Merge pull request #2735 in SNORT/snort3 from ~SHRARANG/snort3:appid_remove_obsolete_...
authorShravan Rangarajuvenkata (shrarang) <shrarang@cisco.com>
Tue, 9 Feb 2021 14:11:48 +0000 (14:11 +0000)
committerShravan Rangarajuvenkata (shrarang) <shrarang@cisco.com>
Tue, 9 Feb 2021 14:11:48 +0000 (14:11 +0000)
Squashed commit of the following:

commit 37dc196d8111a349c7acb34d2333a70dc1d6fde1
Author: Shravan Rangaraju <shrarang@cisco.com>
Date:   Fri Feb 5 09:45:23 2021 -0500

    appid: remove detectors for obsolete apps - AOL instant messenger and Yahoo messenger

13 files changed:
src/network_inspectors/appid/CMakeLists.txt
src/network_inspectors/appid/application_ids.h
src/network_inspectors/appid/client_plugins/client_app_aim.cc [deleted file]
src/network_inspectors/appid/client_plugins/client_app_aim.h [deleted file]
src/network_inspectors/appid/client_plugins/client_app_ym.cc [deleted file]
src/network_inspectors/appid/client_plugins/client_app_ym.h [deleted file]
src/network_inspectors/appid/client_plugins/client_discovery.cc
src/network_inspectors/appid/client_plugins/test/CMakeLists.txt [deleted file]
src/network_inspectors/appid/client_plugins/test/client_app_aim_test.cc [deleted file]
src/network_inspectors/appid/client_plugins/test/client_plugin_mock.h [deleted file]
src/network_inspectors/appid/service_plugins/service_discovery.cc
src/network_inspectors/appid/service_plugins/service_flap.cc [deleted file]
src/network_inspectors/appid/service_plugins/service_flap.h [deleted file]

index 20431ae59c06e4de92965f14d9b090eac883efa0..5e9c8a4027ca7b45ff7c4cc4fecb9a3c923d987c 100644 (file)
@@ -14,8 +14,6 @@ set (APPID_INCLUDES
 set ( APPID_INCLUDE_DIR ${CMAKE_CURRENT_SOURCE_DIR} )
 
 set ( CP_APPID_SOURCES
-    client_plugins/client_app_aim.cc
-    client_plugins/client_app_aim.h
     client_plugins/client_app_bit.cc
     client_plugins/client_app_bit.h
     client_plugins/client_app_bit_tracker.cc
@@ -34,8 +32,6 @@ set ( CP_APPID_SOURCES
     client_plugins/client_app_tns.h
     client_plugins/client_app_vnc.cc
     client_plugins/client_app_vnc.h
-    client_plugins/client_app_ym.cc
-    client_plugins/client_app_ym.h
     client_plugins/client_detector.cc
     client_plugins/client_detector.h
     client_plugins/client_discovery.cc
@@ -61,8 +57,6 @@ set ( SP_APPID_SOURCES
     service_plugins/service_direct_connect.h
     service_plugins/service_discovery.cc
     service_plugins/service_discovery.h
-    service_plugins/service_flap.cc
-    service_plugins/service_flap.h
     service_plugins/service_ftp.cc
     service_plugins/service_ftp.h
     service_plugins/service_irc.cc
@@ -223,7 +217,6 @@ add_library(appid OBJECT
 
 target_include_directories ( appid PRIVATE ${APPID_INCLUDE_DIR} )
 
-add_subdirectory(client_plugins/test)
 add_subdirectory(service_plugins/test)
 add_subdirectory(detector_plugins/test)
 add_subdirectory(test)
index fedca093b67415b8d71ae4bd7228dbb7bc0c6d55..2dcaa407caf98b34f76488cd5ec956260bca6a2a 100644 (file)
@@ -555,7 +555,6 @@ enum ApplicationIds : AppId
     APP_ID_XNS                            = 520,
     APP_ID_XYPLEX                         = 521,
     APP_ID_YAHOO_GAMES                    = 522,
-    APP_ID_YAHOO_MSG_FILE_TRANSFER        = 523,
     APP_ID_YAHOO                          = 524,
     APP_ID_Z3950                          = 525,
     APP_ID_ZANNET                         = 526,
@@ -579,7 +578,6 @@ enum ApplicationIds : AppId
     APP_ID_AMERICAN_EXPRESS               = 544,
     APP_ID_ANDROID_BROWSER                = 545,
     APP_ID_AOL_EMAIL                      = 546,
-    APP_ID_AOL_INSTANT_MESSENGER          = 547,
