UnivNautes

diff -rNu ./src/Makefile.am ./src.new/Makefile.am

--- ./src/Makefile.am	2013-09-24 06:28:37.000000000 -0400

+++ ./src.new/Makefile.am	2014-04-18 16:36:04.000000000 -0400

@@ -10,6 +10,7 @@

 alert-debuglog.c alert-debuglog.h \

 alert-fastlog.c alert-fastlog.h \

 alert-pcapinfo.c alert-pcapinfo.h \

+alert-pf.c alert-pf.h \

 alert-prelude.c alert-prelude.h \

 alert-syslog.c alert-syslog.h \

 alert-unified2-alert.c alert-unified2-alert.h \

diff -rNu ./src/Makefile.in ./src.new/Makefile.in

--- ./src/Makefile.in	2013-09-24 06:28:49.000000000 -0400

+++ ./src.new/Makefile.in	2014-04-18 16:38:02.000000000 -0400

@@ -73,7 +73,7 @@

 PROGRAMS = $(bin_PROGRAMS)

 am__suricata_SOURCES_DIST = alert-debuglog.c alert-debuglog.h \

 	alert-fastlog.c alert-fastlog.h alert-pcapinfo.c \

-	alert-pcapinfo.h alert-prelude.c alert-prelude.h \

+	alert-pcapinfo.h alert-pf.c alert-pf.h alert-prelude.c alert-prelude.h \

 	alert-syslog.c alert-syslog.h alert-unified2-alert.c \

 	alert-unified2-alert.h app-layer.c app-layer.h \

 	app-layer-dcerpc.c app-layer-dcerpc.h app-layer-dcerpc-udp.c \

@@ -274,7 +274,7 @@

 	cuda-ptxdump.h

 am__objects_1 =

 am_suricata_OBJECTS = alert-debuglog.$(OBJEXT) alert-fastlog.$(OBJEXT) \

-	alert-pcapinfo.$(OBJEXT) alert-prelude.$(OBJEXT) \

+	alert-pcapinfo.$(OBJEXT) alert-pf.$(OBJEXT) alert-prelude.$(OBJEXT) \

 	alert-syslog.$(OBJEXT) alert-unified2-alert.$(OBJEXT) \

 	app-layer.$(OBJEXT) app-layer-dcerpc.$(OBJEXT) \

 	app-layer-dcerpc-udp.$(OBJEXT) \

@@ -621,6 +621,7 @@

 suricata_SOURCES = alert-debuglog.c alert-debuglog.h alert-fastlog.c \

 	alert-fastlog.h alert-pcapinfo.c alert-pcapinfo.h \

+	alert-pf.c alert-pf.h \

 	alert-prelude.c alert-prelude.h alert-syslog.c alert-syslog.h \

 	alert-unified2-alert.c alert-unified2-alert.h app-layer.c \

 	app-layer.h app-layer-dcerpc.c app-layer-dcerpc.h \

@@ -947,6 +948,7 @@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/alert-debuglog.Po@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/alert-fastlog.Po@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/alert-pcapinfo.Po@am__quote@

+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/alert-pf.Po@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/alert-prelude.Po@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/alert-syslog.Po@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/alert-unified2-alert.Po@am__quote@

diff -rNu ./src/alert-pf.c ./src.new/alert-pf.c

--- ./src/alert-pf.c	1969-12-31 19:00:00.000000000 -0500

+++ ./src.new/alert-pf.c	2014-04-30 20:20:08.000000000 -0400

@@ -0,0 +1,835 @@

+/* Copyright (C) 2007-2014 Open Information Security Foundation

+ *

+ * You can copy, redistribute or modify this Program under the terms of

+ * the GNU General Public License version 2 as published by the Free

+ * Software Foundation.

+ *

+ * This program is distributed in the hope that it will be useful,

+ * but WITHOUT ANY WARRANTY; without even the implied warranty of

+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ * GNU General Public License for more details.

+ *

+ * You should have received a copy of the GNU General Public License

+ * version 2 along with this program; if not, write to the Free Software

+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

+ * 02110-1301, USA.

+ *

+ * Portions of this module are based on previous works of the following:

+ *

+ * Copyright (c) 2012  Ermal Lu?i

+ * Copyright (c) 2006  Antonio Benojar <zz.stalker@gmail.com>

+ * Copyright (c) 2005  Antonio Benojar <zz.stalker@gmail.com>

+ *

+ * Copyright (c) 2003, 2004 Armin Wolfermann:

+ * 

+ * The AlertPfBlock() function is based 

+ * on Armin's Wolfermann pftabled-1.03 functions.

+ *

+ * All rights reserved.

+ *

+ * Redistribution and use in source and binary forms, with or without

+ * modification, are permitted provided that the following conditions

+ * are met:

+ *

+ * 1. Redistributions of source code must retain the above copyright

+ *    notice, this list of conditions and the following disclaimer.

+ *

+ * 2. Redistributions in binary form must reproduce the above copyright

+ *    notice, this list of conditions and the following disclaimer in the

+ *    documentation and/or other materials provided with the distribution.

+ *

+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR

+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,

+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF

+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

+ */

+

+/**

+ * \file

+ *

+ * \author Bill Meeks <bill@themeeks.net>

+ *

+ * Inserts blocks for IP alerts into the pf firewall used in NetBSD and FreeBSD, 

+ * and logs the event, including the IP address, in "block.log".

+ *

+ *    # alert_pf blocking plugin

+ *    - alert-pf:

+ *        enabled: yes/no            # "yes" to enable blocking plugin

+ *        kill-state: yes/no         # "yes" to kill open state table entries associated with blocked IP addresses (default is YES)

+ *        pass-list: <filename>      # complete path and filename for txt file of single IP addresses or CIDR networks that should never be blocked

+ *        block-ip: src/dst/both     # which IP in packet to block (default is BOTH)

+ *        pf-table: <pf table name>  # name of packet filter firewall table where block IP addresses should be added.  This table must exist!

