/* Initializes the DNS preprocessor module and registers
* it in the preprocessor list.
*
* PARAMETERS:
*
* argp: Pointer to argument string to process for config
* data.
*
* RETURNS: Nothing.
*/
static void DNSInit( u_char* argp )
{
_dpd.addPreproc( ProcessDNS, PRIORITY_APPLICATION, PP_DNS );
_dpd.addPreprocConfCheck( DNSConfigCheck );
ParseDNSArgs( argp );
#ifdef PERF_PROFILING
_dpd.addPreprocProfileFunc("dns", (void *)&dnsPerfStats, 0, _dpd.totalPerfStats);
#endif
}
/* Called at preprocessor setup time. Links preprocessor keyword
* to corresponding preprocessor initialization function.
*
* PARAMETERS: None.
*
* RETURNS: Nothing.
*
*/
void SetupSSH(void)
{
/* Link preprocessor keyword to initialization function
* in the preprocessor list. */
#ifndef SNORT_RELOAD
_dpd.registerPreproc( "ssh", SSHInit );
#else
_dpd.registerPreproc("ssh", SSHInit, SSHReload,
SSHReloadSwap, SSHReloadSwapFree);
#endif
}
static int SSHCheckPolicyConfig(
tSfPolicyUserContextId config,
tSfPolicyId policyId,
void* pData
)
{
_dpd.setParserPolicy(policyId);
if (!_dpd.isPreprocEnabled(PP_STREAM5))
{
DynamicPreprocessorFatalMessage("SSHCheckPolicyConfig(): The Stream preprocessor must be enabled.\n");
}
return 0;
}
/* Display the configuration for the DNS preprocessor.
*
* PARAMETERS: None.
*
* RETURNS: Nothing.
*/
static void PrintDNSConfig()
{
int index;
_dpd.logMsg("DNS config: \n");
#if 0
_dpd.logMsg(" Autodetection: %s\n",
dns_config.autodetect ?
"ENABLED":"DISABLED");
#endif
_dpd.logMsg(" DNS Client rdata txt Overflow Alert: %s\n",
dns_config.enabled_alerts & DNS_ALERT_RDATA_OVERFLOW ?
"ACTIVE" : "INACTIVE" );
_dpd.logMsg(" Obsolete DNS RR Types Alert: %s\n",
dns_config.enabled_alerts & DNS_ALERT_OBSOLETE_TYPES ?
"ACTIVE" : "INACTIVE" );
_dpd.logMsg(" Experimental DNS RR Types Alert: %s\n",
dns_config.enabled_alerts & DNS_ALERT_EXPERIMENTAL_TYPES ?
"ACTIVE" : "INACTIVE" );
/* Printing ports */
_dpd.logMsg(" Ports:");
for(index = 0; index < MAX_PORTS; index++)
{
if( dns_config.ports[ PORT_INDEX(index) ] & CONV_PORT(index) )
{
_dpd.logMsg(" %d", index);
}
}
_dpd.logMsg("\n");
}
static void SSHReload(char *args)
{
tSfPolicyId policy_id = _dpd.getParserPolicy();
SSHConfig * pPolicyConfig = NULL;
if (ssh_swap_config == NULL)
{
//create a context
ssh_swap_config = sfPolicyConfigCreate();
if (ssh_swap_config == NULL)
{
DynamicPreprocessorFatalMessage("Failed to allocate memory "
"for SSH config.\n");
}
if (_dpd.streamAPI == NULL)
{
DynamicPreprocessorFatalMessage("SetupSSH(): The Stream preprocessor must be enabled.\n");
}
}
sfPolicyUserPolicySet (ssh_swap_config, policy_id);
pPolicyConfig = (SSHConfig *)sfPolicyUserDataGetCurrent(ssh_swap_config);
if (pPolicyConfig != NULL)
{
DynamicPreprocessorFatalMessage("SSH preprocessor can only be "
"configured once.\n");
}
pPolicyConfig = (SSHConfig *)calloc(1, sizeof(SSHConfig));
if (!pPolicyConfig)
{
DynamicPreprocessorFatalMessage("Could not allocate memory for "
"SSH preprocessor configuration.\n");
}
sfPolicyUserDataSetCurrent(ssh_swap_config, pPolicyConfig);
ParseSSHArgs(pPolicyConfig, (u_char *)args);
_dpd.addPreproc( ProcessSSH, PRIORITY_APPLICATION, PP_SSH, PROTO_BIT__TCP );
_dpd.addPreprocReloadVerify(SSHReloadVerify);
_addPortsToStream5Filter(pPolicyConfig, policy_id);
#ifdef TARGET_BASED
_addServicesToStream5Filter(policy_id);
#endif
}
/* Initializes the SSH preprocessor module and registers
* it in the preprocessor list.
*
* PARAMETERS:
*
* argp: Pointer to argument string to process for config
* data.
*
* RETURNS: Nothing.
*/
static void
SSHInit( u_char* argp )
{
if(!_dpd.streamAPI)
{
_dpd.fatalMsg("SetupSSH(): The Stream preprocessor must be enabled.\n");
}
_dpd.addPreproc( ProcessSSH, PRIORITY_APPLICATION, PP_SSH );
ParseSSHArgs( argp );
#ifdef PERF_PROFILING
_dpd.addPreprocProfileFunc("ssh", (void *)&sshPerfStats, 0, _dpd.totalPerfStats);
#endif
}
/* Called at preprocessor setup time. Links preprocessor keyword
* to corresponding preprocessor initialization function.
*
* PARAMETERS: None.
*
* RETURNS: Nothing.
*
*/
void SetupSSH()
{
/* Link preprocessor keyword to initialization function
* in the preprocessor list.
*/
_dpd.registerPreproc( "ssh", SSHInit );
}
/********************************************************************
* Function: DCE2_GetDebugLevel()
*
* Gets the debugging level set by the DCE2 debugging environment
* variable on the first call. Subsequent calls will used the
* cached value.
