Merge pull request #2087 in SNORT/snort3 from ~NEHASH4/snort3:CSCvs29881 to master
authorBhargava Jandhyala (bjandhya) <bjandhya@cisco.com>
Thu, 18 Jun 2020 07:42:55 +0000 (07:42 +0000)
committerBhargava Jandhyala (bjandhya) <bjandhya@cisco.com>
Thu, 18 Jun 2020 07:42:55 +0000 (07:42 +0000)
Squashed commit of the following:

commit d778ed0b01db01711626f4e4d447dc2632d1ba5b
Author: neha sharma <nehash4@cisco.com>
Date:   Sat Apr 11 13:40:32 2020 -0400

    file: Making sure that file malware inspection is turned off and only file-type detection is enabled
          when file_id config is defined without any parameter.
          forcing file-policy lookup/evaluation for cached verdicts; file inspection is done only in the case of an unknown verdict
          HTTP inspector changed to use the decode depth from file_id config

src/file_api/file_cache.cc
src/file_api/file_module.cc
src/file_api/file_service.cc
src/file_api/file_service.h
src/service_inspectors/dce_rpc/dce_smb_utils.cc
src/service_inspectors/http_inspect/http_inspect.cc
src/service_inspectors/http_inspect/http_inspect.h
src/service_inspectors/http_inspect/http_msg_body.cc
src/service_inspectors/http_inspect/http_msg_header.cc
src/service_inspectors/http_inspect/http_msg_header.h
src/service_inspectors/http_inspect/http_stream_splitter_finish.cc

index a64397b750444ab9e1e4948dac1f1d4bd6f09502..b90f6b77895fc020a2429446bbfa1925c3bf8cd0 100644 (file)
@@ -219,16 +219,14 @@ FileVerdict FileCache::check_verdict(Packet* p, FileInfo* file,
     assert(file);
 
     FileVerdict verdict = policy->type_lookup(p, file);
-
-    if ( file->get_file_sig_sha256() and
-        ((verdict == FILE_VERDICT_UNKNOWN) or (verdict == FILE_VERDICT_STOP_CAPTURE)))
+    if (verdict == FILE_VERDICT_STOP_CAPTURE)
     {
-        verdict = policy->signature_lookup(p, file);
+        verdict = FILE_VERDICT_UNKNOWN;
     }
 
-    if ((verdict == FILE_VERDICT_UNKNOWN) or (verdict == FILE_VERDICT_STOP_CAPTURE))
+    if ( file->get_file_sig_sha256() and verdict == FILE_VERDICT_UNKNOWN )
     {
-        verdict = file->verdict;
+        verdict = policy->signature_lookup(p, file);
     }
 
     return verdict;
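Review bot: After the reordering, a FILE_VERDICT_STOP_CAPTURE result from `policy->signature_lookup(p, file)` on the new line is returned to the caller unchanged, whereas the removed code folded STOP_CAPTURE coming from either lookup. If signature_lookup can yield STOP_CAPTURE, the normalisation should follow the second lookup as well, e.g. `if (verdict == FILE_VERDICT_STOP_CAPTURE) verdict = FILE_VERDICT_UNKNOWN;`; if it cannot, a comment stating that would make the asymmetry intentional. Dropping the `verdict = file->verdict` fallback matches the commit message, but it deserves a one-line comment at the top of the lookup such as `// file->verdict is deliberately not used here; the policy is re-evaluated on every call` so the next reader does not re-add it. check_verdict begins before this hunk.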
index 8ae34ab0912b1651a744dec4e39fb61829524c97..40006d7e7d1017afa60efd822f4e3bac2c1344b6 100644 (file)
@@ -159,7 +159,7 @@ static const Parameter file_id_params[] =
     { "enable_type", Parameter::PT_BOOL, nullptr, "true",
       "enable type ID" },
 
-    { "enable_signature", Parameter::PT_BOOL, nullptr, "true",
+    { "enable_signature", Parameter::PT_BOOL, nullptr, "false",
       "enable signature calculation" },
 
     { "enable_capture", Parameter::PT_BOOL, nullptr, "false",
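Review bot: Flipping the `enable_signature` default from "true" to "false" silently changes what a bare `file_id = {}` configuration does: no SHA-256 is computed, so the `signature_lookup` branch in FileCache::check_verdict (guarded by `file->get_file_sig_sha256()` in this same commit) is never reached and hash-based verdicts stop being produced until the operator sets the option explicitly. The commit message describes the intent, but neither the help string nor a changelog entry tells existing users. I would extend the help text to `"enable signature calculation (off by default; required for sha256-based verdicts)"` or record the default change in the module documentation.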
@@ -186,6 +186,27 @@ static const Parameter file_id_params[] =
     { "verdict_delay", Parameter::PT_INT, "0:max53", "0",
       "number of queries to return final verdict" },
 
+    { "b64_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
+      "base64 decoding depth (-1 no limit)" },
+
+    { "bitenc_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
+      "Non-Encoded MIME attachment extraction depth (-1 no limit)" },
+
+    { "decompress_pdf", Parameter::PT_BOOL, nullptr, "false",
+      "decompress pdf files in MIME attachments" },
+
+    { "decompress_swf", Parameter::PT_BOOL, nullptr, "false",
+      "decompress swf files in MIME attachments" },
+
+    { "decompress_zip", Parameter::PT_BOOL, nullptr, "false",
+      "decompress zip files in MIME attachments" },
+
+    { "qp_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
+      "Quoted Printable decoding depth (-1 no limit)" },
+
+    { "uu_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
+      "Unix-to-Unix decoding depth (-1 no limit)" },
+
     { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
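Review bot: The help strings for the four depth parameters only explain `-1`; the handling in FileIdModule::set further down in this file (`value > 0 ? value : -(value+1)`) maps 0 and -1 to distinct internal values, so 0 evidently has its own meaning — presumably "disabled" — and that should be spelled out, e.g. `"base64 decoding depth (-1 no limit, 0 disabled)"` for each depth entry. The capitalisation of the new descriptions is also inconsistent (`"base64 ..."`, `"Non-Encoded ..."`, `"Quoted Printable ..."`, `"Unix-to-Unix ..."`) while the existing entries in this table are lowercase.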
 
@@ -272,29 +293,20 @@ bool FileIdModule::set(const char*, Value& v, SnortConfig*)
 
     else if ( v.is("enable_type") )
     {
-        if ( v.get_bool() )
-        {
-            fp.set_file_type(true);
-        }
+        fp.set_file_type(v.get_bool());
     }
     else if ( v.is("enable_signature") )
     {
-        if ( v.get_bool() )
-        {
-            fp.set_file_signature(true);
-        }
+        fp.set_file_signature(v.get_bool());
     }
     else if ( v.is("enable_capture") )
     {
-        if ( v.get_bool() )
+        if (v.get_bool() and Snort::is_reloading() and !FileService::is_file_capture_enabled())
         {
-            if (Snort::is_reloading() && !FileService::is_file_capture_enabled())
-            {
-                ReloadError("Changing file_id.enable_capture requires a restart.\n");
-                return false;
-            }
-            fp.set_file_capture(true);
+            ReloadError("Changing file_id.enable_capture requires a restart.\n");
+            return false;
         }
+        fp.set_file_capture(v.get_bool());
     }
     else if ( v.is("show_data_depth") )
         fc->show_data_depth = v.get_int64();
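Review bot: The reload guard on the `enable_capture` branch is now asymmetric: with `fp.set_file_capture(v.get_bool())` moved out of the `if`, a reload that turns capture from on to off is applied without the ReloadError, while turning it on still requires a restart. If file capture cannot be toggled at runtime in either direction, as the message "Changing file_id.enable_capture requires a restart" states, the condition should compare the requested and current state: `if (Snort::is_reloading() and v.get_bool() != FileService::is_file_capture_enabled())`. FileIdModule::set begins before this hunk and continues past it.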
@@ -313,6 +325,39 @@ bool FileIdModule::set(const char*, Value& v, SnortConfig*)
         fc->verdict_delay = v.get_int64();
         fp.set_verdict_delay(fc->verdict_delay);
     }
+    else if ( v.is("decompress_pdf") )
+        FileService::decode_conf.set_decompress_pdf(v.get_bool());
+
+    else if ( v.is("decompress_swf") )
+        FileService::decode_conf.set_decompress_swf(v.get_bool());
+
+    else if ( v.is("decompress_zip") )
+        FileService::decode_conf.set_decompress_zip(v.get_bool());
+
+    else if (v.is("b64_decode_depth"))
+    {
+        int32_t value = v.get_int32();
+        int32_t mime = value > 0 ? value : -(value+1);
+        FileService::decode_conf.set_b64_depth(mime);
+    }
+    else if (v.is("bitenc_decode_depth"))
+    {
+        int32_t value = v.get_int32();
+        int32_t mime = value > 0 ? value : -(value+1);
+        FileService::decode_conf.set_bitenc_depth(mime);
+    }
+    else if (v.is("qp_decode_depth"))
+    {
+        int32_t value = v.get_int32();
+        int32_t mime = value > 0 ? value : -(value+1);
+        FileService::decode_conf.set_qp_depth(mime);
+    }
+    else if (v.is("uu_decode_depth"))
+    {
+        int32_t value = v.get_int32();
+        int32_t mime = value > 0 ? value : -(value+1);
+        FileService::decode_conf.set_uu_depth(mime);
+    }
 
     else if ( v.is("file_rules") )
         return true;
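Review bot: The expression `value > 0 ? value : -(value+1)` is copied four times for the b64/bitenc/qp/uu depth branches with no explanation of why 0 and -1 are swapped on the way into DecodeConfig. A small file-local helper with a comment would remove the duplication and give the conversion a name; the semantics of 0 (presumably "disabled") should be confirmed and stated in that comment, since the parameter help text only documents -1. FileIdModule::set begins before this hunk and continues past it.
```cpp
// Translate the user-facing depth (-1 = no limit) into the DecodeConfig
// convention: positive values pass through, -1 and 0 swap.
// TODO confirm that 0 means "disabled" and document it in the help text.
static int32_t to_mime_depth(const int32_t value)
{
    return value > 0 ? value : -(value + 1);
}

// … unchanged: FileIdModule::set up to and including the decompress_* branches …
    else if (v.is("b64_decode_depth"))
        FileService::decode_conf.set_b64_depth(to_mime_depth(v.get_int32()));
    else if (v.is("bitenc_decode_depth"))
        FileService::decode_conf.set_bitenc_depth(to_mime_depth(v.get_int32()));
    else if (v.is("qp_decode_depth"))
        FileService::decode_conf.set_qp_depth(to_mime_depth(v.get_int32()));
    else if (v.is("uu_decode_depth"))
        FileService::decode_conf.set_uu_depth(to_mime_depth(v.get_int32()));
```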
index 8f371ad000289f1365d29b3bb0ac0f4d39156492..db43ff374b1117cfb425cbf869325c8e5b21e467 100644 (file)
@@ -47,6 +47,7 @@ bool FileService::file_capture_enabled = false;
 bool FileService::file_processing_initiated = false;
 
 FileCache* FileService::file_cache = nullptr;
+DecodeConfig FileService::decode_conf;
 
 // FIXIT-L make these params reloadable
 static int64_t max_files_cached = 0;
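Review bot: `FileService::decode_conf` is a process-wide mutable static (declared public in file_service.h in this same commit) that FileIdModule::set writes directly while a configuration is being parsed, unlike the other file_id settings, which go into the FileConfig owned by the SnortConfig under construction. During a reload the live MimeSession objects hold `&FileService::decode_conf` (http_msg_header.cc in this commit), so they would observe the new depths before the new config is swapped in, and a reload that later fails leaves the modified values behind. Moving DecodeConfig into FileConfig, or at least making the member private behind an accessor with a comment stating that it is intentionally reload-unsafe, would make the ownership explicit.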
@@ -177,6 +178,16 @@ int64_t FileService::get_max_file_depth()
     }
 }
 
+void FileService::reset_depths()
+{
+    FileConfig* file_config = get_file_config();
+    
+    if (file_config)
+        file_config->file_depth = 0;
+
+    decode_conf.sync_all_depths();
+}
+
 namespace snort
 {
 uint64_t get_file_processed_size(Flow* flow)
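Review bot: `reset_depths` zeroes `file_config->file_depth` and then calls `decode_conf.sync_all_depths()` with no comment on when it must run, and this commit adds no caller of it, so a reader cannot tell from the diff where the depths now get synchronised. A brief comment would help, e.g. `// Re-derive file_depth and the MIME decode depths after the file_id params have been set; call after FileIdModule::set has populated decode_conf.`, adjusted to the actual call site. The whitespace-only line after `FileConfig* file_config = get_file_config();` carries trailing spaces.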
index 2b504d199a2abaca525e6e7b50b761f225a00c9d..42da0312bafe10124f93dde4ceff5240f47cc7ab 100644 (file)
@@ -27,6 +27,7 @@
 #include "file_api/file_policy.h"
 #include "main/snort_config.h"
 #include "main/snort_types.h"
+#include "mime/file_mime_config.h"
 
 class FileEnforcer;
 class FileCache;
@@ -59,8 +60,10 @@ public:
     static bool is_file_capture_enabled() { return file_capture_enabled; }
     static bool is_file_service_enabled();
     static int64_t get_max_file_depth();
+    static void reset_depths();
 
     static FileCache* get_file_cache() { return file_cache; }
+    static DecodeConfig decode_conf;
 
 private:
     static bool file_type_id_enabled;
index 7586b650f2086e35be5657c633df503199b74e79..08f26cfcf4457f6980347c27445142c95772248e 100644 (file)
@@ -1345,8 +1345,10 @@ void DCE2_SmbAbortFileAPI(DCE2_SmbSsnData* ssd)
 static FileContext* DCE2_get_main_file_context()
 {
     FileFlows* file_flows = FileFlows::get_file_flows(DetectionEngine::get_current_packet()->flow);
-    assert(file_flows);
-    return file_flows->get_current_file_context();
+    if (file_flows)
+        return file_flows->get_current_file_context();
+    else
+        return nullptr;
 }
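Review bot: Replacing `assert(file_flows)` with a nullptr return changes the contract of `DCE2_get_main_file_context`, but none of its callers is touched in this commit; a missing FileFlows, which previously tripped the assert, now surfaces as a null dereference at whichever call site uses the result unchecked (`DCE2_get_file_verdict`, which starts right after this hunk, is the first to look at). Each call site should be checked, and the function should state the new contract: `// Returns nullptr when no FileFlows exist for the current packet's flow.` The `if/else` pair can also be a single expression: `return file_flows ? file_flows->get_current_file_context() : nullptr;`.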
 
 FileVerdict DCE2_get_file_verdict()
@@ -1538,6 +1540,10 @@ static DCE2_Ret DCE2_SmbFileAPIProcess(DCE2_SmbSsnData* ssd,
 
     Packet* p = DetectionEngine::get_current_packet();
     FileFlows* file_flows = FileFlows::get_file_flows(p->flow);
+
+    if (!file_flows)
+        return DCE2_RET__ERROR;
+
     if (!file_flows->file_process(p, data_ptr, (int)data_len, position, upload,
         DCE2_SmbIsVerdictSuspend(upload, position)))
     {
index 198d4aaa78a1e8613d500de1d6e068033ca24c45..4ed650aae51b3611cad46e7008e906222da45d1a 100644 (file)
@@ -113,8 +113,6 @@ bool HttpInspect::configure(SnortConfig* )
     if (params->js_norm_param.normalize_javascript)
         params->js_norm_param.js_norm->configure();
 
-    config_decode();
-
     return true;
 }
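Review bot: Removing `config_decode()` here deletes the only `sync_all_depths()` call visible on the old side, and the replacement (`FileService::reset_depths()` in file_service.cc, added in this commit) has no caller anywhere in the diff. Unless something outside the diff invokes it after FileIdModule::set has stored the new depths, the MIME decode depths configured via file_id may never be synchronised into `FileService::decode_conf`. The call site should be named in the commit message, or a comment left here: `// MIME decode depths are now owned by FileService::decode_conf; see FileService::reset_depths().`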
 
@@ -464,8 +462,7 @@ bool HttpInspect::process(const uint8_t* data, const uint16_t dsize, Flow* const
         break;
     case SEC_HEADER:
         current_section = new HttpMsgHeader(
-            data, dsize, session_data, source_id, buf_owner, flow, params,
-            decode_conf);
+            data, dsize, session_data, source_id, buf_owner, flow, params);
         break;
     case SEC_BODY_CL:
         current_section = new HttpMsgBodyCl(
index 593f21aed52ed348681f2648a9dcc3467b027ec3..24e15e99ba7d7c2001fc6618cae3d5e51b2a98aa 100644 (file)
@@ -70,7 +70,6 @@ public:
     static int get_xtra_uri(snort::Flow*, uint8_t**, uint32_t*, uint32_t*);
     static int get_xtra_host(snort::Flow*, uint8_t** buf, uint32_t* len, uint32_t* type);
     static int get_xtra_jsnorm(snort::Flow*, uint8_t**, uint32_t*, uint32_t*);
-    void config_decode() { decode_conf.sync_all_depths(); }
 
 private:
     friend HttpApi;
@@ -88,7 +87,6 @@ private:
     const uint32_t xtra_uri_id;
     const uint32_t xtra_host_id;
     const uint32_t xtra_jsnorm_id;
-    snort::DecodeConfig decode_conf;
 };
 
 #endif
index c3cdba2a6b380dee1e96b033052909efde5ce086..7275f3858f89da24993c8eacee0502c359e1ece5 100644 (file)
@@ -224,6 +224,9 @@ void HttpMsgBody::do_file_processing(const Field& file_data)
     if (!session_data->mime_state[source_id])
     {
         FileFlows* file_flows = FileFlows::get_file_flows(flow);
+        if (!file_flows)
+            return;
+
         const FileDirection dir = source_id == SRC_SERVER ? FILE_DOWNLOAD : FILE_UPLOAD;
 
         size_t file_index = 0;
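Review bot: The new early `return` when `FileFlows::get_file_flows(flow)` yields nullptr drops file processing for this body silently, and the same pattern appears in HttpStreamSplitter::finish in the last hunk of this commit (which returns false). From a detection standpoint a flow whose file inspection was skipped is then indistinguishable from one that was inspected, so a peg count or debug trace at both sites would make the condition observable. If the nullptr case is expected here (for instance when file processing is not enabled for the flow), a comment saying so would suffice: `// No FileFlows: file inspection is not active for this flow.` do_file_processing begins before this hunk and continues past it.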
index 6131f8e18a93adfb823fdd0998b0a90fe2221758..f612a22ee6a54c1724d00394b47cc2f80228759e 100644 (file)
@@ -44,9 +44,8 @@ using namespace HttpEnums;
 
 HttpMsgHeader::HttpMsgHeader(const uint8_t* buffer, const uint16_t buf_size,
     HttpFlowData* session_data_, SourceId source_id_, bool buf_owner, Flow* flow_,
-    const HttpParaList* params_, DecodeConfig decode_conf_) :
-    HttpMsgHeadShared(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_),
-    decode_conf(decode_conf_)
+    const HttpParaList* params_) :
+    HttpMsgHeadShared(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_)
 {
     transaction->set_header(this, source_id);
     get_related_sections();
@@ -420,7 +419,7 @@ void HttpMsgHeader::setup_file_processing()
         {
             if (boundary_present(content_type))
             {
-                session_data->mime_state[source_id] = new MimeSession(&decode_conf, &mime_conf,
+                session_data->mime_state[source_id] = new MimeSession(&FileService::decode_conf, &mime_conf,
                     transaction->get_file_processing_id(source_id));
                 // Show file processing the Content-Type header as if it were regular data.
                 // This will enable it to find the boundary string.
index 16663d5bf5e0221a8d4af40188745eedffa71d87..b09c2de6b0cf500d1ea1a969b80c59d9e498332b 100644 (file)
@@ -36,7 +36,7 @@ class HttpMsgHeader : public HttpMsgHeadShared
 public:
     HttpMsgHeader(const uint8_t* buffer, const uint16_t buf_size, HttpFlowData* session_data_,
         HttpCommon::SourceId source_id_, bool buf_owner, snort::Flow* flow_,
-        const HttpParaList* params_, snort::DecodeConfig decode_conf);
+        const HttpParaList* params_);
     HttpEnums::InspectSection get_inspection_section() const override
         { return HttpEnums::IS_HEADER; }
     bool detection_required() const override { return true; }
@@ -55,7 +55,6 @@ private:
 
     // Dummy configurations to support MIME processing
     snort::MailLogConfig mime_conf;
-    snort::DecodeConfig decode_conf;
 
     Field true_ip;
     Field true_ip_addr;
index dba08efc63c145ec3d71de9916dff03bf2f1053c..695fdd35e8a63934231f5897eb24b5de316a6e4b 100644 (file)
@@ -125,6 +125,9 @@ bool HttpStreamSplitter::finish(Flow* flow)
         if (!session_data->mime_state[source_id])
         {
             FileFlows* file_flows = FileFlows::get_file_flows(flow);
+            if (!file_flows)
+                return false;
+
             const FileDirection dir = source_id == SRC_SERVER ? FILE_DOWNLOAD : FILE_UPLOAD;
 
             size_t file_index = 0;