spp_stream5.c

著名的入侵检测系统snort的最新版本的源码

    ssn = p->ssnptr;

    if ((ssn->protocol != IPPROTO_TCP) ||
        (p->packet_flags & PKT_REBUILT_STREAM))
    {
        DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                    "Don't flush on rebuilt packets\n"););
        return 0;
    }

    /* Flush the listener queue -- this is the same side that
     * the packet gets inserted into */
    Stream5FlushListener(p, ssn);

    return 0;
}

static int Stream5ResponseFlushStream(Packet *p)
{
    Stream5LWSession *ssn;

    if ((p == NULL) || (p->ssnptr == NULL))
    {
        DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                    "Don't flush NULL packet or session\n"););
        return 0;
    }

    ssn = p->ssnptr;

    if ((ssn->protocol != IPPROTO_TCP) ||
        (p->packet_flags & PKT_REBUILT_STREAM))
    {
        DEBUG_WRAP(DebugMessage(DEBUG_STREAM_STATE,
                    "Don't flush on rebuilt packets\n"););
        return 0;
    }

    /* Flush the talker queue -- this is the opposite side that
     * the packet gets inserted into */
    Stream5FlushTalker(p, ssn);

    return 0;
}

static u_int32_t Stream5SetSessionFlags(
                    void *ssnptr,
                    u_int32_t flags)
{
    Stream5LWSession *ssn;
    if (ssnptr)
    {
        ssn = (Stream5LWSession *)ssnptr;
        ssn->session_flags |= flags;
        return ssn->session_flags;
    }

    return 0;
}

static u_int32_t Stream5GetSessionFlags(void *ssnptr)
{
    Stream5LWSession *ssn;
    if (ssnptr)
    {
        ssn = (Stream5LWSession *)ssnptr; 
        return ssn->session_flags;
    }

    return 0;
}

static int Stream5AddSessionAlert(void *ssnptr,
                                  Packet *p,
                                  u_int32_t gid,
                                  u_int32_t sid)
{
    Stream5LWSession *ssn;
    if (ssnptr)
    {
        ssn = (Stream5LWSession *)ssnptr;
        switch (GET_IPH_PROTO(p))
        {
            case IPPROTO_TCP:
                return Stream5AddSessionAlertTcp(ssn, p, gid, sid);
                break;
#if 0 /* Don't need to do this for UDP/ICMP because they don't
         do any reassembly. */
            case IPPROTO_UDP:
                return Stream5AddSessionAlertUdp(ssn, p, gid, sid);
                break;
            case IPPROTO_ICMP:
                return Stream5AddSessionAlertIcmp(ssn, p, gid, sid);
                break;
#endif
        }
    }

    return 0;
}

/* return non-zero if gid/sid have already been seen */
static int Stream5CheckSessionAlert(void *ssnptr,
                                    Packet *p,
                                    u_int32_t gid,
                                    u_int32_t sid)
{
    Stream5LWSession *ssn;

    if (ssnptr)
    {
        ssn = (Stream5LWSession *)ssnptr;
        switch (GET_IPH_PROTO(p))
        {
            case IPPROTO_TCP:
                return Stream5CheckSessionAlertTcp(ssn, p, gid, sid);
                break;
#if 0 /* Don't need to do this for UDP/ICMP because they don't
         do any reassembly. */
            case IPPROTO_UDP:
                return Stream5CheckSessionAlertUdp(ssn, p, gid, sid);
                break;
            case IPPROTO_ICMP:
                return Stream5CheckSessionAlertIcmp(ssn, p, gid, sid);
                break;
#endif
        }
    }
    return 0;
}

static int Stream5IgnoreChannel(
                    ip_p      srcIP,
                    u_int16_t srcPort,
                    ip_p      dstIP,
                    u_int16_t dstPort,
                    char protocol,
                    char direction,
                    char flags)
{
    return IgnoreChannel(srcIP, srcPort, dstIP, dstPort,
                         protocol, direction, flags, 300);
}

void Stream5DisableInspection(Stream5LWSession *lwssn, Packet *p)
{
    /*
     * Don't want to mess up PortScan by "dropping"
     * this packet.
     *
     * Also still want the perfmon to collect the stats.
     *
     * And don't want to do any detection with rules
     */
    DisableDetect(p);
    SetPreprocBit(p, PP_SFPORTSCAN);
    SetPreprocBit(p, PP_PERFMONITOR);
    otn_tmp = NULL;
}

static void Stream5StopInspection(
                    void * ssnptr,
                    Packet *p,
                    char dir,
                    int32_t bytes,
                    int response)
{
    Stream5LWSession *ssn = (Stream5LWSession *)ssnptr;

    if (!ssn)
        return;

    switch (dir)
    {
        case SSN_DIR_BOTH:
            ssn->ignore_direction = dir;
            break;
        case SSN_DIR_CLIENT:
            ssn->ignore_direction = dir;
            break;
        case SSN_DIR_SERVER:
            ssn->ignore_direction = dir;
            break;
    }

