自学教程：C++ DEBUG_WRAP函数代码示例

static int SIP_MethodAddFastPatterns(void *data, int protocol,		int direction, FPContentInfo **info){	char *sip = "SIP";	FPContentInfo *method_fp;	SipMethodRuleOptData *sdata = (SipMethodRuleOptData *)data;	DEBUG_WRAP(DebugMessage(DEBUG_SIP,				"Evaluating /"%s/" fast pattern rule option./n", SIP_ROPT__METHOD));	if ((sdata == NULL) || (info == NULL))		return -1;	if ((protocol != IPPROTO_TCP) && (protocol != IPPROTO_UDP))		return -1;	DEBUG_WRAP(DebugMessage(DEBUG_SIP,					"adding info to /"%s/" fast pattern rule option./n", SIP_ROPT__METHOD));	method_fp = (FPContentInfo *)calloc(1,sizeof(FPContentInfo));    if (NULL == method_fp)    	return -1;	method_fp->content = (char *)malloc(strlen(sip));	if (NULL == method_fp->content)    {        free(method_fp);		return -1;    }	memcpy(method_fp->content, sip, strlen(sip));	method_fp->length =  strlen(sip);    *info = method_fp;	return 0;}

/* Add/update a file entry specified by file_id in the file cache*/void *file_cache_update_entry (FileCache *fileCache, void* p, uint64_t file_id,        uint8_t *file_name, uint32_t file_name_size, uint64_t file_size){    FileEntry *fileEntry;    fileEntry = file_cache_get(fileCache, p, file_id, true);    if (!fileEntry)        return NULL;    if (file_name)    {        DEBUG_WRAP(DebugMessage(DEBUG_FILE,                "Add file: %s (%p)with file id %d /n", file_name, file_name, file_id));        if (fileEntry->file_name && fileEntry->file_name != file_name)        {            DEBUG_WRAP(DebugMessage(DEBUG_FILE,                    "File name: %s released (%p)/n", fileEntry->file_name , fileEntry->file_name ));            free(fileEntry->file_name);        }        fileEntry->file_name = file_name;        fileEntry->file_name_size = file_name_size;    }    if (file_size)    {        fileEntry->file_size = file_size;    }    return fileEntry;}

/* Rule option evaluation */static int SIP_BodyEval(void *pkt, const uint8_t **cursor, void *data){	SFSnortPacket *p = (SFSnortPacket *)pkt;	SIPData *sd;	SIP_Roptions *ropts;	DEBUG_WRAP(DebugMessage(DEBUG_SIP,			"Evaluating /"%s/" rule option./n", SIP_ROPT__BODY));	if (!SIP_RoptDoEval(p))		return RULE_NOMATCH;	sd = (SIPData *)_dpd.sessionAPI->get_application_data(p->stream_session, PP_SIP);	if (sd == NULL)	{		DEBUG_WRAP(DebugMessage(DEBUG_SIP,				"No session data - not evaluating./n"));		return RULE_NOMATCH;	}	ropts = &sd->ropts;	if (ropts->body_data != NULL)	{		DEBUG_WRAP(DebugMessage(DEBUG_SIP,				"Setting cursor to body data: %p./n", ropts->body_data));		*cursor = ropts->body_data;		//Limit the length	    _dpd.SetAltDetect((uint8_t *)ropts->body_data, ropts->body_len);		return RULE_MATCH;	}	return RULE_NOMATCH;}

/* Rule option evaluation */static int SIP_MethodEval(void *pkt, const uint8_t **cursor, void *data){	SFSnortPacket *p = (SFSnortPacket *)pkt;	SIPData *sd;	SIP_Roptions *ropts;	SipMethodRuleOptData *sdata = (SipMethodRuleOptData *)data;    uint32_t methodFlag;	DEBUG_WRAP(DebugMessage(DEBUG_SIP,			"Evaluating /"%s/" rule option./n", SIP_ROPT__METHOD));	if (!SIP_RoptDoEval(p))		return RULE_NOMATCH;	sd = (SIPData *)_dpd.sessionAPI->get_application_data(p->stream_session, PP_SIP);	if (sd == NULL)	{		DEBUG_WRAP(DebugMessage(DEBUG_SIP,				"No session data - not evaluating./n"));		return RULE_NOMATCH;	}	ropts = &sd->ropts;	DEBUG_WRAP(DebugMessage(DEBUG_SIP,			"Rule Flags: %x Data Flags: %x, Mask: %x /n", sdata->flags, ropts->methodFlag, sdata->mask ));    // Not response	methodFlag = 1 << (ropts->methodFlag - 1);	if (IsRequest(ropts) && ((sdata->flags & methodFlag) ^ sdata->mask))	{		return RULE_MATCH;	}	return RULE_NOMATCH;}

