/*********************************************************************
* Function: DCE2_PafAbort()
*
* Purpose: Queries the dcerpc2 session data to see if paf abort
* flag is set.
*
* Arguments:
* void * - stream session pointer
* uint32_t - flags passed in to callback.
* Should have PKT_FROM_CLIENT or PKT_FROM_SERVER set.
*
* Returns:
* bool - true if we should abort PAF, false if not.
*
*********************************************************************/
static inline bool DCE2_PafAbort(void *ssn, uint32_t flags)
{
DCE2_SsnData *sd;
if (_dpd.sessionAPI->get_session_flags(ssn) & SSNFLAG_MIDSTREAM)
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF,
"Aborting PAF because of midstream pickup.\n"));
return true;
}
else if (!(_dpd.sessionAPI->get_session_flags(ssn) & SSNFLAG_ESTABLISHED))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF,
"Aborting PAF because of unestablished session.\n"));
return true;
}
sd = (DCE2_SsnData *)_dpd.sessionAPI->get_application_data(ssn, PP_DCE2);
if ((sd != NULL) && DCE2_SsnNoInspect(sd))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__PAF, "Aborting PAF because of session data check.\n"));
return true;
}
return false;
}
/*********************************************************************
* Function:
*
* Purpose:
*
* Arguments:
*
* Returns:
*
*********************************************************************/
void DCE2_Detect(DCE2_SsnData *sd)
{
SFSnortPacket *top_pkt = (SFSnortPacket *)DCE2_CStackTop(dce2_pkt_stack);
PROFILE_VARS;
if (top_pkt == NULL)
{
DCE2_Log(DCE2_LOG_TYPE__ERROR,
"%s(%d) No packet on top of stack.",
__FILE__, __LINE__);
return;
}
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Detecting ------------------------------------------------\n"));
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, " Rule options:\n"));
DCE2_DEBUG_CODE(DCE2_DEBUG__ROPTIONS, DCE2_PrintRoptions(&sd->ropts););
/******************************************************************
* Function: DCE2_Alert()
*
* Potentially generates an alert if an event is triggered.
*
* Arguments:
* DCE2_SsnData *
* This is the current session data structure being used
* when the event was triggered. It is not a necessary
* argument if no session data is currently available, for
* example if the event is a memcap event - pass in NULL in
* this case.
* DCE2_Event
* The event type that was triggered.
* ...
* The arguments to the format for the event.
*
* Returns: None
*
******************************************************************/
void DCE2_Alert(DCE2_SsnData *sd, DCE2_Event e, ...)
{
va_list ap;
#ifdef DEBUG_MSGS
// When debugging want to see all of the alerts generated
va_start(ap, e);
vsnprintf(dce2_event_bufs[e], sizeof(dce2_event_bufs[e]) - 1, dce2_events[e].format, ap);
va_end(ap);
dce2_event_bufs[e][sizeof(dce2_event_bufs[e]) - 1] = '\0';
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "DCE2 Alert => %s\n", dce2_event_bufs[e]));
#endif
if (sd != NULL)
{
// NOTE This check needs to change if the number of preprocessor events
// should exceed 63
/* Only log a specific alert once per session */
if (sd->alert_mask & ((uint64_t)1 << e))
return;
/* set bit for this alert so we don't alert on again
* in this session */
sd->alert_mask |= ((uint64_t)1 << e);
}
if (!DCE2_GcAlertOnEvent(dce2_events[e].eflag))
return;
dce2_stats.events++;
#ifndef DEBUG_MSGS
va_start(ap, e);
vsnprintf(dce2_event_bufs[e], sizeof(dce2_event_bufs[e]) - 1, dce2_events[e].format, ap);
va_end(ap);
dce2_event_bufs[e][sizeof(dce2_event_bufs[e]) - 1] = '\0';
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "DCE2 Alert => %s\n", dce2_event_bufs[e]));
#endif
_dpd.alertAdd(GENERATOR_DCE2, e, 1, 0, 3, dce2_event_bufs[e], 0);
}
/********************************************************************
* Function: DCE2_HttpProcessServer()
*
* Wrapper arount main processing point for an RPC over HTTP
* session. Checks and sets session setup state for a server.
