From: Hui Cao (huica) Date: Tue, 8 Nov 2016 17:31:04 +0000 (-0500) Subject: Merge pull request #694 in SNORT/snort3 from appid_no_so_wild to master X-Git-Tag: 3.0.0-233~198 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a88746d948cc8a61046527efba747b479eecc281;p=thirdparty%2Fsnort3.git Merge pull request #694 in SNORT/snort3 from appid_no_so_wild to master Squashed commit of the following: commit e5ae9e59f829351580d1b880a0077090c7b6cb5f Author: davis mcpherson Date: Fri Nov 4 11:34:51 2016 -0400 updates from code review comments and a few generall coding style fixups commit 1c6e1c075a61c8237090c42b18da97f8bb0dec62 Author: davis mcpherson Date: Wed Nov 2 15:28:32 2016 -0400 fix memory leak in service_rpc, list of rpc program nodes were dynamically allocated but never freed enable appid in default snort.lua configuration report parse errors with ParseWarning, functionality may be reduced but appid will still work commit a0a9c28afccfc93f550369d9f60d3e47f8c1c916 Author: davis mcpherson Date: Wed Nov 2 10:26:40 2016 -0400 refactor NetworkSet utility functions into a proper class commit cabb0a02458a3f3ff3c8eec9de7b36b5f992515e Author: davis mcpherson Date: Wed Nov 2 08:54:12 2016 -0400 consolidate utility functions to single utilities file or file where the function is used, eliminate duplicated types for custom config elements, delete deprecated files commit 10e5cac96c626f8dbc6cd5322b612cb0969545c4 Author: davis mcpherson Date: Wed Nov 2 07:48:07 2016 -0400 reduce appid chatiness - changed LogMessage to DebugMessage where appropriate, move more functions to appropriate source file and delete files no longer useful, ensure all Debug* logging for AppId is controlled by the DEBUG_APPID flag commit 8913c81160ae3ed00361b6946a369eb48856fa9e Author: davis mcpherson Date: Wed Nov 2 06:48:16 2016 -0400 refactoring to move functions and data defs to appropriate source file and delete source files no longer useful --- diff --git a/lua/snort.lua b/lua/snort.lua index 2980ee45b..f6134effe 100644 --- a/lua/snort.lua +++ b/lua/snort.lua @@ -64,6 +64,7 @@ stream_udp = { } stream_user = { } stream_file = { } +appid = { } arp_spoof = { } back_orifice = { } dnp3 = { } diff --git a/src/network_inspectors/appid/CMakeLists.txt b/src/network_inspectors/appid/CMakeLists.txt index 8cd0159f2..60310cf07 100644 --- a/src/network_inspectors/appid/CMakeLists.txt +++ b/src/network_inspectors/appid/CMakeLists.txt @@ -111,23 +111,18 @@ set ( DP_APPID_SOURCES ) set ( UTIL_APPID_SOURCES - appid_utils/common_util.h + appid_utils/appid_utils.cc + appid_utils/appid_utils.h appid_utils/fw_avltree.cc appid_utils/fw_avltree.h appid_utils/ip_funcs.cc appid_utils/ip_funcs.h appid_utils/network_set.cc appid_utils/network_set.h - appid_utils/output_file.cc - appid_utils/output_file.h - appid_utils/sfksearch.cc - appid_utils/sfksearch.h appid_utils/sf_mlmp.cc appid_utils/sf_mlmp.h appid_utils/sf_multi_mpse.cc appid_utils/sf_multi_mpse.h - appid_utils/sfutil.cc - appid_utils/sfutil.h ) set ( APPID_SOURCES @@ -139,7 +134,6 @@ set ( APPID_SOURCES appid_config.h appid_session.cc appid_session.h - appid.h appid_inspector.cc appid_inspector.h appid_module.cc @@ -150,9 +144,6 @@ set ( APPID_SOURCES app_info_table.cc app_info_table.h application_ids.h - flow_error.h - fw_appid.cc - fw_appid.h host_port_app_cache.cc host_port_app_cache.h http_common.h diff --git a/src/network_inspectors/appid/Makefile.am b/src/network_inspectors/appid/Makefile.am index 1329d91c4..4e6135154 100644 --- a/src/network_inspectors/appid/Makefile.am +++ b/src/network_inspectors/appid/Makefile.am @@ -108,23 +108,18 @@ service_plugins/service_tns.cc \ service_plugins/service_util.h util_file_list = \ -appid_utils/common_util.h \ +appid_utils/appid_utils.cc \ +appid_utils/appid_utils.h \ appid_utils/fw_avltree.cc \ appid_utils/fw_avltree.h \ appid_utils/ip_funcs.cc \ appid_utils/ip_funcs.h \ appid_utils/network_set.cc \ appid_utils/network_set.h \ -appid_utils/output_file.cc \ -appid_utils/output_file.h \ -appid_utils/sfksearch.cc \ -appid_utils/sfksearch.h \ appid_utils/sf_mlmp.cc \ appid_utils/sf_mlmp.h \ appid_utils/sf_multi_mpse.cc \ -appid_utils/sf_multi_mpse.h \ -appid_utils/sfutil.cc \ -appid_utils/sfutil.h +appid_utils/sf_multi_mpse.h file_list = \ app_forecast.cc \ @@ -135,7 +130,6 @@ appid_config.cc \ appid_config.h \ appid_session.cc \ appid_session.h \ -appid.h \ appid_inspector.cc \ appid_inspector.h \ appid_module.cc \ @@ -146,9 +140,6 @@ appid_stats.h \ app_info_table.cc \ app_info_table.h \ application_ids.h \ -flow_error.h \ -fw_appid.cc \ -fw_appid.h \ host_port_app_cache.cc \ host_port_app_cache.h \ http_common.h \ diff --git a/src/network_inspectors/appid/app_info_table.cc b/src/network_inspectors/appid/app_info_table.cc index 20fe5ab78..5b8693952 100644 --- a/src/network_inspectors/appid/app_info_table.cc +++ b/src/network_inspectors/appid/app_info_table.cc @@ -98,6 +98,31 @@ static AppId get_static_app_info_entry(AppId appid) return 0; } +void checkSandboxDetection(AppId appId) +{ + if (AppIdConfig::get_appid_config()->mod_config->instance_id) + { + auto entry = AppInfoManager::get_instance().get_app_info_entry(appId); + if ( entry && ( entry->flags & APPINFO_FLAG_ACTIVE ) ) + { + DebugFormat(DEBUG_APPID, "Detected application %d is active.\n", entry->appId); + } + else if( appId != 0 ) + { + if(entry) + { + DebugFormat(DEBUG_APPID, "Detected application %d is not active.\n", appId); + } + else + { + DebugFormat(DEBUG_APPID, + "No entry in application info table for detected application %d.\n", + appId); + } + } + } +} + AppInfoTableEntry* AppInfoManager::get_app_info_entry(AppId appId, const AppInfoTable& lookup_table) { AppId tmp; @@ -217,73 +242,65 @@ void AppInfoManager::set_app_info_active(AppId appId) if (entry) entry->flags |= APPINFO_FLAG_ACTIVE; else - DebugFormat(DEBUG_APPID, "AppInfo: AppId %d is UNKNOWN\n", appId); - + ErrorMessage("AppInfo: AppId %d has no entry in application info table\n", appId); } void AppInfoManager::load_appid_config(const char* path) { - FILE* config_file; - char* token; char buf[1024]; - char referred_app_list[4096]; - int referred_app_index; - char* conf_type; - char* conf_key; - char* conf_val; unsigned line = 0; - int max_tp_flow_depth; - char* context; - config_file = fopen(path, "r"); + FILE* config_file = fopen(path, "r"); if (config_file == nullptr) return; - DebugFormat(DEBUG_INSPECTOR, "Loading configuration file %s\n", path); + DebugFormat(DEBUG_APPID, "Loading configuration file %s\n", path); while (fgets(buf, sizeof(buf), config_file) != nullptr) { + char* context; + line++; - token = strtok_r(buf, CONF_SEPARATORS, &context); + char* token = strtok_r(buf, CONF_SEPARATORS, &context); if (token == nullptr) { - ErrorMessage("Could not read configuration at line %s:%u\n", path, line); + ParseWarning(WARN_CONF, "No 'conf_type' value at line %s:%u\n", path, line); continue; } - conf_type = token; + char* conf_type = token; token = strtok_r(nullptr, CONF_SEPARATORS, &context); if (token == nullptr) { - ErrorMessage("Could not read configuration value at line %s:%u\n", path, line); + ParseWarning(WARN_CONF, "No 'conf_key' value at line %s:%u\n", path, line); continue; } - conf_key = token; + char* conf_key = token; token = strtok_r(nullptr, CONF_SEPARATORS, &context); if (token == nullptr) { - ErrorMessage("Could not read configuration value at line %s:%u\n", path, line); + ParseWarning(WARN_CONF, "No 'conf_val' value at line %s:%u\n", path, line); continue; } - conf_val = token; + char* conf_val = token; /* APPID configurations are for anything else - currently we only have ssl_reinspect */ if (!(strcasecmp(conf_type, "appid"))) { if (!(strcasecmp(conf_key, "max_tp_flow_depth"))) { - max_tp_flow_depth = atoi(conf_val); + int max_tp_flow_depth = atoi(conf_val); if (max_tp_flow_depth < MIN_MAX_TP_FLOW_DEPTH || max_tp_flow_depth > MAX_MAX_TP_FLOW_DEPTH) { - DebugFormat(DEBUG_INSPECTOR, + ParseWarning(WARN_CONF, "AppId: invalid max_tp_flow_depth %d, must be between %d and %d\n.", max_tp_flow_depth, MIN_MAX_TP_FLOW_DEPTH, MAX_MAX_TP_FLOW_DEPTH); } else { - DebugFormat(DEBUG_INSPECTOR, + DebugFormat(DEBUG_APPID, "AppId: setting max thirdparty inspection flow depth to %d packets.\n", max_tp_flow_depth); AppIdConfig::get_appid_config()->mod_config->max_tp_flow_depth = max_tp_flow_depth; @@ -293,7 +310,7 @@ void AppInfoManager::load_appid_config(const char* path) { if (!(strcasecmp(conf_val, "enabled"))) { - DebugMessage(DEBUG_INSPECTOR, + DebugMessage(DEBUG_APPID, "AppId: TCP probes will be analyzed by NAVL.\n"); AppIdConfig::get_appid_config()->mod_config->tp_allow_probes = 1; @@ -301,14 +318,14 @@ void AppInfoManager::load_appid_config(const char* path) } else if (!(strcasecmp(conf_key, "tp_client_app"))) { - DebugFormat(DEBUG_INSPECTOR, + DebugFormat(DEBUG_APPID, "AppId: if thirdparty reports app %d, we will use it as a client.\n", atoi(conf_val)); set_app_info_flags(atoi(conf_val), APPINFO_FLAG_TP_CLIENT); } else if (!(strcasecmp(conf_key, "ssl_reinspect"))) { - DebugFormat(DEBUG_INSPECTOR, + DebugFormat(DEBUG_APPID, "AppId: adding app %d to list of SSL apps that get more granular inspection.\n", atoi(conf_val)); set_app_info_flags(atoi(conf_val), APPINFO_FLAG_SSL_INSPECT); @@ -317,28 +334,27 @@ void AppInfoManager::load_appid_config(const char* path) { if (!(strcasecmp(conf_val, "disabled"))) { - DEBUG_WRAP(DebugMessage(DEBUG_INSPECTOR, - "AppId: disabling safe search enforcement.\n"); ); + DebugMessage(DEBUG_APPID, "AppId: disabling safe search enforcement.\n"); AppIdConfig::get_appid_config()->mod_config->disable_safe_search = 1; } } else if (!(strcasecmp(conf_key, "ssl_squelch"))) { - DebugFormat(DEBUG_INSPECTOR, + DebugFormat(DEBUG_APPID, "AppId: adding app %d to list of SSL apps that may open a second SSL connection.\n", atoi(conf_val)); set_app_info_flags(atoi(conf_val), APPINFO_FLAG_SSL_SQUELCH); } else if (!(strcasecmp(conf_key, "defer_to_thirdparty"))) { - DebugFormat(DEBUG_INSPECTOR, + DebugFormat(DEBUG_APPID, "AppId: adding app %d to list of apps where we should take thirdparty ID over the NDE's.\n", atoi(conf_val)); set_app_info_flags(atoi(conf_val), APPINFO_FLAG_DEFER); } else if (!(strcasecmp(conf_key, "defer_payload_to_thirdparty"))) { - DebugFormat(DEBUG_INSPECTOR, + DebugFormat(DEBUG_APPID, "AppId: adding app %d to list of apps where we should take " "thirdparty payload ID over the NDE's.\n", atoi(conf_val)); @@ -348,7 +364,7 @@ void AppInfoManager::load_appid_config(const char* path) { if (!(strcasecmp(conf_val, "disabled"))) { - DebugMessage(DEBUG_INSPECTOR, + DebugMessage(DEBUG_APPID, "AppId: HTTP UserID collection disabled.\n"); AppIdConfig::get_appid_config()->mod_config->chp_userid_disabled = 1; continue; @@ -358,7 +374,7 @@ void AppInfoManager::load_appid_config(const char* path) { if (!(strcasecmp(conf_val, "disabled"))) { - DebugMessage(DEBUG_INSPECTOR, + DebugMessage(DEBUG_APPID, "AppId: HTTP Body header reading disabled.\n"); AppIdConfig::get_appid_config()->mod_config->chp_body_collection_disabled = 1; continue; @@ -368,8 +384,7 @@ void AppInfoManager::load_appid_config(const char* path) { if (!(strcasecmp(conf_val, "disabled"))) { - DEBUG_WRAP(DebugMessage(DEBUG_INSPECTOR, - "AppId: HTTP future flow creation disabled.\n"); ); + DebugMessage(DEBUG_APPID, "AppId: HTTP future flow creation disabled.\n"); AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled = 1; continue; } @@ -378,7 +393,7 @@ void AppInfoManager::load_appid_config(const char* path) { if (!(strcasecmp(conf_val, "disabled"))) { - DEBUG_WRAP(DebugMessage(DEBUG_INSPECTOR, "AppId: FTP userID disabled.\n"); ); + DebugMessage(DEBUG_APPID, "AppId: FTP userID disabled.\n"); AppIdConfig::get_appid_config()->mod_config->ftp_userid_disabled = 1; continue; } @@ -391,14 +406,14 @@ void AppInfoManager::load_appid_config(const char* path) token = strtok_r(nullptr, CONF_SEPARATORS, &context); if (token == nullptr) { - ErrorMessage("Could not read app_priority at line %u\n", line); + ParseWarning(WARN_CONF, "Could not read app_priority at line %u\n", line); continue; } conf_val = token; uint8_t temp_val; temp_val = strtol(conf_val, nullptr, 10); set_app_info_priority (temp_appid, temp_val); - DebugFormat(DEBUG_INSPECTOR,"AppId: %d Setting priority bit %d .\n", + DebugFormat(DEBUG_APPID,"AppId: %d Setting priority bit %d .\n", temp_appid, temp_val); } else if (!(strcasecmp(conf_key, "referred_appId"))) @@ -410,17 +425,18 @@ void AppInfoManager::load_appid_config(const char* path) } else if (!AppIdConfig::get_appid_config()->mod_config->referred_appId_disabled) { - referred_app_index=0; - referred_app_index += sprintf(referred_app_list, "%d ", atoi(conf_val)); + char referred_app_list[4096]; + int referred_app_index = snprintf(referred_app_list, 4096, "%d ", atoi(conf_val)); set_app_info_flags(atoi(conf_val), APPINFO_FLAG_REFERRED); while ((token = strtok_r(nullptr, CONF_SEPARATORS, &context)) != nullptr) { - referred_app_index += sprintf(referred_app_list+referred_app_index, "%d ", - atoi(token)); - set_app_info_flags(atoi(token), APPINFO_FLAG_REFERRED); + AppId id = atoi(token); + referred_app_index += snprintf(referred_app_list + referred_app_index, + 4096 - referred_app_index, "%d ", id); + set_app_info_flags(id, APPINFO_FLAG_REFERRED); } - DebugFormat(DEBUG_INSPECTOR, + DebugFormat(DEBUG_APPID, "AppId: adding appIds to list of referred web apps: %s\n", referred_app_list); } @@ -443,8 +459,8 @@ void AppInfoManager::load_appid_config(const char* path) } else if (!(strcasecmp(conf_key, "ignore_thirdparty_appid"))) { - LogMessage("AppId: adding app %d to list of ignore thirdparty apps.\n", atoi( - conf_val)); + DebugFormat(DEBUG_APPID, "AppId: adding app %d to list of ignore thirdparty apps.\n", + atoi(conf_val)); set_app_info_flags(atoi(conf_val), APPINFO_FLAG_IGNORE); } else if (!(strcasecmp(conf_key, "http2_detection"))) @@ -456,22 +472,23 @@ void AppInfoManager::load_appid_config(const char* path) // ports. if (!(strcasecmp(conf_val, "disabled"))) { - LogMessage("AppId: disabling internal HTTP/2 detection.\n"); + DebugMessage(DEBUG_APPID, "AppId: disabling internal HTTP/2 detection.\n"); AppIdConfig::get_appid_config()->mod_config->http2_detection_enabled = false; } else if (!(strcasecmp(conf_val, "enabled"))) { - LogMessage("AppId: enabling internal HTTP/2 detection.\n"); + DebugMessage(DEBUG_APPID, "AppId: enabling internal HTTP/2 detection.\n"); AppIdConfig::get_appid_config()->mod_config->http2_detection_enabled = true; } else { - LogMessage("AppId: ignoring invalid option for http2_detection: %s\n", + ParseWarning(WARN_CONF, "AppId: ignoring invalid option for http2_detection: %s\n", conf_val); } } } } + fclose(config_file); } @@ -493,11 +510,12 @@ void AppInfoManager::init_appid_info_table(const char* path) tableFile = fopen(filepath, "r"); if (tableFile == nullptr) { - ParseError("Could not open AppMapping Table file: %s, no AppId rule support", filepath); + ParseWarning(WARN_RULES, + "Could not open AppMapping Table file: %s, no AppId rule support", filepath); return; } - DebugFormat(DEBUG_INSPECTOR, "AppInfo read from %s\n", filepath); + DebugFormat(DEBUG_APPID, "AppInfo read from %s\n", filepath); while (fgets(buf, sizeof(buf), tableFile)) { diff --git a/src/network_inspectors/appid/app_info_table.h b/src/network_inspectors/appid/app_info_table.h index 19a480d51..24091ca55 100644 --- a/src/network_inspectors/appid/app_info_table.h +++ b/src/network_inspectors/appid/app_info_table.h @@ -32,6 +32,10 @@ #include "utils/util.h" #define APP_PRIORITY_DEFAULT 2 +#define SF_APPID_MAX 40000 +#define SF_APPID_BUILDIN_MAX 30000 +#define SF_APPID_CSD_MIN 1000000 +#define SF_APPID_DYNAMIC_MIN 2000000 struct RNAClientAppModule; struct RNAServiceElement; @@ -151,8 +155,9 @@ private: void load_appid_config(const char* path); AppInfoTableEntry* get_app_info_entry(AppId appId, const AppInfoTable& lookup_table); std::mutex custom_app_mutex; - }; +void checkSandboxDetection(AppId appId); + #endif diff --git a/src/network_inspectors/appid/appid.h b/src/network_inspectors/appid/appid.h deleted file mode 100644 index 8bc04016e..000000000 --- a/src/network_inspectors/appid/appid.h +++ /dev/null @@ -1,53 +0,0 @@ -//-------------------------------------------------------------------------- -// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved. -// Copyright (C) 2005-2013 Sourcefire, Inc. -// -// This program is free software; you can redistribute it and/or modify it -// under the terms of the GNU General Public License Version 2 as published -// by the Free Software Foundation. You may not use, modify or distribute -// this program under any other version of the GNU General Public License. -// -// This program is distributed in the hope that it will be useful, but -// WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -//-------------------------------------------------------------------------- - -// appid.h author Sourcefire Inc. - -#ifndef APPID_H -#define APPID_H - -#define SF_APPID_MAX 40000 -#define SF_APPID_BUILDIN_MAX 30000 -#define APPID_MAX_PRIORITY 3 -#define SF_APPID_CSD_MIN 1000000 -#define SF_APPID_DYNAMIC_MIN 2000000 -#define NUMBER_OF_PTYPES 9 - -#define RESPONSE_CODE_PACKET_THRESHHOLD 0 - -enum APPID_SESSION_DIRECTION -{ - APP_ID_FROM_INITIATOR, - APP_ID_FROM_RESPONDER, - APP_ID_APPID_SESSION_DIRECTION_MAX // Maximum value of a direction (must be last in the list) -}; - -enum SERVICE_HOST_INFO_CODE -{ - SERVICE_HOST_INFO_NETBIOS_NAME = 1 -}; - -#define FINGERPRINT_UDP_FLAGS_XENIX 0x00000800 -#define FINGERPRINT_UDP_FLAGS_NT 0x00001000 -#define FINGERPRINT_UDP_FLAGS_MASK (FINGERPRINT_UDP_FLAGS_XENIX | FINGERPRINT_UDP_FLAGS_NT) - -using AppIdFreeFCN = void(*)(void*); - -#endif - diff --git a/src/network_inspectors/appid/appid_api.cc b/src/network_inspectors/appid/appid_api.cc index d38c91d88..199c61122 100644 --- a/src/network_inspectors/appid/appid_api.cc +++ b/src/network_inspectors/appid/appid_api.cc @@ -22,10 +22,8 @@ #include "appid_api.h" #include "app_info_table.h" -#include "appid.h" #include "service_plugins/service_base.h" #include "app_info_table.h" -#include "fw_appid.h" #include "utils/util.h" @@ -159,7 +157,7 @@ bool AppIdApi::is_appid_inspecting_session(AppIdSession* appIdSession) if (appIdSession && appIdSession->common.flow_type == APPID_FLOW_TYPE_NORMAL) { if (appIdSession->rnaServiceState != RNA_STATE_FINISHED || - !TPIsAppIdDone(appIdSession->tpsession) || + !is_third_party_appid_done(appIdSession->tpsession) || appIdSession->get_session_flags(APPID_SESSION_HTTP_SESSION | APPID_SESSION_CONTINUE) || (appIdSession->get_session_flags(APPID_SESSION_ENCRYPTED) && (appIdSession->get_session_flags(APPID_SESSION_DECRYPTED) || @@ -204,7 +202,7 @@ bool AppIdApi::is_appid_available(AppIdSession* asd) { if (asd->get_session_flags(APPID_SESSION_NO_TPI)) return true; - return TPIsAppIdAvailable(asd->tpsession); + return is_third_party_appid_available(asd->tpsession); } return false; } @@ -512,7 +510,7 @@ uint32_t AppIdApi::produce_ha_state(Flow* flow, uint8_t* buf) if ( asd ) { appHA->flags = APPID_HA_FLAGS_APP; - if (TPIsAppIdAvailable(asd->tpsession)) + if (is_third_party_appid_available(asd->tpsession)) appHA->flags |= APPID_HA_FLAGS_TP_DONE; if (asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) appHA->flags |= APPID_HA_FLAGS_SVC_DONE; diff --git a/src/network_inspectors/appid/appid_config.cc b/src/network_inspectors/appid/appid_config.cc index ca36e405f..c2821a64b 100644 --- a/src/network_inspectors/appid/appid_config.cc +++ b/src/network_inspectors/appid/appid_config.cc @@ -25,8 +25,7 @@ #include "app_info_table.h" #include "appid_utils/network_set.h" #include "appid_utils/ip_funcs.h" -#include "appid_utils/common_util.h" -#include "appid_utils/sfutil.h" +#include "appid_utils/appid_utils.h" #include "main/snort_debug.h" #include "log/messages.h" #include "utils/util.h" @@ -36,6 +35,7 @@ #define ODP_PORT_DETECTORS "odp/port/*" #define CUSTOM_PORT_DETECTORS "custom/port/*" #define MAX_DISPLAY_SIZE 65536 +#define MAX_LINE 2048 static AppIdConfig* appid_config = nullptr; unsigned appIdPolicyId; @@ -47,7 +47,7 @@ struct PortList uint16_t port; }; -static THREAD_LOCAL SF_LIST genericConfigList; ///< List of AppidGenericConfigItem structures +static THREAD_LOCAL SF_LIST appid_custom_configs; AppIdModuleConfig::~AppIdModuleConfig() { @@ -74,49 +74,48 @@ AppIdConfig* AppIdConfig::get_appid_config() return appid_config; } -void AppIdConfig::add_generic_config_element(const char* name, void* pData) +void AppidConfigElement::add_generic_config_element(const char* name, void* data) { - AppidGenericConfigItem* pConfigItem; + AppidConfigElement* ce; - pConfigItem = (AppidGenericConfigItem*)snort_calloc(sizeof(AppidGenericConfigItem)); - pConfigItem->name = snort_strdup(name); - pConfigItem->pData = pData; - sflist_add_tail(&genericConfigList, pConfigItem); + ce = (AppidConfigElement*)snort_calloc(sizeof(AppidConfigElement)); + ce->name = snort_strdup(name); + ce->value = data; + sflist_add_tail(&appid_custom_configs, ce); } -void* AppIdConfig::find_generic_config_element(const char* name) +void* AppidConfigElement::find_generic_config_element(const char* name) { - AppidGenericConfigItem* pConfigItem; + AppidConfigElement* ce; SF_LNODE* next; // Search a module's configuration by its name - for (pConfigItem = (AppidGenericConfigItem*)sflist_first( - (SF_LIST*)&genericConfigList, &next); - pConfigItem != nullptr; - pConfigItem = (AppidGenericConfigItem*)sflist_next(&next)) + for (ce = (AppidConfigElement*)sflist_first(&appid_custom_configs, &next); + ce != nullptr; + ce = (AppidConfigElement*)sflist_next(&next)) { - if (strcmp(pConfigItem->name, name) == 0) - return pConfigItem->pData; + if (strcmp(ce->name, name) == 0) + return ce->value; } return nullptr; } -void AppIdConfig::remove_generic_config_element(const char* name) +void AppidConfigElement::remove_generic_config_element(const char* name) { SF_LNODE* iter; - AppidGenericConfigItem* cfg; + AppidConfigElement* ce; // Search a module's configuration by its name - for (cfg = (AppidGenericConfigItem*)sflist_first(&genericConfigList, &iter); - cfg != nullptr; - cfg = (AppidGenericConfigItem*)sflist_next(&iter)) + for (ce = (AppidConfigElement*)sflist_first(&appid_custom_configs, &iter); + ce != nullptr; + ce = (AppidConfigElement*)sflist_next(&iter)) { - if (strcmp(cfg->name, name) == 0) + if (strcmp(ce->name, name) == 0) { - snort_free(cfg->name); - snort_free(cfg); - sflist_remove_node(&genericConfigList, iter); + snort_free(ce->name); + snort_free(ce); + sflist_remove_node(&appid_custom_configs, iter); break; } } @@ -292,18 +291,18 @@ void AppIdConfig::configure_analysis_networks(char* toklist[], uint32_t flag) zone = -1; ias6->addr_flags |= flag; six = ias6->range_min; - NSIPv6AddrHtoN(&six); + NetworkSetManager::ntoh_ipv6(&six); inet_ntop(AF_INET6, (struct in6_addr*)&six, min_ip, sizeof(min_ip)); six = ias6->range_max; - NSIPv6AddrHtoN(&six); + NetworkSetManager::ntoh_ipv6(&six); inet_ntop(AF_INET6, (struct in6_addr*)&six, max_ip, sizeof(max_ip)); - LogMessage("Adding %s-%s (0x%08X) with zone %d\n", min_ip, max_ip, + DebugFormat(DEBUG_APPID, "Adding %s-%s (0x%08X) with zone %d\n", min_ip, max_ip, ias6->addr_flags, zone); if (zone >= 0) { if (!(my_net_list = net_list_by_zone[zone])) { - if (NetworkSet_New(&my_net_list)) + if (NetworkSetManager::create(&my_net_list)) ErrorMessage("%s", "Failed to create a network set"); else { @@ -315,9 +314,8 @@ void AppIdConfig::configure_analysis_networks(char* toklist[], uint32_t flag) } else my_net_list = net_list; - if (my_net_list && NetworkSet_AddCidrBlock6Ex(my_net_list, &ias6->range_min, - ias6->netmask, - ias6->addr_flags & IPFUNCS_EXCEPT_IP, 0, + if (my_net_list && NetworkSetManager::add_cidr_block6_ex(my_net_list, + &ias6->range_min, ias6->netmask, ias6->addr_flags & IPFUNCS_EXCEPT_IP, 0, ias6->addr_flags & (~IPFUNCS_EXCEPT_IP))) { ErrorMessage( @@ -347,14 +345,13 @@ void AppIdConfig::configure_analysis_networks(char* toklist[], uint32_t flag) else zone = -1; ias->addr_flags |= flag; - LogMessage("Adding 0x%08X-0x%08X (0x%08X) with zone %d\n", ias->range_min, - ias->range_max, - ias->addr_flags, zone); + DebugFormat(DEBUG_APPID, "Adding 0x%08X-0x%08X (0x%08X) with zone %d\n", + ias->range_min, ias->range_max, ias->addr_flags, zone); if (zone >= 0) { if (!(my_net_list = net_list_by_zone[zone])) { - if (NetworkSet_New(&my_net_list)) + if (NetworkSetManager::create(&my_net_list)) ErrorMessage("%s", "Failed to create a network set"); else { @@ -366,7 +363,7 @@ void AppIdConfig::configure_analysis_networks(char* toklist[], uint32_t flag) } else my_net_list = net_list; - if (my_net_list && NetworkSet_AddCidrBlockEx(my_net_list, ias->range_min, + if (my_net_list && NetworkSetManager::add_cidr_block_ex(my_net_list, ias->range_min, ias->netmask, ias->addr_flags & IPFUNCS_EXCEPT_IP, 0, ias->addr_flags & (~IPFUNCS_EXCEPT_IP))) @@ -495,8 +492,8 @@ void AppIdConfig::process_port_exclusion(char* toklist[]) ErrorMessage("Config: Invalid port exclusion address specified"); return; } - NSIPv6AddrHtoNConv(&ias6->range_min, &ip); - NSIPv6AddrHtoNConv(&ias6->netmask_mask, &netmask); + NetworkSetManager::hton_swap_ipv6(&ias6->range_min, &ip); + NetworkSetManager::hton_swap_ipv6(&ias6->netmask_mask, &netmask); family = AF_INET6; snort_free(ias6); } @@ -577,14 +574,14 @@ int AppIdConfig::load_analysis_config(const char* config_file, int reload, int i unsigned line = 0; NetworkSet* my_net_list; - if (NetworkSet_New(&net_list)) + if (NetworkSetManager::create(&net_list)) FatalError("Failed to allocate a network set"); net_list_list = net_list; if (!config_file || (!config_file[0])) { char addrString[sizeof("0.0.0.0/0")]; - LogMessage("Defaulting to monitoring all Snort traffic for AppID.\n"); + DebugMessage(DEBUG_APPID, "Defaulting to monitoring all Snort traffic for AppID.\n"); toklist[1] = nullptr; toklist[0] = addrString; strcpy(addrString,"0.0.0.0/0"); @@ -608,9 +605,7 @@ int AppIdConfig::load_analysis_config(const char* config_file, int reload, int i while (fgets(linebuffer, MAX_LINE, fp) != nullptr) { line++; - - strip(linebuffer); - + AppIdUtils::strip(linebuffer); cptr = linebuffer; while (isspace((int)*cptr)) @@ -619,8 +614,7 @@ int AppIdConfig::load_analysis_config(const char* config_file, int reload, int i if (*cptr && (*cptr != '#') && (*cptr != 0x0a)) { memset(toklist, 0, sizeof(toklist)); - /* tokenize the line */ - num_toks = Tokenize(cptr, toklist); + num_toks = AppIdUtils::tokenize(cptr, toklist); if (num_toks < 2) { fclose(fp); @@ -628,13 +622,9 @@ int AppIdConfig::load_analysis_config(const char* config_file, int reload, int i return -1; } if (!(strcasecmp(toklist[0], "config"))) - { process_config_directive(toklist, reload); - } else if (!(strcasecmp(toklist[0], "portexclusion"))) - { process_port_exclusion(toklist); - } } } @@ -645,7 +635,7 @@ int AppIdConfig::load_analysis_config(const char* config_file, int reload, int i { char* instance_toklist[2]; char addrString[sizeof("0.0.0.0/0")]; - LogMessage("Defaulting to monitoring all Snort traffic for AppID.\n"); + DebugMessage(DEBUG_APPID, "Defaulting to monitoring all Snort traffic for AppID.