TRACE_BUFFER_MINIMAL = 0x4,
TRACE_BUFFER_VERBOSE = 0x8,
TRACE_RULE_VARS = 0x10,
- TRACE_FP_SEARCH = 0x20
+ TRACE_FP_SEARCH = 0x20,
+ TRACE_PKT_DETECTION = 0x40,
};
void clear_trace_cursor_info();
{
if ( p->context->active_rules == IpsContext::CONTENT )
p->context->active_rules = IpsContext::NON_CONTENT;
+ trace_logf(detection, TRACE_PKT_DETECTION, "Disabled content detect, packet %" PRIu64"\n", pc.total_from_daq);
}
void DetectionEngine::enable_content(Packet* p)
#define DEBUG_STREAM 0x0000000200000000LL
#define DEBUG_STREAM_STATE 0x0000000400000000LL
#define DEBUG_STREAM_PAF 0x0000000800000000LL
-#define DEBUG_HTTPINSPECT 0x0000001000000000LL
#define DEBUG_ASN1 0x0000002000000000LL
#define DEBUG_DNS 0x0000004000000000LL
#define DEBUG_FTPTELNET 0x0000008000000000LL
#define DEBUG_GTP 0x0000010000000000LL
-#define DEBUG_IMAP 0x0000020000000000LL
-#define DEBUG_POP 0x0000040000000000LL
-#define DEBUG_RPC 0x0000080000000000LL
#define DEBUG_SIP 0x0000100000000000LL
-#define DEBUG_SSL 0x0000200000000000LL
#define DEBUG_SMTP 0x0000400000000000LL
#define DEBUG_REPUTATION 0x0000800000000000LL
#define DEBUG_MPSE 0x0010000000000000LL
#define DEBUG_SO_RULE 0x0020000000000000LL
#define DEBUG_LOGGER 0x0040000000000000LL
-#define DEBUG_DCE_TCP 0x0080000000000000LL
-#define DEBUG_DCE_SMB 0x0100000000000000LL
-#define DEBUG_DCE_COMMON 0x0200000000000000LL
#define DEBUG_APPID 0x0400000000000000LL
#ifdef PIGLET
#define DEBUG_PIGLET 0x0800000000000000LL
#endif
-#define DEBUG_DCE_UDP 0x1000000000000000LL
-
typedef uint64_t Trace;
bool trace_enabled(Trace mask);
#include "dce_co.h"
-#include "main/snort_debug.h"
#include "utils/util.h"
#include "dce_smb.h"
{
return;
}
- DEBUG_WRAP(char uuid_buf[DCE2_UUID_BUF_SIZE];)
-
- DebugFormat(DEBUG_DCE_COMMON, "Added Context item to queue.\n"
- " Context id: %hu\n"
- " Interface: %s\n"
- " Interface major version: %hu\n"
- " Interface minor version: %hu\n",
- ctx_node->ctx_id,
- DCE2_UuidToStr(&ctx_node->iface, DCERPC_BO_FLAG__NONE, uuid_buf),
- ctx_node->iface_vers_maj, ctx_node->iface_vers_min);
switch (policy)
{
ctx_node = (DCE2_CoCtxIdNode*)DCE2_QueueDequeue(cot->pending_ctx_ids);
if (ctx_node == nullptr)
{
- DebugMessage(DEBUG_DCE_COMMON, "Failed to dequeue a context id node.\n");
return;
}
- DEBUG_WRAP(char uuid_buf[DCE2_UUID_BUF_SIZE];)
-
- DebugFormat(DEBUG_DCE_COMMON, "Adding Context item to context item list.\n"
- " Context id: %hu\n"
- " Interface: %s\n"
- " Interface major version: %hu\n"
- " Interface minor version: %hu\n",
- ctx_node->ctx_id,
- DCE2_UuidToStr(&ctx_node->iface, DCERPC_BO_FLAG__NONE, uuid_buf),
- ctx_node->iface_vers_maj, ctx_node->iface_vers_min);
if (result == DCERPC_CO_CONT_DEF_RESULT__ACCEPTANCE)
{
- DebugMessage(DEBUG_DCE_COMMON, "Server accepted context item.\n");
ctx_node->state = DCE2_CO_CTX_STATE__ACCEPTED;
if (DceRpcCoPduType(co_hdr) == DCERPC_PDU_TYPE__BIND_ACK)
cot->got_bind = 1;
}
else
{
- DebugMessage(DEBUG_DCE_COMMON, "Server rejected context item.\n");
ctx_node->state = DCE2_CO_CTX_STATE__REJECTED;
cot->got_bind = 0;
}
if (status != DCE2_RET__SUCCESS)
{
snort_free((void*)ctx_node);
- DebugMessage(DEBUG_DCE_COMMON,
- "Failed to add context id node to list.\n");
return;
}
}
break;
default:
- DebugFormat(DEBUG_DCE_COMMON, "Invalid policy: %d\n", policy);
+ assert(false);
return;
}
break;
default:
- DebugFormat(DEBUG_DCE_COMMON, "Invalid policy: %d\n", policy);
+ assert(false);
break;
}
break;
default:
- DebugFormat(DEBUG_DCE_COMMON, "Invalid buffer type: %d\n", btype);
+ assert(false);
break;
}
break;
break;
default:
- DebugFormat(DEBUG_DCE_COMMON, "Invalid buffer type: %d\n", btype);
+ assert(false);
break;
}
break;
default:
- DebugFormat(DEBUG_DCE_COMMON, "Invalid transport type: %d", sd->trans);
+ assert(false);
break;
}
return rtype;
break;
default:
- DebugFormat(DEBUG_DCE_COMMON, "Invalid CO rpkt type: %d\n", co_rtype);
+ assert(false);
return nullptr;
}
Packet* rpkt = DCE2_CoGetRpkt(sd, cot, co_rtype, &rpkt_type);
if (rpkt == nullptr)
{
- DebugMessage(DEBUG_DCE_COMMON, "Could not create DCE/RPC frag reassembled buffer.\n");
return nullptr;
}
- uint8_t *wrdata = const_cast<uint8_t*>(rpkt->data);
+ uint8_t* wrdata = const_cast<uint8_t*>(rpkt->data);
switch (rpkt_type)
{
return rpkt;
default:
- DebugFormat(DEBUG_DCE_COMMON, "Invalid rpkt type: %d\n", rpkt_type);
+ assert(false);
return nullptr;
}
}
DCE2_CoSetRopts(sd, cot, co_hdr, rpkt);
- DebugMessage(DEBUG_DCE_COMMON, "Reassembled CO fragmented packet:\n");
- DCE2_PrintPktData(rpkt->data, rpkt->dsize);
-
DCE2_Detect(sd);
co_reassembled = 1;
}
if (DceRpcCoFirstFrag(co_hdr) && DceRpcCoLastFrag(co_hdr))
{
int auth_len = DCE2_CoGetAuthLen(sd, co_hdr, frag_ptr, frag_len);
- DebugMessage(DEBUG_DCE_COMMON, "First and last fragment.\n");
if (auth_len == -1)
return;
DCE2_CoSetRopts(sd, cot, co_hdr, sd->wire_pkt);
dce_common_stats->co_req_fragments++;
- if (DceRpcCoFirstFrag(co_hdr))
- DebugMessage(DEBUG_DCE_COMMON, "First fragment.\n");
- else if (DceRpcCoLastFrag(co_hdr))
- DebugMessage(DEBUG_DCE_COMMON, "Last fragment.\n");
- else
- {
- DebugMessage(DEBUG_DCE_COMMON, "Middle fragment.\n");
- }
- DCE2_PrintPktData(frag_ptr, frag_len);
-
if (auth_len == -1)
return;
break;
default:
- DebugFormat(DEBUG_DCE_COMMON, "Invalid policy: %d\n", policy);
+ assert(false);
break;
}
break;
default:
- DebugFormat(DEBUG_DCE_COMMON, "Invalid policy: %d\n", policy);
+ assert(false);
break;
}
if (ctx_node == nullptr)
{
- DebugMessage(DEBUG_DCE_COMMON, "Failed to dequeue a context id node.\n");
return;
}
if (DceRpcCoFirstFrag(co_hdr) && DceRpcCoLastFrag(co_hdr))
{
int auth_len = DCE2_CoGetAuthLen(sd, co_hdr, frag_ptr, frag_len);
- DebugMessage(DEBUG_DCE_COMMON, "First and last fragment.\n");
+
if (auth_len == -1)
return;
DCE2_CoSetRopts(sd, cot, co_hdr, sd->wire_pkt);
* start of the pdu */
DCE2_MOVE(frag_ptr, frag_len, sizeof(DceRpcCoHdr));
- DebugMessage(DEBUG_DCE_COMMON, "PDU type: ");
-
/* Client specific pdu types - some overlap with server */
if (DCE2_SsnFromClient(sd->wire_pkt))
{
switch (pdu_type)
{
case DCERPC_PDU_TYPE__BIND:
- DebugMessage(DEBUG_DCE_COMMON, "Bind\n");
dce_common_stats->co_bind++;
/* Make sure context id list and queue are initialized */
break;
case DCERPC_PDU_TYPE__ALTER_CONTEXT:
- DebugMessage(DEBUG_DCE_COMMON, "Alter Context\n");
dce_common_stats->co_alter_ctx++;
if (DCE2_CoInitCtxStorage(cot) != DCE2_RET__SUCCESS)
break;
case DCERPC_PDU_TYPE__REQUEST:
- DebugMessage(DEBUG_DCE_COMMON, "Request\n");
dce_common_stats->co_request++;
if (DCE2_ListIsEmpty(cot->ctx_ids) &&
break;
case DCERPC_PDU_TYPE__AUTH3:
- DebugMessage(DEBUG_DCE_COMMON, "Auth3\n");
dce_common_stats->co_auth3++;
break;
case DCERPC_PDU_TYPE__CO_CANCEL:
- DebugMessage(DEBUG_DCE_COMMON, "Cancel\n");
dce_common_stats->co_cancel++;
break;
case DCERPC_PDU_TYPE__ORPHANED:
- DebugMessage(DEBUG_DCE_COMMON, "Orphaned\n");
dce_common_stats->co_orphaned++;
break;
case DCERPC_PDU_TYPE__MICROSOFT_PROPRIETARY_OUTLOOK2003_RPC_OVER_HTTP:
- DebugMessage(DEBUG_DCE_COMMON, "Microsoft Request To Send RPC over HTTP\n");
dce_common_stats->co_ms_pdu++;
break;
default:
- DebugFormat(DEBUG_DCE_COMMON, "Unknown (0x%02x)\n", pdu_type);
dce_common_stats->co_other_req++;
break;
}
case DCERPC_PDU_TYPE__ALTER_CONTEXT_RESP:
if (pdu_type == DCERPC_PDU_TYPE__BIND_ACK)
{
- DebugMessage(DEBUG_DCE_COMMON, "Bind Ack\n");
dce_common_stats->co_bind_ack++;
}
else
{
- DebugMessage(DEBUG_DCE_COMMON, "Alter Context Response\n");
dce_common_stats->co_alter_ctx_resp++;
}
break;
case DCERPC_PDU_TYPE__BIND_NACK:
- DebugMessage(DEBUG_DCE_COMMON, "Bind Nack\n");
dce_common_stats->co_bind_nack++;
/* Bind nack in Windows seems to blow any previous context away */
break;
case DCERPC_PDU_TYPE__RESPONSE:
- DebugMessage(DEBUG_DCE_COMMON, "Response\n");
dce_common_stats->co_response++;
DCE2_CoResponse(sd, cot, co_hdr, frag_ptr, frag_len);
break;
case DCERPC_PDU_TYPE__FAULT:
- DebugMessage(DEBUG_DCE_COMMON, "Fault\n");
dce_common_stats->co_fault++;
/* Clear out the client side */
break;
case DCERPC_PDU_TYPE__SHUTDOWN:
- DebugMessage(DEBUG_DCE_COMMON, "Shutdown\n");
dce_common_stats->co_shutdown++;
break;
case DCERPC_PDU_TYPE__REJECT:
- DebugMessage(DEBUG_DCE_COMMON, "Reject\n");
dce_common_stats->co_reject++;
DCE2_QueueEmpty(cot->pending_ctx_ids);
break;
case DCERPC_PDU_TYPE__MICROSOFT_PROPRIETARY_OUTLOOK2003_RPC_OVER_HTTP:
- DebugMessage(DEBUG_DCE_COMMON, "Microsoft Request To Send RPC over HTTP\n");
dce_common_stats->co_ms_pdu++;
break;
default:
- DebugFormat(DEBUG_DCE_COMMON, "Unknown (0x%02x)\n", pdu_type);
dce_common_stats->co_other_resp++;
break;
}
{
if (seg_bytes == 0)
{
- DebugMessage(DEBUG_DCE_COMMON, "Early reassemble - DCE/RPC fragments\n");
DCE2_CoReassemble(sd, cot, DCE2_CO_RPKT_TYPE__FRAG);
}
else
{
- DebugMessage(DEBUG_DCE_COMMON,
- "Early reassemble - DCE/RPC fragments and segments\n");
DCE2_CoReassemble(sd, cot, DCE2_CO_RPKT_TYPE__ALL);
}
}
{
DCE2_Ret status;
- DebugMessage(DEBUG_DCE_COMMON, "Early reassemble - DCE/RPC segments\n");
-
status = DCE2_CoSegEarlyRequest(cot, DCE2_BufferData(cot->cli_seg.buf), bytes);
if (status != DCE2_RET__SUCCESS)
{
- DebugMessage(DEBUG_DCE_COMMON,
- "Not enough data in seg buffer to set rule option data.\n");
return;
}
break;
default:
- DebugFormat(DEBUG_DCE_COMMON, "Invalid transport type: %d\n", sd->trans);
+ assert(false);
break;
}
break;
default:
- DebugFormat(DEBUG_DCE_COMMON, "Invalid transport type: %d\n",
- sd->trans);
+ assert(false);
return;
}
/* All is good. Decode the pdu */
DCE2_CoDecode(sd, cot, frag_ptr, frag_len);
- DebugMessage(DEBUG_DCE_COMMON, "Reassembled CO segmented packet\n");
- DCE2_PrintPktData(rpkt->data, rpkt->dsize);
-
/* Call detect since this is a reassembled packet that the
* detection engine hasn't seen yet */
if (!co_reassembled)
{
num_frags++;
- DebugFormat(DEBUG_DCE_COMMON, "DCE/RPC message number: %u\n", num_frags);
-
/* Fast track full fragments */
if (DCE2_BufferIsEmpty(seg->buf))
{
/* Not enough data left for a header. Buffer it and return */
if (data_len < sizeof(DceRpcCoHdr))
{
- DebugMessage(DEBUG_DCE_COMMON,
- "Not enough data in packet for DCE/RPC Connection-oriented header.\n");
-
DCE2_CoHandleSegmentation(sd, seg, data_ptr, data_len, sizeof(DceRpcCoHdr),
&data_used);
/* Not enough data left for the pdu. */
if (data_len < frag_len)
{
- DebugFormat(DEBUG_DCE_COMMON,
- "Not enough data in packet for fragment length: %hu\n", frag_len);
-
/* Set frag length so we don't have to check it again in seg code */
seg->frag_len = frag_len;
{
uint16_t data_used = 0;
- DebugFormat(DEBUG_DCE_COMMON, "Segmentation buffer has %u bytes\n",
- DCE2_BufferLength(seg->buf));
-
// Need more data to get header
if (DCE2_BufferLength(seg->buf) < sizeof(DceRpcCoHdr))
{
data_back = -data_used;
DCE2_MOVE(data_ptr, data_len, data_back);
/*Check the original packet*/
- if (DCE2_CoHdrChecks(sd, cot, (const DceRpcCoHdr*)data_ptr) != DCE2_RET__SUCCESS)
+ if (DCE2_CoHdrChecks(sd, cot, (const DceRpcCoHdr*)data_ptr) !=
+ DCE2_RET__SUCCESS)
return;
else
{
#include "detection/detection_engine.h"
#include "ips_options/extract.h"
#include "log/messages.h"
-#include "main/snort_debug.h"
#include "utils/safec.h"
#include "dce_http_proxy_module.h"
{
if (flow->get_session_flags() & SSNFLAG_MIDSTREAM)
{
- DebugMessage(DEBUG_DCE_COMMON,
- "Aborting PAF because of midstream pickup.\n");
return true;
}
else if (!(flow->get_session_flags() & SSNFLAG_ESTABLISHED))
{
- DebugMessage(DEBUG_DCE_COMMON,
- "Aborting PAF because of unestablished session.\n");
return true;
}
if ((sd != nullptr) && DCE2_SsnNoInspect(sd))
{
- DebugMessage(DEBUG_DCE_COMMON, "Aborting PAF because of session data check.\n");
return true;
}
return false;
}
-static void DCE2_PrintRoptions(DCE2_Roptions* ropts)
-{
- DebugFormat(DEBUG_DCE_COMMON,
- " First frag: %s\n", ropts->first_frag == 1 ? "yes" : (ropts->first_frag == 0 ? "no" :
- "unset"));
- if (ropts->first_frag == DCE2_SENTINEL)
- {
- DebugMessage(DEBUG_DCE_COMMON, " Iface: unset\n");
- DebugMessage(DEBUG_DCE_COMMON, " Iface version: unset\n");
