{
// FIXIT-L make configurable
SfIp sip, dip;
- sip.set("192.168.1.1");
- dip.set("192.168.2.2");
- snort.ip_api.set(sip, dip);
+ if ( sip.set("192.168.1.1") == SFIP_SUCCESS and dip.set("192.168.2.2") == SFIP_SUCCESS )
+ snort.ip_api.set(sip, dip);
snort.sp = 12345;
snort.dp = 54321;
#include <cassert>
+#include "pub_sub/auxiliary_ip_event.h"
#include "pub_sub/stash_events.h"
using namespace snort;
void FlowStash::reset()
{
- for(map<string, StashItem*>::iterator it = container.begin(); it != container.end(); ++it)
+ for(auto it = container.begin(); it != container.end(); ++it)
{
delete it->second;
}
UNUSED(type);
#endif
auto item = new StashItem(val);
- auto it_and_status = container.emplace(make_pair(key, item));
+ auto it_and_status = container.emplace(key, item);
if (!it_and_status.second)
{
UNUSED(type);
#endif
auto item = new StashItem(val);
- auto it_and_status = container.emplace(make_pair(key, item));
+ auto it_and_status = container.emplace(key, item);
if (!it_and_status.second)
{
StashEvent e(item);
DataBus::publish(key.c_str(), e);
}
+
+bool FlowStash::store(const SfIp& ip, const SnortConfig* sc)
+{
+ if ( !sc )
+ sc = SnortConfig::get_conf();
+
+ if ( sc->max_aux_ip < 0 )
+ return false;
+
+ if ( sc->max_aux_ip > 0 )
+ {
+ for ( const auto& aip : aux_ip_fifo )
+ if ( aip == ip )
+ return false;
+
+ if ( aux_ip_fifo.size() == (unsigned)sc->max_aux_ip )
+ aux_ip_fifo.pop_back();
+
+ aux_ip_fifo.emplace_front(ip);
+ }
+
+ AuxiliaryIpEvent event(ip);
+ DataBus::publish(AUXILIARY_IP_EVENT, event);
+ return true;
+}
#ifndef FLOW_STASH_H
#define FLOW_STASH_H
+#include <list>
#include <map>
#include <string>
+#include <unordered_map>
+#include "main/snort_config.h"
#include "main/snort_types.h"
+#include "sfip/sf_ip.h"
#include "stash_item.h"
void store(const std::string& key, std::string* val);
void store(const std::string& key, StashGenericObject* val, bool publish = true);
+ bool store(const snort::SfIp&, const SnortConfig* sc = nullptr);
+
private:
- std::map<std::string, StashItem*> container;
+ std::list<snort::SfIp> aux_ip_fifo;
+ std::unordered_map<std::string, StashItem*> container;
template<typename T>
bool get(const std::string& key, T& val, StashItemType type);
add_cpputest( flow_stash_test
SOURCES ../flow_stash.cc
+ ../../sfip/sf_ip.cc
)
add_cpputest( flow_control_test
#include "flow/flow_stash.h"
#include "pub_sub/stash_events.h"
+#include "utils/util.h"
#include <CppUTest/CommandLineTestRunner.h>
#include <CppUTest/TestHarness.h>
}
// end DataBus mock.