+ *

+ */

+

+#include "suricata-common.h"

+#include "conf.h"

+#include "output.h"

+#include "threads.h"

+#include "tm-threads.h"

+#include "threadvars.h"

+

+#include "alert-pf.h"

+

+#include "util-atomic.h"

+#include "util-debug.h"

+#include "util-logopenfile.h"

+#include "util-print.h"

+#include "util-proto-name.h"

+#include "util-radix-tree.h"

+

+#include <sys/types.h>

+#include <sys/ioctl.h>

+#include <sys/socket.h>

+#include <sys/stat.h>

+#include <ctype.h>

+#include <net/if.h>

+#include <net/pfvar.h>

+#include <err.h>

+#include <unistd.h>

+#include <regex.h>

+

+#define PFDEVICE	"/dev/pf"

+#define WLMAX		1024

+#define MODULE_NAME	"AlertPf"

+#define DEFAULT_LOG_FILENAME "block.log"

+

+enum spblock { BLOCK_SRC, BLOCK_DST, BLOCK_BOTH };

+

+TmEcode AlertPf (ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);

+TmEcode AlertPfIPv4(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);

+TmEcode AlertPfIPv6(ThreadVars *, Packet *, void *, PacketQueue *, PacketQueue *);

+TmEcode AlertPfThreadInit(ThreadVars *, void *, void **);

+TmEcode AlertPfThreadDeinit(ThreadVars *, void *);

+void AlertPfExitPrintStats(ThreadVars *, void *);

+static void AlertPfDeInitCtx(OutputCtx *);

+

+void TmModuleAlertPfRegister (void) {

+    tmm_modules[TMM_ALERTPF].name = MODULE_NAME;

+    tmm_modules[TMM_ALERTPF].ThreadInit = AlertPfThreadInit;

+    tmm_modules[TMM_ALERTPF].Func = AlertPf;

+    tmm_modules[TMM_ALERTPF].ThreadExitPrintStats = AlertPfExitPrintStats;

+    tmm_modules[TMM_ALERTPF].ThreadDeinit = AlertPfThreadDeinit;

+    tmm_modules[TMM_ALERTPF].RegisterTests = NULL;

+    tmm_modules[TMM_ALERTPF].cap_flags = 0;

+

+    OutputRegisterModule(MODULE_NAME, "alert-pf", AlertPfInitCtx);

+}

+

+void TmModuleAlertPfIPv4Register (void) {

+    tmm_modules[TMM_ALERTPF4].name = "AlertPfIPv4";

+    tmm_modules[TMM_ALERTPF4].ThreadInit = AlertPfThreadInit;

+    tmm_modules[TMM_ALERTPF4].Func = AlertPfIPv4;

+    tmm_modules[TMM_ALERTPF4].ThreadExitPrintStats = AlertPfExitPrintStats;

+    tmm_modules[TMM_ALERTPF4].ThreadDeinit = AlertPfThreadDeinit;

+    tmm_modules[TMM_ALERTPF4].RegisterTests = NULL;

+}

+

+void TmModuleAlertPfIPv6Register (void) {

+    tmm_modules[TMM_ALERTPF6].name = "AlertPfIPv6";

+    tmm_modules[TMM_ALERTPF6].ThreadInit = AlertPfThreadInit;

+    tmm_modules[TMM_ALERTPF6].Func = AlertPfIPv6;

+    tmm_modules[TMM_ALERTPF6].ThreadExitPrintStats = AlertPfExitPrintStats;

+    tmm_modules[TMM_ALERTPF6].ThreadDeinit = AlertPfThreadDeinit;

+    tmm_modules[TMM_ALERTPF6].RegisterTests = NULL;

+}

+

+/**

+ * This holds global structures and variables.

+ * Each thread gets a pointer to this data.

+ */

+typedef struct _AlertPfCtx_ {

+    char *pftable; 

+    int kill_state;

+    enum spblock block_ip;

+    SCRadixTree *tree;

+    LogFileCtx* file_ctx;

+} AlertPfCtx;

+

+/**

+ * This holds per-thread specific structures and variables.

+ */

+typedef struct AlertPfThread_ {

+    AlertPfCtx* ctx;       /* Pointer to the global context data */

+    int fd;                /* pf device handle */

+} AlertPfThread;

+

+SC_ATOMIC_DECLARE(uint64_t, alert_pf_blocks);  /**< Atomic counter, to hold block count */

+

+static int AlertPf_parse_line(char *, FILE *);

+static int AlertPfLoadPassList(char *, AlertPfCtx *);

+static int AlertPfDeviceInit(void);

+static int AlertPfTableExists(char *);

+static int AlertPfBlock(AlertPfThread *, Address *net_addr);

+

+/** \brief Print and format a UNIX timestamp into supplied buffer

+ *  \param *ts pointer to a timeval structure

+ *  \param *str pointer to a buffer to hold output string

+ *  \param size size of output string buffer

+ *  \retval None */

+static void CreateTimeString (const struct timeval *ts, char *str, size_t size) {

+    time_t time = ts->tv_sec;

+    struct tm local_tm;

+    struct tm *t = (struct tm *)SCLocalTime(time, &local_tm);

+

+    snprintf(str, size, "%02d/%02d/%02d-%02d:%02d:%02d.%06u",

+            t->tm_mon + 1, t->tm_mday, t->tm_year + 1900, t->tm_hour,

+            t->tm_min, t->tm_sec, (uint32_t) ts->tv_usec);

+}

+

+/**

+ * This opens the pf device and returns a file descriptor.