- }
- else
- {
- DEBUG_WRAP(char uuid_buf[DCE2_UUID_BUF_SIZE];)
- DebugFormat(DEBUG_DCE_COMMON, " Iface: %s\n",
- DCE2_UuidToStr(&ropts->iface, DCERPC_BO_FLAG__NONE, uuid_buf));
- DebugFormat(DEBUG_DCE_COMMON, " Iface version: %hu\n", ropts->iface_vers_maj);
- }
- if (ropts->opnum == DCE2_SENTINEL)
- DebugMessage(DEBUG_DCE_COMMON, " Opnum: unset\n");
- else
- {
- DebugFormat(DEBUG_DCE_COMMON, " Opnum: %d\n", ropts->opnum);
- }
- if (ropts->stub_data != nullptr)
- DebugFormat(DEBUG_DCE_COMMON, " Stub data: %p\n", ropts->stub_data);
- else
- {
- DebugMessage(DEBUG_DCE_COMMON, " Stub data: NULL\n");
- }
-}
static void dce2_protocol_detect(DCE2_SsnData* sd, snort::Packet* pkt)
{
return;
}
snort::Packet* top_pkt = DetectionEngine::get_current_packet();
-
- DCE2_PrintRoptions(&sd->ropts);
- DebugMessage(DEBUG_DCE_COMMON, "Payload:\n");
- DCE2_PrintPktData(top_pkt->data, top_pkt->dsize);
-
- if (sd->ropts.stub_data != nullptr)
- {
- DebugMessage(DEBUG_DCE_COMMON,"\nStub data:\n");
- DCE2_PrintPktData(sd->ropts.stub_data,
- top_pkt->dsize - (sd->ropts.stub_data - top_pkt->data));
- }
-
dce2_protocol_detect(sd, top_pkt);
/* Always reset rule option data after detecting */
DCE2_ResetRopts(&sd->ropts);
- DebugMessage(DEBUG_DCE_COMMON, "----------------------------------------------------------\n");
}
DCE2_SsnData* get_dce2_session_data(snort::Packet* p)
if ((data_byte_order == DCE2_SENTINEL) ||
(hdr_byte_order == DCE2_SENTINEL))
- {
- DebugMessage(DEBUG_DCE_COMMON,
- "Data byte order or header byte order not set "
- "in rule options - not evaluating.\n");
return false;
- }
if (stub_data_offset == DCE2_SENTINEL)
{
- DebugMessage(DEBUG_DCE_COMMON, "Stub data is NULL. "
- "Setting byte order to that of the header.\n");
byte_order = (DceRpcBoFlag)hdr_byte_order;
}
else if (offset < stub_data_offset)
{
- DebugMessage(DEBUG_DCE_COMMON,
- "Reading data in the header. Setting byte order "
- "to that of the header.\n");
byte_order = (DceRpcBoFlag)hdr_byte_order;
}
else
{
- DebugMessage(DEBUG_DCE_COMMON,
- "Reading data in the stub. Setting byte order "
- "to that of the stub data.\n");
byte_order = (DceRpcBoFlag)data_byte_order;
}
endian = (byte_order == DCERPC_BO_FLAG__BIG_ENDIAN) ? ENDIAN_BIG : ENDIAN_LITTLE;
- DebugFormat(DEBUG_DCE_COMMON, " Byte order: %s\n",
- endian == ENDIAN_LITTLE ? "little endian" : "big endian");
+
return true;
}
break;
default:
- DebugFormat(DEBUG_DCE_COMMON,"Invalid reassembly packet type: %d\n",rtype);
+ assert(false);
return 0;
}
return (snort::Packet::max_dsize - overhead);
break;
default:
- DebugFormat(DEBUG_DCE_COMMON, "Invalid reassembly packet type: %d\n",rpkt_type);
assert(false);
return nullptr;
}
if (data_len > snort::Packet::max_dsize - data_overhead)
{
- DebugMessage(DEBUG_DCE_COMMON, "Failed to create reassembly packet.\n");
delete rpkt->endianness;
rpkt->endianness = nullptr;
return nullptr;
#include "dce_list.h"
-#include "main/snort_debug.h"
#include "utils/util.h"
/********************************************************************
static void DCE2_ListInsertTail(DCE2_List* list, DCE2_ListNode* n)
{
if ((list == nullptr) || (n == nullptr))
- {
- DebugMessage(DEBUG_DCE_COMMON, "List and/or list node passed in was NULL\n");
return;
- }
+
if (list->tail == nullptr)
{
static void DCE2_ListInsertHead(DCE2_List* list, DCE2_ListNode* n)
{
if ((list == nullptr) || (n == nullptr))
- {
- DebugMessage(DEBUG_DCE_COMMON, "List and/or list node passed in was NULL\n");
- return;
- }
+ return;
if (list->head == nullptr)
{
static void DCE2_ListInsertBefore(DCE2_List* list, DCE2_ListNode* insert, DCE2_ListNode* front)
{
if ((list == nullptr) || (insert == nullptr) || (front == nullptr))
- {
- DebugMessage(DEBUG_DCE_COMMON, "List, insert node and/or front node passed in was NULL\n");
return;
- }
if (front == list->head)
{
if (p->flow->get_session_flags() & SSNFLAG_MIDSTREAM)
{
- DebugMessage(DEBUG_DCE_SMB,
- "Midstream - not inspecting.\n");
return;
}
|| ((ssd->max_file_depth == -1) && DCE2_ScSmbFileDepth(
(dce2SmbProtoConf*)ssd->sd.config) == -1)))
{
- DebugFormat(DEBUG_DCE_SMB, "Not inserting TID (%u) "
- "because it's not IPC and not inspecting normal file "
- "data.", tid);
+ trace_logf(dce_smb, "Not inserting TID (%u) because it's "
+ "not IPC and not inspecting normal file data.\n", tid);
return;
}
if (is_ipc)
{
- DebugFormat(DEBUG_DCE_SMB, "Not inserting TID (%u) "
- "because it's IPC and only inspecting normal file data.", tid);
+ trace_logf(dce_smb, "Not inserting TID (%u) "
+ "because it's IPC and only inspecting normal file data.\n", tid);
return;
}
- DebugFormat(DEBUG_DCE_SMB, "Inserting Tid: %u\n", tid);
-
if (ssd->tids == nullptr)
{
ssd->tids = DCE2_ListNew(DCE2_LIST_TYPE__SPLAYED, DCE2_Smb2TidCompare,
const Smb2CreateRequestHdr* smb_create_hdr,const uint8_t* end)
{
uint16_t name_offset = alignedNtohs(&(smb_create_hdr->name_offset));
- DebugMessage(DEBUG_DCE_SMB, "Processing create request command!\n");
+
DCE2_Smb2InitFileTracker(&ssd->ftracker, false, 0);
if (name_offset > SMB2_HEADER_LENGTH)
{
uint64_t fileId_persistent;
uint64_t file_size = UNKNOWN_FILE_SIZE;
- DebugMessage(DEBUG_DCE_SMB, "Processing create response command!\n");
+
fileId_persistent = alignedNtohq((const uint64_t*)(&(smb_create_hdr->fileId_persistent)));
ssd->ftracker.fid_v2 = fileId_persistent;
if (smb_create_hdr->end_of_file)
{
- file_size = alignedNtohq((const uint64_t*)(&(smb_create_hdr->end_of_file)));
- DebugFormat(DEBUG_DCE_SMB, "Get file size %" PRIu64 "!\n", file_size);
+ file_size = alignedNtohq((const uint64_t*)(&(smb_create_hdr->end_of_file)));
ssd->ftracker.tracker.file.file_size = file_size;
}
DCE2_Smb2FreeFileName(&(ssd->ftracker));
}
}
- else
- {
- DebugMessage(DEBUG_DCE_SMB, "Wrong format for smb create command!\n");
- }
}
/********************************************************************
if (smb_set_info_hdr->file_info_class == SMB2_FILE_ENDOFFILE_INFO)
{
uint64_t file_size = alignedNtohq((const uint64_t*)file_data);
- DebugFormat(DEBUG_DCE_SMB, "Get file size %" PRIu64 "!\n", file_size);
ssd->ftracker.tracker.file.file_size = file_size;
uint64_t fileId_persistent = alignedNtohq(&(smb_set_info_hdr->fileId_persistent));
FileContext* file = get_file_context(ssd, fileId_persistent);
{
uint64_t message_id, offset;
uint64_t fileId_persistent;
- DebugMessage(DEBUG_DCE_SMB, "Processing read request command!\n");
+
message_id = alignedNtohq((const uint64_t*)(&(smb_hdr->message_id)));
offset = alignedNtohq((const uint64_t*)(&(smb_read_hdr->offset)));
fileId_persistent = alignedNtohq((const uint64_t*)(&(smb_read_hdr->fileId_persistent)));
DCE2_Smb2StoreRequest(ssd, message_id, offset, fileId_persistent);
if (fileId_persistent && (ssd->ftracker.fid_v2 != fileId_persistent))
{
- DebugMessage(DEBUG_DCE_SMB, "Persistent file ID changed read request command!\n");
ssd->ftracker.fid_v2 = fileId_persistent;
}
if (ssd->ftracker.tracker.file.file_size && (offset > ssd->ftracker.tracker.file.file_size))
uint16_t data_offset;
Smb2Request* request;
- DebugMessage(DEBUG_DCE_SMB, "Processing read response command!\n");
-
message_id = alignedNtohq((const uint64_t*)(&(smb_hdr->message_id)));
request = DCE2_Smb2GetRequest(ssd, message_id);
if (!request)
{
uint64_t message_id;
Smb2Request* request;
- DebugMessage(DEBUG_DCE_SMB, "Wrong format for smb read command!\n");
+
message_id = alignedNtohq((const uint64_t*)(&(smb_hdr->message_id)));
request = DCE2_Smb2GetRequest(ssd, message_id);
if (!request)
uint16_t data_offset;
uint32_t total_data_length;
- DebugMessage(DEBUG_DCE_SMB, "Processing write request command!\n");
-
fileId_persistent = alignedNtohq((const uint64_t*)(&(smb_write_hdr->fileId_persistent)));
if (fileId_persistent && (ssd->ftracker.fid_v2 != fileId_persistent))
{
- DebugMessage(DEBUG_DCE_SMB, "Persistent file ID changed read request command!\n");
ssd->ftracker.fid_v2 = fileId_persistent;
}
data_offset = alignedNtohs((const uint16_t*)(&(smb_write_hdr->data_offset)));
ssd->pdu_state = DCE2_SMB_PDU_STATE__RAW_DATA;
}
-/********************************************************************
- *
- * Process write response
- *
- ********************************************************************/
-static void DCE2_Smb2WriteResponse(DCE2_SmbSsnData*, const Smb2Hdr*,
- const Smb2WriteResponseHdr*, const uint8_t*)
-{
- DebugMessage(DEBUG_DCE_SMB, "Processing write response command!\n");
-}
/********************************************************************
*
return;
DCE2_Smb2WriteRequest(ssd, smb_hdr, smb_write_hdr, end);
}
- else if (structure_size == SMB2_WRITE_RESPONSE_STRUC_SIZE)
- {
- if ((const uint8_t*)smb_write_hdr + SMB2_WRITE_RESPONSE_STRUC_SIZE - 1 > end)
- return;
- DCE2_Smb2WriteResponse(ssd, smb_hdr, (const Smb2WriteResponseHdr*)smb_write_hdr, end);
- }
- else
- {
- DebugMessage(DEBUG_DCE_SMB, "Wrong format for smb write command!\n");
- }
}
/********************************************************************
switch (command)
{
case SMB2_COM_CREATE:
- DebugMessage(DEBUG_DCE_SMB, "Create command.\n");
dce2_smb_stats.smb2_create++;
if (DCE2_Smb2FindTid(ssd, smb_hdr) != DCE2_RET__SUCCESS)
return;
DCE2_Smb2Create(ssd, smb_hdr, smb_data, end);
break;
case SMB2_COM_READ:
- DebugMessage(DEBUG_DCE_SMB, "Read command.\n");
dce2_smb_stats.smb2_read++;
if (DCE2_Smb2FindTid(ssd, smb_hdr) != DCE2_RET__SUCCESS)
return;
DCE2_Smb2Read(ssd, smb_hdr, smb_data, end);
break;
case SMB2_COM_WRITE:
- DebugMessage(DEBUG_DCE_SMB, "Write command.\n");
dce2_smb_stats.smb2_write++;
if (DCE2_Smb2FindTid(ssd, smb_hdr) != DCE2_RET__SUCCESS)
return;
DCE2_Smb2Write(ssd, smb_hdr, smb_data, end);
break;
case SMB2_COM_SET_INFO:
- DebugMessage(DEBUG_DCE_SMB, "Set info command.\n");
dce2_smb_stats.smb2_set_info++;
if (DCE2_Smb2FindTid(ssd, smb_hdr) != DCE2_RET__SUCCESS)
return;
DCE2_Smb2SetInfo(ssd, smb_hdr, smb_data, end);
break;
case SMB2_COM_CLOSE:
- DebugMessage(DEBUG_DCE_SMB, "Close command.\n");
dce2_smb_stats.smb2_close++;
if (DCE2_Smb2FindTid(ssd, smb_hdr) != DCE2_RET__SUCCESS)
return;
DCE2_Smb2CloseCmd(ssd, smb_hdr, smb_data, end);
break;
case SMB2_COM_TREE_CONNECT:
- DebugMessage(DEBUG_DCE_SMB, "Tree connect command.\n");
dce2_smb_stats.smb2_tree_connect++;
DCE2_Smb2TreeConnect(ssd, smb_hdr, smb_data, end);
break;
case SMB2_COM_TREE_DISCONNECT:
- DebugMessage(DEBUG_DCE_SMB, "Tree disconnect command.\n");
dce2_smb_stats.smb2_tree_disconnect++;
DCE2_Smb2TreeDisconnect(ssd, smb_hdr, smb_data, end);
break;
default:
- DebugMessage(DEBUG_DCE_SMB, "command ignored!\n");
break;
}
}
#include "dce_smb_commands.h"
-#include "main/snort_debug.h"
#include "utils/util.h"
#include "dce_smb_module.h"
static DCE2_Ret DCE2_SmbWriteAndXRawRequest(DCE2_SmbSsnData* ssd, const SmbNtHdr* smb_hdr,
const DCE2_SmbComInfo* com_info, const uint8_t* nb_ptr, uint32_t nb_len)
{
- DebugMessage(DEBUG_DCE_SMB,
- "Processing WriteAndX with raw mode flags\n");
-
// Set this now for possible reassembled packet
uint16_t fid = SmbWriteAndXReqFid((const SmbWriteAndXReq*)nb_ptr);
DCE2_SmbFileTracker* ftracker = DCE2_SmbGetFileTracker(ssd, fid);
// See below.
break;
default:
- DebugFormat(DEBUG_DCE_SMB, "Invalid policy: %d", policy);
+ assert(false);
break;
}
}
return DCE2_RET__ERROR;
}
- DebugMessage(DEBUG_DCE_SMB, "Reassembled WriteAndX raw mode request\n");
- DCE2_PrintPktData(rpkt->data, rpkt->dsize);
-
(void)DCE2_SmbProcessRequestData(ssd, fid, data_ptr, data_len, 0);
DCE2_BufferEmpty(ftracker->fp_writex_raw->buf);
// if both flags are set.
break;
default:
- DebugFormat(DEBUG_DCE_SMB, "Invalid policy: %d", policy);
+ assert(false);
break;
}
DCE2_SmbCheckFmtData(ssd, nb_len, byte_count, fmt, com_dcnt, fmt_dcnt);
- DebugFormat(DEBUG_DCE_SMB," SmbWriteLockAndRead dcnt %d\n", com_dcnt);
if (com_dcnt == 0)
{
dce_alert(GID_DCE2, DCE2_SMB_DCNT_ZERO, (dce2CommonStats*)&dce2_smb_stats);
DCE2_MOVE(nb_ptr, nb_len, 1);
}
- DebugMessage(DEBUG_DCE_SMB, "Attempting to fingerprint "
- "Client Windows/Samba version ... \n");
-
+ // Attempting to fingerprint Client Windows/Samba version.
