Title: Extending snort, without knowing C for dirt
Slide 1: Extending snort, without knowing C for dirt

Slide 2: Thanks
- Jeff Nathan (jeff@snort.org)
  - Co-author of one of the plugins discussed in this presentation
  - Co-author of any number of slides for this presentation
- Sourcefire (http://www.sourcefire.com)
  - Paying me to work on snort
- Michelle (my wife)
  - Who let me skip out on watching our son and new puppy to give this presentation

Slide 3: The life of a packet through Snort's detection engine

Slide 4: Overview of protocol decoding and protocol anomaly detection
- Static Decoders
- Normalization of Data

Slide 5: Recent detection improvements
- Advanced content options (distance, within, byte_test and byte_jump)
- All purpose state engine (conversation)
- Improved message passing between components

Slide 6: Distance
- content:"SITE"; content:"EXEC"; distance:0;
    53 49 54 45 20 20 20 20 20 45 58 45 43 20 65 76  SITE     EXEC ev
    69 6C 66 6F 6F 0A                                ilfoo.

Slide 10: Within
- content:"SITE"; content:!"|0a|"; within:50;
    53 49 54 45 20 20 20 20 20 45 58 45 43 20 65 76  SITE     EXEC ev
    69 6C 66 6F 6F 0A                                ilfoo.

Slide 14: Byte Test
- content:" LSUB |22|"; content:"|22| {"; distance:0; byte_test:5,>,256,0,string,dec,relative;
    31 20 4C 53 55 42 20 22 22 20 7B 31 30 36 34 7D  1 LSUB "" {1064}

Slide 20: Byte Jump
- content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 F3|"; offset:16; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative;
    00 00 0F 9C 36 51 D5 2B 00 00 00 00 00 00 00 02  ....6Q.+........
    00 01 86 F3 00 00 00 01 00 00 00 07 00 00 00 01  ................
    00 00 00 20 37 5E D1 6A 00 00 00 09 6C 6F 63 61  ... 7^.j....loca
    6C 68 6F 73 74 00 00 00 00 00 00 00 00 00 00 00  lhost...........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F FF  ................
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
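A minimal re-implementation of the content/distance/within/byte_test/byte_jump semantics walked through on slides 6 to 20, run over the payloads from those slides' hex dumps, so the doe_ptr bookkeeping can be traced step by step. This is an added example, not code from the presentation or from Snort; the rule bodies are my reconstruction of the slides' options, and the RPC payload is transcribed from the slide 20 dump.

```python
import re
# Constructed sample payloads, transcribed from the hex dumps on slides 6, 10, 14 and 20.
FTP_SITE = b"SITE     EXEC evilfoo\n"
IMAP_LSUB = b'1 LSUB "" {1064}\r\n'
RPC_CALL = bytes.fromhex(                          # slide 20 dump: an RPC call header...
    "00000F9C3651D52B" "0000000000000002" "000186F3" "00000001" "00000007" "00000001"
    "00000020" "375ED16A" "00000009" "6C6F6361" "6C686F7374000000" "0000000000000000"
    "0000000000000000" "000000000000" "0FFF") + b"A" * 80       # ...then 80 bytes of 'A'
def content(pat, negate=False, **mods):            # mods: offset, depth, distance, within
    return ("content", pat, negate, mods)
def byte_test(n, op, value, off, string=False, relative=False):
    return ("byte_test", n, off, relative, op, value, string)
def byte_jump(n, off, relative=False, align=False):
    return ("byte_jump", n, off, relative, align)

def evaluate(payload, options):
    """Walk the options left to right, tracking doe_ptr (the byte after the last match)."""
    doe = 0
    for opt in options:
        if opt[0] == "content":
            _, pat, negate, m = opt
            if "distance" in m or "within" in m:        # search relative to doe_ptr
                start = doe + m.get("distance", 0)
                end = start + m["within"] if "within" in m else len(payload)
            else:                                       # absolute search window
                start = m.get("offset", 0)
                end = start + m["depth"] if "depth" in m else len(payload)
            idx = payload.find(pat, start, end)
            if (idx < 0) != negate:                     # a negated content fails when found
                return False
            doe = idx + len(pat) if idx >= 0 else doe
        else:                                           # byte_test and byte_jump share the read
            kind, n, off, relative = opt[:4]
            start = (doe if relative else 0) + off
            chunk = payload[start:start + n]
            if len(chunk) < n:
                return False
            if kind == "byte_test":
                op, value, as_string = opt[4:]
                if as_string:                           # string,dec: strtoul-style parse
                    digits = re.match(rb"\s*(\d+)", chunk)
                    got = int(digits.group(1)) if digits else 0
                else:
                    got = int.from_bytes(chunk, "big")
                if not {">": got > value, "<": got < value, "=": got == value}[op]:
                    return False
            else:
                doe = start + n + int.from_bytes(chunk, "big")
                if opt[4] and doe % 4:                  # align: round up to a 4-byte boundary
                    doe += 4 - doe % 4
                if doe > len(payload):                  # jumped past the packet: no match
                    return False
    return True

# The rule bodies from slides 6, 10, 14 and 20, in the slides' option order.
DISTANCE = [content(b"SITE"), content(b"EXEC", distance=0)]
WITHIN = [content(b"SITE"), content(b"\n", negate=True, within=50)]
BYTE_TEST = [content(b' LSUB "'), content(b'" {', distance=0),
             byte_test(5, ">", 256, 0, string=True, relative=True)]
BYTE_JUMP = [content(b"\x00\x00\x00\x00", offset=8, depth=4),
             content(b"\x00\x01\x86\xF3", offset=16, depth=4),
             content(b"\x00\x00\x00\x07", distance=4, within=4),
             byte_jump(4, 4, relative=True, align=True), byte_jump(4, 4, relative=True, align=True),
             byte_test(4, ">", 128, 0, relative=True)]
```

Note that the within rule does not fire on the short SITE line from the slide (a newline sits inside the 50-byte window); it fires on a SITE line with no newline in that window.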

Slide 28: Advantages and Disadvantages of static software
- Advantages
  - Relatively fast
  - State-based implementations
- Disadvantages
  - Users are not programmers
  - Requires recompilation of the entire system
  - Requires specific knowledge of the protocol (in addition to Snort)

Slide 29: The promise of advanced rules
- A quicker development cycle for discrete protocol anomaly detection
- Only requires knowledge of Snort's rule language and the protocol itself
- NO NEED TO LEARN C

Slide 30: Where existing advanced rules and preprocessors fall short
- New preprocessors can require significant development time
- Preprocessors rely on Snort's pattern matching for detection of normalized data
- No advanced constructs (loops, regex, and data munging)
- Not all vulnerabilities can be covered with advanced rules and existing preprocessors

Slide 32: A new solution: sp_perl
- Two new detection keywords
  - perlre provides real regular expressions
  - perl provides runtime evaluation of virtually any perl code

Slide 33: sp_perl, are we nuts?
- Extensibility through perl
- No additional CPU cost for non-perl rules
- Rapid updates to Snort's detection capabilities without re-implementing N-CODE

Slide 34: OK, so we're nuts. How does this actually work?
- Create an embedded perl interpreter
- Parse all the rules and store perl data for later
- When a perl rule option is triggered
  - Push the rule, payload, and IP data onto the perl stack
  - Eval the perl rule
  - Check the return code of eval

Slide 35: Embedded perl
    PerlInterpreter *my_perl = perl_alloc();
    perl_construct(my_perl);
    perl_parse(my_perl, NULL, 2, perl_cmdline_opts, NULL);
    perl_run(my_perl);
    perl_destruct(my_perl);
    perl_free(my_perl);

Slide 36: OK, but how does that work inside of Snort?
- SetupPerlKungFoo()
  - Verifies the file with our perl functions is there
  - Registers our keywords as valid detection options
  - Allocates a runtime perl interpreter
  - Initializes the perl stack for our runtime interpreter
  - Parses our perl file to get our functions into the runtime environment
  - Stores the persistent data specific to sp_perl in the OptTreeNode(s)

Slide 37: sp_perl, what the ugly C does
- Calls perl_regex with the pattern, type of test (perl vs perlre), along with the packet
- Pushes args onto a local copy of the perl stack, then replaces the global perl stack with our stack
- Calls the appropriate perl function using the new global perl stack
- Pops the return code from the perl stack, converts it to an integer
- Returns the next test on the OptTreeNode on success, otherwise 0

Slide 38: Example Rules

Slide 39: IMAP LSUB Buffer Overflow
- CAN-2000-0284
    11/11-10:45:41.482210 172.16.2.130:33012 -> 10.2.2.250:143
    ***AP*** Seq: 0x6F578C60  Ack: 0xFE6E84A1  Win: 0x16D0  TcpLen: 32
    31 20 4C 53 55 42 20 22 22 20 7B 31 30 36 34 7D  1 LSUB "" {1064}
    0D 0A                                            ..

    11/11-10:45:41.482699 10.2.2.250:143 -> 172.16.2.130:33012
    ***AP*** Seq: 0xFE6E84A1  Ack: 0x6F578C72  Win: 0x7BFC  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 26213694 338288987
    2B 20 52 65 61 64 79 20 66 6F 72 20 61 72 67 75  + Ready for argu
    6D 65 6E 74 0D 0A                                ment..

    11/11-10:45:41.483459 172.16.2.130:33012 -> 10.2.2.250:143
    ***AP*** Seq: 0x6F578C72  Ack: 0xFE6E84B7  Win: 0x16D0  TcpLen: 32
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................

Slide 40: IMAP LSUB Buffer Overflow, continued
- Our content
  - 1 LSUB "" {1064}\r\nSHELLCODEHERE
- So how do we detect this?
  - Regex
  - Regex and some math

Slide 41: IMAP LSUB Buffer Overflow, regex
- 1 LSUB "" {1064}\r\nSHELLCODEHERE
- Regex
  - \w\sLSUB\s""\s\{\d{4,}\}

Slide 42: IMAP LSUB Buffer Overflow, regex and some math
- 1 LSUB "" {1064}\r\nSHELLCODEHERE
- Regex
  - \w\sLSUB\s""\s\{(\d+)\}
- Math
  - $1 > 1000

Slide 43: IMAP LSUB Buffer Overflow, the rules
- alert ip any any -> any any (perlre:/\w\sLSUB\s""\s\{\d{4,}\}/;)
- alert ip any any -> any any (perl:"$content =~ /\w\sLSUB\s\"\"\s\{(\d+)\}/ && $1 > 1000";)

Slide 44: IMAP LSUB Buffer Overflow, the optimized rules
- alert tcp any any -> any 143 (flow:to_server,established; content:"LSUB"; perlre:/\w\sLSUB\s""\s\{\d{4,}\}/;)
- alert tcp any any -> any 143 (flow:to_server,established; content:"LSUB"; perl:"$content =~ /\w\sLSUB\s\"\"\s\{(\d+)\}/ && $1 > 1000";)

Slide 45: FTP Port Bounce
- CVE-1999-0017
    12/31--50000.007051 10.1.1.254:3161 -> 10.1.1.113:21
    ***AP*** Seq: 0x4FE9C1C4  Ack: 0x1E001761  Win: 0x7D78  TcpLen: 32
    70 6F 72 74 20 31 37 32 2C 31 36 2C 30 2C 33 32  port 172,16,0,32
    2C 31 32 2C 37 32 0A                             ,12,72.

Slide 46: FTP Port Bounce, continued
- Our content
  - port 172,16,0,32,12,72\n
- So how do we detect this?
  - Regex and some perl

Slide 47: FTP Port Bounce, regex and some perl
- port 172,16,0,32,12,72
- Regex
  - $content =~ /port\s(\d+),(\d+),(\d+),(\d+)/
- The Perl
  - $srcip ne $1.'.'.$2.'.'.$3.'.'.$4

Slide 48: FTP Port Bounce, the rules
- alert tcp any any -> any 21 (flow:to_server,established; content:"port"; nocase; perl:"$content =~ /port\s(\d+),(\d+),(\d+),(\d+)/i && $srcip ne $1.'.'.$2.'.'.$3.'.'.$4";)

Slide 49: HTTP Unknown Version
    04/06-20:04:12.457297 10.200.1.100:33599 -> 66.35.250.150:80
    TCP TTL:64 TOS:0x0 ID:58321 IpLen:20 DgmLen:56 DF
    ***AP*** Seq: 0xDD594D3E  Ack: 0xAEE  Win: 0x1490  TcpLen: 20
    47 45 54 20 2F 20 48 54 54 50 2F 30 2E 32 0A 0A  GET / HTTP/0.2..

Slide 50: HTTP Unknown Version, continued
- Our content
  - GET / HTTP/0.2\n\n
- So how do we detect this?
  - Regex
  - Regex and some perl

Slide 51: HTTP Unknown Version, regex
- GET / HTTP/0.2\n\n
- Regex
  - \sHTTP/(0\.9|1\.1|1\.0)\r{0,1}\n

Slide 52: HTTP Unknown Version, regex and some perl
- GET / HTTP/0.2\n\n
- Regex
  - \sHTTP/([^\n]+)\n
- Perl
  - $1 ne '1.1' && $1 ne '1.0' && $1 ne '0.9'

Slide 53: HTTP Unknown Version, the rules
- alert tcp any any -> any 80 (flow:to_server,established; content:"HTTP"; perlre:\sHTTP/(0\.9|1\.1|1\.0)\r{0,1}\n;)
- alert tcp any any -> any 80 (flow:to_server,established; content:"HTTP"; perl:"$content =~ m!HTTP/(.{3})! && $1 ne '1.1' && $1 ne '1.0' && $1 ne '0.9'";)
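The detection logic of the three sp_perl rules on slides 41 to 53 (the regex plus the extra perl check each one adds), translated to Python as an added example; this is not the presentation's code. The payloads are transcribed from the dumps on slides 39, 45 and 49; the client address handed to the FTP check is a constructed value, and that check goes one step beyond the slide by also flagging octets above 255.

```python
import re

# Constructed payloads, transcribed from the packet dumps on slides 39, 45 and 49.
IMAP_LSUB = b'1 LSUB "" {1064}\r\n'
FTP_PORT = b"port 172,16,0,32,12,72\n"
HTTP_REQ = b"GET / HTTP/0.2\n\n"

# Slide 42: the regex captures the literal length; "$1 > 1000" is the math.
IMAP_RE = re.compile(rb'\w\sLSUB\s""\s\{(\d+)\}')
# Slide 47: capture the four octets of the PORT argument to compare with the source IP.
FTP_RE = re.compile(rb"port\s(\d+),(\d+),(\d+),(\d+)", re.IGNORECASE)
# Slide 52: capture whatever follows "HTTP/" up to the newline, then compare with known versions.
HTTP_RE = re.compile(rb"\sHTTP/([^\n]+)\n")
KNOWN_HTTP_VERSIONS = {b"1.1", b"1.0", b"0.9"}

def imap_lsub_overflow(payload):
    """Slide 43, perl form: a literal length over 1000 means an oversized LSUB argument."""
    m = IMAP_RE.search(payload)
    return m is not None and int(m.group(1)) > 1000

def ftp_port_bounce(payload, srcip):
    """Slide 48: a PORT command naming an address other than the client's own is a bounce.
    srcip is the client address as a dotted string, which is what the slide's perl compares."""
    m = FTP_RE.search(payload)
    if m is None:
        return False
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):          # not a valid address at all (added check)
        return True
    return ".".join(map(str, octets)) != srcip

def http_unknown_version(payload):
    """Slide 53, perl form: any version string other than 1.1, 1.0 or 0.9."""
    m = HTTP_RE.search(payload)
    if m is None:
        return False
    return m.group(1).rstrip(b"\r") not in KNOWN_HTTP_VERSIONS   # tolerate CRLF requests
```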

Slide 54: Even more advanced foo
- So, you want one or two specific rules to email you when they fire.
- Add this to snort.pl:
    sub insane {
        my ($srcip, $content) = @_;
        use Net::SMTP;
        my $server = "mail.server.com"; my $email = "perlfoo\@snort.org";
        my $smtp = Net::SMTP->new($server) || die "Can't connect to mail server";
        # the original used $from and $to here, which were never set; send from and to $email
        $smtp->mail($email); $smtp->to($email); $smtp->data();
        $smtp->datasend("To: $email\nFrom: $email\n");
        $smtp->datasend("Subject: perl alert - srcip: $srcip\n\n$content\n");
        $smtp->dataend(); $smtp->quit();
    }
- Then use it in your rule:
    insane($srcip, $content)

Slide 55: What's wrong with sp_perl
- Slow. Eval kills us
- Embedding perl. Yes, that's nuts
- No method to make sure our users didn't write dumb code

Slide 56: Another solution, pcre
- Perl style compatible regular expressions
- 70% of the perl win without perl
- Decently fast
- Only took about an hour to hook in

Slide 57: PCRE? How does that work?
- Call pcre_compile with the re and compile time flags
- Call pcre_study to optimize the re
- For each packet, call pcre_exec with our re, study data, run time flags, and our payload
- Check the return code of pcre_exec

Slide 58: PCRE compile time flags
- Anchored
  - Just like using ^
- Nocase
  - case insensitive
- eos_matches_on_eos_only
  - Make $ look for the end of the string, not each EOL
- dot_includes_newline
  - Without it . won't match on \n (very useful in combination with multiline)
- Multiline
  - Treat the packet as one big line of characters so ^ and $ match on the beginning of the packet and end of the packet
- not_greedy
  - Don't try and match as many times as possible, just give us the minimum (not compatible with perl)
- Utf8
  - Treat both the pattern and packet as strings of utf8 characters

Slide 59: PCRE run time flags
- not_beginning_of_line
  - The first character of the payload isn't the beginning of a line (changes how ^ works)
- not_eol
  - The end of the string isn't by default an end of a line (changes how $ works)
- not_empty
  - An empty string can be a valid match (if it passes all the re)
- relative
  - Match relative to the end of the last content match (like using distance:0)
- dump_config
  - Dump out the configuration for each pcre after it is built

Slide 60: PCRE vs IMAP LSUB Buffer Overflow
- 1 LSUB "" {1064}\r\nSHELLCODEHERE
- alert tcp any any -> any 143 (flow:to_server,established; pcre:"\w\sLSUB\s\"\"\s\{\d{4,}\}", nocase;)

Slide 61: Future Work with sp_perl
- Figure out how to pass the entire packet struct in and out of perl
- Add in relative matching
- Create anonymous subroutines for each perl call, which gets us out of having to eval
- Instead of raw perl, use swig
- Buy flak jackets to save us from the rest of the Snort developers

Slide 62: Ok, that's it. Thanks
- (Or give me a second, and we can look at the source)

Slide 63: sp_perl
- www.snort.org/dl/contrib/snort_perl

Slides 64-65: sp_perl source, perl_regex()
    int perl_regex(int type, char *operation, Packet *p)
    {
        int n;
        dSP;                                    /* initialize stack pointer */
        ENTER;                                  /* everything created after here */
        SAVETMPS;                               /* ...is a temporary variable. */
        PUSHMARK(sp);                           /* remember the stack pointer */
        XPUSHs(sv_2mortal(newSVpvn(p->data, p->dsize)));    /* push payload onto stack */
        XPUSHs(sv_2mortal(newSVpv(operation, 0)));          /* push operation onto stack */
        XPUSHs(sv_2mortal(newSVuv(p->iph->ip_src.s_addr))); /* push srcip onto stack */
        XPUSHs(sv_2mortal(newSVuv(p->iph->ip_dst.s_addr))); /* push dstip onto stack */
        XPUSHs(sv_2mortal(newSViv(p->sp)));     /* push srcport onto stack */
        XPUSHs(sv_2mortal(newSViv(p->dp)));     /* push dstport onto stack */
        PUTBACK;                                /* make local stack pointer global */

        /* call the specified function */
        if (type == SNORT_PERL_EXEC)
            perl_call_pv("run_code", G_ARRAY);
        else
            perl_call_pv("regex", G_ARRAY);

        SPAGAIN;                                /* refresh our local copy of the global stack pointer */
        n = POPi;                               /* fetch the return code from perl */
        PUTBACK;
        FREETMPS;                               /* free that return value */
        LEAVE;                                  /* ...and the XPUSHed "mortal" args. */
        return n;                               /* return our return code from perl */
    }

Slide 66: sp_pcre
- www.snort.org/dl/contrib/snort_pcre

Slides 67-71: sp_pcre source, SnortPcre()
    int SnortPcre(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list)
    {
        PcreData *pcre_data;   /* pointer to the eval string for each test */
        int rc;
        int ovector[SNORT_PCRE_OVECTOR_SIZE];
        char *base_ptr, *end_ptr, *start_ptr;
        int dsize;
        int depth;

        /* get my data */
        pcre_data = (PcreData *) fp_list->context;

        if (p->packet_flags & PKT_ALT_DECODE)
        {
            dsize = p->alt_dsize;
            start_ptr = (char *) DecodeBuffer;
        }
        else
        {
            dsize = p->dsize;
            start_ptr = (char *) p->data;
        }

        base_ptr = start_ptr;
        end_ptr = start_ptr + dsize;

        if (doe_ptr)
        {
            if (!inBounds(start_ptr, end_ptr, doe_ptr))
            {
                doe_ptr = NULL;
                return 0;
            }
        }

        if (pcre_data->relative && doe_ptr)
            base_ptr = doe_ptr;
        else
            base_ptr = start_ptr;

        depth = end_ptr - base_ptr;

        /* you should only see this on empty packets */
        if (depth < 1)
        {
            return 0;
        }

        if (!inBounds(start_ptr, end_ptr, base_ptr))
        {
            doe_ptr = NULL;
            return 0;
        }

        rc = pcre_exec(pcre_data->re,            /* result of pcre_compile() */
                       pcre_data->pe,            /* result of pcre_study() */
                       base_ptr,                 /* the subject string */
                       depth,                    /* the length of the subject string */
                       0,                        /* start at offset 0 in the subject */
                       pcre_data->match_flags,   /* execute option flags */
                       ovector,                  /* vector for substring information */
                       SNORT_PCRE_OVECTOR_SIZE); /* number of elements in the vector */

        if (rc < 0)    /* pcre failed, so return 0 */
        {
            return 0;
        }
        else
        {
            /*
             * The second int in our ovector is the offset for the end of the
             * match, counted from base_ptr.  So we move the doe_ptr that many forwards.
             */
            doe_ptr = base_ptr + ovector[1];
        }

        /*
         * even though we don't really care about the doe_ptr, we
         * check the doe_ptr anyways just in case other people suck
         * and don't bother to do this either.
         */
        if (!inBounds(start_ptr, end_ptr, doe_ptr))
        {
            DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                    "pcre bounds check failed.\n"););
            doe_ptr = NULL;
        }

        DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH,
                                "pcre doe_ptr set to %p (%d)\n", doe_ptr, doe_ptr););
        return fp_list->next->OptTestFunc(p, otn, fp_list->next);
    }