     APP_ID_AOL_SOFTWARE                   = 549,
     APP_ID_APPLE_EMAIL                    = 550,
     APP_ID_APPLE_STORE                    = 551,
@@ -965,7 +963,6 @@ enum ApplicationIds : AppId
     APP_ID_ZAPPOS                         = 931,
     APP_ID_ZIP_CA                         = 932,
     APP_ID_ZOOOMR                         = 933,
-    APP_ID_YAHOO_MSG                      = 936,
     APP_ID_YAHOOMAIL                      = 946,
     APP_ID_YAHOO_TOOLBAR                  = 947,
     APP_ID_RSYNC                          = 1097,
@@ -977,7 +974,6 @@ enum ApplicationIds : AppId
     APP_ID_X_WAV                          = 1104,
     APP_ID_MPA                            = 1105,
     APP_ID_MP4A                           = 1106,
-    APP_ID_AOL_NETSCAPE                   = 1107,
     APP_ID_SMTP_IMO                       = 1108,
     APP_ID_DDM_SSL                        = 1111,
     APP_ID_SMTPS                          = 1112,
diff --git a/src/network_inspectors/appid/client_plugins/client_app_aim.cc b/src/network_inspectors/appid/client_plugins/client_app_aim.cc
deleted file mode 100644 (file)
index 7ce86d7..0000000
+++ /dev/null
@@ -1,244 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation.  You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// client_app_aim.cc author Sourcefire Inc.
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "client_app_aim.h"
-
-#include "app_info_table.h"
-
-#pragma pack(1)
-
-struct FLAPFNACSignOn
-{
-    uint16_t len;
-};
-
-struct FLAPFNAC
-{
-    uint16_t family;
-    uint16_t subtype;
-    uint16_t flags;
-    uint32_t id;
-};
-
-struct FLAPTLV
-{
-    uint16_t subtype;
-    uint16_t len;
-};
-
-struct FLAPHeader
-{
-    uint8_t start;
-    uint8_t channel;
-    uint16_t seq;
-    uint16_t len;
-};
-
-#pragma pack()
-
-#define MAX_VERSION_SIZE    64
-
-static const uint8_t NEW_CONNECTION[] = "\x02a\x001";
-static const uint8_t AIM_PROTOCOL_VERSION[] = "\x000\x004\x000\x000\x000\x001";
-static const uint8_t OLDER_AOL[] = "AOL Instant Messenger";
-static const uint8_t AOL[] = "imApp";
-static const uint8_t NETSCAPE_AOL[] = "Netscape 2000 an approved user of AOL Instant Messenger";
-
-AimClientDetector::AimClientDetector(ClientDiscovery* cdm)
-{
-    handler = cdm;
-    name = "AIM";
-    proto = IpProtocol::TCP;
-    minimum_matches = 2;
-    provides_user = true;
-
-    tcp_patterns =
-    {
-        { NEW_CONNECTION, sizeof(NEW_CONNECTION) - 1, 0, 0, 0 },
-        { AIM_PROTOCOL_VERSION, sizeof(AIM_PROTOCOL_VERSION) - 1, 4, 0, 0 },
-        { OLDER_AOL, sizeof(OLDER_AOL) - 1, -1, 0, APP_ID_AOL_INSTANT_MESSENGER },
-        { AOL, sizeof(AOL) - 1, -1, 0, APP_ID_AOL_INSTANT_MESSENGER },
-        { NETSCAPE_AOL, sizeof(NETSCAPE_AOL) - 1, -1, 0, APP_ID_AOL_NETSCAPE },
-    };
-
-    appid_registry =
-    {
-        { APP_ID_AOL_NETSCAPE, APPINFO_FLAG_CLIENT_ADDITIONAL | APPINFO_FLAG_CLIENT_USER },
-        { APP_ID_AOL_INSTANT_MESSENGER, APPINFO_FLAG_CLIENT_ADDITIONAL |
-          APPINFO_FLAG_CLIENT_USER },
-    };
-
-    handler->register_detector(name, this, proto);
-}
-
-
-template<typename Hdr>
-static inline const Hdr* advance(const uint8_t*& cur, const uint8_t* const end)
-{
-    assert(end >= cur);
-    if ( (size_t)(end - cur) < sizeof(Hdr) )
-        return nullptr;
-
-    cur += sizeof(Hdr);
-    return reinterpret_cast<const Hdr*>(cur);
-}
-
-static inline bool check_username(
-    const uint8_t* const data, const FLAPTLV* tlv, char* const buf, char* const buf_end)
-{
-    const uint8_t* const end = data + tlv->len;
-    char* ptr = buf;
-