+static SnortConfig snort_conf;
+namespace snort
+{
+SnortConfig::SnortConfig(const SnortConfig* const) { }
+SnortConfig::~SnortConfig() = default;
+const SnortConfig* SnortConfig::get_conf() { return &snort_conf; }
+
+char* snort_strdup(const char* str)
+{
+ assert(str);
+ size_t n = strlen(str) + 1;
+ char* p = (char*)snort_alloc(n);
+ memcpy(p, str, n);
+ return p;
+}
+}
TEST_GROUP(stash_tests)
{
CHECK_EQUAL(test_object->get_object_type(), ((TestStashObject*)retrieved_object)->get_object_type());
}
+TEST(stash_tests, store_ip)
+{
+ FlowStash stash;
+ SfIp ip;
+ CHECK(ip.set("1.1.1.1") == SFIP_SUCCESS);
+
+ // Disabled
+ snort_conf.max_aux_ip = -1;
+ CHECK_FALSE(stash.store(ip));
+
+ // Enabled without stashing, no duplicate IP checking
+ snort_conf.max_aux_ip = 0;
+ CHECK_TRUE(stash.store(ip));
+ CHECK_TRUE(stash.store(ip));
+
+ // Enabled with FIFO stashing, duplicate IP checking
+ snort_conf.max_aux_ip = 2;
+ CHECK_TRUE(stash.store(ip));
+ CHECK_FALSE(stash.store(ip));
+
+ SfIp ip2;
+ CHECK(ip2.set("1.1.1.2") == SFIP_SUCCESS);
+ CHECK_TRUE(stash.store(ip2));
+ CHECK_FALSE(stash.store(ip2));
+
+ SfIp ip3;
+ CHECK(ip3.set("1111::8888") == SFIP_SUCCESS);
+ CHECK_TRUE(stash.store(ip3));
+ CHECK_FALSE(stash.store(ip3));
+ CHECK_FALSE(stash.store(ip2));
+ CHECK_TRUE(stash.store(ip));
+ CHECK_FALSE(stash.store(ip));
+ CHECK_FALSE(stash.store(ip3));
+}
+
int main(int argc, char** argv)
{
return CommandLineTestRunner::RunAllTests(argc, argv);
{ "mode", Parameter::PT_ENUM, "inline | inline-test", "inline-test",
"set policy mode" },
+ { "max_aux_ip", Parameter::PT_INT, "-1:127", "16",
+ "maximum number of auxiliary IPs per flow to detect and save "
+ "(-1 = disable, 0 = detect but don't save, 1+ = save in FIFO manner)" },
+
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
}
}
+ else if ( v.is("max_aux_ip") )
+ {
+ sc->max_aux_ip = v.get_int16();
+ return true;
+ }
+
else
return false;
uint16_t tunnel_mask = 0;
+ int16_t max_aux_ip = 16;
+
// FIXIT-L this is temporary for legacy paf_max required only for HI;
// it is not appropriate for multiple stream_tcp with different
// paf_max; the HI splitter should pull from there
bool is_address_anomaly_check_enabled() const
{ return address_anomaly_check_enabled; }
+ bool aux_ip_is_enabled() const
+ { return max_aux_ip >= 0; }
+
// mode related
bool dump_config_mode() const
{ return dump_config_type > DUMP_CONFIG_NONE; }
struct TunnelDest
{
snort::SfIp ip;
- uint16_t port;
+ uint16_t port = 0;
TunnelDest(const char* string_srcip, uint16_t tun_port)
{
- ip.set(string_srcip);
- port = tun_port;
+ if ( ip.set(string_srcip) == SFIP_SUCCESS )
+ port = tun_port;
}
};
PegCount trusted;
PegCount monitored;
PegCount memory_allocated;
+ PegCount aux_ip_blocked;
+ PegCount aux_ip_trusted;
+ PegCount aux_ip_monitored;
};
extern const PegInfo reputation_peg_names[];
#include "packet_io/active.h"
#include "profiler/profiler.h"
#include "protocols/packet.h"
-
+#include "pub_sub/auxiliary_ip_event.h"
#include "reputation_parse.h"
{ CountType::SUM, "trusted", "number of packets trusted" },
{ CountType::SUM, "monitored", "number of packets monitored" },
{ CountType::SUM, "memory_allocated", "total memory allocated" },
+{ CountType::SUM, "aux_ip_blocked", "number of auxiliary ip packets blocked" },
+{ CountType::SUM, "aux_ip_trusted", "number of auxiliary ip packets trusted" },
+{ CountType::SUM, "aux_ip_monitored", "number of auxiliary ip packets monitored" },
