From: Bhargava Jandhyala (bjandhya) Date: Thu, 18 Jun 2020 07:42:55 +0000 (+0000) Subject: Merge pull request #2087 in SNORT/snort3 from ~NEHASH4/snort3:CSCvs29881 to master X-Git-Tag: 3.0.1-5~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aa1e37687d6565c98c0880ff19214180bbdf53fc;p=thirdparty%2Fsnort3.git Merge pull request #2087 in SNORT/snort3 from ~NEHASH4/snort3:CSCvs29881 to master Squashed commit of the following: commit d778ed0b01db01711626f4e4d447dc2632d1ba5b Author: neha sharma Date: Sat Apr 11 13:40:32 2020 -0400 file: Making sure that file malware inspection is turned off and only file-type detection is enabled when file_id config is defined without any parameter. forcing file-policy lookup/evaluation for cached verdict and file inspection is done only in case of unknown verdict HTTP inspector changed to use the decode depth from file_id config --- diff --git a/src/file_api/file_cache.cc b/src/file_api/file_cache.cc index a64397b75..b90f6b778 100644 --- a/src/file_api/file_cache.cc +++ b/src/file_api/file_cache.cc @@ -219,16 +219,14 @@ FileVerdict FileCache::check_verdict(Packet* p, FileInfo* file, assert(file); FileVerdict verdict = policy->type_lookup(p, file); - - if ( file->get_file_sig_sha256() and - ((verdict == FILE_VERDICT_UNKNOWN) or (verdict == FILE_VERDICT_STOP_CAPTURE))) + if (verdict == FILE_VERDICT_STOP_CAPTURE) { - verdict = policy->signature_lookup(p, file); + verdict = FILE_VERDICT_UNKNOWN; } - if ((verdict == FILE_VERDICT_UNKNOWN) or (verdict == FILE_VERDICT_STOP_CAPTURE)) + if ( file->get_file_sig_sha256() and verdict == FILE_VERDICT_UNKNOWN ) { - verdict = file->verdict; + verdict = policy->signature_lookup(p, file); } return verdict; diff --git a/src/file_api/file_module.cc b/src/file_api/file_module.cc index 8ae34ab09..40006d7e7 100644 --- a/src/file_api/file_module.cc +++ b/src/file_api/file_module.cc 
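Review bot: The cached `file->verdict` is no longer consulted in `check_verdict`, so a reader will look for the fall-through that used to return it and find nothing explaining its absence; add a comment above the first `if`, e.g. `// Deliberately ignore the cached file->verdict: the policy is re-evaluated on every call so a rule change applies to files already in the cache.` Note also that the remap of `FILE_VERDICT_STOP_CAPTURE` to `FILE_VERDICT_UNKNOWN` covers only the type lookup, so a `STOP_CAPTURE` returned by `signature_lookup` now reaches the caller where the old code replaced it with the cached verdict; confirm callers treat that value as final. `check_verdict` starts outside the hunk.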
@@ -159,7 +159,7 @@ static const Parameter file_id_params[] = { "enable_type", Parameter::PT_BOOL, nullptr, "true", "enable type ID" }, - { "enable_signature", Parameter::PT_BOOL, nullptr, "true", + { "enable_signature", Parameter::PT_BOOL, nullptr, "false", "enable signature calculation" }, { "enable_capture", Parameter::PT_BOOL, nullptr, "false", @@ -186,6 +186,27 @@ static const Parameter file_id_params[] = { "verdict_delay", Parameter::PT_INT, "0:max53", "0", "number of queries to return final verdict" }, + { "b64_decode_depth", Parameter::PT_INT, "-1:65535", "-1", + "base64 decoding depth (-1 no limit)" }, + + { "bitenc_decode_depth", Parameter::PT_INT, "-1:65535", "-1", + "Non-Encoded MIME attachment extraction depth (-1 no limit)" }, + + { "decompress_pdf", Parameter::PT_BOOL, nullptr, "false", + "decompress pdf files in MIME attachments" }, + + { "decompress_swf", Parameter::PT_BOOL, nullptr, "false", + "decompress swf files in MIME attachments" }, + + { "decompress_zip", Parameter::PT_BOOL, nullptr, "false", + "decompress zip files in MIME attachments" }, + + { "qp_decode_depth", Parameter::PT_INT, "-1:65535", "-1", + "Quoted Printable decoding depth (-1 no limit)" }, + + { "uu_decode_depth", Parameter::PT_INT, "-1:65535", "-1", + "Unix-to-Unix decoding depth (-1 no limit)" }, + { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; 
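Review bot: The new decode-depth parameters accept 0 as well as -1, and their `set()` handlers map the two to different internal values, yet every help string documents only `-1`; state both, e.g. `"base64 decoding depth (-1 no limit, 0 disable)"`, if 0 does disable decoding as the mapping suggests. Flipping the `enable_signature` default from `"true"` to `"false"` silently stops SHA-256 signature lookups for any deployment that relied on the default; making the help read `"enable signature calculation (required for file signature rules)"` would surface that dependency in the module help output. As a style point, `"Non-Encoded MIME attachment extraction depth"` is the only capitalised help string in the table.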
@@ -272,29 +293,20 @@ bool FileIdModule::set(const char*, Value& v, SnortConfig*) else if ( v.is("enable_type") ) { - if ( v.get_bool() ) - { - fp.set_file_type(true); - } + fp.set_file_type(v.get_bool()); } else if ( v.is("enable_signature") ) { - if ( v.get_bool() ) - { - fp.set_file_signature(true); - } + fp.set_file_signature(v.get_bool()); } else if ( v.is("enable_capture") ) { - if ( v.get_bool() ) + if (v.get_bool() and Snort::is_reloading() and !FileService::is_file_capture_enabled()) { - if (Snort::is_reloading() && !FileService::is_file_capture_enabled()) - { - ReloadError("Changing file_id.enable_capture requires a restart.\n"); - return false; - } - fp.set_file_capture(true); + ReloadError("Changing file_id.enable_capture requires a restart.\n"); + return false; } + fp.set_file_capture(v.get_bool()); } else if ( v.is("show_data_depth") ) fc->show_data_depth = v.get_int64(); 
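Review bot: The reload guard for `enable_capture` only fires when capture is being turned on, yet the new code now also reaches `fp.set_file_capture(false)` and the error text says that *changing* the setting needs a restart; if turning capture off at reload is equally unsupported, compare the requested value with the running state instead: `if (Snort::is_reloading() and v.get_bool() != FileService::is_file_capture_enabled())`. If disabling at reload is actually safe, a one-line comment saying so would keep the asymmetry from reading as an oversight. `FileIdModule::set` starts and ends outside the hunk.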
@@ -313,6 +325,39 @@ bool FileIdModule::set(const char*, Value& v, SnortConfig*) fc->verdict_delay = v.get_int64(); fp.set_verdict_delay(fc->verdict_delay); } + else if ( v.is("decompress_pdf") ) + FileService::decode_conf.set_decompress_pdf(v.get_bool()); + + else if ( v.is("decompress_swf") ) + FileService::decode_conf.set_decompress_swf(v.get_bool()); + + else if ( v.is("decompress_zip") ) + FileService::decode_conf.set_decompress_zip(v.get_bool()); + + else if (v.is("b64_decode_depth")) + { + int32_t value = v.get_int32(); + int32_t mime = value > 0 ? value : -(value+1); + FileService::decode_conf.set_b64_depth(mime); + } + else if (v.is("bitenc_decode_depth")) + { + int32_t value = v.get_int32(); + int32_t mime = value > 0 ? value : -(value+1); + FileService::decode_conf.set_bitenc_depth(mime); + } + else if (v.is("qp_decode_depth")) + { + int32_t value = v.get_int32(); + int32_t mime = value > 0 ? value : -(value+1); + FileService::decode_conf.set_qp_depth(mime); + } + else if (v.is("uu_decode_depth")) + { + int32_t value = v.get_int32(); + int32_t mime = value > 0 ? value : -(value+1); + FileService::decode_conf.set_uu_depth(mime); + } else if ( v.is("file_rules") ) return true; diff --git a/src/file_api/file_service.cc b/src/file_api/file_service.cc index 8f371ad00..db43ff374 100644 --- a/src/file_api/file_service.cc +++ b/src/file_api/file_service.cc @@ -47,6 +47,7 @@ bool FileService::file_capture_enabled = false; bool FileService::file_processing_initiated = false; FileCache* FileService::file_cache = nullptr; +DecodeConfig FileService::decode_conf; // FIXIT-L make these params reloadable static int64_t max_files_cached = 0; @@ -177,6 +178,16 @@ int64_t FileService::get_max_file_depth() } } +void FileService::reset_depths() +{ + FileConfig* file_config = get_file_config(); + + if (file_config) + file_config->file_depth = 0; + + decode_conf.sync_all_depths(); +} + namespace snort { uint64_t get_file_processed_size(Flow* flow) 
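Review bot: The decompress and decode-depth values are written straight into the process-wide `FileService::decode_conf` while every other value in `set()` goes into the `FileConfig`/`FilePolicy` being built, so on reload they take effect the moment the new config is parsed rather than when it is swapped in, and an aborted reload leaves them changed; the same object is handed to every `MimeSession` by pointer in http_msg_header.cc and exposed as a public mutable static in file_service.h. Consider keeping the `DecodeConfig` inside `FileConfig` (reachable via `get_file_config()` as `reset_depths()` already does) and copying it into `FileService` at swap time. The four depth handlers also repeat the same expression; a helper such as `static int32_t to_mime_depth(int32_t v) { return v > 0 ? v : -(v + 1); }` with a comment on the convention it translates (config side: -1 no limit, 0 off, as it appears) would remove the duplication and document it once. `FileIdModule::set` starts and ends outside the hunk.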
diff --git a/src/file_api/file_service.h b/src/file_api/file_service.h index 2b504d199..42da0312b 100644 --- a/src/file_api/file_service.h +++ b/src/file_api/file_service.h @@ -27,6 +27,7 @@ #include "file_api/file_policy.h" #include "main/snort_config.h" #include "main/snort_types.h" +#include "mime/file_mime_config.h" class FileEnforcer; class FileCache; @@ -59,8 +60,10 @@ public: static bool is_file_capture_enabled() { return file_capture_enabled; } static bool is_file_service_enabled(); static int64_t get_max_file_depth(); + static void reset_depths(); static FileCache* get_file_cache() { return file_cache; } + static DecodeConfig decode_conf; private: static bool file_type_id_enabled; diff --git a/src/service_inspectors/dce_rpc/dce_smb_utils.cc b/src/service_inspectors/dce_rpc/dce_smb_utils.cc index 7586b650f..08f26cfcf 100644 --- a/src/service_inspectors/dce_rpc/dce_smb_utils.cc +++ b/src/service_inspectors/dce_rpc/dce_smb_utils.cc @@ -1345,8 +1345,10 @@ void DCE2_SmbAbortFileAPI(DCE2_SmbSsnData* ssd) static FileContext* DCE2_get_main_file_context() { FileFlows* file_flows = FileFlows::get_file_flows(DetectionEngine::get_current_packet()->flow); - assert(file_flows); - return file_flows->get_current_file_context(); + if (file_flows) + return file_flows->get_current_file_context(); + else + return nullptr; } FileVerdict DCE2_get_file_verdict() @@ -1538,6 +1540,10 @@ static DCE2_Ret DCE2_SmbFileAPIProcess(DCE2_SmbSsnData* ssd, Packet* p = DetectionEngine::get_current_packet(); FileFlows* file_flows = FileFlows::get_file_flows(p->flow); + + if (!file_flows) + return DCE2_RET__ERROR; + if (!file_flows->file_process(p, data_ptr, (int)data_len, position, upload, DCE2_SmbIsVerdictSuspend(upload, position))) { diff --git a/src/service_inspectors/http_inspect/http_inspect.cc b/src/service_inspectors/http_inspect/http_inspect.cc index 198d4aaa7..4ed650aae 100644 --- a/src/service_inspectors/http_inspect/http_inspect.cc 
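Review bot: `DCE2_get_main_file_context` now returns `nullptr` instead of asserting, which moves the null check onto its callers, and those callers (starting with `DCE2_get_file_verdict`, which begins right after it) are outside this hunk; unless each one tests the result, the former assertion failure becomes a null dereference. Document the new contract on the function, e.g. `// Returns nullptr when file inspection is not active on the current flow; callers must check.`, and verify every call site.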
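Review bot: Returning `DCE2_RET__ERROR` from `DCE2_SmbFileAPIProcess` when no `FileFlows` exist reports "file inspection not configured" as a failure of the SMB file-API call, which callers presumably handle like a genuine processing error; if the intent is merely to skip file inspection when `file_id` is absent, a non-error return would be more accurate, or a comment should state that treating it as an error is deliberate. The function starts and ends outside the hunk.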
+++ b/src/service_inspectors/http_inspect/http_inspect.cc @@ -113,8 +113,6 @@ bool HttpInspect::configure(SnortConfig* ) if (params->js_norm_param.normalize_javascript) params->js_norm_param.js_norm->configure(); - config_decode(); - return true; } @@ -464,8 +462,7 @@ bool HttpInspect::process(const uint8_t* data, const uint16_t dsize, Flow* const break; case SEC_HEADER: current_section = new HttpMsgHeader( - data, dsize, session_data, source_id, buf_owner, flow, params, - decode_conf); + data, dsize, session_data, source_id, buf_owner, flow, params); break; case SEC_BODY_CL: current_section = new HttpMsgBodyCl( diff --git a/src/service_inspectors/http_inspect/http_inspect.h b/src/service_inspectors/http_inspect/http_inspect.h index 593f21aed..24e15e99b 100644 --- a/src/service_inspectors/http_inspect/http_inspect.h +++ b/src/service_inspectors/http_inspect/http_inspect.h @@ -70,7 +70,6 @@ public: static int get_xtra_uri(snort::Flow*, uint8_t**, uint32_t*, uint32_t*); static int get_xtra_host(snort::Flow*, uint8_t** buf, uint32_t* len, uint32_t* type); static int get_xtra_jsnorm(snort::Flow*, uint8_t**, uint32_t*, uint32_t*); - void config_decode() { decode_conf.sync_all_depths(); } private: friend HttpApi; @@ -88,7 +87,6 @@ private: const uint32_t xtra_uri_id; const uint32_t xtra_host_id; const uint32_t xtra_jsnorm_id; - snort::DecodeConfig decode_conf; }; #endif diff --git a/src/service_inspectors/http_inspect/http_msg_body.cc b/src/service_inspectors/http_inspect/http_msg_body.cc index c3cdba2a6..7275f3858 100644 --- a/src/service_inspectors/http_inspect/http_msg_body.cc +++ b/src/service_inspectors/http_inspect/http_msg_body.cc @@ -224,6 +224,9 @@ void HttpMsgBody::do_file_processing(const Field& file_data) if (!session_data->mime_state[source_id]) { FileFlows* file_flows = FileFlows::get_file_flows(flow); + if (!file_flows) + return; + const FileDirection dir = source_id == SRC_SERVER ? FILE_DOWNLOAD : FILE_UPLOAD; size_t file_index = 0; 
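Review bot: Removing `config_decode()` from `HttpInspect::configure` drops the only place this diff shows `sync_all_depths()` being run for HTTP, and its replacement `FileService::reset_depths()` is defined in file_service.cc but has no caller anywhere in the diff. If it is not invoked after the `file_id` module is parsed, the depths configured in file_module.cc are never synced and HTTP MIME decoding runs with whatever the `DecodeConfig` defaults are. A comment on `reset_depths()` naming the point in configuration where it must be called would make the dependency explicit. `HttpInspect::configure` continues outside the hunk.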
diff --git a/src/service_inspectors/http_inspect/http_msg_header.cc b/src/service_inspectors/http_inspect/http_msg_header.cc index 6131f8e18..f612a22ee 100644 --- a/src/service_inspectors/http_inspect/http_msg_header.cc +++ b/src/service_inspectors/http_inspect/http_msg_header.cc @@ -44,9 +44,8 @@ using namespace HttpEnums; HttpMsgHeader::HttpMsgHeader(const uint8_t* buffer, const uint16_t buf_size, HttpFlowData* session_data_, SourceId source_id_, bool buf_owner, Flow* flow_, - const HttpParaList* params_, DecodeConfig decode_conf_) : - HttpMsgHeadShared(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_), - decode_conf(decode_conf_) + const HttpParaList* params_) : + HttpMsgHeadShared(buffer, buf_size, session_data_, source_id_, buf_owner, flow_, params_) { transaction->set_header(this, source_id); get_related_sections(); @@ -420,7 +419,7 @@ void HttpMsgHeader::setup_file_processing() { if (boundary_present(content_type)) { - session_data->mime_state[source_id] = new MimeSession(&decode_conf, &mime_conf, + session_data->mime_state[source_id] = new MimeSession(&FileService::decode_conf, &mime_conf, transaction->get_file_processing_id(source_id)); // Show file processing the Content-Type header as if it were regular data. // This will enable it to find the boundary string. diff --git a/src/service_inspectors/http_inspect/http_msg_header.h b/src/service_inspectors/http_inspect/http_msg_header.h index 16663d5bf..b09c2de6b 100644 --- a/src/service_inspectors/http_inspect/http_msg_header.h +++ b/src/service_inspectors/http_inspect/http_msg_header.h 
@@ -36,7 +36,7 @@ class HttpMsgHeader : public HttpMsgHeadShared public: HttpMsgHeader(const uint8_t* buffer, const uint16_t buf_size, HttpFlowData* session_data_, HttpCommon::SourceId source_id_, bool buf_owner, snort::Flow* flow_, - const HttpParaList* params_, snort::DecodeConfig decode_conf); + const HttpParaList* params_); HttpEnums::InspectSection get_inspection_section() const override { return HttpEnums::IS_HEADER; } bool detection_required() const override { return true; } @@ -55,7 +55,6 @@ private: // Dummy configurations to support MIME processing snort::MailLogConfig mime_conf; - snort::DecodeConfig decode_conf; Field true_ip; Field true_ip_addr; diff --git a/src/service_inspectors/http_inspect/http_stream_splitter_finish.cc b/src/service_inspectors/http_inspect/http_stream_splitter_finish.cc index dba08efc6..695fdd35e 100644 --- a/src/service_inspectors/http_inspect/http_stream_splitter_finish.cc +++ b/src/service_inspectors/http_inspect/http_stream_splitter_finish.cc @@ -125,6 +125,9 @@ bool HttpStreamSplitter::finish(Flow* flow) if (!session_data->mime_state[source_id]) { FileFlows* file_flows = FileFlows::get_file_flows(flow); + if (!file_flows) + return false; + const FileDirection dir = source_id == SRC_SERVER ? FILE_DOWNLOAD : FILE_UPLOAD; size_t file_index = 0;
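Review bot: The comment `// Dummy configurations to support MIME processing` now sits above a single member, `mime_conf`, and no longer explains why only the log config is a dummy while the decode config is shared; reword it to `// Dummy mail-log config for MIME processing; the DecodeConfig is FileService::decode_conf` so the split is visible from the header.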
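Review bot: The new `return false` sits inside the `if (!session_data->mime_state[source_id])` block, so it leaves `HttpStreamSplitter::finish` entirely and skips whatever follows that block, not just the file flush; if the rest of `finish` must still run when `file_id` is not configured, wrap only the file-processing statements in `if (file_flows) { ... }` instead of returning. Whether `false` is the right result for callers cannot be judged from the hunk, since the function starts and ends outside it.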