/* Rule option evaluation */static int GTP_TypeEval(void *pkt, const uint8_t **cursor, void *data){    SFSnortPacket *p = (SFSnortPacket *)pkt;    GTPData *sd;    GTP_Roptions *ropts;    GTP_TypeRuleOptData *sdata = (GTP_TypeRuleOptData *)data;    DEBUG_WRAP(DebugMessage(DEBUG_GTP,            "Evaluating /"%s/" rule option./n", GTP_ROPT__TYPE));    if (!GTP_RoptDoEval(p))        return RULE_NOMATCH;    sd = (GTPData *)_dpd.sessionAPI->get_application_data(p->stream_session, PP_GTP);    if (sd == NULL)    {        DEBUG_WRAP(DebugMessage(DEBUG_GTP,                "No session data - not evaluating./n"));        return RULE_NOMATCH;    }    ropts = &sd->ropts;    DEBUG_WRAP(DebugMessage(DEBUG_GTP,            "GTP type in packet: %d /n", ropts->gtp_type));    /*Match the GTP type*/    if ((1 << ropts->gtp_version) & sdata->types[ropts->gtp_type])        return RULE_MATCH;    DEBUG_WRAP(DebugMessage(DEBUG_GTP,            "Rule No Match/n"));    return RULE_NOMATCH;}

/********************************************************************* * Function: DCE2_PafAbort() * * Purpose: Queries the dcerpc2 session data to see if paf abort *          flag is set. * * Arguments: *  void *   - stream session pointer *  uint32_t - flags passed in to callback. *             Should have PKT_FROM_CLIENT or PKT_FROM_SERVER set. * * Returns: *  bool - true if we should abort PAF, false if not. * *********************************************************************/static inline bool DCE2_PafAbort(void *ssn, uint32_t flags){    DCE2_SsnData *sd;    if (_dpd.sessionAPI->get_session_flags(ssn) & SSNFLAG_MIDSTREAM)    {        DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF,                    "Aborting PAF because of midstream pickup./n"));        return true;    }    else if (!(_dpd.sessionAPI->get_session_flags(ssn) & SSNFLAG_ESTABLISHED))    {        DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF,                    "Aborting PAF because of unestablished session./n"));        return true;    }    sd = (DCE2_SsnData *)_dpd.sessionAPI->get_application_data(ssn, PP_DCE2);    if ((sd != NULL) && DCE2_SsnNoInspect(sd))    {        DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Aborting PAF because of session data check./n"));        return true;    }    return false;}

/* Display the configuration for the GTP preprocessor. * * PARAMETERS: * * GTPConfig *config: GTP preprocessor configuration. * * RETURNS: Nothing. */static void DisplayGTPConfig(GTPConfig *config){    int index;    int newline;    if (config == NULL)        return;    _dpd.logMsg("GTP config: /n");    /* Traverse list, printing ports, 5 per line */    newline = 1;    _dpd.logMsg("    Ports:/n");    for(index = 0; index < MAXPORTS; index++)    {        if( config->ports[ PORT_INDEX(index) ] & CONV_PORT(index) )        {            _dpd.logMsg("/t%d", index);            if ( !((newline++)% 5) )                _dpd.logMsg("/n");        }    }    _dpd.logMsg("/n");    DEBUG_WRAP(DisplayMsgTypes(config));    DEBUG_WRAP(DisplayInfoElements(config));}

/* Rule option evaluation */static int GTP_IEEval(void *pkt, const uint8_t **cursor, void *data){    SFSnortPacket *p = (SFSnortPacket *)pkt;    GTPData *sd;    GTP_Roptions *ropts;    GTP_InfoRuleOptData *ie;    uint8_t ieType;    GTP_IEData *ieData;    DEBUG_WRAP(DebugMessage(DEBUG_GTP,            "Evaluating /"%s/" rule option./n", GTP_ROPT__IE));    if (!GTP_RoptDoEval(p))        return RULE_NOMATCH;    sd = (GTPData *)_dpd.sessionAPI->get_application_data(p->stream_session, PP_GTP);    if (sd == NULL)    {        DEBUG_WRAP(DebugMessage(DEBUG_GTP,                "No session data - not evaluating./n"));        return RULE_NOMATCH;    }    ropts = &sd->ropts;    if (NULL == ropts->gtp_infoElements)        return RULE_NOMATCH;    /*Match the status code*/    ie = (GTP_InfoRuleOptData *)data;    ieType = ie->types[ropts->gtp_version];    if (!ieType)    {        return RULE_NOMATCH;    }    ieData = &ropts->gtp_infoElements[ieType];    /*if the data is up to date*/    if (ieData->msg_id == ropts->msg_id)    {        *cursor = ieData->shift + (uint8_t *)ropts->gtp_header;        DEBUG_WRAP(DebugMessage(DEBUG_GTP,                "Setting cursor to IE data: %p./n", *cursor));        /*Limit the length*/        _dpd.SetAltDetect((uint8_t *)*cursor, ieData->length);        return RULE_MATCH;    }    DEBUG_WRAP(DebugMessage(DEBUG_GTP,            "Rule No Match/n"));    return RULE_NOMATCH;}

