spp_dce2.c

snort2.8.4版本

/****************************************************************************
 * Copyright (C) 2008-2008 Sourcefire,Inc
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
 * published by the Free Software Foundation.  You may not use, modify or
 * distribute this program under any other version of the GNU General
 * Public License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 ****************************************************************************
 * 
 ****************************************************************************/

#include "spp_dce2.h"
#include "dce2_memory.h"
#include "dce2_list.h"
#include "dce2_utils.h"
#include "dce2_config.h"
#include "dce2_roptions.h"
#include "dce2_stats.h"
#include "dce2_event.h"
#include "snort_dce2.h"
#include "preprocids.h"
#include "profiler.h"
#include "sfrt.h"
#include "sf_snort_packet.h"
#include "sf_dynamic_preprocessor.h"
#include "stream_api.h"

/********************************************************************
 * Global variables
 ********************************************************************/
#ifdef PERF_PROFILING
PreprocStats dce2_pstat_main;
PreprocStats dce2_pstat_roptions;
PreprocStats dce2_pstat_session;
#endif

/********************************************************************
 * Extern variables
 ********************************************************************/
extern DCE2_ServerConfig *dconfig;
extern table_t *dce2_sconfigs;      /* Routing table with server configurations */
extern DCE2_Stats dce2_stats;
extern DCE2_Memory dce2_memory;
extern char **dce2_trans_strs;
extern DynamicPreprocessorData _dpd;
extern DCE2_CStack *dce2_pkt_stack;
extern DCE2_ProtoIds dce2_proto_ids;

/********************************************************************
 * Macros
 ********************************************************************/
#ifdef PERF_PROFILING
#define DCE2_PSTAT__MAIN      "dce2_pstat_main"
#define DCE2_PSTAT__SESSION   "dce2_pstat_session"
#define DCE2_PSTAT__ROPTIONS  "dce2_pstat_roptions"
#define DCE2_PSTAT__SMB       "dce2_pstat_smb"
#define DCE2_PSTAT__CO        "dce2_pstat_co"
#define DCE2_PSTAT__CL        "dce2_pstat_cl"
#endif  /* PERF_PROFILING */

/********************************************************************
 * Private function prototypes
 ********************************************************************/
static void DCE2_InitGlobal(char *);
static void DCE2_InitServer(char *);
static void DCE2_CheckConfig(void);
static void DCE2_Main(void *, void *);
static void DCE2_PrintStats(int);
static void DCE2_Reset(int, void *);
static void DCE2_ResetStats(int, void *);
static void DCE2_CleanExit(int, void *);

/********************************************************************
 * Function: DCE2_RegisterPreprocessor()
 *
 * Purpose: Registers the DCE/RPC preprocessor with Snort
 *
 * Arguments: None
 *
 * Returns: None
 *
 ********************************************************************/
void DCE2_RegisterPreprocessor(void)
{
    _dpd.registerPreproc(DCE2_GNAME, DCE2_InitGlobal);
    _dpd.registerPreproc(DCE2_SNAME, DCE2_InitServer);
}

/*********************************************************************
 * Function: DCE2_InitGlobal()
 *
 * Purpose: Initializes the global DCE/RPC preprocessor config.
 *
 * Arguments: snort.conf argument line for the DCE/RPC preprocessor.
 *
 * Returns: None
 *
 *********************************************************************/
static void DCE2_InitGlobal(char *args)
{
    if ((_dpd.streamAPI == NULL) || (_dpd.streamAPI->version != STREAM_API_VERSION5))
    {
        DCE2_Die("%s(%d) => %s: Stream5 must be enabled with TCP and UDP tracking.\n",
                 *_dpd.config_file, *_dpd.config_line, DCE2_GNAME);
    }

    DCE2_RegRuleOptions();

    DCE2_MemInit();
    DCE2_StatsInit();
    DCE2_EventsInit();

    /* Parse configuration args */
    DCE2_GlobalConfigure(args);

    /* Initialize reassembly packet */
    DCE2_InitRpkts();

    /* Register callbacks */
    _dpd.addPreprocConfCheck(DCE2_CheckConfig);
	_dpd.addPreproc(DCE2_Main, PRIORITY_APPLICATION, PP_DCE2);
    _dpd.registerPreprocStats(DCE2_GNAME, DCE2_PrintStats);
	_dpd.addPreprocReset(DCE2_Reset, NULL, PRIORITY_LAST, PP_DCE2);
	_dpd.addPreprocResetStats(DCE2_ResetStats, NULL, PRIORITY_LAST, PP_DCE2);
	_dpd.addPreprocExit(DCE2_CleanExit, NULL, PRIORITY_LAST, PP_DCE2);

