/* $Id$ */
/*
** Copyright (C) 2005-2010 Sourcefire, Inc.
** AUTHOR: Steven Sturges
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation. You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* stream_api.h
 *
 * Purpose: Definition of the StreamAPI. To be used as a common interface
 *          for TCP (and later UDP & ICMP) Stream access for other
 *          preprocessors and detection plugins.
 *
 * Arguments:
 *
 * Effect:
 *
 * Comments:
 *
 * Any comments?
 *
 */
#ifndef STREAM_API_H_
#define STREAM_API_H_

#include <sys/types.h>

#include "ipv6_port.h"
#include "preprocids.h" /* IDs are used when setting preproc specific data */
#include "bitop.h"
#include "sf_snort_packet.h"
#include "sfPolicy.h"

/* Flag for StreamAPI.ignore_session(): presumably the "permanent" ignore
 * mentioned in that function's comment (entry is never aged out) --
 * confirm against the Stream5 implementation. */
#define IGNORE_FLAG_ALWAYS 0x01

/* Return values of StreamAPI.missing_in_reassembled(): one bit per side
 * of the reassembled buffer that has a gap. */
#define SSN_MISSING_NONE 0x00
#define SSN_MISSING_BEFORE 0x01
#define SSN_MISSING_AFTER 0x02
#define SSN_MISSING_BOTH (SSN_MISSING_BEFORE | SSN_MISSING_AFTER)

/* Direction values used for the char "Direction" arguments across the API.
 * CLIENT/SENDER and SERVER/RESPONDER are aliases for the same bits; BOTH
 * is their OR. */
#define SSN_DIR_NONE 0x0
#define SSN_DIR_CLIENT 0x1
#define SSN_DIR_SENDER 0x1
#define SSN_DIR_SERVER 0x2
#define SSN_DIR_RESPONDER 0x2
#define SSN_DIR_BOTH 0x03

/* Session flag bits, read with StreamAPI.get_session_flags() and ORed in
 * with StreamAPI.set_session_flags(). The CLIENT/SENDER and
 * SERVER/RESPONDER pairs are aliases. */
#define SSNFLAG_SEEN_CLIENT 0x00000001
#define SSNFLAG_SEEN_SENDER 0x00000001
#define SSNFLAG_SEEN_SERVER 0x00000002
#define SSNFLAG_SEEN_RESPONDER 0x00000002
#define SSNFLAG_ESTABLISHED 0x00000004
#define SSNFLAG_NMAP 0x00000008
#define SSNFLAG_ECN_CLIENT_QUERY 0x00000010
#define SSNFLAG_ECN_SERVER_REPLY 0x00000020
#define SSNFLAG_HTTP_1_1 0x00000040 /* has stream seen HTTP 1.1? */
#define SSNFLAG_SEEN_PMATCH 0x00000080 /* seen pattern match? */
#define SSNFLAG_MIDSTREAM 0x00000100 /* picked up midstream */
/* NOTE(review): the two comments below contradict the macro names
 * (CLIENT_FIN is annotated "server sent fin" and vice versa). Verify in
 * Stream5 which side actually sets each bit before relying on either
 * reading. */
#define SSNFLAG_CLIENT_FIN 0x00000200 /* server sent fin */
#define SSNFLAG_SERVER_FIN 0x00000400 /* client sent fin */
#define SSNFLAG_CLIENT_PKT 0x00000800 /* packet is from the client */
#define SSNFLAG_SERVER_PKT 0x00001000 /* packet is from the server */
#define SSNFLAG_COUNTED_INITIALIZE 0x00002000
#define SSNFLAG_COUNTED_ESTABLISH 0x00004000
#define SSNFLAG_COUNTED_CLOSING 0x00008000
#define SSNFLAG_TIMEDOUT 0x00010000
#define SSNFLAG_PRUNED 0x00020000
#define SSNFLAG_RESET 0x00040000
#define SSNFLAG_DROP_CLIENT 0x00080000
#define SSNFLAG_DROP_SERVER 0x00100000
#define SSNFLAG_LOGGED_QUEUE_FULL 0x00200000
#define SSNFLAG_ALL 0xFFFFFFFF /* all that and a bag of chips */
#define SSNFLAG_NONE 0x00000000 /* nothing, an MT bag of chips */