/* detection functions */int rule13897eval(void *p) {   const u_int8_t *cursor_normal = 0;   SFSnortPacket *sp = (SFSnortPacket *) p;   const u_int8_t *beg_of_payload, *end_of_payload;   u_int32_t atom_size;   u_int16_t region_size;         if(sp == NULL)      return RULE_NOMATCH;   if(sp->payload == NULL)      return RULE_NOMATCH;       // flow:established, to_client;   if(checkFlow(p, rule13897options[0]->option_u.flowFlags) > 0 ) {      // flowbits:isset "file.quicktime";      if(processFlowbits(p, rule13897options[1]->option_u.flowBit) > 0) {        // content:"crgn";        if(contentMatch(p, rule13897options[2]->option_u.content, &cursor_normal) > 0) {           if(getBuffer(sp, CONTENT_BUF_NORMALIZED, &beg_of_payload, &end_of_payload) <= 0)              return RULE_NOMATCH;                           if(cursor_normal + 2 >= end_of_payload)              return RULE_NOMATCH;              region_size = (*cursor_normal++) << 8;           region_size |= *cursor_normal++;              DEBUG_WRAP(printf("REGION SIZE: %d/n", region_size));                 cursor_normal = cursor_normal - 10;           if(cursor_normal < beg_of_payload)              return RULE_NOMATCH;                 atom_size = (*cursor_normal++) << 24;              atom_size |= (*cursor_normal++) << 16;           atom_size |= (*cursor_normal++) << 8;           atom_size |= *cursor_normal++;              DEBUG_WRAP(printf("ATOM SIZE: %d/n", atom_size));             // Changed from region_size > (atom_size - 8) to avoid           // integer underflow from (atom_size - 8)           if(((u_int32_t)region_size + 8) > atom_size)               return RULE_MATCH;         }      }   }   return RULE_NOMATCH;}

/********************************************************************* * Function: * * Purpose: * * Arguments: * * Returns: * *********************************************************************/void DCE2_Detect(DCE2_SsnData *sd){    SFSnortPacket *top_pkt = (SFSnortPacket *)DCE2_CStackTop(dce2_pkt_stack);    PROFILE_VARS;    if (top_pkt == NULL)    {        DCE2_Log(DCE2_LOG_TYPE__ERROR,                 "%s(%d) No packet on top of stack.",                 __FILE__, __LINE__);        return;    }    DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Detecting ------------------------------------------------/n"));    DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, " Rule options:/n"));    DCE2_DEBUG_CODE(DCE2_DEBUG__ROPTIONS, DCE2_PrintRoptions(&sd->ropts););

/*gtp type can be numbers*/static bool GTP_AddTypeByNumer(GTP_TypeRuleOptData *sdata, char *tok){    char *endStr = NULL;    unsigned long gtpType;    gtpType = _dpd.SnortStrtoul(tok, &endStr, 10);    if ( *endStr)    {        DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. "                "Please specify an integer between %d and %d, OR a correct name./n",                *(_dpd.config_file), *(_dpd.config_line),                GTP_ROPT__TYPE, MIN_GTP_TYPE_CODE, MAX_GTP_TYPE_CODE);    }    if ((gtpType > MAX_GTP_TYPE_CODE) || (errno == ERANGE))    {        DynamicPreprocessorFatalMessage(" %s(%d) => Value specified for %s is out of "                "bounds.  Please specify an integer between %d and %d, OR a correct name./n",                *(_dpd.config_file), *(_dpd.config_line),                GTP_ROPT__TYPE, MIN_GTP_TYPE_CODE, MAX_GTP_TYPE_CODE);    }    DEBUG_WRAP(DebugMessage(DEBUG_GTP,            "Rule GTP type: %d./n",gtpType));    sdata->types[gtpType] = GTP_VERSION_ALL_FLAG;    return true;}

static inline void file_entry_free(FileEntry *file_entry){    if (!file_entry)        return;    if (file_entry->file_name)    {        DEBUG_WRAP(DebugMessage(DEBUG_FILE,                "File name: %s released (%p)/n", file_entry->file_name, file_entry->file_name));        free(file_entry->file_name);        file_entry->file_name = NULL;        file_entry->file_name_size = 0;    }    if (file_entry->context)    {        file_context_free(file_entry->context);        file_entry->context = NULL;    }    file_entry->file_size = 0;    file_segments_free(file_entry);}

/********************************************************************** *  Retrieves the GTP data block registered with the stream * session associated w/ the current packet. If none exists, * allocates it and registers it with the stream API. * * Arguments: * * packetp:	Pointer to the packet from which/in which to * 		retrieve/store the GTP data block. * * RETURNS:	Pointer to an GTP data block, upon success. *		NULL, upon failure. **********************************************************************/GTPData * GTPGetNewSession(SFSnortPacket *packetp, tSfPolicyId policy_id){    GTPData* datap = NULL;    /* Sanity check(s) */    assert( packetp );    if ( !packetp->stream_session_ptr )    {        return NULL;    }    datap = (GTPData *)calloc(1, sizeof(GTPData));    if ( !datap )        return NULL;    /*Register the new GTP data block in the stream session. */    _dpd.streamAPI->set_application_data(            packetp->stream_session_ptr,            PP_GTP, datap, FreeGTPData );    datap->policy_id = policy_id;    datap->config = gtp_config;    ((GTPConfig *)sfPolicyUserDataGetCurrent(gtp_config))->ref_count++;    gtp_stats.sessions++;    DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Number of sessions created: %u/n", gtp_stats.sessions));    return datap;}

