00001 /* 00002 ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com> 00003 ** Copyright (C) 2001 Phil Wood <cpw@lanl.gov> 00004 ** 00005 ** This program is free software; you can redistribute it and/or modify 00006 ** it under the terms of the GNU General Public License as published by 00007 ** the Free Software Foundation; either version 2 of the License, or 00008 ** (at your option) any later version. 00009 ** 00010 ** This program is distributed in the hope that it will be useful, 00011 ** but WITHOUT ANY WARRANTY; without even the implied warranty of 00012 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 00013 ** GNU General Public License for more details. 00014 ** 00015 ** You should have received a copy of the GNU General Public License 00016 ** along with this program; if not, write to the Free Software 00017 ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 00018 */ 00019 00020 /* $Id$ */ 00021 00022 #ifdef HAVE_CONFIG_H 00023 #include "config.h" 00024 #endif 00025 00026 #include <sys/types.h> 00027 #include <stdlib.h> 00028 #include <ctype.h> 00029 00030 #include "rules.h" 00031 #include "decode.h" 00032 #include "plugbase.h" 00033 #include "parser.h" 00034 #include "debug.h" 00035 #include "util.h" 00036 #include "plugin_enum.h" 00037 00038 00039 00040 typedef struct _IpSameData 00041 { 00042 u_char ip_same; 00043 00044 } IpSameData; 00045 00046 void IpSameCheckInit(char *, OptTreeNode *, int); 00047 void ParseIpSame(char *, OptTreeNode *); 00048 int IpSameCheck(Packet *, struct _OptTreeNode *, OptFpList *); 00049 00050 00051 /**************************************************************************** 00052 * 00053 * Function: SetupIpSameCheck() 00054 * 00055 * Purpose: Associate the same keyword with IpSameCheckInit 00056 * 00057 * Arguments: None. 00058 * 00059 * Returns: void function 00060 * 00061 ****************************************************************************/ 00062 void SetupIpSameCheck(void) 00063 { 00064 /* map the keyword to an initialization/processing function */ 00065 RegisterPlugin("sameip", IpSameCheckInit); 00066 DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Plugin: IpSameCheck Initialized\n");); 00067 } 00068 00069 00070 /**************************************************************************** 00071 * 00072 * Function: IpSameCheckInit(char *, OptTreeNode *) 00073 * 00074 * Purpose: Setup the same data struct and link the function into option 00075 * function pointer list 00076 * 00077 * Arguments: data => rule arguments/data 00078 * otn => pointer to the current rule option list node 00079 * 00080 * Returns: void function 00081 * 00082 ****************************************************************************/ 00083 void IpSameCheckInit(char *data, OptTreeNode *otn, int protocol) 00084 { 00085 /* multiple declaration check */ 00086 if(otn->ds_list[PLUGIN_IP_SAME_CHECK]) 00087 { 00088 FatalError("%s(%d): Multiple sameip options in rule\n", file_name, 00089 file_line); 00090 } 00091 00092 /* allocate the data structure and attach it to the 00093 rule's data struct list */ 00094 otn->ds_list[PLUGIN_IP_SAME_CHECK] = (IpSameData *) 00095 SnortAlloc(sizeof(IpSameData)); 00096 00097 /* this is where the keyword arguments are processed and placed into the 00098 rule option's data structure */ 00099 ParseIpSame(data, otn); 00100 00101 /* finally, attach the option's detection function to the rule's 00102 detect function pointer list */ 00103 AddOptFuncToList(IpSameCheck, otn); 00104 } 00105 00106 00107 00108 /**************************************************************************** 00109 * 00110 * Function: ParseIpSame(char *, OptTreeNode *) 00111 * 00112 * Purpose: Convert the id option argument to data and plug it into the 00113 * data structure 00114 * 00115 * Arguments: data => argument data 00116 * otn => pointer to the current rule's OTN 00117 * 00118 * Returns: void function 00119 * 00120 ****************************************************************************/ 00121 void ParseIpSame(char *data, OptTreeNode *otn) 00122 { 00123 IpSameData *ds_ptr; /* data struct pointer */ 00124 00125 return; /* the check below bombs. */ 00126 /* set the ds pointer to make it easier to reference the option's 00127 particular data struct */ 00128 ds_ptr = otn->ds_list[PLUGIN_IP_SAME_CHECK]; 00129 00130 /* get rid of any whitespace */ 00131 while(isspace((int)*data)) 00132 { 00133 data++; 00134 } 00135 if (*data) { 00136 FatalError("%s(%d): arg '%s' not required\n", file_name, file_line, data); 00137 } 00138 } 00139 00140 00141 /**************************************************************************** 00142 * 00143 * Function: IpSameCheck(char *, OptTreeNode *) 00144 * 00145 * Purpose: Test the ip header's id field to see if its value is equal to the 00146 * value in the rule. This is useful to detect things like "elite" 00147 * numbers, oddly repeating numbers, etc. 00148 * 00149 * Arguments: data => argument data 00150 * otn => pointer to the current rule's OTN 00151 * 00152 * Returns: void function 00153 * 00154 ****************************************************************************/ 00155 int IpSameCheck(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list) 00156 { 00157 if(!p->iph) 00158 return 0; /* if error occured while ip header 00159 * was processed, return 0 automagically. 00160 */ 00161 if (p->iph->ip_src.s_addr == p->iph->ip_dst.s_addr) 00162 { 00163 00164 DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Match! %x -> %x\n", 00165 p->iph->ip_src.s_addr, p->iph->ip_dst.s_addr);); 00166 /* call the next function in the function list recursively */ 00167 return fp_list->next->OptTestFunc(p, otn, fp_list->next); 00168 } 00169 else 00170 { 00171 /* you can put debug comments here or not */ 00172 DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"No match %x -> %x\n", 00173 p->iph->ip_src.s_addr, p->iph->ip_dst.s_addr);); 00174 } 00175 00176 /* if the test isn't successful, return 0 */ 00177 return 0; 00178 }
1.4.2