// Move past Account and Domain strings
// Blob version doesn't have these as they're in the blob
if (DCE2_ComInfoWordCount(com_info) == 13)
// is kosher. It's policy will be used when the server is
// sending data to it.
-#ifdef DEBUG_MSGS
- {
- uint32_t k, l = 0;
- char buf[65535];
-
- for (k = 0; (k < nb_len) && (nb_ptr[k] != 0); k += increment, l++)
- buf[l] = nb_ptr[k];
-
- buf[l] = 0;
- DebugFormat(DEBUG_DCE_SMB, " Client OS: %s\n", buf);
-
- k += increment;
-
- l = 0;
- for (; k < nb_len && nb_ptr[k] != 0; k += increment, l++)
- buf[l] = nb_ptr[k];
-
- buf[l] = 0;
- DebugFormat(DEBUG_DCE_SMB, " Client Lanman: %s\n", buf);
- }
-#endif
-
// Windows Vista and above don't put anything here
if (*nb_ptr == '\0')
{
- DebugMessage(DEBUG_DCE_SMB,
- "Setting client policy to Windows Vista\n");
DCE2_SsnSetPolicy(&ssd->sd, DCE2_POLICY__WINVISTA);
return DCE2_RET__SUCCESS;
}
switch (state)
{
case OS_WIN2000:
- DebugMessage(DEBUG_DCE_SMB,
- "Setting client policy to Windows 2000\n");
DCE2_SsnSetPolicy(&ssd->sd, DCE2_POLICY__WIN2000);
break;
case OS_WINXP:
- DebugMessage(DEBUG_DCE_SMB,
- "Setting client policy to Windows XP\n");
DCE2_SsnSetPolicy(&ssd->sd, DCE2_POLICY__WINXP);
break;
case OS_WIN2003:
- DebugMessage(DEBUG_DCE_SMB,
- "Setting client policy to Windows 2003\n");
DCE2_SsnSetPolicy(&ssd->sd, DCE2_POLICY__WIN2003);
break;
default:
// Samba
if (*nb_ptr == 'S')
{
- DebugMessage(DEBUG_DCE_SMB,
- "Setting client policy to Samba\n");
DCE2_SsnSetPolicy(&ssd->sd, DCE2_POLICY__SAMBA);
}
}
DCE2_MOVE(nb_ptr, nb_len, 1);
}
- DebugMessage(DEBUG_DCE_SMB, "Attempting to fingerprint "
- "Server Windows/Samba version ... \n");
-
+ // Attempting to fingerprint Server Windows/Samba version.
// Note the below is quick and dirty. We're assuming the server
// is kosher. It's policy will be used when the client is
// sending data to it.
-
-#ifdef DEBUG_MSGS
- {
- uint32_t k, l = 0;
- char buf[65535];
-
- for (k = 0; (k < nb_len) && (nb_ptr[k] != 0); k += increment, l++)
- buf[l] = nb_ptr[k];
-
- buf[l] = 0;
- DebugFormat(DEBUG_DCE_SMB, " Server OS: %s\n", buf);
-
- k += increment;
-
- l = 0;
- for (; k < nb_len && nb_ptr[k] != 0; k += increment, l++)
- buf[l] = nb_ptr[k];
-
- buf[l] = 0;
- DebugFormat(DEBUG_DCE_SMB, " Server Lanman: %s\n", buf);
- }
-#endif
-
if ((nb_len < increment) || (*nb_ptr == '\0'))
{
return DCE2_RET__SUCCESS;
switch (state)
{
case OS_WIN2000:
- DebugMessage(DEBUG_DCE_SMB,
- "Setting server policy to Windows 2000\n");
DCE2_SsnSetPolicy(&ssd->sd, DCE2_POLICY__WIN2000);
break;
case OS_WINXP:
- DebugMessage(DEBUG_DCE_SMB,
- "Setting server policy to Windows XP\n");
DCE2_SsnSetPolicy(&ssd->sd, DCE2_POLICY__WINXP);
break;
case OS_WIN2003:
- DebugMessage(DEBUG_DCE_SMB,
- "Setting server policy to Windows 2003\n");
DCE2_SsnSetPolicy(&ssd->sd, DCE2_POLICY__WIN2003);
break;
case OS_WIN2008:
- DebugMessage(DEBUG_DCE_SMB,
- "Setting server policy to Windows 2008\n");
DCE2_SsnSetPolicy(&ssd->sd, DCE2_POLICY__WIN2008);
break;
case OS_WINVISTA:
- DebugMessage(DEBUG_DCE_SMB,
- "Setting server policy to Windows Vista\n");
DCE2_SsnSetPolicy(&ssd->sd, DCE2_POLICY__WINVISTA);
break;
case OS_WIN7:
- DebugMessage(DEBUG_DCE_SMB,
- "Setting server policy to Windows 7\n");
DCE2_SsnSetPolicy(&ssd->sd, DCE2_POLICY__WIN7);
break;
default:
// If less than 3 set policy to earliest Samba policy we use
if ((nb_ptr[i] == '0') || (nb_ptr[i] == '1') || (nb_ptr[i] == '2'))
{
- DebugMessage(DEBUG_DCE_SMB,
- "Setting server policy to Samba 3.0.20\n");
DCE2_SsnSetPolicy(&ssd->sd, DCE2_POLICY__SAMBA_3_0_20);
return DCE2_RET__SUCCESS;
}
// If it's not 0, then set to latest Samba policy we use
if (nb_ptr[i] != '0')
{
- DebugMessage(DEBUG_DCE_SMB,
- "Setting server policy to current Samba\n");
DCE2_SsnSetPolicy(&ssd->sd, DCE2_POLICY__SAMBA);
return DCE2_RET__SUCCESS;
}
// First digit is 1 or no second digit or 20, Samba 3.0.20
if ((r1 == '1') || (r2 == '\0') || ((r1 == '2') && (r2 == '0')))
{
- DebugMessage(DEBUG_DCE_SMB,
- "Setting server policy to Samba 3.0.20\n");
DCE2_SsnSetPolicy(&ssd->sd, DCE2_POLICY__SAMBA_3_0_20);
return DCE2_RET__SUCCESS;
}
// 21 or 22, Samba 3.0.22
if ((r1 == '2') && (r2 <= '2'))
{
- DebugMessage(DEBUG_DCE_SMB,
- "Setting server policy to Samba 3.0.22\n");
DCE2_SsnSetPolicy(&ssd->sd, DCE2_POLICY__SAMBA_3_0_22);
return DCE2_RET__SUCCESS;
}
// 23, 24 ... 30 ... 37, Samba 3.0.37
if ((r1 == '2') || ((r1 == '3') && (r2 <= '7')))
{
- DebugMessage(DEBUG_DCE_SMB,
- "Setting server policy to Samba 3.0.37\n");
DCE2_SsnSetPolicy(&ssd->sd, DCE2_POLICY__SAMBA_3_0_37);
return DCE2_RET__SUCCESS;
}
- DebugMessage(DEBUG_DCE_SMB,
- "Setting server policy to current Samba\n");
DCE2_SsnSetPolicy(&ssd->sd, DCE2_POLICY__SAMBA);
}
}
switch (state)
{
case SERVICE_IPC:
- DebugFormat(DEBUG_DCE_SMB,
- "Tid (%hu) is an IPC tree.\n", tid);
break;
case SERVICE_DISK:
is_ipc = false;
- DebugFormat(DEBUG_DCE_SMB,
- "Tid (%hu) is a DISK tree.\n", tid);
break;
default:
return DCE2_RET__IGNORE;
// in the TreeConnect command response?
uint16_t tid = SmbTid(smb_hdr);
DCE2_SmbInsertTid(ssd, tid, ssd->cur_rtracker->is_ipc);
-
- DebugFormat(DEBUG_DCE_SMB, "Tid (%hu) %s an IPC tree\n", tid,
- (ssd->cur_rtracker->is_ipc) ? "is" : "is not");
}
return DCE2_RET__SUCCESS;
using namespace snort;
using namespace std;
+Trace TRACE_NAME(dce_smb);
+
static const PegInfo dce2_smb_pegs[] =
{
{ CountType::SUM, "events", "total events" },
{ 0, nullptr }
};
-Dce2SmbModule::Dce2SmbModule() : Module(DCE2_SMB_NAME, DCE2_SMB_HELP, s_params)
+Dce2SmbModule::Dce2SmbModule() : Module(DCE2_SMB_NAME, DCE2_SMB_HELP, s_params, false, &TRACE_NAME(dce_smb))
{
memset(&config, 0, sizeof(config));
}
return(true);
}
-bool Dce2SmbModule::set(const char*, snort::Value& v, snort::SnortConfig*)
+bool Dce2SmbModule::set(const char* fqn, snort::Value& v, snort::SnortConfig* c)
{
if (dce2_set_co_config(v,config.common))
return true;
else if ( v.is("smb_legacy_mode"))
config.legacy_mode = v.get_bool();
else
- return false;
+ return Module::set(fqn, v, c);
return true;
}
bool legacy_mode;
};
+extern Trace TRACE_NAME(dce_smb);
+
class Dce2SmbModule : public snort::Module
{
public:
#include "dce_smb_paf.h"
-#include "main/snort_debug.h"
-
#include "dce_smb.h"
using namespace snort;
*
*********************************************************************/
static StreamSplitter::Status dce2_smb_paf(DCE2_PafSmbData* ss, Flow* flow, const uint8_t* data,
- uint32_t len, uint32_t flags, uint32_t* fp)
+ uint32_t len, uint32_t, uint32_t* fp)
{
uint32_t n = 0;
StreamSplitter::Status ps = StreamSplitter::SEARCH;
uint32_t nb_len;
DCE2_SmbSsnData* sd = get_dce2_smb_session_data(flow);
- DebugFormat(DEBUG_DCE_SMB, "%s\n", DCE2_DEBUG__PAF_START_MSG_SMB);
- DebugFormat(DEBUG_DCE_SMB, "SMB: %u bytes of data\n", len);
-
-#ifdef DEBUG_MSGS
- if (flags & PKT_FROM_CLIENT)
- DebugMessage(DEBUG_DCE_SMB, "Packet from Client\n");
- else
- DebugMessage(DEBUG_DCE_SMB, "Packet from Server\n");
-#else
- UNUSED(flags);
-#endif
-
if (dce2_paf_abort(flow, (DCE2_SsnData*)sd))
{
- DebugFormat(DEBUG_DCE_SMB, "%s\n", DCE2_DEBUG__PAF_END_MSG);
return StreamSplitter::ABORT;
}
- DebugFormat(DEBUG_DCE_SMB, "Start state: %u\n", ss->paf_state);
-
while (n < len)
{
- DebugFormatNoFileLine(DEBUG_DCE_SMB, " State %d : 0x%02x\n", ss->paf_state, data[n]);
-
switch (ss->paf_state)
{
case DCE2_PAF_SMB_STATES__0:
nb_len = NbssLen((const NbssHdr*)&nb_hdr);
*fp = (nb_len + sizeof(NbssHdr) + n) - ss->paf_state;
ss->paf_state = DCE2_PAF_SMB_STATES__0;
- DebugFormat(DEBUG_DCE_SMB,
- "Setting flush point: %u\n", *fp);
- DebugFormat(DEBUG_DCE_SMB, "%s\n", DCE2_DEBUG__PAF_END_MSG);
return StreamSplitter::FLUSH;
}
- DebugFormatNoFileLine(DEBUG_DCE_SMB, "%s", "Invalid NetBIOS header - "
- "entering junk data states.\n");
+
ss->paf_state = (DCE2_PafSmbStates)(((int)ss->paf_state) + 1);
break;
case DCE2_PAF_SMB_STATES__7:
if (!DCE2_PafSmbIsValidNetbiosHdr((uint32_t)(ss->nb_hdr >> 32), true))
{
- DebugFormatNoFileLine(DEBUG_DCE_SMB, "%s", "Invalid NetBIOS header - "
- "staying in State 7.\n");
break;
}
if (((uint32_t)ss->nb_hdr != DCE2_SMB_ID)
&& ((uint32_t)ss->nb_hdr != DCE2_SMB2_ID))
{
- DebugFormatNoFileLine(DEBUG_DCE_SMB, "%s", "Invalid SMB ID - "
- "staying in State 7.\n");
break;
}
nb_hdr = htonl((uint32_t)(ss->nb_hdr >> 32));
nb_len = NbssLen((const NbssHdr*)&nb_hdr);
*fp = (nb_len + sizeof(NbssHdr) + n) - ss->paf_state;
- DebugFormat(DEBUG_DCE_SMB,
- "Setting flush point: %u\n", *fp);
ss->paf_state = DCE2_PAF_SMB_STATES__0;
- DebugFormat(DEBUG_DCE_SMB, "%s\n", DCE2_DEBUG__PAF_END_MSG);
+
return StreamSplitter::FLUSH;
default:
DCE2_SMB_PAF_SHIFT(ss->nb_hdr, data[n]);
n++;
}
- DebugFormat(DEBUG_DCE_SMB, "%s\n", DCE2_DEBUG__PAF_END_MSG);
return ps;
}
#include "stream/stream_splitter.h"
#define DCE2_SMB_PAF_SHIFT(x64, x8) { (x64) <<= 8; (x64) |= (uint64_t)(x8); }
-#define DCE2_DEBUG__PAF_START_MSG_SMB "DCE/RPC over SMB PAF ====================================="
// Enumerations for PAF states
enum DCE2_PafSmbStates
#include "dce_smb_transaction.h"
-#include "main/snort_debug.h"
-
+#include "dce_smb_module.h"
#include "dce_smb_transaction_utils.h"
#define DCE2_SMB_TRANS__NONE 0x00
// Won't get a response
if (DCE2_SsnIsWindowsPolicy(&ssd->sd) && ttracker->one_way)
{
- DebugFormat(DEBUG_DCE_SMB,
- "Setting pipe to %s mode\n",
- ttracker->pipe_byte_mode ? "byte" : "message");
-
ssd->cur_rtracker->ftracker->fp_byte_mode = ttracker->pipe_byte_mode;
}
}
ttracker->dsent += dcnt;
ttracker->psent += pcnt;
- DebugFormat(DEBUG_DCE_SMB, "Data displacement: %u, "
- "Data count: %u, Total data count: %u\n"
- "Parameter displacement: %u, "
- "Parameter count: %u, Total parameter count: %u\n",
- ddisp, dcnt, tdcnt, pdisp, pcnt, tpcnt);
-
if (data_params & DCE2_SMB_TRANS__DATA)
{
DCE2_MOVE(nb_ptr, nb_len, ((const uint8_t*)smb_hdr + doff) - nb_ptr);
pcnt = SmbTransactionReqParamCnt((const SmbTransactionReq*)nb_ptr);
poff = SmbTransactionReqParamOff((const SmbTransactionReq*)nb_ptr);
- DebugFormat(DEBUG_DCE_SMB,
- "Transaction subcommand: %s (0x%04X)\n",
- (sub_com < TRANS_SUBCOM_MAX)
- ? smb_transaction_sub_command_strings[sub_com]
- : "Unknown", sub_com);
-
ssd->cur_rtracker->ftracker = DCE2_SmbGetFileTracker(ssd, fid);
if (ssd->cur_rtracker->ftracker == nullptr)
return DCE2_RET__IGNORE;
if (DCE2_SsnIsWindowsPolicy(&ssd->sd)
&& ssd->cur_rtracker->ftracker->fp_byte_mode)
{
- DebugMessage(DEBUG_DCE_SMB, "Pipe is in byte "
+ trace_log(dce_smb, "Pipe is in byte "
"mode - TRANS_TRANSACT_NMPIPE won't work\n");
return DCE2_RET__ERROR;
}
&& (DCE2_SmbTransactionGetName(nb_ptr, nb_len,
byte_count, SmbUnicode(smb_hdr)) != DCE2_RET__SUCCESS))
{
- DebugMessage(DEBUG_DCE_SMB, "Failed to validate "
+ trace_log(dce_smb, "Failed to validate "
"pipe name for Samba.\n");
return DCE2_RET__ERROR;
}
pcnt = SmbTransaction2ReqParamCnt((const SmbTransaction2Req*)nb_ptr);