*
* Arguments:
* DCE2_HttpSsnData *
* Pointer to an RPC over HTTP session data structure.
*
* Returns: None
*
********************************************************************/
void DCE2_HttpProcessServer(DCE2_HttpSsnData *hsd)
{
const SFSnortPacket *p = hsd->sd.wire_pkt;
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Processing RPC over HTTP server packet.\n"));
dce2_stats.http_server_pkts++;
if (hsd->state == DCE2_HTTP_STATE__NONE)
{
if (DCE2_SsnFromServer(p))
hsd->state = DCE2_HTTP_STATE__INIT_SERVER;
}
DCE2_HttpProcess(hsd);
}
/********************************************************************
* Function: DCE2_HttpProcessProxy()
*
* Wrapper arount main processing point for an RPC over HTTP
* session. Checks and sets session setup state for a proxy.
*
* Arguments:
* DCE2_HttpSsnData *
* Pointer to an RPC over HTTP session data structure.
*
* Returns: None
*
********************************************************************/
void DCE2_HttpProcessProxy(DCE2_HttpSsnData *hsd)
{
const SFSnortPacket *p = hsd->sd.wire_pkt;
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Processing RPC over HTTP proxy packet.\n"));
dce2_stats.http_proxy_pkts++;
if (hsd->state == DCE2_HTTP_STATE__NONE)
{
if (DCE2_SsnFromClient(p))
hsd->state = DCE2_HTTP_STATE__INIT_CLIENT;
}
DCE2_HttpProcess(hsd);
}
/*********************************************************************
* Function: DCE2_Main()
*
* Purpose: Main entry point for DCE/RPC processing.
*
* Arguments:
* void * - pointer to packet structure
* void * - pointer to context
*
* Returns: None
*
*********************************************************************/
static void DCE2_Main(void *pkt, void *context)
{
SFSnortPacket *p = (SFSnortPacket *)pkt;
PROFILE_VARS;
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__START_MSG));
sfPolicyUserPolicySet (dce2_config, _dpd.getRuntimePolicy());
#ifdef DEBUG_MSGS
if (DCE2_SsnFromServer(p))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Packet from Server.\n"));
}
else
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Packet from Client.\n"));
}
#endif
/* No inspection to do */
if ((p->payload_size == 0) || (p->payload == NULL))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "No payload - not inspecting.\n"));
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__END_MSG));
return;
}
else if (p->stream_session_ptr == NULL)
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "No session pointer - not inspecting.\n"));
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__END_MSG));
return;
}
else if (!IsTCP(p) && !IsUDP(p))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Not UDP or TCP - not inspecting.\n"));
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__END_MSG));
return;
}
if (IsTCP(p))
{
if (DCE2_SsnIsMidstream(p))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Midstream - not inspecting.\n"));
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__END_MSG));
return;
}
else if (!DCE2_SsnIsEstablished(p))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Not established - not inspecting.\n"));
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__END_MSG));
return;
}
}
PREPROC_PROFILE_START(dce2_pstat_main);
if (DCE2_Process(p) == DCE2_RET__INSPECTED)
DCE2_DisableDetect(p);
PREPROC_PROFILE_END(dce2_pstat_main);
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__END_MSG));
}
/********************************************************************
* Function: DCE2_ClRequest()
*
* Handles a client request.
*
* Arguments:
* DCE2_SsnData *
* Pointer to the session data structure.
* DCE2_ClActTracker *
* Pointer to the connectionless activity tracker.
* DceRpcClHdr *
* Pointer to the connectionless header in the packet.
* const uint8_t *
* Pointer to current position in the packet payload.
* uint16_t
* Length of packet payload left from current pointer
* position.