*
* Arguments: None
*
* Returns:
* uint32_t
* The debugging level set by the environment variable.
*
********************************************************************/
static uint32_t DCE2_GetDebugLevel(void)
{
static int debug_init = 0;
static uint32_t debug_level = 0;
const char* value;
if (debug_init)
return debug_level;
value = getenv(DCE2_DEBUG_VARIABLE);
if (value != NULL)
{
char *endptr;
debug_level = _dpd.SnortStrtoul(value, &endptr, 0);
if ((errno == ERANGE) || (*endptr != '\0'))
{
DCE2_Log(DCE2_LOG_TYPE__WARN,
"\"%s\" value out of range or not a number: %s. "
"Debugging will not be turned on.",
DCE2_DEBUG_VARIABLE, value);
debug_level = 0;
}
}
debug_init = 1;
return debug_level;
}
/* Display the configuration for the SSL preprocessor.
*
* PARAMETERS: None.
*
* RETURNS: Nothing.
*/
static void PrintSSLConfig( const SSLConfig* ssl_config )
{
int index;
if (ssl_config->server_cnt > 0)
{
_dpd.logMsg("SSL Config:\n");
_dpd.logMsg(" Server(s):\n");
for(index = 0; index < ssl_config->server_cnt; index++)
{
_dpd.logMsg("IP address: %s\n", inet_ntoa(ssl_config->server[index]->server_ip));
_dpd.logMsg(" Port: %i\n", ssl_config->server[index]->port);
_dpd.logMsg(" Keyfile: %s\n\n", ssl_config->server[index]->server_keyfile);
}
}
}
static int SSHReloadVerify(void)
{
if (!_dpd.isPreprocEnabled(PP_STREAM5))
{
DynamicPreprocessorFatalMessage("SetupSSH(): The Stream preprocessor must be enabled.\n");
}
return 0;
}
/* Called at preprocessor setup time. Links preprocessor keyword
* to corresponding preprocessor initialization function.
*
* PARAMETERS: None.
*
* RETURNS: Nothing.
*
*/
void SetupDNS()
{
/* Link preprocessor keyword to initialization function
* in the preprocessor list.
*/
_dpd.registerPreproc( "dns", DNSInit );
memset(dns_config.ports, 0, sizeof(char) * (MAX_PORTS/8));
}
NORETURN void DynamicPreprocessorFatalMessage(const char *format, ...)
{
char buf[STD_BUF];
va_list ap;
va_start(ap, format);
vsnprintf(buf, STD_BUF, format, ap);
va_end(ap);
buf[STD_BUF - 1] = '\0';
_dpd.fatalMsg("%s", buf);
exit(1);
}
int LoadConfig( const u_char* conf, SSLConfig* cfg )
{
ParseContext ctx;
u_char* conf_copy = NULL;
ConfigToken TopLevelTokens[] = { Token_Server, Token_EOF };
ConfigToken token = Token_Unknown;
error_buffer[0] = 0;
conf_copy = (u_char*) malloc( strlen( conf ) + 1 );
strcpy( conf_copy, conf );
memset( &ctx, 0, sizeof(ctx) );
ctx.input = conf_copy;
ctx.config = cfg;
do
{
token = ParseOneOf( &ctx, TopLevelTokens, ARRAY_SIZE( TopLevelTokens ) );
if( token == Token_Server )
{
if( ParseServer( &ctx ) == CONFIG_PARSE_ERROR ) token = CONFIG_PARSE_ERROR;
}
} while ( token == Token_Server );
free( conf_copy ); conf_copy = ctx.input = NULL;
/* make sure we have at least one server set up */
if( token != CONFIG_PARSE_ERROR && ctx.config->server_cnt == 0 )
{
sprintf( error_buffer, "%s: at least one SSL server's configuration is expected", ERROR_PREFIX );
token = CONFIG_PARSE_ERROR;
}
if( token == CONFIG_PARSE_ERROR )
{
if( strlen( error_buffer ) )
{
_dpd.fatalMsg( "%s(%d) => %s", *(_dpd.config_file), *(_dpd.config_line), error_buffer );
}
return CONFIG_PARSE_ERROR;
}
PrintSSLConfig( ctx.config );
return 0;
}
void ExampleSetup()
{
_dpd.registerPreproc("dynamic_example", ExampleInit, 0, 0, 0);
DEBUG_WRAP(_dpd.debugMsg(DEBUG_PLUGIN, "Preprocessor: Example is setup\n"););
/*
* Handle X-Link2State vulnerability
*
* From Lurene Grenier:
The X-LINK2STATE command always takes the following form:
X-LINK2STATE [FIRST|NEXT|LAST] CHUNK=<SOME DATA>
The overwrite occurs when three criteria are met:
No chunk identifier exists - ie neither FIRST, NEXT, or LAST are specified
No previous FIRST chunk was sent
<SOME DATA> has a length greater than 520 bytes
Normally you send a FIRST chunk, then some intermediary chunks marked with
either NEXT or not marked, then finally a LAST chunk. If no first chunk is
sent, and a chunk with no specifier is sent, it assumes it must append to
something, but it has nothing to append to, so an overwrite occurs. Sending out
of order chunks WITH specifiers results in an exception.
So simply:
if (gotFirstChunk)
next; # chunks came with proper first chunk specified
if (/X-LINK2STATE [FIRST|NEXT|LAST] CHUNK/) {
if (/X-LINK2STATE FIRST CHUNK/) gotFirstChunk = TRUE;
next; # some specifier is marked
}
if (chunkLen > 520)
attempt = TRUE; # Gotcha!
Usually it takes more than one unspecified packet in a row, but I think this is
just a symptom of the fact that we're triggering a heap overwrite, and not a
condition of the bug. However, if we're still getting FPs this might be an
avenue to try.
*
* @param p standard Packet structure
* @param x pointer to "X-LINK2STATE" in buffer
*
* @retval 1 if alert raised
* @retval 0 if no alert raised
*/
int ParseXLink2State(SFSnortPacket *p, const uint8_t *ptr)
{
uint8_t *lf = NULL;
uint32_t len = 0;
char x_keyword;
const uint8_t *end;
if (p == NULL || ptr == NULL)
return 0;
/* If we got a FIRST chunk on this stream, this is not an exploit */
if (smtp_ssn->session_flags & SMTP_FLAG_XLINK2STATE_GOTFIRSTCHUNK)
return 0;
/* Calculate length from pointer to end of packet data */
end = p->payload + p->payload_size;
if (ptr >= end)
return 0;
/* Check for "FIRST" or "CHUNK" after X-LINK2STATE */
x_keyword = get_xlink_keyword(ptr, end);
if (x_keyword != XLINK_CHUNK)
{
if (x_keyword == XLINK_FIRST)
smtp_ssn->session_flags |= SMTP_FLAG_XLINK2STATE_GOTFIRSTCHUNK;
return 0;
}
ptr = (uint8_t *)memchr((char *)ptr, '=', end - ptr);
if (ptr == NULL)
return 0;
/* move past '=' and make sure we're within bounds */
ptr++;
if (ptr >= end)
return 0;
/* Look for one of two patterns:
*
* ... CHUNK={0000006d} MULTI (5) ({00000000051} ...
* ... CHUNK=AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n
*/
if (*ptr == '{')
{
/* move past '{' and make sure we're within bounds */
ptr++;
if ((ptr + 8) >= end)
return 0;
/* Get length - can we always trust it? */
len = get_xlink_hex_value(ptr, end);
}
else
{
lf = (uint8_t *)memchr((char *)ptr, '\n', end - ptr);
if (lf == NULL)
return 0;
len = lf - ptr;
}
if (len > XLINK2STATE_MAX_LEN)
{
/* Need to drop the packet if we're told to
* (outside of whether its thresholded). */
if (smtp_eval_config->drop_xlink2state)
{
_dpd.inlineDrop(p);
}
SMTP_GenerateAlert(SMTP_XLINK2STATE_OVERFLOW, "%s", SMTP_XLINK2STATE_OVERFLOW_STR);
smtp_ssn->session_flags |= SMTP_FLAG_XLINK2STATE_ALERTED;
return 1;
}
/* Check for more than one command in packet */
ptr = (uint8_t *)memchr((char *)ptr, '\n', end - ptr);
if (ptr == NULL)
return 0;
/* move past '\n' */
ptr++;
if (ptr < end)
{
ParseXLink2State(p, ptr);
}
return 0;
}
/**
**
** xlink2state { <enable/disable> <drop> }
**
** @param ErrorString error string buffer
** @param ErrStrLen the length of the error string buffer
**
** @return an error code integer
** (0 = success, >0 = non-fatal error, <0 = fatal error)
**
** @retval 0 successs
** @retval -1 generic fatal error
*/
static int ProcessXlink2State(char *ErrorString, int ErrStrLen)
{
char *pcToken;
int iEnd = 0;
pcToken = strtok(NULL, CONF_SEPARATORS);
if(!pcToken)
{
snprintf(ErrorString, ErrStrLen,
"Invalid xlink2state argument format.");
return -1;
}
if(strcmp(CONF_START_LIST, pcToken))
{
snprintf(ErrorString, ErrStrLen,
"Must start xlink2state arguments with the '%s' token.",
CONF_START_LIST);
return -1;
}
while ((pcToken = strtok(NULL, CONF_SEPARATORS)) != NULL)
{
if(!strcmp(CONF_END_LIST, pcToken))
{
iEnd = 1;
break;
}
if ( !strcasecmp(CONF_DISABLE, pcToken) )
{
_smtp_config.alert_xlink2state = 0;
_smtp_config.ports[XLINK2STATE_DEFAULT_PORT / 8] &= ~(1 << (XLINK2STATE_DEFAULT_PORT % 8));
}
else if ( !strcasecmp(CONF_ENABLE, pcToken) )
{
_smtp_config.alert_xlink2state = 1;
_smtp_config.ports[XLINK2STATE_DEFAULT_PORT / 8] |= 1 << (XLINK2STATE_DEFAULT_PORT % 8);
}
else if ( !strcasecmp(CONF_INLINE_DROP, pcToken) )
{
if (!_smtp_config.alert_xlink2state)
{
snprintf(ErrorString, ErrStrLen,
"Alerting on X-LINK2STATE must be enabled to drop.");
return -1;
}
if (_dpd.inlineMode())
{
_smtp_config.drop_xlink2state = 1;
}
else
{
snprintf(ErrorString, ErrStrLen,
"Cannot use 'drop' keyword in X-LINK2STATE config "
"if Snort is not in inline mode.");
return -1;
}
}
}
if(!iEnd)
{
snprintf(ErrorString, ErrStrLen,
"Must end '%s' configuration with '%s'.",
CONF_XLINK2STATE, CONF_END_LIST);
return -1;
}
return 0;
}
static void PrintConfig(void)
{
int i;
const SMTPToken *cmd;
char buf[8192];
memset(&buf[0], 0, sizeof(buf));
_dpd.logMsg("\nSMTP Config:\n");
snprintf(buf, sizeof(buf) - 1, " Ports: ");
for (i = 0; i < 65536; i++)
{
if (_smtp_config.ports[i / 8] & (1 << (i % 8)))
{
_dpd.printfappend(buf, sizeof(buf) - 1, "%d ", i);
}
}
_dpd.logMsg("%s\n", buf);
_dpd.logMsg(" Inspection Type: %s\n",
_smtp_config.inspection_type ? "Stateful" : "Stateless");
