appIdApi.h
1 /******************************************************************************
2  * Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
3  * Copyright (C) 2009-2013 Sourcefire, Inc.
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License Version 2 as
7  * published by the Free Software Foundation. You may not use, modify or
8  * distribute this program under any other version of the GNU General
9  * Public License.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
19  *
20  ******************************************************************************/
21 
22 #ifndef __APPID_API_H__
23 #define __APPID_API_H__
24 
25 #include "stdint.h"
26 #include "stdbool.h"
27 #include "ipv6_port.h"
28 #include "sfghash.h"
29 
/* Opaque per-flow AppId session; its layout lives in the implementation, not here. */
struct AppIdData;

/* Application identifier as returned by the AppIdApi getters further down. */
typedef int32_t tAppId;

/*
 * Session attribute flags. Each is one bit of a 64-bit word (bits 0..45 are
 * used), hence the 1ULL suffix; presumably read through
 * AppIdApi.getAppIdSessionAttribute(session, mask), which takes a uint64_t.
 * Flags without a comment are described only by their name in this header.
 */
#define APPID_SESSION_RESPONDER_MONITORED (1ULL << 0)
#define APPID_SESSION_INITIATOR_MONITORED (1ULL << 1)
#define APPID_SESSION_SPECIAL_MONITORED (1ULL << 2)
#define APPID_SESSION_INITIATOR_SEEN (1ULL << 3)
#define APPID_SESSION_RESPONDER_SEEN (1ULL << 4)
#define APPID_SESSION_DISCOVER_USER (1ULL << 5)
#define APPID_SESSION_HAS_DHCP_FP (1ULL << 6)
#define APPID_SESSION_HAS_DHCP_INFO (1ULL << 7)
#define APPID_SESSION_HAS_SMB_INFO (1ULL << 8)
#define APPID_SESSION_MID (1ULL << 9)
#define APPID_SESSION_OOO (1ULL << 10)
#define APPID_SESSION_SYN_RST (1ULL << 11)

 /**Service missed the first UDP packet in a flow. This causes detectors to see traffic in reverse direction.
 * Detectors should set this flag only after verifying that the packet from the initiator is indeed a packet from the responder.
 * Setting this flag without this check will cause RNA to not try other detectors in some cases (see bug 77551).*/
#define APPID_SESSION_UDP_REVERSED (1ULL << 12)
#define APPID_SESSION_HTTP_SESSION (1ULL << 13)

 /**Service protocol was detected */
#define APPID_SESSION_SERVICE_DETECTED (1ULL << 14)

 /**Finished with client app detection */
#define APPID_SESSION_CLIENT_DETECTED (1ULL << 15)
 /**Flow is a data connection not a service */
#define APPID_SESSION_NOT_A_SERVICE (1ULL << 16)

#define APPID_SESSION_DECRYPTED (1ULL << 17)
#define APPID_SESSION_SERVICE_DELETED (1ULL << 18)

 //The following attributes are referenced only in conjunction with an appId
 /**Continue calling the routine after the service has been identified. */
#define APPID_SESSION_CONTINUE (1ULL << 19)
 /**Call service detection even if the host does not exist */
#define APPID_SESSION_IGNORE_HOST (1ULL << 20)
 /**Service protocol had incompatible client data */
#define APPID_SESSION_INCOMPATIBLE (1ULL << 21)
 /**We are ready to see out-of-network server packets */
#define APPID_SESSION_CLIENT_GETS_SERVER_PACKETS (1ULL << 22)

#define APPID_SESSION_DISCOVER_APP (1ULL << 23)

#define APPID_SESSION_PORT_SERVICE_DONE (1ULL << 24)
#define APPID_SESSION_ADDITIONAL_PACKET (1ULL << 25)
#define APPID_SESSION_RESPONDER_CHECKED (1ULL << 26)
#define APPID_SESSION_INITIATOR_CHECKED (1ULL << 27)
#define APPID_SESSION_SSL_SESSION (1ULL << 28)
#define APPID_SESSION_LOGIN_SUCCEEDED (1ULL << 29)

#define APPID_SESSION_SPDY_SESSION (1ULL << 30)
#define APPID_SESSION_ENCRYPTED (1ULL << 31)

#define APPID_SESSION_APP_REINSPECT (1ULL << 32)
#define APPID_SESSION_RESPONSE_CODE_CHECKED (1ULL << 33)
#define APPID_SESSION_REXEC_STDERR (1ULL << 34)
#define APPID_SESSION_CHP_INSPECTING (1ULL << 35)
#define APPID_SESSION_STICKY_SERVICE (1ULL << 36)
#define APPID_SESSION_APP_REINSPECT_SSL (1ULL << 37)

#define APPID_SESSION_NO_TPI (1ULL << 38)
#define APPID_SESSION_IGNORE_FLOW (1ULL << 39)
#define APPID_SESSION_IGNORE_FLOW_LOGGED (1ULL << 40)

#define APPID_SESSION_EXPECTED_EVALUATE (1ULL << 41)
#define APPID_SESSION_HOST_CACHE_MATCHED (1ULL << 42)
#define APPID_SESSION_OOO_CHECK_TP (1ULL << 43)

#define APPID_SESSION_HTTP_TUNNEL (1ULL << 44)
#define APPID_SESSION_HTTP_CONNECT (1ULL << 45)

/* Flags whose presence means application identification for the flow is
 * already settled or deliberately skipped. Presumably tested as one mask by
 * the detectors to avoid re-running identification -- confirm against callers. */
#define APPID_SESSION_IGNORE_ID_FLAGS (APPID_SESSION_IGNORE_FLOW | \
 APPID_SESSION_NOT_A_SERVICE | \
 APPID_SESSION_NO_TPI | \
 APPID_SESSION_SERVICE_DETECTED | \
 APPID_SESSION_PORT_SERVICE_DONE)
109 
110 typedef enum
111 {
116 
117 typedef struct _RNAServiceSubtype
118 {
120  const char *service;
121  const char *vendor;
122  const char *version;
124 
/* Byte capacities of the DHCP fingerprint buffers for option 55 (parameter
 * request list) and option 60 (vendor class identifier). Presumably the
 * sizes of the op55/op60 arrays in DhcpFPData -- any copy into those arrays
 * must be bounded by these values, since the option data comes off the wire. */
#define DHCP_OP55_MAX_SIZE 64
#define DHCP_OP60_MAX_SIZE 64
127 
128 typedef struct _DHCP_FP_DATA
129 {
131  unsigned op55_len;
132  unsigned op60_len;
137 
138 typedef struct _DHCPInfo
139 {
140  struct _DHCPInfo *next;
147 
148 typedef struct _FpSMBData
149 {
150  struct _FpSMBData *next;
151  unsigned major;
152  unsigned minor;
155 
//maximum number of appIds replicated for a flow/session
#define APPID_HA_SESSION_APP_NUM_MAX 8
/* Bit flags saying which parts of a replicated HA record are present.
 * Plain int shifts are fine for these low bits; presumably stored in the
 * flags field of AppIdSessionHA (its definition is not shown here). */
#define APPID_HA_FLAGS_APP (1<<0)
#define APPID_HA_FLAGS_TP_DONE (1<<1)
#define APPID_HA_FLAGS_SVC_DONE (1<<2)
#define APPID_HA_FLAGS_HTTP (1<<3)
162 
163 typedef struct _AppIdSessionHA
164 {
168 
169 typedef enum
170 {
176 
177 typedef enum
178 {
190 
191 /*******************************************************************************
192  * AppId API
193  ******************************************************************************/
/*
 * Table of function pointers through which the rest of Snort talks to AppId.
 * Every getter takes the per-flow AppIdData session; none of them documents
 * NULL handling here, so callers should assume a valid session is required.
 */
struct AppIdApi
{
    /* Name <-> id lookup. No release routine is declared for the returned
     * name, so presumably the API owns it and the caller must not free it. */
    const char * (*getApplicationName)(int32_t appId);
    tAppId (*getApplicationId)(const char *appName);

    /* Per-category application ids for a session (service, port-based
     * service, misc, client, payload, referred). The Fw* variants sit next
     * to the plain ones; what distinguishes them is not stated in this
     * header -- check the implementation before relying on either. */
    tAppId (*getServiceAppId)(struct AppIdData *session);
    tAppId (*getPortServiceAppId)(struct AppIdData *session);
    tAppId (*getOnlyServiceAppId)(struct AppIdData *session);
    tAppId (*getMiscAppId)(struct AppIdData *session);
    tAppId (*getClientAppId)(struct AppIdData *session);
    tAppId (*getPayloadAppId)(struct AppIdData *session);
    tAppId (*getReferredAppId)(struct AppIdData *session);
    tAppId (*getFwServiceAppId)(struct AppIdData *session);
    tAppId (*getFwMiscAppId)(struct AppIdData *session);
    tAppId (*getFwClientAppId)(struct AppIdData *session);
    tAppId (*getFwPayloadAppId)(struct AppIdData *session);
    tAppId (*getFwReferredAppId)(struct AppIdData *session);
    /* Hash of payload ids for the session; ownership is not stated here. */
    SFGHASH*(*getFwMultiPayloadList)(struct AppIdData *session);

    bool (*isSessionSslDecrypted)(struct AppIdData *session);
    bool (*isAppIdAvailable)(struct AppIdData *session);

    /* User name attributed to the session; *service and *isLoginSuccessful
     * are out-parameters. The name presumably originates in the inspected
     * traffic, so treat it as untrusted input when logging or matching. */
    char* (*getUserName)(struct AppIdData *session, tAppId *service, bool *isLoginSuccessful);
    char* (*getClientVersion)(struct AppIdData *session);

    /* Reads session attribute bits; flag is a mask of APPID_SESSION_* values. */
    uint64_t (*getAppIdSessionAttribute)(struct AppIdData *session, uint64_t flag);

    APPID_FLOW_TYPE (*getFlowType)(struct AppIdData *session);
    /* Fills the three out-parameters; who owns the strings is not stated here. */
    void (*getServiceInfo)(struct AppIdData *session, char **serviceVendor, char **serviceVersion, RNAServiceSubtype **subtype);
    /* NOTE(review): returns short, so a port >= 32768 can read as negative;
     * widen through uint16_t before comparing or printing. */
    short (*getServicePort)(struct AppIdData *session);
    sfaddr_t* (*getServiceIp)(struct AppIdData *session);
    struct in6_addr* (*getInitiatorIp)(struct AppIdData *session);

    /* HTTP request/response fields. These presumably come straight from the
     * inspected traffic, i.e. they are attacker-controlled: validate before
     * logging and do not assume a length bound. Only freeHttpNewField below
     * is declared as a release routine, so confirm ownership of these
     * pointers against the implementation before keeping them past the
     * current packet. Offsets are uint16_t; what they index is not shown here. */
    char* (*getHttpUserAgent)(struct AppIdData *session);
    char* (*getHttpHost)(struct AppIdData *session);
    char* (*getHttpUrl)(struct AppIdData *session);
    char* (*getHttpReferer)(struct AppIdData *session);
    char* (*getHttpNewUrl)(struct AppIdData *session);
    char* (*getHttpUri)(struct AppIdData *session);
    char* (*getHttpResponseCode)(struct AppIdData *session);
    char* (*getHttpCookie)(struct AppIdData *session);
    char* (*getHttpNewCookie)(struct AppIdData *session);
    char* (*getHttpContentType)(struct AppIdData *session);
    char* (*getHttpLocation)(struct AppIdData *session);
    char* (*getHttpBody)(struct AppIdData *session);
    char* (*getHttpReqBody)(struct AppIdData *session);
    uint16_t (*getHttpUriOffset)(struct AppIdData *session);
    /* NOTE(review): presumably the X-Forwarded-For address. That header is
     * supplied by the client side of the connection, so it must not be used
     * as the authoritative peer address for policy decisions. */
    sfaddr_t* (*getHttpXffAddr)(struct AppIdData *session);

    /* Host name seen in the TLS exchange -- TODO confirm source (SNI vs. certificate). */
    char* (*getTlsHost)(struct AppIdData *session);

    /* DHCP and SMB fingerprint data. Each getter has a paired free routine
     * taking the session and the returned pointer, which suggests the caller
     * takes ownership and must release it that way -- confirm. */
    DhcpFPData* (*getDhcpFpData)(struct AppIdData *session);
    void (*freeDhcpFpData)(struct AppIdData *session, DhcpFPData *data);
    DHCPInfo* (*getDhcpInfo)(struct AppIdData *session);
    void (*freeDhcpInfo)(struct AppIdData *session, DHCPInfo *data);
    FpSMBData* (*getSmbFpData)(struct AppIdData *session);
    void (*freeSmbFpData)(struct AppIdData *session, FpSMBData *data);
    char* (*getNetbiosName)(struct AppIdData *session);
    /* High-availability state (de)serialisation for the session behind lwssn.
     * NOTE(review): produceHAState receives no buffer capacity, so the caller
     * must size buf for the largest record the implementation writes.
     * consumeHAState bounds the record with a uint8_t length (at most 255
     * bytes); the implementation must check that length against the expected
     * layout before reading buf, since the record presumably arrives from an
     * HA peer rather than from local code. Both return a uint32_t whose
     * meaning is not documented here. */
    uint32_t (*produceHAState)(void *lwssn, uint8_t *buf);
    uint32_t (*consumeHAState)(void *lwssn, const uint8_t *buf, uint8_t length, uint8_t proto, const struct in6_addr* ip, uint16_t initiatorPort);
    /* Maps a stream-layer session handle to its AppId session (may be NULL -- TODO confirm). */
    struct AppIdData * (*getAppIdData)(void *lwssn);
    int (*getAppIdSessionPacketCount)(struct AppIdData *appIdData);

    /* DNS details. query_len is a uint8_t out-parameter, so the reported
     * length is capped at 255; got_response presumably reports whether an
     * answer was observed. The query string comes from the wire -- untrusted. */
    char* (*getDNSQuery)(struct AppIdData *appIdData, uint8_t *query_len, bool *got_response);
    uint16_t (*getDNSQueryoffset)(struct AppIdData *appIdData);
    uint16_t (*getDNSRecordType)(struct AppIdData *appIdData);
    uint8_t (*getDNSResponseType)(struct AppIdData *appIdData);
    uint32_t (*getDNSTTL)(struct AppIdData *appIdData);
    uint16_t (*getDNSOptionsOffset)(struct AppIdData *appIdData);
    /* Generic HTTP field access keyed by HTTP_FIELD_ID; freeHttpNewField is
     * presumably the release routine for a value obtained via getHttpNewField. */
    char* (*getHttpNewField)(struct AppIdData *session, HTTP_FIELD_ID fieldId);
    void (*freeHttpNewField)(struct AppIdData *appIdData, HTTP_FIELD_ID fieldId);
    uint16_t (*getHttpFieldOffset)(struct AppIdData *session, HTTP_FIELD_ID fieldId);
    bool (*isHttpInspectionDone)(struct AppIdData *session);
    /* Debug aid with no inputs; where it writes its output is not defined here. */
    void (*dumpDebugHostInfo)(void);
};
275 
/* For access when including header */
/* The single global API table. Only declared here: it is defined and its
 * function pointers populated in a source file elsewhere in the project, and
 * consumers call through it rather than into the implementation directly. */
extern struct AppIdApi appIdApi;

/* Build-time test switches, intentionally left disabled. Per the notes on
 * the lines, they change behaviour in service_base.c and fw_appid.c and are
 * meant for test builds only. */
//#define UNIT_TESTING // NOTE These testing #define's are used in service_base.c and fw_appid.c
//#define UNIT_TEST_FIRST_DECRYPTED_PACKET 12 // WARNING this assumes a single stream in a decrypted pcap
281 
282 #endif /* __APPID_API_H__ */
283 