📄 spp_httpinspect.c
字号:
/**************************************************************************** * * Copyright (C) 2003-2007 Sourcefire, Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or * distribute this program under any other version of the GNU General * Public License. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ****************************************************************************/ /**** @file preproc_setup.c** ** @author Daniel Roelker <droelker@sourcefire.com>**** @brief This file initializes HttpInspect as a Snort ** preprocessor.**** This file registers the HttpInspect initialization function,** adds the HttpInspect function into the preprocessor list, reads** the user configuration in the snort.conf file, and prints out** the configuration that is read.**** In general, this file is a wrapper to HttpInspect functionality,** by interfacing with the Snort preprocessor functions. The rest** of HttpInspect should be separate from the preprocessor hooks.**** NOTES**** - 2.10.03: Initial Development. DJR*/#include <string.h>#include <sys/types.h>#include "decode.h"#include "plugbase.h"#include "debug.h"#include "util.h"#include "hi_ui_config.h"#include "hi_client.h"#include "hi_norm.h"#include "snort_httpinspect.h"#include "hi_util_kmap.h"#include "hi_util_xmalloc.h"#include "snort.h"#include "profiler.h"/*** Defines for preprocessor initialization*//**** snort.conf preprocessor keyword*/#define GLOBAL_KEYWORD "http_inspect"#define SERVER_KEYWORD "http_inspect_server"/**** The length of the error string buffer.*/#define ERRSTRLEN 1000/*** External Global Variables** Variables that we need from Snort to log errors correctly and such.*/extern char *file_name;extern char *file_line;extern HttpUri UriBufs[URI_COUNT];/*** Global Variables** This is the only way to work with Snort preprocessors because** the user configuration must be kept between the Init function** the actual preprocessor. There is no interaction between the** two except through global variable usage.*/HTTPINSPECT_GLOBAL_CONF GlobalConf;#ifdef PERF_PROFILINGPreprocStats hiPerfStats;PreprocStats hiDetectPerfStats;int hiDetectCalled = 0;#endif/*** Prototypes*/static void HttpInspectDropStats(int);static void HttpInspect(Packet *, void *);static void HttpInspectCleanExit(int, void *);static void HttpInspectInit(char *);/*** NAME** HttpInspect::*//**** This function wraps the functionality in the generic HttpInspect** processing. We get a Packet structure and pass this into the** HttpInspect module where the first stage in HttpInspect is the** Session Inspection stage where most of the other Snortisms are** taken care of. After that, the modules should be fairly generic,** and that's what we're trying to do here.**** @param p a Packet structure that contains Snort info about the** packet.**** @return void*/static void HttpInspect(Packet *p, void *context){ PROFILE_VARS; /* ** IMPORTANT: ** This is where we initialize any variables that can impact other ** aspects of detection/processing. ** ** First thing that we do is reset the p->uri_count to zero, so there ** is no way that we would inspect a buffer that was completely bogus. */ p->uri_count = 0; UriBufs[0].decode_flags = 0; /* ** Check for valid packet ** if neither header or data is good, then we just abort. */ if(!IPH_IS_VALID(p) || !p->tcph || !p->data || !p->dsize) { return; } PREPROC_PROFILE_START(hiPerfStats); /* ** Pass in the configuration and the packet. */ SnortHttpInspect(&GlobalConf, p); p->uri_count = 0; UriBufs[0].decode_flags = 0; /* XXX: * NOTE: this includes the HTTPInspect directly * calling the detection engine - * to get the true HTTPInspect only stats, have another * var inside SnortHttpInspect that tracks the time * spent in Detect(). * Subtract the ticks from this if iCallDetect == 0 */ PREPROC_PROFILE_END(hiPerfStats);#ifdef PERF_PROFILING if (hiDetectCalled) { hiPerfStats.ticks -= hiDetectPerfStats.ticks; /* And Reset ticks to 0 */ hiDetectPerfStats.ticks = 0; hiDetectCalled = 0; }#endif return;}static void HttpInspectDropStats(int exiting) { if(!hi_stats.total) return; LogMessage("HTTP Inspect - encodings (Note: stream-reassembled " "packets included):\n");#ifdef WIN32 LogMessage(" POST methods: %-10I64u\n", hi_stats.post); LogMessage(" GET methods: %-10I64u\n", hi_stats.get); LogMessage(" Post parameters extracted: %-10I64u\n", hi_stats.post_params); LogMessage(" Unicode: %-10I64u\n", hi_stats.unicode); LogMessage(" Double unicode: %-10I64u\n", hi_stats.double_unicode); LogMessage(" Non-ASCII representable: %-10I64u\n", hi_stats.non_ascii); LogMessage(" Base 36: %-10I64u\n", hi_stats.base36); LogMessage(" Directory traversals: %-10I64u\n", hi_stats.dir_trav); LogMessage(" Extra slashes (\"//\"): %-10I64u\n", hi_stats.slashes); LogMessage(" Self-referencing