/* Reassembly flush policies: the uint8_t "Flush Policy" argument of
 * StreamAPI.set_reassembly() and the value returned by
 * StreamAPI.get_reassembly_flush_policy(). */
#define STREAM_FLPOLICY_NONE 0x00
#define STREAM_FLPOLICY_FOOTPRINT 0x01 /* size-based footprint flush */
#define STREAM_FLPOLICY_LOGICAL 0x02 /* queued bytes-based flush */
#define STREAM_FLPOLICY_RESPONSE 0x03 /* flush when we see response */
#define STREAM_FLPOLICY_SLIDING_WINDOW 0x04 /* flush on sliding window */
#if 0
#define STREAM_FLPOLICY_CONSUMED 0x05 /* purge consumed bytes */
#endif
#define STREAM_FLPOLICY_IGNORE 0x06 /* ignore this traffic */

/* Highest policy value. Note that 0x05 is a hole while CONSUMED is
 * compiled out above, so a range check against MAX alone does not reject
 * it. */
#define STREAM_FLPOLICY_MAX STREAM_FLPOLICY_IGNORE

/* Presumably the char "Flags" argument of StreamAPI.set_reassembly():
 * replace the current policy, or add to it -- inferred from the names,
 * confirm against Stream5. */
#define STREAM_FLPOLICY_SET_ABSOLUTE 0x01
#define STREAM_FLPOLICY_SET_APPEND 0x02

#define UNKNOWN_PORT 0

/* Value a StreamAPI.version field is expected to hold for this layout of
 * the struct. A consumer built against this header should compare the
 * runtime value before dereferencing any of the function pointers, since
 * a different version implies a different member layout. */
#define STREAM_API_VERSION5 5
/* Destructor for application data registered through
 * StreamAPI.set_application_data(); receives the stored data pointer.
 * Presumably invoked by the stream layer when the session goes away or
 * the data is replaced -- confirm against Stream5 before relying on the
 * exact timing. */
typedef void (*StreamAppDataFree)(void *);

/* Callback for StreamAPI.traverse_reassembled(): invoked once per packet
 * of the reassembled stream. Returning non-zero ends the traversal.
 * The packet pointer is raw packet memory; bound any read by the
 * pcap header's captured length rather than by on-the-wire fields. */
typedef int (*PacketIterator)
(
    struct pcap_pkthdr *,
    uint8_t *, /* pkt pointer */
    void * /* user-defined data pointer */
);

/* Callback for StreamAPI.traverse_stream_segments(): invoked once per
 * segment of the reassembled stream, with the segment's TCP sequence
 * number. Returning non-zero ends the traversal. Same bounds caveat as
 * PacketIterator applies to the pkt and payload pointers. */
typedef int (*StreamSegmentIterator)
(
    struct pcap_pkthdr *,
    uint8_t *, /* pkt pointer */
    uint8_t *, /* payload pointer */
    uint32_t, /* sequence number */
    void * /* user-defined data pointer */
);
/* Per-session flowbits storage returned by StreamAPI.get_flow_data().
 * boFlowbits is the BITOP handle; flowb is its backing bit array.
 * NOTE(review): flowb[1] is a one-element placeholder for a
 * variable-length array, so sizeof(StreamFlowData) does not describe
 * the real allocation -- the allocator (presumably in Stream5) decides
 * the actual size; confirm before computing offsets from it. A C99
 * flexible array member would be the modern idiom, but changing it
 * alters sizeof for every consumer, so it is left as is. */
typedef struct _StreamFlowData
{
    BITOP boFlowbits;
    unsigned char flowb[1];
} StreamFlowData;
/* Function table through which other preprocessors and detection plugins
 * reach the stream reassembler. It is filled in by Stream5 (or Stream4)
 * and published via the stream_api pointer declared below. "Session Ptr"
 * in the member comments is the opaque void * session handle the stream
 * layer hands out; "Direction" is one of the SSN_DIR_* values.
 *
 * Callers should check version against STREAM_API_VERSION5 before using
 * any member: the layout of this struct is the contract, and several
 * members are compiled in only under TARGET_BASED. */
typedef struct _stream_api
{
    /* Layout/version stamp; expected to equal STREAM_API_VERSION5 for
     * this header. */
    int version;