+ */

+static int AlertPfDeviceInit(void)

+{

+    return(open(PFDEVICE, O_RDWR));

+}

+

+/** \brief Verifies the supplied pf table exists

+ *  \param *tablename pointer to pf table name string

+ *  \retval -1 on error, 1 if table exists or 0 if not */

+static int AlertPfTableExists(char *tablename)

+{

+    int i;

+    int dev;

+    struct pfioc_table io;

+    struct pfr_table *table_aux = NULL;

+	

+    memset(&io, 0x00, sizeof(struct pfioc_table));

+	

+    io.pfrio_buffer = table_aux;

+    io.pfrio_esize  = sizeof(struct pfr_table);

+    io.pfrio_size   = 0;

+

+    dev = AlertPfDeviceInit();

+    if (dev == -1) {

+	SCLogError(SC_ERR_SYSCALL, "Failed to open pf device.");

+	return -1;

+    }

+	

+    if(ioctl(dev, DIOCRGETTABLES, &io)) {  

+        SCLogError(SC_ERR_SYSCALL, "AlertPfTableExists() => ioctl() DIOCRGETTABLES: %s\n", strerror(errno));

+	return -1;

+    }

+	

+    table_aux = (struct pfr_table*)malloc(sizeof(struct pfr_table)*io.pfrio_size);

+	

+    if (table_aux == NULL) { 

+        SCLogError(SC_ERR_SYSCALL, "AlertPfTableExists() => malloc(): %s\n", strerror(errno));

+        return -1;

+    }

+	

+    io.pfrio_buffer = table_aux;

+    io.pfrio_esize = sizeof(struct pfr_table);

+	

+    if(ioctl(dev, DIOCRGETTABLES, &io)) {

+        SCLogError(SC_ERR_SYSCALL, "AlertPfTableExists() => ioctl() DIOCRGETTABLES: %s\n", strerror(errno));

+	return -1;

+    }

+

+    for(i=0; i < io.pfrio_size; i++) {

+        if (!strcmp(table_aux[i].pfrt_name, tablename))

+            return 1;	

+    }

+	

+    return 0;

+}

+

+/** \brief Inserts the passed IP address into the pf block table

+ *  \param *data pointer to AlertPfThread structure for current thread

+ *  \param *net_addr pointer to IP address to block

+ *  \retval -1 on error, 1 if IP blocked, 0 if already blocked */

+static int AlertPfBlock(AlertPfThread *data, Address *net_addr) 

+{ 

+    struct pfioc_table io; 

+    struct pfr_table table; 

+    struct pfr_addr addr; 

+

+    if (data->fd < 0)

+	data->fd = AlertPfDeviceInit();

+    if (data->fd == -1) {

+	SCLogError(SC_ERR_SYSCALL, "AlertPfDeviceInit() => no pf device\n");

+	return -1;

+    }

+

+    memset(&io,    0x00, sizeof(struct pfioc_table)); 

+    memset(&table, 0x00, sizeof(struct pfr_table)); 

+    memset(&addr,  0x00, sizeof(struct pfr_addr)); 

+            

+    strlcpy(table.pfrt_name, data->ctx->pftable, PF_TABLE_NAME_SIZE); 

+        

+    net_addr->family == AF_INET ? memcpy(&addr.pfra_ip4addr.s_addr, net_addr->addr_data32, sizeof(in_addr_t)) : memcpy(&addr.pfra_ip6addr, net_addr->addr_data8, sizeof(struct in6_addr));

+

+    addr.pfra_af  = net_addr->family; 

+    addr.pfra_net = net_addr->family == AF_INET ? 32 : 128;

+

+    io.pfrio_table  = table; 

+    io.pfrio_buffer = &addr; 

+    io.pfrio_esize  = sizeof(addr); 

+    io.pfrio_size   = 1; 

+        

+    if (ioctl(data->fd, DIOCRADDADDRS, &io)) {

+	SCLogError(SC_ERR_SYSCALL, "AlertPfBlock() => ioctl() DIOCRADDADDRS: %s\n", strerror(errno));

+	return (-1);

+    }

+ 

+    if (io.pfrio_nadd > 0) {

+        SC_ATOMIC_ADD(alert_pf_blocks, 1);

+    }

+

+    if (data->ctx->kill_state) {

+	struct pfioc_state_kill psk;

+

+        memset(&psk, 0, sizeof(psk));

+	memset(&psk.psk_src.addr.v.a.mask, 0xff, sizeof(psk.psk_src.addr.v.a.mask));

+	psk.psk_af = net_addr->family;

+	if (psk.psk_af == AF_INET)

+	    memcpy(&psk.psk_src.addr.v.a.addr.v4.s_addr, net_addr->addr_data32, sizeof(in_addr_t));

+	else if (psk.psk_af == AF_INET6)

+	    memcpy(&psk.psk_src.addr.v.a.addr.v6, net_addr->addr_data8, sizeof(struct in6_addr));

+	else {

+            SCLogError(SC_ERR_UNKNOWN_VALUE, "AlertPfBlock() unknown address family type: %d for source IP.", psk.psk_af);

+	    return (-1);

+        }

+

+	/* Attempt to clear any open states for source IP */

+	if (ioctl(data->fd, DIOCKILLSTATES, &psk))

+	    SCLogError(SC_ERR_SYSCALL, "AlertPfBlock() => ioctl() DIOCKILLSTATES: %s\n", strerror(errno));

+

+	memset(&psk, 0, sizeof(psk));

+	memset(&psk.psk_dst.addr.v.a.mask, 0xff, sizeof(psk.psk_dst.addr.v.a.mask));

+	psk.psk_af = net_addr->family;

+	if (psk.psk_af == AF_INET)

