Member "snort-2.9.17/src/preprocessors/snort_httpinspect.h" (16 Oct 2020, 9626 Bytes) of package /linux/misc/snort-2.9.17.tar.gz:
1 /****************************************************************************
2 *
3 * Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
4 * Copyright (C) 2003-2013 Sourcefire, Inc.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License Version 2 as
8 * published by the Free Software Foundation. You may not use, modify or
9 * distribute this program under any other version of the GNU General
10 * Public License.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
20 *
21 ****************************************************************************/
22
23 #ifndef __SNORT_HTTPINSPECT_H__
24 #define __SNORT_HTTPINSPECT_H__
25
26 #include "decode.h"
27 #include "session_api.h"
28 #include "stream_api.h"
29 #include "hi_ui_config.h"
30 #include "util_utf.h"
31 #include "detection_util.h"
32 #include "mempool.h"
33 #include "str_search.h"
34 #include "util_jsnorm.h"
35
36 #include <zlib.h>
37
/* Globals shared by the HttpInspect sources; this header only declares them. */
38 extern MemPool *http_mempool; /* SetLogBuffers() in this header takes the URI/hostname log bucket from this pool */
39 extern MemPool *mime_decode_mempool;
40 extern MemPool *mime_log_mempool;
41
42 extern DataBuffer HttpDecodeBuf; /* SetHttpDecode() in this header writes its len field */
43
44 #ifdef PERF_PROFILING
45 extern PreprocStats hi2PerfStats; /* these four are declared only when PERF_PROFILING is defined */
46 extern PreprocStats hi2InitPerfStats;
47 extern PreprocStats hi2PayloadPerfStats;
48 extern PreprocStats hi2PseudoPerfStats;
49 #endif
50
51 /**
52 ** Characters that separate tokens on the HttpInspect configuration
53 ** line in snort.conf: space, tab, newline and carriage return.
54 */
55 #define CONF_SEPARATORS " \t\n\r"
56 #define MAX_METHOD_LEN 256 /* NOTE(review): presumably the longest HTTP method name accepted; not used in this header - confirm */
57
58 /*
59 ** These keywords delimit the sections of the HttpInspect
60 ** configuration. When the parser sees one of them, it begins
61 ** a new section.
62 */
63 #define GLOBAL "global"
64 #define GLOBAL_SERVER "global_server"
65 #define SERVER "server"
66 #define CLIENT "client"
67
/* Memory-cap values in bytes (default, minimum, maximum), followed by the sizes of the logged URI and hostname areas. */
68 #define DEFAULT_HTTP_MEMCAP 150994944 /* 144 MB */
69 #define MIN_HTTP_MEMCAP 2304
70 #define MAX_HTTP_MEMCAP 603979776 /* 576 MB */
71 #define MAX_URI_EXTRACTED 2048 /* SetLogBuffers() starts the hostname area this many bytes into the log bucket, so a logged URI must never exceed it */
72 #define MAX_HOSTNAME 256 /* NOTE(review): presumably the size of the hostname area; the bucket must then hold at least MAX_URI_EXTRACTED + MAX_HOSTNAME bytes - confirm where http_mempool is created */
73
74
/*
 * Decompression limits. NOTE(review): presumably these bound the memory given
 * to gzip handling and how many compressed / decompressed bytes are inspected,
 * which is what keeps a highly compressible response from consuming unbounded
 * work - confirm against the configuration parser.
 */
75 #define DEFAULT_MAX_GZIP_MEM 838860
76 #define GZIP_MEM_MIN 3276
77 #define MAX_GZIP_DEPTH 65535
78 #define DEFAULT_COMP_DEPTH 1460
79 #define DEFAULT_DECOMP_DEPTH 2920
80
/*
 * These match zlib's windowBits convention for inflateInit2(): a negative
 * value selects raw deflate, 15 a zlib-wrapped stream, and 15 + 16 = 31 a
 * gzip stream. NOTE(review): the call that consumes them is not in this header.
 */
81 #define DEFLATE_RAW_WBITS -15
82 #define DEFLATE_WBITS 15
83 #define GZIP_WBITS 31
84
85 #define XFF_MAX_PIPELINE_REQ 255 /* 255 is also the largest value the uint8_t tID / tList_count fields below can hold; NOTE(review): presumably caps the queued Transaction nodes per session - confirm */
86
87
/* NOTE(review): presumably the values carried by look_for_partial_content and returned by isHttpRespPartialCont() - confirm. */
88 #define CONTENT_NONE 0
89 #define PARTIAL_CONTENT 1
90 #define FULL_CONTENT 2
91
/*
 * Response compression formats. Each value is a distinct bit, so they can be
 * combined in a mask. NOTE(review): presumably stored in
 * DECOMPRESS_STATE.compress_fmt - confirm.
 * The typedef reuses the tag name, which starts with an underscore and an
 * uppercase letter, a spelling C reserves for the implementation.
 */
92 typedef enum _HttpRespCompressType
93 {
94 HTTP_RESP_COMPRESS_TYPE__GZIP = 0x00000001,
95 HTTP_RESP_COMPRESS_TYPE__DEFLATE = 0x00000002
96
97 } _HttpRespCompressType;
98
/* Position within a decompression run; ResetGzipState() puts the stage back to HTTP_DECOMP_START. */
99 typedef enum _DecompressStage
100 {
101 HTTP_DECOMP_START,
102 HTTP_DECOMP_MID,
103 HTTP_DECOMP_FIN
104 } DecompressStage;
105
/*
 * Decompression state kept for one HTTP session (HttpSessionData.decomp_state
 * points at it). ResetGzipState() ends the zlib stream and clears every member
 * except compr_depth, decompr_depth and bkt.
 */
106 typedef struct s_DECOMPRESS_STATE
107 {
108 uint8_t inflate_init; /* cleared by ResetGzipState(); NOTE(review): presumably non-zero once d_stream has been initialised - confirm */
109 uint16_t compress_fmt; /* NOTE(review): presumably a mask of HTTP_RESP_COMPRESS_TYPE__* bits - confirm */
110 uint8_t decompress_data;
111 int compr_bytes_read; /* running counters, zeroed by ResetGzipState() */
112 int decompr_bytes_read;
113 int compr_depth; /* NOTE(review): presumably the configured limits the two counters above are checked against; they are signed int, so confirm the comparison cannot be bypassed by overflow */
114 int decompr_depth;
115 z_stream d_stream; /* zlib stream handed to inflateEnd() by ResetGzipState() */
116 MemBucket *bkt; /* NOTE(review): presumably the mempool bucket backing this state - confirm */
117 bool deflate_initialized;
118 DecompressStage stage;
119 } DECOMPRESS_STATE;
120
/* NOTE(review): presumably the values of HTTP_RESP_STATE.chunk_len_state, which is declared as uint8_t rather than this enum - confirm. */
121 typedef enum _ChunkLenState
122 {
123 CHUNK_LEN_DEFAULT = 0,
124 CHUNK_LEN_INCOMPLETE
125 } ChunkLenState;
126
/*
 * Response-side tracking state, embedded by value in HttpSessionData.
 * ResetRespState() zeroes the members from inspect_body through max_seq and
 * leaves the last four (flow_depth_excd onwards) as they are.
 */
127 typedef struct s_HTTP_RESP_STATE
128 {
129 uint8_t inspect_body;
130 uint8_t inspect_reassembled;
131 uint8_t last_pkt_contlen;
132 uint8_t last_pkt_chunked;
133 uint32_t next_seq;
134 uint32_t chunk_remainder; /* NOTE(review): presumably bytes of the current chunk still expected; the value derives from attacker-controlled chunk sizes - confirm how it is bounded */
135 int data_extracted;
136 uint32_t max_seq;
137 bool flow_depth_excd; /* not reset by ResetRespState() */
138 bool eoh_found; /* not reset by ResetRespState() */
139 uint8_t look_for_partial_content; /* not reset by ResetRespState() */
140 uint8_t chunk_len_state; /* not reset by ResetRespState(); NOTE(review): presumably a ChunkLenState value - confirm */
141 }HTTP_RESP_STATE;
142
/*
 * URI / hostname logging state, created by SetLogBuffers(). The two
 * *_extracted pointers are not separate allocations: both point into
 * log_bucket->data, the hostname area starting MAX_URI_EXTRACTED bytes in.
 */
143 typedef struct s_HTTP_LOG_STATE
144 {
145 uint32_t uri_bytes; /* set to 0 by SetLogBuffers(); NOTE(review): presumably the number of valid bytes in uri_extracted - confirm */
146 uint32_t hostname_bytes; /* set to 0 by SetLogBuffers(); same caveat for hostname_extracted */
147 MemBucket *log_bucket; /* bucket taken from http_mempool */
148 uint8_t *uri_extracted; /* log_bucket->data */
149 uint8_t *hostname_extracted; /* log_bucket->data + MAX_URI_EXTRACTED */
150 }HTTP_LOG_STATE;
151
/*
 * Node of the singly linked list hanging off HttpSessionData
 * (tList_start .. tList_end). GetTrueIPForSession() matches tID against the
 * session's request / response ids to pick the node whose true_ip it returns.
 */
152 typedef struct _Transaction
153 {
154 uint8_t tID; /* 8-bit id, so values repeat after 256 transactions */
155 sfaddr_t *true_ip; /* may be NULL; released with sfaddr_free() in freeTransactionNode() */
156 struct _Transaction *next;
157 }Transaction;
158
/*
 * HttpInspect's per-session data. GetHttpSessionData() fetches it from the
 * session API under the PP_HTTPINSPECT id.
 */
159 typedef struct _HttpSessionData
160 {
161 uint64_t event_flags;
162 HTTP_RESP_STATE resp_state; /* embedded by value */
163 DECOMPRESS_STATE *decomp_state;
164 HTTP_LOG_STATE *log_state; /* NULL until SetLogBuffers() succeeds */
165 decode_utf_state_t utf_state;
166 uint8_t log_flags; /* NOTE(review): presumably a mask of HTTP_LOG_* bits - confirm */
167 uint8_t cli_small_chunk_count;
168 uint8_t srv_small_chunk_count;
169 uint8_t http_req_id; /* compared with tList_end->tID by GetTrueIPForSession() */
170 uint8_t http_resp_id; /* compared with tList_start->tID by GetTrueIPForSession() */
171 uint8_t is_response; /* GetTrueIPForSession() tests it against 0 (request) and 1 (response) */
172 uint8_t tList_count; /* not updated by deleteNode_tList(); NOTE(review): presumably maintained by its callers - confirm */
173 MimeState *mime_ssn;
174 fd_session_p_t fd_state;
175 Transaction *tList_start; /* head of the Transaction list; NULL when the list is empty */
176 Transaction *tList_end; /* tail; deleteNode_tList() sets it to NULL when the list empties */
177 } HttpSessionData;
178
/* One search pattern: its text and length. The hi_js_search and hi_html_search tables declared below are arrays of these. */
179 typedef struct _HISearch
180 {
181 char *name;
182 int name_len; /* NOTE(review): presumably the length of name in bytes - confirm */
183
184 } HISearch;
185
/* A search pattern together with a numeric id. NOTE(review): presumably search_id is a HiSearchId / HtmlSearchId value - confirm. */
186 typedef struct _HiSearchToken
187 {
188 char *name;
189 int name_len;
190 int search_id;
191 } HiSearchToken;
192
/* Result record; the single global instance is hi_search_info. NOTE(review): presumably filled in by HI_SearchStrFound() with the matched pattern id, its offset and its length - confirm. */
193 typedef struct _HISearchInfo
194 {
195 int id;
196 int index;
197 int length;
198 } HISearchInfo;
199
200
/* NOTE(review): presumably selectors for which log buffer a copy routine fills - confirm; not used in this header. */
201 #define COPY_URI 1
202 #define COPY_HOSTNAME 2
203
/* Single-bit flags, so they can be OR-ed together. NOTE(review): presumably the bits of HttpSessionData.log_flags - confirm. */
204 #define HTTP_LOG_URI 0x0001
205 #define HTTP_LOG_HOSTNAME 0x0002
206 #define HTTP_LOG_GZIP_DATA 0x0004
207 #define HTTP_LOG_JSNORM_DATA 0x0008
208
/* Indices into hi_js_search; HI_LAST is the entry count and sizes that array. */
209 typedef enum _HiSearchIdEnum
210 {
211 HI_JAVASCRIPT = 0,
212 HI_LAST
213 } HiSearchId;
214
/* Indices into hi_html_search; HTML_LAST is the entry count and sizes that array. */
215 typedef enum _HtmlSearchIdEnum
216 {
217 HTML_JS = 0,
218 HTML_EMA,
219 HTML_VB,
220 HTML_LAST
221 } HtmlSearchId;
222
/* Search state shared across the HttpInspect sources. The two mpse handles are opaque void pointers here. */
223 extern void *hi_javascript_search_mpse;
224 extern void *hi_htmltype_search_mpse;
225 extern HISearch hi_js_search[HI_LAST]; /* one entry per HiSearchId */
226 extern HISearch hi_html_search[HTML_LAST]; /* one entry per HtmlSearchId */
227 extern HISearch *hi_current_search; /* global mutable state: NOTE(review): confirm it is never shared between packet threads */
228 extern HISearchInfo hi_search_info;
229
/* Functions implemented elsewhere in the preprocessor; only their declarations are visible here. */
230 void ApplyFlowDepth(HTTPINSPECT_CONF *, Packet *, HttpSessionData *, int, int, uint32_t);
231
232
233
234 int SnortHttpInspect(HTTPINSPECT_GLOBAL_CONF *GlobalConf, Packet *p);
235 int ProcessGlobalConf(HTTPINSPECT_GLOBAL_CONF *, char *, int, char **saveptr);
236 int PrintGlobalConf(HTTPINSPECT_GLOBAL_CONF *);
237 int ProcessUniqueServerConf(struct _SnortConfig *, HTTPINSPECT_GLOBAL_CONF *, char *, int, char **);
238 int HttpInspectInitializeGlobalConfig(HTTPINSPECT_GLOBAL_CONF *, char *, int);
239 HttpSessionData * SetNewHttpSessionData(Packet *, void *);
240 void FreeHttpSessionData(void *data);
/*
 * The five GetHttp*Data / GetHttpTrueIP accessors share one signature.
 * NOTE(review): presumably data is the session handle and buf / len / type are
 * outputs describing a buffer the session still owns - confirm the ownership
 * and lifetime of *buf before a caller keeps the pointer.
 */
241 int GetHttpTrueIP(void *data, uint8_t **buf, uint32_t *len, uint32_t *type);
242 int GetHttpGzipData(void *data, uint8_t **buf, uint32_t *len, uint32_t *type);
243 int GetHttpJSNormData(void *data, uint8_t **buf, uint32_t *len, uint32_t *type);
244 int GetHttpUriData(void *data, uint8_t **buf, uint32_t *len, uint32_t *type);
245 int GetHttpHostnameData(void *data, uint8_t **buf, uint32_t *len, uint32_t *type);
246 void HI_SearchInit(void);
247 void HI_SearchFree(void);
248 int HI_SearchStrFound(void *, void *, int , void *, void *);
249 int GetHttpFlowDepth(void *, uint32_t);
250 uint8_t isHttpRespPartialCont(void *data);
251 bool GetHttpFastBlockingStatus(); /* NOTE(review): the empty parameter list is not a prototype before C23; writing (void) would let the compiler reject stray arguments */
252
/**
 * Fetch the HttpInspect session data attached to a packet's session.
 *
 * @param p  packet to look up; it is dereferenced without a NULL check, so
 *           the caller must pass a valid packet.
 * @return   whatever the session API holds under PP_HTTPINSPECT for
 *           p->ssnptr, or NULL when the packet has no session pointer.
 */
static inline HttpSessionData * GetHttpSessionData(Packet *p)
{
    void *session = p->ssnptr;

    /* A packet with no session has no HttpInspect state to return. */
    return (session != NULL)
        ? (HttpSessionData *)session_api->get_application_data(session, PP_HTTPINSPECT)
        : NULL;
}
259
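/**
 * Release one Transaction node and update the HttpInspect memory accounting.
 *
 * Frees the node's true_ip address with sfaddr_free() when one is attached,
 * frees the node itself, and subtracts sizeof(Transaction) from
 * hi_stats.mem_used.
 *
 * A NULL node is ignored, as free() would: nothing is released and the
 * accounting is left untouched, rather than dereferencing NULL.
 *
 * The node is not unlinked here. The caller must already have removed it from
 * its list and must not use tPtr afterwards.
 *
 * @param tPtr  node to release, or NULL.
 */
static inline void freeTransactionNode(Transaction *tPtr)
{
    if (tPtr == NULL)
        return;

    if (tPtr->true_ip != NULL)
        sfaddr_free(tPtr->true_ip);

    free(tPtr);
    hi_stats.mem_used -= sizeof(Transaction);
}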
267
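/**
 * Remove and free the head of a session's Transaction list.
 *
 * The head pointer is advanced to the next node; when that empties the list,
 * the tail pointer is cleared too, so tList_end never keeps pointing at the
 * freed node. The removed node is released with freeTransactionNode().
 *
 * Calling this with a NULL session or an already empty list is a no-op
 * instead of a NULL dereference.
 *
 * hsd->tList_count is not changed here.
 *
 * @param hsd  session whose list head is dropped; may be NULL.
 */
static inline void deleteNode_tList(HttpSessionData *hsd)
{
    Transaction *head;

    if (hsd == NULL || hsd->tList_start == NULL)
        return;

    head = hsd->tList_start;
    hsd->tList_start = head->next;

    /* Removing the last node: drop the tail reference as well. */
    if (hsd->tList_start == NULL)
        hsd->tList_end = NULL;

    freeTransactionNode(head);
}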
276
/**
 * Return the true_ip recorded for the transaction a session is currently on.
 *
 * For a request (is_response == 0) the tail node is used when its tID equals
 * http_req_id; for a response (is_response == 1) the head node is used when
 * its tID equals http_resp_id.
 *
 * @param data  session handle given to the session API; may be NULL.
 * @return      the matching node's true_ip (which may itself be NULL), or
 *              NULL when data is NULL, the session has no HttpInspect data,
 *              the Transaction list is empty, or the ids do not match.
 *              The pointer still belongs to the list node; the caller must
 *              not free it.
 *
 * NOTE(review): tList_end is dereferenced after only tList_start has been
 * checked, which relies on both being non-NULL together - confirm every list
 * writer keeps that invariant.
 */
static inline sfaddr_t *GetTrueIPForSession(void *data)
{
    HttpSessionData *session;

    if (data == NULL)
        return NULL;

    session = (HttpSessionData *)session_api->get_application_data(data, PP_HTTPINSPECT);
    if (session == NULL || session->tList_start == NULL)
        return NULL;

    if (session->is_response == 0)
    {
        /* Request side: the newest transaction sits at the tail. */
        if (session->http_req_id == session->tList_end->tID)
            return session->tList_end->true_ip;
    }
    else if (session->is_response == 1)
    {
        /* Response side: the oldest outstanding transaction is the head. */
        if (session->http_resp_id == session->tList_start->tID)
            return session->tList_start->true_ip;
    }

    return NULL;
}
298
/**
 * End the zlib stream of a decompression state and return it to its start
 * condition.
 *
 * inflateEnd() is called on d_stream, then the init flags, byte counters,
 * format and stage are cleared. compr_depth, decompr_depth and bkt are left
 * as they are.
 *
 * @param ds  state to reset; NULL is ignored.
 *
 * NOTE(review): inflateEnd() runs whether or not inflate_init is set and its
 * return value is dropped - confirm d_stream is always zeroed or initialised
 * before the first reset.
 */
static inline void ResetGzipState(DECOMPRESS_STATE *ds)
{
    if (ds != NULL)
    {
        /* Release zlib's internal state before the bookkeeping is cleared. */
        inflateEnd(&ds->d_stream);

        ds->stage = HTTP_DECOMP_START;
        ds->decompress_data = 0;
        ds->compress_fmt = 0;
        ds->decompr_bytes_read = 0;
        ds->compr_bytes_read = 0;
        ds->deflate_initialized = false;
        ds->inflate_init = 0;
    }
}
314
/**
 * Clear the per-response tracking fields of an HTTP_RESP_STATE.
 *
 * Zeroes inspect_body, inspect_reassembled, last_pkt_contlen,
 * last_pkt_chunked, next_seq, chunk_remainder, data_extracted and max_seq.
 * The other members of the structure (flow_depth_excd, eoh_found,
 * look_for_partial_content, chunk_len_state) keep their values.
 *
 * @param ds  response state to reset; NULL is ignored.
 *
 * NOTE(review): confirm the four untouched members are meant to survive a
 * reset, since stale values would carry into the next response.
 */
static inline void ResetRespState(HTTP_RESP_STATE *ds)
{
    if (ds != NULL)
    {
        /* Inspection flags. */
        ds->inspect_body = 0;
        ds->inspect_reassembled = 0;
        ds->last_pkt_contlen = 0;
        ds->last_pkt_chunked = 0;

        /* Sequence and length tracking. */
        ds->next_seq = 0;
        ds->max_seq = 0;
        ds->chunk_remainder = 0;
        ds->data_extracted = 0;
    }
}
328
/**
 * Give a session its URI / hostname logging buffers, if it has none yet.
 *
 * One bucket is taken from http_mempool and one HTTP_LOG_STATE is
 * calloc()-ed. The bucket's data area is shared by both buffers: the URI area
 * starts at the beginning and the hostname area MAX_URI_EXTRACTED bytes in.
 * If the calloc() fails the bucket goes back to the pool.
 *
 * @param hsd     session data; dereferenced without a NULL check.
 * @param scbPtr  stored in the bucket's scbPtr field.
 * @return        0 when log_state already existed or was set up,
 *                -1 when the bucket or the state could not be allocated.
 *
 * NOTE(review): nothing here checks the bucket's size. Writers must keep the
 * URI within MAX_URI_EXTRACTED bytes, and the bucket must extend far enough
 * past that offset for the hostname - confirm against the http_mempool setup.
 */
static inline int SetLogBuffers(HttpSessionData *hsd, void* scbPtr)
{
    MemBucket *bucket;
    HTTP_LOG_STATE *state;

    /* Already set up: nothing to allocate. */
    if (hsd->log_state != NULL)
        return 0;

    bucket = mempool_alloc(http_mempool);
    if (bucket == NULL)
        return -1;

    state = (HTTP_LOG_STATE *)calloc(1, sizeof(HTTP_LOG_STATE));
    hsd->log_state = state;
    if (state == NULL)
    {
        /* Hand the bucket back so a failed setup does not drain the pool. */
        mempool_free(http_mempool, bucket);
        return -1;
    }

    bucket->scbPtr = scbPtr;
    state->log_bucket = bucket;
    state->uri_bytes = 0;
    state->hostname_bytes = 0;
    state->uri_extracted = (uint8_t *)bucket->data;
    state->hostname_extracted = (uint8_t *)bucket->data + MAX_URI_EXTRACTED;

    return 0;
}
360
/**
 * Record the length of the data held in the global HttpDecodeBuf.
 *
 * Only the len field is written; the buffer contents are not touched.
 *
 * @param altLen  new length value.
 *
 * NOTE(review): altLen is stored without being compared to the buffer's
 * capacity, which is not visible in this header - confirm callers bound it.
 */
static inline void SetHttpDecode(uint16_t altLen)
{
    DataBuffer *decode_buf = &HttpDecodeBuf;

    decode_buf->len = altLen;
}
365
366
367 #endif