    /*
     * Drop on Inline Alerts for Midstream pickups
     *
     * Parameters
     *,
     * Returns
     *     0 if not alerting
     *     !0 if alerting
     */
    int (*alert_inline_midstream_drops)(void);

    /* Set direction of session
     *
     * Parameters:
     *     Session Ptr
     *     New Direction (SSN_DIR_*)
     *     IP
     *     Port
     */
    void (*update_direction)(void *, char, snort_ip_p, uint16_t );

    /* Get direction of packet
     *
     * Parameters:
     *     Packet
     *
     * Returns
     *     direction as a uint32_t -- likely SSNFLAG_CLIENT_PKT or
     *     SSNFLAG_SERVER_PKT given those flags' comments; confirm.
     */
    uint32_t (*get_packet_direction)(SFSnortPacket *);

    /* Stop inspection for session, up to count bytes (-1 to ignore
     * for life or until resume).
     *
     * If response flag is set, automatically resume inspection up to
     * count bytes when a data packet in the other direction is seen.
     *
     * Also marks the packet to be ignored.
     *
     * This removes the session (or part of it) from detection, so a
     * caller should only do it for traffic it has positively identified.
     *
     * Parameters
     *     Session Ptr
     *     Packet
     *     Direction
     *     Bytes (int32_t; -1 = unbounded)
     *     Response Flag
     */
    void (*stop_inspection)(void *, SFSnortPacket *, char, int32_t, int);

    /* Turn off inspection for potential session.
     * Adds session identifiers to a hash table.
     * TCP only.
     *
     * Parameters
     *     IP addr #1
     *     Port #1
     *     IP addr #2
     *     Port #2
     *     Protocol
     *     Direction
     *     Flags (permanent) -- presumably IGNORE_FLAG_ALWAYS; confirm
     *
     * Returns
     *     0 on success
     *     -1 on failure
     */
    int (*ignore_session)(snort_ip_p, uint16_t, snort_ip_p, uint16_t,
                          char, char, char);

    /* Resume inspection for session.
     *
     * Parameters
     *     Session Ptr
     *     Direction
     */
    void (*resume_inspection)(void *, char);

    /* Drop traffic arriving on session.
     *
     * Parameters
     *     Session Ptr
     *     Direction
     */
    void (*drop_traffic)(void *, char);

    /* Drop retransmitted packet arriving on session.
     *
     * Parameters
     *     Packet
     */
    void (*drop_packet)(SFSnortPacket *);

    /* Set a reference to application data for a session.
     * Ownership of the data block passes to the stream layer, which
     * releases it through the supplied free function.
     *
     * Parameters
     *     Session Ptr
     *     Application Protocol (a preprocids.h ID; see the include above)
     *     Application Data reference (pointer)
     *     Application Data free function
     */
    void (*set_application_data)(void *, uint32_t, void *, StreamAppDataFree);

    /* Get the reference to application data previously stored for a
     * session with set_application_data().
     *
     * Parameters
     *     Session Ptr
     *     Application Protocol
     *
     * Returns
     *     Application Data reference (pointer); presumably NULL when
     *     nothing was registered for that protocol -- confirm.
     */
    void *(*get_application_data)(void *, uint32_t);

    /* Sets the flags for a session
     * This ORs the supplied flags with the previous values
     *
     * Parameters
     *     Session Ptr
     *     Flags (SSNFLAG_*)
     *
     * Returns
     *     New Flags
     */
    uint32_t (*set_session_flags)(void *, uint32_t);