+	    memcpy(&psk.psk_dst.addr.v.a.addr.v4.s_addr, net_addr->addr_data32, sizeof(in_addr_t));

+	else if (psk.psk_af == AF_INET6)

+	    memcpy(&psk.psk_dst.addr.v.a.addr.v6, net_addr->addr_data8, sizeof(struct in6_addr));

+	else {

+            SCLogError(SC_ERR_UNKNOWN_VALUE, "AlertPfBlock() unknown address family type: %d for destination IP.", psk.psk_af);

+	    return (-1);

+        }

+

+	/* Attempt to clear any open states for destination IP */

+	if (ioctl(data->fd, DIOCKILLSTATES, &psk))

+	    SCLogError(SC_ERR_SYSCALL, "AlertPfBlock() => ioctl() DIOCKILLSTATES: %s\n", strerror(errno));

+    }

+

+    /* Return the number of effective IP blocks inserted */

+    return (io.pfrio_nadd); 

+}

+

+/** \brief Load and parse a single line of text from Pass List file

+ *  \param buf buffer of length WLMAX to receive a line of text from Pass List file

+ *  \param *wfile FILE pointer to open Pass List text file

+ *  \retval buf[] filled with next line of text from Pass List file

+ *  \retval 0 on EOF, 1 if success or -1 if line exceed WLMAX length */

+static int AlertPf_parse_line(char buf[WLMAX], FILE* wfile)

+{

+    static char     next_ch = '\n';

+    int             i = 0;

+

+    if (feof(wfile))

+        return (0);

+

+    do {

+        next_ch = fgetc(wfile);

+        if (i < WLMAX)

+            buf[i++] = next_ch;

+    } while (!feof(wfile) && next_ch != '\n');

+

+    if (i >= WLMAX)

+        return (-1);

+

+    buf[--i] = '\0';

+    return (1);

+}

+

+/** \brief Load and parse a Pass List text file and insert

+ *   the IP addresses and networks (in CIDR form) into a

+ *   Radix Tree for easy searching.

+ *  \param *plfile pointer to Pass List filename string

+ *  \param *ctx pointer to AlertPfCtx global data structure

+ *  \retval false (0) if error, true (-1) if success */

+static int AlertPfLoadPassList(char *plfile, AlertPfCtx *ctx)

+{

+    FILE *wfile;

+    struct flock lock;

+    char cad[WLMAX];

+    int ret;

+    int count = 0;

+

+    wfile = fopen(plfile, "r");

+    if (wfile == NULL) {

+        SCLogError(SC_ERR_FATAL, "Unable to open Pass List file: %s", strerror(errno));

+        return (0);

+    }

+

+    memset(&lock, 0x00, sizeof(struct flock));

+    lock.l_type = F_RDLCK;

+    fcntl(fileno(wfile), F_SETLKW, &lock);

+

+    ctx->tree = SCRadixCreateRadixTree(free, NULL);

+

+    memset(cad, 0, WLMAX);

+    while((ret = AlertPf_parse_line(cad, wfile)) != 0) {

+	if (ret == 1 && strlen(cad) > 0) {

+	    /* is it an IPv6 address? */

+	    if (strchr(cad, ':') != NULL) {

+	        if (SCRadixAddKeyIPV6String(cad, ctx->tree, NULL) == NULL) {

+		    SCLogInfo("Invalid IP(%s) parameter provided in Pass List, skipping...", cad);

+		    continue;

+		}

+		count++;

+	    }

+	    else {

+		if (SCRadixAddKeyIPV4String(cad, ctx->tree, NULL) == NULL) {

+		    SCLogInfo("Invalid IP(%s) parameter provided in Pass List, skipping...", cad);

+		    continue;

+		}

+		count++;

+	    }

+	} else if (ret == -1)

+	    SCLogInfo("Error occurred parsing line(%s) in Pass List, skipping...", cad);

+    }

+

+    lock.l_type = F_UNLCK;

+    fcntl(fileno(wfile), F_SETLKW, &lock);

+    fclose(wfile);

+

+    if (count == 1)

+	SCLogInfo("Pass List %s parsed: %d IP address loaded.", plfile, count);

+    else

+	SCLogInfo("Pass List %s parsed: %d IP addresses loaded.", plfile, count);

+

+    return (-1);

+}

+

+/**

+ * This initializes the data for a new thread.

+ */

+TmEcode AlertPfThreadInit(ThreadVars *t, void *initdata, void **data)

+{

+    AlertPfThread *apft;

+

+    if(initdata == NULL)

+    {

+        SCLogDebug("Error getting context for Alert-PF.  \"initdata\" argument NULL");

+        return TM_ECODE_FAILED;

+    }

+

+    apft = SCMalloc(sizeof(AlertPfThread));

+

+    if (unlikely(apft == NULL))

+        return TM_ECODE_FAILED;

+    memset(apft, 0, sizeof(AlertPfThread));

+

+    /* Use the Ouput Context */

+    apft->ctx = ((OutputCtx *)initdata)->data;

+

+    /* Open the pf device */

+    apft->fd = AlertPfDeviceInit();

+    if (apft->fd == -1) {

+	SCLogError(SC_ERR_SYSCALL, "Failed to open pf device, alert-pf module thread init failed.");

+        return TM_ECODE_FAILED;

+    }

+

+    *data = (void *)apft;

+    return TM_ECODE_OK;

+}

+

+/**

+ * This clears and releases the data for a thread.

+ */

+TmEcode AlertPfThreadDeinit(ThreadVars *t, void *data)

+{

+    AlertPfThread *apft = (AlertPfThread *)data;

+

+    if (apft == NULL) {

+        SCLogDebug("AlertPfThreadDeinit done (error)");

+        return TM_ECODE_FAILED;

+    }

+

+    /* Close the pf device */

+    close(apft->fd);

+

+    /* clear memory */

+    memset(apft, 0, sizeof(AlertPfThread));

+    SCFree(apft);

+

+    return TM_ECODE_OK;

+}

+

+/** \brief Print the pf alert module blocking stats.

