From 76dbb7b354287ae410073e8fcb2de270bce181dd Mon Sep 17 00:00:00 2001
From: "Russ Combs (rucombs)"
Date: Tue, 22 Nov 2016 07:07:40 -0500
Subject: [PATCH] Merge pull request #715 in SNORT/snort3 from appid_fflow3 to master
Squashed commit of the following:
commit a9e3e7de8612efb242df0f21d32d0654e647d90c
Merge: 31d0bf7 61a685b
Author: Steve Chew
Date: Mon Nov 21 23:50:53 2016 -0500
Merge branch 'appid_fflow3' of ssh://bitbucket-eng-rtp1.cisco.com:7999/snort/snort3 into appid_fflow3
Conflicts: src/network_inspectors/appid/detector_plugins/detector_http.cc
commit 31d0bf78b51445976b335f705e25be0b0f744794
Author: Steve Chew
Date: Mon Nov 21 22:52:16 2016 -0500
Remove future flow appid feature for http since there is no known use case.
commit 61a685bfd603fe098c64589162acbe2f838d2629
Author: Steve Chew
Date: Mon Nov 21 22:52:16 2016 -0500
Remove future flow appid feature for http since there is no known use case.
---
 .../appid/app_info_table.cc | 9 -
 src/network_inspectors/appid/appid_config.h | 1 -
 src/network_inspectors/appid/appid_session.cc | 12 -
 src/network_inspectors/appid/appid_session.h | 12 -
 .../appid/detector_plugins/detector_http.cc | 409 ------------------
 .../appid/detector_plugins/detector_http.h | 2 -
 6 files changed, 445 deletions(-)
diff --git a/src/network_inspectors/appid/app_info_table.cc b/src/network_inspectors/appid/app_info_table.cc
index ae9af3d01..beeb41a18 100644
--- a/src/network_inspectors/appid/app_info_table.cc
+++ b/src/network_inspectors/appid/app_info_table.cc
@@ -355,15 +355,6 @@ void AppInfoManager::load_appid_config(const char* path)
 continue;
 }
 }
- else if (!(strcasecmp(conf_key, "chp_fflow")))
- {
- if (!(strcasecmp(conf_val, "disabled")))
- {
- DebugMessage(DEBUG_APPID, "AppId: HTTP future flow creation disabled.\n");
- AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled = 1;
- continue;
- }
- }
 else if (!(strcasecmp(conf_key, "ftp_userid")))
 {
 if (!(strcasecmp(conf_val, "disabled")))
diff --git a/src/network_inspectors/appid/appid_config.h b/src/network_inspectors/appid/appid_config.h
index aa288698d..b2d8510d4 100644
--- a/src/network_inspectors/appid/appid_config.h
+++ b/src/network_inspectors/appid/appid_config.h
@@ -110,7 +110,6 @@ public:
 uint32_t ftp_userid_disabled = 0;
 uint32_t chp_userid_disabled = 0;
 uint32_t chp_body_collection_disabled = 0;
- uint32_t chp_fflow_disabled = 0;
 uint32_t chp_body_collection_max = 0;
 uint32_t max_tp_flow_depth = 0;
 uint32_t tp_allow_probes = 0;
diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc
index 6346d1176..df1389daa 100644
--- a/src/network_inspectors/appid/appid_session.cc
+++ b/src/network_inspectors/appid/appid_session.cc
@@ -2651,11 +2651,6 @@ void AppIdSession::free_http_session_data()
 hsession->new_field[i] = nullptr;
 }
 }
- if (hsession->fflow)
- {
- snort_free(hsession->fflow);
- hsession->fflow = nullptr;
- }
 if (hsession->via)
 {
 snort_free(hsession->via);
@@ -3379,13 +3374,6 @@ void AppIdSession::processCHP(char** version, Packet* p)
 if (http_session->app_type_flags & APP_TYPE_PAYLOAD)
 set_payload_app_id_data((ApplicationId)chp_final, version);
- if (http_session->fflow && http_session->fflow->flow_prepared)
- {
- finalize_fflow(http_session->fflow, http_session->app_type_flags,
- (http_session->fflow->appId ? http_session->fflow->appId : chp_final), p);
- snort_free(http_session->fflow);
- http_session->fflow = nullptr;
- }
 if (*version)
 *version = nullptr;
 if (user)
diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h
index 09c19257d..d62fb9f7b 100644
--- a/src/network_inspectors/appid/appid_session.h
+++ b/src/network_inspectors/appid/appid_session.h
@@ -133,17 +133,6 @@ struct CommonAppIdData
 #define SCAN_HTTP_XWORKINGWITH_FLAG (1<<7)
 #define SCAN_HTTP_CONTENT_TYPE_FLAG (1<<8)
-struct fflow_info
-{
- uint32_t sip = 0;
- uint32_t dip = 0;
- uint16_t sport = 0;
- uint16_t dport = 0;
- IpProtocol protocol = IpProtocol::PROTO_NOT_SET;
- AppId appId = APP_ID_NONE;
- int flow_prepared = 0;
-};
 #define RESPONSE_CODE_PACKET_THRESHHOLD 0
 struct httpSession
@@ -176,7 +165,6 @@ struct httpSession
 uint16_t new_field_len[HTTP_FIELD_MAX+1] = { 0 };
 uint16_t fieldOffset[HTTP_FIELD_MAX+1] = { 0 };
 uint16_t fieldEndOffset[HTTP_FIELD_MAX+1] = { 0 };
- fflow_info* fflow = nullptr;
 bool new_field_contents = false;
 int chp_finished = 0;
 AppId chp_candidate = APP_ID_NONE;
diff --git a/src/network_inspectors/appid/detector_plugins/detector_http.cc b/src/network_inspectors/appid/detector_plugins/detector_http.cc
index 0c75bf596..847913c0c 100644
--- a/src/network_inspectors/appid/detector_plugins/detector_http.cc
+++ b/src/network_inspectors/appid/detector_plugins/detector_http.cc
@@ -1143,358 +1143,6 @@ static void extractCHP(char* buf, int bs, int start, int psize, char* adata, ch
 *outbuf = snort_strndup(begin, end-begin);
 }
-static uint32_t ddToIp(char* start, int size)
-{
- uint32_t ret_addr = 0;
- char* p;
- int tmp = 0;
- int octet = 3;
- int digit_count = 1;
- int done = 0;
-
- for (p = start;
- p < start+size;
- p++)
- {
- if (isdigit(*p))
- {
- // if there are more than three digits in a row
- if (digit_count > 3)
- {
- // this might be a spurrious digit after the IP address
- if (octet == 0 && tmp && tmp <= 255)
- {
- ret_addr += tmp;
- done = 1;
- break;
- }
- else
- return 0;
- }
- // otherwise, increase the value of tmp
- tmp *= 10;
- tmp += *p - '0';
- digit_count++;
- }
- // 0x2e is '.'
- else if (*p == 0x2e)
- {
- // make sure we don't have random dots in there
- if (!tmp)
- return 0;
- // otherwise, increase the return value
- else
- {
- // octet value must fit in 8-bit boundary
- if (tmp > 255)
- return 0;
- ret_addr += tmp < 255)
- return 0;
- if (!done)
- ret_addr += tmp;
- return htonl(ret_addr);
-}
-
-static uint32_t ffSetIp(char* buf, int buf_size, int start, int psize)
-{
- uint32_t ret_address;
-
- ret_address = ddToIp(buf+start+psize, buf_size);
-
- return ret_address;
-}
-
-static uint16_t ffSetPort(char* buf, int buf_size, int start, int psize)
-{
- uint16_t temp_port = 0;
- uint16_t new_digit;
- char* p;
- int i;
-
- for (p = buf+start+psize, i = 1; p < buf+buf_size && isdigit(*p); p++, i++)
- {
- new_digit = *p -'0';
- // we don't want to try to put a value gt 65535 into a uint_16t
- if ((i > 5) || (temp_port > 6535 || (temp_port == 6535 && new_digit > 5)))
- return 0;
- temp_port *= 10;
- temp_port += *p - '0';
- }
-
- return temp_port;
-}
-
-static IpProtocol ffSetProtocol(char* buf, int buf_size, int start, int psize)
-{
- uint8_t temp_protocol = 0;
- uint8_t new_digit;
- char* p;
- int i;
-
- for (p = buf+start+psize, i = 1; p < buf+buf_size && isdigit(*p); p++, i++)
- {
- new_digit = *p - '0';
- // we don't 
want to try to put a value gt 255 into a uint8_t
- if ((i > 3) || (temp_protocol > 25 || (temp_protocol == 25 && new_digit > 5)))
- return IpProtocol::PROTO_NOT_SET;
-
- temp_protocol *= 10;
- temp_protocol += new_digit;
- }
-
- return (IpProtocol)temp_protocol;
-}
-
-#if MUST_FIX
- // FIXIT-H: We do not have a packet when we get called from
- // the HTTP inspector. Is there an alternative?
-static void fflowCreate(char* adata, fflow_info* fflow, Packet* p, AppId target_appid)
-{
- char* saddr_string = nullptr;
- char* daddr_string = nullptr;
- char* sport_string = nullptr;
- char* dport_string = nullptr;
- char* protocol_string = nullptr;
- char* appid = nullptr;
- const sfip_t* sip;
- const sfip_t* dip;
- int temp_port = 0;
- char* brk;
-
- /*
- The Action Data for this action is special - THE SEQUENCE MUST BE - source_address source_port dest_address dest_port protocol appid - DELIMITED BY A SPACE - if any value is '*', that means we should have already set this value with a previous action
- */
- if (!(saddr_string = strtok_r(adata, " ", &brk)))
- return;
- if (!(sport_string = strtok_r(nullptr, " ", &brk)))
- return;
- if (!(daddr_string = strtok_r(nullptr, " ", &brk)))
- return;
- if (!(dport_string = strtok_r(nullptr, " ", &brk)))
- return;
- if (!(protocol_string = strtok_r(nullptr, " ", &brk)))
- return;
- if (!(appid = strtok_r(nullptr, " ", &brk)))
- return;
-
- switch (*saddr_string)
- {
- case 'S':
- sip = p->ptrs.ip_api.get_src();
- fflow->sip = sip->ip32[0];
- break;
- case 'D':
- sip = p->ptrs.ip_api.get_dst();
- fflow->sip = sip->ip32[0];
- break;
- case '0':
- sip = 0;
- break;
- case '*':
- if (!fflow->sip)
- return;
- break;
- default:
- if ((!fflow->sip) && (!(fflow->sip = ddToIp(saddr_string, strlen(saddr_string)))))
- return;
- }
-
- switch (*sport_string)
- {
- case 'S':
- if (strlen(sport_string) > 2)
- {
- if ((temp_port = strtol(sport_string+1, nullptr, 10)))
- fflow->sport = p->ptrs.sp + temp_port;
- else
- return;
- }
- else
- 
fflow->sport = p->ptrs.sp;
- break;
- case 'D':
- if (strlen(sport_string) > 2)
- {
- if ((temp_port = strtol(sport_string+1, nullptr, 10)))
- fflow->sport = p->ptrs.dp + temp_port;
- else
- return;
- }
- else
- fflow->sport = p->ptrs.dp;
- break;
- case '0':
- fflow->sport = 0;
- break;
- case '*':
- if (!fflow->sport)
- return;
- break;
- default:
- if ((!fflow->sport) && (!(fflow->sport = ffSetPort(sport_string, strlen(sport_string), 0, - 0))))
- return;
- }
-
- switch (*daddr_string)
- {
- case 'S':
- dip = p->ptrs.ip_api.get_src();
- fflow->dip = dip->ip32[0];
- break;
- case 'D':
- dip = p->ptrs.ip_api.get_dst();
- fflow->dip = dip->ip32[0];
- break;
- case '0':
- fflow->dip = 0;
- break;
- case '*':
- if (!fflow->dip)
- return;
- break;
- default:
- if ((!fflow->dip) && (!(fflow->dip = ddToIp(daddr_string, strlen(daddr_string)))))
- return;
- }
-
- switch (*dport_string)
- {
- case 'S':
- if (strlen(dport_string) > 2)
- {
- if ((temp_port = strtol(dport_string+1, nullptr, 10)))
- fflow->dport = p->ptrs.dp + temp_port;
- else
- return;
- }
- else
- fflow->dport = p->ptrs.sp;
- break;
- case 'D':
- if (strlen(dport_string) > 2)
- {
- if ((temp_port = strtol(dport_string+1, nullptr, 10)))
- fflow->dport = p->ptrs.dp + temp_port;
- else
- return;
- }
- else
- fflow->dport = p->ptrs.dp;
- break;
- case '0':
- fflow->dport = 0;
- break;
- case '*':
- if (!fflow->dport)
- return;
- break;
- default:
- if ((!fflow->dport) && (!(fflow->dport = ffSetPort(dport_string, strlen(dport_string), 0, - 0))))
- return;
- }
-
- switch (*protocol_string)
- {
- case 'T':
- fflow->protocol = IpProtocol::TCP;
- break;
- case 'U':
- fflow->protocol = IpProtocol::UDP;
- break;
- case '0':
- fflow->protocol = IpProtocol::PROTO_NOT_SET;
- break;
- case 'S':
- case 'D':
- fflow->protocol = p->is_tcp() ? 
IpProtocol::TCP : IpProtocol::UDP;
- break;
- case '*':
- if ( fflow->protocol == IpProtocol::PROTO_NOT_SET )
- return;
- break;
- default:
- if ( fflow->protocol == IpProtocol::PROTO_NOT_SET )
- {
- fflow->protocol = ffSetProtocol(
- protocol_string, strlen(protocol_string), 0, 0);
-
- if ( fflow->protocol == IpProtocol::PROTO_NOT_SET )
- return;
- }
- break;
- }
-
- switch (*appid)
- {
- case '*':
- fflow->appId = target_appid;
- break;
- default:
- fflow->appId = strtol(appid, nullptr, 10);
- }
-
- fflow->flow_prepared = 1;
-}
-#endif
-
-void finalize_fflow(fflow_info* fflow, unsigned app_type_flags, AppId target_appId, Packet* p)
-{
- AppIdSession* fp;
- sfip_t saddr, daddr;
-
- sfip_set_raw(&saddr, &fflow->sip, AF_INET);
- sfip_set_raw(&daddr, &fflow->dip, AF_INET);
-
- if (!(fp = AppIdSession::create_future_session(p, &saddr, fflow->sport, &daddr, fflow->dport,
- fflow->protocol, target_appId, 0)))
- return;
-
- if (app_type_flags & APP_TYPE_SERVICE)
- {
- fp->serviceAppId = target_appId;
- fp->rnaServiceState = RNA_STATE_FINISHED;
- fp->rna_client_state = RNA_STATE_FINISHED;
- }
- if (app_type_flags & APP_TYPE_CLIENT)
- {
- fp->client_app_id = target_appId;
- fp->rna_client_state = RNA_STATE_FINISHED;
- }
- if (app_type_flags & APP_TYPE_PAYLOAD)
- {
- fp->payload_app_id = target_appId;
- }
-}
-
 void scan_key_chp(PatternType ptype, char* buf, int buf_size, CHPTallyAndActions& match_tally)
 {
 detectorHttpConfig->chp_matchers[ptype]->find_all(buf, buf_size, &chp_key_pattern_match, 
@@ -1586,63 +1234,6 @@ AppId scan_chp(PatternType ptype, char* buf, int buf_size, MatchedCHPAction* mp,
 do_not_further_modify_field = 1;
 }
 break;
- case FUTURE_APPID_SESSION_SIP:
- if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled)
- break;
- if (!hsession->fflow)
- hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info));
- if (!hsession->fflow->sip)
- hsession->fflow->sip = ffSetIp(buf, buf_size, tmp->index, match->psize);
- break;
-
- case FUTURE_APPID_SESSION_DIP:
- if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled)
- break;
- if (!hsession->fflow)
- hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info));
- if (!hsession->fflow->dip)
- hsession->fflow->dip = ffSetIp(buf, buf_size, tmp->index, match->psize);
- break;
-
- case FUTURE_APPID_SESSION_SPORT:
- if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled)
- break;
- if (!hsession->fflow)
- hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info));
- if (!hsession->fflow->sport)
- hsession->fflow->sport = ffSetPort(buf, buf_size, tmp->index, match->psize);
- break;
-
- case FUTURE_APPID_SESSION_DPORT:
- if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled)
- break;
- if (!hsession->fflow)
- hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info));
- if (!hsession->fflow->dport)
- hsession->fflow->dport = ffSetPort(buf, buf_size, tmp->index, match->psize);
- break;
-
- case FUTURE_APPID_SESSION_PROTOCOL:
- if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled)
- break;
- if (!hsession->fflow)
- hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info));
- if (hsession->fflow->protocol == IpProtocol::PROTO_NOT_SET)
- hsession->fflow->protocol = ffSetProtocol(buf, buf_size, tmp->index, match->psize);
- break;
-
- case FUTURE_APPID_SESSION_CREATE:
- if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled)
- break;
- if (!hsession->fflow)
- hsession->fflow = 
(fflow_info*)snort_calloc(sizeof(fflow_info));
-#if MUST_FIX
- // FIXIT-H: We do not have a packet when we get called from
- // the HTTP inspector. Is there an alternative?
- fflowCreate(match->action_data, hsession->fflow, p, hsession->chp_candidate);
-#endif
- break;
-
 case INSERT_FIELD:
 if (!do_not_further_modify_field && second_sweep_for_inserts == nullptr)
 {
diff --git a/src/network_inspectors/appid/detector_plugins/detector_http.h b/src/network_inspectors/appid/detector_plugins/detector_http.h
index ad026b35e..87000c81c 100644
--- a/src/network_inspectors/appid/detector_plugins/detector_http.h
+++ b/src/network_inspectors/appid/detector_plugins/detector_http.h
@@ -28,7 +28,6 @@
 #include "utils/util.h"
 struct httpSession;
-struct fflow_info;
 struct CHPAction;
 struct CHPApp;
 class AppIdConfig;
@@ -189,7 +188,6 @@ AppId scan_header_x_working_with(const uint8_t*, uint32_t, char**);
 void identify_user_agent(const uint8_t*, int, AppId*, AppId*, char**);
 void get_server_vendor_version(const uint8_t*, int, char**, char**, RNAServiceSubtype**);
 bool is_webdav_found(HeaderMatchedPatterns*);
-void finalize_fflow(fflow_info*, unsigned app_type_flags, AppId, Packet* );
 #endif
-- 
2.47.2