📄 snort_dcerpc.c
#endif /* TARGET_BASED */

    return DCERPC_TRANS_TYPE__NONE;
}

/*
 * DCERPCDecode - decode one packet as SMB or DCE/RPC.
 *
 * pkt is cast to SFSnortPacket and used without a NULL check.  Session
 * state (a DCERPC struct) is looked up through the stream API under
 * PP_DCERPC.  When none exists, the transport is detected with
 * DCERPC_GetTransport() and a zeroed DCERPC is allocated and registered
 * with DCERPC_SessionFree as its free callback.
 *
 * Returns 1 only after the payload was handed to ProcessRawSMB() or
 * ProcessRawDCERPC() on a session that was not autodetected; every other
 * path returns 0.
 *
 * Inspection coverage, as visible in this function:
 *   - packets flagged FLAG_FROM_SERVER are never decoded; the stream is
 *     flushed and 0 is returned;
 *   - on an existing session, client packets without FLAG_REBUILT_STREAM
 *     are skipped (reassembly is expected to deliver them later);
 *   - once no_inspect is set on a session, all later packets are skipped.
 */
int DCERPCDecode(void *pkt)
{
    SFSnortPacket *p = (SFSnortPacket *) pkt;
    DCERPC *x = NULL;
    DCERPC_TransType trans = DCERPC_TRANS_TYPE__NONE;

    real_dce_mock_pkt = NULL;

    x = (DCERPC *)_dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_DCERPC);
    if (x == NULL)
    {
        /* No session state yet: decide whether this is SMB or DCE/RPC */
        char autodetected = 0;

        trans = DCERPC_GetTransport(p, &autodetected);
        if (trans == DCERPC_TRANS_TYPE__NONE)
            return 0;

        x = (DCERPC *)calloc(1, sizeof(DCERPC));
        if ( x == NULL )
        {
            /* NOTE(review): x is dereferenced unconditionally below, so this
             * relies on DynamicPreprocessorFatalMessage() not returning -
             * confirm against its definition. */
            DynamicPreprocessorFatalMessage("%s(%d) => Failed to allocate for SMB session data\n",
                                            _dpd.config_file, _dpd.config_line);
        }
        else
        {
            /* Hand the allocation to the stream session together with
             * DCERPC_SessionFree as the callback that releases it */
            _dpd.streamAPI->set_application_data(p->stream_session_ptr, PP_DCERPC,
                                                 (void *)x, &DCERPC_SessionFree);
        }

        DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Created new session\n"););

        x->trans = trans;
        if (autodetected)
            x->autodetected = 1;

        /* Request server-direction reassembly if it is not already set */
        if (_dpd.streamAPI->get_reassembly_direction(p->stream_session_ptr) != SSN_DIR_SERVER)
        {
            _dpd.streamAPI->set_reassembly(p->stream_session_ptr, STREAM_FLPOLICY_FOOTPRINT,
                                           SSN_DIR_SERVER, STREAM_FLPOLICY_SET_ABSOLUTE);
        }

        if (p->flags & FLAG_FROM_SERVER)
        {
            _dpd.streamAPI->response_flush_stream(p);
            return 0;
        }

        /* A first packet that is not FLAG_STREAM_INSERT falls through and
         * is decoded below even though it is not a rebuilt stream packet */
        if (p->flags & FLAG_STREAM_INSERT)
            return 0;
    }
    else if (x->no_inspect)
    {
        /* Set below once fragmentation handling has been suspended */
        return 0;
    }
    else if (p->flags & FLAG_FROM_SERVER)
    {
        _dpd.streamAPI->response_flush_stream(p);
        return 0;
    }
    else if ((p->flags & FLAG_FROM_CLIENT) && !(p->flags & FLAG_REBUILT_STREAM))
    {
        /* Should be doing reassembly at this point */
        return 0;
    }