*
* Returns: None
*
********************************************************************/
static void DCE2_ClRequest(DCE2_SsnData *sd, DCE2_ClActTracker *at, DceRpcClHdr *cl_hdr,
const uint8_t *data_ptr, uint16_t data_len)
{
uint32_t seq_num = DceRpcClSeqNum(cl_hdr);
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Processing Request ...\n"));
if (seq_num > at->seq_num)
{
/* This is the normal case where the sequence number is incremented
* for each request. Set the new sequence number and mark it valid. */
at->seq_num = seq_num;
at->seq_num_invalid = 0;
/* If there are any fragments, the new sequence number invalidates
* all of the frags that might be currently stored. */
DCE2_ClResetFragTracker(&at->frag_tracker);
}
else if ((seq_num < at->seq_num) || at->seq_num_invalid)
{
#if 0
/* If we get a seqence number less than what we're at, the
* server won't look at it. If we get the same sequence number,
* but we've already processed a previous request, it's bad.
* Fragments will have the same sequence number, but we won't
* mark the seq number invalid until we've gotten all of them. */
/* Comment for now since we're not able to detect retransmits */
DCE2_Alert(sd, DCE2_EVENT__CL_BAD_SEQ_NUM, dce2_pdu_types[DceRpcClPduType(cl_hdr)]);
#endif
return;
}
DCE2_ResetRopts(&sd->ropts);
if (DceRpcClFrag(cl_hdr)) /* It's a frag */
{
dce2_stats.cl_fragments++;
if (DCE2_GcDceDefrag())
{
DCE2_ClHandleFrag(sd, at, cl_hdr, data_ptr, data_len);
return;
}
}
else /* It's a full request */
{
if ((at->frag_tracker.frags != NULL) &&
!DCE2_ListIsEmpty(at->frag_tracker.frags))
{
/* If we get a full request, i.e. not a frag, any frags
* we have collected are invalidated */
DCE2_ClResetFragTracker(&at->frag_tracker);
}
else if (seq_num != DCE2_CL__MAX_SEQ_NUM)
{
/* This sequence number is now invalid. 0xffffffff is the end of
* the sequence number space and can be reused */
at->seq_num_invalid = 1;
}
else
{
/* Got the last sequence number in the sequence number space */
dce2_stats.cl_max_seqnum++;
}
}
/* Cache relevant values for rule option processing */
sd->ropts.first_frag = DceRpcClFirstFrag(cl_hdr);
DCE2_CopyUuid(&sd->ropts.iface, DceRpcClIface(cl_hdr), DceRpcClByteOrder(cl_hdr));
sd->ropts.iface_vers = DceRpcClIfaceVers(cl_hdr);
sd->ropts.hdr_byte_order = DceRpcClByteOrder(cl_hdr);
sd->ropts.data_byte_order = DceRpcClByteOrder(cl_hdr);
sd->ropts.opnum = DceRpcClOpnum(cl_hdr);
sd->ropts.stub_data = (uint8_t *)cl_hdr + sizeof(DceRpcClHdr);
DCE2_Detect(sd);
}
/********************************************************************
* Function: DCE2_ClProcess()
*
* Main entry point for connectionless DCE/RPC processing. Gets
* the activity tracker associated with this session and passes
* along to client or server handling.
*
* Arguments:
* DCE2_SsnData *
* Pointer to the session data structure.
* DCE2_ClTracker *
* Pointer to the connectionless tracker structure.
