From: Manav Soneja (msoneja) Date: Wed, 14 Aug 2024 13:22:20 +0000 (+0000) Subject: Pull request #4343: ftp: refactoring ftp_data X-Git-Tag: 3.3.4.0~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ff6ac2c7ce57c4e106e18f7eb142f561b5e69562;p=thirdparty%2Fsnort3.git Pull request #4343: ftp: refactoring ftp_data Merge in SNORT/snort3 from ~MSONEJA/snort3:ftps_malware to master Squashed commit of the following: commit 27655a50c70a8b28abd85876866a9e4176350f1d Author: msoneja Date: Thu Jul 4 05:35:07 2024 +0000 ftp_telnet: refactoring ftp-data --- diff --git a/src/service_inspectors/ftp_telnet/CMakeLists.txt b/src/service_inspectors/ftp_telnet/CMakeLists.txt index f11e1afc2..fe2efca8f 100644 --- a/src/service_inspectors/ftp_telnet/CMakeLists.txt +++ b/src/service_inspectors/ftp_telnet/CMakeLists.txt @@ -1,3 +1,10 @@ +set(FTP_INCLUDES + ftp_data.h + ftpdata_splitter.h + ftp_module.h + ftpp_ui_config.h + kmap.h +) set (FILE_LIST ft_main.cc @@ -46,3 +53,6 @@ else (STATIC_INSPECTORS) endif (STATIC_INSPECTORS) +install(FILES ${FTP_INCLUDES} + DESTINATION "${INCLUDE_INSTALL_PATH}/service_inspectors/ftp_telnet" +) diff --git a/src/service_inspectors/ftp_telnet/ftp_data.cc b/src/service_inspectors/ftp_telnet/ftp_data.cc index 8a4d4351b..4e21eb768 100644 --- a/src/service_inspectors/ftp_telnet/ftp_data.cc +++ b/src/service_inspectors/ftp_telnet/ftp_data.cc @@ -39,7 +39,6 @@ #include "utils/util.h" #include "ft_main.h" -#include "ftp_module.h" #include "ftpp_si.h" #include "ftpdata_splitter.h" 
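Review bot: The install() rule in the second hunk publishes these headers as a plugin-facing API, so each listed header must compile on its own against the installed tree; `ftp_data.h` now includes `ftp_module.h`, and `ftpp_ui_config.h` and `kmap.h` are in the list for that reason, presumably, but whether everything the installed headers pull in transitively is covered (e.g. `ftpp_si.h`, or `stream/flush_bucket.h`, which the `src/stream/CMakeLists.txt` hunk starts installing at the same time) is not visible here. A cheap check is to compile each header in `FTP_INCLUDES` standalone with only the install prefix on the include path. A missing header is not a safety problem, but an out-of-tree inspector built against this tree would fail to compile.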
@@ -257,44 +256,6 @@ void FtpDataFlowData::handle_eof(Packet* p) ftstats.total_sessions_mss_changed++; } -//------------------------------------------------------------------------- -// class stuff -//------------------------------------------------------------------------- - -class FtpData : public Inspector -{ -public: - FtpData() = default; - - void eval(Packet*) override; - StreamSplitter* get_splitter(bool to_server) override; - - bool can_carve_files() const override - { return true; } - - bool can_start_tls() const override - { return true; } -}; - -class FtpDataModule : public Module -{ -public: - FtpDataModule() : Module(FTP_DATA_NAME, s_help) { } - - const PegInfo* get_pegs() const override; - PegCount* get_counts() const override; - ProfileStats* get_profile() const override; - - bool set(const char*, Value&, SnortConfig*) override - { return false; } - - Usage get_usage() const override - { return INSPECT; } - - bool is_bindable() const override - { return true; } -}; - const PegInfo* FtpDataModule::get_pegs() const { return simple_pegs; } diff --git a/src/service_inspectors/ftp_telnet/ftp_data.h b/src/service_inspectors/ftp_telnet/ftp_data.h index 4bb13c8ee..141c84fbb 100644 --- a/src/service_inspectors/ftp_telnet/ftp_data.h +++ b/src/service_inspectors/ftp_telnet/ftp_data.h 
@@ -20,8 +20,46 @@ #define FTP_DATA_H #include "framework/inspector.h" +#include "ftp_module.h" extern const snort::InspectApi fd_api; +#define FTP_DATA_NAME "ftp_data" +#define s_help \ + "FTP data channel handler" + +class SO_PUBLIC FtpData : public snort::Inspector +{ +public: + FtpData() = default; + + void eval(snort::Packet*) override; + snort::StreamSplitter* get_splitter(bool to_server) override; + + bool can_carve_files() const override + { return true; } + + bool can_start_tls() const override + { return true; } +}; + +class FtpDataModule : public snort::Module +{ +public: + FtpDataModule() : snort::Module(FTP_DATA_NAME, s_help) { } + + const PegInfo* get_pegs() const override; + PegCount* get_counts() const override; + snort::ProfileStats* get_profile() const override; + + bool set(const char*, snort::Value&, snort::SnortConfig*) override + { return false; } + + Usage get_usage() const override + { return INSPECT; } + + bool is_bindable() const override + { return true; } +}; #endif diff --git a/src/service_inspectors/ftp_telnet/ftpdata_splitter.cc b/src/service_inspectors/ftp_telnet/ftpdata_splitter.cc index 11848e215..04f94b3aa 100644 --- a/src/service_inspectors/ftp_telnet/ftpdata_splitter.cc +++ b/src/service_inspectors/ftp_telnet/ftpdata_splitter.cc @@ -40,7 +40,7 @@ void FtpDataSplitter::restart_scan() } StreamSplitter::Status FtpDataSplitter::scan(Packet* pkt, const uint8_t*, uint32_t len, - uint32_t, uint32_t* fp) + uint32_t flags, uint32_t* fp) { Flow* flow = pkt->flow; assert(flow); @@ -73,7 +73,7 @@ StreamSplitter::Status FtpDataSplitter::scan(Packet* pkt, const uint8_t*, uint32 fdfd->session.mss_changed = true; expected_seg_size = len; - if (pkt->ptrs.tcph and !pkt->ptrs.tcph->is_fin()) + if (!flow->assistant_gadget && pkt->ptrs.tcph and !pkt->ptrs.tcph->is_fin()) { // set flag for signature calculation in case this is the last packet fdfd->session.packet_flags |= FTPDATA_FLG_FLUSH; 
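Review bot: `#define s_help "FTP data channel handler"` in ftp_data.h leaks an unprefixed macro into every translation unit that includes this header, and the header is now in the install set for external plugins; if an includer has its own `s_help` (a common file-local name in this tree's inspector sources) it will get a redefinition error or silently pick up this string. Prefer a prefixed constant: `static constexpr const char* FTP_DATA_HELP = "FTP data channel handler";` and `FtpDataModule() : snort::Module(FTP_DATA_NAME, FTP_DATA_HELP) { }`. It is also worth confirming that `FTP_DATA_NAME` is not still defined in ftp_module.h (which this header now includes) or in ftp_data.cc; an identical redefinition is tolerated, a differing one is an error. `FtpDataModule` is left without `SO_PUBLIC` while `FtpData` and `FtpDataSplitter` get it; if that is deliberate, a one-line comment saying only the inspector and splitter are exported would save the next reader a question.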
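Review bot: The rewritten condition mixes `&&` and `and` in one expression, `!flow->assistant_gadget && pkt->ptrs.tcph and !pkt->ptrs.tcph->is_fin()`, while the rest of this file uses the alternative token; for consistency write `if (!flow->assistant_gadget and pkt->ptrs.tcph and !pkt->ptrs.tcph->is_fin())`. The existing comment still says the flag is set "in case this is the last packet", but the new guard skips that whenever an assistant gadget is attached, and nothing here says why; if the intent is that the gadget drives the flush itself, a comment such as `// with an assistant gadget attached the flush is requested by the gadget instead` would make it explicit. scan() begins before and ends after this hunk.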
@@ -81,6 +81,17 @@ StreamSplitter::Status FtpDataSplitter::scan(Packet* pkt, const uint8_t*, uint32 return SEARCH; } } + + if (flow->assistant_gadget && (flags & FTPDATA_FLG_FLUSH)) + { + fdfd = (FtpDataFlowData*)flow->get_flow_data(FtpDataFlowData::inspector_id); + if (!fdfd) + return SEARCH; + + fdfd->session.packet_flags |= FTPDATA_FLG_FLUSH; + pkt->active->hold_packet(pkt); + return SEARCH; + } } if ((segs >= 2 and bytes >= min) or (pkt->ptrs.tcph and pkt->ptrs.tcph->is_fin())) diff --git a/src/service_inspectors/ftp_telnet/ftpdata_splitter.h b/src/service_inspectors/ftp_telnet/ftpdata_splitter.h index 5f63c642a..707758165 100644 --- a/src/service_inspectors/ftp_telnet/ftpdata_splitter.h +++ b/src/service_inspectors/ftp_telnet/ftpdata_splitter.h @@ -26,7 +26,7 @@ //--------------------------------------------------------------------------------- // FtpDataSplitter - flush when current seg size is different from previous segment //--------------------------------------------------------------------------------- -class FtpDataSplitter : public snort::StreamSplitter +class SO_PUBLIC FtpDataSplitter : public snort::StreamSplitter { public: FtpDataSplitter(bool b, uint16_t sz = 0) : snort::StreamSplitter(b) diff --git a/src/stream/CMakeLists.txt b/src/stream/CMakeLists.txt index bce84efd9..36436e3cc 100644 --- a/src/stream/CMakeLists.txt +++ b/src/stream/CMakeLists.txt @@ -9,6 +9,7 @@ add_subdirectory(file) add_subdirectory(test) set (STREAM_INCLUDES + flush_bucket.h paf.h pafng.h stream.h
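Review bot: `flags & FTPDATA_FLG_FLUSH` tests the splitter's `flags` argument against a bit defined for `fdfd->session.packet_flags`; if `flags` is the stream's generic packet-flag mask here, as it is for StreamSplitter::scan in general, the test only works because the two bit layouts happen to coincide, so either the value the assistant gadget actually passes should be named, or the contract documented with a comment such as `// the assistant gadget passes FTPDATA_FLG_FLUSH in scan()'s flags to request a flush`. The re-lookup `fdfd = (FtpDataFlowData*)flow->get_flow_data(...)` is a C-style cast where `static_cast<FtpDataFlowData*>` says what is meant, and `fdfd` is already dereferenced in the preceding block of scan(), so the second lookup may be redundant unless the earlier one is conditional. `pkt->active->hold_packet(pkt)` is issued for every flagged packet with no matching release visible; that may be handled elsewhere, but a comment naming who releases the hold would make the lifetime clear. scan() begins before and ends after this hunk.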