From: Steve Chew (stechew) Date: Tue, 8 Oct 2019 18:09:06 +0000 (-0400) Subject: Merge pull request #1770 in SNORT/snort3 from ~BBANTWAL/snort3:snort2lua_port_binding... X-Git-Tag: 3.0.0-262~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3b479aa1c575b20d0015312ba79772885d0f880f;p=thirdparty%2Fsnort3.git Merge pull request #1770 in SNORT/snort3 from ~BBANTWAL/snort3:snort2lua_port_bindings to master Squashed commit of the following: commit be613587a79866a0f0c462759eb85bb94aea107a Author: Bhagya Tholpady Date: Fri Sep 27 02:00:27 2019 -0400 snort2lua: convert snort2 port bindings into snort3 service bindings for inspectors configured in wizard and add --bind-port option to enable port bindings conversion --- diff --git a/tools/snort2lua/helpers/converter.cc b/tools/snort2lua/helpers/converter.cc index dae28e8a8..d48ac301c 100644 --- a/tools/snort2lua/helpers/converter.cc +++ b/tools/snort2lua/helpers/converter.cc @@ -56,7 +56,8 @@ bool Converter::parse_includes = true; bool Converter::empty_args = false; bool Converter::convert_rules_mult_files = true; bool Converter::convert_conf_mult_files = true; -bool Converter::bind_wizard = false; +bool Converter::bind_wizard = true; +bool Converter::bind_port = false; bool Converter::convert_max_session = true; Converter::Converter() : @@ -413,6 +414,13 @@ void Converter::add_bindings() // vector::clear()'s ordering isn't deterministic but this is // keep in place for stable regressions std::stable_sort(binders.rbegin(), binders.rend()); + for (auto it = binders.begin(); it != binders.end();) + { + if ( (*it)->has_ports() ) + it = binders.erase(it); + else + ++it; + } while ( !binders.empty() ) binders.pop_back(); } diff --git a/tools/snort2lua/helpers/converter.h b/tools/snort2lua/helpers/converter.h index 6b1315c0d..adf2324a8 100644 --- a/tools/snort2lua/helpers/converter.h +++ b/tools/snort2lua/helpers/converter.h 
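Review bot: The erase loop added to Converter::add_bindings runs unconditionally and has no comment explaining why binders with ports are released ahead of the rest, even though the comment just above it says the teardown order is kept stable for regressions. If the intent is that port-based bindings are written before the service bindings, say so, e.g. `// release port binders first so they precede service binders in the output` (wording to be confirmed by the author). `vector::erase` inside the loop is also quadratic in the number of binders, which is harmless at this size but worth knowing. The function starts outside the hunk.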
@@ -73,6 +73,12 @@ public: inline static bool get_bind_wizard() { return bind_wizard; } + inline static void set_bind_port(bool val) + { bind_port = val; } + + inline static bool get_bind_port() + { return bind_port; } + static void unset_convert_max_session() { convert_max_session = false; } @@ -130,6 +136,7 @@ private: static bool convert_conf_mult_files; static bool empty_args; static bool bind_wizard; + static bool bind_port; static bool convert_max_session; bool ftp_data_is_added = false; diff --git a/tools/snort2lua/helpers/parse_cmd_line.cc b/tools/snort2lua/helpers/parse_cmd_line.cc index 282d0bfaf..1d3e3ae60 100644 --- a/tools/snort2lua/helpers/parse_cmd_line.cc +++ b/tools/snort2lua/helpers/parse_cmd_line.cc @@ -254,6 +254,12 @@ static void add_remark(const char* /*key*/, const char* val) static void bind_wizard(const char* /*key*/, const char* /*val*/) { Converter::set_bind_wizard(true); } +static void bind_port(const char* /*key*/, const char* /*val*/) +{ + Converter::set_bind_port(true); + Converter::set_bind_wizard(false); +} + static void print_all(const char* /*key*/, const char* /*val*/) { DataApi::set_default_print(); } @@ -382,6 +388,9 @@ static ConfigFunc basic_opts[] = { "bind-wizard", bind_wizard, "", "Add default wizard to bindings" }, + { "bind-port", bind_port, "", + "Convert port bindings" }, + { "conf-file", parse_config_file, "", "Same as '-c'. A Snort file which will be converted" }, diff --git a/tools/snort2lua/helpers/util_binder.cc b/tools/snort2lua/helpers/util_binder.cc index 796483520..fa6806bed 100644 --- a/tools/snort2lua/helpers/util_binder.cc +++ b/tools/snort2lua/helpers/util_binder.cc 
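Review bot: `bind_port()` in parse_cmd_line.cc clears bind_wizard as a side effect, so when both `--bind-port` and `--bind-wizard` are given the outcome depends on which handler runs last; the dispatch order is outside this hunk, so this is inferred. The help text added to basic_opts, `"Convert port bindings"`, mentions neither that nor the fact that without the option the port lists from the Snort 2 configuration appear to be dropped in favour of service bindings. I would spell it out, e.g. `"Convert port bindings instead of service bindings (turns off the default wizard binding)"`. Since this decides which traffic each inspector is bound to in the converted IDS configuration, it belongs in the option description.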
@@ -45,52 +45,55 @@ void Binder::add_to_configuration() table_api.open_top_level_table("binder"); table_api.open_table(true); - table_api.open_table("when", true); + if (use_type != "wizard") + { + table_api.open_table("when", true); - //FIXIT-M this needs to be split out into ips, network, and inspection - if ( has_ips_policy_id() ) - table_api.add_option("ips_policy_id", when_ips_policy_id); + //FIXIT-M this needs to be split out into ips, network, and inspection + if ( has_ips_policy_id() ) + table_api.add_option("ips_policy_id", when_ips_policy_id); - for ( const auto& s : vlans ) - table_api.add_list("vlans", s); + for ( const auto& s : vlans ) + table_api.add_list("vlans", s); - if ( has_service() ) - table_api.add_option("service", when_service); + if ( has_service() ) + table_api.add_option("service", when_service); - for ( const auto& n : src_nets ) - table_api.add_list("src_nets", n); + for ( const auto& n : src_nets ) + table_api.add_list("src_nets", n); - for ( const auto& n : dst_nets ) - table_api.add_list("dst_nets", n); + for ( const auto& n : dst_nets ) + table_api.add_list("dst_nets", n); - for ( const auto& n : nets ) - table_api.add_list("nets", n); + for ( const auto& n : nets ) + table_api.add_list("nets", n); - for ( const auto& p : src_ports ) - table_api.add_list("src_ports", p); + for ( const auto& p : src_ports ) + table_api.add_list("src_ports", p); - for ( const auto& p : dst_ports ) - table_api.add_list("dst_ports", p); + for ( const auto& p : dst_ports ) + table_api.add_list("dst_ports", p); - for ( const auto& p : ports ) - table_api.add_list("ports", p); + for ( const auto& p : ports ) + table_api.add_list("ports", p); - for ( const auto& p : when_src_zone ) - table_api.add_list("src_zone", p); + for ( const auto& p : when_src_zone ) + table_api.add_list("src_zone", p); - for ( const auto& p : when_dst_zone ) - table_api.add_list("dst_zone", p); + for ( const auto& p : when_dst_zone ) + table_api.add_list("dst_zone", p); - for ( 
const auto& p : zones ) - table_api.add_list("zones", p); + for ( const auto& p : zones ) + table_api.add_list("zones", p); - if ( has_proto() ) - table_api.add_option("proto", when_proto); + if ( has_proto() ) + table_api.add_option("proto", when_proto); - if ( has_role() ) - table_api.add_option("role", when_role); + if ( has_role() ) + table_api.add_option("role", when_role); - table_api.close_table(); // "when" + table_api.close_table(); // "when" + } table_api.open_table("use", true); diff --git a/tools/snort2lua/preprocessor_states/pps_dcerpc_server.cc b/tools/snort2lua/preprocessor_states/pps_dcerpc_server.cc index 1a6e0a7de..1856f60c9 100644 --- a/tools/snort2lua/preprocessor_states/pps_dcerpc_server.cc +++ b/tools/snort2lua/preprocessor_states/pps_dcerpc_server.cc @@ -44,17 +44,17 @@ enum DceDetectListState std::string transport[5] = { "smb", "tcp", "udp", "http_proxy", "http_server" }; -std::map > default_ports +std::map default_bindings { - { "smb", { 139, 445 } + { "smb", "netbios-ssn" }, - { "tcp", { 135 } + { "tcp", "dcerpc" }, - { "udp", { 135 } + { "udp", "dcerpc" }, - { "http_proxy", { 80 } + { "http_proxy", "dce_http_proxy" }, - { "http_server", { 593 } + { "http_server", "dce_http_server" } }; @@ -112,7 +112,7 @@ DcerpcServer::DcerpcServer(Converter& c) : ConversionState(c) { for (const auto& type: transport) { - detect_ports_set[type] = false; + default_binding[type] = true; } } @@ -222,12 +222,9 @@ bool DcerpcServer::parse_smb_file_inspection(std::istringstream& data_stream) return tmpval; } -void DcerpcServer::add_default_ports(const std::string& type, std::map bind) +void DcerpcServer::add_default_binding(const std::string& type, std::map bind) { - for (auto port : default_ports[type]) - { - bind[type]->add_when_port(std::to_string(port)); - } + bind[type]->set_when_service(default_bindings[type]); } // add single port / range 
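Review bot: The new `if (use_type != "wizard")` guard in Binder::add_to_configuration skips the whole `when` table, so a wizard binder that carries an ips_policy_id, vlans, nets or zones would now be written without them and match more broadly than configured. Whether any caller sets those on a wizard binder is not visible in this hunk; if none does, a comment above the guard such as `// wizard is the catch-all binding and takes no "when" conditions` would record the assumption. The function continues past the hunk.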
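Review bot: `default_bindings[type]` in DcerpcServer::add_default_binding uses operator[] on a mutable namespace-scope map, so a transport name missing from the table would insert an empty entry and set an empty service instead of failing. Declaring the table `const` (it is introduced in the first hunk of this file) and reading it with `default_bindings.at(type)` makes that case loud. The `bind` map is also taken by value here, a signature that predates this commit, which copies it on every call.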
@@ -280,7 +277,7 @@ bool DcerpcServer::parse_and_add_ports(const std::string& ports, const std::stri } } - detect_ports_set[type] = true; + default_binding[type] = false; return true; } @@ -344,7 +341,6 @@ bool DcerpcServer::parse_detect(std::istringstream& data_stream, { if (is_detect) { - detect_ports_set[transport_type] = true; bind[transport_type]->print_binding(false); } } @@ -442,16 +438,18 @@ bool DcerpcServer::parse_detect(std::istringstream& data_stream, add_deleted_comment_to_table(table_api, table_name[type], "autodetect"); continue; } - - // remove '[',']' - ports.erase(std::remove(ports.begin(), ports.end(), '['), ports.end()); - ports.erase(std::remove(ports.begin(), ports.end(), ']'), ports.end()); - // remove extra spaces - ports.erase(remove_if(ports.begin(), ports.end(), isspace), ports.end()); - - if (!parse_and_add_ports(ports, type, bind, bind_port_to_tcp)) + if (cv.get_bind_port()) { - return false; + // remove '[',']' + ports.erase(std::remove(ports.begin(), ports.end(), '['), ports.end()); + ports.erase(std::remove(ports.begin(), ports.end(), ']'), ports.end()); + // remove extra spaces + ports.erase(remove_if(ports.begin(), ports.end(), isspace), ports.end()); + + if (!parse_and_add_ports(ports, type, bind, bind_port_to_tcp)) + { + return false; + } } } break; 
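Review bot: With bind_port off, the `ports` value in DcerpcServer::parse_detect is now skipped without being validated or reported, so a `detect` port list from the Snort 2 configuration disappears from the output with no trace. The other converters touched by this commit route the ignored list through `parse_bracketed_unsupported_list`; here an `else` branch that records the drop would keep the behaviour consistent, along the lines of `add_deleted_comment_to_table(table_api, table_name[type], "detect ports");` (same helper as the autodetect case above; exact arguments to be checked). The enclosing function starts and ends outside the hunk.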
@@ -654,15 +652,20 @@ bool DcerpcServer::convert(std::istringstream& data_stream) // FIXIT-M add when there is a way to make this play with http_inspect bindings // port 80 should not be added by default. If explicitly configured and conflicting // with other bindings, punt to wizard - bind["http_proxy"]->print_binding(false); + if ( cv.get_bind_port() ) + bind["http_proxy"]->print_binding(false); + bool bind_port = cv.get_bind_port(); for (const auto& type : transport) { - bind[type]->set_when_proto("tcp"); + if ( bind_port ) + bind[type]->set_when_proto("tcp"); bind[type]->set_use_type("dce_" + type); } bind["udp"]->set_when_proto("udp"); - bind["tcp"]->set_when_service("dce_tcp"); + bind["tcp"]->set_when_proto("tcp"); + if ( bind_port ) + bind["tcp"]->set_when_service("dce_tcp"); if (!(data_stream >> keyword)) return false; @@ -783,9 +786,9 @@ bool DcerpcServer::convert(std::istringstream& data_stream) for (const auto& type : transport) { - if (!detect_ports_set[type]) + if (default_binding[type]) { - add_default_ports(type, bind); + add_default_binding(type, bind); } } diff --git a/tools/snort2lua/preprocessor_states/pps_dcerpc_server.h b/tools/snort2lua/preprocessor_states/pps_dcerpc_server.h index 7838360dd..8fddce5c1 100644 --- a/tools/snort2lua/preprocessor_states/pps_dcerpc_server.h +++ b/tools/snort2lua/preprocessor_states/pps_dcerpc_server.h @@ -44,7 +44,7 @@ private: bool parse_smb_file_inspection(std::istringstream& data_stream); bool parse_detect(std::istringstream& data_stream, std::map bind, bool is_detect); - void add_default_ports(const std::string& type, std::map bind); + void add_default_binding(const std::string& type, std::map bind); bool parse_and_add_ports(const std::string& ports, const std::string& type, std::map bind, bool bind_port_to_tcp); bool init_net_created_table(); 
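Review bot: The FIXIT comment above `bind["http_proxy"]->print_binding(false)` in DcerpcServer::convert still talks only about port 80, but the suppression is now limited to bind_port mode, so in the default mode the http_proxy binder stays printable with whatever service add_default_binding assigns later; the comment should say that. `cv.get_bind_port()` is also read directly one line before the local `bind_port` is introduced; declaring `const bool bind_port = cv.get_bind_port();` first and using it in both places avoids the duplicate call. The function continues outside the hunk.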
@@ -52,8 +52,7 @@ private: bool parse_nets(std::istringstream& data_stream, std::map bind); bool add_option_to_transports(const std::string& option, const std::string& value, bool co_only); - std::map detect_ports_set; - std::map autodetect_ports_set; + std::map default_binding; std::map table_name; static int binding_id; }; diff --git a/tools/snort2lua/preprocessor_states/pps_dnp3.cc b/tools/snort2lua/preprocessor_states/pps_dnp3.cc index 14b3a4a85..04b6775fb 100644 --- a/tools/snort2lua/preprocessor_states/pps_dnp3.cc +++ b/tools/snort2lua/preprocessor_states/pps_dnp3.cc @@ -47,16 +47,25 @@ Dnp3::~Dnp3() if (converted_args) return; - auto& tcp_bind = cv.make_binder(); - tcp_bind.set_when_proto("tcp"); - tcp_bind.add_when_port("20000"); - tcp_bind.set_use_type("dnp3"); + if (!cv.get_bind_port()) + { + auto& bind = cv.make_binder(); + bind.set_when_service("dnp3"); + bind.set_use_type("dnp3"); + } + else + { + auto& tcp_bind = cv.make_binder(); + tcp_bind.set_when_proto("tcp"); + tcp_bind.add_when_port("20000"); + tcp_bind.set_use_type("dnp3"); - auto& udp_bind = cv.make_binder(); - udp_bind.set_when_proto("udp"); - udp_bind.add_when_port("20000"); - udp_bind.set_use_type("dnp3"); + auto& udp_bind = cv.make_binder(); + udp_bind.set_when_proto("udp"); + udp_bind.add_when_port("20000"); + udp_bind.set_use_type("dnp3"); + } table_api.open_table("dnp3"); table_api.close_table(); } @@ -65,17 +74,10 @@ bool Dnp3::convert(std::istringstream& data_stream) { std::string keyword; bool retval = true; - bool ports_set = false; - auto& tcp_bind = cv.make_binder(); - auto& udp_bind = cv.make_binder(); + bool default_binding = true; converted_args = true; - tcp_bind.set_when_proto("tcp"); - tcp_bind.set_use_type("dnp3"); - udp_bind.set_when_proto("udp"); - udp_bind.set_use_type("dnp3"); - table_api.open_table("dnp3"); // parse the file configuration 
@@ -98,21 +100,32 @@ bool Dnp3::convert(std::istringstream& data_stream) } else if (keyword == "ports") { - table_api.add_diff_option_comment("ports", "bindings"); - - if ((data_stream >> keyword) && keyword == "{") + if (!cv.get_bind_port()) + default_binding = parse_bracketed_unsupported_list("ports", data_stream); + else { - while (data_stream >> keyword && keyword != "}") + table_api.add_diff_option_comment("ports", "bindings"); + + if ((data_stream >> keyword) && keyword == "{") { - ports_set = true; - tcp_bind.add_when_port(keyword); - udp_bind.add_when_port(keyword); + auto& tcp_bind = cv.make_binder(); + auto& udp_bind = cv.make_binder(); + tcp_bind.set_when_proto("tcp"); + tcp_bind.set_use_type("dnp3"); + udp_bind.set_when_proto("udp"); + udp_bind.set_use_type("dnp3"); + while (data_stream >> keyword && keyword != "}") + { + default_binding = false; + tcp_bind.add_when_port(keyword); + udp_bind.add_when_port(keyword); + } + } + else + { + data_api.failed_conversion(data_stream, "ports "); + retval = false; } - } - else - { - data_api.failed_conversion(data_stream, "ports "); - retval = false; } } else @@ -127,10 +140,11 @@ bool Dnp3::convert(std::istringstream& data_stream) } } - if (!ports_set) + if (default_binding) { - tcp_bind.add_when_port("20000"); - udp_bind.add_when_port("20000"); + auto& bind = cv.make_binder(); + bind.set_when_service("dnp3"); + bind.set_use_type("dnp3"); } return retval; diff --git a/tools/snort2lua/preprocessor_states/pps_dns.cc b/tools/snort2lua/preprocessor_states/pps_dns.cc index bb3653b95..0a4f7ead3 100644 --- a/tools/snort2lua/preprocessor_states/pps_dns.cc +++ b/tools/snort2lua/preprocessor_states/pps_dns.cc 
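Review bot: In Dnp3::convert the result of `parse_bracketed_unsupported_list("ports", data_stream)` is stored in `default_binding` rather than in `retval`, so if that helper returns false on a malformed list (its body is not in this diff) the conversion both reports success and emits no dnp3 binding at all. Keeping the two meanings apart fixes it: `if (!parse_bracketed_unsupported_list("ports", data_stream)) retval = false;` and leave `default_binding` true. The same assignment appears in the `ports`/`server_ports` branches of FtpServer, Telnet, HttpInspectServer, Imap, Pop, Sip, Smtp, Ssh and Ssl later in this commit. The function starts and ends outside the hunk.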
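Review bot: The `if (default_binding)` fallback at the end of Dnp3::convert also fires when `--bind-port` is set and the configuration contains an empty `ports { }` list, because the flag is cleared only inside the port loop; the tcp and udp binders created in the previous hunk are then left with a proto and no port, and if Binder writes such entries out they would match every TCP and UDP flow. Creating the two binders only once the first port token is read, or calling `print_binding(false)` on them when none was added, avoids that. Separately, when no `ports` option is present the fallback here is a service binding even in bind_port mode, whereas ~Dnp3 falls back to port 20000 in that mode; one of the two should change or the difference should be commented.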
@@ -42,10 +42,14 @@ bool Dns::convert(std::istringstream& data_stream) std::string keyword; bool retval = true; bool ports_set = false; - auto& bind = cv.make_binder(); - bind.set_when_proto("tcp"); - bind.set_use_type("dns"); + auto& tcp_bind = cv.make_binder(); + tcp_bind.set_when_proto("tcp"); + tcp_bind.set_use_type("dns"); + + auto& udp_bind = cv.make_binder(); + udp_bind.set_when_proto("udp"); + udp_bind.set_use_type("dns"); table_api.open_table("dns"); @@ -73,8 +77,10 @@ bool Dns::convert(std::istringstream& data_stream) while (data_stream >> keyword && keyword != "}") { ports_set = true; - bind.set_when_role("server"); - bind.add_when_port(keyword); + tcp_bind.set_when_role("server"); + tcp_bind.add_when_port(keyword); + udp_bind.set_when_role("server"); + udp_bind.add_when_port(keyword); } } else @@ -98,8 +104,10 @@ bool Dns::convert(std::istringstream& data_stream) if (!ports_set) { - bind.set_when_role("server"); - bind.add_when_port("53"); + tcp_bind.set_when_role("server"); + tcp_bind.add_when_port("53"); + udp_bind.set_when_role("server"); + udp_bind.add_when_port("53"); } return retval; diff --git a/tools/snort2lua/preprocessor_states/pps_ftp_telnet_protocol.cc b/tools/snort2lua/preprocessor_states/pps_ftp_telnet_protocol.cc index 7b195d8ff..995d23daf 100644 --- a/tools/snort2lua/preprocessor_states/pps_ftp_telnet_protocol.cc +++ b/tools/snort2lua/preprocessor_states/pps_ftp_telnet_protocol.cc @@ -321,7 +321,7 @@ bool FtpServer::convert(std::istringstream& data_stream) { std::string keyword; bool retval = true; - bool ports_set = false; + bool default_binding = true; // Set up ftp_data whenever we have ftp_server configured. if(!cv.added_ftp_data()) @@ -338,7 +338,6 @@ bool FtpServer::convert(std::istringstream& data_stream) auto& bind = cv.make_binder(); bind.set_use_type("ftp_server"); - bind.set_when_proto("tcp"); if (data_stream >> keyword) { 
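Review bot: Dns::convert is the one converter in this commit that still emits port bindings unconditionally: the new tcp and udp binders get `add_when_port` without a `cv.get_bind_port()` check, in the port loop and in the `!ports_set` fallback of the two following pps_dns.cc hunks. If that is deliberate, a comment at the binder setup such as `// dns stays port-bound in both modes` would stop the next reader from treating it as an oversight, and it documents that DNS on other ports is not covered by the converted binding. `set_when_role("server")` does not depend on the port and could be set once next to `set_use_type` instead of on every loop iteration.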
@@ -469,21 +468,27 @@ bool FtpServer::convert(std::istringstream& data_stream) } else if (keyword == "ports") { - table_api.add_diff_option_comment("ports", "bindings"); - table_api.add_comment("check bindings table for port information"); - - if ((data_stream >> keyword) && keyword == "{") + if (!cv.get_bind_port()) + default_binding = parse_bracketed_unsupported_list("ports", data_stream); + else { - while (data_stream >> keyword && keyword != "}") + table_api.add_diff_option_comment("ports", "bindings"); + table_api.add_comment("check bindings table for port information"); + + if ((data_stream >> keyword) && keyword == "{") + { + bind.set_when_proto("tcp"); + while (data_stream >> keyword && keyword != "}") + { + default_binding = false; + bind.add_when_port(keyword); + } + } + else { - bind.add_when_port(keyword); - ports_set = true; + tmpval = false; } } - else - { - tmpval = false; - } } else { @@ -556,8 +561,8 @@ bool FtpServer::convert(std::istringstream& data_stream) table_api.close_table(); } - if (!ports_set) - bind.add_when_port("21"); + if (default_binding) + bind.set_when_service("ftp"); return retval; } @@ -715,11 +720,10 @@ public: bool Telnet::convert(std::istringstream& data_stream) { std::string keyword; - bool ports_set = false; + bool default_binding = true; bool retval = true; auto& bind = cv.make_binder(); - bind.set_when_proto("tcp"); bind.set_use_type("telnet"); table_api.open_table("telnet"); 
@@ -744,23 +748,29 @@ bool Telnet::convert(std::istringstream& data_stream) } else if (keyword == "ports") { - table_api.add_diff_option_comment("ports", "bindings"); - table_api.add_comment("check bindings table for port information"); - - // adding ports to the binding. - if ((data_stream >> keyword) && keyword == "{") + if (!cv.get_bind_port()) + default_binding = parse_bracketed_unsupported_list("ports", data_stream); + else { - while (data_stream >> keyword && keyword != "}") + table_api.add_diff_option_comment("ports", "bindings"); + table_api.add_comment("check bindings table for port information"); + + // adding ports to the binding. + if ((data_stream >> keyword) && keyword == "{") + { + bind.set_when_proto("tcp"); + while (data_stream >> keyword && keyword != "}") + { + default_binding = false; + bind.add_when_port(keyword); + } + } + else { - ports_set = true; - bind.add_when_port(keyword); + data_api.failed_conversion(data_stream, "ports - invalid port list"); + retval = false; } } - else - { - data_api.failed_conversion(data_stream, "ports - invalid port list"); - retval = false; - } } else { @@ -774,9 +784,9 @@ bool Telnet::convert(std::istringstream& data_stream) } } - // adding the default port. - if (!ports_set) - bind.add_when_port("23"); + // adding the default service binding. + if (default_binding) + bind.set_when_service("telnet"); return retval; } diff --git a/tools/snort2lua/preprocessor_states/pps_http_inspect_server.cc b/tools/snort2lua/preprocessor_states/pps_http_inspect_server.cc index 71db71adb..108c95519 100644 --- a/tools/snort2lua/preprocessor_states/pps_http_inspect_server.cc +++ b/tools/snort2lua/preprocessor_states/pps_http_inspect_server.cc 
@@ -46,12 +46,11 @@ bool HttpInspectServer::convert(std::istringstream& data_stream) { std::string keyword; bool retval = true; - bool ports_set = false; + bool default_binding = true; bool simplify = false; bool slash_dir_set = false; auto& bind = cv.make_binder(); - bind.set_when_proto("tcp"); bind.set_use_type("http_inspect"); if (!(data_stream >> keyword) || keyword != "server") @@ -278,21 +277,27 @@ bool HttpInspectServer::convert(std::istringstream& data_stream) else if (keyword == "ports") { - table_api.add_diff_option_comment("ports", "bindings"); - - if ((data_stream >> keyword) && keyword == "{") + if (!cv.get_bind_port()) + default_binding = parse_bracketed_unsupported_list("ports", data_stream); + else { - while (data_stream >> keyword && keyword != "}") + table_api.add_diff_option_comment("ports", "bindings"); + + if ((data_stream >> keyword) && keyword == "{") { - ports_set = true; - bind.set_when_role("server"); - bind.add_when_port(keyword); + bind.set_when_proto("tcp"); + while (data_stream >> keyword && keyword != "}") + { + default_binding = false; + bind.set_when_role("server"); + bind.add_when_port(keyword); + } + } + else + { + data_api.failed_conversion(data_stream, "ports "); + retval = false; } - } - else - { - data_api.failed_conversion(data_stream, "ports "); - retval = false; } } else if (keyword == "small_chunk_length") @@ -346,10 +351,9 @@ bool HttpInspectServer::convert(std::istringstream& data_stream) } } - if (!ports_set) + if (default_binding) { - bind.set_when_role("server"); - bind.add_when_port("80"); + bind.set_when_service("http"); } return retval; } diff --git a/tools/snort2lua/preprocessor_states/pps_imap.cc b/tools/snort2lua/preprocessor_states/pps_imap.cc index 2de70ce1f..df48e1243 100644 --- a/tools/snort2lua/preprocessor_states/pps_imap.cc +++ b/tools/snort2lua/preprocessor_states/pps_imap.cc 
@@ -41,10 +41,9 @@ bool Imap::convert(std::istringstream& data_stream) { std::string keyword; bool retval = true; - bool ports_set = false; + bool default_binding = true; auto& bind = cv.make_binder(); - bind.set_when_proto("tcp"); bind.set_use_type("imap"); table_api.open_table("imap"); @@ -94,20 +93,26 @@ bool Imap::convert(std::istringstream& data_stream) else if (keyword == "ports") { - table_api.add_diff_option_comment("ports", "bindings"); - - if ((data_stream >> keyword) && keyword == "{") + if (!cv.get_bind_port()) + default_binding = parse_bracketed_unsupported_list("ports", data_stream); + else { - while (data_stream >> keyword && keyword != "}") + table_api.add_diff_option_comment("ports", "bindings"); + + if ((data_stream >> keyword) && keyword == "{") { - ports_set = true; - bind.add_when_port(keyword); + bind.set_when_proto("tcp"); + while (data_stream >> keyword && keyword != "}") + { + default_binding = false;; + bind.add_when_port(keyword); + } + } + else + { + data_api.failed_conversion(data_stream, "ports "); + retval = false; } - } - else - { - data_api.failed_conversion(data_stream, "ports "); - retval = false; } } @@ -123,8 +128,10 @@ bool Imap::convert(std::istringstream& data_stream) } } - if (!ports_set) - bind.add_when_port("143"); + if (default_binding) + { + bind.set_when_service("imap"); + } return retval; } diff --git a/tools/snort2lua/preprocessor_states/pps_pop.cc b/tools/snort2lua/preprocessor_states/pps_pop.cc index 618edab4b..5544741be 100644 --- a/tools/snort2lua/preprocessor_states/pps_pop.cc +++ b/tools/snort2lua/preprocessor_states/pps_pop.cc @@ -41,10 +41,9 @@ bool Pop::convert(std::istringstream& data_stream) { std::string keyword; bool retval = true; - bool ports_set = false; + bool default_binding = true; auto& bind = cv.make_binder(); - bind.set_when_proto("tcp"); bind.set_use_type("pop"); table_api.open_table("pop"); 
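Review bot: `default_binding = false;;` in the port loop of Imap::convert has a stray second semicolon; it compiles as an empty statement, but some lint configurations flag it and it should read `default_binding = false;`. The braces around the single `bind.set_when_service("imap");` at the end of the function also differ from the unbraced form used for the same fallback in Pop, Ssh and Ssl, so one style should be picked.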
@@ -94,20 +93,26 @@ bool Pop::convert(std::istringstream& data_stream) else if (keyword == "ports") { - table_api.add_diff_option_comment("ports", "bindings"); - - if ((data_stream >> keyword) && keyword == "{") + if (!cv.get_bind_port()) + default_binding = parse_bracketed_unsupported_list("ports", data_stream); + else { - while (data_stream >> keyword && keyword != "}") + table_api.add_diff_option_comment("ports", "bindings"); + + if ((data_stream >> keyword) && keyword == "{") { - ports_set = true; - bind.add_when_port(keyword); + bind.set_when_proto("tcp"); + while (data_stream >> keyword && keyword != "}") + { + default_binding = false; + bind.add_when_port(keyword); + } + } + else + { + data_api.failed_conversion(data_stream, "ports "); + retval = false; } - } - else - { - data_api.failed_conversion(data_stream, "ports "); - retval = false; } } @@ -123,8 +128,8 @@ bool Pop::convert(std::istringstream& data_stream) } } - if (!ports_set) - bind.add_when_port("110"); + if (default_binding) + bind.set_when_service("pop3"); return retval; } diff --git a/tools/snort2lua/preprocessor_states/pps_sip.cc b/tools/snort2lua/preprocessor_states/pps_sip.cc index c92b60efe..9a26f7c39 100644 --- a/tools/snort2lua/preprocessor_states/pps_sip.cc +++ b/tools/snort2lua/preprocessor_states/pps_sip.cc @@ -41,7 +41,7 @@ bool Sip::convert(std::istringstream& data_stream) { std::string keyword; bool retval = true; - bool ports_set = false; + bool default_binding = true; auto& bind = cv.make_binder(); bind.set_use_type("sip"); 
@@ -120,20 +120,25 @@ bool Sip::convert(std::istringstream& data_stream) else if (keyword == "ports") { - table_api.add_diff_option_comment("ports", "bindings"); - - if ((arg_stream >> keyword) && keyword == "{") + if (!cv.get_bind_port()) + default_binding = parse_bracketed_unsupported_list("ports", arg_stream); + else { - while (arg_stream >> keyword && keyword != "}") + table_api.add_diff_option_comment("ports", "bindings"); + + if ((arg_stream >> keyword) && keyword == "{") { - ports_set = true; - bind.add_when_port(keyword); + while (arg_stream >> keyword && keyword != "}") + { + default_binding = false; + bind.add_when_port(keyword); + } + } + else + { + data_api.failed_conversion(arg_stream, "ports "); + retval = false; } - } - else - { - data_api.failed_conversion(arg_stream, "ports "); - retval = false; } } @@ -149,12 +154,8 @@ bool Sip::convert(std::istringstream& data_stream) } } - if (!ports_set) - { - bind.add_when_port("5060"); - bind.add_when_port("5061"); - bind.add_when_port("5600"); - } + if (default_binding) + bind.set_when_service("sip"); return retval; } diff --git a/tools/snort2lua/preprocessor_states/pps_smtp.cc b/tools/snort2lua/preprocessor_states/pps_smtp.cc index 4b7a28b91..42d4ecf62 100644 --- a/tools/snort2lua/preprocessor_states/pps_smtp.cc +++ b/tools/snort2lua/preprocessor_states/pps_smtp.cc @@ -111,10 +111,9 @@ bool Smtp::convert(std::istringstream& data_stream) { std::string keyword; bool retval = true; - bool ports_set = false; + bool default_binding = true; auto& bind = cv.make_binder(); - bind.set_when_proto("tcp"); bind.set_use_type("smtp"); table_api.open_table("smtp"); 
@@ -301,20 +300,27 @@ bool Smtp::convert(std::istringstream& data_stream) } else if (keyword == "ports") { - table_api.add_diff_option_comment("ports", "bindings"); - - if ((data_stream >> keyword) && keyword == "{") + if (!cv.get_bind_port()) + default_binding = parse_bracketed_unsupported_list("ports", data_stream); + else { - while (data_stream >> keyword && keyword != "}") + + table_api.add_diff_option_comment("ports", "bindings"); + + if ((data_stream >> keyword) && keyword == "{") { - ports_set = true; - bind.add_when_port(keyword); + bind.set_when_proto("tcp"); + while (data_stream >> keyword && keyword != "}") + { + default_binding = false; + bind.add_when_port(keyword); + } + } + else + { + data_api.failed_conversion(data_stream, "ports "); + retval = false; } - } - else - { - data_api.failed_conversion(data_stream, "ports "); - retval = false; } } else @@ -351,11 +357,8 @@ bool Smtp::convert(std::istringstream& data_stream) table_api.close_table(); } - if (!ports_set) - bind.add_when_port("25"); - bind.add_when_port("465"); - bind.add_when_port("587"); - bind.add_when_port("691"); + if (default_binding) + bind.set_when_service("smtp"); return retval; } diff --git a/tools/snort2lua/preprocessor_states/pps_ssh.cc b/tools/snort2lua/preprocessor_states/pps_ssh.cc index 01314aafa..5d59e013b 100644 --- a/tools/snort2lua/preprocessor_states/pps_ssh.cc +++ b/tools/snort2lua/preprocessor_states/pps_ssh.cc @@ -41,10 +41,9 @@ bool Ssh::convert(std::istringstream& data_stream) { std::string keyword; bool retval = true; - bool ports_set = false; + bool default_binding = true; auto& bind = cv.make_binder(); - bind.set_when_proto("tcp"); bind.set_use_type("ssh"); table_api.open_table("ssh"); 
@@ -96,20 +95,26 @@ bool Ssh::convert(std::istringstream& data_stream) else if (keyword == "server_ports") { - table_api.add_diff_option_comment("server_ports", "bindings"); - - if ((data_stream >> keyword) && keyword == "{") + if (!cv.get_bind_port()) + default_binding = parse_bracketed_unsupported_list("server_ports", data_stream); + else { - while (data_stream >> keyword && keyword != "}") + table_api.add_diff_option_comment("server_ports", "bindings"); + + if ((data_stream >> keyword) && keyword == "{") { - ports_set = true; - bind.add_when_port(keyword); + bind.set_when_proto("tcp"); + while (data_stream >> keyword && keyword != "}") + { + default_binding = false; + bind.add_when_port(keyword); + } + } + else + { + data_api.failed_conversion(data_stream, "server_ports "); + retval = false; } - } - else - { - data_api.failed_conversion(data_stream, "server_ports "); - retval = false; } } @@ -125,8 +130,8 @@ bool Ssh::convert(std::istringstream& data_stream) } } - if (!ports_set) - bind.add_when_port("22"); + if (default_binding) + bind.set_when_service("ssh"); return retval; } diff --git a/tools/snort2lua/preprocessor_states/pps_ssl.cc b/tools/snort2lua/preprocessor_states/pps_ssl.cc index e9a64d621..e5b26aca4 100644 --- a/tools/snort2lua/preprocessor_states/pps_ssl.cc +++ b/tools/snort2lua/preprocessor_states/pps_ssl.cc @@ -40,10 +40,9 @@ bool Ssl::convert(std::istringstream& data_stream) { std::string keyword; bool retval = true; - bool ports_set = false; + bool default_binding = true; auto& bind = cv.make_binder(); - bind.set_when_proto("tcp"); bind.set_use_type("ssl"); table_api.open_table("ssl"); 
@@ -70,22 +69,28 @@ bool Ssl::convert(std::istringstream& data_stream) } else if (keyword == "ports") { - table_api.add_diff_option_comment("ports", "bindings"); - - if (arg_stream >> keyword) + if (!cv.get_bind_port()) + default_binding = parse_bracketed_unsupported_list("ports", arg_stream); + else { - if (keyword == "{") + table_api.add_diff_option_comment("ports", "bindings"); + + if (arg_stream >> keyword) { - while (arg_stream >> keyword && keyword != "}") + if (keyword == "{") { - ports_set = true; - bind.add_when_port(keyword); + bind.set_when_proto("tcp"); + while (arg_stream >> keyword && keyword != "}") + { + default_binding = false; + bind.add_when_port(keyword); + } + } + else + { + data_api.failed_conversion(arg_stream, "ports "); + retval = false; } - } - else - { - data_api.failed_conversion(arg_stream, "ports "); - retval = false; } } } @@ -101,41 +106,8 @@ bool Ssl::convert(std::istringstream& data_stream) } } - if (!ports_set) - { - bind.add_when_port("443"); - bind.add_when_port("465"); - bind.add_when_port("563"); - bind.add_when_port("639"); - bind.add_when_port("989"); - bind.add_when_port("992"); - bind.add_when_port("993"); - bind.add_when_port("994"); - bind.add_when_port("995"); - bind.add_when_port("7801"); - bind.add_when_port("7802"); - bind.add_when_port("7900"); - bind.add_when_port("7901"); - bind.add_when_port("7902"); - bind.add_when_port("7903"); - bind.add_when_port("7904"); - bind.add_when_port("7905"); - bind.add_when_port("7906"); - bind.add_when_port("7907"); - bind.add_when_port("7908"); - bind.add_when_port("7909"); - bind.add_when_port("7910"); - bind.add_when_port("7911"); - bind.add_when_port("7912"); - bind.add_when_port("7913"); - bind.add_when_port("7914"); - bind.add_when_port("7915"); - bind.add_when_port("7916"); - bind.add_when_port("7917"); - bind.add_when_port("7918"); - bind.add_when_port("7919"); - bind.add_when_port("7920"); - } + if (default_binding) + bind.set_when_service("ssl"); return retval; } 
diff --git a/tools/snort2lua/preprocessor_states/pps_stream5_tcp.cc b/tools/snort2lua/preprocessor_states/pps_stream5_tcp.cc index b2bc20f8b..4e534107f 100644 --- a/tools/snort2lua/preprocessor_states/pps_stream5_tcp.cc +++ b/tools/snort2lua/preprocessor_states/pps_stream5_tcp.cc @@ -170,6 +170,13 @@ bool StreamTcp::parse_ports(std::istringstream& arg_stream) } } + if (!cv.get_bind_port()) + { + bind_any->print_binding(false); + bind_client->print_binding(false); + bind_server->print_binding(false); + } + return true; } @@ -249,6 +256,12 @@ bool StreamTcp::parse_protocol(std::istringstream& arg_stream) while (arg_stream >> protocol); } } + if (!cv.get_bind_port()) + { + bind_any->print_binding(false); + bind_client->print_binding(false); + bind_server->print_binding(false); + } return true; } @@ -480,14 +493,19 @@ bool StreamTcp::convert(std::istringstream& data_stream) if (!ports_set) { - const std::vector default_ports = { "21", "23", "25", "42", - "53", "80", "110", "111", "135", "136", - "137", "139", "143", "445", - "513", "514", "1433", "1521", "2401", - "3306" }; - - for (const std::string& s : default_ports) - bind_default->add_when_port(s); + if ( cv.get_bind_port() ) + { + const std::vector default_ports = { "21", "23", "25", "42", + "53", "80", "110", "111", "135", "136", + "137", "139", "143", "445", + "513", "514", "1433", "1521", "2401", + "3306" }; + + for (const std::string& s : default_ports) + bind_default->add_when_port(s); + } + else + bind_default->print_binding(false); } // Add the port bindings separately from the protocol bindings since @@ -502,7 +520,7 @@ bool StreamTcp::convert(std::istringstream& data_stream) cv.make_binder(any); any.clear_ports(); - if (!protos_set) + if (!protos_set and cv.get_bind_port()) { const std::vector default_protos = { "ftp", "telnet", "smtp", "nameserver", "dns", "http",