparison_flag = GREATER_THAN; 
00156         data++;
00157     }
00158 
00159     if(*data == '<')
00160     {
00161         ds_ptr->comparison_flag = LESS_THAN; 
00162         data++;
00163     }
00164 
00165     /* check for a number or a protocol name */
00166     if(isdigit((int)*data))
00167     {
00168         ds_ptr->protocol = atoi(data);
00169     }
00170     else
00171     {
00172         pt = getprotobyname(data);
00173 
00174         if(pt)
00175         {
00176             ds_ptr->protocol = (u_char) pt->p_proto;
00177         }
00178         else
00179         {
00180             FatalError("%s(%d) => Bad protocol name \"%s\"\n", 
00181                     file_name, file_line, data);
00182         }
00183     } 
00184 }
00185 
00186 
00187 /****************************************************************************
00188  * 
00189  * Function: IpProtoDetectorFunction(char *, OptTreeNode *)
00190  *
00191  * Purpose: Use this function to perform the particular detection routine
00192  *          that this rule keyword is supposed to encompass.
00193  *
00194  * Arguments: data => argument data
00195  *            otn => pointer to the current rule's OTN
00196  *
00197  * Returns: If the detection test fails, this function *must* return a zero!
00198  *          On success, it calls the next function in the detection list 
00199  *
00200  ****************************************************************************/
00201 int IpProtoDetectorFunction(Packet *p, struct _OptTreeNode *otn, 
00202         OptFpList *fp_list)
00203 {
00204     IpProtoData *ipd;  /* data struct pointer */
00205 
00206     //ipd = otn->ds_list[PLUGIN_IP_PROTO_CHECK];
00207     ipd = fp_list->context;
00208 
00209     if(!p->iph)
00210     {
00211         DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Not IP\n"););
00212         return 0;
00213     }
00214 
00215     switch(ipd->comparison_flag)
00216     {
00217         case 0:
00218             if((ipd->protocol == p->iph->ip_proto) ^ ipd->not_flag)
00219             {
00220                 return fp_list->next->OptTestFunc(p, otn, fp_list->next);
00221             }
00222             else
00223             {
00224                 /* you can put debug comments here or not */
00225                 DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"No match\n"););
00226             }
00227 
00228             break;
00229 
00230         case GREATER_THAN:
00231             if(p->iph->ip_proto > ipd->protocol)
00232             {
00233                 return fp_list->next->OptTestFunc(p, otn, fp_list->next);
00234             }
00235 
00236             break;
00237 
00238         default:
00239             if(p->iph->ip_proto < ipd->protocol)
00240             {
00241                 return fp_list->next->OptTestFunc(p, otn, fp_list->next);
00242             }
00243 
00244             break;
00245     }
00246 
00247     /* if the test isn't successful, this function *must* return 0 */
00248     return 0;
00249 }