{ CountType::END, nullptr, nullptr }
};
return decision_final;
}
+static void snort_reputation_aux_ip(ReputationConfig* config, Packet* p, const SfIp* ip)
+{
+ if (!config->ip_list)
+ return;
+
+ uint32_t ingress_intf = 0;
+ uint32_t egress_intf = 0;
+
+ if (p->pkth)
+ {
+ ingress_intf = p->pkth->ingress_index;
+ if (p->pkth->egress_index < 0)
+ egress_intf = ingress_intf;
+ else
+ egress_intf = p->pkth->egress_index;
+ }
+
+ IPrepInfo* result = reputation_lookup(config, ip);
+ if (result)
+ {
+ IPdecision decision = get_reputation(config, result, &p->iplist_id, ingress_intf,
+ egress_intf);
+
+ if (decision == BLOCKED)
+ {
+ if (p->flow)
+ p->flow->flags.reputation_blocklist = true;
+
+ // Prior to IPRep logging, IPS policy must be set to the default policy,
+ set_ips_policy(SnortConfig::get_conf(), 0);
+
+ DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_BLOCKLIST_DST);
+ p->active->drop_packet(p, true);
+
+ // disable all preproc analysis and detection for this packet
+ DetectionEngine::disable_all(p);
+ p->active->block_session(p, true);
+ p->active->set_drop_reason("reputation");
+ reputationstats.aux_ip_blocked++;
+ if (PacketTracer::is_active())
+ {
+ char ip_str[INET6_ADDRSTRLEN];
+ sfip_ntop(ip, ip_str, sizeof(ip_str));
+ PacketTracer::log("Reputation: packet blocked for auxiliary ip %s, drop\n",
+ ip_str);
+ }
+ }
+ else if (decision == MONITORED)
+ {
+ if (p->flow)
+ p->flow->flags.reputation_monitor = true;
+
+ DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_MONITOR_DST);
+ reputationstats.aux_ip_monitored++;
+ }
+ else if (decision == TRUSTED)
+ {
+ if (p->flow)
+ p->flow->flags.reputation_allowlist = true;
+
+ DetectionEngine::queue_event(GID_REPUTATION, REPUTATION_EVENT_ALLOWLIST_DST);
+ p->active->trust_session(p, true);
+ reputationstats.aux_ip_trusted++;
+ }
+ }
+}
+
static void snort_reputation(ReputationConfig* config, Packet* p)
{
IPdecision decision;
}
}
+class AuxiliaryIpRepHandler : public DataHandler
+{
+public:
+ AuxiliaryIpRepHandler(ReputationConfig& rc) : DataHandler(REPUTATION_NAME), conf(rc) { }
+ void handle(DataEvent&, Flow*) override;
+
+private:
+ ReputationConfig& conf;
+};
+
+void AuxiliaryIpRepHandler::handle(DataEvent& event, Flow*)
+{
+ Profile profile(reputation_perf_stats);
+ snort_reputation_aux_ip(&conf, DetectionEngine::get_current_packet(),
+ static_cast<AuxiliaryIpEvent*>(&event)->get_ip());
+}
+
//-------------------------------------------------------------------------
// class stuff
//-------------------------------------------------------------------------
++reputationstats.packets;
}
+bool Reputation::configure(SnortConfig* sc)
+{
+ DataBus::subscribe_global( AUXILIARY_IP_EVENT, new AuxiliaryIpRepHandler(config), sc );
+ return true;
+}
+
//-------------------------------------------------------------------------
// api stuff
//-------------------------------------------------------------------------
void show(const snort::SnortConfig*) const override;
void eval(snort::Packet*) override;
+ bool configure(snort::SnortConfig*) override;
private:
ReputationConfig config;
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2021-2021 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// auxiliary_ip_event.h author Masud Hasan <mashasan@cisco.com>
+
+#ifndef AUXILIARY_IP_EVENT_H
+#define AUXILIARY_IP_EVENT_H
+
+#include "framework/data_bus.h"
+#include "sfip/sf_ip.h"
+