\n"); instance_toklist[0] = addrString; instance_toklist[1] = nullptr; strcpy(addrString,"0.0.0.0/0"); @@ -658,16 +648,16 @@ int AppIdConfig::load_analysis_config(const char* config_file, int reload, int i { if (my_net_list != net_list) { - if (NetworkSet_AddSet(my_net_list, net_list)) + if (NetworkSetManager::add_set(my_net_list, net_list)) ErrorMessage("Failed to add any network list to a zone network list"); } } net_list_count = 0; for (my_net_list = net_list_list; my_net_list; my_net_list = net_list->next) { - if (NetworkSet_Reduce(my_net_list)) + if (NetworkSetManager::reduce(my_net_list)) ErrorMessage("Failed to reduce the IP address sets"); - net_list_count += NetworkSet_CountEx(my_net_list) + NetworkSet_Count6Ex(my_net_list); + net_list_count += NetworkSetManager::count_ex(my_net_list) + NetworkSetManager::count6_ex(my_net_list); } return 0; @@ -684,14 +674,13 @@ bool AppIdConfig::init_appid( ) appid_config = this; map_app_names_to_snort_ids(); appIdPolicyId = 53; - InitNetmasks(app_id_netmasks); + AppIdUtils::init_netmasks(app_id_netmasks); app_info_mgr.init_appid_info_table(mod_config->app_detector_dir); sflist_init(&appid_config->client_app_args); load_analysis_config(mod_config->conf_file, 0, mod_config->instance_id); read_port_detectors(ODP_PORT_DETECTORS); read_port_detectors(CUSTOM_PORT_DETECTORS); ThirdPartyAppIDInit(mod_config); - show(); if ( mod_config->dump_ports ) { @@ -704,7 +693,7 @@ bool AppIdConfig::init_appid( ) return true; } -static void free_config_items(ConfigItem* ci) +static void free_config_items(AppidConfigElement* ci) { if (ci) { @@ -741,7 +730,7 @@ void AppIdConfig::cleanup() while ((net_list = net_list_list)) { net_list_list = net_list->next; - NetworkSet_Destroy(net_list); + NetworkSetManager::destroy(net_list); } free_port_exclusion_list(tcp_port_exclusions_src); @@ -806,10 +795,10 @@ void AppIdConfig::show() for (i = 0; i < my_net_list->count6; i++) { six = my_net_list->pnetwork6[i]->range_min; - NSIPv6AddrHtoN(&six); + NetworkSetManager::ntoh_ipv6(&six); p = inet_ntop(AF_INET6, (struct in6_addr*)&six, inet_buffer, sizeof(inet_buffer)); six = my_net_list->pnetwork6[i]->range_max; - NSIPv6AddrHtoN(&six); + NetworkSetManager::ntoh_ipv6(&six); p2 = inet_ntop(AF_INET6, (struct in6_addr*)&six, inet_buffer2, sizeof(inet_buffer2)); LogMessage(" %s%s-%s %04X\n", (my_net_list->pnetwork6[i]->info.ip_not) ? "!" : "", p ? @@ -836,10 +825,10 @@ void AppIdConfig::show() for (i = 0; i < my_net_list->count6; i++) { six = my_net_list->pnetwork6[i]->range_min; - NSIPv6AddrHtoN(&six); + NetworkSetManager::ntoh_ipv6(&six); p = inet_ntop(AF_INET6, (struct in6_addr*)&six, inet_buffer, sizeof(inet_buffer)); six = my_net_list->pnetwork6[i]->range_max; - NSIPv6AddrHtoN(&six); + NetworkSetManager::ntoh_ipv6(&six); p2 = inet_ntop(AF_INET6, (struct in6_addr*)&six, inet_buffer2, sizeof(inet_buffer2)); LogMessage(" %s%s-%s %04X\n", (my_net_list->pnetwork6[i]->info.ip_not) ? "!" : "", @@ -867,34 +856,28 @@ void AppIdConfig::show() void AppIdConfig::display_port_config() { - unsigned i; - int first; + bool first = true; - first = 1; - for (i = 0; i < sizeof(tcp_port_only) / sizeof(AppId); i++) - { + for ( auto& i : tcp_port_only ) if (tcp_port_only[i]) { if (first) { LogMessage(" TCP Port-Only Services\n"); - first = 0; + first = false; } LogMessage(" %5u - %u\n", i, tcp_port_only[i]); } - } - first = 1; - for (i = 0; i + #include "client_plugins/client_app_config.h" #include "detector_plugins/detector_sip.h" #include "service_plugins/service_config.h" @@ -53,10 +54,14 @@ struct PortExclusion // Currently, IMAP, PO3 and MDNS use this data structure. Lua modules currently // do not have any configuration. They can use this data structure in the future, // if needed. -struct AppidGenericConfigItem +struct AppidConfigElement { char* name; ///< Module name - void* pData; ///< Module configuration data + void* value; ///< Module configuration data + + static void add_generic_config_element(const char* name, void* pData); + static void* find_generic_config_element(const char* name); + static void remove_generic_config_element(const char* name); }; struct AppIdSessionLogFilter @@ -128,19 +133,14 @@ public: static AppIdConfig* get_appid_config(); void set_safe_search_enforcement(int enabled); - // add, find, remove generic config items... - void add_generic_config_element(const char* name, void* pData); - void* find_generic_config_element(const char* name); - void remove_generic_config_element(const char* name); - unsigned max_service_info = 0; unsigned net_list_count = 0; NetworkSet* net_list_list = nullptr; NetworkSet* net_list = nullptr; NetworkSet* net_list_by_zone[MAX_ZONES] = { nullptr }; - AppId tcp_port_only[65536] = { 0 }; ///< Service IDs for port-only TCP services - AppId udp_port_only[65536] = { 0 }; ///< Service IDs for port-only UDP services - AppId ip_protocol[255] = { 0 }; ///< Service IDs for non-TCP / UDP protocol services + std::array tcp_port_only; ///< Service IDs for port-only TCP services + std::array udp_port_only; ///< Service IDs for port-only UDP services + AppId ip_protocol[255] = { 0 }; ///< Service IDs for non-TCP / UDP protocol services SF_LIST client_app_args; ///< List of Client App arguments // for each potential port, an sflist of PortExclusion structs SF_LIST* tcp_port_exclusions_src[APP_ID_PORT_ARRAY_SIZE] = { nullptr }; diff --git a/src/network_inspectors/appid/appid_http_event_handler.cc b/src/network_inspectors/appid/appid_http_event_handler.cc index bc14515c1..cf8cd8bd0 100644 --- a/src/network_inspectors/appid/appid_http_event_handler.cc +++ b/src/network_inspectors/appid/appid_http_event_handler.cc @@ -159,7 +159,7 @@ void HttpEventHandler::handle(DataEvent& event, Flow* flow) session->scan_flags |= SCAN_HTTP_VIA_FLAG; } - session->processHTTPPacket(direction); + session->process_http_packet(direction); session->set_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_HTTP_SESSION); if (direction == APP_ID_FROM_INITIATOR) appid_stats.http_flows++; diff --git a/src/network_inspectors/appid/appid_inspector.cc b/src/network_inspectors/appid/appid_inspector.cc index fd7aaedcc..34231978c 100644 --- a/src/network_inspectors/appid/appid_inspector.cc +++ b/src/network_inspectors/appid/appid_inspector.cc @@ -30,7 +30,6 @@ #include "profiler/profiler.h" #include "appid_stats.h" #include "appid_session.h" -#include "fw_appid.h" #include "lua_detector_module.h" #include "lua_detector_api.h" #include "host_port_app_cache.h" @@ -75,8 +74,6 @@ AppIdInspector::~AppIdInspector() bool AppIdInspector::configure(SnortConfig*) { active_config = new AppIdConfig( ( AppIdModuleConfig* )config); - if(config->debug) - show(nullptr); get_data_bus().subscribe(HTTP_REQUEST_HEADER_EVENT_KEY, new HttpEventHandler(HttpEventHandler::REQUEST_EVENT)); get_data_bus().subscribe(HTTP_RESPONSE_HEADER_EVENT_KEY, new HttpEventHandler(HttpEventHandler::RESPONSE_EVENT)); @@ -103,6 +100,8 @@ void AppIdInspector::show(SnortConfig*) LogMessage(" appStats Rollover time: %lu secs\n", config->app_stats_rollover_time); LogMessage("\n"); + active_config->show(); + } void AppIdInspector::tinit() diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index 56a66c0ea..5598139d9 100644 --- a/src/network_inspectors/appid/appid_session.cc +++ b/src/network_inspectors/appid/appid_session.cc @@ -31,7 +31,6 @@ #include "app_info_table.h" #include "appid_module.h" -#include "fw_appid.h" #include "appid_stats.h" #include "app_forecast.h" #include "host_port_app_cache.h" @@ -59,6 +58,43 @@ static int16_t snortId_for_unsynchronized; static int16_t snortId_for_ftp_data; static int16_t snortId_for_http2; +inline int ThirdPartyAppIDFoundProto(AppId proto, AppId* proto_list) +{ + unsigned int proto_cnt = 0; + while (proto_list[proto_cnt] != APP_ID_NONE) + if (proto_list[proto_cnt++] == proto) + return 1; // found + + return 0; // not found +} + +inline int testSSLAppIdForReinspect(AppId app_id) +{ + if (app_id <= SF_APPID_MAX && + (app_id == APP_ID_SSL || AppInfoManager::get_instance().get_app_info_flags(app_id, APPINFO_FLAG_SSL_INSPECT))) + return 1; + else + return 0; +} + +void AppIdSession::add_user(AppIdSession* asd, const char* username, AppId appId, int success) +{ + if (asd->username) + snort_free(asd->username); + asd->username = snort_strdup(username); + asd->username_service = appId; + if (success) + asd->set_session_flags(APPID_SESSION_LOGIN_SUCCEEDED); + else + asd->clear_session_flags(APPID_SESSION_LOGIN_SUCCEEDED); +} + +void AppIdSession::add_payload(AppIdSession* asd, AppId payload_id) +{ + checkSandboxDetection(payload_id); + asd->payload_app_id = payload_id; +} + void map_app_names_to_snort_ids() { /* init globals for snortId compares */ @@ -1043,13 +1079,13 @@ bool AppIdSession::do_third_party_discovery(IpProtocol protocol, const sfip_t* i if ((payload_app_id == APP_ID_HTTP_TUNNEL) && (tp_app_id == APP_ID_SSL)) set_payload_app_id_data(APP_ID_HTTP_SSL_TUNNEL, NULL); - processHTTPPacket(p, direction, nullptr); + process_http_packet(p, direction, nullptr); // If SSL over HTTP tunnel, make sure Snort knows that it's encrypted. if (payload_app_id == APP_ID_HTTP_SSL_TUNNEL) snort_app_id = APP_ID_SSL; - if (TPIsAppIdAvailable(tpsession) && tp_app_id == APP_ID_HTTP + if (is_third_party_appid_available(tpsession) && tp_app_id == APP_ID_HTTP && !get_session_flags(APPID_SESSION_APP_REINSPECT)) { rna_client_state = RNA_STATE_FINISHED; @@ -1197,8 +1233,8 @@ void AppIdSession::pickHttpXffAddress(Packet*, ThirdPartyAppIDAttributeData* att #endif -bool AppIdSession::do_service_discovery(IpProtocol protocol, int direction, AppId ClientAppId, - AppId payloadAppId, Packet* p) +bool AppIdSession::do_service_discovery(IpProtocol protocol, int direction, AppId client_app_id, + AppId payload_app_id, Packet* p) { AppInfoTableEntry* entry; bool isTpAppidDiscoveryDone = false; @@ -1206,8 +1242,7 @@ bool AppIdSession::do_service_discovery(IpProtocol protocol, int direction, AppI if (rnaServiceState != RNA_STATE_FINISHED) { Profile serviceMatchPerfStats_profile_context(serviceMatchPerfStats); - uint32_t prevRnaServiceState; - prevRnaServiceState = rnaServiceState; + uint32_t prevRnaServiceState = rnaServiceState; //decision to directly call validator or go through elaborate service_state tracking //is made once at the beginning of sesssion. if (rnaServiceState == RNA_STATE_NONE && p->dsize) @@ -1234,7 +1269,7 @@ bool AppIdSession::do_service_discovery(IpProtocol protocol, int direction, AppI rnaServiceState = RNA_STATE_FINISHED; } } - else if (TPIsAppIdAvailable(tpsession)) + else if (is_third_party_appid_available(tpsession)) { if (tp_app_id > APP_ID_NONE) { @@ -1265,7 +1300,7 @@ bool AppIdSession::do_service_discovery(IpProtocol protocol, int direction, AppI if (rnaServiceState == RNA_STATE_STATEFUL&& prevRnaServiceState == RNA_STATE_STATEFUL && !get_session_flags(APPID_SESSION_NO_TPI) && - TPIsAppIdAvailable(tpsession) && + is_third_party_appid_available(tpsession) && tp_app_id > APP_ID_NONE && tp_app_id < SF_APPID_MAX) { entry = app_info_mgr->get_app_info_entry(tp_app_id); @@ -1276,6 +1311,7 @@ bool AppIdSession::do_service_discovery(IpProtocol protocol, int direction, AppI stop_rna_service_inspection(p, direction); } } + if (rnaServiceState == RNA_STATE_STATEFUL) { AppIdDiscoverService(p, direction, this); @@ -1289,8 +1325,8 @@ bool AppIdSession::do_service_discovery(IpProtocol protocol, int direction, AppI && dsession && dsession->host) { size_t size = dsession->host_len; - dns_host_scan_hostname((const uint8_t*) (dsession->host), size, &ClientAppId, &payloadAppId); - set_client_app_id_data(ClientAppId, nullptr); + dns_host_scan_hostname((const uint8_t*) (dsession->host), size, &client_app_id, &payload_app_id); + set_client_app_id_data(client_app_id, nullptr); } else if (serviceAppId == APP_ID_RTMP) examine_rtmp_metadata(); @@ -1305,6 +1341,7 @@ bool AppIdSession::do_service_discovery(IpProtocol protocol, int direction, AppI } } } + return isTpAppidDiscoveryDone; } @@ -1325,7 +1362,7 @@ bool AppIdSession::do_client_discovery(int direction, Packet* p) { if (p->flow->get_session_flags() & SSNFLAG_MIDSTREAM) rna_client_state = RNA_STATE_FINISHED; - else if (TPIsAppIdAvailable(tpsession) && ( tp_app_id > APP_ID_NONE ) + else if (is_third_party_appid_available(tpsession) && ( tp_app_id > APP_ID_NONE ) && ( tp_app_id < SF_APPID_MAX ) ) { entry = app_info_mgr->get_app_info_entry(tp_app_id); @@ -1353,7 +1390,7 @@ bool AppIdSession::do_client_discovery(int direction, Packet* p) //stop rna inspection as soon as tp has classified a valid AppId later in the session if ((rna_client_state == RNA_STATE_STATEFUL || rna_client_state == RNA_STATE_DIRECT) && rna_client_state == prevRnaClientState && !get_session_flags(APPID_SESSION_NO_TPI) - && TPIsAppIdAvailable(tpsession) && tp_app_id > APP_ID_NONE && tp_app_id < SF_APPID_MAX) + && is_third_party_appid_available(tpsession) && tp_app_id > APP_ID_NONE && tp_app_id < SF_APPID_MAX) { entry = app_info_mgr->get_app_info_entry(tp_app_id); if (!(entry && entry->clntValidator && entry->clntValidator == rna_client_data @@ -1430,9 +1467,8 @@ bool AppIdSession::do_client_discovery(int direction, Packet* p) void AppIdSession::do_application_discovery(Packet* p) { IpProtocol protocol; - AppId serviceAppId = 0; - AppId ClientAppId = 0; - AppId payloadAppId = 0; + AppId client_app_id = 0; + AppId payload_app_id = 0; bool isTpAppidDiscoveryDone = false; uint64_t flow_flags; int direction; @@ -1731,8 +1767,8 @@ void AppIdSession::do_application_discovery(Packet* p) { size_t size = asd->dsession->host_len; dns_host_scan_hostname((const uint8_t*)asd->dsession->host, size, - &ClientAppId, &payloadAppId); - asd->set_client_app_id_data(ClientAppId, nullptr); + &client_app_id, &payload_app_id); + asd->set_client_app_id_data(client_app_id, nullptr); } else if (asd->serviceAppId == APP_ID_RTMP) asd->examine_rtmp_metadata(); @@ -1744,7 +1780,7 @@ void AppIdSession::do_application_discovery(Packet* p) { // FIXIT-M commented out assignment causes analysis warning /*isTpAppidDiscoveryDone = */ - asd->do_service_discovery(protocol, direction, ClientAppId, payloadAppId, p); + asd->do_service_discovery(protocol, direction, client_app_id, payload_app_id, p); isTpAppidDiscoveryDone = asd->do_client_discovery(direction, p); asd->set_session_flags(APPID_SESSION_ADDITIONAL_PACKET); } @@ -1758,8 +1794,8 @@ void AppIdSession::do_application_discovery(Packet* p) } } - serviceAppId = asd->pick_service_app_id(); - payloadAppId = asd->pick_payload_app_id(); + AppId serviceAppId = asd->pick_service_app_id(); + payload_app_id = asd->pick_payload_app_id(); if (serviceAppId > APP_ID_NONE) { @@ -1778,12 +1814,12 @@ void AppIdSession::do_application_discovery(Packet* p) #endif } - p->flow->set_application_ids(serviceAppId, asd->pick_client_app_id(), payloadAppId, asd->pick_misc_app_id()); + p->flow->set_application_ids(serviceAppId, asd->pick_client_app_id(), payload_app_id, asd->pick_misc_app_id()); /* Set the field that the Firewall queries to see if we have a search engine. */ - if (asd->search_support_type == UNKNOWN_SEARCH_ENGINE && payloadAppId > APP_ID_NONE) + if (asd->search_support_type == UNKNOWN_SEARCH_ENGINE && payload_app_id > APP_ID_NONE) { - uint flags = AppInfoManager::get_instance().get_app_info_flags(payloadAppId, APPINFO_FLAG_SEARCH_ENGINE | + uint flags = AppInfoManager::get_instance().get_app_info_flags(payload_app_id, APPINFO_FLAG_SEARCH_ENGINE | APPINFO_FLAG_SUPPORTED_SEARCH); asd->search_support_type = (flags & APPINFO_FLAG_SEARCH_ENGINE) ? @@ -1802,16 +1838,16 @@ void AppIdSession::do_application_discovery(Packet* p) } LogMessage("AppIdDbg %s appId: %u (safe)search_support_type=%s\n", - asd->session_logging_id, payloadAppId, typeString); + asd->session_logging_id, payload_app_id, typeString); } } if ( serviceAppId != APP_ID_NONE ) { - if ( payloadAppId != APP_ID_NONE && payloadAppId != asd->pastIndicator) + if ( payload_app_id != APP_ID_NONE && payload_app_id != asd->pastIndicator) { - asd->pastIndicator = payloadAppId; - check_session_for_AF_indicator(p, direction, (ApplicationId)payloadAppId); + asd->pastIndicator = payload_app_id; + check_session_for_AF_indicator(p, direction, (ApplicationId)payload_app_id); } if (asd->payload_app_id == APP_ID_NONE && asd->pastForecast != serviceAppId && @@ -1927,13 +1963,13 @@ static inline unsigned get_ipfuncs_flags(const Packet* p, bool dst) { if (sf_ip->ip32[0] == 0xFFFFFFFF) return IPFUNCS_CHECKED; - NetworkSet_ContainsEx(net_list, ntohl(sf_ip->ip32[0]), &flags); + NetworkSetManager::contains_ex(net_list, ntohl(sf_ip->ip32[0]), &flags); } else { memcpy(&ip6, sf_ip->ip32, sizeof(ip6)); - NSIPv6AddrNtoH(&ip6); - NetworkSet_Contains6Ex(net_list, &ip6, &flags); + NetworkSetManager::ntoh_ipv6(&ip6); + NetworkSetManager::contains6_ex(net_list, &ip6, &flags); } return flags | IPFUNCS_CHECKED; @@ -2240,22 +2276,21 @@ void AppIdSession::update_encrypted_app_id(AppId serviceAppId) } } -void AppIdSession::set_client_app_id_data(AppId clientAppId, char** version) +void AppIdSession::set_client_app_id_data(AppId id, char** version) { - if (clientAppId <= APP_ID_NONE || clientAppId == APP_ID_HTTP) + if (id <= APP_ID_NONE || id == APP_ID_HTTP) return; - if (client_app_id != clientAppId) + if (id != client_app_id) { unsigned prev_priority = app_info_mgr->get_app_info_priority(client_app_id); - unsigned curr_priority = app_info_mgr->get_app_info_priority(clientAppId); + unsigned curr_priority = app_info_mgr->get_app_info_priority(id); - if (config->mod_config->instance_id) - checkSandboxDetection(clientAppId); + checkSandboxDetection(id); if ((client_app_id) && (prev_priority > curr_priority )) return; - client_app_id = clientAppId; + client_app_id = id; if (client_version) snort_free(client_version); @@ -2339,18 +2374,18 @@ void AppIdSession::examine_ssl_metadata(Packet* p) { size_t size; int ret; - AppId clientAppId = 0; + AppId client_app_id = 0; AppId payload_app_id = 0; if ((scan_flags & SCAN_SSL_HOST_FLAG) && tsession->tls_host) { size = strlen(tsession->tls_host); if ((ret = ssl_scan_hostname((const uint8_t*)tsession->tls_host, size, - &clientAppId, &payload_app_id))) + &client_app_id, &payload_app_id))) { - set_client_app_id_data(clientAppId, nullptr); + set_client_app_id_data(client_app_id, nullptr); set_payload_app_id_data((ApplicationId)payload_app_id, nullptr); - setSSLSquelch(p, ret, (ret == 1 ? payload_app_id : clientAppId)); + setSSLSquelch(p, ret, (ret == 1 ? payload_app_id : client_app_id)); } scan_flags &= ~SCAN_SSL_HOST_FLAG; } @@ -2358,11 +2393,11 @@ void AppIdSession::examine_ssl_metadata(Packet* p) { size = strlen(tsession->tls_cname); if ((ret = ssl_scan_cname((const uint8_t*)tsession->tls_cname, size, - &clientAppId, &payload_app_id))) + &client_app_id, &payload_app_id))) { - set_client_app_id_data(clientAppId, nullptr); + set_client_app_id_data(client_app_id, nullptr); set_payload_app_id_data((ApplicationId)payload_app_id, nullptr); - setSSLSquelch(p, ret, (ret == 1 ? payload_app_id : clientAppId)); + setSSLSquelch(p, ret, (ret == 1 ? payload_app_id : client_app_id)); } snort_free(tsession->tls_cname); tsession->tls_cname = nullptr; @@ -2371,11 +2406,11 @@ void AppIdSession::examine_ssl_metadata(Packet* p) { size = strlen(tsession->tls_orgUnit); if ((ret = ssl_scan_cname((const uint8_t*)tsession->tls_orgUnit, size, - &clientAppId, &payload_app_id))) + &client_app_id, &payload_app_id))) { - set_client_app_id_data(clientAppId, nullptr); + set_client_app_id_data(client_app_id, nullptr); set_payload_app_id_data((ApplicationId)payload_app_id, nullptr); - setSSLSquelch(p, ret, (ret == 1 ? payload_app_id : clientAppId)); + setSSLSquelch(p, ret, (ret == 1 ? payload_app_id : client_app_id)); } snort_free(tsession->tls_orgUnit); tsession->tls_orgUnit = nullptr; @@ -2385,8 +2420,8 @@ void AppIdSession::examine_ssl_metadata(Packet* p) void AppIdSession::examine_rtmp_metadata() { AppId serviceAppId = 0; - AppId ClientAppId = 0; - AppId payloadAppId = 0; + AppId client_app_id = 0; + AppId payload_app_id = 0; AppId referredPayloadAppId = 0; char* version = nullptr; @@ -2396,20 +2431,20 @@ void AppIdSession::examine_rtmp_metadata() if (hsession->url) { if (((get_appid_from_url(nullptr, hsession->url, &version, - hsession->referer, &ClientAppId, &serviceAppId, - &payloadAppId, &referredPayloadAppId, 1)) || + hsession->referer, &client_app_id, &serviceAppId, + &payload_app_id, &referredPayloadAppId, 1)) || (get_appid_from_url(nullptr, hsession->url, &version, - hsession->referer, &ClientAppId, &serviceAppId, - &payloadAppId, &referredPayloadAppId, 0))) == 1) + hsession->referer, &client_app_id, &serviceAppId, + &payload_app_id, &referredPayloadAppId, 0))) == 1) { /* do not overwrite a previously-set client or service */ - if (ClientAppId <= APP_ID_NONE) - set_client_app_id_data(ClientAppId, nullptr); + if (client_app_id <= APP_ID_NONE) + set_client_app_id_data(client_app_id, nullptr); if (serviceAppId <= APP_ID_NONE) set_service_appid_data(serviceAppId, nullptr, nullptr); /* DO overwrite a previously-set data */ - set_payload_app_id_data((ApplicationId)payloadAppId, nullptr); + set_payload_app_id_data((ApplicationId)payload_app_id, nullptr); set_referred_payload_app_id_data(referredPayloadAppId); } } @@ -2422,9 +2457,7 @@ void AppIdSession::set_referred_payload_app_id_data(AppId id) if (referred_payload_app_id != id) { - if (config->mod_config->instance_id) - checkSandboxDetection(id); - + checkSandboxDetection(id); referred_payload_app_id = id; } } @@ -2439,8 +2472,7 @@ void AppIdSession::set_payload_app_id_data(ApplicationId id, char** version) unsigned prev_priority = app_info_mgr->get_app_info_priority(payload_app_id); unsigned curr_priority = app_info_mgr->get_app_info_priority(id); - if (config->mod_config->instance_id) - checkSandboxDetection(id); + checkSandboxDetection(id); if ((payload_app_id ) && (prev_priority > curr_priority )) return; @@ -2472,22 +2504,18 @@ void AppIdSession::set_service_appid_data(AppId id, char* vendor, char** version if (id <= APP_ID_NONE) return; - //in drambuie, 3rd party is in INIT state after processing first GET requuest. + // 3rd party is in INIT state after processing first GET request. if (id == APP_ID_HTTP) { if (client_service_app_id == APP_ID_NONE) - { client_service_app_id = id; - } return; } if (serviceAppId != id) { serviceAppId = id; - - if (config->mod_config->instance_id) - checkSandboxDetection(id); + checkSandboxDetection(id); /* Clear out previous values of vendor & version */ if (serviceVendor) @@ -2892,7 +2920,7 @@ AppId AppIdSession::pick_service_app_id() if (serviceAppId > APP_ID_NONE && !deferred) return serviceAppId; - if (TPIsAppIdAvailable(tpsession)) + if (is_third_party_appid_available(tpsession)) { if (tp_app_id > APP_ID_NONE) return tp_app_id; @@ -2929,7 +2957,7 @@ AppId AppIdSession::pick_only_service_app_id() if (serviceAppId > APP_ID_NONE && !deferred) return serviceAppId; - if (TPIsAppIdAvailable(tpsession) && tp_app_id > APP_ID_NONE) + if (is_third_party_appid_available(tpsession) && tp_app_id > APP_ID_NONE) return tp_app_id; else if (deferred) return serviceAppId; @@ -3413,13 +3441,12 @@ void AppIdSession::processCHP(char** version, Packet* p) } } -int AppIdSession::processHTTPPacket(int direction) +int AppIdSession::process_http_packet(int direction) { Profile http_profile_context(httpPerfStats); constexpr auto RESPONSE_CODE_LENGTH = 3; HeaderMatchedPatterns hmp; - httpSession* http_session; int size; char* version = nullptr; char* vendorVersion = nullptr; @@ -3427,14 +3454,8 @@ int AppIdSession::processHTTPPacket(int direction) AppId service_id = 0; AppId client_id = 0; AppId payload_id = 0; - AppId referredPayloadAppId = 0; - char* host; - char* url; - char* useragent; - char* referer; - char* via; - http_session = hsession; + httpSession* http_session = hsession; if (!http_session) { clear_app_id_data(); @@ -3484,18 +3505,17 @@ int AppIdSession::processHTTPPacket(int direction) } #endif } - host = http_session->host; - url = http_session->url; - via = http_session->via; - useragent = http_session->useragent; - referer = http_session->referer; + char* host = http_session->host; + char* url = http_session->url; + char* via = http_session->via; + char* useragent = http_session->useragent; + char* referer = http_session->referer; memset(&hmp, 0, sizeof(hmp)); if (serviceAppId == APP_ID_NONE) { serviceAppId = APP_ID_HTTP; - if (config->mod_config->instance_id) - checkSandboxDetection(APP_ID_HTTP); + checkSandboxDetection(APP_ID_HTTP); } if (session_logging_enabled) @@ -3505,13 +3525,11 @@ int AppIdSession::processHTTPPacket(int direction) if (!http_session->chp_finished || http_session->chp_hold_flow) processCHP(&version, nullptr); - if (!http_session->skip_simple_detect) // false unless a match happened with a call to - // processCHP(). + if (!http_session->skip_simple_detect) // true if processCHP found match { if (!get_session_flags(APPID_SESSION_APP_REINSPECT)) { // Scan Server Header for Vendor & Version - // FIXIT-M: Should we be checking the scan_flags even when // thirdparty_appid_module is off? if ((thirdparty_appid_module && (scan_flags & SCAN_HTTP_VENDOR_FLAG) && @@ -3577,8 +3595,8 @@ int AppIdSession::processHTTPPacket(int direction) LogMessage("AppIdDbg %s User Agent is service %d\n", session_logging_id, service_id); set_service_appid_data(service_id, nullptr, nullptr); - if (session_logging_enabled && client_id > APP_ID_NONE && client_id != - APP_ID_HTTP && client_app_id != client_id) + if (session_logging_enabled && client_id > APP_ID_NONE && + client_id != APP_ID_HTTP && client_app_id != client_id) LogMessage("AppIdDbg %s User Agent is client %d\n", session_logging_id, client_id); set_client_app_id_data(client_id, &version); @@ -3655,11 +3673,14 @@ int AppIdSession::processHTTPPacket(int direction) if (scan_flags & SCAN_HTTP_HOST_URL_FLAG) { + AppId referredPayloadAppId = 0; + if (version) { snort_free(version); version = nullptr; } + if (get_appid_from_url(host, url, &version, referer, &client_id, &service_id, &payload_id, &referredPayloadAppId, 0) == 1) { @@ -3697,7 +3718,7 @@ int AppIdSession::processHTTPPacket(int direction) if (tp_payload_app_id > APP_ID_NONE) { entry = app_info_mgr->get_app_info_entry(tp_payload_app_id); - // only move tpPayloadAppId to client if its got a clientAppId + // only move tpPayloadAppId to client if its got a client_app_id if (entry && entry->clientId > APP_ID_NONE) { misc_app_id = client_app_id; @@ -3707,7 +3728,7 @@ int AppIdSession::processHTTPPacket(int direction) else if (payload_app_id > APP_ID_NONE) { entry = app_info_mgr->get_app_info_entry(payload_app_id); - // only move payloadAppId to client if it has a ClientAppid + // only move payload_app_id to client if it has a ClientAppid if (entry && entry->clientId > APP_ID_NONE) { misc_app_id = client_app_id; diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h index f14709163..4eaa07d10 100644 --- a/src/network_inspectors/appid/appid_session.h +++ b/src/network_inspectors/appid/appid_session.h @@ -30,15 +30,21 @@ #include "protocols/packet.h" #include "utils/sflsq.h" -#include "appid.h" #include "appid_api.h" #include "application_ids.h" -#include "flow_error.h" #include "length_app_cache.h" #include "service_state.h" +#include "http_common.h" #include "thirdparty_appid_api.h" #include "thirdparty_appid_types.h" -#include "http_common.h" +#include "thirdparty_appid_utils.h" + +struct RNAServiceElement; +struct RNAServiceSubtype; +struct RNAClientAppModule; +class AppInfoManager; + +using AppIdFreeFCN = void(*)(void*); #define MAX_ATTR_LEN 1024 #define HTTP_PREFIX "http://" @@ -59,12 +65,26 @@ (APPID_SESSION_RESPONDER_MONITORED | \ APPID_SESSION_INITIATOR_MONITORED | APPID_SESSION_DISCOVER_USER | \ APPID_SESSION_SPECIAL_MONITORED) + +// flow status codes +enum AppIdFlowStatusCodes +{ + APPID_SESSION_SUCCESS = 0, + APPID_SESSION_ENULL, + APPID_SESSION_EINVALID, + APPID_SESSION_ENOMEM, + APPID_SESSION_NOTFOUND, + APPID_SESSION_BADJUJU, + APPID_SESSION_DISABLED, + APPID_SESSION_EUNSUPPORTED, + APPID_SESSION_STOP_PROCESSING, + APPID_SESSION_EEXISTS +}; + #define MAX_SESSION_LOGGING_ID_LEN (39+1+5+4+39+1+5+1+3+1+1+1+2+1+10+1+1+1+10+1) -struct RNAServiceElement; -struct RNAServiceSubtype; -struct RNAClientAppModule; -class AppInfoManager; +#define MIN_SFTP_PACKET_COUNT 30 +#define MAX_SFTP_PACKET_COUNT 55 enum RNA_INSPECTION_STATE { @@ -74,6 +94,13 @@ enum RNA_INSPECTION_STATE RNA_STATE_FINISHED }; +enum APPID_SESSION_DIRECTION +{ + APP_ID_FROM_INITIATOR, + APP_ID_FROM_RESPONDER, + APP_ID_APPID_SESSION_DIRECTION_MAX // Maximum value of a direction (must be last in the list) +}; + struct AppIdFlowData { AppIdFlowData* next; @@ -112,6 +139,8 @@ struct fflow_info int flow_prepared; }; +#define RESPONSE_CODE_PACKET_THRESHHOLD 0 + struct httpSession { char* host; @@ -204,7 +233,8 @@ public: static AppIdSession* create_future_session(const Packet*, const sfip_t*, uint16_t, const sfip_t*, uint16_t, IpProtocol, int16_t, int); static void do_application_discovery(Packet*); - int processHTTPPacket(int); + static void add_user(AppIdSession*, const char* username, AppId, int success); + static void add_payload(AppIdSession*, AppId); AppIdConfig* config = nullptr; CommonAppIdData common; @@ -217,12 +247,12 @@ public: uint16_t service_port = 0; IpProtocol protocol = IpProtocol::PROTO_NOT_SET; uint8_t previous_tcp_flags = 0; + // AppId matching service side + RNA_INSPECTION_STATE rnaServiceState = RNA_STATE_NONE; AppId serviceAppId = APP_ID_NONE; AppId portServiceAppId = APP_ID_NONE; - // RNAServiceElement for identifying detector const RNAServiceElement* serviceData = nullptr; - RNA_INSPECTION_STATE rnaServiceState = RNA_STATE_NONE; char* serviceVendor = nullptr; char* serviceVersion = nullptr; RNAServiceSubtype* subtype = nullptr; @@ -230,25 +260,24 @@ public: char* netbios_name = nullptr; SF_LIST* candidate_service_list = nullptr; unsigned int num_candidate_services_tried = 0; - int got_incompatible_services = 0; + bool got_incompatible_services = false; - /**AppId matching client side */ + // AppId matching client side + RNA_INSPECTION_STATE rna_client_state = RNA_STATE_NONE; AppId client_app_id = APP_ID_NONE; AppId client_service_app_id = APP_ID_NONE; char* client_version = nullptr; - /**RNAClientAppModule for identifying client detector*/ const RNAClientAppModule* rna_client_data = nullptr; - RNA_INSPECTION_STATE rna_client_state = RNA_STATE_NONE; SF_LIST* candidate_client_list = nullptr; unsigned int num_candidate_clients_tried = 0; bool tried_reverse_service = false; - /**AppId matching payload*/ + // AppId matching payload AppId payload_app_id = APP_ID_NONE; AppId referred_payload_app_id = APP_ID_NONE; AppId misc_app_id = APP_ID_NONE; - //appId determined by 3rd party library + // appId determined by 3rd party library AppId tp_app_id = APP_ID_NONE; AppId tp_payload_app_id = APP_ID_NONE; @@ -352,7 +381,8 @@ public: AppId fw_pick_payload_app_id(); AppId fw_pick_referred_payload_app_id(); bool is_ssl_session_decrypted(); - int processHTTPPacket(Packet*, int, HttpParsedHeaders* const); + int process_http_packet(Packet*, int, HttpParsedHeaders* const); + int process_http_packet(int); private: bool do_client_discovery(int, Packet*); @@ -394,4 +424,40 @@ private: static THREAD_LOCAL AppIdFlowData* fd_free_list; }; +inline bool is_third_party_appid_done(void* tp_session) +{ + if (thirdparty_appid_module) + { + unsigned state; + + if (tp_session) + state = thirdparty_appid_module->session_state_get(tp_session); + else + state = TP_STATE_INIT; + + return (state == TP_STATE_CLASSIFIED || state == TP_STATE_TERMINATED + || state == TP_STATE_HA); + } + + return true; +} + +inline bool is_third_party_appid_available(void* tp_session) +{ + if (thirdparty_appid_module) + { + unsigned state; + + if (tp_session) + state = thirdparty_appid_module->session_state_get(tp_session); + else + state = TP_STATE_INIT; + + return (state == TP_STATE_CLASSIFIED || state == TP_STATE_TERMINATED + || state == TP_STATE_MONITORING); + } + + return true; +} + #endif diff --git a/src/network_inspectors/appid/appid_stats.cc b/src/network_inspectors/appid/appid_stats.cc index e644fc0fc..208e9ec5c 100644 --- a/src/network_inspectors/appid/appid_stats.cc +++ b/src/network_inspectors/appid/appid_stats.cc @@ -36,7 +36,6 @@ #include "appid_session.h" #include "app_info_table.h" #include "appid_utils/fw_avltree.h" -#include "appid_utils/output_file.h" #define URLCATBUCKETS 100 #define URLREPBUCKETS 5 @@ -347,6 +346,33 @@ static StatsBucket* get_stats_bucket(time_t startTime) return bucket; } +static FILE* open_stats_log_file(const char* const filename, time_t tstamp) +{ + FILE* fp; + char output_fullpath[512]; + time_t curr_time; + + if (tstamp) + curr_time = tstamp; + else + curr_time = time(nullptr); + + snprintf(output_fullpath, sizeof(output_fullpath), "%s.%lu", filename, curr_time); + LogMessage("Opening %s for AppId statistics logging.\n", output_fullpath); + + if ((fp = fopen(output_fullpath, "w")) == nullptr) + { + ErrorMessage("Unable to open output file \"%s\": %s\n for AppId statistics logging.",output_fullpath, strerror(errno)); + } + return fp; +} + +static FILE* rollover_stats_log_file(const char* const filename, FILE* const oldfp, time_t tstamp) +{ + fclose(oldfp); + return open_stats_log_file(filename, tstamp); +} + static void dump_statistics() { struct StatsBucket* bucket = nullptr; @@ -445,14 +471,14 @@ static void dump_statistics() { if (!appfp) { - appfp = openOutputFile(appid_stats_filename, currTime); + appfp = open_stats_log_file(appid_stats_filename, currTime); appTime = currTime; appSize = 0; } else if (((currTime - appTime) > rollPeriod) || ((appSize + buffSize) > rollSize)) { - appfp = rolloverOutputFile(appid_stats_filename, appfp, currTime); + appfp = rollover_stats_log_file(appid_stats_filename, appfp, currTime); appTime = currTime; appSize = 0; } diff --git a/src/network_inspectors/appid/appid_utils/sfutil.cc b/src/network_inspectors/appid/appid_utils/appid_utils.cc similarity index 69% rename from src/network_inspectors/appid/appid_utils/sfutil.cc rename to src/network_inspectors/appid/appid_utils/appid_utils.cc index 2f9debfc5..295d5a6a6 100644 --- a/src/network_inspectors/appid/appid_utils/sfutil.cc +++ b/src/network_inspectors/appid/appid_utils/appid_utils.cc @@ -19,23 +19,21 @@ // sfutil.cc author Sourcefire Inc. -#include "sfutil.h" -#include "common_util.h" +#include "appid_utils.h" +#include #include -#include -#include #include "utils/util.h" -int Split(char* data, char** toklist, int max_toks, const char* separator) +int AppIdUtils::split(char* data, char** toklist, int max_toks, const char* separator) { char** ap; int argcount = 0; memset(toklist, 0, max_toks * sizeof(*toklist)); for (ap = (char**)toklist; - ap < &toklist[max_toks] && (*ap=strsep(&data, separator)) != nullptr; ) + ap < &toklist[max_toks] && (*ap = strsep(&data, separator)) != nullptr; ) { if (**ap != '\0') { @@ -47,7 +45,7 @@ int Split(char* data, char** toklist, int max_toks, const char* separator) return argcount; } -void InitNetmasks(uint32_t netmasks[]) +void AppIdUtils::init_netmasks(uint32_t netmasks[]) { netmasks[0] = 0x0; netmasks[1] = 0x80000000; @@ -84,7 +82,7 @@ void InitNetmasks(uint32_t netmasks[]) netmasks[32] = 0xFFFFFFFF; } -int strip(char* data) +int AppIdUtils::strip(char* data) { int size; char* idx; @@ -110,7 +108,7 @@ int strip(char* data) return size; } -int Tokenize(char* data, char* toklist[]) +int AppIdUtils::tokenize(char* data, char* toklist[]) { char** ap; int argcount = 0; @@ -151,3 +149,51 @@ int Tokenize(char* data, char* toklist[]) return argcount; } +// FIXIT-L - refactor this to be a general snort utility...also look at LogBuffer() in u2spewfoo.cc +void AppIdUtils::dump_hex(FILE* fp, const uint8_t* data, unsigned len) +{ + char str[18]; + unsigned i; + unsigned pos; + char c; + + for (i=0, pos=0; i +#include +#include + +#define MAX_TOKS 256 + +class AppIdUtils +{ +public: + static int tokenize(char* data, char* toklist[]); + static int strip(char* data); + static void init_netmasks(uint32_t netmasks[]); + static int split(char* data, char** toklist, int max_toks, const char* separator); + static void dump_hex(FILE* fp, const uint8_t* data, unsigned len); +}; -extern int Tokenize(char* data, char* toklist[]); -extern int strip(char* data); -extern void InitNetmasks(uint32_t netmasks[]); -extern int Split(char* data, char** toklist, int max_toks, const char* separator); #endif diff --git a/src/network_inspectors/appid/appid_utils/common_util.h b/src/network_inspectors/appid/appid_utils/common_util.h deleted file mode 100644 index cb6637089..000000000 --- a/src/network_inspectors/appid/appid_utils/common_util.h +++ /dev/null @@ -1,90 +0,0 @@ -//-------------------------------------------------------------------------- -// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved. -// Copyright (C) 2005-2013 Sourcefire, Inc. -// -// This program is free software; you can redistribute it and/or modify it -// under the terms of the GNU General Public License Version 2 as published -// by the Free Software Foundation. You may not use, modify or distribute -// this program under any other version of the GNU General Public License. -// -// This program is distributed in the hope that it will be useful, but -// WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -//-------------------------------------------------------------------------- - -// common_util.h author Sourcefire Inc. - -#ifndef COMMON_UTIL_H -#define COMMON_UTIL_H - -#include -#include -#include -#include - -#include "framework/decode_data.h" - -struct ConfigItem -{ - char* name; /* name of the config item */ - char* value; /* config item value */ -}; - -#define MAX_LINE 2048 -#define MAX_TOKS 256 - -inline void DumpHex(FILE* fp, const uint8_t* data, unsigned len) -{ - char str[18]; - unsigned i; - unsigned pos; - char c; - - for (i=0, pos=0; irange_min, (const void*)&ia, sizeof(ias->range_min)); - NSIPv6AddrNtoH(&ias->range_min); + NetworkSetManager::ntoh_ipv6(&ias->range_min); if (num_toks > 1) { diff --git a/src/network_inspectors/appid/appid_utils/network_set.cc b/src/network_inspectors/appid/appid_utils/network_set.cc index e2546ff0b..c93893544 100644 --- a/src/network_inspectors/appid/appid_utils/network_set.cc +++ b/src/network_inspectors/appid/appid_utils/network_set.cc @@ -24,20 +24,18 @@ #include "log/messages.h" #include "utils/util.h" -int NetworkSet_New(NetworkSet** network_set) +int NetworkSetManager::create(NetworkSet** network_set) { - NetworkSet* tmp = nullptr; - if (!network_set) return -1; - tmp = (NetworkSet*)snort_calloc(sizeof(NetworkSet)); + NetworkSet* tmp = (NetworkSet*)snort_calloc(sizeof(NetworkSet)); sflist_init(&tmp->networks); tmp->ids = sfxhash_new(64, sizeof(unsigned), 0, 0, 0, nullptr, nullptr, 1); if (tmp->ids == nullptr) { ErrorMessage("NetworkSet:Out of memory (wanted %zu bytes)", sizeof(NetworkSet)); - NetworkSet_Destroy(tmp); + destroy(tmp); return -1; } @@ -46,16 +44,15 @@ int NetworkSet_New(NetworkSet** network_set) if (tmp->ids6 == nullptr) { ErrorMessage("NetworkSet:Out of memory (wanted %zu bytes)", sizeof(NetworkSet)); - NetworkSet_Destroy(tmp); + destroy(tmp); return -1; } *network_set = tmp; - return 0; } -int NetworkSet_Destroy(NetworkSet* network_set) +int NetworkSetManager::destroy(NetworkSet* network_set) { if (!network_set) return -1; @@ -79,17 +76,13 @@ int NetworkSet_Destroy(NetworkSet* network_set) return 0; } -int NetworkSet_AddNetworkRangeEx(NetworkSet* network_set, uint32_t range_min, +int NetworkSetManager::add_network_range_ex(NetworkSet* network_set, uint32_t range_min, uint32_t range_max, unsigned cidr_bits, int ip_not, unsigned id, unsigned type) { - Network* network; - Network* iNetwork; - int rval; - if (!network_set) return -1; - network = (Network*)snort_calloc(sizeof(Network)); + Network* network = (Network*)snort_calloc(sizeof(Network)); network->info.id = id; network->info.ip_not = ip_not; network->info.type = type; @@ -109,7 +102,7 @@ int NetworkSet_AddNetworkRangeEx(NetworkSet* network_set, uint32_t range_min, { SF_LNODE* iter = nullptr; - for (iNetwork = (Network*)sflist_first(&network_set->networks, &iter); + for (Network* iNetwork = (Network*)sflist_first(&network_set->networks, &iter); iNetwork; iNetwork = (Network*)sflist_next(&iter)) { @@ -125,7 +118,7 @@ int NetworkSet_AddNetworkRangeEx(NetworkSet* network_set, uint32_t range_min, } sflist_add_tail(&network_set->networks, (void*)network); - rval = sfxhash_add(network_set->ids, &network->info.id, &network->info.id); + int rval = sfxhash_add(network_set->ids, &network->info.id, &network->info.id); if (rval != SFXHASH_OK && rval != SFXHASH_INTABLE) { ErrorMessage("NetworkSet:Out of memory"); @@ -136,29 +129,25 @@ int NetworkSet_AddNetworkRangeEx(NetworkSet* network_set, uint32_t range_min, return 0; } -int NetworkSet_AddNetworkRange(NetworkSet* network_set, uint32_t range_min, +int NetworkSetManager::add_network_range(NetworkSet* network_set, uint32_t range_min, uint32_t range_max, unsigned cidr_bits, int ip_not, unsigned id) { - return NetworkSet_AddNetworkRangeEx(network_set, range_min, range_max, cidr_bits, ip_not, id, + return add_network_range_ex(network_set, range_min, range_max, cidr_bits, ip_not, id, 0); } -int NetworkSet_AddNetworkRange6Ex(NetworkSet* network_set, NSIPv6Addr* range_min, +int NetworkSetManager::add_network_range6(NetworkSet* network_set, NSIPv6Addr* range_min, NSIPv6Addr* range_max, unsigned cidr_bits, int ip_not, unsigned id, unsigned type) { - Network6* network; - Network6* iNetwork; - int rval; - if (!network_set) return -1; - network = (Network6*)snort_calloc(sizeof(Network6)); + Network6* network = (Network6*)snort_calloc(sizeof(Network6)); network->info.id = id; network->info.ip_not = ip_not; network->info.type = type; network->info.netmask = cidr_bits; - if (NSIPv6AddrCompare(range_min, range_max) <= 0) + if (compare_ipv6_address(range_min, range_max) <= 0) { network->range_min = *range_min; network->range_max = *range_max; @@ -173,13 +162,13 @@ int NetworkSet_AddNetworkRange6Ex(NetworkSet* network_set, NSIPv6Addr* range_min { SF_LNODE* iter = nullptr; - for (iNetwork = (Network6*)sflist_first(&network_set->networks6, &iter); + for (Network6* iNetwork = (Network6*)sflist_first(&network_set->networks6, &iter); iNetwork; iNetwork = (Network6*)sflist_next(&iter)) { if (iNetwork->info.id == network->info.id && - !NSIPv6AddrCompare(&iNetwork->range_min, &network->range_min) && - !NSIPv6AddrCompare(&iNetwork->range_max, &network->range_max)) + !compare_ipv6_address(&iNetwork->range_min, &network->range_min) && + !compare_ipv6_address(&iNetwork->range_max, &network->range_max)) { iNetwork->info.type |= network->info.type; snort_free(network); @@ -189,7 +178,7 @@ int NetworkSet_AddNetworkRange6Ex(NetworkSet* network_set, NSIPv6Addr* range_min } sflist_add_tail(&network_set->networks6, (void*)network); - rval = sfxhash_add(network_set->ids6, &network->info.id, &network->info.id); + int rval = sfxhash_add(network_set->ids6, &network->info.id, &network->info.id); if (rval != SFXHASH_OK && rval != SFXHASH_INTABLE) { ErrorMessage("NetworkSet:Out of memory"); @@ -200,82 +189,51 @@ int NetworkSet_AddNetworkRange6Ex(NetworkSet* network_set, NSIPv6Addr* range_min return 0; } -int NetworkSet_AddNetworkRange6(NetworkSet* network_set, NSIPv6Addr* range_min, +int NetworkSetManager::add_network_range6(NetworkSet* network_set, NSIPv6Addr* range_min, NSIPv6Addr* range_max, unsigned cidr_bits, int ip_not, unsigned id) { - return NetworkSet_AddNetworkRange6Ex(network_set, range_min, range_max, cidr_bits, ip_not, id, + return add_network_range6(network_set, range_min, range_max, cidr_bits, ip_not, id, 0); } -int NetworkSet_AddNetworkRangeOnlyIPv6(NetworkSet* network_set, int ip_not, unsigned id, unsigned +int NetworkSetManager::add_network_range_only_ipv6(NetworkSet* network_set, int ip_not, unsigned id, unsigned type) { // Use two ranges to represent all of IPv6, excluding the IPv4-mapped range, ::FFFF:*.*.*.* - int rval; NSIPv6Addr range_min, range_max; range_min.lo = 0; range_min.hi = 0; range_max.lo = 0x0000FFFEFFFFFFFFULL; // 0x0000FFFF00000000 - 1 range_max.hi = 0; - rval = NetworkSet_AddNetworkRange6Ex(network_set, &range_min, &range_max, 0, ip_not, id, type); + int rval = add_network_range6(network_set, &range_min, &range_max, 0, ip_not, id, type); range_min.lo = 0x0001000000000000ULL; // 0x0000FFFFFFFFFFFF + 1 range_min.hi = 0; range_max.lo = 0xFFFFFFFFFFFFFFFFULL; range_max.hi = 0xFFFFFFFFFFFFFFFFULL; - return rval ? rval : NetworkSet_AddNetworkRange6Ex(network_set, &range_min, &range_max, 0, + return rval ? rval : add_network_range6(network_set, &range_min, &range_max, 0, ip_not, id, type); } -static inline int NetworkSet_AddNetwork(NetworkSet* network_set, uint32_t ip, - unsigned cidr_bits, uint32_t mask, int ip_not, unsigned id, unsigned type) -{ - uint32_t range_min; - uint32_t range_max; - - range_min = ip & mask; - range_max = range_min + ~mask; - return NetworkSet_AddNetworkRangeEx(network_set, range_min, range_max, cidr_bits, ip_not, id, - type); -} - -int NetworkSet_AddCidrBlockEx(NetworkSet* network_set, uint32_t ip, +int NetworkSetManager::add_cidr_block_ex(NetworkSet* network_set, uint32_t ip, unsigned cidr_bits, int ip_not, unsigned id, unsigned type) { - uint32_t mask; - if (cidr_bits > 32) return -1; - /* Convert cidr to netmask */ - if (cidr_bits == 0) - mask = 0; - else - mask = 0xffffffff << (32 - cidr_bits); - - return NetworkSet_AddNetwork(network_set, ip, cidr_bits, mask, ip_not, id, type); + uint32_t mask = (cidr_bits == 0) ? 0 : 0xffffffff << (32 - cidr_bits); + uint32_t range_min = ip & mask; + uint32_t range_max = range_min + ~mask; + return add_network_range_ex(network_set, range_min, range_max, cidr_bits, + ip_not, id, type); } -int NetworkSet_AddCidrBlock(NetworkSet* network_set, uint32_t ip, +int NetworkSetManager::add_cidr_block(NetworkSet* network_set, uint32_t ip, unsigned cidr_bits, int ip_not, unsigned id) { - return NetworkSet_AddCidrBlockEx(network_set, ip, cidr_bits, ip_not, id, 0); -} - -static inline int NetworkSet_AddNetwork6(NetworkSet* network_set, NSIPv6Addr* ip, - unsigned cidr_bits, NSIPv6Addr* mask, int ip_not, unsigned id, unsigned type) -{ - NSIPv6Addr range_min; - NSIPv6Addr range_max; - - range_min.lo = ip->lo & mask->lo; - range_min.hi = ip->hi & mask->hi; - range_max.lo = range_min.lo + ~mask->lo; - range_max.hi = range_min.hi + ~mask->hi; - return NetworkSet_AddNetworkRange6Ex(network_set, &range_min, &range_max, cidr_bits, ip_not, - id, type); + return add_cidr_block_ex(network_set, ip, cidr_bits, ip_not, id, 0); } -int NetworkSet_AddCidrBlock6Ex(NetworkSet* network_set, NSIPv6Addr* ip, +int NetworkSetManager::add_cidr_block6_ex(NetworkSet* network_set, NSIPv6Addr* ip, unsigned cidr_bits, int ip_not, unsigned id, unsigned type) { NSIPv6Addr mask; @@ -305,29 +263,43 @@ int NetworkSet_AddCidrBlock6Ex(NetworkSet* network_set, NSIPv6Addr* ip, mask.lo = ULLONG_MAX << (128 - cidr_bits); } - return NetworkSet_AddNetwork6(network_set, ip, cidr_bits, &mask, ip_not, id, type); + NSIPv6Addr range_min; + NSIPv6Addr range_max; + + range_min.lo = ip->lo & mask.lo; + range_min.hi = ip->hi & mask.hi; + range_max.lo = range_min.lo + ~mask.lo; + range_max.hi = range_min.hi + ~mask.hi; + return add_network_range6(network_set, &range_min, &range_max, cidr_bits, ip_not, + id, type); } -int NetworkSet_AddCidrBlock6(NetworkSet* network_set, NSIPv6Addr* ip, +int NetworkSetManager::add_cidr_block6(NetworkSet* network_set, NSIPv6Addr* ip, unsigned cidr_bits, int ip_not, unsigned id) { - return NetworkSet_AddCidrBlock6Ex(network_set, ip, cidr_bits, ip_not, id, 0); + return add_cidr_block6_ex(network_set, ip, cidr_bits, ip_not, id, 0); } -static inline void NetworkList_Fprintf(NetworkSet* network_set, const char* prefix, FILE* stream) +int NetworkSetManager::log_network_set(NetworkSet* network_set, const char* prefix, FILE* stream) { - Network* network; - Network6* network6; - struct in_addr four; - NSIPv6Addr six; SF_LNODE* iter = nullptr; char min_ip[INET6_ADDRSTRLEN]; char max_ip[INET6_ADDRSTRLEN]; - for (network = (Network*)sflist_first(&network_set->networks, &iter); + if (!network_set) + return -1; + + if (!prefix) + prefix = ""; + + if (!stream) + stream = stdout; + + for (Network* network = (Network*)sflist_first(&network_set->networks, &iter); network; network = (Network*)sflist_next(&iter)) { + struct in_addr four; four.s_addr = htonl(network->range_min); inet_ntop(AF_INET, &four, min_ip, sizeof(min_ip)); four.s_addr = htonl(network->range_max); @@ -335,50 +307,33 @@ static inline void NetworkList_Fprintf(NetworkSet* network_set, const char* pref /* check containment for this network */ fprintf(stream, "%s%s%s-%s for %u with %08X\n", prefix, network->info.ip_not ? "!" : "", - min_ip, max_ip, - network->info.id, network->info.type); + min_ip, max_ip, network->info.id, network->info.type); } - for (network6 = (Network6*)sflist_first(&network_set->networks6, &iter); + for (Network6* network6 = (Network6*)sflist_first(&network_set->networks6, &iter); network6; network6 = (Network6*)sflist_next(&iter)) { - six = network6->range_min; - NSIPv6AddrHtoN(&six); + NSIPv6Addr six = network6->range_min; + ntoh_ipv6(&six); inet_ntop(AF_INET6, (struct in6_addr*)&six, min_ip, sizeof(min_ip)); six = network6->range_max; - NSIPv6AddrHtoN(&six); + ntoh_ipv6(&six); inet_ntop(AF_INET6, (struct in6_addr*)&six, max_ip, sizeof(max_ip)); /* check containment for this network */ fprintf(stream, "%s%s%s-%s for %u with %08X\n", prefix, network6->info.ip_not ? "!" : "", - min_ip, max_ip, - network6->info.id, network6->info.type); + min_ip, max_ip, network6->info.id, network6->info.type); } -} - -int NetworkSet_Fprintf(NetworkSet* network_set, const char* prefix, FILE* stream) -{ - if (!network_set) - return -1; - - if (!prefix) - prefix = ""; - - if (!stream) - stream = stdout; - - NetworkList_Fprintf(network_set, prefix, stream); return 0; } -static inline int NetworkSet_OrderByNetmask(SF_LIST* ordered_networks, SF_LIST* networks, unsigned +int NetworkSetManager::order_by_netmask(SF_LIST* ordered_networks, SF_LIST* networks, unsigned id) { SF_LNODE* node = nullptr; NODE_DATA node_data; - NSNetworkInfo* network; sflist_init(ordered_networks); do @@ -386,7 +341,7 @@ static inline int NetworkSet_OrderByNetmask(SF_LIST* ordered_networks, SF_LIST* SF_LNODE* iter = nullptr; node_data = nullptr; - for (network = (NSNetworkInfo*)sflist_first(networks, &iter); + for (NSNetworkInfo* network = (NSNetworkInfo*)sflist_first(networks, &iter); network; network = (NSNetworkInfo*)sflist_next(&iter)) { @@ -411,7 +366,7 @@ static inline int NetworkSet_OrderByNetmask(SF_LIST* ordered_networks, SF_LIST* return 0; } -static inline int NetworkSet_AddList(SF_LIST* networks, SF_LIST* new_networks) +int NetworkSetManager::add_network_list(SF_LIST* networks, SF_LIST* new_networks) { void* network; @@ -421,7 +376,7 @@ static inline int NetworkSet_AddList(SF_LIST* networks, SF_LIST* new_networks) return 0; } -static inline int NetworkSet_ReduceNetworkSet(SF_LIST* networks) +int NetworkSetManager::reduce_network_set(SF_LIST* networks) { Network* ias; Network* i_ias; @@ -690,7 +645,7 @@ static inline int NetworkSet_ReduceNetworkSet(SF_LIST* networks) return 0; } -static inline int NetworkSet_ReduceNetworkSet6(SF_LIST* networks) +int NetworkSetManager::reduce_network_set6(SF_LIST* networks) { Network6* ias; Network6* i_ias; @@ -720,8 +675,8 @@ static inline int NetworkSet_ReduceNetworkSet6(SF_LIST* networks) i_ias ****** ias *************** */ - if (NSIPv6AddrCompare(&ias->range_min, &i_ias->range_min) <= 0 && - NSIPv6AddrCompare(&ias->range_max, &i_ias->range_max) >= 0) + if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) <= 0 && + compare_ipv6_address(&ias->range_max, &i_ias->range_max) >= 0) { sflist_remove_node(&reduced_networks, iter); changed = true; @@ -733,18 +688,18 @@ static inline int NetworkSet_ReduceNetworkSet6(SF_LIST* networks) i_ias ************ ias ************ */ - else if (NSIPv6AddrCompare(&ias->range_min, &i_ias->range_min) > 0 && - NSIPv6AddrCompare(&ias->range_min, &i_ias->range_max) <= 0) + else if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) > 0 && + compare_ipv6_address(&ias->range_min, &i_ias->range_max) <= 0) { tmp = i_ias->range_max; i_ias->range_max = ias->range_min; - NSIPv6AddrDec(&i_ias->range_max); - if (NSIPv6AddrCompare(&ias->range_max, &tmp) < 0) + decrement_ipv6_addr(&i_ias->range_max); + if (compare_ipv6_address(&ias->range_max, &tmp) < 0) { new_ias = (Network6*)snort_calloc(sizeof(Network6)); *new_ias = *i_ias; new_ias->range_min = ias->range_max; - NSIPv6AddrInc(&new_ias->range_min); + increment_ipv6_addr(&new_ias->range_min); new_ias->range_max = tmp; sflist_add_tail(&reduced_networks, new_ias); changed = true; @@ -757,19 +712,19 @@ static inline int NetworkSet_ReduceNetworkSet6(SF_LIST* networks) i_ias ************ ias **** */ - else if (NSIPv6AddrCompare(&ias->range_max, &i_ias->range_min) >= 0 && - NSIPv6AddrCompare(&ias->range_max, &i_ias->range_max) <= 0) + else if (compare_ipv6_address(&ias->range_max, &i_ias->range_min) >= 0 && + compare_ipv6_address(&ias->range_max, &i_ias->range_max) <= 0) { tmp = i_ias->range_min; i_ias->range_min = ias->range_max; - NSIPv6AddrInc(&i_ias->range_min); - if (NSIPv6AddrCompare(&ias->range_min, &tmp) > 0) + increment_ipv6_addr(&i_ias->range_min); + if (compare_ipv6_address(&ias->range_min, &tmp) > 0) { new_ias = (Network6*)snort_calloc(sizeof(Network6)); *new_ias = *i_ias; new_ias->range_min = tmp; new_ias->range_max = ias->range_min; - NSIPv6AddrDec(&new_ias->range_max); + decrement_ipv6_addr(&new_ias->range_max); sflist_add_tail(&reduced_networks, new_ias); changed = true; } @@ -794,8 +749,8 @@ static inline int NetworkSet_ReduceNetworkSet6(SF_LIST* networks) i_ias ****** ias *************** */ - if (NSIPv6AddrCompare(&ias->range_min, &i_ias->range_min) <= 0 && - NSIPv6AddrCompare(&ias->range_max, &i_ias->range_max) >= 0) + if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) <= 0 && + compare_ipv6_address(&ias->range_max, &i_ias->range_max) >= 0) { sflist_remove_node(&reduced_networks, iter); changed = true; @@ -806,8 +761,8 @@ static inline int NetworkSet_ReduceNetworkSet6(SF_LIST* networks) i_ias *************** ias ****** */ - else if (NSIPv6AddrCompare(&i_ias->range_min, &ias->range_min) <= 0 && - NSIPv6AddrCompare(&i_ias->range_max, &ias->range_max) >= 0) + else if (compare_ipv6_address(&i_ias->range_min, &ias->range_min) <= 0 && + compare_ipv6_address(&i_ias->range_max, &ias->range_max) >= 0) { ias->range_min = i_ias->range_min; ias->range_max = i_ias->range_max; @@ -820,21 +775,21 @@ static inline int NetworkSet_ReduceNetworkSet6(SF_LIST* networks) i_ias ************ ias ************ */ - else if (NSIPv6AddrCompare(&ias->range_min, &i_ias->range_min) > 0 && - NSIPv6AddrCompare(&ias->range_min, &i_ias->range_max) <= 0) + else if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) > 0 && + compare_ipv6_address(&ias->range_min, &i_ias->range_max) <= 0) { i_ias->range_max = ias->range_min; - NSIPv6AddrDec(&i_ias->range_max); + decrement_ipv6_addr(&i_ias->range_max); } /* i_ias ************ ias ************ */ - else if (NSIPv6AddrCompare(&ias->range_max, &i_ias->range_min) >= 0 && - NSIPv6AddrCompare(&ias->range_max, &i_ias->range_max) < 0) + else if (compare_ipv6_address(&ias->range_max, &i_ias->range_min) >= 0 && + compare_ipv6_address(&ias->range_max, &i_ias->range_max) < 0) { i_ias->range_min = ias->range_max; - NSIPv6AddrInc(&i_ias->range_min); + increment_ipv6_addr(&i_ias->range_min); } } else /* different types */ @@ -843,8 +798,8 @@ static inline int NetworkSet_ReduceNetworkSet6(SF_LIST* networks) i_ias ****** ias ****** */ - if (!NSIPv6AddrCompare(&ias->range_min, &i_ias->range_min) && - !NSIPv6AddrCompare(&ias->range_max, &i_ias->range_max)) + if (!compare_ipv6_address(&ias->range_min, &i_ias->range_min) && + !compare_ipv6_address(&ias->range_max, &i_ias->range_max)) { i_ias->info.type = ias->info.type; snort_free(ias); @@ -855,8 +810,8 @@ static inline int NetworkSet_ReduceNetworkSet6(SF_LIST* networks) i_ias ****** ias *************** */ - else if (NSIPv6AddrCompare(&ias->range_min, &i_ias->range_min) < 