static inline int SIP_RoptDoEval(SFSnortPacket *p)
{
if ((p->payload_size == 0) ||
(p->stream_session == NULL) ||
(!IsTCP(p) && !IsUDP(p)))
{
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "No payload or no "
"session pointer or not TCP or UDP - not evaluating.\n"));
return 0;
}
return 1;
}
/*********************************************************************
* Function: DCE2_Main()
*
* Purpose: Main entry point for DCE/RPC processing.
*
* Arguments:
* void * - pointer to packet structure
* void * - pointer to context
*
* Returns: None
*
*********************************************************************/
static void DCE2_Main(void *pkt, void *context)
{
SFSnortPacket *p = (SFSnortPacket *)pkt;
PROFILE_VARS;
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__START_MSG));
sfPolicyUserPolicySet (dce2_config, _dpd.getRuntimePolicy());
#ifdef DEBUG_MSGS
if (DCE2_SsnFromServer(p))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Packet from Server.\n"));
}
else
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Packet from Client.\n"));
}
#endif
/* No inspection to do */
if ((p->payload_size == 0) || (p->payload == NULL))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "No payload - not inspecting.\n"));
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__END_MSG));
return;
}
else if (p->stream_session_ptr == NULL)
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "No session pointer - not inspecting.\n"));
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__END_MSG));
return;
}
else if (!IsTCP(p) && !IsUDP(p))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Not UDP or TCP - not inspecting.\n"));
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__END_MSG));
return;
}
if (IsTCP(p))
{
if (DCE2_SsnIsMidstream(p))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Midstream - not inspecting.\n"));
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__END_MSG));
return;
}
else if (!DCE2_SsnIsEstablished(p))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Not established - not inspecting.\n"));
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__END_MSG));
return;
}
}
PREPROC_PROFILE_START(dce2_pstat_main);
if (DCE2_Process(p) == DCE2_RET__INSPECTED)
DCE2_DisableDetect(p);
PREPROC_PROFILE_END(dce2_pstat_main);
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__END_MSG));
}
/* Main runtime entry point for SIP preprocessor.
* Analyzes SIP packets for anomalies/exploits.
*
* PARAMETERS:
*
* packetp: Pointer to current packet to process.
* contextp: Pointer to context block, not used.
*
* RETURNS: Nothing.
*/
static void SIPmain( void* ipacketp, void* contextp )
{
SIPData* sessp = NULL;
uint8_t source = 0;
uint8_t dest = 0;
SFSnortPacket* packetp;
#ifdef TARGET_BASED
int16_t app_id = SFTARGET_UNKNOWN_PROTOCOL;
#endif
tSfPolicyId policy_id = _dpd.getRuntimePolicy();
PROFILE_VARS;
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__START_MSG));
packetp = (SFSnortPacket*) ipacketp;
sfPolicyUserPolicySet (sip_config, policy_id);
/* Make sure this preprocessor should run. */
if (( !packetp ) || ( !packetp->payload ) ||( !packetp->payload_size ))
{
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "No payload - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
return;
}
/* check if we're waiting on stream reassembly */
else if ( packetp->flags & FLAG_STREAM_INSERT)
{
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Stream inserted - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
return;
}
else if (!IsTCP(packetp) && !IsUDP(packetp))
{
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Not UDP or TCP - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
return;
}
PREPROC_PROFILE_START(sipPerfStats);
sip_eval_config = sfPolicyUserDataGetCurrent(sip_config);
/* Attempt to get a previously allocated SIP block. */
sessp = _dpd.streamAPI->get_application_data(packetp->stream_session_ptr, PP_SIP);
if (sessp != NULL)
{
sip_eval_config = sfPolicyUserDataGet(sessp->config, sessp->policy_id);
}
if (sessp == NULL)
{
/* If not doing autodetection, check the ports to make sure this is
* running on an SIP port, otherwise no need to examine the traffic.
*/
#ifdef TARGET_BASED
app_id = _dpd.streamAPI->get_application_protocol_id(packetp->stream_session_ptr);
if (app_id == SFTARGET_UNKNOWN_PROTOCOL)
{
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Unknown protocol - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
PREPROC_PROFILE_END(sipPerfStats);
return;
}
else if (app_id && (app_id != sip_app_id))
{
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Not SIP - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
PREPROC_PROFILE_END(sipPerfStats);
return;
}
else if (!app_id)
{
#endif
source = (uint8_t)CheckSIPPort( packetp->src_port );
dest = (uint8_t)CheckSIPPort( packetp->dst_port );
if ( !source && !dest )
{
/* Not one of the ports we care about. */
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Not SIP ports - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
PREPROC_PROFILE_END(sipPerfStats);
return;
}
#ifdef TARGET_BASED
}
#endif
/* Check the stream session. If it does not currently
* have our SIP data-block attached, create one.