    /* Gets the flags for a session
     *
     * Parameters
     *     Session Ptr
     *
     * Returns
     *     current SSNFLAG_* bits
     */
    uint32_t (*get_session_flags)(void *);

    /* Flushes the stream on an alert
     * Side that is flushed is the same as the packet.
     *
     * Parameters
     *     Packet
     */
    int (*alert_flush_stream)(SFSnortPacket *);

    /* Flushes the stream on arrival of another packet
     * Side that is flushed is the opposite of the packet.
     *
     * Parameters
     *     Packet
     */
    int (*response_flush_stream)(SFSnortPacket *);

    /* Calls user-provided callback function for each packet of
     * a reassembled stream. If the callback function returns non-zero,
     * iteration ends.
     *
     * Parameters
     *     Packet
     *     PacketIterator Function (called for each packet in the stream)
     *     user data (may be NULL)
     *
     * Returns
     *     number of packets
     */
    int (*traverse_reassembled)(SFSnortPacket *, PacketIterator, void *userdata);

    /* Calls user-provided callback function for each segment of
     * a reassembled stream. If the callback function returns non-zero,
     * iteration ends.
     *
     * Parameters
     *     Packet
     *     StreamSegmentIterator Function (called for each segment in the stream)
     *     user data (may be NULL)
     *
     * Returns
     *     number of packets (as originally documented; likely the count of
     *     segments visited -- confirm)
     */
    int (*traverse_stream_segments)(SFSnortPacket *, StreamSegmentIterator, void *userdata);

    /* Add session alert
     *
     * Parameters
     *     Session Ptr
     *     Packet
     *     gen ID
     *     sig ID
     *
     * Returns
     *     0 success
     *     -1 failure (max alerts reached)
     *
     */
    int (*add_session_alert)(void *, SFSnortPacket *p, uint32_t, uint32_t);

    /* Check session alert
     *
     * Parameters
     *     Session Ptr
     *     Packet
     *     gen ID
     *     sig ID
     *
     * Returns
     *     0 if not previously alerted
     *     !0 if previously alerted
     */
    int (*check_session_alerted)(void *, SFSnortPacket *p, uint32_t, uint32_t);

    /* Get Flowbits data
     *
     * Parameters
     *     Packet
     *
     * Returns
     *     Ptr to Flowbits Data (owned by the stream layer; not for the
     *     caller to free)
     */
    StreamFlowData *(*get_flow_data)(SFSnortPacket *p);

    /* Set reassembly flush policy/direction for given session
     *
     * Parameters
     *     Session Ptr
     *     Flush Policy (STREAM_FLPOLICY_*)
     *     Direction(s) (SSN_DIR_*)
     *     Flags (presumably STREAM_FLPOLICY_SET_ABSOLUTE / _APPEND)
     *
     * Returns
     *     direction(s) of reassembly for session
     */
    char (*set_reassembly)(void *, uint8_t, char, char);

    /* Get reassembly direction for given session
     *
     * Parameters
     *     Session Ptr
     *
     * Returns
     *     direction(s) of reassembly for session
     */
    char (*get_reassembly_direction)(void *);

    /* Get reassembly flush_policy for given session
     *
     * Parameters
     *     Session Ptr
     *     Direction
     *
     * Returns
     *     flush policy for specified direction (STREAM_FLPOLICY_*)
     */
    char (*get_reassembly_flush_policy)(void *, char);

    /* Get true/false as to whether stream data is in
     * sequence or packets are missing
     *
     * Parameters
     *     Session Ptr
     *     Direction
     *
     * Returns
     *     true/false
     */
    char (*is_stream_sequenced)(void *, char);