*
* Returns: None
*
********************************************************************/
void DCE2_ClProcess(DCE2_SsnData *sd, DCE2_ClTracker *clt)
{
DceRpcClHdr *cl_hdr;
DCE2_ClActTracker *at;
const uint8_t *data_ptr = sd->wire_pkt->payload;
uint16_t data_len = sd->wire_pkt->payload_size;
PROFILE_VARS;
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Cl processing ...\n"));
dce2_stats.cl_pkts++;
if (data_len < sizeof(DceRpcClHdr))
{
if (!DCE2_SsnAutodetected(sd))
DCE2_Alert(sd, DCE2_EVENT__CL_DATA_LT_HDR, data_len, sizeof(DceRpcClHdr));
return;
}
cl_hdr = (DceRpcClHdr *)data_ptr;
DCE2_MOVE(data_ptr, data_len, sizeof(DceRpcClHdr));
if (DCE2_ClHdrChecks(sd, cl_hdr) != DCE2_RET__SUCCESS)
return;
PREPROC_PROFILE_START(dce2_pstat_cl_acts);
at = DCE2_ClGetActTracker(clt, cl_hdr);
PREPROC_PROFILE_END(dce2_pstat_cl_acts);
if (at == NULL)
return;
if (DCE2_SsnFromClient(sd->wire_pkt))
{
switch (DceRpcClPduType(cl_hdr))
{
case DCERPC_PDU_TYPE__REQUEST:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Request\n"));
dce2_stats.cl_request++;
DCE2_ClRequest(sd, at, cl_hdr, data_ptr, data_len);
break;
case DCERPC_PDU_TYPE__ACK:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Ack\n"));
dce2_stats.cl_ack++;
break;
case DCERPC_PDU_TYPE__CL_CANCEL:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Cancel\n"));
dce2_stats.cl_cancel++;
break;
case DCERPC_PDU_TYPE__FACK:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Fack\n"));
dce2_stats.cl_cli_fack++;
break;
case DCERPC_PDU_TYPE__PING:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Ping\n"));
dce2_stats.cl_ping++;
break;
case DCERPC_PDU_TYPE__RESPONSE:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Response from client. Changing stream direction."));
_dpd.streamAPI->update_direction(sd->wire_pkt->stream_session, SSN_DIR_FROM_RESPONDER,
GET_SRC_IP(((SFSnortPacket *)sd->wire_pkt)),
sd->wire_pkt->src_port);
break;
default:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Other pdu type\n"));
dce2_stats.cl_other_req++;
break;
}
}
else
{
switch (DceRpcClPduType(cl_hdr))
{
case DCERPC_PDU_TYPE__RESPONSE:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Response\n"));
dce2_stats.cl_response++;
break;
case DCERPC_PDU_TYPE__REJECT:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Reject\n"));
dce2_stats.cl_reject++;
if (DceRpcClSeqNum(cl_hdr) == at->seq_num)
{
DCE2_ClResetFragTracker(&at->frag_tracker);
at->seq_num_invalid = 1;
}
break;
case DCERPC_PDU_TYPE__CANCEL_ACK:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Cancel Ack\n"));
dce2_stats.cl_cancel_ack++;
break;
case DCERPC_PDU_TYPE__FACK:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Fack\n"));
dce2_stats.cl_srv_fack++;
break;
case DCERPC_PDU_TYPE__FAULT:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Fault\n"));
dce2_stats.cl_fault++;
break;
case DCERPC_PDU_TYPE__NOCALL:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "No call\n"));
dce2_stats.cl_nocall++;
break;
case DCERPC_PDU_TYPE__WORKING:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Working\n"));
dce2_stats.cl_working++;
break;
default:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__CL, "Other pdu type\n"));
dce2_stats.cl_other_resp++;
break;
}
}
}
/*********************************************************************
* Function:
*
* Purpose:
*
* Arguments:
*
* Returns:
*
*********************************************************************/
static DCE2_SsnData * DCE2_NewSession(SFSnortPacket *p, tSfPolicyId policy_id)
{
DCE2_SsnData *sd = NULL;
DCE2_TransType trans;
const DCE2_ServerConfig *sc = DCE2_ScGetConfig(p);
int autodetected = 0;
PROFILE_VARS;
PREPROC_PROFILE_START(dce2_pstat_new_session);