snprintf(buf, sizeof(buf) - 1, " Normalize: ");
switch (_smtp_config.normalize)
{
case NORMALIZE_ALL:
_dpd.printfappend(buf, sizeof(buf) - 1, "all");
break;
case NORMALIZE_NONE:
_dpd.printfappend(buf, sizeof(buf) - 1, "none");
break;
case NORMALIZE_CMDS:
if (_smtp_config.print_cmds)
{
for (cmd = _smtp_cmds; cmd->name != NULL; cmd++)
{
if (_smtp_cmd_config[cmd->search_id].normalize)
{
_dpd.printfappend(buf, sizeof(buf) - 1, "%s ", cmd->name);
}
}
}
else
{
_dpd.printfappend(buf, sizeof(buf) - 1, "cmds");
}
break;
}
_dpd.logMsg("%s\n", buf);
_dpd.logMsg(" Ignore Data: %s\n",
_smtp_config.ignore_data ? "Yes" : "No");
_dpd.logMsg(" Ignore TLS Data: %s\n",
_smtp_config.ignore_tls_data ? "Yes" : "No");
_dpd.logMsg(" Ignore SMTP Alerts: %s\n",
_smtp_config.no_alerts ? "Yes" : "No");
if (!_smtp_config.no_alerts)
{
snprintf(buf, sizeof(buf) - 1, " Max Command Line Length: ");
if (_smtp_config.max_command_line_len == 0)
_dpd.printfappend(buf, sizeof(buf) - 1, "Unlimited");
else
_dpd.printfappend(buf, sizeof(buf) - 1, "%d", _smtp_config.max_command_line_len);
_dpd.logMsg("%s\n", buf);
if (_smtp_config.print_cmds)
{
int max_line_len_count = 0;
int max_line_len = 0;
snprintf(buf, sizeof(buf) - 1, " Max Specific Command Line Length: ");
for (cmd = _smtp_cmds; cmd->name != NULL; cmd++)
{
max_line_len = _smtp_cmd_config[cmd->search_id].max_line_len;
if (max_line_len != 0)
{
if (max_line_len_count % 5 == 0)
{
_dpd.logMsg("%s\n", buf);
snprintf(buf, sizeof(buf) - 1, " %s:%d ", cmd->name, max_line_len);
}
else
{
_dpd.printfappend(buf, sizeof(buf) - 1, "%s:%d ", cmd->name, max_line_len);
}
max_line_len_count++;
}
}
if (max_line_len_count == 0)
_dpd.logMsg("%sNone\n", buf);
else
_dpd.logMsg("%s\n", buf);
}
snprintf(buf, sizeof(buf) - 1, " Max Header Line Length: ");
if (_smtp_config.max_header_line_len == 0)
_dpd.logMsg("%sUnlimited\n", buf);
else
_dpd.logMsg("%s%d\n", buf, _smtp_config.max_header_line_len);
snprintf(buf, sizeof(buf) - 1, " Max Response Line Length: ");
if (_smtp_config.max_response_line_len == 0)
_dpd.logMsg("%sUnlimited\n", buf);
else
_dpd.logMsg("%s%d\n", buf, _smtp_config.max_response_line_len);
}
_dpd.logMsg(" X-Link2State Alert: %s\n",
_smtp_config.alert_xlink2state ? "Yes" : "No");
if (_smtp_config.alert_xlink2state)
{
_dpd.logMsg(" Drop on X-Link2State Alert: %s\n",
_smtp_config.drop_xlink2state ? "Yes" : "No");
}
if (_smtp_config.print_cmds && !_smtp_config.no_alerts)
{
int alert_count = 0;
snprintf(buf, sizeof(buf) - 1, " Alert on commands: ");
for (cmd = _smtp_cmds; cmd->name != NULL; cmd++)
{
if (_smtp_cmd_config[cmd->search_id].alert)
{
_dpd.printfappend(buf, sizeof(buf) - 1, "%s ", cmd->name);
alert_count++;
}
}
if (alert_count == 0)
{
_dpd.logMsg("%sNone\n", buf);
}
else
{
_dpd.logMsg("%s\n", buf);
}
}
}
/* Main runtime entry point for SSH preprocessor.
* Analyzes SSH packets for anomalies/exploits.
*
* PARAMETERS:
*
* packetp: Pointer to current packet to process.
* contextp: Pointer to context block, not used.
*
* RETURNS: Nothing.
*/
static void
ProcessSSH( void* ipacketp, void* contextp )
{
SSHData* sessp = NULL;
uint8_t source = 0;
uint8_t dest = 0;
uint8_t known_port = 0;
uint8_t direction;
SFSnortPacket* packetp;
#ifdef TARGET_BASED
int16_t app_id = SFTARGET_UNKNOWN_PROTOCOL;
#endif
tSfPolicyId policy_id = _dpd.getRuntimePolicy();
PROFILE_VARS;
packetp = (SFSnortPacket*) ipacketp;
sfPolicyUserPolicySet (ssh_config, policy_id);
/* Make sure this preprocessor should run. */
if (( !packetp ) ||
( !packetp->payload ) ||
( !packetp->payload_size ) ||
( !IPH_IS_VALID(packetp) ) ||
( !packetp->tcp_header ) ||
/* check if we're waiting on stream reassembly */
( packetp->flags & FLAG_STREAM_INSERT))
{
return;
}
PREPROC_PROFILE_START(sshPerfStats);
ssh_eval_config = sfPolicyUserDataGetCurrent(ssh_config);
/* Attempt to get a previously allocated SSH block. */
sessp = _dpd.streamAPI->get_application_data(packetp->stream_session_ptr, PP_SSH);
if (sessp != NULL)
{
ssh_eval_config = sfPolicyUserDataGet(sessp->config, sessp->policy_id);
known_port = 1;
}
if (sessp == NULL)
{
/* If not doing autodetection, check the ports to make sure this is
* running on an SSH port, otherwise no need to examine the traffic.