0 && - NSIPv6AddrCompare(&ias->range_max, &i_ias->range_max) >= 0) + else if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) < 0 && + compare_ipv6_address(&ias->range_max, &i_ias->range_max) >= 0) { sflist_remove_node(&reduced_networks, iter); snort_free(i_ias); @@ -873,18 +828,18 @@ static inline int NetworkSet_ReduceNetworkSet6(SF_LIST* networks) i_ias ************ ias ****** */ - else if (NSIPv6AddrCompare(&ias->range_min, &i_ias->range_min) > 0 && - NSIPv6AddrCompare(&ias->range_min, &i_ias->range_max) <= 0) + else if (compare_ipv6_address(&ias->range_min, &i_ias->range_min) > 0 && + compare_ipv6_address(&ias->range_min, &i_ias->range_max) <= 0) { tmp = i_ias->range_max; i_ias->range_max = ias->range_min; - NSIPv6AddrDec(&i_ias->range_max); - if (NSIPv6AddrCompare(&ias->range_max, &tmp) < 0) + decrement_ipv6_addr(&i_ias->range_max); + if (compare_ipv6_address(&ias->range_max, &tmp) < 0) { new_ias = (Network6*)snort_calloc(sizeof(Network6)); *new_ias = *i_ias; new_ias->range_min = ias->range_max; - NSIPv6AddrInc(&new_ias->range_min); + increment_ipv6_addr(&new_ias->range_min); new_ias->range_max = tmp; sflist_add_tail(&reduced_networks, new_ias); changed = true; @@ -897,11 +852,11 @@ static inline int NetworkSet_ReduceNetworkSet6(SF_LIST* networks) i_ias ************ ias **** */ - else if (NSIPv6AddrCompare(&ias->range_max, &i_ias->range_min) > 0 && - NSIPv6AddrCompare(&ias->range_max, &i_ias->range_max) < 0) + else if (compare_ipv6_address(&ias->range_max, &i_ias->range_min) > 0 && + compare_ipv6_address(&ias->range_max, &i_ias->range_max) < 0) { i_ias->range_min = ias->range_max; - NSIPv6AddrInc(&i_ias->range_min); + increment_ipv6_addr(&i_ias->range_min); } } @@ -934,11 +889,11 @@ static inline int NetworkSet_ReduceNetworkSet6(SF_LIST* networks) ias *** */ tmp = i_ias->range_max; - NSIPv6AddrInc(&tmp); + increment_ipv6_addr(&tmp); tmp2 = ias->range_max; - NSIPv6AddrInc(&tmp2); - if ((ias->range_min.lo || ias->range_min.hi) && !NSIPv6AddrCompare(&tmp, - &ias->range_min)) + increment_ipv6_addr(&tmp2); + if ((ias->range_min.lo || ias->range_min.hi) && + !compare_ipv6_address(&tmp, &ias->range_min)) { i_ias->range_max = ias->range_max; sflist_remove_node(&reduced_networks, outer_iter); @@ -951,7 +906,7 @@ static inline int NetworkSet_ReduceNetworkSet6(SF_LIST* networks) ias ***** */ else if ((i_ias->range_min.lo || i_ias->range_min.hi) && - !NSIPv6AddrCompare(&tmp2, &i_ias->range_min)) + !compare_ipv6_address(&tmp2, &i_ias->range_min)) { i_ias->range_min = ias->range_min; sflist_remove_node(&reduced_networks, outer_iter); @@ -978,7 +933,7 @@ static inline int NetworkSet_ReduceNetworkSet6(SF_LIST* networks) return 0; } -int NetworkSet_Reduce(NetworkSet* network_set) +int NetworkSetManager::reduce(NetworkSet* network_set) { SFXHASH_NODE* hnode; unsigned id; @@ -988,40 +943,39 @@ int NetworkSet_Reduce(NetworkSet* network_set) Network6* network6; unsigned tmp; int count; - int i; - int j; if (!network_set) return -1; - for (hnode=sfxhash_gfindfirst(network_set->ids); hnode; hnode=sfxhash_gfindnext( - network_set->ids)) + for (hnode = sfxhash_gfindfirst(network_set->ids); + hnode; + hnode=sfxhash_gfindnext(network_set->ids)) { id = *(unsigned*)(hnode->data); - if ((rval = NetworkSet_OrderByNetmask(&ordered_networks, &network_set->networks, id)) != 0) + if ((rval = order_by_netmask(&ordered_networks, &network_set->networks, id)) != 0) { sflist_free_all(&ordered_networks, &snort_free); return rval; } - if ((rval = NetworkSet_ReduceNetworkSet(&ordered_networks)) != 0) + if ((rval = reduce_network_set(&ordered_networks)) != 0) { sflist_free_all(&ordered_networks, &snort_free); return rval; } - if ((rval = NetworkSet_AddList(&network_set->networks, &ordered_networks)) != 0) + if ((rval = add_network_list(&network_set->networks, &ordered_networks)) != 0) { sflist_free_all(&ordered_networks, &snort_free); return rval; } } - if ((rval = NetworkSet_ReduceNetworkSet(&network_set->networks)) != 0) + if ((rval = reduce_network_set(&network_set->networks)) != 0) { sflist_free_all(&ordered_networks, &snort_free); return rval; } tmp = 0; - if ((rval = NetworkSet_Count(network_set, &tmp)) != 0) + if ((rval = count4(network_set, &tmp)) != 0) return rval; count = (int)tmp; @@ -1035,56 +989,58 @@ int NetworkSet_Reduce(NetworkSet* network_set) } network_set->pnetwork = (Network**)snort_calloc(count * sizeof(Network*)); SF_LNODE* iter = nullptr; - for (network = (Network*)sflist_first(&network_set->networks, &iter), i = 0; + int i = 0; + for (network = (Network*)sflist_first(&network_set->networks, &iter); network && i < count; network = (Network*)sflist_next(&iter)) { network_set->pnetwork[i++] = network; } /* bubble sort this array */ - for (i = (count - 1); i >= 0; i--) + for (int i = (count - 1); i >= 0; i--) { - for (j = 1; j <= i; j++ ) + for (int j = 1; j <= i; j++) { - if (network_set->pnetwork[j-1]->range_min > network_set->pnetwork[j]->range_min) + if (network_set->pnetwork[j - 1]->range_min > network_set->pnetwork[j]->range_min) { - network = network_set->pnetwork[j-1]; - network_set->pnetwork[j-1] = network_set->pnetwork[j]; + network = network_set->pnetwork[j - 1]; + network_set->pnetwork[j - 1] = network_set->pnetwork[j]; network_set->pnetwork[j] = network; } } } } - for (hnode=sfxhash_gfindfirst(network_set->ids6); hnode; hnode=sfxhash_gfindnext( + for (hnode = sfxhash_gfindfirst(network_set->ids6); hnode; hnode=sfxhash_gfindnext( network_set->ids6)) { id = *(unsigned*)(hnode->data); - if ((rval = NetworkSet_OrderByNetmask(&ordered_networks, &network_set->networks6, id)) != - 0) + if ((rval = order_by_netmask(&ordered_networks, &network_set->networks6, id)) != 0) { sflist_free_all(&ordered_networks, &snort_free); return rval; } - if ((rval = NetworkSet_ReduceNetworkSet6(&ordered_networks)) != 0) + + if ((rval = reduce_network_set6(&ordered_networks)) != 0) { sflist_free_all(&ordered_networks, &snort_free); return rval; } - if ((rval = NetworkSet_AddList(&network_set->networks6, &ordered_networks)) != 0) + + if ((rval = add_network_list(&network_set->networks6, &ordered_networks)) != 0) { sflist_free_all(&ordered_networks, &snort_free); return rval; } } - if ((rval = NetworkSet_ReduceNetworkSet6(&network_set->networks6)) != 0) + if ((rval = reduce_network_set6(&network_set->networks6)) != 0) { sflist_free_all(&ordered_networks, &snort_free); return rval; } tmp = 0; - if ((rval = NetworkSet_Count6(network_set, &tmp)) != 0) + if ((rval = count6(network_set, &tmp)) != 0) return rval; count = (int)tmp; @@ -1098,22 +1054,23 @@ int NetworkSet_Reduce(NetworkSet* network_set) } network_set->pnetwork6 = (Network6**)snort_calloc(count * sizeof(Network6*)); SF_LNODE* iter = nullptr; - for (network6 = (Network6*)sflist_first(&network_set->networks6, &iter), i = 0; + int i = 0; + for (network6 = (Network6*)sflist_first(&network_set->networks6, &iter); network6 && i < count; network6 = (Network6*)sflist_next(&iter)) { network_set->pnetwork6[i++] = network6; } /* bubble sort this array */ - for (i = (count - 1); i >= 0; i--) + for (int i = (count - 1); i >= 0; i--) { - for (j = 1; j <= i; j++ ) + for (int j = 1; j <= i; j++) { - if (NSIPv6AddrCompare(&network_set->pnetwork6[j-1]->range_min, + if (compare_ipv6_address(&network_set->pnetwork6[j - 1]->range_min, &network_set->pnetwork6[j]->range_min) > 0) { network6 = network_set->pnetwork6[j-1]; - network_set->pnetwork6[j-1] = network_set->pnetwork6[j]; + network_set->pnetwork6[j - 1] = network_set->pnetwork6[j]; network_set->pnetwork6[j] = network6; } } @@ -1122,73 +1079,69 @@ int NetworkSet_Reduce(NetworkSet* network_set) return 0; } -NetworkSet* NetworkSet_Copy(NetworkSet* network_set) +NetworkSet* NetworkSetManager::copy(NetworkSet* network_set) { NetworkSet* new_set; - Network* network; - Network6* network6; SF_LNODE* iter; if (!network_set) return nullptr; - if (NetworkSet_New(&new_set) != 0) + if (create(&new_set) != 0) return nullptr; - for (network = (Network*)sflist_first(&network_set->networks, &iter); + for (Network* network = (Network*)sflist_first(&network_set->networks, &iter); network; network = (Network*)sflist_next(&iter)) { - if (NetworkSet_AddNetworkRangeEx(new_set, network->range_min, network->range_max, + if (add_network_range_ex(new_set, network->range_min, network->range_max, network->info.netmask, network->info.ip_not, network->info.id, network->info.type) != 0) { - NetworkSet_Destroy(new_set); + destroy(new_set); return nullptr; } } - for (network6 = (Network6*)sflist_first(&network_set->networks6, &iter); + for (Network6* network6 = (Network6*)sflist_first(&network_set->networks6, &iter); network6; network6 = (Network6*)sflist_next(&iter)) { - if (NetworkSet_AddNetworkRange6Ex(new_set, &network6->range_min, &network6->range_max, + if (add_network_range6(new_set, &network6->range_min, &network6->range_max, network6->info.netmask, network6->info.ip_not, network6->info.id, network6->info.type) != 0) { - NetworkSet_Destroy(new_set); + destroy(new_set); return nullptr; } } return new_set; } -int NetworkSet_AddSet(NetworkSet* dest_set, NetworkSet* src_set) +int NetworkSetManager::add_set(NetworkSet* dest_set, NetworkSet* src_set) { - Network* network; - Network6* network6; SF_LNODE* iter; int rval; if (!src_set || !dest_set) return -1; - for (network = (Network*)sflist_first(&src_set->networks, &iter); + for (Network* network = (Network*)sflist_first(&src_set->networks, &iter); network; network = (Network*)sflist_next(&iter)) { - if ((rval=NetworkSet_AddNetworkRangeEx(dest_set, network->range_min, network->range_max, + if ((rval = add_network_range_ex(dest_set, network->range_min, network->range_max, network->info.netmask, network->info.ip_not, network->info.id, network->info.type)) != 0) { return rval; } } - for (network6 = (Network6*)sflist_first(&src_set->networks6, &iter); + + for (Network6* network6 = (Network6*)sflist_first(&src_set->networks6, &iter); network6; network6 = (Network6*)sflist_next(&iter)) { - if ((rval=NetworkSet_AddNetworkRange6Ex(dest_set, &network6->range_min, - &network6->range_max, + if ((rval = add_network_range6(dest_set, &network6->range_min, &network6->range_max, network6->info.netmask, network6->info.ip_not, network6->info.id, network6->info.type)) != 0) { diff --git a/src/network_inspectors/appid/appid_utils/network_set.h b/src/network_inspectors/appid/appid_utils/network_set.h index 0a12b89e7..6439ffbd0 100644 --- a/src/network_inspectors/appid/appid_utils/network_set.h +++ b/src/network_inspectors/appid/appid_utils/network_set.h @@ -79,114 +79,6 @@ struct NSIPv6Addr || ((IN6_IS_ADDR_V4MAPPED(a) || IN6_IS_ADDR_V4COMPAT(a)) && (((__const uint32_t*)(a))[3] == \ 0xffffffff))) -inline void NSIPv6PackIpv4(NSIPv6Addr* ipv6Addr, uint32_t ipv4Addr) -{ - ipv6Addr->hi = 0ULL; - ipv6Addr->lo = (uint64_t)ipv4Addr | 0x0000FFFF00000000ULL; -} - -inline int NSIPv6UnpackIpv4(const NSIPv6Addr* ipv6Addr, uint32_t* ipv4Addr) -{ - if (!ipv6Addr->hi) - { - uint64_t lo = ipv6Addr->lo & 0xFFFFFFFF00000000ULL; - if (!lo || lo == 0x0000FFFF00000000ULL) - { - *ipv4Addr = (uint32_t)ipv6Addr->lo; - return 0; - } - } - return -1; -} - -inline void NSIPv6AddrCopy(const NSIPv6Addr* src, NSIPv6Addr* dst) -{ - dst->hi = src->hi; - dst->lo = src->lo; -} - -inline int NSIPv6AddrCompare(const NSIPv6Addr* a, const NSIPv6Addr* b) -{ - if (a->hi < b->hi) - return -1; - else if (a->hi > b->hi) - return 1; - if (a->lo < b->lo) - return -1; - else if (a->lo > b->lo) - return 1; - return 0; -} - -#if defined(WORDS_BIGENDIAN) - -#define NSIPv6AddrNtoH(ip6) do { } while (0) - -#else - -inline void NSIPv6AddrNtoH(NSIPv6Addr* ip6) -{ - uint64_t tmp; - - tmp = BYTE_SWAP_64(ip6->hi); - ip6->hi = BYTE_SWAP_64(ip6->lo); - ip6->lo = tmp; -} - -#endif - -#if defined(WORDS_BIGENDIAN) - -inline void _NSIPv6AddrConv(const NSIPv6Addr* ip6, NSIPv6Addr* ip6h) -{ - ip6h->hi = ip6->hi; - ip6h->lo = ip6->lo; -} - -#else - -inline void _NSIPv6AddrConv(const NSIPv6Addr* ip6, NSIPv6Addr* ip6h) -{ - ip6h->hi = BYTE_SWAP_64(ip6->lo); - ip6h->lo = BYTE_SWAP_64(ip6->hi); -} - -#endif - -inline void NSIPv6AddrNtoHConv(const ip::snort_in6_addr* ip6, NSIPv6Addr* ip6h) -{ - _NSIPv6AddrConv((const NSIPv6Addr*)ip6, ip6h); -} - -inline void NSIPv6AddrHtoNConv(const NSIPv6Addr* ip6, ip::snort_in6_addr* ip6h) -{ - _NSIPv6AddrConv(ip6, (NSIPv6Addr*)ip6h); -} - -#define NSIPv6AddrHtoN(ip6) NSIPv6AddrNtoH(ip6) - -inline void NSIPv6AddrInc(NSIPv6Addr* ip6) -{ - if (ip6->lo == ULLONG_MAX) - { - ip6->lo = 0; - ip6->hi++; - } - else - ip6->lo++; -} - -inline void NSIPv6AddrDec(NSIPv6Addr* ip6) -{ - if (!ip6->lo) - { - ip6->lo = ULLONG_MAX; - ip6->hi--; - } - else - ip6->lo--; -} - struct NSNetworkInfo { unsigned id; @@ -222,179 +114,253 @@ struct NetworkSet unsigned count6; }; -// Create a new network set -int NetworkSet_New(NetworkSet** network_set); - -// Destroy a network set -int NetworkSet_Destroy(NetworkSet* network_set); - -// Copy a network set -NetworkSet* NetworkSet_Copy(NetworkSet* network_set); - -// Add a network set to another network set -int NetworkSet_AddSet(NetworkSet* dest_set, NetworkSet* src_set); +// FIXIT-L - this should be integrated into the snort3 general IP address support library +class NetworkSetManager +{ +public: + static int create(NetworkSet** network_set); + static int destroy(NetworkSet* network_set); + static NetworkSet* copy(NetworkSet* network_set); + static int add_set(NetworkSet* dest_set, NetworkSet* src_set); + static int add_cidr_block_ex(NetworkSet* network_set, uint32_t ip, + unsigned cidr_bits, int ip_not, unsigned id, unsigned type); + static int add_cidr_block6_ex(NetworkSet* network_set, NSIPv6Addr* ip, + unsigned cidr_bits, int ip_not, unsigned id, unsigned type); + static int add_cidr_block(NetworkSet* network_set, uint32_t ip, + unsigned cidr_bits, int ip_not, unsigned id); + static int add_cidr_block6(NetworkSet* network_set, NSIPv6Addr* ip, + unsigned cidr_bits, int ip_not, unsigned id); + static int add_network_range_ex(NetworkSet* network_set, uint32_t range_min, + uint32_t range_max, unsigned cidr_bits, int ip_not, unsigned id, unsigned type); + static int add_network_range6(NetworkSet* network_set, NSIPv6Addr* range_min, + NSIPv6Addr* range_max, unsigned cidr_bits, int ip_not, unsigned id, unsigned type); + static int add_network_range(NetworkSet* network_set, uint32_t range_min, + uint32_t range_max, unsigned cidr_bits, int ip_not, unsigned id); + static int add_network_range6(NetworkSet* network_set, NSIPv6Addr* range_min, + NSIPv6Addr* range_max, unsigned cidr_bits, int ip_not, unsigned id); + static int add_network_range_only_ipv6(NetworkSet* network_set, int ip_not, + unsigned id, unsigned type); + static int reduce(NetworkSet* network_set); + static int log_network_set(NetworkSet* network_set, const char* prefix, FILE* stream); + + static void pack_ipv4_to_ipv6(NSIPv6Addr* ipv6Addr, uint32_t ipv4Addr) + { + ipv6Addr->hi = 0ULL; + ipv6Addr->lo = (uint64_t)ipv4Addr | 0x0000FFFF00000000ULL; + } -// Add a network to the set using cidr block notation -int NetworkSet_AddCidrBlockEx(NetworkSet* network_set, uint32_t ip, - unsigned cidr_bits, int ip_not, unsigned id, unsigned type); + static int unpack_ipv4_from_ipv6(const NSIPv6Addr* ipv6Addr, uint32_t* ipv4Addr) + { + if (!ipv6Addr->hi) + { + uint64_t lo = ipv6Addr->lo & 0xFFFFFFFF00000000ULL; + if (!lo || lo == 0x0000FFFF00000000ULL) + { + *ipv4Addr = (uint32_t)ipv6Addr->lo; + return 0; + } + } + return -1; + } -// Add a network to the set using cidr block notation -int NetworkSet_AddCidrBlock6Ex(NetworkSet* network_set, NSIPv6Addr* ip, - unsigned cidr_bits, int ip_not, unsigned id, unsigned type); + static void copy_ipv6_address(const NSIPv6Addr* src, NSIPv6Addr* dst) + { + dst->hi = src->hi; + dst->lo = src->lo; + } -// Add a network to the set using cidr block notation -int NetworkSet_AddCidrBlock(NetworkSet* network_set, uint32_t ip, - unsigned cidr_bits, int ip_not, unsigned id); + static int compare_ipv6_address(const NSIPv6Addr* a, const NSIPv6Addr* b) + { + if (a->hi < b->hi) + return -1; + else if (a->hi > b->hi) + return 1; + if (a->lo < b->lo) + return -1; + else if (a->lo > b->lo) + return 1; + return 0; + } -// Add a network to the set using cidr block notation -int NetworkSet_AddCidrBlock6(NetworkSet* network_set, NSIPv6Addr* ip, - unsigned cidr_bits, int ip_not, unsigned id); +#if defined(WORDS_BIGENDIAN) +#define ntoh_ipv6(ip6) do { } while (0) +#else + static void ntoh_ipv6(NSIPv6Addr* ip6) + { + uint64_t tmp; -// Add a network to the set using a range -int NetworkSet_AddNetworkRangeEx(NetworkSet* network_set, uint32_t range_min, - uint32_t range_max, unsigned cidr_bits, int ip_not, unsigned id, unsigned type); + tmp = BYTE_SWAP_64(ip6->hi); + ip6->hi = BYTE_SWAP_64(ip6->lo); + ip6->lo = tmp; + } -// Add a network to the set using a range -int NetworkSet_AddNetworkRange6Ex(NetworkSet* network_set, NSIPv6Addr* range_min, - NSIPv6Addr* range_max, unsigned cidr_bits, int ip_not, unsigned id, unsigned type); +#endif -// Add a network to the set using a range -int NetworkSet_AddNetworkRange(NetworkSet* network_set, uint32_t range_min, - uint32_t range_max, unsigned cidr_bits, int ip_not, unsigned id); +#if defined(WORDS_BIGENDIAN) -// Add a network to the set using a range -int NetworkSet_AddNetworkRange6(NetworkSet* network_set, NSIPv6Addr* range_min, - NSIPv6Addr* range_max, unsigned cidr_bits, int ip_not, unsigned id); + static void _swap_ipv6(const NSIPv6Addr* ip6, NSIPv6Addr* ip6h) + { + ip6h->hi = ip6->hi; + ip6h->lo = ip6->lo; + } -// Add a network to the set using a range of all IPv6, excluding IPv4 -int NetworkSet_AddNetworkRangeOnlyIPv6(NetworkSet* network_set, int ip_not, unsigned id, unsigned - type); +#else + static void _swap_ipv6(const NSIPv6Addr* ip6, NSIPv6Addr* ip6h) + { + ip6h->hi = BYTE_SWAP_64(ip6->lo); + ip6h->lo = BYTE_SWAP_64(ip6->hi); + } -// Reduce the networks to a list of existing ranges -int NetworkSet_Reduce(NetworkSet* network_set); +#endif -// Print the network to the specified stream -int NetworkSet_Fprintf(NetworkSet* network_set, const char* prefix, FILE* stream); + static void ntoh_swap_ipv6(const ip::snort_in6_addr* ip6, NSIPv6Addr* ip6h) + { + _swap_ipv6((const NSIPv6Addr*)ip6, ip6h); + } -// Test is the set contains the specied address -inline int NetworkSet_ContainsEx(NetworkSet* network_set, uint32_t ipaddr, unsigned* type) -{ - int low=0; - int middle=0; - int high=0; + static void hton_swap_ipv6(const NSIPv6Addr* ip6, ip::snort_in6_addr* ip6h) + { + _swap_ipv6(ip6, (NSIPv6Addr*)ip6h); + } - *type = 0; - if (!network_set) - return 0; - if (!network_set->count) - return 0; - high = network_set->count - 1; - if (ipaddr < network_set->pnetwork[low]->range_min || ipaddr > - network_set->pnetwork[high]->range_max) - return 0; - while (low <= high) + static void increment_ipv6_addr(NSIPv6Addr* ip6) { - middle = low + ((high - low)>>1); - if (ipaddr < network_set->pnetwork[middle]->range_min) - high = middle - 1; - else if (ipaddr > network_set->pnetwork[middle]->range_max) - low = middle + 1; - else + if (ip6->lo == ULLONG_MAX) { - *type = network_set->pnetwork[middle]->info.type; - return 1; + ip6->lo = 0; + ip6->hi++; } + else + ip6->lo++; } - return 0; -} -// Test is the set contains the specied address -inline int NetworkSet_Contains6Ex(NetworkSet* network_set, NSIPv6Addr* ipaddr, - unsigned* type) -{ - int low=0; - int middle=0; - int high=0; + static void decrement_ipv6_addr(NSIPv6Addr* ip6) + { + if (!ip6->lo) + { + ip6->lo = ULLONG_MAX; + ip6->hi--; + } + else + ip6->lo--; + } - *type = 0; - if (!network_set) - return 0; - if (!network_set->count6) - return 0; - high = network_set->count6 - 1; - if (NSIPv6AddrCompare(ipaddr, &network_set->pnetwork6[low]->range_min) < 0 || - NSIPv6AddrCompare(ipaddr, &network_set->pnetwork6[high]->range_max) > 0) + static int contains_ex(NetworkSet* network_set, uint32_t ipaddr, unsigned* type) { + int low=0; + int middle=0; + int high=0; + + *type = 0; + if (!network_set) + return 0; + if (!network_set->count) + return 0; + high = network_set->count - 1; + if (ipaddr < network_set->pnetwork[low]->range_min || ipaddr > + network_set->pnetwork[high]->range_max) + return 0; + while (low <= high) + { + middle = low + ((high - low)>>1); + if (ipaddr < network_set->pnetwork[middle]->range_min) + high = middle - 1; + else if (ipaddr > network_set->pnetwork[middle]->range_max) + low = middle + 1; + else + { + *type = network_set->pnetwork[middle]->info.type; + return 1; + } + } return 0; } - while (low <= high) + + static int contains6_ex(NetworkSet* network_set, NSIPv6Addr* ipaddr, unsigned* type) { - middle = low + ((high - low)>>1); - if (NSIPv6AddrCompare(ipaddr, &network_set->pnetwork6[middle]->range_min) < 0) - high = middle - 1; - else if (NSIPv6AddrCompare(ipaddr, &network_set->pnetwork6[middle]->range_max) > 0) - low = middle + 1; - else + int low=0; + int middle=0; + int high=0; + + *type = 0; + if (!network_set) + return 0; + if (!network_set->count6) + return 0; + high = network_set->count6 - 1; + if (compare_ipv6_address(ipaddr, &network_set->pnetwork6[low]->range_min) < 0 || + compare_ipv6_address(ipaddr, &network_set->pnetwork6[high]->range_max) > 0) { - *type = network_set->pnetwork6[middle]->info.type; - return 1; + return 0; + } + while (low <= high) + { + middle = low + ((high - low)>>1); + if (compare_ipv6_address(ipaddr, &network_set->pnetwork6[middle]->range_min) < 0) + high = middle - 1; + else if (compare_ipv6_address(ipaddr, &network_set->pnetwork6[middle]->range_max) > 0) + low = middle + 1; + else + { + *type = network_set->pnetwork6[middle]->info.type; + return 1; + } } + return 0; } - return 0; -} - -// Test is the set contains the specied address -inline int NetworkSet_Contains(NetworkSet* network_set, uint32_t ipaddr) -{ - unsigned type; - return NetworkSet_ContainsEx(network_set, ipaddr, &type); -} -// Test is the set contains the specied address -inline int NetworkSet_Contains6(NetworkSet* network_set, NSIPv6Addr* ipaddr) -{ - unsigned type; - return NetworkSet_Contains6Ex(network_set, ipaddr, &type); -} + static int contains(NetworkSet* network_set, uint32_t ipaddr) + { + unsigned type; + return contains_ex(network_set, ipaddr, &type); + } -// Get a count of the number of networks in the set -inline int NetworkSet_Count(NetworkSet* network_set, unsigned* count) -{ - if (!network_set || !count) - return -1; + static int contains6(NetworkSet* network_set, NSIPv6Addr* ipaddr) + { + unsigned type; + return contains6_ex(network_set, ipaddr, &type); + } - *count = sflist_count(&network_set->networks); + static int count4(NetworkSet* network_set, unsigned* count) + { + if (!network_set || !count) + return -1; - return 0; -} + *count = sflist_count(&network_set->networks); -// Get a count of the number of networks in the set -inline int NetworkSet_Count6(NetworkSet* network_set, unsigned* count) -{ - if (!network_set || !count) - return -1; + return 0; + } - *count = sflist_count(&network_set->networks6); + static int count6(NetworkSet* network_set, unsigned* count) + { + if (!network_set || !count) + return -1; - return 0; -} + *count = sflist_count(&network_set->networks6); -// Get a count of the number of networks in the set -inline unsigned NetworkSet_CountEx(NetworkSet* network_set) -{ - if (!network_set) return 0; + } - return sflist_count(&network_set->networks); -} + static unsigned count_ex(NetworkSet* network_set) + { + if (!network_set) + return 0; -// Get a count of the number of networks in the set -inline unsigned NetworkSet_Count6Ex(NetworkSet* network_set) -{ - if (!network_set) - return 0; + return sflist_count(&network_set->networks); + } + + static unsigned count6_ex(NetworkSet* network_set) + { + if (!network_set) + return 0; - return sflist_count(&network_set->networks6); -} + return sflist_count(&network_set->networks6); + } +private: + static int order_by_netmask(SF_LIST* ordered_networks, SF_LIST* networks, unsigned id); + static int add_network_list(SF_LIST* networks, SF_LIST* new_networks); + static int reduce_network_set(SF_LIST* networks); + static int reduce_network_set6(SF_LIST* networks); +}; #endif diff --git a/src/network_inspectors/appid/appid_utils/output_file.cc b/src/network_inspectors/appid/appid_utils/output_file.cc deleted file mode 100644 index 51814b465..000000000 --- a/src/network_inspectors/appid/appid_utils/output_file.cc +++ /dev/null @@ -1,53 +0,0 @@ -//-------------------------------------------------------------------------- -// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved. -// Copyright (C) 2005-2013 Sourcefire, Inc. -// -// This program is free software; you can redistribute it and/or modify it -// under the terms of the GNU General Public License Version 2 as published -// by the Free Software Foundation. You may not use, modify or distribute -// this program under any other version of the GNU General Public License. -// -// This program is distributed in the hope that it will be useful, but -// WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -//-------------------------------------------------------------------------- - -// output_file.cc author Sourcefire Inc. - -#include "output_file.h" - -#include -#include -#include "log/messages.h" - -FILE* openOutputFile(const char* const filename, time_t tstamp) -{ - FILE* fp; - char output_fullpath[512]; - time_t curr_time; - - if (tstamp) - curr_time = tstamp; - else - curr_time = time(nullptr); - snprintf(output_fullpath, sizeof(output_fullpath), "%s.%lu", filename, curr_time); - LogMessage("*** Opening %s for output\n",output_fullpath); - if ((fp = fopen(output_fullpath, "w")) == nullptr) - { - ErrorMessage("Unable to open output file \"%s\": %s\n",output_fullpath, strerror(errno)); - } - return fp; -} - -FILE* rolloverOutputFile(const char* const filename, FILE* const oldfp, time_t tstamp) -{ - fclose(oldfp); - - return openOutputFile(filename, tstamp); -} - diff --git a/src/network_inspectors/appid/appid_utils/output_file.h b/src/network_inspectors/appid/appid_utils/output_file.h deleted file mode 100644 index b41b3d85b..000000000 --- a/src/network_inspectors/appid/appid_utils/output_file.h +++ /dev/null @@ -1,32 +0,0 @@ -//-------------------------------------------------------------------------- -// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved. -// Copyright (C) 2005-2013 Sourcefire, Inc. -// -// This program is free software; you can redistribute it and/or modify it -// under the terms of the GNU General Public License Version 2 as published -// by the Free Software Foundation. You may not use, modify or distribute -// this program under any other version of the GNU General Public License. -// -// This program is distributed in the hope that it will be useful, but -// WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -//-------------------------------------------------------------------------- - -// output_file.h author Sourcefire Inc. - -#ifndef OUTPUT_FILE -#define OUTPUT_FILE - -#include -#include - -FILE* openOutputFile(const char* const filename, time_t tstamp); -FILE* rolloverOutputFile(const char* const filename, FILE* const oldfp, time_t tstamp); - -#endif - diff --git a/src/network_inspectors/appid/appid_utils/sf_mlmp.cc b/src/network_inspectors/appid/appid_utils/sf_mlmp.cc index 2acf294c0..bab73b70e 100644 --- a/src/network_inspectors/appid/appid_utils/sf_mlmp.cc +++ b/src/network_inspectors/appid/appid_utils/sf_mlmp.cc @@ -284,7 +284,7 @@ static void dumpTreesRecursively(tMlmpTree* rootNode) primaryPatternNode; primaryPatternNode = primaryPatternNode->nextPrimaryNode) { - DebugFormat(DEBUG_INSPECTOR, "%s%u. Primary id %u. partTotal %u, Data %p\n", prefix, + DebugFormat(DEBUG_APPID, "%s%u. Primary id %u. partTotal %u, Data %p\n", prefix, rootNode->level+1, primaryPatternNode->patternNode.patternId, primaryPatternNode->patternNode.partTotal, @@ -294,7 +294,7 @@ static void dumpTreesRecursively(tMlmpTree* rootNode) ddPatternNode; ddPatternNode = ddPatternNode->nextPattern) { - DebugFormat(DEBUG_INSPECTOR, "%s\t part %u/%u: Pattern %s, size %u\n", prefix, + DebugFormat(DEBUG_APPID, "%s\t part %u/%u: Pattern %s, size %u\n", prefix, ddPatternNode->partNum, ddPatternNode->partTotal, (char*)ddPatternNode->pattern.pattern, @@ -333,14 +333,14 @@ static tPatternNode* patternSelector(const tMatchedPatternList* patternMatchList #if _MLMP_DEBUG tPatternNode* ddPatternNode; - DebugMessage(DEBUG_INSPECTOR, "\tMatches found -------------------\n"); for (tmpList = + DebugMessage(DEBUG_APPID, "\tMatches found -------------------\n"); for (tmpList = patternMatchList; tmpList; tmpList = tmpList->next) { ddPatternNode = tmpList->patternNode; { - DebugFormat(DEBUG_INSPECTOR, + DebugFormat(DEBUG_APPID, "\t\tid %d, Pattern %s, size %u, partNum %u, partTotal %u, userData %p\n", ddPatternNode->patternId, ddPatternNode->pattern.pattern, @@ -398,7 +398,7 @@ static tPatternNode* patternSelector(const tMatchedPatternList* patternMatchList { ddPatternNode = bestNode; { - DebugFormat(DEBUG_INSPECTOR, + DebugFormat(DEBUG_APPID, "\t\tSELECTED Id %d, pattern %s, size %u, partNum %u, partTotal %u, userData %p\n", ddPatternNode->patternId, ddPatternNode->pattern.pattern, @@ -408,7 +408,7 @@ static tPatternNode* patternSelector(const tMatchedPatternList* patternMatchList ddPatternNode->userData); } } - DebugMessage(DEBUG_INSPECTOR, "\tMatches end -------------------\n"); + DebugMessage(DEBUG_APPID, "\tMatches end -------------------\n"); #endif return bestNode; } @@ -437,7 +437,7 @@ static int patternMatcherCallback(void* id, void*, int index, void* data, void*) /*sort matches by patternId, and then by partId or pattern// */ #if _MLMP_DEBUG - DebugFormat(DEBUG_INSPECTOR, + DebugFormat(DEBUG_APPID, "\tCallback id %d, Pattern %s, size %u, partNum %u, partTotal %u, userData %p\n", target->patternId, target->pattern.pattern, diff --git a/src/network_inspectors/appid/appid_utils/sfksearch.cc b/src/network_inspectors/appid/appid_utils/sfksearch.cc deleted file mode 100644 index 1f1c47e7c..000000000 --- a/src/network_inspectors/appid/appid_utils/sfksearch.cc +++ /dev/null @@ -1,951 +0,0 @@ -//-------------------------------------------------------------------------- -// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved. -// Copyright (C) 2005-2013 Sourcefire, Inc. -// -// This program is free software; you can redistribute it and/or modify it -// under the terms of the GNU General Public License Version 2 as published -// by the Free Software Foundation. You may not use, modify or distribute -// this program under any other version of the GNU General Public License. -// -// This program is distributed in the hope that it will be useful, but -// WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -//-------------------------------------------------------------------------- - -// sfksearch.cc author Sourcefire Inc. - -/* -* -* Basic Keyword Search Trie - uses linked lists to build the finite automata -* -* Keyword-Match: Performs the equivalent of a multi-string strcmp() -* - use for token testing after parsing the language tokens using lex or the like. -* -* Keyword-Search: searches the input text for one of multiple keywords, -* and supports case sensitivite and case insensitive patterns. -* -*/ - -#include "sfksearch.h" - -#include -#include -#include -#include -#include - -#include "utils/util.h" - -static void KTrieFree(KTRIENODE* n); - -static unsigned int mtot = 0; - -unsigned int KTrieMemUsed(void) { return mtot; } - -void KTrieInitMemUsed(void) -{ - mtot = 0; -} - -/* -* Allocate Memory -*/ -static void* KTRIE_MALLOC(int n) -{ - void* p; - - if (n < 1) - return nullptr; - - p = snort_calloc(n); - mtot += n; - - return p; -} - -/* -* Free Memory -*/ -static void KTRIE_FREE(void* p) -{ - if (p == nullptr) - return; - - snort_free(p); -} - -/* -* Local/Tmp nocase array -*/ -static unsigned char Tnocase[65*1024]; - -/* -** Case Translation Table -*/ -static unsigned char xlatcase[256]; - -static void init_xlatcase(void) -{ - int i; - static int first=1; - - if ( !first ) - return; /* thread safe */ - - for (i=0; i<256; i++) - { - xlatcase[ i ] = (unsigned char)tolower(i); - } - - first=0; -} - -static inline void ConvertCaseEx(unsigned char* d, const unsigned char* s, int m) -{ - int i; - for ( i=0; i < m; i++ ) - { - d[i] = xlatcase[ s[i] ]; - } -} - -KTRIE_STRUCT* KTrieNew(int method, void (* userfree)(void* p), - void (* optiontreefree)(void** p), - void (* neg_list_free)(void** p)) -{ - KTRIE_STRUCT* ts = (KTRIE_STRUCT*)KTRIE_MALLOC(sizeof(KTRIE_STRUCT) ); - - if ( !ts ) - return 0; - - memset(ts, 0, sizeof(KTRIE_STRUCT)); - - init_xlatcase(); - - ts->memory = sizeof(KTRIE_STRUCT); - ts->nchars = 0; - ts->npats = 0; - ts->end_states = 0; - ts->method = method; /* - old method, 1 = queue */ - ts->userfree = userfree; - ts->optiontreefree = optiontreefree; - ts->neg_list_free = neg_list_free; - - return ts; -} - -int KTriePatternCount(KTRIE_STRUCT* k) -{ - return k->npats; -} - -/* - * Deletes memory that was used in creating trie - * and nodes - */ -void KTrieDelete(KTRIE_STRUCT* k) -{ - KTRIEPATTERN* p = nullptr; - KTRIEPATTERN* pnext = nullptr; - int i; - - if (k == nullptr) - return; - - p = k->patrn; - - while (p != nullptr) - { - pnext = p->next; - - if (k->userfree && p->id) - k->userfree(p->id); - - if (k->optiontreefree) - { - if (p && p->rule_option_tree) - k->optiontreefree(&p->rule_option_tree); - } - - if (k->neg_list_free) - { - if (p && p->neg_list) - k->neg_list_free(&p->neg_list); - } - - KTRIE_FREE(p->P); - KTRIE_FREE(p->Pcase); - KTRIE_FREE(p); - - p = pnext; - } - - for (i = 0; i < KTRIE_ROOT_NODES; i++) - KTrieFree(k->root[i]); - - KTRIE_FREE(k); -} - -/* - * Recursively delete all nodes in trie - */ -static void KTrieFree(KTRIENODE* n) -{ - if (n == nullptr) - return; - - KTrieFree(n->child); - KTrieFree(n->sibling); - - KTRIE_FREE(n); -} - -static KTRIEPATTERN* KTrieNewPattern(unsigned char* P, int n) -{ - KTRIEPATTERN* p; - - if (n < 1) - return nullptr; - - p = (KTRIEPATTERN*)KTRIE_MALLOC(sizeof(KTRIEPATTERN) ); - - if (p == nullptr) - return nullptr; - - /* Save as a nocase string */ - p->P = (unsigned char*)KTRIE_MALLOC(n); - if ( !p->P ) - { - KTRIE_FREE(p); - return nullptr; - } - - ConvertCaseEx(p->P, P, n); - - /* Save Case specific version */ - p->Pcase = (unsigned char*)KTRIE_MALLOC(n); - if ( !p->Pcase ) - { - KTRIE_FREE(p->P); - KTRIE_FREE(p); - return nullptr; - } - - memcpy(p->Pcase, P, n); - - p->n = n; - p->next = nullptr; - - return p; -} - -/* -* Add Pattern info to the list of patterns -*/ -int KTrieAddPattern(KTRIE_STRUCT* ts, unsigned char* P, int n, - int nocase, int negative, void* id) -{ - KTRIEPATTERN* pnew; - - if ( !ts->patrn ) - { - pnew = ts->patrn = KTrieNewPattern(P, n); - - if ( !pnew ) - return -1; - } - else - { - pnew = KTrieNewPattern(P, n); - - if ( !pnew ) - return -1; - - pnew->next = ts->patrn; /* insert at head of list */ - - ts->patrn = pnew; - } - - pnew->nocase = nocase; - pnew->negative = negative; - pnew->id = id; - pnew->mnext = nullptr; - - ts->npats++; - ts->memory += sizeof(KTRIEPATTERN) + 2 * n; /* Case and nocase */ - - return 0; -} - -static KTRIENODE* KTrieCreateNode(KTRIE_STRUCT* ts) -{ - KTRIENODE* t=(KTRIENODE*)KTRIE_MALLOC(sizeof(KTRIENODE) ); - - if (!t) - return 0; - - memset(t,0,sizeof(KTRIENODE)); - - ts->memory += sizeof(KTRIENODE); - - return t; -} - -/* -* Insert a Pattern in the Trie -*/ -static int KTrieInsert(KTRIE_STRUCT* ts, KTRIEPATTERN* px) -{ - int type = 0; - int n = px->n; - unsigned char* P = px->P; - KTRIENODE* root; - - /* Make sure we at least have a root character for the tree */ - if ( !ts->root[*P] ) - { - ts->root[*P] = root = KTrieCreateNode(ts); - if ( !root ) - return -1; - root->edge = *P; - } - else - { - root = ts->root[*P]; - } - - /* Walk existing Patterns */ - while ( n ) - { - if ( root->edge == *P ) - { - P++; - n--; - - if ( n && root->child ) - { - root=root->child; - } - else /* cannot continue */ - { - type = 0; /* Expand the tree via the child */ - break; - } - } - else - { - if ( root->sibling ) - { - root=root->sibling; - } - else /* cannot continue */ - { - type = 1; /* Expand the tree via the sibling */ - break; - } - } - } - - /* - * Add the next char of the Keyword, if any - */ - if ( n ) - { - if ( type == 0 ) - { - /* - * Start with a new child to finish this Keyword - */ - root->child= KTrieCreateNode(ts); - if ( !root->child ) - return -1; - root=root->child; - root->edge = *P; - P++; - n--; - ts->nchars++; - } - else - { - /* - * Start a new sibling bracnch to finish this Keyword - */ - root->sibling= KTrieCreateNode(ts); - if ( !root->sibling ) - return -1; - root=root->sibling; - root->edge = *P; - P++; - n--; - ts->nchars++; - } - } - - /* - * Finish the keyword as child nodes - */ - while ( n ) - { - root->child = KTrieCreateNode(ts); - if ( !root->child ) - return -1; - root=root->child; - root->edge = *P; - P++; - n--; - ts->nchars++; - } - - if ( root->pkeyword ) - { - px->mnext = root->pkeyword; /* insert duplicates at front of list */ - root->pkeyword = px; - ts->duplicates++; - } - else - { - root->pkeyword = px; - ts->end_states++; - } - - return 0; -} - -static void Build_Bad_Character_Shifts(KTRIE_STRUCT* kt) -{ - int i,k; - KTRIEPATTERN* plist; - - /* Calc the min pattern size */ - kt->bcSize = 32000; - - for ( plist=kt->patrn; plist!=nullptr; plist=plist->next ) - { - if ( plist->n < kt->bcSize ) - { - kt->bcSize = plist->n; /* smallest pattern size */ - } - } - - /* - * Initialze the Bad Character shift table. - */ - for (i = 0; i < KTRIE_ROOT_NODES; i++) - { - kt->bcShift[i] = (unsigned short)kt->bcSize; - } - - /* - * Finish the Bad character shift table - */ - for ( plist=kt->patrn; plist!=nullptr; plist=plist->next ) - { - int shift, cindex; - - for ( k=0; kbcSize; k++ ) - { - shift = kt->bcSize - 1 - k; - - cindex = plist->P[ k ]; - - if ( shift < kt->bcShift[ cindex ] ) - { - kt->bcShift[ cindex ] = (unsigned short)shift; - } - } - } -} - -static int KTrieBuildMatchStateNode(KTRIENODE* root, - int (* build_tree)(void* id, void** existing_tree), - int (* neg_list_func)(void* id, void** list)) -{ - int cnt = 0; - KTRIEPATTERN* p; - - if (!root) - return 0; - - /* each and every prefix match at this root*/ - if (root->pkeyword) - { - for (p = root->pkeyword; p; p = p->mnext) - { - if (p->id) - { - if (p->negative) - { - neg_list_func(p->id, &root->pkeyword->neg_list); - } - else - { - build_tree(p->id, &root->pkeyword->rule_option_tree); - } - } - - cnt++; - } - - /* Last call to finalize the tree for this root */ - build_tree(nullptr, &root->pkeyword->rule_option_tree); - } - - /* for child of this root */ - if (root->child) - { - cnt += KTrieBuildMatchStateNode(root->child, build_tree, neg_list_func); - } - - /* 1st sibling of this root -- other siblings will be processed from - * within the processing for root->sibling. */ - if (root->sibling) - { - cnt += KTrieBuildMatchStateNode(root->sibling, build_tree, neg_list_func); - } - - return cnt; -} - -static int KTrieBuildMatchStateTrees(KTRIE_STRUCT* ts, - int (* build_tree)(void* id, void** existing_tree), - int (* neg_list_func)(void* id, void** list)) -{ - int i, cnt = 0; - KTRIENODE* root; - - /* Find the states that have a MatchList */ - for (i = 0; i < KTRIE_ROOT_NODES; i++) - { - root = ts->root[i]; - /* each and every prefix match at this root*/ - if (root) - { - cnt += KTrieBuildMatchStateNode(root, build_tree, neg_list_func); - } - } - - return cnt; -} - -/* -* Build the Keyword TRIE -* -*/ -int KTrieCompile(KTRIE_STRUCT* ts, - int (* build_tree)(void* id, void** existing_tree), - int (* neg_list_func)(void* id, void** list)) -{ - KTRIEPATTERN* p; - /* - static int tmem=0; - */ - - /* - * Build the Keyword TRIE - */ - for ( p=ts->patrn; p; p=p->next ) - { - if ( KTrieInsert(ts, p) ) - return -1; - } - - /* - * Build A Setwise Bad Character Shift Table - */ - Build_Bad_Character_Shifts(ts); - - /* - tmem += ts->memory; - printf(" Compile stats: %d patterns, %d chars, %d duplicate patterns, %d bytes, %d total-bytes\n",ts->npats,ts->nchars,ts->duplicates,ts->memory,tmem); - */ - if (build_tree && neg_list_func) - { - KTrieBuildMatchStateTrees(ts, build_tree, neg_list_func); - } - - return 0; -} - -void sfksearch_print_qinfo(void) -{ -#ifdef SFKSEARCH_TRACK_Q - if ( snort_conf->max_inq ) - { - LogMessage("lowmem: queue size = %u, max = %u\n", snort_conf->max_inq,SFK_MAX_INQ); - LogMessage("lowmem: queue flushes = " STDu64 "\n", snort_conf->tot_inq_flush); - LogMessage("lowmem: queue inserts = " STDu64 "\n", snort_conf->tot_inq_inserts); - LogMessage("lowmem: queue uinserts = " STDu64 "\n", snort_conf->tot_inq_uinserts); - } -#endif -} - -static inline void _init_queue(SFK_PMQ* b) -{ - b->inq=0; - b->inq_flush=0; -} - -/* uniquely insert into q */ -static inline int _add_queue(SFK_PMQ* b, KTRIEPATTERN* p) -{ - int i; - -#ifdef SFKSEARCH_TRACK_Q - snort_conf->tot_inq_inserts++; -#endif - - for (i=(int)(b->inq)-1; i>=0; i--) - if ( p == b->q[i] ) - return 0; - -#ifdef SFKSEARCH_TRACK_Q - snort_conf->tot_inq_uinserts++; -#endif - - if ( b->inq < SFK_MAX_INQ ) - { - b->q[ b->inq++ ] = p; - } - - if ( b->inq == SFK_MAX_INQ ) - { -#ifdef SFKSEARCH_TRACK_Q - b->inq_flush++; -#endif - return 1; - } - return 0; -} - -static inline unsigned _process_queue(SFK_PMQ* q, - int (* match)(void* id, void* tree, int index, void* data, void* neg_list), - void* data) -{ - KTRIEPATTERN* pk; - unsigned int i; - -#ifdef SFKSEARCH_TRACK_Q - if ( q->inq > snort_conf->max_inq ) - snort_conf->max_inq = q->inq; - snort_conf->tot_inq_flush += q->inq_flush; -#endif - - for ( i=0; iinq; i++ ) - { - pk = q->q[i]; - if (pk) - { - if (match (pk->id, pk->rule_option_tree, 0, data, pk->neg_list) > 0) - { - q->inq=0; - return 1; - } - } - } - q->inq=0; - return 0; -} - -static inline int KTriePrefixMatchQ(KTRIE_STRUCT* kt, - const unsigned char* T, - int n, - int (* match)(void* id, void* tree, int index, void* data, void* neg_list), - void* data) -{ - KTRIENODE* root; - - root = kt->root[ xlatcase[*T] ]; - - if ( !root ) - return 0; - - while ( n ) - { - if ( root->edge == xlatcase[*T] ) - { - T++; - n--; - - if ( root->pkeyword ) - { - if ( _add_queue(&kt->q, root->pkeyword) ) - { - if ( _process_queue(&kt->q,match,data) ) - { - return 1; - } - } - } - - if ( n && root->child ) - { - root = root->child; - } - else /* cannot continue -- match is over */ - { - break; - } - } - else - { - if ( root->sibling ) - { - root = root->sibling; - } - else /* cannot continue */ - { - break; - } - } - } - - return 0; -} - -/* -* Search - Algorithm -* -* This routine will log any substring of T that matches a keyword, -* and processes all prefix matches. This is used for generic -* pattern searching with a set of keywords and a body of text. -* -* -* -* kt- Trie Structure -* T - nocase text -* Tc- case specific text -* n - text length -* -* returns: -* # pattern matches -*/ -static inline int KTriePrefixMatch(KTRIE_STRUCT* kt, - const unsigned char* T, - const unsigned char*, - const unsigned char* bT, - int n, - int (* match)(void* id, void* tree, int index, void* data, void* neg_list), - void* data) -{ - KTRIENODE* root = kt->root[ *T ]; - int nfound = 0; - KTRIEPATTERN* pk; - int index; - - /* Check if any keywords start with this character */ - if ( !root ) - return 0; - - while ( n ) - { - if ( root->edge == *T ) - { - T++; - n--; - - pk = root->pkeyword; - if (pk) - { - index = (int)(T - bT - pk->n ); - nfound++; - if (match (pk->id, pk->rule_option_tree, index, data, pk->neg_list) > 0) - { - return nfound; - } - } - - if ( n && root->child ) - { - root = root->child; - } - else /* cannot continue -- match is over */ - { - break; - } - } - else - { - if ( root->sibling ) - { - root = root->sibling; - } - else /* cannot continue */ - { - break; - } - } - } - - return nfound; -} - -static inline int KTrieSearchQ(KTRIE_STRUCT* ks, const unsigned char* T, int n, - int (* match)(void* id, void* tree, int index, void* data, void* neg_list), - void* data) -{ - _init_queue(&ks->q); - while ( n > 0 ) - { - if ( KTriePrefixMatchQ(ks, T++, n--, match, data) ) - return 0; - } - _process_queue(&ks->q,match,data); - - return 0; -} - -static inline int KTrieSearchNoBC(KTRIE_STRUCT* ks, const unsigned char* Tx, - int n, - int (* match)(void* id, void* tree, int index, void* data, void* neg_list), - void* data) -{ - int nfound = 0; - const unsigned char* T, * bT; - - ConvertCaseEx(Tnocase, Tx, n); - - T = Tnocase; - bT = T; - - for (; n>0; n--, T++, Tx++ ) - { - nfound += KTriePrefixMatch(ks, T, Tx, bT, n, match, data); - } - - return nfound; -} - -static inline int KTrieSearchBC(KTRIE_STRUCT* ks, const unsigned char* Tx, - int n, - int (* match)(void* id, void* tree, int index, void* data, void* neg_list), - void* data) -{ - int tshift; - const unsigned char* Tend; - const unsigned char* T, * bT; - int nfound = 0; - short* bcShift = (short*)ks->bcShift; - int bcSize = ks->bcSize; - - ConvertCaseEx(Tnocase, Tx, n); - - T = Tnocase; - bT = T; - - Tend = T + n - bcSize; - - bcSize--; - - for (; T <= Tend; n--, T++, Tx++ ) - { - while ( (tshift = bcShift[ *( T + bcSize ) ]) > 0 ) - { - T += tshift; - Tx += tshift; - if ( T > Tend ) - return nfound; - } - - nfound += KTriePrefixMatch(ks, T, Tx, bT, n, match, data); - } - - return nfound; -} - -int KTrieSearch(KTRIE_STRUCT* ks, const unsigned char* T, int n, - int (* match)(void* id, void* tree, int index, void* data, void* neg_list), - void* data) -{ - if ( ks->method == KTRIEMETHOD_QUEUE ) - { - /*if( ks->bcSize < 3) */ - return KTrieSearchQ(ks, T, n, match, data); - /*else - return KTrieSearchQBC( ks, T, n, match, data ); */ - } - else - { - if ( ks->bcSize < 3) - return KTrieSearchNoBC(ks, T, n, match, data); - else - return KTrieSearchBC(ks, T, n, match, data); - } -} - -/* -* -* TEST DRIVER FOR KEYWORD TRIE -* -*/ -#ifdef KTRIE_MAIN - -char** gargv; - -int trie_nmatches = 0; - -int match(unsigned id, int index, void* data) -{ - trie_nmatches++; - data = data; - printf("id=%d found at index=%d, %s\n",id,index,gargv[id]); - return 0; -} - -int main(int argc, char** argv) -{ - int i; - KTRIE_STRUCT* ts; - int nocase=1; /* don't care about case */ - - gargv = argv; - - ts = KTrieNew(); - - if ( argc < 3 ) - { - printf("%s text pat1 pat2 ... patn [-c(ase-sensitive)\n",argv[0]); - printf("search for keywords-default, or match keywords\n"); - exit(0); - } - - for (i=1; i %d characters, %d patterns, %d bytes allocated\n",ts->nchars,ts->npats,ts->memory); - - printf("Searching...\n"); - - KTrieSearch(ts, (unsigned char*)argv[1], strlen(argv[1]), match, 0); - - printf("%d matches found\n",trie_nmatches); - - printf("normal pgm finish.\n"); - - return 0; -} - -#endif - diff --git a/src/network_inspectors/appid/appid_utils/sfksearch.h b/src/network_inspectors/appid/appid_utils/sfksearch.h deleted file mode 100644 index ef6ddb3df..000000000 --- a/src/network_inspectors/appid/appid_utils/sfksearch.h +++ /dev/null @@ -1,112 +0,0 @@ -//-------------------------------------------------------------------------- -// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved. -// Copyright (C) 2003-2013 Sourcefire, Inc. -// Copyright (C) 2001 Marc Norton -// -// This program is free software; you can redistribute it and/or modify it -// under the terms of the GNU General Public License Version 2 as published -// by the Free Software Foundation. You may not use, modify or distribute -// this program under any other version of the GNU General Public License. -// -// This program is distributed in the hope that it will be useful, but -// WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -//-------------------------------------------------------------------------- - -// sfksearch.h author Sourcefire Inc. - -#ifndef KTRIE_H -#define KTRIE_H - -// Trie based multi-pattern matcher - -#define ALPHABET_SIZE 256 - -#ifdef WIN32 -#define inline __inline -#endif - -#define KTRIEMETHOD_STD 0 -#define KTRIEMETHOD_QUEUE 1 - -struct KTRIEPATTERN -{ - KTRIEPATTERN* next; /* global list of all patterns */ - KTRIEPATTERN* mnext; /* matching list of duplicate keywords */ - - unsigned char* P; /* no case */ - unsigned char* Pcase; /* case sensitive */ - int n; - int nocase; - int negative; - void* id; - void* rule_option_tree; - void* neg_list; -}; - -struct KTRIENODE -{ - int edge; /* character */ - - KTRIENODE* sibling; - KTRIENODE* child; - - KTRIEPATTERN* pkeyword; -}; - -#define KTRIE_ROOT_NODES 256 - -#define SFK_MAX_INQ 32 -struct SFK_PMQ -{ - unsigned inq; - unsigned inq_flush; - KTRIEPATTERN* q[SFK_MAX_INQ]; -}; - -struct KTRIE_STRUCT -{ - KTRIEPATTERN* patrn; /* List of patterns, built as they are added */ - - KTRIENODE* root[KTRIE_ROOT_NODES]; /* KTrie nodes */ - - int memory; - int nchars; - int npats; - int duplicates; - int method; - int end_states; /* should equal npats - duplicates */ - - int bcSize; - unsigned short bcShift[KTRIE_ROOT_NODES]; - void (* userfree)(void* p); - void (* optiontreefree)(void** p); - void (* neg_list_free)(void** p); - SFK_PMQ q; -}; - -KTRIE_STRUCT* KTrieNew(int method, void (* userfree)(void* p), - void (* optiontreefree)(void** p), - void (* neg_list_free)(void** p)); -int KTrieAddPattern(KTRIE_STRUCT* ts, unsigned char* P, int n, - int nocase, int negative, void* id); -int KTrieCompile(KTRIE_STRUCT* ts, - int (* build_tree)(void* id, void** existing_tree), - int (* neg_list_func)(void* id, void** list)); -int KTrieSearch(KTRIE_STRUCT* ts, const unsigned char* T, int n, - int (* match)(void* id, void* tree, int index, void* data, void* neg_list), - void* data); -unsigned int KTrieMemUsed(); -void KTrieInitMemUsed(); -void KTrieDelete(KTRIE_STRUCT* k); -int KTriePatternCount(KTRIE_STRUCT* k); - -void sfksearch_print_qinfo(); - -#endif - diff --git a/src/network_inspectors/appid/application_ids.h b/src/network_inspectors/appid/application_ids.h index 3a84907a7..167c48027 100644 --- a/src/network_inspectors/appid/application_ids.h +++ b/src/network_inspectors/appid/application_ids.h @@ -26,7 +26,7 @@ enum ApplicationId : int32_t { - APP_ID_UNKNOWN = -1, // searched and not found any matching app id + APP_ID_UNKNOWN = -1, // searched and not found any matching app id APP_ID_NONE = 0, // AppId not searched APP_ID_3COM_TSMUX = 2, @@ -555,7 +555,6 @@ enum ApplicationId : int32_t APP_ID_ZOHO_WIKI = 532, APP_ID_ZYNGA = 533, APP_ID_ZYNGA_POKER = 534, - APP_ID_1_800_FLOWERS = 535, APP_ID_100BAO = 536, APP_ID_2CHANNEL = 537, @@ -992,7 +991,7 @@ enum ApplicationId : int32_t APP_ID_LYCOS = 2775, APP_ID_DOGPILE = 2804, APP_ID_SPDY = 2886, - APP_ID_HTTP2 = 2889, // only used for some quick bookkeeping -- treat as HTTP + APP_ID_HTTP2 = 2889, // only used for some quick bookkeeping -- treat as HTTP APP_ID_ANYCONNECT = 2921, APP_ID_ANYCONNECT_SSL_CLIENT = 2922, APP_ID_ANYCONNECT_IPSEC_CLIENT = 2923, @@ -1001,7 +1000,7 @@ enum ApplicationId : int32_t APP_ID_HTTP_SSL_TUNNEL = 3860, APP_ID_FTP_ACTIVE = 4002, APP_ID_FTP_PASSIVE = 4003, - APP_ID_UNKNOWN_UI = 65535 // this causes the UI to render Unknown instead of pending or blank + APP_ID_UNKNOWN_UI = 65535 // this causes the UI to render Unknown instead of pending or blank }; struct AppRegistryEntry diff --git a/src/network_inspectors/appid/client_plugins/client_app_aim.cc b/src/network_inspectors/appid/client_plugins/client_app_aim.cc index 0f898c802..dac48fe80 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_aim.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_aim.cc @@ -136,7 +136,7 @@ static CLIENT_APP_RETCODE aim_init(const InitClientAppAPI* const init_api, SF_LI item; item = (RNAClientAppModuleConfigItem*)sflist_next(&cursor) ) { - DebugFormat(DEBUG_INSPECTOR, "Processing %s: %s\n", item->name, item->value); + DebugFormat(DEBUG_APPID, "Processing %s: %s\n", item->name, item->value); if (strcasecmp(item->name, "enabled") == 0) aim_config.enabled = atoi(item->value); } @@ -146,7 +146,7 @@ static CLIENT_APP_RETCODE aim_init(const InitClientAppAPI* const init_api, SF_LI { for (unsigned i = 0; i < sizeof(patterns)/sizeof(*patterns); i++) { - DebugFormat(DEBUG_INSPECTOR, "registering pattern length %u at %d\n", + DebugFormat(DEBUG_APPID, "registering pattern length %u at %d\n", patterns[i].length, patterns[i].index); init_api->RegisterPattern(&aim_validate, IpProtocol::TCP, patterns[i].pattern, @@ -156,7 +156,7 @@ static CLIENT_APP_RETCODE aim_init(const InitClientAppAPI* const init_api, SF_LI for (unsigned j = 0; j < sizeof(appIdRegistry)/sizeof(*appIdRegistry); j++) { - DebugFormat(DEBUG_INSPECTOR, "registering appId: %d\n", + DebugFormat(DEBUG_APPID, "registering appId: %d\n", appIdRegistry[j].appId); init_api->RegisterAppId(&aim_validate, appIdRegistry[j].appId, appIdRegistry[j].additionalInfo); diff --git a/src/network_inspectors/appid/client_plugins/client_app_api.h b/src/network_inspectors/appid/client_plugins/client_app_api.h index b7c55c7c1..7bdbf9764 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_api.h +++ b/src/network_inspectors/appid/client_plugins/client_app_api.h @@ -61,13 +61,13 @@ using RNAClientAppFCN = CLIENT_APP_RETCODE(*)( const uint8_t* data, uint16_t siz struct InitClientAppAPI { - void (* RegisterPattern)(RNAClientAppFCN, IpProtocol proto, const uint8_t* const pattern, + void (*RegisterPattern)(RNAClientAppFCN, IpProtocol proto, const uint8_t* const pattern, unsigned size, int position); - void (* RegisterPatternEx)(RNAClientAppFCN, IpProtocol proto, const uint8_t* const pattern, + void (*RegisterPatternEx)(RNAClientAppFCN, IpProtocol proto, const uint8_t* const pattern, unsigned size, int position, Detector*); - void (* RegisterPatternNoCase)(RNAClientAppFCN, IpProtocol proto, const uint8_t* const pattern, + void (*RegisterPatternNoCase)(RNAClientAppFCN, IpProtocol proto, const uint8_t* const pattern, unsigned size, int position); - void (* RegisterAppId)(RNAClientAppFCN, AppId, uint32_t additionalInfo); + void (*RegisterAppId)(RNAClientAppFCN, AppId, uint32_t additionalInfo); int debug; uint32_t instance_id; AppIdConfig* pAppidConfig; ///< AppId context for which this API should be used diff --git a/src/network_inspectors/appid/client_plugins/client_app_base.cc b/src/network_inspectors/appid/client_plugins/client_app_base.cc index db8ce1e20..be6263f0b 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_base.