From: Masud Hasan (mashasan) Date: Mon, 27 Jul 2020 20:34:43 +0000 (+0000) Subject: Merge pull request #2318 in SNORT/snort3 from ~SMINUT/snort3:fingerprint_load to... X-Git-Tag: 3.0.2-3~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e6b5ff693c9c2b5f4a9cd9b226adb185b2124ae4;p=thirdparty%2Fsnort3.git Merge pull request #2318 in SNORT/snort3 from ~SMINUT/snort3:fingerprint_load to master Squashed commit of the following: commit b2822997b40623fc7fda065edabca1e3752d2629 Author: Silviu Minut Date: Tue Jul 7 13:07:20 2020 -0400 rna: fingerprint reader class and lookup table for tcp fingerprints
---
diff --git a/src/network_inspectors/rna/CMakeLists.txt b/src/network_inspectors/rna/CMakeLists.txt
index 5452bc8bb..3684996d5 100644
--- a/src/network_inspectors/rna/CMakeLists.txt
+++ b/src/network_inspectors/rna/CMakeLists.txt
@@ -1,4 +1,7 @@
set (RNA_INCLUDES
+ rna_fingerprint.h
+ rna_fingerprint_tcp.h
+ rna_fp_reader.h
rna_logger.h
)
@@ -6,6 +9,11 @@ set ( RNA_SOURCES
${RNA_INCLUDES}
rna_event_handler.cc
rna_event_handler.h
+ rna_fingerprint.h
+ rna_fingerprint_tcp.cc
+ rna_fingerprint_tcp.h
+ rna_fp_reader.cc
+ rna_fp_reader.h
rna_inspector.cc
rna_inspector.h
rna_logger.cc
diff --git a/src/network_inspectors/rna/rna_fingerprint.h b/src/network_inspectors/rna/rna_fingerprint.h
new file mode 100644
index 000000000..fad62ece6
--- /dev/null
+++ b/src/network_inspectors/rna/rna_fingerprint.h
@@ -0,0 +1,41 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2020-2020 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// rna_fingerprint.h author Silviu Minut
+
+#ifndef RNA_FINGERPRINT_H
+#define RNA_FINGERPRINT_H
+
+#include
+
+namespace snort
+{
+
+class FpFingerprint
+{
+public:
+ uint32_t fpid;
+ uint32_t fp_type;
+ uuid_t fpuuid;
+ uint8_t ttl;
+};
+
+}
+
+
+#endif
diff --git a/src/network_inspectors/rna/rna_fingerprint_tcp.cc b/src/network_inspectors/rna/rna_fingerprint_tcp.cc
new file mode 100644
index 000000000..206961f8c
--- /dev/null
+++ b/src/network_inspectors/rna/rna_fingerprint_tcp.cc
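Review bot: FpFingerprint's members fpid, fp_type, fpuuid and ttl have no default member initializers, so a default-constructed fingerprint carries indeterminate values until whatever populates it assigns every field; `uint32_t fpid = 0;`, `uint32_t fp_type = 0;` and `uint8_t ttl = 0;` (plus a zeroed fpuuid) would make an unpopulated entry well-defined, which matters because these records are built from loaded fingerprint data and later compared against traffic. Since the class has only public data and no invariants, `struct` would state that more plainly. The bracketed part of the include was lost in this rendering, so I cannot tell from the hunk whether both the fixed-width integer header and the header declaring uuid_t are brought in; worth confirming rather than relying on transitive includes.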
@@ -0,0 +1,62 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2020-2020 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// rna_fingerprint_tcp.cc author Silviu Minut
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "rna_fingerprint_tcp.h"
+
+using namespace snort;
+using namespace std;
+
+static TcpFpProcessor tcp_fp_processor;
+
+namespace snort
+{
+
+TcpFpProcessor* get_tcp_fp_processor()
+{
+ return &tcp_fp_processor;
+}
+
+void TcpFpProcessor::push(const vector& fplist, TCP_FP_MODE mode)
+{
+ vector* fptable = (mode == TCP_FP_MODE::SERVER ?
+ table_tcp_server : table_tcp_client);
+
+ for (const auto& tfp : fplist)
+ {
+ for (const auto& fpe : tfp.tcp_window)
+ {
+ switch (fpe.type)
+ {
+ case FpElementType::RANGE:
+ for (int i = fpe.d.range.min; i <= fpe.d.range.max; i++)
+ fptable[i].emplace_back(&tfp);
+ break;
+ default:
+ break;
+ }
+ }
+ }
+}
+
+}
diff --git a/src/network_inspectors/rna/rna_fingerprint_tcp.h b/src/network_inspectors/rna/rna_fingerprint_tcp.h
new file mode 100644
index 000000000..948996e46
--- /dev/null
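Review bot: The RANGE case in TcpFpProcessor::push indexes fptable[i] for every i from fpe.d.range.min through fpe.d.range.max with no check against the table size, and the header declares both tables with MAX_PORTS elements, so a fingerprint whose range starts below zero or reaches MAX_PORTS writes outside the array. The range values come from the fingerprint list a reader loads rather than from code in this commit, so a malformed or hostile fingerprint file is enough to reach it; add a guard before the loop, `if (fpe.d.range.min < 0 || fpe.d.range.max >= static_cast<int>(snort::MAX_PORTS)) break;` (or clamp both ends), and log the rejected entry so a bad data file is visible rather than silently skipped. The table also stores `&tfp`, a pointer into the caller's fplist, so the caller must keep that vector alive and unmodified for as long as the processor is consulted; a one-line comment on push stating that would save the next reader from guessing.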
+++ b/src/network_inspectors/rna/rna_fingerprint_tcp.h 
@@ -0,0 +1,94 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2020-2020 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// rna_fingerprint_tcp.h author Silviu Minut
+
+#ifndef RNA_FINGERPRINT_TCP_H
+#define RNA_FINGERPRINT_TCP_H
+
+#include
+#include
+
+#include "main/snort_types.h"
+#include "protocols/packet.h"
+
+#include "rna_fingerprint.h"
+
+namespace snort
+{
+
+enum FpElementType
+{
+ RANGE=1,
+ INCREMENT,
+ SYN_MATCH,
+ RANDOM,
+ DONT_CARE,
+ SYNTS
+};
+
+class FpElement
+{
+public:
+ FpElementType type;
+ union
+ {
+ int value;
+ struct
+ {
+ int min;
+ int max;
+ } range;
+ } d;
+};
+
+class FpTcpFingerprint : public FpFingerprint
+{
+public:
+
+ std::vector tcp_window;
+ std::vector mss;
+ std::vector id;
+ std::vector topts;
+ std::vector ws;
+ char df;
+};
+
+class TcpFpProcessor
+{
+public:
+
+ enum TCP_FP_MODE { SERVER, CLIENT };
+
+ typedef std::list::iterator Iter_t;
+
+ SO_PUBLIC void push(const std::vector&, TCP_FP_MODE);
+
+
+private:
+
+ // table_tcp_xxx[i] contains all fingerprints whose tcp window range
+ // contains i
+ std::vector
table_tcp_server[snort::MAX_PORTS];
+ std::vector table_tcp_client[snort::MAX_PORTS];
+};
+
+SO_PUBLIC TcpFpProcessor* get_tcp_fp_processor();
+}
+
+#endif
diff --git a/src/network_inspectors/rna/rna_fp_reader.cc b/src/network_inspectors/rna/rna_fp_reader.cc
new file mode 100644
index 000000000..67efd1f1a
--- /dev/null
+++ b/src/network_inspectors/rna/rna_fp_reader.cc
@@ -0,0 +1,44 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2020-2020 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// rna_fp_reader.cc author Silviu Minut
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "rna_fp_reader.h"
+
+using namespace snort;
+
+static RnaFingerprintReader* fp_reader = nullptr;
+
+namespace snort
+{
+
+const RnaFingerprintReader* get_rna_fp_reader()
+{
+ return fp_reader;
+}
+
+void set_rna_fp_reader(RnaFingerprintReader* fpr)
+{
+ fp_reader = fpr;
+}
+
+}
diff --git a/src/network_inspectors/rna/rna_fp_reader.h b/src/network_inspectors/rna/rna_fp_reader.h
new file mode 100644
index 000000000..a39947d7d
--- /dev/null
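Review bot: TcpFpProcessor::push is declared without the lifetime contract its definition imposes: the .cc stores raw pointers to elements of the vector it is handed, so those fingerprints must outlive the processor and the vector must not be resized after the call. Suggest a comment above the declaration, `// Keeps pointers into the given vector; the caller must keep it alive and unchanged for the processor's lifetime`. The comment on the two tables could also state the index domain push relies on, `// index is a tcp window value and must lie in [0, MAX_PORTS)`, since nothing in the header says what bounds a range is expected to respect. On style, FpElementType is a plain enum whose enumerators (RANGE, RANDOM, DONT_CARE, ...) land directly in namespace snort where `enum class` would scope them, and Iter_t is a typedef nothing in this commit uses.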
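Review bot: set_rna_fp_reader stores the pointer it is given in a file-static without taking ownership, and get_rna_fp_reader hands it back, so nothing here says who destroys the reader or that the global must be cleared before that happens. Suggest documenting it at set_rna_fp_reader, `// Non-owning: the caller keeps the reader alive and calls set_rna_fp_reader(nullptr) before destroying it`. No synchronization guards fp_reader, so if the reader is installed or replaced on a thread other than the one performing lookups the pair would need an atomic or a lock; from this hunk alone I cannot tell which threads touch it, so this is worth confirming against the caller.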
+++ b/src/network_inspectors/rna/rna_fp_reader.h
@@ -0,0 +1,53 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2020-2020 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// rna_fp_reader.h author Silviu Minut
+
+#ifndef RNA_FP_READER_H
+#define RNA_FP_READER_H
+
+#include
+
+#include "main/snort_types.h"
+
+#include "rna_fingerprint_tcp.h"
+
+namespace snort
+{
+
+class RnaFingerprintReader
+{
+public:
+ RnaFingerprintReader() { }
+ virtual ~RnaFingerprintReader() { }
+ virtual bool init(const char*) { return true; }
+
+ const std::vector& get_tcp_server_fps() const { return tcp_server_fps; }
+ const std::vector& get_tcp_client_fps() const { return tcp_client_fps; }
+
+protected:
+ std::vector tcp_server_fps;
+ std::vector tcp_client_fps;
+};
+
+SO_PUBLIC const RnaFingerprintReader* get_rna_fp_reader();
+SO_PUBLIC void set_rna_fp_reader(RnaFingerprintReader*);
+
+}
+
+#endif
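Review bot: RnaFingerprintReader::init(const char*) returns true in the base class without loading anything and its parameter is undocumented, so a caller that ends up with the base implementation gets a silently empty fingerprint set reported as success rather than an error. Suggest a comment on the declaration naming what the argument is and stating that an override must populate tcp_server_fps and tcp_client_fps, or make init pure virtual if a bare reader is never meaningful. The empty hand-written constructor and destructor can be `RnaFingerprintReader() = default;` and `virtual ~RnaFingerprintReader() = default;`. The getters hand out references to vectors that TcpFpProcessor::push later keeps pointers into, so the class should say that the protected vectors are not to be modified once they have been pushed.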