    1 /****************************************************************************
    2  *
    3  * Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
    4  * Copyright (C) 2003-2013 Sourcefire, Inc.
    5  *
    6  * This program is free software; you can redistribute it and/or modify
    7  * it under the terms of the GNU General Public License Version 2 as
    8  * published by the Free Software Foundation.  You may not use, modify or
    9  * distribute this program under any other version of the GNU General
   10  * Public License.
   11  *
   12  * This program is distributed in the hope that it will be useful,
   13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
   14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   15  * GNU General Public License for more details.
   16  *
   17  * You should have received a copy of the GNU General Public License
   18  * along with this program; if not, write to the Free Software
   19  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
   20  *
   21  ****************************************************************************/
   22 
   23 #ifndef __SNORT_HTTPINSPECT_H__
   24 #define __SNORT_HTTPINSPECT_H__
   25 
   26 #include "decode.h"
   27 #include "session_api.h"
   28 #include "stream_api.h"
   29 #include "hi_ui_config.h"
   30 #include "util_utf.h"
   31 #include "detection_util.h"
   32 #include "mempool.h"
   33 #include "str_search.h"
   34 #include "util_jsnorm.h"
   35 
   36 #include <zlib.h>
   37 
   38 extern MemPool *http_mempool;
   39 extern MemPool *mime_decode_mempool;
   40 extern MemPool *mime_log_mempool;
   41 
   42 extern DataBuffer HttpDecodeBuf;
   43 
   44 #ifdef PERF_PROFILING
   45 extern PreprocStats hi2PerfStats;
   46 extern PreprocStats hi2InitPerfStats;
   47 extern PreprocStats hi2PayloadPerfStats;
   48 extern PreprocStats hi2PseudoPerfStats;
   49 #endif
   50 
   51 /**
   52 **  The definition of the configuration separators in the snort.conf
   53 **  configure line.
   54 */
   55 #define CONF_SEPARATORS " \t\n\r"
   56 #define MAX_METHOD_LEN  256
   57 
   58 /*
   59 **  These are the definitions of the parser section delimiting
   60 **  keywords to configure HttpInspect.  When one of these keywords
   61 **  are seen, we begin a new section.
   62 */
   63 #define GLOBAL        "global"
   64 #define GLOBAL_SERVER "global_server"
   65 #define SERVER        "server"
   66 #define CLIENT        "client"
   67 
   68 #define DEFAULT_HTTP_MEMCAP 150994944 /* 144 MB */
   69 #define MIN_HTTP_MEMCAP     2304
   70 #define MAX_HTTP_MEMCAP     603979776 /* 576 MB */
   71 #define MAX_URI_EXTRACTED   2048
   72 #define MAX_HOSTNAME        256
   73 
   74 
   75 #define DEFAULT_MAX_GZIP_MEM 838860
   76 #define GZIP_MEM_MIN    3276
   77 #define MAX_GZIP_DEPTH    65535
   78 #define DEFAULT_COMP_DEPTH 1460
   79 #define DEFAULT_DECOMP_DEPTH 2920
   80 
   81 #define DEFLATE_RAW_WBITS -15
   82 #define DEFLATE_WBITS   15
   83 #define GZIP_WBITS      31
   84 
   85 #define XFF_MAX_PIPELINE_REQ 255
   86 
   87 
   88 #define CONTENT_NONE    0
   89 #define PARTIAL_CONTENT 1
   90 #define FULL_CONTENT    2
   91 
/*
**  Bit flags naming the Content-Encoding detected on a response body.
**  The values are distinct bits, not a sequence, so they can be OR'd
**  together; presumably they land in DECOMPRESS_STATE.compress_fmt
**  (a uint16_t, cleared to 0 by ResetGzipState()) — confirm at the
**  point where the encoding is parsed.
**
**  NOTE(review): the typedef name starts with an underscore followed by
**  an uppercase letter, which is reserved for the implementation in C.
**  Renaming it would change the header's interface, so it is left as is.
*/
typedef enum _HttpRespCompressType
{
    HTTP_RESP_COMPRESS_TYPE__GZIP     = 0x00000001,   /* bit 0: gzip    */
    HTTP_RESP_COMPRESS_TYPE__DEFLATE  = 0x00000002    /* bit 1: deflate */

} _HttpRespCompressType;
   98 
/*
**  Where a response body's decompression currently stands.
**  ResetGzipState() puts the state machine back to HTTP_DECOMP_START;
**  the transitions to MID/FIN happen in the .c file, outside this header.
*/
typedef enum _DecompressStage
{
    HTTP_DECOMP_START,   /* nothing inflated yet (value after a reset) */
    HTTP_DECOMP_MID,     /* decompression in progress */
    HTTP_DECOMP_FIN      /* decompression finished */
} DecompressStage;
  105 
/*
**  Per-session state for inflating a compressed (gzip / raw or zlib
**  deflate) HTTP response body with zlib.
**
**  ResetGzipState() below calls inflateEnd() on d_stream and zeroes every
**  field EXCEPT compr_depth, decompr_depth and bkt, which survive a reset
**  (presumably configured limits and the owning mempool bucket — confirm
**  against the allocation site in the .c file).
*/
typedef struct s_DECOMPRESS_STATE
{
    uint8_t inflate_init;        /* non-zero once inflateInit*() ran; cleared by ResetGzipState() */
    uint16_t compress_fmt;       /* presumably HTTP_RESP_COMPRESS_TYPE__* bits; cleared to 0 */
    uint8_t decompress_data;     /* cleared to 0 by ResetGzipState() */
    int compr_bytes_read;        /* running count, reset to 0 */
    int decompr_bytes_read;      /* running count, reset to 0 */
    int compr_depth;             /* NOT touched by ResetGzipState() */
    int decompr_depth;           /* NOT touched by ResetGzipState() */
    z_stream d_stream;           /* zlib stream; inflateEnd() is applied to it on reset */
    MemBucket *bkt;              /* mempool bucket; NOT released by ResetGzipState() */
    bool deflate_initialized;    /* cleared to false by ResetGzipState() */
    DecompressStage stage;       /* reset to HTTP_DECOMP_START */
} DECOMPRESS_STATE;
  120 
/*
**  Parser state for a chunked transfer-coding length field.  Presumably
**  stored in HTTP_RESP_STATE.chunk_len_state (declared as uint8_t, not
**  as this enum) — confirm in the chunk parser.
*/
typedef enum _ChunkLenState
{
    CHUNK_LEN_DEFAULT = 0,     /* no partial chunk-length pending */
    CHUNK_LEN_INCOMPLETE       /* chunk-length field was split across packets */
} ChunkLenState;
  126 
/*
**  Per-session response-side bookkeeping (body inspection, content-length
**  and chunk tracking, stream sequence numbers).
**
**  ResetRespState() below zeroes inspect_body, inspect_reassembled,
**  last_pkt_contlen, last_pkt_chunked, next_seq, chunk_remainder,
**  data_extracted and max_seq.  It does NOT touch flow_depth_excd,
**  eoh_found, look_for_partial_content or chunk_len_state — confirm
**  whether those are meant to persist across a reset.
*/
typedef struct s_HTTP_RESP_STATE
{
    uint8_t inspect_body;               /* reset to 0 */
    uint8_t inspect_reassembled;        /* reset to 0 */
    uint8_t last_pkt_contlen;           /* reset to 0 */
    uint8_t last_pkt_chunked;           /* reset to 0 */
    uint32_t next_seq;                  /* reset to 0 */
    uint32_t chunk_remainder;           /* reset to 0 */
    int data_extracted;                 /* reset to 0 */
    uint32_t max_seq;                   /* reset to 0 */
    bool flow_depth_excd;               /* NOT reset by ResetRespState() */
    bool eoh_found;                     /* NOT reset by ResetRespState() */
    uint8_t look_for_partial_content;   /* NOT reset; presumably CONTENT_NONE/PARTIAL_CONTENT/FULL_CONTENT */
    uint8_t chunk_len_state;            /* NOT reset; presumably a ChunkLenState value */
}HTTP_RESP_STATE;
  142 
/*
**  Buffers for the URI and Host header captured for logging.
**
**  Populated lazily by SetLogBuffers(): log_bucket comes from http_mempool,
**  uri_extracted points at the start of bucket->data and hostname_extracted
**  at bucket->data + MAX_URI_EXTRACTED, with both byte counts starting at 0.
**  Nothing in this header bounds writes to these pointers; the bucket must
**  hold at least MAX_URI_EXTRACTED + MAX_HOSTNAME (2304) bytes, which is
**  exactly MIN_HTTP_MEMCAP — presumably the bucket size, confirm against
**  the mempool initialisation.
*/
typedef struct s_HTTP_LOG_STATE
{
    uint32_t uri_bytes;          /* bytes currently stored at uri_extracted */
    uint32_t hostname_bytes;     /* bytes currently stored at hostname_extracted */
    MemBucket *log_bucket;       /* http_mempool bucket backing both buffers */
    uint8_t *uri_extracted;      /* == log_bucket->data */
    uint8_t *hostname_extracted; /* == log_bucket->data + MAX_URI_EXTRACTED */
}HTTP_LOG_STATE;
  151 
/*
**  One node of the per-session request/response list kept in
**  HttpSessionData (tList_start .. tList_end), singly linked via next.
**  Owns true_ip: freeTransactionNode() releases it with sfaddr_free()
**  and subtracts sizeof(Transaction) from hi_stats.mem_used.
*/
typedef struct _Transaction
{
   uint8_t tID;                 /* matched against HttpSessionData.http_req_id / http_resp_id */
   sfaddr_t *true_ip;           /* client address from X-Forwarded-For style headers; may be NULL */
   struct _Transaction *next;   /* next node, NULL at the tail */
}Transaction;
  158 
/*
**  HttpInspect's per-session application data, registered with the
**  session layer under PP_HTTPINSPECT and fetched via
**  session_api->get_application_data() (see GetHttpSessionData()).
**
**  The transaction list is a FIFO: GetTrueIPForSession() reads the tail
**  (tList_end) for requests and the head (tList_start) for responses, and
**  deleteNode_tList() pops the head.  The code relies on tList_end being
**  non-NULL whenever tList_start is; deleteNode_tList() maintains that.
*/
typedef struct _HttpSessionData
{
    uint64_t event_flags;
    HTTP_RESP_STATE resp_state;          /* embedded, not a pointer */
    DECOMPRESS_STATE *decomp_state;      /* NULL until a compressed body is seen (presumably) */
    HTTP_LOG_STATE *log_state;           /* NULL until SetLogBuffers() succeeds */
    decode_utf_state_t utf_state;
    uint8_t log_flags;                   /* presumably HTTP_LOG_* bits (0x01..0x08 fit) */
    uint8_t cli_small_chunk_count;
    uint8_t srv_small_chunk_count;
    uint8_t http_req_id;                 /* compared with tList_end->tID for requests */
    uint8_t http_resp_id;                /* compared with tList_start->tID for responses */
    uint8_t is_response;                 /* 0 = request side, 1 = response side */
    uint8_t tList_count;                 /* uint8_t; XFF_MAX_PIPELINE_REQ is 255, consistent with that */
    MimeState *mime_ssn;
    fd_session_p_t fd_state;
    Transaction *tList_start;            /* list head, NULL when empty */
    Transaction *tList_end;              /* list tail, NULL when empty */
} HttpSessionData;
  178 
/*
**  A search pattern (not NUL-terminated as far as this header shows:
**  name_len carries the length).  hi_js_search[] and hi_html_search[]
**  are arrays of these, sized by HI_LAST and HTML_LAST.
*/
typedef struct _HISearch
{
    char *name;      /* pattern bytes */
    int   name_len;  /* pattern length in bytes */

} HISearch;
  185 
/*
**  A search pattern paired with the id reported when it matches.
*/
typedef struct _HiSearchToken
{
    char *name;       /* pattern bytes */
    int   name_len;   /* pattern length in bytes */
    int   search_id;  /* id handed back on a match (presumably a HiSearchId / HtmlSearchId) */
} HiSearchToken;
  192 
/*
**  Result of the most recent multi-pattern search; the single global
**  instance is hi_search_info (declared below).
*/
typedef struct _HISearchInfo
{
    int id;      /* id of the pattern that matched */
    int index;   /* offset of the match in the searched buffer (presumably) */
    int length;  /* length of the matched pattern (presumably) */
} HISearchInfo;
  199 
  200 
  201 #define COPY_URI 1
  202 #define COPY_HOSTNAME 2
  203 
  204 #define HTTP_LOG_URI        0x0001
  205 #define HTTP_LOG_HOSTNAME   0x0002
  206 #define HTTP_LOG_GZIP_DATA  0x0004
  207 #define HTTP_LOG_JSNORM_DATA  0x0008
  208 
/*
**  Pattern ids for hi_js_search[].  HI_LAST is not a pattern; it is the
**  element count used to size that array.
*/
typedef enum _HiSearchIdEnum
{
    HI_JAVASCRIPT = 0,
    HI_LAST                 /* array size, keep last */
} HiSearchId;
  214 
/*
**  Pattern ids for hi_html_search[].  HTML_LAST is not a pattern; it is
**  the element count used to size that array.
*/
typedef enum _HtmlSearchIdEnum
{
    HTML_JS = 0,
    HTML_EMA,
    HTML_VB,
    HTML_LAST               /* array size, keep last */
} HtmlSearchId;
  222 
  223 extern void *hi_javascript_search_mpse;
  224 extern void *hi_htmltype_search_mpse;
  225 extern HISearch hi_js_search[HI_LAST];
  226 extern HISearch hi_html_search[HTML_LAST];
  227 extern HISearch *hi_current_search;
  228 extern HISearchInfo hi_search_info;
  229 
  230 void ApplyFlowDepth(HTTPINSPECT_CONF *, Packet *, HttpSessionData *, int, int, uint32_t);
  231 
  232 
  233 
  234 int SnortHttpInspect(HTTPINSPECT_GLOBAL_CONF *GlobalConf, Packet *p);
  235 int ProcessGlobalConf(HTTPINSPECT_GLOBAL_CONF *, char *, int, char **saveptr);
  236 int PrintGlobalConf(HTTPINSPECT_GLOBAL_CONF *);
  237 int ProcessUniqueServerConf(struct _SnortConfig *, HTTPINSPECT_GLOBAL_CONF *, char *, int, char **);
  238 int HttpInspectInitializeGlobalConfig(HTTPINSPECT_GLOBAL_CONF *, char *, int);
  239 HttpSessionData * SetNewHttpSessionData(Packet *, void *);
  240 void FreeHttpSessionData(void *data);
  241 int GetHttpTrueIP(void *data, uint8_t **buf, uint32_t *len, uint32_t *type);
  242 int GetHttpGzipData(void *data, uint8_t **buf, uint32_t *len, uint32_t *type);
  243 int GetHttpJSNormData(void *data, uint8_t **buf, uint32_t *len, uint32_t *type);
  244 int GetHttpUriData(void *data, uint8_t **buf, uint32_t *len, uint32_t *type);
  245 int GetHttpHostnameData(void *data, uint8_t **buf, uint32_t *len, uint32_t *type);
  246 void HI_SearchInit(void);
  247 void HI_SearchFree(void);
  248 int HI_SearchStrFound(void *, void *, int , void *, void *);
  249 int GetHttpFlowDepth(void *, uint32_t);
  250 uint8_t isHttpRespPartialCont(void *data);
  251 bool GetHttpFastBlockingStatus();
  252 
/*
**  Fetch the HttpInspect application data hanging off the packet's
**  session.
**
**  @param p  packet; must be non-NULL (p itself is not checked here).
**  @return   the HttpSessionData registered under PP_HTTPINSPECT, or NULL
**            when the packet has no session or nothing is registered.
*/
static inline HttpSessionData * GetHttpSessionData(Packet *p)
{
    void *ssn = p->ssnptr;

    if (ssn != NULL)
        return (HttpSessionData *)session_api->get_application_data(ssn, PP_HTTPINSPECT);

    return NULL;
}
  259 
/*
**  Release one Transaction node together with the sfaddr_t it owns and
**  account for the freed node in hi_stats.mem_used.
**
**  @param tPtr  node to free; must be non-NULL and already unlinked from
**               the session's list (this function does no list surgery).
*/
static inline void freeTransactionNode(Transaction *tPtr)
{
    sfaddr_t *ip = tPtr->true_ip;

    if (ip != NULL)
        sfaddr_free(ip);

    /* Only the node itself is counted; the sfaddr_t is not part of
     * mem_used as far as this header shows. */
    hi_stats.mem_used -= sizeof(Transaction);
    free(tPtr);
}
  267 
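/*
**  Pop and free the head of the session's transaction list, keeping
**  tList_end consistent (NULL once the list is empty).
**
**  @param hsd  session data; a NULL pointer or an empty list is a no-op.
**              The original dereferenced tList_start unconditionally, so
**              a call on an empty list was a NULL dereference.
**
**  tList_count is not adjusted here; presumably the caller maintains it
**  — confirm before relying on it.
*/
static inline void deleteNode_tList(HttpSessionData *hsd)
{
    Transaction *head;

    if (hsd == NULL || hsd->tList_start == NULL)
        return;

    head = hsd->tList_start;
    hsd->tList_start = head->next;

    /* Removing the last node must also clear the tail pointer, otherwise
     * GetTrueIPForSession() could read a freed node through tList_end. */
    if (hsd->tList_start == NULL)
        hsd->tList_end = NULL;

    freeTransactionNode(head);
}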
  276 
/*
**  Return the "true" client address recorded for the current transaction
**  of a session, if the transaction ids line up.
**
**  On the request side (is_response == 0) the tail of the list is
**  consulted and must carry http_req_id; on the response side
**  (is_response == 1) the head is consulted and must carry http_resp_id.
**
**  @param data  session handle accepted by session_api->get_application_data.
**  @return      the node's true_ip (may itself be NULL), or NULL when there
**               is no session data, the list is empty, is_response is
**               neither 0 nor 1, or the ids do not match.
**
**  Relies on tList_end being non-NULL whenever tList_start is; the list
**  helpers in this header keep that invariant — confirm for other writers.
*/
static inline sfaddr_t *GetTrueIPForSession(void *data)
{
    HttpSessionData *hsd;
    Transaction *txn;

    if (data == NULL)
        return NULL;

    hsd = (HttpSessionData *)session_api->get_application_data(data, PP_HTTPINSPECT);
    if (hsd == NULL || hsd->tList_start == NULL)
        return NULL;

    if (hsd->is_response == 0)
    {
        txn = hsd->tList_end;
        if (hsd->http_req_id != txn->tID)
            return NULL;
    }
    else if (hsd->is_response == 1)
    {
        txn = hsd->tList_start;
        if (hsd->http_resp_id != txn->tID)
            return NULL;
    }
    else
    {
        return NULL;
    }

    return txn->true_ip;
}
  298 
/*
**  Tear down the zlib stream and return the decompression bookkeeping to
**  its initial values so the next response body can start fresh.
**
**  @param ds  decompression state; NULL is accepted and ignored.
**
**  Not touched here: compr_depth, decompr_depth and bkt.  inflateEnd() is
**  called even when inflate_init is 0; zlib returns Z_STREAM_ERROR without
**  freeing anything for a stream whose zalloc/zfree are zero, so this is
**  only safe if d_stream was zero-filled when ds was allocated — TODO
**  confirm at the allocation site.
*/
static inline void ResetGzipState(DECOMPRESS_STATE *ds)
{
    if (ds == NULL)
        return;

    /* Return value deliberately ignored: failure means there was nothing
     * to release. */
    (void)inflateEnd(&ds->d_stream);

    ds->stage              = HTTP_DECOMP_START;
    ds->inflate_init       = 0;
    ds->deflate_initialized = false;
    ds->compress_fmt       = 0;
    ds->decompress_data    = 0;
    ds->compr_bytes_read   = 0;
    ds->decompr_bytes_read = 0;
}
  314 
/*
**  Clear the per-response counters and flags ahead of the next response.
**
**  @param ds  response state; NULL is accepted and ignored.
**
**  NOTE(review): flow_depth_excd, eoh_found, look_for_partial_content and
**  chunk_len_state are left as they were.  Whether that is intentional
**  (state that must outlive a single response) is not visible from this
**  header — confirm before adding them.
*/
static inline void ResetRespState(HTTP_RESP_STATE *ds)
{
    if (ds == NULL)
        return;

    /* body inspection flags */
    ds->inspect_body        = 0;
    ds->inspect_reassembled = 0;
    ds->last_pkt_contlen    = 0;
    ds->last_pkt_chunked    = 0;

    /* sequence / chunk tracking */
    ds->next_seq        = 0;
    ds->max_seq         = 0;
    ds->chunk_remainder = 0;
    ds->data_extracted  = 0;
}
  328 
/*
**  Lazily allocate the URI / hostname logging buffers for a session.
**
**  @param hsd     session data; must be non-NULL.
**  @param scbPtr  opaque owner handle stored in the bucket's scbPtr.
**  @return        0 when log_state is (or already was) set up, -1 when
**                 either the mempool bucket or the HTTP_LOG_STATE could
**                 not be allocated.  On -1 nothing is left allocated.
**
**  Buffer layout inside the bucket: URI at data[0 .. MAX_URI_EXTRACTED),
**  hostname at data[MAX_URI_EXTRACTED ..).  Nothing here checks the
**  bucket is large enough; MIN_HTTP_MEMCAP (2304) equals
**  MAX_URI_EXTRACTED + MAX_HOSTNAME, which suggests that is the bucket
**  size — confirm against the mempool initialisation.
*/
static inline int SetLogBuffers(HttpSessionData *hsd, void* scbPtr)
{
    MemBucket *bkt;
    HTTP_LOG_STATE *ls;

    /* Already set up on an earlier call: nothing to do. */
    if (hsd->log_state != NULL)
        return 0;

    bkt = mempool_alloc(http_mempool);
    if (bkt == NULL)
        return -1;

    /* calloc zeroes the counters; they are set explicitly anyway for
     * readability. */
    ls = (HTTP_LOG_STATE *)calloc(1, sizeof(*ls));
    if (ls == NULL)
    {
        /* Give the bucket back so a failed call leaks nothing. */
        mempool_free(http_mempool, bkt);
        return -1;
    }

    bkt->scbPtr            = scbPtr;
    ls->log_bucket         = bkt;
    ls->uri_bytes          = 0;
    ls->hostname_bytes     = 0;
    ls->uri_extracted      = (uint8_t *)bkt->data;
    ls->hostname_extracted = (uint8_t *)bkt->data + MAX_URI_EXTRACTED;

    hsd->log_state = ls;
    return 0;
}
  360 
/*
**  Publish the number of valid bytes in the shared HttpDecodeBuf.
**
**  @param altLen  byte count to record in HttpDecodeBuf.len.
**
**  NOTE(review): no capacity check is made against the underlying buffer
**  here; callers are responsible for passing a length no larger than what
**  they actually wrote into HttpDecodeBuf.data — confirm at each call site.
*/
static inline void SetHttpDecode(uint16_t altLen)
{
    DataBuffer *buf = &HttpDecodeBuf;

    buf->len = altLen;
}
  365 
  366 
  367 #endif