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_base.cc @@ -19,6 +19,8 @@ // client_app_base.cc author Ron Dempster +#include "client_app_base.h" + #include #include #include @@ -27,8 +29,6 @@ #include #include -#include "client_app_base.h" - #include "main/snort_debug.h" #include "log/messages.h" #include "protocols/packet.h" @@ -38,7 +38,7 @@ #include "appid_api.h" #include "appid_config.h" -#include "fw_appid.h" +#include "app_info_table.h" #include "client_app_api.h" #include "client_app_base.h" #include "client_app_msn.h" @@ -72,8 +72,8 @@ static const ClientAppApi client_app_api = &client_app_flowdata_add, &AppIdAddClientApp, &AppIdAddClientAppInfo, - &AppIdAddUser, - &AppIdAddPayload + &AppIdSession::add_user, + &AppIdSession::add_payload }; static void CClientAppRegisterPattern(RNAClientAppFCN fcn, IpProtocol proto, @@ -110,7 +110,7 @@ extern RNAClientAppModule pattern_udp_client_mod; extern RNAClientAppModule pattern_tcp_client_mod; extern RNAClientAppModule http_client_mod; -static RNAClientAppModule* static_client_list[] = +static RNAClientAppModule* builtin_client_plugins[] = { &ssh_client_mod, &msn_client_mod, @@ -130,7 +130,7 @@ static RNAClientAppModule* static_client_list[] = &dns_tcp_client_mod, &http_client_mod }; -const uint32_t NUM_STATIC_CLIENTS = sizeof(static_client_list)/sizeof(RNAClientAppModule*); +const uint32_t NUM_BUILTIN_CLIENT_PLUGINS = sizeof(builtin_client_plugins)/sizeof(RNAClientAppModule*); static THREAD_LOCAL ClientAppConfig* client_app_config = nullptr; @@ -148,7 +148,7 @@ static void appSetClientValidator(RNAClientAppFCN fcn, AppId appId, unsigned ext AppInfoTableEntry* pEntry = AppInfoManager::get_instance().get_app_info_entry(appId); if (!pEntry) { - ParseError( + ParseWarning(WARN_RULES, "AppId: ID to Name mapping entry missing for AppId: %d. No rule support for this ID.", appId); return; @@ -292,7 +292,7 @@ void ClientAppRegisterPattern(RNAClientAppFCN fcn, IpProtocol proto, const uint8 } } -int ClientAppLoadCallback(void* symbol) +int load_client_application_plugin(void* symbol) { static THREAD_LOCAL unsigned client_module_index = 0; RNAClientAppModule* cam = (RNAClientAppModule*)symbol; @@ -308,13 +308,9 @@ int ClientAppLoadCallback(void* symbol) } if (cam->proto == IpProtocol::TCP) - { list = &client_app_config->tcp_client_app_list; - } else if (cam->proto == IpProtocol::UDP) - { list = &client_app_config->udp_client_app_list; - } else { ErrorMessage("Client %s did not have a valid protocol (%u)", @@ -327,6 +323,7 @@ int ClientAppLoadCallback(void* symbol) if (li->module == cam) break; } + if (!li) { li = (RNAClientAppRecord*)snort_calloc(sizeof(RNAClientAppRecord)); @@ -345,18 +342,6 @@ int ClientAppLoadCallback(void* symbol) return 0; } -int LoadClientAppModules() -{ - unsigned i; - - for (i = 0; i < NUM_STATIC_CLIENTS; i++) - { - if (ClientAppLoadCallback(static_client_list[i])) - return -1; - } - - return 0; -} static void AddModuleConfigItem(char* module_name, char* item_name, char* item_value) { @@ -481,14 +466,14 @@ static void DisplayClientAppConfig(ClientAppConfig* config) static int ClientAppParseArgs(SF_LIST* args) { - ConfigItem* ci; + AppidConfigElement* ci; SF_LNODE* cursor; - for (ci = (ConfigItem*)sflist_first(args, &cursor); + for (ci = (AppidConfigElement*)sflist_first(args, &cursor); ci; - ci = (ConfigItem*)sflist_next(&cursor)) + ci = (AppidConfigElement*)sflist_next(&cursor)) { - ClientAppParseOption(ci->name, ci->value); + ClientAppParseOption(ci->name, (char*)ci->value); } #ifdef DEBUG @@ -559,6 +544,19 @@ static void finalize_module(RNAClientAppRecord* li) } } +static int load_builtin_client_plugins() +{ + unsigned i; + + for (i = 0; i < NUM_BUILTIN_CLIENT_PLUGINS; i++) + { + if (load_client_application_plugin(builtin_client_plugins[i])) + return -1; + } + + return 0; +} + /** * Initialize the configuration of the client app module * @@ -569,7 +567,7 @@ void init_client_plugins() RNAClientAppRecord* li; client_app_config = new ClientAppConfig; - if (LoadClientAppModules()) + if (load_builtin_client_plugins()) exit(-1); sflist_init(&client_app_config->module_configs); diff --git a/src/network_inspectors/appid/client_plugins/client_app_base.h b/src/network_inspectors/appid/client_plugins/client_app_base.h index 3b74b8339..a8f4eb99c 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_base.h +++ b/src/network_inspectors/appid/client_plugins/client_app_base.h @@ -39,8 +39,7 @@ void init_client_plugins(); void finalize_client_plugins(); void UnconfigureClientApp(AppIdConfig*); void clean_client_plugins(); -int ClientAppLoadCallback(void* symbol); -int LoadClientAppModules(); +int load_client_application_plugin(void* symbol); void ClientAppRegisterPattern(RNAClientAppFCN, IpProtocol proto, const uint8_t* const pattern, unsigned size, int position, unsigned nocase, Detector*); const ClientAppApi* getClientApi(); diff --git a/src/network_inspectors/appid/detector_plugins/detector_api.h b/src/network_inspectors/appid/detector_plugins/detector_api.h index ca5fda9de..abc4c8ed1 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_api.h +++ b/src/network_inspectors/appid/detector_plugins/detector_api.h @@ -27,8 +27,8 @@ struct RNAServiceValidationModule; struct RNAClientAppModule; -using DetectorFlowdataGet = void*(*)(AppIdSession*, unsigned); -using DetectorFlowdataAdd = int(*)(AppIdSession*, void*, unsigned, AppIdFreeFCN); +using DetectorFlowdataGet = void* (*)(AppIdSession*, unsigned); +using DetectorFlowdataAdd = int (*)(AppIdSession*, void*, unsigned, AppIdFreeFCN); struct DetectorApi { @@ -39,12 +39,8 @@ struct DetectorApi // compound detector with both service and client side. struct RNADetectorValidationModule { - /**service side.*/ RNAServiceValidationModule* service; - - /**client side.*/ RNAClientAppModule* client; - const DetectorApi* api; unsigned flow_data_index; }; diff --git a/src/network_inspectors/appid/detector_plugins/detector_base.cc b/src/network_inspectors/appid/detector_plugins/detector_base.cc index be47f60e8..42f189985 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_base.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_base.cc @@ -68,7 +68,7 @@ static int detectorLoadCallback(void* symbol) return -1; if (svm->client) - if (ClientAppLoadCallback(svm->client)) + if (load_client_application_plugin(svm->client)) return -1; svm->api = &detector_api; diff --git a/src/network_inspectors/appid/detector_plugins/detector_dns.cc b/src/network_inspectors/appid/detector_plugins/detector_dns.cc index bebd51350..c083df75c 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_dns.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_dns.cc @@ -317,7 +317,7 @@ static int dns_service_init(const InitServiceAPI* const init_api) unsigned i; for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++) { - DebugFormat(DEBUG_INSPECTOR, "registering appId: %d\n", appIdRegistry[i].appId); + DebugFormat(DEBUG_APPID, "registering appId: %d\n", appIdRegistry[i].appId); init_api->RegisterAppId(&dns_udp_validate, appIdRegistry[i].appId, appIdRegistry[i].additionalInfo); } diff --git a/src/network_inspectors/appid/detector_plugins/detector_imap.cc b/src/network_inspectors/appid/detector_plugins/detector_imap.cc index e5dff198a..27c76e88d 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_imap.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_imap.cc @@ -39,8 +39,6 @@ #include "search_engines/search_tool.h" #include "utils/util.h" -/*#define DEBUG_IMAP_DETECTOR 1 */ - static const unsigned IMAP_USER_NAME_MAX_LEN = 32; static const unsigned IMAP_TAG_MAX_LEN = 6; static const unsigned MIN_CMDS = 3; @@ -225,9 +223,6 @@ struct ServiceIMAPData unsigned count; unsigned parens; char tagValue[IMAP_TAG_MAX_LEN+1]; -#ifdef DEBUG_IMAP_DETECTOR - IMAPState last_state; -#endif }; static int imap_init(const InitServiceAPI* const init_api); @@ -301,7 +296,7 @@ static CLIENT_APP_RETCODE init(const InitClientAppAPI* const init_api, SF_LIST* } cmd_matcher->prep(); - AppIdConfig::get_appid_config()->add_generic_config_element(client_app_mod.name, cmd_matcher); + AppidConfigElement::add_generic_config_element(client_app_mod.name, cmd_matcher); ca_config.enabled = 1; @@ -355,11 +350,11 @@ static int imap_init(const InitServiceAPI* const init_api) static void clean() { SearchTool* cmd_matcher = - (SearchTool*)AppIdConfig::get_appid_config()->find_generic_config_element(client_app_mod.name); + (SearchTool*)AppidConfigElement::find_generic_config_element(client_app_mod.name); if (cmd_matcher) delete cmd_matcher; - AppIdConfig::get_appid_config()->remove_generic_config_element(client_app_mod.name); + AppidConfigElement::remove_generic_config_element(client_app_mod.name); } static int pattern_match(void* id, void*, int index, void* data, void*) @@ -406,13 +401,6 @@ static int imap_server_validate(DetectorData* dd, const uint8_t* data, uint16_t for (; data < end; data++) { -#ifdef DEBUG_IMAP_DETECTOR - if (id->state != id->last_state) - { - DebugFormat(DEBUG_INSPECTOR,"%p State %d\n",asd, id->state); - id->last_state = id->state; - } -#endif switch (id->state) { case IMAP_STATE_BEGIN: @@ -677,7 +665,7 @@ static CLIENT_APP_RETCODE validate(const uint8_t* data, uint16_t size, const int ClientAppData* fd; char tag[IMAP_TAG_MAX_LEN+1] = { 0 }; SearchTool* cmd_matcher = - (SearchTool*)AppIdConfig::get_appid_config()->find_generic_config_element(client_app_mod.name); + (SearchTool*)AppidConfigElement::find_generic_config_element(client_app_mod.name); #ifdef APP_ID_USES_REASSEMBLED Stream::flush_response_flush(pkt); diff --git a/src/network_inspectors/appid/detector_plugins/detector_kerberos.cc b/src/network_inspectors/appid/detector_plugins/detector_kerberos.cc index 49853ea04..74ebe92f1 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_kerberos.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_kerberos.cc @@ -88,9 +88,6 @@ struct KRBState unsigned cname_len; char cname[256]; char ver[2]; -#ifdef DEBUG_MSGS - KerberosState last_state; -#endif unsigned flags; }; @@ -225,7 +222,7 @@ static CLIENT_APP_RETCODE krb_client_init(const InitClientAppAPI* const init_api item; item = (RNAClientAppModuleConfigItem*)sflist_next(&iter)) { - DebugFormat(DEBUG_INSPECTOR,"Processing %s: %s\n",item->name, item->value); + DebugFormat(DEBUG_APPID,"Processing %s: %s\n",item->name, item->value); if (strcasecmp(item->name, "enabled") == 0) krb_client_config.enabled = atoi(item->value); @@ -238,7 +235,7 @@ static CLIENT_APP_RETCODE krb_client_init(const InitClientAppAPI* const init_api { for (i=0; i < sizeof(client_patterns)/sizeof(*client_patterns); i++) { - DebugFormat(DEBUG_INSPECTOR,"registering pattern with length %u\n", + DebugFormat(DEBUG_APPID,"registering pattern with length %u\n", client_patterns[i].length); init_api->RegisterPattern(&krb_client_validate, IpProtocol::UDP, client_patterns[i].pattern, client_patterns[i].length, -1); @@ -250,7 +247,7 @@ static CLIENT_APP_RETCODE krb_client_init(const InitClientAppAPI* const init_api unsigned j; for (j=0; j < sizeof(appIdRegistry)/sizeof(*appIdRegistry); j++) { - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[j].appId); + DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[j].appId); init_api->RegisterAppId(&krb_client_validate, appIdRegistry[j].appId, appIdRegistry[j].additionalInfo); } @@ -264,7 +261,7 @@ static int krb_server_init(const InitServiceAPI* const init_api) for (i=0; i < sizeof(service_patterns)/sizeof(*service_patterns); i++) { - DebugFormat(DEBUG_INSPECTOR,"registering pattern with length %u\n", + DebugFormat(DEBUG_APPID,"registering pattern with length %u\n", service_patterns[i].length); init_api->RegisterPatternUser(&krb_server_validate, IpProtocol::UDP, service_patterns[i].pattern, service_patterns[i].length, -1, "kerberos"); @@ -275,7 +272,7 @@ static int krb_server_init(const InitServiceAPI* const init_api) unsigned j; for (j=0; j < sizeof(appIdRegistry)/sizeof(*appIdRegistry); j++) { - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[j].appId); + DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[j].appId); init_api->RegisterAppId(&krb_server_validate, appIdRegistry[j].appId, appIdRegistry[j].additionalInfo); } @@ -302,13 +299,6 @@ static KRB_RETCODE krb_walk_client_packet(KRBState* krbs, const uint8_t* s, cons while (s < end) { -#ifdef DEBUG_MSGS - if (krbs->state != krbs->last_state) - { - DebugFormat(DEBUG_INSPECTOR,"%p State %d\n", (void*)asd, krbs->state); - krbs->last_state = krbs->state; - } -#endif switch (krbs->state) { case KRB_STATE_TCP_LENGTH: @@ -318,7 +308,7 @@ static KRB_RETCODE krb_walk_client_packet(KRBState* krbs, const uint8_t* s, cons krbs->pos++; break; case KRB_STATE_APP: - DebugFormat(DEBUG_INSPECTOR,"%p Type %d (%02X)\n", + DebugFormat(DEBUG_APPID,"%p Type %d (%02X)\n", (void*)asd, *s & (~ASN_1_TYPE_MASK), *s); if ((*s & ASN_1_TYPE_MASK) != (ASN_1_APPLICATION|ASN_1_CONSTRUCT)) return KRB_FAILED; @@ -385,7 +375,7 @@ static KRB_RETCODE krb_walk_client_packet(KRBState* krbs, const uint8_t* s, cons krbs->tag = 0xa2; break; case KRB_STATE_FIELD: - DebugFormat(DEBUG_INSPECTOR,"%p Tag %02X\n", (void*)asd, *s); + DebugFormat(DEBUG_APPID,"%p Tag %02X\n", (void*)asd, *s); if (krbs->msg_len < 2 || *s <= krbs->tag || (*s & ASN_1_TYPE_MASK) != 0xa0) return KRB_FAILED; krbs->tag = *s; @@ -408,7 +398,7 @@ static KRB_RETCODE krb_walk_client_packet(KRBState* krbs, const uint8_t* s, cons { if (krbs->msg_len <= 1) { - DebugFormat(DEBUG_INSPECTOR,"%p Valid\n", (void*)asd); + DebugFormat(DEBUG_APPID,"%p Valid\n", (void*)asd); if (!krbs->added) { client_app_mod.api->add_app(asd, APP_ID_KERBEROS, APP_ID_KERBEROS, @@ -441,7 +431,7 @@ static KRB_RETCODE krb_walk_client_packet(KRBState* krbs, const uint8_t* s, cons break; case KRB_STATE_FIELD_LEVEL2: - DebugFormat(DEBUG_INSPECTOR,"%p Tag %02X\n", (void*)asd, *s); + DebugFormat(DEBUG_APPID,"%p Tag %02X\n", (void*)asd, *s); if (krbs->msg_len <= 1) { krbs->state = KRB_STATE_APP; @@ -554,7 +544,7 @@ static KRB_RETCODE krb_walk_client_packet(KRBState* krbs, const uint8_t* s, cons { if (krbs->pos) { - DebugFormat(DEBUG_INSPECTOR,"%p Name %u\n", (void*)asd, krbs->pos); + DebugFormat(DEBUG_APPID,"%p Name %u\n", (void*)asd, krbs->pos); krbs->cname[krbs->pos] = 0; } if (krbs->msg_len <= 1) @@ -626,13 +616,6 @@ static KRB_RETCODE krb_walk_server_packet(KRBState* krbs, const uint8_t* s, cons while (s < end) { -#ifdef DEBUG_MSGS - if (krbs->state != krbs->last_state) - { - DebugFormat(DEBUG_INSPECTOR,"%p State %d\n", (void*)asd, krbs->state); - krbs->last_state = krbs->state; - } -#endif switch (krbs->state) { case KRB_STATE_TCP_LENGTH: @@ -642,7 +625,7 @@ static KRB_RETCODE krb_walk_server_packet(KRBState* krbs, const uint8_t* s, cons krbs->pos++; break; case KRB_STATE_APP: - DebugFormat(DEBUG_INSPECTOR,"%p Type %d (%02X)\n", + DebugFormat(DEBUG_APPID,"%p Type %d (%02X)\n", (void*)asd, *s & (~ASN_1_TYPE_MASK), *s); if ((*s & ASN_1_TYPE_MASK) != (ASN_1_APPLICATION|ASN_1_CONSTRUCT)) return KRB_FAILED; @@ -719,7 +702,7 @@ static KRB_RETCODE krb_walk_server_packet(KRBState* krbs, const uint8_t* s, cons krbs->pos++; break; case KRB_STATE_ERROR_VALUE: - DebugFormat(DEBUG_INSPECTOR,"%p Error %hhu\n", (void*)asd, *s); + DebugFormat(DEBUG_APPID,"%p Error %hhu\n", (void*)asd, *s); if (krbs->msg_len <= 1) { krbs->flags |= KRB_FLAG_SERVICE_DETECTED; @@ -731,13 +714,13 @@ static KRB_RETCODE krb_walk_server_packet(KRBState* krbs, const uint8_t* s, cons if (*s == KDC_ERR_PREAUTH_FAILED) { - DebugFormat(DEBUG_INSPECTOR,"%p unAuthorized\n", (void*)asd); + DebugFormat(DEBUG_APPID,"%p unAuthorized\n", (void*)asd); krbs->flags |= KRB_FLAG_AUTH_FAILED; } krbs->state = KRB_STATE_FIELD; break; case KRB_STATE_FIELD: - DebugFormat(DEBUG_INSPECTOR,"%p Tag %02X\n", (void*)asd, *s); + DebugFormat(DEBUG_APPID,"%p Tag %02X\n", (void*)asd, *s); if (krbs->msg_len < 2 || *s <= krbs->tag || (*s & ASN_1_TYPE_MASK) != 0xa0) return KRB_FAILED; krbs->tag = *s; @@ -855,7 +838,7 @@ static KRB_RETCODE krb_walk_server_packet(KRBState* krbs, const uint8_t* s, cons { if (krbs->pos) { - DebugFormat(DEBUG_INSPECTOR,"%p Name %u\n", (void*)asd, krbs->pos); + DebugFormat(DEBUG_APPID,"%p Name %u\n", (void*)asd, krbs->pos); krbs->cname[krbs->pos] = 0; krbs->flags |= KRB_FLAG_USER_DETECTED; } @@ -918,7 +901,7 @@ static KRB_RETCODE krb_walk_server_packet(KRBState* krbs, const uint8_t* s, cons if (krbs->msg_len <= 1) { /*end of server response message */ - DebugFormat(DEBUG_INSPECTOR,"%p Valid\n", (void*)asd); + DebugFormat(DEBUG_APPID,"%p Valid\n", (void*)asd); if (krbs->flags & KRB_FLAG_SERVICE_DETECTED) { if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED) && pkt) @@ -961,15 +944,10 @@ static CLIENT_APP_RETCODE krb_client_validate(const uint8_t* data, uint16_t size const uint8_t* end = (data + size); DetectorData* fd; -#ifdef DEBUG_MSGS - DebugFormat(DEBUG_INSPECTOR, "%p Processing %u %hu->%hu %hu %d", - (void*)asd, (unsigned int)asd->protocol, pkt->ptrs.sp, pkt->ptrs.dp, size, dir); -#else - UNUSED(pkt); -#endif - #ifdef APP_ID_USES_REASSEMBLED Stream::flush_response_flush(pkt); +#else + UNUSED(pkt); #endif if (!size) @@ -992,10 +970,6 @@ static CLIENT_APP_RETCODE krb_client_validate(const uint8_t* data, uint16_t size fd->clnt_state.state = KRB_STATE_APP; fd->svr_state.state = KRB_STATE_APP; } -#ifdef DEBUG_MSGS - fd->clnt_state.last_state = KRB_STATE_INVALID; - fd->svr_state.last_state = KRB_STATE_INVALID; -#endif } if (!fd->set_flags) @@ -1009,7 +983,7 @@ static CLIENT_APP_RETCODE krb_client_validate(const uint8_t* data, uint16_t size { if (krb_walk_client_packet(&fd->clnt_state, s, end, asd) == KRB_FAILED) { - DebugFormat(DEBUG_INSPECTOR,"%p Failed\n", (void*)asd); + DebugFormat(DEBUG_APPID,"%p Failed\n", (void*)asd); asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); return CLIENT_APP_SUCCESS; @@ -1018,7 +992,7 @@ static CLIENT_APP_RETCODE krb_client_validate(const uint8_t* data, uint16_t size else if (krb_walk_server_packet(&fd->svr_state, s, end, asd, nullptr, dir, fd->clnt_state.cname) == KRB_FAILED) { - DebugFormat(DEBUG_INSPECTOR,"%p Server Failed\n", (void*)asd); + DebugFormat(DEBUG_APPID,"%p Server Failed\n", (void*)asd); asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); } return CLIENT_APP_INPROCESS; @@ -1035,7 +1009,7 @@ static int krb_server_validate(ServiceValidationArgs* args) const uint8_t* s = data; const uint8_t* end = (data + size); - DebugFormat(DEBUG_INSPECTOR, "%p Processing %u %hu->%hu %hu %d", + DebugFormat(DEBUG_APPID, "%p Processing %u %hu->%hu %hu %d", (void*)asd, (unsigned int)asd->protocol, pkt->ptrs.sp, pkt->ptrs.dp, size, dir); if (dir != APP_ID_FROM_RESPONDER) @@ -1068,10 +1042,6 @@ static int krb_server_validate(ServiceValidationArgs* args) fd->clnt_state.state = KRB_STATE_APP; fd->svr_state.state = KRB_STATE_APP; } -#ifdef DEBUG_MSGS - fd->clnt_state.last_state = KRB_STATE_INVALID; - fd->svr_state.last_state = KRB_STATE_INVALID; -#endif } if (fd->need_continue) @@ -1086,7 +1056,7 @@ static int krb_server_validate(ServiceValidationArgs* args) if (krb_walk_server_packet(&fd->svr_state, s, end, asd, pkt, dir, fd->clnt_state.cname) == KRB_FAILED) { - DebugFormat(DEBUG_INSPECTOR,"%p Failed\n", (void*)asd); + DebugFormat(DEBUG_APPID,"%p Failed\n", (void*)asd); if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { service_mod.api->fail_service(asd, pkt, dir, &svc_element, diff --git a/src/network_inspectors/appid/detector_plugins/detector_pop3.cc b/src/network_inspectors/appid/detector_plugins/detector_pop3.cc index 7b01aace6..cd80b55fb 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_pop3.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_pop3.cc @@ -260,7 +260,7 @@ static CLIENT_APP_RETCODE pop3_ca_init(const InitClientAppAPI* const init_api, S } cmd_matcher->prep(); - init_api->pAppidConfig->add_generic_config_element(client_app_mod.name, cmd_matcher); + AppidConfigElement::add_generic_config_element(client_app_mod.name, cmd_matcher); pop3_config.enabled = 1; @@ -272,7 +272,7 @@ static CLIENT_APP_RETCODE pop3_ca_init(const InitClientAppAPI* const init_api, S item; item = (RNAClientAppModuleConfigItem*)sflist_next(&iter)) { - DebugFormat(DEBUG_INSPECTOR,"Processing %s: %s\n",item->name, item->value); + DebugFormat(DEBUG_APPID,"Processing %s: %s\n",item->name, item->value); if (strcasecmp(item->name, "enabled") == 0) { pop3_config.enabled = atoi(item->value); @@ -284,7 +284,7 @@ static CLIENT_APP_RETCODE pop3_ca_init(const InitClientAppAPI* const init_api, S { for (i=0; i < sizeof(patterns)/sizeof(*patterns); i++) { - DebugFormat(DEBUG_INSPECTOR,"registering pattern: %s\n", + DebugFormat(DEBUG_APPID,"registering pattern: %s\n", (const char*)patterns[i].pattern); init_api->RegisterPatternNoCase(&pop3_ca_validate, IpProtocol::TCP, patterns[i].pattern, patterns[i].length, 0); @@ -294,7 +294,7 @@ static CLIENT_APP_RETCODE pop3_ca_init(const InitClientAppAPI* const init_api, S unsigned j; for (j=0; j < sizeof(appIdRegistry)/sizeof(*appIdRegistry); j++) { - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[j].appId); + DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[j].appId); init_api->RegisterAppId(&pop3_ca_validate, appIdRegistry[j].appId, appIdRegistry[j].additionalInfo); } @@ -312,7 +312,7 @@ static int pop3_init(const InitServiceAPI* const init_api) unsigned j; for (j=0; j < sizeof(appIdRegistry)/sizeof(*appIdRegistry); j++) { - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[j].appId); + DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[j].appId); init_api->RegisterAppId(&pop3_validate, appIdRegistry[j].appId, appIdRegistry[j].additionalInfo); } @@ -322,10 +322,10 @@ static int pop3_init(const InitServiceAPI* const init_api) static void pop3_ca_clean() { SearchTool* cmd_matcher = - (SearchTool*)AppIdConfig::get_appid_config()->find_generic_config_element(client_app_mod.name); + (SearchTool*)AppidConfigElement::find_generic_config_element(client_app_mod.name); if (cmd_matcher) delete cmd_matcher; - AppIdConfig::get_appid_config()->remove_generic_config_element(client_app_mod.name); + AppidConfigElement::remove_generic_config_element(client_app_mod.name); } static int pop3_pattern_match(void* id, void*, int index, void* data, void*) @@ -702,8 +702,8 @@ static CLIENT_APP_RETCODE pop3_ca_validate(const uint8_t* data, uint16_t size, c if (dir == APP_ID_FROM_RESPONDER) { #ifdef DEBUG_POP3 - DebugFormat(DEBUG_INSPECTOR,"%p Calling server\n",asd); - DumpHex(SF_DEBUG_FILE, data, size); + DebugFormat(DEBUG_APPID,"%p Calling server\n",asd); + AppIdUtils::DumpHex(SF_DEBUG_FILE, data, size); #endif if (pop3_server_validate(dd, data, size, asd, 0)) @@ -712,15 +712,15 @@ static CLIENT_APP_RETCODE pop3_ca_validate(const uint8_t* data, uint16_t size, c } #ifdef DEBUG_POP3 - DebugFormat(DEBUG_INSPECTOR,"%p Client\n",asd); - DumpHex(SF_DEBUG_FILE, data, size); + DebugFormat(DEBUG_APPID,"%p Client\n",asd); + AppIdUtils::DumpHex(SF_DEBUG_FILE, data, size); #endif while ((length = (end - s))) { unsigned pattern_index; SearchTool* cmd_matcher = - (SearchTool*)AppIdConfig::get_appid_config()->find_generic_config_element(client_app_mod.name); + (SearchTool*)AppidConfigElement::find_generic_config_element(client_app_mod.name); cmd = nullptr; cmd_matcher->find_all((char*)s, (length > longest_pattern ? longest_pattern : length), @@ -888,8 +888,8 @@ static int pop3_validate(ServiceValidationArgs* args) goto inprocess; #ifdef DEBUG_POP3 - DebugFormat(DEBUG_INSPECTOR,"%p Dir %d\n",asd, dir); - DumpHex(SF_DEBUG_FILE, data, size); + DebugFormat(DEBUG_APPID,"%p Dir %d\n",asd, dir); + AppIdUtils::DumpHex(SF_DEBUG_FILE, data, size); #endif dd = (POP3DetectorData*)pop3_detector_mod.api->data_get(asd, diff --git a/src/network_inspectors/appid/detector_plugins/detector_sip.cc b/src/network_inspectors/appid/detector_plugins/detector_sip.cc index 2a048bec2..9c7df29e6 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_sip.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_sip.cc @@ -21,19 +21,27 @@ #include "detector_sip.h" -#include "appid/appid_module.h" -#include "appid_utils/sf_mlmp.h" -#include "fw_appid.h" -#include "http_url_patterns.h" -#include "service_plugins/service_base.h" -#include "utils/util.h" - #include "log/messages.h" #include "main/snort_debug.h" +#include "utils/util.h" #include "pub_sub/sip_events.h" +#include "service_inspectors/sip/sip_common.h" +#include "appid_module.h" +#include "app_info_table.h" +#include "client_plugins/client_app_api.h" +#include "service_plugins/service_base.h" +#include "http_url_patterns.h" +#include "appid_utils/sf_mlmp.h" + using namespace std; +#include "app_info_table.h" +#include "client_plugins/client_app_api.h" +#include "service_plugins/service_base.h" +#include "http_url_patterns.h" +#include "appid_utils/sf_mlmp.h" + static const char SIP_REGISTER_BANNER[] = "REGISTER "; static const char SIP_INVITE_BANNER[] = "INVITE "; static const char SIP_CANCEL_BANNER[] = "CANCEL "; @@ -166,12 +174,12 @@ static Client_App_Pattern patterns[] = static AppRegistryEntry appIdClientRegistry[] = { - { APP_ID_SIP, APPINFO_FLAG_CLIENT_ADDITIONAL|APPINFO_FLAG_CLIENT_USER }, + { APP_ID_SIP, APPINFO_FLAG_CLIENT_ADDITIONAL | APPINFO_FLAG_CLIENT_USER }, }; static AppRegistryEntry appIdServiceRegistry[] = { - { APP_ID_SIP, APPINFO_FLAG_SERVICE_ADDITIONAL|APPINFO_FLAG_CLIENT_USER }, + { APP_ID_SIP, APPINFO_FLAG_SERVICE_ADDITIONAL | APPINFO_FLAG_CLIENT_USER }, { APP_ID_RTP, APPINFO_FLAG_SERVICE_ADDITIONAL } }; diff --git a/src/network_inspectors/appid/flow_error.h b/src/network_inspectors/appid/flow_error.h deleted file mode 100644 index 223acf740..000000000 --- a/src/network_inspectors/appid/flow_error.h +++ /dev/null @@ -1,36 +0,0 @@ -//-------------------------------------------------------------------------- -// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved. -// Copyright (C) 2005-2013 Sourcefire, Inc. -// -// This program is free software; you can redistribute it and/or modify it -// under the terms of the GNU General Public License Version 2 as published -// by the Free Software Foundation. You may not use, modify or distribute -// this program under any other version of the GNU General Public License. -// -// This program is distributed in the hope that it will be useful, but -// WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -//-------------------------------------------------------------------------- - -// flow_error.h author Sourcefire Inc. - -#ifndef FLOW_ERROR_H -#define FLOW_ERROR_H - -#define APPID_SESSION_SUCCESS 0 -#define APPID_SESSION_ENULL 1 -#define APPID_SESSION_EINVALID 2 -#define APPID_SESSION_ENOMEM 3 -#define APPID_SESSION_NOTFOUND 4 -#define APPID_SESSION_BADJUJU 5 -#define APPID_SESSION_DISABLED 6 -#define APPID_SESSION_EUNSUPPORTED 7 -#define APPID_SESSION_STOP_PROCESSING 8 -#define APPID_SESSION_EEXISTS 9 - -#endif diff --git a/src/network_inspectors/appid/fw_appid.cc b/src/network_inspectors/appid/fw_appid.cc deleted file mode 100644 index 244aaf5c2..000000000 --- a/src/network_inspectors/appid/fw_appid.cc +++ /dev/null @@ -1,91 +0,0 @@ -//-------------------------------------------------------------------------- -// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved. -// Copyright (C) 2005-2013 Sourcefire, Inc. -// -// This program is free software; you can redistribute it and/or modify it -// under the terms of the GNU General Public License Version 2 as published -// by the Free Software Foundation. You may not use, modify or distribute -// this program under any other version of the GNU General Public License. -// -// This program is distributed in the hope that it will be useful, but -// WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -//-------------------------------------------------------------------------- - -// fw_appid.cc author Sourcefire Inc. - -#include "fw_appid.h" - -#include "log/messages.h" -#include "profiler/profiler.h" -#include "protocols/tcp.h" -#include "target_based/snort_protocols.h" -#include "utils/util.h" - -#include "appid_stats.h" -#include "appid_config.h" -#include "appid_module.h" -#include "app_forecast.h" -#include "app_info_table.h" -#include "appid_api.h" -#include "host_port_app_cache.h" -#include "lua_detector_module.h" -#include "client_plugins/client_app_base.h" -#include "detector_plugins/detector_dns.h" -#include "service_plugins/service_base.h" -#include "service_plugins/service_ssl.h" -#include "service_plugins/service_util.h" -#include "appid_utils/common_util.h" -#include "appid_utils/ip_funcs.h" -#include "appid_utils/network_set.h" -#include "time/packet_time.h" -#include "sfip/sf_ip.h" - -#define HTTP_PATTERN_MAX_LEN 1024 -#define PORT_MAX 65535 - -#ifdef APPID_UNUSED_CODE -void reset_appid_stats(int, void*) -{ - if (thirdparty_appid_module) - thirdparty_appid_module->reset_stats(); -} -#endif - -void AppIdAddUser(AppIdSession* asd, const char* username, AppId appId, int success) -{ - if (asd->username) - snort_free(asd->username); - asd->username = snort_strdup(username); - asd->username_service = appId; - if (success) - asd->set_session_flags(APPID_SESSION_LOGIN_SUCCEEDED); - else - asd->clear_session_flags(APPID_SESSION_LOGIN_SUCCEEDED); -} - -void AppIdAddPayload(AppIdSession* asd, AppId payload_id) -{ - if (AppIdConfig::get_appid_config()->mod_config->instance_id) - checkSandboxDetection(payload_id); - asd->payload_app_id = payload_id; -} - -void checkSandboxDetection(AppId appId) -{ - AppInfoTableEntry* entry; - - if (AppIdConfig::get_appid_config()->mod_config->instance_id) - { - entry = AppInfoManager::get_instance().get_app_info_entry(appId); - if ( entry && ( entry->flags & APPINFO_FLAG_ACTIVE ) ) - fprintf(SF_DEBUG_FILE, "Detected AppId %d\n", entry->appId); - else if( appId != 0 ) - fprintf(SF_DEBUG_FILE, "No Entry For AppId %d\n", appId); - } -} diff --git a/src/network_inspectors/appid/fw_appid.h b/src/network_inspectors/appid/fw_appid.h deleted file mode 100644 index c49027951..000000000 --- a/src/network_inspectors/appid/fw_appid.h +++ /dev/null @@ -1,122 +0,0 @@ -//-------------------------------------------------------------------------- -// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved. -// Copyright (C) 2005-2013 Sourcefire, Inc. -// -// This program is free software; you can redistribute it and/or modify it -// under the terms of the GNU General Public License Version 2 as published -// by the Free Software Foundation. You may not use, modify or distribute -// this program under any other version of the GNU General Public License. -// -// This program is distributed in the hope that it will be useful, but -// WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -//-------------------------------------------------------------------------- - -// fw_appid.h author Sourcefire Inc. - -#ifndef FW_APPID_H -#define FW_APPID_H - -#include "client_plugins/client_app_api.h" -#include "appid_utils/common_util.h" - -#include "appid.h" -#include "appid_api.h" -#include "appid_config.h" -#include "appid_session.h" -#include "application_ids.h" -#include "app_info_table.h" -#include "service_plugins/service_api.h" -#include "thirdparty_appid_utils.h" - -#define MIN_SFTP_PACKET_COUNT 30 -#define MAX_SFTP_PACKET_COUNT 55 - -extern uint8_t appIdPriorityArray[SF_APPID_MAX + 1]; - -AppIdSession* getAppIdData(void* lwssn); - -void AppIdAddUser(AppIdSession*, const char* username, AppId, int success); -void AppIdAddPayload(AppIdSession*, AppId); - -extern unsigned dhcp_fp_table_size; - -void checkSandboxDetection(AppId appId); - -inline void initializePriorityArray() -{ - for ( int i=0; i < SF_APPID_MAX; ++i ) - appIdPriorityArray[i] = 2; -} - -inline void setAppPriority(AppId app_id, uint8_t bit_val) -{ - if ( app_id < SF_APPID_MAX && bit_val <= APPID_MAX_PRIORITY ) - appIdPriorityArray[app_id] = bit_val; -} - -inline int getAppPriority(AppId app_id) -{ - if (app_id > APP_ID_NONE && app_id < SF_APPID_MAX) - return appIdPriorityArray[app_id]; - - return -1; -} - -inline int ThirdPartyAppIDFoundProto(AppId proto, AppId* proto_list) -{ - unsigned int proto_cnt = 0; - while (proto_list[proto_cnt] != APP_ID_NONE) - if (proto_list[proto_cnt++] == proto) - return 1; // found - - return 0; // not found -} - -inline int TPIsAppIdDone(void* tpSession) -{ - if (thirdparty_appid_module) - { - unsigned state; - - if (tpSession) - state = thirdparty_appid_module->session_state_get(tpSession); - else - state = TP_STATE_INIT; - return (state == TP_STATE_CLASSIFIED || state == TP_STATE_TERMINATED || state == - TP_STATE_HA); - } - return true; -} - -inline int TPIsAppIdAvailable(void* tpSession) -{ - if (thirdparty_appid_module) - { - unsigned state; - - if (tpSession) - state = thirdparty_appid_module->session_state_get(tpSession); - else - state = TP_STATE_INIT; - return (state == TP_STATE_CLASSIFIED || state == TP_STATE_TERMINATED || state == - TP_STATE_MONITORING); - } - return true; -} - -inline int testSSLAppIdForReinspect(AppId app_id) -{ - if (app_id <= SF_APPID_MAX && - (app_id == APP_ID_SSL || AppInfoManager::get_instance().get_app_info_flags(app_id, APPINFO_FLAG_SSL_INSPECT))) - return 1; - else - return 0; -} - -#endif diff --git a/src/network_inspectors/appid/http_common.h b/src/network_inspectors/appid/http_common.h index 07ebc2247..5afe8df12 100644 --- a/src/network_inspectors/appid/http_common.h +++ b/src/network_inspectors/appid/http_common.h @@ -22,7 +22,6 @@ #ifndef HTTP_COMMON_H #define HTTP_COMMON_H -#include "appid.h" #include "appid_api.h" #include "appid_utils/sf_multi_mpse.h" @@ -126,6 +125,7 @@ enum PatternType CONTENT_TYPE_PT, // 6 LOCATION_PT, // 7 BODY_PT, // 8 + NUMBER_OF_PTYPES, // 9 MAX_PATTERN_TYPE = BODY_PT, MAX_KEY_PATTERN = URI_PT, }; diff --git a/src/network_inspectors/appid/lua_detector_api.cc b/src/network_inspectors/appid/lua_detector_api.cc index 804417579..5ca48274d 100644 --- a/src/network_inspectors/appid/lua_detector_api.cc +++ b/src/network_inspectors/appid/lua_detector_api.cc @@ -36,7 +36,6 @@ #include "appid_module.h" #include "app_forecast.h" #include "app_info_table.h" -#include "fw_appid.h" #include "host_port_app_cache.h" #include "http_common.h" #include "lua_detector_flow_api.h" @@ -1022,7 +1021,7 @@ static int client_register_pattern(lua_State* L) /*mpse library does not hold reference to pattern therefore we dont need to allocate it. */ ud->client.appModule.userData = ud.ptr; - ClientAppLoadCallback((void*)&(ud->client.appModule)); + load_client_application_plugin((void*)&(ud->client.appModule)); ClientAppRegisterPattern(validate_client_application, protocol, (const uint8_t*)pattern, size, position, 0, ud); @@ -2257,19 +2256,17 @@ static int add_client_application(lua_State* L) */ static int add_service_application(lua_State* L) { - unsigned int serviceId, retValue = SERVICE_ENULL; auto& ud = *UserData::check(L, DETECTOR, 1); - serviceId = lua_tonumber(L, 2); + unsigned serviceId = lua_tonumber(L, 2); CHECK_INPUTS(); /*Phase2 - discuss RNAServiceSubtype will be maintained on lua side therefore the last parameter on the following call is nullptr. Subtype is not displayed on DC at present. */ - retValue = AppIdServiceAddService(ud->validateParams.asd, ud->validateParams.pkt, - ud->validateParams.dir, ud->server.pServiceElement, - serviceId, nullptr, nullptr, nullptr); + unsigned retValue = AppIdServiceAddService(ud->validateParams.asd, ud->validateParams.pkt, + ud->validateParams.dir, ud->server.pServiceElement, serviceId, nullptr, nullptr, nullptr); lua_pushnumber(L, retValue); return 1; diff --git a/src/network_inspectors/appid/lua_detector_flow_api.cc b/src/network_inspectors/appid/lua_detector_flow_api.cc index 19d224def..2923e4dbc 100644 --- a/src/network_inspectors/appid/lua_detector_flow_api.cc +++ b/src/network_inspectors/appid/lua_detector_flow_api.cc @@ -30,7 +30,6 @@ #include "lua_detector_module.h" #include "main/snort_debug.h" #include "sfip/sf_ip.h" -#include "appid_utils/common_util.h" /* Lua flag bit/index to C flag value (0 for invalid). */ static const uint64_t FLAGS_TABLE_LUA_TO_C[32] diff --git a/src/network_inspectors/appid/lua_detector_module.cc b/src/network_inspectors/appid/lua_detector_module.cc index c2ec8af3f..ac14026be 100644 --- a/src/network_inspectors/appid/lua_detector_module.cc +++ b/src/network_inspectors/appid/lua_detector_module.cc @@ -27,6 +27,7 @@ #include #include #include +#include #include "appid_config.h" #include "client_plugins/client_app_base.h" @@ -469,9 +470,8 @@ void LuaDetectorManager::load_lua_detectors(const char* path, bool isCustom) { char pattern[PATH_MAX]; snprintf(pattern, sizeof(pattern), "%s/*", path); - - // FIXIT-M - is glob thread safe? glob_t globs; + memset(&globs, 0, sizeof(globs)); int rval = glob(pattern, 0, nullptr, &globs); if (rval == 0 ) @@ -482,9 +482,9 @@ void LuaDetectorManager::load_lua_detectors(const char* path, bool isCustom) globfree(&globs); } else if(rval == GLOB_NOMATCH) - WarningMessage("No lua detectors found in directory '%s'\n", pattern); + ParseWarning(WARN_CONF, "No lua detectors found in directory '%s'\n", pattern); else - ErrorMessage("Error reading lua detectors directory '%s'. Error Code: %d\n", + ParseWarning(WARN_CONF, "Error reading lua detectors directory '%s'. Error Code: %d\n", pattern, rval); } @@ -511,13 +511,8 @@ static void init_service_detector(Detector* detector) name.c_str(), lua_tostring(L, -1)); return; } - else - { - if ( detector->server.pServiceElement ) - detector->server.pServiceElement->ref_count = 1; - - DebugFormat(DEBUG_APPID, "Initialized %s\n", name.c_str()); - } + else if ( detector->server.pServiceElement ) + detector->server.pServiceElement->ref_count = 1; } static void init_client_detector(Detector* detector) diff --git a/src/network_inspectors/appid/service_plugins/service_api.h b/src/network_inspectors/appid/service_plugins/service_api.h index 701894d2c..2d35d335c 100644 --- a/src/network_inspectors/appid/service_plugins/service_api.h +++ b/src/network_inspectors/appid/service_plugins/service_api.h @@ -31,6 +31,13 @@ struct RNAServiceSubtype; struct Packet; struct DynamicPreprocessorData; +#define APPID_EARLY_SESSION_FLAG_FW_RULE 1 + +enum SERVICE_HOST_INFO_CODE +{ + SERVICE_HOST_INFO_NETBIOS_NAME = 1 +}; + enum SERVICE_RETCODE { SERVICE_SUCCESS = 0, @@ -73,13 +80,13 @@ struct RNAServiceValidationPort; struct RNAServiceValidationModule; struct InitServiceAPI { - void (* RegisterPattern)( RNAServiceValidationFCN, IpProtocol proto, const uint8_t* pattern, + void (*RegisterPattern)( RNAServiceValidationFCN, IpProtocol proto, const uint8_t* pattern, unsigned size, int position, const char* name); - int (* AddPort)( const RNAServiceValidationPort*, RNAServiceValidationModule*); - void (* RemovePorts)(RNAServiceValidationFCN); - void (* RegisterPatternUser)(RNAServiceValidationFCN, IpProtocol proto, + int (*AddPort)( const RNAServiceValidationPort*, RNAServiceValidationModule*); + void (*RemovePorts)(RNAServiceValidationFCN); + void (*RegisterPatternUser)(RNAServiceValidationFCN, IpProtocol proto, const uint8_t* pattern, unsigned size, int position, const char* name); - void (* RegisterAppId)( RNAServiceValidationFCN, AppId, uint32_t additionalInfo); + void (*RegisterAppId)( RNAServiceValidationFCN, AppId, uint32_t additionalInfo); int debug; uint32_t instance_id; AppIdConfig* pAppidConfig; ///< AppId context for which this API should be used @@ -102,36 +109,35 @@ struct RNAServiceElement const char* name; }; -typedef void*(* ServiceFlowdataGet)(AppIdSession*, unsigned); -typedef int (* ServiceFlowdataAdd)(AppIdSession*, void*, unsigned, AppIdFreeFCN); -typedef int (* ServiceFlowdataAddDHCP)(AppIdSession*, unsigned, const uint8_t*, unsigned, const +typedef void* (*ServiceFlowdataGet)(AppIdSession*, unsigned); +typedef int (*ServiceFlowdataAdd)(AppIdSession*, void*, unsigned, AppIdFreeFCN); +typedef int (*ServiceFlowdataAddDHCP)(AppIdSession*, unsigned, const uint8_t*, unsigned, const uint8_t*, const uint8_t*); -#define APPID_EARLY_SESSION_FLAG_FW_RULE 1 -typedef void (* ServiceDhcpNewLease)(AppIdSession* flow, const uint8_t* mac, uint32_t ip, int32_t +typedef void (*ServiceDhcpNewLease)(AppIdSession* flow, const uint8_t* mac, uint32_t ip, int32_t zone, uint32_t subnetmask, uint32_t leaseSecs, uint32_t router); -typedef void (* ServiceAnalyzeFP)(AppIdSession*, unsigned, unsigned, uint32_t); +typedef void (*ServiceAnalyzeFP)(AppIdSession*, unsigned, unsigned, uint32_t); -typedef int (* AddService)(AppIdSession* flow, const Packet* pkt, int dir, +typedef int (*AddService)(AppIdSession* flow, const Packet* pkt, int dir, const RNAServiceElement* svc_element, AppId service, const char* vendor, const char* version, const RNAServiceSubtype* subtype); -typedef int (* AddServiceConsumeSubtype)(AppIdSession* flow, const Packet* pkt, int dir, +typedef int (*AddServiceConsumeSubtype)(AppIdSession* flow, const Packet* pkt, int dir, const RNAServiceElement* svc_element, AppId service, const char* vendor, const char* version, RNAServiceSubtype* subtype); -typedef int (* ServiceInProcess)(AppIdSession* flow, const Packet* pkt, int dir, +typedef int (*ServiceInProcess)(AppIdSession* flow, const Packet* pkt, int dir, const RNAServiceElement* svc_element); -typedef int (* FailService)(AppIdSession* flow, const Packet* pkt, int dir, +typedef int (*FailService)(AppIdSession* flow, const Packet* pkt, int dir, const RNAServiceElement* svc_element, unsigned flow_data_index); -typedef int (* IncompatibleData)(AppIdSession* flow, const Packet* pkt, int dir, +typedef int (*IncompatibleData)(AppIdSession* flow, const Packet* pkt, int dir, const RNAServiceElement* svc_element, unsigned flow_data_index, const AppIdConfig*); -typedef void (* AddHostInfo)(AppIdSession* flow, SERVICE_HOST_INFO_CODE code, const void* info); -typedef void (* AddPayload)(AppIdSession*, AppId); -typedef void (* AddUser)(AppIdSession*, const char*, AppId, int); -typedef void (* AddMisc)(AppIdSession*, AppId); -typedef void (* AddDnsQueryInfo)(AppIdSession* flow, uint16_t id, const uint8_t* host, +typedef void (*AddHostInfo)(AppIdSession* flow, SERVICE_HOST_INFO_CODE code, const void* info); +typedef void (*AddPayload)(AppIdSession*, AppId); +typedef void (*AddUser)(AppIdSession*, const char*, AppId, int); +typedef void (*AddMisc)(AppIdSession*, AppId); +typedef void (*AddDnsQueryInfo)(AppIdSession* flow, uint16_t id, const uint8_t* host, uint8_t host_len, uint16_t host_offset, uint16_t record_type); -typedef void (* AddDnsResponseInfo)(AppIdSession* flow, uint16_t id, const uint8_t* host, +typedef void (*AddDnsResponseInfo)(AppIdSession* flow, uint16_t id, const uint8_t* host, uint8_t host_len, uint16_t host_offset, uint8_t response_type, uint32_t ttl); -typedef void (* ResetDnsInfo)(AppIdSession* flow); +typedef void (*ResetDnsInfo)(AppIdSession* flow); struct ServiceApi { diff --git a/src/network_inspectors/appid/service_plugins/service_base.cc b/src/network_inspectors/appid/service_plugins/service_base.cc index a91481b0d..df4ae28fa 100644 --- a/src/network_inspectors/appid/service_plugins/service_base.cc +++ b/src/network_inspectors/appid/service_plugins/service_base.cc @@ -23,8 +23,9 @@ #include #include - #include + +#include "app_info_table.h" #include "service_api.h" #include "service_battle_field.h" #include "service_bgp.h" @@ -55,13 +56,13 @@ #include "service_tftp.h" #include "appid_session.h" #include "appid_config.h" -#include "fw_appid.h" #include "lua_detector_api.h" #include "lua_detector_module.h" #include "appid_utils/ip_funcs.h" #include "detector_plugins/detector_dns.h" #include "detector_plugins/detector_pattern.h" #include "detector_plugins/detector_sip.h" + #include "log/messages.h" #include "main/snort_debug.h" #include "search_engines/search_tool.h" @@ -129,6 +130,10 @@ static const char* service_id_state_name[] = #define MAX_CANDIDATE_SERVICES 10 #define DHCP_OPTION55_LEN_MAX 255 +#define FINGERPRINT_UDP_FLAGS_XENIX 0x00000800 +#define FINGERPRINT_UDP_FLAGS_NT 0x00001000 +#define FINGERPRINT_UDP_FLAGS_MASK (FINGERPRINT_UDP_FLAGS_XENIX | FINGERPRINT_UDP_FLAGS_NT) + static void* service_flowdata_get(AppIdSession* asd, unsigned service_id); static int service_flowdata_add(AppIdSession* asd, void* data, unsigned service_id, AppIdFreeFCN fcn); @@ -172,8 +177,8 @@ const ServiceApi serviceapi = &AppIdServiceInProcess, &AppIdServiceIncompatibleData, &add_host_info, - &AppIdAddPayload, - &AppIdAddUser, + &AppIdSession::add_payload, + &AppIdSession::add_user, &AppIdServiceAddServiceSubtype, &add_miscellaneous_info, &add_dns_query_info, @@ -255,7 +260,7 @@ static void appSetServiceValidator(RNAServiceValidationFCN fcn, AppId appId, uns AppInfoTableEntry* pEntry = AppInfoManager::get_instance().get_app_info_entry(appId); if (!pEntry) { - ParseError( + ParseWarning(WARN_RULES, "AppId: ID to Name mapping entry missing for AppId: %d. No rule support for this ID.", appId); return; @@ -324,16 +329,16 @@ static int pattern_match(void* id, void*, int index, void* data, void*) return 0; } -AppId getPortServiceId(IpProtocol proto, uint16_t port, const AppIdConfig* pConfig) +AppId getPortServiceId(IpProtocol proto, uint16_t port, const AppIdConfig* config) { AppId appId; if (proto == IpProtocol::TCP) - appId = pConfig->tcp_port_only[port]; + appId = config->tcp_port_only[port]; else if (proto == IpProtocol::UDP) - appId = pConfig->udp_port_only[port]; + appId = config->udp_port_only[port]; else - appId = pConfig->ip_protocol[(uint16_t)proto]; + appId = config->ip_protocol[(uint16_t)proto]; checkSandboxDetection(appId); @@ -432,7 +437,7 @@ const RNAServiceElement* get_service_element(RNAServiceValidationFCN fcn, Detect if ((li->validate == fcn) && (li->userdata == userdata)) return li; - for (li=service_config->udp_service_list; li; li=li->next) + for (li = service_config->udp_service_list; li; li = li->next) if ((li->validate == fcn) && (li->userdata == userdata)) return li; @@ -472,7 +477,7 @@ static void ServiceRegisterPattern(RNAServiceValidationFCN fcn, IpProtocol proto return; } - for (li=*list; li; li=li->next) + for (li = *list; li; li=li->next) { if ((li->validate == fcn) && (li->userdata == userdata)) break; @@ -489,7 +494,7 @@ static void ServiceRegisterPattern(RNAServiceValidationFCN fcn, IpProtocol proto li->name = name; } - if (!(*patterns)) + if ( !(*patterns) ) { *patterns = new SearchTool("ac_full"); if (!(*patterns)) @@ -543,7 +548,7 @@ static void RemoveServicePortsByType(RNAServiceValidationFCN validate, SF_LIST** RNAServiceElement* li; unsigned i; - for (li=list; li; li=li->next) + for (li = list; li; li=li->next) { if (li->validate == validate && li->userdata == userdata) break; @@ -581,9 +586,7 @@ static void RemoveServicePortsByType(RNAServiceValidationFCN validate, SF_LIST** static void RemoveAllServicePorts() { - int i; - - for ( i= 0; i < RNA_SERVICE_MAX_PORT; i++) + for (unsigned i = 0; i < RNA_SERVICE_MAX_PORT; i++) { if (service_config->tcp_services[i]) { @@ -591,7 +594,7 @@ static void RemoveAllServicePorts() service_config->tcp_services[i] = nullptr; } } - for (i = 0; i < RNA_SERVICE_MAX_PORT; i++) + for (unsigned i = 0; i < RNA_SERVICE_MAX_PORT; i++) { if (service_config->udp_services[i]) { @@ -599,7 +602,7 @@ static void RemoveAllServicePorts() service_config->udp_services[i] = nullptr; } } - for (i = 0; i < RNA_SERVICE_MAX_PORT; i++) + for (unsigned i = 0; i < RNA_SERVICE_MAX_PORT; i++) { if (service_config->udp_reversed_services[i]) { @@ -632,7 +635,7 @@ int ServiceAddPort(const RNAServiceValidationPort* pp, RNAServiceValidationModul RNAServiceElement* li; RNAServiceElement* serviceElement; - DebugFormat(DEBUG_INSPECTOR, "Adding service %s for protocol %u on port %u\n", + DebugFormat(DEBUG_APPID, "Adding service %s for protocol %u on port %u\n", svm->name, (unsigned)pp->proto, (unsigned)pp->port); if (pp->proto == IpProtocol::TCP) { @@ -659,7 +662,7 @@ int ServiceAddPort(const RNAServiceValidationPort* pp, RNAServiceValidationModul return 0; } - for (li=*list; li; li=li->next) + for (li = *list; li; li = li->next) { if (li->validate == pp->validate && li->userdata == userdata) break; @@ -773,12 +776,12 @@ void init_service_plugins() void finalize_service_patterns() { - ServicePatternData* curr; ServicePatternData* lists[] = { service_config->tcp_pattern_data, service_config->udp_pattern_data }; + for ( unsigned i = 0; i < (sizeof(lists) / sizeof(*lists)); i++) { - curr = lists[i]; + ServicePatternData* curr = lists[i]; while (curr != nullptr) { if (curr->svc != nullptr) @@ -831,6 +834,7 @@ void clean_service_plugins() service_config->tcp_pattern_data = pattern->next; snort_free(pattern); } + while ((pattern = service_config->udp_pattern_data)) { service_config->udp_pattern_data = pattern->next; @@ -910,9 +914,6 @@ static inline RNAServiceElement* AppIdGetServiceByPattern(const Packet* pkt, IpP const int, AppIdServiceIDState* id_state) { SearchTool* patterns = nullptr; - ServiceMatch* match_list; - uint32_t i; - RNAServiceElement* service = nullptr; std::vector smOrderedList; if (proto == IpProtocol::TCP) @@ -927,7 +928,7 @@ static inline RNAServiceElement* AppIdGetServiceByPattern(const Packet* pkt, IpP } /*FRE didn't search */ - match_list = nullptr; + ServiceMatch* match_list = nullptr; patterns->find_all((char*)pkt->data, pkt->dsize, &pattern_match, false, (void*)&match_list); for (ServiceMatch* sm = match_list; sm; sm = sm->next) @@ -938,11 +939,12 @@ static inline RNAServiceElement* AppIdGetServiceByPattern(const Packet* pkt, IpP std::sort(smOrderedList.begin(), smOrderedList.end(), AppIdPatternPrecedence); + unsigned i; for (i = 0; i < smOrderedList.size() - 1; i++) smOrderedList[i]->next = smOrderedList[i + 1]; smOrderedList[i]->next = nullptr; - service = smOrderedList[0]->svc; + RNAServiceElement* service = smOrderedList[0]->svc; if (id_state) { @@ -995,9 +997,7 @@ static int add_dhcp_info(AppIdSession* asd, unsigned op55_len, const uint8_t* op if (op55_len && op55_len <= DHCP_OPTION55_LEN_MAX && !asd->get_session_flags(APPID_SESSION_HAS_DHCP_FP)) { - DHCPData* rdd; - - rdd = (DHCPData*)snort_calloc(sizeof(*rdd)); + DHCPData* rdd = (DHCPData*)snort_calloc(sizeof(*rdd)); if (asd->add_flow_data(rdd, APPID_SESSION_DATA_DHCP_FP_DATA, (AppIdFreeFCN)AppIdFreeDhcpData)) { @@ -1029,14 +1029,14 @@ static unsigned isIPv4HostMonitored(uint32_t ip4, int32_t zone) { NetworkSet* net_list; unsigned flags; - AppIdConfig* pConfig = AppIdConfig::get_appid_config(); + AppIdConfig* config = AppIdConfig::get_appid_config(); - if (zone >= 0 && zone < MAX_ZONES && pConfig->net_list_by_zone[zone]) - net_list = pConfig->net_list_by_zone[zone]; + if (zone >= 0 && zone < MAX_ZONES && config->net_list_by_zone[zone]) + net_list = config->net_list_by_zone[zone]; else - net_list = pConfig->net_list; + net_list = config->net_list; - NetworkSet_ContainsEx(net_list, ip4, &flags); + NetworkSetManager::contains_ex(net_list, ip4, &flags); return flags; } @@ -1044,7 +1044,6 @@ static void add_host_ip_info(AppIdSession* asd, const uint8_t* mac, uint32_t ip, uint32_t subnetmask, uint32_t leaseSecs, uint32_t router) { DHCPInfo* info; - unsigned flags; if (memcmp(mac, zeromac, 6) == 0 || ip == 0) return; @@ -1053,7 +1052,7 @@ static void add_host_ip_info(AppIdSession* asd, const uint8_t* mac, uint32_t ip, || asd->get_session_flags(APPID_SESSION_HAS_DHCP_INFO)) return; - flags = isIPv4HostMonitored(ntohl(ip), zone); + unsigned flags = isIPv4HostMonitored(ntohl(ip), zone); if (!(flags & IPFUNCS_HOSTS_IP)) return; @@ -1144,7 +1143,6 @@ static int AppIdServiceAddServiceEx(AppIdSession* asd, const Packet* pkt, int di } asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED); asd->serviceAppId = appId; - checkSandboxDetection(appId); if (asd->get_session_flags(APPID_SESSION_IGNORE_HOST)) @@ -1179,8 +1177,7 @@ static int AppIdServiceAddServiceEx(AppIdSession* asd, const Packet* pkt, int di } } - /* If we ended up with UDP reversed, make sure we're pointing to the - * correct host tracker entry. */ + // If UDP reversed, ensure we have the correct host tracker entry. if (asd->get_session_flags(APPID_SESSION_UDP_REVERSED)) { asd->id_state = get_service_id_state(ip, asd->protocol, port, @@ -1189,8 +1186,8 @@ static int AppIdServiceAddServiceEx(AppIdSession* asd, const Packet* pkt, int di if (!(id_state = asd->id_state)) { - if (!(id_state = add_service_id_state(ip, asd->protocol, port, AppIdServiceDetectionLevel( - asd)))) + if (!(id_state = add_service_id_state(ip, asd->protocol, port, + AppIdServiceDetectionLevel(asd)))) { ErrorMessage("Add service failed to create state"); return SERVICE_ENOMEM; @@ -1279,7 +1276,6 @@ int AppIdServiceAddService(AppIdSession* asd, const Packet* pkt, int dir, const RNAServiceSubtype* subtype) { RNAServiceSubtype* new_subtype = nullptr; - RNAServiceSubtype* tmp_subtype; if (!svc_element->current_ref_count) { @@ -1292,7 +1288,7 @@ int AppIdServiceAddService(AppIdSession* asd, const Packet* pkt, int dir, for (; subtype; subtype = subtype->next) { - tmp_subtype = (RNAServiceSubtype*)snort_calloc(sizeof(RNAServiceSubtype)); + RNAServiceSubtype* tmp_subtype = (RNAServiceSubtype*)snort_calloc(sizeof(RNAServiceSubtype)); if (subtype->service) tmp_subtype->service = snort_strdup(subtype->service); @@ -1320,24 +1316,22 @@ int AppIdServiceInProcess(AppIdSession* asd, const Packet* pkt, int dir, return SERVICE_EINVALID; } - if (dir == APP_ID_FROM_INITIATOR || asd->get_session_flags(APPID_SESSION_IGNORE_HOST| - APPID_SESSION_UDP_REVERSED)) + if (dir == APP_ID_FROM_INITIATOR || + asd->get_session_flags(APPID_SESSION_IGNORE_HOST | APPID_SESSION_UDP_REVERSED)) return SERVICE_SUCCESS; if (!(id_state = asd->id_state)) { - uint16_t port; - const sfip_t* ip; + const sfip_t* ip = pkt->ptrs.ip_api.get_src(); + uint16_t port = asd->service_port ? asd->service_port : pkt->ptrs.sp; - ip = pkt->ptrs.ip_api.get_src(); - port = asd->service_port ? asd->service_port : pkt->ptrs.sp; - - if (!(id_state = add_service_id_state(ip, asd->protocol, port, AppIdServiceDetectionLevel( - asd)))) + if (!(id_state = add_service_id_state(ip, asd->protocol, port, + AppIdServiceDetectionLevel(asd)))) { ErrorMessage("In-process service failed to create state"); return SERVICE_ENOMEM; } + asd->id_state = id_state; asd->service_ip = *ip; asd->service_port = port; @@ -1348,8 +1342,7 @@ int AppIdServiceInProcess(AppIdSession* asd, const Packet* pkt, int dir, { if (!sfip_is_set(&asd->service_ip)) { - const sfip_t* ip = pkt->ptrs.ip_api.get_src(); - asd->service_ip = *ip; + asd->service_ip = *(pkt->ptrs.ip_api.get_src()); if (!asd->service_port) asd->service_port = pkt->ptrs.sp; } @@ -1422,11 +1415,8 @@ int AppIdServiceIncompatibleData(AppIdSession* asd, const Packet* pkt, int dir, if (!(id_state = asd->id_state)) { - uint16_t port; - const sfip_t* ip; - - ip = pkt->ptrs.ip_api.get_src(); - port = asd->service_port ? asd->service_port : pkt->ptrs.sp; + const sfip_t* ip = pkt->ptrs.ip_api.get_src(); + uint16_t port = asd->service_port ? asd->service_port : pkt->ptrs.sp; if (!(id_state = add_service_id_state(ip, asd->protocol, port, AppIdServiceDetectionLevel(asd)))) @@ -1446,8 +1436,7 @@ int AppIdServiceIncompatibleData(AppIdSession* asd, const Packet* pkt, int dir, { if (!sfip_is_set(&asd->service_ip)) { - const sfip_t* ip = pkt->ptrs.ip_api.get_src(); - asd->service_ip = *ip; + asd->service_ip = *(pkt->ptrs.ip_api.get_src()); if (!asd->service_port) asd->service_port = pkt->ptrs.sp; @@ -1520,11 +1509,8 @@ int AppIdServiceFailService(AppIdSession* asd, const Packet* pkt, int dir, if (!(id_state = asd->id_state)) { - uint16_t port; - const sfip_t* ip; - - ip = pkt->ptrs.ip_api.get_src(); - port = asd->service_port ? asd->service_port : pkt->ptrs.sp; + const sfip_t* ip = pkt->ptrs.ip_api.get_src(); + uint16_t port = asd->service_port ? asd->service_port : pkt->ptrs.sp; if (!(id_state = add_service_id_state(ip, asd->protocol, port, AppIdServiceDetectionLevel(asd)))) @@ -1544,8 +1530,7 @@ int AppIdServiceFailService(AppIdSession* asd, const Packet* pkt, int dir, { if (!sfip_is_set(&asd->service_ip)) { - const sfip_t* ip = pkt->ptrs.ip_api.get_src(); - asd->service_ip = *ip; + asd->service_ip = *(pkt->ptrs.ip_api.get_src()); if (!asd->service_port) asd->service_port = pkt->ptrs.sp; } @@ -1886,7 +1871,7 @@ int AppIdDiscoverService(Packet* p, const int dir, AppIdSession* asd) args.userdata = service->userdata; ret = service->validate(&args); if (ret == SERVICE_NOT_COMPATIBLE) - asd->got_incompatible_services = 1; + asd->got_incompatible_services = true; if (asd->session_logging_enabled) LogMessage("AppIdDbg %s %s returned %d\n", asd->session_logging_id, service->name ? service->name : "UNKNOWN", ret); @@ -1949,7 +1934,7 @@ int AppIdDiscoverService(Packet* p, const int dir, AppIdSession* asd) args.userdata = service->userdata; result = service->validate(&args); if (result == SERVICE_NOT_COMPATIBLE) - asd->got_incompatible_services = 1; + asd->got_incompatible_services = true; if (asd->session_logging_enabled) LogMessage("AppIdDbg %s %s returned %d\n", asd->session_logging_id, service->name ? service->name : "UNKNOWN", result); diff --git a/src/network_inspectors/appid/service_plugins/service_bgp.cc b/src/network_inspectors/appid/service_plugins/service_bgp.cc index 27e5392b8..34d070f29 100644 --- a/src/network_inspectors/appid/service_plugins/service_bgp.cc +++ b/src/network_inspectors/appid/service_plugins/service_bgp.cc @@ -137,7 +137,7 @@ static int bgp_init(const InitServiceAPI* const init_api) unsigned i; for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++) { - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId); + DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId); init_api->RegisterAppId(&bgp_validate, appIdRegistry[i].appId, appIdRegistry[i].additionalInfo); } diff --git a/src/network_inspectors/appid/service_plugins/service_bit.cc b/src/network_inspectors/appid/service_plugins/service_bit.cc index 758af5adf..7dd2e3fbc 100644 --- a/src/network_inspectors/appid/service_plugins/service_bit.cc +++ b/src/network_inspectors/appid/service_plugins/service_bit.cc @@ -119,7 +119,7 @@ static int bit_init(const InitServiceAPI* const init_api) unsigned i; for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++) { - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId); + DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId); init_api->RegisterAppId(&bit_validate, appIdRegistry[i].appId, appIdRegistry[i].additionalInfo); } diff --git a/src/network_inspectors/appid/service_plugins/service_bootp.cc b/src/network_inspectors/appid/service_plugins/service_bootp.cc index f801abb90..c70abcac4 100644 --- a/src/network_inspectors/appid/service_plugins/service_bootp.cc +++ b/src/network_inspectors/appid/service_plugins/service_bootp.cc @@ -110,7 +110,7 @@ static int bootp_init(const InitServiceAPI* const init_api) unsigned i; for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++) { - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId); + DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId); init_api->RegisterAppId(&bootp_validate, appIdRegistry[i].appId, appIdRegistry[i].additionalInfo); } diff --git a/src/network_inspectors/appid/service_plugins/service_config.h b/src/network_inspectors/appid/service_plugins/service_config.h index cd9c64974..dae68fbfa 100644 --- a/src/network_inspectors/appid/service_plugins/service_config.h +++ b/src/network_inspectors/appid/service_plugins/service_config.h @@ -26,7 +26,6 @@ #include -#include #include "service_api.h" #define RNA_SERVICE_MAX_PORT 65536 diff --git a/src/network_inspectors/appid/service_plugins/service_dcerpc.cc b/src/network_inspectors/appid/service_plugins/service_dcerpc.cc index 8b0090f29..d8ce28865 100644 --- a/src/network_inspectors/appid/service_plugins/service_dcerpc.cc +++ b/src/network_inspectors/appid/service_plugins/service_dcerpc.cc @@ -92,7 +92,7 @@ static int dcerpc_init(const InitServiceAPI* const init_api) unsigned i; for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++) { - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId); + DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId); init_api->RegisterAppId(&dcerpc_udp_validate, appIdRegistry[i].appId, appIdRegistry[i].additionalInfo); } diff --git a/src/network_inspectors/appid/service_plugins/service_direct_connect.cc b/src/network_inspectors/appid/service_plugins/service_direct_connect.cc index a904afec1..d799b713e 100644 --- a/src/network_inspectors/appid/service_plugins/service_direct_connect.cc +++ b/src/network_inspectors/appid/service_plugins/service_direct_connect.cc @@ -121,7 +121,7 @@ static int direct_connect_init(const InitServiceAPI* const init_api) unsigned i; for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++) { - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId); + DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId); init_api->RegisterAppId(&direct_connect_validate, appIdRegistry[i].appId, appIdRegistry[i].additionalInfo); } diff --git a/src/network_inspectors/appid/service_plugins/service_flap.cc b/src/network_inspectors/appid/service_plugins/service_flap.cc index afa23ba4c..91f502a91 100644 --- a/src/network_inspectors/appid/service_plugins/service_flap.cc +++ b/src/network_inspectors/appid/service_plugins/service_flap.cc @@ -123,7 +123,7 @@ static int flap_init(const InitServiceAPI* const init_api) //unsigned i; for (unsigned i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++) { - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId); + DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId); init_api->RegisterAppId(&flap_validate, appIdRegistry[i].appId, appIdRegistry[i].additionalInfo); } diff --git a/src/network_inspectors/appid/service_plugins/service_mdns.cc b/src/network_inspectors/appid/service_plugins/service_mdns.cc index af2ece3f6..03726fb4c 100644 --- a/src/network_inspectors/appid/service_plugins/service_mdns.cc +++ b/src/network_inspectors/appid/service_plugins/service_mdns.cc @@ -22,22 +22,22 @@ #include "service_mdns.h" #include "appid_module.h" -#include "search_engines/search_tool.h" -#include "client_plugins/client_app_base.h" -#include "detector_plugins/http_url_patterns.h" -#include "detector_plugins/detector_http.h" -#include "appid_utils/common_util.h" + #include "appid_config.h" +#include "app_info_table.h" #include "appid_session.h" -#include "fw_appid.h" #include "http_common.h" #include "lua_detector_api.h" #include "service_api.h" #include "service_base.h" #include "service_ssl.h" +#include "client_plugins/client_app_base.h" +#include "detector_plugins/http_url_patterns.h" +#include "detector_plugins/detector_http.h" #include "main/snort_debug.h" #include "utils/util.h" +#include "search_engines/search_tool.h" #define MDNS_PORT 5353 #define PATTERN_REFERENCE_PTR 3 @@ -92,16 +92,15 @@ struct MdnsConfig MatchedPatterns* patternList; }; -static int MDNS_init(const InitServiceAPI* const init_api); +static int mdns_init(const InitServiceAPI* const init_api); static int ReferencePointer(const char* start_ptr,const char** resp_endptr, int* start_index, - uint16_t data_size, uint8_t* user_name_len, unsigned offset, const AppIdConfig* pConfig); + uint16_t data_size, uint8_t* user_name_len, unsigned offset); static int MDNS_validate(ServiceValidationArgs* args); static int mdnsMatcherCreate(); static void mdnsMatcherDestroy(); -static unsigned mdnsMatchListCreate(const char* data, uint16_t dataSize, const - AppIdConfig* pConfig); +static unsigned mdnsMatchListCreate(const char* data, uint16_t dataSize); static void mdnsMatchListFind(const char* dataPtr, uint16_t index, const char** resp_endptr, - int* pattern_length, const AppIdConfig* pConfig); + int* pattern_length); static void mdnsMatchListDestroy(); static void MDNS_clean(); @@ -126,7 +125,7 @@ static const RNAServiceValidationPort pp[] = RNAServiceValidationModule mdns_service_mod = { "MDNS", - &MDNS_init, + &mdns_init, pp, nullptr, nullptr, @@ -140,12 +139,12 @@ static AppRegistryEntry appIdRegistry[] = { APP_ID_MDNS, APPINFO_FLAG_SERVICE_ADDITIONAL } }; -static int MDNS_init(const InitServiceAPI* const init_api) +static int mdns_init(const InitServiceAPI* const init_api) { unsigned i; for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++) { - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId); + DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId); init_api->RegisterAppId(&MDNS_validate, appIdRegistry[i].appId, appIdRegistry[i].additionalInfo); } @@ -178,7 +177,7 @@ static int MDNS_validate_reply(const uint8_t* data, uint16_t size) Returns 0 or 1 for successful/unsuccessful hit for pattern '@' Returns -1 for invalid address pointer or past the data_size */ static int ReferencePointer(const char* start_ptr, const char** resp_endptr, int* start_index, - uint16_t data_size, uint8_t* user_name_len, unsigned size, const AppIdConfig* pConfig) + uint16_t data_size, uint8_t* user_name_len, unsigned size) { int index = 0; int pattern_length = 0; @@ -193,7 +192,7 @@ static int ReferencePointer(const char* start_ptr, const char** resp_endptr, i const char* temp_start_ptr; temp_start_ptr = start_ptr+index; - mdnsMatchListFind(start_ptr, size - data_size + index, resp_endptr, &pattern_length, pConfig); + mdnsMatchListFind(start_ptr, size - data_size + index, resp_endptr, &pattern_length); /* Contains reference pointer */ while ((index < data_size) && !(*resp_endptr) && ((uint8_t )temp_start_ptr[index] >> SHIFT_BITS_REFERENCE_PTR != PATTERN_REFERENCE_PTR)) @@ -205,8 +204,7 @@ static int ReferencePointer(const char* start_ptr, const char** resp_endptr, i break; } index++; - mdnsMatchListFind(start_ptr, size - data_size + index, resp_endptr, &pattern_length, - pConfig); + mdnsMatchListFind(start_ptr, size - data_size + index, resp_endptr, &pattern_length); } if (index >= data_size) *user_name_len = 0; @@ -219,8 +217,7 @@ static int ReferencePointer(const char* start_ptr, const char** resp_endptr, i SHIFT_BITS_REFERENCE_PTR != PATTERN_REFERENCE_PTR)) { index++; - mdnsMatchListFind(start_ptr, size - data_size + index, resp_endptr, &pattern_length, - pConfig); + mdnsMatchListFind(start_ptr, size - data_size + index, resp_endptr, &pattern_length); } if (index >= data_size) *user_name_len = 0; @@ -246,45 +243,36 @@ static int ReferencePointer(const char* start_ptr, const char** resp_endptr, i 2. Calls the function which scans for pattern to identify the user 3. Calls the function which does the Username reporting along with the host MDNS User Analysis*/ -static int MDNSUserAnalyser(AppIdSession* asd, const Packet* pkt, uint16_t size, const - AppIdConfig* pConfig) +static int MDNSUserAnalyser(AppIdSession* asd, const Packet* pkt, uint16_t size) { - const char* query_val; - const char* answers; char user_name[MAX_LENGTH_SERVICE_NAME] = ""; char* user_name_bkp = nullptr; - const char* resp_endptr; - const char* srv_original; - const char* end_srv_original; - const char* user_original; - int query_val_int; - int ans_count = 0; - int start_index =0; - int processed_ans =0; - uint16_t data_len = 0; - uint8_t* data_len_str; + int start_index = 0; + int processed_ans = 0; uint8_t user_name_len = 0; uint16_t data_size = size; /* Scan for MDNS response, decided on Query value */ - query_val = (char*)pkt->data + QUERY_OFFSET; - query_val_int = (short)(query_val[0]<data + ANSWER_OFFSET; - ans_count = (short)(answers[0]<< SHIFT_BITS | (answers[1] )); + const char* query_val = (char*)pkt->data + QUERY_OFFSET; + int query_val_int = (short)(query_val[0]<data + ANSWER_OFFSET; + int ans_count = (short)(answers[0]<< SHIFT_BITS | (answers[1] )); - if ( query_val_int ==0) + if ( query_val_int == 0) { - srv_original = (char*)pkt->data + RECORD_OFFSET; - mdnsMatchListCreate(srv_original, size-RECORD_OFFSET, pConfig); - end_srv_original = (char*)pkt->data + RECORD_OFFSET+data_size; - for (processed_ans =0; processed_ans< ans_count && data_size <= size && size > 0; + const char* resp_endptr; + const char* user_original; + + const char* srv_original = (char*)pkt->data + RECORD_OFFSET; + mdnsMatchListCreate(srv_original, size-RECORD_OFFSET); + const char* end_srv_original = (char*)pkt->data + RECORD_OFFSET + data_size; + for (processed_ans = 0; processed_ans < ans_count && data_size <= size && size > 0; processed_ans++ ) { - /* Call Decode Reference pointer function if referenced value instead of direct value - */ + // Call Decode Reference pointer function if referenced value instead of direct value user_name_len = 0; int ret_value = ReferencePointer(srv_original, &resp_endptr, &start_index, data_size, - &user_name_len, size, pConfig); + &user_name_len, size); int user_index =0; int user_printable_index =0; @@ -300,7 +288,7 @@ static int MDNSUserAnalyser(AppIdSession* asd, const Packet* pkt, uint16_t size, } user_name_len -=user_index; - memcpy(user_name, srv_original+start_index, user_name_len); + memcpy(user_name, srv_original + start_index, user_name_len); user_name[user_name_len] = '\0'; user_index =0; @@ -315,12 +303,12 @@ static int MDNSUserAnalyser(AppIdSession* asd, const Packet* pkt, uint16_t size, mdns_service_mod.api->add_user(asd, user_name, APP_ID_MDNS, 1); break; } - /* Find the length to Jump to the next response */ + // Find the length to Jump to the next response if ((resp_endptr + NEXT_MESSAGE_OFFSET ) < (srv_original + data_size)) { - data_len_str = (uint8_t*)(resp_endptr+ LENGTH_OFFSET); - data_len = (short)( data_len_str[0]<< SHIFT_BITS | ( data_len_str[1] )); + uint8_t* data_len_str = (uint8_t*)(resp_endptr+ LENGTH_OFFSET); + uint16_t data_len = (short)( data_len_str[0]<< SHIFT_BITS | ( data_len_str[1] )); data_size = data_size - (resp_endptr + NEXT_MESSAGE_OFFSET + data_len - srv_original); /* Check if user name is available in the Domain Name field */ @@ -391,14 +379,13 @@ static int MDNSUserAnalyser(AppIdSession* asd, const Packet* pkt, uint16_t size, static int MDNS_validate(ServiceValidationArgs* args) { - ServiceMDNSData* fd; int ret_val; AppIdSession* asd = args->asd; const uint8_t* data = args->data; Packet* pkt = args->pkt; uint16_t size = args->size; - fd = (ServiceMDNSData*)mdns_service_mod.api->data_get(asd, mdns_service_mod.flow_data_index); + ServiceMDNSData* fd = (ServiceMDNSData*)mdns_service_mod.api->data_get(asd, mdns_service_mod.flow_data_index); if (!fd) { fd = (ServiceMDNSData*)snort_calloc(sizeof(ServiceMDNSData)); @@ -413,7 +400,7 @@ static int MDNS_validate(ServiceValidationArgs* args) { if (AppIdConfig::get_appid_config()->mod_config->mdns_user_reporting) { - MDNSUserAnalyser(asd, pkt, size, args->pConfig); + MDNSUserAnalyser(asd, pkt, size); mdnsMatchListDestroy(); goto success; } @@ -462,14 +449,14 @@ static int mdnsMatcherCreate() (char*)patterns[i].pattern, patterns[i].length, &patterns[i]); pMdnsConfig->mdnsMatcher->prep(); - AppIdConfig::get_appid_config()->add_generic_config_element(svc_element.name, pMdnsConfig); + AppidConfigElement::add_generic_config_element(svc_element.name, pMdnsConfig); return 1; } static void mdnsMatcherDestroy() { MdnsConfig* pMdnsConfig = - (MdnsConfig*)AppIdConfig::get_appid_config()->find_generic_config_element(svc_element.name); + (MdnsConfig*)AppidConfigElement::find_generic_config_element(svc_element.name); MatchedPatterns* node; if (pMdnsConfig->mdnsMatcher) delete pMdnsConfig->mdnsMatcher; @@ -483,7 +470,7 @@ static void mdnsMatcherDestroy() snort_free(node); } snort_free(pMdnsConfig); - AppIdConfig::get_appid_config()->remove_generic_config_element(svc_element.name); + AppidConfigElement::remove_generic_config_element(svc_element.name); } static int mdns_pattern_match(void* id, void*, int index, void* data, void*) @@ -525,11 +512,10 @@ static int mdns_pattern_match(void* id, void*, int index, void* data, void*) return 0; } -static unsigned mdnsMatchListCreate(const char* data, uint16_t dataSize, const - AppIdConfig* pConfig) +static unsigned mdnsMatchListCreate(const char* data, uint16_t dataSize) { - MdnsConfig* pMdnsConfig = (MdnsConfig*)((AppIdConfig*)pConfig)->find_generic_config_element( - svc_element.name); + MdnsConfig* pMdnsConfig = + (MdnsConfig*)AppidConfigElement::find_generic_config_element(svc_element.name); if (pMdnsConfig->patternList) mdnsMatchListDestroy(); @@ -543,10 +529,10 @@ static unsigned mdnsMatchListCreate(const char* data, uint16_t dataSize, const } static void mdnsMatchListFind(const char* dataPtr, uint16_t index, const char** resp_endptr, - int* pattern_length, const AppIdConfig* pConfig) + int* pattern_length) { - MdnsConfig* pMdnsConfig = (MdnsConfig*)((AppIdConfig*)pConfig)->find_generic_config_element( - svc_element.name); + MdnsConfig* pMdnsConfig = + (MdnsConfig*)AppidConfigElement::find_generic_config_element(svc_element.name); while (pMdnsConfig->patternList) { @@ -574,7 +560,8 @@ static void mdnsMatchListDestroy() MatchedPatterns* element; MdnsConfig* pMdnsConfig = - (MdnsConfig*)AppIdConfig::get_appid_config()->find_generic_config_element(svc_element.name); + (MdnsConfig*)AppidConfigElement::find_generic_config_element(svc_element.name); + while (pMdnsConfig->patternList) { element = pMdnsConfig->patternList; diff --git a/src/network_inspectors/appid/service_plugins/service_mysql.cc b/src/network_inspectors/appid/service_plugins/service_mysql.cc index 97cdc633c..2bacb599a 100644 --- a/src/network_inspectors/appid/service_plugins/service_mysql.cc +++ b/src/network_inspectors/appid/service_plugins/service_mysql.cc @@ -90,7 +90,7 @@ static int svc_mysql_init(const InitServiceAPI* const init_api) { for ( unsigned i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++ ) { - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId); + DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId); init_api->RegisterAppId(&svc_mysql_validate, appIdRegistry[i].appId, appIdRegistry[i].additionalInfo); } diff --git a/src/network_inspectors/appid/service_plugins/service_netbios.cc b/src/network_inspectors/appid/service_plugins/service_netbios.cc index 34a9de9c3..609e19636 100644 --- a/src/network_inspectors/appid/service_plugins/service_netbios.cc +++ b/src/network_inspectors/appid/service_plugins/service_netbios.cc @@ -349,16 +349,16 @@ static int netbios_init(const InitServiceAPI* const init_api) init_api->RegisterPattern(&nbss_validate, IpProtocol::TCP, NB_SMB_BANNER, sizeof(NB_SMB_BANNER), -1, "netbios"); - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d for NetBIOS-ns\n",APP_ID_NETBIOS_NS); + DebugFormat(DEBUG_APPID,"registering appId: %d for NetBIOS-ns\n",APP_ID_NETBIOS_NS); init_api->RegisterAppId(&nbns_validate, APP_ID_NETBIOS_NS, APPINFO_FLAG_SERVICE_UDP_REVERSED); - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d for NetBIOS-dgm\n",APP_ID_NETBIOS_DGM); + DebugFormat(DEBUG_APPID,"registering appId: %d for NetBIOS-dgm\n",APP_ID_NETBIOS_DGM); init_api->RegisterAppId(&nbdgm_validate, APP_ID_NETBIOS_DGM, APPINFO_FLAG_SERVICE_ADDITIONAL); - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d for NetBIOS-ssn\n",APP_ID_NETBIOS_SSN); + DebugFormat(DEBUG_APPID,"registering appId: %d for NetBIOS-ssn\n",APP_ID_NETBIOS_SSN); init_api->RegisterAppId(&nbss_validate, APP_ID_NETBIOS_SSN, APPINFO_FLAG_SERVICE_ADDITIONAL); - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",APP_ID_DCE_RPC); + DebugFormat(DEBUG_APPID,"registering appId: %d\n",APP_ID_DCE_RPC); init_api->RegisterAppId(&nbss_validate, APP_ID_DCE_RPC, 0); return 0; diff --git a/src/network_inspectors/appid/service_plugins/service_rfb.cc b/src/network_inspectors/appid/service_plugins/service_rfb.cc index ebaa6c75c..37461a1fe 100644 --- a/src/network_inspectors/appid/service_plugins/service_rfb.cc +++ b/src/network_inspectors/appid/service_plugins/service_rfb.cc @@ -85,7 +85,7 @@ static int rfb_init(const InitServiceAPI* const init_api) unsigned i; for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++) { - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId); + DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId); init_api->RegisterAppId(&rfb_validate, appIdRegistry[i].appId, appIdRegistry[i].additionalInfo); } diff --git a/src/network_inspectors/appid/service_plugins/service_rlogin.cc b/src/network_inspectors/appid/service_plugins/service_rlogin.cc index e7b8f1515..9f40866f9 100644 --- a/src/network_inspectors/appid/service_plugins/service_rlogin.cc +++ b/src/network_inspectors/appid/service_plugins/service_rlogin.cc @@ -87,7 +87,7 @@ static int rlogin_init(const InitServiceAPI* const init_api) unsigned i; for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++) { - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId); + DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId); init_api->RegisterAppId(&rlogin_validate, appIdRegistry[i].appId, appIdRegistry[i].additionalInfo); } diff --git a/src/network_inspectors/appid/service_plugins/service_rpc.cc b/src/network_inspectors/appid/service_plugins/service_rpc.cc index 062b4066a..cdcdd4be1 100644 --- a/src/network_inspectors/appid/service_plugins/service_rpc.cc +++ b/src/network_inspectors/appid/service_plugins/service_rpc.cc @@ -162,6 +162,7 @@ struct ServiceRPCData }; static int rpc_init(const InitServiceAPI* const init_api); +static void rpc_clean(); static int rpc_validate(ServiceValidationArgs* args); static int rpc_tcp_validate(ServiceValidationArgs* args); @@ -218,7 +219,7 @@ RNAServiceValidationModule rpc_service_mod = nullptr, nullptr, 0, - nullptr, + &rpc_clean, 0 }; @@ -229,7 +230,7 @@ struct RPCProgram char* name; }; -static RPCProgram* rpc_programs; +static THREAD_LOCAL RPCProgram* rpc_programs; static uint8_t rpc_reply_accepted_pattern[8] = { 0,0,0,1,0,0,0,0 }; static uint8_t rpc_reply_denied_pattern[8] = { 0,0,0,1,0,0,0,1 }; @@ -277,7 +278,7 @@ static int rpc_init(const InitServiceAPI* const init_api) unsigned i; for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++) { - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId); + DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId); init_api->RegisterAppId(&rpc_validate, appIdRegistry[i].appId, appIdRegistry[i].additionalInfo); } @@ -285,11 +286,26 @@ static int rpc_init(const InitServiceAPI* const init_api) return 0; } +static void rpc_clean() +{ + RPCProgram* rpc = rpc_programs; + + while( rpc ) + { + RPCProgram* toast = rpc; + rpc = rpc->next; + + if (toast->name) + snort_free(toast->name); + snort_free(toast); + } +} + static const RPCProgram* FindRPCProgram(uint32_t program) { RPCProgram* rpc; - for (rpc=rpc_programs; rpc; rpc=rpc->next) + for (rpc = rpc_programs; rpc; rpc = rpc->next) { if (program == rpc->program) break; diff --git a/src/network_inspectors/appid/service_plugins/service_rshell.cc b/src/network_inspectors/appid/service_plugins/service_rshell.cc index d9a9dc9f7..94f071fd8 100644 --- a/src/network_inspectors/appid/service_plugins/service_rshell.cc +++ b/src/network_inspectors/appid/service_plugins/service_rshell.cc @@ -103,7 +103,7 @@ static int rshell_init(const InitServiceAPI* const init_api) for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++) { - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId); + DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId); init_api->RegisterAppId(&rshell_validate, appIdRegistry[i].appId, appIdRegistry[i].additionalInfo); } @@ -204,11 +204,8 @@ static int rshell_validate(ServiceValidationArgs* args) } pf->scan_flags |= SCAN_HOST_PORT_FLAG; PopulateExpectedFlow(asd, pf, - APPID_SESSION_CONTINUE | - APPID_SESSION_REXEC_STDERR | - APPID_SESSION_NO_TPI | - APPID_SESSION_SERVICE_DETECTED | - APPID_SESSION_NOT_A_SERVICE | + APPID_SESSION_CONTINUE | APPID_SESSION_REXEC_STDERR | APPID_SESSION_NO_TPI | + APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_NOT_A_SERVICE | APPID_SESSION_PORT_SERVICE_DONE); pf->rnaServiceState = RNA_STATE_STATEFUL; } diff --git a/src/network_inspectors/appid/service_plugins/service_rsync.cc b/src/network_inspectors/appid/service_plugins/service_rsync.cc index e2bbcc359..f44c4c12e 100644 --- a/src/network_inspectors/appid/service_plugins/service_rsync.cc +++ b/src/network_inspectors/appid/service_plugins/service_rsync.cc @@ -90,7 +90,7 @@ static int rsync_init(const InitServiceAPI* const init_api) unsigned i; for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++) { - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId); + DebugFormat(DEBUG_APPID,"registering appId: %d\n",appIdRegistry[i].appId); init_api->RegisterAppId(&rsync_validate, appIdRegistry[i].appId, appIdRegistry[i].additionalInfo); } diff --git a/src/network_inspectors/appid/service_plugins/service_rtmp.cc b/src/network_inspectors/appid/service_plugins/service_rtmp.cc index 16b84483b..db849da14 100644 --- a/src/network_inspectors/appid/service_plugins/service_rtmp.cc +++ b/src/network_inspectors/appid/service_plugins/service_rtmp.cc @@ -124,7 +124,7 @@ static int rtmp_init(const InitServiceAPI* const init_api) unsigned i; for (i = 0; i < (sizeof(appIdRegistry) / sizeof(*appIdRegistry)); i++) { - DebugFormat(DEBUG_INSPECTOR, "registering appId: %d\n", appIdRegistry[i].appId); + DebugFormat(DEBUG_APPID, "registering appId: %d\n", appIdRegistry[i].appId); init_api->RegisterAppId(&rtmp_validate, appIdRegistry[i].appId, appIdRegistry[i].additionalInfo); } @@ -683,9 +683,8 @@ success: asd->scan_flags |= SCAN_HTTP_HOST_URL_FLAG; } else - { snort_free(ss->swfUrl); - } + ss->swfUrl = nullptr; } if (ss->pageUrl != nullptr) @@ -698,6 +697,7 @@ success: asd->hsession->referer = ss->pageUrl; else snort_free(ss->pageUrl); + ss->pageUrl = nullptr; } rtmp_service_mod.api->add_service(asd, args->pkt, dir, &svc_element, diff --git a/src/network_inspectors/appid/service_plugins/service_ssh.cc b/src/network_inspectors/appid/service_plugins/service_ssh.cc index e7182d476..f6dc58a08 100644 --- a/src/network_inspectors/appid/service_plugins/service_ssh.cc +++ b/src/network_inspectors/appid/service_plugins/service_ssh.cc @@ -404,8 +404,7 @@ static int ssh_validate(ServiceValidationArgs* args) if (!ss) { ss = (ServiceSSHData*)snort_calloc(sizeof(ServiceSSHData)); - ssh_service_mod.api->data_add(asd, ss, - ssh_service_mod.flow_data_index, &ssh_free_state); + ssh_service_mod.api->data_add(asd, ss, ssh_service_mod.flow_data_index, &ssh_free_state); ss->state = SSH_STATE_BANNER; ss->hstate = SSH_HEADER_BEGIN; ss->oldhstate = OLD_SSH_HEADER_BEGIN; diff --git a/src/network_inspectors/appid/service_plugins/service_ssl.cc b/src/network_inspectors/appid/service_plugins/service_ssl.cc index 2a6e93e2a..7ba7dd0fb 100644 --- a/src/network_inspectors/appid/service_plugins/service_ssl.cc +++ b/src/network_inspectors/appid/service_plugins/service_ssl.cc @@ -27,12 +27,12 @@ #include #include +#include "appid_module.h" +#include "app_info_table.h" #include "appid_session.h" #include "service_config.h" #include "service_base.h" #include "service_ssl.h" -#include "fw_appid.h" -#include "appid_module.h" #include "main/snort_debug.h" #include "utils/util.h" diff --git a/src/network_inspectors/appid/test/appid_http_event_test.cc b/src/network_inspectors/appid/test/appid_http_event_test.cc index b7024b90a..f5061f251 100644 --- a/src/network_inspectors/appid/test/appid_http_event_test.cc +++ b/src/network_inspectors/appid/test/appid_http_event_test.cc @@ -121,7 +121,7 @@ AppIdSession::~AppIdSession() snort_free(hsession); } -int AppIdSession::processHTTPPacket(int) +int AppIdSession::process_http_packet(int) { return 0; } diff --git a/src/network_inspectors/appid/thirdparty_appid_utils.cc b/src/network_inspectors/appid/thirdparty_appid_utils.cc index 39149d36f..8d92de14e 100644 --- a/src/network_inspectors/appid/thirdparty_appid_utils.cc +++ b/src/network_inspectors/appid/thirdparty_appid_utils.cc @@ -87,9 +87,9 @@ static int LoadCallback(const char* const path, int /* indent */) } #endif -void ThirdPartyAppIDInit(AppIdModuleConfig* appidStaticConfig) +void ThirdPartyAppIDInit(AppIdModuleConfig* config) { - const char* thirdparty_appid_dir = appidStaticConfig->thirdparty_appid_dir; + const char* thirdparty_appid_dir = config->thirdparty_appid_dir; int ret; struct ThirdPartyUtils thirdpartyUtils; @@ -106,12 +106,12 @@ void ThirdPartyAppIDInit(AppIdModuleConfig* appidStaticConfig) } memset(&thirdpartyConfig, 0, sizeof(thirdpartyConfig)); - thirdpartyConfig.chp_body_collection_max = appidStaticConfig->chp_body_collection_max; - thirdpartyConfig.ftp_userid_disabled = appidStaticConfig->ftp_userid_disabled; + thirdpartyConfig.chp_body_collection_max = config->chp_body_collection_max; + thirdpartyConfig.ftp_userid_disabled = config->ftp_userid_disabled; thirdpartyConfig.chp_body_collection_disabled = - appidStaticConfig->chp_body_collection_disabled; - thirdpartyConfig.tp_allow_probes = appidStaticConfig->tp_allow_probes; - if (appidStaticConfig->http2_detection_enabled) + config->chp_body_collection_disabled; + thirdpartyConfig.tp_allow_probes = config->tp_allow_probes; + if (config->http2_detection_enabled) thirdpartyConfig.http_upgrade_reporting_enabled = 1; else thirdpartyConfig.http_upgrade_reporting_enabled = 0;