    /* Flush any queued data on the client and/or server */
    if (ssn->protocol == IPPROTO_TCP)
    {
        if (ssn->ignore_direction & SSN_DIR_CLIENT)
        {
            Stream5FlushClient(p, ssn);
        }

        if (ssn->ignore_direction & SSN_DIR_SERVER)
        {
            Stream5FlushServer(p, ssn);
        }
    }

    /* TODO: Handle bytes/response parameters */

    Stream5DisableInspection(ssn, p);
}

static void Stream5ResumeInspection(
                    void *ssnptr,
                    char dir)
{
    Stream5LWSession *ssn = (Stream5LWSession *)ssnptr;

    if (!ssn)
        return;

    switch (dir)
    {
        case SSN_DIR_BOTH:
            ssn->ignore_direction &= ~dir;
            break;
        case SSN_DIR_CLIENT:
            ssn->ignore_direction &= ~dir;
            break;
        case SSN_DIR_SERVER:
            ssn->ignore_direction &= ~dir;
            break;
    }

}

static void Stream5UpdateDirection(
                    void * ssnptr,
                    char dir,
                    ip_p ip,
                    u_int16_t port)
{
    Stream5LWSession *ssn = (Stream5LWSession *)ssnptr;

    if (!ssn)
        return;

    switch (ssn->protocol)
    {
        case IPPROTO_TCP:
            TcpUpdateDirection(ssn, dir, ip, port);
            break;
        case IPPROTO_UDP:
            UdpUpdateDirection(ssn, dir, ip, port);
            break;
        case IPPROTO_ICMP:
            //IcmUpdateDirection(ssn, dir, ip, port);
            break;
    }
}

static u_int32_t Stream5GetPacketDirection(Packet *p)
{
    Stream5LWSession *lwssn;
    
    if (!p || !(p->ssnptr))
        return 0;
    
    lwssn = (Stream5LWSession *)p->ssnptr;

    GetLWPacketDirection(p, lwssn);

    return (p->packet_flags & (PKT_FROM_SERVER|PKT_FROM_CLIENT));
}

static void Stream5DropTraffic(
                    void *ssnptr,
                    char dir)
{
    Stream5LWSession *ssn = (Stream5LWSession *)ssnptr;

    if (!ssn)
        return;

    if (dir & SSN_DIR_CLIENT)
    {
        ssn->session_flags |= STREAM5_STATE_DROP_CLIENT;
    }

    if (dir & SSN_DIR_SERVER)
    {
        ssn->session_flags |= STREAM5_STATE_DROP_SERVER;
    }

    /* XXX: Issue resets if TCP or ICMP Unreach if UDP? */
}

static void Stream5DropPacket(
                            Packet *p)
{
    Stream5TcpBlockPacket(p);
    Stream5DropTraffic(p->ssnptr, SSN_DIR_BOTH);
}

static int Stream5GetRebuiltPackets(
                            Packet *p,
                            PacketIterator callback,
                            void *userdata)
{
    Stream5LWSession *ssn = (Stream5LWSession*)p->ssnptr;

    if (!ssn || ssn->protocol != IPPROTO_TCP)
        return 0;

    /* Only if this is a rebuilt packet */
    if (!(p->packet_flags & PKT_REBUILT_STREAM))
        return 0;

    return GetTcpRebuiltPackets(p, ssn, callback, userdata);
}

static StreamFlowData *Stream5GetFlowData(Packet *p)
{
#if 0
    FLOW *fp;
    FLOWDATA *flowdata;
    if (!p->flow)
        return NULL;

    fp = (FLOW *)p->flow;
    flowdata = &fp->data;

    return (StreamFlowData *)flowdata;
#endif
    Stream5LWSession *ssn = (Stream5LWSession*)p->ssnptr;

    if (!ssn)
        return NULL;

    return (StreamFlowData *)ssn->flowdata->data;
}

static char Stream5GetReassemblyDirection(void *ssnptr)
{
    Stream5LWSession *ssn = (Stream5LWSession *)ssnptr;

