Source code changes of the file "src/dynamic-preprocessors/appid/flow.h" between
snort-2.9.16.1.tar.gz and snort-2.9.17.tar.gz

About: Snort is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.

flow.h  (snort-2.9.16.1):flow.h  (snort-2.9.17)
skipping to change at line 111 skipping to change at line 111
#define SCAN_HTTP_VIA_FLAG (1<<0) #define SCAN_HTTP_VIA_FLAG (1<<0)
#define SCAN_HTTP_USER_AGENT_FLAG (1<<1) #define SCAN_HTTP_USER_AGENT_FLAG (1<<1)
#define SCAN_HTTP_HOST_URL_FLAG (1<<2) #define SCAN_HTTP_HOST_URL_FLAG (1<<2)
#define SCAN_SSL_CERTIFICATE_FLAG (1<<3) #define SCAN_SSL_CERTIFICATE_FLAG (1<<3)
#define SCAN_SSL_HOST_FLAG (1<<4) #define SCAN_SSL_HOST_FLAG (1<<4)
#define SCAN_HOST_PORT_FLAG (1<<5) #define SCAN_HOST_PORT_FLAG (1<<5)
#define SCAN_HTTP_VENDOR_FLAG (1<<6) #define SCAN_HTTP_VENDOR_FLAG (1<<6)
#define SCAN_HTTP_XWORKINGWITH_FLAG (1<<7) #define SCAN_HTTP_XWORKINGWITH_FLAG (1<<7)
#define SCAN_HTTP_CONTENT_TYPE_FLAG (1<<8) #define SCAN_HTTP_CONTENT_TYPE_FLAG (1<<8)
#define SCAN_HTTP_URI_FLAG (1<<9) #define SCAN_HTTP_URI_FLAG (1<<9)
#define SCAN_CERTVIZ_ENABLED_FLAG (1<<10)
#define SCAN_SPOOFED_SNI_FLAG (1<<11)
typedef struct _fflow_info typedef struct _fflow_info
{ {
uint32_t sip; uint32_t sip;
uint32_t dip; uint32_t dip;
uint16_t sport; uint16_t sport;
uint16_t dport; uint16_t dport;
uint8_t protocol; uint8_t protocol;
tAppId appId; tAppId appId;
int flow_prepared; int flow_prepared;
skipping to change at line 137 skipping to change at line 139
typedef struct _tunnelDest typedef struct _tunnelDest
{ {
sfaddr_t ip; sfaddr_t ip;
uint16_t port; uint16_t port;
} tunnelDest; } tunnelDest;
typedef struct _httpSession typedef struct _httpSession
{ {
char *host; char *host;
uint16_t host_buflen;
char *url; char *url;
char *uri; char *uri;
uint16_t host_buflen;
uint16_t uri_buflen; uint16_t uri_buflen;
uint16_t useragent_buflen;
uint16_t response_code_buflen;
char *via; char *via;
char *useragent; char *useragent;
uint16_t useragent_buflen;
char *response_code; char *response_code;
uint16_t response_code_buflen;
char *referer; char *referer;
uint16_t referer_buflen; uint16_t referer_buflen;
char *cookie;
uint16_t cookie_buflen; uint16_t cookie_buflen;
char *content_type;
uint16_t content_type_buflen; uint16_t content_type_buflen;
char *location;
uint16_t location_buflen; uint16_t location_buflen;
char *cookie;
char *content_type;
char *location;
char *body; char *body;
uint16_t body_buflen; uint16_t body_buflen;
char *req_body;
uint16_t req_body_buflen; uint16_t req_body_buflen;
int total_found;
char *req_body;
char *server; char *server;
char *x_working_with; char *x_working_with;
char *new_field[HTTP_FIELD_MAX+1]; char *new_field[HTTP_FIELD_MAX+1];
uint16_t new_field_len[HTTP_FIELD_MAX+1];
uint16_t new_field_len[HTTP_FIELD_MAX+1];
uint16_t fieldOffset[HTTP_FIELD_MAX+1]; uint16_t fieldOffset[HTTP_FIELD_MAX+1];
uint16_t fieldEndOffset[HTTP_FIELD_MAX+1]; uint16_t fieldEndOffset[HTTP_FIELD_MAX+1];
bool new_field_contents;
bool skip_simple_detect; // Flag to indicate if simple detection of clien
t ID, payload ID, etc
// should be skipped
fflow_info *fflow; fflow_info *fflow;
bool new_field_contents;
int chp_finished; int chp_finished;
tAppId chp_candidate; tAppId chp_candidate;
tAppId chp_alt_candidate; tAppId chp_alt_candidate;
int chp_hold_flow; int chp_hold_flow;
int ptype_req_counts[NUMBER_OF_PTYPES]; int ptype_req_counts[NUMBER_OF_PTYPES];
int total_found;
unsigned app_type_flags; unsigned app_type_flags;
int get_offsets_from_rebuilt;
int num_matches; int num_matches;
int num_scans; int num_scans;
int get_offsets_from_rebuilt; int numXffFields;
bool skip_simple_detect; // Flag to indicate if simple detection of clien
t ID, payload ID, etc
// should be skipped
sfaddr_t* xffAddr; sfaddr_t* xffAddr;
char** xffPrecedence; char** xffPrecedence;
int numXffFields;
tunnelDest *tunDest; tunnelDest *tunDest;
bool is_tunnel;
#if RESPONSE_CODE_PACKET_THRESHHOLD #if RESPONSE_CODE_PACKET_THRESHHOLD
unsigned response_code_packets; unsigned response_code_packets;
#endif #endif
} httpSession; } httpSession;
// For dnsSession.state: // For dnsSession.state:
#define DNS_GOT_QUERY 0x01 #define DNS_GOT_QUERY 0x01
#define DNS_GOT_RESPONSE 0x02 #define DNS_GOT_RESPONSE 0x02
typedef struct _dnsSession typedef struct _dnsSession
{ {
uint8_t state; // state uint8_t state; // state
uint8_t host_len; // for host uint8_t host_len; // for host
uint8_t response_type; // response: RCODE uint8_t response_type; // response: RCODE
uint16_t id; // DNS msg ID uint16_t id; // DNS msg ID
uint16_t host_offset; // for host uint16_t host_offset; // for host
uint16_t record_type; // query: QTYPE uint16_t record_type; // query: QTYPE
uint16_t options_offset; // offset at which DNS options such as EDNS begi n in DNS query
uint32_t ttl; // response: TTL uint32_t ttl; // response: TTL
char *host; // host (usually query, but could be response fo r reverse lookup) char *host; // host (usually query, but could be response fo r reverse lookup)
uint16_t options_offset; // offset at which DNS options such as EDNS begi n in DNS query
} dnsSession; } dnsSession;
struct _RNAServiceSubtype; struct _RNAServiceSubtype;
typedef enum
{
MATCHED_TLS_NONE = 0,
MATCHED_TLS_HOST,
MATCHED_TLS_FIRST_SAN,
MATCHED_TLS_CNAME,
MATCHED_TLS_ORG_UNIT
} MATCHED_TLS_TYPE;
typedef struct _tlsSession typedef struct _tlsSession
{ {
char *tls_host; char *tls_host;
int tls_host_strlen; int tls_host_strlen;
char *tls_cname;
int tls_cname_strlen; int tls_cname_strlen;
char *tls_cname;
char *tls_orgUnit; char *tls_orgUnit;
int tls_orgUnit_strlen; int tls_orgUnit_strlen;
int tls_first_san_strlen;
char *tls_first_san;
MATCHED_TLS_TYPE matched_tls_type;
bool tls_handshake_done;
} tlsSession; } tlsSession;
typedef struct AppIdData typedef struct AppIdData
{ {
tCommonAppIdData common; tCommonAppIdData common;
struct AppIdData *next; struct AppIdData *next;
void *ssn; void *ssn;
sfaddr_t service_ip; sfaddr_t service_ip;
uint16_t service_port; uint16_t service_port;
uint8_t proto; uint8_t proto;
uint8_t previous_tcp_flags; uint8_t previous_tcp_flags;
bool tried_reverse_service;
uint8_t tpReinspectByInitiator;
AppIdFlowData *flowData; AppIdFlowData *flowData;
/**AppId matching service side */ /**AppId matching service side */
tAppId serviceAppId; tAppId serviceAppId;
tAppId portServiceAppId; tAppId portServiceAppId;
/**RNAServiceElement for identifying detector*/ /**RNAServiceElement for identifying detector*/
const struct RNAServiceElement *serviceData; const struct RNAServiceElement *serviceData;
RNA_INSPECTION_STATE rnaServiceState; RNA_INSPECTION_STATE rnaServiceState;
FLOW_SERVICE_ID_STATE search_state;
char *serviceVendor; char *serviceVendor;
char *serviceVersion; char *serviceVersion;
struct _RNAServiceSubtype *subtype; struct _RNAServiceSubtype *subtype;
FLOW_SERVICE_ID_STATE search_state;
char *netbios_name; char *netbios_name;
SF_LIST * candidate_service_list; SF_LIST * candidate_service_list;
int got_incompatible_services; int got_incompatible_services;
/**AppId matching client side */ /**AppId matching client side */
tAppId clientAppId; tAppId clientAppId;
tAppId clientServiceAppId; tAppId clientServiceAppId;
RNA_INSPECTION_STATE rnaClientState;
char *clientVersion; char *clientVersion;
/**RNAClientAppModule for identifying client detector*/ /**RNAClientAppModule for identifying client detector*/
const struct RNAClientAppModule *clientData; const struct RNAClientAppModule *clientData;
RNA_INSPECTION_STATE rnaClientState;
SF_LIST * candidate_client_list; SF_LIST * candidate_client_list;
unsigned int num_candidate_clients_tried; unsigned int num_candidate_clients_tried;
bool tried_reverse_service;
/**AppId matching payload*/ /**AppId matching payload*/
tAppId payloadAppId; tAppId payloadAppId;
tAppId referredPayloadAppId; tAppId referredPayloadAppId;
tAppId miscAppId; tAppId miscAppId;
//appId determined by 3rd party library //appId determined by 3rd party library
tAppId tpAppId; tAppId tpAppId;
tAppId tpPayloadAppId; tAppId tpPayloadAppId;
char *username; char *username;
tAppId usernameService; tAppId usernameService;
char *netbiosDomain;
uint32_t flowId; uint32_t flowId;
char *netbiosDomain;
httpSession *hsession; httpSession *hsession;
tlsSession *tsession; tlsSession *tsession;
unsigned scan_flags; unsigned scan_flags;
#if RESPONSE_CODE_PACKET_THRESHHOLD #if RESPONSE_CODE_PACKET_THRESHHOLD
unsigned response_code_packets; unsigned response_code_packets;
#endif #endif
SFGHASH *multiPayloadList; SFGHASH *multiPayloadList;
tAppId referredAppId; tAppId referredAppId;
tAppId tmpAppId; tAppId tmpAppId;
void *tpsession; void *tpsession;
uint16_t init_tpPackets; uint16_t init_tpPackets;
uint16_t resp_tpPackets; uint16_t resp_tpPackets;
uint8_t tpReinspectByInitiator;
char *payloadVersion;
uint16_t session_packet_count; uint16_t session_packet_count;
uint16_t initiatorPcketCountWithoutReply; uint16_t initiatorPcketCountWithoutReply;
char *payloadVersion;
uint64_t initiatorBytesWithoutServerReply; uint64_t initiatorBytesWithoutServerReply;
int16_t snortId; int16_t snortId;
/* Length-based detectors. */ /* Length-based detectors. */
tLengthKey length_sequence; tLengthKey length_sequence;
bool is_http2;
//appIds picked from encrypted session.
struct {
tAppId serviceAppId;
tAppId clientAppId;
tAppId payloadAppId;
tAppId miscAppId;
tAppId referredAppId;
} encrypted;
// New fields introduced for DNS Blacklisting
struct struct
{ {
uint32_t firstPktsecond; uint32_t firstPktsecond;
uint32_t lastPktsecond; uint32_t lastPktsecond;
uint64_t initiatorBytes; uint64_t initiatorBytes;
uint64_t responderBytes; uint64_t responderBytes;
} stats; } stats;
/* Policy and rule ID for related flows (e.g. ftp-data) */ /* Policy and rule ID for related flows (e.g. ftp-data) */
struct AppIdData *expectedFlow; struct AppIdData *expectedFlow;
//struct FwEarlyData *fwData; //struct FwEarlyData *fwData;
//appIds picked from encrypted session.
struct {
tAppId serviceAppId;
tAppId clientAppId;
tAppId payloadAppId;
tAppId miscAppId;
tAppId referredAppId;
} encrypted;
// New fields introduced for DNS Blacklisting
dnsSession *dsession; dnsSession *dsession;
void * firewallEarlyData; void * firewallEarlyData;
tAppId pastIndicator; tAppId pastIndicator;
tAppId pastForecast; tAppId pastForecast;
bool is_http2;
SEARCH_SUPPORT_TYPE search_support_type; SEARCH_SUPPORT_TYPE search_support_type;
uint16_t hostCacheVersion; uint16_t hostCacheVersion;
#if !defined(SFLINUX) && defined(DAQ_CAPA_VRF) #if !defined(SFLINUX) && defined(DAQ_CAPA_VRF)
uint16_t serviceAsId; //This is specific to VRF uint16_t serviceAsId; //This is specific to VRF
#endif #endif
#if !defined(SFLINUX) && defined(DAQ_CAPA_CARRIER_ID) #if !defined(SFLINUX) && defined(DAQ_CAPA_CARRIER_ID)
uint32_t carrierId; uint32_t carrierId;
#endif #endif
} tAppIdData; } tAppIdData;
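Review bot: The fields added to `_tlsSession` (`tls_first_san`, `tls_first_san_strlen`, `matched_tls_type`, `tls_handshake_done`) carry no comment on ownership or meaning, while `tls_host`/`tls_cname`/`tls_orgUnit` already follow a pointer-plus-strlen convention that presumably implies heap ownership freed with the session; a one-line comment such as `char *tls_first_san;      /* first SAN from the server cert; owned by this session, freed with it */` would make the release path obvious to whoever next touches the free routine. Because only the first SAN is retained, any comparison of the SNI (`SCAN_SPOOFED_SNI_FLAG`) against `tls_first_san` can only see one of possibly many SANs, so a multi-SAN certificate whose matching name is not first may be reported as a mismatch; if that is the intended trade-off, documenting it next to `MATCHED_TLS_FIRST_SAN` would avoid it being read as a bug. The same lack of a comment applies to `is_tunnel` in `_httpSession` and to the two new `SCAN_*` flag bits at the top of the section. Note also that the reordering of members in `_httpSession`, `_tlsSession` and `AppIdData` changes the in-memory layout of structures a dynamic preprocessor hands to other modules, so anything built against the 2.9.16.1 header must be rebuilt; a short note in the commit description would help packagers.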
 End of changes. 40 change blocks. 
35 lines changed or deleted 49 lines changed or added
