diff -Naur snort-2.7.0.1/src/preprocessors/HttpInspect/client/hi_client.c ss-snort-2.7.0.1-http_inspect/src/preprocessors/HttpInspect/client/hi_client.c --- snort-2.7.0.1/src/preprocessors/HttpInspect/client/hi_client.c 2007-07-03 14:41:47.000000000 -0600 +++ ss-snort-2.7.0.1-http_inspect/src/preprocessors/HttpInspect/client/hi_client.c 2007-09-11 10:20:21.000000000 -0600 @@ -18,6 +18,10 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ + + /* Copyright © 2007 Latis Networks, Inc. ((d.b.a. StillSecure) + applies to marked preprocessor drops */ + /** ** @file hi_client.c @@ -145,6 +149,9 @@ int iCheckChunk = 1; u_char *ptr; u_char *jump_ptr; + + //StillSecure + HTTPINSPECT_CONF *ServerConf = Session->server_conf; if(!start || !end) return HI_INVALID_ARG; @@ -162,6 +169,10 @@ { hi_eo_client_event_log(Session, HI_EO_CLIENT_LARGE_CHUNK, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_LARGE_CHUNK) + Session->drop_session = 1; + /** End StillSecure **/ } jump_ptr = ptr + iChunkLen; @@ -539,6 +550,10 @@ { hi_eo_client_event_log(Session, HI_EO_CLIENT_IIS_DELIMITER, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_IIS_DELIMITER) + Session->drop_session = 1; + /** End StillSecure **/ } uri_ptr->delimiter = *ptr; @@ -728,6 +743,10 @@ { hi_eo_client_event_log(Session, HI_EO_CLIENT_APACHE_WS, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_APACHE_WS) + Session->drop_session = 1; + /** End StillSecure **/ } } (*ptr)++; @@ -885,6 +904,8 @@ u_char *ptr) { int iDirLen; + //StillSecure + HTTPINSPECT_CONF *ServerConf = Session->server_conf; /* ** Check for oversize directory @@ -899,6 +920,10 @@ { hi_eo_client_event_log(Session, HI_EO_CLIENT_OVERSIZE_DIR, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_OVERSIZE_DIR) + Session->drop_session = 1; + /** End StillSecure **/ } } 
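Review bot: The added block in the -162 hunk (and the identical pattern in the -539, -728 and -899 hunks, and throughout hi_norm.c) has no comment saying that it only marks the session and does not drop anything itself. The packet is dropped later, in the snort_httpinspect.c hunk, by `InlineDrop(p)` and only when `InlineMode()` is true, so despite the name `drop_session` only the current packet is passed to the drop call. The flag is also set inside the block that logs the event, whose condition lies outside the hunk, so a `drop_*` option presumably has no effect where the matching alert is suppressed. I would put that on the first occurrence: `/* mark only: dropped later by the event logger, inline mode only, and only if this alert fires */`.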
@@ -1610,6 +1635,10 @@ { hi_eo_client_event_log(Session, HI_EO_CLIENT_PROXY_USE, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_PROXY_USE) + Session->drop_session = 1; + /** End StillSecure **/ } } diff -Naur snort-2.7.0.1/src/preprocessors/HttpInspect/include/hi_si.h ss-snort-2.7.0.1-http_inspect/src/preprocessors/HttpInspect/include/hi_si.h --- snort-2.7.0.1/src/preprocessors/HttpInspect/include/hi_si.h 2007-07-03 14:41:48.000000000 -0600 +++ ss-snort-2.7.0.1-http_inspect/src/preprocessors/HttpInspect/include/hi_si.h 2007-09-11 10:21:18.000000000 -0600 @@ -18,6 +18,10 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ + + /* Copyright © 2007 Latis Networks, Inc. ((d.b.a. StillSecure) + applies to marked preprocessor drops */ + /** ** @file hi_si.h @@ -95,6 +99,9 @@ */ HTTPINSPECT_GLOBAL_CONF *global_conf; + //StillSecure + u_int32_t drop_session; + u_int32_t norm_flags; } HI_SESSION; diff -Naur snort-2.7.0.1/src/preprocessors/HttpInspect/include/hi_ui_config.h ss-snort-2.7.0.1-http_inspect/src/preprocessors/HttpInspect/include/hi_ui_config.h --- snort-2.7.0.1/src/preprocessors/HttpInspect/include/hi_ui_config.h 2007-07-03 14:41:48.000000000 -0600 +++ ss-snort-2.7.0.1-http_inspect/src/preprocessors/HttpInspect/include/hi_ui_config.h 2007-09-11 10:21:45.000000000 -0600 @@ -18,6 +18,10 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ + + /* Copyright © 2007 Latis Networks, Inc. ((d.b.a. StillSecure) + applies to marked preprocessor drops */ + /** ** @file hi_ui_config.h 
@@ -52,6 +56,33 @@ #define HI_UI_CONFIG_WS_BEFORE_URI 0x01 #define HI_UI_CONFIG_WS_AFTER_URI 0x02 + +/** StillSecure **/ +/* +** Drop Masks +*/ +#define HI_DROP_ASCII 0x000000001 +#define HI_DROP_DOUBLE_DECODE 0x000000002 +#define HI_DROP_U_ENCODE 0x000000004 +#define HI_DROP_BARE_BYTE 0x000000008 +#define HI_DROP_BASE36 0x000000010 +#define HI_DROP_UTF_8 0x000000020 +#define HI_DROP_IIS_UNICODE 0x000000040 +#define HI_DROP_MULTI_SLASH 0x000000080 +#define HI_DROP_IIS_BACKSLASH 0x000000100 +#define HI_DROP_SELF_DIR_TRAV 0x000000200 +#define HI_DROP_DIR_TRAV 0x000000400 +#define HI_DROP_APACHE_WS 0x000000800 +#define HI_DROP_IIS_DELIMITER 0x000001000 +#define HI_DROP_NON_RFC_CHAR 0x000002000 +#define HI_DROP_OVERSIZE_DIR 0x000004000 +#define HI_DROP_LARGE_CHUNK 0x000008000 +#define HI_DROP_PROXY_USE 0x000010000 +#define HI_DROP_WEBROOT_DIR 0x000020000 +/** End StillSecure **/ + + + /** ** Defines a search type for the server configurations in the ** global configuration. We want this generic so we can change @@ -105,6 +136,9 @@ int long_dir; int uri_only; int no_alerts; + + //StillSecure + int drop_flags; /* ** Chunk encoding anomaly detection diff -Naur snort-2.7.0.1/src/preprocessors/HttpInspect/normalization/hi_norm.c ss-snort-2.7.0.1-http_inspect/src/preprocessors/HttpInspect/normalization/hi_norm.c --- snort-2.7.0.1/src/preprocessors/HttpInspect/normalization/hi_norm.c 2007-07-03 14:41:49.000000000 -0600 +++ ss-snort-2.7.0.1-http_inspect/src/preprocessors/HttpInspect/normalization/hi_norm.c 2007-09-11 10:22:33.000000000 -0600 @@ -18,6 +18,10 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ + + /* Copyright © 2007 Latis Networks, Inc. ((d.b.a. StillSecure) + applies to marked preprocessor drops */ + /** ** @file hi_norm.c 
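Review bot: `int drop_flags;` in the -105 hunk holds a bit mask and is better declared unsigned, `u_int32_t drop_flags;`, in line with the `u_int32_t drop_session;` this patch adds to HI_SESSION. The `HI_DROP_*` masks in the -52 hunk are written with nine hex digits (`0x000000001`); eight digits (`0x00000001`) match a 32-bit field and are easier to check by eye. No hunk in this patch initialises `drop_flags`, so it presumably relies on the server configuration being zeroed elsewhere; that is worth confirming, because a stale bit would enable drops nobody configured. The struct definition starts and ends outside the hunk.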
@@ -221,6 +225,10 @@ { hi_eo_client_event_log(Session, HI_EO_CLIENT_IIS_UNICODE, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_IIS_UNICODE) + Session->drop_session = 1; + /** End StillSecure **/ } } else @@ -237,6 +245,10 @@ !norm_state->param) { hi_eo_client_event_log(Session, HI_EO_CLIENT_U_ENCODE, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_U_ENCODE) + Session->drop_session = 1; + /** End StillSecure **/ } return iNorm; @@ -359,6 +371,10 @@ !norm_state->param) { hi_eo_client_event_log(Session, HI_EO_CLIENT_BASE36, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_BASE36) + Session->drop_session = 1; + /** End StillSecure **/ } } @@ -393,6 +409,10 @@ !norm_state->param) { hi_eo_client_event_log(Session, HI_EO_CLIENT_BASE36, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_BASE36) + Session->drop_session = 1; + /** End StillSecure **/ } } @@ -403,6 +423,10 @@ { hi_eo_client_event_log(Session, HI_EO_CLIENT_ASCII, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_ASCII) + Session->drop_session = 1; + /** End StillSecure **/ } return iNorm; @@ -473,6 +497,10 @@ { hi_eo_client_event_log(Session, HI_EO_CLIENT_BARE_BYTE, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_BARE_BYTE) + Session->drop_session = 1; + /** End StillSecure **/ } /* @@ -608,6 +636,10 @@ { hi_eo_client_event_log(Session, HI_EO_CLIENT_IIS_UNICODE, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_IIS_UNICODE) + Session->drop_session = 1; + /** End StillSecure **/ } hi_stats.unicode++; @@ -625,6 +657,10 @@ { hi_eo_client_event_log(Session, HI_EO_CLIENT_UTF_8, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_UTF_8) + Session->drop_session = 1; + /** End StillSecure **/ } return iNorm; 
@@ -812,6 +848,11 @@ { hi_eo_client_event_log(Session, HI_EO_CLIENT_DOUBLE_DECODE, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_DOUBLE_DECODE) + Session->drop_session = 1; + /** End StillSecure **/ + } return iNorm; @@ -875,6 +916,10 @@ { hi_eo_client_event_log(Session, HI_EO_CLIENT_IIS_BACKSLASH, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_IIS_BACKSLASH) + Session->drop_session = 1; + /** End StillSecure **/ } iChar = 0x2f; @@ -939,6 +984,10 @@ { hi_eo_client_event_log(Session, HI_EO_CLIENT_WEBROOT_DIR, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_WEBROOT_DIR) + Session->drop_session = 1; + /** End StillSecure **/ } } @@ -1068,6 +1117,10 @@ hi_eo_client_event_log(Session, HI_EO_CLIENT_MULTI_SLASH, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_MULTI_SLASH) + Session->drop_session = 1; + /** End StillSecure **/ } continue; @@ -1110,6 +1163,10 @@ hi_eo_client_event_log(Session, HI_EO_CLIENT_DIR_TRAV, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_DOUBLE_DECODE) + Session->drop_session = 1; + /** End StillSecure **/ } *ptr = dir_ptr; @@ -1135,6 +1192,10 @@ hi_eo_client_event_log(Session, HI_EO_CLIENT_SELF_DIR_TRAV, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_DOUBLE_DECODE) + Session->drop_session = 1; + /** End StillSecure **/ } continue; @@ -1180,6 +1241,9 @@ int iDirLen; u_char *LastDir; + //StillSecure + HTTPINSPECT_CONF *ServerConf = Session->server_conf; + /* ** First check that we are alerting on long directories and then ** check that we've seen a previous directory. @@ -1197,6 +1261,10 @@ { hi_eo_client_event_log(Session, HI_EO_CLIENT_OVERSIZE_DIR, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_OVERSIZE_DIR) + Session->drop_session = 1; + /** End StillSecure **/ } } 
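Review bot: In the hunks at -1110 and -1135 the drop test uses `HI_DROP_DOUBLE_DECODE`, although the events logged just above are `HI_EO_CLIENT_DIR_TRAV` and `HI_EO_CLIENT_SELF_DIR_TRAV`. No visible hunk ever tests `HI_DROP_DIR_TRAV` or `HI_DROP_SELF_DIR_TRAV`, so `drop_dir_traversal` and `drop_self_dir_traversal` are parsed and reported at startup but not enforced. Traversal requests therefore pass an inline sensor configured to drop them, while `drop_double_decode` drops them instead. The tests should read `if(ServerConf->drop_flags & HI_DROP_DIR_TRAV)` and `if(ServerConf->drop_flags & HI_DROP_SELF_DIR_TRAV)`. Both enclosing functions start outside the hunks.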
@@ -1354,6 +1422,10 @@ { hi_eo_client_event_log(Session, HI_EO_CLIENT_NON_RFC_CHAR, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_NON_RFC_CHAR) + Session->drop_session = 1; + /** End StillSecure **/ } } @@ -1465,6 +1537,10 @@ { hi_eo_client_event_log(Session, HI_EO_CLIENT_NON_RFC_CHAR, NULL, NULL); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_NON_RFC_CHAR) + Session->drop_session = 1; + /** End StillSecure **/ } } diff -Naur snort-2.7.0.1/src/preprocessors/HttpInspect/session_inspection/hi_si.c ss-snort-2.7.0.1-http_inspect/src/preprocessors/HttpInspect/session_inspection/hi_si.c --- snort-2.7.0.1/src/preprocessors/HttpInspect/session_inspection/hi_si.c 2007-07-03 14:41:50.000000000 -0600 +++ ss-snort-2.7.0.1-http_inspect/src/preprocessors/HttpInspect/session_inspection/hi_si.c 2007-09-11 10:20:48.000000000 -0600 @@ -18,6 +18,10 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ + + /* Copyright © 2007 Latis Networks, Inc. ((d.b.a. StillSecure) + applies to marked preprocessor drops */ + /** ** @file hi_si.c @@ -252,6 +256,8 @@ Session->client.request.uri_norm_size = 0; Session->client.request.pipeline_req = NULL; + //StillSecure + Session->drop_session = 0; return HI_SUCCESS; } diff -Naur snort-2.7.0.1/src/preprocessors/snort_httpinspect.c ss-snort-2.7.0.1-http_inspect/src/preprocessors/snort_httpinspect.c --- snort-2.7.0.1/src/preprocessors/snort_httpinspect.c 2007-07-03 14:41:44.000000000 -0600 +++ ss-snort-2.7.0.1-http_inspect/src/preprocessors/snort_httpinspect.c 2007-09-11 10:23:05.000000000 -0600 @@ -18,6 +18,10 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ + + /* Copyright © 2007 Latis Networks, Inc. ((d.b.a. StillSecure) + applies to marked preprocessor drops */ + /** ** @file snort_httpinspect.c 
@@ -166,6 +170,27 @@ #define TAB_URI_DELIMITER "tab_uri_delimiter" #define WHITESPACE "whitespace_chars" +/** StillSecure **/ +#define DROP_ASCII "drop_ascii" +#define DROP_DOUBLE_DECODE "drop_double_decode" +#define DROP_U_ENCODE "drop_u_encode" +#define DROP_BARE_BYTE "drop_bare_byte" +#define DROP_BASE36 "drop_base36" +#define DROP_UTF_8 "drop_utf_8" +#define DROP_IIS_UNICODE "drop_iis_unicode" +#define DROP_MULTI_SLASH "drop_multi_slash" +#define DROP_IIS_BACKSLASH "drop_iis_backslash" +#define DROP_SELF_DIR_TRAV "drop_self_dir_traversal" +#define DROP_DIR_TRAV "drop_dir_traversal" +#define DROP_APACHE_WS "drop_apache_whitespace" +#define DROP_IIS_DELIMITER "drop_iis_delimiter" +#define DROP_NON_RFC_CHAR "drop_non_rfc_char" +#define DROP_OVERSIZE_DIR "drop_oversize_dir" +#define DROP_LARGE_CHUNK "drop_large_chunk" +#define DROP_PROXY_USE "drop_proxy_use" +#define DROP_WEBROOT_DIR "drop_webroot_dir" +/** End StillSecure **/ + /* ** Alert subkeywords */ 
@@ -1711,6 +1736,79 @@
 return iRet;
 }
 }
+ /** StillSecure **/
+ else if(!strcmp(DROP_ASCII, pcToken))
+ {
+ ServerConf->drop_flags |= HI_DROP_ASCII;
+ }
+ else if(!strcmp(DROP_DOUBLE_DECODE, pcToken))
+ {
+ ServerConf->drop_flags |= HI_DROP_DOUBLE_DECODE;
+ }
+ else if(!strcmp(DROP_U_ENCODE, pcToken))
+ {
+ ServerConf->drop_flags |= HI_DROP_U_ENCODE;
+ }
+ else if(!strcmp(DROP_BARE_BYTE, pcToken))
+ {
+ ServerConf->drop_flags |= HI_DROP_BARE_BYTE;
+ }
+ else if(!strcmp(DROP_BASE36, pcToken))
+ {
+ ServerConf->drop_flags |= HI_DROP_BASE36;
+ }
+ else if(!strcmp(DROP_UTF_8, pcToken))
+ {
+ ServerConf->drop_flags |= HI_DROP_UTF_8;
+ }
+ else if(!strcmp(DROP_IIS_UNICODE, pcToken))
+ {
+ ServerConf->drop_flags |= HI_DROP_IIS_UNICODE;
+ }
+ else if(!strcmp(DROP_MULTI_SLASH, pcToken))
+ {
+ ServerConf->drop_flags |= HI_DROP_MULTI_SLASH;
+ }
+ else if(!strcmp(DROP_IIS_BACKSLASH, pcToken))
+ {
+ ServerConf->drop_flags |= HI_DROP_IIS_BACKSLASH;
+ }
+ else if(!strcmp(DROP_SELF_DIR_TRAV, pcToken))
+ {
+ ServerConf->drop_flags |= HI_DROP_SELF_DIR_TRAV;
+ }
+ else if(!strcmp(DROP_DIR_TRAV, pcToken))
+ {
+ ServerConf->drop_flags |= HI_DROP_DIR_TRAV;
+ }
+ else if(!strcmp(DROP_APACHE_WS, pcToken))
+ {
+ ServerConf->drop_flags |= HI_DROP_APACHE_WS;
+ }
+ else if(!strcmp(DROP_IIS_DELIMITER, pcToken))
+ {
+ ServerConf->drop_flags |= HI_DROP_IIS_DELIMITER;
+ }
+ else if(!strcmp(DROP_NON_RFC_CHAR, pcToken))
+ {
+ ServerConf->drop_flags |= HI_DROP_NON_RFC_CHAR;
+ }
+ else if(!strcmp(DROP_OVERSIZE_DIR, pcToken))
+ {
+ ServerConf->drop_flags |= HI_DROP_OVERSIZE_DIR;
+ }
+ else if(!strcmp(DROP_LARGE_CHUNK, pcToken))
+ {
+ ServerConf->drop_flags |= HI_DROP_LARGE_CHUNK;
+ }
+ else if(!strcmp(DROP_PROXY_USE, pcToken))
+ {
+ ServerConf->drop_flags |= HI_DROP_PROXY_USE;
+ }
+ else if(!strcmp(DROP_WEBROOT_DIR, pcToken))
+ {
+ ServerConf->drop_flags |= HI_DROP_WEBROOT_DIR;
+ }
 else
 {
 SnortSnprintf(ErrorString, ErrStrLen,
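Review bot: The eighteen added `else if` branches differ only in the keyword/mask pair, a hand-copied pattern in which a wrong mask is easy to miss; the hi_norm.c hunks at -1110 and -1135 of this patch test `HI_DROP_DOUBLE_DECODE` for the traversal events. A keyword-to-mask table with a single lookup branch would shrink the chain, and the startup report could walk the same rows so parser and banner cannot drift apart. The enclosing function and the earlier branches of the chain are outside the hunk; the sketch assumes a local `int iDropMask` is declared there.

```c
/* one row per drop keyword; the startup report can iterate the same table */
static const struct { const char *keyword; int mask; } drop_opts[] = {
    { DROP_ASCII,         HI_DROP_ASCII },
    { DROP_DOUBLE_DECODE, HI_DROP_DOUBLE_DECODE },
    /* … one row for each remaining DROP_* / HI_DROP_* pair … */
    { DROP_WEBROOT_DIR,   HI_DROP_WEBROOT_DIR },
};

/* returns the mask for a drop keyword, or 0 when the token is not one */
static int DropMaskForKeyword(const char *token)
{
    size_t i;

    for(i = 0; i < sizeof(drop_opts) / sizeof(drop_opts[0]); i++)
    {
        if(!strcmp(drop_opts[i].keyword, token))
            return drop_opts[i].mask;
    }
    return 0;
}

/* … unchanged: preceding else-if branches of the option parser … */
else if((iDropMask = DropMaskForKeyword(pcToken)) != 0)
{
    ServerConf->drop_flags |= iDropMask;
}
```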
@@ -1870,6 +1968,82 @@ LogMessage("%s\n", buf); + /** StillSecure **/ + if(ServerConf->drop_flags & HI_DROP_ASCII) + LogMessage(" Drop ASCII Encoding: YES\n"); + else + LogMessage(" Drop ASCII Encoding: NO\n"); + if(ServerConf->drop_flags & HI_DROP_DOUBLE_DECODE) + LogMessage(" Drop Double Decoding: YES\n"); + else + LogMessage(" Drop Double Decoding: NO\n"); + if(ServerConf->drop_flags & HI_DROP_U_ENCODE) + LogMessage(" Drop IIS %%u Encoding: YES\n"); + else + LogMessage(" Drop IIS %%U Encoding: NO\n"); + if(ServerConf->drop_flags & HI_DROP_BARE_BYTE) + LogMessage(" Drop Bare Byte Encoding: YES\n"); + else + LogMessage(" Drop Bare Byte Encoding: NO\n"); + if(ServerConf->drop_flags & HI_DROP_BASE36) + LogMessage(" Drop Base36 Encoding: YES\n"); + else + LogMessage(" Drop Base36 Encoding: NO\n"); + if(ServerConf->drop_flags & HI_DROP_UTF_8) + LogMessage(" Drop UTF-8 Encoding: YES\n"); + else + LogMessage(" Drop UTF-8 Encoding: NO\n"); + if(ServerConf->drop_flags & HI_DROP_IIS_UNICODE) + LogMessage(" Drop IIS Unicode: YES\n"); + else + LogMessage(" Drop IIS Unicode: NO\n"); + if(ServerConf->drop_flags & HI_DROP_MULTI_SLASH) + LogMessage(" Drop Multiple Slashes: YES\n"); + else + LogMessage(" Drop Multiple Slashes: NO\n"); + if(ServerConf->drop_flags & HI_DROP_IIS_BACKSLASH) + LogMessage(" Drop IIS Backslash: YES\n"); + else + LogMessage(" Drop IIS Backslash: NO\n"); + if(ServerConf->drop_flags & HI_DROP_SELF_DIR_TRAV) + LogMessage(" Drop Self Reference Traversals: YES\n"); + else + LogMessage(" Drop Self Reference Traversals: NO\n"); + if(ServerConf->drop_flags & HI_DROP_DIR_TRAV) + LogMessage(" Drop Self Directory Traversals: YES\n"); + else + LogMessage(" Drop Self Directory Traversals: NO\n"); + if(ServerConf->drop_flags & HI_DROP_APACHE_WS) + LogMessage(" Drop Apache Whitespace: YES\n"); + else + LogMessage(" Drop Apache Whitespace: NO\n"); + if(ServerConf->drop_flags & HI_DROP_IIS_DELIMITER) + LogMessage(" Drop Non-RFC Delimeter: YES\n"); + else + LogMessage(" 
Drop Non-RFC Delimeter: NO\n"); + if(ServerConf->drop_flags & HI_DROP_NON_RFC_CHAR) + LogMessage(" Drop Non-RFC Char: YES\n"); + else + LogMessage(" Drop NON-RFC Char: NO\n"); + if(ServerConf->drop_flags & HI_DROP_OVERSIZE_DIR) + LogMessage(" Drop Oversize URI Request: YES\n"); + else + LogMessage(" Drop Oversize URI Request: NO\n"); + if(ServerConf->drop_flags & HI_DROP_LARGE_CHUNK) + LogMessage(" Drop Oversize Chunk Encoding: YES\n"); + else + LogMessage(" Drop Oversize Chunk Encoding: NO\n"); + if(ServerConf->drop_flags & HI_DROP_PROXY_USE) + LogMessage(" Drop Proxy Use: YES\n"); + else + LogMessage(" Drop Proxy Use: NO\n"); + if(ServerConf->drop_flags & HI_DROP_WEBROOT_DIR) + LogMessage(" Drop Webroot Directory Traversal: YES\n"); + else + LogMessage(" Drop Webroot Directory Traversal: NO\n"); + /** End StillSecure **/ + + return 0; } 
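Review bot: Several labels in the added startup report do not match the flag they print, and this banner is what an operator reads to confirm the drop policy. The `HI_DROP_DIR_TRAV` branch prints "Drop Self Directory Traversals" and should read `LogMessage(" Drop Directory Traversals: YES\n");` (and the same for NO). The YES/NO pairs are also inconsistent for `HI_DROP_U_ENCODE` (`%%u` vs `%%U`) and `HI_DROP_NON_RFC_CHAR` ("Non-RFC Char" vs "NON-RFC Char"), and the `HI_DROP_IIS_DELIMITER` lines are labelled "Non-RFC Delimeter", with "Delimiter" misspelled. The enclosing function starts outside the hunk.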
@@ -2276,76 +2450,83 @@ { iEvent = GenEvents.stack[iCtr]; OrigEvent = &(GenEvents.events[iEvent]); + //StillSecure + HiEvent = OrigEvent; /* ** Set the event to start off the comparison */ - if(!HiEvent) - { - HiEvent = OrigEvent; - } +//SS if(!HiEvent) +//SS { +//SS HiEvent = OrigEvent; +//SS } /* ** This is our "comparison function". Log the event with the highest ** priority. */ - if(OrigEvent->event_info->priority < HiEvent->event_info->priority) - { - HiEvent = OrigEvent; - } +//SS if(OrigEvent->event_info->priority < HiEvent->event_info->priority) +//SS { +//SS HiEvent = OrigEvent; +//SS } /* ** IMPORTANT: ** This is how we reset the events in the event queue. ** If you miss this step, you can be really screwed. */ - OrigEvent->count = 0; - } +//SS OrigEvent->count = 0; +//SS } - /* - ** We use the iEvent+1 because the event IDs between snort and - ** HttpInspect are mapped off-by-one. Don't ask why, drink Bud - ** Dry . . . They're mapped off-by one because in the internal - ** HttpInspect queue, events are mapped starting at 0. For some - ** reason, it appears that the first event can't be zero, so we - ** use the internal value and add one for snort. - */ - iEvent = HiEvent->event_info->alert_id + 1; + /* + ** We use the iEvent+1 because the event IDs between snort and + ** HttpInspect are mapped off-by-one. Don't ask why, drink Bud + ** Dry . . . They're mapped off-by one because in the internal + ** HttpInspect queue, events are mapped starting at 0. For some + ** reason, it appears that the first event can't be zero, so we + ** use the internal value and add one for snort. + */ + iEvent = HiEvent->event_info->alert_id + 1; - uiMask = (u_int32_t)(1 << (iEvent & 31)); + uiMask = (u_int32_t)(1 << (iEvent & 31)); - /* - ** If we've already logged this event for this stream, then - ** don't log it again. 
- */ - if(p->ssnptr) - { - httpflags = (u_int32_t)stream_api->get_application_data(p->ssnptr, - PP_HTTPINSPECT); - } + /* + ** If we've already logged this event for this stream, then + ** don't log it again. + */ + if(p->ssnptr) + { + httpflags = (u_int32_t)stream_api->get_application_data(p->ssnptr, + PP_HTTPINSPECT); + } - if (httpflags & uiMask) - { - return 0; - } + if (httpflags & uiMask) + { + return 0; + } - SnortEventqAdd(iGenerator, iEvent, 1, 0, 3, HiEvent->event_info->alert_str,0); + SnortEventqAdd(iGenerator, iEvent, 1, 0, 3, HiEvent->event_info->alert_str,0); + /** StillSecure **/ + if(hi_ssn->drop_session && InlineMode()) + InlineDrop(p); + /** End StillSecure **/ - /* - ** Set the http_flag (preproc_specific data) bit so we don't log the event on a reassembled - ** stream. - */ - if(p->ssnptr) - { - httpflags |= uiMask; - stream_api->set_application_data(p->ssnptr, PP_HTTPINSPECT, - (void *)httpflags, NULL); - } + /* + ** Set the http_flag (preproc_specific data) bit so we don't log the event on a reassembled + ** stream. + */ + if(p->ssnptr) + { + httpflags |= uiMask; + stream_api->set_application_data(p->ssnptr, PP_HTTPINSPECT, + (void *)httpflags, NULL); + } - /* - ** Reset the event queue stack counter, in the case of pipelined - ** requests. - */ + /* + ** Reset the event queue stack counter, in the case of pipelined + ** requests. + */ + }//StillSecure *(GenEvents.stack_count) = 0; return 0;
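Review bot: The `return 0;` taken when `httpflags & uiMask` is set now sits inside the event loop, whose closing brace moved down to `}//StillSecure`. Once an event has been logged on a stream the function returns before `InlineDrop(p)`, before the remaining queued events are handled and before `*(GenEvents.stack_count) = 0;`. In inline mode a repeat of the same anomaly on that stream is therefore neither alerted nor dropped, and the queue stays populated for the next packet. The per-event reset `OrigEvent->count = 0;` is also commented out, against the IMPORTANT comment directly above it. `hi_ssn` is not declared in the hunk and the function starts and ends outside it, so the sketch assumes it is the session pointer already in scope.

```c
        OrigEvent = &(GenEvents.events[iEvent]);
        HiEvent = OrigEvent;

        /* reset the queued event before anything can leave this iteration */
        OrigEvent->count = 0;

        /* enforce the drop decision even if this alert was already logged on the stream */
        if(hi_ssn->drop_session && InlineMode())
            InlineDrop(p);

        /* … unchanged: iEvent / uiMask computation, httpflags lookup … */

        if (httpflags & uiMask)
        {
            /* already logged: skip the alert, keep processing the queue */
            continue;
        }

        /* … unchanged: SnortEventqAdd, set_application_data … */
```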