ftpp_si.c

入侵检测SNORT.最近更新的基于网络检测的IDS.希望能给大家带来方便.

 */
static INLINE int FTPResetSession(FTP_SESSION *FtpSession, int first)
{
    FtpSession->server.response.pipeline_req = 0;
    FtpSession->server.response.state = 0;
    FtpSession->client.request.pipeline_req = 0;
    FtpSession->client.state = 0;

    FtpSession->client_conf = NULL;
    FtpSession->server_conf = NULL;
    FtpSession->global_conf = NULL;

    FtpSession->encr_state = NO_STATE;
    IP_CLEAR(FtpSession->clientIP);
    FtpSession->clientPort = 0;
    IP_CLEAR(FtpSession->serverIP);
    FtpSession->serverPort = 0;
    FtpSession->data_chan_state = NO_STATE;
    FtpSession->data_chan_index = -1;
    FtpSession->data_xfer_index = -1;

    FtpSession->event_list.stack_count = 0;

    return FTPP_SUCCESS;
}

/*
 * Function: FTPStatefulSessionInspection(Packet *p,
 *                          FTPTELNET_GLOBAL_CONF *GlobalConf,
 *                          FTP_SESSION **FtpSession,
 *                          FTPP_SI_INPUT *SiInput, int *piInspectMode)
 *
 * Purpose: Initialize the session and server configurations for this
 *          packet/stream.  In this function, we set the Session pointer
 *          (which includes the correct server configuration).  The actual
 *          processing to find which IP is the server and which is the
 *          client, is done in the InitServerConf() function.
 *
 * Arguments: p                 => pointer to the Packet/Session
 *            GlobalConf        => pointer to the global configuration
 *            Session           => double pointer to the Session structure
 *            SiInput           => pointer to the session information
 *            piInspectMode     => pointer so the inspection mode can be set
 *
 * Returns: int => return code indicating error or success
 *
 */
static int FTPStatefulSessionInspection(SFSnortPacket *p,
        FTPTELNET_GLOBAL_CONF *GlobalConf,
        FTP_SESSION **FtpSession,
        FTPP_SI_INPUT *SiInput, int *piInspectMode)
{
    FTP_CLIENT_PROTO_CONF *ClientConf;
    FTP_SERVER_PROTO_CONF *ServerConf;
    int iRet;
    FTP_SESSION *NewSession;

    /*
     * First, check if there is already a session pointer.
     */
    if (p->stream_session_ptr)
    {
        *FtpSession =
            _dpd.streamAPI->get_application_data(p->stream_session_ptr, PP_FTPTELNET);
        if (*FtpSession)
        {
            if (SiInput->pdir != FTPP_SI_NO_MODE)
            {
                *piInspectMode = SiInput->pdir;
            }
            else
            {
                FTP_SESSION *tmp = *FtpSession;
                /* check session pointer server conf port */

                if (tmp->server_conf && tmp->server_conf->proto_ports.ports[SiInput->sport])
                    *piInspectMode = FTPP_SI_SERVER_MODE;
                else if (tmp->server_conf && tmp->server_conf->proto_ports.ports[SiInput->dport])
                    *piInspectMode = FTPP_SI_CLIENT_MODE;
                else
                    *piInspectMode = FTPGetPacketDir(p);
            }

            return FTPP_SUCCESS;
        }
    }

    /*
     * If not, create a new one, and initialize it.
     */
    iRet = FTPInitConf(p, GlobalConf, &ClientConf, &ServerConf, SiInput, piInspectMode);
    if (iRet)
    {
        return iRet;
    }

    if (*piInspectMode)
    {
        NewSession = (FTP_SESSION *)calloc(1, sizeof(FTP_SESSION));
        if (NewSession == NULL)
        {
            DynamicPreprocessorFatalMessage("%s(%d) => Failed to allocate memory for new FTP session\n",
                                            *(_dpd.config_file), *(_dpd.config_line));
        }

        FTPResetSession(NewSession, 1);

        NewSession->client_conf = ClientConf;
        NewSession->server_conf = ServerConf;
        NewSession->global_conf = GlobalConf;

        *FtpSession = NewSession;
        return FTPP_SUCCESS;
    }

    return FTPP_INVALID_PROTO;
}

/*
 * Function: FTPStatelessSessionInspection(Packet *p,
 *                          FTPTELNET_GLOBAL_CONF *GlobalConf,
 *                          FTP_SESSION **FtpSession,
 *                          FTPP_SI_INPUT *SiInput, int *piInspectMode)
 *
 * Purpose: Initialize the session and server configurations for this
 *          packet/stream.  It is important to note in stateless mode that
 *          we assume no knowledge of the state of a connection, other than
 *          the knowledge that we can glean from an individual packet.  So
 *          in essence, each packet is it's own session and there is no
 *          knowledge retained from one packet to another.  If you want to
 *          track an FTP session for real, use stateful mode.
 *
 *          In this function, we set the Session pointer (which includes
 *          the correct server configuration).  The actual processing to find
 *          which IP is the server and which is the client, is done in the
 *          InitServerConf() function.
 *
 * Arguments: p                 => pointer to the Packet/Session
 *            GlobalConf        => pointer to the global configuration
 *            Session           => double pointer to the Session structure
 *            SiInput           => pointer to the session information
 *            piInspectMode     => pointer so the inspection mode can be set
 *
 * Returns: int => return code indicating error or success
 *
 */
static FTP_SESSION StaticSession;
static int first = 1;

static int FTPStatelessSessionInspection(SFSnortPacket *p,
        FTPTELNET_GLOBAL_CONF *GlobalConf,
        FTP_SESSION **FtpSession,
        FTPP_SI_INPUT *SiInput, int *piInspectMode)
{
    FTP_CLIENT_PROTO_CONF *ClientConf;
    FTP_SERVER_PROTO_CONF *ServerConf;
    int iRet;