-    for ( const uint8_t* cur = data; cur < end; ++cur )
-    {
-        if (isalnum(*cur) || *cur == '.' || *cur == '@' || *cur == '-' || *cur == '_')
-        {
-            if ( ptr < buf_end )
-                *ptr++ = *cur;
-        }
-        else
-            return false;
-    }
-
-    *ptr = '\0';
-
-    return true;
-}
-
-int AimClientDetector::validate(AppIdDiscoveryArgs& args)
-{
-    if ( args.dir != APP_ID_FROM_INITIATOR )
-        return APPID_INPROCESS;
-
-    const uint8_t* const end = args.data + args.size;
-    const uint8_t* cur = args.data;
-
-    while ( cur < end )
-    {
-        auto fh = advance<FLAPHeader>(cur, end);
-        if ( !fh )
-            goto bail;
-
-        if (fh->start != 0x2a || fh->channel < 1 || fh->channel > 5)
-            goto bail;
-
-        uint16_t len = ntohs(fh->len);
-
-        if (len > (end - cur))
-            goto bail;
-
-        bool check_user_name = false;
-
-        if ( fh->channel == 0x02 )
-        {
-            auto fnac = advance<FLAPFNAC>(cur, end);
-            if ( !fnac )
-                goto bail;
-
-            if (fnac->family == htons(0x0017) && fnac->subtype == htons(0x0006))
-                check_user_name = true;
-
-            len -= sizeof(*fnac);
-        }
-        else if ( fh->channel == 0x01 )
-        {
-            if ( len < 4 || memcmp(cur, &AIM_PROTOCOL_VERSION[2], 4) != 0 )
-                goto bail;
-
-            len -= 4;
-            cur += 4;
-        }
-
-        if ( len )
-        {
-            bool got_id = false;
-            uint16_t major = 0;
-            uint16_t minor = 0;
-            uint16_t lesser = 0;
-
-            const uint8_t* const frame_end = cur + len;
-
-            while ( cur < frame_end )
-            {
-                auto tlv = advance<FLAPTLV>(cur, frame_end);
-                if ( !tlv )
-                    goto bail;
-
-                if (frame_end - cur < tlv->len)
-                    goto bail;
-
-                switch ( ntohs(tlv->subtype) )
-                {
-                case 0x0001:
-                    if ( check_user_name )
-                    {
-                        constexpr auto USERNAME_LEN = 256;
-                        char username[USERNAME_LEN];
-
-                        if ( check_username(cur, tlv, username, username + USERNAME_LEN - 1) )
-                            add_user(args.asd, username, APP_ID_AOL_INSTANT_MESSENGER, true, args.change_bits);
-                    }
-                    break;
-                case 0x0003:
-                    got_id = true;
-                    break;
-                case 0x0017:
-                    got_id = true;
-                    major = ntohs(*(const uint16_t*)cur);
-                    break;
-                case 0x0018:
-                    got_id = true;
-                    minor = ntohs(*(const uint16_t*)cur);
-                    break;
-                case 0x0019:
-                    got_id = true;
-                    lesser = ntohs(*(const uint16_t*)cur);
-                    break;
-                default:
-                    break;
-                }
-
-                cur += tlv->len;
-            }
-
-            if ( got_id )
-            {
-                char version[MAX_VERSION_SIZE];
-
-                snprintf(version, sizeof(version), "%d.%d.%d", major, minor, lesser);
-                add_app(args.asd, APP_ID_AOL_INSTANT_MESSENGER, APP_ID_AOL_INSTANT_MESSENGER,
-                    version, args.change_bits);
-            }
-        }
-    }
-
-    return APPID_INPROCESS;
-
-bail:
-    // FIXIT-L - why are we setting client detected here?
