spo_alert_arubaaction.c

著名的入侵检测系统snort的最新版本的源码

/*
** Copyright (C) 2006 Joshua Wright <jwright@arubanetworks.com>
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* $Id$ */

/* spo_alert_arubaaction
 * 
 * Purpose: output plugin for dynamically changing station access status on
 *          an Aruba switch.
 *
 * Arguments:  switch secret_type secret action
 * 	switch		IP address of the Aruba switch
 * 	secret_type	How secret is represented, one of "sha1", "md5" or
 * 			"cleartext"
 *	secret		The shared secret configured on the Aruba switch
 *	action		The action the switch should take with the target user
 *   
 * Effect:
 *
 * When an alert is passed to this output plugin, the plugin connects to the
 * specified switch using the secret for authentication and applies the
 * configured action for the source IP address of the alert.  This allows the
 * administrator to establish rules that will dynamically blacklist a user,
 * allowing the administrator to define rules that take action based on the
 * power of the Snort rules language.
 */

/* output plugin header file */
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include "event.h"
#include "decode.h"
#include "debug.h"
#include "plugbase.h"
#include "spo_plugbase.h"
#include "parser.h"
#include "util.h"
#include "log.h"
#include "mstring.h"

#include "snort.h"

#include "ipv6_port.h"

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef HAVE_STRINGS_H
#include <strings.h>
#endif

#ifndef WIN32
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#endif /* !WIN32 */

#include <sys/types.h>

typedef struct _SpoAlertArubaActionData
{
	char		*secret;
	uint8_t		secret_type;
	uint8_t		action_type;
	char		*role_name;
#ifdef SUP_IP6
	sfip_t         aswitch;
#else
	struct in_addr aswitch;
#endif
	int		fd;
} SpoAlertArubaActionData;


#define MAX_XML_PAYLOAD_LEN 512
#define MAX_POST_LEN 1024
#define MAX_RESPONSE_LEN MAX_POST_LEN

typedef struct _ArubaSecretType {
	uint8_t	type;
	char	*name;
} ArubaSecretType;

#define ARUBA_SECRET_UNKNOWN 0
#define ARUBA_SECRET_SHA1 1
#define ARUBA_SECRET_MD5 2
#define ARUBA_SECRET_PLAIN 4

const ArubaSecretType secret_lookup[] = {
	{ ARUBA_SECRET_SHA1,  "sha1"  },
	{ ARUBA_SECRET_MD5,   "md5"   },
	{ ARUBA_SECRET_PLAIN, "cleartext" },
	{ 0, NULL }
};


#define ArubaActionType ArubaSecretType

#define ARUBA_ACTION_UNKNOWN 0
#define ARUBA_ACTION_BLACKLIST 1
#define ARUBA_ACTION_SETROLE 2

const ArubaActionType action_lookup[] = {
	{ ARUBA_ACTION_BLACKLIST, "blacklist" },
	{ ARUBA_ACTION_SETROLE,   "setrole"   },
	{ 0, NULL }
};


#define ArubaResponseCode ArubaSecretType 

#define ARUBA_RESP_SUCCESS 0
#define ARUBA_RESP_UNKN_USER 1
#define ARUBA_RESP_UNKN_ROLE 2
#define ARUBA_RESP_UNKN_EXT_AGENT 3
#define ARUBA_RESP_AUTH_FAILED 4
#define ARUBA_RESP_INVAL_CMD 5
#define ARUBA_RESP_INVAL_AUTH_METHOD 6
#define ARUBA_RESP_INVAL_MSG_DGST 7
#define ARUBA_RESP_MSSNG_MSG_AUTH 8

const ArubaResponseCode response_lookup[] = {
	{ ARUBA_RESP_SUCCESS,          "success" },
	{ ARUBA_RESP_UNKN_USER,        "unknown user" },
	{ ARUBA_RESP_UNKN_ROLE,        "unknown role" },
	{ ARUBA_RESP_UNKN_EXT_AGENT,   "unknown external agent" },
	{ ARUBA_RESP_AUTH_FAILED,      "authentication failed" },
	{ ARUBA_RESP_INVAL_CMD,        "invalid command" },
	{ ARUBA_RESP_INVAL_AUTH_METHOD, 
			"invalid message authentication method" },
	{ ARUBA_RESP_INVAL_MSG_DGST,   "invalid message digest" },
	{ ARUBA_RESP_MSSNG_MSG_AUTH,   "missing message authentication" },
	{ 0, NULL }
};


void AlertArubaActionInit(char *);
SpoAlertArubaActionData *ParseAlertArubaActionArgs(char *);
void AlertArubaActionCleanExitFunc(int, void *);
void AlertArubaActionRestartFunc(int, void *);
void AlertArubaAction(Packet *, char *, void *, Event *);
int ArubaSwitchConnect(SpoAlertArubaActionData *data);
int ArubaSwitchSend(SpoAlertArubaActionData *data, uint8_t *post, int len);
int ArubaSwitchRecv(SpoAlertArubaActionData *data, uint8_t *recv, int maxlen);