    FTPResetSession(&StaticSession, first);

    if (first)
        first = 0;

    iRet = FTPInitConf(p, GlobalConf, &ClientConf, &ServerConf, SiInput, piInspectMode);
    if (iRet)
    {
        return iRet;
    }
    
    StaticSession.client_conf = ClientConf;
    StaticSession.server_conf = ServerConf;
    StaticSession.global_conf = GlobalConf;

    *FtpSession = &StaticSession;

    return FTPP_SUCCESS;
}
    

/*
 * Function: FTPSessionInspection(Packet *p,
 *                          FTPTELNET_GLOBAL_CONF *GlobalConf,
 *                          FTPP_SI_INPUT *SiInput, int *piInspectMode)
 *
 * Purpose: The Session Inspection module selects the appropriate client
 *          configuration for the session, and the type of inspection to
 *          be performed (client or server.)
 *
 *          When the Session Inspection module is in stateful mode, it
 *          checks to see if there is a FTP_SESSION pointer already
 *          associated with the stream.  If there is, then it uses that
 *          session pointer, otherwise it calculates the server
 *          configuration using the FTP_SI_INPUT and returns a FTP_SESSION
 *          pointer.  In stateful mode, this means that memory is allocated,
 *          but in stateless mode, the same session pointer is used for all
 *          packets to reduce the allocation overhead.
 *
 *          The inspection mode can be either client or server.
 *
 * Arguments: p                 => pointer to the Packet/Session
 *            GlobalConf        => pointer to the global configuration
 *            SiInput           => pointer to the session information
 *            piInspectMode     => pointer so the inspection mode can be set
 *
 * Returns: int => return code indicating error or success
 *
 */
int FTPSessionInspection(SFSnortPacket *p, FTPTELNET_GLOBAL_CONF *GlobalConf,
        FTPP_SI_INPUT *SiInput, int *piInspectMode)
{
    int iRet;
    FTP_SESSION *FtpSession;

    /*
     * We get the server configuration and the session structure differently 
     * depending on what type of inspection we are doing.  In the case of 
     * stateful processing, we may get the session structure from the Stream
     * Reassembly module (which includes the server configuration) or the 
     * structure will be allocated and added to the stream pointer for the
     * rest of the session.
     *
     * In stateless mode, we just use a static variable that is contained in
     * the function here.
     */
    if(GlobalConf->inspection_type == FTPP_UI_CONFIG_STATEFUL)
    {
        iRet = FTPStatefulSessionInspection(p, GlobalConf, &FtpSession, SiInput, piInspectMode);
        if (iRet)
        {
            return iRet;
        }

        if (p->stream_session_ptr)
        {
            SiInput->pproto = FTPP_SI_PROTO_FTP;
            _dpd.streamAPI->set_application_data(p->stream_session_ptr,
                    PP_FTPTELNET, FtpSession, &FTPFreeSession);
        }
        else
        {
            /* Uh, can't create the session info */

            /* Free session data, to avoid memory leak */
            FTPFreeSession(FtpSession);
            SiInput->pproto = FTPP_SI_PROTO_UNKNOWN;
            return FTPP_NONFATAL_ERR;
        }
    }
    else
    {
        /*
         * Assume stateless processing otherwise
         */
        iRet = FTPStatelessSessionInspection(p, GlobalConf, &FtpSession, SiInput, piInspectMode);
        if (iRet)
        {
            return iRet;
        }

        if (p->stream_session_ptr)
        {
            SiInput->pproto = FTPP_SI_PROTO_FTP;
            /* Set the free function pointer to NULL,
             * since this is a static one */
            _dpd.streamAPI->set_application_data(p->stream_session_ptr,
                    PP_FTPTELNET, FtpSession, NULL);
        }
        else
        {
            /* Uh, can't create the session info */
            return FTPP_NONFATAL_ERR;
        }
    }

    return FTPP_SUCCESS;
}

/*
 * Function: ftpp_si_determine_proto(Packet *p,
 *                          FTPTELNET_GLOBAL_CONF *GlobalConf,
 *                          FTPP_SI_INPUT *SiInput, int *piInspectMode)
 *
 * Purpose: The Protocol Determination module determines whether this is
 *          an FTP or telnet request.  If this is an FTP request, it sets
 *          the FTP Session data and inspection mode.
 *
 *          The inspection mode can be either client or server.
 *
 * Arguments: p                 => pointer to the Packet/Session
 *            GlobalConf        => pointer to the global configuration
 *            SiInput           => pointer to the session information
 *            piInspectMode     => pointer so the inspection mode can be set
 *
 * Returns: int => return code indicating error or success
 *
 */
int ftpp_si_determine_proto(SFSnortPacket *p, FTPTELNET_GLOBAL_CONF *GlobalConf,
        FTPP_SI_INPUT *SiInput, int *piInspectMode)
{
    /* Default to no FTP or Telnet case */
    SiInput->pproto = FTPP_SI_PROTO_UNKNOWN;
    *piInspectMode = FTPP_SI_NO_MODE;

    TelnetSessionInspection(p, GlobalConf, SiInput, piInspectMode);
    if (SiInput->pproto == FTPP_SI_PROTO_TELNET)
        return FTPP_SUCCESS;

    FTPSessionInspection(p, GlobalConf, SiInput, piInspectMode);
    if (SiInput->pproto == FTPP_SI_PROTO_FTP)
        return FTPP_SUCCESS;

    return FTPP_INVALID_PROTO;
}