paths (\"./\"): %-10I64u\n", hi_stats.self_ref); LogMessage(" Total packets processed: %-10I64u\n", hi_stats.total);#else LogMessage(" POST methods: %-10llu\n", hi_stats.post); LogMessage(" GET methods: %-10llu\n", hi_stats.get); LogMessage(" Post parameters extracted: %-10llu\n", hi_stats.post_params); LogMessage(" Unicode: %-10llu\n", hi_stats.unicode); LogMessage(" Double unicode: %-10llu\n", hi_stats.double_unicode); LogMessage(" Non-ASCII representable: %-10llu\n", hi_stats.non_ascii); LogMessage(" Base 36: %-10llu\n", hi_stats.base36); LogMessage(" Directory traversals: %-10llu\n", hi_stats.dir_trav); LogMessage(" Extra slashes (\"//\"): %-10llu\n", hi_stats.slashes); LogMessage(" Self-referencing paths (\"./\"): %-10llu\n", hi_stats.self_ref); LogMessage(" Total packets processed: %-10llu\n", hi_stats.total);#endif}static void HttpInspectCleanExit(int signal, void *data){ /* Cleanup */ KMapDelete(GlobalConf.server_lookup); xfree(GlobalConf.iis_unicode_map);}/*** NAME** HttpInspectInit::*//**** This function initializes HttpInspect with a user configuration.**** The function is called when HttpInspect is configured in ** snort.conf. It gets passed a string of arguments, which gets** parsed into configuration constructs that HttpInspect understands.**** This function gets called for every HttpInspect configure line. We** use this characteristic to split up the configuration, so each line** is a configuration construct. We need to keep track of what part** of the configuration has been configured, so we don't configure one** part, then configure it again.**** Any upfront memory is allocated here (if necessary).**** @param args a string to the preprocessor arguments.**** @return void*/static void HttpInspectInit(char *args){ char ErrorString[ERRSTRLEN]; int iErrStrLen = ERRSTRLEN; int iRet; static int siFirstConfig = 1; int iGlobal = 0; if(siFirstConfig) { memset(&hi_stats, 0, sizeof(HIStats)); iRet = hi_ui_config_init_global_conf(&GlobalConf); if (iRet) { snprintf(ErrorString, iErrStrLen, "Error initializing Global Configuration."); FatalError("%s(%d) => %s\n", file_name, file_line, ErrorString); return; } iRet = hi_ui_config_default(&GlobalConf); if (iRet) { snprintf(ErrorString, iErrStrLen, "Error configuring default global configuration."); FatalError("%s(%d) => %s\n", file_name, file_line, ErrorString); return; } iRet = hi_client_init(&GlobalConf); if (iRet) { snprintf(ErrorString, iErrStrLen, "Error initializing client module."); FatalError("%s(%d) => %s\n", file_name, file_line, ErrorString); return; } iRet = hi_norm_init(&GlobalConf); if (iRet) { snprintf(ErrorString, iErrStrLen, "Error initializing normalization module."); FatalError("%s(%d) => %s\n", file_name, file_line, ErrorString); return; } /* ** We set the global configuration variable */ iGlobal = 1; } iRet = HttpInspectSnortConf(&GlobalConf, args, iGlobal, ErrorString, iErrStrLen); if (iRet) { if(iRet > 0) { /* ** Non-fatal Error */ if(ErrorString) { ErrorMessage("%s(%d) => %s\n", file_name, file_line, ErrorString); } } else { /* ** Fatal Error, log error and exit. */ if(ErrorString) { FatalError("%s(%d) => %s\n", file_name, file_line, ErrorString); } else { /* ** Check if ErrorString is undefined. */ if(iRet == -2) { FatalError("%s(%d) => ErrorString is undefined.\n", file_name, file_line); } else { FatalError("%s(%d) => Undefined Error.\n", file_name, file_line); } } } } /* ** Only add the functions one time to the preproc list. */ if(siFirstConfig) { /* ** Add HttpInspect into the preprocessor list */ AddFuncToPreprocList(HttpInspect, PRIORITY_APPLICATION, PP_HTTPINSPECT); RegisterPreprocStats("http_inspect", HttpInspectDropStats); /* ** Remember to add any cleanup functions into the appropriate ** lists. */ AddFuncToPreprocCleanExitList(HttpInspectCleanExit, NULL, PRIORITY_APPLICATION, PP_HTTPINSPECT); AddFuncToPreprocRestartList(HttpInspectCleanExit, NULL, PRIORITY_APPLICATION, PP_HTTPINSPECT); siFirstConfig = 0;#ifdef PERF_PROFILING RegisterPreprocessorProfile("httpinspect", &hiPerfStats, 0, &totalPerfStats);#endif } return;}/*** NAME** SetupHttpInspect::*//**** This function initializes HttpInspect as a Snort preprocessor.**** It registers the preprocessor keyword for use in the snort.conf** and sets up the initialization module for the preprocessor, in** case it is configured.**** This function must be called in InitPreprocessors() in plugbase.c** in order to be recognized by Snort.**** @param none**** @return void*/void SetupHttpInspect(){ RegisterPreprocessor(GLOBAL_KEYWORD, HttpInspectInit); RegisterPreprocessor(SERVER_KEYWORD, HttpInspectInit); AddFuncToConfigCheckList(HttpInspectCheckConfig); DEBUG_WRAP(DebugMessage(DEBUG_HTTPINSPECT, "Preprocessor: HttpInspect is " "setup . . .\n"););}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -