
    1 /*
    2 ** Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
    3 ** Copyright (C) 2005-2013 Sourcefire, Inc.
    4 **
    5 ** This program is free software; you can redistribute it and/or modify
    6 ** it under the terms of the GNU General Public License Version 2 as
    7 ** published by the Free Software Foundation.  You may not use, modify or
    8 ** distribute this program under any other version of the GNU General
    9 ** Public License.
   10 **
   11 ** This program is distributed in the hope that it will be useful,
   12 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
   13 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   14 ** GNU General Public License for more details.
   15 **
   16 ** You should have received a copy of the GNU General Public License
   17 ** along with this program; if not, write to the Free Software
   18 ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
   19 */
   20 
   21 
   22 #ifndef _APPID_SESSION_H
   23 #define _APPID_SESSION_H
   24 
   25 #include <stdint.h>
   26 #include <time.h>
   27 #include "sf_snort_packet.h"
   28 #include "flow_error.h"
   29 #include "appId.h"
   30 #include "appIdApi.h"
   31 #include "service_state.h"
   32 #include "lengthAppCache.h"
   33 #include "thirdparty_appid_api.h"
   34 #include "thirdparty_appid_types.h"
   35 #include "sflsq.h"
   36 #include "sfghash.h"
   37 
/* Stream used for AppId debug output.
 * NOTE(review): stdout is declared in <stdio.h>, which this header does not
 * include itself; users of SF_DEBUG_FILE rely on it being included earlier. */
#define SF_DEBUG_FILE   stdout
/* Number of pattern types tracked per HTTP session (sizes httpSession.ptype_req_counts). */
#define NUMBER_OF_PTYPES    9

/* Ids for the per-flow data items attached with AppIdFlowdataAdd() and looked
 * up with AppIdFlowdataGet(). Ids 1 and 3 are not defined in this header;
 * presumably allocated elsewhere — confirm before reusing them. */
#define APPID_SESSION_DATA_NONE                  0

#define APPID_SESSION_DATA_DHCP_FP_DATA          2
#define APPID_SESSION_DATA_SMB_DATA              4
#define APPID_SESSION_DATA_DHCP_INFO             5

/* High bits of a flow-data id, presumably identifying the owning module
 * (service / client / detector). The DETECTOR bit is 0x80000000, so ids and
 * masks must be handled as unsigned (AppIdFlowData.fd_id and the mask of
 * AppIdFlowdataDeleteAllByMask are both unsigned). */
#define APPID_SESSION_DATA_SERVICE_MODSTATE_BIT  0x20000000
#define APPID_SESSION_DATA_CLIENT_MODSTATE_BIT   0x40000000
#define APPID_SESSION_DATA_DETECTOR_MODSTATE_BIT 0x80000000

/* Composite masks over the APPID_SESSION_* flag bits used in
 * tCommonAppIdData.flags; the individual bits are declared outside this header. */
#define APPID_SESSION_BIDIRECTIONAL_CHECKED  (APPID_SESSION_INITIATOR_CHECKED | APPID_SESSION_RESPONDER_CHECKED)
#define APPID_SESSION_DO_RNA (APPID_SESSION_RESPONDER_MONITORED | APPID_SESSION_INITIATOR_MONITORED | APPID_SESSION_DISCOVER_USER | APPID_SESSION_SPECIAL_MONITORED)
struct RNAServiceElement;
   54 
/* Progress of RNA inspection for one side of a flow; stored in
 * tAppIdData.rnaServiceState and tAppIdData.rnaClientState. */
typedef enum
{
    RNA_STATE_NONE = 0,     /* presumably: inspection not started */
    RNA_STATE_DIRECT,
    RNA_STATE_STATEFUL,
    RNA_STATE_FINISHED      /* presumably: no further inspection on this side */
} RNA_INSPECTION_STATE;
/* Destructor for data attached to a flow through AppIdFlowdataAdd();
 * it receives the AppIdFlowData.fd_data pointer. */
typedef void (*AppIdFreeFCN)(void *);
   63 
/* UDP fingerprint flag bits; MASK covers exactly the two bits defined here. */
#define FINGERPRINT_UDP_FLAGS_XENIX 0x00000800
#define FINGERPRINT_UDP_FLAGS_NT    0x00001000
#define FINGERPRINT_UDP_FLAGS_MASK  (FINGERPRINT_UDP_FLAGS_XENIX | FINGERPRINT_UDP_FLAGS_NT)
   67 
   68 
/* One item of detector-private data attached to a flow (tAppIdData.flowData).
 * Items form a singly linked list and are addressed by fd_id
 * (see AppIdFlowdataGet / AppIdFlowdataRemove / AppIdFlowdataDelete). */
typedef struct _AppIdFlowData
{
    struct _AppIdFlowData *next;  /* next item in the flow's list */
    unsigned fd_id;               /* APPID_SESSION_DATA_* id; presumably may carry a *_MODSTATE_BIT — confirm */
    void *fd_data;                /* payload owned by this item; released through fd_free */
    AppIdFreeFCN fd_free;         /* destructor for fd_data (whether NULL is permitted is not shown here) */
} AppIdFlowData;
   76 
/* Session-type aliases for the APPID_FLOW_TYPE values stored in
 * APPID_SESSION_STRUCT_FLAG.flow_type (APPID_FLOW_TYPE is declared elsewhere). */
#define APPID_SESSION_TYPE_IGNORE   APPID_FLOW_TYPE_IGNORE
#define APPID_SESSION_TYPE_NORMAL   APPID_FLOW_TYPE_NORMAL
#define APPID_SESSION_TYPE_TMP      APPID_FLOW_TYPE_TMP
   80 
/* Leading member of every AppId session variant (via tCommonAppIdData).
 * Presumably read first to tell tTmpAppIdData from tAppIdData before the
 * rest of the record is interpreted — confirm in the consumers. */
typedef struct _APPID_SESSION_STRUCT_FLAG
{
    APPID_FLOW_TYPE flow_type;
} APPID_SESSION_STRUCT_FLAG;
   85 
/* Fields shared by both session variants. tTmpAppIdData and tAppIdData each
 * begin with this struct, so these fields can be read through a
 * tCommonAppIdData pointer regardless of which variant is being handled. */
typedef struct _tCommonAppIdData
{
    APPID_SESSION_STRUCT_FLAG fsf_type;  /* This must be first. */
    unsigned policyId;
    // Flags shared with other preprocessors via session attributes
    // (APPID_SESSION_* bits; manipulated with setAppIdFlag/clearAppIdFlag/getAppIdFlag).
    uint64_t flags;
    struct in6_addr initiator_ip;        // how IPv4 initiators are encoded in in6_addr is not shown here
    uint16_t initiator_port;             // byte order not shown here — confirm against producers
} tCommonAppIdData;
   95 
/* Minimal session record; shares its leading tCommonAppIdData with tAppIdData.
 * Presumably used for APPID_SESSION_TYPE_TMP flows — confirm. */
typedef struct _tTmpAppIdData
{
    tCommonAppIdData common;        /* must stay first (see tCommonAppIdData) */

    struct _tTmpAppIdData *next;    /* free-list / chain link (usage not shown here) */
} tTmpAppIdData;
  102 
/* Bits recording which HTTP/SSL/host fields still need (or have had) a scan;
 * presumably held in tAppIdData.scan_flags (unsigned, so all 12 bits fit). */
#define SCAN_HTTP_VIA_FLAG          (1<<0)
#define SCAN_HTTP_USER_AGENT_FLAG   (1<<1)
#define SCAN_HTTP_HOST_URL_FLAG     (1<<2)
#define SCAN_SSL_CERTIFICATE_FLAG   (1<<3)
#define SCAN_SSL_HOST_FLAG          (1<<4)
#define SCAN_HOST_PORT_FLAG         (1<<5)
#define SCAN_HTTP_VENDOR_FLAG       (1<<6)
#define SCAN_HTTP_XWORKINGWITH_FLAG (1<<7)
#define SCAN_HTTP_CONTENT_TYPE_FLAG (1<<8)
#define SCAN_HTTP_URI_FLAG          (1<<9)
#define SCAN_CERTVIZ_ENABLED_FLAG   (1<<10)
#define SCAN_SPOOFED_SNI_FLAG       (1<<11)   /* SNI did not match the certificate (assumed from the name) */
  115 
/* Five-tuple plus appId describing a flow derived from an HTTP session
 * (referenced from httpSession.fflow). Addresses are uint32_t, i.e. IPv4 only;
 * byte order of the address/port fields is not shown in this header. */
typedef struct _fflow_info
{
    uint32_t sip;
    uint32_t dip;
    uint16_t sport;
    uint16_t dport;
    uint8_t protocol;
    tAppId appId;
    int flow_prepared;      /* non-zero once the flow has been set up (assumed) */
} fflow_info;
  126 
/* Wrapper for a single rewritable HTTP header value. Ownership of str is not
 * shown here — confirm who frees it. */
typedef struct _httpFields
{
    char *str;
} HttpRewriteableFields;
  131 
/* Destination of a tunnelled HTTP connection (httpSession.tunDest, valid when is_tunnel is set). */
typedef struct _tunnelDest
{
    sfaddr_t ip;
    uint16_t port;      /* byte order not shown here */
} tunnelDest;
  137 
/* Per-flow HTTP state: extracted request/response fields plus chp_* and
 * scan bookkeeping. Each char* field below has a companion *_buflen that
 * records its length; consumers should bound reads by that length rather than
 * assume NUL termination — confirm against the producers in the .c files. */
typedef struct _httpSession
{
    char *host;
    char *url;
    char *uri;
    uint16_t host_buflen;
    uint16_t uri_buflen;
    uint16_t useragent_buflen;
    uint16_t response_code_buflen;
    char *via;
    char *useragent;
    char *response_code;
    char *referer;
    uint16_t referer_buflen;
    uint16_t cookie_buflen;
    uint16_t content_type_buflen;
    uint16_t location_buflen;
    char *cookie;
    char *content_type;
    char *location;
    char *body;
    uint16_t body_buflen;
    uint16_t req_body_buflen;
    int total_found;
    char *req_body;
    char *server;
    char *x_working_with;
    /* Per-field arrays indexed by HTTP field id. Each holds HTTP_FIELD_MAX+1
     * entries, so any index must be <= HTTP_FIELD_MAX (defined outside this header). */
    char *new_field[HTTP_FIELD_MAX+1];

    uint16_t new_field_len[HTTP_FIELD_MAX+1];
    uint16_t fieldOffset[HTTP_FIELD_MAX+1];
    uint16_t fieldEndOffset[HTTP_FIELD_MAX+1];

    bool new_field_contents;    // Set once new_field[] carries replacement content (assumed)
    bool skip_simple_detect;    // Flag to indicate if simple detection of client ID, payload ID, etc
                                // should be skipped
    fflow_info *fflow;          // Derived flow description, see fflow_info

    /* chp_* state (pattern-based detection bookkeeping). */
    int chp_finished;
    tAppId chp_candidate;
    tAppId chp_alt_candidate;
    int chp_hold_flow;
    int ptype_req_counts[NUMBER_OF_PTYPES];  // One counter per pattern type
    unsigned app_type_flags;
    int get_offsets_from_rebuilt;
    int num_matches;
    int num_scans;
    int numXffFields;           // Element count of xffAddr / xffPrecedence (assumed)
    sfaddr_t* xffAddr;
    char** xffPrecedence;
    tunnelDest *tunDest;        // Valid when is_tunnel is set (assumed)
    bool is_tunnel;

#if RESPONSE_CODE_PACKET_THRESHHOLD
    unsigned response_code_packets;
#endif

} httpSession;
  196 
// Bits for dnsSession.state: which halves of the DNS exchange have been seen.
#define DNS_GOT_QUERY    0x01
#define DNS_GOT_RESPONSE 0x02
  200 
/* Per-flow DNS state (tAppIdData.dsession). Offsets are into the DNS message
 * as parsed by the DNS detector (not shown here). */
typedef struct _dnsSession
{
    uint8_t   state;            // DNS_GOT_QUERY / DNS_GOT_RESPONSE bits
    uint8_t   host_len;         // length of host; uint8_t, so a value above 255 cannot be represented —
                                // presumably fine for DNS names, but confirm producers clamp
    uint8_t   response_type;    // response: RCODE
    uint16_t  id;               // DNS msg ID
    uint16_t  host_offset;      // offset of the host name within the message
    uint16_t  record_type;      // query: QTYPE
    uint16_t  options_offset;   // offset at which DNS options such as EDNS begin in DNS query
    uint32_t  ttl;              // response: TTL
    char     *host;             // host (usually query, but could be response for reverse lookup); ownership not shown here
} dnsSession;
  213 
struct _RNAServiceSubtype;

/* Which TLS certificate/handshake field produced the match recorded in
 * tlsSession.matched_tls_type. */
typedef enum
{
    MATCHED_TLS_NONE = 0,
    MATCHED_TLS_HOST,           /* tls_host (SNI, presumably) */
    MATCHED_TLS_FIRST_SAN,      /* tls_first_san */
    MATCHED_TLS_CNAME,          /* tls_cname */
    MATCHED_TLS_ORG_UNIT        /* tls_orgUnit */
} MATCHED_TLS_TYPE;
  224 
/* Per-flow TLS state (tAppIdData.tsession). Each string has a companion
 * *_strlen holding its length as a signed int; consumers should treat the
 * length, not NUL termination, as authoritative — confirm in producers. */
typedef struct _tlsSession
{
    char *tls_host;
    int   tls_host_strlen;
    int   tls_cname_strlen;
    char *tls_cname;
    char *tls_orgUnit;
    int   tls_orgUnit_strlen;
    int   tls_first_san_strlen;
    char *tls_first_san;
    MATCHED_TLS_TYPE matched_tls_type;  /* which of the fields above matched; see MATCHED_TLS_TYPE */
    bool  tls_handshake_done;
} tlsSession;
  238 
/* Full AppId session record, one per tracked flow. Begins with
 * tCommonAppIdData (as tTmpAppIdData does) so the common part can be read
 * without knowing which variant a pointer refers to. Owned sub-structures
 * (hsession, tsession, dsession, flowData, ...) are presumably released by
 * AppIdFlowdataFree and the session destructor — confirm in flow.c. */
typedef struct AppIdData
{
    tCommonAppIdData common;    /* must stay first (see tCommonAppIdData) */

    struct AppIdData *next;     /* chain link (free list or hash chain; usage not shown here) */

    void *ssn;                  /* opaque handle to the underlying stream session (assumed) */
    sfaddr_t service_ip;
    uint16_t service_port;
    uint8_t proto;
    uint8_t previous_tcp_flags;
    bool tried_reverse_service;
    uint8_t tpReinspectByInitiator;

    AppIdFlowData *flowData;    /* head of the per-detector data list, keyed by AppIdFlowData.fd_id */

    /**AppId matching service side */
    tAppId serviceAppId;
    tAppId portServiceAppId;
    /**RNAServiceElement for identifying detector*/
    const struct RNAServiceElement *serviceData;
    RNA_INSPECTION_STATE rnaServiceState;
    FLOW_SERVICE_ID_STATE search_state;
    char *serviceVendor;
    char *serviceVersion;
    struct _RNAServiceSubtype *subtype;
    char *netbios_name;
    SF_LIST * candidate_service_list;
    int got_incompatible_services;

    /**AppId matching client side */
    tAppId clientAppId;
    tAppId clientServiceAppId;
    RNA_INSPECTION_STATE rnaClientState;
    char *clientVersion;
    /**RNAClientAppModule for identifying client detector*/
    const struct RNAClientAppModule *clientData;
    SF_LIST * candidate_client_list;
    unsigned int num_candidate_clients_tried;

    /**AppId matching payload*/
    tAppId payloadAppId;
    tAppId referredPayloadAppId;
    tAppId miscAppId;

    //appId determined by 3rd party library
    tAppId tpAppId;
    tAppId tpPayloadAppId;

    char *username;             /* user name learned from the flow; NUL-terminated and heap-owned (assumed) */
    tAppId usernameService;

    uint32_t flowId;
    char *netbiosDomain;


    httpSession *hsession;      /* HTTP state, NULL when not an HTTP flow (assumed) */
    tlsSession  *tsession;      /* TLS state, NULL when not a TLS flow (assumed) */

    unsigned scan_flags;        /* SCAN_*_FLAG bits (assumed) */
#if RESPONSE_CODE_PACKET_THRESHHOLD
    unsigned response_code_packets;
#endif

    SFGHASH *multiPayloadList;

    tAppId referredAppId;

    tAppId tmpAppId;
    void *tpsession;            /* opaque third-party library session handle */
    uint16_t init_tpPackets;    /* packets handed to the third-party library, per direction */
    uint16_t resp_tpPackets;

    uint16_t session_packet_count;
    uint16_t initiatorPcketCountWithoutReply;
    char *payloadVersion;
    uint64_t initiatorBytesWithoutServerReply;
    int16_t snortId;

    /* Length-based detectors. */
    tLengthKey length_sequence;
    bool is_http2;
    //appIds picked from encrypted session.
    struct {
        tAppId serviceAppId;
        tAppId clientAppId;
        tAppId payloadAppId;
        tAppId miscAppId;
        tAppId referredAppId;
    } encrypted;
    // New fields introduced for DNS Blacklisting

    struct
    {
        uint32_t    firstPktsecond;     /* epoch seconds of first/last packet (assumed; 32-bit) */
        uint32_t    lastPktsecond;
        uint64_t    initiatorBytes;
        uint64_t    responderBytes;
    } stats;

    /* Policy and rule ID for related flows (e.g. ftp-data) */
    struct AppIdData *expectedFlow;
    //struct FwEarlyData *fwData;

    dnsSession *dsession;       /* DNS state, NULL when not a DNS flow (assumed) */

    void * firewallEarlyData;
    tAppId pastIndicator;
    tAppId pastForecast;

    SEARCH_SUPPORT_TYPE search_support_type;

    uint16_t hostCacheVersion;
#if !defined(SFLINUX) && defined(DAQ_CAPA_VRF)
    uint16_t serviceAsId; //This is specific to VRF
#endif
#if !defined(SFLINUX) && defined(DAQ_CAPA_CARRIER_ID)
    uint32_t carrierId;
#endif
} tAppIdData;
/**
 * Set one or more APPID_SESSION_* flags on a flow.
 *
 * @param flow  flow to update; must be non-NULL (not checked here)
 * @param flags bitmask of flags to OR into flow->common.flags
 */
static inline void setAppIdFlag(tAppIdData *flow, uint64_t flags)
{
    uint64_t current = flow->common.flags;
    flow->common.flags = current | flags;
}
  369 
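/**
 * Clear one or more APPID_SESSION_* flags on a flow.
 *
 * (The previous comment was a copy of setAppIdFlag's and described this
 * function as marking a flag; it clears them.)
 *
 * @param flow  flow to update; must be non-NULL (not checked here)
 * @param flags bitmask of flags to remove from flow->common.flags;
 *              bits not in @p flags are left untouched
 */
static inline void clearAppIdFlag(tAppIdData *flow, uint64_t flags)
{
    flow->common.flags &= ~flags;
}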
  380 
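/**
 * Test which of the given APPID_SESSION_* flags are set on a flow.
 *
 * @param flow  flow to inspect; must be non-NULL (not checked here)
 * @param flags bitmask of flags to test
 * @return the subset of @p flags currently set in flow->common.flags:
 *         non-zero if any of them is set, equal to @p flags only if all are
 */
static inline uint64_t getAppIdFlag(const tAppIdData *flow, uint64_t flags)
{
    /* Read-only accessor: the pointer is const-qualified so callers holding a
     * const flow can use it and accidental writes are rejected at compile time. */
    return (flow->common.flags & flags);
}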
  391 
/* Per-flow data list management (AppIdFlowData items on flowp->flowData). */

/** Release every AppIdFlowData item attached to flowp (presumably via each item's fd_free — confirm in flow.c). */
void AppIdFlowdataFree(tAppIdData *flowp);
/** Module-level teardown of the flow-data subsystem. */
void AppIdFlowdataFini(void);
/** Return the fd_data stored under id, or NULL if none is attached (assumed). */
void *AppIdFlowdataGet(tAppIdData *flowp, unsigned id);
/** Attach data under id with destructor fcn; ownership of data passes to the flow.
 *  Return convention (0 on success vs. non-zero on failure) is not shown here — confirm in flow.c. */
int AppIdFlowdataAdd(tAppIdData *flowp, void *data, unsigned id, AppIdFreeFCN fcn);
/** Detach the item stored under id and hand its data back to the caller; given the void* return this
 *  presumably does not call fd_free, whereas AppIdFlowdataDelete (void) presumably does — confirm. */
void *AppIdFlowdataRemove(tAppIdData *flowp, unsigned id);
void AppIdFlowdataDelete(tAppIdData *flowp, unsigned id);
/** Delete every item whose fd_id matches mask (e.g. an APPID_SESSION_DATA_*_MODSTATE_BIT); exact match semantics not shown here. */
void AppIdFlowdataDeleteAllByMask(tAppIdData *flowp, unsigned mask);
/** Create a session ahead of an expected related flow (see tAppIdData.expectedFlow, e.g. ftp-data).
 *  NOTE(review): app_id is int16_t here while sessions store tAppId elsewhere in this header — confirm the two agree. */
tAppIdData *AppIdEarlySessionCreate(tAppIdData *flowp, SFSnortPacket *ctrlPkt, sfaddr_t *cliIp, uint16_t cliPort,
                          sfaddr_t *srvIp, uint16_t srvPort, uint8_t proto, int16_t app_id, int flags);
struct RNAServiceElement;   /* already forward-declared near the top of this header; harmless repeat */
int AppIdFlowdataAddId(tAppIdData *flowp, uint16_t port, const struct RNAServiceElement *svc_element);
  403 
  404 #endif /* _APPID_SESSION_H */
  405