+ *  \param *tv pointer to ThreadVars structure

+ *  \param *data pointer to AlertPfThread structure

+*/

+void AlertPfExitPrintStats(ThreadVars *tv, void *data)

+{

+    AlertPfThread *apft = (AlertPfThread *)data;

+    if (apft == NULL) {

+        return;

+    }

+

+    uint64_t alerts = SC_ATOMIC_GET(alert_pf_blocks);

+    if (alerts == 1)

+        SCLogInfo("alert-pf output inserted %" PRIu64 " IP address block", alerts);

+    else

+        SCLogInfo("alert-pf output inserted %" PRIu64 " IP address blocks", alerts);

+

+    if (apft->ctx->file_ctx->alerts == 1)

+        SCLogInfo("alert-pf output wrote %" PRIu64 " alerts", apft->ctx->file_ctx->alerts);

+    else

+        SCLogInfo("alert-pf output wrote %" PRIu64 " alerts", apft->ctx->file_ctx->alerts);

+

+    SC_ATOMIC_DESTROY(alert_pf_blocks);

+}

+

+/** \brief Initialize the pf alert blocking module.

+ *  \param *conf pointer to module's ConfNode structure

+ * \return A newly allocated AlertPfCtx structure, or NULL

+ */

+OutputCtx *AlertPfInitCtx(ConfNode *conf)

+{

+    AlertPfCtx *ctx;

+    LogFileCtx *logfile_ctx;

+    const char *pass_list_name;

+    const char *kill_state;

+    const char *block_ip;

+    const char *pf_table;

+    OutputCtx *output_ctx;

+

+    pass_list_name = ConfNodeLookupChildValue(conf, "pass-list");

+    if (pass_list_name == NULL) {

+	SCLogWarning(SC_WARN_UNCOMMON, "alert-pf: No Pass List specified, critical interface IPs may become blocked.");

+    }

+

+    kill_state = ConfNodeLookupChildValue(conf, "kill-state");

+    block_ip = ConfNodeLookupChildValue(conf, "block-ip");

+    pf_table = ConfNodeLookupChildValue(conf, "pf-table");

+

+    if (unlikely(pf_table == NULL)) {

+	SCLogError(SC_ERR_INVALID_ARGUMENT, "alert-pf: No PF table name specified, module init failed.");

+        exit(EXIT_FAILURE);

+    }

+

+    ctx = SCMalloc(sizeof(AlertPfCtx));

+    if (unlikely(ctx == NULL)) {

+	SCLogError(SC_ERR_MEM_ALLOC, "alert-pf: Unable to allocate memory for AlertPfCtx, module init failed.");

+        exit(EXIT_FAILURE);

+    }

+

+    /* Create a LogFileCtx for the block.log output */

+    logfile_ctx = LogFileNewCtx();

+    if (logfile_ctx == NULL) {

+        SCLogDebug("AlertPfInitCtx: Could not create new LogFileCtx");

+        SCFree(ctx);

+        return NULL;

+    }

+

+    if (SCConfLogOpenGeneric(conf, logfile_ctx, DEFAULT_LOG_FILENAME) < 0) {

+        LogFileFreeCtx(logfile_ctx);

+        SCLogDebug("AlertPfInitCtx: Could not create new LogFileCtx");

+        SCFree(ctx);

+        return NULL;

+    }

+

+    ctx->file_ctx = logfile_ctx;

+

+    ctx->kill_state = 1;

+    if (kill_state == NULL) {

+        SCLogWarning(SC_ERR_INVALID_ARGUMENT, "alert-pf: kill-state parameter not recognized, defaulting to 'yes'.");

+    }

+    if (kill_state && ConfValIsFalse(kill_state))

+        ctx->kill_state = 0;

+

+    if (block_ip == NULL) {

+        SCLogWarning(SC_ERR_INVALID_ARGUMENT, "alert-pf: block-ip parameter not recognized, defaulting to 'both'.");

+    }

+    if (block_ip && !strncasecmp("src", block_ip, strlen("src")))

+        ctx->block_ip = BLOCK_SRC;

+    else if (block_ip && !strncasecmp("dst", block_ip, strlen("dst")))

+        ctx->block_ip = BLOCK_DST;

+    else

+        ctx->block_ip = BLOCK_BOTH;

+

+    if (pass_list_name) {

+	AlertPfLoadPassList(SCStrdup(pass_list_name), ctx);

+    }

+

+    ctx->pftable = SCStrdup(pf_table);

+

+    /* TODO -- add validation of pf table */

+    if (AlertPfTableExists(ctx->pftable) != 1) {

+        LogFileFreeCtx(logfile_ctx);

+        SCFree(ctx);

+	SCLogError(SC_ERR_INVALID_ARGUMENT, "alert-pf: Could not validate pf table: %s, module init failed.", pf_table);

+        exit(EXIT_FAILURE);

+    }

+

+    output_ctx = SCMalloc(sizeof(OutputCtx));

+    if (unlikely(output_ctx == NULL)) {

+        LogFileFreeCtx(logfile_ctx);

+        SCFree(ctx);

+	SCLogError(SC_ERR_MEM_ALLOC, "alert-pf: Unable to allocate memory for OutputCtx, module init failed.");

+        exit(EXIT_FAILURE);

+    }

+    output_ctx->data = ctx;

+    output_ctx->DeInit = AlertPfDeInitCtx;

+    SC_ATOMIC_INIT(alert_pf_blocks);

+

+    const char *block;

+    switch (ctx->block_ip) {

+        case BLOCK_SRC:

+            block = "src";

+            break;

+

+        case BLOCK_DST:

+            block = "dst";

+            break;

+

+        default:

+            block = "both";

+    }

+    const char *state = ctx->kill_state ? "on" : "off";

+    SCLogInfo("alert-pf output initialized, pf-table=%s  block-ip=%s  kill-state=%s", ctx->pftable, block, state);

+

+    return output_ctx;

+}

+

+/** \brief This releases the memory used by the global

+ * AlertPfCtx data structure.

