From eb4a54f83d81f06205594dea810d2a2725463a5c Mon Sep 17 00:00:00 2001
From: "Mike Stepanek (mstepane)" 
Date: Wed, 14 Oct 2020 21:09:01 +0000
Subject: [PATCH] Merge pull request #2547 in SNORT/snort3 from ~MDAGON/snort3:react to master

Squashed commit of the following:

commit 0fa4392bc933cb6a8c8c65d1dc4378ed87f881df
Author: mdagon 
Date:   Mon Sep 28 14:15:25 2020 -0400

    actions: use payload_injector for react
---
 src/actions/act_react.cc  | 43 +++++++++++++++++++++++----------------
 src/actions/dev_notes.txt | 16 +++++++++++++++
 2 files changed, 42 insertions(+), 17 deletions(-)

diff --git a/src/actions/act_react.cc b/src/actions/act_react.cc
index 40fa375ef..98f6f8513 100644
--- a/src/actions/act_react.cc
+++ b/src/actions/act_react.cc
@@ -34,8 +34,7 @@
  *
  * This version will send a web page to the client and then reset both
  * ends of the session. The web page may be configured or the default
- * may be used. The web page can have the default warning message
- * inserted or the message from the rule.
+ * may be used.
  *
  * If you wish to just reset the session, use the reject keyword instead.
  */
@@ -53,7 +52,9 @@
 #include "framework/module.h"
 #include "log/messages.h"
 #include "main/snort_config.h"
+#include "main/snort_debug.h"
 #include "packet_io/active.h"
+#include "payload_injector/payload_injector_module.h"
 #include "profiler/profiler.h"
 #include "protocols/packet.h"
 #include "utils/util.h"
@@ -89,6 +90,8 @@ static THREAD_LOCAL ProfileStats reactPerfStats;
     "\r\n" \
     "\r\n"
 
+THREAD_LOCAL const snort::Trace* react_trace = nullptr;
+
 class ReactData
 {
 public:
@@ -121,7 +124,6 @@ private:
     std::string resp_buf; // response to send
 };
 
-
 class ReactAction : public snort::IpsAction
 {
 public:
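Review bot: `react_trace` is defined with external linkage in the @@ -89 hunk although only this translation unit appears to use it (the set_trace override added later in this patch is what assigns it); unless another file declares it `extern`, `static THREAD_LOCAL const snort::Trace* react_trace = nullptr;` keeps the symbol file-local and avoids colliding with any other action module that picks the same name. The header-comment trim and the two new includes in the neighbouring hunks are consistent with the new send() body and need no change.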
@@ -143,19 +145,17 @@ public:
 private:
     void send(snort::Packet* p)
     {
-        EncodeFlags df = (p->is_from_server()) ? ENC_FLAG_FWD : 0;
-        EncodeFlags sent = 0;
-
-        Active* act = p->active;
-
-        if ( p->packet_flags & PKT_STREAM_EST )
-            sent = act->send_data(p, df, (const uint8_t*)config->get_resp_buf(), config->get_buf_len());
-
-        EncodeFlags rf = ENC_FLAG_SEQ | (ENC_FLAG_VAL & sent);
-        act->send_reset(p, rf);
-
-        // block the flow in case the RST is lost.
-        act->block_session(p);
+        InjectionControl control;
+        control.http_page = (const uint8_t*)config->get_resp_buf();
+        control.http_page_len = config->get_buf_len();
+        InjectionReturnStatus status = PayloadInjectorModule::inject_http_payload(p, control);
+#ifdef DEBUG_MSGS
+        if (status != INJECTION_SUCCESS)
+            debug_logf(react_trace, nullptr, "Injection error: %s\n",
+                PayloadInjectorModule::get_err_string(status));
+#else
+        UNUSED(status);
+#endif
     }
 
 private:
@@ -169,7 +169,7 @@ private:
 static const Parameter s_params[] =
 {
     { "page", Parameter::PT_STRING, nullptr, nullptr,
-      "file containing HTTP response (headers and body)" },
+      "file containing HTTP response body" },
 
     { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
 };
@@ -189,6 +189,15 @@ public:
     Usage get_usage() const override
     { return DETECT; }
 
+    void set_trace(const snort::Trace* trace) const override
+    { react_trace = trace; }
+
+    const snort::TraceOption* get_trace_options() const override
+    {
+        static const TraceOption react_trace_options(nullptr, 0, nullptr);
+        return &react_trace_options;
+    }
+
 public:
     std::string page;
 
diff --git a/src/actions/dev_notes.txt b/src/actions/dev_notes.txt
index c7beb9699..90b114dd7 100644
--- a/src/actions/dev_notes.txt
+++ b/src/actions/dev_notes.txt
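Review bot: A failed injection now leaves the flow untouched, because the new send() body only reports `status` under DEBUG_MSGS and otherwise discards it with `UNUSED(status)`, whereas the removed lines always sent a reset and then called `act->block_session(p)` "in case the RST is lost"; in a release build a react rule therefore fails open on any error returned by inject_http_payload(), with nothing logged. Unless inject_http_payload() itself resets and blocks the session on failure (not visible in this hunk), the error branch should keep the previous fail-closed behaviour through the `p->active` handle the old code used, and the `#else`/`UNUSED` pair then becomes unnecessary because the `if` consumes status in every build. A release-build message or peg count for the failure would also let operators notice that the configured page is not being delivered.
```cpp
        InjectionReturnStatus status = PayloadInjectorModule::inject_http_payload(p, control);
        if (status != INJECTION_SUCCESS)
        {
#ifdef DEBUG_MSGS
            debug_logf(react_trace, nullptr, "Injection error: %s\n",
                PayloadInjectorModule::get_err_string(status));
#endif
            // fail closed: the page could not be injected, so at least reset and
            // block the flow as this action did before delegating to the injector
            p->active->send_reset(p, ENC_FLAG_SEQ);
            p->active->block_session(p);
        }
```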
@@ -13,3 +13,19 @@ trigger. The rule types defined in this module are:
 * reset
 
 There is also a "none" rule type, which is a no-op.
+
+It also defines 3 active responses:
+* react
+* reject
+* rewrite
+
+Reject performs active response to shutdown hostile network
+session by injecting TCP resets (TCP connections) or ICMP unreachable
+packets.
+
+React sends an HTML page to the client, a RST to the server
+and blocks the flow. It is using payload_injector utilty.
+payload_injector should be configured when react is used.
+
+Rewrite enables overwrite packet contents based on "replace"
+option in the rules.
-- 
2.47.3