/********************************************************************* * Main entry point for SIP processing. * * Arguments: *  SFSnortPacket * - pointer to packet structure * * Returns: *  int - 	SIP_SUCCESS *		    SIP_FAILURE * *********************************************************************/static inline int SIP_Process(SFSnortPacket *p, SIPData* sessp){    int status;    char* sip_buff = (char*) p->payload;    char* end;    SIP_Roptions *pRopts;    SIPMsg sipMsg;    memset(&sipMsg, 0, SIPMSG_ZERO_LEN);    /*Input parameters*/    sipMsg.isTcp = IsTCP(p);    end =  sip_buff + p->payload_size;    status = sip_parse(&sipMsg, sip_buff, end);    if (SIP_SUCCESS == status)    {        SIP_overloadURI(p, &sipMsg);        /*Update the dialog state*/        SIP_updateDialog(&sipMsg, &(sessp->dialogs), p);    }    /*Update the session data*/    pRopts = &(sessp->ropts);    pRopts->methodFlag = sipMsg.methodFlag;    pRopts->header_data = sipMsg.header;    pRopts->header_len = sipMsg.headerLen;    pRopts->body_len = sipMsg.bodyLen;    pRopts->body_data = sipMsg.body_data;    pRopts->status_code = sipMsg.status_code;    DEBUG_WRAP(DebugMessage(DEBUG_SIP, "SIP message header length: %d/n",            sipMsg.headerLen));    DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Parsed method: %.*s, Flag: 0x%x/n",            sipMsg.methodLen, sipMsg.method, sipMsg.methodFlag));    DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Parsed status code:  %d/n",            sipMsg.status_code));    DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Parsed header address: %p./n",            sipMsg.header));    DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Parsed body address: %p./n",            sipMsg.body_data));    sip_freeMsg(&sipMsg);    return status;}

/******************************************************************** * Function: sip_process_headField() * * Process the header fields (lines). This also deals with folding. * * Arguments: *  SIPMsg *    - sip message *  char* start - start of the header line *  char* end   - end of the header line *  int*        - index of last field processed. Used for folding processing *                This value will be updated after current field been processed * Returns: *  SIP_PARSE_ERROR *  SIP_PARSE_SUCCESS ********************************************************************/static int sip_process_headField(SIPMsg *msg, const char *start, const char *end, int *lastFieldIndex){	int findex =0;	int length = end -start;	char *colonIndex;    char *newStart, *newEnd, newLength;	DEBUG_WRAP(DebugMessage(DEBUG_SIP, "process line: %.*s/n", length, start));	// If this is folding	if((' ' == start[0]) || ('/t' == start[0]))	{		if(SIP_PARSE_NOFOLDING != *lastFieldIndex)		{			SIP_TrimSP(start, end, &newStart, &newEnd);			return(headerFields[*lastFieldIndex].setfield(msg, newStart, newEnd));		}	}	// Otherwise, continue normal processing	colonIndex = memchr(start, ':', length);	if (!colonIndex || (colonIndex < start + 1))		return SIP_PARSE_ERROR;	if (!SIP_TrimSP(start, colonIndex, &newStart, &newEnd))		return SIP_PARSE_ERROR;	newLength =  newEnd - newStart;	/*Find out whether the field name needs to process*/	while (NULL != headerFields[findex].fname)	{		//Use the full name to check		if ((headerFields[findex].fnameLen == newLength)&&				(0 == strncasecmp(headerFields[findex].fname, newStart, newLength)))		{			break;		}		//Use short name to check		else if ((NULL != headerFields[findex].shortName) &&				( 1 == newLength)&&				(0 == strncasecmp(headerFields[findex].shortName, newStart, newLength)))		{			break;		}		findex++;	}	if (NULL != headerFields[findex].fname)	{		// Found the field name, evaluate the value		SIP_TrimSP(colonIndex + 1, end, &newStart, &newEnd);		*lastFieldIndex = findex;		return (headerFields[findex].setfield(msg, newStart, newEnd));	}	*lastFieldIndex = SIP_PARSE_NOFOLDING;	return SIP_PARSE_SUCCESS;}

/* Parsing for the rule option */static int SIP_StatCodeInit(struct _SnortConfig *sc, char *name, char *params, void **data){	char *end = NULL;	char *tok;	int i_tok = 0;	SipStatCodeRuleOptData *sdata;	if (strcasecmp(name, SIP_ROPT__STATUS_CODE) != 0)		return 0;	/* Must have arguments */	if (SIP_IsEmptyStr(params))	{	    DynamicPreprocessorFatalMessage("%s(%d) => missing argument to sip_stat_code keyword/n",	            *(_dpd.config_file), *(_dpd.config_line));	}	tok = strtok_r(params, ",", &end);	if(!tok)		DynamicPreprocessorFatalMessage("%s(%d) => missing argument to sip_stat_code keyword/n",				*(_dpd.config_file), *(_dpd.config_line));	sdata = (SipStatCodeRuleOptData *)calloc(1, sizeof(*sdata));	if (sdata == NULL)	{		DynamicPreprocessorFatalMessage("Could not allocate memory for the "				"sip preprocessor rule option./n");	}	while ((NULL != tok) && (i_tok < SIP_NUM_STAT_CODE_MAX))	{		unsigned long statCode =  _dpd.SnortStrtoul(tok, NULL, 10);		DEBUG_WRAP(DebugMessage(DEBUG_SIP,					"Rule Status code: %d./n",sdata->stat_codes[i_tok]));		if ((statCode > MAX_STAT_CODE) ||				((statCode > NUM_OF_RESPONSE_TYPES - 1) && (statCode < MIN_STAT_CODE)))		{			DynamicPreprocessorFatalMessage("%s(%d) => Status code %u specified is not a 3 digit number or 1 - %d/n ",					*(_dpd.config_file), *(_dpd.config_line), statCode, NUM_OF_RESPONSE_TYPES-1);		}		sdata->stat_codes[i_tok] = (uint16_t)statCode;		tok = strtok_r(NULL, ", ", &end);		i_tok++;	}	if (NULL != tok)		DynamicPreprocessorFatalMessage("%s(%d) => More than %d argument to sip_stat_code keyword/n",				*(_dpd.config_file), *(_dpd.config_line), SIP_NUM_STAT_CODE_MAX);	*data = (void *)sdata;	return 1;}

/****************************************************************** * Function: DCE2_Alert() * * Potentially generates an alert if an event is triggered. * * Arguments: *  DCE2_SsnData * *      This is the current session data structure being used *      when the event was triggered.  It is not a necessary *      argument if no session data is currently available, for *      example if the event is a memcap event - pass in NULL in *      this case. *  DCE2_Event *      The event type that was triggered. *  ... *      The arguments to the format for the event. * * Returns: None * ******************************************************************/void DCE2_Alert(DCE2_SsnData *sd, DCE2_Event e, ...){    va_list ap;#ifdef DEBUG_MSGS    // When debugging want to see all of the alerts generated    va_start(ap, e);    vsnprintf(dce2_event_bufs[e], sizeof(dce2_event_bufs[e]) - 1, dce2_events[e].format, ap);    va_end(ap);    dce2_event_bufs[e][sizeof(dce2_event_bufs[e]) - 1] = '/0';    DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "DCE2 Alert => %s/n", dce2_event_bufs[e]));#endif    if (sd != NULL)    {        // NOTE This check needs to change if the number of preprocessor events        // should exceed 63        /* Only log a specific alert once per session */        if (sd->alert_mask & ((uint64_t)1 << e))            return;        /* set bit for this alert so we don't alert on again         * in this session */        sd->alert_mask |= ((uint64_t)1 << e);    }    if (!DCE2_GcAlertOnEvent(dce2_events[e].eflag))        return;    dce2_stats.events++;#ifndef DEBUG_MSGS    va_start(ap, e);    vsnprintf(dce2_event_bufs[e], sizeof(dce2_event_bufs[e]) - 1, dce2_events[e].format, ap);    va_end(ap);    dce2_event_bufs[e][sizeof(dce2_event_bufs[e]) - 1] = '/0';    DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "DCE2 Alert => %s/n", dce2_event_bufs[e]));#endif    _dpd.alertAdd(GENERATOR_DCE2, e, 1, 0, 3, dce2_event_bufs[e], 0);}

/* Rule option evaluation */static int SIP_StatCodeEval(void *pkt, const uint8_t **cursor, void *data){	SFSnortPacket *p = (SFSnortPacket *)pkt;	SIPData *sd;	SIP_Roptions *ropts;	SipStatCodeRuleOptData *sdata = (SipStatCodeRuleOptData *)data;	uint16_t short_code;    int i_code;	DEBUG_WRAP(DebugMessage(DEBUG_SIP,			"Evaluating /"%s/" rule option./n", SIP_ROPT__STATUS_CODE));	if (!SIP_RoptDoEval(p))		return RULE_NOMATCH;	sd = (SIPData *)_dpd.sessionAPI->get_application_data(p->stream_session, PP_SIP);	if (sd == NULL)	{		DEBUG_WRAP(DebugMessage(DEBUG_SIP,				"No session data - not evaluating./n"));		return RULE_NOMATCH;	}	ropts = &sd->ropts;	DEBUG_WRAP(DebugMessage(DEBUG_SIP,			"Status code in packet: %d /n", ropts->status_code));   if (0 == ropts->status_code)    	return RULE_NOMATCH;    /*Match the status code*/	short_code = ropts->status_code / 100;	for(i_code = 0; i_code < SIP_NUM_STAT_CODE_MAX; i_code++)	{	   if ((sdata->stat_codes[i_code] == short_code)||			   (sdata->stat_codes[i_code] == ropts->status_code))		return RULE_MATCH;	}	DEBUG_WRAP(DebugMessage(DEBUG_SIP,				"Rule No Match/n"));	return RULE_NOMATCH;}

