        }        sd->cli_seq = pkt_seq;        sd->cli_nseq = pkt_seq + p->payload_size;        DCE2_SsnSetSeenClient(sd);    }    else if (DCE2_SsnFromServer(p) && !DCE2_SsnSeenServer(sd))    {        int missing = 0;        DCE2_DEBUG_MSG(DCE2_DEBUG__MAIN, "Initial server => seq: %u, next seq: %u\n",                       pkt_seq, pkt_seq + p->payload_size);        if (DCE2_SsnIsRebuilt(p))        {            switch (DCE2_SsnServerMissedInReassembled(p))            {                case SSN_MISSING_BOTH:    /* Missed packets before and after this one */                case SSN_MISSING_BEFORE:  /* Missed packets before this one */                    missing = 1;                    break;                case SSN_MISSING_AFTER:   /* Missed packets after this one */                default:   /* Didn't miss any packets */                    break;            }        }        if (missing)        {            /* Try to autodetect */            if (DCE2_GetAutodetectTransport(p, sd->sconfig) != sd->trans)                return DCE2_RET__NOT_INSPECTED;        }        sd->srv_seq = pkt_seq;        sd->srv_nseq = pkt_seq + p->payload_size;        DCE2_SsnSetSeenServer(sd);    }    else    {        uint32_t *ssn_seq;        uint32_t *ssn_nseq;        uint32_t *missed_bytes;        uint16_t *overlap_bytes;        if (DCE2_SsnFromClient(p))        {            ssn_seq = &sd->cli_seq;            ssn_nseq = &sd->cli_nseq;            missed_bytes = &sd->cli_missed_bytes;            overlap_bytes = &sd->cli_overlap_bytes;            DCE2_DEBUG_MSG(DCE2_DEBUG__MAIN, "Client last => seq: %u, next seq: %u\n",                           sd->cli_seq, sd->cli_nseq);        }        else        {            ssn_seq = &sd->srv_seq;            ssn_nseq = &sd->srv_nseq;            missed_bytes = &sd->srv_missed_bytes;            overlap_bytes = &sd->srv_overlap_bytes;            DCE2_DEBUG_MSG(DCE2_DEBUG__MAIN, "Server last => seq: %u, next seq: %u\n",                           
sd->srv_seq, sd->srv_nseq);        }        *overlap_bytes = 0;        if (*ssn_nseq != pkt_seq)        {            if (*ssn_nseq < pkt_seq)            {                /* Missed packets */                DCE2_DEBUG_MSG(DCE2_DEBUG__MAIN, "Next expected sequence number (%u) is less than "                               "this sequence number (%u).\n", *ssn_nseq, pkt_seq);                DCE2_SsnSetMissedPkts(sd);            }            else            {                /* Got some kind of overlap.  This shouldn't happen since we're doing                 * reassembly on both sides and not looking at non-reassembled packets                 * Actually this can happen if the stream seg list is empty */                DCE2_DEBUG_MSG(DCE2_DEBUG__MAIN, "Overlap => seq: %u, next seq: %u\n",                               pkt_seq, pkt_seq + p->payload_size);                /* Do what we can and take the difference and only inspect what we                 * haven't already inspected */                if ((pkt_seq + p->payload_size) > *ssn_nseq)                {                    *overlap_bytes = (uint16_t)(*ssn_nseq - pkt_seq);                    dce2_stats.overlapped_bytes += *overlap_bytes;                    DCE2_DEBUG_MSG(DCE2_DEBUG__MAIN,                                   "Setting overlap bytes: %u\n", *overlap_bytes);                }                else                {                    return DCE2_RET__NOT_INSPECTED;                }            }        }        else if (DCE2_SsnMissedPkts(sd))        {            DCE2_SsnClearMissedPkts(sd);        }        if (DCE2_SsnMissedPkts(sd))        {            DCE2_DEBUG_MSG(DCE2_DEBUG__MAIN, "Missing packets...\n");            *missed_bytes = pkt_seq - *ssn_nseq;            dce2_stats.missed_bytes += *missed_bytes;            DCE2_DEBUG_MSG(DCE2_DEBUG__MAIN, "Missed %u bytes.\n", *missed_bytes);            if (DCE2_GetAutodetectTransport(p, sd->sconfig) != sd->trans)                return DCE2_RET__NOT_INSPECTED;         
   DCE2_DEBUG_MSG(DCE2_DEBUG__MAIN, "Autodetected - continue to inspect.\n");        }        else if (*missed_bytes != 0)        {            *missed_bytes = 0;        }        *ssn_seq = pkt_seq;        *ssn_nseq = pkt_seq + p->payload_size;        DCE2_DEBUG_MSG(DCE2_DEBUG__MAIN, "This packet => seq: %u, next seq: %u\n",                       *ssn_seq, *ssn_nseq);    }    return DCE2_RET__SUCCESS;}/********************************************************************* * Function: DCE2_GetTransport() * * Determines whether or not we should look at this traffic and if * so, what transport it should be classified as. * * Arguments: *  SFSnortPacket * *      Pointer to packet structure. *  const DCE2_ServerConfig * *      The server configuration associated with the packet's IP. *  int * *      Pointer to a value that will be filled in with whether *      or not the packet was autodetected. *      Non-zero if autodetected *      Zero if not autodetected * * Returns: *  DCE2_TransType *      DCE2_TRANS_TYPE__NONE if a transport could not be  *          determined or target based labeled the session as *          traffic we are not interested in. *      DCE2_TRANS_TYPE__SMB if the traffic is determined to be *          DCE/RPC over SMB. *      DCE2_TRANS_TYPE__TCP if the traffic is determined to be *          DCE/RPC over TCP. *      DCE2_TRANS_TYPE__TCP_PENDING if the traffic was minimally *          autodeteced as DCE/RPC over TCP. *      DCE2_TRANS_TYPE__UDP if the traffic is determined to be *          DCE/RPC over UDP. *      DCE2_TRANS_TYPE__HTTP_PROXY if the traffic is determined *          to be DCE/RPC over HTTP proxy. *      DCE2_TRANS_TYPE__HTTP_SERVER if the traffic is determined *          to be DCE/RPC over HTTP server. 
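 * *********************************************************************/
static DCE2_TransType DCE2_GetTransport(SFSnortPacket *p, const DCE2_ServerConfig *sc, int *autodetected)
{
    DCE2_TransType trans = DCE2_TRANS_TYPE__NONE;
#ifdef TARGET_BASED
    int16_t proto_id = _dpd.streamAPI->get_application_protocol_id(p->stream_session_ptr);
#endif

    /* Initialize the out-parameter on every path, including the
     * target-based early return below, so the caller never reads an
     * indeterminate value when the session's protocol is unknown. */
    *autodetected = 0;

#ifdef TARGET_BASED
    if (proto_id == SFTARGET_UNKNOWN_PROTOCOL)
        return DCE2_TRANS_TYPE__NONE;

    if (proto_id != 0)
    {
        /* Target-based labeled the session: trust the application id
         * and skip port-based detection and autodetection entirely.
         * An id that is neither dcerpc nor nbss leaves trans as NONE. */
        if (proto_id == dce2_proto_ids.dcerpc)
            trans = IsTCP(p) ? DCE2_TRANS_TYPE__TCP : DCE2_TRANS_TYPE__UDP;
        else if (proto_id == dce2_proto_ids.nbss)
            trans = DCE2_TRANS_TYPE__SMB;
    }
    else
#endif
    {
        /* No target-based id (or no target-based support): use the
         * configured detect ports, falling back to payload autodetection
         * on the configured autodetect ports. */
        trans = DCE2_GetDetectTransport(p, sc);

        if (trans == DCE2_TRANS_TYPE__NONE)
        {
            trans = DCE2_GetAutodetectTransport(p, sc);
            *autodetected = 1;
        }
        else if ((trans == DCE2_TRANS_TYPE__HTTP_PROXY) &&
                 (DCE2_ScAutodetectHttpProxyPorts(sc) == DCE2_CS__ENABLED))
        {
            /* A detect port matched HTTP proxy, but the configuration
             * asks for proxy traffic to be confirmed by content
             * inspection; the confirmation result replaces the match. */
            trans = DCE2_HttpAutodetectProxy(p);
            *autodetected = 1;
        }
    }

    return trans;
}

/*********************************************************************
 * Function: DCE2_ServerSidePort()
 *
 * Purpose: Returns the port on the server side of the conversation:
 *          the source port of a packet sent by the server, otherwise
 *          the destination port.  This is the port that is matched
 *          against the configured detect and autodetect port sets.
 *
 * Arguments:
 *  SFSnortPacket *
 *      Pointer to packet structure.
 *
 * Returns:
 *  uint16_t
 *      The server-side port.
 *
 *********************************************************************/
static uint16_t DCE2_ServerSidePort(SFSnortPacket *p)
{
    if (DCE2_SsnFromServer(p))
        return p->src_port;

    return p->dst_port;
}

/*********************************************************************
 * Function: DCE2_GetDetectTransport()
 *
 * Purpose: Classifies the packet using only the server configuration's
 *          detect ports.  The server-side port is looked up in each
 *          transport's detect port set; no payload is inspected here.
 *
 * Arguments:
 *  SFSnortPacket *
 *      Pointer to packet structure.
 *  const DCE2_ServerConfig *
 *      The server configuration associated with the packet's IP.
 *
 * Returns:
 *  DCE2_TransType
 *      For TCP: DCE2_TRANS_TYPE__SMB, DCE2_TRANS_TYPE__TCP,
 *          DCE2_TRANS_TYPE__HTTP_PROXY or DCE2_TRANS_TYPE__HTTP_SERVER,
 *          checked in that order, so a port configured for more than
 *          one transport resolves to the first match.
 *      For non-TCP (treated as UDP): DCE2_TRANS_TYPE__UDP.
 *      DCE2_TRANS_TYPE__NONE if the port is not a detect port for any
 *          transport.
 *
 *********************************************************************/
static DCE2_TransType DCE2_GetDetectTransport(SFSnortPacket *p, const DCE2_ServerConfig *sc)
{
    const uint16_t port = DCE2_ServerSidePort(p);

    if (!IsTCP(p))
    {
        /* not TCP, so UDP: only one transport is possible */
        if (DCE2_ScIsDetectPortSet(sc, port, DCE2_TRANS_TYPE__UDP))
            return DCE2_TRANS_TYPE__UDP;

        return DCE2_TRANS_TYPE__NONE;
    }

    /* Check our configured ports to see if we should continue processing */
    if (DCE2_ScIsDetectPortSet(sc, port, DCE2_TRANS_TYPE__SMB))
        return DCE2_TRANS_TYPE__SMB;

    if (DCE2_ScIsDetectPortSet(sc, port, DCE2_TRANS_TYPE__TCP))
        return DCE2_TRANS_TYPE__TCP;

    if (DCE2_ScIsDetectPortSet(sc, port, DCE2_TRANS_TYPE__HTTP_PROXY))
        return DCE2_TRANS_TYPE__HTTP_PROXY;

    if (DCE2_ScIsDetectPortSet(sc, port, DCE2_TRANS_TYPE__HTTP_SERVER))
        return DCE2_TRANS_TYPE__HTTP_SERVER;

    return DCE2_TRANS_TYPE__NONE;
}

/*********************************************************************
 * Function: DCE2_GetAutodetectTransport()
 *
 * Purpose: Classifies the packet by handing it to the per-transport
 *          autodetect routines, but only for transports whose
 *          autodetect port set contains the server-side port.
 *          Autodetection looks at packet content, so it is gated by
 *          configuration rather than run on all traffic.
 *
 * Arguments:
 *  SFSnortPacket *
 *      Pointer to packet structure.
 *  const DCE2_ServerConfig *
 *      The server configuration associated with the packet's IP.
 *
 * Returns:
 *  DCE2_TransType
 *      Whatever non-NONE type the first successful autodetect routine
 *          returns.  For TCP the routines are tried in the order raw
 *          TCP, HTTP server, HTTP proxy, SMB; for non-TCP only the UDP
 *          routine is tried.
 *      DCE2_TRANS_TYPE__NONE if no enabled routine recognizes the
 *          packet.
 *
 *********************************************************************/
static DCE2_TransType DCE2_GetAutodetectTransport(SFSnortPacket *p, const DCE2_ServerConfig *sc)
{
    const uint16_t port = DCE2_ServerSidePort(p);
    DCE2_TransType trans;

    if (!IsTCP(p))
    {
        /* not TCP, so UDP */
        if (DCE2_ScIsAutodetectPortSet(sc, port, DCE2_TRANS_TYPE__UDP))
        {
            trans = DCE2_UdpAutodetect(p);
            if (trans != DCE2_TRANS_TYPE__NONE)
                return trans;
        }

        return DCE2_TRANS_TYPE__NONE;
    }

    /* Look for raw DCE/RPC over TCP first, since it's
     * more likely not to have configured a port for this. */
    if (DCE2_ScIsAutodetectPortSet(sc, port, DCE2_TRANS_TYPE__TCP))
    {
        trans = DCE2_TcpAutodetect(p);
        if (trans != DCE2_TRANS_TYPE__NONE)
            return trans;
    }

    if (DCE2_ScIsAutodetectPortSet(sc, port, DCE2_TRANS_TYPE__HTTP_SERVER))
    {
        trans = DCE2_HttpAutodetectServer(p);
        if (trans != DCE2_TRANS_TYPE__NONE)
            return trans;
    }

    if (DCE2_ScIsAutodetectPortSet(sc, port, DCE2_TRANS_TYPE__HTTP_PROXY))
    {
        trans = DCE2_HttpAutodetectProxy(p);
        if (trans != DCE2_TRANS_TYPE__NONE)
            return trans;
    }

    if (DCE2_ScIsAutodetectPortSet(sc, port, DCE2_TRANS_TYPE__SMB))
    {
        trans = DCE2_SmbAutodetect(p);
        if (trans != DCE2_TRANS_TYPE__NONE)
            return trans;
    }

    return DCE2_TRANS_TYPE__NONE;
}

/*********************************************************************
 * Function: DCE2_InitRpkts()
 *
 * Purpose: Allocate and initialize reassembly packets.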
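 *
 * Arguments: None
 *
 * Returns: None
 *
 * Notes: Fills in the file-scope reassembly packet pointers (and the
 *        packet stack) used by the SMB, TCP connection-oriented and
 *        UDP connectionless code paths.  Every allocation failure is
 *        reported through DCE2_Die(); nothing is returned to the
 *        caller.  The IPv6 variants are only built under SUP_IP6.
 *
 *********************************************************************/
/*********************************************************************
 * Function: DCE2_AllocRpktOrDie()
 *
 * Purpose: Allocate one reassembly packet and report failure through
 *          DCE2_Die(), so every packet set up by DCE2_InitRpkts()
 *          goes through the same check.
 *
 * Arguments: None
 *
 * Returns:
 *  SFSnortPacket *
 *      The allocated packet.  Should DCE2_Die() return, the NULL
 *      result is passed back unchanged, matching the previous
 *      inline allocate/check/die sequence.
 *
 *********************************************************************/
static SFSnortPacket * DCE2_AllocRpktOrDie(void)
{
    SFSnortPacket *rpkt = DCE2_AllocPkt();

    if (rpkt == NULL)
        DCE2_Die("%s: Failed to allocate memory for reassembly packet\n", DCE2_GNAME);

    return rpkt;
}

void DCE2_InitRpkts(void)
{
    dce2_pkt_stack = DCE2_CStackNew(DCE2_PKT_STACK__SIZE, NULL, DCE2_MEM_TYPE__INIT);
    if (dce2_pkt_stack == NULL)
        DCE2_Die("%s: Failed to allocate memory for packet stack\n", DCE2_GNAME);

    /* IPv4 reassembly packets.  SMB packets get a mock SMB header in
     * the payload; the connection-oriented fragment packets also get a
     * mock DCE/RPC CO header, which for SMB sits after the SMB header. */
    dce2_smb_seg_rpkt = DCE2_AllocRpktOrDie();
    DCE2_InitTcpRpkt(dce2_smb_seg_rpkt);

    dce2_smb_trans_rpkt = DCE2_AllocRpktOrDie();
    DCE2_InitTcpRpkt(dce2_smb_trans_rpkt);
    DCE2_SmbInitRdata((uint8_t *)dce2_smb_trans_rpkt->payload);

    dce2_smb_co_seg_rpkt = DCE2_AllocRpktOrDie();
    DCE2_InitTcpRpkt(dce2_smb_co_seg_rpkt);
    DCE2_SmbInitRdata((uint8_t *)dce2_smb_co_seg_rpkt->payload);

    dce2_smb_co_frag_rpkt = DCE2_AllocRpktOrDie();
    DCE2_InitTcpRpkt(dce2_smb_co_frag_rpkt);
    DCE2_SmbInitRdata((uint8_t *)dce2_smb_co_frag_rpkt->payload);
    DCE2_CoInitRdata((uint8_t *)dce2_smb_co_frag_rpkt->payload + DCE2_MOCK_HDR_LEN__SMB);

    dce2_tcp_co_seg_rpkt = DCE2_AllocRpktOrDie();
    DCE2_InitTcpRpkt(dce2_tcp_co_seg_rpkt);

    dce2_tcp_co_frag_rpkt = DCE2_AllocRpktOrDie();
    DCE2_InitTcpRpkt(dce2_tcp_co_frag_rpkt);
    DCE2_CoInitRdata((uint8_t *)dce2_tcp_co_frag_rpkt->payload);

    dce2_udp_cl_frag_rpkt = DCE2_AllocRpktOrDie();
    DCE2_InitUdpRpkt(dce2_udp_cl_frag_rpkt);
    DCE2_ClInitRdata((uint8_t *)dce2_udp_cl_frag_rpkt->payload);

#ifdef SUP_IP6
    /* IPv6 reassembly packets: same layout as the IPv4 set above,
     * except that the UDP CL fragment packet gets no CL mock header. */
    dce2_smb_seg_rpkt6 = DCE2_AllocRpktOrDie();
    DCE2_InitTcp6Rpkt(dce2_smb_seg_rpkt6);

    dce2_smb_trans_rpkt6 = DCE2_AllocRpktOrDie();
    DCE2_InitTcp6Rpkt(dce2_smb_trans_rpkt6);
    DCE2_SmbInitRdata((uint8_t *)dce2_smb_trans_rpkt6->payload);

    dce2_smb_co_seg_rpkt6 = DCE2_AllocRpktOrDie();
    DCE2_InitTcp6Rpkt(dce2_smb_co_seg_rpkt6);
    DCE2_SmbInitRdata((uint8_t *)dce2_smb_co_seg_rpkt6->payload);

    dce2_smb_co_frag_rpkt6 = DCE2_AllocRpktOrDie();
    DCE2_InitTcp6Rpkt(dce2_smb_co_frag_rpkt6);
    DCE2_SmbInitRdata((uint8_t *)dce2_smb_co_frag_rpkt6->payload);
    DCE2_CoInitRdata((uint8_t *)dce2_smb_co_frag_rpkt6->payload + DCE2_MOCK_HDR_LEN__SMB);

    dce2_tcp_co_seg_rpkt6 = DCE2_AllocRpktOrDie();
    DCE2_InitTcp6Rpkt(dce2_tcp_co_seg_rpkt6);

    dce2_tcp_co_frag_rpkt6 = DCE2_AllocRpktOrDie();
    DCE2_InitTcp6Rpkt(dce2_tcp_co_frag_rpkt6);
    DCE2_CoInitRdata((uint8_t *)dce2_tcp_co_frag_rpkt6->payload);

    dce2_udp_cl_frag_rpkt6 = DCE2_AllocRpktOrDie();
    DCE2_InitUdp6Rpkt(dce2_udp_cl_frag_rpkt6);
#endif
}

/*********************************************************************
 * Function: DCE2_InitTcpRpkt()
 *
 * Purpose: Allocate and initialize reassembly packet for TCP.
 *
 * Arguments: None
 *
 * Returns: None
 *
 *********************************************************************/
static void DCE2_InitTcpRpkt(SFSnortPacket *p)
{
    DCE2_InitCommonRpkt(p);
    ((IPV4Header *)p->ip4_header)->proto = IPPROTO_TCP;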
