static int SIPReloadVerify(struct _SnortConfig *sc, void *swap_config)
{
tSfPolicyUserContextId sip_swap_config = (tSfPolicyUserContextId)swap_config;
SIPConfig * pPolicyConfig = NULL;
SIPConfig * pCurrentConfig = NULL;
int rval;
if (sip_swap_config == NULL)
return 0;
pPolicyConfig = (SIPConfig *)sfPolicyUserDataGet(sip_swap_config, _dpd.getDefaultPolicy());
if ( pPolicyConfig == NULL )
return 0;
if (sip_config != NULL)
{
pCurrentConfig = (SIPConfig *)sfPolicyUserDataGet(sip_config, _dpd.getDefaultPolicy());
if (!pCurrentConfig)
return 0;
if (pPolicyConfig->maxNumSessions != pCurrentConfig->maxNumSessions)
{
_dpd.errMsg("SIP reload: Changing the max_sessions requires a restart.\n");
return -1;
}
}
// validate each policy and do per policy initialization processing
if ((rval = sfPolicyUserDataIterate (sc, sip_config, SIPCheckPolicyConfig)))
return rval;
return 0;
}
/* Registered as a callback with our SSH data blocks when
* they are added to the underlying stream session. Called
* by the stream preprocessor when a session is about to be
* destroyed.
*
* PARAMETERS:
*
* idatap: Pointer to the moribund data.
*
* RETURNS: Nothing.
*/
static void
FreeSSHData( void* idatap )
{
SSHData *ssn = (SSHData *)idatap;
SSHConfig *config = NULL;
if (ssn == NULL)
return;
if (ssn->config != NULL)
{
config = (SSHConfig *)sfPolicyUserDataGet(ssn->config, ssn->policy_id);
}
if (config != NULL)
{
config->ref_count--;
if ((config->ref_count == 0) &&
(ssn->config != ssh_config))
{
sfPolicyUserDataClear (ssn->config, ssn->policy_id);
free(config);
if (sfPolicyUserPolicyGetActive(ssn->config) == 0)
{
/* No more outstanding configs - free the config array */
SSHFreeConfig(ssn->config);
}
}
}
free(ssn);
}
static void FreeModbusData(void *data)
{
modbus_session_data_t *session = (modbus_session_data_t *)data;
modbus_config_t *config = NULL;
if (session == NULL)
return;
if (session->context_id != NULL)
{
config = (modbus_config_t *)sfPolicyUserDataGet(session->context_id, session->policy_id);
}
if (config != NULL)
{
config->ref_count--;
if ((config->ref_count == 0) &&
(session->context_id != modbus_context_id))
{
sfPolicyUserDataClear(session->context_id, session->policy_id);
free(config);
if (sfPolicyUserPolicyGetActive(session->context_id) == 0)
{
/* No more outstanding configs - free the config array */
ModbusFreeConfig(session->context_id);
}
}
}
free(session);
}
static void FreeDNP3Data(void *bucket)
{
MemBucket *tmp_bucket = (MemBucket *)bucket;
dnp3_session_data_t *session;
dnp3_config_t *config = NULL;
if ((tmp_bucket == NULL) || (tmp_bucket->data == NULL))
return;
session = tmp_bucket->data;
if (session->context_id != NULL)
{
config = (dnp3_config_t *)sfPolicyUserDataGet(session->context_id, session->policy_id);
}
if (config != NULL)
{
config->ref_count--;
if ((config->ref_count == 0) &&
(session->context_id != dnp3_context_id))
{
sfPolicyUserDataClear(session->context_id, session->policy_id);
free(config);
if (sfPolicyUserPolicyGetActive(session->context_id) == 0)
{
/* No more outstanding configs - free the config array */
DNP3FreeConfig(session->context_id);
}
}
}
mempool_free(dnp3_mempool, tmp_bucket);
}
/*
* Function: FTPFreeSession(void *preproc_session)
*
* Purpose: This function frees the data that is associated with a session.
*
* Arguments: preproc_session => pointer to the session to free
*
* Returns: None
*/
static void FTPFreeSession(void *preproc_session)
{
FTP_SESSION *ssn = (FTP_SESSION *)preproc_session;
FTPTELNET_GLOBAL_CONF *pPolicyConfig = NULL;
if (ssn == NULL)
return;
pPolicyConfig = (FTPTELNET_GLOBAL_CONF *)sfPolicyUserDataGet(ssn->global_conf, ssn->policy_id);
if (pPolicyConfig != NULL)
{
pPolicyConfig->ref_count--;
if ((pPolicyConfig->ref_count == 0) &&
(ssn->global_conf != ftp_telnet_config))
{
sfPolicyUserDataClear (ssn->global_conf, ssn->policy_id);
FTPTelnetFreeConfig(pPolicyConfig);
if (sfPolicyUserPolicyGetActive(ssn->global_conf) == 0)
FTPTelnetFreeConfigs(ssn->global_conf);
}
}
if (ssn->filename)
{
free(ssn->filename);
}
free(ssn);
}
// *DROP* flags are set to mark the direction(s) for which traffic was
// seen since last reset and then cleared after sending new attempt so
// that we only send in the still active direction(s).
void Stream5ActiveResponse(Packet* p, Stream5LWSession *lwssn)
{
Stream5Config *config = sfPolicyUserDataGet(s5_config, getRuntimePolicy());
uint8_t max = config->global_config->max_active_responses;
if ( p->packet_flags & PKT_FROM_CLIENT )
lwssn->session_state |= STREAM5_STATE_DROP_CLIENT;
else
lwssn->session_state |= STREAM5_STATE_DROP_SERVER;
if ( (lwssn->response_count < max) && Stream5GetExpire(p, lwssn) )
{
uint32_t delay = config->global_config->min_response_seconds;
EncodeFlags flags =
( (lwssn->session_state & STREAM5_STATE_DROP_CLIENT) &&
(lwssn->session_state & STREAM5_STATE_DROP_SERVER) ) ?
ENC_FLAG_FWD : 0; // reverse dir is always true
Active_KillSession(p, &flags);
++lwssn->response_count;
Stream5SetExpire(p, lwssn, delay);
lwssn->session_state &= ~(STREAM5_STATE_DROP_CLIENT|STREAM5_STATE_DROP_SERVER);
}
}
/*
* Function: FTPFreeSession(void *preproc_session)
*
* Purpose: This function frees the data that is associated with a session.