    /* Publish the current session and packet through file-level globals
     * before calling the protocol handlers */
    _dcerpc = x;
    _dcerpc_pkt = p;

    switch (_dcerpc->trans)
    {
        case DCERPC_TRANS_TYPE__SMB:
            DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Decoding SMB packet\n"););
            ProcessRawSMB(p, p->payload, p->payload_size);
            break;

        case DCERPC_TRANS_TYPE__DCERPC:
            DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Decoding DCE/RPC packet\n"););
            ProcessRawDCERPC(p, p->payload, p->payload_size);
            break;

        default:
            /* Shouldn't get here.  Just adding action for default case */
            return 0;
    }

    /* If SUSPEND_FRAGMENTATION is set after decoding, the session's buffered
     * data is freed and the session is marked no_inspect, so the rest of this
     * session is no longer decoded here.  Where the flag gets set is outside
     * this listing. */
    if (_dcerpc->fragmentation & SUSPEND_FRAGMENTATION)
    {
        DCERPC_DataFree(_dcerpc);
        _dcerpc->no_inspect = 1;
    }

    /* If it's an autodetected session, still let other preprocessors
     * look at it */
    if (_dcerpc->autodetected)
        return 0;

    return 1;
}

/*
 * DCERPC_Exit - release the global reassembly buffer and the mock
 * packet(s), including each mock packet's pcap_header.
 *
 * NOTE(review): the global pointers are not reset to NULL after free(),
 * so a second call would free the same memory again.  Whether this can be
 * called more than once is not visible from here - confirm.
 */
void DCERPC_Exit(void)
{
    if (dce_reassembly_buf != NULL)
        free((void *)dce_reassembly_buf);

    if (dce_mock_pkt != NULL)
    {
        /* Free the nested header before the packet that owns it */
        if (dce_mock_pkt->pcap_header != NULL)
            free((void *)dce_mock_pkt->pcap_header);

        free((void *)dce_mock_pkt);
    }

#ifdef SUP_IP6
    if (dce_mock_pkt_6 != NULL)
    {
        if (dce_mock_pkt_6->pcap_header != NULL)
            free((void *)dce_mock_pkt_6->pcap_header);

        free((void *)dce_mock_pkt_6);
    }
#endif

#ifdef PERF_PROFILING
#ifdef DEBUG_DCERPC_PRINT
    printf("SMB Debug\n");
    printf(" Number of packets seen: %u\n", dcerpcPerfStats.checks);
    printf(" Number of packets ignored: %d\n", dcerpcIgnorePerfStats.checks);
#endif
#endif
}

/*
 * ProcessNextSMBCommand - dispatch one SMB command to its handler.
 *
 * All four remaining arguments are passed through unchanged to the chosen
 * handler, and the handler's return value is returned.  Commands with no
 * handler compiled in return 0.
 *
 * In the default build only TREE_CONNECT_ANDX, NT_CREATE_ANDX, WRITE_ANDX,
 * TRANSACTION and READ_ANDX are handled; everything else is ignored
 * unless UNUSED_SMB_COMMAND is defined.
 */
int ProcessNextSMBCommand(u_int8_t command, SMB_HDR *smbHdr, u_int8_t *data, u_int16_t size, u_int16_t total_size)
{
    switch (command)
    {
        case SMB_COM_TREE_CONNECT_ANDX:
            return ProcessSMBTreeConnXReq(smbHdr, data, size, total_size);
        case SMB_COM_NT_CREATE_ANDX:
            return ProcessSMBNTCreateX(smbHdr, data, size, total_size);
        case SMB_COM_WRITE_ANDX:
            return ProcessSMBWriteX(smbHdr, data, size, total_size);
        case SMB_COM_TRANSACTION:
            return ProcessSMBTransaction(smbHdr, data, size, total_size);
        case SMB_COM_READ_ANDX:
            return ProcessSMBReadX(smbHdr, data, size, total_size);