+ */

+static void AlertPfDeInitCtx(OutputCtx *output_ctx)

+{

+    AlertPfCtx *ctx = (AlertPfCtx *)output_ctx->data;

+    LogFileFreeCtx(ctx->file_ctx);

+    SCRadixReleaseRadixTree(ctx->tree);

+    SCFree(ctx);

+    SCFree(output_ctx);

+}

+

+/** \brief This processes an IPv4 alert and inserts the appropriate

+ * block if the IP address is not on the Pass List.

+ */

+TmEcode AlertPfIPv4(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)

+{

+    AlertPfThread *apft = (AlertPfThread *)data;

+    int i;

+    char proto[16] = "";

+    char timebuf[64];

+    char srcip[16], dstip[16];

+

+    if (p->alerts.cnt == 0)

+        return TM_ECODE_OK;

+

+    CreateTimeString(&p->ts, timebuf, sizeof(timebuf));

+    PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip));

+    PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip));

+

+    if (SCProtoNameValid(IPV4_GET_IPPROTO(p)) == TRUE) {

+        strlcpy(proto, known_proto[IPV4_GET_IPPROTO(p)], sizeof(proto));

+    } else {

+        snprintf(proto, sizeof(proto), "PROTO:%03" PRIu32, IPV4_GET_IPPROTO(p));

+    }

+

+    for (i = 0; i < p->alerts.cnt; i++) {

+        PacketAlert *pa = &p->alerts.alerts[i];

+        if (unlikely(pa->s == NULL)) {

+            continue;

+        }

+

+        switch (apft->ctx->block_ip) {

+

+            case BLOCK_BOTH:

+	        /* Block only if IP is not in Pass List */

+	        if (SCRadixFindKeyIPV4BestMatch((uint8_t *)&GET_IPV4_SRC_ADDR_U32(p), apft->ctx->tree) == NULL) {

+                    if (AlertPfBlock(apft, &p->src) > 0) {

+                        SCMutexLock(&apft->ctx->file_ctx->fp_mutex);

+                        fprintf(apft->ctx->file_ctx->fp, "%s,Block Src,%" PRIu32 ",%" PRIu32 ",%"

+                                PRIu32 ",%s,%s,%" PRIu32

+                                ",%s,%s,%" PRIu32 "\n", timebuf, pa->s->gid,

+                                pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,

+                                proto, srcip, p->sp);

+                        fflush(apft->ctx->file_ctx->fp);

+                        apft->ctx->file_ctx->alerts++;

+                        SCMutexUnlock(&apft->ctx->file_ctx->fp_mutex);

+                    }

+                }

+                if (SCRadixFindKeyIPV4BestMatch((uint8_t *)&GET_IPV4_DST_ADDR_U32(p), apft->ctx->tree) == NULL) {

+                    if (AlertPfBlock(apft, &p->dst) > 0) {

+                        SCMutexLock(&apft->ctx->file_ctx->fp_mutex);

+                        fprintf(apft->ctx->file_ctx->fp, "%s,Block Dst,%" PRIu32 ",%" PRIu32 ",%"

+                                PRIu32 ",%s,%s,%" PRIu32

+                                ",%s,%s,%" PRIu32 "\n", timebuf, pa->s->gid,

+                                pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,

+                                proto, dstip, p->dp);

+                        fflush(apft->ctx->file_ctx->fp);

+                        apft->ctx->file_ctx->alerts++;

+                        SCMutexUnlock(&apft->ctx->file_ctx->fp_mutex);

+                    }

+                }

+                break;

+

+            case BLOCK_SRC:

+                /* Block SRC only if IP is not in Pass List */

+	        if (SCRadixFindKeyIPV4BestMatch((uint8_t *)&GET_IPV4_SRC_ADDR_U32(p), apft->ctx->tree) == NULL) {

+                    if (AlertPfBlock(apft, &p->src) > 0) {

+                        SCMutexLock(&apft->ctx->file_ctx->fp_mutex);

+                        fprintf(apft->ctx->file_ctx->fp, "%s,Block Src,%" PRIu32 ",%" PRIu32 ",%"

+                                PRIu32 ",%s,%s,%" PRIu32

+                                ",%s,%s,%" PRIu32 "\n", timebuf, pa->s->gid,

+                                pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,

+                                proto, srcip, p->sp);

+                        fflush(apft->ctx->file_ctx->fp);

+                        apft->ctx->file_ctx->alerts++;

+                        SCMutexUnlock(&apft->ctx->file_ctx->fp_mutex);

+                    }

+                }

+                break;

+

+            case BLOCK_DST:

+	        /* Block DST only if IP is not in Pass List */

+	        if (SCRadixFindKeyIPV4BestMatch((uint8_t *)&GET_IPV4_DST_ADDR_U32(p), apft->ctx->tree) == NULL) {

+                    if (AlertPfBlock(apft, &p->dst) > 0) {

+                        SCMutexLock(&apft->ctx->file_ctx->fp_mutex);

+                        fprintf(apft->ctx->file_ctx->fp, "%s,Block Dst,%" PRIu32 ",%" PRIu32 ",%"

+                                PRIu32 ",%s,%s,%" PRIu32

+                                ",%s,%s,%" PRIu32 "\n", timebuf, pa->s->gid,

+                                pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,

+                                proto, dstip, p->dp);

+                        fflush(apft->ctx->file_ctx->fp);

+                        apft->ctx->file_ctx->alerts++;

+                        SCMutexUnlock(&apft->ctx->file_ctx->fp_mutex);

+                    }

+                }

+        }

+

+        /* Once we find and block the first packet alert for this IP, we're done */

+        break;

+    }

+

+    return TM_ECODE_OK;

+}

+

+/** \brief This processes an IPv6 alert and inserts the appropriate

+ * block if the IP address is not on the Pass List.