*
* Arguments: preproc_session => pointer to the session to free
*
* Returns: None
*/
static void FTPFreeSession(void *preproc_session)
{
FTP_SESSION *ssn = (FTP_SESSION *)preproc_session;
FTPTELNET_GLOBAL_CONF *pPolicyConfig = NULL;
ssl_callback_interface_t *ssl_cb = (ssl_callback_interface_t *)_dpd.getSSLCallback();
if (ssn == NULL)
return;
pPolicyConfig = (FTPTELNET_GLOBAL_CONF *)sfPolicyUserDataGet(ssn->global_conf, ssn->policy_id);
if (pPolicyConfig != NULL)
{
pPolicyConfig->ref_count--;
if ((pPolicyConfig->ref_count == 0) &&
(ssn->global_conf != ftp_telnet_config))
{
sfPolicyUserDataClear (ssn->global_conf, ssn->policy_id);
FTPTelnetFreeConfig(pPolicyConfig);
if (sfPolicyUserPolicyGetActive(ssn->global_conf) == 0)
FTPTelnetFreeConfigs(ssn->global_conf);
}
}
if (ssn->filename)
{
free(ssn->filename);
}
if ( ssl_cb )
ssl_cb->session_free(ssn->flow_id);
free(ssn);
}
int ps_get_protocols(struct _SnortConfig *sc, tSfPolicyId policyId)
{
tSfPolicyUserContextId config = portscan_config;
PortscanConfig *pPolicyConfig = NULL;
#ifdef SNORT_RELOAD
/* This is called during configuration time so use the swap
* config if it exists */
tSfPolicyUserContextId portscan_swap_config;
portscan_swap_config = (tSfPolicyUserContextId)GetRelatedReloadData(sc, "sfportscan");
if (portscan_swap_config != NULL)
config = portscan_swap_config;
#endif
if( config == NULL)
return 0;
pPolicyConfig = (PortscanConfig *)sfPolicyUserDataGet(config, policyId);
if (pPolicyConfig == NULL)
return 0;
/* Disabled in this policy */
if (pPolicyConfig->disabled == 1)
return 0;
return pPolicyConfig->detect_scans;
}
int SSLReloadVerify(struct _SnortConfig *sc, void *swap_config)
{
tSfPolicyUserContextId ssl_swap_config = (tSfPolicyUserContextId)swap_config;
SSLPP_config_t *reload_config = NULL;
SSLPP_config_t *start_config = NULL;
tSfPolicyId policyId = _dpd.getDefaultPolicy();
int ret = 0;
if (!_dpd.isPreprocEnabled(sc, PP_STREAM))
{
_dpd.errMsg("SSLPP_init(): The Stream preprocessor must be enabled.\n");
return -1;
}
if (!ssl_swap_config || !ssl_config)
return 0;
reload_config = (SSLPP_config_t *)sfPolicyUserDataGet(ssl_swap_config, policyId);
start_config = (SSLPP_config_t *)sfPolicyUserDataGet(ssl_config, policyId);
if( !reload_config || !start_config )
{
_dpd.errMsg("SSL reload: Turning on or off SSL preprocessor requires a restart.\n");
return -1;
}
if ( reload_config->memcap != start_config->memcap )
{
_dpd.errMsg("SSL reload: Changing the memcap requires a restart.\n");
return -1;
}
if ( reload_config->decrypt_memcap != start_config->decrypt_memcap )
{
_dpd.errMsg("SSL reload: Changing the decrypt_memcap requires a restart.\n");
return -1;
}
ret = SSLPP_PolicyInit(sc, ssl_swap_config, reload_config, policyId, true);
if (!ret)
{
start_config->reload_handle = reload_config->current_handle;
}
return ret;
}
static int DCE2_ReloadVerifyPolicy(
tSfPolicyUserContextId config,
tSfPolicyId policyId,
void* pData
)
{
DCE2_Config *swap_config = (DCE2_Config *)pData;
DCE2_Config *current_config = (DCE2_Config *)sfPolicyUserDataGet(dce2_config, policyId);
DCE2_ServerConfig *dconfig;
//do any housekeeping before freeing DCE2_Config
if ( swap_config == NULL || swap_config->gconfig->disabled )
return 0;
if (!_dpd.isPreprocEnabled(PP_STREAM5))
{
DCE2_Die("%s(%d) \"%s\" configuration: "
"Stream5 must be enabled with TCP and UDP tracking.",
*_dpd.config_file, *_dpd.config_line, DCE2_GNAME);
}
dconfig = swap_config->dconfig;
if (dconfig == NULL)
DCE2_CreateDefaultServerConfig(swap_config, policyId);
#ifdef TARGET_BASED
if (!_dpd.isAdaptiveConfigured(policyId, 1))
#endif
{
DCE2_ScCheckTransports(swap_config);
}
#ifdef ENABLE_PAF
DCE2_AddPortsToPaf(swap_config, policyId);
#endif
/* Register routing table memory */
if (swap_config->sconfigs != NULL)
DCE2_RegMem(sfrt_usage(swap_config->sconfigs), DCE2_MEM_TYPE__RT);
if (current_config == NULL)
return 0;
if (swap_config->gconfig->memcap != current_config->gconfig->memcap)
{
_dpd.errMsg("dcerpc2 reload: Changing the memcap requires a restart.\n");
DCE2_FreeConfigs(dce2_swap_config);
dce2_swap_config = NULL;
return -1;
}
return 0;
}
/* Check that Stream5 is still running, and that the memcap didn't change. */
static int DNP3ReloadVerify(struct _SnortConfig *sc, void *swap_config)
{
tSfPolicyUserContextId dnp3_swap_context_id = (tSfPolicyUserContextId)swap_config;
dnp3_config_t *current_default_config, *new_default_config;
if ((dnp3_context_id == NULL) || (dnp3_swap_context_id == NULL))
return 0;
current_default_config =
(dnp3_config_t *)sfPolicyUserDataGet(dnp3_context_id, _dpd.getDefaultPolicy());
new_default_config =
(dnp3_config_t *)sfPolicyUserDataGet(dnp3_swap_context_id, _dpd.getDefaultPolicy());
/* Sanity check. Shouldn't be possible. */
if (current_default_config == NULL)
return 0;
if (new_default_config == NULL)
{
_dpd.errMsg("DNP3 reload: Changing the DNP3 configuration "
"requires a restart.\n");
return -1;
}
/* Did memcap change? */
if (current_default_config->memcap != new_default_config->memcap)
{
_dpd.errMsg("DNP3 reload: Changing the DNP3 memcap "
"requires a restart.\n");
return -1;
}
/* Did stream5 get turned off? */
if (!_dpd.isPreprocEnabled(sc, PP_STREAM5))
{
_dpd.errMsg("SetupDNP3(): The Stream preprocessor must be enabled.\n");
return -1;
}
return 0;
}
static int SIPReloadVerify(void)
{
SIPConfig * pPolicyConfig = NULL;
SIPConfig * pCurrentConfig = NULL;
if (sip_swap_config == NULL)
return 0;
pPolicyConfig = (SIPConfig *)sfPolicyUserDataGet(sip_swap_config, _dpd.getDefaultPolicy());
if (!pPolicyConfig)
return 0;
if ( pPolicyConfig->disabled )
return 0;
if (!_dpd.isPreprocEnabled(PP_STREAM5))
{
DynamicPreprocessorFatalMessage("SetupSIP(): The Stream preprocessor must be enabled.\n");
}
if (sip_config != NULL)
{
pCurrentConfig = (SIPConfig *)sfPolicyUserDataGet(sip_config, _dpd.getDefaultPolicy());
}
if (!pCurrentConfig)
return 0;
if (pPolicyConfig->maxNumSessions != pCurrentConfig->maxNumSessions)
{
_dpd.errMsg("SIP reload: Changing the max_sessions requires a restart.\n");
SIPFreeConfig(sip_swap_config);
sip_swap_config = NULL;
return -1;
}
return 0;
}
static int SIPReloadVerify(struct _SnortConfig *sc, void *swap_config)
{
tSfPolicyUserContextId sip_swap_config = (tSfPolicyUserContextId)swap_config;
SIPConfig * pPolicyConfig = NULL;
SIPConfig * pCurrentConfig = NULL;
if (sip_swap_config == NULL)
return 0;
pPolicyConfig = (SIPConfig *)sfPolicyUserDataGet(sip_swap_config, _dpd.getDefaultPolicy());
if (!pPolicyConfig)
return 0;
if ( pPolicyConfig->disabled )
return 0;
if (!_dpd.isPreprocEnabled(sc, PP_STREAM5))
{
_dpd.errMsg("SetupSIP(): The Stream preprocessor must be enabled.\n");
return -1;
}
if (sip_config != NULL)
{
pCurrentConfig = (SIPConfig *)sfPolicyUserDataGet(sip_config, _dpd.getDefaultPolicy());
}
if (!pCurrentConfig)
return 0;
if (pPolicyConfig->maxNumSessions != pCurrentConfig->maxNumSessions)
{
_dpd.errMsg("SIP reload: Changing the max_sessions requires a restart.\n");
return -1;
}
return 0;
}
static int FileReloadVerify(struct _SnortConfig *sc, void *swap_config)
{
tSfPolicyUserContextId file_swap_config = (tSfPolicyUserContextId)swap_config;
FileInspectConf * pPolicyConfig = NULL;
FileInspectConf * pCurrentConfig = NULL;
if (file_swap_config == NULL)
return 0;
pPolicyConfig = (FileInspectConf *)sfPolicyUserDataGet(file_swap_config, _dpd.getDefaultPolicy());
if (!pPolicyConfig)
return 0;
if (file_config != NULL)
{
pCurrentConfig = (FileInspectConf *)sfPolicyUserDataGet(file_config, _dpd.getDefaultPolicy());
}
if (!pCurrentConfig)
return 0;
if (file_config_compare(pCurrentConfig, pPolicyConfig))
{
_dpd.errMsg("File inspect reload: Changing file settings requires a restart.\n");
return -1;
}
if (!_dpd.isPreprocEnabled(sc, PP_STREAM))
{
_dpd.errMsg("SetupFile(): The Stream preprocessor must be enabled.\n");
return -1;
}
return 0;
}
/***********************************************************************
* Registered as a callback with our SIP data blocks when
* they are added to the underlying stream session. Called
* by the stream preprocessor when a session is about to be
* destroyed.
*
* PARAMETERS:
*
* idatap: Pointer to the moribund data.
*
* RETURNS: Nothing.
***********************************************************************/
static void FreeSIPData( void* idatap )
{
SIPData *ssn = (SIPData *)idatap;
SIPConfig *config = NULL;
if (ssn == NULL)
return;
if (numSessions > 0)
numSessions--;
/*Free all the dialog data*/
sip_freeDialogs(&ssn->dialogs);
/*Clean the configuration data*/
if (ssn->config != NULL)
{
config = (SIPConfig *)sfPolicyUserDataGet(ssn->config, ssn->policy_id);
}
if (config == NULL)
{
free(ssn);
return;
}
config->ref_count--;
if ((config->ref_count == 0) && (ssn->config != sip_config))
{
sfPolicyUserDataClear (ssn->config, ssn->policy_id);
free(config);
if (sfPolicyUserPolicyGetActive(ssn->config) == 0)
{
/* No more outstanding configs - free the config array */
SIPFreeConfig(ssn->config);
}
}
free(ssn);
}
/***********************************************************************
* Registered as a callback with our GTP data blocks when
* they are added to the underlying stream session. Called
* by the stream preprocessor when a session is about to be
* destroyed.
*
* PARAMETERS:
*
* idatap: Pointer to the moribund data.
*
* RETURNS: Nothing.
***********************************************************************/
static void FreeGTPData( void* idatap )
{
GTPData *ssn = (GTPData *)idatap;
GTPConfig *config = NULL;
if (ssn == NULL)
return;
if (numSessions > 0)
numSessions--;
/*Clean the configuration data*/
if (ssn->config != NULL)
{
config = (GTPConfig *)sfPolicyUserDataGet(ssn->config, ssn->policy_id);
}
if (config == NULL)
{
free(ssn);
return;
}
config->ref_count--;
if ((config->ref_count == 0) && (ssn->config != gtp_config))
{
sfPolicyUserDataClear (ssn->config, ssn->policy_id);
free(config);
if (sfPolicyUserPolicyGetActive(ssn->config) == 0)
{
/* No more outstanding configs - free the config array */
GTPFreeConfig(ssn->config);
}
}
free(ssn);
}
int RemoveLWSession(Stream5SessionCache *sessionCache, Stream5LWSession *ssn)
{
Stream5Config *pPolicyConfig = NULL;
tSfPolicyId policy_id = ssn->policy_id;
mempool_free(&s5FlowMempool, ssn->flowdata);
ssn->flowdata = NULL;
pPolicyConfig = (Stream5Config *)sfPolicyUserDataGet(ssn->config, policy_id);
if (pPolicyConfig != NULL)
{
pPolicyConfig->ref_count--;
if ((pPolicyConfig->ref_count == 0) && (ssn->config != s5_config))
{
sfPolicyUserDataClear (ssn->config, policy_id);
Stream5FreeConfig(pPolicyConfig);
if (sfPolicyUserPolicyGetActive(ssn->config) == 0)
Stream5FreeConfigs(ssn->config);
}
}
return sfxhash_remove(sessionCache->hashTable, &(ssn->key));
}
/* Main runtime entry point for SIP preprocessor.
* Analyzes SIP packets for anomalies/exploits.
*
* PARAMETERS:
*
* packetp: Pointer to current packet to process.
* contextp: Pointer to context block, not used.
*
* RETURNS: Nothing.
*/
static void SIPmain( void* ipacketp, void* contextp )
{
SIPData* sessp = NULL;
uint8_t source = 0;
uint8_t dest = 0;
SFSnortPacket* packetp;
#ifdef TARGET_BASED
int16_t app_id = SFTARGET_UNKNOWN_PROTOCOL;
#endif
tSfPolicyId policy_id = _dpd.getRuntimePolicy();
PROFILE_VARS;
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__START_MSG));
packetp = (SFSnortPacket*) ipacketp;
sfPolicyUserPolicySet (sip_config, policy_id);
/* Make sure this preprocessor should run. */
if (( !packetp ) || ( !packetp->payload ) ||( !packetp->payload_size ))
{
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "No payload - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
return;
}
/* check if we're waiting on stream reassembly */
else if ( packetp->flags & FLAG_STREAM_INSERT)
{
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Stream inserted - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
return;
}
else if (!IsTCP(packetp) && !IsUDP(packetp))
{
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Not UDP or TCP - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
return;
}
PREPROC_PROFILE_START(sipPerfStats);
sip_eval_config = sfPolicyUserDataGetCurrent(sip_config);
/* Attempt to get a previously allocated SIP block. */
sessp = _dpd.streamAPI->get_application_data(packetp->stream_session_ptr, PP_SIP);
if (sessp != NULL)
{
sip_eval_config = sfPolicyUserDataGet(sessp->config, sessp->policy_id);
}
if (sessp == NULL)
{
/* If not doing autodetection, check the ports to make sure this is
* running on an SIP port, otherwise no need to examine the traffic.
*/
#ifdef TARGET_BASED
app_id = _dpd.streamAPI->get_application_protocol_id(packetp->stream_session_ptr);
if (app_id == SFTARGET_UNKNOWN_PROTOCOL)
{
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Unknown protocol - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
PREPROC_PROFILE_END(sipPerfStats);
return;
}
else if (app_id && (app_id != sip_app_id))
{
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Not SIP - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
PREPROC_PROFILE_END(sipPerfStats);
return;
}
else if (!app_id)
{
#endif
source = (uint8_t)CheckSIPPort( packetp->src_port );
dest = (uint8_t)CheckSIPPort( packetp->dst_port );
if ( !source && !dest )
{
/* Not one of the ports we care about. */
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Not SIP ports - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
PREPROC_PROFILE_END(sipPerfStats);
return;
}
#ifdef TARGET_BASED
}
#endif
/* Check the stream session. If it does not currently
* have our SIP data-block attached, create one.
*/
sessp = SIPGetNewSession(packetp, policy_id);
if ( !sessp )
{
/* Could not get/create the session data for this packet. */
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Create session error - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
PREPROC_PROFILE_END(sipPerfStats);
return;
}
}
/* Don't process if we've missed packets */
if (sessp->state_flags & SIP_FLG_MISSED_PACKETS)
{
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Missed packets - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
PREPROC_PROFILE_END(sipPerfStats);
return;
}
/* If we picked up mid-stream or missed any packets (midstream pick up
* means we've already missed packets) set missed packets flag and make
* sure we don't do any more reassembly on this session */
if (IsTCP(packetp))
{
if ((_dpd.streamAPI->get_session_flags(packetp->stream_session_ptr) & SSNFLAG_MIDSTREAM)
|| _dpd.streamAPI->missed_packets(packetp->stream_session_ptr, SSN_DIR_BOTH))
{
_dpd.streamAPI->set_reassembly(packetp->stream_session_ptr,
STREAM_FLPOLICY_IGNORE, SSN_DIR_BOTH,
STREAM_FLPOLICY_SET_ABSOLUTE);
sessp->state_flags |= SIP_FLG_MISSED_PACKETS;
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "Missed packets - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
PREPROC_PROFILE_END(sipPerfStats);
return;
}
}
/* We're interested in this session. Turn on stream reassembly. */
if ( !(sessp->state_flags & SIP_FLG_REASSEMBLY_SET ))
{
_dpd.streamAPI->set_reassembly(packetp->stream_session_ptr,
STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_BOTH, STREAM_FLPOLICY_SET_ABSOLUTE);
sessp->state_flags |= SIP_FLG_REASSEMBLY_SET;
}
/*
* Start process PAYLOAD
*/
SIP_Process(packetp,sessp);
DEBUG_WRAP(DebugMessage(DEBUG_SIP, "%s\n", SIP_DEBUG__END_MSG));
PREPROC_PROFILE_END(sipPerfStats);
}
static void ParseDNP3Args(struct _SnortConfig *sc, dnp3_config_t *config, char *args)
{
char *saveptr;
char *token;
/* Set defaults */
config->memcap = DNP3_DEFAULT_MEMCAP;
config->ports[PORT_INDEX(DNP3_PORT)] |= CONV_PORT(DNP3_PORT);
config->check_crc = 0;
/* No arguments? Stick with defaults. */
if (args == NULL)
return;
token = strtok_r(args, " ,", &saveptr);
while (token != NULL)
{
if (strcmp(token, DNP3_PORTS_KEYWORD) == 0)
{
unsigned nPorts = 0;
/* Un-set the default port */
config->ports[PORT_INDEX(DNP3_PORT)] = 0;
/* Parse ports */
token = strtok_r(NULL, " ,", &saveptr);
if (token == NULL)
{
DynamicPreprocessorFatalMessage("%s(%d): Missing argument for "
"DNP3 preprocessor 'ports' option.\n",
*_dpd.config_file, *_dpd.config_line);
}
if (isdigit(token[0]))
{
ParseSinglePort(config, token);
nPorts++;
}
else if (*token == '{')
{
/* list of ports */
token = strtok_r(NULL, " ,", &saveptr);
while (token != NULL && *token != '}')
{
ParseSinglePort(config, token);
nPorts++;
token = strtok_r(NULL, " ,", &saveptr);
}
}
else
{
nPorts = 0;
}
if ( nPorts == 0 )
{
DynamicPreprocessorFatalMessage("%s(%d): Bad DNP3 'ports' argument: '%s'\n"
"Argument to DNP3 'ports' must be an integer, or a list "
"enclosed in { } braces.\n",
*_dpd.config_file, *_dpd.config_line, token);
}
}
else if (strcmp(token, DNP3_MEMCAP_KEYWORD) == 0)
{
uint32_t memcap;
char *endptr;
/* Parse memcap */
token = strtok_r(NULL, " ", &saveptr);
/* In a multiple policy scenario, the memcap from the default policy
overrides the memcap in any targeted policies. */
if (_dpd.getParserPolicy(sc) != _dpd.getDefaultPolicy())
{
dnp3_config_t *default_config =
(dnp3_config_t *)sfPolicyUserDataGet(dnp3_context_id,
_dpd.getDefaultPolicy());
if (!default_config || default_config->memcap == 0)
{
DynamicPreprocessorFatalMessage("%s(%d): DNP3 'memcap' must be "
"configured in the default config.\n",
*_dpd.config_file, *_dpd.config_line);
}
config->memcap = default_config->memcap;
}
else
{
if (token == NULL)
{
DynamicPreprocessorFatalMessage("%s(%d): Missing argument for DNP3 "
"preprocessor 'memcap' option.\n",
*_dpd.config_file, *_dpd.config_line);
}
memcap = _dpd.SnortStrtoul(token, &endptr, 10);
if ((token[0] == '-') || (*endptr != '\0') ||
(memcap < MIN_DNP3_MEMCAP) || (memcap > MAX_DNP3_MEMCAP))
{
DynamicPreprocessorFatalMessage("%s(%d): Bad DNP3 'memcap' argument: %s\n"
"Argument to DNP3 'memcap' must be an integer between "
"%d and %d.\n", *_dpd.config_file, *_dpd.config_line,
token, MIN_DNP3_MEMCAP, MAX_DNP3_MEMCAP);
}
config->memcap = memcap;
}
}
else if (strcmp(token, DNP3_CHECK_CRC_KEYWORD) == 0)
{
/* Parse check_crc */
config->check_crc = 1;
}
else if (strcmp(token, DNP3_DISABLED_KEYWORD) == 0)
{
/* TODO: if disabled, check that no other stuff is turned on except memcap */
config->disabled = 1;
}
else
{
DynamicPreprocessorFatalMessage("%s(%d): Failed to parse dnp3 argument: "
"%s\n", *_dpd.config_file, *_dpd.config_line, token);
}
token = strtok_r(NULL, " ,", &saveptr);
}
}
/*********************************************************************
* Function: DCE2_Process()
*
* Purpose: Main entry point for DCE/RPC processing.
*
* Arguments:
* SFSnortPacket * - pointer to packet structure
*
* Returns:
* DCE2_Ret - status
*
*********************************************************************/
DCE2_Ret DCE2_Process(SFSnortPacket *p)
{
tSfPolicyId policy_id = _dpd.getNapRuntimePolicy();
DCE2_SsnData *sd = (DCE2_SsnData *)DCE2_SsnGetAppData(p);
PROFILE_VARS;
PREPROC_PROFILE_START(dce2_pstat_session);
if ((sd != NULL) && DCE2_SsnNoInspect(sd))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Session set to "
"not inspect. Returning\n"));
PREPROC_PROFILE_END(dce2_pstat_session);
return DCE2_RET__NOT_INSPECTED;
}
dce2_eval_config = (DCE2_Config *)sfPolicyUserDataGet(dce2_config, policy_id);
if (sd != NULL)
dce2_eval_config = (DCE2_Config *)sfPolicyUserDataGet(sd->config, sd->policy_id);
if (dce2_eval_config == NULL)
{
PREPROC_PROFILE_END(dce2_pstat_session);
return DCE2_RET__NOT_INSPECTED;
}
if (sd == NULL)
{
sd = DCE2_NewSession(p, policy_id);
if (sd == NULL)
{
PREPROC_PROFILE_END(dce2_pstat_session);
return DCE2_RET__NOT_INSPECTED;
}
}
else
{
sd->wire_pkt = p;
if (_dpd.isPafEnabled() && !DCE2_SsnIsPafActive(p))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "PAF was aborted on "
"one or both sides - aborting session inspection\n"));
DCE2_SetNoInspect(sd);
PREPROC_PROFILE_END(dce2_pstat_session);
return DCE2_RET__NOT_INSPECTED;
}
if (IsTCP(p) && !DCE2_SsnIsRebuilt(p))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Got non-rebuilt packet "
"on session (%p)\n", (void *)sd));
if (DCE2_SsnIsStreamInsert(p))
{
if (!_dpd.isPafEnabled())
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Flushing opposite direction.\n"));
DCE2_SsnFlush(p);
}
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Stream inserted - not inspecting.\n"));
}
else
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Got non-stream inserted packet "
"- not inspecting\n"));
}
PREPROC_PROFILE_END(dce2_pstat_session);
return DCE2_RET__NOT_INSPECTED;
}
else if (DCE2_SsnAutodetected(sd) && !(p->flags & sd->autodetect_dir))
{
/* Try to autodetect in opposite direction */
if ((sd->trans != DCE2_TRANS_TYPE__HTTP_PROXY) &&
(sd->trans != DCE2_TRANS_TYPE__HTTP_SERVER) &&
(DCE2_GetAutodetectTransport(p, sd->sconfig) != sd->trans))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Bad autodetect.\n"));
DCE2_SetNoInspect(sd);
dce2_stats.bad_autodetects++;
PREPROC_PROFILE_END(dce2_pstat_session);
return DCE2_RET__NOT_INSPECTED;
}
DCE2_SsnClearAutodetected(sd);
}
}
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Session pointer: %p\n", (void *)sd));
if (IsTCP(p) && (DCE2_SetSsnState(sd, p) != DCE2_RET__SUCCESS))
{
PREPROC_PROFILE_END(dce2_pstat_session);
return DCE2_RET__NOT_INSPECTED;
}
if (DCE2_PushPkt((void *)p) != DCE2_RET__SUCCESS)
{
DCE2_Log(DCE2_LOG_TYPE__ERROR,
"%s(%d) Failed to push packet onto packet stack.",
__FILE__, __LINE__);
PREPROC_PROFILE_END(dce2_pstat_session);
return DCE2_RET__NOT_INSPECTED;
}
p->flags |= FLAG_ALLOW_MULTIPLE_DETECT;
dce2_detected = 0;
PREPROC_PROFILE_END(dce2_pstat_session);
switch (sd->trans)
{
case DCE2_TRANS_TYPE__SMB:
DCE2_SmbProcess((DCE2_SmbSsnData *)sd);
break;
case DCE2_TRANS_TYPE__TCP:
DCE2_TcpProcess((DCE2_TcpSsnData *)sd);
break;
case DCE2_TRANS_TYPE__UDP:
DCE2_UdpProcess((DCE2_UdpSsnData *)sd);
break;
case DCE2_TRANS_TYPE__HTTP_PROXY:
DCE2_HttpProcessProxy((DCE2_HttpSsnData *)sd);
break;
case DCE2_TRANS_TYPE__HTTP_SERVER:
DCE2_HttpProcessServer((DCE2_HttpSsnData *)sd);
break;
default:
DCE2_Log(DCE2_LOG_TYPE__ERROR,
"%s(%d) Invalid transport type: %d",
__FILE__, __LINE__, sd->trans);
return DCE2_RET__NOT_INSPECTED;
}
if (sd->flags & DCE2_SSN_FLAG__NO_INSPECT)
{
DCE2_SetNoInspect(sd);
DCE2_PopPkt();
PREPROC_PROFILE_END(dce2_pstat_session);
return DCE2_RET__NOT_INSPECTED;
}
if (!dce2_detected)
DCE2_Detect(sd);
DCE2_ResetRopts(&sd->ropts);
DCE2_PopPkt();
if (dce2_mem_state == DCE2_MEM_STATE__MEMCAP)
{
DCE2_SetNoInspect(sd);
dce2_mem_state = DCE2_MEM_STATE__OKAY;
return DCE2_RET__NOT_INSPECTED;
}
if (DCE2_SsnAutodetected(sd))
return DCE2_RET__NOT_INSPECTED;
return DCE2_RET__INSPECTED;
}
/* Main runtime entry point for SSH preprocessor.
* Analyzes SSH packets for anomalies/exploits.
*
* PARAMETERS:
*
* packetp: Pointer to current packet to process.
* contextp: Pointer to context block, not used.
*
* RETURNS: Nothing.
*/
static void
ProcessSSH( void* ipacketp, void* contextp )
{
SSHData* sessp = NULL;
uint8_t source = 0;
uint8_t dest = 0;
uint8_t known_port = 0;
uint8_t direction;
SFSnortPacket* packetp;
#ifdef TARGET_BASED
int16_t app_id = SFTARGET_UNKNOWN_PROTOCOL;
#endif
tSfPolicyId policy_id = _dpd.getRuntimePolicy();
PROFILE_VARS;
packetp = (SFSnortPacket*) ipacketp;
sfPolicyUserPolicySet (ssh_config, policy_id);
/* Make sure this preprocessor should run. */
if (( !packetp ) ||
( !packetp->payload ) ||
( !packetp->payload_size ) ||
( !IPH_IS_VALID(packetp) ) ||
( !packetp->tcp_header ) ||
/* check if we're waiting on stream reassembly */
( packetp->flags & FLAG_STREAM_INSERT))
{
return;
}
PREPROC_PROFILE_START(sshPerfStats);
ssh_eval_config = sfPolicyUserDataGetCurrent(ssh_config);
/* Attempt to get a previously allocated SSH block. */
sessp = _dpd.streamAPI->get_application_data(packetp->stream_session_ptr, PP_SSH);
if (sessp != NULL)
{
ssh_eval_config = sfPolicyUserDataGet(sessp->config, sessp->policy_id);
known_port = 1;
}
if (sessp == NULL)
{
/* If not doing autodetection, check the ports to make sure this is
* running on an SSH port, otherwise no need to examine the traffic.
*/
#ifdef TARGET_BASED
app_id = _dpd.streamAPI->get_application_protocol_id(packetp->stream_session_ptr);
if (app_id == SFTARGET_UNKNOWN_PROTOCOL)
{
PREPROC_PROFILE_END(sshPerfStats);
return;
}
if (app_id && (app_id != ssh_app_id))
{
PREPROC_PROFILE_END(sshPerfStats);
return;
}
if (app_id == ssh_app_id)
{
known_port = 1;
}
if (!app_id)
{
#endif
source = (uint8_t)CheckSSHPort( packetp->src_port );
dest = (uint8_t)CheckSSHPort( packetp->dst_port );
if ( !ssh_eval_config->AutodetectEnabled && !source && !dest )
{
/* Not one of the ports we care about. */
PREPROC_PROFILE_END(sshPerfStats);
return;
}
#ifdef TARGET_BASED
}
#endif
/* Check the stream session. If it does not currently
* have our SSH data-block attached, create one.
*/
sessp = SSHGetNewSession(packetp, policy_id);
if ( !sessp )
{
/* Could not get/create the session data for this packet. */
PREPROC_PROFILE_END(sshPerfStats);
return;
}
/* See if a known server port is involved. */
if (!known_port)
{
known_port = ( source || dest ? 1 : 0 );
/* If this is a non-SSH port, but autodetect is on, we flag this
session to reduce false positives later on. */
if (!known_port && ssh_eval_config->AutodetectEnabled)
{
sessp->state_flags |= SSH_FLG_AUTODETECTED;
}
}
}
/* Don't process if we've missed packets */
if (sessp->state_flags & SSH_FLG_MISSED_PACKETS)
return;
/* If we picked up mid-stream or missed any packets (midstream pick up
* means we've already missed packets) set missed packets flag and make
* sure we don't do any more reassembly on this session */
if ((_dpd.streamAPI->get_session_flags(packetp->stream_session_ptr) & SSNFLAG_MIDSTREAM)
|| _dpd.streamAPI->missed_packets(packetp->stream_session_ptr, SSN_DIR_BOTH))
{
/* Don't turn off reassembly if autodetected since another preprocessor
* may actually be looking at this session as well and the SSH
* autodetect of this session may be wrong. */
if (!(sessp->state_flags & SSH_FLG_AUTODETECTED))
{
_dpd.streamAPI->set_reassembly(packetp->stream_session_ptr,
STREAM_FLPOLICY_IGNORE, SSN_DIR_BOTH,
STREAM_FLPOLICY_SET_ABSOLUTE);
}
sessp->state_flags |= SSH_FLG_MISSED_PACKETS;
return;
}
/* We're interested in this session. Turn on stream reassembly. */
if ( !(sessp->state_flags & SSH_FLG_REASSEMBLY_SET ))
{
_dpd.streamAPI->set_reassembly(packetp->stream_session_ptr,
STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_BOTH, STREAM_FLPOLICY_SET_APPEND);
sessp->state_flags |= SSH_FLG_REASSEMBLY_SET;
}
/* Get the direction of the packet. */
direction = ( (packetp->flags & FLAG_FROM_SERVER ) ?
SSH_DIR_FROM_SERVER : SSH_DIR_FROM_CLIENT );
if ( !(sessp->state_flags & SSH_FLG_SESS_ENCRYPTED ))
{
/* If server and client have not performed the protocol
* version exchange yet, must look for version strings.
*/
if ( (sessp->state_flags & SSH_FLG_BOTH_IDSTRING_SEEN)
!= SSH_FLG_BOTH_IDSTRING_SEEN )
{
if ( ProcessSSHProtocolVersionExchange( sessp,
packetp, direction, known_port ) ==
SSH_FAILURE )
{
/*Error processing protovers exchange msg */
}
PREPROC_PROFILE_END(sshPerfStats);
return;
}
/* Expecting to see the key init exchange at this point
* (in SSH2) or the actual key exchange if SSH1
*/
if ((( sessp->state_flags & SSH_FLG_V1_KEYEXCH_DONE )
!= SSH_FLG_V1_KEYEXCH_DONE ) &&
((sessp->state_flags & SSH_FLG_V2_KEXINIT_DONE )
!= SSH_FLG_V2_KEXINIT_DONE ))
{
ProcessSSHKeyInitExchange( sessp, packetp, direction );
PREPROC_PROFILE_END(sshPerfStats);
return;
}
/* If SSH2, need to process the actual key exchange msgs.
* The actual key exchange type was negotiated in the
* key exchange init msgs. SSH1 won't arrive here.
*/
ProcessSSHKeyExchange( sessp, packetp, direction );
}
else
{
/* Traffic on this session is currently encrypted.
* Two of the major SSH exploits, SSH1 CRC-32 and
* the Challenge-Response Overflow attack occur within
* the encrypted portion of the SSH session. Therefore,
* the only way to detect these attacks is by examining
* amounts of data exchanged for anomalies.
*/
sessp->num_enc_pkts++;
if ( sessp->num_enc_pkts <= ssh_eval_config->MaxEncryptedPackets )
{
if ( direction == SSH_DIR_FROM_CLIENT )
{
sessp->num_client_bytes += packetp->payload_size;
if ( sessp->num_client_bytes >=
ssh_eval_config->MaxClientBytes )
{
/* Probable exploit in progress.*/
if (sessp->version == SSH_VERSION_1)
{
if ( ssh_eval_config->EnabledAlerts & SSH_ALERT_CRC32 )
{
ALERT(SSH_EVENT_CRC32, SSH_EVENT_CRC32_STR);
_dpd.streamAPI->stop_inspection(
packetp->stream_session_ptr,
packetp,
SSN_DIR_BOTH, -1, 0 );
}
}
else
{
if (ssh_eval_config->EnabledAlerts & SSH_ALERT_RESPOVERFLOW )
{
ALERT(SSH_EVENT_RESPOVERFLOW, SSH_EVENT_RESPOVERFLOW_STR);
_dpd.streamAPI->stop_inspection(
packetp->stream_session_ptr,
packetp,
SSN_DIR_BOTH, -1, 0 );
}
}
}
}
else
{
/*
* Have seen a server response, so
* this appears to be a valid exchange.
* Reset suspicious byte count to zero.
*/
sessp->num_client_bytes = 0;
}
}
else
{
/* Have already examined more than the limit
* of encrypted packets. Both the Gobbles and
* the CRC32 attacks occur during authentication
* and therefore cannot be used late in an
* encrypted session. For performance purposes,
* stop examining this session.
*/
_dpd.streamAPI->stop_inspection(
packetp->stream_session_ptr,
packetp,
SSN_DIR_BOTH, -1, 0 );
}
}
PREPROC_PROFILE_END(sshPerfStats);
}
/*********************************************************************
* Function:
*
* Purpose:
*
* Arguments:
*
* Returns:
*
*********************************************************************/
static DCE2_SsnData * DCE2_NewSession(SFSnortPacket *p, tSfPolicyId policy_id)
{
DCE2_SsnData *sd = NULL;
DCE2_TransType trans;
const DCE2_ServerConfig *sc = DCE2_ScGetConfig(p);
int autodetected = 0;
PROFILE_VARS;
PREPROC_PROFILE_START(dce2_pstat_new_session);
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Creating new session: "));
trans = DCE2_GetTransport(p, sc, &autodetected);
switch (trans)
{
case DCE2_TRANS_TYPE__SMB:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "SMB transport ... "));
sd = (DCE2_SsnData *)DCE2_SmbSsnInit(p);
break;
case DCE2_TRANS_TYPE__TCP:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "TCP transport ... "));
sd = (DCE2_SsnData *)DCE2_TcpSsnInit();
break;
case DCE2_TRANS_TYPE__UDP:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "UDP transport ... "));
sd = (DCE2_SsnData *)DCE2_UdpSsnInit();
break;
case DCE2_TRANS_TYPE__HTTP_PROXY:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "RPC over HTTP proxy transport ... "));
sd = (DCE2_SsnData *)DCE2_HttpProxySsnInit();
break;
case DCE2_TRANS_TYPE__HTTP_SERVER:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "RPC over HTTP server transport ... "));
sd = (DCE2_SsnData *)DCE2_HttpServerSsnInit();
break;
case DCE2_TRANS_TYPE__NONE:
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Not configured to "
"look at this traffic or unable to autodetect - not inspecting.\n"));
PREPROC_PROFILE_END(dce2_pstat_new_session);
return NULL;
default:
DCE2_Log(DCE2_LOG_TYPE__ERROR,
"%s(%d) Invalid transport type: %d",
__FILE__, __LINE__, trans);
PREPROC_PROFILE_END(dce2_pstat_new_session);
return NULL;
}
if (sd == NULL)
{
PREPROC_PROFILE_END(dce2_pstat_new_session);
return NULL;
}
DCE2_SsnSetAppData(p, (void *)sd, DCE2_SsnFree);
dce2_stats.sessions++;
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Created (%p)\n", (void *)sd));
sd->trans = trans;
sd->server_policy = DCE2_ScPolicy(sc);
sd->client_policy = DCE2_POLICY__WINXP; // Default to Windows XP
sd->sconfig = sc;
sd->wire_pkt = p;
sd->policy_id = policy_id;
sd->config = dce2_config;
((DCE2_Config *)sfPolicyUserDataGet(sd->config, policy_id))->ref_count++;
if (autodetected)
{
dce2_stats.sessions_autodetected++;
#ifdef DEBUG
if (DCE2_SsnFromServer(p))
dce2_stats.autoports[p->src_port][trans]++;
else
dce2_stats.autoports[p->dst_port][trans]++;
#endif
DCE2_SsnSetAutodetected(sd, p);
}
/* If we've determined a transport, make sure we're doing
* reassembly on the session */
if (IsTCP(p))
{
int rs_dir = DCE2_SsnGetReassembly(p);
if (!_dpd.isPafEnabled() && (rs_dir != SSN_DIR_BOTH))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN,
"Setting client/server reassembly to FOOTPRINT for this session.\n"));
DCE2_SsnSetReassembly(p);
}
if (!DCE2_SsnIsRebuilt(p))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Got non-rebuilt packet\n"));
if (DCE2_SsnIsStreamInsert(p))
{
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Stream inserted - not inspecting.\n"));
PREPROC_PROFILE_END(dce2_pstat_new_session);
return NULL;
}
else if ((DCE2_SsnFromClient(p) && (rs_dir == SSN_DIR_FROM_SERVER))
|| (DCE2_SsnFromServer(p) && (rs_dir == SSN_DIR_FROM_CLIENT))
|| (rs_dir == SSN_DIR_BOTH))
{
/* Reassembly was already set for this session, but stream
* decided not to use the packet so it's probably not good */
DEBUG_WRAP(DCE2_DebugMsg(DCE2_DEBUG__MAIN, "Got non-stream inserted packet - not inspecting\n"));
PREPROC_PROFILE_END(dce2_pstat_new_session);
return NULL;
}
}
}
PREPROC_PROFILE_END(dce2_pstat_new_session);
return sd;
}
/* Main runtime entry point for GTP preprocessor.
* Analyzes GTP packets for anomalies/exploits.
*
* PARAMETERS:
*
* packetp: Pointer to current packet to process.
* contextp: Pointer to context block, not used.
*
* RETURNS: Nothing.
*/
static void GTPmain( void* ipacketp, void* contextp )
{
GTPData* sessp = NULL;
uint8_t source = 0;
uint8_t dest = 0;
SFSnortPacket* packetp;
#ifdef TARGET_BASED
int16_t app_id = SFTARGET_UNKNOWN_PROTOCOL;
#endif
tSfPolicyId policy_id = _dpd.getRuntimePolicy();
PROFILE_VARS;
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__START_MSG));
packetp = (SFSnortPacket*) ipacketp;
sfPolicyUserPolicySet (gtp_config, policy_id);
/* Make sure this preprocessor should run. */
if (( !packetp ) || ( !packetp->payload ) ||( !packetp->payload_size ))
{
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "No payload - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG));
return;
}
else if (!IsUDP(packetp))
{
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Not UDP - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG));
return;
}
PREPROC_PROFILE_START(gtpPerfStats);
gtp_eval_config = sfPolicyUserDataGetCurrent(gtp_config);
/* Attempt to get a previously allocated GTP block. */
sessp = _dpd.streamAPI->get_application_data(packetp->stream_session_ptr, PP_GTP);
if (sessp != NULL)
{
gtp_eval_config = sfPolicyUserDataGet(sessp->config, sessp->policy_id);
}
if (sessp == NULL)
{
/* If not doing autodetection, check the ports to make sure this is
* running on an GTP port, otherwise no need to examine the traffic.
*/
#ifdef TARGET_BASED
app_id = _dpd.streamAPI->get_application_protocol_id(packetp->stream_session_ptr);
if (app_id == SFTARGET_UNKNOWN_PROTOCOL)
{
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Unknown protocol - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG));
PREPROC_PROFILE_END(gtpPerfStats);
return;
}
else if (app_id && (app_id != gtp_app_id))
{
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Not GTP - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG));
PREPROC_PROFILE_END(gtpPerfStats);
return;
}
else if (!app_id)
{
#endif
source = (uint8_t)CheckGTPPort( packetp->src_port );
dest = (uint8_t)CheckGTPPort( packetp->dst_port );
if ( !source && !dest )
{
/* Not one of the ports we care about. */
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Not GTP ports - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG));
PREPROC_PROFILE_END(gtpPerfStats);
return;
}
#ifdef TARGET_BASED
}
#endif
/* Check the stream session. If it does not currently
* have our GTP data-block attached, create one.
*/
sessp = GTPGetNewSession(packetp, policy_id);
if ( !sessp )
{
/* Could not get/create the session data for this packet. */
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "Create session error - not inspecting.\n"));
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG));
PREPROC_PROFILE_END(gtpPerfStats);
return;
}
}
/* We're interested in this session. Turn on stream reassembly. */
if ( !(sessp->state_flags & GTP_FLG_REASSEMBLY_SET ))
{
_dpd.streamAPI->set_reassembly(packetp->stream_session_ptr,
STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_BOTH, STREAM_FLPOLICY_SET_ABSOLUTE);
sessp->state_flags |= GTP_FLG_REASSEMBLY_SET;
}
/*
* Start process PAYLOAD
*/
GTP_Process(packetp,sessp);
DEBUG_WRAP(DebugMessage(DEBUG_GTP, "%s\n", GTP_DEBUG__END_MSG));
PREPROC_PROFILE_END(gtpPerfStats);
}
