diff -Naur snort_2612_original/configure.in snort_2612_patched/configure.in
--- snort_2612_original/configure.in	2006-12-01 19:09:34.000000000 +0100
+++ snort_2612_patched/configure.in	2007-01-15 08:28:34.000000000 +0100
@@ -752,6 +752,10 @@
 [  --enable-linux-smp-stats Enable statistics reporting through proc],
    CFLAGS="$CFLAGS -DLINUX_SMP",)
 
+AC_ARG_ENABLE(pa,
+[  --enable-pa              Enable PacketAlarm extensions],
+   CFLAGS="$CFLAGS -DPA_EXT",)
+
 AC_ARG_ENABLE(inline,
 [  --enable-inline          Use the libipq interface for inline snort],
                 enable_inline="$enableval", enable_inline="no")
diff -Naur snort_2612_original/src/decode.h snort_2612_patched/src/decode.h
--- snort_2612_original/src/decode.h	2006-10-13 19:40:41.000000000 +0200
+++ snort_2612_patched/src/decode.h	2007-01-15 08:28:34.000000000 +0100
@@ -560,6 +560,15 @@
 #define PKT_ALT_DECODE       0x00000800  /* this packet has been normalized by telnet
                                              (only set when we must look at an alernative buffer)
                                          */
+
+#ifdef PA_EXT
+#define PKT_TRACED		0x01000000  /* is logged in TrafficTrace */
+#define PKT_REJECTED	0x02000000  /* is rejected via PacketAlarm */
+#define PKT_DROPED		0x04000000  /* is droped via PacketAlarm */
+#define PKT_PASSED		0x08000000  /* is passed through PacketAlarm */
+#endif /* PA_EXT */
+
+
 #define PKT_STREAM_TWH       0x00001000
 #define PKT_IGNORE_PORT      0x00002000  /* this packet should be ignored, based on port */
 #define PKT_PASS_RULE        0x00004000  /* this packet has matched a pass rule */
diff -Naur snort_2612_original/src/detect.c snort_2612_patched/src/detect.c
--- snort_2612_original/src/detect.c	2006-09-06 23:04:26.000000000 +0200
+++ snort_2612_patched/src/detect.c	2007-01-15 09:46:38.000000000 +0100
@@ -50,6 +50,9 @@
 #include "event_queue.h"
 #include "stream_api.h"
 #include "inline.h"
+#ifdef PA_EXT
+#include "flow/flow.h"
+#endif /* PA_EXT */
 
 /* XXX modularization violation */
 #include "preprocessors/spp_flow.h"
@@ -66,6 +69,10 @@
 extern ListHead Pass;          /* Pass Block Header */
 extern ListHead Activation;    /* Activation Block Header */
 extern ListHead Dynamic;       /* Dynamic Block Header */
+#ifdef PA_EXT
+extern ListHead Pa1;
+extern ListHead Pa2;
+#endif /* PA_EXT */
 extern ListHead Drop;
 #ifdef GIDS
 extern ListHead SDrop;
@@ -187,6 +194,10 @@
      * See if we should go ahead and remove this flow from the
      * flow_preprocessor -- cmg
      */
+#ifdef PA_EXT
+    if(p->flow && ((FLOW *)p->flow)->bad && p->tcph)
+        InlineDrop(p);
+#endif /* PA_EXT */
     CheckFlowShutdown(p);
     
     return retval;
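Review bot: The added `InlineDrop(p)` before `CheckFlowShutdown(p)` is not guarded by `InlineMode()`, unlike the PA_EXT branch this patch adds in the hunk at -1609 of this file, which wraps the same mark-and-drop sequence in `if(InlineMode())`. If `InlineDrop` only does something useful (or is only compiled) for inline operation, a passive PA_EXT build behaves differently at the two sites; `if(InlineMode() && p->flow && ((FLOW *)p->flow)->bad && p->tcph)` would make them agree. A comment that `bad` is sticky for the life of the flow (the only reset visible in this patch is in the flow.c init hunk) would help, since one rule match now drops every later TCP packet on that flow. The enclosing function starts outside the hunk.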
@@ -1259,6 +1270,10 @@
 #endif /* GIDS */
     CreateRuleType("alert", RULE_ALERT, 1, &Alert);
     CreateRuleType("log", RULE_LOG, 1, &Log);
+#ifdef PA_EXT
+    CreateRuleType("pa1", RULE_PA1, 1, &Pa1);
+    CreateRuleType("pa2", RULE_PA2, 1, &Pa2);
+#endif /* PA_EXT */
 }
 
 void printRuleOrder()
@@ -1543,6 +1558,10 @@
     DEBUG_WRAP(DebugMessage(DEBUG_DETECT,
                "        <!!> Generating Alert and dropping! \"%s\"\n",
                otn->sigInfo.message););
+#ifdef PA_EXT
+	p->packet_flags |= PKT_DROPED;
+#endif /* PA_EXT */
+			
     
     if(stream_api && !stream_api->alert_inline_midstream_drops())
     {
@@ -1567,6 +1586,15 @@
 
     CallLogFuncs(p, otn->sigInfo.message, otn->rtn->listhead, event);
 
+#ifdef PA_EXT
+	if(p->flow)
+		((FLOW *)p->flow)->bad = 1;
+	InlineDrop(p);
+#else
+	InlineDrop(p);
+#endif /* PA_EXT */
+			
+
     return 1;
 }
 
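Review bot: The `#else` branch adds an `InlineDrop(p);` call to builds without PA_EXT as well: every line of this hunk is an addition, so a stock build now calls `InlineDrop` after `CallLogFuncs` where the original did not. If the function already drops the packet earlier (not visible here) this is a second call, and if it does not, the patch changes unpatched-configuration behaviour. Keeping the whole addition inside the guard, i.e. `#ifdef PA_EXT`, `if(p->flow) ((FLOW *)p->flow)->bad = 1;`, `InlineDrop(p);`, `#endif`, leaves non-PA builds untouched. The function body begins outside the hunk.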
@@ -1588,6 +1616,10 @@
                "        <!!>Ignoring! \"%s\"\n",
                otn->sigInfo.message););
 
+#ifdef PA_EXT
+	p->packet_flags |= PKT_REJECTED;
+#endif /* PA_EXT */
+	
     // Let's log/alert, drop the packet, and mark it for reset.
     CallAlertFuncs(p, otn->sigInfo.message, otn->rtn->listhead, event);
 
@@ -1609,9 +1641,16 @@
     DEBUG_WRAP(DebugMessage(DEBUG_DETECT,
                "   => Alert packet finished, returning!\n"););
     */
-
+#ifdef PA_EXT
+    if(InlineMode())
+	{
+        if(p->flow)
+            ((FLOW *)p->flow)->bad = 1;
+        InlineDrop(p);
+	}
+#else
     InlineReject(p);
-
+#endif /* PA_EXT */
     return 1;
 }
 #endif /* GIDS */
diff -Naur snort_2612_original/src/detection-plugins/sp_react.c snort_2612_patched/src/detection-plugins/sp_react.c
--- snort_2612_original/src/detection-plugins/sp_react.c	2007-01-15 09:39:05.000000000 +0100
+++ snort_2612_patched/src/detection-plugins/sp_react.c	2007-01-15 09:39:34.000000000 +0100
@@ -90,6 +90,7 @@
 void ReactRestart(int signal, void *data);
 #endif
 
+int nd = -1;
 #if defined(ENABLE_RESPONSE) && !defined(ENABLE_REACT)
 extern int nd; /* raw socket */
 #elif defined(ENABLE_REACT) && !defined(ENABLE_RESPONSE)
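Review bot: `int nd = -1;` is added unconditionally, directly above the branch that declares `extern int nd;`, while sp_respond.c in this same patch still defines `int nd;`. Two definitions of one external object only link where the toolchain merges common symbols, and the `nd == -1` test added to `RespondInit` depends on this initializer being the one that survives. The `#elif` branch that follows is cut off by the hunk; if it defines `nd` itself, an ENABLE_REACT-only build now has a redefinition within this file. A single initialized definition, for example `int nd = -1; /* raw socket descriptor */` in sp_respond.c with `extern int nd;` here, removes the dependency on linker behaviour.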
diff -Naur snort_2612_original/src/detection-plugins/sp_respond.c snort_2612_patched/src/detection-plugins/sp_respond.c
--- snort_2612_original/src/detection-plugins/sp_respond.c	2006-09-06 23:04:26.000000000 +0200
+++ snort_2612_patched/src/detection-plugins/sp_respond.c	2007-01-15 08:43:53.000000000 +0100
@@ -45,21 +45,37 @@
 #include "log.h"
 #include "plugin_enum.h"
 #include "snort.h"
+#ifdef PA_EXT
+#include "inline.h"
+#endif /* PA_EXT */
 
 typedef struct _RespondData
 {
     u_int response_flag;
+    #ifdef PA_EXT
+    OptTreeNode *otn;
+    #endif /* PA_EXT */
 } RespondData;
 
 void RespondInit(char *, OptTreeNode *, int ); 
 void RespondRestartFunction(int, void *);
 int ParseResponse(char *);
+#ifdef PA_EXT
+int SendICMP_UNREACH(int, u_long, u_long, Packet *, u_char*, u_char*);
+int SendTCPRST(u_long, u_long, u_short, u_short, u_long, u_long,
+  u_char*, u_char*);
+#else
 int SendICMP_UNREACH(int, u_long, u_long, Packet *);
 int SendTCPRST(u_long, u_long, u_short, u_short, u_long, u_long);
+#endif /* PA_EXT */
 int Respond(Packet *, RspFpList *);
 
-
-
+#ifdef PA_EXT
+struct libnet_link_int *interface;
+char paTermIF[30];
+u_char ether_packet[2000];
+char err_buf[LIBNET_ERRBUF_SIZE];
+#endif /* PA_EXT */
 
 int nd; /* raw socket descriptor */
 u_int8_t ttl;   /* placeholder for randomly generated TTL */
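Review bot: The four PA_EXT globals have external linkage and very generic names (`interface`, `err_buf`), and `paTermIF[30]` and `ether_packet[2000]` use unexplained sizes. Nothing in this patch references them from another file, so declaring them `static` (for example `static struct libnet_link_int *interface;`) avoids clashes with same-named symbols elsewhere in the program. Named constants for the two sizes would let the later `strncpy(..., 29)` and the frame-building code refer to them instead of repeating numbers. The `#ifdef PA_EXT` around the `otn` member is indented inside the struct, unlike every other guard in the patch.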
@@ -106,7 +122,35 @@
 void RespondInit(char *data, OptTreeNode *otn, int protocol) 
 {
     RespondData *rd;
-
+#ifdef PA_EXT
+    if(nd == -1) /* need to open it only once */
+    {
+        if(InlineMode())
+        {
+            printf("INLINE\n");
+            if((nd = libnet_open_raw_sock(IPPROTO_RAW)) < 0)
+            {
+                FatalError("cannot open raw socket for libnet, exiting...\n");
+            }
+        }
+        else
+        {
+            printf("NOT INLINE\n");
+            nd = 1;
+            /* dual interface hack */
+            if(getenv("PA_TERM_IF") != NULL)
+                strncpy(paTermIF, getenv("PA_TERM_IF"), 29);
+            else
+                strncpy(paTermIF, pv.interface, 29);
+            printf("Respond using device: %s\n", paTermIF);
+            if((interface = libnet_open_link_interface(paTermIF,
+                err_buf)) == NULL)
+            {
+                FatalError("cannot open raw socket for libnet, exiting...\n");
+            }
+        }
+    }
+#else
     if(protocol != IPPROTO_TCP && protocol != IPPROTO_UDP &&
        protocol != IPPROTO_ICMP)
     {
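Review bot: With PA_EXT defined, the protocol check that follows (`protocol != IPPROTO_TCP && ...`) ends up in the `#else` branch, so a response option on a rule for any other protocol is no longer rejected when the rule is parsed. In the passive branch `pv.interface` is handed to `strncpy` without a NULL check, the interface name is silently truncated to 29 bytes, and `nd = 1` is used as an "already initialised" marker although `nd` is declared in this file as the raw socket descriptor, so any other user of `nd` would then write to descriptor 1. The link-open failure reports "cannot open raw socket" and discards `err_buf`; `FatalError("cannot open link interface %s: %s\n", paTermIF, err_buf);` says what actually failed. The two `printf("INLINE\n")` / `printf("NOT INLINE\n")` calls look like leftover debugging. The function continues past the end of the hunk.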
@@ -120,7 +164,7 @@
             FatalError("cannot open raw socket for libnet, exiting...\n");
         }
     }
-
+#endif /* PA_EXT */
     ttl = (u_int8_t)libnet_get_prand(PR8);
 
     if(ttl < 64)
@@ -134,7 +178,10 @@
     }
     
     rd->response_flag = ParseResponse(data);
-    
+#ifdef PA_EXT
+    rd->otn = otn;
+#endif /* PA_EXT */
+ 
     AddRspFuncToList(Respond, otn, (void *)rd );
     AddFuncToRestartList(RespondRestartFunction, NULL);
 
@@ -350,16 +397,30 @@
                                    p->iph->ip_src.s_addr,
                                    p->tcph->th_dport, p->tcph->th_sport,
                                    p->tcph->th_ack, 
+#ifdef PA_EXT
+                                   htonl(ntohl(p->tcph->th_seq) + p->dsize),
+                                   p->eh->ether_dst, p->eh->ether_src);
+#else
                                    htonl(ntohl(p->tcph->th_seq) + p->dsize));
+#endif /* PA_EXT */
                     }
 
+#ifdef PA_EXT
+                    if((rd->response_flag & RESP_RST_RCV) && !InlineMode()) 
+#else
                     if(rd->response_flag & RESP_RST_RCV)
+#endif /* PA_EXT */
                     {
                         SendTCPRST(p->iph->ip_src.s_addr, 
                                    p->iph->ip_dst.s_addr,
                                    p->tcph->th_sport, p->tcph->th_dport, 
                                    p->tcph->th_seq, 
+#ifdef PA_EXT
+                                   htonl(ntohl(p->tcph->th_ack) + p->dsize),
+                                   p->eh->ether_src, p->eh->ether_dst);
+#else
                                    htonl(ntohl(p->tcph->th_ack) + p->dsize));
+#endif /* PA_EXT */
                     }
                 }
             }
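Review bot: `p->eh->ether_dst` and `p->eh->ether_src` are passed at both `SendTCPRST` call sites without checking `p->eh`, and the three `SendICMP_UNREACH` call sites in the next hunk do the same. The unixsock output plugin touched by this patch tests `if (p->eh)` before using it, which suggests the pointer can be NULL for some captures; in passive mode these addresses go straight into `libnet_build_ethernet`. An early exit on the PA_EXT path, such as `if(!InlineMode() && p->eh == NULL) return 1;`, avoids handing an invalid address to the frame builder. The enclosing function starts outside this hunk.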
@@ -378,26 +439,49 @@
         {
             if(rd->response_flag & RESP_BAD_NET)
                 SendICMP_UNREACH(ICMP_UNREACH_NET, p->iph->ip_dst.s_addr,
+#ifdef PA_EXT
+                                 p->iph->ip_src.s_addr, p,
+                                 p->eh->ether_dst, p->eh->ether_src);
+#else
                                  p->iph->ip_src.s_addr, p);
+#endif /* PA_EXT */
 
             if(rd->response_flag & RESP_BAD_HOST)
                 SendICMP_UNREACH(ICMP_UNREACH_HOST, p->iph->ip_dst.s_addr,
+#ifdef PA_EXT
+                                 p->iph->ip_src.s_addr, p,
+                                 p->eh->ether_dst, p->eh->ether_src);
+#else
                                  p->iph->ip_src.s_addr, p);
+#endif /* PA_EXT */
 
             if(rd->response_flag & RESP_BAD_PORT)
                 SendICMP_UNREACH(ICMP_UNREACH_PORT, p->iph->ip_dst.s_addr,
+#ifdef PA_EXT
+                                 p->iph->ip_src.s_addr, p,
+                                 p->eh->ether_dst, p->eh->ether_src);
+#else
                                  p->iph->ip_src.s_addr, p);
+#endif /* PA_EXT */
         }
     }
     return 1; /* always success */
 }
 
 
+#ifdef PA_EXT
+int SendICMP_UNREACH(int code, u_long saddr, u_long daddr, Packet * p,
+  u_char *ether_src, u_char *ether_dst)
+#else
 int SendICMP_UNREACH(int code, u_long saddr, u_long daddr, Packet * p)
+#endif /* PA_EXT */
 {
     int payload_len, sz;
     IPHdr *iph;
     ICMPHdr *icmph;
+#ifdef PA_EXT
+    int c;
+#endif
 
     if(p == NULL)
         return -1;
@@ -415,8 +499,14 @@
 
     iph = (IPHdr *) icmp_pkt;
     icmph = (ICMPHdr *) (icmp_pkt + IP_H);
-
+#ifdef PA_EXT
+    if(InlineMode() && (code != 3))
+    	iph->ip_src.s_addr = 0;
+    else
+    	iph->ip_src.s_addr = saddr;
+#else
     iph->ip_src.s_addr = saddr;
+#endif /* PA_EXT */
     iph->ip_dst.s_addr = daddr;
 
     icmph->code = code;
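Review bot: `code != 3` compares the ICMP code against a bare number, while the call sites in this file pass `ICMP_UNREACH_NET`, `ICMP_UNREACH_HOST` and `ICMP_UNREACH_PORT`; assuming 3 is meant as port-unreachable, `if(InlineMode() && code != ICMP_UNREACH_PORT)` states the intent. The reason for writing a zero source address in the other inline cases is not given. A comment such as `/* inline: leave ip_src 0 so the local stack fills in its own address */` (if that is the intent) would stop the next reader from treating the zero as a bug. The function body extends beyond the hunk on both sides.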
@@ -437,21 +527,58 @@
     PrintNetData(stdout, icmp_pkt, sz);
     //ClearDumpBuf();
 #endif
-    if(libnet_write_ip(nd, icmp_pkt, sz) < sz)
+
+#ifdef PA_EXT
+	if(InlineMode())
+	{
+		libnet_do_checksum(icmp_pkt, IPPROTO_ICMP, sz - IP_H);
+		if(libnet_write_ip(nd, icmp_pkt, sz) < sz)
+		{
+			libnet_error(LIBNET_ERR_CRITICAL,
+				"SendICMP_UNREACH: libnet_write_ip");
+			return -1;
+		}
+	}
+	else
+	{
+		libnet_do_checksum(icmp_pkt, IPPROTO_IP, IP_H);
+		libnet_do_checksum(icmp_pkt, IPPROTO_ICMP, sz - IP_H);
+		libnet_build_ethernet(ether_dst, ether_src, ETHERTYPE_IP, icmp_pkt,
+			sz, ether_packet);
+		c = libnet_write_link_layer(interface, paTermIF, ether_packet,
+			LIBNET_ETH_H + sz);
+		if(c < LIBNET_ETH_H + sz)
+		{
+			printf("ERROR: only wrote %d byte on %s\n", c, paTermIF);
+			return -1;
+		}
+	}
+#else
+	if(libnet_write_ip(nd, icmp_pkt, sz) < sz)
     {
         libnet_error(LIBNET_ERR_CRITICAL, "SendICMP_UNREACH: libnet_write_ip");
         return -1;
     }
+#endif /* PA_EXT */
     return 0;
 }
 
 
+#ifdef PA_EXT
+int SendTCPRST(u_long saddr, u_long daddr, u_short sport, u_short dport,
+	u_long seq, u_long ack, u_char *ether_src, u_char *ether_dst)
+#else
 int SendTCPRST(u_long saddr, u_long daddr, u_short sport, u_short dport, 
         u_long seq, u_long ack)
+#endif /* PA_EXT */
 {
     int sz = IP_H + TCP_H;
     IPHdr *iph;
     TCPHdr *tcph;
+#ifdef PA_EXT
+	int c;
+#endif /* PA_EXT */
+		
 
     iph = (IPHdr *) tcp_pkt;
     tcph = (TCPHdr *) (tcp_pkt + IP_H);
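Review bot: In the passive branch of `SendICMP_UNREACH` the results of `libnet_do_checksum` and `libnet_build_ethernet` are ignored, and the frame is built into the fixed `ether_packet[2000]` with no check that `LIBNET_ETH_H + sz` fits. `sz` is computed outside the hunk and may already be bounded, but a guard such as `if((size_t)sz + LIBNET_ETH_H > sizeof(ether_packet)) return -1;` makes the bound explicit next to the write. The short-write error goes to `printf` while the inline branch uses `libnet_error`; one reporting path for both keeps failures visible when stdout is not attached. The `#else` branch also re-indents `if(libnet_write_ip(...)` with a tab, which is noise in the unpatched configuration.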
@@ -464,6 +591,39 @@
     tcph->th_seq = seq;
     tcph->th_ack = ack;
 
+#ifdef PA_EXT
+    if(InlineMode())
+    {
+        if(libnet_write_ip(nd, tcp_pkt, sz) < sz)
+        {
+            libnet_error(LIBNET_ERR_CRITICAL, "SendTCPRST: libnet_write_ip");
+            return -1;
+        }
+    }
+    else
+    {
+        libnet_do_checksum(tcp_pkt, IPPROTO_IP, sz - IP_H);
+        libnet_do_checksum(tcp_pkt, IPPROTO_TCP, sz - IP_H);
+        
+        DEBUG_WRAP(
+               PrintNetData(stdout, tcp_pkt, sz);
+               ClearDumpBuf();
+               DebugMessage(DEBUG_PLUGIN, "firing response packet\n");
+               DebugMessage(DEBUG_PLUGIN,
+                       "0x%lX:%u -> 0x%lX:%d (seq: 0x%lX  ack: 0x%lX)\n",
+                        saddr, sport, daddr, dport, seq, ack););
+        
+        libnet_build_ethernet(ether_dst, ether_src, ETHERTYPE_IP, tcp_pkt,
+          LIBNET_IP_H + LIBNET_TCP_H, ether_packet);
+        c = libnet_write_link_layer(interface, paTermIF, ether_packet,
+           LIBNET_IP_H + LIBNET_ETH_H + LIBNET_TCP_H);
+        if(c < LIBNET_ETH_H + LIBNET_IP_H + LIBNET_TCP_H)
+        {
+            printf("ERROR: only wrote %d byte on %s\n", c, paTermIF);
+            return -1;
+        }
+    }
+#else
     libnet_do_checksum(tcp_pkt, IPPROTO_TCP, sz - IP_H);
     
     DEBUG_WRAP(
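Review bot: The inline branch calls `libnet_write_ip` without the `libnet_do_checksum(tcp_pkt, IPPROTO_TCP, sz - IP_H);` that the unpatched path (now under `#else`) runs first, so unless the checksum is computed above the hunk, inline resets leave with an unset TCP checksum and are likely to be discarded by the receiver. Adding that call at the top of the `if(InlineMode())` block restores the original behaviour. In the passive branch the IP checksum is requested with length `sz - IP_H`, where `SendICMP_UNREACH` passes `IP_H`; the two agree only while the TCP and IP header sizes are equal, so `libnet_do_checksum(tcp_pkt, IPPROTO_IP, IP_H);` is the consistent form. The same branch mixes `LIBNET_IP_H + LIBNET_TCP_H` with `sz` for one length; using `sz` throughout avoids a silent mismatch. The function starts in the previous hunk and ends in the next.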
@@ -479,6 +639,7 @@
         libnet_error(LIBNET_ERR_CRITICAL, "SendTCPRST: libnet_write_ip");
         return -1;
     }
+#endif /* PA_EXT */
 
     return 0;
 }
diff -Naur snort_2612_original/src/fpdetect.c snort_2612_patched/src/fpdetect.c
--- snort_2612_original/src/fpdetect.c	2006-08-14 19:14:20.000000000 +0200
+++ snort_2612_patched/src/fpdetect.c	2007-01-15 08:28:34.000000000 +0100
@@ -325,6 +325,10 @@
             break;
 
         case RULE_ALERT:
+#ifdef PA_EXT
+	case RULE_PA1:
+	case RULE_PA2:
+#endif /* PA_EXT */
             AlertAction(p, otn, &otn->event_data);
             break;
 
diff -Naur snort_2612_original/src/inline.c snort_2612_patched/src/inline.c
--- snort_2612_original/src/inline.c	2006-08-14 19:14:43.000000000 +0200
+++ snort_2612_patched/src/inline.c	2007-01-15 08:28:34.000000000 +0100
@@ -60,7 +60,11 @@
  *  
  *  @returns 1 if we are in inline mode, 0 otherwise
  */
+#ifdef PA_EXT
+inline int InlineMode()
+#else
 int InlineMode()
+#endif /* PA_EXT */
 {
 	if (pv.inline_flag)
 		return 1;
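Review bot: Marking the definition `inline int InlineMode()` in a .c file gives callers in other files (detect.c and sp_respond.c call it in this patch) nothing to inline, and under C99 inline semantics it can leave them without an external definition to link against, depending on how inline.h declares the function. Whether a PA_EXT build links then depends on the compiler's default language mode. Dropping the `#ifdef` and keeping plain `int InlineMode()` is safe in every mode; if call overhead matters, a `static inline` definition in inline.h is the portable way to get it.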
diff -Naur snort_2612_original/src/output-plugins/spo_alert_unixsock.c snort_2612_patched/src/output-plugins/spo_alert_unixsock.c
--- snort_2612_original/src/output-plugins/spo_alert_unixsock.c	2004-01-13 23:54:46.000000000 +0100
+++ snort_2612_patched/src/output-plugins/spo_alert_unixsock.c	2007-01-15 08:30:07.000000000 +0100
@@ -75,7 +75,7 @@
 } SpoAlertUnixSockData;
 
 
-static int alertsd;
+static int alertsd = -1;
 #ifndef WIN32
 struct sockaddr_un alertaddr;
 #else
@@ -156,8 +156,6 @@
 void ParseAlertUnixSockArgs(char *args)
 {
     DEBUG_WRAP(DebugMessage(DEBUG_LOG,"ParseAlertUnixSockArgs: %s\n", args););
-    /* eventually we may support more than one socket */
-    OpenAlertSock();
 }
 
 /****************************************************************************
@@ -202,6 +200,7 @@
     {
         if(p)
         {
+            alertpkt.packet_flags = p->packet_flags;
             if (p->eh) 
             {
                 alertpkt.dlthdr=(char *)p->eh-(char *)p->pkt;
@@ -246,10 +245,13 @@
         }
     }
 
-
+    if(alertsd == -1)
+	    OpenAlertSock();
     if(sendto(alertsd,(const void *)&alertpkt,sizeof(Alertpkt),
               0,(struct sockaddr *)&alertaddr,sizeof(alertaddr))==-1)
     {
+
+printf("sendto() failed: %s\n", strerror(errno));
         /* whatever we do to sign that some alerts could be missed */
     }
 
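Review bot: The unindented `printf("sendto() failed: %s\n", strerror(errno));` runs on every failed alert with no rate limit, so a missing or slow listener turns each alert into a line on stdout, which may be closed or redirected once the process is daemonised. Reporting through the project's own logging (`ErrorMessage` or `LogMessage`, whichever this file already uses), and only on the first failure or when `errno` changes, keeps the signal without the flood. The lazy `if(alertsd == -1) OpenAlertSock();` moves socket setup to the first alert, and the `snprintf` change in the next hunk (dropping the `chroot_dir` prefix) is only correct if that happens after the chroot; a comment next to the check should say so. None of these changes is guarded by PA_EXT, so stock builds are affected as well.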
@@ -272,7 +274,7 @@
     char srv[STD_BUF];
 
     /* srv is our filename workspace. Set it to file UNSOCK_FILE inside the log directory. */
-    snprintf(srv, STD_BUF - 1, "%s%s/%s", pv.chroot_dir == NULL ? "" : pv.chroot_dir, pv.log_dir, UNSOCK_FILE);
+    snprintf(srv, STD_BUF - 1, "%s/%s", pv.log_dir, UNSOCK_FILE);
 
     if(access(srv, W_OK))
     {
diff -Naur snort_2612_original/src/output-plugins/spo_alert_unixsock.h snort_2612_patched/src/output-plugins/spo_alert_unixsock.h
--- snort_2612_original/src/output-plugins/spo_alert_unixsock.h	2003-10-20 17:03:35.000000000 +0200
+++ snort_2612_patched/src/output-plugins/spo_alert_unixsock.h	2007-01-15 08:30:07.000000000 +0100
@@ -35,6 +35,7 @@
 typedef struct _Alertpkt
 {
     u_int8_t alertmsg[ALERTMSG_LENGTH]; /* variable.. */
+    u_int32_t packet_flags;
     struct pcap_pkthdr pkth;
     u_int32_t dlthdr;       /* datalink header offset. (ethernet, etc.. ) */
     u_int32_t nethdr;       /* network header offset. (ip etc...) */
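Review bot: `packet_flags` is inserted directly after `alertmsg`, ahead of every other member, so the offset of each later field in `Alertpkt` changes and the struct grows. The plugin sends this struct verbatim with `sendto(..., sizeof(Alertpkt), ...)`, so any reader built against the old header will misread `pkth` and the offsets that follow. Appending the field at the end of the struct, or guarding it with `#ifdef PA_EXT` like the rest of the patch, keeps existing consumers working, and a comment such as `/* copy of Packet.packet_flags at alert time */` would document it. The struct continues past the hunk.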
diff -Naur snort_2612_original/src/output-plugins/spo_unified.c snort_2612_patched/src/output-plugins/spo_unified.c
--- snort_2612_original/src/output-plugins/spo_unified.c	2006-12-01 19:07:24.000000000 +0100
+++ snort_2612_patched/src/output-plugins/spo_unified.c	2007-01-15 08:49:06.000000000 +0100
@@ -1248,7 +1248,11 @@
                     logheader.event.ref_time.tv_usec););
     }
 
+#ifdef PA_EXT	
+    if(p && (p->packet_flags & PKT_REBUILT_STREAM & 0) && stream_api)
+#else
     if(p && (p->packet_flags & PKT_REBUILT_STREAM) && stream_api)
+#endif 			
     {
         unifiedData.logheader = &logheader;
         unifiedData.data = data;
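Review bot: `p->packet_flags & PKT_REBUILT_STREAM & 0` is always zero, so under PA_EXT this branch is dead code written to look like a flag test. If the intent is to disable the rebuilt-stream path, express that directly, for example by compiling the branch only under `#ifndef PA_EXT`, with a comment giving the reason. As written, compilers may warn about the constant condition and a reader can mistake the `& 0` for a typo. The closing `#endif` also lacks the `/* PA_EXT */` marker used elsewhere in the patch.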
diff -Naur snort_2612_original/src/parser.c snort_2612_patched/src/parser.c
--- snort_2612_original/src/parser.c	2006-10-27 20:45:03.000000000 +0200
+++ snort_2612_patched/src/parser.c	2007-01-15 08:58:15.000000000 +0100
@@ -82,6 +82,10 @@
 ListHead Pass;          /* Pass Block Header */
 ListHead Activation;    /* Activation Block Header */
 ListHead Dynamic;       /* Dynamic Block Header */
+#ifdef PA_EXT
+ListHead Pa1;
+ListHead Pa2;
+#endif /* PA_EXT */
 ListHead Drop;
 ListHead SDrop;
 ListHead Reject;
@@ -306,7 +310,11 @@
     LogMessage("Got line %s (%d): %s\n", file_name, file_line, buf);
 #endif
         /* advance through any whitespace at the beginning of the line */
+#ifdef PA_EXT
+	while((*index == ' ' || *index == '\t') && !continuation)
+#else
         while(*index == ' ' || *index == '\t')
+#endif /* PA_EXT */				
             index++;
 
         if(index && 
@@ -318,8 +326,13 @@
         }
           
         /* if it's not a comment or a <CR>, send it to the parser */
-        if(index && (*index != '#') && (*index != 0x0a) && 
+#ifdef PA_EXT
+		if(continuation || ((*index != '#') && (*index != 0x0a) &&
+			(*index != ';') && (index != NULL)))
+#else
+		if(index && (*index != '#') && (*index != 0x0a) && 
            (*index != 0x0d) && (*index != ';') )
+#endif /* PA_EXT */
         {
             if(continuation == 1)
             {
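Review bot: The PA_EXT condition tests `index != NULL` last, after `*index` has already been dereferenced three times (and again in the `while` of the previous hunk), so the check cannot protect anything; it belongs first, as in the `#else` form. The `(*index != 0x0d)` test is also dropped, which sends lines starting with a carriage return to the parser, and `continuation ||` forwards comment and `;` lines that follow a continued line. If only the continuation behaviour is wanted, `if(index && (continuation || ((*index != '#') && (*index != 0x0a) && (*index != 0x0d) && (*index != ';'))))` keeps the original filters. The loop body continues outside the hunk.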
@@ -636,12 +649,17 @@
               
             /* if we are not listening to iptables, let's ignore
              * any reject rules in the configuration file */
+#ifndef PA_EXT
+			/* The following line are removed, because we use the reject
+			 * rule type in PacketAlarm for all types of rejects (inline or
+			 * passive) */
             if (!InlineMode())
             {
                 mSplitFree(&toks, num_toks);
                 free(rule);
                 return;
             }
+#endif /* PA_EXT */			
             break;
 #endif /* GIDS */
                 
@@ -657,6 +675,16 @@
             DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Alert\n"););
             break;
 
+#ifdef PA_EXT
+        case RULE_PA1:
+            DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"PA1\n"););
+            break;
+
+        case RULE_PA2:
+            DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"PA2\n"););
+            break;
+#endif /* PA_EXT */
+
         case RULE_INCLUDE:
             DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Include\n"););
             if(*toks[1] == '$')
@@ -947,10 +975,14 @@
             break;
              
         case RULE_REJECT:
+#ifdef PA_EXT
+            ProcessHeadNode(&proto_node, &Reject, protocol);
+#else
             if (InlineMode())
             {
                 ProcessHeadNode(&proto_node, &Reject, protocol);
             }
+#endif /* PA_EXT */
             break;
 #endif /* GIDS */         
          
@@ -2107,6 +2139,11 @@
                             file_line, opts[0]);
                 }
             }
+#ifdef PA_EXT
+            else if(!strcasecmp(option_name, "minprob"))
+            {
+            }
+#endif /* PA_EXT */
             else if(!strcasecmp(option_name, "classtype"))
             {
                 ONE_CHECK (one_classtype, opts[0]);
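Review bot: The empty `minprob` branch accepts the option and discards its value without validation or explanation. If the option is consumed by another PacketAlarm component, a comment such as `/* minprob is evaluated outside snort; accepted here so PacketAlarm rules load unchanged */` should say so; otherwise a malformed argument passes silently. The surrounding option chain starts and ends outside the hunk.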
@@ -2190,11 +2227,15 @@
         thdx.gen_id = otn_tmp->sigInfo.generator;
         if( (rstat=sfthreshold_create( &thdx )) )
         {
+#ifndef PA_EXT				
             if( rstat == THD_TOO_MANY_THDOBJ )
             {
                 FatalError("Rule-Threshold-Parse: could not create a threshold object -- only one per sid, sid = %u\n",thdx.sig_id);
             }
             else
+#else
+			if( rstat != THD_TOO_MANY_THDOBJ )
+#endif /* PA_EXT */
             {
                 FatalError("Unable to add Threshold object for Rule-sid =  %u\n",thdx.sig_id);
             }
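Review bot: Under PA_EXT a `THD_TOO_MANY_THDOBJ` result from `sfthreshold_create` is ignored without any message, so a rule set with two thresholds for one sid loads cleanly and one of them silently has no effect. A warning keeps the relaxed behaviour visible, for example `LogMessage("Rule-Threshold-Parse: duplicate threshold ignored, sid = %u\n", thdx.sig_id);` in an `else` branch. The interleaved `#ifndef`/`#else` that splices a different `if` onto a shared brace block is hard to follow; two complete `if` statements, one per configuration, would read better.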
diff -Naur snort_2612_original/src/preprocessors/flow/flow.c snort_2612_patched/src/preprocessors/flow/flow.c
--- snort_2612_original/src/preprocessors/flow/flow.c	2004-03-23 16:34:55.000000000 +0100
+++ snort_2612_patched/src/preprocessors/flow/flow.c	2007-01-15 08:28:34.000000000 +0100
@@ -31,6 +31,9 @@
         return FLOW_ENULL;
     }
 
+#ifdef PA_EXT
+	flow->bad = 0;
+#endif /* PA_EXT */
     flow->key.protocol = protocol;
     flow->key.init_address = init_address;
     flow->key.init_port = init_port;
diff -Naur snort_2612_original/src/preprocessors/flow/flow.h snort_2612_patched/src/preprocessors/flow/flow.h
--- snort_2612_original/src/preprocessors/flow/flow.h	2004-09-13 19:44:50.000000000 +0200
+++ snort_2612_patched/src/preprocessors/flow/flow.h	2007-01-15 08:28:34.000000000 +0100
@@ -62,6 +62,10 @@
 
 typedef struct _FLOW
 {
+#ifdef PA_EXT
+	int bad;
+#endif /* PA_EXT */
+		
     FLOWKEY key; 
     FLOWSTATS stats;
     FLOWDATA data;
diff -Naur snort_2612_original/src/rules.h snort_2612_patched/src/rules.h
--- snort_2612_original/src/rules.h	2006-08-16 22:44:40.000000000 +0200
+++ snort_2612_patched/src/rules.h	2007-01-15 09:43:05.000000000 +0100
@@ -61,7 +61,12 @@
 #define RULE_DYNAMICENGINE 18
 #define RULE_DYNAMICDETECTION 19
 #define RULE_DYNAMICPREPROCESSOR 20
+
 #endif
+#ifdef PA_EXT
+#define RULE_PA1         30
+#define RULE_PA2         31
+#endif /* PA_EXT */
 
 #define EXCEPT_SRC_IP  0x01
 #define EXCEPT_DST_IP  0x02
diff -Naur snort_2612_original/src/snort.c snort_2612_patched/src/snort.c
--- snort_2612_original/src/snort.c	2006-12-01 19:07:24.000000000 +0100
+++ snort_2612_patched/src/snort.c	2007-01-15 09:03:44.000000000 +0100
@@ -360,6 +360,21 @@
     return SnortMain(argc,argv);
 }
 
+#ifdef PA_EXT
+/*
+ * Send signal SIGUSR1 to the snortmon (=parent) process. That will tell
+ * snortmon that snort is about to enter the pcap loop.
+ */
+static void notifySnortmon()
+{
+    if(!pv.test_mode_flag)
+    {
+        kill(getppid(), SIGUSR1);
+    }
+}
+#endif /* PA_EXT */
+
+
 /*
  *
  * Function: SnortMain(int, char *)
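Review bot: `notifySnortmon` sends SIGUSR1 to whatever `getppid()` returns, with no check that the parent is the expected monitor and no check of the `kill` result. When a PA_EXT build is started from a shell or a service manager, or after the process has been re-parented, the signal reaches an unrelated process, and the default action for SIGUSR1 is to terminate; the call site in the last hunk of this file runs before `SetUidGid()`, so the signal is sent with the starting privileges. Making the notification opt-in (an option or an environment variable set by the monitor), skipping it when `getppid() == 1`, and logging a failed `kill` would contain this. The comment says snort is "about to enter the pcap loop", but the call site is followed by further initialisation, and the definition should be `static void notifySnortmon(void)`.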
@@ -750,6 +765,10 @@
         /* rule order flag '-o' requested, moves pass before alert and drop */
         if(pv.rules_order_flag)
         {
+#ifdef PA_EXT
+		OrderRuleLists("activation dynamic pass drop sdrop reject pa1 "
+			"pa2 alert log");
+#else
 #ifdef GIDS
             OrderRuleLists("activation dynamic pass drop sdrop reject alert log");
 #else
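Review bot: The PA_EXT order string names `sdrop` and `reject` regardless of GIDS, whereas the existing code passes those names only inside `#ifdef GIDS`. In detect.c the `CreateRuleType` calls ahead of `alert` end with `#endif /* GIDS */`, so in a PA_EXT build without GIDS those rule types are presumably never created, and how `OrderRuleLists` reacts to unknown names is not visible here. Either give the PA_EXT branch a non-GIDS variant (`"activation dynamic pass drop pa1 pa2 alert log"`) or document that PA_EXT requires GIDS and enforce it with `#error`. The added lines are tab-indented in a space-indented block.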
@@ -758,6 +777,7 @@
             else 
                 OrderRuleLists("activation dynamic pass drop alert log");
 #endif /* GIDS */
+#endif /* PA_EXT */			
         }
 
         if( pv.alert_before_pass )
@@ -945,6 +965,9 @@
     /* Drop the Chrooted Settings */
     if(pv.chroot_dir)
         SetChroot(pv.chroot_dir, &pv.log_dir);
+#ifdef PA_EXT	
+	notifySnortmon();
+#endif /* PA_EXT */
     /* Drop privileges if requested, when initialization is done */
     SetUidGid();
     