*/
sessp = SIPGetNewSession(packetp, policy_id);
if ( !sessp )
{
/* Could not get/create the session data for this packet. */
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Create session error - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
PREPROC_PROFILE_END(sipPerfStats);
return;
}
}
/* Don't process if we've missed packets */
if (sessp->state_flags & SIP_FLG_MISSED_PACKETS)
{
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Missed packets - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
PREPROC_PROFILE_END(sipPerfStats);
return;
}
/* If we picked up mid-stream or missed any packets (midstream pick up
* means we've already missed packets) set missed packets flag and make
* sure we don't do any more reassembly on this session */
if (IsTCP(packetp))
{
if ((_dpd.streamAPI->get_session_flags(packetp->stream_session_ptr) & SSNFLAG_MIDSTREAM)
|| _dpd.streamAPI->missed_packets(packetp->stream_session_ptr, SSN_DIR_BOTH))
{
_dpd.streamAPI->set_reassembly(packetp->stream_session_ptr,
STREAM_FLPOLICY_IGNORE, SSN_DIR_BOTH,
STREAM_FLPOLICY_SET_ABSOLUTE);
sessp->state_flags |= SIP_FLG_MISSED_PACKETS;
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Missed packets - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
PREPROC_PROFILE_END(sipPerfStats);
return;
}
}
/* We're interested in this session. Turn on stream reassembly. */
if ( !(sessp->state_flags & SIP_FLG_REASSEMBLY_SET ))
{
_dpd.streamAPI->set_reassembly(packetp->stream_session_ptr,
STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_BOTH, STREAM_FLPOLICY_SET_ABSOLUTE);
sessp->state_flags |= SIP_FLG_REASSEMBLY_SET;
}
/*
* Start process PAYLOAD
*/
SIP_Process(packetp,sessp);
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
PREPROC_PROFILE_END(sipPerfStats);
}
void GetLWPacketDirection(Packet *p, Stream5LWSession *ssn)
{
#ifndef SUP_IP6
if (p->iph->ip_src.s_addr == ssn->client_ip)
{
if ( IsTCP(p) )
{
if (p->tcph->th_sport == ssn->client_port)
{
p->packet_flags |= PKT_FROM_CLIENT;
}
else
{
p->packet_flags |= PKT_FROM_SERVER;
}
}
else if ( IsUDP(p) )
{
if (p->udph->uh_sport == ssn->client_port)
{
p->packet_flags |= PKT_FROM_CLIENT;
}
else
{
p->packet_flags |= PKT_FROM_SERVER;
}
}
else if ( IsICMP(p) )
{
p->packet_flags |= PKT_FROM_CLIENT;
}
}
else if (p->iph->ip_dst.s_addr == ssn->client_ip)
{
if ( IsTCP(p) )
{
if (p->tcph->th_dport == ssn->client_port)
{
p->packet_flags |= PKT_FROM_SERVER;
}
else
{
p->packet_flags |= PKT_FROM_CLIENT;
}
}
else if ( IsUDP(p) )
{
if (p->udph->uh_dport == ssn->client_port)
{
p->packet_flags |= PKT_FROM_SERVER;
}
else
{
p->packet_flags |= PKT_FROM_CLIENT;
}
}
else if ( IsICMP(p) )
{
p->packet_flags |= PKT_FROM_CLIENT;
}
}
else
{
/* Uh, no match of the packet to the session. */
/* Probably should log an error */
}
#else
if(IS_IP4(p))
{
if (sfip_fast_eq4(&p->ip4h->ip_src, &ssn->client_ip))
{
if (p->ip4h->ip_proto == IPPROTO_TCP)
{
if (p->tcph->th_sport == ssn->client_port)
{
p->packet_flags |= PKT_FROM_CLIENT;
}
else
{
p->packet_flags |= PKT_FROM_SERVER;
}
}
else if (p->ip4h->ip_proto == IPPROTO_UDP)
{
if (p->udph->uh_sport == ssn->client_port)
{
p->packet_flags |= PKT_FROM_CLIENT;
}
else
{
p->packet_flags |= PKT_FROM_SERVER;
}
}
else if (p->ip4h->ip_proto == IPPROTO_ICMP)
{
p->packet_flags |= PKT_FROM_CLIENT;
}
}
else if (sfip_fast_eq4(&p->ip4h->ip_dst, &ssn->client_ip))
{
if (p->ip4h->ip_proto == IPPROTO_TCP)
{
if (p->tcph->th_dport == ssn->client_port)
{
p->packet_flags |= PKT_FROM_SERVER;
}
else
{
p->packet_flags |= PKT_FROM_CLIENT;
}
}
else if (p->ip4h->ip_proto == IPPROTO_UDP)
{
if (p->udph->uh_dport == ssn->client_port)
{
p->packet_flags |= PKT_FROM_SERVER;
}
else
{
p->packet_flags |= PKT_FROM_CLIENT;
}
}
else if (p->ip4h->ip_proto == IPPROTO_ICMP)
{
p->packet_flags |= PKT_FROM_CLIENT;
}
}
}
else /* IS_IP6(p) */
{
if (sfip_fast_eq6(&p->ip6h->ip_src, &ssn->client_ip))
{
if (p->ip6h->next == IPPROTO_TCP)
{
if (p->tcph->th_sport == ssn->client_port)
{
p->packet_flags |= PKT_FROM_CLIENT;
}
else
{
p->packet_flags |= PKT_FROM_SERVER;
}
}
else if (p->ip6h->next == IPPROTO_UDP)
{
