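SMTP_token smtp_token;

    DEBUG_WRAP(_dpd.debugMsg(DEBUG_SMTP, "StrFound: %d, %d, %c\n", iid, index, ((char *)data)[0]););

    smtp_token = _smtp_config.cmd[iid];
    _smtp->token_id = smtp_token.id;
    _smtp->token_iid = iid;
    _smtp->token_index = index;
    _smtp->token_length = smtp_token.name_len;

    DEBUG_WRAP(_dpd.debugMsg(DEBUG_SMTP, "Found! %s, id = %x\n", smtp_token.name, _smtp->token_id););

    /* Returning non-zero stops search, which is okay since we only look for one at a time */
    return 1;
}

/*
 * Callback function for string search (server response table)
 *
 * Records the matched response token in the per-session _smtp state so the
 * caller can act on it after search_find() returns.
 *
 * @param id    id in array of search strings (the table index, passed back
 *              through the pointer by the search API)
 * @param index index in array of search strings
 * @param data  buffer passed in to search function
 *
 * @return response
 * @retval 1 commands caller to stop searching
 */
int SMTP_RespStrFound(void *id, int index, void *data)
{
    /* The search API smuggles the table index through the pointer argument;
     * the cast assumes the value fits in an int (it is a small table index). */
    int iid = (int) id;
    SMTP_token smtp_token;

    DEBUG_WRAP(_dpd.debugMsg(DEBUG_SMTP, "StrFound: %d, %d, %c\n", iid, index, ((char *)data)[0]););

    smtp_token = _smtp_resp[iid];
    _smtp->token_id = smtp_token.id;
    _smtp->token_iid = iid;
    _smtp->token_index = index;
    _smtp->token_length = smtp_token.name_len;

    DEBUG_WRAP(_dpd.debugMsg(DEBUG_SMTP, "Found! %s, id = %x\n", smtp_token.name, _smtp->token_id););

    /* Returning non-zero stops search, which is okay since we only look for one at a time */
    return 1;
}

/*
 * Callback function for string search (data-section header table)
 *
 * Records the matched data-header token in the per-session _smtp state so
 * the caller can act on it after search_find() returns.
 *
 * @param id    id in array of search strings (the table index, passed back
 *              through the pointer by the search API)
 * @param index index in array of search strings
 * @param data  buffer passed in to search function
 *
 * @return response
 * @retval 1 commands caller to stop searching
 */
int SMTP_DataStrFound(void *id, int index, void *data)
{
    /* See SMTP_RespStrFound: the index travels through the pointer. */
    int iid = (int) id;
    SMTP_token smtp_token;

    DEBUG_WRAP(_dpd.debugMsg(DEBUG_SMTP, "StrFound: %d, %d, %c\n", iid, index, ((char *)data)[0]););

    smtp_token = _smtp_data[iid];
    _smtp->token_id = smtp_token.id;
    _smtp->token_iid = iid;
    _smtp->token_index = index;
    _smtp->token_length = smtp_token.name_len;

    DEBUG_WRAP(_dpd.debugMsg(DEBUG_SMTP, "Found! %s, id = %x\n", smtp_token.name, _smtp->token_id););

    /* Returning non-zero stops search, which is okay since we only look for one at a time */
    return 1;
}

/*
 * Function to extract boundary string from given text
 *
 * @param data     current data (the text after "Content-Type:"), may contain "boundary="
 * @param data_len number of bytes that may be read at data
 *
 * @return response
 * @retval 1 success, found boundary string; _smtp->boundary holds "--" + boundary,
 *           NUL-terminated, and _smtp->boundary_len its length
 * @retval 0 failure
 *
 * @note the header text is untrusted: every pointer derived from data is kept
 *       inside data[0 .. data_len) and every search is bounded by the bytes
 *       that remain after the "boundary=" match, not by the original length
 */
static int GetBoundaryString(char *data, u_int data_len)
{
    char *b;
    char *end;
    u_int blen = 0;
    u_int remaining;
    const u_int boundary_len = 9;   /* strlen("boundary=") */
    const u_int multipart_len = 9;  /* strlen("multipart") */

    /* We've got Content-Type:, skip leading whitespace.  The cast keeps
     * isspace() defined for bytes >= 0x80 on signed-char platforms. */
    while (data_len > 0 && isspace((unsigned char)*data)) {
        data++;
        data_len--;
    }

    /* If not multipart, bail.  A field shorter than "multipart" cannot be
     * one; the previous test let such short fields through to the search. */
    if (data_len < multipart_len || memcmp(data, "multipart", multipart_len) != 0)
        return 0;

    /* We've got Content-Type, look for boundary string.  bm is the
     * pre-compiled "boundary=" pattern; b is assumed to point at the start
     * of the match, which is what the skip below relies on. */
    b = bm_search(data, data_len, &bm);
    if (!b)
        return 0;

    /* From here on only the bytes after the match may be read */
    remaining = data_len - (u_int)(b - data);
    if (remaining < boundary_len)
        return 0;
    b += boundary_len;
    remaining -= boundary_len;
    if (remaining == 0)
        return 0;   /* "boundary=" at the very end: nothing to extract */

    if (*b == '\"') {
        /* Quoted form: boundary runs up to the closing quote */
        b++;
        remaining--;
        end = safe_strchr(b, '\"', remaining);
        if (!end)
            return 0;
    } else {
        /* Unquoted form: boundary runs up to the end of the line */
        end = safe_strchr(b, '\r', remaining);
        if (!end)
            end = safe_strchr(b, '\n', remaining);
        if (!end)
            return 0;
    }

    blen = (u_int)(end - b);

    /* Reject an empty boundary (RFC 2046 requires at least one character;
     * "--" alone would match any dashed line) and anything that will not
     * fit: the buffer has to hold "--", the boundary and a NUL, i.e.
     * MAX_BOUNDARY_LEN + 3 bytes -- TODO confirm its declared size */
    if (blen == 0 || blen > MAX_BOUNDARY_LEN)
        return 0;

    memcpy(_smtp->boundary, "--", 2);
    memcpy(_smtp->boundary + 2, b, blen);
    blen += 2;
    _smtp->boundary[blen] = '\0';
    _smtp->boundary_len = blen;

    return 1;
}

/*
 * Handle COMMAND state
 *
 * @param p standard Packet structure
 * @param i index into p->payload buffer to start looking at data
 *
 * @return i index into p->payload where we stopped looking at data
 *
 * @note skipping a verb (DATA/BDAT) or normalizing a command can leave i at
 *       p->payload_size; every read of p->payload[i] after such a skip is
 *       guarded so the scan never reads past the payload
 */
static u_int16_t SMTP_HandleCommandState(SFSnortPacket *p, u_int16_t i)
{
    u_int16_t count = 0;    /* characters seen on the current line */
    u_int8_t c;
    int cmdFound;
    char *searchStr;
    int nbytes;

    /* Loop through packet, counting chars.  Notice if one is LF. */
    for ( ; i < p->payload_size; i++) {
        /* If at beginning of line */
        if (count == 0) {
            /* Search starting at current character */
            searchStr = p->payload + i;

            /* Check for command verb or data header end */
            cmdFound = _dpd.searchAPI->search_find(CMD_SEARCH, searchStr,
                                                   p->payload_size - i, 1,
                                                   SMTP_CmdStrFound);

            DEBUG_WRAP(_dpd.debugMsg(DEBUG_SMTP, "Match found: %s\n", cmdFound ? "YES" : "NO"););

            /* Only a verb at the very beginning of the line counts */
            cmdFound = (cmdFound && _smtp->token_index == 0);

            if (_smtp->state == COMMAND && cmdFound) {
                if ((_smtp->token_id & CMD_DATA) || (_smtp->token_id & CMD_BDAT)) {
                    /* Got client DATA or BDAT and server 354, now we know we are in data section */
                    _smtp->got_data_cmd = 1;
                    _smtp->state = _smtp->got_data_resp ? DATA : DATA_PEND;

                    /* Step over the verb and its line terminator; the verb
                     * may be the last thing in the payload, so bound each read */
                    i += _smtp->token_length;
                    if (i < p->payload_size && p->payload[i] == '\r')
                        i++;
                    if (i < p->payload_size && p->payload[i] == '\n')
                        i++;
                    return i;
                } else if (_smtp->token_id & CMD_STARTTLS) {
                    _smtp->got_starttls = 1;
                    if (_smtp->got_server_tls) {
                        _smtp->state = TLS_DATA;
                        /* Done, since now data is encrypted */
                        p->payload_size = i + _smtp->token_length;
                        return p->payload_size;
                    }
                } else if (_smtp->token_id & CMD_XLINK2STATE) {
                    ParseXLink2State(p, searchStr + _smtp->token_index);
                }

                if (_smtp_config.cmd[_smtp->token_iid].alert) {
                    SMTP_GenerateAlert(SMTP_EVENT_ILLEGAL_CMD, "%s: %s",
                                       SMTP_ILLEGAL_CMD_STR,
                                       _smtp_config.cmd[_smtp->token_iid].name);
                }

                if (_smtp_config.normalize &&
                    (_smtp_config.normalize == normalize_all ||
                     _smtp_config.cmd[_smtp->token_iid].normalize)) {
                    if (!_smtp->normalizing) {
                        /* Inspect the text after the verb on *this* line.
                         * The previous offset was taken from the start of the
                         * payload, which only coincides with the current line
                         * when i == 0. */
                        if (SMTP_NeedNormalize(searchStr + _smtp->token_length)) {
                            _smtp->normalizing = 1;
                            /* Everything before this line goes into the
                             * alternate buffer verbatim.  NOTE(review): the
                             * writes into _dpd.altBuffer below assume it holds
                             * at least payload_size bytes -- confirm its size. */
                            memcpy(_dpd.altBuffer, p->payload, i);
                            p->normalized_payload_size = i;
                            nbytes = SMTP_Normalize(p, i, _smtp->token_length);
                            i += nbytes;
                            count += nbytes;
                            p->flags |= FLAG_ALT_DECODE;
                        }
                    } else {
                        /* Already normalizing */
                        nbytes = SMTP_Normalize(p, i, _smtp->token_length);
                        i += nbytes;
                        count += nbytes;
                    }
                }
            } else if (_smtp->state == COMMAND && !cmdFound) {
                if (_smtp_config.alert_unknown_cmds) {
                    SMTP_GenerateAlert(SMTP_EVENT_UNKNOWN_CMD, "%s", SMTP_UNKNOWN_CMD_STR);
                }
            }
        }

        /* Normalization may have consumed the rest of the packet; stop
         * rather than read p->payload[payload_size] */
        if (i >= p->payload_size)
            break;

        count++;
        c = p->payload[i];

        if (_smtp->normalizing) {
            _dpd.altBuffer[p->normalized_payload_size] = c;
            p->normalized_payload_size++;
        }

        if (c == '\n') {
            /* Per-command limit takes precedence over the global line limit */
            if (_smtp->token_id &&
                _smtp_config.cmd[_smtp->token_iid].max_len != 0 &&
                count > _smtp_config.cmd[_smtp->token_iid].max_len) {
                SMTP_GenerateAlert(SMTP_EVENT_SPECIFIC_CMD_OVERFLOW, "%s: %s, %d chars",
                                   SMTP_SPECIFIC_CMD_OVERFLOW_STR,
                                   _smtp_config.cmd[_smtp->token_iid].name, count);
            } else if (_smtp_config.max_command_line_len != 0 &&
                       count > _smtp_config.max_command_line_len) {
                SMTP_GenerateAlert(SMTP_EVENT_COMMAND_OVERFLOW, "%s: more than %d chars",
                                   SMTP_COMMAND_OVERFLOW_STR,
                                   _smtp_config.max_command_line_len);
            }

            count = 0;
            /* Reset found string */
            _smtp->token_id = 0;
        }
    }

    return i;
}

/*
 * Handle DATA state
 *
 * @param p standard Packet structure
 * @param i index into p->payload buffer to start looking at data
 *
 * @return i index into p->payload where we stopped looking at data
 *
 * @note skipping the Content-Type verb can leave i at p->payload_size; the
 *       read of p->payload[i] that follows is guarded so the scan never
 *       reads past the payload
 */
static u_int16_t SMTP_HandleDataState(SFSnortPacket *p, u_int16_t i)
{
    u_int16_t count = 0;    /* characters seen on the current header line */
    u_int8_t c;
    int cmdFound;
    char *searchStr;

    /* Loop through packet, counting chars.  Notice if one is LF. */
    for ( ; i < p->payload_size; i++) {
        /* If at beginning of line */
        if (count == 0) {
            /* Search starting at current character */
            searchStr = p->payload + i;

            /* Check for command verb or data header end */
            cmdFound = _dpd.searchAPI->search_find(CMD_SEARCH, searchStr,
                                                   p->payload_size - i, 1,
                                                   SMTP_CmdStrFound);

            DEBUG_WRAP(_dpd.debugMsg(DEBUG_SMTP, "Match found: %s\n", cmdFound ? "YES" : "NO"););

            /* Only a verb at the very beginning of the line counts */
            cmdFound = (cmdFound && _smtp->token_index == 0);

            if (_smtp->state == DATA) {
                /* A bare LF or CRLF line ends the header section */
                if (searchStr[0] == '\n' ||
                    (i < p->payload_size - 1 && searchStr[0] == '\r' && searchStr[1] == '\n')) {
                    DEBUG_WRAP(_dpd.debugMsg(DEBUG_SMTP, "End DATA HEADER section"););
                    _smtp->state = DATA_BODY;
                } else if (cmdFound && (_smtp->token_id & CMD_TYPE)) {
                    /* Find Boundary string in the rest of the Content-Type
                     * line.  The verb was found inside the searched bytes, so
                     * i + token_length is assumed not to exceed payload_size
                     * and the length passed cannot go negative. */
                    i += _smtp->token_length;
                    GetBoundaryString(p->payload + i, p->payload_size - i);
                    SMTP_DataInit(_smtp);
                }
            }
        }

        /* Skipping the verb may have used up the packet; stop rather than
         * read p->payload[payload_size] */
        if (i >= p->payload_size)
            break;

        count++;
        c = p->payload[i];

        if (_smtp->normalizing) {
            _dpd.altBuffer[p->normalized_payload_size] = c;
            p->normalized_payload_size++;
        }

        if (c == '\n') {
            if (_smtp_config.max_header_line_len != 0 &&
                count > _smtp_config.max_header_line_len) {
                SMTP_GenerateAlert(SMTP_EVENT_DATA_HDR_OVERFLOW, "%s: %d chars",
                                   SMTP_DATA_HDR_OVERFLOW_STR, count);
            }
            count = 0;
        }

        if (_smtp->state == DATA_BODY) {
            /* Hand the byte after the blank line to the body handler */
            return i + 1;
        }
    }

    return i;
}

/*
 * Handle DATA_BODY state
 *
 * @param p standard Packet structure
 * @param i index into p->payload buffer to start looking at data
 *
 * @return i index into p->payload where we stopped looking at data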