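} /* Different record type that we don't care about.
   * Either it's a 'change cipher spec' or we failed to recognize the
   * record type. Do not update session data */
else
{
    SSLPP_process_other(ssn_flags, new_flags, packet);
    /* Application data is updated inside of SSLPP_process_other */
    PREPROC_PROFILE_END(sslpp_perf_stats);
    return;
}

ssn_flags |= new_flags;
_dpd.streamAPI->set_application_data(
    packet->stream_session_ptr, PP_SSL,
    (void*)(uintptr_t)ssn_flags, NULL);

PREPROC_PROFILE_END(sslpp_perf_stats);
}

/* One accepted keyword of a flag-list rule option and the bit it selects. */
typedef struct
{
    const char *keyword;
    unsigned long flag;
} SSLPP_flag_keyword;

/*
 * Shared parser for the ssl_state and ssl_version rule options.
 *
 * params : comma-separated keyword list from the rule; tokenised in place
 *          with strtok_r, so the caller's buffer is modified.
 * name   : option name the engine registered the parser under; used only
 *          in diagnostics.
 * table  : accepted keywords (matched case-insensitively) and their flags.
 * count  : number of entries in table.
 *
 * Returns the OR of the flags of every keyword present.  An empty list or
 * an unknown keyword is a rule-file error and is reported through
 * DynamicPreprocessorFatalMessage, which is assumed not to return (the
 * original code relied on the same assumption).
 *
 * Fix vs. the original per-option loops: the "not a recognized argument"
 * message passed _dpd.config_file (a char **) for its %d conversion
 * instead of the line number, which is undefined behaviour in the
 * variadic call and printed garbage; both messages now pass
 * *(_dpd.config_line).  The "missing argument" message also lacked the
 * space before the option name and named ssl_state for both options.
 */
static unsigned long SSLPP_parse_flag_list(const char *name, char *params,
                                           const SSLPP_flag_keyword *table,
                                           size_t count)
{
    unsigned long flags = 0;
    char *end;
    char *tok;

    tok = strtok_r(params, ",", &end);
    if(!tok)
        DynamicPreprocessorFatalMessage(
            "%s(%d) => missing argument to %s keyword\n",
            *(_dpd.config_file), *(_dpd.config_line), name);

    do
    {
        size_t i;

        for(i = 0; i < count; i++)
        {
            if(!strcasecmp(table[i].keyword, tok))
            {
                flags |= table[i].flag;
                break;
            }
        }

        /* Ran off the end of the table: unknown keyword. */
        if(i == count)
            DynamicPreprocessorFatalMessage(
                "%s(%d) => %s is not a recognized argument to %s.\n",
                *(_dpd.config_file), *(_dpd.config_line), tok, name);
    } while( (tok = strtok_r(NULL, ",", &end)) != NULL );

    return flags;
}

/*
 * Parsing for the ssl_state rule option.
 *
 * Accepts client_hello, server_hello, client_keyx, server_keyx and unknown
 * and stores the OR of the corresponding flags in *data.  The flag word is
 * written straight into the void* slot; SSLPP_rule_eval reads it back with
 * the matching (unsigned long) cast.  Always returns 0; bad input is fatal.
 */
static int SSLPP_state_init(char *name, char *params, void **data)
{
    static const SSLPP_flag_keyword states[] =
    {
        { "client_hello", SSL_CUR_CLIENT_HELLO_FLAG },
        { "server_hello", SSL_CUR_SERVER_HELLO_FLAG },
        { "client_keyx",  SSL_CUR_CLIENT_KEYX_FLAG },
        { "server_keyx",  SSL_CUR_SERVER_KEYX_FLAG },
        { "unknown",      SSL_UNKNOWN_FLAG },
    };

    *(unsigned long *)data = SSLPP_parse_flag_list(
        name, params, states, sizeof(states) / sizeof(states[0]));
    return 0;
}

/*
 * Parsing for the ssl_version rule option.
 *
 * Accepts sslv2, sslv3, tls1.0, tls1.1 and tls1.2 and stores the OR of the
 * corresponding SSL_VER_* flags in *data, in the same in-slot encoding as
 * SSLPP_state_init.  Always returns 0; bad input is fatal.
 */
static int SSLPP_ver_init(char *name, char *params, void **data)
{
    static const SSLPP_flag_keyword versions[] =
    {
        { "sslv2",  SSL_VER_SSLV2_FLAG },
        { "sslv3",  SSL_VER_SSLV3_FLAG },
        { "tls1.0", SSL_VER_TLS10_FLAG },
        { "tls1.1", SSL_VER_TLS11_FLAG },
        { "tls1.2", SSL_VER_TLS12_FLAG },
    };

    *(unsigned long *)data = SSLPP_parse_flag_list(
        name, params, versions, sizeof(versions) / sizeof(versions[0]));
    return 0;
}

/*
 * Rule option evaluation (for both rule options).
 *
 * raw_packet : the SFSnortPacket being evaluated.
 * cursor     : detection cursor, unused here.
 * data       : the flag word produced by SSLPP_state_init / SSLPP_ver_init,
 *              carried in the pointer value itself.
 *
 * Returns 1 when any requested flag is set in the session's SSL state as
 * stored by the stream API under PP_SSL, 0 otherwise.  Packets without a
 * TCP header or a stream session cannot have SSL state and never match.
 */
static int SSLPP_rule_eval(void *raw_packet, const u_int8_t **cursor, void *data)
{
    u_int32_t ssn_data;
    unsigned long to_match = (unsigned long)data;
    SFSnortPacket *p = (SFSnortPacket*)raw_packet;

    if(!p || !p->tcp_header || !p->stream_session_ptr || !data)
        return 0;

    /* The session state is the flag word SSLPP_process stored via
     * set_application_data; it fits in 32 bits, so the narrowing is
     * intentional and mirrors the store side. */
    ssn_data = (unsigned long)_dpd.streamAPI->get_application_data(
        p->stream_session_ptr, PP_SSL);

    return (to_match & ssn_data) ? 1 : 0;
}

/*
 * SSL Preprocessor configuration parsing.
 *
 * conf is the comma-separated option string from snort.conf (tokenised in
 * place).  Recognised options:
 *   ports <list>         replaces the default port set (SFP_ports syntax)
 *   noinspect_encrypted  sets SSLPP_DISABLE_FLAG
 *   trustservers         sets SSLPP_TRUSTSERVER_FLAG
 * Any other option, a trailing argument after the two flag options, or a
 * port list SFP_ports rejects is fatal.  A NULL conf keeps the defaults.
 *
 * Change vs. the original: an option slot that is empty or all blanks
 * used to 'return' out of the function, which skipped the final
 * trustservers/noinspect_encrypted consistency check; it now 'break's so
 * the check always runs.
 */
static void SSLPP_config(char *conf)
{
    char *saveptr;
    char *space_tok;
    char *comma_tok;
    char *portptr;
    char *search;
    SFP_errstr_t err;

    if(!conf)
        return;

    search = conf;
    while( (comma_tok = strtok_r(search, ",", &saveptr)) != NULL )
    {
        search = NULL;

        /* First word of the slot is the option name; the remainder (if
         * any) is left in portptr for the option to consume. */
        space_tok = strtok_r(comma_tok, " ", &portptr);
        if(!space_tok)
            break;

        if(!strcasecmp(space_tok, "ports"))
        {
            /* An explicit port list replaces the defaults entirely. */
            memset(config.ports, 0, sizeof(config.ports));
            if(SFP_ports(config.ports, portptr, err) != SFP_SUCCESS)
                DynamicPreprocessorFatalMessage(
                    "%s(%d) => Failed to parse: %s\n",
                    *(_dpd.config_file), *(_dpd.config_line), SFP_GET_ERR(err));
        }
        else if(!strcasecmp(space_tok, "noinspect_encrypted"))
        {
            char *tmpChar = strtok_r(NULL, " \t\n", &portptr);
            if(tmpChar)
            {
                DynamicPreprocessorFatalMessage("%s(%d) => Invalid argument to the"
                    " SSL preprocessor: '%s' in %s\n",
                    *(_dpd.config_file), *(_dpd.config_line), space_tok, tmpChar);
            }
            config.flags |= SSLPP_DISABLE_FLAG;
        }
        else if(!strcasecmp(space_tok, "trustservers"))
        {
            char *tmpChar = strtok_r(NULL, " \t\n", &portptr);
            if(tmpChar)
            {
                DynamicPreprocessorFatalMessage("%s(%d) => Invalid argument to the"
                    " SSL preprocessor: '%s' in %s\n",
                    *(_dpd.config_file), *(_dpd.config_line), space_tok, tmpChar);
            }
            config.flags |= SSLPP_TRUSTSERVER_FLAG;
        }
        else
        {
            DynamicPreprocessorFatalMessage("%s(%d) => Invalid argument to the"
                " SSL preprocessor: '%s' in %s\n",
                *(_dpd.config_file), *(_dpd.config_line), comma_tok, conf);
        }
    }

    /* Verify configured options make sense: trusting the server side only
     * has an effect once encrypted traffic is no longer inspected. */
    if ((config.flags & SSLPP_TRUSTSERVER_FLAG) && !(config.flags & SSLPP_DISABLE_FLAG))
    {
        DynamicPreprocessorFatalMessage("%s(%d) => SSL preprocessor: 'trustservers' requires 'noinspect_encrypted' to be useful.\n",
            *(_dpd.config_file), *(_dpd.config_line));
    }
}

/*
 * Log the effective configuration: the inspection flags and the configured
 * port set, five ports per line.
 *
 * Fix vs. the original: the accumulated port buffer was handed to
 * _dpd.logMsg as the format string.  The buffer only ever holds digits
 * and whitespace here, so it was not exploitable, but a non-literal
 * format argument is the classic format-string hazard (CERT FIO30-C) and
 * is now passed through "%s".
 */
static void SSLPP_print_config(void)
{
    char buf[1024]; /* For syslog printing */
    int i;
    int newline;

    memset(buf, 0, sizeof(buf));

    _dpd.logMsg("SSLPP config:\n");
    _dpd.logMsg(" Encrypted packets: %s\n",
                config.flags & SSLPP_DISABLE_FLAG ? "not inspected" : "inspected");
    _dpd.logMsg(" Trust servers: %s\n",
                config.flags & SSLPP_TRUSTSERVER_FLAG ? "yes" : "no");
    _dpd.logMsg(" Ports:\n");

    for(newline = 0, i = 0; i < MAXPORTS; i++)
    {
        if( !(config.ports[ PORT_INDEX(i) ] & CONV_PORT(i)) )
            continue;

        SFP_snprintfa(buf, sizeof(buf), " %5d", i);

        /* Flush a full row of five ports. */
        if( !((++newline) % 5) )
        {
            SFP_snprintfa(buf, sizeof(buf), "\n");
            _dpd.logMsg("%s", buf);
            memset(buf, 0, sizeof(buf));
        }
    }

    /* Terminate a partial final row, then emit whatever is left. */
    if(newline % 5)
        SFP_snprintfa(buf, sizeof(buf), "\n");
    _dpd.logMsg("%s", buf);
}

/*
 * Reset the configuration and the statistics counters and install the
 * default port set.  SET_PORT is file-local scaffolding for this function
 * only and is undefined afterwards so it cannot leak into later code.
 */
static void SSLPP_init_config(void)
{
    memset(&config, 0, sizeof(config));
    memset(&counts, 0, sizeof(counts));

#define SET_PORT(x) (config.ports[ PORT_INDEX(x) ] |= CONV_PORT(x))
    /* Setup default ports */
    SET_PORT(443); /* HTTPS */
    SET_PORT(465); /* SMTPS */
    SET_PORT(563); /* NNTPS */
    SET_PORT(636); /* LDAPS */
    SET_PORT(989); /* FTPS */
    SET_PORT(992); /* TelnetS */
    SET_PORT(993); /* IMAPS */
    SET_PORT(994); /* IRCS */
    SET_PORT(995); /* POPS */
#undef SET_PORT
}

/*
 * Statistics callback registered with the engine.  Prints the record and
 * session counters, but only once at least one SSL packet was decoded so
 * an idle preprocessor stays silent.  `exiting` is part of the callback
 * contract and is not needed here.
 */
static void SSLPP_drop_stats(int exiting)
{
    (void)exiting;

    if(!counts.decoded)
        return;

    _dpd.logMsg("SSL Preprocessor:\n");
    _dpd.logMsg(" SSL packets decoded: " FMTu64("-10") "\n", counts.decoded);
    _dpd.logMsg(" Alert records: " FMTu64("-10") "\n", counts.alerts);
    _dpd.logMsg(" Application records: " FMTu64("-10") "\n", counts.applications);
    _dpd.logMsg(" Change cipher records: " FMTu64("-10") "\n", counts.cipher_change);
    _dpd.logMsg(" Unrecognized records: " FMTu64("-10") "\n", counts.unrecognized);
    _dpd.logMsg(" Handshake records: " FMTu64("-10") "\n", counts.handshakes);
    _dpd.logMsg(" Completed handshakes: " FMTu64("-10") "\n", counts.completed_hs);
    _dpd.logMsg(" Bad handshakes: " FMTu64("-10") "\n", counts.bad_handshakes);
    _dpd.logMsg(" Sessions ignored: " FMTu64("-10") "\n", counts.stopped);
    _dpd.logMsg(" Detection disabled: " FMTu64("-10") "\n", counts.disabled);
}

/*
 * Preprocessor initialisation callback.
 *
 * Requires the Stream preprocessor (session tracking is what the SSL
 * state is attached to), parses conf, logs the result, then registers
 * the packet handler, the ssl_state / ssl_version rule options, the
 * statistics callback and, when built with PERF_PROFILING, the profiling
 * hook.
 */
static void SSLPP_init(char *conf)
{
    if(!_dpd.streamAPI)
    {
        DynamicPreprocessorFatalMessage(
            "SSLPP_init(): The Stream preprocessor must be enabled.\n");
    }

    SSLPP_init_config();
    SSLPP_config(conf);
    SSLPP_print_config();

    _dpd.addPreproc( SSLPP_process, PRIORITY_TUNNEL, PP_SSL );
    _dpd.preprocOptRegister("ssl_state", SSLPP_state_init, SSLPP_rule_eval, NULL);
    _dpd.preprocOptRegister("ssl_version", SSLPP_ver_init, SSLPP_rule_eval, NULL);
    _dpd.registerPreprocStats("ssl", SSLPP_drop_stats);
#ifdef PERF_PROFILING
    _dpd.addPreprocProfileFunc("ssl", (void *)&sslpp_perf_stats, 0, _dpd.totalPerfStats);
#endif
}

/* Entry point called by the engine to register the "ssl" preprocessor. */
void SetupSSLPP(void)
{
    _dpd.registerPreproc( "ssl", SSLPP_init);
}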