if (p->udph->uh_sport == ssn->client_port)
{
p->packet_flags |= PKT_FROM_CLIENT;
}
else
{
p->packet_flags |= PKT_FROM_SERVER;
}
}
else if (p->ip6h->next == IPPROTO_ICMP)
{
p->packet_flags |= PKT_FROM_CLIENT;
}
}
else if (sfip_fast_eq6(&p->ip6h->ip_dst, &ssn->client_ip))
{
if (p->ip6h->next == IPPROTO_TCP)
{
if (p->tcph->th_dport == ssn->client_port)
{
p->packet_flags |= PKT_FROM_SERVER;
}
else
{
p->packet_flags |= PKT_FROM_CLIENT;
}
}
else if (p->ip6h->next == IPPROTO_UDP)
{
if (p->udph->uh_dport == ssn->client_port)
{
p->packet_flags |= PKT_FROM_SERVER;
}
else
{
p->packet_flags |= PKT_FROM_CLIENT;
}
}
else if (p->ip6h->next == IPPROTO_ICMP)
{
p->packet_flags |= PKT_FROM_CLIENT;
}
}
}
#endif /* SUP_IP6 */
}
/* Main runtime entry point for GTP preprocessor.
* Analyzes GTP packets for anomalies/exploits.
*
* PARAMETERS:
*
* packetp: Pointer to current packet to process.
* contextp: Pointer to context block, not used.
*
* RETURNS: Nothing.
*/
static void GTPmain( void* ipacketp, void* contextp )
{
GTPData* sessp = NULL;
uint8_t source = 0;
uint8_t dest = 0;
SFSnortPacket* packetp;
#ifdef TARGET_BASED
int16_t app_id = SFTARGET_UNKNOWN_PROTOCOL;
#endif
tSfPolicyId policy_id = _dpd.getRuntimePolicy();
PROFILE_VARS;
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__START_MSG));
packetp = (SFSnortPacket*) ipacketp;
sfPolicyUserPolicySet (gtp_config, policy_id);
/* Make sure this preprocessor should run. */
if (( !packetp ) || ( !packetp->payload ) ||( !packetp->payload_size ))
{
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "No payload - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG));
return;
}
else if (!IsUDP(packetp))
{
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Not UDP - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG));
return;
}
PREPROC_PROFILE_START(gtpPerfStats);
gtp_eval_config = sfPolicyUserDataGetCurrent(gtp_config);
/* Attempt to get a previously allocated GTP block. */
sessp = _dpd.streamAPI->get_application_data(packetp->stream_session_ptr, PP_GTP);
if (sessp != NULL)
{
gtp_eval_config = sfPolicyUserDataGet(sessp->config, sessp->policy_id);
}
if (sessp == NULL)
{
/* If not doing autodetection, check the ports to make sure this is
* running on an GTP port, otherwise no need to examine the traffic.
*/
#ifdef TARGET_BASED
app_id = _dpd.streamAPI->get_application_protocol_id(packetp->stream_session_ptr);
if (app_id == SFTARGET_UNKNOWN_PROTOCOL)
{
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Unknown protocol - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG));
PREPROC_PROFILE_END(gtpPerfStats);
return;
}
else if (app_id && (app_id != gtp_app_id))
{
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Not GTP - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG));
PREPROC_PROFILE_END(gtpPerfStats);
return;
}
else if (!app_id)
{
#endif
source = (uint8_t)CheckGTPPort( packetp->src_port );
dest = (uint8_t)CheckGTPPort( packetp->dst_port );
if ( !source && !dest )
{
/* Not one of the ports we care about. */
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Not GTP ports - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG));
PREPROC_PROFILE_END(gtpPerfStats);
return;
}
#ifdef TARGET_BASED
}
#endif
/* Check the stream session. If it does not currently
* have our GTP data-block attached, create one.
*/
sessp = GTPGetNewSession(packetp, policy_id);
if ( !sessp )
{
/* Could not get/create the session data for this packet. */
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Create session error - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG));
PREPROC_PROFILE_END(gtpPerfStats);
return;
}
}
/* We're interested in this session. Turn on stream reassembly. */
if ( !(sessp->state_flags & GTP_FLG_REASSEMBLY_SET ))
{
_dpd.streamAPI->set_reassembly(packetp->stream_session_ptr,
STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_BOTH, STREAM_FLPOLICY_SET_ABSOLUTE);
sessp->state_flags |= GTP_FLG_REASSEMBLY_SET;
}
/*
* Start process PAYLOAD
*/
GTP_Process(packetp,sessp);
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG));
PREPROC_PROFILE_END(gtpPerfStats);
}
