From: Mike Stepanek (mstepane) Date: Wed, 4 Aug 2021 16:49:03 +0000 (+0000) Subject: Merge pull request #3005 in SNORT/snort3 from ~SVLASIUK/snort3:wizard_options_move... X-Git-Tag: 3.1.10.0~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=586b46bfc1e4741771564a67bf44aa8d9d77857a;p=thirdparty%2Fsnort3.git Merge pull request #3005 in SNORT/snort3 from ~SVLASIUK/snort3:wizard_options_move to master Squashed commit of the following: commit 4781785cec1ec20013758611cea6628db253d5c2 Author: russ Date: Thu May 6 09:54:51 2021 -0400 wizard: add wizard max_pattern option and update HTTP/SIP aware methods patterns commit a80b39187048cbab9bdcb70d59273aff773c7bff Author: russ Date: Thu May 6 12:59:33 2021 -0400 smtp: remove unused defines commit 2bc14ed5ebee6aa818b60959432e0f22fb7651e3 Author: russ Date: Thu May 6 13:00:16 2021 -0400 telnet: correct help for ayt_attack_thresh commit c695c3092b7ef955e81de6090c6d6683e1946195 Author: russ Date: Thu May 6 13:00:57 2021 -0400 ftp: remove unused defines and crufty comments --- diff --git a/lua/snort_defaults.lua b/lua/snort_defaults.lua index c85159466..36381eb1b 100644 --- a/lua/snort_defaults.lua +++ b/lua/snort_defaults.lua @@ -340,14 +340,15 @@ http_methods = -- build from default_http_methods 'UPDATEREDIRECTREF', 'PROPFIND', 'PROPPATCH', 'MKCOL', 'COPY', 'MOVE', 'LOCK', 'UNLOCK', 'SEARCH', 'BCOPY', 'BDELETE', 'BMOVE', 'BPROPFIND', 'BPROPPATCH', 'POLL', 'UNSUBSCRIBE', 'X_MS_ENUMATTS', - --'NOTIFY', 'OPTIONS', 'SUBSCRIBE', 'UPDATE' + 'OPTIONS * HTTP/', + --'NOTIFY', 'SUBSCRIBE', 'UPDATE' } -sip_methods = +sip_requests = { - 'INVITE', 'CANCEL', 'ACK', 'BYE', 'REGISTER', 'REFER', 'SUBSCRIBE', - 'UPDATE', 'JOIN', 'INFO', 'MESSAGE', 'NOTIFY', 'PRACK' - --'OPTIONS', + 'INVITE * SIP/', 'CANCEL * SIP/', 'ACK * SIP/', 'BYE * SIP/', 'REGISTER * SIP/', + 'REFER * SIP/', 'SUBSCRIBE * SIP/', 'UPDATE * SIP/', 'INFO * SIP/', 'MESSAGE * SIP/', + 'NOTIFY * SIP/', 'PRACK * SIP/', 'OPTIONS * SIP/' } telnet_commands = 
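Review bot: The new `'INVITE * SIP/'`-style entries only match when the `SIP/` token lies within the wizard's per-segment scan cap, which `SpellBook::find_spell` in this same commit clamps to `max` (64 bytes by default via the new `max_pattern` option), so a request whose Request-URI pushes `SIP/2.0` past that point may no longer be identified where the bare `'INVITE'` token was; the same applies to `'OPTIONS * HTTP/'`. Whether the page state carried through `MagicPage*&` resumes the glob in the following segment is not visible here, so this deserves a test with a long Request-URI before the default is relied on, since a crafted long URI that dodges service identification would also dodge the SIP inspector. `'JOIN'` is also dropped from the SIP list without mention in the commit message. If that is intentional because JOIN is not a registered SIP request method, record it next to the other excluded entries, e.g. `-- 'JOIN' (not a registered SIP method)`.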
@@ -381,7 +382,7 @@ default_wizard = to_client = { '+OK', '-ERR' } }, { service = 'sip', client_first = true, - to_server = sip_methods, to_client = { 'SIP/' } }, + to_server = sip_requests, to_client = { 'SIP/' } }, { service = 'smtp', proto = 'tcp', client_first = true, to_server = { 'HELO', 'EHLO' }, @@ -1191,7 +1192,7 @@ default_low_port_scan = default_whitelist = [[ ftp_command_specs default_ftp_server smtp_default_alt_max_command_lines - default_smtp http_methods sip_methods telnet_commands default_wizard + default_smtp http_methods sip_requests telnet_commands default_wizard default_references default_classifications gtp_v0_msg gtp_v1_msg gtp_v2_msg gtp_v0_info gtp_v1_info gtp_v2_info default_gtp tcp_low_ports tcp_low_decoy tcp_low_sweep tcp_low_dist tcp_med_ports diff --git a/src/service_inspectors/ftp_telnet/ftpp_si.cc b/src/service_inspectors/ftp_telnet/ftpp_si.cc index d7fd395ea..35bb88f8c 100644 --- a/src/service_inspectors/ftp_telnet/ftpp_si.cc +++ b/src/service_inspectors/ftp_telnet/ftpp_si.cc @@ -22,13 +22,6 @@ * This file contains functions to select server configurations * and begin the FTPTelnet process. * - * The session Inspection Module interfaces with the Stream Inspection - * Module and the User Interface Module to select the appropriate - * FTPTelnet configuration and in the case of stateful inspection the - * session Inspection Module retrieves the user-data from the Stream - * Module. For stateless inspection, the session Inspection Module uses - * the same structure for use by each packet. - * * The main responsibility of this module is to supply the appropriate * data structures and configurations for the rest of the FTPTelnet * process. The module also determines what type of data is being 
@@ -135,14 +128,10 @@ static int TelnetStatefulsessionInspection(Packet* p, * configuration for the session, and the type of inspection * to be performed (client or server.) * - * When the session Inspection module is in stateful mode, it - * checks to see if there is a TELNET_SESSION pointer already + * Checks to see if there is a TELNET_SESSION pointer already * associated with the stream. If there is, then it uses that * session pointer, otherwise it calculates the server configuration - * using the FTP_SI_INPUT and returns a TELNET_SESSION pointer. In - * stateful mode, this means that memory is allocated, but in - * stateless mode, the same session pointer is used for all packets - * to reduce the allocation overhead. + * using the FTP_SI_INPUT and returns a TELNET_SESSION pointer. * * The inspection mode can be either client or server. * @@ -486,14 +475,11 @@ static int FTPStatefulsessionInspection( * configuration for the session, and the type of inspection to * be performed (client or server.) * - * When the session Inspection module is in stateful mode, it - * checks to see if there is a FTP_SESSION pointer already + * Checks to see if there is a FTP_SESSION pointer already * associated with the stream. If there is, then it uses that * session pointer, otherwise it calculates the server * configuration using the FTP_SI_INPUT and returns a FTP_SESSION - * pointer. In stateful mode, this means that memory is allocated, - * but in stateless mode, the same session pointer is used for all - * packets to reduce the allocation overhead. + * pointer. * * The inspection mode can be either client or server. */ diff --git a/src/service_inspectors/ftp_telnet/ftpp_ui_config.h b/src/service_inspectors/ftp_telnet/ftpp_ui_config.h index 217e8abd6..de505943b 100644 --- a/src/service_inspectors/ftp_telnet/ftpp_ui_config.h +++ b/src/service_inspectors/ftp_telnet/ftpp_ui_config.h 
@@ -44,8 +44,6 @@ /* * Defines */ -#define FTPP_UI_CONFIG_STATELESS 0 -#define FTPP_UI_CONFIG_STATEFUL 1 #define FTPP_UI_CONFIG_TELNET_DEF_AYT_THRESHOLD (-1) #define FTPP_UI_CONFIG_FTP_DEF_RESP_MSG_MAX (-1) diff --git a/src/service_inspectors/ftp_telnet/telnet_module.cc b/src/service_inspectors/ftp_telnet/telnet_module.cc index dec8e6b4b..4d130760b 100644 --- a/src/service_inspectors/ftp_telnet/telnet_module.cc +++ b/src/service_inspectors/ftp_telnet/telnet_module.cc @@ -45,7 +45,7 @@ using namespace std; static const Parameter s_params[] = { { "ayt_attack_thresh", Parameter::PT_INT, "-1:max31", "-1", - "alert on this number of consecutive Telnet AYT commands" }, + "alert beyond this number of consecutive Telnet AYT commands (-1 is disabled)" }, { "check_encrypted", Parameter::PT_BOOL, nullptr, "false", "check for end of encryption" }, diff --git a/src/service_inspectors/smtp/smtp.h b/src/service_inspectors/smtp/smtp.h index 74e5ef995..c032f34d9 100644 --- a/src/service_inspectors/smtp/smtp.h +++ b/src/service_inspectors/smtp/smtp.h @@ -32,10 +32,6 @@ #define SMTP_PKT_FROM_CLIENT 1 #define SMTP_PKT_FROM_SERVER 2 -// Inspection type -#define SMTP_STATELESS 0 -#define SMTP_STATEFUL 1 - #define SEARCH_CMD 0 #define SEARCH_RESP 1 #define SEARCH_HDR 2 diff --git a/src/service_inspectors/wizard/hexes.cc b/src/service_inspectors/wizard/hexes.cc index 63845556d..a83448278 100644 --- a/src/service_inspectors/wizard/hexes.cc +++ b/src/service_inspectors/wizard/hexes.cc @@ -164,8 +164,11 @@ const MagicPage* HexBook::find_spell( } const char* HexBook::find_spell( - const uint8_t* data, unsigned len, const MagicPage*& p) const + const uint8_t* data, unsigned len, unsigned max, const MagicPage*& p) const { + if ( max and len > max ) + len = max; + p = find_spell(data, len, p, 0); if ( p and !p->value.empty() ) diff --git a/src/service_inspectors/wizard/magic.h b/src/service_inspectors/wizard/magic.h index 3c46c344f..8b7db0cc8 100644 --- a/src/service_inspectors/wizard/magic.h 
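Review bot: `HexBook::find_spell` previously scanned the full `len` and now silently stops at `max`, so any hex spell that needs more than `max_pattern` bytes to match can never fire with the default of 64, and nothing tells the operator why. Consider rejecting or warning at configuration time when a spell's required length exceeds `max_pattern`, or at least documenting the cap in the option help; `add_spell` and the module's `end()` are outside this hunk. A short comment on the new clamp, e.g. `// scan at most max bytes of this segment; 0 means the whole segment`, would also record the intent that is otherwise only implied by the `max and` test.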
+++ b/src/service_inspectors/wizard/magic.h @@ -52,7 +52,8 @@ public: MagicBook& operator=(const MagicBook&) = delete; virtual bool add_spell(const char* key, const char*& val) = 0; - virtual const char* find_spell(const uint8_t*, unsigned len, const MagicPage*&) const = 0; + virtual const char* find_spell(const uint8_t*, unsigned len, unsigned max, + const MagicPage*&) const = 0; const MagicPage* page1() { return root; } @@ -73,7 +74,8 @@ public: SpellBook(); bool add_spell(const char*, const char*&) override; - const char* find_spell(const uint8_t*, unsigned len, const MagicPage*&) const override; + const char* find_spell(const uint8_t*, unsigned len, unsigned max, + const MagicPage*&) const override; private: bool translate(const char*, HexVector&); @@ -92,7 +94,8 @@ public: HexBook() = default; bool add_spell(const char*, const char*&) override; - const char* find_spell(const uint8_t*, unsigned len, const MagicPage*&) const override; + const char* find_spell(const uint8_t*, unsigned len, unsigned, + const MagicPage*&) const override; private: bool translate(const char*, HexVector&); diff --git a/src/service_inspectors/wizard/spells.cc b/src/service_inspectors/wizard/spells.cc index f0f6d531e..51719f79f 100644 --- a/src/service_inspectors/wizard/spells.cc +++ b/src/service_inspectors/wizard/spells.cc @@ -163,13 +163,11 @@ const MagicPage* SpellBook::find_spell( } const char* SpellBook::find_spell( - const uint8_t* data, unsigned len, const MagicPage*& p) const + const uint8_t* data, unsigned len, unsigned max, const MagicPage*& p) const { - // FIXIT-L make configurable upper bound to limit globbing - unsigned max = 64; assert(p); - if ( len > max ) + if ( max and len > max ) len = max; p = find_spell(data, len, p, 0); diff --git a/src/service_inspectors/wizard/wiz_module.cc b/src/service_inspectors/wizard/wiz_module.cc index 4b79175a1..5e9cff769 100644 --- a/src/service_inspectors/wizard/wiz_module.cc +++ b/src/service_inspectors/wizard/wiz_module.cc 
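Review bot: The new parameter is named `max` on the pure virtual and on `SpellBook::find_spell` but left unnamed on `HexBook::find_spell` at the end of the hunk; naming it `max` in all three keeps the overrides readable and greppable. The `0 means no cap` convention that `spells.cc` and `hexes.cc` now implement is not stated anywhere in this header, so a future book could easily get it wrong. A comment on the pure virtual, `// max: scan at most this many bytes of data per call; 0 scans all of len`, would document the contract at the one place every implementation must follow.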
@@ -106,17 +106,13 @@ static const Parameter s_params[] = { "curses", Parameter::PT_MULTI, "dce_smb | dce_udp | dce_tcp | sslv2", nullptr, "enable service identification based on internal algorithm" }, + { "max_pattern", Parameter::PT_INT, "0:65535", "64", + "maximum scan depth per segment (0 is unlimited)" }, + { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; -WizardModule::WizardModule() : Module(WIZ_NAME, WIZ_HELP, s_params) -{ - c2s_hexes = nullptr; - s2c_hexes = nullptr; - c2s_spells = nullptr; - s2c_spells = nullptr; - curses = nullptr; -} +WizardModule::WizardModule() : Module(WIZ_NAME, WIZ_HELP, s_params) { } WizardModule::~WizardModule() { @@ -163,6 +159,9 @@ bool WizardModule::set(const char*, Value& v, SnortConfig*) else if ( v.is("curses") ) curses->add_curse(v.get_string()); + else if ( v.is("max_pattern") ) + max_pattern = v.get_uint16(); + return true; } diff --git a/src/service_inspectors/wizard/wiz_module.h b/src/service_inspectors/wizard/wiz_module.h index fd085e209..5d3dc4d0d 100644 --- a/src/service_inspectors/wizard/wiz_module.h +++ b/src/service_inspectors/wizard/wiz_module.h @@ -58,6 +58,9 @@ public: MagicBook* get_book(bool c2s, bool hex); CurseBook* get_curse_book(); + uint16_t get_max_pattern() + { return max_pattern; } + Usage get_usage() const override { return INSPECT; } @@ -73,13 +76,14 @@ private: std::vector s2c_patterns; bool c2s; - MagicBook* c2s_hexes; - MagicBook* s2c_hexes; + MagicBook* c2s_hexes = nullptr; + MagicBook* s2c_hexes = nullptr; - MagicBook* c2s_spells; - MagicBook* s2c_spells; + MagicBook* c2s_spells = nullptr; + MagicBook* s2c_spells = nullptr; - CurseBook* curses; + CurseBook* curses = nullptr; + uint16_t max_pattern = 0; }; #endif diff --git a/src/service_inspectors/wizard/wizard.cc b/src/service_inspectors/wizard/wizard.cc index ad1ed202d..273af7b50 100644 --- a/src/service_inspectors/wizard/wizard.cc +++ b/src/service_inspectors/wizard/wizard.cc 
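Review bot: `max_pattern` is initialised to 0 in `wiz_module.h`, which the new option help defines as unlimited, while the Lua default in `s_params` is 64; the two agree only if `WizardModule::set` is guaranteed to run for the default value, and if it is not, the previously hard-coded 64-byte glob cap removed from `spells.cc` silently becomes no cap at all. Initialise the member to match the table default, `uint16_t max_pattern = 64;`, so both paths yield the same bound regardless of how defaults are applied. The cap now also applies to `HexBook`, not just glob spells, which the help text `maximum scan depth per segment` could state explicitly.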
@@ -150,6 +150,7 @@ public: MagicBook* s2c_spells; CurseBook* curses; + uint16_t max_pattern; }; //------------------------------------------------------------------------- @@ -215,6 +216,7 @@ Wizard::Wizard(WizardModule* m) s2c_spells = m->get_book(false, false); curses = m->get_curse_book(); + max_pattern = m->get_max_pattern(); } Wizard::~Wizard() @@ -291,7 +293,7 @@ StreamSplitter* Wizard::get_splitter(bool c2s) bool Wizard::spellbind( const MagicPage*& m, Flow* f, const uint8_t* data, unsigned len) { - f->service = m->book.find_spell(data, len, m); + f->service = m->book.find_spell(data, len, max_pattern, m); return ( f->service != nullptr ); }