*/
#ifdef TARGET_BASED
app_id = _dpd.streamAPI->get_application_protocol_id(packetp->stream_session_ptr);
if (app_id == SFTARGET_UNKNOWN_PROTOCOL)
{
PREPROC_PROFILE_END(sshPerfStats);
return;
}
if (app_id && (app_id != ssh_app_id))
{
PREPROC_PROFILE_END(sshPerfStats);
return;
}
if (app_id == ssh_app_id)
{
known_port = 1;
}
if (!app_id)
{
#endif
source = (uint8_t)CheckSSHPort( packetp->src_port );
dest = (uint8_t)CheckSSHPort( packetp->dst_port );
if ( !ssh_eval_config->AutodetectEnabled && !source && !dest )
{
/* Not one of the ports we care about. */
PREPROC_PROFILE_END(sshPerfStats);
return;
}
#ifdef TARGET_BASED
}
#endif
/* Check the stream session. If it does not currently
* have our SSH data-block attached, create one.
*/
sessp = SSHGetNewSession(packetp, policy_id);
if ( !sessp )
{
/* Could not get/create the session data for this packet. */
PREPROC_PROFILE_END(sshPerfStats);
return;
}
/* See if a known server port is involved. */
if (!known_port)
{
known_port = ( source || dest ? 1 : 0 );
/* If this is a non-SSH port, but autodetect is on, we flag this
session to reduce false positives later on. */
if (!known_port && ssh_eval_config->AutodetectEnabled)
{
sessp->state_flags |= SSH_FLG_AUTODETECTED;
}
}
}
/* Don't process if we've missed packets */
if (sessp->state_flags & SSH_FLG_MISSED_PACKETS)
return;
/* If we picked up mid-stream or missed any packets (midstream pick up
* means we've already missed packets) set missed packets flag and make
* sure we don't do any more reassembly on this session */
if ((_dpd.streamAPI->get_session_flags(packetp->stream_session_ptr) & SSNFLAG_MIDSTREAM)
|| _dpd.streamAPI->missed_packets(packetp->stream_session_ptr, SSN_DIR_BOTH))
{
_dpd.streamAPI->set_reassembly(packetp->stream_session_ptr,
STREAM_FLPOLICY_IGNORE, SSN_DIR_BOTH,
STREAM_FLPOLICY_SET_ABSOLUTE);
sessp->state_flags |= SSH_FLG_MISSED_PACKETS;
return;
}
/* We're interested in this session. Turn on stream reassembly. */
if ( !(sessp->state_flags & SSH_FLG_REASSEMBLY_SET ))
{
_dpd.streamAPI->set_reassembly(packetp->stream_session_ptr,
STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_BOTH, 0);
sessp->state_flags |= SSH_FLG_REASSEMBLY_SET;
}
/* Get the direction of the packet. */
direction = ( (packetp->flags & FLAG_FROM_SERVER ) ?
SSH_DIR_FROM_SERVER : SSH_DIR_FROM_CLIENT );
if ( !(sessp->state_flags & SSH_FLG_SESS_ENCRYPTED ))
{
/* If server and client have not performed the protocol
* version exchange yet, must look for version strings.
*/
if ( (sessp->state_flags & SSH_FLG_BOTH_IDSTRING_SEEN)
!= SSH_FLG_BOTH_IDSTRING_SEEN )
{
if ( ProcessSSHProtocolVersionExchange( sessp,
packetp, direction, known_port ) ==
SSH_FAILURE )
{
/*Error processing protovers exchange msg */
}
PREPROC_PROFILE_END(sshPerfStats);
return;
}
/* Expecting to see the key init exchange at this point
* (in SSH2) or the actual key exchange if SSH1
*/
if ((( sessp->state_flags & SSH_FLG_V1_KEYEXCH_DONE )
!= SSH_FLG_V1_KEYEXCH_DONE ) &&
((sessp->state_flags & SSH_FLG_V2_KEXINIT_DONE )
!= SSH_FLG_V2_KEXINIT_DONE ))
{
ProcessSSHKeyInitExchange( sessp, packetp, direction );
PREPROC_PROFILE_END(sshPerfStats);
return;
}
/* If SSH2, need to process the actual key exchange msgs.
* The actual key exchange type was negotiated in the
* key exchange init msgs. SSH1 won't arrive here.
*/
ProcessSSHKeyExchange( sessp, packetp, direction );
}
else
{
/* Traffic on this session is currently encrypted.
* Two of the major SSH exploits, SSH1 CRC-32 and
* the Challenge-Response Overflow attack occur within
* the encrypted portion of the SSH session. Therefore,
* the only way to detect these attacks is by examining
* amounts of data exchanged for anomalies.
*/
sessp->num_enc_pkts++;
if ( sessp->num_enc_pkts <= ssh_eval_config->MaxEncryptedPackets )
{
if ( direction == SSH_DIR_FROM_CLIENT )
{
sessp->num_client_bytes += packetp->payload_size;
if ( sessp->num_client_bytes >=
ssh_eval_config->MaxClientBytes )
{
/* Probable exploit in progress.*/
if (sessp->version == SSH_VERSION_1)
{
if ( ssh_eval_config->EnabledAlerts & SSH_ALERT_CRC32 )
{
ALERT(SSH_EVENT_CRC32, SSH_EVENT_CRC32_STR);
_dpd.streamAPI->stop_inspection(
packetp->stream_session_ptr,
packetp,
SSN_DIR_BOTH, -1, 0 );
}
}
else
{
if (ssh_eval_config->EnabledAlerts & SSH_ALERT_RESPOVERFLOW )
{
ALERT(SSH_EVENT_RESPOVERFLOW, SSH_EVENT_RESPOVERFLOW_STR);
_dpd.streamAPI->stop_inspection(
packetp->stream_session_ptr,
packetp,
SSN_DIR_BOTH, -1, 0 );
}
}
}
}
else
{
/*
* Have seen a server response, so
* this appears to be a valid exchange.
* Reset suspicious byte count to zero.
*/
sessp->num_client_bytes = 0;
}
}
else
{
/* Have already examined more than the limit
* of encrypted packets. Both the Gobbles and
* the CRC32 attacks occur during authentication
* and therefore cannot be used late in an
* encrypted session. For performance purposes,
* stop examining this session.
*/
_dpd.streamAPI->stop_inspection(
packetp->stream_session_ptr,
packetp,
SSN_DIR_BOTH, -1, 0 );
}
}
PREPROC_PROFILE_END(sshPerfStats);
}
/* Display the configuration for the SSH preprocessor.
*
* PARAMETERS: None.
*
* RETURNS: Nothing.
*/
static void
DisplaySSHConfig(SSHConfig *config)
{
int index;
int newline;
if (config == NULL)
return;
_dpd.logMsg("SSH config: \n");
_dpd.logMsg(" Autodetection: %s\n",
config->AutodetectEnabled ?
"ENABLED":"DISABLED");
_dpd.logMsg(" Challenge-Response Overflow Alert: %s\n",
config->EnabledAlerts & SSH_ALERT_RESPOVERFLOW ?
"ENABLED" : "DISABLED" );
_dpd.logMsg(" SSH1 CRC32 Alert: %s\n",
config->EnabledAlerts & SSH_ALERT_CRC32 ?
"ENABLED" : "DISABLED" );
_dpd.logMsg(" Server Version String Overflow Alert: %s\n",
config->EnabledAlerts & SSH_ALERT_SECURECRT ?
"ENABLED" : "DISABLED" );
_dpd.logMsg(" Protocol Mismatch Alert: %s\n",
config->EnabledAlerts & SSH_ALERT_PROTOMISMATCH?
"ENABLED" : "DISABLED" );
_dpd.logMsg(" Bad Message Direction Alert: %s\n",
config->EnabledAlerts & SSH_ALERT_WRONGDIR ?
"ENABLED" : "DISABLED" );
_dpd.logMsg(" Bad Payload Size Alert: %s\n",
config->EnabledAlerts & SSH_ALERT_PAYSIZE ?
"ENABLED" : "DISABLED" );
_dpd.logMsg(" Unrecognized Version Alert: %s\n",
config->EnabledAlerts & SSH_ALERT_UNRECOGNIZED ?
"ENABLED" : "DISABLED" );
_dpd.logMsg(" Max Encrypted Packets: %d %s \n",
config->MaxEncryptedPackets,
config->MaxEncryptedPackets
== SSH_DEFAULT_MAX_ENC_PKTS ?
"(Default)" : "" );
_dpd.logMsg(" Max Server Version String Length: %d %s \n",
config->MaxServerVersionLen,
config->MaxServerVersionLen
== SSH_DEFAULT_MAX_SERVER_VERSION_LEN ?
"(Default)" : "" );
if ( config->EnabledAlerts &
(SSH_ALERT_RESPOVERFLOW | SSH_ALERT_CRC32))
{
_dpd.logMsg(" MaxClientBytes: %d %s \n",
config->MaxClientBytes,
config->MaxClientBytes
== SSH_DEFAULT_MAX_CLIENT_BYTES ?
"(Default)" : "" );
}
/* Traverse list, printing ports, 5 per line */
newline = 1;
_dpd.logMsg(" Ports:\n");
for(index = 0; index < MAX_PORTS; index++)
{
if( config->ports[ PORT_INDEX(index) ] & CONV_PORT(index) )
{
_dpd.logMsg("\t%d", index);
if ( !((newline++)% 5) )
{
_dpd.logMsg("\n");
}
}
}
_dpd.logMsg("\n");
}
/* Initializes the SSH preprocessor module and registers
* it in the preprocessor list.
*
* PARAMETERS:
*
* argp: Pointer to argument string to process for config
* data.
*
* RETURNS: Nothing.
*/
static void SSHInit(char *argp)
{
tSfPolicyId policy_id = _dpd.getParserPolicy();
SSHConfig *pPolicyConfig = NULL;
if (ssh_config == NULL)
{
//create a context
ssh_config = sfPolicyConfigCreate();
if (ssh_config == NULL)
{
DynamicPreprocessorFatalMessage("Failed to allocate memory "
"for SSH config.\n");
}
if (_dpd.streamAPI == NULL)
{
DynamicPreprocessorFatalMessage("SetupSSH(): The Stream preprocessor must be enabled.\n");
}
_dpd.addPreprocConfCheck(SSHCheckConfig);
_dpd.addPreprocExit(SSHCleanExit, NULL, PRIORITY_LAST, PP_SSH);
#ifdef PERF_PROFILING
_dpd.addPreprocProfileFunc("ssh", (void *)&sshPerfStats, 0, _dpd.totalPerfStats);
#endif
#ifdef TARGET_BASED
ssh_app_id = _dpd.findProtocolReference("ssh");
if (ssh_app_id == SFTARGET_UNKNOWN_PROTOCOL)
ssh_app_id = _dpd.addProtocolReference("ssh");
#endif
}
sfPolicyUserPolicySet (ssh_config, policy_id);
pPolicyConfig = (SSHConfig *)sfPolicyUserDataGetCurrent(ssh_config);
if (pPolicyConfig != NULL)
{
DynamicPreprocessorFatalMessage("SSH preprocessor can only be "
"configured once.\n");
}
pPolicyConfig = (SSHConfig *)calloc(1, sizeof(SSHConfig));
if (!pPolicyConfig)
{
DynamicPreprocessorFatalMessage("Could not allocate memory for "
"SSH preprocessor configuration.\n");
}
sfPolicyUserDataSetCurrent(ssh_config, pPolicyConfig);
ParseSSHArgs(pPolicyConfig, (u_char *)argp);
_dpd.addPreproc( ProcessSSH, PRIORITY_APPLICATION, PP_SSH, PROTO_BIT__TCP );
_addPortsToStream5Filter(pPolicyConfig, policy_id);
#ifdef TARGET_BASED
_addServicesToStream5Filter(policy_id);
#endif
}
/* Parses and processes the configuration arguments
* supplied in the SSH preprocessor rule.
