From 75e1e1901fe826204f4251ffe2d41047392399ca Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Tue, 27 Apr 2010 12:32:18 -0600
Subject: [PATCH] Fix issue 131. Flow-timeouts likely don't need to be a sequence, but rather mappings. We'd only need a sequence if you wanted to list something like "tcp" twice which I don't think makes sense for configuration section. Also fixup flow.c to not attempt to use the sequence, and put the timeouts into their correct place.
---
src/flow.c | 218 ++++++++++++++++++++++++++++-----------------------------
suricata.yaml | 48 ++++++------
2 files changed, 130 insertions(+), 136 deletions(-)
diff --git a/src/flow.c b/src/flow.c
index 17c8b93..5bf8718 100644
--- a/src/flow.c
+++ b/src/flow.c
@@ -824,159 +824,153 @@ void FlowInitFlowProto(void) { ConfNode *proto = NULL; uint32_t configval = 0; - TAILQ_FOREACH(proto, &flow_timeouts->head, next) { - if (strncmp("default", proto->val, 7)) { - new = ConfNodeLookupChildValue(proto->head.tqh_first, "new"); - established = ConfNodeLookupChildValue(proto->head.tqh_first, - "established"); - closed = ConfNodeLookupChildValue(proto->head.tqh_first, - "closed"); - emergency_new = ConfNodeLookupChildValue(proto->head.tqh_first, - "emergency_new"); - emergency_established = ConfNodeLookupChildValue( - proto->head.tqh_first, - "emergency_established"); - emergency_closed = ConfNodeLookupChildValue( - proto->head.tqh_first, - "emergency_closed"); - - if (new != NULL && ByteExtractStringUint32(&configval, 10, - strlen(new), new) > 0) { + /* Defaults. */ + proto = ConfNodeLookupChild(flow_timeouts, "default"); + if (proto != NULL) { + new = ConfNodeLookupChildValue(proto, "new"); + established = ConfNodeLookupChildValue(proto, "established"); + closed = ConfNodeLookupChildValue(proto, "closed"); + emergency_new = ConfNodeLookupChildValue(proto, "emergency_new"); + emergency_established = ConfNodeLookupChildValue(proto, + "emergency_established"); + emergency_closed = ConfNodeLookupChildValue(proto, + "emergency_closed"); + + if (new != NULL && ByteExtractStringUint32(&configval, 10, + strlen(new), new) > 0) { flow_proto[FLOW_PROTO_DEFAULT].new_timeout = configval; - } - if (established != NULL && ByteExtractStringUint32(&configval, + } + if (established != NULL && ByteExtractStringUint32(&configval, 10, strlen(established), established) > 0) { - flow_proto[FLOW_PROTO_DEFAULT].est_timeout = configval; - } - if (closed != NULL && ByteExtractStringUint32(&configval, 10, + flow_proto[FLOW_PROTO_DEFAULT].est_timeout = configval; + } + if (closed != NULL && ByteExtractStringUint32(&configval, 10, strlen(closed), closed) > 0) { - flow_proto[FLOW_PROTO_DEFAULT].closed_timeout = configval; - } - if (emergency_new != NULL && 
ByteExtractStringUint32(&configval, + flow_proto[FLOW_PROTO_DEFAULT].closed_timeout = configval; + } + if (emergency_new != NULL && ByteExtractStringUint32(&configval, 10, strlen(emergency_new), emergency_new) > 0) { - flow_proto[FLOW_PROTO_DEFAULT].emerg_new_timeout = configval; - } - if (emergency_established != NULL && + flow_proto[FLOW_PROTO_DEFAULT].emerg_new_timeout = configval; + } + if (emergency_established != NULL && ByteExtractStringUint32(&configval, 10, strlen(emergency_established), emergency_established) > 0) { - flow_proto[FLOW_PROTO_DEFAULT].emerg_est_timeout= configval; - } - if (emergency_closed != NULL && + flow_proto[FLOW_PROTO_DEFAULT].emerg_est_timeout= configval; + } + if (emergency_closed != NULL && ByteExtractStringUint32(&configval, 10, strlen(emergency_closed), emergency_closed) > 0) { - flow_proto[FLOW_PROTO_DEFAULT].emerg_closed_timeout = configval; - } - } else if (strncmp("tcp", proto->val, 3)) { - - new = ConfNodeLookupChildValue(proto->head.tqh_first, "new"); - - established = ConfNodeLookupChildValue(proto->head.tqh_first, - "established"); - closed = ConfNodeLookupChildValue(proto->head.tqh_first, - "closed"); - emergency_new = ConfNodeLookupChildValue(proto->head.tqh_first, - "emergency_new"); - emergency_established = ConfNodeLookupChildValue( - proto->head.tqh_first, "emergency_established"); - emergency_closed = ConfNodeLookupChildValue( - proto->head.tqh_first, "emergency_closed"); - - if (new != NULL && ByteExtractStringUint32(&configval, 10, + flow_proto[FLOW_PROTO_DEFAULT].emerg_closed_timeout = configval; + } + } + + /* TCP. 
*/ + proto = ConfNodeLookupChild(flow_timeouts, "tcp"); + if (proto != NULL) { + new = ConfNodeLookupChildValue(proto, "new"); + established = ConfNodeLookupChildValue(proto, "established"); + closed = ConfNodeLookupChildValue(proto, "closed"); + emergency_new = ConfNodeLookupChildValue(proto, "emergency_new"); + emergency_established = ConfNodeLookupChildValue(proto, + "emergency_established"); + emergency_closed = ConfNodeLookupChildValue(proto, + "emergency_closed"); + + if (new != NULL && ByteExtractStringUint32(&configval, 10, strlen(new), new) > 0) { - flow_proto[FLOW_PROTO_TCP].new_timeout = configval; - } - if (established != NULL && ByteExtractStringUint32(&configval, + flow_proto[FLOW_PROTO_TCP].new_timeout = configval; + } + if (established != NULL && ByteExtractStringUint32(&configval, 10, strlen(established), established) > 0) { - flow_proto[FLOW_PROTO_TCP].est_timeout = configval; - } - if (closed != NULL && ByteExtractStringUint32(&configval, 10, + flow_proto[FLOW_PROTO_TCP].est_timeout = configval; + } + if (closed != NULL && ByteExtractStringUint32(&configval, 10, strlen(closed), closed) > 0) { - flow_proto[FLOW_PROTO_TCP].closed_timeout = configval; - } - if (emergency_new != NULL && ByteExtractStringUint32(&configval, + flow_proto[FLOW_PROTO_TCP].closed_timeout = configval; + } + if (emergency_new != NULL && ByteExtractStringUint32(&configval, 10, strlen(emergency_new), emergency_new) > 0) { - flow_proto[FLOW_PROTO_TCP].emerg_new_timeout = configval; - } - if (emergency_established != NULL && + flow_proto[FLOW_PROTO_TCP].emerg_new_timeout = configval; + } + if (emergency_established != NULL && ByteExtractStringUint32(&configval, 10, strlen(emergency_established), emergency_established) > 0) { - flow_proto[FLOW_PROTO_TCP].emerg_est_timeout = configval; - } - if (emergency_closed != NULL && + flow_proto[FLOW_PROTO_TCP].emerg_est_timeout = configval; + } + if (emergency_closed != NULL && ByteExtractStringUint32(&configval, 10, 
strlen(emergency_closed), emergency_closed) > 0) { - flow_proto[FLOW_PROTO_TCP].emerg_closed_timeout = configval; - } - } else if (strncmp("udp", proto->val, 3)) { - - new = ConfNodeLookupChildValue(proto->head.tqh_first, "new"); - established = ConfNodeLookupChildValue(proto->head.tqh_first, - "established"); - emergency_new = ConfNodeLookupChildValue(proto->head.tqh_first, - "emergency_new"); - emergency_established = ConfNodeLookupChildValue( - proto->head.tqh_first, "emergency_established"); - if (new != NULL && ByteExtractStringUint32(&configval, 10, + flow_proto[FLOW_PROTO_TCP].emerg_closed_timeout = configval; + } + } + + /* UDP. */ + proto = ConfNodeLookupChild(flow_timeouts, "udp"); + if (proto != NULL) { + new = ConfNodeLookupChildValue(proto, "new"); + established = ConfNodeLookupChildValue(proto, "established"); + emergency_new = ConfNodeLookupChildValue(proto, "emergency_new"); + emergency_established = ConfNodeLookupChildValue(proto, + "emergency_established"); + if (new != NULL && ByteExtractStringUint32(&configval, 10, strlen(new), new) > 0) { - flow_proto[FLOW_PROTO_TCP].new_timeout = configval; - } - if (established != NULL && ByteExtractStringUint32(&configval, + flow_proto[FLOW_PROTO_UDP].new_timeout = configval; + } + if (established != NULL && ByteExtractStringUint32(&configval, 10, strlen(established), established) > 0) { - flow_proto[FLOW_PROTO_TCP].est_timeout = configval; - } - if (emergency_new != NULL && ByteExtractStringUint32(&configval, + flow_proto[FLOW_PROTO_UDP].est_timeout = configval; + } + if (emergency_new != NULL && ByteExtractStringUint32(&configval, 10, strlen(emergency_new), emergency_new) > 0) { - flow_proto[FLOW_PROTO_TCP].emerg_new_timeout = configval; - } - if (emergency_established != NULL && + flow_proto[FLOW_PROTO_UDP].emerg_new_timeout = configval; + } + if (emergency_established != NULL && ByteExtractStringUint32(&configval, 10, strlen(emergency_established), emergency_established) > 0) { - 
flow_proto[FLOW_PROTO_TCP].emerg_est_timeout = configval; - } - } else if (strncmp("icmp", proto->val, 4)) { - new = ConfNodeLookupChildValue(proto->head.tqh_first, "new"); - established = ConfNodeLookupChildValue(proto->head.tqh_first, - "established"); - emergency_new = ConfNodeLookupChildValue(proto->head.tqh_first, - "emergency_new"); - emergency_established = ConfNodeLookupChildValue( - proto->head.tqh_first, "emergency_established"); - - if (new != NULL && ByteExtractStringUint32(&configval, 10, + flow_proto[FLOW_PROTO_UDP].emerg_est_timeout = configval; + } + } + + /* ICMP. */ + proto = ConfNodeLookupChild(flow_timeouts, "icmp"); + if (proto != NULL) { + new = ConfNodeLookupChildValue(proto, "new"); + established = ConfNodeLookupChildValue(proto, "established"); + emergency_new = ConfNodeLookupChildValue(proto, "emergency_new"); + emergency_established = ConfNodeLookupChildValue(proto, + "emergency_established"); + + if (new != NULL && ByteExtractStringUint32(&configval, 10, strlen(new), new) > 0) { - flow_proto[FLOW_PROTO_TCP].new_timeout = configval; - } - if (established != NULL && ByteExtractStringUint32(&configval, + flow_proto[FLOW_PROTO_ICMP].new_timeout = configval; + } + if (established != NULL && ByteExtractStringUint32(&configval, 10, strlen(established), established) > 0) { - flow_proto[FLOW_PROTO_TCP].est_timeout = configval; - } - if (emergency_new != NULL && ByteExtractStringUint32(&configval, + flow_proto[FLOW_PROTO_ICMP].est_timeout = configval; + } + if (emergency_new != NULL && ByteExtractStringUint32(&configval, 10, strlen(emergency_new), emergency_new) > 0) { - flow_proto[FLOW_PROTO_TCP].emerg_new_timeout = configval; - } - if (emergency_established != NULL && + flow_proto[FLOW_PROTO_ICMP].emerg_new_timeout = configval; + } + if (emergency_established != NULL && ByteExtractStringUint32(&configval, 10, strlen(emergency_established), emergency_established) > 0) { - flow_proto[FLOW_PROTO_TCP].emerg_est_timeout = configval; - } - } else { - 
SCLogError(SC_ERR_UNKNOWN_PROTOCOL, "Unknown protocol for flow" - "timeouts. Please, review your config"); + flow_proto[FLOW_PROTO_ICMP].emerg_est_timeout = configval; } } } diff --git a/suricata.yaml b/suricata.yaml index 610c6c6..9843066 100644 --- a/suricata.yaml +++ b/suricata.yaml @@ -150,30 +150,30 @@ flow: flow-timeouts: - - default: - new: 30 - established: 300 - closed: 0 - emergency_new: 10 - emergency_established: 100 - emergency_closed: 0 - - tcp: - new: 60 - established: 3600 - closed: 120 - emergency_new: 10 - emergency_established: 300 - emergency_closed: 20 - - udp: - new: 30 - established: 300 - emergency_new: 10 - emergency_established: 100 - - icmp: - new: 30 - established: 300 - emergency_new: 10 - emergency_established: 100 + default: + new: 30 + established: 300 + closed: 0 + emergency_new: 10 + emergency_established: 100 + emergency_closed: 0 + tcp: + new: 60 + established: 3600 + closed: 120 + emergency_new: 10 + emergency_established: 300 + emergency_closed: 20 + udp: + new: 30 + established: 300 + emergency_new: 10 + emergency_established: 100 + icmp: + new: 30 + established: 300 + emergency_new: 10 + emergency_established: 100 # Stream engine settings. # stream: -- 1.6.6.1
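Review bot: In the src/flow.c hunk, a key that is present but does not parse, or a section name other than the four looked up, is now dropped without any message: each `if (x != NULL && ByteExtractStringUint32(...) > 0)` has no `else`, and the removed `SCLogError(SC_ERR_UNKNOWN_PROTOCOL, ...)` branch has no replacement. A configuration still written in the old sequence form would presumably make all four `ConfNodeLookupChild(flow_timeouts, ...)` calls return NULL, so the sensor would run on its built-in timeouts while the operator believes the tuned ones are active. Flow timeouts decide how long state is kept, so that mismatch affects both what the engine can still track and how it behaves under memory pressure. I would keep a pass that walks the children with `TAILQ_FOREACH(proto, &flow_timeouts->head, next)` and reports any child that is not `default`, `tcp`, `udp` or `icmp` through the existing `SCLogError(SC_ERR_UNKNOWN_PROTOCOL, ...)` call, and log a message when a value fails to convert. FlowInitFlowProto begins before this hunk, so whether `flow_timeouts` is checked for NULL before the first lookup cannot be seen here.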