poff = SmbTransaction2ReqParamOff((const SmbTransaction2Req*)nb_ptr);
- DebugFormat(DEBUG_DCE_SMB,
- "Transaction2 subcommand: %s (0x%04X)\n",
- (sub_com < TRANS2_SUBCOM_MAX)
- ? smb_transaction2_sub_command_strings[sub_com]
- : "Unknown", sub_com);
-
switch (sub_com)
{
case TRANS2_OPEN2:
pcnt = SmbNtTransactReqParamCnt((const SmbNtTransactReq*)nb_ptr);
poff = SmbNtTransactReqParamOff((const SmbNtTransactReq*)nb_ptr);
- DebugFormat(DEBUG_DCE_SMB,
- "Nt Transact subcommand: %s (0x%04X)\n",
- (sub_com < NT_TRANSACT_SUBCOM_MAX)
- ? smb_nt_transact_sub_command_strings[sub_com]
- : "Unknown", sub_com);
-
switch (sub_com)
{
case NT_TRANSACT_CREATE:
ttracker->tpcnt = tpcnt;
ttracker->psent = pcnt;
- DebugFormat(DEBUG_DCE_SMB, "Data count: %u, "
- "Total data count: %u, Param count: %u, "
- "Total param count: %u\n", dcnt, tdcnt, pcnt, tpcnt);
-
// Testing shows that Transacts aren't processed until
// all of the data and parameters are received, so overlapping
// writes to the same FID can occur as long as the pid/mid are
poff = SmbTransactionRespParamOff((const SmbTransactionResp*)nb_ptr);
pdisp = SmbTransactionRespParamDisp((const SmbTransactionResp*)nb_ptr);
- DebugFormat(DEBUG_DCE_SMB,
- "Transaction subcommand: %s (0x%04X)\n",
- (sub_com < TRANS_SUBCOM_MAX)
- ? smb_transaction_sub_command_strings[sub_com]
- : "Unknown", sub_com);
-
switch (sub_com)
{
case TRANS_TRANSACT_NMPIPE:
doff = SmbTransaction2RespDataOff((const SmbTransaction2Resp*)nb_ptr);
ddisp = SmbTransaction2RespDataDisp((const SmbTransaction2Resp*)nb_ptr);
- DebugFormat(DEBUG_DCE_SMB,
- "Transaction2 subcommand: %s (0x%04X)\n",
- (sub_com < TRANS2_SUBCOM_MAX)
- ? smb_transaction2_sub_command_strings[sub_com]
- : "Unknown", sub_com);
-
switch (sub_com)
{
case TRANS2_OPEN2:
doff = SmbNtTransactRespDataOff((const SmbNtTransactResp*)nb_ptr);
ddisp = SmbNtTransactRespDataDisp((const SmbNtTransactResp*)nb_ptr);
- DebugFormat(DEBUG_DCE_SMB,
- "Nt Transact subcommand: %s (0x%04X)\n",
- (sub_com < NT_TRANSACT_SUBCOM_MAX)
- ? smb_nt_transact_sub_command_strings[sub_com]
- : "Unknown", sub_com);
-
switch (sub_com)
{
case NT_TRANSACT_CREATE:
ttracker->dsent += dcnt;
ttracker->psent += pcnt;
- DebugFormat(DEBUG_DCE_SMB, "Data displacement: %u, "
- "Data count: %u, Total data count: %u\n"
- "Parameter displacement: %u, "
- "Parameter count: %u, Total parameter count: %u\n",
- ddisp, dcnt, tdcnt, pdisp, pcnt, tpcnt);
-
if (data_params & DCE2_SMB_TRANS__DATA)
{
DCE2_MOVE(nb_ptr, nb_len, ((const uint8_t*)smb_hdr + doff) - nb_ptr);
if (DCE2_ComInfoIsRequest(com_info)
&& !DCE2_SmbIsTransactionComplete(ttracker))
{
- DebugMessage(DEBUG_DCE_SMB, "Got new transaction request "
+ trace_log(dce_smb, "Got new transaction request "
"that matches an in progress transaction - not inspecting.\n");
return DCE2_RET__ERROR;
}
if (DCE2_ComInfoIsRequest(com_info)
&& (DCE2_ComInfoWordCount(com_info) != 16))
{
- DebugMessage(DEBUG_DCE_SMB, "\\PIPE\\LANMAN request - not inspecting\n");
+ trace_log(dce_smb, "\\PIPE\\LANMAN request - not inspecting\n");
return DCE2_RET__IGNORE;
}
if (DCE2_ComInfoIsResponse(com_info)
&& (com_size == sizeof(SmbTransactionInterimResp)))
{
- DebugMessage(DEBUG_DCE_SMB,
- " Server Transaction interim response.\n");
-
return DCE2_RET__SUCCESS;
}
if (rpkt == nullptr)
return DCE2_RET__ERROR;
- DebugMessage(DEBUG_DCE_SMB, "Reassembled Transaction response\n");
- DCE2_PrintPktData(rpkt->data, rpkt->dsize);
-
status = DCE2_SmbProcessResponseData(ssd, data_ptr, data_len);
if (status != DCE2_RET__SUCCESS)
break;
case TRANS_SET_NMPIPE_STATE:
- DebugFormat(DEBUG_DCE_SMB, "Setting pipe "
- "to %s mode\n", ttracker->pipe_byte_mode ? "byte" : "message");
ssd->cur_rtracker->ftracker->fp_byte_mode = ttracker->pipe_byte_mode;
break;
if (DCE2_ComInfoIsRequest(com_info)
&& !DCE2_SmbIsTransactionComplete(ttracker))
{
- DebugMessage(DEBUG_DCE_SMB, "Got new transaction request "
+ trace_log(dce_smb, "Got new transaction request "
"that matches an in progress transaction - not inspecting.\n");
return DCE2_RET__ERROR;
}
if (DCE2_ComInfoIsRequest(com_info)
&& !DCE2_SmbIsTransactionComplete(ttracker))
{
- DebugMessage(DEBUG_DCE_SMB, "Got new transaction request "
+ trace_log(dce_smb, "Got new transaction request "
"that matches an in progress transaction - not inspecting.\n");
return DCE2_RET__ERROR;
}
snort::Packet* rpkt = DCE2_SmbGetRpkt(ssd, &data_ptr, &data_len, DCE2_RPKT_TYPE__SMB_TRANS);
if (rpkt == nullptr)
- return DCE2_RET__ERROR;
-
- DebugMessage(DEBUG_DCE_SMB, "Reassembled Transaction request\n");
- DCE2_PrintPktData(rpkt->data, rpkt->dsize);
+ return DCE2_RET__ERROR;
status = DCE2_SmbTransactionReq(ssd, ttracker, data_ptr, data_len,
DCE2_BufferData(ttracker->pbuf), DCE2_BufferLength(ttracker->pbuf));
#include "dce_smb_transaction_utils.h"
-#include "main/snort_debug.h"
-
#define TRANS_NM_PIPE_0 (0)
#define TRANS_NM_PIPE_1 (TRANS_NM_PIPE_0+7)
#define TRANS_NM_PIPE_2 (TRANS_NM_PIPE_1+1)
{
snort::Profile profile(dce2_smb_pstat_smb_req);
- DebugMessage(DEBUG_DCE_SMB, "Buffering transaction data.\n");
-
if (ttracker->dbuf == nullptr)
{
/* Buf size should be the total data count we need */
if (DCE2_BufferAddData(ttracker->dbuf, data_ptr, dcnt, ddisp,
DCE2_BUFFER_MIN_ADD_FLAG__IGNORE) != DCE2_RET__SUCCESS)
{
- DebugMessage(DEBUG_DCE_SMB,
- "Failed to buffer transaction data.\n");
return DCE2_RET__ERROR;
}
- DebugMessage(DEBUG_DCE_SMB,
- "Successfully buffered transaction data.\n");
-
return DCE2_RET__SUCCESS;
}
{
snort::Profile profile(dce2_smb_pstat_smb_req);
- DebugMessage(DEBUG_DCE_SMB, "Buffering transaction parameters.\n");
-
if (ttracker->pbuf == nullptr)
{
/* Buf size should be the total data count we need */
if (DCE2_BufferAddData(ttracker->pbuf, param_ptr, pcnt, pdisp,
DCE2_BUFFER_MIN_ADD_FLAG__IGNORE) != DCE2_RET__SUCCESS)
{
- DebugMessage(DEBUG_DCE_SMB,
- "Failed to buffer transaction parameter data.\n");
return DCE2_RET__ERROR;
}
- DebugMessage(DEBUG_DCE_SMB,
- "Successfully buffered transaction parameter data.\n");
-
return DCE2_RET__SUCCESS;
}
{
Profile profile(dce2_smb_pstat_smb_uid);
- DebugFormat(DEBUG_DCE_SMB, "Inserting Uid: %hu\n", uid);
-
if (ssd->uid == DCE2_SENTINEL)
{
ssd->uid = (int)uid;
Profile profile(dce2_smb_pstat_smb_uid);
- DebugFormat(DEBUG_DCE_SMB,"Removing Uid: %hu\n", uid);
-
if ((ssd->uid != DCE2_SENTINEL) && (ssd->uid == (int)uid))
ssd->uid = DCE2_SENTINEL;
else
break;
default:
- DebugFormat(DEBUG_DCE_SMB, "Invalid policy: %d", policy);
+ assert(false);
break;
}
}
if (ssd->outstanding_requests > dce2_smb_stats.smb_max_outstanding_requests)
dce2_smb_stats.smb_max_outstanding_requests = ssd->outstanding_requests;
- DebugFormat(DEBUG_DCE_SMB, "Added new request tracker => "
- "Uid: %hu, Tid: %hu, Pid: %hu, Mid: %d\n",
- rtracker->uid, rtracker->tid, rtracker->pid, rtracker->mid);
- DebugFormat(DEBUG_DCE_SMB,
- "Current outstanding requests: %hu\n", ssd->outstanding_requests);
-
return rtracker;
}
&& (DCE2_ScSmbFileDepth((dce2SmbProtoConf*)ssd->sd.config) == -1))
return nullptr;
- DebugFormat(DEBUG_DCE_SMB, "Creating new file tracker "
- "with Uid: %hu, Tid: %hu, Fid: 0x%04X\n", uid, tid, fid);
-
DCE2_SmbFileTracker* ftracker = nullptr;
if (ssd->ftracker.fid_v1 == DCE2_SENTINEL)
{
ftracker->ff_bytes_queued = 0;
if ((ssd->fapi_ftracker == nullptr) && (ssd->max_file_depth != -1))
{
- DebugFormat(DEBUG_DCE_SMB, "Designating file tracker "
- "for file API processing: 0x%04X\n", (uint16_t)fid);
ssd->fapi_ftracker = ftracker;
}
}
{
Profile profile(dce2_smb_pstat_smb_fid);
- DebugFormat(DEBUG_DCE_SMB, "Finding file tracker with "
- "Uid: %hu, Tid: %hu, Fid: 0x%04X ... ", uid, tid, fid);
-
DCE2_SmbFileTracker* ftracker;
if ((ssd->ftracker.fid_v1 != DCE2_SENTINEL) && (ssd->ftracker.fid_v1 == (int)fid))
{
if (ftracker == nullptr)
{
- DebugMessage(DEBUG_DCE_SMB, "Not found.\n");
return nullptr;
}
// Only Uid used to open file can be used to make a request
if (ftracker->uid_v1 != uid)
{
- DebugMessage(DEBUG_DCE_SMB, "Not found.\n");
return nullptr;
}
// Check that the Uid exists
if (DCE2_SmbFindUid(ssd, uid) != DCE2_RET__SUCCESS)
{
- DebugMessage(DEBUG_DCE_SMB, "Not found.\n");
return nullptr;
}
// Both Uid and Tid used to create file must be used to make a request
if ((ftracker->uid_v1 != uid) || (ftracker->tid_v1 != tid))
{
- DebugMessage(DEBUG_DCE_SMB, "Not found.\n");
return nullptr;
}
break;
default:
- DebugFormat(DEBUG_DCE_SMB, "Invalid policy: %d", policy);
+ assert(false);
break;
}
- DebugFormat(DEBUG_DCE_SMB, "Found with "
- "Uid: %hu, Tid: %hu, Fid: 0x%04X\n",
- ftracker->uid_v1, ftracker->tid_v1, ftracker->fid_v1);
return ftracker;
}
Profile profile(dce2_smb_pstat_smb_fid);
- DebugFormat(DEBUG_DCE_SMB,
- "Removing file tracker with Fid: 0x%04X\n", ftracker->fid_v1);
-
if (ssd->fapi_ftracker == ftracker)
DCE2_SmbFinishFileAPI(ssd);
if (ftracker == nullptr)
return;
- DebugFormat(DEBUG_DCE_SMB, "Freeing file tracker: "
- "Uid: %hu, Tid: %hu, Fid: 0x%04X\n",
- ftracker->uid_v1, ftracker->tid_v1, ftracker->fid_v1);
-
DCE2_SmbCleanFileTracker(ftracker);
snort_free((void*)ftracker);
}
return;
}
- DebugFormat(DEBUG_DCE_SMB, "Removing request tracker => "
- "Uid: %hu, Tid: %hu, Pid: %hu, Mid: %d ... ",
- rtracker->uid, rtracker->tid, rtracker->pid, rtracker->mid);
-
if (rtracker == &ssd->rtracker)
{
- DebugMessage(DEBUG_DCE_SMB, "Removed\n");
-
DCE2_SmbCleanRequestTracker(&ssd->rtracker);
ssd->outstanding_requests--;
return;
{
if (tmp_node == (void*)rtracker)
{
- DebugMessage(DEBUG_DCE_SMB, "Removed\n");
-
DCE2_QueueRemoveCurrent(ssd->rtrackers);
ssd->outstanding_requests--;
return;
}
}
-
- DebugMessage(DEBUG_DCE_SMB, "Not removed.\n");
}
void DCE2_SmbRemoveFileTrackerFromRequestTrackers(DCE2_SmbSsnData* ssd,
DCE2_SmbRequestTracker* rtracker, const uint16_t fid)
{
Profile profile(dce2_smb_pstat_smb_fid);
- DebugFormat(DEBUG_DCE_SMB, "Dequeuing file tracker and binding to fid: 0x%04X\n", fid);
+
DCE2_SmbFileTracker* ftracker = (DCE2_SmbFileTracker*)DCE2_QueueDequeue(rtracker->ft_queue);
if (ftracker == nullptr)
if (rtracker == nullptr)
return;
- DebugFormat(DEBUG_DCE_SMB, "Freeing request tracker: "
- "Uid: %hu, Tid: %hu, Pid: %hu, Mid: %d\n",
- rtracker->uid, rtracker->tid, rtracker->pid, rtracker->mid);
-
DCE2_SmbCleanRequestTracker(rtracker);
snort_free((void*)rtracker);
}
{
Profile profile(dce2_smb_pstat_smb_tid);
- DebugFormat(DEBUG_DCE_SMB, "Removing Tid: %hu\n", tid);
-
if ((ssd->tid != DCE2_SENTINEL) && ((ssd->tid & 0x0000ffff) == (int)tid))
ssd->tid = DCE2_SENTINEL;
else
|| ((ssd->max_file_depth == -1) && DCE2_ScSmbFileDepth(
(dce2SmbProtoConf*)ssd->sd.config) == -1)))
{
- DebugFormat(DEBUG_DCE_SMB, "Not inserting TID (%hu) "
+ trace_logf(dce_smb, "Not inserting TID (%hu) "
"because it's not IPC and not inspecting normal file "
- "data.", tid);
+ "data.\n", tid);
return;
}
if (is_ipc && DCE2_ScSmbFileInspectionOnly((dce2SmbProtoConf*)ssd->sd.config))
{