/*
 * Function: SetupAlertArubaAction()
 *
 * Purpose: Registers the output plugin keyword and initialization 
 *          function into the output plugin list.  This is the function that
 *          gets called from InitOutputPlugins() in plugbase.c.
 *
 * Arguments: None.
 *
 * Returns: void function
 *
 */
void AlertArubaActionSetup(void)
{
	/* link the preprocessor keyword to the init function in 
	   the preproc list */
	RegisterOutputPlugin("alert_aruba_action", NT_OUTPUT_ALERT,
			AlertArubaActionInit);
	DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Output plugin: AlertArubaAction is "
			"setup...\n"););
}


/*
 * Function: AlertArubaActionInit(char *)
 *
 * Purpose: Calls the argument parsing function, performs final setup on data
 *          structs, links the preproc function into the function list.
 *
 * Arguments: args => ptr to argument string
 *
 * Returns: void function
 *
 */
void AlertArubaActionInit(char *args)
{
	SpoAlertArubaActionData *data;

	DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Output: AlertArubaAction "
			"Initialized\n"););

	pv.alert_plugin_active = 1;

	/* parse the argument list from the rules file */
	data = ParseAlertArubaActionArgs(args);

	DEBUG_WRAP(DebugMessage(DEBUG_INIT,"Linking AlertArubaAction functions "
			"to call lists...\n"););
	
	/* Set the preprocessor function into the function list */
	AddFuncToOutputList(AlertArubaAction, NT_OUTPUT_ALERT, data);
	AddFuncToCleanExitList(AlertArubaActionCleanExitFunc, data);
	AddFuncToRestartList(AlertArubaActionRestartFunc, data);
}

void AlertArubaAction(Packet *p, char *msg, void *arg, Event *event)
{
	char cmdbuf[MAX_XML_PAYLOAD_LEN], post[MAX_POST_LEN];
	char response[MAX_RESPONSE_LEN];
	char *cmdbufp, *responsecode, *responsemsg;
	int postlen, xmllenrem, i, responsecodei;


	SpoAlertArubaActionData *data = (SpoAlertArubaActionData *)arg;
	cmdbufp = cmdbuf;

	/* Establish a connection to the switch */
	data->fd = ArubaSwitchConnect(data);
	if (data->fd < 0) {
		ErrorMessage("Unable to connect to Aruba switch at %s\n",
#ifdef SUP_IP6
				inet_ntoa(&data->aswitch));
#else
				inet_ntoa(data->aswitch));
#endif
		return;
	}

	xmllenrem = MAX_XML_PAYLOAD_LEN;

	switch(data->action_type) {
		case ARUBA_ACTION_BLACKLIST:
		snprintf(cmdbufp, xmllenrem, "xml=<aruba "
				"command=user_blacklist>");
		break;

		case ARUBA_ACTION_SETROLE:
		snprintf(cmdbufp, xmllenrem, "xml=<aruba command=user_add>"
				"<role>%s</role>", data->role_name);
		break;

		default: /* The parser prevents this from happening */
		ErrorMessage("aruba_action: invalid action type specified");
		return;
		break;
	}

	xmllenrem -= strlen(cmdbufp);
	cmdbufp += strlen(cmdbufp);

	if (xmllenrem < 1) {
		ErrorMessage("aruba_action: configuration parameters too "
				"long\n");
		FatalError("Unable to parse configuration parameters for Aruba"
				"Action output plugin.\n");
		return;
	}

	snprintf(cmdbufp, xmllenrem, "<ipaddr>%s</ipaddr>",
#ifdef SUP_IP6
			inet_ntoa(GET_SRC_ADDR(p))
#else
			inet_ntoa(p->iph->ip_src)
#endif
        );

	xmllenrem -= strlen(cmdbufp);
	cmdbufp += strlen(cmdbufp);

	if (xmllenrem < 1) {
		ErrorMessage("aruba_action: configuration parameters too "
				"long\n");
		FatalError("Unable to parse configuration parameters for Aruba"
				"Action output plugin.\n");
		return;
	}

	switch(data->secret_type) {
		case ARUBA_SECRET_SHA1:
		snprintf(cmdbufp, xmllenrem, "<authentication>sha-1"
				"</authentication>");
		break;

		case ARUBA_SECRET_MD5:
		snprintf(cmdbufp, xmllenrem, "<authentication>md5"
				"</authentication>");
		break;

		case ARUBA_SECRET_PLAIN:
		snprintf(cmdbufp, xmllenrem, "<authentication>cleartext"
				"</authentication>");
		break;

		default: /* The parser prevents this from happening */
		ErrorMessage("aruba_action: invalid secret type specified");
		return;
		break;
	}

	xmllenrem -= strlen(cmdbufp);
	cmdbufp += strlen(cmdbufp);

	if (xmllenrem < 1) {
		ErrorMessage("aruba_action: configuration parameters too "
				"long\n");
		FatalError("Unable to parse configuration parameters for Aruba"
				"Action output plugin.\n");
		return;
	}

	snprintf(cmdbufp, xmllenrem, "<key>%s</key>", data->secret);
	xmllenrem -= strlen(cmdbufp);
	cmdbufp += strlen(cmdbufp);