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Creating new session: "));
trans = DCE2_GetTransport(p, sc, &autodetected);
switch (trans)
{
case DCE2_TRANS_TYPE__SMB:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "SMB transport ... "));
sd = (DCE2_SsnData *)DCE2_SmbSsnInit(p);
break;
case DCE2_TRANS_TYPE__TCP:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "TCP transport ... "));
sd = (DCE2_SsnData *)DCE2_TcpSsnInit();
break;
case DCE2_TRANS_TYPE__UDP:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "UDP transport ... "));
sd = (DCE2_SsnData *)DCE2_UdpSsnInit();
break;
case DCE2_TRANS_TYPE__HTTP_PROXY:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "RPC over HTTP proxy transport ... "));
sd = (DCE2_SsnData *)DCE2_HttpProxySsnInit();
break;
case DCE2_TRANS_TYPE__HTTP_SERVER:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "RPC over HTTP server transport ... "));
sd = (DCE2_SsnData *)DCE2_HttpServerSsnInit();
break;
case DCE2_TRANS_TYPE__NONE:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Not configured to "
"look at this traffic or unable to autodetect - not inspecting.\n"));
PREPROC_PROFILE_END(dce2_pstat_new_session);
return NULL;
default:
DCE2_Log(DCE2_LOG_TYPE__ERROR,
"%s(%d) Invalid transport type: %d",
__FILE__, __LINE__, trans);
PREPROC_PROFILE_END(dce2_pstat_new_session);
return NULL;
}
if (sd == NULL)
{
PREPROC_PROFILE_END(dce2_pstat_new_session);
return NULL;
}
DCE2_SsnSetAppData(p, (void *)sd, DCE2_SsnFree);
dce2_stats.sessions++;
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Created (%p)\n", (void *)sd));
sd->trans = trans;
sd->server_policy = DCE2_ScPolicy(sc);
sd->client_policy = DCE2_POLICY__WINXP; // Default to Windows XP
sd->sconfig = sc;
sd->wire_pkt = p;
sd->policy_id = policy_id;
sd->config = dce2_config;
((DCE2_Config *)sfPolicyUserDataGet(sd->config, policy_id))->ref_count++;
if (autodetected)
{
dce2_stats.sessions_autodetected++;
#ifdef DEBUG
if (DCE2_SsnFromServer(p))
dce2_stats.autoports[p->src_port][trans]++;
else
dce2_stats.autoports[p->dst_port][trans]++;
#endif
DCE2_SsnSetAutodetected(sd, p);
}
/* If we've determined a transport, make sure we're doing
* reassembly on the session */
if (IsTCP(p))
{
int rs_dir = DCE2_SsnGetReassembly(p);
if (!_dpd.isPafEnabled() && (rs_dir != SSN_DIR_BOTH))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN,
"Setting client/server reassembly to FOOTPRINT for this session.\n"));
DCE2_SsnSetReassembly(p);
}
if (!DCE2_SsnIsRebuilt(p))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Got non-rebuilt packet\n"));
if (DCE2_SsnIsStreamInsert(p))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Stream inserted - not inspecting.\n"));
PREPROC_PROFILE_END(dce2_pstat_new_session);
return NULL;
}
else if ((DCE2_SsnFromClient(p) && (rs_dir == SSN_DIR_FROM_SERVER))
|| (DCE2_SsnFromServer(p) && (rs_dir == SSN_DIR_FROM_CLIENT))
|| (rs_dir == SSN_DIR_BOTH))
{
/* Reassembly was already set for this session, but stream
* decided not to use the packet so it's probably not good */
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Got non-stream inserted packet - not inspecting\n"));
PREPROC_PROFILE_END(dce2_pstat_new_session);
return NULL;
}
}
}
PREPROC_PROFILE_END(dce2_pstat_new_session);
return sd;
}
/********************************************************************
* Function: DCE2_SetSsnState()
*
* Purpose:
* Checks for missing packets and overlapping data on session
*
* Arguments:
* DCE2_SsnData * - session data pointer
* SFSnortPacket * - packet structure
*
* Returns:
* DCE2_RET__SUCCESS
* DCE2_RET__ERROR
*
********************************************************************/
static DCE2_Ret DCE2_SetSsnState(DCE2_SsnData *sd, SFSnortPacket *p)
{
uint32_t pkt_seq = ntohl(p->tcp_header->sequence);
PROFILE_VARS;
PREPROC_PROFILE_START(dce2_pstat_session_state);
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Payload size: %u\n", p->payload_size));
if (DCE2_SsnFromClient(p) && !DCE2_SsnSeenClient(sd))
{
uint32_t pkt_ack = ntohl(p->tcp_header->acknowledgement);
if (DCE2_SsnSeenServer(sd) && SEQ_LT(sd->cli_seq, pkt_seq)
&& (sd->trans != DCE2_TRANS_TYPE__HTTP_SERVER))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN,
"Missing packets on session - aborting session inspection\n"));
DCE2_SetNoInspect(sd);
PREPROC_PROFILE_END(dce2_pstat_session_state);
return DCE2_RET__ERROR;
}
DCE2_SsnSetSeenClient(sd);
sd->cli_seq = pkt_seq;
sd->cli_nseq = pkt_seq + p->payload_size;
if (!DCE2_SsnSeenServer(sd))
sd->srv_seq = sd->srv_nseq = pkt_ack;
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Initial client => seq: %u, "
"next seq: %u\n", sd->cli_seq, sd->cli_nseq));
}
else if (DCE2_SsnFromServer(p) && !DCE2_SsnSeenServer(sd))
{
uint32_t pkt_ack = ntohl(p->tcp_header->acknowledgement);
if ((DCE2_SsnSeenClient(sd) && SEQ_LT(sd->srv_seq, pkt_seq))
|| (!DCE2_SsnSeenClient(sd) && (sd->trans != DCE2_TRANS_TYPE__HTTP_SERVER)))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN,
"Missing packets on session - aborting session inspection\n"));
PREPROC_PROFILE_END(dce2_pstat_session_state);
DCE2_SetNoInspect(sd);
return DCE2_RET__ERROR;
}
DCE2_SsnSetSeenServer(sd);
sd->srv_seq = pkt_seq;
sd->srv_nseq = pkt_seq + p->payload_size;
if (!DCE2_SsnSeenClient(sd))
sd->cli_seq = sd->cli_nseq = pkt_ack;
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Initial server => seq: %u, "
"next seq: %u\n", sd->srv_seq, sd->srv_nseq));
}
else
{
uint32_t *ssn_seq;
uint32_t *ssn_nseq;
if (DCE2_SsnFromClient(p))
{
ssn_seq = &sd->cli_seq;
ssn_nseq = &sd->cli_nseq;
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Client last => seq: %u, "
"next seq: %u\n", sd->cli_seq, sd->cli_nseq));
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "This packet => seq: %u, "
"next seq: %u\n", pkt_seq, pkt_seq + p->payload_size));
}
else
{
ssn_seq = &sd->srv_seq;
ssn_nseq = &sd->srv_nseq;
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Server last => seq: %u, "
"next seq: %u\n", sd->srv_seq, sd->srv_nseq));
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "This packet => seq: %u, "
"next seq: %u\n", pkt_seq, pkt_seq + p->payload_size));
}
if (*ssn_nseq != pkt_seq)
{
if (SEQ_LT(*ssn_nseq, pkt_seq))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Next expected sequence number (%u) is less than "
"this sequence number (%u).\n", *ssn_nseq, pkt_seq));
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN,
"Missing packets on session - aborting session inspection\n"));
DCE2_SetNoInspect(sd);
PREPROC_PROFILE_END(dce2_pstat_session_state);
return DCE2_RET__ERROR;
}
else
{
/* Got some kind of overlap. This shouldn't happen since we're doing
* reassembly on both sides and not looking at non-reassembled packets
* Actually this can happen if the stream seg list is empty */
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Overlap => seq: %u, "
"next seq: %u - aborting session inspection\n",
pkt_seq, pkt_seq + p->payload_size));
DCE2_SetNoInspect(sd);
PREPROC_PROFILE_END(dce2_pstat_session_state);
return DCE2_RET__ERROR;
}
}
*ssn_seq = pkt_seq;
*ssn_nseq = pkt_seq + p->payload_size;
}
PREPROC_PROFILE_END(dce2_pstat_session_state);
return DCE2_RET__SUCCESS;
}
/*********************************************************************
* Function: DCE2_Process()
*
* Purpose: Main entry point for DCE/RPC processing.
