From fdc98fbad54cc4c53cee7f69c0d2724f029a206e Mon Sep 17 00:00:00 2001
From: "Akhilesh MY (amuttuva)"
Date: Thu, 22 May 2025 05:43:40 +0000
Subject: [PATCH] Pull request #4740: telnet: handle ayt commands in splitter

Merge in SNORT/snort3 from ~AMUTTUVA/snort3:telnet_block to master

Squashed commit of the following:

commit e862f9ad8ae83f116d57eb74bb8ebeef0566d7d8
Author: Akhilesh MY
Date: Mon May 12 07:45:34 2025 -0400

telnet: handle ayt commands in splitter
---
 src/service_inspectors/ftp_telnet/ftpp_return_codes.h | 1 +
 src/service_inspectors/ftp_telnet/pp_ftp.cc | 3 +++
 src/service_inspectors/ftp_telnet/pp_telnet.cc | 2 ++
 src/service_inspectors/ftp_telnet/telnet.cc | 4 ++--
 src/service_inspectors/ftp_telnet/telnet_splitter.cc | 5 +++++
 5 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/service_inspectors/ftp_telnet/ftpp_return_codes.h b/src/service_inspectors/ftp_telnet/ftpp_return_codes.h
index 612d71697..8ff26ea52 100644
--- a/src/service_inspectors/ftp_telnet/ftpp_return_codes.h
+++ b/src/service_inspectors/ftp_telnet/ftpp_return_codes.h
@@ -53,6 +53,7 @@
 #define FTPP_PORT_ATTACK 9
 #define FTPP_INVALID_SESSION 10
+#define FTPP_AYT_FOUND 11
 #define FTPP_OR_FOUND 100
 #define FTPP_OPT_END_FOUND 101
diff --git a/src/service_inspectors/ftp_telnet/pp_ftp.cc b/src/service_inspectors/ftp_telnet/pp_ftp.cc
index 0be10370c..af97806ab 100644
--- a/src/service_inspectors/ftp_telnet/pp_ftp.cc
+++ b/src/service_inspectors/ftp_telnet/pp_ftp.cc
@@ -999,6 +999,9 @@ int initialize_ftp(FTP_SESSION* session, Packet* p, int iMode)
 if (iRet == FTPP_ALERT)
 DetectionEngine::queue_event(GID_FTP, FTP_EVASIVE_TELNET_CMD);
+ else if (iRet == FTPP_AYT_FOUND)
+ DetectionEngine::queue_event(GID_FTP, FTP_TELNET_CMD);
+
 return iRet;
 }
diff --git a/src/service_inspectors/ftp_telnet/pp_telnet.cc b/src/service_inspectors/ftp_telnet/pp_telnet.cc
index f85e80c39..7f9ee9750 100644
--- a/src/service_inspectors/ftp_telnet/pp_telnet.cc
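Review bot: The new branch in pp_ftp.cc queues FTP_TELNET_CMD but leaves iRet at FTPP_AYT_FOUND for `return iRet;`, so initialize_ftp now hands back a value that did not exist before and nothing in the hunk maps it onto an existing code; the caller is outside the hunk, so it is worth confirming it does not treat every non-zero result as a failed or alerting session. The split from the FTPP_ALERT branch (FTP_EVASIVE_TELNET_CMD versus FTP_TELNET_CMD) deserves a comment on the new line, e.g. `// standalone IAC AYT: report a plain telnet command, not the evasion event`. initialize_ftp begins before the hunk.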
+++ b/src/service_inspectors/ftp_telnet/pp_telnet.cc
@@ -229,6 +229,8 @@ int normalize_telnet(
 return FTPP_ALERT;
 }
 }
+ else if (on_ftp_channel && p->dsize == 2)
+ return FTPP_AYT_FOUND;
 /* Fall through */
 case TNC_BRK:
 case TNC_DM:
diff --git a/src/service_inspectors/ftp_telnet/telnet.cc b/src/service_inspectors/ftp_telnet/telnet.cc
index c8461aa54..3aa844add 100644
--- a/src/service_inspectors/ftp_telnet/telnet.cc
+++ b/src/service_inspectors/ftp_telnet/telnet.cc
@@ -114,7 +114,7 @@ static int snort_telnet(TELNET_PROTO_CONF* GlobalConf, Packet* p)
 if (p->flow)
 {
 TelnetFlowData* fd = (TelnetFlowData*)
- p->flow->get_flow_data(FtpFlowData::inspector_id);
+ p->flow->get_flow_data(TelnetFlowData::inspector_id);
 ft_ssn = fd ? &fd->session.ft_ssn : nullptr;
@@ -143,7 +143,7 @@ static int snort_telnet(TELNET_PROTO_CONF* GlobalConf, Packet* p)
 else
 {
 assert(false);
- p->flow->free_flow_data(FtpFlowData::inspector_id);
+ p->flow->free_flow_data(TelnetFlowData::inspector_id);
 return 0;
 }
 }
diff --git a/src/service_inspectors/ftp_telnet/telnet_splitter.cc b/src/service_inspectors/ftp_telnet/telnet_splitter.cc
index f8002fa7b..03e13bca1 100644
--- a/src/service_inspectors/ftp_telnet/telnet_splitter.cc
+++ b/src/service_inspectors/ftp_telnet/telnet_splitter.cc
@@ -96,6 +96,11 @@ StreamSplitter::Status TelnetSplitter::scan(
 {
 if ( *read_ptr == (unsigned char)TNC_SB )
 state = TELNET_IAC_SB;
+ else if ( *read_ptr == (unsigned char)TNC_AYT )
+ {
+ state = TELNET_NONE;
+ fp_ptr = read_ptr;
+ }
 else if ( *read_ptr != (unsigned char)TNC_IAC )
 state = TELNET_NONE;
 break;
--
2.47.2
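Review bot: The new branch in pp_telnet.cc keys on `p->dsize == 2`, i.e. the whole packet being exactly IAC AYT, rather than on where the AYT sits in the buffer, so an AYT that shares a segment with other bytes still takes the fall-through path below and the result depends on segmentation. Presumably the splitter change in telnet_splitter.cc, which flushes at an AYT, is what makes the two-byte case the normal one; that coupling belongs in a comment on the branch, e.g. `// IAC AYT alone on the FTP control channel (the splitter flushes on AYT)`. Returning early also skips the TNC_BRK/TNC_DM handling that follows; whether the normalized output must reflect the AYT in this case is not visible in the hunk. normalize_telnet continues on both sides of the hunk.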
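Review bot: Both hunks in telnet.cc (around lines 114 and 143) swap `FtpFlowData::inspector_id` for `TelnetFlowData::inspector_id`, which means the telnet session was previously looked up under the FTP inspector's id and the result cast to `TelnetFlowData*` — a lookup that could either miss the telnet data or hand back FTP flow data under the wrong type; that is a genuine fix independent of the AYT work, and neither the subject nor the description mentions it, so it deserves a sentence in the commit message or its own commit. The C-style cast `(TelnetFlowData*)` on the line above the first change stays as is; if TelnetFlowData derives from the type get_flow_data returns, `static_cast<TelnetFlowData*>(...)` would keep the downcast explicit and greppable. snort_telnet begins before the first hunk and continues after the second.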
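Review bot: In telnet_splitter.cc, `fp_ptr = read_ptr` marks the flush point at the AYT byte itself, so whether the delivered PDU ends with or just before the AYT depends on how fp_ptr is turned into a length after the hunk, which is not visible; that choice has to agree with the two-byte check in pp_telnet.cc. A comment on the branch would spare the next reader that cross-reference, e.g. `// IAC AYT: flush here so the command is delivered as its own PDU`. The new branch must also stay ahead of the `!= TNC_IAC` test below it, since AYT is not IAC and would otherwise be absorbed by that branch. TelnetSplitter::scan continues on both sides of the hunk.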