"Fossies" - the Fresh Open Source Software Archive

Member "snort-2.9.17/src/dynamic-preprocessors/ftptelnet/ftpp_si.h" (16 Oct 2020, 7541 Bytes) of package /linux/misc/snort-2.9.17.tar.gz:



    1 /*
    2  * ftpp_si.h
    3  *
    4  * Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
    5  * Copyright (C) 2004-2013 Sourcefire, Inc.
    6  * Steven A. Sturges <ssturges@sourcefire.com>
    7  * Daniel J. Roelker <droelker@sourcefire.com>
    8  * Marc A. Norton <mnorton@sourcefire.com>
    9  *
   10  * This program is free software; you can redistribute it and/or modify
   11  * it under the terms of the GNU General Public License Version 2 as
   12  * published by the Free Software Foundation.  You may not use, modify or
   13  * distribute this program under any other version of the GNU General
   14  * Public License.
   15  *
   16  * This program is distributed in the hope that it will be useful,
   17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
   18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   19  * GNU General Public License for more details.
   20  *
   21  * You should have received a copy of the GNU General Public License
   22  * along with this program; if not, write to the Free Software
   23  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
   24  *
   25  * Description:
   26  *
   27  * This file contains structures and functions for the
   28  * Session Inspection Module.
   29  *
   30  * The Session Inspection Module has several data structures that are
   31  * very important to the functionality of the module.  The two major
   32  * structures are the FTPP_SESSION and the FTPP_SI_INPUT.
   33  *
   34  * NOTES:
   35  * - 20.09.04:  Initial Development.  SAS
   36  *
   37  */
   38 #ifndef __FTPP_SI_H__
   39 #define __FTPP_SI_H__
   40 
   41 #include <stdint.h>
   42 
   43 #include "ftpp_include.h"
   44 #include "ftpp_ui_config.h"
   45 #include "ftp_client.h"
   46 #include "ftp_server.h"
   47 
   48 #include "sf_snort_packet.h"
   49 #include "ftpp_eo.h"
   50 #include "sfPolicy.h"
   51 #include "sfPolicyUserData.h"
   52 #include "session_api.h"
   53 
   54 /*
   55  * These are the defines for the different types of
   56  * inspection modes.  We have a server mode and a client mode.
   57  */
   58 #define FTPP_SI_NO_MODE     0
   59 #define FTPP_SI_CLIENT_MODE 1
   60 #define FTPP_SI_SERVER_MODE 2
   61 
      /* Protocol tags held in FTP_TELNET_SESSION.proto; the PROTO_IS_*()
       * macros below test for the three non-zero values. */
   62 #define FTPP_SI_PROTO_UNKNOWN   0
   63 #define FTPP_SI_PROTO_TELNET    1
   64 #define FTPP_SI_PROTO_FTP       2
   65 #define FTPP_SI_PROTO_FTP_DATA  3
   66 
      /* These match the -1 ("ignore") and 0 ("unknown") values documented on
       * FTP_SESSION.file_xfer_info; positive values there are a filename
       * length, so compare against these constants before treating the field
       * as a length. */
   67 #define FTPP_FILE_IGNORE    -1
   68 #define FTPP_FILE_UNKNOWN    0
   69 
   70 /* Macros for testing the type of FTP_TELNET_SESSION
       *
       * FTPP_SI_IS_PROTO() is null-safe (a NULL Ssn yields 0) but expands Ssn
       * twice, so pass a pointer expression without side effects.  Ssn must
       * point to a struct with an ft_ssn member; the macro trusts the
       * pointer's static type and cannot detect a pointer that was cast from
       * a different session type. */
   71 #define FTPP_SI_IS_PROTO(Ssn, Pro)      ((Ssn) && ((Ssn)->ft_ssn.proto == (Pro)))
   72 #define PROTO_IS_FTP(ssn)               FTPP_SI_IS_PROTO(ssn, FTPP_SI_PROTO_FTP)
   73 #define PROTO_IS_FTP_DATA(ssn)          FTPP_SI_IS_PROTO(ssn, FTPP_SI_PROTO_FTP_DATA)
   74 #define PROTO_IS_TELNET(ssn)            FTPP_SI_IS_PROTO(ssn, FTPP_SI_PROTO_TELNET)
   75 
   76 typedef struct s_FTP_TELNET_SESSION
   77 {
          /* Protocol tag (FTPP_SI_PROTO_*).  This struct is the first member
           * (ft_ssn) of TELNET_SESSION, FTP_SESSION and FTP_DATA_SESSION, and
           * FTPP_SI_IS_PROTO() reads this field to test the session type. */
   78     int proto;
   79 
   80 } FTP_TELNET_SESSION;
   81 
   82 /*
   83  * The TELNET_SESSION structure contains the complete TELNET session.
   84  * This is the structure that is saved per session in the
   85  * Stream Interface Module.  This structure gets sent through the
   86  * detection engine process (Normalization, Detection).
   87  */
   88 typedef struct s_TELNET_SESSION
   89 {
   90     FTP_TELNET_SESSION ft_ssn;  /* common header read by the PROTO_IS_*() macros */
   91 
   92     /* The global configuration for this session */
   93     tSfPolicyId policy_id;
   94     tSfPolicyUserContextId global_conf;
   95 
   96     /* The Telnet protocol configuration for this session */
   97     TELNET_PROTO_CONF *telnet_conf;
   98 
   99     /* Number of consecutive are-you-there commands seen. */
  100     int consec_ayt;
  101 
          /* NOTE(review): encryption state; the values stored here are not
           * defined in this header -- confirm against the Telnet code. */
  102     int encr_state;
  103 
          /* presumably the alertable event list, as in FTP_SESSION -- confirm */
  104     TELNET_EVENTS event_list;
  105 
  106 } TELNET_SESSION;
  107 
  108 /*
  109  * These are the state values for determining the FTP data channel.
  110  */
  111 #define NO_STATE                  0x00
      /* NOTE(review): 0xFFFFFFFF has every DATA_CHAN_* bit set, so code that
       * tests individual bits must rule out LOST_STATE first.  Where int is
       * 32 bits the constant has type unsigned int, while
       * FTP_SESSION.data_chan_state is declared int -- presumably these
       * values are stored there; confirm the signed/unsigned conversions
       * are intended. */
  112 #define LOST_STATE                0xFFFFFFFF
  113 
      /* Data-channel state bits; each value is a distinct single bit. */
  114 #define DATA_CHAN_PORT_CMD_ISSUED    0x01
  115 #define DATA_CHAN_PORT_CMD_ACCEPT    0x02
  116 #define DATA_CHAN_PASV_CMD_ISSUED    0x04
  117 #define DATA_CHAN_PASV_CMD_ACCEPT    0x08
  118 #define DATA_CHAN_XFER_CMD_ISSUED    0x10
  119 #define DATA_CHAN_XFER_STARTED       0x20
  120 #define DATA_CHAN_CLIENT_HELLO_SEEN  0x40
  121 #define DATA_CHAN_REST_CMD_ISSUED    0x80
  122 
      /* AUTH / encryption state bits.  Their numeric values overlap the
       * DATA_CHAN_* bits above, so the two sets must live in separate
       * fields -- presumably an encr_state member; confirm against the
       * code that sets them. */
  123 #define AUTH_TLS_CMD_ISSUED       0x01
  124 #define AUTH_SSL_CMD_ISSUED       0x02
  125 #define AUTH_UNKNOWN_CMD_ISSUED   0x04
  126 #define AUTH_TLS_ENCRYPTED        0x08
  127 #define AUTH_SSL_ENCRYPTED        0x10
  128 #define AUTH_UNKNOWN_ENCRYPTED    0x20
  129 
  130 /*
  131  * The FTP_SESSION structure contains the complete FTP session, both the
  132  * client and the server constructs.  This is the structure that
  133  * is saved per session in the Stream Interface Module.  This structure
  134  * gets sent through the detection engine process (Normalization,
  135  * Detection).
  136  */
  137 typedef struct s_FTP_SESSION
  138 {
  139     FTP_TELNET_SESSION ft_ssn;  /* common header read by the PROTO_IS_*() macros */
  140     tSfPolicyId policy_id;
  141 
  142     /* The client construct contains all the info associated with a
  143      * client request. */
  144     FTP_CLIENT client;
  145 
  146     /* The server construct contains all the info associated with a
  147      * server response. */
  148     FTP_SERVER server;
  149 
  150     /* The client configuration for this session if it's FTP */
  151     FTP_CLIENT_PROTO_CONF *client_conf;
  152 
  153     /* The server configuration for this session if it's FTP */
  154     FTP_SERVER_PROTO_CONF *server_conf;
  155 
  156     /* The global configuration for this session */
  157     tSfPolicyUserContextId global_conf;
  158 
  159     /* The data channel info */
          /* presumably NO_STATE, LOST_STATE or a mask of DATA_CHAN_* bits --
           * confirm; LOST_STATE (0xFFFFFFFF) exceeds INT_MAX where int is
           * 32 bits, and this field is a signed int */
  160     int data_chan_state;
  161     uint32_t data_chan_index;
  162     uint32_t data_xfer_index;
  163     sfaddr_t      clientIP;
  164     uint16_t clientPort;
  165     sfaddr_t      serverIP;
  166     uint16_t serverPort;
  167     uint32_t ftp_cmd_pipe_index;
  168     uint32_t rest_cmd_offset;
  169     uint16_t control_clientPort;
  170     uint16_t control_serverPort;
  171 
  172     /* A file is being transferred on ftp-data channel */
          /* NOTE(review): who allocates and frees this buffer, and whether it
           * is NUL-terminated, is not visible in this header -- confirm
           * before treating it as a C string. */
  173     char *filename;
  174     int file_xfer_info; /* -1: ignore, 0: unknown, >0: filename length */
  175     bool data_xfer_dir;
  176 
  177     /* Command/data channel encryption */
  178     bool encr_state_chello;
  179     unsigned char flags;  /* presumably FTP_FLG_* bits -- confirm */
  180     int encr_state;       /* presumably a mask of AUTH_* bits -- confirm */
  181     uint32_t flow_id;
  182 
  183     /* Alertable event list */
  184     FTP_EVENTS event_list;
          /* NOTE(review): untyped pointer, presumably to the associated
           * FTP_DATA_SESSION (which holds a void *ftpssn under TARGET_BASED).
           * The lifetime coupling is not visible in this header -- confirm
           * each side is cleared when the other session is freed. */
  185     void *datassn;
  186     sfaddr_t      control_clientIP;
  187     sfaddr_t      control_serverIP;
  188 
  189 } FTP_SESSION;
  190 
  191 #define FTP_FLG_MALWARE_ENABLED (1<<1)  /* presumably a bit of FTP_SESSION.flags -- confirm */
  192 
  193 #ifdef TARGET_BASED
  194 
  195 /* FTP-Data Transfer Modes */
  196 enum {
          /* presumably the values stored in FTP_DATA_SESSION.mode -- confirm */
  197     FTPP_XFER_PASSIVE = 0,
  198     FTPP_XFER_ACTIVE  = 1
  199 };
  200 
  201 typedef struct s_FTP_DATA_SESSION
  202 {
  203     FTP_TELNET_SESSION ft_ssn;  /* common header read by the PROTO_IS_*() macros */
  204     StreamSessionKey * ftp_key;
          /* NOTE(review): untyped back-pointer, presumably to the controlling
           * FTP_SESSION (which holds a void *datassn).  The lifetime coupling
           * is not visible in this header -- confirm each side is cleared
           * when the other session is freed. */
  205     void* ftpssn;
          /* NOTE(review): ownership and NUL-termination of this buffer are
           * not visible in this header -- confirm before treating it as a
           * C string. */
  206     char *filename;
  207     int data_chan;
  208     int file_xfer_info;   /* presumably encoded like FTP_SESSION.file_xfer_info -- confirm */
  209     FilePosition position;
  210     bool direction;
  211     unsigned char mode;   /* presumably FTPP_XFER_PASSIVE / FTPP_XFER_ACTIVE -- confirm */
  212     unsigned char flags;  /* presumably FTPDATA_FLG_* bits -- confirm */
  213     uint32_t flow_id;
  214     uint32_t path_hash;
  215 } FTP_DATA_SESSION;
  216 
  217 #define FTPDATA_FLG_REASSEMBLY_SET  (1<<0)  /* FTPDATA_FLG_*: presumably bits of FTP_DATA_SESSION.flags -- confirm */
  218 #define FTPDATA_FLG_FILENAME_SET    (1<<1)
  219 #define FTPDATA_FLG_STOP            (1<<2)
  220 #define FTPDATA_FLG_REST            (1<<3)
  221 #define FTPDATA_FLG_FLUSH           (1<<4)
  222 
  223 #endif
  224 
  225 /*
  226  * The FTPP_SI_INPUT structure holds the information that the Session
  227  * Inspection Module needs to determine the type of inspection mode
  228  * (client, server, neither) and to retrieve the appropriate server
  229  * configuration.
  230  *
  231  * The input is the source and destination IP addresses, and the
  232  * source and destination ports (since this should always be a
  233  * TCP packet).
  234  */
  235 typedef struct s_FTPP_SI_INPUT
  236 {
  237     sfaddr_t sip;           /* source IP address */
  238     sfaddr_t dip;           /* destination IP address */
  239     unsigned short sport;   /* source port */
  240     unsigned short dport;   /* destination port */
  241     unsigned char pdir;     /* presumably the packet direction -- confirm */
  242     unsigned char pproto;   /* presumably one of FTPP_SI_PROTO_* -- confirm */
  243 
  244 } FTPP_SI_INPUT;
  245 
  246 int ftpp_si_determine_proto(SFSnortPacket *p, FTPTELNET_GLOBAL_CONF *GlobalConf,
  247         FTP_TELNET_SESSION **, FTPP_SI_INPUT *SiInput, int *piInspectMode);
      /* ftpp_si_determine_proto(): presumably hands back the session through
       * the unnamed FTP_TELNET_SESSION ** and an FTPP_SI_*_MODE value through
       * piInspectMode -- confirm against the definition, including whether
       * the session pointer can be left NULL on return. */
  248 int FTPGetPacketDir(SFSnortPacket *);
  249 
  250 #ifdef TARGET_BASED
  251 /* FTP-Data file processing */
  252 FTP_DATA_SESSION * FTPDataSessionNew(SFSnortPacket *p);
      /* NOTE(review): the argument is untyped; presumably it must be an
       * FTP_DATA_SESSION obtained from FTPDataSessionNew() -- confirm. */
  253 void FTPDataSessionFree(void *p_ssn);
  254 bool FTPDataDirection(SFSnortPacket *p, FTP_DATA_SESSION *ftpdata);
  255 #endif
  256 
  257 #endif /* ! __FTPP_SI_H__ */
  258