*
* Arguments:
* SFSnortPacket * - pointer to packet structure
*
* Returns:
* DCE2_Ret - status
*
*********************************************************************/
DCE2_Ret DCE2_Process(SFSnortPacket *p)
{
tSfPolicyId policy_id = _dpd.getNapRuntimePolicy();
DCE2_SsnData *sd = (DCE2_SsnData *)DCE2_SsnGetAppData(p);
PROFILE_VARS;
PREPROC_PROFILE_START(dce2_pstat_session);
if ((sd != NULL) && DCE2_SsnNoInspect(sd))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Session set to "
"not inspect. Returning\n"));
PREPROC_PROFILE_END(dce2_pstat_session);
return DCE2_RET__NOT_INSPECTED;
}
dce2_eval_config = (DCE2_Config *)sfPolicyUserDataGet(dce2_config, policy_id);
if (sd != NULL)
dce2_eval_config = (DCE2_Config *)sfPolicyUserDataGet(sd->config, sd->policy_id);
if (dce2_eval_config == NULL)
{
PREPROC_PROFILE_END(dce2_pstat_session);
return DCE2_RET__NOT_INSPECTED;
}
if (sd == NULL)
{
sd = DCE2_NewSession(p, policy_id);
if (sd == NULL)
{
PREPROC_PROFILE_END(dce2_pstat_session);
return DCE2_RET__NOT_INSPECTED;
}
}
else
{
sd->wire_pkt = p;
if (_dpd.isPafEnabled() && !DCE2_SsnIsPafActive(p))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "PAF was aborted on "
"one or both sides - aborting session inspection\n"));
DCE2_SetNoInspect(sd);
PREPROC_PROFILE_END(dce2_pstat_session);
return DCE2_RET__NOT_INSPECTED;
}
if (IsTCP(p) && !DCE2_SsnIsRebuilt(p))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Got non-rebuilt packet "
"on session (%p)\n", (void *)sd));
if (DCE2_SsnIsStreamInsert(p))
{
if (!_dpd.isPafEnabled())
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Flushing opposite direction.\n"));
DCE2_SsnFlush(p);
}
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Stream inserted - not inspecting.\n"));
}
else
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Got non-stream inserted packet "
"- not inspecting\n"));
}
PREPROC_PROFILE_END(dce2_pstat_session);
return DCE2_RET__NOT_INSPECTED;
}
else if (DCE2_SsnAutodetected(sd) && !(p->flags & sd->autodetect_dir))
{
/* Try to autodetect in opposite direction */
if ((sd->trans != DCE2_TRANS_TYPE__HTTP_PROXY) &&
(sd->trans != DCE2_TRANS_TYPE__HTTP_SERVER) &&
(DCE2_GetAutodetectTransport(p, sd->sconfig) != sd->trans))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Bad autodetect.\n"));
DCE2_SetNoInspect(sd);
dce2_stats.bad_autodetects++;
PREPROC_PROFILE_END(dce2_pstat_session);
return DCE2_RET__NOT_INSPECTED;
}
DCE2_SsnClearAutodetected(sd);
}
}
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Session pointer: %p\n", (void *)sd));