+ */

+TmEcode AlertPfIPv6(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)

+{

+    AlertPfThread *apft = (AlertPfThread *)data;

+    int i;

+    char proto[16] = "";

+    char timebuf[64];

+    char srcip[46], dstip[46];

+

+    if (p->alerts.cnt == 0)

+        return TM_ECODE_OK;

+

+    CreateTimeString(&p->ts, timebuf, sizeof(timebuf));

+    PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));

+    PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));

+

+    if (SCProtoNameValid(IPV6_GET_L4PROTO(p)) == TRUE) {

+        strlcpy(proto, known_proto[IPV6_GET_L4PROTO(p)], sizeof(proto));

+    } else {

+        snprintf(proto, sizeof(proto), "PROTO:%03" PRIu32, IPV6_GET_L4PROTO(p));

+    }

+

+    for (i = 0; i < p->alerts.cnt; i++) {

+        PacketAlert *pa = &p->alerts.alerts[i];

+        if (unlikely(pa->s == NULL)) {

+            continue;

+        }

+

+        switch (apft->ctx->block_ip) {

+

+    	    case BLOCK_BOTH:

+                /* Block only if IP is not in Pass List */

+	        if (SCRadixFindKeyIPV6BestMatch((uint8_t *)&GET_IPV6_SRC_ADDR(p), apft->ctx->tree) == NULL) {

+                    if (AlertPfBlock(apft, &p->src) > 0) {

+                        SCMutexLock(&apft->ctx->file_ctx->fp_mutex);

+                        fprintf(apft->ctx->file_ctx->fp, "%s,Block Src,%" PRIu32 ",%" PRIu32 ",%"

+                                PRIu32 ",%s,%s,%" PRIu32

+                                ",%s,%s,%" PRIu32 "\n", timebuf, pa->s->gid,

+                                pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,

+                                proto, srcip, p->sp);

+                        fflush(apft->ctx->file_ctx->fp);

+                        apft->ctx->file_ctx->alerts++;

+                        SCMutexUnlock(&apft->ctx->file_ctx->fp_mutex);

+                    }

+                }

+	        if (SCRadixFindKeyIPV6BestMatch((uint8_t *)&GET_IPV6_DST_ADDR(p), apft->ctx->tree) == NULL) {

+                    if (AlertPfBlock(apft, &p->dst) > 0) {

+                        SCMutexLock(&apft->ctx->file_ctx->fp_mutex);

+                        fprintf(apft->ctx->file_ctx->fp, "%s,Block Dst,%" PRIu32 ",%" PRIu32 ",%"

+                                PRIu32 ",%s,%s,%" PRIu32

+                                ",%s,%s,%" PRIu32 "\n", timebuf, pa->s->gid,

+                                pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,

+                                proto, dstip, p->dp);

+                        fflush(apft->ctx->file_ctx->fp);

+                        apft->ctx->file_ctx->alerts++;

+                        SCMutexUnlock(&apft->ctx->file_ctx->fp_mutex);

+                    }

+                }

+	        break;

+

+	    case BLOCK_SRC:

+	        /* Block SRC only if IP is not in Pass List */

+	        if (SCRadixFindKeyIPV6BestMatch((uint8_t *)&GET_IPV6_SRC_ADDR(p), apft->ctx->tree) == NULL) {

+                    if (AlertPfBlock(apft, &p->src) > 0) {

+                        SCMutexLock(&apft->ctx->file_ctx->fp_mutex);

+                        fprintf(apft->ctx->file_ctx->fp, "%s,Block Src,%" PRIu32 ",%" PRIu32 ",%"

+                                PRIu32 ",%s,%s,%" PRIu32

+                                ",%s,%s,%" PRIu32 "\n", timebuf, pa->s->gid,

+                                pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,

+                                proto, srcip, p->sp);

+                        fflush(apft->ctx->file_ctx->fp);

+                        apft->ctx->file_ctx->alerts++;

+                        SCMutexUnlock(&apft->ctx->file_ctx->fp_mutex);

+                    }

+                }

+	        break;

+

+	    case BLOCK_DST:

+	        /* Block DST only if IP is not in Pass List */

+	        if (SCRadixFindKeyIPV6BestMatch((uint8_t *)&GET_IPV6_DST_ADDR(p), apft->ctx->tree) == NULL) {

+                    if (AlertPfBlock(apft, &p->dst) > 0) {

+                        SCMutexLock(&apft->ctx->file_ctx->fp_mutex);

+                        fprintf(apft->ctx->file_ctx->fp, "%s,Block Dst,%" PRIu32 ",%" PRIu32 ",%"

+                                PRIu32 ",%s,%s,%" PRIu32

+                                ",%s,%s,%" PRIu32 "\n", timebuf, pa->s->gid,

+                                pa->s->id, pa->s->rev, pa->s->msg, pa->s->class_msg, pa->s->prio,

+                                proto, dstip, p->dp);

+                        fflush(apft->ctx->file_ctx->fp);

+                        apft->ctx->file_ctx->alerts++;

+                        SCMutexUnlock(&apft->ctx->file_ctx->fp_mutex);

+                    }

+                }

+        }

+

+        /* Once we find and block the first packet alert for this IP, we're done */

+        break;

+    }

+

+    return TM_ECODE_OK;

+}

+

+/** \brief This processes an IP alert and routes it to the

+ * appropriate handler.