    /* Get whether there are missing packets before, after or
     * before and after reassembled buffer. A consumer parsing the
     * reassembled buffer should consult this: data with gaps may be
     * misinterpreted if it is treated as contiguous.
     *
     * Parameters
     *     Session Ptr
     *     Direction
     *
     * Returns
     *     SSN_MISSING_BOTH if missing before and after
     *     SSN_MISSING_BEFORE if missing before
     *     SSN_MISSING_AFTER if missing after
     *     SSN_MISSING_NONE if none missing
     */
    int (*missing_in_reassembled)(void *, char);

    /* Get true/false as to whether packets were missed on
     * the stream
     *
     * Parameters
     *     Session Ptr
     *     Direction
     *
     * Returns
     *     true/false
     */
    char (*missed_packets)(void *, char);

#ifdef TARGET_BASED
    /* Get the protocol identifier from a stream
     *
     * Parameters
     *     Session Ptr
     *
     * Returns
     *     integer protocol identifier
     */
    int16_t (*get_application_protocol_id)(void *);

    /* Set the protocol identifier for a stream
     *
     * Parameters
     *     Session Ptr
     *     ID
     *
     * Returns
     *     integer protocol identifier
     */
    int16_t (*set_application_protocol_id)(void *, int16_t);

    /** Set service to either ignore, inspect or maintain session state.
     * If this is called during parsing a preprocessor configuration, make
     * sure to set the parsing argument to 1.
     * status is presumably a PortMonitorStates value (declared below);
     * confirm against the implementation.
     */
    void (*set_service_filter_status)(int service, int status, tSfPolicyId policyId, int parsing);
#endif

    /** Set port to either ignore, inspect or maintain session state.
     * If this is called during parsing a preprocessor configuration, make
     * sure to set the parsing argument to 1.
     * status is presumably a PortMonitorStates value (declared below);
     * confirm against the implementation.
     */
    void (*set_port_filter_status)(int protocol, uint16_t port, int status, tSfPolicyId policyId, int parsing);

    /* Get the current flush point
     *
     * Arguments
     *     void * - session pointer
     *     char - direction
     *
     * Returns
     *     Current flush point for session
     */
    uint32_t (*get_flush_point)(void *, char);

    /* Set the next flush point
     *
     * Arguments
     *     void * - session pointer
     *     char - direction
     *     uint32_t - flush point size
     */
    void (*set_flush_point)(void *, char, uint32_t);

#ifdef TARGET_BASED
    /* Pre-register the application protocol ID for a session that is
     * expected to appear later (e.g. a data channel negotiated on a
     * control channel). The original comment is a copy of
     * ignore_session()'s and says "Turn off inspection"; the name and
     * the int16_t ID argument suggest the purpose stated here -- confirm
     * against Stream5.
     * Adds session identifiers to a hash table.
     * TCP only.
     *
     * Parameters
     *     IP addr #1
     *     Port #1
     *     IP addr #2
     *     Port #2
     *     Protocol
     *     ID
     *
     * Returns
     *     0 on success
     *     -1 on failure
     */
    int (*set_application_protocol_id_expected)(snort_ip_p, uint16_t, snort_ip_p, uint16_t,
                                                char, int16_t);
#endif
} StreamAPI;
/* To be set by Stream5 (or Stream4). Presumably NULL until the stream
 * preprocessor has installed its table, so a consumer should check the
 * pointer, and then version against STREAM_API_VERSION5, before calling
 * through any member. */
extern StreamAPI *stream_api;
/**Port Inspection States. Port can be either ignored,
 * or inspected or session tracked. The values are bitmasks.
 * Presumably the status argument of set_port_filter_status() and
 * set_service_filter_status(); PORT_MONITOR_NONE removes the port from
 * inspection entirely, so it should be applied deliberately.
 */
typedef enum {
    /**Don't monitor the port. */
    PORT_MONITOR_NONE = 0x00,

    /**Inspect the port. */
    PORT_MONITOR_INSPECT = 0x01,

    /**Perform session tracking on the port. */
    PORT_MONITOR_SESSION = 0x02

} PortMonitorStates;
#endif /* STREAM_API_H_ */