
Member "snort-2.9.17/src/dynamic-preprocessors/appid/fw_appid.h" (16 Oct 2020, 14031 Bytes) of package /linux/misc/snort-2.9.17.tar.gz:



    1 /*
    2 ** Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
    3 ** Copyright (C) 2005-2013 Sourcefire, Inc.
    4 **
    5 ** This program is free software; you can redistribute it and/or modify
    6 ** it under the terms of the GNU General Public License Version 2 as
    7 ** published by the Free Software Foundation.  You may not use, modify or
    8 ** distribute this program under any other version of the GNU General
    9 ** Public License.
   10 **
   11 ** This program is distributed in the hope that it will be useful,
   12 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
   13 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   14 ** GNU General Public License for more details.
   15 **
   16 ** You should have received a copy of the GNU General Public License
   17 ** along with this program; if not, write to the Free Software
   18 ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
   19 */
   20 
   21 
   22 #ifndef _APPID_H_
   23 #define _APPID_H_
   24 
   25 #include <stdint.h>
   26 #include <attribute.h>
   27 
   28 #include <netinet/in.h>
   29 #include "profiler.h"
   30 #include "commonAppMatcher.h"
   31 #include "client_app_api.h"
   32 #include "service_api.h"
   33 #include "flow.h"
   34 #include "common_util.h"
   35 #include "sip_common.h"
   36 #include "appInfoTable.h"
   37 #include "thirdparty_appid_utils.h"
   38 #include "sfghash.h"
   39 
/* Preprocessor id; appSharedGetData() in this header passes it to
 * get_application_data() to fetch the AppID data attached to a session. */
#define PP_APP_ID   1

/* Packet-count bounds with "SFTP" in the name. They are not referenced in this
 * header; presumably consumed by the SFTP detection logic elsewhere (TODO confirm). */
#define MIN_SFTP_PACKET_COUNT   30
#define MAX_SFTP_PACKET_COUNT   55
   44 
   45 /*#define  APPID_FULL_CLEANUP   1 */
   46 
/* Host-monitor categories used by the AppID debug facility. The meaning of the
 * individual MONITOR0..MONITOR5 levels is not defined in this header. */
typedef enum
{
    APPID_DEBUG_HOST_MONITOR0,
    APPID_DEBUG_HOST_MONITOR1,
    APPID_DEBUG_HOST_MONITOR2,
    APPID_DEBUG_HOST_MONITOR3,
    APPID_DEBUG_HOST_MONITOR4,
    APPID_DEBUG_HOST_MONITOR5,
    APPID_DEBUG_HOST_NOT_MONITORED,
} AppIdDebugHostMonitorType;

/* Description of the host/session selected for AppID debugging; one global
 * instance (AppIdDebugHostInfo) is declared below. */
typedef struct
{
    struct in6_addr initiatorIp;        /* address of the session initiator */
    int family;                         /* presumably AF_INET / AF_INET6 for initiatorIp -- TODO confirm */
    tAppIdData* session;                /* session being debugged; ownership is not stated here */
    uint16_t initiatorPort;             /* byte order is not stated here */
    APPID_SESSION_DIRECTION direction;
    uint8_t protocol;
    int monitorType;                    /* presumably an AppIdDebugHostMonitorType value -- TODO confirm */
} AppIdDebugHostInfo_t;
   68 
   69 
/* Per-application priority table, indexed by tAppId. It is written and read
 * only through the bounds-checking inline helpers further down in this header. */
extern uint8_t  appIdPriorityArray[SF_APPID_MAX+1];
extern AppIdDebugHostInfo_t AppIdDebugHostInfo;

/* Returns the AppID data associated with the opaque session handle lwssn. */
struct AppIdData * getAppIdData(void* lwssn);

/* Lifecycle and per-packet entry points. The implementations are not part of
 * this header, so only the signatures are documented here. */
void fwAppIdInit(void);
void fwAppIdFini(tAppIdConfig *pConfig);
void fwAppIdSearch(SFSnortPacket *p);
void httpHeaderCallback (SFSnortPacket *p, HttpParsedHeaders *const headers);
void SipSessionSnortCallback (void *ssnptr, ServiceEventType eventType, void *eventData);

/* Mapping-table loading and id translation against the given configuration. */
void readRnaAppMappingTable(const char *path, tAppIdConfig *pConfig);
tAppId appGetAppFromServiceId(uint32_t serviceId, tAppIdConfig *pConfig);
tAppId appGetAppFromClientId(uint32_t clientId, tAppIdConfig *pConfig);
tAppId appGetAppFromPayloadId(uint32_t payloadId, tAppIdConfig *pConfig);
void appSharedDataDelete(tAppIdData * sharedData);
/* username is passed as a C string. NOTE(review): it presumably originates
 * from inspected traffic, so any copy in the implementation must be bounded --
 * confirm against the definition. */
void AppIdAddUser(tAppIdData *flowp, const char *username, tAppId appId, int success);
/* DNS bookkeeping. host/host_len describe the queried name as a byte range;
 * host_len is a uint8_t, so it cannot express more than 255 bytes. Whether
 * host is NUL-terminated is not stated here -- treat it as length-delimited
 * (TODO confirm against the implementation). */
void AppIdAddDnsQueryInfo(tAppIdData *flow,
                          uint16_t id,
                          const uint8_t *host, uint8_t host_len, uint16_t host_offset,
                          uint16_t record_type, uint16_t options_offset);
void AppIdAddDnsResponseInfo(tAppIdData *flow,
                             uint16_t id,
                             const uint8_t *host, uint8_t host_len, uint16_t host_offset,
                             uint8_t response_type, uint32_t ttl);
void AppIdResetDnsInfo(tAppIdData *flow);

void AppIdAddPayload(tAppIdData *flow, tAppId payload_id);
void AppIdAddMultiPayload(tAppIdData *flow, tAppId payload_id);
/* Allocates session data for the given protocol, initiator address and port.
 * NOTE(review): presumably released with appSharedDataDelete() -- confirm. */
tAppIdData* appSharedDataAlloc(uint8_t proto, const struct in6_addr *ip, uint16_t initiator_port);
tAppId getOpenAppId(void *ssnptr);
  101 
/* Registration of detector callbacks for an application id. userdata is handed
 * over as an opaque struct _Detector pointer; its lifetime is not stated here. */
void appSetServiceDetectorCallback(RNAServiceCallbackFCN fcn, tAppId appId, struct _Detector *userdata, tAppIdConfig *pConfig);
void appSetClientDetectorCallback(RNAClientAppCallbackFCN fcn, tAppId appId, struct _Detector *userdata, tAppIdConfig *pConfig);

/* Registration of service/client validators; the Lua variants take the
 * detector object instead of a configuration pointer. */
void appSetServiceValidator(RNAServiceValidationFCN fcn, tAppId appId, unsigned extractsInfo, tAppIdConfig *pConfig);
void appSetLuaServiceValidator(RNAServiceValidationFCN fcn, tAppId appId, unsigned extractsInfo, struct _Detector *dat);
void appSetClientValidator(RNAClientAppFCN fcn, tAppId appId, unsigned extractsInfo, tAppIdConfig *pConfig);
void appSetLuaClientValidator(RNAClientAppFCN fcn, tAppId appId, unsigned extractsInfo, struct _Detector *data);
/* Looks up application ids from TLS names and writes them through the three
 * output pointers. NOTE(review): serverName/commonName presumably come from
 * the peer's handshake and certificate, i.e. are attacker-influenced -- confirm
 * how the implementation validates them. */
int sslAppGroupIdLookup(void *ssnptr, const char * serverName, const char * commonName, tAppId *serviceAppId, tAppId *clientAppId, tAppId *payloadAppId);

tAppId getAppId(void *ssnptr);
void CheckDetectorCallback(const SFSnortPacket *p, tAppIdData *session, APPID_SESSION_DIRECTION direction, tAppId appId, const tAppIdConfig *pConfig);
/* Records TLS host information for a session; isSniMismatch is supplied by the
 * caller. The string arguments are passed as C strings; NULL handling is not
 * stated in this header. */
void setTlsHost(void *ssnptr, const char *serverName, const char *commonName,
        const char *orgName, const char *subjectAltName, bool isSniMismatch,
        tAppId *serviceAppId, tAppId *clientAppId, tAppId *payloadAppId);

#ifdef FW_TRACKER_DEBUG
void logAppIdInfo(SFSnortPacket *p, char *message, tAppId id);
#endif
/* Debug entry point. data/length describe the request bytes; statusBuf and
 * statusBuf_len are a caller-supplied output buffer and its capacity. The
 * capacity is a signed int; NOTE(review): confirm the implementation rejects
 * non-positive values and checks length against what it parses from data. */
int AppIdDebug(uint16_t type, const uint8_t *data, uint32_t length, void **new_context,
               char* statusBuf, int statusBuf_len);
  122 
/* Debug-session identifier buffer (fixed size FW_DEBUG_SESSION_ID_SIZE) and
 * the flag that accompanies it. */
extern char app_id_debug_session[FW_DEBUG_SESSION_ID_SIZE];
extern bool app_id_debug_session_flag;

/* Profiling counters; only declared when the build enables PERF_PROFILING. */
#ifdef PERF_PROFILING
extern PreprocStats httpPerfStats;
extern PreprocStats clientMatchPerfStats;
extern PreprocStats serviceMatchPerfStats;
extern PreprocStats luaDetectorsPerfStats;
extern PreprocStats luaCiscoPerfStats;
extern PreprocStats luaCustomPerfStats;
extern PreprocStats tpPerfStats;
extern PreprocStats tpLibPerfStats;
#endif

/* Global counters and settings defined elsewhere. NOTE(review): these are
 * plain (non-atomic) globals; whether they are touched from more than one
 * thread is not visible from this header. */
extern unsigned dhcp_fp_table_size;
extern unsigned long app_id_ongoing_session;
extern unsigned long app_id_total_alloc;
extern unsigned long app_id_raw_packet_count;
extern unsigned long app_id_processed_packet_count;
extern unsigned long app_id_ignored_packet_count;
extern int app_id_debug;
extern unsigned isIPv4HostMonitored(uint32_t ip4, int32_t zone);
extern void checkSandboxDetection(tAppId appId);
/*
 * Set every entry of appIdPriorityArray in the range 0 .. SF_APPID_MAX-1 to
 * the default priority 2.
 *
 * The array is declared with SF_APPID_MAX+1 elements, so the final slot is not
 * written by this loop; the accessors below never index it either.
 */
static inline void initializePriorityArray()
{
    int idx = 0;

    while (idx < SF_APPID_MAX)
    {
        appIdPriorityArray[idx] = 2;
        idx++;
    }
}
  152 
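/*
 * Store bit_val as the priority of app_id in appIdPriorityArray.
 *
 * The write happens only when app_id is a valid index (0 .. SF_APPID_MAX-1)
 * and bit_val does not exceed APPID_MAX_PRIORITY; any other input is silently
 * ignored.
 *
 * The lower bound is required: this header compares tAppId values against
 * APP_ID_NONE with '<' and '>', i.e. treats the type as signed. With only the
 * upper-bound test a negative app_id would pass and the store would land
 * before the start of the array.
 */
static inline void setAppPriority (tAppId app_id, uint8_t  bit_val)
{
    if (app_id < 0 || app_id >= SF_APPID_MAX)
        return;
    if (bit_val > APPID_MAX_PRIORITY)
        return;

    appIdPriorityArray[app_id] = bit_val;
}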
  158 
/*
 * Return the stored priority for app_id, or -1 when app_id is not strictly
 * between APP_ID_NONE and SF_APPID_MAX (both bounds exclusive).
 */
static inline int getAppPriority (tAppId app_id)
{
    if (app_id <= APP_ID_NONE || app_id >= SF_APPID_MAX)
        return -1;

    return appIdPriorityArray[app_id];
}
  166 
/*
 * Report whether proto occurs in proto_list.
 *
 * proto_list must be a non-NULL array terminated by an APP_ID_NONE entry: the
 * scan has no other bound, so a list without the terminator is read past its
 * end. Returns 1 when proto is found before the terminator, 0 otherwise.
 */
static inline int ThirdPartyAppIDFoundProto(tAppId proto, tAppId* proto_list)
{
    const tAppId *cursor;

    for (cursor = proto_list; *cursor != APP_ID_NONE; cursor++)
    {
        if (*cursor == proto)
            return 1;
    }
    return 0;
}
/*
 * Tell whether third-party identification has finished for tpSession.
 *
 * With no third-party module loaded the answer is always true. Otherwise the
 * session state is queried (a NULL tpSession counts as TP_STATE_INIT) and the
 * result is non-zero for the CLASSIFIED, TERMINATED and HA states.
 */
static inline int TPIsAppIdDone(void *tpSession)
{
    unsigned tpState = TP_STATE_INIT;

    if (!thirdparty_appid_module)
        return true;

    if (tpSession)
        tpState = thirdparty_appid_module->session_state_get(tpSession);

    if (tpState == TP_STATE_CLASSIFIED)
        return 1;
    if (tpState == TP_STATE_TERMINATED)
        return 1;
    return tpState == TP_STATE_HA;
}
  189 
/*
 * Tell whether a third-party application id can be used for tpSession.
 *
 * With no third-party module loaded the answer is always true. Otherwise the
 * session state is queried (a NULL tpSession counts as TP_STATE_INIT) and the
 * result is non-zero for the CLASSIFIED, TERMINATED and MONITORING states.
 */
static inline int TPIsAppIdAvailable(void * tpSession)
{
    unsigned tpState = TP_STATE_INIT;

    if (!thirdparty_appid_module)
        return true;

    if (tpSession)
        tpState = thirdparty_appid_module->session_state_get(tpSession);

    if (tpState == TP_STATE_CLASSIFIED)
        return 1;
    if (tpState == TP_STATE_TERMINATED)
        return 1;
    return tpState == TP_STATE_MONITORING;
}
  204 
/*
 * Return 1 when third-party processing of flow is complete, 0 when it is
 * still pending.
 *
 * Processing is pending only if a third-party module is loaded, the flow is
 * not flagged APPID_SESSION_NO_TPI, and either the third-party session is not
 * done or one of the re-inspect flags is set. flow is dereferenced without a
 * NULL check once the first two conditions hold.
 */
static inline int isTPProcessingDone(tAppIdData *flow)
{
    if (!thirdparty_appid_module)
        return 1;
    if (getAppIdFlag(flow, APPID_SESSION_NO_TPI))
        return 1;
    if (!TPIsAppIdDone(flow->tpsession))
        return 0;
    if (getAppIdFlag(flow, APPID_SESSION_APP_REINSPECT | APPID_SESSION_APP_REINSPECT_SSL))
        return 0;
    return 1;
}
/*
 * Return the APPID_SESSION_SERVICE_DETECTED flag of flow (non-zero when set).
 * The value is a flag test result, even though the return type is tAppId.
 */
static inline tAppId isAppDetectionDone(tAppIdData *flow)
{
    tAppId detected = getAppIdFlag(flow, APPID_SESSION_SERVICE_DETECTED);

    return detected;
}
  219 
/*
 * Choose the service application id to report for flow.
 *
 * Returns APP_ID_NONE for a NULL flow or a flow whose type is not
 * APPID_SESSION_TYPE_NORMAL. Otherwise the order of preference is:
 *   1. the detected serviceAppId, unless it (or tpAppId) is marked DEFER;
 *   2. the third-party id when it is available and positive;
 *   3. the client-derived service id, then the port-derived service id;
 *   4. a fallback value (rval) that depends on the branch taken.
 */
static inline tAppId pickServiceAppId(tAppIdData *flow)
{
    tAppId rval;

    if (!flow || flow->common.fsf_type.flow_type != APPID_SESSION_TYPE_NORMAL)
        return APP_ID_NONE;

    if (getAppIdFlag(flow, APPID_SESSION_SERVICE_DETECTED))
    {
        /* "deferred" is set when either the service id or the third-party id
         * carries APPINFO_FLAG_DEFER in the active configuration. */
        bool deferred = appInfoEntryFlagGet(flow->serviceAppId, APPINFO_FLAG_DEFER, appIdActiveConfigGet()) || appInfoEntryFlagGet(flow->tpAppId, APPINFO_FLAG_DEFER, appIdActiveConfigGet());

        if (flow->serviceAppId > APP_ID_NONE && !deferred)
            return flow->serviceAppId;
        if (TPIsAppIdAvailable(flow->tpsession))
        {
            if (flow->tpAppId > APP_ID_NONE)
                return flow->tpAppId;
            else if (deferred)
                return flow->serviceAppId;
            else
                rval = APP_ID_UNKNOWN_UI;
        }
        else
            /* third-party result not available yet: fall back to whatever
             * tpAppId currently holds, which may be APP_ID_NONE or lower */
            rval = flow->tpAppId;
    }
    else if (flow->tpAppId > APP_ID_NONE)
        return flow->tpAppId;
    else
        rval = APP_ID_NONE;

    /* No direct answer: prefer the client-derived, then the port-derived
     * service id before returning the fallback chosen above. */
    if (flow->clientServiceAppId > APP_ID_NONE)
        return flow->clientServiceAppId;

    if (flow->portServiceAppId > APP_ID_NONE)
        return flow->portServiceAppId;

    return rval;
}
  258 
/*
 * Choose a service application id from the service and third-party fields
 * only (no client- or port-derived fallback).
 *
 * Returns APP_ID_NONE for a NULL flow or a non-NORMAL flow type. Otherwise:
 * the non-deferred positive serviceAppId wins; then an available, positive
 * tpAppId; then serviceAppId when deferral applies; a negative serviceAppId
 * maps to APP_ID_UNKNOWN_UI; everything else yields APP_ID_NONE.
 */
static inline tAppId pickOnlyServiceAppId(tAppIdData *flow)
{
    bool deferred = false;

    if (flow == NULL)
        return APP_ID_NONE;
    if (flow->common.fsf_type.flow_type != APPID_SESSION_TYPE_NORMAL)
        return APP_ID_NONE;

    /* Deferral applies when either id carries APPINFO_FLAG_DEFER; the second
     * lookup is made only if the first one is not set. */
    if (appInfoEntryFlagGet(flow->serviceAppId, APPINFO_FLAG_DEFER, appIdActiveConfigGet()))
        deferred = true;
    else if (appInfoEntryFlagGet(flow->tpAppId, APPINFO_FLAG_DEFER, appIdActiveConfigGet()))
        deferred = true;

    if (!deferred && flow->serviceAppId > APP_ID_NONE)
        return flow->serviceAppId;

    if (TPIsAppIdAvailable(flow->tpsession) && flow->tpAppId > APP_ID_NONE)
        return flow->tpAppId;

    if (deferred)
        return flow->serviceAppId;

    return (flow->serviceAppId < APP_ID_NONE) ? APP_ID_UNKNOWN_UI : APP_ID_NONE;
}
  279 
/*
 * Return flow->miscAppId when flow is a non-NULL NORMAL session and the id is
 * greater than APP_ID_NONE; otherwise APP_ID_NONE.
 */
static inline tAppId pickMiscAppId(tAppIdData *flow)
{
    if (flow
        && flow->common.fsf_type.flow_type == APPID_SESSION_TYPE_NORMAL
        && flow->miscAppId > APP_ID_NONE)
        return flow->miscAppId;

    return APP_ID_NONE;
}
  288 
/*
 * Return flow->clientAppId when flow is a non-NULL NORMAL session and the id
 * is greater than APP_ID_NONE; otherwise APP_ID_NONE.
 */
static inline tAppId pickClientAppId(tAppIdData *flow)
{
    if (!flow)
        return APP_ID_NONE;
    if (flow->common.fsf_type.flow_type != APPID_SESSION_TYPE_NORMAL)
        return APP_ID_NONE;

    return (flow->clientAppId > APP_ID_NONE) ? flow->clientAppId : APP_ID_NONE;
}
  297 
/*
 * Return true when app_id is one of the service ids listed below, false for
 * any other value. Despite the name, the list is HTTP plus the SSL/TLS-wrapped
 * services and APP_ID_SSHELL.
 */
static inline bool isSvcHttpType(tAppId app_id)
{
    bool matched = false;

    switch(app_id)
    {
        case APP_ID_HTTP:
        case APP_ID_HTTPS:
        case APP_ID_FTPS:
        case APP_ID_IMAPS:
        case APP_ID_IRCS:
        case APP_ID_LDAPS:
        case APP_ID_NNTPS:
        case APP_ID_POP3S:
        case APP_ID_SMTPS:
        case APP_ID_SSHELL:
        case APP_ID_SSL:
            matched = true;
            break;
        default:
            break;
    }
    return matched;
}
  317 
/*
 * Choose the payload application id to report for flow.
 *
 * Returns APP_ID_NONE for a NULL flow or a non-NORMAL flow type. Otherwise,
 * in order: a third-party payload id flagged APPINFO_FLAG_DEFER_PAYLOAD is
 * returned as-is; then a positive payloadAppId; then a positive
 * tpPayloadAppId; then APP_ID_UNKNOWN, but only when payloadAppId is
 * APP_ID_UNKNOWN and the service passes isSvcHttpType(); else APP_ID_NONE.
 */
static inline tAppId pickPayloadId(tAppIdData *flow)
{
    if (flow == NULL)
        return APP_ID_NONE;
    if (flow->common.fsf_type.flow_type != APPID_SESSION_TYPE_NORMAL)
        return APP_ID_NONE;

    /* A deferred third-party payload takes precedence over everything else;
     * the APP_ID_UNKNOWN case is deliberately not considered here. */
    if (appInfoEntryFlagGet(flow->tpPayloadAppId, APPINFO_FLAG_DEFER_PAYLOAD, appIdActiveConfigGet()))
        return flow->tpPayloadAppId;

    if (flow->payloadAppId > APP_ID_NONE)
        return flow->payloadAppId;

    if (flow->tpPayloadAppId > APP_ID_NONE)
        return flow->tpPayloadAppId;

    /* APP_ID_UNKNOWN is reported only for the services accepted by
     * isSvcHttpType(). */
    if (flow->payloadAppId == APP_ID_UNKNOWN && isSvcHttpType(flow->serviceAppId))
        return APP_ID_UNKNOWN;

    return APP_ID_NONE;
}
  337 
/*
 * Return flow->multiPayloadList for a non-NULL NORMAL session, or NULL when
 * flow is NULL, is not a NORMAL session, or has no list. The returned table
 * is the session's own; no copy is made.
 */
static inline SFGHASH* pickMultiPayloadList(tAppIdData *flow)
{
    if (flow == NULL || flow->common.fsf_type.flow_type != APPID_SESSION_TYPE_NORMAL)
        return NULL;

    return flow->multiPayloadList;
}
/*
 * Return flow->referredPayloadAppId when flow is a non-NULL NORMAL session and
 * the id is greater than APP_ID_NONE; otherwise APP_ID_NONE.
 */
static inline tAppId pickReferredPayloadId(tAppIdData *flow)
{
    if (flow
        && flow->common.fsf_type.flow_type == APPID_SESSION_TYPE_NORMAL
        && flow->referredPayloadAppId > APP_ID_NONE)
        return flow->referredPayloadAppId;

    return APP_ID_NONE;
}
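/*
 * Service application id for session, falling back to the id recorded for the
 * encrypted portion of the session when the regular pick yields APP_ID_NONE or
 * APP_ID_UNKNOWN_UI.
 *
 * A NULL session returns APP_ID_NONE. pickServiceAppId() accepts NULL and
 * answers APP_ID_NONE, which previously led straight into a dereference of
 * session->encrypted.
 *
 * NOTE(review): pickServiceAppId() also answers APP_ID_NONE for sessions whose
 * flow_type is not APPID_SESSION_TYPE_NORMAL, and the fallback then reads
 * session->encrypted -- confirm that field is valid for every flow type that
 * can reach this function.
 */
static inline tAppId fwPickServiceAppId(tAppIdData *session)
{
    tAppId appId;

    if (!session)
        return APP_ID_NONE;

    appId = pickServiceAppId(session);
    if (appId == APP_ID_NONE || appId == APP_ID_UNKNOWN_UI)
        appId = session->encrypted.serviceAppId;
    return appId;
}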
  362 
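/*
 * Misc application id for session, falling back to the id recorded for the
 * encrypted portion of the session when the regular pick yields APP_ID_NONE.
 *
 * A NULL session returns APP_ID_NONE. pickMiscAppId() accepts NULL and answers
 * APP_ID_NONE, which previously led straight into a dereference of
 * session->encrypted.
 */
static inline tAppId fwPickMiscAppId(tAppIdData *session)
{
    tAppId appId;

    if (!session)
        return APP_ID_NONE;

    appId = pickMiscAppId(session);
    if (appId == APP_ID_NONE)
        appId = session->encrypted.miscAppId;
    return appId;
}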
  371 
/*
 * Client application id for session. This is a direct pass-through to
 * pickClientAppId(); unlike the other fwPick* helpers there is no fallback to
 * the encrypted-session ids.
 */
static inline tAppId fwPickClientAppId(tAppIdData *session)
{
    return pickClientAppId(session);
}
  378 
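/*
 * Payload application id for session, with a fallback to the id recorded for
 * the encrypted portion of the session.
 *
 * The fallback is used when the regular pick yields APP_ID_NONE, or when it
 * yields APP_ID_SPDY while the HTTP session has no URL and a positive
 * encrypted payload id exists.
 *
 * A NULL session returns APP_ID_NONE. The original guarded only the SPDY
 * branch with a session check, so a NULL session (for which pickPayloadId()
 * answers APP_ID_NONE) was dereferenced on the first branch.
 */
static inline tAppId fwPickPayloadAppId(tAppIdData *session)
{
    tAppId appId;

    if (!session)
        return APP_ID_NONE;

    appId = pickPayloadId(session);
    if (appId == APP_ID_NONE ||
        (appId == APP_ID_SPDY && session->hsession && session->hsession->url == NULL && session->encrypted.payloadAppId > APP_ID_NONE))
        appId = session->encrypted.payloadAppId;
    return appId;
}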
  388 
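/*
 * Referred payload application id for session, falling back to the referred
 * id recorded for the encrypted portion of the session when the regular pick
 * yields APP_ID_NONE.
 *
 * A NULL session returns APP_ID_NONE. pickReferredPayloadId() accepts NULL and
 * answers APP_ID_NONE, which previously led straight into a dereference of
 * session->encrypted.
 */
static inline tAppId fwPickReferredPayloadAppId(tAppIdData *session)
{
    tAppId appId;

    if (!session)
        return APP_ID_NONE;

    appId = pickReferredPayloadId(session);
    if (appId == APP_ID_NONE)
        appId = session->encrypted.referredAppId;
    return appId;
}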
  397 
/*
 * Multi-payload table for session. This is a direct pass-through to
 * pickMultiPayloadList(), so it yields NULL for a NULL or non-NORMAL session.
 */
static inline SFGHASH* fwPickMultiPayloadList(tAppIdData *session)
{
    return pickMultiPayloadList(session);
}
  404 
/*
 * Fetch the AppID data attached to the packet's stream session, using the
 * PP_APP_ID preprocessor id. p is dereferenced without a NULL check; the
 * result is whatever get_application_data() returns for that session.
 */
static inline tAppIdData* appSharedGetData(const SFSnortPacket *p)
{
    tAppIdData *appData = _dpd.sessionAPI->get_application_data(p->stream_session, PP_APP_ID);

    return appData;
}
  409 
/*
 * Return the APPID_SESSION_DECRYPTED flag of session (non-zero when set).
 */
static inline unsigned int isFwSessionSslDecrypted(tAppIdData *session)
{
    unsigned int decrypted = getAppIdFlag(session, APPID_SESSION_DECRYPTED);

    return decrypted;
}
/*
 * Return 1 when app_id should trigger SSL re-inspection: it must not exceed
 * SF_APPID_MAX and must either be APP_ID_SSL or carry
 * APPINFO_FLAG_SSL_INSPECT in the active configuration. Returns 0 otherwise.
 *
 * NOTE(review): the upper bound here is inclusive (<= SF_APPID_MAX) while the
 * priority helpers in this header use an exclusive bound, and there is no
 * lower bound; this relies on appInfoEntryFlagGet() coping with any id it is
 * given -- confirm against its definition.
 */
static inline int testSSLAppIdForReinspect (tAppId app_id)
{
    if (app_id > SF_APPID_MAX)
        return 0;
    if (app_id == APP_ID_SSL)
        return 1;
    if (appInfoEntryFlagGet(app_id, APPINFO_FLAG_SSL_INSPECT, appIdActiveConfigGet()))
        return 1;
    return 0;
}
  421 #endif