+ */

+TmEcode AlertPf (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)

+{

+    if (PKT_IS_IPV4(p)) {

+        return AlertPfIPv4(tv, p, data, pq, postpq);

+    } else if (PKT_IS_IPV6(p)) {

+        return AlertPfIPv6(tv, p, data, pq, postpq);

+    }

+

+    return TM_ECODE_OK;

+}

+

diff -rNu ./src/alert-pf.h ./src.new/alert-pf.h

--- ./src/alert-pf.h	1969-12-31 19:00:00.000000000 -0500

+++ ./src.new/alert-pf.h	2014-04-21 20:13:22.000000000 -0400

@@ -0,0 +1,51 @@

+/* Copyright (C) 2007-2010 Open Information Security Foundation

+ *

+ * You can copy, redistribute or modify this Program under the terms of

+ * the GNU General Public License version 2 as published by the Free

+ * Software Foundation.

+ *

+ * This program is distributed in the hope that it will be useful,

+ * but WITHOUT ANY WARRANTY; without even the implied warranty of

+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ * GNU General Public License for more details.

+ *

+ * You should have received a copy of the GNU General Public License

+ * version 2 along with this program; if not, write to the Free Software

+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

+ * 02110-1301, USA.

+ */

+

+/**

+ * \file

+ *

+ * \author Bill Meeks <bill@themeeks.net>

+ */

+

+#ifndef __ALERT_PF_H__

+#define __ALERT_PF_H__

+

+/**

+ * define these macros since we need them in <net/pfvar.h>

+ * and Suricata by default uses it's own customized

+ * <queue.h> file that omits these particular macros.

+ */

+#define SLIST_HEAD(name, type)						\

+struct name {								\

+	struct type *slh_first;	/* first element */			\

+}

+

+#define	SLIST_HEAD_INITIALIZER(head)					\

+	{ NULL }

+

+#define SLIST_ENTRY(type)						\

+struct {								\

+	struct type *sle_next;	/* next element */			\

+}

+

+void TmModuleAlertPfRegister (void);

+void TmModuleAlertPfIPv4Register (void);

+void TmModuleAlertPfIPv6Register (void);

+OutputCtx *AlertPfInitCtx(ConfNode *);

+

+#endif /* __ALERT_PF_H__ */

+

diff -rNu ./src/suricata.c ./src.new/suricata.c

--- ./src/suricata.c	2013-09-24 06:28:37.000000000 -0400

+++ ./src.new/suricata.c	2014-04-30 19:20:58.000000000 -0400

@@ -100,6 +100,7 @@

 #include "alert-prelude.h"

 #include "alert-syslog.h"

 #include "alert-pcapinfo.h"

+#include "alert-pf.h"

 #include "log-droplog.h"

 #include "log-httplog.h"

@@ -1557,6 +1558,10 @@

     /* napatech */

     TmModuleNapatechStreamRegister();

     TmModuleNapatechDecodeRegister();

+    /* alert pf */

+    TmModuleAlertPfRegister();

+    TmModuleAlertPfIPv4Register();

+    TmModuleAlertPfIPv6Register();

     /* stream engine */

     TmModuleStreamTcpRegister();

@@ -1887,6 +1892,7 @@

         if (engine_analysis) {

             exit(EXIT_SUCCESS);

         }

+        SCThresholdConfInitContext(de_ctx,NULL);

     }

     /* registering singal handlers we use.  We register usr2 here, so that one

@@ -1898,7 +1904,6 @@

     SCCudaPBSetUpQueuesAndBuffers();

 #endif /* __SC_CUDA_SUPPORT__ */

-    SCThresholdConfInitContext(de_ctx,NULL);

     SCAsn1LoadConfig();

     CoredumpLoadConfig();

@@ -2019,6 +2024,7 @@

             if (de_ctx->failure_fatal)

                 exit(EXIT_FAILURE);

         }

+        SCThresholdConfInitContext(de_ctx,NULL);

         TmThreadActivateDummySlot();

         SCLogInfo("Signature(s) loaded, Detect thread(s) activated.");

     }

diff -rNu ./src/tm-modules.c ./src.new/tm-modules.c

--- ./src/tm-modules.c	2013-09-24 06:28:37.000000000 -0400

+++ ./src.new/tm-modules.c	2014-04-18 16:45:17.000000000 -0400

@@ -238,6 +238,9 @@

         CASE_CODE (TMM_ALERTPRELUDE);

         CASE_CODE (TMM_ALERTDEBUGLOG);

         CASE_CODE (TMM_ALERTSYSLOG);

+	CASE_CODE (TMM_ALERTPF);

+	CASE_CODE (TMM_ALERTPF4);

+	CASE_CODE (TMM_ALERTPF6);

         CASE_CODE (TMM_LOGDROPLOG);

         CASE_CODE (TMM_ALERTSYSLOG4);

         CASE_CODE (TMM_ALERTSYSLOG6);

diff -rNu ./src/tm-threads-common.h ./src.new/tm-threads-common.h

--- ./src/tm-threads-common.h	2013-09-24 06:28:37.000000000 -0400

+++ ./src.new/tm-threads-common.h	2014-04-18 18:59:26.000000000 -0400

@@ -78,6 +78,9 @@

     TMM_ALERTPCAPINFO,

     TMM_RECEIVENAPATECH,

     TMM_DECODENAPATECH,

+    TMM_ALERTPF,

+    TMM_ALERTPF4,

+    TMM_ALERTPF6,

     TMM_SIZE,

 } TmmId;