*
* PARAMETERS:
*
* argp: Pointer to string containing the config arguments.
*
* RETURNS: Nothing.
*/
static void
ParseSSHArgs( u_char* argp )
{
char* cur_tokenp = NULL;
char* argcpyp = NULL;
int port;
/* Set up default port to listen on */
ssh_config.ports[ PORT_INDEX( 22 ) ] |= CONV_PORT(22);
/* Sanity check(s) */
if ( !argp )
{
DisplaySSHConfig();
return;
}
argcpyp = strdup( (char*) argp );
if ( !argcpyp )
{
_dpd.fatalMsg("Could not allocate memory to parse SSH options.\n");
return;
}
cur_tokenp = strtok( argcpyp, " ");
while ( cur_tokenp )
{
if ( !strcmp( cur_tokenp, SSH_SERVERPORTS_KEYWORD ))
{
/* If the user specified ports, remove '22' for now since
* it now needs to be set explicitely. */
ssh_config.ports[ PORT_INDEX( 22 ) ] = 0;
/* Eat the open brace. */
cur_tokenp = strtok( NULL, " ");
if (( !cur_tokenp ) || ( cur_tokenp[0] != '{' ))
{
_dpd.fatalMsg("Bad value specified for %s.\n",
SSH_SERVERPORTS_KEYWORD);
free(argcpyp);
return;
}
cur_tokenp = strtok( NULL, " ");
while (( cur_tokenp ) && ( cur_tokenp[0] != '}' ))
{
if ( !isdigit( cur_tokenp[0] ))
{
_dpd.fatalMsg("Bad port %s.\n", cur_tokenp );
free(argcpyp);
return;
}
else
{
port = atoi( cur_tokenp );
if( port < 0 || port > MAX_PORTS )
{
_dpd.fatalMsg("Port value illegitimate: %s\n", cur_tokenp);
free(argcpyp);
return;
}
ssh_config.ports[ PORT_INDEX( port ) ] |= CONV_PORT(port);
}
cur_tokenp = strtok( NULL, " ");
}
}
else if ( !strcmp( cur_tokenp, SSH_AUTODETECT_KEYWORD ))
{
ssh_config.AutodetectEnabled++;
}
else if ( !strcmp( cur_tokenp, SSH_MAX_ENC_PKTS_KEYWORD ))
{
cur_tokenp = strtok( NULL, " ");
if (( !cur_tokenp ) || !isdigit(cur_tokenp[0]) )
{
_dpd.logMsg("Bad value specified for %s."
"Reverting to default value %d. ",
SSH_MAX_ENC_PKTS_KEYWORD,
SSH_DEFAULT_MAX_ENC_PKTS );
}
else
{
ssh_config.MaxEncryptedPackets = (u_int16_t)
atoi( cur_tokenp );
}
}
else if (!strcmp( cur_tokenp, SSH_MAX_CLIENT_BYTES_KEYWORD ))
{
cur_tokenp = strtok( NULL, " ");
if (( !cur_tokenp ) || !isdigit(cur_tokenp[0]) )
{
_dpd.logMsg("Bad value specified for %s."
"Reverting to default value %d. ",
SSH_MAX_CLIENT_BYTES_KEYWORD,
SSH_DEFAULT_MAX_CLIENT_BYTES );
}
else
{
ssh_config.MaxClientBytes = (u_int16_t)
atoi( cur_tokenp );
}
}
else if ( !strcmp( cur_tokenp, SSH_DISABLE_GOBBLES_KEYWORD ))
{
ssh_config.EnabledAlerts &= ~SSH_ALERT_GOBBLES;
}
else if ( !strcmp( cur_tokenp, SSH_DISABLE_CRC32_KEYWORD ))
{
ssh_config.EnabledAlerts &= ~SSH_ALERT_CRC32;
}
else if (
!strcmp( cur_tokenp, SSH_DISABLE_SECURECRT_KEYWORD ))
{
ssh_config.EnabledAlerts &= ~SSH_ALERT_SECURECRT;
}
else if (
!strcmp( cur_tokenp, SSH_DISABLE_PROTOMISMATCH_KEYWORD ))
{
ssh_config.EnabledAlerts &= ~SSH_ALERT_PROTOMISMATCH;
}
else if (
!strcmp( cur_tokenp, SSH_DISABLE_WRONGDIR_KEYWORD ))
{
ssh_config.EnabledAlerts &= ~SSH_ALERT_WRONGDIR;
}
else if ( !strcmp( cur_tokenp, SSH_DISABLE_RULES_KEYWORD ))
{
ssh_config.DisableRules++;
}
else if( !strcmp( cur_tokenp, SSH_DISABLE_PAYLOAD_SIZE ))
{
ssh_config.EnabledAlerts &= ~SSH_ALERT_PAYSIZE;
}
else if( !strcmp( cur_tokenp, SSH_DISABLE_UNRECOGNIZED_VER ))
{
ssh_config.EnabledAlerts &= ~SSH_ALERT_UNRECOGNIZED;
}
else
{
_dpd.fatalMsg("Invalid argument: %s\n", cur_tokenp);
return;
}
cur_tokenp = strtok( NULL, " " );
}
DisplaySSHConfig();
free(argcpyp);
}
/* Display the configuration for the SSH preprocessor.
*
* PARAMETERS: None.
*
* RETURNS: Nothing.
