snort_dcerpc.c

snort2.8.4版本

    ((TCPHeader *)dce_mock_pkt->tcp_header)->flags = TCPHEADER_PUSH | TCPHEADER_ACK;

#ifdef SUP_IP6    
    _dpd.ip6Build((void *)dce_mock_pkt, dce_mock_pkt->ip4_header, AF_INET);

    /* Same thing as above, but for the IPv6-enabled packet */
    dce_mock_pkt_6 = (SFSnortPacket *)calloc(1, sizeof(SFSnortPacket));
    if (dce_mock_pkt_6 == NULL)
    {
        DynamicPreprocessorFatalMessage("Failed to allocate memory for "
                                        "mock IPv6 packet\n");
    }

    dce_mock_pkt_6->pcap_header = calloc(1, sizeof(struct pcap_pkthdr) +
                                               ETHER_HDR_LEN +
                                               SUN_SPARC_TWIDDLE + IP_MAXPKT);
    if (dce_mock_pkt_6 == NULL)
    {
        DynamicPreprocessorFatalMessage("Failed to allocate memory for "
                                        "mock IPv6 pcap header\n");
    }

    dce_mock_pkt_6->pkt_data =
        ((u_int8_t *)dce_mock_pkt_6->pcap_header) + sizeof(struct pcap_pkthdr);
    dce_mock_pkt_6->ether_header =
        (void *)((u_int8_t *)dce_mock_pkt_6->pkt_data + SUN_SPARC_TWIDDLE);
    dce_mock_pkt_6->ip4_header =
        (IPV4Header *)((u_int8_t *)dce_mock_pkt_6->ether_header + ETHER_HDR_LEN);
    dce_mock_pkt_6->tcp_header =
        (TCPHeader *)((u_int8_t *)dce_mock_pkt_6->ip4_header + IP6_HEADER_LEN);

    dce_mock_pkt_6->payload = (u_int8_t *)dce_mock_pkt_6->tcp_header + TCP_HDR_LEN;

    ((EtherHeader *)dce_mock_pkt_6->ether_header)->ethernet_type = htons(0x0800);
    SET_IP4_VER((IPV4Header *)dce_mock_pkt_6->ip4_header, 0x4);
    SET_IP4_HLEN((IPV4Header *)dce_mock_pkt_6->ip4_header, 0x5);
    ((IPV4Header *)dce_mock_pkt_6->ip4_header)->type_service = 0x10;
    dce_mock_pkt_6->inner_ip6h.next = ((IPV4Header *)dce_mock_pkt_6->ip4_header)->proto = IPPROTO_TCP;
    dce_mock_pkt_6->inner_ip6h.hop_lmt = ((IPV4Header *)dce_mock_pkt_6->ip4_header)->time_to_live = 0xF0;
    dce_mock_pkt_6->inner_ip6h.len = IP6_HEADER_LEN >> 2;
 
    _dpd.ip6SetCallbacks((void *)dce_mock_pkt_6, AF_INET6, SET_CALLBACK_IP);
    dce_mock_pkt_6->ip6h = &dce_mock_pkt_6->inner_ip6h;
    dce_mock_pkt_6->ip4h = &dce_mock_pkt_6->inner_ip4h;

    SET_TCP_HDR_OFFSET((TCPHeader *)dce_mock_pkt_6->tcp_header, 0x5);
    ((TCPHeader *)dce_mock_pkt_6->tcp_header)->flags = TCPHEADER_PUSH | TCPHEADER_ACK;
#endif
}


static int ProcessRawSMB(SFSnortPacket *p, const u_int8_t *data, u_int16_t size)
{
    /* Must remember to convert stuff to host order before using it... */
    SMB_HDR *smbHdr;
    u_int16_t nbt_data_size;
    u_int8_t *smb_command;
    u_int16_t smb_data_size;

    while (size > 0)
    {
        NBT_HDR *nbt_hdr;

        /* Check for size enough for NBT_HDR and SMB_HDR */
        if ( size <= (sizeof(NBT_HDR) + sizeof(SMB_HDR)) )
        {
            /* Not enough data */
            return 0;
        }

        nbt_hdr = (NBT_HDR *)data;
        nbt_data_size = ntohs(nbt_hdr->length);
        if (nbt_data_size > (size - sizeof(NBT_HDR)))
            nbt_data_size = size - sizeof(NBT_HDR);

        smbHdr = (SMB_HDR *)(data + sizeof(NBT_HDR));
        smb_command = (u_int8_t *)smbHdr + sizeof(SMB_HDR);
        smb_data_size = nbt_data_size - sizeof(SMB_HDR);

        if (memcmp(smbHdr->protocol, "\xffSMB", 4) != 0)
        {
            /* Not an SMB request, nothing really to do here... */
            return 0;
        }