#ifdef PERF_PROFILING
    /* XXX Add some more perfstats for list traversal, etc. */
    _dpd.addPreprocProfileFunc(DCE2_PSTAT__MAIN, &dce2_pstat_main, 0, _dpd.totalPerfStats);
    _dpd.addPreprocProfileFunc(DCE2_PSTAT__ROPTIONS, &dce2_pstat_roptions, 0, _dpd.totalPerfStats);
#endif

#ifdef TARGET_BASED
    dce2_proto_ids.dcerpc = _dpd.findProtocolReference(DCE2_PROTO_REF_STR__DCERPC);
    if (dce2_proto_ids.dcerpc == SFTARGET_UNKNOWN_PROTOCOL)
        dce2_proto_ids.dcerpc = _dpd.addProtocolReference(DCE2_PROTO_REF_STR__DCERPC);

    /* smb and netbios-ssn refer to the same thing */
    dce2_proto_ids.nbss = _dpd.findProtocolReference(DCE2_PROTO_REF_STR__NBSS);
    if (dce2_proto_ids.nbss == SFTARGET_UNKNOWN_PROTOCOL)
        dce2_proto_ids.nbss = _dpd.addProtocolReference(DCE2_PROTO_REF_STR__NBSS);
#endif
}

/*********************************************************************
 * Function: DCE2_InitServer()
 *
 * Purpose: Initializes a DCE/RPC server configuration
 *
 * Arguments: snort.conf argument line for the DCE/RPC preprocessor.
 *
 * Returns: None
 *
 *********************************************************************/
static void DCE2_InitServer(char *args)
{
    /* Parse configuration args */
    DCE2_ServerConfigure(args);
}

/*********************************************************************
 * Function: DCE2_CheckConfig()
 *
 * Purpose: Verifies the DCE/RPC preprocessor configuration
 *
 * Arguments: None
 *
 * Returns: None
 *
 *********************************************************************/
static void DCE2_CheckConfig(void)
{
    if (dce2_dconfig == NULL)
        DCE2_CreateDefaultServerConfig();

    /* Register routing table memory */
    if (dce2_sconfigs != NULL)
        DCE2_RegMem(sfrt_usage(dce2_sconfigs), DCE2_MEM_TYPE__RT);
}

/*********************************************************************
 * Function: DCE2_Main()
 *
 * Purpose: Main entry point for DCE/RPC processing.
 *
 * Arguments:
 *  void * - pointer to packet structure
 *  void * - pointer to context 
 *
 * Returns: None
 *
 *********************************************************************/
static void DCE2_Main(void *pkt, void *context)
{
	SFSnortPacket *p = (SFSnortPacket *)pkt;
    PROFILE_VARS;

    PREPROC_PROFILE_START(dce2_pstat_main);

    DCE2_DEBUG_MSG(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__START_MSG);

#ifdef DEBUG
    if (DCE2_SsnFromServer(p))
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__MAIN, "Packet from server.\n");
    }
    else
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__MAIN, "Packet from client.\n");
    }
#endif

    /* No inspection to do */
    if (p->payload_size == 0)
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__MAIN, "No payload - not inspecting.\n");
        DCE2_DEBUG_MSG(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__END_MSG);
        PREPROC_PROFILE_END(dce2_pstat_main);
        return;
    }
    else if (p->stream_session_ptr == NULL)
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__MAIN, "No session pointer - not inspecting.\n");
        DCE2_DEBUG_MSG(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__END_MSG);
        PREPROC_PROFILE_END(dce2_pstat_main);
        return;
    }
    else if (!IsTCP(p) && !IsUDP(p))
    {
        DCE2_DEBUG_MSG(DCE2_DEBUG__MAIN, "Not UDP or TCP - not inspecting.\n");
        DCE2_DEBUG_MSG(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__END_MSG);
        PREPROC_PROFILE_END(dce2_pstat_main);
        return;
    }

    if (IsTCP(p))
    {
        if (DCE2_SsnIsMidstream(p))
        {
            DCE2_DEBUG_MSG(DCE2_DEBUG__MAIN, "Midstream - not inspecting.\n");
            DCE2_DEBUG_MSG(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__END_MSG);
            PREPROC_PROFILE_END(dce2_pstat_main);
            return;
        }
        else if (!DCE2_SsnIsEstablished(p))
        {
            DCE2_DEBUG_MSG(DCE2_DEBUG__MAIN, "Not established - not inspecting.\n");
            DCE2_DEBUG_MSG(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__END_MSG);
            PREPROC_PROFILE_END(dce2_pstat_main);
            return;
        }
    }

    if (DCE2_Process(p) == DCE2_RET__INSPECTED)
        _dpd.disableAllDetect(p);

    DCE2_DEBUG_MSG(DCE2_DEBUG__ALL, "%s\n", DCE2_DEBUG__END_MSG);