
flow.h
1 /*
2 ** Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
3 ** Copyright (C) 2005-2013 Sourcefire, Inc.
4 **
5 ** This program is free software; you can redistribute it and/or modify
6 ** it under the terms of the GNU General Public License Version 2 as
7 ** published by the Free Software Foundation. You may not use, modify or
8 ** distribute this program under any other version of the GNU General
9 ** Public License.
10 **
11 ** This program is distributed in the hope that it will be useful,
12 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
13 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 ** GNU General Public License for more details.
15 **
16 ** You should have received a copy of the GNU General Public License
17 ** along with this program; if not, write to the Free Software
18 ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
19 */
20 
21 
22 #ifndef _APPID_SESSION_H
23 #define _APPID_SESSION_H
24 
25 #include <stdint.h>
26 #include <time.h>
27 #include "sf_snort_packet.h"
28 #include "flow_error.h"
29 #include "appId.h"
30 #include "appIdApi.h"
31 #include "service_state.h"
32 #include "lengthAppCache.h"
33 #include "thirdparty_appid_api.h"
34 #include "thirdparty_appid_types.h"
35 #include "sflsq.h"
36 #include "sfghash.h"
37 
38 #define SF_DEBUG_FILE stdout
39 #define NUMBER_OF_PTYPES 9
40 
41 #define APPID_SESSION_DATA_NONE 0
42 
43 #define APPID_SESSION_DATA_DHCP_FP_DATA 2
44 #define APPID_SESSION_DATA_SMB_DATA 4
45 #define APPID_SESSION_DATA_DHCP_INFO 5
46 
47 #define APPID_SESSION_DATA_SERVICE_MODSTATE_BIT 0x20000000
48 #define APPID_SESSION_DATA_CLIENT_MODSTATE_BIT 0x40000000
49 #define APPID_SESSION_DATA_DETECTOR_MODSTATE_BIT 0x80000000
50 
51 #define APPID_SESSION_BIDIRECTIONAL_CHECKED (APPID_SESSION_INITIATOR_CHECKED | APPID_SESSION_RESPONDER_CHECKED)
52 #define APPID_SESSION_DO_RNA (APPID_SESSION_RESPONDER_MONITORED | APPID_SESSION_INITIATOR_MONITORED | APPID_SESSION_DISCOVER_USER | APPID_SESSION_SPECIAL_MONITORED)
53 struct RNAServiceElement;
54 
55 typedef enum
56 {
62 typedef void (*AppIdFreeFCN)(void *);
63 
64 #define FINGERPRINT_UDP_FLAGS_XENIX 0x00000800
65 #define FINGERPRINT_UDP_FLAGS_NT 0x00001000
66 #define FINGERPRINT_UDP_FLAGS_MASK (FINGERPRINT_UDP_FLAGS_XENIX | FINGERPRINT_UDP_FLAGS_NT)
67 
68 
69 typedef struct _AppIdFlowData
70 {
72  unsigned fd_id;
73  void *fd_data;
76 
77 #define APPID_SESSION_TYPE_IGNORE APPID_FLOW_TYPE_IGNORE
78 #define APPID_SESSION_TYPE_NORMAL APPID_FLOW_TYPE_NORMAL
79 #define APPID_SESSION_TYPE_TMP APPID_FLOW_TYPE_TMP
80 
82 {
85 
86 typedef struct _tCommonAppIdData
87 {
88  APPID_SESSION_STRUCT_FLAG fsf_type; /* This must be first. */
89  unsigned policyId;
90  //flags shared with other preprocessor via session attributes.
91  uint64_t flags;
92  struct in6_addr initiator_ip;
95 
96 typedef struct _tTmpAppIdData
97 {
99 
102 
103 #define SCAN_HTTP_VIA_FLAG (1<<0)
104 #define SCAN_HTTP_USER_AGENT_FLAG (1<<1)
105 #define SCAN_HTTP_HOST_URL_FLAG (1<<2)
106 #define SCAN_SSL_CERTIFICATE_FLAG (1<<3)
107 #define SCAN_SSL_HOST_FLAG (1<<4)
108 #define SCAN_HOST_PORT_FLAG (1<<5)
109 #define SCAN_HTTP_VENDOR_FLAG (1<<6)
110 #define SCAN_HTTP_XWORKINGWITH_FLAG (1<<7)
111 #define SCAN_HTTP_CONTENT_TYPE_FLAG (1<<8)
112 #define SCAN_HTTP_URI_FLAG (1<<9)
113 #define SCAN_CERTVIZ_ENABLED_FLAG (1<<10)
114 #define SCAN_SPOOFED_SNI_FLAG (1<<11)
115 
116 typedef struct _fflow_info
117 {
126 
127 typedef struct _httpFields
128 {
129  char *str;
131 
132 typedef struct _tunnelDest
133 {
137 
138 typedef struct _httpSession
139 {
140  char *host;
141  char *url;
142  char *uri;
147  char *via;
148  char *useragent;
150  char *referer;
155  char *cookie;
157  char *location;
158  char *body;
162  char *req_body;
163  char *server;
166 
170 
172  bool skip_simple_detect; // Flag to indicate if simple detection of client ID, payload ID, etc
173  // should be skipped
175 
181  unsigned app_type_flags;
189  bool is_tunnel;
190 
191 #if RESPONSE_CODE_PACKET_THRESHHOLD
192  unsigned response_code_packets;
193 #endif
194 
196 
197 // For dnsSession.state:
198 #define DNS_GOT_QUERY 0x01
199 #define DNS_GOT_RESPONSE 0x02
200 
201 typedef struct _dnsSession
202 {
203  uint8_t state; // state
204  uint8_t host_len; // for host
205  uint8_t response_type; // response: RCODE
206  uint16_t id; // DNS msg ID
207  uint16_t host_offset; // for host
208  uint16_t record_type; // query: QTYPE
209  uint16_t options_offset; // offset at which DNS options such as EDNS begin in DNS query
210  uint32_t ttl; // response: TTL
211  char *host; // host (usually query, but could be response for reverse lookup)
213 
214 struct _RNAServiceSubtype;
215 
216 typedef enum
217 {
224 
225 typedef struct _tlsSession
226 {
227  char *tls_host;
230  char *tls_cname;
231  char *tls_orgUnit;
238 
239 typedef struct AppIdData
240 {
242 
243  struct AppIdData *next;
244 
245  void *ssn;
252 
254 
255  /**AppId matching service side */
258  /**RNAServiceElement for identifying detector*/
268 
269  /**AppId matching client side */
274  /**RNAClientAppModule for identifying client detector*/
278 
279  /**AppId matching payload*/
283 
284  //appId determined by 3rd party library
287 
288  char *username;
290 
293 
294 
297 
298  unsigned scan_flags;
299 #if RESPONSE_CODE_PACKET_THRESHHOLD
300  unsigned response_code_packets;
301 #endif
302 
304 
306 
308  void *tpsession;
311 
317 
318  /* Length-based detectors. */
320  bool is_http2;
321  //appIds picked from encrypted session.
322  struct {
329  // New fields introduced for DNS Blacklisting
330 
331  struct
332  {
335  uint64_t initiatorBytes;
336  uint64_t responderBytes;
337  } stats;
338 
339  /* Policy and rule ID for related flows (e.g. ftp-data) */
341  //struct FwEarlyData *fwData;
342 
344 
348 
350 
352 #if !defined(SFLINUX) && defined(DAQ_CAPA_VRF)
353  uint16_t serviceAsId; //This is specific to VRF
354 #endif
355 #if !defined(SFLINUX) && defined(DAQ_CAPA_CARRIER_ID)
356  uint32_t carrierId;
357 #endif
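/**
 * Set one or more flag bits on a flow.
 *
 * The bits live in the session's shared flag word (common.flags), which
 * other preprocessors read through session attributes, so a bit set here is
 * visible beyond AppId.
 *
 * @param flow   AppId session to update; must be non-NULL (it is dereferenced
 *               without a check).
 * @param flags  Bitmask of flag bits to OR into the flow. Bits already set
 *               are left as they are.
 */
static inline void setAppIdFlag(tAppIdData *flow, uint64_t flags)
{
    flow->common.flags |= flags;
}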
369 
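/**
 * Clear one or more flag bits on a flow.
 *
 * This is the inverse of setAppIdFlag(): the requested bits are removed from
 * the session's shared flag word (common.flags); all other bits are kept.
 *
 * @param flow   AppId session to update; must be non-NULL (it is dereferenced
 *               without a check).
 * @param flags  Bitmask of flag bits to clear. Bits not set are unaffected.
 */
static inline void clearAppIdFlag(tAppIdData *flow, uint64_t flags)
{
    flow->common.flags &= ~flags;
}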
380 
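/**
 * Test which of the given flag bits are set on a flow.
 *
 * @param flow   AppId session to inspect; it is only read, hence const.
 * @param flags  Bitmask of flag bits to test.
 * @return The subset of @p flags that is currently set on the flow. The
 *         result is non-zero as soon as ANY requested bit is set, so with a
 *         multi-bit mask (e.g. APPID_SESSION_BIDIRECTIONAL_CHECKED) a truthy
 *         result does not mean all bits are set; callers needing "all of"
 *         semantics must compare the return value against @p flags.
 */
static inline uint64_t getAppIdFlag(const tAppIdData *flow, uint64_t flags)
{
    return flow->common.flags & flags;
}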
391 
/*
 * Per-flow data registry (implemented in flow.c). Entries are keyed by an
 * unsigned id and carry a void * payload plus an AppIdFreeFCN release callback
 * (see _AppIdFlowData above: fd_id, fd_data). The comments below describe the
 * contract as far as this header shows it; points marked "confirm" are
 * inferred from names and signatures, not from visible code.
 */

/* Release every data entry attached to flowp. Presumably invokes each entry's
 * release callback on its payload — confirm against flow.c before relying on it. */
void AppIdFlowdataFree(tAppIdData *flowp);

/* Module-level teardown; takes no flow, so presumably frees shared state. */
void AppIdFlowdataFini(void);

/* Look up the payload registered under id. Assumed to return NULL when no
 * entry matches — verify against flow.c. */
void *AppIdFlowdataGet(tAppIdData *flowp, unsigned id);

/* Register data under id with fcn as its release callback.
 * NOTE(review): this reads as an ownership transfer — once added, data should
 * be released only through this registry (Remove/Delete/Free), never also
 * freed directly by the caller, or a double free results. The int return is a
 * status whose convention is not visible here. Confirm both against flow.c. */
int AppIdFlowdataAdd(tAppIdData *flowp, void *data, unsigned id, AppIdFreeFCN fcn);

/* Detach the entry for id and hand its payload back. Because the payload is
 * returned, the release callback is presumably NOT run and ownership returns
 * to the caller — confirm against flow.c. */
void *AppIdFlowdataRemove(tAppIdData *flowp, unsigned id);

/* Remove the entry for id; nothing is returned, so the payload is presumably
 * released via its callback here — confirm against flow.c. */
void AppIdFlowdataDelete(tAppIdData *flowp, unsigned id);

/* Delete every entry whose id matches mask. The APPID_SESSION_DATA_*_MODSTATE_BIT
 * values defined above look like the intended mask bits — confirm. */
void AppIdFlowdataDeleteAllByMask(tAppIdData *flowp, unsigned mask);
400  sfaddr_t *srvIp, uint16_t srvPort, uint8_t proto, int16_t app_id, int flags);
401 struct RNAServiceElement;
403 
404 #endif /* _APPID_SESSION_H */
405 