/********************************************************************* * Main entry point for GTP processing. * * Arguments: *  SFSnortPacket * - pointer to packet structure * * Returns: *  int - 	GTP_SUCCESS *		    GTP_FAILURE * *********************************************************************/static inline int GTP_Process(SFSnortPacket *p, GTPData* sessp){    int status;    char* gtp_buff = (char*) p->payload;    static uint32_t msgId = 0;    GTP_Roptions *pRopts;    GTPMsg gtpMsg;    pRopts = &(sessp->ropts);    memset(&gtpMsg, 0, GTPMSG_ZERO_LEN);    /* msg_id is used to associate message with information elements     * If msg_id matches, the information element in the info_elements     * belongs to the message     * Using msg_id avoids initializing info_elements for every message     * Tabled based info_elements improves information element search performance */    /* To avoid id overlap, clean table when msgId resets*/    if ( msgId == 0)        gtp_cleanInfoElements();    gtpMsg.msg_id = ++msgId;    status = gtp_parse(&gtpMsg, gtp_buff, p->payload_size);    /*Update the session data*/    pRopts->gtp_type = gtpMsg.msg_type;    pRopts->gtp_version = gtpMsg.version;    pRopts->gtp_infoElements = gtpMsg.info_elements;    pRopts->gtp_header = gtpMsg.gtp_header;    pRopts->msg_id = gtpMsg.msg_id;    DEBUG_WRAP(DebugMessage(DEBUG_GTP, "GTP message version: %d/n",            gtpMsg.version));    DEBUG_WRAP(DebugMessage(DEBUG_GTP, "GTP message type: %d/n",            gtpMsg.msg_type));    return status;}

static inline int SIP_RoptDoEval(SFSnortPacket *p){	if ((p->payload_size == 0) ||			(p->stream_session == NULL) ||			(!IsTCP(p) && !IsUDP(p)))	{		DEBUG_WRAP(DebugMessage(DEBUG_SIP, "No payload or no "				"session pointer or not TCP or UDP - not evaluating./n"));		return 0;	}	return 1;}

static int Reputation_Control(uint16_t type, void *new_config, void **old_config){    ReputationConfig *config = (ReputationConfig *) new_config;    if (NULL != config)    {        SwitchToActiveSegment(config->segment_version, &IPtables);        DEBUG_WRAP(DebugMessage(DEBUG_REPUTATION,"***Switched to segment %d/n",                config->segment_version));        *old_config = config;        return 0;    }    return -1;}

/* Rule option evaluation */static int GTP_VersionEval(void *pkt, const uint8_t **cursor, void *data){    SFSnortPacket *p = (SFSnortPacket *)pkt;    GTPData *sd;    GTP_Roptions *ropts;    uint8_t version = *((uint8_t *)data);    DEBUG_WRAP(DebugMessage(DEBUG_GTP,            "Evaluating /"%s/" rule option./n", GTP_ROPT__VERSION));    if (!GTP_RoptDoEval(p))        return RULE_NOMATCH;    sd = (GTPData *)_dpd.sessionAPI->get_application_data(p->stream_session, PP_GTP);    if (sd == NULL)    {        DEBUG_WRAP(DebugMessage(DEBUG_GTP,                "No session data - not evaluating./n"));        return RULE_NOMATCH;    }    ropts = &sd->ropts;    /*Match the status code*/    if (version == ropts->gtp_version)    {        return RULE_MATCH;    }    DEBUG_WRAP(DebugMessage(DEBUG_GTP,            "Rule No Match/n"));    return RULE_NOMATCH;}

/******************************************************************** * Function: DCE2_HttpProcessServer() * * Wrapper arount main processing point for an RPC over HTTP * session.  Checks and sets session setup state for a server. * * Arguments: *  DCE2_HttpSsnData * *      Pointer to an RPC over HTTP session data structure. * * Returns: None * ********************************************************************/void DCE2_HttpProcessServer(DCE2_HttpSsnData *hsd){    const SFSnortPacket *p = hsd->sd.wire_pkt;    DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Processing RPC over HTTP server packet./n"));    dce2_stats.http_server_pkts++;    if (hsd->state == DCE2_HTTP_STATE__NONE)    {        if (DCE2_SsnFromServer(p))            hsd->state = DCE2_HTTP_STATE__INIT_SERVER;    }    DCE2_HttpProcess(hsd);}