- DebugFormat(DEBUG_DCE_SMB, "Not inserting TID (%hu) "
+ trace_logf(dce_smb, "Not inserting TID (%hu) "
"because it's IPC and only inspecting normal file "
- "data.", tid);
+ "data.\n", tid);
return;
}
- DebugFormat(DEBUG_DCE_SMB, "Inserting Tid: %hu\n", tid);
int insert_tid = (int)tid;
// Set a bit so as to distinguish between IPC and non-IPC TIDs
if (!is_ipc)
{
Profile profile(dce2_smb_pstat_smb_fid);
- DebugFormat(DEBUG_DCE_SMB, "Queuing file tracker "
- "with Uid: %hu, Tid: %hu\n", uid, tid);
-
DCE2_SmbFileTracker* ftracker = (DCE2_SmbFileTracker*)
snort_calloc(sizeof(DCE2_SmbFileTracker));
if (ftracker == nullptr)
return DCE2_RET__ERROR;
- DebugFormat(DEBUG_DCE_SMB,
- "Processing request data with Fid: 0x%04X ~~~~~~~~~~~~~~~~~\n", ftracker->fid_v1);
-
// Set this in case of chained commands or reassembled packet
ssd->cur_rtracker->ftracker = ftracker;
DCE2_SmbProcessFileData(ssd, ftracker, data_ptr, data_len, true);
}
- DebugMessage(DEBUG_DCE_SMB, "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");
-
return DCE2_RET__SUCCESS;
}
if (ftracker == nullptr)
return DCE2_RET__ERROR;
- DebugFormat(DEBUG_DCE_SMB,
- "Processing response data with Fid: 0x%04X ~~~~~~~~~~~~~~~~\n", ftracker->fid_v1);
-
if (ftracker->is_ipc)
{
// Maximum possible fragment length is 16 bit
DCE2_SmbProcessFileData(ssd, ftracker, data_ptr, data_len, false);
}
- DebugMessage(DEBUG_DCE_SMB, "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");
-
return DCE2_RET__SUCCESS;
}
position = SNORT_FILE_MIDDLE;
}
- DebugMessage(DEBUG_DCE_SMB, "Sending SMB file data to file API ........\n");
-
Profile profile(dce2_smb_pstat_smb_file_api);
FileFlows* file_flows = FileFlows::get_file_flows(ssd->sd.wire_pkt->flow);
if (!file_flows->file_process(data_ptr, (int)data_len, position, upload,
DCE2_SmbIsVerdictSuspend(upload, position)))
{
- DebugFormat(DEBUG_DCE_SMB, "File API returned FAILURE "
+ trace_logf(dce_smb, "File API returned FAILURE "
"for (0x%02X) %s\n", ftracker->fid_v1, upload ? "UPLOAD" : "DOWNLOAD");
// Failure. Abort tracking this file under file API
}
else
{
- DebugFormat(DEBUG_DCE_SMB, "File API returned SUCCESS "
- "for (0x%02X) %s\n", ftracker->fid_v1, upload ? "UPLOAD" : "DOWNLOAD");
-
if (((position == SNORT_FILE_START) || (position == SNORT_FILE_FULL))
&& (ftracker->file_name_size != 0))
{
if ((ret = DCE2_ListInsert(ftracker->ff_file_chunks,
(void*)file_chunk, (void*)file_chunk)) != DCE2_RET__SUCCESS)
{
- DebugFormat(DEBUG_DCE_SMB, "Insert file chunk failed: "
- "0x%02X.\n", ftracker->fid_v1);
-
snort_free((void*)file_chunk->data);
snort_free((void*)file_chunk);
}
}
- DebugFormat(DEBUG_DCE_SMB, "Currently buffering %u bytes "
- "of out of order file data.\n", ftracker->ff_bytes_queued);
-
return DCE2_RET__SUCCESS;
}
Profile profile(dce2_smb_pstat_smb_file);
- DebugFormat(DEBUG_DCE_SMB,
- "File size: %" PRIu64 ", File offset: %" PRIu64 ", Bytes processed: %" PRIu64 ", "
- "Data len: %u\n", ftracker->ff_file_size, ftracker->ff_file_offset,
- ftracker->ff_bytes_processed, data_len);
-
// Account for wrapping. Not likely but just in case.
if ((ftracker->ff_bytes_processed + data_len) < ftracker->ff_bytes_processed)
{
if (cur_upload)
{
// Went from writing to reading. Ignore the read.
- DebugMessage(DEBUG_DCE_SMB, "Went from writing to "
- "reading - ignoring read.\n");
return;
}
- DebugMessage(DEBUG_DCE_SMB, "Went from reading to "
- "writing - consider transfer done.\n");
-
// Went from reading to writing. Consider the transfer done
// and remove the file tracker.
DCE2_SmbRemoveFileTracker(ssd, ftracker);
}
else if (ftracker->ff_file_offset < ftracker->ff_bytes_processed)
{
- DebugFormat(DEBUG_DCE_SMB, "File offset %" PRIu64 " is "
+ trace_logf(dce_smb, "File offset %" PRIu64 " is "
"less than bytes processed %" PRIu64 " - aborting.\n",
ftracker->ff_file_offset, ftracker->ff_bytes_processed);
|| ((file_data_depth != 0)
&& (ftracker->ff_bytes_processed >= (uint64_t)file_data_depth)))
{
- DebugFormat(DEBUG_DCE_SMB, "Bytes processed %" PRIu64
- "is at or beyond file data depth %" PRIi64 " - finished.\n",
- ftracker->ff_bytes_processed, file_data_depth);
+ // Bytes processed is at or beyond file data depth - finished.
DCE2_SmbRemoveFileTracker(ssd, ftracker);
-
return;
}
}
{
Packet* top_pkt = DetectionEngine::get_current_packet();
- DebugMessage(DEBUG_DCE_SMB, "Payload:\n");
- DCE2_PrintPktData(top_pkt->data, top_pkt->dsize);
-
Profile profile(dce2_smb_pstat_smb_file_detect);
DetectionEngine::detect(top_pkt);
&& !ftracker->is_ipc && ftracker->ff_sequential_only
&& (ftracker->ff_bytes_processed == 0))
{
- DebugFormat(DEBUG_DCE_SMB, "Designating file tracker "
- "for file API processing: \"%s\" (0x%04X)\n",
- ftracker->file_name, (uint16_t)ftracker->fid_v1);
break;
}
{
Profile profile(dce2_tcp_pstat_new_session);
- DebugMessage(DEBUG_DCE_TCP, "DCE over TCP packet detected\n");
- DebugMessage(DEBUG_DCE_TCP, "Creating new session\n");
-
DCE2_TcpSsnData* dce2_tcp_sess = set_new_dce2_tcp_session(p);
if ( dce2_tcp_sess )
DCE2_ResetRopts(&dce2_tcp_sess->sd.ropts);
dce2_tcp_stats.tcp_sessions++;
- DebugFormat(DEBUG_DCE_TCP,"Created (%p)\n", (void*)dce2_tcp_sess);
dce2_tcp_sess->sd.trans = DCE2_TRANS_TYPE__TCP;
dce2_tcp_sess->sd.server_policy = config->common.policy;
dce2_tcp_sess = dce2_create_new_tcp_session(p, config);
}
- DebugFormat(DEBUG_DCE_TCP, "Session pointer: %p\n", (void*)dce2_tcp_sess);
-
return dce2_tcp_sess;
}
{
DCE2_TcpSsnData* dce2_tcp_sess;
Profile profile(dce2_tcp_pstat_main);
- if (DCE2_SsnFromServer(p))
- {
- DebugMessage(DEBUG_DCE_TCP, "Packet from Server.\n");
- }
- else
- {
- DebugMessage(DEBUG_DCE_TCP, "Packet from Client.\n");
- }
assert(p->has_tcp_data());
assert(p->flow);
if (p->flow->get_session_flags() & SSNFLAG_MIDSTREAM)
{
- DebugMessage(DEBUG_DCE_TCP,
- "Midstream - not inspecting.\n");
return;
}
#include "dce_tcp_paf.h"
-#include "main/snort_debug.h"
-
#include "dce_tcp.h"
using namespace snort;
int num_requests = 0;
- DebugFormat(DEBUG_DCE_TCP, "%s\n", DCE2_DEBUG__PAF_START_MSG_TCP);
- DebugFormat(DEBUG_DCE_TCP, "TCP: %u bytes of data\n", len);
-
-#ifdef DEBUG_MSGS
- if (flags & PKT_FROM_CLIENT)
- DebugMessage(DEBUG_DCE_TCP, "Packet from Client\n");
- else
- DebugMessage(DEBUG_DCE_TCP, "Packet from Server\n");
-#endif
-
if (dce2_paf_abort(flow, (DCE2_SsnData*)sd))
{
- DebugFormat(DEBUG_DCE_TCP, "%s\n", DCE2_DEBUG__PAF_END_MSG);
return StreamSplitter::ABORT;
}
if (sd == nullptr)
{
bool autodetected = false;
- DebugMessage(DEBUG_DCE_TCP, "No session data - autodetecting\n");
-
if (len >= sizeof(DceRpcCoHdr))
{
const DceRpcCoHdr* co_hdr = (const DceRpcCoHdr*)data;
&& (DceRpcCoFragLen(co_hdr) >= sizeof(DceRpcCoHdr)))
{
autodetected = true;
- DebugMessage(DEBUG_DCE_TCP, "Autodetected!\n");
}
}
else if ((*data == DCERPC_PROTO_MAJOR_VERS__5) && (flags & PKT_FROM_CLIENT))
{
autodetected = true;
- DebugMessage(DEBUG_DCE_TCP, "Autodetected!\n");
}
if (!autodetected)
{
- DebugMessage(DEBUG_DCE_TCP, "Couldn't autodetect - aborting\n");
- DebugFormat(DEBUG_DCE_TCP, "%s\n", DCE2_DEBUG__PAF_END_MSG);
return StreamSplitter::ABORT;
}
}
- DebugFormat(DEBUG_DCE_TCP, "Start state: %d\n", ds->paf_state);
start_state = (uint8_t)ds->paf_state;
while (n < len)
{
- DebugFormatNoFileLine(DEBUG_DCE_TCP, " State %d : 0x%02x\n", ds->paf_state, data[n]);
-
switch (ds->paf_state)
{
case DCE2_PAF_TCP_STATES__4: // Get byte order
ds->byte_order = DceRpcByteOrder(data[n]);
ds->paf_state = (DCE2_PafTcpStates)(((int)ds->paf_state) + 1);
- if (ds->byte_order == DCERPC_BO_FLAG__LITTLE_ENDIAN)
- {
- DebugFormatNoFileLine(DEBUG_DCE_TCP, "%s","Byte order: Little endian\n");
- }
- else
- {
- DebugFormatNoFileLine(DEBUG_DCE_TCP, "%s","Byte order: Big endian\n");
- }
break;
case DCE2_PAF_TCP_STATES__8:
- DebugFormatNoFileLine(DEBUG_DCE_TCP, "%s", "First byte of fragment length\n");
if (ds->byte_order == DCERPC_BO_FLAG__LITTLE_ENDIAN)
ds->frag_len = data[n];
else
ds->paf_state = (DCE2_PafTcpStates)(((int)ds->paf_state) + 1);
break;
case DCE2_PAF_TCP_STATES__9:
- DebugFormatNoFileLine(DEBUG_DCE_TCP, "%s", "Second byte of fragment length\n");
if (ds->byte_order == DCERPC_BO_FLAG__LITTLE_ENDIAN)
ds->frag_len |= data[n] << 8;
else
/* If we get a bad frag length abort */
if (ds->frag_len < sizeof(DceRpcCoHdr))
{
- DebugFormatNoFileLine(DEBUG_DCE_TCP, "%s\n", DCE2_DEBUG__PAF_END_MSG);
return StreamSplitter::ABORT;
}
- DebugFormatNoFileLine(DEBUG_DCE_TCP, "Fragment length: %hu\n", ds->frag_len);
-
/* Increment n here so we can continue */
n += ds->frag_len - (uint8_t)ds->paf_state;
num_requests++;
* flush just before it */
if ((num_requests == 1) || (n <= len))
tmp_fp += ds->frag_len;
- DebugFormatNoFileLine(DEBUG_DCE_TCP, "Requests: %d\n", num_requests);
+
ds->paf_state = DCE2_PAF_TCP_STATES__0;
continue; // we incremented n already
default:
if (tmp_fp != 0)
{
*fp = tmp_fp - start_state;
- DebugFormat(DEBUG_DCE_TCP, "Setting flush point: %u\n", *fp);
- DebugFormat(DEBUG_DCE_TCP, "%s\n", DCE2_DEBUG__PAF_END_MSG);
return StreamSplitter::FLUSH;
}
- DebugFormat(DEBUG_DCE_TCP, "%s\n", DCE2_DEBUG__PAF_END_MSG);
return ps;
}
{
Profile profile(dce2_udp_pstat_new_session);
- DebugMessage(DEBUG_DCE_UDP, "DCE over UDP packet detected\n");
- DebugMessage(DEBUG_DCE_UDP, "Creating new session\n");
-
DCE2_UdpSsnData* dce2_udp_sess = set_new_dce2_udp_session(p);
DCE2_ResetRopts(&dce2_udp_sess->sd.ropts);
dce2_udp_stats.udp_sessions++;
- DebugFormat(DEBUG_DCE_UDP,"Created (%p)\n", (void*)dce2_udp_sess);
-
dce2_udp_sess->sd.trans = DCE2_TRANS_TYPE__UDP;
dce2_udp_sess->sd.wire_pkt = p;
dce2_udp_sess->sd.config = (void*)config;
dce2_udp_sess = dce2_create_new_udp_session(p, config);
}
- DebugFormat(DEBUG_DCE_UDP, "Session pointer: %p\n", (void*)dce2_udp_sess);
-
return dce2_udp_sess;
}
{
DCE2_UdpSsnData* dce2_udp_sess;
Profile profile(dce2_udp_pstat_main);
- if (DCE2_SsnFromServer(p))
- {
- DebugMessage(DEBUG_DCE_UDP, "Packet from Server.\n");
- }
- else
- {
- DebugMessage(DEBUG_DCE_UDP, "Packet from Client.\n");
- }
assert(p->flow);
using namespace snort;
using namespace std;
+Trace TRACE_NAME(dce_udp);
+
static const Parameter s_params[] =
{
{ "disable_defrag", Parameter::PT_BOOL, nullptr, "false",
{ CountType::END, nullptr, nullptr }
};
-Dce2UdpModule::Dce2UdpModule() : Module(DCE2_UDP_NAME, DCE2_UDP_HELP, s_params)
+Dce2UdpModule::Dce2UdpModule() : Module(DCE2_UDP_NAME, DCE2_UDP_HELP, s_params, false, &TRACE_NAME(dce_udp))
{
}
return nullptr;
}
-bool Dce2UdpModule::set(const char*, Value& v, SnortConfig*)
+bool Dce2UdpModule::set(const char* fqn, Value& v, SnortConfig* c)
{
if (dce2_set_common_config(v,config.common))
return true;
else
- return false;
+ return Module::set(fqn, v, c);
}
void Dce2UdpModule::get_data(dce2UdpProtoConf& dce2_udp_config)
dce2CommonProtoConf common;
};
+extern Trace TRACE_NAME(dce_udp);
+
class Dce2UdpModule : public snort::Module
{
public:
const uint8_t* data_ptr = sd->wire_pkt->data;
uint16_t data_len = sd->wire_pkt->dsize;
- DebugMessage(DEBUG_DCE_UDP, "Cl processing ...\n");
-
if (data_len < sizeof(DceRpcClHdr))
{
dce_alert(GID_DCE2, DCE2_CL_DATA_LT_HDR, (dce2CommonStats*)&dce2_udp_stats);
switch (DceRpcClPduType(cl_hdr))
{
case DCERPC_PDU_TYPE__REQUEST:
- DebugMessage(DEBUG_DCE_UDP, "Request\n");
dce2_udp_stats.cl_request++;
DCE2_ClRequest(sd, at, cl_hdr, data_ptr, data_len);
break;
case DCERPC_PDU_TYPE__ACK:
- DebugMessage(DEBUG_DCE_UDP, "Ack\n");
dce2_udp_stats.cl_ack++;
break;
case DCERPC_PDU_TYPE__CL_CANCEL:
- DebugMessage(DEBUG_DCE_UDP, "Cancel\n");
dce2_udp_stats.cl_cancel++;
break;
case DCERPC_PDU_TYPE__FACK:
- DebugMessage(DEBUG_DCE_UDP, "Fack\n");
dce2_udp_stats.cl_cli_fack++;
break;
case DCERPC_PDU_TYPE__PING:
- DebugMessage(DEBUG_DCE_UDP, "Ping\n");
dce2_udp_stats.cl_ping++;
break;
case DCERPC_PDU_TYPE__RESPONSE:
{
- DebugMessage(DEBUG_DCE_UDP, "Response from client. Changing stream direction.");
+ trace_log(dce_udp, "Response from client. Changing stream direction.\n");
Packet* p = sd->wire_pkt;
ip::IpApi* ip_api = &p->ptrs.ip_api;
break;
}
default:
- DebugMessage(DEBUG_DCE_UDP, "Other pdu type\n");
dce2_udp_stats.cl_other_req++;
break;
}
switch (DceRpcClPduType(cl_hdr))
{
case DCERPC_PDU_TYPE__RESPONSE:
- DebugMessage(DEBUG_DCE_UDP, "Response\n");
dce2_udp_stats.cl_response++;
break;
case DCERPC_PDU_TYPE__REJECT:
- DebugMessage(DEBUG_DCE_UDP, "Reject\n");
dce2_udp_stats.cl_reject++;
if (DceRpcClSeqNum(cl_hdr) == at->seq_num)
break;
case DCERPC_PDU_TYPE__CANCEL_ACK:
- DebugMessage(DEBUG_DCE_UDP, "Cancel Ack\n");
dce2_udp_stats.cl_cancel_ack++;
break;
case DCERPC_PDU_TYPE__FACK:
- DebugMessage(DEBUG_DCE_UDP, "Fack\n");
dce2_udp_stats.cl_srv_fack++;
break;
case DCERPC_PDU_TYPE__FAULT:
- DebugMessage(DEBUG_DCE_UDP, "Fault\n");
dce2_udp_stats.cl_fault++;
break;
case DCERPC_PDU_TYPE__NOCALL:
- DebugMessage(DEBUG_DCE_UDP, "No call\n");
dce2_udp_stats.cl_nocall++;
break;
case DCERPC_PDU_TYPE__WORKING:
- DebugMessage(DEBUG_DCE_UDP, "Working\n");
dce2_udp_stats.cl_working++;
break;
default:
- DebugMessage(DEBUG_DCE_UDP, "Other pdu type\n");
dce2_udp_stats.cl_other_resp++;
break;
}
{
const uint32_t seq_num = DceRpcClSeqNum(cl_hdr);
- DebugMessage(DEBUG_DCE_UDP, "Processing Request ...\n");
-
if (seq_num > at->seq_num)
{
/* This is the normal case where the sequence number is incremented
fnode = (DCE2_ClFragNode*)DCE2_ListNext(ft->frags))
{
if (fnode->frag_len > rlen)
- {
- DebugMessage(DEBUG_DCE_UDP,
- "Size of fragments exceeds reassembly buffer size. "
- "Using as many fragments as will fit.");
break;
- }
memcpy(const_cast<uint8_t*>(rdata), fnode->frag_data, fnode->frag_len);
DCE2_MOVE(rdata, rlen, fnode->frag_len);
#include "dce_utils.h"
-#include "main/snort_debug.h"
#include "utils/safec.h"
#include "utils/util.h"
return uuid_buf;
}
-#ifdef DEBUG_MSGS
-void DCE2_PrintPktData(const uint8_t* data, const uint16_t len)
-{
- unsigned int i, j = 0, line_len = 0;
- uint8_t hex_buf[16];
- uint8_t char_buf[16];
-
- for (i = 0; i < len; i++)
- {
- hex_buf[j] = data[i];
-
- if (isascii((int)data[i]) && isprint((int)data[i]))
- char_buf[j] = data[i];
- else
- char_buf[j] = '.';
-
- if (line_len == 15)
- {
- unsigned int k, sub_line_len = 0;
- for (k = 0; k <= j; k++)
- {
- DebugFormatNoFileLine(DEBUG_DCE_COMMON,"%02x ", hex_buf[k]);
- if (sub_line_len >= 7)
- {
- DebugFormatNoFileLine(DEBUG_DCE_COMMON,"%s"," ");
- sub_line_len = 0;
- }
- else
- {
- sub_line_len++;
- }
- }
-
- DebugFormatNoFileLine(DEBUG_DCE_COMMON,"%s"," ");
-
- sub_line_len = 0;
- for (k = 0; k <= j; k++)
- {
- DebugFormatNoFileLine(DEBUG_DCE_COMMON,"%c", char_buf[k]);
- if (sub_line_len >= 7)
- {
- DebugFormatNoFileLine(DEBUG_DCE_COMMON,"%s"," ");
- sub_line_len = 0;
- }
- else
- {
- sub_line_len++;
- }
- }
-
- DebugFormatNoFileLine(DEBUG_DCE_COMMON,"%s","\n");
-
- j = line_len = 0;
- }
- else
- {
- j++;
- line_len++;
- }
- }
-
- if (line_len > 0)
- {
- unsigned int k, sub_line_len = 0;
- for (k = 0; k < j; k++)
- {
- DebugFormatNoFileLine(DEBUG_DCE_COMMON,"%02x ", hex_buf[k]);
- if (sub_line_len >= 7)
- {
- DebugFormatNoFileLine(DEBUG_DCE_COMMON,"%s"," ");
- sub_line_len = 0;
- }
- else
- {
- sub_line_len++;
- }
- }
-
- if (k < 8)
- DebugFormatNoFileLine(DEBUG_DCE_COMMON,"%s"," ");
- else
- DebugFormatNoFileLine(DEBUG_DCE_COMMON,"%s"," ");
-
- while (k < 16)
- {
- DebugFormatNoFileLine(DEBUG_DCE_COMMON,"%s"," ");
- k++;
- }
-
- sub_line_len = 0;
- for (k = 0; k < j; k++)
- {
- DebugFormatNoFileLine(DEBUG_DCE_COMMON,"%c", char_buf[k]);
- if (sub_line_len >= 7)
- {
- DebugFormatNoFileLine(DEBUG_DCE_COMMON,"%s"," ");
- sub_line_len = 0;
- }
- else
- {
- sub_line_len++;
- }
- }
- }
-
- DebugFormatNoFileLine(DEBUG_DCE_COMMON,"%s","\n");
-}
-
-#else
-void DCE2_PrintPktData(const uint8_t*, const uint16_t)
-{
-}
-
-#endif // DEBUG_MSGS
DCE2_Buffer* DCE2_BufferNew(uint32_t initial_size, uint32_t min_add_size)
{
}
else if (new_size < old_size)
{
- DebugMessage(DEBUG_DCE_COMMON, "New size is less than old size.\n");
return nullptr;
}
else if (new_size == old_size)
* Public function prototypes
********************************************************************/
DCE2_Ret DCE2_GetValue(const char*, char*, void*, int, DCE2_IntType, uint8_t);
-void DCE2_PrintPktData(const uint8_t*, const uint16_t);
DCE2_Buffer* DCE2_BufferNew(uint32_t, uint32_t);
void* DCE2_ReAlloc(void*, uint32_t, uint32_t);
DCE2_Ret DCE2_BufferAddData(DCE2_Buffer*, const uint8_t*,
Profile profile(dce2_smb_pstat_smb_req);
- DebugFormat(DEBUG_DCE_SMB, "Find request tracker => "
- "Uid: %hu, Tid: %hu, Pid: %hu, Mid: %hu ... ", uid, tid, pid, mid);
-
DCE2_SmbRequestTracker* tmp_rtracker = &ssd->rtracker;
int smb_com = SmbCom(smb_hdr);
switch (smb_com)
if (ret_rtracker != nullptr)
{
- DebugMessage(DEBUG_DCE_SMB, "Found.\n");
return ret_rtracker;
}
ret_rtracker = first_mid_rtracker;
break;
default:
- DebugFormat(DEBUG_DCE_SMB, "Invalid policy: %d", policy);
+ assert(false);
break;
}
if ((SmbEmptyComWct(ec) == 0)
&& (SmbEmptyComBcc(ec) == 0) && SmbError(smb_hdr))
{
- DebugFormat(DEBUG_DCE_SMB,
- "Response error: 0x%08X\n", SmbNtStatus(smb_hdr));
-
// If broken pipe, clean up data associated with open named pipe
if (SmbBrokenPipe(smb_hdr))
{
- DebugMessage(DEBUG_DCE_SMB, "Broken or disconnected pipe.\n");
DCE2_SmbRemoveFileTracker(ssd, ssd->cur_rtracker->ftracker);
}
com_info.cmd_size = 0;
com_info.byte_count = 0;
DCE2_SmbCheckCommand(ssd, smb_hdr, smb_com, nb_ptr, nb_len, com_info);
- DebugFormat(DEBUG_DCE_SMB, "Processing command: %s (0x%02X)\n",
+ trace_logf(dce_smb, "Processing command: %s (0x%02X)\n",
get_smb_com_string(smb_com), smb_com);
// Note that even if the command shouldn't be processed, some of
if (smb_com2 == SMB_COM_NO_ANDX_COMMAND)
break;
- DebugFormat(DEBUG_DCE_SMB, "Chained SMB command: %s\n",
+ trace_logf(dce_smb, "Chained SMB command: %s\n",
get_smb_com_string(smb_com2));
num_chained++;
{
int smb_com = SmbCom(smb_hdr);
- DebugFormat(DEBUG_DCE_SMB, "SMB command: %s (0x%02X)\n",
+ trace_logf(dce_smb, "SMB command: %s (0x%02X)\n",
get_smb_com_string(smb_com), smb_com);
if (smb_com_funcs[smb_com] == nullptr)
{
- DebugMessage(DEBUG_DCE_SMB, "Command isn't processed "
- "by preprocessor.\n");
return nullptr;
}
break;
default:
if (DCE2_SmbFindTid(ssd, SmbTid(smb_hdr)) != DCE2_RET__SUCCESS)
- {
- DebugFormat(DEBUG_DCE_SMB,
- "Couldn't find Tid (%hu)\n", SmbTid(smb_hdr));
return nullptr;
- }
if (DCE2_SmbIsTidIPC(ssd, SmbTid(smb_hdr)))
{
case DCE2_POLICY__SAMBA_3_0_37:
case DCE2_POLICY__SAMBA_3_0_22:
case DCE2_POLICY__SAMBA_3_0_20:
- DebugMessage(DEBUG_DCE_SMB, "Samba doesn't "
- "process this command under an IPC tree.\n");
return nullptr;
default:
break;
case DCE2_POLICY__SAMBA_3_0_37:
case DCE2_POLICY__SAMBA_3_0_22:
case DCE2_POLICY__SAMBA_3_0_20:
- DebugMessage(DEBUG_DCE_SMB, "Samba and "
- "Windows Vista on don't process this "
- "command under an IPC tree.\n");
return nullptr;
default:
break;
// These commands are only used for IPC
case SMB_COM_TRANSACTION:
case SMB_COM_TRANSACTION_SECONDARY:
- DebugMessage(DEBUG_DCE_SMB, "secondary transaction not IPC.\n");
return nullptr;
case SMB_COM_READ_RAW:
case SMB_COM_WRITE_RAW:
case DCE2_POLICY__WINVISTA:
case DCE2_POLICY__WIN2008:
case DCE2_POLICY__WIN7:
- DebugMessage(DEBUG_DCE_SMB,
- "Windows Vista on don't process "
- "this command.\n");
return nullptr;
default:
break;
if (DCE2_SsnFromClient(ssd->sd.wire_pkt))
{
- DebugMessage(DEBUG_DCE_SMB, "Raw data: Write Raw\n");
- DebugFormat(DEBUG_DCE_SMB, "Request Fid: 0x%04X\n", ftracker->fid_v1);
-
if (nb_len > ssd->cur_rtracker->writeraw_remaining)
{
dce_alert(GID_DCE2, DCE2_SMB_TDCNT_LT_DSIZE, (dce2CommonStats*)&dce2_smb_stats);
}
else
{
- DebugMessage(DEBUG_DCE_SMB, "Raw data: Read Raw\n");
- DebugFormat(DEBUG_DCE_SMB, "Response Fid: 0x%04X\n", ftracker->fid_v1);
-
remove_rtracker = true;
}
Dce2SmbFlowData::Dce2SmbFlowData() : FlowData(inspector_id)
{
dce2_smb_stats.concurrent_sessions++;
- if(dce2_smb_stats.max_concurrent_sessions < dce2_smb_stats.concurrent_sessions)
+ if (dce2_smb_stats.max_concurrent_sessions < dce2_smb_stats.concurrent_sessions)
dce2_smb_stats.max_concurrent_sessions = dce2_smb_stats.concurrent_sessions;
}
{
Profile profile(dce2_smb_pstat_new_session);
- DebugMessage(DEBUG_DCE_SMB, "DCE over SMB packet detected\n");
- DebugMessage(DEBUG_DCE_SMB, "Creating new session\n");
-
DCE2_SmbSsnData* dce2_smb_sess = set_new_dce2_smb_session(p);
if ( dce2_smb_sess )
{
DCE2_ResetRopts(&dce2_smb_sess->sd.ropts);
dce2_smb_stats.smb_sessions++;
- DebugFormat(DEBUG_DCE_SMB,"Created (%p)\n", (void*)dce2_smb_sess);
dce2_smb_sess->sd.trans = DCE2_TRANS_TYPE__SMB;
dce2_smb_sess->sd.server_policy = config->common.policy;
Packet* p = ssd->sd.wire_pkt;
bool is_seg_buf = DCE2_SmbIsSegBuffer(ssd, (const uint8_t*)nb_hdr);
- DebugMessage(DEBUG_DCE_SMB, "NetBIOS Session Service type: ");
-
switch (NbssType(nb_hdr))
{
case NBSS_SESSION_TYPE__MESSAGE:
/* Only want to look at session messages */
- DebugMessage(DEBUG_DCE_SMB, "Session Message\n");
-
if (!DCE2_SmbIsRawData(ssd))
{
uint32_t nb_len = NbssLen(nb_hdr);
if (nb_len < sizeof(SmbNtHdr))
{
- DebugFormat(DEBUG_DCE_SMB, "NetBIOS SS len(%zu) < SMB header len(%zu).\n",
- sizeof(SmbNtHdr), sizeof(NbssHdr) + nb_len);
-
if (is_seg_buf)
DCE2_SmbSegAlert(ssd, DCE2_SMB_NB_LT_SMBHDR);
else
return DCE2_RET__SUCCESS;
case NBSS_SESSION_TYPE__REQUEST:
- DebugMessage(DEBUG_DCE_SMB, "Session Request\n");
if (DCE2_SsnFromServer(p))
{
if (is_seg_buf)
break;
case NBSS_SESSION_TYPE__KEEP_ALIVE:
- DebugMessage(DEBUG_DCE_SMB, "Session Keep Alive\n");
break;
default:
- DebugFormat(DEBUG_DCE_SMB,
- "Invalid Session Service type: 0x%02X\n", NbssType(nb_hdr));
-
if (is_seg_buf)
DCE2_SmbSegAlert(ssd, DCE2_SMB_BAD_NBSS_TYPE);
else
return DCE2_RET__IGNORE;
}
-
// This is the main entry point for SMB1 processing.
