From: Russ Combs (rucombs) Date: Tue, 4 Feb 2020 01:28:00 +0000 (+0000) Subject: Merge pull request #1967 in SNORT/snort3 from ~RUCOMBS/snort3:crc_miscellany to master X-Git-Tag: 3.0.0-268~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4c0de120a2a5fd34632ffa0d3b8b49444c7529a6;p=thirdparty%2Fsnort3.git Merge pull request #1967 in SNORT/snort3 from ~RUCOMBS/snort3:crc_miscellany to master Squashed commit of the following: commit bc841270df5017e7d2e4c14290269d97eae7896e Author: russ Date: Fri Jan 31 12:06:57 2020 -0500 stream_tcp: ensure that flows with mss and timestamps are picked up on syn commit a40f9e06dcd6209b050b89578234bb19346a3af7 Author: russ Date: Thu Jan 30 07:46:03 2020 -0500 tweaks: set reasonable stream_ip.min_fragment_length values commit 1ca008ec891eb29786878cb5e73b21dd7bb37423 Author: russ Date: Thu Jan 30 07:43:27 2020 -0500 tweaks: update per new normalizer defaults commit d552fcc6c8769cc9d6117ddbe13a5c1208d60ee1 Author: russ Date: Wed Jan 29 21:30:13 2020 -0500 tweaks: update policy configs to better align with Snort 2 commit c308df033a25fbb7b2d8ac319cc8dc13c64809e9 Author: russ Date: Wed Jan 29 21:28:46 2020 -0500 smtp: update defaults to better align with Snort 2 commit cf37521cc7f04db3f65378eb55815ac8f5c393c2 Author: russ Date: Mon Jan 27 09:07:17 2020 -0500 build: clean up non-hyperscan builds commit c210f495c665920cfd8af2cfda1ab0e721f15a19 Author: russ Date: Mon Jan 27 09:06:20 2020 -0500 dce_tcp: fixup flow data handling --- diff --git a/lua/balanced.lua b/lua/balanced.lua index 74fbc89ab..97ce4aadd 100644 --- a/lua/balanced.lua +++ b/lua/balanced.lua 
@@ -3,19 +3,12 @@ -- use with -c snort.lua --tweaks balanced --------------------------------------------------------------------------- +arp_spoof = nil + http_inspect.request_depth = 300 http_inspect.response_depth = 500 -normalizer.tcp = -{ - ips = false, - rsv = false, - pad = false, - req_urg = false, - req_pay = false, - req_urp = false, - block = false, -} - port_scan = nil +stream_ip.min_frag_length = 16 + diff --git a/lua/connectivity.lua b/lua/connectivity.lua index f9447bded..290f5bada 100644 --- a/lua/connectivity.lua +++ b/lua/connectivity.lua @@ -3,22 +3,15 @@ -- use with -c snort.lua --tweaks connectivity --------------------------------------------------------------------------- +arp_spoof = nil + http_inspect.request_depth = 300 http_inspect.response_depth = 500 http_inspect.unzip = false http_inspect.utf8 = false -normalizer.tcp = -{ - ips = false, - rsv = false, - pad = false, - req_urg = false, - req_pay = false, - req_urp = false, - block = false, -} - port_scan = nil +stream_ip.min_frag_length = 16 + diff --git a/lua/inline.lua b/lua/inline.lua index 90b3fe6a4..132bc8a88 100644 --- a/lua/inline.lua +++ b/lua/inline.lua @@ -18,5 +18,3 @@ daq = }, } -normalizer = { tcp = { ips = true } } - diff --git a/lua/max_detect.lua b/lua/max_detect.lua index bd18f15ec..02cc4cdaa 100644 --- a/lua/max_detect.lua +++ b/lua/max_detect.lua @@ -4,8 +4,16 @@ -- use with -c snort.lua --tweaks max_detect --------------------------------------------------------------------------- +arp_spoof = nil + ftp_server.check_encrypted = true +detection = +{ + pcre_match_limit = 3500, + pcre_match_limit_recursion = 3500 +} + http_inspect.detained_inspection = true http_inspect.decompress_pdf = true http_inspect.decompress_swf = true @@ -30,6 +38,8 @@ smtp.decompress_pdf = true smtp.decompress_swf = true smtp.decompress_zip = true +stream_ip.min_frag_length = 100 + stream_tcp.require_3whs = 0 stream_tcp.small_segments = 
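Review bot: `arp_spoof = nil` at the top of the max_detect.lua hunk switches the ARP spoof inspector off, which reads as the opposite of what a maximum-detection tweak should do; the same line appears in the security.lua, balanced.lua and connectivity.lua hunks. If this is deliberate Snort 2 parity, as the commit message suggests, a comment such as `-- arp_spoof off: not enabled by default in Snort 2` next to it would keep a later maintainer from re-enabling it or wondering whether it was copied from the lighter policies. Separately, the commit message names the new option `stream_ip.min_fragment_length` while every hunk sets `stream_ip.min_frag_length`; worth confirming which spelling the stream_ip module actually accepts before this lands in the shipped tweaks.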
diff --git a/lua/security.lua b/lua/security.lua index 994542853..163b71ab5 100644 --- a/lua/security.lua +++ b/lua/security.lua @@ -3,8 +3,16 @@ -- use with -c snort.lua --tweaks security --------------------------------------------------------------------------- +arp_spoof = nil + ftp_server.check_encrypted = true +detection = +{ + pcre_match_limit = 3500, + pcre_match_limit_recursion = 3500 +} + http_inspect.decompress_pdf = true http_inspect.decompress_swf = true http_inspect.decompress_zip = true @@ -23,6 +31,8 @@ smtp.decompress_pdf = true smtp.decompress_swf = true smtp.decompress_zip = true +stream_ip.min_frag_length = 100 + stream_tcp.require_3whs = 180 stream_tcp.small_segments = diff --git a/lua/snort_defaults.lua b/lua/snort_defaults.lua index bb2e3d874..b641a72c3 100644 --- a/lua/snort_defaults.lua +++ b/lua/snort_defaults.lua @@ -201,8 +201,7 @@ ftp_command_specs = { command = 'PORT', length = 400, format = '< host_port >' }, { command = 'PROT', format = '< char CSEP >' }, { command = 'STRU', format = '< char FRPO [ string ] >' }, - { command = 'TYPE', - format = '< { char AE [ char NTC ] | char I | char L [ number ] } >' } + { command = 'TYPE', format = '< { char AE [ char NTC ] | char I | char L [ number ] } >' } } default_ftp_server = 
@@ -240,20 +239,68 @@ smtp_default_data_cmds = smtp_default_normalize_cmds = [[ - RCPT VRFY EXPN + ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN + HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML STARTTLS + TICK TIME TURN TURNME VERB VRFY X-ADAT XADR XAUTH XCIR X-DRCP X-ERCP XEXCH50 + X-EXCH50 X-EXPS XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR ]] -smtp_default_valid_cmds = -[[ - ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO - HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE SOML - STARTTLS TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE XADR XAUTH - XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR -]] +smtp_default_valid_cmds = smtp_default_normalize_cmds + +smtp_default_alt_max_command_lines = +{ + { command = 'ATRN', length = 255, }, + { command = 'AUTH', length = 246, }, + { command = 'BDAT', length = 255, }, + { command = 'DATA', length = 246, }, + { command = 'DEBUG', length = 255, }, + { command = 'EHLO', length = 500, }, + { command = 'EMAL', length = 255, }, + { command = 'ESAM', length = 255, }, + { command = 'ESND', length = 255, }, + { command = 'ESOM', length = 255, }, + { command = 'ETRN', length = 500, }, + { command = 'EVFY', length = 255, }, + { command = 'EXPN', length = 255, }, + { command = 'HELO', length = 500, }, + { command = 'HELP', length = 500, }, + { command = 'IDENT', length = 255, }, + { command = 'MAIL', length = 260, }, + { command = 'NOOP', length = 255, }, + { command = 'ONEX', length = 246, }, + { command = 'QUEU', length = 246, }, + { command = 'QUIT', length = 246, }, + { command = 'RCPT', length = 300, }, + { command = 'RSET', length = 255, }, + { command = 'SAML', length = 246, }, + { command = 'SEND', length = 246, }, + { command = 'SIZE', length = 255, }, + { command = 'SOML', length = 246, }, + { command = 'STARTTLS', length = 246, }, + { command = 'TICK', length = 246, }, + { command = 'TIME', length = 246, }, + { command = 'TURN', length 
= 246, }, + { command = 'TURNME', length = 246, }, + { command = 'VERB', length = 246, }, + { command = 'VRFY', length = 255, }, + { command = 'XADR', length = 246, }, + { command = 'XAUTH', length = 246, }, + { command = 'XCIR', length = 246, }, + { command = 'XEXCH50', length = 246, }, + { command = 'X-EXPS', length = 246, }, + { command = 'XGEN', length = 246, }, + { command = 'XLICENSE', length = 246, }, + { command = 'X-LINK2STATE', length = 246, }, + { command = 'XQUE', length = 246, }, + { command = 'XSTA', length = 246, }, + { command = 'XTRN', length = 246, }, + { command = 'XUSR', length = 246, } +} default_smtp = { -- params not specified here get internal defaults + alt_max_command_line_len = default_smtp_alt_max_command_lines, auth_cmds = smtp_default_auth_cmds, binary_data_cmds = smtp_default_binary_data_cmds, data_cmds = smtp_default_data_cmds, diff --git a/src/codecs/ip/cd_tcp.cc b/src/codecs/ip/cd_tcp.cc index 1b0be6140..335484169 100644 --- a/src/codecs/ip/cd_tcp.cc +++ b/src/codecs/ip/cd_tcp.cc @@ -359,6 +359,8 @@ void TcpCodec::decode_options( case tcp::TcpOptCode::MAXSEG: code = validate_option(opt, end_ptr, TCPOLEN_MAXSEG); + if (code == 0) + snort.decode_flags |= DECODE_TCP_MSS; break; case tcp::TcpOptCode::SACKOK: @@ -374,7 +376,7 @@ void TcpCodec::decode_options( /* LOG INVALID WINDOWSCALE alert */ codec_event(codec, DECODE_TCPOPT_WSCALE_INVALID); } - snort.decode_flags |= DECODE_WSCALE; + snort.decode_flags |= DECODE_TCP_WS; } break; @@ -420,6 +422,8 @@ void TcpCodec::decode_options( case tcp::TcpOptCode::TIMESTAMP: code = validate_option(opt, end_ptr, TCPOLEN_TIMESTAMP); + if (code == 0) + snort.decode_flags |= DECODE_TCP_TS; break; case tcp::TcpOptCode::SKEETER: diff --git a/src/flow/flow_control.cc b/src/flow/flow_control.cc index 3b2dbf25f..c9706d5d7 100644 --- a/src/flow/flow_control.cc +++ b/src/flow/flow_control.cc 
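Review bot: `alt_max_command_line_len = default_smtp_alt_max_command_lines` in the `default_smtp` table at the end of the hunk references a name that is never defined; the table added above is `smtp_default_alt_max_command_lines`. In Lua an undefined global evaluates to nil, so the key is silently absent from `default_smtp` and the whole per-command length table has no effect. The line should read `alt_max_command_line_len = smtp_default_alt_max_command_lines,`. Also, `smtp_default_valid_cmds = smtp_default_normalize_cmds` drops SIZE from the valid command list (the removed list had it) while the new length table still carries `{ command = 'SIZE', length = 255, }`; if SIZE is meant to remain a valid command it needs adding to the normalize list, otherwise that entry is dead.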
@@ -324,8 +324,12 @@ static bool want_flow(PktType type, Packet* p) // guessing direction based on ports is misleading return false; - if ( !p->ptrs.tcph->is_syn_only() or SnortConfig::get_conf()->track_on_syn() or - (p->ptrs.decode_flags & DECODE_WSCALE) ) + if ( !p->ptrs.tcph->is_syn_only() or SnortConfig::get_conf()->track_on_syn() ) + return true; + + const unsigned DECODE_TCP_HS = DECODE_TCP_MSS | DECODE_TCP_TS | DECODE_TCP_WS; + + if ( (p->ptrs.decode_flags & DECODE_TCP_HS) or p->dsize ) return true; p->packet_flags |= PKT_FROM_CLIENT; diff --git a/src/framework/decode_data.h b/src/framework/decode_data.h index 0b5b9eb38..f7ec61976 100644 --- a/src/framework/decode_data.h +++ b/src/framework/decode_data.h @@ -102,7 +102,9 @@ enum DecodeFlags : std::uint16_t DECODE_EOF = 0x0400, // user - end of flow DECODE_GTP = 0x0800, - DECODE_WSCALE = 0x1000, + DECODE_TCP_MSS = 0x1000, + DECODE_TCP_TS = 0x2000, + DECODE_TCP_WS = 0x4000, }; struct DecodeData diff --git a/src/helpers/literal_search.cc b/src/helpers/literal_search.cc index 4738ab293..4f245ce2e 100644 --- a/src/helpers/literal_search.cc +++ b/src/helpers/literal_search.cc @@ -50,6 +50,8 @@ void LiteralSearch::cleanup(LiteralSearch::Handle* h) { #ifdef HAVE_HYPERSCAN HyperSearch::cleanup(h); +#else + UNUSED(h); #endif } diff --git a/src/ips_options/ips_pcre.cc b/src/ips_options/ips_pcre.cc index ca4c0143a..806b5307e 100644 --- a/src/ips_options/ips_pcre.cc +++ b/src/ips_options/ips_pcre.cc @@ -614,7 +614,9 @@ static const Parameter s_params[] = struct PcreStats { PegCount pcre_rules; +#ifdef HAVE_HYPERSCAN PegCount pcre_to_hyper; +#endif PegCount pcre_native; PegCount pcre_negated; }; 
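Review bot: The local `const unsigned DECODE_TCP_HS = DECODE_TCP_MSS | DECODE_TCP_TS | DECODE_TCP_WS;` in want_flow hard-codes the set of handshake flags in the caller, so a flag added later in decode_data.h would have to be remembered here as well; defining the mask once next to the enum (a `DECODE_TCP_HS` enumerator or `constexpr` in decode_data.h) keeps the codec and the flow code in step. The second new condition, `or p->dsize`, also starts tracking SYN-only packets that carry payload, which the commit message does not mention; a one-line comment stating why a payload-bearing SYN is worth a flow would make the intent reviewable. want_flow begins before this hunk.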
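Review bot: The three new enumerators `DECODE_TCP_MSS`, `DECODE_TCP_TS` and `DECODE_TCP_WS` carry no comment, unlike `DECODE_EOF` above them, and nothing records that cd_tcp.cc sets them only when `validate_option` returned 0 — the property init_mss and get_tcp_timestamp now rely on to skip the option walk. A comment once above the group, `// set by TcpCodec::decode_options only for a well-formed option`, would document that contract where consumers will look for it. Note also that with `DECODE_TCP_WS = 0x4000` the `std::uint16_t` enum has a single bit (0x8000) left, so the next flag will need a wider underlying type.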
@@ -622,7 +624,9 @@ struct PcreStats const PegInfo pcre_pegs[] = { { CountType::SUM, "pcre_rules", "total rules processed with pcre option" }, +#ifdef HAVE_HYPERSCAN { CountType::SUM, "pcre_to_hyper", "total pcre rules by hyperscan engine" }, +#endif { CountType::SUM, "pcre_native", "total pcre rules compiled by pcre engine" }, { CountType::SUM, "pcre_negated", "total pcre rules using negation syntax" }, { CountType::END, nullptr, nullptr } @@ -649,7 +653,9 @@ public: delete scratcher; } +#ifdef HAVE_HYPERSCAN bool begin(const char*, int, SnortConfig*) override; +#endif bool set(const char*, Value&, SnortConfig*) override; bool end(const char*, int, SnortConfig*) override; @@ -664,7 +670,6 @@ public: Usage get_usage() const override { return DETECT; } - void get_mod_regex_instance(const char* name, int v, SnortConfig* sc); Module* get_mod_regex() const { return mod_regex; } @@ -690,7 +695,8 @@ const PegInfo* PcreModule::get_pegs() const PegCount* PcreModule::get_counts() const { return (PegCount*)&pcre_stats; } -void PcreModule::get_mod_regex_instance(const char* name, int v, SnortConfig* sc) +#ifdef HAVE_HYPERSCAN +bool PcreModule::begin(const char* name, int v, SnortConfig* sc) { if ( sc->pcre_to_regex ) { @@ -700,13 +706,9 @@ void PcreModule::get_mod_regex_instance(const char* name, int v, SnortConfig* sc if( mod_regex ) mod_regex = mod_regex->begin(name, v, sc) ? mod_regex : nullptr; } -} - -bool PcreModule::begin(const char* name, int v, SnortConfig* sc) -{ - get_mod_regex_instance(name, v, sc); return true; } +#endif bool PcreModule::set(const char* name, Value& v, SnortConfig* sc) { @@ -784,6 +786,7 @@ static IpsOption* pcre_ctor(Module* p, OptTreeNode* otn) pcre_stats.pcre_rules++; PcreModule* m = (PcreModule*)p; +#ifdef HAVE_HYPERSCAN Module* mod_regex = m->get_mod_regex(); if ( mod_regex ) { 
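Review bot: `PcreStats` and `pcre_pegs[]` are now each edited under `#ifdef HAVE_HYPERSCAN`, and `get_counts()` returns `(PegCount*)&pcre_stats`, so peg names and struct members are matched purely by position; if either list is edited under one configuration only, counters are reported under the wrong name with no compiler diagnostic. A static check after the array keeps them in lockstep, e.g. `static_assert(sizeof(PcreStats) == (sizeof(pcre_pegs) / sizeof(pcre_pegs[0]) - 1) * sizeof(PegCount), "pcre_pegs and PcreStats out of sync");` (the `- 1` accounts for the `CountType::END` terminator). The same positional coupling applies to the `PcreStats` hunk just above this one.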
@@ -792,6 +795,9 @@ static IpsOption* pcre_ctor(Module* p, OptTreeNode* otn) return opt_api->ctor(mod_regex, otn); } else +#else + UNUSED(otn); +#endif { pcre_stats.pcre_native++; PcreData* d = m->get_data(); diff --git a/src/main/modules.cc b/src/main/modules.cc index 568966fba..96850b424 100644 --- a/src/main/modules.cc +++ b/src/main/modules.cc @@ -104,8 +104,10 @@ static const Parameter detection_params[] = { "pcre_override", Parameter::PT_BOOL, nullptr, "true", "enable pcre match limit overrides when pattern matching (ie ignore /O)" }, +#ifdef HAVE_HYPERSCAN { "pcre_to_regex", Parameter::PT_BOOL, nullptr, "false", - "disable pcre pattern matching" }, + "enable the use of regex instead of pcre for compatible expressions" }, +#endif { "enable_address_anomaly_checks", Parameter::PT_BOOL, nullptr, "false", "enable check and alerting of address anomalies" }, @@ -208,9 +210,11 @@ bool DetectionModule::set(const char* fqn, Value& v, SnortConfig* sc) else if ( v.is("pcre_override") ) sc->pcre_override = v.get_bool(); - + +#ifdef HAVE_HYPERSCAN else if ( v.is("pcre_to_regex") ) sc->pcre_to_regex = v.get_bool(); +#endif else if ( v.is("enable_address_anomaly_checks") ) sc->address_anomaly_check_enabled = v.get_bool(); diff --git a/src/main/snort_config.h b/src/main/snort_config.h index c8ff51dd5..0fd54d13e 100644 --- a/src/main/snort_config.h +++ b/src/main/snort_config.h @@ -244,11 +244,11 @@ public: #ifdef HAVE_HYPERSCAN bool hyperscan_literals = false; + bool pcre_to_regex = false; #endif bool global_rule_state = false; bool global_default_rule_state = true; - bool pcre_to_regex = false; //------------------------------------------------------ // process stuff diff --git a/src/service_inspectors/dce_rpc/dce_context_data.cc b/src/service_inspectors/dce_rpc/dce_context_data.cc index fe4424a94..ebaf79dc2 100644 --- a/src/service_inspectors/dce_rpc/dce_context_data.cc +++ b/src/service_inspectors/dce_rpc/dce_context_data.cc 
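Review bot: In pcre_ctor the `else` keyword sits inside the `#ifdef HAVE_HYPERSCAN` branch while the block it governs follows `#endif`, so the same `{ pcre_stats.pcre_native++; ... }` block is an else-body in one build and a bare compound statement in the other; it compiles, but the brace pairing is hard to read and easy to break when either side is edited. Provided the `return opt_api->ctor(mod_regex, otn);` is the unconditional last statement of the hyperscan branch, as the visible lines suggest, the `else` can simply be dropped: `if ( mod_regex ) { ... return opt_api->ctor(mod_regex, otn); }` then `#else` / `UNUSED(otn);` / `#endif`, with the native block following unconditionally. pcre_ctor starts before this hunk, and the `#ifdef` that this `#else` pairs with is opened in the previous hunk.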
@@ -76,13 +76,17 @@ void DceContextData::set_ips_id(DCE2_TransType trans, unsigned id) DceContextData* DceContextData::get_current_data(const Packet* p) { - IpsContext* context = p ? p->context : nullptr; + assert(p); + + if ( !p->flow ) + return nullptr; + unsigned ips_id = get_ips_id(get_dce2_trans_type(p)); if ( !ips_id ) return nullptr; - DceContextData* dcd = (DceContextData*)DetectionEngine::get_data(ips_id, context); + DceContextData* dcd = (DceContextData*)DetectionEngine::get_data(ips_id, p->context); if ( !dcd ) return nullptr; diff --git a/src/service_inspectors/smtp/smtp_module.cc b/src/service_inspectors/smtp/smtp_module.cc index 6f639057f..3f2755e7d 100644 --- a/src/service_inspectors/smtp/smtp_module.cc +++ b/src/service_inspectors/smtp/smtp_module.cc @@ -119,13 +119,13 @@ static const Parameter s_params[] = { "max_auth_command_line_len", Parameter::PT_INT, "0:65535", "1000", "max auth command Line Length" }, - { "max_command_line_len", Parameter::PT_INT, "0:65535", "0", + { "max_command_line_len", Parameter::PT_INT, "0:65535", "512", "max Command Line Length" }, - { "max_header_line_len", Parameter::PT_INT, "0:65535", "0", + { "max_header_line_len", Parameter::PT_INT, "0:65535", "1000", "max SMTP DATA header line" }, - { "max_response_line_len", Parameter::PT_INT, "0:65535", "0", + { "max_response_line_len", Parameter::PT_INT, "0:65535", "512", "max SMTP response line" }, { "normalize", Parameter::PT_ENUM, "none | cmds | all", "none", diff --git a/src/stream/tcp/tcp_normalizer.cc b/src/stream/tcp/tcp_normalizer.cc index 3da3d0902..0b6ad6a37 100644 --- a/src/stream/tcp/tcp_normalizer.cc +++ b/src/stream/tcp/tcp_normalizer.cc 
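Review bot: `assert(p);` in get_current_data replaces the previous null-tolerant `p ? p->context : nullptr`, but `assert` compiles to nothing under NDEBUG, so in a release build any caller that still passes a null Packet now dereferences it at `if ( !p->flow )` instead of getting nullptr back. If every caller has been audited to never pass null, the assert is a fine statement of that contract; if not, `if ( !p or !p->flow ) return nullptr;` keeps release builds safe while the assert still catches the misuse in debug builds. A short comment on the new flow check, e.g. `// context data is per flow; nothing to look up without one`, would also record why a flowless packet returns nullptr before the ips_id lookup.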
@@ -190,27 +190,29 @@ uint32_t TcpNormalizer::get_stream_window( uint32_t TcpNormalizer::get_tcp_timestamp( TcpNormalizerState& tns, TcpSegmentDescriptor& tsd, bool strip) { - tcp::TcpOptIterator iter(tsd.get_tcph(), tsd.get_pkt() ); - - // using const because non-const is not supported - for ( const tcp::TcpOption& opt : iter ) + if ( tsd.get_pkt()->ptrs.decode_flags & DECODE_TCP_TS ) { - if ( opt.code == tcp::TcpOptCode::TIMESTAMP ) + tcp::TcpOptIterator iter(tsd.get_tcph(), tsd.get_pkt() ); + + // using const because non-const is not supported + for ( const tcp::TcpOption& opt : iter ) { - bool stripped = false; + if ( opt.code == tcp::TcpOptCode::TIMESTAMP ) + { + bool stripped = false; - if (strip) - stripped = strip_tcp_timestamp(tns, tsd, &opt, (NormMode)tns.opt_block); + if (strip) + stripped = strip_tcp_timestamp(tns, tsd, &opt, (NormMode)tns.opt_block); - if (!stripped) - { - tsd.set_ts(extract_32bits(opt.data) ); - return TF_TSTAMP; + if (!stripped) + { + tsd.set_ts(extract_32bits(opt.data) ); + return TF_TSTAMP; + } } } } tsd.set_ts(0); - return TF_NONE; } diff --git a/src/stream/tcp/tcp_segment_descriptor.cc b/src/stream/tcp/tcp_segment_descriptor.cc index 443bd9a9a..9c0de122f 100644 --- a/src/stream/tcp/tcp_segment_descriptor.cc +++ b/src/stream/tcp/tcp_segment_descriptor.cc @@ -53,18 +53,20 @@ TcpSegmentDescriptor::TcpSegmentDescriptor(Flow* flow_, Packet* pkt_, TcpEventLo uint32_t TcpSegmentDescriptor::init_mss(uint16_t* value) { - tcp::TcpOptIterator iter(tcph, pkt); - for ( const tcp::TcpOption& opt : iter ) + if ( pkt->ptrs.decode_flags & DECODE_TCP_MSS ) { - if ( opt.code == tcp::TcpOptCode::MAXSEG ) + tcp::TcpOptIterator iter(tcph, pkt); + + for ( const tcp::TcpOption& opt : iter ) { - *value = extract_16bits(opt.data); - return TF_MSS; + if ( opt.code == tcp::TcpOptCode::MAXSEG ) + { + *value = extract_16bits(opt.data); + return TF_MSS; + } } } - *value = 0; - return TF_NONE; } 
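Review bot: get_tcp_timestamp now walks the options only when `DECODE_TCP_TS` is set, and init_mss does the same with `DECODE_TCP_MSS` in the tcp_segment_descriptor.cc hunk below, but neither says where the flag comes from; the codec sets it only when `validate_option` returns 0 (cd_tcp.cc in this same commit), so a malformed timestamp or MSS option that the old unconditional loop may have handled differently now yields TF_NONE and 0. A comment at each check, `// flag is set by the codec only for a validated option, so skip the walk otherwise`, would record that dependency for the next reader. Both functions still fall through to `tsd.set_ts(0)` / `*value = 0` when the flag is unset, so the TF_NONE path itself is unchanged.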
@@ -97,7 +99,7 @@ bool TcpSegmentDescriptor::has_wscale() { uint16_t wscale; - if ( !(pkt->ptrs.decode_flags & DECODE_WSCALE) ) + if ( !(pkt->ptrs.decode_flags & DECODE_TCP_WS) ) return false; return ( init_wscale(&wscale) & TF_WSCALE ) != TF_NONE;