Add "udp_content_ports" option

Any port in that set found as either source or destination port of a UDP packet will cause the "udp_contents" event to be raised.
2025-10-10 02:28:21 +00:00 · 2020-04-07 13:02:29 -07:00 · 2020-04-07 13:02:29 -07:00 · c1b3c9593b
commit c1b3c9593b
parent 2da84020cf
7 changed files with 60 additions and 24 deletions
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@ -75,6 +75,7 @@ bool tcp_content_deliver_all_resp;

 TableVal* udp_content_delivery_ports_orig;
 TableVal* udp_content_delivery_ports_resp;
+TableVal* udp_content_ports;
 bool udp_content_deliver_all_orig;
 bool udp_content_deliver_all_resp;
 bool udp_content_delivery_ports_use_resp;
@ -320,6 +321,8 @@ void init_net_var()
 		internal_val("udp_content_delivery_ports_orig")->AsTableVal();
 	udp_content_delivery_ports_resp =
 		internal_val("udp_content_delivery_ports_resp")->AsTableVal();
+	udp_content_ports =
+		internal_val("udp_content_ports")->AsTableVal();
 	udp_content_deliver_all_orig =
 		bool(internal_val("udp_content_deliver_all_orig")->AsBool());
 	udp_content_deliver_all_resp =
--- a/src/NetVar.h
+++ b/src/NetVar.h
@ -75,6 +75,7 @@ extern bool tcp_content_deliver_all_resp;

 extern TableVal* udp_content_delivery_ports_orig;
 extern TableVal* udp_content_delivery_ports_resp;
+extern TableVal* udp_content_ports;
 extern bool udp_content_deliver_all_orig;
 extern bool udp_content_deliver_all_resp;
 extern bool udp_content_delivery_ports_use_resp;
--- a/src/analyzer/protocol/udp/UDP.cc
+++ b/src/analyzer/protocol/udp/UDP.cc
@ -134,24 +134,33 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,

 	if ( udp_contents )
 		{
-		uint16_t p = udp_content_delivery_ports_use_resp ? Conn()->RespPort()
-		                                                 : up->uh_dport;
-		auto port_val = val_mgr->GetPort(ntohs(p), TRANSPORT_UDP);
 		bool do_udp_contents = false;
+		auto sport_val = IntrusivePtr{AdoptRef{}, val_mgr->GetPort(ntohs(up->uh_sport), TRANSPORT_UDP)};
+		auto dport_val = IntrusivePtr{AdoptRef{}, val_mgr->GetPort(ntohs(up->uh_dport), TRANSPORT_UDP)};

-		if ( is_orig )
-			{
-			auto result = udp_content_delivery_ports_orig->Lookup(port_val);
-
-			if ( udp_content_deliver_all_orig || (result && result->AsBool()) )
-				do_udp_contents = true;
-			}
+		if ( udp_content_ports->Lookup(dport_val.get()) ||
+		     udp_content_ports->Lookup(sport_val.get()) )
+			do_udp_contents = true;
 		else
 			{
-			auto result = udp_content_delivery_ports_resp->Lookup(port_val);
+			uint16_t p = udp_content_delivery_ports_use_resp ? Conn()->RespPort()
+			                                                 : up->uh_dport;
+			auto port_val = IntrusivePtr{AdoptRef{}, val_mgr->GetPort(ntohs(p), TRANSPORT_UDP)};

-			if ( udp_content_deliver_all_resp || (result && result->AsBool()) )
-				do_udp_contents = true;
+			if ( is_orig )
+				{
+				auto result = udp_content_delivery_ports_orig->Lookup(port_val.get());
+
+				if ( udp_content_deliver_all_orig || (result && result->AsBool()) )
+					do_udp_contents = true;
+				}
+			else
+				{
+				auto result = udp_content_delivery_ports_resp->Lookup(port_val.get());
+
+				if ( udp_content_deliver_all_resp || (result && result->AsBool()) )
+					do_udp_contents = true;
+				}
 			}

 		if ( do_udp_contents )
@ -160,8 +169,6 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
 				make_intrusive<StringVal>(len, (const char*) data)
 			);
-
-		Unref(port_val);
 		}

 	if ( is_orig )