static void DCE2_Smb1Process(DCE2_SmbSsnData* ssd)
{
- DebugMessage(DEBUG_DCE_SMB, "Processing SMB packet.\n");
dce2_smb_stats.smb_pkts++;
const Packet* p = ssd->sd.wire_pkt;
uint32_t* ignore_bytes = DCE2_SmbGetIgnorePtr(ssd);
if (*ignore_bytes)
{
- DebugFormat(DEBUG_DCE_SMB, "Ignoring %u bytes\n", *ignore_bytes);
-
if (data_len <= *ignore_bytes)
{
*ignore_bytes -= data_len;
// See if there is enough data to process the NetBIOS header
if (data_len < data_need)
{
- DebugFormat(DEBUG_DCE_SMB, "Data len(%hu) < NetBIOS SS header(%u). "
- "Queuing data.\n", data_len, data_need);
-
if (DCE2_SmbHandleSegmentation(seg_buf, data_ptr,
data_len, sizeof(NbssHdr)) != DCE2_RET__SUCCESS)
{
}
uint32_t nb_len = NbssLen(nb_hdr);
-
- DebugFormat(DEBUG_DCE_SMB, "NetBIOS PDU length: %u\n", nb_len);
-
DCE2_Ret status = DCE2_NbssHdrChecks(ssd, nb_hdr);
if (status != DCE2_RET__SUCCESS)
{
- DebugMessage(DEBUG_DCE_SMB, "Not a NetBIOS Session Message.\n");
-
if (status == DCE2_RET__IGNORE)
{
- DebugMessage(DEBUG_DCE_SMB, "Valid NetBIOS header "
- "type so ignoring NetBIOS length bytes.\n");
+ // Valid NetBIOS header type so ignoring NetBIOS length bytes
*ignore_bytes = data_need + nb_len;
}
else // nb_ret == DCE2_RET__ERROR, i.e. invalid NetBIOS type
{
- DebugMessage(DEBUG_DCE_SMB, "Not a valid NetBIOS "
- "header type so trying to find \\xffSMB to "
- "determine how many bytes to ignore.\n");
+ // Trying to find \\xffSMB to determine how many bytes to ignore
*ignore_bytes = DCE2_IgnoreJunkData(data_ptr, data_len, data_need + nb_len);
}
// Continue here because of fall through below
continue;
default:
- DebugFormat(DEBUG_DCE_SMB,"Invalid SMB PDU state: %d\n", ssd->pdu_state);
return;
}
}
// See if there is enough data to process the SMB header
if (data_len < data_need)
{
- DebugFormat(DEBUG_DCE_SMB, "Data len (%hu) < "
- "NetBIOS SS header + SMB header (%u). Queuing data.\n",
- data_len, data_need);
-
if (DCE2_SmbHandleSegmentation(seg_buf, data_ptr, data_len,
sizeof(NbssHdr) + sizeof(SmbNtHdr)) != DCE2_RET__SUCCESS)
{
rtracker = DCE2_SmbInspect(ssd, smb_hdr);
if (rtracker == nullptr)
{
- DebugMessage(DEBUG_DCE_SMB, "Not inspecting SMB packet.\n");
+ trace_log(dce_smb, "Not inspecting SMB packet.\n");
if (DCE2_BufferIsEmpty(*seg_buf))
{
// Check the SMB header for anomalies
if (DCE2_SmbHdrChecks(ssd, smb_hdr) != DCE2_RET__SUCCESS)
{
- DebugMessage(DEBUG_DCE_SMB, "Bad SMB header.\n");
-
if (DCE2_BufferIsEmpty(*seg_buf))
{
*ignore_bytes = sizeof(NbssHdr) + NbssLen((const NbssHdr*)data_ptr);
/* It's something we want to inspect so make sure we have the full NBSS packet */
if (data_len < data_need)
{
- DebugFormat(DEBUG_DCE_SMB, "Data len(%hu) < "
- "NetBIOS SS header + NetBIOS len(%zu). "
- "Queuing data.\n", data_len, sizeof(NbssHdr) + nb_len);
-
if (DCE2_SmbHandleSegmentation(seg_buf, data_ptr, data_len,
sizeof(NbssHdr) + nb_len) != DCE2_RET__SUCCESS)
{
nb_ptr = DCE2_BufferData(*seg_buf);
nb_len = DCE2_BufferLength(*seg_buf);
- DebugFormat(DEBUG_DCE_SMB,
- "Segmentation buffer: len: %u, size: %u\n",
- DCE2_BufferLength(*seg_buf), DCE2_BufferSize(*seg_buf));
-
if (DCE2_SsnFromClient(ssd->sd.wire_pkt))
dce2_smb_stats.smb_cli_seg_reassembled++;
else
dce2_smb_stats.smb_srv_seg_reassembled++;
-
- DebugMessage(DEBUG_DCE_SMB, "TCP reassembled SMB PDU\n");
- DCE2_PrintPktData(rpkt->data, rpkt->dsize);
}
switch (ssd->pdu_state)
ssd->pdu_state = DCE2_SMB_PDU_STATE__COMMAND;
break;
default:
- DebugFormat(DEBUG_DCE_SMB, "Invalid SMB PDU state: %d\n", ssd->pdu_state);
return;
}
}
default:
- DebugFormat(DEBUG_DCE_SMB, "Invalid SMB Data state: %d\n", *data_state);
return;
}
}
dce2_smb_sess = dce2_create_new_smb_session(p, config);
}
- DebugFormat(DEBUG_DCE_SMB, "Session pointer: %p\n", (void*)dce2_smb_sess);
-
return dce2_smb_sess;
}
{
if ((ssd->sd.flags & DCE2_SSN_FLAG__SMB2))
{
- DebugMessage(DEBUG_DCE_SMB, "SMB1 packet detected!\n");
ssd->sd.flags &= ~DCE2_SSN_FLAG__SMB2;
DCE2_SmbCleanFileTracker(&(ssd->ftracker));
ssd->ftracker.is_smb2 = false;
{
if (!(ssd->sd.flags & DCE2_SSN_FLAG__SMB2))
{
- DebugMessage(DEBUG_DCE_SMB, "SMB2 packet detected!\n");
DCE2_SmbCleanFileTracker(&(ssd->ftracker));
DCE2_Smb2InitFileTracker(&(ssd->ftracker), false, 0);
ssd->sd.flags |= DCE2_SSN_FLAG__SMB2;
#include "detection/detection_engine.h"
#include "log/messages.h"
-#include "main/snort_debug.h"
#include "profiler/profiler.h"
#include "protocols/packet.h"
#include "protocols/ssl.h"
imap_ssn->mime_ssn->set_mime_stats(&(imapstats.mime_stats));
if (p->packet_flags & SSNFLAG_MIDSTREAM)
- {
- DebugMessage(DEBUG_IMAP, "Got midstream packet - "
- "setting state to unknown\n");
imap_ssn->state = STATE_UNKNOWN;
- }
imap_ssn->body_read = imap_ssn->body_len = 0;
if (ssn->session_flags & IMAP_FLAG_NEXT_STATE_UNKNOWN)
{
- DebugMessage(DEBUG_IMAP, "Found gap in previous reassembly buffer - "
- "set state to unknown\n");
ssn->state = STATE_UNKNOWN;
ssn->session_flags &= ~IMAP_FLAG_NEXT_STATE_UNKNOWN;
}
if (missing_in_rebuilt == SSN_MISSING_BEFORE)
{
- DebugMessage(DEBUG_IMAP, "Found missing packets before "
- "in reassembly buffer - set state to unknown\n");
ssn->state = STATE_UNKNOWN;
}
}
{
if (imap_ssn->state == STATE_UNKNOWN)
{
- DebugMessage(DEBUG_IMAP, "Command not found, but state is "
- "unknown - checking for SSL\n");
-
/* check for encrypted */
if ((imap_ssn->session_flags & IMAP_FLAG_CHECK_SSL) &&
(IsSSL(ptr, end - ptr, p->packet_flags)))
{
- DebugMessage(DEBUG_IMAP, "Packet is SSL encrypted\n");
-
imap_ssn->state = STATE_TLS_DATA;
/* Ignore data */
}
else
{
- DebugMessage(DEBUG_IMAP, "Not SSL - try data state\n");
/* don't check for ssl again in this packet */
if (imap_ssn->session_flags & IMAP_FLAG_CHECK_SSL)
imap_ssn->session_flags &= ~IMAP_FLAG_CHECK_SSL;
else
{
DetectionEngine::queue_event(GID_IMAP, IMAP_UNKNOWN_CMD);
- DebugMessage(DEBUG_IMAP, "No known command found\n");
return eol;
}
}
{
if (imap_ssn->state == STATE_DATA)
{
- DebugMessage(DEBUG_IMAP, "DATA STATE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");
if ( imap_ssn->body_len > imap_ssn->body_read)
{
int len = imap_ssn->body_len - imap_ssn->body_read;
}
else
{
- DebugMessage(DEBUG_IMAP,
- "Server response not found - see if it's SSL data\n");
-
if ((imap_ssn->session_flags & IMAP_FLAG_CHECK_SSL) &&
(IsSSL(ptr, end - ptr, p->packet_flags)))
{
- DebugMessage(DEBUG_IMAP, "Server response is an SSL packet\n");
-
imap_ssn->state = STATE_TLS_DATA;
-
return;
}
else if (imap_ssn->session_flags & IMAP_FLAG_CHECK_SSL)
if ( (*ptr != '*') && (*ptr !='+') && (*ptr != '\r') && (*ptr != '\n') )
{
DetectionEngine::queue_event(GID_IMAP, IMAP_UNKNOWN_RESP);
- DebugMessage(DEBUG_IMAP, "Server response not found\n");
}
}
{
if (IsTlsClientHello(p->data, p->data + p->dsize))
{
- DebugMessage(DEBUG_IMAP,
- "TLS DATA STATE ~~~~~~~~~~~~~~~~~~~~~~~~~\n");
-
imap_ssn->state = STATE_TLS_SERVER_PEND;
return;
}
return;
}
IMAP_ProcessClientPacket(p, imap_ssn);
- DebugMessage(DEBUG_IMAP, "IMAP client packet\n");
}
else
{
if ( !InspectPacket(p))
{
/* Packet will be rebuilt, so wait for it */
- DebugMessage(DEBUG_IMAP, "Client packet will be reassembled\n");
return;
}
else if (!(p->packet_flags & PKT_REBUILT_STREAM))
* that were not rebuilt, state is going to be messed up
* so set state to unknown. It's likely this was the
* beginning of the conversation so reset state */
- DebugMessage(DEBUG_IMAP, "Got non-rebuilt packets before "
- "this rebuilt packet\n");
-
imap_ssn->state = STATE_UNKNOWN;
imap_ssn->session_flags &= ~IMAP_FLAG_GOT_NON_REBUILT;
}
#include "imap_paf.h"
-#include "main/snort_debug.h"
#include "protocols/packet.h"
#include "stream/stream.h"
if (literal_complete(pfdata)
&& check_imap_data_end(&(pfdata->data_end_state), ch))
{
- DebugMessage(DEBUG_IMAP, "IMAP PAF: End of Data!\n");
reset_data_states(pfdata);
return true;
}
// check for mime flush point
if (process_mime_paf_data(&(pfdata->mime_info), ch))
- {
- DebugMessage(DEBUG_IMAP, "IMAP PAF: Mime Boundary found."