    if (!ssn || ssn->protocol != IPPROTO_TCP)
        return SSN_DIR_NONE;

    return Stream5GetReassemblyDirectionTcp(ssn);
}

static char Stream5SetReassembly(void *ssnptr,
                                   u_int8_t flush_policy,
                                   char dir,
                                   char flags)
{
    Stream5LWSession *ssn = (Stream5LWSession *)ssnptr;

    if (!ssn || ssn->protocol != IPPROTO_TCP)
        return 0;

    return Stream5SetReassemblyTcp(ssn, flush_policy, dir, flags);
}

static char Stream5GetReassemblyFlushPolicy(void *ssnptr, char dir)
{
    Stream5LWSession *ssn = (Stream5LWSession *)ssnptr;

    if (!ssn || ssn->protocol != IPPROTO_TCP)
        return STREAM_FLPOLICY_NONE;

    return Stream5GetReassemblyFlushPolicyTcp(ssn, dir);
}

static char Stream5IsStreamSequenced(void *ssnptr, char dir)
{
    Stream5LWSession *ssn = (Stream5LWSession *)ssnptr;

    if (!ssn || ssn->protocol != IPPROTO_TCP)
        return 1;

    return Stream5IsStreamSequencedTcp(ssn, dir);
}

#ifdef TARGET_BASED
void Stream5SetIPProtocol(Stream5LWSession *lwssn)
{
    switch (lwssn->protocol)
    {
    case IPPROTO_TCP:
        lwssn->ipprotocol = FindProtocolReference("tcp");
        break;
    case IPPROTO_UDP:
        lwssn->ipprotocol = FindProtocolReference("udp");
        break;
    case IPPROTO_ICMP:
        lwssn->ipprotocol = FindProtocolReference("icmp");
        break;
    }
}

void Stream5SetApplicationProtocolIdFromHostEntry(Stream5LWSession *lwssn,
                                           HostAttributeEntry *host_entry,
                                           int direction)
{
    if (!lwssn || !host_entry)
        return;

    /* Cool, its already set! */
    if (lwssn->application_protocol != 0)
        return;

    if (lwssn->ipprotocol == 0)
    {
        Stream5SetIPProtocol(lwssn);
    }

    if (direction == SSN_DIR_SERVER)
    {
        lwssn->application_protocol = getApplicationProtocolId(host_entry,
                                        lwssn->ipprotocol,
                                        ntohs(lwssn->server_port),
                                        SFAT_SERVICE);
    }
    else
    {
        lwssn->application_protocol = getApplicationProtocolId(host_entry,
                                        lwssn->ipprotocol,
                                        ntohs(lwssn->client_port),
                                        SFAT_SERVICE);
    }
}

static int16_t Stream5GetApplicationProtocolId(void *ssnptr)
{
    Stream5LWSession *lwssn = (Stream5LWSession *)ssnptr;
    /* Not caching the source and dest host_entry in the session so we can
     * swap the table out after processing this packet if we need
     * to.  */
#ifndef SUP_IP6
    HostAttributeEntry *host_entry = NULL;
#endif
    int16_t protocol = 0;

    if (!lwssn)
        return protocol;

    if (lwssn->application_protocol != 0)
        return lwssn->application_protocol;

    if (lwssn->ipprotocol == 0)
    {
        Stream5SetIPProtocol(lwssn);
    }

#ifndef SUP_IP6
    host_entry = SFAT_LookupHostEntryByIp4Addr(ntohl(lwssn->server_ip));
    if (host_entry)
    {
        Stream5SetApplicationProtocolIdFromHostEntry(lwssn,
                                           host_entry, SSN_DIR_SERVER);

        if (lwssn->application_protocol != 0)
        {
            return lwssn->application_protocol;
        }
    }

    host_entry = SFAT_LookupHostEntryByIp4Addr(ntohl(lwssn->client_ip));
    if (host_entry)
    {
        Stream5SetApplicationProtocolIdFromHostEntry(lwssn,
                                           host_entry, SSN_DIR_CLIENT);
        if (lwssn->application_protocol != 0)
        {
            return lwssn->application_protocol;
        }
    }
#endif

    return lwssn->application_protocol;
}

static int16_t Stream5SetApplicationProtocolId(void *ssnptr, int16_t id)
{
    Stream5LWSession *ssn = (Stream5LWSession *)ssnptr;
    if (!ssn)
        return 0;

    ssn->application_protocol = id;

    return id;
}
#endif