#ifdef UNUSED_SMB_COMMAND
        case SMB_COM_SESSION_SETUP_ANDX:
            return ProcessSMBSetupXReq(smbHdr, data, size, total_size);
        case SMB_COM_LOGOFF_ANDX:
            return ProcessSMBLogoffXReq(smbHdr, data, size, total_size);
        /* NOTE(review): SMB_COM_READ_ANDX already has a case above, so
         * defining UNUSED_SMB_COMMAND yields a duplicate case label. */
        case SMB_COM_READ_ANDX:
            return ProcessSMBReadX(smbHdr, data, size, total_size);
        case SMB_COM_LOCKING_ANDX:
            return ProcessSMBLockingX(smbHdr, data, size, total_size);
        case SMB_COM_NEGOTIATE:
            return ProcessSMBNegProtReq(smbHdr, data, size, total_size);
        case SMB_COM_TRANSACTION2:
            return ProcessSMBTransaction2(smbHdr, data, size, total_size);
        case SMB_COM_TRANSACTION2_SECONDARY:
            return ProcessSMBTransaction2Secondary(smbHdr, data, size, total_size);
        case SMB_COM_NT_TRANSACT:
            return ProcessSMBNTTransact(smbHdr, data, size, total_size);
        case SMB_COM_NT_TRANSACT_SECONDARY:
            return ProcessSMBNTTransactSecondary(smbHdr, data, size, total_size);
        case SMB_COM_TRANSACTION_SECONDARY:
            break;
        case SMB_COM_ECHO:
            return ProcessSMBEcho(smbHdr, data, size, total_size);
        case SMB_COM_SEEK:
            return ProcessSMBSeek(smbHdr, data, size, total_size);
        case SMB_COM_FLUSH:
            return ProcessSMBFlush(smbHdr, data, size, total_size);
        case SMB_COM_CLOSE:
        case SMB_COM_CLOSE_AND_TREE_DISC:
            return ProcessSMBClose(smbHdr, data, size, total_size);
        case SMB_COM_TREE_DISCONNECT:
        case SMB_COM_NT_CANCEL:
            return ProcessSMBNoParams(smbHdr, data, size, total_size);
#endif

        default:
#ifdef DEBUG_DCERPC_PRINT
            printf("====> Unprocessed command 0x%02x <==== \n", command);
#endif
            break;
    }

    return 0;
}

/*
 * DCERPC_BufferAddData - append data_size bytes of data to sbuf, growing
 * the buffer as needed.
 *
 * Returns 0 on success, and also when data_size is 0 or buffering is
 * disabled by configuration.  Returns -1 when sbuf or data is NULL, when
 * fragmentation is suspended for the session, when the memcap check
 * fails, when the buffer cannot grow any further, or when SafeMemcpy()
 * rejects the copy.
 *
 * The buffer size is kept within USHRT_MAX.  When the incoming data does
 * not fit under that ceiling it is truncated to the remaining room, and
 * the function still returns 0, so the caller is not told that fewer
 * bytes were stored than were passed in.
 *
 * NOTE(review): dce_ssn is dereferenced without the NULL check that sbuf
 * and data get - confirm every caller passes a valid session.
 */
int DCERPC_BufferAddData(DCERPC *dce_ssn, DCERPC_Buffer *sbuf, const u_int8_t *data, u_int16_t data_size)
{
    int status;

    if ((sbuf == NULL) || (data == NULL))
        return -1;

    if (data_size == 0)
        return 0;

    /* NOTE(review): as written, the second test applies to every buffer,
     * including smb_seg_buf when SMB fragmentation is not disabled -
     * confirm that is the intended configuration logic. */
    if ((sbuf == &dce_ssn->smb_seg_buf) && _disable_smb_fragmentation)
        return 0;
    else if (_disable_dcerpc_fragmentation)
        return 0;

    if (sbuf->data == NULL)
    {
        /* First allocation for this buffer.  The copy below lands at
         * sbuf->data + sbuf->len, so this assumes len is 0 whenever data is
         * NULL (DCERPC_BufferFreeData() leaves the buffer in that state). */
        u_int16_t alloc_size = data_size;

        if (dce_ssn->fragmentation & SUSPEND_FRAGMENTATION)
            return -1;

        /* Add a minimum size so we don't have to realloc as often */
        if (alloc_size < DCERPC_MIN_SEG_ALLOC_SIZE)
            alloc_size = DCERPC_MIN_SEG_ALLOC_SIZE;

        if (DCERPC_IsMemcapExceeded(alloc_size))
            return -1;

        sbuf->data = (u_int8_t *)calloc(alloc_size, 1);
        /* Relies on the fatal-message call not returning - TODO confirm */
        if (sbuf->data == NULL)
            DynamicPreprocessorFatalMessage("Failed to allocate space for TCP seg buf\n");