+#define AUXILIARY_IP_EVENT "auxiliary_ip_event"
+
+class AuxiliaryIpEvent : public snort::DataEvent
+{
+public:
+ AuxiliaryIpEvent(const snort::SfIp& aux_ip) : ip(aux_ip) { }
+
+ const snort::SfIp* get_ip()
+ { return &ip; }
+
+private:
+ const snort::SfIp& ip;
+};
+
+#endif
#include "http_api.h"
#include "http_common.h"
#include "http_enum.h"
+#include "http_test_manager.h"
using namespace HttpCommon;
using namespace HttpEnums;
using namespace snort;
+using namespace std;
HttpMsgRequest::HttpMsgRequest(const uint8_t* buffer, const uint16_t buf_size,
HttpFlowData* session_data_, SourceId source_id_, bool buf_owner, Flow* flow_,
session_data->ssl_search_abandoned = true;
DataBus::publish(SSL_SEARCH_ABANDONED, DetectionEngine::get_current_packet());
}
+
+ if (SnortConfig::get_conf()->aux_ip_is_enabled())
+ {
+ string aux_ip_str = get_aux_ip();
+
+ if (!aux_ip_str.empty())
+ {
+ SfIp aux_ip;
+ if (parse_ip_from_uri(aux_ip_str, aux_ip))
+ flow->stash->store(aux_ip);
+ }
+ }
+}
+
+string HttpMsgRequest::get_aux_ip()
+{
+ string ip_str;
+
+ if (!uri)
+ return ip_str;
+
+ const Field& auth = uri->get_authority();
+
+ if (!(auth.length() > 0) or auth.start() == nullptr)
+ return ip_str;
+
+ // The following rules out most host values that are not IP addresses before we
+ // waste resources on them. The subscriber must do more careful validation. IPv4
+ // must begin with a digit while IPv6 within a URI must begin with a '['.
+ if (((auth.start()[0] >= '0') && (auth.start()[0] <= '9')) ||
+ (auth.start()[0] == '['))
+ {
+ const Field& host = uri->get_host();
+ if (host.length() > 0)
+ {
+ ip_str = string((const char*)host.start(), (size_t)host.length());
+ return ip_str;
+ }
+ }
+
+ return ip_str;
}
#ifdef REG_TEST
const Field& get_method() { return method; }
const Field& get_uri();
const Field& get_uri_norm_classic();
+ std::string get_aux_ip();
HttpUri* get_http_uri() { return uri; }
ParameterMap& get_query_params();
ParameterMap& get_body_params();
#include "sf_ip.h"
-#include <cassert>
#include <cmath> // For ceil
#include "main/thread.h"
using namespace snort;
-/* Support function */
-// note that an ip6 address may have a trailing dotted quad form
-// but that it always has at least 2 ':'s; furthermore there is
-// no valid ip4 format (including mask) with 2 ':'s
-// we don't have to figure out if the format is entirely legal
-// we just have to be able to tell correct formats apart
-static inline int sfip_str_to_fam(const char* str)
-{
- const char* s;
- assert(str);
- s = strchr(str, (int)':');
- if ( s && strchr(s+1, (int)':') )
- return AF_INET6;
- if ( strchr(str, (int)'.') )
- return AF_INET;
- return AF_UNSPEC;
-}
-
/* Masks off 'val' bits from the IP contained within 'ip' */
inline int SfIp::cidr_mask(int val)
{
#include <arpa/inet.h>
#include <sys/socket.h>
+#include <cassert>
+#include <cstring>
#include <sstream>
#include "main/snort_types.h"
{
using SfIpString = char[INET6_ADDRSTRLEN];
+// INET6_ADDRSTRLEN without IPv4-mapped IPv6
+#define MAX_INET6_STRLEN_NO_IPV4_MAP 40
+
struct SfCidr;
struct SO_PUBLIC SfIp
/* End of member function definitions */
+/* Support functions */
+// note that an ip6 address may have a trailing dotted quad form
+// but that it always has at least 2 ':'s; furthermore there is
+// no valid ip4 format (including mask) with 2 ':'s
+// we don't have to figure out if the format is entirely legal
+// we just have to be able to tell correct formats apart
+static inline int sfip_str_to_fam(const char* str)
+{
+ const char* s;
+ assert(str);
+ s = strchr(str, (int)':');
+ if ( s && strchr(s+1, (int)':') )
+ return AF_INET6;
+ if ( strchr(str, (int)'.') )
+ return AF_INET;
+ return AF_UNSPEC;
+}
+
+static inline bool parse_ip_from_uri(std::string& ip_str, SfIp& ip)
+{
+ auto host_start = ip_str.find("://");
+ if ( host_start != std::string::npos )
+ {
+ host_start += 3;
+ if ( host_start >= ip_str.size() )
+ return false;
+ }
+ else
+ host_start = 0;
+
+ auto host_end = host_start;
+ int family = sfip_str_to_fam(ip_str.c_str() + host_start);
+
+ if ( family == AF_INET )
+ {
+ while ( host_end < ip_str.size() and ip_str[host_end] != ':' and ip_str[host_end] != '/' )
+ ++host_end;
+ }
+ else if ( family == AF_INET6 )
+ {
+ if ( ip_str[host_start] == '[' )
+ {
+ ++host_start;
+ ++host_end;
+ }
+ while ( host_end < ip_str.size() and ip_str[host_end] != ']' and ip_str[host_end] != '/')
+ ++host_end;
+ }
+ else
+ return false;
+
+ if ( host_end <= host_start or (host_end - host_start) > MAX_INET6_STRLEN_NO_IPV4_MAP )
+ return false;
+
+ if ( host_start != 0 or host_end != ip_str.size() )
+ {
+ const std::string host_str = ip_str.substr(host_start, host_end - host_start);
+ if ( ip.set(host_str.c_str()) != SFIP_SUCCESS )
+ return false;
+ }
+ else if ( ip.set(ip_str.c_str()) != SFIP_SUCCESS )
+ return false;
+
+ return true;
+}
+
SO_PUBLIC const char* sfip_ntop(const SfIp* ip, char* buf, int bufsize);
inline std::ostream& operator<<(std::ostream& os, const SfIp* addr)
for ( unsigned i = 0; i < NUM_TESTS; ++i )
CHECK(CopyCheck(i) == 1);
}
+
+TEST_CASE("uri parsing", "[sfip]")
+{
+ std::string ip_str;
+ SfIp ip;
+
+ // Validity of IP strings: empty, large, protocol, port, path
+ CHECK(parse_ip_from_uri(ip_str, ip) == false);
+ ip_str = "1111:2222:3333:4444:5555:6666:7777:8888:9999";
+ CHECK(parse_ip_from_uri(ip_str, ip) == false);
+ ip_str = "http://";
+ CHECK(parse_ip_from_uri(ip_str, ip) == false);
+ ip_str = "http://1.2.3.4:80";
+ CHECK(parse_ip_from_uri(ip_str, ip));
+ ip_str = "https://1.2.3.5/about.html";
+ CHECK(parse_ip_from_uri(ip_str, ip));
+ ip_str = "[1111::2222]/about.html";
+ CHECK(parse_ip_from_uri(ip_str, ip));
+}
{
#ifdef REG_TEST
{ "footprint", Parameter::PT_INT, "0:max32", "0",
- "use zero for production, non-zero for testing at given size (for TCP and user)" },
+ "use zero for production, non-zero for testing at given size (for TCP and user)" },
#endif
{ "ip_frags_only", Parameter::PT_BOOL, nullptr, "false",
- "don't process non-frag flows" },
+ "don't process non-frag flows" },
{ "max_flows", Parameter::PT_INT, "2:max32", "476288",
- "maximum simultaneous flows tracked before pruning" },
+ "maximum simultaneous flows tracked before pruning" },
{ "pruning_timeout", Parameter::PT_INT, "1:max32", "30",
- "minimum inactive time before being eligible for pruning" },
+ "minimum inactive time before being eligible for pruning" },
{ "held_packet_timeout", Parameter::PT_INT, "1:max32", "1000",
"timeout in milliseconds for held packets" },
void StreamModuleConfig::show() const
{
ConfigLogger::log_value("max_flows", flow_cache_cfg.max_flows);
+ ConfigLogger::log_value("max_aux_ip", SnortConfig::get_conf()->max_aux_ip);
ConfigLogger::log_value("pruning_timeout", flow_cache_cfg.pruning_timeout);
for (int i = to_utype(PktType::IP); i < to_utype(PktType::MAX); ++i)
projects / thirdparty / snort3.git / commitdiff