-    args.asd.set_client_detected();
-    return APPID_SUCCESS;
-}
-
diff --git a/src/network_inspectors/appid/client_plugins/client_app_aim.h b/src/network_inspectors/appid/client_plugins/client_app_aim.h
deleted file mode 100644 (file)
index a169813..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation.  You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// client_app_aim.h author Sourcefire Inc.
-
-#ifndef CLIENT_APP_AIM_H
-#define CLIENT_APP_AIM_H
-
-#include "client_plugins/client_detector.h"
-
-class AimClientDetector : public ClientDetector
-{
-public:
-    AimClientDetector(ClientDiscovery*);
-
-    int validate(AppIdDiscoveryArgs&) override;
-};
-#endif
-
diff --git a/src/network_inspectors/appid/client_plugins/client_app_ym.cc b/src/network_inspectors/appid/client_plugins/client_app_ym.cc
deleted file mode 100644 (file)
index 1b91606..0000000
+++ /dev/null
@@ -1,154 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation.  You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// client_app_ym.cc author Sourcefire Inc.
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "client_app_ym.h"
-
-#include "app_info_table.h"
-#include "application_ids.h"
-
-#define MAX_VERSION_SIZE    64
-static const uint8_t APP_YMSG[] = "YMSG";
-
-YmDetector::YmDetector(ClientDiscovery* cdm)
-{
-    handler = cdm;
-    name = "YM";
-    proto = IpProtocol::TCP;
-    minimum_matches = 1;
-    provides_user = true;
-
-    tcp_patterns =
-    {
-        { APP_YMSG, sizeof(APP_YMSG) - 1, -1, 0, APP_ID_YAHOO_MSG },
-    };
-
-    appid_registry =
-    {
-        { APP_ID_YAHOO, APPINFO_FLAG_CLIENT_ADDITIONAL },
-        { APP_ID_YAHOO_MSG, APPINFO_FLAG_CLIENT_ADDITIONAL }
-    };
-
-    handler->register_detector(name, this, proto);
-}
-
-
-static const uint8_t* skip_separator(const uint8_t* data, const uint8_t* end)
-{
-    while ( data + 1 < end  )
-    {
-        if ( data[0] == 0xc0 && data[1] == 0x80 )
-            break;
-
-        data++;
-    }
-
-    data += 2;
-
-    return data;
-}
-
-int YmDetector::validate(AppIdDiscoveryArgs& args)
-{
-#define HEADERSIZE 20
-#define VERSIONID "135"
-#define SEPARATOR 0xc080
-
-    const uint8_t* end;
-    uint16_t len;
-    uint8_t version[MAX_VERSION_SIZE];
-    uint8_t* v;
-    uint8_t* v_end;
-    uint32_t product_id;
-
-    product_id = APP_ID_YAHOO;
-    memset(&version,0,sizeof(version));
-
-    if ( !args.data )
-        return APPID_ENULL;
-
-    if (args.dir != APP_ID_FROM_INITIATOR)
-        return APPID_INPROCESS;
-
-    /* Validate the packet using the length field, otherwise abort. */
-    if ( args.size < 10 )
-        return APPID_ENULL;
-
-    len = *((const uint16_t*)(args.data + 8));
-    len = ntohs(len);
-
-    if ( len != (args.size - HEADERSIZE) )
-        return APPID_ENULL;
-
-    end = args.data + args.size;
-
-    if ( args.size >= HEADERSIZE )
-    {
-        args.data += HEADERSIZE;
-    }
-
-    while ( args.data < end )
-    {
-        if ( end-args.data >= (int)sizeof(VERSIONID) && memcmp(args.data, VERSIONID,
-            sizeof(VERSIONID)-1) ==
-            0 )
-        {
-            args.data += sizeof(VERSIONID)-1;
-
-            if ( args.data + 2 >= end )  /* Skip the separator */
-                goto done;
-            else
-                args.data += 2;
-
-            product_id = APP_ID_YAHOO;
-
-            v = version;
-
-            v_end = v + (MAX_VERSION_SIZE - 1);
-
-            /* Get the version */
-            while ( args.data + 1 < end && v < v_end )
-            {
-                if ( args.data[0] == 0xc0 && args.data[1] == 0x80 )
-                    break;
-
-                *v = *args.data;
-                v++;
-                args.data++;
-            }
-
-            goto done;
-        }
-
-        args.data = skip_separator(args.data,end); /*skip to the command end separator */
-        args.data = skip_separator(args.data,end); /* skip to the command data end separator */
-    }
-
-    return APPID_INPROCESS;
-
-done:
-    add_app(args.asd, APP_ID_YAHOO, product_id, (char*)version, args.change_bits);
-    return APPID_SUCCESS;
-}
-
diff --git a/src/network_inspectors/appid/client_plugins/client_app_ym.h b/src/network_inspectors/appid/client_plugins/client_app_ym.h
deleted file mode 100644 (file)
index e7828cb..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation.  You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// client_app_ym.h author Sourcefire Inc.