        ProcessNextSMBCommand(smbHdr->command, smbHdr, smb_command, smb_data_size, nbt_data_size);

        size -= (sizeof(NBT_HDR) + nbt_data_size);
        data += (sizeof(NBT_HDR) + nbt_data_size);
    }

    return 1;
}

static int ProcessRawDCERPC(SFSnortPacket *p, const u_int8_t *data, u_int16_t size)
{
    DCERPC_Buffer *sbuf = &_dcerpc->tcp_seg_buf;
    int status = ProcessDCERPCMessage(NULL, 0, data, size);

    if (status == -1)
        return -1;

    if ((status == DCERPC_FULL_FRAGMENT) && !DCERPC_BufferIsEmpty(sbuf))
    {
        DCERPC_BufferReassemble(sbuf);
        DCERPC_BufferEmpty(sbuf);
    }
    else if ((status == DCERPC_SEGMENTED) && _reassemble_increment)
    {
        _dcerpc->num_inc_reass++;
        if (_reassemble_increment == _dcerpc->num_inc_reass)
        {
            _dcerpc->num_inc_reass = 0;
            DCERPC_BufferReassemble(sbuf);
        }
    }

    return 1;
}

/*
 * Free SMB-specific related to this session
 *
 * @param   v   pointer to SMB session structure
 *
 * @return  none
 */
void DCERPC_SessionFree(void * v)
{
    DCERPC *x = (DCERPC *) v;

    if (x != NULL)
    {
        DCERPC_DataFree(x);
        free(x);
    }
}

static void DCERPC_DataFree(DCERPC *dssn)
{
    DCERPC_BufferFreeData(&dssn->smb_seg_buf);
    DCERPC_BufferFreeData(&dssn->tcp_seg_buf);
    DCERPC_BufferFreeData(&dssn->dce_frag_buf);
}

static DCERPC_TransType DCERPC_AutoDetect(SFSnortPacket *p, const u_int8_t *data, u_int16_t size)
{
    NBT_HDR *nbtHdr;
    SMB_HDR *smbHdr;
    DCERPC_HDR *dcerpc;

    if ( !_autodetect )
    {
        return DCERPC_TRANS_TYPE__NONE;
    }

    if ( size > (sizeof(NBT_HDR) + sizeof(SMB_HDR)) )
    {
        /* See if this looks like SMB */
        smbHdr = (SMB_HDR *) (data + sizeof(NBT_HDR));

        if (memcmp(smbHdr->protocol, "\xffSMB", 4) == 0)
        {
            /* Do an extra check on NetBIOS header, which should be valid for both
               NetBIOS and raw SMB */
            nbtHdr = (NBT_HDR *)data;

            if (nbtHdr->type == SMB_SESSION )
            {
                return DCERPC_TRANS_TYPE__SMB;
            }
        }
    }

    /* Might be DCE/RPC */
    /*  Make sure it's a reasonable size */
    if (size > sizeof(DCERPC_REQ))
    {
        dcerpc = (DCERPC_HDR *) data;

        /*  Minimal DCE/RPC check - check for version and request */
        if ((dcerpc->version == 5) &&
            ((dcerpc->packet_type == DCERPC_REQUEST) || (dcerpc->packet_type == DCERPC_BIND)))
        {
            return DCERPC_TRANS_TYPE__DCERPC;
        }
    }

    return DCERPC_TRANS_TYPE__NONE;
}

/* For Target based *************************************************************
 *
 * (1) If a protocol for the session is already identified and not ones DCE/RPC is
 * interested in, DCE/RPC should leave it alone and return without processing.
 * (2) If a protocol for the session is already identified and is one that DCE/RPC is
 * interested in, decode it.
 * (3) If the protocol for the session is not already identified and the preprocessor
 * is configured to detect on one of the packet ports or can autodetect it,
 * decode the packet.
 *
 * Returns a transport type - none type if app id already set to something other
 * than DCE/RPC or SMB or if not configured or autodetect fails.
 */
static DCERPC_TransType DCERPC_GetTransport(SFSnortPacket *p, char *autodetected)
{
#ifdef TARGET_BASED
    int16_t app_id = _dpd.streamAPI->get_application_protocol_id(p->stream_session_ptr);

