📄 snort_stream5_tcp.c
字号:
file_name, file_line); } if (reassembly_direction & SSN_DIR_CLIENT) { FlushMgr *flush_mgr = &s5TcpPolicy->flush_policy[port].client; InitFlushMgr(flush_mgr, STREAM_FLPOLICY_FOOTPRINT, 192, 128, use_static); } if (reassembly_direction & SSN_DIR_SERVER) { FlushMgr *flush_mgr = &s5TcpPolicy->flush_policy[port].server; InitFlushMgr(flush_mgr, STREAM_FLPOLICY_FOOTPRINT, 192, 128, use_static); } } mSplitFree(&ptoks, num_ptoks); } set_flush_policy = 1; } } else { FatalError("%s(%d) => Invalid Stream5 TCP policy option\n", file_name, file_line); } mSplitFree(&stoks, s_toks); i++; } mSplitFree(&toks, num_toks); if(s5TcpPolicy->bound_addrs == NULL) { /* allocate and initializes the * IpAddrSet at the same time * set to "any" */ s5TcpPolicy->bound_addrs = (IpAddrSet *) SnortAlloc(sizeof(IpAddrSet)); } } if (!set_flush_policy) { for (i=0;i<sizeof(default_ports)/sizeof(int); i++) { if (reassembly_direction & SSN_DIR_CLIENT) { FlushMgr *flush_mgr = &s5TcpPolicy->flush_policy[default_ports[i]].client; InitFlushMgr(flush_mgr, STREAM_FLPOLICY_FOOTPRINT, 192, 128, use_static); } if (reassembly_direction & SSN_DIR_SERVER) { FlushMgr *flush_mgr = &s5TcpPolicy->flush_policy[default_ports[i]].server; InitFlushMgr(flush_mgr, STREAM_FLPOLICY_FOOTPRINT, 192, 128, use_static); } } } return;}static void Stream5PrintTcpConfig(Stream5TcpPolicy *s5TcpPolicy){ int i=0, j=0; LogMessage("Stream5 TCP Policy config:\n"); LogMessage(" Reassembly Policy: %s\n", reassembly_policy_names[s5TcpPolicy->reassembly_policy]); LogMessage(" Timeout: %d seconds\n", s5TcpPolicy->session_timeout); LogMessage(" Min ttl: %d\n", s5TcpPolicy->min_ttl); //LogMessage(" Stream ttl_limit: %d\n", s5TcpPolicy->ttl_delta_limit); LogMessage(" Max TCP Window: %d\n", s5TcpPolicy->max_window); LogMessage(" Flags: 0x%X\n", s5TcpPolicy->flags); LogMessage(" Reassembly Ports:\n"); for (i=0; i<MAX_PORTS && j<20; i++) { int direction = 0; int client_flushpolicy = s5TcpPolicy->flush_policy[i].client.flush_policy; int server_flushpolicy = s5TcpPolicy->flush_policy[i].server.flush_policy; char client_policy_str[STD_BUF]; char server_policy_str[STD_BUF]; client_policy_str[0] = server_policy_str[0] = '\0'; if (client_flushpolicy != STREAM_FLPOLICY_IGNORE) { direction |= SSN_DIR_CLIENT; snprintf(client_policy_str, STD_BUF, "client (%s)", flush_policy_names[client_flushpolicy]); } if (server_flushpolicy != STREAM_FLPOLICY_IGNORE) { direction |= SSN_DIR_SERVER; snprintf(server_policy_str, STD_BUF, "server (%s)", flush_policy_names[server_flushpolicy]); } if (direction) { LogMessage(" %d %s %s\n", i, client_policy_str, server_policy_str); j++; } } IpAddrSetPrint(" Bound Addresses:", s5TcpPolicy->bound_addrs);}int Stream5VerifyTcpConfig(){ if (!tcp_lws_cache) return -1; if (numTcpPolicies < 1) return -1; /* Do this now * verify config is called after all preprocs (static & dynamic) * are inited. Gives us the correct number of bits for * p->preprocessor_bits */ if (!s5_pkt) Stream5InitPacket(); return 0;}void Stream5CleanTcp(){ DecoderFlags decoder_flags; /* Turn off decoder alerts since we're decoding stored * packets that we already alerted on. */ memcpy(&decoder_flags, &pv.decoder_flags, sizeof(DecoderFlags)); memset(&pv.decoder_flags, 0, sizeof(DecoderFlags)); /* Set s5_tcp_cleanup to force a flush of all queued data */ s5_tcp_cleanup = 1; /* Clean up hash table -- delete