*/
static void
DisplaySSHConfig()
{
int index;
int newline;
SSHPortNode* cur_nodep = NULL;
_dpd.logMsg("SSH config: \n");
_dpd.logMsg(" Autodetection: %s\n",
ssh_config.AutodetectEnabled ?
"ENABLED":"DISABLED");
_dpd.logMsg(" GOBBLES Alert: %s\n",
ssh_config.EnabledAlerts & SSH_ALERT_GOBBLES ?
"ENABLED" : "DISABLED" );
_dpd.logMsg(" SSH1 CRC32 Alert: %s\n",
ssh_config.EnabledAlerts & SSH_ALERT_CRC32 ?
"ENABLED" : "DISABLED" );
_dpd.logMsg(" Server Version String Overflow Alert: %s\n",
ssh_config.EnabledAlerts & SSH_ALERT_SECURECRT ?
"ENABLED" : "DISABLED" );
_dpd.logMsg(" Protocol Mismatch Alert: %s\n",
ssh_config.EnabledAlerts & SSH_ALERT_PROTOMISMATCH?
"ENABLED" : "DISABLED" );
_dpd.logMsg(" Bad Message Direction Alert: %s\n",
ssh_config.EnabledAlerts & SSH_ALERT_WRONGDIR ?
"ENABLED" : "DISABLED" );
_dpd.logMsg(" Bad Payload Size Alert: %s\n",
ssh_config.EnabledAlerts & SSH_ALERT_PAYSIZE ?
"ENABLED" : "DISABLED" );
_dpd.logMsg(" Unrecognized Version Alert: %s\n",
ssh_config.EnabledAlerts & SSH_ALERT_UNRECOGNIZED ?
"ENABLED" : "DISABLED" );
_dpd.logMsg(" Max Encrypted Packets: %d %s \n",
ssh_config.MaxEncryptedPackets,
ssh_config.MaxEncryptedPackets
== SSH_DEFAULT_MAX_ENC_PKTS ?
"(Default)" : "" );
if ( ssh_config.EnabledAlerts &
(SSH_ALERT_GOBBLES | SSH_ALERT_CRC32))
{
_dpd.logMsg(" MaxClientBytes: %d %s \n",
ssh_config.MaxClientBytes,
ssh_config.MaxClientBytes
== SSH_DEFAULT_MAX_CLIENT_BYTES ?
"(Default)" : "" );
}
/* Traverse list, printing ports, 5 per line */
newline = 1;
_dpd.logMsg(" Ports:\n");
for(index = 0; index < MAX_PORTS; index++)
{
if( ssh_config.ports[ PORT_INDEX(index) ] & CONV_PORT(index) )
{
_dpd.logMsg("\t%d", index);
if ( !((newline++)% 5) )
{
_dpd.logMsg("\n");
}
}
}
_dpd.logMsg("\n");
}
void ParseDNSResponseMessage(SFSnortPacket *p, DNSSessionData *dnsSessionData)
{
u_int16_t bytes_unused = p->payload_size;
int i;
unsigned char *data = p->payload;
while (bytes_unused)
{
/* Parse through the DNS Header */
if (dnsSessionData->state < DNS_RESP_STATE_QUESTION)
{
/* Length only applies on a TCP packet, skip to header ID
* if at beginning of a UDP Response.
*/
if ((dnsSessionData->state == DNS_RESP_STATE_LENGTH) &&
(p->udp_header))
{
dnsSessionData->state = DNS_RESP_STATE_HDR_ID;
}
bytes_unused = ParseDNSHeader(data, bytes_unused, dnsSessionData);
if (bytes_unused > 0)
{
data = p->payload + (p->payload_size - bytes_unused);
}
else
{
/* No more data */
return;
}
dnsSessionData->curr_rec_state = DNS_RESP_STATE_Q_NAME;
dnsSessionData->curr_rec = 0;
}
/* Print out the header (but only once -- when we're ready to parse the Questions */
#ifdef DEBUG
if ((dnsSessionData->curr_rec_state == DNS_RESP_STATE_Q_NAME) &&
(dnsSessionData->curr_rec == 0))
{
_dpd.debugMsg(DEBUG_DNS,
"DNS Header: length %d, id 0x%x, flags 0x%x, "
"questions %d, answers %d, authorities %d, additionals %d\n",
dnsSessionData->length, dnsSessionData->hdr.id,
dnsSessionData->hdr.flags, dnsSessionData->hdr.questions,
dnsSessionData->hdr.answers,
dnsSessionData->hdr.authorities,
dnsSessionData->hdr.additionals);
}
#endif
if (!(dnsSessionData->hdr.flags & DNS_HDR_FLAG_RESPONSE))
{
/* Not a response */
return;
}
/* Handle the DNS Queries */
if (dnsSessionData->state == DNS_RESP_STATE_QUESTION)
{
/* Skip over the 4 byte question records... */
for (i=dnsSessionData->curr_rec; i< dnsSessionData->hdr.questions; i++)
{
bytes_unused = ParseDNSQuestion(data, p->payload_size, bytes_unused, dnsSessionData);
if (dnsSessionData->curr_rec_state == DNS_RESP_STATE_Q_COMPLETE)
{
DEBUG_WRAP(
_dpd.debugMsg(DEBUG_DNS,
"DNS Question %d: type %d, class %d\n",
i, dnsSessionData->curr_q.type,
dnsSessionData->curr_q.dns_class);
);
dnsSessionData->curr_rec_state = DNS_RESP_STATE_Q_NAME;
dnsSessionData->curr_rec++;
}
if (bytes_unused > 0)
{
data = p->payload + (p->payload_size - bytes_unused);
}
else
{
/* No more data */
return;
}
}
dnsSessionData->state = DNS_RESP_STATE_ANS_RR;
dnsSessionData->curr_rec_state = DNS_RESP_STATE_RR_NAME_SIZE;
dnsSessionData->curr_rec = 0;
}