/******************************************************************** * Function: DCE2_HttpProcessProxy() * * Wrapper arount main processing point for an RPC over HTTP * session.  Checks and sets session setup state for a proxy. * * Arguments: *  DCE2_HttpSsnData * *      Pointer to an RPC over HTTP session data structure. * * Returns: None * ********************************************************************/void DCE2_HttpProcessProxy(DCE2_HttpSsnData *hsd){    const SFSnortPacket *p = hsd->sd.wire_pkt;    DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Processing RPC over HTTP proxy packet./n"));    dce2_stats.http_proxy_pkts++;    if (hsd->state == DCE2_HTTP_STATE__NONE)    {        if (DCE2_SsnFromClient(p))            hsd->state = DCE2_HTTP_STATE__INIT_CLIENT;    }    DCE2_HttpProcess(hsd);}

/********************************************************************** *  Retrieves the SIP data block registered with the stream * session associated w/ the current packet. If none exists, * allocates it and registers it with the stream API. * * Arguments: * * packetp:	Pointer to the packet from which/in which to * 		retrieve/store the SIP data block. * * RETURNS:	Pointer to an SIP data block, upon success. *		NULL, upon failure. **********************************************************************/SIPData * SIPGetNewSession(SFSnortPacket *packetp, tSfPolicyId policy_id){    SIPData* datap = NULL;    static int MaxSessionsAlerted = 0;    /* Sanity check(s) */    assert( packetp );    if ( !packetp->stream_session )    {        return NULL;    }    if(numSessions > ((SIPConfig *)sfPolicyUserDataGetCurrent(sip_config))->maxNumSessions)    {        if (!MaxSessionsAlerted)            ALERT(SIP_EVENT_MAX_SESSIONS,SIP_EVENT_MAX_SESSIONS_STR);        MaxSessionsAlerted = 1;        return NULL;    }    else    {        MaxSessionsAlerted = 0;    }    datap = (SIPData *)calloc(1, sizeof(SIPData));    if ( !datap )        return NULL;    /*Register the new SIP data block in the stream session. */    _dpd.sessionAPI->set_application_data(            packetp->stream_session,            PP_SIP, datap, FreeSIPData );                /* We're interested in this session. Turn on stream reassembly. */    if ( !(_dpd.streamAPI->get_reassembly_direction(packetp->stream_session) & SSN_DIR_BOTH ))    {        _dpd.streamAPI->set_reassembly(packetp->stream_session,                STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_BOTH, STREAM_FLPOLICY_SET_ABSOLUTE);    }    datap->policy_id = policy_id;    datap->config = sip_config;    ((SIPConfig *)sfPolicyUserDataGetCurrent(sip_config))->ref_count++;    numSessions++;    sip_stats.sessions++;    DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Number of sessions created: %u/n", numSessions));    return datap;}

/******************************************************************** * Function: sip_headers_parse() * * Parse the SIP header: request and response are the same * * Arguments: *  SIPMsg *    - sip message *  char* buff  - start of the header *  char* end   - end of the buffer *  char**lineEnd - output, the found end of header * Returns: *  SIP_FAILURE *  SIP_SUCCESS ********************************************************************/static int sip_headers_parse(SIPMsg *msg, const char *buff, char *end, char **headEnd){	char *next;	char *start;	int length;	int numOfLineBreaks;    int lastFieldIndex = SIP_PARSE_NOFOLDING ;	start = (char *) buff;	/*	 * The end of header is defined by two CRLFs, or CRCR, or LFLF	 */	numOfLineBreaks = sip_find_linebreak(start, end, &next);	while (numOfLineBreaks > 0)	{		/*Processing this line*/		length =  next - start - numOfLineBreaks;		DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Header line: %.*s/n", length, start));		/*Process headers*/		sip_process_headField(msg, start, start + length, &lastFieldIndex);		/*check the end of header*/		if ((1 == numOfLineBreaks) &&  ( start[0] == start[-1]))		{			/*Either CRCR or LFLF*/			*headEnd = next ;			return SIP_SUCCESS;		}		else if ( (2 == numOfLineBreaks) && ('/r' == start[0])&&('/n' == start[1]))		{			*headEnd = next;			return SIP_SUCCESS;		}		start = next;		numOfLineBreaks = sip_find_linebreak(start, end, &next);	}	return SIP_SUCCESS;}