        /* Account for the allocation against the global memcap */
        _total_memory += alloc_size;

        sbuf->size = alloc_size;
    }
    else
    {
        /* Assumes sbuf->len <= sbuf->size; otherwise this subtraction,
         * stored in a u_int16_t, would wrap to a large value */
        u_int16_t buf_size_left = sbuf->size - sbuf->len;

        if (data_size > buf_size_left)
        {
            /* Grow by at least the shortfall */
            u_int16_t alloc_size = data_size - buf_size_left;

            if (dce_ssn->fragmentation & SUSPEND_FRAGMENTATION)
                return -1;

            if (alloc_size < DCERPC_MIN_SEG_ALLOC_SIZE)
                alloc_size = DCERPC_MIN_SEG_ALLOC_SIZE;

            /* Clamp the growth so sbuf->size + alloc_size stays within
             * USHRT_MAX */
            if ((USHRT_MAX - sbuf->size) < alloc_size)
                alloc_size = USHRT_MAX - sbuf->size;

            /* Buffer is already at the ceiling: nothing more can be stored */
            if (alloc_size == 0)
                return -1;

            if (DCERPC_IsMemcapExceeded(alloc_size))
                return -1;

            /* The realloc result overwrites sbuf->data directly; the old
             * pointer is lost on failure, which is only acceptable if the
             * fatal-message call below does not return - TODO confirm */
            sbuf->data = (u_int8_t *)realloc(sbuf->data, sbuf->size + alloc_size);
            if (sbuf->data == NULL)
                DynamicPreprocessorFatalMessage("Failed to allocate space for TCP seg buf\n");

            _total_memory += alloc_size;

            sbuf->size += alloc_size;

            /* This would be because of potential overflow */
            if (sbuf->len + data_size > sbuf->size)
                data_size = sbuf->size - sbuf->len;
        }
    }

    /* The last two arguments delimit the region from the current write
     * position to the end of the buffer; presumably SafeMemcpy() refuses a
     * copy that would fall outside it - confirm against its definition */
    status = SafeMemcpy(sbuf->data + sbuf->len, data, data_size,
                        sbuf->data + sbuf->len, sbuf->data + sbuf->size);
    if (status != SAFEMEM_SUCCESS)
        return -1;

    sbuf->len += data_size;

    return 0;
}

/*
 * DCERPC_BufferFreeData - free sbuf's data and reset the buffer to empty
 * (data NULL, len 0, size 0).  Does nothing when sbuf is NULL or holds no
 * data.
 */
void DCERPC_BufferFreeData(DCERPC_Buffer *sbuf)
{
    if (sbuf == NULL)
        return;

    if (sbuf->data != NULL)
    {
        /* Give the bytes back to the global accounting, clamping at zero so
         * the counter cannot go below it */
        if (_total_memory > sbuf->size)
            _total_memory -= sbuf->size;
        else
            _total_memory = 0;

        free(sbuf->data);
        sbuf->data = NULL;
        sbuf->len = 0;
        sbuf->size = 0;
    }
}

/*
 * DCERPC_IsMemcapExceeded - check whether allocating alloc_size more bytes
 * would push _total_memory above _memcap.
 *
 * Returns 1 when the cap would be exceeded, raising
 * DCERPC_EVENT_MEMORY_OVERFLOW only when _alert_memcap is set; otherwise
 * returns 0.
 *
 * NOTE(review): the types of _total_memory and _memcap are not visible
 * here.  If the sum can wrap, the comparison would pass when it should
 * not - confirm the declarations.
 */
int DCERPC_IsMemcapExceeded(u_int16_t alloc_size)
{
    if ((alloc_size + _total_memory) > _memcap)
    {
        if (_alert_memcap)
        {
            DCERPC_GenerateAlert(DCERPC_EVENT_MEMORY_OVERFLOW,
                                 DCERPC_EVENT_MEMORY_OVERFLOW_STR);
        }

        return 1;
    }

    return 0;
}