- " Flushing data!\n");
return true;
- }
return false;
}
if (flush_len)
{
- DebugMessage(DEBUG_IMAP, "IMAP PAF: flushing data!\n");
-
// flush at the final termination sequence
*fp = flush_len;
return StreamSplitter::FLUSH;
if (pch != nullptr)
{
- DebugMessage(DEBUG_IMAP, "IMAP PAF: Flushing client"
- " data!\n");
*fp = (uint32_t)(pch - (const char*)data) + 1;
return StreamSplitter::FLUSH;
}
ImapPafData* pfdata = &state;
if (flags & PKT_FROM_SERVER)
- {
- DebugMessage(DEBUG_IMAP, "PAF: From server.\n");
return imap_paf_server(pfdata, data, len, fp);
- }
else
- {
- DebugMessage(DEBUG_IMAP, "PAF: From client.\n");
return imap_paf_client(data, len, fp);
- }
}
bool imap_is_data_end(Flow* ssn)
#include "detection/detection_engine.h"
#include "log/messages.h"
-#include "main/snort_debug.h"
#include "profiler/profiler.h"
#include "protocols/packet.h"
#include "protocols/ssl.h"
if (p->packet_flags & SSNFLAG_MIDSTREAM)
{
- DebugMessage(DEBUG_POP, "Got midstream packet - "
- "setting state to unknown\n");
pop_ssn->state = STATE_UNKNOWN;
}
if (ssn->session_flags & POP_FLAG_NEXT_STATE_UNKNOWN)
{
- DebugMessage(DEBUG_POP, "Found gap in previous reassembly buffer - "
- "set state to unknown\n");
ssn->state = STATE_UNKNOWN;
ssn->session_flags &= ~POP_FLAG_NEXT_STATE_UNKNOWN;
}
if (missing_in_rebuilt == SSN_MISSING_BEFORE)
{
- DebugMessage(DEBUG_POP, "Found missing packets before "
- "in reassembly buffer - set state to unknown\n");
ssn->state = STATE_UNKNOWN;
}
}
{
if (pop_ssn->state == STATE_UNKNOWN)
{
- DebugMessage(DEBUG_POP, "Command not found, but state is "
- "unknown - checking for SSL\n");
-
/* check for encrypted */
-
if ((pop_ssn->session_flags & POP_FLAG_CHECK_SSL) &&
(IsSSL(ptr, end - ptr, p->packet_flags)))
{
- DebugMessage(DEBUG_POP, "Packet is SSL encrypted\n");
-
pop_ssn->state = STATE_TLS_DATA;
/* Ignore data */
}
else
{
- DebugMessage(DEBUG_POP, "Not SSL - try data state\n");
/* don't check for ssl again in this packet */
if (pop_ssn->session_flags & POP_FLAG_CHECK_SSL)
pop_ssn->session_flags &= ~POP_FLAG_CHECK_SSL;
else
{
DetectionEngine::queue_event(GID_POP, POP_UNKNOWN_CMD);
- DebugMessage(DEBUG_POP, "No known command found\n");
return eol;
}
}
{
if (pop_ssn->state == STATE_DATA)
{
- DebugMessage(DEBUG_POP, "DATA STATE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");
//ptr = POP_HandleData(p, ptr, end);
FilePosition position = get_file_position(p);
int len = end - ptr;
}
else
{
- DebugMessage(DEBUG_POP,
- "Server response not found - see if it's SSL data\n");
-
if ((pop_ssn->session_flags & POP_FLAG_CHECK_SSL) &&
(IsSSL(ptr, end - ptr, p->packet_flags)))
{
- DebugMessage(DEBUG_POP, "Server response is an SSL packet\n");
-
pop_ssn->state = STATE_TLS_DATA;
-
return;
}
else if (pop_ssn->session_flags & POP_FLAG_CHECK_SSL)
else if (*ptr == '+')
{
DetectionEngine::queue_event(GID_POP, POP_UNKNOWN_RESP);
- DebugMessage(DEBUG_POP, "Server response not found\n");
}
}
{
if (IsTlsClientHello(p->data, p->data + p->dsize))
{
- DebugMessage(DEBUG_POP,
- "TLS DATA STATE ~~~~~~~~~~~~~~~~~~~~~~~~~\n");
-
pop_ssn->state = STATE_TLS_SERVER_PEND;
return;
}
return;
}
POP_ProcessClientPacket(p, pop_ssn);
- DebugMessage(DEBUG_POP, "POP client packet\n");
}
else
{
if ( !InspectPacket(p))
{
/* Packet will be rebuilt, so wait for it */
- DebugMessage(DEBUG_POP, "Client packet will be reassembled\n");
return;
}
else if (!(p->packet_flags & PKT_REBUILT_STREAM))
* that were not rebuilt, state is going to be messed up
* so set state to unknown. It's likely this was the
* beginning of the conversation so reset state */
- DebugMessage(DEBUG_POP, "Got non-rebuilt packets before "
- "this rebuilt packet\n");
-
pop_ssn->state = STATE_UNKNOWN;
pop_ssn->session_flags &= ~POP_FLAG_GOT_NON_REBUILT;
}
#include "pop_paf.h"
-#include "main/snort_debug.h"
#include "protocols/packet.h"
#include "stream/stream.h"
if (check_data_end(&(pfdata->end_state), ch))
{
- DebugMessage(DEBUG_POP, "End of Multi-line response found\n");
pfdata->end_of_data = true;
pfdata->pop_state = POP_PAF_SINGLE_LINE_STATE;
reset_data_states(pfdata);
{
if (process_mime_paf_data(&(pfdata->data_info), ch))
{
- DebugMessage(DEBUG_POP, "Mime Boundary found. Flushing data!\n");
pfdata->cmd_continued = true;
return true;
}
else
reset_data_states(pfdata);
- DebugMessage(DEBUG_POP, "End of single-line response "
- "found. Flushing data!\n");
return true;
}
PopPafData* pfdata = &state;
if (flags & PKT_FROM_SERVER)
- {
- DebugMessage(DEBUG_POP, "PAF: From server.\n");
return pop_paf_server(pfdata, data, len, fp);
- }
else
- {
- DebugMessage(DEBUG_POP, "PAF: From client.\n");
return pop_paf_client(ssn, pfdata, data, len, fp);
- }
}
bool pop_is_data_end(Flow* ssn)
int need;
RpcStatus status;
- DebugMessage(DEBUG_RPC,
- "STATEFUL: Start *******************************\n");
- DebugFormat(DEBUG_RPC,
- "STATEFUL: Ssn: %p\n", (void*) rsdata);
-
if (rsdata->ignore)
{
if (dsize < rsdata->ignore)
{
- DebugFormat(DEBUG_RPC,
- "STATEFUL: Ignoring %hu bytes\n", dsize);
-
rsdata->ignore -= dsize;
-
- DebugFormat(DEBUG_RPC,
- "STATEFUL: Bytes left to ignore: %u \n", rsdata->ignore);
-
return RPC_STATUS__SUCCESS;
}
- DebugFormat(DEBUG_RPC,
- "STATEFUL: Ignoring %u bytes\n", rsdata->ignore);
-
dsize -= (uint16_t)rsdata->ignore;
data += rsdata->ignore;
rsdata->ignore = 0;
{
if (dsize < RPC_FRAG_HDR_SIZE)
{
- DebugFormat(DEBUG_RPC,
- "STATEFUL: Not enough data for frag header: %hu\n",
- dsize);
-
RpcPreprocEvent(rconfig, rsdata, RPC_INCOMPLETE_SEGMENT);
if (RpcBufAdd(&rsdata->seg, data, dsize) != RPC_STATUS__SUCCESS)
}
rsdata->frag_len = RPC_FRAG_LEN(data);
-
- DebugFormat(DEBUG_RPC,
- "STATEFUL: Fragment length: %u\n", rsdata->frag_len);
-
if (dsize < (RPC_FRAG_HDR_SIZE + rsdata->frag_len))
{
- DebugFormat(DEBUG_RPC,
- "STATEFUL: Not enough data for fragment: %hu\n",
- dsize);
-
RpcPreprocEvent(rconfig, rsdata, RPC_INCOMPLETE_SEGMENT);
if (RpcBufAdd(&rsdata->seg, data, dsize) != RPC_STATUS__SUCCESS)
if (status == RPC_STATUS__DEFRAG)
{
- DebugMessage(DEBUG_RPC,
- "STATEFUL: Last frag - calling detect\n");
-
if ((dsize != 0) || (data != p->data))
{
/* Only do this if there is more than one fragment in
need = RPC_FRAG_HDR_SIZE - RpcBufLen(&rsdata->seg);
if (dsize < need)
{
- DebugFormat(DEBUG_RPC,
- "STATEFUL: Not enough data for frag header "
- "(%d): %hu\n", need, dsize);
-
RpcPreprocEvent(rconfig, rsdata, RPC_INCOMPLETE_SEGMENT);
if (RpcBufAdd(&rsdata->seg, data, dsize) != RPC_STATUS__SUCCESS)
dsize -= need;
rsdata->frag_len = RPC_FRAG_LEN(RpcBufData(&rsdata->seg));
-
- DebugFormat(DEBUG_RPC,
- "STATEFUL: Fragment length: %u\n", rsdata->frag_len);
}
need = rsdata->frag_len - (RpcBufLen(&rsdata->seg) - RPC_FRAG_HDR_SIZE);
if (dsize < need)
{
- DebugFormat(DEBUG_RPC,
- "STATEFUL: Not enough data for fragment (%d): %hu\n",
- need, dsize);
-
RpcPreprocEvent(rconfig, rsdata, RPC_INCOMPLETE_SEGMENT);
if (RpcBufAdd(&rsdata->seg, data, dsize) != RPC_STATUS__SUCCESS)
return RPC_STATUS__ERROR;
}
- DebugMessage(DEBUG_RPC,
- "STATEFUL: Last frag - calling detect\n");
-
if ( (dsize > 0) )
RpcPreprocEvent(rconfig, rsdata, RPC_MULTIPLE_RECORD);
if (RpcBufLen(&rsdata->frag) != 0)
{
- DebugFormat(DEBUG_RPC,
- "STATEFUL: Prepping Frag data: %u\n",
- RpcBufLen(&rsdata->frag));
-
if (RpcPrepFrag(rsdata, p) != RPC_STATUS__SUCCESS)
return RPC_STATUS__ERROR;
}
else if (RpcBufLen(&rsdata->seg) != 0)
{
- DebugFormat(DEBUG_RPC,
- "STATEFUL: Prepping Seg data: %u\n",
- RpcBufLen(&rsdata->seg));
-
if (RpcPrepSeg(rsdata, p) != RPC_STATUS__SUCCESS)
return RPC_STATUS__ERROR;
}
- DebugMessage(DEBUG_RPC,
- "STATEFUL: Success *****************************\n");
-
return RPC_STATUS__SUCCESS;
}
if (RpcBufLen(&rsdata->seg) > RPC_MAX_BUF_SIZE)
{
rsdata->ignore = (sizeof(uint32_t) + rsdata->frag_len) - RpcBufLen(&rsdata->seg);
- DebugFormat(DEBUG_RPC,
- "STATEFUL: Ignoring %u bytes\n", rsdata->ignore);
RpcBufClean(&rsdata->seg);
}
if ((RpcBufLen(&rsdata->frag) == 0) && last_frag)
return RPC_STATUS__DEFRAG;
- DebugFormat(DEBUG_RPC,
- "STATEFUL: Adding %u bytes to frag buffer\n", frag_len);
-
if (RpcBufAdd(&rsdata->frag,
fragment + sizeof(uint32_t), frag_len) != RPC_STATUS__SUCCESS)
{
if (rsdata == nullptr)
return;
- DebugFormat(DEBUG_RPC, "STATEFUL: Deactivating session: %p\n",
- (void*) rsdata);
-
RpcSsnClean(rsdata);
}
p->flow->set_flow_data(fd);
- DebugFormat(DEBUG_RPC, "STATEFUL: Created new session: " "%p\n", (void*) rsdata);
return rsdata;
}
if (psize < MIN_CALL_BODY_SZ)
{
- DebugFormat(DEBUG_RPC, "Not enough data to decode: %u\n",
- psize);
return 0;
}
/* on match, normalize the data */
- DebugFormat(DEBUG_RPC, "Got RPC traffic (%u bytes)!\n", psize);
/* cheesy alignment safe fraghdr = *(uint32_t *) data*/
*((uint8_t*)&fraghdr) = data[0];
if (fraghdr & MSB)
{
/* on match, normalize the data */
- DebugFormat(DEBUG_RPC, "Found Last Fragment: %u!\n", length);
-
if ((length + 4 != psize) && !(p->packet_flags & PKT_REBUILT_STREAM))
{
- DebugFormat(DEBUG_RPC, "It's not the only thing in this buffer!"
- " length: %u psize: %u!\n", length, psize);
return RPC_MULTIPLE_RECORD;
}
else if ( length == 0 )
{
- DebugFormat(DEBUG_RPC, "Zero-length RPC fragment detected."
- " length: %u psize: %u.\n", length, psize);
return RPC_ZERO_LENGTH_FRAGMENT;
}
return 0;
if (fraghdr & MSB)
{
- DebugMessage(DEBUG_RPC, "Last Fragment detected\n");
last_fragment = 1;
}
/* don't allow integer overflow to confuse us. Should be
* caught by length > psize but who knows when weird
* psize's might be allowed */
-
- DebugFormat(DEBUG_RPC, "Integer Overflow"
- " field(%u) exceeds packet size(%u)\n",
- length, psize);
return RPC_LARGE_FRAGSIZE;
}
if (length > psize)
{
- DebugFormat(DEBUG_RPC, "Length of"
- " field(%u) exceeds packet size(%u)\n",
- length, psize);
return RPC_INCOMPLETE_SEGMENT;
}
else if (decoded_len > psize)
/* The entire request is larger than our current packet
* size
*/
- DebugFormat(DEBUG_RPC, " Decoded Length (%u)"
- "exceeds packet size(%u)\n",
- decoded_len, psize);
return RPC_LARGE_FRAGSIZE;
}
else if ((data_index + length) > data_end)
{
- DebugMessage(DEBUG_RPC,
- "returning LARGE_FRAGSIZE since we'd read past our end\n");
return RPC_LARGE_FRAGSIZE;
}
else
{
fragcount++;
-
- DebugFormat(DEBUG_RPC,
- "length: %u size: %u decoded_len: %u\n",
- length, psize, decoded_len);
-
if (decode_buf_rem >= length)
{
memcpy_s(norm_index, decode_buf_rem, data_index, length);
*/
if (decoded_len + ((fragcount - 1) * 4) != psize)
{
- DebugFormat(DEBUG_RPC, "decoded len does not compute: %u\n",
- decoded_len);
return RPC_MULTIPLE_RECORD;
}
- DebugFormat(DEBUG_RPC, "New size: %u\n", decoded_len);
- DebugMessage(DEBUG_RPC, "converted data:\n");
-
buf.len = (uint16_t)decoded_len;
return 0;
}
if (ret == RPC_STATUS__ERROR)
RpcSsnSetInactive(rsdata, p);
}
-
- DebugMessage(DEBUG_RPC,"Stateless inspection\n");
-
RpcPreprocEvent(&config, rsdata, ConvertRPC(&config, rsdata, p));
}
static inline uint32_t SSLPP_process_alert(
SSL_PROTO_CONF*, uint32_t ssn_flags, uint32_t new_flags, Packet* packet)
{
- DebugMessage(DEBUG_SSL, "Process Alert\n");
-
ssn_flags |= new_flags;
/* Check if we've seen a handshake, that this isn't it,
!(new_flags & SSL_CHANGE_CIPHER_FLAG) &&
!(new_flags & SSL_HEARTBEAT_SEEN))
{
- DebugMessage(DEBUG_SSL, "Disabling detect\n");
DetectionEngine::disable_content(packet);
}
static inline uint32_t SSLPP_process_hs(uint32_t ssl_flags, uint32_t new_flags)
{
- DebugMessage(DEBUG_SSL, "Process Handshake\n");
-
if (!SSL_BAD_HS(new_flags))
{
ssl_flags |= new_flags & (SSL_CLIENT_HELLO_FLAG |
static inline uint32_t SSLPP_process_app(SSL_PROTO_CONF* config, uint32_t ssn_flags, uint32_t
new_flags, Packet* packet)
{
- DebugMessage(DEBUG_SSL, "Process Application\n");
-
if (SSLPP_is_encrypted(config, ssn_flags | new_flags, packet) )
{
ssn_flags |= SSL_ENCRYPTED_FLAG;
// Heartbleed check is disabled. Stop inspection on this session.
if (!config->max_heartbeat_len)
{
- DebugMessage(DEBUG_SSL, "STOPPING INSPECTION (process_app)\n");
Stream::stop_inspection(packet->flow, packet, SSN_DIR_BOTH, -1, 0);
sslstats.stopped++;
}
if (!config->max_heartbeat_len)
{
- DebugMessage(DEBUG_SSL, "STOPPING INSPECTION (process_other)\n");
Stream::stop_inspection(packet->flow, packet, SSN_DIR_BOTH, -1, 0);
}
else if (!(new_flags & SSL_HEARTBEAT_SEEN))
#include "stream_module.h"
+#include "main/snort_debug.h"
+
using namespace snort;
using namespace std;
//-------------------------------------------------------------------------
// stream module
//-------------------------------------------------------------------------
+Trace TRACE_NAME(stream);
#define CACHE_PARAMS(name, max, prune, idle, cleanup) \
static const Parameter name[] = \
};
StreamModule::StreamModule() :
- Module(MOD_NAME, MOD_HELP, s_params)
+ Module(MOD_NAME, MOD_HELP, s_params, false, &TRACE_NAME(stream))
{ }
const PegInfo* StreamModule::get_pegs() const
return true;
}
-bool StreamModule::set(const char* fqn, Value& v, SnortConfig*)
+bool StreamModule::set(const char* fqn, Value& v, SnortConfig* c)
{
FlowConfig* fc = nullptr;
fc = &config.file_cfg;
else
- return false;
+ return Module::set(fqn, v, c);
if ( v.is("max_sessions") )
fc->max_sessions = v.get_long();
//-------------------------------------------------------------------------
// stream module
//-------------------------------------------------------------------------
+extern Trace TRACE_NAME(stream);
#define MOD_NAME "stream"
#define MOD_HELP "common flow tracking"
#include "main/snort_debug.h"
#include "packet_io/active.h"
#include "protocols/vlan.h"
+#include "stream/base/stream_module.h"
#include "target_based/sftarget_hostentry.h"
#include "target_based/snort_protocols.h"
#include "utils/util.h"
{
assert(flow && flow->session);
+ trace_logf(stream, "stop inspection on flow, dir %s \n",
+ dir == SSN_DIR_BOTH ? "BOTH":
+ ((dir == SSN_DIR_FROM_CLIENT) ? "FROM_CLIENT" : "FROM_SERVER"));
+
switch (dir)
{
case SSN_DIR_BOTH:
projects / thirdparty / snort3.git / commitdiff