/********************************************************************** *  Retrieves the SIP data block registered with the stream * session associated w/ the current packet. If none exists, * allocates it and registers it with the stream API. * * Arguments: * * packetp:	Pointer to the packet from which/in which to * 		retrieve/store the SIP data block. * * RETURNS:	Pointer to an SIP data block, upon success. *		NULL, upon failure. **********************************************************************/SIPData * SIPGetNewSession(SFSnortPacket *packetp, tSfPolicyId policy_id){    SIPData* datap = NULL;    static int MaxSessionsAlerted = 0;    /* Sanity check(s) */    assert( packetp );    if ( !packetp->stream_session_ptr )    {        return NULL;    }    if(numSessions > ((SIPConfig *)sfPolicyUserDataGetCurrent(sip_config))->maxNumSessions)    {        if (!MaxSessionsAlerted)            ALERT(SIP_EVENT_MAX_SESSIONS,SIP_EVENT_MAX_SESSIONS_STR);        MaxSessionsAlerted = 1;        return NULL;    }    else    {        MaxSessionsAlerted = 0;    }    datap = (SIPData *)calloc(1, sizeof(SIPData));    if ( !datap )        return NULL;    /*Register the new SIP data block in the stream session. */    _dpd.streamAPI->set_application_data(            packetp->stream_session_ptr,            PP_SIP, datap, FreeSIPData );    datap->policy_id = policy_id;    datap->config = sip_config;    ((SIPConfig *)sfPolicyUserDataGetCurrent(sip_config))->ref_count++;    numSessions++;    sip_stats.sessions++;    DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Number of sessions created: %u/n", numSessions));    return datap;}

/*gtp information element can be number*/static bool GTP_AddInfoElementByNumer(GTP_InfoRuleOptData *sdata, char *tok){    char *end = NULL;    unsigned long gtpIE;    int i;    gtpIE =  _dpd.SnortStrtoul(tok, &end, 10);    DEBUG_WRAP(DebugMessage(DEBUG_GTP,            "Rule GTP information element: %d./n",gtpIE));    if ( *end)    {        DynamicPreprocessorFatalMessage(" %s(%d) => Bad value specified for %s. "                "Please specify an integer between %d and %d, OR a correct name./n",                *(_dpd.config_file), *(_dpd.config_line),                GTP_ROPT__IE, MIN_GTP_IE_CODE, MAX_GTP_IE_CODE);    }    if ((gtpIE > MAX_GTP_IE_CODE) || (errno == ERANGE))    {        DynamicPreprocessorFatalMessage("%s(%d) => Value specified for %s is out of "                "bounds. Please specify an integer between %d and %d,"                "OR a correct name./n ",                *(_dpd.config_file), *(_dpd.config_line),                GTP_ROPT__IE, MIN_GTP_IE_CODE, MAX_GTP_IE_CODE);    }    for( i = 0; i < MAX_GTP_VERSION_CODE + 1; i++)    {        sdata->types[i] = (uint8_t)gtpIE;    }    return true;}

/* detection functions */int ruleLINUXICMPDOSeval(void *p) {#ifdef MISSING_DELETED   return RULE_NOMATCH;#else   SFSnortPacket *sp = (SFSnortPacket *) p;   // stuff we're testing   uint8_t length;   uint8_t pointer;   // cruft   int i;   if(NULL == sp)      return RULE_NOMATCH;   DEBUG_WRAP(printf("Beginning of processing/n"));   // Leave if not ipopt 0x07 and not ipopt 0x44   if((checkHdrOpt(p, ruleLINUXICMPDOSoptions[0]->option_u.hdrData) <= 0) &&      (checkHdrOpt(p, ruleLINUXICMPDOSoptions[1]->option_u.hdrData) <= 0)) {      DEBUG_WRAP(printf("not ipopt 0x07 or ipopt 0x44/n"););

/********************************************************************* * Function: DCE2_Main() * * Purpose: Main entry point for DCE/RPC processing. * * Arguments: *  void * - pointer to packet structure *  void * - pointer to context * * Returns: None * *********************************************************************/static void DCE2_Main(void *pkt, void *context){    SFSnortPacket *p = (SFSnortPacket *)pkt;    PROFILE_VARS;    DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s/n", DCE2_DEBUG__START_MSG));    sfPolicyUserPolicySet (dce2_config, _dpd.getRuntimePolicy());#ifdef DEBUG_MSGS    if (DCE2_SsnFromServer(p))    {        DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Packet from Server./n"));    }    else    {        DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Packet from Client./n"));    }#endif    /* No inspection to do */    if ((p->payload_size == 0) || (p->payload == NULL))    {        DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "No payload - not inspecting./n"));        DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s/n", DCE2_DEBUG__END_MSG));        return;    }    else if (p->stream_session_ptr == NULL)    {        DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "No session pointer - not inspecting./n"));        DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s/n", DCE2_DEBUG__END_MSG));        return;    }    else if (!IsTCP(p) && !IsUDP(p))    {        DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Not UDP or TCP - not inspecting./n"));        DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s/n", DCE2_DEBUG__END_MSG));        return;    }    if (IsTCP(p))    {        if (DCE2_SsnIsMidstream(p))        {            DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Midstream - not inspecting./n"));            DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s/n", DCE2_DEBUG__END_MSG));            return;        }        else if (!DCE2_SsnIsEstablished(p))        {            DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Not established - not inspecting./n"));            DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s/n", DCE2_DEBUG__END_MSG));            return;        }    }    PREPROC_PROFILE_START(dce2_pstat_main);    if (DCE2_Process(p) == DCE2_RET__INSPECTED)        DCE2_DisableDetect(p);    PREPROC_PROFILE_END(dce2_pstat_main);    DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s/n", DCE2_DEBUG__END_MSG));}