all sessions */ PurgeLWSessionCache(tcp_lws_cache); free(s5_pkt); /* Reset this */ s5_tcp_cleanup = 0; mempool_destroy(&tcp_session_mempool); /* And turn decoder alerts back on (or whatever they were set to) */ memcpy(&pv.decoder_flags, &decoder_flags, sizeof(DecoderFlags));}#ifdef DEBUGstatic void PrintStateMgr(StateMgr *s){ LogMessage("StateMgr:\n"); LogMessage(" state: %s\n", state_names[s->state]); LogMessage(" state_queue: %s\n", state_names[s->state_queue]); LogMessage(" expected_flags: 0x%X\n", s->expected_flags); LogMessage(" transition_seq: 0x%X\n", s->transition_seq); LogMessage(" stq_get_seq: %d\n", s->stq_get_seq);}static void PrintStreamTracker(StreamTracker *s){ LogMessage(" + StreamTracker +\n"); LogMessage(" isn: 0x%X\n", s->isn); LogMessage(" ttl: %d\n", s->ttl); LogMessage(" ts_last: %lu\n", s->ts_last); LogMessage(" wscale: %lu\n", s->wscale); LogMessage(" mss: 0x%08X\n", s->mss); LogMessage(" l_unackd: %X\n", s->l_unackd); LogMessage(" l_nxt_seq: %X\n", s->l_nxt_seq); LogMessage(" l_window: %lu\n", s->l_window); LogMessage(" r_nxt_ack: %X\n", s->r_nxt_ack); LogMessage(" r_win_base: %X\n", s->r_win_base); LogMessage(" seglist_base_seq: %X\n", s->seglist_base_seq); LogMessage(" seglist: %p\n", s->seglist); LogMessage(" seglist_tail: %p\n", s->seglist_tail); LogMessage(" seg_count: %d\n", s->seg_count); LogMessage(" seg_bytes_total: %d\n", s->seg_bytes_total); LogMessage(" seg_bytes_logical: %d\n", s->seg_bytes_logical); PrintStateMgr(&s->s_mgr);}static void PrintTcpSession(TcpSession *ts){ LogMessage("TcpSession:\n"); LogMessage(" ssn_time: %lu\n", ts->ssn_time.tv_sec); LogMessage(" server IP: 0x%08X\n", ts->server_ip); LogMessage(" client IP: 0x%08X\n", ts->client_ip); LogMessage(" server port: %d\n", ts->server_port); LogMessage(" client port: %d\n", ts->client_port); LogMessage(" flags: 0x%X\n", ts->lwSsn->session_flags); LogMessage("Client Tracker:\n"); PrintStreamTracker(&ts->client); LogMessage("Server Tracker:\n"); PrintStreamTracker(&ts->server);}static void PrintTcpDataBlock(TcpDataBlock *tdb){ LogMessage("TcpDataBlock:\n"); LogMessage(" sip: 0x%08X\n", tdb->sip); LogMessage(" dip: 0x%08X\n", tdb->dip); LogMessage(" seq: 0x%08X\n", tdb->seq); LogMessage(" ack: 0x%08X\n", tdb->ack); LogMessage(" win: %d\n", tdb->win); LogMessage(" end: 0x%08X\n", tdb->end_seq);}static void PrintFlushMgr(FlushMgr *fm){ if(fm == NULL) return; switch(fm->flush_policy) { case STREAM_FLPOLICY_NONE: STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, " NONE\n");); break; case STREAM_FLPOLICY_FOOTPRINT: STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, " FOOTPRINT %d\n", fm->flush_pt);); break; case STREAM_FLPOLICY_LOGICAL: STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, " LOGICAL %d\n", fm->flush_pt);); break; case STREAM_FLPOLICY_RESPONSE: STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, " RESPONSE\n");); break; case STREAM_FLPOLICY_SLIDING_WINDOW: STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, " SLIDING_WINDOW %d\n", fm->flush_pt);); break; case STREAM_FLPOLICY_CONSUMED: STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, " CONSUMED %d\n", fm->flush_pt);); break; case STREAM_FLPOLICY_IGNORE: STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, " IGNORE\n");); break; }}#endifstatic INLINE void EventSynOnEst(Stream5TcpPolicy *s5TcpPolicy){ if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; s5stats.events++; SnortEventqAdd(GENERATOR_SPP_STREAM5, /* GID */ STREAM5_SYN_ON_EST, /* SID */ 1, /* rev */ 0, /* class */ 3, /* priority */ STREAM5_SYN_ON_EST_STR, /* event msg */ NULL); /* rule info ptr */}static INLINE void EventExcessiveOverlap(Stream5TcpPolicy *s5TcpPolicy){ if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; s5stats.events++; SnortEventqAdd(GENERATOR_SPP_STREAM5, /* GID */ STREAM5_EXCESSIVE_TCP_OVERLAPS, /* SID */ 1, /* rev */ 0, /* class */ 3, /* priority */ STREAM5_EXCESSIVE_TCP_OVERLAPS_STR, /* event msg */ NULL); /* rule info ptr */}static INLINE void EventBadTimestamp(Stream5TcpPolicy *s5TcpPolicy){ if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; s5stats.events++; SnortEventqAdd(GENERATOR_SPP_STREAM5, /* GID */ STREAM5_BAD_TIMESTAMP, /* SID */ 1, /* rev */ 0, /* class */ 3, /* priority */ STREAM5_BAD_TIMESTAMP_STR, /* event msg */ NULL); /* rule info ptr */}static INLINE void EventWindowTooLarge(Stream5TcpPolicy *s5TcpPolicy){ if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; s5stats.events++; SnortEventqAdd(GENERATOR_SPP_STREAM5, /* GID */ STREAM5_WINDOW_TOO_LARGE, /* SID */ 1, /* rev */ 0, /* class */ 3, /* priority */ STREAM5_WINDOW_TOO_LARGE_STR, /* event msg */ NULL); /* rule info ptr */}static INLINE void EventDataOnSyn(Stream5TcpPolicy *s5TcpPolicy){ if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; s5stats.events++; SnortEventqAdd(GENERATOR_SPP_STREAM5, /* GID */ STREAM5_DATA_ON_SYN, /* SID */ 1, /* rev */ 0, /* class */ 3, /* priority */ STREAM5_DATA_ON_SYN_STR, /* event msg */ NULL); /* rule info ptr */}static INLINE void EventDataOnClosed(Stream5TcpPolicy *s5TcpPolicy){ if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; s5stats.events++; SnortEventqAdd(GENERATOR_SPP_STREAM5, /* GID */ STREAM5_DATA_ON_CLOSED, /* SID */ 1, /* rev */ 0, /* class */ 3, /* priority */ STREAM5_DATA_ON_CLOSED_STR, /* event msg */ NULL); /* rule info ptr */}static INLINE void EventBadSegment(Stream5TcpPolicy *s5TcpPolicy){ if(!(s5TcpPolicy->flags & STREAM5_CONFIG_ENABLE_ALERTS)) return; s5stats.events++; SnortEventqAdd(GENERATOR_SPP_STREAM5, /* GID */ STREAM5_BAD_SEGMENT, /* SID */ 1, /* rev */ 0, /* class */ 3, /* priority */ STREAM5_BAD_SEGMENT_STR, /* event msg */ NULL); /* rule info ptr */}/* * Utility functions for TCP stuff */static INLINE int IsBetween(u_int32_t low, u_int32_t high, u_int32_t cur){ STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "(%X, %X, %X) = (low, high, cur)\n", low,high,cur);); /* If we haven't seen anything, ie, low & high are 0, return true */ if ((low == 0) && (low == high)) return 1; return (cur - low) <= (high - low);} /* XXX check for integer underflows! */static INLINE u_int32_t Stream5GetWindow(StreamTracker *st){ int32_t window; /* If we're in readback mode and haven't seen the other * side yet, window is r_next_ack - r_win_base. */ if ((st->l_window == 0) && (pv.readmode_flag == 1)) { window = st->r_nxt_ack - st->r_win_base + 1; } else { window = st->r_win_base + (st->l_window - st->r_nxt_ack); } if(window < 0) return 0; else return (u_int32_t) window;}static INLINE int ValidSeq(StreamTracker *st, TcpDataBlock *tdb){ STREAM5_DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE, "Checking end_seq (%X) > r_win_base (%X) && " "seq (%X) < r_nxt_ack(%X)\n", ⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -