==== Configuration
POP inspector and IMAP inspector offer same set of configuration options
-for MIME decoding depth:
+for MIME decoding depth. These depths range from 0 to 65535 bytes. Setting
+the value to 0 ("do none") turns the feature off. Alternatively the value
+-1 means an unlimited amount of data should be decoded. If you do not
+specify the default value is 1460 bytes.
+
+The depth limits apply per attachment. They are:
===== b64_decode_depth
-This config option is used to turn off/on or set the base64 decoding depth
-used to decode the base64 encoded MIME attachments. The value ranges from
--1 to 65535. A value of -1 turns off the base64 decoding of MIME
-attachments. The value of 0 sets the decoding of base64 encoded MIME
-attachments to unlimited. A value other than 0 or -1 restricts the
-decoding of base64 MIME attachments, and applies per attachment. The
-default value is 1460.
+Set the base64 decoding depth used to decode the base64-encoded MIME
+attachments.
===== qp_decode_depth
-This config option is used to turn off/on or set the Quoted-Printable
-decoding depth used to decode the Quoted-Printable(QP) encoded MIME
-attachments. The value ranges from -1 to 65535. A value of -1 turns off
-the QP decoding of MIME attachments.
-The value of 0 sets the decoding of QP encoded MIME attachments to
-unlimited. A value other than 0 or -1 restricts the decoding of QP MIME
-attachments, and applies per attachment.
+Set the Quoted-Printable (QP) decoding depth used to decode QP-encoded
+MIME attachments.
===== bitenc_decode_depth
-This config option is used to turn off/on or set the non-encoded MIME
-extraction depth used to extract the non-encoded MIME attachments. The
-value ranges from -1 to 65535. A value of -1 turns off the extraction of
-these MIME attachments.
-The value of 0 sets the extraction of these MIME attachments to unlimited.
-A value other than 0 or -1 restricts the extraction of these MIME
-attachments, and applies per attachment.
+Set the non-encoded MIME extraction depth used for non-encoded MIME
+attachments.
===== uu_decode_depth
-This config option is used to turn off/on or set the Unix-to-Unix decoding
-depth used to decode the Unix-to-Unix(UU) encoded attachments. The value
-ranges from -1 to 65535. A value of -1 turns off the UU decoding of POP
-attachments.
-The value of 0 sets the decoding of UU encoded POP attachments to
-unlimited. A value other than 0 or -1 restricts the decoding of UU POP
-attachments, and applies per attachment.
+Set the Unix-to-Unix (UU) decoding depth used to decode UU-encoded
+attachments.
===== Examples
imap =
{
- qp_decode_depth = 15,
+ qp_decode_depth = 500,
}
pop =
{
- qp_decode_depth = 0,
- b64_decode_depth = 10,
+ qp_decode_depth = -1,
+ b64_decode_depth = 3000,
}
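Review bot: the new intro line `+for MIME decoding depth. These depths range from 0 to 65535 bytes.` states the range as 0 to 65535, but the next two sentences make -1 a valid value and the Parameter tables in this same change declare the range as "-1:65535"; write "range from -1 to 65535" so the documentation and the module schema agree. Two wording fixes in the same paragraph: "Alternatively the value -1 means" reads better as "Alternatively, a value of -1 means", and "If you do not specify the default value is 1460 bytes" needs a comma after "specify" (or simply "The default is 1460 bytes"). The examples block is consistent with the new convention (pop `qp_decode_depth = -1` now means unlimited, which the removed `0` meant before), so no change is needed there.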
See CVE-2005-0560 for a description of the vulnerability.
-===== b64_decode_depth
-
-This config option is used to turn off/on or set the base64 decoding depth
-used to decode the base64 encoded MIME attachments. The value ranges from
--1 to 65535. A value of -1 turns off the base64 decoding of MIME
-attachments. The value of 0
-sets the decoding of base64 encoded MIME attachments to unlimited. A value
-other than 0 or -1 restricts the decoding of base64 MIME attachments, and
-applies per attachment.
-
-===== qp_decode_depth
-
-This config option is used to turn off/on or set the Quoted-Printable
-decoding depth used to decode the Quoted-Printable(QP) encoded MIME
-attachments. The value ranges from -1 to 65535. A value of -1 turns off
-the QP decoding of MIME attachments.
-The value of 0 sets the decoding of QP encoded MIME attachments to
-unlimited. A value other than 0 or -1 restricts the decoding of QP MIME
-attachments, and applies per attachment.
-
-===== bitenc_decode_depth * default to 25
-
-This config option is used to turn off/on or set the non-encoded MIME
-extraction depth used to extract the non-encoded MIME attachments. The
-value ranges from -1 to 65535. A value of -1 turns off the extraction of
-these MIME attachments.
-The value of 0 sets the extraction of these MIME attachments to unlimited.
-A value other than 0 or -1 restricts the extraction of these MIME
-attachments, and applies per attachment.
-
-===== uu_decode_depth
-
-This config option is used to turn off/on or set the Unix-to-Unix decoding
-depth used to decode the Unix-to-Unix(UU) encoded attachments. The value
-ranges from -1 to 65535. A value of -1 turns off the UU decoding of SMTP
-attachments.
-The value of 0 sets the decoding of UU encoded SMTP attachments to
-unlimited. A value other than 0 or -1 restricts the decoding of UU SMTP
-attachments, and applies per attachment.
+===== MIME processing depth parameters
+
+These four MIME processing depth parameters are identical to their POP and
+IMAP counterparts. See that section for further details.
+
+b64_decode_depth
+qp_decode_depth
+bitenc_decode_depth
+uu_decode_depth
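Review bot: "See that section for further details" in the replacement SMTP text does not name a section; now that this file no longer describes the values itself, point at the POP/IMAP inspector Configuration section explicitly. The four option names on the `+b64_decode_depth` through `+uu_decode_depth` lines are bare lines, which asciidoc renders as one run-on paragraph; make them a bullet list (`* b64_decode_depth`) or a literal block. The removed heading `-===== bitenc_decode_depth * default to 25` was the only place the SMTP-specific default of 25 was recorded, and the SMTP module change in this same patch raises those defaults to 1460; that is worth one sentence here rather than leaving readers to infer it from the POP/IMAP text.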
===== Log Options
using namespace snort;
using namespace std;
-#define IMAP_UNKNOWN_CMD_STR "unknown IMAP3 command"
-#define IMAP_UNKNOWN_RESP_STR "unknown IMAP3 response"
-#define IMAP_B64_DECODING_FAILED_STR "base64 decoding failed"
-#define IMAP_QP_DECODING_FAILED_STR "quoted-printable decoding failed"
-#define IMAP_UU_DECODING_FAILED_STR "Unix-to-Unix decoding failed"
-
static const Parameter s_params[] =
{
{ "b64_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
- "base64 decoding depth" },
+ "base64 decoding depth (-1 no limit)" },
{ "bitenc_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
- "non-Encoded MIME attachment extraction depth" },
+ "non-Encoded MIME attachment extraction depth (-1 no limit)" },
{ "qp_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
- "quoted Printable decoding depth" },
+ "quoted Printable decoding depth (-1 no limit)" },
{ "uu_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
- "Unix-to-Unix decoding depth" },
+ "Unix-to-Unix decoding depth (-1 no limit)" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
static const RuleMap imap_rules[] =
{
- { IMAP_UNKNOWN_CMD, IMAP_UNKNOWN_CMD_STR },
- { IMAP_UNKNOWN_RESP, IMAP_UNKNOWN_RESP_STR },
- { IMAP_B64_DECODING_FAILED, IMAP_B64_DECODING_FAILED_STR },
- { IMAP_QP_DECODING_FAILED, IMAP_QP_DECODING_FAILED_STR },
- { IMAP_UU_DECODING_FAILED, IMAP_UU_DECODING_FAILED_STR },
+ { IMAP_UNKNOWN_CMD, "unknown IMAP3 command" },
+ { IMAP_UNKNOWN_RESP, "unknown IMAP3 response" },
+ { IMAP_B64_DECODING_FAILED, "base64 decoding failed" },
+ { IMAP_QP_DECODING_FAILED, "quoted-printable decoding failed" },
+ { IMAP_UU_DECODING_FAILED, "Unix-to-Unix decoding failed" },
{ 0, nullptr }
};
bool ImapModule::set(const char*, Value& v, SnortConfig*)
{
+ const long value = v.get_long();
+ const long mime_value = (value > 0) ? value : -(value+1); // flip 0 and -1 for MIME processing
if ( v.is("b64_decode_depth") )
- {
- int decode_depth = v.get_long();
-
- if ((decode_depth > 0) && (decode_depth & 3))
- {
- decode_depth += 4 - (decode_depth & 3);
- if (decode_depth > 65535 )
- {
- decode_depth = decode_depth - 4; // FIXIT-H what does this do?
- }
- ParseWarning(WARN_CONF, "IMAP: 'b64_decode_depth' is not a multiple of 4. "
- "Rounding up to the next multiple of 4. The new 'b64_decode_depth' is %d.\n",
- decode_depth);
- }
- config->decode_conf.set_b64_depth(decode_depth);
- }
+ config->decode_conf.set_b64_depth(mime_value);
else if ( v.is("bitenc_decode_depth") )
- config->decode_conf.set_bitenc_depth(v.get_long());
-
+ config->decode_conf.set_bitenc_depth(mime_value);
else if ( v.is("qp_decode_depth") )
- config->decode_conf.set_qp_depth(v.get_long());
-
+ config->decode_conf.set_qp_depth(mime_value);
else if ( v.is("uu_decode_depth") )
- config->decode_conf.set_uu_depth(v.get_long());
-
+ config->decode_conf.set_uu_depth(mime_value);
else
return false;
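Review bot: the replacement `+ config->decode_conf.set_b64_depth(mime_value);` drops the rounding of b64_decode_depth up to a multiple of 4 and its ParseWarning without a stated reason. If the base64 decoder still needs a depth that is a multiple of 4, that adjustment has to live somewhere, most naturally inside set_b64_depth() so all three modules get it; if it no longer matters, say so in the commit message, since a value such as 1461 is now passed through silently where it used to produce a warning (and the removed `// FIXIT-H what does this do?` question is answered only by deletion). Separately, `+ const long mime_value = (value > 0) ? value : -(value+1);` is evaluated before the option name is checked, so v.get_long() runs for every option; harmless while the module has only these four integer parameters, but the conversion belongs inside the branches (as the SMTP module version does) so a future string parameter cannot trip it. Minor: the help strings "non-Encoded" and "quoted Printable" here differ in capitalisation from the POP module's "Non-Encoded" and "Quoted Printable"; pick one spelling, since these strings are what the module help prints.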
using namespace snort;
using namespace std;
-#define POP_UNKNOWN_CMD_STR "unknown POP3 command"
-#define POP_UNKNOWN_RESP_STR "unknown POP3 response"
-#define POP_B64_DECODING_FAILED_STR "base64 decoding failed"
-#define POP_QP_DECODING_FAILED_STR "quoted-printable decoding failed"
-#define POP_UU_DECODING_FAILED_STR "Unix-to-Unix decoding failed"
-
static const Parameter s_params[] =
{
{ "b64_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
- " base64 decoding depth" },
+ "base64 decoding depth (-1 no limit)" },
{ "bitenc_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
- " Non-Encoded MIME attachment extraction depth" },
+ "Non-Encoded MIME attachment extraction depth (-1 no limit)" },
{ "qp_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
- " Quoted Printable decoding depth" },
+ "Quoted Printable decoding depth (-1 no limit)" },
{ "uu_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
- " Unix-to-Unix decoding depth" },
+ "Unix-to-Unix decoding depth (-1 no limit)" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
static const RuleMap pop_rules[] =
{
- { POP_UNKNOWN_CMD, POP_UNKNOWN_CMD_STR },
- { POP_UNKNOWN_RESP, POP_UNKNOWN_RESP_STR },
- { POP_B64_DECODING_FAILED, POP_B64_DECODING_FAILED_STR },
- { POP_QP_DECODING_FAILED, POP_QP_DECODING_FAILED_STR },
- { POP_UU_DECODING_FAILED, POP_UU_DECODING_FAILED_STR },
-
+ { POP_UNKNOWN_CMD, "unknown POP3 command" },
+ { POP_UNKNOWN_RESP, "unknown POP3 response" },
+ { POP_B64_DECODING_FAILED, "base64 decoding failed" },
+ { POP_QP_DECODING_FAILED, "quoted-printable decoding failed" },
+ { POP_UU_DECODING_FAILED, "Unix-to-Unix decoding failed" },
{ 0, nullptr }
};
bool PopModule::set(const char*, Value& v, SnortConfig*)
{
+ const long value = v.get_long();
+ const long mime_value = (value > 0) ? value : -(value+1); // flip 0 and -1 for MIME processing
if ( v.is("b64_decode_depth") )
- {
- int decode_depth = v.get_long();
-
- if ((decode_depth > 0) && (decode_depth & 3))
- {
- decode_depth += 4 - (decode_depth & 3);
- if (decode_depth > 65535 )
- {
- decode_depth = decode_depth - 4;
- }
- ParseWarning(WARN_CONF,
- "POP: 'b64_decode_depth' is not a multiple of 4. "
- "Rounding up to the next multiple of 4. "
- "The new 'b64_decode_depth' is %d.\n",
- decode_depth);
- }
- config->decode_conf.set_b64_depth(decode_depth);
- }
+ config->decode_conf.set_b64_depth(mime_value);
else if ( v.is("bitenc_decode_depth") )
- config->decode_conf.set_bitenc_depth(v.get_long());
-
+ config->decode_conf.set_bitenc_depth(mime_value);
else if ( v.is("qp_decode_depth") )
- config->decode_conf.set_qp_depth(v.get_long());
-
+ config->decode_conf.set_qp_depth(mime_value);
else if ( v.is("uu_decode_depth") )
- config->decode_conf.set_uu_depth(v.get_long());
-
+ config->decode_conf.set_uu_depth(mime_value);
else
return false;
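Review bot: `+ const long mime_value = (value > 0) ? value : -(value+1);` here is character-for-character the same as the IMAP module's and is repeated four more times in the SMTP module; the 0/-1 swap is the whole point of this change, so put it in one place (a small helper next to DecodeConfig, or inside the set_*_depth() setters themselves) and document the convention once: user value 0 = off, -1 = unlimited; internal value -1 = off, 0 = unlimited. That also makes the `// flip 0 and -1 for MIME processing` comment the single description of why the negation happens instead of one that must be kept in sync across three files.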
{ "auth_cmds", Parameter::PT_STRING, nullptr, nullptr,
"commands that initiate an authentication exchange" },
+ { "b64_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+ "depth used to decode the base64 encoded MIME attachments (-1 no limit)" },
+
{ "binary_data_cmds", Parameter::PT_STRING, nullptr, nullptr,
"commands that initiate sending of data and use a length value after the command" },
- { "bitenc_decode_depth", Parameter::PT_INT, "-1:65535", "25",
- "depth used to extract the non-encoded MIME attachments" },
-
- { "b64_decode_depth", Parameter::PT_INT, "-1:65535", "25",
- "depth used to decode the base64 encoded MIME attachments" },
+ { "bitenc_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+ "depth used to extract the non-encoded MIME attachments (-1 no limit)" },
{ "data_cmds", Parameter::PT_STRING, nullptr, nullptr,
"commands that initiate sending of data with an end of data delimiter" },
"log the SMTP email headers extracted from SMTP data" },
{ "log_filename", Parameter::PT_BOOL, nullptr, "false",
- "log the MIME attachment filenames extracted from the Content-Disposition header within the MIME body" },
+ "log the MIME attachment filenames extracted from the Content-Disposition header within"
+ " the MIME body" },
{ "log_mailfrom", Parameter::PT_BOOL, nullptr, "false",
"log the sender's email address extracted from the MAIL FROM command" },
{ "normalize_cmds", Parameter::PT_STRING, nullptr, nullptr,
"list of commands to normalize" },
- { "qp_decode_depth", Parameter::PT_INT, "-1:65535", "25",
- "quoted-Printable decoding depth" },
+ { "qp_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+ "quoted-Printable decoding depth (-1 no limit)" },
- { "uu_decode_depth", Parameter::PT_INT, "-1:65535", "25",
- "unix-to-Unix decoding depth" },
+ { "uu_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+ "Unix-to-Unix decoding depth (-1 no limit)" },
{ "valid_cmds", Parameter::PT_STRING, nullptr, nullptr,
"list of valid commands" },
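Review bot: the four `"25"` to `"1460"` default changes (`+ { "b64_decode_depth", Parameter::PT_INT, "-1:65535", "1460",` and the bitenc, qp and uu entries) change out-of-the-box SMTP behaviour, since 1460 bytes of each attachment are now decoded where 25 were before; that needs to be stated in the commit message and in the SMTP documentation, which this patch only redirects to the POP/IMAP text. The qp entry keeps a lower-case "quoted-Printable" while the neighbouring entries are capitalised; match the `Unix-to-Unix` entry's style. Moving b64_decode_depth ahead of binary_data_cmds keeps the table alphabetical, which is the right fix.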
else if ( v.is("b64_decode_depth") )
{
- int decode_depth = v.get_long();
-
- if ((decode_depth > 0) && (decode_depth & 3))
- {
- decode_depth += 4 - (decode_depth & 3);
- if (decode_depth > 65535 )
- {
- decode_depth = decode_depth - 4;
- }
- ParseWarning(WARN_CONF, "SMTP: 'b64_decode_depth' is not a multiple of 4. "
- "Rounding up to the next multiple of 4. The new 'b64_decode_depth' is %d.\n",
- decode_depth);
- }
- config->decode_conf.set_b64_depth(decode_depth);
+ const long value = v.get_long();
+ const long mime_value = (value > 0) ? value : -(value+1);
+ config->decode_conf.set_b64_depth(mime_value);
}
else if ( v.is("bitenc_decode_depth") )
- config->decode_conf.set_bitenc_depth(v.get_long());
+ {
+ const long value = v.get_long();
+ const long mime_value = (value > 0) ? value : -(value+1);
+ config->decode_conf.set_bitenc_depth(mime_value);
+ }
else if ( v.is("command") )
names = v.get_string();
add_commands(v, PCMD_NORM);
else if ( v.is("qp_decode_depth") )
- config->decode_conf.set_qp_depth(v.get_long());
+ {
+ const long value = v.get_long();
+ const long mime_value = (value > 0) ? value : -(value+1);
+ config->decode_conf.set_qp_depth(mime_value);
+ }
else if ( v.is("valid_cmds"))
add_commands(v, PCMD_VALID);
else if ( v.is("uu_decode_depth") )
- config->decode_conf.set_uu_depth(v.get_long());
+ {
+ const long value = v.get_long();
+ const long mime_value = (value > 0) ? value : -(value+1);
+ config->decode_conf.set_uu_depth(mime_value);
+ }
else if ( v.is("xlink2state") )
config->xlink2state = (XLINK2STATE)v.get_long();
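Review bot: the `value`/`mime_value` pair is pasted into four branches (`+ const long mime_value = (value > 0) ? value : -(value+1);` under b64, bitenc, qp and uu) and, unlike the IMAP and POP copies, carries no comment explaining the swap; a one-line helper called from each branch would remove the repetition and give the explanation a single home. The removed `SMTP: 'b64_decode_depth' is not a multiple of 4` warning was also the only ParseWarning for these options, so as in the other two modules an odd b64 depth is now accepted silently; confirm that is intended.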
TableApi& table_api;
RuleApi& rule_api;
-#if 0
- Forward declaration of parsing methods.Since these are all inline,
- unable to forward declare in regular code.
-
- inline bool eat_option(std::istringstream& stream);
- inline bool parse_string_option(std::string opt_name,
- std::istringstream& stream);
- inline bool parse_int_option(std::string opt_name,
- std::istringstream& stream, bool append);
- inline bool parse_curly_bracket_list(std::string list_name,
- std::istringstream& stream);
- inline bool parse_yn_bool_option(std::string opt_name,
- std::istringstream& stream, bool append);
- inline bool parse_bracketed_byte_list(std::string list_name,
- std::istringstream& stream);
- inline bool parse_bracketed_unsupported_list(std::string list_name,
- std::istringstream& stream);
- inline bool parse_deleted_option(std::string table_name,
- std::istringstream& stream);
-
- // rules have no order. Function placed here because every rule
- // uses this.
- inline bool set_next_rule_state(std::istringstream& stream)
-
-#endif
-
inline bool eat_option(std::istringstream& stream)
{
std::string val;
return false;
}
+ // Like parse_int_option() but reverses -1 and 0 values
+ inline bool parse_int_option_reverse_m10(const std::string& opt_name,
+ std::istringstream& stream)
+ {
+ int val;
+
+ if (stream >> val)
+ {
+ val = !val ? -1 : ( val == -1 ? 0 : val );
+ table_api.add_option(opt_name, val);
+ return true;
+ }
+
+ table_api.add_comment("snort.conf missing argument for: " + opt_name + " <int>");
+ return false;
+ }
+
// parse and add a curly bracketed list to the table
inline bool parse_curly_bracket_list(const std::string& list_name, std::istringstream& stream)
{
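Review bot: `+ inline bool parse_int_option_reverse_m10(const std::string& opt_name,` does what it says, but the name does not say it: "reverse_m10" has to be decoded by the reader, and the comment `// Like parse_int_option() but reverses -1 and 0 values` gives no reason. Put the reason in the comment (the Snort 2 depth options used -1 = off and 0 = unlimited; the Snort 3 options use 0 = off and -1 = unlimited) so the next maintainer does not "fix" the swap. Unlike parse_int_option() it has no `append` flag, so callers that previously passed `false` lose nothing, but that asymmetry should be a deliberate choice. Removing the `#if 0` forward-declaration list is fine; it was dead text that had already drifted from the real signatures.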
public:
HttpInspectServer(Converter& c) : ConversionState(c) { }
bool convert(std::istringstream& data_stream) override;
- bool reverse_depths(const std::string& opt_name, std::istringstream& stream)
- {
- int val;
-
- if (stream >> val)
- {
- val = !val ? -1 : ( val == -1 ? 0 : val );
- table_api.add_option(opt_name, val);
- return true;
- }
-
- table_api.add_comment("snort.conf missing argument for: " + opt_name + " <int>");
- return false;
- }
private:
static int binding_id;
else if (keyword == "server_flow_depth" || keyword == "flow_depth")
{
table_api.add_diff_option_comment(keyword, "response_depth");
- tmpval = reverse_depths("response_depth", data_stream);
+ tmpval = parse_int_option_reverse_m10("response_depth", data_stream);
}
else if (keyword == "client_flow_depth")
{
table_api.add_diff_option_comment("client_flow_depth", "request_depth");
- tmpval = reverse_depths("request_depth", data_stream);
+ tmpval = parse_int_option_reverse_m10("request_depth", data_stream);
}
else if (keyword == "chunk_length")
parse_deleted_option("chunk_length", data_stream);
else if (keyword == "b64_decode_depth")
{
- tmpval = parse_int_option("b64_decode_depth", data_stream, false);
+ tmpval = parse_int_option_reverse_m10("b64_decode_depth", data_stream);
}
else if (keyword == "qp_decode_depth")
{
- tmpval = parse_int_option("qp_decode_depth", data_stream, false);
+ tmpval = parse_int_option_reverse_m10("qp_decode_depth", data_stream);
}
else if (keyword == "bitenc_decode_depth")
{
- tmpval = parse_int_option("bitenc_decode_depth", data_stream, false);
+ tmpval = parse_int_option_reverse_m10("bitenc_decode_depth", data_stream);
}
else if (keyword == "uu_decode_depth")
{
- tmpval = parse_int_option("uu_decode_depth", data_stream, false);
+ tmpval = parse_int_option_reverse_m10("uu_decode_depth", data_stream);
}
else if (keyword == "ports")
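Review bot: switching `- tmpval = parse_int_option("b64_decode_depth", data_stream, false);` to the reversing helper changes the number written into the generated lua (a snort.conf `b64_decode_depth 0` becomes `b64_decode_depth = -1`) with nothing in the output saying why. The http_inspect branches above call table_api.add_diff_option_comment() before reversing; do the equivalent here, with a comment noting the meaning swap, so someone diffing the converted file against the old conf can see the flip is intentional. The same applies to the pop and smtp converter hunks that follow, which make identical substitutions.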
else if (keyword == "b64_decode_depth")
{
- tmpval = parse_int_option("b64_decode_depth", data_stream, false);
+ tmpval = parse_int_option_reverse_m10("b64_decode_depth", data_stream);
}
else if (keyword == "qp_decode_depth")
{
- tmpval = parse_int_option("qp_decode_depth", data_stream, false);
+ tmpval = parse_int_option_reverse_m10("qp_decode_depth", data_stream);
}
else if (keyword == "bitenc_decode_depth")
{
- tmpval = parse_int_option("bitenc_decode_depth", data_stream, false);
+ tmpval = parse_int_option_reverse_m10("bitenc_decode_depth", data_stream);
}
else if (keyword == "uu_decode_depth")
{
- tmpval = parse_int_option("uu_decode_depth", data_stream, false);
+ tmpval = parse_int_option_reverse_m10("uu_decode_depth", data_stream);
}
else if (keyword == "ports")
}
else if (keyword == "b64_decode_depth")
{
- tmpval = parse_int_option("b64_decode_depth", data_stream, false);
+ tmpval = parse_int_option_reverse_m10("b64_decode_depth", data_stream);
}
else if (keyword == "qp_decode_depth")
{
- tmpval = parse_int_option("qp_decode_depth", data_stream, false);
+ tmpval = parse_int_option_reverse_m10("qp_decode_depth", data_stream);
}
else if (keyword == "bitenc_decode_depth")
{
- tmpval = parse_int_option("bitenc_decode_depth", data_stream, false);
+ tmpval = parse_int_option_reverse_m10("bitenc_decode_depth", data_stream);
}
else if (keyword == "uu_decode_depth")
{
- tmpval = parse_int_option("uu_decode_depth", data_stream, false);
+ tmpval = parse_int_option_reverse_m10("uu_decode_depth", data_stream);
}
else if (keyword == "alt_max_command_line_len")
{