'UPDATEREDIRECTREF', 'PROPFIND', 'PROPPATCH', 'MKCOL', 'COPY',
'MOVE', 'LOCK', 'UNLOCK', 'SEARCH', 'BCOPY', 'BDELETE', 'BMOVE',
'BPROPFIND', 'BPROPPATCH', 'POLL', 'UNSUBSCRIBE', 'X_MS_ENUMATTS',
- --'NOTIFY', 'OPTIONS', 'SUBSCRIBE', 'UPDATE'
+ 'OPTIONS * HTTP/',
+ --'NOTIFY', 'SUBSCRIBE', 'UPDATE'
}
-sip_methods =
+sip_requests =
{
- 'INVITE', 'CANCEL', 'ACK', 'BYE', 'REGISTER', 'REFER', 'SUBSCRIBE',
- 'UPDATE', 'JOIN', 'INFO', 'MESSAGE', 'NOTIFY', 'PRACK'
- --'OPTIONS',
+ 'INVITE * SIP/', 'CANCEL * SIP/', 'ACK * SIP/', 'BYE * SIP/', 'REGISTER * SIP/',
+ 'REFER * SIP/', 'SUBSCRIBE * SIP/', 'UPDATE * SIP/', 'INFO * SIP/', 'MESSAGE * SIP/',
+ 'NOTIFY * SIP/', 'PRACK * SIP/', 'OPTIONS * SIP/'
}
telnet_commands =
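Review bot: The old sip_methods list contained `'JOIN'` but the new sip_requests table has no `'JOIN * SIP/'` counterpart, so a JOIN request line would no longer be bound to the sip service by the wizard. JOIN is not part of the core SIP method set, so the drop may well be deliberate, but nothing in the hunk says so; either add `'JOIN * SIP/'` alongside `'PRACK * SIP/'` or note the removal in the commit message. The http_methods table that this hunk also edits begins before the start of this chunk.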
to_client = { '+OK', '-ERR' } },
{ service = 'sip', client_first = true,
- to_server = sip_methods, to_client = { 'SIP/' } },
+ to_server = sip_requests, to_client = { 'SIP/' } },
{ service = 'smtp', proto = 'tcp', client_first = true,
to_server = { 'HELO', 'EHLO' },
default_whitelist =
[[
ftp_command_specs default_ftp_server smtp_default_alt_max_command_lines
- default_smtp http_methods sip_methods telnet_commands default_wizard
+ default_smtp http_methods sip_requests telnet_commands default_wizard
default_references default_classifications gtp_v0_msg gtp_v1_msg gtp_v2_msg
gtp_v0_info gtp_v1_info gtp_v2_info default_gtp tcp_low_ports
tcp_low_decoy tcp_low_sweep tcp_low_dist tcp_med_ports
* This file contains functions to select server configurations
* and begin the FTPTelnet process.
*
- * The session Inspection Module interfaces with the Stream Inspection
- * Module and the User Interface Module to select the appropriate
- * FTPTelnet configuration and in the case of stateful inspection the
- * session Inspection Module retrieves the user-data from the Stream
- * Module. For stateless inspection, the session Inspection Module uses
- * the same structure for use by each packet.
- *
* The main responsibility of this module is to supply the appropriate
* data structures and configurations for the rest of the FTPTelnet
* process. The module also determines what type of data is being
* configuration for the session, and the type of inspection
* to be performed (client or server.)
*
- * When the session Inspection module is in stateful mode, it
- * checks to see if there is a TELNET_SESSION pointer already
+ * Checks to see if there is a TELNET_SESSION pointer already
* associated with the stream. If there is, then it uses that
* session pointer, otherwise it calculates the server configuration
- * using the FTP_SI_INPUT and returns a TELNET_SESSION pointer. In
- * stateful mode, this means that memory is allocated, but in
- * stateless mode, the same session pointer is used for all packets
- * to reduce the allocation overhead.
+ * using the FTP_SI_INPUT and returns a TELNET_SESSION pointer.
*
* The inspection mode can be either client or server.
*
* configuration for the session, and the type of inspection to
* be performed (client or server.)
*
- * When the session Inspection module is in stateful mode, it
- * checks to see if there is a FTP_SESSION pointer already
+ * Checks to see if there is a FTP_SESSION pointer already
* associated with the stream. If there is, then it uses that
* session pointer, otherwise it calculates the server
* configuration using the FTP_SI_INPUT and returns a FTP_SESSION
- * pointer. In stateful mode, this means that memory is allocated,
- * but in stateless mode, the same session pointer is used for all
- * packets to reduce the allocation overhead.
+ * pointer.
*
* The inspection mode can be either client or server.
*/
/*
* Defines
*/
-#define FTPP_UI_CONFIG_STATELESS 0
-#define FTPP_UI_CONFIG_STATEFUL 1
#define FTPP_UI_CONFIG_TELNET_DEF_AYT_THRESHOLD (-1)
#define FTPP_UI_CONFIG_FTP_DEF_RESP_MSG_MAX (-1)
static const Parameter s_params[] =
{
{ "ayt_attack_thresh", Parameter::PT_INT, "-1:max31", "-1",
- "alert on this number of consecutive Telnet AYT commands" },
+ "alert beyond this number of consecutive Telnet AYT commands (-1 is disabled)" },
{ "check_encrypted", Parameter::PT_BOOL, nullptr, "false",
"check for end of encryption" },
#define SMTP_PKT_FROM_CLIENT 1
#define SMTP_PKT_FROM_SERVER 2
-// Inspection type
-#define SMTP_STATELESS 0
-#define SMTP_STATEFUL 1
-
#define SEARCH_CMD 0
#define SEARCH_RESP 1
#define SEARCH_HDR 2
}
const char* HexBook::find_spell(
- const uint8_t* data, unsigned len, const MagicPage*& p) const
+ const uint8_t* data, unsigned len, unsigned max, const MagicPage*& p) const
{
+ if ( max and len > max )
+ len = max;
+
p = find_spell(data, len, p, 0);
if ( p and !p->value.empty() )
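Review bot: The new guard `if ( max and len > max )` makes `max == 0` mean "no cap", so a max_pattern of 0 scans the whole segment where the old code always stopped at 64; the same construct is added in SpellBook::find_spell in the later hunk, which also removed the FIXIT that motivated the bound. That is presumably intended given the "0 is unlimited" help text, but the function itself does not say so; a one-line comment above the guard would help: `// max == 0 disables the depth cap; len is then scanned in full`. The comparison mixes an `unsigned` parameter with the `uint16_t` the caller passes, which is harmless as the configured range is 0:65535. find_spell's body continues past the end of this hunk.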
MagicBook& operator=(const MagicBook&) = delete;
virtual bool add_spell(const char* key, const char*& val) = 0;
- virtual const char* find_spell(const uint8_t*, unsigned len, const MagicPage*&) const = 0;
+ virtual const char* find_spell(const uint8_t*, unsigned len, unsigned max,
+ const MagicPage*&) const = 0;
const MagicPage* page1()
{ return root; }
SpellBook();
bool add_spell(const char*, const char*&) override;
- const char* find_spell(const uint8_t*, unsigned len, const MagicPage*&) const override;
+ const char* find_spell(const uint8_t*, unsigned len, unsigned max,
+ const MagicPage*&) const override;
private:
bool translate(const char*, HexVector&);
HexBook() = default;
bool add_spell(const char*, const char*&) override;
- const char* find_spell(const uint8_t*, unsigned len, const MagicPage*&) const override;
+ const char* find_spell(const uint8_t*, unsigned len, unsigned,
+ const MagicPage*&) const override;
private:
bool translate(const char*, HexVector&);
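Review bot: The new parameter in HexBook's override is left unnamed (`unsigned,`) while the base declaration and SpellBook's override spell it `unsigned max`; naming it keeps the three declarations readable side by side and matches the definition, which does use `max`. Suggested: `const char* find_spell(const uint8_t*, unsigned len, unsigned max,`. The class body continues outside the hunk.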
}
const char* SpellBook::find_spell(
- const uint8_t* data, unsigned len, const MagicPage*& p) const
+ const uint8_t* data, unsigned len, unsigned max, const MagicPage*& p) const
{
- // FIXIT-L make configurable upper bound to limit globbing
- unsigned max = 64;
assert(p);
- if ( len > max )
+ if ( max and len > max )
len = max;
p = find_spell(data, len, p, 0);
{ "curses", Parameter::PT_MULTI, "dce_smb | dce_udp | dce_tcp | sslv2", nullptr,
"enable service identification based on internal algorithm" },
+ { "max_pattern", Parameter::PT_INT, "0:65535", "64",
+ "maximum scan depth per segment (0 is unlimited)" },
+
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
-WizardModule::WizardModule() : Module(WIZ_NAME, WIZ_HELP, s_params)
-{
- c2s_hexes = nullptr;
- s2c_hexes = nullptr;
- c2s_spells = nullptr;
- s2c_spells = nullptr;
- curses = nullptr;
-}
+WizardModule::WizardModule() : Module(WIZ_NAME, WIZ_HELP, s_params) { }
WizardModule::~WizardModule()
{
else if ( v.is("curses") )
curses->add_curse(v.get_string());
+ else if ( v.is("max_pattern") )
+ max_pattern = v.get_uint16();
+
return true;
}
MagicBook* get_book(bool c2s, bool hex);
CurseBook* get_curse_book();
+ uint16_t get_max_pattern()
+ { return max_pattern; }
+
Usage get_usage() const override
{ return INSPECT; }
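Review bot: `uint16_t get_max_pattern()` does not modify the module and should be a const member function, matching `get_usage() const` directly below it: `uint16_t get_max_pattern() const`. The neighbouring `get_book` and `get_curse_book` are non-const as well, so this is about the new accessor rather than a change to the existing ones.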
std::vector<std::string> s2c_patterns;
bool c2s;
- MagicBook* c2s_hexes;
- MagicBook* s2c_hexes;
+ MagicBook* c2s_hexes = nullptr;
+ MagicBook* s2c_hexes = nullptr;
- MagicBook* c2s_spells;
- MagicBook* s2c_spells;
+ MagicBook* c2s_spells = nullptr;
+ MagicBook* s2c_spells = nullptr;
- CurseBook* curses;
+ CurseBook* curses = nullptr;
+ uint16_t max_pattern = 0;
};
#endif
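Review bot: The in-class default `uint16_t max_pattern = 0;` means "unlimited" under the new find_spell guard, while the parameter table declares the default as "64"; the two agree only if set() is always invoked with the default for max_pattern on every construction path. If that cannot be relied on, initializing the member to the same value as the parameter default preserves the previous 64-byte cap as the fallback: `uint16_t max_pattern = 64;`. The Wizard-side copy in the next hunk (`uint16_t max_pattern;`) is assigned from get_max_pattern() in the constructor, so it inherits whichever value the module ends up with.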
MagicBook* s2c_spells;
CurseBook* curses;
+ uint16_t max_pattern;
};
//-------------------------------------------------------------------------
s2c_spells = m->get_book(false, false);
curses = m->get_curse_book();
+ max_pattern = m->get_max_pattern();
}
Wizard::~Wizard()
bool Wizard::spellbind(
const MagicPage*& m, Flow* f, const uint8_t* data, unsigned len)
{
- f->service = m->book.find_spell(data, len, m);
+ f->service = m->book.find_spell(data, len, max_pattern, m);
return ( f->service != nullptr );
}