
📄 ftpp_si.c

📁 Snort为国际上著名的轻量型入侵防御系统,为国内多家著名“自主知识产权”网络安全公司所使用。
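/*
 * ftpp_si.c
 *
 * Copyright (C) 2004 Sourcefire,Inc
 * Steven A. Sturges <ssturges@sourcefire.com>
 * Daniel J. Roelker <droelker@sourcefire.com>
 * Marc A. Norton <mnorton@sourcefire.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * Description:
 *
 * This file contains functions to select server configurations
 * and begin the FTPTelnet process.
 *
 * The Session Inspection Module interfaces with the Stream Inspection
 * Module and the User Interface Module to select the appropriate
 * FTPTelnet configuration and in the case of stateful inspection the
 * Session Inspection Module retrieves the user-data from the Stream
 * Module.  For stateless inspection, the Session Inspection Module uses
 * the same structure for use by each packet.
 *
 * The main responsibility of this module is to supply the appropriate
 * data structures and configurations for the rest of the FTPTelnet
 * process.  The module also determines what type of data is being
 * inspected, whether it is client, server, or neither.
 *
 * NOTES:
 * - 20.09.04:  Initial Development.  SAS
 *
 */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#include "ftpp_return_codes.h"
#include "ftpp_ui_config.h"
#include "ftpp_ui_client_lookup.h"
#include "ftpp_ui_server_lookup.h"
#include "ftpp_si.h"
#include "stream_api.h"

#ifndef WIN32
#include <ctype.h>
#endif

/*
 * Function: PortMatch(PROTO_CONF *Conf, unsigned short port)
 *
 * Purpose: Given a configuration and a port number, we decide if
 *          the port is in the port list.
 *
 * Arguments: Conf          => pointer to the client or server configuration
 *            port          => the port number to check for
 *
 * Returns: int => 0 indicates the port is not a client/server port.
 *                 1 indicates the port is one of the client/server ports.
 *
 * Note: port is used as a direct index into Conf->ports[] with no bounds
 *       check.  This presumably relies on the table holding an entry for
 *       every unsigned short value; the declaration is not in this file,
 *       so confirm against PROTO_CONF.
 */
static int PortMatch(PROTO_CONF *Conf, unsigned short port)
{
    return Conf->ports[port] ? 1 : 0;
}

/*
 * Function: TelnetFreeSession(void *preproc_session)
 *
 * Purpose: This function frees the data that is associated with a session.
 *          It takes a void pointer so that it can be handed to the stream
 *          API as the release callback for the stored session data.
 *
 * Arguments: preproc_session   => pointer to the session to free
 *
 * Returns: None
 */
static void TelnetFreeSession(void *preproc_session)
{
    TELNET_SESSION *TelnetSession = preproc_session;

    free(TelnetSession);
}

/*
 * Function: TelnetResetSession(TELNET_SESSION *Session)
 *
 * Purpose: This function resets all the variables that need to be
 *          initialized for a new Session.  I've tried to keep this to
 *          a minimum, so we don't have to worry about initializing big
 *          structures.
 *
 * Arguments: Session         => pointer to the session to reset; must not
 *                               be NULL, it is dereferenced unconditionally
 *
 * Returns: int => return code indicating error or success
 *                 (always FTPP_SUCCESS)
 *
 */
static INLINE int TelnetResetSession(TELNET_SESSION *Session)
{
    Session->telnet_conf = NULL;
    Session->global_conf = NULL;
    Session->consec_ayt = 0;
    Session->encr_state = NO_STATE;
    Session->event_list.stack_count = 0;

    return FTPP_SUCCESS;
}

/*
 * Function: TelnetStatefulSessionInspection(SFSnortPacket *p,
 *                              FTPTELNET_GLOBAL_CONF *GlobalConf,
 *                              TELNET_SESSION **TelnetSession,
 *                              FTPP_SI_INPUT *SiInput)
 *
 * Purpose: Initialize the session and server configurations for
 *          this packet/stream.  In this function, we set the Session
 *          pointer (which includes the correct server configuration).
 *          The actual processing to find which IP is the server and
 *          which is the client, is done in the InitServerConf() function.
 *
 * Arguments: p             => pointer to the packet/stream
 *            GlobalConf    => pointer to the global configuration
 *            TelnetSession => double pointer to the Session structure;
 *                             receives the existing or newly allocated
 *                             session, or NULL when allocation fails
 *            SiInput       => pointer to the session information
 *                             (not used by this function)
 *
 * Returns: int => FTPP_SUCCESS when a session is available,
 *                 FTPP_NONFATAL_ERR when a new session could not be
 *                 allocated.
 *
 * Ownership: a newly allocated session belongs to the caller, which is
 *            expected to attach it to the stream or release it with
 *            TelnetFreeSession().
 *
 */
static int TelnetStatefulSessionInspection(SFSnortPacket *p,
        FTPTELNET_GLOBAL_CONF *GlobalConf,
        TELNET_SESSION **TelnetSession,
        FTPP_SI_INPUT *SiInput)
{
    TELNET_SESSION *NewSession;

    /*
     * First, check if there is already a session pointer.
     */
    if (p->stream_session_ptr)
    {
        *TelnetSession =
            _dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_TELNET);
        if (*TelnetSession)
            return FTPP_SUCCESS;
    }

    /*
     * If not, create a new one, and initialize it.
     *
     * The allocation result must be checked: TelnetResetSession() writes
     * through the pointer, so a failed malloc() would otherwise be a NULL
     * dereference that takes the whole inspection process down under
     * memory pressure.
     */
    NewSession = malloc(sizeof(*NewSession));
    if (NewSession == NULL)
    {
        /* Never leave the caller's pointer indeterminate on failure. */
        *TelnetSession = NULL;

        /*
         * NOTE(review): FTPP_NONFATAL_ERR is the failure code this file
         * already uses; a dedicated allocation-failure code may be more
         * precise if ftpp_return_codes.h provides one -- confirm.
         */
        return FTPP_NONFATAL_ERR;
    }

    TelnetResetSession(NewSession);

    NewSession->telnet_conf = &GlobalConf->global_telnet;
    NewSession->global_conf = GlobalConf;

    *TelnetSession = NewSession;

    return FTPP_SUCCESS;
}

/*
 * Function: TelnetStatelessSessionInspection(SFSnortPacket *p,
 *                              FTPTELNET_GLOBAL_CONF *GlobalConf,
 *                              TELNET_SESSION **Session,
 *                              FTPP_SI_INPUT *SiInput)
 *
 * Purpose: Initialize the session and server configurations for this
 *          packet/stream.  It is important to note in stateless mode that
 *          we assume no knowledge of the state of a connection, other
 *          than the knowledge that we can glean from an individual packet.
 *          So in essence, each packet is its own session and there
 *          is no knowledge retained from one packet to another.  If you
 *          want to track a telnet session for real, use stateful mode.
 *
 *          In this function, we set the Session pointer (which includes
 *          the correct server configuration).  The actual processing to
 *          find which IP is the server and which is the client, is done in
 *          the InitServerConf() function.
 *
 * Arguments: p             => pointer to the packet/stream
 *                             (not used by this function)
 *            GlobalConf    => pointer to the global configuration
 *            Session       => double pointer to the Session structure;
 *                             receives the address of a function-local
 *                             static object that must NOT be freed
 *            SiInput       => pointer to the session information
 *                             (not used by this function)
 *
 * Returns: int => return code indicating error or success
 *                 (always FTPP_SUCCESS)
 *
 * Note: every call resets and hands out the same static object, so the
 *       returned session is only valid until the next call.
 *
 */
static int TelnetStatelessSessionInspection(SFSnortPacket *p,
        FTPTELNET_GLOBAL_CONF *GlobalConf,
        TELNET_SESSION **Session,
        FTPP_SI_INPUT *SiInput)
{
    static TELNET_SESSION StaticSession;

    TelnetResetSession(&StaticSession);

    StaticSession.telnet_conf = &GlobalConf->global_telnet;
    StaticSession.global_conf = GlobalConf;

    *Session = &StaticSession;

    return FTPP_SUCCESS;
}

/*
 * Function: TelnetSessionInspection(Packet *p,
 *                          FTPTELNET_GLOBAL_CONF *GlobalConf,
 *                          FTPP_SI_INPUT *SiInput,
 *                          int *piInspectMode)
 *
 * Purpose: The Session Inspection module selects the appropriate
 *          configuration for the session, and the type of inspection
 *          to be performed (client or server.)
 *
 *          When the Session Inspection module is in stateful mode, it
 *          checks to see if there is a TELNET_SESSION pointer already
 *          associated with the stream.  If there is, then it uses that
 *          session pointer, otherwise it calculates the server configuration
 *          using the FTP_SI_INPUT and returns a TELNET_SESSION pointer.  In
 *          stateful mode, this means that memory is allocated, but in
 *          stateless mode, the same session pointer is used for all packets
 *          to reduce the allocation overhead.
 *
 *          The inspection mode can be either client or server.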
* * Arguments: p             => pointer to the packet/stream *            GlobalConf    => pointer to the global configuration *            Session       => double pointer to the Session structure *            SiInput       => pointer to the session information *            piInspectMode => pointer for setting inspection mode * * Returns: int => return code indicating error or success * */int TelnetSessionInspection(SFSnortPacket *p, FTPTELNET_GLOBAL_CONF *GlobalConf,        FTPP_SI_INPUT *SiInput, int *piInspectMode){    TELNET_SESSION *TelnetSession;    int iRet;    int iTelnetSip;    int iTelnetDip;    iTelnetSip = PortMatch((PROTO_CONF*)&GlobalConf->global_telnet,                           SiInput->sport);    iTelnetDip = PortMatch((PROTO_CONF*)&GlobalConf->global_telnet,                           SiInput->dport);    if (iTelnetSip)    {        *piInspectMode = FTPP_SI_SERVER_MODE;    }    else if (iTelnetDip)    {        *piInspectMode = FTPP_SI_CLIENT_MODE;    }    else    {        return FTPP_INVALID_PROTO;    }    SiInput->pproto = FTPP_SI_PROTO_TELNET;    /*     * We get the server configuration and the session structure differently      * depending on what type of inspection we are doing.  In the case of      * stateful processing, we may get the session structure from the Stream     * Reassembly module (which includes the server configuration) or the      * structure will be allocated and added to the stream pointer for the     * rest of the session.     *     * In stateless mode, we just use a static variable that is contained in     * the function here.     
*/    if(GlobalConf->inspection_type == FTPP_UI_CONFIG_STATEFUL)    {        if((iRet = TelnetStatefulSessionInspection(p, GlobalConf,                        &TelnetSession, SiInput)))        {            return iRet;        }        if (p->stream_session_ptr)        {            _dpd.streamAPI->set_application_data(p->stream_session_ptr,                    PP_TELNET, TelnetSession, &TelnetFreeSession);        }        else        {            /* Uh, can't create the session info */            /* Free session data, to avoid memory leak */            TelnetFreeSession(TelnetSession);            return FTPP_NONFATAL_ERR;        }    }    else    {        /*         * Assume stateless processing otherwise         */        if((iRet = TelnetStatelessSessionInspection(p, GlobalConf,                        &TelnetSession, SiInput)))        {            return iRet;
