From: Shravan Rangarajuvenkata (shrarang)
Date: Tue, 9 Feb 2021 14:11:48 +0000 (+0000)
Subject: Merge pull request #2735 in SNORT/snort3 from ~SHRARANG/snort3:appid_remove_obsolete_...
X-Git-Tag: 3.1.2.0~45
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a91b70a1babcbeef4cac1da8523db8a7816f194a;p=thirdparty%2Fsnort3.git

Merge pull request #2735 in SNORT/snort3 from ~SHRARANG/snort3:appid_remove_obsolete_detectors to master

Squashed commit of the following:

commit 37dc196d8111a349c7acb34d2333a70dc1d6fde1
Author: Shravan Rangaraju
Date: Fri Feb 5 09:45:23 2021 -0500

appid: remove detectors for obsolete apps - AOL instant messenger and Yahoo messenger
---
diff --git a/src/network_inspectors/appid/CMakeLists.txt b/src/network_inspectors/appid/CMakeLists.txt
index 20431ae59..5e9c8a402 100644
--- a/src/network_inspectors/appid/CMakeLists.txt
+++ b/src/network_inspectors/appid/CMakeLists.txt
@@ -14,8 +14,6 @@ set (APPID_INCLUDES
 set ( APPID_INCLUDE_DIR ${CMAKE_CURRENT_SOURCE_DIR} )
 set ( CP_APPID_SOURCES
- client_plugins/client_app_aim.cc
- client_plugins/client_app_aim.h
 client_plugins/client_app_bit.cc
 client_plugins/client_app_bit.h
 client_plugins/client_app_bit_tracker.cc
@@ -34,8 +32,6 @@ set ( CP_APPID_SOURCES
 client_plugins/client_app_tns.h
 client_plugins/client_app_vnc.cc
 client_plugins/client_app_vnc.h
- client_plugins/client_app_ym.cc
- client_plugins/client_app_ym.h
 client_plugins/client_detector.cc
 client_plugins/client_detector.h
 client_plugins/client_discovery.cc
@@ -61,8 +57,6 @@ set ( SP_APPID_SOURCES
 service_plugins/service_direct_connect.h
 service_plugins/service_discovery.cc
 service_plugins/service_discovery.h
- service_plugins/service_flap.cc
- service_plugins/service_flap.h
 service_plugins/service_ftp.cc
 service_plugins/service_ftp.h
 service_plugins/service_irc.cc
@@ -223,7 +217,6 @@ add_library(appid OBJECT
 target_include_directories ( appid PRIVATE ${APPID_INCLUDE_DIR} )
-add_subdirectory(client_plugins/test)
 add_subdirectory(service_plugins/test)
 add_subdirectory(detector_plugins/test)
 add_subdirectory(test)
diff --git a/src/network_inspectors/appid/application_ids.h b/src/network_inspectors/appid/application_ids.h
index fedca093b..2dcaa407c 100644
--- a/src/network_inspectors/appid/application_ids.h
+++ b/src/network_inspectors/appid/application_ids.h
@@ -555,7 +555,6 @@ enum ApplicationIds : AppId
 APP_ID_XNS = 520,
 APP_ID_XYPLEX = 521,
 APP_ID_YAHOO_GAMES = 522,
- APP_ID_YAHOO_MSG_FILE_TRANSFER = 523,
 APP_ID_YAHOO = 524,
 APP_ID_Z3950 = 525,
 APP_ID_ZANNET = 526,
@@ -579,7 +578,6 @@ enum ApplicationIds : AppId
 APP_ID_AMERICAN_EXPRESS = 544,
 APP_ID_ANDROID_BROWSER = 545,
 APP_ID_AOL_EMAIL = 546,
- APP_ID_AOL_INSTANT_MESSENGER = 547,
 APP_ID_AOL_SOFTWARE = 549,
 APP_ID_APPLE_EMAIL = 550,
 APP_ID_APPLE_STORE = 551,
@@ -965,7 +963,6 @@ enum ApplicationIds : AppId
 APP_ID_ZAPPOS = 931,
 APP_ID_ZIP_CA = 932,
 APP_ID_ZOOOMR = 933,
- APP_ID_YAHOO_MSG = 936,
 APP_ID_YAHOOMAIL = 946,
 APP_ID_YAHOO_TOOLBAR = 947,
 APP_ID_RSYNC = 1097,
@@ -977,7 +974,6 @@ enum ApplicationIds : AppId
 APP_ID_X_WAV = 1104,
 APP_ID_MPA = 1105,
 APP_ID_MP4A = 1106,
- APP_ID_AOL_NETSCAPE = 1107,
 APP_ID_SMTP_IMO = 1108,
 APP_ID_DDM_SSL = 1111,
 APP_ID_SMTPS = 1112,
diff --git a/src/network_inspectors/appid/client_plugins/client_app_aim.cc b/src/network_inspectors/appid/client_plugins/client_app_aim.cc
deleted file mode 100644
index 7ce86d7a3..000000000
--- a/src/network_inspectors/appid/client_plugins/client_app_aim.cc
+++ /dev/null
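Review bot: Retiring APP_ID_YAHOO_MSG_FILE_TRANSFER (523), APP_ID_AOL_INSTANT_MESSENGER (547), APP_ID_YAHOO_MSG (936) and APP_ID_AOL_NETSCAPE (1107) leaves their numeric values unmarked in ApplicationIds, where every enumerator carries an explicit number and gaps such as 548 or 934–935 already exist, so nothing stops a later addition from reusing one of them. Because AppId numbers are presumably also carried in detector data, policy configuration and logs outside this header, a reused value would silently relabel old traffic or stored events. I would leave a short comment at each removal point, e.g. `// 547: APP_ID_AOL_INSTANT_MESSENGER retired in 3.1.2, do not reuse`, or one reserved-values list near the top of the enum. The enum ApplicationIds starts and ends outside these hunks.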
@@ -1,244 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// client_app_aim.cc author Sourcefire Inc.
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "client_app_aim.h"
-
-#include "app_info_table.h"
-
-#pragma pack(1)
-
-struct FLAPFNACSignOn
-{
- uint16_t len;
-};
-
-struct FLAPFNAC
-{
- uint16_t family;
- uint16_t subtype;
- uint16_t flags;
- uint32_t id;
-};
-
-struct FLAPTLV
-{
- uint16_t subtype;
- uint16_t len;
-};
-
-struct FLAPHeader
-{
- uint8_t start;
- uint8_t channel;
- uint16_t seq;
- uint16_t len;
-};
-
-#pragma pack()
-
-#define MAX_VERSION_SIZE 64
-
-static const uint8_t NEW_CONNECTION[] = "\x02a\x001";
-static const uint8_t AIM_PROTOCOL_VERSION[] = "\x000\x004\x000\x000\x000\x001";
-static const uint8_t OLDER_AOL[] = "AOL Instant Messenger";
-static const uint8_t AOL[] = "imApp";
-static const uint8_t NETSCAPE_AOL[] = "Netscape 2000 an approved user of AOL Instant Messenger";
-
-AimClientDetector::AimClientDetector(ClientDiscovery* cdm)
-{
- handler = cdm;
- name = "AIM";
- proto = IpProtocol::TCP;
- minimum_matches = 2;
- provides_user = true;
-
- tcp_patterns =
- {
- { NEW_CONNECTION, sizeof(NEW_CONNECTION) - 1, 0, 0, 0 },
- { AIM_PROTOCOL_VERSION, sizeof(AIM_PROTOCOL_VERSION) - 1, 4, 0, 0 },
- { OLDER_AOL, sizeof(OLDER_AOL) - 1, -1, 0, APP_ID_AOL_INSTANT_MESSENGER },
- { AOL, sizeof(AOL) - 1, -1, 0, APP_ID_AOL_INSTANT_MESSENGER },
- { NETSCAPE_AOL, sizeof(NETSCAPE_AOL) - 1, -1, 0, APP_ID_AOL_NETSCAPE },
- };
-
- appid_registry =
- {
- { APP_ID_AOL_NETSCAPE, APPINFO_FLAG_CLIENT_ADDITIONAL | APPINFO_FLAG_CLIENT_USER },
- { APP_ID_AOL_INSTANT_MESSENGER, APPINFO_FLAG_CLIENT_ADDITIONAL |
- APPINFO_FLAG_CLIENT_USER },
- };
-
- handler->register_detector(name, this, proto);
-}
-
-
-template
-static inline const Hdr* advance(const uint8_t*& cur, const uint8_t* const end)
-{
- assert(end >= cur);
- if ( (size_t)(end - cur) < sizeof(Hdr) )
- return nullptr;
-
- cur += sizeof(Hdr);
- return reinterpret_cast(cur);
-}
-
-static inline bool check_username(
- const uint8_t* const data, const FLAPTLV* tlv, char* const buf, char* const buf_end)
-{
- const uint8_t* const end = data + tlv->len;
- char* ptr = buf;
-
- for ( const uint8_t* cur = data; cur < end; ++cur )
- {
- if (isalnum(*cur) || *cur == '.' || *cur == '@' || *cur == '-' || *cur == '_')
- {
- if ( ptr < buf_end )
- *ptr++ = *cur;
- }
- else
- return false;
- }
-
- *ptr = '\0';
-
- return true;
-}
-
-int AimClientDetector::validate(AppIdDiscoveryArgs& args)
-{
- if ( args.dir != APP_ID_FROM_INITIATOR )
- return APPID_INPROCESS;
-
- const uint8_t* const end = args.data + args.size;
- const uint8_t* cur = args.data;
-
- while ( cur < end )
- {
- auto fh = advance(cur, end);
- if ( !fh )
- goto bail;
-
- if (fh->start != 0x2a || fh->channel < 1 || fh->channel > 5)
- goto bail;
-
- uint16_t len = ntohs(fh->len);
-
- if (len > (end - cur))
- goto bail;
-
- bool check_user_name = false;
-
- if ( fh->channel == 0x02 )
- {
- auto fnac = advance(cur, end);
- if ( !fnac )
- goto bail;
-
- if (fnac->family == htons(0x0017) && fnac->subtype == htons(0x0006))
- check_user_name = true;
-
- len -= sizeof(*fnac);
- }
- else if ( fh->channel == 0x01 )
- {
- if ( len < 4 || memcmp(cur, &AIM_PROTOCOL_VERSION[2], 4) != 0 )
- goto bail;
-
- len -= 4;
- cur += 4;
- }
-
- if ( len )
- {
- bool got_id = false;
- uint16_t major = 0;
- uint16_t minor = 0;
- uint16_t lesser = 0;
-
- const uint8_t* const frame_end = cur + len;
-
- while ( cur < frame_end )
- {
- auto tlv = advance(cur, frame_end);
- if ( !tlv )
- goto bail;
-
- if (frame_end - cur < tlv->len)
- goto bail;
-
- switch ( ntohs(tlv->subtype) )
- {
- case 0x0001:
- if ( check_user_name )
- {
- constexpr auto USERNAME_LEN = 256;
- char username[USERNAME_LEN];
-
- if ( check_username(cur, tlv, username, username + USERNAME_LEN - 1) )
- add_user(args.asd, username, APP_ID_AOL_INSTANT_MESSENGER, true, args.change_bits);
- }
- break;
- case 0x0003:
- got_id = true;
- break;
- case 0x0017:
- got_id = true;
- major = ntohs(*(const uint16_t*)cur);
- break;
- case 0x0018:
- got_id = true;
- minor = ntohs(*(const
uint16_t*)cur);
- break;
- case 0x0019:
- got_id = true;
- lesser = ntohs(*(const uint16_t*)cur);
- break;
- default:
- break;
- }
-
- cur += tlv->len;
- }
-
- if ( got_id )
- {
- char version[MAX_VERSION_SIZE];
-
- snprintf(version, sizeof(version), "%d.%d.%d", major, minor, lesser);
- add_app(args.asd, APP_ID_AOL_INSTANT_MESSENGER, APP_ID_AOL_INSTANT_MESSENGER,
- version, args.change_bits);
- }
- }
- }
-
- return APPID_INPROCESS;
-
-bail:
- // FIXIT-L - why are we setting client detected here?
- args.asd.set_client_detected();
- return APPID_SUCCESS;
-}
-
diff --git a/src/network_inspectors/appid/client_plugins/client_app_aim.h b/src/network_inspectors/appid/client_plugins/client_app_aim.h
deleted file mode 100644
index a1698138f..000000000
--- a/src/network_inspectors/appid/client_plugins/client_app_aim.h
+++ /dev/null
@@ -1,35 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// client_app_aim.h author Sourcefire Inc.
-
-#ifndef CLIENT_APP_AIM_H
-#define CLIENT_APP_AIM_H
-
-#include "client_plugins/client_detector.h"
-
-class AimClientDetector : public ClientDetector
-{
-public:
- AimClientDetector(ClientDiscovery*);
-
- int validate(AppIdDiscoveryArgs&) override;
-};
-#endif
-
diff --git a/src/network_inspectors/appid/client_plugins/client_app_ym.cc b/src/network_inspectors/appid/client_plugins/client_app_ym.cc
deleted file mode 100644
index 1b916061b..000000000
--- a/src/network_inspectors/appid/client_plugins/client_app_ym.cc
+++ /dev/null
@@ -1,154 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// client_app_ym.cc author Sourcefire Inc.
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "client_app_ym.h"
-
-#include "app_info_table.h"
-#include "application_ids.h"
-
-#define MAX_VERSION_SIZE 64
-static const uint8_t APP_YMSG[] = "YMSG";
-
-YmDetector::YmDetector(ClientDiscovery* cdm)
-{
- handler = cdm;
- name = "YM";
- proto = IpProtocol::TCP;
- minimum_matches = 1;
- provides_user = true;
-
- tcp_patterns =
- {
- { APP_YMSG, sizeof(APP_YMSG) - 1, -1, 0, APP_ID_YAHOO_MSG },
- };
-
- appid_registry =
- {
- { APP_ID_YAHOO, APPINFO_FLAG_CLIENT_ADDITIONAL },
- { APP_ID_YAHOO_MSG, APPINFO_FLAG_CLIENT_ADDITIONAL }
- };
-
- handler->register_detector(name, this, proto);
-}
-
-
-static const uint8_t* skip_separator(const uint8_t* data, const uint8_t* end)
-{
- while ( data + 1 < end )
- {
- if ( data[0] == 0xc0 && data[1] == 0x80 )
- break;
-
- data++;
- }
-
- data += 2;
-
- return data;
-}
-
-int YmDetector::validate(AppIdDiscoveryArgs& args)
-{
-#define HEADERSIZE 20
-#define VERSIONID "135"
-#define SEPARATOR 0xc080
-
- const uint8_t* end;
- uint16_t len;
- uint8_t version[MAX_VERSION_SIZE];
- uint8_t* v;
- uint8_t* v_end;
- uint32_t product_id;
-
- product_id = APP_ID_YAHOO;
- memset(&version,0,sizeof(version));
-
- if ( !args.data )
- return APPID_ENULL;
-
- if (args.dir != APP_ID_FROM_INITIATOR)
- return APPID_INPROCESS;
-
- /* Validate the packet using the length field, otherwise abort.
*/
- if ( args.size < 10 )
- return APPID_ENULL;
-
- len = *((const uint16_t*)(args.data + 8));
- len = ntohs(len);
-
- if ( len != (args.size - HEADERSIZE) )
- return APPID_ENULL;
-
- end = args.data + args.size;
-
- if ( args.size >= HEADERSIZE )
- {
- args.data += HEADERSIZE;
- }
-
- while ( args.data < end )
- {
- if ( end-args.data >= (int)sizeof(VERSIONID) && memcmp(args.data, VERSIONID,
- sizeof(VERSIONID)-1) ==
- 0 )
- {
- args.data += sizeof(VERSIONID)-1;
-
- if ( args.data + 2 >= end ) /* Skip the separator */
- goto done;
- else
- args.data += 2;
-
- product_id = APP_ID_YAHOO;
-
- v = version;
-
- v_end = v + (MAX_VERSION_SIZE - 1);
-
- /* Get the version */
- while ( args.data + 1 < end && v < v_end )
- {
- if ( args.data[0] == 0xc0 && args.data[1] == 0x80 )
- break;
-
- *v = *args.data;
- v++;
- args.data++;
- }
-
- goto done;
- }
-
- args.data = skip_separator(args.data,end); /*skip to the command end separator */
- args.data = skip_separator(args.data,end); /* skip to the command data end separator */
- }
-
- return APPID_INPROCESS;
-
-done:
- add_app(args.asd, APP_ID_YAHOO, product_id, (char*)version, args.change_bits);
- return APPID_SUCCESS;
-}
-
diff --git a/src/network_inspectors/appid/client_plugins/client_app_ym.h b/src/network_inspectors/appid/client_plugins/client_app_ym.h
deleted file mode 100644
index e7828cb9a..000000000
--- a/src/network_inspectors/appid/client_plugins/client_app_ym.h
+++ /dev/null
@@ -1,35 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// client_app_ym.h author Sourcefire Inc.
-
-#ifndef CLIENT_APP_YM_H
-#define CLIENT_APP_YM_H
-
-#include "client_plugins/client_detector.h"
-
-class YmDetector : public ClientDetector
-{
-public:
- YmDetector(ClientDiscovery*);
-
- int validate(AppIdDiscoveryArgs&) override;
-};
-#endif
-
diff --git a/src/network_inspectors/appid/client_plugins/client_discovery.cc b/src/network_inspectors/appid/client_plugins/client_discovery.cc
index b6ff74b20..a2b692c82 100644
--- a/src/network_inspectors/appid/client_plugins/client_discovery.cc
+++ b/src/network_inspectors/appid/client_plugins/client_discovery.cc
@@ -31,7 +31,6 @@
 #include "app_info_table.h"
 #include "appid_debug.h"
 #include "appid_session.h"
-#include "client_app_aim.h"
 #include "client_app_bit_tracker.h"
 #include "client_app_bit.h"
 #include "client_app_msn.h"
@@ -53,7 +52,6 @@ using namespace snort;
 void ClientDiscovery::initialize()
 {
- new AimClientDetector(this);
 new BitClientDetector(this);
 new BitTrackerClientDetector(this);
 new ImapClientDetector(this);
diff --git a/src/network_inspectors/appid/client_plugins/test/CMakeLists.txt b/src/network_inspectors/appid/client_plugins/test/CMakeLists.txt
deleted file mode 100644
index 42f8e48fd..000000000
--- a/src/network_inspectors/appid/client_plugins/test/CMakeLists.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-
-include_directories ( appid PRIVATE ${APPID_INCLUDE_DIR} )
-
-add_cpputest( client_app_aim_test )
diff --git a/src/network_inspectors/appid/client_plugins/test/client_app_aim_test.cc b/src/network_inspectors/appid/client_plugins/test/client_app_aim_test.cc
deleted file mode 100644
index 7225cc625..000000000
--- a/src/network_inspectors/appid/client_plugins/test/client_app_aim_test.cc
+++ /dev/null
@@ -1,62 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2020-2020 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// client_app_aim_test.cc author Kani Murthi
-// unit test for client_app_aim_test.cc
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "network_inspectors/appid/client_plugins/client_app_aim.cc"
-#include "network_inspectors/appid/client_plugins/client_detector.cc"
-#include "protocols/packet.h"
-#include "client_plugin_mock.h"
-
-#include
-#include
-#include
-
-void ServiceDiscovery::initialize() {}
-void ServiceDiscovery::reload() {}
-int ServiceDiscovery::fail_service(AppIdSession&, const Packet*, AppidSessionDirection,
- ServiceDetector*, ServiceDiscoveryState*) { return 0; }
-int ServiceDiscovery::add_service_port(AppIdDetector*,
- const ServiceDetectorPort&) { return APPID_EINVALID; }
-
-TEST_GROUP(client_app_aim_test){};
-
-TEST(client_app_aim_test, check_username)
-{
- uint8_t data[] = {"test@gmail.com\0"};
- FLAPTLV tlv = {0x0001, 14};
- char buf[256];
- bool ret;
- ret = check_username(data, &tlv, buf, buf + 255);
-
CHECK_TRUE(ret);
- STRCMP_EQUAL(buf, "test@gmail.com");
- uint8_t invalid_data[] = {"test^"};
- tlv = {0x0001, 5};
- ret = check_username(invalid_data, &tlv, buf, buf + 255);
- CHECK_FALSE(ret);
-}
-
-int main(int argc, char** argv)
-{
- int return_value = CommandLineTestRunner::RunAllTests(argc, argv);
- return return_value;
-}
diff --git a/src/network_inspectors/appid/client_plugins/test/client_plugin_mock.h b/src/network_inspectors/appid/client_plugins/test/client_plugin_mock.h
deleted file mode 100644
index 439ec9db1..000000000
--- a/src/network_inspectors/appid/client_plugins/test/client_plugin_mock.h
+++ /dev/null
@@ -1,123 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2020-2020 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-// client_plugins_mock.h author Kani Murthi
-
-#ifndef CLIENT_PLUGIN_MOCK_H
-#define CLIENT_PLUGIN_MOCK_H
-
-#include "appid_detector.h"
-#include "appid_module.h"
-#include "appid_peg_counts.h"
-#include "utils/stats.h"
-namespace snort
-{
-// Stubs for messages
-void ParseWarning(WarningGroup, const char*, ...)
{ }
-
-// Stubs for appid sessions
-FlowData::FlowData(unsigned, Inspector*) { }
-FlowData::~FlowData() = default;
-
-// Stubs for packet
-Packet::Packet(bool) { }
-Packet::~Packet() = default;
-
-Inspector::Inspector() = default;
-Inspector::~Inspector() = default;
-bool Inspector::likes(Packet*) { return true; }
-bool Inspector::get_buf(const char*, Packet*, InspectionBuffer&) { return true; }
-class StreamSplitter* Inspector::get_splitter(bool) { return nullptr; }
-
-// Stubs for search_tool.cc
-SearchTool::SearchTool(const char*, bool) { }
-SearchTool::~SearchTool() = default;
-
-// Stubs for util.cc
-char* snort_strdup(const char* str)
-{
- assert(str);
- size_t n = strlen(str) + 1;
- char* p = (char*)snort_alloc(n);
- memcpy(p, str, n);
- return p;
-}
-class InspectorManager
-{
-public:
- SO_PUBLIC static Inspector* get_inspector(const char*, bool, SnortConfig*) {return nullptr;}
-};
-PegCount Module::get_global_count(char const*) const { return 0; }
-void Module::show_interval_stats(std::vector >&, FILE*) {}
-void Module::show_stats(){}
-void Module::sum_stats(bool ){}
-void Module::reset_stats() {}
-}
-
-SslPatternMatchers::~SslPatternMatchers() { }
-SipPatternMatchers::~SipPatternMatchers() { }
-HttpPatternMatchers::~HttpPatternMatchers() { }
-DnsPatternMatchers::~DnsPatternMatchers() { }
-void ClientDiscovery::initialize() {}
-void ClientDiscovery::reload() {}
-
-int AppIdDetector::initialize(){return 0;}
-void AppIdDetector::reload() { }
-int AppIdDetector::data_add(AppIdSession&, void*, AppIdFreeFCN){return 0;}
-void* AppIdDetector::data_get(AppIdSession&) {return nullptr;}
-void AppIdDetector::add_user(AppIdSession&, const char*, AppId, bool, AppidChangeBits&){}
-void AppIdDetector::add_payload(AppIdSession&, AppId){}
-void AppIdDetector::add_app(const snort::Packet&, AppIdSession&, AppidSessionDirection, AppId, AppId, const char*, AppidChangeBits&){}
-void AppIdDiscovery::add_pattern_data(AppIdDetector*, snort::SearchTool&, int,
- const uint8_t*
const, unsigned, unsigned){}
-void AppIdDiscovery::register_detector(const std::string&, AppIdDetector*, IpProtocol){}
-void add_pattern_data(AppIdDetector*, snort::SearchTool*, int,
- const uint8_t* const, unsigned, unsigned) {}
-void AppIdDiscovery::register_tcp_pattern(AppIdDetector*, const uint8_t* const, unsigned,
- int, unsigned){}
-void AppIdDiscovery::register_udp_pattern(AppIdDetector*, const uint8_t* const, unsigned,
- int, unsigned){}
-int AppIdDiscovery::add_service_port(AppIdDetector*, const ServiceDetectorPort&){return 0;}
-void ApplicationDescriptor::set_id(const snort::Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&){}
-void ApplicationDescriptor::set_id(AppId){}
-AppIdDiscovery::~AppIdDiscovery() { }
-void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
-void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { }
-AppIdConfig config;
-AppIdContext ctxt(config);
-
-// Stubs for modules, config
-AppIdConfig::~AppIdConfig() = default;
-
-// Stubs for AppIdPegCounts
-void AppIdPegCounts::update_payload_count(AppId, bool) { }
-void AppIdPegCounts::update_client_count(AppId, bool) { }
-
-THREAD_LOCAL AppIdStats appid_stats;
-
-// Stubs for app_info_table.cc
-AppInfoTableEntry* AppInfoManager::get_app_info_entry(int)
-{
- return nullptr;
-}
-
-bool AppInfoManager::configured()
-{
- return true;
-}
-
-#endif
diff --git a/src/network_inspectors/appid/service_plugins/service_discovery.cc b/src/network_inspectors/appid/service_plugins/service_discovery.cc
index 6523f180e..0c7dfff80 100644
--- a/src/network_inspectors/appid/service_plugins/service_discovery.cc
+++ b/src/network_inspectors/appid/service_plugins/service_discovery.cc
@@ -50,7 +50,6 @@
 #include "service_bootp.h"
 #include "service_dcerpc.h"
 #include "service_direct_connect.h"
-#include "service_flap.h"
 #include "service_ftp.h"
 #include "service_irc.h"
 #include "service_lpr.h"
@@ -95,7 +94,6 @@ void ServiceDiscovery::initialize()
 new DirectConnectServiceDetector(this);
 new DnsTcpServiceDetector(this);
 new DnsUdpServiceDetector(this);
- new FlapServiceDetector(this);
 new FtpServiceDetector(this);
 new ImapServiceDetector(this);
 new IrcServiceDetector(this);
diff --git a/src/network_inspectors/appid/service_plugins/service_flap.cc b/src/network_inspectors/appid/service_plugins/service_flap.cc
deleted file mode 100644
index 3627600b8..000000000
--- a/src/network_inspectors/appid/service_plugins/service_flap.cc
+++ /dev/null
@@ -1,212 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// service_flap.cc author Sourcefire Inc.
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "service_flap.h"
-
-#define FLAP_PORT 5190
-
-enum FLAPState
-{
- FLAP_STATE_ACK,
- FLAP_STATE_COOKIE
-};
-
-#define FNAC_SIGNON 0x0017
-#define FNAC_GENERIC 0x0001
-#define FNAC_SUB_SIGNON_REPLY 0x0007
-#define FNAC_SUB_SERVER_READY 0x0003
-
-struct ServiceFLAPData
-{
- FLAPState state;
-};
-
-#pragma pack(1)
-
-struct FLAPFNACSignOn
-{
- uint16_t len;
-};
-
-struct FLAPFNAC
-{
- uint16_t family;
- uint16_t subtype;
- uint16_t flags;
- uint32_t id;
-};
-
-struct FLAPTLV
-{
- uint16_t subtype;
- uint16_t len;
-};
-
-struct FLAPHeader
-{
- uint8_t start;
- uint8_t type;
- uint16_t seq;
- uint16_t len;
-};
-
-#pragma pack()
-
-static uint8_t FLAP_PATTERN[] = { 0x2A, 0x01 };
-
-FlapServiceDetector::FlapServiceDetector(ServiceDiscovery* sd)
-{
- handler = sd;
- name = "flap";
- proto = IpProtocol::TCP;
- detectorType = DETECTOR_TYPE_DECODER;
-
- tcp_patterns =
- {
- { FLAP_PATTERN, sizeof(FLAP_PATTERN), 0, 0, 0 },
- };
-
- appid_registry =
- {
- { APP_ID_AOL_INSTANT_MESSENGER, 0 }
- };
-
- service_ports =
- {
- { 5190, IpProtocol::TCP, false },
- { 9898, IpProtocol::TCP, false },
- { 4443, IpProtocol::TCP, false }
- };
-
- handler->register_detector(name, this, proto);
-}
-
-
-int FlapServiceDetector::validate(AppIdDiscoveryArgs& args)
-{
- ServiceFLAPData* sf;
- const uint8_t* data = args.data;
- const FLAPHeader* hdr = (const FLAPHeader*)args.data;
- uint16_t size = args.size;
- const FLAPFNAC* ff;
- const FLAPTLV* tlv;
- uint16_t len;
-
- if (!size)
- goto inprocess;
- if (args.dir != APP_ID_FROM_RESPONDER)
- goto inprocess;
-
- sf = (ServiceFLAPData*)data_get(args.asd);
- if (!sf)
- {
- sf = (ServiceFLAPData*)snort_calloc(sizeof(ServiceFLAPData));
- data_add(args.asd, sf, &snort_free);
- sf->state = FLAP_STATE_ACK;
- }
-
- switch (sf->state)
- {
- case FLAP_STATE_ACK:
- sf->state = FLAP_STATE_COOKIE;
- if (size < sizeof(FLAPHeader))
- goto fail;
- if (hdr->start != 0x2A)
- goto fail;
- if (hdr->type
!= 0x01)
- goto fail;
- if (ntohs(hdr->len) != 4)
- goto fail;
- if (size - sizeof(FLAPHeader) != 4)
- goto fail;
- if (ntohl(*((const uint32_t*)(data + sizeof(FLAPHeader)))) != 0x00000001)
- goto fail;
- goto inprocess;
- case FLAP_STATE_COOKIE:
- if (size < sizeof(FLAPHeader) + sizeof(FLAPFNAC))
- goto fail;
- if (hdr->start != 0x2A)
- goto fail;
- if ((uint16_t)ntohs(hdr->len) != (uint16_t)(size - sizeof(FLAPHeader)))
- goto fail;
- if (hdr->type == 0x02)
- {
- ff = (const FLAPFNAC*)(data + sizeof(FLAPHeader));
- if (ntohs(ff->family) == FNAC_SIGNON)
- {
- const FLAPFNACSignOn* ffs = (const FLAPFNACSignOn*)((const uint8_t*)ff + sizeof(FLAPFNAC));
-
- if (ntohs(ff->subtype) != FNAC_SUB_SIGNON_REPLY)
- goto fail;
- if ((uint16_t)ntohs(ffs->len) != (uint16_t)(size -
- (sizeof(FLAPHeader) +
- sizeof(FLAPFNAC) +
- sizeof(FLAPFNACSignOn))))
- goto fail;
- }
- else if (ntohs(ff->family) == FNAC_GENERIC)
- {
- if (ntohs(ff->subtype) != FNAC_SUB_SERVER_READY)
- goto fail;
- }
- else
- goto fail;
- goto success;
- }
- if (hdr->type == 0x04)
- {
- data += sizeof(FLAPHeader);
- size -= sizeof(FLAPHeader);
- while (size >= sizeof(FLAPTLV))
- {
- tlv = (const FLAPTLV*)data;
- data += sizeof(FLAPTLV);
- size -= sizeof(FLAPTLV);
- len = ntohs(tlv->len);
- if (size < len)
- goto fail;
- size -= len;
- data += len;
- }
- if (size)
- goto fail;
- goto success;
- }
- goto fail;
- }
-
-fail:
- fail_service(args.asd, args.pkt, args.dir);
- return APPID_NOMATCH;
-
-success:
- return add_service(args.change_bits, args.asd, args.pkt, args.dir,
- APP_ID_AOL_INSTANT_MESSENGER);
-
-inprocess:
- service_inprocess(args.asd, args.pkt, args.dir);
- return APPID_INPROCESS;
-}
-
diff --git a/src/network_inspectors/appid/service_plugins/service_flap.h b/src/network_inspectors/appid/service_plugins/service_flap.h
deleted file mode 100644
index c468fdd5b..000000000
--- a/src/network_inspectors/appid/service_plugins/service_flap.h
+++ /dev/null
@@ -1,37 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// service_flap.h author Sourcefire Inc.
-
-#ifndef SERVICE_FLAP_H
-#define SERVICE_FLAP_H
-
-#include "service_detector.h"
-
-class ServiceDiscovery;
-
-class FlapServiceDetector : public ServiceDetector
-{
-public:
- FlapServiceDetector(ServiceDiscovery*);
-
- int validate(AppIdDiscoveryArgs&) override;
-};
-#endif
-