    *autodetected = 0;

    if (app_id != 0)
    {
        DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "DCE/RPC: Target-based: App id: %u.\n", app_id););

        if (app_id == _dce_proto_ids.dcerpc)
        {
            DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "DCE/RPC: Target-based: App id is "
                                    "set to \"%s\".\n", DCE_PROTO_REF_STR__DCERPC););

            return DCERPC_TRANS_TYPE__DCERPC;
        }
        else if (app_id == _dce_proto_ids.nbss)
        {
            DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "DCE/RPC: Target-based: App id is "
                                    "set to \"%s or %s\".\n",
                                    DCE_PROTO_REF_STR__SMB, DCE_PROTO_REF_STR__NBSS););

            return DCERPC_TRANS_TYPE__SMB;
        }
        else
        {
            DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "DCE/RPC: Target-based: App id is "
                                    "set to something not DCE/RPC or SMB.\n"););

            return DCERPC_TRANS_TYPE__NONE;
        }
    }
    else
    {
        DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "DCE/RPC: Target-based: Unknown protocol for "
                                "this session.  See if we're configured or can autodetect.\n"););

        if (((p->flags & FLAG_FROM_CLIENT) && (SMBPorts[PORT_INDEX(p->dst_port)] & CONV_PORT(p->dst_port))) ||
            ((p->flags & FLAG_FROM_SERVER) && (SMBPorts[PORT_INDEX(p->src_port)] & CONV_PORT(p->src_port))))
        {
            DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "DCE/RPC: Target-based: SMB port is configured. "
                                    "Set protocol to NBSS/SMB for session.\n"););

            return DCERPC_TRANS_TYPE__SMB;
        }
        else if (((p->flags & FLAG_FROM_CLIENT) && (DCERPCPorts[PORT_INDEX(p->dst_port)] & CONV_PORT(p->dst_port))) ||
                 ((p->flags & FLAG_FROM_SERVER) && (DCERPCPorts[PORT_INDEX(p->src_port)] & CONV_PORT(p->src_port))))
        {
            DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "DCE/RPC: Target-based: DCE/RPC port is configured. "
                                    "Set protocol to DCE/RPC for session.\n"););

            return DCERPC_TRANS_TYPE__DCERPC;
        }
        else if (_autodetect)
        {
            DCERPC_TransType trans = DCERPC_AutoDetect(p, p->payload, p->payload_size);

            DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "DCE/RPC: Target-based: Autodetecting ... \n"););

            switch (trans)
            {
                case DCERPC_TRANS_TYPE__DCERPC:
                    DEBUG_WRAP(DebugMessage(DEBUG_DCERPC,
                                            "DCE/RPC: Target-based: Autodetected DCE/RPC. Set "
                                            "protocol to DCE/RPC for session.\n"););

                    break;

                case DCERPC_TRANS_TYPE__SMB:
                    DEBUG_WRAP(DebugMessage(DEBUG_DCERPC,
                                            "DCE/RPC: Target-based: Autodetected SMB. Set "
                                            "protocol to SMB for session.\n"););

                    break;

                case DCERPC_TRANS_TYPE__NONE:
                default:
                    DEBUG_WRAP(DebugMessage(DEBUG_DCERPC,
                                            "DCE/RPC: Target-based: Unable to autodetect.\n"););

                    return DCERPC_TRANS_TYPE__NONE;
            }

            *autodetected = 1;

            return trans;
        }
        else
        {
            DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "DCE/RPC: Target-based: No configured ports "
                                    "and autodetect not enabled.  Return unhappy and weepy.\n"););
        }
    }
#else
    *autodetected = 0;

    /* check the port list */
    if (((p->flags & FLAG_FROM_CLIENT) && (SMBPorts[PORT_INDEX(p->dst_port)] & CONV_PORT(p->dst_port))) ||
        ((p->flags & FLAG_FROM_SERVER) && (SMBPorts[PORT_INDEX(p->src_port)] & CONV_PORT(p->src_port))))
    {
        return DCERPC_TRANS_TYPE__SMB;
    }
    else if (((p->flags & FLAG_FROM_CLIENT) && (DCERPCPorts[PORT_INDEX(p->dst_port)] & CONV_PORT(p->dst_port))) ||
             ((p->flags & FLAG_FROM_SERVER) && (DCERPCPorts[PORT_INDEX(p->src_port)] & CONV_PORT(p->src_port))))
    {
        return DCERPC_TRANS_TYPE__DCERPC;
    }
    else if (_autodetect)
    {
        DCERPC_TransType trans = DCERPC_AutoDetect(p, p->payload, p->payload_size);
        *autodetected = 1;

        return trans;
    }