From 6658eb90b4445e1afe0bd2f51f430e0159030a97 Mon Sep 17 00:00:00 2001
From: "Michael Altizer (mialtize)"
Date: Fri, 23 Sep 2016 16:10:18 -0400
Subject: [PATCH] Merge pull request #632 in SNORT/snort3 from dce_udp_snort2lua to master
Squashed commit of the following:
commit ee86fa251e30c1fdaddb21774244ed608a71c327
Author: mdagon
Date: Thu Sep 22 18:30:54 2016 -0400
Code review
commit 90b8e627ae34ed8124c9d31207cc99dc2d915345
Author: mdagon
Date: Mon Sep 19 08:59:48 2016 -0400
Dce udp snort2lua
---
 .../preprocessor_states/pps_dcerpc.cc | 25 +++++++++++--------
 .../preprocessor_states/pps_dcerpc_server.cc | 19 +++++++++++---
 .../preprocessor_states/pps_dcerpc_server.h | 4 +--
 3 files changed, 32 insertions(+), 16 deletions(-)
diff --git a/tools/snort2lua/preprocessor_states/pps_dcerpc.cc b/tools/snort2lua/preprocessor_states/pps_dcerpc.cc
index 6b963afb2..700087999 100644
--- a/tools/snort2lua/preprocessor_states/pps_dcerpc.cc
+++ b/tools/snort2lua/preprocessor_states/pps_dcerpc.cc
@@ -33,11 +33,11 @@ public:
 private:
 bool add_deleted_comment_to_table(std::string table_name, std::string option);
 bool add_deleted_comment_to_defaults(std::string option);
- bool add_option_to_all(std::string option, const bool val);
- bool add_option_to_all(std::string option, const int val);
+ bool add_option_to_all(std::string option, const bool val, bool co_only);
+ bool add_option_to_all(std::string option, const int val, bool co_only);
 bool add_option_to_type(std::string type, std::string option, std::string value);
 bool add_option_to_type(std::string type, std::string option);
- bool parse_int_and_add_to_all(std::string opt_name, std::istringstream& stream);
+ bool parse_int_and_add_to_all(std::string opt_name, std::istringstream& stream, bool co_only);
 bool parse_string_and_add_to_type(std::string type, std::string opt_name, std::istringstream& stream);
 };
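Review bot: The new `bool co_only` parameter on the two add_option_to_all overloads and on parse_int_and_add_to_all is undocumented, and nothing in the declarations says which transport it excludes or why. A one-line comment above the overloads, e.g. `// co_only: apply only to the connection-oriented transports (dce_smb, dce_tcp), skipping dce_udp`, would keep call sites such as `add_option_to_all("disable_defrag", true, false)` readable without opening the definition. If the reason is that dce_udp has no such option in Snort 3, say so there as well — I am inferring that from which options are passed `true`, the diff itself does not state it. The class body continues outside the hunk.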
@@ -51,12 +51,14 @@ bool Dcerpc::add_deleted_comment_to_table(std::string table_name, std::string op
 return tmpval;
 }
-bool Dcerpc::add_option_to_all(std::string option, const bool val)
+bool Dcerpc::add_option_to_all(std::string option, const bool val, bool co_only)
 {
 bool tmpval = true;
 for (auto type : transport)
 {
+ if (co_only && (type.compare("udp") == 0))
+ continue;
 tmpval = add_option_to_table(table_api, "dce_" + type, option, val);
 for (int i=0; i < DcerpcServer::get_binding_id(); i++)
 {
@@ -67,12 +69,14 @@ bool Dcerpc::add_option_to_all(std::string option, const bool val)
 return tmpval;
 }
-bool Dcerpc::add_option_to_all(std::string option, const int val)
+bool Dcerpc::add_option_to_all(std::string option, const int val, bool co_only)
 {
 bool tmpval = true;
 for (auto type : transport)
 {
+ if (co_only && (type.compare("udp") == 0))
+ continue;
 tmpval = add_option_to_table(table_api, "dce_" + type, option, val);
 for (int i=0; i < DcerpcServer::get_binding_id(); i++)
 {
@@ -120,13 +124,14 @@ bool Dcerpc::add_deleted_comment_to_defaults(std::string option)
 return tmpval;
 }
-bool Dcerpc::parse_int_and_add_to_all(std::string opt_name, std::istringstream& stream)
+bool Dcerpc::parse_int_and_add_to_all(std::string opt_name, std::istringstream& stream, bool
+ co_only)
 {
 int val;
 if (stream >> val)
 {
- return add_option_to_all(opt_name, val);
+ return add_option_to_all(opt_name, val, co_only);
 }
 return false;
@@ -170,10 +175,10 @@ bool Dcerpc::convert(std::istringstream& data_stream)
 tmpval = eat_option(data_stream);
 }
 else if (!keyword.compare("disable_defrag"))
- tmpval = add_option_to_all("disable_defrag", true);
+ tmpval = add_option_to_all("disable_defrag", true, false);
 else if (!keyword.compare("max_frag_len"))
- tmpval = parse_int_and_add_to_all("max_frag_len", data_stream);
+ tmpval = parse_int_and_add_to_all("max_frag_len", data_stream, false);
 else if (!keyword.compare("events"))
 {
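Review bot: The udp exclusion added to Dcerpc::add_option_to_all is a literal string compare, `type.compare("udp") == 0`, and the same expression is repeated verbatim in the int overload below and again in DcerpcServer::init_net_created_table, so the "udp is the connectionless transport" rule now lives in three places. A small helper beside the transport table, `static bool is_connectionless(const std::string& t) { return t == "udp"; }`, used as `if (co_only && is_connectionless(type)) continue;`, keeps it in one. Separately, the context line `tmpval = add_option_to_table(...)` overwrites the result on every iteration, so a failure for dce_smb is masked by a later success for dce_tcp, whereas init_net_created_table ANDs its results with `&& tmpval`; the same `&&` would be consistent here. The function body continues past the end of the hunk.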
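Review bot: The new signature of Dcerpc::parse_int_and_add_to_all wraps between a parameter's type and its name, leaving `bool` at the end of one line and `co_only)` alone on the next, which reads as a stray token. Break before the parameter instead: `bool Dcerpc::parse_int_and_add_to_all(std::string opt_name,` followed by `    std::istringstream& stream, bool co_only)`. The body is otherwise a pass-through of the flag, so no further change is needed there.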
@@ -201,7 +206,7 @@ bool Dcerpc::convert(std::istringstream& data_stream)
 }
 }
 else if (!keyword.compare("reassemble_threshold"))
- tmpval = parse_int_and_add_to_all("reassemble_threshold", data_stream);
+ tmpval = parse_int_and_add_to_all("reassemble_threshold", data_stream, true);
 else if (!keyword.compare("disabled"))
 tmpval = add_deleted_comment_to_defaults("disabled");
diff --git a/tools/snort2lua/preprocessor_states/pps_dcerpc_server.cc b/tools/snort2lua/preprocessor_states/pps_dcerpc_server.cc
index d2b1789d6..e2c95a3d0 100644
--- a/tools/snort2lua/preprocessor_states/pps_dcerpc_server.cc
+++ b/tools/snort2lua/preprocessor_states/pps_dcerpc_server.cc
@@ -44,13 +44,15 @@ enum DceDetectListState
 DCE_DETECT_LIST_STATE__END,
 };
-std::string transport[2] = { "smb", "tcp" };
+std::string transport[3] = { "smb", "tcp", "udp" };
 std::map > default_ports
 {
 { "smb", { 139, 445 } },
 { "tcp", { 135 }
+ },
+ { "udp", { 135 }
 }
 };
@@ -60,6 +62,8 @@ std::map > autodetect_default_ports
 { "smb", { 1025 } },
 { "tcp", { 1026 }
+ },
+ { "udp", { 1027 }
 }
 };
@@ -524,6 +528,8 @@ bool DcerpcServer::init_net_created_table()
 table_api.close_table();
 for (auto type : transport)
 {
+ if (type.compare("udp") == 0)
+ continue;
 tmpval = add_option_to_table(table_api,table_name[type], "reassemble_threshold",
 std::stoi(val)) && tmpval;
 }
@@ -598,12 +604,14 @@ bool DcerpcServer::parse_nets(std::istringstream& data_stream, std::map bind;
 bind["smb"] = &bind_smb;
 bind["tcp"] = &bind_tcp;
+ bind["udp"] = &bind_udp;
 for (auto type : transport)
 {
- bind[type]->set_when_proto("tcp"); // FIXIT-M once dce_udp is ported
+ bind[type]->set_when_proto("tcp");
 bind[type]->set_use_type("dce_" + type);
 }
+ bind["udp"]->set_when_proto("udp");
 if (!(data_stream >> keyword))
 return false;
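Review bot: The new `continue` in init_net_created_table sits inside a loop that calls `std::stoi(val)` once per transport, so the same configuration string is re-parsed for every table and a malformed value throws from the middle of the loop, after some tables have already been written. Convert once before the loop, `const int threshold = std::stoi(val);`, pass `threshold` to add_option_to_table, and the skip can read `if (type == "udp") continue;` next to a single conversion. Whether a throwing std::stoi is caught further up is not visible in this hunk; if it is not, a bad reassemble_threshold in a snort.conf aborts the converter instead of producing a conversion error, which is worth confirming. The enclosing function starts and ends outside the hunk.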
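Review bot: parse_nets now sets `set_when_proto("tcp")` on every transport inside the loop, udp included, and then overrides the udp binder afterwards with `bind["udp"]->set_when_proto("udp")`; the post-loop fix-up is redundant work and is easy to lose when another transport is added to the table. Deriving the protocol in the loop, `bind[type]->set_when_proto(type == "udp" ? "udp" : "tcp");`, drops the extra line and keeps each transport's setup in one place. `bind_udp` is not declared anywhere in this diff, so presumably it already exists as a member of DcerpcServer — worth confirming against the header. The function continues outside the hunk.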
@@ -682,7 +693,7 @@ bool DcerpcServer::convert(std::istringstream& data_stream)
 if (policy.back() == ',')
 policy.pop_back();
- tmpval = add_option_to_all_transports("policy", policy);
+ tmpval = add_option_to_transports("policy", policy, true);
 }
 else if (!keyword.compare("detect"))
 {
diff --git a/tools/snort2lua/preprocessor_states/pps_dcerpc_server.h b/tools/snort2lua/preprocessor_states/pps_dcerpc_server.h
index 86216cb6d..661e533df 100644
--- a/tools/snort2lua/preprocessor_states/pps_dcerpc_server.h
+++ b/tools/snort2lua/preprocessor_states/pps_dcerpc_server.h
@@ -30,7 +30,7 @@ namespace preprocessors
 {
 namespace dce
 {
-extern std::string transport[2];
+extern std::string transport[3];
 class DcerpcServer : public ConversionState
 {
@@ -55,7 +55,7 @@ private:
 bool init_new_tables(bool is_default);
 bool parse_nets(std::istringstream& data_stream, std::map bind);
- bool add_option_to_all_transports(std::string option, std::string value);
+ bool add_option_to_transports(std::string option, std::string value, bool co_only);
 std::map detect_ports_set;
 std::map autodetect_ports_set;
 std::map table_name;
-- 
2.47.2
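Review bot: `add_option_to_transports("policy", policy, true)` passes a bare `true` with nothing at the call site saying why `policy` is restricted to the connection-oriented transports, while the other new callers in this change pass `false`; a reader has to open the callee to learn that the third argument means skip-udp. A short comment on the line, `// co_only: policy is a dce_smb/dce_tcp option, not dce_udp`, or an `enum class` in place of the bool, would make the call self-describing — that dce_udp lacks the option is my reading of why `true` was chosen, not something the diff states. The enclosing convert() starts and ends outside the hunk.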