From: Russ Combs (rucombs) Date: Mon, 4 Nov 2019 15:15:45 +0000 (-0500) Subject: Merge pull request #1825 in SNORT/snort3 from ~RUCOMBS/snort3:talos_alignment to... X-Git-Tag: 3.0.0-264~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ac2d72b9b51e3cf8a50d1c21188b5f79e6dbf9d4;p=thirdparty%2Fsnort3.git Merge pull request #1825 in SNORT/snort3 from ~RUCOMBS/snort3:talos_alignment to master Squashed commit of the following: commit 08d2f79e350a96c4359e7169ff1369e97f86f458 Author: russ Date: Fri Nov 1 10:22:36 2019 -0400 search_engine: stop searching if queue limit is reached commit 6e23316f0236958c4656610bdc1bad3a164c1a9f Author: russ Date: Tue Oct 29 18:46:47 2019 -0400 lua: tweak default conf and add tweaks for various scenarios Remove perf related configs from default snort.lua. These depend on the specific deployment. Add lua files for connectivity, balanced, security, and max detect which provide an easy way to start tuning your config. commit e1bc66e26d8b042153e8c41ba7f05526f4bdab38 Author: russ Date: Mon Nov 4 07:42:01 2019 -0500 imap, pop, smtp: changed default decode depths to unlimited commit d93e7ec438fec3ecbfd404fb33e0f1e5a8283846 Author: russ Date: Fri Nov 1 10:15:42 2019 -0400 http_inspect: change accelerated_blocking to detained_inspection commit 8f93239ab64372053cd7c1c1806b03e5b6768e54 Author: russ Date: Wed Oct 30 07:57:54 2019 -0400 ips_option::enable: fix dynamic plugin build commit d803c6f0c428dfd491733db4f18311157a7247d6 Author: russ Date: Tue Oct 29 22:09:28 2019 -0400 detection: negated fast patterns are last choice commit 1b9bfcaa59a55b43f17817d6a2ad351aab9ec4af Author: russ Date: Tue Oct 29 13:34:27 2019 -0400 ips: define a builtin GID range to prevent unloaded SIDs from firing on all packets 100 <= GID <= 999 defines a builtin rule range such that SIDs from GIDs in this range that are configured won't fire unless the module is loaded and configured. This is helpful when a dynamic plugin is not loaded. 
It is possible to have builtin GIDs outside this range, but they may fire inadvertently. Also, note that "builtin" rules doesn't include just statically linked modules. Any plugin generator (excluding text rules and SO rules) is considered "builtin". Exception to the above is granted for the old SDF (138) generator from Snort 2. Rules for GID 138 may appear as a result of snort2lua or user porting efforts so it is not considered a builtin rule. commit d6f3553be176e7e916c627a2235546d5b0bf99a3 Author: russ Date: Tue Oct 29 11:13:50 2019 -0400 port_scan: increase default memcap to a more reasonable 10M commit 1ec6e5825939555a5924de522ae5608a49f98c69 Author: russ Date: Tue Oct 29 11:12:07 2019 -0400 telnet: fix check_encrypted help string commit b30cebb995019ef83de4d9cd52a9d2f929a006c9 Author: russ Date: Sat Oct 26 19:43:19 2019 -0400 dce_smb: deprecate config for smb_file_inspection, use smb_file_depth only commit 147827d7a3228ebabf973ff1a188b13d4f50d939 Author: russ Date: Tue Oct 22 14:36:07 2019 -0400 normalizer: make tcp.ips defaults to true
---
diff --git a/lua/CMakeLists.txt b/lua/CMakeLists.txt
index 4f9fc0343..b8866ef03 100644
--- a/lua/CMakeLists.txt
+++ b/lua/CMakeLists.txt
@@ -1,7 +1,11 @@
 set (LUA_SCRIPTS
+ balanced.lua
+ connectivity.lua
 file_magic.lua
 inline.lua
+ max_detect.lua
+ security.lua
 snort.lua
 snort_defaults.lua
 talos.lua
diff --git a/lua/balanced.lua b/lua/balanced.lua
new file mode 100644
index 000000000..74fbc89ab
--- /dev/null
+++ b/lua/balanced.lua
@@ -0,0 +1,21 @@
+---------------------------------------------------------------------------
+-- balanced connectivity and security policy
+-- use with -c snort.lua --tweaks balanced
+---------------------------------------------------------------------------
+
+http_inspect.request_depth = 300
+http_inspect.response_depth = 500
+
+normalizer.tcp =
+{
+ ips = false,
+ rsv = false,
+ pad = false,
+ req_urg = false,
+ req_pay = false,
+ req_urp = false,
+ block = false,
+}
+
+port_scan = nil
+
diff --git a/lua/connectivity.lua b/lua/connectivity.lua
new file mode 100644
index 000000000..f9447bded
--- /dev/null
+++ b/lua/connectivity.lua
@@ -0,0 +1,24 @@
+---------------------------------------------------------------------------
+-- reduced security policy that favors connectivity
+-- use with -c snort.lua --tweaks connectivity
+---------------------------------------------------------------------------
+
+http_inspect.request_depth = 300
+http_inspect.response_depth = 500
+
+http_inspect.unzip = false
+http_inspect.utf8 = false
+
+normalizer.tcp =
+{
+ ips = false,
+ rsv = false,
+ pad = false,
+ req_urg = false,
+ req_pay = false,
+ req_urp = false,
+ block = false,
+}
+
+port_scan = nil
+
diff --git a/lua/max_detect.lua b/lua/max_detect.lua
new file mode 100644
index 000000000..bd18f15ec
--- /dev/null
+++ b/lua/max_detect.lua
@@ -0,0 +1,43 @@
+---------------------------------------------------------------------------
+-- maximum detection policy
+-- this will yield lowest throughput
+-- use with -c snort.lua --tweaks max_detect
+---------------------------------------------------------------------------
+
+ftp_server.check_encrypted = true
+
+http_inspect.detained_inspection = true
+http_inspect.decompress_pdf = true
+http_inspect.decompress_swf = true
+http_inspect.decompress_zip = true
+http_inspect.percent_u = true
+http_inspect.normalize_javascript = true
+
+imap.decompress_pdf = true
+imap.decompress_swf = true
+imap.decompress_zip = true
+
+pop.decompress_pdf = true
+pop.decompress_swf = true
+pop.decompress_zip = true
+
+port_scan = nil
+
+search_engine.detect_raw_tcp = true
+search_engine.queue_limit = 0
+
+smtp.decompress_pdf = true
+smtp.decompress_swf = true
+smtp.decompress_zip = true
+
+stream_tcp.require_3whs = 0
+
+stream_tcp.small_segments =
+{
+ count = 3,
+ maximum_size = 150,
+}
+
+telnet.check_encrypted = true
+telnet.normalize = true
+
diff --git a/lua/security.lua b/lua/security.lua
new file mode 100644
index 000000000..994542853
--- /dev/null
+++ b/lua/security.lua
@@ -0,0 +1,36 @@
+---------------------------------------------------------------------------
+-- enhanced security policy
+-- use with -c snort.lua --tweaks security
+---------------------------------------------------------------------------
+
+ftp_server.check_encrypted = true
+
+http_inspect.decompress_pdf = true
+http_inspect.decompress_swf = true
+http_inspect.decompress_zip = true
+
+imap.decompress_pdf = true
+imap.decompress_swf = true
+imap.decompress_zip = true
+
+pop.decompress_pdf = true
+pop.decompress_swf = true
+pop.decompress_zip = true
+
+port_scan = nil
+
+smtp.decompress_pdf = true
+smtp.decompress_swf = true
+smtp.decompress_zip = true
+
+stream_tcp.require_3whs = 180
+
+stream_tcp.small_segments =
+{
+ count = 3,
+ maximum_size = 150,
+}
+
+telnet.check_encrypted = true
+telnet.normalize = true
+
diff --git a/lua/snort.lua b/lua/snort.lua
index 9032ecc46..f7ac1adc4 100644
--- a/lua/snort.lua
+++ b/lua/snort.lua
@@ -148,11 +148,7 @@ binder =
 ---------------------------------------------------------------------------
 -- use latency to monitor / enforce packet and rule thresholds
-latency =
-{
- packet = { max_time = 1500 },
- rule = { max_time = 200 },
-}
+--latency = { }
 -- use these to capture perf data for analysis and tuning
 --profiler = { }
diff --git a/lua/talos.lua b/lua/talos.lua
index 5a3630c19..a165fc4b3 100644
--- a/lua/talos.lua
+++ b/lua/talos.lua
@@ -29,8 +29,6 @@ daq =
 snaplen = 65535
 }
-normalizer = { tcp = { ips = true } }
-
 snort = { }
 snort['-Q'] = true
diff --git a/src/detection/fp_create.cc b/src/detection/fp_create.cc
index c4482256b..bcce9ad5e 100644
--- a/src/detection/fp_create.cc
+++ b/src/detection/fp_create.cc
@@ -396,7 +396,7 @@ static int fpFinishPortGroupRule(
 pattern_length = pmd->pattern_size;
 }
- if ( fp->get_debug_print_fast_patterns() )
+ if ( fp->get_debug_print_fast_patterns() and !otn->soid )
 print_fp_info(s_group, otn, pmd, pattern, pattern_length);
 PMX* pmx = (PMX*)snort_calloc(sizeof(PMX));
diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc
index f754a7ded..1aa2ce4fa 100644
--- a/src/detection/fp_detect.cc
+++ b/src/detection/fp_detect.cc
@@ -777,6 +777,12 @@ bool MpseStash::push(void* user, void* tree, int index, void* list)
 }
 }
+ if ( max and ( count == max ) )
+ {
+ pmqs.tot_inq_overruns++;
+ return true;
+ }
+
 if ( !max or ( count < max ) )
 {
 Node node;
@@ -790,12 +796,6 @@ bool MpseStash::push(void* user, void* tree, int index, void* list)
 count++;
 }
- if ( max and ( count == max ) )
- {
- pmqs.tot_inq_overruns++;
- return true;
- }
-
 return false;
 }
@@ -858,8 +858,7 @@ static int rule_tree_queue(
 {
 MpseStash* stash = ((IpsContext*)context)->stash;
- stash->push(user, tree, index, list);
- return 0;
+ return stash->push(user, tree, index, list) ? 1 : 0;
 }
 static inline int batch_search(
diff --git a/src/detection/fp_utils.cc b/src/detection/fp_utils.cc
index 59f661fd7..5fee5d735 100644
--- a/src/detection/fp_utils.cc
+++ b/src/detection/fp_utils.cc
@@ -289,6 +289,9 @@ bool FpSelector::is_better_than(
 if ( !pmd->is_negated() && rhs.pmd->is_negated() )
 return true;
+ if ( pmd->is_negated() && !rhs.pmd->is_negated() )
+ return false;
+
 if ( size > rhs.size )
 return true;
diff --git a/src/detection/rules.h b/src/detection/rules.h
index 1a65ee121..5e8bad60b 100644
--- a/src/detection/rules.h
+++ b/src/detection/rules.h
@@ -32,6 +32,12 @@
 #define GID_DEFAULT 1
 #define GID_SESSION 135
+#define GID_BUILTIN_MIN 100
+#define GID_BUILTIN_MAX 999
+
+// should be revoked in the future
+#define GID_EXCEPTION_SDF 138
+
 #define SESSION_EVENT_SYN_RX 1
 #define SESSION_EVENT_SETUP 2
 #define SESSION_EVENT_CLEAR 3
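Review bot: `MpseStash::push` now reports an overrun only when a match is actually dropped, and `rule_tree_queue` (third hunk of fp_detect.cc) turns that into a non-zero callback return, which presumably ends the search for the rest of the buffer; neither site documents this contract, so the new early return deserves a why-comment such as `// stash is full: count the dropped match and ask the caller to stop searching`. Operationally a non-zero `tot_inq_overruns` now also means the search was cut short for that buffer, which the `search_engine.queue_limit` help text and the overrun peg description should state so operators can tell a tuning problem from missed evaluation (max_detect.lua sets `queue_limit = 0`, which I take to mean unlimited — worth confirming in the help). The `-790` hunk only relocates the old post-push check; the body of push begins before the first hunk.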
diff --git a/src/ips_options/CMakeLists.txt b/src/ips_options/CMakeLists.txt
index affe4d62b..a1d56704f 100644
--- a/src/ips_options/CMakeLists.txt
+++ b/src/ips_options/CMakeLists.txt
@@ -101,11 +101,12 @@ else (STATIC_IPS_OPTIONS)
 add_dynamic_module(ips_ber_data ips_options ips_ber_data.cc)
 add_dynamic_module(ips_ber_skip ips_options ips_ber_skip.cc)
 add_dynamic_module(ips_bufferlen ips_options ips_bufferlen.cc)
- add_dynamic_module(ips_byte_test ips_options ips_byte_test.cc)
- add_dynamic_module(ips_byte_jump ips_options ips_byte_jump.cc)
 add_dynamic_module(ips_byte_extract ips_options ips_byte_extract.cc)
+ add_dynamic_module(ips_byte_jump ips_options ips_byte_jump.cc)
 add_dynamic_module(ips_byte_math ips_options ips_byte_math.cc)
+ add_dynamic_module(ips_byte_test ips_options ips_byte_test.cc)
 add_dynamic_module(ips_cvs ips_options ips_cvs.cc)
+ add_dynamic_module(ips_enable ips_options ips_enable.cc)
 add_dynamic_module(ips_file_type ips_options ips_file_type.cc)
 add_dynamic_module(ips_flags ips_options ips_flags.cc)
 add_dynamic_module(ips_fragbits ips_options ips_fragbits.cc)
diff --git a/src/network_inspectors/normalize/norm_module.cc b/src/network_inspectors/normalize/norm_module.cc
index bc55a7f08..6f170c774 100644
--- a/src/network_inspectors/normalize/norm_module.cc
+++ b/src/network_inspectors/normalize/norm_module.cc
@@ -116,7 +116,7 @@ static const Parameter norm_tcp_params[] =
 { "urp", Parameter::PT_BOOL, nullptr, "true",
 "adjust urgent pointer if beyond segment length" },
- { "ips", Parameter::PT_BOOL, nullptr, "false",
+ { "ips", Parameter::PT_BOOL, nullptr, "true",
 "ensure consistency in retransmitted data" },
 { "ecn", Parameter::PT_SELECT, "off | packet | stream", "off",
diff --git a/src/network_inspectors/port_scan/ps_module.cc b/src/network_inspectors/port_scan/ps_module.cc
index 85abdd373..b78f9d017 100644
--- a/src/network_inspectors/port_scan/ps_module.cc
+++ b/src/network_inspectors/port_scan/ps_module.cc
@@ -59,7 +59,7 @@ static const Parameter scan_params[] =
 static const Parameter ps_params[] =
 {
- { "memcap", Parameter::PT_INT, "1024:maxSZ", "1048576",
+ { "memcap", Parameter::PT_INT, "1024:maxSZ", "10485760",
 "maximum tracker memory in bytes" },
 { "protos", Parameter::PT_MULTI, protos, "all",
diff --git a/src/parser/parse_rule.cc b/src/parser/parse_rule.cc
index f57f27408..35f0113ab 100644
--- a/src/parser/parse_rule.cc
+++ b/src/parser/parse_rule.cc
@@ -1154,6 +1154,20 @@ static void parse_rule_state(SnortConfig* sc, RuleTreeNode& rtn, OptTreeNode* ot
 OtnFree(otn);
 }
+static bool is_builtin(uint32_t gid)
+{
+ if ( ModuleManager::gid_in_use(gid) )
+ return true;
+
+ // the builtin range prevents unloaded sids from firing on every packet
+ if ( gid < GID_BUILTIN_MIN or gid > GID_BUILTIN_MAX )
+ return false;
+
+ // not builtin but may get used and abused by snort2lua
+ // should be deleted at some point
+ return gid != GID_EXCEPTION_SDF;
+}
+
 void parse_rule_close(SnortConfig* sc, RuleTreeNode& rtn, OptTreeNode* otn)
 {
 if ( s_ignore )
@@ -1226,7 +1240,7 @@ void parse_rule_close(SnortConfig* sc, RuleTreeNode& rtn, OptTreeNode* otn)
 otn->sigInfo.builtin = false;
 so_rule_count++;
 }
- else if ( ModuleManager::gid_in_use(otn->sigInfo.gid) )
+ else if ( is_builtin(otn->sigInfo.gid) )
 {
 if ( otn->num_detection_opts )
 ParseError("%u:%u builtin rules do not support detection options",
diff --git a/src/service_inspectors/dce_rpc/dce_smb.cc b/src/service_inspectors/dce_rpc/dce_smb.cc
index 25d6cfabc..bc77c4cea 100644
--- a/src/service_inspectors/dce_rpc/dce_smb.cc
+++ b/src/service_inspectors/dce_rpc/dce_smb.cc
@@ -28,7 +28,6 @@
 #include "file_api/file_service.h"
 #include "protocols/packet.h"
 #include "utils/util.h"
-#include "packet_io/active.h"
 #include "dce_context_data.h"
 #include "dce_smb_commands.h"
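Review bot: In `is_builtin` the comment `// not builtin but may get used and abused by snort2lua` sits directly above `return gid != GID_EXCEPTION_SDF;`, which returns true (builtin) for every in-range GID except 138, so it reads as if it described the whole return; make it name the exemption, e.g. `// GID 138 (Snort 2 SDF) is exempt: snort2lua and hand-ported configs still emit rules for it, so treat those as text rules`. A short header comment on the function stating the rule from the commit message would also help the next reader: a GID in 100..999 is classed builtin even when its module is not loaded, so its configured SIDs cannot fire on every packet, while a plugin GID outside the range gets no such guard. `parse_rule_close`, the function in the second hunk, continues past that hunk.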
@@ -337,11 +336,6 @@ private:
 Dce2Smb::Dce2Smb(const dce2SmbProtoConf& pc)
 {
 config = pc;
- if ((config.smb_file_inspection == DCE2_SMB_FILE_INSPECTION_ONLY)
- || (config.smb_file_inspection == DCE2_SMB_FILE_INSPECTION_ON))
- {
- Active::set_enabled();
- }
 }
 Dce2Smb::~Dce2Smb()
diff --git a/src/service_inspectors/dce_rpc/dce_smb2.cc b/src/service_inspectors/dce_rpc/dce_smb2.cc
index 2874fbc35..ff0389e09 100644
--- a/src/service_inspectors/dce_rpc/dce_smb2.cc
+++ b/src/service_inspectors/dce_rpc/dce_smb2.cc
@@ -65,9 +65,8 @@ static inline void DCE2_Smb2InsertTid(DCE2_SmbSsnData* ssd, const uint32_t tid,
 {
 bool is_ipc = (share_type != SMB2_SHARE_TYPE_DISK);
- if (!is_ipc && (!DCE2_ScSmbFileInspection((dce2SmbProtoConf*)ssd->sd.config)
- || ((ssd->max_file_depth == -1) && DCE2_ScSmbFileDepth(
- (dce2SmbProtoConf*)ssd->sd.config) == -1)))
+ if ( !is_ipc and
+ ssd->max_file_depth == -1 and DCE2_ScSmbFileDepth((dce2SmbProtoConf*)ssd->sd.config) == -1 )
 {
 trace_logf(dce_smb, "Not inserting TID (%u) because it's "
 "not IPC and not inspecting normal file data.\n", tid);
@@ -303,7 +302,7 @@ static void DCE2_Smb2CreateRequest(DCE2_SmbSsnData* ssd, const Smb2Hdr*,
 const Smb2CreateRequestHdr* smb_create_hdr,const uint8_t* end)
 {
 uint16_t name_offset = alignedNtohs(&(smb_create_hdr->name_offset));
-
+
 DCE2_Smb2InitFileTracker(&ssd->ftracker, false, 0);
 if (name_offset > SMB2_HEADER_LENGTH)
@@ -337,13 +336,13 @@ static void DCE2_Smb2CreateResponse(DCE2_SmbSsnData* ssd, const Smb2Hdr*,
 {
 uint64_t fileId_persistent;
 uint64_t file_size = UNKNOWN_FILE_SIZE;
-
+
 fileId_persistent = alignedNtohq((const uint64_t*)(&(smb_create_hdr->fileId_persistent)));
 ssd->ftracker.fid_v2 = fileId_persistent;
 if (smb_create_hdr->end_of_file)
 {
- file_size = alignedNtohq((const uint64_t*)(&(smb_create_hdr->end_of_file)));
+ file_size = alignedNtohq((const uint64_t*)(&(smb_create_hdr->end_of_file)));
 ssd->ftracker.tracker.file.file_size = file_size;
 }
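Review bot: Removing the `Active::set_enabled()` call leaves nothing in `Dce2Smb::Dce2Smb` that enables active response when SMB file inspection is configured, which the deleted branch did for the `on` and `only` settings. File inspection is now governed solely by `smb_file_depth`, so if that enable is what lets file-policy block verdicts on SMB take effect, the equivalent is `if ( config.smb_file_depth != -1 ) Active::set_enabled();` in the constructor (keeping the `packet_io/active.h` include dropped in the previous hunk); I cannot tell from this diff whether another component now enables it instead, so this is worth confirming before merge. The Dce2Smb class declaration begins before the hunk.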
@@ -481,7 +480,7 @@ static void DCE2_Smb2ReadRequest(DCE2_SmbSsnData* ssd, const Smb2Hdr* smb_hdr,
 {
 uint64_t message_id, offset;
 uint64_t fileId_persistent;
-
+
 message_id = alignedNtohq((const uint64_t*)(&(smb_hdr->message_id)));
 offset = alignedNtohq((const uint64_t*)(&(smb_read_hdr->offset)));
 fileId_persistent = alignedNtohq((const uint64_t*)(&(smb_read_hdr->fileId_persistent)));
@@ -566,7 +565,7 @@ static void DCE2_Smb2Read(DCE2_SmbSsnData* ssd, const Smb2Hdr* smb_hdr,
 {
 uint64_t message_id;
 Smb2Request* request;
-
+
 message_id = alignedNtohq((const uint64_t*)(&(smb_hdr->message_id)));
 request = DCE2_Smb2GetRequest(ssd, message_id);
 if (!request)
diff --git a/src/service_inspectors/dce_rpc/dce_smb_module.cc b/src/service_inspectors/dce_rpc/dce_smb_module.cc
index 6a4c06237..ae8e28067 100644
--- a/src/service_inspectors/dce_rpc/dce_smb_module.cc
+++ b/src/service_inspectors/dce_rpc/dce_smb_module.cc
@@ -129,11 +129,11 @@ static const Parameter s_params[] =
 { "valid_smb_versions", Parameter::PT_MULTI, "v1 | v2 | all", "all",
 "valid SMB versions" },
- { "smb_file_inspection", Parameter::PT_ENUM, "off | on | only", "off",
- "SMB file inspection" },
+ { "smb_file_inspection", Parameter::PT_ENUM, "off | on | only", nullptr,
+ "deprecated (not used): file inspection controlled by smb_file_depth" },
 { "smb_file_depth", Parameter::PT_INT, "-1:32767", "16384",
- "SMB file depth for file data" },
+ "SMB file depth for file data (-1 = disabled, 0 = unlimited)" },
 { "smb_invalid_shares", Parameter::PT_STRING, nullptr, nullptr,
 "SMB shares to alert on " },
@@ -358,7 +358,7 @@ bool Dce2SmbModule::set(const char* fqn, Value& v, SnortConfig* c)
 set_smb_versions_mask(config,v.get_string());
 else if ( v.is("smb_file_inspection") )
- config.smb_file_inspection = (dce2SmbFileInspection)v.get_uint8();
+ ParseWarning(WARN_CONF, "smb_file_inspection is deprecated (not used): use smb_file_depth");
 else if ( v.is("smb_file_depth") )
 config.smb_file_depth = v.get_int16();
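Review bot: A config that set `smb_file_inspection = 'off'` (or relied on that being the default, as the removed parameter line shows it was) now gets SMB file inspection at the default `smb_file_depth` of 16384, because the removed enum was the only off switch and the depth parameter has no disabled default, yet the new warning does not tell users how to restore the previous behaviour. Suggest `ParseWarning(WARN_CONF, "smb_file_inspection is deprecated (not used): use smb_file_depth (-1 disables file inspection)");` and the same hint in the deprecated parameter's help string in the first hunk of this file. The change of effective default is worth a sentence in the commit message, since an unchanged config now inspects more SMB traffic. `Dce2SmbModule::set` begins and ends outside the hunk.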
@@ -403,24 +403,12 @@ void print_dce2_smb_conf(dce2SmbProtoConf& config)
 else
 LogMessage(" Maximum SMB compounded requests: %u\n", config.smb_max_compound);
- if (config.smb_file_inspection == DCE2_SMB_FILE_INSPECTION_OFF)
- {
- LogMessage(" SMB file inspection: Disabled\n");
- }
+ if (config.smb_file_depth == -1)
+ LogMessage(" SMB file depth: Disabled\n");
+ else if (config.smb_file_depth == 0)
+ LogMessage(" SMB file depth: Unlimited\n");
 else
- {
- if (config.smb_file_inspection == DCE2_SMB_FILE_INSPECTION_ONLY)
- LogMessage(" SMB file inspection: Only\n");
- else
- LogMessage(" SMB file inspection: Enabled\n");
-
- if (config.smb_file_depth == -1)
- LogMessage(" SMB file depth: Disabled\n");
- else if (config.smb_file_depth == 0)
- LogMessage(" SMB file depth: Unlimited\n");
- else
- LogMessage(" SMB file depth: %d\n",config.smb_file_depth);
- }
+ LogMessage(" SMB file depth: %d\n",config.smb_file_depth);
 if (config.smb_valid_versions_mask == DCE2_VALID_SMB_VERSION_FLAG_V1)
 {
diff --git a/src/service_inspectors/dce_rpc/dce_smb_module.h b/src/service_inspectors/dce_rpc/dce_smb_module.h
index 11eb1e237..f64938c75 100644
--- a/src/service_inspectors/dce_rpc/dce_smb_module.h
+++ b/src/service_inspectors/dce_rpc/dce_smb_module.h
@@ -33,13 +33,6 @@ struct SnortConfig;
 #define DCE2_VALID_SMB_VERSION_FLAG_V1 1
 #define DCE2_VALID_SMB_VERSION_FLAG_V2 2
-enum dce2SmbFileInspection
-{
- DCE2_SMB_FILE_INSPECTION_OFF = 0,
- DCE2_SMB_FILE_INSPECTION_ON,
- DCE2_SMB_FILE_INSPECTION_ONLY
-};
-
 enum dce2SmbFingerprintPolicy
 {
 DCE2_SMB_FINGERPRINT_POLICY_NONE = 0,
@@ -63,7 +56,6 @@ struct dce2SmbProtoConf
 uint8_t smb_max_chain;
 uint8_t smb_max_compound;
 uint16_t smb_valid_versions_mask;
- dce2SmbFileInspection smb_file_inspection;
 int16_t smb_file_depth;
 DCE2_List* smb_invalid_shares;
 bool legacy_mode;
@@ -97,25 +89,8 @@ private:
 void print_dce2_smb_conf(dce2SmbProtoConf& config);
-inline bool DCE2_ScSmbFileInspection(const dce2SmbProtoConf* sc)
-{
- if (sc == nullptr)
- return false;
- return ((sc->smb_file_inspection == DCE2_SMB_FILE_INSPECTION_ON)
- || (sc->smb_file_inspection == DCE2_SMB_FILE_INSPECTION_ONLY));
-}
-
-inline bool DCE2_ScSmbFileInspectionOnly(const dce2SmbProtoConf* sc)
-{
- if (sc == nullptr)
- return false;
- return sc->smb_file_inspection == DCE2_SMB_FILE_INSPECTION_ONLY;
-}
-
 inline int64_t DCE2_ScSmbFileDepth(const dce2SmbProtoConf* sc)
 {
- if (!DCE2_ScSmbFileInspection(sc))
- return -1;
 return sc->smb_file_depth;
 }
diff --git a/src/service_inspectors/dce_rpc/dce_smb_utils.cc b/src/service_inspectors/dce_rpc/dce_smb_utils.cc
index 1e280dc40..80087c71e 100644
--- a/src/service_inspectors/dce_rpc/dce_smb_utils.cc
+++ b/src/service_inspectors/dce_rpc/dce_smb_utils.cc
@@ -834,9 +834,8 @@ void DCE2_SmbRemoveTid(DCE2_SmbSsnData* ssd, const uint16_t tid)
 void DCE2_SmbInsertTid(DCE2_SmbSsnData* ssd,
 const uint16_t tid, const bool is_ipc)
 {
- if (!is_ipc && (!DCE2_ScSmbFileInspection((dce2SmbProtoConf*)ssd->sd.config)
- || ((ssd->max_file_depth == -1) && DCE2_ScSmbFileDepth(
- (dce2SmbProtoConf*)ssd->sd.config) == -1)))
+ if ( !is_ipc and
+ ssd->max_file_depth == -1 and DCE2_ScSmbFileDepth((dce2SmbProtoConf*)ssd->sd.config) == -1 )
 {
 trace_logf(dce_smb, "Not inserting TID (%hu) "
 "because it's not IPC and not inspecting normal file "
@@ -844,14 +843,6 @@ void DCE2_SmbInsertTid(DCE2_SmbSsnData* ssd,
 return;
 }
- if (is_ipc && DCE2_ScSmbFileInspectionOnly((dce2SmbProtoConf*)ssd->sd.config))
- {
- trace_logf(dce_smb, "Not inserting TID (%hu) "
- "because it's IPC and only inspecting normal file "
- "data.\n", tid);
- return;
- }
-
 int insert_tid = (int)tid;
 // Set a bit so as to distinguish between IPC and non-IPC TIDs
 if (!is_ipc)
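Review bot: `DCE2_ScSmbFileDepth` now dereferences `sc` unconditionally; the removed `DCE2_ScSmbFileInspection` it used to route through returned false for a null config, so this path previously yielded -1 where it would now dereference null. If any caller can reach it with a null `sd.config`, keep the guard cheaply: `if ( !sc ) return -1;` before the return. The callers rewritten in the two `dce_smb_utils.cc` hunks below, and the identical condition in `DCE2_Smb2InsertTid` in dce_smb2.cc, all cast `ssd->sd.config` without checking it, so one guard here is cheaper than auditing each site; the two InsertTid functions also now duplicate that condition verbatim and could share a small helper.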
diff --git a/src/service_inspectors/ftp_telnet/telnet_module.cc b/src/service_inspectors/ftp_telnet/telnet_module.cc
index 330745559..cb7e13afb 100644
--- a/src/service_inspectors/ftp_telnet/telnet_module.cc
+++ b/src/service_inspectors/ftp_telnet/telnet_module.cc
@@ -51,7 +51,7 @@ static const Parameter s_params[] =
 "check for end of encryption" },
 { "encrypted_traffic", Parameter::PT_BOOL, nullptr, "false",
- "check for encrypted Telnet and FTP" },
+ "check for encrypted Telnet" },
 { "normalize", Parameter::PT_BOOL, nullptr, "false",
 "eliminate escape sequences" },
diff --git a/src/service_inspectors/http_inspect/dev_notes.txt b/src/service_inspectors/http_inspect/dev_notes.txt
index 4a733690c..5f526a20e 100644
--- a/src/service_inspectors/http_inspect/dev_notes.txt
+++ b/src/service_inspectors/http_inspect/dev_notes.txt
@@ -7,7 +7,7 @@ It serves several specialized purposes in cases where the HTTP message is trunca
 unexpectedly). The nature of splitting allows packets to be forwarded before they are aggregated into a message
-section and inspected. Accelerated blocking is a feature that allows the splitter to designate
+section and inspected. Detained inspection is a feature that allows the splitter to designate
 to Stream packets that are too risky to forward without being inspected. These packets are detained until such time as inspection is completed. The design is based on the principle that detaining one packet in a TCP stream effectively blocks all subsequent packets from being reassembled and
diff --git a/src/service_inspectors/http_inspect/http_cutter.cc b/src/service_inspectors/http_inspect/http_cutter.cc
index fe99162dd..a8c01fbf6 100644
--- a/src/service_inspectors/http_inspect/http_cutter.cc
+++ b/src/service_inspectors/http_inspect/http_cutter.cc
@@ -282,7 +282,7 @@ ScanResult HttpBodyClCutter::cut(const uint8_t* buffer, uint32_t length, HttpInf
 if (octets_seen + length < flow_target)
 {
 octets_seen += length;
- return need_accelerated_blocking(buffer, length) ? SCAN_NOT_FOUND_DETAIN : SCAN_NOT_FOUND;
+ return need_detained_inspection(buffer, length) ? SCAN_NOT_FOUND_DETAIN : SCAN_NOT_FOUND;
 }
 if (!stretch)
@@ -291,7 +291,7 @@ ScanResult HttpBodyClCutter::cut(const uint8_t* buffer, uint32_t length, HttpInf
 num_flush = flow_target - octets_seen;
 if (remaining > 0)
 {
- need_accelerated_blocking(buffer, num_flush);
+ need_detained_inspection(buffer, num_flush);
 return SCAN_FOUND_PIECE;
 }
 else
@@ -307,7 +307,7 @@ ScanResult HttpBodyClCutter::cut(const uint8_t* buffer, uint32_t length, HttpInf
 else
 num_flush = flow_target - octets_seen;
 remaining -= octets_seen + num_flush;
- need_accelerated_blocking(buffer, num_flush);
+ need_detained_inspection(buffer, num_flush);
 return SCAN_FOUND_PIECE;
 }
@@ -322,7 +322,7 @@ ScanResult HttpBodyClCutter::cut(const uint8_t* buffer, uint32_t length, HttpInf
 // Cannot stretch to the end of the message body. Cut at the original target.
 num_flush = flow_target - octets_seen;
 remaining -= flow_target;
- need_accelerated_blocking(buffer, num_flush);
+ need_detained_inspection(buffer, num_flush);
 return SCAN_FOUND_PIECE;
 }
@@ -344,13 +344,13 @@ ScanResult HttpBodyOldCutter::cut(const uint8_t* buffer, uint32_t length, HttpIn
 {
 // Not enough data yet to create a message section
 octets_seen += length;
- return need_accelerated_blocking(buffer, length) ? SCAN_NOT_FOUND_DETAIN : SCAN_NOT_FOUND;
+ return need_detained_inspection(buffer, length) ? SCAN_NOT_FOUND_DETAIN : SCAN_NOT_FOUND;
 }
 else if (stretch && (octets_seen + length <= flow_target + MAX_SECTION_STRETCH))
 {
 // Cut the section at the end of this TCP segment to avoid splitting a packet
 num_flush = length;
- need_accelerated_blocking(buffer, num_flush);
+ need_detained_inspection(buffer, num_flush);
 return SCAN_FOUND_PIECE;
 }
 else
@@ -358,7 +358,7 @@ ScanResult HttpBodyOldCutter::cut(const uint8_t* buffer, uint32_t length, HttpIn
 // Cut the section at the target length. Either stretching is not allowed or the end of
 // the segment is too far away.
 num_flush = flow_target - octets_seen;
- need_accelerated_blocking(buffer, num_flush);
+ need_detained_inspection(buffer, num_flush);
 return SCAN_FOUND_PIECE;
 }
 }
@@ -552,7 +552,7 @@ ScanResult HttpBodyChunkCutter::cut(const uint8_t* buffer, uint32_t length,
 }
 if (!detain_this_packet)
- detain_this_packet = need_accelerated_blocking(buffer+k, skip_amount);
+ detain_this_packet = need_detained_inspection(buffer+k, skip_amount);
 k += skip_amount - 1;
 if ((expected -= skip_amount) == 0)
@@ -627,7 +627,7 @@ ScanResult HttpBodyChunkCutter::cut(const uint8_t* buffer, uint32_t length,
 skip_amount = (skip_amount <= adjusted_target-data_seen) ? skip_amount : adjusted_target-data_seen;
 if (!detain_this_packet)
- detain_this_packet = need_accelerated_blocking(buffer+k, skip_amount);
+ detain_this_packet = need_detained_inspection(buffer+k, skip_amount);
 k += skip_amount - 1;
 if ((data_seen += skip_amount) == adjusted_target)
 {
@@ -657,19 +657,19 @@ ScanResult HttpBodyChunkCutter::cut(const uint8_t* buffer, uint32_t length,
 }
 // This method searches the input stream looking for the beginning of a script or other dangerous
-// content that requires accelerated blocking. Exactly what we are looking for is encapsulated in
+// content that requires detained inspection. Exactly what we are looking for is encapsulated in
 // dangerous().
 //
 // Return value true indicates a match and enables the packet that completes the matching sequence
 // to be detained.
 //
-// Once accelerated blocking is activated on a message body it never goes away. The first packet
+// Once detained inspection is activated on a message body it never goes away. The first packet
 // of every subsequent message section must be detained (detention_required). Supporting this
 // requirement requires that the calling routine submit all data including buffers that are about
 // to be flushed.
-bool HttpBodyCutter::need_accelerated_blocking(const uint8_t* data, uint32_t length)
+bool HttpBodyCutter::need_detained_inspection(const uint8_t* data, uint32_t length)
 {
- if (!accelerated_blocking || packet_detained)
+ if (!detained_inspection || packet_detained)
 return false;
 if (detention_required || dangerous(data, length))
 {
@@ -680,7 +680,7 @@ bool HttpBodyCutter::need_accelerated_blocking(const uint8_t* data, uint32_t len
 return false;
 }
-// Currently we do accelerated blocking when we see a javascript starting
+// Currently we do detained inspection when we see a javascript starting
 bool HttpBodyCutter::dangerous(const uint8_t* data, uint32_t length)
 {
 static const uint8_t match_string[] = { '<', 's', 'c', 'r', 'i', 'p', 't' };
diff --git a/src/service_inspectors/http_inspect/http_cutter.h b/src/service_inspectors/http_inspect/http_cutter.h
index dcdba544b..d7d5d2ce7 100644
--- a/src/service_inspectors/http_inspect/http_cutter.h
+++ b/src/service_inspectors/http_inspect/http_cutter.h
@@ -96,17 +96,17 @@ private:
 class HttpBodyCutter : public HttpCutter
 {
 public:
- HttpBodyCutter(bool accelerated_blocking_) : accelerated_blocking(accelerated_blocking_) {}
+ HttpBodyCutter(bool detained_inspection_) : detained_inspection(detained_inspection_) {}
 void soft_reset() override { octets_seen = 0; packet_detained = false; }
 void detain_ended() { packet_detained = false; }
 protected:
- bool need_accelerated_blocking(const uint8_t* data, uint32_t length);
+ bool need_detained_inspection(const uint8_t* data, uint32_t length);
 private:
 bool dangerous(const uint8_t* data, uint32_t length);
- const bool accelerated_blocking;
+ const bool detained_inspection;
 bool packet_detained = false;
 uint8_t partial_match = 0;
 bool detention_required = false;
@@ -115,8 +115,8 @@ private:
 class HttpBodyClCutter : public HttpBodyCutter
 {
 public:
- HttpBodyClCutter(int64_t expected_length, bool accelerated_blocking) :
- HttpBodyCutter(accelerated_blocking), remaining(expected_length)
+ HttpBodyClCutter(int64_t expected_length, bool detained_inspection) :
+ HttpBodyCutter(detained_inspection), remaining(expected_length)
 { assert(remaining > 0); }
 HttpEnums::ScanResult cut(const uint8_t*, uint32_t length, HttpInfractions*, HttpEventGen*,
 uint32_t flow_target, bool stretch) override;
@@ -128,7 +128,7 @@ private:
 class HttpBodyOldCutter : public HttpBodyCutter
 {
 public:
- explicit HttpBodyOldCutter(bool accelerated_blocking) : HttpBodyCutter(accelerated_blocking) {}
+ explicit HttpBodyOldCutter(bool detained_inspection) : HttpBodyCutter(detained_inspection) {}
 HttpEnums::ScanResult cut(const uint8_t*, uint32_t, HttpInfractions*, HttpEventGen*,
 uint32_t flow_target, bool stretch) override;
 };
@@ -136,7 +136,7 @@ public:
 class HttpBodyChunkCutter : public HttpBodyCutter
 {
 public:
- explicit HttpBodyChunkCutter(bool accelerated_blocking) : HttpBodyCutter(accelerated_blocking)
+ explicit HttpBodyChunkCutter(bool detained_inspection) : HttpBodyCutter(detained_inspection)
 {}
 HttpEnums::ScanResult cut(const uint8_t* buffer, uint32_t length, HttpInfractions* infractions,
 HttpEventGen* events, uint32_t flow_target, bool stretch)
diff --git a/src/service_inspectors/http_inspect/http_flow_data.cc b/src/service_inspectors/http_inspect/http_flow_data.cc
index a339c9488..ed494f2c5 100644
--- a/src/service_inspectors/http_inspect/http_flow_data.cc
+++ b/src/service_inspectors/http_inspect/http_flow_data.cc
@@ -113,7 +113,7 @@ void HttpFlowData::half_reset(SourceId source_id)
 body_octets[source_id] = STAT_NOT_PRESENT;
 section_size_target[source_id] = 0;
 stretch_section_to_packet[source_id] = false;
- accelerated_blocking[source_id] = false;
+ detained_inspection[source_id] = false;
 file_depth_remaining[source_id] = STAT_NOT_PRESENT;
 detect_depth_remaining[source_id] = STAT_NOT_PRESENT;
 detection_status[source_id] = DET_REACTIVATING;
diff --git a/src/service_inspectors/http_inspect/http_flow_data.h b/src/service_inspectors/http_inspect/http_flow_data.h
index f8ffef62f..ca2d37d13 100644
--- a/src/service_inspectors/http_inspect/http_flow_data.h
+++ b/src/service_inspectors/http_inspect/http_flow_data.h
@@ -121,7 +121,7 @@ private:
 HttpEnums::CompressId compression[2] = { HttpEnums::CMP_NONE, HttpEnums::CMP_NONE };
 HttpEnums::DetectionStatus detection_status[2] = { HttpEnums::DET_ON, HttpEnums::DET_ON };
 bool stretch_section_to_packet[2] = { false, false };
- bool accelerated_blocking[2] = { false, false };
+ bool detained_inspection[2] = { false, false };
 // *** Inspector's internal data about the current message
 struct FdCallbackContext
diff --git a/src/service_inspectors/http_inspect/http_module.cc b/src/service_inspectors/http_inspect/http_module.cc
index e388becf7..111410831 100644
--- a/src/service_inspectors/http_inspect/http_module.cc
+++ b/src/service_inspectors/http_inspect/http_module.cc
@@ -55,8 +55,8 @@ const Parameter HttpModule::http_params[] =
 { "decompress_zip", Parameter::PT_BOOL, nullptr, "false",
 "decompress zip files in response bodies" },
- { "accelerated_blocking", Parameter::PT_BOOL, nullptr, "false",
- "inspect JavaScript in response messages as soon as possible" },
+ { "detained_inspection", Parameter::PT_BOOL, nullptr, "false",
+ "store-and-forward as necessary to effectively block alerting JavaScript" },
 { "normalize_javascript", Parameter::PT_BOOL, nullptr, "false",
 "normalize JavaScript in response bodies" },
@@ -171,9 +171,9 @@ bool HttpModule::set(const char*, Value& val, SnortConfig*)
 {
 params->decompress_zip = val.get_bool();
 }
- else if (val.is("accelerated_blocking"))
+ else if (val.is("detained_inspection"))
 {
- params->accelerated_blocking = val.get_bool();
+ params->detained_inspection = val.get_bool();
 }
 else if (val.is("normalize_javascript"))
 {
diff --git a/src/service_inspectors/http_inspect/http_module.h b/src/service_inspectors/http_inspect/http_module.h
index 65cbeb986..bc0ae1a51 100644
--- a/src/service_inspectors/http_inspect/http_module.h
+++ b/src/service_inspectors/http_inspect/http_module.h
@@ -42,7 +42,7 @@ public:
 bool decompress_pdf = false;
 bool decompress_swf = false;
 bool decompress_zip = false;
- bool accelerated_blocking = false;
+ bool detained_inspection = false;
 struct JsNormParam
 {
diff --git a/src/service_inspectors/http_inspect/http_msg_header.cc b/src/service_inspectors/http_inspect/http_msg_header.cc
index d7761f2f0..5ff10d285 100644
--- a/src/service_inspectors/http_inspect/http_msg_header.cc
+++ b/src/service_inspectors/http_inspect/http_msg_header.cc
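Review bot: Renaming the `accelerated_blocking` parameter without an alias means an existing config that sets it is presumably rejected as an unknown parameter, whereas this same commit keeps the old `smb_file_inspection` key in dce_smb_module.cc and only emits a `ParseWarning`. For consistency add a deprecated entry `{ "accelerated_blocking", Parameter::PT_BOOL, nullptr, nullptr, "deprecated: use detained_inspection" },` to http_params and map it in `set()` with `else if (val.is("accelerated_blocking")) params->detained_inspection = val.get_bool();` plus the same kind of warning. The new help text could also state that the feature applies only to server responses and is suppressed when the body is compressed or `request_depth` is not -1, which is what `HttpMsgHeader::prepare_body` enforces in http_msg_header.cc; `HttpModule::set` continues outside the hunk.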
@@ -301,8 +301,8 @@ void HttpMsgHeader::prepare_body()
 setup_utf_decoding();
 setup_file_decompression();
 update_depth();
- // Limitations on accelerated blocking will be lifted as the feature is built out
- session_data->accelerated_blocking[source_id] = params->accelerated_blocking &&
+ // Limitations on detained inspection will be lifted as the feature is built out
+ session_data->detained_inspection[source_id] = params->detained_inspection &&
 (source_id == SRC_SERVER) && (session_data->compression[source_id] == CMP_NONE) && (params->request_depth == -1);
 if (source_id == SRC_CLIENT)
diff --git a/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc b/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc
index 5d286f725..1860518c3 100644
--- a/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc
+++ b/src/service_inspectors/http_inspect/http_stream_splitter_scan.cc
@@ -73,11 +73,11 @@ HttpCutter* HttpStreamSplitter::get_cutter(SectionType type,
 return (HttpCutter*)new HttpHeaderCutter;
 case SEC_BODY_CL:
 return (HttpCutter*)new HttpBodyClCutter(session_data->data_length[source_id],
- session_data->accelerated_blocking[source_id]);
+ session_data->detained_inspection[source_id]);
 case SEC_BODY_CHUNK:
- return (HttpCutter*)new HttpBodyChunkCutter(session_data->accelerated_blocking[source_id]);
+ return (HttpCutter*)new HttpBodyChunkCutter(session_data->detained_inspection[source_id]);
 case SEC_BODY_OLD:
- return (HttpCutter*)new HttpBodyOldCutter(session_data->accelerated_blocking[source_id]);
+ return (HttpCutter*)new HttpBodyOldCutter(session_data->detained_inspection[source_id]);
 default:
 assert(false);
 return nullptr;
diff --git a/src/service_inspectors/http_inspect/http_tables.cc b/src/service_inspectors/http_inspect/http_tables.cc
index 92ab812fe..b39019e2a 100644
--- a/src/service_inspectors/http_inspect/http_tables.cc
+++ b/src/service_inspectors/http_inspect/http_tables.cc
@@ -406,8 +406,8 @@ const PegInfo HttpModule::peg_names[PEG_COUNT_MAX+1] =
 { CountType::SUM, "uri_coding", "URIs with character coding problems" },
 { CountType::NOW, "concurrent_sessions", "total concurrent http sessions" },
 { CountType::MAX, "max_concurrent_sessions", "maximum concurrent http sessions" },
- { CountType::SUM, "detained_packets", "TCP packets delayed by accelerated blocking" },
- { CountType::SUM, "partial_inspections", "pre-inspections for accelerated blocking" },
+ { CountType::SUM, "detained_packets", "TCP packets delayed by detained inspection" },
+ { CountType::SUM, "partial_inspections", "pre-inspections for detained inspection" },
 { CountType::END, nullptr, nullptr }
 };
diff --git a/src/service_inspectors/http_inspect/http_test_input.h b/src/service_inspectors/http_inspect/http_test_input.h
index be628f0e6..b626cab31 100644
--- a/src/service_inspectors/http_inspect/http_test_input.h
+++ b/src/service_inspectors/http_inspect/http_test_input.h
@@ -64,7 +64,7 @@ private:
 // TCP connection directional close
 bool tcp_closed = false;
- // partial flush requested, useful for testing accelerated blocking
+ // partial flush requested, useful for testing detained inspection
 bool partial = false;
 // number of octets that have been flushed and must be sent by reassemble
diff --git a/src/service_inspectors/imap/imap_module.cc b/src/service_inspectors/imap/imap_module.cc
index a3031a110..e2595fcb7 100644
--- a/src/service_inspectors/imap/imap_module.cc
+++ b/src/service_inspectors/imap/imap_module.cc
@@ -33,10 +33,10 @@ using namespace std;
 static const Parameter s_params[] =
 {
- { "b64_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+ { "b64_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
 "base64 decoding depth (-1 no limit)" },
- { "bitenc_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+ { "bitenc_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
 "non-Encoded MIME attachment extraction depth (-1 no limit)" },
 { "decompress_pdf", Parameter::PT_BOOL, nullptr, "false",
@@ -48,10 +48,10 @@ static const Parameter s_params[] =
 { "decompress_zip", Parameter::PT_BOOL, nullptr, "false",
 "decompress zip files in MIME attachments" },
- { "qp_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+ { "qp_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
 "quoted Printable decoding depth (-1 no limit)" },
- { "uu_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+ { "uu_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
 "Unix-to-Unix decoding depth (-1 no limit)" },
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
diff --git a/src/service_inspectors/pop/pop_module.cc b/src/service_inspectors/pop/pop_module.cc
index 0f74dc439..8f040a10a 100644
--- a/src/service_inspectors/pop/pop_module.cc
+++ b/src/service_inspectors/pop/pop_module.cc
@@ -33,10 +33,10 @@ using namespace std;
 static const Parameter s_params[] =
 {
- { "b64_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+ { "b64_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
 "base64 decoding depth (-1 no limit)" },
- { "bitenc_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+ { "bitenc_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
 "Non-Encoded MIME attachment extraction depth (-1 no limit)" },
 { "decompress_pdf", Parameter::PT_BOOL, nullptr, "false",
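Review bot: The new "-1" default for b64_decode_depth and bitenc_decode_depth removes the bound on how much of a MIME attachment the inspector decodes, so an oversized or deliberately padded attachment is now decoded in full by default rather than stopping at 1460 octets; the same change is made to qp_decode_depth and uu_decode_depth in the second imap hunk and in the matching pop_module.cc and smtp_module.cc hunks. Coverage improves, but the per-message decode work that the old default capped is now unlimited unless a deployment-specific tweaks file restores a depth, which I cannot confirm from this diff. The help strings remain accurate since they already say "(-1 no limit)", but the trade-off should be visible where the default is read, e.g. `"base64 decoding depth (-1 no limit; the default is unlimited, set a depth to bound decode work per message)"`. The "-1:65535" range still admits the new default, so the parameter validation needs no change.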
@@ -48,10 +48,10 @@ static const Parameter s_params[] =
 { "decompress_zip", Parameter::PT_BOOL, nullptr, "false",
 "decompress zip files in MIME attachments" },
- { "qp_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+ { "qp_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
 "Quoted Printable decoding depth (-1 no limit)" },
- { "uu_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+ { "uu_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
 "Unix-to-Unix decoding depth (-1 no limit)" },
 { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
diff --git a/src/service_inspectors/smtp/smtp_module.cc b/src/service_inspectors/smtp/smtp_module.cc
index a7eb4ba60..6f639057f 100644
--- a/src/service_inspectors/smtp/smtp_module.cc
+++ b/src/service_inspectors/smtp/smtp_module.cc
@@ -70,13 +70,13 @@ static const Parameter s_params[] =
 { "auth_cmds", Parameter::PT_STRING, nullptr, nullptr,
 "commands that initiate an authentication exchange" },
- { "b64_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+ { "b64_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
 "depth used to decode the base64 encoded MIME attachments (-1 no limit)" },
 { "binary_data_cmds", Parameter::PT_STRING, nullptr, nullptr,
 "commands that initiate sending of data and use a length value after the command" },
- { "bitenc_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+ { "bitenc_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
 "depth used to extract the non-encoded MIME attachments (-1 no limit)" },
 { "data_cmds", Parameter::PT_STRING, nullptr, nullptr,
@@ -134,10 +134,10 @@ static const Parameter s_params[] =
 { "normalize_cmds", Parameter::PT_STRING, nullptr, nullptr,
 "list of commands to normalize" },
- { "qp_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+ { "qp_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
 "quoted-Printable decoding depth (-1 no limit)" },
- { "uu_decode_depth", Parameter::PT_INT, "-1:65535", "1460",
+ { "uu_decode_depth", Parameter::PT_INT, "-1:65535", "-1",
 "Unix-to-Unix decoding depth (-1 no limit)" },
 { "valid_cmds", Parameter::PT_STRING, nullptr, nullptr,
diff --git a/tools/snort2lua/preprocessor_states/pps_dcerpc_server.cc b/tools/snort2lua/preprocessor_states/pps_dcerpc_server.cc
index 1856f60c9..4a893e5a1 100644
--- a/tools/snort2lua/preprocessor_states/pps_dcerpc_server.cc
+++ b/tools/snort2lua/preprocessor_states/pps_dcerpc_server.cc
@@ -186,7 +186,8 @@ bool DcerpcServer::parse_smb_file_inspection(std::istringstream& data_stream)
 {
 file_inspect.pop_back();
 }
- tmpval = table_api.add_option("smb_file_inspection", file_inspect);
+ file_inspect = "smb_file_inspection: " + file_inspect;
+ tmpval = table_api.add_deleted_comment(file_inspect);
 }
 else
 {
@@ -207,7 +208,8 @@ bool DcerpcServer::parse_smb_file_inspection(std::istringstream& data_stream)
 std::string arg = file_inspect.substr(1, pos-1);
 // remove additional whitespaces
 arg.erase(remove_if(arg.begin(), arg.end(), isspace), arg.end());
- tmpval = table_api.add_option("smb_file_inspection", arg);
+ arg = "smb_file_inspection: " + arg;
+ tmpval = table_api.add_deleted_comment(arg);
 pos = file_inspect.find("file-depth");
 if (pos == std::string::npos)
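Review bot: Turning the converted smb_file_inspection value into a deleted comment silently discards the operator's choice in the first pps_dcerpc_server.cc hunk: a Snort 2 policy that set the option to disable SMB file inspection will, after conversion, run with whatever the Snort 3 dce_smb default is, and nothing in the generated output tells the reviewer what to set instead. The same applies to the second hunk, whose last context line lies outside this chunk, and parse_smb_file_inspection itself begins before the first hunk. If the replacement is the depth setting, name it in the emitted comment so the intent survives the conversion, e.g. `file_inspect = "smb_file_inspection: " + file_inspect + " (deprecated, see smb_file_depth)";`, and do the same for `arg` in the second hunk.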