if (IsTCP(p) && (DCE2_SetSsnState(sd, p) != DCE2_RET__SUCCESS))
{
PREPROC_PROFILE_END(dce2_pstat_session);
return DCE2_RET__NOT_INSPECTED;
}
if (DCE2_PushPkt((void *)p) != DCE2_RET__SUCCESS)
{
DCE2_Log(DCE2_LOG_TYPE__ERROR,
"%s(%d) Failed to push packet onto packet stack.",
__FILE__, __LINE__);
PREPROC_PROFILE_END(dce2_pstat_session);
return DCE2_RET__NOT_INSPECTED;
}
p->flags |= FLAG_ALLOW_MULTIPLE_DETECT;
dce2_detected = 0;
PREPROC_PROFILE_END(dce2_pstat_session);
switch (sd->trans)
{
case DCE2_TRANS_TYPE__SMB:
DCE2_SmbProcess((DCE2_SmbSsnData *)sd);
break;
case DCE2_TRANS_TYPE__TCP:
DCE2_TcpProcess((DCE2_TcpSsnData *)sd);
break;
case DCE2_TRANS_TYPE__UDP:
DCE2_UdpProcess((DCE2_UdpSsnData *)sd);
break;
case DCE2_TRANS_TYPE__HTTP_PROXY:
DCE2_HttpProcessProxy((DCE2_HttpSsnData *)sd);
break;
case DCE2_TRANS_TYPE__HTTP_SERVER:
DCE2_HttpProcessServer((DCE2_HttpSsnData *)sd);
break;
default:
DCE2_Log(DCE2_LOG_TYPE__ERROR,
"%s(%d) Invalid transport type: %d",
__FILE__, __LINE__, sd->trans);
return DCE2_RET__NOT_INSPECTED;
}
if (sd->flags & DCE2_SSN_FLAG__NO_INSPECT)
{
DCE2_SetNoInspect(sd);
DCE2_PopPkt();
PREPROC_PROFILE_END(dce2_pstat_session);
return DCE2_RET__NOT_INSPECTED;
}
if (!dce2_detected)
DCE2_Detect(sd);
DCE2_ResetRopts(&sd->ropts);
DCE2_PopPkt();
if (dce2_mem_state == DCE2_MEM_STATE__MEMCAP)
{
DCE2_SetNoInspect(sd);
dce2_mem_state = DCE2_MEM_STATE__OKAY;
return DCE2_RET__NOT_INSPECTED;
}
if (DCE2_SsnAutodetected(sd))
return DCE2_RET__NOT_INSPECTED;
return DCE2_RET__INSPECTED;
}
{
SFSnortPacket *top_pkt = (SFSnortPacket *)DCE2_CStackTop(dce2_pkt_stack);
PROFILE_VARS;
if (top_pkt == NULL)
{
DCE2_Log(DCE2_LOG_TYPE__ERROR,
"%s(%d) No packet on top of stack.",
__FILE__, __LINE__);
return;
}
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Detecting ------------------------------------------------\n"));
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__ROPTIONS, " Rule options:\n"));
DCE2_DEBUG_CODE(DCE2_DEBUG__ROPTIONS, DCE2_PrintRoptions(&sd->ropts););
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Payload:\n"));
DCE2_DEBUG_CODE(DCE2_DEBUG__MAIN, DCE2_PrintPktData(top_pkt->payload, top_pkt->payload_size););
DCE2_DEBUG_CODE(DCE2_DEBUG__ROPTIONS,
if (sd->ropts.stub_data != NULL) {
printf("\nStub data:\n");
DCE2_PrintPktData(sd->ropts.stub_data,
top_pkt->payload_size - (sd->ropts.stub_data - top_pkt->payload)); });
PREPROC_PROFILE_START(dce2_pstat_detect);
_dpd.pushAlerts();
_dpd.detect(top_pkt);
_dpd.popAlerts();
PREPROC_PROFILE_END(dce2_pstat_detect);