-
-#ifndef CLIENT_APP_YM_H
-#define CLIENT_APP_YM_H
-
-#include "client_plugins/client_detector.h"
-
-class YmDetector : public ClientDetector
-{
-public:
-    YmDetector(ClientDiscovery*);
-
-    int validate(AppIdDiscoveryArgs&) override;
-};
-#endif
-
index b6ff74b201873904e7bd9f7ac1f533b91439a06f..a2b692c82c4141998079b3c2cfbc0f30962a6bd8 100644 (file)
@@ -31,7 +31,6 @@
 #include "app_info_table.h"
 #include "appid_debug.h"
 #include "appid_session.h"
-#include "client_app_aim.h"
 #include "client_app_bit_tracker.h"
 #include "client_app_bit.h"
 #include "client_app_msn.h"
@@ -53,7 +52,6 @@ using namespace snort;
 
 void ClientDiscovery::initialize()
 {
-    new AimClientDetector(this);
     new BitClientDetector(this);
     new BitTrackerClientDetector(this);
     new ImapClientDetector(this);
diff --git a/src/network_inspectors/appid/client_plugins/test/CMakeLists.txt b/src/network_inspectors/appid/client_plugins/test/CMakeLists.txt
deleted file mode 100644 (file)
index 42f8e48..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-
-include_directories ( appid PRIVATE ${APPID_INCLUDE_DIR} )
-
-add_cpputest( client_app_aim_test )
diff --git a/src/network_inspectors/appid/client_plugins/test/client_app_aim_test.cc b/src/network_inspectors/appid/client_plugins/test/client_app_aim_test.cc
deleted file mode 100644 (file)
index 7225cc6..0000000
+++ /dev/null
@@ -1,62 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2020-2020 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation.  You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// client_app_aim_test.cc author Kani Murthi<kamurthi@cisco.com>
-// unit test for client_app_aim_test.cc
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "network_inspectors/appid/client_plugins/client_app_aim.cc"
-#include "network_inspectors/appid/client_plugins/client_detector.cc"
-#include "protocols/packet.h"
-#include "client_plugin_mock.h"
-
-#include <CppUTest/CommandLineTestRunner.h>
-#include <CppUTest/TestHarness.h>
-#include <CppUTestExt/MockSupport.h>
-
-void ServiceDiscovery::initialize() {}
-void ServiceDiscovery::reload() {}
-int ServiceDiscovery::fail_service(AppIdSession&, const Packet*, AppidSessionDirection,
-    ServiceDetector*, ServiceDiscoveryState*) { return 0; }
-int ServiceDiscovery::add_service_port(AppIdDetector*,
-    const ServiceDetectorPort&) { return APPID_EINVALID; }
-
-TEST_GROUP(client_app_aim_test){};
-
-TEST(client_app_aim_test, check_username)
-{
-    uint8_t data[] = {"test@gmail.com\0"};
-    FLAPTLV tlv = {0x0001, 14};
-    char buf[256];
-    bool ret;
-    ret = check_username(data, &tlv, buf, buf + 255);
-    CHECK_TRUE(ret);
-    STRCMP_EQUAL(buf, "test@gmail.com");
-    uint8_t invalid_data[] = {"test^"};
-    tlv = {0x0001, 5};
-    ret = check_username(invalid_data, &tlv, buf, buf + 255);
-    CHECK_FALSE(ret);
-}
-
-int main(int argc, char** argv)
-{
-    int return_value = CommandLineTestRunner::RunAllTests(argc, argv);
-    return return_value;
-}
diff --git a/src/network_inspectors/appid/client_plugins/test/client_plugin_mock.h b/src/network_inspectors/appid/client_plugins/test/client_plugin_mock.h
deleted file mode 100644 (file)
index 439ec9d..0000000
+++ /dev/null
@@ -1,123 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2020-2020 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation.  You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-//--------------------------------------------------------------------------
-// client_plugins_mock.h author Kani Murthi <kamurthi@cisco.com>
-
-#ifndef CLIENT_PLUGIN_MOCK_H
-#define CLIENT_PLUGIN_MOCK_H
-
-#include "appid_detector.h"
-#include "appid_module.h"
-#include "appid_peg_counts.h"
-#include "utils/stats.h"
-namespace snort
-{
-// Stubs for messages
-void ParseWarning(WarningGroup, const char*, ...) { }
-
-// Stubs for appid sessions
-FlowData::FlowData(unsigned, Inspector*) { }
-FlowData::~FlowData() = default;
-
-// Stubs for packet
-Packet::Packet(bool) { }
-Packet::~Packet() = default;
-
-Inspector::Inspector() = default;
-Inspector::~Inspector() = default;
-bool Inspector::likes(Packet*) { return true; }
-bool Inspector::get_buf(const char*, Packet*, InspectionBuffer&) { return true; }
-class StreamSplitter* Inspector::get_splitter(bool) { return nullptr; }
-
-// Stubs for search_tool.cc
-SearchTool::SearchTool(const char*, bool) { }
-SearchTool::~SearchTool() = default;
-
-// Stubs for util.cc
-char* snort_strdup(const char* str)
-{
-    assert(str);
-    size_t n = strlen(str) + 1;
-    char* p = (char*)snort_alloc(n);
-    memcpy(p, str, n);
-    return p;
-}
-class InspectorManager
-{
-public:
-    SO_PUBLIC static Inspector* get_inspector(const char*, bool, SnortConfig*) {return nullptr;}
-};
-PegCount Module::get_global_count(char const*) const { return 0; }
-void Module::show_interval_stats(std::vector<unsigned int, std::allocator<unsigned int> >&, FILE*) {}
-void Module::show_stats(){}
-void Module::sum_stats(bool ){}
-void Module::reset_stats() {}
-}
-
-SslPatternMatchers::~SslPatternMatchers() { }
-SipPatternMatchers::~SipPatternMatchers() { }
-HttpPatternMatchers::~HttpPatternMatchers() { }
-DnsPatternMatchers::~DnsPatternMatchers() { }
-void ClientDiscovery::initialize() {}
-void ClientDiscovery::reload() {}
-
-int AppIdDetector::initialize(){return 0;}
-void AppIdDetector::reload() { }
-int AppIdDetector::data_add(AppIdSession&, void*, AppIdFreeFCN){return 0;}
-void* AppIdDetector::data_get(AppIdSession&) {return nullptr;}
-void AppIdDetector::add_user(AppIdSession&, const char*, AppId, bool, AppidChangeBits&){}
-void AppIdDetector::add_payload(AppIdSession&, AppId){}
-void AppIdDetector::add_app(const snort::Packet&, AppIdSession&, AppidSessionDirection, AppId, AppId, const char*, AppidChangeBits&){}
-void AppIdDiscovery::add_pattern_data(AppIdDetector*, snort::SearchTool&, int,
-        const uint8_t* const, unsigned, unsigned){}
-void AppIdDiscovery::register_detector(const std::string&, AppIdDetector*,  IpProtocol){}
-void add_pattern_data(AppIdDetector*, snort::SearchTool*, int,
-    const uint8_t* const, unsigned, unsigned) {}
-void AppIdDiscovery::register_tcp_pattern(AppIdDetector*, const uint8_t* const, unsigned,
-    int, unsigned){}
-void AppIdDiscovery::register_udp_pattern(AppIdDetector*, const uint8_t* const, unsigned,
-    int, unsigned){}
-int AppIdDiscovery::add_service_port(AppIdDetector*, const ServiceDetectorPort&){return 0;}
-void ApplicationDescriptor::set_id(const snort::Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&){}
-void ApplicationDescriptor::set_id(AppId){}
-AppIdDiscovery::~AppIdDiscovery() { }
-void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { }
-AppIdConfig config;
-AppIdContext ctxt(config);
-
-// Stubs for modules, config
-AppIdConfig::~AppIdConfig() = default;
-
-// Stubs for AppIdPegCounts
-void AppIdPegCounts::update_payload_count(AppId, bool) { }
-void AppIdPegCounts::update_client_count(AppId, bool) { }
-
-THREAD_LOCAL AppIdStats appid_stats;
-
-// Stubs for app_info_table.cc
-AppInfoTableEntry* AppInfoManager::get_app_info_entry(int)
-{
-    return nullptr;
-}
-
-bool AppInfoManager::configured()
-{
-    return true;
-}
-
-#endif
index 6523f180ed7191a3dd6bfdf06c1b990123025285..0c7dfff80ac774f181b491f3e2e8a2d4ce5dcae8 100644 (file)
@@ -50,7 +50,6 @@
 #include "service_bootp.h"
 #include "service_dcerpc.h"
 #include "service_direct_connect.h"
-#include "service_flap.h"
 #include "service_ftp.h"
 #include "service_irc.h"
 #include "service_lpr.h"
@@ -95,7 +94,6 @@ void ServiceDiscovery::initialize()
     new DirectConnectServiceDetector(this);
     new DnsTcpServiceDetector(this);
     new DnsUdpServiceDetector(this);
-    new FlapServiceDetector(this);
     new FtpServiceDetector(this);
     new ImapServiceDetector(this);
     new IrcServiceDetector(this);
diff --git a/src/network_inspectors/appid/service_plugins/service_flap.cc b/src/network_inspectors/appid/service_plugins/service_flap.cc
deleted file mode 100644 (file)
index 3627600..0000000
+++ /dev/null
@@ -1,212 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation.  You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// service_flap.cc author Sourcefire Inc.
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "service_flap.h"
-
-#define FLAP_PORT   5190
-
-enum FLAPState
-{
-    FLAP_STATE_ACK,
-    FLAP_STATE_COOKIE
-};
-
-#define FNAC_SIGNON 0x0017
-#define FNAC_GENERIC 0x0001
-#define FNAC_SUB_SIGNON_REPLY 0x0007
-#define FNAC_SUB_SERVER_READY 0x0003
-
-struct ServiceFLAPData
-{
-    FLAPState state;
-};
-
-#pragma pack(1)
-
-struct FLAPFNACSignOn
-{
-    uint16_t len;
-};
-
-struct FLAPFNAC
-{
-    uint16_t family;
-    uint16_t subtype;
-    uint16_t flags;
-    uint32_t id;
-};
-
-struct FLAPTLV
-{
-    uint16_t subtype;
-    uint16_t len;
-};
-
-struct FLAPHeader
-{
-    uint8_t start;
-    uint8_t type;
-    uint16_t seq;
-    uint16_t len;
-};
-
-#pragma pack()
-
-static uint8_t FLAP_PATTERN[] = { 0x2A, 0x01 };
-
-FlapServiceDetector::FlapServiceDetector(ServiceDiscovery* sd)
-{
-    handler = sd;
-    name = "flap";
-    proto = IpProtocol::TCP;
-    detectorType = DETECTOR_TYPE_DECODER;
-
-    tcp_patterns =
-    {
-        { FLAP_PATTERN, sizeof(FLAP_PATTERN), 0, 0, 0 },
-    };
-
-    appid_registry =
-    {
-        { APP_ID_AOL_INSTANT_MESSENGER, 0 }
-    };
-
-    service_ports =
-    {
-        { 5190, IpProtocol::TCP, false },
-        { 9898, IpProtocol::TCP, false },
-        { 4443, IpProtocol::TCP, false }
-    };
-
-    handler->register_detector(name, this, proto);
-}
-
-
-int FlapServiceDetector::validate(AppIdDiscoveryArgs& args)
-{
-    ServiceFLAPData* sf;
-    const uint8_t* data = args.data;
-    const FLAPHeader* hdr = (const FLAPHeader*)args.data;
-    uint16_t size = args.size;
-    const FLAPFNAC* ff;
-    const FLAPTLV* tlv;
-    uint16_t len;
-
-    if (!size)
-        goto inprocess;
-    if (args.dir != APP_ID_FROM_RESPONDER)
-        goto inprocess;
-
-    sf = (ServiceFLAPData*)data_get(args.asd);
-    if (!sf)
-    {
-        sf = (ServiceFLAPData*)snort_calloc(sizeof(ServiceFLAPData));
-        data_add(args.asd, sf, &snort_free);
-        sf->state = FLAP_STATE_ACK;
-    }
-
-    switch (sf->state)
-    {
-    case FLAP_STATE_ACK:
-        sf->state = FLAP_STATE_COOKIE;
-        if (size < sizeof(FLAPHeader))
-            goto fail;
-        if (hdr->start != 0x2A)
-            goto fail;
-        if (hdr->type != 0x01)
-            goto fail;
-        if (ntohs(hdr->len) != 4)
-            goto fail;
-        if (size - sizeof(FLAPHeader) != 4)
-            goto fail;
-        if (ntohl(*((const uint32_t*)(data + sizeof(FLAPHeader)))) != 0x00000001)
-            goto fail;
-        goto inprocess;
-    case FLAP_STATE_COOKIE:
-        if (size < sizeof(FLAPHeader) + sizeof(FLAPFNAC))
-            goto fail;
-        if (hdr->start != 0x2A)
-            goto fail;
-        if ((uint16_t)ntohs(hdr->len) != (uint16_t)(size - sizeof(FLAPHeader)))
-            goto fail;
-        if (hdr->type == 0x02)
-        {
-            ff = (const FLAPFNAC*)(data + sizeof(FLAPHeader));
-            if (ntohs(ff->family) == FNAC_SIGNON)
-            {
-                const FLAPFNACSignOn* ffs = (const FLAPFNACSignOn*)((const uint8_t*)ff + sizeof(FLAPFNAC));
-
-                if (ntohs(ff->subtype) != FNAC_SUB_SIGNON_REPLY)
-                    goto fail;
-                if ((uint16_t)ntohs(ffs->len) != (uint16_t)(size -
-                    (sizeof(FLAPHeader) +
-                    sizeof(FLAPFNAC) +
-                    sizeof(FLAPFNACSignOn))))
-                    goto fail;
-            }
-            else if (ntohs(ff->family) == FNAC_GENERIC)
-            {
-                if (ntohs(ff->subtype) != FNAC_SUB_SERVER_READY)
-                    goto fail;
-            }
-            else
-                goto fail;
-            goto success;
-        }
-        if (hdr->type == 0x04)
-        {
-            data += sizeof(FLAPHeader);
-            size -= sizeof(FLAPHeader);
-            while (size >= sizeof(FLAPTLV))
-            {
-                tlv = (const FLAPTLV*)data;
-                data += sizeof(FLAPTLV);
-                size -= sizeof(FLAPTLV);
-                len = ntohs(tlv->len);
-                if (size < len)
-                    goto fail;
-                size -= len;
-                data += len;
-            }
-            if (size)
-                goto fail;
-            goto success;
-        }
-        goto fail;
-    }
-
-fail:
-    fail_service(args.asd, args.pkt, args.dir);
-    return APPID_NOMATCH;
-
-success:
-    return add_service(args.change_bits, args.asd, args.pkt, args.dir,
-        APP_ID_AOL_INSTANT_MESSENGER);
-
-inprocess:
-    service_inprocess(args.asd, args.pkt, args.dir);
-    return APPID_INPROCESS;
-}
-
diff --git a/src/network_inspectors/appid/service_plugins/service_flap.h b/src/network_inspectors/appid/service_plugins/service_flap.h
deleted file mode 100644 (file)
index c468fdd..0000000
+++ /dev/null
@@ -1,37 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation.  You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// service_flap.h author Sourcefire Inc.
-
-#ifndef SERVICE_FLAP_H
-#define SERVICE_FLAP_H
-
-#include "service_detector.h"
-
-class ServiceDiscovery;
-
-class FlapServiceDetector : public ServiceDetector
-{
-public:
-    FlapServiceDetector(ServiceDiscovery*);
-
-    int validate(AppIdDiscoveryArgs&) override;
-};
-#endif
-